Merge pull request #213 from multica-ai/feature/file-upload-cloudfront

feat(upload): file upload API with S3 + CloudFront signed cookies

.env.example

@@ -30,6 +30,15 @@ GOOGLE_CLIENT_ID=
 GOOGLE_CLIENT_SECRET=
 GOOGLE_REDIRECT_URI=http://localhost:3000/auth/callback
 
+# S3 / CloudFront
+S3_BUCKET=
+S3_REGION=us-west-2
+CLOUDFRONT_KEY_PAIR_ID=
+CLOUDFRONT_PRIVATE_KEY_SECRET=multica/cloudfront-signing-key
+CLOUDFRONT_PRIVATE_KEY=
+CLOUDFRONT_DOMAIN=
+COOKIE_DOMAIN=
+
 # Frontend
 FRONTEND_PORT=3000
 FRONTEND_ORIGIN=http://localhost:3000

apps/web/app/(dashboard)/issues/[id]/page.test.tsx

@@ -58,6 +58,7 @@ vi.mock("@/features/workspace", () => ({
       if (type === "agent") return "CA";
       return "??";
     },
+    getActorAvatarUrl: () => null,
   }),
 }));
 
@@ -296,6 +297,7 @@ describe("IssueDetailPage", () => {
       author_id: "user-1",
       parent_id: null,
       reactions: [],
+      attachments: [],
       created_at: "2026-01-18T00:00:00Z",
       updated_at: "2026-01-18T00:00:00Z",
     };

apps/web/app/(dashboard)/issues/page.test.tsx

@@ -34,6 +34,7 @@ vi.mock("@/features/workspace", () => ({
     getActorName: (type: string, id: string) =>
       type === "member" ? "Test User" : "Claude Agent",
     getActorInitials: () => "TU",
+    getActorAvatarUrl: () => null,
   }),
   useWorkspaceStore: Object.assign(
     (selector?: any) => {

apps/web/app/(dashboard)/settings/_components/account-tab.tsx

@@ -1,7 +1,7 @@
 "use client";
 
-import { useEffect, useState } from "react";
-import { Save } from "lucide-react";
+import { useEffect, useRef, useState } from "react";
+import { Camera, Loader2, Save } from "lucide-react";
 import { Input } from "@/components/ui/input";
 import { Label } from "@/components/ui/label";
 import { Button } from "@/components/ui/button";
@@ -9,27 +9,48 @@ import { Card, CardContent } from "@/components/ui/card";
 import { toast } from "sonner";
 import { useAuthStore } from "@/features/auth";
 import { api } from "@/shared/api";
+import { useFileUpload } from "@/shared/hooks/use-file-upload";
 
 export function AccountTab() {
   const user = useAuthStore((s) => s.user);
   const setUser = useAuthStore((s) => s.setUser);
 
   const [profileName, setProfileName] = useState(user?.name ?? "");
-  const [avatarUrl, setAvatarUrl] = useState(user?.avatar_url ?? "");
   const [profileSaving, setProfileSaving] = useState(false);
+  const { upload, uploading } = useFileUpload();
+  const fileInputRef = useRef<HTMLInputElement>(null);
 
   useEffect(() => {
     setProfileName(user?.name ?? "");
-    setAvatarUrl(user?.avatar_url ?? "");
   }, [user]);
 
+  const initials = (user?.name ?? "")
+    .split(" ")
+    .map((w) => w[0])
+    .join("")
+    .toUpperCase()
+    .slice(0, 2);
+
+  const handleAvatarUpload = async (e: React.ChangeEvent<HTMLInputElement>) => {
+    const file = e.target.files?.[0];
+    if (!file) return;
+    // Reset input so the same file can be re-selected
+    e.target.value = "";
+    try {
+      const result = await upload(file);
+      if (!result) return;
+      const updated = await api.updateMe({ avatar_url: result.link });
+      setUser(updated);
+      toast.success("Avatar updated");
+    } catch (err) {
+      toast.error(err instanceof Error ? err.message : "Failed to upload avatar");
+    }
+  };
+
   const handleProfileSave = async () => {
     setProfileSaving(true);
     try {
-      const updated = await api.updateMe({
-        name: profileName,
-        avatar_url: avatarUrl || undefined,
-      });
+      const updated = await api.updateMe({ name: profileName });
       setUser(updated);
       toast.success("Profile updated");
     } catch (e) {
@@ -45,7 +66,46 @@ export function AccountTab() {
         <h2 className="text-sm font-semibold">Profile</h2>
 
         <Card>
-          <CardContent className="space-y-3">
+          <CardContent className="space-y-4">
+            {/* Avatar upload */}
+            <div className="flex items-center gap-4">
+              <button
+                type="button"
+                className="group relative h-16 w-16 shrink-0 rounded-full bg-muted overflow-hidden focus:outline-none focus-visible:ring-2 focus-visible:ring-ring"
+                onClick={() => fileInputRef.current?.click()}
+                disabled={uploading}
+              >
+                {user?.avatar_url ? (
+                  <img
+                    src={user.avatar_url}
+                    alt={user.name}
+                    className="h-full w-full object-cover"
+                  />
+                ) : (
+                  <span className="flex h-full w-full items-center justify-center text-lg font-semibold text-muted-foreground">
+                    {initials}
+                  </span>
+                )}
+                <div className="absolute inset-0 flex items-center justify-center bg-black/40 opacity-0 transition-opacity group-hover:opacity-100">
+                  {uploading ? (
+                    <Loader2 className="h-5 w-5 animate-spin text-white" />
+                  ) : (
+                    <Camera className="h-5 w-5 text-white" />
+                  )}
+                </div>
+              </button>
+              <input
+                ref={fileInputRef}
+                type="file"
+                accept="image/*"
+                className="hidden"
+                onChange={handleAvatarUpload}
+              />
+              <div className="text-xs text-muted-foreground">
+                Click to upload avatar
+              </div>
+            </div>
+
             <div>
               <Label className="text-xs text-muted-foreground">Name</Label>
               <Input
@@ -55,16 +115,6 @@ export function AccountTab() {
                 className="mt-1"
               />
             </div>
-            <div>
-              <Label className="text-xs text-muted-foreground">Avatar URL</Label>
-              <Input
-                type="url"
-                value={avatarUrl}
-                onChange={(e) => setAvatarUrl(e.target.value)}
-                placeholder="https://example.com/avatar.png"
-                className="mt-1"
-              />
-            </div>
             <div className="flex items-center justify-end gap-2 pt-1">
               <Button
                 size="sm"

apps/web/components/common/actor-avatar.tsx

@@ -1,5 +1,6 @@
 "use client";
 
+import { useState, useEffect } from "react";
 import { Bot } from "lucide-react";
 import { cn } from "@/lib/utils";
 import { useActorName } from "@/features/workspace";
@@ -8,8 +9,10 @@ interface ActorAvatarProps {
   actorType: string;
   actorId: string;
   size?: number;
+  avatarUrl?: string | null;
   getName?: (type: string, id: string) => string;
   getInitials?: (type: string, id: string) => string;
+  getAvatarUrl?: (type: string, id: string) => string | null;
   className?: string;
 }
 
@@ -17,29 +20,47 @@ function ActorAvatar({
   actorType,
   actorId,
   size = 20,
+  avatarUrl,
   getName,
   getInitials,
+  getAvatarUrl,
   className,
 }: ActorAvatarProps) {
   const actorNameHook = useActorName();
   const resolveName = getName ?? actorNameHook.getActorName;
   const resolveInitials = getInitials ?? actorNameHook.getActorInitials;
+  const resolveAvatarUrl = getAvatarUrl ?? actorNameHook.getActorAvatarUrl;
 
   const name = resolveName(actorType, actorId);
   const initials = resolveInitials(actorType, actorId);
   const isAgent = actorType === "agent";
+  const resolvedUrl = avatarUrl !== undefined ? avatarUrl : resolveAvatarUrl(actorType, actorId);
+
+  const [imgError, setImgError] = useState(false);
+
+  // Reset error state when URL changes (e.g. user uploads new avatar)
+  useEffect(() => {
+    setImgError(false);
+  }, [resolvedUrl]);
 
   return (
     <div
       className={cn(
-        "inline-flex shrink-0 items-center justify-center rounded-full font-medium",
+        "inline-flex shrink-0 items-center justify-center rounded-full font-medium overflow-hidden",
         "bg-muted text-muted-foreground",
         className
       )}
       style={{ width: size, height: size, fontSize: size * 0.45 }}
       title={name}
     >
-      {isAgent ? (
+      {resolvedUrl && !imgError ? (
+        <img
+          src={resolvedUrl}
+          alt={name}
+          className="h-full w-full object-cover"
+          onError={() => setImgError(true)}
+        />
+      ) : isAgent ? (
         <Bot style={{ width: size * 0.55, height: size * 0.55 }} />
       ) : (
         initials

apps/web/components/common/rich-text-editor.tsx

@@ -12,9 +12,12 @@ import Placeholder from "@tiptap/extension-placeholder";
 import Link from "@tiptap/extension-link";
 import Typography from "@tiptap/extension-typography";
 import Mention from "@tiptap/extension-mention";
+import Image from "@tiptap/extension-image";
 import { Markdown } from "@tiptap/markdown";
 import { Extension } from "@tiptap/core";
+import { Plugin, PluginKey } from "@tiptap/pm/state";
 import { cn } from "@/lib/utils";
+import type { UploadResult } from "@/shared/hooks/use-file-upload";
 import { createMentionSuggestion } from "./mention-suggestion";
 import "./rich-text-editor.css";
 
@@ -30,12 +33,14 @@ interface RichTextEditorProps {
   className?: string;
   debounceMs?: number;
   onSubmit?: () => void;
+  onUploadFile?: (file: File) => Promise<UploadResult | null>;
 }
 
 interface RichTextEditorRef {
   getMarkdown: () => string;
   clearContent: () => void;
   focus: () => void;
+  insertFile: (filename: string, url: string, isImage: boolean) => void;
 }
 
 // ---------------------------------------------------------------------------
@@ -139,6 +144,77 @@ function createSubmitExtension(onSubmit: () => void) {
   });
 }
 
