Implement comprehensive improvement plan (Phases 1-6)

Security (Phase 1-2):
- Add SecurityHeadersMiddleware with CSP, X-Frame-Options, etc.
- Add RateLimitMiddleware for API rate limiting
- Add security event logging to AuditLogModel
- Add ResponseHelper for standardized API responses
- Update config.php with security constants

Database (Phase 3):
- Add migration 014 for additional indexes
- Add migration 015 for ticket dependencies
- Add migration 016 for ticket attachments
- Add migration 017 for recurring tickets
- Add migration 018 for custom fields

Features (Phase 4-5):
- Add ticket dependencies with DependencyModel and API
- Add duplicate detection with check_duplicates API
- Add file attachments with AttachmentModel and upload/download APIs
- Add @mentions with autocomplete and highlighting
- Add quick actions on dashboard rows

Collaboration (Phase 5):
- Add mention extraction in CommentModel
- Add mention autocomplete dropdown in ticket.js
- Add mention highlighting CSS styles

Admin & Export (Phase 6):
- Add StatsModel for dashboard widgets
- Add dashboard stats cards (open, critical, unassigned, etc.)
- Add CSV/JSON export via export_tickets API
- Add rich text editor toolbar in markdown.js
- Add RecurringTicketModel with cron job
- Add CustomFieldModel for per-category fields
- Add admin views: RecurringTickets, CustomFields, Workflow,
  Templates, AuditLog, UserActivity
- Add admin APIs: manage_workflows, manage_templates,
  manage_recurring, custom_fields, get_users
- Add admin routes in index.php

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

api/manage_recurring.php

@@ -0,0 +1,169 @@
+<?php
+/**
+ * Recurring Tickets Management API
+ * CRUD operations for recurring_tickets table
+ */
+
+ini_set('display_errors', 0);
+error_reporting(E_ALL);
+
+require_once dirname(__DIR__) . '/middleware/RateLimitMiddleware.php';
+RateLimitMiddleware::apply('api');
+
+try {
+    require_once dirname(__DIR__) . '/config/config.php';
+    require_once dirname(__DIR__) . '/models/RecurringTicketModel.php';
+
+    // Check authentication
+    session_start();
+    if (!isset($_SESSION['user']) || !isset($_SESSION['user']['user_id'])) {
+        http_response_code(401);
+        echo json_encode(['success' => false, 'error' => 'Authentication required']);
+        exit;
+    }
+
+    // Check admin privileges
+    if (!$_SESSION['user']['is_admin']) {
+        http_response_code(403);
+        echo json_encode(['success' => false, 'error' => 'Admin privileges required']);
+        exit;
+    }
+
+    $currentUserId = $_SESSION['user']['user_id'];
+
+    // CSRF Protection for write operations
+    if ($_SERVER['REQUEST_METHOD'] !== 'GET') {
+        require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';
+        $csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
+        if (!CsrfMiddleware::validateToken($csrfToken)) {
+            http_response_code(403);
+            echo json_encode(['success' => false, 'error' => 'Invalid CSRF token']);
+            exit;
+        }
+    }
+
+    $conn = new mysqli(
+        $GLOBALS['config']['DB_HOST'],
+        $GLOBALS['config']['DB_USER'],
+        $GLOBALS['config']['DB_PASS'],
+        $GLOBALS['config']['DB_NAME']
+    );
+
+    if ($conn->connect_error) {
+        throw new Exception("Database connection failed");
+    }
+
+    header('Content-Type: application/json');
+
+    $model = new RecurringTicketModel($conn);
+    $method = $_SERVER['REQUEST_METHOD'];
+    $id = isset($_GET['id']) ? (int)$_GET['id'] : null;
+    $action = isset($_GET['action']) ? $_GET['action'] : null;
+
+    switch ($method) {
+        case 'GET':
+            if ($id) {
+                $recurring = $model->getById($id);
+                echo json_encode(['success' => (bool)$recurring, 'recurring' => $recurring]);
+            } else {
+                $all = $model->getAll(true);
+                echo json_encode(['success' => true, 'recurring_tickets' => $all]);
+            }
+            break;
+
+        case 'POST':
+            if ($action === 'toggle' && $id) {
+                $result = $model->toggleActive($id);
+                echo json_encode($result);
+            } else {
+                $data = json_decode(file_get_contents('php://input'), true);
+
+                // Calculate next run time
+                $nextRun = calculateNextRun(
+                    $data['schedule_type'],
+                    $data['schedule_day'] ?? null,
+                    $data['schedule_time'] ?? '09:00'
+                );
+
+                $data['next_run_at'] = $nextRun;
+                $data['is_active'] = isset($data['is_active']) ? (int)$data['is_active'] : 1;
+                $data['created_by'] = $currentUserId;
+
+                $result = $model->create($data);
+                echo json_encode($result);
+            }
+            break;
+
+        case 'PUT':
+            if (!$id) {
+                echo json_encode(['success' => false, 'error' => 'ID required']);
+                exit;
+            }
+
+            $data = json_decode(file_get_contents('php://input'), true);
+
+            // Recalculate next run time if schedule changed
+            $nextRun = calculateNextRun(
+                $data['schedule_type'],
+                $data['schedule_day'] ?? null,
+                $data['schedule_time'] ?? '09:00'
+            );
+            $data['next_run_at'] = $nextRun;
+            $data['is_active'] = isset($data['is_active']) ? (int)$data['is_active'] : 1;
+
+            $result = $model->update($id, $data);
+            echo json_encode($result);
+            break;
+
+        case 'DELETE':
+            if (!$id) {
+                echo json_encode(['success' => false, 'error' => 'ID required']);
+                exit;
+            }
+
+            $result = $model->delete($id);
+            echo json_encode($result);
+            break;
+
+        default:
+            http_response_code(405);
+            echo json_encode(['success' => false, 'error' => 'Method not allowed']);
+    }
+
+    $conn->close();
+
+} catch (Exception $e) {
+    http_response_code(500);
+    echo json_encode(['success' => false, 'error' => $e->getMessage()]);
+}
+
+function calculateNextRun($scheduleType, $scheduleDay, $scheduleTime) {
+    $now = new DateTime();
+    $time = $scheduleTime ?: '09:00';
+
+    switch ($scheduleType) {
+        case 'daily':
+            $next = new DateTime('tomorrow ' . $time);
+            break;
+
+        case 'weekly':
+            $days = ['', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday', 'Sunday'];
+            $dayName = $days[$scheduleDay] ?? 'Monday';
+            $next = new DateTime("next {$dayName} " . $time);
+            break;
+
+        case 'monthly':
+            $day = max(1, min(28, (int)$scheduleDay));
+            $next = new DateTime();
+            $next->modify('first day of next month');
+            $next->setDate($next->format('Y'), $next->format('m'), $day);
+            list($h, $m) = explode(':', $time);
+            $next->setTime((int)$h, (int)$m, 0);
+            break;
+
+        default:
+            $next = new DateTime('tomorrow ' . $time);
+    }
+
+    return $next->format('Y-m-d H:i:s');
+}