Add PHP 7.4+ type hints to helpers, models, and middleware

Added strict typing with parameter types, return types, and property
types across all core classes:
- helpers: Database, ErrorHandler, CacheHelper
- models: TicketModel, UserModel, WorkflowModel, TemplateModel, UserPreferencesModel
- middleware: RateLimitMiddleware, CsrfMiddleware, SecurityHeadersMiddleware

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

middleware/CsrfMiddleware.php

@@ -4,14 +4,14 @@
  * Generates and validates CSRF tokens for all state-changing operations
  */
 class CsrfMiddleware {
-    private static $tokenName = 'csrf_token';
-    private static $tokenTime = 'csrf_token_time';
-    private static $tokenLifetime = 3600; // 1 hour
+    private static string $tokenName = 'csrf_token';
+    private static string $tokenTime = 'csrf_token_time';
+    private static int $tokenLifetime = 3600; // 1 hour
 
     /**
      * Generate a new CSRF token
      */
-    public static function generateToken() {
+    public static function generateToken(): string {
         $_SESSION[self::$tokenName] = bin2hex(random_bytes(32));
         $_SESSION[self::$tokenTime] = time();
         return $_SESSION[self::$tokenName];
@@ -20,7 +20,7 @@ class CsrfMiddleware {
     /**
      * Get current CSRF token, regenerate if expired
      */
-    public static function getToken() {
+    public static function getToken(): string {
         if (!isset($_SESSION[self::$tokenName]) || self::isTokenExpired()) {
             return self::generateToken();
         }
@@ -30,7 +30,7 @@ class CsrfMiddleware {
     /**
      * Validate CSRF token (constant-time comparison)
      */
-    public static function validateToken($token) {
+    public static function validateToken(string $token): bool {
         if (!isset($_SESSION[self::$tokenName])) {
             return false;
         }
@@ -47,9 +47,8 @@ class CsrfMiddleware {
     /**
      * Check if token is expired
      */
-    private static function isTokenExpired() {
+    private static function isTokenExpired(): bool {
         return !isset($_SESSION[self::$tokenTime]) ||
                (time() - $_SESSION[self::$tokenTime]) > self::$tokenLifetime;
     }
 }
-?>