maintenance: allow /partage through gate, fix fragment routing, add visibility table in admin

Extract shared filepond logic into src/FilepondHandler.php class.
Admin filepond endpoints delegate to the handler after AdminAuth check.
New partage filepond endpoints at /partage/actions/filepond/ verify
share_active session flag + CSRF token, no admin auth required.

JS reads filepond-base meta tag to determine endpoint path:
- Admin pages: /admin/actions/filepond (via head.php isAdmin check)
- Partage form: /partage/actions/filepond (explicit meta)

partage/index.php sets share_active = true on form render, cleans up on
successful submit. Partage process endpoint rate-limited to 30/5min per
session. No nginx changes needed — /partage/ location already handles
PHP without auth_basic.

app/bootstrap.php

@@ -39,11 +39,12 @@ require_once APP_ROOT . '/src/App.php';
 // The flag file lives in storage/ (outside webroot) to avoid web exposure.
 define('MAINTENANCE_FLAG', APP_ROOT . '/storage/maintenance.flag');
 if (file_exists(MAINTENANCE_FLAG)) {
-    // Allow admin panel through (by path prefix) and the maintenance page itself
+    // Allow admin panel, partage pages (path prefix), and the maintenance page itself
     $requestPath = $_SERVER['REQUEST_URI'] ?? '';
-    $isAdmin = str_starts_with($requestPath, '/admin');
+    $isAdmin       = str_starts_with($requestPath, '/admin');
+    $isPartage     = str_starts_with($requestPath, '/partage');
     $isMaintenance = str_contains($requestPath, 'maintenance.php');
-    if (!$isAdmin && !$isMaintenance) {
+    if (!$isAdmin && !$isPartage && !$isMaintenance) {
         require APP_ROOT . '/public/maintenance.php';
         exit();
     }