Moderator file-area reject uses banned native prompt() for reason

Area: Files/photos (re-run) (audit p5r) · Surface: /files/{slug}/queue (FileModController@queue → files/queue.php) · Dimension: native-dialogs · Severity: major

The moderator-facing file-area review queue collects the rejection reason with a native browser prompt(). Native confirm/alert/prompt are explicitly banned by Engineering Law (they break theme, are unstyleable, and look like malware). Note this is a DIFFERENT surface from the already-filed admin queue reject: the admin queue (templates/admin/files/queue.php:309) correctly uses a styled flow with data-confirm and a hidden reason field, while this moderator queue still uses prompt(). The two queues are inconsistent.

Evidence

platform/templates/files/queue.php:69-70 — `<form action="/files/<?= $e($area['slug']) ?>/queue/<?= (int) $f['id'] ?>/reject" method="POST" class="d-inline"\n onsubmit="var r=prompt('Reason (optional):'); if(r===null){return false;} this.querySelector('[name=reason]').value=r||''; return true;">`

Suggested fix. Replace the onsubmit=prompt() with an App.modal-based reason prompt (App.modal.prompt / a small styled modal), or mirror the admin queue pattern: a reject button that opens a styled modal with a reason textarea, posting the reason via a hidden field. Remove the inline onsubmit handler.

Filed by the automated tenant-app audit and adversarially evidence-verified. Status: verified. Open — not yet actioned.