modules/storage: add image validation and WebP compression

- Add MIME type validation for uploads (jpeg, png, webp, avif, heic, gif, tiff, svg, bmp)
- Add folder path validation (allowlist)
- Add server-side WebP compression using sharp
- Preserve SVG and animated GIF as-is
- Update client hint text to show supported formats

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>

Author: aster-void

bun.lock

@@ -11,6 +11,7 @@
         "lucide-svelte": "^0.561.0",
         "marked": "^17.0.1",
         "minio": "^8.0.6",
+        "sharp": "^0.34.5",
         "valibot": "^1.2.0",
       },
       "devDependencies": {
@@ -77,6 +78,8 @@
 
     "@drizzle-team/brocli": ["@drizzle-team/[email protected]", "", {}, "sha512-z33Il7l5dKjUgGULTqBsQBQwckHh5AbIuxhdsIxDDiZAzBOrZO6q9ogcWC65kU382AfynTfgNumVcNIjuIua6w=="],
 
+    "@emnapi/runtime": ["@emnapi/[email protected]", "", { "dependencies": { "tslib": "^2.4.0" } }, "sha512-PVtJr5CmLwYAU9PZDMITZoR5iAOShYREoR45EyyLrbntV50mdePTgUn4AmOw90Ifcj+x2kRjdzr1HP3RrNiHGA=="],
+
     "@esbuild-kit/core-utils": ["@esbuild-kit/[email protected]", "", { "dependencies": { "esbuild": "~0.18.20", "source-map-support": "^0.5.21" } }, "sha512-sPRAnw9CdSsRmEtnsl2WXWdyquogVpB3yZ3dgwJfe8zrOzTsV7cJvmwrKVa+0ma5BoiGJ+BoqkMvawbayKUsqQ=="],
 
     "@esbuild-kit/esm-loader": ["@esbuild-kit/[email protected]", "", { "dependencies": { "@esbuild-kit/core-utils": "^3.3.2", "get-tsconfig": "^4.7.0" } }, "sha512-FxEMIkJKnodyA1OaCUoEvbYRkoZlLZ4d/eXFu9Fh8CbBBgP5EmZxrfTRyN0qpXZ4vOvqnE5YdRdcrmUUXuU+dA=="],
@@ -161,6 +164,56 @@
 
     "@humanwhocodes/retry": ["@humanwhocodes/[email protected]", "", {}, "sha512-bV0Tgo9K4hfPCek+aMAn81RppFKv2ySDQeMoSZuvTASywNTnVJCArCZE2FWqpvIatKu7VMRLWlR1EazvVhDyhQ=="],
 
