feat: implement SQLite backup & data integrity plan (Phases 2-4)

TODO.md

@@ -1,76 +1,37 @@
 # TODO
 
-- [x] Fix email addresses in about.php contacts section not using EmailObfuscator for link text
-- [x] Raise rate limits: SearchController 30→300, request-access 3→30, partage 5→50
-- [x] Make Libre option toggleable in Degré d'ouverture fieldset, move to top, remove temporary note
-- [x] Mots-clés required (min 3) in partage form: red count < 3, accent ≥ 3
-- [x] Language checkbox-list no longer required when language_autre pill is present
-- [x] Admin contenus: auto-save checkboxes via HTMX (Restrictions, Degré d'ouverture, Types de travaux), remove Enregistrer buttons
-- [x] Improve recapitulatif.php (partage): bottom margin/padding, center .thanks-success
-- [x] Display ALL submitted info in recapitulatif page + email recap
-- [x] Add "validate your info / contact xamxam@erg.be" note on recap page
-- [x] Fix CSV import: lecteur interne/externe + promoteurice ULB not imported with correct role/is_external/is_ulb flags
-- [x] Add "Terminé" button to import dialog on success (closes dialog + reloads page to clear form)
+## SQLite Backup & Data Integrity (docs/backup-plan.md)
 
-- [x] Replace HTMX+PHP file upload queues with client-side JS
-- [x] Fix submit button on all forms — add JS/PHP debug logging
-  - [x] Fix file-upload-queue.js: redirect detection broken due to opaque redirect (switched from fetch to XHR for reliable responseURL)
-  - [x] Add `console.log` tracing on JS submit interception
-  - [x] Add `error_log` entry-point logging to all 16 PHP action files
-  - [x] Add double-submit guard (`_xamxamActiveSubmit`)
-- [x] Fix spurious HTMX console warnings from checkbox-list default hx-include
-- [x] Fix duplicate language entries (accented vs non-accented variants)
-- [x] Fix checkbox click in admin index navigating to recapitulatif instead of toggling
-  - [x] Deduplicate getPredefinedLanguages() query
-  - [x] Accent-tolerant getOrCreateLanguage() to prevent future duplicates
-  - [x] Delete orphan non-accented language rows from DB
-- [x] Migrate file upload queues to FilePond
-  - [x] Download filepond.min.js + filepond.min.css as local assets
-  - [x] Create file-upload-filepond.js (init script for FilePond instances)
-  - [x] Rewrite fichiers-fragment.php: replace custom picker/queue DOM with FilePond targets
-  - [x] Rewrite fieldset-files.php: same migration (dead code but kept consistent)
-  - [x] Update admin/add.php, admin/edit.php, partage/index.php: swap sortable+file-upload-queue for filepond
-  - [x] Remove file-upload-queue.js and sortable.min.js
-  - [x] Clean up CSS: remove .fq-*, .tfe-file-queue styles, add filepond.css + theme overrides
-  - [x] Decouple format extras from main file inputs — slot-based HTMX swaps preserve FilePond instances
-  - [x] Fix initFilePonds → window.XamxamInitFilePonds bug
-  - [x] Verify backend $_FILES['queue_file'][*] data flow unchanged
-  - [x] Add FilePond pools for couverture + note_intention (extracted from file-field.php inner <form>)
-  - [x] Fix video/audio pools: allowMultiple: true, not single-file
-  - [x] Add QUEUE_CONFIG for cover (20MB single) and note_intention (100MB PDF single)
-- [x] Disable dedicated video/audio upload slots — video/audio files now go through TFE FilePond input
-  - [x] Comment out slot-video and slot-audio in fichiers-fragment.php (keep code, render always-hidden)
-  - [x] Remove HTMX swap triggers from Vidéo/Audio checkboxes
-  - [x] Clean up slot-video/slot-audio from file-upload-filepond.js beforeSwap handler
-  - [x] Fix missing endif after removing elseif chain (parse error)
-- [x] Fix annexe validation error + FilePond type validation + styling
-  - [x] Make annexe pool always visible (remove checkbox+HTMX swap, always on, optional)
-  - [x] Remove mandatory annexe file validation from ThesisCreateController
-  - [x] Add extension-based file type validation in beforeAddFile (needed because storeAsFile: true skips FilePond MIME detection)
-  - [x] Fix FilePond dark theme: override item/file colors, buttons, progress indicator to match site theme
