P1 — change-tier UX, Zaprite webhook copy, self-tier guard, Lightning copy

Bundle of bugfixes from the P1 testing batch. None individually
huge; together they close several "tested it, hit a sharp edge"
items.

1. Change-tier modal — kill the paid path from UI
   The Apply-as-comp toggle is gone. Admin tier changes always
   apply as comp now. The reasoning (per Grant's testing): admin
   tier changes are operator-driven, payment has either already
   happened off-rails or it's a comp; the "admin generates
   invoice and forwards URL" flow is a tiny niche that just
   produces orphan invoices when the modal gets dismissed.
   Buyers who want to pay use the SDK's /v1/upgrade.
   The API path is unchanged for back-compat with scripted
   operators (skip_payment defaults to true here).

2. Change-tier modal — downgrade detection + warning banner
   Detects target.tier_rank < current.tier_rank (or price-diff
   when ranks aren't set), renders a yellow warning card listing
   the entitlements the buyer is about to lose, and confirms via
   browser dialog before submit. Operator sees what they're
   doing.

3. Self-tier guard on admin change-tier
   POST /v1/admin/licenses/<id>/change-tier rejects when <id>
   is the daemon's own self_license. Avoids the recursion Grant
   hit when trying to downgrade himself: the on-disk signed key
   is the source-of-truth at boot, so the DB tier_change just
   produces a half-applied state. Error message points at the
   right paths (re-mint via master Keysat OR rename
   /data/keysat-license.txt for testing). With the P0 self-tier
   live-refresh in place the recursion is now fully resolved
   anyway, but the guard is good belt-and-suspenders for
   operator clarity.

4. Zaprite webhook — full URL in copy + persistent action
   - The Connect Zaprite action now shows the EXACT
     https://your-keysat-url/v1/zaprite/webhook URL to paste
     into Zaprite's dashboard. Previous copy showed a
     placeholder "<your Keysat public URL>/...", which Zaprite's
     form rejects (it requires full https://). Daemon's
     /v1/admin/zaprite/connect now returns webhook_url; the
     action displays it.
   - New "Show Zaprite webhook setup" StartOS Action — operators
     who skipped the step on first connect, or who lost the
     output, can run this any time and get the URL again.
   - Full explainer of what webhooks unlock vs polling-only:
     "without webhooks, Keysat polls /v1/orders every 60s, so
     license issuance lags settle by up to a minute; with
     webhooks, ~1s." Lives on /v1/admin/zaprite/status response
     as `webhook_explainer` + in the action's display text.

5. Connect-while-connected short-circuit
   POST /v1/admin/zaprite/connect now returns 409 Conflict with a
   clear "already connected — disconnect first" message instead
   of silently overwriting an existing config. (BTCPay's
   start_connect already had this guard since the durable
   provider switch work.)

6. Lightning vs on-chain copy on the wait page
   /thank-you was hard-coded to "next block confirms" — wrong
   for Lightning payments (instant) and confusing in the common
   case where buyers paid via Lightning and saw a "waiting for
   block confirmation" message. Updated to: "Lightning settles
   in seconds; on-chain typically settles in 10-20 minutes (one
   block confirmation)." Method-aware copy (parsed from the
   provider's invoice payload) is a deeper fix but out of scope
   here — this gets the operator-facing accuracy right today.

Test count unchanged; all 77 still passing.

startos/actions/configureZaprite.ts

@@ -87,18 +87,89 @@ export const configureZaprite = sdk.Action.withInput(
       ok: true
       provider: string
       base_url: string
+      webhook_url: string
     }
     return {
       version: '1',
       title: 'Zaprite connected',
       message:
         `Active payment provider is now Zaprite (${body.base_url}).\n\n` +
-        `Next step: register a webhook in Zaprite's dashboard pointing at:\n` +
-        `<your Keysat public URL>/v1/zaprite/webhook\n\n` +
-        `Zaprite doesn't sign webhook deliveries; Keysat authenticates ` +
-        `each delivery via the externalUniqId we attach at order ` +
-        `creation, so a webhook configured to ANY URL on your daemon ` +
-        `is safe even without a shared secret.`,
+        `Next step — register a webhook in Zaprite's dashboard:\n` +
+        `1. Open app.zaprite.com → Settings → Webhooks → New webhook.\n` +
+        `2. Paste this URL exactly (full https://, not just the path):\n\n` +
+        `   ${body.webhook_url}\n\n` +
+        `3. Subscribe to order events (payment_received, settled, refunded).\n\n` +
+        `Why webhooks: without them, Keysat falls back to polling Zaprite's ` +
+        `/v1/orders every 60 seconds, so license issuance can lag a settle ` +
+        `event by up to a minute. With webhooks, Keysat issues the license ` +
+        `within ~1 second of payment.\n\n` +
+        `Security: Zaprite doesn't sign webhook deliveries. Keysat ` +
+        `authenticates each delivery via the externalUniqId we attach at ` +
+        `order creation, so a webhook configured to ANY URL on your daemon ` +
+        `is safe even without a shared secret.\n\n` +
+        `Lost this message? Run "Show Zaprite webhook setup" to see the URL again.`,
+      result: null,
+    }
+  },
+)
+
+/**
+ * Persistent surface for the webhook URL — operators who skipped the
+ * step on first connect, or who just want to verify which URL Zaprite
+ * should be posting to, run this and get the exact value to paste.
+ */
+export const showZapriteWebhookSetup = sdk.Action.withoutInput(
+  'show-zaprite-webhook-setup',
+  async () => ({
+    name: 'Show Zaprite webhook setup',
+    description:
+      "Display the full webhook URL to register in your Zaprite dashboard, " +
+      "plus an explanation of what webhooks do that polling doesn't. " +
+      "Useful if you skipped the step on first Connect.",
+    warning: null,
+    allowedStatuses: 'only-running',
+    group: 'Zaprite',
+    visibility: 'enabled',
+  }),
+  async ({ effects: _effects }) => {
+    const storeData = await store.read().once()
+    if (!storeData) throw new Error('Store not initialized — restart the service.')
+    const resp = await adminCall(
+      LICENSING_URL,
+      storeData.admin_api_key,
+      '/v1/admin/zaprite/status',
+      { method: 'GET' },
+    )
+    if (!resp.ok) {
+      throw new Error(
+        `Could not read status: HTTP ${resp.status} — ${await resp.text()}`,
+      )
+    }
+    const body = (await resp.json()) as {
+      connected: boolean
+      webhook_url: string
+      webhook_explainer: string
+    }
+    if (!body.connected) {
+      return {
+        version: '1',
+        title: 'Zaprite not connected',
+        message:
+          'Connect Zaprite first via the Connect Zaprite action. ' +
+          'Once connected, re-run this action to see the webhook URL ' +
+          'to register in your Zaprite dashboard.',
+        result: null,
+      }
+    }
+    return {
+      version: '1',
+      title: 'Zaprite webhook setup',
+      message:
+        `Paste this URL exactly into Zaprite's webhook form ` +
+        `(app.zaprite.com → Settings → Webhooks → New webhook):\n\n` +
+        `   ${body.webhook_url}\n\n` +
+        `Subscribe to order events (payment_received, settled, refunded).\n\n` +
+        body.webhook_explainer,
       result: null,
     }
   },