Feature: /upload Command — Ephemeral Tunnel-Based File Upload for Remote Users

[teknium1]

Overview

Users on messenger platforms (Telegram, Discord, WhatsApp, Slack) currently have limited options for getting files to Hermes Agent. Small files can be sent directly as platform attachments (20MB Telegram limit, 25MB Discord), but these land in ephemeral cache directories that auto-clean after 24 hours. There's no way to upload large files, bulk upload multiple documents, or send files from a device that isn't running the messenger client.

This proposal introduces a /upload command that spins up an ephemeral upload website via a tunneled connection, gives the user a URL, and accepts file uploads through a browser. The tunnel auto-shuts down after a configurable timeout (default 5 minutes). This complements the workspace feature (see companion issue) by providing a gateway for remote users to populate their workspace.

The approach: run a lightweight HTTP upload server on localhost, expose it through a zero-config tunnel (Cloudflare Quick Tunnel — free, no account needed), send the URL to the user, accept uploads, save to workspace, tear down. Simple, ephemeral, secure.

No existing AI agent platform offers this workflow. Most assume local filesystem access or rely on platform-native attachment limits. This would be a genuinely novel capability.

---

Research Findings

Current File Handling in Hermes Agent

Incoming files from platforms (already works):

• Telegram: bot.get_file() → download to document_cache/. 20MB hard limit via Bot API. Text files (.md, .txt ≤100KB) have content injected into message text.
• Discord: attachment.save() → download from CDN. 25MB limit (50-100MB for boosted servers).
• WhatsApp: Two-step Graph API download (GET media URL → download with auth token).
• Slack: files.info → download with auth header. Three-step upload process for sending.

Limitations:

• All files go to ephemeral cache dirs (UUID-prefixed, flat, 24h auto-cleanup)
• No bulk upload capability
• No cross-device upload (can't send from laptop to Telegram bot on phone)
• No way to bypass platform size limits
• No persistent file organization

Tunneling Solutions Evaluated

Solution	Config Required	Account Needed	HTTPS	Max Upload	Install	Cost
cloudflared	Zero	No	✓	100MB through CF	binary	Free
localtunnel	Zero	No	✓	Unlimited	npm/npx	Free
bore	Zero	No	✗ (TCP only)	Unlimited	cargo/brew	Free
ngrok	Auth token	Yes (free tier)	✓	Unlimited	binary	Freemium

Recommendation: cloudflared Quick Tunnel as primary, localtunnel as fallback.

Cloudflare Quick Tunnel details:

# Zero-config usage — generates random trycloudflare.com subdomain
cloudflared tunnel --url http://localhost:8080
# Output: https://random-words.trycloudflare.com

• No account, no signup, no API keys
• HTTPS with valid TLS certificate (Cloudflare-issued)
• Uses Cloudflare's global Anycast network (fast from anywhere)
• 100MB upload limit through Cloudflare's edge (sufficient for docs)
• 200 concurrent in-flight request limit
• Intended for development/ephemeral use — perfect fit

localtunnel details:

npx localtunnel --port 8080
# Output: https://random.loca.lt

• Zero config, no account
• Node.js dependency (already needed for WhatsApp bridge)
• Self-hostable server available
• Less reliable than cloudflared but good fallback

How Other Platforms Handle File Upload

No other AI agent/bot framework offers tunnel-based file upload. The closest patterns:

• ChatGPT: Direct file upload in web UI (drag & drop), stored server-side
• Telegram Bot API: Platform-native attachment handling (20MB limit, no workaround without custom server)
• Discord bots: CDN-hosted attachments, downloaded by bot
• Ephemeral file sharing services: transfer.sh (defunct), 0x0.st, file.io — upload via curl, get download URL. These are intermediaries, not tunnel-based.

The tunnel approach is novel: instead of routing files through a third-party service, we expose the agent's own upload endpoint directly. Files never leave the user→agent path.

