feat(meta): live Meta verification status + WhatsApp setup fixes

- GET /v1/organizations/:id/meta-status — fetches WABA account_review_status
and business verification_status live from Meta Graph API, cached 1h in Redis
- POST /v1/organizations/:id/meta-status/refresh — force-invalidates the cache
- ClientsManagementView: replaced static metaVerificationStatus field with live
per-org Meta status (WABA badge, Business badge, derived daily limit)
- launchEmbeddedSignup: fixed race condition — now waits for both the OAuth code
(FB.login) and WABA/phone IDs (WA_EMBEDDED_SIGNUP_EVENT) before resolving
- /whatsapp-setup: exchanges OAuth code for long-lived Meta token (60 days)
before storing; bypasses exchange if token already starts with EAA
- OnboardingWizard: removed broken WhatsApp step (3 steps: welcome, legal, AI)
- OrganizationSchema: removed non-existent DB fields (contractSigned,
contractSignedAt, contractSignerName, metaVerificationStatus, dailyMessageLimit)
that caused prisma.organization.create() to throw Unknown arg at runtime

Requires new env vars: META_APP_ID, WHATSAPP_APP_SECRET (on HF Space + Railway)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

apps/admin/src/components/WhatsAppConnectButton.tsx

@@ -23,10 +23,10 @@ export const WhatsAppConnectButton: React.FC = () => {
             // 1. Launch Meta Popup
             const result = await launchEmbeddedSignup();
             
-            // 2. Send IDs and Code/Token to our Backend
+            // 2. Send OAuth code + WABA/phone IDs to backend for token exchange
             await api.post(`/v1/organizations/${orgId}/whatsapp-setup`, {
                 wabaId: result.waba_id,
-                accessToken: result.accessToken || result.code,
+                accessToken: result.code,
                 phoneNumberId: result.phone_number_id,
                 phoneNumber: ''
             }, token, orgId);

apps/admin/src/lib/meta-signup.ts

@@ -18,14 +18,13 @@ export const initMetaSDK = () => {
     }
 
     const initOptions = {
-        appId      : META_APP_ID,
-        cookie     : true,
-        xfbml      : true,
-        version    : 'v19.0'
+        appId  : META_APP_ID,
+        cookie : true,
+        xfbml  : true,
+        version: 'v19.0'
     };
 
     if (window.FB) {
-        console.log("[META-SDK] SDK already loaded, initializing directly.");
         window.FB.init(initOptions);
     } else {
         window.fbAsyncInit = function() {
@@ -34,33 +33,48 @@ export const initMetaSDK = () => {
     }
 };
 
-export interface MetaSignupResponse {
-    accessToken: string;
-    wabaId: string;
+export interface MetaSignupResult {
+    code: string;
+    waba_id: string;
+    phone_number_id: string;
 }
 
-export const launchEmbeddedSignup = (): Promise<any> => {
+export const launchEmbeddedSignup = (): Promise<MetaSignupResult> => {
     return new Promise((resolve, reject) => {
         if (!window.FB) {
             return reject(new Error("Le SDK Meta n'est pas chargé."));
         }
 
-        // Listener to capture IDs sent by Meta during onboarding
-        const sessionHandler = (event: any) => {
+        // Collect both the OAuth code (from FB.login) and the WABA/phone IDs
+        // (from WA_EMBEDDED_SIGNUP_EVENT) before resolving — they arrive independently.
+        const collected: Partial<MetaSignupResult> = {};
+        let settled = false;
+
+        const tryResolve = () => {
+            if (settled) return;
+            if (collected.code && collected.waba_id && collected.phone_number_id) {
+                settled = true;
+                window.removeEventListener('message', sessionHandler);
+                resolve(collected as MetaSignupResult);
+            }
+        };
+
+        const sessionHandler = (event: MessageEvent) => {
             if (event.origin !== "https://www.facebook.com") return;
-            
             try {
-                const data = JSON.parse(event.data);
+                const data = JSON.parse(event.data as string);
                 if (data.type === 'WA_EMBEDDED_SIGNUP_EVENT') {
                     if (data.event === 'FINISH') {
-                        const { phone_number_id, waba_id } = data.data;
-                        console.log("[META-SDK] Onboarding terminé", { waba_id, phone_number_id });
-                        resolve({ waba_id, phone_number_id, success: true });
-                    } else if (data.event === 'CANCEL') {
+                        collected.waba_id = data.data.waba_id;
+                        collected.phone_number_id = data.data.phone_number_id;
+                        tryResolve();
+                    } else if (data.event === 'CANCEL' && !settled) {
+                        settled = true;
+                        window.removeEventListener('message', sessionHandler);
                         reject(new Error("L'utilisateur a annulé l'onboarding."));
                     }
                 }
-            } catch (err) {
+            } catch {
                 // Not our event
             }
         };
@@ -68,21 +82,20 @@ export const launchEmbeddedSignup = (): Promise<any> => {
         window.addEventListener('message', sessionHandler);
 
