From c9aa69f767a8ba45817b791b98a1a0b6d835d395 Mon Sep 17 00:00:00 2001
From: jason <stedwell@gmail.com>
Date: Wed, 22 Apr 2026 22:28:46 -0500
Subject: [PATCH] image fixes

---
 .dockerignore                |  9 +++++++++
 package.json                 |  2 +-
 server/src/index.ts          | 11 +++++++++--
 server/src/routes/uploads.ts |  8 +-------
 4 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/.dockerignore b/.dockerignore
index f80b7cc..06132e2 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -4,3 +4,12 @@ node_modules
 data
 .git
 *.log
+# Agent/skills files — not part of the app
+AGENTS.md
+DEPLOYMENT-PROFILE.md
+PROJECT-PROFILE-WORKBOOK.md
+ROUTING-EXAMPLES.md
+SKILLS.md
+hubs/
+skills/
+memory/
diff --git a/package.json b/package.json
index d2b7bdf..0b19a85 100644
--- a/package.json
+++ b/package.json
@@ -1,5 +1,5 @@
 {
-  "name": "ai-tools-dashboard",
+  "name": "codedump",
   "version": "1.0.0",
   "private": true,
   "workspaces": ["client", "server"],
diff --git a/server/src/index.ts b/server/src/index.ts
index 28c7135..86b35af 100644
--- a/server/src/index.ts
+++ b/server/src/index.ts
@@ -2,6 +2,7 @@ import express from 'express';
 import cors from 'cors';
 import path from 'path';
 import './db/schema'; // initialize DB + bootstrap admin
+import { UPLOAD_PATH } from './db/schema';
 import { requireAuth } from './middleware/auth';
 import authRouter from './routes/auth';
 import projectsRouter from './routes/projects';
@@ -16,13 +17,19 @@ const PORT = Number(process.env.PORT || 3000);
 app.use(cors());
 app.use(express.json({ limit: '10mb' }));
 
-// Public — auth endpoints (login doesn't require token)
+// Public — auth endpoints
 app.use('/api/auth', authRouter);
 
+// Public — serve uploaded files as static assets.
+// <img> tags and markdown renderers can't send Authorization headers,
+// so file reads must be unauthenticated. POST/DELETE in uploadsRouter
+// are still protected by requireAuth inside the router.
+app.use('/api/uploads', express.static(UPLOAD_PATH));
+
 // Protected — all other API routes require a valid JWT
 app.use('/api/projects', requireAuth, projectsRouter);
 app.use('/api/tools', requireAuth, toolsRouter);
-app.use('/api/uploads', requireAuth, uploadsRouter);
+app.use('/api/uploads', requireAuth, uploadsRouter); // handles POST + DELETE only
 app.use('/api/settings', requireAuth, settingsRouter);
 app.use('/api/users', usersRouter); // requireAdmin applied inside router
 
diff --git a/server/src/routes/uploads.ts b/server/src/routes/uploads.ts
index 6ccd1ba..6b7db96 100644
--- a/server/src/routes/uploads.ts
+++ b/server/src/routes/uploads.ts
@@ -3,6 +3,7 @@ import multer from 'multer';
 import path from 'path';
 import fs from 'fs';
 import { v4 as uuidv4 } from 'uuid';
+// Note: GET /api/uploads/:filename is served by express.static in index.ts (no auth needed for <img> tags)
 import db, { UPLOAD_PATH } from '../db/schema';
 
 const router = Router();
@@ -46,13 +47,6 @@ router.post('/projects/:projectId', upload.single('file'), (req: Request, res: R
   });
 });
 
-// Get raw file
-router.get('/:filename', (req: Request, res: Response) => {
-  const filePath = path.join(UPLOAD_PATH, path.basename(req.params.filename));
-  if (!fs.existsSync(filePath)) return res.status(404).json({ error: 'File not found' });
-  res.sendFile(filePath);
-});
-
 // Delete a document
 router.delete('/documents/:id', (req: Request, res: Response) => {
   const doc = db.prepare('SELECT * FROM documents WHERE id = ?').get(req.params.id) as any;