Add security logging, domain validation, and output helpers

- Add authentication failure logging to AuthMiddleware (session expiry,
  access denied, unauthenticated access attempts)
- Add UrlHelper for secure URL generation with host validation against
  configurable ALLOWED_HOSTS whitelist
- Add OutputHelper with consistent XSS-safe escaping functions (h, attr,
  json, url, css, truncate, date, cssClass)
- Add validation to AuditLogModel query parameters (pagination limits,
  date format validation, action/entity type validation, IP sanitization)
- Add APP_DOMAIN and ALLOWED_HOSTS configuration options

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

controllers/TicketController.php

@@ -6,6 +6,7 @@ require_once dirname(__DIR__) . '/models/AuditLogModel.php';
 require_once dirname(__DIR__) . '/models/UserModel.php';
 require_once dirname(__DIR__) . '/models/WorkflowModel.php';
 require_once dirname(__DIR__) . '/models/TemplateModel.php';
+require_once dirname(__DIR__) . '/helpers/UrlHelper.php';
 
 class TicketController {
     private $ticketModel;
@@ -218,10 +219,8 @@ class TicketController {
 
         $webhookUrl = $this->envVars['DISCORD_WEBHOOK_URL'];
 
-        // Create ticket URL
-        $protocol = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http';
-        $host = $_SERVER['HTTP_HOST'] ?? 't.lotusguild.org';
-        $ticketUrl = "{$protocol}://{$host}/ticket/{$ticketId}";
+        // Create ticket URL using validated host
+        $ticketUrl = UrlHelper::ticketUrl($ticketId);
 
         // Map priorities to Discord colors (matching API endpoint)
         $priorityColors = [