Production hardening: security, resilience, observability, and compliance

Password complexity: custom validator requiring uppercase, lowercase, digit (min 8 chars)
Token expiry: 90-day token lifetime with refresh endpoint (60-90 day renewal window)
Health check: /api/health/ now pings Postgres + Redis, returns 503 on failure
Audit logging: async audit_log table for auth events (login, register, delete, etc.)
Circuit breaker: APNs/FCM push sends wrapped with 5-failure threshold, 30s recovery
FK indexes: 27 missing foreign key indexes across all tables (migration 017)
CSP header: default-src 'none'; frame-ancestors 'none'
Gzip compression: level 5 with media endpoint skipper
Prometheus metrics: /metrics endpoint using existing monitoring service
External timeouts: 15s push, 30s SMTP, context timeouts on all external calls

Migrations: 016 (token created_at), 017 (FK indexes), 018 (audit_log)
Tests: circuit breaker (15), audit service (8), token refresh (7), health (4),
       middleware expiry (5), validator (new)

internal/repositories/user_repo.go

@@ -173,6 +173,27 @@ func (r *UserRepository) GetOrCreateToken(userID uint) (*models.AuthToken, error
 	return &token, nil
 }
 
+// FindTokenByKey looks up an auth token by its key value.
+func (r *UserRepository) FindTokenByKey(key string) (*models.AuthToken, error) {
+	var token models.AuthToken
+	if err := r.db.Where("key = ?", key).First(&token).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil, ErrTokenNotFound
+		}
+		return nil, err
+	}
+	return &token, nil
+}
+
+// CreateToken creates a new auth token for a user.
+func (r *UserRepository) CreateToken(userID uint) (*models.AuthToken, error) {
+	token := models.AuthToken{UserID: userID}
+	if err := r.db.Create(&token).Error; err != nil {
+		return nil, err
+	}
+	return &token, nil
+}
+
 // DeleteToken deletes an auth token
 func (r *UserRepository) DeleteToken(token string) error {
 	result := r.db.Where("key = ?", token).Delete(&models.AuthToken{})