feat(payment): standalone ZarinPal broker on pay.flatrender.ir

A generic multi-client payment gateway so FlatRender, meezi.ir and
bargevasat.ir can all pay through ZarinPal's single verified callback
domain (pay.flatrender.ir).

New Go service services/payment (clones the notification skeleton +
vendored deps):
- migration 31_payment_broker.sql — `payment` schema: client_apps,
  transactions, webhook_deliveries.
- ZarinPal v4 client ported from the proven identity PaymentService
  (request.json -> StartPay -> verify.json; codes 100/101).
- client API: POST /v1/pay/request + /v1/pay/inquiry, authed by
  X-Api-Key + HMAC body signature; GET /callback/zarinpal (the single
  verified endpoint) verifies, then 302s the user back to the site's
  return_url (signed) and fires a signed, retried webhook.
- per-client ZarinPal merchant override (default = shared merchant);
  amount stored canonically in Rial, unit to ZarinPal env-configurable.
- admin API /v1/admin/* (FlatRender admin JWT): client-app CRUD +
  key issue/rotate + transactions list.

Deploy wiring: payment-svc in docker-compose.v2.yml (host port 1607),
pay.flatrender.ir server block in mirror-nginx conf, ENV_FILE +
README updates (cert SAN + manual migration note).

Admin UI: src/components/admin/PaymentsAdmin.tsx (client apps with
one-time key reveal + rotate, transactions table) + /admin/payments
page + nav link + fa/en strings; pay-admin proxy route to payment-svc.

Docs/SDK: deploy/PAYMENTS.md (integration contract) + deploy/sdk/flatpay.js
(zero-dep Node client + webhook verifier) for meezi/any site.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

backend/db/migrations/31_payment_broker.sql

@@ -0,0 +1,111 @@
+-- =====================================================================
+-- PAYMENT BROKER SCHEMA — generic multi-client ZarinPal gateway
+-- Served on pay.flatrender.ir (the single ZarinPal-verified callback domain).
+-- Other sites (meezi.ir, bargevasat.ir, FlatRender) register as client_apps
+-- and route payments through this broker.
+--
+-- NOTE: migrations auto-run only on FIRST volume creation. On an existing
+-- DB volume, apply this manually:
+--   docker exec -i fr2-postgres psql -U postgres -d flatrender < 31_payment_broker.sql
+-- =====================================================================
+
+CREATE SCHEMA IF NOT EXISTS payment;
+SET search_path TO payment, public;
+
+-- ---------------------------------------------------------------------
+-- client_apps — each site that pays through the broker
+-- ---------------------------------------------------------------------
+CREATE TABLE IF NOT EXISTS payment.client_apps (
+    id                      UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    tenant_id               UUID,                          -- optional link to identity.tenants
+    name                    TEXT NOT NULL,                 -- "meezi.ir", "FlatRender"
+    slug                    TEXT NOT NULL UNIQUE,          -- "meezi"
+    api_key                 TEXT NOT NULL UNIQUE,          -- public id (pk_...)
+    secret                  TEXT NOT NULL,                 -- shared HMAC secret (sk_...) — signs in+out
+
+    -- ZarinPal: per-client override; NULL → broker default merchant/sandbox
+    zarinpal_merchant_id    TEXT,
+    zarinpal_sandbox        BOOLEAN,
+
+    allowed_return_origins  TEXT[] NOT NULL DEFAULT '{}',  -- e.g. {'https://meezi.ir'}; empty = permissive
+    webhook_url             TEXT,                          -- server-to-server result notification
+    is_active               BOOLEAN NOT NULL DEFAULT TRUE,
+
+    created_at              TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at              TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+-- ---------------------------------------------------------------------
+-- transactions — one row per payment attempt
+-- ---------------------------------------------------------------------
+CREATE TABLE IF NOT EXISTS payment.transactions (
+    id                  UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    client_app_id       UUID NOT NULL REFERENCES payment.client_apps(id) ON DELETE RESTRICT,
+
+    status              TEXT NOT NULL DEFAULT 'Created',   -- Created|Pending|Paid|Failed|Cancelled|Expired
+    gateway             TEXT NOT NULL DEFAULT 'ZarinPal',
+
+    amount_rial         BIGINT NOT NULL,                   -- canonical Rial
+    currency            TEXT NOT NULL DEFAULT 'IRR',
+    description         TEXT,
+
+    client_ref          TEXT,                              -- the client's own order id
+    return_url          TEXT NOT NULL,                     -- where the user is sent back
+    metadata            JSONB,                             -- echoed back to the client
+    payer_mobile        TEXT,
+    payer_email         TEXT,
+
+    authority           TEXT,                              -- ZarinPal authority token
+    ref_id              TEXT,                              -- ZarinPal ref_id (receipt)
+    card_pan            TEXT,
+    fee_rial            BIGINT,
+    gateway_response    JSONB,
+    failure_reason      TEXT,
+
+    paid_at             TIMESTAMPTZ,
+    failed_at           TIMESTAMPTZ,
+    expires_at          TIMESTAMPTZ,
+
+    created_at          TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at          TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS idx_pay_txn_client   ON payment.transactions(client_app_id, created_at DESC);
+CREATE UNIQUE INDEX IF NOT EXISTS idx_pay_txn_authority ON payment.transactions(authority) WHERE authority IS NOT NULL;
+CREATE INDEX IF NOT EXISTS idx_pay_txn_clientref ON payment.transactions(client_app_id, client_ref) WHERE client_ref IS NOT NULL;
+CREATE INDEX IF NOT EXISTS idx_pay_txn_status   ON payment.transactions(status);
+
+-- ---------------------------------------------------------------------
+-- webhook_deliveries — outbound signed notifications with retry
+-- ---------------------------------------------------------------------
+CREATE TABLE IF NOT EXISTS payment.webhook_deliveries (
+    id                  UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    transaction_id      UUID NOT NULL REFERENCES payment.transactions(id) ON DELETE CASCADE,
+    url                 TEXT NOT NULL,
+    payload             JSONB NOT NULL,
+    signature           TEXT NOT NULL,
+    attempts            INT NOT NULL DEFAULT 0,
+    delivered           BOOLEAN NOT NULL DEFAULT FALSE,
+    last_status         INT,
+    last_error          TEXT,
+    next_attempt_at     TIMESTAMPTZ,
+    created_at          TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at          TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS idx_pay_wh_pending ON payment.webhook_deliveries(delivered, next_attempt_at) WHERE delivered = FALSE;
+
+-- ---------------------------------------------------------------------
+-- updated_at triggers (helper tg_set_updated_at() created in 00_setup.sql)
+-- ---------------------------------------------------------------------
+DROP TRIGGER IF EXISTS tg_pay_client_apps_updated ON payment.client_apps;
+CREATE TRIGGER tg_pay_client_apps_updated BEFORE UPDATE ON payment.client_apps
+    FOR EACH ROW EXECUTE FUNCTION public.tg_set_updated_at();
+
+DROP TRIGGER IF EXISTS tg_pay_transactions_updated ON payment.transactions;
+CREATE TRIGGER tg_pay_transactions_updated BEFORE UPDATE ON payment.transactions
+    FOR EACH ROW EXECUTE FUNCTION public.tg_set_updated_at();
+
+DROP TRIGGER IF EXISTS tg_pay_webhook_updated ON payment.webhook_deliveries;
+CREATE TRIGGER tg_pay_webhook_updated BEFORE UPDATE ON payment.webhook_deliveries
+    FOR EACH ROW EXECUTE FUNCTION public.tg_set_updated_at();