Add admin account page for PHP password management

Implements the admin user management UI as a self-contained PHP password
change/set flow — no SSH or sudo required.

- public/admin/account.php: shows auth status (PHP hash present, credentials
  file path), password change form (requires current password when one exists,
  min 12 chars, confirm field), and a danger-zone form to delete the
  credentials file entirely
- public/admin/actions/account.php: CSRF-guarded POST handler; verifies
  current password via AdminAuth::login() before accepting a new one;
  generates bcrypt (cost 12) hash; writes config/admin_credentials.php
  atomically via a temp file + rename; regenerates session on success;
  redirects to /admin/login.php when credentials are deleted
- templates/admin/head.php: 'Compte' nav link added (active on account.php)
- public/assets/admin.css: .admin-account-status, .admin-section-title,
  .admin-field-hint, .admin-danger-zone component styles added

Note: the nginx htpasswd flow (manage-admin-users.sh) requires root on the
server and is intentionally kept as a CLI-only operation.

TODO.md

@@ -333,4 +333,4 @@ Goal: rename the tables and column to the canonical M2M pattern (`tags`, `thesis
 - [x] Add server status view in admin panel (nginx + php-fpm health, site HTTP check)
 - [x] Add server log viewer in admin panel (tail nginx error/access logs via SSH or log endpoint)
 - [ ] Add nginx config deploy flow to admin panel (upload `scripts/deploy-server.sh`, run remotely)
-- [ ] Add admin user management UI (wraps `scripts/manage-admin-users.sh` on server)
+- [x] Add admin user management UI — password change/set for PHP auth layer (`public/admin/account.php` + `actions/account.php`; "Compte" nav link; account CSS)

