fix: operator precedence bugs and PSR-7 getHeader usage

[binaryfire]

Note: These bugs were found by PHPStan at level 5

FilesystemManager: Fix operator precedence in read-only check

• ?? false === true was parsed as ?? (false === true)
• Now correctly checks ($config['read-only'] ?? false) === true

StartSession: Fix operator precedence in AJAX detection

• ! header(...) === 'X' was parsed as (! header(...)) === 'X'
• Boolean === string is always false, so storeCurrentUrl never worked
• Now correctly checks header(...) !== 'XMLHttpRequest'

TestResponseAssert: Fix PSR-7 getHeader returns array not string

• getHeader() returns string[], not string
• Array === string is always false, so JSON error injection never worked
• Now correctly uses getHeader(...)[0] ?? '' with str_contains