릴리스: v1.3.11 회원 관리 모달과 최고 관리자 보호

backend/package-lock.json

@@ -17,12 +17,488 @@
         "mysql2": "^3.20.0",
         "nanoid": "^5.1.7",
         "session-file-store": "^1.5.0",
+        "sharp": "^0.34.5",
         "zod": "^4.3.6"
       },
       "devDependencies": {
         "nodemon": "^3.1.14"
       }
     },
+    "node_modules/@emnapi/runtime": {
+      "version": "1.9.1",
+      "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.9.1.tgz",
+      "integrity": "sha512-VYi5+ZVLhpgK4hQ0TAjiQiZ6ol0oe4mBx7mVv7IflsiEp0OWoVsp/+f9Vc1hOhE0TtkORVrI1GvzyreqpgWtkA==",
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "tslib": "^2.4.0"
+      }
+    },
+    "node_modules/@img/colour": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/@img/colour/-/colour-1.1.0.tgz",
+      "integrity": "sha512-Td76q7j57o/tLVdgS746cYARfSyxk8iEfRxewL9h4OMzYhbW4TAcppl0mT4eyqXddh6L/jwoM75mo7ixa/pCeQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@img/sharp-darwin-arm64": {
+      "version": "0.34.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-darwin-arm64/-/sharp-darwin-arm64-0.34.5.tgz",
+      "integrity": "sha512-imtQ3WMJXbMY4fxb/Ndp6HBTNVtWCUI0WdobyheGf5+ad6xX8VIDO8u2xE4qc/fr08CKG/7dDseFtn6M6g/r3w==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "Apache-2.0",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      },
+      "optionalDependencies": {
+        "@img/sharp-libvips-darwin-arm64": "1.2.4"
+      }
+    },
+    "node_modules/@img/sharp-darwin-x64": {
+      "version": "0.34.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-darwin-x64/-/sharp-darwin-x64-0.34.5.tgz",
+      "integrity": "sha512-YNEFAF/4KQ/PeW0N+r+aVVsoIY0/qxxikF2SWdp+NRkmMB7y9LBZAVqQ4yhGCm/H3H270OSykqmQMKLBhBJDEw==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "Apache-2.0",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      },
+      "optionalDependencies": {
+        "@img/sharp-libvips-darwin-x64": "1.2.4"
+      }
+    },
+    "node_modules/@img/sharp-libvips-darwin-arm64": {
+      "version": "1.2.4",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-darwin-arm64/-/sharp-libvips-darwin-arm64-1.2.4.tgz",
+      "integrity": "sha512-zqjjo7RatFfFoP0MkQ51jfuFZBnVE2pRiaydKJ1G/rHZvnsrHAOcQALIi9sA5co5xenQdTugCvtb1cuf78Vf4g==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-libvips-darwin-x64": {
+      "version": "1.2.4",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-darwin-x64/-/sharp-libvips-darwin-x64-1.2.4.tgz",
+      "integrity": "sha512-1IOd5xfVhlGwX+zXv2N93k0yMONvUlANylbJw1eTah8K/Jtpi15KC+WSiaX/nBmbm2HxRM1gZ0nSdjSsrZbGKg==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-libvips-linux-arm": {
+      "version": "1.2.4",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-arm/-/sharp-libvips-linux-arm-1.2.4.tgz",
+      "integrity": "sha512-bFI7xcKFELdiNCVov8e44Ia4u2byA+l3XtsAj+Q8tfCwO6BQ8iDojYdvoPMqsKDkuoOo+X6HZA0s0q11ANMQ8A==",
+      "cpu": [
+        "arm"
+      ],
+      "license": "LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-libvips-linux-arm64": {
+      "version": "1.2.4",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-arm64/-/sharp-libvips-linux-arm64-1.2.4.tgz",
+      "integrity": "sha512-excjX8DfsIcJ10x1Kzr4RcWe1edC9PquDRRPx3YVCvQv+U5p7Yin2s32ftzikXojb1PIFc/9Mt28/y+iRklkrw==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-libvips-linux-ppc64": {
+      "version": "1.2.4",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-ppc64/-/sharp-libvips-linux-ppc64-1.2.4.tgz",
+      "integrity": "sha512-FMuvGijLDYG6lW+b/UvyilUWu5Ayu+3r2d1S8notiGCIyYU/76eig1UfMmkZ7vwgOrzKzlQbFSuQfgm7GYUPpA==",
+      "cpu": [
+        "ppc64"
+      ],
+      "license": "LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-libvips-linux-riscv64": {
+      "version": "1.2.4",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-riscv64/-/sharp-libvips-linux-riscv64-1.2.4.tgz",
+      "integrity": "sha512-oVDbcR4zUC0ce82teubSm+x6ETixtKZBh/qbREIOcI3cULzDyb18Sr/Wcyx7NRQeQzOiHTNbZFF1UwPS2scyGA==",
+      "cpu": [
+        "riscv64"
+      ],
+      "license": "LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-libvips-linux-s390x": {
+      "version": "1.2.4",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-s390x/-/sharp-libvips-linux-s390x-1.2.4.tgz",
+      "integrity": "sha512-qmp9VrzgPgMoGZyPvrQHqk02uyjA0/QrTO26Tqk6l4ZV0MPWIW6LTkqOIov+J1yEu7MbFQaDpwdwJKhbJvuRxQ==",
+      "cpu": [
+        "s390x"
+      ],
+      "license": "LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-libvips-linux-x64": {
+      "version": "1.2.4",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-x64/-/sharp-libvips-linux-x64-1.2.4.tgz",
+      "integrity": "sha512-tJxiiLsmHc9Ax1bz3oaOYBURTXGIRDODBqhveVHonrHJ9/+k89qbLl0bcJns+e4t4rvaNBxaEZsFtSfAdquPrw==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-libvips-linuxmusl-arm64": {
+      "version": "1.2.4",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linuxmusl-arm64/-/sharp-libvips-linuxmusl-arm64-1.2.4.tgz",
+      "integrity": "sha512-FVQHuwx1IIuNow9QAbYUzJ+En8KcVm9Lk5+uGUQJHaZmMECZmOlix9HnH7n1TRkXMS0pGxIJokIVB9SuqZGGXw==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-libvips-linuxmusl-x64": {
+      "version": "1.2.4",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linuxmusl-x64/-/sharp-libvips-linuxmusl-x64-1.2.4.tgz",
+      "integrity": "sha512-+LpyBk7L44ZIXwz/VYfglaX/okxezESc6UxDSoyo2Ks6Jxc4Y7sGjpgU9s4PMgqgjj1gZCylTieNamqA1MF7Dg==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-linux-arm": {
+      "version": "0.34.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-linux-arm/-/sharp-linux-arm-0.34.5.tgz",
+      "integrity": "sha512-9dLqsvwtg1uuXBGZKsxem9595+ujv0sJ6Vi8wcTANSFpwV/GONat5eCkzQo/1O6zRIkh0m/8+5BjrRr7jDUSZw==",
+      "cpu": [
+        "arm"
+      ],
+      "license": "Apache-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      },
+      "optionalDependencies": {
+        "@img/sharp-libvips-linux-arm": "1.2.4"
+      }
+    },
+    "node_modules/@img/sharp-linux-arm64": {
+      "version": "0.34.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-linux-arm64/-/sharp-linux-arm64-0.34.5.tgz",
+      "integrity": "sha512-bKQzaJRY/bkPOXyKx5EVup7qkaojECG6NLYswgktOZjaXecSAeCWiZwwiFf3/Y+O1HrauiE3FVsGxFg8c24rZg==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "Apache-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      },
+      "optionalDependencies": {
+        "@img/sharp-libvips-linux-arm64": "1.2.4"
+      }
+    },
+    "node_modules/@img/sharp-linux-ppc64": {
+      "version": "0.34.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-linux-ppc64/-/sharp-linux-ppc64-0.34.5.tgz",
+      "integrity": "sha512-7zznwNaqW6YtsfrGGDA6BRkISKAAE1Jo0QdpNYXNMHu2+0dTrPflTLNkpc8l7MUP5M16ZJcUvysVWWrMefZquA==",
+      "cpu": [
+        "ppc64"
+      ],
+      "license": "Apache-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      },
+      "optionalDependencies": {
+        "@img/sharp-libvips-linux-ppc64": "1.2.4"
+      }
+    },
+    "node_modules/@img/sharp-linux-riscv64": {
+      "version": "0.34.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-linux-riscv64/-/sharp-linux-riscv64-0.34.5.tgz",
+      "integrity": "sha512-51gJuLPTKa7piYPaVs8GmByo7/U7/7TZOq+cnXJIHZKavIRHAP77e3N2HEl3dgiqdD/w0yUfiJnII77PuDDFdw==",
+      "cpu": [
+        "riscv64"
+      ],
+      "license": "Apache-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      },
+      "optionalDependencies": {
+        "@img/sharp-libvips-linux-riscv64": "1.2.4"
+      }
+    },
+    "node_modules/@img/sharp-linux-s390x": {
+      "version": "0.34.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-linux-s390x/-/sharp-linux-s390x-0.34.5.tgz",
+      "integrity": "sha512-nQtCk0PdKfho3eC5MrbQoigJ2gd1CgddUMkabUj+rBevs8tZ2cULOx46E7oyX+04WGfABgIwmMC0VqieTiR4jg==",
+      "cpu": [
+        "s390x"
+      ],
+      "license": "Apache-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      },
+      "optionalDependencies": {
+        "@img/sharp-libvips-linux-s390x": "1.2.4"
+      }
+    },
+    "node_modules/@img/sharp-linux-x64": {
+      "version": "0.34.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-linux-x64/-/sharp-linux-x64-0.34.5.tgz",
+      "integrity": "sha512-MEzd8HPKxVxVenwAa+JRPwEC7QFjoPWuS5NZnBt6B3pu7EG2Ge0id1oLHZpPJdn3OQK+BQDiw9zStiHBTJQQQQ==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "Apache-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      },
+      "optionalDependencies": {
+        "@img/sharp-libvips-linux-x64": "1.2.4"
+      }
+    },
+    "node_modules/@img/sharp-linuxmusl-arm64": {
+      "version": "0.34.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-linuxmusl-arm64/-/sharp-linuxmusl-arm64-0.34.5.tgz",
+      "integrity": "sha512-fprJR6GtRsMt6Kyfq44IsChVZeGN97gTD331weR1ex1c1rypDEABN6Tm2xa1wE6lYb5DdEnk03NZPqA7Id21yg==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "Apache-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      },
+      "optionalDependencies": {
+        "@img/sharp-libvips-linuxmusl-arm64": "1.2.4"
+      }
+    },
+    "node_modules/@img/sharp-linuxmusl-x64": {
+      "version": "0.34.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-linuxmusl-x64/-/sharp-linuxmusl-x64-0.34.5.tgz",
+      "integrity": "sha512-Jg8wNT1MUzIvhBFxViqrEhWDGzqymo3sV7z7ZsaWbZNDLXRJZoRGrjulp60YYtV4wfY8VIKcWidjojlLcWrd8Q==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "Apache-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      },
+      "optionalDependencies": {
+        "@img/sharp-libvips-linuxmusl-x64": "1.2.4"
+      }
+    },
+    "node_modules/@img/sharp-wasm32": {
+      "version": "0.34.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-wasm32/-/sharp-wasm32-0.34.5.tgz",
+      "integrity": "sha512-OdWTEiVkY2PHwqkbBI8frFxQQFekHaSSkUIJkwzclWZe64O1X4UlUjqqqLaPbUpMOQk6FBu/HtlGXNblIs0huw==",
+      "cpu": [
+        "wasm32"
+      ],
+      "license": "Apache-2.0 AND LGPL-3.0-or-later AND MIT",
+      "optional": true,
+      "dependencies": {
+        "@emnapi/runtime": "^1.7.0"
+      },
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-win32-arm64": {
+      "version": "0.34.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-win32-arm64/-/sharp-win32-arm64-0.34.5.tgz",
+      "integrity": "sha512-WQ3AgWCWYSb2yt+IG8mnC6Jdk9Whs7O0gxphblsLvdhSpSTtmu69ZG1Gkb6NuvxsNACwiPV6cNSZNzt0KPsw7g==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "Apache-2.0 AND LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-win32-ia32": {
+      "version": "0.34.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-win32-ia32/-/sharp-win32-ia32-0.34.5.tgz",
+      "integrity": "sha512-FV9m/7NmeCmSHDD5j4+4pNI8Cp3aW+JvLoXcTUo0IqyjSfAZJ8dIUmijx1qaJsIiU+Hosw6xM5KijAWRJCSgNg==",
+      "cpu": [
+        "ia32"
+      ],
+      "license": "Apache-2.0 AND LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-win32-x64": {
+      "version": "0.34.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-win32-x64/-/sharp-win32-x64-0.34.5.tgz",
+      "integrity": "sha512-+29YMsqY2/9eFEiW93eqWnuLcWcufowXewwSNIT6UwZdUUCrM3oFjMWH/Z6/TMmb4hlFenmfAVbpWeup2jryCw==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "Apache-2.0 AND LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
     "node_modules/@types/node": {
       "version": "25.5.0",
       "resolved": "https://registry.npmjs.org/@types/node/-/node-25.5.0.tgz",
@@ -368,6 +844,15 @@
         "node": ">= 0.8"
       }
     },
+    "node_modules/detect-libc": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/detect-libc/-/detect-libc-2.1.2.tgz",
+      "integrity": "sha512-Btj2BOOO83o3WyH59e8MgXsxEQVcarkUOpEYrubB0urwnN10yQ364rsiByU11nZlqWYZm05i/of7io4mzihBtQ==",
+      "license": "Apache-2.0",
+      "engines": {
+        "node": ">=8"
+      }
+    },
     "node_modules/dunder-proto": {
       "version": "1.0.1",
       "resolved": "https://registry.npmjs.org/dunder-proto/-/dunder-proto-1.0.1.tgz",
@@ -1381,7 +1866,6 @@
       "version": "7.7.4",
       "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.4.tgz",
       "integrity": "sha512-vFKC2IEtQnVhpT78h1Yp8wzwrf8CM+MzKMHGJZfBtzhZNycRFnXsHk6E5TxIkkMsgNS7mdX3AGB7x2QM2di4lA==",
-      "dev": true,
       "license": "ISC",
       "bin": {
         "semver": "bin/semver.js"
@@ -1458,6 +1942,50 @@
       "integrity": "sha512-E5LDX7Wrp85Kil5bhZv46j8jOeboKq5JMmYM3gVGdGH8xFpPWXUMsNrlODCrkoxMEeNi/XZIwuRvY4XNwYMJpw==",
       "license": "ISC"
     },
+    "node_modules/sharp": {
+      "version": "0.34.5",
+      "resolved": "https://registry.npmjs.org/sharp/-/sharp-0.34.5.tgz",
+      "integrity": "sha512-Ou9I5Ft9WNcCbXrU9cMgPBcCK8LiwLqcbywW3t4oDV37n1pzpuNLsYiAV8eODnjbtQlSDwZ2cUEeQz4E54Hltg==",
+      "hasInstallScript": true,
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@img/colour": "^1.0.0",
+        "detect-libc": "^2.1.2",
+        "semver": "^7.7.3"
+      },
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      },
+      "optionalDependencies": {
+        "@img/sharp-darwin-arm64": "0.34.5",
+        "@img/sharp-darwin-x64": "0.34.5",
+        "@img/sharp-libvips-darwin-arm64": "1.2.4",
+        "@img/sharp-libvips-darwin-x64": "1.2.4",
+        "@img/sharp-libvips-linux-arm": "1.2.4",
+        "@img/sharp-libvips-linux-arm64": "1.2.4",
+        "@img/sharp-libvips-linux-ppc64": "1.2.4",
+        "@img/sharp-libvips-linux-riscv64": "1.2.4",
+        "@img/sharp-libvips-linux-s390x": "1.2.4",
+        "@img/sharp-libvips-linux-x64": "1.2.4",
+        "@img/sharp-libvips-linuxmusl-arm64": "1.2.4",
+        "@img/sharp-libvips-linuxmusl-x64": "1.2.4",
+        "@img/sharp-linux-arm": "0.34.5",
+        "@img/sharp-linux-arm64": "0.34.5",
+        "@img/sharp-linux-ppc64": "0.34.5",
+        "@img/sharp-linux-riscv64": "0.34.5",
+        "@img/sharp-linux-s390x": "0.34.5",
+        "@img/sharp-linux-x64": "0.34.5",
+        "@img/sharp-linuxmusl-arm64": "0.34.5",
+        "@img/sharp-linuxmusl-x64": "0.34.5",
+        "@img/sharp-wasm32": "0.34.5",
+        "@img/sharp-win32-arm64": "0.34.5",
+        "@img/sharp-win32-ia32": "0.34.5",
+        "@img/sharp-win32-x64": "0.34.5"
+      }
+    },
     "node_modules/side-channel": {
       "version": "1.1.0",
       "resolved": "https://registry.npmjs.org/side-channel/-/side-channel-1.1.0.tgz",
@@ -1635,6 +2163,13 @@
         "nodetouch": "bin/nodetouch.js"
       }
     },
+    "node_modules/tslib": {
+      "version": "2.8.1",
+      "resolved": "https://registry.npmjs.org/tslib/-/tslib-2.8.1.tgz",
+      "integrity": "sha512-oJFu94HQb+KVduSUQL7wnpmqnfmLsOA/nAh6b6EH0wCEoK0/mPeXU6c3wKDV83MkOuHPRHtSXKKU99IBazS/2w==",
+      "license": "0BSD",
+      "optional": true
+    },
     "node_modules/type-is": {
       "version": "2.0.1",
       "resolved": "https://registry.npmjs.org/type-is/-/type-is-2.0.1.tgz",

