fix(copilot): disambiguate VFS upload paths to prevent stale-row reads

Same-name chat attachments (e.g. multiple "image.png" screenshots) collided
on the VFS path uploads/<originalName>. The agent's read("uploads/image.png")
returned whichever row Postgres ordered first — leading to the agent reading
stale uploads instead of the latest one (real prod incident: trace
71f719d884194b6820851e2267b98cda).

Adds a nullable display_name column on workspace_files plus a partial unique
index on (chat_id, display_name) WHERE context='mothership' that spans the
row's entire lifetime (NOT gated on deleted_at IS NULL). VFS paths handed to
the LLM during a session must remain stable — soft-deleting a sibling cannot
free a name slot the model has already been told about, since that would
make read("uploads/<name>") silently resolve to a different file.

Migration is a clean two-statement ADD COLUMN + CREATE UNIQUE INDEX with no
backfill. Legacy rows keep display_name = NULL; readers coalesce to
original_name. Pre-existing collisions in legacy data persist (the upload
already happened — no fix possible without rewriting history) but new
uploads get full disambiguation. NULLs are distinct in PG unique indexes,
so legacy rows don't block index creation or new inserts.

trackChatUpload allocates "image.png", then "image (2).png", "image (3).png",
... with retry on 23505 narrowed to the displayName index (other 23505s, e.g.
key-active collisions from concurrent same-s3Key inserts, rethrow). Returns
the assigned displayName so the read-hint string given to the model uses it.
Resolver matches displayName for new rows, falls back to original_name for
legacy NULL rows, and orders by uploaded_at DESC so legacy ambiguity resolves
to the newest upload (which fixes the original prod symptom even pre-fix).

Author: TheodoreSpeaks

apps/sim/lib/copilot/tools/handlers/upload-file-reader.ts

@@ -10,11 +10,7 @@ import type { WorkspaceFileRecord } from '@/lib/uploads/contexts/workspace/works
 
 const logger = createLogger('UploadFileReader')
 
-/**
- * VFS-visible name. Pre-displayName-column rows have NULL displayName, so we coalesce
- * to originalName for them (those rows may still collide with each other — acceptable
- * since the upload already happened; only new rows get collision protection).
- */
+/** VFS-visible name. Coalesces to originalName for legacy rows that predate displayName. */
 function vfsName(row: typeof workspaceFiles.$inferSelect): string {
   return row.displayName ?? row.originalName
 }

apps/sim/lib/uploads/contexts/workspace/track-chat-upload.test.ts

@@ -7,7 +7,7 @@ import { beforeEach, describe, expect, it, vi } from 'vitest'
 
 vi.mock('@sim/db', () => dbChainMock)
 
-import { suffixedName, trackChatUpload } from './workspace-file-manager'
+import { CHAT_DISPLAY_NAME_INDEX, suffixedName, trackChatUpload } from './workspace-file-manager'
 
 const CHAT_ID = '11111111-1111-1111-1111-111111111111'
 const WORKSPACE_ID = 'ws_1'
@@ -100,7 +100,7 @@ describe('trackChatUpload', () => {
     // 23505 from the partial unique index on (chat_id, display_name) — the case we retry.
     const displayNameCollision = Object.assign(new Error('duplicate key'), {
       code: '23505',
-      constraint_name: 'workspace_files_chat_display_name_unique',
+      constraint_name: CHAT_DISPLAY_NAME_INDEX,
     })
 
     // Attempt 1: UPDATE finds no row (returning -> []), then INSERT throws displayName 23505.

apps/sim/lib/uploads/contexts/workspace/workspace-file-manager.ts

@@ -408,21 +408,18 @@ export async function registerUploadedWorkspaceFile(params: {
 }
 
 /**
- * Inserts ` (n)` before the last extension, mirroring `withCopySuffix` but starting at n=1
- * for the second occurrence (so `image.png`, `image (2).png`, `image (3).png`).
- * Extensionless names get `name (n)`; dotfiles like `.env` are treated as extensionless.
+ * Like `withCopySuffix` but with `n=1` meaning "no suffix" — used by retry loops where
+ * the first attempt should try the original name (`image.png`, `image (2).png`, ...).
+ * Exported for tests.
  */
 export function suffixedName(name: string, n: number): string {
-  if (n <= 1) return name
-  const dot = name.lastIndexOf('.')
-  if (dot <= 0 || dot === name.length - 1) return `${name} (${n})`
-  return `${name.slice(0, dot)} (${n})${name.slice(dot)}`
+  return n <= 1 ? name : withCopySuffix(name, n)
 }
 
 const MAX_CHAT_DISPLAY_NAME_RETRIES = 1000
 
 /** Postgres constraint name for the partial unique index on `(chat_id, display_name)`. */
-const CHAT_DISPLAY_NAME_INDEX = 'workspace_files_chat_display_name_unique'
+export const CHAT_DISPLAY_NAME_INDEX = 'workspace_files_chat_display_name_unique'
 
 /**
  * Track a file that was already uploaded to workspace S3 as a chat-scoped upload.
@@ -485,13 +482,8 @@ export async function trackChatUpload(
       )
       return { displayName: candidate }
     } catch (error) {
-      /**
-       * Only retry on a collision against the chat displayName index. Any other 23505
-       * (the active-key index from a concurrent insert with the same s3Key, or a
-       * primary-key collision) means a different invariant is contested — bumping the
-       * suffix would silently rename whichever row eventually owns the s3Key, including
-       * a row another caller has already returned to its client.
-       */
+      // Other 23505s (e.g. active-key collision from a racing same-s3Key insert) signal
+      // a different invariant — retrying would silently rename a row another caller owns.
       if (
         getPostgresErrorCode(error) === '23505' &&
         getPostgresConstraintName(error) === CHAT_DISPLAY_NAME_INDEX