From 8d1ff79912ce884ff6e06f058610f49bc0b727fa Mon Sep 17 00:00:00 2001
From: kodi <kodi@lab.local>
Date: Fri, 13 Mar 2026 13:44:41 +0100
Subject: [PATCH] upload: deel 01

---
 project_docs/LOCAL_UPLOAD_V1_DESIGN.md        | 233 ++++++++++++++++++
 .../__pycache__/routes_files.cpython-313.pyc  | Bin 5270 -> 5801 bytes
 .../api/__pycache__/schemas.cpython-313.pyc   | Bin 9230 -> 9450 bytes
 webui/backend/app/api/routes_files.py         |  13 +-
 webui/backend/app/api/schemas.py              |   6 +
 .../history_repository.cpython-313.pyc        | Bin 7758 -> 7766 bytes
 webui/backend/app/db/history_repository.py    |   2 +-
 .../filesystem_adapter.cpython-313.pyc        | Bin 17353 -> 18026 bytes
 webui/backend/app/fs/filesystem_adapter.py    |  12 +
 .../file_ops_service.cpython-313.pyc          | Bin 23669 -> 25600 bytes
 .../backend/app/services/file_ops_service.py  |  57 ++++-
 .../test_api_upload_golden.cpython-313.pyc    | Bin 0 -> 10660 bytes
 .../tests/golden/test_api_upload_golden.py    | 186 ++++++++++++++
 13 files changed, 505 insertions(+), 4 deletions(-)
 create mode 100644 project_docs/LOCAL_UPLOAD_V1_DESIGN.md
 create mode 100644 webui/backend/tests/golden/__pycache__/test_api_upload_golden.cpython-313.pyc
 create mode 100644 webui/backend/tests/golden/test_api_upload_golden.py

diff --git a/project_docs/LOCAL_UPLOAD_V1_DESIGN.md b/project_docs/LOCAL_UPLOAD_V1_DESIGN.md
new file mode 100644
index 0000000..91a739c
--- /dev/null
+++ b/project_docs/LOCAL_UPLOAD_V1_DESIGN.md
@@ -0,0 +1,233 @@
+# Local Upload v1
+
+## 1. Doel
+Local upload voegt nu direct waarde toe omdat de app al een bruikbare dual-pane bestandsworkflow heeft, maar nog geen ingang om bestanden vanaf de lokale machine de beheerde storage in te brengen. Dat gat is functioneel groot: browse, rename, move, copy en delete bestaan al, maar import ontbreekt.
+
+Binnen de dual-pane workflow is de meest natuurlijke semantiek:
+- bron: lokale machine via de native browser file picker
+- doel: `currentPath` van het actieve paneel
+
+Dat houdt het model eenvoudig en voorspelbaar. De gebruiker kiest eerst waar in de storage hij staat, en uploadt daarna naar die locatie.
+
+## 2. Scope
+Aanbevolen scope voor v1:
+- upload van lokale bestanden via browser naar storage
+- target = `currentPath` van het actieve paneel
+- native browser file picker gebruiken
+- single-file upload
+- multi-file upload
+- geen folder upload in v1
+- geen drag & drop in v1
+- geen resumable upload
+- geen chunked upload
+
+Motivatie:
+- Multi-file upload via de native picker is klein en nuttig.
+- Folder upload verhoogt de complexiteit direct sterk: recursie, conflictgedrag, voortgang, directory-creatie, mixed failures.
+- Drag & drop is UX-matig aantrekkelijk, maar voegt event-complexiteit en extra foutpaden toe zonder dat het nodig is voor een eerste bruikbare versie.
+- Chunking/resume is pas zinvol als gewone multipart upload aantoonbaar onvoldoende is.
+
+## 3. Startgedrag / UI
+Voor v1:
+- een `Upload` knop links van `F1 Settings` in de onderbalk/topactiezone waar die nu logisch past
+- klik op `Upload` opent direct de native browser file picker
+- de upload werkt altijd naar het actieve paneel
+- de UI toont compact en expliciet:
+  - `Upload to: <currentPath van actief paneel>`
+
+Aanbevolen flow:
+1. gebruiker activeert een paneel
+2. gebruiker klikt `Upload`
+3. browser opent native file picker
+4. gebruiker kiest 1 of meerdere bestanden
+5. upload start naar `currentPath` van actief paneel
+6. voortgang wordt zichtbaar
+7. na afronding wordt het actieve paneel refreshed
+
+Belangrijk:
+- de actieve-paneelcontext moet vooraf duidelijk zijn
+- de knop hoeft niet disabled te zijn zolang een geldig `currentPath` bestaat
+- als een modal open is, moet `Upload` niet tegelijk een nieuwe flow starten
+
+## 4. Voortgang
+Aanbevolen v1-model:
+- één compacte upload-progress UI per lopende uploadbatch
+- globale voortgang over de batch
+- daarnaast compacte status per huidig bestand indien nodig
+
+V1 hoeft niet meteen een volledige task-UI te hergebruiken. De eenvoudigste bruikbare richting is:
+- één uploadstatusblok of kleine modal
+- toont:
+  - totaal aantal bestanden
+  - huidig bestand
+  - globale voortgangsbalk of percentage
+
+Aanbevolen velden in de UI:
+- `Uploading 3 files to /Volumes/...`
+- `2/3 files`
+- huidige bestandsnaam
+- percentage of bytes-progress voor de actieve upload
+
+Dit is lichter dan de bestaande task-list volledig integreren in v1.
+
+## 5. Backend-impact
+Er is zeer waarschijnlijk een nieuw upload-endpoint nodig, bijvoorbeeld:
+- `POST /api/files/upload`
+
+Verwachte vorm:
+- multipart/form-data
+- target path als apart veld, bijvoorbeeld `target_path`
+- één of meerdere file parts
+
+Veiligheidsmodel:
+- `target_path` altijd via bestaande `path_guard`
+- target moet binnen whitelist/toegestane roots vallen
+- target moet bestaan
+- target moet een directory zijn
+- bestandsnamen niet vertrouwen vanuit clientpad-informatie
+- alleen de basename van het gekozen lokale bestand gebruiken
+- validatie van naam via bestaande naamregels (`validate_name` of equivalent)
+- geen client-side padsegmenten overnemen
+
+Traversalpreventie:
+- geen directorystructuur uit de browser aan serverzijde interpreteren in v1
+- geen relatieve paden uit multipart metadata vertrouwen
+- ieder bestand wordt server-side gemapt naar:
+  - `target_path / validated_basename`
+
+## 6. Conflictgedrag
+Ontwerp voor Engelstalige keuzes:
+- `Overwrite`
+- `Overwrite all`
+- `Skip`
+- `Cancel`
+
+Aanbevolen v1-gedrag:
+- conflictcontrole gebeurt server-side per bestand
+- bij conflict in een batch wordt de batch niet stil doorgezet
+- de UI toont een compacte conflictmodal voor het huidige conflicterende bestand
+- de gebruiker kiest één actie
+
+Semantiek:
+- `Overwrite`: alleen huidig conflicterend bestand overschrijven
+- `Overwrite all`: huidig en alle volgende conflicten automatisch overschrijven
+- `Skip`: huidig conflicterend bestand overslaan en doorgaan
+- `Cancel`: resterende batch stoppen
+
+Aanbevolen v1-realisatie:
+- conflict afhandelen per bestand binnen de uploadbatch-flow
+- geen complexe vooraf-scan van alle conflicten nodig
+- geen rollback
+
+Belangrijk:
+- ook directoryconflicten moeten duidelijk zijn
+- als target al een directory met dezelfde naam bevat voor een file-upload, moet dat als conflict/typefout behandeld worden
+
+## 7. Grote bestanden / performance
+Aanbevolen v1:
+- gewone multipart upload
+- geen chunking
+- geen resumable upload
+
+Motivatie:
+- technisch het eenvoudigst
+- breed ondersteund door browser en backendstack
+- voldoende voor een eerste bruikbare versie
+
+Risico:
+- zeer grote bestanden kunnen lang duren of mislukken bij netwerkonderbreking
+- dat risico moet in v1 geaccepteerd en netjes gecommuniceerd worden
+
+V1 hoeft daarom niet meer te doen dan:
+- voortgang tonen
+- foutmelding tonen bij mislukking
+- geen herstart of resume bieden
+
+## 8. Relatie met tasks/history
+Aanbevolen v1:
+- upload opnemen in `history`
+- upload niet meteen in het generieke `tasks` model stoppen
+
+Motivatie:
+- upload heeft wel auditwaarde, dus history is logisch
+- task-integratie maakt de slice groter: background execution, task persistence, progress mapping, polling-UI integratie
+- voor een eerste bruikbare upload is een lichtere directe UI-flow met history-opslag pragmatischer
+
+History v1 voor upload zou moeten registreren:
+- operation = `upload`
+- status = `completed` / `failed`
+- destination = doelpad
+- path of source-naam waar nuttig
+- error_code / error_message bij failure
+
+Als later blijkt dat uploads langlopend worden of meerdere gelijktijdige uploads normaal zijn, kan task-integratie in v2 logisch worden.
+
+## 9. Regressierisico
+Belangrijkste risico's:
+- security: onbetrouwbare bestandsnamen of target path misbruik
+- grote bestanden: timeouts of langlopende requests
+- foutafhandeling: deels geslaagde batch zonder duidelijke feedback
+- UI-complexiteit: conflictflow kan snel onrustig worden
+- actieve-paneelcontext: upload naar verkeerd paneel/pad als context niet duidelijk is
+- conflictafhandeling: onduidelijke semantiek rond overwrite/skip
+
+Laag-regressierisico aanpak:
+- target altijd expliciet koppelen aan actief paneel
+- geen folder upload
+- geen drag & drop
+- geen chunking/resume
+- compacte conflictmodal per bestand
+- direct paneelrefresh na succesvolle upload(s)
+
+## 10. Teststrategie
+Backend golden tests:
+- upload single file success
+- upload multi-file success
+- target path not found
+- target path is file -> type_conflict
+- traversal blocked
+- invalid root alias
+- invalid filename blocked
+- conflict -> already_exists of equivalent
+- overwrite success
+- skip/cancel flow indien servercontract dat nodig maakt
+
+UI smoke/regressietests:
+- `Upload` knop aanwezig links van `F1 Settings`
+- geen uploadstart als ongeldige UI-context aanwezig is
+- targetpaneel-context zichtbaar in uploadflow
+- progress UI verschijnt
+- conflictkeuze-UI verschijnt met:
+  - `Overwrite`
+  - `Overwrite all`
+  - `Skip`
+  - `Cancel`
+
+Handmatige validatie:
+- upload 1 klein bestand
+- upload meerdere bestanden
+- conflict op bestaand bestand
+- overwrite all werkt over meerdere conflicten
+- skip laat batch doorgaan
+- cancel stopt batch
+- actief paneel bepaalt doelpad correct
+- history bevat upload-resultaten
+
+## 11. Aanbeveling
+Aanbevolen v1-richting met laag regressierisico:
+- native browser file picker
+- single + multi-file upload
+- target = `currentPath` van actief paneel
+- geen folder upload
+- geen drag & drop
+- gewone multipart upload
+- directe voortgangsweergave in lichte upload-UI
+- conflictafhandeling per bestand met:
+  - `Overwrite`
+  - `Overwrite all`
+  - `Skip`
+  - `Cancel`
+- wel history-integratie
+- nog geen task-integratie
+
+Dit is de kleinste versie die echt bruikbaar is, zonder meteen te ontsporen in mediaserver- of synchronisatiecomplexiteit.
diff --git a/webui/backend/app/api/__pycache__/routes_files.cpython-313.pyc b/webui/backend/app/api/__pycache__/routes_files.cpython-313.pyc
index a3b0caa61ad3e43f2f472796dd33de81f81f1756..bd83a8ae2758199c7f8cdee5f2bb01b6320b79aa 100644
GIT binary patch
delta 2195
zcmaKsO>7%Q6vt=1>-AUc*zs2yJI==W+@$%SC4@8~p-Pj`ji7B74i!rySKcIB96KGa
zTY(TM&_i+owIiV(%L(Ni4hSkPAdX;(19YV#5CYVjOOQ%AF>lrmu@i8V=Qs2Jy*F>>
zjpsvoXQ+SA@Ao455yVf7-vS8z0)yH|v>k5GE8OZ&cPJtj6&H3XZtRwjid25lqj<5G
z`NHBYqy1SWjKfL<N0cazDlr^ml5;VxwBlCgi;KsUHrys5jZY)hrMf3LoX`?v)DiW2
zw4mypaA-mrX|1=)(P)?IYeQFrE8JMMBHUg@o3xgCv|IHzps6Yv(ERmikJ{XTcG&2}
zpcZAQNJ|TiarUB`vu?zSt7%X3DRl5p?NwVEa!XobX_jQf@Jv{XL3TA_Z*V_{<6wpq
zQv1|sLymMUhd-tT>NXSaSK|$ER}F4%tu0YI(MS@OQf2j6LrnL6Oj~12G(Mmv8t|Td
zJb4t}-hlV+<EcY<bU^KB!27C=le9?PUWW$N&IYu9H7y^12z`<{%a_UL3ueYN3i+Ze
zk}@A17v_zeZVB@Ryl%Oc^s6PkXj<M^Hgbhb79<)KQcbL9){Xq?l3v`Pp}OoNg0Srh
z*ciDf{4FNv3OGq_I_Jc8aNEhZ&Tl%q!R-N)qNeDeMv`zRO!P8Cz7U_{(xf7;4FW4W
zEHSI+bW_JH^ib3QL=BMlTqiuPkrJzNnA~$MD3;I6;8opR-pH71md}=!SL_{#_E6^W
zaT;$4FpVYZ7I|u<T1mrnfQQM9I~JSXp1%9~)^yo-rYxL!vL{gG-CzsZbzR6pVU~NP
zfS2{GVbb#vt{M7unwwR80&+;y)TcfP(_mnYVk<Qd(G65-LQUZhrnaZ<yu3A4_KlT=
zu_t(xiX`V&M*67(>5cqKL3Y^bB|2AkjPSe1V8+R>?oMu$xIFi`Zt|7qw0H`nN#gVN
zCnu?E@$`5wJY}+AC+h$}BImsE5VXW{UNf?K0iUM+47u+8F)0Hu0R|G_DQajT%zutt
z^|cK_ww>zEB|x61rf%mJzmZ+R^K|+p@~Q7jZkD{&l<a~yJa>q78ta)=9V=9Lm3-dx
z0=GZ}|C=;s(=YY?M~uf@E3IG7XN(+vk;bi&ul*3$9JnpAhD?x;104gl3#*<3bLd{3
zhgmQsQVE>hWG6%4db^c4PCZM+x>>?`+)M|uh#3;BL+}L{h7RbyBlITF-S$o7izdb+
z0C^6Qo5)TTu~An15&&?!Ea7sYkYjg@6=tJRKt;Q+43&U~!fo9Ty8D36>UV=Kf%%uD
z=REtrsh|<H186xSK^SzIoDa&~*abRU1vY4fRx(91vtbP5>Pu3@Uh;mhoqQHdhcHV9
z(HJ(4qvU=t#l^^9!NJXH2MQ(nGFZY!fu0+CX4oq-05tpY&VY9k4EtTcO=fqGT`6`y
zSd(|q9#s%~h%EQidLdiN>C^ZUo#W_#(V)*lh37c#0ZRXl7QRQxg$HQlv4FU<{A0@0
z>?7ur-OwMG67M9oF5Z3nMxx9;^K(3LXO_HizxtKxDfgcGE;U(kIk`FRhft)#gY%O&
nQgMP)5m6v%ixoE#BY%2ec8^Dn@rr{1!QGEq9&y5Jw6=c$D@U##

