feat: add bounded file byte reads

2026-06-29 03:16:16 +08:00 · 2026-06-29 03:16:16 +08:00 · 57677d1b1b
parent aa4905a097
commit 57677d1b1b
13 changed files with 208 additions and 13 deletions
--- a/docs/DEV_PLUGINS.md
+++ b/docs/DEV_PLUGINS.md
@ -85,12 +85,13 @@ Frontend bundles are mounted with a plugin-scoped API created by
 - `capabilities.list/get/has`
 - `commands.register/execute` for handlers declared in `contributes.commands`
 - `events.publish/subscribe` using the bundled frontend event bus
- `files.list/metadata/readText/writeText/createFolder/move/trash/openExternal/showInFolder`
+- `files.list/metadata/readText/readBytes/writeText/createFolder/move/trash/openExternal/showInFolder`
  for canonical vault-relative slash paths guarded by `files.read`,
  `files.write`, `files.delete`, and `files.openExternal`. Backslashes,
  Windows absolute paths, UNC paths, traversal, `.verstak` variants, and
  symlink read/write/move/trash/external-open operations are rejected. Text
-  read/write is UTF-8 only and limited to 2 MB for reads.
+  read/write is UTF-8 only and limited to 2 MB for text reads; `readBytes`
  returns base64 for regular files up to 8 MB.
 - `workbench.openResource/editResource` for routing vault resources to
  contributed `openProviders`. Plugins must declare `workbench.open`; this is a
  policy/contract check. Files and Notes plugins call this API and do not import
--- a/docs/PLUGIN_RUNTIME.md
+++ b/docs/PLUGIN_RUNTIME.md
@ -437,6 +437,8 @@ contributions summary.
 - `files.list(relativeDir)` — list directory using a vault-relative path.
 - `files.metadata(relativePath)` — returns file/folder/symlink metadata.
 - `files.readText(relativePath)` — reads a UTF-8 regular file, with a size limit.
 - `files.readBytes(relativePath)` — reads a regular file up to 8 MB and returns
  `{ relativePath, size, mimeHint, dataBase64 }` for bounded binary preview use.
 - `files.writeText(relativePath, content, options)` — atomically writes text via
  temp-file-and-rename. `options.createIfMissing` and `options.overwrite`
  control conflicts.
@ -464,8 +466,9 @@ contributions summary.
 - `files.metadata` may report a final symlink as `type: "symlink"`, but
  `files.list` through a symlink directory and all read/write/move/trash
  operations through symlinks are forbidden in Milestone 6a.
- Files API is text-only for read/write in Milestone 6a. `readText` is limited
+- Files API writes are text-only. `readText` is limited to UTF-8 regular files
-  to UTF-8 regular files up to 2 MB. Binary streaming is deferred.
+  up to 2 MB. `readBytes` is a bounded read-only byte contract up to 8 MB;
  write streaming is deferred.
 - Live watcher refresh is active while Verstak is running and a vault is open.
  It performs an initial no-event snapshot, then publishes `file.changed` for
  external creates, updates, and deletes outside `.verstak/`. It does not keep a
@ -540,6 +543,7 @@ bundled runtime. Это реальный runtime contract для cooperative bun
 | `api.files.list(relativeDir)` | ✅ Работает | Список vault-relative директории, `.verstak` скрыта |
 | `api.files.metadata(relativePath)` | ✅ Работает | Metadata для файла/папки/symlink без чтения содержимого |
 | `api.files.readText(relativePath)` | ✅ Работает | Читает UTF-8 regular file до 2 MB |
 | `api.files.readBytes(relativePath)` | ✅ Работает | Читает regular file до 8 MB как base64 payload |
 | `api.files.writeText(relativePath, content, options)` | ✅ Работает | Atomic text write с явным create/overwrite policy |
 | `api.files.createFolder(relativePath)` | ✅ Работает | Создаёт vault-relative folder |
 | `api.files.move(from, to, options)` | ✅ Работает | Move file/folder с conflict и path-policy checks |
