feat: add endorsement endpoints and deprecate /api/content/verify

[jt55401]

Summary

• Implements spec §2.5 endorsement storage and serving (POST/GET/DELETE /api/endorsements).
• Marks POST /api/content/verify deprecated per spec §3.1 — cryptographic verification is a local operation in clients; the trust directory's job is to store and serve signed artifacts, not act as an oracle.
• Existing sign/verify behavior unchanged; only metadata signaling that verify is no longer canonical.

Endorsement endpoints

• POST /api/endorsements — stores a signed endorsement blob, optionally re-verifying server-side as a sanity check (clients MUST NOT rely on this; verification is local per spec).
• GET /api/endorsements?content-hash=... — returns stored blobs verbatim for clients to verify locally.
• DELETE /api/endorsements/:id — MVP-gated on the existing API key; TODO for keyid-match auth.
• Endorsement model with unique compound index on {contentHash, endorser}.

Deprecation signaling

• Deprecation: true and Link: <https://htmltrust.dev/spec#section-3-1>; rel="deprecation" headers.
• deprecated: true in openapi.yaml.
• README documents the deprecation and points to local verification.

Test plan

• npm install clean, 0 vulnerabilities
• node src/server.js boots cleanly with new routes mounted
• openapi.yaml parses; new paths/schemas/tag and the deprecated flag verify in the parsed structure
• Smoke tests against a running Mongo (no test framework configured in this repo):

  curl 'http://localhost:3000/api/endorsements?content-hash=sha256:abc'
  curl -X POST http://localhost:3000/api/endorsements \
    -H 'Content-Type: application/json' -H "X-API-KEY: $GENERAL_API_KEY" \
    -d '{"endorser":"did:web:publisher.org","contentHash":"sha256:abc","signature":"BASE64SIG","timestamp":"2025-05-01T00:00:00Z"}'
  curl -i -X POST http://localhost:3000/api/content/verify -H 'Content-Type: application/json' -d '{}'  # expect Deprecation: true

🤖 Generated with Claude Code