Add live Stripe card charges (PaymentIntent + Elements + webhook)

Completes the deferred half of payments: real credit-card processing on
top of the existing ledger/e-transfer/comp foundation.

- StripeGateway wraps stripe/stripe-php: creates idempotent PaymentIntents
  (amount in cents, registration ids in metadata) and verifies webhook
  signatures. Stripe calls sit behind protected seams for unit testing.
- PaymentService::createIntent resolves the client-side step for a new
  registration (card → client secret; e-transfer → display data; comp →
  none) with caller-ownership enforcement.
- PaymentService::handleWebhook finalises a payment exactly once on
  payment_intent.succeeded (mark paid → confirm → receipt) and marks it
  failed on payment_intent.payment_failed.
- PaymentEndpoint: POST /payments/intent (book_lesson) and public,
  signature-verified POST /payments/webhook.
- PaymentRepository: setStripeIntentId / findByStripeIntentId.
- StudioSettings: us_stripe_webhook_secret option, with the webhook URL
  and required events surfaced on the settings page.
- Front end: shared payment.js mounts Stripe Payment Elements and confirms
  the card (or shows e-transfer instructions); Stripe.js enqueued only when
  configured. Wired into booking and group-class flows.

Tests: new StripeGatewayTest; PaymentService card-intent + webhook cases;
repository coverage. composer test/lint/cs all green.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

src/ShortcodeRegistrar.php

@@ -8,6 +8,7 @@ use Unsupervised\Schedular\Auth\LoginPage;
 use Unsupervised\Schedular\Auth\RegistrationPage;
 use Unsupervised\Schedular\Booking\BookingPage;
 use Unsupervised\Schedular\GroupClass\GroupClassPage;
+use Unsupervised\Schedular\Payment\StudioSettings;
 use Unsupervised\Schedular\Policy\AcceptanceRepository;
 use Unsupervised\Schedular\Policy\PolicyRepository;
 use Unsupervised\Schedular\Policy\PolicyVersionRepository;
@@ -43,15 +44,31 @@ class ShortcodeRegistrar {
 	public function enqueueAssets(): void {
 		wp_register_style( 'us-scheduler', USC_PLUGIN_URL . 'assets/css/frontend.css', [], USC_VERSION );
 
+		$settings = new StudioSettings();
+
+		// Stripe.js (loaded from Stripe's CDN per their terms) only when card billing
+		// is available; the payment helper degrades to e-transfer messaging without it.
+		$paymentDeps = [];
+		if ( $settings->isStripeConfigured() ) {
+			// Stripe pins the version in the URL path (/v3/) and forbids self-hosting,
+			// so no query-string version applies here.
+			wp_register_script( 'us-scheduler-stripe', 'https://js.stripe.com/v3/', [], null, true ); // phpcs:ignore WordPress.WP.EnqueuedResourceParameters.MissingVersion
+			$paymentDeps[] = 'us-scheduler-stripe';
+		}
+
+		wp_register_script( 'us-scheduler-payment', USC_PLUGIN_URL . 'assets/js/payment.js', $paymentDeps, USC_VERSION, true );
+
 		$data = [
-			'restUrl' => rest_url( 'us-scheduler/v1/' ),
-			'nonce'   => wp_create_nonce( 'wp_rest' ),
+			'restUrl'   => rest_url( 'us-scheduler/v1/' ),
+			'nonce'     => wp_create_nonce( 'wp_rest' ),
+			'stripeKey' => $settings->publishableKey(),
 		];
 
-		wp_register_script( 'us-scheduler', USC_PLUGIN_URL . 'assets/js/booking.js', [], USC_VERSION, true );
-		wp_localize_script( 'us-scheduler', 'usScheduler', $data );
+		// Attach the shared config to the payment helper so it is defined before the
+		// booking/group scripts (which depend on it) run.
+		wp_localize_script( 'us-scheduler-payment', 'usScheduler', $data );
 
-		wp_register_script( 'us-scheduler-group', USC_PLUGIN_URL . 'assets/js/group-classes.js', [], USC_VERSION, true );
-		wp_localize_script( 'us-scheduler-group', 'usScheduler', $data );
+		wp_register_script( 'us-scheduler', USC_PLUGIN_URL . 'assets/js/booking.js', [ 'us-scheduler-payment' ], USC_VERSION, true );
+		wp_register_script( 'us-scheduler-group', USC_PLUGIN_URL . 'assets/js/group-classes.js', [ 'us-scheduler-payment' ], USC_VERSION, true );
 	}
 }