delta 1941
zcmZ`)O>7%g5Z?8!*IsY^8{3JKI$1l3<LytJhBm=fiHMXYjV%Pqg2cg6<l;^0%JI5y
zZ4kXg^aK~A@DS<=am@*&UN~?-;*Qc2(n<vc5)}s|N)8n_X5QMw-q^M@J8x#bZ|2RL
zw|ji`3oU;d3<fy($$vblKMr!-@3`pwypF=3ekvU0vok8EbGlHLN<QLax>)v?WFnUW
zBv4YwQ9XT$nZ4z)Qk=w@E|n9dBuT1VMaXixPxlvjGF}<qxpwq@LJ8`DqNgHexk~)#
z*Tkx-E0f%P@jic}TL4L6WUrdDr+%Rl9)xD}pbI)V0vf6W2B7t<9(F;e09riD*3<Mz
zC5BKv>XdwgcRbfU(_H^wpVeb7#xye0h$o>a1IdeXdfXK{JtBFcm(EE}PdusOyq<KS
zXGWmM2hq^&VoslMfz=V<)G+X*3!E7No;n9!&FL3i;4FZLopZVp9q3nSL7#R(XZL5c
z{GWId8gDDrX47m}+jX;PX@V`UzqP$%cG?E9eH%v0Xx1#-w_`l$7*?BpBqsR)eJp-L
zuX$fc<3K<rXkNN4rBF>#OZpMU8Pp7lNf4F?gsPG>8nQi+K+haq@+Zf>+5c%}^Xbaw
z$7?6b)`__FFPWyF`|e#<Aw=`oQq5=>Pz)~56XwvGqYM6Jnvvh+Rr)}l$g$8odM<*n
z1Q2Sk0u9Y5=IPh68aWj~eH4lD550wYbI+t-`I7X7e6=tKcIb_WM$O}7XKel3xq@UU
z7U>&-41bB5f$yM(E6Tcr2Sb*rrQ|o3LA8Z_qfLCEX`(|mg#pND`&-0lRf$ovuo$S+
zX_oDMzg{y;@+uft=r798@697*2?bJ;S3p2%Oux=_JJzMzZPoU6tu`^L2Q2BaaJB=o
z3b6xCu>}YxuYvhCRf9jge$yd~_sHr8)qSI%j@&v&;blQ&9UMD!Hgtzyqm9r*{w94M
zQWtRFLojmtUgzL$vs!PE4T#vKi($ll5dKV35wS$Wkr`*4*seFxcy6Y)(2Al#-;Hb^
zvc4*4!{(AP5Vk~&c84^{1z2bjVIlC^?h7Gza2e|J`-k{t^!r&WZ2{U#aL8=&u4y)U
z*$#n*aYY?26&_?8#sB3ve*A!Rxg0;MN*WT0-Gi!CbPZ$b`WZgV?x8DH1PSKoZ&58_
zNB62$yV|NR62of2g*PnXqlH*H#P*9DBv=_O$7boH*c2b5U&byUcDv}j6~vYaduNH*
zeP(xX1(6yGb}4XZ*+j94V8_eO=$JbN569jHw*S_FS?e^6HS!MF@WWv7a9RHrc%Fa8
lWuJ3}r(EF~S9lo}IsQY>ONi-7S{wW4$+z*pc=2t3{RaivRX_j$

