refactor: reorganize to standard PHP structure

- Moved /lib → /src (PHP source code)
- Moved /includes → /public/includes (main site templates)
- Admin section remains self-contained in /public/admin with its own /inc
- Updated all require/include paths across codebase
- Updated config/bootstrap.php, justfile, tests, docs
- All tests passing ✅

Structure now follows PHP best practices:
  /config      - Configuration files
  /database    - SQLite database + schema
  /docs        - Documentation (intact)
  /nginx       - Server config (intact)
  /public      - Web-accessible files (entry point)
    /admin     - Self-contained admin interface
    /assets    - CSS, fonts, icons
    /includes  - Main site templates (header/footer)
  /scripts     - Deployment scripts (intact)
  /src         - PHP source classes (Database, AdminAuth, RateLimit)
  /tests       - Test suites

docs/SECURITY_ANALYSIS.md

@@ -138,7 +138,7 @@ and serve files through a dedicated PHP endpoint that validates access rights.
 
 ### 5. Rate Limiter Vulnerable to IP Spoofing
 
-**File:** `lib/RateLimit.php` — method `getClientIdentifier()`
+**File:** `src/RateLimit.php` — method `getClientIdentifier()`
 
 ```php
 if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
@@ -373,7 +373,7 @@ define('DATABASE_PATH', APP_ROOT . '/database/test.db');
 ```
 
 This constant is never used anywhere. `Database.php` uses `getDatabasePath()` from
-`lib/config.php`. The duplicate creates confusion about which configuration is
+`src/config.php`. The duplicate creates confusion about which configuration is
 authoritative and could lead to future bugs if someone uses the wrong one.
 
 **Fix:** Remove the `DATABASE_PATH` define from `bootstrap.php`.