+    "@img/colour": ["@img/[email protected]", "", {}, "sha512-A5P/LfWGFSl6nsckYtjw9da+19jB8hkJ6ACTGcDfEJ0aE+l2n2El7dsVM7UVHZQ9s2lmYMWlrS21YLy2IR1LUw=="],
+
+    "@img/sharp-darwin-arm64": ["@img/[email protected]", "", { "optionalDependencies": { "@img/sharp-libvips-darwin-arm64": "1.2.4" }, "os": "darwin", "cpu": "arm64" }, "sha512-imtQ3WMJXbMY4fxb/Ndp6HBTNVtWCUI0WdobyheGf5+ad6xX8VIDO8u2xE4qc/fr08CKG/7dDseFtn6M6g/r3w=="],
+
+    "@img/sharp-darwin-x64": ["@img/[email protected]", "", { "optionalDependencies": { "@img/sharp-libvips-darwin-x64": "1.2.4" }, "os": "darwin", "cpu": "x64" }, "sha512-YNEFAF/4KQ/PeW0N+r+aVVsoIY0/qxxikF2SWdp+NRkmMB7y9LBZAVqQ4yhGCm/H3H270OSykqmQMKLBhBJDEw=="],
+
+    "@img/sharp-libvips-darwin-arm64": ["@img/[email protected]", "", { "os": "darwin", "cpu": "arm64" }, "sha512-zqjjo7RatFfFoP0MkQ51jfuFZBnVE2pRiaydKJ1G/rHZvnsrHAOcQALIi9sA5co5xenQdTugCvtb1cuf78Vf4g=="],
+
+    "@img/sharp-libvips-darwin-x64": ["@img/[email protected]", "", { "os": "darwin", "cpu": "x64" }, "sha512-1IOd5xfVhlGwX+zXv2N93k0yMONvUlANylbJw1eTah8K/Jtpi15KC+WSiaX/nBmbm2HxRM1gZ0nSdjSsrZbGKg=="],
+
+    "@img/sharp-libvips-linux-arm": ["@img/[email protected]", "", { "os": "linux", "cpu": "arm" }, "sha512-bFI7xcKFELdiNCVov8e44Ia4u2byA+l3XtsAj+Q8tfCwO6BQ8iDojYdvoPMqsKDkuoOo+X6HZA0s0q11ANMQ8A=="],
+
+    "@img/sharp-libvips-linux-arm64": ["@img/[email protected]", "", { "os": "linux", "cpu": "arm64" }, "sha512-excjX8DfsIcJ10x1Kzr4RcWe1edC9PquDRRPx3YVCvQv+U5p7Yin2s32ftzikXojb1PIFc/9Mt28/y+iRklkrw=="],
+
+    "@img/sharp-libvips-linux-ppc64": ["@img/[email protected]", "", { "os": "linux", "cpu": "ppc64" }, "sha512-FMuvGijLDYG6lW+b/UvyilUWu5Ayu+3r2d1S8notiGCIyYU/76eig1UfMmkZ7vwgOrzKzlQbFSuQfgm7GYUPpA=="],
+
+    "@img/sharp-libvips-linux-riscv64": ["@img/[email protected]", "", { "os": "linux", "cpu": "none" }, "sha512-oVDbcR4zUC0ce82teubSm+x6ETixtKZBh/qbREIOcI3cULzDyb18Sr/Wcyx7NRQeQzOiHTNbZFF1UwPS2scyGA=="],
+
+    "@img/sharp-libvips-linux-s390x": ["@img/[email protected]", "", { "os": "linux", "cpu": "s390x" }, "sha512-qmp9VrzgPgMoGZyPvrQHqk02uyjA0/QrTO26Tqk6l4ZV0MPWIW6LTkqOIov+J1yEu7MbFQaDpwdwJKhbJvuRxQ=="],
+
+    "@img/sharp-libvips-linux-x64": ["@img/[email protected]", "", { "os": "linux", "cpu": "x64" }, "sha512-tJxiiLsmHc9Ax1bz3oaOYBURTXGIRDODBqhveVHonrHJ9/+k89qbLl0bcJns+e4t4rvaNBxaEZsFtSfAdquPrw=="],
+
+    "@img/sharp-libvips-linuxmusl-arm64": ["@img/[email protected]", "", { "os": "linux", "cpu": "arm64" }, "sha512-FVQHuwx1IIuNow9QAbYUzJ+En8KcVm9Lk5+uGUQJHaZmMECZmOlix9HnH7n1TRkXMS0pGxIJokIVB9SuqZGGXw=="],
+
+    "@img/sharp-libvips-linuxmusl-x64": ["@img/[email protected]", "", { "os": "linux", "cpu": "x64" }, "sha512-+LpyBk7L44ZIXwz/VYfglaX/okxezESc6UxDSoyo2Ks6Jxc4Y7sGjpgU9s4PMgqgjj1gZCylTieNamqA1MF7Dg=="],
+
+    "@img/sharp-linux-arm": ["@img/[email protected]", "", { "optionalDependencies": { "@img/sharp-libvips-linux-arm": "1.2.4" }, "os": "linux", "cpu": "arm" }, "sha512-9dLqsvwtg1uuXBGZKsxem9595+ujv0sJ6Vi8wcTANSFpwV/GONat5eCkzQo/1O6zRIkh0m/8+5BjrRr7jDUSZw=="],
