feat: file drag-and-drop, multi-type uploads, attachment icons; tests; v1.5.9

- Chat: full-page drag-and-drop zone for files; accept images, PDF, Excel, Word, text, CSV, JSON
- Chat: non-image files uploaded via POST /api/uploads, sent as attachmentFilenames with message
- Chat: attachment chips use FileIcon (reuse file-extension-icons), aligned remove button
- API: uploads allowlist (images, audio, documents); blocklist (executables/scripts); saveFileFromBuffer
- API: orchestrator accepts attachmentFilenames, injects file paths into model context
- Unit tests: uploads-handler (validateUploadMimetype, extFromMimetype, processUploadFile), uploads.service saveFileFromBuffer
- Docs: API.md updated for POST /uploads and send_chat_message attachmentFilenames
- Version: 1.5.8 → 1.5.9

Author: vyakymenko

apps/api/src/app/orchestrator/orchestrator.service.ts

@@ -96,6 +96,7 @@ export class OrchestratorService implements OnModuleInit {
     images?: string[];
     audio?: string;
     audioFilename?: string;
+    attachmentFilenames?: string[];
     story?: Array<{ id: string; type: string; message: string; timestamp: string; details?: string }>;
   }): Promise<void> {
     const action = msg.action;
@@ -120,7 +121,13 @@ export class OrchestratorService implements OnModuleInit {
         this.handleLogout();
         break;
       case WS_ACTION.SEND_CHAT_MESSAGE:
-        await this.handleChatMessage(msg.text ?? '', msg.images, msg.audio, msg.audioFilename);
+        await this.handleChatMessage(
+          msg.text ?? '',
+          msg.images,
+          msg.audio,
+          msg.audioFilename,
+          msg.attachmentFilenames
+        );
         break;
       case WS_ACTION.SUBMIT_STORY:
         this.handleSubmitStory(msg.story ?? []);
@@ -207,7 +214,13 @@ export class OrchestratorService implements OnModuleInit {
     this.strategy.executeLogout(connection);
   }
 
-  private async handleChatMessage(text: string, images?: string[], audio?: string, audioFilenameFromClient?: string): Promise<void> {
+  private async handleChatMessage(
+    text: string,
+    images?: string[],
+    audio?: string,
+    audioFilenameFromClient?: string,
+    attachmentFilenames?: string[]
+  ): Promise<void> {
     if (!this.isAuthenticated) {
       this._send(WS_EVENT.ERROR, { message: ERROR_CODE.NEED_AUTH });
       return;
@@ -266,6 +279,17 @@ export class OrchestratorService implements OnModuleInit {
       voiceContext = path ? `\n\nThe user attached a voice recording. File path: ${path}\n\n` : '';
     }
 
+    let attachmentContext = '';
+    if (attachmentFilenames?.length) {
+      const paths = attachmentFilenames
+        .map((f) => this.uploadsService.getPath(f))
+        .filter((p): p is string => p !== null);
+      attachmentContext =
+        paths.length > 0
+          ? `\n\nThe user attached ${paths.length} file(s). Full paths (for reference):\n${paths.map((p) => `- ${p}`).join('\n')}\n\n`
+          : '';
+    }
+
     const atPathRegex = /@([^\s@]+)/g;
     const atPaths = [...new Set((text.match(atPathRegex) ?? []).map((m) => m.slice(1)))];
     let fileContext = '';
@@ -291,7 +315,7 @@ export class OrchestratorService implements OnModuleInit {
       }
     }
 
-    const fullPrompt = `${fileContext}${imageContext}${voiceContext}\n${text}`.trim();
+    const fullPrompt = `${fileContext}${imageContext}${voiceContext}${attachmentContext}\n${text}`.trim();
     const model = this.modelStore.get();
 
     const syntheticStepId = 'generating-response';

apps/api/src/app/uploads/uploads-handler.test.ts

@@ -3,19 +3,47 @@ import { BadRequestException } from '@nestjs/common';
 import {
   processUploadFile,
   validateUploadMimetype,
+  extFromMimetype,
   type MultipartFileResult,
 } from './uploads-handler';
 
 describe('validateUploadMimetype', () => {
-  test('throws for non-audio mimetype', () => {
-    expect(() => validateUploadMimetype('image/png')).toThrow(BadRequestException);
+  test('allows image mimetypes', () => {
+    expect(() => validateUploadMimetype('image/png')).not.toThrow();
+    expect(() => validateUploadMimetype('image/jpeg')).not.toThrow();
   });
 
