M54: On-demand diffusion runtime acquisition — one-click install from UI

Replace the manual SSH-based diffusion activation with a self-service
UI flow. The base OS ships without the ~5 GB diffusion runtime; when
the user first visits the Generate page, they see a consent dialog and
click "Enable Generation" — everything else is automatic.

Privilege model: UI writes a request marker file (O_CREAT|O_EXCL, 0600)
into its RuntimeDirectory; a systemd path unit detects it and triggers a
privileged oneshot installer. The UI never runs the installer directly.

Installer pipeline (secai-enable-diffusion.sh):
- Validates Python version + architecture against manifest
- Detects GPU backend (CUDA/ROCm/CPU) or accepts --backend override
- Downloads wheels with full quarantine: source allowlist, redirect
  verification, HTTPS-only, wheel-only format gate, SHA256 hash,
  .dist-info metadata inspection, wheel tag/ABI/platform check
- Installs offline (pip --no-index --require-hashes) into temp venv
- Smoke tests imports + device detection + tensor op (no model needed)
- Atomic venv swap + systemd override + enable+start
- Fail-closed rollback on any error; flock prevents concurrent runs
- --from-local secondary path for air-gapped/admin use
- Progress file for UI consumption; cache with full context invalidation

New files:
- diffusion-runtime-manifest.yaml — per-backend wheel trust anchor
- diffusion-{cpu,cuda,rocm}.lock — backend-specific pip lockfiles
- secure-ai-enable-diffusion.{path,service} — privileged activation units

UI endpoints: GET /api/diffusion/runtime/status, POST .../enable, GET .../progress

Also fixes:
- Windows test compatibility: import paths, Flask 3.x cookie_jar removal,
  platform skipif for symlink/permission tests, flexible error assertions
- Path separator portability in storage.py and sandbox.py (os.sep)
- API docs updated with diffusion runtime contract

901 tests pass, 22 skipped (Windows platform guards — all run on Linux CI).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: SecAI-Hub