+
+    "@img/sharp-linux-arm64": ["@img/[email protected]", "", { "optionalDependencies": { "@img/sharp-libvips-linux-arm64": "1.2.4" }, "os": "linux", "cpu": "arm64" }, "sha512-bKQzaJRY/bkPOXyKx5EVup7qkaojECG6NLYswgktOZjaXecSAeCWiZwwiFf3/Y+O1HrauiE3FVsGxFg8c24rZg=="],
+
+    "@img/sharp-linux-ppc64": ["@img/[email protected]", "", { "optionalDependencies": { "@img/sharp-libvips-linux-ppc64": "1.2.4" }, "os": "linux", "cpu": "ppc64" }, "sha512-7zznwNaqW6YtsfrGGDA6BRkISKAAE1Jo0QdpNYXNMHu2+0dTrPflTLNkpc8l7MUP5M16ZJcUvysVWWrMefZquA=="],
+
+    "@img/sharp-linux-riscv64": ["@img/[email protected]", "", { "optionalDependencies": { "@img/sharp-libvips-linux-riscv64": "1.2.4" }, "os": "linux", "cpu": "none" }, "sha512-51gJuLPTKa7piYPaVs8GmByo7/U7/7TZOq+cnXJIHZKavIRHAP77e3N2HEl3dgiqdD/w0yUfiJnII77PuDDFdw=="],
+
+    "@img/sharp-linux-s390x": ["@img/[email protected]", "", { "optionalDependencies": { "@img/sharp-libvips-linux-s390x": "1.2.4" }, "os": "linux", "cpu": "s390x" }, "sha512-nQtCk0PdKfho3eC5MrbQoigJ2gd1CgddUMkabUj+rBevs8tZ2cULOx46E7oyX+04WGfABgIwmMC0VqieTiR4jg=="],
+
+    "@img/sharp-linux-x64": ["@img/[email protected]", "", { "optionalDependencies": { "@img/sharp-libvips-linux-x64": "1.2.4" }, "os": "linux", "cpu": "x64" }, "sha512-MEzd8HPKxVxVenwAa+JRPwEC7QFjoPWuS5NZnBt6B3pu7EG2Ge0id1oLHZpPJdn3OQK+BQDiw9zStiHBTJQQQQ=="],
+
+    "@img/sharp-linuxmusl-arm64": ["@img/[email protected]", "", { "optionalDependencies": { "@img/sharp-libvips-linuxmusl-arm64": "1.2.4" }, "os": "linux", "cpu": "arm64" }, "sha512-fprJR6GtRsMt6Kyfq44IsChVZeGN97gTD331weR1ex1c1rypDEABN6Tm2xa1wE6lYb5DdEnk03NZPqA7Id21yg=="],
+
+    "@img/sharp-linuxmusl-x64": ["@img/[email protected]", "", { "optionalDependencies": { "@img/sharp-libvips-linuxmusl-x64": "1.2.4" }, "os": "linux", "cpu": "x64" }, "sha512-Jg8wNT1MUzIvhBFxViqrEhWDGzqymo3sV7z7ZsaWbZNDLXRJZoRGrjulp60YYtV4wfY8VIKcWidjojlLcWrd8Q=="],
+
+    "@img/sharp-wasm32": ["@img/[email protected]", "", { "dependencies": { "@emnapi/runtime": "^1.7.0" }, "cpu": "none" }, "sha512-OdWTEiVkY2PHwqkbBI8frFxQQFekHaSSkUIJkwzclWZe64O1X4UlUjqqqLaPbUpMOQk6FBu/HtlGXNblIs0huw=="],
+
+    "@img/sharp-win32-arm64": ["@img/[email protected]", "", { "os": "win32", "cpu": "arm64" }, "sha512-WQ3AgWCWYSb2yt+IG8mnC6Jdk9Whs7O0gxphblsLvdhSpSTtmu69ZG1Gkb6NuvxsNACwiPV6cNSZNzt0KPsw7g=="],
+
+    "@img/sharp-win32-ia32": ["@img/[email protected]", "", { "os": "win32", "cpu": "ia32" }, "sha512-FV9m/7NmeCmSHDD5j4+4pNI8Cp3aW+JvLoXcTUo0IqyjSfAZJ8dIUmijx1qaJsIiU+Hosw6xM5KijAWRJCSgNg=="],
+
+    "@img/sharp-win32-x64": ["@img/[email protected]", "", { "os": "win32", "cpu": "x64" }, "sha512-+29YMsqY2/9eFEiW93eqWnuLcWcufowXewwSNIT6UwZdUUCrM3oFjMWH/Z6/TMmb4hlFenmfAVbpWeup2jryCw=="],
+
     "@jridgewell/gen-mapping": ["@jridgewell/[email protected]", "", { "dependencies": { "@jridgewell/sourcemap-codec": "^1.5.0", "@jridgewell/trace-mapping": "^0.3.24" } }, "sha512-2kkt/7niJ6MgEPxF0bYdQ6etZaA+fQvDcLKckhy1yIQOzaoKjBBjSj63/aLVjYE3qhRt5dvM+uUyfCg6UKCBbA=="],
 
