DemoApi OpenAPI templates are incomplete and inconsistent with generated API routes/controllers

[armanist]

Problem

DemoApi OpenAPI annotations in framework templates do not fully cover runtime API endpoints and contain mismatches in path params and request payload fields. As a result, generated spec.json is incomplete and partially inaccurate.

Scope

src/Module/Templates/DemoApi/src/Controllers/OpenApi/*

Current Gaps

1. Missing annotation coverage:

• PUT /api/account-settings/update
• PUT /api/account-settings/update-password
• POST /api/comments/create/{uuid}
• DELETE /api/comments/delete/{uuid}

2. Mismatched annotation fields/params:

• auth path params (activate_token, reset_token, otp_token) vs runtime (token, token, code)
• verify payload docs (otp_code) vs runtime payload (otp, code)
• forget payload docs (username) vs runtime payload (email)
• post-management path params (id) vs runtime (uuid)

3. Missing docs for posts query params:

• per_page, page, q

4. Invalid/legacy multipart file schema usage in some annotations (type=file instead of type=string, format=binary).

Acceptance Criteria

1. OpenAPI template coverage includes all routed DemoApi endpoints above.
2. Path params and request body fields match runtime controller+middleware behavior.
3. posts endpoint query params are documented.
4. Generated OpenAPI is valid and /api/docs loads without spec errors after php qt install:openapi Api.
5. Existing documented endpoints remain present (no regressions).

Validation Steps

1. Generate DemoApi module from updated templates (or update existing generated files).
2. Run php qt install:openapi Api.
3. Open /api/spec and verify all expected paths are present.
4. Open /api/docs and confirm no schema/render errors.
5. Spot-check request schemas for verify, forget, reset, amend, comment/account endpoints.

Notes

This is a template-source fix in quantum-php-core; project-level patching is not sufficient for long-term consistency.