Production hardening: security, resilience, observability, and compliance

Password complexity: custom validator requiring uppercase, lowercase, digit (min 8 chars)
Token expiry: 90-day token lifetime with refresh endpoint (60-90 day renewal window)
Health check: /api/health/ now pings Postgres + Redis, returns 503 on failure
Audit logging: async audit_log table for auth events (login, register, delete, etc.)
Circuit breaker: APNs/FCM push sends wrapped with 5-failure threshold, 30s recovery
FK indexes: 27 missing foreign key indexes across all tables (migration 017)
CSP header: default-src 'none'; frame-ancestors 'none'
Gzip compression: level 5 with media endpoint skipper
Prometheus metrics: /metrics endpoint using existing monitoring service
External timeouts: 15s push, 30s SMTP, context timeouts on all external calls

Migrations: 016 (token created_at), 017 (FK indexes), 018 (audit_log)
Tests: circuit breaker (15), audit service (8), token refresh (7), health (4),
       middleware expiry (5), validator (new)

internal/services/cache_service.go

@@ -141,6 +141,12 @@ func (c *CacheService) CacheAuthToken(ctx context.Context, token string, userID
 	return c.SetString(ctx, key, fmt.Sprintf("%d", userID), TokenCacheTTL)
 }
 
+// CacheAuthTokenWithCreated caches a user ID and token creation time for a token
+func (c *CacheService) CacheAuthTokenWithCreated(ctx context.Context, token string, userID uint, createdUnix int64) error {
+	key := AuthTokenPrefix + token
+	return c.SetString(ctx, key, fmt.Sprintf("%d|%d", userID, createdUnix), TokenCacheTTL)
+}
+
 // GetCachedAuthToken gets a cached user ID for a token
 func (c *CacheService) GetCachedAuthToken(ctx context.Context, token string) (uint, error) {
 	key := AuthTokenPrefix + token
@@ -154,6 +160,24 @@ func (c *CacheService) GetCachedAuthToken(ctx context.Context, token string) (ui
 	return userID, err
 }
 
+// GetCachedAuthTokenWithCreated gets a cached user ID and token creation time.
+// Returns userID, createdUnix, error. createdUnix is 0 if not stored (legacy format).
+func (c *CacheService) GetCachedAuthTokenWithCreated(ctx context.Context, token string) (uint, int64, error) {
+	key := AuthTokenPrefix + token
+	val, err := c.GetString(ctx, key)
+	if err != nil {
+		return 0, 0, err
+	}
+
+	var userID uint
+	var createdUnix int64
+	n, _ := fmt.Sscanf(val, "%d|%d", &userID, &createdUnix)
+	if n < 1 {
+		return 0, 0, fmt.Errorf("invalid cached token format")
+	}
+	return userID, createdUnix, nil
+}
+
 // InvalidateAuthToken removes a cached token
 func (c *CacheService) InvalidateAuthToken(ctx context.Context, token string) error {
 	key := AuthTokenPrefix + token