Add live Stripe card charges (PaymentIntent + Elements + webhook)

Completes the deferred half of payments: real credit-card processing on
top of the existing ledger/e-transfer/comp foundation.

- StripeGateway wraps stripe/stripe-php: creates idempotent PaymentIntents
  (amount in cents, registration ids in metadata) and verifies webhook
  signatures. Stripe calls sit behind protected seams for unit testing.
- PaymentService::createIntent resolves the client-side step for a new
  registration (card → client secret; e-transfer → display data; comp →
  none) with caller-ownership enforcement.
- PaymentService::handleWebhook finalises a payment exactly once on
  payment_intent.succeeded (mark paid → confirm → receipt) and marks it
  failed on payment_intent.payment_failed.
- PaymentEndpoint: POST /payments/intent (book_lesson) and public,
  signature-verified POST /payments/webhook.
- PaymentRepository: setStripeIntentId / findByStripeIntentId.
- StudioSettings: us_stripe_webhook_secret option, with the webhook URL
  and required events surfaced on the settings page.
- Front end: shared payment.js mounts Stripe Payment Elements and confirms
  the card (or shows e-transfer instructions); Stripe.js enqueued only when
  configured. Wired into booking and group-class flows.

Tests: new StripeGatewayTest; PaymentService card-intent + webhook cases;
repository coverage. composer test/lint/cs all green.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

tests/Unit/Payment/StripeGatewayTest.php

@@ -0,0 +1,111 @@
+<?php
+declare(strict_types=1);
+
+namespace Unsupervised\Schedular\Tests\Unit\Payment;
+
+use Mockery;
+use Unsupervised\Schedular\Payment\Payment;
+use Unsupervised\Schedular\Payment\StripeGateway;
+use Unsupervised\Schedular\Payment\StudioSettings;
+use Unsupervised\Schedular\Tests\Unit\TestCase;
+
+class StripeGatewayTest extends TestCase
+{
+    private StudioSettings $settings;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+
+        $this->settings = Mockery::mock(StudioSettings::class);
+    }
+
+    private function partialGateway(): StripeGateway
+    {
+        return Mockery::mock(StripeGateway::class, [$this->settings])
+            ->makePartial()
+            ->shouldAllowMockingProtectedMethods();
+    }
+
+    private function payment(): Payment
+    {
+        return new Payment(5, 3, Payment::REG_LESSON, 12, 35.00, 'CAD', Payment::METHOD_CARD, Payment::STATUS_PENDING, id: 90);
+    }
+
+    public function testCreateIntentReturnsNullWhenNotConfigured(): void
+    {
+        $this->settings->shouldReceive('isStripeConfigured')->andReturn(false);
+
+        $gateway = new StripeGateway($this->settings);
+
+        self::assertNull($gateway->createIntent($this->payment()));
+    }
+
+    public function testCreateIntentSendsAmountInCentsAndReturnsIntent(): void
+    {
+        $this->settings->shouldReceive('isStripeConfigured')->andReturn(true);
+
+        $intent  = \Stripe\PaymentIntent::constructFrom(['id' => 'pi_1', 'client_secret' => 'cs_1']);
+        $gateway = $this->partialGateway();
+        $gateway->shouldReceive('paymentIntentsCreate')
+            ->once()
+            ->with(
+                Mockery::on(static fn (array $p): bool => $p['amount'] === 3500
+                    && $p['currency'] === 'cad'
+                    && $p['metadata']['payment_id'] === '90'),
+                Mockery::on(static fn (array $o): bool => $o['idempotency_key'] === 'usc-payment-90')
+            )
+            ->andReturn($intent);
+
+        self::assertSame('pi_1', $gateway->createIntent($this->payment())->id);
+    }
+
+    public function testCreateIntentReturnsNullOnStripeError(): void
+    {
+        $this->settings->shouldReceive('isStripeConfigured')->andReturn(true);
+
+        $gateway = $this->partialGateway();
+        $gateway->shouldReceive('paymentIntentsCreate')->once()->andThrow(new \RuntimeException('declined'));
+
+        self::assertNull($gateway->createIntent($this->payment()));
+    }
+
+    public function testVerifyWebhookReturnsNullWithoutSecret(): void
+    {
+        $this->settings->shouldReceive('webhookSecret')->andReturn('');
+
+        $gateway = new StripeGateway($this->settings);
+
+        self::assertNull($gateway->verifyWebhook('{}', 'sig'));
+    }
+
+    public function testVerifyWebhookReturnsNullWithoutSignatureHeader(): void
+    {
+        $this->settings->shouldReceive('webhookSecret')->andReturn('whsec_123');
+
+        $gateway = new StripeGateway($this->settings);
+
+        self::assertNull($gateway->verifyWebhook('{}', ''));
+    }
+
+    public function testVerifyWebhookReturnsNullOnInvalidSignature(): void
+    {
+        $this->settings->shouldReceive('webhookSecret')->andReturn('whsec_123');
+
+        $gateway = $this->partialGateway();
+        $gateway->shouldReceive('constructEvent')->once()->andThrow(new \RuntimeException('bad signature'));
+
+        self::assertNull($gateway->verifyWebhook('{}', 'sig'));
+    }
+
+    public function testVerifyWebhookReturnsEventOnSuccess(): void
+    {
+        $this->settings->shouldReceive('webhookSecret')->andReturn('whsec_123');
+
+        $event   = \Stripe\Event::constructFrom(['type' => 'payment_intent.succeeded']);
+        $gateway = $this->partialGateway();
+        $gateway->shouldReceive('constructEvent')->once()->with('{payload}', 'sig', 'whsec_123')->andReturn($event);
+
+        self::assertSame('payment_intent.succeeded', $gateway->verifyWebhook('{payload}', 'sig')->type);
+    }
+}