diff --git a/TODO.md b/TODO.md
index 51610c1..93d9860 100644
--- a/TODO.md
+++ b/TODO.md
@@ -1,6 +1,21 @@
 # TODO
 
+## In Progress
+- [ ] Extract `SearchController` — most complex public page (§2 step 4)
+- [ ] Extract `SystemController` — biggest single-file win, 500→8 lines (§2 step 3, §5)
+- [ ] Extract `ThesisEditController` — merges edit.php + actions/edit.php, deduplicate jury fieldset (§2 step 5)
+- [ ] Extract remaining controllers one by one (§2 step 6)
+- [ ] Consolidate action handlers into controller methods (§4)
+- [ ] Introduce pagination partial `templates/partials/pagination.php` (§6)
+- [ ] Introduce admin form partials: select-field, checkbox-list, jury-fieldset (§6)
+- [ ] Unify flash message keys project-wide to `_flash_error` / `_flash_success` (§7)
+- [ ] Move OG tag construction into controller logic (§8)
+- [ ] Extract inline CSS/JS from `system.php` into separate assets (§5)
+
 ## Completed
+- [x] Create `src/App.php` — boot, adminGuard, verifyCsrf, rotateCsrf, redirect, flash, consumeFlash, render
+- [x] Auto-load `App.php` from `config/bootstrap.php`
+- [x] Create `templates/partials/flash-messages.php` — unified flash partial with legacy key drain
 - [x] Merge public and admin head/nav templates into unified `templates/head.php` and `templates/header.php`
   - `templates/head.php` — outputs `<!DOCTYPE html>…</head><body class="…">`, reads `$bodyClass`, `$isAdmin`; handles admin title suffix, admin.css prepend, and OG tag suppression internally
   - `templates/header.php` — outputs `<header>…</header>` with public nav + search bar or admin nav depending on `$isAdmin`
diff --git a/config/bootstrap.php b/config/bootstrap.php
index 886ce5c..09444bd 100644
--- a/config/bootstrap.php
+++ b/config/bootstrap.php
@@ -29,6 +29,9 @@ if (file_exists(APP_ROOT . '/config/admin_credentials.php')) {
     require_once APP_ROOT . '/config/admin_credentials.php';
 }
 
+// Central application helper (boot, auth guard, CSRF, flash, render)
+require_once APP_ROOT . '/src/App.php';
+
 // Maintenance mode gate — block public pages; allow /admin/ through.
 // The flag file lives in storage/ (outside webroot) to avoid web exposure.
 define('MAINTENANCE_FLAG', APP_ROOT . '/storage/maintenance.flag');
diff --git a/src/App.php b/src/App.php
new file mode 100644
index 0000000..d72c94d
--- /dev/null
+++ b/src/App.php
@@ -0,0 +1,168 @@
+<?php
+/**
+ * Thin application helper — centralises bootstrap, auth gating, CSRF lifecycle,
+ * flash messages, redirect, and template rendering.
+ *
+ * Eliminates the ~6-8 lines of identical preamble repeated across every page
+ * and action handler. See REFACTORING_RECOMMENDATIONS.md §1 + §3.
+ */
+class App
+{
+    private static bool $booted = false;
+
+    // ── Bootstrap ─────────────────────────────────────────────────────────────
+
+    /**
+     * Boot once per request: load Database, ensure CSRF token exists.
+     * Suitable for public pages (no auth required).
+     */
+    public static function boot(): Database
+    {
+        if (!self::$booted) {
+            require_once APP_ROOT . '/src/Database.php';
+            self::$booted = true;
+        }
+        self::ensureCsrf();
+        return Database::getInstance();
+    }
+
+    /**
+     * Gate for admin pages: require auth + CSRF token + load Database.
+     */
+    public static function adminGuard(): Database
+    {
+        require_once APP_ROOT . '/src/AdminAuth.php';
+        AdminAuth::requireLogin();
+        return self::boot();
+    }
+
+    // ── CSRF lifecycle ────────────────────────────────────────────────────────
+
+    /**
+     * Ensure a CSRF token exists in the session.
+     * Called automatically by boot() / adminGuard().
+     */
+    private static function ensureCsrf(): void
+    {
+        if (empty($_SESSION['csrf_token'])) {
+            $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
+        }
+    }
+
+    /**
+     * Validate the CSRF token on a POST request.
+     * Halts with 403 if the token is missing or invalid.
+     */
+    public static function verifyCsrf(): void
+    {
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST'
+            || !isset($_POST['csrf_token'], $_SESSION['csrf_token'])
+            || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
+            http_response_code(403);
+            exit('CSRF token invalide.');
+        }
+    }
+
+    /**
+     * Regenerate the CSRF token after a successful mutation.
