From 5a41dcbc68f47959babcda2a870b1769eadc25da Mon Sep 17 00:00:00 2001
From: Laurent Dinclaux <laurent@gecka.nc>
Date: Thu, 5 Feb 2026 04:06:07 +1100
Subject: [PATCH] feat: add Nextcloud bridge for file and calendar integration

Add optional bridge feature that enables RoundCube (via NextBridge plugin)
to integrate with Nextcloud services:

- Pick files from Nextcloud to attach to emails
- Save email attachments to Nextcloud
- Create and insert public share links
- Add calendar invitations (.ics) to Nextcloud Calendar

The bridge uses postMessage API for secure iframe communication.
A new admin setting allows enabling/disabling this feature.

The CalendarController handles orphaned UIDs from soft-deleted events,
fixing the 412 Precondition Failed error when re-adding deleted events.
---
 README.md                               |  34 +
 appinfo/routes.php                      |   6 +
 lib/Controller/CalendarController.php   | 328 +++++++++
 lib/Controller/PageController.php       |   1 +
 lib/Controller/SettingsController.php   |   3 +
 lib/Service/Config.php                  |   3 +
 package.json                            |   3 +-
 src/AdminSettings.vue                   |  15 +
 src/RoundCubeWrapper.vue                | 224 ++++++
 src/RoundCubeWrapperRouteReactivity.vue |   2 +
 src/app.ts                              |   3 +
 src/composables/useIframeBridge.ts      | 924 ++++++++++++++++++++++++
 src/types/initial-state.d.ts            |   1 +
 13 files changed, 1546 insertions(+), 1 deletion(-)
 create mode 100644 lib/Controller/CalendarController.php
 create mode 100644 src/composables/useIframeBridge.ts

diff --git a/README.md b/README.md
index 51bc2f7a..46b02195 100644
--- a/README.md
+++ b/README.md
@@ -30,6 +30,7 @@
       - [Enable SSL Verification](#enable-ssl-verification)
       - [Per-User Encryption of Config-Values](#per-user-encryption-of-config-values)
       - [CardDAV Integration](#carddav-integration)
+      - [RoundCube Bridge](#roundcube-bridge)
   - [Personal Settings](#personal-settings)
     - [Email Login Name](#email-login-name)
     - [Email Password](#email-password)
@@ -348,6 +349,39 @@ RoundCube CardDAV plugin -- which may work or not. In order to have
 auto-configuration working it is vital to **not** include "username" and
 "password" into the "fixed" array.
 
+##### RoundCube Bridge
+
+This app provides a communication bridge for compatible RoundCube plugins, allowing seamless integration with Nextcloud services (files, calendar) from within the email interface.
+
+**How it works:**
+
+When enabled in admin settings, the app establishes a communication bridge between RoundCube (running in an iframe) and Nextcloud using the postMessage API. This allows compatible plugins to use Nextcloud's native file picker, calendar, and other services. All operations are executed by Nextcloud itself - RoundCube only sends requests via postMessage.
+
+**Example Implementation: NextBridge Plugin**
+
+The [NextBridge Roundcube plugin](https://github.com/Gecka-Apps/NextBridge) is the first plugin to use this bridge. It allows users to:
+- Attach files from Nextcloud storage to emails
+- Save email attachments directly to Nextcloud files
+- Insert public share links into email body
+- Add calendar invitations (.ics) to Nextcloud Calendar
+
+**Setup:**
+
+1. Enable "RoundCube bridge" in Nextcloud admin settings (disabled by default)
+
+2. Install the NextBridge plugin in your Roundcube installation:
+   ```bash
+   cd /path/to/roundcube/plugins/
+   git clone https://github.com/Gecka-Apps/NextBridge.git nextbridge
+   ```
+
+3. Enable the plugin in Roundcube's `config/config.inc.php`:
+   ```php
+   $config['plugins'] = array('nextbridge', /* other plugins */);
+   ```
+
+4. **That's it!** When users access Roundcube through Nextcloud, the bridge is automatically available.
+
 ### Personal Settings
 
