cloud-py-api
diff --git a/‎PROGRESS.md‎
Lines changed: 9 additions & 5 deletions b/‎PROGRESS.md‎
Lines changed: 9 additions & 5 deletions
diff --git a/‎README.md‎
Lines changed: 15 additions & 1 deletion b/‎README.md‎
Lines changed: 15 additions & 1 deletion
diff --git a/‎src/nc_mcp_server/client.py‎
Lines changed: 35 additions & 1 deletion b/‎src/nc_mcp_server/client.py‎
Lines changed: 35 additions & 1 deletion
diff --git a/‎src/nc_mcp_server/config.py‎
Lines changed: 17 additions & 0 deletions b/‎src/nc_mcp_server/config.py‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎src/nc_mcp_server/tools/files.py‎
Lines changed: 123 additions & 0 deletions b/‎src/nc_mcp_server/tools/files.py‎
Lines changed: 123 additions & 0 deletions
@@ -38,6 +38,7 @@
 - [x] Tasks tools: list_task_lists, get_tasks, get_task, create_task, update_task, complete_task, delete_task (2026-04-08)
 - [x] Unified Search tools: list_search_providers, unified_search (2026-04-12)
 - [x] upload_file_binary tool: base64-encoded binary upload with MIME inference (2026-04-21)
+- [x] upload_file_from_path tool: stream a local file to Nextcloud. Off by default; enabled via NEXTCLOUD_MCP_UPLOAD_ROOT, restricted to files inside that root (symlinks resolved) (2026-04-21)
 
 ### In Progress
 
@@ -63,7 +64,7 @@
 
 | Module | Tools | Tests |
 |--------|-------|-------|
-| Files | 9 | 60 |
+| Files | 10 | 77 |
 | Users | 5 | 20 |
 | Notifications | 3 | 11 |
 | Talk | 8 | 48 |
@@ -84,11 +85,14 @@
 | Tasks | 7 | 48 |
 | Search | 2 | 17 |
 | User Permissions | — | 15 |
-| Server | — | 7 |
+| Server | — | 8 |
 | Permissions | — | 34 |
 | Errors | — | 16 |
 | Client | — | 29 |
-| Config | — | 17 |
+| Config | — | 24 |
 | State | — | 2 |
-| File Helpers | — | 11 |
-| **Total** | **98** | **711** |
+| File Helpers | — | 26 |
+| **Total** | **99** | **751** |
+
+Files shows 10, but one (`upload_file_from_path`) is only registered when
+`NEXTCLOUD_MCP_UPLOAD_ROOT` is configured. Default deployments expose 98 tools.
@@ -32,9 +32,12 @@ nc-mcp-server
 
 ## 98 Tools Across 20 Nextcloud Apps
 
+A 99th tool, `upload_file_from_path`, is registered only when the operator sets
+`NEXTCLOUD_MCP_UPLOAD_ROOT`. See [Files](#files) for details.
+
 | Category | Tools | Protocol |
 |----------|-------|----------|
-| [Files](#files) | list, read, search, upload (text + binary), copy, move, delete | WebDAV |
+| [Files](#files) | list, read, search, upload (text / binary / from path), copy, move, delete | WebDAV |
 | [File Sharing](#file-sharing) | list, get, create, update, delete shares | OCS |
 | [Trashbin](#trashbin) | list, restore, delete item, empty trash | WebDAV |
 | [File Versions](#file-versions) | list, restore versions | WebDAV |
@@ -100,6 +103,9 @@ export NEXTCLOUD_PASSWORD=your-app-password  # Use an app password, not your mai
 # Optional
 export NEXTCLOUD_MCP_PERMISSIONS=read  # read (default), write, or destructive
 export NEXTCLOUD_MCP_RETRY_MAX=3       # max retries on 429/503 (default: 3, 0 to disable)
+export NEXTCLOUD_MCP_UPLOAD_ROOT=      # unset (default). If set to an absolute directory,
+                                       # enables upload_file_from_path, restricted to files
+                                       # inside that directory (symlinks resolved).
