refactor(content): extract the upload ingest into a shared lib (#73)

routes/content.js POST / processing (thumbnail/dimensions/duration) + insert moved to
lib/content-ingest.js so the agency router produces byte-identical first-class content.
content.js POST / is now a thin caller; behavior-preserving - the 52 content regression
tests (api/operator-permissions/config-paths) pass unchanged.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

server/lib/content-ingest.js

@@ -0,0 +1,77 @@
+'use strict';
+
+// #73: shared content-ingest core. Extracted from routes/content.js POST / so the agency
+// upload (routes/agency.js) produces BYTE-IDENTICAL first-class content (same thumbnail/
+// dimensions/duration/insert) - an agency asset is indistinguishable from a dashboard
+// upload. routes/content.js POST / is now a thin caller; behavior is unchanged (its
+// existing tests are the regression guard).
+
+const path = require('path');
+const { v4: uuidv4 } = require('uuid');
+const { db } = require('../db/database');
+const config = require('../config');
+const { sanitizeString } = require('../middleware/sanitize');
+
+// Multer takes file.originalname from the multipart header, bypassing sanitizeBody, so
+// HTML-escape here (renders as text in every UI sink). .normalize('NFC') first: macOS
+// sends NFD-decomposed names; Linux/renderers expect NFC. Single point - every filename
+// storage site flows through here.
+function safeFilename(name) {
+  return sanitizeString((name || '').normalize('NFC'));
+}
+
+// Process a multer-uploaded file (thumbnail + dimensions + duration) and insert a content
+// row. Returns the content row. Throws on a hard failure (the caller maps to 500);
+// thumbnail/metadata failures are best-effort (logged, non-fatal) exactly as before.
+async function ingestUploadedFile({ file, userId, workspaceId }) {
+  const id = uuidv4();
+  const filepath = file.filename;
+  let width = null, height = null, durationSec = null, thumbnailPath = null;
+
+  try {
+    if (file.mimetype.startsWith('image/')) {
+      const sharp = require('sharp');
+      const metadata = await sharp(file.path).metadata();
+      width = metadata.width;
+      height = metadata.height;
+      thumbnailPath = `thumb_${filepath}`;
+      await sharp(file.path)
+        .resize(config.thumbnailWidth)
+        .jpeg({ quality: 70 })
+        .toFile(path.join(config.contentDir, thumbnailPath));
+    } else if (file.mimetype.startsWith('video/')) {
+      try {
+        const { execFileSync } = require('child_process');
+        const probe = execFileSync('ffprobe', ['-v', 'quiet', '-print_format', 'json', '-show_format', '-show_streams', file.path],
+          { timeout: 15000 }
+        ).toString();
+        const info = JSON.parse(probe);
+        if (info.format?.duration) durationSec = parseFloat(info.format.duration);
+        const videoStream = info.streams?.find(s => s.codec_type === 'video');
+        if (videoStream) {
+          width = videoStream.width;
+          height = videoStream.height;
+        }
+        thumbnailPath = `thumb_${filepath.replace(/\.[^.]+$/, '.jpg')}`;
+        try {
+          execFileSync('ffmpeg', ['-y', '-i', file.path, '-ss', '2', '-vframes', '1', '-vf', `scale=${config.thumbnailWidth}:-1`, path.join(config.contentDir, thumbnailPath)],
+            { timeout: 15000 }
+          );
+        } catch { thumbnailPath = null; }
+      } catch (e) {
+        console.warn('ffprobe failed:', e.message);
+      }
+    }
+  } catch (e) {
+    console.warn('Thumbnail/metadata generation failed:', e.message);
+  }
+
+  db.prepare(`
+    INSERT INTO content (id, user_id, workspace_id, filename, filepath, mime_type, file_size, duration_sec, thumbnail_path, width, height)
+    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+  `).run(id, userId, workspaceId, safeFilename(file.originalname), filepath, file.mimetype, file.size, durationSec, thumbnailPath, width, height);
+
+  return db.prepare('SELECT * FROM content WHERE id = ?').get(id);
+}
+
+module.exports = { ingestUploadedFile, safeFilename };

