# Import Hardening

**Date:** 2026-03-30
**Purpose:** Define the safe parser boundary for untrusted spreadsheet imports.

## Decision

- Untrusted workbook imports no longer accept legacy `.xls`.
- Server-side dispo imports accept only `.xlsx` files.
- Browser-side ad hoc imports accept `.xlsx` and `.csv`.
- Trusted export generation may still use `xlsx` until the export paths are migrated separately.

## Server Boundary

The dispo-import reader in [read-workbook.ts](/home/hartmut/Documents/Copilot/capakraken/packages/application/src/use-cases/dispo-import/read-workbook.ts) now enforces:

- normalized filesystem paths before reading
- regular-file checks
- non-empty file checks
- a hard size limit of `15 MiB`
- `.xlsx`-only parsing behind a hardened server-side parser boundary

The API entry points in [dispo.ts](/home/hartmut/Documents/Copilot/capakraken/packages/api/src/router/dispo.ts) reject non-`.xlsx` workbook paths before staging or validation begins.

## Browser Boundary

The browser import helpers in [excel.ts](/home/hartmut/Documents/Copilot/capakraken/apps/web/src/lib/excel.ts) and [skillMatrixParser.ts](/home/hartmut/Documents/Copilot/capakraken/apps/web/src/lib/skillMatrixParser.ts) now enforce:

- a hard client-side file size limit of `10 MiB`
- explicit rejection of legacy `.xls`
- `.xlsx` parsing through `exceljs`
- `.csv` parsing through a local parser for simple tabular imports

Affected upload flows:

- resource CSV/XLSX import
- estimate scope spreadsheet import
- single skill-matrix import
- batch skill-matrix import

## Rationale

- `.xls` support keeps the old binary workbook format in the untrusted path without enough payoff.
- the server path keeps compatibility-first `.xlsx` parsing for the current dispo workbooks, but only behind explicit file validation and limits
- the browser path moves away from blanket `xlsx` import usage to a narrower parser boundary
- CSV remains useful for lightweight business imports and is small enough to parse with a narrow local parser.