+// ---------------------------------------------------------------------------
+// File upload extension (paste + drop)
+// ---------------------------------------------------------------------------
+
+function createFileUploadExtension(
+  onUploadFileRef: React.RefObject<((file: File) => Promise<UploadResult | null>) | undefined>,
+) {
+  return Extension.create({
+    name: "fileUpload",
+    addProseMirrorPlugins() {
+      const { editor } = this;
+
+      const handleFiles = async (files: FileList, pos?: number) => {
+        const handler = onUploadFileRef.current;
+        if (!handler) return false;
+
+        let handled = false;
+        for (const file of Array.from(files)) {
+          handled = true;
+          try {
+            const result = await handler(file);
+            if (!result) continue;
+
+            const isImage = file.type.startsWith("image/");
+            if (isImage) {
+              editor
+                .chain()
+                .focus()
+                .setImage({ src: result.link, alt: result.filename })
+                .run();
+            } else {
+              // Insert as a markdown link
+              const linkText = `[${result.filename}](${result.link})`;
+              if (pos !== undefined) {
+                editor.chain().focus().insertContentAt(pos, linkText).run();
+              } else {
+                editor.chain().focus().insertContent(linkText).run();
+              }
+            }
+          } catch {
+            // Upload errors handled by the hook/caller via toast
+          }
+        }
+        return handled;
+      };
+
+      return [
+        new Plugin({
+          key: new PluginKey("fileUpload"),
+          props: {
+            handlePaste(_view, event) {
+              const files = event.clipboardData?.files;
+              if (!files?.length) return false;
+              if (!onUploadFileRef.current) return false;
+              handleFiles(files);
+              return true;
+            },
+            handleDrop(_view, event) {
+              const files = (event as DragEvent).dataTransfer?.files;
+              if (!files?.length) return false;
+              if (!onUploadFileRef.current) return false;
+              handleFiles(files);
+              return true;
+            },
+          },
+        }),
+      ];
+    },
+  });
+}
+
 // ---------------------------------------------------------------------------
 // Component
 // ---------------------------------------------------------------------------
@@ -153,12 +229,14 @@ const RichTextEditor = forwardRef<RichTextEditorRef, RichTextEditorProps>(
       className,
       debounceMs = 300,
       onSubmit,
+      onUploadFile,
     },
     ref,
   ) {
     const debounceRef = useRef<ReturnType<typeof setTimeout>>(undefined);
     const onUpdateRef = useRef(onUpdate);
     const onSubmitRef = useRef(onSubmit);
+    const onUploadFileRef = useRef(onUploadFile);
 
     // Helper to get markdown from @tiptap/markdown extension
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
@@ -168,6 +246,7 @@ const RichTextEditor = forwardRef<RichTextEditorRef, RichTextEditorProps>(
     // Keep refs in sync without recreating editor
     onUpdateRef.current = onUpdate;
     onSubmitRef.current = onSubmit;
+    onUploadFileRef.current = onUploadFile;
 
     const editor = useEditor({
       immediatelyRender: false,
@@ -184,8 +263,14 @@ const RichTextEditor = forwardRef<RichTextEditorRef, RichTextEditorProps>(
         LinkExtension,
         Typography,
         MentionExtension,
+        Image.configure({
+          inline: false,
+          allowBase64: false,
+          HTMLAttributes: { style: "max-width: 100%; height: auto;" },
+        }),
         Markdown,
         createSubmitExtension(() => onSubmitRef.current?.()),
+        createFileUploadExtension(onUploadFileRef),
       ],
       onUpdate: ({ editor: ed }) => {
         if (!onUpdateRef.current) return;
@@ -230,6 +315,14 @@ const RichTextEditor = forwardRef<RichTextEditorRef, RichTextEditorProps>(
       focus: () => {
         editor?.commands.focus();
       },
+      insertFile: (filename: string, url: string, isImage: boolean) => {
+        if (!editor) return;
+        if (isImage) {
+          editor.chain().focus().setImage({ src: url, alt: filename }).run();
+        } else {
+          editor.chain().focus().insertContent(`[${filename}](${url})`).run();
+        }
+      },
     }));
 
     if (!editor) return null;

apps/web/components/markdown/Markdown.tsx

@@ -56,6 +56,15 @@ function createComponents(
   onFileClick?: (path: string) => void
 ): Partial<Components> {
   const baseComponents: Partial<Components> = {
+    // Images: render uploaded images with constrained sizing
+    img: ({ src, alt }) => (
+      <img
+        src={src}
+        alt={alt ?? ""}
+        className="max-w-full h-auto rounded-md my-2"
+        loading="lazy"
+      />
+    ),
     // Links: Make clickable with callbacks, or render as mention
     a: ({ href, children }) => {
       // Mention links: mention://member/id or mention://agent/id

apps/web/features/issues/components/comment-card.tsx

@@ -28,6 +28,7 @@ import type { TimelineEntry } from "@/shared/types";
 // ---------------------------------------------------------------------------
 
 interface CommentCardProps {
+  issueId: string;
   entry: TimelineEntry;
   allReplies: Map<string, TimelineEntry[]>;
   currentUserId?: string;
@@ -183,6 +184,7 @@ function CommentRow({
 // ---------------------------------------------------------------------------
 
 function CommentCard({
+  issueId,
   entry,
   allReplies,
   currentUserId,
@@ -365,6 +367,7 @@ function CommentCard({
           {/* Reply input */}
           <div className="border-t border-border/50 px-4 py-2.5">
             <ReplyInput
+              issueId={issueId}
               placeholder="Leave a reply..."
               size="sm"
               avatarType="member"

apps/web/features/issues/components/comment-input.tsx

@@ -1,18 +1,34 @@
 "use client";
 
 import { useRef, useState } from "react";
-import { ArrowUp } from "lucide-react";
+import { ArrowUp, Paperclip } from "lucide-react";
 import { Button } from "@/components/ui/button";
 import { RichTextEditor, type RichTextEditorRef } from "@/components/common/rich-text-editor";
+import { useFileUpload } from "@/shared/hooks/use-file-upload";
 
 interface CommentInputProps {
+  issueId: string;
   onSubmit: (content: string) => Promise<void>;
 }
 
-function CommentInput({ onSubmit }: CommentInputProps) {
+function CommentInput({ issueId, onSubmit }: CommentInputProps) {
   const editorRef = useRef<RichTextEditorRef>(null);
+  const fileInputRef = useRef<HTMLInputElement>(null);
   const [isEmpty, setIsEmpty] = useState(true);
   const [submitting, setSubmitting] = useState(false);
+  const { uploadWithToast, uploading } = useFileUpload();
+
+  const handleUpload = (file: File) => uploadWithToast(file, { issueId });
+
+  const handleFileSelect = async (e: React.ChangeEvent<HTMLInputElement>) => {
+    const file = e.target.files?.[0];
+    if (!file) return;
+    e.target.value = "";
+    const result = await handleUpload(file);
+    if (result) {
+      editorRef.current?.insertFile(result.filename, result.link, file.type.startsWith("image/"));
+    }
+  };
 
   const handleSubmit = async () => {
     const content = editorRef.current?.getMarkdown()?.replace(/(\n\s*)+$/, "").trim();
@@ -35,10 +51,26 @@ function CommentInput({ onSubmit }: CommentInputProps) {
           placeholder="Leave a comment..."
           onUpdate={(md) => setIsEmpty(!md.trim())}
           onSubmit={handleSubmit}
+          onUploadFile={handleUpload}
           debounceMs={100}
         />
       </div>
-      <div className="absolute bottom-1.5 right-1.5">
+      <div className="absolute bottom-1.5 right-1.5 flex items-center gap-1">
+        <Button
+          variant="ghost"
+          size="icon-sm"
+          onClick={() => fileInputRef.current?.click()}
+          disabled={uploading}
+          className="text-muted-foreground hover:text-foreground"
+        >
+          <Paperclip className="h-4 w-4" />
+        </Button>
+        <input
+          ref={fileInputRef}
+          type="file"
+          className="hidden"
+          onChange={handleFileSelect}
+        />
         <Button
           size="icon-sm"
           disabled={isEmpty || submitting}

apps/web/features/issues/components/issue-detail.tsx

@@ -69,6 +69,7 @@ import { useIssueTimeline } from "@/features/issues/hooks/use-issue-timeline";
 import { useIssueReactions } from "@/features/issues/hooks/use-issue-reactions";
 import { useIssueSubscribers } from "@/features/issues/hooks/use-issue-subscribers";
 import { ReactionBar } from "@/components/common/reaction-bar";
+import { useFileUpload } from "@/shared/hooks/use-file-upload";
 import { timeAgo } from "@/shared/utils";
 
 function shortDate(date: string | null): string {
@@ -179,6 +180,7 @@ export function IssueDetail({ issueId, onDelete, defaultSidebarOpen = true, layo
   const prevIssue = currentIndex > 0 ? allIssues[currentIndex - 1] : null;
   const nextIssue = currentIndex < allIssues.length - 1 ? allIssues[currentIndex + 1] : null;
   const { getActorName, getActorInitials } = useActorName();
+  const { uploadWithToast } = useFileUpload();
   const { defaultLayout, onLayoutChanged } = useDefaultLayout({
     id: layoutId,
   });
@@ -249,6 +251,11 @@ export function IssueDetail({ issueId, onDelete, defaultSidebarOpen = true, layo
     [issue, id],
   );
 
+  const handleDescriptionUpload = useCallback(
+    (file: File) => uploadWithToast(file, { issueId: id }),
+    [uploadWithToast, id],
+  );
+
   const handleDelete = async () => {
     setDeleting(true);
     try {
@@ -574,6 +581,7 @@ export function IssueDetail({ issueId, onDelete, defaultSidebarOpen = true, layo
             defaultValue={issue.description || ""}
             placeholder="Add description..."
             onUpdate={(md) => handleUpdateField({ description: md || undefined })}
+            onUploadFile={handleDescriptionUpload}
             debounceMs={1500}
             className="mt-5"
           />
@@ -741,6 +749,7 @@ export function IssueDetail({ issueId, onDelete, defaultSidebarOpen = true, layo
                     return (
                       <CommentCard
                         key={entry.id}
+                        issueId={id}
                         entry={entry}
                         allReplies={repliesByParent}
                         currentUserId={user?.id}
@@ -803,7 +812,7 @@ export function IssueDetail({ issueId, onDelete, defaultSidebarOpen = true, layo
 
             {/* Bottom comment input — no avatar, full width */}
             <div className="mt-4">
-              <CommentInput onSubmit={submitComment} />
+              <CommentInput issueId={id} onSubmit={submitComment} />
             </div>
           </div>
         </div>

apps/web/features/issues/components/reply-input.tsx

@@ -1,16 +1,18 @@
 "use client";
 
 import { useRef, useState } from "react";
-import { ArrowUp } from "lucide-react";
+import { ArrowUp, Paperclip } from "lucide-react";
 import { Button } from "@/components/ui/button";
 import { RichTextEditor, type RichTextEditorRef } from "@/components/common/rich-text-editor";
 import { ActorAvatar } from "@/components/common/actor-avatar";
+import { useFileUpload } from "@/shared/hooks/use-file-upload";
 
