Implement bulk_delete operation; validate operation types

- TicketModel: add deleteTicket() that removes all child records
  (comments, watchers, dependencies, attachments, custom fields)
  then deletes the ticket and cleans up physical attachment files
- BulkOperationsModel: add bulk_delete case to processBulkOperation()
  so the "Bulk Delete" UI button actually works instead of silently
  failing with N failures
- bulk_operation.php: validate operation_type against whitelist to
  reject unknown operations early with a proper error

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

api/bulk_operation.php

@@ -44,7 +44,8 @@ $ticketIds = $data['ticket_ids'] ?? [];
 $parameters = $data['parameters'] ?? null;
 
 // Validate input
-if (!$operationType || empty($ticketIds)) {
+$validOperationTypes = ['bulk_close', 'bulk_assign', 'bulk_priority', 'bulk_status', 'bulk_delete'];
+if (!$operationType || !in_array($operationType, $validOperationTypes, true) || empty($ticketIds)) {
     echo json_encode(['success' => false, 'error' => 'Operation type and ticket IDs required']);
     exit;
 }