From 821a3e452f1ab2175834027a34c27ebfce3e11ea Mon Sep 17 00:00:00 2001
From: Trey t <treytartt@fastmail.com>
Date: Sat, 7 Mar 2026 07:09:06 -0600
Subject: [PATCH] Remove docs and marketing files relocated to old_files

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 deploy/shit_deploy_cant_do.md         |   67 --
 docs/AUDIT_FINDINGS.md                | 1527 -------------------------
 docs/DOKKU_SETUP.md                   |  566 ---------
 docs/GO_TO_PROD.md                    |  260 -----
 docs/LOCALIZATION_PLAN.md             |  412 -------
 docs/PUSH_NOTIFICATIONS.md            |  294 -----
 docs/SECURE_MEDIA_ACCESS.md           |  281 -----
 docs/SUBSCRIPTION_WEBHOOKS.md         |  247 ----
 docs/TASK_KANBAN_CATEGORIZATION.md    |  310 -----
 docs/TASK_KANBAN_LOGIC.md             |  318 -----
 docs/marketing/COMPETITOR_ANALYSIS.md |  252 ----
 docs/marketing/PRESS_RELEASE.md       |  200 ----
 docs/marketing/SOCIAL_MEDIA_KIT.md    |  454 --------
 13 files changed, 5188 deletions(-)
 delete mode 100644 deploy/shit_deploy_cant_do.md
 delete mode 100644 docs/AUDIT_FINDINGS.md
 delete mode 100644 docs/DOKKU_SETUP.md
 delete mode 100644 docs/GO_TO_PROD.md
 delete mode 100644 docs/LOCALIZATION_PLAN.md
 delete mode 100644 docs/PUSH_NOTIFICATIONS.md
 delete mode 100644 docs/SECURE_MEDIA_ACCESS.md
 delete mode 100644 docs/SUBSCRIPTION_WEBHOOKS.md
 delete mode 100644 docs/TASK_KANBAN_CATEGORIZATION.md
 delete mode 100644 docs/TASK_KANBAN_LOGIC.md
 delete mode 100644 docs/marketing/COMPETITOR_ANALYSIS.md
 delete mode 100644 docs/marketing/PRESS_RELEASE.md
 delete mode 100644 docs/marketing/SOCIAL_MEDIA_KIT.md

diff --git a/deploy/shit_deploy_cant_do.md b/deploy/shit_deploy_cant_do.md
deleted file mode 100644
index f2de212..0000000
--- a/deploy/shit_deploy_cant_do.md
+++ /dev/null
@@ -1,67 +0,0 @@
-# Shit Deploy Can't Do
-
-This is everything `./.deploy_prod` cannot safely automate for you.
-
-## 1. Create Infrastructure
-
-Step:
-Create Hetzner servers, networking, and load balancer.
-
-Reason:
-The script only deploys app workloads. It cannot create paid cloud resources without cloud API credentials and IaC wiring.
-
-## 2. Join Nodes To Swarm
-
-Step:
-Run `docker swarm init` on the first manager and `docker swarm join` on other nodes.
-
-Reason:
-Joining nodes requires one-time bootstrap tokens and host-level control.
-
-## 3. Configure Firewall And Origin Restrictions
-
-Step:
-Set firewall rules so only expected ingress paths can reach your nodes.
-
-Reason:
-Firewall policies live in provider networking controls, outside this repo.
-
-## 4. Configure DNS / Cloudflare
-
-Step:
-Point DNS at LB, enable proxying, set SSL mode, and lock down origin access.
-
-Reason:
-DNS and CDN settings are account-level operations in Cloudflare, not deploy-time app actions.
-
-## 5. Configure External Services
-
-Step:
-Create and configure Neon, B2, email provider, APNS, and FCM credentials.
-
-Reason:
-These credentials are issued in vendor dashboards and must be manually generated/rotated.
-
-## 6. Seed SSH Trust
-
-Step:
-Ensure your local machine can SSH to the manager with the key in `deploy/cluster.env`.
-
-Reason:
-The script assumes SSH already works; it cannot grant itself SSH access.
-
-## 7. First-Time Smoke Testing Beyond `/api/health/`
-
-Step:
-Manually test login, push, background jobs, and admin panel flows after first deploy.
-
-Reason:
-Automated health checks prove container readiness, not end-to-end business behavior.
-
-## 8. Safe Secret Garbage Collection
-
-Step:
-Periodically remove old versioned Docker secrets that are no longer referenced.
-
-Reason:
-This deploy script creates versioned secrets for safe rollouts and does not auto-delete old ones to avoid breaking running services.
diff --git a/docs/AUDIT_FINDINGS.md b/docs/AUDIT_FINDINGS.md
deleted file mode 100644
index e6d26b5..0000000
--- a/docs/AUDIT_FINDINGS.md
+++ /dev/null
@@ -1,1527 +0,0 @@
-# HoneyDue Go Backend — Deep Audit Findings
-
-**Date**: 2026-03-01
-**Scope**: All non-test `.go` files under `honeyDueAPI-go/`
-**Agents**: 9 parallel audit agents covering security, authorization, data integrity, concurrency, performance, error handling, architecture compliance, API contracts, and cross-cutting logic
-
----
-
-## Summary
-
-| Audit Area | Critical | Bug | Race Cond. | Logic Error | Silent Failure | Warning | Fragile | Performance | Total |
-|---|---|---|---|---|---|---|---|---|---|
-| Security & Input Validation | 7 | 12 | — | — | — | 17 | — | — | 36 |
-| Authorization & Access Control | 6 | 6 | — | — | — | 9 | — | — | 21 |
-| Data Integrity (GORM) | 7 | 7 | 3 | — | — | 11 | — | — | 28 |
-| Concurrency & Race Conditions | 1 | 4 | 3 | — | — | 10 | — | — | 18 |
-| Performance & Query Efficiency | — | — | — | — | — | 1 | — | 19 | 20 |
-| Error Handling & Panic Safety | 17 | 10 | — | — | 9 | 12 | — | — | 48 |
-| Architecture Compliance | — | 12 | — | — | — | 11 | — | — | 23 |
-| API Contract & Validation | — | 19 | — | — | — | 30 | — | — | 49 |
-| Cross-Cutting Logic | 5 | 5 | 3 | 3 | 1 | — | 4 | — | 21 |
-| **Total (raw)** | **43** | **75** | **9** | **3** | **10** | **101** | **4** | **19** | **264** |
-
----
-
-## Audit 1: Security & Input Validation
-
-### SEC-01 | CRITICAL | Apple JWS payload decoded without signature verification
-- **File**: `internal/handlers/subscription_webhook_handler.go:190-192`
-- **What**: `decodeAppleSignedPayload` splits the JWS token and base64-decodes the payload directly. The comment on line 190 explicitly says "we're trusting Apple's signature for now." `VerifyAppleSignature` exists but is never called from the handler flow.
-- **Impact**: An attacker can craft a fake Apple webhook with arbitrary notification data (subscribe/renew/refund), granting or revoking Pro subscriptions for any user who has ever made a purchase.
-
-### SEC-02 | CRITICAL | Google Pub/Sub webhook always returns true (unauthenticated)
-- **File**: `internal/handlers/subscription_webhook_handler.go:787-793`
-- **What**: `VerifyGooglePubSubToken` unconditionally returns `true`. The Google webhook endpoint `HandleGoogleWebhook` never calls this function at all. Any HTTP client can POST arbitrary subscription events.
-- **Impact**: An attacker can forge Google subscription events to grant themselves Pro access, cancel other users' subscriptions, or trigger arbitrary downgrades.
-
-### SEC-03 | CRITICAL | GoAdmin password reset to "admin" on every migration
-- **File**: `internal/database/database.go:372-382`
-- **What**: Line 373 does `INSERT ON CONFLICT DO NOTHING`, but line 379-382 unconditionally `UPDATE goadmin_users SET password = <bcrypt of "admin"> WHERE username = 'admin'`. Every time migrations run, the GoAdmin password is reset to "admin".
-- **Impact**: The admin panel is permanently accessible with `admin/admin` credentials. Even if the password is changed, the next deploy resets it.
-
-### SEC-04 | CRITICAL | Next.js admin password reset to "admin123" on every migration
-- **File**: `internal/database/database.go:447-463`
-- **What**: Lines 458-463 unconditionally update the admin@honeydue.com password to the bcrypt hash of "admin123" on every migration. The log message on line 463 even says "Updated admin@honeydue.com password to admin123."
-- **Impact**: The admin API is permanently accessible with hardcoded credentials. Any attacker who discovers the endpoint can access full admin functionality.
-
-### SEC-05 | CRITICAL | SQL injection via SortBy in all admin list endpoints
-- **File**: `internal/admin/handlers/admin_user_handler.go:86-88`
-- **What**: `sortBy = filters.SortBy` is concatenated directly into `query.Order(sortBy + " " + filters.GetSortDir())` without any allowlist validation. This pattern is repeated across every admin list handler (admin_user, auth_token, completion, contractor, document, device, notification, etc.).
-- **Impact**: An authenticated admin can inject arbitrary SQL via the `sort_by` query parameter, e.g., `sort_by=created_at; DROP TABLE auth_user; --`, achieving full database read/write.
-
-### SEC-06 | CRITICAL | Apple validation failure grants 1 month free Pro
-- **File**: `internal/services/subscription_service.go:371`
-- **What**: When Apple receipt validation returns a non-fatal error (network timeout, transient failure), the code falls through to `expiresAt = time.Now().UTC().AddDate(0, 1, 0)` -- granting 1 month of Pro. Line 381 grants 1 year when Apple IAP is not configured.
-- **Impact**: An attacker can send any invalid receipt data, trigger a validation error, and receive free Pro access. Repeating monthly yields indefinite free Pro.
-
-### SEC-07 | CRITICAL | Google validation failure grants 1 month free Pro; not configured grants 1 year
-- **File**: `internal/services/subscription_service.go:429-449`
-- **What**: Same pattern as Apple. Line 430: non-fatal Google validation error gives 1-month fallback. Line 449: unconfigured Google client gives 1 year. An attacker sending a garbage `purchaseToken` with `platform=android` triggers the fallback.
-- **Impact**: Free Pro subscription for any user by sending invalid purchase data.
-
-### SEC-08 | BUG | Token slice panic on short tokens
-- **File**: `internal/middleware/auth.go:66`
-- **What**: `token[:8]+"..."` in the debug log message will panic with an index-out-of-range if the token string is fewer than 8 characters. There is no length check before slicing.
-- **Impact**: A malformed Authorization header with a valid scheme but very short token causes a server panic (500) and potential DoS.
-
-### SEC-09 | BUG | Path traversal in resolveFilePath
-- **File**: `internal/handlers/media_handler.go:156-171`
-- **What**: `resolveFilePath` uses `strings.TrimPrefix` followed by `filepath.Join(uploadDir, relativePath)`. If the stored URL contains `../` sequences (e.g., `/uploads/../../../etc/passwd`), `filepath.Join` resolves them and `c.File()` serves the resulting path. There is no `filepath.Abs` containment check (unlike `storage_service.Delete`).
-- **Impact**: If an attacker can control a stored URL (e.g., via SQL injection or a compromised document record), they can read arbitrary files from the server filesystem.
-
-### SEC-10 | BUG | Path traversal in resolveImageFilePath (task service)
-- **File**: `internal/services/task_service.go:850-862`
-- **What**: Identical path traversal vulnerability to media_handler's `resolveFilePath`. No validation that the resolved path stays within the upload directory.
-- **Impact**: Arbitrary file read if stored URLs are manipulated.
-
-### SEC-11 | BUG | Path traversal check bypassed when filepath.Abs errors
-- **File**: `internal/services/storage_service.go:137-138`
-- **What**: `absUploadDir, _ := filepath.Abs(s.cfg.UploadDir)` and `absFilePath, _ := filepath.Abs(fullPath)` both silently discard errors. If `filepath.Abs` fails, both return empty strings, `strings.HasPrefix("", "")` is true, and the path traversal check passes.
-- **Impact**: Under unusual filesystem conditions, the path containment check becomes ineffective, allowing deletion of arbitrary files.
-
-### SEC-12 | BUG | Nil pointer panic after WebSocket upgrade failure
-- **File**: `internal/monitoring/handler.go:116-119`
-- **What**: When `upgrader.Upgrade` fails, `conn` is nil but execution continues to `defer conn.Close()`, causing a nil pointer panic.
-- **Impact**: Server panic on any failed WebSocket upgrade attempt.
-
-### SEC-13 | BUG | Missing return after context cancellation causes goroutine spin
-- **File**: `internal/monitoring/handler.go:177`
-- **What**: The `case <-ctx.Done():` block has no `return` statement, so after the context is cancelled, the `for` loop immediately re-enters the `select` and spins indefinitely.
-- **Impact**: 100% CPU usage on one goroutine for every WebSocket connection that disconnects. The goroutine never exits, leaking resources.
-
-### SEC-14 | BUG | Nil pointer dereference when cache is nil
-- **File**: `internal/admin/handlers/lookup_handler.go:30-32`
-- **What**: `cache := services.GetCache(); if cache == nil { }` has an empty body, then immediately calls `cache.CacheCategories()`. If cache is nil, this panics. Same pattern at lines 50-52 for priorities.
-- **Impact**: Server panic in admin lookup handlers when Redis is unavailable.
-
-### SEC-15 | BUG | Panic on short reset tokens
-- **File**: `internal/admin/handlers/password_reset_code_handler.go:85`
-- **What**: `code.ResetToken[:8] + "..." + code.ResetToken[len-4:]` panics with index out of range if the reset token is fewer than 8 characters.
-- **Impact**: Admin panel crash when viewing short reset codes.
-
-### SEC-16 | BUG | Race condition in Apple legacy receipt validation
-- **File**: `internal/services/iap_validation.go:381-386`
-- **What**: `c.sandbox = true` mutates the struct field, calls `validateLegacyReceipt`, then `c.sandbox = false`. If two concurrent requests hit this path, one may read a sandbox flag set by the other, causing production receipts to validate against sandbox or vice versa.
-- **Impact**: Intermittent validation failures or sandbox receipts being accepted in production.
-
-### SEC-17 | BUG | Index out of bounds in FCM response parsing
-- **File**: `internal/push/fcm.go:119`
-- **What**: `for i, result := range fcmResp.Results` iterates results and accesses `tokens[i]`. If FCM returns fewer results than tokens sent, this is safe, but if the response is malformed with more results than tokens, it panics.
-- **Impact**: Server panic on malformed FCM responses.
-
-### SEC-18 | BUG | DeleteFile endpoint allows deleting any file without ownership check
-- **File**: `internal/handlers/upload_handler.go:78-91`
-- **What**: The `DELETE /api/uploads/` endpoint accepts a `url` field in the request body and passes it directly to `storageService.Delete`. There is no check that the authenticated user owns or has access to the resource associated with that file.
-- **Impact**: Any authenticated user can delete other users' uploaded files (images, documents, completion photos).
-
-### SEC-19 | BUG | Unchecked type assertion throughout handlers
-- **File**: `internal/handlers/contractor_handler.go:28` (and 60+ other locations)
-- **What**: `c.Get(middleware.AuthUserKey).(*models.User)` is used without the comma-ok pattern across contractor_handler (7 instances), document_handler (10 instances), residence_handler (14 instances), task_handler (18 instances), and media_handler (3 instances). If the auth middleware is misconfigured or bypassed, this panics.
-- **Impact**: Server panic (500) on any request where the context value is not the expected type.
-
-### SEC-20 | WARNING | Admin JWT accepted via query parameter
-- **File**: `internal/middleware/admin_auth.go:49-50`
-- **What**: `tokenString = c.QueryParam("token")` allows passing the admin JWT as a URL query parameter. URL parameters are logged by web servers, proxies, and browser history.
-- **Impact**: Admin tokens leaked into access logs, proxy logs, and referrer headers. A compromised log grants full admin access.
-
-### SEC-21 | WARNING | Hardcoded debug secret key
-- **File**: `internal/config/config.go:339`
-- **What**: When `SECRET_KEY` is not set and `DEBUG=true`, the secret key defaults to `"change-me-in-production-secret-key-12345"`. If debug mode is accidentally enabled in production, all JWT signatures use this predictable key.
-- **Impact**: Trivially forgeable admin JWTs if debug mode leaks to production.
-
-### SEC-22 | WARNING | XSS in admin email HTML template
-- **File**: `internal/admin/handlers/notification_handler.go:351-363`
-- **What**: `req.Subject` and `req.Body` are concatenated directly into HTML via string concatenation (`+ req.Subject +`), with no HTML escaping. If the admin enters `<script>` tags, they are rendered in the email.
-- **Impact**: Stored XSS in emails sent to users. A compromised admin account can inject malicious scripts into user-facing emails.
-
-### SEC-23 | WARNING | User-controlled category parameter in upload path
-- **File**: `internal/handlers/upload_handler.go:31`
-- **What**: `category := c.QueryParam("category")` is passed to `storageService.Upload()`. While `Upload()` sanitizes to known subdirectories ("images", "documents", "completions"), the `category` value itself is not validated at the handler level and could be exploited if the sanitization logic changes.
-- **Impact**: Low risk currently due to service-layer sanitization, but fragile defense.
-
-### SEC-24 | WARNING | `binding` tag instead of `validate` on DeleteFile request
-- **File**: `internal/handlers/upload_handler.go:80`
-- **What**: The `DeleteFile` request struct uses `binding:"required"` (Gin format) instead of `validate:"required"` (Echo format). Echo's validator does not process `binding` tags, so the `url` field is never validated as required.
-- **Impact**: Empty URL strings pass validation and could trigger unexpected behavior in the delete flow.
-
-### SEC-25 | WARNING | No upper bound on notification list limit parameter
-- **File**: `internal/handlers/notification_handler.go:29-33`
-- **What**: The `limit` query parameter is parsed from user input with only a `> 0` check. A user can pass `limit=999999999` to retrieve an unbounded number of notifications in a single query.
-- **Impact**: Denial of service via memory exhaustion on large notification tables.
-
-### SEC-26 | WARNING | Raw error message returned to client
-- **File**: `internal/handlers/contractor_handler.go:31`
-- **What**: `err.Error()` is returned directly in JSON responses at contractor_handler:31, document_handler:92, and multiple other locations. Internal error messages may contain database details, file paths, or stack traces.
-- **Impact**: Information disclosure of internal implementation details to attackers.
-
-### SEC-27 | WARNING | Missing c.Validate() call on CreateContractor
-- **File**: `internal/handlers/contractor_handler.go:55`
-- **What**: After `c.Bind(&req)`, there is no `c.Validate(&req)` call, so `validate` tags on the request struct are never enforced.
-- **Impact**: Invalid data bypasses server-side validation and reaches the service layer.
-
-### SEC-28 | WARNING | WebSocket CheckOrigin always returns true
-- **File**: `internal/monitoring/handler.go:19-22`
-- **What**: The WebSocket upgrader accepts connections from any origin, with no CSRF or origin validation.
-- **Impact**: Cross-site WebSocket hijacking. A malicious website can connect to the monitoring WebSocket from any origin and stream admin logs.
-
-### SEC-29 | WARNING | Client-supplied X-Request-ID accepted without validation
-- **File**: `internal/middleware/request_id.go:21`
-- **What**: The middleware accepts any value from the `X-Request-ID` header without sanitization. An attacker can inject newlines or control characters.
-- **Impact**: Log injection if the request ID is written to structured logs without escaping.
-
-### SEC-30 | WARNING | Raw SQL execution from seed files
-- **File**: `internal/admin/handlers/settings_handler.go:378`
-- **What**: SQL statements from seed files are executed via `sqlDB.Exec(stmt)` with no parameterization.
-- **Impact**: If seed file contents are ever derived from untrusted sources, full SQL injection.
-
-### SEC-31 | WARNING | ClearAllData has no secondary confirmation
-- **File**: `internal/admin/handlers/settings_handler.go:529-539`
-- **What**: The `ClearAllData` endpoint deletes all user data with a single POST request. There is no confirmation token, password re-entry, or audit trail.
-- **Impact**: A single compromised admin session can destroy all production data.
-
-### SEC-32 | WARNING | RestoreSubscription missing receipt validation
-- **File**: `internal/handlers/subscription_handler.go:159-163`
-- **What**: Unlike `ProcessPurchase` which validates that receipt data or transaction ID is present, `RestoreSubscription` calls `ProcessApplePurchase` with potentially empty receipt data and transaction ID when platform is "ios".
-- **Impact**: Compounded with the "validation failure grants Pro" bug, this creates another avenue for free Pro access.
-
-### SEC-33 | WARNING | Fire-and-forget goroutines in handler (6 instances)
-- **File**: `internal/handlers/auth_handler.go:83`
-- **What**: Lines 83, 178, 207, 241, 329, 370 spawn goroutines with `go func()` for email sending. These violate the "no goroutines in handlers" rule and have no error context, no timeout, and no tracking.
-- **Impact**: Silent email failures, goroutine leaks on shutdown, and potential resource exhaustion under load.
-
-### SEC-34 | WARNING | UUID truncated to 8 characters
-- **File**: `internal/services/storage_service.go:75`
-- **What**: `uuid.New().String()[:8]` reduces the UUID from 128 bits to approximately 32 bits of randomness.
-- **Impact**: Increased collision probability. At scale, filename collisions could overwrite existing uploads.
-
-### SEC-35 | WARNING | TOCTOU race in ToggleFavorite
-- **File**: `internal/repositories/contractor_repo.go:89-101`
-- **What**: `ToggleFavorite` reads the current favorite state, then writes the opposite. Without a transaction, two concurrent requests can both read "not favorite" and both write "favorite", or vice versa.
-- **Impact**: Inconsistent favorite state under concurrent access.
-
-### SEC-36 | WARNING | Non-pointer bool `IsActive` defaults to false on PATCH
-- **File**: `internal/admin/handlers/share_code_handler.go:155-162`
-- **What**: `IsActive` is a `bool` (not `*bool`), so when the field is absent from the JSON body, it defaults to `false`. A PATCH request that only wants to update other fields will inadvertently deactivate the share code.
-- **Impact**: Share codes silently deactivated by partial updates.
-
----
-
-## Audit 2: Authorization & Access Control
-
-### AUTH-01 | CRITICAL | Apple JWS payload decoded without signature verification
-- **File**: `internal/handlers/subscription_webhook_handler.go:190-192`
-- **What**: `decodeAppleSignedPayload` splits the JWS token and decodes the payload directly via base64, but never verifies the cryptographic signature. The comment on line 191 says "trusting Apple's signature for now."
-- **Impact**: Attacker can upgrade any user to Pro, downgrade any user to Free, or revoke any subscription by sending forged webhook payloads to the public `/api/subscription/webhook/apple/` endpoint.
-
-### AUTH-02 | CRITICAL | Google Pub/Sub webhook authentication always returns true
-- **File**: `internal/handlers/subscription_webhook_handler.go:787-793`
-- **What**: `VerifyGooglePubSubToken` unconditionally returns `true`. The Google webhook endpoint at `/api/subscription/webhook/google/` is publicly accessible (no auth middleware) and performs no caller verification.
-- **Impact**: Attacker can upgrade any user to Pro, downgrade users to Free, or manipulate subscription state by sending forged Google webhook payloads.
-
-### AUTH-03 | CRITICAL | IAP validation failure or misconfiguration grants free Pro subscription
-- **File**: `internal/services/subscription_service.go:370-381`
-- **What**: When Apple IAP validation fails with a non-fatal error (line 371), the service falls back to granting 1 month of free Pro. When the Apple client is not configured at all (line 381), the service grants 1 year of free Pro. The same applies to Google on lines 429 and 449.
-- **Impact**: Complete subscription paywall bypass. Any user can get Pro for free by sending invalid receipt data to `POST /api/subscription/purchase/`.
-
-### AUTH-04 | CRITICAL | Path traversal in resolveFilePath
-- **File**: `internal/handlers/media_handler.go:156-171`
-- **What**: `resolveFilePath` uses `filepath.Join(uploadDir, relativePath)` where `relativePath` comes from stored URLs in the database after `TrimPrefix`. The function lacks the `filepath.Abs` + `HasPrefix` guard used in `StorageService.Delete`.
-- **Impact**: If an attacker can control a stored file URL, they can read arbitrary files from the server filesystem through the authenticated media proxy.
-
-### AUTH-05 | CRITICAL | Subscription tier limit check commented out for residence creation
-- **File**: `internal/services/residence_service.go:155`
-- **What**: The `CreateResidence` method has the subscription tier limit check completely commented out (lines 155-160) with a TODO. The `CheckLimit` function exists in `SubscriptionService` but is never called from any create operation.
-- **Impact**: Free-tier users can create unlimited residences, tasks, contractors, and documents, completely bypassing the subscription paywall.
-
-### AUTH-06 | CRITICAL | Hardcoded admin credentials reset on every migration
-- **File**: `internal/database/database.go:372-382,447-463`
-- **What**: Hardcoded admin credentials (`admin@honeydue.com` / `admin123` and GoAdmin password of `admin`) are re-applied on every server restart/migration, overwriting any password changes.
-- **Impact**: If these endpoints are accessible in production, any attacker with knowledge of these default credentials can gain full admin access.
-
-### AUTH-07 | BUG | User-controlled category parameter enables storage path manipulation
-- **File**: `internal/handlers/upload_handler.go:31`
-- **What**: `UploadImage` reads the `category` query parameter from the user and passes it directly to `storageService.Upload`. The storage service's switch statement defaults to "images" for unknown categories, which is safe, but the `DeleteFile` endpoint passes user-supplied URLs to `storageService.Delete`.
-- **Impact**: Low risk due to the safe default, but the delete endpoint accepts any URL and relies solely on the `filepath.Abs`/`HasPrefix` check which silently ignores errors.
-
-### AUTH-08 | BUG | DeleteDevice does not verify device ownership
-- **File**: `internal/services/notification_service.go:359-372`
-- **What**: `DeleteDevice` accepts a `deviceID` and `platform` from the URL path, and the `userID` is extracted from the auth token. However, the method calls `DeactivateAPNSDevice(deviceID)` or `DeactivateGCMDevice(deviceID)` without first checking that the device belongs to `userID`.
-- **Impact**: User A can disable push notifications for User B by guessing/enumerating device IDs via `DELETE /api/notifications/devices/:id/`.
-
-### AUTH-09 | BUG | CreateContractor missing validation call
-- **File**: `internal/handlers/contractor_handler.go:55`
-- **What**: The `CreateContractor` handler binds the request body but never calls `c.Validate(&req)`. This means any `validate` tags on `CreateContractorRequest` fields are not enforced.
-- **Impact**: Malformed or incomplete contractor data can be persisted to the database.
-
-### AUTH-10 | BUG | Raw error string leaked to client in ListContractors
-- **File**: `internal/handlers/contractor_handler.go:31`
-- **What**: When `ListContractors` encounters an error, it returns `err.Error()` directly in the JSON response rather than using apperrors.
-- **Impact**: Information disclosure of internal server state.
-
-### AUTH-11 | BUG | UpdateContractor allows reassigning contractor to any residence without access check
-- **File**: `internal/services/contractor_service.go:200`
-- **What**: When updating a contractor, if `req.ResidenceID` is provided, the contractor's `ResidenceID` is set unconditionally. There is no check that the authenticated user has access to the new residence. The access check only validates the contractor's current residence.
-- **Impact**: A user who has access to a contractor can reassign it to a residence they do not have access to, effectively injecting data into another user's residence.
