feat(issue-108): support Stripe live mode

[JonasBaeumer]

Summary

Add mode detection and guard test-only code paths so the app works safely with both test and live Stripe keys. Key discovery: server-side virtual card reveal (expand: ['number', 'cvc']) works in both modes per Stripe docs — only checkout simulation needs guarding.

Closes #108

Type of change

• New feature
• Docs / config

Module(s) affected

• Contracts (src/contracts/)
• API Gateway (src/api/, src/app.ts)
• Payments (src/payments/)
• Tests / QA
• Docs / Tooling

Checklist

• npm test passes locally
• New or changed logic has unit tests
• Integration tests added/updated if DB or Redis is touched
• No PAN, CVC, or card expiry is logged or stored (security rule)
• No new cross-module file edits (used function imports instead)
• Types added/updated in src/contracts/ if shared across modules
• .env.example updated if new env vars are introduced

How to test

1. Run unit tests: npm test -- --testPathPattern=payments (119 tests, 11 suites)
2. Run all unit tests: npm test -- --testPathPattern="tests/unit" (364 tests, no regressions)
3. Smoke test live mode guard:
   • Set STRIPE_SECRET_KEY=sk_live_fake in .env
   • POST /v1/checkout/simulate with valid body → expect HTTP 422 with TestModeOnlyError message
   • GET /v1/agent/card/:intentId → should still work (virtual card reveal is not blocked)

Notes for reviewer

• The original issue assumed revealCard() was blocked in live mode. Investigation found this is incorrect for virtual cards — Stripe explicitly supports server-side expand: ['number', 'cvc'] for virtual cards in live mode. See issue comment for details.
• PCI-DSS Service Provider obligations may apply when generating virtual cards for end users. This is documented in the updated stripe.md rules but is a compliance decision, not a code blocker.
• Dual key support (STRIPE_TEST_KEY + STRIPE_LIVE_KEY) was considered but not implemented — auto-detection from the single key prefix is simpler and avoids mismatch bugs.