In `@build.gradle`:
- Around line 49-55: Update the springdoc-openapi dependencies to the 3.0.x line
and add a Bouncy Castle override: replace the existing springdoc coordinates
(org.springdoc:springdoc-openapi-starter-webmvc-ui and
org.springdoc:springdoc-openapi-starter-webmvc-api currently at 2.8.13) with
3.0.0 (or latest 3.0.x) to be compatible with Spring Boot 4.0.x, and add an
explicit org.bouncycastle:bcpkix-jdk18on dependency at 1.79+ to override the
transitive Bouncy Castle pulled in by io.jsonwebtoken:jjwt-*
(jjwt-api/jjwt-impl/jjwt-jackson) and mitigate CVE-2025-8916.

In
`@src/main/java/ssurent/ssurentbe/common/exception/GlobalExceptionHandler.java`:
- Around line 12-17: The handler in
GlobalExceptionHandler.handleGeneralException currently casts e.getStatus() to
ErrorStatus which can throw ClassCastException at runtime; change the
implementation to avoid unsafe casting by checking e.getStatus() with instanceof
(or using a safe accessor) and handle non-ErrorStatus cases (e.g., map unknown
statuses to a default ErrorStatus or return a generic error response) before
calling BaseResponse.error; ensure you reference GeneralException.getStatus()
and ErrorStatus and produce a ResponseEntity with an appropriate HttpStatus for
fallback paths.

In `@src/main/java/ssurent/ssurentbe/common/jwt/JwtAuthenticationFilter.java`:
- Around line 42-44: JwtAuthenticationFilter currently unsafely casts
GeneralException.getStatus() to ErrorStatus in the catch block; update the
handling so the cast is safe by either (A) changing GeneralException to only
accept ErrorStatus in its constructor (and update usages) or (B) adding a
runtime check in JwtAuthenticationFilter (and similarly in
GlobalExceptionHandler) that tests if e.getStatus() instanceof ErrorStatus
before casting—if true, call sendErrorResponse(response, (ErrorStatus)
e.getStatus()); otherwise map/convert the BaseStatus to a safe ErrorStatus (or
use a default/generic error response) and log the unexpected status type. Ensure
you update both JwtAuthenticationFilter and GlobalExceptionHandler to follow the
same safe pattern.

In
`@src/main/java/ssurent/ssurentbe/common/security/CustomUserDetailsService.java`:
- Around line 22-31: loadUserByUsername currently only checks existence and
returns a UserDetails, allowing deleted/disabled accounts to authenticate;
update CustomUserDetailsService.loadUserByUsername to check the Users entity
flags (e.g., isDeleted() and getStatus()/status enum) after fetching from
userRepository and throw UsernameNotFoundException or a custom DisabledException
when the account is deleted or inactive. Ensure the exception uses a clear
ErrorStatus (or map to ErrorStatus.USER_NOT_FOUND or a new ErrorStatus for
disabled users) so getAuthentication() will reject such tokens, and keep
returning the Spring Security User with roles only for active users.

In `@src/main/java/ssurent/ssurentbe/domain/users/controller/AuthController.java`:
- Around line 41-43: AuthController.refresh currently unsafely extracts the
token with authorization.replace("Bearer ", "") which can NPE or return wrong
value; change it to the same safe parsing used by
JwtAuthenticationFilter.resolveToken — i.e., check for null/empty, verify the
header startsWith("Bearer "), then extract the substring after the prefix (or
call JwtAuthenticationFilter.resolveToken(authorization) if accessible) and
handle a missing/invalid token by returning an appropriate error (or throwing
the same exception path used elsewhere) before calling
authService.refresh(refreshToken).

In
`@src/main/java/ssurent/ssurentbe/domain/users/controller/docs/AuthApiDocs.java`:
- Around line 21-46: Create concrete wrapper response classes that extend
BaseResponse with the generic type parameter (e.g., class SignupResponse extends
BaseResponse<TokenResponse>, LoginResponse extends BaseResponse<TokenResponse>,
RefreshResponse extends BaseResponse<TokenResponse>) and update the
`@ApiResponse/`@Content annotations on the signup, login and refresh operations to
use `@Schema`(implementation = SignupResponse.class) / LoginResponse.class /
RefreshResponse.class respectively so springdoc-openapi can surface
TokenResponse fields (accessToken, refreshToken, tokenType) in Swagger; locate
the annotations around the methods named signup, login and the token refresh
operation and replace the existing `@Schema`(implementation = BaseResponse.class)
references with the new concrete classes.

In `@src/main/java/ssurent/ssurentbe/domain/users/dto/SignupRequest.java`:
- Around line 3-8: SignupRequest currently uses the record-generated toString
which exposes sensitive fields; override SignupRequest#toString to return a safe
representation that masks phoneNum and password (e.g., show only last 2-4
digits/characters or replace with fixed ********), keep non-sensitive fields
like name/studentNum readable if desired, and ensure the method is implemented
on the record itself so any logging/exception handling uses the masked output.

In `@src/main/java/ssurent/ssurentbe/domain/users/service/AuthService.java`:
- Around line 69-72: The if-check in AuthService.refresh around
jwtTokenProvider.validateToken(refreshToken) is dead because validateToken
throws GeneralException on invalid tokens; remove the if-block and either (a)
simply call jwtTokenProvider.validateToken(refreshToken) and let its exception
propagate, or (b) wrap the call in a try-catch that catches the thrown exception
and rethrows/translate it to ErrorStatus.JWT_INVALID for clearer control flow;
update the method to proceed to the rest of TokenResponse creation only after a
successful validateToken call.

In `@src/main/java/ssurent/ssurentbe/domain/users/enums/PanaltyTypes.java`:
- Around line 3-5: Add `@Enumerated`(EnumType.STRING) to the
UserPanaltyLog.panaltyType field so PanaltyTypes is persisted by name instead of
ordinal; update the PanaltyTypes enum definition (public enum PanaltyTypes) only
if needed to include any legacy constants (e.g., BANNED) to avoid
compile/runtime mismatches. Also add a DB migration that converts existing
ordinal values to their String names (e.g., rows where panalty_type = 2 ->
'BANNED', 1 -> 'UNAUTHORIZED_USE', 0 -> 'OVERDUE') and run it before deploying
the annotation change to prevent data corruption.