-
-### AUTH-12 | BUG | CreateTask missing validation call
-- **File**: `internal/handlers/task_handler.go:112-115`
-- **What**: The `CreateTask` handler binds the request but does not call `c.Validate(&req)`, so `validate` tags on `CreateTaskRequest` fields are not enforced.
-- **Impact**: Invalid task data can be persisted.
-
-### AUTH-13 | WARNING | UpdateTask missing validation call
-- **File**: `internal/handlers/task_handler.go:134-137`
-- **What**: Same issue as CreateTask -- `c.Validate(&req)` is never called for update requests.
-- **Impact**: Invalid task update data can be persisted.
-
-### AUTH-14 | WARNING | No DocumentType validation in form upload path
-- **File**: `internal/handlers/document_handler.go:137`
-- **What**: When creating a document via multipart form, the `document_type` form value is cast directly to `models.DocumentType` without validating against allowed enum values.
-- **Impact**: Inconsistent document type data in the database.
-
-### AUTH-15 | WARNING | No upper bound on notification list limit parameter
-- **File**: `internal/handlers/notification_handler.go:29-34`
-- **What**: The `limit` query parameter is parsed from user input with only a `> 0` check.
-- **Impact**: Denial of service via memory exhaustion on large notification tables.
-
-### AUTH-16 | WARNING | RestoreSubscription does not validate receipt/transaction presence
-- **File**: `internal/handlers/subscription_handler.go:159-163`
-- **What**: Unlike `ProcessPurchase`, `RestoreSubscription` calls `ProcessApplePurchase` with potentially empty receipt data.
-- **Impact**: Empty receipt data stored; webhook user lookup can fail.
-
-### AUTH-17 | WARNING | Token logging panics on short tokens
-- **File**: `internal/middleware/auth.go:66`
-- **What**: `token[:8]+"..."` panics if the token is fewer than 8 characters.
-- **Impact**: DoS via short auth tokens.
-
-### AUTH-18 | WARNING | Admin JWT accepted via query parameter
-- **File**: `internal/middleware/admin_auth.go:50`
-- **What**: Admin auth middleware falls back to reading the JWT token from the `token` query parameter. Query parameters are logged in access logs, proxy logs, and browser history.
-- **Impact**: Admin JWT tokens leak into server logs.
-
-### AUTH-19 | WARNING | DeleteFile endpoint allows deleting any file without ownership check
-- **File**: `internal/handlers/upload_handler.go:78-91`
-- **What**: The `DELETE /api/uploads/` endpoint accepts a `url` field and passes it to `storageService.Delete` with no ownership check.
-- **Impact**: Any authenticated user can delete any uploaded file.
-
-### AUTH-20 | WARNING | ClearAllData has no double-authentication check
-- **File**: `internal/admin/handlers/settings_handler.go:529-793`
-- **What**: The admin `ClearAllData` endpoint deletes all data with only standard admin JWT authentication.
-- **Impact**: A compromised admin session can wipe all production data.
-
-### AUTH-21 | WARNING | JoinWithCode missing validation call
-- **File**: `internal/handlers/residence_handler.go:224`
-- **What**: The `JoinWithCode` handler binds the request but never calls `c.Validate(&req)`.
-- **Impact**: Empty share codes may be passed to the service layer.
-
----
-
-## Audit 3: Data Integrity (GORM)
-
-### DATA-01 | CRITICAL | Completion created but task update failure only logged, not returned
-- **File**: `internal/services/task_service.go:601`
-- **What**: After `CreateCompletion` succeeds at line 563, the subsequent `taskRepo.Update(task)` at line 601 can fail. When it does, the error is logged but NOT returned to the caller.
-- **Impact**: One-time task appears as "not completed" in kanban. Recurring task shows wrong next occurrence. Data permanently inconsistent.
-
-### DATA-02 | CRITICAL | Completion creation and task update not wrapped in a transaction
-- **File**: `internal/services/task_service.go:563-606`
-- **What**: `CreateCompletion` and `Update(task)` are two separate database operations with no transaction. If the process crashes between them, partial writes corrupt task state.
-- **Impact**: A one-time task can have a completion record but still show as "active".
-
-### DATA-03 | CRITICAL | ToggleFavorite read-then-write without transaction (TOCTOU)
-- **File**: `internal/repositories/contractor_repo.go:89-101`
-- **What**: `ToggleFavorite` reads the contractor, negates `IsFavorite`, then writes back as two separate operations. Also does not filter `is_active`.
-- **Impact**: Race condition causes wrong favorite state. Soft-deleted contractors can be toggled.
-
-### DATA-04 | CRITICAL | GetOrCreatePreferences has race condition creating duplicates
-- **File**: `internal/repositories/notification_repo.go:137-161`
-- **What**: `FindPreferencesByUser` and `CreatePreferences` are not atomic. Also uses `==` instead of `errors.Is` for `gorm.ErrRecordNotFound`.
-- **Impact**: Duplicate key error returned to user on concurrent first access.
-
-### DATA-05 | CRITICAL | GetOrCreate race condition for subscriptions
-- **File**: `internal/repositories/subscription_repo.go:34-53`
-- **What**: Same read-then-create pattern as notification_repo without transaction or ON CONFLICT clause.
-- **Impact**: Concurrent first-time access causes duplicate subscription records or unique constraint errors.
-
-### DATA-06 | CRITICAL | GoAdmin password reset on every migration run
-- **File**: `internal/database/database.go:379-382`
-- **What**: Unconditionally updates GoAdmin password to "admin" on every migration. Overwrites any password changes.
-- **Impact**: Admin password reverts to known value on every deployment.
-
-### DATA-07 | CRITICAL | Next.js admin password reset on every migration run
-- **File**: `internal/database/database.go:458-463`
-- **What**: Unconditionally updates admin@honeydue.com password to "admin123" on every migration.
-- **Impact**: Same persistent backdoor.
-
-### DATA-08 | BUG | GetAllUsers/HasAccess silently wrong when associations not preloaded
-- **File**: `internal/models/residence.go:65-70`
-- **What**: `GetAllUsers()` returns `Owner + Users` but assumes both are preloaded. If called on a Residence loaded without preloads, `Owner` is zero-value (ID=0) and `Users` is empty.
-- **Impact**: Access checks return wrong results. GetAllUsers includes a phantom user with ID=0.
-
-### DATA-09 | BUG | IsRecurring requires Frequency preloaded, returns false without it
-- **File**: `internal/task/predicates/predicates.go:209-211`
-- **What**: `IsRecurring` checks `task.Frequency != nil && task.Frequency.Days != nil`. If Frequency is not preloaded, always returns false.
-- **Impact**: Code paths using `IsRecurring` on unpreloaded tasks get incorrect results.
-
-### DATA-10 | BUG | DeleteCompletion ignores image deletion error
-- **File**: `internal/repositories/task_repo.go:706-709`
-- **What**: Image deletion error is discarded before deleting the completion itself.
-- **Impact**: Orphaned TaskCompletionImage records remain in the database.
-
-### DATA-11 | BUG | AddUser uses PostgreSQL-specific ON CONFLICT syntax
-- **File**: `internal/repositories/residence_repo.go:125-128`
-- **What**: `ON CONFLICT DO NOTHING` is PostgreSQL-specific. Tests use SQLite.
-- **Impact**: Test coverage gap — join-with-code never truly tested against production SQL dialect.
-
-### DATA-12 | BUG | generateUniqueCode ignores Count error
-- **File**: `internal/repositories/residence_repo.go:298-301`
-- **What**: `r.db.Model(...).Count(&count)` without checking the returned error. If query fails, `count` stays 0.
-- **Impact**: Duplicate share codes during transient DB errors.
-
-### DATA-13 | BUG | Task template Save without Omit could corrupt Category/Frequency
-- **File**: `internal/repositories/task_template_repo.go:79-81`
-- **What**: `r.db.Save(template)` without `Omit("Category", "Frequency")`. GORM's Save may attempt to update lookup records.
-- **Impact**: Lookup data could be accidentally modified when updating a template.
-
-### DATA-14 | BUG | IsActive/IsPro ignore IsFree admin override field
-- **File**: `internal/models/subscription.go:57-65`
-- **What**: `IsActive()` and `IsPro()` only check `Tier == TierPro` and expiry. They don't account for the `IsFree` admin override.
-- **Impact**: Model methods misleading for admin-overridden users.
-
-### DATA-15 | RACE_CONDITION | Unbounded goroutine in QuickComplete
-- **File**: `internal/services/task_service.go:735`
-- **What**: `go s.sendTaskCompletedNotification(task, completion)` spawns fire-and-forget goroutines. O(users * completions) with no backpressure.
-- **Impact**: Memory exhaustion under heavy quick-complete load.
-
-### DATA-16 | RACE_CONDITION | Unbounded goroutine per user in notification loop
-- **File**: `internal/services/task_service.go:773`
-- **What**: Spawns `go func(userID uint)` for each residence user, plus another goroutine for email. 2N goroutines per completion.
-- **Impact**: Goroutine explosion for shared residences.
-
-### DATA-17 | RACE_CONDITION | WithTransaction uses package-level global db
-- **File**: `internal/database/database.go:100-102`
-- **What**: `WithTransaction` calls `db.Transaction(fn)` where `db` is the package-level variable. If `Connect()` is called again, the pointer changes.
-- **Impact**: Fragile coupling to mutable global.
-
-### DATA-18 | WARNING | LIKE wildcards in search not escaped
-- **File**: `internal/repositories/document_repo.go:91-93`
-- **What**: User-provided `filter.Search` concatenated with `%` for `ILIKE`. `%` or `_` in search get unexpected wildcard matching.
-- **Impact**: Unexpected search results.
-
-### DATA-19 | WARNING | Same LIKE wildcard escape issue in template search
-- **File**: `internal/repositories/task_template_repo.go:48`
-- **What**: Same pattern as document_repo.
-- **Impact**: Unexpected search results with special characters.
-
-### DATA-20 | WARNING | GORM v1 query option pattern for SELECT FOR UPDATE
-- **File**: `internal/repositories/subscription_repo.go:66`
-- **What**: `tx.Set("gorm:query_option", "FOR UPDATE")` is GORM v1 pattern. GORM v2 recommends `tx.Clauses(clause.Locking{Strength: "UPDATE"})`.
-- **Impact**: Row locking may silently fail to acquire locks.
-
-### DATA-21 | WARNING | N+1 queries in getUserUsage
-- **File**: `internal/services/subscription_service.go:186-204`
-- **What**: 3 separate COUNT queries per residence for subscription usage check.
-- **Impact**: Performance degradation for users with many properties.
-
-### DATA-22 | WARNING | Apple validation failure grants free Pro (duplicate cross-ref)
-- **File**: `internal/services/subscription_service.go:371`
-- **What**: Non-fatal Apple error grants 1-month free Pro. Unconfigured client grants 1 year.
-- **Impact**: Subscription paywall bypass.
-
-### DATA-23 | WARNING | Same free-Pro-on-error for Google (duplicate cross-ref)
-- **File**: `internal/services/subscription_service.go:429-449`
-- **What**: Same pattern for Google.
-- **Impact**: Same.
-
-### DATA-24 | WARNING | resolveImageFilePath has no path traversal validation
-- **File**: `internal/services/task_service.go:857-862`
-- **What**: Path traversal via `filepath.Join` without containment check.
-- **Impact**: Arbitrary file read if stored URLs manipulated.
-
-### DATA-25 | WARNING | UpdatePreferences uses bare Save without Omit
-- **File**: `internal/repositories/notification_repo.go:133`
-- **What**: `r.db.Save(prefs)` could update related models if associations added later.
-- **Impact**: Low risk currently but fragile.
-
-### DATA-26 | WARNING | Subscription Update uses bare Save
-- **File**: `internal/repositories/subscription_repo.go:57`
-- **What**: `r.db.Save(sub)` without Omit. Has a `User` relation that could be written.
-- **Impact**: Potential unintended User table writes.
-
-### DATA-27 | WARNING | GetKanbanColumnWithTimezone duplicates categorization chain logic
-- **File**: `internal/models/task.go:189-264`
-- **What**: Reimplements categorization chain inline to avoid circular dependency.
-- **Impact**: Logic drift between implementations.
-
-### DATA-28 | WARNING | DeactivateShareCode error silently ignored
-- **File**: `internal/repositories/residence_repo.go:272`
-- **What**: Error from deactivation discarded. Expired code stays active.
-- **Impact**: Expired share codes not properly cleaned up.
-
----
-
-## Audit 4: Concurrency & Race Conditions
-
-### CONC-01 | CRITICAL | Unbounded goroutine creation per residence user for push notifications
-- **File**: `internal/services/task_service.go:773`
-- **What**: `go func(userID uint)` per user for push, plus `go func(u models.User, images []EmbeddedImage)` per user for email. 2N goroutines per completion with no upper bound.
-- **Impact**: Memory exhaustion under heavy completion load. No panic recovery.
-
-### CONC-02 | BUG | Nil pointer dereference after failed WebSocket upgrade
-- **File**: `internal/monitoring/handler.go:117-120`
-- **What**: After `upgrader.Upgrade` fails, `conn` is nil but execution continues to `defer conn.Close()`.
-- **Impact**: Guaranteed nil pointer panic.
-
-### CONC-03 | BUG | Missing return after context cancellation causes goroutine spin
-- **File**: `internal/monitoring/handler.go:176-178`
-- **What**: `case <-ctx.Done():` has no `return`. Goroutine spins indefinitely.
-- **Impact**: 100% CPU per disconnected WebSocket client.
-
-### CONC-04 | BUG | Token slice panic for short tokens
-- **File**: `internal/middleware/auth.go:66`
-- **What**: `token[:8]` panics if token is fewer than 8 characters.
-- **Impact**: DoS via short auth tokens.
-
-### CONC-05 | BUG | Index out of bounds in FCM response parsing
-- **File**: `internal/push/fcm.go:119-126`
-- **What**: Loop iterates results and indexes into `tokens[i]`. Malformed response panics.
-- **Impact**: Server panic on malformed FCM responses.
-
-### CONC-06 | RACE_CONDITION | ToggleFavorite read-then-write without transaction
-- **File**: `internal/repositories/contractor_repo.go:89-101`
-- **What**: Separate read and write without transaction. Concurrent toggles produce incorrect state.
-- **Impact**: Wrong favorite state under concurrent usage.
-
-### CONC-07 | RACE_CONDITION | GetOrCreatePreferences race condition
-- **File**: `internal/repositories/notification_repo.go:137-161`
-- **What**: Read-then-create without transaction. Also uses `==` instead of `errors.Is`.
-- **Impact**: Duplicate key error on concurrent first access.
-
-### CONC-08 | RACE_CONDITION | GetOrCreate for subscriptions race condition
-- **File**: `internal/repositories/subscription_repo.go:34-53`
-- **What**: Same pattern. Also uses `==` instead of `errors.Is`.
-- **Impact**: Duplicate records on concurrent first login.
-
-### CONC-09 | WARNING | Fire-and-forget goroutine for welcome email (6 instances)
-- **File**: `internal/handlers/auth_handler.go:83`
-- **What**: Six `go func()` calls for email sending with no `defer recover()` and no context.
-- **Impact**: Unrecovered panic kills the server. Violates "no goroutines in handlers" rule.
-
-### CONC-10 | WARNING | Fire-and-forget goroutine for UpdateUserTimezone
-- **File**: `internal/handlers/task_handler.go:41`
-- **What**: `go h.taskService.UpdateUserTimezone(user.ID, tzHeader)` with no error handling.
-- **Impact**: Silent crash if service panics.
-
-### CONC-11 | WARNING | Fire-and-forget goroutine for email open tracking
-- **File**: `internal/handlers/tracking_handler.go:34`
-- **What**: `go func() { _ = h.onboardingService.RecordEmailOpened(trackingID) }()`.
-- **Impact**: Error discarded, goroutine untracked.
-
-### CONC-12 | WARNING | QuickComplete sends notifications in goroutine
-- **File**: `internal/services/task_service.go:735`
-- **What**: Spawns nested goroutines with no tracking or recovery.
-- **Impact**: Notifications silently lost on server shutdown.
-
-### CONC-13 | WARNING | Global singleton `cacheInstance` without synchronization
-- **File**: `internal/services/cache_service.go:21-53`
-- **What**: `var cacheInstance *CacheService` set by `NewCacheService` and read by `GetCache` without mutex.
-- **Impact**: Data race if accessed concurrently during init.
-
-### CONC-14 | WARNING | Global Bundle variable set without synchronization
-- **File**: `internal/i18n/i18n.go:16-46`
-- **What**: `var Bundle *i18n.Bundle` nil until `Init()`. `NewLocalizer` dereferences without nil check. `MustParseMessageFileBytes` panics on malformed files.
-- **Impact**: Panic if handler invoked before Init completes.
-
-### CONC-15 | WARNING | runtime.ReadMemStats called twice per collection cycle
-- **File**: `internal/monitoring/collector.go:96-110`
-- **What**: `collectMemory` and `collectRuntime` each independently call `runtime.ReadMemStats`. Both cause stop-the-world pauses.
-- **Impact**: Double STW pause per collection interval.
-
-### CONC-16 | WARNING | SetAsynqInspector writes without synchronization
-- **File**: `internal/monitoring/service.go:85-87`
-- **What**: Sets `s.collector.asynqClient` which may be read concurrently by the collector goroutine.
-- **Impact**: Data race window during initialization.
-
-### CONC-17 | WARNING | Unbounded goroutine creation for every log line
-- **File**: `internal/monitoring/writer.go:90`
-- **What**: `go func() { _ = w.buffer.Push(entry) }()` per log line. Under high load, goroutines accumulate.
-- **Impact**: Memory exhaustion if Redis is slow. No backpressure.
-
-### CONC-18 | WARNING | log.Fatal in goroutines kills process without graceful shutdown
-- **File**: `internal/cmd/worker/main.go:185-197`
-- **What**: Scheduler and worker goroutines call `log.Fatal()` on error, which calls `os.Exit(1)` immediately.
-- **Impact**: Bypasses deferred cleanup, graceful shutdown.
-
----
-
-## Audit 5: Performance & Query Efficiency
-
-### PERF-01 | PERFORMANCE | N+1 queries in getUserUsage: 3 COUNT queries per residence in loop
-- **File**: `internal/services/subscription_service.go:186-204`
-- **What**: 3 separate COUNT queries per residence. 5 residences = 16 DB queries.
-- **Impact**: Should be a single aggregate query with `WHERE residence_id IN (...)`.
-
-### PERF-02 | PERFORMANCE | Kanban board fires 5 separate queries instead of 1 batched query
-- **File**: `internal/repositories/task_repo.go:504-553`
-- **What**: `GetKanbanData` executes 5 independent queries for overdue, in-progress, due-soon, upcoming, completed.
-- **Impact**: 5x database round-trips per kanban load. Main API endpoint on every app open.
-
-### PERF-03 | PERFORMANCE | runtime.ReadMemStats called twice per collection cycle
-- **File**: `internal/monitoring/collector.go:96-132`
-- **What**: Two separate calls to `runtime.ReadMemStats` per collection interval.
-- **Impact**: Double stop-the-world pause.
-
-### PERF-04 | PERFORMANCE | cpu.Percent blocks for 1 full second on every collection
-- **File**: `internal/monitoring/collector.go:82`
-- **What**: `cpu.Percent(time.Second, false)` blocks 1 second. For 5-second interval, 20% of time spent blocking.
-- **Impact**: Collector goroutine unresponsive for 1 second each cycle.
-
-### PERF-05 | PERFORMANCE | Unbounded goroutine creation per log line
-- **File**: `internal/monitoring/writer.go:90-92`
-- **What**: New goroutine per log line for Redis LPUSH.
-- **Impact**: Goroutine spike under heavy logging. Overwhelms Redis.
-
-### PERF-06 | PERFORMANCE | WebSocket handler continues after upgrade failure
-- **File**: `internal/monitoring/handler.go:116-119`
-- **What**: No return after upgrade failure causes nil conn panic.
-- **Impact**: Wasted resources on every failed upgrade.
-
-### PERF-07 | PERFORMANCE | Goroutine spin after ctx.Done
-- **File**: `internal/monitoring/handler.go:176-178`
-- **What**: Missing return causes tight spin loop.
-- **Impact**: CPU spin per disconnected WebSocket.
-
-### PERF-08 | PERFORMANCE | N+1 query in admin document images list
-- **File**: `internal/admin/handlers/document_image_handler.go:223-244`
-- **What**: `toResponse` queries DB per image for Document+Residence. 20 images = 20 extra queries.
-- **Impact**: Slow admin document images page.
-
-### PERF-09 | PERFORMANCE | O(N*M) linear scan to match users to eligible list
-- **File**: `internal/worker/jobs/handler.go:154-159`
-- **What**: Nested loop checking user membership. 500 tasks * 100 users = 50,000 comparisons.
-- **Impact**: Should use `map[uint]bool` for O(1) lookup.
-
-### PERF-10 | PERFORMANCE | Daily digest fires 4 DB queries per user in loop
-- **File**: `internal/worker/jobs/handler.go:321-401`
-- **What**: 4 queries per eligible user. 100 users = 400 queries.
-- **Impact**: Should batch task queries across all users.
-
-### PERF-11 | PERFORMANCE | Unbounded goroutine creation per notification recipient
-- **File**: `internal/services/task_service.go:773`
-- **What**: 2N goroutines per completion (N = residence users).
-- **Impact**: No rate limiting. Should use Asynq worker.
-
-### PERF-12 | PERFORMANCE | LIKE search on apple_receipt_data blob column (unindexed)
-- **File**: `internal/repositories/subscription_repo.go:126-134`
-- **What**: `WHERE apple_receipt_data LIKE '%transactionID%'` does full table scan on blob column.
-- **Impact**: Scales poorly. Should store transaction IDs in indexed column.
-
-### PERF-13 | PERFORMANCE | No upper bound on notification query limit
-- **File**: `internal/handlers/notification_handler.go:29-34`
-- **What**: `limit=999999999` causes unbounded query.
-- **Impact**: OOM from single request.
-
-### PERF-14 | PERFORMANCE | FindByUser fetches all documents with no LIMIT
-- **File**: `internal/repositories/document_repo.go:56-65`
-- **What**: All documents across all residences with full preloads, no pagination.
-- **Impact**: Memory bloat for power users.
-
-### PERF-15 | PERFORMANCE | FindByUser fetches all contractors with no LIMIT
-- **File**: `internal/repositories/contractor_repo.go:48-67`
-- **What**: All contractors with full preloads, no pagination.
-- **Impact**: Unbounded query result.
-
-### PERF-16 | PERFORMANCE | GetEmailStats fires 4 separate COUNT queries
-- **File**: `internal/services/onboarding_email_service.go:128-149`
-- **What**: 4 individual COUNT queries. Could be 1 with conditional aggregation.
-- **Impact**: Minor — admin-only endpoint.
-
-### PERF-17 | PERFORMANCE | HasSentReminder called per-task in smart reminder loop
-- **File**: `internal/worker/jobs/handler.go:740-741`
-- **What**: Individual COUNT query per active task. 200 tasks = 200 queries.
-- **Impact**: Should batch-check all tuples in single query.
-
-### PERF-18 | PERFORMANCE | FindByResidence preloads Completions.Images for all tasks
-- **File**: `internal/repositories/task_repo.go:267-278`
-- **What**: Eagerly preloads `Completions.Images` and `Completions.CompletedBy` for every task.
-- **Impact**: Over-fetching for list endpoints. 50 tasks * 3 completions * 2 images = 300+ objects.
-
-### PERF-19 | WARNING | Task update failure after completion silently swallowed
-- **File**: `internal/services/task_service.go:601-606`
-- **What**: Error only logged, not returned. Task state becomes inconsistent.
-- **Impact**: Stale NextDueDate persists until manual edit.
-
-### PERF-20 | WARNING | WithTransaction uses global db variable
-- **File**: `internal/database/database.go:100-102`
-- **What**: Captures global `db` pointer. Reconnection could cause stale reference.
-- **Impact**: Fragile coupling.
-
----
-
-## Audit 6: Error Handling & Panic Safety
-
-### ERR-01 | CRITICAL | Unchecked type assertion on auth user — task_handler.go
-- **File**: `internal/handlers/task_handler.go:35`
-- **What**: `c.Get(middleware.AuthUserKey).(*models.User)` without comma-ok across 14+ methods (lines 35, 65, 80, 109, 126, 148, 163, 180, 197, 214, 231, 249, 266, 281, 291, 307, 379, 399).
-- **Impact**: Nil pointer panic on middleware misconfiguration.
-
-### ERR-02 | CRITICAL | Unchecked type assertion — contractor_handler.go
-- **File**: `internal/handlers/contractor_handler.go:28`
-- **What**: Same pattern across 10 locations (lines 28, 38, 53, 68, 88, 103, 118, 133).
-- **Impact**: Nil pointer panic.
-
-### ERR-03 | CRITICAL | Unchecked type assertion — document_handler.go
-- **File**: `internal/handlers/document_handler.go:37`
-- **What**: Same pattern at lines 37, 74, 89, 100, 210, 229, 244, 259, 275, 319.
-- **Impact**: Nil pointer panic.
-
-### ERR-04 | CRITICAL | Unchecked type assertion — residence_handler.go
-- **File**: `internal/handlers/residence_handler.go:38`
-- **What**: Same pattern at lines 38, 50, 64, 77, 94, 114, 139, 157, 178, 200, 221, 238, 255, 292.
-- **Impact**: Nil pointer panic.
-
-### ERR-05 | CRITICAL | Unchecked type assertion — notification_handler.go
-- **File**: `internal/handlers/notification_handler.go:27`
-- **What**: Same pattern at lines 27, 55, 67, 84, 96, 108, 125, 142, 155, 181.
-- **Impact**: Nil pointer panic.
-
-### ERR-06 | CRITICAL | Unchecked type assertion — subscription_handler.go
-- **File**: `internal/handlers/subscription_handler.go:26`
-- **What**: Same pattern at lines 26, 38, 82, 94, 132, 147.
-- **Impact**: Nil pointer panic.
-
-### ERR-07 | CRITICAL | Unchecked type assertion — media_handler.go
-- **File**: `internal/handlers/media_handler.go:43`
-- **What**: Same pattern at lines 43, 76, 114.
-- **Impact**: Nil pointer panic.
-
-### ERR-08 | CRITICAL | Unchecked type assertion — user_handler.go
-- **File**: `internal/handlers/user_handler.go:29`
-- **What**: Same pattern at lines 29, 45, 63.
-- **Impact**: Nil pointer panic.
-
-### ERR-09 | CRITICAL | Apple JWS decoded without signature verification
-- **File**: `internal/handlers/subscription_webhook_handler.go:190-192`
-- **What**: Decodes payload without verifying signature.
-- **Impact**: Forged webhook payloads can manipulate subscriptions.
-
-### ERR-10 | CRITICAL | Google webhook always returns true
-- **File**: `internal/handlers/subscription_webhook_handler.go:787-793`
-- **What**: `VerifyGooglePubSubToken` returns `true` unconditionally.
-- **Impact**: Forged subscription events accepted.
-
-### ERR-11 | CRITICAL | Unchecked type assertion in VerifyAppleSignature
-- **File**: `internal/handlers/subscription_webhook_handler.go:759`
-- **What**: `x5c[0].(string)` and `cert.PublicKey.(*ecdsa.PublicKey)` unchecked. RSA cert panics.
-- **Impact**: Panic on unexpected certificate format.
-
-### ERR-12 | CRITICAL | Apple validation failure grants free Pro
-- **File**: `internal/services/subscription_service.go:371`
-- **What**: Non-fatal error fallback grants 1-month Pro.
