Audit fixes: security, dead code removal, API consolidation, JS dedup

Security:
- Fix IDOR in delete/update comment (add ticket visibility check)
- XSS defense-in-depth in DashboardView active filters
- Replace innerHTML with DOM construction in toast.js
- Remove redundant real_escape_string in check_duplicates
- Add rate limiting to get_template, download_attachment, audit_log,
  saved_filters, user_preferences endpoints

Bug fixes:
- Session timeout now reads from config instead of hardcoded 18000
- TicketController uses $GLOBALS['config'] instead of duplicate .env parsing
- Add DISCORD_WEBHOOK_URL to centralized config
- Cleanup script uses hashmap for O(1) ticket ID lookups

Dead code removal (~100 lines):
- Remove dead getTicketComments() from TicketModel (wrong bind_param type)
- Remove dead getCategories()/getTypes() from DashboardController
- Remove ~80 lines dead Discord webhook code from update_ticket API

Consolidation:
- Create api/bootstrap.php for shared API setup (auth, CSRF, rate limit)
- Convert 6 API endpoints to use bootstrap
- Extract escapeHtml/getTicketIdFromUrl into shared utils.js
- Batch save for user preferences (1 request instead of 7)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

assets/js/ticket.js

@@ -1,22 +1,3 @@
-// XSS prevention helper
-function escapeHtml(text) {
-    const div = document.createElement('div');
-    div.textContent = text;
-    return div.innerHTML;
-}
-
-// Get ticket ID from URL (handles both /ticket/123 and ?id=123 formats)
-function getTicketIdFromUrl() {
-    // Try new URL format first: /ticket/123456789
-    const pathMatch = window.location.pathname.match(/\/ticket\/(\d+)/);
-    if (pathMatch) {
-        return pathMatch[1];
-    }
-    // Fall back to query param: ?id=123456789
-    const params = new URLSearchParams(window.location.search);
-    return params.get('id');
-}
-
 /**
  * Toggle visibility groups field based on visibility selection
  */