fix: CSRF on ticket create form, DOM-safe duplicate list, audit-log param validation

- TicketController::create: validate csrf_token from POST before processing
- CreateTicketView: emit hidden csrf_token field; replace innerHTML duplicate
  list with DOM methods to prevent any XSS path; guard checkDuplicates() with
  lt.api availability check
- index.php audit-log: allowlist action_type; validate date_from/date_to as
  YYYY-MM-DD before passing to query

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

controllers/TicketController.php

@@ -75,6 +75,18 @@ class TicketController {
 
         // Check if form was submitted
         if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+            // Validate CSRF token
+            require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';
+            $csrfToken = $_POST['csrf_token'] ?? '';
+            if (!CsrfMiddleware::validateToken($csrfToken)) {
+                $error = "Invalid or expired security token. Please try again.";
+                $templates = $this->templateModel->getAllTemplates();
+                $allUsers = $this->userModel->getAllUsers();
+                $conn = $this->conn;
+                include dirname(__DIR__) . '/views/CreateTicketView.php';
+                return;
+            }
+
             // Handle visibility groups (comes as array from checkboxes)
             $visibilityGroups = null;
             if (isset($_POST['visibility_groups']) && is_array($_POST['visibility_groups'])) {