Persist payment-webhook dedup; declare BTCPay required; scope CORS

Replace the in-memory dedup Sets in the BTCPay and Zaprite webhook
handlers (and the BTCPay rescan path) with a persistent JSON-backed
store (server/webhook-dedup.js). The in-memory sets were cleared on
restart, so a duplicate webhook delivery straddling a relay restart
could double-credit (BTCPay) or double-extend a subscription (Zaprite).
The store atomically writes /data/processed-webhooks.json, namespaces
keys per rail (storeId|invoiceId vs zaprite:orderId), and prunes
entries older than 180 days (safely beyond any retry window).

Also:
- BTCPay is a required running dependency (operator decision). Config
  was already optional:false/kind:'running'; corrected the contradictory
  "optional" comment in the manifest to match.
- Scope cors() to /relay/* only — off /admin/* and the same-origin
  dashboard, which don't need permissive CORS.
- Add money-path unit tests (commitCredit/refundCredit/applyTierPromotion)
  and webhook-dedup tests (incl. the survives-a-restart guarantee).
- Fix two AGENTS.md auth-doc drifts; refresh Current state.

Version 0.2.125 -> 0.2.126.

server/routes/zaprite-webhook.js

@@ -15,16 +15,14 @@ import express from "express";
 import { extendUserTier } from "../credits.js";
 import { getZapriteConfig } from "../config.js";
 import { getOrder, isOrderPaid, orderIdFromWebhook } from "../zaprite-client.js";
+import { isWebhookProcessed, markWebhookProcessed } from "../webhook-dedup.js";
 
-// In-memory dedup of fully-processed orders (mirrors the BTCPay handler's
-// processedInvoices). Zaprite retries on non-200, and may fire multiple
-// events per order, so we guard the grant. Cleared on restart — a
-// re-delivered webhook after restart re-fetches + re-grants, but
-// extendUserTier is keyed per order via this set within a process; a
-// duplicate grant across a restart is the same harmless "extend by one
-// period" the operator-comp path already tolerates. (Acceptable: card
-// double-fires across a restart are vanishingly rare.)
-const processedZaprite = new Set();
+// Dedup of fully-processed orders (mirrors the BTCPay handler). Zaprite
+// retries on non-200, and may fire multiple events per order, so we
+// guard the grant. Backed by the persistent webhook-dedup store
+// (../webhook-dedup.js) so a re-delivered webhook straddling a relay
+// restart can't double-extend a subscription. Keys are namespaced
+// `zaprite:<orderId>` to share the store with the BTCPay rail.
 
 export function zapriteWebhookRouter() {
   const router = express.Router();
@@ -49,7 +47,7 @@ export function zapriteWebhookRouter() {
         return res.status(200).json({ ok: true, ignored: "no_order_id" });
       }
       const dedupKey = `zaprite:${orderId}`;
-      if (processedZaprite.has(dedupKey)) {
+      if (isWebhookProcessed(dedupKey)) {
         return res
           .status(200)
           .json({ ok: true, ignored: "already_processed", orderId });
@@ -91,7 +89,7 @@ export function zapriteWebhookRouter() {
 
       const meta = order.metadata || {};
       if (meta.product !== "recap_tier_subscription") {
-        processedZaprite.add(dedupKey);
+        await markWebhookProcessed(dedupKey);
         return res
           .status(200)
           .json({ ok: true, ignored: "not_a_tier_order", orderId });
@@ -100,7 +98,7 @@ export function zapriteWebhookRouter() {
       const subTier = meta.tier;
       const periodDays = Number(meta.period_days) || 30;
       if (!subUserId || (subTier !== "pro" && subTier !== "max")) {
-        processedZaprite.add(dedupKey);
+        await markWebhookProcessed(dedupKey);
         return res
           .status(200)
           .json({ ok: true, ignored: "bad_tier_metadata", orderId });
@@ -112,7 +110,7 @@ export function zapriteWebhookRouter() {
           tier: subTier,
           periodDays,
         });
-        processedZaprite.add(dedupKey);
+        await markWebhookProcessed(dedupKey);
         console.log(
           `[zaprite/webhook] ${subTier} +${periodDays}d for user ${subUserId.slice(0, 8)}… (order ${orderId}) → expires ${row.subscription_expires_at}`,
         );