fix(security): eliminate remaining critical vulnerabilities

- SystemFixService: removed ALL shell_exec/sudo calls (30+ instances), replaced with
  safe PHP alternatives (mkdir, chmod, disk_total_space, Artisan calls)
- InstallationController: added ALLOWED_SETTINGS whitelist to prevent arbitrary
  settings manipulation via request data
- ExceptionHandler: removed dangerous npm run build execution and hardcoded
  chown/chmod paths from auto-recovery
- AuthController: fixed user enumeration timing attack by running Hash::make()
  even when user doesn't exist (constant-time comparison)
- DDoSDetectionCommand: added IP validation (FILTER_VALIDATE_IP) before blocking
  to prevent iptables manipulation with spoofed/malicious IPs
- trackRequest: now validates IP before storing in cache

app/Http/Controllers/Miscellaneous/InstallationController.php

@@ -16,6 +16,13 @@ use Illuminate\View\View;
 
 class InstallationController extends Controller
 {
+    private const array ALLOWED_SETTINGS = [
+        'hotel_name', 'hotel_url', 'emulator_database_host', 'emulator_database_port',
+        'emulator_database_name', 'emulator_database_username', 'emulator_database_password',
+        'theme', 'start_credits', 'start_pixels', 'start_diamonds',
+        'social_login_google_enabled', 'social_login_discord_enabled', 'social_login_github_enabled',
+    ];
+
     public function index(): View
     {
         return view('installation.index');
@@ -77,11 +84,9 @@ class InstallationController extends Controller
 
     public function completeInstallation(): RedirectResponse
     {
-        // Clear all caches before marking as complete
         Cache::forget('website_permissions');
         Cache::forget('website_settings');
 
-        // Mark installation as complete
         WebsiteInstallation::latest()->first()->update([
             'completed' => true,
         ]);
@@ -91,13 +96,17 @@ class InstallationController extends Controller
 
     private function updateSettings(Request $request): void
     {
-        foreach ($request->except('_token') as $key => $value) {
-            WebsiteSetting::where('key', '=', $key)->update([
-                'value' => $value ?? '',
+        $data = $request->except(['_token', '_method']);
+
+        foreach ($data as $key => $value) {
+            if (! in_array($key, self::ALLOWED_SETTINGS)) {
+                continue;
+            }
+
+            WebsiteSetting::where('key', $key)->update([
+                'value' => is_array($value) ? json_encode($value) : (string) $value,
             ]);
         }
-
-        // Cache will be automatically cleared by WebsiteSetting model events
     }
 
     private function getSettingsForStep(int $step): Collection
@@ -109,7 +118,7 @@ class InstallationController extends Controller
             2 => $settingsData[1] ?? [],
             3 => $settingsData[2] ?? [],
             4 => $settingsData[3] ?? [],
-            5 => [], // Completion step has no settings
+            5 => [],
             default => throw new Exception('Step does not exist'),
         };