Integrate web_template design system and fix security/quality issues

Security fixes:
- Add HTTP method validation to delete_comment.php (block CSRF via GET)
- Remove $_GET fallback in comment deletion (was CSRF bypass vector)
- Guard session_start() with session_status() check across API files
- Escape json_encode() data attributes with htmlspecialchars in views
- Escape inline APP_TIMEZONE config values in DashboardView/TicketView
- Validate timezone param against DateTimeZone::listIdentifiers() in index.php
- Remove Database::escape() (was using real_escape_string, not safe)
- Fix AttachmentModel hardcoded connection; inject via constructor

Backend fixes:
- Fix CommentModel bind_param type for ticket_id (s→i)
- Fix buildCommentThread orphan parent guard
- Fix StatsModel JOIN→LEFT JOIN so unassigned tickets aren't excluded
- Add ticket ID validation in BulkOperationsModel before implode()
- Add duplicate key retry in TicketModel::createTicket() for race conditions
- Wrap SavedFiltersModel default filter changes in transactions
- Add null result guards in WorkflowModel query methods

Frontend JS:
- Rewrite toast.js as lt.toast shim (base.js dependency)
- Delegate escapeHtml() to lt.escHtml()
- Rewrite keyboard-shortcuts.js using lt.keys.on()
- Migrate settings.js to lt.api.* and lt.modal.open/close()
- Migrate advanced-search.js to lt.api.* and lt.modal.open/close()
- Migrate dashboard.js fetch calls to lt.api.*; update all dynamic
  modals (bulk ops, quick actions, confirm/input) to lt-modal structure
- Migrate ticket.js fetchMentionUsers to lt.api.get()
- Remove console.log/error/warn calls from JS files

Views:
- Add /web_template/base.css and base.js to all 10 view files
- Call lt.keys.initDefaults() in DashboardView, TicketView, admin views
- Migrate all modal HTML from settings-modal/settings-content to
  lt-modal-overlay/lt-modal/lt-modal-header/lt-modal-body/lt-modal-footer
- Replace style="display:none" with aria-hidden="true" on all modals
- Replace modal open/close style.display with lt.modal.open/close()
- Update modal buttons to lt-btn lt-btn-primary/lt-btn-ghost classes
- Remove manual ESC keydown handlers (replaced by lt.keys.initDefaults)
- Fix unescaped timezone values in TicketView inline script

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

views/admin/CustomFieldsView.php

@@ -12,8 +12,10 @@ $nonce = SecurityHeadersMiddleware::getNonce();
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <title>Custom Fields - Admin</title>
     <link rel="icon" type="image/png" href="<?php echo $GLOBALS['config']['ASSETS_URL']; ?>/images/favicon.png">
+    <link rel="stylesheet" href="/web_template/base.css">
     <link rel="stylesheet" href="<?php echo $GLOBALS['config']['ASSETS_URL']; ?>/css/dashboard.css">
     <link rel="stylesheet" href="<?php echo $GLOBALS['config']['ASSETS_URL']; ?>/css/ticket.css">
+    <script nonce="<?php echo $nonce; ?>" src="/web_template/base.js"></script>
     <script nonce="<?php echo $nonce; ?>">
         window.CSRF_TOKEN = '<?php echo CsrfMiddleware::getToken(); ?>';
     </script>
@@ -92,15 +94,15 @@ $nonce = SecurityHeadersMiddleware::getNonce();
     </div>
 
     <!-- Create/Edit Modal -->
-    <div class="settings-modal" id="fieldModal" style="display: none;" data-action="close-modal-backdrop">
-        <div class="settings-content" style="max-width: 500px;">
-            <div class="settings-header">
-                <h3 id="modalTitle">Create Custom Field</h3>
-                <button class="close-settings" data-action="close-modal">×</button>
+    <div class="lt-modal-overlay" id="fieldModal" aria-hidden="true">
+        <div class="lt-modal" style="max-width: 500px;">
+            <div class="lt-modal-header">
+                <span class="lt-modal-title" id="modalTitle">Create Custom Field</span>
+                <button class="lt-modal-close" data-modal-close>✕</button>
             </div>
             <form id="fieldForm">
                 <input type="hidden" id="field_id" name="field_id">
-                <div class="settings-body">
+                <div class="lt-modal-body">
                     <div class="setting-row">
                         <label for="field_name">Field Name * (internal)</label>
                         <input type="text" id="field_name" name="field_name" required pattern="[a-z_]+" placeholder="e.g., server_name">
@@ -146,9 +148,9 @@ $nonce = SecurityHeadersMiddleware::getNonce();
                         <label><input type="checkbox" id="is_active" name="is_active" checked> Active</label>
                     </div>
                 </div>
-                <div class="settings-footer">
-                    <button type="submit" class="btn btn-primary">Save</button>
-                    <button type="button" class="btn btn-secondary" data-action="close-modal">Cancel</button>
+                <div class="lt-modal-footer">
+                    <button type="submit" class="lt-btn lt-btn-primary">Save</button>
+                    <button type="button" class="lt-btn lt-btn-ghost" data-modal-close>Cancel</button>
                 </div>
             </form>
         </div>
@@ -162,11 +164,11 @@ $nonce = SecurityHeadersMiddleware::getNonce();
             document.getElementById('field_id').value = '';
             document.getElementById('is_active').checked = true;
             toggleOptionsField();
-            document.getElementById('fieldModal').style.display = 'flex';
+            lt.modal.open('fieldModal');
         }
 
         function closeModal() {
-            document.getElementById('fieldModal').style.display = 'none';
+            lt.modal.close('fieldModal');
         }
 
         // Event delegation for data-action handlers
@@ -179,12 +181,6 @@ $nonce = SecurityHeadersMiddleware::getNonce();
                 case 'show-create-modal':
                     showCreateModal();
                     break;
-                case 'close-modal':
-                    closeModal();
-                    break;
-                case 'close-modal-backdrop':
-                    if (event.target === target) closeModal();
-                    break;
                 case 'edit-field':
                     editField(target.dataset.id);
                     break;
@@ -208,12 +204,7 @@ $nonce = SecurityHeadersMiddleware::getNonce();
             saveField(e);
         });
 
-        // Close modal on ESC key
-        document.addEventListener('keydown', (e) => {
-            if (e.key === 'Escape') {
-                closeModal();
-            }
-        });
+        lt.keys.initDefaults();
 
         function toggleOptionsField() {
             const type = document.getElementById('field_type').value;
@@ -255,7 +246,7 @@ $nonce = SecurityHeadersMiddleware::getNonce();
                 if (result.success) {
                     window.location.reload();
                 } else {
-                    toast.error(result.error || 'Failed to save');
+                    lt.toast.error(result.error || 'Failed to save');
                 }
             });
         }
@@ -279,7 +270,7 @@ $nonce = SecurityHeadersMiddleware::getNonce();
                             document.getElementById('field_options').value = f.field_options.options.join('\n');
                         }
                         document.getElementById('modalTitle').textContent = 'Edit Custom Field';
-                        document.getElementById('fieldModal').style.display = 'flex';
+                        lt.modal.open('fieldModal');
                     }
                 });
         }