fix(security): patch critical security vulnerabilities

- Remove User::$guarded = [] to prevent mass assignment attacks
- Enable SQL strict mode and disable emulated prepares (SQL injection prevention)
- Switch password hashing from bcrypt to argon2id (stronger algorithm)
- Enable session encryption to protect session data at rest
- Restrict TrustProxies to localhost only (prevent IP spoofing)
- Restrict CORS allowed_methods via env variable instead of wildcard
- Add PayPal amount mismatch detection to prevent payment manipulation
- Add double-capture prevention (idempotency check)
- Add expected_amount column to transactions table for verification

database/migrations/2026_05_19_173520_add_expected_amount_to_paypal_transactions.php

@@ -0,0 +1,22 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    public function up(): void
+    {
+        Schema::table('website_paypal_transactions', function (Blueprint $table) {
+            $table->decimal('expected_amount', 10, 2)->nullable()->after('amount');
+        });
+    }
+
+    public function down(): void
+    {
+        Schema::table('website_paypal_transactions', function (Blueprint $table) {
+            $table->dropColumn('expected_amount');
+        });
+    }
+};