-- **Impact**: Free Pro on transient errors.
-
-### ERR-13 | CRITICAL | Apple not configured grants 1-year free Pro
-- **File**: `internal/services/subscription_service.go:381`
-- **What**: `s.appleClient == nil` grants 1-year Pro.
-- **Impact**: Free Pro on misconfigured deployments.
-
-### ERR-14 | CRITICAL | Google validation failure/not configured grants free Pro
-- **File**: `internal/services/subscription_service.go:429-449`
-- **What**: Same pattern for Google.
-- **Impact**: Same.
-
-### ERR-15 | CRITICAL | WebSocket nil pointer dereference
-- **File**: `internal/monitoring/handler.go:116-119`
-- **What**: No return after upgrade failure. `conn` is nil.
-- **Impact**: Guaranteed panic.
-
-### ERR-16 | CRITICAL | Unchecked type assertion in GetAuthUser
-- **File**: `internal/middleware/auth.go:209`
-- **What**: `return user.(*models.User)` — panics on type mismatch.
-- **Impact**: Panic if middleware sets wrong type.
-
-### ERR-17 | CRITICAL | Unchecked type assertion in RequireSuperAdmin
-- **File**: `internal/middleware/admin_auth.go:124`
-- **What**: `adminUser := admin.(*models.AdminUser)` after only nil check.
-- **Impact**: Panic on type mismatch.
-
-### ERR-18 | BUG | Token slice panic on short tokens
-- **File**: `internal/middleware/auth.go:66`
-- **What**: `token[:8]` without length check.
-- **Impact**: Panic on < 8 char tokens.
-
-### ERR-19 | BUG | Raw error leaked — contractor_handler.go:31
-- **File**: `internal/handlers/contractor_handler.go:31`
-- **What**: `err.Error()` in JSON response.
-- **Impact**: Information disclosure.
-
-### ERR-20 | BUG | Raw error leaked — contractor_handler.go:150
-- **File**: `internal/handlers/contractor_handler.go:150`
-- **What**: Same pattern for GetSpecialties.
-- **Impact**: Information disclosure.
-
-### ERR-21 | BUG | Raw error leaked — document_handler.go:92
-- **File**: `internal/handlers/document_handler.go:92`
-- **What**: Same pattern for ListWarranties.
-- **Impact**: Information disclosure.
-
-### ERR-22 | BUG | Task update error after completion only logged
-- **File**: `internal/services/task_service.go:601-606`
-- **What**: Error logged but not returned. Stale task state.
-- **Impact**: Data integrity issue.
-
-### ERR-23 | BUG | WebSocket goroutine spin after ctx.Done
-- **File**: `internal/monitoring/handler.go:177`
-- **What**: Missing return. Tight spin loop.
-- **Impact**: CPU exhaustion per disconnected client.
-
-### ERR-24 | BUG | ToggleFavorite race condition
-- **File**: `internal/repositories/contractor_repo.go:89-101`
-- **What**: Read-then-write without transaction.
-- **Impact**: Inconsistent state.
-
-### ERR-25 | BUG | GetOrCreatePreferences race condition
-- **File**: `internal/repositories/notification_repo.go:137-161`
-- **What**: Read-then-create. Uses `==` instead of `errors.Is`.
-- **Impact**: Duplicate key errors.
-
-### ERR-26 | BUG | GetOrCreate subscription race condition
-- **File**: `internal/repositories/subscription_repo.go:34-53`
-- **What**: Same pattern. `==` instead of `errors.Is`.
-- **Impact**: Duplicate records.
-
-### ERR-27 | BUG | UTF-8 byte-level truncation breaks multi-byte characters
-- **File**: `internal/services/pdf_service.go:131-132`
-- **What**: `title = title[:32] + "..."` truncates at byte position, splitting multi-byte chars.
-- **Impact**: Corrupted UTF-8 in PDFs for non-ASCII titles.
-
-### ERR-28 | BUG | FCM index out of bounds
-- **File**: `internal/push/fcm.go:119-126`
-- **What**: Malformed FCM response panics.
-- **Impact**: Server panic.
-
-### ERR-29 | SILENT_FAILURE | HasSentEmail ignores Count error
-- **File**: `internal/services/onboarding_email_service.go:43-46`
-- **What**: DB error unchecked. Count stays 0, returns false.
-- **Impact**: Duplicate onboarding emails during DB issues.
-
-### ERR-30 | SILENT_FAILURE | GetEmailStats ignores 4 Count errors
-- **File**: `internal/services/onboarding_email_service.go:128-146`
-- **What**: Four count queries with no error checking.
-- **Impact**: Admin dashboard shows zeros on failure.
-
-### ERR-31 | SILENT_FAILURE | Delete error silently ignored
-- **File**: `internal/services/onboarding_email_service.go:354`
-- **What**: `s.db.Where(...).Delete(...)` return unchecked.
-- **Impact**: Old record persists, subsequent Create may fail.
-
-### ERR-32 | SILENT_FAILURE | DeactivateShareCode error ignored
-- **File**: `internal/repositories/residence_repo.go:272`
-- **What**: Error from deactivation discarded.
-- **Impact**: Expired codes remain active.
-
-### ERR-33 | SILENT_FAILURE | generateUniqueCode Count error unchecked
-- **File**: `internal/repositories/residence_repo.go:298-301`
-- **What**: DB error unchecked. Code considered unique on failure.
-- **Impact**: Duplicate share codes possible.
-
-### ERR-34 | SILENT_FAILURE | DeleteCompletion ignores image deletion error
-- **File**: `internal/repositories/task_repo.go:708`
-- **What**: Image deletion error discarded before completion delete.
-- **Impact**: Orphaned image records.
-
-### ERR-35 | SILENT_FAILURE | GetAllStats error silently ignored in sendStats
-- **File**: `internal/monitoring/handler.go:183-184`
-- **What**: `if err != nil { }` — empty error handler.
-- **Impact**: Nil or stale stats sent to clients.
-
-### ERR-36 | SILENT_FAILURE | WriteJSON error unchecked
-- **File**: `internal/monitoring/handler.go:192`
-- **What**: `conn.WriteJSON(wsMsg)` return unchecked.
-- **Impact**: Broken connections not detected.
-
-### ERR-37 | SILENT_FAILURE | Bind error silently discarded
-- **File**: `internal/handlers/residence_handler.go:187`
-- **What**: `c.Bind(&req)` return discarded. Zero-value request used.
-- **Impact**: Silent use of zero-value struct.
-
-### ERR-38 | WARNING | Fire-and-forget goroutines in auth_handler (6 instances)
-- **File**: `internal/handlers/auth_handler.go:83,178,207,241,329,370`
-- **What**: Untracked goroutines for email. No context, no recovery.
-- **Impact**: Goroutine leaks, silent failures.
-
-### ERR-39 | WARNING | Fire-and-forget goroutine for timezone
-- **File**: `internal/handlers/task_handler.go:41`
-- **What**: `go h.taskService.UpdateUserTimezone(...)`.
-- **Impact**: Silent crash on panic.
-
-### ERR-40 | WARNING | Fire-and-forget goroutine for tracking
-- **File**: `internal/handlers/tracking_handler.go:34`
-- **What**: Error discarded, goroutine untracked.
-- **Impact**: Silent failures.
-
-### ERR-41 | WARNING | Missing c.Validate() — contractor_handler.go:55
-- **File**: `internal/handlers/contractor_handler.go:55`
-- **What**: Bind without Validate.
-- **Impact**: Validation tags ignored.
-
-### ERR-42 | WARNING | Missing c.Validate() — task_handler.go:113,135
-- **File**: `internal/handlers/task_handler.go:113`
-- **What**: CreateTask and UpdateTask skip Validate.
-- **Impact**: Validation tags ignored.
-
-### ERR-43 | WARNING | RestoreSubscription missing receipt validation
-- **File**: `internal/handlers/subscription_handler.go:159`
-- **What**: No receipt/token presence check before calling service.
-- **Impact**: Empty data reaches validation.
-
-### ERR-44 | WARNING | Admin JWT via query parameter
-- **File**: `internal/middleware/admin_auth.go:50`
-- **What**: JWT in URL params logged by servers/proxies.
-- **Impact**: Token leakage.
-
-### ERR-45 | WARNING | No notification limit cap
-- **File**: `internal/handlers/notification_handler.go:29`
-- **What**: Unbounded limit parameter.
-- **Impact**: Memory exhaustion.
-
-### ERR-46 | WARNING | Path traversal in task service resolveImageFilePath
-- **File**: `internal/services/task_service.go:857-862`
-- **What**: No containment check.
-- **Impact**: Arbitrary file read via email embedding.
-
-### ERR-47 | WARNING | filepath.Abs errors ignored in storage_service
-- **File**: `internal/services/storage_service.go:137-138`
-- **What**: Errors discarded, security check ineffective.
-- **Impact**: Path traversal on Abs failure.
-
-### ERR-48 | WARNING | MustParseMessageFileBytes panics on malformed translations
-- **File**: `internal/i18n/i18n.go:37`
-- **What**: Panics on invalid JSON in embedded files.
-- **Impact**: Server fails to start on corrupt embed.
-
-### ERR-49 | CRITICAL | Unchecked type assertions in timezone middleware
-- **File**: `internal/middleware/timezone.go:88,99`
-- **What**: `loc.(*time.Location)` and `now.(time.Time)` without comma-ok.
-- **Impact**: Panic on type mismatch.
-
----
-
-## Audit 7: Architecture Compliance
-
-### ARCH-01 | WARNING | Goroutine in auth_handler for email (6 instances)
-- **File**: `internal/handlers/auth_handler.go:83,178,206,240,328,370`
-- **What**: Violates "no goroutines in handlers" rule.
-- **Impact**: Untracked goroutines, no error recovery.
-
-### ARCH-02 | WARNING | Goroutine in tracking_handler
-- **File**: `internal/handlers/tracking_handler.go:34`
-- **What**: Same violation.
-- **Impact**: Error discarded.
-
-### ARCH-03 | WARNING | Goroutine in task_handler for timezone
-- **File**: `internal/handlers/task_handler.go:41`
-- **What**: Same violation.
-- **Impact**: No error handling.
-
-### ARCH-04 | BUG | MediaHandler accesses repositories directly
-- **File**: `internal/handlers/media_handler.go:19`
-- **What**: Holds `*repositories.DocumentRepository`, `*repositories.TaskRepository`, `*repositories.ResidenceRepository` directly. Calls repo methods from handler.
-- **Impact**: Violates "Handlers MUST NOT access database directly".
-
-### ARCH-05 | BUG | Raw error string leaked — contractor_handler.go:31
-- **File**: `internal/handlers/contractor_handler.go:31`
-- **What**: `err.Error()` in JSON response. Same at line 150.
-- **Impact**: Violates "NEVER return raw error strings to clients".
-
-### ARCH-06 | BUG | Raw error string leaked — document_handler.go:92
-- **File**: `internal/handlers/document_handler.go:92`
-- **What**: Same violation.
-- **Impact**: Internal details exposed.
-
-### ARCH-07 | WARNING | Missing c.Validate() — contractor_handler.go:55
-- **File**: `internal/handlers/contractor_handler.go:55`
-- **What**: Violates "All request bodies MUST use validate tags. NEVER trust raw input."
-- **Impact**: Validation tags dead code.
-
-### ARCH-08 | WARNING | Missing c.Validate() — task_handler.go:113,135
-- **File**: `internal/handlers/task_handler.go:113`
-- **What**: CreateTask and UpdateTask skip validation.
-- **Impact**: Validation tags dead code.
-
-### ARCH-09 | WARNING | RestoreSubscription missing validation
-- **File**: `internal/handlers/subscription_handler.go:159`
-- **What**: No receipt/token check.
-- **Impact**: Empty data reaches service.
-
-### ARCH-10 | BUG | Path traversal — media_handler.go:156
-- **File**: `internal/handlers/media_handler.go:156`
-- **What**: No `filepath.Abs` containment check.
-- **Impact**: Arbitrary file read.
-
-### ARCH-11 | WARNING | 72 unchecked type assertions across all handlers
-- **File**: `internal/handlers/*.go`
-- **What**: Systemic `c.Get(AuthUserKey).(*models.User)` without comma-ok.
-- **Impact**: Panic on middleware misconfiguration.
-
-### ARCH-12 | BUG | OnboardingEmailService bypasses repository layer
-- **File**: `internal/services/onboarding_email_service.go:17`
-- **What**: Holds `*gorm.DB` directly. Performs all DB operations without repository.
-- **Impact**: Violates layered architecture. No centralized query management.
-
-### ARCH-13 | WARNING | Goroutine in QuickComplete service
-- **File**: `internal/services/task_service.go:735`
-- **What**: Spawns goroutines from service. Creates cascade of untracked goroutines.
-- **Impact**: Unbounded goroutine creation.
-
-### ARCH-14 | BUG | Task update failure not returned
-- **File**: `internal/services/task_service.go:601`
-- **What**: Error logged but not returned after completion.
-- **Impact**: Data integrity issue.
-
-### ARCH-15 | BUG | Apple IAP validation failure grants free Pro
-- **File**: `internal/services/subscription_service.go:371`
-- **What**: Non-fatal errors grant Pro access.
-- **Impact**: Paywall bypass.
-
-### ARCH-16 | WARNING | stdlib log instead of zerolog in subscription_service
-- **File**: `internal/services/subscription_service.go:7`
-- **What**: Uses `"log"` instead of `"github.com/rs/zerolog/log"`.
-- **Impact**: Subscription logs bypass structured logging pipeline.
-
-### ARCH-17 | WARNING | resolveImageFilePath no path traversal validation
-- **File**: `internal/services/task_service.go:850`
-- **What**: No containment check.
-- **Impact**: Potential file read escape.
-
-### ARCH-18 | BUG | Apple JWS not verified
-- **File**: `internal/handlers/subscription_webhook_handler.go:190`
-- **What**: Payload decoded without signature verification.
-- **Impact**: Forged webhooks accepted.
-
-### ARCH-19 | BUG | Google webhook always returns true
-- **File**: `internal/handlers/subscription_webhook_handler.go:787`
-- **What**: `VerifyGooglePubSubToken` returns true unconditionally.
-- **Impact**: Forged events accepted.
-
-### ARCH-20 | WARNING | stdlib log in webhook handler
-- **File**: `internal/handlers/subscription_webhook_handler.go:11`
-- **What**: Uses `"log"` instead of zerolog.
-- **Impact**: Unstructured webhook processing logs.
-
-### ARCH-21 | WARNING | Webhook handler bypasses service layer
-- **File**: `internal/handlers/subscription_webhook_handler.go:26`
-- **What**: Holds repos directly. Business logic duplicated.
-- **Impact**: Violates "Handlers MUST NOT access database directly".
-
-### ARCH-22 | BUG | GetKanbanColumnWithTimezone duplicates categorization chain
-- **File**: `internal/models/task.go:201`
-- **What**: 65-line method re-implements categorization chain inline due to circular dependency.
-- **Impact**: Two implementations must be kept in sync. Violates "NEVER write inline task logic".
-
-### ARCH-23 | WARNING | Worker handler accesses DB directly
-- **File**: `internal/worker/jobs/handler.go:35`
-- **What**: Holds `*gorm.DB` directly. Does raw GORM queries.
-- **Impact**: Inconsistent data access patterns.
-
-### ARCH-24 | BUG | Hardcoded admin password reset every migration
-- **File**: `internal/database/database.go:372-382,446-463`
-- **What**: Admin passwords reset to known defaults on every deploy.
-- **Impact**: Persistent backdoor.
-
-### ARCH-25 | WARNING | Hardcoded debug fallback secret key
-- **File**: `internal/config/config.go:339`
-- **What**: Deterministic key in debug mode.
-- **Impact**: Forgeable JWTs if debug leaks to production.
-
-### ARCH-26 | BUG | Token slice panic
-- **File**: `internal/middleware/auth.go:66`
-- **What**: `token[:8]` without length check.
-- **Impact**: DoS via short tokens.
-
-### ARCH-27 | BUG | WebSocket nil pointer after upgrade failure
-- **File**: `internal/monitoring/handler.go:117`
-- **What**: No return after failure. Nil conn used.
-- **Impact**: Guaranteed panic.
-
----
-
-## Audit 8: API Contract & Validation
-
-### API-01 | BUG | CreateContractor skips validation after Bind
-- **File**: `internal/handlers/contractor_handler.go:55`
-- **What**: `c.Bind(&req)` without `c.Validate(&req)`. `CreateContractorRequest` has `required`, `min`, `max`, `email` tags.
-- **Impact**: Empty names, invalid emails, oversized strings accepted.
-
-### API-02 | BUG | UpdateContractor skips validation after Bind
-- **File**: `internal/handlers/contractor_handler.go:75`
-- **What**: Same issue.
-- **Impact**: Max-length, email format constraints unenforced on updates.
-
-### API-03 | BUG | UpdateDocument skips validation after Bind
-- **File**: `internal/handlers/document_handler.go:217`
-- **What**: Same issue. DTO has max length constraints.
-- **Impact**: Oversized filenames/URLs persisted.
-
-### API-04 | BUG | CreateDocument (JSON path) skips validation
-- **File**: `internal/handlers/document_handler.go:196`
-- **What**: JSON code path skips validation. Multipart path does manual partial validation.
-- **Impact**: Required fields and max-length constraints unenforced.
-
-### API-05 | BUG | CreateTask skips validation after Bind
-- **File**: `internal/handlers/task_handler.go:113`
-- **What**: `CreateTaskRequest` has `validate:"required"` on ResidenceID and Title, `min=1,max=200` on Title.
-- **Impact**: Empty titles and zero residence_id accepted.
-
-### API-06 | BUG | UpdateTask skips validation after Bind
-- **File**: `internal/handlers/task_handler.go:135`
-- **What**: `UpdateTaskRequest` has `validate:"omitempty,min=1,max=200"` on Title.
-- **Impact**: Empty or oversized titles accepted.
-
-### API-07 | BUG | CreateCompletion (JSON path) skips validation
-- **File**: `internal/handlers/task_handler.go:365`
-- **What**: `CreateTaskCompletionRequest` has `validate:"required"` on TaskID.
-- **Impact**: `task_id: 0` completions created.
-
-### API-08 | BUG | UpdateCompletion skips validation
-- **File**: `internal/handlers/task_handler.go:386`
-- **What**: Pattern inconsistency. No validate tags currently but pattern sets maintenance trap.
-- **Impact**: Low immediate risk.
-
-### API-09 | BUG | UpdatePreferences skips validation
-- **File**: `internal/handlers/notification_handler.go:111`
-- **What**: No validate tags on DTO currently. Missing Validate call.
-- **Impact**: Maintenance trap.
-
-### API-10 | BUG | RegisterDevice skips validation
-- **File**: `internal/handlers/notification_handler.go:128`
-- **What**: DTO has `binding:"required"` (Gin-style), which Echo ignores.
-- **Impact**: Empty device records saved. Push notifications fail silently.
-
-### API-11 | BUG | ProcessPurchase skips validation
-- **File**: `internal/handlers/subscription_handler.go:97`
-- **What**: DTO uses `binding:"required,oneof=ios android"` (Gin-style).
-- **Impact**: Platform `oneof` never enforced (switch default catches it).
-
-### API-12 | BUG | RestoreSubscription skips validation
-- **File**: `internal/handlers/subscription_handler.go:150`
-- **What**: No receipt/token presence check unlike ProcessPurchase.
-- **Impact**: Empty data to Apple/Google validation.
-
-### API-13 | BUG | JoinWithCode skips validation
-- **File**: `internal/handlers/residence_handler.go:224`
-- **What**: `JoinWithCodeRequest` has `validate:"required,len=6"` on Code.
-- **Impact**: Empty or wrong-length codes reach service.
-
-### API-14 | BUG | RegisterDeviceRequest uses `binding` tags (Gin)
-- **File**: `internal/services/notification_service.go:552-554`
-- **What**: Echo's validator only reads `validate` tags. `binding` tags are dead.
-- **Impact**: No validation ever enforced on device registration.
-
-### API-15 | BUG | ProcessPurchaseRequest uses `binding` tag
-- **File**: `internal/services/subscription_service.go:657`
-- **What**: Gin-style tag on Platform field.
-- **Impact**: `oneof` constraint documentary-only.
-
-### API-16 | BUG | DeleteFile uses `binding` tag
-- **File**: `internal/handlers/upload_handler.go:80`
-- **What**: `binding:"required"` on URL field. Echo ignores it.
-- **Impact**: Empty URL passes through.
-
-### API-17 | BUG | Raw error leaked — contractor_handler.go:31
-- **File**: `internal/handlers/contractor_handler.go:31`
-- **What**: `err.Error()` in JSON response.
-- **Impact**: Internal details exposed.
-
-### API-18 | BUG | Raw error leaked — contractor_handler.go:150
-- **File**: `internal/handlers/contractor_handler.go:150`
-- **What**: Same.
-- **Impact**: Same.
-
-### API-19 | BUG | Raw error leaked — document_handler.go:92
-- **File**: `internal/handlers/document_handler.go:92`
-- **What**: Same.
-- **Impact**: Same.
-
-### API-20 | BUG | Unchecked type assertions (72+ locations)
-- **File**: `internal/handlers/*.go`
-- **What**: Systemic `c.Get(AuthUserKey).(*models.User)` without comma-ok across all handlers.
-- **Impact**: Panic on middleware misconfiguration.
-
-### API-21 | BUG | Path traversal in resolveFilePath
-- **File**: `internal/handlers/media_handler.go:156-171`
-- **What**: No containment check after filepath.Join.
-- **Impact**: Arbitrary file read.
-
-### API-22 | BUG | Apple JWS not verified
-- **File**: `internal/handlers/subscription_webhook_handler.go:190-192`
-- **What**: Signature never checked.
-- **Impact**: Forged webhooks accepted.
-
-### API-23 | BUG | Google webhook always returns true
-- **File**: `internal/handlers/subscription_webhook_handler.go:787-793`
-- **What**: Unconditional `return true`.
-- **Impact**: Forged events accepted.
-
-### API-24 | BUG | Hardcoded admin credentials
-- **File**: `internal/database/database.go:372-382,447-463`
-- **What**: Reset on every migration.
-- **Impact**: Permanent backdoor.
-
-### API-25 | WARNING | Rating field — no min/max
-- **File**: `internal/dto/requests/contractor.go:17`
-- **What**: `Rating *float64` unbounded. Accepts -999 or 1000000.
-- **Impact**: Garbage ratings stored.
-
-### API-26 | WARNING | UpdateContractorRequest Rating unbounded
-- **File**: `internal/dto/requests/contractor.go:34`
-- **What**: Same issue on update path.
-- **Impact**: Same.
-
-### API-27 | WARNING | Completion Rating — no min/max
-- **File**: `internal/dto/requests/task.go:93`
-- **What**: `Rating *int` unbounded. Comment says "1-5 star" but nothing enforces it.
-- **Impact**: Ratings of 0, -1, or 999 stored.
-
-### API-28 | WARNING | UpdateCompletion Rating unbounded
-- **File**: `internal/dto/requests/task.go:101`
-- **What**: Same on update path.
-- **Impact**: Same.
-
-### API-29 | WARNING | CustomIntervalDays — no min validation
-- **File**: `internal/dto/requests/task.go:63`
-- **What**: Accepts 0 or negative values.
-- **Impact**: Infinite loops or incorrect next-due-date calculations.
-
-### API-30 | WARNING | Bedrooms and SquareFootage accept negatives
-- **File**: `internal/dto/requests/residence.go:19-21`
-- **What**: No `min=0` validation.
-- **Impact**: -3 bedrooms, -500 sqft stored.
-
-### API-31 | WARNING | ExpiresInHours — no validation
-- **File**: `internal/dto/requests/residence.go:58`
-- **What**: 0 or negative produces already-expired or never-expiring codes.
-- **Impact**: Unexpected share code lifetimes.
-
-### API-32 | WARNING | FileSize — no min validation
-- **File**: `internal/dto/requests/document.go:19`
-- **What**: Negative file sizes accepted.
-- **Impact**: Cosmetic/reporting issue.
-
-### API-33 | WARNING | ImageURLs array — no length limit
-- **File**: `internal/dto/requests/document.go:28`
-- **What**: Unbounded string array.
-- **Impact**: DoS via database write amplification.
-
-### API-34 | WARNING | CreateCompletion ImageURLs unbounded
-- **File**: `internal/dto/requests/task.go:94`
-- **What**: Same issue.
-- **Impact**: Same.
-
-### API-35 | WARNING | UpdateCompletion ImageURLs unbounded
-- **File**: `internal/dto/requests/task.go:102`
-- **What**: Same.
-- **Impact**: Same.
-
-### API-36 | WARNING | SpecialtyIDs array unbounded
-- **File**: `internal/dto/requests/contractor.go:16`
-- **What**: `SpecialtyIDs []uint` no length limit.
-- **Impact**: Bulk insert DoS.
-
-### API-37 | WARNING | ListNotifications — no upper bound on limit
-- **File**: `internal/handlers/notification_handler.go:29-34`
-- **What**: `limit=999999999` accepted.
-- **Impact**: OOM from single request.
-
-### API-38 | WARNING | ListContractors — no pagination
-- **File**: `internal/handlers/contractor_handler.go:28`
-- **What**: Returns all contractors, no limit/offset.
-- **Impact**: Unbounded response payload.
-
-### API-39 | WARNING | ListDocuments — no pagination
-- **File**: `internal/handlers/document_handler.go:36`
-- **What**: Returns all documents matching filter.
-- **Impact**: Same.
-
-### API-40 | WARNING | ListCompletions — no pagination
-- **File**: `internal/handlers/task_handler.go:280`
-- **What**: Returns all completions.
-- **Impact**: Same.
-
-### API-41 | WARNING | Inconsistent error response formats
-- **File**: `internal/handlers/contractor_handler.go:31`
-- **What**: `map[string]interface{}{"error":...}` vs `responses.ErrorResponse` vs `validator.FormatValidationErrors`. 3+ different shapes.
-- **Impact**: Client must handle multiple error formats.
-
-### API-42 | WARNING | Activate/Deactivate returns hybrid response
-- **File**: `internal/handlers/document_handler.go:255`
-- **What**: Returns `map[string]interface{}{"message":"...", "document": response}` mixing message with DTO.
-- **Impact**: Inconsistent response shape.
-
-### API-43 | WARNING | UploadImage accepts any file type
-- **File**: `internal/handlers/upload_handler.go:24-42`
-- **What**: No Content-Type or extension validation. Accepts executables, HTML, etc.
-- **Impact**: Stored XSS risk; non-image files stored as images.
-
-### API-44 | WARNING | User-controlled category in upload
-- **File**: `internal/handlers/upload_handler.go:31`
-- **What**: `category` query param passed to Upload without validation.
-- **Impact**: Low risk due to service-layer sanitization.
-
-### API-45 | WARNING | UploadDocumentImage accepts any file type
-- **File**: `internal/handlers/document_handler.go:282-293`
-- **What**: Same issue as UploadImage.
-- **Impact**: Non-image files stored as images.
-
-### API-46 | WARNING | DocumentType accepts arbitrary strings
-- **File**: `internal/dto/requests/document.go:16`
-- **What**: No `validate:"oneof=..."` tag.
-- **Impact**: Unknown document types in database.
-
-### API-47 | WARNING | Multipart DocumentType not validated
-- **File**: `internal/handlers/document_handler.go:136-138`
-- **What**: `models.DocumentType(docType)` casts any string.
-- **Impact**: Same.
