xamxam/TODO.md

# TODO

- [x] Convert all file inputs to FilePond (CSV import, file-field.php; fix dialog init + missing CSS/JS on index page)
- [x] Fix `account.php`: replace `!==` CSRF token check with `hash_equals` (constant-time comparison)
- [x] Fix `ShareLink::setPassword()`: also encrypt and store plain-text password, matching `create()` behavior
- [x] Audit: confirm all remaining credential comparison sites use constant-time `hash_equals` or `password_verify`
- [x] Fix `.gitignore`: anchor `vendor/` to root (`/vendor/`) so `app/public/assets/js/vendor/` (htmx, OverType, FilePond) is tracked
- [x] Fix migration `025_lowercase_languages.sql`: deduplicate languages before LOWER() to avoid UNIQUE constraint violation (`Néerlandais`/`néerlandais`)
- [x] Fix home page: load ALL published theses grouped by year (desc), shuffled randomly within each year (instead of only ~20 from latest year)
- [x] Répertoire: colonnes à largeurs différenciées (Années plus étroites, Orientations/AP plus larges)
- [x] Répertoire: barres de scroll discrètes (thin + semi-transparentes)
- [x] Répertoire: fontes/graisses conformes à la maquette (Ductus pour titres colonnes, années en bold, etc.)
- [x] Répertoire: diminutifs des AP entre crochets (ex: Design et Politique du Multiple [DPM])