Add admin account page for PHP password management

Implements the admin user management UI as a self-contained PHP password
change/set flow — no SSH or sudo required.

- public/admin/account.php: shows auth status (PHP hash present, credentials
  file path), password change form (requires current password when one exists,
  min 12 chars, confirm field), and a danger-zone form to delete the
  credentials file entirely
- public/admin/actions/account.php: CSRF-guarded POST handler; verifies
  current password via AdminAuth::login() before accepting a new one;
  generates bcrypt (cost 12) hash; writes config/admin_credentials.php
  atomically via a temp file + rename; regenerates session on success;
  redirects to /admin/login.php when credentials are deleted
- templates/admin/head.php: 'Compte' nav link added (active on account.php)
- public/assets/admin.css: .admin-account-status, .admin-section-title,
  .admin-field-hint, .admin-danger-zone component styles added

Note: the nginx htpasswd flow (manage-admin-users.sh) requires root on the
server and is intentionally kept as a CLI-only operation.

public/admin/actions/account.php

@@ -0,0 +1,122 @@
+<?php
+/**
+ * Admin account action — update or remove admin_credentials.php
+ *
+ * Actions:
+ *   POST (default)       — set/change the PHP admin password
+ *   POST action=remove_credentials — delete admin_credentials.php
+ */
+
+require_once __DIR__ . '/../../../config/bootstrap.php';
+require_once __DIR__ . '/../../../src/AdminAuth.php';
+AdminAuth::requireLogin();
+
+// ── CSRF ──────────────────────────────────────────────────────────────────────
+if (empty($_SESSION['csrf_token']) || ($_POST['csrf_token'] ?? '') !== $_SESSION['csrf_token']) {
+    http_response_code(403);
+    die('Invalid CSRF token.');
+}
+
+$credentialsFile = APP_ROOT . '/config/admin_credentials.php';
+$hasPassword     = defined('ADMIN_PASSWORD_HASH');
+$action          = $_POST['action'] ?? 'change_password';
+
+// ── Remove credentials ────────────────────────────────────────────────────────
+if ($action === 'remove_credentials') {
+    if (!$hasPassword) {
+        $_SESSION['error'] = 'Aucun fichier de mot de passe à supprimer.';
+        header('Location: /admin/account.php');
+        exit;
+    }
+
+    if (!is_writable($credentialsFile) && !is_writable(dirname($credentialsFile))) {
+        $_SESSION['error'] = 'Le fichier de configuration n\'est pas accessible en écriture.';
+        header('Location: /admin/account.php');
+        exit;
+    }
+
+    if (@unlink($credentialsFile)) {
+        // Destroy session so the user is forced to re-authenticate via nginx Basic Auth.
+        AdminAuth::logout();
+        header('Location: /admin/login.php');
+        exit;
+    } else {
+        $_SESSION['error'] = 'Impossible de supprimer le fichier de configuration.';
+        header('Location: /admin/account.php');
+        exit;
+    }
+}
+
+// ── Change / set password ─────────────────────────────────────────────────────
+
+// 1. If a password is already set, verify the current one.
+if ($hasPassword) {
+    $currentPassword = $_POST['current_password'] ?? '';
+    if (!AdminAuth::login($currentPassword)) {
+        $_SESSION['error'] = 'Mot de passe actuel incorrect.';
+        header('Location: /admin/account.php');
+        exit;
+    }
+}
+
+// 2. Validate new password.
+$newPassword     = $_POST['new_password']     ?? '';
+$confirmPassword = $_POST['confirm_password'] ?? '';
+
+if (strlen($newPassword) < 12) {
+    $_SESSION['error'] = 'Le nouveau mot de passe doit contenir au moins 12 caractères.';
+    header('Location: /admin/account.php');
+    exit;
+}
+
+if ($newPassword !== $confirmPassword) {
+    $_SESSION['error'] = 'Les mots de passe ne correspondent pas.';
+    header('Location: /admin/account.php');
+    exit;
+}
+
+// 3. Generate bcrypt hash (cost 12).
+$hash = password_hash($newPassword, PASSWORD_BCRYPT, ['cost' => 12]);
+if ($hash === false) {
+    $_SESSION['error'] = 'Erreur lors du hachage du mot de passe.';
+    header('Location: /admin/account.php');
+    exit;
+}
+
+// 4. Write credentials file.
+$configContent = '<?php' . "\n"
+    . '/**' . "\n"
+    . ' * Admin PHP-level password for the session auth guard (defence-in-depth).' . "\n"
+    . ' *' . "\n"
+    . ' * Generated by the admin panel on ' . date('Y-m-d H:i:s') . '.' . "\n"
+    . ' * To regenerate manually:' . "\n"
+    . ' *   php -r "echo password_hash(\'your-password\', PASSWORD_BCRYPT, [\'cost\' => 12]);"' . "\n"
+    . ' */' . "\n"
+    . "\n"
+    . 'define(\'ADMIN_PASSWORD_HASH\', ' . var_export($hash, true) . ');' . "\n";
+
+// Write atomically via a temp file.
+$tmpFile = $credentialsFile . '.tmp.' . bin2hex(random_bytes(6));
+if (file_put_contents($tmpFile, $configContent, LOCK_EX) === false) {
+    @unlink($tmpFile);
+    $_SESSION['error'] = 'Impossible d\'écrire le fichier de configuration. Vérifiez les permissions sur config/.';
+    header('Location: /admin/account.php');
+    exit;
+}
+if (!rename($tmpFile, $credentialsFile)) {
+    @unlink($tmpFile);
+    $_SESSION['error'] = 'Impossible de mettre à jour le fichier de configuration.';
+    header('Location: /admin/account.php');
+    exit;
+}
+
+// 5. Regenerate session (password changed — invalidate old sessions).
+session_regenerate_id(true);
+$_SESSION['admin_authenticated'] = true;
+
+$_SESSION['success'] = $hasPassword
+    ? 'Mot de passe mis à jour avec succès.'
+    : 'Mot de passe défini avec succès. L\'authentification PHP est maintenant active.';
+
+header('Location: /admin/account.php');
+exit;