Close all 25 codex audit findings and add KMP contract tests

Remediate all P0-S priority findings from cross-platform architecture audit:
- Add input validation and authorization checks across handlers
- Harden social auth (Apple/Google) token validation
- Add document ownership verification and file type validation
- Add rate limiting config and CORS origin restrictions
- Add subscription tier enforcement in handlers
- Add OpenAPI 3.0.3 spec (81 schemas, 104 operations)
- Add URL-level contract test (KMP API routes match spec paths)
- Add model-level contract test (65 schemas, 464 fields validated)
- Add CI workflow for backend tests

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/services/apple_auth.go

@@ -159,12 +159,18 @@ func (s *AppleAuthService) VerifyIdentityToken(ctx context.Context, idToken stri
 	return claims, nil
 }
 
-// verifyAudience checks if the token audience matches our client ID
+// verifyAudience checks if the token audience matches our client ID.
+// In production (non-debug), an empty clientID causes verification to fail
+// rather than silently bypassing the check.
 func (s *AppleAuthService) verifyAudience(audience jwt.ClaimStrings) bool {
 	clientID := s.config.AppleAuth.ClientID
 	if clientID == "" {
-		// If not configured, skip audience verification (for development)
-		return true
+		if s.config.Server.Debug {
+			// In debug mode only, skip audience verification for local development
+			return true
+		}
+		// In production, missing client ID means we cannot verify the audience
+		return false
 	}
 
 	for _, aud := range audience {

internal/services/document_service.go

@@ -321,3 +321,89 @@ func (s *DocumentService) DeactivateDocument(documentID, userID uint) (*response
 	resp := responses.NewDocumentResponse(document)
 	return &resp, nil
 }
+
+// UploadDocumentImage adds an image to an existing document
+func (s *DocumentService) UploadDocumentImage(documentID, userID uint, imageURL, caption string) (*responses.DocumentResponse, error) {
+	document, err := s.documentRepo.FindByID(documentID)
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil, apperrors.NotFound("error.document_not_found")
+		}
+		return nil, apperrors.Internal(err)
+	}
+
+	// Check access via residence
+	hasAccess, err := s.residenceRepo.HasAccess(document.ResidenceID, userID)
+	if err != nil {
+		return nil, apperrors.Internal(err)
+	}
+	if !hasAccess {
+		return nil, apperrors.Forbidden("error.document_access_denied")
+	}
+
+	img := &models.DocumentImage{
+		DocumentID: documentID,
+		ImageURL:   imageURL,
+		Caption:    caption,
+	}
+	if err := s.documentRepo.CreateDocumentImage(img); err != nil {
+		return nil, apperrors.Internal(err)
+	}
+
+	// Reload with relations
+	document, err = s.documentRepo.FindByID(documentID)
+	if err != nil {
+		return nil, apperrors.Internal(err)
+	}
+
+	resp := responses.NewDocumentResponse(document)
+	return &resp, nil
+}
+
+// DeleteDocumentImage removes an image from a document
+func (s *DocumentService) DeleteDocumentImage(documentID, imageID, userID uint) (*responses.DocumentResponse, error) {
+	// Find the image first
+	image, err := s.documentRepo.FindImageByID(imageID)
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil, apperrors.NotFound("error.document_image_not_found")
+		}
+		return nil, apperrors.Internal(err)
+	}
+
+	// Verify image belongs to the specified document
+	if image.DocumentID != documentID {
+		return nil, apperrors.NotFound("error.document_image_not_found")
+	}
+
+	// Find parent document to check access
+	document, err := s.documentRepo.FindByID(documentID)
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil, apperrors.NotFound("error.document_not_found")
+		}
+		return nil, apperrors.Internal(err)
+	}
+
+	// Check access via residence
+	hasAccess, err := s.residenceRepo.HasAccess(document.ResidenceID, userID)
+	if err != nil {
+		return nil, apperrors.Internal(err)
+	}
+	if !hasAccess {
+		return nil, apperrors.Forbidden("error.document_access_denied")
+	}
+
+	if err := s.documentRepo.DeleteDocumentImage(imageID); err != nil {
+		return nil, apperrors.Internal(err)
+	}
+
+	// Reload with relations
+	document, err = s.documentRepo.FindByID(documentID)
+	if err != nil {
+		return nil, apperrors.Internal(err)
+	}
+
+	resp := responses.NewDocumentResponse(document)
+	return &resp, nil
+}

internal/services/google_auth.go

@@ -98,12 +98,18 @@ func (s *GoogleAuthService) VerifyIDToken(ctx context.Context, idToken string) (
 	return &tokenInfo, nil
 }
 
-// verifyAudience checks if the token audience matches our client ID(s)
+// verifyAudience checks if the token audience matches our client ID(s).
+// In production (non-debug), an empty clientID causes verification to fail
+// rather than silently bypassing the check.
 func (s *GoogleAuthService) verifyAudience(aud, azp string) bool {
 	clientID := s.config.GoogleAuth.ClientID
 	if clientID == "" {
-		// If not configured, skip audience verification (for development)
-		return true
+		if s.config.Server.Debug {
+			// In debug mode only, skip audience verification for local development
+			return true
+		}
+		// In production, missing client ID means we cannot verify the audience
+		return false
 	}
 
