refactor: rename database → storage

More semantically accurate: contains SQLite files, schema, fixtures, test data.
Updated all references in code, scripts, docs.

docs/COMPLETE_DEPLOYMENT_GUIDE.md

@@ -188,7 +188,7 @@ curl -I https://posterg.erg.be/
 curl -I https://posterg.erg.be/admin/
 
 # Should be 404 (SECURITY - private files):
-curl -I https://posterg.erg.be/database/test.db
+curl -I https://posterg.erg.be/storage/test.db
 curl -I https://posterg.erg.be/config/bootstrap.php
 curl -I https://posterg.erg.be/includes/header.php
 curl -I https://posterg.erg.be/lib/Database.php
@@ -320,8 +320,8 @@ sudo systemctl reload nginx
 **Fix:**
 ```bash
 ssh posterg
-sudo chown www-data:posterg /var/www/posterg/database/test.db
-sudo chmod 660 /var/www/posterg/database/test.db
+sudo chown www-data:posterg /var/www/posterg/storage/test.db
+sudo chmod 660 /var/www/posterg/storage/test.db
 ```
 
 ### Admin upload errors

docs/DATABASE_CONFIG.md

@@ -23,10 +23,10 @@ The `shared/config.php` file defines:
 
 ```php
 // Test database (development)
-DB_TEST_PATH = '/path/to/database/test.db'
+DB_TEST_PATH = '/path/to/storage/test.db'
 
 // Production database (server)
-DB_PROD_PATH = '/path/to/database/posterg.db'
+DB_PROD_PATH = '/path/to/storage/posterg.db'
 ```
 
 ## How It Works
@@ -35,7 +35,7 @@ DB_PROD_PATH = '/path/to/database/posterg.db'
 
 By default, the system automatically determines which database to use:
 
-1. **If `database/test.db` exists** → Use test database (development mode)
+1. **If `storage/test.db` exists** → Use test database (development mode)
 2. **Otherwise** → Use production database (production mode)
 
 This means:
@@ -123,7 +123,7 @@ just deploy-database
 To test with production data locally:
 ```bash
 # Download production database (optional)
-scp posterg:/var/www/html/database/posterg.db database/
+scp posterg:/var/www/html/storage/posterg.db database/
 
 # Remove test database to force production mode
 rm database/test.db
@@ -177,5 +177,5 @@ if (isTestMode()) {
 - **Explicit test deploy**: Use `just test-deploy` to explicitly deploy test.db when needed
 - **Git ignored**: Test database is in `.gitignore` and never committed
 - **Backups**: Production database should be backed up regularly
-- **Schema**: Both databases use the same schema (`database/schema.sql`)
+- **Schema**: Both databases use the same schema (`storage/schema.sql`)
 - **Verification**: Run `rsync --dry-run` to preview what will be deployed before deploying

docs/DEPLOYMENT_MIGRATION.md

@@ -14,7 +14,7 @@ php -S 127.0.0.1:8000
 
 **Problems:**
 - Serves from project root (all files accessible via web)
-- Exposes sensitive files: `database/`, `tests/`, `vendor/`, config files
+- Exposes sensitive files: `storage/`, `tests/`, `vendor/`, config files
 - Doesn't match production DocumentRoot configuration
 - Security risk: `.env`, database files, source code all accessible
 
@@ -216,7 +216,7 @@ deploy-code:
 ```just
 test-deploy:
     ssh posterg "mkdir -p /var/www/html/database"
-    rsync -vur --progress ./database/test.db posterg:/var/www/html/database/test.db
+    rsync -vur --progress ./storage/test.db posterg:/var/www/html/storage/test.db
 ```
 
 **New:**
@@ -229,9 +229,9 @@ deploy-database:
     echo; \
     if [[ $$REPLY =~ ^[Yy]$$ ]]; then \
         ssh posterg "mkdir -p /var/www/posterg/database" && \
-        rsync -vur --progress ./database/test.db posterg:/var/www/posterg/database/ && \
-        ssh posterg "chown www-data:posterg /var/www/posterg/database/test.db && \
-                     chmod 660 /var/www/posterg/database/test.db" && \
+        rsync -vur --progress ./storage/test.db posterg:/var/www/posterg/storage/ && \
+        ssh posterg "chown www-data:posterg /var/www/posterg/storage/test.db && \
+                     chmod 660 /var/www/posterg/storage/test.db" && \
         echo "✅ Database deployed"; \
     else \
         echo "❌ Cancelled"; \
@@ -241,7 +241,7 @@ deploy-database:
 [group('deploy')]
 backup-remote-db:
     @echo "💾 Backing up remote database..."
-    @ssh posterg "sqlite3 /var/www/posterg/database/test.db .dump" > database/remote_backup_$(date +%Y%m%d_%H%M%S).sql
+    @ssh posterg "sqlite3 /var/www/posterg/storage/test.db .dump" > database/remote_backup_$(date +%Y%m%d_%H%M%S).sql
     @echo "✅ Remote database backed up locally"
 ```
 
