fix(production): fix multiple remote server errors from nginx logs

- Fix 413 Request Entity Too Large: bump client_max_body_size to 256M,
  PHP post_max_size/upload_max_filesize to 256M, fastcgi timeouts to 300s
- Fix missing v_smtp_active view: add IF NOT EXISTS to all CREATE VIEW
  statements in schema.sql for idempotent migrates
- Fix bars.svg 404: create animated SVG spinner in app/public/assets/img/
- Fix nginx rate limiting: increase admin zone from 60r/m (1 r/s) to
  300r/m (5 r/s) with burst=30 to handle ~11 concurrent HTMX fragment
  GETs on contenus.php page load
- Add deploy-nginx recipe to justfile for uploading nginx config to server
- Database readonly issue mitigated by existing --chown + deploy-server.sh
  permissions fix
- Add comprehensive PHP/JS debugging logs for settings checkboxes:
  per-field raw POST values in error_log, console.log on htmx:beforeSend,
  htmx:sendError, htmx:afterRequest, toast lifecycle
- Fix toast auto-remove script: use getElementById with a unique ID instead
  of querySelector, which could remove the wrong toast on rapid clicks
This commit is contained in:
Pontoporeia
2026-05-11 03:18:03 +02:00
parent 43064ccbd7
commit be50ac5eb0
9 changed files with 119 additions and 30 deletions


@@ -7,8 +7,10 @@ limit_req_zone $binary_remote_addr zone=general:10m rate=30r/m;
limit_req_zone $binary_remote_addr zone=search:10m rate=30r/m;
# Admin: already protected by HTTP Basic Auth; rate limiting here only guards
# against brute-force on the auth layer, not normal browsing.
# 60r/m = 1r/s sustained, burst=20 covers rapid page navigation.
limit_req_zone $binary_remote_addr zone=admin:10m rate=60r/m;
# Contenu.php triggers ~12 concurrent HTMX GETs on page load, so we need a
# generous burst. 300r/m = 5r/s sustained, burst=30 handles all fragments
# without dropping any, while still limiting brute-force attempts.
limit_req_zone $binary_remote_addr zone=admin:10m rate=300r/m;
# Main server block
server {
@@ -44,9 +46,9 @@ server {
# Server tokens already disabled in nginx.conf
# server_tokens off;
# Max upload size (for thesis files)
client_max_body_size 100M;
client_body_timeout 120s;
# Max upload size (for thesis files — can include video)
client_max_body_size 256M;
client_body_timeout 300s;
# Logging
access_log /var/log/nginx/xamxam_access.log;
@@ -118,7 +120,9 @@ server {
auth_basic_user_file /etc/nginx/.htpasswd-xamxam;
# Rate limiting for admin
limit_req zone=admin burst=20 nodelay;
# 300r/m rate + burst=30 allows all concurrent HTMX fragments (up to ~12
# on contenus.php) while still capping brute-force at 5 req/s sustained.
limit_req zone=admin burst=30 nodelay;
# Content-Security-Policy - Admin policy
# script-src needs 'unsafe-inline' for the OverType editor init block
@@ -133,12 +137,12 @@ server {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.4-fpm.sock;
# Security parameters
fastcgi_param PHP_VALUE "upload_max_filesize=50M \n post_max_size=100M";
# Security parameters (must be <= client_max_body_size)
fastcgi_param PHP_VALUE "upload_max_filesize=256M \n post_max_size=256M";
# Timeouts
fastcgi_read_timeout 120;
fastcgi_send_timeout 120;
fastcgi_read_timeout 300;
fastcgi_send_timeout 300;
}
# Additional security headers for admin
@@ -173,12 +177,12 @@ server {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.4-fpm.sock;
# Security parameters
fastcgi_param PHP_VALUE "upload_max_filesize=50M \n post_max_size=100M";
# Security parameters (must be <= client_max_body_size)
fastcgi_param PHP_VALUE "upload_max_filesize=256M \n post_max_size=256M";
# Timeouts
fastcgi_read_timeout 120;
fastcgi_send_timeout 120;
fastcgi_read_timeout 300;
fastcgi_send_timeout 300;
}
# All other clean URLs — fall through to front controller
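Review bot: The relaxed admin zone (`limit_req_zone $binary_remote_addr zone=admin:10m rate=300r/m;` together with `limit_req zone=admin burst=30 nodelay;`) now admits about 300 requests per minute per source address plus a 30-request burst, and because nginx evaluates limit_req before the auth_basic outcome is known, that ceiling is shared by legitimate HTMX fragment GETs and credential guesses against `.htpasswd-xamxam` alike, so the comment's "still capping brute-force at 5 req/s" understates the change. I would record the trade-off next to the zone, e.g. `# NOTE: this ceiling is shared by HTMX traffic and credential guessing; lockout on repeated 401s in xamxam_access.log (e.g. fail2ban) is the effective brute-force control.`, and reconcile the "~12 concurrent HTMX GETs" here with the "~11" stated in the commit message. The same `fastcgi_param PHP_VALUE`, `fastcgi_read_timeout 300` and `fastcgi_send_timeout 300` lines are duplicated across the two fastcgi locations (hunks at @@ -133 and @@ -173); an included snippet would keep them from drifting apart again. The enclosing `server { … }` block starts and ends outside these hunks.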