 // ---------------------------------------------------------------------------
 // Types
 // ---------------------------------------------------------------------------
 
 interface ReplyInputProps {
+  issueId: string;
   placeholder?: string;
   avatarType: string;
   avatarId: string;
@@ -23,6 +25,7 @@ interface ReplyInputProps {
 // ---------------------------------------------------------------------------
 
 function ReplyInput({
+  issueId,
   placeholder = "Leave a reply...",
   avatarType,
   avatarId,
@@ -30,8 +33,22 @@ function ReplyInput({
   size = "default",
 }: ReplyInputProps) {
   const editorRef = useRef<RichTextEditorRef>(null);
+  const fileInputRef = useRef<HTMLInputElement>(null);
   const [isEmpty, setIsEmpty] = useState(true);
   const [submitting, setSubmitting] = useState(false);
+  const { uploadWithToast, uploading } = useFileUpload();
+
+  const handleUpload = (file: File) => uploadWithToast(file, { issueId });
+
+  const handleFileSelect = async (e: React.ChangeEvent<HTMLInputElement>) => {
+    const file = e.target.files?.[0];
+    if (!file) return;
+    e.target.value = "";
+    const result = await handleUpload(file);
+    if (result) {
+      editorRef.current?.insertFile(result.filename, result.link, file.type.startsWith("image/"));
+    }
+  };
 
   const handleSubmit = async () => {
     const content = editorRef.current?.getMarkdown()?.replace(/(\n\s*)+$/, "").trim();
@@ -67,6 +84,7 @@ function ReplyInput({
             placeholder={placeholder}
             onUpdate={(md) => setIsEmpty(!md.trim())}
             onSubmit={handleSubmit}
+            onUploadFile={handleUpload}
             debounceMs={100}
           />
         </div>
@@ -76,7 +94,23 @@ function ReplyInput({
           }`}
         >
           <div className="overflow-hidden">
-            <div className="flex items-center justify-end pt-1">
+            <div className="flex items-center justify-end gap-1 pt-1">
+              <Button
+                variant="ghost"
+                size="icon-xs"
+                onClick={() => fileInputRef.current?.click()}
+                disabled={uploading}
+                tabIndex={isEmpty ? -1 : 0}
+                className="text-muted-foreground hover:text-foreground"
+              >
+                <Paperclip className="h-3.5 w-3.5" />
+              </Button>
+              <input
+                ref={fileInputRef}
+                type="file"
+                className="hidden"
+                onChange={handleFileSelect}
+              />
               <Button
                 size="icon-xs"
                 disabled={isEmpty || submitting}

apps/web/features/workspace/hooks.ts

@@ -32,5 +32,11 @@ export function useActorName() {
       .slice(0, 2);
   };
 
-  return { getMemberName, getAgentName, getActorName, getActorInitials };
+  const getActorAvatarUrl = (type: string, id: string): string | null => {
+    if (type === "member") return members.find((m) => m.user_id === id)?.avatar_url ?? null;
+    if (type === "agent") return agents.find((a) => a.id === id)?.avatar_url ?? null;
+    return null;
+  };
+
+  return { getMemberName, getAgentName, getActorName, getActorInitials, getActorAvatarUrl };
 }

apps/web/package.json

@@ -18,6 +18,7 @@
     "@dnd-kit/utilities": "^3.2.2",
     "@emoji-mart/data": "^1.2.1",
     "@floating-ui/dom": "^1.7.6",
+    "@tiptap/extension-image": "^3.21.0",
     "@tiptap/extension-link": "^3.20.5",
     "@tiptap/extension-mention": "^3.20.5",
     "@tiptap/extension-placeholder": "^3.20.5",

apps/web/shared/api/client.ts

@@ -35,6 +35,7 @@ import type {
   RuntimePing,
   TimelineEntry,
   TaskMessagePayload,
+  Attachment,
 } from "@/shared/types";
 import { type Logger, noopLogger } from "@/shared/logger";
 
@@ -62,6 +63,35 @@ export class ApiClient {
     this.workspaceId = id;
   }
 
+  private authHeaders(): Record<string, string> {
+    const headers: Record<string, string> = {};
+    if (this.token) headers["Authorization"] = `Bearer ${this.token}`;
+    if (this.workspaceId) headers["X-Workspace-ID"] = this.workspaceId;
+    return headers;
+  }
+
+  private handleUnauthorized() {
+    if (typeof window !== "undefined") {
+      localStorage.removeItem("multica_token");
+      localStorage.removeItem("multica_workspace_id");
+      this.token = null;
+      this.workspaceId = null;
+      if (window.location.pathname !== "/login") {
+        window.location.href = "/login";
+      }
+    }
+  }
+
+  private async parseErrorMessage(res: Response, fallback: string): Promise<string> {
+    try {
+      const data = await res.json() as { error?: string };
+      if (typeof data.error === "string" && data.error) return data.error;
+    } catch {
+      // Ignore non-JSON error bodies.
+    }
+    return fallback;
+  }
+
   private async fetch<T>(path: string, init?: RequestInit): Promise<T> {
     const rid = crypto.randomUUID().slice(0, 8);
     const start = Date.now();
@@ -70,14 +100,9 @@ export class ApiClient {
     const headers: Record<string, string> = {
       "Content-Type": "application/json",
       "X-Request-ID": rid,
+      ...this.authHeaders(),
       ...((init?.headers as Record<string, string>) ?? {}),
     };
-    if (this.token) {
-      headers["Authorization"] = `Bearer ${this.token}`;
-    }
-    if (this.workspaceId) {
-      headers["X-Workspace-ID"] = this.workspaceId;
-    }
 
     this.logger.info(`→ ${method} ${path}`, { rid });
 
@@ -87,25 +112,8 @@ export class ApiClient {
     });
 
     if (!res.ok) {
-      if (res.status === 401 && typeof window !== "undefined") {
-        localStorage.removeItem("multica_token");
-        localStorage.removeItem("multica_workspace_id");
-        this.token = null;
-        this.workspaceId = null;
-        if (window.location.pathname !== "/login") {
-          window.location.href = "/login";
-        }
-      }
-
-      let message = `API error: ${res.status} ${res.statusText}`;
-      try {
-        const data = await res.json() as { error?: string };
-        if (typeof data.error === "string" && data.error) {
-          message = data.error;
-        }
-      } catch {
-        // Ignore non-JSON error bodies.
-      }
+      if (res.status === 401) this.handleUnauthorized();
+      const message = await this.parseErrorMessage(res, `API error: ${res.status} ${res.statusText}`);
       this.logger.error(`← ${res.status} ${path}`, { rid, duration: `${Date.now() - start}ms`, error: message });
       throw new Error(message);
     }
@@ -519,4 +527,40 @@ export class ApiClient {
   async revokePersonalAccessToken(id: string): Promise<void> {
     await this.fetch(`/api/tokens/${id}`, { method: "DELETE" });
   }
+
+  // File Upload & Attachments
+  async uploadFile(file: File, opts?: { issueId?: string; commentId?: string }): Promise<Attachment> {
+    const formData = new FormData();
+    formData.append("file", file);
+    if (opts?.issueId) formData.append("issue_id", opts.issueId);
+    if (opts?.commentId) formData.append("comment_id", opts.commentId);
+
+    const rid = crypto.randomUUID().slice(0, 8);
+    const start = Date.now();
+    this.logger.info("→ POST /api/upload-file", { rid });
+
+    const res = await fetch(`${this.baseUrl}/api/upload-file`, {
+      method: "POST",
+      headers: this.authHeaders(),
+      body: formData,
+    });
+
+    if (!res.ok) {
+      if (res.status === 401) this.handleUnauthorized();
+      const message = await this.parseErrorMessage(res, `Upload failed: ${res.status}`);
+      this.logger.error(`← ${res.status} /api/upload-file`, { rid, duration: `${Date.now() - start}ms`, error: message });
+      throw new Error(message);
+    }
+
+    this.logger.info(`← ${res.status} /api/upload-file`, { rid, duration: `${Date.now() - start}ms` });
+    return res.json() as Promise<Attachment>;
+  }
+
+  async listAttachments(issueId: string): Promise<Attachment[]> {
+    return this.fetch(`/api/issues/${issueId}/attachments`);
+  }
+
+  async deleteAttachment(id: string): Promise<void> {
+    await this.fetch(`/api/attachments/${id}`, { method: "DELETE" });
+  }
 }

apps/web/shared/hooks/use-file-upload.ts

@@ -0,0 +1,83 @@
+"use client";
+
+import { useState, useCallback } from "react";
+import { toast } from "sonner";
+import { api } from "@/shared/api";
+import type { Attachment } from "@/shared/types";
+
+const MAX_FILE_SIZE = 10 * 1024 * 1024; // 10 MB
+
+const ALLOWED_TYPES = new Set([
+  "image/png",
+  "image/jpeg",
+  "image/gif",
+  "image/webp",
+  "image/svg+xml",
+  "application/pdf",
+  "text/plain",
+  "text/csv",
+  "application/json",
+  "video/mp4",
+  "video/webm",
+  "audio/mpeg",
+  "audio/wav",
+  "application/zip",
+]);
+
+function isAllowedType(type: string): boolean {
+  // Empty MIME type (browser couldn't determine) — let the server sniff and decide.
+  if (!type) return true;
+  const mediaType = type.split(";")[0] ?? "";
+  return ALLOWED_TYPES.has(mediaType.trim().toLowerCase());
+}
+
+export interface UploadResult {
+  filename: string;
+  link: string;
+}
+
+export interface UploadContext {
+  issueId?: string;
+  commentId?: string;
+}
+
+export function useFileUpload() {
+  const [uploading, setUploading] = useState(false);
+
+  const upload = useCallback(
+    async (file: File, ctx?: UploadContext): Promise<UploadResult | null> => {
+      if (file.size > MAX_FILE_SIZE) {
+        throw new Error("File exceeds 10 MB limit");
+      }
+      if (!isAllowedType(file.type)) {
+        throw new Error(`File type not allowed: ${file.type}`);
+      }
+
+      setUploading(true);
+      try {
+        const att: Attachment = await api.uploadFile(file, {
+          issueId: ctx?.issueId,
+          commentId: ctx?.commentId,
+        });
+        return { filename: att.filename, link: att.url };
+      } finally {
+        setUploading(false);
+      }
+    },
+    [],
+  );
+
+  const uploadWithToast = useCallback(
+    async (file: File, ctx?: UploadContext): Promise<UploadResult | null> => {
+      try {
+        return await upload(file, ctx);
+      } catch (err) {
+        toast.error(err instanceof Error ? err.message : "Upload failed");
+        return null;
+      }
+    },
+    [upload],
+  );
+
+  return { upload, uploadWithToast, uploading };
+}

apps/web/shared/types/activity.ts

@@ -1,4 +1,5 @@
 import type { Reaction } from "./comment";
+import type { Attachment } from "./attachment";
 
 export interface TimelineEntry {
   type: "activity" | "comment";
@@ -15,4 +16,5 @@ export interface TimelineEntry {
   updated_at?: string;
   comment_type?: string;
   reactions?: Reaction[];
+  attachments?: Attachment[];
 }

apps/web/shared/types/attachment.ts

@@ -0,0 +1,14 @@
+export interface Attachment {
+  id: string;
+  workspace_id: string;
+  issue_id: string | null;
+  comment_id: string | null;
+  uploader_type: string;
+  uploader_id: string;
+  filename: string;
+  url: string;
+  download_url: string;
+  content_type: string;
+  size_bytes: number;
+  created_at: string;
+}

apps/web/shared/types/comment.ts

@@ -20,6 +20,7 @@ export interface Comment {
   type: CommentType;
   parent_id: string | null;
   reactions: Reaction[];
+  attachments: import("./attachment").Attachment[];
   created_at: string;
   updated_at: string;
 }

apps/web/shared/types/index.ts

@@ -30,3 +30,4 @@ export type { IssueSubscriber } from "./subscriber";
 export type { DaemonPairingSession, DaemonPairingSessionStatus, ApproveDaemonPairingSessionRequest } from "./daemon";
 export type * from "./events";
 export type * from "./api";
+export type { Attachment } from "./attachment";

pnpm-lock.yaml

@@ -75,6 +75,9 @@ importers:
       '@floating-ui/dom':
         specifier: ^1.7.6
         version: 1.7.6
+      '@tiptap/extension-image':
+        specifier: ^3.21.0
+        version: 3.21.0(@tiptap/core@3.20.5(@tiptap/pm@3.20.5))
       '@tiptap/extension-link':
         specifier: ^3.20.5
         version: 3.20.5(@tiptap/core@3.20.5(@tiptap/pm@3.20.5))(@tiptap/pm@3.20.5)
@@ -1368,6 +1371,11 @@ packages:
       '@tiptap/core': ^3.20.5
       '@tiptap/pm': ^3.20.5
 
