refactor(payments): migrate to params.expect

- Wrap AJAX parameters in `payment` hash for params.expect compatibility
- Flatten Stripe token fields (stripe_email, stripe_token_id) instead of
  nested `data` hash for clearer parameter names
- Update controller to use params.expect with flat structure
- Add type tampering test to verify 400 Bad Request behavior
- Remove root-level parameters exception from CLAUDE.md

Addresses review comment on #2476 about payments_controller still using
params.permit. Now all controllers use params.expect consistently.

Author: mroderick

CLAUDE.md

@@ -217,15 +217,6 @@ def index
 end
 ```
 
-### Root-Level Parameters
-
-For parameters without a wrapper key (less common):
-
-```ruby
-# Use params.permit for root-level params
-payment_params = params.permit(:amount, :name, data: [:email, :id])
-```
-
 ### Return Value
 
 `params.expect(key: [...])` returns the **inner permitted parameters**, not wrapped: