Lifetime Replacement Parts

Avatar uploads

Account avatars use Directus Files and the built-in directus_users.avatar relation.

Upload path

The account page posts images to /api/settings/account/avatar. The endpoint validates the authenticated session, checks the CSRF token, accepts image files up to 2 MB, stores the file in Directus, and assigns the uploaded file id to the current Directus user.

Display path

The encrypted session stores the current avatar file id so app chrome can render the same image everywhere initials appear. If no avatar is set, the UI falls back to generated initials.

Future uploads

Use the same pattern for future customer uploads: validate in an Astro endpoint, scope writes to the authenticated customer, upload to Directus Files, then attach the returned file id to the relevant record.
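One way to write the "validate" and "scope writes" steps of this pattern, as an added example that is not the project's own code. The session field names (`userId`, `csrf`), the accepted formats, the content sniffing, and the status codes are assumptions; the Directus upload and the attach step are left out.

```javascript
// Added example: validation step for an avatar upload endpoint.
// Assumed names: session.userId, session.csrf, and the format allow-list below.
const MAX_BYTES = 2 * 1024 * 1024; // the 2 MB limit stated on this page

// Leading bytes of the image formats this sketch accepts (assumed allow-list).
const SIGNATURES = [
  { mime: "image/png", bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: "image/jpeg", bytes: [0xff, 0xd8, 0xff] },
  { mime: "image/gif", bytes: [0x47, 0x49, 0x46, 0x38] },
];

// Detect the type from the content; the client-supplied Content-Type is not trusted.
function sniffImage(data) {
  const hit = SIGNATURES.find((s) => s.bytes.every((b, i) => data[i] === b));
  return hit ? hit.mime : null;
}

// Compare tokens without exiting early on the first differing character.
function tokensMatch(a, b) {
  if (typeof a !== "string" || typeof b !== "string") return false;
  if (a.length === 0 || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Returns the HTTP status to send and, on success, the only user id that may be written.
function checkAvatarUpload({ session, csrfToken, file }) {
  if (!session || !session.userId) return { status: 401, reason: "no session" };
  if (!tokensMatch(csrfToken, session.csrf)) return { status: 403, reason: "bad csrf token" };
  if (!(file instanceof Uint8Array) || file.length === 0) return { status: 400, reason: "no file" };
  if (file.length > MAX_BYTES) return { status: 413, reason: "file too large" };
  const mime = sniffImage(file);
  if (!mime) return { status: 415, reason: "not an accepted image" };
  // Any user id sent in the request body is ignored: the target is the session user.
  return { status: 200, userId: session.userId, mime };
}

// Constructed sample input: a PNG signature followed by two padding bytes.
const samplePng = new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0]);
const sampleSession = { userId: "user-1", csrf: "constructed-token" };
console.log(checkAvatarUpload({ session: sampleSession, csrfToken: "constructed-token", file: samplePng }));
```

Only after this check returns 200 would the endpoint upload to Directus Files and attach the returned file id to the record owned by `userId`.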

// docs maintenance
Keep docs updated with product, API, UI, and workflow changes. If behavior changes, the matching docs page should change in the same work.