feat: add routes, lang, tests, stubs, docs, and docker configurations

tests/Feature/Middleware/SecurityHeadersTest.php

@@ -0,0 +1,47 @@
+<?php
+
+use App\Services\SystemConfig\SystemConfigService;
+use Illuminate\Support\Facades\Cache;
+use Illuminate\Support\Facades\Route;
+
+beforeEach(function () {
+    $ref = new ReflectionClass(SystemConfigService::class);
+    $prop = $ref->getProperty('resolvedSettings');
+    $prop->setAccessible(true);
+    $prop->setValue(null, null);
+    Cache::flush();
+
+    Route::middleware('web')
+        ->get('/__sec-probe', fn () => response('ok'));
+});
+
+test('X-Content-Type-Options nosniff is present', function () {
+    $r = $this->get('/__sec-probe');
+    expect($r->headers->get('X-Content-Type-Options'))->toBe('nosniff');
+});
+
+test('X-Frame-Options SAMEORIGIN is present', function () {
+    $r = $this->get('/__sec-probe');
+    expect($r->headers->get('X-Frame-Options'))->toBe('SAMEORIGIN');
+});
+
+test('Referrer-Policy is strict-origin-when-cross-origin', function () {
+    $r = $this->get('/__sec-probe');
+    expect($r->headers->get('Referrer-Policy'))->toBe('strict-origin-when-cross-origin');
+});
+
+test('Permissions-Policy locks down camera, microphone, geolocation', function () {
+    $r = $this->get('/__sec-probe');
+    $pp = $r->headers->get('Permissions-Policy');
+    expect($pp)->toContain('camera=()')->toContain('microphone=()')->toContain('geolocation=()');
+});
+
+test('X-XSS-Protection header is set', function () {
+    $r = $this->get('/__sec-probe');
+    expect($r->headers->get('X-XSS-Protection'))->not->toBeNull();
+});
+
+test('HSTS is omitted over plain HTTP regardless of setting', function () {
+    $r = $this->get('/__sec-probe');
+    expect($r->headers->get('Strict-Transport-Security'))->toBeNull();
+});