public/admin/account.php

@@ -0,0 +1,121 @@
+<?php
+require_once __DIR__ . "/../../config/bootstrap.php";
+require_once __DIR__ . '/../../src/AdminAuth.php';
+AdminAuth::requireLogin();
+
+$pageTitle = "Compte administrateur";
+
+$credentialsFile = APP_ROOT . '/config/admin_credentials.php';
+$hasPassword     = defined('ADMIN_PASSWORD_HASH');
+
+$success = $_SESSION['success'] ?? null;
+$error   = $_SESSION['error']   ?? null;
+unset($_SESSION['success'], $_SESSION['error']);
+
+if (empty($_SESSION['csrf_token'])) {
+    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
+}
+?>
+<?php require_once APP_ROOT . '/templates/admin/head.php'; ?>
+
+<main class="admin-main">
+    <h1 class="admin-page-title">Compte administrateur</h1>
+
+    <?php if ($error): ?>
+    <div class="admin-alert admin-alert--error">⚠ <?= htmlspecialchars($error) ?></div>
+    <?php endif; ?>
+    <?php if ($success): ?>
+    <div class="admin-alert admin-alert--success">✓ <?= htmlspecialchars($success) ?></div>
+    <?php endif; ?>
+
+    <!-- Status info -->
+    <div class="admin-account-status">
+        <div class="admin-account-status__row">
+            <span class="admin-account-status__label">Authentification PHP</span>
+            <?php if ($hasPassword): ?>
+                <span class="status-badge status-published">Active</span>
+            <?php else: ?>
+                <span class="status-badge status-pending">Non configurée</span>
+            <?php endif; ?>
+        </div>
+        <div class="admin-account-status__row">
+            <span class="admin-account-status__label">Fichier de configuration</span>
+            <code class="admin-account-status__code">config/admin_credentials.php</code>
+            <?php if (file_exists($credentialsFile)): ?>
+                <span class="status-badge status-published">Présent</span>
+            <?php else: ?>
+                <span class="status-badge status-pending">Absent</span>
+            <?php endif; ?>
+        </div>
+        <?php if (!$hasPassword): ?>
+        <p class="admin-account-status__note">
+            Aucun mot de passe PHP configuré. Le formulaire ci-dessous créera
+            <code>config/admin_credentials.php</code> avec un hash bcrypt.
+        </p>
+        <?php endif; ?>
+    </div>
+
+    <!-- Password change form -->
+    <h2 class="admin-section-title"><?= $hasPassword ? 'Changer le mot de passe' : 'Définir le mot de passe' ?></h2>
+
+    <form method="post" action="/admin/actions/account.php" class="admin-form" autocomplete="off">
+        <input type="hidden" name="csrf_token" value="<?= htmlspecialchars($_SESSION['csrf_token']) ?>">
+
+        <?php if ($hasPassword): ?>
+        <div class="admin-form-row">
+            <label class="admin-label" for="current_password">Mot de passe actuel</label>
+            <div>
+                <input class="admin-input" type="password" id="current_password"
+                       name="current_password" required autocomplete="current-password">
+            </div>
+        </div>
+        <?php endif; ?>
+
+        <div class="admin-form-row">
+            <label class="admin-label" for="new_password">Nouveau mot de passe</label>
+            <div>
+                <input class="admin-input" type="password" id="new_password"
+                       name="new_password" required autocomplete="new-password"
+                       minlength="12">
+                <p class="admin-field-hint">Minimum 12 caractères.</p>
+            </div>
+        </div>
+
+        <div class="admin-form-row">
+            <label class="admin-label" for="confirm_password">Confirmer le mot de passe</label>
+            <div>
+                <input class="admin-input" type="password" id="confirm_password"
+                       name="confirm_password" required autocomplete="new-password">
+            </div>
+        </div>
+
+        <div class="admin-submit-wrap">
+            <button type="submit" class="admin-btn">
+                <?= $hasPassword ? 'Mettre à jour le mot de passe' : 'Définir le mot de passe' ?>
+            </button>
+        </div>
+    </form>
+
+    <?php if ($hasPassword): ?>
+    <!-- Danger zone: remove password -->
+    <h2 class="admin-section-title admin-section-title--danger" style="margin-top:3rem;">Zone de danger</h2>
+    <div class="admin-danger-zone">
+        <div class="admin-danger-zone__description">
+            <strong>Supprimer la configuration du mot de passe PHP</strong><br>
+            <span style="color:var(--admin-text-muted);font-size:.9rem;">
+                Supprime <code>config/admin_credentials.php</code>. L'accès admin
+                dépendra uniquement de l'authentification nginx Basic Auth si elle est configurée.
+            </span>
+        </div>
+        <form method="post" action="/admin/actions/account.php"
+              onsubmit="return confirm('Supprimer le fichier de mot de passe PHP ? L\'accès admin ne sera protégé que par nginx Basic Auth.')">
+            <input type="hidden" name="csrf_token" value="<?= htmlspecialchars($_SESSION['csrf_token']) ?>">
+            <input type="hidden" name="action" value="remove_credentials">
+            <input type="hidden" name="current_password_remove" id="current_password_remove" value="">
+            <button type="submit" class="admin-btn admin-btn--danger">Supprimer le fichier</button>
+        </form>
+    </div>
+    <?php endif; ?>
+</main>
+
+<?php require_once APP_ROOT . '/templates/admin/footer.php'; ?>