 Please have also a look at the
diff --git a/appinfo/routes.php b/appinfo/routes.php
index b279f7a9..1dd525f7 100644
--- a/appinfo/routes.php
+++ b/appinfo/routes.php
@@ -66,5 +66,11 @@
       'verb' => 'GET',
       'postfix' => '.all',
     ],
+    // Calendar API
+    [
+      'name' => 'calendar#add_event',
+      'url' => '/api/calendar/event',
+      'verb' => 'POST',
+    ],
   ]
 ];
diff --git a/lib/Controller/CalendarController.php b/lib/Controller/CalendarController.php
new file mode 100644
index 00000000..678325ec
--- /dev/null
+++ b/lib/Controller/CalendarController.php
@@ -0,0 +1,328 @@
+<?php
+/**
+ * Calendar Controller for RoundCube App.
+ *
+ * Handles calendar event operations with proper handling of
+ * Nextcloud's soft-deleted events (orphaned UIDs).
+ *
+ * @author Laurent Dinclaux <laurent@gecka.nc>
+ * @copyright 2026 Gecka
+ * @license AGPL-3.0-or-later
+ */
+
+declare(strict_types=1);
+
+namespace OCA\RoundCube\Controller;
+
+use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\JSONResponse;
+use OCP\IRequest;
+use OCP\IUserSession;
+use OCP\IDBConnection;
+use Psr\Log\LoggerInterface;
+
+/**
+ * Controller for calendar event operations.
+ */
+class CalendarController extends Controller
+{
+  private IUserSession $userSession;
+  private IDBConnection $db;
+  private LoggerInterface $logger;
+
+  /**
+   * Constructor.
+   *
+   * @param string $appName
+   * @param IRequest $request
+   * @param IUserSession $userSession
+   * @param IDBConnection $db
+   * @param LoggerInterface $logger
+   */
+  public function __construct(
+    string $appName,
+    IRequest $request,
+    IUserSession $userSession,
+    IDBConnection $db,
+    LoggerInterface $logger
+  ) {
+    parent::__construct($appName, $request);
+    $this->userSession = $userSession;
+    $this->db = $db;
+    $this->logger = $logger;
+  }
+
+  /**
+   * Add an event to a calendar.
+   * Handles orphaned UIDs from soft-deleted events by purging them first.
+   *
+   * @param string $calendarUri The calendar URI.
+   * @param string $icsContent The ICS content.
+   *
+   * @return JSONResponse
+   *
+   * @NoAdminRequired
+   */
+  public function addEvent(string $calendarUri, string $icsContent): JSONResponse
+  {
+    $user = $this->userSession->getUser();
+    if ($user === null) {
+      return new JSONResponse(['error' => 'Not authenticated'], Http::STATUS_UNAUTHORIZED);
+    }
+
+    $userId = $user->getUID();
+
+    // Extract calendar name from URI if it's a full path
+    // e.g., /remote.php/dav/calendars/user/personal/ -> personal
+    $calendarName = $this->extractCalendarName($calendarUri);
+    if ($calendarName === null) {
+      return new JSONResponse(['error' => 'Invalid calendar URI'], Http::STATUS_BAD_REQUEST);
+    }
+
+    // Get calendar ID from name
+    $calendarId = $this->getCalendarIdByName($userId, $calendarName);
+    if ($calendarId === null) {
+      return new JSONResponse(['error' => 'Calendar not found'], Http::STATUS_NOT_FOUND);
+    }
+
+    // Clean ICS: remove METHOD line (REQUEST/REPLY/CANCEL are for iMIP, not CalDAV)
+    $cleanedIcs = preg_replace('/^METHOD:[^\r\n]*\r?\n/im', '', $icsContent);
+
+    // Extract UID from ICS
+    $uid = $this->extractUidFromIcs($cleanedIcs);
+    if ($uid === null) {
+      // Generate a new UID if not present
+      $uid = $this->generateUid();
+      // Insert UID into ICS after BEGIN:VEVENT
+      $cleanedIcs = preg_replace(
+        '/(BEGIN:VEVENT\r?\n)/i',
+        '$1UID:' . $uid . "\r\n",
+        $cleanedIcs,
+        1
+      );
+    }
+
+    // Check if event already exists (visible, not soft-deleted)
+    $existingEvent = $this->getExistingEvent($calendarId, $uid);
+    $updated = $existingEvent !== null;
+
+    // Check for orphaned UID (soft-deleted event)
+    $orphanedEvent = $this->getOrphanedEvent($calendarId, $uid);
+    if ($orphanedEvent !== null) {
+      $this->logger->debug('Purging orphaned calendar event', [
+        'calendarId' => $calendarId,
+        'uid' => $uid,
+        'objectId' => $orphanedEvent['id'],
+      ]);
+      $this->purgeOrphanedEvent((int)$orphanedEvent['id']);
+      $updated = true; // Treat as update since we're replacing a deleted event
+    }
+
+    // Now add/update the event via CalDAV backend
+    try {
+      $this->saveEventToCalendar($calendarId, $uid, $cleanedIcs, $existingEvent !== null);
+    } catch (\Exception $e) {
+      $this->logger->error('Failed to save calendar event', [
+        'calendarId' => $calendarId,
+        'uid' => $uid,
+        'error' => $e->getMessage(),
+      ]);
+      return new JSONResponse([
+        'error' => 'Failed to save event: ' . $e->getMessage(),
+      ], Http::STATUS_INTERNAL_SERVER_ERROR);
+    }
+
+    return new JSONResponse([
+      'success' => true,
+      'updated' => $updated,
+      'uid' => $uid,
+    ]);
+  }
+
+  /**
+   * Extract calendar name from URI.
+   *
+   * @param string $uri The calendar URI.
+   *
+   * @return string|null
+   */
+  private function extractCalendarName(string $uri): ?string
+  {
+    // Remove trailing slash
+    $uri = rtrim($uri, '/');
+
+    // If it's a full path, extract the last segment
+    if (preg_match('#/calendars/[^/]+/([^/]+)$#', $uri, $matches)) {
+      return $matches[1];
+    }
+
+    // If it's just the calendar name
+    if (!str_contains($uri, '/')) {
+      return $uri;
+    }
+
+    return null;
+  }
+
+  /**
+   * Get calendar ID by name for a user.
+   *
+   * @param string $userId The user ID.
+   * @param string $calendarName The calendar name.
+   *
+   * @return int|null
+   */
+  private function getCalendarIdByName(string $userId, string $calendarName): ?int
+  {
+    $qb = $this->db->getQueryBuilder();
+    $qb->select('id')
+      ->from('calendars')
+      ->where($qb->expr()->eq('uri', $qb->createNamedParameter($calendarName)))
+      ->andWhere($qb->expr()->eq('principaluri', $qb->createNamedParameter('principals/users/' . $userId)));
+
+    $result = $qb->executeQuery();
+    $row = $result->fetch();
+    $result->closeCursor();
+
+    return $row !== false ? (int)$row['id'] : null;
+  }
+
+  /**
+   * Extract UID from ICS content.
+   *
+   * @param string $ics The ICS content.
+   *
+   * @return string|null
+   */
+  private function extractUidFromIcs(string $ics): ?string
+  {
+    if (preg_match('/^UID:([^\r\n]+)/im', $ics, $matches)) {
+      return trim($matches[1]);
+    }
+    return null;
+  }
+
+  /**
+   * Generate a new UID.
+   *
+   * @return string
+   */
+  private function generateUid(): string
+  {
+    return sprintf(
+      '%04x%04x-%04x-%04x-%04x-%04x%04x%04x',
+      mt_rand(0, 0xffff),
+      mt_rand(0, 0xffff),
+      mt_rand(0, 0xffff),
+      mt_rand(0, 0x0fff) | 0x4000,
+      mt_rand(0, 0x3fff) | 0x8000,
+      mt_rand(0, 0xffff),
+      mt_rand(0, 0xffff),
+      mt_rand(0, 0xffff)
+    );
+  }
+
+  /**
+   * Get existing event (not soft-deleted).
+   *
+   * @param int $calendarId The calendar ID.
+   * @param string $uid The event UID.
+   *
+   * @return array|null
+   */
+  private function getExistingEvent(int $calendarId, string $uid): ?array
+  {
+    $qb = $this->db->getQueryBuilder();
+    $qb->select('id', 'uri', 'etag')
+      ->from('calendarobjects')
+      ->where($qb->expr()->eq('calendarid', $qb->createNamedParameter($calendarId)))
+      ->andWhere($qb->expr()->eq('calendartype', $qb->createNamedParameter(0))) // 0 = regular calendar
+      ->andWhere($qb->expr()->eq('uid', $qb->createNamedParameter($uid)))
+      ->andWhere($qb->expr()->isNull('deleted_at'));
+
+    $result = $qb->executeQuery();
+    $row = $result->fetch();
+    $result->closeCursor();
+
+    return $row !== false ? $row : null;
+  }
+
+  /**
+   * Get orphaned event (soft-deleted, still has UID constraint).
+   *
+   * @param int $calendarId The calendar ID.
+   * @param string $uid The event UID.
+   *
+   * @return array|null
+   */
+  private function getOrphanedEvent(int $calendarId, string $uid): ?array
+  {
+    $qb = $this->db->getQueryBuilder();
+    $qb->select('id', 'uri')
+      ->from('calendarobjects')
+      ->where($qb->expr()->eq('calendarid', $qb->createNamedParameter($calendarId)))
+      ->andWhere($qb->expr()->eq('calendartype', $qb->createNamedParameter(0)))
+      ->andWhere($qb->expr()->eq('uid', $qb->createNamedParameter($uid)))
+      ->andWhere($qb->expr()->isNotNull('deleted_at'));
+
+    $result = $qb->executeQuery();
+    $row = $result->fetch();
+    $result->closeCursor();
+
+    return $row !== false ? $row : null;
+  }
+
+  /**
+   * Purge an orphaned (soft-deleted) event from the database.
+   *
+   * @param int $objectId The calendar object ID.
+   *
+   * @return void
+   */
+  private function purgeOrphanedEvent(int $objectId): void
+  {
+    // Delete from calendarobjects
+    $qb = $this->db->getQueryBuilder();
+    $qb->delete('calendarobjects')
+      ->where($qb->expr()->eq('id', $qb->createNamedParameter($objectId)));
+    $qb->executeStatement();
+
+    // Also delete from calendarobjects_props if exists
+    $qb = $this->db->getQueryBuilder();
+    $qb->delete('calendarobjects_props')
+      ->where($qb->expr()->eq('objectid', $qb->createNamedParameter($objectId)));
+    $qb->executeStatement();
+  }
+
+  /**
+   * Save event to calendar using CalDAV backend.
+   *
+   * @param int $calendarId The calendar ID.
+   * @param string $uid The event UID.
+   * @param string $icsContent The ICS content.
+   * @param bool $isUpdate Whether this is an update operation.
+   *
+   * @return void
+   */
+  private function saveEventToCalendar(int $calendarId, string $uid, string $icsContent, bool $isUpdate): void
+  {
+    /** @var \OCA\DAV\CalDAV\CalDavBackend $caldavBackend */
+    $caldavBackend = \OC::$server->get(\OCA\DAV\CalDAV\CalDavBackend::class);
+
+    $uri = $uid . '.ics';
+
+    if ($isUpdate) {
+      // Get current etag for update
+      $existingEvent = $this->getExistingEvent($calendarId, $uid);
+      if ($existingEvent !== null) {
+        $caldavBackend->updateCalendarObject($calendarId, $existingEvent['uri'], $icsContent);
+      } else {
+        // Shouldn't happen, but create if missing
+        $caldavBackend->createCalendarObject($calendarId, $uri, $icsContent);
+      }
+    } else {
+      $caldavBackend->createCalendarObject($calendarId, $uri, $icsContent);
+    }
+  }
+}
diff --git a/lib/Controller/PageController.php b/lib/Controller/PageController.php
index 7d9e54bb..a9b0c191 100644
--- a/lib/Controller/PageController.php
+++ b/lib/Controller/PageController.php
@@ -106,6 +106,7 @@ public function index()
       'emailUserId' => $credentials['userId'] ?? null,
       Config::EXTERNAL_LOCATION => $roundCubeUrl,
       Config::SHOW_TOP_LINE => $this->config->getAppValue(Config::SHOW_TOP_LINE),
+      Config::ENABLE_BRIDGE => $this->config->getAppValue(Config::ENABLE_BRIDGE),
     ]);
 
