1. Seeder pause/resume: only resume after prompt execution if pause()
returned True, preventing undo of user-initiated pauses.
2. Missing rollback in enrich_assets_batch: add sess.rollback() in
exception handler to prevent broken session state for subsequent
batch operations.
3. Hash checkpoint validation: store mtime_ns/file_size in
HashCheckpoint and re-stat on resume instead of comparing the same
stat result to itself.
4. Scan progress preserved: save _last_progress before clearing
_progress in finally blocks so wait=true endpoint returns final
stats instead of zeros.
5. Download XSS hardening: block dangerous MIME types (matching
server.py) and add X-Content-Type-Options: nosniff header to
asset content endpoint.
Amp-Thread-ID: https://ampcode.com/threads/T-019cbb6b-e97b-776d-8c43-2de8acd0d09e
Co-authored-by: Amp <amp@ampcode.com>
- Add debug timing logs for each fast scan sub-step (sync_root, collect_paths, build_asset_specs) and info-level total timing
- Refactor enrich_asset to accept a session parameter instead of creating one per file
- enrich_assets_batch now opens one session for the entire batch, committing after each asset to keep transactions short
- Simplify enrichment tests by removing create_session mocking
Amp-Thread-ID: https://ampcode.com/threads/T-019cbb0b-8563-7199-b628-33e3c4fe9f41
Co-authored-by: Amp <amp@ampcode.com>
- Content-Disposition: drop raw filename= parameter, use only RFC 5987
filename*=UTF-8'' to prevent header injection via ; and special chars
- delete_asset: default delete_content to False (non-destructive) when
query parameter is omitted
- create_asset_from_hash: return 400 MISSING_INPUT instead of 404 when
hash not found and no file uploaded (client input error, not missing resource)
- seeder: clear _progress when returning to IDLE so get_status() does not
return stale progress after scan completion
- hashing: handle non-seekable streams in _hash_file_obj by checking
seekable() before attempting tell/seek
- bulk_ingest: filter lost_paths to only include paths tied to actually
inserted asset IDs, preventing inflated counts from ON CONFLICT drops
Amp-Thread-ID: https://ampcode.com/threads/T-019cb67a-9822-7438-ab05-d09991a9f7f3
Co-authored-by: Amp <amp@ampcode.com>
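
The Content-Disposition change described in the commit message above, as an added example that is not the project's own code. The function names and sample filenames are hypothetical and constructed for illustration; the sketch compares a quoted filename= value with an RFC 5987 filename*=UTF-8'' value built with Python's urllib.

```python
from urllib.parse import quote, unquote

# RFC 5987 attr-char members beyond letters and digits.
# quote() already leaves "_", ".", "-" and "~" unescaped.
_ATTR_CHAR_EXTRA = "!#$&+^`|"
_PREFIX = "filename*=UTF-8''"


def naive_content_disposition(filename: str) -> str:
    """'Before' form: raw filename= parameter. Quotes, ';' and CR/LF pass through."""
    return f'attachment; filename="{filename}"'


def rfc5987_content_disposition(filename: str) -> str:
    """'After' form: only filename*=UTF-8''<pct-encoded>, no raw filename=."""
    # Everything outside attr-char is percent-encoded as UTF-8 bytes, so
    # '"', ';', '=', "'", spaces and CR/LF cannot end the parameter or the header.
    encoded = quote(filename, safe=_ATTR_CHAR_EXTRA, encoding="utf-8")
    return f"attachment; {_PREFIX}{encoded}"


def decode_filename(header: str) -> str:
    """Recover the filename the way a conforming client would."""
    _, _, value = header.partition(_PREFIX)
    return unquote(value, encoding="utf-8")


# Constructed sample filenames, standing in for user-controlled asset names.
SAMPLES = [
    "résumé 2024.png",
    'x.png"; filename=evil.html',
    "a.png\r\nX-Injected: 1",
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(repr(naive_content_disposition(name)))
        print(repr(rfc5987_content_disposition(name)))
```
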
- Fix missing import for compute_filename_for_reference in ingest.py
- Apply code review fixes across routes, queries, scanner, seeder,
hashing, ingest, path_utils, main, and server
- Update and add tests for sync references and seeder
Amp-Thread-ID: https://ampcode.com/threads/T-019cb61a-ed54-738c-a05f-9b5242e513f3
Co-authored-by: Amp <amp@ampcode.com>