diff --git a/webui/backend/app/api/__pycache__/schemas.cpython-313.pyc b/webui/backend/app/api/__pycache__/schemas.cpython-313.pyc
index c3eb33d305828545f419bce36ce9c449564fee17..e9dce69aa04461558d5ad5e26e4b25f061585cb4 100644
GIT binary patch
delta 1556
zcmZ9MZD?C%6vy+dS=T1HOOqyPa`SeRRc1xhe$cIxf=z2lYfVeDY1bEHx?a|-X>N1x
z%|_!K)S{_aHp@{EUp5BC3H@M;f*%Gdi1<Na1EGX6@PnVKpwsTl#DUNMNvm#w{BrV~
z|9Q?i&)dc1FMZOEB-t$dW3B%@S6Pt)?AFHN@Ak=lOWcy~k}c`Pc-@nA5Lhhwq0`-M
zJ)ix#?@|MG?vK((K^uK3xm^cO%;mN0)UayIX$3>w?xdfjBQ)cX9J+$AW}u7K{Q+9A
zzrwodp1ok}!6490B}WJA5$?|YPlxU4>{)eKEtXWn+)hE&07QU(Qlxg<08Ai7W0JxK
zc0>0HQrK}65Ez0CI1WPrL?uH)pFH>t8zqPHdDcs#&R+Q>{Jp>^Fb0eR6ZCb&Z%e}j
zM(LJQV`(vm+LR0D;7D?8IgM%UT*jO(%}y4wxxA6mN9fn4H|r;%I3;Guzyxyiq3bBi
zh*^Gfm5&tpSgLHF)U>>EUP);MRnI~@0@NmeH3g`EgQLw(3r?>rgf0v|C=@wQ!vhrQ
zw)<In*CW$lbBWE<x6KJQLJgjFrVHU22!VMT_jIr`qPS1FwMg5Zj+hBIu*knV*prH-
zY7cK(!?k5Kg?`+7_n``uV$<@lW`P2r0dpKF{RJxfp5o~@e8=2qe#>T<S>05pGFemC
z>7K8Zo@j|QEg<4G09m;Mdod3as8F$mcqi-rej4;kP4B}Y64x?OyFEhB1R8yC7!o2Z
zRflu&xvI;vY4y-c0flZHXs5sY9?zA%*sTL*)|koUrt|{hZA)+fSExTAvnA2yg}|h1
zm5=c~hI=>NAAtd{FvV`5QT-xtNtC?|6IdlvKE{?s*>~j@wnnbt<F*yJfi>z6%50^U
zCzy_|!_f+e<rMvi+dvpAiYC7gHL`W`hg#|9P#3)#^2uLtXW5<48Rl3*(`II~`b?jx
z&Q9oO5#W9gu>f@XIS#rIR_J%zVQLNg?bk6{%PAJ&1N;ZBlNR<;A}Z76@W;uoFf0nX
zf2Z$T7HCAh|7|9AT-N~yN1KD6V_E+9bUdgQyG}QvjrGW93{%$QrN1M+?6O!R)Vvt=
z27chqvP*QF<ZWyE{Qnw`T}3tkG6OZ^_=YyEq1y4iO1Gos=uN0ZLt$8=>=Upa16~ws
zeLmL6ZqkPG2wUa(kBVn767xS?<&v^b<WH+v{nRvn5KDP;w+O^1fj&&~=rx!CqV|ra
zJ@%tDR&_SNF<7e!{#08leG;4K>_NZ)Fa(JA2rr4a+Tz-Z%PH=K{yH2>z%sBxiFlk{
jqnG1h+ZrEW{A;{LmH0c3I_7@+<Q)tDx#OVVp`CvKb(Mrk

delta 1460
zcmZvcU1$_n6vw@qCUJIWv)>=HyV<WqQE97E(pG9~3^BW!EHN5w{n~7@OS&dzab_!Z
z8!J(a1SQ&>6ciyMXej|7f*%m{K~balXiE&@n+T#0eaJ)UTkro&RZ<+dKhB)<zjw~L
z_uP4%8cnM6s;VrK&+N-<g@#|$fS8$D{%~<cZ{v!M*Q%GCsis!zPhveivJQ}DRjEmB
zptV+wx@-|@U#d{MSD_izV^7K@^lG3MXrVXi8YKl2NYXM}RHR6_19E0cq-oOjd7uqp
zAPpl5xPUg+xoYl-?ew&!O*B!xeUr8Wp(bD_@GbBiu#3b;{+f1}z;-!|EDgmxbl2V~
z+Ig|njzVP*6wP$e;T4^9(=k$+fujqvl|3+l9_n>|A@=a3X=nN4KIu!BE#1Xpe{?XK
zE)L}Neb9CS<^r&?KsR-{A{vJs9}MG5IYfXyy5(vXIr*hgVbEFkMw!(g?lq#w<@7=Z
z7#ORl(I2H&k6ZLo*3%)5&~?w3v4hY6N935t=AT?NX9>?%gw1_C$W<)&{!>2$C7(_K
z)_wq$>HWX~iL}0rntcs2he6*u=YaG)Q;bqpFXeNYY)LQDBVV26N2m`2WqRd{o2e>?
z-~fi`D?f=t{M9=#^oNtQfGWl*=5x_vo2DFt6d0#WASjM4kUj{wedi%SqR*;IS)(sg
z$Z?(|Y{B{yhyf58RtZ_IYCqmOXRR6DVwQY@S4?T$jtLo0o5y4pNw>9D51V{AC|W-S
zoaPP~feB2|H^FscWI<~8gFbPEo(DgzAB7CKBFEb#6!my&&SD$hY$h?vbAy!;vR5gj
zhgQZXF{=*X{eOQ?&ccV?Muo~4-hfGZ5vmho@~k&dGVB#olnMJQ&<fBwe}xX1f>C03
zxP|@-`)xPidG{r#qvzlP5HqSI<i1r~hFi>R&vCYe+TXsOhVTPjvS1sb;Vb?#tfK((
zmmSg;sng!|)BiQx)wH^HshFm#kuGt8YfDExp&2>5?C38TrQJ!1qJB74${*OPzpXZg
zlhgqy4djP556xDD%mOC3fIp+z_+u!!fG{jhvjf&A0DcU-&6n^7Jf^|eN^$AGqi$UF
zMEc5JPGws@tM`20kvD$mFTKx4Z^qP361>o5ya7*WYdly5E4?B?Mttx36hi!i;~x|M
tUvlvA#pavK_l9o-cQ!X5I!hlTH4&%J5&`9R`6}cvj?&J=IQ^ZN{};9jOAG)2

diff --git a/webui/backend/app/api/routes_files.py b/webui/backend/app/api/routes_files.py
index 5738ed0..812b687 100644
--- a/webui/backend/app/api/routes_files.py
+++ b/webui/backend/app/api/routes_files.py
@@ -1,9 +1,9 @@
 from __future__ import annotations
 
-from fastapi import APIRouter, Depends, Request
+from fastapi import APIRouter, Depends, File, Form, Request, UploadFile
 from fastapi.responses import StreamingResponse
 
-from backend.app.api.schemas import DeleteRequest, DeleteResponse, FileInfoResponse, MkdirRequest, MkdirResponse, RenameRequest, RenameResponse, SaveRequest, SaveResponse, ViewResponse
+from backend.app.api.schemas import DeleteRequest, DeleteResponse, FileInfoResponse, MkdirRequest, MkdirResponse, RenameRequest, RenameResponse, SaveRequest, SaveResponse, UploadResponse, ViewResponse
 from backend.app.dependencies import get_file_ops_service
 from backend.app.services.file_ops_service import FileOpsService
 
@@ -34,6 +34,15 @@ async def delete(
     return service.delete(path=request.path)
 
 
+@router.post("/upload", response_model=UploadResponse)
+async def upload(
+    target_path: str = Form(...),
+    file: UploadFile = File(...),
+    service: FileOpsService = Depends(get_file_ops_service),
+) -> UploadResponse:
+    return service.upload(target_path=target_path, upload_file=file)
+
+
 @router.get("/view", response_model=ViewResponse)
 async def view(
     path: str,
diff --git a/webui/backend/app/api/schemas.py b/webui/backend/app/api/schemas.py
index 074d014..52e1ad2 100644
--- a/webui/backend/app/api/schemas.py
+++ b/webui/backend/app/api/schemas.py
@@ -58,6 +58,12 @@ class DeleteResponse(BaseModel):
     path: str
 
 
+class UploadResponse(BaseModel):
+    path: str
+    size: int
+    modified: str
+
+
 class ViewResponse(BaseModel):
     path: str
     name: str
diff --git a/webui/backend/app/db/__pycache__/history_repository.cpython-313.pyc b/webui/backend/app/db/__pycache__/history_repository.cpython-313.pyc
index 31a6984eebd5ebe9f7cdca5dcafb6ffccd8fe0ab..007e0fa0b6f5d2cdb9d47f43dad53c32750a631d 100644
GIT binary patch
delta 1134
zcmZuw&1(};5YKLs%}28;N}HHAb#0rrYd@tHtcD&01uqf2iIsKDZq4dux6Z!!QG^@>
z@8$gy^;ja_>dCWu^6>rv(M!<^f+BV1ZA}zh$S?Ee<2N&J=Dn?bsOkH<o=@PH(q4M6
zxAZTHwskO>6<T}44{fJgRmQYp3GE^mZn$7GFARhhF`Km`-pGurQ031utGP0{6dK_2
zpZN;^nE5qu8Z|IRFv0h-2g(%R%WbdCkm3x%0>L7|Sp+i+lm)5;%LISL<53)0_X00!
zx{meG_S-I;M`e^nFb+Q`clYy6wceu?*>#sSnzrx568f2%%plUf*YcRiwd}{16eX2N
zLHH<w6=KzTtjPI7zoZ_WMvYKC2hO1Y%lvj`a^6h#s~5?;E<=U9sI(g}coG+wjH!^P
zeyo_jJVZR&h7II0OI$iZujE4tI7wRBVUK_`MFe5+ozjW!?%=jk9>lYm5t-<L?=g2t
zWEx=*xD5tFyi=T#V~bf-bTka0A;BWwExt2ks3KC1*I=d+_pOju?6ky{a*4kwRh3Hj
zbE%*VR47!&FQCck&>7>XAybX(rGCtz_=;q2a*R?MMbnRb#K3rJ)Wg7qQ>Xx+!01VG
z;8G{IMoQy7>qJkY73s)ep@GZV5P*#;vk)(jOxRETKh{213j;-pN-~vC4zZ-*3h9y_
zPKd0VdEblJO}eLBXsn|O(~TgK6#@jjfWDl972X*xm1XPzg&p?%$7`1F3}5UFQ}6|X
zRf4Mo*9d6FkRqV15CwW_UZdr*X6VR0mJde^T2^eaY{tO5(`IgDS#Xa6`?ESuM*<yx
z(L4_LdE%R@rboN?N2Zl==}2Z%7kSHCZ{uaU$U;j8HwfnVtIC`yAFWAeN%(IPk*&2t
er|r9|u*nOfGsWxg6Q%FknyNU;*M$6&75xTvEcb-~

delta 1017
zcmZ8gF>ljQ5YBTPCrx5RP!cDN6HJ0yOlVrQNPv<egoM<E3Naugif9x&#KKA7*`aEM
zl#vaodcS~;g`sj61`rDi128f8A23peNHCPU=hP8+_<a8E?z?+;&)-{LTJkShPDbD<
zy+5!H_vN1?wtu|fEs?536m}=Bh-GlHZoI}`#haw)eU4X2N&}9bL#VMy;+QP3$=sW*
zi%94Q4TNQc6#zX!6|~PITt?6kf_$+2Q(bFdIX%;O^t^44OnL=KCjp>MA6oSOBzuAy
zO8SYe>2`W;+or1!r%O~}V>z#4rZ3Xrjzh1ah!l!|#DRQMP!=&lunf8eM$palgq4OK
zoi*)8ADb=^*ts7w2QJ+W`icgUpm*=I61$N@zx1?CF{F-~GD6ttRDu?e<p&D|kjZ;*
za~}!GvVl?{IrdUnRIp+YDS)MEw1~tq`=or;vS8}O7Y(c9>LfTL!Kff;l^qt=iRv8{
z(j=u~8qaO8xp`xZ-;je1>q5{E_N(WEQSjdRcDRK@`JHrJs=d%QhXa#VfS^wh&W4s2
zT6~$@TMfBdXyN9^JlU71>5k}tZUd#KgFEqGX$@RKrJ3qX%LcD6VoN&tVW5ggZy^`8
zU<2sgOWKy>KEN401m|s_pxh=PdTAd31~9WlKF7T?&NJI`&9%ne;m*mSxm*gBrp!rV
zoxLkHTl1)Q4PhN&0|Dy5S`kD9ya;~Uaoeud>6>nEXz&|L8*D`_<tz-DEh>Yb8E;!{
z5{a`J_PVS{_mRHDK9rYq{*PVYVF>@``-xV6XpC(0I^AX2N?qCb7AZ`mErA&1D8gU7
F*k9<k&AtEt

diff --git a/webui/backend/app/db/history_repository.py b/webui/backend/app/db/history_repository.py
index a9d32b0..2073f08 100644
--- a/webui/backend/app/db/history_repository.py
+++ b/webui/backend/app/db/history_repository.py
@@ -7,7 +7,7 @@ from datetime import datetime, timezone
 from pathlib import Path
 
