Security & robustness hardening pass

Cross-cutting input-validation, isolation, and DoS-resistance fixes across
the app, API, billing, queue, and infra layers.

- Runtime validation (zod) for client-supplied admin actions (role/plan/
  limits), series generation index, and all pg-boss queue payloads
- Auth: require email verification before sign-in; reject weak/placeholder/
  short BETTER_AUTH_SECRET in production
- Billing: sanitize Stripe/PayPal errors (log server-side, generic to client);
  race-safe subscription upsert; only count "processed" webhook events as
  handled; verify org membership in getEffectivePlan to block plan escalation
- Series generation: reserve usage up front and refund on failure; bill the
  owning org, not the caller's active org
- Injection defenses: HTML-escape user fields in emails, strip CR/LF from
  subject/recipient, validate ElevenLabs voiceId before URL interpolation
- Media routes: stream off disk instead of buffering whole files; rate-limit
  anonymous public audio/cover endpoints by client IP

app/(admin)/admin/actions.ts

@@ -1,6 +1,7 @@
 "use server";
 
 import { revalidatePath } from "next/cache";
+import { z } from "zod";
 import { Prisma } from "@prisma/client";
 import { getServerSession } from "@/lib/auth/guards";
 import { prisma } from "@/lib/db";
@@ -43,8 +44,13 @@ export async function banUserAction(userId: string, ban: boolean): Promise<{ ok:
 export async function setRoleAction(userId: string, role: "admin" | "user"): Promise<{ ok: boolean; error?: string }> {
   const s = await adminSession();
   if (!s) return { ok: false, error: "Not allowed." };
-  await prisma.user.update({ where: { id: userId }, data: { role } });
-  await audit(s.user.id, "user.role", userId, { role });
+  // Don't trust the TS union at runtime — reject anything outside the allowed set.
+  const parsedRole = z.enum(["admin", "user"]).safeParse(role);
+  if (!parsedRole.success) return { ok: false, error: "Invalid role." };
+  // Self-guard: an admin must not demote/remove their own admin role and lock out.
+  if (userId === s.user.id) return { ok: false, error: "You can't change your own role." };
+  await prisma.user.update({ where: { id: userId }, data: { role: parsedRole.data } });
+  await audit(s.user.id, "user.role", userId, { role: parsedRole.data });
   revalidatePath("/admin/users");
   return { ok: true };
 }
@@ -87,6 +93,16 @@ export async function compPlanAction(
   const s = await adminSession();
   if (!s) return { ok: false, error: "Not allowed." };
 
+  // Validate the client-supplied plan/interval at runtime, not just via the TS union.
+  const parsed = z
+    .object({
+      plan: z.enum(["creator", "pro", "agency"]),
+      interval: z.enum(["month", "year"]),
+    })
+    .safeParse({ plan, interval });
+  if (!parsed.success) return { ok: false, error: "Invalid plan or interval." };
+  ({ plan, interval } = parsed.data);
+
   const now = new Date();
   const periodEnd = new Date(now.getTime() + (interval === "year" ? 365 : 30) * DAY_MS);
 
@@ -309,26 +325,65 @@ export interface PlanUpdateInput {
   };
 }
 
+// A monthly metric cap: a finite integer that is either a real non-negative cap
+// or UNLIMITED (-1). Mirrors the canonical PlanLimits shape in lib/billing/plans.ts.
+const quotaCap = z.number().int().gte(-1);
+// Counts that can't be "unlimited": must be finite non-negative integers.
+const nonNegInt = z.number().int().nonnegative();
+
+// Validate the limits object against the known keys only — `.strict()` rejects
+// extra/unknown keys so a client can't mass-assign arbitrary JSON into the column.
+const planLimitsSchema = z
+  .object({
+    script: quotaCap,
+    audio: quotaCap,
+    art: quotaCap,
+    repurpose: quotaCap,
+    seats: nonNegInt,
+    maxEpisodeMinutes: nonNegInt,
+  })
+  .strict();
+
+const planUpdateSchema = z.object({
+  key: z.string().min(1),
+  priceMonthly: z.number().int().nonnegative(),
+  priceYearly: z.number().int().nonnegative(),
+  limits: planLimitsSchema,
+});
+
 /** Override a plan's price/limits in the DB (an override on lib/billing/plans.ts). */
 export async function updatePlanAction(key: string, input: PlanUpdateInput): Promise<ActionResult> {
   const s = await adminSession();
   if (!s) return { ok: false, error: "Not allowed." };
 
-  const existing = await prisma.plan.findUnique({ where: { key } });
+  // Validate ALL client args (key + prices + limits) before touching the DB so
+  // nothing unvalidated reaches the JSON column. Prices arrive as cents; round
+  // to ints first to keep the existing tolerance for fractional input.
+  const parsed = planUpdateSchema.safeParse({
+    key,
+    priceMonthly: Math.round(input.priceMonthly),
+    priceYearly: Math.round(input.priceYearly),
+    limits: input.limits,
+  });
+  if (!parsed.success) {
+    return { ok: false, error: parsed.error.issues[0]?.message ?? "Invalid plan input." };
+  }
+
+  const existing = await prisma.plan.findUnique({ where: { key: parsed.data.key } });
   if (!existing) return { ok: false, error: "Plan not found." };
 
   await prisma.plan.update({
-    where: { key },
+    where: { key: parsed.data.key },
     data: {
-      priceMonthly: Math.max(0, Math.round(input.priceMonthly)),
-      priceYearly: Math.max(0, Math.round(input.priceYearly)),
-      limits: input.limits as unknown as Prisma.InputJsonValue,
+      priceMonthly: parsed.data.priceMonthly,
+      priceYearly: parsed.data.priceYearly,
+      limits: parsed.data.limits as unknown as Prisma.InputJsonValue,
     },
   });
 
-  await audit(s.user.id, "plan.update", key, {
-    priceMonthly: input.priceMonthly,
-    priceYearly: input.priceYearly,
+  await audit(s.user.id, "plan.update", parsed.data.key, {
+    priceMonthly: parsed.data.priceMonthly,
+    priceYearly: parsed.data.priceYearly,
   });
   revalidatePath("/admin/settings");
   return { ok: true };