Integrate web_template design system and fix security/quality issues

Security fixes:
- Add HTTP method validation to delete_comment.php (block CSRF via GET)
- Remove $_GET fallback in comment deletion (was CSRF bypass vector)
- Guard session_start() with session_status() check across API files
- Escape json_encode() data attributes with htmlspecialchars in views
- Escape inline APP_TIMEZONE config values in DashboardView/TicketView
- Validate timezone param against DateTimeZone::listIdentifiers() in index.php
- Remove Database::escape() (was using real_escape_string, not safe)
- Fix AttachmentModel hardcoded connection; inject via constructor

Backend fixes:
- Fix CommentModel bind_param type for ticket_id (s→i)
- Fix buildCommentThread orphan parent guard
- Fix StatsModel JOIN→LEFT JOIN so unassigned tickets aren't excluded
- Add ticket ID validation in BulkOperationsModel before implode()
- Add duplicate key retry in TicketModel::createTicket() for race conditions
- Wrap SavedFiltersModel default filter changes in transactions
- Add null result guards in WorkflowModel query methods

Frontend JS:
- Rewrite toast.js as lt.toast shim (base.js dependency)
- Delegate escapeHtml() to lt.escHtml()
- Rewrite keyboard-shortcuts.js using lt.keys.on()
- Migrate settings.js to lt.api.* and lt.modal.open/close()
- Migrate advanced-search.js to lt.api.* and lt.modal.open/close()
- Migrate dashboard.js fetch calls to lt.api.*; update all dynamic
  modals (bulk ops, quick actions, confirm/input) to lt-modal structure
- Migrate ticket.js fetchMentionUsers to lt.api.get()
- Remove console.log/error/warn calls from JS files

Views:
- Add /web_template/base.css and base.js to all 10 view files
- Call lt.keys.initDefaults() in DashboardView, TicketView, admin views
- Migrate all modal HTML from settings-modal/settings-content to
  lt-modal-overlay/lt-modal/lt-modal-header/lt-modal-body/lt-modal-footer
- Replace style="display:none" with aria-hidden="true" on all modals
- Replace modal open/close style.display with lt.modal.open/close()
- Update modal buttons to lt-btn lt-btn-primary/lt-btn-ghost classes
- Remove manual ESC keydown handlers (replaced by lt.keys.initDefaults)
- Fix unescaped timezone values in TicketView inline script

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

assets/js/toast.js

@@ -1,94 +1,22 @@
 /**
- * Terminal-style toast notification system with queuing
+ * Deprecated: use lt.toast.* directly (from web_template/base.js).
+ * This shim maintains backwards compatibility while callers are migrated.
  */
 
-// Toast queue management
-let toastQueue = [];
-let currentToast = null;
-
-function showToast(message, type = 'info', duration = 3000) {
-    // Queue if a toast is already showing
-    if (currentToast) {
-        toastQueue.push({ message, type, duration });
-        return;
+// showToast() shim — used by inline view scripts
+function showToast(message, type = 'info', duration = 3500) {
+    switch (type) {
+        case 'success': lt.toast.success(message, duration); break;
+        case 'error':   lt.toast.error(message, duration);   break;
+        case 'warning': lt.toast.warning(message, duration); break;
+        default:        lt.toast.info(message, duration);    break;
     }
-
-    displayToast(message, type, duration);
 }
 
-function displayToast(message, type, duration) {
-    // Create toast element
-    const toast = document.createElement('div');
-    toast.className = `terminal-toast toast-${type}`;
-    currentToast = toast;
-
-    // Icon based on type
-    const icons = {
-        success: '✓',
-        error: '✗',
-        info: 'ℹ',
-        warning: '⚠'
-    };
-
-    const iconSpan = document.createElement('span');
-    iconSpan.className = 'toast-icon';
-    iconSpan.textContent = `[${icons[type] || 'ℹ'}]`;
-
-    const msgSpan = document.createElement('span');
-    msgSpan.className = 'toast-message';
-    msgSpan.textContent = message;
-
-    const closeSpan = document.createElement('span');
-    closeSpan.className = 'toast-close';
-    closeSpan.style.cssText = 'margin-left: auto; cursor: pointer; opacity: 0.7; padding-left: 1rem;';
-    closeSpan.textContent = '[×]';
-
-    toast.appendChild(iconSpan);
-    toast.appendChild(msgSpan);
-    toast.appendChild(closeSpan);
-
-    // Add to document
-    document.body.appendChild(toast);
-
-    // Trigger animation
-    setTimeout(() => toast.classList.add('show'), 10);
-
-    // Manual dismiss handler
-    const closeBtn = toast.querySelector('.toast-close');
-    closeBtn.addEventListener('click', () => dismissToast(toast));
-
-    // Auto-remove after duration
-    const timeoutId = setTimeout(() => {
-        dismissToast(toast);
-    }, duration);
-
-    // Store timeout ID for manual dismiss
-    toast.timeoutId = timeoutId;
-}
-
-function dismissToast(toast) {
-    // Clear auto-dismiss timeout
-    if (toast.timeoutId) {
-        clearTimeout(toast.timeoutId);
-    }
-
-    toast.classList.remove('show');
-    setTimeout(() => {
-        toast.remove();
-        currentToast = null;
-
-        // Show next toast in queue
-        if (toastQueue.length > 0) {
-            const next = toastQueue.shift();
-            displayToast(next.message, next.type, next.duration);
-        }
-    }, 300);
-}
-
-// Convenience functions
+// window.toast.* shim — used by JS files
 window.toast = {
-    success: (msg, duration) => showToast(msg, 'success', duration),
-    error: (msg, duration) => showToast(msg, 'error', duration),
-    info: (msg, duration) => showToast(msg, 'info', duration),
-    warning: (msg, duration) => showToast(msg, 'warning', duration)
+    success: (msg, dur) => lt.toast.success(msg, dur),
+    error:   (msg, dur) => lt.toast.error(msg, dur),
+    warning: (msg, dur) => lt.toast.warning(msg, dur),
+    info:    (msg, dur) => lt.toast.info(msg, dur),
 };