     "@jridgewell/remapping": ["@jridgewell/[email protected]", "", { "dependencies": { "@jridgewell/gen-mapping": "^0.3.5", "@jridgewell/trace-mapping": "^0.3.24" } }, "sha512-LI9u/+laYG4Ds1TDKSJW2YPrIlcVYOwi2fUC6xB43lueCjgxV4lffOCZCtYFiH6TNOX+tQKXx97T4IKHbhyHEQ=="],
@@ -769,6 +822,8 @@
 
     "set-function-length": ["[email protected]", "", { "dependencies": { "define-data-property": "^1.1.4", "es-errors": "^1.3.0", "function-bind": "^1.1.2", "get-intrinsic": "^1.2.4", "gopd": "^1.0.1", "has-property-descriptors": "^1.0.2" } }, "sha512-pgRc4hJ4/sNjWCSS9AmnS40x3bNMDTknHgL5UaMBTMyJnU90EgWh1Rz+MC9eFu4BuN/UwZjKQuY/1v3rM7HMfg=="],
 
+    "sharp": ["[email protected]", "", { "dependencies": { "@img/colour": "^1.0.0", "detect-libc": "^2.1.2", "semver": "^7.7.3" }, "optionalDependencies": { "@img/sharp-darwin-arm64": "0.34.5", "@img/sharp-darwin-x64": "0.34.5", "@img/sharp-libvips-darwin-arm64": "1.2.4", "@img/sharp-libvips-darwin-x64": "1.2.4", "@img/sharp-libvips-linux-arm": "1.2.4", "@img/sharp-libvips-linux-arm64": "1.2.4", "@img/sharp-libvips-linux-ppc64": "1.2.4", "@img/sharp-libvips-linux-riscv64": "1.2.4", "@img/sharp-libvips-linux-s390x": "1.2.4", "@img/sharp-libvips-linux-x64": "1.2.4", "@img/sharp-libvips-linuxmusl-arm64": "1.2.4", "@img/sharp-libvips-linuxmusl-x64": "1.2.4", "@img/sharp-linux-arm": "0.34.5", "@img/sharp-linux-arm64": "0.34.5", "@img/sharp-linux-ppc64": "0.34.5", "@img/sharp-linux-riscv64": "0.34.5", "@img/sharp-linux-s390x": "0.34.5", "@img/sharp-linux-x64": "0.34.5", "@img/sharp-linuxmusl-arm64": "0.34.5", "@img/sharp-linuxmusl-x64": "0.34.5", "@img/sharp-wasm32": "0.34.5", "@img/sharp-win32-arm64": "0.34.5", "@img/sharp-win32-ia32": "0.34.5", "@img/sharp-win32-x64": "0.34.5" } }, "sha512-Ou9I5Ft9WNcCbXrU9cMgPBcCK8LiwLqcbywW3t4oDV37n1pzpuNLsYiAV8eODnjbtQlSDwZ2cUEeQz4E54Hltg=="],
+
     "shebang-command": ["[email protected]", "", { "dependencies": { "shebang-regex": "^3.0.0" } }, "sha512-kHxr2zZpYtdmrN1qDjrrX/Z1rR1kG8Dx+gkpK1G4eXmvXswmcE1hTWBWYUzlraYw1/yZp6YuDY77YtvbN0dmDA=="],
 
     "shebang-regex": ["[email protected]", "", {}, "sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A=="],
@@ -827,6 +882,8 @@
 
     "ts-api-utils": ["[email protected]", "", { "peerDependencies": { "typescript": ">=4.8.4" } }, "sha512-CUgTZL1irw8u29bzrOD/nH85jqyc74D6SshFgujOIA7osm2Rz7dYH77agkx7H4FBNxDq7Cjf+IjaX/8zwFW+ZQ=="],
 
+    "tslib": ["[email protected]", "", {}, "sha512-oJFu94HQb+KVduSUQL7wnpmqnfmLsOA/nAh6b6EH0wCEoK0/mPeXU6c3wKDV83MkOuHPRHtSXKKU99IBazS/2w=="],
+
     "type-check": ["[email protected]", "", { "dependencies": { "prelude-ls": "^1.2.1" } }, "sha512-XleUoc9uwGXqjWwXaUTZAmzMcFZ5858QA2vvx1Ur5xIcixXIP+8LnFDgRplU30us6teqdlskFfu+ae4K79Ooew=="],
 