backend/package.json

@@ -5,7 +5,10 @@
   "main": "index.js",
   "scripts": {
     "dev": "DB_HOST=127.0.0.1 DB_PORT=3307 DB_USER=tier_cursor DB_PASSWORD=tier_cursor1234 DB_NAME=tier_cursor nodemon --legacy-watch --watch index.js --watch src index.js",
-    "start": "DB_HOST=127.0.0.1 DB_PORT=3307 DB_USER=tier_cursor DB_PASSWORD=tier_cursor1234 DB_NAME=tier_cursor node index.js"
+    "start": "DB_HOST=127.0.0.1 DB_PORT=3307 DB_USER=tier_cursor DB_PASSWORD=tier_cursor1234 DB_NAME=tier_cursor node index.js",
+    "images:backfill": "DB_HOST=127.0.0.1 DB_PORT=3307 DB_USER=tier_cursor DB_PASSWORD=tier_cursor1234 DB_NAME=tier_cursor node scripts/backfill-legacy-image-assets.js",
+    "images:migrate-legacy": "DB_HOST=127.0.0.1 DB_PORT=3307 DB_USER=tier_cursor DB_PASSWORD=tier_cursor1234 DB_NAME=tier_cursor node scripts/migrate-legacy-uploads-to-assets.js",
+    "uploads:cleanup-legacy": "DB_HOST=127.0.0.1 DB_PORT=3307 DB_USER=tier_cursor DB_PASSWORD=tier_cursor1234 DB_NAME=tier_cursor node scripts/cleanup-unreferenced-legacy-uploads.js"
   },
   "keywords": [],
   "author": "",
@@ -20,6 +23,7 @@
     "mysql2": "^3.20.0",
     "nanoid": "^5.1.7",
     "session-file-store": "^1.5.0",
+    "sharp": "^0.34.5",
     "zod": "^4.3.6"
   },
   "devDependencies": {

backend/scripts/backfill-legacy-image-assets.js

@@ -0,0 +1,106 @@
+const fs = require('fs/promises')
+const path = require('path')
+const crypto = require('crypto')
+const sharp = require('sharp')
+const { nanoid } = require('nanoid')
+const {
+  ensureData,
+  closePool,
+  listReferencedUploadSources,
+  findImageAssetBySrc,
+  createImageAsset,
+} = require('../src/db')
+
+const BACKEND_ROOT = path.join(__dirname, '..')
+
+function inferMimeType(src, metadata) {
+  const format = String(metadata?.format || '').toLowerCase()
+  if (format === 'jpeg' || format === 'jpg') return 'image/jpeg'
+  if (format === 'png') return 'image/png'
+  if (format === 'gif') return 'image/gif'
+  if (format === 'webp') return 'image/webp'
+  if (format === 'svg' || format === 'svg+xml') return 'image/svg+xml'
+  if (format === 'avif') return 'image/avif'
+
+  const ext = path.extname(src || '').toLowerCase()
+  if (ext === '.jpg' || ext === '.jpeg') return 'image/jpeg'
+  if (ext === '.png') return 'image/png'
+  if (ext === '.gif') return 'image/gif'
+  if (ext === '.webp') return 'image/webp'
+  if (ext === '.svg') return 'image/svg+xml'
+  if (ext === '.avif') return 'image/avif'
+  return 'application/octet-stream'
+}
+
+async function main() {
+  await ensureData()
+
+  const referencedSrcs = Array.from(new Set(await listReferencedUploadSources()))
+    .filter((src) => typeof src === 'string' && src.startsWith('/uploads/'))
+    .sort()
+
+  const summary = {
+    scanned: referencedSrcs.length,
+    skippedExisting: 0,
+    backfilled: 0,
+    missingFiles: 0,
+    failed: 0,
+  }
+
+  for (const src of referencedSrcs) {
+    const existing = await findImageAssetBySrc(src)
+    if (existing) {
+      summary.skippedExisting += 1
+      continue
+    }
+
+    const absolutePath = path.join(BACKEND_ROOT, src.replace(/^\//, ''))
+
+    try {
+      const [buffer, stat] = await Promise.all([fs.readFile(absolutePath), fs.stat(absolutePath)])
+      let metadata = {}
+      try {
+        metadata = await sharp(buffer, { failOn: 'none' }).metadata()
+      } catch (error) {
+        metadata = {}
+      }
+
+      const rawHash = crypto.createHash('sha256').update(buffer).digest('hex')
+      const contentHash = crypto.createHash('sha256').update(`${rawHash}|${src}`).digest('hex')
+
+      await createImageAsset({
+        id: nanoid(),
+        contentHash,
+        src,
+        mimeType: inferMimeType(src, metadata),
+        byteSize: Number(stat.size || 0),
+        originalByteSize: Number(stat.size || 0),
+        width: Number(metadata.width || 0),
+        height: Number(metadata.height || 0),
+      })
+      summary.backfilled += 1
+    } catch (error) {
+      if (error?.code === 'ENOENT') {
+        summary.missingFiles += 1
+        continue
+      }
+      if (error?.code === 'ER_DUP_ENTRY') {
+        summary.skippedExisting += 1
+        continue
+      }
+      summary.failed += 1
+      console.error('[backfill-legacy-image-assets] failed:', src, error?.message || error)
+    }
+  }
+
+  console.log(JSON.stringify(summary, null, 2))
+}
+
+main()
+  .catch((error) => {
+    console.error(error)
+    process.exitCode = 1
+  })
+  .finally(async () => {
+    await closePool()
+  })

backend/scripts/cleanup-unreferenced-legacy-uploads.js

@@ -0,0 +1,56 @@
+const fs = require('fs/promises')
+const path = require('path')
+const {
+  ensureData,
+  closePool,
+  listReferencedUploadSources,
+} = require('../src/db')
+
+const BACKEND_ROOT = path.join(__dirname, '..')
+const TARGET_DIRS = ['avatars', 'custom', 'games', 'tierlists']
+
+async function main() {
+  await ensureData()
+
+  const referenced = new Set(await listReferencedUploadSources())
+  const deleted = []
+  const missing = []
+  let scanned = 0
+
+  for (const dir of TARGET_DIRS) {
+    const absoluteDir = path.join(BACKEND_ROOT, 'uploads', dir)
+    let entries = []
+    try {
+      entries = await fs.readdir(absoluteDir, { withFileTypes: true })
+    } catch (error) {
+      if (error?.code === 'ENOENT') continue
+      throw error
+    }
+
+    for (const entry of entries) {
+      if (!entry.isFile()) continue
+      scanned += 1
+      const src = `/uploads/${dir}/${entry.name}`
+      if (referenced.has(src)) continue
+      const absolutePath = path.join(absoluteDir, entry.name)
+      try {
+        await fs.unlink(absolutePath)
+        deleted.push(src)
+      } catch (error) {
+        if (error?.code === 'ENOENT') missing.push(src)
+        else throw error
+      }
+    }
+  }
+
+  console.log(JSON.stringify({ scanned, deletedCount: deleted.length, missingCount: missing.length, deleted, missing }, null, 2))
+}
+
+main()
+  .catch((error) => {
+    console.error(error)
+    process.exitCode = 1
+  })
+  .finally(async () => {
+    await closePool()
+  })

backend/scripts/migrate-legacy-uploads-to-assets.js

@@ -0,0 +1,112 @@
+const fs = require('fs/promises')
+const path = require('path')
+const sharp = require('sharp')
+const {
+  ensureData,
+  closePool,
+  listReferencedUploadUsage,
+  replaceUploadSourceReferences,
+} = require('../src/db')
+const { writeOptimizedImage } = require('../src/lib/image-storage')
+
+const BACKEND_ROOT = path.join(__dirname, '..')
+
+function inferMimeType(src, metadata) {
+  const format = String(metadata?.format || '').toLowerCase()
+  if (format === 'jpeg' || format === 'jpg') return 'image/jpeg'
+  if (format === 'png') return 'image/png'
+  if (format === 'gif') return 'image/gif'
+  if (format === 'webp') return 'image/webp'
+  if (format === 'svg' || format === 'svg+xml') return 'image/svg+xml'
+  if (format === 'avif') return 'image/avif'
+
+  const ext = path.extname(src || '').toLowerCase()
+  if (ext === '.jpg' || ext === '.jpeg') return 'image/jpeg'
+  if (ext === '.png') return 'image/png'
+  if (ext === '.gif') return 'image/gif'
+  if (ext === '.webp') return 'image/webp'
+  if (ext === '.svg') return 'image/svg+xml'
+  if (ext === '.avif') return 'image/avif'
+  return 'application/octet-stream'
+}
+
+function getOptimizationConfig(roles) {
+  const roleSet = new Set(roles || [])
+  if (roleSet.has('avatar')) {
+    return { directory: 'avatars', width: 512, height: 512, fit: 'cover', quality: 82 }
+  }
+  if (roleSet.has('game-thumbnail') || roleSet.has('tierlist-thumbnail') || roleSet.has('template-thumbnail')) {
+    return { directory: 'legacy-thumbnails', width: 1280, height: 1280, fit: 'inside', quality: 84 }
+  }
+  return { directory: 'legacy-items', width: 512, height: 512, fit: 'inside', quality: 84 }
+}
+
+async function createFileLike(src) {
+  const absolutePath = path.join(BACKEND_ROOT, src.replace(/^\//, ''))
+  const [buffer, stat] = await Promise.all([fs.readFile(absolutePath), fs.stat(absolutePath)])
+  let metadata = {}
+  try {
+    metadata = await sharp(buffer, { failOn: 'none' }).metadata()
+  } catch (error) {
+    metadata = {}
+  }
+  return {
+    file: {
+      originalname: path.basename(src),
+      mimetype: inferMimeType(src, metadata),
+      size: Number(stat.size || 0),
+      buffer,
+    },
+    absolutePath,
+  }
+}
+
+async function main() {
+  await ensureData()
+  const usageEntries = await listReferencedUploadUsage()
+  const legacyEntries = usageEntries.filter((entry) => entry.src && entry.src.startsWith('/uploads/') && !entry.src.startsWith('/uploads/assets/'))
+
+  const summary = {
+    scanned: legacyEntries.length,
+    migrated: 0,
+    reusedAsset: 0,
+    unchanged: 0,
+    missingFiles: 0,
+    failed: 0,
+    updatedRows: 0,
+  }
+
+  for (const entry of legacyEntries) {
+    const config = getOptimizationConfig(entry.roles)
+    try {
+      const { file } = await createFileLike(entry.src)
+      const optimized = await writeOptimizedImage({ file, ...config })
+      if (optimized.src === entry.src) {
+        summary.unchanged += 1
+        continue
+      }
+      const replaced = await replaceUploadSourceReferences({ fromSrc: entry.src, toSrc: optimized.src })
+      summary.updatedRows += Number(replaced.updatedRows || 0)
+      if (optimized.reused) summary.reusedAsset += 1
+      else summary.migrated += 1
+    } catch (error) {
+      if (error?.code === 'ENOENT') {
+        summary.missingFiles += 1
+        continue
+      }
+      summary.failed += 1
+      console.error('[migrate-legacy-uploads-to-assets] failed:', entry.src, error?.message || error)
+    }
+  }
+
+  console.log(JSON.stringify(summary, null, 2))
+}
+
+main()
+  .catch((error) => {
+    console.error(error)
+    process.exitCode = 1
+  })
+  .finally(async () => {
+    await closePool()
+  })

backend/src/db.js

@@ -1,3 +1,5 @@
+const fs = require('fs/promises')
+const path = require('path')
 const mysql = require('mysql2/promise')
 
 const DB_HOST = process.env.DB_HOST || '127.0.0.1'
@@ -28,6 +30,29 @@ function serializeJson(value) {
   return JSON.stringify(value || [])
 }
 
+function collectUploadSrcsFromItems(items, bucket) {
+  for (const item of items || []) {
+    if (typeof item?.src === 'string' && item.src.startsWith('/uploads/')) {
+      bucket.add(item.src)
+    }
+  }
+}
+
+function resolveMonthRange(month) {
+  if (typeof month !== 'string') return null
+  const match = month.trim().match(/^(\d{4})-(\d{2})$/)
+  if (!match) return null
+
+  const year = Number(match[1])
+  const monthIndex = Number(match[2]) - 1
+  if (!Number.isInteger(year) || monthIndex < 0 || monthIndex > 11) return null
+
+  return {
+    start: new Date(year, monthIndex, 1).getTime(),
+    end: new Date(year, monthIndex + 1, 1).getTime(),
+  }
+}
+
 function mapUserRow(row) {
   if (!row) return null
   return {
@@ -64,6 +89,37 @@ function mapGameItemRow(row) {
   }
 }
 
+function mapImageAssetRow(row) {
+  if (!row) return null
+  return {
+    id: row.id,
+    contentHash: row.content_hash,
+    src: row.src || '',
+    mimeType: row.mime_type || 'image/webp',
+    byteSize: Number(row.byte_size || 0),
+    originalByteSize: Number(row.original_byte_size || 0),
+    width: Number(row.width || 0),
+    height: Number(row.height || 0),
+    createdAt: Number(row.created_at || 0),
+  }
+}
+
+function mapImageOptimizationJobRow(row) {
+  if (!row) return null
+  return {
+    id: row.id,
+    status: row.status,
+    sourceCategory: row.source_category || '',
+    targetDirectory: row.target_directory || '',
+    originalByteSize: Number(row.original_byte_size || 0),
+    optimizedByteSize: Number(row.optimized_byte_size || 0),
+    reusedAsset: !!row.reused_asset,
+    errorMessage: row.error_message || '',
+    queuedAt: Number(row.queued_at || 0),
+    startedAt: Number(row.started_at || 0),
+    finishedAt: Number(row.finished_at || 0),
+  }
+}
 function mapTierListRow(row) {
   if (!row) return null
   return {
@@ -167,6 +223,14 @@ async function query(sql, params = []) {
   return rows
 }
 
+async function closePool() {
+  if (!poolPromise) return
+  const pool = await poolPromise
+  await pool.end()
+  poolPromise = null
+  initPromise = null
+}
+
 async function ensureSchema() {
   if (initPromise) return initPromise
   initPromise = (async () => {
@@ -270,6 +334,38 @@ async function ensureSchema() {
       ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4
     `)
 
+    await query(`
+      CREATE TABLE IF NOT EXISTS image_assets (
+        id VARCHAR(64) PRIMARY KEY,
+        content_hash CHAR(64) NOT NULL UNIQUE,
+        src VARCHAR(255) NOT NULL UNIQUE,
+        mime_type VARCHAR(32) NOT NULL DEFAULT 'image/webp',
+        byte_size INT UNSIGNED NOT NULL,
+        original_byte_size INT UNSIGNED NOT NULL,
+        width INT UNSIGNED NOT NULL DEFAULT 0,
+        height INT UNSIGNED NOT NULL DEFAULT 0,
+        created_at BIGINT NOT NULL,
+        INDEX idx_image_assets_created_at (created_at)
+      ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4
+    `)
+
+    await query(`
+      CREATE TABLE IF NOT EXISTS image_optimization_jobs (
+        id VARCHAR(64) PRIMARY KEY,
+        status VARCHAR(20) NOT NULL DEFAULT 'queued',
+        source_category VARCHAR(40) NOT NULL DEFAULT '',
+        target_directory VARCHAR(40) NOT NULL DEFAULT '',
+        original_byte_size INT UNSIGNED NOT NULL DEFAULT 0,
+        optimized_byte_size INT UNSIGNED NOT NULL DEFAULT 0,
+        reused_asset TINYINT(1) NOT NULL DEFAULT 0,
+        error_message VARCHAR(255) NOT NULL DEFAULT '',
+        queued_at BIGINT NOT NULL,
+        started_at BIGINT NOT NULL DEFAULT 0,
+        finished_at BIGINT NOT NULL DEFAULT 0,
+        INDEX idx_image_optimization_jobs_status_queued (status, queued_at),
+        INDEX idx_image_optimization_jobs_finished_at (finished_at)
+      ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4
+    `)
     await query(`
       CREATE TABLE IF NOT EXISTS template_requests (
         id VARCHAR(64) PRIMARY KEY,
@@ -410,25 +506,52 @@ async function updateUserProfile({ id, nickname, avatarSrc }) {
   return findUserById(id)
 }
 
-async function listUsers() {
-  const rows = await query(`
-    SELECT
-      u.id,
-      u.email,
-      u.nickname,
-      u.is_admin,
-      u.avatar_src,
-      u.created_at,
-      COUNT(t.id) AS tierlist_count,
-      GREATEST(
+async function findPrimaryAdminUser() {
+  const rows = await query(
+    'SELECT id, email, nickname, is_admin, avatar_src, created_at FROM users WHERE is_admin = 1 ORDER BY created_at ASC, email ASC LIMIT 1'
+  )
+  return mapUserRow(rows[0])
+}
+
+async function listUsers({ queryText = '', sort = 'recent' } = {}) {
+  const where = []
+  const params = []
+  const trimmedQuery = typeof queryText === 'string' ? queryText.trim() : ''
+
+  if (trimmedQuery) {
+    where.push('(u.email LIKE ? OR u.nickname LIKE ?)')
+    params.push(`%${trimmedQuery}%`, `%${trimmedQuery}%`)
+  }
+
+  const orderBy =
+    sort === 'created'
+      ? 'u.created_at DESC, recent_activity_at DESC, u.email ASC'
+      : sort === 'tierlists'
+        ? 'tierlist_count DESC, recent_activity_at DESC, u.email ASC'
+        : 'recent_activity_at DESC, u.created_at ASC, u.email ASC'
+
+  const rows = await query(
+    `
+      SELECT
+        u.id,
+        u.email,
+        u.nickname,
+        u.is_admin,
+        u.avatar_src,
         u.created_at,
-        COALESCE(MAX(t.updated_at), 0)
-      ) AS recent_activity_at
-    FROM users u
-    LEFT JOIN tierlists t ON t.author_id = u.id
-    GROUP BY u.id, u.email, u.nickname, u.is_admin, u.avatar_src, u.created_at
-    ORDER BY recent_activity_at DESC, u.created_at ASC, u.email ASC
-  `)
+        COUNT(t.id) AS tierlist_count,
+        GREATEST(
+          u.created_at,
+          COALESCE(MAX(t.updated_at), 0)
+        ) AS recent_activity_at
+      FROM users u
+      LEFT JOIN tierlists t ON t.author_id = u.id
+      ${where.length ? `WHERE ${where.join(' AND ')}` : ''}
+      GROUP BY u.id, u.email, u.nickname, u.is_admin, u.avatar_src, u.created_at
+      ORDER BY ${orderBy}
+    `,
+    params
+  )
   return rows.map(mapUserRow)
 }
 
@@ -522,6 +645,367 @@ async function updateGameThumbnail(gameId, thumbnailSrc) {
   return findGameById(gameId)
 }
 
