added additional tests; sorted tests

tests-assets/test_crud.py

@@ -1,7 +1,33 @@
+import uuid
 import aiohttp
 import pytest
 
 
+@pytest.mark.asyncio
+async def test_create_from_hash_success(
+    http: aiohttp.ClientSession, api_base: str, seeded_asset: dict
+):
+    h = seeded_asset["asset_hash"]
+    payload = {
+        "hash": h,
+        "name": "from_hash_ok.safetensors",
+        "tags": ["models", "checkpoints", "unit-tests", "from-hash"],
+        "user_metadata": {"k": "v"},
+    }
+    async with http.post(f"{api_base}/api/assets/from-hash", json=payload) as r1:
+        b1 = await r1.json()
+        assert r1.status == 201, b1
+        assert b1["asset_hash"] == h
+        assert b1["created_new"] is False
+        aid = b1["id"]
+
+    # Calling again with the same name should return the same AssetInfo id
+    async with http.post(f"{api_base}/api/assets/from-hash", json=payload) as r2:
+        b2 = await r2.json()
+        assert r2.status == 201, b2
+        assert b2["id"] == aid
+
+
 @pytest.mark.asyncio
 async def test_get_and_delete_asset(http: aiohttp.ClientSession, api_base: str, seeded_asset: dict):
     aid = seeded_asset["id"]
@@ -25,6 +51,41 @@ async def test_get_and_delete_asset(http: aiohttp.ClientSession, api_base: str,
         assert body["error"]["code"] == "ASSET_NOT_FOUND"
 
 
+@pytest.mark.asyncio
+async def test_delete_upon_reference_count(
+    http: aiohttp.ClientSession, api_base: str, seeded_asset: dict
+):
+    # Create a second reference to the same asset via from-hash
+    src_hash = seeded_asset["asset_hash"]
+    payload = {
+        "hash": src_hash,
+        "name": "unit_ref_copy.safetensors",
+        "tags": ["models", "checkpoints", "unit-tests", "del-flow"],
+        "user_metadata": {"note": "copy"},
+    }
+    async with http.post(f"{api_base}/api/assets/from-hash", json=payload) as r2:
+        copy = await r2.json()
+        assert r2.status == 201, copy
+        assert copy["asset_hash"] == src_hash
+        assert copy["created_new"] is False
+
+    # Delete original reference -> asset identity must remain
+    aid1 = seeded_asset["id"]
+    async with http.delete(f"{api_base}/api/assets/{aid1}") as rd1:
+        assert rd1.status == 204
+
+    async with http.head(f"{api_base}/api/assets/hash/{src_hash}") as rh1:
+        assert rh1.status == 200  # identity still present
+
+    # Delete the last reference with default semantics -> identity and cached files removed
+    aid2 = copy["id"]
+    async with http.delete(f"{api_base}/api/assets/{aid2}") as rd2:
+        assert rd2.status == 204
+
+    async with http.head(f"{api_base}/api/assets/hash/{src_hash}") as rh2:
+        assert rh2.status == 404  # orphan content removed
+
+
 @pytest.mark.asyncio
 async def test_update_asset_fields(http: aiohttp.ClientSession, api_base: str, seeded_asset: dict):
     aid = seeded_asset["id"]
@@ -45,7 +106,7 @@ async def test_update_asset_fields(http: aiohttp.ClientSession, api_base: str, s
 
 
 @pytest.mark.asyncio
-async def test_head_asset_by_hash_and_invalids(http: aiohttp.ClientSession, api_base: str, seeded_asset: dict):
+async def test_head_asset_by_hash(http: aiohttp.ClientSession, api_base: str, seeded_asset: dict):
     h = seeded_asset["asset_hash"]
 
     # Existing
@@ -56,6 +117,59 @@ async def test_head_asset_by_hash_and_invalids(http: aiohttp.ClientSession, api_
     async with http.head(f"{api_base}/api/assets/hash/blake3:{'0'*64}") as rh2:
         assert rh2.status == 404
 
