Skip to content

feat(platform): Add file upload to copilot chat [SECRT-1788]#12220

Merged
ntindle merged 17 commits intodevfrom
ntindle/file-upload
Mar 3, 2026
Merged

feat(platform): Add file upload to copilot chat [SECRT-1788]#12220
ntindle merged 17 commits intodevfrom
ntindle/file-upload

Conversation

@ntindle
Copy link
Member

@ntindle ntindle commented Feb 27, 2026
edited by cursor bot
Loading

Summary

  • Add file attachment support to copilot chat (documents, images, spreadsheets, video, audio)
  • Show upload progress with spinner overlays on file chips during upload
  • Display attached files as styled pills in sent user messages using AI SDK's native FileUIPart
  • Backend upload endpoint with virus scanning (ClamAV), per-file size limits, and per-user storage caps
  • Enrich chat stream with file metadata so the LLM can access files via read_workspace_file

Resolves: SECRT-1788

Backend

File Change
chat/routes.py Accept file_ids in stream request, enrich user message with file metadata
workspace/routes.py New POST /files/upload and GET /storage/usage endpoints
executor/utils.py Thread file_ids through CoPilotExecutionEntry and RabbitMQ
settings.py Add max_file_size_mb and max_workspace_storage_mb config

Frontend

File Change
AttachmentMenu.tsx New β€” + button with popover for file category selection
FileChips.tsx New β€” file preview chips with upload spinner state
MessageAttachments.tsx New β€” paperclip pills rendering FileUIPart in chat bubbles
upload/route.ts New β€” Next.js API proxy for multipart uploads to backend
ChatInput.tsx Integrate attachment menu, file chips, upload progress
useCopilotPage.ts Upload flow, FileUIPart construction, transport file_ids extraction
ChatMessagesContainer.tsx Render file parts as MessageAttachments
ChatContainer.tsx / EmptySession.tsx Thread isUploadingFiles prop
useChatInput.ts canSendEmpty option for file-only sends
stream/route.ts Forward file_ids to backend

Test plan

  • Attach files via + button β†’ file chips appear with X buttons
  • Remove a chip β†’ file is removed from the list
  • Send message with files β†’ chips show upload spinners β†’ message appears with file attachment pills
  • Upload failure β†’ toast error, chips revert to editable (no phantom message sent)
  • New session (empty form): same upload flow works
  • Messages without files render normally
  • Network tab: file_ids present in stream POST body

πŸ€– Generated with Claude Code

Note

Medium Risk
Adds authenticated file upload/storage-quota enforcement and threads file_ids through the chat streaming path, which affects data handling and storage behavior. Risk is mitigated by UUID/workspace scoping, size limits, and virus scanning but still touches security- and reliability-sensitive upload flows.

Overview
Copilot chat now supports attaching files: the frontend adds drag-and-drop and an attach button, shows selected files as removable chips with an upload-in-progress state, and renders sent attachments using AI SDK FileUIPart with download links.

On send, files are uploaded to the backend (with client-side limits and failure handling) and the chat stream request includes file_ids; the backend sanitizes/filters IDs, scopes them to the user’s workspace, appends an [Attached files] metadata block to the user message for the LLM, and forwards the sanitized IDs through enqueue_copilot_turn.

The backend adds POST /workspace/files/upload (filename sanitization, per-file size limit, ClamAV scan, and per-user storage quota with post-write rollback) plus GET /workspace/storage/usage, introduces max_workspace_storage_mb config, optimizes workspace size calculation, and fixes executor cleanup to avoid un-awaited coroutine warnings; new route tests cover file ID validation and upload quota/scan behaviors.

Written by Cursor Bugbot for commit 8d3b95d. This will update automatically on new commits. Configure here.

@ntindle @claude
feat(platform): Add file upload to copilot chat [SECRT-1788]
91e6723 
Enable users to attach files (documents, images, spreadsheets, video,
audio) to copilot chat messages with upload progress feedback and
attachment display in sent messages.

Resolves: https://linear.app/autogpt/issue/SECRT-1788

Backend:
- Add POST /workspace/files/upload endpoint with virus scanning, size
  limits, and storage cap enforcement
- Add GET /workspace/storage/usage endpoint
- Enrich chat stream requests with file metadata so the LLM can
  reference attached files via read_workspace_file
- Thread file_ids through CoPilotExecutionEntry and RabbitMQ queue

Frontend:
- Add AttachmentMenu (+) popover with file category picker
- Add FileChips showing attached files with upload spinner state
- Leverage AI SDK native FileUIPart for sent message file parts
- Add MessageAttachments component rendering file pills in chat bubbles
- Add upload proxy route (Next.js API β†’ backend)
- Extract file_ids from FileUIPart URLs in transport layer
- Handle upload failures gracefully (chips revert, no phantom messages)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@ntindle ntindle requested a review from a team as a code owner February 27, 2026 00:54
@ntindle ntindle requested review from Pwuts and kcze and removed request for a team February 27, 2026 00:54
@github-project-automation github-project-automation bot moved this to πŸ†• Needs initial review in AutoGPT development kanban Feb 27, 2026
@github-actions github-actions bot added platform/frontend AutoGPT Platform - Front end platform/backend AutoGPT Platform - Back end labels Feb 27, 2026
@coderabbitai
Copy link
Contributor

coderabbitai bot commented Feb 27, 2026
edited
Loading

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▢️ Resume reviews
  • πŸ” Trigger review

Walkthrough

Adds end-to-end workspace file attachment support: frontend UI and upload proxy, backend upload/storage endpoints, StreamChatRequest/file_ids propagation and validation, message enrichment with an β€œ[Attached files]” block, propagation of sanitized file_ids into Copilot execution, and related tests and settings.

Changes

Cohort / File(s) Summary
Backend Chat & Executor
autogpt_platform/backend/backend/api/features/chat/routes.py, autogpt_platform/backend/backend/api/features/chat/routes_test.py, autogpt_platform/backend/backend/copilot/executor/utils.py		 Add optional file_ids to streaming request and CoPilotExecutionEntry; validate/filter UUIDs, batch-fetch workspace files, append formatted β€œ[Attached files]” metadata to user messages, propagate sanitized file_ids into enqueue and stream creation; tests for limits, filtering, and scoping.
Backend Workspace APIs, Data & Tests
autogpt_platform/backend/backend/api/features/workspace/routes.py, autogpt_platform/backend/backend/api/features/workspace/routes_test.py, autogpt_platform/backend/backend/data/workspace.py, autogpt_platform/backend/backend/util/settings.py		 New upload and storage-usage endpoints, upload validation (extensions, per-file size, quota checks pre/post-write with rollback), virus-scan hook, storage accounting, optimized workspace size aggregation (Prisma sum), config max_workspace_storage_mb, and comprehensive upload/download/quota tests.
Frontend Copilot Flow & Hooks
autogpt_platform/frontend/src/app/(platform)/copilot/useCopilotPage.ts, autogpt_platform/frontend/src/app/(platform)/copilot/CopilotPage.tsx		 Add isUploadingFiles state, pendingFiles orchestration, uploadFiles + buildFileParts, include file_ids in outgoing chat requests, expose upload state to UI.
Frontend Chat Input & Supporting UI
frontend/src/app/(platform)/copilot/components/ChatInput/ChatInput.tsx, .../useChatInput.ts, .../components/AttachmentMenu.tsx, .../components/FileChips.tsx, autogpt_platform/frontend/src/app/(platform)/copilot/components/EmptySession/EmptySession.tsx		 Extend onSend to accept optional files; add AttachmentMenu (category filters), FileChips (attachment UI), canSendEmpty handling, propagate isUploadingFiles, and minor layout tweaks.
Frontend Messages & Attachments Rendering
frontend/src/app/(platform)/copilot/components/ChatMessagesContainer/ChatMessagesContainer.tsx, .../components/MessageAttachments.tsx, .../helpers/convertChatSessionToUiMessages.ts		 Parse and extract an β€œ[Attached files]” block from message text into FileUIPart entries, avoid inline rendering of file parts, and render attachments via MessageAttachments with download links.
Frontend Proxies & OpenAPI
frontend/src/app/api/workspace/files/upload/route.ts, frontend/src/app/api/chat/sessions/[sessionId]/stream/route.ts, frontend/src/app/api/openapi.json		 Add upload proxy route forwarding multipart upload to backend, forward file_ids in stream proxy, and update OpenAPI schemas/endpoints for upload and storage usage and StreamChatRequest file_ids.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Frontend
    participant UploadProxy as Upload Proxy
    participant Backend
    participant WorkspaceDB as WorkspaceDB
    participant CopilotExec as CopilotExecutor

    User->>Frontend: Attach files + Send (text + files)
    Frontend->>UploadProxy: POST /api/workspace/files/upload (formData)
    UploadProxy->>Backend: Forward POST /api/workspace/files/upload (Authorization)
    Backend->>WorkspaceDB: Store files, scan, enforce quota
    WorkspaceDB-->>Backend: Return file_ids + metadata
    Backend-->>UploadProxy: UploadFileResponse (metadata + ids)
    UploadProxy-->>Frontend: Return file_ids + metadata
    Frontend->>Backend: POST /api/chat/.../stream {message, file_ids}
    Backend->>WorkspaceDB: Batch-fetch UserWorkspaceFile for sanitized file_ids
    Backend-->>Backend: Build "[Attached files]" block and append to message
    Backend->>CopilotExec: Enqueue copilot turn (message + sanitized file_ids)
    CopilotExec-->>Backend: Ack enqueue
    Backend-->>Frontend: Streamed response (with file parts)
Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

Suggested labels

Review effort 2/5

Suggested reviewers

  • 0ubbe
  • kcze
  • Pwuts

Poem

🐰 I nibbled filenames into tidy little rows,
Pushed them through pickers where the upload wind blows.
UUIDs aligned, metadata in tow,
From chips to backend the attached files now show.
Hooray β€” the copilot munches files and says hello!

πŸš₯ Pre-merge checks | βœ… 2 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 42.55% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
βœ… Passed checks (2 passed)
Check name Status Explanation
Title check βœ… Passed Title clearly and specifically describes the main feature: adding file upload functionality to copilot chat, with a tracking reference.
Description check βœ… Passed The PR description is directly related to the changeset, providing clear details on file attachment support implementation across frontend and backend with specific file changes, test plan, and risk assessment.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
  • πŸ“ Generate docstrings (stacked PR)
  • πŸ“ Generate docstrings (commit on current branch)
πŸ§ͺ Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch ntindle/file-upload

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❀️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions
Copy link
Contributor

github-actions bot commented Feb 27, 2026
edited
Loading

πŸ” PR Overlap Detection

This check compares your PR against all other open PRs targeting the same branch to detect potential merge conflicts early.

πŸ”΄ Merge Conflicts Detected

The following PRs have been tested and will have merge conflicts if merged after this PR. Consider coordinating with the authors.

  • Fix CoPilot stop button by cancelling backend chat streamΒ #12116 (Deeven-Seru Β· updated 4d ago)

    • πŸ“ autogpt_platform/
      • backend/Dockerfile (3 conflicts, ~76 lines)
      • backend/backend/api/features/builder/db.py (2 conflicts, ~8 lines)
      • backend/backend/api/features/chat/model_test.py (deleted here, modified there)
      • backend/backend/api/features/chat/routes.py (9 conflicts, ~456 lines)
      • backend/backend/api/features/chat/service_test.py (deleted here, modified there)
      • backend/backend/api/features/chat/tools/find_block_test.py (deleted here, modified there)
      • backend/backend/api/features/chat/tools/run_block_test.py (deleted here, modified there)
      • backend/backend/api/features/chat/tools/workspace_files.py (deleted here, modified there)
      • backend/backend/api/features/library/db.py (1 conflict, ~19 lines)
      • backend/backend/copilot/config.py (2 conflicts, ~9 lines)
      • backend/backend/copilot/model.py (10 conflicts, ~400 lines)
      • backend/backend/copilot/response_model.py (1 conflict, ~5 lines)
      • backend/backend/copilot/service.py (3 conflicts, ~376 lines)
      • backend/backend/copilot/stream_registry.py (4 conflicts, ~130 lines)
      • backend/backend/copilot/tools/__init__.py (1 conflict, ~4 lines)
      • backend/backend/copilot/tools/agent_generator/dummy.py (2 conflicts, ~33 lines)
      • backend/backend/copilot/tools/agent_generator/service.py (2 conflicts, ~12 lines)
      • backend/backend/copilot/tools/bash_exec.py (1 conflict, ~20 lines)
      • backend/backend/copilot/tools/check_operation_status.py (added there)
      • backend/backend/copilot/tools/feature_requests.py (9 conflicts, ~79 lines)
      • backend/backend/copilot/tools/feature_requests_test.py (8 conflicts, ~59 lines)
      • backend/backend/copilot/tools/find_block.py (1 conflict, ~6 lines)
      • backend/backend/copilot/tools/models.py (3 conflicts, ~37 lines)
      • backend/backend/copilot/tools/run_block.py (1 conflict, ~14 lines)
      • backend/backend/copilot/tools/sandbox.py (3 conflicts, ~24 lines)
      • backend/backend/copilot/tools/test_run_block_details.py (4 conflicts, ~20 lines)
      • backend/backend/copilot/tools/web_fetch.py (1 conflict, ~18 lines)
      • backend/backend/util/settings.py (1 conflict, ~5 lines)
      • backend/backend/util/test.py (1 conflict, ~4 lines)
      • backend/poetry.lock (3 conflicts, ~23 lines)
      • backend/pyproject.toml (1 conflict, ~5 lines)
      • frontend/src/app/(platform)/build/components/NewControlPanel/NewBlockMenu/Block.tsx (1 conflict, ~8 lines)
      • frontend/src/app/(platform)/build/components/legacy-builder/Flow/Flow.tsx (deleted here, modified there)
      • frontend/src/app/(platform)/copilot/components/ChatMessagesContainer/ChatMessagesContainer.tsx (5 conflicts, ~194 lines)
      • frontend/src/app/(platform)/copilot/tools/CreateAgent/CreateAgent.tsx (6 conflicts, ~181 lines)
      • frontend/src/app/(platform)/copilot/tools/GenericTool/GenericTool.tsx (3 conflicts, ~813 lines)
      • frontend/src/app/(platform)/copilot/tools/RunBlock/RunBlock.tsx (2 conflicts, ~11 lines)
      • frontend/src/app/(platform)/copilot/useCopilotPage.ts (4 conflicts, ~95 lines)
      • frontend/src/app/api/chat/sessions/[sessionId]/stream/route.ts (1 conflict, ~19 lines)
      • frontend/src/app/api/chat/tasks/[taskId]/stream/route.ts (deleted here, modified there)
      • frontend/src/app/api/openapi.json (4 conflicts, ~54 lines)
      • frontend/src/app/globals.css (1 conflict, ~8 lines)
      • frontend/src/tests/pages/build.page.ts (1 conflict, ~15 lines)

