Use POST for destructive actions & mobile UI tweaks

Require POST and CSRF verification for destructive endpoints (profile delete, notification delete, clear-all) and update routes accordingly. Replace GET-based delete links with POST forms (including csrf_field()) and add hidden form submission for "clear all" and account deletion via JS. Add server-side request method checks and verifyCsrf() calls in NotificationController and ProfileController. Improve mobile UX: add sidebar overlay, open/close controls (including swipe-to-close), close button, prevent body scroll when sidebar open, responsive search placeholder and adjusted search/top-nav styling, and minor layout tweaks (truncate app name, adjust notification dropdown width). Also minor whitespace/formatting cleanups.

app/Controllers/ProfileController.php

@@ -232,6 +232,15 @@ class ProfileController extends Controller
      */
     public function delete()
     {
+        // Ensure POST method
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
+            $this->redirect('/profile');
+            return;
+        }
+
+        // CSRF Protection
+        $this->verifyCsrf('/profile');
+
         $userId = Auth::id();
         $user = $this->userModel->find($userId);
 
@@ -243,14 +252,14 @@ class ProfileController extends Controller
         }
 
         // Delete user (cascade will handle related records)
-            $this->userModel->delete($userId);
+        $this->userModel->delete($userId);
 
         // Logout
-            session_destroy();
-            session_start();
+        session_destroy();
+        session_start();
 
         $_SESSION['success'] = 'Your account has been deleted';
-            $this->redirect('/login');
+        $this->redirect('/login');
     }
 
     /**