+
+@pytest.mark.asyncio
+async def test_delete_nonexistent_returns_404(http: aiohttp.ClientSession, api_base: str):
+    bogus = str(uuid.uuid4())
+    async with http.delete(f"{api_base}/api/assets/{bogus}") as r:
+        body = await r.json()
+        assert r.status == 404
+        assert body["error"]["code"] == "ASSET_NOT_FOUND"
+
+
+@pytest.mark.asyncio
+async def test_create_from_hash_invalids(http: aiohttp.ClientSession, api_base: str):
+    # Bad hash algorithm
+    bad = {
+        "hash": "sha256:" + "0" * 64,
+        "name": "x.bin",
+        "tags": ["models", "checkpoints", "unit-tests"],
+    }
+    async with http.post(f"{api_base}/api/assets/from-hash", json=bad) as r1:
+        b1 = await r1.json()
+        assert r1.status == 400
+        assert b1["error"]["code"] == "INVALID_BODY"
+
+    # Invalid JSON body
+    async with http.post(f"{api_base}/api/assets/from-hash", data=b"{not json}") as r2:
+        b2 = await r2.json()
+        assert r2.status == 400
+        assert b2["error"]["code"] == "INVALID_JSON"
+
+
+@pytest.mark.asyncio
+async def test_get_update_download_bad_ids(http: aiohttp.ClientSession, api_base: str):
+    # All endpoints should be not found, as we UUID regex directly in the route definition.
+    bad_id = "not-a-uuid"
+
+    async with http.get(f"{api_base}/api/assets/{bad_id}") as r1:
+        assert r1.status == 404
+
+    async with http.get(f"{api_base}/api/assets/{bad_id}/content") as r3:
+        assert r3.status == 404
+
+
+@pytest.mark.asyncio
+async def test_update_requires_at_least_one_field(http: aiohttp.ClientSession, api_base: str, seeded_asset: dict):
+    aid = seeded_asset["id"]
+    async with http.put(f"{api_base}/api/assets/{aid}", json={}) as r:
+        body = await r.json()
+        assert r.status == 400
+        assert body["error"]["code"] == "INVALID_BODY"
+
+
+@pytest.mark.asyncio
+async def test_head_asset_bad_hash(http: aiohttp.ClientSession, api_base: str):
     # Invalid format
     async with http.head(f"{api_base}/api/assets/hash/not_a_hash") as rh3:
         jb = await rh3.json()

tests-assets/test_tags.py

@@ -1,3 +1,4 @@
+import json
 import aiohttp
 import pytest
 
@@ -98,3 +99,29 @@ async def test_tags_list_order_and_prefix(http: aiohttp.ClientSession, api_base:
         b2 = await r2.json()
         assert r2.status == 400
         assert b2["error"]["code"] == "INVALID_QUERY"
+
+
+@pytest.mark.asyncio
+async def test_tags_endpoints_invalid_bodies(http: aiohttp.ClientSession, api_base: str, seeded_asset: dict):
+    aid = seeded_asset["id"]
+
+    # Add with empty list
+    async with http.post(f"{api_base}/api/assets/{aid}/tags", json={"tags": []}) as r1:
+        b1 = await r1.json()
+        assert r1.status == 400
+        assert b1["error"]["code"] == "INVALID_BODY"
+
+    # Remove with wrong type
+    async with http.delete(f"{api_base}/api/assets/{aid}/tags", json={"tags": [123]}) as r2:
+        b2 = await r2.json()
+        assert r2.status == 400
+        assert b2["error"]["code"] == "INVALID_BODY"
+
+    # metadata_filter provided as JSON array should be rejected (must be object)
+    async with http.get(
+        api_base + "/api/assets",
+        params={"metadata_filter": json.dumps([{"x": 1}])},
+    ) as r3:
+        b3 = await r3.json()
+        assert r3.status == 400
+        assert b3["error"]["code"] == "INVALID_QUERY"