-
-### API-48 | WARNING | Description fields — no max length (4 locations)
-- **File**: `internal/dto/requests/task.go:59`, `document.go:15`, `contractor.go:11`, `residence.go:24`
-- **What**: Description/Notes fields have no `max` validation.
-- **Impact**: Multi-megabyte descriptions stored.
-
-### API-49 | WARNING | Template search — no max query length
-- **File**: `internal/handlers/task_template_handler.go:50-57`
-- **What**: Minimum length (2) but no maximum. 10MB query string accepted.
-- **Impact**: Slow LIKE queries, memory exhaustion.
-
----
-
-## Audit 9: Cross-Cutting Logic
-
-### CROSS-01 | CRITICAL | Task update error after completion logged but not returned
-- **File**: `internal/services/task_service.go:601-606`
-- **What**: `taskRepo.Update(task)` failure only logged. Version conflicts propagate but other errors swallowed. Inconsistent behavior.
-- **Impact**: One-time tasks remain in kanban with stale NextDueDate. Recurring tasks show wrong next occurrence.
-
-### CROSS-02 | CRITICAL | Apple IAP validation failure grants 1-month free Pro
-- **File**: `internal/services/subscription_service.go:371`
-- **What**: Non-fatal errors (network timeouts, server errors) fall through to 1-month Pro grant.
-- **Impact**: Free Pro on transient Apple API errors.
-
-### CROSS-03 | CRITICAL | Unconfigured Apple IAP grants 1-year free Pro
-- **File**: `internal/services/subscription_service.go:378-381`
-- **What**: `s.appleClient == nil` grants 1-year Pro.
-- **Impact**: Free Pro on any deployment without Apple IAP configured.
-
-### CROSS-04 | CRITICAL | Apple JWS not verified
-- **File**: `internal/handlers/subscription_webhook_handler.go:190-192`
-- **What**: `VerifyAppleSignature` exists but is never called. Returns nil when certs not loaded.
-- **Impact**: Forged webhooks accepted.
-
-### CROSS-05 | CRITICAL | Google webhook always returns true
-- **File**: `internal/handlers/subscription_webhook_handler.go:787-793`
-- **What**: Unconditional `return true`.
-- **Impact**: Forged events accepted.
-
-### CROSS-06 | BUG | resolveImageFilePath — path traversal
-- **File**: `internal/services/task_service.go:857-862`
-- **What**: No containment check. `os.ReadFile` could read arbitrary files.
-- **Impact**: Arbitrary files embedded in notification emails.
-
-### CROSS-07 | BUG | Media handler resolveFilePath — path traversal
-- **File**: `internal/handlers/media_handler.go:156-171`
-- **What**: Same issue. Stored URL controls file path.
-- **Impact**: Arbitrary file serving via media endpoint.
-
-### CROSS-08 | BUG | Subscription tier limits commented out
-- **File**: `internal/services/residence_service.go:155`
-- **What**: `CheckLimit` never called from any create operation.
-- **Impact**: Free-tier users have unlimited everything.
-
-### CROSS-09 | BUG | CreateTask handler missing c.Validate()
-- **File**: `internal/handlers/task_handler.go:108-121`
-- **What**: Validation tags dead code.
-- **Impact**: Empty titles, missing residence_id accepted.
-
-### CROSS-10 | BUG | Raw error leaked — contractor_handler.go:31
-- **File**: `internal/handlers/contractor_handler.go:31`
-- **What**: `err.Error()` in response.
-- **Impact**: Internal details exposed.
-
-### CROSS-11 | LOGIC_ERROR | Google renewal extends by guessing duration from product ID string
-- **File**: `internal/handlers/subscription_webhook_handler.go:636-651`
-- **What**: `strings.Contains(notification.SubscriptionID, "monthly")` determines duration. Uses `time.Now()` instead of current expiry.
-- **Impact**: Wrong renewal duration if product renamed. Late renewals get extra time.
-
-### CROSS-12 | LOGIC_ERROR | Google recovered/restarted hardcode 1-month regardless of plan
-- **File**: `internal/handlers/subscription_webhook_handler.go:657,694`
-- **What**: Both use `AddDate(0, 1, 0)` regardless of monthly vs yearly.
-- **Impact**: Yearly subscribers get only 1 month after recovery/restart.
-
-### CROSS-13 | LOGIC_ERROR | DeleteCompletion does not recalculate NextDueDate
-- **File**: `internal/services/task_service.go:980-1007`
-- **What**: Deletes completion but never recalculates task state. One-time tasks stay "Completed" with no completions.
-- **Impact**: Permanent kanban column mismatch. Only manual due date edit fixes it.
-
-### CROSS-14 | RACE_CONDITION | ToggleFavorite read-then-write
-- **File**: `internal/repositories/contractor_repo.go:89-101`
-- **What**: No transaction. Also doesn't filter `is_active`.
-- **Impact**: Concurrent toggles produce wrong state. Soft-deleted contractors toggleable.
-
-### CROSS-15 | RACE_CONDITION | GetOrCreatePreferences race
-- **File**: `internal/repositories/notification_repo.go:137-161`
-- **What**: Read-then-create. `==` instead of `errors.Is`.
-- **Impact**: Duplicate key errors.
-
-### CROSS-16 | RACE_CONDITION | GetOrCreate subscription race
-- **File**: `internal/repositories/subscription_repo.go:34-53`
-- **What**: Same pattern. Same error comparison issue.
-- **Impact**: Duplicate records.
-
-### CROSS-17 | SILENT_FAILURE | Share code deactivation error ignored
-- **File**: `internal/services/residence_service.go:447-450`
-- **What**: Empty `if err` block. No logging despite comment.
-- **Impact**: Multi-use of one-time share codes.
-
-### CROSS-18 | FRAGILE | QuickComplete goroutine cascade
-- **File**: `internal/services/task_service.go:735`
-- **What**: Spawns goroutines from service. Violates architecture rule. No tracking.
-- **Impact**: Unbounded goroutines. Notifications lost on shutdown.
-
-### CROSS-19 | FRAGILE | N+1 queries in getUserUsage
-- **File**: `internal/services/subscription_service.go:186-204`
-- **What**: 3 COUNT queries per residence.
-- **Impact**: Linear query growth. Called on every subscription check.
-
-### CROSS-20 | FRAGILE | Unchecked type assertions (72+ locations)
-- **File**: `internal/handlers/*.go`
-- **What**: Systemic pattern. `MustGetAuthUser` exists but unused outside auth_handler.
-- **Impact**: Panic on middleware misconfiguration.
-
-### CROSS-21 | FRAGILE | stdlib "log" instead of zerolog in subscription_service
-- **File**: `internal/services/subscription_service.go:7`
-- **What**: ~15 `log.Printf` calls bypass structured logging.
-- **Impact**: Payment debugging harder. Logs not captured in pipeline.
-
----
-
-## Deduplicated Priority List
-
-### P0 — Exploitable Now (Fix Immediately)
-
-| ID | Finding | Files |
-|---|---|---|
-| P0-1 | Apple JWS webhook not verified | `subscription_webhook_handler.go:190` |
-| P0-2 | Google webhook auth always true | `subscription_webhook_handler.go:787` |
-| P0-3 | IAP validation failure grants free Pro (Apple) | `subscription_service.go:371` |
-| P0-4 | IAP not configured grants 1-year free Pro (Apple) | `subscription_service.go:381` |
-| P0-5 | IAP validation failure grants free Pro (Google) | `subscription_service.go:429` |
-| P0-6 | IAP not configured grants 1-year free Pro (Google) | `subscription_service.go:449` |
-| P0-7 | Hardcoded admin "admin/admin" reset every migration | `database.go:372-382` |
-| P0-8 | Hardcoded admin "admin123" reset every migration | `database.go:447-463` |
-| P0-9 | SQL injection in admin sort_by params | `admin/handlers/*.go` |
-| P0-10 | Path traversal — media handler resolveFilePath | `media_handler.go:156` |
-| P0-11 | Path traversal — task service resolveImageFilePath | `task_service.go:857` |
-| P0-12 | Subscription tier limits commented out | `residence_service.go:155` |
-
-### P1 — Crashes & Data Corruption
-
-| ID | Finding | Files |
-|---|---|---|
-| P1-1 | 72+ unchecked type assertions (panic risk) | All handlers |
-| P1-2 | Token slice panic on < 8 char tokens | `auth.go:66` |
-| P1-3 | WebSocket nil deref after upgrade failure | `monitoring/handler.go:117` |
-| P1-4 | WebSocket goroutine spin after ctx.Done | `monitoring/handler.go:177` |
-| P1-5 | Completion + task update not in transaction | `task_service.go:563-606` |
-| P1-6 | Task update error after completion swallowed | `task_service.go:601` |
-| P1-7 | DeleteCompletion doesn't recalculate NextDueDate | `task_service.go:980` |
-| P1-8 | 3 TOCTOU race conditions (GetOrCreate patterns) | `notification_repo.go:137`, `subscription_repo.go:34`, `contractor_repo.go:89` |
-| P1-9 | ToggleFavorite on soft-deleted contractors | `contractor_repo.go:91` |
-| P1-10 | UpdateContractor allows cross-residence reassignment | `contractor_service.go:200` |
-| P1-11 | DeleteDevice no ownership check | `notification_service.go:359` |
-| P1-12 | DeleteFile no ownership check | `upload_handler.go:78` |
-| P1-13 | FCM response index out of bounds | `fcm.go:119` |
-| P1-14 | Admin lookup handler nil cache panic | `admin/lookup_handler.go:30` |
-| P1-15 | Apple legacy receipt sandbox race condition | `iap_validation.go:381` |
-
-### P2 — Resource Exhaustion & Performance
-
-| ID | Finding | Files |
-|---|---|---|
-| P2-1 | Unbounded goroutines per notification (2N per completion) | `task_service.go:773` |
-| P2-2 | 8+ fire-and-forget goroutines in handlers | `auth_handler.go:83`, `task_handler.go:41`, `tracking_handler.go:34` |
-| P2-3 | No limit cap on notification queries | `notification_handler.go:29` |
-| P2-4 | N+1 queries: getUserUsage (3N+1 per subscription check) | `subscription_service.go:186` |
-| P2-5 | Kanban 5 separate queries instead of 1 | `task_repo.go:504` |
-| P2-6 | Daily digest 4 queries per user | `worker/jobs/handler.go:321` |
-| P2-7 | Smart reminder N queries per active task | `worker/jobs/handler.go:740` |
-| P2-8 | LIKE search on unindexed receipt blob | `subscription_repo.go:126` |
-| P2-9 | FindByUser unbounded (documents + contractors) | `document_repo.go:56`, `contractor_repo.go:48` |
-| P2-10 | FindByResidence over-preloads Completions.Images | `task_repo.go:267` |
-| P2-11 | Unbounded goroutines per log line | `monitoring/writer.go:90` |
-| P2-12 | cpu.Percent blocks 1 second per collection | `monitoring/collector.go:82` |
-| P2-13 | Double ReadMemStats per collection | `monitoring/collector.go:96` |
-| P2-14 | O(N*M) linear scan in reminder jobs | `worker/jobs/handler.go:154` |
-| P2-15 | Admin document images N+1 query | `admin/document_image_handler.go:223` |
-| P2-16 | 4 separate COUNT queries for email stats | `onboarding_email_service.go:128` |
-
-### P3 — Validation & Hardening
-
-| ID | Finding | Files |
-|---|---|---|
-| P3-1 | 13 handlers missing c.Validate() after Bind | Multiple handlers |
-| P3-2 | 3 DTOs use Gin `binding` tags instead of Echo `validate` | `notification_service.go:552`, `subscription_service.go:657`, `upload_handler.go:80` |
-| P3-3 | 3 handlers leak raw err.Error() to clients | `contractor_handler.go:31,150`, `document_handler.go:92` |
-| P3-4 | Rating fields unbounded (contractor + completion) | `contractor.go:17,34`, `task.go:93,101` |
-| P3-5 | CustomIntervalDays accepts 0/negative | `task.go:63` |
-| P3-6 | Bedrooms/SquareFootage accept negatives | `residence.go:19-21` |
-| P3-7 | ExpiresInHours no validation | `residence.go:58` |
-| P3-8 | FileSize accepts negative | `document.go:19` |
-| P3-9 | Array fields unbounded (ImageURLs, SpecialtyIDs) | `document.go:28`, `task.go:94,102`, `contractor.go:16` |
-| P3-10 | Description/Notes no max length (4 locations) | `task.go:59`, `document.go:15`, `contractor.go:11`, `residence.go:24` |
-| P3-11 | DocumentType no enum validation | `document.go:16`, `document_handler.go:136` |
-| P3-12 | Upload accepts any Content-Type | `upload_handler.go:24`, `document_handler.go:282` |
-| P3-13 | Search query no max length | `task_template_handler.go:50` |
-| P3-14 | No pagination on 3 list endpoints | `contractor_handler.go:28`, `document_handler.go:36`, `task_handler.go:280` |
-| P3-15 | Inconsistent error response formats | Multiple handlers |
-| P3-16 | Google renewal duration guessed from product ID string | `subscription_webhook_handler.go:636` |
-| P3-17 | Google recovered/restarted hardcode 1-month | `subscription_webhook_handler.go:657,694` |
-| P3-18 | LIKE wildcards not escaped | `document_repo.go:91`, `task_template_repo.go:48` |
-| P3-19 | GORM v1 FOR UPDATE pattern | `subscription_repo.go:66` |
-| P3-20 | Admin JWT via query parameter | `admin_auth.go:50` |
-| P3-21 | WebSocket CheckOrigin always true | `monitoring/handler.go:19` |
-| P3-22 | X-Request-ID not sanitized (log injection) | `request_id.go:21` |
-| P3-23 | ClearAllData no secondary confirmation | `admin/settings_handler.go:529` |
-| P3-24 | XSS in admin email template | `admin/notification_handler.go:351` |
-| P3-25 | Admin seed SQL not parameterized | `admin/settings_handler.go:378` |
-| P3-26 | UUID truncated to 8 chars | `storage_service.go:75` |
-| P3-27 | Non-pointer bool IsActive defaults false on PATCH | `admin/share_code_handler.go:155` |
-| P3-28 | Share code deactivation silently ignored | `residence_service.go:447` |
-| P3-29 | Hardcoded debug secret key | `config.go:339` |
-| P3-30 | stdlib log instead of zerolog (subscription) | `subscription_service.go:7` |
-| P3-31 | stdlib log instead of zerolog (webhook) | `subscription_webhook_handler.go:11` |
-| P3-32 | 9 silent failures (unchecked DB errors) | Multiple files |
-| P3-33 | MediaHandler bypasses service layer | `media_handler.go:19` |
-| P3-34 | OnboardingEmailService bypasses repository | `onboarding_email_service.go:17` |
-| P3-35 | Webhook handler bypasses service layer | `subscription_webhook_handler.go:26` |
-| P3-36 | Worker handler raw DB access | `worker/jobs/handler.go:35` |
-| P3-37 | GetKanbanColumnWithTimezone duplicates chain | `models/task.go:201` |
-| P3-38 | IsActive/IsPro ignore IsFree override | `models/subscription.go:57` |
-| P3-39 | GetAllUsers wrong when not preloaded | `models/residence.go:65` |
-| P3-40 | IsRecurring wrong when Frequency not preloaded | `predicates/predicates.go:209` |
-| P3-41 | Template Save without Omit | `task_template_repo.go:79` |
-| P3-42 | AddUser uses PostgreSQL-specific ON CONFLICT | `residence_repo.go:125` |
-| P3-43 | Bare Save without Omit (notification prefs + subscription) | `notification_repo.go:133`, `subscription_repo.go:57` |
-| P3-44 | `errors.Is` not used for ErrRecordNotFound (2 locations) | `notification_repo.go:143`, `subscription_repo.go:40` |
-| P3-45 | UTF-8 byte-level truncation in PDF | `pdf_service.go:131` |
-| P3-46 | Global cache singleton without sync | `cache_service.go:21` |
-| P3-47 | i18n Bundle nil dereference risk | `i18n.go:16` |
-| P3-48 | log.Fatal in worker goroutines | `cmd/worker/main.go:185` |
-| P3-49 | WithTransaction uses mutable global db | `database.go:100` |
-| P3-50 | filepath.Abs errors ignored in storage Delete | `storage_service.go:137` |
-| P3-51 | Bind error silently discarded (residence_handler) | `residence_handler.go:187` |
-| P3-52 | SetAsynqInspector writes without sync | `monitoring/service.go:85` |
-| P3-53 | WebSocket reader doesn't stop on write errors | `monitoring/handler.go:131` |
-| P3-54 | Activate/Deactivate hybrid response format | `document_handler.go:255` |
-| P3-55 | nil vs empty slice inconsistency | `user_service.go`, `responses/*.go` |
-| P3-56 | applyFilterOptions applies no scope on empty filter | `task_repo.go:60` |
-| P3-57 | Multiple db.Exec errors unchecked for index creation | `database.go:182+` |
diff --git a/docs/DOKKU_SETUP.md b/docs/DOKKU_SETUP.md
deleted file mode 100644
index c0aff68..0000000
--- a/docs/DOKKU_SETUP.md
+++ /dev/null
@@ -1,566 +0,0 @@
-# Dokku Deployment Guide for honeyDue API
-
-This guide provides step-by-step instructions for deploying the honeyDue Go API to a remote server using Dokku.
-
-## Table of Contents
-
-1. [Prerequisites](#prerequisites)
-2. [Server Setup](#server-setup)
-3. [Install Dokku](#install-dokku)
-4. [Create the App](#create-the-app)
-5. [Configure PostgreSQL](#configure-postgresql)
-6. [Configure Redis](#configure-redis)
-7. [Set Environment Variables](#set-environment-variables)
-8. [Configure Storage](#configure-storage)
-9. [Deploy the Application](#deploy-the-application)
-10. [Configure SSL](#configure-ssl)
-11. [Set Up Worker Process](#set-up-worker-process)
-12. [Push Notifications (Optional)](#push-notifications-optional)
-13. [Maintenance Commands](#maintenance-commands)
-14. [Troubleshooting](#troubleshooting)
-
----
-
-## Prerequisites
-
-### Server Requirements
-- Ubuntu 22.04 LTS (recommended) or 20.04 LTS
-- Minimum 2GB RAM (4GB+ recommended for production)
-- 20GB+ disk space
-- Root or sudo access
-- Domain name pointed to your server's IP
-
-### Local Requirements
-- Git installed
-- SSH key configured for server access
-
----
-
-## Server Setup
-
-### 1. Connect to Your Server
-
-```bash
-ssh root@your-server-ip
-```
-
-### 2. Update System Packages
-
-```bash
-apt update && apt upgrade -y
-```
-
-### 3. Set Up Swap (Recommended for servers with limited RAM)
-
-```bash
-# Create 2GB swap file
-fallocate -l 2G /swapfile
-chmod 600 /swapfile
-mkswap /swapfile
-swapon /swapfile
-
-# Make permanent
-echo '/swapfile none swap sw 0 0' | tee -a /etc/fstab
-```
-
-### 4. Configure Firewall
-
-```bash
-ufw allow OpenSSH
-ufw allow 80/tcp
-ufw allow 443/tcp
-ufw enable
-```
-
----
-
-## Install Dokku
-
-### 1. Download and Install Dokku
-
-```bash
-# Download the installation script
-wget -NP . https://dokku.com/install/v0.34.4/bootstrap.sh
-
-# Run the installer (takes 5-10 minutes)
-sudo DOKKU_TAG=v0.34.4 bash bootstrap.sh
-```
-
-### 2. Configure Dokku
-
-```bash
-# Set your domain (replace with your actual domain)
-dokku domains:set-global honeyDue.treytartt.com
-
-# Add your SSH public key for deployments
-# Run this from your LOCAL machine:
-cat ~/.ssh/id_rsa.pub | ssh root@your-server-ip dokku ssh-keys:add admin
-```
-
-### 3. Install Required Plugins
-
-```bash
-# PostgreSQL plugin
-dokku plugin:install https://github.com/dokku/dokku-postgres.git postgres
-
-# Redis plugin
-dokku plugin:install https://github.com/dokku/dokku-redis.git redis
-
-# Let's Encrypt plugin (for SSL)
-dokku plugin:install https://github.com/dokku/dokku-letsencrypt.git
-```
-
----
-
-## Create the App
-
-### 1. Create the Dokku App
-
-```bash
-dokku apps:create honeydue-api
-```
-
-### 2. Set the Domain
-
-```bash
-dokku domains:add honeydue-api api.honeyDue.treytartt.com
-```
-
-### 3. Configure Buildpack (if needed)
-
-The app uses a Dockerfile, so Dokku will auto-detect it. If you need to force Docker builds:
-
-```bash
-dokku builder:set honeydue-api build-dir .
-dokku builder-dockerfile:set honeydue-api dockerfile-path Dockerfile
-```
-
----
-
-## Configure PostgreSQL
-
-### 1. Create PostgreSQL Service
-
-```bash
-# Create the database service
-dokku postgres:create honeydue-db
-
-# Link to the app (automatically sets DATABASE_URL)
-dokku postgres:link honeydue-db honeydue-api
-```
-
-### 2. Verify Connection
-
-```bash
-# Check the connection info
-dokku postgres:info honeydue-db
-
-# Connect to the database
-dokku postgres:connect honeydue-db
-```
-
-### 3. Set Individual Database Variables
-
-Dokku sets `DATABASE_URL` automatically, but the app expects individual variables:
-
-```bash
-# Get the database credentials
-dokku postgres:info honeydue-db
-
-# Set individual variables (replace with actual values from info command)
-dokku config:set honeydue-api \
-  DB_HOST=dokku-postgres-honeydue-db \
-  DB_PORT=5432 \
-  POSTGRES_DB=honeydue_db \
-  POSTGRES_USER=postgres \
-  POSTGRES_PASSWORD=1mJPfu6rzG9r6xukcGbUOU5NoCg0jKfa
-```
-
----
-
-## Configure Redis
-
-### 1. Create Redis Service
-
-```bash
-# Create the Redis service
-dokku redis:create honeydue-redis
-
-# Link to the app (automatically sets REDIS_URL)
-dokku redis:link honeydue-redis honeydue-api
-```
-
-### 2. Verify Connection
-
-```bash
-dokku redis:info honeydue-redis
-```
-
----
-
-## Set Environment Variables
-
-### 1. Required Variables
-
-```bash
-dokku config:set honeydue-api \
-  PORT=5000 \
-  DEBUG=false \
-  ALLOWED_HOSTS=api.honeyDue.treytartt.com,localhost \
-  TIMEZONE=UTC \
-  SECRET_KEY=8553813eda361017a02677ed504abdd331537cfe6f7cc407345f037cc22c75fc
-```
-
-### 2. Email Configuration
-
-```bash
-dokku config:set honeydue-api \
-  EMAIL_HOST=smtp.fastmail.com \
-  EMAIL_PORT=587 \
-  EMAIL_USE_TLS=true \
-  EMAIL_HOST_USER=treytartt@fastmail.com \
-  EMAIL_HOST_PASSWORD=2t9y4n4t497z5863 \
-  DEFAULT_FROM_EMAIL="honeyDue <treytartt@fastmail.com>"
-```
-
-### 3. Apple Sign In (Optional)
-
-```bash
-dokku config:set honeydue-api \
-  APPLE_CLIENT_ID=com.tt.honeyDue.honeyDueDev \
-  APPLE_TEAM_ID=V3PF3M6B6U
-```
-
-### 4. Push Notifications (Optional)
-
-The API uses direct APNs/FCM connections (no external push server needed):
-
-```bash
-dokku config:set honeydue-api \
-  APNS_AUTH_KEY_PATH=/push_certs/AuthKey_R9N3SM2WD5.p8 \
-  APNS_AUTH_KEY_ID=R9N3SM2WD5 \
-  APNS_TEAM_ID=V3PF3M6B6U \
-  APNS_TOPIC=com.tt.honeyDue.honeyDueDev \
-  APNS_PRODUCTION=true \
-  FCM_SERVER_KEY=your-firebase-server-key
-```
-
-### 5. Admin Panel URL
-
-```bash
-dokku config:set honeydue-api \
-  NEXT_PUBLIC_API_URL=https://api.honeyDue.treytartt.com
-```
-
-### 6. View All Configuration
-
-```bash
-dokku config:show honeydue-api
-```
-
----
-
-## Configure Storage
-
-### 1. Create Persistent Storage Directory
-
-```bash
-# Create storage directory on host
-mkdir -p /var/lib/dokku/data/storage/honeydue-api/uploads
-
-# Set permissions
-chown -R 32767:32767 /var/lib/dokku/data/storage/honeydue-api
-```
-
-### 2. Mount Storage to App
-
-```bash
-dokku storage:mount honeydue-api /var/lib/dokku/data/storage/honeydue-api/uploads:/app/uploads
-```
-
----
-
-## Deploy the Application
-
-### 1. Add Dokku Remote (Local Machine)
-
-```bash
-cd /path/to/honeyDueAPI-go
-git remote add dokku dokku@your-server-ip:honeydue-api
-```
-
-### 2. Deploy
-
-```bash
-git push dokku master:main
-# Or if your branch is already 'main':
-git push dokku main
-```
-
-### 3. Watch Deployment Logs
-
-```bash
-# On server
-dokku logs honeydue-api -t
-```
-
-### 4. Verify Deployment
-
-```bash
-# Check app status
-dokku ps:report honeydue-api
-
-# Check app is running
-curl https://api.honeyDue.treytartt.com/api/health/
-```
-
----
-
-## Configure SSL
-
-### 1. Set Let's Encrypt Email
-
-```bash
-dokku letsencrypt:set honeydue-api email admin@treytartt.com
-```
-
-### 2. Enable Let's Encrypt
-
-```bash
-dokku letsencrypt:enable honeydue-api
-```
-
-### 3. Set Up Auto-Renewal
-
-```bash
-dokku letsencrypt:cron-job --add
-```
-
----
-
-## Set Up Worker Process
-
-The worker process handles background jobs (task reminders, overdue alerts, daily digests, email sending, etc.).
-
-### 1. Configure Worker Environment Variables
-
-```bash
-dokku config:set honeydue-api \
-  TASK_REMINDER_HOUR=20 \
-  TASK_REMINDER_MINUTE=0 \
-  OVERDUE_REMINDER_HOUR=9 \
-  DAILY_DIGEST_HOUR=11
-```
-
-**Schedule times are in UTC:**
-| Variable | Default | Description |
-|----------|---------|-------------|
-| `TASK_REMINDER_HOUR` | 20 | Hour to send "task due soon" notifications (8 PM UTC) |
-| `TASK_REMINDER_MINUTE` | 0 | Minute for task reminder |
-| `OVERDUE_REMINDER_HOUR` | 9 | Hour to send overdue task alerts (9 AM UTC) |
-| `DAILY_DIGEST_HOUR` | 11 | Hour to send daily summary (11 AM UTC) |
-
-### 2. Scale Worker Process
-
-```bash
-# Scale to 1 worker
-dokku ps:scale honeydue-api worker=1
-
-# Verify processes
-dokku ps:report honeydue-api
-```
-
-### 3. Verify Worker is Running
-
-```bash
-# Check worker logs
-dokku logs honeydue-api -p worker
-
-# Should see:
-# "Registered task reminder job"
-# "Registered overdue reminder job"
-# "Registered daily digest job"
-# "Starting worker server..."