 VALID_HISTORY_STATUSES = {"queued", "completed", "failed"}
-VALID_HISTORY_OPERATIONS = {"mkdir", "rename", "delete", "copy", "move"}
+VALID_HISTORY_OPERATIONS = {"mkdir", "rename", "delete", "copy", "move", "upload"}
 
 
 class HistoryRepository:
diff --git a/webui/backend/app/fs/__pycache__/filesystem_adapter.cpython-313.pyc b/webui/backend/app/fs/__pycache__/filesystem_adapter.cpython-313.pyc
index eb48fd5a4a3d8d172886f3af003897768ca1c868..faa59000ccec77b00336a5130f295dd5272af7b0 100644
GIT binary patch
delta 1615
zcmZvbdrVtZ9LMjk_tEzDL7|iuxMc-8;8LjQDA~v;uV{=>TsW&{j@T61Z5@x1(~_b8
z)PJ1L%)mVHk?bF%(a6lE%QgEC1~W6k%}t_FQWF#Z@HLHw&25Q^k8@57u9>IFC*R-q
z_sBWtp02(C*H3`+ro*8MbV<rb>Ah_yo!4@sAPBDtBLW5_U=so?A`O{pgu@b+kROR$
z$*2xVTq$T9lDRUY08+TJpn7EH%1V`mD-|^$D_1t!p>k!X%EpxgHKHJLP@R(w19qbA
zs0le)ibiELYDQ(n$c0*vj$Fm4oJOsvycku`D1<7Ck$a>PwIMf)BJ7NGVGn9YmCV6a
zG~13mC0XxCWsaIvC8m!TdP}@&?)gf*8tzq>c(vTCDe*K^i~R@fdN^PHP<kSjc_x!h
zP4*`f)7cdM*={^)`pFLqBog@CD-|})sZff705>%t-?=ri+-j4hIw58v<=)CbOpMUa
z#@3V^lUoW>NK)@{cT5_V$vM$Y{?e?$fbdwGARzvWm<n|PVZXW9A;e(VO72%{K_wfs
z<pa%3mYM@HGKEb+Qr1wL8yf5pw+RP87l-ikv<tsYp_}oGOdn@>i9u(mW@u$NMWHMB
z0j76Q<ZTD&(c_scP9-Mu>e!)~squIw{cI|)97;?jCsLTusth}HfG^CxVBUQ+htt_q
zd}ey$NFtd^#@Uqo_Is`|eDvP3IW{m$@tm;kD4*MReBXTbMEp%<y`pN}*Z8%sWzE;}
zUd<Q2&UyJ;ueM%Uz3!@d-G0*kM(j&h<Azmmd+&&XQ}O@d6g)oiRY3RMaR^TT%ke)m
zHahi{aDR`u(xVR8%!X7y3o2fqE<Q~`<{O@ZQ^qe1v!E1Ak`4~SyT+N|8Gy6K{w7TX
z!<f~FOrA@$KCjG7O((|2b&=l{K25#}Rl_2=6>5S{46Q9Jd083$jNvSWZrv<QbR2{w
zvf9xMSB;I1A59fkXnH{|rdj<}a(#y%E)Yv+6Z~r2*Lfabjr<S^xwb~;#l&a^|4!<=
z+^|d{T}^Py80m_LZJ)A!D@BGq%qJfl*n`>0@#RhHi9I_5_%~+VAd9<p!YaAFt3fFY
zCUxDK!fu1^ps%|XR>*jFGyH9k?j8{?leL~!$3HYn9|?OO^vsrM2riP&XfwEtkthJz
z$kV-plyCLwlvjEKyKVG+V<!de8fRTGhKVipUtTIqW$y`d*FjqPB1)lvjP<n_q@BFh
z7tC?j&c*^hMmsk5#Jl+i)VJpFGRs}lKV&JMKewf}di1;Z@&B$3JjH{Q6x&F+zY*%l
za6fjv!v??4U@)8~*ZQ@tMJAURE-)-JtT0@p$a~`Szm~|R$Kr`>7N<vNvZ+iwj#W}W
zpuzVfI`FWp%Ia+&IX3VyTq2JQhH6xHxluNO|Me`pCyyj&CQ?!CC3AzJvb_@cZwQRM
F=wA+ob|L@(

delta 1241
zcmZuwSx8i26u$o~cNQJD9G7vXrd+RM3t46`ip^;FB*AHc&}7t6N1ajro0YxzW-me1
zPcOYhQA7(x+=t2qhV~#RiXiTj5D^v;Ef54j=lre%-G`6weBU|eKj-JapHH(Fr&!KU
zkH@Xx_v@pPxLSKQ=hftXrYPr?PK7g2xCI!uLK#?m%8-rQzz<f*><|E(WGbu&yJQa7
z0IFn82!ca07c!@0ZrBJe$+ED*Em=0QEXh2u3Ch8Pe9|_=cn(xRCFGEWQ7%SRkh>J+
zK{eDs-cpp0kp}roQ9<WAsD%QGcG6b(@j?i}I#Re7-4GOJxJ6R)u4<iFQY^)yRS~rk
zsTF5vrBW-&(0o!W&Ctrg$NdA@TAk5m`5R!Ghz4I9Q{~55q3P}&98V2*>xq+bQyq+@
z`bOfyQF)l1F?uRbF!d&Fa7)ZrMco&W>S2V1bLCzmQhkQ8%f_1;zm;7xzJ)q0Thr*7
z>Ue4_);p|Oc|C^wmedC0vA#Ihtr!G@K~7i0?~BQX67N`Qpt~=TjHmR(XiA?(L+?^V
zUehk)^_K6};xuJGC%A^7xt5xW_uB{91JP1n%^n(q^`9&S&(OYZUp<q*5V3{;o5n+`
z9P?=E{flisG)yq|Qgk(jD$*#+=B72)qw~*{Wk<jfmxr8@L-r)c)(p8od1KVA(a7KZ
z+fw(0`nX87AslLp?BiJ^JzbU#?rRKkD&t?pj&LJ;ERx|(HE9y$ZW=Pv-Oopp-8~aW
z<GSX^Sma)~md)a_CE`ywm;Er@O-)wzRJ6C$dj4RgrY_&gWJ`$6QDR=~SfYQ;$PVLe
z3u8<b@AgCyOCwsBihr4D>ljVNv3{6FQ3*y?7$tBQ!m@v0#g}Z=w=JG8>!s=x7b82>
z#ROqSHZM|#@I)()NYz1Y8K1(AnsZI{bvlA>gWp(T@&%Hntv%=esw(b8y}00$XgLdr
zg(%OuLVa!%+!e#Ee&2nf4+!Y3@fm_yf;n-iwT#)tT&thW3$wLdRJT21Y4N2k<g?RN
hG*cG6T+<m&j`od@#G846*tR#6+iqil9}1yN`Ue1DBLx5e

diff --git a/webui/backend/app/fs/filesystem_adapter.py b/webui/backend/app/fs/filesystem_adapter.py
index 03ea6e6..ebc8938 100644
--- a/webui/backend/app/fs/filesystem_adapter.py
+++ b/webui/backend/app/fs/filesystem_adapter.py
@@ -140,6 +140,18 @@ class FilesystemAdapter:
             "modified": self.modified_iso(path),
         }
 
