feat(chat): support zip uploads as virtual folders in the copilot VFS

Accept .zip chat attachments and present each archive as a virtual folder the
agent lists and reads entry-by-entry. The archive is stored once; entries are
extracted lazily on read, reusing the existing file-parsers and zip-bomb /
zip-slip guards. No changes to the Go copilot service.

- allow zip in the attachment allowlist + chat accept attribute
- shared lib/uploads/archive.ts (factored from the file-manage decompress route)
- split readFileRecord into a pure renderFileBuffer reused for in-zip entries
- single-resolve readChatUploadPath/grepChatUploadPath dispatchers + VFS routing
- inline file tree in the upload context message

Author: waleedlatif1

apps/sim/app/api/tools/file/manage/route.ts

@@ -1,5 +1,4 @@
 import { Buffer, isUtf8 } from 'buffer'
-import type { Readable } from 'stream'
 import { AuditAction, AuditResourceType, recordAudit } from '@sim/audit'
 import { createLogger } from '@sim/logger'
 import { getErrorMessage } from '@sim/utils/errors'
@@ -21,6 +20,16 @@ import {
   ShareValidationError,
   upsertFileShare,
 } from '@/lib/public-shares/share-manager'
+import {
+  inflateEntryWithinCaps,
+  isSymlinkEntry,
+  MAX_ARCHIVE_BYTES as MAX_DECOMPRESS_ARCHIVE_BYTES,
+  MAX_ARCHIVE_ENTRIES as MAX_DECOMPRESS_ENTRIES,
+  MAX_ARCHIVE_ENTRY_BYTES as MAX_DECOMPRESS_ENTRY_BYTES,
+  MAX_ARCHIVE_TOTAL_BYTES as MAX_DECOMPRESS_TOTAL_BYTES,
+  readEntryUncompressedSize,
+  sanitizeArchiveEntryPath,
+} from '@/lib/uploads/archive'
 import { ensureWorkspaceFileFolderPath } from '@/lib/uploads/contexts/workspace/workspace-file-folder-manager'
 import {
   fetchWorkspaceFileBuffer,
@@ -199,102 +208,6 @@ const uniqueZipEntryName = (name: string, usedNames: Set<string>): string => {
   return candidate
 }
 
-/** Input archive download cap for the decompress operation. */
-const MAX_DECOMPRESS_ARCHIVE_BYTES = 100 * 1024 * 1024
-/** Maximum number of entries extracted from a single archive. */
-const MAX_DECOMPRESS_ENTRIES = 1000
-/** Maximum uncompressed size for any single archive entry. */
-const MAX_DECOMPRESS_ENTRY_BYTES = 100 * 1024 * 1024
-/** Maximum total uncompressed size across all entries, to bound zip-bomb expansion. */
-const MAX_DECOMPRESS_TOTAL_BYTES = 200 * 1024 * 1024
-
-const S_IFMT = 0o170000
-const S_IFLNK = 0o120000
-
-/**
- * Read a zip entry's declared uncompressed size without materializing it. This
- * value comes straight from the (attacker-controlled) ZIP metadata, so it is only
- * usable as a cheap fast-reject for honestly-declared archives — never as the
- * authoritative cap. {@link inflateEntryWithinCaps} enforces the real limit on the
- * inflated byte stream.
- */
-const readEntryUncompressedSize = (entry: JSZip.JSZipObject): number | undefined => {
-  const data = (entry as JSZip.JSZipObject & { _data?: { uncompressedSize?: number } })._data
-  const size = data?.uncompressedSize
-  return typeof size === 'number' && Number.isFinite(size) ? size : undefined
-}
-
-type InflateResult = { ok: true; buffer: Buffer } | { ok: false; reason: 'entry' | 'total' }
-
-/**
- * Inflate a single zip entry through a streaming counting sink, tearing the
- * stream down the moment cumulative output would exceed the per-entry cap or the
- * remaining total budget. The declared uncompressed size in the ZIP header is
- * attacker-controlled and is NOT trusted here: a forged-small or absent size
- * cannot cause the full (potentially gigabyte-scale) entry to be materialized in
- * memory, because enforcement happens on the actual inflated bytes as they
- * arrive. Peak memory is bounded by the cap plus one DEFLATE chunk.
- */
-const inflateEntryWithinCaps = (
-  entry: JSZip.JSZipObject,
-  remainingTotalBudget: number
-): Promise<InflateResult> =>
-  new Promise((resolve, reject) => {
-    const chunks: Buffer[] = []
-    let size = 0
-    let settled = false
-    const stream = entry.nodeStream() as Readable
-
-    const settle = (result: InflateResult) => {
-      if (settled) return
-      settled = true
-      stream.destroy()
-      resolve(result)
-    }
-
-    stream.on('data', (chunk: Buffer) => {
-      size += chunk.length
-      if (size > MAX_DECOMPRESS_ENTRY_BYTES) {
-        settle({ ok: false, reason: 'entry' })
-        return
-      }
-      if (size > remainingTotalBudget) {
-        settle({ ok: false, reason: 'total' })
-        return
-      }
-      chunks.push(chunk)
-    })
-    stream.on('end', () => settle({ ok: true, buffer: Buffer.concat(chunks, size) }))
-    stream.on('error', (error) => {
-      if (settled) return
-      settled = true
-      stream.destroy()
-      reject(error)
-    })
-  })
-
-/** True when a zip entry's unix mode marks it as a symlink (never extracted). */
-const isSymlinkEntry = (entry: JSZip.JSZipObject): boolean => {
-  const mode = (entry as JSZip.JSZipObject & { unixPermissions?: number | null }).unixPermissions
-  return typeof mode === 'number' && (mode & S_IFMT) === S_IFLNK
-}
-
-/**
- * Normalize a zip entry path into safe workspace folder segments, guarding against
- * zip-slip. Returns null for traversal (`..`), so the entry is skipped rather than
- * written outside its intended location.
- */
-const sanitizeArchiveEntryPath = (rawPath: string): string[] | null => {
-  const segments = rawPath
-    .replace(/\\/g, '/')
-    .split('/')
-    .map((segment) => segment.trim())
-    .filter((segment) => segment.length > 0 && segment !== '.')
-
-  if (segments.length === 0 || segments.includes('..')) return null
-  return segments
-}
-
 const isLikelyTextBuffer = (buffer: Buffer): boolean => isUtf8(buffer) && !buffer.includes(0)
 