+async function findImageAssetByHash(contentHash) {
+  const rows = await query(
+    'SELECT id, content_hash, src, mime_type, byte_size, original_byte_size, width, height, created_at FROM image_assets WHERE content_hash = ? LIMIT 1',
+    [contentHash]
+  )
+  return mapImageAssetRow(rows[0])
+}
+
+async function findImageAssetBySrc(src) {
+  const rows = await query(
+    'SELECT id, content_hash, src, mime_type, byte_size, original_byte_size, width, height, created_at FROM image_assets WHERE src = ? LIMIT 1',
+    [src]
+  )
+  return mapImageAssetRow(rows[0])
+}
+
+async function createImageAsset({ id, contentHash, src, mimeType = "image/webp", byteSize, originalByteSize, width, height }) {
+  const createdAt = now()
+  await query(
+    'INSERT INTO image_assets (id, content_hash, src, mime_type, byte_size, original_byte_size, width, height, created_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)',
+    [id, contentHash, src, mimeType, byteSize, originalByteSize, width, height, createdAt]
+  )
+  return findImageAssetByHash(contentHash)
+}
+
+async function createImageOptimizationJob({ id, sourceCategory, targetDirectory, originalByteSize }) {
+  const queuedAt = now()
+  await query(
+    'INSERT INTO image_optimization_jobs (id, status, source_category, target_directory, original_byte_size, optimized_byte_size, reused_asset, error_message, queued_at, started_at, finished_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)',
+    [id, 'queued', sourceCategory || '', targetDirectory || '', originalByteSize || 0, 0, 0, '', queuedAt, 0, 0]
+  )
+  return findImageOptimizationJobById(id)
+}
+
+async function findImageOptimizationJobById(id) {
+  const rows = await query(
+    'SELECT id, status, source_category, target_directory, original_byte_size, optimized_byte_size, reused_asset, error_message, queued_at, started_at, finished_at FROM image_optimization_jobs WHERE id = ? LIMIT 1',
+    [id]
+  )
+  return mapImageOptimizationJobRow(rows[0])
+}
+
+async function updateImageOptimizationJobStatus({ id, status, optimizedByteSize = 0, reusedAsset = false, errorMessage = '', startedAt, finishedAt }) {
+  const fields = ['status = ?', 'optimized_byte_size = ?', 'reused_asset = ?', 'error_message = ?']
+  const params = [status, optimizedByteSize, reusedAsset ? 1 : 0, errorMessage.slice(0, 255)]
+
+  if (typeof startedAt === 'number') {
+    fields.push('started_at = ?')
+    params.push(startedAt)
+  }
+  if (typeof finishedAt === 'number') {
+    fields.push('finished_at = ?')
+    params.push(finishedAt)
+  }
+
+  params.push(id)
+  await query(`UPDATE image_optimization_jobs SET ${fields.join(', ')} WHERE id = ?`, params)
+  return findImageOptimizationJobById(id)
+}
+
+async function listRecentImageOptimizationJobs(limit = 20, { month } = {}) {
+  const safeLimit = Math.max(1, Math.min(100, Number(limit) || 20))
+  const range = resolveMonthRange(month)
+  const where = []
+  const params = []
+
+  if (range) {
+    where.push('queued_at >= ? AND queued_at < ?')
+    params.push(range.start, range.end)
+  }
+
+  const rows = await query(
+    `SELECT id, status, source_category, target_directory, original_byte_size, optimized_byte_size, reused_asset, error_message, queued_at, started_at, finished_at
+     FROM image_optimization_jobs
+     ${where.length ? `WHERE ${where.join(' AND ')}` : ''}
+     ORDER BY queued_at DESC
+     LIMIT ${safeLimit}`,
+    params
+  )
+  return rows.map(mapImageOptimizationJobRow)
+}
+
+async function listUnusedImageAssets({ limit = 100, minAgeHours = 24 } = {}) {
+  const safeLimit = Math.max(1, Math.min(500, Number(limit) || 100))
+  const safeMinAgeHours = Math.max(0, Number(minAgeHours) || 24)
+  const cutoff = now() - safeMinAgeHours * 60 * 60 * 1000
+
+  const assets = (await query(
+    `SELECT id, content_hash, src, mime_type, byte_size, original_byte_size, width, height, created_at FROM image_assets WHERE created_at <= ? ORDER BY created_at ASC LIMIT ${safeLimit}`,
+    [cutoff]
+  )).map(mapImageAssetRow)
+
+  if (!assets.length) return []
+
+  const referencedSrcs = new Set()
+
+  const [userRows, gameRows, gameItemRows, customItemRows, tierListRows, templateRequestRows] = await Promise.all([
+    query("SELECT avatar_src FROM users WHERE avatar_src <> ''"),
+    query("SELECT thumbnail_src FROM games WHERE thumbnail_src <> ''"),
+    query("SELECT src FROM game_items WHERE src <> ''"),
+    query("SELECT src FROM custom_items WHERE src <> ''"),
+    query("SELECT thumbnail_src, pool_json FROM tierlists"),
+    query("SELECT thumbnail_src_snapshot, items_json FROM template_requests"),
+  ])
+
+  for (const row of userRows) if (row.avatar_src) referencedSrcs.add(row.avatar_src)
+  for (const row of gameRows) if (row.thumbnail_src) referencedSrcs.add(row.thumbnail_src)
+  for (const row of gameItemRows) if (row.src) referencedSrcs.add(row.src)
+  for (const row of customItemRows) if (row.src) referencedSrcs.add(row.src)
+
+  for (const row of tierListRows) {
+    if (row.thumbnail_src) referencedSrcs.add(row.thumbnail_src)
+    collectUploadSrcsFromItems(parseJson(row.pool_json, []), referencedSrcs)
+  }
+
+  for (const row of templateRequestRows) {
+    if (row.thumbnail_src_snapshot) referencedSrcs.add(row.thumbnail_src_snapshot)
+    collectUploadSrcsFromItems(parseJson(row.items_json, []), referencedSrcs)
+  }
+
+  return assets.filter((asset) => !referencedSrcs.has(asset.src))
+}
+
+async function deleteImageAssets(ids) {
+  const uniqueIds = Array.from(new Set((ids || []).filter(Boolean)))
+  if (!uniqueIds.length) return []
+  const placeholders = uniqueIds.map(() => '?').join(', ')
+  const rows = await query(
+    `SELECT id, content_hash, src, mime_type, byte_size, original_byte_size, width, height, created_at FROM image_assets WHERE id IN (${placeholders})`,
+    uniqueIds
+  )
+  await query(`DELETE FROM image_assets WHERE id IN (${placeholders})`, uniqueIds)
+  return rows.map(mapImageAssetRow)
+}
+
+async function listReferencedUploadSources() {
+  const usage = await listReferencedUploadUsage()
+  return usage.map((entry) => entry.src)
+}
+
+async function listReferencedUploadUsage() {
+  const usageMap = new Map()
+  const addUsage = (src, role) => {
+    if (typeof src !== 'string' || !src.startsWith('/uploads/')) return
+    if (!usageMap.has(src)) usageMap.set(src, new Set())
+    usageMap.get(src).add(role)
+  }
+
+  const [userRows, gameRows, gameItemRows, customItemRows, tierListRows, templateRequestRows] = await Promise.all([
+    query("SELECT avatar_src FROM users WHERE avatar_src <> ''"),
+    query("SELECT thumbnail_src FROM games WHERE thumbnail_src <> ''"),
+    query("SELECT src FROM game_items WHERE src <> ''"),
+    query("SELECT src FROM custom_items WHERE src <> ''"),
+    query("SELECT id, thumbnail_src, pool_json FROM tierlists"),
+    query("SELECT id, thumbnail_src_snapshot, items_json FROM template_requests"),
+  ])
+
+  for (const row of userRows) addUsage(row.avatar_src, 'avatar')
+  for (const row of gameRows) addUsage(row.thumbnail_src, 'game-thumbnail')
+  for (const row of gameItemRows) addUsage(row.src, 'game-item')
+  for (const row of customItemRows) addUsage(row.src, 'custom-item')
+
+  for (const row of tierListRows) {
+    addUsage(row.thumbnail_src, 'tierlist-thumbnail')
+    for (const item of parseJson(row.pool_json, [])) addUsage(item?.src, 'tierlist-pool')
+  }
+
+  for (const row of templateRequestRows) {
+    addUsage(row.thumbnail_src_snapshot, 'template-thumbnail')
+    for (const item of parseJson(row.items_json, [])) addUsage(item?.src, 'template-item')
+  }
+
+  return Array.from(usageMap.entries())
+    .map(([src, roles]) => ({ src, roles: Array.from(roles).sort() }))
+    .sort((a, b) => a.src.localeCompare(b.src))
+}
+
+function replaceItemSrc(items, fromSrc, toSrc) {
+  let changed = false
+  const nextItems = (items || []).map((item) => {
+    if (item?.src !== fromSrc) return item
+    changed = true
+    return { ...item, src: toSrc }
+  })
+  return { changed, items: nextItems }
+}
+
+async function replaceUploadSourceReferences({ fromSrc, toSrc }) {
+  if (!fromSrc || !toSrc || fromSrc === toSrc) return { updatedRows: 0 }
+
+  const [userResult, gameResult, gameItemResult, customItemResult] = await Promise.all([
+    query('UPDATE users SET avatar_src = ? WHERE avatar_src = ?', [toSrc, fromSrc]),
+    query('UPDATE games SET thumbnail_src = ? WHERE thumbnail_src = ?', [toSrc, fromSrc]),
+    query('UPDATE game_items SET src = ? WHERE src = ?', [toSrc, fromSrc]),
+    query('UPDATE custom_items SET src = ? WHERE src = ?', [toSrc, fromSrc]),
+  ])
+
+  let updatedRows = Number(userResult.affectedRows || 0) + Number(gameResult.affectedRows || 0) + Number(gameItemResult.affectedRows || 0) + Number(customItemResult.affectedRows || 0)
+
+  const tierListRows = await query('SELECT id, thumbnail_src, pool_json FROM tierlists')
+  for (const row of tierListRows) {
+    let nextThumbnail = row.thumbnail_src
+    let changed = false
+    if (row.thumbnail_src === fromSrc) {
+      nextThumbnail = toSrc
+      changed = true
+    }
+
+    const replacedPool = replaceItemSrc(parseJson(row.pool_json, []), fromSrc, toSrc)
+    if (replacedPool.changed) changed = true
+
+    if (changed) {
+      await query('UPDATE tierlists SET thumbnail_src = ?, pool_json = ?, updated_at = ? WHERE id = ?', [
+        nextThumbnail || '',
+        serializeJson(replacedPool.items),
+        now(),
+        row.id,
+      ])
+      updatedRows += 1
+    }
+  }
+
+  const requestRows = await query('SELECT id, thumbnail_src_snapshot, items_json FROM template_requests')
+  for (const row of requestRows) {
+    let nextThumbnail = row.thumbnail_src_snapshot
+    let changed = false
+    if (row.thumbnail_src_snapshot === fromSrc) {
+      nextThumbnail = toSrc
+      changed = true
+    }
+
+    const replacedItems = replaceItemSrc(parseJson(row.items_json, []), fromSrc, toSrc)
+    if (replacedItems.changed) changed = true
+
+    if (changed) {
+      await query('UPDATE template_requests SET thumbnail_src_snapshot = ?, items_json = ?, updated_at = ? WHERE id = ?', [
+        nextThumbnail || '',
+        serializeJson(replacedItems.items),
+        now(),
+        row.id,
+      ])
+      updatedRows += 1
+    }
+  }
+
+  return { updatedRows }
+}
+
+async function listImageAssets() {
+  const rows = await query(
+    'SELECT id, content_hash, src, mime_type, byte_size, original_byte_size, width, height, created_at FROM image_assets ORDER BY created_at DESC'
+  )
+  return rows.map(mapImageAssetRow)
+}
+
+async function getReferencedUploadFootprint() {
+  const [referencedSrcs, assets] = await Promise.all([listReferencedUploadSources(), listImageAssets()])
+  const assetMap = new Map(assets.map((asset) => [asset.src, asset]))
+  let totalReferencedByteSize = 0
+  let trackedReferencedByteSize = 0
+  let legacyReferencedByteSize = 0
+  let trackedReferencedCount = 0
+  let legacyReferencedCount = 0
+  let missingCount = 0
+
+  for (const src of referencedSrcs) {
+    if (typeof src !== 'string' || !src.startsWith('/uploads/')) continue
+    const absolutePath = path.join(__dirname, '..', src.replace(/^\//, ''))
+
+    try {
+      const stat = await fs.stat(absolutePath)
+      const size = Number(stat.size || 0)
+      totalReferencedByteSize += size
+      if (assetMap.has(src)) {
+        trackedReferencedCount += 1
+        trackedReferencedByteSize += size
+      } else {
+        legacyReferencedCount += 1
+        legacyReferencedByteSize += size
+      }
+    } catch (error) {
+      if (error?.code === 'ENOENT') missingCount += 1
+    }
+  }
+
+  return {
+    referencedCount: referencedSrcs.length,
+    totalReferencedByteSize,
+    trackedReferencedCount,
+    trackedReferencedByteSize,
+    legacyReferencedCount,
+    legacyReferencedByteSize,
+    missingCount,
+  }
+}
+
+async function getImageAssetStats({ month } = {}) {
+  const range = resolveMonthRange(month)
+  const jobWhere = []
+  const jobParams = []
+
+  if (range) {
+    jobWhere.push('queued_at >= ? AND queued_at < ?')
+    jobParams.push(range.start, range.end)
+  }
+
+  const [assetRows, jobRows, footprint] = await Promise.all([
+    query(
+      `SELECT COUNT(*) AS asset_count, COALESCE(SUM(byte_size), 0) AS total_byte_size, COALESCE(SUM(original_byte_size), 0) AS total_original_byte_size FROM image_assets`
+    ),
+    query(
+      `SELECT
+        COALESCE(SUM(CASE WHEN status = 'queued' THEN 1 ELSE 0 END), 0) AS queued_count,
+        COALESCE(SUM(CASE WHEN status = 'processing' THEN 1 ELSE 0 END), 0) AS processing_count,
+        COALESCE(SUM(CASE WHEN status = 'completed' THEN 1 ELSE 0 END), 0) AS completed_count,
+        COALESCE(SUM(CASE WHEN status = 'failed' THEN 1 ELSE 0 END), 0) AS failed_count,
+        COALESCE(SUM(CASE WHEN status = 'completed' AND reused_asset = 1 THEN 1 ELSE 0 END), 0) AS reused_count
+       FROM image_optimization_jobs
+       ${jobWhere.length ? `WHERE ${jobWhere.join(' AND ')}` : ''}`,
+      jobParams
+    ),
+    getReferencedUploadFootprint(),
+  ])
+
+  const asset = assetRows[0] || {}
+  const jobs = jobRows[0] || {}
+  const totalByteSize = Number(asset.total_byte_size || 0)
+  const totalOriginalByteSize = Number(asset.total_original_byte_size || 0)
+  const savedByteSize = Math.max(0, totalOriginalByteSize - totalByteSize)
+
+  return {
+    assetCount: Number(asset.asset_count || 0),
+    totalByteSize,
+    totalOriginalByteSize,
+    savedByteSize,
+    savingsRatio: totalOriginalByteSize > 0 ? savedByteSize / totalOriginalByteSize : 0,
+    referencedCount: Number(footprint.referencedCount || 0),
+    referencedByteSize: Number(footprint.totalReferencedByteSize || 0),
+    trackedReferencedCount: Number(footprint.trackedReferencedCount || 0),
+    trackedReferencedByteSize: Number(footprint.trackedReferencedByteSize || 0),
+    legacyReferencedCount: Number(footprint.legacyReferencedCount || 0),
+    legacyReferencedByteSize: Number(footprint.legacyReferencedByteSize || 0),
+    missingReferencedCount: Number(footprint.missingCount || 0),
+    queuedCount: Number(jobs.queued_count || 0),
+    processingCount: Number(jobs.processing_count || 0),
+    completedCount: Number(jobs.completed_count || 0),
+    failedCount: Number(jobs.failed_count || 0),
+    reusedCount: Number(jobs.reused_count || 0),
+  }
+}
+
+async function clearImageOptimizationJobs({ month } = {}) {
+  const range = resolveMonthRange(month)
+  if (range) {
+    const result = await query('DELETE FROM image_optimization_jobs WHERE queued_at >= ? AND queued_at < ?', [range.start, range.end])
+    return Number(result.affectedRows || 0)
+  }
+
+  const result = await query('DELETE FROM image_optimization_jobs')
+  return Number(result.affectedRows || 0)
+}
 async function createGameItem({ id, gameId, src, label }) {
   const createdAt = now()
   await query('INSERT INTO game_items (id, game_id, src, label, created_at) VALUES (?, ?, ?, ?, ?)', [
@@ -1389,11 +1873,13 @@ async function unfavoriteGame({ userId, gameId }) {
 module.exports = {
   DB_NAME,
   ensureData,
+  closePool,
   countUsers,
   findUserByEmail,
   findUserById,
   createUser,
   updateUserProfile,
+  findPrimaryAdminUser,
   listUsers,
   adminUpdateUser,
   adminUpdateUserPassword,
@@ -1404,6 +1890,20 @@ module.exports = {
   getGameDetail,
   createGame,
   updateGameThumbnail,
+  findImageAssetByHash,
+  findImageAssetBySrc,
+  createImageAsset,
+  createImageOptimizationJob,
+  findImageOptimizationJobById,
+  updateImageOptimizationJobStatus,
+  listRecentImageOptimizationJobs,
+  listUnusedImageAssets,
+  deleteImageAssets,
+  listReferencedUploadSources,
+  listReferencedUploadUsage,
+  replaceUploadSourceReferences,
+  clearImageOptimizationJobs,
+  getImageAssetStats,
   createGameItem,
   updateGameItemLabel,
   deleteGameItem,

