Security/correctness: visibility filtering, Content-Type headers, group validation

- TicketModel::getAllTickets() now accepts optional $user param and applies
  getVisibilityFilter() so non-admin users cannot see internal/confidential
  tickets they lack access to from the dashboard listing
- DashboardController passes $GLOBALS['currentUser'] to getAllTickets()
- clone_ticket.php: move Content-Type header to top so all error paths send
  correct JSON content type
- AuthMiddleware: filter group names from HTTP header to [a-z0-9_-] only,
  preventing header injection via malformed group names
- add_comment.php: return HTTP 201 on success, 500 in catch block
- update_comment.php, delete_comment.php: return 500 in catch blocks

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

api/add_comment.php

@@ -138,9 +138,12 @@ try {
     ob_end_clean();
 
     // Return JSON response
+    if ($result['success']) {
+        http_response_code(201);
+    }
     header('Content-Type: application/json');
     echo json_encode($result);
-    
+
 } catch (Exception $e) {
     // Discard any unexpected output
     ob_end_clean();
@@ -149,6 +152,7 @@ try {
     error_log("Add comment API error: " . $e->getMessage());
 
     // Return error response
+    http_response_code(500);
     header('Content-Type: application/json');
     echo json_encode([
         'success' => false,