+  '@tiptap/extension-image@3.21.0':
+    resolution: {integrity: sha512-W9786a2K4LSZJMPeRLmoDulJeXOsM0ueRV2MHjTol7ikPRauROB7GUbAz9DyPAJHA2AGUfpswnGAYPO3tz5CLg==}
+    peerDependencies:
+      '@tiptap/core': ^3.21.0
+
   '@tiptap/extension-italic@3.20.5':
     resolution: {integrity: sha512-7bZCgdJVTvhR5vSmNgFQbGvgRoC6m26KcUpHqWiKA95kLL5Wk4YlMCIqdiDpvJ1eakeFEvDcGZvFLg5+1NiQ+w==}
     peerDependencies:
@@ -4949,6 +4957,10 @@ snapshots:
       '@tiptap/core': 3.20.5(@tiptap/pm@3.20.5)
       '@tiptap/pm': 3.20.5
 
+  '@tiptap/extension-image@3.21.0(@tiptap/core@3.20.5(@tiptap/pm@3.20.5))':
+    dependencies:
+      '@tiptap/core': 3.20.5(@tiptap/pm@3.20.5)
+
   '@tiptap/extension-italic@3.20.5(@tiptap/core@3.20.5(@tiptap/pm@3.20.5))':
     dependencies:
       '@tiptap/core': 3.20.5(@tiptap/pm@3.20.5)

server/cmd/server/router.go

@@ -12,11 +12,13 @@ import (
 	"github.com/jackc/pgx/v5/pgtype"
 	"github.com/jackc/pgx/v5/pgxpool"
 
+	"github.com/multica-ai/multica/server/internal/auth"
 	"github.com/multica-ai/multica/server/internal/events"
 	"github.com/multica-ai/multica/server/internal/handler"
 	"github.com/multica-ai/multica/server/internal/middleware"
 	"github.com/multica-ai/multica/server/internal/realtime"
 	"github.com/multica-ai/multica/server/internal/service"
+	"github.com/multica-ai/multica/server/internal/storage"
 	db "github.com/multica-ai/multica/server/pkg/db/generated"
 )
 
@@ -47,7 +49,9 @@ func allowedOrigins() []string {
 func NewRouter(pool *pgxpool.Pool, hub *realtime.Hub, bus *events.Bus) chi.Router {
 	queries := db.New(pool)
 	emailSvc := service.NewEmailService()
-	h := handler.New(queries, pool, hub, bus, emailSvc)
+	s3 := storage.NewS3StorageFromEnv()
+	cfSigner := auth.NewCloudFrontSignerFromEnv()
+	h := handler.New(queries, pool, hub, bus, emailSvc, s3, cfSigner)
 
 	r := chi.NewRouter()
 
@@ -106,10 +110,12 @@ func NewRouter(pool *pgxpool.Pool, hub *realtime.Hub, bus *events.Bus) chi.Route
 	// Protected API routes
 	r.Group(func(r chi.Router) {
 		r.Use(middleware.Auth(queries))
+		r.Use(middleware.RefreshCloudFrontCookies(cfSigner))
 
 		// --- User-scoped routes (no workspace context required) ---
 		r.Get("/api/me", h.GetMe)
 		r.Patch("/api/me", h.UpdateMe)
+		r.Post("/api/upload-file", h.UploadFile)
 
 		r.Route("/api/workspaces", func(r chi.Router) {
 			r.Get("/", h.ListWorkspaces)
@@ -170,9 +176,13 @@ func NewRouter(pool *pgxpool.Pool, hub *realtime.Hub, bus *events.Bus) chi.Route
 					r.Get("/task-runs", h.ListTasksByIssue)
 					r.Post("/reactions", h.AddIssueReaction)
 					r.Delete("/reactions", h.RemoveIssueReaction)
+					r.Get("/attachments", h.ListAttachments)
 				})
 			})
 
+			// Attachments
+			r.Delete("/api/attachments/{id}", h.DeleteAttachment)
+
 			// Comments
 			r.Route("/api/comments/{commentId}", func(r chi.Router) {
 				r.Put("/", h.UpdateComment)

server/go.mod

@@ -3,21 +3,41 @@ module github.com/multica-ai/multica/server
 go 1.26.1
 
 require (
+	github.com/aws/aws-sdk-go-v2 v1.41.5
+	github.com/aws/aws-sdk-go-v2/config v1.32.13
+	github.com/aws/aws-sdk-go-v2/credentials v1.19.13
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.97.3
+	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.41.5
 	github.com/go-chi/chi/v5 v5.2.5
 	github.com/go-chi/cors v1.2.2
 	github.com/golang-jwt/jwt/v5 v5.3.1
 	github.com/gorilla/websocket v1.5.3
 	github.com/jackc/pgx/v5 v5.8.0
+	github.com/lmittmann/tint v1.1.3
 	github.com/resend/resend-go/v2 v2.28.0
 	github.com/spf13/cobra v1.10.2
 )
 
 require (
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.8 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.21 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.21 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.21 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.6 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.22 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.13 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.21 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.21 // indirect
+	github.com/aws/aws-sdk-go-v2/service/signin v1.0.9 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.30.14 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.18 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.41.10 // indirect
+	github.com/aws/smithy-go v1.24.2 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
 	github.com/jackc/puddle/v2 v2.2.2 // indirect
-	github.com/lmittmann/tint v1.1.3 // indirect
 	github.com/spf13/pflag v1.0.9 // indirect
 	golang.org/x/sync v0.20.0 // indirect
 	golang.org/x/text v0.35.0 // indirect

server/go.sum

@@ -1,3 +1,43 @@
+github.com/aws/aws-sdk-go-v2 v1.41.5 h1:dj5kopbwUsVUVFgO4Fi5BIT3t4WyqIDjGKCangnV/yY=
+github.com/aws/aws-sdk-go-v2 v1.41.5/go.mod h1:mwsPRE8ceUUpiTgF7QmQIJ7lgsKUPQOUl3o72QBrE1o=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.8 h1:eBMB84YGghSocM7PsjmmPffTa+1FBUeNvGvFou6V/4o=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.8/go.mod h1:lyw7GFp3qENLh7kwzf7iMzAxDn+NzjXEAGjKS2UOKqI=
+github.com/aws/aws-sdk-go-v2/config v1.32.13 h1:5KgbxMaS2coSWRrx9TX/QtWbqzgQkOdEa3sZPhBhCSg=
+github.com/aws/aws-sdk-go-v2/config v1.32.13/go.mod h1:8zz7wedqtCbw5e9Mi2doEwDyEgHcEE9YOJp6a8jdSMY=
+github.com/aws/aws-sdk-go-v2/credentials v1.19.13 h1:mA59E3fokBvyEGHKFdnpNNrvaR351cqiHgRg+JzOSRI=
+github.com/aws/aws-sdk-go-v2/credentials v1.19.13/go.mod h1:yoTXOQKea18nrM69wGF9jBdG4WocSZA1h38A+t/MAsk=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.21 h1:NUS3K4BTDArQqNu2ih7yeDLaS3bmHD0YndtA6UP884g=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.21/go.mod h1:YWNWJQNjKigKY1RHVJCuupeWDrrHjRqHm0N9rdrWzYI=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.21 h1:Rgg6wvjjtX8bNHcvi9OnXWwcE0a2vGpbwmtICOsvcf4=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.21/go.mod h1:A/kJFst/nm//cyqonihbdpQZwiUhhzpqTsdbhDdRF9c=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.21 h1:PEgGVtPoB6NTpPrBgqSE5hE/o47Ij9qk/SEZFbUOe9A=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.21/go.mod h1:p+hz+PRAYlY3zcpJhPwXlLC4C+kqn70WIHwnzAfs6ps=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.6 h1:qYQ4pzQ2Oz6WpQ8T3HvGHnZydA72MnLuFK9tJwmrbHw=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.6/go.mod h1:O3h0IK87yXci+kg6flUKzJnWeziQUKciKrLjcatSNcY=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.22 h1:rWyie/PxDRIdhNf4DzRk0lvjVOqFJuNnO8WwaIRVxzQ=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.22/go.mod h1:zd/JsJ4P7oGfUhXn1VyLqaRZwPmZwg44Jf2dS84Dm3Y=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7 h1:5EniKhLZe4xzL7a+fU3C2tfUN4nWIqlLesfrjkuPFTY=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7/go.mod h1:x0nZssQ3qZSnIcePWLvcoFisRXJzcTVvYpAAdYX8+GI=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.13 h1:JRaIgADQS/U6uXDqlPiefP32yXTda7Kqfx+LgspooZM=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.13/go.mod h1:CEuVn5WqOMilYl+tbccq8+N2ieCy0gVn3OtRb0vBNNM=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.21 h1:c31//R3xgIJMSC8S6hEVq+38DcvUlgFY0FM6mSI5oto=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.21/go.mod h1:r6+pf23ouCB718FUxaqzZdbpYFyDtehyZcmP5KL9FkA=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.21 h1:ZlvrNcHSFFWURB8avufQq9gFsheUgjVD9536obIknfM=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.21/go.mod h1:cv3TNhVrssKR0O/xxLJVRfd2oazSnZnkUeTf6ctUwfQ=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.97.3 h1:HwxWTbTrIHm5qY+CAEur0s/figc3qwvLWsNkF4RPToo=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.97.3/go.mod h1:uoA43SdFwacedBfSgfFSjjCvYe8aYBS7EnU5GZ/YKMM=
+github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.41.5 h1:z2ayoK3pOvf8ODj/vPR0FgAS5ONruBq0F94SRoW/BIU=
+github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.41.5/go.mod h1:mpZB5HAl4ZIISod9qCi12xZ170TbHX9CCJV5y7nb7QU=
+github.com/aws/aws-sdk-go-v2/service/signin v1.0.9 h1:QKZH0S178gCmFEgst8hN0mCX1KxLgHBKKY/CLqwP8lg=
+github.com/aws/aws-sdk-go-v2/service/signin v1.0.9/go.mod h1:7yuQJoT+OoH8aqIxw9vwF+8KpvLZ8AWmvmUWHsGQZvI=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.14 h1:GcLE9ba5ehAQma6wlopUesYg/hbcOhFNWTjELkiWkh4=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.14/go.mod h1:WSvS1NLr7JaPunCXqpJnWk1Bjo7IxzZXrZi1QQCkuqM=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.18 h1:mP49nTpfKtpXLt5SLn8Uv8z6W+03jYVoOSAl/c02nog=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.18/go.mod h1:YO8TrYtFdl5w/4vmjL8zaBSsiNp3w0L1FfKVKenZT7w=
+github.com/aws/aws-sdk-go-v2/service/sts v1.41.10 h1:p8ogvvLugcR/zLBXTXrTkj0RYBUdErbMnAFFp12Lm/U=
+github.com/aws/aws-sdk-go-v2/service/sts v1.41.10/go.mod h1:60dv0eZJfeVXfbT1tFJinbHrDfSJ2GZl4Q//OSSNAVw=
+github.com/aws/smithy-go v1.24.2 h1:FzA3bu/nt/vDvmnkg+R8Xl46gmzEDam6mZ1hzmwXFng=
+github.com/aws/smithy-go v1.24.2/go.mod h1:YE2RhdIuDbA5E5bTdciG9KrW3+TiEONeUWCqxX9i1Fc=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=