     Util::addScript($this->appName, $this->assetService->getJSAsset(self::MAIN_ASSET)['asset']);
diff --git a/lib/Controller/SettingsController.php b/lib/Controller/SettingsController.php
index ec1570cc..28cd89c9 100644
--- a/lib/Controller/SettingsController.php
+++ b/lib/Controller/SettingsController.php
@@ -62,6 +62,7 @@ class SettingsController extends Controller
     Config::ENABLE_SSL_VERIFY => [ 'rw' => true, 'default' => Config::ENABLE_SSL_VERIFY_DEFAULT, ],
     Config::PERSONAL_ENCRYPTION => [ 'rw' => true, 'default' => Config::PERSONAL_ENCRYPTION_DEFAULT, ],
     Config::CARDDAV_PROVISIONG_TAG => [ 'rw' => true, 'default' => Config::CARDDAV_PROVISIONG_TAG_DEFAULT, ],
+    Config::ENABLE_BRIDGE => [ 'rw' => true, 'default' => Config::ENABLE_BRIDGE_DEFAULT, ],
   ];
 
   public const EMAIL_ADDRESS = 'emailAddress';
@@ -162,6 +163,7 @@ public function setAdmin(string $setting, mixed $value, bool $force = false):Dat
       case Config::SHOW_TOP_LINE:
       case Config::ENABLE_SSL_VERIFY:
       case Config::PERSONAL_ENCRYPTION:
+      case Config::ENABLE_BRIDGE:
         $newValue = filter_var($value, FILTER_VALIDATE_BOOLEAN, ['flags' => FILTER_NULL_ON_FAILURE]);
         if ($newValue === null) {
           return self::grumble($this->l->t(
@@ -249,6 +251,7 @@ public function getAdmin(?string $setting = null):DataResponse
         case Config::SHOW_TOP_LINE:
         case Config::ENABLE_SSL_VERIFY:
         case Config::PERSONAL_ENCRYPTION:
+        case Config::ENABLE_BRIDGE:
           if ($humanValue !== null) {
             $humanValue = $humanValue ? $this->l->t('true') : $this->l->t('false');
           }
diff --git a/lib/Service/Config.php b/lib/Service/Config.php
index 115dea5a..6b161d84 100644
--- a/lib/Service/Config.php
+++ b/lib/Service/Config.php
@@ -70,6 +70,8 @@ class Config
   public const PERSONAL_ENCRYPTION_DEFAULT = false;
   public const CARDDAV_PROVISIONG_TAG = 'cardDavProvisioningTag';
   public const CARDDAV_PROVISIONG_TAG_DEFAULT = '';
+  public const ENABLE_BRIDGE = 'enableBridge';
+  public const ENABLE_BRIDGE_DEFAULT = false;
 
   const SETTINGS = [
     self::EXTERNAL_LOCATION => self::EXTERNAL_LOCATION_DEFAULT,
@@ -80,6 +82,7 @@ class Config
     self::ENABLE_SSL_VERIFY => self::ENABLE_SSL_VERIFY_DEFAULT,
     self::PERSONAL_ENCRYPTION => self::PERSONAL_ENCRYPTION_DEFAULT,
     self::CARDDAV_PROVISIONG_TAG => self::CARDDAV_PROVISIONG_TAG_DEFAULT,
+    self::ENABLE_BRIDGE => self::ENABLE_BRIDGE_DEFAULT,
   ];
 
   /** @var \OCP\IUser */
diff --git a/package.json b/package.json
index 17ab9d07..62b4fa0e 100644
--- a/package.json
+++ b/package.json
@@ -32,7 +32,8 @@
     "@nextcloud/auth": "^2.1.0",
     "@nextcloud/axios": "^2.4.0",
     "@nextcloud/browserslist-config": "^3.0.0",
-    "@nextcloud/dialogs": "^6.0.0",
+    "@nextcloud/dialogs": "^6.4.2",
+    "@nextcloud/files": "^3.12.2",
     "@nextcloud/eslint-config": "^v8.3.0-beta.2",
     "@nextcloud/initial-state": "^2.0.0",
     "@nextcloud/l10n": "^3.2.0",
diff --git a/src/AdminSettings.vue b/src/AdminSettings.vue
index c8e36e09..5508e1f6 100644
--- a/src/AdminSettings.vue
+++ b/src/AdminSettings.vue
@@ -184,6 +184,20 @@
       >
         {{ t(appName, 'Per-user encryption of config values.') }}
       </label>
+      <input id="enable-bridge"
+             v-model="settings.enableBridge"
+             class="checkbox"
+             type="checkbox"
+             name="enableBridge"
+             value="1"
+             :disabled="loading"
+             @change="saveSetting('enableBridge')"
+      >
+      <label for="enable-bridge"
+             :title="t(appName, 'When enabled, allows RoundCube to integrate with Nextcloud for file operations (attach/save) and calendar (add events).')"
+      >
+        {{ t(appName, 'Enable RoundCube bridge.') }}
+      </label>
       <TextField :value.sync="settings.cardDavProvisioningTag"
                  :label="t(appName, 'RoundCube CardDAV Tag')"
                  :helper-text="t(appName, 'Tag of a preconfigured CardDAV account pointing to the cloud addressbook. See the documentation of the RCMCardDAV plugin.')"
@@ -268,6 +282,7 @@ const settings = reactive({
   enableSSLVerify: true,
   personalEncryption: false,
   cardDavProvisioningTag: '',
+  enableBridge: false,
 })
 
 const addressBookUrl = computed(() => generateRemoteUrl('dav') + '/addressbooks/users/%l')
diff --git a/src/RoundCubeWrapper.vue b/src/RoundCubeWrapper.vue
index 7a83e93f..63dca7f3 100644
--- a/src/RoundCubeWrapper.vue
+++ b/src/RoundCubeWrapper.vue
@@ -33,6 +33,31 @@
               @load="loadHandler"
       />
     </div>
+    <!-- File picker for attaching files from Nextcloud -->
+    <FilePicker
+      v-if="isFilePickerOpen"
+      :name="t(appName, 'Choose a file to add as attachment')"
+      :buttons="filePickerButtons"
+      @close="onFilePickerClose"
+    />
+    <!-- Folder picker for saving attachments to Nextcloud -->
+    <FilePicker
+      v-if="isFileSaverOpen"
+      :name="t(appName, 'Choose a folder to store the attachment in')"
+      :buttons="fileSaverButtons"
+      :allow-pick-directory="true"
+      :multiselect="false"
+      :mimetype-filter="['httpd/unix-directory']"
+      @close="onFileSaverClose"
+    />
+    <!-- File picker for creating share links -->
+    <FilePicker
+      v-if="isShareLinkPickerOpen"
+      :name="t(appName, 'Choose a file to share as a link')"
+      :buttons="shareLinkPickerButtons"
+      :multiselect="false"
+      @close="onShareLinkPickerClose"
+    />
   </div>
 </template>
 <script setup lang="ts">
@@ -49,6 +74,8 @@ import {
 } from 'vue'
 import logger from './logger.ts'
 import type { Route } from 'vue-router'
+import { useIframeBridge } from './composables/useIframeBridge.ts'
+import { FilePickerVue as FilePicker } from '@nextcloud/dialogs/filepicker.js'
 
 const wrappedApp = 'RoundCube'
 
