fix: resolve all Week 2 performance & security issues (F1.10–F1.19)

Security:
- Replace maybe_serialize() in cookies with json_encode() (PHP object injection fix)
- Add PayPal webhook signature verification
- Add current_user_can('manage_options') to all 18 admin-ajax handlers

Performance:
- Remove flush_rewrite_rules() from init hooks (Thankyou + Payment)
- Add activation/deactivation hooks for flush_rewrite_rules
- Cache currency, country, flags JSON reads in static variables
- Add server-side pagination to Customer::formipay_tabledata_customers()
- Optimize Order::formipay_tabledata_orders() with COUNT(*) GROUP BY

Cleanup:
- Delete Paypal.phpbak backup file
- Fix timezone hardcode Asia/Jakarta → wp_timezone_string()
- Create uninstall.php for proper cleanup on uninstall

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

formipay.php

@@ -50,6 +50,20 @@ spl_autoload_register(function ($class) {
 
 \Formipay\Init::get_instance();
 
+register_activation_hook( __FILE__, 'formipay_activate' );
+function formipay_activate() {
+    // Instantiate singletons so rewrite rules get registered via init hooks
+    \Formipay\Thankyou::get_instance();
+    \Formipay\Integration\Paypal::get_instance();
+    \Formipay\Payment\BankTransfer::get_instance();
+    flush_rewrite_rules();
+}
+
+register_deactivation_hook( __FILE__, 'formipay_deactivate' );
+function formipay_deactivate() {
+    flush_rewrite_rules();
+}
+
 // function formipay_add_defer_attribute($tag, $handle) {
 //     if ( 'product-details' === $handle ) {
 //         // Add defer attribute