 	// Check both aud and azp (Android vs iOS may use different values)

internal/services/notification_service.go

@@ -372,6 +372,39 @@ func (s *NotificationService) DeleteDevice(deviceID uint, platform string, userI
 	return nil
 }
 
+// UnregisterDevice deactivates a device by its registration token
+func (s *NotificationService) UnregisterDevice(registrationID, platform string, userID uint) error {
+	switch platform {
+	case push.PlatformIOS:
+		device, err := s.notificationRepo.FindAPNSDeviceByToken(registrationID)
+		if err != nil {
+			return apperrors.NotFound("error.device_not_found")
+		}
+		// Verify ownership
+		if device.UserID == nil || *device.UserID != userID {
+			return apperrors.NotFound("error.device_not_found")
+		}
+		if err := s.notificationRepo.DeactivateAPNSDevice(device.ID); err != nil {
+			return apperrors.Internal(err)
+		}
+	case push.PlatformAndroid:
+		device, err := s.notificationRepo.FindGCMDeviceByToken(registrationID)
+		if err != nil {
+			return apperrors.NotFound("error.device_not_found")
+		}
+		// Verify ownership
+		if device.UserID == nil || *device.UserID != userID {
+			return apperrors.NotFound("error.device_not_found")
+		}
+		if err := s.notificationRepo.DeactivateGCMDevice(device.ID); err != nil {
+			return apperrors.Internal(err)
+		}
+	default:
+		return apperrors.BadRequest("error.invalid_platform")
+	}
+	return nil
+}
+
 // === Response/Request Types ===
 
 // NotificationResponse represents a notification in API response

internal/services/residence_service.go

@@ -353,6 +353,29 @@ func (s *ResidenceService) GenerateShareCode(residenceID, userID uint, expiresIn
 	}, nil
 }
 
+// GetShareCode retrieves the active share code for a residence (if any)
+func (s *ResidenceService) GetShareCode(residenceID, userID uint) (*responses.ShareCodeResponse, error) {
+	// Check access
+	hasAccess, err := s.residenceRepo.HasAccess(residenceID, userID)
+	if err != nil {
+		return nil, apperrors.Internal(err)
+	}
+	if !hasAccess {
+		return nil, apperrors.Forbidden("error.residence_access_denied")
+	}
+
+	shareCode, err := s.residenceRepo.GetActiveShareCode(residenceID)
+	if err != nil {
+		return nil, apperrors.Internal(err)
+	}
+	if shareCode == nil {
+		return nil, nil
+	}
+
+	resp := responses.NewShareCodeResponse(shareCode)
+	return &resp, nil
+}
+
 // GenerateSharePackage generates a share code and returns package metadata for .casera file
 func (s *ResidenceService) GenerateSharePackage(residenceID, userID uint, expiresInHours int) (*responses.SharePackageResponse, error) {
 	// Check ownership (only owners can share residences)

internal/services/task_service.go

@@ -894,6 +894,61 @@ func (s *TaskService) ListCompletions(userID uint) ([]responses.TaskCompletionRe
 	return responses.NewTaskCompletionListResponse(completions), nil
 }
 
+// UpdateCompletion updates an existing task completion
+func (s *TaskService) UpdateCompletion(completionID, userID uint, req *requests.UpdateTaskCompletionRequest) (*responses.TaskCompletionResponse, error) {
+	completion, err := s.taskRepo.FindCompletionByID(completionID)
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil, apperrors.NotFound("error.completion_not_found")
+		}
+		return nil, apperrors.Internal(err)
+	}
+
+	// Check access via task's residence
+	hasAccess, err := s.residenceRepo.HasAccess(completion.Task.ResidenceID, userID)
+	if err != nil {
+		return nil, apperrors.Internal(err)
+	}
+	if !hasAccess {
+		return nil, apperrors.Forbidden("error.task_access_denied")
+	}
+
+	// Apply updates
+	if req.Notes != nil {
+		completion.Notes = *req.Notes
+	}
+	if req.ActualCost != nil {
+		completion.ActualCost = req.ActualCost
+	}
+	if req.Rating != nil {
+		completion.Rating = req.Rating
+	}
+
+	if err := s.taskRepo.UpdateCompletion(completion); err != nil {
+		return nil, apperrors.Internal(err)
+	}
+
+	// Add any new images
+	for _, imageURL := range req.ImageURLs {
+		image := &models.TaskCompletionImage{
+			CompletionID: completion.ID,
+			ImageURL:     imageURL,
+		}
+		if err := s.taskRepo.CreateCompletionImage(image); err != nil {
+			log.Error().Err(err).Uint("completion_id", completion.ID).Msg("Failed to create completion image during update")
+		}
+	}
+
+	// Reload to get full associations
+	updated, err := s.taskRepo.FindCompletionByID(completionID)
+	if err != nil {
+		return nil, apperrors.Internal(err)
+	}
+
+	resp := responses.NewTaskCompletionResponse(updated)
+	return &resp, nil
+}
+
 // DeleteCompletion deletes a task completion
 func (s *TaskService) DeleteCompletion(completionID, userID uint) (*responses.DeleteWithSummaryResponse, error) {
 	completion, err := s.taskRepo.FindCompletionByID(completionID)