--- a/frontend/src/lib/plugin-host/VerstakPluginAPI.js
+++ b/frontend/src/lib/plugin-host/VerstakPluginAPI.js
@ -242,6 +242,12 @@ export function createPluginAPI(pluginId) {
          return App.ReadVaultTextFile(pluginId, relativePath);
        });
      },
      readBytes: function(relativePath) {
        assertActive('files.readBytes(' + relativePath + ')');
        return callBackend(pluginId, 'files.readBytes(' + relativePath + ')', function() {
          return App.ReadVaultFileBytes(pluginId, relativePath);
        });
      },
      writeText: function(relativePath, content, options) {
        assertActive('files.writeText(' + relativePath + ')');
        return callBackendErrorString(pluginId, 'files.writeText(' + relativePath + ')', function() {
--- a/frontend/src/lib/test/wails-mock.js
+++ b/frontend/src/lib/test/wails-mock.js
@ -1287,6 +1287,23 @@
      if (node.type !== 'file') return Promise.resolve(['', 'not-regular-file: ' + norm.path]);
      return Promise.resolve([node.content || '', '']);
    },
    ReadVaultFileBytes: function (pluginId, relativePath) {
      var err = requirePluginPermission(pluginId, 'files.read');
      if (err) return Promise.resolve([{}, err]);
      var norm = normalizeVaultPath(relativePath, false);
      if (norm.error) return Promise.resolve([{}, norm.error]);
      var node = vaultFiles[norm.path];
      if (!node) return Promise.resolve([{}, 'not-found: ' + norm.path]);
      if (node.type !== 'file') return Promise.resolve([{}, 'not-regular-file: ' + norm.path]);
      var content = node.content || '';
      var dataBase64 = typeof btoa === 'function' ? btoa(content) : '';
      return Promise.resolve([{
        relativePath: norm.path,
        size: content.length,
        mimeHint: norm.path.toLowerCase().endsWith('.png') ? 'image/png' : '',
        dataBase64: dataBase64
      }, '']);
    },
    WriteVaultTextFile: function (pluginId, relativePath, content, options) {
      var err = requirePluginPermission(pluginId, 'files.write');
      if (err) return Promise.resolve(err);
--- a/frontend/tests/plugin-api-files-test.mjs
+++ b/frontend/tests/plugin-api-files-test.mjs
@ -11,8 +11,12 @@ globalThis.window = {
  go: {
    api: {
      App: {
        ReadVaultFileBytes: (pluginId, relativePath) => {
          calls.push({ method: 'ReadVaultFileBytes', pluginId, relativePath });
          return Promise.resolve([{ relativePath, size: 4, mimeHint: 'image/png', dataBase64: 'iVBORw==' }, '']);
        },
        RestoreVaultTrash: (pluginId, trashId, options) => {
-          calls.push({ pluginId, trashId, options });
+          calls.push({ method: 'RestoreVaultTrash', pluginId, trashId, options });
          return Promise.resolve(['Docs/restored.txt', '']);
        },
      },
@ -33,12 +37,23 @@ const api = apiModule.createPluginAPI('verstak.files');
 if (!api.files || typeof api.files.restoreTrash !== 'function') {
  throw new Error('api.files.restoreTrash is missing');
 }
 if (typeof api.files.readBytes !== 'function') {
  throw new Error('api.files.readBytes is missing');
 }
 const bytes = await api.files.readBytes('Docs/image.png');
 if (bytes.dataBase64 !== 'iVBORw==' || bytes.mimeHint !== 'image/png') {
  throw new Error(`unexpected readBytes result: ${JSON.stringify(bytes)}`);
 }
 const restored = await api.files.restoreTrash('trash-1', { overwrite: true });
 if (restored !== 'Docs/restored.txt') {
  throw new Error(`unexpected restore result: ${JSON.stringify(restored)}`);
 }
-if (calls.length !== 1 || calls[0].pluginId !== 'verstak.files' || calls[0].trashId !== 'trash-1' || calls[0].options.overwrite !== true) {