server/internal/auth/cloudfront.go

@@ -0,0 +1,203 @@
+package auth
+
+import (
+	"context"
+	"crypto"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/sha1"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/pem"
+	"fmt"
+	"log/slog"
+	"net/http"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	awsconfig "github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/service/secretsmanager"
+)
+
+// CloudFrontSigner generates signed cookies for CloudFront private distributions.
+type CloudFrontSigner struct {
+	keyPairID    string
+	privateKey   *rsa.PrivateKey
+	domain       string // CDN domain, e.g. "static.multica.ai"
+	cookieDomain string // cookie scope, e.g. ".multica.ai"
+}
+
+// NewCloudFrontSignerFromEnv creates a signer from environment variables.
+// Returns nil if CLOUDFRONT_KEY_PAIR_ID is not set (disables signed cookies).
+//
+// Private key resolution order:
+//  1. AWS Secrets Manager (CLOUDFRONT_PRIVATE_KEY_SECRET — secret name/ARN)
+//  2. Environment variable fallback (CLOUDFRONT_PRIVATE_KEY — base64-encoded PEM, for local dev only)
+//
+// Other required environment variables:
+//   - CLOUDFRONT_KEY_PAIR_ID
+//   - CLOUDFRONT_DOMAIN       (e.g. "static.multica.ai")
+//   - COOKIE_DOMAIN           (e.g. ".multica.ai")
+func NewCloudFrontSignerFromEnv() *CloudFrontSigner {
+	keyPairID := os.Getenv("CLOUDFRONT_KEY_PAIR_ID")
+	if keyPairID == "" {
+		slog.Info("CLOUDFRONT_KEY_PAIR_ID not set, signed cookies disabled")
+		return nil
+	}
+
+	domain := os.Getenv("CLOUDFRONT_DOMAIN")
+	if domain == "" {
+		slog.Error("CLOUDFRONT_DOMAIN not set")
+		return nil
+	}
+
+	cookieDomain := os.Getenv("COOKIE_DOMAIN")
+	if cookieDomain == "" {
+		slog.Error("COOKIE_DOMAIN not set")
+		return nil
+	}
+
+	rsaKey, err := loadPrivateKey()
+	if err != nil {
+		slog.Error("failed to load CloudFront private key", "error", err)
+		return nil
+	}
+
+	slog.Info("CloudFront cookie signer initialized", "key_pair_id", keyPairID, "domain", domain)
+	return &CloudFrontSigner{
+		keyPairID:    keyPairID,
+		privateKey:   rsaKey,
+		domain:       domain,
+		cookieDomain: cookieDomain,
+	}
+}
+
+// loadPrivateKey loads the RSA private key from Secrets Manager or env var fallback.
+func loadPrivateKey() (*rsa.PrivateKey, error) {
+	// 1. Try Secrets Manager
+	if secretName := os.Getenv("CLOUDFRONT_PRIVATE_KEY_SECRET"); secretName != "" {
+		slog.Info("loading CloudFront private key from Secrets Manager", "secret", secretName)
+		return loadKeyFromSecretsManager(secretName)
+	}
+
+	// 2. Fallback: base64-encoded env var (local dev)
+	if pkB64 := os.Getenv("CLOUDFRONT_PRIVATE_KEY"); pkB64 != "" {
+		slog.Info("loading CloudFront private key from environment variable (local dev)")
+		pemBytes, err := base64.StdEncoding.DecodeString(pkB64)
+		if err != nil {
+			return nil, fmt.Errorf("base64 decode: %w", err)
+		}
+		return parseRSAPrivateKey(pemBytes)
+	}
+
+	return nil, fmt.Errorf("neither CLOUDFRONT_PRIVATE_KEY_SECRET nor CLOUDFRONT_PRIVATE_KEY is set")
+}
+
+func loadKeyFromSecretsManager(secretName string) (*rsa.PrivateKey, error) {
+	cfg, err := awsconfig.LoadDefaultConfig(context.Background())
+	if err != nil {
+		return nil, fmt.Errorf("load AWS config: %w", err)
+	}
+
+	client := secretsmanager.NewFromConfig(cfg)
+	result, err := client.GetSecretValue(context.Background(), &secretsmanager.GetSecretValueInput{
+		SecretId: aws.String(secretName),
+	})
+	if err != nil {
+		return nil, fmt.Errorf("get secret %q: %w", secretName, err)
+	}
+
+	if result.SecretString == nil {
+		return nil, fmt.Errorf("secret %q has no string value", secretName)
+	}
+
+	return parseRSAPrivateKey([]byte(*result.SecretString))
+}
+
+func parseRSAPrivateKey(pemBytes []byte) (*rsa.PrivateKey, error) {
+	block, _ := pem.Decode(pemBytes)
+	if block == nil {
+		return nil, fmt.Errorf("no PEM block found")
+	}
+
+	// Try PKCS8 first, then PKCS1
+	if key, err := x509.ParsePKCS8PrivateKey(block.Bytes); err == nil {
+		if rsaKey, ok := key.(*rsa.PrivateKey); ok {
+			return rsaKey, nil
+		}
+		return nil, fmt.Errorf("PKCS8 key is not RSA")
+	}
+
+	rsaKey, err := x509.ParsePKCS1PrivateKey(block.Bytes)
+	if err != nil {
+		return nil, fmt.Errorf("parse private key: %w", err)
+	}
+	return rsaKey, nil
+}
+
+// SignedCookies generates the three CloudFront signed cookies with the given expiry.
+func (s *CloudFrontSigner) SignedCookies(expiry time.Time) []*http.Cookie {
+	policy := fmt.Sprintf(`{"Statement":[{"Resource":"https://%s/*","Condition":{"DateLessThan":{"AWS:EpochTime":%d}}}]}`, s.domain, expiry.Unix())
+
+	encodedPolicy := cfBase64Encode([]byte(policy))
+
+	h := sha1.New()
+	h.Write([]byte(policy))
+	sig, err := rsa.SignPKCS1v15(rand.Reader, s.privateKey, crypto.SHA1, h.Sum(nil))
+	if err != nil {
+		slog.Error("failed to sign CloudFront policy", "error", err)
+		return nil
+	}
+	encodedSig := cfBase64Encode(sig)
+
+	cookieAttrs := func(name, value string) *http.Cookie {
+		return &http.Cookie{
+			Name:     name,
+			Value:    value,
+			Domain:   s.cookieDomain,
+			Path:     "/",
+			Expires:  expiry,
+			Secure:   true,
+			HttpOnly: true,
+			SameSite: http.SameSiteNoneMode,
+		}
+	}
+
+	return []*http.Cookie{
+		cookieAttrs("CloudFront-Policy", encodedPolicy),
+		cookieAttrs("CloudFront-Signature", encodedSig),
+		cookieAttrs("CloudFront-Key-Pair-Id", s.keyPairID),
+	}
+}
+
+// SignedURL generates a CloudFront signed URL for the given resource URL.
+// Used by CLI/API clients that don't have browser cookies.
+func (s *CloudFrontSigner) SignedURL(rawURL string, expiry time.Time) string {
+	policy := fmt.Sprintf(`{"Statement":[{"Resource":"%s","Condition":{"DateLessThan":{"AWS:EpochTime":%d}}}]}`, rawURL, expiry.Unix())
+
+	encodedPolicy := cfBase64Encode([]byte(policy))
+
+	h := sha1.New()
+	h.Write([]byte(policy))
+	sig, err := rsa.SignPKCS1v15(rand.Reader, s.privateKey, crypto.SHA1, h.Sum(nil))
+	if err != nil {
+		slog.Error("failed to sign CloudFront URL", "error", err)
+		return rawURL
+	}
+	encodedSig := cfBase64Encode(sig)
+
+	separator := "?"
+	if strings.Contains(rawURL, "?") {
+		separator = "&"
+	}
+	return fmt.Sprintf("%s%sPolicy=%s&Signature=%s&Key-Pair-Id=%s", rawURL, separator, encodedPolicy, encodedSig, s.keyPairID)
+}
+
+// cfBase64Encode applies CloudFront's URL-safe base64 encoding.
+func cfBase64Encode(data []byte) string {
+	encoded := base64.StdEncoding.EncodeToString(data)
+	r := strings.NewReplacer("+", "-", "=", "_", "/", "~")
+	return r.Replace(encoded)
+}

server/internal/handler/activity.go

@@ -25,11 +25,12 @@ type TimelineEntry struct {
 	Details json.RawMessage `json:"details,omitempty"`
 
 	// Comment-only fields
-	Content     *string            `json:"content,omitempty"`
-	ParentID    *string            `json:"parent_id,omitempty"`
-	UpdatedAt   *string            `json:"updated_at,omitempty"`
-	CommentType *string            `json:"comment_type,omitempty"`
-	Reactions   []ReactionResponse `json:"reactions,omitempty"`
+	Content     *string              `json:"content,omitempty"`
+	ParentID    *string              `json:"parent_id,omitempty"`
+	UpdatedAt   *string              `json:"updated_at,omitempty"`
+	CommentType *string              `json:"comment_type,omitempty"`
+	Reactions   []ReactionResponse   `json:"reactions,omitempty"`
+	Attachments []AttachmentResponse `json:"attachments,omitempty"`
 }
 
 // ListTimeline returns a merged, chronologically-sorted timeline of activities
@@ -79,20 +80,22 @@ func (h *Handler) ListTimeline(w http.ResponseWriter, r *http.Request) {
 		})
 	}
 