  • feat(platform): switch builder file inputs from base64 to workspace uploadsΒ #12226 (Abhi1992002 Β· updated 3h ago)

    • πŸ“ autogpt_platform/
      • backend/backend/api/features/workspace/routes.py (3 conflicts, ~205 lines)
      • backend/backend/api/features/workspace/routes_test.py (4 conflicts, ~516 lines)
      • frontend/src/app/api/openapi.json (6 conflicts, ~134 lines)

  • refactor(backend): Merge autogpt_libs into backend packageΒ #12074 (Otto-AGPT Β· updated 4d ago)

    • autogpt_platform/autogpt_libs/poetry.lock (modified here, deleted there)
    • autogpt_platform/autogpt_libs/pyproject.toml (modified here, deleted there)
    • autogpt_platform/backend/Dockerfile (1 conflict, ~10 lines)
    • autogpt_platform/backend/backend/api/features/chat/routes.py (4 conflicts, ~77 lines)
    • autogpt_platform/backend/backend/api/features/workspace/routes.py (2 conflicts, ~22 lines)
    • autogpt_platform/backend/backend/api/rest_api.py (1 conflict, ~11 lines)
    • autogpt_platform/backend/backend/blocks/data_manipulation.py (1 conflict, ~473 lines)
    • autogpt_platform/backend/backend/copilot/response_model.py (1 conflict, ~5 lines)
    • autogpt_platform/backend/backend/copilot/stream_registry.py (1 conflict, ~5 lines)
    • autogpt_platform/backend/backend/copilot/tools/run_block.py (1 conflict, ~31 lines)
    • autogpt_platform/backend/backend/integrations/credentials_store.py (1 conflict, ~13 lines)
    • autogpt_platform/backend/poetry.lock (2 conflicts, ~36 lines)
    • autogpt_platform/frontend/src/app/(platform)/copilot/components/ChatMessagesContainer/ChatMessagesContainer.tsx (3 conflicts, ~66 lines)
    • autogpt_platform/frontend/src/app/(platform)/copilot/tools/CreateAgent/CreateAgent.tsx (2 conflicts, ~10 lines)
    • autogpt_platform/frontend/src/app/api/chat/sessions/[sessionId]/stream/route.ts (1 conflict, ~19 lines)
    • autogpt_platform/frontend/src/app/api/chat/tasks/[taskId]/stream/route.ts (deleted here, modified there)
    • docs/integrations/README.md (1 conflict, ~6 lines)

  • feat(copilot): UX improvementsΒ #12258 (kcze Β· updated 4h ago)

    • πŸ“ autogpt_platform/
      • backend/backend/api/features/chat/routes.py (1 conflict, ~6 lines)
      • backend/backend/api/features/chat/routes_test.py (3 conflicts, ~344 lines)
      • frontend/src/app/(platform)/copilot/components/ChatSidebar/ChatSidebar.tsx (1 conflict, ~5 lines)
      • frontend/src/app/(platform)/copilot/useCopilotPage.ts (4 conflicts, ~195 lines)

  • chore(frontend): Fix react-doctor warnings + add CI jobΒ #12163 (0ubbe Β· updated 3d ago)

    • πŸ“ autogpt_platform/frontend/src/app/(platform)/copilot/
      • components/ChatContainer/ChatContainer.tsx (1 conflict, ~91 lines)
      • components/ChatMessagesContainer/ChatMessagesContainer.tsx (2 conflicts, ~234 lines)
      • components/EmptySession/EmptySession.tsx (1 conflict, ~66 lines)
      • tools/RunAgent/components/AgentDetailsCard/AgentDetailsCard.tsx (2 conflicts, ~119 lines)

  • feat(frontend/copilot): collapse repeated block executions into grouped summary rowsΒ #12259 (0ubbe Β· updated 4h ago)

    • πŸ“ autogpt_platform/frontend/src/app/
      • (platform)/copilot/components/ChatMessagesContainer/ChatMessagesContainer.tsx (2 conflicts, ~44 lines)
      • (platform)/copilot/components/ChatMessagesContainer/components/MessagePartRenderer.tsx (1 conflict, ~8 lines)
      • (platform)/copilot/components/ChatMessagesContainer/components/ThinkingIndicator.tsx (3 conflicts, ~46 lines)
      • (platform)/copilot/useCopilotPage.ts (2 conflicts, ~172 lines)
      • (platform)/copilot/useCopilotStream.ts (4 conflicts, ~28 lines)
      • api/chat/sessions/[sessionId]/stream/route.ts (1 conflict, ~15 lines)

  • feat(frontend): Show thinking indicator between CoPilot tool callsΒ #12203 (Otto-AGPT Β· updated 5d ago)

    • πŸ“ autogpt_platform/frontend/src/app/(platform)/copilot/components/ChatMessagesContainer/
      • ChatMessagesContainer.tsx (4 conflicts, ~170 lines)

  • feat(backend/copilot): async polling for agent-generator + SSE auto-reconnectΒ #12199 (majdyz Β· updated 5d ago)

    • πŸ“ autogpt_platform/frontend/src/app/(platform)/copilot/
      • useCopilotPage.ts (1 conflict, ~117 lines)

  • feat(frontend/copilot): add text-to-speech and share output actionsΒ #12256 (0ubbe Β· updated 4h ago)

    • πŸ“ autogpt_platform/frontend/src/app/(platform)/copilot/components/ChatMessagesContainer/
      • ChatMessagesContainer.tsx (2 conflicts, ~34 lines)

  • feat(frontend/copilot): add output action buttons (upvote, downvote) with Langfuse feedbackΒ #12260 (0ubbe Β· updated 6h ago)

    • πŸ“ autogpt_platform/frontend/src/app/(platform)/copilot/components/ChatMessagesContainer/
      • ChatMessagesContainer.tsx (3 conflicts, ~29 lines)

🟒 Low Risk β€” File Overlap Only

These PRs touch the same files but different sections (click to expand)

Summary: 10 conflict(s), 0 medium risk, 8 low risk (out of 18 PRs with file overlap)

Auto-generated on push. Ignores: openapi.json, lock files.

sentry[bot]
sentry bot reviewed Feb 27, 2026
View reviewed changes
coderabbitai[bot]
coderabbitai bot reviewed Feb 27, 2026
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 6

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
autogpt_platform/frontend/src/app/(platform)/copilot/components/EmptySession/EmptySession.tsx (1)

79-97: ⚠️ Potential issue | 🟑 Minor

Disable quick actions while files are uploading.

isUploadingFiles is passed to ChatInput, but quick-action buttons remain clickable and can trigger overlapping onSend calls during active upload.

πŸ”§ Suggested fix 
-              disabled={isCreatingSession || loadingAction !== null}
+              disabled={
+                isCreatingSession ||
+                loadingAction !== null ||
+                !!isUploadingFiles
+              }
πŸ€– Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In
`@autogpt_platform/frontend/src/app/`(platform)/copilot/components/EmptySession/EmptySession.tsx
around lines 79 - 97, Quick-action buttons can still be triggered while files
upload; update the Button disable logic and handler to respect isUploadingFiles:
add isUploadingFiles to the disabled expression for the Buttons rendered in the
quickActions map (alongside isCreatingSession and loadingAction !== null) and
set aria-busy when isUploadingFiles is true; additionally, guard
handleQuickActionClick (the click handler) to no-op early if isUploadingFiles is
true to prevent overlapping onSend calls.
autogpt_platform/frontend/src/app/api/chat/sessions/[sessionId]/stream/route.ts (1)

27-35: ⚠️ Potential issue | 🟑 Minor

Validate file_ids at the proxy boundary before forwarding.

file_ids is forwarded without runtime shape checks. Invalid payloads can propagate to backend and fail unpredictably. Return a 400 here if it is not string[] | null | undefined.

πŸ”§ Suggested fix 
     const body = await request.json();
     const { message, is_user_message, context, file_ids } = body;
+
+    if (
+      file_ids != null &&
+      (!Array.isArray(file_ids) ||
+        file_ids.some((id) => typeof id !== "string"))
+    ) {
+      return new Response(
+        JSON.stringify({ error: "file_ids must be an array of strings" }),
+        { status: 400, headers: { "Content-Type": "application/json" } },
+      );
+    }

@@
-        file_ids: file_ids || null,
+        file_ids: file_ids ?? null,

Also applies to: 59-64

πŸ€– Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In
`@autogpt_platform/frontend/src/app/api/chat/sessions/`[sessionId]/stream/route.ts
around lines 27 - 35, Validate the incoming file_ids after parsing the request
JSON in the route handler: ensure file_ids is either undefined, null, or an
array of strings (string[]); if any element is not a string or file_ids is
another type, return a 400 JSON response like the existing message block. Apply
the same runtime shape check wherever file_ids is read/forwarded (the initial
parse block around the const { message, is_user_message, context, file_ids } =
body and the later usage around lines 59-64) so invalid payloads are rejected at
the proxy boundary before forwarding to the backend.
🧹 Nitpick comments (6)
autogpt_platform/backend/backend/api/features/workspace/routes.py (1)

171-182: Avoid double-buffering large uploads in memory.

Collecting chunks into a list and then b"".join(...) creates an additional full-size copy. A bytearray path reduces peak memory pressure per request.

Proposed refactor 
-    chunks: list[bytes] = []
+    content = bytearray()
     total_size = 0
     while chunk := await file.read(64 * 1024):  # 64KB chunks
         total_size += len(chunk)
         if total_size > max_file_bytes:
             raise fastapi.HTTPException(
                 status_code=400,
                 detail=f"File exceeds maximum size of {config.max_file_size_mb} MB",
             )
-        chunks.append(chunk)
-    content = b"".join(chunks)
+        content.extend(chunk)
+    content_bytes = bytes(content)
...
-    if current_usage + len(content) > storage_limit_bytes:
+    if current_usage + len(content_bytes) > storage_limit_bytes:
...
-    usage_ratio = (current_usage + len(content)) / storage_limit_bytes
+    usage_ratio = (current_usage + len(content_bytes)) / storage_limit_bytes
...
-    await scan_content_safe(content, filename=filename)
+    await scan_content_safe(content_bytes, filename=filename)
...
-    workspace_file = await manager.write_file(content, filename)
+    workspace_file = await manager.write_file(content_bytes, filename)
πŸ€– Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@autogpt_platform/backend/backend/api/features/workspace/routes.py` around
lines 171 - 182, The current upload loop double-buffers large files by appending
chunks to chunks:list[bytes] and then calling b"".join(chunks); change it to
accumulate into a single mutable buffer (e.g., a bytearray) to avoid the extra
full-size copy: replace chunks list with a bytearray buffer, extend it on each
await file.read(...) iteration, keep the total_size check against
max_file_bytes, and then use bytes(buffer) or pass the bytearray as needed for
the final content variable (replace content = b"".join(chunks) with
converting/using the bytearray); reference variables/functions: chunks,
total_size, max_file_bytes/config.max_file_size_mb, file.read, and content to
locate where to modify.
autogpt_platform/frontend/src/app/(platform)/copilot/components/ChatInput/ChatInput.tsx (1)

9-11: Please remove useCallback and keep handlers as function declarations.

This adds unnecessary memoization and arrow-handler style where simple function declarations are enough.

Proposed refactor 
-import { ChangeEvent, useCallback, useState } from "react";
+import { ChangeEvent, useState } from "react";
...
-  const handleChange = useCallback(
-    (e: ChangeEvent<HTMLTextAreaElement>) => {
-      if (isRecording) return;
-      baseHandleChange(e);
-    },
-    [isRecording, baseHandleChange],
-  );
+  function handleChange(e: ChangeEvent<HTMLTextAreaElement>) {
+    if (isRecording) return;
+    baseHandleChange(e);
+  }
As per coding guidelines: "Do not use `useCallback` or `useMemo` unless asked to optimize a specific function" and "Use function declarations (not arrow functions) for components and handlers."

Also applies to: 50-54, 79-86

πŸ€– Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In
`@autogpt_platform/frontend/src/app/`(platform)/copilot/components/ChatInput/ChatInput.tsx
around lines 9 - 11, Remove the unnecessary useCallback usage and arrow-handler
style in the ChatInput component: delete the import of useCallback and replace
any const <name> = useCallback(...) or const <name> = (...) => {...} handler
definitions (e.g. the input change handler, submit handler, attach/file handlers
referenced in the component and noted around the other occurrences) with plain
function declarations like function handleX(...) {...}; ensure their parameter
types (ChangeEvent, etc.) and references in JSX remain unchanged so behavior is
preserved.
autogpt_platform/backend/backend/api/features/chat/routes.py (2)

406-407: Silent skip may hide configuration issues.

When a file_id is not found (or belongs to a different workspace), it's silently skipped. This is reasonable for graceful degradation, but consider logging a warning to help diagnose issues where users report missing attachments.

πŸ“ Suggested logging 
         wf = await get_workspace_file(fid, workspace.id)
         if wf is None:
+            logger.warning(
+                f"[STREAM] File {fid} not found in workspace for user {user_id}"
+            )
             continue
πŸ€– Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@autogpt_platform/backend/backend/api/features/chat/routes.py` around lines
406 - 407, The loop that checks "if wf is None: continue" should log a warning
instead of silently skipping so missing attachments can be diagnosed; update the
code in routes.py at the block where "wf" and "file_id" are validated to emit a
warning-level log (using the module's existing logger or Python logging) that
includes the file_id and relevant context (workspace id, user id or request id
if available) and then continue, so behavior stays graceful but
misconfigurations are visible in logs.

398-418: Consider batch fetching files to avoid N+1 queries.

The loop makes individual get_workspace_file calls for each file_id. With many attachments, this causes N+1 database queries. Consider adding a batch fetch method (e.g., get_workspace_files(file_ids, workspace_id)) that retrieves all files in a single query.