backend/src/lib/image-storage.js

@@ -0,0 +1,218 @@
+const fs = require('fs/promises')
+const path = require('path')
+const crypto = require('crypto')
+const sharp = require('sharp')
+const { nanoid } = require('nanoid')
+const {
+  findImageAssetByHash,
+  createImageAsset,
+  createImageOptimizationJob,
+  updateImageOptimizationJobStatus,
+} = require('../db')
+
+const UPLOAD_ROOT = path.join(__dirname, '..', '..', 'uploads')
+const OPTIMIZED_DIR = 'assets'
+const OPTIMIZATION_CONCURRENCY = Math.max(1, Number(process.env.IMAGE_OPTIMIZATION_CONCURRENCY || 1))
+
+let activeCount = 0
+const pendingJobs = []
+
+function ensureImageMimeType(file) {
+  return typeof file?.mimetype === 'string' && file.mimetype.startsWith('image/')
+}
+
+function createMemoryUpload(multer, { fileSize = 6 * 1024 * 1024, maxCount } = {}) {
+  return multer({
+    storage: multer.memoryStorage(),
+    limits: {
+      fileSize,
+      ...(typeof maxCount === 'number' ? { files: maxCount } : {}),
+    },
+    fileFilter: (req, file, cb) => {
+      if (ensureImageMimeType(file)) return cb(null, true)
+      cb(new Error('image_file_required'))
+    },
+  })
+}
+
+function scheduleQueue() {
+  while (activeCount < OPTIMIZATION_CONCURRENCY && pendingJobs.length) {
+    const job = pendingJobs.shift()
+    activeCount += 1
+    processQueuedJob(job)
+      .then(job.resolve)
+      .catch(job.reject)
+      .finally(() => {
+        activeCount = Math.max(0, activeCount - 1)
+        scheduleQueue()
+      })
+  }
+}
+
+async function optimizeAndPersist({ file, width, height, fit, quality }) {
+  const { data, info } = await sharp(file.buffer, { failOn: 'none' })
+    .rotate()
+    .resize({
+      width,
+      height,
+      fit,
+      withoutEnlargement: true,
+    })
+    .webp({ quality })
+    .toBuffer({ resolveWithObject: true })
+
+  const contentHash = crypto.createHash('sha256').update(data).digest('hex')
+  const existing = await findImageAssetByHash(contentHash)
+  if (existing) {
+    return {
+      src: existing.src,
+      size: existing.byteSize,
+      originalSize: existing.originalByteSize,
+      width: existing.width,
+      height: existing.height,
+      contentHash: existing.contentHash,
+      reused: true,
+    }
+  }
+
+  const filename = String(Date.now()) + '-' + nanoid() + '.webp'
+  const absoluteDir = path.join(UPLOAD_ROOT, OPTIMIZED_DIR)
+  const absolutePath = path.join(absoluteDir, filename)
+  const src = '/uploads/' + OPTIMIZED_DIR + '/' + filename
+
+  await fs.mkdir(absoluteDir, { recursive: true })
+  await fs.writeFile(absolutePath, data)
+
+  try {
+    const asset = await createImageAsset({
+      id: nanoid(),
+      contentHash,
+      src,
+      mimeType: 'image/webp',
+      byteSize: data.length,
+      originalByteSize: file.size || file.buffer.length,
+      width: info.width || 0,
+      height: info.height || 0,
+    })
+
+    return {
+      src: asset.src,
+      size: asset.byteSize,
+      originalSize: asset.originalByteSize,
+      width: asset.width,
+      height: asset.height,
+      contentHash: asset.contentHash,
+      reused: false,
+    }
+  } catch (error) {
+    try {
+      await fs.unlink(absolutePath)
+    } catch (unlinkError) {
+      if (unlinkError?.code !== 'ENOENT') throw unlinkError
+    }
+
+    if (error?.code === 'ER_DUP_ENTRY') {
+      const asset = await findImageAssetByHash(contentHash)
+      if (asset) {
+        return {
+          src: asset.src,
+          size: asset.byteSize,
+          originalSize: asset.originalByteSize,
+          width: asset.width,
+          height: asset.height,
+          contentHash: asset.contentHash,
+          reused: true,
+        }
+      }
+    }
+
+    throw error
+  }
+}
+
+async function processQueuedJob(job) {
+  await updateImageOptimizationJobStatus({
+    id: job.jobId,
+    status: 'processing',
+    startedAt: Date.now(),
+  })
+
+  try {
+    const result = await optimizeAndPersist(job)
+    await updateImageOptimizationJobStatus({
+      id: job.jobId,
+      status: 'completed',
+      optimizedByteSize: result.size,
+      reusedAsset: result.reused,
+      finishedAt: Date.now(),
+    })
+    return result
+  } catch (error) {
+    await updateImageOptimizationJobStatus({
+      id: job.jobId,
+      status: 'failed',
+      errorMessage: error?.message || 'optimization_failed',
+      finishedAt: Date.now(),
+    })
+    throw error
+  }
+}
+
+async function writeOptimizedImage({
+  file,
+  directory,
+  width,
+  height,
+  fit = 'inside',
+  quality = 82,
+}) {
+  if (!file?.buffer?.length) {
+    const error = new Error('file_required')
+    error.code = 'file_required'
+    throw error
+  }
+
+  if (!ensureImageMimeType(file)) {
+    const error = new Error('image_file_required')
+    error.code = 'image_file_required'
+    throw error
+  }
+
+  const jobId = nanoid()
+  await createImageOptimizationJob({
+    id: jobId,
+    sourceCategory: directory,
+    targetDirectory: OPTIMIZED_DIR,
+    originalByteSize: file.size || file.buffer.length,
+  })
+
+  return new Promise((resolve, reject) => {
+    pendingJobs.push({
+      jobId,
+      file,
+      directory,
+      width,
+      height,
+      fit,
+      quality,
+      resolve: (result) => resolve({ ...result, directory }),
+      reject,
+    })
+    scheduleQueue()
+  })
+}
+
+function getImageOptimizationQueueState() {
+  return {
+    concurrency: OPTIMIZATION_CONCURRENCY,
+    activeCount,
+    pendingCount: pendingJobs.length,
+  }
+}
+
+module.exports = {
+  createMemoryUpload,
+  ensureImageMimeType,
+  writeOptimizedImage,
+  getImageOptimizationQueueState,
+}

backend/src/routes/admin.js

@@ -22,6 +22,7 @@ const {
   findCustomItemsByIds,
   deleteCustomItems,
   listUsers,
+  findPrimaryAdminUser,
   listAdminTierLists,
   findTierListById,
   listAdminTemplateRequests,
@@ -30,8 +31,14 @@ const {
   adminUpdateUser,
   adminUpdateUserPassword,
   adminDeleteUser,
+  listUnusedImageAssets,
+  deleteImageAssets,
+  getImageAssetStats,
+  listRecentImageOptimizationJobs,
+  clearImageOptimizationJobs,
 } = require('../db')
 const { requireAdmin } = require('../middleware/auth')
+const { createMemoryUpload, writeOptimizedImage, getImageOptimizationQueueState } = require('../lib/image-storage')
 
 const router = express.Router()
 
@@ -53,21 +60,32 @@ function buildItemLabelFromFilename(file) {
   return normalized || 'item'
 }
 
-const upload = multer({
-  storage: multer.diskStorage({
-    destination: (req, file, cb) => cb(null, path.join(__dirname, '..', '..', 'uploads', 'games')),
-    filename: (req, file, cb) => cb(null, buildUploadFilename(file)),
-  }),
-  limits: { fileSize: 6 * 1024 * 1024 },
-})
+const upload = createMemoryUpload(multer, { fileSize: 8 * 1024 * 1024, maxCount: 50 })
+const avatarUpload = createMemoryUpload(multer, { fileSize: 4 * 1024 * 1024 })
 
-const avatarUpload = multer({
-  storage: multer.diskStorage({
-    destination: (req, file, cb) => cb(null, path.join(__dirname, '..', '..', 'uploads', 'avatars')),
-    filename: (req, file, cb) => cb(null, buildUploadFilename(file)),
-  }),
-  limits: { fileSize: 3 * 1024 * 1024 },
-})
+function decorateAdminUser(user, primaryAdmin) {
+  if (!user) return null
+  const isPrimaryAdmin = !!user.isAdmin && primaryAdmin?.id === user.id
+  return {
+    ...user,
+    isPrimaryAdmin,
+    isOperator: !!user.isAdmin && !isPrimaryAdmin,
+    role: isPrimaryAdmin ? 'owner' : user.isAdmin ? 'operator' : 'user',
+  }
+}
+
+async function getAdminUserContext(targetUserId, actingUserId) {
+  const [targetUser, actingUser, primaryAdmin] = await Promise.all([
+    findUserById(targetUserId),
+    findUserById(actingUserId),
+    findPrimaryAdminUser(),
+  ])
+  return { targetUser, actingUser, primaryAdmin }
+}
+
+function canManageAdminRole(actingUser, primaryAdmin) {
+  return !!actingUser?.isAdmin && primaryAdmin?.id === actingUser.id
+}
 
 router.post('/games', requireAdmin, async (req, res) => {
   const schema = z.object({ id: z.string().min(1), name: z.string().min(1).max(60) })
@@ -97,7 +115,17 @@ router.post('/games/:gameId/thumbnail', requireAdmin, upload.single('thumbnail')
   if (!req.file) return res.status(400).json({ error: 'file_required' })
   const game = await findGameById(req.params.gameId)
   if (!game) return res.status(404).json({ error: 'not_found' })
-  const updated = await updateGameThumbnail(req.params.gameId, `/uploads/games/${req.file.filename}`)
+
+  const optimized = await writeOptimizedImage({
+    file: req.file,
+    directory: 'games',
+    width: 1280,
+    height: 1280,
+    fit: 'inside',
+    quality: 84,
+  })
+
+  const updated = await updateGameThumbnail(req.params.gameId, optimized.src)
   res.json({ game: updated })
 })
 
@@ -113,14 +141,23 @@ router.post('/games/:gameId/images', requireAdmin, upload.array('images', 50), a
   if (normalizedLabels.some((label) => label.length > 60)) return res.status(400).json({ error: 'bad_request' })
 
   const items = await Promise.all(
-    files.map((file, index) =>
-      createGameItem({
+    files.map(async (file, index) => {
+      const optimized = await writeOptimizedImage({
+        file,
+        directory: 'games',
+        width: 512,
+        height: 512,
+        fit: 'inside',
+        quality: 84,
+      })
+
+      return createGameItem({
         id: nanoid(),
         gameId: game.id,
-        src: `/uploads/games/${file.filename}`,
+        src: optimized.src,
         label: normalizedLabels[index] || buildItemLabelFromFilename(file),
       })
-    )
+    })
   )
 
   res.json({ item: items[0], items })
@@ -199,6 +236,78 @@ router.get('/template-requests', requireAdmin, async (req, res) => {
   res.json({ requests })
 })
 
+router.get('/image-assets/orphans', requireAdmin, async (req, res) => {
+  const schema = z.object({
+    limit: z.coerce.number().int().min(1).max(500).optional().default(100),
+    minAgeHours: z.coerce.number().min(0).max(24 * 365).optional().default(24),
+  })
+  const parsed = schema.safeParse(req.query)
+  if (!parsed.success) return res.status(400).json({ error: 'bad_request' })
+
+  const assets = await listUnusedImageAssets(parsed.data)
+  res.json({ assets })
+})
+
+async function removeImageAssetFiles(assets) {
+  await Promise.all(
+    (assets || []).map(async (asset) => {
+      if (!asset?.src || !asset.src.startsWith('/uploads/')) return
+      const absolutePath = path.join(__dirname, '..', '..', asset.src.replace(/^\//, ''))
+      try {
+        await fs.unlink(absolutePath)
+      } catch (error) {
+        if (error?.code !== 'ENOENT') throw error
+      }
+    })
+  )
+}
+
+router.post('/image-assets/cleanup', requireAdmin, async (req, res) => {
+  const schema = z.object({
+    limit: z.coerce.number().int().min(1).max(500).optional().default(100),
+    minAgeHours: z.coerce.number().min(0).max(24 * 365).optional().default(24),
+  })
+  const parsed = schema.safeParse(req.body)
+  if (!parsed.success) return res.status(400).json({ error: 'bad_request' })
+
+  const assets = await listUnusedImageAssets(parsed.data)
+  const deleted = await deleteImageAssets(assets.map((asset) => asset.id))
+  await removeImageAssetFiles(deleted)
+  res.json({ deletedCount: deleted.length, assets: deleted })
+})
+
+router.get('/image-assets/stats', requireAdmin, async (req, res) => {
+  const schema = z.object({
+    month: z.string().regex(/^\d{4}-\d{2}$/).optional(),
+    limit: z.coerce.number().int().min(1).max(24).optional().default(12),
+  })
+  const parsed = schema.safeParse(req.query)
+  if (!parsed.success) return res.status(400).json({ error: 'bad_request' })
+
+  const filters = { month: parsed.data.month }
+  const [stats, recentJobs] = await Promise.all([
+    getImageAssetStats(filters),
+    listRecentImageOptimizationJobs(parsed.data.limit, filters),
+  ])
+  res.json({
+    stats,
+    filters,
+    queue: getImageOptimizationQueueState(),
+    recentJobs,
+  })
+})
+
+router.post('/image-assets/stats/reset', requireAdmin, async (req, res) => {
+  const schema = z.object({
+    month: z.string().regex(/^\d{4}-\d{2}$/).optional().nullable(),
+  })
+  const parsed = schema.safeParse(req.body || {})
+  if (!parsed.success) return res.status(400).json({ error: 'bad_request' })
+
+  const deletedCount = await clearImageOptimizationJobs({ month: parsed.data.month || undefined })
+  res.json({ deletedCount })
+})
+
 async function removeCustomItemFiles(items) {
   await Promise.all(
     items.map(async (item) => {
@@ -214,33 +323,18 @@ async function removeCustomItemFiles(items) {
 }
 
 async function promoteCustomItemToGameItem({ customItem, gameId }) {
-  const originalName = path.basename(customItem.src || '')
-  const nextFilename = buildUploadFilename({ originalname: originalName })
-  const sourcePath = path.join(__dirname, '..', '..', customItem.src.replace(/^\//, ''))
-  const targetRelativePath = path.join('uploads', 'games', nextFilename)
-  const targetPath = path.join(__dirname, '..', '..', targetRelativePath)
-
-  await fs.copyFile(sourcePath, targetPath)
-
   return createGameItem({
     id: nanoid(),
     gameId,
-    src: `/${targetRelativePath.replace(/\\/g, '/')}`,
+    src: customItem.src || '',
     label: customItem.label,
   })
 }
 
 async function copyUploadIntoGameAsset(src) {
   if (typeof src !== 'string' || !src.startsWith('/uploads/')) return src || ''
-
-  const originalName = path.basename(src)
-  const nextFilename = buildUploadFilename({ originalname: originalName })
-  const sourcePath = path.join(__dirname, '..', '..', src.replace(/^\//, ''))
-  const targetRelativePath = path.join('uploads', 'games', nextFilename)
-  const targetPath = path.join(__dirname, '..', '..', targetRelativePath)
-
-  await fs.copyFile(sourcePath, targetPath)
-  return `/${targetRelativePath.replace(/\\/g, '/')}`
+  if (src.startsWith('/uploads/assets/')) return src
+  return src
 }
 
 function uniqueTierListPoolItems(tierList) {
@@ -468,8 +562,18 @@ router.delete('/custom-items', requireAdmin, async (req, res) => {
 })
 
 router.get('/users', requireAdmin, async (req, res) => {
-  const users = await listUsers()
-  res.json({ users })
+  const schema = z.object({
+    q: z.string().trim().max(120).optional().default(''),
+    sort: z.enum(['recent', 'created', 'tierlists']).optional().default('recent'),
+  })
+  const parsed = schema.safeParse(req.query)
+  if (!parsed.success) return res.status(400).json({ error: 'bad_request' })
+
+  const [users, primaryAdmin] = await Promise.all([
+    listUsers({ queryText: parsed.data.q, sort: parsed.data.sort }),
+    findPrimaryAdminUser(),
+  ])
+  res.json({ users: users.map((user) => decorateAdminUser(user, primaryAdmin)) })
 })
 
 router.patch('/users/:userId', requireAdmin, async (req, res) => {
@@ -481,21 +585,34 @@ router.patch('/users/:userId', requireAdmin, async (req, res) => {
   const parsed = schema.safeParse(req.body)
   if (!parsed.success) return res.status(400).json({ error: 'bad_request' })
 
+  const { targetUser, actingUser, primaryAdmin } = await getAdminUserContext(req.params.userId, req.session.userId)
+  if (!targetUser) return res.status(404).json({ error: 'not_found' })
+
+  const actingIsPrimaryAdmin = canManageAdminRole(actingUser, primaryAdmin)
+  const targetIsPrimaryAdmin = primaryAdmin?.id === targetUser.id
+  const roleChanged = parsed.data.isAdmin !== !!targetUser.isAdmin
+
   if (req.params.userId === req.session.userId && !parsed.data.isAdmin) {
     return res.status(400).json({ error: 'self_admin_required' })
   }
-
-  const user = await findUserById(req.params.userId)
-  if (!user) return res.status(404).json({ error: 'not_found' })
+  if (targetIsPrimaryAdmin && !actingIsPrimaryAdmin) {
+    return res.status(403).json({ error: 'primary_admin_protected' })
+  }
+  if (targetIsPrimaryAdmin && !parsed.data.isAdmin) {
+    return res.status(400).json({ error: 'primary_admin_required' })
+  }
+  if (roleChanged && !actingIsPrimaryAdmin) {
+    return res.status(403).json({ error: 'primary_admin_only' })
+  }
 
   try {
     const updated = await adminUpdateUser({
-      id: user.id,
+      id: targetUser.id,
       email: parsed.data.email,
       nickname: parsed.data.nickname,
       isAdmin: parsed.data.isAdmin,
     })
-    res.json({ user: updated })
+    res.json({ user: decorateAdminUser(updated, primaryAdmin) })
   } catch (e) {
     if (e && e.code === 'ER_DUP_ENTRY') {
       return res.status(409).json({ error: 'email_taken' })
@@ -511,20 +628,33 @@ router.post('/users/:userId/avatar', requireAdmin, avatarUpload.single('avatar')
   const parsed = schema.safeParse(req.body)
   if (!parsed.success) return res.status(400).json({ error: 'bad_request' })
 
-  const user = await findUserById(req.params.userId)
-  if (!user) return res.status(404).json({ error: 'not_found' })
+  const { targetUser, actingUser, primaryAdmin } = await getAdminUserContext(req.params.userId, req.session.userId)
+  if (!targetUser) return res.status(404).json({ error: 'not_found' })
+  if (primaryAdmin?.id === targetUser.id && !canManageAdminRole(actingUser, primaryAdmin)) {
+    return res.status(403).json({ error: 'primary_admin_protected' })
+  }
 
+  const optimized = req.file
+    ? await writeOptimizedImage({
+        file: req.file,
+        directory: 'avatars',
+        width: 512,
+        height: 512,
+        fit: 'cover',
+        quality: 82,
+      })
+    : null
   const shouldRemoveAvatar = parsed.data.removeAvatar === '1'
-  const nextAvatarSrc = shouldRemoveAvatar ? '' : req.file ? `/uploads/avatars/${req.file.filename}` : user.avatarSrc || ''
+  const nextAvatarSrc = shouldRemoveAvatar ? '' : optimized?.src || targetUser.avatarSrc || ''
   const updated = await adminUpdateUser({
-    id: user.id,
-    email: user.email,
-    nickname: user.nickname || '',
-    isAdmin: !!user.isAdmin,
+    id: targetUser.id,
+    email: targetUser.email,
+    nickname: targetUser.nickname || '',
+    isAdmin: !!targetUser.isAdmin,
     avatarSrc: nextAvatarSrc,
   })
 