-	// Fetch reactions for all comments in one batch.
+	// Fetch reactions and attachments for all comments in one batch.
 	commentIDs := make([]pgtype.UUID, len(comments))
 	for i, c := range comments {
 		commentIDs[i] = c.ID
 	}
 	grouped := h.groupReactions(r, commentIDs)
+	groupedAtt := h.groupAttachments(r, commentIDs)
 
 	for _, c := range comments {
 		content := c.Content
 		commentType := c.Type
 		updatedAt := timestampToString(c.UpdatedAt)
+		cid := uuidToString(c.ID)
 		timeline = append(timeline, TimelineEntry{
 			Type:        "comment",
-			ID:          uuidToString(c.ID),
+			ID:          cid,
 			ActorType:   c.AuthorType,
 			ActorID:     uuidToString(c.AuthorID),
 			Content:     &content,
@@ -100,7 +103,8 @@ func (h *Handler) ListTimeline(w http.ResponseWriter, r *http.Request) {
 			ParentID:    uuidToPtr(c.ParentID),
 			CreatedAt:   timestampToString(c.CreatedAt),
 			UpdatedAt:   &updatedAt,
-			Reactions:   grouped[uuidToString(c.ID)],
+			Reactions:   grouped[cid],
+			Attachments: groupedAtt[cid],
 		})
 	}
 

server/internal/handler/auth.go

@@ -300,6 +300,13 @@ func (h *Handler) VerifyCode(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	// Set CloudFront signed cookies for CDN access.
+	if h.CFSigner != nil {
+		for _, cookie := range h.CFSigner.SignedCookies(time.Now().Add(72 * time.Hour)) {
+			http.SetCookie(w, cookie)
+		}
+	}
+
 	slog.Info("user logged in", append(logger.RequestAttrs(r), "user_id", uuidToString(user.ID), "email", user.Email)...)
 	writeJSON(w, http.StatusOK, LoginResponse{
 		Token: tokenString,

server/internal/handler/comment.go

@@ -15,33 +15,38 @@ import (
 )
 
 type CommentResponse struct {
-	ID         string             `json:"id"`
-	IssueID    string             `json:"issue_id"`
-	AuthorType string             `json:"author_type"`
-	AuthorID   string             `json:"author_id"`
-	Content    string             `json:"content"`
-	Type       string             `json:"type"`
-	ParentID   *string            `json:"parent_id"`
-	CreatedAt  string             `json:"created_at"`
-	UpdatedAt  string             `json:"updated_at"`
-	Reactions  []ReactionResponse `json:"reactions"`
+	ID          string               `json:"id"`
+	IssueID     string               `json:"issue_id"`
+	AuthorType  string               `json:"author_type"`
+	AuthorID    string               `json:"author_id"`
+	Content     string               `json:"content"`
+	Type        string               `json:"type"`
+	ParentID    *string              `json:"parent_id"`
+	CreatedAt   string               `json:"created_at"`
+	UpdatedAt   string               `json:"updated_at"`
+	Reactions   []ReactionResponse   `json:"reactions"`
+	Attachments []AttachmentResponse `json:"attachments"`
 }
 
-func commentToResponse(c db.Comment, reactions []ReactionResponse) CommentResponse {
+func commentToResponse(c db.Comment, reactions []ReactionResponse, attachments []AttachmentResponse) CommentResponse {
 	if reactions == nil {
 		reactions = []ReactionResponse{}
 	}
+	if attachments == nil {
+		attachments = []AttachmentResponse{}
+	}
 	return CommentResponse{
-		ID:         uuidToString(c.ID),
-		IssueID:    uuidToString(c.IssueID),
-		AuthorType: c.AuthorType,
-		AuthorID:   uuidToString(c.AuthorID),
-		Content:    c.Content,
-		Type:       c.Type,
-		ParentID:   uuidToPtr(c.ParentID),
-		CreatedAt:  timestampToString(c.CreatedAt),
-		UpdatedAt:  timestampToString(c.UpdatedAt),
-		Reactions:  reactions,
+		ID:          uuidToString(c.ID),
+		IssueID:     uuidToString(c.IssueID),
+		AuthorType:  c.AuthorType,
+		AuthorID:    uuidToString(c.AuthorID),
+		Content:     c.Content,
+		Type:        c.Type,
+		ParentID:    uuidToPtr(c.ParentID),
+		CreatedAt:   timestampToString(c.CreatedAt),
+		UpdatedAt:   timestampToString(c.UpdatedAt),
+		Reactions:   reactions,
+		Attachments: attachments,
 	}
 }
 
@@ -66,10 +71,12 @@ func (h *Handler) ListComments(w http.ResponseWriter, r *http.Request) {
 		commentIDs[i] = c.ID
 	}
 	grouped := h.groupReactions(r, commentIDs)
+	groupedAtt := h.groupAttachments(r, commentIDs)
 
 	resp := make([]CommentResponse, len(comments))
 	for i, c := range comments {
-		resp[i] = commentToResponse(c, grouped[uuidToString(c.ID)])
+		cid := uuidToString(c.ID)
+		resp[i] = commentToResponse(c, grouped[cid], groupedAtt[cid])
 	}
 
 	writeJSON(w, http.StatusOK, resp)
@@ -135,7 +142,7 @@ func (h *Handler) CreateComment(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	resp := commentToResponse(comment, nil)
+	resp := commentToResponse(comment, nil, nil)
 	slog.Info("comment created", append(logger.RequestAttrs(r), "comment_id", uuidToString(comment.ID), "issue_id", issueID)...)
 	h.publish(protocol.EventCommentCreated, uuidToString(issue.WorkspaceID), authorType, authorID, map[string]any{
 		"comment":             resp,
@@ -293,9 +300,11 @@ func (h *Handler) UpdateComment(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	// Fetch reactions for the updated comment.
+	// Fetch reactions and attachments for the updated comment.
 	grouped := h.groupReactions(r, []pgtype.UUID{comment.ID})
-	resp := commentToResponse(comment, grouped[uuidToString(comment.ID)])
+	groupedAtt := h.groupAttachments(r, []pgtype.UUID{comment.ID})
+	cid := uuidToString(comment.ID)
+	resp := commentToResponse(comment, grouped[cid], groupedAtt[cid])
 	slog.Info("comment updated", append(logger.RequestAttrs(r), "comment_id", commentId)...)
 	h.publish(protocol.EventCommentUpdated, workspaceID, actorType, actorID, map[string]any{"comment": resp})
 	writeJSON(w, http.StatusOK, resp)

server/internal/handler/file.go

@@ -0,0 +1,296 @@
+package handler
+
+import (
+	"crypto/rand"
+	"encoding/hex"
+	"fmt"
+	"io"
+	"log/slog"
+	"net/http"
+	"path"
+	"strings"
+	"time"
+
+	"github.com/go-chi/chi/v5"
+	"github.com/jackc/pgx/v5/pgtype"
+	db "github.com/multica-ai/multica/server/pkg/db/generated"
+)
+
+const maxUploadSize = 10 << 20 // 10 MB
+
+// Allowed MIME type prefixes and exact types for uploads.
+var allowedContentTypes = map[string]bool{
+	"image/png":        true,
+	"image/jpeg":       true,
+	"image/gif":        true,
+	"image/webp":       true,
+	"image/svg+xml":    true,
+	"application/pdf":  true,
+	"text/plain":       true,
+	"text/csv":         true,
+	"application/json": true,
+	"video/mp4":        true,
+	"video/webm":       true,
+	"audio/mpeg":       true,
+	"audio/wav":        true,
+	"application/zip":  true,
+}
+
+func isContentTypeAllowed(ct string) bool {
+	// Normalize: take only the media type, strip parameters like charset.
+	ct = strings.TrimSpace(strings.SplitN(ct, ";", 2)[0])
+	ct = strings.ToLower(ct)
+	return allowedContentTypes[ct]
+}
+
+// ---------------------------------------------------------------------------
+// Response types
+// ---------------------------------------------------------------------------
+
+type AttachmentResponse struct {
+	ID           string  `json:"id"`
+	WorkspaceID  string  `json:"workspace_id"`
+	IssueID      *string `json:"issue_id"`
+	CommentID    *string `json:"comment_id"`
+	UploaderType string  `json:"uploader_type"`
+	UploaderID   string  `json:"uploader_id"`
+	Filename     string  `json:"filename"`
+	URL          string  `json:"url"`
+	DownloadURL  string  `json:"download_url"`
+	ContentType  string  `json:"content_type"`
+	SizeBytes    int64   `json:"size_bytes"`
+	CreatedAt    string  `json:"created_at"`
+}
+
+func (h *Handler) attachmentToResponse(a db.Attachment) AttachmentResponse {
+	resp := AttachmentResponse{
+		ID:           uuidToString(a.ID),
+		WorkspaceID:  uuidToString(a.WorkspaceID),
+		UploaderType: a.UploaderType,
+		UploaderID:   uuidToString(a.UploaderID),
+		Filename:     a.Filename,
+		URL:          a.Url,
+		DownloadURL:  a.Url,
+		ContentType:  a.ContentType,
+		SizeBytes:    a.SizeBytes,
+		CreatedAt:    a.CreatedAt.Time.Format("2006-01-02T15:04:05Z07:00"),
+	}
+	if h.CFSigner != nil {
+		resp.DownloadURL = h.CFSigner.SignedURL(a.Url, time.Now().Add(5*time.Minute))
+	}
+	if a.IssueID.Valid {
+		s := uuidToString(a.IssueID)
+		resp.IssueID = &s
+	}
+	if a.CommentID.Valid {
+		s := uuidToString(a.CommentID)
+		resp.CommentID = &s
+	}
+	return resp
+}
+
+// groupAttachments loads attachments for multiple comments and groups them by comment ID.
+func (h *Handler) groupAttachments(r *http.Request, commentIDs []pgtype.UUID) map[string][]AttachmentResponse {
+	if len(commentIDs) == 0 {
+		return nil
+	}
+	attachments, err := h.Queries.ListAttachmentsByCommentIDs(r.Context(), commentIDs)
+	if err != nil {
+		slog.Error("failed to load attachments for comments", "error", err)
+		return nil
+	}
+	grouped := make(map[string][]AttachmentResponse, len(commentIDs))
+	for _, a := range attachments {
+		cid := uuidToString(a.CommentID)
+		grouped[cid] = append(grouped[cid], h.attachmentToResponse(a))
+	}
+	return grouped
+}
+
+// ---------------------------------------------------------------------------
+// UploadFile — POST /api/upload-file
+// ---------------------------------------------------------------------------
+
+func (h *Handler) UploadFile(w http.ResponseWriter, r *http.Request) {
+	if h.Storage == nil {
+		writeError(w, http.StatusServiceUnavailable, "file upload not configured")
+		return
+	}
+
+	userID, ok := requireUserID(w, r)
+	if !ok {
+		return
+	}
+
+	workspaceID := resolveWorkspaceID(r)
+
+	r.Body = http.MaxBytesReader(w, r.Body, maxUploadSize)
+
+	if err := r.ParseMultipartForm(maxUploadSize); err != nil {
+		writeError(w, http.StatusBadRequest, "file too large or invalid multipart form")
+		return
+	}
+	defer r.MultipartForm.RemoveAll()
+
+	file, header, err := r.FormFile("file")
+	if err != nil {
+		writeError(w, http.StatusBadRequest, fmt.Sprintf("missing file field: %v", err))
+		return
+	}
+	defer file.Close()
+
+	// Sniff actual content type from file bytes instead of trusting the client header.
+	buf := make([]byte, 512)
+	n, err := file.Read(buf)
+	if err != nil && err != io.EOF {
+		writeError(w, http.StatusBadRequest, "failed to read file")
+		return
+	}
+	contentType := http.DetectContentType(buf[:n])
+	if !isContentTypeAllowed(contentType) {
+		writeError(w, http.StatusBadRequest, fmt.Sprintf("file type not allowed: %s", contentType))
+		return
+	}
+	// Seek back so the full file is uploaded.
+	if _, err := file.Seek(0, io.SeekStart); err != nil {
+		writeError(w, http.StatusInternalServerError, "failed to read file")
+		return
+	}
+
+	data, err := io.ReadAll(file)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "failed to read file")
+		return
+	}
+
+	b := make([]byte, 16)
+	if _, err := rand.Read(b); err != nil {
+		slog.Error("failed to generate file key", "error", err)
+		writeError(w, http.StatusInternalServerError, "internal error")
+		return
+	}
+	key := hex.EncodeToString(b) + path.Ext(header.Filename)
+
+	link, err := h.Storage.Upload(r.Context(), key, data, contentType, header.Filename)
+	if err != nil {
+		slog.Error("file upload failed", "error", err)
+		writeError(w, http.StatusInternalServerError, "upload failed")
+		return
+	}
+
+	// If workspace context is available, create an attachment record.
+	if workspaceID != "" {
+		uploaderType, uploaderID := h.resolveActor(r, userID, workspaceID)
+
+		params := db.CreateAttachmentParams{
+			WorkspaceID:  parseUUID(workspaceID),
+			UploaderType: uploaderType,
+			UploaderID:   parseUUID(uploaderID),
+			Filename:     header.Filename,
+			Url:          link,
+			ContentType:  contentType,
+			SizeBytes:    int64(len(data)),
+		}
+
+		// Optional issue_id / comment_id from form fields
+		if issueID := r.FormValue("issue_id"); issueID != "" {
+			params.IssueID = parseUUID(issueID)
+		}
+		if commentID := r.FormValue("comment_id"); commentID != "" {
+			params.CommentID = parseUUID(commentID)
+		}
+
+		att, err := h.Queries.CreateAttachment(r.Context(), params)
+		if err != nil {
+			slog.Error("failed to create attachment record", "error", err)
+			// S3 upload succeeded but DB record failed — still return the link
+			// so the file is usable. Log the error for investigation.
+		} else {
+			writeJSON(w, http.StatusOK, h.attachmentToResponse(att))
+			return
+		}
+	}
+
+	// Fallback response (no workspace context, e.g. avatar upload)
+	writeJSON(w, http.StatusOK, map[string]string{
+		"filename": header.Filename,
+		"link":     link,
+	})
+}
+
+// ---------------------------------------------------------------------------
+// ListAttachments — GET /api/issues/{id}/attachments
+// ---------------------------------------------------------------------------
+
+func (h *Handler) ListAttachments(w http.ResponseWriter, r *http.Request) {
+	issueID := chi.URLParam(r, "id")
+	issue, ok := h.loadIssueForUser(w, r, issueID)
+	if !ok {
+		return
+	}
+
+	attachments, err := h.Queries.ListAttachmentsByIssue(r.Context(), db.ListAttachmentsByIssueParams{
+		IssueID:     issue.ID,
+		WorkspaceID: issue.WorkspaceID,
+	})
+	if err != nil {
+		slog.Error("failed to list attachments", "error", err)
+		writeError(w, http.StatusInternalServerError, "failed to list attachments")
+		return
+	}
+
+	resp := make([]AttachmentResponse, len(attachments))
+	for i, a := range attachments {
+		resp[i] = h.attachmentToResponse(a)
+	}
+	writeJSON(w, http.StatusOK, resp)
+}
+
+// ---------------------------------------------------------------------------
+// DeleteAttachment — DELETE /api/attachments/{id}
+// ---------------------------------------------------------------------------
+
+func (h *Handler) DeleteAttachment(w http.ResponseWriter, r *http.Request) {
+	attachmentID := chi.URLParam(r, "id")
+	workspaceID := resolveWorkspaceID(r)
+	if workspaceID == "" {
+		writeError(w, http.StatusBadRequest, "workspace_id is required")
+		return
+	}
+
+	userID, ok := requireUserID(w, r)
+	if !ok {
+		return
+	}
+
+	att, err := h.Queries.GetAttachment(r.Context(), db.GetAttachmentParams{
+		ID:          parseUUID(attachmentID),
+		WorkspaceID: parseUUID(workspaceID),
+	})
+	if err != nil {
+		writeError(w, http.StatusNotFound, "attachment not found")
+		return
+	}
+
+	// Only the uploader (or workspace admin) can delete
+	uploaderID := uuidToString(att.UploaderID)
+	isUploader := att.UploaderType == "member" && uploaderID == userID
+	member, hasMember := ctxMember(r.Context())
+	isAdmin := hasMember && (member.Role == "admin" || member.Role == "owner")
+
+	if !isUploader && !isAdmin {
+		writeError(w, http.StatusForbidden, "not authorized to delete this attachment")
+		return
+	}
+
+	if err := h.Queries.DeleteAttachment(r.Context(), db.DeleteAttachmentParams{
+		ID:          att.ID,
+		WorkspaceID: att.WorkspaceID,
+	}); err != nil {
+		slog.Error("failed to delete attachment", "error", err)
+		writeError(w, http.StatusInternalServerError, "failed to delete attachment")
+		return
+	}
+
+	w.WriteHeader(http.StatusNoContent)
+}

