Add src/App.php foundation class and flash-messages partial

Create the central App helper that eliminates ~170 lines of duplicated
bootstrap/auth/CSRF preamble across 24 page and action handler files.

src/App.php provides:
- boot(): loads Database + ensures CSRF token (public pages)
- adminGuard(): requires AdminAuth login + boot (admin pages)
- verifyCsrf() / rotateCsrf(): centralised CSRF lifecycle
- flash() / consumeFlash(): unified flash messages with legacy key drain
  (error, success, admin_error, admin_success, edit_error, edit_success,
  form_error all consumed transparently for incremental migration)
- redirect(): flash + Location header + exit in one call
- render(): head → header → content → footer pipeline with auto admin
  footer selection

App.php is auto-loaded from config/bootstrap.php so all existing pages
get the class for free without any changes.

templates/partials/flash-messages.php uses App::consumeFlash() to replace
the 5+ copy-pasted flash blocks across admin templates.

All existing tests pass. No existing page files modified — this is a
non-breaking addition that enables incremental controller extraction.

config/bootstrap.php

@@ -29,6 +29,9 @@ if (file_exists(APP_ROOT . '/config/admin_credentials.php')) {
     require_once APP_ROOT . '/config/admin_credentials.php';
 }
 
+// Central application helper (boot, auth guard, CSRF, flash, render)
+require_once APP_ROOT . '/src/App.php';
+
 // Maintenance mode gate — block public pages; allow /admin/ through.
 // The flag file lives in storage/ (outside webroot) to avoid web exposure.
 define('MAINTENANCE_FLAG', APP_ROOT . '/storage/maintenance.flag');