Handle Incoming Webhooks from Stripe

Create a webhook handler at POST /api/webhooks/stripe. The first thing it must do is verify the Stripe-Signature header against the raw request body using the Stripe webhook secret (stored in STRIPE_WEBHOOK_SECRET environment variable) — reject any request that fails verification with a 400 status. Then handle the following three event types: for checkout.session.completed, find the user by their Stripe customer ID and set their subscription_tier, subscription_status to "active", and store the subscription ID; for customer.subscription.updated, update the subscription_tier to reflect the new plan and update subscription_end_date from the period_end timestamp; for customer.subscription.deleted, set subscription_status to "canceled" and subscription_tier to "free". For all other event types, return 200 without taking action. Always return 200 OK immediately after processing so Stripe does not retry the webhook.