xamxam/app/public/admin/actions/filepond/remove.php

<?php
/**
 * FilePond remove endpoint — soft-deletes a thesis_files row (admin).
 *
 * DELETE /admin/actions/filepond/remove.php
 * Body: JSON { "db_id": 123 }
 *
 * Called when a user removes an existing file in edit mode via FilePond UI.
 */

require_once __DIR__ . '/../../../../bootstrap.php';
require_once __DIR__ . '/../../../../src/AdminAuth.php';
require_once __DIR__ . '/../../../../src/FilepondHandler.php';

// ── Auth (admin only) ────────────────────────────────────────────────────
AdminAuth::requireLogin();

// ── CSRF via header ──────────────────────────────────────────────────────
$csrfHeader = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
if (!isset($_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $csrfHeader)) {
    http_response_code(403);
    die('Token CSRF invalide.');
}

$handler = new FilepondHandler('[filepond:admin]');
$handler->handleRemove();