docs/api.md

@@ -255,6 +255,78 @@ Generate text from a prompt (non-chat completion).
   ```
 - **Response:** `200 OK` -- generated text
 
+### Diffusion Runtime (On-Demand Acquisition)
+
+The diffusion runtime (PyTorch, diffusers, etc.) is not included in the base OS image. These endpoints manage the one-click install flow.
+
+**Contract:**
+- `GET /api/diffusion/runtime/status` is the source of truth for whether the runtime is installed, failed, or available for install. Always safe to call.
+- `POST /api/diffusion/runtime/enable` requests installation by writing a marker file. A systemd path unit triggers the privileged installer.
+- `GET /api/diffusion/runtime/progress` is only meaningful after `enable` has been called. Callers should check `status` first.
+
+#### GET /api/diffusion/runtime/status
+
+Return the current diffusion runtime state.
+
+- **Response:** `200 OK`
+  ```json
+  {
+    "installed": false,
+    "detected_backend": "cuda",
+    "estimated_size_mb": 4500,
+    "cache_available": false,
+    "installing": false,
+    "error": null
+  }
+  ```
+- **Fields:**
+  - `installed` -- true if the runtime is installed and the service is enabled
+  - `detected_backend` -- auto-detected GPU backend: `"cuda"`, `"rocm"`, `"cpu"`, or `null` if detection failed
+  - `estimated_size_mb` -- estimated download size from manifest for the detected backend; `null` if backend unknown
+  - `cache_available` -- true if verified wheel cache exists (faster re-install)
+  - `installing` -- true if an install is in progress (request marker or active progress)
+  - `error` -- error detail from the last failed install, or `null`
+- **Status priority:** installed > failed (suppresses installing) > in-progress > not installed
+
+#### POST /api/diffusion/runtime/enable
+
+Request diffusion runtime installation.
+
+- **Response:** `202 Accepted` -- install requested
+  ```json
+  { "status": "installing" }
+  ```
+- **Response:** `200 OK` -- already installed
+  ```json
+  { "status": "already_installed" }
+  ```
+- **Error:** `409 Conflict` -- install already in progress
+  ```json
+  { "status": "already_installing" }
+  ```
+- **Notes:** Does not directly run the installer. Atomically creates a request marker file (`O_CREAT|O_EXCL`, mode `0600`). A systemd path unit detects the marker and starts the privileged oneshot installer.
+
+#### GET /api/diffusion/runtime/progress
+
+Return current install progress from the installer's progress file.
+
+- **Response:** `200 OK`
+  ```json
+  {
+    "phase": "downloading",
+    "percent": 45,
+    "backend": "cuda",
+    "detail": "Downloading torch-2.3.1+cu121...",
+    "total_packages": 42,
+    "downloaded": 19,
+    "verified": 19,
+    "cached_hits": 5,
+    "error": null
+  }
+  ```
+- **Valid phases:** `detecting`, `downloading`, `verifying`, `installing`, `smoke_testing`, `enabling`, `complete`, `failed`, or `null`
+- **Notes:** Only meaningful after `POST /api/diffusion/runtime/enable` has been called. When no install has ever been requested, returns `phase: null`. When the install completed, returns `complete`; when it failed, returns `failed`. Invalid phases from the progress file are normalized to `failed`. All branches return the same field set.
+
 ### Vault Management
 
 #### GET /api/vault/status

files/scripts/diffusion-cpu.lock

@@ -0,0 +1,43 @@
+#
+# Backend-specific diffusion runtime lockfile: CPU
+#
+# Generated by pip-compile with Python 3.12 (placeholder — regenerate with
+# scripts/refresh-diffusion-locks.sh before first use).
+#
+#    pip-compile --allow-unsafe --generate-hashes \
+#        --extra-index-url https://download.pytorch.org/whl/cpu \
+#        --output-file=diffusion-cpu.lock diffusion-in.txt
+#
+# This lockfile is consumed by the diffusion installer in offline mode:
+#    pip install --no-index --require-hashes --find-links=<verified-cache> -r diffusion-cpu.lock
+#
+
+accelerate==1.13.0 \
+    --hash=sha256:cf1a3efb96c18f7b152eb0fa7490f3710b19c3f395699358f08decca2b8b62e0 \
+    --hash=sha256:d631b4e0f5b3de4aff2d7e9e6857d164810dfc3237d54d017f075122d057b236
+    # via -r diffusion-in.txt
+diffusers==0.28.0 \
+    --hash=sha256:PLACEHOLDER_HASH_1 \
+    --hash=sha256:PLACEHOLDER_HASH_2
+    # via -r diffusion-in.txt
+safetensors==0.4.3 \
+    --hash=sha256:PLACEHOLDER_HASH_1 \
+    --hash=sha256:PLACEHOLDER_HASH_2
+    # via
+    #   accelerate
+    #   diffusers
+    #   transformers
+torch==2.3.1+cpu \
+    --hash=sha256:PLACEHOLDER_HASH_1
