create-crm-tmp 1.1.3 → 2.1.0

package/template/src/app/api/contacts/route.ts

@@ -1,9 +1,77 @@
 import { NextRequest, NextResponse } from 'next/server';
+import { z } from 'zod';
 import { auth } from '@/lib/auth';
-import { prisma } from '@/lib/prisma';
+import { prisma, Prisma } from '@/lib/prisma';
+import { checkPermission } from '@/lib/check-permission';
 import { handleContactDuplicate } from '@/lib/contact-duplicate';
 import { executeWorkflowsOnContactCreated } from '@/lib/workflow-executor';
 import { normalizePhoneNumber } from '@/lib/utils';
+import { buildPrismaWhereFromFilters } from '@/lib/contact-view-filters';
+import {
+  expandRegionCodesToDepartmentCodes,
+  prismaPostalMatchesDepartmentsCondition,
+} from '@/lib/fr-geography';
+import type { ViewFilter, ViewSortConfig } from '@/types/contact-views';
+
+const socialNetworkSchema = z.object({
+  platform: z.string().trim().min(1),
+  url: z.string().trim().url(),
+});
+
+const createContactSchema = z.object({
+  civility: z.enum(['M', 'MME', 'MLLE']).optional().nullable(),
+  firstName: z.string().trim().min(1).optional().nullable(),
+  lastName: z.string().trim().min(1).optional().nullable(),
+  phone: z.string().trim().min(3, 'Le téléphone est obligatoire'),
+  secondaryPhone: z.string().trim().optional().nullable(),
+  email: z.string().email().optional().nullable(),
+  address: z.string().optional().nullable(),
+  city: z.string().optional().nullable(),
+  postalCode: z.string().optional().nullable(),
+  origin: z.string().optional().nullable(),
+  companyName: z.string().trim().optional().nullable(),
+  companyId: z.string().optional().nullable(),
+  jobTitle: z.string().trim().optional().nullable(),
+  website: z.string().trim().url().optional().nullable().or(z.literal('')),
+  socialNetworks: z.array(socialNetworkSchema).optional().nullable(),
+  statusId: z.string().optional().nullable(),
+  closingReason: z.string().optional().nullable(),
+  assignedCommercialId: z.string().optional().nullable(),
+  assignedTeleproId: z.string().optional().nullable(),
+});
+
+function parseContactsListSortDirection(
+  sortDir: string | null,
+  sortOrder: string | null,
+): 'asc' | 'desc' | null {
+  const raw = sortDir ?? sortOrder;
+  return raw === 'asc' || raw === 'desc' ? raw : null;
+}
+
+/** Identifiants UI liste → orderBy Prisma (whitelist). */
+function contactListPrismaOrderBy(
+  uiField: string,
+  direction: 'asc' | 'desc',
+): Prisma.ContactOrderByWithRelationInput | null {
+  switch (uiField) {
+    case 'createdAt':
+      return { createdAt: direction };
+    case 'updatedAt':
+      return { updatedAt: direction };
+    case 'postalCode':
+      return { postalCode: direction };
+    case 'status':
+      return { status: { name: direction } };
+    case 'commercial':
+      return { assignedCommercial: { name: direction } };
+    case 'telepro':
+      return { assignedTelepro: { name: direction } };
+    case 'origin':
+      return { origin: direction };
+    default:
+      return null;
+  }
+}
 
 // GET /api/contacts - Récupérer tous les contacts avec filtres
 export async function GET(request: NextRequest) {
@@ -16,8 +84,26 @@ export async function GET(request: NextRequest) {
       return NextResponse.json({ error: 'Non authentifié' }, { status: 401 });
     }
 
