security: round 1 — quick wins (rate limiting, headers, mass assignment, logging)

- Add throttle middleware to login (5/min), portal/token-auth (10/min),
  volunteer-register (5/min), and invitation routes (10/min)
- Set Sanctum token expiration to 7 days
- Remove billing_status from UpdateOrganisationRequest (super_admin only)
- Revoke all Sanctum tokens on password reset
- Strengthen password rules: min 8 chars, mixed case, numbers
- Create SecurityHeaders middleware (X-Content-Type-Options, X-Frame-Options,
  HSTS, Referrer-Policy, Permissions-Policy)
- Fix open redirect on all 3 login pages (validate ?to= starts with /)
- Set APP_DEBUG=false in .env.example
- Log failed login attempts with email, IP, user-agent
- Log authorization failures (403) with user, IP, path, method
- Harden mass assignment: remove user_id from Person, audit fields from
  ShiftAssignment, system fields from UserInvitation $fillable
- Replace real DB records with factory make() in mail preview routes

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

api/tests/Feature/Invitation/InvitationTest.php

@@ -154,8 +154,8 @@ class InvitationTest extends TestCase
         $response = $this->postJson("/api/v1/invitations/{$invitation->token}/accept", [
             'first_name' => 'New',
             'last_name' => 'User',
-            'password' => 'password123',
-            'password_confirmation' => 'password123',
+            'password' => 'Password123',
+            'password_confirmation' => 'Password123',
         ]);
 
         $response->assertOk();
@@ -207,8 +207,8 @@ class InvitationTest extends TestCase
         $response = $this->postJson("/api/v1/invitations/{$invitation->token}/accept", [
             'first_name' => 'Test',
             'last_name' => 'User',
-            'password' => 'password123',
-            'password_confirmation' => 'password123',
+            'password' => 'Password123',
+            'password_confirmation' => 'Password123',
         ]);
 
         $response->assertUnprocessable();
@@ -226,8 +226,8 @@ class InvitationTest extends TestCase
         $response = $this->postJson("/api/v1/invitations/{$invitation->token}/accept", [
             'first_name' => 'Test',
             'last_name' => 'User',
-            'password' => 'password123',
-            'password_confirmation' => 'password123',
+            'password' => 'Password123',
+            'password_confirmation' => 'Password123',
         ]);
 
         $response->assertUnprocessable();