♻️ Suggested approach 
# In workspace.py, add a batch fetch method:
async def get_workspace_files(
    file_ids: list[str],
    workspace_id: str,
) -> list[WorkspaceFile]:
    files = await UserWorkspaceFile.prisma().find_many(
        where={
            "id": {"in": file_ids},
            "isDeleted": False,
            "workspaceId": workspace_id,
        }
    )
    return [WorkspaceFile.from_db(f) for f in files]

Then in the route:

-    for fid in request.file_ids:
-        wf = await get_workspace_file(fid, workspace.id)
-        if wf is None:
-            continue
+    workspace_files = await get_workspace_files(request.file_ids, workspace.id)
+    for wf in workspace_files:
         size_kb = round(wf.size_bytes / 1024, 1)
         file_lines.append(
-            f"- {wf.name} ({wf.mime_type}, {size_kb} KB), file_id={fid}"
+            f"- {wf.name} ({wf.mime_type}, {size_kb} KB), file_id={wf.id}"
         )
πŸ€– Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@autogpt_platform/backend/backend/api/features/chat/routes.py` around lines
398 - 418, The current loop calls get_workspace_file for each id causing N+1 DB
queries; modify backend.data.workspace to add a batch fetch function (e.g.,
get_workspace_files(file_ids, workspace_id)) that returns all WorkspaceFile
objects in one query, then in the route replace the per-id awaits with a single
call to get_workspace_files(workspace_id, request.file_ids) and iterate the
returned list to build file_lines (still using get_or_create_workspace to obtain
workspace.id); ensure the batch method filters by workspaceId and isDeleted so
behavior matches get_workspace_file.
autogpt_platform/frontend/src/app/api/openapi.json (2)

12141-12147: Consider enforcing uniqueness for file_ids.

Allowing duplicate IDs can cause redundant backend work; making the array unique tightens the request contract.

Proposed schema tweak 
           "file_ids": {
             "anyOf": [
-              { "items": { "type": "string" }, "type": "array" },
+              {
+                "type": "array",
+                "items": { "type": "string" },
+                "uniqueItems": true
+              },
               { "type": "null" }
             ],
             "title": "File Ids"
           }
πŸ€– Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@autogpt_platform/frontend/src/app/api/openapi.json` around lines 12141 -
12147, The schema for the file_ids property allows arrays of strings but doesn't
prevent duplicate entries; update the OpenAPI schema for "file_ids" (the anyOf
branch with "type": "array" and "items": {"type":"string"}) to include
"uniqueItems": true so arrays must contain unique string IDs, keeping the
existing null branch intact.

6530-6552: Document expected non-2xx upload failures in the OpenAPI contract.

Given this endpoint enforces file-size/storage/scan constraints, exposing explicit failure statuses will make frontend error handling and generated clients more deterministic.

Proposed OpenAPI response additions 
         "responses": {
           "200": {
             "description": "Successful Response",
             "content": {
               "application/json": {
                 "schema": {
                   "$ref": "#/components/schemas/backend__api__features__workspace__routes__UploadFileResponse"
                 }
               }
             }
           },
+          "413": { "description": "File exceeds allowed size limit" },
+          "415": { "description": "Unsupported media type" },
+          "507": { "description": "Workspace storage quota exceeded" },
           "401": {
             "$ref": "#/components/responses/HTTP401NotAuthenticatedError"
           },
           "422": {
πŸ€– Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@autogpt_platform/frontend/src/app/api/openapi.json` around lines 6530 - 6552,
Add explicit non-2xx responses to the upload endpoint's responses block (the one
that currently returns "$ref":
"#/components/schemas/backend__api__features__workspace__routes__UploadFileResponse")
so frontend clients can handle size/type/storage/scan errors deterministically:
include HTTP 413 (Payload Too Large) with a schema ref like
"#/components/schemas/UploadFileTooLarge", HTTP 415 (Unsupported Media Type)
with "#/components/schemas/UnsupportedFileTypeError", HTTP 507 (Insufficient
Storage) with "#/components/schemas/InsufficientStorageError", and a
scan/quarantine error (e.g., 422 or 409) with
"#/components/schemas/FileScanQuarantinedError"; for each response add a
descriptive "description" and "content": {"application/json": {"schema":
{"$ref": "..."} }} and keep the existing 200 and 401/422 entries referencing
UploadFileResponse and HTTPValidationError.
πŸ€– Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@autogpt_platform/backend/backend/api/features/chat/routes.py`:
- Line 399: The handler currently allows an unbounded number of request.file_ids
which can cause expensive DB work; add an upper bound check (e.g., 20) either in
the Pydantic model StreamChatRequest as a constrained list or add a runtime
guard before the block that handles file_ids in routes.py (the if
request.file_ids and user_id: branch) and raise HTTPException(status_code=400,
detail="Too many file attachments (max 20)") when len(request.file_ids) exceeds
the limit; update any unit tests that exercise large file_id lists accordingly.

In `@autogpt_platform/backend/backend/api/features/workspace/routes.py`:
- Around line 176-179: The handler currently raises fastapi.HTTPException with
status_code=400 for per-file size violations; change it to use the correct 413
status by setting status_code to 413 (or
fastapi.status.HTTP_413_REQUEST_ENTITY_TOO_LARGE) in the raise call so the
file-size check in the route returns "Payload Too Large" instead of Bad Request
(locate the raise in the workspace upload route where fastapi.HTTPException is
raised for file size).
- Around line 186-215: The storage cap check is race-prone because
get_workspace_total_size + manager.write_file are separate; fix by making the
size check and reservation atomic: obtain a per-workspace lock (e.g., async
mutex keyed by workspace.id or a Redis-based distributed lock) before calling
get_workspace_total_size, recheck available space accounting for the incoming
file size, and only then call WorkspaceManager.write_file (or call a new
WorkspaceManager.reserve_and_write(filename, content_size, content) method that
performs the check+write under the same lock/DB transaction); ensure the lock is
released on success or error and return the same HTTP 413 if the recheck fails.

In `@autogpt_platform/frontend/src/app/`(platform)/copilot/useCopilotPage.ts:
- Around line 340-359: The upload workflow can reject (uploadFiles) and
currently lacks explicit .catch handling, causing uncaught promise rejections
and potentially dropping the user's send; wrap the uploadFiles promise paths in
try/catch or add a .catch to handle errors, ensure setIsUploadingFiles(false)
runs in finally, and on failure show the toast error and still call sendMessage
if appropriate; specifically update the branches around uploadFiles(...) in
useCopilotPage (references: uploadFiles, buildFileParts, sendMessage,
setIsUploadingFiles, toast) to catch network/JSON errors, log/report them via
toast, and only proceed to buildFileParts/sendMessage when uploads succeeded.

In `@autogpt_platform/frontend/src/app/api/workspace/files/upload/route.ts`:
- Around line 31-34: The code currently returns a NextResponse with a hardcoded
"Content-Type": "application/json" when returning errorText (see NextResponse
and response variables), which can mislabel non-JSON responses; change the
response creation to preserve the backend Content-Type by reading
response.headers.get('content-type') and using that value (or fall back to
'text/plain' if missing) instead of always "application/json", or simply copy
through response.headers when constructing the NextResponse so the original
content type and any other relevant headers are preserved.
- Around line 19-21: The code currently forwards the sentinel string returned by
getServerAuthToken() as a bearer token; update the logic around the token
variable (from getServerAuthToken()) and the headers object so you only set
headers["Authorization"] = `Bearer ${token}` when token is a real value (e.g.,
token is truthy and token !== "no-token-found"); otherwise do not add the
Authorization header (or handle missing auth explicitly) in the upload route
handler in route.ts.

---

Outside diff comments:
In
`@autogpt_platform/frontend/src/app/`(platform)/copilot/components/EmptySession/EmptySession.tsx:
- Around line 79-97: Quick-action buttons can still be triggered while files
upload; update the Button disable logic and handler to respect isUploadingFiles:
add isUploadingFiles to the disabled expression for the Buttons rendered in the
quickActions map (alongside isCreatingSession and loadingAction !== null) and
set aria-busy when isUploadingFiles is true; additionally, guard
handleQuickActionClick (the click handler) to no-op early if isUploadingFiles is
true to prevent overlapping onSend calls.

In
`@autogpt_platform/frontend/src/app/api/chat/sessions/`[sessionId]/stream/route.ts:
- Around line 27-35: Validate the incoming file_ids after parsing the request
JSON in the route handler: ensure file_ids is either undefined, null, or an
array of strings (string[]); if any element is not a string or file_ids is
another type, return a 400 JSON response like the existing message block. Apply
the same runtime shape check wherever file_ids is read/forwarded (the initial
parse block around the const { message, is_user_message, context, file_ids } =
body and the later usage around lines 59-64) so invalid payloads are rejected at
the proxy boundary before forwarding to the backend.

---

Nitpick comments:
In `@autogpt_platform/backend/backend/api/features/chat/routes.py`:
- Around line 406-407: The loop that checks "if wf is None: continue" should log
a warning instead of silently skipping so missing attachments can be diagnosed;
update the code in routes.py at the block where "wf" and "file_id" are validated
to emit a warning-level log (using the module's existing logger or Python
logging) that includes the file_id and relevant context (workspace id, user id
or request id if available) and then continue, so behavior stays graceful but
misconfigurations are visible in logs.
- Around line 398-418: The current loop calls get_workspace_file for each id
causing N+1 DB queries; modify backend.data.workspace to add a batch fetch
function (e.g., get_workspace_files(file_ids, workspace_id)) that returns all
WorkspaceFile objects in one query, then in the route replace the per-id awaits
with a single call to get_workspace_files(workspace_id, request.file_ids) and
iterate the returned list to build file_lines (still using
get_or_create_workspace to obtain workspace.id); ensure the batch method filters
by workspaceId and isDeleted so behavior matches get_workspace_file.

In `@autogpt_platform/backend/backend/api/features/workspace/routes.py`:
- Around line 171-182: The current upload loop double-buffers large files by
appending chunks to chunks:list[bytes] and then calling b"".join(chunks); change
it to accumulate into a single mutable buffer (e.g., a bytearray) to avoid the
extra full-size copy: replace chunks list with a bytearray buffer, extend it on
each await file.read(...) iteration, keep the total_size check against
max_file_bytes, and then use bytes(buffer) or pass the bytearray as needed for
the final content variable (replace content = b"".join(chunks) with
converting/using the bytearray); reference variables/functions: chunks,
total_size, max_file_bytes/config.max_file_size_mb, file.read, and content to
locate where to modify.

In
`@autogpt_platform/frontend/src/app/`(platform)/copilot/components/ChatInput/ChatInput.tsx:
- Around line 9-11: Remove the unnecessary useCallback usage and arrow-handler
style in the ChatInput component: delete the import of useCallback and replace
any const <name> = useCallback(...) or const <name> = (...) => {...} handler
definitions (e.g. the input change handler, submit handler, attach/file handlers
referenced in the component and noted around the other occurrences) with plain
function declarations like function handleX(...) {...}; ensure their parameter
types (ChangeEvent, etc.) and references in JSX remain unchanged so behavior is
preserved.

In `@autogpt_platform/frontend/src/app/api/openapi.json`:
- Around line 12141-12147: The schema for the file_ids property allows arrays of
strings but doesn't prevent duplicate entries; update the OpenAPI schema for
"file_ids" (the anyOf branch with "type": "array" and "items":
{"type":"string"}) to include "uniqueItems": true so arrays must contain unique
string IDs, keeping the existing null branch intact.
- Around line 6530-6552: Add explicit non-2xx responses to the upload endpoint's
responses block (the one that currently returns "$ref":
"#/components/schemas/backend__api__features__workspace__routes__UploadFileResponse")
so frontend clients can handle size/type/storage/scan errors deterministically:
include HTTP 413 (Payload Too Large) with a schema ref like
"#/components/schemas/UploadFileTooLarge", HTTP 415 (Unsupported Media Type)
with "#/components/schemas/UnsupportedFileTypeError", HTTP 507 (Insufficient
Storage) with "#/components/schemas/InsufficientStorageError", and a
scan/quarantine error (e.g., 422 or 409) with
"#/components/schemas/FileScanQuarantinedError"; for each response add a
descriptive "description" and "content": {"application/json": {"schema":
{"$ref": "..."} }} and keep the existing 200 and 401/422 entries referencing
UploadFileResponse and HTTPValidationError.
ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.

πŸ“₯ Commits

Reviewing files that changed from the base of the PR and between d5efb69 and 91e6723.

πŸ“’ Files selected for processing (17)
  • autogpt_platform/backend/backend/api/features/chat/routes.py
  • autogpt_platform/backend/backend/api/features/workspace/routes.py
  • autogpt_platform/backend/backend/copilot/executor/utils.py
  • autogpt_platform/backend/backend/util/settings.py
  • autogpt_platform/frontend/src/app/(platform)/copilot/CopilotPage.tsx
  • autogpt_platform/frontend/src/app/(platform)/copilot/components/ChatContainer/ChatContainer.tsx
  • autogpt_platform/frontend/src/app/(platform)/copilot/components/ChatInput/ChatInput.tsx
  • autogpt_platform/frontend/src/app/(platform)/copilot/components/ChatInput/components/AttachmentMenu.tsx
  • autogpt_platform/frontend/src/app/(platform)/copilot/components/ChatInput/components/FileChips.tsx
  • autogpt_platform/frontend/src/app/(platform)/copilot/components/ChatInput/useChatInput.ts
  • autogpt_platform/frontend/src/app/(platform)/copilot/components/ChatMessagesContainer/ChatMessagesContainer.tsx
  • autogpt_platform/frontend/src/app/(platform)/copilot/components/ChatMessagesContainer/components/MessageAttachments.tsx
  • autogpt_platform/frontend/src/app/(platform)/copilot/components/EmptySession/EmptySession.tsx
  • autogpt_platform/frontend/src/app/(platform)/copilot/useCopilotPage.ts
  • autogpt_platform/frontend/src/app/api/chat/sessions/[sessionId]/stream/route.ts
  • autogpt_platform/frontend/src/app/api/openapi.json
  • autogpt_platform/frontend/src/app/api/workspace/files/upload/route.ts

cursor[bot]
cursor bot reviewed Feb 27, 2026
View reviewed changes
autogpt-reviewer
autogpt-reviewer reviewed Feb 27, 2026
View reviewed changes
Copy link

@autogpt-reviewer autogpt-reviewer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PR #12220 β€” feat(platform): Add file upload to copilot chat [SECRT-1788]
Author: ntindle | Requested by: ntindle | Files: 17 changed (+775/-86)

Key files: workspace/routes.py (+128), useCopilotPage.ts (+114), ChatInput.tsx (+85/-52), AttachmentMenu.tsx (+124), upload/route.ts (+49), chat/routes.py (+24), settings.py (+7), executor/utils.py (+6)

🎯 Verdict: REQUEST_CHANGES

What This PR Does

Adds file attachment support to copilot chat. Users click a "+" button to select files by category (documents, images, spreadsheets, video, audio), see file chips with upload progress, and sent messages display file attachment pills. Backend adds upload endpoint with ClamAV virus scanning, per-file size limits, and per-user storage caps. File metadata is enriched into the LLM's context so the copilot can reference uploaded files.

