Sign all non-Model screen state with SerializableClosure HMAC

[Copilot]

Screen state is serialized and round-tripped through the client. Previously only Closure properties were HMAC-signed; primitives, arrays, and plain objects used bare PHP serialization — unsigned and tamperable.

Changes

src/Screen/Concerns/SignedValue.php (new)

Wraps any non-Model value in a signed SerializableClosure:

$this->payload = new SerializableClosure(static fn () => $value);

When APP_KEY is set, Laravel's EncryptionServiceProvider registers an HMAC signer. Any payload modification throws InvalidSignatureException on deserialization.

src/Screen/Concerns/ModelStateRetrievable.php

__serialize — explicit dispatch replacing the generic getSerializedPropertyValue fallback:

Value type	Stored as
Unsaved Model	as-is
\Closure	SerializableClosure
Saved Model / QueueableCollection	ModelIdentifier
Everything else	new SignedValue($value)

__unserialize — symmetric type dispatch: SignedValue::restore() calls the captured closure to recover the original value; SerializableClosure::getClosure() returns the original callable; getRestoredPropertyValue() handles ModelIdentifier DB rehydration.

tests/App/Screens/SerializeRetrievableScreen.php

Added ValueObject (a plain readonly DTO), plus typed array $data, float $amount, and ?ValueObject $valueObject properties to exercise non-Model serialization paths.

tests/Unit/Screen/ScreenSerializeTest.php

• testWithPrimitivesAndStdObject — covers int, string, float, array, stdClass; asserts "hash" present in each serialized payload
• testWithComplexObject — asserts ValueObject is captured inside a signed SerializableClosure (not a ModelIdentifier), HMAC hash present, correct round-trip, zero DB queries
• testClosureIsSignedWithAppKey — asserts Signed::$signer is non-null and closure round-trips correctly