Security: Fix critical vulnerabilities and implement security hardening

CRITICAL SECURITY FIXES:
- Fixed certificate validation bypass vulnerability in BTCPayServerService
  * Removed unsafe ServerCertificateCustomValidationCallback
  * Added environment-specific SSL configuration
  * Production now enforces proper SSL validation

- Fixed overly permissive CORS policy
  * Replaced AllowAnyOrigin() with specific trusted origins
  * Created separate CORS policies for Development/Production/API
  * Configured from appsettings for environment-specific control

- Implemented CSRF protection across admin panel
  * Added [ValidateAntiForgeryToken] to all POST/PUT/DELETE actions
  * Protected 10 admin controllers with anti-forgery tokens
  * Prevents Cross-Site Request Forgery attacks

CONFIGURATION IMPROVEMENTS:
- Created appsettings.Development.json for dev-specific settings
- Added Security:AllowInsecureSSL flag (Development only)
- Added CORS:AllowedOrigins configuration arrays
- Created comprehensive security roadmap (ROADMAP.md)

ALSO FIXED:
- TeleBot syntax errors (Program.cs, MessageFormatter.cs)
- Added enterprise-full-stack-developer output style

Impact: All Phase 1 critical security vulnerabilities resolved
Status: Ready for security review and deployment preparation

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

LittleShop/Areas/Admin/Controllers/OrdersController.cs

@@ -78,6 +78,7 @@ public class OrdersController : Controller
     }
 
     [HttpPost]
+    [ValidateAntiForgeryToken]
     public async Task<IActionResult> Create(CreateOrderDto model)
     {
         if (!ModelState.IsValid)
@@ -101,6 +102,7 @@ public class OrdersController : Controller
     }
 
     [HttpPost]
+    [ValidateAntiForgeryToken]
     public async Task<IActionResult> Edit(Guid id, OrderDto model)
     {
         if (!ModelState.IsValid)
@@ -125,6 +127,7 @@ public class OrdersController : Controller
     }
 
     [HttpPost]
+    [ValidateAntiForgeryToken]
     public async Task<IActionResult> UpdateStatus(Guid id, UpdateOrderStatusDto model)
     {
         var success = await _orderService.UpdateOrderStatusAsync(id, model);
@@ -138,6 +141,7 @@ public class OrdersController : Controller
 
     // Workflow action methods
     [HttpPost]
+    [ValidateAntiForgeryToken]
     public async Task<IActionResult> AcceptOrder(Guid id, string? notes)
     {
         var userName = User.Identity?.Name ?? "Unknown";
@@ -157,6 +161,7 @@ public class OrdersController : Controller
     }
 
     [HttpPost]
+    [ValidateAntiForgeryToken]
     public async Task<IActionResult> StartPacking(Guid id, string? notes)
     {
         var userName = User.Identity?.Name ?? "Unknown";
@@ -176,6 +181,7 @@ public class OrdersController : Controller
     }
 
     [HttpPost]
+    [ValidateAntiForgeryToken]
     public async Task<IActionResult> DispatchOrder(Guid id, string trackingNumber, int estimatedDays = 3, string? notes = null)
     {
         var userName = User.Identity?.Name ?? "Unknown";
@@ -200,6 +206,7 @@ public class OrdersController : Controller
     }
 
     [HttpPost]
+    [ValidateAntiForgeryToken]
     public async Task<IActionResult> PutOnHold(Guid id, string reason, string? notes)
     {
         var userName = User.Identity?.Name ?? "Unknown";
@@ -219,6 +226,7 @@ public class OrdersController : Controller
     }
 
     [HttpPost]
+    [ValidateAntiForgeryToken]
     public async Task<IActionResult> RemoveFromHold(Guid id)
     {
         var userName = User.Identity?.Name ?? "Unknown";
@@ -237,6 +245,7 @@ public class OrdersController : Controller
     }
 
     [HttpPost]
+    [ValidateAntiForgeryToken]
     public async Task<IActionResult> MarkDelivered(Guid id, DateTime? actualDeliveryDate, string? notes)
     {
         var deliveredDto = new MarkDeliveredDto