Real-world processor adapter delegating to :lattice_stripe.

This is the ONLY module in the codebase allowed to alias, import, or reference LatticeStripe (D-07). All raw Stripe errors cross this facade and are translated to Accrue.Error subtypes via Accrue.Processor.Stripe.ErrorMapper — downstream Billing code never sees raw LatticeStripe.Error shapes. A CI-enforced facade-lockdown test in test/accrue/processor/stripe_test.exs walks lib/accrue/**/*.ex and fails if LatticeStripe appears anywhere except stripe.ex and stripe/error_mapper.ex.

Config keys (READ-ONLY)

This module reads (never writes) the following Phase 1 keys that Accrue.Config already defines:

• :stripe_secret_key — runtime only (CLAUDE.md §Config Boundaries). An unset key raises Accrue.ConfigError at call time rather than at Application.compile_env!/2 load time so secrets never leak into compiled release artifacts.
• :stripe_api_version — runtime only, defaults to "2026-03-25.dahlia".

PII discipline

Raw Stripe responses often contain PII in fields like email, name, address, phone, shipping. This adapter:

• Does not log processor_error verbatim — T-PROC-01 mitigation.
• Does not auto-inject params or responses into telemetry metadata — only %{adapter: :stripe, operation: ...} at this layer.
• Converts LatticeStripe.Customer structs to plain maps via customer_to_map/1 so downstream code never pattern-matches on %LatticeStripe.Customer{}.

Phase 1 scope

Only the three customer callbacks are implemented (PROC-01, PROC-03, PROC-07). Wire-level integration tests against Stripe test mode are deferred to Phase 3 (PROC-02) — Phase 1 only proves the behaviour conformance, the error-mapping contract, and the facade lockdown.