feat(files): SFTP member storage — private workspaces + shared public area + mgmt TUI#56
Merged
Conversation
… area + mgmt TUI
Implements M4 (Files). A fully virtual Go SFTP server (pkg/sftp + crypto/ssh,
no OS users) wired as an "sftp" subsystem on the existing :22 wish listener, so
members reach their files with their login key:
sftp files@bbs.profullstack.com # scp/rsync ride the same endpoint
Identity is the SSH key (the username is conventional/ignored). Two areas per
session: a private, quota-limited /me workspace and a single shared public file
area /public (old-school BBS file area; world-read, members-only write by
default, operator-moderated). This reverses the old NG1 "no sharing" boundary in
favour of one sanctioned, inspectable sharing surface (PRD §9.3 amended).
internal/files:
- backend.go service, layout, quota/usage, live-session registry, operator API
- fs.go per-session virtual FS; resolve() is the single security
chokepoint (area confinement + symlink-escape guard) + pkg/sftp
request handlers
- server.go subsystem handler: key auth -> member session -> request server,
with byte metering and force-disconnect
- tui.go in-BBS member browser (hub plugin "Files")
- admin.go operator management TUI: sessions, workspaces/quotas, public area
Operator console: ssh sftp@<host> (allowlist-gated; sftpadmin@/filesadmin@
aliases) — list/disconnect sessions, set per-user quotas, revoke SFTP access,
toggle public write, moderate the public area.
store: files_access (per-user quota override + revoked) and files_settings
(public-write mode) tables + methods. main.go wiring guarded by AGENTBBS_FILES
(+ AGENTBBS_FILES_QUOTA_MB, default 1 GiB). Route names reserved.
Tests (incl -race): path traversal/confinement, symlink-escape rejection,
public-write ACL, quota enforcement, usage accounting, and an end-to-end run
against a real SFTP client. Docs: docs/files.md; PRD §5.3/§5.3.1/§9.3 + README
updated.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
# Conflicts: # cmd/agentbbs/main.go # internal/auth/auth.go # internal/store/store.go
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
vu1nz Security Review0 finding(s) in PR #? No security issues found. |
…t Premium-gated) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Implements M4 (Files): member file storage over SFTP, reachable with the member's existing SSH login key.
What
A fully virtual Go SFTP server (
pkg/sftp+crypto/ssh, no OS users) wired as ansftpsubsystem on the existing:22wish listener:sftp files@bbs.profullstack.com # scp/rsync ride the same endpointIdentity is the SSH key (username is conventional/ignored). Two areas per session:
/me— private, per-user, quota-limited workspace/public— a single shared public file area (old-school BBS file area; world-read, members-only write by default, operator-moderated)This reverses the old NG1 "no sharing" boundary in favour of one sanctioned, inspectable sharing surface (PRD §9.3 amended; §5.3/§5.3.1 added).
Code (
internal/files)backend.go— service, layout, quota/usage, live-session registry, operator APIfs.go— per-session virtual FS;resolve()is the single security chokepoint (area confinement + symlink-escape guard) + pkg/sftp request handlersserver.go— subsystem handler: key auth → member session → request server, with byte metering + force-disconnecttui.go— in-hub member browser (the "Files" plugin)admin.go— operator management TUIOperator console:
ssh sftp@<host>(allowlist-gated;sftpadmin@/filesadmin@aliases) — list/disconnect sessions, set per-user quotas, revoke SFTP access, toggle public write, moderate the public area.Store:
files_access(per-user quota override + revoked) andfiles_settings(public-write mode) tables + methods. Wiring guarded byAGENTBBS_FILES(+AGENTBBS_FILES_QUOTA_MB, default 1 GiB). Route names reserved.Tests & verification
go build ./...,go vet ./...,gofmtclean-race: path traversal/confinement, symlink-escape rejection, public-write ACL, quota enforcement, usage accounting, and an end-to-end run against a real SFTP clientDocs:
docs/files.md; PRD §5.3/§5.3.1/§9.3 + README + setup.sh updated.🤖 Generated with Claude Code