server/routes/content.js

@@ -11,6 +11,8 @@ const { sanitizeString } = require('../middleware/sanitize');
 const { PLATFORM_ROLES, ELEVATED_ROLES } = require('../middleware/auth');
 // Phase 2.2b: workspace-aware access. Mirrors the pattern from devices.js.
 const { accessContext } = require('../lib/tenancy');
+// #73: the upload ingest (processing + insert) is now shared with the agency router.
+const { ingestUploadedFile } = require('../lib/content-ingest');
 
 // Multer captures file.originalname directly from the multipart filename header,
 // bypassing sanitizeBody. Apply the same HTML-escape here so a filename like
@@ -91,60 +93,8 @@ router.post('/', checkStorageLimit, upload.single('file'), async (req, res) => {
     if (!req.workspaceId) return res.status(403).json({ error: 'No workspace context. Switch to a workspace before uploading.' });
     if (!req.file) return res.status(400).json({ error: 'No file uploaded' });
 
-    const id = uuidv4();
+    // #73: shared ingest - identical processing + insert for dashboard and agency uploads.
-    const filepath = req.file.filename;
+    const content = await ingestUploadedFile({ file: req.file, userId: req.user.id, workspaceId: req.workspaceId });
-    let width = null, height = null, durationSec = null, thumbnailPath = null;
-
-    // Try to generate thumbnail, get dimensions, and detect duration
-    try {
-      if (req.file.mimetype.startsWith('image/')) {
-        const sharp = require('sharp');
-        const metadata = await sharp(req.file.path).metadata();
-        width = metadata.width;
-        height = metadata.height;
-
-        // Generate thumbnail
-        thumbnailPath = `thumb_${filepath}`;
-        await sharp(req.file.path)
-          .resize(config.thumbnailWidth)
-          .jpeg({ quality: 70 })
-          .toFile(path.join(config.contentDir, thumbnailPath));
-      } else if (req.file.mimetype.startsWith('video/')) {
-        // Extract video duration and dimensions with ffprobe
-        try {
-          const { execFileSync } = require('child_process');
-          // Use execFileSync (not execSync) to prevent shell injection - args are NOT passed through shell
-          const probe = execFileSync('ffprobe', ['-v', 'quiet', '-print_format', 'json', '-show_format', '-show_streams', req.file.path],
-            { timeout: 15000 }
-          ).toString();
-          const info = JSON.parse(probe);
-          if (info.format?.duration) durationSec = parseFloat(info.format.duration);
-          const videoStream = info.streams?.find(s => s.codec_type === 'video');
-          if (videoStream) {
-            width = videoStream.width;
-            height = videoStream.height;
-          }
-          // Generate video thumbnail at 2 second mark
-          thumbnailPath = `thumb_${filepath.replace(/\.[^.]+$/, '.jpg')}`;
-          try {
-            execFileSync('ffmpeg', ['-y', '-i', req.file.path, '-ss', '2', '-vframes', '1', '-vf', `scale=${config.thumbnailWidth}:-1`, path.join(config.contentDir, thumbnailPath)],
-              { timeout: 15000 }
-            );
-          } catch { thumbnailPath = null; }
-        } catch (e) {
-          console.warn('ffprobe failed:', e.message);
-        }
-      }
-    } catch (e) {
-      console.warn('Thumbnail/metadata generation failed:', e.message);
-    }
-
-    db.prepare(`
-      INSERT INTO content (id, user_id, workspace_id, filename, filepath, mime_type, file_size, duration_sec, thumbnail_path, width, height)
-      VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
-    `).run(id, req.user.id, req.workspaceId, safeFilename(req.file.originalname), filepath, req.file.mimetype, req.file.size, durationSec, thumbnailPath, width, height);
-
-    const content = db.prepare('SELECT * FROM content WHERE id = ?').get(id);
     res.status(201).json(content);
   } catch (err) {
     console.error('Upload error:', err);