Specialist Findings

πŸ›‘οΈ Security ⚠️ β€” Auth is properly scoped on all endpoints (user β†’ workspace isolation). File ownership checks pass. However: (1) TOCTOU race condition on storage quota β€” concurrent uploads can bypass limits, (2) file_ids list is unbounded β€” DoS via DB query storm, (3) no server-side MIME type validation (frontend allowlist is cosmetic), (4) filename not sanitized for path components, (5) ClamAV silently passes all uploads when disabled β€” needs health assertion.

πŸ—οΈ Architecture βœ… β€” Clean design. Upload separated from chat, proper workspace isolation, extensible categories. Minor: duplicate UploadFileResponse schema names in OpenAPI, file_ids threaded through RabbitMQ but unused by consumer (dead payload), URL regex to extract file_id is fragile.

⚑ Performance ⚠️ β€” (1) get_workspace_total_size() does full table scan + Python sum instead of SQL SUM() β€” runs on every upload, (2) double ClamAV scan per upload (route + write_file both call scan_content_safe), (3) sequential frontend uploads (no parallelism), (4) ~3Γ— file size memory per upload (chunks + joined + ClamAV buffer), (5) N+1 DB queries for file_ids enrichment, (6) Next.js proxy buffers entire upload in memory.

πŸ§ͺ Testing πŸ”΄ β€” Zero new tests for 775 lines of security-sensitive code. No backend tests for upload endpoint, size limits, quota enforcement, virus scanning, or cross-user auth. No frontend component tests or stories for 3 new components. No e2e test for file upload flow. The PR's test plan is manual-only checkboxes (all unchecked).

πŸ“– Quality ⚠️ β€” Good component decomposition and TypeScript types. Issues: double virus scan waste, inline import in hot path (chat/routes.py:400), Config() instantiated per-request, magic numbers (chunk size, warning threshold), file_ids not UUID-validated, inconsistent error detail types (dict vs string).

πŸ“¦ Product βœ… β€” Flow is intuitive and follows established patterns. Good: file-only messages work, error resilience, send-button state. Should fix: no client-side file count/size limits, no per-file upload progress, .csv in both Documents and Spreadsheets, no file size on chips, virus detection error is generic.

πŸ“¬ Discussion ⚠️ β€” 7 bot review comments (all unresolved, 0 author responses β€” PR just opened). Sentry + CodeRabbit both flagged quota race condition. 5 PRs with confirmed merge conflicts (#12074 heaviest at 17 files). Zero human reviewers. CI partially pending (lint βœ…, integration βœ…, backend tests/types/e2e still running).

πŸ”Ž QA ⚠️ β€” Frontend UI verified working: attachment button renders, popover shows 5 categories, file chips display correctly, chip removal works, send enables with files-only, plain messaging unaffected. Cannot verify upload-to-display flow β€” GCS unreachable in review environment (infrastructure limitation, not code bug). ClamAV scanning works (15ms). 11 screenshots captured. No Storybook stories for new components.

Blockers (3)

  1. πŸ”΄ Zero test coverage β€” 775 lines of security-sensitive upload code (virus scanning, quota enforcement, auth scoping) with zero tests. At minimum: upload happy path, size limit enforcement, storage quota enforcement, virus scan mock, cross-user file_ids auth test. [workspace/routes.py, chat/routes.py, all 3 new frontend components]

  2. πŸ”΄ TOCTOU race on storage quota β€” get_workspace_total_size() reads current usage, then write_file() writes. Concurrent uploads both pass the check before either commits. Use advisory lock or atomic DB constraint. [workspace/routes.py:180-193]

  3. πŸ”΄ Unbounded file_ids list β€” No length validation or UUID format check. Attacker can send thousands of IDs, each triggering a DB query. Add max_length=20 and UUID pattern validation. [chat/routes.py:82, stream request model]

Should Fix (Follow-up OK) (8)

  1. O(n) storage quota query β€” get_workspace_total_size() loads all file rows into Python to sum. Use SQL SUM() aggregate. [workspace.py:326-337]
  2. Double virus scan β€” Both upload_file route and write_file call scan_content_safe. Remove one or pass skip_scan flag. [workspace/routes.py:211, workspace.py:187]
  3. Sequential frontend uploads β€” Files upload one-at-a-time in a for loop. Use Promise.allSettled with concurrency limit. [useCopilotPage.ts:~350-370]
  4. No server-side MIME validation β€” Upload accepts any file type. Frontend allowlist is client-only. Add server-side allowlist or python-magic content check. [workspace/routes.py]
  5. Filename path components not stripped β€” ../../etc/passwd creates confusing virtual paths. Apply os.path.basename(). [workspace/routes.py:206]
  6. N+1 queries for file_ids enrichment β€” Each file_id is a separate DB query. Use batch find_many(where={"id": {"in": file_ids}}). [chat/routes.py:397-415]
  7. Next.js proxy buffers entire upload β€” request.formData() parses full upload into memory. Consider streaming request.body directly. [upload/route.ts]
  8. "no-token-found" sentinel forwarded as bearer token β€” CodeRabbit flagged: when auth fails, string literal sent as Authorization header. [upload/route.ts]

Nice to Have (5)

  1. Client-side file count/size limits with user feedback before upload
  2. Per-file upload progress indication (not just all-or-nothing spinner)
  3. Storage usage surfaced in UI (endpoint exists, frontend doesn't call it)
  4. Storybook stories for AttachmentMenu, FileChips, MessageAttachments
  5. Remove .csv from Documents category (already in Spreadsheets)

Risk Assessment

Merge risk: MEDIUM β€” Security-sensitive feature (file upload + virus scanning) with zero tests and a race condition on quota enforcement. The core design is solid and auth is properly scoped, but the gaps need to be closed before merge.

Rollback: EASY β€” New endpoints and UI components. No database migrations. Feature is additive β€” removing it doesn't break existing chat.

QA Evidence

11 screenshots captured during live testing:

  • Landing page, signup flow, dashboard, copilot chat interface
  • Attachment "+" button visible and functional
  • Popover with 5 file categories working
  • File chips rendering with remove buttons
  • Upload attempted (GCS unavailable in review env β€” infrastructure, not code)

CI Status (at review time)

βœ… lint, integration_test, CodeQL, scope, size, license, snyk
⏳ test (3.11/3.12/3.13), types, e2e, Cursor Bugbot β€” still pending

Merge Conflicts

5 PRs with confirmed conflicts: #12074 (17 files), #12163, #12207 (ChatInput.tsx, 4 conflicts), #12203, #12210

@ntindle The feature design is excellent β€” clean separation, solid auth, good UX. Three items need attention before merge: (1) add tests for the upload endpoint and quota enforcement, (2) fix the TOCTOU race on storage quota, and (3) add validation/limits on the file_ids parameter. The rest are follow-up items. Close to mergeable with one more pass. πŸš€

ntindle and others added 2 commits February 27, 2026 00:15
@ntindle @claude
fix(platform): Address PR review feedback for file upload feature
41eccad 
- B1: Add file_ids validation (max 20, UUID format filtering) on StreamChatRequest
- B2: Add post-write storage quota check to eliminate TOCTOU race condition
- B3: Add backend tests for upload routes and chat file_ids enrichment
- SF1: Query Prisma directly in get_workspace_total_size (skip Pydantic conversion)
- SF3: Parallelize frontend file uploads with Promise.allSettled
- SF4: Add server-side file extension allowlist (415 for disallowed types)
- SF5: Sanitize filenames with os.path.basename to strip directory components
- SF6: Replace N+1 file_ids loop with batch find_many query
- SF8: Guard against "no-token-found" sentinel in upload proxy route
- N1: Add client-side file count (10) and size (100MB) limits
- N5: Remove duplicate .csv from Documents category in AttachmentMenu
- Redesign file attachment display with ContentCard components

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@ntindle
Merge branch 'ntindle/file-upload' of https://github.com/Significant-…
6c3cc6b 
…Gravitas/AutoGPT into ntindle/file-upload
@ntindle
Copy link
Member Author

ntindle commented Feb 27, 2026

Review Feedback Addressed

All items from the review have been addressed in commit 41eccad:

Blockers

# Issue Resolution
B1 Unbounded file_ids Added Field(max_length=20) + UUID regex filtering
B2 TOCTOU race on storage quota Post-write quota re-check; over-limit files are soft-deleted
B3 No backend tests Added 12 tests: 8 for workspace upload, 4 for chat file_ids

Should Fix

# Issue Resolution
SF1 O(n) storage quota query Direct Prisma query (skips Pydantic model conversion)
SF2 Double virus scan Kept intentionally β€” defense in depth for non-upload callers
SF3 Sequential frontend uploads Refactored to Promise.allSettled for parallel uploads
SF4 No server-side MIME validation Added extension allowlist; returns 415 for disallowed types
SF5 Filename path components Applied os.path.basename() to strip directory traversal
SF6 N+1 queries for file_ids Replaced per-ID loop with batch find_many query
SF7 Next.js proxy buffers upload Deferred β€” requires edge runtime or custom server; not worth complexity
SF8 "no-token-found" sentinel Added guard matching existing createRequestHeaders() pattern

Nice to Have

# Issue Resolution
N1 Client-side limits Added max 10 files, max 100MB per file with toast feedback
N2 Per-file upload progress Deferred β€” requires XHR with progress events
N3 Storage usage in UI Deferred β€” endpoint exists, needs UI design
N4 Storybook stories Deferred β€” follow-up
N5 .csv in Documents Removed from Documents (already in Spreadsheets)

Also redesigned file attachment display in chat messages using ContentCard components.

coderabbitai[bot]
coderabbitai bot reviewed Feb 27, 2026
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 5

♻️ Duplicate comments (1)
autogpt_platform/frontend/src/app/(platform)/copilot/useCopilotPage.ts (1)

333-351: ⚠️ Potential issue | 🟠 Major

Upload-failure handling still drops send intent and can bubble errors.

Line 448 throws when all uploads fail, and Line 344–351 returns early after pending state is cleared. This can drop the user message path on full upload failure.

πŸ›  Suggested hardening 
     if (files.length > 0) {
       setIsUploadingFiles(true);
       void uploadFiles(files, sessionId)
         .then((uploaded) => {
           if (uploaded.length === 0) {
             toast({
               title: "File upload failed",
               description: "Could not upload any files. Please try again.",
               variant: "destructive",
             });
-            return;
+            sendMessage({ text: msg });
+            return;
           }
           const fileParts = buildFileParts(uploaded);
           sendMessage({
             text: msg,
             files: fileParts.length > 0 ? fileParts : undefined,
           });
         })
+        .catch(() => {
+          toast({
+            title: "File upload failed",
+            description: "Could not upload files. Sending message without attachments.",
+            variant: "destructive",
+          });
+          sendMessage({ text: msg });
+        })
         .finally(() => setIsUploadingFiles(false));
@@
         try {
           const uploaded = await uploadFiles(files, sessionId);
           if (uploaded.length === 0) {
-            // All uploads failed β€” abort send so chips revert to editable
-            throw new Error("All file uploads failed");
+            toast({
+              title: "File upload failed",
+              description: "Could not upload any files. Sending without attachments.",
+              variant: "destructive",
+            });
+            sendMessage({ text: trimmed });
+            return;
           }
#!/bin/bash
# Verify current failure paths in the hook.
FILE='autogpt_platform/frontend/src/app/(platform)/copilot/useCopilotPage.ts'

echo "1) Throw on all-failed uploads:"
rg -n -C2 'throw new Error\("All file uploads failed"\)' "$FILE"

echo
echo "2) Pending branch returns early on zero successful uploads:"
rg -n -C2 'uploaded.length === 0|return;' "$FILE"

echo
echo "3) Pending upload chain currently lacks explicit .catch:"
rg -n -C2 'void uploadFiles\(|\.then\(|\.catch\(|\.finally\(' "$FILE"

Also applies to: 364-393, 442-449

πŸ€– Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@autogpt_platform/frontend/src/app/`(platform)/copilot/useCopilotPage.ts
around lines 333 - 351, The useEffect handler clears pendingMessage and
pendingFilesRef then starts uploadFiles but on complete-failure it toasts and
throws which drops the original send intent and can bubble errors; change the
flow in the pending-message branch (the code that uses pendingMessage,
pendingFilesRef, setPendingMessage, setIsUploadingFiles, uploadFiles) so that
you do not permanently clear the send intent before uploads succeed and you
never throw on upload failure: preserve or restore
pendingMessage/pendingFilesRef when uploads fail, remove the thrown Error("All
file uploads failed"), add a .catch handler on the uploadFiles promise to
handle/upload errors (show toast, reset isUploadingFiles, and restore
pendingMessage/pendingFilesRef to allow retry), and ensure the normal
message-send path is invoked when uploads succeed (or when uploads fail but user
should still send message) so sending is not dropped.
🧹 Nitpick comments (2)
autogpt_platform/backend/backend/data/workspace.py (1)

330-332: Docstring optimization claim is not clearly reflected in the query.

Line 330-332 says only sizeBytes is fetched, but Line 339-341 uses a generic find_many and then sums in Python. Please switch to an explicit projection/DB aggregation (or relax the docstring claim) to avoid unnecessary row payload/memory work.

In prisma-client-py 0.15.0, what is the recommended way to compute SUM(sizeBytes) for UserWorkspaceFile (server-side aggregate vs select projection), and what does find_many return by default when no select/include is provided?

Also applies to: 339-342

πŸ€– Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@autogpt_platform/backend/backend/data/workspace.py` around lines 330 - 332,
The code claims it only fetches sizeBytes but actually calls prisma find_many on
UserWorkspaceFile and sums in Python; replace that find_many+Python-sum pattern
with a server-side aggregation (use Prisma client's aggregate/_sum for the
UserWorkspaceFile sizeBytes field) to compute SUM(sizeBytes) on the DB side, or
if you must keep a multi-row fetch, at minimum use a select projection that only
selects sizeBytes to reduce payload; update the code that calls find_many and
the subsequent Python sum accordingly and adjust the docstring to match the
chosen approach (reference the UserWorkspaceFile model, the find_many call, and
the Python summation logic).
autogpt_platform/frontend/src/app/(platform)/copilot/useCopilotPage.ts (1)

378-379: Add Sentry.captureException() for proper exception tracking.

This is manual exception handling with an explicit error path. Replace or supplement console.error() with Sentry.captureException() to align with exception tracking patterns elsewhere in the codebase and coding guidelines. The toast notification correctly handles user feedback; Sentry will provide structured error reporting for debugging.

