Fix bracket buttons rendering below text + UI/security improvements

CSS fixes:
- Fix [ ] brackets appearing below button text by replacing display:inline-flex
  with display:inline-block + white-space:nowrap on .btn — removes cross-browser
  flex pseudo-element inconsistency as root cause
- Remove conflicting .btn::before ripple block (position:absolute was overriding
  bracket content positioning)
- Remove overflow:hidden from .btn which was clipping bracket content
- Fix body::after duplicate rule causing GPU layer blink (second position:fixed
  rule re-created compositor layer, overriding display:none suppression)
- Replace all transition:all with scoped property transitions in dashboard.css,
  ticket.css, base.css (prevents full CSS property evaluation on every hover)
- Convert pulse-warning/pulse-critical keyframes from box-shadow to opacity
  animation (GPU-composited, eliminates CPU repaints at 60fps)
- Fix mobile *::before/*::after blanket content:none rule — now targets only
  decorative frame glyphs, preserving button brackets and status indicators
- Remove --terminal-green-dim override that broke .lt-btn hover backgrounds

JS fixes:
- Fix all lt.lt.toast.* double-prefix instances in dashboard.js
- Add null guard before .appendChild() on bulkAssignUser select
- Replace all remaining emoji with terminal bracket notation (dashboard.js,
  ticket.js, markdown.js)
- Migrate all toast.*() shim calls to lt.toast.* across all JS files

View fixes:
- Remove hardcoded [ ] brackets from .btn buttons (CSS now adds them)
- Replace all emoji with terminal bracket notation in all views and admin views
- Add missing CSP nonces to AuditLogView.php and UserActivityView.php script tags
- Bump CSS version strings to ?v=20260319b for cache busting

Security fixes:
- update_ticket.php: add authorization check (non-admins can only edit their own
  or assigned tickets)
- add_comment.php: validate and cast ticket_id to integer with 400 response
- clone_ticket.php: fix unconditional session_start(), add ticket ID validation,
  add internal ticket access check
- bulk_operation.php: add HTTP 401/403 status codes on auth failures
- upload_attachment.php: fix missing $conn arg in AttachmentModel constructor
- assign_ticket.php: add ticket existence check and permission verification

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

api/add_comment.php

@@ -62,7 +62,14 @@ try {
         throw new Exception("Invalid JSON data received");
     }
 
-    $ticketId = $data['ticket_id'];
+    $ticketId = isset($data['ticket_id']) ? (int)$data['ticket_id'] : 0;
+    if ($ticketId <= 0) {
+        http_response_code(400);
+        ob_end_clean();
+        header('Content-Type: application/json');
+        echo json_encode(['success' => false, 'error' => 'Invalid ticket ID']);
+        exit;
+    }
 
     // Initialize models
     $commentModel = new CommentModel($conn);

api/assign_ticket.php

@@ -6,10 +6,17 @@ require_once dirname(__DIR__) . '/models/UserModel.php';
 
 // Get request data
 $data = json_decode(file_get_contents('php://input'), true);
-$ticketId = $data['ticket_id'] ?? null;
+if (!is_array($data)) {
+    http_response_code(400);
+    echo json_encode(['success' => false, 'error' => 'Invalid JSON body']);
+    exit;
+}
+
+$ticketId = isset($data['ticket_id']) ? (int)$data['ticket_id'] : null;
 $assignedTo = $data['assigned_to'] ?? null;
 
 if (!$ticketId) {
+    http_response_code(400);
     echo json_encode(['success' => false, 'error' => 'Ticket ID required']);
     exit;
 }
@@ -18,6 +25,21 @@ $ticketModel = new TicketModel($conn);
 $auditLogModel = new AuditLogModel($conn);
 $userModel = new UserModel($conn);
 
