# TODO - [x] Replace inline alert CSS in admin.css with floating bottom-center toast styles (fixed, z-index, animation) - [x] Update flash-messages.php partial to output `.toast` markup in hidden container for footer JS - [x] Add toast container HTML + JS to admin footer.php (centralised, 4s auto-dismiss with fade-out) - [x] Remove redundant flash-messages.php includes from all admin pages (8 files) - [x] Convert hardcoded alerts in login.php, thanks.php, index.php import to `.toast` class - [x] Update admin.css dialog rule from `[role=alert/status]` to `.toast` - [x] Commit with jj - [x] Move DB export from admin/index.php to admin/parametres.php (maintenance section) - [x] Reorganize src/ - move 7 controllers to src/Controllers/ - [x] Create Controllers directory - [x] Move controller files (Home, Tfe, Search, ThesisCreate, ThesisEdit, Export, System) - [x] Update all require_once paths across codebase - [x] Move stray test.db from root to storage/ - [x] Store admin password hash in DB (site_settings) instead of config file - [x] Create migration 013 - [x] Update AdminAuth to read hash from DB - [x] Update bootstrap.php — remove credential file loading - [x] Update parametres.php — status check from DB - [x] Update actions/account.php — write hash to DB - [x] Update login.php — dev-mode check - [x] Update header.php — dev check - [x] Delete config/admin_credentials.example.php ## Now: Single Entry Point Routing ### Phase 1: Dispatcher refinement - [x] MediaController: extract media.php logic into MediaController class - [x] Create src/Controllers/MediaController.php - [x] Move path validation + storage jail + MIME check + streaming - [x] Wire into Dispatcher for /media route - [x] Delete app/public/media.php - [ ] Update Dispatcher to handle all routes directly (no require APP_ROOT/public/*.php) ### Phase 2: Single entry point - [ ] Create app/public/index.php as front controller - [ ] Bootstrap + Dispatcher invocation - [ ] Remove direct-access public/*.php (index.php, search.php, tfe.php, apropos.php, licence.php) - [ ] Rename old entry points so they can't be hit directly (e.g., prefix with underscore or delete) ### Phase 3: Server config - [ ] Update router.php — route all PHP requests to Dispatcher - [ ] Update nginx config — point all public routes to index.php via try_files - [ ] Replace per-file `location ~ \.php$` with front-controller pattern ### Phase 4: Cleanup - [ ] Delete app/public/live-reload.php (already handled by LiveReloadController) - [ ] Test all routes (/, search.php, tfe, repertoire, apropos, licence, media, live-reload)