Add security logging, domain validation, and output helpers

- Add authentication failure logging to AuthMiddleware (session expiry,
  access denied, unauthenticated access attempts)
- Add UrlHelper for secure URL generation with host validation against
  configurable ALLOWED_HOSTS whitelist
- Add OutputHelper with consistent XSS-safe escaping functions (h, attr,
  json, url, css, truncate, date, cssClass)
- Add validation to AuditLogModel query parameters (pagination limits,
  date format validation, action/entity type validation, IP sanitization)
- Add APP_DOMAIN and ALLOWED_HOSTS configuration options

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

config/config.php

@@ -31,6 +31,14 @@ $GLOBALS['config'] = [
     'ASSETS_URL' => '/assets', // Assets URL
     'API_URL' => '/api', // API URL
 
+    // Domain settings for external integrations (webhooks, links, etc.)
+    // Set APP_DOMAIN in .env to override
+    'APP_DOMAIN' => $envVars['APP_DOMAIN'] ?? null,
+    // Allowed hosts for HTTP_HOST validation (comma-separated in .env)
+    'ALLOWED_HOSTS' => array_filter(array_map('trim',
+        explode(',', $envVars['ALLOWED_HOSTS'] ?? 'localhost,127.0.0.1')
+    )),
+
     // Session settings
     'SESSION_TIMEOUT' => 3600, // 1 hour in seconds
     'SESSION_REGENERATE_INTERVAL' => 300, // Regenerate session ID every 5 minutes