public/admin/actions/account.php

@@ -0,0 +1,122 @@
+<?php
+/**
+ * Admin account action — update or remove admin_credentials.php
+ *
+ * Actions:
+ *   POST (default)       — set/change the PHP admin password
+ *   POST action=remove_credentials — delete admin_credentials.php
+ */
+
+require_once __DIR__ . '/../../../config/bootstrap.php';
+require_once __DIR__ . '/../../../src/AdminAuth.php';
+AdminAuth::requireLogin();
+
+// ── CSRF ──────────────────────────────────────────────────────────────────────
+if (empty($_SESSION['csrf_token']) || ($_POST['csrf_token'] ?? '') !== $_SESSION['csrf_token']) {
+    http_response_code(403);
+    die('Invalid CSRF token.');
+}
+
+$credentialsFile = APP_ROOT . '/config/admin_credentials.php';
+$hasPassword     = defined('ADMIN_PASSWORD_HASH');
+$action          = $_POST['action'] ?? 'change_password';
+
+// ── Remove credentials ────────────────────────────────────────────────────────
+if ($action === 'remove_credentials') {
+    if (!$hasPassword) {
+        $_SESSION['error'] = 'Aucun fichier de mot de passe à supprimer.';
+        header('Location: /admin/account.php');
+        exit;
+    }
+
+    if (!is_writable($credentialsFile) && !is_writable(dirname($credentialsFile))) {
+        $_SESSION['error'] = 'Le fichier de configuration n\'est pas accessible en écriture.';
+        header('Location: /admin/account.php');
+        exit;
+    }
+
+    if (@unlink($credentialsFile)) {
+        // Destroy session so the user is forced to re-authenticate via nginx Basic Auth.
+        AdminAuth::logout();
+        header('Location: /admin/login.php');
+        exit;
+    } else {
+        $_SESSION['error'] = 'Impossible de supprimer le fichier de configuration.';
+        header('Location: /admin/account.php');
+        exit;
+    }
+}
+
+// ── Change / set password ─────────────────────────────────────────────────────
+
+// 1. If a password is already set, verify the current one.
+if ($hasPassword) {
+    $currentPassword = $_POST['current_password'] ?? '';
+    if (!AdminAuth::login($currentPassword)) {
+        $_SESSION['error'] = 'Mot de passe actuel incorrect.';
+        header('Location: /admin/account.php');
+        exit;
+    }
+}
+
+// 2. Validate new password.
+$newPassword     = $_POST['new_password']     ?? '';
+$confirmPassword = $_POST['confirm_password'] ?? '';
+
+if (strlen($newPassword) < 12) {
+    $_SESSION['error'] = 'Le nouveau mot de passe doit contenir au moins 12 caractères.';
+    header('Location: /admin/account.php');
+    exit;
+}
+
+if ($newPassword !== $confirmPassword) {
+    $_SESSION['error'] = 'Les mots de passe ne correspondent pas.';
+    header('Location: /admin/account.php');
+    exit;
+}
+
+// 3. Generate bcrypt hash (cost 12).
+$hash = password_hash($newPassword, PASSWORD_BCRYPT, ['cost' => 12]);
+if ($hash === false) {
+    $_SESSION['error'] = 'Erreur lors du hachage du mot de passe.';
+    header('Location: /admin/account.php');
+    exit;
+}
+
+// 4. Write credentials file.
+$configContent = '<?php' . "\n"
+    . '/**' . "\n"
+    . ' * Admin PHP-level password for the session auth guard (defence-in-depth).' . "\n"
+    . ' *' . "\n"
+    . ' * Generated by the admin panel on ' . date('Y-m-d H:i:s') . '.' . "\n"
+    . ' * To regenerate manually:' . "\n"
+    . ' *   php -r "echo password_hash(\'your-password\', PASSWORD_BCRYPT, [\'cost\' => 12]);"' . "\n"
+    . ' */' . "\n"
+    . "\n"
+    . 'define(\'ADMIN_PASSWORD_HASH\', ' . var_export($hash, true) . ');' . "\n";
+
+// Write atomically via a temp file.
+$tmpFile = $credentialsFile . '.tmp.' . bin2hex(random_bytes(6));
+if (file_put_contents($tmpFile, $configContent, LOCK_EX) === false) {
+    @unlink($tmpFile);
+    $_SESSION['error'] = 'Impossible d\'écrire le fichier de configuration. Vérifiez les permissions sur config/.';
+    header('Location: /admin/account.php');
+    exit;
+}
+if (!rename($tmpFile, $credentialsFile)) {
+    @unlink($tmpFile);
+    $_SESSION['error'] = 'Impossible de mettre à jour le fichier de configuration.';
+    header('Location: /admin/account.php');
+    exit;
+}
+
+// 5. Regenerate session (password changed — invalidate old sessions).
+session_regenerate_id(true);
+$_SESSION['admin_authenticated'] = true;
+
+$_SESSION['success'] = $hasPassword
+    ? 'Mot de passe mis à jour avec succès.'
+    : 'Mot de passe défini avec succès. L\'authentification PHP est maintenant active.';
+
+header('Location: /admin/account.php');
+exit;

