Protect payment creation endpoint#1962

Open
sodalone wants to merge 1 commit into SecureBananaLabs:main from sodalone:codex/protect-payment-creation

Conversation

@sodalone

Summary

  • require bearer authentication before creating payment intents
  • validate payment payloads with a Zod schema before calling the payment service
  • reject zero or invalid amounts with HTTP 400 while preserving the default usd currency for valid requests
  • add regression tests for unauthenticated access, invalid amount rejection, and successful authenticated payment creation

Validation

$ node --test apps\api\src\tests\*.test.js
pass 4
fail 0

$ git diff --check
(no output)

Note: the root npm test command still hits the existing API test-directory glob issue already covered separately by #1892, so this branch uses the explicit test glob above for validation.

Fixes #1959.

/claim #743
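The three checks the summary above describes, as an added framework-free sketch that is not the PR's code: bearer auth is checked first, then the payload is validated, and only then is the payment service called. A hand-written validator stands in for the Zod schema so the example has no dependencies; `verifyToken`, `paymentService`, the positive-integer amount rule and the `test-token` value are constructed assumptions.

```javascript
// Added example (not the PR's code). Request/response shapes are simplified to plain objects.

// Extract the token from an RFC 6750 style "Authorization: Bearer <token>" header.
function parseBearer(headers) {
  const value = headers.authorization || headers.Authorization || '';
  const match = /^Bearer\s+(\S+)$/.exec(value);
  return match ? match[1] : null;
}

// Stand-in for the Zod schema (assumption: amount is a positive integer in minor units,
// currency is an optional three-letter lowercase code defaulting to usd).
// Returns { ok: true, value } or { ok: false, errors }.
function validatePaymentPayload(body) {
  const errors = [];
  const amount = body && body.amount;
  if (!Number.isInteger(amount) || amount <= 0) {
    errors.push('amount must be a positive integer');
  }
  let currency = body && body.currency;
  if (currency === undefined) currency = 'usd';
  else if (typeof currency !== 'string' || !/^[a-z]{3}$/.test(currency)) {
    errors.push('currency must be a three-letter lowercase code');
  }
  return errors.length ? { ok: false, errors } : { ok: true, value: { amount, currency } };
}

// Handler returning { status, body }. Order matters: an unauthenticated caller never
// reaches payload parsing, and an invalid payload never reaches the payment service.
function createPayment(req, deps) {
  const token = parseBearer(req.headers || {});
  if (!token || !deps.verifyToken(token)) {
    return { status: 401, body: { error: 'unauthorized' } };
  }
  const result = validatePaymentPayload(req.body);
  if (!result.ok) return { status: 400, body: { errors: result.errors } };
  const intent = deps.paymentService.createIntent(result.value);
  return { status: 201, body: intent };
}

// Constructed dependencies so the example runs locally; a real deployment would verify
// the token against its issuer and call the actual payment provider here.
const deps = {
  verifyToken: (t) => t === 'test-token',
  paymentService: { createIntent: (p) => ({ id: 'pi_example', ...p }) },
};
```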

github-actions Bot added a commit that referenced this pull request May 30, 2026
@sodalone
Author

Validation transcript from this branch:

$ node --test apps\api\src\tests\*.test.js
pass 4
fail 0

$ git diff --check
(no output)

Coverage note: the regression tests verify that /api/payments returns 401 without a token, rejects a zero amount with HTTP 400, and creates a payment intent for an authenticated positive amount while preserving the default usd currency.


Development

Successfully merging this pull request may close these issues.

Payment creation should require auth and validate amounts