tests-assets/test_uploads.py

@@ -3,51 +3,6 @@ import aiohttp
 import pytest
 
 
-@pytest.mark.asyncio
-async def test_upload_requires_multipart(http: aiohttp.ClientSession, api_base: str):
-    async with http.post(api_base + "/api/assets", json={"foo": "bar"}) as r:
-        body = await r.json()
-        assert r.status == 415
-        assert body["error"]["code"] == "UNSUPPORTED_MEDIA_TYPE"
-
-
-@pytest.mark.asyncio
-async def test_upload_missing_file_and_hash(http: aiohttp.ClientSession, api_base: str):
-    form = aiohttp.FormData(default_to_multipart=True)
-    form.add_field("tags", json.dumps(["models", "checkpoints", "unit-tests"]))
-    form.add_field("name", "x.safetensors")
-    async with http.post(api_base + "/api/assets", data=form) as r:
-        body = await r.json()
-        assert r.status == 400
-        assert body["error"]["code"] == "MISSING_FILE"
-
-
-@pytest.mark.asyncio
-async def test_upload_models_unknown_category(http: aiohttp.ClientSession, api_base: str):
-    form = aiohttp.FormData()
-    form.add_field("file", b"A" * 128, filename="m.safetensors", content_type="application/octet-stream")
-    form.add_field("tags", json.dumps(["models", "no_such_category", "unit-tests"]))
-    form.add_field("name", "m.safetensors")
-    async with http.post(api_base + "/api/assets", data=form) as r:
-        body = await r.json()
-        assert r.status == 400
-        assert body["error"]["code"] == "INVALID_BODY"
-        assert "unknown models category" in body["error"]["message"] or "unknown model category" in body["error"]["message"]
-
-
-@pytest.mark.asyncio
-async def test_upload_tags_traversal_guard(http: aiohttp.ClientSession, api_base: str):
-    form = aiohttp.FormData()
-    form.add_field("file", b"A" * 256, filename="evil.safetensors", content_type="application/octet-stream")
-    # '..' should be rejected by destination resolver
-    form.add_field("tags", json.dumps(["models", "checkpoints", "unit-tests", "..", "zzz"]))
-    form.add_field("name", "evil.safetensors")
-    async with http.post(api_base + "/api/assets", data=form) as r:
-        body = await r.json()
-        assert r.status == 400
-        assert body["error"]["code"] in ("BAD_REQUEST", "INVALID_BODY")
-
-
 @pytest.mark.asyncio
 async def test_upload_ok_duplicate_reference(http: aiohttp.ClientSession, api_base: str, make_asset_bytes):
     name = "dup_a.safetensors"
@@ -120,6 +75,56 @@ async def test_upload_fastpath_from_existing_hash_no_file(http: aiohttp.ClientSe
         assert b2["asset_hash"] == h
 
