security: remove Change Email feature (leaked key = account hijack)

src/index.ts

@@ -12,7 +12,6 @@ import { healthRouter } from "./routes/health.js";
 import { signupRouter } from "./routes/signup.js";
 import { recoverRouter } from "./routes/recover.js";
 import { billingRouter } from "./routes/billing.js";
-import { emailChangeRouter } from "./routes/email-change.js";
 import { authMiddleware } from "./middleware/auth.js";
 import { usageMiddleware, loadUsageData } from "./middleware/usage.js";
 import { getUsageStats } from "./middleware/usage.js";
@@ -56,7 +55,6 @@ app.use((req, res, next) => {
   const isAuthBillingRoute = req.path.startsWith('/v1/signup') || 
                              req.path.startsWith('/v1/recover') || 
                              req.path.startsWith('/v1/billing') ||
-                             req.path.startsWith('/v1/email-change');
   
   if (isAuthBillingRoute) {
     res.setHeader("Access-Control-Allow-Origin", "https://docfast.dev");
@@ -97,7 +95,6 @@ app.use("/health", healthRouter);
 app.use("/v1/signup", signupRouter);
 app.use("/v1/recover", recoverRouter);
 app.use("/v1/billing", billingRouter);
-app.use("/v1/email-change", emailChangeRouter);
 
 // Authenticated routes — conversion routes get tighter body limits (500KB)
 const convertBodyLimit = express.json({ limit: "500kb" });
@@ -217,11 +214,6 @@ app.get("/terms", (_req, res) => {
   res.sendFile(path.join(__dirname, "../public/terms.html"));
 });
 
-app.get("/change-email", (_req, res) => {
-  res.setHeader('Cache-Control', 'public, max-age=3600');
-  res.sendFile(path.join(__dirname, "../public/change-email.html"));
-});
-
 app.get("/status", (_req, res) => {
   res.setHeader("Cache-Control", "public, max-age=60");
   res.sendFile(path.join(__dirname, "../public/status.html"));