+    const [canViewAll, canViewOwn, canViewUnassigned] = await Promise.all([
+      checkPermission('contacts.view_all'),
+      checkPermission('contacts.view_own'),
+      checkPermission('contacts.view_unassigned'),
+    ]);
+
+    if (!canViewAll && !canViewOwn) {
+      return NextResponse.json({ error: 'Accès refusé' }, { status: 403 });
+    }
+
     const { searchParams } = new URL(request.url);
     const search = searchParams.get('search') || '';
+    const viewId = searchParams.get('viewId');
+    const filtersParam = searchParams.get('filters');
+    const statusIds = searchParams.get('statusIds');
+    const assignedCommercialIds = searchParams.get('assignedCommercialIds');
+    const assignedTeleproIds = searchParams.get('assignedTeleproIds');
+    const origins = searchParams.get('origins');
+    const departmentCodesParam = searchParams.get('departmentCodes');
+    const regionCodesParam = searchParams.get('regionCodes');
     const statusId = searchParams.get('statusId');
     const assignedCommercialId = searchParams.get('assignedCommercialId');
     const assignedTeleproId = searchParams.get('assignedTeleproId');
@@ -26,40 +112,182 @@ export async function GET(request: NextRequest) {
     const createdAtEnd = searchParams.get('createdAtEnd');
     const updatedAtStart = searchParams.get('updatedAtStart');
     const updatedAtEnd = searchParams.get('updatedAtEnd');
-    // const isCompany = searchParams.get('isCompany');
-    const page = parseInt(searchParams.get('page') || '1');
-    const limit = parseInt(searchParams.get('limit') || '50');
+    const sortFieldParam = searchParams.get('sortField');
+    const sortDirParam = searchParams.get('sortDir');
+    const sortOrderParam = searchParams.get('sortOrder');
+    const page = Number.parseInt(searchParams.get('page') || '1');
+    const limit = Math.min(Number.parseInt(searchParams.get('limit') || '50'), 200);
     const skip = (page - 1) * limit;
 
-    // Construire les filtres
     const where: any = {};
+    let viewSortConfig: ViewSortConfig | null = null;
 
-    if (search) {
-      where.OR = [
-        { firstName: { contains: search, mode: 'insensitive' } },
-        { lastName: { contains: search, mode: 'insensitive' } },
-        { email: { contains: search, mode: 'insensitive' } },
-        { phone: { contains: search, mode: 'insensitive' } },
+    // Resolve view filters if viewId or inline filters are provided
+    if (viewId) {
+      const view = await prisma.contactView.findUnique({ where: { id: viewId } });
+      if (view && (view.userId === session.user.id || view.isPublic)) {
+        const viewFilters = (view.filters ?? []) as unknown as ViewFilter[];
+        const viewWhere = buildPrismaWhereFromFilters(viewFilters);
+        if (Object.keys(viewWhere).length > 0) {
+          where.AND = where.AND || [];
+          where.AND.push(viewWhere);
+        }
+        if (view.sortConfig) {
+          viewSortConfig = view.sortConfig as unknown as ViewSortConfig;
+        }
+      }
+    } else if (filtersParam) {
+      try {
+        const parsedFilters = JSON.parse(filtersParam) as ViewFilter[];
+        if (Array.isArray(parsedFilters) && parsedFilters.length > 0) {
+          const filtersWhere = buildPrismaWhereFromFilters(parsedFilters);
+          if (Object.keys(filtersWhere).length > 0) {
+            where.AND = where.AND || [];
+            where.AND.push(filtersWhere);
+          }
+        }
+      } catch {
+        // Invalid JSON, ignore
+      }
+    }
+
+    if (!canViewAll && canViewOwn) {
+      const ownershipConditions: any[] = [
+        { assignedCommercialId: session.user.id },
+        { assignedTeleproId: session.user.id },
+        { createdById: session.user.id },
       ];
+      if (canViewUnassigned) {
+        ownershipConditions.push({
+          AND: [{ assignedCommercialId: null }, { assignedTeleproId: null }],
+        });
+      }
+      where.AND = where.AND || [];
+      where.AND.push({ OR: ownershipConditions });
+    }
+
+    if (search) {
+      const trimmedSearch = search.trim();
+      const searchTerms = trimmedSearch.split(/\s+/).filter(Boolean);
+      const firstTerm = searchTerms[0] || '';
+      const remainingTerms = searchTerms.slice(1).join(' ');
+
+      // Normaliser le numéro si la recherche ressemble à un téléphone
+      const digitsOnly = trimmedSearch.replace(/\D/g, '');
+      const looksLikePhone = digitsOnly.length >= 4;
+      const normalizedPhone = looksLikePhone ? normalizePhoneNumber(trimmedSearch) : null;
+
+      where.AND = where.AND || [];
+      where.AND.push({
+        OR: [
+          { firstName: { contains: trimmedSearch, mode: 'insensitive' } },
+          { lastName: { contains: trimmedSearch, mode: 'insensitive' } },
+          { email: { contains: trimmedSearch, mode: 'insensitive' } },
+          { phone: { contains: trimmedSearch, mode: 'insensitive' } },
+          { city: { contains: trimmedSearch, mode: 'insensitive' } },
+          { postalCode: { contains: trimmedSearch, mode: 'insensitive' } },
+          { address: { contains: trimmedSearch, mode: 'insensitive' } },
+          { secondaryPhone: { contains: trimmedSearch, mode: 'insensitive' } },
+          { origin: { contains: trimmedSearch, mode: 'insensitive' } },
+          { jobTitle: { contains: trimmedSearch, mode: 'insensitive' } },
+          { companyName: { contains: trimmedSearch, mode: 'insensitive' } },
+          { company: { name: { contains: trimmedSearch, mode: 'insensitive' } } },
+          ...(normalizedPhone
+            ? [
+                { phone: { contains: normalizedPhone, mode: 'insensitive' as const } },
+                { secondaryPhone: { contains: normalizedPhone, mode: 'insensitive' as const } },
+              ]
+            : []),
+          ...(remainingTerms
+            ? [
+                {
+                  AND: [
+                    { firstName: { contains: firstTerm, mode: 'insensitive' } },
+                    { lastName: { contains: remainingTerms, mode: 'insensitive' } },
+                  ],
+                },
+                {
+                  AND: [
+                    { firstName: { contains: remainingTerms, mode: 'insensitive' } },
+                    { lastName: { contains: firstTerm, mode: 'insensitive' } },
+                  ],
+                },
+              ]
+            : []),
+        ],
+      });
     }
 
