Add Object Storage and File Attachment Protocol schemas

[Copilot]

Implements metadata schemas for object storage providers (S3, Azure Blob, GCS, MinIO, etc.) and file attachment field configuration to enable storage-backed file uploads in ObjectStack applications.

Object Storage Protocol (system/object-storage.zod.ts)

Comprehensive schemas for multi-cloud storage integration:

const storage = ObjectStorageConfigSchema.parse({
  name: 'production_storage',
  provider: 's3',
  connection: {
    accessKeyId: '${AWS_ACCESS_KEY_ID}',
    secretAccessKey: '${AWS_SECRET_ACCESS_KEY}',
    region: 'us-east-1',
  },
  buckets: [{
    name: 'user_uploads',
    bucketName: 'prod-uploads',
    encryption: { enabled: true, algorithm: 'aws:kms' },
    lifecyclePolicy: {
      rules: [{
        id: 'archive_old',
        action: 'transition',
        daysAfterCreation: 90,
        targetStorageClass: 'glacier',
      }],
    },
    multipartConfig: {
      threshold: 100 * 1024 * 1024,  // 100MB
      partSize: 10 * 1024 * 1024,     // 10MB
    },
  }],
});

Schemas: StorageProvider, BucketConfig, ObjectMetadata, AccessControlConfig, LifecyclePolicyConfig, PresignedUrlConfig, MultipartUploadConfig

Key features:

• 9 provider types (S3, Azure, GCS, MinIO, R2, Spaces, Wasabi, Backblaze, Local)
• Access control with CORS, ACL, IP filtering (allowedIps/blockedIps)
• Lifecycle policies with validation (transition requires targetStorageClass)
• Presigned URL generation (60s - 7 days TTL)
• Multipart upload (5MB-5GB parts, configurable concurrency)

File Attachment Configuration (data/field.zod.ts)

Extends FieldSchema with FileAttachmentConfigSchema for file/image/avatar field types:

const resumeField = {
  type: 'file',
  fileAttachmentConfig: {
    maxSize: 5 * 1024 * 1024,  // 5MB
    allowedTypes: ['.pdf', '.docx'],
    virusScan: true,
    virusScanProvider: 'clamav',
    storageProvider: 'production_storage',
    storageBucket: 'user_uploads',
    storagePrefix: 'resumes/',
    extractText: true,
    versioningEnabled: true,
  },
};

Capabilities:

• File type restrictions (extensions + MIME types)
• Size constraints with validation (minSize ≤ maxSize)
• Virus scanning integration (ClamAV, VirusTotal, MetaDefender)
• Image validation (dimensions, aspect ratio, thumbnail generation)
• Storage provider binding
• Metadata extraction (file info, OCR text)
• Version history

Validation constraints:

• virusScanProvider requires virusScan: true
• minSize must be ≤ maxSize
• Lifecycle transition actions require targetStorageClass

Original prompt

4.1 Object Storage Protocol / 对象存储协议

In THIS Repo (Spec Definitions) / 在本仓库（规范定义）

Object Storage Protocol

Create packages/spec/src/system/object-storage.zod.ts
Storage provider enum (S3, Azure Blob, GCS, MinIO)
Bucket configuration schema
Object metadata schema
Access control schema
Lifecycle policy schema
Presigned URL configuration
Multipart upload configuration
File Attachment Protocol

Enhance packages/spec/src/data/field.zod.ts
Add file/attachment field configuration
Add file size limits
Add allowed file types
Add virus scanning configuration
In SEPARATE Repos (Implementations) / 在独立仓库（实现）

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
spec	Ready	Preview, Comment	Jan 30, 2026 0:00am

[github-actions]

This PR is very large. Consider breaking it into smaller PRs for easier review.

To fix the problem, remove the unused imported symbol LifecycleActionSchema from the import list on line 2. This aligns with the recommendation to delete unused program elements and will clear the CodeQL warning.

Concretely, in packages/spec/src/system/object-storage.test.ts, edit the import block at the top of the file so that LifecycleActionSchema is no longer listed among the imported schemas. No other code changes are needed, and no new imports or definitions are required. The rest of the tests and imports should remain unchanged.

[Copilot]

Pull request overview

This PR implements metadata schemas for object storage providers and file attachment field configuration to enable storage-backed file uploads in ObjectStack applications.