 /**

apps/sim/lib/copilot/chat/payload.ts

@@ -7,13 +7,20 @@ import type { VfsSnapshotV1 } from '@/lib/copilot/generated/vfs-snapshot-v1'
 import { getExposedIntegrationTools } from '@/lib/copilot/integration-tools'
 import { getToolEntry } from '@/lib/copilot/tool-executor/router'
 import { getCopilotToolDescription } from '@/lib/copilot/tools/descriptions'
+import {
+  type ChatUploadArchiveEntry,
+  listChatUploadArchiveEntries,
+} from '@/lib/copilot/tools/handlers/upload-file-reader'
 import { encodeVfsSegment } from '@/lib/copilot/vfs/path-utils'
 import { isE2BDocEnabled, isHosted } from '@/lib/core/config/env-flags'
 import { buildUserSkillTool } from '@/lib/mothership/skills'
 import { trackChatUpload } from '@/lib/uploads/contexts/workspace/workspace-file-manager'
+import { isArchiveFileName } from '@/lib/uploads/utils/file-utils'
 import { stripVersionSuffix } from '@/tools/utils'
 
 const logger = createLogger('CopilotChatPayload')
+/** Max archive entries listed inline in the upload context before truncating. */
+const MAX_UPLOAD_TREE_ENTRIES = 50
 const INTEGRATION_TOOL_SCHEMA_CACHE_TTL_MS = 5_000
 const INTEGRATION_TOOL_SCHEMA_CACHE_MAX_ENTRIES = 500
 