-```
-
----
-
-## Maintenance Commands
-
-### View Logs
-
-```bash
-# Real-time logs
-dokku logs honeydue-api -t
-
-# Last 100 lines
-dokku logs honeydue-api -n 100
-
-# Worker logs
-dokku logs honeydue-api -p worker
-```
-
-### Database Operations
-
-```bash
-# Connect to database
-dokku postgres:connect honeydue-db
-
-# Export database backup
-dokku postgres:export honeydue-db > backup.sql
-
-# Import database backup
-dokku postgres:import honeydue-db < backup.sql
-```
-
-### Run Migrations Manually
-
-```bash
-# Enter the app container
-dokku enter honeydue-api web
-
-# Migrations run automatically on startup, but if needed:
-/app/api migrate
-```
-
-### Restart App
-
-```bash
-dokku ps:restart honeydue-api
-```
-
-### Scale App
-
-```bash
-# Scale web process
-dokku ps:scale honeydue-api web=2 worker=1
-
-# View current scale
-dokku ps:report honeydue-api
-```
-
-### Stop/Start App
-
-```bash
-dokku ps:stop honeydue-api
-dokku ps:start honeydue-api
-```
-
----
-
-## Troubleshooting
-
-### Check App Status
-
-```bash
-dokku ps:report honeydue-api
-dokku logs honeydue-api -n 200
-```
-
-### Common Issues
-
-#### 1. App Won't Start
-
-```bash
-# Check logs for errors
-dokku logs honeydue-api -n 500
-
-# Verify environment variables
-dokku config:show honeydue-api
-
-# Check if ports are available
-dokku proxy:ports honeydue-api
-```
-
-#### 2. Database Connection Failed
-
-```bash
-# Verify link
-dokku postgres:linked honeydue-api honeydue-db
-
-# Check database is running
-dokku postgres:info honeydue-db
-
-# Re-link if needed
-dokku postgres:unlink honeydue-db honeydue-api
-dokku postgres:link honeydue-db honeydue-api
-```
-
-#### 3. Redis Connection Failed
-
-```bash
-# Verify link
-dokku redis:linked honeydue-api honeydue-redis
-
-# Check Redis is running
-dokku redis:info honeydue-redis
-```
-
-#### 4. Storage/Upload Issues
-
-```bash
-# Check mounts
-dokku storage:report honeydue-api
-
-# Verify permissions
-ls -la /var/lib/dokku/data/storage/honeydue-api/
-```
-
-#### 5. SSL Certificate Issues
-
-```bash
-# Check certificate status
-dokku letsencrypt:list
-
-# Renew manually
-dokku letsencrypt:enable honeydue-api
-```
-
-### View Resource Usage
-
-```bash
-# Docker stats for all containers
-docker stats
-
-# Disk usage
-dokku storage:report honeydue-api
-df -h
-```
-
----
-
-## Quick Reference
-
-| Command | Description |
-|---------|-------------|
-| `dokku apps:list` | List all apps |
-| `dokku logs honeydue-api -t` | Tail logs |
-| `dokku ps:restart honeydue-api` | Restart app |
-| `dokku config:show honeydue-api` | Show env vars |
-| `dokku postgres:connect honeydue-db` | Connect to DB |
-| `dokku enter honeydue-api web` | Shell into container |
-| `dokku ps:scale honeydue-api web=2` | Scale processes |
-
----
-
-## Environment Variables Reference
-
-| Variable | Required | Description |
-|----------|----------|-------------|
-| `SECRET_KEY` | Yes | 32+ character secret key |
-| `DEBUG` | Yes | Set to `false` in production |
-| `ALLOWED_HOSTS` | Yes | Comma-separated list of domains |
-| `DATABASE_URL` | Auto | Set by postgres:link |
-| `REDIS_URL` | Auto | Set by redis:link |
-| `EMAIL_HOST` | Yes | SMTP server |
-| `EMAIL_PORT` | Yes | SMTP port (587) |
-| `EMAIL_HOST_USER` | Yes | SMTP username |
-| `EMAIL_HOST_PASSWORD` | Yes | SMTP password |
-| `APPLE_CLIENT_ID` | No | iOS Bundle ID |
-| `APPLE_TEAM_ID` | No | Apple Developer Team ID |
-| `APNS_AUTH_KEY_PATH` | No | Path to APNs .p8 key |
-| `APNS_AUTH_KEY_ID` | No | APNs Key ID |
-| `APNS_TEAM_ID` | No | APNs Team ID |
-| `APNS_TOPIC` | No | APNs topic (bundle ID) |
-| `APNS_PRODUCTION` | No | Use production APNs (default: false) |
-| `FCM_SERVER_KEY` | No | Firebase Cloud Messaging server key |
diff --git a/docs/GO_TO_PROD.md b/docs/GO_TO_PROD.md
deleted file mode 100644
index d68587f..0000000
--- a/docs/GO_TO_PROD.md
+++ /dev/null
@@ -1,260 +0,0 @@
-# Go To Prod Plan
-
-This document is a phased production-readiness plan for the honeyDue Go API repo.
-Execute phases in order. Do not skip exit criteria.
-
-## How To Use This Plan
-
-1. Create an issue/epic per phase.
-2. Track each checklist item as a task.
-3. Only advance phases after all exit criteria pass in CI and staging.
-
-## Phase 0 - Baseline And Drift Cleanup
-
-Goal: eliminate known repo/config drift before hardening.
-
-### Tasks
-
-1. Fix stale admin build/run targets in [`Makefile`](/Users/treyt/Desktop/code/HoneyDueAPI_GO/Makefile) that reference `cmd/admin` (non-existent).
-2. Align worker env vars in [`docker-compose.yml`](/Users/treyt/Desktop/code/HoneyDueAPI_GO/docker-compose.yml) with Go config:
-   - use `TASK_REMINDER_HOUR`
-   - use `OVERDUE_REMINDER_HOUR`
-   - use `DAILY_DIGEST_HOUR`
-3. Align supported locales in [`internal/i18n/i18n.go`](/Users/treyt/Desktop/code/HoneyDueAPI_GO/internal/i18n/i18n.go) with translation files in [`internal/i18n/translations`](/Users/treyt/Desktop/code/HoneyDueAPI_GO/internal/i18n/translations).
-4. Remove any committed secrets/keys from repo and history; rotate immediately.
-
-### Validation
-
-1. `go test ./...`
-2. `go build ./cmd/api ./cmd/worker`
-3. `docker compose config` succeeds.
-
-### Exit Criteria
-
-1. No stale targets or mismatched env keys remain.
-2. CI and local boot work with a single source-of-truth config model.
-
----
-
-## Phase 1 - Non-Negotiable CI Gates
-
-Goal: block regressions by policy.
-
-### Tasks
-
-1. Update [`/.github/workflows/backend-ci.yml`](/Users/treyt/Desktop/code/HoneyDueAPI_GO/.github/workflows/backend-ci.yml) with required jobs:
-   - `lint` (`go vet ./...`, `gofmt -l .`)
-   - `test` (`go test -race -count=1 ./...`)
-   - `contract` (`go test -v -run "TestRouteSpecContract|TestKMPSpecContract" ./internal/integration/`)
-   - `build` (`go build ./cmd/api ./cmd/worker`)
-2. Add `govulncheck ./...` job.
-3. Add secret scanning (for example, gitleaks).
-4. Set branch protection on `main` and `develop`:
-   - require PR
-   - require all status checks
-   - require at least one review
-   - dismiss stale reviews on new commits
-
-### Validation
-
-1. Open test PR with intentional formatting error; ensure merge is blocked.
-2. Open test PR with OpenAPI/route drift; ensure merge is blocked.
-
-### Exit Criteria
-
-1. No direct merge path exists without passing all gates.
-
----
-
-## Phase 2 - Contract, Data, And Migration Safety
-
-Goal: guarantee deploy safety for API behavior and schema changes.
-
-### Tasks
-
-1. Keep OpenAPI as source of truth in [`docs/openapi.yaml`](/Users/treyt/Desktop/code/HoneyDueAPI_GO/docs/openapi.yaml).
-2. Require route/schema updates in same PR as handler changes.
-3. Add migration checks in CI:
-   - migrate up on clean DB
-   - migrate down one step
-   - migrate up again
-4. Add DB constraints for business invariants currently enforced only in service code.
-5. Add idempotency protections for webhook/job handlers.
-
-### Validation
-
-1. Run migration smoke test pipeline against ephemeral Postgres.
-2. Re-run integration contract tests after each endpoint change.
-
-### Exit Criteria
-
-1. Schema changes are reversible and validated before merge.
-2. API contract drift is caught pre-merge.
-
----
-
-## Phase 3 - Test Hardening For Failure Modes
-
-Goal: increase confidence in edge cases and concurrency.
-
-### Tasks
-
-1. Add table-driven tests for task lifecycle transitions:
-   - cancel/uncancel
-   - archive/unarchive
-   - complete/quick-complete
-   - recurring next due date transitions
-2. Add timezone boundary tests around midnight and DST.
-3. Add concurrency tests for race-prone flows in services/repositories.
-4. Add fuzz/property tests for:
-   - task categorization predicates
-   - reminder schedule logic
-5. Add unauthorized-access tests for media/document/task cross-residence access.
-
-### Validation
-
-1. `go test -race -count=1 ./...` stays green.
-2. New tests fail when logic is intentionally broken (mutation spot checks).
-
-### Exit Criteria
-
-1. High-risk flows have explicit edge-case coverage.
-
----
-
-## Phase 4 - Security Hardening
-
-Goal: reduce breach and abuse risk.
-
-### Tasks
-
-1. Add strict request size/time limits for upload and auth endpoints.
-2. Add rate limits for:
-   - login
-   - forgot/reset password
-   - verification endpoints
-   - webhooks
-3. Ensure logs redact secrets/tokens/PII payloads.
-4. Enforce least-privilege for runtime creds and service accounts.
-5. Enable dependency update cadence with security review.
-
-### Validation
-
-1. Abuse test scripts for brute-force and oversized payload attempts.
-2. Verify logs do not expose secrets under failure paths.
-
-### Exit Criteria
-
-1. Security scans pass and abuse protections are enforced in runtime.
-
----
-
-## Phase 5 - Observability And Operations
-
-Goal: make production behavior measurable and actionable.
-
-### Tasks
-
-1. Standardize request correlation IDs across API and worker logs.
-2. Define SLOs:
-   - API availability
-   - p95 latency for key endpoints
-   - worker queue delay
-3. Add dashboards + alerts for:
-   - 5xx error rate
-   - auth failures
-   - queue depth/retry spikes
-   - DB latency
-4. Add dead-letter queue review and replay procedure.
-5. Document incident runbooks in [`docs/`](/Users/treyt/Desktop/code/HoneyDueAPI_GO/docs):
-   - DB outage
-   - Redis outage
-   - push provider outage
-   - webhook backlog
-
-### Validation
-
-1. Trigger synthetic failures in staging and confirm alerts fire.
-2. Execute at least one incident drill and capture MTTR.
-
-### Exit Criteria
-
-1. Team can detect and recover from common failures quickly.
-
----
-
-## Phase 6 - Performance And Capacity
-
-Goal: prove headroom before production growth.
-
-### Tasks
-
-1. Define load profiles for hot endpoints:
-   - `/api/tasks/`
-   - `/api/static_data/`
-   - `/api/auth/login/`
-2. Run load and soak tests in staging.
-3. Capture query plans for slow SQL and add indexes where needed.
-4. Validate Redis/cache fallback behavior under cache loss.
-5. Tune worker concurrency and queue weights from measured data.
-
-### Validation
-
-1. Meet agreed latency/error SLOs under target load.
-2. No sustained queue growth under steady-state load.
-
-### Exit Criteria
-
-1. Capacity plan is documented with clear limits and scaling triggers.
-
----
-
-## Phase 7 - Release Discipline And Recovery
-
-Goal: safe deployments and verified rollback/recovery.
-
-### Tasks
-
-1. Adopt canary or blue/green deploy strategy.
-2. Add automatic rollback triggers based on SLO violations.
-3. Add pre-deploy checklist:
-   - migrations reviewed
-   - CI green
-   - queue backlog healthy
-   - dependencies healthy
-4. Validate backups with restore drills (not just backup existence).
-5. Document RPO/RTO targets and current measured reality.
-
-### Validation
-
-1. Perform one full staging rollback rehearsal.
-2. Perform one restore-from-backup rehearsal.
-
-### Exit Criteria
-
-1. Deploy and rollback are repeatable, scripted, and tested.
-
----
-
-## Definition Of Done (Every PR)
-
-1. `go vet ./...`
-2. `gofmt -l .` returns no files
-3. `go test -race -count=1 ./...`
-4. Contract tests pass
-5. OpenAPI updated for endpoint changes
-6. Migrations added and reversible for schema changes
-7. Security impact reviewed for auth/uploads/media/webhooks
-8. Observability impact reviewed for new critical paths
-
----
-
-## Recommended Execution Timeline
-
-1. Week 1: Phase 0 + Phase 1
-2. Week 2: Phase 2
-3. Week 3-4: Phase 3 + Phase 4
-4. Week 5: Phase 5
-5. Week 6: Phase 6 + Phase 7 rehearsal
-
-Adjust timeline based on team size and release pressure, but keep ordering.
diff --git a/docs/LOCALIZATION_PLAN.md b/docs/LOCALIZATION_PLAN.md
deleted file mode 100644
index bd1c8db..0000000
--- a/docs/LOCALIZATION_PLAN.md
+++ /dev/null
@@ -1,412 +0,0 @@
-# Full Localization Plan for honeyDue
-
-## Overview
-
-Complete localization of the honeyDue property management app across three codebases:
-- **Go API** - Server-side localization of errors, emails, push notifications, lookup data
-- **KMM/Android** - Compose Multiplatform string resources
-- **iOS** - Apple String Catalogs (.xcstrings)
-
-**Target Languages**: English (base), Spanish, French, German, Portuguese (extensible)
-
-**Key Decisions**:
-- API returns localized strings (server-side translation)
-- Accept-Language header determines locale
-- Clients display what API returns for API content
-- Clients localize their own UI strings
-
----
-
-## Part 1: Go API Localization
-
-### 1.1 Add Dependency
-
-```bash
-go get github.com/nicksnyder/go-i18n/v2
-```
-
-### 1.2 Directory Structure
-
-```
-honeyDueAPI-go/
-├── internal/
-│   └── i18n/
-│       ├── i18n.go           # Core setup, bundle, T() helper
-│       ├── middleware.go     # Gin middleware for Accept-Language
-│       └── translations/
-│           ├── en.json       # English (base)
-│           ├── es.json       # Spanish
-│           ├── fr.json       # French
-│           ├── de.json       # German
-│           └── pt.json       # Portuguese
-├── templates/
-│   └── emails/
-│       ├── en/
-│       │   ├── welcome.html
-│       │   ├── verification.html
-│       │   └── password_reset.html
-│       ├── es/
-│       ├── fr/
-│       ├── de/
-│       └── pt/
-```
-
-### 1.3 Core Files to Create
-
-**internal/i18n/i18n.go**:
-- Initialize i18n bundle with embedded translation files
-- Provide `T(localizer, messageID, data)` helper function
-- Load all JSON translation files at startup
-
-**internal/i18n/middleware.go**:
-- Parse Accept-Language header
-- Match against supported languages (en, es, fr, de, pt)
-- Store localizer in Gin context
-- Provide `GetLocalizer(c)` helper
-
-### 1.4 Translation File Format
-
-```json
-{
-  "error.invalid_credentials": "Invalid credentials",
-  "error.username_taken": "Username already taken",
-  "error.email_taken": "Email already registered",
-  "error.not_authenticated": "Not authenticated",
-  "error.task_not_found": "Task not found",
-  "error.residence_access_denied": "You don't have access to this property",
-  "message.logged_out": "Logged out successfully",
-  "message.task_deleted": "Task deleted successfully",
-  "push.task_due_soon.title": "Task Due Soon",
-  "push.task_due_soon.body": "{{.TaskTitle}} is due {{.DueDate}}"
-}
-```
-
-### 1.5 Handler Update Pattern
-
-```go
-// Before
-c.JSON(400, gin.H{"error": "Invalid credentials"})
-
-// After
-localizer := i18n.GetLocalizer(c)
-c.JSON(400, gin.H{"error": i18n.T(localizer, "error.invalid_credentials", nil)})
-```
-
-### 1.6 Database for Lookup Translations
-
-Add translation table for task categories, priorities, statuses, frequencies:
-
-```sql
-CREATE TABLE lookup_translations (
-    id SERIAL PRIMARY KEY,
-    table_name VARCHAR(50) NOT NULL,
-    record_id INT NOT NULL,
-    locale VARCHAR(10) NOT NULL,
-    field_name VARCHAR(50) NOT NULL,
-    translated_value TEXT NOT NULL,
-    UNIQUE(table_name, record_id, locale, field_name)
-);
-```
-
-Update lookup endpoints to return translated names based on locale.
-
-### 1.7 Critical Go Files to Modify
-
-| File | Action | Description |
-|------|--------|-------------|
-| `internal/i18n/i18n.go` | CREATE | Core i18n bundle and helpers |
-| `internal/i18n/middleware.go` | CREATE | Locale detection middleware |
-| `internal/i18n/translations/*.json` | CREATE | Translation files (5 languages) |
-| `internal/router/router.go` | MODIFY | Add i18n middleware |
-| `internal/handlers/auth_handler.go` | MODIFY | Localize ~22 error strings |
-| `internal/handlers/task_handler.go` | MODIFY | Localize ~30 error strings |
-| `internal/handlers/residence_handler.go` | MODIFY | Localize ~20 error strings |
-| `internal/handlers/contractor_handler.go` | MODIFY | Localize ~15 error strings |
-| `internal/handlers/document_handler.go` | MODIFY | Localize ~15 error strings |
-| `internal/services/email_service.go` | MODIFY | Template-based emails |
-| `internal/services/notification_service.go` | MODIFY | Localized push content |
-| `internal/services/lookup_service.go` | MODIFY | Return translated lookups |
-| `templates/emails/**` | CREATE | Email templates per language |
-
----
-
-## Part 2: KMM/Android Localization
-
-### 2.1 Strategy
-
-Use Compose Multiplatform Resources (already in build.gradle.kts via `compose.components.resources`).
-
-### 2.2 Directory Structure
-
-```
-HoneyDueKMM/composeApp/src/commonMain/
-└── composeResources/
-    ├── values/
-    │   └── strings.xml          # English (base)
-    ├── values-es/
-    │   └── strings.xml          # Spanish
-    ├── values-fr/
-    │   └── strings.xml          # French
-    ├── values-de/
-    │   └── strings.xml          # German
-    └── values-pt/
-        └── strings.xml          # Portuguese
-```
-
-### 2.3 String Resource Format
-
-```xml
-<?xml version="1.0" encoding="utf-8"?>
-<resources>
-    <!-- Auth -->
-    <string name="auth_login_title">Sign In</string>
-    <string name="auth_login_subtitle">Manage your properties with ease</string>
-    <string name="auth_login_username_label">Username or Email</string>
-    <string name="auth_login_password_label">Password</string>
-    <string name="auth_login_button">Sign In</string>
-    <string name="auth_forgot_password">Forgot Password?</string>
-
-    <!-- Properties -->
-    <string name="properties_title">My Properties</string>
-    <string name="properties_empty_title">No properties yet</string>
-    <string name="properties_empty_subtitle">Add your first property to get started!</string>
-    <string name="properties_add_button">Add Property</string>
-
-    <!-- Tasks -->
-    <string name="tasks_title">Tasks</string>
-    <string name="tasks_add_title">Add New Task</string>
-    <string name="tasks_column_overdue">Overdue</string>
-    <string name="tasks_column_due_soon">Due Soon</string>
-
-    <!-- Common -->
-    <string name="common_save">Save</string>
-    <string name="common_cancel">Cancel</string>
-    <string name="common_delete">Delete</string>
-    <string name="common_loading">Loading…</string>
-    <string name="common_error_generic">Something went wrong. Please try again.</string>
-
-    <!-- Accessibility -->
-    <string name="a11y_back">Back</string>
-    <string name="a11y_close">Close</string>
-    <string name="a11y_add_property">Add Property</string>
-</resources>
-```
-
-### 2.4 Usage in Compose
-
-```kotlin
-import honeydue.composeapp.generated.resources.Res
-import honeydue.composeapp.generated.resources.*
-import org.jetbrains.compose.resources.stringResource
-
-@Composable
-fun LoginScreen() {
-    Text(stringResource(Res.string.auth_login_title))
-    Button(onClick = { /* ... */ }) {
-        Text(stringResource(Res.string.auth_login_button))
-    }
-}
-```
-
-### 2.5 Critical KMM Files to Modify
-
-| File | Action | Description |
-|------|--------|-------------|
-| `composeResources/values/strings.xml` | CREATE | Base English strings (~500) |
-| `composeResources/values-es/strings.xml` | CREATE | Spanish translations |
-| `composeResources/values-fr/strings.xml` | CREATE | French translations |
-| `composeResources/values-de/strings.xml` | CREATE | German translations |
-| `composeResources/values-pt/strings.xml` | CREATE | Portuguese translations |
-| `ui/screens/LoginScreen.kt` | MODIFY | Replace hardcoded strings |
-| `ui/screens/ResidencesScreen.kt` | MODIFY | Replace hardcoded strings |
-| `ui/screens/TasksScreen.kt` | MODIFY | Replace hardcoded strings |
-| `ui/screens/ContractorsScreen.kt` | MODIFY | Replace hardcoded strings |
-| `ui/screens/DocumentsScreen.kt` | MODIFY | Replace hardcoded strings |
-| `ui/components/*.kt` | MODIFY | Replace hardcoded strings (33 files) |
-| All other screen files | MODIFY | Replace hardcoded strings |
-
----
-
-## Part 3: iOS Localization
-
-### 3.1 Strategy
-
-Use Apple String Catalogs (`.xcstrings`) - modern approach with Xcode visual editor.
-
-### 3.2 Create String Catalog
-
-1. Xcode: File > New > File > String Catalog
-2. Name: `Localizable.xcstrings`
-3. Add languages: English, Spanish, French, German, Portuguese
-
-### 3.3 Type-Safe String Access
-
-Create `iosApp/iosApp/Helpers/L10n.swift`:
-
-```swift
-import Foundation
-
-enum L10n {
-    enum Auth {
-        static let loginTitle = String(localized: "auth_login_title")
-        static let loginSubtitle = String(localized: "auth_login_subtitle")
-        static let loginUsernameLabel = String(localized: "auth_login_username_label")
-        static let loginPasswordLabel = String(localized: "auth_login_password_label")
-        static let loginButton = String(localized: "auth_login_button")
-        static let forgotPassword = String(localized: "auth_forgot_password")
-    }
-
-    enum Properties {
-        static let title = String(localized: "properties_title")
-        static let emptyTitle = String(localized: "properties_empty_title")
-        static let emptySubtitle = String(localized: "properties_empty_subtitle")
-        static let addButton = String(localized: "properties_add_button")
-    }
-
-    enum Tasks {
-        static let title = String(localized: "tasks_title")
-        static let addTitle = String(localized: "tasks_add_title")
-        static let columnOverdue = String(localized: "tasks_column_overdue")
-        static let columnDueSoon = String(localized: "tasks_column_due_soon")
-    }
-
-    enum Common {
-        static let save = String(localized: "common_save")
-        static let cancel = String(localized: "common_cancel")
-        static let delete = String(localized: "common_delete")
-        static let loading = String(localized: "common_loading")
-        static let errorGeneric = String(localized: "common_error_generic")
-    }
-}
-```
-
-### 3.4 Usage in SwiftUI
-
-```swift
-// Before
-Text("My Properties")
-    .navigationTitle("My Properties")
-
-// After
-Text(L10n.Properties.title)
-    .navigationTitle(L10n.Properties.title)
-```
-
-### 3.5 Critical iOS Files to Modify
-
-| File | Action | Description |
-|------|--------|-------------|
-| `iosApp/Localizable.xcstrings` | CREATE | String catalog with all translations |
-| `iosApp/Helpers/L10n.swift` | CREATE | Type-safe string access |
-| `Login/LoginView.swift` | MODIFY | Replace ~7 hardcoded strings |
-| `Login/LoginViewModel.swift` | MODIFY | Replace ~12 error messages |
-| `Register/RegisterView.swift` | MODIFY | Replace ~10 hardcoded strings |
-| `Residence/*.swift` | MODIFY | Replace ~30 hardcoded strings |
-| `Task/*.swift` | MODIFY | Replace ~50 hardcoded strings |
-| `Contractor/*.swift` | MODIFY | Replace ~20 hardcoded strings |
-| `Document/*.swift` | MODIFY | Replace ~15 hardcoded strings |
-| `Profile/*.swift` | MODIFY | Replace ~20 hardcoded strings |
-| All other view files | MODIFY | Replace hardcoded strings |
-
----
-
-## Part 4: Implementation Order
-
-### Phase 1: Infrastructure (Do First)
-
-1. **Go API**:
-   - Add go-i18n dependency
-   - Create `internal/i18n/` package with i18n.go and middleware.go
-   - Create base `en.json` with all extractable strings
-   - Add middleware to router
-   - Test with curl using Accept-Language header
-
-2. **KMM**:
-   - Create `composeResources/values/strings.xml` with ~50 core strings
-   - Verify Compose resources compile correctly
-   - Update one screen (LoginScreen) as proof of concept
-
-3. **iOS**:
-   - Create `Localizable.xcstrings` in Xcode
-   - Create `L10n.swift` helper
-   - Add ~50 core strings
-   - Update LoginView as proof of concept
-
-### Phase 2: API Full Localization
-
-1. Update all handlers to use localized errors
-2. Add lookup_translations table and seed data
-3. Update lookup service to return translated names
-4. Move email templates to files, create Spanish versions
-5. Update push notification service for localized content
-
-### Phase 3: Mobile String Extraction
-
-**Order by feature (same for KMM and iOS)**:
-1. Auth screens (Login, Register, Verify, Password Reset, Apple Sign In)
-2. Property screens (List, Detail, Form, Join, Share, Manage Users)
-3. Task screens (List, Detail, Form, Complete, Actions, Kanban)
-4. Contractor screens (List, Detail, Form)
-5. Document screens (List, Detail, Form, Warranties)
-6. Profile screens (Profile, Settings, Notifications)
-7. Common components (Dialogs, Cards, Empty States, Loading)
-
-### Phase 4: Create Translation Files
-
-- Create es.json, fr.json, de.json, pt.json for Go API
-- Create values-es/, values-fr/, values-de/, values-pt/ for KMM
-- Add all language translations to iOS String Catalog
-
-### Phase 5: Testing & Polish
-
-- Test all screens in each language
-- Verify email rendering in each language
-- Test push notifications
-- Verify lookup data translations
-- Handle edge cases (long strings, RTL future-proofing)
-
----
-
-## String Naming Convention
-
-Use consistent keys across all platforms:
-
-```
-<category>_<screen/feature>_<element>
-
-Examples:
-auth_login_title
-auth_login_button
-properties_list_empty_title
-properties_form_field_name
-tasks_detail_button_complete
-common_button_save
-common_button_cancel
-error_network_timeout
-a11y_button_back
-```
-
-
----
-
-## Estimated String Counts
-
-| Platform | Approximate Strings |
-|----------|---------------------|
-| Go API - Errors | ~100 |
-| Go API - Email templates | ~50 per language |
-| Go API - Push notifications | ~20 |
-| Go API - Lookup data | ~50 |
-| KMM/Android | ~500 |
-| iOS | ~500 |
-| **Total unique strings** | ~700-800 |
-
----
-
-## Translation Workflow
-
-1. **Extract**: All English strings defined first
-2. **Export**: JSON (Go), XML (Android), .xcstrings (iOS)
-3. **Translate**: Use Lokalise, Crowdin, or manual translation
-4. **Import**: Place translated files in correct locations
-5. **Test**: Verify in each language
diff --git a/docs/PUSH_NOTIFICATIONS.md b/docs/PUSH_NOTIFICATIONS.md
deleted file mode 100644
index 5bb1406..0000000
--- a/docs/PUSH_NOTIFICATIONS.md
+++ /dev/null
@@ -1,294 +0,0 @@
-# Push Notifications Architecture
-
-This document describes how push notifications work in the honeyDue API.