πŸ€– Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@autogpt_platform/frontend/src/app/`(platform)/copilot/useCopilotPage.ts
around lines 378 - 379, In the error path inside useCopilotPage (where
console.error("File upload failed:", err) and toast(...) are used), call
Sentry.captureException(err) to record the exception (or replace console.error
with Sentry.captureException) and ensure `@sentry/browser` or the project Sentry
instance is imported/available in this module; keep the existing toast for user
feedback but add Sentry.captureException(err) so the failure is tracked in
Sentry.
πŸ€– Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@autogpt_platform/backend/backend/api/features/chat/routes_test.py`:
- Around line 91-93: The test currently only asserts response.status_code != 422
which can hide other failures; update the assertion in
autogpt_platform/backend/backend/api/features/chat/routes_test.py to assert an
explicit successful status (e.g., assert response.status_code == 200) for the
20-file happy path by replacing the loose != 422 check on the response object
with a direct equality check to the expected success code.

In `@autogpt_platform/backend/backend/api/features/chat/routes.py`:
- Around line 404-434: The code validates and scopes file IDs into valid_ids and
uses them to build files_block, but later code still forwards the original
request.file_ids downstream (e.g., into executor payloads), bypassing
sanitization; update all places where request.file_ids is passed (search for
usages of request.file_ids or where executor payloads are constructed after
enrichment) to pass the filtered valid_ids (or an empty list if none) and ensure
any downstream fields (payload keys) are labeled/workspace-scoped the same way
you used for the database query (e.g., use the workspace from
get_or_create_workspace and the valid_ids list) so only sanitized,
workspace-scoped IDs are sent onward.

In `@autogpt_platform/backend/backend/api/features/workspace/routes_test.py`:
- Around line 106-119: The quota tests (e.g.,
test_upload_storage_quota_exceeded) rely on implicit default
Config.max_workspace_storage_mb and are brittle; make them deterministic by
stubbing the config value used by the route. In the test, patch or monkeypatch
the Config (or the symbol used to read max_workspace_storage_mb in
backend.api.features.workspace.routes) to a known value before calling _upload,
then assert against that fixed quota; keep the existing mocks
get_or_create_workspace and get_workspace_total_size intact so behavior is
predictable.

In `@autogpt_platform/backend/backend/api/features/workspace/routes.py`:
- Around line 255-271: The quota math can divide by zero when
config.max_workspace_storage_mb is 0; in the route code around
storage_limit_bytes/current_usage/usage_ratio (use the variables
storage_limit_bytes, current_usage, usage_ratio and the helper
get_workspace_total_size), add a guard that detects storage_limit_bytes == 0 and
return a controlled HTTPException (status_code=413) with the same detail shape
(message, used_bytes=current_usage, limit_bytes=0, used_percent=100 or
appropriate value) before any division occurs, and ensure the later warning
calculation only runs when storage_limit_bytes > 0 so no ZeroDivisionError is
possible.

In `@autogpt_platform/backend/backend/data/workspace.py`:
- Around line 339-341: The query using UserWorkspaceFile.prisma().find_many
filters only by workspaceId and isDeleted, allowing information disclosure
across workspaces; modify the where clause to also enforce ownership by the
requesting user (e.g., include userId or equivalent current_user_id in the where
filter) or validate ownership first by fetching the Workspace and checking
workspace.userId === current_user_id before listing files; update the call
referencing workspace_id and the calling context that supplies the requesting
user's id (e.g., current_user_id, user.id) so all data access in this file
enforces user ID checks.

---

Duplicate comments:
In `@autogpt_platform/frontend/src/app/`(platform)/copilot/useCopilotPage.ts:
- Around line 333-351: The useEffect handler clears pendingMessage and
pendingFilesRef then starts uploadFiles but on complete-failure it toasts and
throws which drops the original send intent and can bubble errors; change the
flow in the pending-message branch (the code that uses pendingMessage,
pendingFilesRef, setPendingMessage, setIsUploadingFiles, uploadFiles) so that
you do not permanently clear the send intent before uploads succeed and you
never throw on upload failure: preserve or restore
pendingMessage/pendingFilesRef when uploads fail, remove the thrown Error("All
file uploads failed"), add a .catch handler on the uploadFiles promise to
handle/upload errors (show toast, reset isUploadingFiles, and restore
pendingMessage/pendingFilesRef to allow retry), and ensure the normal
message-send path is invoked when uploads succeed (or when uploads fail but user
should still send message) so sending is not dropped.

---

Nitpick comments:
In `@autogpt_platform/backend/backend/data/workspace.py`:
- Around line 330-332: The code claims it only fetches sizeBytes but actually
calls prisma find_many on UserWorkspaceFile and sums in Python; replace that
find_many+Python-sum pattern with a server-side aggregation (use Prisma client's
aggregate/_sum for the UserWorkspaceFile sizeBytes field) to compute
SUM(sizeBytes) on the DB side, or if you must keep a multi-row fetch, at minimum
use a select projection that only selects sizeBytes to reduce payload; update
the code that calls find_many and the subsequent Python sum accordingly and
adjust the docstring to match the chosen approach (reference the
UserWorkspaceFile model, the find_many call, and the Python summation logic).

In `@autogpt_platform/frontend/src/app/`(platform)/copilot/useCopilotPage.ts:
- Around line 378-379: In the error path inside useCopilotPage (where
console.error("File upload failed:", err) and toast(...) are used), call
Sentry.captureException(err) to record the exception (or replace console.error
with Sentry.captureException) and ensure `@sentry/browser` or the project Sentry
instance is imported/available in this module; keep the existing toast for user
feedback but add Sentry.captureException(err) so the failure is tracked in
Sentry.
ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.

πŸ“₯ Commits

Reviewing files that changed from the base of the PR and between 727d7a1 and 6c3cc6b.

πŸ“’ Files selected for processing (10)
  • autogpt_platform/backend/backend/api/features/chat/routes.py
  • autogpt_platform/backend/backend/api/features/chat/routes_test.py
  • autogpt_platform/backend/backend/api/features/workspace/routes.py
  • autogpt_platform/backend/backend/api/features/workspace/routes_test.py
  • autogpt_platform/backend/backend/data/workspace.py
  • autogpt_platform/frontend/src/app/(platform)/copilot/components/ChatInput/components/AttachmentMenu.tsx
  • autogpt_platform/frontend/src/app/(platform)/copilot/components/ChatMessagesContainer/ChatMessagesContainer.tsx
  • autogpt_platform/frontend/src/app/(platform)/copilot/components/ChatMessagesContainer/components/MessageAttachments.tsx
  • autogpt_platform/frontend/src/app/(platform)/copilot/useCopilotPage.ts
  • autogpt_platform/frontend/src/app/api/workspace/files/upload/route.ts
🚧 Files skipped from review as they are similar to previous changes (4)
  • autogpt_platform/frontend/src/app/(platform)/copilot/components/ChatMessagesContainer/components/MessageAttachments.tsx
  • autogpt_platform/frontend/src/app/(platform)/copilot/components/ChatMessagesContainer/ChatMessagesContainer.tsx
  • autogpt_platform/frontend/src/app/api/workspace/files/upload/route.ts
  • autogpt_platform/frontend/src/app/(platform)/copilot/components/ChatInput/components/AttachmentMenu.tsx
πŸ“œ Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)
  • GitHub Check: types
  • GitHub Check: Seer Code Review
  • GitHub Check: Cursor Bugbot
  • GitHub Check: end-to-end tests
  • GitHub Check: test (3.12)
  • GitHub Check: test (3.11)
  • GitHub Check: test (3.13)
  • GitHub Check: Check PR Status
🧰 Additional context used
πŸ““ Path-based instructions (20)
autogpt_platform/backend/**/*.py

πŸ“„ CodeRabbit inference engine (.github/copilot-instructions.md)

autogpt_platform/backend/**/*.py: Use Python 3.11 (required; managed by Poetry via pyproject.toml) for backend development
Always run 'poetry run format' (Black + isort) before linting in backend development
Always run 'poetry run lint' (ruff) after formatting in backend development

Files:

  • autogpt_platform/backend/backend/api/features/chat/routes_test.py
  • autogpt_platform/backend/backend/api/features/workspace/routes_test.py
  • autogpt_platform/backend/backend/data/workspace.py
  • autogpt_platform/backend/backend/api/features/chat/routes.py
  • autogpt_platform/backend/backend/api/features/workspace/routes.py
autogpt_platform/backend/backend/api/features/**/*.py

πŸ“„ CodeRabbit inference engine (.github/copilot-instructions.md)

Update routes in '/backend/backend/api/features/' and add/update Pydantic models in the same directory for API development

When modifying API routes, update corresponding Pydantic models in the same directory and write tests alongside the route file

Files:

  • autogpt_platform/backend/backend/api/features/chat/routes_test.py
  • autogpt_platform/backend/backend/api/features/workspace/routes_test.py
  • autogpt_platform/backend/backend/api/features/chat/routes.py
  • autogpt_platform/backend/backend/api/features/workspace/routes.py
autogpt_platform/backend/**/*.{py,txt}

πŸ“„ CodeRabbit inference engine (autogpt_platform/backend/CLAUDE.md)

Use poetry run prefix for all Python commands, including testing, linting, formatting, and migrations

Files:

  • autogpt_platform/backend/backend/api/features/chat/routes_test.py
  • autogpt_platform/backend/backend/api/features/workspace/routes_test.py
  • autogpt_platform/backend/backend/data/workspace.py
  • autogpt_platform/backend/backend/api/features/chat/routes.py
  • autogpt_platform/backend/backend/api/features/workspace/routes.py
autogpt_platform/backend/**/*_test.py

πŸ“„ CodeRabbit inference engine (autogpt_platform/backend/CLAUDE.md)

autogpt_platform/backend/**/*_test.py: Always review snapshot changes with git diff before committing when updating snapshots with poetry run pytest --snapshot-update
Use pytest with snapshot testing for API responses in test files
Colocate test files with source files using the *_test.py naming convention

Files:

  • autogpt_platform/backend/backend/api/features/chat/routes_test.py
  • autogpt_platform/backend/backend/api/features/workspace/routes_test.py
autogpt_platform/backend/backend/api/**/*.py

πŸ“„ CodeRabbit inference engine (autogpt_platform/backend/CLAUDE.md)

autogpt_platform/backend/backend/api/**/*.py: Use FastAPI for building REST and WebSocket endpoints
Use JWT-based authentication with Supabase integration

Files:

  • autogpt_platform/backend/backend/api/features/chat/routes_test.py
  • autogpt_platform/backend/backend/api/features/workspace/routes_test.py
  • autogpt_platform/backend/backend/api/features/chat/routes.py
  • autogpt_platform/backend/backend/api/features/workspace/routes.py
autogpt_platform/backend/backend/**/*.py

πŸ“„ CodeRabbit inference engine (autogpt_platform/backend/CLAUDE.md)

Use Prisma ORM for database operations in PostgreSQL with pgvector for embeddings

Files:

  • autogpt_platform/backend/backend/api/features/chat/routes_test.py
  • autogpt_platform/backend/backend/api/features/workspace/routes_test.py
  • autogpt_platform/backend/backend/data/workspace.py
  • autogpt_platform/backend/backend/api/features/chat/routes.py
  • autogpt_platform/backend/backend/api/features/workspace/routes.py
autogpt_platform/**/*.py

πŸ“„ CodeRabbit inference engine (AGENTS.md)

Format Python code with poetry run format

Files:

  • autogpt_platform/backend/backend/api/features/chat/routes_test.py
  • autogpt_platform/backend/backend/api/features/workspace/routes_test.py
  • autogpt_platform/backend/backend/data/workspace.py
  • autogpt_platform/backend/backend/api/features/chat/routes.py
  • autogpt_platform/backend/backend/api/features/workspace/routes.py
autogpt_platform/backend/**/*test*.py

πŸ“„ CodeRabbit inference engine (AGENTS.md)

Run poetry run test for backend testing (runs pytest with docker based postgres + prisma)

Files:

  • autogpt_platform/backend/backend/api/features/chat/routes_test.py
  • autogpt_platform/backend/backend/api/features/workspace/routes_test.py
autogpt_platform/frontend/**/*.{ts,tsx,js,jsx}

πŸ“„ CodeRabbit inference engine (.github/copilot-instructions.md)

autogpt_platform/frontend/**/*.{ts,tsx,js,jsx}: Use Node.js 21+ with pnpm package manager for frontend development
Always run 'pnpm format' for formatting and linting code in frontend development

autogpt_platform/frontend/**/*.{ts,tsx,js,jsx}: Run pnpm format to auto-fix formatting issues before completing work
Run pnpm lint to check for lint errors and fix any that appear before completing work

Files:

  • autogpt_platform/frontend/src/app/(platform)/copilot/useCopilotPage.ts
autogpt_platform/frontend/**/*.{tsx,ts}

πŸ“„ CodeRabbit inference engine (.github/copilot-instructions.md)

autogpt_platform/frontend/**/*.{tsx,ts}: Use function declarations for components and handlers (not arrow functions) in React components
Only use arrow functions for small inline lambdas (map, filter, etc.) in React components
Use PascalCase for component names and camelCase with 'use' prefix for hook names in React
Use Tailwind CSS utilities only for styling in frontend components
Use design system components from 'src/components/' (atoms, molecules, organisms) in frontend development
Never use 'src/components/legacy/' in frontend code
Only use Phosphor Icons (@phosphor-icons/react) for icons in frontend components
Use generated API hooks from '@/app/api/generated/endpoints/' instead of deprecated 'BackendAPI' or 'src/lib/autogpt-server-api/'
Use React Query for server state (via generated hooks) in frontend development
Default to client components ('use client') in Next.js; only use server components for SEO or extreme TTFB needs
Use '' component for rendering errors in frontend UI; use toast notifications for mutation errors; use 'Sentry.captureException()' for manual exceptions
Separate render logic from data/behavior in React components; keep comments minimal (code should be self-documenting)

Files:

  • autogpt_platform/frontend/src/app/(platform)/copilot/useCopilotPage.ts
autogpt_platform/frontend/**/*.{ts,tsx}

πŸ“„ CodeRabbit inference engine (.github/copilot-instructions.md)

autogpt_platform/frontend/**/*.{ts,tsx}: No barrel files or 'index.ts' re-exports in frontend code
Regenerate API hooks with 'pnpm generate:api' after backend OpenAPI spec changes in frontend development

Run pnpm types to check for type errors and fix any that appear before completing work

Files:

