Return 404 (not 403) for inaccessible tickets in TicketController

Returning 403 Forbidden leaks the existence of tickets to users who
should not know about them. Use 404 Not Found consistently across all
access-controlled endpoints to prevent enumeration.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

controllers/TicketController.php

@@ -42,10 +42,10 @@ class TicketController {
             return;
         }
 
-        // Check visibility access
+        // Check visibility access — return 404 rather than 403 to avoid leaking ticket existence
         if (!$this->ticketModel->canUserAccessTicket($ticket, $currentUser)) {
-            header("HTTP/1.0 403 Forbidden");
-            echo "Access denied: You do not have permission to view this ticket";
+            header("HTTP/1.0 404 Not Found");
+            echo "Ticket not found";
             return;
         }