Close all 25 codex audit findings and add KMP contract tests

Remediate all P0-S priority findings from cross-platform architecture audit:
- Add input validation and authorization checks across handlers
- Harden social auth (Apple/Google) token validation
- Add document ownership verification and file type validation
- Add rate limiting config and CORS origin restrictions
- Add subscription tier enforcement in handlers
- Add OpenAPI 3.0.3 spec (81 schemas, 104 operations)
- Add URL-level contract test (KMP API routes match spec paths)
- Add model-level contract test (65 schemas, 464 fields validated)
- Add CI workflow for backend tests

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/router/router.go

@@ -213,10 +213,27 @@ func SetupRouter(deps *Dependencies) *echo.Echo {
 	return e
 }
 
-// corsMiddleware configures CORS - allowing all origins for API access
+// corsMiddleware configures CORS with restricted origins in production.
+// In debug mode, all origins are allowed for development convenience.
+// In production, origins are read from the CORS_ALLOWED_ORIGINS environment variable
+// (comma-separated), falling back to a restrictive default set.
 func corsMiddleware(cfg *config.Config) echo.MiddlewareFunc {
+	var origins []string
+	if cfg.Server.Debug {
+		origins = []string{"*"}
+	} else {
+		origins = cfg.Server.CorsAllowedOrigins
+		if len(origins) == 0 {
+			// Restrictive default: only the known production domains
+			origins = []string{
+				"https://casera.app",
+				"https://casera.treytartt.com",
+			}
+		}
+	}
+
 	return middleware.CORSWithConfig(middleware.CORSConfig{
-		AllowOrigins:     []string{"*"},
+		AllowOrigins:     origins,
 		AllowMethods:     []string{http.MethodGet, http.MethodPost, http.MethodPut, http.MethodPatch, http.MethodDelete, http.MethodOptions},
 		AllowHeaders:     []string{echo.HeaderOrigin, echo.HeaderContentType, echo.HeaderAccept, echo.HeaderAuthorization, "X-Requested-With", "X-Timezone"},
 		ExposeHeaders:    []string{echo.HeaderContentLength},
@@ -311,6 +328,7 @@ func setupResidenceRoutes(api *echo.Group, residenceHandler *handlers.ResidenceH
 		residences.PATCH("/:id/", residenceHandler.UpdateResidence)
 		residences.DELETE("/:id/", residenceHandler.DeleteResidence)
 
+		residences.GET("/:id/share-code/", residenceHandler.GetShareCode)
 		residences.POST("/:id/generate-share-code/", residenceHandler.GenerateShareCode)
 		residences.POST("/:id/generate-share-package/", residenceHandler.GenerateSharePackage)
 		residences.POST("/:id/generate-tasks-report/", residenceHandler.GenerateTasksReport)
@@ -347,6 +365,7 @@ func setupTaskRoutes(api *echo.Group, taskHandler *handlers.TaskHandler) {
 		completions.GET("/", taskHandler.ListCompletions)
 		completions.POST("/", taskHandler.CreateCompletion)
 		completions.GET("/:id/", taskHandler.GetCompletion)
+		completions.PUT("/:id/", taskHandler.UpdateCompletion)
 		completions.DELETE("/:id/", taskHandler.DeleteCompletion)
 	}
 }
@@ -380,6 +399,8 @@ func setupDocumentRoutes(api *echo.Group, documentHandler *handlers.DocumentHand
 		documents.DELETE("/:id/", documentHandler.DeleteDocument)
 		documents.POST("/:id/activate/", documentHandler.ActivateDocument)
 		documents.POST("/:id/deactivate/", documentHandler.DeactivateDocument)
+		documents.POST("/:id/images/", documentHandler.UploadDocumentImage)
+		documents.DELETE("/:id/images/:imageId/", documentHandler.DeleteDocumentImage)
 	}
 }
 
@@ -394,6 +415,7 @@ func setupNotificationRoutes(api *echo.Group, notificationHandler *handlers.Noti
 
 		notifications.POST("/devices/", notificationHandler.RegisterDevice)
 		notifications.POST("/devices/register/", notificationHandler.RegisterDevice) // Alias for mobile clients
+		notifications.POST("/devices/unregister/", notificationHandler.UnregisterDevice)
 		notifications.GET("/devices/", notificationHandler.ListDevices)
 		notifications.DELETE("/devices/:id/", notificationHandler.DeleteDevice)