Fix file sharing load speed and move error; misc updates

- Remove recursive directory size calculations (single Seafile API call per list)
- Remove 'Used in this location' usage display
- Fix move using v2 per-type endpoints instead of broken batch endpoint
- Send entry type from frontend for correct move routing

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

supabase/functions/fourge-passwords-crypto/index.ts

@@ -0,0 +1,99 @@
+// deno-lint-ignore-file
+import { createClient } from 'https://esm.sh/@supabase/supabase-js@2'
+
+const corsHeaders = {
+  'Access-Control-Allow-Origin': '*',
+  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
+}
+
+const json = (body: Record<string, unknown>, status: number) =>
+  new Response(JSON.stringify(body), {
+    status,
+    headers: { ...corsHeaders, 'Content-Type': 'application/json' },
+  })
+
+function encodeBase64(bytes: Uint8Array) {
+  return btoa(String.fromCharCode(...bytes))
+}
+
+function decodeBase64(value: string) {
+  return Uint8Array.from(atob(value), char => char.charCodeAt(0))
+}
+
+async function requireTeam(authHeader: string) {
+  const supabaseUrl = Deno.env.get('SUPABASE_URL') ?? ''
+  const supabaseKey = Deno.env.get('SUPABASE_ANON_KEY') || Deno.env.get('SUPABASE_SERVICE_ROLE_KEY') || ''
+
+  const callerClient = createClient(
+    supabaseUrl,
+    supabaseKey,
+    { global: { headers: { Authorization: authHeader } } }
+  )
+
+  const { data: userData, error: userError } = await callerClient.auth.getUser()
+  if (userError || !userData?.user) return { ok: false, error: `Auth failed: ${userError?.message ?? 'no user'}`, status: 401 }
+
+  const { data: profile, error: profileError } = await callerClient
+    .from('profiles').select('role').eq('id', userData.user.id).single()
+
+  if (profileError) return { ok: false, error: `Profile error: ${profileError.message}`, status: 500 }
+  if (profile?.role !== 'team') return { ok: false, error: 'Forbidden: team only', status: 403 }
+
+  return { ok: true }
+}
+
+async function getKey() {
+  const secret = Deno.env.get('PASSWORD_VAULT_KEY') ?? ''
+  if (!secret) throw new Error('PASSWORD_VAULT_KEY is not configured.')
+
+  const rawKey = decodeBase64(secret)
+  return crypto.subtle.importKey('raw', rawKey, 'AES-GCM', false, ['encrypt', 'decrypt'])
+}
+
+Deno.serve(async (req) => {
+  if (req.method === 'OPTIONS') return new Response('ok', { headers: corsHeaders })
+
+  try {
+    const authHeader = req.headers.get('Authorization') ?? ''
+    if (!authHeader) return json({ error: 'No authorization header' }, 401)
+
+    const auth = await requireTeam(authHeader)
+    if (!auth.ok) return json({ error: auth.error as string }, auth.status as number)
+
+    const body = await req.json()
+    const action = body?.action
+    const key = await getKey()
+
+    if (action === 'encrypt') {
+      const plaintext = String(body?.plaintext ?? '')
+      if (!plaintext) return json({ error: 'plaintext required' }, 400)
+
+      const iv = crypto.getRandomValues(new Uint8Array(12))
+      const encoded = new TextEncoder().encode(plaintext)
+      const ciphertext = await crypto.subtle.encrypt({ name: 'AES-GCM', iv }, key, encoded)
+
+      return json({
+        ciphertext: encodeBase64(new Uint8Array(ciphertext)),
+        iv: encodeBase64(iv),
+      }, 200)
+    }
+
+    if (action === 'decrypt') {
+      const ciphertext = String(body?.ciphertext ?? '')
+      const ivValue = String(body?.iv ?? '')
+      if (!ciphertext || !ivValue) return json({ error: 'ciphertext and iv required' }, 400)
+
+      const decrypted = await crypto.subtle.decrypt(
+        { name: 'AES-GCM', iv: decodeBase64(ivValue) },
+        key,
+        decodeBase64(ciphertext),
+      )
+
+      return json({ plaintext: new TextDecoder().decode(decrypted) }, 200)
+    }
+
+    return json({ error: 'Invalid action' }, 400)
+  } catch (err) {
+    return json({ error: `Unexpected: ${String(err)}` }, 500)
+  }
+})