restore: bring back f8a1310 (security review) state

Restores all files to the f8a1310 security-review snapshot as requested,
plus the 2 boot-critical fixes from a24c8a2 (config/session.php env()
instead of app()->environment(), and removal of the duplicate $activeTab
in ProjectMap.php) so the application actually boots.

Forward commit, no history rewrite. The 7d854ff state remains in history.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

app/Livewire/ProjectList.php

@@ -16,11 +16,15 @@ class ProjectList extends Component
 
     public function deleteProject($id)
     {
-        $project = Project::findOrFail($id);
-        if (Auth::user()->can('delete projects')) {
-            $project->delete();
-            session()->flash('message', 'Proyecto eliminado');
+        $user = Auth::user();
+        if (!$user->can('delete projects')) {
+            session()->flash('error', 'Sin permisos para eliminar proyectos.');
+            return;
         }
+        // Scope to accessible projects to prevent IDOR (deleting another user's project by ID)
+        $project = Project::accessibleBy($user)->findOrFail($id);
+        $project->delete();
+        session()->flash('message', 'Proyecto eliminado');
     }
 
     public function render()