@@ -57,9 +84,11 @@ const props = withDefaults(defineProps<{
   fullScreen?: boolean,
   hideTopLine?: boolean,
   query?: Route['query'],
+  enableBridge?: boolean,
 }>(), {
   fullScreen: true,
   hideTopLine: true,
+  enableBridge: false,
   query: () => ({
     _task: 'mail',
   }),
@@ -116,6 +145,49 @@ const frameWrapper = ref<null|HTMLDivElement>(null)
 const externalFrame = ref<null|HTMLIFrameElement>(null)
 let iFrameBody: undefined | HTMLBodyElement
 
+// Enable file bridge for Nextcloud file picker integration (if enabled by admin)
+const {
+  isFilePickerOpen,
+  isFileSaverOpen,
+  isShareLinkPickerOpen,
+  onFilesPicked,
+  onFilePickerClose,
+  onFolderSelected,
+  onFileSaverClose,
+  onShareLinkFilePicked,
+  onShareLinkPickerClose,
+} = useIframeBridge(
+  externalFrame,
+  { enabled: props.enableBridge }
+)
+
+// File picker buttons configuration
+const filePickerButtons = [
+  {
+    label: t(appName, 'Choose'),
+    callback: onFilesPicked,
+    type: 'primary',
+  },
+]
+
+// Folder picker buttons configuration for saving files
+const fileSaverButtons = [
+  {
+    label: t(appName, 'Choose'),
+    callback: onFolderSelected,
+    type: 'primary',
+  },
+]
+
+// Share link file picker buttons configuration
+const shareLinkPickerButtons = [
+  {
+    label: t(appName, 'Share'),
+    callback: onShareLinkFilePicked,
+    type: 'primary',
+  },
+]
+
 const contentObserver = new MutationObserver((entries) => {
   logger.info('MUTATION OBSERVED', { entries })
   const iFrame = externalFrame.value!
@@ -176,12 +248,164 @@ Please check that your Nextcloud instance ({nextcloudUrl}) and the wrapped {wrap
   })
 }
 
+/**
+ * Inject the Nextcloud bridge client into the iframe.
+ * This enables file/calendar integration via postMessage.
+ */
+const injectBridgeClient = (iFrameWindow: Window, iFrameDocument: Document) => {
+  // Check if already injected
+  if ((iFrameWindow as { NextcloudBridge?: unknown }).NextcloudBridge) {
+    return
+  }
+
+  try {
+    const script = iFrameDocument.createElement('script')
+    script.textContent = `
+      (function() {
+        if (window.NextcloudBridge) return;
+
+        var pendingRequests = {};
+
+        window.NextcloudBridge = {
+          generateRequestId: function() {
+            return 'req_' + Date.now() + '_' + Math.random().toString(36).substr(2, 9);
+          },
+
+          handleMessage: function(event) {
+            var data = event.data;
+            if (!data || !data.requestId || !data.action) return;
+            var pending = pendingRequests[data.requestId];
+            if (!pending) return;
+            delete pendingRequests[data.requestId];
+            if (data.success) {
+              pending.resolve(data);
+            } else {
+              pending.reject(new Error(data.error || 'Unknown error'));
+            }
+          },
+
+          sendAndWait: function(message, timeoutMs) {
+            var self = this;
+            timeoutMs = timeoutMs || 300000;
+            return new Promise(function(resolve, reject) {
+              var requestId = self.generateRequestId();
+              message.requestId = requestId;
+              pendingRequests[requestId] = { resolve: resolve, reject: reject };
+              setTimeout(function() {
+                if (pendingRequests[requestId]) {
+                  delete pendingRequests[requestId];
+                  reject(new Error('Request timeout'));
+                }
+              }, timeoutMs);
+              window.parent.postMessage(message, '*');
+            });
+          },
+
+          pickFiles: function(options) {
+            options = options || {};
+            return this.sendAndWait({
+              action: 'pickFile',
+              multiple: options.multiple !== false,
+              mimeTypes: options.mimeTypes
+            }).then(function(response) {
+              return response.files || [];
+            });
+          },
+
+          saveFile: function(filename, content, mimeType) {
+            return this.sendAndWait({
+              action: 'saveFile',
+              filename: filename,
+              content: content,
+              mimeType: mimeType
+            }).then(function(response) {
+              return response.path || '';
+            });
+          },
+
+          saveFiles: function(files) {
+            return this.sendAndWait({
+              action: 'saveFiles',
+              files: files
+            }).then(function(response) {
+              return response.path || '';
+            });
+          },
+
+          createShareLink: function() {
+            return this.sendAndWait({
+              action: 'createShareLink'
+            }).then(function(response) {
+              return {
+                url: response.url || '',
+                filename: response.filename || ''
+              };
+            });
+          },
+
+          getCalendars: function() {
+            return this.sendAndWait({
+              action: 'getCalendars'
+            }).then(function(response) {
+              return response.calendars || [];
+            });
+          },
+
+          addToCalendar: function(calendarUrl, icsContent) {
+            return this.sendAndWait({
+              action: 'addToCalendar',
+              calendarUrl: calendarUrl,
+              icsContent: icsContent
+            });
+          },
+
+          blobToBase64: function(blob) {
+            return new Promise(function(resolve, reject) {
+              var reader = new FileReader();
+              reader.onload = function() {
+                var result = reader.result;
+                var base64 = result.split(',')[1] || result;
+                resolve(base64);
+              };
+              reader.onerror = reject;
+              reader.readAsDataURL(blob);
+            });
+          },
+
+          base64ToBlob: function(base64, mimeType) {
+            mimeType = mimeType || 'application/octet-stream';
+            var binary = atob(base64);
+            var bytes = new Uint8Array(binary.length);
+            for (var i = 0; i < binary.length; i++) {
+              bytes[i] = binary.charCodeAt(i);
+            }
+            return new Blob([bytes], { type: mimeType });
+          }
+        };
+
+        window.addEventListener('message', function(e) {
+          window.NextcloudBridge.handleMessage(e);
+        });
+      })();
+    `
+    iFrameDocument.head.appendChild(script)
+  } catch (error) {
+    logger.error('Failed to inject file bridge client', { error })
+  }
+}
+
 const emitLoaded = (iFrame: HTMLIFrameElement) => {
   const iFrameWindow = iFrame.contentWindow!
   const iFrameDocument = iFrame.contentDocument!
   currentLocation.value = iFrameWindow.location.href
   const search = iFrameWindow.location.search
   const query = Object.fromEntries((new URLSearchParams(search)).entries())
+
+  // Inject bridge client for Nextcloud integration (if enabled)
+  if (props.enableBridge) {
+    injectBridgeClient(iFrameWindow, iFrameDocument)
+  }
+
   emit('iframe-loaded', {
     query,
     iFrame,
diff --git a/src/RoundCubeWrapperRouteReactivity.vue b/src/RoundCubeWrapperRouteReactivity.vue
index bf53d628..879fa5f4 100644
--- a/src/RoundCubeWrapperRouteReactivity.vue
+++ b/src/RoundCubeWrapperRouteReactivity.vue
@@ -20,6 +20,7 @@
   <RoundCubeWrapper v-bind="$attrs"
                     :external-location="externalLocation"
                     :query="routeQuery"
+                    :enable-bridge="enableBridge"
                     v-on="$listeners"
   />
 </template>
@@ -44,6 +45,7 @@ const routeQuery = ref<Route['query']>({})
 
 const initialState = getInitialState<InitialState>()
 const externalLocation = ref<string>(initialState?.externalLocation || '')
+const enableBridge = ref<boolean>(initialState?.enableBridge ?? false)
 
 const onRouteChange = (to: Route) => {
   routeQuery.value = to.query
diff --git a/src/app.ts b/src/app.ts
index 901d73f1..35357479 100644
--- a/src/app.ts
+++ b/src/app.ts
@@ -28,6 +28,9 @@ import router from './router/router.ts';
 import Vue from 'vue';
 import App from './App.vue';
 
