Add src/App.php foundation class and flash-messages partial

Create the central App helper that eliminates ~170 lines of duplicated
bootstrap/auth/CSRF preamble across 24 page and action handler files.

src/App.php provides:
- boot(): loads Database + ensures CSRF token (public pages)
- adminGuard(): requires AdminAuth login + boot (admin pages)
- verifyCsrf() / rotateCsrf(): centralised CSRF lifecycle
- flash() / consumeFlash(): unified flash messages with legacy key drain
  (error, success, admin_error, admin_success, edit_error, edit_success,
  form_error all consumed transparently for incremental migration)
- redirect(): flash + Location header + exit in one call
- render(): head → header → content → footer pipeline with auto admin
  footer selection

App.php is auto-loaded from config/bootstrap.php so all existing pages
get the class for free without any changes.

templates/partials/flash-messages.php uses App::consumeFlash() to replace
the 5+ copy-pasted flash blocks across admin templates.

All existing tests pass. No existing page files modified — this is a
non-breaking addition that enables incremental controller extraction.

templates/partials/flash-messages.php

@@ -0,0 +1,18 @@
+<?php
+/**
+ * Shared flash-message partial.
+ *
+ * Consumes all flash variants (unified _flash_* keys and legacy per-page keys)
+ * via App::consumeFlash(), then renders the standard alert markup.
+ *
+ * Usage: include this partial wherever flash messages should appear.
+ * No variables need to be set beforehand — it reads from the session directly.
+ */
+$_flash = App::consumeFlash();
+?>
+<?php if ($_flash['error']): ?>
+<div class="admin-alert admin-alert--error">⚠ <?= htmlspecialchars($_flash['error']) ?></div>
+<?php endif; ?>
+<?php if ($_flash['success']): ?>
+<div class="admin-alert admin-alert--success">✓ <?= htmlspecialchars($_flash['success']) ?></div>
+<?php endif; ?>