 ```
 
 ### Getting an App Password
@@ -167,11 +173,19 @@ nc-mcp-server
 | `search_files` | read | Search files by name, MIME type, or path pattern |
 | `upload_file` | write | Upload or overwrite a text file |
 | `upload_file_binary` | write | Upload or overwrite a binary file (images, PDFs, archives) from base64-encoded content |
+| `upload_file_from_path` | write | Stream a local file from the server's filesystem — only registered when `NEXTCLOUD_MCP_UPLOAD_ROOT` is set |
 | `create_directory` | write | Create a new directory |
 | `copy_file` | write | Copy a file or directory |
 | `move_file` | destructive | Move or rename a file |
 | `delete_file` | destructive | Delete a file or directory (moves to trash) |
 
+`upload_file_from_path` is off by default because it gives the AI read access
+to the local filesystem. To enable it, set `NEXTCLOUD_MCP_UPLOAD_ROOT` to an
+absolute directory — only files resolving inside that directory (after symlink
+resolution) can be uploaded. This is the right choice when you need to upload
+multi-GB files that would blow past the size limit of an inline `base64` tool
+call; the body is streamed in chunks rather than loaded into memory.
+
 ### File Sharing
 
 | Tool | Permission | Description |
 
@@ -3,11 +3,12 @@
 import contextlib
 import logging
 import xml.etree.ElementTree as ET
+from collections.abc import AsyncIterable, Callable
 from typing import Any
 from urllib.parse import quote as url_quote
 
 import niquests
-from urllib3.util import Retry
+from urllib3.util import Retry, Timeout
 
 from .config import Config
 
@@ -306,6 +307,39 @@ async def dav_put(self, path: str, content: bytes, content_type: str = "applicat
         response = await self._do_request("PUT", url, data=content, headers={"Content-Type": content_type})
         _raise_for_status(response, f"Upload file '{path}'")
 
+    async def dav_put_stream(
+        self,
+        path: str,
+        chunks_factory: Callable[[], AsyncIterable[bytes]],
+        content_type: str = "application/octet-stream",
+    ) -> None:
+        """PUT (upload/overwrite) a file via WebDAV, streaming body from an async iterable.
+
+        Use this for files too large to hold fully in memory. niquests sends the body
+        with Transfer-Encoding: chunked; we deliberately do not set Content-Length
+        because nginx rejects (HTTP 400) requests that combine both headers.
+
+        The body is supplied as a factory (not a single iterable) because a cached
+        session cookie can expire mid-run: if the first attempt drains the iterable
+        and returns 401, the generic _do_request retry would send the retry with an
+        empty body — Nextcloud would happily accept the empty PUT and silently
+        truncate the file. Each attempt calls the factory to get a fresh generator.
+
+        The read timeout is disabled — a multi-GB upload can legitimately take
+        minutes. Connect timeout still applies via the session default.
+        """
+        user = self._config.user
+        url = f"{self._base_url}/remote.php/dav/files/{user}/{path.lstrip('/')}"
+        headers = {"Content-Type": content_type}
+        timeout = Timeout(connect=30, read=None)
+
+        session = await self._get_session()
+        response = await session.request("PUT", url, data=chunks_factory(), headers=headers, timeout=timeout)
+        if await self._should_retry_auth(response):
+            session = await self._get_session()
+            response = await session.request("PUT", url, data=chunks_factory(), headers=headers, timeout=timeout)
+        _raise_for_status(response, f"Upload file '{path}'")
+
     async def dav_delete(self, path: str) -> None:
         """DELETE a file or folder via WebDAV."""
         user = self._config.user
 
@@ -2,6 +2,7 @@
 
 import os
 from dataclasses import dataclass, field
+from pathlib import Path
 
 from .permissions import PermissionLevel
 
@@ -21,6 +22,9 @@ class Config:
         NEXTCLOUD_MCP_PORT: Port for HTTP server (default: 8100)
         NEXTCLOUD_MCP_RETRY_MAX: Max retries on 429/503 (default: 3, 0 to disable)
         NEXTCLOUD_MCP_APP_PASSWORD: Set to 'true' when using an app password to skip session caching
+        NEXTCLOUD_MCP_UPLOAD_ROOT: Absolute path to a local directory. When set, enables the
+            upload_file_from_path tool, restricted to files under this directory (symlinks
+            are resolved before the containment check). Unset by default — tool disabled.
