jayzalowitz
diff --git a/‎CHANGELOG.md‎
Lines changed: 57 additions & 4 deletions b/‎CHANGELOG.md‎
Lines changed: 57 additions & 4 deletions
diff --git a/‎apps/api/src/__tests__/embedded-llm-downloads-routes.test.ts‎
Lines changed: 112 additions & 3 deletions b/‎apps/api/src/__tests__/embedded-llm-downloads-routes.test.ts‎
Lines changed: 112 additions & 3 deletions
diff --git a/‎apps/api/src/embedded-llm/downloader.ts‎
Lines changed: 54 additions & 14 deletions b/‎apps/api/src/embedded-llm/downloader.ts‎
Lines changed: 54 additions & 14 deletions
@@ -53,14 +53,67 @@ minutes later the twin works fully offline.
   existing `.confidence-bar` styles), pause/resume/cancel buttons,
   error surface. Polls `/downloads/:id` every 1s while a download is
   active; stops polling on terminal status.
-- 14 unit tests for the route layer in
+- 25 unit tests for the route layer in
   `apps/api/src/__tests__/embedded-llm-downloads-routes.test.ts`:
   start happy + missing-userId/modelId + 404 unknown-model, get +
   404, percent capping at 100% for over-fetch, percent=0 for pending,
-  list-for-user, pause ok/false, resume + 404, cancel. Mocks
-  `@skytwin/db` + the downloader module — no real HTTP / filesystem.
+  list-for-user, pause ok/false, pause-404, resume + 404, cancel,
+  cancel-404, plus 7 cross-user-403 tests covering every mutating
+  endpoint plus the dev-bypass-allowed case. Mocks `@skytwin/db` +
+  the downloader module — no real HTTP / filesystem.
 
-API total: 477 passing (24 skipped). All 34 packages build clean.
+API total: 486 passing (24 skipped). All 34 packages build clean.
+
+### Fixed (post-/review)
+
+Copilot review on PR #247 surfaced 12 substantive findings; all
+addressed before merge:
+
+- **IDOR on `POST /downloads/start`**: applied `requireOwnership`
+  middleware so the request body's `userId` must match the
+  authenticated user.
+- **IDOR on `GET /downloads/:id` and the pause/resume/cancel routes**:
+  introduced a `loadOwnedDownload(req, res, id)` helper that fetches
+  the row and rejects with 403 if `req.authenticatedUserId` doesn't
+  match `row.user_id`. Dev bypass (no `authenticatedUserId`) keeps
+  current behavior.
+- **OOM on multi-GB SHA-256 verify**: replaced `readFile(path)` with a
+  streaming `createReadStream → hash.update(chunk)` loop in a new
+  `computeSha256(path)` helper. A 4GB GGUF no longer needs 4GB of
+  Node heap to verify.
+- **DB-level idempotency**: schema changed from a non-unique partial
+  index to a `UNIQUE` partial index on `(user_id, model_id)` for
+  non-terminal statuses, so two concurrent `/downloads/start` calls
+  can't both win past `findActive()`. `startDownload()` now also
+  catches the `23505` unique-violation that the loser's `INSERT`
+  raises and re-fetches the surviving row.
+- **In-memory race**: `startDownload()` now bails if the row is
+  already in `inFlight`, preventing two concurrent runners writing
+  the same `.partial`.
+- **Stale progress on Range-ignored**: when the server returns 200 to
+  a Range request, we now `updateProgress(id, 0)` immediately so the
+  poll UI doesn't display stale `bytes_downloaded` until the next
+  1MB flush.
+- **`total_bytes` never persisted**: added
+  `modelDownloadRepository.updateTotalBytes(id, n)` and call it when
+  Content-Length disagrees with the registry by >1MB. The progress
+  bar denominator now matches reality.
+- **DOM update broke action buttons**: the polling tick was finding
+  `labelLine.firstElementChild` and replacing it, which clobbered
+  the size/percent span on first run and the action-button span on
+  subsequent runs. Switched to stable `data-role` selectors
+  (`embedded-llm-progress-text`, `embedded-llm-status`) so updates
+  are scoped.
+- **Singleton listener stale closure**: `ensureListener()` no longer
+  closes over `container` or `userId` from the first mount. The
+  delegator now re-derives both at click time:
+  `document.getElementById('embedded-llm-card-target')` for the
+  container, `localStorage.getItem(KEY_USER_ID)` for the userId.
+  Same pattern as the other singleton delegators in this codebase.
+- **Test auth pattern**: switched from injecting `req.user.id` to
+  `req.authenticatedUserId` to match production. Added 7 new tests
+  covering cross-user 403 on every mutating endpoint plus the
+  dev-bypass-allowed path.
 