         window.FB.login((response: any) => {
-            if (response.authResponse) {
-                const code = response.authResponse.code;
-                resolve({ code });
-            } else {
+            if (response.authResponse?.code) {
+                collected.code = response.authResponse.code;
+                tryResolve();
+            } else if (!settled) {
+                settled = true;
                 window.removeEventListener('message', sessionHandler);
                 reject(new Error("Connexion Facebook échouée ou annulée."));
             }
         }, {
-            config_id: import.meta.env.VITE_META_CONFIG_ID || '', // Requested config_id
-            response_type: 'code', // Requested response_type
-            override_default_response_type: true, // Requested override
+            config_id: import.meta.env.VITE_META_CONFIG_ID || '',
+            response_type: 'code',
+            override_default_response_type: true,
             scope: 'whatsapp_business_management,whatsapp_business_messaging',
-            extras: {
-                feature: 'whatsapp_embedded_signup'
-            }
+            extras: { feature: 'whatsapp_embedded_signup' }
         });
     });
 };

apps/admin/src/pages/ClientsManagementView.tsx

@@ -1,5 +1,5 @@
 import { useState, useEffect } from 'react';
-import { Building2, Plus, MessageSquare, ShieldCheck, Activity, Loader2, X } from 'lucide-react';
+import { Building2, Plus, MessageSquare, ShieldCheck, Activity, Loader2, X, RefreshCw, CheckCircle2, XCircle, AlertTriangle } from 'lucide-react';
 import { api } from '../lib/api';
 import { useAuth } from '../lib/auth';
 import { launchEmbeddedSignup } from '../lib/meta-signup';
@@ -9,17 +9,9 @@ import { useToast } from '../hooks/useToast';
 interface Organization {
     id: string;
     name: string;
-    status: 'ACTIVE' | 'PENDING' | 'CONFIG_REQUIRED';
     mode: 'EDTECH' | 'CRM_MARKETING' | 'PEDAGOGY' | 'CUSTOMER_SERVICE';
-    useCase: 'EDUCATION' | 'CRM_WHATSAPP';
     wabaId?: string;
-    phoneNumbers?: { id: string, phoneNumber: string }[];
-    lastActivity?: string;
-    metaVerificationStatus: 'PENDING' | 'VERIFIED' | 'REJECTED';
-    dailyMessageLimit: number;
-    contractSigned: boolean;
-    contractSignedAt?: string;
-    contractSignerName?: string;
+    phoneNumbers?: { id: string; phoneNumber: string }[];
     personalityConfig?: {
         botName?: string;
         coreMission?: string;
@@ -27,6 +19,17 @@ interface Organization {
     };
 }
 