-  test('allows audio/* mimetypes', () => {
+  test('allows audio mimetypes', () => {
     expect(() => validateUploadMimetype('audio/webm')).not.toThrow();
     expect(() => validateUploadMimetype('audio/ogg')).not.toThrow();
     expect(() => validateUploadMimetype('audio/custom')).not.toThrow();
   });
+
+  test('allows document mimetypes', () => {
+    expect(() => validateUploadMimetype('application/pdf')).not.toThrow();
+    expect(() => validateUploadMimetype('text/plain')).not.toThrow();
+    expect(() => validateUploadMimetype('text/csv')).not.toThrow();
+    expect(() =>
+      validateUploadMimetype('application/vnd.openxmlformats-officedocument.spreadsheetml.sheet')
+    ).not.toThrow();
+  });
+
+  test('throws for blocked mimetype', () => {
+    expect(() => validateUploadMimetype('application/x-msdownload')).toThrow(BadRequestException);
+  });
+
+  test('throws for unknown mimetype', () => {
+    expect(() => validateUploadMimetype('application/x-foo-bar')).toThrow(BadRequestException);
+  });
+});
+
+describe('extFromMimetype', () => {
+  test('returns correct ext for known types', () => {
+    expect(extFromMimetype('application/pdf')).toBe('pdf');
+    expect(extFromMimetype('text/plain')).toBe('txt');
+    expect(extFromMimetype('image/jpeg')).toBe('jpg');
+    expect(extFromMimetype('image/png')).toBe('png');
+  });
 });
 
 describe('processUploadFile', () => {
@@ -25,14 +53,14 @@ describe('processUploadFile', () => {
     );
   });
 
-  test('throws when mimetype not audio', async () => {
+  test('throws when mimetype blocked', async () => {
     const fileResult: MultipartFileResult = {
-      mimetype: 'image/png',
+      mimetype: 'application/x-msdownload',
       toBuffer: async () => Buffer.from(''),
     };
-    await expect(processUploadFile(fileResult, () => 'x.webm')).rejects.toThrow(
-      BadRequestException
-    );
+    await expect(
+      processUploadFile(fileResult, () => 'x.webm')
+    ).rejects.toThrow(BadRequestException);
   });
 
   test('returns filename for valid audio', async () => {
@@ -43,4 +71,13 @@ describe('processUploadFile', () => {
     const result = await processUploadFile(fileResult, () => 'saved.webm');
     expect(result).toEqual({ filename: 'saved.webm' });
   });
+
+  test('returns filename for valid image', async () => {
+    const fileResult: MultipartFileResult = {
+      mimetype: 'image/png',
+      toBuffer: async () => Buffer.from(''),
+    };
+    const result = await processUploadFile(fileResult, () => 'saved.png');
+    expect(result).toEqual({ filename: 'saved.png' });
+  });
 });

apps/api/src/app/uploads/uploads-handler.ts

@@ -8,22 +8,95 @@ const AUDIO_MIMES = new Set([
   'audio/ogg;codecs=opus',
 ]);
 
+const ALLOWED_MIME_PREFIXES = new Set([
+  'image/',
+  'audio/',
+  'text/',
+  'application/pdf',
+  'application/json',
+  'application/vnd.ms-excel',
+  'application/vnd.openxmlformats-officedocument.spreadsheetml.',
+  'application/msword',
+  'application/vnd.openxmlformats-officedocument.wordprocessingml.',
+  'application/rtf',
+]);
+
+const BLOCKED_MIME_SUBSTRINGS = [
+  'application/x-msdownload',
+  'application/x-msi',
+  'application/x-executable',
+  'application/x-sh',
+  'application/x-shellscript',
+  'application/javascript',
+  'text/javascript',
+  'application/x-bat',
+  'application/x-csh',
+  'application/vnd.microsoft.portable-executable',
+];
+
+const MIME_TO_EXT: Record<string, string> = {
+  'audio/webm': 'webm',
+  'audio/ogg': 'ogg',
+  'audio/mp4': 'm4a',
+  'application/pdf': 'pdf',
+  'application/json': 'json',
+  'text/plain': 'txt',
+  'text/csv': 'csv',
+  'text/markdown': 'md',
+  'text/html': 'html',
+  'application/rtf': 'rtf',
+  'application/msword': 'doc',
+  'application/vnd.openxmlformats-officedocument.wordprocessingml.document': 'docx',
+  'application/vnd.ms-excel': 'xls',
+  'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet': 'xlsx',
+};
+
 export type MultipartFileResult = { mimetype: string; toBuffer: () => Promise<Buffer> } | undefined;
 
