Harden CSP by removing unsafe-inline for scripts

Refactored all inline event handlers (onclick, onchange, onsubmit) to use
addEventListener with data-action attributes and event delegation pattern.

Changes:
- views/*.php: Replaced inline handlers with data-action attributes
- views/admin/*.php: Same refactoring for all admin views
- assets/js/dashboard.js: Added event delegation for bulk/quick action modals
- assets/js/ticket.js: Added event delegation for dynamic elements
- assets/js/markdown.js: Refactored toolbar button handlers
- assets/js/keyboard-shortcuts.js: Refactored modal close button
- SecurityHeadersMiddleware.php: Enabled strict CSP with nonces

The CSP now uses script-src 'self' 'nonce-{nonce}' instead of 'unsafe-inline',
significantly improving XSS protection.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-30 13:15:55 -05:00
parent 37be81b3e2
commit c3f7593f3c
13 changed files with 564 additions and 158 deletions


@@ -123,11 +123,16 @@ function showKeyboardHelp() {
</table>
</div>
<div class="modal-footer" style="margin-top: 1rem;">
<button class="btn btn-secondary" onclick="this.closest('.modal-overlay').remove()">Close</button>
<button class="btn btn-secondary" data-action="close-shortcuts-modal">Close</button>
</div>
</div>
</div>
</div>
`;
document.body.appendChild(modal);
// Add event listener for the close button
modal.querySelector('[data-action="close-shortcuts-modal"]').addEventListener('click', function() {
modal.remove();
});
}
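Review bot: the new listener calls `modal.remove()` whereas the removed `onclick` handler called `this.closest('.modal-overlay').remove()`; the two are only equivalent if the `modal` variable holds the `.modal-overlay` element itself (or a wrapper that should be removed with it), so confirm that is the case or remove `modal.querySelector('.modal-overlay')` explicitly to keep the old behaviour. Also, the `<div class="modal-footer" style="margin-top: 1rem;">` context line keeps an inline `style` attribute; the commit only drops `'unsafe-inline'` from `script-src`, so it is not blocked today, but moving it to a class in this pass would avoid a second sweep if `style-src` is later tightened the same way.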