Integrate web_template design system and fix security/quality issues

Security fixes:
- Add HTTP method validation to delete_comment.php (block CSRF via GET)
- Remove $_GET fallback in comment deletion (was CSRF bypass vector)
- Guard session_start() with session_status() check across API files
- Escape json_encode() data attributes with htmlspecialchars in views
- Escape inline APP_TIMEZONE config values in DashboardView/TicketView
- Validate timezone param against DateTimeZone::listIdentifiers() in index.php
- Remove Database::escape() (was using real_escape_string, not safe)
- Fix AttachmentModel hardcoded connection; inject via constructor

Backend fixes:
- Fix CommentModel bind_param type for ticket_id (s→i)
- Fix buildCommentThread orphan parent guard
- Fix StatsModel JOIN→LEFT JOIN so unassigned tickets aren't excluded
- Add ticket ID validation in BulkOperationsModel before implode()
- Add duplicate key retry in TicketModel::createTicket() for race conditions
- Wrap SavedFiltersModel default filter changes in transactions
- Add null result guards in WorkflowModel query methods

Frontend JS:
- Rewrite toast.js as lt.toast shim (base.js dependency)
- Delegate escapeHtml() to lt.escHtml()
- Rewrite keyboard-shortcuts.js using lt.keys.on()
- Migrate settings.js to lt.api.* and lt.modal.open/close()
- Migrate advanced-search.js to lt.api.* and lt.modal.open/close()
- Migrate dashboard.js fetch calls to lt.api.*; update all dynamic
  modals (bulk ops, quick actions, confirm/input) to lt-modal structure
- Migrate ticket.js fetchMentionUsers to lt.api.get()
- Remove console.log/error/warn calls from JS files

Views:
- Add /web_template/base.css and base.js to all 10 view files
- Call lt.keys.initDefaults() in DashboardView, TicketView, admin views
- Migrate all modal HTML from settings-modal/settings-content to
  lt-modal-overlay/lt-modal/lt-modal-header/lt-modal-body/lt-modal-footer
- Replace style="display:none" with aria-hidden="true" on all modals
- Replace modal open/close style.display with lt.modal.open/close()
- Update modal buttons to lt-btn lt-btn-primary/lt-btn-ghost classes
- Remove manual ESC keydown handlers (replaced by lt.keys.initDefaults)
- Fix unescaped timezone values in TicketView inline script

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

assets/js/advanced-search.js

@@ -7,8 +7,7 @@
 function openAdvancedSearch() {
     const modal = document.getElementById('advancedSearchModal');
     if (modal) {
-        modal.style.display = 'flex';
-        document.body.classList.add('modal-open');
+        lt.modal.open('advancedSearchModal');
         loadUsersForSearch();
         populateCurrentFilters();
         loadSavedFilters();
@@ -17,11 +16,7 @@ function openAdvancedSearch() {
 
 // Close advanced search modal
 function closeAdvancedSearch() {
-    const modal = document.getElementById('advancedSearchModal');
-    if (modal) {
-        modal.style.display = 'none';
-        document.body.classList.remove('modal-open');
-    }
+    lt.modal.close('advancedSearchModal');
 }
 
 // Close modal when clicking on backdrop
@@ -35,10 +30,7 @@ function closeOnAdvancedSearchBackdropClick(event) {
 // Load users for dropdown
 async function loadUsersForSearch() {
     try {
-        const response = await fetch('/api/get_users.php', {
-            credentials: 'same-origin'
-        });
-        const data = await response.json();
+        const data = await lt.api.get('/api/get_users.php');
 
         if (data.success && data.users) {
             const createdBySelect = document.getElementById('adv-created-by');
@@ -68,7 +60,7 @@ async function loadUsersForSearch() {
             });
         }
     } catch (error) {
-        console.error('Error loading users:', error);
+        lt.toast.error('Error loading users');
     }
 }
 
