fix(security): eliminate remaining critical vulnerabilities

- SystemFixService: removed ALL shell_exec/sudo calls (30+ instances), replaced with
  safe PHP alternatives (mkdir, chmod, disk_total_space, Artisan calls)
- InstallationController: added ALLOWED_SETTINGS whitelist to prevent arbitrary
  settings manipulation via request data
- ExceptionHandler: removed dangerous npm run build execution and hardcoded
  chown/chmod paths from auto-recovery
- AuthController: fixed user enumeration timing attack by running Hash::make()
  even when user doesn't exist (constant-time comparison)
- DDoSDetectionCommand: added IP validation (FILTER_VALIDATE_IP) before blocking
  to prevent iptables manipulation with spoofed/malicious IPs
- trackRequest: now validates IP before storing in cache

app/Http/Controllers/Api/AuthController.php

@@ -26,7 +26,11 @@ class AuthController extends Controller
             ->orWhere('mail', $username)
             ->first();
 
-        if (! $user || ! Hash::check($request->input('password'), $user->password)) {
+        $credentialsValid = $user && Hash::check($request->input('password'), $user->password);
+
+        if (! $credentialsValid) {
+            Hash::make($request->input('password'));
+
             throw ValidationException::withMessages([
                 'email' => ['The provided credentials are incorrect.'],
             ]);