+if (calls.length !== 2 || calls[0].method !== 'ReadVaultFileBytes' || calls[0].pluginId !== 'verstak.files' || calls[0].relativePath !== 'Docs/image.png') {
  throw new Error(`unexpected ReadVaultFileBytes call: ${JSON.stringify(calls)}`);
 }
 if (calls[1].method !== 'RestoreVaultTrash' || calls[1].pluginId !== 'verstak.files' || calls[1].trashId !== 'trash-1' || calls[1].options.overwrite !== true) {
  throw new Error(`unexpected RestoreVaultTrash call: ${JSON.stringify(calls)}`);
 }
--- a/frontend/wailsjs/go/api/App.d.ts
+++ b/frontend/wailsjs/go/api/App.d.ts
@ -102,18 +102,20 @@ export function ReadPluginSetting(arg1:string,arg2:string):Promise<any>;
 export function ReadPluginSettings(arg1:string):Promise<Record<string, any>|string>;
 export function ReadVaultFileBytes(arg1:string,arg2:string):Promise<files.FileBytes|string>;
 export function ReadVaultTextFile(arg1:string,arg2:string):Promise<string|string>;
 export function RecordDesiredPlugin(arg1:string,arg2:string,arg3:string):Promise<string>;
 export function ReloadPlugins():Promise<number|string>;
 export function RestoreVaultTrash(arg1:string,arg2:string,arg3:files.RestoreOptions):Promise<string|string>;
 export function RenameWorkspace(arg1:string,arg2:string):Promise<string>;
 export function RenameWorkspaceNode(arg1:string,arg2:string):Promise<string>;
 export function RestoreVaultTrash(arg1:string,arg2:string,arg3:files.RestoreOptions):Promise<string|string>;
 export function SelectDirectory():Promise<string>;
 export function SelectVaultForOpen():Promise<string>;
--- a/frontend/wailsjs/go/api/App.js
+++ b/frontend/wailsjs/go/api/App.js
@ -190,6 +190,10 @@ export function ReadPluginSettings(arg1) {
  return window['go']['api']['App']['ReadPluginSettings'](arg1);
 }
 export function ReadVaultFileBytes(arg1, arg2) {
  return window['go']['api']['App']['ReadVaultFileBytes'](arg1, arg2);
 }
 export function ReadVaultTextFile(arg1, arg2) {
  return window['go']['api']['App']['ReadVaultTextFile'](arg1, arg2);
 }
@ -202,10 +206,6 @@ export function ReloadPlugins() {
  return window['go']['api']['App']['ReloadPlugins']();
 }
 export function RestoreVaultTrash(arg1, arg2, arg3) {
  return window['go']['api']['App']['RestoreVaultTrash'](arg1, arg2, arg3);
 }
 export function RenameWorkspace(arg1, arg2) {
  return window['go']['api']['App']['RenameWorkspace'](arg1, arg2);
 }
@ -214,6 +214,10 @@ export function RenameWorkspaceNode(arg1, arg2) {
  return window['go']['api']['App']['RenameWorkspaceNode'](arg1, arg2);
 }
 export function RestoreVaultTrash(arg1, arg2, arg3) {
  return window['go']['api']['App']['RestoreVaultTrash'](arg1, arg2, arg3);
 }
 export function SelectDirectory() {
  return window['go']['api']['App']['SelectDirectory']();
 }
--- a/frontend/wailsjs/go/models.ts
+++ b/frontend/wailsjs/go/models.ts
@ -369,6 +369,24 @@ export namespace capability {
 export namespace files {
 	export class FileBytes {
 	    relativePath: string;
 	    size: number;
 	    mimeHint: string;
 	    dataBase64: string;
 	    static createFrom(source: any = {}) {
 	        return new FileBytes(source);
 	    }
 	    constructor(source: any = {}) {
 	        if ('string' === typeof source) source = JSON.parse(source);
 	        this.relativePath = source["relativePath"];
 	        this.size = source["size"];
 	        this.mimeHint = source["mimeHint"];
 	        this.dataBase64 = source["dataBase64"];
 	    }
 	}
 	export class FileEntry {
 	    name: string;
 	    relativePath: string;
--- a/internal/api/app.go
+++ b/internal/api/app.go
@ -876,6 +876,21 @@ func (a *App) ReadVaultTextFile(pluginID, relativePath string) (string, string)
 	return text, ""
 }
 // ReadVaultFileBytes reads a bounded regular file as base64 for a plugin with files.read.
