fix(stripe): use static Stripe.webhooks for verification

Avoids instantiating a Stripe client just to access constructEvent.
The webhook signing secret is per-trigger (user-provided whsec_…) and
unrelated to our billing STRIPE_SECRET_KEY, so coupling them was wrong.
Stripe.webhooks is exposed as a static — no client, no API key needed.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: waleedlatif1

apps/sim/lib/webhooks/providers/stripe.ts

@@ -1,7 +1,6 @@
 import { createLogger } from '@sim/logger'
 import { NextResponse } from 'next/server'
 import Stripe from 'stripe'
-import { env } from '@/lib/core/config/env'
 import type {
   AuthContext,
   EventFilterContext,
@@ -13,16 +12,6 @@ import { skipByEventTypes } from '@/lib/webhooks/providers/utils'
 
 const logger = createLogger('WebhookProvider:Stripe')
 
-/**
- * Stripe SDK instance used solely for `webhooks.constructEvent`. The API key is
- * not used by signature verification (purely local HMAC), but the SDK constructor
- * requires a value — pass the configured secret key when present to avoid leaving
- * a recognisable placeholder in heap dumps or error serialisations.
- */
-const stripeClient = new Stripe(env.STRIPE_SECRET_KEY || '', {
-  apiVersion: '2025-08-27.basil',
-})
-
 export const stripeHandler: WebhookProviderHandler = {
   verifyAuth({ request, rawBody, requestId, providerConfig }: AuthContext) {
     const secret = providerConfig.webhookSecret as string | undefined
@@ -40,7 +29,7 @@ export const stripeHandler: WebhookProviderHandler = {
     }
 
     try {
-      stripeClient.webhooks.constructEvent(rawBody, signature, secret)
+      Stripe.webhooks.constructEvent(rawBody, signature, secret)
     } catch (error) {
       logger.warn(`[${requestId}] Stripe signature verification failed`, {
         error: error instanceof Error ? error.message : String(error),