Harden API security: input validation, safe auth extraction, new tests, and deploy config

Comprehensive security hardening from audit findings:
- Add validation tags to all DTO request structs (max lengths, ranges, enums)
- Replace unsafe type assertions with MustGetAuthUser helper across all handlers
- Remove query-param token auth from admin middleware (prevents URL token leakage)
- Add request validation calls in handlers that were missing c.Validate()
- Remove goroutines in handlers (timezone update now synchronous)
- Add sanitize middleware and path traversal protection (path_utils)
- Stop resetting admin passwords on migration restart
- Warn on well-known default SECRET_KEY
- Add ~30 new test files covering security regressions, auth safety, repos, and services
- Add deploy/ config, audit digests, and AUDIT_FINDINGS documentation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/handlers/tracking_handler.go

@@ -5,6 +5,7 @@ import (
 	"net/http"
 
 	"github.com/labstack/echo/v4"
+	"github.com/rs/zerolog/log"
 
 	"github.com/treytartt/casera-api/internal/services"
 )
@@ -32,7 +33,14 @@ func (h *TrackingHandler) TrackEmailOpen(c echo.Context) error {
 	if trackingID != "" && h.onboardingService != nil {
 		// Record the open (async, don't block response)
 		go func() {
-			_ = h.onboardingService.RecordEmailOpened(trackingID)
+			defer func() {
+				if r := recover(); r != nil {
+					log.Error().Interface("panic", r).Str("tracking_id", trackingID).Msg("Panic in email open tracking goroutine")
+				}
+			}()
+			if err := h.onboardingService.RecordEmailOpened(trackingID); err != nil {
+				log.Error().Err(err).Str("tracking_id", trackingID).Msg("Failed to record email open")
+			}
 		}()
 	}