Mail Portal Uploads Moved to Filestack, Plus Multi-Region Image Publishing (QA)

This release reaches QA with two combined changes to the Mail portal. First, the three main upload flows (Add New Batch, Add Mail, Add Document) now upload files through the Filestack picker rather than sending raw files to the backend, with the server pulling files from cloud storage for processing. Second, the frontend's container build pipeline now publishes its image to a second AWS region (us-east-1 / Commercial East) in addition to the existing GovCloud region.

The previous upload flows sent files straight to the backend as raw multipart uploads, with the browser also extracting ZIP archives and splitting PDFs locally. Moving uploads to Filestack offloads the heavy work to a dedicated upload service and the backend's background worker, aligning the Mail portal with the upload pattern already used in the Vendor portal. Separately, publishing the container image to a Commercial-East registry is required to support deploying the frontend into that AWS region.

Users uploading batches, mail, or documents now go through the Filestack picker overlay instead of the old drag-and-drop tile. Large files and ZIP archives no longer have to be processed in the browser, so the upload step is lighter on the user's machine. ZIP files now show a dedicated preview card (name, size, and a download link to verify contents) since archives can't be rendered in-browser. The PDF splitter in Add Mail is preserved. The build/registry change is infrastructure-only and is not visible to end users.

• CI/build (docker-ecr.yml): Adds a second AWS credentials + ECR login step for us-east-1 (Commercial East) alongside the existing GovCloud (us-gov-west-1). Switches docker build/docker push to docker buildx build --platform linux/amd64 with --push, tagging the image into both registries (ECR_REPO and new ECR_REPO_EAST) for dev/qa/prod.
• Filestack upload migration (absorbs PRs #975, #976, #977): Add Batch, Add Mail, and Add Document modals replace the native dropzone/file input with a shared Filestack picker tile. Uploads go to Filestack; the backend receives handles + signed policy/signature and the Celery worker handles ZIP extraction / S3 copy.
• Shared FilestackFileUploader, useFilestackFileHandling, useFilestackPicker, useMailProgrammaticUpload (PDF-splitter path), and useFilestackCredsRefresh hooks; new filestack services/queries/routes/types.
• Preview URLs are re-signed with a separate read-only credentials policy (/v1/filestack/read-credentials); a new ZIP placeholder card with signed download was added.
• Submit paths refresh the policy/signature near its ~15-min expiry to prevent silent backend 403s that stranded records in processing.
• Bug fix: Add Document now sends document_type_ids as an array instead of a comma-joined string. Old component paths kept as re-export shims.

Moderate. This rewrites the core file-upload path for three high-traffic Mail flows and depends on Filestack credentials, the read-only signing policy, and a backend endpoint contract (unwrapped after backend #148). A credential/expiry or policy-path mismatch can cause uploads to appear successful in the UI while the record stalls server-side. Mitigations: credential refresh before submit, explicit error toasts when creds are missing, and legacy Edit Batch / Reupload flows left on the old path. The dual-region build is low risk but depends on the new AWS_ACCESS_KEY_EAST/AWS_SECRET_KEY_EAST secrets and the us-east-1 ECR repo existing.

• Upload via Add New Batch (multi-file + ZIP), Add Mail (incl. Split PDF & upload), and Add Document (single file) and confirm records complete, not stuck in processing.
• Verify file previews render (PDF/image) and ZIP shows the placeholder card with a working signed download.
• Linger >15 min on a form before submitting to confirm credential refresh prevents a silent backend 403.
• Confirm Add Document type selection saves correctly (array, not comma-joined string).
• Verify Edit Batch and Reupload (legacy flows) are unchanged.
• Confirm the CI pipeline pushes the image to both the GovCloud and us-east-1 ECR registries on a qa deploy.