+// Import dialogs styles for FilePicker component
+import '@nextcloud/dialogs/style.css';
+
 // CSP config for webpack dynamic chunk loading
 // eslint-disable-next-line
 __webpack_nonce__ = btoa(getRequestToken() || '')
diff --git a/src/composables/useIframeBridge.ts b/src/composables/useIframeBridge.ts
new file mode 100644
index 00000000..e5c580f2
--- /dev/null
+++ b/src/composables/useIframeBridge.ts
@@ -0,0 +1,924 @@
+/**
+ * Composable for bridging operations between Nextcloud and an embedded RoundCube iframe.
+ *
+ * Handles communication via postMessage to:
+ * - Pick files from Nextcloud and send them to the iframe
+ * - Save files from the iframe to Nextcloud
+ * - Manage calendars and add events via CalDAV
+ *
+ * @author Laurent Dinclaux <laurent@gecka.nc>
+ * @copyright 2025 Gecka
+ * @license AGPL-3.0-or-later
+ */
+
+import { ref, onMounted, onBeforeUnmount } from 'vue'
+import { generateRemoteUrl, generateOcsUrl, generateUrl } from '@nextcloud/router'
+import { getCurrentUser, getRequestToken } from '@nextcloud/auth'
+import axios from '@nextcloud/axios'
+import type { Node } from '@nextcloud/files'
+import logger from '../logger'
+
+// Message types for iframe communication
+export interface PickFileMessage {
+  action: 'pickFile'
+  requestId: string
+  multiple?: boolean
+  mimeTypes?: string[]
+}
+
+export interface SaveFileMessage {
+  action: 'saveFile'
+  requestId: string
+  filename: string
+  content: string // base64 encoded
+  mimeType?: string
+}
+
+export interface SaveFilesMessage {
+  action: 'saveFiles'
+  requestId: string
+  files: Array<{
+    filename: string
+    content: string // base64 encoded
+    mimeType?: string
+  }>
+}
+
+export interface CreateShareLinkMessage {
+  action: 'createShareLink'
+  requestId: string
+}
+
+export interface GetCalendarsMessage {
+  action: 'getCalendars'
+  requestId: string
+}
+
+export interface AddToCalendarMessage {
+  action: 'addToCalendar'
+  requestId: string
+  calendarUrl: string
+  icsContent: string
+}
+
+export interface FilePickedResponse {
+  action: 'filePicked'
+  requestId: string
+  success: boolean
+  files?: Array<{
+    name: string
+    path: string
+    mimeType: string
+    size: number
+    content: string // base64 encoded
+  }>
+  error?: string
+}
+
+export interface FileSavedResponse {
+  action: 'fileSaved'
+  requestId: string
+  success: boolean
+  path?: string
+  error?: string
+}
+
+export interface ShareLinkCreatedResponse {
+  action: 'shareLinkCreated'
+  requestId: string
+  success: boolean
+  url?: string
+  filename?: string
+  error?: string
+}
+
+export interface CalendarInfo {
+  url: string
+  displayname: string
+  color: string
+}
+
+export interface CalendarsResponse {
+  action: 'calendarsLoaded'
+  requestId: string
+  success: boolean
+  calendars?: CalendarInfo[]
+  error?: string
+}
+
+export interface EventAddedResponse {
+  action: 'eventAdded'
+  requestId: string
+  success: boolean
+  updated?: boolean // true if event was updated, false if created
+  error?: string
+}
+
+type IframeMessage = PickFileMessage | SaveFileMessage | SaveFilesMessage | CreateShareLinkMessage | GetCalendarsMessage | AddToCalendarMessage
+
+// Pending request state
+interface PendingPickRequest {
+  requestId: string
+  multiple: boolean
+  mimeTypes?: string[]
+}
+
+interface PendingSaveRequest {
+  requestId: string
+  filename: string
+  content: string
+  mimeType?: string
+}
+
+interface PendingSaveFilesRequest {
+  requestId: string
+  files: Array<{
+    filename: string
+    content: string
+    mimeType?: string
+  }>
+}
+
+interface PendingShareLinkRequest {
+  requestId: string
+}
+
+interface PendingGetCalendarsRequest {
+  requestId: string
+}
+
+interface PendingAddToCalendarRequest {
+  requestId: string
+  calendarUrl: string
+  icsContent: string
+}
+
+/**
+ * Composable to bridge file operations between Nextcloud and an iframe.
+ *
+ * @param iframeRef - Ref to the iframe element
+ * @param options - Options object
+ * @param options.allowedOrigin - Origin to accept messages from (optional, defaults to same origin)
+ * @param options.enabled - Whether the bridge is enabled (optional, defaults to true)
+ */
+export function useIframeBridge(
+  iframeRef: { value: HTMLIFrameElement | null },
+  options?: { allowedOrigin?: string; enabled?: boolean }
+) {
+  const isProcessing = ref(false)
+  const enabled = options?.enabled ?? true
+  const allowedOrigin = options?.allowedOrigin
+  const currentUser = getCurrentUser()
+
+  // File picker state (for Vue component control)
+  const isFilePickerOpen = ref(false)
+  const isFileSaverOpen = ref(false)
+  const isShareLinkPickerOpen = ref(false)
+  const pendingPickRequest = ref<PendingPickRequest | null>(null)
+  const pendingSaveRequest = ref<PendingSaveRequest | null>(null)
+  const pendingSaveFilesRequest = ref<PendingSaveFilesRequest | null>(null)
+  const pendingShareLinkRequest = ref<PendingShareLinkRequest | null>(null)
+
+  /**
+   * Get the WebDAV base URL for the current user.
+   */
+  const getWebDavUrl = (path: string = ''): string => {
+    if (!currentUser?.uid) {
+      throw new Error('No user logged in')
+    }
+    // generateRemoteUrl expects path without leading slash
+    const basePath = `dav/files/${currentUser.uid}`
+    const cleanPath = path.startsWith('/') ? path : `/${path}`
+    return generateRemoteUrl(basePath + cleanPath)
+  }
+
+  /**
+   * Download a file from Nextcloud via WebDAV.
+   */
+  const downloadFile = async (path: string): Promise<{ content: ArrayBuffer; mimeType: string }> => {
+    const url = getWebDavUrl(path)
+    logger.debug('Downloading file from WebDAV', { url, path })
+
+    const response = await fetch(url, {
+      method: 'GET',
+      credentials: 'include',
+    })
+
+    if (!response.ok) {
+      throw new Error(`Failed to download file: ${response.status} ${response.statusText}`)
+    }
+
+    const content = await response.arrayBuffer()
+    const mimeType = response.headers.get('Content-Type') || 'application/octet-stream'
+
+    return { content, mimeType }
+  }
+
+  /**
+   * Check if a file exists via WebDAV.
+   */
+  const fileExists = async (path: string): Promise<boolean> => {
+    const url = getWebDavUrl(path)
+    try {
+      const response = await fetch(url, {
+        method: 'HEAD',
+        credentials: 'include',
+      })
+      return response.ok
+    } catch {
+      return false
+    }
+  }
+
+  /**
+   * Find a unique filename by adding (2), (3), etc. if the file already exists.
+   * Mimics the behavior of Nextcloud Mail app.
+   */
+  const findUniqueFilename = async (folderPath: string, filename: string): Promise<string> => {
+    // Split filename into name and extension
+    const lastDot = filename.lastIndexOf('.')
+    const hasExtension = lastDot > 0
+    const baseName = hasExtension ? filename.substring(0, lastDot) : filename
+    const extension = hasExtension ? filename.substring(lastDot) : ''
+
+    // Try the original filename first
+    let fullPath = `${folderPath}/${filename}`.replace(/\/+/g, '/')
+    if (!(await fileExists(fullPath))) {
+      return fullPath
