Security/correctness: visibility filtering, Content-Type headers, group validation

- TicketModel::getAllTickets() now accepts optional $user param and applies
  getVisibilityFilter() so non-admin users cannot see internal/confidential
  tickets they lack access to from the dashboard listing
- DashboardController passes $GLOBALS['currentUser'] to getAllTickets()
- clone_ticket.php: move Content-Type header to top so all error paths send
  correct JSON content type
- AuthMiddleware: filter group names from HTTP header to [a-z0-9_-] only,
  preventing header injection via malformed group names
- add_comment.php: return HTTP 201 on success, 500 in catch block
- update_comment.php, delete_comment.php: return 500 in catch blocks

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

api/clone_ticket.php

@@ -7,6 +7,8 @@
 ini_set('display_errors', 0);
 error_reporting(E_ALL);
 
+header('Content-Type: application/json');
+
 require_once dirname(__DIR__) . '/middleware/RateLimitMiddleware.php';
 RateLimitMiddleware::apply('api');
 
@@ -109,7 +111,6 @@ try {
         $dependencyModel = new DependencyModel($conn);
         $dependencyModel->addDependency($result['ticket_id'], $sourceTicketId, 'relates_to', $userId);
 
-        header('Content-Type: application/json');
         echo json_encode([
             'success' => true,
             'new_ticket_id' => $result['ticket_id'],