docs(billing): fix stale JSDoc + test comment after marker-bump fix

- adminUpdatePlanOnly JSDoc now reflects that lastSubscriptionEvent* markers
  are bumped (per V8-C3 fix) — the old text said "Never touches … markers"
- markUnpaid V8-C3 test comment: was "invoice.payment_failed" but the guard
  and markers are subscription-family; corrected to "customer.subscription.updated"

Author: PierreBrisorgueil

modules/billing/repositories/billing.subscription.repository.js

@@ -274,16 +274,19 @@ const updateIfEventNewer = (id, eventCreatedAt, eventId, fields, family = 'subsc
 
 /**
  * @function adminUpdatePlanOnly
- * @description Restricted admin update — sets ONLY `plan` and `adminUpdatedAt`. Never touches
- *              `status`, `stripeCustomerId`, `stripeSubscriptionId`, `currentPeriodStart`, or
- *              the per-family event-ordering markers. Webhook handlers retain exclusive write
- *              authority on those fields via `updateIfEventNewer`.
+ * @description Restricted admin update — sets ONLY `plan`, `adminUpdatedAt`, and the
+ *              subscription-family event-ordering markers. Never touches `status`,
+ *              `stripeCustomerId`, `stripeSubscriptionId`, or `currentPeriodStart`.
  *
  *              Why this restriction matters: a free `update()` call with `{ plan, status }` from
  *              an admin path would overwrite Stripe-driven status (active/past_due/etc.) with
  *              whatever the admin sent, breaking dunning + access control. Splitting the surface
  *              forces admin overrides to plan-only territory.
  *
+ *              The subscription-family markers (`lastSubscriptionEvent*`) are bumped so a
+ *              subsequent stale Stripe webhook redelivery (customer.subscription.*) cannot
+ *              overwrite the admin plan change via `updateIfEventNewer`.
+ *
  * @param {string} id - Subscription ObjectId (string).
  * @param {string} planId - The new plan identifier (must be in config.billing.plans enum).
  * @param {string} adminUserId - The admin user ObjectId (string) who triggered the bump (for audit).

modules/billing/tests/billing.subscription.repository.unit.tests.js

@@ -418,7 +418,7 @@ describe('BillingSubscriptionRepository unit tests:', () => {
   describe('markUnpaid — V8-C3 event-ordering markers', () => {
     const threshold = new Date(Date.now() - 14 * 24 * 60 * 60 * 1000);
 
-    // V8 audit C3 — markUnpaid must bump markers so a stale invoice.payment_failed
+    // V8 audit C3 — markUnpaid must bump markers so a stale customer.subscription.updated
     // redelivery cannot restore 'past_due' after the dunning sweep set 'unpaid'.
     test('V8-C3: bumps lastSubscriptionEventCreatedAt + lastSubscriptionEventId so stale webhook is rejected', async () => {
       const updated = { _id: subId, status: 'unpaid', plan: 'free' };