Restructure repository and implement secure search feature

Phase 1: Consolidate shared infrastructure
- Create shared/ directory for common code
- Consolidate Database.php from front-backend and formulaire into unified shared/Database.php
  - Smart path detection for test.db vs posterg.db
  - Secure search with wildcard escaping and input validation
  - Support both singleton and direct instantiation patterns
  - Full CRUD methods for admin functionality
- Move RateLimit.php to shared/ (30 requests/min)
- Update all require paths across apps to use shared/

Phase 2: Reorganize directory structure
- Rename front-backend/ → apps/public/
- Rename formulaire/ → apps/admin/
- Rename db/ → database/
- Update all file paths for new structure
- Create root .gitignore excluding databases, cache, logs

Implement secure search feature
- Add apps/public/search.php with full-text search across theses
- Search filters: query, year, orientation, AP program, keywords
- Security features:
  - SQL injection prevention (prepared statements)
  - Wildcard injection prevention (escape % and _)
  - Input validation (max 200 chars, year range 1900-2100)
  - Rate limiting (30 req/min per IP)
  - Pagination limited to 100 results/page
  - XSS protection (htmlspecialchars on output)

Add comprehensive test suite
- Create apps/public/tests/ with proper structure
  - tests/Integration/SearchTest.php - 12 search scenarios
  - tests/Security/SecurityTest.php - vulnerability testing
  - tests/Unit/RateLimitTest.php - rate limit behavior
- Create database/fixtures/CreateTestDatabase.php
- Add apps/public/run-tests.php test runner
- All tests passing (4/4 suites)

Update deployment configuration
- Rename justfile 'sync' recipe to 'deploy'
- Create deploy group with separate deploy-public and deploy-admin
- Add test-deploy recipe for test database
- Exclude *.db, tests/, cache/, *.md from production deploy
- Deploy shared/ to both public and admin locations

Stats: +4482 insertions, -654 deletions across 72 files

shared/RateLimit.php

@@ -0,0 +1,164 @@
+<?php
+
+/**
+ * Simple file-based rate limiter
+ * Prevents abuse by limiting requests per IP address
+ */
+class RateLimit {
+    private $cacheDir;
+    private $maxRequests;
+    private $timeWindow;
+
+    /**
+     * Constructor
+     * @param int $maxRequests Maximum requests allowed in time window
+     * @param int $timeWindow Time window in seconds
+     * @param string $cacheDir Directory to store rate limit data
+     */
+    public function __construct($maxRequests = 30, $timeWindow = 60, $cacheDir = null) {
+        $this->maxRequests = $maxRequests;
+        $this->timeWindow = $timeWindow;
+        $this->cacheDir = $cacheDir ?? __DIR__ . '/cache/rate_limit';
+
+        // Create cache directory if it doesn't exist
+        if (!is_dir($this->cacheDir)) {
+            mkdir($this->cacheDir, 0755, true);
+        }
+    }
+
+    /**
+     * Get client identifier (IP address)
+     * @return string Client identifier
+     */
+    private function getClientIdentifier() {
+        // Try to get real IP if behind proxy
+        if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
+            $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
+        } elseif (!empty($_SERVER['HTTP_CLIENT_IP'])) {
+            $ip = $_SERVER['HTTP_CLIENT_IP'];
+        } else {
+            $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
+        }
+
+        return $ip;
+    }
+
+    /**
+     * Get cache file path for a client
+     * @param string $identifier Client identifier
+     * @return string File path
+     */
+    private function getCacheFile($identifier) {
+        return $this->cacheDir . '/' . md5($identifier) . '.json';
+    }
+
+    /**
+     * Check if client has exceeded rate limit
+     * @return bool True if allowed, false if rate limit exceeded
+     */
+    public function check() {
+        $identifier = $this->getClientIdentifier();
+        $file = $this->getCacheFile($identifier);
+
+        // Load existing request timestamps
+        $data = [];
+        if (file_exists($file)) {
+            $content = file_get_contents($file);
+            $data = json_decode($content, true) ?? [];
+        }
+
+        // Clean old entries outside time window
+        $now = time();
+        $data = array_filter($data, function($timestamp) use ($now) {
+            return ($now - $timestamp) < $this->timeWindow;
+        });
+
+        // Check if limit exceeded
+        if (count($data) >= $this->maxRequests) {
+            return false;
+        }
+
+        // Add new request timestamp
+        $data[] = $now;
+
+        // Save updated data
+        file_put_contents($file, json_encode($data));
+
+        return true;
+    }
+
+    /**
+     * Get remaining requests for current client
+     * @return int Number of requests remaining
+     */
+    public function getRemaining() {
+        $identifier = $this->getClientIdentifier();
+        $file = $this->getCacheFile($identifier);
+
+        if (!file_exists($file)) {
+            return $this->maxRequests;
+        }
+
+        $content = file_get_contents($file);
+        $data = json_decode($content, true) ?? [];
+
+        // Clean old entries
+        $now = time();
+        $data = array_filter($data, function($timestamp) use ($now) {
+            return ($now - $timestamp) < $this->timeWindow;
+        });
+
+        return max(0, $this->maxRequests - count($data));
+    }
+
+    /**
+     * Get time until rate limit resets
+     * @return int Seconds until reset
+     */
+    public function getResetTime() {
+        $identifier = $this->getClientIdentifier();
+        $file = $this->getCacheFile($identifier);
+
+        if (!file_exists($file)) {
+            return 0;
+        }
+
+        $content = file_get_contents($file);
+        $data = json_decode($content, true) ?? [];
+
+        if (empty($data)) {
+            return 0;
+        }
+
+        // Find oldest timestamp
+        $oldest = min($data);
+        $resetTime = $oldest + $this->timeWindow - time();
+
+        return max(0, $resetTime);
+    }
+
+    /**
+     * Clean up old cache files (run periodically)
+     * Removes files that haven't been modified in 24 hours
+     */
+    public function cleanup() {
+        $files = glob($this->cacheDir . '/*.json');
+        $cutoff = time() - 86400; // 24 hours
+
+        foreach ($files as $file) {
+            if (filemtime($file) < $cutoff) {
+                unlink($file);
+            }
+        }
+    }
+
+    /**
+     * Send rate limit headers
+     * Provides information about rate limits to clients
+     */
+    public function sendHeaders() {
+        header('X-RateLimit-Limit: ' . $this->maxRequests);
+        header('X-RateLimit-Remaining: ' . $this->getRemaining());
+        header('X-RateLimit-Reset: ' . (time() + $this->getResetTime()));
+    }
+}