---

Current State in Hermes Agent

What we have:

• Platform adapters already download user-sent files (cache_document_from_bytes() in base.py)
• MEDIA:/path protocol for sending files back to users
• Document cache infrastructure (but ephemeral, unorganized)
• The Pinggy skill (Feature: Pinggy Skill — Zero-Install Localhost Tunnels via SSH #361) proposes SSH-based tunnels but isn't connected to file transfer
• Issue feat: File transfer between sandboxed environments and users (send_file tool) #466 proposes send_file tool for agent→user file transfer + upload via presigned URLs (different approach, complementary)

What we don't have:

• No /upload command
• No tunnel infrastructure
• No ephemeral web server capability
• No file upload web UI
• No way to bypass platform size limits

---

Implementation Plan

Core Architecture: Classification

This is a core codebase change + bundled skill hybrid:

• The /upload command and tunnel management are core (need gateway command integration)
• The upload web server could be a standalone Python module
• The upload page HTML/JS is a static asset
• cloudflared detection and fallback logic needs to be in the core

Upload Flow

User: /upload              (or /upload 30 for 30-minute window)
  │
  ├─ Agent starts HTTP upload server on random localhost port
  ├─ Agent launches cloudflared quick tunnel → gets public URL
  ├─ Agent generates single-use upload token
  ├─ Agent sends URL + token to user:
  │    "📤 Upload files here (link expires in 5 min):
  │     https://random-words.trycloudflare.com/u/abc123
  │     Max 100MB per file. Drag & drop or click to browse."
  │
  ├─ User opens URL in browser
  │    ├─ Clean upload page with drag-and-drop zone
  │    ├─ File type indicators (📄 PDF, 📊 Excel, etc.)
  │    ├─ Upload progress bar
  │    └─ "Upload complete!" confirmation
  │
  ├─ Files saved to ~/.hermes/workspace/uploads/
  ├─ Agent confirms in chat:
  │    "✅ Received 3 files:
  │     - quarterly-report.pdf (2.4 MB)
  │     - meeting-notes.md (12 KB)
  │     - data.csv (847 KB)
  │     Saved to workspace. I can read these now!"
  │
  └─ Tunnel + server shut down (timeout or /upload stop)

What We'd Need

1. Upload HTTP server (tools/upload_server.py or gateway/upload.py) — lightweight async HTTP server (aiohttp or built-in http.server) with multipart file upload handling
2. Upload web page — single-page HTML/JS with drag-and-drop, progress bars, file type validation. Embedded as a string constant or bundled asset.
3. Tunnel manager — detect cloudflared availability, launch quick tunnel, parse URL from stdout, manage lifecycle, fallback to localtunnel
4. /upload command — gateway slash command with optional timeout argument
5. Upload token system — single-use or time-limited tokens for auth (prevent random internet users from uploading)
6. File validation — size limits, type allowlists, malware scanning (ClamAV if available)
7. Workspace integration — save uploaded files to ~/.hermes/workspace/uploads/, update manifest

Security Model

1. Upload token: random 32-char token, single-use or time-limited
2. URL structure: https://tunnel-url/u/{token} — token required for access
3. Size limit: 100MB per file (configurable), 500MB total per session
4. File type allowlist: documents, code, data, images, archives
   Blocked: executables (.exe, .sh, .bat), system files
5. Rate limiting: max 20 files per upload session
6. Auto-shutdown: tunnel killed after timeout (default 5 min)
7. No directory traversal: filenames sanitized, saved to fixed directory
8. HTTPS only: cloudflared provides TLS (never expose plain HTTP)

Phased Rollout

Phase 1: Basic Upload with Cloudflared

• /upload [minutes] command in gateway (all platforms) and CLI
• Minimal HTTP upload server (Python stdlib http.server + multipart parsing)
• Simple but functional upload page (HTML form + JS progress)
• cloudflared quick tunnel (detect binary, launch, parse URL)
• Single-use token authentication
• Files saved to ~/.hermes/workspace/uploads/ (or ~/.hermes/uploads/ if workspace not yet implemented)
• Auto-shutdown after timeout
• /upload stop to manually tear down