@@ -338,7 +338,7 @@ server {
         deny all;
     }
     
-    location ~ /database/ {
+    location ~ /storage/ {
         deny all;
     }
     
@@ -400,7 +400,7 @@ mv lib src/lib
 just serve
 # Opens http://localhost:8000
 # Verify that sensitive files return 404:
-#   http://localhost:8000/database/test.db  → 404
+#   http://localhost:8000/storage/test.db  → 404
 #   http://localhost:8000/config/          → 404
 #   http://localhost:8000/src/             → 404
 ```
@@ -461,7 +461,7 @@ just server-status
 - [ ] File uploads work (if applicable)
 - [ ] Logs written to `/var/www/posterg/var/logs/`
 - [ ] Sensitive URLs return 404:
-  - https://posterg.erg.be/database/test.db
+  - https://posterg.erg.be/storage/test.db
   - https://posterg.erg.be/config/
   - https://posterg.erg.be/src/
   - https://posterg.erg.be/vendor/
@@ -477,7 +477,7 @@ just server-status
 | Assets | `/assets/` | `/public/assets/` |
 | Config | `/inc/` | `/config/` or `/src/` |
 | Libraries | `/lib/` | `/src/lib/` |
-| Database | `/database/` | `/database/` (stays) |
+| Database | `/storage/` | `/storage/` (stays) |
 | Vendor | `/vendor/` | `/vendor/` (stays) |
 | Tests | `/tests/` | `/tests/` (stays) |
 
@@ -554,7 +554,7 @@ require_once APP_ROOT . '/config/app.php';
 
 ### Issue: Database connection fails
 **Cause:** Path to database file wrong  
-**Fix:** Update path from `database/test.db` to `../database/test.db` (from public/)
+**Fix:** Update path from `storage/test.db` to `../storage/test.db` (from public/)
 
 ### Issue: Can't write to cache/logs
 **Cause:** Wrong permissions on var/ directory  

docs/DEPLOYMENT_STEPS.md

@@ -24,7 +24,7 @@ This deploys all files to `/var/www/posterg/`:
 - `public/` → `/var/www/posterg/public/`
 - `includes/` → `/var/www/posterg/includes/`
 - `config/` → `/var/www/posterg/config/`
-- `database/` → `/var/www/posterg/database/`
+- `storage/` → `/var/www/posterg/storage/`
 - `src/` → `/var/www/posterg/lib/`
 
 ### 3. Update Nginx Configuration
@@ -59,7 +59,7 @@ just server-status
 Check:
 - https://posterg.erg.be/ (should work)
 - https://posterg.erg.be/admin/ (should work)
-- https://posterg.erg.be/database/test.db (should 404 ✅)
+- https://posterg.erg.be/storage/test.db (should 404 ✅)
 
 ---
 
@@ -84,7 +84,7 @@ just deploy-database
 ```
 
 This will:
-1. Upload `database/test.db` to server
+1. Upload `storage/test.db` to server
 2. Set correct permissions
 3. Warn before overwriting
 
@@ -174,7 +174,7 @@ jj edit <previous-change-id>
 - [ ] SSH to server and apply nginx config
 - [ ] `sudo systemctl reload nginx`
 - [ ] Verify site works: https://posterg.erg.be/
-- [ ] Verify security: https://posterg.erg.be/database/test.db → 404
+- [ ] Verify security: https://posterg.erg.be/storage/test.db → 404
 - [ ] Test admin: https://posterg.erg.be/admin/
 - [ ] Deploy database (if needed): `just deploy-database`
 

docs/DEVELOPMENT_GUIDE.md

@@ -186,7 +186,7 @@ include 'inc/header.php';
 
 ### Test Database
 
-Development uses `database/test.db` (gitignored).
+Development uses `storage/test.db` (gitignored).
 
