feat: wire up swagger-jsdoc dynamic spec, delete static openapi.json

- Create src/swagger.ts config module for swagger-jsdoc
- Add GET /openapi.json dynamic route (generated from @openapi annotations)
- Delete static public/openapi.json (was drifting from code)
- Add @openapi annotation for deprecated /v1/signup/free in index.ts
- Import swaggerSpec into index.ts
- All 12 endpoints now code-driven: demo/html, demo/markdown, convert/html,
  convert/markdown, convert/url, templates, templates/{id}/render,
  recover, recover/verify, billing/checkout, signup/free, health

dist/routes/recover.js

@@ -12,6 +12,46 @@ const recoverLimiter = rateLimit({
     standardHeaders: true,
     legacyHeaders: false,
 });
+/**
+ * @openapi
+ * /v1/recover:
+ *   post:
+ *     tags: [Account]
+ *     summary: Request API key recovery
+ *     description: |
+ *       Sends a 6-digit verification code to the email address if an account exists.
+ *       Response is always the same regardless of whether the email exists (to prevent enumeration).
+ *       Rate limited to 3 requests per hour.
+ *     requestBody:
+ *       required: true
+ *       content:
+ *         application/json:
+ *           schema:
+ *             type: object
+ *             required: [email]
+ *             properties:
+ *               email:
+ *                 type: string
+ *                 format: email
+ *                 description: Email address associated with the API key
+ *     responses:
+ *       200:
+ *         description: Recovery code sent (or no-op if email not found)
+ *         content:
+ *           application/json:
+ *             schema:
+ *               type: object
+ *               properties:
+ *                 status:
+ *                   type: string
+ *                   example: recovery_sent
+ *                 message:
+ *                   type: string
+ *       400:
+ *         description: Invalid email format
+ *       429:
+ *         description: Too many recovery attempts
+ */
 router.post("/", recoverLimiter, async (req, res) => {
     const { email } = req.body || {};
     if (!email || typeof email !== "string" || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
@@ -31,6 +71,52 @@ router.post("/", recoverLimiter, async (req, res) => {
     });
     res.json({ status: "recovery_sent", message: "If an account exists for this email, a verification code has been sent." });
 });
+/**
+ * @openapi
+ * /v1/recover/verify:
+ *   post:
+ *     tags: [Account]
+ *     summary: Verify recovery code and retrieve API key
+ *     description: Verifies the 6-digit code sent via email and returns the API key if valid. Code expires after 15 minutes.
+ *     requestBody:
+ *       required: true
+ *       content:
+ *         application/json:
+ *           schema:
+ *             type: object
+ *             required: [email, code]
+ *             properties:
+ *               email:
+ *                 type: string
+ *                 format: email
+ *               code:
+ *                 type: string
+ *                 pattern: '^\d{6}$'
+ *                 description: 6-digit verification code
+ *     responses:
+ *       200:
+ *         description: API key recovered
+ *         content:
+ *           application/json:
+ *             schema:
+ *               type: object
+ *               properties:
+ *                 status:
+ *                   type: string
+ *                   example: recovered
+ *                 apiKey:
+ *                   type: string
+ *                   description: The recovered API key
+ *                 tier:
+ *                   type: string
+ *                   enum: [free, pro]
+ *       400:
+ *         description: Invalid verification code or missing fields
+ *       410:
+ *         description: Verification code expired
+ *       429:
+ *         description: Too many failed attempts
+ */
 router.post("/verify", recoverLimiter, async (req, res) => {
     const { email, code } = req.body || {};
     if (!email || !code) {