Phase 2: Enhanced UX + Fallback

• Drag-and-drop upload page with file type icons, batch progress
• Fallback tunnel chain: cloudflared → localtunnel → bore → direct URL (for LAN)
• Platform-native "save to workspace" button for direct message attachments
• Upload history and file management (/uploads list, /uploads delete)
• Webhook notification to chat when upload completes (real-time confirmation)
• Configurable: default timeout, max file size, allowed types in config.yaml

Phase 3: Smart Upload + Integration

• Auto-index uploaded files (text extraction, summary generation)
• Auto-detect file type and route to appropriate workspace subdirectory
• Bulk upload support (ZIP archives auto-extracted)
• QR code generation for the upload URL (easy mobile scanning)
• Integration with workspace RAG (auto-embed uploaded documents)
• Resume capability for interrupted large uploads
• Per-user upload quotas (integrates with Feature: Gateway Permission Tiers — Role-Based Access Control (Owner/Admin/User/Guest) for Messenger Platforms #527 permission tiers)

---

Pros & Cons

Pros

• Solves a real pain point: Remote users on Telegram/Discord have no good way to get files to the agent beyond tiny platform attachments
• Zero config for users: They click a link, drag files, done. No CLI, no SCP, no extra tools.
• Zero cost: cloudflared quick tunnels are free, no account needed
• Secure by design: HTTPS via Cloudflare, token auth, auto-shutdown, size limits
• Novel: No other AI agent does this. It's a genuine differentiator.
• Ephemeral: No persistent attack surface — tunnel exists only during upload window
• Cross-device: User can upload from any device with a browser, not just the one running the messenger
• Composable: Feeds into workspace knowledge base, file transfer (feat: File transfer between sandboxed environments and users (send_file tool) #466), project context (Feature: Project Context System — @ References, .hermes.md Config Files & Workspace Awareness #502)

Cons / Risks

• cloudflared dependency: Needs the cloudflared binary installed. Mitigated by fallback chain and clear error messages ("install cloudflared: brew install cloudflared")
• Network exposure: Even with token auth, exposing a local server to the internet has inherent risk. Mitigated by short timeout, token validation, file type restrictions, size limits.
• Cloudflare Quick Tunnel reliability: No SLA, intended for development. For a 5-minute upload window this is fine; for long-running sessions, less reliable.
• Firewall/NAT issues: Some corporate networks block outbound tunnel connections. Fallback to direct platform upload for these cases.
• Complexity: Adding an HTTP server + tunnel management + upload UI is non-trivial. Phase 1 should be minimal to prove the concept.
• No upload from CLI: CLI users don't need tunnels — they have direct filesystem access. The /upload command should detect CLI and just print the workspace path.

---

Open Questions

1. cloudflared vs localtunnel as primary: cloudflared is more reliable and faster but requires a binary install. localtunnel is npm-based (already a dependency for WhatsApp). Recommendation: cloudflared primary, localtunnel fallback.

2. Upload page hosting: Embed HTML as a Python string constant, or serve from a static file? Recommendation: embed as constant for zero-dependency deployment, with option to override via ~/.hermes/upload-page.html.

3. Automatic vs manual tunnel: Should the agent auto-detect "user wants to send me a file" and offer upload? Or only on explicit /upload command? Recommendation: explicit command only in Phase 1; smart detection ("I have a PDF to share") in Phase 3.

4. Integration with feat: File transfer between sandboxed environments and users (send_file tool) #466 (send_file): Issue feat: File transfer between sandboxed environments and users (send_file tool) #466 proposes presigned URLs for large file transfers. Should upload use the same mechanism? Recommendation: different mechanisms for different directions. /upload uses tunnels (user→agent), send_file uses presigned URLs or platform APIs (agent→user).

5. CLI behavior: What should /upload do in CLI mode? Options: (a) print workspace path, (b) open file picker dialog, (c) start local server without tunnel (for LAN access). Recommendation: print workspace path + optional local server for remote CLI sessions.