+// Verify ticket exists
+$ticket = $ticketModel->getTicketById($ticketId);
+if (!$ticket) {
+    http_response_code(404);
+    echo json_encode(['success' => false, 'error' => 'Ticket not found']);
+    exit;
+}
+
+// Authorization: only admins or the ticket creator/assignee can reassign
+if (!$isAdmin && $ticket['created_by'] !== $userId && $ticket['assigned_to'] !== $userId) {
+    http_response_code(403);
+    echo json_encode(['success' => false, 'error' => 'Permission denied']);
+    exit;
+}
+
 if ($assignedTo === null || $assignedTo === '') {
     // Unassign ticket
     $success = $ticketModel->unassignTicket($ticketId, $userId);
@@ -40,4 +62,9 @@ if ($assignedTo === null || $assignedTo === '') {
     }
 }
 
-echo json_encode(['success' => $success]);
+if (!$success) {
+    http_response_code(500);
+    echo json_encode(['success' => false, 'error' => 'Failed to update ticket assignment']);
+} else {
+    echo json_encode(['success' => true]);
+}

api/bulk_operation.php

@@ -14,6 +14,7 @@ header('Content-Type: application/json');
 
 // Check authentication
 if (!isset($_SESSION['user']) || !isset($_SESSION['user']['user_id'])) {
+    http_response_code(401);
     echo json_encode(['success' => false, 'error' => 'Not authenticated']);
     exit;
 }
@@ -32,6 +33,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
 // Check admin status - bulk operations are admin-only
 $isAdmin = $_SESSION['user']['is_admin'] ?? false;
 if (!$isAdmin) {
+    http_response_code(403);
     echo json_encode(['success' => false, 'error' => 'Admin access required']);
     exit;
 }

api/clone_ticket.php

@@ -17,7 +17,9 @@ try {
     require_once dirname(__DIR__) . '/models/AuditLogModel.php';
 
     // Check authentication
-    session_start();
+    if (session_status() === PHP_SESSION_NONE) {
+        session_start();
+    }
     if (!isset($_SESSION['user']) || !isset($_SESSION['user']['user_id'])) {
         http_response_code(401);
         echo json_encode(['success' => false, 'error' => 'Authentication required']);
@@ -50,8 +52,14 @@ try {
         exit;
     }
 
-    $sourceTicketId = $data['ticket_id'];
+    $sourceTicketId = (int)$data['ticket_id'];
+    if ($sourceTicketId <= 0) {
+        http_response_code(400);
+        echo json_encode(['success' => false, 'error' => 'Invalid ticket ID']);
+        exit;
+    }
     $userId = $_SESSION['user']['user_id'];
+    $isAdmin = $_SESSION['user']['is_admin'] ?? false;
 
     // Get database connection
     $conn = Database::getConnection();
@@ -66,6 +74,15 @@ try {
         exit;
     }
 
+    // Authorization: non-admins cannot clone internal tickets unless they created/are assigned
+    if (!$isAdmin && ($sourceTicket['visibility'] ?? 'public') === 'internal') {
+        if ($sourceTicket['created_by'] != $userId && $sourceTicket['assigned_to'] != $userId) {
+            http_response_code(403);
+            echo json_encode(['success' => false, 'error' => 'Permission denied']);
+            exit;
+        }
+    }
+
     // Prepare cloned ticket data
     $clonedTicketData = [
         'title' => '[CLONE] ' . $sourceTicket['title'],

api/update_ticket.php

@@ -79,6 +79,17 @@ try {
                 ];
             }
 
+            // Authorization: admins can edit any ticket; others only their own or assigned
+            if (!$this->isAdmin
+                && $currentTicket['created_by'] != $this->userId
+                && $currentTicket['assigned_to'] != $this->userId
+            ) {
+                return [
+                    'success' => false,
+                    'error' => 'Permission denied'
+                ];
+            }
+
             // Merge current data with updates, keeping existing values for missing fields
             $updateData = [
                 'ticket_id' => $id,

api/upload_attachment.php

@@ -155,7 +155,7 @@ if (empty($originalFilename)) {
 
 // Save to database
 try {
-    $attachmentModel = new AttachmentModel();
+    $attachmentModel = new AttachmentModel($conn);
     $attachmentId = $attachmentModel->addAttachment(
         $ticketId,
         $uniqueFilename,