Harden booking, offering exposure, payments, and invites

Security fixes from a pen-test review (issues #31–#37):

- #31 Booking no longer trusts a client-supplied offering_id: a slot-tied
  offering is authoritative and any offering used must belong to the slot's
  instructor, closing a free/misrouted-payment bypass.
- #34 Availability slot creation rejects an offering the instructor does not
  own (AvailabilityEndpoint now takes OfferingRepository).
- #32 Offering/question/policy listing endpoints now require book_lesson
  instead of being public (no anonymous consumer exists); Offering::toArray
  also omits etransfer_email from listings as defense-in-depth.
- #33 Slots are claimed atomically (UPDATE ... WHERE is_booked = 0) before a
  lesson is inserted, preventing a double-booking race.
- #35 A single weekly booking is capped (MAX_WEEKLY_OCCURRENCES) and only
  creates lessons for slots it actually claimed.
- #36 Stripe secret/webhook keys are write-only in the settings UI and a blank
  submit keeps the stored value; secrets are never echoed back into HTML.
- #37 Pending invites expire after 14 days (Invite::isAcceptable), enforced at
  registration and surfaced on the admin invites list.

Adds BookingEndpointTest plus Invite/Offering/AvailabilityRepository coverage
and minimal WP_REST_Request/WP_REST_Response stubs. composer test (200),
lint, and cs all green.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

src/Auth/Invite.php

@@ -16,6 +16,12 @@ class Invite {
 	 */
 	public const VALID_STATUSES = [ self::STATUS_PENDING, self::STATUS_ACCEPTED, self::STATUS_REVOKED ];
 
+	/**
+	 * Days a pending invite remains usable after it is created. Limits the window
+	 * in which a leaked or forwarded invitation link can be redeemed.
+	 */
+	public const EXPIRY_DAYS = 14;
+
 	public function __construct(
 		public readonly string $email,
 		public readonly string $token,
@@ -24,6 +30,7 @@ class Invite {
 		public readonly ?int $invitedBy = null,
 		public readonly ?int $acceptedUserId = null,
 		public readonly ?string $acceptedAt = null,
+		public readonly ?string $createdAt = null,
 		public readonly ?int $id = null,
 	) {}
 
@@ -36,6 +43,7 @@ class Invite {
 			invitedBy:      null !== $row->invited_by ? (int) $row->invited_by : null,
 			acceptedUserId: null !== $row->accepted_user_id ? (int) $row->accepted_user_id : null,
 			acceptedAt:     $row->accepted_at,
+			createdAt:      $row->created_at ?? null,
 			id:             (int) $row->id,
 		);
 	}
@@ -44,6 +52,32 @@ class Invite {
 		return self::STATUS_PENDING === $this->status;
 	}
 
+	/**
+	 * Whether the invite was created more than {@see EXPIRY_DAYS} ago, measured
+	 * against the supplied current `Y-m-d H:i:s` timestamp. An invite with no
+	 * known creation time is treated as not expired.
+	 */
+	public function isExpired( string $now ): bool {
+		if ( null === $this->createdAt ) {
+			return false;
+		}
+
+		$created = strtotime( $this->createdAt );
+		$current = strtotime( $now );
+		if ( false === $created || false === $current ) {
+			return false;
+		}
+
+		return ( $current - $created ) > self::EXPIRY_DAYS * 86400;
+	}
+
+	/**
+	 * Whether this invite can still be redeemed: pending and not expired.
+	 */
+	public function isAcceptable( string $now ): bool {
+		return $this->isPending() && ! $this->isExpired( $now );
+	}
+
 	/**
 	 * Returns a plain array representation of the invite.
 	 *