+    # via
+    #   -r diffusion-in.txt
+    #   accelerate
+    #   diffusers
+transformers==4.41.2 \
+    --hash=sha256:PLACEHOLDER_HASH_1 \
+    --hash=sha256:PLACEHOLDER_HASH_2
+    # via -r diffusion-in.txt
+
+# NOTE: This is a placeholder lockfile with representative entries.
+# Run scripts/refresh-diffusion-locks.sh to generate the complete
+# lockfile with all transitive dependencies and real SHA256 hashes.

files/scripts/diffusion-cuda.lock

@@ -0,0 +1,43 @@
+#
+# Backend-specific diffusion runtime lockfile: CUDA 12.1
+#
+# Generated by pip-compile with Python 3.12 (placeholder — regenerate with
+# scripts/refresh-diffusion-locks.sh before first use).
+#
+#    pip-compile --allow-unsafe --generate-hashes \
+#        --extra-index-url https://download.pytorch.org/whl/cu121 \
+#        --output-file=diffusion-cuda.lock diffusion-in.txt
+#
+# This lockfile is consumed by the diffusion installer in offline mode:
+#    pip install --no-index --require-hashes --find-links=<verified-cache> -r diffusion-cuda.lock
+#
+
+accelerate==1.13.0 \
+    --hash=sha256:cf1a3efb96c18f7b152eb0fa7490f3710b19c3f395699358f08decca2b8b62e0 \
+    --hash=sha256:d631b4e0f5b3de4aff2d7e9e6857d164810dfc3237d54d017f075122d057b236
+    # via -r diffusion-in.txt
+diffusers==0.28.0 \
+    --hash=sha256:PLACEHOLDER_HASH_1 \
+    --hash=sha256:PLACEHOLDER_HASH_2
+    # via -r diffusion-in.txt
+safetensors==0.4.3 \
+    --hash=sha256:PLACEHOLDER_HASH_1 \
+    --hash=sha256:PLACEHOLDER_HASH_2
+    # via
+    #   accelerate
+    #   diffusers
+    #   transformers
+torch==2.3.1+cu121 \
+    --hash=sha256:PLACEHOLDER_HASH_1
+    # via
+    #   -r diffusion-in.txt
+    #   accelerate
+    #   diffusers
+transformers==4.41.2 \
+    --hash=sha256:PLACEHOLDER_HASH_1 \
+    --hash=sha256:PLACEHOLDER_HASH_2
+    # via -r diffusion-in.txt
+
+# NOTE: This is a placeholder lockfile with representative entries.
+# Run scripts/refresh-diffusion-locks.sh to generate the complete
+# lockfile with all transitive dependencies and real SHA256 hashes.

files/scripts/diffusion-rocm.lock

@@ -0,0 +1,43 @@
+#
+# Backend-specific diffusion runtime lockfile: ROCm 6.0
+#
+# Generated by pip-compile with Python 3.12 (placeholder — regenerate with
+# scripts/refresh-diffusion-locks.sh before first use).
+#
+#    pip-compile --allow-unsafe --generate-hashes \
+#        --extra-index-url https://download.pytorch.org/whl/rocm6.0 \
+#        --output-file=diffusion-rocm.lock diffusion-in.txt
+#
+# This lockfile is consumed by the diffusion installer in offline mode:
+#    pip install --no-index --require-hashes --find-links=<verified-cache> -r diffusion-rocm.lock
+#
+
+accelerate==1.13.0 \
+    --hash=sha256:cf1a3efb96c18f7b152eb0fa7490f3710b19c3f395699358f08decca2b8b62e0 \
+    --hash=sha256:d631b4e0f5b3de4aff2d7e9e6857d164810dfc3237d54d017f075122d057b236
+    # via -r diffusion-in.txt
+diffusers==0.28.0 \
+    --hash=sha256:PLACEHOLDER_HASH_1 \
+    --hash=sha256:PLACEHOLDER_HASH_2
+    # via -r diffusion-in.txt
+safetensors==0.4.3 \
+    --hash=sha256:PLACEHOLDER_HASH_1 \
+    --hash=sha256:PLACEHOLDER_HASH_2
+    # via
+    #   accelerate
+    #   diffusers
+    #   transformers
+torch==2.3.1+rocm6.0 \
+    --hash=sha256:PLACEHOLDER_HASH_1
+    # via
+    #   -r diffusion-in.txt
+    #   accelerate
+    #   diffusers
+transformers==4.41.2 \
+    --hash=sha256:PLACEHOLDER_HASH_1 \
+    --hash=sha256:PLACEHOLDER_HASH_2
+    # via -r diffusion-in.txt
+
+# NOTE: This is a placeholder lockfile with representative entries.
+# Run scripts/refresh-diffusion-locks.sh to generate the complete
+# lockfile with all transitive dependencies and real SHA256 hashes.

files/scripts/diffusion-runtime-manifest.yaml

@@ -0,0 +1,108 @@
+# Diffusion runtime trust anchor.
+#
+# This manifest defines the per-backend wheel sets needed by the diffusion
+# runtime installer (secai-enable-diffusion.sh).  It is the sole trust anchor
+# for the on-demand acquisition flow.
+#
+# Two-file trust model per backend:
+#   1. Lockfile  (diffusion-<backend>.lock)   -- pip-compile --generate-hashes
+#      Used at install time: pip install --no-index --require-hashes
+#   2. Wheel manifest (the "wheels" list below)
+#      Used at download time: exact filename + SHA256 before promotion.
+#
+# To refresh after a dependency change:
+#   scripts/refresh-diffusion-locks.sh   (regenerates lockfiles + manifest)
+
+schema_version: 1