+    def write_uploaded_file(self, path: Path, file_stream, chunk_size: int = 1024 * 1024) -> dict:
+        with path.open("xb") as handle:
+            while True:
+                chunk = file_stream.read(chunk_size)
+                if not chunk:
+                    break
+                handle.write(chunk)
+        return {
+            "size": int(path.stat().st_size),
+            "modified": self.modified_iso(path),
+        }
+
     async def stream_file_range(self, path: Path, start: int, end: int, chunk_size: int = 1024 * 1024):
         with path.open("rb") as handle:
             handle.seek(start)
diff --git a/webui/backend/app/services/__pycache__/file_ops_service.cpython-313.pyc b/webui/backend/app/services/__pycache__/file_ops_service.cpython-313.pyc
index c9668dace75d8a70825fa2679884f64da27febb9..a590fe0b61f33a08c47423ce4b08a98ed5fb96ec 100644
GIT binary patch
delta 6119
zcmb7I3vioPmHvOd-;(vPWLuVH%Z{zumK{5`BR9^&j-AGFtkgG3(>Ot^SbrKNj^y57
zdG2;qh5~`M&~Ra<rF3}BFx%aoA&d(x43Cy2?G9yGi_9YNlLAxd3=0c5v=o-k?(8}D
z_e1VBl*q~FqjS$W_ndR@Irm=w;W_cae-$0C+wB$sK03oQ+4mg3;s}VpxYE9-Z_-Zf
zVSxxlzt1u0q)tv7_PHi&Xbq>0``nWr>H*qBz3|_6<x_Q}mYCtk9n(-h@xYIl_(*L`
zM+0l${3Jl?NPWym>qr9$l17lNCn3_*E7FF5&?1m<y+E1=H0YBc&>%C3-J+2ViU*92
z<idPDomqT9{Cm;m!BH=Q522P>wYlQwL_zq3a8#fo5vYcUREtv(ZM|?xcS@u>m`H~-
z)srTo=ahkjiGfo_(oBq;GLaS%Att0j%S>8{ne#2AjaWEk1-qMwbw$EP+KCP5qK?{u
zv~v*$P!3KxkGe<)aUwkczT$`0053{h8+dNctJ%QwaGrYu&&zq94Ll$6!o<6QSxYok
zKfaiOUD1W=LqbR(caT~XJ%uZ!3i)GN7_Qw$I!Rz<C;&#gNZkgTb-?Q;^&5Egq=7cv
zr-{ZE{raN5IR*hL))U!WRz4|ZQt86eB1PWQS~`TW$Jn!$U1E^^x8;=B$THS>PZQTz
zNK+|SNG+rbCus-!xpg$O4f$H>!kladD!lrk5j3-9am;qiAV%3|-M*Pl<a8l)Bj9wj
z2S71^&GZ?GV&<a;)q$;iK+d0~bCP1sNOB>YOBb^FoT?W`<zZ&>#9iFqBlvw5A;w<l
z3Yc~R8TG@~yx-Fxj<QER;jsx|DF!tFdKg8=5XKSqAQ%vKBQydiR@Eyt*1gD{WXqml
zaSF+O2>TJH0iqU)=}}#~2Pnl!B{@HT4pOUzK=0<<mGn_*9%4Bs(HYbt2$)8C5J1LK
zU(I4Ttmg4v;3>X|?7Wm%eAv6gV6Dm^`;YpO8B84=L>NZ66X7VrF@*OZj38`B*nzMU
zAnK+;q*DkyKgO(_IswyASoDUz)0hpVHY3eT1t}$+StwjgWwKP7E9B`#s^$b$jR-t1
z8Kl<pqOZye4-+HgvC4X&c$jL0rx(RwhlbhwX2;)Xu|p6cr%j4E9a}IA4eMu7oPUy<
z8C<BheMZEN6;1})5_CLq0QwAk*k=MhP0qkd9e&nn^jZv1O4_(4XH2r2A)hX(pK-7+
z4SJl$)piE6YGGEC|8bMYmDH{n5^|=bX~xYqZ;i3fgzU`Ya%)YXEY|thh|9$0MmpfT
z8;xl-GeLG`v&X#BA#-LHHv5fcVgU<$I<5(l?ANYvjXo^QVzuzkszkS$*f8d#nb`3+
zam2N)LbEVitI7$2QAh^_A!kVnGi|Ii?U^+vwMkvlLY#43SdcJ*mR*(;;_Rj>jb7B4
z^{;Y>i_{P|@yte7IZ4ZEyuBhZ#dSIBs{NvB->TYAS|w=U>I^4@5p9!jLX3K+6@lVH
zP_##HUGQi5DWMj;e!bvVDj0RKz!jaGy(B57Gx<#RM7CMVKzHI@<19*?1BmKW<@L%h
z?nJgv-PgNNP6wcva8vUp!`&Oj0bc&N!_^*u`@gCY@E+hfPqVP|Rd=D7(Tbwu1+u>T
zZK%k1KWzNsN=LBqov&C6X?mZeHcZ8;+EJ}|t9n{$wIL|BlUW&yOYJ(mWG<k2-afo*
zO{Gd#(aUM*GrV^|Wz|CmL5Fy0t$<o#1@>OAx2U@C?;s&pph6xLDov3kQ?TN1xolh3
z^qB*dP)j)!D}`d^(0C~{{`~3dp_$8x8~%pJ_mzXarC@J4ICypRx__wb-&XQ(yL?wA
z5G)5eN`a1YV6YSzyn5mJb4!82rNH#%y_HCNIWky^3|=jkhZ3cs#8UC@BiAFdOSW*O
zq37}xAMY<k`pc1>rO3{uUCHZ_LooO=XQb@xDmlB#&i<0Kzw8_+IR|dkhAMT@N^ol>
z9H}%$mfGUww$W1C=u&X(rdjWIFAMq__p(Fq)s?-iC2wolyS3!qx)k4Ejvp$;4=o*@
zD<3{tEFC_1-J88UUa`5#wr~j?sc(VcD;QV26pUAV(Xy|v<m;;h!=K*&#QrA}%T~eO
zd{Z#k9d9@UZ_B!Xum17DE5|Bzp~o+k>h8E{)Oj7tg3j*v(;F7S6?k1Rn%#VsO(okV
zoF&*>@zpn1YU`HGg1!Bwptn1gZGzqX)(vOv>w=wqsj+KnRSv`&Hi&rwm-oH3++a5c
z{w%k`>V06`HtrFwc`Os%+G~xT@m}q<UOUnwof93}7d!M5-HQ#OgjPJoPB%AfI4`a=
z|3mQ|4g<wppl5S)=>lw~wE|O&bNO5Wj{K-eEj=tB#kRss6)rAF^h3a+A4XVHqYuN^
z|9863913CgHmc|BJiFF%C)_W@NKazz(4cmd!g->`_2UC7I8RejCR<R?%ST{bF)mQ)
zTvj@-9-Mdzt?hVLjD$1>aq-iUgtn7AZC*dQF5wJo&MIc<0)!~z<>C=m-ySLQ9)X=k
z(eVh^MRhcvFVH7YA3dO-M0gV6QwUE1M9o!)D(@m@xsWcTvN?!=HyIO(^2Wmxl13%n
zdZ=(SX5VP{Z^AP{(V?2+nZToeK_(JCmz|Sh$Q*_8m7fvV=HYtg?Rd(7ZGKM2M89|O
z<&Fbd-zl8seF)tMym9uhE6q(T(WN&$1iVWT*3{qR;z|7=%Df-p1MEXxeW!2%)s=mR
zt+JjwdLHDWHB}Mw2-g;RWu4L3qX3E)y0Bu9a&!5NL?1(TBiq~^39hfc6%CrIvhgrm
z==S$uD^y%_XDPpbswV<$)CbW7zcyh~S5_Y`P3*bukRgc~`Vs3LmKPJT$8@*I$V($l
z#&g+>l&24|`u<1aeK?cxq?85^Wp$PLZg#y}knE@ZErySvLmy?vEg{1+l8vl$OWonM
z+o58k>D+x%N;O}#mCbmlr1*KKhwVZOaHq~?C^|#G0`N}PLdDBo*y3eZx3n2PhM|6v
zhdMpbDT<pG-`bJV+#=%NZjGwz-+}ATw#6+&Uxq2*bj6vfLUz1s$PdJuCwQFCp{5!<
zQheWA<pPz`XZU&dboB=3=Ni_JtOLMRgBANld_sJI-9L7LeSY|he>s4cM%u)O*l$Mq
zI?-?XF96YZ_jPi6WB09mrPt8VivZOweSG_N@m229^Z+~}cAWXkZskWKYF_Waybdj7
zPK2>LWpnq@+wt?aqYby|=iu0|Myp|6!{^z5jzR9&6T8QnpMhYW7NQzOcRVdiyrIf?
zAzgh_jIsaO-J)sLu;%d=P_gZ)W5>q-O>AJD6A`h4B_^Wb7>Fx2c|n@Xrsq?5ecE8*
zQTF&mn+9&}-<p`>7A|dT0F9_l@f_N_dpwaEOH3aepFWs6c<+I6Ld!5l6@&`HFn|o(
zR#<uCJj=elr&H6TVZYncp<3IyV$FZ>uH^pF>0NuLZqMR(*bnaN(e!JWcJGSCHUIYR
z-?eA__N;xEy}Gy4Is_@CKSTd9WtWCmT&y{;d*b%YeV=`AGAiE5-kglOv30}4_XwJu
zMToJ@`<lc!yL;cm#UW&DMW`CbufIb0H3D9iqZ%55UvM@<&Eab;SD+W+EaI)_ue9+_
zPk3=JJ318+cd!SiCRInZ)sC<mQ%~Lf8=POKJ_zB3A<)eTlgKqxIl$kz8-tJyAcPHI
zbyrToccqo3r$WY*L}{KLX207%p&o7mtJ&jaiRo7ie?a?hvc5!1&l^B)*p)b~;(yzL
znabtQr?T)QXYWhwfhvAE@uH?_-BsRZ@tH+`fPm`(9qH=Keo<!sJJZ~Vj7x^&7YmX+
zqKI8|5e2@8Aj1<gPFlBp0lvUhyg;)H@M~cn?kT(_eiixJGufPCIh3A1D~)4J@b`kR
zqw+TpM3Fr~dRo7U^tTZBab^LEr-g%hgZ~=)FVZgFzvw;qfY^y0man+lqxn8G&@ggc
z2+asigckPoWVo0>lD9v8yWx}$%8#010G0`BT^+w?jpF0z2`ujVIOpPJ3%Gx~QPzfB
zabklx20TSqJf6?bQ?6=PRo`Y1&+pYsCU=hCKsfb}Fr>Q1_4y5<+F{J)pDmF4@ZW`}
z^Eru6qv$f(xx$*`MYO@yYanQF@cNq3x8(z;Tvfy4N!4<pmRo&oa;JDja*FS099L_X
zQ!!NJ)UQ+u=2vT#GqGURVRT8+q1RDcm33Y!SQ~1s-O@Ub$c?^fR6n`*26cOJ@Aw{j
z4&Q}b;F7ZdPe5rln=5pM0ggq3?8ZHV#a5ha3&On!rx6MWpFsE=!apNCkMI)0%Lw?8
zgcAbpx7oQfQsHDiqdu$gvPYjq_zuE%5x$SWpUqh0ygksb0j2m-sXo;N{2>x5==fQv
zvs9|O7EvLv3IjmM|HQs|xWV+sQE@;Ycr&;7<HL`LHeR<VHXUtb@)21>?d<1A+C>Mm
z&bEtA)<4@;<i+tZH1!z5j}U%{@G8P<2tPsiB?6zaswDtVF>Qm}=h=B_I}JnL;h!LX
z4`5j<isCCm%WFd5HKFs58bLgu`6G-U(A?zsim(I!v6p9`bk3Q@&fg1&yw&_41$tw{