+    }
+
+    // File exists, try with counter
+    let counter = 2
+    while (counter <= 100) { // Safety limit
+      const newFilename = `${baseName} (${counter})${extension}`
+      fullPath = `${folderPath}/${newFilename}`.replace(/\/+/g, '/')
+      if (!(await fileExists(fullPath))) {
+        return fullPath
+      }
+      counter++
+    }
+
+    // Fallback: use timestamp
+    const timestamp = Date.now()
+    const newFilename = `${baseName} (${timestamp})${extension}`
+    return `${folderPath}/${newFilename}`.replace(/\/+/g, '/')
+  }
+
+  /**
+   * Upload a file to Nextcloud via WebDAV.
+   */
+  const uploadFile = async (path: string, content: ArrayBuffer, mimeType?: string): Promise<void> => {
+    const url = getWebDavUrl(path)
+    logger.debug('Uploading file to WebDAV', { url, path })
+
+    const requestToken = getRequestToken()
+    const headers: Record<string, string> = {
+      'Content-Type': mimeType || 'application/octet-stream',
+    }
+    if (requestToken) {
+      headers['requesttoken'] = requestToken
+    }
+
+    const response = await fetch(url, {
+      method: 'PUT',
+      credentials: 'include',
+      headers,
+      body: content,
+    })
+
+    if (!response.ok) {
+      throw new Error(`Failed to upload file: ${response.status} ${response.statusText}`)
+    }
+  }
+
+  /**
+   * Get the CalDAV base URL for the current user's calendars.
+   */
+  const getCalDavUrl = (path: string = ''): string => {
+    if (!currentUser?.uid) {
+      throw new Error('No user logged in')
+    }
+    const basePath = `dav/calendars/${currentUser.uid}`
+    const cleanPath = path.startsWith('/') ? path : path ? `/${path}` : ''
+    return generateRemoteUrl(basePath + cleanPath)
+  }
+
+  /**
+   * Fetch user's calendars via CalDAV PROPFIND.
+   */
+  const fetchCalendars = async (): Promise<CalendarInfo[]> => {
+    const url = getCalDavUrl()
+    logger.debug('Fetching calendars from CalDAV', { url })
+
+    const requestToken = getRequestToken()
+    const headers: Record<string, string> = {
+      'Content-Type': 'application/xml; charset=utf-8',
+      Depth: '1',
+    }
+    if (requestToken) {
+      headers.requesttoken = requestToken
+    }
+
+    const propfindBody = `<?xml version="1.0" encoding="utf-8"?>
+<d:propfind xmlns:d="DAV:" xmlns:cs="http://calendarserver.org/ns/" xmlns:c="urn:ietf:params:xml:ns:caldav" xmlns:oc="http://owncloud.org/ns" xmlns:nc="http://nextcloud.org/ns" xmlns:x1="http://apple.com/ns/ical/">
+  <d:prop>
+    <d:resourcetype/>
+    <d:displayname/>
+    <x1:calendar-color/>
+    <cs:getctag/>
+    <c:supported-calendar-component-set/>
+    <oc:calendar-enabled/>
+  </d:prop>
+</d:propfind>`
+
+    const response = await fetch(url, {
+      method: 'PROPFIND',
+      credentials: 'include',
+      headers,
+      body: propfindBody,
+    })
+
+    if (!response.ok) {
+      throw new Error(`Failed to fetch calendars: ${response.status} ${response.statusText}`)
+    }
+
+    const text = await response.text()
+    const calendars: CalendarInfo[] = []
+
+    // Parse XML response
+    const parser = new DOMParser()
+    const doc = parser.parseFromString(text, 'application/xml')
+    const responses = doc.getElementsByTagNameNS('DAV:', 'response')
+
+    for (let i = 0; i < responses.length; i++) {
+      const resp = responses[i]
+
+      // Check if it's a calendar (has calendar resource type)
+      const resourceTypes = resp.getElementsByTagNameNS('DAV:', 'resourcetype')[0]
+      if (!resourceTypes) continue
+
+      const isCalendar = resourceTypes.getElementsByTagNameNS('urn:ietf:params:xml:ns:caldav', 'calendar').length > 0
+      if (!isCalendar) continue
+
+      // Check if calendar supports VEVENT
+      const supportedComponents = resp.getElementsByTagNameNS('urn:ietf:params:xml:ns:caldav', 'supported-calendar-component-set')[0]
+      let supportsVevent = false
+      if (supportedComponents) {
+        const comps = supportedComponents.getElementsByTagNameNS('urn:ietf:params:xml:ns:caldav', 'comp')
+        for (let j = 0; j < comps.length; j++) {
+          if (comps[j].getAttribute('name') === 'VEVENT') {
+            supportsVevent = true
+            break
+          }
+        }
+      }
+      if (!supportsVevent) continue
+
+      // Check if calendar is enabled
+      const enabledEl = resp.getElementsByTagNameNS('http://owncloud.org/ns', 'calendar-enabled')[0]
+      if (enabledEl && enabledEl.textContent === '0') continue
+
+      // Get calendar URL
+      const hrefEl = resp.getElementsByTagNameNS('DAV:', 'href')[0]
+      if (!hrefEl) continue
+      const href = hrefEl.textContent || ''
+
+      // Get display name
+      const displaynameEl = resp.getElementsByTagNameNS('DAV:', 'displayname')[0]
+      const displayname = displaynameEl?.textContent || 'Calendar'
+
+      // Get calendar color
+      const colorEl = resp.getElementsByTagNameNS('http://apple.com/ns/ical/', 'calendar-color')[0]
+      let color = colorEl?.textContent || '#0082c9'
+      // Normalize color (remove alpha if present: #RRGGBBAA -> #RRGGBB)
+      if (color.length === 9 && color.startsWith('#')) {
+        color = color.substring(0, 7)
+      }
+
+      calendars.push({ url: href, displayname, color })
+    }
+
+    return calendars
+  }
+
+  /**
+   * Add an event to a calendar via the API.
+   * The API handles orphaned UIDs from soft-deleted events.
+   * @param calendarUrl - The calendar URL (e.g., /remote.php/dav/calendars/user/personal/)
+   * @param icsContent - The ICS content of the event
+   * @returns Object with updated: true if event was updated, false if created
+   */
+  const addEventToCalendar = async (calendarUrl: string, icsContent: string): Promise<{ updated: boolean }> => {
+    logger.debug('Adding event to calendar via API', { calendarUrl })
+
+    const response = await axios.post(
+      generateUrl('/apps/mail_roundcube/api/calendar/event'),
+      {
+        calendarUri: calendarUrl,
+        icsContent: icsContent,
+      }
+    )
+
+    if (!response.data.success) {
+      throw new Error(response.data.error || 'Failed to add event')
+    }
+
+    logger.debug('Event added successfully', { updated: response.data.updated, uid: response.data.uid })
+    return { updated: response.data.updated }
+  }
+
+  /**
+   * Convert ArrayBuffer to base64 string.
+   */
+  const arrayBufferToBase64 = (buffer: ArrayBuffer): string => {
+    const bytes = new Uint8Array(buffer)
+    let binary = ''
+    for (let i = 0; i < bytes.byteLength; i++) {
+      binary += String.fromCharCode(bytes[i])
+    }
+    return btoa(binary)
+  }
+
+  /**
+   * Convert base64 string to ArrayBuffer.
+   */
+  const base64ToArrayBuffer = (base64: string): ArrayBuffer => {
+    const binary = atob(base64)
+    const bytes = new Uint8Array(binary.length)
+    for (let i = 0; i < binary.length; i++) {
+      bytes[i] = binary.charCodeAt(i)
+    }
+    return bytes.buffer
+  }
+
+  /**
+   * Send a message to the iframe.
+   */
+  const sendToIframe = (message: FilePickedResponse | FileSavedResponse | ShareLinkCreatedResponse | CalendarsResponse | EventAddedResponse): void => {
