docs(env): add eval session setup guidance in .env.example

Code-agent A/B evaluation sessions (via mercor init.py) hand a repo
snapshot to two models that start without a .env file. init.py strips
all hidden files from the snapshot EXCEPT .env.example, .gitignore, and
.dockerignore — so whatever .env.example says is the model's only guide.

Two previous eval tasks (TASK_15112, TASK_15251) hit this exact problem
with SpokeToWork: both models assumed local Supabase couldn't run
because the .env.example didn't clearly explain the setup path. Adding
the same explicit guidance here to prevent a third repeat for
ScriptHammer payment-feature evals.

The eval-session guidance explicitly tells models:
1. How to create their .env from .env.example
2. Which fields need filling (Supabase) and which should stay empty (payment keys)
3. That the "not configured" UI path is EXPECTED and graceful (per commit
   77e409d) — they should compose payment UI components and observe the
   feature-flag gate, not attempt to obtain real Stripe/PayPal keys

No code changes, no secrets added, no new files. Just a clearer comment
block in the existing .env.example.

Author: TurtleWolfe

.env.example

@@ -151,6 +151,28 @@ SH_SUPABASE_MAIL_PORT=54324
 # Full guide: docs/PAYMENT-DEPLOYMENT.md
 # Forker overview: README.md "Payment Integration Setup" section
 #
+# ─── Evaluation sessions / A-B testing ────────────────────────────────
+#
+# If you're running this repo as a code-agent evaluation snapshot and
+# need to work on payment features WITHOUT real Stripe/PayPal keys:
+#
+#   1. Run `cp .env.example .env` to create your local .env
+#   2. Set UID=$(id -u) and GID=$(id -g) in the new .env
+#   3. Uncomment the NEXT_PUBLIC_SUPABASE_URL and anon key lines and fill
+#      them with values from your Supabase project (or the local
+#      docker-compose supabase profile — see the "Local Supabase" section
+#      above for demo keys that are NOT secrets and are safe to use)
+#   4. Leave ALL payment keys (NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY,
+#      NEXT_PUBLIC_PAYPAL_CLIENT_ID, and the secrets below) empty
+#
+# The template already handles missing payment config gracefully (added
+# in commit 77e409d, 2026-04-08): PaymentButton renders a "not configured"
+# warning, /payment-demo shows a prominent banner, and provider tabs only
+# render for configured providers. A model working on payment UI tasks
+# can compose the components and observe the feature-flag gate WITHOUT
+# needing real API keys. That's the expected eval mode — do not attempt
+# to obtain real keys during an eval session.
+#
 # The entries below are placeholder names only — DO NOT add values here.
 # PAYPAL_CLIENT_SECRET=
 # PAYPAL_WEBHOOK_ID=