delta 4557
zcmb7H4Qx}_6@J%0&ra+(i4&8=PGZL)Brm@V2!$lj1)5OuPaaSRFyq88;NaNSeJ^Q}
z0w&$mZ7o~HZYQB>RjY1YOIg*mp4N6+yLQv6{j@^W)Rn!7jcMvOCb6HEp{nYnopWCt
zJ1Z=kU-J39bI(2Z{N8(g=BMPJFA>)V1qJy6e8?Zu(dQ4IbCr{;=jwO01_W7<t^Eak
zF6!d6*k9OJM2k3W>o4weQ#a6dS_1#2=N_++J#rpA?p70BBbUHa3Y;~q7FxFaRwkFr
z6|%S0M$2WNTq#$9Y=vAc`_~idEf<1<9PkQqO}h#05d`XEPSQd|)<H(nUn4W5$c@|*
zgi-_#^PA(T^F$E7DjXIlkp*g!2{m)&X0I@1nIhC8SIHKnsTG#8a!Qo_vdAf$9FS{d
z+mftZ4$5}U&y#EAJWl0<wzYEpl7vI9lO3Gz1j-3i%0df(EZ|Jn;X-+x>_WO7EW{5j
z0$#mbxPn*Ac||LDZq6%S!7JfB_X=Jq=apo51AGyWY|42`Tg7T&wMTA{J*Z>~6K2d_
z!+vk6=#=ELC4Lz!)hL%|mf|aw1FuQ0Siys&QtvU7)SPa&rmQtBAgDVgqw%PET#1Cj
z+66+9cfm|I!xwE~@8owAA1iZAkxF*IBUVz)XC%W^iEE)`SUXPZ8FB8Y?nJ&>nVV4a
zfC^+jG>B?8ro+x7B57bhbbCl6d#$FdLl;3qcv_*GKtK|W<?cWwqMDeY6N>JLD5@5X
zhqY)T&W)m5P}f$ru4Jo+TXzuO#}LqF+Q||nWfrLns`23xAL(WnO9DH4U_=)Ud+9wW
zwgcfVgkA&@VJAW*fbKBNGF-bG*}IvmwDOLAB>NCBjdTz|%BL6&WAXh!>4j8L6R}x{
zq~QY{Vc}Abv<Ia|5im+r22in+GeHUjj4&NYKUTV1bTp$7_o$V9;N9lO2vICjx)q@V
z;Sj=Mgd^y6rR1hQeESRn_t_RzLzB^%LLqOy4JXh;eN9A(DVh>erjy!yC=#X0gqEQ5
z)bJCh+7P&}6G&x!wdVNBT|qCnKdKcd?uy~XRN7zJU`jty*KMwk!q7(^nI|+bJ)>%Y
zaU~EAaJzEd{J7!iR2M4ThOiysP5?bmqcib|u%<+GiyB=}bo+E75}k~~yKN#7*PsX`
zyAi8;ly@#ML)v^&p>wEb9$^9DK7^A1p9mJ67KDP_QaHgH8#|%mCmY*R%Q2u%RDkP9
zwrn(X`(%QKlt@%FQhW-=bz71uvr*+<Bi9(zrCjq6=@uN*OL`$a!%0<E=xlUCX+`EG
z5LJH+`{WtnvbXwOZ{yo+Ti3DleNC55&D_Jh<*exz9>!(Y^gLw_0-|EOoMNY2Yg0IZ
z2S>N?cw|K_G?CEgLpYB1(z6I(LijSm!vIoVPDSz7$Wyhj7K+BfU#u`{N8p_U;S=al
z0LhXK3?-wirmc(w+19pdn*)4Ozbmk|UN4(#dz93r*Q}44Jy;-=BCIS2zo>?16{@nA
zH%g9K9M=$L*!7JYM9d+bgSsz2u<Vj#Hp(E&D9*8;+sm!Yw)+XxavDH4$CS7(D)EU#
zM4^kwu4G@_RJ$pgc?U3|(6a50Cg{b=ToO76+C5X1bd+7)<nifNv_4{FAH%eiedu%M
zYOf~M>6Ui8^)}8|_4sYG(TI`&?~@&8w|)wjvK?2#V4P~Cix+XxYW}hI&Y+lr+4KxM
z(pfDIB3a26JK-cpvIP}8X*hmN2^s2hDmV{|E5v)w3VEj*Z0_+0MPuj%fKO~-?0V;R
zawy&0^$h~a-LorX^4>DJFn6Jr5y|V&j?YYw$HUPWI2!+SYuD2-1P2dl&vDbWnwuc5
z`&ieAZx`Q{=|!AxxQ!GqU5BbsB|ObH#0$AK%C|CX0o4M4X@V4WboY`6(~I5p8BcDT
zsX9@GX$#Hl)s233tjE=aKG5$0NUPe-9`C7Y;W@d5#q=dq^fExMVSnk_PA;;=?m70&
zt{v<Tz0<2kx(Xw0O-3dm#@BYQPyHYE!P>ef1XDw~n`#KU|F&_yrPZj%4f`RU!R&lr
zD|wT9aA*H>q>lZqe`n28AaOyEOuA(}tSWqiRq<k(ITm*?c_3)IPT0KzL6{OBu3+hb
zw}_W54%U)-_T->MTG*w*3X$J6PP4xb)|vi6m}h8!OD}-rl_6i?=b)0lh42dmJWEyB
zl!T?j_Ze0`++_NYu%6+D<$2eJ{j1G;ku{98nLZ}$;7E4fzeZMF?-jOXPm@CcN9ixo
z9&~J>!waNj(Thj!>J9B29@^V8v^TW(;7E^5S26!}795p`g$;~K?mAQ=(u1gW455X6
ze$-F4u%|{JO7WW$UbJ$@@%0MAZxQgGC7Eaye8Gtdje}Q)xJKvUOyE1m|ES|uS3&V^
z)LP8~`>KhZ{YvgLtTpFa!#3=Fbl@r)VKJ^IZ9voY2)mIh=2*dRR5_l)xQcr`wsNL`
z`k8N^L~2;izFx@e*?l*~KclW|><jyY?myv-+;ZE^ez3oiw6kCD-v#YebI%(le|CMo
z|KWv){saLd4I73yHb}bI-mw}lG8V+~c}-Eb>7<!{3k9A4(AihU)>fQH3ieYPO~O|)
z2A2lj{NHAm#>$+}q40MQZV2rCu{P;>q+dX|?Va&i7}bN!I~F7z>FGnKNE2>&Ja@*%
z$ty~ve&iM+1Q1*ZHOzA)kQzdg??e2)z^M<Bmj?i`Zdo4RzfAFQyuw0;vg4d<LoVrE
zG4XT2gYHfwVwB6^MJh8hm0i$|?4|1*=i)hMnD+H$iYsuSWUgr#x{vZ9uz{0-p+sEa
z>*$t9bVAE4lwHRPZ4a~G;5zw9@gJU}Xl5Fo3x?GeoaQ!usc>byi#Wv#5XX&v<5UYy
z<P`5LPVx5Q)RxR>YROczT5{%S=atQ`EB{?P4~U4inG8F*^&;if#I55c#p?`Z7YenR
zWK1~}jcd(;XxyS5k$kK_v^iCaCT&DGfG~yd0Ky{(k0GQHzK`%K!jAxSCteGq6Vr-z
zJP|Q|U7g0kXAoXQcm?5g1Z;le=LI%0eHH-Dm=M>%tVatwbGixz$})gIf7B<z$p?g+
zCbM<(jr?`i@*5+h3-BaqwwB*KoZffzEOGLV#A!oPCA%J0nKHhX6tD-!>xqlKFkTnq
zJ@8r7yNK{6!p{)iLAZ?YHo|WZ`1&ht((PSv+nb3g+i5A-1Al`08o=Mpgpeyj@I9gY
bJ)!A$Lh4;1#fB%ID2&-j)B6G<-!A?Qe>CKI

diff --git a/webui/backend/app/services/file_ops_service.py b/webui/backend/app/services/file_ops_service.py
index 03bf372..de185cb 100644
--- a/webui/backend/app/services/file_ops_service.py
+++ b/webui/backend/app/services/file_ops_service.py
@@ -3,7 +3,7 @@ from __future__ import annotations
 from pathlib import Path
 
 from backend.app.api.errors import AppError
-from backend.app.api.schemas import DeleteResponse, FileInfoResponse, MkdirResponse, RenameResponse, SaveResponse, ViewResponse
+from backend.app.api.schemas import DeleteResponse, FileInfoResponse, MkdirResponse, RenameResponse, SaveResponse, UploadResponse, ViewResponse
 from backend.app.db.history_repository import HistoryRepository
 from backend.app.fs.filesystem_adapter import FilesystemAdapter
 from backend.app.security.path_guard import PathGuard
@@ -204,6 +204,61 @@ class FileOpsService:
             self._record_history_error(operation="delete", path=path, error=error)
             raise error
 
+    def upload(self, target_path: str, upload_file) -> UploadResponse:
+        destination_relative = None
+        history_path = target_path
+        try:
+            resolved_target = self._path_guard.resolve_directory_path(target_path)
+            filename = Path(upload_file.filename or "").name
+            safe_name = self._path_guard.validate_name(filename, field="name")
+            destination_relative = self._join_relative(resolved_target.relative, safe_name)
+            history_path = destination_relative
+            resolved_destination = self._path_guard.resolve_path(destination_relative)
+
+            if resolved_destination.absolute.exists():
+                raise AppError(
+                    code="already_exists",
+                    message="Target path already exists",
+                    status_code=409,
+                    details={"path": resolved_destination.relative},
+                )
+
+            saved = self._filesystem.write_uploaded_file(resolved_destination.absolute, upload_file.file)
+            self._record_history(
+                operation="upload",
+                status="completed",
+                destination=resolved_destination.relative,
+                path=resolved_destination.relative,
+                finished_at=self._now_iso(),
+            )
+            return UploadResponse(
+                path=resolved_destination.relative,
+                size=saved["size"],
+                modified=saved["modified"],
+            )
+        except AppError as exc:
+            self._record_history_error(
+                operation="upload",
+                destination=destination_relative,
+                path=history_path,
+                error=exc,
+            )
+            raise
+        except OSError as exc:
+            error = AppError(
+                code="io_error",
+                message="Filesystem operation failed",
+                status_code=500,
+                details={"reason": str(exc)},
+            )
+            self._record_history_error(
+                operation="upload",
+                destination=destination_relative,
+                path=history_path,
+                error=error,
+            )
+            raise error
+
     def view(self, path: str, for_edit: bool = False) -> ViewResponse:
         resolved_target = self._path_guard.resolve_existing_path(path)
 