+    const iframe = iframeRef.value
+    if (!iframe?.contentWindow) {
+      logger.error('Cannot send message: iframe not available')
+      return
+    }
+    const targetOrigin = allowedOrigin || window.location.origin
+    iframe.contentWindow.postMessage(message, targetOrigin)
+    logger.debug('Message sent to iframe', { message, targetOrigin })
+  }
+
+  /**
+   * Handle file pick request from iframe - opens the picker.
+   */
+  const handlePickFile = (message: PickFileMessage): void => {
+    logger.info('Handling pickFile request', { message })
+    isProcessing.value = true
+    pendingPickRequest.value = {
+      requestId: message.requestId,
+      multiple: message.multiple ?? true,
+      mimeTypes: message.mimeTypes,
+    }
+    isFilePickerOpen.value = true
+  }
+
+  /**
+   * Callback when files are picked from the FilePicker component.
+   */
+  const onFilesPicked = async (nodes: Node[]): Promise<void> => {
+    const request = pendingPickRequest.value
+    if (!request) {
+      logger.error('No pending pick request')
+      return
+    }
+
+    // Clear pending request immediately to prevent onFilePickerClose from sending "Cancelled"
+    pendingPickRequest.value = null
+
+    try {
+      const files: FilePickedResponse['files'] = []
+
+      for (const node of nodes) {
+        try {
+          const path = node.path || ''
+          const { content, mimeType } = await downloadFile(path)
+          const name = node.basename || path.split('/').pop() || 'file'
+
+          files.push({
+            name,
+            path,
+            mimeType,
+            size: content.byteLength,
+            content: arrayBufferToBase64(content),
+          })
+        } catch (error) {
+          logger.error('Failed to download file', { path: node.path, error })
+        }
+      }
+
+      sendToIframe({
+        action: 'filePicked',
+        requestId: request.requestId,
+        success: files.length > 0,
+        files,
+      })
+    } catch (error) {
+      logger.error('File picker error', { error })
+      sendToIframe({
+        action: 'filePicked',
+        requestId: request.requestId,
+        success: false,
+        error: error instanceof Error ? error.message : 'Unknown error',
+      })
+    } finally {
+      isProcessing.value = false
+      isFilePickerOpen.value = false
+    }
+  }
+
+  /**
+   * Callback when the file picker is closed without selection.
+   */
+  const onFilePickerClose = (): void => {
+    const request = pendingPickRequest.value
+    // Only send "Cancelled" if there's still a pending request
+    // (onFilesPicked clears it when user clicks the button)
+    if (request) {
+      sendToIframe({
+        action: 'filePicked',
+        requestId: request.requestId,
+        success: false,
+        error: 'Cancelled',
+      })
+      pendingPickRequest.value = null
+    }
+    isProcessing.value = false
+    isFilePickerOpen.value = false
+  }
+
+  /**
+   * Handle file save request from iframe - opens the folder picker.
+   */
+  const handleSaveFile = (message: SaveFileMessage): void => {
+    logger.info('Handling saveFile request', { filename: message.filename })
+    isProcessing.value = true
+    pendingSaveRequest.value = {
+      requestId: message.requestId,
+      filename: message.filename,
+      content: message.content,
+      mimeType: message.mimeType,
+    }
+    pendingSaveFilesRequest.value = null
+    isFileSaverOpen.value = true
+  }
+
+  /**
+   * Handle multiple files save request from iframe - opens the folder picker once.
+   */
+  const handleSaveFiles = (message: SaveFilesMessage): void => {
+    logger.info('Handling saveFiles request', { count: message.files.length })
+    isProcessing.value = true
+    pendingSaveFilesRequest.value = {
+      requestId: message.requestId,
+      files: message.files,
+    }
+    pendingSaveRequest.value = null
+    isFileSaverOpen.value = true
+  }
+
+  /**
+   * Callback when a folder is selected for saving.
+   */
+  const onFolderSelected = async (nodes: Node[]): Promise<void> => {
+    const singleRequest = pendingSaveRequest.value
+    const multiRequest = pendingSaveFilesRequest.value
+
+    if (!singleRequest && !multiRequest) {
+      logger.error('No pending save request')
+      return
+    }
+
+    // Clear pending requests immediately to prevent onFileSaverClose from sending "Cancelled"
+    pendingSaveRequest.value = null
+    pendingSaveFilesRequest.value = null
+
+    const folderPath = nodes[0]?.path || '/'
+
+    // Handle multiple files save
+    if (multiRequest) {
+      const savedPaths: string[] = []
+      const errors: string[] = []
+
+      for (const file of multiRequest.files) {
+        try {
+          const destinationPath = await findUniqueFilename(folderPath, file.filename)
+          logger.debug('Saving file to', { destinationPath })
+          const content = base64ToArrayBuffer(file.content)
+          await uploadFile(destinationPath, content, file.mimeType)
+          savedPaths.push(destinationPath)
+        } catch (error) {
+          logger.error('File save error', { filename: file.filename, error })
+          errors.push(file.filename)
+        }
+      }
+
+      sendToIframe({
+        action: 'fileSaved',
+        requestId: multiRequest.requestId,
+        success: savedPaths.length > 0,
+        path: savedPaths.join(', '),
+        error: errors.length > 0 ? `Failed: ${errors.join(', ')}` : undefined,
+      })
+
+      isProcessing.value = false
+      isFileSaverOpen.value = false
+      return
+    }
+
+    // Handle single file save
+    if (singleRequest) {
+      try {
+        const destinationPath = await findUniqueFilename(folderPath, singleRequest.filename)
+        logger.debug('Saving file to', { destinationPath })
+        const content = base64ToArrayBuffer(singleRequest.content)
+        await uploadFile(destinationPath, content, singleRequest.mimeType)
+
+        sendToIframe({
+          action: 'fileSaved',
+          requestId: singleRequest.requestId,
+          success: true,
+          path: destinationPath,
+        })
+      } catch (error) {
+        logger.error('File save error', { error })
+        sendToIframe({
+          action: 'fileSaved',
+          requestId: singleRequest.requestId,
+          success: false,
+          error: error instanceof Error ? error.message : 'Unknown error',
+        })
+      } finally {
+        isProcessing.value = false
+        isFileSaverOpen.value = false
+      }
+    }
+  }
+
+  /**
+   * Callback when the folder picker is closed without selection.
+   */
+  const onFileSaverClose = (): void => {
+    const singleRequest = pendingSaveRequest.value
+    const multiRequest = pendingSaveFilesRequest.value
+
+    // Only send "Cancelled" if there's still a pending request
+    // (onFolderSelected clears it when user clicks the button)
+    if (singleRequest) {
+      sendToIframe({
+        action: 'fileSaved',
+        requestId: singleRequest.requestId,
+        success: false,
+        error: 'Cancelled',
+      })
+      pendingSaveRequest.value = null
+    }
+    if (multiRequest) {
+      sendToIframe({
