- refactor: move HTTP status and DTO concerns out of model and service
layers into API and handler code.
- feat: add admin service boundary and route auth through services
instead of direct repository access.
- test: add architecture and error tests covering package boundaries,
redaction, and service behavior.
- docs: record the protocol-neutral boundary decision and update
architecture and roadmap notes.
AdminRequired gates admin endpoints by checking user IsAdmin flag.
Placed AFTER AuthRequired; fetches user from repository, returns 403 for non-admins.
Soft-deleted users are rejected with 401 since FindByID excludes them.
Tests: admin passes, non-admin forbidden, soft-deleted admin rejected, missing user ID.
Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-openagent)
Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
- Fix: replace repeated authorization checks in handlers with the new
MustGetUserID helper, which panics if the user ID is missing. This
simplifies handler code by eliminating redundant error handling.
- Tests: update auth tests to verify the panic behavior in unprotected
routes.
- Add TokenType enum and include in Claims struct
- GenerateRefreshToken now creates tokens with TokenRefresh type
- AuthRequired middleware rejects refresh tokens
- AuthService.Refresh validates token type
- Tests verify type validation