-    if (statusId) {
+    // Legacy query-param filters (rétrocompatibilité)
+    if (statusIds) {
+      const ids = statusIds.split(',').filter(Boolean);
+      where.statusId = ids.length === 1 ? ids[0] : { in: ids };
+    } else if (statusId) {
       where.statusId = statusId;
     }
 
-    if (assignedCommercialId) {
+    if (assignedCommercialIds) {
+      const ids = assignedCommercialIds.split(',').filter(Boolean);
+      const hasUnassigned = ids.includes('UNASSIGNED');
+      const realIds = ids.filter((id) => id !== 'UNASSIGNED');
+      if (hasUnassigned && realIds.length > 0) {
+        where.AND = where.AND || [];
+        where.AND.push({
+          OR: [{ assignedCommercialId: null }, { assignedCommercialId: { in: realIds } }],
+        });
+      } else if (hasUnassigned) {
+        where.assignedCommercialId = null;
+      } else {
+        where.assignedCommercialId = realIds.length === 1 ? realIds[0] : { in: realIds };
+      }
+    } else if (assignedCommercialId) {
       where.assignedCommercialId = assignedCommercialId;
     }
 
-    if (assignedTeleproId) {
+    if (assignedTeleproIds) {
+      const ids = assignedTeleproIds.split(',').filter(Boolean);
+      const hasUnassigned = ids.includes('UNASSIGNED');
+      const realIds = ids.filter((id) => id !== 'UNASSIGNED');
+      if (hasUnassigned && realIds.length > 0) {
+        where.AND = where.AND || [];
+        where.AND.push({
+          OR: [{ assignedTeleproId: null }, { assignedTeleproId: { in: realIds } }],
+        });
+      } else if (hasUnassigned) {
+        where.assignedTeleproId = null;
+      } else {
+        where.assignedTeleproId = realIds.length === 1 ? realIds[0] : { in: realIds };
+      }
+    } else if (assignedTeleproId) {
       where.assignedTeleproId = assignedTeleproId;
     }
 
-    if (origin) {
+    if (origins) {
+      const vals = origins.split(',').filter(Boolean);
+      where.origin = vals.length === 1 ? vals[0] : { in: vals };
+    } else if (origin) {
       where.origin = origin;
     }
 
-    // Filtres de date pour createdAt
+    if (departmentCodesParam) {
+      const codes = departmentCodesParam.split(',').filter(Boolean);
+      const geoCond = prismaPostalMatchesDepartmentsCondition(codes);
+      if (geoCond) {
+        where.AND = where.AND || [];
+        where.AND.push(geoCond);
+      }
+    }
+
+    if (regionCodesParam) {
+      const codes = regionCodesParam.split(',').filter(Boolean);
+      const depts = expandRegionCodesToDepartmentCodes(codes);
+      const geoCond = prismaPostalMatchesDepartmentsCondition(depts);
+      if (geoCond) {
+        where.AND = where.AND || [];
+        where.AND.push(geoCond);
+      }
+    }
+
     if (createdAtStart || createdAtEnd) {
       where.createdAt = {};
       if (createdAtStart) {
@@ -69,7 +297,6 @@ export async function GET(request: NextRequest) {
         }
       }
       if (createdAtEnd) {
-        // Ajouter 23h59m59s pour inclure toute la journée
         const endDate = new Date(createdAtEnd);
         if (!isNaN(endDate.getTime())) {
           endDate.setHours(23, 59, 59, 999);
@@ -78,7 +305,6 @@ export async function GET(request: NextRequest) {
       }
     }
 
