fix: OpenAPI spec accuracy — hide internal endpoints, mark signup/verify deprecated

- Remove @openapi annotations from /v1/billing/webhook (Stripe-internal)
- Remove @openapi annotations from /v1/billing/success (browser redirect)
- Mark /v1/signup/verify as deprecated (returns 410)
- Add 3 TDD tests in openapi-spec.test.ts
- Update 2 existing tests in app-routes.test.ts
- 530 tests passing (was 527)

dist/routes/templates.js

@@ -3,6 +3,7 @@ import { renderPdf } from "../services/browser.js";
 import logger from "../services/logger.js";
 import { templates, renderTemplate } from "../services/templates.js";
 import { sanitizeFilename } from "../utils/sanitize.js";
+import { validatePdfOptions } from "../utils/pdf-options.js";
 export const templatesRouter = Router();
 /**
  * @openapi
@@ -146,11 +147,20 @@ templatesRouter.post("/:id/render", async (req, res) => {
             });
             return;
         }
+        // Validate PDF options from underscore-prefixed fields (BUG-103)
+        const pdfOpts = {};
+        if (data._format !== undefined)
+            pdfOpts.format = data._format;
+        if (data._margin !== undefined)
+            pdfOpts.margin = data._margin;
+        const validation = validatePdfOptions(pdfOpts);
+        if (!validation.valid) {
+            res.status(400).json({ error: validation.error });
+            return;
+        }
+        const sanitizedPdf = { format: "A4", ...validation.sanitized };
         const html = renderTemplate(id, data);
-        const pdf = await renderPdf(html, {
-            format: data._format || "A4",
-            margin: data._margin,
-        });
+        const { pdf, durationMs } = await renderPdf(html, sanitizedPdf);
         const filename = sanitizeFilename(data._filename || `${id}.pdf`);
         res.setHeader("Content-Type", "application/pdf");
         res.setHeader("Content-Disposition", `inline; filename="${filename}"`);