Add file attachments to comments

[ItsMalikJones]

Closes #32

Summary

Adds optional file attachments to comments. Users can attach one or more files when writing a comment; images render as thumbnails and other file types render as downloadable chips beneath the comment body. The feature is opt-in and disabled by default, so existing installations are unaffected until they explicitly enable it and publish the new migration.

What's included

• New comment_attachments table with a publishable migration (create_commentions_attachments_table), wired into the package's migration tag and the test suite.
• CommentAttachment model — belongsTo a comment, resolves its table via Config, exposes getUrl() and isImage(), and deletes its underlying file from the configured disk when the record is deleted.
• StoreCommentAttachments action — persists uploaded files to the configured disk/directory and creates the attachment records, following the existing Action::run() convention. Logs a warning instead of silently dropping a file if a write fails.
• Per-component toggle via a HasAttachments Filament concern: enableAttachments() / disableAttachments() (accepts a bool or closure) on CommentsEntry, CommentsAction, and CommentsTableAction, falling back to the global config value.
• Livewire integration in the Comments component using WithFileUploads: pending-file list with per-file removal, upload progress indicator, and validation errors. The attach control is gated on the editor's wasFocused state so it appears alongside the existing Comment/Cancel buttons rather than always being visible.
• Cleanup: deleting a comment removes its attachment records and their files.
• Localization: attach_files and uploading strings added across all bundled locales (ar, en, es, fr, nl, ro).
• Eager loading: attachments added to the comment query to avoid N+1s in the list.

Configuration

A new attachments config block controls the feature:

'attachments' => [
    'enabled' => env('COMMENTIONS_ATTACHMENTS_ENABLED', false),
    'disk' => env('COMMENTIONS_ATTACHMENTS_DISK', 'public'),
    'directory' => env('COMMENTIONS_ATTACHMENTS_DIRECTORY', 'commentions-attachments'),
    'max_size' => (int) env('COMMENTIONS_ATTACHMENTS_MAX_SIZE', 10240), // KB, per file
    'max_files' => (int) env('COMMENTIONS_ATTACHMENTS_MAX_FILES', 5),
    'accepted_mime_types' => [/* safe image/document allowlist */],
],

The README documents enabling globally vs. per-component, all options, and the deletion behavior.

Security considerations

• accepted_mime_types ships with a safe allowlist (common images + documents) rather than allowing any type, and is validated against each file's actual contents (mimetypes rule). The README includes a warning that emptying the allowlist permits browser-executable types (e.g. image/svg+xml, text/html) to be served from a public disk.
• Upload validation (size, count, MIME) runs before the comment is created, so a rejected upload never produces an orphaned comment.
• The attachmentsEnabled Livewire property is marked #[Locked], so a client cannot flip a closure-based gate by tampering with the request payload.
• Stored filenames use Laravel's hashed storage paths; the original client filename is only used as display text (escaped in Blade).

Testing

Adds tests/Livewire/CommentAttachmentTest.php covering: attaching a file, the control's visibility (disabled, enabled, and focus-gated), file + record cleanup on comment deletion, oversized-file rejection, disallowed-MIME rejection, pending-file removal, the per-component toggle, and image detection. Run with ./vendor/bin/pest.