Close all 25 codex audit findings and add KMP contract tests

Remediate all P0-S priority findings from cross-platform architecture audit:
- Add input validation and authorization checks across handlers
- Harden social auth (Apple/Google) token validation
- Add document ownership verification and file type validation
- Add rate limiting config and CORS origin restrictions
- Add subscription tier enforcement in handlers
- Add OpenAPI 3.0.3 spec (81 schemas, 104 operations)
- Add URL-level contract test (KMP API routes match spec paths)
- Add model-level contract test (65 schemas, 464 fields validated)
- Add CI workflow for backend tests

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/services/google_auth.go

@@ -98,12 +98,18 @@ func (s *GoogleAuthService) VerifyIDToken(ctx context.Context, idToken string) (
 	return &tokenInfo, nil
 }
 
-// verifyAudience checks if the token audience matches our client ID(s)
+// verifyAudience checks if the token audience matches our client ID(s).
+// In production (non-debug), an empty clientID causes verification to fail
+// rather than silently bypassing the check.
 func (s *GoogleAuthService) verifyAudience(aud, azp string) bool {
 	clientID := s.config.GoogleAuth.ClientID
 	if clientID == "" {
-		// If not configured, skip audience verification (for development)
-		return true
+		if s.config.Server.Debug {
+			// In debug mode only, skip audience verification for local development
+			return true
+		}
+		// In production, missing client ID means we cannot verify the audience
+		return false
 	}
 
 	// Check both aud and azp (Android vs iOS may use different values)