feat: merchant API key auth for POST /payments and GET /payments

[Nexha-dev]

Summary

Closes #9

Every write and list endpoint was unauthenticated. This PR adds Bearer token auth backed by hashed API keys, with merchant-scoped payment visibility.

Changes

src/db.rs

• Add merchants table creation to migrate() (id, api_key_hash, created_at)
• create_merchant(id, raw_key) — hashes key with SHA-256, stores digest only
• find_merchant_by_key(raw_key) — hashes input and looks up matching merchant id

src/api/mod.rs

• POST /merchants — provisions a merchant, returns one-time api_key
• auth_middleware — validates Authorization: Bearer <key>, injects AuthenticatedMerchant extension
• Route layering: auth applied only to POST /payments and GET /payments; GET /payments/:id and webhook routes stay public

src/api/payments.rs

• create and list handlers extract merchant id from AuthenticatedMerchant extension (no free-text field)
• list scopes DB query to authenticated merchant

tests/api_tests.rs

• test_unauthenticated_create_returns_401
• test_unauthenticated_list_returns_401
• test_invalid_api_key_returns_401
• test_merchant_list_scoped_to_own_payments
• Existing tests updated to provision a merchant and pass the Bearer token

Acceptance criteria

• Unauthenticated POST /payments → 401
• Unauthenticated GET /payments → 401
• A merchant only sees its own payments in GET /payments
• GET /payments/:id remains public (status polling without a key)