filepond: implement async server-ID upload architecture with nested queue support + PeerTube integration

Replace `storeAsFile:true` with a full async FilePond round-trip pipeline using opaque server-side file IDs.

* Added 4 new PHP endpoints under `/admin/actions/filepond/`:

  * `process.php` — upload/process single file and return opaque `file_id`
  * `revert.php` — delete pending tmp uploads before form submit
  * `load.php` — stream existing files by DB ID for FilePond preload
  * `remove.php` — soft-delete `thesis_files` rows
* `process.php` improvements:

  * accept arbitrary FilePond field names instead of hardcoded `file`
  * support PHP-nested multi-file queue inputs (`queue_file[tfe][]`)
  * explicit unwrapping of nested `$_FILES` structures
  * add `audio/mp3` to audio + `peertube_audio` MIME whitelists
  * immediate upload of `peertube_*` files to PeerTube, returning `peertube:{uuid}` IDs
  * extensive `error_log()` instrumentation for request, CSRF, MIME, upload, and save stages
* `revert.php` now accepts `peertube:` IDs without local cleanup
* `ThesisFileHandler`:

  * add `handleFilePondQueueFiles()` + `handleFilePondSingleFile()`
  * process async uploads from `storage/tmp/filepond/` via opaque `file_id`
  * inline handling of `peertube:{uuid}` IDs with direct `thesis_files` insertion
  * remove obsolete deferred PeerTube queue-processing flow
* `ThesisCreateController` + `ThesisEditController`:

  * gate async path behind `filepond_mode=1`
  * preserve legacy multipart flow as fallback
* `file-upload-filepond.js`:

  * remove `storeAsFile:true`
  * add `buildServerConfig()` for async endpoint wiring
  * fix `syncOrderInput()` to use `serverId`
  * add `onprocessfile` hook
  * add `fileValidateSizeFilterItem` for per-extension size caps
  * preload existing uploads via `data-existing-files` + `server.load`
  * replace static `INPUT_ID_TO_TYPE` map with `data-queue-type`
  * add extensive `console.log()` debugging across upload pipeline stages
* `upload-progress.js`:

  * block form submission while uploads are pending
  * update `collectFileNames()` to read processed FilePond items
* Templates/layout:

  * add `data-queue-type`
  * add `data-existing-files`
  * add global CSRF meta tag outside admin-only context
  * add `filepond_mode` hidden input
  * add CSRF token/meta support for partage pages
  * move website URL field below file upload block
* `.gitignore`: exclude `storage/tmp/` from version control

app/public/admin/actions/filepond/remove.php

@@ -0,0 +1,80 @@
+<?php
+/**
+ * FilePond remove endpoint — soft-deletes an already-saved thesis_files row.
+ *
+ * DELETE /admin/actions/filepond/remove.php
+ * Body: JSON { "db_id": 123 }
+ *
+ * Called when a user removes an existing file in edit mode via FilePond UI.
+ */
+
+require_once __DIR__ . '/../../../../bootstrap.php';
+require_once __DIR__ . '/../../../../src/AdminAuth.php';
+require_once __DIR__ . '/../../../../src/ErrorHandler.php';
+
+AdminAuth::requireLogin();
+
+// ── CSRF via header ──────────────────────────────────────────────────────
+$csrfHeader = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
+if (!isset($_SESSION['csrf_token'])
+    || !hash_equals($_SESSION['csrf_token'], $csrfHeader)) {
+    http_response_code(403);
+    die('Token CSRF invalide.');
+}
+
+// ── Only accept DELETE ───────────────────────────────────────────────────
+if ($_SERVER['REQUEST_METHOD'] !== 'DELETE') {
+    http_response_code(405);
+    die('Méthode non autorisée.');
+}
+
+// ── Parse JSON body ──────────────────────────────────────────────────────
+$body = json_decode(file_get_contents('php://input'), true);
+$dbId = filter_var($body['db_id'] ?? '', FILTER_VALIDATE_INT);
+
+if ($dbId === false || $dbId <= 0) {
+    http_response_code(400);
+    die('ID de fichier invalide.');
+}
+
+// ── Look up and soft-delete ──────────────────────────────────────────────
+require_once APP_ROOT . '/src/Database.php';
+$db = new Database();
+
+$pdo  = $db->getConnection();
+$stmt = $pdo->prepare('SELECT * FROM thesis_files WHERE id = ?');
+$stmt->execute([$dbId]);
+$fileRow = $stmt->fetch();
+
+if (!$fileRow) {
+    http_response_code(404);
+    die('Fichier introuvable.');
+}
+
+// ── Move physical file to _trash/ for recovery ───────────────────────────
+$filePath = $fileRow['file_path'] ?? '';
+if ($filePath !== ''
+    && !str_starts_with($filePath, 'peertube_ids:')
+    && !str_starts_with($filePath, 'http://')
+    && !str_starts_with($filePath, 'https://')) {
+
+    $absPath = STORAGE_ROOT . '/' . $filePath;
+    if (file_exists($absPath)) {
+        $trashDir = STORAGE_ROOT . '/tmp/_trash';
+        if (!is_dir($trashDir)) {
+            mkdir($trashDir, 0755, true);
+        }
+        $trashPath = $trashDir . '/' . basename($filePath);
+        // Append db_id to avoid name collisions
+        $trashPath = $trashDir . '/' . $dbId . '_' . basename($filePath);
+        rename($absPath, $trashPath);
+    }
+}
+
+// ── Soft-delete the row (set deleted_at timestamp) ───────────────────────
+// thesis_files may not have a deleted_at column; delete outright for now.
+$delStmt = $pdo->prepare('DELETE FROM thesis_files WHERE id = ?');
+$delStmt->execute([$dbId]);
+
+http_response_code(200);
+exit;