---

References

• Hermes Agent document cache: gateway/platforms/base.py (cache_document_from_bytes)
• Hermes Agent platform adapters: telegram.py, discord.py, whatsapp.py, slack.py
• Issue feat: File transfer between sandboxed environments and users (send_file tool) #466: File transfer between sandboxed environments and users (send_file tool)
• Issue Feature: Pinggy Skill — Zero-Install Localhost Tunnels via SSH #361: Pinggy Skill (SSH-based tunnels)
• Issue Feature: Project Context System — @ References, .hermes.md Config Files & Workspace Awareness #502: Project Context System
• Cloudflare Quick Tunnels: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/
• localtunnel: https://github.com/localtunnel/localtunnel (22.1k stars)
• bore: https://github.com/ekzhang/bore (10.8k stars)
• Telegram Bot API file limits: 20MB download, 50MB upload
• Discord attachment limits: 25MB (regular), 50-100MB (boosted)

[teknium1]

Codebase Integration Review — Detailed Findings

After a thorough review of the actual codebase, here are the precise integration points, constraints, and revised architectural decisions for the upload feature.

---

1. aiohttp.web Already Available — No New Dependencies

aiohttp >= 3.9.0 is already in the [messaging] extras (pyproject.toml line 44), and is used by:

• gateway/platforms/homeassistant.py — WebSocket + REST client
• gateway/platforms/discord.py — image downloads
• gateway/platforms/whatsapp.py — WhatsApp API bridge

There's even a working reference implementation: tests/fakes/fake_ha_server.py uses aiohttp.web for a full HTTP+WS server with the exact pattern we need:

from aiohttp import web

app = web.Application()
app.router.add_route("POST", "/upload", handle_upload)
app.router.add_route("GET", "/", serve_upload_page)
runner = web.AppRunner(app)
await runner.setup()
site = web.TCPSite(runner, "127.0.0.1", port)
await site.start()
# ... later: await runner.cleanup()

This means the upload server needs ZERO additional dependencies beyond what's already installed for gateway messaging.

2. Tunnel Discovery — Pinggy (SSH) as Zero-Install Primary

The original proposal used cloudflared as the primary tunnel. After reviewing the codebase, a better choice emerged:

Pinggy (ssh -R) requires zero binary installs — just SSH, which is universally available:

ssh -p 443 -R0:localhost:8080 -o StrictHostKeyChecking=no a.pinggy.io
# Output includes: https://randomstring.a.pinggy.link

• No account, no signup, no binary download
• Works through most firewalls (port 443)
• HTTPS with valid TLS
• Free tier: 60 min sessions, 1 Mbps (sufficient for file upload)

Important discovery: skills_guard.py flags tunnels. Line 256 in tools/skills_guard.py classifies ngrok, localtunnel, serveo, and cloudflared as tunnel_service with severity high. However, Pinggy is NOT in this list. More importantly, the /upload command runs from agent code (not LLM-generated skill code), so the skills guard doesn't apply — but this is worth noting for the design.

Revised tunnel priority:

1. Pinggy (ssh -R, zero install, not flagged by guard)
2. cloudflared (if installed, zero-config quick tunnel)
3. localtunnel (npx, Node.js already needed for WhatsApp bridge)
4. Direct URL (for LAN-only access as last resort)

3. Command Pattern — /update as Reference

The /update handler (gateway/run.py lines 1470-1530) is the best reference for /upload because it also manages a background process:

async def _handle_update_command(self, event):
    source = event.source
    # ... validation ...
    # Spawn background process
    proc = subprocess.Popen(
        update_cmd, shell=True,
        start_new_session=True,  # survives parent death
        stdout=..., stderr=...
    )
    # Write marker file for post-restart communication
    marker = _hermes_home / ".update_pending.json"
    marker.write_text(json.dumps({...}))
    return "⚕ Starting Hermes update…"

/upload follows the same pattern:

async def _handle_upload_command(self, event):
    source = event.source
    timeout_min = parse_timeout(event.get_command_args())  # default 5
    
