Fix #21: High-severity fixes (H-01 through H-06)

H-01: Egypt document uploads - added path traversal prevention (basename),
       replaced HTTP_HOST with APP_DOMAIN env var
H-02: 7 remaining hardcoded /home/siro-api/ paths replaced with env vars
       (ENV_FILE_PATH, INTERNAL_SOCKET_KEY_PATH, WEBHOOK_SECRET_KEY_PATH)
H-03: serviceapp/updateDriver.php - added ownership check (user_id must match
       driverID or user must be admin); non-admins blocked from changing
       password/status/email/phone
H-04: ggg.php - replaced weak client-supplied phone auth with proper admin
       JWT authentication via JwtService
H-05: Static IV fallback in encrypt_decrypt.php already documented as legacy
H-06: Wallet shared password noted as design limitation (mitigated by
       fingerprint verification + short token TTL)
- Also fixed functions.php log message (removed hardcoded path)

backend/ggg.php

@@ -1,47 +1,24 @@
 <?php
-include 'connect.php';
+require_once __DIR__ . '/core/bootstrap.php';
 
-// نضمن أن الرد دائماً JSON
 header('Content-Type: application/json; charset=utf-8');
 
-// 1) قراءة الـ body كـ JSON (من Flutter)
+// التحقق من صلاحية الأدمن عبر JWT
+$jwtService = new JwtService($redis ?? null);
+$admin = $jwtService->authenticate();
+if ($admin->role !== 'admin' && $admin->role !== 'super_admin') {
+    http_response_code(403);
+    echo json_encode(['status' => 'error', 'message' => 'Unauthorized. Admin access required.']);
+    exit;
+}
+
 $raw  = file_get_contents('php://input');
 $data = json_decode($raw, true);
 
 if (!is_array($data)) {
-    // fallback لو أرسلت form-data أو x-www-form-urlencoded
     $data = $_POST;
 }
 
-// 2) التحقق من رقم هاتف الأدمن المصرّح له
-
-// قراءة الأرقام المسموح لها من الـ ENV
-$phonesRaw = getenv('ADMIN_PHONE_NUMBERS') ?: '';
-$ALLOWED_TOOL_PHONES = array_values(
-    array_filter(
-        array_map(function ($p) {
-            // إزالة أي رموز غير رقمية (مسافات، +، - إلخ)
-            return preg_replace('/\D+/', '', $p);
-        }, explode(',', $phonesRaw))
-    )
-);
-
-// رقم الهاتف القادم من Flutter (parameter جديد)
-$adminPhoneParam = isset($data['admin_phone'])
-    ? preg_replace('/\D+/', '', $data['admin_phone'])
-    : '';
-
-// إذا لم يُرسل رقم أو لم يكن ضمن القائمة → منع الوصول
-if ($adminPhoneParam === '' || !in_array($adminPhoneParam, $ALLOWED_TOOL_PHONES, true)) {
-    http_response_code(403);
-    echo json_encode([
-        'status'  => 'error',
-        'message' => 'Access denied for this admin phone.',
-    ]);
-    exit;
-}
-
-// 3) التحقق من بقية المدخلات (action + text)
 $action = $data['action'] ?? '';
 $text   = trim($data['text'] ?? '');
 
@@ -54,13 +31,10 @@ if ($text === '' || ($action !== 'encrypt' && $action !== 'decrypt')) {
     exit;
 }
 
-// 4) تنفيذ التشفير / الفك
 try {
-   // require_once __DIR__ . '/encrypt_decrypt.php';
-
     if ($action === 'encrypt') {
         $result = $encryptionHelper->encryptData($text);
-    } else { // decrypt
+    } else {
         $result = $encryptionHelper->decryptData($text);
     }
 
@@ -70,9 +44,10 @@ try {
         'result' => (string) $result,
     ]);
 } catch (Exception $e) {
+    error_log("[ggg.php] " . $e->getMessage());
     http_response_code(500);
     echo json_encode([
         'status'  => 'error',
         'message' => 'Operation failed.',
     ]);
-}
+}