feat(ai-workspace): surface AI files in FxFiles + move-as-access-control (1.i/1.ii/1.iii)#93
Merged
Merged
Conversation
…rol (1.i/1.ii/1.iii) After the Worker writes AI files forest-indexed (functionland/pinning-service#68 + functionland/fula-api#82), FxFiles can see + move them. Three parts: P1 (1.i) category map: the MCP writes SINGULAR category segments (ai/document/, ai/note/, ai/image/ …); FxFiles' category views are PLURAL. _mergeAiWorkspaceInto now maps them (images<-image+screenshot, documents<-document+note+link, other<-file+other) and folds the AI categories with no FileCategory of their own into the closest view. A view with no AI mapping (downloads/archives/starred) short-circuits. P2 (1.i) cloud-files: the bucket view routes fula-ai-workspace through the workspace client (workspace secret) instead of the master-KEK listObjects, so the AI files decrypt + list, tagged sourceBucket for correct open/move routing. P3 (1.ii/1.iii) move-as-access-control: moving a file INTO the AI bucket re-encrypts it under the workspace secret + forest-indexes it (grant AI read) under an ai/<category>/<name> key; moving OUT re-encrypts under the master KEK and removes the workspace copy (revoke). The revoke is VERIFIED: the re-encrypted master copy must decrypt BEFORE the AI copy is deleted, then the AI copy is verified gone — "revoke incomplete" is surfaced loudly otherwise. All re-keying is client-side (the KEK never leaves FxFiles). New primitives: uploadWorkspaceObject (putFlat), deleteWorkspaceObject (deleteFlat, which removes the forest entry too). The move orchestration is factored into a UI-free aiAwareMove() so the security- critical revoke is unit-tested (grant / verified-revoke / abort-without-delete-on- failed-verify / normal-move). flutter analyze clean (0 errors); 25 AI unit tests green. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_0161UGEJmTpM6DM2cVZyV6Ev
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Surface the AI/MCP's
fula-ai-workspacefiles in FxFiles and let the user move files in/out of it to grant/revoke AI access (issue #1: 1.i / 1.ii / 1.iii). Depends on the Worker writing files forest-indexed (functionland/pinning-service#68, functionland/fula-api#82).P1 — category map (1.i)
The MCP writes singular category segments (
ai/document/,ai/note/,ai/image/…) but FxFiles' category views are plural._mergeAiWorkspaceIntonow maps them and folds the AI categories with noFileCategoryhome into the closest view:images ← image + screenshot,documents ← document + note + link,other ← file + other. A view with no AI mapping (downloads/archives/starred) short-circuits (no workspace list call).P2 — cloud-files bucket view (1.i)
_loadObjectsroutesfula-ai-workspacethrough the workspace client (workspace secret) instead of the master-KEKlistObjects, so the files decrypt + list, taggedsourceBucketfor correct open/move routing.P3 — move-as-access-control (1.ii / 1.iii)
ai/<category>/<name>(grant AI read).revoke incompleteis surfaced loudly otherwise.uploadWorkspaceObject(putFlat),deleteWorkspaceObject(deleteFlat— removes the forest index entry, not just the blob).aiAwareMove()so the security-critical revoke is unit-tested.Test
flutter analyzeclean (whole project, 0 errors). 25 AI unit tests pass, including: singular→plural mapping + homeless folding; grant; verified revoke; abort-without-delete when the re-encrypted copy fails to verify; normal move.Note on ordering
Additive + safe to land before the Worker deploy: until the Worker writes indexed files, the workspace reads empty (shows nothing extra); a move stores correctly via FxFiles' own forest-tracked put, and AI read activates once the Worker is live.
🤖 Generated with Claude Code