feat: admin tag management, maintenance mode, TFE visibility states

Tags admin:
- Database: getAllTagsWithCount(), renameTag(), mergeTag(), deleteTag()
- public/admin/tags.php: table with inline rename/merge/delete forms, CSRF-guarded
- public/admin/actions/tag.php: routes on action=rename|merge|delete
- templates/admin/head.php: 'Mots-clés' nav link
- admin.css: admin-inline-form, admin-btn--sm/warning/danger variants

Maintenance mode:
- config/bootstrap.php: gate on MAINTENANCE_FLAG file; admin/ and maintenance.php exempt
- public/maintenance.php: 503 dark minimal page
- public/admin/actions/maintenance.php: enable/disable toggle
- public/admin/index.php: status bar with toggle button
- admin.css: admin-maintenance-bar styles

TFE Visibility (Libre/Interne/Interdit via existing access_type_id):
- migration 002_add_visibility.sql: seeds access_types if missing
- Database: setVisibility(), bulkSetVisibility(), getAccessTypes()
- public/media.php: blocks thesis files for access_type_id=3
- public/tfe.php: shows access_type, context_note; hides file panel for Interdit
- public/admin/edit.php: access_type_id select + context_note textarea; saves both
- public/admin/index.php: three-state badge (Libre/Interne/Interdit) per row
- public/admin/actions/visibility.php: single + bulk visibility action handler
- admin.css: status-access badge variants

public/media.php

@@ -46,6 +46,38 @@ if (!is_file($realFull)) {
     exit;
 }
 
+// --- 2b. Visibility gate: check access_type_id for thesis files ---------------
+// Only applies to paths under theses/ (uploaded thesis content).
+// Banners and covers are always public (no sensitivity).
+if (preg_match('#^theses/#', $requestedPath)) {
+    require_once __DIR__ . '/../src/Database.php';
+    try {
+        $mediaDb = Database::getInstance();
+        $mediaPdo = $mediaDb->getConnection();
+        // Find the thesis that owns this file path
+        $visStmt = $mediaPdo->prepare("
+            SELECT t.access_type_id FROM theses t
+            JOIN thesis_files tf ON tf.thesis_id = t.id
+            WHERE tf.file_path = ?
+            LIMIT 1
+        ");
+        $visStmt->execute([$requestedPath]);
+        $visRow = $visStmt->fetch();
+        if ($visRow) {
+            $accessTypeId = (int)($visRow['access_type_id'] ?? 1);
+            // 3 = Interdit — block entirely
+            if ($accessTypeId === 3) {
+                http_response_code(403);
+                exit;
+            }
+            // 2 = Interne — allow (no session auth requirement for now; could add later)
+        }
+    } catch (\Throwable $e) {
+        // On DB error, fail open (don't block legitimate requests)
+        error_log("media.php visibility check error: " . $e->getMessage());
+    }
+}
+
 // --- 3. Verify MIME type from file content (not extension) --------------------
 
 $finfo    = new finfo(FILEINFO_MIME_TYPE);