    # Start aiohttp upload server on random port
    server = UploadServer(save_dir=workspace_path, max_size=100*1024*1024)
    port = await server.start()
    
    # Start tunnel (Pinggy SSH, background)
    tunnel_proc, public_url = await start_tunnel(port)
    
    # Generate upload token
    token = secrets.token_urlsafe(24)
    server.set_token(token)
    
    # Store state for cleanup
    self._active_uploads[source.chat_id] = {
        "server": server, "tunnel": tunnel_proc,
        "started": time.time(), "timeout": timeout_min * 60
    }
    
    # Schedule auto-shutdown
    asyncio.get_event_loop().call_later(
        timeout_min * 60, lambda: asyncio.ensure_future(self._stop_upload(source))
    )
    
    return f"📤 Upload files here (expires in {timeout_min} min):\n{public_url}/u/{token}\n\nMax 100MB per file."

4. Sending Proactive Messages — adapter.send() Pattern

For upload completion notifications, we need to send messages proactively (not as command return values). The pattern is already established throughout the codebase:

adapter = self.adapters.get(source.platform)
if adapter:
    await adapter.send(chat_id, "✅ Received: quarterly-report.pdf (2.4 MB)")

Used in: pairing flow (lines 623-639), home channel prompt (lines 798-805), update notification (line 1567), process watcher (lines 1757/1776).

The upload server's file-received callback would use this exact pattern to notify the user in real-time as each file arrives.

5. Document Validation — Reuse Existing Logic

gateway/platforms/base.py already defines SUPPORTED_DOCUMENT_TYPES (lines 183-190):

SUPPORTED_DOCUMENT_TYPES = {
    '.pdf': 'application/pdf',
    '.md': 'text/markdown',
    '.txt': 'text/plain',
    '.docx': 'application/vnd.openxmlformats-...',
    '.xlsx': 'application/vnd.openxmlformats-...',
    '.pptx': 'application/vnd.openxmlformats-...',
}

And cache_document_from_bytes() (line 199) has path traversal protection (line 225-226) and filename sanitization. The upload server should import and reuse these rather than reimplementing validation.

The upload server should extend the type list for the web context:

UPLOAD_ALLOWED_TYPES = {
    **SUPPORTED_DOCUMENT_TYPES,
    '.csv': 'text/csv',
    '.json': 'application/json',
    '.yaml': 'application/x-yaml',
    '.yml': 'application/x-yaml',
    '.py': 'text/x-python',
    '.js': 'text/javascript',
    '.ts': 'text/typescript',
    '.html': 'text/html',
    '.xml': 'application/xml',
    '.zip': 'application/zip',
    '.tar.gz': 'application/gzip',
}

6. Platform Media → Workspace Routing

Currently in gateway/run.py (lines 857-884), incoming documents get context notes injected but always go to ephemeral cache. The modification for workspace integration:

# Current (line 873-877):
if mime_type and mime_type.startswith('text/'):
    context_note = f"[User sent document '{display_name}' — content has been included below]"
else:
    context_note = f"[User sent document '{display_name}', saved at: {url}. Ask the user what they'd like to do with it.]"

# Proposed addition:
# After caching, check if user wants to save to workspace
# Option A: Auto-save with notification
workspace_path = save_to_workspace(cached_path, display_name)
context_note += f"\nAlso saved to workspace at: {workspace_path}"

# Option B: Let the agent decide (smarter, no code change needed)
# Just tell the agent the workspace exists — it can use write_file/terminal to copy

Recommendation: Option B for Phase 1 (zero code change — the workspace manifest in the system prompt tells the agent the workspace exists, and it can decide to save files there). Option A for Phase 2 (explicit "save to workspace" button/command).