 ### Why this fits the theme
 
 
@@ -52,12 +52,19 @@ const SAMPLE_ROW = {
   completed_at: null,
 };
 
-function buildApp(userId: string | null = USER_ID): Express {
+/**
+ * Build an Express app for tests. Production auth sets
+ * `req.authenticatedUserId` via `sessionAuth`; the ownership middleware
+ * compares it against userId in params/body/query (or against the row's
+ * user_id for `:id`-keyed routes). Pass `null` to simulate dev bypass —
+ * `requireOwnership` skips the check when `authenticatedUserId` is undefined.
+ */
+function buildApp(authUserId: string | null = USER_ID): Express {
   const app = express();
   app.use(express.json());
-  if (userId !== null) {
+  if (authUserId !== null) {
     app.use((req, _res, next) => {
-      (req as unknown as { user: { id: string } }).user = { id: userId };
+      req.authenticatedUserId = authUserId;
       next();
     });
   }
@@ -229,6 +236,7 @@ describe('GET /api/embedded-llm/downloads/user/:userId', () => {
 
 describe('POST /api/embedded-llm/downloads/:id/pause', () => {
   it('returns ok=true on successful pause', async () => {
+    mockRepo.findById.mockResolvedValue(SAMPLE_ROW);
     mockPauseDownload.mockResolvedValue(true);
     const { status, body } = await req(
       buildApp(),
@@ -241,6 +249,7 @@ describe('POST /api/embedded-llm/downloads/:id/pause', () => {
   });
 
   it('returns ok=false when row is not pausable', async () => {
+    mockRepo.findById.mockResolvedValue(SAMPLE_ROW);
     mockPauseDownload.mockResolvedValue(false);
     const { body } = await req(
       buildApp(),
@@ -249,6 +258,17 @@ describe('POST /api/embedded-llm/downloads/:id/pause', () => {
     );
     expect(body['ok']).toBe(false);
   });
+
+  it('returns 404 when download not found', async () => {
+    mockRepo.findById.mockResolvedValue(null);
+    const { status } = await req(
+      buildApp(),
+      'POST',
+      `/api/embedded-llm/downloads/${DOWNLOAD_ID}/pause`,
+    );
+    expect(status).toBe(404);
+    expect(mockPauseDownload).not.toHaveBeenCalled();
+  });
 });
 
 describe('POST /api/embedded-llm/downloads/:id/resume', () => {
@@ -281,6 +301,7 @@ describe('POST /api/embedded-llm/downloads/:id/resume', () => {
 