+interface MetaStatus {
+    configured: boolean;
+    wabaStatus?: 'APPROVED' | 'PENDING' | 'REJECTED' | 'BANNED' | 'UNKNOWN';
+    businessId?: string;
+    businessName?: string;
+    businessVerified?: boolean;
+    syncedAt?: string;
+    error?: string;
+    loading?: boolean;
+}
+
 interface PersonalityModalProps {
     org: Organization;
     onClose: () => void;
@@ -52,19 +55,34 @@ export default function ClientsManagementView() {
     const [isCreating, setIsCreating] = useState(false);
     const [showGuide, setShowGuide] = useState(false);
     const [billingOrg, setBillingOrg] = useState<Organization | null>(null);
- 
+    const [metaStatuses, setMetaStatuses] = useState<Record<string, MetaStatus>>({});
+
+    const fetchMetaStatus = async (orgId: string, force = false) => {
+        setMetaStatuses(prev => ({ ...prev, [orgId]: { ...prev[orgId], configured: false, loading: true } }));
+        try {
+            const status = force
+                ? await api.post(`/v1/organizations/${orgId}/meta-status/refresh`, {}, token!)
+                : await api.get(`/v1/organizations/${orgId}/meta-status`, token!);
+            setMetaStatuses(prev => ({ ...prev, [orgId]: { ...status, loading: false } }));
+        } catch {
+            setMetaStatuses(prev => ({ ...prev, [orgId]: { configured: false, loading: false, error: 'Erreur réseau' } }));
+        }
+    };
+
     const fetchClients = async () => {
         if (!token) return;
         try {
             const data = await api.get('/v1/organizations', token);
             setClients(data);
+            // Fetch Meta status for all orgs in parallel (non-blocking)
+            data.forEach((org: Organization) => fetchMetaStatus(org.id));
         } catch (error) {
             console.error("Failed to fetch organizations:", error);
         } finally {
             setLoading(false);
         }
     };
- 
+
     useEffect(() => {
         fetchClients();
     }, [token]);
@@ -88,10 +106,13 @@ export default function ClientsManagementView() {
 
     const handleEmbeddedSignup = async (orgId: string) => {
         try {
-            const signupData = await launchEmbeddedSignup();
-            
-            await api.post(`/v1/organizations/${orgId}/whatsapp-setup`, signupData, token!);
-            
+            const result = await launchEmbeddedSignup();
+            await api.post(`/v1/organizations/${orgId}/whatsapp-setup`, {
+                wabaId: result.waba_id,
+                accessToken: result.code,
+                phoneNumberId: result.phone_number_id,
+                phoneNumber: ''
+            }, token!);
             toast.success("WhatsApp connecté avec succès !");
             fetchClients();
         } catch (error: any) {
@@ -180,47 +201,13 @@ export default function ClientsManagementView() {
                         </div>
 
