fix: allow agents to attach any file type #26560
Agent-created chat artifacts can now be any file type, stored as a downloadable artifact. PrepareStoredFile now only normalizes the name and classifies the bytes; it no longer enforces the prompt-input allowlist. The upload allowlist is enforced inline at postChatFile, which is the correct layer for user-provided prompt input. User uploads remain limited to the prompt-input media types. Unsafe or unknown types stay download-only because IsInlineRenderableStoredMediaType still refuses them. Model replay is unchanged: assistant and tool attachments are never forwarded to the LLM.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 5bf6ecd179
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
@codex review
Codex Review: Didn't find any major issues. What shall we delve into next? Reviewed commit:
Agents can now attach any file type as a downloadable chat artifact, where previously the stored-file allowlist rejected types like .zip.

The reason arbitrary types were blocked is that a single media-type list (codersdk.AllChatAttachmentMediaTypes) was doing three different jobs at once: gating what users may upload as prompt input, deciding what is safe to render inline in the browser, and admitting what the agent's attach_file could store. Because the agent storage path reused that same list as an admission gate, any artifact outside it was rejected even though agent artifacts are only ever downloaded by the user and are never forwarded to the model, so the prompt-input and inline-render constraints did not actually apply to them.

This splits those concerns. PrepareStoredFile now only normalizes the name and classifies the bytes, and the prompt-input allowlist is enforced inline at postChatFile instead, which is the correct layer for user-provided input.

User uploads are unchanged and still limited to the allowed prompt-input media types, and unsafe or unknown types remain download-only because IsInlineRenderableStoredMediaType still refuses to render them inline.

Model replay is also unchanged: assistant and tool attachments are never forwarded to the LLM.
Closes CODAGT-654
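The split described above, sketched as an added example that is not code from this pull request or from the project: storage admits and classifies any bytes, the upload path alone applies the prompt-input allowlist, and the serve path refuses inline rendering for anything not known safe. All function names and both allowlists here are hypothetical, and the sample bytes are constructed.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"path"
	"strings"
)

// Hypothetical lists; the project's real allowlists are not shown on this page.
var promptInputTypes = map[string]bool{"image/png": true, "image/jpeg": true, "text/plain": true}
var inlineRenderable = map[string]bool{"image/png": true, "image/jpeg": true}

type storedFile struct{ Name, MediaType string }

// prepareStored normalizes the name and classifies the bytes. It rejects nothing.
func prepareStored(name string, data []byte) storedFile {
	base := path.Base(strings.ReplaceAll(name, "\\", "/")) // drop directory components
	if base == "." || base == "/" {
		base = "attachment"
	}
	// Type is sniffed from content rather than trusted from the caller.
	mt, _, _ := strings.Cut(http.DetectContentType(data), ";")
	return storedFile{Name: base, MediaType: mt}
}

// acceptUserUpload is the only layer that enforces the prompt-input allowlist.
func acceptUserUpload(name string, data []byte) (storedFile, error) {
	f := prepareStored(name, data)
	if !promptInputTypes[f.MediaType] {
		return storedFile{}, fmt.Errorf("unsupported upload type %q", f.MediaType)
	}
	return f, nil
}

// contentDisposition is decided at serve time; unknown or unsafe types are download-only.
func contentDisposition(f storedFile) string {
	if inlineRenderable[f.MediaType] {
		return "inline"
	}
	return mime.FormatMediaType("attachment", map[string]string{"filename": f.Name})
}

func main() {
	zip := []byte("PK\x03\x04 constructed sample bytes")
	agent := prepareStored("../../build/out.zip", zip) // agent path: stored as-is
	fmt.Println(agent.Name, agent.MediaType, contentDisposition(agent))
	_, err := acceptUserUpload("out.zip", zip) // user path: same bytes rejected
	fmt.Println("user upload:", err)
}
```
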