Unify flash messages: replace all legacy session key writes with App::flash()

All admin action files (account, tag, page, edit, visibility, maintenance,
publish, formulaire) now call App::flash('error'|'success', ...) instead of
writing to raw per-page session keys ($_SESSION['error'], 'admin_error',
'edit_error', 'admin_success', 'edit_success', 'form_error').

All admin display pages (add, edit, account, tags, pages, index) now include
templates/partials/flash-messages.php instead of manually reading and
unsetting the legacy session keys and inlining their own alert HTML.

App::consumeFlash() already drained all legacy key variants as a safety net,
so the partial works correctly whether called from pages that were already
migrated or any remaining stragglers. No behaviour change for end users.

public/admin/actions/publish.php

@@ -13,7 +13,7 @@ require_once __DIR__ . '/../../../src/Database.php';
 
 // Verify CSRF token
 if (!isset($_POST['csrf_token']) || !isset($_SESSION['csrf_token']) || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
-    $_SESSION['error'] = "Erreur de sécurité : token invalide.";
+    App::flash('error', "Erreur de sécurité : token invalide.");
     header('Location: ../index.php');
     exit;
 }
@@ -22,7 +22,7 @@ $action = isset($_POST['action']) ? $_POST['action'] : '';
 $isBulk = isset($_POST['bulk']) && $_POST['bulk'] == '1';
 
 if (!in_array($action, ['publish', 'unpublish'])) {
-    $_SESSION['error'] = "Action invalide.";
+    App::flash('error', "Action invalide.");
     header('Location: ../index.php');
     exit;
 }
@@ -38,7 +38,7 @@ try {
         $thesisIds = isset($_POST['selected_theses']) ? $_POST['selected_theses'] : [];
 
         if (empty($thesisIds)) {
-            $_SESSION['error'] = "Aucun TFE sélectionné.";
+            App::flash('error', "Aucun TFE sélectionné.");
             header('Location: ../index.php');
             exit;
         }
@@ -48,7 +48,7 @@ try {
         $thesisIds = array_filter($thesisIds, fn($id) => $id > 0);
 
         if (empty($thesisIds)) {
-            $_SESSION['error'] = "IDs invalides.";
+            App::flash('error', "IDs invalides.");
             header('Location: ../index.php');
             exit;
         }
@@ -63,9 +63,9 @@ try {
 
         $count = count($thesisIds);
         if ($action === 'publish') {
-            $_SESSION['success'] = "$count TFE(s) publié(s) avec succès!";
+            App::flash('success', "$count TFE(s) publié(s) avec succès!");
         } else {
-            $_SESSION['success'] = "$count TFE(s) retiré(s) de la publication.";
+            App::flash('success', "$count TFE(s) retiré(s) de la publication.");
         }
 
     } else {
@@ -73,7 +73,7 @@ try {
         $thesisId = isset($_POST['thesis_id']) ? intval($_POST['thesis_id']) : 0;
 
         if ($thesisId <= 0) {
-            $_SESSION['error'] = "ID invalide.";
+            App::flash('error', "ID invalide.");
             header('Location: ../index.php');
             exit;
         }
@@ -82,15 +82,15 @@ try {
         $stmt->execute([$isPublished, $thesisId]);
 
         if ($action === 'publish') {
-            $_SESSION['success'] = "TFE publié avec succès!";
+            App::flash('success', "TFE publié avec succès!");
         } else {
-            $_SESSION['success'] = "TFE retiré de la publication.";
+            App::flash('success', "TFE retiré de la publication.");
         }
     }
 
 } catch (Exception $e) {
     error_log("Publish error: " . $e->getMessage());
-    $_SESSION['error'] = "Erreur lors de la modification: " . $e->getMessage();
+    App::flash('error', "Erreur lors de la modification: " . $e->getMessage());
 }
 
 // Regenerate CSRF token