 
+@pytest.mark.asyncio
+async def test_upload_fastpath_with_known_hash_and_file(
+    http: aiohttp.ClientSession, api_base: str
+):
+    # Seed
+    form1 = aiohttp.FormData()
+    form1.add_field("file", b"C" * 128, filename="seed.safetensors", content_type="application/octet-stream")
+    form1.add_field("tags", json.dumps(["models", "checkpoints", "unit-tests", "fp"]))
+    form1.add_field("name", "seed.safetensors")
+    form1.add_field("user_metadata", json.dumps({}))
+    async with http.post(api_base + "/api/assets", data=form1) as r1:
+        b1 = await r1.json()
+        assert r1.status == 201, b1
+        h = b1["asset_hash"]
+
+    # Send both file and hash of existing content -> server must drain file and create from hash (200)
+    form2 = aiohttp.FormData()
+    form2.add_field("file", b"ignored" * 10, filename="ignored.bin", content_type="application/octet-stream")
+    form2.add_field("hash", h)
+    form2.add_field("tags", json.dumps(["models", "checkpoints", "unit-tests", "fp"]))
+    form2.add_field("name", "copy_from_hash.safetensors")
+    form2.add_field("user_metadata", json.dumps({}))
+    async with http.post(api_base + "/api/assets", data=form2) as r2:
+        b2 = await r2.json()
+        assert r2.status == 200, b2
+        assert b2["created_new"] is False
+        assert b2["asset_hash"] == h
+
+
+@pytest.mark.asyncio
+async def test_upload_multiple_tags_fields_are_merged(http: aiohttp.ClientSession, api_base: str):
+    form = aiohttp.FormData()
+    form.add_field("file", b"B" * 256, filename="merge.safetensors", content_type="application/octet-stream")
+    form.add_field("tags", "models,checkpoints")  # CSV
+    form.add_field("tags", json.dumps(["unit-tests", "alpha"]))  # JSON array in second field
+    form.add_field("name", "merge.safetensors")
+    form.add_field("user_metadata", json.dumps({"u": 1}))
+    async with http.post(api_base + "/api/assets", data=form) as r1:
+        created = await r1.json()
+        assert r1.status in (200, 201), created
+        aid = created["id"]
+
+    # Verify all tags are present on the resource
+    async with http.get(f"{api_base}/api/assets/{aid}") as rg:
+        detail = await rg.json()
+        assert rg.status == 200, detail
+        tags = set(detail["tags"])
+        assert {"models", "checkpoints", "unit-tests", "alpha"}.issubset(tags)
+
+
 @pytest.mark.asyncio
 async def test_create_from_hash_endpoint_404(http: aiohttp.ClientSession, api_base: str):
     payload = {
@@ -131,3 +136,100 @@ async def test_create_from_hash_endpoint_404(http: aiohttp.ClientSession, api_ba
         body = await r.json()
         assert r.status == 404
         assert body["error"]["code"] == "ASSET_NOT_FOUND"
+
+
+@pytest.mark.asyncio
+async def test_upload_zero_byte_rejected(http: aiohttp.ClientSession, api_base: str):
+    form = aiohttp.FormData()
+    form.add_field("file", b"", filename="empty.safetensors", content_type="application/octet-stream")
+    form.add_field("tags", json.dumps(["models", "checkpoints", "unit-tests", "edge"]))
+    form.add_field("name", "empty.safetensors")
+    form.add_field("user_metadata", json.dumps({}))
+    async with http.post(api_base + "/api/assets", data=form) as r:
+        body = await r.json()
+        assert r.status == 400
+        assert body["error"]["code"] == "EMPTY_UPLOAD"
+
+
+@pytest.mark.asyncio
+async def test_upload_invalid_root_tag_rejected(http: aiohttp.ClientSession, api_base: str):
+    form = aiohttp.FormData()
+    form.add_field("file", b"A" * 64, filename="badroot.bin", content_type="application/octet-stream")
+    form.add_field("tags", json.dumps(["not-a-root", "whatever"]))
+    form.add_field("name", "badroot.bin")
+    form.add_field("user_metadata", json.dumps({}))
+    async with http.post(api_base + "/api/assets", data=form) as r:
+        body = await r.json()
+        assert r.status == 400
+        assert body["error"]["code"] == "INVALID_BODY"
+
+
+@pytest.mark.asyncio
+async def test_upload_user_metadata_must_be_json(http: aiohttp.ClientSession, api_base: str):
+    form = aiohttp.FormData()