-    // Filtres de date pour updatedAt
     if (updatedAtStart || updatedAtEnd) {
       where.updatedAt = {};
       if (updatedAtStart) {
@@ -88,7 +314,6 @@ export async function GET(request: NextRequest) {
         }
       }
       if (updatedAtEnd) {
-        // Ajouter 23h59m59s pour inclure toute la journée
         const endDate = new Date(updatedAtEnd);
         if (!isNaN(endDate.getTime())) {
           endDate.setHours(23, 59, 59, 999);
@@ -97,21 +322,33 @@ export async function GET(request: NextRequest) {
       }
     }
 
-    // if (isCompany === 'true') {
-    //   where = { ...where, isCompany: true };
-    // }
+    // Determine sort order: explicit param > view config > default
+    let orderBy: Prisma.ContactOrderByWithRelationInput = { createdAt: 'desc' };
+    const explicitDirection = parseContactsListSortDirection(sortDirParam, sortOrderParam);
+    if (sortFieldParam && explicitDirection) {
+      const mapped = contactListPrismaOrderBy(sortFieldParam, explicitDirection);
+      if (mapped) {
+        orderBy = mapped;
+      }
+    } else if (viewSortConfig?.field) {
+      const dir =
+        viewSortConfig.direction === 'asc' || viewSortConfig.direction === 'desc'
+          ? viewSortConfig.direction
+          : null;
+      if (dir) {
+        const mapped = contactListPrismaOrderBy(viewSortConfig.field, dir);
+        if (mapped) {
+          orderBy = mapped;
+        }
+      }
+    }
 
     const [contacts, total] = await Promise.all([
       prisma.contact.findMany({
-        where: {
-          ...where,
-          isCompany: false,
-        },
+        where,
         include: {
           status: true,
-          companyRelation: {
-            select: { id: true, firstName: true, lastName: true, isCompany: true },
-          },
+          company: { select: { id: true, name: true } },
           assignedCommercial: {
             select: { id: true, name: true, email: true },
           },
@@ -122,22 +359,29 @@ export async function GET(request: NextRequest) {
             select: { id: true, name: true, email: true },
           },
         },
-        orderBy: { createdAt: 'desc' },
+        orderBy,
         skip,
         take: limit,
       }),
-      prisma.contact.count({ where: { ...where, isCompany: false } }),
+      prisma.contact.count({ where }),
     ]);
 
-    return NextResponse.json({
-      contacts,
-      pagination: {
-        page,
-        limit,
-        total,
-        totalPages: Math.ceil(total / limit),
+    return NextResponse.json(
+      {
+        contacts,
+        pagination: {
+          page,
+          limit,
+          total,
+          totalPages: Math.ceil(total / limit),
+        },
       },
-    });
+      {
+        headers: {
+          'Cache-Control': 'private, no-store, max-age=0, must-revalidate',
+        },
+      },
+    );
   } catch (error: any) {
     console.error('Erreur lors de la récupération des contacts:', error);
     return NextResponse.json({ error: 'Erreur serveur' }, { status: 500 });
@@ -155,7 +399,24 @@ export async function POST(request: NextRequest) {
       return NextResponse.json({ error: 'Non authentifié' }, { status: 401 });
     }
 
-    const body = await request.json();
+    const canCreate = await checkPermission('contacts.create');
+    if (!canCreate) {
+      return NextResponse.json({ error: 'Accès refusé' }, { status: 403 });
+    }
+
+    const json = await request.json();
+    const parseResult = createContactSchema.safeParse(json);
+
+    if (!parseResult.success) {
+      return NextResponse.json(
+        {
+          error: 'Données invalides',
+          details: parseResult.error.flatten(),
+        },
+        { status: 400 },
+      );
+    }
+
     const {
       civility,
       firstName,
@@ -168,18 +429,15 @@ export async function POST(request: NextRequest) {
       postalCode,
       origin,
       companyName,
-      isCompany,
       companyId,
+      jobTitle,
+      website,
+      socialNetworks,
       statusId,
       closingReason,
       assignedCommercialId,
       assignedTeleproId,
-    } = body;
-
-    // Validation
-    if (!phone) {
-      return NextResponse.json({ error: 'Le téléphone est obligatoire' }, { status: 400 });
-    }
+    } = parseResult.data;
 
