feat: Enhance file upload and session management with agent file support

- Updated the `upload_file` function to create sessions for file uploads, enabling session reuse for referenced files.
- Introduced `is_agent_file` flag to distinguish between user-uploaded files and agent-assigned files, enforcing read-only restrictions on agent files.
- Modified `FileService` to handle the `is_agent_file` attribute in file metadata, ensuring proper storage and retrieval.
- Enhanced `ExecutionOrchestrator` to prevent modifications to files associated with different sessions and agent files.
- Added integration tests to verify the read-only behavior of agent files and the editability of user files.

Author: usnavy13

src/api/files.py

@@ -14,9 +14,9 @@
 
 # Local application imports
 from ..config import settings
-from ..dependencies import FileServiceDep
+from ..dependencies import FileServiceDep, SessionServiceDep
+from ..models import SessionCreate
 from ..services.execution.output import OutputProcessor
-from ..utils.id_generator import generate_session_id
 
 logger = structlog.get_logger(__name__)
 router = APIRouter()
@@ -55,6 +55,7 @@ async def upload_file(
     files: Optional[List[UploadFile]] = File(None),
     entity_id: Optional[str] = Form(None),
     file_service: FileServiceDep = None,
+    session_service: SessionServiceDep = None,
 ):
     """Upload files with multipart form handling - LibreChat compatible.
 
@@ -112,8 +113,17 @@ async def upload_file(
 
         uploaded_files = []
 
-        # Create a session ID for this upload
-        session_id = generate_session_id()
+        # Create a real session for file uploads
+        # This enables session reuse when files are referenced in /exec
+        metadata = {}
+        if entity_id:
+            metadata["entity_id"] = entity_id
+        session = await session_service.create_session(SessionCreate(metadata=metadata))
+        session_id = session.session_id
+
+        # Determine if this is an agent file (uploaded with entity_id)
+        # Agent files are read-only and cannot be modified by user code
+        is_agent_file = entity_id is not None and len(entity_id) > 0
 
         for file in upload_files:
             # Read file content
@@ -125,6 +135,7 @@ async def upload_file(
                 filename=file.filename,
                 content=content,
                 content_type=file.content_type,
+                is_agent_file=is_agent_file,
             )
 
             # Sanitize filename to match what will be used in container

src/services/file.py

@@ -541,8 +541,20 @@ async def store_uploaded_file(
         filename: str,
         content: bytes,
         content_type: Optional[str] = None,
+        is_agent_file: bool = False,
     ) -> str:
-        """Store an uploaded file directly."""
+        """Store an uploaded file directly.
+
+        Args:
+            session_id: Session identifier
+            filename: Original filename
+            content: File content as bytes
+            content_type: MIME type of the file
+            is_agent_file: If True, marks the file as read-only (agent-assigned)
+
+        Returns:
+            The generated file_id
+        """
         await self._ensure_bucket_exists()
 
         # Generate unique file ID
@@ -579,6 +591,7 @@ async def store_uploaded_file(
                 "size": len(content),
                 "path": f"/{filename}",
                 "type": "upload",  # Mark as uploaded file
+                "is_agent_file": "1" if is_agent_file else "0",  # Read-only if agent file
             }
 
             await self._store_file_metadata(session_id, file_id, metadata)

src/services/orchestrator.py

@@ -564,6 +564,10 @@ async def _update_mounted_files_content(self, ctx: ExecutionContext) -> None:
         This ensures in-place edits to mounted files persist after execution.
         Called after execution completes, reads current content from container
         and updates the file in MinIO storage.
+
+        SECURITY: Only updates files that belong to the current session.
+        Files referenced from other sessions are read-only to prevent
+        cross-session/cross-user data modification.
         """
         if not ctx.mounted_files or not ctx.container:
             return
@@ -574,9 +578,33 @@ async def _update_mounted_files_content(self, ctx: ExecutionContext) -> None:
             try:
                 filename = file_info.get("filename")
                 file_id = file_info.get("file_id")
-                session_id = file_info.get("session_id")
+                file_session_id = file_info.get("session_id")
+
+                if not all([filename, file_id, file_session_id]):
+                    continue
+
+                # SECURITY: Only update files from the current session
+                # Files from other sessions are read-only
+                if file_session_id != ctx.session_id:
+                    logger.debug(
+                        "Skipping update for cross-session file",
+                        filename=filename,
+                        file_session=file_session_id[:12] if file_session_id else None,
+                        exec_session=ctx.session_id[:12] if ctx.session_id else None,
+                    )
+                    continue
 
-                if not all([filename, file_id, session_id]):
+                # SECURITY: Skip agent-assigned files (uploaded with entity_id)
+                # Agent files are read-only and cannot be modified by user code
+                file_metadata = await self.file_service._get_file_metadata(
+                    file_session_id, file_id
+                )
+                if file_metadata and file_metadata.get("is_agent_file") == "1":
+                    logger.debug(
+                        "Skipping update for agent-assigned file (read-only)",
+                        filename=filename,
+                        file_id=file_id,
+                    )
                     continue
 
                 # Read current content from container
@@ -595,7 +623,7 @@ async def _update_mounted_files_content(self, ctx: ExecutionContext) -> None:
 
                 # Update file in storage
                 await self.file_service.update_file_content(
-                    session_id=session_id,
+                    session_id=file_session_id,
                     file_id=file_id,
                     content=content,
                     state_hash=ctx.new_state_hash,