-  - [x] Add drag-over highlight style for drop area
-- [x] FilePond production hardening
-  - [x] Fix beforeAddFile return format: return true/false, not {status, main, sub} (FilePond API contract)
-  - [x] Replace manual validation with FilePond plugins: FileValidateType, FileValidateSize
-  - [x] Download FilePond plugin assets: file-validate-type, file-validate-size, image-preview, image-exif-orientation
-  - [x] Add order serialization: hidden inputs (queue_order[type]) synced from pond.getFiles()
-  - [x] Fix HTMX cleanup: generic destroyFilePondsIn(target) for all beforeSwap events, not just known IDs
-  - [x] Fix duplicate initialization: use FilePond.find(input) instead of dataset checks
-  - [x] Centralize validation config in QUEUE_CONFIG (acceptedFileTypes, maxFileSize per type)
-  - [x] Add per-extension size limits for TFE queue (PDF=100MB, video/audio=2GB, default 500MB)
-  - [x] Add comprehensive French labels (labelFileProcessing, labelTapToCancel, etc.)
-  - [x] Register plugins on all entrypoints (admin/add, admin/edit, partage/index)
-  - [x] Remove duplicate init scripts from fichiers-fragment.php
-  - [x] Server-side MIME verification already in place (finfo-based validation in ThesisFileHandler)
-- [x] Fix undefined $isExternalUrl and disable PeerTube in tfe.php
-- [x] Fix migration 028: drop banner_path from theses (handle dependent view)
-  - [x] Create ensure-db.php to init fresh DB from schema.sql when missing
-  - [x] Remove broken 027_drop_banner_path.sql, move 025 to applied
-  - [x] Move stray 021_peertube_settings.sql to applied/
-  - [x] Update deploy justfile to run ensure-db.php before migrations
-- [x] Fix promoteurice array repopulation in partage form
-  - [x] Fix old() to return raw arrays (not json_encode) for repopulation
-  - [x] Handle jury_promoteur[] and jury_promoteur_ulb_name[] as arrays in partage/index.php
-- [x] Make Auteur(s) and Accès columns sortable alphabetically in admin list
-- [x] Merge both .recap-section sections into one + add margin-bottom: var(--space-l)
-- [x] Fix Fatal error: old() type error in jury-fieldset.php — switch from global old() to $oldFn callable
+### Phase 1 — WAL Mode
+- [x] WAL mode already active (`PRAGMA journal_mode` → `wal`) — set in Database constructor
+- [ ] Verify `-wal` and `-shm` sidecar files exist after writes
+- [ ] Verify nginx/PHP write access to sidecar files on server
+
+### Phase 2 — Audit Log
+- [x] `admin_audit_log` table already exists (migration 009), `AdminLogger` already writes to it
+- [x] Create the `audit_log` table for data-level audit (before/after row snapshots)
+- [x] Create `Audit.php` helper class
+- [x] Instrument all DELETE, UPDATE, INSERT operations on core tables (theses, tags, languages, thesis_files)
+- [ ] Verify by triggering a test delete and querying `SELECT * FROM audit_log ORDER BY id DESC LIMIT 5`
+
+### Phase 3 — Soft Deletes
+- [x] Add `deleted_at` columns to `languages`, `tags`, `theses`
+- [x] Rebuild views `v_theses_full` and `v_theses_public` with `deleted_at IS NULL` filters
+- [x] Update `schema.sql` for fresh installs
+- [x] Replace all hard DELETEs with soft deletes (`DELETE` → `UPDATE ... SET deleted_at = ...`)
+- [x] Add `deleted_at IS NULL` to all SELECT queries touching these tables
+- [x] Add admin "Corbeille" view for soft-deleted theses with Restore and Hard Delete actions
+- [ ] Test each htmx-driven element (language search, tag search, repertoire filters) to confirm deleted entries don't appear
+- [ ] Admin: add soft-deleted tags/languages view with restore option
+
+### Phase 4 — Hourly Snapshots via Cronjob
+- [x] Create `scripts/backup-sqlite.sh` (hot backup via `sqlite3 .backup`, gzip, retention pruning)
+- [x] Test locally — backup created, restores correctly
+- [x] Add `just backup-snapshot` command for local ad-hoc backups
+- [ ] Deploy backup script to server (`/usr/local/bin/backup-sqlite.sh`)
+- [ ] Create `/var/backups/xamxam/` directory on server
+- [ ] Add cron jobs (hourly 30d + daily 90d)
+- [ ] Test restore from production backup
+
+### Phase 5 — Remote Sync *(for later)*
+- [ ] (Deferred)