-
-## Overview
-
-The honeyDue API sends push notifications directly to Apple Push Notification service (APNs) and Firebase Cloud Messaging (FCM) without any intermediate push server. This approach:
-
-- Reduces infrastructure complexity (no Gorush or other push server needed)
-- Provides direct control over notification payloads
-- Supports actionable notifications with custom button types
-
-## Architecture
-
-```
-┌─────────────────────────────────────────────────────────────────────────┐
-│                           honeyDue API                                     │
-├─────────────────────────────────────────────────────────────────────────┤
-│                                                                          │
-│  ┌──────────────┐    ┌─────────────────────┐    ┌───────────────────┐   │
-│  │   Handlers   │───▶│ NotificationService │───▶│    PushClient     │   │
-│  │  (HTTP API)  │    │                     │    │                   │   │
-│  └──────────────┘    │  - Create record    │    │  ┌─────────────┐  │   │
-│                      │  - Get button types │    │  │  APNsClient │──┼───┼──▶ APNs
-│  ┌──────────────┐    │  - Send push        │    │  │  (apns2)    │  │   │
-│  │   Worker     │───▶│                     │    │  └─────────────┘  │   │
-│  │  (Asynq)     │    └─────────────────────┘    │                   │   │
-│  └──────────────┘                               │  ┌─────────────┐  │   │
-│                                                 │  │  FCMClient  │──┼───┼──▶ FCM
-│                                                 │  │  (HTTP)     │  │   │
-│                                                 │  └─────────────┘  │   │
-│                                                 └───────────────────┘   │
-└─────────────────────────────────────────────────────────────────────────┘
-```
-
-## Components
-
-### 1. Push Client (`internal/push/client.go`)
-
-The unified push client that wraps both APNs and FCM clients:
-
-```go
-type Client struct {
-    apns *APNsClient  // iOS
-    fcm  *FCMClient   // Android
-}
-```
-
-**Key Methods:**
-- `SendToIOS()` - Send to iOS devices
-- `SendToAndroid()` - Send to Android devices
-- `SendToAll()` - Send to both platforms
-- `SendActionableNotification()` - Send with iOS category for action buttons
-
-### 2. APNs Client (`internal/push/apns.go`)
-
-Uses the [sideshow/apns2](https://github.com/sideshow/apns2) library for direct APNs communication:
-
-- **Token-based authentication** using .p8 key file
-- **Production/Sandbox** modes based on configuration
-- **Batch sending** with per-token error handling
-- **Category support** for actionable notifications
-
-### 3. FCM Client (`internal/push/fcm.go`)
-
-Uses direct HTTP calls to the FCM legacy API (`https://fcm.googleapis.com/fcm/send`):
-
-- **Server key authentication**
-- **Batch sending** via `registration_ids`
-- **Data payload** for Android action handling
-
-### 4. Notification Service (`internal/services/notification_service.go`)
-
-Orchestrates notification creation and delivery:
-
-```go
-func (s *NotificationService) CreateAndSendTaskNotification(
-    ctx context.Context,
-    userID uint,
-    notifType models.NotificationType,
-    task *models.Task,
-) error
-```
-
-**Responsibilities:**
-1. Create notification record in database
-2. Determine button types based on task state
-3. Map button types to iOS category
-4. Get user's device tokens
-5. Send via PushClient
-
-### 5. Task Button Types (`internal/services/task_button_types.go`)
-
-Determines which action buttons to show based on task state:
-
-| Task State | Button Types |
-|------------|--------------|
-| Overdue | `edit`, `complete`, `cancel`, `mark_in_progress` |
-| Due Soon | `edit`, `complete`, `cancel`, `mark_in_progress` |
-| In Progress | `edit`, `complete`, `cancel` |
-| Cancelled | `edit` |
-| Completed | `edit` |
-
-## Scheduled Notifications
-
-The worker process (`cmd/worker/main.go`) sends scheduled notifications using Asynq:
-
-### Schedule
-
-| Job | Default Time (UTC) | Config Variable |
-|-----|-------------------|-----------------|
-| Task Reminders | 8:00 PM | `TASK_REMINDER_HOUR`, `TASK_REMINDER_MINUTE` |
-| Overdue Alerts | 9:00 AM | `OVERDUE_REMINDER_HOUR` |
-| Daily Digest | 11:00 AM | `DAILY_DIGEST_HOUR` |
-
-### Job Handlers (`internal/worker/jobs/handler.go`)
-
-1. **HandleTaskReminder** - Sends actionable notifications for tasks due today/tomorrow
-2. **HandleOverdueReminder** - Sends actionable notifications for overdue tasks
-3. **HandleDailyDigest** - Sends summary notification with task statistics
-
-## iOS Categories
-
-iOS actionable notifications use categories to define available actions. The API sends a `category` field that maps to categories registered in the iOS app:
-
-| Category ID | Actions |
-|-------------|---------|
-| `TASK_ACTIONABLE` | Complete, Edit, Skip, In Progress |
-| `TASK_IN_PROGRESS` | Complete, Edit, Cancel |
-| `TASK_CANCELLED` | Edit |
-| `TASK_COMPLETED` | Edit |
-
-The iOS app must register these categories in `AppDelegate`:
-
-```swift
-let completeAction = UNNotificationAction(identifier: "COMPLETE", title: "Complete")
-let editAction = UNNotificationAction(identifier: "EDIT", title: "Edit")
-// ... more actions
-
-let taskCategory = UNNotificationCategory(
-    identifier: "TASK_ACTIONABLE",
-    actions: [completeAction, editAction, skipAction, inProgressAction],
-    intentIdentifiers: []
-)
-```
-
-## Configuration
-
-### Environment Variables
-
-| Variable | Required | Description |
-|----------|----------|-------------|
-| `APNS_AUTH_KEY_PATH` | For iOS | Path to .p8 key file |
-| `APNS_AUTH_KEY_ID` | For iOS | Key ID from Apple Developer |
-| `APNS_TEAM_ID` | For iOS | Team ID from Apple Developer |
-| `APNS_TOPIC` | For iOS | Bundle ID (e.g., `com.tt.honeyDue.honeyDueDev`) |
-| `APNS_PRODUCTION` | No | `true` for production, `false` for sandbox |
-| `APNS_USE_SANDBOX` | No | Deprecated, use `APNS_PRODUCTION` |
-| `FCM_SERVER_KEY` | For Android | Firebase Cloud Messaging server key |
-
-### Docker/Dokku Setup
-
-Mount the .p8 key file:
-
-```bash
-# Docker
-volumes:
-  - ./push_certs:/certs:ro
-
-# Dokku
-dokku storage:mount honeydue-api /path/to/push_certs:/certs
-```
-
-## Data Flow
-
-### Real-time Notification (e.g., task assigned)
-
-```
-1. User assigns task via API
-2. Handler calls NotificationService.CreateAndSendTaskNotification()
-3. NotificationService:
-   a. Creates Notification record in database
-   b. Calls GetButtonTypesForTask() to determine actions
-   c. Maps buttons to iOS category
-   d. Gets user's device tokens from APNSDevice/GCMDevice tables
-   e. Calls PushClient.SendActionableNotification()
-4. PushClient sends to APNs and/or FCM
-5. Device receives notification with action buttons
-```
-
-### Scheduled Notification (e.g., daily overdue alert)
-
-```
-1. Asynq scheduler triggers job at configured time
-2. Worker calls HandleOverdueReminder()
-3. Handler:
-   a. Queries all overdue tasks with Preloads
-   b. Groups tasks by user (assigned_to or residence owner)
-   c. Checks user's notification preferences
-   d. For each user with enabled notifications:
-      - Sends up to 5 individual actionable notifications
-      - Sends summary if more than 5 tasks
-4. NotificationService creates records and sends via PushClient
-```
-
-## Device Token Management
-
-Device tokens are stored in two tables:
-
-- `push_notifications_apnsdevice` - iOS device tokens
-- `push_notifications_gcmdevice` - Android device tokens (FCM)
-
-Fields:
-- `registration_id` - The device token
-- `user_id` - Associated user
-- `active` - Whether to send to this device
-- `device_id` - Unique device identifier
-
-Tokens are registered via:
-- `POST /api/push/apns/` - Register iOS device
-- `POST /api/push/gcm/` - Register Android device
-
-## Error Handling
-
-### APNs Errors
-
-The APNs client handles individual token failures:
-- Logs each failure with token prefix and reason
-- Continues sending to remaining tokens
-- Returns error only if ALL tokens fail
-
-Common APNs errors:
-- `BadDeviceToken` - Invalid or expired token
-- `Unregistered` - App uninstalled
-- `TopicDisallowed` - Bundle ID mismatch
-
-### FCM Errors
-
-The FCM client parses the response to identify failed tokens:
-- Logs failures with error type
-- Returns error only if ALL tokens fail
-
-Common FCM errors:
-- `InvalidRegistration` - Invalid token
-- `NotRegistered` - App uninstalled
-- `MismatchSenderId` - Wrong server key
-
-## Debugging
-
-### Check Push Configuration
-
-```go
-log.Info().
-    Bool("ios_enabled", pushClient.IsIOSEnabled()).
-    Bool("android_enabled", pushClient.IsAndroidEnabled()).
-    Msg("Push notification client initialized")
-```
-
-### View Worker Logs
-
-```bash
-# Docker
-docker-compose logs -f worker
-
-# Dokku
-dokku logs honeydue-api -p worker
-```
-
-### Test Push Manually
-
-The API has a test endpoint (debug mode only):
-
-```bash
-curl -X POST https://api.example.com/api/push/test/ \
-  -H "Authorization: Token <token>" \
-  -H "Content-Type: application/json" \
-  -d '{"title": "Test", "message": "Hello"}'
-```
-
-## Migration from Gorush
-
-The API previously used Gorush as an intermediate push server. The migration to direct APNs/FCM involved:
-
-1. **Added** `internal/push/apns.go` - Direct APNs using apns2 library
-2. **Added** `internal/push/fcm.go` - Direct FCM using HTTP
-3. **Added** `internal/push/client.go` - Unified client wrapper
-4. **Removed** Gorush service from docker-compose.yml
-5. **Removed** `GORUSH_URL` configuration
-
-Benefits of direct approach:
-- No additional container/service to manage
-- Lower latency (one less hop)
-- Full control over notification payload
-- Simplified debugging
diff --git a/docs/SECURE_MEDIA_ACCESS.md b/docs/SECURE_MEDIA_ACCESS.md
deleted file mode 100644
index 9385da6..0000000
--- a/docs/SECURE_MEDIA_ACCESS.md
+++ /dev/null
@@ -1,281 +0,0 @@
-    # Secure Media Access Control Plan
-
-## Problem Statement
-
-Users upload private images and documents (task completion photos, warranties, documents) that may contain sensitive information. Currently, these files are **publicly accessible** via predictable URLs (`/uploads/{category}/{timestamp}_{uuid}.{ext}`). Anyone who knows or guesses a URL can access the file without authentication.
-
-**Goal**: Ensure only users with access to a residence can view media files associated with that residence.
-
-## User Decisions
-
-| Decision | Choice |
-|----------|--------|
-| **Security Method** | Token-based proxy endpoint |
-| **Protected Media** | All uploaded media (completions, documents, warranties) |
-
----
-
-## Current Architecture (Problem)
-
-```
-Mobile App                          Go API                         Disk
-    │                                  │                             │
-    ├─→ POST /api/documents/ ─────────→│ Save to /uploads/docs/     │
-    │   (authenticated)                │────────────────────────────→│
-    │                                  │                             │
-    │←─ { file_url: "/uploads/..." } ←─│                             │
-    │                                  │                             │
-    ├─→ GET /uploads/docs/file.jpg ───→│ Static middleware          │
-    │   (NO AUTH CHECK!)               │←───────────────────────────→│
-    │←─ file bytes ←──────────────────←│                             │
-```
-
-**Issues**:
-1. `r.Static("/uploads", cfg.Storage.UploadDir)` serves files without authentication
-2. File URLs are predictable (timestamp + short UUID)
-3. URLs can be shared/leaked, granting permanent access
-4. No audit trail for file access
-
----
-
-## Recommended Solution: Authenticated Media Proxy
-
-### Architecture
-
-```
-Mobile App                          Go API                         Disk
-    │                                  │                             │
-    ├─→ POST /api/documents/ ─────────→│ Save to /uploads/docs/     │
-    │   (authenticated)                │────────────────────────────→│
-    │                                  │                             │
-    │←─ { file_url: "/api/media/..." }←│ Return proxy URL           │
-    │                                  │                             │
-    ├─→ GET /api/media/{type}/{id}────→│ Media Handler:             │
-    │   Authorization: Token xxx       │  1. Verify token            │
-    │                                  │  2. Get file record         │
-    │                                  │  3. Check residence access  │
-    │                                  │  4. Stream file             │
-    │←─ file bytes ←──────────────────←│←───────────────────────────→│
-```
-
-### Key Changes
-
-1. **Remove public static file serving** - No more `r.Static("/uploads", ...)`
-2. **Create authenticated media endpoint** - `GET /api/media/{type}/{id}`
-3. **Update stored URLs** - Store internal paths, return proxy URLs in API responses
-4. **Add access control** - Verify user has residence access before serving
-
----
-
-## Implementation Plan
-
-### Phase 1: Create Media Handler
-
-**New File: `/internal/handlers/media_handler.go`**
-
-```go
-type MediaHandler struct {
-    documentRepo   repositories.DocumentRepository
-    taskRepo       repositories.TaskRepository
-    residenceRepo  repositories.ResidenceRepository
-    storageSvc     *services.StorageService
-}
-
-// GET /api/media/document/{id}
-// GET /api/media/document-image/{id}
-// GET /api/media/completion-image/{id}
-func (h *MediaHandler) ServeMedia(c *gin.Context) {
-    // 1. Extract user from auth context
-    user := c.MustGet(middleware.AuthUserKey).(*models.User)
-
-    // 2. Get media type and ID from path
-    mediaType := c.Param("type")  // "document", "document-image", "completion-image"
-    mediaID := c.Param("id")
-
-    // 3. Look up the file record and get residence ID
-    residenceID, filePath, err := h.getFileInfo(mediaType, mediaID)
-
-    // 4. Check residence access
-    hasAccess, _ := h.residenceRepo.HasAccess(residenceID, user.ID)
-    if !hasAccess {
-        c.JSON(403, gin.H{"error": "Access denied"})
-        return
-    }
-
-    // 5. Stream the file
-    c.File(filePath)
-}
-```
-
-### Phase 2: Update Models & Responses
-
-**Change how URLs are stored and returned:**
-
-| Model | Current Storage | New Storage | API Response |
-|-------|-----------------|-------------|--------------|
-| `Document.FileURL` | `/uploads/docs/file.pdf` | `docs/file.pdf` (relative) | `/api/media/document/{id}` |
-| `DocumentImage.ImageURL` | `/uploads/images/img.jpg` | `images/img.jpg` (relative) | `/api/media/document-image/{id}` |
-| `TaskCompletionImage.ImageURL` | `/uploads/completions/img.jpg` | `completions/img.jpg` (relative) | `/api/media/completion-image/{id}` |
-
-**Update Response DTOs:**
-
-```go
-// /internal/dto/responses/document_response.go
-type DocumentResponse struct {
-    ID       uint   `json:"id"`
-    // Don't expose FileURL directly
-    // FileURL  string `json:"file_url"` // REMOVE
-    MediaURL string `json:"media_url"` // NEW: "/api/media/document/123"
-    // ...
-}
-
-type DocumentImageResponse struct {
-    ID       uint   `json:"id"`
-    MediaURL string `json:"media_url"` // "/api/media/document-image/456"
-    Caption  string `json:"caption"`
-}
-```
-
-### Phase 3: Update Router
-
-**File: `/internal/router/router.go`**
-
-```go
-// REMOVE this line:
-// r.Static("/uploads", cfg.Storage.UploadDir)
-
-// ADD authenticated media routes:
-media := api.Group("/media")
-media.Use(middleware.AuthRequired(cfg, userService))
-{
-    media.GET("/document/:id", mediaHandler.ServeDocument)
-    media.GET("/document-image/:id", mediaHandler.ServeDocumentImage)
-    media.GET("/completion-image/:id", mediaHandler.ServeCompletionImage)
-}
-```
-
-### Phase 4: Update Mobile Clients
-
-**iOS - Update image loading to include auth headers:**
-
-```swift
-// Before: Direct URL access
-AsyncImage(url: URL(string: document.fileUrl))
-
-// After: Use authenticated request
-AuthenticatedImage(url: document.mediaUrl)
-
-// New component that adds auth header
-struct AuthenticatedImage: View {
-    let url: String
-
-    var body: some View {
-        // Use URLSession with auth header, or
-        // use a library like Kingfisher with request modifier
-    }
-}
-```
-
-**KMM - Update Ktor client for image requests:**
-
-```kotlin
-// Add auth header to image requests
-suspend fun fetchMedia(mediaUrl: String): ByteArray {
-    val token = TokenStorage.getToken()
-    return httpClient.get(mediaUrl) {
-        header("Authorization", "Token $token")
-    }.body()
-}
-```
-
----
-
-## Files to Modify
-
-### Go API (honeyDueAPI-go)
-
-| File | Change |
-|------|--------|
-| `/internal/handlers/media_handler.go` | **NEW** - Authenticated media serving |
-| `/internal/router/router.go` | Remove static serving, add media routes |
-| `/internal/dto/responses/document_response.go` | Add `MediaURL` field, remove direct file URL |
-| `/internal/dto/responses/task_response.go` | Add `MediaURL` to completion images |
-| `/internal/services/document_service.go` | Update to generate proxy URLs |
-| `/internal/services/task_service.go` | Update to generate proxy URLs for completions |
-
-### iOS (HoneyDueKMM/iosApp)
-
-| File | Change |
-|------|--------|
-| `iosApp/Components/AuthenticatedImage.swift` | **NEW** - Image view with auth headers |
-| `iosApp/Task/TaskCompletionDetailView.swift` | Use AuthenticatedImage |
-| `iosApp/Documents/DocumentDetailView.swift` | Use AuthenticatedImage |
-
-### KMM/Android
-
-| File | Change |
-|------|--------|
-| `network/MediaApi.kt` | **NEW** - Authenticated media fetching |
-| `ui/components/AuthenticatedImage.kt` | **NEW** - Compose image with auth |
-
----
-
-## Migration Strategy
-
-### For Existing Data
-
-Option A: **Update URLs in database** (Recommended)
-```sql
--- Strip /uploads prefix from existing URLs
-UPDATE documents SET file_url = REPLACE(file_url, '/uploads/', '') WHERE file_url LIKE '/uploads/%';
-UPDATE document_images SET image_url = REPLACE(image_url, '/uploads/', '') WHERE image_url LIKE '/uploads/%';
-UPDATE task_completion_images SET image_url = REPLACE(image_url, '/uploads/', '') WHERE image_url LIKE '/uploads/%';
-```
-
-Option B: **Handle both formats in code** (Temporary)
-```go
-func (h *MediaHandler) getFilePath(storedURL string) string {
-    // Handle legacy /uploads/... URLs
-    if strings.HasPrefix(storedURL, "/uploads/") {
-        return filepath.Join(h.uploadDir, strings.TrimPrefix(storedURL, "/uploads/"))
-    }
-    // Handle new relative paths
-    return filepath.Join(h.uploadDir, storedURL)
-}
-```
-
----
-
-## Security Considerations
-
-### Pros of This Approach
-- ✓ All media access requires valid auth token
-- ✓ Access control tied to residence membership
-- ✓ No URL guessing possible (URLs are opaque IDs)
-- ✓ Can add audit logging easily
-- ✓ Can add rate limiting per user
-
-### Cons / Trade-offs
-- ✗ Every image request hits the API (increased server load)
-- ✗ Can't use CDN caching for images
-- ✗ Mobile apps need to handle auth for image loading
-
-### Mitigations
-1. **Add caching headers** - `Cache-Control: private, max-age=3600`
-2. **Consider short-lived signed URLs** later if performance becomes an issue
-3. **Add response compression** for images if not already enabled
-
----
-
-## Implementation Order
-
-1. **Create MediaHandler** with access control logic
-2. **Update router** - add media routes, keep static for now
-3. **Update response DTOs** - add MediaURL fields
-4. **Update services** - generate proxy URLs
-5. **Test with Postman** - verify access control works
-6. **Update iOS** - AuthenticatedImage component
-7. **Update Android/KMM** - AuthenticatedImage component
-8. **Run migration** - update existing URLs in database
-9. **Remove static serving** - final step after clients updated
-10. **Add audit logging** (optional)
diff --git a/docs/SUBSCRIPTION_WEBHOOKS.md b/docs/SUBSCRIPTION_WEBHOOKS.md
deleted file mode 100644
index 24483c2..0000000
--- a/docs/SUBSCRIPTION_WEBHOOKS.md
+++ /dev/null
@@ -1,247 +0,0 @@
-# Subscription Webhook Setup
-
-This document explains how to configure Apple App Store Server Notifications and Google Real-time Developer Notifications for server-to-server subscription status updates.
-
-## Overview
-
-The webhook endpoints allow Apple and Google to notify your server when subscription events occur:
-- New subscriptions
-- Renewals
-- Cancellations
-- Refunds
-- Expirations
-- Grace period events
-
-**Webhook Endpoints:**
-- Apple: `POST /api/subscription/webhook/apple/`
-- Google: `POST /api/subscription/webhook/google/`
-
-## Apple App Store Server Notifications v2
-
-### 1. Configure in App Store Connect
-
-1. Log in to [App Store Connect](https://appstoreconnect.apple.com)
-2. Navigate to **My Apps** > Select your app
-3. Go to **App Information** (under General)
-4. Scroll to **App Store Server Notifications**
-5. Enter your webhook URLs:
-   - **Production Server URL**: `https://your-domain.com/api/subscription/webhook/apple/`
-   - **Sandbox Server URL**: `https://your-domain.com/api/subscription/webhook/apple/` (or separate staging URL)
-6. Select **Version 2** for the notification version
-
-### 2. Environment Variables
-
-Set these environment variables on your server:
-
-```bash
-# Apple IAP Configuration (optional but recommended for validation)
-APPLE_IAP_KEY_PATH=/path/to/AuthKey_XXXXX.p8    # Your App Store Connect API key
-APPLE_IAP_KEY_ID=XXXXXXXXXX                      # Key ID from App Store Connect
-APPLE_IAP_ISSUER_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx  # Issuer ID from App Store Connect
-APPLE_IAP_BUNDLE_ID=com.your.app.bundleid       # Your app's bundle ID
-APPLE_IAP_SANDBOX=true                           # Set to false for production
-```
-
-### 3. Generate App Store Connect API Key
-
-To enable server-side receipt validation:
-
-1. Go to [App Store Connect > Users and Access > Keys](https://appstoreconnect.apple.com/access/api)
-2. Click **Generate API Key**
-3. Give it a name (e.g., "honeyDue IAP Server")
-4. Select **App Manager** role (minimum required for IAP)
-5. Download the `.p8` file - **you can only download it once!**
-6. Note the **Key ID** and **Issuer ID**
-
-### 4. Apple Notification Types
-
-Your server will receive these notification types:
-
-| Type | Description | Action |
-|------|-------------|--------|
-| `SUBSCRIBED` | New subscription | Upgrade user to Pro |
-| `DID_RENEW` | Subscription renewed | Extend expiry date |
-| `DID_CHANGE_RENEWAL_STATUS` | Auto-renew toggled | Update auto_renew flag |
-| `DID_FAIL_TO_RENEW` | Billing failed | User may be in grace period |
-| `EXPIRED` | Subscription expired | Downgrade to Free |
-| `REFUND` | User got refund | Downgrade to Free |
-| `REVOKE` | Access revoked | Downgrade to Free |
-| `GRACE_PERIOD_EXPIRED` | Grace period ended | Downgrade to Free |
-
----
-
-## Google Real-time Developer Notifications
-
-Google uses Cloud Pub/Sub to deliver subscription notifications. Setup requires creating a Pub/Sub topic and subscription.