server/internal/handler/handler.go

@@ -12,10 +12,12 @@ import (
 	"github.com/jackc/pgx/v5/pgconn"
 	"github.com/jackc/pgx/v5/pgtype"
 	db "github.com/multica-ai/multica/server/pkg/db/generated"
+	"github.com/multica-ai/multica/server/internal/auth"
 	"github.com/multica-ai/multica/server/internal/events"
 	"github.com/multica-ai/multica/server/internal/middleware"
 	"github.com/multica-ai/multica/server/internal/realtime"
 	"github.com/multica-ai/multica/server/internal/service"
+	"github.com/multica-ai/multica/server/internal/storage"
 	"github.com/multica-ai/multica/server/internal/util"
 )
 
@@ -38,9 +40,11 @@ type Handler struct {
 	TaskService  *service.TaskService
 	EmailService *service.EmailService
 	PingStore    *PingStore
+	Storage      *storage.S3Storage
+	CFSigner     *auth.CloudFrontSigner
 }
 
-func New(queries *db.Queries, txStarter txStarter, hub *realtime.Hub, bus *events.Bus, emailService *service.EmailService) *Handler {
+func New(queries *db.Queries, txStarter txStarter, hub *realtime.Hub, bus *events.Bus, emailService *service.EmailService, s3 *storage.S3Storage, cfSigner *auth.CloudFrontSigner) *Handler {
 	var executor dbExecutor
 	if candidate, ok := txStarter.(dbExecutor); ok {
 		executor = candidate
@@ -55,6 +59,8 @@ func New(queries *db.Queries, txStarter txStarter, hub *realtime.Hub, bus *event
 		TaskService:  service.NewTaskService(queries, hub, bus),
 		EmailService: emailService,
 		PingStore:    NewPingStore(),
+		Storage:      s3,
+		CFSigner:     cfSigner,
 	}
 }
 

server/internal/handler/handler_test.go

@@ -53,7 +53,7 @@ func TestMain(m *testing.M) {
 	go hub.Run()
 	bus := events.New()
 	emailSvc := service.NewEmailService()
-	testHandler = New(queries, pool, hub, bus, emailSvc)
+	testHandler = New(queries, pool, hub, bus, emailSvc, nil, nil)
 	testPool = pool
 
 	testUserID, testWorkspaceID, err = setupHandlerTestFixture(ctx, pool)

server/internal/middleware/cloudfront.go

@@ -0,0 +1,28 @@
+package middleware
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/multica-ai/multica/server/internal/auth"
+)
+
+// RefreshCloudFrontCookies is middleware that refreshes CloudFront signed cookies
+// on authenticated requests when the cookie is missing (expired or first request
+// after login). This prevents 403s from the CDN when cookies expire before the
+// user's session does.
+func RefreshCloudFrontCookies(signer *auth.CloudFrontSigner) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		if signer == nil {
+			return next
+		}
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			if _, err := r.Cookie("CloudFront-Policy"); err != nil {
+				for _, cookie := range signer.SignedCookies(time.Now().Add(72 * time.Hour)) {
+					http.SetCookie(w, cookie)
+				}
+			}
+			next.ServeHTTP(w, r)
+		})
+	}
+}

server/internal/storage/s3.go

@@ -0,0 +1,107 @@
+package storage
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"log/slog"
+	"os"
+	"strings"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/credentials"
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/aws/aws-sdk-go-v2/service/s3/types"
+)
+
+type S3Storage struct {
+	client    *s3.Client
+	bucket    string
+	cdnDomain string // if set, returned URLs use this instead of bucket name
+}
+
+// NewS3StorageFromEnv creates an S3Storage from environment variables.
+// Returns nil if S3_BUCKET is not set.
+//
+// Environment variables:
+//   - S3_BUCKET (required)
+//   - S3_REGION (default: us-west-2)
+//   - AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY (optional; falls back to default credential chain)
+func NewS3StorageFromEnv() *S3Storage {
+	bucket := os.Getenv("S3_BUCKET")
+	if bucket == "" {
+		slog.Info("S3_BUCKET not set, file upload disabled")
+		return nil
+	}
+
+	region := os.Getenv("S3_REGION")
+	if region == "" {
+		region = "us-west-2"
+	}
+
+	opts := []func(*config.LoadOptions) error{
+		config.WithRegion(region),
+	}
+
+	accessKey := os.Getenv("AWS_ACCESS_KEY_ID")
+	secretKey := os.Getenv("AWS_SECRET_ACCESS_KEY")
+	if accessKey != "" && secretKey != "" {
+		opts = append(opts, config.WithCredentialsProvider(
+			credentials.NewStaticCredentialsProvider(accessKey, secretKey, ""),
+		))
+	}
+
+	cfg, err := config.LoadDefaultConfig(context.Background(), opts...)
+	if err != nil {
+		slog.Error("failed to load AWS config", "error", err)
+		return nil
+	}
+
+	cdnDomain := os.Getenv("CLOUDFRONT_DOMAIN")
+
+	slog.Info("S3 storage initialized", "bucket", bucket, "region", region, "cdn_domain", cdnDomain)
+	return &S3Storage{
+		client:    s3.NewFromConfig(cfg),
+		bucket:    bucket,
+		cdnDomain: cdnDomain,
+	}
+}
+
+// sanitizeFilename removes characters that could cause header injection in Content-Disposition.
+func sanitizeFilename(name string) string {
+	var b strings.Builder
+	b.Grow(len(name))
+	for _, r := range name {
+		// Strip control chars, newlines, null bytes, quotes, semicolons, backslashes
+		if r < 0x20 || r == 0x7f || r == '"' || r == ';' || r == '\\' || r == '\x00' {
+			b.WriteRune('_')
+		} else {
+			b.WriteRune(r)
+		}
+	}
+	return b.String()
+}
+
+func (s *S3Storage) Upload(ctx context.Context, key string, data []byte, contentType string, filename string) (string, error) {
+	safe := sanitizeFilename(filename)
+	_, err := s.client.PutObject(ctx, &s3.PutObjectInput{
+		Bucket:             aws.String(s.bucket),
+		Key:                aws.String(key),
+		Body:               bytes.NewReader(data),
+		ContentType:        aws.String(contentType),
+		ContentDisposition: aws.String(fmt.Sprintf(`inline; filename="%s"`, safe)),
+		CacheControl:       aws.String("max-age=432000,public"),
+		StorageClass:       types.StorageClassIntelligentTiering,
+	})
+	if err != nil {
+		return "", fmt.Errorf("s3 PutObject: %w", err)
+	}
+
+	domain := s.bucket
+	if s.cdnDomain != "" {
+		domain = s.cdnDomain
+	}
+	link := fmt.Sprintf("https://%s/%s", domain, key)
+	return link, nil
+}

