fix(security): remediate 2026-05-12 audit findings (Stages 2–5)

Remediation of the 2026-05-12/13 audits (78 findings + cluster gaps),
tracked in deploy-k3s/SECURITY.md, plus fixes from two independent
post-remediation reviews.

Auth & sessions:
- SHA-256 hashed auth-token storage (C1); prior-token cache eviction on
  re-login (MEDIUM-1)
- local Google JWKS verification, iss/aud/exp checks (C2/C3)
- constant-time login + generic errors (L1/LIVE-L11/LIVE-L13)
- per-account login lockout keyed on distinct source IPs (M5/MEDIUM-3)
- verified-email gating, login rate limiting (LIVE-L19, H1-H3)

IAP & webhooks:
- Apple/Google cross-account replay protection (C5/C6/C10/C13, H5/H6)
- migrations 000003-000006 (token hashing, IAP replay, audit_log +
  webhook_event_log table creation, append-only audit log)

Authorization & races:
- file-ownership owner-OR-member fix (C7), atomic share-code join
  (C9/H9), device-token reassignment (C8/LOW-3)

Secrets & deploy:
- secrets file-mounted at /etc/honeydue/secrets, not env (F8); Redis
  password out of the ConfigMap (HIGH-1); B2 keys reconciled
- digest-pinned images, admin ingress hardening, CSP/HSTS, /metrics
  lockdown; kubeconfig 0600, etcd secrets-encryption, fail2ban +
  unattended-upgrades at provision; secret-rotation runbook

Build, vet, and the full test suite (incl. -race) pass; the goose
migration chain is verified against PostgreSQL 16.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

internal/services/residence_service.go

@@ -559,30 +559,22 @@ func (s *ResidenceService) GenerateSharePackage(ctx context.Context, residenceID
 	}, nil
 }
 
-// JoinWithCode allows a user to join a residence using a share code
+// JoinWithCode allows a user to join a residence using a share code.
+// Audit C9/H9: the code lookup, membership add, and one-time-code
+// deactivation run as a single locked transaction in the repository, so a
+// code can never be redeemed twice and a deactivation failure aborts the join.
 func (s *ResidenceService) JoinWithCode(ctx context.Context, code string, userID uint) (*responses.JoinResidenceResponse, error) {
-	// Find the share code
-	shareCode, err := s.residenceRepo.WithContext(ctx).FindShareCodeByCode(code)
+	residenceID, alreadyMember, err := s.residenceRepo.WithContext(ctx).JoinWithShareCode(code, userID)
 	if err != nil {
 		if errors.Is(err, gorm.ErrRecordNotFound) {
 			return nil, apperrors.NotFound("error.share_code_invalid")
 		}
 		return nil, apperrors.Internal(err)
 	}
-
-	// Check if already a member
-	hasAccess, err := s.residenceRepo.WithContext(ctx).HasAccess(shareCode.ResidenceID, userID)
-	if err != nil {
-		return nil, apperrors.Internal(err)
-	}
-	if hasAccess {
+	if alreadyMember {
 		return nil, apperrors.Conflict("error.user_already_member")
 	}
 
-	// Add user to residence
-	if err := s.residenceRepo.WithContext(ctx).AddUser(shareCode.ResidenceID, userID); err != nil {
-		return nil, apperrors.Internal(err)
-	}
 	if s.cache != nil {
 		// The joining user's residence-IDs cache is now stale, and their
 		// subscription status now reflects an extra residence with all of its
@@ -591,15 +583,8 @@ func (s *ResidenceService) JoinWithCode(ctx context.Context, code string, userID
 		_ = s.cache.InvalidateSubscriptionStatusForUsers(ctx, userID)
 	}
 
-	// Mark share code as used (one-time use)
-	if err := s.residenceRepo.WithContext(ctx).DeactivateShareCode(shareCode.ID); err != nil {
-		// Log the error but don't fail the join - the user has already been added
-		// The code will just be usable by others until it expires
-		log.Error().Err(err).Uint("code_id", shareCode.ID).Msg("Failed to deactivate share code after join")
-	}
-
 	// Get the residence with full details
-	residence, err := s.residenceRepo.WithContext(ctx).FindByID(shareCode.ResidenceID)
+	residence, err := s.residenceRepo.WithContext(ctx).FindByID(residenceID)
 	if err != nil {
 		return nil, apperrors.Internal(err)
 	}