Milestone 4: payment abstraction, receipts, refunds, logging, hardened Docker

- lib/payments.ts: provider-agnostic payment interface; cash (immediate) and
  card stub (swappable for Square/Stripe Terminal/Tyro)
- POST /transactions/:id/refund — manager+, server-authoritative, blocks double-refund
- GET /transactions/:id/receipt — structured receipt payload for print/email/SMS
- lib/logger.ts: minimal structured JSON logger respecting LOG_LEVEL env var
- middleware/requestLogger.ts: per-request method/path/status/ms logging
- errorHandler now uses structured logger instead of console.error
- Dockerfile: non-root user (appuser), HEALTHCHECK via /api/v1/health,
  npm cache cleared in runtime stage

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

INSTRUCTIONS.md

@@ -69,13 +69,28 @@ App: `http://localhost:8080`
 
 All endpoints live under `/api/v1`.
 
-| Method | Path                        | Auth     | Description              |
-|--------|-----------------------------|----------|--------------------------|
-| GET    | /health                     | None     | Health check             |
-| POST   | /auth/login                 | None     | Obtain tokens            |
-| POST   | /auth/refresh               | None     | Rotate refresh token     |
-| POST   | /auth/logout                | Bearer   | Invalidate tokens        |
-| GET    | /auth/me                    | Bearer   | Current user info        |
+| Method | Path                              | Auth          | Description                        |
+|--------|-----------------------------------|---------------|------------------------------------|
+| GET    | /health                           | None          | Health check                       |
+| POST   | /auth/login                       | None          | Obtain tokens                      |
+| POST   | /auth/refresh                     | None          | Rotate refresh token               |
+| POST   | /auth/logout                      | Bearer        | Invalidate tokens                  |
+| GET    | /auth/me                          | Bearer        | Current user info                  |
+| GET    | /vendors                          | Bearer        | List vendor                        |
+| PUT    | /vendors/:id                      | owner         | Update vendor settings             |
+| GET    | /users                            | manager+      | List users                         |
+| POST   | /users                            | manager+      | Create user                        |
+| PUT    | /users/:id                        | manager+      | Update user                        |
+| DELETE | /users/:id                        | manager+      | Delete user                        |
+| GET    | /users/roles/list                 | Bearer        | List available roles               |
+| GET/POST/PUT/DELETE | /categories, /taxes, /products | manager+ | Catalog CRUD       |
+| GET    | /catalog/sync?since=              | Bearer        | Delta sync for Android             |
+| POST   | /transactions/batch               | Bearer        | Batch upload (idempotent)          |
+| GET    | /transactions                     | manager+      | List transactions                  |
+| GET    | /transactions/:id                 | manager+      | Get transaction detail             |
+| POST   | /transactions/:id/refund          | manager+      | Refund a completed transaction     |
+| GET    | /transactions/:id/receipt         | Bearer        | Structured receipt payload         |
+| GET    | /transactions/reports/summary     | manager+      | Revenue/tax/top-product summary    |
 
 ---