Security/Clean URL Update

Included in this package:
1. Clean user URLs
   - User flow no longer uses visible ?step=email / ?step=primary URLs.
   - User status polling no longer exposes a visitor ID in the browser URL.
   - Step state is stored server-side in PHP sessions.

2. Frontend hardening
   - CSS has been minified.
   - Inline JavaScript has been minified/lightly obfuscated.
   - PHP/server files remain readable for maintenance.
   - Sensitive logic stays server-side in PHP.

3. Change admin password from admin panel
   - Go to Admin > Settings > Admin Credentials.
   - Enter current password, new password, confirm password.
   - Tick “Change admin password when saving”.
   - Password is stored as a PHP password_hash() value in the settings table.
   - First successful login with the old config password automatically migrates it to a hash.
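
   Added example, not code from this package: one way to do the first-login migration from the config password to a password_hash() value. The settings(name, value) schema, the 'admin_password_hash' key, both function names and the in-memory SQLite demo are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: stores the hash under an assumed settings key.
function saveAdminHash(PDO $db, string $hash): void
{
    $db->beginTransaction();
    $db->prepare('DELETE FROM settings WHERE name = ?')->execute(['admin_password_hash']);
    $db->prepare('INSERT INTO settings (name, value) VALUES (?, ?)')
       ->execute(['admin_password_hash', $hash]);
    $db->commit();
}

// Hypothetical login check. $legacyPassword is the plaintext value from config.php.
function verifyAdminLogin(PDO $db, string $submitted, string $legacyPassword): bool
{
    $stmt = $db->prepare('SELECT value FROM settings WHERE name = ?');
    $stmt->execute(['admin_password_hash']);
    $stored = $stmt->fetchColumn();

    if (is_string($stored) && $stored !== '') {
        // A hash exists, so the config password is no longer accepted.
        if (!password_verify($submitted, $stored)) {
            return false;
        }
        // Upgrade transparently if PHP's default algorithm or cost has changed.
        if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
            saveAdminHash($db, password_hash($submitted, PASSWORD_DEFAULT));
        }
        return true;
    }

    // No hash yet: constant-time compare against the legacy config value.
    if ($legacyPassword === '' || !hash_equals($legacyPassword, $submitted)) {
        return false;
    }
    saveAdminHash($db, password_hash($submitted, PASSWORD_DEFAULT));
    return true;
}

// Constructed demo data; requires the pdo_sqlite extension.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE settings (name TEXT PRIMARY KEY, value TEXT)');

var_dump(verifyAdminLogin($db, 'old-config-pw', 'old-config-pw')); // first login migrates
var_dump(verifyAdminLogin($db, 'wrong-guess', 'old-config-pw'));   // checked against the hash
var_dump(verifyAdminLogin($db, 'old-config-pw', ''));              // still valid after config is blanked
```

   Once the hash row exists, the plaintext value in config.php is never consulted again, so it can be removed from the file after the first successful login.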

Important:
- Keep config.php private and never expose it publicly.
- Do not place API keys, DB passwords, Telegram tokens, or Turnstile secret keys inside JavaScript.
- After upload, test login, change password, and the user flow once on your server.