+     */
+    public static function rotateCsrf(): void
+    {
+        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
+    }
+
+    // ── Flash messages ────────────────────────────────────────────────────────
+
+    /**
+     * Store a flash message in the session.
+     *
+     * @param 'success'|'error' $type
+     */
+    public static function flash(string $type, string $message): void
+    {
+        $_SESSION["_flash_{$type}"] = $message;
+    }
+
+    /**
+     * Consume and return flash messages, then clear them from the session.
+     *
+     * Also drains the legacy per-page keys (error, success, admin_error,
+     * admin_success, edit_error, edit_success, form_error) so the transition
+     * to unified keys can happen incrementally.
+     *
+     * @return array{error: ?string, success: ?string}
+     */
+    public static function consumeFlash(): array
+    {
+        // Unified keys first, fall back to any legacy key that is set.
+        $error = $_SESSION['_flash_error']
+            ?? $_SESSION['error']
+            ?? $_SESSION['admin_error']
+            ?? $_SESSION['edit_error']
+            ?? $_SESSION['form_error']
+            ?? null;
+
+        $success = $_SESSION['_flash_success']
+            ?? $_SESSION['success']
+            ?? $_SESSION['admin_success']
+            ?? $_SESSION['edit_success']
+            ?? null;
+
+        // Clear all variants.
+        unset(
+            $_SESSION['_flash_error'],  $_SESSION['_flash_success'],
+            $_SESSION['error'],         $_SESSION['success'],
+            $_SESSION['admin_error'],   $_SESSION['admin_success'],
+            $_SESSION['edit_error'],    $_SESSION['edit_success'],
+            $_SESSION['form_error']
+        );
+
+        return ['error' => $error, 'success' => $success];
+    }
+
+    // ── Redirect ──────────────────────────────────────────────────────────────
+
+    /**
+     * Flash a message and redirect. Terminates the script.
+     */
+    public static function redirect(string $url, ?string $success = null, ?string $error = null): never
+    {
+        if ($success !== null) {
+            self::flash('success', $success);
+        }
+        if ($error !== null) {
+            self::flash('error', $error);
+        }
+        header('Location: ' . $url);
+        exit;
+    }
+
+    // ── Template rendering ────────────────────────────────────────────────────
+
+    /**
+     * Render a full page: head → header → content template → footer.
+     *
+     * Expects $vars to contain the same keys the templates already rely on
+     * ($pageTitle, $bodyClass, $isAdmin, $extraCss, $ogTags, etc.).
+     * The footer variant (public vs admin) is chosen automatically based
+     * on $isAdmin.
+     *
+     * @param string $template  Path relative to APP_ROOT/templates/
+     * @param array  $vars      Variables to expose inside the templates
+     */
+    public static function render(string $template, array $vars = []): void
+    {
+        // Make all vars available in the template scope.
+        extract($vars);
+
+        include APP_ROOT . '/templates/head.php';
+        include APP_ROOT . '/templates/header.php';
+        include APP_ROOT . '/templates/' . $template;
+
+        if (!empty($isAdmin)) {
+            include APP_ROOT . '/templates/admin/footer.php';
+        } else {
+            include APP_ROOT . '/templates/footer.php';
+        }
+    }
+}
diff --git a/src/cache/rate_limit/ad921d60486366258809553a3db49a4a.json b/src/cache/rate_limit/ad921d60486366258809553a3db49a4a.json
index c31bce6..6f54142 100644
--- a/src/cache/rate_limit/ad921d60486366258809553a3db49a4a.json
+++ b/src/cache/rate_limit/ad921d60486366258809553a3db49a4a.json
@@ -1 +1 @@
-[1774721459]
\ No newline at end of file
+[1775039085]
\ No newline at end of file
diff --git a/templates/partials/flash-messages.php b/templates/partials/flash-messages.php
new file mode 100644
index 0000000..6966fd0
--- /dev/null
+++ b/templates/partials/flash-messages.php
@@ -0,0 +1,18 @@
+<?php
+/**
+ * Shared flash-message partial.
+ *
+ * Consumes all flash variants (unified _flash_* keys and legacy per-page keys)
+ * via App::consumeFlash(), then renders the standard alert markup.
+ *
+ * Usage: include this partial wherever flash messages should appear.
+ * No variables need to be set beforehand — it reads from the session directly.
+ */
+$_flash = App::consumeFlash();
+?>
+<?php if ($_flash['error']): ?>
+<div class="admin-alert admin-alert--error">⚠ <?= htmlspecialchars($_flash['error']) ?></div>
+<?php endif; ?>
+<?php if ($_flash['success']): ?>
+<div class="admin-alert admin-alert--success">✓ <?= htmlspecialchars($_flash['success']) ?></div>
+<?php endif; ?>
