Restructure repository and implement secure search feature

Phase 1: Consolidate shared infrastructure
- Create shared/ directory for common code
- Consolidate Database.php from front-backend and formulaire into unified shared/Database.php
  - Smart path detection for test.db vs posterg.db
  - Secure search with wildcard escaping and input validation
  - Support both singleton and direct instantiation patterns
  - Full CRUD methods for admin functionality
- Move RateLimit.php to shared/ (30 requests/min)
- Update all require paths across apps to use shared/

Phase 2: Reorganize directory structure
- Rename front-backend/ → apps/public/
- Rename formulaire/ → apps/admin/
- Rename db/ → database/
- Update all file paths for new structure
- Create root .gitignore excluding databases, cache, logs

Implement secure search feature
- Add apps/public/search.php with full-text search across theses
- Search filters: query, year, orientation, AP program, keywords
- Security features:
  - SQL injection prevention (prepared statements)
  - Wildcard injection prevention (escape % and _)
  - Input validation (max 200 chars, year range 1900-2100)
  - Rate limiting (30 req/min per IP)
  - Pagination limited to 100 results/page
  - XSS protection (htmlspecialchars on output)

Add comprehensive test suite
- Create apps/public/tests/ with proper structure
  - tests/Integration/SearchTest.php - 12 search scenarios
  - tests/Security/SecurityTest.php - vulnerability testing
  - tests/Unit/RateLimitTest.php - rate limit behavior
- Create database/fixtures/CreateTestDatabase.php
- Add apps/public/run-tests.php test runner
- All tests passing (4/4 suites)

Update deployment configuration
- Rename justfile 'sync' recipe to 'deploy'
- Create deploy group with separate deploy-public and deploy-admin
- Add test-deploy recipe for test database
- Exclude *.db, tests/, cache/, *.md from production deploy
- Deploy shared/ to both public and admin locations