-
-### 1. Create a Pub/Sub Topic
-
-1. Go to [Google Cloud Console](https://console.cloud.google.com/)
-2. Select your project (or create one)
-3. Navigate to **Pub/Sub** > **Topics**
-4. Click **Create Topic**
-5. Name it (e.g., `honeydue-subscriptions`)
-6. Note the full topic name: `projects/your-project-id/topics/honeydue-subscriptions`
-
-### 2. Create a Push Subscription
-
-1. In the Pub/Sub Topics list, click on your topic
-2. Click **Create Subscription**
-3. Configure:
-   - **Subscription ID**: `honeydue-subscription-webhook`
-   - **Delivery type**: Push
-   - **Endpoint URL**: `https://your-domain.com/api/subscription/webhook/google/`
-   - **Acknowledgment deadline**: 60 seconds
-4. Click **Create**
-
-### 3. Link to Google Play Console
-
-1. Go to [Google Play Console](https://play.google.com/console)
-2. Select your app
-3. Navigate to **Monetization** > **Monetization setup**
-4. Under **Real-time developer notifications**:
-   - Enter your topic name: `projects/your-project-id/topics/honeydue-subscriptions`
-5. Click **Save**
-6. Click **Send test notification** to verify the connection
-
-### 4. Create a Service Account for Validation
-
-1. Go to [Google Cloud Console > IAM & Admin > Service Accounts](https://console.cloud.google.com/iam-admin/serviceaccounts)
-2. Click **Create Service Account**
-3. Name it (e.g., `honeydue-iap-validator`)
-4. Grant roles:
-   - `Pub/Sub Subscriber` (for webhook handling)
-5. Click **Done**
-6. Click on the service account > **Keys** > **Add Key** > **Create new key**
-7. Select **JSON** and download the key file
-
-### 5. Link Play Console to Cloud Project
-
-1. Go to **Google Play Console** > **Setup** > **API access**
-2. Link your Google Cloud project
-3. Under **Service accounts**, grant your service account access:
-   - `View financial data` (for subscription validation)
-
-### 6. Environment Variables
-
-```bash
-# Google IAP Configuration
-GOOGLE_IAP_SERVICE_ACCOUNT_PATH=/path/to/service-account.json
-GOOGLE_IAP_PACKAGE_NAME=com.your.app.packagename
-```
-
-### 7. Google Notification Types
-
-Your server will receive these notification types:
-
-| Type Code | Type | Description | Action |
-|-----------|------|-------------|--------|
-| 1 | `SUBSCRIPTION_RECOVERED` | Recovered from hold | Re-upgrade to Pro |
-| 2 | `SUBSCRIPTION_RENEWED` | Subscription renewed | Extend expiry date |
-| 3 | `SUBSCRIPTION_CANCELED` | User canceled | Mark as canceled, will expire |
-| 4 | `SUBSCRIPTION_PURCHASED` | New purchase | Upgrade to Pro |
-| 5 | `SUBSCRIPTION_ON_HOLD` | Account hold | User may lose access soon |
-| 6 | `SUBSCRIPTION_IN_GRACE_PERIOD` | In grace period | User still has access |
-| 7 | `SUBSCRIPTION_RESTARTED` | User resubscribed | Re-upgrade to Pro |
-| 12 | `SUBSCRIPTION_REVOKED` | Subscription revoked | Downgrade to Free |
-| 13 | `SUBSCRIPTION_EXPIRED` | Subscription expired | Downgrade to Free |
-
----
-
-## Testing
-
-### Test Apple Webhooks
-
-1. Use the **Sandbox** environment in App Store Connect
-2. Create a Sandbox tester account
-3. Make test purchases on a test device
-4. Monitor your server logs for webhook events
-
-### Test Google Webhooks
-
-1. In Google Play Console > **Monetization setup**
-2. Click **Send test notification**
-3. Your server should receive a test notification
-4. Check server logs for: `"Google Webhook: Received test notification"`
-
-### Local Development Testing
-
-For local testing, use a tunnel service like ngrok:
-
-```bash
-# Start ngrok
-ngrok http 8000
-
-# Use the ngrok URL for webhook configuration
-# e.g., https://abc123.ngrok.io/api/subscription/webhook/apple/
-```
-
----
-
-## Security Considerations
-
-### Apple Webhook Verification
-
-The webhook handler includes optional JWS signature verification. Apple signs all notifications using their certificate chain. While the current implementation decodes the payload without full verification, you can enable verification by:
-
-1. Downloading Apple's root certificates from https://www.apple.com/certificateauthority/
-2. Calling `VerifyAppleSignature()` before processing
-
-### Google Webhook Security
-
-Options for securing Google webhooks:
-
-1. **IP Whitelisting**: Google publishes [Pub/Sub IP ranges](https://cloud.google.com/pubsub/docs/reference/service_apis_overview#ip-ranges)
-2. **Push Authentication**: Configure your Pub/Sub subscription to include an authentication header
-3. **OIDC Token**: Have Pub/Sub include an OIDC token that your server verifies
-
-### General Security
-
-- Always use HTTPS for webhook endpoints
-- Validate the bundle ID / package name in each notification
-- Log all webhook events for debugging and audit
-- Return 200 OK even if processing fails (to prevent retries flooding your server)
-
----
-
-## Troubleshooting
-
-### Apple Webhooks Not Arriving
-
-1. Verify the URL is correct in App Store Connect
-2. Check your server is reachable from the internet
-3. Ensure you're testing with a Sandbox account
-4. Check server logs for any processing errors
-
-### Google Webhooks Not Arriving
-
-1. Verify the topic name format: `projects/PROJECT_ID/topics/TOPIC_NAME`
-2. Check the Pub/Sub subscription is active
-3. Test with "Send test notification" in Play Console
-4. Check Cloud Logging for Pub/Sub delivery errors
-
-### User Not Found for Webhook
-
-This typically means:
-- The user made a purchase but the receipt/token wasn't stored
-- The transaction ID or purchase token doesn't match any stored data
-
-The handler logs these cases but returns success to prevent Apple/Google from retrying.
-
----
-
-## Database Schema
-
-Relevant fields in `user_subscriptions` table:
-
-```sql
-apple_receipt_data TEXT    -- Stores receipt/transaction ID for Apple
-google_purchase_token TEXT -- Stores purchase token for Google
-cancelled_at TIMESTAMP     -- When user canceled (will expire at end of period)
-auto_renew BOOLEAN         -- Whether subscription will auto-renew
-```
-
-These fields are used by webhook handlers to:
-1. Find the user associated with a transaction
-2. Track cancellation state
-3. Update renewal preferences
diff --git a/docs/TASK_KANBAN_CATEGORIZATION.md b/docs/TASK_KANBAN_CATEGORIZATION.md
deleted file mode 100644
index 71579cc..0000000
--- a/docs/TASK_KANBAN_CATEGORIZATION.md
+++ /dev/null
@@ -1,310 +0,0 @@
-# Task Kanban Categorization
-
-This document explains how tasks are categorized into kanban columns in the honeyDue application.
-
-> Note: The categorization chain still computes `cancelled_tasks`, but the kanban board response
-> intentionally hides cancelled/archived tasks and returns only 5 visible columns.
-
-## Overview
-
-The task categorization system uses the **Chain of Responsibility** design pattern to determine which kanban column a task belongs to. Each handler in the chain evaluates the task against specific criteria, and if matched, returns the appropriate column. If not matched, the task is passed to the next handler.
-
-## Architecture
-
-### Design Pattern: Chain of Responsibility
-
-```
-┌─────────────┐    ┌─────────────┐    ┌─────────────┐    ┌─────────────┐    ┌─────────────┐    ┌─────────────┐
-│  Cancelled  │───▶│  Completed  │───▶│ In Progress │───▶│   Overdue   │───▶│  Due Soon   │───▶│  Upcoming   │
-│   Handler   │    │   Handler   │    │   Handler   │    │   Handler   │    │   Handler   │    │   Handler   │
-└─────────────┘    └─────────────┘    └─────────────┘    └─────────────┘    └─────────────┘    └─────────────┘
-     │                   │                   │                   │                   │                   │
-     ▼                   ▼                   ▼                   ▼                   ▼                   ▼
-"cancelled_tasks"  "completed_tasks" "in_progress_tasks" "overdue_tasks"  "due_soon_tasks"  "upcoming_tasks"
-```
-
-### Source Files
-
-- **Chain Implementation**: `internal/task/categorization/chain.go`
-- **Tests**: `internal/task/categorization/chain_test.go`
-- **Legacy Wrapper**: `internal/dto/responses/task.go` (`DetermineKanbanColumn`)
-- **Repository Usage**: `internal/repositories/task_repo.go` (`GetKanbanData`)
-
-## Kanban Columns
-
-The system supports 6 kanban columns, evaluated in strict priority order:
-
-| Priority | Column Name | Display Name | Description |
-|----------|-------------|--------------|-------------|
-| 1 | `cancelled_tasks` | Cancelled | Tasks that have been cancelled |
-| 2 | `completed_tasks` | Completed | One-time tasks that are done |
-| 3 | `in_progress_tasks` | In Progress | Tasks currently being worked on |
-| 4 | `overdue_tasks` | Overdue | Tasks past their due date |
-| 5 | `due_soon_tasks` | Due Soon | Tasks due within the threshold (default: 30 days) |
-| 6 | `upcoming_tasks` | Upcoming | All other active tasks |
-
-## Categorization Logic (Step by Step)
-
-### Step 1: Cancelled Check (Highest Priority)
-
-**Handler**: `CancelledHandler`
-
-**Condition**: `task.IsCancelled == true`
-
-**Result**: `cancelled_tasks`
-
-A cancelled task always goes to the cancelled column, regardless of any other attributes. This is the first check because cancellation represents a terminal state that overrides all other considerations.
-
-```go
-if task.IsCancelled {
-    return "cancelled_tasks"
-}
-```
-
-### Step 2: Completed Check
-
-**Handler**: `CompletedHandler`
-
-**Condition**: `task.NextDueDate == nil && len(task.Completions) > 0`
-
-**Result**: `completed_tasks`
-
-A task is considered "completed" when:
-1. It has at least one completion record (someone marked it done)
-2. AND it has no `NextDueDate` (meaning it's a one-time task)
-
-**Important**: Recurring tasks with completions but with a `NextDueDate` set are NOT considered completed - they continue in their active cycle.
-
-```go
-if task.NextDueDate == nil && len(task.Completions) > 0 {
-    return "completed_tasks"
-}
-```
-
-### Step 3: In Progress Check
-
-**Handler**: `InProgressHandler`
-
-**Condition**: `task.InProgress == true`
-
-**Result**: `in_progress_tasks`
-
-Tasks marked as "In Progress" are grouped together regardless of their due date. This allows users to see what's actively being worked on.
-
-```go
-if task.InProgress {
-    return "in_progress_tasks"
-}
-```
-
-### Step 4: Overdue Check
-
-**Handler**: `OverdueHandler`
-
-**Condition**: `effectiveDate.Before(now)`
-
-**Result**: `overdue_tasks`
-
-The "effective date" is determined as:
-1. `NextDueDate` (preferred - used for recurring tasks after completion)
-2. `DueDate` (fallback - used for initial scheduling)
-
-If the effective date is in the past, the task is overdue.
-
-```go
-effectiveDate := task.NextDueDate
-if effectiveDate == nil {
-    effectiveDate = task.DueDate
-}
-if effectiveDate != nil && effectiveDate.Before(now) {
-    return "overdue_tasks"
-}
-```
-
-### Step 5: Due Soon Check
-
-**Handler**: `DueSoonHandler`
-
-**Condition**: `effectiveDate.Before(threshold)`
-
-**Result**: `due_soon_tasks`
-
-Where `threshold = now + daysThreshold` (default 30 days)
-
-Tasks due within the threshold period are considered "due soon" and need attention.
-
-```go
-threshold := now.AddDate(0, 0, daysThreshold)
-if effectiveDate != nil && effectiveDate.Before(threshold) {
-    return "due_soon_tasks"
-}
-```
-
-### Step 6: Upcoming (Default)
-
-**Handler**: `UpcomingHandler`
-
-**Condition**: None (catches all remaining tasks)
-
-**Result**: `upcoming_tasks`
-
-Any task that doesn't match the above criteria falls into "upcoming". This includes:
-- Tasks with due dates beyond the threshold
-- Tasks with no due date set
-- Future scheduled tasks
-
-```go
-return "upcoming_tasks"
-```
-
-## Key Concepts
-
-### DueDate vs NextDueDate
-
-| Field | Purpose | When Set |
-|-------|---------|----------|
-| `DueDate` | Original/initial due date | When task is created |
-| `NextDueDate` | Next occurrence for recurring tasks | After each completion |
-
-**For recurring tasks**: `NextDueDate` takes precedence over `DueDate` for categorization. After completing a recurring task:
-1. A new completion record is created
-2. `NextDueDate` is calculated as `completionDate + frequencyDays`
-3. Status is reset to "Pending"
-4. Task moves to the appropriate column based on the new `NextDueDate`
-
-### One-Time vs Recurring Tasks
-
-**One-Time Tasks** (frequency = "Once" or no frequency):
-- When completed: `NextDueDate` is set to `nil`
-- Categorization: Goes to `completed_tasks` column
-- Status: Remains as-is (usually "Completed" or last status)
-
-**Recurring Tasks** (weekly, monthly, annually, etc.):
-- When completed: `NextDueDate` is set to `completionDate + frequencyDays`
-- Categorization: Based on new `NextDueDate` (could be upcoming, due_soon, etc.)
-- Status: **Reset to "Pending"** to allow proper column placement
-
-### The "In Progress" Gotcha
-
-**Important**: Tasks with "In Progress" status will stay in the `in_progress_tasks` column even if they're overdue!
-
-This is by design - "In Progress" indicates active work, so the task should be visible there. However, this means:
-
-1. If a recurring task is marked "In Progress" and then completed
-2. The `in_progress` flag MUST be reset to `false` after completion
-3. Otherwise, the task stays in "In Progress" instead of moving to "Upcoming"
-
-This is handled automatically in `TaskService.CreateCompletion()`:
-
-```go
-if isRecurringTask {
-    task.InProgress = false
-}
-```
-
-## Configuration
-
-### Days Threshold
-
-The `daysThreshold` parameter controls what counts as "due soon":
-- Default: 30 days
-- Configurable per-request via query parameter
-
-```go
-// Example: Consider tasks due within 7 days as "due soon"
-chain.Categorize(task, 7)
-```
-
-## Column Metadata
-
-Each column has associated metadata for UI rendering:
-
-```go
-{
-    Name:        "overdue_tasks",
-    DisplayName: "Overdue",
-    ButtonTypes: []string{"edit", "complete", "cancel", "mark_in_progress"},
-    Icons:       map[string]string{"ios": "exclamationmark.triangle", "android": "Warning"},
-    Color:       "#FF3B30",
-}
-```
-
-### Button Types by Column
-
-| Column | Available Actions |
-|--------|-------------------|
-| `overdue_tasks` | edit, complete, cancel, mark_in_progress |
-| `in_progress_tasks` | edit, complete, cancel |
-| `due_soon_tasks` | edit, complete, cancel, mark_in_progress |
-| `upcoming_tasks` | edit, complete, cancel, mark_in_progress |
-| `completed_tasks` | (none - read-only) |
-| `cancelled_tasks` | uncancel, delete |
-
-## Usage Examples
-
-### Basic Categorization
-
-```go
-import "github.com/treytartt/honeydue-api/internal/task/categorization"
-
-task := &models.Task{
-    DueDate:    time.Now().AddDate(0, 0, 15), // 15 days from now
-    InProgress: false,
-}
-
-column := categorization.DetermineKanbanColumn(task, 30)
-// Returns: "due_soon_tasks"
-```
-
-### Categorize Multiple Tasks
-
-```go
-tasks := []models.Task{...}
-columns := categorization.CategorizeTasksIntoColumns(tasks, 30)
-
-// Returns map[KanbanColumn][]models.Task with tasks organized by column
-```
-
-### Custom Chain (Advanced)
-
-```go
-chain := categorization.NewChain()
-ctx := categorization.NewContext(task, 14) // 14-day threshold
-column := chain.CategorizeWithContext(ctx)
-```
-
-## Testing
-
-The categorization logic is thoroughly tested in `chain_test.go`:
-
-```bash
-go test ./internal/task/categorization/... -v
-```
-
-Key test scenarios:
-- Each handler's matching criteria
-- Priority order between handlers
-- Recurring task lifecycle
-- Edge cases (nil dates, empty completions, etc.)
-
-## Troubleshooting
-
-### Task stuck in wrong column?
-
-1. **Check `IsCancelled`**: Cancelled takes highest priority
-2. **Check `NextDueDate`**: For recurring tasks, this determines placement
-3. **Check `InProgress`**: `true` overrides date-based categorization
-4. **Check `Completions`**: Empty + nil NextDueDate = upcoming, not completed
-
-### Recurring task not moving to Upcoming after completion?
-
-Verify that `CreateCompletion` is:
-1. Setting `NextDueDate` correctly
-2. Resetting `InProgress` to `false`
-
-### Task showing overdue but due date looks correct?
-
-The system uses UTC times. Ensure dates are compared in UTC:
-```go
-now := time.Now().UTC()
-```
diff --git a/docs/TASK_KANBAN_LOGIC.md b/docs/TASK_KANBAN_LOGIC.md
deleted file mode 100644
index 3f30f8d..0000000
--- a/docs/TASK_KANBAN_LOGIC.md
+++ /dev/null
@@ -1,318 +0,0 @@
-# Task Kanban Board Categorization Logic
-
-This document describes how tasks are categorized into kanban columns for display in the honeyDue mobile app.
-
-> Important: The board intentionally returns **5 visible columns**. Cancelled and archived tasks are
-> hidden from board responses (though task-level `kanban_column` may still be `cancelled_tasks`).
-
-## Overview
-
-Tasks are organized into 5 visible kanban columns based on their state and due date. The categorization logic is implemented in `internal/repositories/task_repo.go` in the `GetKanbanData` and `GetKanbanDataForMultipleResidences` functions.
-
-## Columns Summary
-
-| Column | Name | Color | Button Types | Description |
-|--------|------|-------|--------------|-------------|
-| 1 | **Overdue** | `#FF3B30` (Red) | edit, complete, cancel, mark_in_progress | Tasks past their due date |
-| 2 | **Due Soon** | `#FF9500` (Orange) | edit, complete, cancel, mark_in_progress | Tasks due within the threshold (default 30 days) |
-| 3 | **Upcoming** | `#007AFF` (Blue) | edit, complete, cancel, mark_in_progress | Tasks due beyond the threshold or with no due date |
-| 4 | **In Progress** | `#5856D6` (Purple) | edit, complete, cancel | Tasks with status "In Progress" |
-| 5 | **Completed** | `#34C759` (Green) | view | Tasks with at least one completion record |
-
-## Categorization Flow
-
-The categorization follows this priority order (first match wins):
-
-```
-┌─────────────────────────────────────────────────────────────────┐
-│                        START: Process Task                       │
-└─────────────────────────────────────────────────────────────────┘
-                                  │
-                                  ▼
-                    ┌─────────────────────────┐
-                    │   Is task cancelled?    │
-                    │   (is_cancelled = true) │
-                    └─────────────────────────┘
-                           │           │
-                          YES          NO
-                           │           │
-                           ▼           ▼
-                    ┌──────────┐  ┌─────────────────────────┐
-                    │CANCELLED │  │ Has task completions?   │
-                    │  column  │  │ (len(completions) > 0)  │
-                    └──────────┘  └─────────────────────────┘
-                                       │           │
-                                      YES          NO
-                                       │           │
-                                       ▼           ▼
-                                ┌──────────┐ ┌─────────────────────────┐
-                                │COMPLETED │ │ Is status "In Progress"?│
-                                │  column  │ │ (status.name = "In...)  │
-                                └──────────┘ └─────────────────────────┘
-                                                   │           │
-                                                  YES          NO
-                                                   │           │
-                                                   ▼           ▼
-                                            ┌───────────┐ ┌─────────────────┐
-                                            │IN PROGRESS│ │ Has due date?   │
-                                            │  column   │ └─────────────────┘
-                                            └───────────┘      │         │
-                                                              YES        NO
-                                                               │         │
-                                                               ▼         ▼
-                                                    ┌──────────────┐ ┌────────┐
-                                                    │Check due date│ │UPCOMING│
-                                                    └──────────────┘ │ column │
-                                                           │         └────────┘
-                                              ┌────────────┼────────────┐
-                                              ▼            ▼            ▼
-                                    ┌─────────────┐ ┌──────────┐ ┌────────────┐
-                                    │ due < now   │ │due < now │ │due >= now +│
-                                    │             │ │+ threshold│ │ threshold  │
-                                    └─────────────┘ └──────────┘ └────────────┘
-                                           │              │             │
-                                           ▼              ▼             ▼
-                                    ┌─────────┐    ┌──────────┐  ┌────────┐
-                                    │ OVERDUE │    │ DUE SOON │  │UPCOMING│
-                                    │  column │    │  column  │  │ column │
-                                    └─────────┘    └──────────┘  └────────┘
-```
-
-## Detailed Rules
-
-### 1. Cancelled (highest priority)
-```go
-if task.IsCancelled {
-    cancelled = append(cancelled, task)
-    continue
-}
-```
-- **Condition**: `is_cancelled = true`
-- **Button Types**: `uncancel`, `delete`
-- **Rationale**: Cancelled tasks can be restored (uncancel) or permanently removed (delete)
-
-### 2. Completed
-```go
-if len(task.Completions) > 0 {
-    completed = append(completed, task)
-    continue
-}
-```
-- **Condition**: Task has at least one `TaskCompletion` record
-- **Note**: A task is considered completed based on having completion records, NOT based on status
-- **Button Types**: `view`
-- **Rationale**: Completed tasks are read-only for historical purposes; users can view completion details and photos
-
-### 3. In Progress
-```go
-if task.InProgress {
-    inProgress = append(inProgress, task)
-    continue
-}
-```
-- **Condition**: Task's `in_progress` boolean is `true`
-- **Button Types**: `edit`, `complete`, `cancel`
-- **Rationale**: In-progress tasks can be edited, marked complete, or cancelled if work is abandoned
-
-### 4. Due Date Based Categories (only for tasks not cancelled, completed, or in progress)
-
-#### Overdue
-```go
-if task.DueDate.Before(now) {
-    overdue = append(overdue, task)
-}
-```
-- **Condition**: `due_date < current_time`
-- **Button Types**: `edit`, `complete`, `cancel`, `mark_in_progress`
-- **Rationale**: Overdue tasks need urgent attention - can complete immediately, start working on them, edit the due date, or cancel if no longer needed
-
-#### Due Soon
-```go
-if task.DueDate.Before(threshold) {
-    dueSoon = append(dueSoon, task)
-}
-```
-- **Condition**: `current_time <= due_date < (current_time + days_threshold)`
-- **Default threshold**: 30 days
-- **Button Types**: `edit`, `complete`, `cancel`, `mark_in_progress`
-- **Rationale**: Due soon tasks are approaching their deadline - users can complete early, start working, reschedule, or cancel
-
-#### Upcoming
-```go
-upcoming = append(upcoming, task)
-```
-- **Condition**: `due_date >= (current_time + days_threshold)` OR `due_date IS NULL`
-- **Button Types**: `edit`, `complete`, `cancel`, `mark_in_progress`
-- **Rationale**: Future tasks may need to be completed early (ahead of schedule), started, rescheduled, or cancelled
-
-## Button Types Reference
-
-| Button Type | Action | Description |
-|-------------|--------|-------------|
-| `edit` | Update task | Modify task details (title, description, due date, category, etc.) |
-| `complete` | Create completion | Mark task as done with optional notes and photos |
-| `cancel` | Cancel task | Mark task as cancelled (soft delete, can be uncancelled) |
-| `mark_in_progress` | Start work | Change status to "In Progress" to indicate work has begun |
-| `view` | View details | View task and completion details (read-only) |
-| `uncancel` | Restore task | Restore a cancelled task to its previous state |
-| `delete` | Hard delete | Permanently remove task (only for cancelled tasks) |
-
-## Column Metadata
-
-Each column includes metadata for the mobile clients:
-
-```go
-{
-    Name:        "overdue_tasks",          // Internal identifier
-    DisplayName: "Overdue",                // User-facing label
-    ButtonTypes: []string{"edit", "complete", "cancel", "mark_in_progress"},
-    Icons:       map[string]string{        // Platform-specific icons
-        "ios": "exclamationmark.triangle",
-        "android": "Warning"
-    },
-    Color:       "#FF3B30",                // Display color
-    Tasks:       []Task{...},              // Tasks in this column
-    Count:       int,                      // Number of tasks
-}
-```
-
-### Icons by Column
-
-| Column | iOS Icon | Android Icon |
-|--------|----------|--------------|
-| Overdue | `exclamationmark.triangle` | `Warning` |
-| Due Soon | `clock` | `Schedule` |
-| Upcoming | `calendar` | `Event` |
-| In Progress | `hammer` | `Build` |
-| Completed | `checkmark.circle` | `CheckCircle` |
-| Cancelled | `xmark.circle` | `Cancel` |
-
-## Days Threshold Parameter
-
-The `daysThreshold` parameter (default: 30) determines the boundary between "Due Soon" and "Upcoming":
-
-- Tasks due within `daysThreshold` days from now → **Due Soon**
-- Tasks due beyond `daysThreshold` days from now → **Upcoming**
-
-This can be customized per request via query parameter.
-
-## Sorting
-
-Tasks within each column are sorted by:
-1. `due_date ASC NULLS LAST` (earliest due date first, tasks without due dates at end)
-2. `priority_id DESC` (higher priority first)
-3. `created_at DESC` (newest first)
-
-## Excluded Tasks
-
-The following tasks are excluded from the kanban board entirely:
-- **Archived tasks**: `is_archived = true`
-
-## API Response Example
-
-```json
-{
-  "columns": [
-    {
-      "name": "overdue_tasks",
-      "display_name": "Overdue",
-      "button_types": ["edit", "complete", "cancel", "mark_in_progress"],
-      "icons": {
-        "ios": "exclamationmark.triangle",
-        "android": "Warning"
-      },
-      "color": "#FF3B30",
-      "tasks": [...],
-      "count": 2
-    },
-    {
-      "name": "due_soon_tasks",
-      "display_name": "Due Soon",
-      "button_types": ["edit", "complete", "cancel", "mark_in_progress"],
-      "icons": {
-        "ios": "clock",
-        "android": "Schedule"
-      },
-      "color": "#FF9500",
-      "tasks": [...],
-      "count": 5
-    },
-    {
-      "name": "upcoming_tasks",
-      "display_name": "Upcoming",
-      "button_types": ["edit", "complete", "cancel", "mark_in_progress"],
-      "icons": {
-        "ios": "calendar",
-        "android": "Event"
-      },
-      "color": "#007AFF",
-      "tasks": [...],
-      "count": 10
-    },
-    {
-      "name": "in_progress_tasks",
-      "display_name": "In Progress",
-      "button_types": ["edit", "complete", "cancel"],
-      "icons": {
-        "ios": "hammer",
-        "android": "Build"
-      },
-      "color": "#5856D6",
-      "tasks": [...],
-      "count": 3
-    },
-    {
-      "name": "completed_tasks",
-      "display_name": "Completed",
-      "button_types": ["view"],
-      "icons": {
-        "ios": "checkmark.circle",
-        "android": "CheckCircle"
-      },
-      "color": "#34C759",
-      "tasks": [...],
-      "count": 15
-    },
-    {
-      "name": "cancelled_tasks",
-      "display_name": "Cancelled",
-      "button_types": ["uncancel", "delete"],
-      "icons": {
-        "ios": "xmark.circle",
-        "android": "Cancel"
-      },
-      "color": "#8E8E93",
-      "tasks": [...],
-      "count": 1
-    }
-  ],
-  "days_threshold": 30,
-  "residence_id": "123"
-}
-```
-
-## Design Decisions
-
-### Why "In Progress" doesn't have "mark_in_progress"
-Tasks already in the "In Progress" column are already marked as in progress, so this action doesn't make sense.
-
-### Why "Completed" only has "view"
-Completed tasks represent historical records. Users can view them but shouldn't be able to uncomplete or modify them. If a task was completed incorrectly, the user should delete the completion record through the completion detail view.
-
-### Why "Cancelled" has "delete" but others don't
-Hard deletion is only available for cancelled tasks as a final cleanup action. For active tasks, users should cancel first (soft delete), then delete if truly needed. This prevents accidental data loss.
-
-### Why all active columns have "cancel"
-Users should always be able to abandon a task they no longer need, regardless of its due date or progress state.
-
-## Code Location
-
-- **Repository**: `internal/repositories/task_repo.go`
-  - `GetKanbanData()` - Single residence
-  - `GetKanbanDataForMultipleResidences()` - Multiple residences (all user's properties)
-- **Service**: `internal/services/task_service.go`
-  - `ListTasks()` - All tasks for user
-  - `GetTasksByResidence()` - Tasks for specific residence
-- **Response DTOs**: `internal/dto/responses/task.go`
-  - `KanbanBoardResponse`
-  - `KanbanColumnResponse`
diff --git a/docs/marketing/COMPETITOR_ANALYSIS.md b/docs/marketing/COMPETITOR_ANALYSIS.md
deleted file mode 100644
index 5d67715..0000000
--- a/docs/marketing/COMPETITOR_ANALYSIS.md
+++ /dev/null
@@ -1,252 +0,0 @@
-# Competitor Analysis: Home Management Apps
-
-*Last Updated: December 2024*
-
-This document provides a comprehensive comparison of home management apps similar to honeyDue/HoneyDue.
-
----
-
-## Feature Comparison Table
-
-| App | Task Scheduling | Multi-Property | Document Storage | Contractors | Warranty Tracking | Pricing |
-|-----|----------------|----------------|------------------|-------------|-------------------|---------|
-| **honeyDue** | Recurring + Kanban | Yes | Yes | Yes | Yes | TBD |
-| **HomeZada** | Yes | Yes (Deluxe) | Yes | No | Yes | Free / $59-99/yr |
-| **Centriq** | Reminders only | Yes | Yes (Manuals) | No | Yes + Recalls | Free / $18-100/yr |
-| **Homer** | Yes | Yes | Yes | Contacts only | Yes | Free / Premium |
-| **Dwellin** | Yes | Yes (Pro) | Yes (Pro) | No | Yes | Free / Pro sub |
-| **Sweepy** | Cleaning only | No | No | No | No | Free / $15-17/yr |
-| **Tody** | Cleaning only | No | No | No | No | Free / $6/yr |
-
----
-
-## Detailed Competitor Profiles
-
-### HomeZada
-
-**Website:** [homezada.com](https://www.homezada.com/)
-
-**Overview:** Comprehensive home management platform covering finances, inventory, projects, and maintenance.
