Coverage priorities 1-5: test pure functions, extract interfaces, mock-based handler tests

- Priority 1: Test NewSendEmailTask + NewSendPushTask (5 tests)
- Priority 2: Test customHTTPErrorHandler — all 15+ branches (21 tests)
- Priority 3: Extract Enqueuer interface + payload builders in worker pkg (5 tests)
- Priority 4: Extract ClassifyFile/ComputeRelPath in migrate-encrypt (6 tests)
- Priority 5: Define Handler interfaces, refactor to accept them, mock-based tests (14 tests)
- Fix .gitignore: /worker instead of worker to stop ignoring internal/worker/

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/integration/security_regression_test.go

@@ -265,8 +265,8 @@ func TestE2E_SQLInjection_AdminSort_Blocked(t *testing.T) {
 	adminUserHandler := adminhandlers.NewAdminUserHandler(db)
 
 	// Create a couple of test users to have data to sort
-	testutil.CreateTestUser(t, db, "alice", "alice@test.com", "password123")
-	testutil.CreateTestUser(t, db, "bob", "bob@test.com", "password123")
+	testutil.CreateTestUser(t, db, "alice", "alice@test.com", "Password123")
+	testutil.CreateTestUser(t, db, "bob", "bob@test.com", "Password123")
 
 	// Set up a minimal Echo instance with the admin handler
 	e := echo.New()
@@ -322,7 +322,7 @@ func TestE2E_SQLInjection_AdminSort_Blocked(t *testing.T) {
 // garbage receipt data does NOT upgrade the user to Pro tier.
 func TestE2E_IAP_InvalidReceipt_NoPro(t *testing.T) {
 	app := setupSecurityTest(t)
-	token, userID := app.registerAndLoginSec(t, "iapuser", "iap@test.com", "password123")
+	token, userID := app.registerAndLoginSec(t, "iapuser", "iap@test.com", "Password123")
 
 	// Create initial subscription (free tier)
 	sub := &models.UserSubscription{UserID: userID, Tier: models.TierFree}
@@ -352,7 +352,7 @@ func TestE2E_IAP_InvalidReceipt_NoPro(t *testing.T) {
 // updates both the completion record and the task's NextDueDate together (P1-5/P1-6).
 func TestE2E_CompletionTransaction_Atomic(t *testing.T) {
 	app := setupSecurityTest(t)
-	token, _ := app.registerAndLoginSec(t, "atomicuser", "atomic@test.com", "password123")
+	token, _ := app.registerAndLoginSec(t, "atomicuser", "atomic@test.com", "Password123")
 
 	// Create a residence
 	residenceBody := map[string]interface{}{"name": "Atomic Test House"}
@@ -423,7 +423,7 @@ func TestE2E_CompletionTransaction_Atomic(t *testing.T) {
 // on a recurring task recalculates NextDueDate back to the correct value (P1-7).
 func TestE2E_DeleteCompletion_RecalculatesNextDueDate(t *testing.T) {
 	app := setupSecurityTest(t)
-	token, _ := app.registerAndLoginSec(t, "recuruser", "recur@test.com", "password123")
+	token, _ := app.registerAndLoginSec(t, "recuruser", "recur@test.com", "Password123")
 
 	// Create a residence
 	residenceBody := map[string]interface{}{"name": "Recurring Test House"}
@@ -510,7 +510,7 @@ func TestE2E_DeleteCompletion_RecalculatesNextDueDate(t *testing.T) {
 // configured property limit.
 func TestE2E_TierLimits_Enforced(t *testing.T) {
 	app := setupSecurityTest(t)
-	token, userID := app.registerAndLoginSec(t, "tieruser", "tier@test.com", "password123")
+	token, userID := app.registerAndLoginSec(t, "tieruser", "tier@test.com", "Password123")
 
 	// Enable global limitations
 	app.DB.Where("1=1").Delete(&models.SubscriptionSettings{})
@@ -602,7 +602,7 @@ func TestE2E_AuthAssertion_NoPanics(t *testing.T) {
 // caps the limit parameter to 200 even if the client requests more.
 func TestE2E_NotificationLimit_Capped(t *testing.T) {
 	app := setupSecurityTest(t)
-	token, userID := app.registerAndLoginSec(t, "notifuser", "notif@test.com", "password123")
+	token, userID := app.registerAndLoginSec(t, "notifuser", "notif@test.com", "Password123")
 
 	// Create 210 notifications directly in the database
 	for i := 0; i < 210; i++ {