     """
 
     nextcloud_url: str = field(default="")
@@ -31,6 +35,7 @@ class Config:
     port: int = field(default=8100)
     retry_max: int = field(default=3)
     is_app_password: bool = field(default=False)
+    upload_root: str = field(default="")
 
     @classmethod
     def from_env(cls) -> "Config":
@@ -62,6 +67,17 @@ def from_env(cls) -> "Config":
         else:
             raise ValueError(f"Invalid NEXTCLOUD_MCP_APP_PASSWORD='{app_pw_raw}'. Expected: true/false, 1/0, yes/no.")
 
+        upload_root_raw = os.environ.get("NEXTCLOUD_MCP_UPLOAD_ROOT", "").strip()
+        if upload_root_raw:
+            root = Path(upload_root_raw).expanduser()
+            if not root.exists():
+                raise ValueError(f"NEXTCLOUD_MCP_UPLOAD_ROOT='{upload_root_raw}' does not exist.")
+            if not root.is_dir():
+                raise ValueError(f"NEXTCLOUD_MCP_UPLOAD_ROOT='{upload_root_raw}' is not a directory.")
+            upload_root = str(root.resolve(strict=True))
+        else:
+            upload_root = ""
+
         return cls(
             nextcloud_url=url,
             user=user,
@@ -71,6 +87,7 @@ def from_env(cls) -> "Config":
             port=port,
             retry_max=max(0, retry_max),
             is_app_password=is_app_password,
+            upload_root=upload_root,
         )
 
     def validate(self) -> None:
 
@@ -1,9 +1,15 @@
 """File management tools — list, read, upload, copy, delete, move, search files via WebDAV."""
 
+import asyncio
 import base64
 import binascii
+import errno
+import io
 import json
 import mimetypes
+import os
+from collections.abc import AsyncIterator
+from pathlib import Path
 from xml.sax.saxutils import escape as xml_escape
 
 from mcp.server.fastmcp import FastMCP
@@ -21,6 +27,7 @@
 
 _IMAGE_MIME_TYPES = {"image/png", "image/jpeg", "image/gif", "image/webp", "image/bmp", "image/svg+xml"}
 _MAX_IMAGE_SIZE = 10 * 1024 * 1024
+_UPLOAD_CHUNK_SIZE = 256 * 1024
 
 
 def _resolve_content_type(path: str, content_type: str) -> str:
@@ -30,6 +37,72 @@ def _resolve_content_type(path: str, content_type: str) -> str:
     return guessed or "application/octet-stream"
 
 
+def _resolve_local_upload_path(local_path: str, upload_root: str) -> Path:
+    """Resolve a local path and verify it is inside the configured upload root.
+
+    Symlinks are resolved before the containment check, so a symlink inside the
+    root that points outside is rejected.
+
+    Raises:
+        ValueError: when upload_root is not configured, the path is empty, does
+            not exist, is not a regular file, or resolves to a location outside
+            the upload root.
+    """
+    if not upload_root:
+        raise ValueError(
+            "upload_file_from_path is not configured on this server. "
+            "The administrator must set NEXTCLOUD_MCP_UPLOAD_ROOT to a local directory."
+        )
+    if not local_path or not local_path.strip():
+        raise ValueError("local_path cannot be empty.")
+    try:
+        resolved = Path(local_path).expanduser().resolve(strict=True)
+    except FileNotFoundError:
+        raise ValueError(f"Local file not found: {local_path}") from None
+    except (OSError, RuntimeError):
+        raise ValueError(f"Cannot resolve local path: {local_path}") from None
+    root = Path(upload_root).resolve(strict=False)
+    try:
+        resolved.relative_to(root)
+    except ValueError:
+        raise ValueError(f"Path '{local_path}' is outside the configured upload root.") from None
+    if not resolved.is_file():
+        raise ValueError(f"Path is not a regular file: {local_path}")
+    return resolved
+
+
+def _open_no_follow(path: Path) -> io.FileIO:
+    """Open a regular file for reading with O_NOFOLLOW as TOCTOU defense-in-depth.
