feat(03-tech-debt): standardize CSRF field name to _token

Phase 3 complete:
- Zmieniono _csrf_token -> _token w OrdersController (1x), ShipmentController (2x)
- Zmieniono name="_csrf_token" -> name="_token" w orders/show.php (1x), shipments/prepare.php (2x)
- Usunięto concern z .paul/codebase/CONCERNS.md

Co-Authored-By: Claude <noreply@anthropic.com>

src/Modules/Shipments/ShipmentController.php

@@ -150,7 +150,7 @@ final class ShipmentController
             return Response::html('Not found', 404);
         }
 
-        $csrfToken = (string) $request->input('_csrf_token', '');
+        $csrfToken = (string) $request->input('_token', '');
         if (!Csrf::validate($csrfToken)) {
             $_SESSION['shipment_flash_error'] = $this->translator->get('auth.errors.csrf_expired');
             return Response::redirect('/orders/' . $orderId . '/shipment/prepare');
@@ -267,7 +267,7 @@ final class ShipmentController
             return Response::html('Not found', 404);
         }
 
-        $csrfToken = (string) $request->input('_csrf_token', '');
+        $csrfToken = (string) $request->input('_token', '');
         if (!Csrf::validate($csrfToken)) {
             $_SESSION['shipment_flash_error'] = $this->translator->get('auth.errors.csrf_expired');
             return Response::redirect('/orders/' . $orderId . '/shipment/prepare');