+        action: 'fileSaved',
+        requestId: multiRequest.requestId,
+        success: false,
+        error: 'Cancelled',
+      })
+      pendingSaveFilesRequest.value = null
+    }
+    isProcessing.value = false
+    isFileSaverOpen.value = false
+  }
+
+  /**
+   * Create a public share link for a file using OCS Sharing API.
+   * @param path - File path from user's root (e.g., /Documents/file.pdf)
+   * @returns The share URL
+   */
+  const createShareLink = async (path: string): Promise<string> => {
+    const url = generateOcsUrl('apps/files_sharing/api/v1/shares')
+
+    const response = await axios.post(url, {
+      shareType: 3, // SHARE_TYPE_LINK
+      path,
+    })
+
+    return response.data.ocs.data.url
+  }
+
+  /**
+   * Handle create share link request from iframe - opens file picker.
+   */
+  const handleCreateShareLink = (message: CreateShareLinkMessage): void => {
+    logger.info('Handling createShareLink request')
+    isProcessing.value = true
+    pendingShareLinkRequest.value = {
+      requestId: message.requestId,
+    }
+    isShareLinkPickerOpen.value = true
+  }
+
+  /**
+   * Callback when a file is picked for share link creation.
+   */
+  const onShareLinkFilePicked = async (nodes: Node[]): Promise<void> => {
+    const request = pendingShareLinkRequest.value
+    if (!request) {
+      logger.error('No pending share link request')
+      return
+    }
+
+    // Clear pending request immediately
+    pendingShareLinkRequest.value = null
+
+    const node = nodes[0]
+    if (!node?.path) {
+      sendToIframe({
+        action: 'shareLinkCreated',
+        requestId: request.requestId,
+        success: false,
+        error: 'No file selected',
+      })
+      isProcessing.value = false
+      isShareLinkPickerOpen.value = false
+      return
+    }
+
+    try {
+      const url = await createShareLink(node.path)
+      const filename = node.basename || node.path.split('/').pop() || 'file'
+
+      sendToIframe({
+        action: 'shareLinkCreated',
+        requestId: request.requestId,
+        success: true,
+        url,
+        filename,
+      })
+    } catch (error: unknown) {
+      logger.error('Failed to create share link', { error })
+      let errorMessage = 'Failed to create share link'
+      // Try to extract error message from OCS response
+      const axiosError = error as { response?: { data?: { ocs?: { meta?: { message?: string } } } } }
+      if (axiosError.response?.data?.ocs?.meta?.message) {
+        errorMessage = axiosError.response.data.ocs.meta.message
+      }
+      sendToIframe({
+        action: 'shareLinkCreated',
+        requestId: request.requestId,
+        success: false,
+        error: errorMessage,
+      })
+    } finally {
+      isProcessing.value = false
+      isShareLinkPickerOpen.value = false
+    }
+  }
+
+  /**
+   * Callback when the share link file picker is closed without selection.
+   */
+  const onShareLinkPickerClose = (): void => {
+    const request = pendingShareLinkRequest.value
+    if (request) {
+      sendToIframe({
+        action: 'shareLinkCreated',
+        requestId: request.requestId,
+        success: false,
+        error: 'Cancelled',
+      })
+      pendingShareLinkRequest.value = null
+    }
+    isProcessing.value = false
+    isShareLinkPickerOpen.value = false
+  }
+
+  /**
+   * Handle get calendars request from iframe.
+   */
+  const handleGetCalendars = async (message: GetCalendarsMessage): Promise<void> => {
+    logger.info('Handling getCalendars request')
+
+    try {
+      const calendars = await fetchCalendars()
+      sendToIframe({
+        action: 'calendarsLoaded',
+        requestId: message.requestId,
+        success: true,
+        calendars,
+      })
+    } catch (error) {
+      logger.error('Failed to fetch calendars', { error })
+      sendToIframe({
+        action: 'calendarsLoaded',
+        requestId: message.requestId,
+        success: false,
+        error: error instanceof Error ? error.message : 'Failed to fetch calendars',
+      })
+    }
+  }
+
+  /**
+   * Handle add to calendar request from iframe.
+   */
+  const handleAddToCalendar = async (message: AddToCalendarMessage): Promise<void> => {
+    logger.info('Handling addToCalendar request', { calendarUrl: message.calendarUrl })
+
+    try {
+      const result = await addEventToCalendar(message.calendarUrl, message.icsContent)
+      sendToIframe({
+        action: 'eventAdded',
+        requestId: message.requestId,
+        success: true,
+        updated: result.updated,
+      })
+    } catch (error) {
+      logger.error('Failed to add event to calendar', { error })
+      sendToIframe({
+        action: 'eventAdded',
+        requestId: message.requestId,
+        success: false,
+        error: error instanceof Error ? error.message : 'Failed to add event',
+      })
+    }
+  }
+
+  /**
+   * Handle incoming postMessage from iframe.
+   */
+  const handleMessage = (event: MessageEvent): void => {
+    const expectedOrigin = allowedOrigin || window.location.origin
+    if (event.origin !== expectedOrigin) {
+      return
+    }
+
+    const message = event.data as IframeMessage
+    if (!message?.action) {
+      return
+    }
+
+    logger.debug('Received message from iframe', { message })
+
+    switch (message.action) {
+      case 'pickFile':
+        handlePickFile(message)
+        break
+      case 'saveFile':
+        handleSaveFile(message)
+        break
+      case 'saveFiles':
+        handleSaveFiles(message)
+        break
+      case 'createShareLink':
+        handleCreateShareLink(message)
+        break
+      case 'getCalendars':
+        handleGetCalendars(message)
+        break
+      case 'addToCalendar':
+        handleAddToCalendar(message)
+        break
+      default:
+        logger.debug('Unknown action', { action: (message as { action: string }).action })
+    }
+  }
+
+  // Setup and cleanup
+  onMounted(() => {
+    if (!enabled) {
+      logger.debug('IframeBridge: disabled, not listening for messages')
+      return
+    }
+    window.addEventListener('message', handleMessage)
+    logger.info('IframeBridge: listening for messages')
+  })
+
+  onBeforeUnmount(() => {
+    if (!enabled) {
+      return
+    }
+    window.removeEventListener('message', handleMessage)
+    logger.info('IframeBridge: stopped listening')
+  })
+
+  return {
+    // State
+    isProcessing,
+    enabled,
+    isFilePickerOpen,
+    isFileSaverOpen,
+    isShareLinkPickerOpen,
+    pendingPickRequest,
+    pendingSaveRequest,
+    // Callbacks for FilePicker component
+    onFilesPicked,
+    onFilePickerClose,
+    onFolderSelected,
+    onFileSaverClose,
+    // Callbacks for Share Link FilePicker
+    onShareLinkFilePicked,
+    onShareLinkPickerClose,
+  }
+}
diff --git a/src/types/initial-state.d.ts b/src/types/initial-state.d.ts
index 903f6421..65c4b6bc 100644
--- a/src/types/initial-state.d.ts
+++ b/src/types/initial-state.d.ts
@@ -25,4 +25,5 @@ export interface InitialState {
   emailUserId: string|null,
   externalLocation: string|null,
   showTopLine: boolean,
+  enableBridge: boolean,
 }