Harden booking, offering exposure, payments, and invites

Security fixes from a pen-test review (issues #31–#37):

- #31 Booking no longer trusts a client-supplied offering_id: a slot-tied
  offering is authoritative and any offering used must belong to the slot's
  instructor, closing a free/misrouted-payment bypass.
- #34 Availability slot creation rejects an offering the instructor does not
  own (AvailabilityEndpoint now takes OfferingRepository).
- #32 Offering/question/policy listing endpoints now require book_lesson
  instead of being public (no anonymous consumer exists); Offering::toArray
  also omits etransfer_email from listings as defense-in-depth.
- #33 Slots are claimed atomically (UPDATE ... WHERE is_booked = 0) before a
  lesson is inserted, preventing a double-booking race.
- #35 A single weekly booking is capped (MAX_WEEKLY_OCCURRENCES) and only
  creates lessons for slots it actually claimed.
- #36 Stripe secret/webhook keys are write-only in the settings UI and a blank
  submit keeps the stored value; secrets are never echoed back into HTML.
- #37 Pending invites expire after 14 days (Invite::isAcceptable), enforced at
  registration and surfaced on the admin invites list.

Adds BookingEndpointTest plus Invite/Offering/AvailabilityRepository coverage
and minimal WP_REST_Request/WP_REST_Response stubs. composer test (200),
lint, and cs all green.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

tests/bootstrap.php

@@ -14,6 +14,57 @@ define('USC_PLUGIN_FILE', dirname(__DIR__) . '/unsupervised-schedular.php');
 define('USC_PLUGIN_DIR', dirname(__DIR__) . '/');
 define('USC_PLUGIN_URL', 'http://example.com/wp-content/plugins/unsupervised-schedular/');
 
+// Minimal WP_REST_Request stub: a simple parameter bag.
+if (! class_exists('WP_REST_Request')) {
+    class WP_REST_Request
+    {
+        /** @param array<string, mixed> $params */
+        public function __construct(private array $params = [])
+        {
+        }
+
+        public function get_param(string $key): mixed
+        {
+            return $this->params[$key] ?? null;
+        }
+
+        public function set_param(string $key, mixed $value): void
+        {
+            $this->params[$key] = $value;
+        }
+
+        public function get_body(): string
+        {
+            return (string) ($this->params['__body'] ?? '');
+        }
+
+        public function get_header(string $key): string
+        {
+            return (string) ($this->params[$key] ?? '');
+        }
+    }
+}
+
+// Minimal WP_REST_Response stub exposing the data and status.
+if (! class_exists('WP_REST_Response')) {
+    class WP_REST_Response
+    {
+        public function __construct(public mixed $data = null, public int $status = 200)
+        {
+        }
+
+        public function get_data(): mixed
+        {
+            return $this->data;
+        }
+
+        public function get_status(): int
+        {
+            return $this->status;
+        }
+    }
+}
+
 // Minimal WP_Error stub for code under test that returns error objects.
 if (! class_exists('WP_Error')) {
     class WP_Error