govoplan-files
Repository type: module (domain).
GovOPlaN Files is the managed file module. It bundles backend storage APIs and the Files WebUI package so file features can be installed as one module.
Ownership
This repository owns:
- backend module manifest
files - file permissions such as
files:file:read,files:file:upload,files:file:download,files:file:organize, andfiles:file:delete - file-space, file metadata, share, upload, download, pattern matching, and transfer APIs
- SQLAlchemy file models and module migration registration
- WebUI package
@govoplan/files-webui /filesroute and IconRail navigation contribution
Core owns auth, tenants, RBAC evaluation, database/session primitives, CSRF/API helpers, and shell layout.
Development
Install through the core environment:
cd /mnt/DATA/git/govoplan-core
./.venv/bin/python -m pip install -r requirements-dev.txt
Run the WebUI from the core host:
cd /mnt/DATA/git/govoplan-core/webui
PATH=/home/zemion/.nvm/versions/node/v22.22.3/bin:$PATH /home/zemion/.nvm/versions/node/v22.22.3/bin/npm run dev
Module integration
Backend entry point:
[project.entry-points."govoplan.modules"]
files = "govoplan_files.backend.manifest:get_manifest"
Frontend package:
@govoplan/files-webui
The campaign module can integrate with files when both modules are installed,
for example for managed attachment selection and campaign file sharing. Files
does not import campaign internals; campaign share/existence checks use the core
campaigns.access capability registered by the campaign module.
Platform RBAC and governance rules are documented in govoplan-core/docs/.
Managed files can carry source provenance for connector and import workflows.
Upload callers may provide source_provenance_json and source_revision; the
module stores those values under file metadata, returns normalized
source_provenance and source_revision fields in file responses, and carries
them into managed campaign attachment matches for frozen execution evidence.
Connector policy preflight is available through
POST /api/v1/files/connector-policy/evaluate, and provenance-bearing uploads
can pass connector_policy_json to enforce the same policy before file content
is read. Policy payloads contain ordered sources; each source has
scope_type, optional scope_id, optional label, and a policy object. The
policy object supports allow/allowlist/whitelist and
deny/denylist/blacklist rules for connectors, providers,
external_ids, external_paths, and external_urls. Deny rules win across the
hierarchy; allow rules narrow access at each source that defines them.
Connector endpoint settings are exposed through governed connector profiles.
Profiles can be supplied as JSON through
GOVOPLAN_FILES_CONNECTOR_PROFILES_JSON, or from a JSON file path through
GOVOPLAN_FILES_CONNECTOR_PROFILES_FILE. Each profile has an id, provider,
endpoint_url, governance scope_type/scope_id, optional capabilities, and
credential references such as password_env, token_env, or secret_ref.
GET /api/v1/files/connectors/profiles returns only profiles visible to the
current principal (system, tenant, user, group, or accessible campaign scope) and
redacts secret values and environment variable names. Use the returned
policy_sources with connector policy preflight before importing files.
GET /api/v1/files/connectors/providers exposes provider descriptors for
Seafile, Nextcloud, WebDAV, SMB, NFS, and local filesystem connectors. The
descriptor declares implementation status, optional dependencies, permission
mapping, sync/index strategy, conflict handling, preview behavior, and audit
events so provider coverage remains visible without forcing every optional
protocol dependency to be installed.
GET /api/v1/files/connectors/profiles/{profile_id}/browse provides read-only
connector browsing. Browse entries use a shared library/folder/file shape,
run profile policy with the browse operation, and support Seafile,
WebDAV/Nextcloud, and SMB when the optional smb extra is installed. Seafile
profiles browse libraries and directories via Seafile's read-only API; profiles
can still opt into WebDAV browsing by setting metadata.webdav_endpoint_url or
metadata.browse_protocol to webdav.
POST /api/v1/files/connectors/profiles/{profile_id}/import imports a Seafile
or WebDAV/Nextcloud/SMB file into managed storage through the same governance,
conflict handling, source provenance, and connector audit path as direct
uploads. The Seafile provider uses account-token auth and the native file
download-link API; Nextcloud and generic WebDAV profiles use authenticated GET
requests against the configured WebDAV endpoint. SMB profiles use
smb://server[:port]/share[/path] endpoints and environment-backed credentials
through smbprotocol.
Local connector development assets live in dev/connectors/. The compose stack
boots Nextcloud, Seafile, WebDAV, and SMB endpoints for provider development and
manual interoperability testing.
Connector and collaboration ownership boundaries are documented in
docs/CONNECTOR_BOUNDARY.md and docs/DOCUMENT_COLLABORATION_BOUNDARY.md.
ZIP uploads are processed without buffering the whole archive in memory. The API spools incoming ZIP request bodies to a bounded temporary file, then extracts members with per-file and total extracted-size limits before storing managed files.
Bulk rename and transfer APIs are owner-scoped: callers must provide the active
user or group file space with owner_type and owner_id. The storage layer
keeps a named legacy file-only helper for historical callers that lack owner
context, and regression tests cover its write-access checks.
Release packaging
The repository root includes a package.json for git-based WebUI installs. It exports the package @govoplan/files-webui from webui/src so release builds can depend on tagged git refs instead of local file: paths.