diff --git a/webui/backend/tests/golden/__pycache__/test_api_upload_golden.cpython-313.pyc b/webui/backend/tests/golden/__pycache__/test_api_upload_golden.cpython-313.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..4bd7a1893ee0f261462f6ea77a52c6891e3cb48d
GIT binary patch
literal 10660
zcmds7U2GdycAnu3$st9FvLuTXC0Uf@KgJg2A1StM*@^rU$5Nss9I0t5ug4TQl4(;z
z=FZTzl%Mq`Z6kMsb-Z3Ta=S&e55>x8(Yip=ZXcbeJd&0Iva>c|AO#8oeQ;nc+!%f6
zId?cDMbnnt?E>wNt;=(N=gz&~`OZ0a=3#ZUlYwi>_C@S3n;GU?%$S#82<*exScbXA
zh>XY%F@r2&{U}?8EW|>8Il|Fjp78Y7O04k94cP|m#GY>}5a9$DsxyZ!{)W~UWm6KF
z6IC6|2|N6`dg0!9g<y8&S8u)`)KXr<Fd}b-LbG?T#b`liV;yo2){@%6bz~jQ+lJ}}
z>q$M8?L!TN>&bd53qy^A9^#?0W5_$$M4G7V9P$k|lV&Pc4Ydrml2$+CWjYwq<zvL^
z6V_1wlk@52j55+TX$jQa$4r3LtHO$s(85|Qp{T=<=idx#r|)CafJJYZlr?E07MG<&
zQk7JhoQp+dy&g+X$5bsrrp-d=x$ae?C?qEnY78r}@D=E-POF+cH4qIaHJRLCbuOGt
zLY)I|bu1MoQOML_!#9$uXxs!#^5f-8BF5~EG{2ba!w(^UjXA*(R%8GSEC9hRT71kI
zgo0b-sALsuMV?AFah+(Tk{xPoR1!e4Q^^66KqV(g4k}fF<fM`dq$(;^g9Hl=_oxx8
ziF>jpP^Z_ACgX{4bRZc!mWW4XWkgoB`;9QWNFF|P;s|J1TlV44;0aFhC#~0*F<OC1
zDF0N20uVYF6Jn!Gyih-8H`|OdA>NdWzoES16ibRg6xpsShJn!#o%Dh+s0x~S<2O{j
zGLJdY0{^%^iy!(|>Lc>`u}kMy^W-?s9(!z^+2gl*PAksER6lrLM`6^0!oyQkAOy3I
z!j5?geVR;3v=!%9c@@n5J6Ka1D^N#aH(Al%$4&8Lt>(C+tSI!cQ&zERl<#3F`h+vQ
zVi8@VR>&g;G0%-!#x|IJLVi;!{*HB+@)i(Axm8+kENwl>1geL1o+J|52&lh3878u#
zsk$Iv0Ns`nXLWmu!d#tk<_RDe9oGe<g7BogGr;N2Bq+5siCV2Ykva_J*XvBeAf@!+
zEaslj@2jXMwJ^PdY$xLfEgxYvGJCiQ_69qA1F5UFoS9TqwTt?2_xS`lt0uz{x%<34
zJ{4AAZlr7KToSXXSoe51a#mKN-5Thq+C542m1d-HGA0>MC>h1U<h1US66a(>Vo~`?
zE<8{{?SrbUjV6Qr@kAsXR}TiC-W_*HbwTo<_nC`KuD&zv>iqs8D)dL3ja~bS5JV9{
zSirKl&6UpcwXrJ154CzzaV}-8^#131lCs_}z~H41(vfy`d`~)YLKfXdWGzJ$f`k&V
zkgf1TkQ4&-x&U?|iQA~xjerCwBGX4=M2?{OFlwb}j1XKBomawBGO0(=I&~I`^{PA?
zv5n5D8qw|1aS0JfkOAo(39c_e<)=3#KnjfB5S5dF09lDl7gj_iHf)5{6|m{ND#s^?
z4@=rH*^EgWCYvBpv8f-fmtQs()=KwWZ+hw?B9o{L0QCEd%pI>k>)n0ZyL-{wJIjAk
zeW$@Y*YJ7k_10|DwoKEu#fI$*=Q0gg<;V%H%Z^Kq%kE3=d455gb!UX0Tyxv!eb@Wu
zr!&nvX89$-3yrdZHzRnn!iJ2nVP3l#O{28`j>q@&o_YS4)xW6D`gdjgyB3>w-;8IP
z4=s8Q!|1MmYYi@F|M1?8_ZD0G(}M3#bKs80KmWqtMQ(2V=fFP({#Hr1A6WDpyyMxr
z=y@U6w(~nX-{MRQ-eo7#97y-PlJOmzbwA=+$HqrC*3tRE#_StmKjE^1KO^{;+Ius?
zi@CjT6$^T93%w6vAyyhiG;16xy9UB)1~F7HTR4t!nWRe167Edd6)I4Fv7*>#lA-Do
zuu^D{ozO<NM&fdqkZma2QC3pmv5;Mmr|RT4b{*gwCPxzI6}_d>#+$V}up1IBY`sur
ztWH+goDnuJ30rZ8t1ne&h1QJF`i;;=aApOk0oH{<@YD4PfpC&NX*tP(FKihFQ!vW*
za3Y&G4g6}Z#3)~MCrs0{kqL0a5g52|;bL9I?eGCw4{`?gt~T@-PLf_C+s7)UUQLA!
z=>Y%1@FZB~ICyTS;qlI~*SKM;i&5B7w$g@)yl5Tacd(*ugd4Gl_8tyop^rNbp+ISW
z6+;5}XFA-+AzxbW2P+~l!@cn5fj>t(vz?)B;0cU52#kwClENzrYcOH)Gi{6?{!KCm
zxHe{jMJp6=3=?#l9<MvCX~})vhBX226<l14?$AhBQGw7jT^J9mvXmn6nRVS@U%IJL
z>^7K7uhPN<-D%`3oyV#fFL=lCScJOd-HC`MYhA!>a(D`;l#hnBux_P81gyFhZ+$_p
z9uSWmA2DxeFkIDuI;}(w$75i?bsju&4FLWU%vZNXj6!=Pp=eku;Bb^%2cTX>1@rqa
zUc6{voR>&S(F2w6oi~*wmJXUCeAN#ip*HP~w>9hCcH6t{3ohgBnLU2T(~|XUz3th0
zvoC$@kF%b!+n%wsB<ET?KOeh3mTTCO^KDsZPB-=Dn%n1JU6@Soc`Mx+O8dkIc4kB1
z0mE;od&KbGx<?%2J;6f%MbFrGmeK+!OMAxtOZ@|w!biIfRk2^P1KVu>#DVlLEdx8b
zTkF|@F59g}4&^2n6yMs!4s_dYZMLD@#bS9ki}Fs}A;ErY4?D2Wb!)E+<ga);l;>^O
z;~Kj9!H^95tf(^Vx;>1G9!uyPECj4K@&&;~B}14DV)7a!#u}eGbt=yz_WVlf&Cgio
z9_;9c<ncx3k;U$)`;LKRxsIvzTz>b@-@V@RS1&HQJJLeON(O-rMFu$p8RQPi89X?+
zSWB<U!N(}O7REr6Nf~1Y%P{|U_`;;Pa)wYWqm~f50cDqI5=1Miz#4gE0664@--<_U
z29J;fa8q&+k{K7}iM)%YTVvoPsR0`~iVa@D1Se09L85a&9y)(UO(+45sy8`~#RAEL
zQUzv3M}_J##hxClh_RBGex*KBPKd!M=%TJwo!htk()SDB!ti4I{%rI9PlcSP?X&l<
zynpqF^XD_3?nl<5^8Rb{{(>%-s_uuo4mGl0umdmJzT`mq)%t;c?p8HBu-A60rV-_h
zE-1dW1C-N-iVE^x7R&dsDEHeA)!V<au!pR!uQ(UVZab9UFx<}>XB^_0v1lx!{eZjy
z&ju<@b(Jb7`Xl)j(_K=@!s!0hmhNTfs-n|)ky*CzjvdRcHE1UqNZ2O!p$_VE4MS`A
zEx$w-4W`KVabO^s5N>PP1!l8ggo{<8)ii|Q9kC%))w0WkJ*Y+HaV??^6+*O^jP$gY
z0&VG7(XxW~RXK1LEf}&_Ivg<PXsR^z^xS0+0$H;igvpg>$caum!z!A(R?M@~nwssa
zY5STrw|CR_B`XG@b?xxuS~F74+kf@3<Fp))CxY4q?ICudxf@)W(YXILRDl%-C*iTL
ze2DJC2oSWyX5{-g4nYv>jzm%>)RE9_DH^!zHWd#0QmXEVB&L#aS(BrBRTSdjm_pkH
z1cF{B91E%tK59qbNrmHjmC;9vB%(6;L#%ch)gvS&lOPt@=m~*JPCzEW8_M)YSiz4c
zqSLxPPi8726zC{#_u4Q5Hv?`prcA;~BRV6Jnu<hZRn>P_Qn*z*Apxp)Ai;>*^I89u
z{`B^PUpJ>uPJG&*uAiJ0?wR4zoHyIlm1*i)P?v<=Ik)HX`<LGT@egPDLOeCsFgJ0%
zCB5bFl5nJ~aQ>YoA%MO+L}qgh*``3IDX=h<Y1)(ZzLfF4wCEjJ5)R#~Ys}VlX6iZ@
z>o(2Wiz9gE*IoC`L+c$kw=N0$%PU^RIlWt<;`L0^u5{0v-w1C#Y2z{Ar7ZIIApA~Q
zq_So`lUqcaXcq<1A+q4KJA>f57c~hqqiT4js2Ni+6`?>*!E=x>CgYIAeg>qdTj3lg
zLG&7W$OPxs(nKPqL}yw;@;fPjk{tD8jsJXD^+T<n){-c6zrpD|!dJIX0j}UY2u=!Q
zEgXxhH+YJ8GKF_iFhPWap`Zo<F|3vvg!WSOl{oKGVK#d2YM`yy?QOghKJIhE)&z6T
z)o}UsORxX<jeE78T+8-c+ku>ab9(E(blZLi+kJHpI9qkiZ>$c7^BLIr54b<Y4*Zs1
z#=$WS&nhrw-a1(*Gb00)U82>%0N5|IGZpL*IAw_8vP)cPODgw!mNVxRt3;PrEm{G2
zHBTVVJv>v7I~T?yB;(i#xmaf}JhrB^iLSjjSUCMu06GB4nU(_gR_Id(*!$N3u;d&(
zj$TLMs!b<lpipH3f;(-dy$rH31F>O$VICB><N^!;zF$3#<2+Bm7nC&lf>sH$-~l3L
z3o#`!DWL$y{i;m5rBIBilzdkw-3py1;124aKmzD(^nDh)5=(dN$u#bnt;z}Y#<A3#
zy6`qVmg>D{((+(>^i=u`L0(p$%FC4jz9ZLmhywhTblb7D1N{FdIl2qD3kJJoEm97(
zs|Bce45*PX97Cw#xCA5zsFtHMt#2YR!l{H&;WzOH&c}H<TErT84>pm!kK0*Fd#x*I
z&m2V>hcoW8;6m(NmGa8FAg;^l?!ebo=^x05hKc7yLvOC_AVou8x^3U@JsMKVSp^Oq
zO&_uh4dfHtL4$Z=%DHen7M1Xgjs#Lzov9l&di$}=Ps>)_{SBqN|KynZuGO~x$vz+d
zukJsv!S3I;{kJ^DRU#5B-Has|EOCxLEf9dau+)Z2G~+sMV8BmL__iZ9Q1_mq=Nl{S
zw0S;QQ1`uS-S6_Ae}TJ>^IzfQG^F2_Q0q@Ur`C7n+PYxZ7x=jk)~@qEho$<Rxj1k-
zjqi1z)5Q^r&hS%Rqi4A|4l(cKJn7=Vcop8`uLzSXxm55K1r1<pX}WIJ`I+tOX#4s#
zw{M{BoyGPL46GlfgqDBljFG^Hh}VxWLFg1=PyQ6Ml<8{1aX2E6PD@4{I^!Fm=jui{
zkgxOSW7H`2k};u*fM$-I#sp8f$Qej<+XRFLVAq^9-k^bRz)mAwg2YwH`&tqDUdKl0
zdJzIiS=76!RL4w*P)aDq+~I)@H>__pC3|YuzrlOngM?~Xw!Sk{-#LFaQ@?Xo$O*Ms
zp*bTo&kf%6q*3ZCcw=h`k}Er75N+(I^m`=TcC@I9%NT7uXk_X=|Klk5!jiDJJUo6a
z)3h_a`|vly5gN(BaRa_!qb@RiV@LOC7>@L|Lb1*dClncuH3qOvHzq>`2@m9T>-aQm
zi1Au_7_0D5JW#6(l7y5gNxD;#rV`N<oJ&Y>ASmIPNWR7`!Cnzni^mjMNk|gejRW*y
zg2yNn6GTM`--wV)nEV8jpJIY+Nd6iUeZ3^%8A~i8g*A=D##1mO7;OVKKxH+KZ}DRY
zf=MI%srZT4pTRMs#~NancUi3dWx;9fT=v=_sdHgrOSRRxyrCA7jZ`v|M;q2#kFv(V
zI9$Mwk2sNnxAgFc1fvD=CM57meOe^}l!TNL(-61#QHXXr9vi3c<c%|FR4CmRgLfcA
zqf3lyN6&F2-3}+wi8wf&4cN$=|MVgV@3?}6cknS-emn%F@80$H6>Y|Y=BEb5Petg<
z{gv$|)F9r__}D}W8=sodxBhx<>3CD&m}0yjYbz~Q<wy!*tLY$hpXt{t^t%Cl)5=!#
z132SWrJuyn4-NE<72BHA&wq_UKSI!j5m?H@@LrH^XW2gMLcamGgXBwC6|h%~im%2W
za4gH-WjelPYJSZ)f6chz|6RuWE#tb!a32dl5<YhS$o(mMW%m_r?$xUwWIbIOPuHTS
zJL}n#@$C5(oAK;htlz)H^#40Ee3yBN{`cQydhaqXgS>2uTG*rP+}5mbTgJETHw?{E
Gko-3VNk4x8

