feat: core utilities - CSRF, auth, encryption, PHPMailer

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

includes/csrf.php

@@ -0,0 +1,18 @@
+<?php
+function csrfToken(): string {
+    if (session_status() === PHP_SESSION_NONE) session_start();
+    if (empty($_SESSION['csrf_token'])) {
+        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
+    }
+    return $_SESSION['csrf_token'];
+}
+
+function csrfField(): string {
+    return '<input type="hidden" name="csrf_token" value="' . htmlspecialchars(csrfToken()) . '">';
+}
+
+function csrfValidate(): bool {
+    if (session_status() === PHP_SESSION_NONE) session_start();
+    $token = $_POST['csrf_token'] ?? '';
+    return hash_equals($_SESSION['csrf_token'] ?? '', $token);
+}