honeyDueAPI/audit-digest-8.md
Trey t 7690f07a2b Harden API security: input validation, safe auth extraction, new tests, and deploy config
Comprehensive security hardening from audit findings:
- Add validation tags to all DTO request structs (max lengths, ranges, enums)
- Replace unsafe type assertions with MustGetAuthUser helper across all handlers
- Remove query-param token auth from admin middleware (prevents URL token leakage)
- Add request validation calls in handlers that were missing c.Validate()
- Remove goroutines in handlers (timezone update now synchronous)
- Add sanitize middleware and path traversal protection (path_utils)
- Stop resetting admin passwords on migration restart
- Warn on well-known default SECRET_KEY
- Add ~30 new test files covering security regressions, auth safety, repos, and services
- Add deploy/ config, audit digests, and AUDIT_FINDINGS documentation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-02 09:48:01 -06:00


# Digest 8: repositories (remaining), router, services (first half)
### repositories/user_repo.go - Standard GORM CRUD
### repositories/webhook_event_repo.go - Webhook event storage
### router/router.go - Route registration wiring
### services/apple_auth.go - Apple Sign In JWT validation
### services/auth_service.go - Token management, password hashing, email verification
### services/cache_service.go - Redis caching for lookups
### services/contractor_service.go - Contractor CRUD via repository
### services/document_service.go - Document management
### services/email_service.go - SMTP email sending
### services/google_auth.go - Google OAuth token validation
### services/iap_validation.go - Apple/Google receipt validation
### services/notification_service.go - Push notifications, preferences
### services/onboarding_email_service.go (371 lines)
- **ARCHITECTURE**: Direct *gorm.DB access — bypasses repository layer entirely
- Line 43-46: HasSentEmail ignores the Count error; on a failed query the count stays 0, the email is treated as never sent, and may be sent again
- Line 128-133: GetEmailStats ignores 4 Count errors
- Line 170: Raw SQL references "auth_user" table
- Line 354: Delete error silently ignored
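The HasSentEmail Count finding above, as an added example that is not code from honeyDueAPI or from the audit: a minimal reproduction of the pattern with an in-memory store and a recording mailer standing in for GORM and SMTP (both assumed for this example, as are all names below). It shows how a discarded Count error turns a database hiccup into a duplicate send, beside a version that fails closed.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// sentEmailStore stands in for the GORM-backed table the service queries.
// The interface, memStore and fakeMailer are assumptions made for this example.
type sentEmailStore interface {
	CountSent(ctx context.Context, userID uint, kind string) (int64, error)
	RecordSent(ctx context.Context, userID uint, kind string) error
}

// memStore is an in-memory stand-in; failCount simulates a database error on
// the count query, which is exactly the case the digest is concerned with.
type memStore struct {
	sent      map[string]int64
	failCount bool
}

func storeKey(userID uint, kind string) string { return fmt.Sprintf("%d:%s", userID, kind) }

func (m *memStore) CountSent(_ context.Context, userID uint, kind string) (int64, error) {
	if m.failCount {
		// Like a failed GORM Count, the out value is left at zero.
		return 0, errors.New("simulated database error")
	}
	return m.sent[storeKey(userID, kind)], nil
}

func (m *memStore) RecordSent(_ context.Context, userID uint, kind string) error {
	m.sent[storeKey(userID, kind)]++
	return nil
}

// fakeMailer records deliveries instead of talking SMTP.
type fakeMailer struct{ deliveries []string }

func (f *fakeMailer) Send(userID uint, kind string) {
	f.deliveries = append(f.deliveries, storeKey(userID, kind))
}

// hasSentEmailUnchecked reproduces the flagged pattern: the Count error is
// discarded, so a failed query (count stays 0) reads as "never sent".
func hasSentEmailUnchecked(ctx context.Context, store sentEmailStore, userID uint, kind string) bool {
	count, _ := store.CountSent(ctx, userID, kind)
	return count > 0
}

// hasSentEmail propagates the error so the caller can fail closed.
func hasSentEmail(ctx context.Context, store sentEmailStore, userID uint, kind string) (bool, error) {
	count, err := store.CountSent(ctx, userID, kind)
	if err != nil {
		return false, fmt.Errorf("count sent emails for user %d: %w", userID, err)
	}
	return count > 0, nil
}

// sendOnceUnchecked is the flawed flow: during an outage it re-sends.
func sendOnceUnchecked(ctx context.Context, store sentEmailStore, mailer *fakeMailer, userID uint, kind string) error {
	if hasSentEmailUnchecked(ctx, store, userID, kind) {
		return nil
	}
	mailer.Send(userID, kind)
	return store.RecordSent(ctx, userID, kind)
}

// sendOnce fails closed: when the deduplication check cannot be trusted,
// nothing is sent and the error surfaces to the caller.
func sendOnce(ctx context.Context, store sentEmailStore, mailer *fakeMailer, userID uint, kind string) error {
	sent, err := hasSentEmail(ctx, store, userID, kind)
	if err != nil {
		return err
	}
	if sent {
		return nil
	}
	mailer.Send(userID, kind)
	return store.RecordSent(ctx, userID, kind)
}

// simulateOutage sends the same onboarding email twice for one user, the second
// time while the count query is failing. It returns the delivery counts of the
// unchecked and checked flows and the checked flow's error.
func simulateOutage() (uncheckedDeliveries, checkedDeliveries int, checkedErr error) {
	ctx := context.Background()
	const userID, kind = 42, "welcome"
	uStore, uMailer := &memStore{sent: map[string]int64{}}, &fakeMailer{}
	_ = sendOnceUnchecked(ctx, uStore, uMailer, userID, kind)
	uStore.failCount = true
	_ = sendOnceUnchecked(ctx, uStore, uMailer, userID, kind)
	cStore, cMailer := &memStore{sent: map[string]int64{}}, &fakeMailer{}
	_ = sendOnce(ctx, cStore, cMailer, userID, kind)
	cStore.failCount = true
	checkedErr = sendOnce(ctx, cStore, cMailer, userID, kind)
	return len(uMailer.deliveries), len(cMailer.deliveries), checkedErr
}

func main() {
	u, c, err := simulateOutage()
	fmt.Printf("unchecked flow delivered %d, checked flow delivered %d (err: %v)\n", u, c, err)
}
```

The same shape applies to the GetEmailStats and Delete findings in this file: a dropped error leaves the out value at its zero value, and the caller then acts on a number that was never read from the database.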
### services/pdf_service.go (179 lines)
- **BUG**: Line 131-133: Byte-level truncation of the title (string sliced at a byte offset) can cut inside a multi-byte UTF-8 sequence, producing invalid UTF-8 for CJK text and emoji
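The truncation finding above, as an added example (not pdf_service.go code): the naive byte slice beside two rune-safe alternatives, one that keeps a byte budget and backs up to a rune boundary, and one that keeps a rune count. The function names and the sample titles are constructed for this example.

```go
package main

import (
	"fmt"
	"unicode/utf8"
)

// truncateBytes reproduces the flagged pattern: slicing at a byte offset,
// which can land inside a multi-byte UTF-8 sequence.
func truncateBytes(s string, maxBytes int) string {
	if len(s) <= maxBytes {
		return s
	}
	return s[:maxBytes]
}

// truncateBytesSafe keeps a byte budget (useful when the limit is storage or
// layout driven) but backs the cut point up to the nearest rune start, so the
// result is always valid UTF-8 when the input was.
func truncateBytesSafe(s string, maxBytes int) string {
	if len(s) <= maxBytes {
		return s
	}
	cut := maxBytes
	for cut > 0 && !utf8.RuneStart(s[cut]) {
		cut--
	}
	return s[:cut]
}

// truncateRunes keeps at most maxRunes characters, which is usually what a
// "title length" limit means to a user. Ranging over a string yields the byte
// offset of each rune start, so the slice never splits a rune.
func truncateRunes(s string, maxRunes int) string {
	if utf8.RuneCountInString(s) <= maxRunes {
		return s
	}
	n := 0
	for i := range s {
		if n == maxRunes {
			return s[:i]
		}
		n++
	}
	return s
}

func main() {
	// Constructed sample titles: CJK (3 bytes per rune), emoji (4 bytes), ASCII.
	titles := []string{"日本語のタイトル", "Report 🔥🔥", "plain ascii title"}
	for _, t := range titles {
		naive := truncateBytes(t, 10)
		fmt.Printf("%q: naive=%q valid=%v safe=%q runes=%q\n",
			t, naive, utf8.ValidString(naive), truncateBytesSafe(t, 10), truncateRunes(t, 5))
	}
}
```

Which of the two safe variants is right depends on what the limit in pdf_service.go is protecting: a renderer or column width wants the byte budget, a user-facing "max N characters" rule wants the rune count.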
### services/residence_service.go (648 lines)
- Line 155: TODO comment — subscription tier limit check commented out (free tier bypass)
- Line 447-450: Empty if block — DeactivateShareCode error completely ignored
- Line 625: Status only set for in-progress tasks; all others have empty string