Fix visibility enforcement and register missing API routes

Security fixes:
- add_comment.php: verify canUserAccessTicket() before allowing comment creation
- assign_ticket.php: use canUserAccessTicket() to prevent info leakage via 403 vs 404
- check_duplicates.php: apply getVisibilityFilter() so confidential ticket titles are not exposed in duplicate search results
- ticket_dependencies.php: verify ticket access on GET before returning dependency data

Route registration:
- Register 7 previously missing API endpoints in index.php: custom_fields, saved_filters, audit_log, user_preferences, download_attachment, clone_ticket, health

Frontend:
- ticket.js: fill empty catch block and empty else block in addComment() with proper error toasts

Documentation:
- README.md: document all API endpoints and update project structure listing

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

assets/js/ticket.js

@@ -188,9 +188,11 @@ function addComment() {
 
             commentsList.insertBefore(commentDiv, commentsList.firstChild);
         } else {
+            lt.toast.error(data.error || 'Failed to add comment');
         }
     })
     .catch(error => {
+        lt.toast.error('Error adding comment: ' + error.message);
     });
 }