Restructure repository and implement secure search feature

Phase 1: Consolidate shared infrastructure
- Create shared/ directory for common code
- Consolidate Database.php from front-backend and formulaire into unified shared/Database.php
  - Smart path detection for test.db vs posterg.db
  - Secure search with wildcard escaping and input validation
  - Support both singleton and direct instantiation patterns
  - Full CRUD methods for admin functionality
- Move RateLimit.php to shared/ (30 requests/min)
- Update all require paths across apps to use shared/

Phase 2: Reorganize directory structure
- Rename front-backend/ → apps/public/
- Rename formulaire/ → apps/admin/
- Rename db/ → database/
- Update all file paths for new structure
- Create root .gitignore excluding databases, cache, logs

Implement secure search feature
- Add apps/public/search.php with full-text search across theses
- Search filters: query, year, orientation, AP program, keywords
- Security features:
  - SQL injection prevention (prepared statements)
  - Wildcard injection prevention (escape % and _)
  - Input validation (max 200 chars, year range 1900-2100)
  - Rate limiting (30 req/min per IP)
  - Pagination limited to 100 results/page
  - XSS protection (htmlspecialchars on output)

Add comprehensive test suite
- Create apps/public/tests/ with proper structure
  - tests/Integration/SearchTest.php - 12 search scenarios
  - tests/Security/SecurityTest.php - vulnerability testing
  - tests/Unit/RateLimitTest.php - rate limit behavior
- Create database/fixtures/CreateTestDatabase.php
- Add apps/public/run-tests.php test runner
- All tests passing (4/4 suites)

Update deployment configuration
- Rename justfile 'sync' recipe to 'deploy'
- Create deploy group with separate deploy-public and deploy-admin
- Add test-deploy recipe for test database
- Exclude *.db, tests/, cache/, *.md from production deploy
- Deploy shared/ to both public and admin locations

Stats: +4482 insertions, -654 deletions across 72 files

nginx/README.md

@@ -0,0 +1,172 @@
+# Nginx Configuration - Post-ERG
+
+This directory contains nginx configuration and setup scripts for the Post-ERG thesis website.
+
+## 📁 Files
+
+- **`posterg.conf`** - Complete nginx configuration file
+- **`setup-password.sh`** - Script to create admin passwords
+- **`SETUP.md`** - Detailed setup instructions
+- **`QUICK_REFERENCE.md`** - Command reference and troubleshooting
+
+## 🚀 Quick Start
+
+### 1. Set up admin password
+
+```bash
+# Make script executable
+chmod +x nginx/setup-password.sh
+
+# Run setup (as root on server)
+sudo ./nginx/setup-password.sh
+```
+
+### 2. Deploy nginx configuration
+
+```bash
+# From your local machine
+just deploy-nginx
+
+# Then on the server:
+sudo cp /tmp/posterg.conf /etc/nginx/sites-available/posterg
+sudo ln -s /etc/nginx/sites-available/posterg /etc/nginx/sites-enabled/
+sudo nginx -t
+sudo systemctl reload nginx
+```
+
+### 3. Set up SSL (production)
+
+```bash
+# On server
+sudo apt install certbot python3-certbot-nginx
+sudo certbot --nginx -d posterg.erg.be -d www.posterg.erg.be
+```
+
+## 🔒 Security Features
+
+### Admin Panel Protection
+- **Password required** for `/formulaire/` (admin panel)
+- HTTP Basic Authentication
+- Rate limited: 10 requests/minute
+
+### File Access Protection
+- Database files (`.db`) - **BLOCKED**
+- Sensitive files (`.md`, `.sql`, `.env`) - **BLOCKED**
+- Shared directory - **BLOCKED**
+- Tests directory - **BLOCKED**
+- Cache directory - **BLOCKED**
+- Hidden files (`.git`, etc.) - **BLOCKED**
+
+### Rate Limiting
+- General requests: 30/minute
+- Search endpoint: 30/minute
+- Admin panel: 10/minute
+
+### Security Headers
+- ✅ X-Frame-Options (clickjacking protection)
+- ✅ X-Content-Type-Options (MIME sniffing protection)
+- ✅ X-XSS-Protection (XSS filter)
+- ✅ Strict-Transport-Security (force HTTPS)
+- ✅ Referrer-Policy (referrer control)
+- ✅ Permissions-Policy (disable browser features)
+
+### SSL/TLS
+- TLS 1.2 and 1.3 only
+- Strong cipher suites
+- OCSP stapling
+- HSTS enabled
+
+## 📚 Documentation
+
+- **[SETUP.md](SETUP.md)** - Complete setup guide
+  - Installation steps
+  - Configuration details
+  - Testing procedures
+  - Troubleshooting
+  - Performance tuning
+  - Security checklist
+
+- **[QUICK_REFERENCE.md](QUICK_REFERENCE.md)** - Command reference
+  - Common operations
+  - Password management
+  - Nginx control
+  - Log viewing
+  - Testing commands
+  - Troubleshooting
+
+## 🧪 Testing
+
+Test your configuration:
+
+```bash
+# Test admin authentication
+curl -I https://posterg.erg.be/formulaire/
+
+# Test file protection
+curl -I https://posterg.erg.be/database/posterg.db
+
+# Test security headers
+curl -I https://posterg.erg.be/ | grep -E "X-|Strict-Transport"
+```
+
+## 🆘 Quick Help
+
+### Admin can't log in
+```bash
+# Reset password
+sudo htpasswd /etc/nginx/.htpasswd-posterg admin
+```
+
+### 502 Bad Gateway
+```bash
+# Check PHP-FPM
+sudo systemctl status php8.2-fpm
+sudo systemctl restart php8.2-fpm
+```
+
+### Configuration errors
+```bash
+# Test and show errors
+sudo nginx -t
+```
+
+## 📊 Monitoring
+
+```bash
+# Watch access logs
+sudo tail -f /var/log/nginx/posterg_access.log
+
+# Watch error logs
+sudo tail -f /var/log/nginx/posterg_error.log
+
+# Check nginx status
+sudo systemctl status nginx
+```
+
+## 🔄 Maintenance
+
+### Change admin password
+```bash
+sudo htpasswd /etc/nginx/.htpasswd-posterg admin
+```
+
+### Reload after config changes
+```bash
+sudo nginx -t && sudo systemctl reload nginx
+```
+
+### Renew SSL certificate
+```bash
+sudo certbot renew
+```
+
+## 📞 Support
+
+For detailed instructions, see:
+- **SETUP.md** - Complete setup guide
+- **QUICK_REFERENCE.md** - Command reference
+
+For issues:
+1. Check nginx error logs: `sudo tail /var/log/nginx/posterg_error.log`
+2. Test configuration: `sudo nginx -t`
+3. Check PHP-FPM: `sudo systemctl status php8.2-fpm`