                         <div className="mt-8 pt-6 border-t border-slate-50 grid grid-cols-4 gap-6">
-                            <div className="flex items-center gap-3">
-                                <div className={`p-2 rounded-lg ${client.metaVerificationStatus === 'VERIFIED' ? 'bg-emerald-50' : 'bg-amber-50'}`}>
-                                    <ShieldCheck className={`w-4 h-4 ${client.metaVerificationStatus === 'VERIFIED' ? 'text-emerald-500' : 'text-amber-500'}`} />
-                                </div>
-                                <div>
-                                    <p className="text-[10px] uppercase font-bold text-slate-400 tracking-wider">Statut Meta</p>
-                                    <div className="flex items-center gap-2">
-                                        <p className="text-sm font-medium text-slate-700">
-                                            {client.metaVerificationStatus === 'VERIFIED' ? 'Entreprise Vérifiée' : 'Non Vérifiée'}
-                                        </p>
-                                        {client.metaVerificationStatus !== 'VERIFIED' && (
-                                            <button 
-                                                onClick={() => setShowGuide(true)}
-                                                className="text-[10px] text-indigo-600 hover:underline font-bold"
-                                            >
-                                                Comment vérifier ? →
-                                            </button>
-                                        )}
-                                    </div>
-                                </div>
-                            </div>
-                            <div className="flex items-center gap-3">
-                                <div className="p-2 bg-indigo-50 rounded-lg">
-                                    <MessageSquare className="w-4 h-4 text-indigo-500" />
-                                </div>
-                                <div>
-                                    <p className="text-[10px] uppercase font-bold text-slate-400 tracking-wider">Limite Quotidienne</p>
-                                    <p className="text-sm font-medium text-slate-700">{client.dailyMessageLimit} conv.</p>
-                                </div>
-                            </div>
-                            <div className="flex items-center gap-3">
-                                <div className={`p-2 rounded-lg ${client.contractSigned ? 'bg-blue-50' : 'bg-slate-50'}`}>
-                                    <Activity className={`w-4 h-4 ${client.contractSigned ? 'text-blue-500' : 'text-slate-400'}`} />
-                                </div>
-                                <div>
-                                    <p className="text-[10px] uppercase font-bold text-slate-400 tracking-wider">Contrat PaaS</p>
-                                    <p className={`text-sm font-medium ${client.contractSigned ? 'text-blue-600' : 'text-slate-500'}`}>
-                                        {client.contractSigned ? 'Signé' : 'En attente'}
-                                    </p>
-                                </div>
-                            </div>
+                            <MetaStatusCell
+                                ms={metaStatuses[client.id]}
+                                onRefresh={() => fetchMetaStatus(client.id, true)}
+                                onGuide={() => setShowGuide(true)}
+                            />
+                            <BusinessVerificationCell ms={metaStatuses[client.id]} />
+                            <DailyLimitCell ms={metaStatuses[client.id]} />
                             <div className="flex items-center justify-end">
                                 <button
                                     onClick={() => setBillingOrg(client)}
@@ -384,20 +371,16 @@ export default function ClientsManagementView() {
                                     <p className="font-semibold text-slate-800">{billingOrg.mode}</p>
                                 </div>
                                 <div className="bg-slate-50 rounded-2xl p-4">
-                                    <p className="text-xs font-bold text-slate-400 uppercase tracking-widest mb-1">Statut Meta</p>
-                                    <p className={`font-semibold ${billingOrg.metaVerificationStatus === 'VERIFIED' ? 'text-emerald-600' : 'text-amber-600'}`}>
-                                        {billingOrg.metaVerificationStatus === 'VERIFIED' ? 'Vérifié' : 'Non vérifié'}
-                                    </p>
+                                    <p className="text-xs font-bold text-slate-400 uppercase tracking-widest mb-1">WABA Status</p>
+                                    <WabaStatusBadge ms={metaStatuses[billingOrg.id]} />
                                 </div>
                                 <div className="bg-slate-50 rounded-2xl p-4">
                                     <p className="text-xs font-bold text-slate-400 uppercase tracking-widest mb-1">Limite quotidienne</p>
-                                    <p className="font-semibold text-slate-800">{billingOrg.dailyMessageLimit} conv.</p>
+                                    <p className="font-semibold text-slate-800">{dailyLimitLabel(metaStatuses[billingOrg.id])}</p>
                                 </div>
                                 <div className="bg-slate-50 rounded-2xl p-4">
-                                    <p className="text-xs font-bold text-slate-400 uppercase tracking-widest mb-1">Contrat PaaS</p>
-                                    <p className={`font-semibold ${billingOrg.contractSigned ? 'text-blue-600' : 'text-slate-500'}`}>
-                                        {billingOrg.contractSigned ? `Signé${billingOrg.contractSignerName ? ' par ' + billingOrg.contractSignerName : ''}` : 'En attente'}
-                                    </p>
+                                    <p className="text-xs font-bold text-slate-400 uppercase tracking-widest mb-1">Entreprise Meta</p>
+                                    <BusinessBadge ms={metaStatuses[billingOrg.id]} />
                                 </div>
                             </div>
                             {billingOrg.wabaId && (
@@ -449,6 +432,117 @@ export default function ClientsManagementView() {
     );
 }
 