 func (a *App) ReadVaultFileBytes(pluginID, relativePath string) (corefiles.FileBytes, string) {
 	if _, err := a.requirePluginAccess(pluginID, "files.read"); err != nil {
 		return corefiles.FileBytes{}, err.Error()
 	}
 	if a.files == nil {
 		return corefiles.FileBytes{}, "files service not initialized"
 	}
 	data, err := a.files.ReadVaultFileBytes(relativePath)
 	if err != nil {
 		return corefiles.FileBytes{}, err.Error()
 	}
 	return data, ""
 }
 // WriteVaultTextFile atomically writes a UTF-8 text file for a plugin with files.write.
 func (a *App) WriteVaultTextFile(pluginID, relativePath string, content string, options corefiles.WriteOptions) string {
 	if _, err := a.requirePluginAccess(pluginID, "files.write"); err != nil {
--- a/internal/api/app_test.go
+++ b/internal/api/app_test.go
@ -360,11 +360,29 @@ func TestFilesBridgeReadWriteListMoveTrash(t *testing.T) {
 		t.Fatalf("text = %q", text)
 	}
 	if err := os.WriteFile(filepath.Join(root, "Docs", "image.png"), []byte{0x89, 0x50, 0x4e, 0x47}, 0o644); err != nil {
 		t.Fatal(err)
 	}
 	bytesResult, errStr := app.ReadVaultFileBytes("files.plugin", "Docs/image.png")
 	if errStr != "" {
 		t.Fatalf("ReadVaultFileBytes: %s", errStr)
 	}
 	if bytesResult.RelativePath != "Docs/image.png" || bytesResult.MimeHint != "image/png" || bytesResult.DataBase64 != "iVBORw==" {
 		t.Fatalf("bytes result = %+v", bytesResult)
 	}
 	entries, errStr := app.ListVaultFiles("files.plugin", "Docs")
 	if errStr != "" {
 		t.Fatalf("ListVaultFiles: %s", errStr)
 	}
-	if len(entries) != 1 || entries[0].RelativePath != "Docs/one.txt" {
+	hasOne := false
 	for _, entry := range entries {
 		if entry.RelativePath == "Docs/one.txt" {
 			hasOne = true
 			break
 		}
 	}
 	if !hasOne {
 		t.Fatalf("entries = %+v", entries)
 	}
@ -594,6 +612,12 @@ func TestFilesBridgePermissions(t *testing.T) {
 			call:       func(app *App) string { _, errStr := app.ReadVaultTextFile("files.plugin", "one.txt"); return errStr },
 			wantPhrase: "files.read",
 		},
 		{
 			name:       "read bytes requires read",
 			perms:      []string{"files.write", "files.delete"},
 			call:       func(app *App) string { _, errStr := app.ReadVaultFileBytes("files.plugin", "one.txt"); return errStr },
 			wantPhrase: "files.read",
 		},
 		{
 			name:  "write requires write",
 			perms: []string{"files.read", "files.delete"},
--- a/internal/core/files/service.go
+++ b/internal/core/files/service.go
@ -1,6 +1,7 @@
 package files
 import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"io/fs"
@ -148,6 +149,42 @@ func (s *Service) ReadVaultTextFile(relativePath string) (string, error) {
 	return string(data), nil
 }
 func (s *Service) ReadVaultFileBytes(relativePath string) (FileBytes, error) {
 	root, rel, full, err := s.resolveFile(relativePath)
 	if err != nil {
 		return FileBytes{}, err
 	}
 	if err := rejectSymlinkPath(root, rel, true); err != nil {
 		return FileBytes{}, err
 	}
 	info, err := os.Lstat(full)
 	if err != nil {
 		if os.IsNotExist(err) {
 			return FileBytes{}, fmt.Errorf("not-found: %s", rel)
 		}
 		return FileBytes{}, err
 	}
 	if info.Mode()&os.ModeSymlink != 0 {
 		return FileBytes{}, fmt.Errorf("symlink-not-allowed: %s", rel)
 	}
 	if !info.Mode().IsRegular() {
 		return FileBytes{}, fmt.Errorf("not-regular-file: %s", rel)
 	}
 	if info.Size() > MaxBinaryReadBytes {
 		return FileBytes{}, fmt.Errorf("file-too-large: %s", rel)
