Banned native window.confirm() in events bulk-action handler

Area: Engagement (audit p9) · Surface: /admin/events (bulk approve/delete) · Dimension: native-dialogs · Severity: major

The bulk approve/delete action in the admin events queue triggers a native browser confirm dialog. Native confirm/alert/prompt are banned platform-wide. It breaks the dark/amber/light themes and is jarring next to the rest of the admin UI, which uses App.modal. The data-confirm copy is already authored on the <option> elements — only the JS that consumes it is wrong.

Evidence

platform/templates/events/admin.php:511 `if (!window.confirm(msg)) return;` inside runBulk(). The same file already defines data-confirm strings on the bulk options (admin.php:431-432: `<option value="approve" data-confirm="Approve all selected events?...">`) and on per-row delete (admin.php:231), but the bulk runner reads `opt.dataset.confirm` and then funnels it through native window.confirm instead of App.modal.confirm.

Suggested fix. Replace `if (!window.confirm(msg)) return;` with `App.modal.confirm('Confirm', msg, function(){ /* existing fan-out body */ });` and move the bulk POST logic into the onConfirm callback. App.modal.confirm is already loaded globally (app.min.js:17).

Filed by the automated tenant-app audit and adversarially evidence-verified. Status: verified. Open — not yet actioned.