feat(payments): add distributed advisory lock for concurrent checkout session prevention

[Nexha-dev]

Closes #763

Summary

Prevents two concurrent checkout requests from the same user from creating duplicate Stripe sessions by guarding createCheckoutSession() with a Supabase advisory lock.

Changes

• Add acquireAdvisoryLock(key, timeoutMs) / releaseAdvisoryLock(key) in apps/backend/src/lib/supabase/supabase-lock.ts (backed by pg_try_advisory_lock with polling until the 10s timeout).
• Wrap createCheckoutSession() in payment.service.ts with the lock (key payment_checkout_{userId}); the lock is released on both success and error paths via finally.
• Throw CheckoutLockError when the lock cannot be acquired; the checkout route returns 409 Conflict with Retry-After: 10.
• Tests for lock acquisition, release on success, release on error, lock-not-acquired rejection, and concurrent-request rejection.

Notes

• Lock key: payment_checkout_{userId}
• Lock timeout: 10s (released after timeout to avoid deadlock)

🤖 Generated with Claude Code

[drips-wave]

@Nexha-dev Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits