
Quarantine / inspect-first-store-later workflows

Many production systems need more than allow or reject. A quarantine-first workflow lets you isolate suspicious files without pretending they are safe.

For storage-backed upload paths, the same promotion model is covered in Scan Files Before S3 Upload in Node.js.

  1. Receive the upload into memory or a restricted staging area.
  2. Scan with Pompelmi.
  3. Reject malicious files.
  4. Quarantine suspicious files.
  5. Promote clean files into the live storage path.

  • Document portals with human review.
  • High-sensitivity internal tools.
  • Direct-to-object-storage flows where you need a promotion step anyway.

The repository includes an end-to-end example under examples/quarantine-workflow.ts.
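
Separately from that repository file, here is a minimal sketch of the five steps above, added as an illustration; it is not Pompelmi's code and not the contents of examples/quarantine-workflow.ts. The `scan` parameter, the `demoScan` stand-in, the verdict strings, the directory layout and the hash-based file naming are all assumptions.

```javascript
// Added example, not Pompelmi's code. `scan` is a hypothetical stand-in for the
// scanner call; it is assumed to return 'clean', 'suspicious' or 'malicious'.
const fs = require('node:fs');
const path = require('node:path');
const crypto = require('node:crypto');

// Constructed toy scanner so the example runs offline.
function demoScan(bytes) {
  const text = bytes.toString('latin1');
  if (text.includes('MALICIOUS-MARKER')) return 'malicious';
  if (text.includes('SUSPECT-MARKER')) return 'suspicious';
  return 'clean';
}

// Steps 1-5: bytes are already in memory; scan, then decide where they land.
function routeUpload(bytes, originalName, scan, dirs) {
  const verdict = scan(bytes);
  const sha256 = crypto.createHash('sha256').update(bytes).digest('hex');
  if (verdict === 'malicious') {
    return { action: 'rejected', verdict, sha256, storedAt: null }; // never written
  }
  // Fail closed: any verdict other than an explicit 'clean' is quarantined.
  const clean = verdict === 'clean';
  const dir = clean ? dirs.live : dirs.quarantine;
  fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
  // Name the file by content hash, not the client-supplied name, so a crafted
  // filename cannot steer the write outside the target directory.
  const storedAt = path.join(dir, sha256);
  fs.writeFileSync(storedAt, bytes, { mode: 0o600 });
  if (!clean) {
    // Sidecar record for the reviewer; the original name is kept as data only.
    const record = JSON.stringify({ originalName, verdict, sha256 });
    fs.writeFileSync(storedAt + '.json', record, { mode: 0o600 });
  }
  return { action: clean ? 'promoted' : 'quarantined', verdict, sha256, storedAt };
}

// After human review, move a quarantined file into live storage.
function promoteFromQuarantine(sha256, dirs) {
  if (!/^[0-9a-f]{64}$/.test(sha256)) throw new Error('invalid file id');
  const from = path.join(dirs.quarantine, sha256);
  const to = path.join(dirs.live, sha256);
  fs.mkdirSync(dirs.live, { recursive: true, mode: 0o700 });
  fs.renameSync(from, to);
  fs.rmSync(from + '.json', { force: true });
  return to;
}
```

`promoteFromQuarantine` relies on `fs.renameSync`, so the quarantine and live directories must sit on the same filesystem.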