@@ -297,15 +304,56 @@ export async function buildCopilotRequestPayload(
         } catch {
           encodedUploadName = displayName
         }
-        const lines = [
-          `File "${displayName}" (${mediaType}, ${f.size} bytes) uploaded.`,
-          `Read with: read("uploads/${encodedUploadName}")`,
-          `To save permanently: materialize_file(fileName: "${displayName}")`,
-        ]
-        if (displayName.endsWith('.json')) {
-          lines.push(
-            `To import as a workflow: materialize_file(fileName: "${displayName}", operation: "import")`
-          )
+        let lines: string[]
+        if (isArchiveFileName(displayName)) {
+          // An archive is presented as a virtual folder. Show a capped file tree
+          // up front so the agent sees the contents without a glob round-trip;
+          // degrade to a glob hint if the tree can't be built (never block send).
+          let entries: ChatUploadArchiveEntry[] | null = null
+          try {
+            entries = await listChatUploadArchiveEntries(displayName, chatId)
+          } catch (treeErr) {
+            logger.warn('Failed to build archive upload tree', {
+              filename,
+              chatId,
+              error: toError(treeErr).message,
+            })
+          }
+          if (entries && entries.length > 0) {
+            const shown = entries.slice(0, MAX_UPLOAD_TREE_ENTRIES)
+            const treeLines = shown.map((entry) => `  ${entry.path}`)
+            if (entries.length > MAX_UPLOAD_TREE_ENTRIES) {
+              treeLines.push(`  … and ${entries.length - MAX_UPLOAD_TREE_ENTRIES} more`)
+            }
+            lines = [
+              `Archive "${displayName}" (${mediaType}, ${f.size} bytes) uploaded — ${
+                entries.length
+              } file${entries.length === 1 ? '' : 's'}:`,
+              ...treeLines,
+              '',
+              `List entries with: glob("uploads/${encodedUploadName}/*")`,
+              `Read an entry with: read("uploads/${encodedUploadName}/<path>")`,
+              `To save the archive permanently: materialize_file(fileName: "${displayName}")`,
+            ]
+          } else {
+            lines = [
+              `Archive "${displayName}" (${mediaType}, ${f.size} bytes) uploaded.`,
+              `List entries with: glob("uploads/${encodedUploadName}/*")`,
+              `Read an entry with: read("uploads/${encodedUploadName}/<path>")`,
+              `To save the archive permanently: materialize_file(fileName: "${displayName}")`,
+            ]
+          }
+        } else {
+          lines = [
+            `File "${displayName}" (${mediaType}, ${f.size} bytes) uploaded.`,
+            `Read with: read("uploads/${encodedUploadName}")`,
+            `To save permanently: materialize_file(fileName: "${displayName}")`,
+          ]
+          if (displayName.endsWith('.json')) {
+            lines.push(
+              `To import as a workflow: materialize_file(fileName: "${displayName}", operation: "import")`
+            )
+          }
         }
         uploadContexts.push({
           type: 'uploaded_file',

apps/sim/lib/copilot/tools/handlers/upload-file-reader.test.ts

@@ -2,25 +2,46 @@
  * @vitest-environment node
  */
 
+import { Buffer } from 'buffer'
 import { dbChainMock, dbChainMockFns, resetDbChainMock } from '@sim/testing'
+import JSZip from 'jszip'
 import { beforeEach, describe, expect, it, vi } from 'vitest'
 
 vi.mock('@sim/db', () => dbChainMock)
 
-const { mockReadFileRecord } = vi.hoisted(() => ({
-  mockReadFileRecord: vi.fn(),
-}))
+const { mockReadFileRecord, mockRenderFileBuffer, mockFetchWorkspaceFileBuffer } = vi.hoisted(
+  () => ({
+    mockReadFileRecord: vi.fn(),
+    // Echo the entry bytes back as text so a successful resolve is observable.
+    mockRenderFileBuffer: vi.fn(async (buffer: Buffer) => ({
+      content: buffer.toString('utf-8'),
+      totalLines: 1,
+    })),
+    mockFetchWorkspaceFileBuffer: vi.fn(),
+  })
+)
 
 vi.mock('@/lib/copilot/vfs/file-reader', () => ({
   readFileRecord: mockReadFileRecord,
+  renderFileBuffer: mockRenderFileBuffer,
+}))
+vi.mock('@/lib/uploads/contexts/workspace/workspace-file-manager', () => ({
+  fetchWorkspaceFileBuffer: mockFetchWorkspaceFileBuffer,
 }))
 
 import {
   findMothershipUploadRowByChatAndName,
+  listChatUploadArchiveEntries,
   listChatUploads,
-  readChatUpload,
+  readChatUploadPath,
 } from './upload-file-reader'
 
+async function buildZip(files: Record<string, string>): Promise<Buffer> {
+  const zip = new JSZip()
+  for (const [name, content] of Object.entries(files)) zip.file(name, content)
+  return Buffer.from(await zip.generateAsync({ type: 'uint8array' }))
+}
+
 const CHAT_ID = '11111111-1111-1111-1111-111111111111'
 const NOW = new Date('2026-05-05T00:00:00.000Z')
 
@@ -147,7 +168,7 @@ describe('listChatUploads', () => {
   })
 })
 
-describe('readChatUpload', () => {
+describe('readChatUploadPath (plain upload)', () => {
   beforeEach(() => {
     vi.clearAllMocks()
     resetDbChainMock()
@@ -159,21 +180,97 @@ describe('readChatUpload', () => {
     mockOrderByThenLimit([row])
     mockReadFileRecord.mockResolvedValueOnce({ content: 'PNGDATA', totalLines: 1 })
 
-    const result = await readChatUpload('image (2).png', CHAT_ID)
+    const result = await readChatUploadPath('image (2).png', '', CHAT_ID)
 
     expect(result).toEqual({ content: 'PNGDATA', totalLines: 1 })
     expect(mockReadFileRecord).toHaveBeenCalledWith(
       expect.objectContaining({ id: 'wf_2', name: 'image (2).png', storageContext: 'mothership' })
     )
   })
 
