Security & robustness hardening pass

Cross-cutting input-validation, isolation, and DoS-resistance fixes across
the app, API, billing, queue, and infra layers.

- Runtime validation (zod) for client-supplied admin actions (role/plan/
  limits), series generation index, and all pg-boss queue payloads
- Auth: require email verification before sign-in; reject weak/placeholder/
  short BETTER_AUTH_SECRET in production
- Billing: sanitize Stripe/PayPal errors (log server-side, generic to client);
  race-safe subscription upsert; only count "processed" webhook events as
  handled; verify org membership in getEffectivePlan to block plan escalation
- Series generation: reserve usage up front and refund on failure; bill the
  owning org, not the caller's active org
- Injection defenses: HTML-escape user fields in emails, strip CR/LF from
  subject/recipient, validate ElevenLabs voiceId before URL interpolation
- Media routes: stream off disk instead of buffering whole files; rate-limit
  anonymous public audio/cover endpoints by client IP

app/(app)/billing/actions.ts

@@ -20,8 +20,12 @@ import type { PlanKey } from "@/lib/billing/plans";
 
 type ActionResult = { ok: true; url?: string } | { ok: false; error: string };
 
+// Billing calls hit upstream providers (Stripe/PayPal) whose error messages can
+// contain sensitive/verbose detail. Log the real error server-side, but return a
+// single generic message to the client so nothing upstream leaks to end users.
 function errMsg(e: unknown): string {
-  return e instanceof Error ? e.message : "Something went wrong";
+  console.error("[billing] action failed", e);
+  return "Something went wrong with billing. Please try again.";
 }
 
 export async function startStripeCheckoutAction(