- Add ConsumeTOTPRecoveryCode to UserRepository for atomic read-verify-update
- Update TOTPService.VerifyTOTP to prefer atomic consumption when available
- Update AuthService.verifyTOTPCodeOrRecoveryCode with same pattern
- Fix critical bug: ConsumeTOTPRecoveryCode now correctly returns consumed=false on mismatch
- Maintain backward compatibility: falls back to non-atomic path if repo doesn't implement interface
- Add comprehensive unit tests for atomic consumption path
Refs: review-fix-closure-2026-05-28 TOTP recovery code atomicity
P0-01: Add ESCAPE clause to LIKE queries in operation_log.go and device.go
P0-02: Add atomic Increment to L1Cache and L2Cache interfaces
P0-07: Add TOTP verification step after password login
P1-01: Sanitize error messages in error.go middleware
P1-03: Remove err.Error() from export error messages
P1-04: Add error return to CountByResultSince in login_log.go
P1-05: Add transactional DeleteCascade to RoleRepository
P1-06: Add PasswordChangedAt tracking for JWT token invalidation
P1-07: Wrap theme SetDefault in database transaction
P1-08: Use config values for database pool parameters
P1-09: Add rows.Err() checks in social_account_repo.go
P1-10: Validate sortOrder with map in user.go ORDER BY
P1-11: Add GORM tags to Announcement struct
P1-15: Add pageSize upper limit (100) to device and log handlers
Cursor pagination now only applies when sorting by created_at.
Other sort fields (username, last_login_time, updated_at) will
not use cursor pagination to prevent data inconsistency.
Fixes: UserRepository.ListCursor() allowing sort fields that
don't match the cursor predicate.
- AssignRoles: wrap DeleteByUserID + BatchCreate in DB transaction (P1)
- GetUserRoles: use GetByIDs batch query instead of per-role GetByID loop (N+1 fix)
- ListAdmins: use GetByIDs batch query instead of per-user GetByID loop (N+1 fix)
- Add WithTx/DB methods to UserRoleRepository for transaction support
- Add GetByIDs to UserRepository (batch user lookup)
- Add .gitattributes to normalize line endings to LF (P2)