-  res.json({ user: updated })
+  res.json({ user: decorateAdminUser(updated, primaryAdmin) })
 })
 
 router.delete('/users/:userId', requireAdmin, async (req, res) => {
@@ -532,10 +662,19 @@ router.delete('/users/:userId', requireAdmin, async (req, res) => {
     return res.status(400).json({ error: 'cannot_delete_self' })
   }
 
-  const user = await findUserById(req.params.userId)
-  if (!user) return res.status(404).json({ error: 'not_found' })
+  const { targetUser, actingUser, primaryAdmin } = await getAdminUserContext(req.params.userId, req.session.userId)
+  if (!targetUser) return res.status(404).json({ error: 'not_found' })
 
-  await adminDeleteUser(user.id)
+  const actingIsPrimaryAdmin = canManageAdminRole(actingUser, primaryAdmin)
+  const targetIsPrimaryAdmin = primaryAdmin?.id === targetUser.id
+  if (targetIsPrimaryAdmin) {
+    return res.status(400).json({ error: 'cannot_delete_primary_admin' })
+  }
+  if (targetUser.isAdmin && !actingIsPrimaryAdmin) {
+    return res.status(403).json({ error: 'primary_admin_only' })
+  }
+
+  await adminDeleteUser(targetUser.id)
   res.json({ ok: true })
 })
 
@@ -546,11 +685,14 @@ router.patch('/users/:userId/password', requireAdmin, async (req, res) => {
   const parsed = schema.safeParse(req.body)
   if (!parsed.success) return res.status(400).json({ error: 'bad_request' })
 
-  const user = await findUserById(req.params.userId)
-  if (!user) return res.status(404).json({ error: 'not_found' })
+  const { targetUser, actingUser, primaryAdmin } = await getAdminUserContext(req.params.userId, req.session.userId)
+  if (!targetUser) return res.status(404).json({ error: 'not_found' })
+  if (primaryAdmin?.id === targetUser.id && !canManageAdminRole(actingUser, primaryAdmin)) {
+    return res.status(403).json({ error: 'primary_admin_protected' })
+  }
 
   const passwordHash = await bcrypt.hash(parsed.data.password, 10)
-  await adminUpdateUserPassword({ id: user.id, passwordHash })
+  await adminUpdateUserPassword({ id: targetUser.id, passwordHash })
   res.json({ ok: true })
 })
 

backend/src/routes/auth.js

@@ -1,5 +1,4 @@
 const express = require('express')
-const path = require('path')
 const bcrypt = require('bcryptjs')
 const { z } = require('zod')
 const { nanoid } = require('nanoid')
@@ -10,17 +9,13 @@ const {
   findUserById,
   createUser,
   updateUserProfile,
+  findPrimaryAdminUser,
 } = require('../db')
 const { requireAuth } = require('../middleware/auth')
+const { createMemoryUpload, writeOptimizedImage } = require('../lib/image-storage')
 
 const router = express.Router()
 
-function buildUploadFilename(file) {
-  const ext = path.extname(file.originalname || '').toLowerCase()
-  const safeExt = ext && /^[.a-z0-9]+$/.test(ext) ? ext : ''
-  return `${Date.now()}-${nanoid()}${safeExt}`
-}
-
 const signupSchema = z.object({
   email: z.string().email(),
   password: z.string().min(6),
@@ -31,6 +26,24 @@ const profileSchema = z.object({
   removeAvatar: z.union([z.string(), z.undefined()]).optional(),
 })
 
+async function serializeUser(user) {
+  if (!user) return null
+  const primaryAdmin = await findPrimaryAdminUser()
+  const isPrimaryAdmin = !!user.isAdmin && primaryAdmin?.id === user.id
+
+  return {
+    id: user.id,
+    email: user.email,
+    nickname: user.nickname || '',
+    isAdmin: !!user.isAdmin,
+    isPrimaryAdmin,
+    isOperator: !!user.isAdmin && !isPrimaryAdmin,
+    role: isPrimaryAdmin ? 'owner' : user.isAdmin ? 'operator' : 'user',
+    avatarSrc: user.avatarSrc || '',
+    createdAt: user.createdAt,
+  }
+}
+
 router.post('/signup', async (req, res) => {
   const parsed = signupSchema.safeParse(req.body)
   if (!parsed.success) return res.status(400).json({ error: 'bad_request' })
@@ -45,10 +58,9 @@ router.post('/signup', async (req, res) => {
 
   req.session.userId = user.id
   req.session.isAdmin = !!user.isAdmin
-  // 세션을 응답 전에 명시적으로 저장해 Set-Cookie가 확실히 내려오도록 보강
-  req.session.save((err) => {
+  req.session.save(async (err) => {
     if (err) return res.status(500).json({ error: 'session_save_failed' })
-    res.json(user)
+    res.json(await serializeUser(user))
   })
 })
 
@@ -65,16 +77,9 @@ router.post('/login', async (req, res) => {
 
   req.session.userId = user.id
   req.session.isAdmin = !!user.isAdmin
-  req.session.save((err) => {
+  req.session.save(async (err) => {
     if (err) return res.status(500).json({ error: 'session_save_failed' })
-    res.json({
-      id: user.id,
-      email: user.email,
-      nickname: user.nickname || '',
-      isAdmin: !!user.isAdmin,
-      avatarSrc: user.avatarSrc || '',
-      createdAt: user.createdAt,
-    })
+    res.json(await serializeUser(user))
   })
 })
 
@@ -87,20 +92,14 @@ router.get('/me', async (req, res) => {
   if (!req.session || !req.session.userId) return res.json({ user: null })
   const user = await findUserById(req.session.userId)
   if (!user) return res.json({ user: null })
-  res.json({ user })
+  res.json({ user: await serializeUser(user) })
 })
 
 router.get('/meta', async (req, res) => {
   res.json({ hasUsers: (await countUsers()) > 0 })
 })
 
-const upload = multer({
-  storage: multer.diskStorage({
-    destination: (req, file, cb) => cb(null, path.join(__dirname, '..', '..', 'uploads', 'avatars')),
-    filename: (req, file, cb) => cb(null, buildUploadFilename(file)),
-  }),
-  limits: { fileSize: 3 * 1024 * 1024 },
-})
+const upload = createMemoryUpload(multer, { fileSize: 4 * 1024 * 1024 })
 
 router.post('/profile', requireAuth, upload.single('avatar'), async (req, res) => {
   const parsed = profileSchema.safeParse(req.body)
@@ -109,19 +108,26 @@ router.post('/profile', requireAuth, upload.single('avatar'), async (req, res) =
   const user = await findUserById(req.session.userId)
   if (!user) return res.status(404).json({ error: 'not_found' })
 
+  const optimized = req.file
+    ? await writeOptimizedImage({
+        file: req.file,
+        directory: 'avatars',
+        width: 512,
+        height: 512,
+        fit: 'cover',
+        quality: 82,
+      })
+    : null
+
   const shouldRemoveAvatar = parsed.data.removeAvatar === '1'
-  const nextAvatarSrc = shouldRemoveAvatar
-    ? ''
-    : req.file
-      ? `/uploads/avatars/${req.file.filename}`
-      : user.avatarSrc || ''
+  const nextAvatarSrc = shouldRemoveAvatar ? '' : optimized?.src || user.avatarSrc || ''
   const updated = await updateUserProfile({
     id: user.id,
     nickname: parsed.data.nickname,
     avatarSrc: nextAvatarSrc,
   })
 
-  res.json({ user: updated })
+  res.json({ user: await serializeUser(updated) })
 })
 
 module.exports = router

backend/src/routes/tierlists.js

@@ -1,5 +1,4 @@
 const express = require('express')
-const path = require('path')
 const multer = require('multer')
 const { z } = require('zod')
 const { nanoid } = require('nanoid')
@@ -18,6 +17,7 @@ const {
   duplicateTierListForUser,
 } = require('../db')
 const { requireAuth } = require('../middleware/auth')
+const { createMemoryUpload, writeOptimizedImage } = require('../lib/image-storage')
 
 const router = express.Router()
 const FREEFORM_GAME_ID = 'freeform'
@@ -55,27 +55,8 @@ function getCustomTemplateItems(tierList) {
   })
 }
 
-function buildUploadFilename(file) {
-  const ext = path.extname(file.originalname || '').toLowerCase()
-  const safeExt = ext && /^[.a-z0-9]+$/.test(ext) ? ext : ''
-  return `${Date.now()}-${nanoid()}${safeExt}`
-}
-
-const upload = multer({
-  storage: multer.diskStorage({
-    destination: (req, file, cb) => cb(null, path.join(__dirname, '..', '..', 'uploads', 'custom')),
-    filename: (req, file, cb) => cb(null, buildUploadFilename(file)),
-  }),
-  limits: { fileSize: 6 * 1024 * 1024 },
-})
-
-const thumbnailUpload = multer({
-  storage: multer.diskStorage({
-    destination: (req, file, cb) => cb(null, path.join(__dirname, '..', '..', 'uploads', 'tierlists')),
-    filename: (req, file, cb) => cb(null, buildUploadFilename(file)),
-  }),
-  limits: { fileSize: 6 * 1024 * 1024 },
-})
+const upload = createMemoryUpload(multer, { fileSize: 6 * 1024 * 1024 })
+const thumbnailUpload = createMemoryUpload(multer, { fileSize: 8 * 1024 * 1024 })
 
 const tierListUpsertSchema = z.object({
   id: z.string().optional(),
@@ -179,10 +160,19 @@ router.post('/custom-items', requireAuth, upload.single('image'), async (req, re
   const parsed = schema.safeParse(req.body)
   if (!parsed.success) return res.status(400).json({ error: 'bad_request' })
 
+  const optimized = await writeOptimizedImage({
+    file: req.file,
+    directory: 'custom',
+    width: 512,
+    height: 512,
+    fit: 'inside',
+    quality: 84,
+  })
+
   const item = await createCustomItem({
     id: nanoid(),
     ownerId: req.session.userId,
-    src: `/uploads/custom/${req.file.filename}`,
+    src: optimized.src,
     label: parsed.data.label,
   })
 
@@ -191,7 +181,17 @@ router.post('/custom-items', requireAuth, upload.single('image'), async (req, re
 
 router.post('/thumbnail', requireAuth, thumbnailUpload.single('thumbnail'), async (req, res) => {
   if (!req.file) return res.status(400).json({ error: 'file_required' })
-  res.json({ thumbnailSrc: `/uploads/tierlists/${req.file.filename}` })
+
+  const optimized = await writeOptimizedImage({
+    file: req.file,
+    directory: 'tierlists',
+    width: 1280,
+    height: 1280,
+    fit: 'inside',
+    quality: 84,
+  })
+
+  res.json({ thumbnailSrc: optimized.src })
 })
 
 router.post('/:id/template-request', requireAuth, async (req, res) => {

docs/todo.md

@@ -1,40 +1,12 @@
 # 할 일 및 이슈
 
 ## 즉시 확인 필요
-- 피그마 기반 리디자인은 현재 공통 셸과 카드 목록 화면, 포커스 화면 안정화까지만 반영된 상태이므로, 에디터/관리자 우측 옵션 패널을 시안 구조에 맞게 실제 기능 패널로 이관하는 작업이 남아 있다.
-- 홈/게임 허브/내 티어표/즐겨찾기 카드 문법은 어느 정도 통일됐지만, 아직 실제 SVG 아이콘, 미세 간격, hover/selection 상태 같은 디테일은 더 다듬을 필요가 있다.
-- 목록 화면 상단 도구 막대는 공통 카드 문법으로 거의 맞췄지만, 실제 피그마처럼 필터 토글/정렬 상태를 시각적으로 더 강하게 드러내는 디테일은 남아 있다.
-- 현재 공통 셸에는 임시 선형 SVG 아이콘을 사용하므로, 최종 머티리얼 아이콘 에셋을 받으면 교체하고 아이콘 크기/정렬을 다시 미세 조정할 필요가 있다.
-- 공통 셸과 에디터에는 일부 실제 SVG 아이콘을 연결했지만, 아직 즐겨찾기/설정/관리자 등 나머지 내비 아이콘은 임시 선형 SVG이므로 추가 에셋 교체가 남아 있다.
-- 공통 우측 패널의 토글과 독립 컬럼 구조는 반영되었지만, 현재는 안내 카드 중심이므로 실제 화면별 기능 컨트롤을 이 패널로 옮기는 작업이 남아 있다.
-- 티어표 편집 화면과 관리자 화면 모두 로컬 우측 패널 구조로 옮겼지만, 아직 세부 카드 밀도와 아이콘/모션 디테일은 피그마 시안 수준으로 더 다듬을 필요가 있다.
-- 에디터/관리자 로컬 우측 패널은 셸 카드에서 분리됐지만, 아직 실제 피그마처럼 패널 토글 전환 모션과 상태 강조가 더 필요하다.
-- 에디터 로컬 우측 패널은 공통 토글과 연결됐지만, 아직 완전한 피그마 수준의 패널 애니메이션과 내부 카드 재배치는 더 다듬을 필요가 있다.
-- 에디터 우측 패널은 셸의 세 번째 컬럼으로 옮겼지만, 내부 카드 간격과 섹션 구분선은 아직 첨부 시안처럼 더 촘촘하게 정리할 필요가 있다.
-- 에디터 우측 패널 외곽 래퍼는 제거했으므로, 다음 단계는 공통 오른쪽 컬럼 안에서 입력/버튼/구분선 간격을 시안처럼 더 정교하게 다듬는 작업이다.
-- 공통 56px 셸 헤더는 반영했으므로, 다음 단계는 좌/중앙/우 헤더 안에 실제 아이콘/상태 요소를 시안 순서에 맞게 하나씩 채워 넣는 작업이다.
-- 좌측 레일은 최근 즐겨찾기와 전역 검색까지 붙었으므로, 다음 단계는 검색 자동완성이나 즐겨찾기 썸네일 품질 같은 디테일을 더 다듬는 작업이다.
-- 좌측 레일 축소형은 반영했으므로, 다음 단계는 축소 상태에서 관리자/로그인 진입점과 hover 툴팁 같은 보조 UX를 더 다듬는 작업이다.
-- 좌우 하단 액션 영역은 분리했으므로, 다음 단계는 축소된 왼쪽 레일에서도 관리자/로그인 버튼을 아이콘형으로 어떻게 유지할지 검토할 수 있다.
-- 홈 게임 카드 메타는 간소화했으므로, 이후 필요하면 게임 썸네일은 상세 허브나 우측 패널처럼 더 맥락이 분명한 위치에만 쓰는 방향을 검토할 수 있다.
-- 좌우 하단 액션은 항상 보이도록 보정했으므로, 다음 단계는 축소된 레일 상태에서 액션 버튼의 아이콘화 여부를 추가 검토할 수 있다.
-- 카드 목록은 4열 기준과 메타 줄 구성까지 통일했으므로, 다음 단계는 필터 상태 배지나 hover·selection 강조 같은 상호작용 디테일을 더 다듬는 작업이다.
-- 검색 결과 화면은 좌측 전역 검색 입력만 쓰도록 정리됐으므로, 다음 단계는 결과 필터/정렬 여부를 검토하는 식으로 확장하면 된다.
-- 공통 3단 셸 구조는 고정했지만, 관리자/에디터 우측 패널 내부에 아직 바디에 남아 있는 제어 요소를 더 옮겨야 한다.
-- 홈 화면 우측 사이드는 CTA 하나만 남긴 상태이므로, 이후 필요할 때도 임시 정보 카드 다수를 다시 넣기보다 실제 필요한 기능만 선별해 추가해야 한다.
-- 관리자 화면은 헤더 요약 통계와 카드 계층까지 정리됐지만, 아직 표준 SVG 아이콘 교체와 더 세밀한 상태 색상/선택 상태 표현은 남아 있다.
-- 머티리얼 아이콘 SVG는 아직 임시 문자/배지 스타일로 대체된 부분이 있으므로, 최종 아이콘 에셋을 받아 반영하는 작업이 필요하다.
-- 미사용 커스텀 이미지 일괄 삭제는 현재 "참조가 없는 항목" 기준이며, 보관 기간 정책 같은 운영 규칙은 아직 없다.
-- 업로드 이미지는 현재 원본 파일을 그대로 저장하므로, 운영 부담이 커지면 서버 저장 전 리사이즈/압축(예: 긴 변 제한, WebP 변환) 도입이 필요하다.
+- 티어표 형식 추가 필요. 최근 게임들은 S, A, B,C 같은 랭크 뿐만 아니라 가로 열도 나누어진형태의 티어표를 원함 (공격, 방어, 지원 등 각 파트별 랭크를 보고싶어함)
+- 레거시 파일 정리 스크립트는 준비됐으므로, 운영 단계에서는 cron 등으로 주기 실행할지와 삭제 전 보관 기간을 함께 정한다.
 - 관리자 기본 아이템 다중 업로드는 현재 파일명 기반 자동 라벨만 지원하므로, 필요하면 업로드 후 일괄 라벨 수정/정렬 UX를 추가 검토한다.
 - 사용자 커스텀 아이템 승격은 현재 수동 복제 방식이므로, 필요하면 중복 감지나 “비슷한 항목 추천” 같은 보조 UX를 검토한다.
-- 템플릿 등록/업데이트 요청은 현재 승인/반려만 지원하므로, 필요하면 관리자 코멘트나 사용자용 요청 상태 이력 화면을 추가 검토한다.
-- 관리자 티어표 관리의 템플릿 생성은 현재 `freeform`만 직접 지원하므로, 필요하면 일반 게임 티어표의 전체 아이템을 복제한 파생 템플릿 생성 UX도 검토한다.
 - 관리자 티어표 관리의 추가 아이템 승격은 현재 커스텀(origin=`custom`) 아이템 기준이므로, 필요하면 “기존 게임 아이템과 비교한 차집합” 기준으로 더 정교하게 확장할 수 있다.
-- 즐겨찾기는 현재 `내 즐겨찾기` 목록과 정렬까지 지원하므로, 필요하면 폴더 분류나 메모 같은 개인 정리 기능을 추가 검토한다.
-- 전역 토스트는 중복 합치기와 페이드아웃까지 지원하므로, 필요하면 액션 링크나 수동 고정(pin) 같은 상호작용 확장을 검토한다.
-- 공개 티어표 검색은 현재 게임별 허브 안에서만 제공하므로, 필요하면 홈 전역 통합 검색도 검토한다.
-- 즐겨찾기 토글은 현재 상세 화면 중심이므로, 필요하면 카드 목록에서도 안전한 보조 인터랙션(예: 길게 누르기, 별도 메뉴)을 검토한다.
+- 이미지 최적화 기록은 월별 조회/비우기까지 지원하므로, 운영 단계에서는 보관 기간 정책과 자동 아카이브 기준을 정한다.
 