+  it('ignores a trailing habit suffix on a non-archive upload', async () => {
+    const row = makeRow({ id: 'wf_3', displayName: 'report.csv', contentType: 'text/csv' })
+    mockOrderByThenLimit([row])
+    mockReadFileRecord.mockResolvedValueOnce({ content: 'a,b', totalLines: 1 })
+
+    const result = await readChatUploadPath('report.csv', 'content', CHAT_ID)
+
+    expect(result).toEqual({ content: 'a,b', totalLines: 1 })
+    expect(mockReadFileRecord).toHaveBeenCalledWith(expect.objectContaining({ name: 'report.csv' }))
+  })
+
   it('returns null when no row matches', async () => {
     mockOrderByThenLimit([])
     dbChainMockFns.orderBy.mockResolvedValueOnce([] as never)
 
-    const result = await readChatUpload('nope.png', CHAT_ID)
+    const result = await readChatUploadPath('nope.png', '', CHAT_ID)
 
     expect(result).toBeNull()
     expect(mockReadFileRecord).not.toHaveBeenCalled()
   })
 })
+
+describe('readChatUploadPath / listChatUploadArchiveEntries (archive)', () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+    resetDbChainMock()
+  })
+
+  it('lists archive entries as encoded VFS paths', async () => {
+    const buffer = await buildZip({ 'report.pdf': 'x', 'data/sheet.csv': 'a,b' })
+    mockOrderByThenLimit([makeRow({ displayName: 'bundle.zip', contentType: 'application/zip' })])
+    mockFetchWorkspaceFileBuffer.mockResolvedValueOnce(buffer)
+
+    const entries = await listChatUploadArchiveEntries('bundle.zip', CHAT_ID)
+
+    expect(entries?.map((e) => e.vfsPath).sort()).toEqual([
+      'uploads/bundle.zip/data/sheet.csv',
+      'uploads/bundle.zip/report.pdf',
+    ])
+  })
+
+  it('reads a nested entry by its exact path', async () => {
+    const buffer = await buildZip({ 'data/sheet.csv': 'a,b\n1,2' })
+    mockOrderByThenLimit([makeRow({ displayName: 'bundle.zip', contentType: 'application/zip' })])
+    mockFetchWorkspaceFileBuffer.mockResolvedValueOnce(buffer)
+
+    const result = await readChatUploadPath('bundle.zip', 'data/sheet.csv', CHAT_ID)
+
+    expect(result?.content).toBe('a,b\n1,2')
+  })
+
+  it('resolves a unicode (NFD) entry addressed by its NFC-encoded glob path', async () => {
+    // macOS-authored zip: entry name stored decomposed (e + combining acute).
+    const nfdName = `cafe\u0301.txt` // NFD: e + combining acute
+    const buffer = await buildZip({ [nfdName]: 'latte' })
+    mockOrderByThenLimit([makeRow({ displayName: 'bundle.zip', contentType: 'application/zip' })])
+    mockFetchWorkspaceFileBuffer.mockResolvedValueOnce(buffer)
+
+    // The agent reads back the encoded path glob produced (NFC, percent-encoded).
+    const result = await readChatUploadPath('bundle.zip', 'caf%C3%A9.txt', CHAT_ID)
+
+    expect(result?.content).toBe('latte')
+  })
+
+  it('returns null for an entry that is not in the archive', async () => {
+    const buffer = await buildZip({ 'present.txt': 'x' })
+    mockOrderByThenLimit([makeRow({ displayName: 'bundle.zip', contentType: 'application/zip' })])
+    mockFetchWorkspaceFileBuffer.mockResolvedValueOnce(buffer)
+
+    const result = await readChatUploadPath('bundle.zip', 'missing.txt', CHAT_ID)
+
+    expect(result).toBeNull()
+  })
+
+  it('returns the file-tree manifest for a bare archive read', async () => {
+    const buffer = await buildZip({ 'report.pdf': 'x', 'data/sheet.csv': 'a,b' })
+    mockOrderByThenLimit([makeRow({ displayName: 'bundle.zip', contentType: 'application/zip' })])
+    mockFetchWorkspaceFileBuffer.mockResolvedValueOnce(buffer)
+
+    const result = await readChatUploadPath('bundle.zip', '', CHAT_ID)
+
+    expect(result?.content).toContain('Archive "bundle.zip" — 2 files')
+    expect(result?.content).toContain('report.pdf')
+    expect(result?.content).toContain('data/sheet.csv')
+  })
+})