Reintroduce TFE duration metadata: DB columns, form fields, controllers, views, and migration

Add 'unsafe-eval' to CSP script-src directives (htmx requires Function())

app/src/FilepondHandler.php

@@ -7,7 +7,7 @@
  * called from both the admin panel and the student partage form.
  *
  * Auth is checked by the caller before invoking these methods:
- *   - Admin endpoints: nginx auth_basic + AdminAuth::requireLogin()
+ *   - Admin endpoints: AdminAuth::requireLogin()
  *   - Partagé endpoints: session_start() + verify share_active + CSRF
  *
  * All paths in this file assume the session is already started and CSRF is