 **Create test database:**
 ```bash
@@ -360,7 +360,7 @@ All will auto-refresh when you save files! ✨
 
 ### Using a Real Test Database
 
-The test database (`database/test.db`) is gitignored. To share test data:
+The test database (`storage/test.db`) is gitignored. To share test data:
 
 ```bash
 # Create fixtures
@@ -479,7 +479,7 @@ just test
 ## 📚 Further Reading
 
 - [Test Documentation](../tests/README.md)
-- [Database Specification](../database/DATABASE_SPECIFICATION.md)
+- [Database Specification](../storage/DATABASE_SPECIFICATION.md)
 - [Migration Guide](../MIGRATION_GUIDE.md)
 - [Deployment Guide](../nginx/DEPLOYMENT_COMPLETE.md)
 

docs/MIGRATION_CHECKLIST.md

@@ -52,7 +52,7 @@ sed -i 's/@php -S 127.0.0.1:8000/@php -S 127.0.0.1:8000 -t public\//' justfile
 # 2. Test new dev server
 just serve
 # Visit http://localhost:8000
-# Verify http://localhost:8000/database/test.db returns 404
+# Verify http://localhost:8000/storage/test.db returns 404
 
 # 3. If it works, you're ready for production migration
 ```
@@ -118,13 +118,13 @@ location ^~ /admin/ {
 3. **Remove/update deny rules** (lines 48-60) - These become redundant!
 ```nginx
 # BEFORE - needed because everything in DocumentRoot
-location ^~ /database/ { deny all; }
+location ^~ /storage/ { deny all; }
 location ^~ /shared/ { deny all; }
 location ^~ /data/ { deny all; }
 
 # AFTER - can remove! They're already outside public/
 # But keep as defense-in-depth:
-location ^~ /database/ { deny all; }  # Will never match, but safe
+location ^~ /storage/ { deny all; }  # Will never match, but safe
 ```
 
 ### In justfile:
@@ -191,9 +191,9 @@ deploy:
 test-deploy:
     @echo "⚠️  Deploying test database"
     ssh posterg "mkdir -p /var/www/posterg/database"
-    rsync -vur --progress ./database/test.db posterg:/var/www/posterg/database/
-    ssh posterg "chown www-data:posterg /var/www/posterg/database/test.db && \
-                 chmod 660 /var/www/posterg/database/test.db"
+    rsync -vur --progress ./storage/test.db posterg:/var/www/posterg/storage/
+    ssh posterg "chown www-data:posterg /var/www/posterg/storage/test.db && \
+                 chmod 660 /var/www/posterg/storage/test.db"
     @echo "✅ Test database deployed"
 ```
 
@@ -209,7 +209,7 @@ just serve
 # In another terminal:
 curl http://localhost:8000/                    # ✅ Should work
 curl http://localhost:8000/admin/              # ✅ Should work (after moving)
-curl http://localhost:8000/database/test.db    # ❌ Should 404
+curl http://localhost:8000/storage/test.db    # ❌ Should 404
 curl http://localhost:8000/config/             # ❌ Should 404
 curl http://localhost:8000/vendor/             # ❌ Should 404
 ```
@@ -226,7 +226,7 @@ curl http://localhost:8000/admin/              # ✅ works
 curl http://localhost:8000/assets/css/style.css # ✅ works
 
 # Verify old paths don't work
-curl http://localhost:8000/../database/test.db # ❌ 404
+curl http://localhost:8000/../storage/test.db # ❌ 404
 curl http://localhost:8000/../config/          # ❌ 404
 ```
 
@@ -238,7 +238,7 @@ just server-status
 # Manual checks
 curl -I https://posterg.erg.be/
 curl -I https://posterg.erg.be/admin/
-curl -I https://posterg.erg.be/database/test.db  # Must be 404!
+curl -I https://posterg.erg.be/storage/test.db  # Must be 404!
 ```
 
 ---
@@ -260,7 +260,7 @@ require_once 'database/test.db';
 <?php
 require_once __DIR__ . '/../config/config.php';
 require_once __DIR__ . '/../src/lib/Database.php';
-$db = new PDO('sqlite:' . __DIR__ . '/../database/test.db');
+$db = new PDO('sqlite:' . __DIR__ . '/../storage/test.db');
 ```
 
 **Or use a bootstrap:**
@@ -272,7 +272,7 @@ require_once __DIR__ . '/../config/bootstrap.php';
 // config/bootstrap.php
 define('APP_ROOT', dirname(__DIR__));
 define('PUBLIC_ROOT', APP_ROOT . '/public');
-define('DATABASE_PATH', APP_ROOT . '/database/test.db');
+define('DATABASE_PATH', APP_ROOT . '/storage/test.db');
 
 require_once APP_ROOT . '/vendor/autoload.php';
 ```

docs/MIGRATION_COMPLETE.md

@@ -66,7 +66,7 @@ posterg-website/
 
 **Before:**
 - ❌ All files in DocumentRoot (/var/www/html/)
-- ❌ Database accessible at /database/test.db
+- ❌ Database accessible at /storage/test.db
 - ❌ Config files accessible
 - ❌ Dev server exposed everything
 - ❌ Relied on nginx deny rules
@@ -88,18 +88,18 @@ just serve
 # Test in browser:
 # - http://localhost:8000/ → Should work
 # - http://localhost:8000/admin/ → Should work
-# - http://localhost:8000/database/test.db → Should 404 ✅
+# - http://localhost:8000/storage/test.db → Should 404 ✅
 # - http://localhost:8000/config/ → Should 404 ✅
-# - http://localhost:8000/../database/test.db → Should 404 ✅
+# - http://localhost:8000/../storage/test.db → Should 404 ✅
 ```
 
