fix(security): patch critical security vulnerabilities
- Remove User::$guarded = [] to prevent mass assignment attacks
- Enable SQL strict mode and disable emulated prepares (SQL injection prevention)
- Switch password hashing from bcrypt to argon2id (stronger algorithm)
- Enable session encryption to protect session data at rest
- Restrict TrustProxies to localhost only (prevent IP spoofing)
- Restrict CORS allowed_methods via env variable instead of wildcard
- Add PayPal amount mismatch detection to prevent payment manipulation
- Add double-capture prevention (idempotency check)
- Add expected_amount column to transactions table for verification
@@ -15,7 +15,7 @@ class TrustProxies extends Middleware
* @var array<int, string>|string|null
*/
#[\Override]
protected $proxies;
protected $proxies = '127.0.0.1,::1';
/**
* The headers that should be used to detect proxies.
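Review bot: hardcoding `protected $proxies = '127.0.0.1,::1';` only prevents IP spoofing when the application has no upstream reverse proxy or load balancer; if there is one on another host, its forwarded headers are no longer trusted, so client IPs resolve to the proxy's address and scheme detection from the forwarded-proto header breaks, which can make generated URLs come out as `http`. The commit message already takes the env-variable route for `allowed_methods`, so it would be consistent to make the trusted proxy list configurable the same way, with the loopback addresses as the default; note that a PHP property default cannot call `env()` or `config()`, so the value would have to be assigned in a constructor or at the point where the middleware is registered. The docblock `@var array<int, string>|string|null` already permits the comma-separated string form, so no docblock change is needed for this hunk.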