 describe('POST /api/embedded-llm/downloads/:id/cancel', () => {
   it('returns ok=true on successful cancel', async () => {
+    mockRepo.findById.mockResolvedValue(SAMPLE_ROW);
     mockCancelDownload.mockResolvedValue(true);
     const { status, body } = await req(
       buildApp(),
@@ -290,4 +311,92 @@ describe('POST /api/embedded-llm/downloads/:id/cancel', () => {
     expect(status).toBe(200);
     expect(body['ok']).toBe(true);
   });
+
+  it('returns 404 when download not found', async () => {
+    mockRepo.findById.mockResolvedValue(null);
+    const { status } = await req(
+      buildApp(),
+      'POST',
+      `/api/embedded-llm/downloads/${DOWNLOAD_ID}/cancel`,
+    );
+    expect(status).toBe(404);
+    expect(mockCancelDownload).not.toHaveBeenCalled();
+  });
+});
+
+describe('cross-user access is forbidden', () => {
+  const OTHER_USER_ID = '11111111-2222-3333-4444-555555555555';
+
+  it('POST /downloads/start rejects when body userId differs from authenticated user', async () => {
+    const { status } = await req(
+      buildApp(USER_ID),
+      'POST',
+      '/api/embedded-llm/downloads/start',
+      { userId: OTHER_USER_ID, modelId: 'qwen-2.5-3b-q4' },
+    );
+    expect(status).toBe(403);
+    expect(mockStartDownload).not.toHaveBeenCalled();
+  });
+
+  it('GET /downloads/:id rejects when row belongs to another user', async () => {
+    mockRepo.findById.mockResolvedValue({ ...SAMPLE_ROW, user_id: OTHER_USER_ID });
+    const { status } = await req(
+      buildApp(USER_ID),
+      'GET',
+      `/api/embedded-llm/downloads/${DOWNLOAD_ID}`,
+    );
+    expect(status).toBe(403);
+  });
+
+  it('POST /downloads/:id/pause rejects when row belongs to another user', async () => {
+    mockRepo.findById.mockResolvedValue({ ...SAMPLE_ROW, user_id: OTHER_USER_ID });
+    const { status } = await req(
+      buildApp(USER_ID),
+      'POST',
+      `/api/embedded-llm/downloads/${DOWNLOAD_ID}/pause`,
+    );
+    expect(status).toBe(403);
+    expect(mockPauseDownload).not.toHaveBeenCalled();
+  });
+
+  it('POST /downloads/:id/resume rejects when row belongs to another user', async () => {
+    mockRepo.findById.mockResolvedValue({ ...SAMPLE_ROW, user_id: OTHER_USER_ID });
+    const { status } = await req(
+      buildApp(USER_ID),
+      'POST',
+      `/api/embedded-llm/downloads/${DOWNLOAD_ID}/resume`,
+    );
+    expect(status).toBe(403);
+    expect(mockStartDownload).not.toHaveBeenCalled();
+  });
+
+  it('POST /downloads/:id/cancel rejects when row belongs to another user', async () => {
+    mockRepo.findById.mockResolvedValue({ ...SAMPLE_ROW, user_id: OTHER_USER_ID });
+    const { status } = await req(
+      buildApp(USER_ID),
+      'POST',
+      `/api/embedded-llm/downloads/${DOWNLOAD_ID}/cancel`,
+    );
+    expect(status).toBe(403);
+    expect(mockCancelDownload).not.toHaveBeenCalled();
+  });
+
+  it('GET /downloads/user/:userId rejects when path userId differs from authenticated user', async () => {
+    const { status } = await req(
+      buildApp(USER_ID),
+      'GET',
+      `/api/embedded-llm/downloads/user/${OTHER_USER_ID}`,
+    );
+    expect(status).toBe(403);
+  });
+
+  it('dev bypass (no authenticatedUserId) allows access', async () => {
+    mockRepo.findById.mockResolvedValue({ ...SAMPLE_ROW, user_id: OTHER_USER_ID });
+    const { status } = await req(
+      buildApp(null),
+      'GET',
+      `/api/embedded-llm/downloads/${DOWNLOAD_ID}`,
+    );
+    expect(status).toBe(200);
+  });
 });
@@ -1,5 +1,6 @@
 import { createHash } from 'node:crypto';
 import {
+  createReadStream,
   createWriteStream,
   existsSync,
   mkdirSync,
@@ -97,13 +98,34 @@ export async function startDownload(
     download = existing;
     resumed = existing.bytes_downloaded > 0;
   } else {
-    download = await modelDownloadRepository.create({
-      userId,
-      modelId,
-      targetPath,
-      totalBytes: model.approxBytes,
-      sha256Expected: model.sha256,
-    });
+    try {
+      download = await modelDownloadRepository.create({
+        userId,
+        modelId,
+        targetPath,
+        totalBytes: model.approxBytes,
+        sha256Expected: model.sha256,
+      });
+    } catch (err) {
+      // The DB-level unique partial index can reject concurrent inserts
+      // that both passed findActive(). Re-fetch and treat as resumed.
+      if (isUniqueViolation(err)) {
+        const refetch = await modelDownloadRepository.findActive(userId, modelId);
+        if (refetch === null) throw err;
+        download = refetch;
+        resumed = refetch.bytes_downloaded > 0;
+      } else {
+        throw err;
+      }
+    }
+  }
+
+  // If a runner is already executing for this row, skip kicking off a
+  // second one — two concurrent .partial writers would corrupt the
+  // file. The active runner will keep streaming and the caller polls
+  // for progress on the same row.
+  if (inFlight.has(download.id)) {
+    return { download, resumed };
   }
 
