Fix security vulnerabilities, remove dead code, and improve code quality
- Fix path traversal with realpath() validation in getPage() and executePhpFile()
- Remove insecure JWT secret fallback, require JWT_SECRET env var
- Fix IP spoofing by only trusting proxy headers from configured proxies
- Add Secure/HttpOnly/SameSite flags to all cookies
- Use env var for debug mode instead of hardcoded true
- Fix operator precedence bug in MQTTTracker track_user_flows check
- Remove dead code: duplicate is_dir() block, unused scanForPageNames()
- Remove htmlspecialchars() from filesystem path operations
- Remove duplicate require_once calls and redundant autoloader includes
- Fix unclosed </div> in getDirectoryListing()
- Escape breadcrumb titles and add lang param to search result URLs
- Make language prefixes dynamic from config instead of hardcoded nl|en
- Make HTML lang attribute dynamic, add go_to translation key
- Add aria-label/aria-expanded to sidebar toggle for accessibility
- Fix event listener leak in app.js using event delegation
- Remove console.log from production code
- Update guides (NL/EN) with sidebar toggle documentation
- Add TODO.md documenting all identified improvements
@@ -3,12 +3,12 @@
|
||||
return [
|
||||
'name' => 'CodePress Admin Console',
|
||||
'version' => '1.0.0',
|
||||
'debug' => true,
|
||||
'debug' => $_ENV['APP_DEBUG'] ?? false,
|
||||
'timezone' => 'Europe/Amsterdam',
|
||||
|
||||
// Security
|
||||
'security' => [
|
||||
'jwt_secret' => $_ENV['JWT_SECRET'] ?? 'your-secret-key-change-in-production',
|
||||
'jwt_secret' => $_ENV['JWT_SECRET'] ?? throw new \RuntimeException('JWT_SECRET environment variable must be set'),
|
||||
'jwt_expiration' => 3600, // 1 hour
|
||||
'session_timeout' => 1800, // 30 minutes
|
||||
'max_login_attempts' => 5,
|
||||
|
||||
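Review bot: The new `'debug' => $_ENV['APP_DEBUG'] ?? false` line does not actually turn debug off when the variable is set to a false-like value, because environment values arrive as strings and any non-empty string such as `"false"` or `"0"` ... well, `"0"` is falsy but `"false"` and `"off"` are truthy in PHP, so `APP_DEBUG=false` in a production environment still enables debug mode. Coerce the value explicitly, e.g. `'debug' => filter_var($_ENV['APP_DEBUG'] ?? false, FILTER_VALIDATE_BOOLEAN),` so only `"1"`, `"true"`, `"on"` and `"yes"` enable it. The same string semantics affect the `jwt_secret` line: `??` only catches an unset variable, so `JWT_SECRET=""` passes the check and yields an empty signing key; consider rejecting empty or very short values as well. Note also that `?? throw` requires PHP 8.0 or later and that `$_ENV` is only populated when `variables_order` includes `E`, so `getenv()` may be the more portable lookup; either way, document the minimum PHP version and the required `JWT_SECRET`/`APP_DEBUG` variables in the README or deployment notes.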