  • autogpt_platform/frontend/src/app/(platform)/copilot/useCopilotPage.ts
autogpt_platform/frontend/**/*.{js,jsx,ts,tsx}

πŸ“„ CodeRabbit inference engine (AGENTS.md)

autogpt_platform/frontend/**/*.{js,jsx,ts,tsx}: Format frontend code using pnpm format
Never use components from src/components/__legacy__/*

Files:

  • autogpt_platform/frontend/src/app/(platform)/copilot/useCopilotPage.ts
autogpt_platform/frontend/src/**/*.{ts,tsx}

πŸ“„ CodeRabbit inference engine (AGENTS.md)

autogpt_platform/frontend/src/**/*.{ts,tsx}: Structure components as ComponentName/ComponentName.tsx + useComponentName.ts + helpers.ts and use design system components from src/components/ (atoms, molecules, organisms)
Use generated API hooks from @/app/api/__generated__/endpoints/ with pattern use{Method}{Version}{OperationName} and regenerate with pnpm generate:api
Use function declarations (not arrow functions) for components and handlers
Separate render logic from business logic with component.tsx + useComponent.ts + helpers.ts structure
Colocate state when possible, avoid creating large components, use sub-components in local /components folder
Avoid large hooks, abstract logic into helpers.ts files when sensible
Use arrow functions only for callbacks, not for component declarations
Avoid comments at all times unless the code is very complex
Do not use useCallback or useMemo unless asked to optimize a given function

autogpt_platform/frontend/src/**/*.{ts,tsx}: Use function declarations (not arrow functions) for components and handlers
Use type-safe generated API hooks via Orval + React Query for data fetching
Use React Query for server state management and co-locate UI state in components/hooks
Separate render logic (.tsx) from business logic (use*.ts hooks)
Use only shadcn/ui (Radix UI primitives) with Tailwind CSS for UI components
Use Phosphor Icons only for all icon implementations
Use ErrorCard component for render errors, toast for mutations, and Sentry for exceptions
Use design system components from src/components/ (atoms, molecules, organisms)
Never use src/components/__legacy__/* components
Use generated API hooks from @/app/api/__generated__/endpoints/ with pattern use{Method}{Version}{OperationName}
Use Tailwind CSS only for styling with design tokens
Do not use useCallback or useMemo unless asked to optimize a specific function
Never type with any unless a variable/attribute can actually be of any type

Files:

  • autogpt_platform/frontend/src/app/(platform)/copilot/useCopilotPage.ts
autogpt_platform/frontend/**/*.{js,jsx,ts,tsx,css}

πŸ“„ CodeRabbit inference engine (AGENTS.md)

Use Tailwind CSS only for styling, use design tokens, and use Phosphor Icons only

Files:

  • autogpt_platform/frontend/src/app/(platform)/copilot/useCopilotPage.ts
autogpt_platform/frontend/src/**/*.ts

πŸ“„ CodeRabbit inference engine (AGENTS.md)

Do not type hook returns, let Typescript infer as much as possible

Files:

  • autogpt_platform/frontend/src/app/(platform)/copilot/useCopilotPage.ts
autogpt_platform/**/*.{ts,tsx}

πŸ“„ CodeRabbit inference engine (AGENTS.md)

Never type with any, if no types available use unknown

Files:

  • autogpt_platform/frontend/src/app/(platform)/copilot/useCopilotPage.ts
autogpt_platform/frontend/src/**/*.{ts,tsx,js,jsx}

πŸ“„ CodeRabbit inference engine (autogpt_platform/frontend/CLAUDE.md)

Fully capitalize acronyms in symbols, e.g. graphID, useBackendAPI

Files:

  • autogpt_platform/frontend/src/app/(platform)/copilot/useCopilotPage.ts
autogpt_platform/frontend/src/**/use*.ts

πŸ“„ CodeRabbit inference engine (autogpt_platform/frontend/CLAUDE.md)

autogpt_platform/frontend/src/**/use*.ts: Extract component logic into custom hooks grouped by concern, with each hook in its own .ts file
Do not type hook returns; let TypeScript infer types as much as possible

Files:

  • autogpt_platform/frontend/src/app/(platform)/copilot/useCopilotPage.ts
autogpt_platform/backend/backend/data/**/*.py

πŸ“„ CodeRabbit inference engine (.github/copilot-instructions.md)

All data access in backend requires user ID checks; verify this for any 'data/*.py' changes

Files:

  • autogpt_platform/backend/backend/data/workspace.py
autogpt_platform/**/data/*.py

πŸ“„ CodeRabbit inference engine (AGENTS.md)

For changes touching data/*.py, validate user ID checks or explain why not needed

Files:

  • autogpt_platform/backend/backend/data/workspace.py
🧠 Learnings (11)
πŸ“š Learning: 2026-02-04T16:50:20.508Z 
Learnt from: CR
Repo: Significant-Gravitas/AutoGPT PR: 0
File: autogpt_platform/backend/CLAUDE.md:0-0
Timestamp: 2026-02-04T16:50:20.508Z
Learning: Applies to autogpt_platform/backend/backend/api/features/**/*.py : When modifying API routes, update corresponding Pydantic models in the same directory and write tests alongside the route file

Applied to files:

  • autogpt_platform/backend/backend/api/features/chat/routes_test.py
  • autogpt_platform/backend/backend/api/features/workspace/routes_test.py
  • autogpt_platform/backend/backend/api/features/workspace/routes.py
πŸ“š Learning: 2026-02-04T16:49:42.490Z 
Learnt from: CR
Repo: Significant-Gravitas/AutoGPT PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2026-02-04T16:49:42.490Z
Learning: Applies to autogpt_platform/backend/backend/api/features/**/*.py : Update routes in '/backend/backend/api/features/' and add/update Pydantic models in the same directory for API development

Applied to files:

  • autogpt_platform/backend/backend/api/features/chat/routes_test.py
  • autogpt_platform/backend/backend/api/features/workspace/routes_test.py
  • autogpt_platform/backend/backend/api/features/chat/routes.py
  • autogpt_platform/backend/backend/api/features/workspace/routes.py
πŸ“š Learning: 2026-02-26T17:02:22.448Z 
Learnt from: Pwuts
Repo: Significant-Gravitas/AutoGPT PR: 12211
File: .pre-commit-config.yaml:160-179
Timestamp: 2026-02-26T17:02:22.448Z
Learning: Keep the pre-commit hook pattern broad for autogpt_platform/backend to ensure OpenAPI schema changes are captured. Do not narrow to backend/api/ alone, since the generated schema depends on Pydantic models across multiple directories (backend/data/, backend/blocks/, backend/copilot/, backend/integrations/, backend/util/). Narrowing could miss schema changes and cause frontend type desynchronization.

Applied to files:

  • autogpt_platform/backend/backend/api/features/chat/routes_test.py
  • autogpt_platform/backend/backend/api/features/workspace/routes_test.py
  • autogpt_platform/backend/backend/data/workspace.py
  • autogpt_platform/backend/backend/api/features/chat/routes.py
  • autogpt_platform/backend/backend/api/features/workspace/routes.py
πŸ“š Learning: 2026-02-26T21:29:44.094Z 
Learnt from: CR
Repo: Significant-Gravitas/AutoGPT PR: 0
File: autogpt_platform/frontend/CLAUDE.md:0-0
Timestamp: 2026-02-26T21:29:44.094Z
Learning: Applies to autogpt_platform/frontend/**/*.{ts,tsx} : Run `pnpm types` to check for type errors and fix any that appear before completing work

Applied to files:

  • autogpt_platform/frontend/src/app/(platform)/copilot/useCopilotPage.ts
πŸ“š Learning: 2026-02-26T21:29:44.094Z 
Learnt from: CR
Repo: Significant-Gravitas/AutoGPT PR: 0
File: autogpt_platform/frontend/CLAUDE.md:0-0
Timestamp: 2026-02-26T21:29:44.094Z
Learning: Applies to autogpt_platform/frontend/**/*.{ts,tsx,js,jsx} : Run `pnpm lint` to check for lint errors and fix any that appear before completing work

Applied to files:

  • autogpt_platform/frontend/src/app/(platform)/copilot/useCopilotPage.ts
πŸ“š Learning: 2026-02-04T16:49:42.490Z 
Learnt from: CR
Repo: Significant-Gravitas/AutoGPT PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2026-02-04T16:49:42.490Z
Learning: Applies to autogpt_platform/frontend/**/*.{tsx,ts} : Use '<ErrorCard />' component for rendering errors in frontend UI; use toast notifications for mutation errors; use 'Sentry.captureException()' for manual exceptions

Applied to files:

  • autogpt_platform/frontend/src/app/(platform)/copilot/useCopilotPage.ts
πŸ“š Learning: 2026-02-26T21:29:44.094Z 
Learnt from: CR
Repo: Significant-Gravitas/AutoGPT PR: 0
File: autogpt_platform/frontend/CLAUDE.md:0-0
Timestamp: 2026-02-26T21:29:44.094Z
Learning: Applies to autogpt_platform/frontend/src/**/*.{ts,tsx} : Use ErrorCard component for render errors, toast for mutations, and Sentry for exceptions

Applied to files:

  • autogpt_platform/frontend/src/app/(platform)/copilot/useCopilotPage.ts
πŸ“š Learning: 2026-02-26T21:29:44.094Z 
Learnt from: CR
Repo: Significant-Gravitas/AutoGPT PR: 0
File: autogpt_platform/frontend/CLAUDE.md:0-0
Timestamp: 2026-02-26T21:29:44.094Z
Learning: Applies to autogpt_platform/frontend/src/**/*.{ts,tsx} : Use React Query for server state management and co-locate UI state in components/hooks

Applied to files:

  • autogpt_platform/frontend/src/app/(platform)/copilot/useCopilotPage.ts
πŸ“š Learning: 2026-02-04T16:49:42.490Z 
Learnt from: CR
Repo: Significant-Gravitas/AutoGPT PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2026-02-04T16:49:42.490Z
Learning: Applies to autogpt_platform/frontend/**/*.{tsx,ts} : Use React Query for server state (via generated hooks) in frontend development

Applied to files:

  • autogpt_platform/frontend/src/app/(platform)/copilot/useCopilotPage.ts
πŸ“š Learning: 2026-02-26T21:29:27.605Z 
Learnt from: CR
Repo: Significant-Gravitas/AutoGPT PR: 0
File: autogpt_platform/CLAUDE.md:0-0
Timestamp: 2026-02-26T21:29:27.605Z
Learning: Backend is a Python FastAPI server with async support

Applied to files:

  • autogpt_platform/backend/backend/api/features/chat/routes.py
πŸ“š Learning: 2026-02-04T16:50:20.508Z 
Learnt from: CR
Repo: Significant-Gravitas/AutoGPT PR: 0
File: autogpt_platform/backend/CLAUDE.md:0-0
Timestamp: 2026-02-04T16:50:20.508Z
Learning: Applies to autogpt_platform/backend/backend/api/**/*.py : Use FastAPI for building REST and WebSocket endpoints

Applied to files:

  • autogpt_platform/backend/backend/api/features/chat/routes.py
🧬 Code graph analysis (3)
autogpt_platform/backend/backend/api/features/chat/routes_test.py (5)
autogpt_platform/backend/backend/util/service_test.py (1)
  • TestClient (125-167)
autogpt_platform/backend/backend/api/features/workspace/routes_test.py (1)
  • setup_app_auth (39-44)
autogpt_platform/backend/backend/api/conftest.py (1)
  • mock_jwt_user (20-27)
autogpt_platform/autogpt_libs/autogpt_libs/auth/jwt_utils.py (1)
  • get_jwt_payload (19-42)
autogpt_platform/backend/backend/api/features/chat/routes.py (1)
  • create_session (185-211)
autogpt_platform/backend/backend/api/features/workspace/routes_test.py (3)
autogpt_platform/backend/backend/api/conftest.py (1)
  • mock_jwt_user (20-27)
autogpt_platform/autogpt_libs/autogpt_libs/auth/jwt_utils.py (1)
  • get_jwt_payload (19-42)
autogpt_platform/backend/backend/util/workspace.py (1)
  • write_file (151-288)
autogpt_platform/backend/backend/api/features/chat/routes.py (1)
autogpt_platform/backend/backend/data/workspace.py (1)
  • get_or_create_workspace (74-95)

@ntindle @claude
fix(platform): Address second-round review feedback
c15e425 
- Forward only sanitized, workspace-scoped file_ids to executor (not raw input)
- Guard quota math against ZeroDivisionError when storage limit is zero
- Sync backend extension allowlist with frontend (add .tsv, .tiff, .htm, .mkv, .flac, .aac, .m4a, .wma)
- Use explicit 200 assertion in test instead of != 422
- Regenerate OpenAPI schema

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
sentry[bot]
sentry bot reviewed Feb 27, 2026
View reviewed changes
coderabbitai[bot]
coderabbitai bot reviewed Feb 27, 2026
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🧹 Nitpick comments (2)
autogpt_platform/backend/backend/api/features/workspace/routes.py (1)

245-257: Avoid building a second full in-memory copy of the upload payload.

Line 247-257 stores chunks and then joins, which duplicates memory for large files under concurrent uploads. Consider streaming into a bytearray (single buffer growth) or scanning/writing via a temp file abstraction to reduce peak memory.

πŸ€– Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@autogpt_platform/backend/backend/api/features/workspace/routes.py` around
lines 245 - 257, The current upload loop builds a list "chunks" and then does
b"".join(chunks), duplicating memory; replace that with a single growable buffer
(e.g., use a bytearray named "buffer" and call buffer.extend(chunk)" while
keeping the same size check using "total_size" and "max_file_bytes"), or
alternatively stream directly to a temporary file (open a tempfile and write
each chunk) and use that file handle instead of creating "content". Update
references to "chunks" and "content" accordingly (remove the join and use
"buffer" or the temp file path/handle) so peak memory is not duplicated during
concurrent large uploads.
autogpt_platform/frontend/src/app/api/openapi.json (1)

12141-12150: Tighten file_ids item validation in the schema.

maxItems: 20 is good, but item type can also declare UUID semantics to match backend expectations and improve generated client validation.

