Security hardening and performance improvements

- Add visibility check to attachment downloads (prevents unauthorized access)
- Fix ticket ID collision with uniqueness verification loop
- Harden CSP: replace unsafe-inline with nonce-based script execution
- Add IP-based rate limiting (supplements session-based)
- Add visibility checks to bulk operations
- Validate internal visibility requires groups
- Optimize user activity query (JOINs vs subqueries)
- Update documentation with design decisions and security info

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

api/update_ticket.php

@@ -151,6 +151,15 @@ try {
                 if (is_array($visibilityGroups)) {
                     $visibilityGroups = implode(',', array_map('trim', $visibilityGroups));
                 }
+
+                // Validate internal visibility requires groups
+                if ($data['visibility'] === 'internal' && (empty($visibilityGroups) || trim($visibilityGroups) === '')) {
+                    return [
+                        'success' => false,
+                        'error' => 'Internal visibility requires at least one group to be specified'
+                    ];
+                }
+
                 $this->ticketModel->updateVisibility($id, $data['visibility'], $visibilityGroups, $this->userId);
             }