public/assets/admin.css

@@ -734,3 +734,77 @@ html, body {
   color: #cc6060;
   border: 1px solid #7a2020;
 }
+
+/* ---- Account page ---- */
+.admin-account-status {
+  background: var(--admin-bg-alt);
+  border: 1px solid var(--admin-border);
+  border-radius: 4px;
+  padding: 1.25rem 1.5rem;
+  margin-bottom: 2.5rem;
+  display: flex;
+  flex-direction: column;
+  gap: 0.75rem;
+}
+
+.admin-account-status__row {
+  display: flex;
+  align-items: center;
+  gap: 0.75rem;
+  font-size: 0.9rem;
+}
+
+.admin-account-status__label {
+  color: var(--admin-text-muted);
+  min-width: 220px;
+}
+
+.admin-account-status__code {
+  font-family: "SFMono-Regular", Consolas, "Liberation Mono", Menlo, monospace;
+  font-size: 0.82rem;
+  background: var(--admin-bg);
+  border: 1px solid var(--admin-border);
+  border-radius: 3px;
+  padding: 0.1rem 0.4rem;
+  color: var(--admin-text-muted);
+}
+
+.admin-account-status__note {
+  font-size: 0.88rem;
+  color: #ffc107;
+  margin: 0.25rem 0 0;
+}
+
+.admin-section-title {
+  font-size: 1rem;
+  font-weight: 600;
+  letter-spacing: 0.07em;
+  text-transform: uppercase;
+  color: var(--admin-text-muted);
+  margin: 0 0 1.25rem;
+  padding-bottom: 0.5rem;
+  border-bottom: 1px solid var(--admin-border);
+}
+
+.admin-field-hint {
+  font-size: 0.8rem;
+  color: var(--admin-text-muted);
+  margin: 0.3rem 0 0;
+}
+
+.admin-danger-zone {
+  background: rgba(180, 0, 0, 0.07);
+  border: 1px solid rgba(200, 60, 60, 0.3);
+  border-radius: 4px;
+  padding: 1.25rem 1.5rem;
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  gap: 1.5rem;
+  flex-wrap: wrap;
+}
+
+.admin-danger-zone__description {
+  font-size: 0.9rem;
+  line-height: 1.5;
+}

templates/admin/head.php

@@ -31,6 +31,7 @@
         <a href="/admin/tags.php" class="admin-nav__link <?= $currentPage === 'tags.php' ? 'active' : '' ?>">Mots-clés</a>
         <a href="/admin/status.php" class="admin-nav__link <?= $currentPage === 'status.php' ? 'active' : '' ?>">Statut</a>
         <a href="/admin/logs.php" class="admin-nav__link <?= $currentPage === 'logs.php' ? 'active' : '' ?>">Journaux</a>
+        <a href="/admin/account.php" class="admin-nav__link <?= $currentPage === 'account.php' ? 'active' : '' ?>">Compte</a>
         <?php if ($thesisId && in_array($currentPage, ['edit.php', 'thanks.php'])): ?>
             <a href="/admin/edit.php?id=<?= intval($thesisId) ?>" class="admin-nav__link <?= $currentPage === 'edit.php' ? 'active' : '' ?>">Modifier</a>
         <?php endif; ?>