 	}
 	data, err := os.ReadFile(full)
 	if err != nil {
 		return FileBytes{}, err
 	}
 	return FileBytes{
 		RelativePath: rel,
 		Size:         int64(len(data)),
 		MimeHint:     mime.TypeByExtension(filepath.Ext(info.Name())),
 		DataBase64:   base64.StdEncoding.EncodeToString(data),
 	}, nil
 }
 func (s *Service) WriteVaultTextFile(relativePath string, content string, options WriteOptions) error {
 	root, rel, full, err := s.resolveFile(relativePath)
 	if err != nil {
--- a/internal/core/files/service_test.go
+++ b/internal/core/files/service_test.go
@ -87,6 +87,9 @@ func TestPathPolicyRejectsUnsafeOperations(t *testing.T) {
 			if _, err := s.ReadVaultTextFile(input); err == nil {
 				t.Fatal("read: expected error")
 			}
 			if _, err := s.ReadVaultFileBytes(input); err == nil {
 				t.Fatal("read bytes: expected error")
 			}
 			if err := s.WriteVaultTextFile(input, "x", WriteOptions{CreateIfMissing: true}); err == nil {
 				t.Fatal("write: expected error")
 			}
@ -137,6 +140,47 @@ func TestReadVaultTextFileRules(t *testing.T) {
 	}
 }
 func TestReadVaultFileBytesRules(t *testing.T) {
 	s, root := newTestService(t)
 	imageBytes := []byte{0x89, 0x50, 0x4e, 0x47}
 	if err := os.WriteFile(filepath.Join(root, "image.png"), imageBytes, 0o644); err != nil {
 		t.Fatal(err)
 	}
 	if err := os.Mkdir(filepath.Join(root, "Folder"), 0o755); err != nil {
 		t.Fatal(err)
 	}
 	if err := os.WriteFile(filepath.Join(root, "huge.bin"), []byte(strings.Repeat("a", int(MaxBinaryReadBytes)+1)), 0o644); err != nil {
 		t.Fatal(err)
 	}
 	result, err := s.ReadVaultFileBytes("image.png")
 	if err != nil {
 		t.Fatalf("ReadVaultFileBytes image: %v", err)
 	}
 	if result.RelativePath != "image.png" {
 		t.Fatalf("relative path = %q, want image.png", result.RelativePath)
 	}
 	if result.Size != int64(len(imageBytes)) {
 		t.Fatalf("size = %d, want %d", result.Size, len(imageBytes))
 	}
 	if result.MimeHint != "image/png" {
 		t.Fatalf("mime hint = %q, want image/png", result.MimeHint)
 	}
 	if result.DataBase64 != "iVBORw==" {
 		t.Fatalf("dataBase64 = %q, want iVBORw==", result.DataBase64)
 	}
 	if _, err := s.ReadVaultFileBytes("Folder"); err == nil || !strings.Contains(err.Error(), "not-regular-file") {
 		t.Fatalf("read folder error = %v, want not-regular-file", err)
 	}
 	if _, err := s.ReadVaultFileBytes("missing.png"); err == nil || !strings.Contains(err.Error(), "not-found") {
 		t.Fatalf("read missing error = %v, want not-found", err)
 	}
 	if _, err := s.ReadVaultFileBytes("huge.bin"); err == nil || !strings.Contains(err.Error(), "file-too-large") {
 		t.Fatalf("read huge error = %v, want file-too-large", err)
 	}
 }
 func TestWriteVaultTextFileAtomicAndConflictBehavior(t *testing.T) {
 	s, root := newTestService(t)
--- a/internal/core/files/types.go
+++ b/internal/core/files/types.go
@ -1,6 +1,7 @@
 package files
 const MaxTextFileBytes int64 = 2 * 1024 * 1024
 const MaxBinaryReadBytes int64 = 8 * 1024 * 1024
 type FileType string
@ -39,6 +40,13 @@ type FileMetadata struct {
 	CanWrite     bool     `json:"canWrite"`
 }
 type FileBytes struct {
 	RelativePath string `json:"relativePath"`
 	Size         int64  `json:"size"`
 	MimeHint     string `json:"mimeHint"`
 	DataBase64   string `json:"dataBase64"`
 }
 type ExternalOpenTarget struct {
 	RelativePath string       `json:"relativePath"`
 	AbsolutePath string       `json:"absolutePath"`