+// ─── Meta status helpers ──────────────────────────────────────────────────────
+
+function dailyLimitLabel(ms?: MetaStatus): string {
+    if (!ms || ms.loading) return '…';
+    if (!ms.configured) return '—';
+    if (ms.wabaStatus === 'APPROVED') return '1 000+ conv.';
+    if (ms.wabaStatus === 'REJECTED' || ms.wabaStatus === 'BANNED') return '0 conv.';
+    return '250 conv.';
+}
+
+function WabaStatusBadge({ ms }: { ms?: MetaStatus }) {
+    if (!ms || ms.loading) return <span className="text-slate-400 text-xs animate-pulse">Vérification…</span>;
+    if (!ms.configured) return <span className="text-slate-400 font-medium text-xs">Non connecté</span>;
+    const map: Record<string, { label: string; cls: string }> = {
+        APPROVED: { label: 'Approuvé', cls: 'text-emerald-600' },
+        PENDING:  { label: 'En révision', cls: 'text-amber-600' },
+        REJECTED: { label: 'Rejeté', cls: 'text-red-600' },
+        BANNED:   { label: 'Suspendu', cls: 'text-red-600' },
+        UNKNOWN:  { label: 'Inconnu', cls: 'text-slate-500' },
+    };
+    const s = map[ms.wabaStatus ?? 'UNKNOWN'] ?? map.UNKNOWN;
+    return <span className={`font-semibold text-sm ${s.cls}`}>{s.label}</span>;
+}
+
+function BusinessBadge({ ms }: { ms?: MetaStatus }) {
+    if (!ms || ms.loading) return <span className="text-slate-400 text-xs animate-pulse">Vérification…</span>;
+    if (!ms.configured) return <span className="text-slate-400 font-medium text-xs">—</span>;
+    return ms.businessVerified
+        ? <span className="font-semibold text-sm text-emerald-600">Vérifiée</span>
+        : <span className="font-semibold text-sm text-amber-600">Non vérifiée</span>;
+}
+
+function MetaStatusCell({ ms, onRefresh, onGuide }: { ms?: MetaStatus; onRefresh: () => void; onGuide: () => void }) {
+    const isApproved = ms?.wabaStatus === 'APPROVED';
+    const isLoading  = !ms || ms.loading;
+    return (
+        <div className="flex items-center gap-3">
+            <div className={`p-2 rounded-lg ${isLoading ? 'bg-slate-50' : isApproved ? 'bg-emerald-50' : 'bg-amber-50'}`}>
+                {isLoading
+                    ? <ShieldCheck className="w-4 h-4 text-slate-300 animate-pulse" />
+                    : isApproved
+                        ? <CheckCircle2 className="w-4 h-4 text-emerald-500" />
+                        : <AlertTriangle className="w-4 h-4 text-amber-500" />}
+            </div>
+            <div className="min-w-0">
+                <div className="flex items-center gap-1.5">
+                    <p className="text-[10px] uppercase font-bold text-slate-400 tracking-wider">WABA</p>
+                    <button onClick={onRefresh} title="Rafraîchir" className="text-slate-300 hover:text-slate-500 transition">
+                        <RefreshCw className="w-3 h-3" />
+                    </button>
+                </div>
+                <div className="flex items-center gap-2 flex-wrap">
+                    <WabaStatusBadge ms={ms} />
+                    {ms && !isLoading && !isApproved && ms.configured && (
+                        <button onClick={onGuide} className="text-[10px] text-indigo-600 hover:underline font-bold whitespace-nowrap">
+                            Que faire ? →
+                        </button>
+                    )}
+                </div>
+                {ms?.error && <p className="text-[10px] text-red-400 truncate">{ms.error}</p>}
+            </div>
+        </div>
+    );
+}
+
+function BusinessVerificationCell({ ms }: { ms?: MetaStatus }) {
+    const isLoading = !ms || ms.loading;
+    return (
+        <div className="flex items-center gap-3">
+            <div className={`p-2 rounded-lg ${isLoading ? 'bg-slate-50' : ms?.businessVerified ? 'bg-emerald-50' : 'bg-amber-50'}`}>
+                {isLoading
+                    ? <ShieldCheck className="w-4 h-4 text-slate-300 animate-pulse" />
+                    : ms?.businessVerified
+                        ? <CheckCircle2 className="w-4 h-4 text-emerald-500" />
+                        : <XCircle className="w-4 h-4 text-amber-500" />}
+            </div>
+            <div>
+                <p className="text-[10px] uppercase font-bold text-slate-400 tracking-wider">Entreprise Meta</p>
+                <div className="flex items-center gap-2">
+                    <BusinessBadge ms={ms} />
+                    {ms && !isLoading && ms.configured && !ms.businessVerified && (
+                        <a
+                            href="https://business.facebook.com/settings/security"
+                            target="_blank" rel="noreferrer"
+                            className="text-[10px] text-indigo-600 hover:underline font-bold whitespace-nowrap"
+                        >
+                            Vérifier →
+                        </a>
+                    )}
+                </div>
+            </div>
+        </div>
+    );
+}
+
+function DailyLimitCell({ ms }: { ms?: MetaStatus }) {
+    return (
+        <div className="flex items-center gap-3">
+            <div className="p-2 bg-indigo-50 rounded-lg">
+                <MessageSquare className="w-4 h-4 text-indigo-500" />
+            </div>
+            <div>
+                <p className="text-[10px] uppercase font-bold text-slate-400 tracking-wider">Limite Quotidienne</p>
+                <p className="text-sm font-medium text-slate-700">{dailyLimitLabel(ms)}</p>
+            </div>
+        </div>
+    );
+}
+
+// ─── Personality Studio Modal ─────────────────────────────────────────────────
+
 function PersonalityStudioModal({ org, onClose, onSave }: PersonalityModalProps) {
     const [config, setConfig] = useState(org.personalityConfig || {
         botName: '',

