H-01: Egypt document uploads - added path traversal prevention (basename),
replaced HTTP_HOST with APP_DOMAIN env var
H-02: 7 remaining hardcoded /home/siro-api/ paths replaced with env vars
(ENV_FILE_PATH, INTERNAL_SOCKET_KEY_PATH, WEBHOOK_SECRET_KEY_PATH)
H-03: serviceapp/updateDriver.php - added ownership check (user_id must match
driverID or user must be admin); non-admins blocked from changing
password/status/email/phone
H-04: ggg.php - replaced weak client-supplied phone auth with proper admin
JWT authentication via JwtService
H-05: Static IV fallback in encrypt_decrypt.php already documented as legacy
H-06: Wallet shared password noted as design limitation (mitigated by
fingerprint verification + short token TTL)
- Also fixed functions.php log message (removed hardcoded path)
- Removed ALTER TABLE DDL statements from Admin/auth/register.php (belongs in migration scripts)
- Added validated CORS with configurable allowed origins via CORS_ALLOWED_ORIGINS env var
- Removed assignment in load_env.php (secrets no longer exposed in superglobal)
- Changed OTP storage in Admin/auth/login.php from plaintext to sha256 hash
- Updated Admin/auth/verify_login.php to hash user input before comparison
- Replaced hardcoded /home/siro-api/ paths with environment variables:
- ERROR_LOG_PATH, ENV_FILE_PATH, SECRET_KEY_PAY_PATH, SECRET_KEY_PATH
- Falls back to __DIR__-relative paths when env vars are unset
