Fix two backend correctness issues

- Wrap setThesisJury() in a transaction: the method did a DELETE then multiple
  INSERTs with no atomicity guarantee. A partial failure (e.g. findOrCreateSupervisor
  throwing) would leave the jury table with orphaned rows. The fix uses
  pdo->inTransaction() to avoid nesting when called from within an outer transaction,
  and performs beginTransaction/commit/rollBack otherwise.

- Replace raw PDO query in admin/thanks.php with db->getThesisFiles(): the file
  listing after TFE submission was manually preparing a SELECT on thesis_files
  instead of calling the existing Database::getThesisFiles() method. Removes the
  getPDO() call entirely from that file.

TODO.md

@@ -408,7 +408,7 @@ Goal: rename the tables and column to the canonical M2M pattern (`tags`, `thesis
       into `$problematique` but the value is **never used** (no matching column, no INSERT reference).
       Deleted.
 
-- [ ] **`setThesisJury()` not wrapped in a transaction** — the method does a DELETE then multiple
+- [x] **`setThesisJury()` not wrapped in a transaction** — the method does a DELETE then multiple
       INSERTs with no transaction guard of its own. If called from outside a transaction (e.g. a
       future API endpoint) a partial failure leaves orphaned rows. Wrap the body in
       `BEGIN … COMMIT / ROLLBACK` (check `$this->pdo->inTransaction()` to avoid nesting).
@@ -551,7 +551,7 @@ Goal: rename the tables and column to the canonical M2M pattern (`tags`, `thesis
 
 ### H — Minor / low-hanging fruit
 
-- [ ] **`admin/thanks.php` duplicates `getThesisFiles()` with a raw PDO query** — lines 34–40
+- [x] **`admin/thanks.php` duplicates `getThesisFiles()` with a raw PDO query** — lines 34–40
       manually prepare `SELECT … FROM thesis_files WHERE thesis_id = ?` instead of calling
       `$db->getThesisFiles($thesisId)` which already exists. Replace with the DB method.