feat: fix file deletion on save + trash policy + documents/ prefix + relink browser

1. note_intention: Delete old file only when a genuinely new upload arrives
   (32-char hex file_id), not when the FilePond pool preserves an existing
   file by sending its DB integer ID.  Previously the DB integer ID
   triggered $hasNewNote=true, which deleted the existing note_intention
   from disk+DB, then handleFilePondSingleFile couldn't re-process it
   because the regex requires a hex pattern.  Same fix applied to cover.

2. All file deletions now use deleteThesisFileToTrash() which renames
   files to tmp/_trash/ instead of unlinking.  The trash preserves
   original filenames prefixed with DB id for traceability.  Skips
   website URLs and PeerTube refs (no disk file).

3. Storage prefix changed from theses/ to documents/ to reflect that
   the folder holds all document types (determined by file_type in DB).
   MediaController visibility gate supports both prefixes for backward
   compat with existing files.

4. File browser + relink feature for orphaned files:
   - /admin/fragments/file-browser.php — HTMX tree browser for
     storage/documents/ and storage/theses/
   - /admin/actions/filepond/relink.php — POST endpoint that inserts
     a thesis_files row pointing to existing on-disk file
   - Per-pool "📂 Relier" buttons (edit mode only)
   - JS: XamxamOpenFileBrowser / XamxamRelinkFile with FilePond integration
   - CSS: .relink-modal dialog + .file-browser tree styles

TODO.md

@@ -1,7 +1,32 @@
 # Current tasks
 
+## Save fixes (files disappearing on edit/terminer)
+- [x] Fix: note_intention deleted on save — handleFilePondSingleFile treats existing DB id as new upload, deletes existing, then can't re-process (integer vs hex mismatch)
+- [x] Fix: cover removal now uses trash, same hex-vs-integer guard as note_intention
+- [x] Fix: all file deletions now route through deleteThesisFileToTrash (renames to tmp/_trash instead of unlinking)
+
+## Storage restructure
+- [x] Move storage root from theses/ to documents/ (ThesisFileHandler, ThesisEditController, ThesisCreateController, MediaController)
+- [x] MediaController: support both theses/ and documents/ prefixes for visibility gate
+- [ ] Migration: rename existing theses/ directories to documents/ on disk and update DB paths
+
+## Relink feature
+- [x] Backend: endpoint to browse documents/ directory (file-browser.php with HTMX tree)
+- [x] Backend: endpoint to relink an existing file to a thesis (relink.php inserts thesis_files row)
+- [x] Frontend: modal with folder browser, triggered by a "Relier" button next to each FilePond pool
+- [x] JS: integrate relink button into FilePond UI (XamxamOpenFileBrowser + XamxamRelinkFile)
+- [x] CSS: .relink-modal + .file-browser styles in form.css
+
+## Trash policy
+- [x] FilePond remove moves to tmp/_trash (already implemented in handleRemove)
+
 - [x] Fix: partage FilePond asks admin password — shared handler + separate partage endpoints with share_active session gate
-- [ ] Deploy: just deploy (includes new partage/actions/filepond/ + FilepondHandler.php)
+- [x] Fix: mots-clé HTMX search — restored tag-search-fragment.php logic lost during fragment architecture refactor
+- [x] Generalize pill-search: single fragment endpoint (type=tag|language|supervisor), deduplicate tag & language backends, add jury autocomplete (promoteur·ice interne/externe ULB, lecteur·ice interne/externe)
+- [x] Deploy: just deploy (includes new partage/actions/filepond/ + FilepondHandler.php)
+- [x] Fix: language pill-search showing mots-clé results — form field name collision; replaced hidden inputs with scoped hx-vals; fixed exclude logic per type
+- [x] Add Créer button to jury supervisor autocomplete (removed guard in pill-search-fragment.php)
+- [x] Fix: UNIQUE constraint on authors.email — findOrCreateAuthor now checks for existing author by email before inserting; prevents crash when two authors share an email
 
 # Current tasks
 
@@ -44,7 +69,7 @@
 - [x] `admin/parametres.php`: always-visible accessibility table (Normal vs Maintenance)
 - [x] `admin.css`: `.param-access-table` styles (border-radius via overflow:hidden, green/secondary colours)
 - [x] `partage/index.php`: fix fragment routing — `$slug` was `'fragments'` but check used `str_starts_with($slug, 'fragments/')`, causing HTMX fragments to redirect to / (main page)
-- [ ] Deploy: `just deploy` + `just deploy-nginx`
+- [x] Deploy: `just deploy` + `just deploy-nginx`
 
 ## Previous items
 
@@ -62,3 +87,38 @@
 - [x] Add `script-src 'self' 'unsafe-inline'` to main CSP header (public pages use inline scripts + onclick handlers)
 - [x] Add `storage/tmp/filepond/*` to .gitignore + rsync exclude, with .gitkeep
 - [ ] Deploy: `just deploy` to sync vendor JS files + updated CSP + .gitkeep to server
+
+# improvements_postlaunch — Année verrouillable dans partage + correction ID
+
+## Implémentation
+
+### 1. Schema: ajouter locked_year aux share_links
+- [ ] `Database::runMigrations()`: ALTER TABLE share_links ADD COLUMN locked_year INTEGER
+- [ ] `app/storage/schema.sql`: ajouter la colonne
+
+### 2. ShareLink model: lire/écrire locked_year
+- [ ] `ShareLink::create()`: accepter et stocker locked_year
+- [ ] `ShareLink::update()`: accepter et stocker locked_year
+- [ ] `findBySlug()` retourne déjà SELECT *, donc locked_year remonte automatiquement
+
+### 3. Admin UI — Dialog de création de lien
+- [ ] Ajouter champ "Année académique verrouillée" dans create-dialog (acces.php)
+- [ ] Ajouter champ dans edit-dialog (acces.php)
+
+### 4. Admin UI — Liste des liens
+- [ ] Afficher colonne "Année" dans le tableau des liens (acces.php)
+
+### 5. Admin actions (acces-etudiante.php)
+- [ ] Lire locked_year depuis $_POST dans action 'create' et 'update'
+- [ ] Passer au ShareLink model
+
+### 6. Partage — Formulaire
+- [ ] `partage/index.php` (`renderShareLinkForm`): lire locked_year depuis le lien
+- [ ] `fieldset-academic.php`: quand $lockedYear est défini → hidden input + span "Année académique verrouillée : YYYY" + explication; quand null → comportement actuel
+- [ ] `ThesisCreateController::validateAndSanitise()`: respecter locked_year si présent dans POST (priorité sur $_POST['année'])
+
+### 7. Admin edit.php — Forcer l'identifiant
+- [ ] Ajouter un champ "Identifiant" en lecture seule mais avec un bouton "Regénérer"
+- [ ] `ThesisEditController`: ajouter méthode `regenerateIdentifier()` qui reconstruit YYYY-NNN avec MAX+1 sur la nouvelle année
+- [ ] `Database`: méthode `regenerateThesisIdentifier(int $thesisId, int $year)` — met à jour identifier basé sur l'année dans un SELECT FOR UPDATE
+- [ ] Attention: renommer les dossiers de fichiers sur disque si l'identifiant change