Refactor apropos/charte/licence pages: shared layout, TOC anchors, and UI polish

Unify the three public pages (à propos, charte, licence) onto a single
grid layout (.page-content) with sticky TOC sidebar, replacing the old
separate  /  /  markup.

- Merge about.php, charte.php, licence.php templates into shared
  .page-content / .content-section structure
- Add CommonMark HeadingPermalinkExtension for stable heading anchors
- Use SlugNormalizer for TOC links so they match rendered heading IDs
- Standardize link styling across content blocks: bold black, accent on
  hover (consistent with global link style)
- Fix code block wrapping: use pre-wrap instead of pre, constrain grid
  columns with min-width:0, auto scrollbar
- Fix apropos page grid placement: force content-section into column 2
  so contacts and credits stay in the content area, not the sidebar

Also includes accumulated WIP changes:
- Header gradient: hardcoded purple-to-green (replaces CSS variables)
- Search placeholder font
- Duration field: replace minutes/sec/heures with h:m:s time inputs
- TFE file optional for formats 1,4,6 with client-side JS toggle
- Licence form: em-dash to hyphen, details/summary classes
- Pill search: block Enter key form submission when no results
- Draft autosave: remove CSRF rotation (broke concurrent FilePond uploads)
- Language pill: clear hints for excluded main languages
- Search results: gradient placeholder cards for items without covers
- TFE display: format durée values as XhYm instead of decimal

app/public/partage/fragments/draft.php

@@ -75,15 +75,16 @@ if ($method === 'POST') {
 
     $_SESSION[$draftKey] = $draft;
 
-    // Rotate CSRF after mutation — keep share CSRF in sync
-    $newToken = bin2hex(random_bytes(32));
-    $_SESSION['csrf_token'] = $newToken;
-    $_SESSION['share_csrf_' . $slug] = $newToken;
+    // NOTE: Do NOT rotate the CSRF token here.
+    // Rotating it breaks concurrent FilePond uploads and overlapping autosave
+    // requests because the in-flight request carries the old token but the
+    // session already has the new one.
+    // The CSRF token already rotates on page load and form submit.
+    // See admin/actions/draft.php for the detailed rationale.
 
     header('Content-Type: application/json');
     echo json_encode([
-        'success'    => true,
-        'csrf_token' => $newToken,
+        'success' => true,
     ]);
     exit;
 }

app/public/partage/pill-search-fragment.php

@@ -74,7 +74,7 @@ $results = array_values(array_filter($results, function($item) use (&$seen) {
 
 // Exclude already-selected items and, for languages, the main three
 if ($type === 'language') {
-    $excludedMain = ['français', 'anglais', 'néerlandais'];
+    $excludedMain = ['français', 'french', 'frans', 'anglais', 'english', 'engels', 'néerlandais', 'nederlands', 'dutch'];
     $results = array_values(array_filter($results, function($lang) use ($excludedMain, $exclude) {
         $lower = strtolower($lang['name']);
         return !in_array($lower, $excludedMain, true)
@@ -98,14 +98,18 @@ foreach ($results as $item) {
 $inExcluded = in_array($q, $exclude, true);
 $canCreate = ($q !== '' && !$exactExists && !$inExcluded);
 
+$mainLangBlocked = false;
 if ($type === 'language') {
-    $excludedMain = ['français', 'anglais', 'néerlandais'];
+    $excludedMain = ['français', 'french', 'frans', 'anglais', 'english', 'engels', 'néerlandais', 'nederlands', 'dutch'];
     if (in_array($q, $excludedMain, true)) {
         $canCreate = false;
+        $mainLangBlocked = true;
     }
 }
 ?>
-<?php if (empty($results) && !$canCreate): ?>
+<?php if ($mainLangBlocked): ?>
+<div class="tag-search-empty tag-search-empty--hint" role="alert">Cette langue est déjà disponible via les cases à cocher ci-dessus.</div>
+<?php elseif (empty($results) && !$canCreate): ?>
 <div class="tag-search-empty"><?= htmlspecialchars($emptyMessage) ?></div>
 <?php endif; ?>