Implement TFE file access restriction feature (complete)

Requirements:
- parametres.php toggle: 'restricted_files_enabled' enables/disables the feature
- Public TFE page: when enabled + access_type=Interne, hides files, shows French
  restriction message + access request form (metadata/synopsis still visible)
- ERG emails (@erg.school / @erg.be): auto-approve, send 24h access link immediately
- External emails: show justification textarea, create pending request, notify admin
- Admin panel /admin/file-access.php: approve/reject requests with optional notes,
  sends access email on approval (linked from admin nav with pending count badge)

Security:
- One-time 24h email tokens (used_at + is_valid=0 on first click)
- Token redeemed via POST /validate-access (GET shows confirmation page only)
- Long-lived 30-day browser session in file_access_sessions table
- Cookie: HttpOnly + Secure + SameSite=Strict
- CSRF on all mutations, rate limiting on request submission
- Audit trail: IP, UA, event, timestamp in file_access_audit

Bug fixes:
- admin/file-access.php: $vars never extract()ed → page was blank
- Template had self-contained head/footer includes (double-include)
- Admin approval URL used $requestId instead of $request['thesis_id']
- App::boot() now starts session so CSRF token works on public pages
- Dispatcher routes /validate-access and /request-access through front controller

app/src/Controllers/TfeController.php

@@ -72,8 +72,23 @@ class TfeController
         }
 
         // Access type (1 = open, 2 = restricted, 3 = forbidden)
-        $accessTypeId = $this->db->getThesisAccessTypeId($thesisId) ?? 1;
-        $isInterdit   = ($accessTypeId === 3);
+        $accessTypeId      = $this->db->getThesisAccessTypeId($thesisId) ?? 1;
+        $isInterdit        = ($accessTypeId === 3);
+        
+        // Check if restricted files feature is enabled and user has access
+        $restrictedEnabled = $this->db->isRestrictedFilesEnabled();
+        $hasRestrictedAccess = false;
+        
+        if ($restrictedEnabled && $accessTypeId === 2) {
+            // Check for cookie-based access
+            $cookieToken = $_COOKIE['tfe_access_' . $thesisId] ?? null;
+            if ($cookieToken) {
+                $hasRestrictedAccess = $this->db->hasValidCookieAccess($cookieToken, $thesisId);
+            }
+        }
+        
+        // If access is restricted and user doesn't have valid access, hide files
+        $shouldHideFiles = ($restrictedEnabled && $accessTypeId === 2 && !$hasRestrictedAccess);
 
         // Caption (WebVTT) files — N-th VTT is paired with the N-th <video>
         $captionFiles = $this->collectCaptionPaths($data['files'] ?? []);
@@ -101,6 +116,11 @@ class TfeController
             'promoteursExternes' => $juryByRole['externes'],
             'juryLecteurs'      => $juryByRole['lecteurs'],
 
+            // Restricted files access
+            'restrictedEnabled'  => $restrictedEnabled,
+            'hasRestrictedAccess' => $hasRestrictedAccess,
+            'shouldHideFiles'    => $shouldHideFiles,
+
             // Page meta
             'pageTitle'       => $pageTitle,
             'metaDescription' => $metaDescription,