+description: "Diffusion runtime trust anchor — per-backend wheel manifests and lockfiles"
+python_version: "3.12"
+supported_architectures:
+  - x86_64
+
+# ---------------------------------------------------------------------------
+# Allowed download sources (checked against both initial and final URLs)
+# ---------------------------------------------------------------------------
+allowed_sources:
+  - "https://download.pytorch.org/whl/*"
+  - "https://files.pythonhosted.org/packages/*"
+
+format_policy: wheel_only   # reject sdists / tarballs / eggs
+
+# ---------------------------------------------------------------------------
+# Backend definitions
+# ---------------------------------------------------------------------------
+backends:
+  cpu:
+    lockfile: diffusion-cpu.lock
+    torch_index: https://download.pytorch.org/whl/cpu
+    estimated_size_mb: 2000
+    wheels:
+      # -- PyTorch core (CPU) --
+      - filename: "torch-2.3.1+cpu-cp312-cp312-linux_x86_64.whl"
+        sha256: "PLACEHOLDER_HASH_torch_cpu"
+        source: "https://download.pytorch.org/whl/cpu/*"
+      # -- Diffusers ecosystem --
+      - filename: "diffusers-0.28.0-py3-none-any.whl"
+        sha256: "PLACEHOLDER_HASH_diffusers"
+        source: "https://files.pythonhosted.org/packages/*"
+      - filename: "transformers-4.41.2-py3-none-any.whl"
+        sha256: "PLACEHOLDER_HASH_transformers"
+        source: "https://files.pythonhosted.org/packages/*"
+      - filename: "safetensors-0.4.3-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl"
+        sha256: "PLACEHOLDER_HASH_safetensors"
+        source: "https://files.pythonhosted.org/packages/*"
+      - filename: "accelerate-1.13.0-py3-none-any.whl"
+        sha256: "PLACEHOLDER_HASH_accelerate"
+        source: "https://files.pythonhosted.org/packages/*"
+      # NOTE: Placeholder entries. Run scripts/refresh-diffusion-locks.sh to
+      # generate the complete wheel list with real SHA256 hashes.
+
+  cuda:
+    lockfile: diffusion-cuda.lock
+    torch_index: https://download.pytorch.org/whl/cu121
+    estimated_size_mb: 4500
+    wheels:
+      # -- PyTorch core (CUDA 12.1) --
+      - filename: "torch-2.3.1+cu121-cp312-cp312-linux_x86_64.whl"
+        sha256: "PLACEHOLDER_HASH_torch_cuda"
+        source: "https://download.pytorch.org/whl/cu121/*"
+      # -- Diffusers ecosystem (same pure-Python wheels as CPU) --
+      - filename: "diffusers-0.28.0-py3-none-any.whl"
+        sha256: "PLACEHOLDER_HASH_diffusers"
+        source: "https://files.pythonhosted.org/packages/*"
+      - filename: "transformers-4.41.2-py3-none-any.whl"
+        sha256: "PLACEHOLDER_HASH_transformers"
+        source: "https://files.pythonhosted.org/packages/*"
+      - filename: "safetensors-0.4.3-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl"
+        sha256: "PLACEHOLDER_HASH_safetensors"
+        source: "https://files.pythonhosted.org/packages/*"
+      - filename: "accelerate-1.13.0-py3-none-any.whl"
+        sha256: "PLACEHOLDER_HASH_accelerate"
+        source: "https://files.pythonhosted.org/packages/*"
+      # NOTE: Placeholder entries. Run scripts/refresh-diffusion-locks.sh to
+      # generate the complete wheel list with real SHA256 hashes.
+
+  rocm:
+    lockfile: diffusion-rocm.lock
+    torch_index: https://download.pytorch.org/whl/rocm6.0
+    estimated_size_mb: 4000
+    wheels:
+      # -- PyTorch core (ROCm 6.0) --
+      - filename: "torch-2.3.1+rocm6.0-cp312-cp312-linux_x86_64.whl"
+        sha256: "PLACEHOLDER_HASH_torch_rocm"
+        source: "https://download.pytorch.org/whl/rocm6.0/*"
+      # -- Diffusers ecosystem (same pure-Python wheels as CPU) --
+      - filename: "diffusers-0.28.0-py3-none-any.whl"
+        sha256: "PLACEHOLDER_HASH_diffusers"
+        source: "https://files.pythonhosted.org/packages/*"
+      - filename: "transformers-4.41.2-py3-none-any.whl"
+        sha256: "PLACEHOLDER_HASH_transformers"
+        source: "https://files.pythonhosted.org/packages/*"
+      - filename: "safetensors-0.4.3-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl"
+        sha256: "PLACEHOLDER_HASH_safetensors"
+        source: "https://files.pythonhosted.org/packages/*"
+      - filename: "accelerate-1.13.0-py3-none-any.whl"
+        sha256: "PLACEHOLDER_HASH_accelerate"
+        source: "https://files.pythonhosted.org/packages/*"
+      # NOTE: Placeholder entries. Run scripts/refresh-diffusion-locks.sh to
+      # generate the complete wheel list with real SHA256 hashes.