     // Vérifier si c'est un doublon (nom, prénom ET email)
     const duplicateContactId = await handleContactDuplicate(
@@ -196,9 +454,7 @@ export async function POST(request: NextRequest) {
         where: { id: duplicateContactId },
         include: {
           status: true,
-          companyRelation: {
-            select: { id: true, firstName: true, lastName: true, isCompany: true },
-          },
+          company: { select: { id: true, name: true } },
           assignedCommercial: {
             select: { id: true, name: true, email: true },
           },
@@ -216,7 +472,7 @@ export async function POST(request: NextRequest) {
     // Sinon, créer un nouveau contact
     const contact = await prisma.contact.create({
       data: {
-        civility: civility || null,
+        civility: civility ?? null,
         firstName: firstName || null,
         lastName: lastName || null,
         phone: normalizePhoneNumber(phone),
@@ -226,9 +482,12 @@ export async function POST(request: NextRequest) {
         city: city || null,
         postalCode: postalCode || null,
         origin: origin || null,
-        companyName: companyName || null,
-        isCompany: isCompany === true,
+        companyName: companyName && !companyId ? companyName : null,
         companyId: companyId || null,
+        jobTitle: jobTitle || null,
+        website: website && website.trim() ? website : null,
+        socialNetworks:
+          socialNetworks && socialNetworks.length > 0 ? socialNetworks : Prisma.JsonNull,
         statusId: statusId || null,
         closingReason: closingReason || null,
         assignedCommercialId: assignedCommercialId || null,
@@ -252,9 +511,7 @@ export async function POST(request: NextRequest) {
       },
       include: {
         status: true,
-        companyRelation: {
-          select: { id: true, firstName: true, lastName: true, isCompany: true },
-        },
+        company: { select: { id: true, name: true } },
         assignedCommercial: {
           select: { id: true, name: true, email: true },
         },
@@ -278,6 +535,14 @@ export async function POST(request: NextRequest) {
     return NextResponse.json(contact, { status: 201 });
   } catch (error: any) {
     console.error('Erreur lors de la création du contact:', error);
-    return NextResponse.json({ error: error.message || 'Erreur serveur' }, { status: 500 });
+    return NextResponse.json(
+      {
+        error:
+          process.env.NODE_ENV === 'development'
+            ? error.message || 'Erreur serveur'
+            : 'Erreur serveur',
+      },
+      { status: 500 },
+    );
   }
 }