     "typescript": ["[email protected]", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw=="],

package.json

@@ -63,6 +63,7 @@
     "lucide-svelte": "^0.561.0",
     "marked": "^17.0.1",
     "minio": "^8.0.6",
+    "sharp": "^0.34.5",
     "valibot": "^1.2.0"
   }
 }

src/lib/components/image-upload.svelte

@@ -1,17 +1,22 @@
 <script lang="ts">
   import { upload } from "$lib/data/private/storage.remote";
   import { Loader2, Upload, AlertCircle, X } from "lucide-svelte";
+  import {
+    isAcceptedImageType,
+    isAllowedFolder,
+    type AllowedFolder,
+  } from "$lib/shared/logic/image";
 
   const MAX_FILE_SIZE = 10 * 1024 * 1024; // 10MB
 
   let {
     value = $bindable(""),
-    folder = "images",
+    folder = "images" as AllowedFolder,
     label = "Image",
     aspect = "5/3",
   }: {
     value?: string;
-    folder?: string;
+    folder?: AllowedFolder;
     label?: string;
     aspect?: "5/3" | "1/1" | "16/9" | "4/3";
   } = $props();
@@ -93,8 +98,14 @@
     error = null;
 
     // Validate file type
-    if (!file.type.startsWith("image/")) {
-      error = "Please select an image file";
+    if (!isAcceptedImageType(file.type)) {
+      error = "Unsupported image format";
+      return;
+    }
+
+    // Validate folder
+    if (!isAllowedFolder(folder)) {
+      error = "Invalid upload folder";
       return;
     }
 
@@ -120,9 +131,13 @@
     try {
       const arrayBuffer = await processedFile.arrayBuffer();
       const base64 = arrayBufferToBase64(arrayBuffer);
+      // Use the validated original type - server will re-compress to WebP anyway
+      const uploadType = isAcceptedImageType(processedFile.type)
+        ? processedFile.type
+        : file.type;
       const result = await upload({
         data: base64,
-        type: processedFile.type,
+        type: uploadType,
         name: processedFile.name,
         folder,
       });
@@ -265,7 +280,7 @@
             Drop, click, or paste (Ctrl+V)
           {/if}
         </span>
-        <span class="mt-1 text-xs text-zinc-400">PNG, JPG, GIF up to 10MB</span>
+        <span class="mt-1 text-xs text-zinc-400">JPG, PNG, WebP, AVIF, HEIC up to 10MB</span>
       {/if}
       <input
         type="file"

src/lib/data/private/storage.remote.ts

@@ -2,20 +2,46 @@ import { command } from "$app/server";
 import * as v from "valibot";
 import { requireUtCodeMember } from "$lib/server/database/auth.server";
 import { uploadBuffer, deleteFile } from "$lib/server/database/storage.server";
+import { compressImage } from "$lib/server/database/image.server";
 import { S3KeySchema } from "$lib/shared/logic/storage";
+import { ACCEPTED_IMAGE_TYPES, ALLOWED_FOLDERS } from "$lib/shared/logic/image";
+
+/** Allowed folder paths for uploads */
+const FolderSchema = v.optional(v.picklist([...ALLOWED_FOLDERS]));
+
+/** Max file size: 10MB (base64 encoded ~13.7MB) */
+const MAX_BASE64_SIZE = Math.ceil(10 * 1024 * 1024 * 1.37);
+
+const UploadSchema = v.object({
+  data: v.pipe(
+    v.string(),
+    v.maxLength(MAX_BASE64_SIZE, "File too large (max 10MB)"),
+  ),
+  type: v.picklist([...ACCEPTED_IMAGE_TYPES], "Unsupported image format"),
+  name: v.pipe(v.string(), v.maxLength(255)),
+  folder: FolderSchema,
+});
 