@@ -163,30 +155,14 @@ async function saveCurrentFilter() {
             const filterCriteria = getCurrentFilterCriteria();
 
             try {
-                const response = await fetch('/api/saved_filters.php', {
-                    method: 'POST',
-                    credentials: 'same-origin',
-                    headers: {
-                        'Content-Type': 'application/json',
-                        'X-CSRF-Token': window.CSRF_TOKEN
-                    },
-                    body: JSON.stringify({
-                        filter_name: filterName.trim(),
-                        filter_criteria: filterCriteria
-                    })
+                await lt.api.post('/api/saved_filters.php', {
+                    filter_name: filterName.trim(),
+                    filter_criteria: filterCriteria
                 });
-
-                const result = await response.json();
-
-                if (result.success) {
-                    toast.success(`Filter "${filterName}" saved successfully!`, 3000);
-                    loadSavedFilters();
-                } else {
-                    toast.error('Failed to save filter: ' + (result.error || 'Unknown error'), 4000);
-                }
+                lt.toast.success(`Filter "${filterName}" saved successfully!`, 3000);
+                loadSavedFilters();
             } catch (error) {
-                console.error('Error saving filter:', error);
-                toast.error('Error saving filter', 4000);
+                lt.toast.error('Error saving filter: ' + (error.message || 'Unknown error'), 4000);
             }
         }
     );
@@ -233,16 +209,12 @@ function getCurrentFilterCriteria() {
 // Load saved filters
 async function loadSavedFilters() {
     try {
-        const response = await fetch('/api/saved_filters.php', {
-            credentials: 'same-origin'
-        });
-        const data = await response.json();
-
+        const data = await lt.api.get('/api/saved_filters.php');
         if (data.success && data.filters) {
             populateSavedFiltersDropdown(data.filters);
         }
     } catch (error) {
-        console.error('Error loading saved filters:', error);
+        lt.toast.error('Error loading saved filters');
     }
 }
 
@@ -277,7 +249,7 @@ function loadSavedFilter() {
         const criteria = JSON.parse(selectedOption.dataset.criteria);
         applySavedFilterCriteria(criteria);
     } catch (error) {
-        console.error('Error loading filter:', error);
+        lt.toast.error('Error loading filter');
     }
 }
 
@@ -314,9 +286,7 @@ async function deleteSavedFilter() {
     const selectedOption = dropdown.options[dropdown.selectedIndex];
 
     if (!selectedOption || selectedOption.value === '') {
-        if (typeof toast !== 'undefined') {
-            toast.error('Please select a filter to delete');
-        }
+        lt.toast.error('Please select a filter to delete');
         return;
     }
 
@@ -329,45 +299,21 @@ async function deleteSavedFilter() {
         'error',
         async () => {
             try {
-                const response = await fetch('/api/saved_filters.php', {
-                    method: 'DELETE',
-                    credentials: 'same-origin',
-                    headers: {
-                        'Content-Type': 'application/json',
-                        'X-CSRF-Token': window.CSRF_TOKEN
-                    },
-                    body: JSON.stringify({ filter_id: filterId })
-                });
-
-                const result = await response.json();
-
-                if (result.success) {
-                    toast.success('Filter deleted successfully', 3000);
-                    loadSavedFilters();
-                    resetAdvancedSearch();
-                } else {
-                    toast.error('Failed to delete filter', 4000);
-                }
+                await lt.api.delete('/api/saved_filters.php', { filter_id: filterId });
+                lt.toast.success('Filter deleted successfully', 3000);
+                loadSavedFilters();
+                resetAdvancedSearch();
             } catch (error) {
-                console.error('Error deleting filter:', error);
-                toast.error('Error deleting filter', 4000);
+                lt.toast.error('Error deleting filter', 4000);
             }
         }
     );
 }
 
-// Keyboard shortcut (Ctrl+Shift+F)
+// Keyboard shortcut (Ctrl+Shift+F) — ESC is handled globally by lt.keys.initDefaults()
 document.addEventListener('keydown', (e) => {
     if (e.ctrlKey && e.shiftKey && e.key === 'F') {
         e.preventDefault();
         openAdvancedSearch();
     }
-
-    // ESC to close
-    if (e.key === 'Escape') {
-        const modal = document.getElementById('advancedSearchModal');
-        if (modal && modal.style.display === 'flex') {
-            closeAdvancedSearch();
-        }
-    }
 });