Rework contenus-edit: auto-save, OverType toolbar, dynamic sidebar links

- Auto-save: new autosave.js with 1.5s debounce, watches all forms with
  data-autosave, POSTs to form action with Accept: application/json, shows
  saving/saved/error status indicator
- All action handlers (page.php, apropos.php, form-help.php) now detect
  JSON Accept header and return {success, csrf_token} or {error} responses
- OverType toolbar enabled (toolbar:true) on all three markdown editors
  (page, about_page, form_help)
- Sidebar links: replaced fixed erg_site_url / source_code_url rows with
  dynamic sidebar_links array of {label, url} objects. Add/remove via JS.
  Fallback migration reads legacy keys if sidebar_links is empty.
- Updated AboutController and about.php template to render dynamic links
- Updated apropos.css: unified .apropos-toc-link replacing .apropos-toc-erg
  and .apropos-toc-source
- New CSS: autosave-status states, sidebar-link-row layout
- Removed all Enregistrer + Annuler buttons — auto-save and h1 back-arrow
  make them redundant

app/public/admin/actions/page.php

@@ -1,14 +1,23 @@
 <?php
 /**
  * Save handler for static page content (Markdown).
+ * Supports both regular form POST and AJAX auto-save requests.
  */
 require_once __DIR__ . '/../../../bootstrap.php';
 require_once __DIR__ . '/../../../src/AdminAuth.php';
 error_log('[page.php] ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | slug=' . ($_POST['slug'] ?? 'none') . ' | post_keys=' . implode(',', array_keys($_POST)));
 AdminAuth::requireLogin();
 
+$isAjax = !empty($_SERVER['HTTP_ACCEPT']) && str_contains($_SERVER['HTTP_ACCEPT'], 'application/json');
+
 if (!isset($_POST['csrf_token'], $_SESSION['csrf_token'])
     || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
+    if ($isAjax) {
+        http_response_code(403);
+        header('Content-Type: application/json');
+        echo json_encode(['error' => 'Erreur de sécurité : token invalide.']);
+        exit;
+    }
     App::flash('error', 'Erreur de sécurité : token invalide.');
     header('Location: /admin/contenus.php');
     exit;
@@ -19,6 +28,12 @@ $slug         = $_POST['slug'] ?? '';
 $content      = $_POST['content'] ?? '';
 
 if (!in_array($slug, $allowedSlugs, true)) {
+    if ($isAjax) {
+        http_response_code(400);
+        header('Content-Type: application/json');
+        echo json_encode(['error' => 'Slug de page invalide.']);
+        exit;
+    }
     App::flash('error', 'Slug de page invalide.');
     header('Location: /admin/contenus.php');
     exit;
@@ -32,10 +47,27 @@ $db = new Database();
 try {
     $db->savePage($slug, $content);
     AdminLogger::make()->logPageEdit($slug);
+
+    if ($isAjax) {
+        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
+        header('Content-Type: application/json');
+        echo json_encode([
+            'success' => true,
+            'csrf_token' => $_SESSION['csrf_token'],
+        ]);
+        exit;
+    }
     App::flash('success', 'Page « ' . htmlspecialchars($slug) . ' » mise à jour.');
 } catch (Exception $e) {
     ErrorHandler::log('page', $e);
-    App::flash('error', 'Erreur lors de la sauvegarde : ' . ErrorHandler::userMessage($e));
+    $msg = 'Erreur lors de la sauvegarde : ' . ErrorHandler::userMessage($e);
+    if ($isAjax) {
+        http_response_code(500);
+        header('Content-Type: application/json');
+        echo json_encode(['error' => $msg]);
+        exit;
+    }
+    App::flash('error', $msg);
 }
 
 $_SESSION['csrf_token'] = bin2hex(random_bytes(32));