feat(security): add cacti_dispatch helper for action table authorisation

[somethingwithproof]

Extracts the cacti_dispatch() helper from #7055 (which is being closed due to unrelated scope drift) and ships it as a small, focused change.

What it does

Declarative action dispatcher that every Cacti controller can opt into:

```php
cacti_dispatch(array(
'edit' => array('callback' => 'report_edit', 'method' => 'GET', 'realm' => 21),
'save' => array('callback' => 'report_save', 'method' => 'POST', 'realm' => 21,
'object_acl' => function() { return reports_user_may_mutate(grv('id')); }),
));
```

Guards run in method -> realm -> object-ACL order. Each one logs with a WEBUI category before the helper returns 405 or 403. No existing code is touched by this PR; helpers only.

Why

The repeated `switch (get_request_var('action')) { case 'save': form_save(); ... }` pattern scattered across every controller is where realm checks most often get dropped or duplicated inconsistently. Centralising the guards means new controllers adopt the three checks by construction rather than copy-pasting a switch from a neighbouring file.

Scope

• `lib/cacti_dispatch.php` (121 lines, single function + a fallback `raise_ajax_permission_denied`)
• `tests/Unit/CactiDispatchTest.php` (9 source-scan tests locking in the guard ordering)

No call sites migrated in this PR. Adoption is opt-in and can be done one controller at a time in follow-ups.

[Copilot]

Pull request overview

Adds a reusable, declarative action dispatcher helper to centralize per-action HTTP-method and authorization checks in Cacti controllers, along with unit tests that lock in guard ordering.

Changes:

• Introduces cacti_dispatch() helper to dispatch actions from a declarative action table with method/realm/object-ACL guard sequence.
• Adds a permission-denied fallback helper intended for early-load contexts.
• Adds Pest unit tests that source-scan lib/cacti_dispatch.php to enforce guard ordering and expected denial behaviors.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 8 comments.

File	Description
lib/cacti_dispatch.php	New dispatcher helper implementing guard checks and dispatch to action callbacks.
tests/Unit/CactiDispatchTest.php	New Pest tests that source-scan the dispatcher to pin guard ordering and logging/denial calls.

[somethingwithproof]

Addressed the Copilot review in 7d46ccd:

• String-guard on $action before offset access so ?action[]=x cannot produce a TypeError.
• cacti_strtoupper() + defaulted REQUEST_METHOD so method comparison is locale-independent and CLI tests work.
• Non-callable object_acl now fails closed with an ERROR log and 403 instead of silently skipping the ACL.
• Renamed the fallback denial emitter to cacti_dispatch_deny() so it cannot collide with the unconditionally-loaded raise_ajax_permission_denied() in lib/functions.php.
• cacti_dispatch_deny() now always emits an explicit http_response_code() after the AJAX helper so denied non-AJAX requests do not fall through to a 200 render.
• Non-callable callback now returns 500 with an ERROR log.
• Dropped the redundant docblock and tightened parameter types on cacti_dispatch().
• Tests extended to cover each new branch (non-string action, non-callable ACL denial, 500 for bad callback, status clamp in cacti_dispatch_deny).