Harden booking, offering exposure, payments, and invites

Security fixes from a pen-test review (issues #31–#37):

- #31 Booking no longer trusts a client-supplied offering_id: a slot-tied
  offering is authoritative and any offering used must belong to the slot's
  instructor, closing a free/misrouted-payment bypass.
- #34 Availability slot creation rejects an offering the instructor does not
  own (AvailabilityEndpoint now takes OfferingRepository).
- #32 Offering/question/policy listing endpoints now require book_lesson
  instead of being public (no anonymous consumer exists); Offering::toArray
  also omits etransfer_email from listings as defense-in-depth.
- #33 Slots are claimed atomically (UPDATE ... WHERE is_booked = 0) before a
  lesson is inserted, preventing a double-booking race.
- #35 A single weekly booking is capped (MAX_WEEKLY_OCCURRENCES) and only
  creates lessons for slots it actually claimed.
- #36 Stripe secret/webhook keys are write-only in the settings UI and a blank
  submit keeps the stored value; secrets are never echoed back into HTML.
- #37 Pending invites expire after 14 days (Invite::isAcceptable), enforced at
  registration and surfaced on the admin invites list.

Adds BookingEndpointTest plus Invite/Offering/AvailabilityRepository coverage
and minimal WP_REST_Request/WP_REST_Response stubs. composer test (200),
lint, and cs all green.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

src/Payment/StudioSettings.php

@@ -73,9 +73,12 @@ class StudioSettings {
 			$this->save();
 		}
 
-		$publishableKey   = $this->publishableKey();
-		$secretKey        = $this->secretKey();
-		$webhookSecret    = $this->webhookSecret();
+		$publishableKey = $this->publishableKey();
+		// Secrets are write-only in the UI: never echo a stored secret back into the
+		// page. We only surface whether one is set so the field can be left blank to
+		// keep the existing value.
+		$secretKeySet     = '' !== $this->secretKey();
+		$webhookSecretSet = '' !== $this->webhookSecret();
 		$webhookUrl       = rest_url( 'us-scheduler/v1/payments/webhook' );
 		$mode             = $this->mode();
 		$currency         = $this->currency();
@@ -91,8 +94,16 @@ class StudioSettings {
 		// phpcs:disable WordPress.Security.NonceVerification.Missing
 		$mode = sanitize_key( wp_unslash( $_POST['mode'] ?? 'test' ) );
 		update_option( self::OPT_PUBLISHABLE, sanitize_text_field( wp_unslash( $_POST['publishable_key'] ?? '' ) ) );
-		update_option( self::OPT_SECRET, sanitize_text_field( wp_unslash( $_POST['secret_key'] ?? '' ) ) );
-		update_option( self::OPT_WEBHOOK_SECRET, sanitize_text_field( wp_unslash( $_POST['webhook_secret'] ?? '' ) ) );
+		// Secret fields are write-only: a blank submission keeps the stored secret,
+		// so an admin saving other settings never wipes the keys.
+		$secretKey = sanitize_text_field( wp_unslash( $_POST['secret_key'] ?? '' ) );
+		if ( '' !== $secretKey ) {
+			update_option( self::OPT_SECRET, $secretKey );
+		}
+		$webhookSecret = sanitize_text_field( wp_unslash( $_POST['webhook_secret'] ?? '' ) );
+		if ( '' !== $webhookSecret ) {
+			update_option( self::OPT_WEBHOOK_SECRET, $webhookSecret );
+		}
 		update_option( self::OPT_MODE, 'live' === $mode ? 'live' : 'test' );
 		update_option( self::OPT_CURRENCY, strtoupper( sanitize_text_field( wp_unslash( $_POST['currency'] ?? 'CAD' ) ) ) );
 		update_option( self::OPT_ETRANSFER_EMAIL, sanitize_email( wp_unslash( $_POST['etransfer_email'] ?? '' ) ) );