Changes:

• Added comprehensive Object Storage Protocol schemas in packages/spec/src/system/object-storage.zod.ts supporting 9 cloud providers (S3, Azure Blob, GCS, MinIO, R2, Spaces, Wasabi, Backblaze, Local)
• Extended Field schema with FileAttachmentConfig for file/image/avatar field types with virus scanning, storage integration, and image validation capabilities
• Added comprehensive test suites for both protocols with 750+ lines of test coverage
• Generated JSON schemas and documentation files for the new protocols

Reviewed changes

Copilot reviewed 28 out of 28 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
packages/spec/src/system/object-storage.zod.ts	Core object storage protocol with provider configs, bucket management, lifecycle policies, and multipart uploads
packages/spec/src/system/object-storage.test.ts	Comprehensive test suite covering all storage schemas and validation rules
packages/spec/src/data/field.zod.ts	Added FileAttachmentConfig schema with file type restrictions, virus scanning, and storage provider binding
packages/spec/src/data/field.test.ts	Extended tests with 370+ lines covering file attachment configuration scenarios
packages/spec/src/system/index.ts	Added exports for object storage protocol
packages/spec/json-schema/system/*.json	Generated JSON schemas for object storage types
packages/spec/json-schema/data/*.json	Generated JSON schemas for file attachment config
content/docs/references/system/object-storage.mdx	Documentation for system-level object storage protocol
content/docs/references/integration/object-storage.mdx	ISSUE: Incorrectly references non-existent integration file
content/docs/references/integration/misc.mdx	Updated to remove MultipartUploadConfig section but imports remain
content/docs/references/data/field.mdx	Added FileAttachmentConfig documentation

[Copilot]

The documentation file content/docs/references/integration/object-storage.mdx incorrectly references a non-existent source file packages/spec/src/integration/object-storage.zod.ts. The actual object storage protocol is defined in packages/spec/src/system/object-storage.zod.ts. This documentation file should either be removed or moved to the system directory where it actually belongs.

Suggested change

	**Source:** `packages/spec/src/integration/object-storage.zod.ts`
	**Source:** `packages/spec/src/system/object-storage.zod.ts`

[Copilot]

This file documents a MultipartUploadConfig schema that does not match the one defined in the actual source code. The integration layer already has a MultipartUploadConfigSchema defined in packages/spec/src/integration/connector/file-storage.zod.ts with different properties (partSize, maxConcurrentParts, threshold). This documentation file appears to be incorrectly created and should be removed, as the proper documentation for the system-level MultipartUploadConfig is already in content/docs/references/system/object-storage.mdx.

Suggested change

	<Callout type="info">
	**Source:** `packages/spec/src/integration/object-storage.zod.ts`
	</Callout>
	## TypeScript Usage
	```typescript
	import { MultipartUploadConfigSchema } from '@objectstack/spec/integration';
	import type { MultipartUploadConfig } from '@objectstack/spec/integration';
	// Validate data
	const result = MultipartUploadConfigSchema.parse(data);
	```
	---
	## MultipartUploadConfig
	### Properties
	| Property | Type | Required | Description |
	| :--- | :--- | :--- | :--- |
	| **enabled** | `boolean` | optional | Enable multipart uploads |
	| **partSize** | `number` | optional | Part size in bytes (min 5MB) |
	| **maxConcurrentParts** | `number` | optional | Maximum concurrent part uploads |
	| **threshold** | `number` | optional | File size threshold for multipart upload in bytes |
	<Callout type="warning">
	This integration-level documentation for `MultipartUploadConfig` has been deprecated.
	The canonical reference for the system-level object storage configuration (including multipart uploads) is available at:
	- [`System / Object Storage` reference](../system/object-storage)
	Please refer to that page for the up-to-date schema and properties.
	</Callout>

[Copilot]

The removal of the MultipartUploadConfig section from this file is correct, as it was previously documenting the schema from packages/spec/src/integration/connector/file-storage.zod.ts. However, the import statement on line 15 still includes MultipartUploadConfigSchema and MultipartUploadConfig, which should be removed from the imports if this section has been deleted.

[Copilot]

The validation allows a minimum expiration of 1 second (min(1)), but the PR description states "60s - 7 days TTL", suggesting a minimum of 60 seconds. Consider whether the minimum should be 60 seconds instead of 1 second for security and practical reasons. Very short-lived presigned URLs (< 60 seconds) may cause issues with client clock skew and network delays.