01
Document handling
Documents are uploaded directly to Cloudflare R2 object storage over an encrypted connection. The application server is not in the data path for the file itself. Before issuing an upload URL, the server validates the file size (500 MB maximum), confirms that the content type is PDF, DOCX, XLSX, or PPTX, and verifies that the requesting user is a member of the target audit.
Upload and download URLs are presigned with a 15-minute expiry. The storage bucket is not public. No one retrieves a document by guessing a URL.
Storage keys are structured to mirror the authorization boundary: each object is prefixed with the matter identifier so that a misconfigured access policy would still constrain cross-tenant access. Files are content-addressed with a SHA-256 hash stored in the database as a tamper-evidence anchor.
Uploaded filenames are sanitized before use as storage keys: path traversal characters are stripped and unsafe characters are replaced. Extracted text and LLM classification responses are stored separately in R2 and are never written to local disk during request handling.
