Security Hardening: Phase 1-3 complete

- C1: Hash refresh tokens before DB storage (sha256)
- C2: Remove JWT_SECRET fallback, fail hard if missing
- H1: Enforce HTTP methods per route (405 on mismatch)
- H2: CORS with origin whitelist from CORS_ORIGIN env var
- H3: Redact sensitive fields (tokens, passwords) from logs
- M1: Build HmacMiddleware with replay attack prevention
- M2: Fix rate limiter race condition with flock LOCK_EX
- M3: Guard dd() — suppressed in production
- M4: Remove .env from git tracking, strengthen .gitignore
- I1: Add HSTS header (max-age=31536000)

app/helpers/helpers.php

@@ -13,19 +13,25 @@ if (!function_exists('input')) {
     function input(string $key = null, $default = null) {
         static $inputData = null;
         if ($inputData === null) {
-            $json = file_get_contents('php://input');
+            $json      = file_get_contents('php://input');
             $inputData = array_merge($_GET, $_POST, json_decode($json, true) ?? []);
         }
-        
+
         if ($key === null) return $inputData;
         return $inputData[$key] ?? $default;
     }
 }
 
 if (!function_exists('dd')) {
+    // M3 Fix: Guard dd() so it never leaks data in production
     function dd(...$vars) {
+        if (env('APP_DEBUG', 'false') !== 'true') {
+            error_log('dd() called in production — suppressed. Check your code.');
+            json_error('Internal Server Error', 500);
+        }
+        header('Content-Type: text/html; charset=utf-8');
         foreach ($vars as $v) {
-            echo "<pre>";
+            echo "<pre style='background:#1e1e1e;color:#d4d4d4;padding:1rem;border-radius:4px;'>";
             var_dump($v);
             echo "</pre>";
         }