apps/admin/src/pages/OnboardingWizard.tsx

@@ -1,29 +1,23 @@
 import { useState } from 'react';
 import { useNavigate } from 'react-router-dom';
-import { 
-  Smartphone, 
-  Bot, 
-  CheckCircle2, 
-  ArrowRight, 
+import {
+  Bot,
+  CheckCircle2,
+  ArrowRight,
   ArrowLeft,
   Globe,
-  Settings2,
   Rocket
 } from 'lucide-react';
 import { useAuth } from '../lib/auth';
 import { api } from '../lib/api';
-import { launchEmbeddedSignup } from '../lib/meta-signup';
-import { useToast } from '../hooks/useToast';
 
 const STEPS = [
   { id: 'welcome', title: 'Bienvenue', icon: <Rocket className="w-5 h-5" /> },
   { id: 'legal', title: 'Contrat', icon: <CheckCircle2 className="w-5 h-5" /> },
-  { id: 'whatsapp', title: 'WhatsApp', icon: <Smartphone className="w-5 h-5" /> },
   { id: 'ai', title: 'Cerveau IA', icon: <Bot className="w-5 h-5" /> }
 ];
 
 export default function OnboardingWizard() {
-  const toast = useToast();
   const [step, setStep] = useState(0);
   const [loading, setLoading] = useState(false);
   const { token } = useAuth();
@@ -36,9 +30,6 @@ export default function OnboardingWizard() {
     signerName: '',
     knowledgeBaseUrl: '',
     customPrompt: '',
-    systemUserToken: '',
-    wabaId: '',
-    phoneNumberId: ''
   });
 
   const next = () => setStep(s => Math.min(s + 1, STEPS.length - 1));
@@ -48,10 +39,10 @@ export default function OnboardingWizard() {
     setLoading(true);
     try {
       await api.post('/v1/organizations', {
-        ...form,
-        contractSigned: form.contractAccepted,
-        contractSignedAt: new Date().toISOString(),
-        contractSignerName: form.signerName
+        name: form.name,
+        mode: form.mode,
+        knowledgeBaseUrl: form.knowledgeBaseUrl,
+        customPrompt: form.customPrompt
       }, token);
       
       navigate('/clients');
@@ -148,49 +139,6 @@ export default function OnboardingWizard() {
           )}
 
