feat: add encrypted settings, guided Stripe setup, and admin credentials page

Store API keys and secrets encrypted in the SQLite database via the
existing Vault module (AES-256-GCM). The only external dependency is
SECRET_KEY_BASE — everything else lives in the portable DB file.

- Add encrypted_value column to settings table with new "encrypted" type
- Add put_secret/get_secret/delete_setting/secret_hint to Settings context
- Add Secrets module to load encrypted config into Application env at startup
- Add Stripe.Setup module with connect/disconnect/verify_api_key flow
  - Auto-creates webhook endpoints via Stripe API in production
  - Detects localhost and shows Stripe CLI instructions for dev
- Add admin credentials page at /admin/settings with guided setup:
  - Not configured: single Secret key input with dashboard link
  - Connected (production): status display, webhook info, disconnect
  - Connected (dev): Stripe CLI instructions, manual signing secret input
- Remove Stripe env vars from dev.exs and runtime.exs
- Fix CSSCache test startup crash (handle_continue instead of init)
- Add nav link for Credentials page

507 tests, 0 failures.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

test/simpleshop_theme/stripe/setup_test.exs

@@ -0,0 +1,55 @@
+defmodule SimpleshopTheme.Stripe.SetupTest do
+  use SimpleshopTheme.DataCase, async: false
+
+  alias SimpleshopTheme.Settings
+  alias SimpleshopTheme.Stripe.Setup
+
+  describe "localhost?/0" do
+    test "returns true for localhost endpoint" do
+      # In test env, endpoint URL is localhost
+      assert Setup.localhost?()
+    end
+  end
+
+  describe "webhook_url/0" do
+    test "returns the webhook endpoint URL" do
+      url = Setup.webhook_url()
+      assert url =~ "/webhooks/stripe"
+    end
+  end
+
+  describe "save_signing_secret/1" do
+    test "stores signing secret and loads into Application env" do
+      Setup.save_signing_secret("whsec_test_secret_123")
+
+      assert Settings.get_secret("stripe_signing_secret") == "whsec_test_secret_123"
+      assert Application.get_env(:stripity_stripe, :signing_secret) == "whsec_test_secret_123"
+    end
+  end
+
+  describe "disconnect/0" do
+    test "removes all Stripe settings from DB and Application env" do
+      # Set up some Stripe config
+      Settings.put_secret("stripe_api_key", "sk_test_123")
+      Settings.put_secret("stripe_signing_secret", "whsec_test_456")
+      Settings.put_setting("stripe_webhook_endpoint_id", "we_test_789")
+      Application.put_env(:stripity_stripe, :api_key, "sk_test_123")
+      Application.put_env(:stripity_stripe, :signing_secret, "whsec_test_456")
+
+      assert :ok = Setup.disconnect()
+
+      # DB cleared
+      refute Settings.has_secret?("stripe_api_key")
+      refute Settings.has_secret?("stripe_signing_secret")
+      assert Settings.get_setting("stripe_webhook_endpoint_id") == nil
+
+      # Application env cleared
+      assert Application.get_env(:stripity_stripe, :api_key) == nil
+      assert Application.get_env(:stripity_stripe, :signing_secret) == nil
+    end
+
+    test "handles disconnect when nothing is configured" do
+      assert :ok = Setup.disconnect()
+    end
+  end
+end