package/template/src/app/api/cron/cleanup-editor-images/route.ts

@@ -0,0 +1,166 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { createClient } from '@supabase/supabase-js';
+import { prisma } from '@/lib/prisma';
+import { BUCKETS } from '@/lib/supabase-storage';
+
+const BUCKET = BUCKETS.EDITOR_IMAGES;
+const FOLDER = 'images';
+// Ne supprimer que les images de plus de 24h (laisse le temps de sauvegarder)
+const MIN_AGE_MS = 24 * 60 * 60 * 1000;
+const LIST_LIMIT = 1000;
+
+function getAdminClient() {
+  return createClient(
+    process.env.NEXT_PUBLIC_SUPABASE_URL!,
+    process.env.SUPABASE_SERVICE_ROLE_KEY!,
+    { auth: { autoRefreshToken: false, persistSession: false } },
+  );
+}
+
+/**
+ * Collecte toutes les URLs d'images éditeur référencées en BDD.
+ */
+async function getReferencedImageUrls(): Promise<Set<string>> {
+  const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL!;
+  const prefix = `${supabaseUrl}/storage/v1/object/public/${BUCKET}/`;
+
+  const urls = new Set<string>();
+
+  function extractUrls(text: string | null) {
+    if (!text) return;
+    const regex = new RegExp(
+      prefix.replace(/[.*+?^${}()|[\]\\]/g, '\\$&') + '[^"\'\\s<>]+',
+      'g',
+    );
+    for (const match of text.matchAll(regex)) {
+      urls.add(match[0]);
+    }
+  }
+
+  // Templates
+  const templates = await prisma.template.findMany({ select: { content: true } });
+  for (const t of templates) extractUrls(t.content);
+
+  // Interactions (notes, emails)
+  const interactions = await prisma.interaction.findMany({
+    where: { content: { contains: BUCKET } },
+    select: { content: true },
+  });
+  for (const i of interactions) extractUrls(i.content);
+
+  // Tasks
+  const tasks = await prisma.task.findMany({
+    where: { description: { contains: BUCKET } },
+    select: { description: true },
+  });
+  for (const t of tasks) extractUrls(t.description);
+
+  // SMTP signatures
+  const smtpConfigs = await prisma.smtpConfig.findMany({
+    where: { signature: { not: null } },
+    select: { signature: true },
+  });
+  for (const s of smtpConfigs) extractUrls(s.signature);
+
+  // Workflow actions
+  const actions = await prisma.workflowAction.findMany({
+    where: {
+      OR: [
+        { taskDescription: { contains: BUCKET } },
+        { smsMessage: { contains: BUCKET } },
+        { noteContent: { contains: BUCKET } },
+      ],
+    },
+    select: { taskDescription: true, smsMessage: true, noteContent: true },
+  });
+  for (const a of actions) {
+    extractUrls(a.taskDescription);
+    extractUrls(a.smsMessage);
+    extractUrls(a.noteContent);
+  }
+
+  return urls;
+}
+
+// GET /api/cron/cleanup-editor-images
+export async function GET(request: NextRequest) {
+  try {
+    const authHeader = request.headers.get('authorization');
+    if (authHeader !== `Bearer ${process.env.CRON_SECRET}`) {
+      return NextResponse.json({ error: 'Non autorisé' }, { status: 401 });
+    }
+
+    const client = getAdminClient();
+    const now = Date.now();
+
+    // 1. Lister toutes les images du bucket
+    const allFiles: { name: string; created_at: string }[] = [];
+    let offset = 0;
+    while (true) {
+      const { data, error } = await client.storage.from(BUCKET).list(FOLDER, {
+        limit: LIST_LIMIT,
+        offset,
+        sortBy: { column: 'created_at', order: 'asc' },
+      });
+      if (error) throw new Error(`Erreur listing bucket: ${error.message}`);
+      if (!data || data.length === 0) break;
+      allFiles.push(...data.map((f) => ({ name: f.name, created_at: f.created_at ?? '' })));
+      if (data.length < LIST_LIMIT) break;
+      offset += LIST_LIMIT;
+    }
+
+    if (allFiles.length === 0) {
+      return NextResponse.json({ deleted: 0, total: 0 });
+    }
+
+    // 2. Filtrer : ne garder que les images > 24h
+    const oldFiles = allFiles.filter((f) => {
+      const createdAt = new Date(f.created_at).getTime();
+      return now - createdAt > MIN_AGE_MS;
+    });
+
+    if (oldFiles.length === 0) {
+      return NextResponse.json({ deleted: 0, total: allFiles.length, message: 'Aucune image ancienne' });
+    }
+
+    // 3. Récupérer les URLs référencées en BDD
+    const referencedUrls = await getReferencedImageUrls();
+
+    // 4. Identifier les orphelines
+    const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL!;
+    const orphanPaths: string[] = [];
+    for (const file of oldFiles) {
+      const fullUrl = `${supabaseUrl}/storage/v1/object/public/${BUCKET}/${FOLDER}/${file.name}`;
+      if (!referencedUrls.has(fullUrl)) {
+        orphanPaths.push(`${FOLDER}/${file.name}`);
+      }
+    }
+
+    // 5. Supprimer par batch de 100
+    let deleted = 0;
+    for (let i = 0; i < orphanPaths.length; i += 100) {
+      const batch = orphanPaths.slice(i, i + 100);
+      const { error } = await client.storage.from(BUCKET).remove(batch);
+      if (error) {
+        console.error(`Erreur suppression batch ${i}:`, error.message);
+      } else {
+        deleted += batch.length;
+      }
+    }
+
+    console.log(
+      `[cleanup-editor-images] ${deleted} orphelines supprimées sur ${allFiles.length} total (${referencedUrls.size} référencées)`,
+    );
+
+    return NextResponse.json({
+      deleted,
+      total: allFiles.length,
+      referenced: referencedUrls.size,
+      orphans: orphanPaths.length,
+    });
+  } catch (error: unknown) {
+    console.error('[cleanup-editor-images] Erreur:', error);
+    const message = error instanceof Error ? error.message : 'Erreur serveur';
+    return NextResponse.json({ error: message }, { status: 500 });
+  }
+}