- Removed ALTER TABLE DDL statements from Admin/auth/register.php (belongs in migration scripts)
- Added validated CORS with configurable allowed origins via CORS_ALLOWED_ORIGINS env var
- Removed assignment in load_env.php (secrets no longer exposed in superglobal)
- Changed OTP storage in Admin/auth/login.php from plaintext to sha256 hash
- Updated Admin/auth/verify_login.php to hash user input before comparison
- Replaced hardcoded /home/siro-api/ paths with environment variables:
- ERROR_LOG_PATH, ENV_FILE_PATH, SECRET_KEY_PAY_PATH, SECRET_KEY_PATH
- Falls back to __DIR__-relative paths when env vars are unset
- Replaced all client-facing $e->getMessage() with generic error messages
- Added error_log() with filename prefix to all catch blocks
- Covered jsonError(), echo, and json_encode() response patterns
- Also fixed 2 remaining display_errors=1 and add_invoice.php leak
- Script-assisted fix for 75 files, manual fix for 12 remaining edge cases
