Payment Webhooks, Security Hardening & Production Config

Hardened payment webhook handling with signature verification and idempotent coordination with manual payment verification.

Shared payment finalisation logic for webhook and manual verification consistency, with duplicate side-effect protection.

New storage upload notices across KYC, profile, offering, and spender inspiration upload flows.

Explicit account deactivation flow and push notification token persistence in the production schema.

Payment and invite flows now use the live payment configuration and production app URL (https://app.cheqit.co.za).

Admin-only platform functions now require authenticated admin access instead of allowing public invocation.

Merchant and spender surfaces updated to remove unavailable in-app messaging affordances and unimplemented marketing preferences.

Notification registration now correctly persists push tokens across all relevant records.

Spender checkout and booking copy now reflects the non-refundable deposit rule.

Resolved the production mismatch between push-permission acceptance and token persistence.

Resolved database security findings around access policy configuration and hardening.

Corrected production/staging URL drift in invite and payment redirects.

Account deletion affordances replaced with deactivation-only behaviour for regulated transaction records.

Marketing-specific notification settings and inactive customer messaging entry points removed from the current product surface.