-
-**Key Features:**
-- Customizable maintenance calendar with smart reminders
-- Home improvement project tracking with budgeting
-- Digital document storage for receipts and important files
-- Home inventory system with photo uploads (useful for insurance)
-- Property tax and mortgage tracking
-- Home value estimation
-
-**Pricing:**
-| Plan | Price | Features |
-|------|-------|----------|
-| Essentials | Free | Inventory, documents, contacts, newsfeed |
-| Premium | $79/year or $11.95/month | Full maintenance scheduling, budgeting |
-| Deluxe | $149/year | Up to 3 properties, home marketing tools |
-
-**Strengths:** Most comprehensive feature set, strong financial tracking
-**Weaknesses:** No contractor management, complex interface
-
----
-
-### Centriq
-
-**Overview:** Appliance-focused app that excels at product information and maintenance.
-
-**Key Features:**
-- Snap a product label to auto-fetch manuals, troubleshooting guides, parts info
-- Extensive library of appliance manuals
-- Safety recall notifications
-- How-to videos for repairs
-- Receipt and warranty storage
-- Maintenance reminders (filter changes, etc.)
-
-**Pricing:**
-| Plan | Price | Notes |
-|------|-------|-------|
-| Beginner | Free | Limited items |
-| Baby | $17.95/year | — |
-| Limited | $29.95/year | — |
-| Expert | $59.95/year | — |
-| Genius | $99.95/year | Most items/properties |
-
-*Alternative pricing: $32/property for deluxe subscription*
-
-**Strengths:** Best appliance database, automatic manual fetching, recall alerts
-**Weaknesses:** Not a full task management system, no contractor tracking
-
----
-
-### Homer
-
-**Website:** [homer.co](https://www.homer.co/)
-
-**Overview:** Beautiful, Apple-featured home management app with unique features.
-
-**Key Features:**
-- Built-in receipt scanner and expense tracker
-- Floor plan creator (accurate plans in minutes)
-- AR (augmented reality) notes - place digital markers in 3D space
-- Multi-property support (houses, apartments, condos)
-- Task scheduling and reminders
-- Contact storage for service providers
-
-**Pricing:**
-| Plan | Price | Notes |
-|------|-------|-------|
-| Free | $0 | Basic features, data always accessible |
-| Premium | Unknown | 2-week free trial, no lock-in |
-
-**Recognition:**
-- Apple "App of the Day" (2023)
-- Apple "Apps We Love" (2022, 2023, 2024)
-- Apple "Essential Utility Apps" (2024)
-
-**Strengths:** Best UI/UX, AR features, Apple recognition
-**Weaknesses:** Pricing not transparent, no dedicated contractor management
-
----
-
-### Dwellin
-
-**Website:** [App Store](https://apps.apple.com/us/app/dwellin-easy-home-maintenance/id1566306121)
-
-**Overview:** Eco-conscious home maintenance app with cost estimation.
-
-**Key Features:**
-- Annual home maintenance cost estimation
-- Carbon footprint tracking for your home
-- Maintenance scheduling and reminders
-- Dwellin Pro: automated appliance manuals, digital home binder
-- Family collaboration (Pro)
-- Multi-property management (Pro)
-
-**Pricing:**
-| Plan | Price | Notes |
-|------|-------|-------|
-| Free | $0 | Core features |
-| Pro | Subscription | Monthly, quarterly, or annual options |
-
-*Note: Specific Pro pricing not publicly available*
-
-**Strengths:** Unique eco-friendly angle, cost estimation
-**Weaknesses:** Pro features behind paywall, pricing not transparent
-
----
-
-### Sweepy
-
-**Website:** [sweepy.com](https://sweepy.com/)
-
-**Overview:** Dedicated household cleaning schedule app.
-
-**Key Features:**
-- Tracks daily, monthly, and yearly cleaning tasks
-- Records when each chore was last completed
-- Automatically creates daily cleaning schedules
-- Family member assignment
-- "Dirtiness" indicator for each room
-
-**Pricing:**
-| Plan | Price | Notes |
-|------|-------|-------|
-| Free | $0 | 1 user |
-| Premium | $2.50-$3/month | Multi-user, family features |
-| Annual | $13-$17/year | Best value |
-
-*3-day trial for premium*
-
-**Strengths:** Laser-focused on cleaning, gamification elements
-**Weaknesses:** Only cleaning (not full home management), iOS only
-
----
-
-### Tody
-
-**Website:** [todyapp.com](https://todyapp.com/)
-
-**Overview:** Smart cleaning app with unique "Tody Method" for routine management.
-
-**Key Features:**
-- Visual indicators showing cleaning urgency
-- Customizable task difficulty/effort levels
-- Vacation mode
-- Multi-device sync (Premium)
-- Family collaboration
-
-**Pricing:**
-| Plan | Price | Notes |
-|------|-------|-------|
-| Free | $0 | Full Tody Method |
-| Premium | ~$6/year (Android) | Sync, vacation mode, effort tiers |
-| One-time | $6.99 (some platforms) | — |
-
-**Strengths:** Affordable, effective methodology, good free tier
-**Weaknesses:** Only cleaning tasks, no documents or warranties
-
----
-
-## Competitive Positioning
-
-### Where honeyDue Differentiates
-
-Based on competitor analysis, honeyDue has unique advantages:
-
-1. **Contractor Management** - Most competitors lack this entirely
-2. **Kanban Task View** - Unique visual organization (overdue, due soon, upcoming, completed)
-3. **Shared Household** - Family collaboration with residence sharing codes
-4. **Combined Approach** - Tasks + Documents + Contractors + Warranties in one app
-5. **Recurring Task Intelligence** - Smart next-due-date calculation for recurring maintenance
-
-### Competitor Gaps honeyDue Fills
-
-| Gap | Competitors Missing It | honeyDue Solution |
-|-----|------------------------|-----------------|
-| Contractor database | All except Homer (contacts only) | Full contractor profiles with specialties |
-| Kanban visualization | All | Visual task board with columns |
-| Task sharing | Most | Residence member collaboration |
-| Recurring task logic | Most are basic reminders | Frequency-based auto-scheduling |
-
----
-
-## Suggested Pricing Strategy
-
-Based on market analysis:
-
-### Recommended Tier Structure
-
-| Tier | Price | Target User | Features |
-|------|-------|-------------|----------|
-| **Free** | $0 | Casual homeowner | 1 property, 10 tasks, basic features |
-| **Plus** | $4.99/mo or $49/yr | Active homeowner | Unlimited tasks, documents, 2-3 properties |
-| **Pro** | $9.99/mo or $99/yr | Power user / Landlord | Unlimited everything, contractor management, family sharing, priority support |
-
-### Pricing Rationale
-
-- **Free tier** attracts users and builds habit
-- **Plus at ~$50/yr** undercuts HomeZada Premium ($79/yr) while offering more task features
-- **Pro at ~$100/yr** matches HomeZada Deluxe but includes contractor management they lack
-- Monthly options provide flexibility (important for conversion)
-
-### Competitive Price Points
-
-| Competitor | Annual Price | honeyDue Comparison |
-|------------|--------------|-------------------|
-| Tody | $6 | honeyDue offers much more (not just cleaning) |
-| Sweepy | $15-17 | honeyDue offers full home management |
-| Centriq | $18-100 | honeyDue has better task management |
-| HomeZada | $59-149 | honeyDue adds contractors, better UX |
-
----
-
-## Sources
-
-- [HomeZada](https://www.homezada.com/)
-- [Centriq - App Store](https://apps.apple.com/us/app/centriq-home-assistant/id1063517498)
-- [Homer - The Home Management App](https://www.homer.co/)
-- [Dwellin - App Store](https://apps.apple.com/us/app/dwellin-easy-home-maintenance/id1566306121)
-- [Sweepy](https://sweepy.com/)
-- [Tody](https://todyapp.com/)
-- [Best Home Maintenance Apps - Select Home Warranty](https://www.selecthomewarranty.com/blog/best-home-maintenance-apps/)
-- [Apps for New Homeowners - Today's Homeowner](https://todayshomeowner.com/blog/guides/best-apps-for-new-homeowners/)
-- [Best 6 Apps for New Homeowners - Liberty Home Guard](https://www.libertyhomeguard.com/blog/home-maintenance/best-6-apps-for-new-homeowners/)
-- [Home Organization Apps - Family Handyman](https://www.familyhandyman.com/article/home-organization-apps/)
diff --git a/docs/marketing/PRESS_RELEASE.md b/docs/marketing/PRESS_RELEASE.md
deleted file mode 100644
index 8c47e44..0000000
--- a/docs/marketing/PRESS_RELEASE.md
+++ /dev/null
@@ -1,200 +0,0 @@
-# Press Release
-
----
-
-## FOR IMMEDIATE RELEASE
-
-**Contact:**
-[Your Name]
-[Email]
-[Phone]
-
----
-
-# honeyDue Launches to Help Homeowners Take Control of Home Maintenance
-
-*New mobile app brings task management, document storage, and contractor organization to homeowners tired of forgotten maintenance and lost warranties*
-
----
-
-**[CITY, STATE] — [DATE]** — honeyDue, a new home maintenance management app, launched today on iOS and Android, offering homeowners a simple yet powerful way to organize every aspect of home upkeep. The app combines recurring task scheduling, document storage, contractor management, and household collaboration in one intuitive platform.
-
-"Homeownership comes with a hidden job: maintenance manager," said [Founder Name], founder of honeyDue. "Most people cobble together sticky notes, spreadsheet reminders, and hope. We built honeyDue because there had to be a better way."
-
-### The Problem honeyDue Solves
-
-The average single-family home requires maintenance on over 40 different systems and components, from HVAC filters to roof inspections. According to HomeAdvisor, homeowners spend an average of $3,192 annually on emergency repairs — many of which could be prevented with regular maintenance.
-
-Yet most homeowners lack any organized system to track these tasks. Warranties get lost in email. Contractor contact information lives in scattered text threads. Important maintenance gets forgotten until something breaks.
-
-### How honeyDue Works
-
-honeyDue provides homeowners with four core capabilities:
-
-**Smart Task Scheduling**
-Users can create one-time or recurring maintenance tasks with customizable frequencies — from daily to annually. The app's kanban-style board shows tasks organized by urgency: overdue, due soon, upcoming, and completed. When a recurring task is completed, honeyDue automatically schedules the next occurrence.
-
-**Document Storage**
-Warranties, manuals, receipts, and home documents can be uploaded and organized by room or category. When an appliance needs service, the warranty information is instantly accessible.
-
-**Contractor Management**
-Homeowners can store contact information, specialties, and notes for trusted service providers. No more scrolling through old texts to find the plumber's number during an emergency.
-
-**Household Collaboration**
-Multiple family members can be invited to share a residence, ensuring everyone sees what maintenance is needed. Residents can assign tasks to each other and track completion together.
-
-### Market Opportunity
-
-The home services market is projected to reach $1.2 trillion by 2026, driven by increasing homeownership rates and aging housing stock. The on-demand home services app market alone is expected to grow from $5.29 billion in 2024 to $9.03 billion by 2028.
-
-"We're not competing with handyman apps or smart home devices," said [Founder Name]. "We're replacing the mental load of remembering everything your home needs. That's a problem every homeowner understands."
-
-### Pricing and Availability
-
-honeyDue is available now as a free download on the [App Store](link) and [Google Play](link). The free tier includes core functionality for one property. Premium tiers offering multiple properties, unlimited document storage, and priority support are available starting at $[X]/month.
-
-### About honeyDue
-
-honeyDue is a home maintenance management platform designed to help homeowners stay ahead of maintenance, protect their investment, and reduce the stress of property upkeep. Founded in [YEAR], honeyDue is headquartered in [CITY, STATE].
-
-For more information, visit [www.honeyDue.treytartt.com](https://www.honeyDue.treytartt.com) or follow @honeyDueApp on [Twitter](link) and [Instagram](link).
-
----
-
-### Media Assets
-
-High-resolution logos, app screenshots, and founder headshots are available at: [MEDIA KIT LINK]
-
----
-
-### Quick Facts
-
-| Metric | Detail |
-|--------|--------|
-| **Launch Date** | [DATE] |
-| **Platforms** | iOS, Android |
-| **Price** | Free with premium tiers |
-| **Headquarters** | [CITY, STATE] |
-| **Website** | [URL] |
-| **Social** | @honeyDueApp |
-
----
-
-###
-
----
-
-# ALTERNATIVE VERSIONS
-
----
-
-## Short Version (for email pitches)
-
-**Subject: New App Helps Homeowners Stop Forgetting Maintenance**
-
-Hi [Name],
-
-Quick pitch: honeyDue is a new app that helps homeowners track recurring maintenance, store warranties, and organize contractor info — all in one place.
-
-**The hook:** The average homeowner spends $3,000+/year on emergency repairs. Most are preventable with basic maintenance. But there's been no good system to track it all — until now.
-
-**Key features:**
-- Kanban-style task board (overdue → due soon → upcoming → done)
-- Recurring reminders that actually recur (change filter every 90 days, forever)
-- Document storage for warranties and manuals
-- Contractor rolodex
-- Household sharing
-
-We just launched on iOS and Android. Happy to share more, provide access, or set up an interview with our founder.
-
-Best,
-[Name]
-
----
-
-## Tweet-Length Announcement
-
-```
-📱 honeyDue just launched — the home maintenance app for homeowners who are tired of forgetting filter changes and losing warranties.
-
-Free on iOS + Android.
-
-Your home runs better when you do. 🏠
-```
-
----
-
-## Founder Quote Options
-
-*Choose the one that fits your story best:*
-
-**Problem-focused:**
-> "I built honeyDue after my AC died because I forgot a $150 tune-up. That $4,000 lesson convinced me there had to be a better way to manage home maintenance."
-
-**Vision-focused:**
-> "We believe your home deserves the same organizational tools as your work calendar. honeyDue brings that professionalism to home management."
-
-**Market-focused:**
-> "Smart home technology has focused on automation and convenience. We're focused on something simpler: helping people remember to take care of their biggest investment."
-
-**User-focused:**
-> "Our users tell us the same thing: 'I finally feel on top of my house.' That's exactly what we're going for."
-
----
-
-## Press Coverage Angles
-
-Journalists can approach this story from multiple angles:
-
-**Personal Finance:**
-"App Helps Homeowners Avoid Costly Emergency Repairs Through Preventive Maintenance"
-
-**Productivity/Apps:**
-"Trello for Your House: How Kanban Boards Are Coming to Home Maintenance"
-
-**Real Estate:**
-"New Tech Aims to Reduce Hidden Costs of Homeownership"
-
-**Lifestyle:**
-"The App That Might Finally End the 'Did You Call the Plumber?' Argument"
-
-**First-Time Buyers:**
-"Essential Apps for New Homeowners in [YEAR]"
-
----
-
-## Suggested Interview Questions
-
-1. What's the most commonly forgotten home maintenance task?
-2. How much can preventive maintenance actually save homeowners?
-3. Why hasn't this problem been solved before?
-4. How is honeyDue different from calendar reminders?
-5. What's the most surprising thing you've learned from users?
-
----
-
-## Boilerplate
-
-**About honeyDue (50 words)**
-honeyDue is a home maintenance management app that helps homeowners track recurring tasks, store important documents, organize contractor information, and collaborate with household members. Available on iOS and Android, honeyDue brings clarity and organization to the often-overwhelming job of home upkeep.
-
-**About honeyDue (25 words)**
-honeyDue is a home maintenance app that helps homeowners track tasks, store warranties, and organize contractor info — all in one place.
-
-**About honeyDue (10 words)**
-honeyDue: The organized way to manage home maintenance.
-
----
-
-## Contact
-
-**Media Inquiries:**
-[Name]
-[Email]
-[Phone]
-
-**General Information:**
-Website: [URL]
-Email: hello@honeyDue.treytartt.com
-Twitter: @honeyDueApp
-Instagram: @honeyDueApp
diff --git a/docs/marketing/SOCIAL_MEDIA_KIT.md b/docs/marketing/SOCIAL_MEDIA_KIT.md
deleted file mode 100644
index 2426721..0000000
--- a/docs/marketing/SOCIAL_MEDIA_KIT.md
+++ /dev/null
@@ -1,454 +0,0 @@
-# honeyDue Social Media Kit
-
-*Ready-to-use posts for launching and promoting honeyDue*
-
----
-
-## Brand Voice Guidelines
-
-**Tone:** Friendly, helpful, empowering
-**Style:** Clear, conversational, action-oriented
-**Avoid:** Technical jargon, fear-based messaging, overwhelming lists
-
-**Key Messages:**
-1. Home maintenance doesn't have to be overwhelming
-2. Stay ahead of problems, not behind them
-3. Your home deserves the same organization as your work calendar
-
----
-
-## Twitter/X Posts
-
-### Launch Announcement
-
-**Post 1 - Main Launch**
-```
-Introducing honeyDue 🏠
-
-The home maintenance app that actually makes sense.
-
-✓ Smart task scheduling
-✓ Never miss another filter change
-✓ Track warranties before they expire
-✓ Keep contractor info in one place
-
-Your home runs better when you do.
-
-Download free → [link]
-```
-
-**Post 2 - Problem/Solution**
-```
-That "I should really check the HVAC filter" thought you have every 3 months?
-
-honeyDue remembers it for you.
-
-Set it once. Get reminded forever.
-
-Free download → [link]
-```
-
-**Post 3 - Feature Focus**
-```
-POV: You need a plumber at 9pm
-
-❌ Scrolling through old texts
-❌ Googling "plumber near me" again
-❌ Hoping you saved that business card
-
-✅ Opening honeyDue and finding Mike the Plumber instantly
-
-Your contractor rolodex, always in your pocket.
-```
-
----
-
-### Feature Highlights
-
-**Recurring Tasks**
-```
-"Change HVAC filter"
-"Clean gutters"
-"Test smoke detectors"
-
-These aren't one-time tasks. They come back.
-
-honeyDue knows that. Set the frequency once, and we'll remind you every time it's due.
-
-Smart home maintenance → [link]
-```
-
-**Kanban Board**
-```
-Finally, a way to actually SEE your home maintenance:
-
-🔴 Overdue — handle these first
-🟡 Due Soon — coming up this month
-🟢 Upcoming — you're ahead of the game
-✅ Completed — feel that satisfaction
-
-honeyDue's kanban view. Simple. Visual. Effective.
-```
-
-**Document Storage**
-```
-Where's the warranty for your fridge?
-
-A) Filing cabinet somewhere
-B) Email from 3 years ago
-C) No idea
-D) honeyDue — because you uploaded it when you bought it
-
-Be option D.
-```
-
-**Shared Household**
-```
-"Did you call the electrician?"
-"I thought YOU were going to"
-
-Sound familiar?
-
-honeyDue lets you share your home with family members. Everyone sees what needs doing. No more crossed wires.
-
-(pun intended)
-```
-
----
-
-### Engagement Posts
-
-**Poll**
-```
-What's the home task you forget most often?
-
-🔘 Changing air filters
-🔘 Cleaning gutters
-🔘 Testing smoke detectors
-🔘 Scheduling HVAC service
-```
-
-**Question**
-```
-Be honest: Do you know when your roof was last inspected?
-
-Reply with:
-✅ = Yes, I'm on top of it
-😅 = I should probably check
-❓ = Wait, you're supposed to inspect roofs?
-```
-
-**Tip Thread**
-```
-🧵 5 home maintenance tasks most people forget (and when to do them):
-
-1/ Dryer vent cleaning — Once a year. Prevents fires. Seriously.
-
-2/ Water heater flush — Annually. Extends life by years.
-
-3/ Garbage disposal cleaning — Monthly. Ice cubes + lemon.
-
-4/ Refrigerator coils — Twice a year. Saves energy.
-
-5/ Smoke detector batteries — Every 6 months. Life-saving.
-
-Save this. Or better yet, add them all to honeyDue and never think about it again.
-```
-
----
-
-## Instagram Posts
-
-### Launch Carousel (5 slides)
-
-**Slide 1:**
-```
-MEET HONEYDUE
-The home maintenance app you didn't know you needed
-(but definitely do)
-→
-```
-
-**Slide 2:**
-```
-THE PROBLEM
-
-You bought a home.
-It came with:
-• 47 things that need regular maintenance
-• Zero system to track them
-• That vague anxiety something's overdue
-
-Sound familiar?
-→
-```
-
-**Slide 3:**
-```
-THE SOLUTION
-
-honeyDue organizes everything:
-
-📋 Tasks — recurring reminders that actually recur
-📄 Documents — warranties, manuals, receipts
-🔧 Contractors — your trusted pros, one tap away
-👨‍👩‍👧 Family — shared access, no more "I thought you did it"
-→
-```
-
-**Slide 4:**
-```
-THE VIEW
-
-See everything at a glance:
-
-🔴 Overdue
-🟡 Due Soon
-🟢 Upcoming
-✅ Done
-
-No spreadsheets. No forgotten Post-its.
-Just clarity.
-→
-```
-
-**Slide 5:**
-```
-GET STARTED FREE
-
-Your home works hard for you.
-Let's return the favor.
-
-Download honeyDue
-Link in bio 🏠
-```
-
----
-
-### Single Image Posts
-
-**Post 1 - Lifestyle**
-```
-Caption:
-Sunday morning coffee hits different when you're not mentally running through everything you forgot to maintain.
-
-honeyDue handles the remembering.
-You handle the relaxing.
-
-#homeowner #homeownership #adulting #homemaintenance #organizedhome #homeownertips #firsttimehomebuyer
-```
-
-**Post 2 - Stat-based**
-```
-Caption:
-The average homeowner spends $3,000+/year on emergency repairs.
-
-Most could be prevented with regular maintenance.
-
-The unsexy truth: Boring scheduled tasks save exciting amounts of money.
-
-honeyDue makes the boring part automatic.
-
-#homeownerhacks #homemaintenance #savemoney #preventivemaintenance #homecare
-```
-
-**Post 3 - Testimonial Format**
-```
-Caption:
-"I used to keep track of home stuff in my head.
-
-Then the AC died in July because I forgot the spring tune-up.
-
-$4,200 lesson learned.
-
-Now I use honeyDue."
-
-— Every homeowner, eventually
-
-Don't wait for your expensive lesson.
-
-#homeowner #hvac #homemaintenance #lessonlearned #homeownerlife
-```
-
----
-
-### Reels/Stories Ideas
-
-**Reel 1: "Things I wish I knew as a first-time homeowner"**
-```
-Hook: "Nobody told me homes need THIS much maintenance"
-
-Content:
-- Quick cuts of common maintenance tasks
-- Text overlays with frequency
-- End with honeyDue app demo
-
-Audio: Trending sound
-```
-
-**Reel 2: "POV: You actually maintained your home this year"**
-```
-Hook: Satisfying montage of checking off tasks
-
-Content:
-- Checking HVAC filter ✓
-- Cleaning gutters ✓
-- Testing smoke detectors ✓
-- Organized contractor list
-
-Audio: Satisfying/success sound
-```
-
-**Story Series: "Home Maintenance Monday"**
-```
-Weekly recurring content:
-- One maintenance tip per week
-- Swipe up to add task to honeyDue
-- Build habit + community
-```
-
----
-
-## LinkedIn Posts
-
-### Launch Announcement
-
-```
-I'm excited to share something I've been working on: honeyDue.
-
-It started with a simple frustration. As a homeowner, I was juggling:
-• Sticky notes for maintenance reminders
-• Spreadsheets for warranties
-• Text threads to find my plumber's number
-• The constant nagging feeling I was forgetting something
-
-There had to be a better way.
-
-honeyDue is that better way.
-
-It's a home maintenance app that brings everything together:
-→ Recurring task reminders (that actually recur)
-→ Document storage for warranties and manuals
-→ Contractor directory at your fingertips
-→ Shared access for the whole household
-
-Homeownership is already complicated. Managing it shouldn't be.
-
-We're live on iOS and Android. I'd love for you to try it and share your feedback.
-
-What's the home maintenance task YOU always forget? Drop it in the comments.
-
-#startup #proptech #homeownership #productivity #appdev
-```
-
-### Thought Leadership
-
-```
-Hot take: Most "smart home" technology solves the wrong problems.
-
-We have refrigerators that tweet and thermostats that learn our schedules.
-
-But ask a homeowner when they last:
-- Changed their HVAC filter
-- Flushed their water heater
-- Cleaned their dryer vent
-
-...and you'll get a blank stare.
-
-The unsexy truth about homeownership:
-
-It's not about automation. It's about organization.
-
-The homes that last aren't the most automated. They're the most maintained.
-
-That's why we built honeyDue — not another smart device, but a smart system for the maintenance that actually matters.
-
-Sometimes the most valuable technology is the simplest.
-
-#realestate #proptech #homeownership #startups #productthinking
-```
-
-### Feature Announcement Template
-
-```
-New in honeyDue: [FEATURE NAME]
-
-The problem: [One sentence describing pain point]
-
-The solution: [One sentence describing feature]
-
-How it works:
-1. [Step one]
-2. [Step two]
-3. [Step three]
-
-This was our most-requested feature, and I'm thrilled to ship it.
-
-Update your app to try it today.
-
-What feature should we build next?
-
-#productupdate #honeydue #hometech
-```
-
----
-
-## Hashtag Strategy
-
-### Primary Hashtags (use on every post)
-```
-#honeyDue #HomeMaintenance #HomeOwner #HomeManagement
-```
-
-### Secondary Hashtags (rotate based on content)
-```
-#FirstTimeHomeBuyer #HomeOwnerTips #HomeOwnerLife #Adulting
-#HomeImprovement #PropertyMaintenance #OrganizedHome #HomeHacks
-#RealEstate #NewHomeOwner #HouseGoals #HomeOwnership
-```
-
-### Trending/Seasonal
-```
-Spring: #SpringCleaning #SpringMaintenance
-Summer: #SummerHome #ACMaintenance
-Fall: #FallMaintenance #WinterPrep #GutterCleaning
-Winter: #WinterHome #HeatingSystem
-```
-
----
-
-## Content Calendar Template
-
-| Day | Platform | Content Type | Topic |
-|-----|----------|--------------|-------|
-| Monday | Twitter | Tip | "Maintenance Monday" tip |
-| Tuesday | Instagram | Carousel | Feature deep-dive |
-| Wednesday | LinkedIn | Thought leadership | Industry insight |
-| Thursday | Twitter | Engagement | Poll or question |
-| Friday | Instagram | Lifestyle | Weekend home project |
-| Saturday | Stories | Behind-the-scenes | App updates, team |
-| Sunday | Twitter | Thread | Educational content |
-
----
-
-## Response Templates
-
-### Positive Feedback
-```
-Thanks so much! 🏠 We're glad honeyDue is helping you stay on top of things. Let us know if there's anything we can do better!
-```
-
-### Feature Request
-```
-Love this idea! We're adding it to our list. Thanks for helping us make honeyDue better! 🙏
-```
-
-### Support Issue
-```
-Sorry you're running into trouble! DM us the details and we'll get it sorted out ASAP. 🔧
-```
-
-### Competitor Mention
-```
-Great question! We focus on [specific differentiator]. Happy to share more about how honeyDue might fit your needs — DM us anytime!
-```