🧩 Proposed schema refinement 
           "file_ids": {
             "anyOf": [
               {
-                "items": { "type": "string" },
+                "items": { "type": "string", "format": "uuid" },
                 "type": "array",
                 "maxItems": 20
               },
               { "type": "null" }
             ],
             "title": "File Ids"
πŸ€– Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@autogpt_platform/frontend/src/app/api/openapi.json` around lines 12141 -
12150, The file_ids schema currently allows any string items; restrict each item
to UUID form to match backend expectations by updating the "file_ids" property
in openapi.json: change the array "items" descriptor (currently { "type":
"string" }) to require a UUID (e.g., add "format": "uuid" or a UUID "pattern")
while keeping "type":"array" and "maxItems":20 and preserving the null
alternative; target the "file_ids" schema block so generated clients will
validate UUID strings instead of arbitrary text.
πŸ€– Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@autogpt_platform/backend/backend/api/features/workspace/routes.py`:
- Around line 224-225: The session_id query param is used directly when
composing session paths (e.g., the f"/sessions/{session_id}" usage in
WorkspaceManager) which allows path traversal; update the handler and any
WorkspaceManager methods that build session_path to validate and sanitize
session_id first: enforce a strict whitelist (e.g., only alphanumeric, dash,
underscore), enforce a reasonable max length, reject empty or dot-segments, and
normalize by using os.path.basename or pathlib.Path(...).name (or otherwise
strip any slashes) before interpolating into paths; apply the same
validation/sanitization to all places that accept session_id (including the
other occurrences mentioned) and return a 4xx error for invalid session_id
values.
- Around line 31-92: The _ALLOWED_EXTENSIONS set currently includes code/config
and archive types that are outside the feature scope; restrict it to only the
product-scoped categories (documents, spreadsheets, images, audio/video) by
removing code/executable-adjacent extensions (.py, .js, .ts, .sh, .bat, etc.)
and archive types (.zip, .tar, .gz, .7z, .rar) and any config-only formats you
deem risky (.json, .xml, .yaml/.yml, .toml, .ini, .cfg), leaving only safe
document/image/spreadsheet/audio/video extensions in _ALLOWED_EXTENSIONS and
update any related validation/tests/docs to reflect the narrowed allowlist.

In `@autogpt_platform/frontend/src/app/api/openapi.json`:
- Around line 6530-6552: Add the missing HTTP 415 Unsupported Media Type
response to the upload endpoint responses so the OpenAPI contract matches
backend behavior: in the responses object for the operation that currently
references backend__api__features__workspace__routes__UploadFileResponse, add a
"415" entry pointing to a new or existing response component (e.g., "$ref":
"#/components/responses/HTTP415UnsupportedMediaTypeError") or an inline
description/schema describing disallowed extensions; update components/responses
with HTTP415UnsupportedMediaTypeError if needed so the API spec declares
rejection of disallowed file extensions.

---

Nitpick comments:
In `@autogpt_platform/backend/backend/api/features/workspace/routes.py`:
- Around line 245-257: The current upload loop builds a list "chunks" and then
does b"".join(chunks), duplicating memory; replace that with a single growable
buffer (e.g., use a bytearray named "buffer" and call buffer.extend(chunk)"
while keeping the same size check using "total_size" and "max_file_bytes"), or
alternatively stream directly to a temporary file (open a tempfile and write
each chunk) and use that file handle instead of creating "content". Update
references to "chunks" and "content" accordingly (remove the join and use
"buffer" or the temp file path/handle) so peak memory is not duplicated during
concurrent large uploads.

In `@autogpt_platform/frontend/src/app/api/openapi.json`:
- Around line 12141-12150: The file_ids schema currently allows any string
items; restrict each item to UUID form to match backend expectations by updating
the "file_ids" property in openapi.json: change the array "items" descriptor
(currently { "type": "string" }) to require a UUID (e.g., add "format": "uuid"
or a UUID "pattern") while keeping "type":"array" and "maxItems":20 and
preserving the null alternative; target the "file_ids" schema block so generated
clients will validate UUID strings instead of arbitrary text.
ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.

πŸ“₯ Commits

Reviewing files that changed from the base of the PR and between 6c3cc6b and c15e425.

πŸ“’ Files selected for processing (4)
  • autogpt_platform/backend/backend/api/features/chat/routes.py
  • autogpt_platform/backend/backend/api/features/chat/routes_test.py
  • autogpt_platform/backend/backend/api/features/workspace/routes.py
  • autogpt_platform/frontend/src/app/api/openapi.json
🚧 Files skipped from review as they are similar to previous changes (1)
  • autogpt_platform/backend/backend/api/features/chat/routes_test.py
πŸ“œ Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (10)
  • GitHub Check: lint
  • GitHub Check: integration_test
  • GitHub Check: Seer Code Review
  • GitHub Check: types
  • GitHub Check: Cursor Bugbot
  • GitHub Check: end-to-end tests
  • GitHub Check: test (3.11)
  • GitHub Check: Check PR Status
  • GitHub Check: test (3.13)
  • GitHub Check: test (3.12)
🧰 Additional context used
πŸ““ Path-based instructions (6)
autogpt_platform/backend/**/*.py

πŸ“„ CodeRabbit inference engine (.github/copilot-instructions.md)

autogpt_platform/backend/**/*.py: Use Python 3.11 (required; managed by Poetry via pyproject.toml) for backend development
Always run 'poetry run format' (Black + isort) before linting in backend development
Always run 'poetry run lint' (ruff) after formatting in backend development

Files:

  • autogpt_platform/backend/backend/api/features/chat/routes.py
  • autogpt_platform/backend/backend/api/features/workspace/routes.py
autogpt_platform/backend/backend/api/features/**/*.py

πŸ“„ CodeRabbit inference engine (.github/copilot-instructions.md)

Update routes in '/backend/backend/api/features/' and add/update Pydantic models in the same directory for API development

When modifying API routes, update corresponding Pydantic models in the same directory and write tests alongside the route file

Files:

  • autogpt_platform/backend/backend/api/features/chat/routes.py
  • autogpt_platform/backend/backend/api/features/workspace/routes.py
autogpt_platform/backend/**/*.{py,txt}

πŸ“„ CodeRabbit inference engine (autogpt_platform/backend/CLAUDE.md)

Use poetry run prefix for all Python commands, including testing, linting, formatting, and migrations

Files:

  • autogpt_platform/backend/backend/api/features/chat/routes.py
  • autogpt_platform/backend/backend/api/features/workspace/routes.py
autogpt_platform/backend/backend/api/**/*.py

πŸ“„ CodeRabbit inference engine (autogpt_platform/backend/CLAUDE.md)

autogpt_platform/backend/backend/api/**/*.py: Use FastAPI for building REST and WebSocket endpoints
Use JWT-based authentication with Supabase integration

Files:

  • autogpt_platform/backend/backend/api/features/chat/routes.py
  • autogpt_platform/backend/backend/api/features/workspace/routes.py
autogpt_platform/backend/backend/**/*.py

πŸ“„ CodeRabbit inference engine (autogpt_platform/backend/CLAUDE.md)

Use Prisma ORM for database operations in PostgreSQL with pgvector for embeddings

Files:

  • autogpt_platform/backend/backend/api/features/chat/routes.py
  • autogpt_platform/backend/backend/api/features/workspace/routes.py
autogpt_platform/**/*.py

πŸ“„ CodeRabbit inference engine (AGENTS.md)

Format Python code with poetry run format

Files:

  • autogpt_platform/backend/backend/api/features/chat/routes.py
  • autogpt_platform/backend/backend/api/features/workspace/routes.py
🧠 Learnings (7)
πŸ“š Learning: 2026-02-04T16:49:42.490Z 
Learnt from: CR
Repo: Significant-Gravitas/AutoGPT PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2026-02-04T16:49:42.490Z
Learning: Applies to autogpt_platform/backend/backend/api/features/**/*.py : Update routes in '/backend/backend/api/features/' and add/update Pydantic models in the same directory for API development

Applied to files:

  • autogpt_platform/backend/backend/api/features/chat/routes.py
  • autogpt_platform/backend/backend/api/features/workspace/routes.py
  • autogpt_platform/frontend/src/app/api/openapi.json
πŸ“š Learning: 2026-02-04T16:50:20.508Z 
Learnt from: CR
Repo: Significant-Gravitas/AutoGPT PR: 0
File: autogpt_platform/backend/CLAUDE.md:0-0
Timestamp: 2026-02-04T16:50:20.508Z
Learning: Applies to autogpt_platform/backend/backend/api/features/**/*.py : When modifying API routes, update corresponding Pydantic models in the same directory and write tests alongside the route file

Applied to files:

  • autogpt_platform/backend/backend/api/features/chat/routes.py
  • autogpt_platform/backend/backend/api/features/workspace/routes.py
πŸ“š Learning: 2026-02-04T16:49:42.490Z 
Learnt from: CR
Repo: Significant-Gravitas/AutoGPT PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2026-02-04T16:49:42.490Z
Learning: Applies to autogpt_platform/backend/backend/data/**/*.py : All data access in backend requires user ID checks; verify this for any 'data/*.py' changes

Applied to files:

  • autogpt_platform/backend/backend/api/features/chat/routes.py
πŸ“š Learning: 2026-02-04T16:50:51.495Z 
Learnt from: CR
Repo: Significant-Gravitas/AutoGPT PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-02-04T16:50:51.495Z
Learning: Applies to autogpt_platform/**/data/*.py : For changes touching `data/*.py`, validate user ID checks or explain why not needed

Applied to files:

  • autogpt_platform/backend/backend/api/features/chat/routes.py
πŸ“š Learning: 2026-02-26T21:29:27.605Z 
Learnt from: CR
Repo: Significant-Gravitas/AutoGPT PR: 0
File: autogpt_platform/CLAUDE.md:0-0
Timestamp: 2026-02-26T21:29:27.605Z
Learning: Backend is a Python FastAPI server with async support

Applied to files:

  • autogpt_platform/backend/backend/api/features/chat/routes.py
πŸ“š Learning: 2026-02-04T16:50:20.508Z 
Learnt from: CR
Repo: Significant-Gravitas/AutoGPT PR: 0
File: autogpt_platform/backend/CLAUDE.md:0-0
Timestamp: 2026-02-04T16:50:20.508Z
Learning: Applies to autogpt_platform/backend/backend/api/**/*.py : Use FastAPI for building REST and WebSocket endpoints

Applied to files:

  • autogpt_platform/backend/backend/api/features/chat/routes.py
πŸ“š Learning: 2026-02-26T17:02:22.448Z 
Learnt from: Pwuts
Repo: Significant-Gravitas/AutoGPT PR: 12211
File: .pre-commit-config.yaml:160-179
Timestamp: 2026-02-26T17:02:22.448Z
Learning: Keep the pre-commit hook pattern broad for autogpt_platform/backend to ensure OpenAPI schema changes are captured. Do not narrow to backend/api/ alone, since the generated schema depends on Pydantic models across multiple directories (backend/data/, backend/blocks/, backend/copilot/, backend/integrations/, backend/util/). Narrowing could miss schema changes and cause frontend type desynchronization.

Applied to files:

  • autogpt_platform/backend/backend/api/features/chat/routes.py
  • autogpt_platform/backend/backend/api/features/workspace/routes.py
πŸ”‡ Additional comments (6)
autogpt_platform/backend/backend/api/features/chat/routes.py (2)

86-88: Good request-boundary hardening for file_ids.

StreamChatRequest.file_ids now has a bounded list size, which is a solid guardrail against oversized attachment lists.

404-492: Sanitization and workspace scoping are correctly enforced before downstream propagation.

The Line 414 UUID filtering + Line 419-425 workspace-scoped batch query + Line 491 sanitized forwarding closes the prior trust-boundary gap cleanly.

autogpt_platform/backend/backend/api/features/workspace/routes.py (1)

294-307: Post-write quota recheck with rollback is a solid concurrency safeguard.

The check-after-write and soft-delete path is a good pragmatic fix for quota races under concurrent uploads.

autogpt_platform/frontend/src/app/api/openapi.json (3)

2042-2044: Good schema ref migration for legacy upload endpoint.

The response now points to the namespaced upload response model, which keeps the contract explicit and avoids ambiguity.

6589-6612: Workspace storage usage endpoint contract looks solid.

Path, auth, and response schema wiring are consistent.

7850-7857: Nice addition of supporting workspace schemas.

The multipart body schema, storage usage response model, and the two upload response models are coherently defined and referenced.

Also applies to: 11682-11692, 14061-14090

@github-actions github-actions bot mentioned this pull request Feb 27, 2026
Merged
6 tasks
@github-actions github-actions bot mentioned this pull request Feb 27, 2026
Merged
6 tasks
@ntindle @claude
fix(frontend): Remove placeholder text leak and fix filename regex in…
d29eea6 
… copilot chat

Remove "(attached files)" placeholder that was rendering in the chat bubble
for file-only messages, and switch FILE_LINE_RE to greedy matching so
filenames containing parentheses (e.g. "image (1).png") parse correctly.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
cursor[bot]
cursor bot reviewed Mar 2, 2026
View reviewed changes
Copy link

@cursor cursor bot left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 2 potential issues.

Autofix Details

Bugbot Autofix prepared fixes for both issues found in the latest run.

  • βœ… Fixed: Proxy rejects file-only sends due to empty message
    • Changed the message guard from !message to message === undefined to allow empty string messages for file-only sends.
  • βœ… Fixed: Pending message effect skips file-only new-session sends
    • Changed the pendingMessage guard from !pendingMessage to pendingMessage === null to allow empty string pending messages for file-only new-session sends.

Create PR

Or push these changes by commenting:

@cursor push 411271074f
Preview (411271074f) 
diff --git a/autogpt_platform/frontend/src/app/(platform)/copilot/useCopilotPage.ts b/autogpt_platform/frontend/src/app/(platform)/copilot/useCopilotPage.ts
--- a/autogpt_platform/frontend/src/app/(platform)/copilot/useCopilotPage.ts
+++ b/autogpt_platform/frontend/src/app/(platform)/copilot/useCopilotPage.ts
@@ -331,7 +331,7 @@
   }, [sessionId, setMessages]);
 
   useEffect(() => {
-    if (!sessionId || !pendingMessage) return;
+    if (!sessionId || pendingMessage === null) return;
     const msg = pendingMessage;
     const files = pendingFilesRef.current;
     setPendingMessage(null);

diff --git a/autogpt_platform/frontend/src/app/api/chat/sessions/[sessionId]/stream/route.ts b/autogpt_platform/frontend/src/app/api/chat/sessions/[sessionId]/stream/route.ts
--- a/autogpt_platform/frontend/src/app/api/chat/sessions/[sessionId]/stream/route.ts
+++ b/autogpt_platform/frontend/src/app/api/chat/sessions/[sessionId]/stream/route.ts
@@ -27,7 +27,7 @@
     const body = await request.json();
     const { message, is_user_message, context, file_ids } = body;
 
-    if (!message) {
+    if (message === undefined) {
       return new Response(
         JSON.stringify({ error: "Missing message parameter" }),
         { status: 400, headers: { "Content-Type": "application/json" } },
This Bugbot Autofix run was free. To enable autofix for future PRs, go to the Cursor dashboard.