server/migrations/029_attachment.down.sql

@@ -0,0 +1 @@
+DROP TABLE IF EXISTS attachment;

server/migrations/029_attachment.up.sql

@@ -0,0 +1,17 @@
+CREATE TABLE attachment (
+    id            UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    workspace_id  UUID NOT NULL REFERENCES workspace(id) ON DELETE CASCADE,
+    issue_id      UUID REFERENCES issue(id) ON DELETE CASCADE,
+    comment_id    UUID REFERENCES comment(id) ON DELETE CASCADE,
+    uploader_type TEXT NOT NULL CHECK (uploader_type IN ('member', 'agent')),
+    uploader_id   UUID NOT NULL,
+    filename      TEXT NOT NULL,
+    url           TEXT NOT NULL,
+    content_type  TEXT NOT NULL,
+    size_bytes    BIGINT NOT NULL,
+    created_at    TIMESTAMPTZ NOT NULL DEFAULT now()
+);
+
+CREATE INDEX idx_attachment_issue ON attachment(issue_id) WHERE issue_id IS NOT NULL;
+CREATE INDEX idx_attachment_comment ON attachment(comment_id) WHERE comment_id IS NOT NULL;
+CREATE INDEX idx_attachment_workspace ON attachment(workspace_id);

server/pkg/db/generated/attachment.sql.go

@@ -0,0 +1,226 @@
+// Code generated by sqlc. DO NOT EDIT.
+// versions:
+//   sqlc v1.30.0
+// source: attachment.sql
+
+package db
+
+import (
+	"context"
+
+	"github.com/jackc/pgx/v5/pgtype"
+)
+
+const createAttachment = `-- name: CreateAttachment :one
+INSERT INTO attachment (workspace_id, issue_id, comment_id, uploader_type, uploader_id, filename, url, content_type, size_bytes)
+VALUES ($1, $8, $9, $2, $3, $4, $5, $6, $7)
+RETURNING id, workspace_id, issue_id, comment_id, uploader_type, uploader_id, filename, url, content_type, size_bytes, created_at
+`
+
+type CreateAttachmentParams struct {
+	WorkspaceID  pgtype.UUID `json:"workspace_id"`
+	UploaderType string      `json:"uploader_type"`
+	UploaderID   pgtype.UUID `json:"uploader_id"`
+	Filename     string      `json:"filename"`
+	Url          string      `json:"url"`
+	ContentType  string      `json:"content_type"`
+	SizeBytes    int64       `json:"size_bytes"`
+	IssueID      pgtype.UUID `json:"issue_id"`
+	CommentID    pgtype.UUID `json:"comment_id"`
+}
+
+func (q *Queries) CreateAttachment(ctx context.Context, arg CreateAttachmentParams) (Attachment, error) {
+	row := q.db.QueryRow(ctx, createAttachment,
+		arg.WorkspaceID,
+		arg.UploaderType,
+		arg.UploaderID,
+		arg.Filename,
+		arg.Url,
+		arg.ContentType,
+		arg.SizeBytes,
+		arg.IssueID,
+		arg.CommentID,
+	)
+	var i Attachment
+	err := row.Scan(
+		&i.ID,
+		&i.WorkspaceID,
+		&i.IssueID,
+		&i.CommentID,
+		&i.UploaderType,
+		&i.UploaderID,
+		&i.Filename,
+		&i.Url,
+		&i.ContentType,
+		&i.SizeBytes,
+		&i.CreatedAt,
+	)
+	return i, err
+}
+
+const deleteAttachment = `-- name: DeleteAttachment :exec
+DELETE FROM attachment WHERE id = $1 AND workspace_id = $2
+`
+
+type DeleteAttachmentParams struct {
+	ID          pgtype.UUID `json:"id"`
+	WorkspaceID pgtype.UUID `json:"workspace_id"`
+}
+
+func (q *Queries) DeleteAttachment(ctx context.Context, arg DeleteAttachmentParams) error {
+	_, err := q.db.Exec(ctx, deleteAttachment, arg.ID, arg.WorkspaceID)
+	return err
+}
+
+const getAttachment = `-- name: GetAttachment :one
+SELECT id, workspace_id, issue_id, comment_id, uploader_type, uploader_id, filename, url, content_type, size_bytes, created_at FROM attachment
+WHERE id = $1 AND workspace_id = $2
+`
+
+type GetAttachmentParams struct {
+	ID          pgtype.UUID `json:"id"`
+	WorkspaceID pgtype.UUID `json:"workspace_id"`
+}
+
+func (q *Queries) GetAttachment(ctx context.Context, arg GetAttachmentParams) (Attachment, error) {
+	row := q.db.QueryRow(ctx, getAttachment, arg.ID, arg.WorkspaceID)
+	var i Attachment
+	err := row.Scan(
+		&i.ID,
+		&i.WorkspaceID,
+		&i.IssueID,
+		&i.CommentID,
+		&i.UploaderType,
+		&i.UploaderID,
+		&i.Filename,
+		&i.Url,
+		&i.ContentType,
+		&i.SizeBytes,
+		&i.CreatedAt,
+	)
+	return i, err
+}
+
+const listAttachmentsByComment = `-- name: ListAttachmentsByComment :many
+SELECT id, workspace_id, issue_id, comment_id, uploader_type, uploader_id, filename, url, content_type, size_bytes, created_at FROM attachment
+WHERE comment_id = $1 AND workspace_id = $2
+ORDER BY created_at ASC
+`
+
+type ListAttachmentsByCommentParams struct {
+	CommentID   pgtype.UUID `json:"comment_id"`
+	WorkspaceID pgtype.UUID `json:"workspace_id"`
+}
+
+func (q *Queries) ListAttachmentsByComment(ctx context.Context, arg ListAttachmentsByCommentParams) ([]Attachment, error) {
+	rows, err := q.db.Query(ctx, listAttachmentsByComment, arg.CommentID, arg.WorkspaceID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	items := []Attachment{}
+	for rows.Next() {
+		var i Attachment
+		if err := rows.Scan(
+			&i.ID,
+			&i.WorkspaceID,
+			&i.IssueID,
+			&i.CommentID,
+			&i.UploaderType,
+			&i.UploaderID,
+			&i.Filename,
+			&i.Url,
+			&i.ContentType,
+			&i.SizeBytes,
+			&i.CreatedAt,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const listAttachmentsByCommentIDs = `-- name: ListAttachmentsByCommentIDs :many
+SELECT id, workspace_id, issue_id, comment_id, uploader_type, uploader_id, filename, url, content_type, size_bytes, created_at FROM attachment
+WHERE comment_id = ANY($1::uuid[])
+ORDER BY created_at ASC
+`
+
+func (q *Queries) ListAttachmentsByCommentIDs(ctx context.Context, dollar_1 []pgtype.UUID) ([]Attachment, error) {
+	rows, err := q.db.Query(ctx, listAttachmentsByCommentIDs, dollar_1)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	items := []Attachment{}
+	for rows.Next() {
+		var i Attachment
+		if err := rows.Scan(
+			&i.ID,
+			&i.WorkspaceID,
+			&i.IssueID,
+			&i.CommentID,
+			&i.UploaderType,
+			&i.UploaderID,
+			&i.Filename,
+			&i.Url,
+			&i.ContentType,
+			&i.SizeBytes,
+			&i.CreatedAt,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const listAttachmentsByIssue = `-- name: ListAttachmentsByIssue :many
+SELECT id, workspace_id, issue_id, comment_id, uploader_type, uploader_id, filename, url, content_type, size_bytes, created_at FROM attachment
+WHERE issue_id = $1 AND workspace_id = $2
+ORDER BY created_at ASC
+`
+
+type ListAttachmentsByIssueParams struct {
+	IssueID     pgtype.UUID `json:"issue_id"`
+	WorkspaceID pgtype.UUID `json:"workspace_id"`
+}
+
+func (q *Queries) ListAttachmentsByIssue(ctx context.Context, arg ListAttachmentsByIssueParams) ([]Attachment, error) {
+	rows, err := q.db.Query(ctx, listAttachmentsByIssue, arg.IssueID, arg.WorkspaceID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	items := []Attachment{}
+	for rows.Next() {
+		var i Attachment
+		if err := rows.Scan(
+			&i.ID,
+			&i.WorkspaceID,
+			&i.IssueID,
+			&i.CommentID,
+			&i.UploaderType,
+			&i.UploaderID,
+			&i.Filename,
+			&i.Url,
+			&i.ContentType,
+			&i.SizeBytes,
+			&i.CreatedAt,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}

server/pkg/db/generated/models.go

@@ -79,6 +79,20 @@ type AgentTaskQueue struct {
 	TriggerCommentID pgtype.UUID        `json:"trigger_comment_id"`
 }
 
+type Attachment struct {
+	ID           pgtype.UUID        `json:"id"`
+	WorkspaceID  pgtype.UUID        `json:"workspace_id"`
+	IssueID      pgtype.UUID        `json:"issue_id"`
+	CommentID    pgtype.UUID        `json:"comment_id"`
+	UploaderType string             `json:"uploader_type"`
+	UploaderID   pgtype.UUID        `json:"uploader_id"`
+	Filename     string             `json:"filename"`
+	Url          string             `json:"url"`
+	ContentType  string             `json:"content_type"`
+	SizeBytes    int64              `json:"size_bytes"`
+	CreatedAt    pgtype.Timestamptz `json:"created_at"`
+}
+
 type Comment struct {
 	ID          pgtype.UUID        `json:"id"`
 	IssueID     pgtype.UUID        `json:"issue_id"`

server/pkg/db/queries/attachment.sql

@@ -0,0 +1,26 @@
+-- name: CreateAttachment :one
+INSERT INTO attachment (workspace_id, issue_id, comment_id, uploader_type, uploader_id, filename, url, content_type, size_bytes)
+VALUES ($1, sqlc.narg(issue_id), sqlc.narg(comment_id), $2, $3, $4, $5, $6, $7)
+RETURNING *;
+
+-- name: ListAttachmentsByIssue :many
+SELECT * FROM attachment
+WHERE issue_id = $1 AND workspace_id = $2
+ORDER BY created_at ASC;
+
+-- name: ListAttachmentsByComment :many
+SELECT * FROM attachment
+WHERE comment_id = $1 AND workspace_id = $2
+ORDER BY created_at ASC;
+
+-- name: GetAttachment :one
+SELECT * FROM attachment
+WHERE id = $1 AND workspace_id = $2;
+
+-- name: ListAttachmentsByCommentIDs :many
+SELECT * FROM attachment
+WHERE comment_id = ANY($1::uuid[])
+ORDER BY created_at ASC;
+
+-- name: DeleteAttachment :exec
+DELETE FROM attachment WHERE id = $1 AND workspace_id = $2;