Harden booking, offering exposure, payments, and invites

Security fixes from a pen-test review (issues #31–#37):

- #31 Booking no longer trusts a client-supplied offering_id: a slot-tied
  offering is authoritative and any offering used must belong to the slot's
  instructor, closing a free/misrouted-payment bypass.
- #34 Availability slot creation rejects an offering the instructor does not
  own (AvailabilityEndpoint now takes OfferingRepository).
- #32 Offering/question/policy listing endpoints now require book_lesson
  instead of being public (no anonymous consumer exists); Offering::toArray
  also omits etransfer_email from listings as defense-in-depth.
- #33 Slots are claimed atomically (UPDATE ... WHERE is_booked = 0) before a
  lesson is inserted, preventing a double-booking race.
- #35 A single weekly booking is capped (MAX_WEEKLY_OCCURRENCES) and only
  creates lessons for slots it actually claimed.
- #36 Stripe secret/webhook keys are write-only in the settings UI and a blank
  submit keeps the stored value; secrets are never echoed back into HTML.
- #37 Pending invites expire after 14 days (Invite::isAcceptable), enforced at
  registration and surfaced on the admin invites list.

Adds BookingEndpointTest plus Invite/Offering/AvailabilityRepository coverage
and minimal WP_REST_Request/WP_REST_Response stubs. composer test (200),
lint, and cs all green.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

src/Offering/Offering.php

@@ -68,10 +68,14 @@ class Offering {
 	/**
 	 * Returns a plain array representation of the offering.
 	 *
+	 * The e-transfer destination email is a private payment-routing detail, so it
+	 * is only included when $includeEtransferEmail is true (e.g. manager-only
+	 * responses). The public offerings listing must omit it.
+	 *
 	 * @return array<string, mixed>
 	 */
-	public function toArray(): array {
-		return [
+	public function toArray( bool $includeEtransferEmail = true ): array {
+		$out = [
 			'id'               => $this->id,
 			'instructor_id'    => $this->instructorId,
 			'kind'             => $this->kind,
@@ -86,8 +90,13 @@ class Offering {
 			'term_start'       => $this->termStart,
 			'term_end'         => $this->termEnd,
 			'schedule_note'    => $this->scheduleNote,
-			'etransfer_email'  => $this->etransferEmail,
 			'is_active'        => $this->isActive,
 		];
+
+		if ( $includeEtransferEmail ) {
+			$out['etransfer_email'] = $this->etransferEmail;
+		}
+
+		return $out;
 	}
 }

src/Offering/OfferingEndpoint.php

@@ -17,7 +17,7 @@ class OfferingEndpoint {
 				[
 					'methods'             => \WP_REST_Server::READABLE,
 					'callback'            => [ $this, 'index' ],
-					'permission_callback' => '__return_true',
+					'permission_callback' => [ $this, 'canBook' ],
 					'args'                => [
 						'instructor_id' => [
 							'type'    => 'integer',
@@ -62,7 +62,8 @@ class OfferingEndpoint {
 			activeOnly: true,
 		);
 
-		return new \WP_REST_Response( array_map( fn( Offering $o ) => $o->toArray(), $offerings ), 200 );
+		// Public listing: omit the private e-transfer destination email.
+		return new \WP_REST_Response( array_map( fn( Offering $o ) => $o->toArray( includeEtransferEmail: false ), $offerings ), 200 );
 	}
 
 	public function create( \WP_REST_Request $request ): \WP_REST_Response|\WP_Error {
@@ -171,6 +172,15 @@ class OfferingEndpoint {
 		return is_user_logged_in() && current_user_can( RoleManager::CAP_MANAGE_OFFERINGS );
 	}
 
+	/**
+	 * Reading the offerings catalogue is only needed by the logged-in student
+	 * booking flow, so it requires the same capability as booking — there is no
+	 * anonymous consumer.
+	 */
+	public function canBook(): bool {
+		return is_user_logged_in() && current_user_can( RoleManager::CAP_BOOK_LESSON );
+	}
+
 	/**
 	 * An offering may be changed by its owning instructor or by a studio admin
 	 * (identified by the studio-only manage_instructors capability).