This was referenced Mar 3, 2026
Merged
Closed
@github-actions github-actions bot added the conflicts Automatically applied to PRs with merge conflicts label Mar 3, 2026
@github-actions
Copy link
Contributor

github-actions bot commented Mar 3, 2026

This pull request has conflicts with the base branch, please resolve those so we can evaluate the pull request.

This was referenced Mar 3, 2026
Merged
Merged
Merged
@ntindle @claude
fix(frontend): Merge dev and fix empty-message guards for file-only s…
74f0506 
…ends

Merge origin/dev, resolving conflicts in ChatMessagesContainer (adopt
extracted MessagePartRenderer) and useCopilotPage (keep file-upload state
alongside extracted stream/UI-store hooks).

Also fix empty-message guards: use `pendingMessage === null` and
`message === undefined` so that empty-string text from file-only sends
is not rejected.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@github-actions github-actions bot removed the conflicts Automatically applied to PRs with merge conflicts label Mar 3, 2026
@github-actions
Copy link
Contributor

github-actions bot commented Mar 3, 2026

Conflicts have been resolved! πŸŽ‰ A maintainer will review the pull request shortly.

ntindle and others added 2 commits March 3, 2026 12:29
@ntindle @claude
fix(platform): Pass file_ids in direct transport, add extensionless u…
9d2245a 
…pload test, fix coroutine warning

- useCopilotStream: Extract file_ids from FileUIPart URLs in
  prepareSendMessagesRequest so the backend receives attached file
  references (regression from proxy β†’ direct transport refactor).
- routes_test: Add test for uploading files without an extension.
- processor: Capture coroutine before scheduling to prevent
  "coroutine was never awaited" RuntimeWarning on cleanup.
- routes: Hoist local imports to module level (auto-formatted).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@ntindle @claude
fix(frontend): Bypass Vercel proxy for file uploads to avoid 4.5 MB p…
9aa032e 
…ayload limit

Upload files directly to the Python backend instead of routing through
the Next.js /api/workspace/files/upload proxy. Vercel's serverless
function payload limit (4.5 MB) was rejecting files larger than that
with FUNCTION_PAYLOAD_TOO_LARGE. Uses the same direct-backend auth
pattern as useCopilotStream.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@github-actions
Copy link
Contributor

github-actions bot commented Mar 3, 2026

πŸ” PR Overlap Detection

This check compares your PR against all other open PRs targeting the same branch to detect potential merge conflicts early.

πŸ”΄ Merge Conflicts Detected

The following PRs have been tested and will have merge conflicts if merged after this PR. Consider coordinating with the authors.

  • Fix CoPilot stop button by cancelling backend chat streamΒ #12116 (Deeven-Seru Β· updated 4d ago)

    • πŸ“ autogpt_platform/
      • backend/Dockerfile (3 conflicts, ~76 lines)
      • backend/backend/api/features/builder/db.py (2 conflicts, ~8 lines)
      • backend/backend/api/features/chat/model_test.py (deleted here, modified there)
      • backend/backend/api/features/chat/routes.py (9 conflicts, ~456 lines)
      • backend/backend/api/features/chat/service_test.py (deleted here, modified there)
      • backend/backend/api/features/chat/tools/find_block_test.py (deleted here, modified there)
      • backend/backend/api/features/chat/tools/run_block_test.py (deleted here, modified there)
      • backend/backend/api/features/chat/tools/workspace_files.py (deleted here, modified there)
      • backend/backend/api/features/library/db.py (1 conflict, ~19 lines)
      • backend/backend/copilot/config.py (2 conflicts, ~9 lines)
      • backend/backend/copilot/model.py (10 conflicts, ~400 lines)
      • backend/backend/copilot/response_model.py (1 conflict, ~5 lines)
      • backend/backend/copilot/service.py (3 conflicts, ~376 lines)
      • backend/backend/copilot/stream_registry.py (4 conflicts, ~130 lines)
      • backend/backend/copilot/tools/__init__.py (1 conflict, ~4 lines)
      • backend/backend/copilot/tools/agent_generator/dummy.py (2 conflicts, ~33 lines)
      • backend/backend/copilot/tools/agent_generator/service.py (2 conflicts, ~12 lines)
      • backend/backend/copilot/tools/bash_exec.py (1 conflict, ~20 lines)
      • backend/backend/copilot/tools/check_operation_status.py (added there)
      • backend/backend/copilot/tools/feature_requests.py (9 conflicts, ~79 lines)
      • backend/backend/copilot/tools/feature_requests_test.py (8 conflicts, ~59 lines)
      • backend/backend/copilot/tools/find_block.py (1 conflict, ~6 lines)
      • backend/backend/copilot/tools/models.py (3 conflicts, ~37 lines)
      • backend/backend/copilot/tools/run_block.py (1 conflict, ~14 lines)
      • backend/backend/copilot/tools/sandbox.py (3 conflicts, ~24 lines)
      • backend/backend/copilot/tools/test_run_block_details.py (4 conflicts, ~20 lines)
      • backend/backend/copilot/tools/web_fetch.py (1 conflict, ~18 lines)
      • backend/backend/util/settings.py (1 conflict, ~5 lines)
      • backend/backend/util/test.py (1 conflict, ~4 lines)
      • backend/poetry.lock (3 conflicts, ~23 lines)
      • backend/pyproject.toml (1 conflict, ~5 lines)
      • frontend/src/app/(platform)/build/components/NewControlPanel/NewBlockMenu/Block.tsx (1 conflict, ~8 lines)
      • frontend/src/app/(platform)/build/components/legacy-builder/Flow/Flow.tsx (deleted here, modified there)
      • frontend/src/app/(platform)/copilot/components/ChatMessagesContainer/ChatMessagesContainer.tsx (5 conflicts, ~194 lines)
      • frontend/src/app/(platform)/copilot/tools/CreateAgent/CreateAgent.tsx (6 conflicts, ~181 lines)
      • frontend/src/app/(platform)/copilot/tools/GenericTool/GenericTool.tsx (3 conflicts, ~813 lines)
      • frontend/src/app/(platform)/copilot/tools/RunBlock/RunBlock.tsx (2 conflicts, ~11 lines)
      • frontend/src/app/(platform)/copilot/useCopilotPage.ts (4 conflicts, ~95 lines)
      • frontend/src/app/api/chat/sessions/[sessionId]/stream/route.ts (1 conflict, ~19 lines)
      • frontend/src/app/api/chat/tasks/[taskId]/stream/route.ts (deleted here, modified there)
      • frontend/src/app/api/openapi.json (4 conflicts, ~54 lines)
      • frontend/src/app/globals.css (1 conflict, ~8 lines)
      • frontend/src/tests/pages/build.page.ts (1 conflict, ~15 lines)

  • feat(platform): switch builder file inputs from base64 to workspace uploadsΒ #12226 (Abhi1992002 Β· updated 2h ago)

    • πŸ“ autogpt_platform/
      • backend/backend/api/features/workspace/routes.py (3 conflicts, ~205 lines)
      • backend/backend/api/features/workspace/routes_test.py (4 conflicts, ~516 lines)
      • frontend/src/app/api/openapi.json (6 conflicts, ~134 lines)

  • refactor(backend): Merge autogpt_libs into backend packageΒ #12074 (Otto-AGPT Β· updated 4d ago)

    • autogpt_platform/autogpt_libs/poetry.lock (modified here, deleted there)
    • autogpt_platform/autogpt_libs/pyproject.toml (modified here, deleted there)
    • autogpt_platform/backend/Dockerfile (1 conflict, ~10 lines)
    • autogpt_platform/backend/backend/api/features/chat/routes.py (4 conflicts, ~77 lines)
    • autogpt_platform/backend/backend/api/features/workspace/routes.py (2 conflicts, ~22 lines)
    • autogpt_platform/backend/backend/api/rest_api.py (1 conflict, ~11 lines)
    • autogpt_platform/backend/backend/blocks/data_manipulation.py (1 conflict, ~473 lines)
    • autogpt_platform/backend/backend/copilot/response_model.py (1 conflict, ~5 lines)
    • autogpt_platform/backend/backend/copilot/stream_registry.py (1 conflict, ~5 lines)
    • autogpt_platform/backend/backend/copilot/tools/run_block.py (1 conflict, ~31 lines)
    • autogpt_platform/backend/backend/integrations/credentials_store.py (1 conflict, ~13 lines)
    • autogpt_platform/backend/poetry.lock (2 conflicts, ~36 lines)
    • autogpt_platform/frontend/src/app/(platform)/copilot/components/ChatMessagesContainer/ChatMessagesContainer.tsx (3 conflicts, ~66 lines)
    • autogpt_platform/frontend/src/app/(platform)/copilot/tools/CreateAgent/CreateAgent.tsx (2 conflicts, ~10 lines)
    • autogpt_platform/frontend/src/app/api/chat/sessions/[sessionId]/stream/route.ts (1 conflict, ~19 lines)
    • autogpt_platform/frontend/src/app/api/chat/tasks/[taskId]/stream/route.ts (deleted here, modified there)
    • docs/integrations/README.md (1 conflict, ~6 lines)

  • feat(copilot): UX improvementsΒ #12258 (kcze Β· updated 2h ago)

    • πŸ“ autogpt_platform/
      • backend/backend/api/features/chat/routes.py (1 conflict, ~6 lines)
      • backend/backend/api/features/chat/routes_test.py (3 conflicts, ~344 lines)
      • frontend/src/app/(platform)/copilot/components/ChatSidebar/ChatSidebar.tsx (1 conflict, ~5 lines)
      • frontend/src/app/(platform)/copilot/useCopilotPage.ts (4 conflicts, ~195 lines)

  • chore(frontend): Fix react-doctor warnings + add CI jobΒ #12163 (0ubbe Β· updated 3d ago)

    • πŸ“ autogpt_platform/frontend/src/app/(platform)/copilot/
      • components/ChatContainer/ChatContainer.tsx (1 conflict, ~91 lines)
      • components/ChatMessagesContainer/ChatMessagesContainer.tsx (2 conflicts, ~234 lines)
      • components/EmptySession/EmptySession.tsx (1 conflict, ~66 lines)
      • tools/RunAgent/components/AgentDetailsCard/AgentDetailsCard.tsx (2 conflicts, ~119 lines)

  • feat(frontend/copilot): collapse repeated block executions into grouped summary rowsΒ #12259 (0ubbe Β· updated 2h ago)

    • πŸ“ autogpt_platform/frontend/src/app/
      • (platform)/copilot/components/ChatMessagesContainer/ChatMessagesContainer.tsx (2 conflicts, ~44 lines)
      • (platform)/copilot/components/ChatMessagesContainer/components/MessagePartRenderer.tsx (1 conflict, ~8 lines)
      • (platform)/copilot/components/ChatMessagesContainer/components/ThinkingIndicator.tsx (3 conflicts, ~46 lines)
      • (platform)/copilot/useCopilotPage.ts (2 conflicts, ~172 lines)
      • (platform)/copilot/useCopilotStream.ts (4 conflicts, ~28 lines)
      • api/chat/sessions/[sessionId]/stream/route.ts (1 conflict, ~15 lines)

  • feat(frontend): Show thinking indicator between CoPilot tool callsΒ #12203 (Otto-AGPT Β· updated 5d ago)

    • πŸ“ autogpt_platform/frontend/src/app/(platform)/copilot/components/ChatMessagesContainer/
      • ChatMessagesContainer.tsx (4 conflicts, ~170 lines)

  • feat(backend/copilot): async polling for agent-generator + SSE auto-reconnectΒ #12199 (majdyz Β· updated 5d ago)

    • πŸ“ autogpt_platform/frontend/src/app/(platform)/copilot/
      • useCopilotPage.ts (1 conflict, ~117 lines)

  • feat(frontend/copilot): add text-to-speech and share output actionsΒ #12256 (0ubbe Β· updated 2h ago)

    • πŸ“ autogpt_platform/frontend/src/app/(platform)/copilot/components/ChatMessagesContainer/
      • ChatMessagesContainer.tsx (2 conflicts, ~34 lines)

  • feat(frontend/copilot): add output action buttons (upvote, downvote) with Langfuse feedbackΒ #12260 (0ubbe Β· updated 5h ago)

    • πŸ“ autogpt_platform/frontend/src/app/(platform)/copilot/components/ChatMessagesContainer/
      • ChatMessagesContainer.tsx (3 conflicts, ~29 lines)

🟒 Low Risk β€” File Overlap Only

These PRs touch the same files but different sections (click to expand)

Summary: 10 conflict(s), 0 medium risk, 8 low risk (out of 18 PRs with file overlap)

Auto-generated on push. Ignores: openapi.json, lock files.

cursor[bot]
cursor bot reviewed Mar 3, 2026
View reviewed changes
Copy link

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

@ntindle @claude
fix(backend): Fix chat route test mock targets after import hoisting
8d3b95d 
Patch targets changed from source module to usage module since
get_or_create_workspace is now a module-level import in routes.py.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@github-project-automation github-project-automation bot moved this from πŸ†• Needs initial review to πŸ‘πŸΌ Mergeable in AutoGPT development kanban Mar 3, 2026
@ntindle ntindle enabled auto-merge March 3, 2026 20:21
@ntindle ntindle added this pull request to the merge queue Mar 3, 2026
Merged via the queue into dev with commit 757ec1f Mar 3, 2026
30 checks passed
@ntindle ntindle deleted the ntindle/file-upload branch March 3, 2026 20:39
@github-project-automation github-project-automation bot moved this to Done in Frontend Mar 3, 2026
@github-project-automation github-project-automation bot moved this from πŸ‘πŸΌ Mergeable to βœ… Done in AutoGPT development kanban Mar 3, 2026
This was referenced Mar 4, 2026
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@cursor cursor[bot] cursor[bot] left review comments

@Torantulino Torantulino Torantulino approved these changes

@Pwuts Pwuts Awaiting requested review from Pwuts Pwuts is a code owner automatically assigned from Significant-Gravitas/maintainers

@kcze kcze Awaiting requested review from kcze kcze is a code owner automatically assigned from Significant-Gravitas/maintainers

+2 more reviewers

@sentry sentry[bot] sentry[bot] left review comments

@autogpt-reviewer autogpt-reviewer autogpt-reviewer left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

platform/backend AutoGPT Platform - Back end platform/frontend AutoGPT Platform - Front end size/xl

Projects

AutoGPT development kanban
Status: βœ… Done
Frontend
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ntindle @Torantulino @autogpt-reviewer