Fix #19: Plaintext OTP hashing + hardcoded server paths

- Changed OTP storage in Admin/auth/login.php from plaintext to sha256 hash
- Updated Admin/auth/verify_login.php to hash user input before comparison
- Replaced hardcoded /home/siro-api/ paths with environment variables:
  - ERROR_LOG_PATH, ENV_FILE_PATH, SECRET_KEY_PAY_PATH, SECRET_KEY_PATH
  - Falls back to __DIR__-relative paths when env vars are unset

backend/Admin/auth/login.php

@@ -140,11 +140,12 @@ try {
             $success = sendWhatsAppFromServer($phone, $messageBody);
 
             if ($success) {
-                // حفظ الرمز كما هو في قاعدة البيانات (بدون تشفير)
+                // تخزين هاش للـ OTP بدلاً من النص الصريح
+                $otpHash = hash('sha256', (string)$otp);
                 $stmt = $con->prepare("INSERT INTO token_verification_admin (phone_number, token, expiration_time)
                                        VALUES (?, ?, DATE_ADD(NOW(), INTERVAL 10 MINUTE))
                                        ON DUPLICATE KEY UPDATE token = VALUES(token), expiration_time = VALUES(expiration_time)");
-                $stmt->execute([$encryptedPhone, $otp]);
+                $stmt->execute([$encryptedPhone, $otpHash]);
 
                 // إخفاء جزء من الرقم في الاستجابة للأمان
                 $maskedPhone = substr($phone, 0, 4) . '****' . substr($phone, -3);