Close all 25 codex audit findings and add KMP contract tests

Remediate all P0-S priority findings from cross-platform architecture audit:
- Add input validation and authorization checks across handlers
- Harden social auth (Apple/Google) token validation
- Add document ownership verification and file type validation
- Add rate limiting config and CORS origin restrictions
- Add subscription tier enforcement in handlers
- Add OpenAPI 3.0.3 spec (81 schemas, 104 operations)
- Add URL-level contract test (KMP API routes match spec paths)
- Add model-level contract test (65 schemas, 464 fields validated)
- Add CI workflow for backend tests

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/services/apple_auth.go

@@ -159,12 +159,18 @@ func (s *AppleAuthService) VerifyIdentityToken(ctx context.Context, idToken stri
 	return claims, nil
 }
 
-// verifyAudience checks if the token audience matches our client ID
+// verifyAudience checks if the token audience matches our client ID.
+// In production (non-debug), an empty clientID causes verification to fail
+// rather than silently bypassing the check.
 func (s *AppleAuthService) verifyAudience(audience jwt.ClaimStrings) bool {
 	clientID := s.config.AppleAuth.ClientID
 	if clientID == "" {
-		// If not configured, skip audience verification (for development)
-		return true
+		if s.config.Server.Debug {
+			// In debug mode only, skip audience verification for local development
+			return true
+		}
+		// In production, missing client ID means we cannot verify the audience
+		return false
 	}
 
 	for _, aud := range audience {