 ## 배포 전 작업
 - NAS 실제 도메인 기준으로 `VITE_API_ORIGIN`, `CORS_ORIGINS`, `SESSION_SECRET`, `SESSION_COOKIE_SECURE`, `TRUST_PROXY` 값을 설정한다.
@@ -44,8 +16,6 @@
 - 로컬 docker compose와 NAS MariaDB 사이의 버전 차이가 크지 않도록 유지한다.
 
 ## 중기 개선
-- 게임/이미지/티어표 삭제 후 복구 또는 수정 이력 관리 기능을 추가한다.
-- 자동 테스트와 최소한의 배포 체크리스트를 만든다.
 - 관리자용 티어표 승인/숨김 처리, 아이템 정렬 UI를 추가한다.
-- 회원 검색/필터, 일괄 권한 변경 같은 관리 보조 기능을 추가한다.
+- 회원 일괄 작업(다중 선택, 일괄 비밀번호 초기화, 활동 저조 계정 정리) 같은 관리 보조 기능을 추가한다.
 - 티어 행 프리셋 저장, 색상 관리, 행 복제 같은 고급 편집 기능을 추가한다.

docs/update.md

@@ -1,5 +1,65 @@
 # 업데이트 로그
 
+## 2026-04-01 v1.3.11
+- **회원 관리 편집 모달 전환**: 관리자 회원 카드를 읽기 전용 정보 카드로 바꾸고, `회원 정보 수정` 버튼으로 Settings 톤의 편집 모달에서 이메일/닉네임/운영자 권한을 저장하도록 재구성
+- **회원 검색/정렬 추가**: 회원 관리 상단에 이메일/닉네임 검색과 `최근 활동순`, `가입순`, `작성 티어표 많은 순` 정렬을 추가해 운영자가 원하는 기준으로 목록을 다시 볼 수 있도록 확장
+- **최고 관리자 보호 도입**: 가장 먼저 생성된 관리자 계정을 `최고 관리자`로 구분하고, 운영자는 최고 관리자 권한/아바타/비밀번호/삭제를 변경할 수 없도록 백엔드 보호 로직과 역할 메타데이터를 추가
+
+## 2026-04-01 v1.3.10
+- 게임 허브 공개 티어표 카드 그리드는 최소/최대 폭을 고정해, 목록이 1~2장뿐일 때도 카드가 화면 전체를 먹으며 과하게 커지지 않도록 보정함.
+- 티어표 행 삭제는 상단 아이콘 대신 우측 하단의 작은 텍스트 액션으로 바꿔, 랭크 카드 안에서 더 조용하고 정돈된 편집 흐름으로 정리함.
+- 공통 `SvgIcon` 컴포넌트를 추가하고 앱 셸, 홈 즐겨찾기, 관리자 회원 액션 같은 UI 아이콘은 `img` 대신 SVG 아이콘 컴포넌트로 렌더링하도록 전환함.
+
+## 2026-04-01 v1.3.9
+- 관리자 오른쪽 사이드의 Image Optimization 패널은 이제 기본 탭인 목록 관리에서만 노출되도록 줄여, 게임/아이템/티어표/회원 관리 화면에서는 실제 작업 패널에 더 집중할 수 있게 정리함.
+- 커스텀 아이템 상세의 '이미 사용 중인 게임' 목록에서는 개인 보드용 freeform 템플릿을 제외하고, 실제 템플릿에 연결된 게임만 보이도록 다듬음.
+- 티어표 행 삭제는 큰 버튼 대신 우측 상단의 작은 x 아이콘으로 바꾸고, 삭제 시 아이템이 풀 영역으로 돌아간다는 안내를 포함한 확인 모달을 거친 뒤 삭제되도록 개선함.
+
+## 2026-03-31 v1.3.8
+- 홈 화면 게임 즐겨찾기 버튼은 일반 문자 별 대신 'kid_star.svg' 아이콘을 사용하도록 바꿔, 기존 아이콘 시스템과 같은 문법으로 정리함.
+- 실제로 더 이상 참조되지 않는 예전 업로드 파일을 정리하는 레거시 업로드 클린업 스크립트를 추가하고, 루트/백엔드 실행 스크립트도 함께 연결함.
+- todo 문서도 이제 운영 반영 후 레거시 파일 정리 배치를 주기화하는 쪽으로 기준을 갱신함.
+
+## 2026-03-31 v1.3.7
+- 현재 참조 중인 레거시 업로드를 다시 최적화 자산 경로로 편입하고 DB 참조를 일괄 교체하는 1회 마이그레이션 스크립트를 추가함.
+- 아바타/썸네일/아이템 역할에 따라 기존 업로드를 512px 또는 1280px 규격으로 다시 정리해, 실제 참조 경로도 '/uploads/assets/' 체계에 점진적으로 수렴시킬 수 있게 함.
+- 루트와 백엔드에 레거시 마이그레이션 실행 스크립트를 연결하고, todo 문서도 다음 단계 기준으로 갱신함.
+
+## 2026-03-31 v1.3.6
+- 현재 참조 중인 레거시 업로드 파일을 'image_assets' 메타에 안전하게 편입하는 1회 백필 스크립트를 추가해, 과거 이미지도 최적화 대시보드와 같은 통계 체계 안에서 집계할 수 있게 함.
+- 루트와 백엔드에 백필 실행 스크립트를 연결해 운영 중 필요할 때 즉시 재실행할 수 있도록 정리함.
+- todo 문서의 즉시 확인 항목도 백필 완료 상태에 맞춰 후속 마이그레이션 과제로 갱신함.
+
+## 2026-03-31 v1.3.5
+- 관리자 이미지 최적화 대시보드는 이제 'image_assets'만이 아니라 현재 실제로 참조 중인 업로드 파일 전체를 합산해, 기존 레거시 업로드까지 포함한 실사용 용량을 함께 보여주도록 확장함.
+- 최근 최적화 작업은 기본 12건으로 늘리고 6/12/24건 선택과 월 단위 필터를 지원해, 특정 기간 사용량과 최적화 이력을 운영 관점에서 바로 확인할 수 있게 정리함.
+- 관리자에서 월별 또는 전체 최적화 기록을 비우는 정리 액션을 추가하고, todo 문서도 현재 이미지 최적화 흐름에 맞게 갱신함.
+
+## 2026-03-31 v1.3.4
+- 관리자 API에 이미지 자산 통계 엔드포인트를 추가해 총 자산 수, 현재 용량, 원본 대비 절감 용량/절감률, 작업 누적 상태를 조회할 수 있게 확장함.
+- 관리자 오른쪽 사이드 하단에 `Image Optimization` 패널을 추가해 큐 상태, 절감 통계, 최근 최적화 작업을 바로 확인할 수 있도록 대시보드를 구성함.
+- 미사용 자산 정리 API와 작업 기록 큐를 기반으로, 운영 중 이미지 스토리지 상태를 관리자 화면에서 직접 점검할 수 있는 흐름을 완성함.
+
+## 2026-03-31 v1.3.3
+- `image_assets` 참조를 전수 점검해 아무 곳에서도 사용하지 않는 최적화 이미지 자산만 추려내는 정리 배치 로직을 추가함.
+- 관리자용 미사용 자산 조회/정리 API를 추가해 오래된 고아 이미지 자산을 미리 확인하거나 실제로 삭제할 수 있도록 확장함.
+- 관리자 승격/템플릿 생성 과정은 기존 `/uploads/assets/` 자산을 그대로 재사용하도록 바꿔, 불필요한 복제 파일이 다시 생기지 않게 정리함.
+
+## 2026-03-31 v1.3.2
+- 업로드 최적화는 이제 백엔드 내부 대기열을 통해 처리되어, 다수 이미지가 한 번에 들어와도 설정된 동시성 안에서 순차적으로 안정적으로 변환되도록 정리함.
+- `image_optimization_jobs` 작업 기록 테이블을 추가해 queued/processing/completed/failed 상태와 원본·최적화 용량, 재사용 여부, 시작/종료 시각을 저장하도록 확장함.
+- 현재 라우트 응답 방식은 유지하면서도 내부적으로는 큐를 타도록 구조를 바꿔, 이후 관리자 대시보드와 작업 통계 화면을 바로 얹을 수 있는 기반을 마련함.
+
+## 2026-03-31 v1.3.1
+- 최적화된 WebP 결과물 기준으로 SHA-256 해시를 계산해, 같은 이미지가 다시 업로드되면 새 파일을 저장하지 않고 기존 자산을 재사용하도록 중복 이미지 해시 검사를 추가함.
+- 이미지 자산 메타데이터를 저장하는 `image_assets` 테이블을 도입해 파일 경로, 해시, 원본 대비 최적화 용량, 해상도를 함께 기록하도록 확장함.
+- 중복 업로드 경쟁 상황에서도 고유 해시 충돌을 안전하게 처리하고, 새 파일 저장에 실패하면 즉시 정리하도록 업로드 헬퍼를 보강함.
+
+## 2026-03-31 v1.3.0
+- 백엔드 업로드 파이프라인을 메모리 기반으로 전환하고, 대표 썸네일·게임 썸네일·커스텀 아이템·게임 기본 아이템·아바타를 서버에서 즉시 WebP로 변환해 저장하도록 정리함.
+- 아이템 이미지는 최대 512px 규격으로 리사이즈하고, 티어표/게임 썸네일은 긴 변 기준 1280px 안쪽으로 최적화해 원본 이미지를 별도로 보관하지 않는 흐름으로 전환함.
+- 업로드 최적화 공통 헬퍼를 추가해 앞으로 중복 해시 검사, 비동기 최적화 큐, 용량 통계 대시보드를 같은 경로 위에 확장할 수 있는 기반을 마련함.
+
 ## 2026-03-31 v1.2.73
 - 게임 허브 리스트형 보기의 썸네일을 48px 밀도로 축소해 한 줄이 과하게 커 보이던 인상을 줄이고, 더 많은 티어표를 한눈에 볼 수 있게 조정함.
 - 깨진 대표 썸네일은 `img` alt 텍스트가 길게 노출되지 않도록 에러 시 즉시 플레이스홀더로 대체하고, 제목/메타 말줄임을 더 보강해 레이아웃 붕괴를 막음.

frontend/src/App.vue

@@ -12,6 +12,7 @@ import iconLists from './assets/icons/lists.svg'
 import iconSearch from './assets/icons/search.svg'
 import iconSettings from './assets/icons/settings.svg'
 import RightRailAd from './components/RightRailAd.vue'
+import SvgIcon from './components/SvgIcon.vue'
 
 const route = useRoute()
 const router = useRouter()
@@ -302,7 +303,7 @@ function submitGlobalSearch() {
       <aside class="leftRail">
         <div class="leftRail__top railHeader">
           <button v-if="!isMobileLayout" class="ghostIcon ghostIcon--iconOnly" type="button" aria-label="왼쪽 패널 토글" @click="toggleLeftRail">
-            <img :src="iconDockToRight" alt="" />
+            <SvgIcon :src="iconDockToRight" :size="24" />
           </button>
         </div>
 
@@ -322,7 +323,7 @@ function submitGlobalSearch() {
         <form class="searchStub" @submit.prevent="submitGlobalSearch">
           <button class="searchStub__iconButton" type="button" :aria-label="leftRailCollapsed ? '검색 열기' : '검색'" @click="handleLeftRailSearch">
             <span class="searchStub__icon">
-              <img :src="iconSearch" alt="" />
+              <SvgIcon :src="iconSearch" :size="24" />
             </span>
           </button>
           <input v-model="searchQuery" class="searchStub__input" type="search" :placeholder="leftRailCollapsed ? '' : searchPlaceholder" />
@@ -339,7 +340,7 @@ function submitGlobalSearch() {
             :aria-label="leftRailCollapsed ? item.label : undefined"
           >
             <span class="leftNav__glyph">
-              <img v-if="item.iconSrc" :src="item.iconSrc" alt="" />
+              <SvgIcon v-if="item.iconSrc" :src="item.iconSrc" :size="24" />
               <svg v-else viewBox="0 0 24 24" aria-hidden="true"><path :d="item.icon" /></svg>
             </span>
             <span class="leftNav__label">{{ item.label }}</span>
@@ -365,14 +366,14 @@ function submitGlobalSearch() {
             <div class="workspaceHead__actions">
               <div v-if="showGameHubViewToggle" class="viewToggle" role="group" aria-label="티어표 보기 방식">
                 <button class="ghostIcon ghostIcon--iconOnly" :class="{ 'ghostIcon--active': gameHubViewMode === 'grid' }" type="button" aria-label="그리드 보기" @click="setGameHubViewMode('grid')">
-                  <img :src="iconGridView" alt="" />
+                  <SvgIcon :src="iconGridView" :size="24" />
                 </button>
                 <button class="ghostIcon ghostIcon--iconOnly" :class="{ 'ghostIcon--active': gameHubViewMode === 'list' }" type="button" aria-label="리스트 보기" @click="setGameHubViewMode('list')">
-                  <img :src="iconLists" alt="" />
+                  <SvgIcon :src="iconLists" :size="24" />
                 </button>
               </div>
               <button v-if="!rightRailOpen" class="ghostIcon ghostIcon--iconOnly" type="button" aria-label="패널 열기" @click="toggleRightRail">
-                <img :src="iconDockToLeft" alt="" />
+                <SvgIcon :src="iconDockToLeft" :size="24" />
               </button>
             </div>
           </header>
@@ -385,7 +386,7 @@ function submitGlobalSearch() {
       <div v-if="isCollapsedSearchOpen" class="collapsedSearchModal" role="dialog" aria-modal="true" :aria-label="searchPlaceholder" @click.self="closeCollapsedSearch">
         <form class="collapsedSearchBar" @submit.prevent="submitGlobalSearch">
           <span class="collapsedSearchBar__icon">
-            <img :src="iconSearch" alt="" />
+            <SvgIcon :src="iconSearch" :size="24" />
           </span>
           <input v-model="searchQuery" class="collapsedSearchBar__input" type="search" :placeholder="searchPlaceholder" autofocus />
         </form>
@@ -396,7 +397,7 @@ function submitGlobalSearch() {
       <aside class="rightRail" :class="{ 'rightRail--closed': !rightRailOpen, 'rightRail--overlay': isRightRailOverlay }" :aria-hidden="!rightRailOpen">
         <div class="rightRail__top railHeader">
           <button v-if="rightRailOpen" class="ghostIcon ghostIcon--iconOnly" type="button" aria-label="패널 닫기" @click="toggleRightRail">
-            <img :src="iconDockToLeft" alt="" />
+            <SvgIcon :src="iconDockToLeft" :size="24" />
           </button>
         </div>
         <div class="rightRail__body">

frontend/src/assets/icons/kid_star.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" height="24px" viewBox="0 -960 960 960" width="24px" fill="ffffff"><path d="m305-704 112-145q12-16 28.5-23.5T480-880q18 0 34.5 7.5T543-849l112 145 170 57q26 8 41 29.5t15 47.5q0 12-3.5 24T866-523L756-367l4 164q1 35-23 59t-56 24q-2 0-22-3l-179-50-179 50q-5 2-11 2.5t-11 .5q-32 0-56-24t-23-59l4-165L95-523q-8-11-11.5-23T80-570q0-25 14.5-46.5T135-647l170-57Zm49 69-194 64 124 179-4 191 200-55 200 56-4-192 124-177-194-66-126-165-126 165Zm126 135Z"/></svg>

frontend/src/components/SvgIcon.vue

@@ -0,0 +1,38 @@
+<script setup>
+import { computed } from 'vue'
+
+const props = defineProps({
+  src: { type: String, required: true },
+  size: { type: [Number, String], default: 20 },
+  color: { type: String, default: 'currentColor' },
+})
+
+const normalizedSize = computed(() => (typeof props.size === "number" ? `${props.size}px` : props.size))
+const iconStyle = computed(() => ({
+  "--svg-icon-src": `url("${props.src}")`,
+  "--svg-icon-size": normalizedSize.value,
+  "--svg-icon-color": props.color,
+}))
+</script>
+
+<template>
+  <span class="svgIcon" :style="iconStyle" aria-hidden="true"></span>
+</template>
+
+<style scoped>
+.svgIcon {
+  display: inline-block;
+  width: var(--svg-icon-size);
+  height: var(--svg-icon-size);
+  background-color: var(--svg-icon-color);
+  -webkit-mask-image: var(--svg-icon-src);
+  mask-image: var(--svg-icon-src);
+  -webkit-mask-repeat: no-repeat;
+  mask-repeat: no-repeat;
+  -webkit-mask-position: center;
+  mask-position: center;
+  -webkit-mask-size: contain;
+  mask-size: contain;
+  flex: 0 0 auto;
+}
+</style>

frontend/src/lib/api.js

@@ -44,6 +44,15 @@ export const api = {
   listAdminTierLists: ({ q = '', page = 1, limit = 50 } = {}) =>
     request(`/api/admin/tierlists?q=${encodeURIComponent(q)}&page=${encodeURIComponent(page)}&limit=${encodeURIComponent(limit)}`),
   listAdminTemplateRequests: () => request('/api/admin/template-requests'),
+  getAdminImageAssetStats: ({ month = '', limit = 12 } = {}) => {
+    const query = new URLSearchParams()
+    if (month) query.set('month', month)
+    query.set('limit', String(limit))
+    return request(`/api/admin/image-assets/stats?${query.toString()}`)
+  },
+  resetAdminImageAssetStats: (payload) => request('/api/admin/image-assets/stats/reset', { method: 'POST', body: payload || {} }),
+  listAdminUnusedImageAssets: ({ limit = 100, minAgeHours = 24 } = {}) => request(`/api/admin/image-assets/orphans?limit=${encodeURIComponent(limit)}&minAgeHours=${encodeURIComponent(minAgeHours)}`),
+  cleanupAdminUnusedImageAssets: (payload) => request('/api/admin/image-assets/cleanup', { method: 'POST', body: payload || {} }),
   promoteAdminCustomItem: (itemId, payload) =>
     request(`/api/admin/custom-items/${encodeURIComponent(itemId)}/promote`, { method: 'POST', body: payload }),
   promoteAdminTierListItems: (tierListId, payload) =>
@@ -53,7 +62,8 @@ export const api = {
   approveAdminTemplateRequest: (requestId, payload) =>
     request(`/api/admin/template-requests/${encodeURIComponent(requestId)}/approve`, { method: 'POST', body: payload || {} }),
   rejectAdminTemplateRequest: (requestId) => request(`/api/admin/template-requests/${encodeURIComponent(requestId)}/reject`, { method: 'POST', body: {} }),
-  listAdminUsers: () => request('/api/admin/users'),
+  listAdminUsers: ({ q = '', sort = 'recent' } = {}) =>
+    request(`/api/admin/users?q=${encodeURIComponent(q)}&sort=${encodeURIComponent(sort)}`),
   updateAdminUser: (userId, payload) =>
     request(`/api/admin/users/${encodeURIComponent(userId)}`, { method: 'PATCH', body: payload }),
   updateAdminUserPassword: (userId, payload) =>

frontend/src/views/AdminView.vue

@@ -5,6 +5,7 @@ import { api } from '../lib/api'
 import { toApiUrl } from '../lib/runtime'
 import lockResetIcon from '../assets/icons/lock_reset.svg'
 import deleteIcon from '../assets/icons/delete.svg'
+import SvgIcon from '../components/SvgIcon.vue'
 import { useAuthStore } from '../stores/auth'
 import { useToast } from '../composables/useToast'
 