Stats: +4482 insertions, -654 deletions across 72 files

nginx/posterg.conf

@@ -0,0 +1,283 @@
+# Nginx configuration for Post-ERG thesis website
+# Place this in /etc/nginx/sites-available/posterg
+# Then symlink: ln -s /etc/nginx/sites-available/posterg /etc/nginx/sites-enabled/
+
+# Rate limiting zones
+limit_req_zone $binary_remote_addr zone=general:10m rate=30r/m;
+limit_req_zone $binary_remote_addr zone=search:10m rate=30r/m;
+limit_req_zone $binary_remote_addr zone=admin:10m rate=10r/m;
+
+# Server block - HTTP (redirect to HTTPS in production)
+server {
+    listen 80;
+    listen [::]:80;
+    server_name posterg.erg.be www.posterg.erg.be;
+
+    # Redirect all HTTP to HTTPS (uncomment in production)
+    # return 301 https://$server_name$request_uri;
+
+    # For development/testing, allow HTTP
+    root /var/www/html;
+    index index.php index.html;
+
+    # Security headers
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
+
+    # Disable server tokens
+    server_tokens off;
+
+    # Max upload size (for thesis files)
+    client_max_body_size 100M;
+    client_body_timeout 120s;
+
+    # Logging
+    access_log /var/log/nginx/posterg_access.log;
+    error_log /var/log/nginx/posterg_error.log warn;
+
+    # Block common attack patterns
+    location ~ /\. {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }
+
+    location ~ \.(git|env|db-journal)$ {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }
+
+    # Deny access to sensitive files
+    location ~* \.(md|txt|sql|sh|json)$ {
+        deny all;
+    }
+
+    # Deny access to database files
+    location ~* \.db$ {
+        deny all;
+    }
+
+    # Deny access to shared/ directory (PHP includes only)
+    location /shared/ {
+        deny all;
+    }
+
+    # Deny access to tests directory
+    location /tests/ {
+        deny all;
+    }
+
+    # Deny access to cache directory
+    location /cache/ {
+        deny all;
+    }
+
+    # Admin panel - password protected
+    location /formulaire/ {
+        alias /var/www/html/formulaire/;
+
+        # HTTP Basic Authentication
+        auth_basic "Admin Access - Post-ERG";
+        auth_basic_user_file /etc/nginx/.htpasswd-posterg;
+
+        # Rate limiting for admin
+        limit_req zone=admin burst=5 nodelay;
+
+        # PHP handling
+        location ~ \.php$ {
+            include snippets/fastcgi-php.conf;
+            fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
+            fastcgi_param SCRIPT_FILENAME $request_filename;
+        }
+
+        # Additional security for admin
+        add_header X-Robots-Tag "noindex, nofollow" always;
+    }
+
+    # Search endpoint - rate limiting
+    location /search.php {
+        limit_req zone=search burst=10 nodelay;
+        include snippets/fastcgi-php.conf;
+        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
+    }
+
+    # Public PHP files
+    location ~ \.php$ {
+        limit_req zone=general burst=20 nodelay;
+
+        include snippets/fastcgi-php.conf;
+        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
+
+        # Security parameters
+        fastcgi_param PHP_VALUE "upload_max_filesize=50M \n post_max_size=100M";
+        fastcgi_param PHP_ADMIN_VALUE "open_basedir=/var/www/html:/tmp";
+
+        # Timeouts
+        fastcgi_read_timeout 120;
+        fastcgi_send_timeout 120;
+    }
+
+    # Static files caching
+    location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg|woff|woff2|ttf|otf)$ {
+        expires 30d;
+        add_header Cache-Control "public, immutable";
+        access_log off;
+    }
+
+    # Root location
+    location / {
+        try_files $uri $uri/ =404;
+    }
+
+    # Deny access to specific file types in data directories
+    location ~* /data/.*\.(php|sh|py)$ {
+        deny all;
+    }
+}
+
+# Server block - HTTPS (production)
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name posterg.erg.be www.posterg.erg.be;
+
+    root /var/www/html;
+    index index.php index.html;
+
+    # SSL certificates (Let's Encrypt)
+    # Run: certbot --nginx -d posterg.erg.be -d www.posterg.erg.be
+    ssl_certificate /etc/letsencrypt/live/posterg.erg.be/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/posterg.erg.be/privkey.pem;
+
+    # SSL configuration
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
+    ssl_prefer_server_ciphers off;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    # Security headers (HTTPS)
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
+
+    # Disable server tokens
+    server_tokens off;
+
+    # Max upload size
+    client_max_body_size 100M;
+    client_body_timeout 120s;
+
+    # Logging
+    access_log /var/log/nginx/posterg_ssl_access.log;
+    error_log /var/log/nginx/posterg_ssl_error.log warn;
+
+    # Block common attack patterns
+    location ~ /\. {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }
+
+    location ~ \.(git|env|db-journal)$ {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }
+
+    # Deny access to sensitive files
+    location ~* \.(md|txt|sql|sh|json)$ {
+        deny all;
+    }
+
+    # Deny access to database files
+    location ~* \.db$ {
+        deny all;
+    }
+
+    # Deny access to shared/ directory
+    location /shared/ {
+        deny all;
+    }
+
+    # Deny access to tests directory
+    location /tests/ {
+        deny all;
+    }
+
+    # Deny access to cache directory
+    location /cache/ {
+        deny all;
+    }
+
+    # Admin panel - password protected
+    location /formulaire/ {
+        alias /var/www/html/formulaire/;
+
+        # HTTP Basic Authentication
+        auth_basic "Admin Access - Post-ERG";
+        auth_basic_user_file /etc/nginx/.htpasswd-posterg;
+
+        # Rate limiting
+        limit_req zone=admin burst=5 nodelay;
+
+        # PHP handling
+        location ~ \.php$ {
+            include snippets/fastcgi-php.conf;
+            fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
+            fastcgi_param SCRIPT_FILENAME $request_filename;
+        }
+
+        # Security headers
+        add_header X-Robots-Tag "noindex, nofollow" always;
+    }
+
+    # Search endpoint - rate limiting
+    location /search.php {
+        limit_req zone=search burst=10 nodelay;
+        include snippets/fastcgi-php.conf;
+        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
+    }
+
+    # Public PHP files
+    location ~ \.php$ {
+        limit_req zone=general burst=20 nodelay;
+
+        include snippets/fastcgi-php.conf;
+        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
+
+        # Security parameters
+        fastcgi_param PHP_VALUE "upload_max_filesize=50M \n post_max_size=100M";
+        fastcgi_param PHP_ADMIN_VALUE "open_basedir=/var/www/html:/tmp";
+
+        # Timeouts
+        fastcgi_read_timeout 120;
+        fastcgi_send_timeout 120;
+    }
+
+    # Static files caching
+    location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg|woff|woff2|ttf|otf)$ {
+        expires 30d;
+        add_header Cache-Control "public, immutable";
+        access_log off;
+    }
+
+    # Root location
+    location / {
+        try_files $uri $uri/ =404;
+    }
+
+    # Deny access to script files in data directories
+    location ~* /data/.*\.(php|sh|py)$ {
+        deny all;
+    }
+}