Files come in two flavours, and conflating them is how apps leak private data or re-upload the same logo a hundred times. onvibe keeps them cleanly apart.
Public assets, shared by content
Build-time files you provide — a logo, a stylesheet, an icon — go in with upload_asset. They're content-addressed: immutable, served from a CDN, and shared by their content hash. That's why a fork of your app keeps working without re-uploading anything: identical bytes resolve to the same URL.
Private uploads, behind signed URLs
Files your users upload at runtime — a receipt photo, an avatar — are different. Store them with uploadFile and hand them back with getDownloadUrl, which mints a short-lived signed URL; the physical keys stay opaque so nobody can guess their way to someone else's file. It's the Active-Storage model — logical names mapped to neutral keys — with a per-app maximum file size you set.
Two models, each right for its job, neither leaking into the other.