Milestone 4: payment abstraction, receipts, refunds, logging, hardened Docker

- lib/payments.ts: provider-agnostic payment interface; cash (immediate) and
  card stub (swappable for Square/Stripe Terminal/Tyro)
- POST /transactions/:id/refund — manager+, server-authoritative, blocks double-refund
- GET /transactions/:id/receipt — structured receipt payload for print/email/SMS
- lib/logger.ts: minimal structured JSON logger respecting LOG_LEVEL env var
- middleware/requestLogger.ts: per-request method/path/status/ms logging
- errorHandler now uses structured logger instead of console.error
- Dockerfile: non-root user (appuser), HEALTHCHECK via /api/v1/health,
  npm cache cleared in runtime stage

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-21 06:57:33 -05:00
parent d78ce35104
commit 2aa041d45e
9 changed files with 249 additions and 28 deletions


@@ -12,6 +12,7 @@ import productsRouter from "./routes/products.js";
import catalogRouter from "./routes/catalog.js";
import transactionsRouter from "./routes/transactions.js";
import { errorHandler } from "./middleware/errorHandler.js";
import { requestLogger } from "./middleware/requestLogger.js";
const __filename = fileURLToPath(import.meta.url);
const __dirname = path.dirname(__filename);
@@ -27,6 +28,7 @@ export function createApp() {
);
app.use(express.json());
app.use(express.urlencoded({ extended: true }));
app.use(requestLogger);
// API routes
app.use("/api/v1", healthRouter);
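Review bot: In the second hunk `app.use(requestLogger);` is registered after `express.json()` and `express.urlencoded()`, so a request that a body parser rejects (malformed JSON, oversized payload) goes straight to the error handler and never reaches the request logger. Those 4xx responses would then have no method/path/status/ms line, and on a payments API rejected requests are worth having in the access trail. Moving `app.use(requestLogger);` above `app.use(express.json());` would cover them, assuming the logger records its line when the response finishes; its implementation is not visible in this section. The body of `createApp` starts and ends outside the hunk, so any middleware mounted before these lines has the same ordering question.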