refactor: reorganize to standard PHP structure

- Moved /lib → /src (PHP source code)
- Moved /includes → /public/includes (main site templates)
- Admin section remains self-contained in /public/admin with its own /inc
- Updated all require/include paths across codebase
- Updated config/bootstrap.php, justfile, tests, docs
- All tests passing ✅

Structure now follows PHP best practices:
  /config      - Configuration files
  /database    - SQLite database + schema
  /docs        - Documentation (intact)
  /nginx       - Server config (intact)
  /public      - Web-accessible files (entry point)
    /admin     - Self-contained admin interface
    /assets    - CSS, fonts, icons
    /includes  - Main site templates (header/footer)
  /scripts     - Deployment scripts (intact)
  /src         - PHP source classes (Database, AdminAuth, RateLimit)
  /tests       - Test suites

src/RateLimit.php

@@ -0,0 +1,162 @@
+<?php
+
+/**
+ * Simple file-based rate limiter
+ * Prevents abuse by limiting requests per IP address
+ */
+class RateLimit {
+    private $cacheDir;
+    private $maxRequests;
+    private $timeWindow;
+
+    /**
+     * Constructor
+     * @param int $maxRequests Maximum requests allowed in time window
+     * @param int $timeWindow Time window in seconds
+     * @param string $cacheDir Directory to store rate limit data
+     */
+    public function __construct($maxRequests = 30, $timeWindow = 60, $cacheDir = null) {
+        $this->maxRequests = $maxRequests;
+        $this->timeWindow = $timeWindow;
+        $this->cacheDir = $cacheDir ?? __DIR__ . '/cache/rate_limit';
+
+        // Create cache directory if it doesn't exist
+        if (!is_dir($this->cacheDir)) {
+            mkdir($this->cacheDir, 0755, true);
+        }
+    }
+
+    /**
+     * Get client identifier (IP address)
+     * @return string Client identifier
+     */
+    private function getClientIdentifier(): string {
+        // Use REMOTE_ADDR only — HTTP_X_FORWARDED_FOR and HTTP_CLIENT_IP
+        // are fully attacker-controlled request headers and must never be
+        // trusted for rate-limiting purposes (an attacker can rotate them
+        // freely to bypass the limiter). Nginx-level rate limiting also
+        // uses $binary_remote_addr for the same reason. If this app is
+        // ever placed behind a trusted reverse-proxy, IP extraction should
+        // be handled at the nginx level, not here.
+        return $_SERVER['REMOTE_ADDR'] ?? 'unknown';
+    }
+
+    /**
+     * Get cache file path for a client
+     * @param string $identifier Client identifier
+     * @return string File path
+     */
+    private function getCacheFile($identifier) {
+        return $this->cacheDir . '/' . md5($identifier) . '.json';
+    }
+
+    /**
+     * Check if client has exceeded rate limit
+     * @return bool True if allowed, false if rate limit exceeded
+     */
+    public function check() {
+        $identifier = $this->getClientIdentifier();
+        $file = $this->getCacheFile($identifier);
+
+        // Load existing request timestamps
+        $data = [];
+        if (file_exists($file)) {
+            $content = file_get_contents($file);
+            $data = json_decode($content, true) ?? [];
+        }
+
+        // Clean old entries outside time window
+        $now = time();
+        $data = array_filter($data, function($timestamp) use ($now) {
+            return ($now - $timestamp) < $this->timeWindow;
+        });
+
+        // Check if limit exceeded
+        if (count($data) >= $this->maxRequests) {
+            return false;
+        }
+
+        // Add new request timestamp
+        $data[] = $now;
+
+        // Save updated data
+        file_put_contents($file, json_encode($data));
+
+        return true;
+    }
+
+    /**
+     * Get remaining requests for current client
+     * @return int Number of requests remaining
+     */
+    public function getRemaining() {
+        $identifier = $this->getClientIdentifier();
+        $file = $this->getCacheFile($identifier);
+
+        if (!file_exists($file)) {
+            return $this->maxRequests;
+        }
+
+        $content = file_get_contents($file);
+        $data = json_decode($content, true) ?? [];
+
+        // Clean old entries
+        $now = time();
+        $data = array_filter($data, function($timestamp) use ($now) {
+            return ($now - $timestamp) < $this->timeWindow;
+        });
+
+        return max(0, $this->maxRequests - count($data));
+    }
+
+    /**
+     * Get time until rate limit resets
+     * @return int Seconds until reset
+     */
+    public function getResetTime() {
+        $identifier = $this->getClientIdentifier();
+        $file = $this->getCacheFile($identifier);
+
+        if (!file_exists($file)) {
+            return 0;
+        }
+
+        $content = file_get_contents($file);
+        $data = json_decode($content, true) ?? [];
+
+        if (empty($data)) {
+            return 0;
+        }
+
+        // Find oldest timestamp
+        $oldest = min($data);
+        $resetTime = $oldest + $this->timeWindow - time();
+
+        return max(0, $resetTime);
+    }
+
+    /**
+     * Clean up old cache files (run periodically)
+     * Removes files that haven't been modified in 24 hours
+     */
+    public function cleanup() {
+        $files = glob($this->cacheDir . '/*.json');
+        $cutoff = time() - 86400; // 24 hours
+
+        foreach ($files as $file) {
+            if (filemtime($file) < $cutoff) {
+                unlink($file);
+            }
+        }
+    }
+
+    /**
+     * Send rate limit headers
+     * Provides information about rate limits to clients
+     */
+    public function sendHeaders() {
+        header('X-RateLimit-Limit: ' . $this->maxRequests);
+        header('X-RateLimit-Remaining: ' . $this->getRemaining());
+        header('X-RateLimit-Reset: ' . (time() + $this->getResetTime()));
+    }
+}