+
+    _resolve_local_upload_path already rejects symlinks in the caller's input by
+    resolving the path before the containment check. But if another local actor
+    has write access to the upload root, they could replace the validated file
+    with a symlink between validation and this open. O_NOFOLLOW on the final
+    component closes that race window (intermediate components are not covered;
+    see the tool docstring for the expected trust model).
+    """
+    try:
+        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
+    except OSError as exc:
+        if exc.errno in (errno.ELOOP, errno.EMLINK):
+            raise ValueError(f"Refusing to follow symlink at {path.name}: file was swapped after validation.") from exc
+        raise
+    return io.FileIO(fd, closefd=True)
+
+
+async def _stream_local_file(path: Path, chunk_size: int = _UPLOAD_CHUNK_SIZE) -> AsyncIterator[bytes]:
+    """Yield chunks from a local file without blocking the event loop."""
+    f = await asyncio.to_thread(_open_no_follow, path)
+    try:
+        while True:
+            chunk = await asyncio.to_thread(f.read, chunk_size)
+            if not chunk:
+                break
+            yield chunk
+    finally:
+        await asyncio.to_thread(f.close)
+
+
 def _build_search_xml(user: str, query: str, path: str, limit: int, offset: int, mimetype: str) -> str:
     """Build a WebDAV SEARCH request body."""
     where_parts: list[str] = []
@@ -274,6 +347,54 @@ async def create_directory(path: str) -> str:
         return f"Directory created: {path}"
 
 
+def _register_upload_from_path_tool(mcp: FastMCP) -> None:
+    @mcp.tool(annotations=ADDITIVE_IDEMPOTENT)
+    @require_permission(PermissionLevel.WRITE)
+    async def upload_file_from_path(local_path: str, remote_path: str, content_type: str = "") -> str:
+        """Upload a local file from the server's filesystem to Nextcloud.
+
+        Suitable for large files — the content is streamed in chunks rather than
+        loaded fully into memory. Contrast with upload_file (text-only) and
+        upload_file_binary (whole content passed inline as base64).
+
+        The administrator must enable this tool by setting NEXTCLOUD_MCP_UPLOAD_ROOT
+        to a local directory. Only files inside that directory can be uploaded
+        (symlinks are resolved before the containment check). If the env var is
+        not set, this tool is not registered at all.
+
+        Trust model: NEXTCLOUD_MCP_UPLOAD_ROOT should be a directory whose ancestors
+        and contents are not writable by less-privileged local users. The final
+        component is opened with O_NOFOLLOW to defeat symlink-swap TOCTOU races,
+        but intermediate directory components are not re-validated — pointing the
+        upload root at a world-writable tree (e.g. inside /tmp) would let other
+        local accounts redirect uploads via directory-level symlink races.
+
+        Args:
+            local_path: Path to the local file on the MCP server's filesystem.
+                Must resolve to a regular file inside NEXTCLOUD_MCP_UPLOAD_ROOT.
+            remote_path: Destination path in Nextcloud relative to the user's root.
+                Example: "Photos/vacation.jpg"
+            content_type: Optional MIME type for the upload request. If omitted,
+                inferred from the remote_path extension; falls back to
+                "application/octet-stream". Note: Nextcloud re-derives the stored
+                MIME type from the filename, so this mainly controls the upload header.
+
+        Returns:
+            Confirmation message with the uploaded byte count.
+        """
+        config = get_config()
+        resolved = _resolve_local_upload_path(local_path, config.upload_root)
+        size = resolved.stat().st_size
+        resolved_ct = _resolve_content_type(remote_path, content_type)
+        client = get_client()
+        await client.dav_put_stream(
+            remote_path,
+            lambda: _stream_local_file(resolved),
+            content_type=resolved_ct,
+        )
+        return f"File uploaded successfully: {remote_path} ({size} bytes, {resolved_ct})"
+
+
 def _register_destructive_tools(mcp: FastMCP) -> None:
     @mcp.tool(annotations=DESTRUCTIVE)
     @require_permission(PermissionLevel.DESTRUCTIVE)
@@ -314,3 +435,5 @@ def register(mcp: FastMCP) -> None:
     _register_read_tools(mcp)
     _register_write_tools(mcp)
     _register_destructive_tools(mcp)
+    if get_config().upload_root:
+        _register_upload_from_path_tool(mcp)