 export const upload = command(
-  v.object({
-    data: v.string(), // base64
-    type: v.string(), // mime type
-    name: v.string(), // file name
-    folder: v.optional(v.string()),
-  }),
+  UploadSchema,
   async ({ data, type, name, folder }) => {
     await requireUtCodeMember();
+
     const path = folder ?? "uploads";
-    const buffer = Buffer.from(data, "base64");
-    return await uploadBuffer(buffer, type, name, path);
+    const inputBuffer = Buffer.from(data, "base64");
+
+    // Compress and convert to WebP
+    const {
+      buffer,
+      type: outputType,
+      extension,
+    } = await compressImage(inputBuffer, type);
+
+    // Replace original extension with output extension
+    const baseName = name.replace(/\.[^.]+$/, "");
+    const outputName = `${baseName}.${extension}`;
+
+    return await uploadBuffer(buffer, outputType, outputName, path);
   },
 );
 

src/lib/server/database/image.server.ts

@@ -0,0 +1,81 @@
+import sharp from "sharp";
+
+// Re-export shared types
+export {
+  ACCEPTED_IMAGE_TYPES,
+  isAcceptedImageType,
+  type AcceptedImageType,
+} from "$lib/shared/logic/image";
+
+/**
+ * Image compression options
+ */
+interface CompressOptions {
+  /** Max width/height in pixels (default: 1920) */
+  maxSize?: number;
+  /** WebP quality 1-100 (default: 85) */
+  quality?: number;
+}
+
+/**
+ * Compress an image buffer to WebP format
+ * - Resizes if larger than maxSize
+ * - Converts to WebP for optimal compression
+ * - Preserves aspect ratio
+ * - Handles animated GIFs by keeping them as-is
+ *
+ * @returns Compressed buffer and the output MIME type
+ */
+export async function compressImage(
+  buffer: Buffer,
+  inputType: string,
+  options: CompressOptions = {},
+): Promise<{ buffer: Buffer; type: string; extension: string }> {
+  const { maxSize = 1920, quality = 85 } = options;
+
+  // Pass through SVG as-is (vector format, no compression needed)
+  if (inputType === "image/svg+xml") {
+    return { buffer, type: "image/svg+xml", extension: "svg" };
+  }
+
+  // Check if it's an animated GIF
+  if (inputType === "image/gif") {
+    const metadata = await sharp(buffer).metadata();
+    if (metadata.pages && metadata.pages > 1) {
+      // Animated GIF - pass through as-is
+      return { buffer, type: "image/gif", extension: "gif" };
+    }
+  }
+
+  // Process with sharp
+  let image = sharp(buffer, {
+    // Enable HEIF/HEIC support
+    failOnError: false,
+  });
+
+  const metadata = await image.metadata();
+
+  // Resize if needed (preserve aspect ratio)
+  if (metadata.width && metadata.height) {
+    if (metadata.width > maxSize || metadata.height > maxSize) {
+      image = image.resize(maxSize, maxSize, {
+        fit: "inside",
+        withoutEnlargement: true,
+      });
+    }
+  }
+
+  // Convert to WebP
+  const outputBuffer = await image
+    .webp({
+      quality,
+      effort: 4, // Balance between speed and compression (0-6)
+    })
+    .toBuffer();
+
+  return {
+    buffer: outputBuffer,
+    type: "image/webp",
+    extension: "webp",
+  };
+}

src/lib/shared/logic/image.ts

@@ -0,0 +1,47 @@
+/**
+ * Accepted image MIME types for upload
+ * Shared between client and server
+ */
+export const ACCEPTED_IMAGE_TYPES = [
+  "image/jpeg",
+  "image/png",
+  "image/webp",
+  "image/avif",
+  "image/heic",
+  "image/heif",
+  "image/gif",
+  "image/tiff",
+  "image/svg+xml",
+  "image/bmp",
+] as const;
+
+export type AcceptedImageType = (typeof ACCEPTED_IMAGE_TYPES)[number];
+
+/**
+ * Check if a MIME type is an accepted image type
+ */
+export function isAcceptedImageType(type: string): type is AcceptedImageType {
+  return (ACCEPTED_IMAGE_TYPES as readonly string[]).includes(type);
+}
+
+/**
+ * Allowed folder paths for uploads
+ */
+export const ALLOWED_FOLDERS = [
+  "images",
+  "uploads",
+  "covers",
+  "avatars",
+  "articles",
+  "members",
+  "projects",
+] as const;
+
+export type AllowedFolder = (typeof ALLOWED_FOLDERS)[number];
+
+/**
+ * Check if a folder is allowed
+ */
+export function isAllowedFolder(folder: string): folder is AllowedFolder {
+  return (ALLOWED_FOLDERS as readonly string[]).includes(folder);
+}