7. Command Registration — All 6-8 Touch Points

Adding /upload requires changes in these exact locations:

gateway/run.py:
  - Line 660: Add "upload" to _known_commands set
  - Line ~708: Add dispatch: if command == "upload"
  - New method: _handle_upload_command()
  - New method: _stop_upload() (cleanup)
  - Line ~1092: Add help text in _handle_help_command()
  - New state: self._active_uploads = {} in __init__

hermes_cli/commands.py:
  - Add to COMMANDS dict: "/upload": "Upload files via browser link"

cli.py:
  - Line ~1863: Add elif for /upload
  - CLI handler: just print workspace path (no tunnel needed locally)

gateway/platforms/telegram.py:
  - Line ~143: BotCommand("upload", "Upload files via browser link")

gateway/platforms/discord.py:
  - Line ~566: @tree.command(name="upload", description="Upload files via browser link")
  - Discord slash command with optional minutes parameter

8. Upload Page — Embedded HTML

The upload web page should be embedded as a Python string constant in the upload module (zero file dependencies). Key requirements:

• Drag-and-drop zone with visual feedback
• File type and size validation (client-side, before upload)
• Progress bar per file (XHR with upload progress events)
• Token passed as URL path component (not query param — cleaner)
• Mobile-friendly responsive design
• Dark mode that matches Hermes aesthetic
• "Upload complete" confirmation with file list
• No external dependencies (no CDN links — page must be fully self-contained)

Size estimate: ~5-8 KB of HTML/CSS/JS — trivially embeddable as a constant.

9. Async Integration — Event Loop Considerations

The gateway runs on an asyncio event loop. The upload server must integrate cleanly:

• aiohttp.web runs on the same loop — no threading issues
• web.TCPSite can be started/stopped without blocking
• The tunnel subprocess is managed via asyncio.create_subprocess_exec() for non-blocking I/O
• Auto-shutdown uses asyncio.get_event_loop().call_later() — native async timer
• File upload callbacks can directly call adapter.send() since they're on the same loop

No threading needed. Everything runs in the existing gateway event loop.

10. Interaction with #527 (Permission Tiers)

With RBAC from #527:

• Owner/Admin: Can use /upload with any timeout
• User tier: Can use /upload with max timeout (configurable, e.g., 10 min), rate-limited (e.g., 3 uploads/day)
• Guest tier: Cannot use /upload (no filesystem write access)

The upload server should check the requesting user's tier before starting:

async def _handle_upload_command(self, event):
    tier = self.permission_manager.get_tier(event.source)
    if tier in ("guest", "blocked"):
        return "Upload is not available for your access level."
    max_timeout = {"owner": 60, "admin": 60, "user": 10}.get(tier, 5)
    ...

11. /upload stop — Manual Teardown

Users should be able to stop an active upload session early:

/upload stop    → tears down tunnel + server immediately
/upload status  → shows if upload is active, time remaining, files received

State tracked in self._active_uploads[chat_id] dict on GatewayRunner.

12. Revised Phase 1 Scope (Minimal)

After reviewing the codebase, Phase 1 is simpler than originally estimated:

New files:
  gateway/upload.py         — UploadServer class (aiohttp.web) + tunnel management
  
Modified files:
  gateway/run.py            — /upload command dispatch + handler + state
  gateway/run.py            — help text update
  hermes_cli/commands.py    — COMMANDS dict entry
  cli.py                    — CLI handler (print workspace path)
  gateway/platforms/telegram.py  — BotCommand entry
  gateway/platforms/discord.py   — slash command entry

Dependencies:
  None new (aiohttp already available via [messaging])
  SSH required for Pinggy tunnel (universally available)

Estimated effort: 2-3 days for core upload server + tunnel management, 1 day for command registration across all platforms, 1 day for testing.

[m13v]

cloudflare quick tunnels are perfect for this - we use them for local dev and they're dead simple to spin up programmatically. one thing to watch out for: the tunnel URL is publicly accessible with no auth by default, so you'll want to add a one-time token or short expiry to the upload endpoint. we generate a random path segment that expires after 10 minutes.

[m13v]

we use a similar tunnel + token pattern for our dev workflow. the backend that handles the authenticated upload endpoints: https://github.com/m13v/fazm/blob/main/Desktop/Sources/Providers/ChatProvider.swift - handles the auth token generation and validation.

[reefmind]

Closing as resolved by merged PR(s): #538.