ofiere-openclaw-plugin 4.15.0 → 4.16.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ofiere-openclaw-plugin",
-  "version": "4.15.0",
+  "version": "4.16.0",
   "type": "module",
   "description": "OpenClaw plugin for Ofiere PM - 11 meta-tools covering tasks, agents, projects, scheduling, knowledge, workflows, notifications, memory, prompts, constellation, and space file management",
   "keywords": ["openclaw", "ofiere", "project-management", "agents", "plugin"],

package/src/tools.ts

@@ -3234,19 +3234,62 @@ function registerFileOps(
 
 // ── File Ops helpers ─────────────────────────────────────────────────────────
 
+/** MIME types allowed by the space-files storage bucket. */
+const ALLOWED_STORAGE_MIMES = new Set([
+  "image/png", "image/jpeg", "image/gif", "image/webp", "image/svg+xml",
+  "video/mp4", "video/webm", "video/quicktime",
+  "audio/mpeg", "audio/wav", "audio/ogg",
+  "application/pdf", "text/plain", "text/markdown", "text/csv",
+  "text/html", "text/css", "application/json",
+  "application/javascript", "text/javascript", "application/typescript",
+  "application/zip", "application/x-tar", "application/gzip",
+  "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
+  "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
+  "application/vnd.openxmlformats-officedocument.presentationml.presentation",
+  "application/octet-stream",
+]);
+
+/**
+ * Simple FNV-1a 32-bit hash → 8-char hex string.
+ * Used to generate stable, short slugs from non-ASCII filenames.
+ */
+function fnv1aHash(str: string): string {
+  let hash = 0x811c9dc5;
+  for (let i = 0; i < str.length; i++) {
+    hash ^= str.charCodeAt(i);
+    hash = (hash * 0x01000193) >>> 0;
+  }
+  return hash.toString(16).padStart(8, "0");
+}
+
 /**
  * Sanitize a filename for safe use as a Supabase storage object key.
- * Strips characters that break storage APIs (parens, em-dashes, exclamation marks, etc.)
- * while preserving extension and readability. The original filename is kept in DB metadata.
+ * Strips characters that break storage APIs while preserving extension and readability.
+ * For Unicode-heavy filenames, generates a hash-based slug to maintain uniqueness.
+ * The original filename is always kept in DB metadata.
  */
 function sanitizeStorageFileName(fileName: string): string {
-  // Replace spaces with hyphens, strip anything not alphanumeric, hyphen, underscore, or dot
-  return fileName
+  // Split extension from stem
+  const dotIdx = fileName.lastIndexOf(".");
+  const stem = dotIdx > 0 ? fileName.slice(0, dotIdx) : fileName;
+  const ext = dotIdx > 0 ? fileName.slice(dotIdx) : ""; // includes dot
+
+  // Sanitize stem: spaces → hyphens, strip non-ASCII/non-safe chars
+  let safeStem = stem
     .replace(/\s+/g, "-")
-    .replace(/[^a-zA-Z0-9._-]/g, "")
-    .replace(/-{2,}/g, "-")     // collapse multiple hyphens
-    .replace(/^-+|-+$/g, "")    // trim leading/trailing hyphens
-    || "file";                   // fallback if everything was stripped
+    .replace(/[^a-zA-Z0-9_-]/g, "")
+    .replace(/-{2,}/g, "-")
+    .replace(/^-+|-+$/g, "");
+
+  // If stem collapsed (e.g. all Unicode), generate hash-based slug for traceability
+  if (safeStem.length < 3) {
+    safeStem = `f-${fnv1aHash(stem)}`;
+  }
+
+  // Sanitize extension too (should be safe but belt-and-suspenders)
+  const safeExt = ext.replace(/[^a-zA-Z0-9.]/g, "");
+
+  return `${safeStem}${safeExt}` || "file";
 }
 
 // ── File Ops handlers ────────────────────────────────────────────────────────
@@ -3408,6 +3451,7 @@ async function handleUploadFile(
 
     // Auto-detect MIME from extension if not explicitly provided
     let mimeType = params.file_type as string;
+    let mimeWarning: string | undefined;
     if (!mimeType) {
       const ext = fileName.split(".").pop()?.toLowerCase() || "";
       const binaryMimeMap: Record<string, string> = {
@@ -3428,6 +3472,10 @@ async function handleUploadFile(
         yml: "text/yaml", xml: "text/xml",
       };
       mimeType = binaryMimeMap[ext] || "application/octet-stream";
+    } else if (!ALLOWED_STORAGE_MIMES.has(mimeType)) {
+      // Explicit MIME not in bucket allowlist → fall back to octet-stream to prevent upload rejection
+      mimeWarning = `Requested MIME "${mimeType}" is not in storage allowlist — stored as application/octet-stream. The original type is preserved in file metadata.`;
+      mimeType = "application/octet-stream";
     }
 
     const safeFileName = sanitizeStorageFileName(fileName);
@@ -3439,6 +3487,10 @@ async function handleUploadFile(
 
     if (uploadErr) return err(`Storage upload failed: ${uploadErr.message}`);
 
+    // Store the originally-requested MIME type in DB (for downstream consumers),
+    // but use the storage-safe MIME for the actual upload
+    const dbMimeType = (params.file_type as string) || mimeType;
+
     const { data, error } = await supabase
       .from("pm_space_files")
       .insert({
@@ -3446,7 +3498,7 @@ async function handleUploadFile(
         space_id: spaceId,
         folder_id: (params.folder_id as string) || null,
         file_name: fileName,
-        file_type: mimeType,
+        file_type: dbMimeType,
         file_size: bytes.length,
         storage_path: storagePath,
         is_shared: false,
@@ -3456,7 +3508,12 @@ async function handleUploadFile(
       .single();
 
     if (error) return err(error.message);
-    return ok({ message: `File "${fileName}" uploaded (${bytes.length} bytes)`, file: data });
+    const result: Record<string, unknown> = {
+      message: `File "${fileName}" uploaded (${bytes.length} bytes)`,
+      file: data,
+    };
+    if (mimeWarning) result.warning = mimeWarning;
+    return ok(result);
   } catch (e) { return err(e instanceof Error ? e.message : String(e)); }
 }