 ### Security Verification
 ```bash
 # These should all return 404:
-curl http://localhost:8000/database/test.db
+curl http://localhost:8000/storage/test.db
 curl http://localhost:8000/config/bootstrap.php
 curl http://localhost:8000/vendor/autoload.php
-curl http://localhost:8000/../database/test.db
+curl http://localhost:8000/../storage/test.db
 curl http://localhost:8000/lib/Database.php
 ```
 
@@ -138,7 +138,7 @@ curl http://localhost:8000/lib/Database.php
    just server-status
    curl -I https://posterg.erg.be/
    curl -I https://posterg.erg.be/admin/
-   curl -I https://posterg.erg.be/database/test.db  # Must 404!
+   curl -I https://posterg.erg.be/storage/test.db  # Must 404!
    ```
 
 ## 📝 Path Reference
@@ -164,7 +164,7 @@ require_once LIB_ROOT . '/Database.php';               // Library
 - `PUBLIC_ROOT` - /path/to/posterg-website/public
 - `CONFIG_ROOT` - /path/to/posterg-website/config
 - `DATABASE_ROOT` - /path/to/posterg-website/database
-- `DATABASE_PATH` - /path/to/posterg-website/database/test.db
+- `DATABASE_PATH` - /path/to/posterg-website/storage/test.db
 - `RESOURCES_ROOT` - /path/to/posterg-website/resources
 - `LIB_ROOT` - /path/to/posterg-website/lib
 - `VAR_ROOT` - /path/to/posterg-website/var

docs/REPOSITORY_STRUCTURE_ANALYSIS.md

@@ -357,10 +357,10 @@ posterg-website/
 
        private function getDatabasePath() {
            // Check environment
-           if (file_exists(__DIR__ . '/../database/test.db')) {
-               return __DIR__ . '/../database/test.db';
+           if (file_exists(__DIR__ . '/../storage/test.db')) {
+               return __DIR__ . '/../storage/test.db';
            }
-           return __DIR__ . '/../database/posterg.db';
+           return __DIR__ . '/../storage/posterg.db';
        }
    }
    ```
@@ -387,7 +387,7 @@ posterg-website/
 
 9. **Update .gitignore**:
    ```
-   /database/*.db
+   /storage/*.db
    /apps/*/cache/
    /shared/cache/
    *.log

docs/SECURITY_ANALYSIS.md

@@ -369,7 +369,7 @@ rest of the codebase which uses `htmlspecialchars()` everywhere.
 **File:** `config/bootstrap.php`
 
 ```php
-define('DATABASE_PATH', APP_ROOT . '/database/test.db');
+define('DATABASE_PATH', APP_ROOT . '/storage/test.db');
 ```
 
 This constant is never used anywhere. `Database.php` uses `getDatabasePath()` from

docs/SERVER_SETUP.md

@@ -113,6 +113,6 @@ sudo chmod 660 database/*.db
 **Fix:**
 ```bash
 ssh posterg
-sudo chown www-data:posterg /var/www/posterg/database/test.db
-sudo chmod 660 /var/www/posterg/database/test.db
+sudo chown www-data:posterg /var/www/posterg/storage/test.db
+sudo chmod 660 /var/www/posterg/storage/test.db
 ```

docs/SIMPLIFICATION.md

@@ -67,7 +67,7 @@ posterg-website/
 define('APP_ROOT', dirname(__DIR__));
 
 // Database path
-define('DATABASE_PATH', APP_ROOT . '/database/test.db');
+define('DATABASE_PATH', APP_ROOT . '/storage/test.db');
 
 // Error reporting (dev vs production)
 if (php_sapi_name() === 'cli-server') {

docs/TEST_CENTRALIZATION.md

@@ -278,7 +278,7 @@ jobs:
 ## 📖 Related Documentation
 
 - [Test README](../tests/README.md) - Complete test documentation
-- [Database Specification](../database/DATABASE_SPECIFICATION.md)
+- [Database Specification](../storage/DATABASE_SPECIFICATION.md)
 - [Security Documentation](SECURITY.md)
 
 ---