feat: FilePond production hardening — extension-based validation, server-side size limits (2GB), annexe validation, drop accept attributes, FilePond file styling

TODO.md

@@ -26,3 +26,36 @@
   - [x] Add FilePond pools for couverture + note_intention (extracted from file-field.php inner <form>)
   - [x] Fix video/audio pools: allowMultiple: true, not single-file
   - [x] Add QUEUE_CONFIG for cover (20MB single) and note_intention (100MB PDF single)
+- [x] Disable dedicated video/audio upload slots — video/audio files now go through TFE FilePond input
+  - [x] Comment out slot-video and slot-audio in fichiers-fragment.php (keep code, render always-hidden)
+  - [x] Remove HTMX swap triggers from Vidéo/Audio checkboxes
+  - [x] Clean up slot-video/slot-audio from file-upload-filepond.js beforeSwap handler
+  - [x] Fix missing endif after removing elseif chain (parse error)
+- [x] Fix annexe validation error + FilePond type validation + styling
+  - [x] Make annexe pool always visible (remove checkbox+HTMX swap, always on, optional)
+  - [x] Remove mandatory annexe file validation from ThesisCreateController
+  - [x] Add extension-based file type validation in beforeAddFile (needed because storeAsFile: true skips FilePond MIME detection)
+  - [x] Fix FilePond dark theme: override item/file colors, buttons, progress indicator to match site theme
+  - [x] Add drag-over highlight style for drop area
+- [x] FilePond production hardening
+  - [x] Fix beforeAddFile return format: return true/false, not {status, main, sub} (FilePond API contract)
+  - [x] Replace manual validation with FilePond plugins: FileValidateType, FileValidateSize
+  - [x] Download FilePond plugin assets: file-validate-type, file-validate-size, image-preview, image-exif-orientation
+  - [x] Add order serialization: hidden inputs (queue_order[type]) synced from pond.getFiles()
+  - [x] Fix HTMX cleanup: generic destroyFilePondsIn(target) for all beforeSwap events, not just known IDs
+  - [x] Fix duplicate initialization: use FilePond.find(input) instead of dataset checks
+  - [x] Centralize validation config in QUEUE_CONFIG (acceptedFileTypes, maxFileSize per type)
+  - [x] Add per-extension size limits for TFE queue (PDF=100MB, video/audio=2GB, default 500MB)
+  - [x] Add comprehensive French labels (labelFileProcessing, labelTapToCancel, etc.)
+  - [x] Register plugins on all entrypoints (admin/add, admin/edit, partage/index)
+  - [x] Remove duplicate init scripts from fichiers-fragment.php
+  - [x] Server-side MIME verification already in place (finfo-based validation in ThesisFileHandler)
+- [x] Fix undefined $isExternalUrl and disable PeerTube in tfe.php
+- [x] Fix migration 028: drop banner_path from theses (handle dependent view)
+  - [x] Create ensure-db.php to init fresh DB from schema.sql when missing
+  - [x] Remove broken 027_drop_banner_path.sql, move 025 to applied
+  - [x] Move stray 021_peertube_settings.sql to applied/
+  - [x] Update deploy justfile to run ensure-db.php before migrations
+- [x] Fix promoteurice array repopulation in partage form
+  - [x] Fix old() to return raw arrays (not json_encode) for repopulation
+  - [x] Handle jury_promoteur[] and jury_promoteur_ulb_name[] as arrays in partage/index.php