@@ -46,6 +47,7 @@ const importModalNewGameId = ref('')
 const importModalNewGameName = ref('')
 const previewModalOpen = ref(false)
 const previewTierList = ref(null)
+const userEditModalOpen = ref(false)
 const userPasswordModalOpen = ref(false)
 const userDeleteModalOpen = ref(false)
 const userRoleModalOpen = ref(false)
@@ -54,9 +56,20 @@ const customItemDeleteModalOpen = ref(false)
 const modalTargetUser = ref(null)
 const modalPasswordDraft = ref('')
 const modalRoleNextAdmin = ref(false)
+const modalUserDraftEmail = ref('')
+const modalUserDraftNickname = ref('')
+const modalUserDraftIsAdmin = ref(false)
 const modalTargetCustomItem = ref(null)
 
 const users = ref([])
+const userQuery = ref('')
+const userSort = ref('recent')
+const imageStats = ref(null)
+const imageQueue = ref({ concurrency: 1, activeCount: 0, pendingCount: 0 })
+const imageRecentJobs = ref([])
+const imageStatsMonth = ref('')
+const imageStatsLimit = ref(12)
+const imageResetModalOpen = ref(false)
 
 const error = ref('')
 const success = ref('')
@@ -121,7 +134,7 @@ const adminOverviewStats = computed(() => {
   const publishedTierLists = adminTierLists.value.filter((tierList) => tierList.isPublic).length
   const pendingRequests = templateRequests.value.length
   const orphanItems = customItems.value.filter((item) => item.usageCount === 0).length
-  const adminCount = users.value.filter((user) => user.isAdmin || user.draftIsAdmin).length
+  const adminCount = users.value.filter((user) => user.isAdmin).length
 
   if (activeTab.value === 'featured') {
     return [
@@ -166,7 +179,7 @@ const adminOverviewStats = computed(() => {
 
 onMounted(async () => {
   await auth.refresh()
-  await Promise.all([refreshGames(), refreshCustomItems(), refreshAdminTierLists(), refreshUsers(), refreshTemplateRequests()])
+  await Promise.all([refreshGames(), refreshCustomItems(), refreshAdminTierLists(), refreshUsers(), refreshTemplateRequests(), refreshImageDiagnostics()])
   await syncFeaturedSortable()
 })
 
@@ -226,6 +239,72 @@ function resetMessages() {
   success.value = ''
 }
 
+function formatBytes(value) {
+  const size = Number(value || 0)
+  if (!size) return '0 B'
+  const units = ['B', 'KB', 'MB', 'GB']
+  let current = size
+  let unitIndex = 0
+  while (current >= 1024 && unitIndex < units.length - 1) {
+    current /= 1024
+    unitIndex += 1
+  }
+  return `${current >= 10 || unitIndex === 0 ? current.toFixed(0) : current.toFixed(1)} ${units[unitIndex]}`
+}
+
+const imageDiagnosticsCards = computed(() => {
+  const stats = imageStats.value
+  if (!stats) return []
+  return [
+    { label: '실사용 파일', value: `${stats.referencedCount || 0}` },
+    { label: '현재 용량', value: formatBytes(stats.referencedByteSize) },
+    { label: '추적 자산', value: `${stats.trackedReferencedCount || 0}` },
+    { label: '레거시 참조', value: `${stats.legacyReferencedCount || 0}` },
+    { label: '절감 용량', value: formatBytes(stats.savedByteSize) },
+    { label: '절감률', value: `${Math.round((stats.savingsRatio || 0) * 100)}%` },
+  ]
+})
+const visibleLinkedGames = computed(() =>
+  (modalTargetCustomItem.value?.linkedGames || []).filter((game) => game?.id && game.id !== 'freeform')
+)
+
+const imageStatsPeriodLabel = computed(() => (imageStatsMonth.value ? `${imageStatsMonth.value} 기준` : '전체 기간'))
+
+async function refreshImageDiagnostics() {
+  try {
+    const data = await api.getAdminImageAssetStats({
+      month: imageStatsMonth.value || '',
+      limit: imageStatsLimit.value,
+    })
+    imageStats.value = data.stats || null
+    imageQueue.value = data.queue || { concurrency: 1, activeCount: 0, pendingCount: 0 }
+    imageRecentJobs.value = data.recentJobs || []
+  } catch (e) {
+    error.value = '이미지 최적화 현황을 불러오지 못했어요.'
+  }
+}
+
+function openImageResetModal() {
+  imageResetModalOpen.value = true
+}
+
+function closeImageResetModal() {
+  imageResetModalOpen.value = false
+}
+
+async function confirmImageReset() {
+  try {
+    const data = await api.resetAdminImageAssetStats({ month: imageStatsMonth.value || null })
+    success.value = imageStatsMonth.value
+      ? `${imageStatsMonth.value} 기록 ${data.deletedCount || 0}건을 정리했어요.`
+      : `전체 최적화 기록 ${data.deletedCount || 0}건을 정리했어요.`
+    closeImageResetModal()
+    await refreshImageDiagnostics()
+  } catch (e) {
+    error.value = '이미지 최적화 기록을 정리하지 못했어요.'
+  }
+}
+
 function setTab(tab) {
   resetMessages()
   activeTab.value = tab
@@ -278,9 +357,25 @@ function setUserAvatarInput(userId, el) {
   userAvatarInputs.value[userId] = el
 }
 
-function isUserDirty(user) {
-  if (!user) return false
-  return user.draftEmail !== user.email || (user.draftNickname || '') !== (user.nickname || '') || !!user.draftIsAdmin !== !!user.isAdmin
+const canManageModalRole = computed(() => {
+  if (!auth.user?.isPrimaryAdmin) return false
+  if (!modalTargetUser.value) return false
+  return !modalTargetUser.value.isPrimaryAdmin
+})
+
+const isUserEditDirty = computed(() => {
+  if (!modalTargetUser.value) return false
+  return (
+    modalUserDraftEmail.value.trim() !== (modalTargetUser.value.email || '') ||
+    modalUserDraftNickname.value.trim() !== (modalTargetUser.value.nickname || '') ||
+    !!modalUserDraftIsAdmin.value !== !!modalTargetUser.value.isAdmin
+  )
+})
+
+function roleLabelOf(user) {
+  if (user?.isPrimaryAdmin) return '최고 관리자'
+  if (user?.isAdmin) return '운영자'
+  return '일반 회원'
 }
 
 function openUserAvatarPicker(user) {
@@ -299,17 +394,14 @@ async function uploadUserAvatar(user, file, { remove = false } = {}) {
       entry.id === updated.id
         ? {
             ...entry,
-            avatarSrc: updated.avatarSrc || '',
-            email: updated.email,
-            nickname: updated.nickname || '',
-            isAdmin: !!updated.isAdmin,
-            draftEmail: updated.email,
-            draftNickname: updated.nickname || '',
-            draftIsAdmin: !!updated.isAdmin,
+            ...updated,
             isAvatarBusy: false,
           }
         : entry
     )
+    if (modalTargetUser.value?.id === updated.id) {
+      modalTargetUser.value = { ...modalTargetUser.value, ...updated }
+    }
     if (updated.id === auth.user?.id) await auth.refresh()
     await refreshUsers()
     success.value = remove ? '회원 썸네일을 삭제했어요.' : '회원 썸네일을 업데이트했어요.'
@@ -423,12 +515,9 @@ async function refreshTemplateRequests() {
 async function refreshUsers() {
   if (!auth.user?.isAdmin) return
   try {
-    const data = await api.listAdminUsers()
+    const data = await api.listAdminUsers({ q: userQuery.value, sort: userSort.value })
     users.value = (data.users || []).map((user) => ({
       ...user,
-      draftEmail: user.email,
-      draftNickname: user.nickname || '',
-      draftIsAdmin: !!user.isAdmin,
       isAvatarBusy: false,
     }))
   } catch (e) {
@@ -705,29 +794,45 @@ async function removeGame() {
   }
 }
 
-async function saveUser(user) {
+function openUserEditModal(user) {
   resetMessages()
+  modalTargetUser.value = user ? { ...user } : null
+  modalUserDraftEmail.value = user?.email || ''
+  modalUserDraftNickname.value = user?.nickname || ''
+  modalUserDraftIsAdmin.value = !!user?.isAdmin
+  userEditModalOpen.value = true
+}
+
+function closeUserEditModal() {
+  userEditModalOpen.value = false
+  modalTargetUser.value = null
+  modalUserDraftEmail.value = ''
+  modalUserDraftNickname.value = ''
+  modalUserDraftIsAdmin.value = false
+}
+
+async function saveUserEdit() {
+  resetMessages()
+  if (!modalTargetUser.value?.id) return
+
   try {
-    const data = await api.updateAdminUser(user.id, {
-      email: user.draftEmail,
-      nickname: user.draftNickname,
-      isAdmin: !!user.draftIsAdmin,
+    const data = await api.updateAdminUser(modalTargetUser.value.id, {
+      email: modalUserDraftEmail.value.trim(),
+      nickname: modalUserDraftNickname.value.trim(),
+      isAdmin: !!modalUserDraftIsAdmin.value,
     })
     const updated = data.user
     users.value = users.value.map((entry) =>
       entry.id === updated.id
         ? {
             ...entry,
-            email: updated.email,
-            nickname: updated.nickname || '',
-            isAdmin: !!updated.isAdmin,
-            draftEmail: updated.email,
-            draftNickname: updated.nickname || '',
-            draftIsAdmin: !!updated.isAdmin,
+            ...updated,
+            isAvatarBusy: entry.isAvatarBusy || false,
           }
         : entry
     )
     if (updated.id === auth.user?.id) await auth.refresh()
+    closeUserEditModal()
     await refreshUsers()
     success.value = '회원 정보를 저장했어요.'
   } catch (e) {
@@ -737,7 +842,7 @@ async function saveUser(user) {
 
 function openUserPasswordModal(user) {
   resetMessages()
-  modalTargetUser.value = user || null
+  modalTargetUser.value = user ? { ...user } : null
   modalPasswordDraft.value = ''
   userPasswordModalOpen.value = true
 }
@@ -769,7 +874,7 @@ async function confirmUserPasswordReset() {
 
 function openUserDeleteModal(user) {
   resetMessages()
-  modalTargetUser.value = user || null
+  modalTargetUser.value = user ? { ...user } : null
   userDeleteModalOpen.value = true
 }
 
@@ -796,34 +901,31 @@ async function confirmUserDelete() {
 }
 
 
-function openUserRoleModal(user) {
+function openUserRoleModal(user, nextIsAdmin = !modalUserDraftIsAdmin.value) {
   resetMessages()
-  modalTargetUser.value = user || null
-  modalRoleNextAdmin.value = !user?.draftIsAdmin
+  modalTargetUser.value = user ? { ...user } : null
+  modalRoleNextAdmin.value = !!nextIsAdmin
   userRoleModalOpen.value = true
 }
 
 function closeUserRoleModal() {
   userRoleModalOpen.value = false
-  modalTargetUser.value = null
+  if (!userEditModalOpen.value) modalTargetUser.value = null
   modalRoleNextAdmin.value = false
 }
 
 function confirmUserRoleDraft() {
   if (!modalTargetUser.value?.id) return
-  users.value = users.value.map((entry) =>
-    entry.id === modalTargetUser.value.id
-      ? {
-          ...entry,
-          draftIsAdmin: modalRoleNextAdmin.value,
-        }
-      : entry
-  )
-  const targetLabel = modalRoleNextAdmin.value ? '관리자로 지정했어요. 저장하면 반영됩니다.' : '관리자 권한 해제로 표시했어요. 저장하면 반영됩니다.'
+  modalUserDraftIsAdmin.value = modalRoleNextAdmin.value
+  const targetLabel = modalRoleNextAdmin.value ? '운영자 권한을 저장 대기 상태로 반영했어요.' : '운영자 권한 해제를 저장 대기 상태로 반영했어요.'
   closeUserRoleModal()
   success.value = targetLabel
 }
 
+function submitUserFilters() {
+  refreshUsers()
+}
+
 function submitCustomItemSearch() {
   customItemPage.value = 1
   refreshCustomItems()
@@ -1475,6 +1577,21 @@ async function saveFeaturedOrder() {
               </div>
             </div>
 
+            <div class="toolbar toolbar--secondary">
+              <input
+                v-model="userQuery"
+                class="input toolbar__search"
+                placeholder="이메일, 닉네임 검색"
+                @keydown.enter.prevent="submitUserFilters"
+              />
+              <select v-model="userSort" class="select toolbar__select" @change="submitUserFilters">
+                <option value="recent">최근 활동순</option>
+                <option value="created">가입순</option>
+                <option value="tierlists">작성 티어표 많은 순</option>
+              </select>
+              <button class="btn btn--ghost toolbar__button" type="button" @click="submitUserFilters">조회</button>
+            </div>
+
             <div v-if="!users.length" class="hint">아직 가입한 회원이 없어요.</div>
             <div v-else class="userList">
               <article v-for="user in users" :key="user.id" class="userCard">
@@ -1501,7 +1618,7 @@ async function saveFeaturedOrder() {
                         :disabled="user.isAvatarBusy"
                         @click.stop="removeUserAvatar(user)"
                       >
-                        <img :src="deleteIcon" alt="" />
+                        <SvgIcon class="userAvatarRemoveIcon" :src="deleteIcon" :size="12" />
                       </button>
                     </div>
                     <div class="userCard__identityMeta">
@@ -1511,33 +1628,25 @@ async function saveFeaturedOrder() {
                   </div>
                 </div>
 
-                <div v-if="user.draftIsAdmin" class="roleBadge userCard__roleBadge">Administrator</div>
+                <div v-if="user.isAdmin" class="roleBadge userCard__roleBadge">{{ roleLabelOf(user) }}</div>
 
                 <div class="userInfoList">
                   <div class="userInfoLine"><span>가입일</span><strong>{{ fmt(user.createdAt) }}</strong></div>
                   <div class="userInfoLine"><span>작성 티어표</span><strong>{{ user.tierListCount }}개</strong></div>
                   <div class="userInfoLine"><span>최근 활동</span><strong>{{ fmt(user.recentActivityAt || user.createdAt) }}</strong></div>
+                  <div class="userInfoLine"><span>계정명</span><strong>{{ user.email }}</strong></div>
+                  <div class="userInfoLine"><span>닉네임</span><strong>{{ user.nickname || '미설정' }}</strong></div>
+                  <div class="userInfoLine"><span>권한</span><strong>{{ roleLabelOf(user) }}</strong></div>
                 </div>
 
-                <input v-model="user.draftEmail" class="input" placeholder="이메일" />
-                <input v-model="user.draftNickname" class="input" placeholder="닉네임" />
-                <button
-                  class="userRoleAction"
-                  type="button"
-                  :disabled="user.id === auth.user?.id"
-                  @click="openUserRoleModal(user)"
-                >
-                  {{ user.draftIsAdmin ? '관리자 권한 해제' : '관리자 권한 임명' }}
-                </button>
-
                 <div class="userCard__actions userCard__actions--compact">
                   <button class="iconActionButton" type="button" title="비밀번호 초기화" @click="openUserPasswordModal(user)">
-                    <img :src="lockResetIcon" alt="" />
+                    <SvgIcon class="iconActionButton__icon" :src="lockResetIcon" :size="18" />
                   </button>
                   <button class="iconActionButton iconActionButton--danger" type="button" title="회원 삭제" @click="openUserDeleteModal(user)">
-                    <img :src="deleteIcon" alt="" />
+                    <SvgIcon class="iconActionButton__icon" :src="deleteIcon" :size="18" />
                   </button>
-                  <button class="btn btn--ghost userSaveButton" :disabled="!isUserDirty(user)" @click="saveUser(user)">회원정보 저장</button>
+                  <button class="btn btn--ghost userSaveButton" type="button" @click="openUserEditModal(user)">회원 정보 수정</button>
                 </div>
               </article>
             </div>
@@ -1559,6 +1668,39 @@ async function saveFeaturedOrder() {
               </div>
             </div>
 
+            <div v-if="userEditModalOpen" class="modalOverlay" @click.self="closeUserEditModal">
+              <div class="modalCard modalCard--userEdit" role="dialog" aria-modal="true">
+                <div class="modalCard__title">회원 정보 수정</div>
+                <div class="modalCard__desc">{{ modalTargetUser ? `${userDisplayName(modalTargetUser)} 계정의 정보와 권한을 조정할 수 있어요.` : '' }}</div>
+                <div class="userEditForm">
+                  <label class="field">
+                    <span class="field__label">이메일</span>
+                    <input v-model="modalUserDraftEmail" class="field__input" placeholder="계정 이메일" />
+                    <span class="field__hint">로그인 계정으로 사용하는 이메일입니다.</span>
+                  </label>
+
+                  <label class="field">
+                    <span class="field__label">닉네임</span>
+                    <input v-model="modalUserDraftNickname" class="field__input" placeholder="표시용 닉네임" />
+                    <span class="field__hint">티어표 작성자명과 프로필에 표시됩니다.</span>
+                  </label>
+
+                  <button
+                    v-if="canManageModalRole"
+                    class="userRoleAction"
+                    type="button"
+                    @click="openUserRoleModal(modalTargetUser, !modalUserDraftIsAdmin)"
+                  >
+                    {{ modalUserDraftIsAdmin ? '운영자 권한 해제' : '운영자 권한 부여' }}
+                  </button>
+                </div>
+                <div class="modalCard__actions">
+                  <button class="btn btn--ghost" @click="closeUserEditModal">취소</button>
+                  <button class="btn btn--primary" :disabled="!isUserEditDirty" @click="saveUserEdit">회원 정보 저장</button>
+                </div>
+              </div>
+            </div>
+
             <div v-if="userPasswordModalOpen" class="modalOverlay" @click.self="closeUserPasswordModal">
               <div class="modalCard" role="dialog" aria-modal="true">
                 <div class="modalCard__title">비밀번호 초기화</div>
@@ -1586,13 +1728,13 @@ async function saveFeaturedOrder() {
 