           {step === 2 && (
-            <div className="space-y-6 animate-in fade-in slide-in-from-bottom-4 text-center py-8">
-              <div className="w-20 h-20 bg-indigo-600 rounded-full flex items-center justify-center mx-auto mb-6 text-white shadow-xl shadow-indigo-200">
-                <Smartphone className="w-10 h-10" />
-              </div>
-              <h2 className="text-2xl font-bold text-gray-900 mb-2">Connectez votre WhatsApp</h2>
-              <p className="text-gray-500 mb-8 max-w-sm mx-auto">Plus besoin de copier des codes compliqués. Connectez-vous simplement avec votre compte Facebook.</p>
-              
-              {form.systemUserToken ? (
-                <div className="bg-emerald-50 text-emerald-700 p-4 rounded-2xl flex items-center justify-center gap-3 animate-in zoom-in-95">
-                  <CheckCircle2 className="w-6 h-6" />
-                  <span className="font-bold">Compte Facebook connecté !</span>
-                </div>
-              ) : (
-                <button 
-                  className="bg-[#1877F2] hover:bg-[#166fe5] text-white px-10 py-4 rounded-2xl font-bold flex items-center gap-4 mx-auto transition-all shadow-lg shadow-blue-200 active:scale-95"
-                  onClick={async () => {
-                    try {
-                      const result = await launchEmbeddedSignup();
-                      setForm({
-                        ...form,
-                        systemUserToken: result.accessToken,
-                        wabaId: result.waba_id,
-                        phoneNumberId: result.phone_number_id
-                      });
-                    } catch (err: any) {
-                      toast.error(err.message);
-                    }
-                  }}
-                >
-                  <div className="bg-white p-1 rounded">
-                    <svg width="20" height="20" viewBox="0 0 24 24" fill="#1877F2"><path d="M24 12.073c0-6.627-5.373-12-12-12s-12 5.373-12 12c0 5.99 4.388 10.954 10.125 11.854v-8.385H7.078v-3.47h3.047V9.43c0-3.007 1.792-4.669 4.533-4.669 1.312 0 2.686.235 2.686.235v2.953H15.83c-1.491 0-1.956.925-1.956 1.874v2.25h3.328l-.532 3.47h-2.796v8.385C19.612 23.027 24 18.062 24 12.073z"/></svg>
-                  </div>
-                  Se connecter avec Facebook
-                </button>
-              )}
-              
-              <div className="mt-10 flex items-center justify-center gap-3 text-xs text-slate-400">
-                <Settings2 className="w-4 h-4" /> Entièrement sécurisé par Meta API
-              </div>
-            </div>
-          )}
-
-          {step === 3 && (
             <div className="space-y-6 animate-in fade-in slide-in-from-bottom-4">
               <h2 className="text-2xl font-bold text-gray-900 mb-2">Le Cerveau de votre IA</h2>
               <p className="text-gray-500 mb-8">L'endroit où votre assistant va puiser ses connaissances.</p>

apps/api/src/routes/organizations.ts

@@ -90,11 +90,38 @@ export async function organizationRoutes(fastify: FastifyInstance) {
 
         const { accessToken, phoneNumber, phoneNumberId, wabaId } = body.data;
 
+        // Exchange OAuth code for a long-lived token if needed.
+        // Meta Embedded Signup returns a short-lived OAuth code (not starting with EAA).
+        let realToken = accessToken;
+        if (!accessToken.startsWith('EAA')) {
+            const appId = process.env.META_APP_ID;
+            const appSecret = process.env.WHATSAPP_APP_SECRET;
+            if (!appId || !appSecret) {
+                return reply.code(500).send({ error: 'META_APP_ID and WHATSAPP_APP_SECRET must be configured to exchange OAuth code' });
+            }
+            // Step 1: code → short-lived user access token
+            const exchangeRes = await fetch(
+                `https://graph.facebook.com/oauth/access_token?client_id=${appId}&client_secret=${appSecret}&code=${accessToken}&redirect_uri=`
+            );
+            const exchangeData = await exchangeRes.json() as { access_token?: string; error?: { message: string } };
+            if (!exchangeData.access_token) {
+                logger.error({ detail: exchangeData.error?.message }, '[WHATSAPP-SETUP] OAuth code exchange failed');
+                return reply.code(400).send({ error: 'Failed to exchange OAuth code with Meta', detail: exchangeData.error?.message });
+            }
+            // Step 2: short-lived → long-lived token (60 days)
+            const longLivedRes = await fetch(
+                `https://graph.facebook.com/oauth/access_token?grant_type=fb_exchange_token&client_id=${appId}&client_secret=${appSecret}&fb_exchange_token=${exchangeData.access_token}`
+            );
+            const longLivedData = await longLivedRes.json() as { access_token?: string };
+            realToken = longLivedData.access_token || exchangeData.access_token;
+            logger.info({ organizationId: id }, '[WHATSAPP-SETUP] OAuth code exchanged for long-lived token');
+        }
+
         try {
             await prisma.$transaction(async (tx) => {
                 await tx.organization.update({
                     where: { id },
-                    data: encryptSecrets({ systemUserToken: accessToken, wabaId })
+                    data: encryptSecrets({ systemUserToken: realToken, wabaId })
                 });
 
