feat: stages module, mobility frontend, theme toggle, employeeOnly access control

- Add stages module with full CRUD API and admin overview island
- Add mobility overview island (Liste, Kanban, Detail CRUD views)
- Add contract PDF upload/download endpoints for mobilites
- Add light/dark theme toggle in header
- Add employeeOnly flag to hide entire modules from students (admin, students, stages)
- Add read-only GET endpoints for modules/ues/ue-modules in notes module
- Add [slug].tsx catch-all routes for direct URL navigation
- Replace old mobility table with mobilites + stages schema (migration 0004)
- Allow students to create mobilites and upload contracts
- Redirect authenticated users from / to /apps catalog

routes/(apps)/mobility/api/mobilites/[idMob].ts

@@ -0,0 +1,149 @@
+import { FreshContext, Handlers } from "$fresh/server.ts";
+import { db } from "$root/databases/db.ts";
+import { mobilites } from "$root/databases/schema.ts";
+import { AuthenticatedState } from "$root/defaults/interfaces.ts";
+import { eq } from "npm:drizzle-orm@0.45.2";
+
+const VALID_STATUSES = [
+  "contracts_received",
+  "under_revision",
+  "done",
+  "validated",
+  "canceled",
+] as const;
+
+const NOT_FOUND = () =>
+  new Response(
+    JSON.stringify({ error: "Mobilité introuvable" }),
+    { status: 404, headers: { "content-type": "application/json" } },
+  );
+
+const FORBIDDEN = () => new Response(null, { status: 403 });
+
+export const handler: Handlers<null, AuthenticatedState> = {
+  // GET /mobilites/:idMob
+  async GET(
+    _request: Request,
+    context: FreshContext<AuthenticatedState>,
+  ): Promise<Response> {
+    const idMob = Number(context.params.idMob);
+    if (isNaN(idMob)) {
+      return new Response("Paramètre idMob invalide", { status: 400 });
+    }
+
+    const row = await db
+      .select()
+      .from(mobilites)
+      .where(eq(mobilites.id, idMob))
+      .then((rows) => rows[0] ?? null);
+
+    if (!row) return NOT_FOUND();
+
+    return new Response(JSON.stringify(row), {
+      headers: { "content-type": "application/json" },
+    });
+  },
+
+  // PUT /mobilites/:idMob (employee only)
+  async PUT(
+    request: Request,
+    context: FreshContext<AuthenticatedState>,
+  ): Promise<Response> {
+    if (context.state.session.eduPersonPrimaryAffiliation !== "employee") {
+      return FORBIDDEN();
+    }
+
+    const idMob = Number(context.params.idMob);
+    if (isNaN(idMob)) {
+      return new Response("Paramètre idMob invalide", { status: 400 });
+    }
+
+    const body = await request.json();
+    const { duree, ecole, pays, status, idStage } = body;
+
+    if (
+      status !== undefined &&
+      !VALID_STATUSES.includes(status)
+    ) {
+      return new Response(
+        JSON.stringify({
+          error: `status invalide, valeurs: ${VALID_STATUSES.join(", ")}`,
+        }),
+        { status: 400, headers: { "content-type": "application/json" } },
+      );
+    }
+
+    if (duree !== undefined && (!Number.isInteger(duree) || duree < 1)) {
+      return new Response(
+        JSON.stringify({ error: "duree doit être un entier >= 1" }),
+        { status: 400, headers: { "content-type": "application/json" } },
+      );
+    }
+
+    const set: Record<string, unknown> = {};
+    if (duree !== undefined) set.duree = duree;
+    if (ecole !== undefined) set.ecole = ecole;
+    if (pays !== undefined) set.pays = pays;
+    if (status !== undefined) set.status = status;
+    if (idStage !== undefined) {
+      set.idStage = idStage;
+      if (idStage) set.status = "validated";
+    }
+
+    if (Object.keys(set).length === 0) {
+      return new Response(
+        JSON.stringify({ error: "Au moins un champ à modifier requis" }),
+        { status: 400, headers: { "content-type": "application/json" } },
+      );
+    }
+
+    const [updated] = await db
+      .update(mobilites)
+      .set(set)
+      .where(eq(mobilites.id, idMob))
+      .returning();
+
+    if (!updated) return NOT_FOUND();
+
+    return new Response(JSON.stringify(updated), {
+      headers: { "content-type": "application/json" },
+    });
+  },
+
+  // DELETE /mobilites/:idMob (employee only)
+  async DELETE(
+    _request: Request,
+    context: FreshContext<AuthenticatedState>,
+  ): Promise<Response> {
+    if (context.state.session.eduPersonPrimaryAffiliation !== "employee") {
+      return FORBIDDEN();
+    }
+
+    const idMob = Number(context.params.idMob);
+    if (isNaN(idMob)) {
+      return new Response("Paramètre idMob invalide", { status: 400 });
+    }
+
+    // Delete contract file if exists
+    const row = await db
+      .select({ contratMob: mobilites.contratMob })
+      .from(mobilites)
+      .where(eq(mobilites.id, idMob))
+      .then((rows) => rows[0] ?? null);
+
+    if (row?.contratMob) {
+      try {
+        await Deno.remove(`uploads/contracts/${row.contratMob}`);
+      } catch { /* file may not exist */ }
+    }
+
+    const [deleted] = await db
+      .delete(mobilites)
+      .where(eq(mobilites.id, idMob))
+      .returning();
+
+    if (!deleted) return NOT_FOUND();
+
+    return new Response(null, { status: 204 });
+  },
+};