encapsulate raw PDO queries leaking from callers into Database.php methods

- Add getThesisAccessTypeId(int $id): ?int — replaces raw SELECT in tfe.php
- Add getCoverPathsForTheses(array $ids): array — replaces raw SELECT/IN query in index.php
- Add getFileVisibility(string $path): ?int — replaces raw join query in media.php
- Add getThesisBannerPath(int $id): ?string — replaces unparameterised SQL injection in
  edit.php (SELECT banner_path FROM theses WHERE id = $thesisId was interpolating $thesisId
  directly into the query string; now parameterised via prepared statement)
- Add getThesisRawFields(int $id): ?array — replaces raw SELECT license_id/access_type_id/
  context_note in edit.php
- Add getThesisCount(): int — replaces raw SELECT COUNT(*) in system.php

Callers updated: public/tfe.php, public/index.php, public/media.php,
public/admin/edit.php, public/admin/system.php

public/tfe.php

@@ -180,14 +180,7 @@ $currentNav = '';
                 <?php
                     // Determine effective access: need raw access_type_id
                     // The view exposes 'access_type' (name string). Fetch raw id for gate.
-                    $accessTypeId = null;
-                    try {
-                        $accessStmt = $db->getConnection()->prepare(
-                            "SELECT access_type_id FROM theses WHERE id = ?"
-                        );
-                        $accessStmt->execute([$thesisId]);
-                        $accessTypeId = (int)($accessStmt->fetchColumn() ?? 1);
-                    } catch (\Throwable $e) {}
+                    $accessTypeId = $db->getThesisAccessTypeId($thesisId) ?? 1;
                     $isInterdit = ($accessTypeId === 3);
                 ?>
                 <?php if ($isInterdit): ?>