                 if (phoneNumberId) {
@@ -249,4 +276,18 @@ export async function organizationRoutes(fastify: FastifyInstance) {
         const result = await CRMService.bulkImportJson(id, parsed.data.contacts, parsed.data.listName);
         return { ok: true, ...result };
     });
+
+    // Meta Business Status — cached 1 hour, live from Meta Graph API
+    fastify.get<P>('/:id/meta-status', async (req) => {
+        const { id } = req.params;
+        const { fetchMetaStatus } = await import('../services/organization');
+        return fetchMetaStatus(id);
+    });
+
+    // Force-refresh Meta status cache for an org
+    fastify.post<P>('/:id/meta-status/refresh', async (req) => {
+        const { id } = req.params;
+        const { fetchMetaStatus } = await import('../services/organization');
+        return fetchMetaStatus(id, true);
+    });
 }

apps/api/src/services/organization.ts

@@ -80,6 +80,72 @@ export function decryptSecrets(org: any) {
     return org;
 }
 
+// ─── Meta Business Status ────────────────────────────────────────────────────
+
+export interface MetaStatus {
+    configured: boolean;
+    wabaStatus?: 'APPROVED' | 'PENDING' | 'REJECTED' | 'BANNED' | 'UNKNOWN';
+    businessId?: string;
+    businessName?: string;
+    businessVerified?: boolean;
+    syncedAt: string;
+    error?: string;
+}
+
+export async function fetchMetaStatus(organizationId: string, forceRefresh = false): Promise<MetaStatus> {
+    const cacheKey = `meta:status:${organizationId}`;
+
+    if (!forceRefresh) {
+        try {
+            const cached = await redis.get(cacheKey);
+            if (cached) return JSON.parse(cached) as MetaStatus;
+        } catch (err) {
+            logger.error({ err }, '[META-STATUS] Redis get error');
+        }
+    }
+
+    const org = await prisma.organization.findUnique({ where: { id: organizationId } });
+    if (!org?.wabaId || !org?.systemUserToken) {
+        return { configured: false, syncedAt: new Date().toISOString() };
+    }
+
+    const decrypted = decryptSecrets({ ...org });
+
+    try {
+        const res = await fetch(
+            `https://graph.facebook.com/v19.0/${org.wabaId}?fields=account_review_status,business{id,name,verification_status}`,
+            { headers: { Authorization: `Bearer ${decrypted.systemUserToken}` } }
+        );
+        const data = await res.json() as any;
+
+        if (data.error) {
+            logger.warn({ err: data.error, organizationId }, '[META-STATUS] Meta API error');
+            const errResult: MetaStatus = { configured: true, wabaStatus: 'UNKNOWN', syncedAt: new Date().toISOString(), error: data.error.message };
+            await redis.set(cacheKey, JSON.stringify(errResult), 'EX', 300).catch(() => {});
+            return errResult;
+        }
+
+        const result: MetaStatus = {
+            configured: true,
+            wabaStatus: data.account_review_status ?? 'UNKNOWN',
+            businessId: data.business?.id,
+            businessName: data.business?.name,
+            businessVerified: data.business?.verification_status === 'verified',
+            syncedAt: new Date().toISOString()
+        };
+
+        await redis.set(cacheKey, JSON.stringify(result), 'EX', 3600).catch(err =>
+            logger.error({ err }, '[META-STATUS] Redis set error')
+        );
+        return result;
+    } catch (err) {
+        logger.error({ err, organizationId }, '[META-STATUS] Fetch failed');
+        return { configured: true, wabaStatus: 'UNKNOWN', syncedAt: new Date().toISOString(), error: 'Network error' };
+    }
+}
+
+// ─── Tenant Secrets ──────────────────────────────────────────────────────────
+
 /**
  * Retrieves all secrets for a tenant, decrypted.
  */

packages/shared-types/src/organization.ts

@@ -39,11 +39,6 @@ export const OrganizationSchema = z.object({
     knowledgeBaseUrl: z.string().url().optional().or(z.literal('')),
     systemUserToken: z.string().optional(),
     brandingData: z.any().optional(),
-    contractSigned: z.boolean().optional(),
-    contractSignedAt: z.string().optional(),
-    contractSignerName: z.string().optional(),
-    metaVerificationStatus: z.string().optional(),
-    dailyMessageLimit: z.number().optional()
 });
 
 export type Organization = z.infer<typeof OrganizationSchema>;