   // Kick off the async transfer. Caller doesn't await this — it polls
@@ -118,6 +140,12 @@ export async function startDownload(
   return { download, resumed };
 }
 
+function isUniqueViolation(err: unknown): boolean {
+  if (typeof err !== 'object' || err === null) return false;
+  const code = (err as { code?: unknown }).code;
+  return code === '23505';
+}
+
 /**
  * Pause an in-flight download. Sets the in-memory flag (the streamer
  * checks it per-chunk) and updates the DB row to 'paused'. The
@@ -244,6 +272,9 @@ async function runDownload(download: ModelDownloadRow): Promise<void> {
     if (existsSync(partialPath)) {
       try { unlinkSync(partialPath); } catch { /* best effort */ }
     }
+    // Persist the reset immediately so the polling UI doesn't briefly
+    // report a stale `bytes_downloaded` until the next 1MB flush.
+    await modelDownloadRepository.updateProgress(download.id, 0);
   }
   if (response.body === null) {
     inFlight.delete(download.id);
@@ -262,10 +293,7 @@ async function runDownload(download: ModelDownloadRow): Promise<void> {
     if (Number.isFinite(len) && len > 0) {
       const totalFromServer = response.status === 206 ? resumeFrom + len : len;
       if (Math.abs(totalFromServer - download.total_bytes) > 1024 * 1024) {
-        // Drift > 1MB — update so progress bar isn't lying.
-        await modelDownloadRepository.setStatus(download.id, 'downloading', {
-          bytesDownloaded: resumeFrom,
-        });
+        await modelDownloadRepository.updateTotalBytes(download.id, totalFromServer);
       }
     }
   }
@@ -321,9 +349,9 @@ async function runDownload(download: ModelDownloadRow): Promise<void> {
   const expectedHash = model.sha256.toLowerCase();
   const isPlaceholder = /^0+$/.test(expectedHash);
   if (!isPlaceholder) {
-    const fs = await import('node:fs/promises');
-    const buf = await fs.readFile(partialPath);
-    const actual = createHash('sha256').update(buf).digest('hex');
+    // Stream the file through the hash — multi-GB GGUFs would OOM the
+    // API process if we readFile()'d the whole thing into memory.
+    const actual = await computeSha256(partialPath);
     if (actual !== expectedHash) {
       // Corrupt download. Delete the partial — user should retry,
       // and we don't want a half-bad GGUF lingering on disk.
@@ -383,3 +411,15 @@ export function ensureDirectory(filePath: string): void {
   const dir = dirname(filePath);
   if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
 }
+
+/**
+ * Stream the file through a SHA-256 hash. Multi-GB GGUFs would OOM
+ * the API process if we loaded them into memory whole.
+ */
+async function computeSha256(path: string): Promise<string> {
+  const hash = createHash('sha256');
+  for await (const chunk of createReadStream(path)) {
+    hash.update(chunk as Buffer);
+  }
+  return hash.digest('hex');
+}