Security & robustness hardening pass

Cross-cutting input-validation, isolation, and DoS-resistance fixes across
the app, API, billing, queue, and infra layers.

- Runtime validation (zod) for client-supplied admin actions (role/plan/
  limits), series generation index, and all pg-boss queue payloads
- Auth: require email verification before sign-in; reject weak/placeholder/
  short BETTER_AUTH_SECRET in production
- Billing: sanitize Stripe/PayPal errors (log server-side, generic to client);
  race-safe subscription upsert; only count "processed" webhook events as
  handled; verify org membership in getEffectivePlan to block plan escalation
- Series generation: reserve usage up front and refund on failure; bill the
  owning org, not the caller's active org
- Injection defenses: HTML-escape user fields in emails, strip CR/LF from
  subject/recipient, validate ElevenLabs voiceId before URL interpolation
- Media routes: stream off disk instead of buffering whole files; rate-limit
  anonymous public audio/cover endpoints by client IP

prisma/schema.prisma

@@ -211,8 +211,16 @@ model Subscription {
   updatedAt DateTime @updatedAt
 
   @@index([referenceId])
-  @@index([stripeSubscriptionId])
-  @@index([paypalSubscriptionId])
+  // Provider subscription ids are unique so concurrent/replayed webhooks can't
+  // create duplicate rows (atomic upsert keys on these). Nullable: Postgres
+  // treats multiple NULLs as distinct, so existing free/null rows are unaffected.
+  // @@unique already creates a backing index, so no separate @@index is needed.
+  // MIGRATION REQUIRED: these new @@unique constraints must be generated and
+  // applied separately by the operator (`prisma migrate dev` / `migrate deploy`).
+  // The migration will FAIL if duplicate non-null values already exist in the
+  // table — de-dupe those rows first before applying.
+  @@unique([stripeSubscriptionId])
+  @@unique([paypalSubscriptionId])
   @@index([status])
   @@index([createdAt])
   @@map("subscription")