             <div v-if="userRoleModalOpen" class="modalOverlay" @click.self="closeUserRoleModal">
               <div class="modalCard" role="dialog" aria-modal="true">
-                <div class="modalCard__title">관리자 권한 변경</div>
+                <div class="modalCard__title">운영자 권한 변경</div>
                 <div class="modalCard__desc">
                   {{
                     modalTargetUser
                       ? modalRoleNextAdmin
-                        ? `${userDisplayName(modalTargetUser)} 사용자를 관리자로 임명할까요?`
-                        : `${userDisplayName(modalTargetUser)} 사용자의 관리자 권한을 해제할까요?`
+                        ? `${userDisplayName(modalTargetUser)} 사용자를 운영자로 지정할까요?`
+                        : `${userDisplayName(modalTargetUser)} 사용자의 운영자 권한을 해제할까요?`
                       : ''
                   }}
                 </div>
@@ -1657,11 +1799,11 @@ async function saveFeaturedOrder() {
                       </select>
                     </div>
                     <div class="customItemModal__linked">
-                      <span class="customItemModal__label">이미 사용 중인 게임</span>
-                      <div v-if="modalTargetCustomItem.linkedGames?.length" class="customItemModal__chips">
-                        <span v-for="game in modalTargetCustomItem.linkedGames" :key="game.id" class="pill">{{ game.name }}</span>
+                      <span class="customItemModal__label">템플릿에 사용 중인 게임</span>
+                      <div v-if="visibleLinkedGames.length" class="customItemModal__chips">
+                        <span v-for="game in visibleLinkedGames" :key="game.id" class="pill">{{ game.name }}</span>
                       </div>
-                      <div v-else class="hint hint--tight">아직 연결된 게임이 없어요.</div>
+                      <div v-else class="hint hint--tight">아직 템플릿에 연결된 게임이 없어요.</div>
                     </div>
                   </div>
                   <div class="customItemModal__body">
@@ -1695,6 +1837,19 @@ async function saveFeaturedOrder() {
               </div>
             </div>
 
+            <div v-if="imageResetModalOpen" class="modalOverlay" @click.self="closeImageResetModal">
+              <div class="modalCard" role="dialog" aria-modal="true">
+                <div class="modalCard__title">최적화 기록 비우기</div>
+                <div class="modalCard__desc">
+                  {{ imageStatsMonth ? `${imageStatsMonth} 기간의 최적화 기록만 삭제합니다.` : '전체 최적화 작업 기록을 비웁니다. 실제 이미지 파일은 삭제되지 않아요.' }}
+                </div>
+                <div class="modalCard__actions">
+                  <button class="btn btn--ghost" @click="closeImageResetModal">취소</button>
+                  <button class="btn btn--danger" @click="confirmImageReset">기록 비우기</button>
+                </div>
+              </div>
+            </div>
+
             <div v-if="previewModalOpen" class="modalOverlay" @click.self="closePreviewModal">
               <div class="modalCard modalCard--preview" role="dialog" aria-modal="true">
                 <div class="modalCard__titleRow">
@@ -1842,6 +1997,62 @@ async function saveFeaturedOrder() {
         </template>
       </section>
 
+
+      <section v-if="activeTab === 'featured'" class="adminSidebar__panel">
+        <div class="adminSidebar__label">Image Optimization</div>
+        <div class="adminSidebar__group">
+          <input v-model="imageStatsMonth" class="input" type="month" />
+          <select v-model.number="imageStatsLimit" class="select">
+            <option :value="6">최근 6건</option>
+            <option :value="12">최근 12건</option>
+            <option :value="24">최근 24건</option>
+          </select>
+        </div>
+        <div class="adminSidebar__actions adminSidebar__actions--split">
+          <button class="btn btn--ghost" @click="refreshImageDiagnostics">현황 새로고침</button>
+          <button class="btn btn--ghost" @click="openImageResetModal">기록 비우기</button>
+        </div>
+        <div class="hint hint--tight">{{ imageStatsPeriodLabel }}</div>
+        <div v-if="imageDiagnosticsCards.length" class="adminSidebar__stats adminSidebar__stats--grid">
+          <article v-for="stat in imageDiagnosticsCards" :key="stat.label" class="sidebarStat">
+            <span class="sidebarStat__label">{{ stat.label }}</span>
+            <strong class="sidebarStat__value">{{ stat.value }}</strong>
+          </article>
+        </div>
+        <div class="adminSidebar__stats">
+          <div class="sidebarStat">
+            <span class="sidebarStat__label">큐 상태</span>
+            <strong class="sidebarStat__value">{{ imageQueue.activeCount }} 실행 / {{ imageQueue.pendingCount }} 대기</strong>
+          </div>
+          <div class="sidebarStat">
+            <span class="sidebarStat__label">작업 누적</span>
+            <strong class="sidebarStat__value">{{ imageStats?.completedCount || 0 }} 완료 · {{ imageStats?.failedCount || 0 }} 실패</strong>
+          </div>
+          <div class="sidebarStat">
+            <span class="sidebarStat__label">중복 재사용</span>
+            <strong class="sidebarStat__value">{{ imageStats?.reusedCount || 0 }}건</strong>
+          </div>
+          <div class="sidebarStat">
+            <span class="sidebarStat__label">누락 파일</span>
+            <strong class="sidebarStat__value">{{ imageStats?.missingReferencedCount || 0 }}건</strong>
+          </div>
+        </div>
+        <div class="adminSidebar__group">
+          <div class="section__title">최근 최적화 작업</div>
+          <div class="hint hint--tight">현재 {{ imageRecentJobs.length }}건 표시 중</div>
+          <div v-if="!imageRecentJobs.length" class="hint hint--tight">아직 기록된 최적화 작업이 없어요.</div>
+          <div v-else class="imageJobList">
+            <article v-for="job in imageRecentJobs" :key="job.id" class="imageJobRow">
+              <div class="imageJobRow__head">
+                <strong>{{ job.sourceCategory || 'asset' }}</strong>
+                <span class="imageJobRow__status">{{ job.status }}</span>
+              </div>
+              <div class="hint hint--tight">{{ formatBytes(job.originalByteSize) }} → {{ formatBytes(job.optimizedByteSize) }}</div>
+              <div class="hint hint--tight">{{ fmt(job.queuedAt) }}</div>
+            </article>
+          </div>
+        </div>
+      </section>
     </aside>
   </Teleport>
 </template>
@@ -1932,6 +2143,38 @@ async function saveFeaturedOrder() {
     rgba(13, 13, 13, 0.94);
   box-shadow: 0 18px 40px rgba(0, 0, 0, 0.18);
 }
+
+.adminSidebar__stats--grid {
+  grid-template-columns: repeat(2, minmax(0, 1fr));
+  gap: 8px;
+}
+
+.imageJobList {
+  display: grid;
+  gap: 8px;
+}
+
+.imageJobRow {
+  border: 1px solid var(--line);
+  border-radius: 14px;
+  padding: 10px 12px;
+  background: rgba(255, 255, 255, 0.02);
+  display: grid;
+  gap: 4px;
+}
+
+.imageJobRow__head {
+  display: flex;
+  justify-content: space-between;
+  gap: 12px;
+  align-items: center;
+  font-size: 12px;
+}
+
+.imageJobRow__status {
+  color: var(--text-muted);
+  text-transform: capitalize;
+}
 .adminSidebar__label {
   font-size: 11px;
   letter-spacing: 0.12em;
@@ -1948,6 +2191,9 @@ async function saveFeaturedOrder() {
 .adminSidebar__actions--stack .btn {
   width: 100%;
 }
+.adminSidebar__actions--split {
+  grid-template-columns: repeat(2, minmax(0, 1fr));
+}
 .adminSidebar__groupTitle {
   font-size: 13px;
   font-weight: 800;
@@ -2752,10 +2998,8 @@ async function saveFeaturedOrder() {
   transform: translateY(2px) scale(0.96);
   transition: opacity 160ms ease, transform 160ms ease, background 160ms ease, visibility 160ms ease;
 }
-.userAvatarRemoveButton img {
-  width: 12px;
-  height: 12px;
-  filter: brightness(0) invert(1);
+.userAvatarRemoveIcon {
+  color: rgba(255, 255, 255, 0.96);
 }
 .userAvatarRemoveButton:disabled {
   opacity: 0.45;
@@ -2820,6 +3064,44 @@ async function saveFeaturedOrder() {
   font-size: 14px;
   font-weight: 900;
 }
+.field {
+  display: grid;
+  gap: 8px;
+}
+.field__label {
+  font-size: 13px;
+  color: rgba(255, 255, 255, 0.62);
+}
+.field__input {
+  width: 100%;
+  padding: 14px 0;
+  border: 0;
+  border-bottom: 1px solid rgba(255, 255, 255, 0.12);
+  background: transparent;
+  color: rgba(255, 255, 255, 0.94);
+  outline: none;
+  font-size: 18px;
+  letter-spacing: -0.02em;
+}
+.field__input:focus {
+  border-bottom-color: rgba(96, 165, 250, 0.9);
+}
+.field__hint {
+  font-size: 12px;
+  color: rgba(255, 255, 255, 0.42);
+}
+
+.userEditForm {
+  display: grid;
+  gap: 18px;
+}
+.userEditForm .field {
+  gap: 10px;
+}
+.modalCard--userEdit {
+  max-width: 520px;
+}
+
 .userCard__actions {
   display: grid;
   grid-template-columns: repeat(2, minmax(0, 1fr));
@@ -2857,9 +3139,8 @@ async function saveFeaturedOrder() {
   background: rgba(255, 255, 255, 0.04);
   cursor: pointer;
 }
-.iconActionButton img {
-  width: 18px;
-  height: 18px;
+.iconActionButton__icon {
+  color: rgba(255, 255, 255, 0.92);
 }
 .iconActionButton:disabled {
   cursor: not-allowed;

frontend/src/views/GameHubView.vue

@@ -222,7 +222,8 @@ function submitSearch() {
 }
 .list {
   display: grid;
-  grid-template-columns: repeat(auto-fit, minmax(min(100%, 280px), 1fr));
+  grid-template-columns: repeat(auto-fit, minmax(260px, 320px));
+  justify-content: start;
   gap: 18px;
 }
 

frontend/src/views/HomeView.vue

@@ -2,6 +2,8 @@
 import { computed, onMounted, ref, watch } from 'vue'
 import { useRoute, useRouter } from 'vue-router'
 import { api } from '../lib/api'
+import SvgIcon from '../components/SvgIcon.vue'
+import kidStarIcon from '../assets/icons/kid_star.svg'
 import { toApiUrl } from '../lib/runtime'
 import { useAuthStore } from '../stores/auth'
 
@@ -91,7 +93,7 @@ function thumbUrl(g) {
         :disabled="loadingFavoriteId === g.id"
         @click.stop="toggleFavorite(g, $event)"
       >
-        {{ g.isFavorited ? '★' : '☆' }}
+        <SvgIcon class="libraryCard__favoriteIcon" :src="kidStarIcon" :size="18" />
       </button>
       <button class="libraryCard__main" type="button" @click="goGame(g.id)">
         <div class="libraryCard__thumbWrap">
@@ -169,8 +171,20 @@ function thumbUrl(g) {
   line-height: 1;
   cursor: pointer;
   z-index: 2;
+  display: flex;
+  align-items: center;
+  justify-content: center;
 }
 .libraryCard__favorite--active {
+  background: rgba(54, 45, 10, 0.92);
+  border-color: rgba(255, 216, 107, 0.28);
+}
+.libraryCard__favoriteIcon {
+  opacity: 0.76;
+  color: rgba(255, 255, 255, 0.94);
+}
+.libraryCard__favorite--active .libraryCard__favoriteIcon {
+  opacity: 1;
   color: #ffd86b;
 }
 .libraryCard__thumbWrap {

frontend/src/views/TierEditorView.vue

@@ -45,6 +45,8 @@ const isTemplateUpdateModalOpen = ref(false)
 const templateRequestDraftTitle = ref('')
 const templateRequestDraftDescription = ref('')
 const isDeleteModalOpen = ref(false)
+const isGroupDeleteModalOpen = ref(false)
+const pendingRemoveGroupId = ref('')
 const ownerId = ref('')
 const authorName = ref('')
 const authorAccountName = ref('')
@@ -280,7 +282,7 @@ async function addGroup() {
   await syncSortables()
 }
 
-async function removeGroup(groupId) {
+async function performRemoveGroup(groupId) {
   if (groups.value.length <= 1) return
   const target = groups.value.find((group) => group.id === groupId)
   if (!target) return
@@ -290,6 +292,24 @@ async function removeGroup(groupId) {
   await syncSortables()
 }
 
+function openGroupDeleteModal(groupId) {
+  if (!canEdit.value || groups.value.length <= 1 || !groupId) return
+  pendingRemoveGroupId.value = groupId
+  isGroupDeleteModalOpen.value = true
+}
+
+function closeGroupDeleteModal() {
+  isGroupDeleteModalOpen.value = false
+  pendingRemoveGroupId.value = ''
+}
+
+async function confirmRemoveGroup() {
+  const groupId = pendingRemoveGroupId.value
+  closeGroupDeleteModal()
+  if (!groupId) return
+  await performRemoveGroup(groupId)
+}
+
 function addCustomImage(file) {
   if (!file || !file.type.startsWith('image/')) return
   const url = URL.createObjectURL(file)
@@ -833,6 +853,19 @@ onUnmounted(() => {
     </div>
   </div>
 
+  <div v-if="isGroupDeleteModalOpen" class="modalOverlay" @click.self="closeGroupDeleteModal">
+    <div class="modalCard" role="dialog" aria-modal="true" aria-labelledby="deleteGroupTitle">
+      <div id="deleteGroupTitle" class="modalCard__title">티어 라인 삭제</div>
+      <div class="modalCard__desc">
+        이 라인을 삭제하면 현재 들어 있는 아이템은 모두 아래 아이템 영역으로 이동합니다. 삭제 후에도 아이템 자체는 유지돼요.
+      </div>
+      <div class="modalCard__actions">
+        <button class="btn btn--ghost" @click="closeGroupDeleteModal">취소</button>
+        <button class="btn btn--danger" @click="confirmRemoveGroup">라인 삭제</button>
+      </div>
+    </div>
+  </div>
+
   <section class="layout" :style="{ '--thumb-size': `${iconSize}px` }">
     <div class="editorMain">
       <section class="head">
@@ -884,9 +917,18 @@ onUnmounted(() => {
                     <div class="row__exportName">{{ g.name }}</div>
                   </template>
                   <template v-else>
+                    <button
+                      v-if="canEdit"
+                      class="rowRemoveText"
+                      type="button"
+                      title="티어 라인 삭제"
+                      :disabled="groups.length <= 1"
+                      @click="openGroupDeleteModal(g.id)"
+                    >
+                      열 삭제
+                    </button>
                     <span class="grab" title="드래그로 순서 변경" data-group-handle>↕</span>
                     <input v-model="g.name" class="groupName" :readonly="!canEdit" />
-                    <button v-if="canEdit" class="rowRemoveBtn" :disabled="groups.length <= 1" @click="removeGroup(g.id)">삭제</button>
                   </template>
                 </div>
                 <div
@@ -1146,7 +1188,7 @@ onUnmounted(() => {
 .previewOnly__label {
   display: grid;
   place-items: center;
-  padding: 10px 8px;
+  padding: 10px 12px;
   text-align: center;
   font-weight: 900;
   border-radius: 14px;
@@ -1512,6 +1554,7 @@ onUnmounted(() => {
   align-items: stretch;
 }
 .row__label {
+  position: relative;
   border-radius: 16px;
   background: rgba(255, 255, 255, 0.08);
   border: 1px solid rgba(255, 255, 255, 0.12);
@@ -1519,7 +1562,7 @@ onUnmounted(() => {
   gap: 8px;
   align-items: center;
   justify-content: center;
-  padding: 10px 8px;
+  padding: 10px 12px 30px;
   font-weight: 900;
   overflow: hidden;
 }
@@ -1547,26 +1590,32 @@ onUnmounted(() => {
   outline: none;
   min-width: 0;
 }
+.rowRemoveText {
+  position: absolute;
+  right: 12px;
+  bottom: 10px;
+  padding: 0;
+  border: 0;
+  background: transparent;
+  color: rgba(255, 255, 255, 0.6);
+  cursor: pointer;
+  font-size: 12px;
+  line-height: 1;
+  font-weight: 800;
+}
+.rowRemoveText:hover {
+  color: rgba(255, 255, 255, 0.9);
+}
+.rowRemoveText:disabled {
+  opacity: 0.32;
+  cursor: not-allowed;
+}
 .row__exportName {
   width: 100%;
   text-align: center;
   font-weight: 900;
   word-break: break-word;
 }
-.rowRemoveBtn {
-  padding: 6px 10px;
-  border-radius: 10px;
-  border: 1px solid rgba(239, 68, 68, 0.28);
-  background: rgba(239, 68, 68, 0.12);
-  color: rgba(255, 255, 255, 0.92);
-  cursor: pointer;
-  font-weight: 800;
-  flex: 0 0 auto;
-}
-.rowRemoveBtn:disabled {
-  opacity: 0.45;
-  cursor: not-allowed;
-}
 .row__drop {
   border-radius: 16px;
   background: rgba(0, 0, 0, 0.18);

package.json

@@ -8,7 +8,10 @@
     "dev:backend": "npm --prefix backend run dev",
     "build": "npm --prefix frontend run build",
     "start": "npm --prefix backend run start",
-    "test": "echo \"Error: no test specified\" && exit 1"
+    "test": "echo \"Error: no test specified\" && exit 1",
+    "images:backfill": "npm --prefix backend run images:backfill",
+    "images:migrate-legacy": "npm --prefix backend run images:migrate-legacy",
+    "uploads:cleanup-legacy": "npm --prefix backend run uploads:cleanup-legacy"
   },
   "keywords": [],
   "author": "",