feat(upload): surface aborted status + sanitize audit metadata

- Map the new "aborted" pipeline reason to HTTP 499 (nginx "client
  closed request") and pipe request.signal into runUploadPipeline.
- Strip control characters and ANSI escape sequences from
  user-supplied strings (filename, virus name) before they land in
  the audit log or console.error. Clip to 255 chars.
- Propagate the "aborted" failure reason through uploadFile (client)
  and useFileUploadForm so users see "L'upload a été interrompu"
  instead of the generic server_error copy.

Author: maxgfr

packages/app/src/app/api/upload/route.ts

@@ -42,6 +42,7 @@ function isFlowType(value: string | null): value is FlowType {
  *  - 403 — declaration for current year not found (not owned by session SIREN)
  *  - 400 — cse_opinion max files reached
  *  - 422 — ClamAV detected a virus (body includes `virus` name)
+ *  - 499 — client closed the request before the upload finished
  *  - 503 — ClamAV unreachable / timed out (transient, user should retry)
  *  - 500 — S3 or DB failure after stream; compensating delete attempted
  *
@@ -195,6 +196,7 @@ export async function POST(request: Request): Promise<Response> {
 			contentType,
 			stream: request.body,
 			flowType,
+			signal: request.signal,
 		});
 	} catch (error) {
 		console.error("[api/upload]", error);
@@ -296,11 +298,31 @@ function mapFailureToHttp(reason: PipelineFailureReason): {
 			return { status: 422, errorMessage: "HTTP 422 virus_detected" };
 		case "scan_unavailable":
 			return { status: 503, errorMessage: "HTTP 503 antivirus_unavailable" };
+		case "aborted":
+			// 499 is the nginx-style "client closed request" status. The body is
+			// never consumed by the client (they are gone), so the status is
+			// purely for server-side observability.
+			return { status: 499, errorMessage: "HTTP 499 client_aborted" };
 		case "server_error":
 			return { status: 500, errorMessage: "HTTP 500 server_error" };
 	}
 }
 
+/**
+ * Strips control characters (including ANSI escape sequences) and clips to
+ * 255 chars before a user-supplied string is persisted to the audit log or
+ * echoed to a terminal via console.error. Defence-in-depth: a crafted header
+ * could carry escape sequences that mislead log readers.
+ */
+function sanitizeUserText(value: string): string {
+	let out = "";
+	for (const ch of value) {
+		const code = ch.codePointAt(0) ?? 0;
+		if (code >= 0x20 && code !== 0x7f) out += ch;
+	}
+	return out.slice(0, 255);
+}
+
 type AuditFailureInput = {
 	action: AuditActionKey;
 	flowType: FlowType;
@@ -331,9 +353,9 @@ function writeFailure({
 	s3Cleanup = null,
 }: AuditFailureInput): void {
 	const metadata: Record<string, unknown> = { flowType };
-	if (fileName) metadata.fileName = fileName;
+	if (fileName) metadata.fileName = sanitizeUserText(fileName);
 	if (fileId) metadata.fileId = fileId;
-	if (virusName) metadata.virusName = virusName;
+	if (virusName) metadata.virusName = sanitizeUserText(virusName);
 	if (s3Cleanup) metadata.s3Cleanup = s3Cleanup;
 
 	void logAction({

packages/app/src/modules/shared/uploadFile.ts

@@ -11,7 +11,8 @@ export type UploadFailureReason =
 	| "not_found"
 	| "scan_unavailable"
 	| "unauthorized"
-	| "server_error";
+	| "server_error"
+	| "aborted";
 
 type UploadSuccess = { ok: true; fileId: string; fileName: string };
 type UploadError = {
@@ -80,6 +81,7 @@ const VALID_REASONS = new Set<UploadFailureReason>([
 	"scan_unavailable",
 	"unauthorized",
 	"server_error",
+	"aborted",
 ]);
 
 function parseReason(status: number, raw: unknown): UploadFailureReason {
@@ -92,6 +94,7 @@ function parseReason(status: number, raw: unknown): UploadFailureReason {
 	// Fall back to a reason inferred from the HTTP status for early-exit paths
 	// where the server returns 400/401 without a structured `reason` field.
 	if (status === 401) return "unauthorized";
+	if (status === 499) return "aborted";
 	if (status === 400) return "wrong_type";
 	return "server_error";
 }

packages/app/src/modules/shared/useFileUploadForm.ts

@@ -130,5 +130,7 @@ function formatUploadError(
 			return serverError;
 		case "server_error":
 			return "Erreur lors de l'upload du fichier. Merci de réessayer.";
+		case "aborted":
+			return "L'upload a été interrompu. Merci de réessayer.";
 	}
 }