fix: move hyphen to end of password validation regex character class

The hyphen character was positioned between * and + in the regex
character class [#?!@$%^&*-+], causing it to be interpreted as a
range operator (ASCII 42-43) instead of a literal hyphen (ASCII 45).

This caused passwords containing hyphens to fail validation while
passwords with asterisks passed.

Moving the hyphen to the end of the character class [#?!@$%^&*+-]
ensures it is treated as a literal character.

Regression introduced in 757e964.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: caseylocker

config/auth.php

@@ -102,9 +102,9 @@
     'password_reset_lifetime' => env('AUTH_PASSWORD_RESET_LIFETIME', 1800),
     'password_min_length' => env('AUTH_PASSWORD_MIN_LENGTH', 8),
     'password_max_length' => env('AUTH_PASSWORD_MAX_LENGTH', 30),
-    'password_allowed_special_characters' => env('AUTH_PASSWORD_ALLOWED_SPECIAL_CHARACTERS', '[A-Za-z0-9#?!@$%^&*-+]'),
-    'password_shape_pattern' => env('AUTH_PASSWORD_SHAPE_PATTERN', '^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[#?!@$%^&*-+])[A-Za-z0-9#?!@$%^&*-+]+$'),
-    'password_shape_warning' => env('AUTH_PASSWORD_SHAPE_WARNING', 'Password must include at least one uppercase letter, one lowercase letter, one number, and one special character (#?!@$%^&*-+).'),
+    'password_allowed_special_characters' => env('AUTH_PASSWORD_ALLOWED_SPECIAL_CHARACTERS', '[A-Za-z0-9#?!@$%^&*+-]'),
+    'password_shape_pattern' => env('AUTH_PASSWORD_SHAPE_PATTERN', '^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[#?!@$%^&*+-])[A-Za-z0-9#?!@$%^&*+-]+$'),
+    'password_shape_warning' => env('AUTH_PASSWORD_SHAPE_WARNING', 'Password must include at least one uppercase letter, one lowercase letter, one number, and one special character (#?!@$%^&*+-).'),
     'verification_email_lifetime' => env("AUTH_VERIFICATION_EMAIL_LIFETIME", 600),
     'allows_native_auth' => env('AUTH_ALLOWS_NATIVE_AUTH', 1),
     'allows_native_on_config' => env('AUTH_ALLOWS_NATIVE_AUTH_CONFIG', 1),