fix: OpenAPI spec accuracy — hide internal endpoints, mark signup/verify deprecated

- Remove @openapi annotations from /v1/billing/webhook (Stripe-internal)
- Remove @openapi annotations from /v1/billing/success (browser redirect)
- Mark /v1/signup/verify as deprecated (returns 410)
- Add 3 TDD tests in openapi-spec.test.ts
- Update 2 existing tests in app-routes.test.ts
- 530 tests passing (was 527)

src/__tests__/app-routes.test.ts

@@ -106,14 +106,12 @@ describe("App-level routes", () => {
       expect(spec.paths["/v1/signup/verify"].post).toBeDefined();
     });
 
-    it("includes GET /v1/billing/success", () => {
-      expect(spec.paths["/v1/billing/success"]).toBeDefined();
-      expect(spec.paths["/v1/billing/success"].get).toBeDefined();
+    it("excludes GET /v1/billing/success (browser redirect, not public API)", () => {
+      expect(spec.paths["/v1/billing/success"]).toBeUndefined();
     });
 
-    it("includes POST /v1/billing/webhook", () => {
-      expect(spec.paths["/v1/billing/webhook"]).toBeDefined();
-      expect(spec.paths["/v1/billing/webhook"].post).toBeDefined();
+    it("excludes POST /v1/billing/webhook (internal Stripe endpoint)", () => {
+      expect(spec.paths["/v1/billing/webhook"]).toBeUndefined();
     });
   });
 

src/__tests__/openapi-spec.test.ts

@@ -0,0 +1,18 @@
+import { describe, it, expect } from "vitest";
+import { swaggerSpec } from "../swagger.js";
+
+describe("OpenAPI spec accuracy", () => {
+  const spec = swaggerSpec as any;
+
+  it("should NOT include /v1/billing/webhook (internal Stripe endpoint)", () => {
+    expect(spec.paths).not.toHaveProperty("/v1/billing/webhook");
+  });
+
+  it("should NOT include /v1/billing/success (browser redirect page)", () => {
+    expect(spec.paths).not.toHaveProperty("/v1/billing/success");
+  });
+
+  it("should mark /v1/signup/verify as deprecated", () => {
+    expect(spec.paths["/v1/signup/verify"]?.post?.deprecated).toBe(true);
+  });
+});