PAR-772: StoreIntegration Signature Redesign #54

Merged
mescalantea merged 15 commits into master from refactor/PAR-772-StoreIntegration-Signature-Redesign on Apr 28, 2026
@mescalantea (Contributor) commented Apr 27, 2026

What is the goal?

Replace the random webhook signature with a deterministic HMAC-SHA256 derived from the ApiAccount password and store ID. Switch store integration deletion to identify by webhook URL instead of integrationId. This eliminates the need for the `StoreIntegration` database record, repository, and entity entirely — preventing duplicate API entries on disconnect/reconnect cycles.

References

  • Issue: PAR-772
  • Related pull-requests: N/A
  • Sentry errors: N/A
  • Any other references (AppSignal, Prometheus, ...): N/A

How is it being implemented?

  • `StoreIntegrationService` constructor swaps `StoreIntegrationRepositoryInterface` for `ConnectionDataRepositoryInterface`. Signature is now computed via `HMAC::generateHMAC([$storeId], $password)` instead of random bytes stored in DB.
  • `deleteStoreIntegration` accepts `ConnectionData` directly and computes the webhook URL internally — no longer requires a `StoreIntegration` model.
  • `DeleteStoreIntegrationRequest` / `DeleteStoreIntegrationHttpRequest` updated to carry a webhook URL string instead of a `StoreIntegration` object.
  • `DisconnectService` simplified: no more `StoreIntegrationRepositoryInterface` dependency.
  • `ConnectionService`: `skipIfExists` parameter removed — deterministic signature makes calls idempotent.
  • `BootstrapComponent` rewired accordingly; `StoreIntegrationRepositoryInterface` registration removed.
  • Domain model, repository interface, DataAccess repository, and ORM entity for `StoreIntegration` deleted.

Opportunistic refactorings

Removed the `StoreIntegration` DB layer entirely (model, repository interface, DataAccess implementation, ORM entity, mock, and tests) since it is no longer needed.

Caveats

  • Breaking change (major version bump required): removed `StoreIntegrationRepositoryInterface`, changed `StoreIntegrationService` constructor, changed `deleteStoreIntegration` signature, removed `skipIfExists`.
  • Password change regenerates the signature, creating a new API entry — acceptable since this is far less frequent than disconnect/reconnect cycles.
  • SeQura API must support deletion by webhook URL before this library version ships.

Does it affect (changes or update) any sensitive data?

No sensitive data affected. API passwords are only used transiently to compute the HMAC and are never stored by this code.

How is it tested?

`StoreIntegrationServiceTest` rewritten with HMAC assertions and no DB interactions. All 754 PHPUnit tests pass. `phpstan` (level 6) and `phpcs` clean.

How is it going to be deployed?

Requires a major version bump. Plugin maintainers must:

  • Remove any usage of `StoreIntegrationRepositoryInterface`
  • Update `StoreIntegrationService` constructor injection (swap repo for `ConnectionDataRepositoryInterface`)
  • Drop the `StoreIntegration` DB table migration in their plugin

mescalantea and others added 6 commits April 27, 2026 12:47
…ationRequest, DeleteStoreIntegrationHttpRequest

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…erface

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ete repository tests

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
mescalantea and others added 9 commits April 27, 2026 15:48
…gnature payload to include storeUrl

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…nService factory and BaseTestCase

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…C payload and rename test

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…n three test files)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…tionData entries

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…issing validateWebhookSignature override)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…st payload, defensive URL clone)

Use HMAC::validateHMAC in validateWebhookSignature and hoist the
storeId+storeUrl payload out of the per-connection loop so multi-
deployment webhook validation does one store-info lookup, not N.
buildWebhookUrl now returns a fresh URL so callers cannot accumulate
storeId/signature queries on a cached integration URL instance.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@mescalantea mescalantea merged commit d173aa2 into master Apr 28, 2026
5 checks passed
@mescalantea mescalantea deleted the refactor/PAR-772-StoreIntegration-Signature-Redesign branch April 28, 2026 09:33
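
The scheme described in this pull request (a deterministic HMAC-SHA256 webhook signature keyed by the account password, validated against every stored connection with the payload built once) as an added PHP sketch; it is not the library's code. The function names, the length-prefixed payload encoding and all sample values are assumptions, and the library's `HMAC` class may encode its payload differently.

```php
<?php
declare(strict_types=1);
// Added illustration; every name and value here is hypothetical or constructed.

/** Length-prefix each part so ['ab', 'c'] and ['a', 'bc'] cannot collide. */
function examplePayload(array $parts): string
{
    return implode('', array_map(fn (string $p): string => strlen($p) . ':' . $p, $parts));
}

/** Deterministic: the same password and store data always give the same value. */
function exampleSignature(string $password, string $storeId, string $storeUrl): string
{
    return hash_hmac('sha256', examplePayload([$storeId, $storeUrl]), $password);
}

/** Builds a new string on every call, so query parameters never accumulate. */
function exampleWebhookUrl(string $baseUrl, string $storeId, string $signature): string
{
    $query = http_build_query(['storeId' => $storeId, 'signature' => $signature]);
    return $baseUrl . (strpos($baseUrl, '?') === false ? '?' : '&') . $query;
}

/** Accept the webhook if any stored connection's password yields the signature. */
function exampleValidate(string $received, string $storeId, string $storeUrl, array $passwords): bool
{
    $payload = examplePayload([$storeId, $storeUrl]); // built once, not per connection
    $valid = false;
    foreach ($passwords as $password) {
        // hash_equals compares in constant time; no early exit on the first match
        $valid = hash_equals(hash_hmac('sha256', $payload, $password), $received) || $valid;
    }
    return $valid;
}

// Constructed sample data.
$storeId = '1';
$storeUrl = 'https://shop.example';
$first = exampleSignature('constructed-password-A', $storeId, $storeUrl);
$again = exampleSignature('constructed-password-A', $storeId, $storeUrl); // reconnect
$rotated = exampleSignature('constructed-password-B', $storeId, $storeUrl);

echo exampleWebhookUrl('https://shop.example/webhook', $storeId, $first), PHP_EOL;
var_dump([
    'reconnect yields identical signature' => hash_equals($first, $again),
    'valid for one of two connections' => exampleValidate($first, $storeId, $storeUrl, ['constructed-password-B', 'constructed-password-A']),
    'old signature valid after rotation' => exampleValidate($first, $storeId, $storeUrl, ['constructed-password-B']),
    'rotation changes the signature' => !hash_equals($first, $rotated),
]);
```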