literal 0
HcmV?d00001

diff --git a/webui/backend/tests/golden/test_api_upload_golden.py b/webui/backend/tests/golden/test_api_upload_golden.py
new file mode 100644
index 0000000..eaf817e
--- /dev/null
+++ b/webui/backend/tests/golden/test_api_upload_golden.py
@@ -0,0 +1,186 @@
+from __future__ import annotations
+
+import asyncio
+import sys
+import tempfile
+import unittest
+from pathlib import Path
+
+import httpx
+
+sys.path.insert(0, str(Path(__file__).resolve().parents[3]))
+
+from backend.app.dependencies import get_file_ops_service, get_history_service
+from backend.app.db.history_repository import HistoryRepository
+from backend.app.fs.filesystem_adapter import FilesystemAdapter
+from backend.app.main import app
+from backend.app.security.path_guard import PathGuard
+from backend.app.services.file_ops_service import FileOpsService
+from backend.app.services.history_service import HistoryService
+
+
+class UploadApiGoldenTest(unittest.TestCase):
+    def setUp(self) -> None:
+        self.temp_dir = tempfile.TemporaryDirectory()
+        self.root = Path(self.temp_dir.name) / "root"
+        self.root.mkdir(parents=True, exist_ok=True)
+        self.uploads_dir = self.root / "uploads"
+        self.uploads_dir.mkdir(parents=True, exist_ok=True)
+        self.db_path = str(Path(self.temp_dir.name) / "history.db")
+
+        history_repository = HistoryRepository(self.db_path)
+        file_ops_service = FileOpsService(
+            path_guard=PathGuard({"storage1": str(self.root)}),
+            filesystem=FilesystemAdapter(),
+            history_repository=history_repository,
+        )
+        history_service = HistoryService(repository=history_repository)
+
+        async def _override_file_ops_service() -> FileOpsService:
+            return file_ops_service
+
+        async def _override_history_service() -> HistoryService:
+            return history_service
+
+        app.dependency_overrides[get_file_ops_service] = _override_file_ops_service
+        app.dependency_overrides[get_history_service] = _override_history_service
+
+    def tearDown(self) -> None:
+        app.dependency_overrides.clear()
+        self.temp_dir.cleanup()
+
+    def _upload(self, *, target_path: str, filename: str, content: bytes) -> httpx.Response:
+        async def _run() -> httpx.Response:
+            transport = httpx.ASGITransport(app=app)
+            async with httpx.AsyncClient(transport=transport, base_url="http://testserver") as client:
+                return await client.post(
+                    "/api/files/upload",
+                    data={"target_path": target_path},
+                    files={"file": (filename, content, "application/octet-stream")},
+                )
+
+        return asyncio.run(_run())
+
+    def _get_history(self) -> list[dict]:
+        async def _run() -> list[dict]:
+            transport = httpx.ASGITransport(app=app)
+            async with httpx.AsyncClient(transport=transport, base_url="http://testserver") as client:
+                response = await client.get("/api/history")
+                return response.json()["items"]
+
+        return asyncio.run(_run())
+
+    def test_upload_single_file_success(self) -> None:
+        response = self._upload(target_path="storage1/uploads", filename="hello.txt", content=b"hello")
+
+        self.assertEqual(response.status_code, 200)
+        body = response.json()
+        self.assertEqual(body["path"], "storage1/uploads/hello.txt")
+        self.assertEqual(body["size"], 5)
+        self.assertTrue((self.uploads_dir / "hello.txt").exists())
+
+        history = self._get_history()
+        self.assertEqual(history[0]["operation"], "upload")
+        self.assertEqual(history[0]["status"], "completed")
+        self.assertEqual(history[0]["destination"], "storage1/uploads/hello.txt")
+
+    def test_upload_target_path_not_found(self) -> None:
+        response = self._upload(target_path="storage1/missing", filename="hello.txt", content=b"hello")
+
+        self.assertEqual(response.status_code, 404)
+        self.assertEqual(
+            response.json(),
+            {
+                "error": {
+                    "code": "path_not_found",
+                    "message": "Requested path was not found",
+                    "details": {"path": "storage1/missing"},
+                }
+            },
+        )
+
+    def test_upload_target_path_is_file(self) -> None:
+        target_file = self.root / "not_a_directory.txt"
+        target_file.write_text("x", encoding="utf-8")
+
+        response = self._upload(target_path="storage1/not_a_directory.txt", filename="hello.txt", content=b"hello")
+
+        self.assertEqual(response.status_code, 409)
+        self.assertEqual(
+            response.json(),
+            {
+                "error": {
+                    "code": "path_type_conflict",
+                    "message": "Requested path is not a directory",
+                    "details": {"path": "storage1/not_a_directory.txt"},
+                }
+            },
+        )
+
+    def test_upload_traversal_blocked(self) -> None:
+        response = self._upload(target_path="storage1/../etc", filename="hello.txt", content=b"hello")
+
+        self.assertEqual(response.status_code, 403)
+        self.assertEqual(
+            response.json(),
+            {
+                "error": {
+                    "code": "path_traversal_detected",
+                    "message": "Path traversal is not allowed",
+                    "details": {"path": "storage1/../etc"},
+                }
+            },
+        )
+
+    def test_upload_invalid_root_alias(self) -> None:
+        response = self._upload(target_path="unknown/uploads", filename="hello.txt", content=b"hello")
+
+        self.assertEqual(response.status_code, 403)
+        self.assertEqual(
+            response.json(),
+            {
+                "error": {
+                    "code": "invalid_root_alias",
+                    "message": "Unknown root alias",
+                    "details": {"path": "unknown/uploads"},
+                }
+            },
+        )
+
+    def test_upload_invalid_filename_blocked(self) -> None:
+        response = self._upload(target_path="storage1/uploads", filename="..", content=b"hello")
+
+        self.assertEqual(response.status_code, 400)
+        self.assertEqual(
+            response.json(),
+            {
+                "error": {
+                    "code": "invalid_request",
+                    "message": "Invalid name",
+                    "details": {"name": ".."},
+                }
+            },
+        )
+
+    def test_upload_conflict_on_existing_file(self) -> None:
+        existing = self.uploads_dir / "hello.txt"
+        existing.write_text("existing", encoding="utf-8")
+
+        response = self._upload(target_path="storage1/uploads", filename="hello.txt", content=b"hello")
+
+        self.assertEqual(response.status_code, 409)
+        self.assertEqual(
+            response.json(),
+            {
+                "error": {
+                    "code": "already_exists",
+                    "message": "Target path already exists",
+                    "details": {"path": "storage1/uploads/hello.txt"},
+                }
+            },
+        )
+
+        history = self._get_history()
+        self.assertEqual(history[0]["operation"], "upload")
+        self.assertEqual(history[0]["status"], "failed")
+        self.assertEqual(history[0]["error_code"], "already_exists")