Fix visibility enforcement and register missing API routes

Security fixes:
- add_comment.php: verify canUserAccessTicket() before allowing comment creation
- assign_ticket.php: use canUserAccessTicket() to prevent info leakage via 403 vs 404
- check_duplicates.php: apply getVisibilityFilter() so confidential ticket titles are not exposed in duplicate search results
- ticket_dependencies.php: verify ticket access on GET before returning dependency data

Route registration:
- Register 7 previously missing API endpoints in index.php: custom_fields, saved_filters, audit_log, user_preferences, download_attachment, clone_ticket, health

Frontend:
- ticket.js: fill empty catch block and empty else block in addComment() with proper error toasts

Documentation:
- README.md: document all API endpoints and update project structure listing

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

index.php

@@ -146,6 +146,34 @@ switch (true) {
         require_once 'api/check_duplicates.php';
         break;
 
+    case $requestPath == '/api/custom_fields.php':
+        require_once 'api/custom_fields.php';
+        break;
+
+    case $requestPath == '/api/saved_filters.php':
+        require_once 'api/saved_filters.php';
+        break;
+
+    case $requestPath == '/api/audit_log.php':
+        require_once 'api/audit_log.php';
+        break;
+
+    case $requestPath == '/api/user_preferences.php':
+        require_once 'api/user_preferences.php';
+        break;
+
+    case $requestPath == '/api/download_attachment.php':
+        require_once 'api/download_attachment.php';
+        break;
+
+    case $requestPath == '/api/clone_ticket.php':
+        require_once 'api/clone_ticket.php';
+        break;
+
+    case $requestPath == '/api/health.php':
+        require_once 'api/health.php';
+        break;
+
     // Admin Routes - require admin privileges
     case $requestPath == '/admin/recurring-tickets':
         if (!$currentUser || !$currentUser['is_admin']) {