+function isAllowedMimetype(mimetype: string): boolean {
+  const normalized = mimetype.split(';')[0].trim().toLowerCase();
+  if (BLOCKED_MIME_SUBSTRINGS.some((s) => normalized.includes(s))) return false;
+  if (AUDIO_MIMES.has(mimetype) || normalized.startsWith('audio/')) return true;
+  if (normalized.startsWith('image/')) return true;
+  if (normalized.startsWith('text/')) return true;
+  for (const prefix of ALLOWED_MIME_PREFIXES) {
+    if (prefix.endsWith('.') && normalized.startsWith(prefix)) return true;
+    if (normalized === prefix || normalized.startsWith(prefix)) return true;
+  }
+  return false;
+}
+
 export function validateUploadMimetype(mimetype: string): void {
-  if (!AUDIO_MIMES.has(mimetype) && !mimetype.startsWith('audio/')) {
-    throw new BadRequestException('Unsupported file type');
+  if (!mimetype || !isAllowedMimetype(mimetype)) {
+    throw new BadRequestException('Unsupported or blocked file type');
+  }
+}
+
+export function extFromMimetype(mimetype: string): string {
+  const normalized = mimetype.split(';')[0].trim().toLowerCase();
+  const exact = MIME_TO_EXT[normalized];
+  if (exact) return exact;
+  if (normalized.startsWith('image/')) {
+    const sub = normalized.replace('image/', '');
+    return sub === 'jpeg' ? 'jpg' : sub;
+  }
+  if (normalized.startsWith('audio/')) {
+    if (normalized.includes('webm')) return 'webm';
+    if (normalized.includes('ogg')) return 'ogg';
+    if (normalized.includes('mp4')) return 'm4a';
+    return 'webm';
   }
+  return 'bin';
 }
 
 export async function processUploadFile(
   fileResult: MultipartFileResult,
-  saveAudioFromBuffer: (buffer: Buffer, mimetype: string) => string | Promise<string>
+  saveFromBuffer: (buffer: Buffer, mimetype: string) => string | Promise<string>
 ): Promise<{ filename: string }> {
   if (!fileResult) throw new BadRequestException('No file uploaded');
-  const mimetype = fileResult.mimetype ?? 'audio/webm';
+  const mimetype = fileResult.mimetype ?? 'application/octet-stream';
   validateUploadMimetype(mimetype);
   const buffer = await fileResult.toBuffer();
-  const filename = await saveAudioFromBuffer(buffer, mimetype);
+  const filename = await saveFromBuffer(buffer, mimetype);
   return { filename };
 }

apps/api/src/app/uploads/uploads.controller.ts

@@ -24,7 +24,7 @@ export class UploadsController {
   async uploadFile(@Req() req: FastifyRequest): Promise<{ filename: string }> {
     const data = await (req as { file: () => Promise<MultipartFileResult> }).file();
     return processUploadFile(data, (buffer, mimetype) =>
-      this.uploads.saveAudioFromBuffer(buffer, mimetype)
+      this.uploads.saveFileFromBuffer(buffer, mimetype)
     );
   }
 }

apps/api/src/app/uploads/uploads.service.test.ts

@@ -88,4 +88,18 @@ describe('UploadsService', () => {
     const filename = await service.saveAudioFromBuffer(Buffer.from('x'), 'audio/webm');
     expect(service.getPath(filename)).toBe(join(subDir, 'uploads', filename));
   });
+
+  test('saveFileFromBuffer creates file with correct extension for PDF', async () => {
+    const service = new UploadsService(config as never);
+    const buf = Buffer.from('pdf content');
+    const filename = await service.saveFileFromBuffer(buf, 'application/pdf');
+    expect(filename).toMatch(/\.pdf$/);
+    expect(readFileSync(service.getPath(filename)!)).toEqual(buf);
+  });
+
+  test('saveFileFromBuffer uses correct extension for spreadsheet and text', async () => {
+    const service = new UploadsService(config as never);
+    expect(await service.saveFileFromBuffer(Buffer.from(''), 'text/csv')).toMatch(/\.csv$/);
+    expect(await service.saveFileFromBuffer(Buffer.from(''), 'text/plain')).toMatch(/\.txt$/);
+  });
 });

apps/api/src/app/uploads/uploads.service.ts

@@ -4,6 +4,7 @@ import { writeFile } from 'node:fs/promises';
 import { join } from 'node:path';
 import { randomUUID } from 'node:crypto';
 import { ConfigService } from '../config/config.service';
+import { extFromMimetype } from './uploads-handler';
 
 const DATA_URL_REGEX = /^data:([^;]+);base64,(.+)$/;
 
@@ -49,6 +50,12 @@ export class UploadsService {
     return this.writeFile(ext, buffer);
   }
 
+  async saveFileFromBuffer(buffer: Buffer, mimetype: string): Promise<string> {
+    this.ensureUploadsDir();
+    const ext = extFromMimetype(mimetype);
+    return this.writeFile(ext, buffer);
+  }
+
   getPath(filename: string): string | null {
     if (!this.isSafeFilename(filename)) return null;
     const path = join(this.getUploadsDir(), filename);

apps/api/src/main.ts

@@ -119,6 +119,7 @@ async function bootstrap() {
           images?: string[];
           audio?: string;
           audioFilename?: string;
+          attachmentFilenames?: string[];
         };
         void orchestrator.handleClientMessage(msg);
       } catch {