fix(BUG-106): DB fallback for downgradeByCustomer and recover route

- downgradeByCustomer now queries DB when key not in memory cache,
  preventing cancelled customers from keeping Pro access in multi-pod setups
- recover/verify endpoint falls back to DB lookup when cache miss on email
- Added TDD tests for both fallback paths (4 new tests)

src/routes/recover.ts

@@ -3,6 +3,7 @@ import rateLimit from "express-rate-limit";
 import { createPendingVerification, verifyCode } from "../services/verification.js";
 import { sendVerificationEmail } from "../services/email.js";
 import { getAllKeys } from "../services/keys.js";
+import { queryWithRetry } from "../services/db.js";
 import logger from "../services/logger.js";
 
 const router = Router();
@@ -143,8 +144,27 @@ router.post("/verify", recoverLimiter, async (req: Request, res: Response) => {
   switch (result.status) {
     case "ok": {
       const keys = getAllKeys();
-      const userKey = keys.find(k => k.email === cleanEmail);
+      let userKey = keys.find(k => k.email === cleanEmail);
       
+      // DB fallback: cache may be stale in multi-replica setups
+      if (!userKey) {
+        logger.info({ email: cleanEmail }, "recover verify: cache miss, falling back to DB");
+        const dbResult = await queryWithRetry(
+          "SELECT key, tier, email, created_at, stripe_customer_id FROM api_keys WHERE email = $1 LIMIT 1",
+          [cleanEmail]
+        );
+        if (dbResult.rows.length > 0) {
+          const row = dbResult.rows[0];
+          userKey = {
+            key: row.key,
+            tier: row.tier as "free" | "pro",
+            email: row.email,
+            createdAt: row.created_at instanceof Date ? row.created_at.toISOString() : row.created_at,
+            stripeCustomerId: row.stripe_customer_id || undefined,
+          };
+        }
+      }
+
       if (userKey) {
         res.json({
           status: "recovered",