+    form.add_field("file", b"A" * 128, filename="badmeta.bin", content_type="application/octet-stream")
+    form.add_field("tags", json.dumps(["models", "checkpoints", "unit-tests", "edge"]))
+    form.add_field("name", "badmeta.bin")
+    form.add_field("user_metadata", "{not json}")  # invalid
+    async with http.post(api_base + "/api/assets", data=form) as r:
+        body = await r.json()
+        assert r.status == 400
+        assert body["error"]["code"] == "INVALID_BODY"
+
+
+@pytest.mark.asyncio
+async def test_upload_requires_multipart(http: aiohttp.ClientSession, api_base: str):
+    async with http.post(api_base + "/api/assets", json={"foo": "bar"}) as r:
+        body = await r.json()
+        assert r.status == 415
+        assert body["error"]["code"] == "UNSUPPORTED_MEDIA_TYPE"
+
+
+@pytest.mark.asyncio
+async def test_upload_missing_file_and_hash(http: aiohttp.ClientSession, api_base: str):
+    form = aiohttp.FormData(default_to_multipart=True)
+    form.add_field("tags", json.dumps(["models", "checkpoints", "unit-tests"]))
+    form.add_field("name", "x.safetensors")
+    async with http.post(api_base + "/api/assets", data=form) as r:
+        body = await r.json()
+        assert r.status == 400
+        assert body["error"]["code"] == "MISSING_FILE"
+
+
+@pytest.mark.asyncio
+async def test_upload_models_unknown_category(http: aiohttp.ClientSession, api_base: str):
+    form = aiohttp.FormData()
+    form.add_field("file", b"A" * 128, filename="m.safetensors", content_type="application/octet-stream")
+    form.add_field("tags", json.dumps(["models", "no_such_category", "unit-tests"]))
+    form.add_field("name", "m.safetensors")
+    async with http.post(api_base + "/api/assets", data=form) as r:
+        body = await r.json()
+        assert r.status == 400
+        assert body["error"]["code"] == "INVALID_BODY"
+        assert "unknown models category" in body["error"]["message"] or "unknown model category" in body["error"]["message"]
+
+
+@pytest.mark.asyncio
+async def test_upload_models_requires_category(http: aiohttp.ClientSession, api_base: str):
+    form = aiohttp.FormData()
+    form.add_field("file", b"A" * 64, filename="nocat.safetensors", content_type="application/octet-stream")
+    form.add_field("tags", json.dumps(["models"]))  # missing category
+    form.add_field("name", "nocat.safetensors")
+    form.add_field("user_metadata", json.dumps({}))
+    async with http.post(api_base + "/api/assets", data=form) as r:
+        body = await r.json()
+        assert r.status == 400
+        assert body["error"]["code"] == "INVALID_BODY"
+
+
+@pytest.mark.asyncio
+async def test_upload_tags_traversal_guard(http: aiohttp.ClientSession, api_base: str):
+    form = aiohttp.FormData()
+    form.add_field("file", b"A" * 256, filename="evil.safetensors", content_type="application/octet-stream")
+    # '..' should be rejected by destination resolver
+    form.add_field("tags", json.dumps(["models", "checkpoints", "unit-tests", "..", "zzz"]))
+    form.add_field("name", "evil.safetensors")
+    async with http.post(api_base + "/api/assets", data=form) as r:
+        body = await r.json()
+        assert r.status == 400
+        assert body["error"]["code"] in ("BAD_REQUEST", "INVALID_BODY")

tests-assets/test_validation.py

@@ -1,23 +0,0 @@
-import aiohttp
-import pytest
-
-
-@pytest.mark.asyncio
-async def test_get_update_download_bad_ids(http: aiohttp.ClientSession, api_base: str):
-    # All endpoints should be not found, as we UUID regex directly in the route definition.
-    bad_id = "not-a-uuid"
-
-    async with http.get(f"{api_base}/api/assets/{bad_id}") as r1:
-        assert r1.status == 404
-
-    async with http.get(f"{api_base}/api/assets/{bad_id}/content") as r3:
-        assert r3.status == 404
-
-
-@pytest.mark.asyncio
-async def test_update_requires_at_least_one_field(http: aiohttp.ClientSession, api_base: str, seeded_asset: dict):
-    aid = seeded_asset["id"]
-    async with http.put(f"{api_base}/api/assets/{aid}", json={}) as r:
-        body = await r.json()
-        assert r.status == 400
-        assert body["error"]["code"] == "INVALID_BODY"