Fix #20: DDL removal from register.php, CORS policy, secret leak

- Removed ALTER TABLE DDL statements from Admin/auth/register.php (belongs in migration scripts)
- Added validated CORS with configurable allowed origins via CORS_ALLOWED_ORIGINS env var
- Removed  assignment in load_env.php (secrets no longer exposed in superglobal)

backend/Admin/auth/register.php

@@ -53,12 +53,6 @@ try {
     $encPhone = $encPhoneInput;
     $encFp    = $encryptionHelper->encryptData($fingerprint);
 
-    // التأكد من وجود عمود phone و status في الجدول
-    try {
-        $con->exec("ALTER TABLE adminUser ADD COLUMN phone VARCHAR(255) NULL AFTER name");
-        $con->exec("ALTER TABLE adminUser ADD COLUMN status VARCHAR(50) DEFAULT 'pending' AFTER role");
-    } catch (Exception $e) { /* الأعمدة موجودة مسبقاً */ }
-
     // 4. الإدخال في قاعدة البيانات بحالة pending
     $sql = "INSERT INTO adminUser (id, fingerprint, fingerprint_hash, name, phone, password, role, status, created_at) 
             VALUES (:id, :fp, :fp_hash, :name, :phone, :pass, 'admin', 'pending', NOW())";