Mission-critical audit: downloader safety, endpoint hardening, and test stabilization

[christopherkarani]

Summary

This PR applies mission-critical correctness and safety fixes identified during the framework audit, plus regression test stabilization to prevent false negatives.

What Changed

1) Build/Test gate correctness

• Fixed DiffusionModelDownloaderTests compile guard to match production symbol availability:
  • from #if canImport(Hub)
  • to #if CONDUIT_TRAIT_MLX && canImport(MLX) && (canImport(Hub) || canImport(HuggingFace))
• Prevents test target compile failures in default trait configurations.

2) Diffusion downloader correctness hardening

File: Sources/Conduit/ImageGeneration/DiffusionModelDownloader.swift

• Added in-flight reserved disk accounting:
  • reservedDiskBytesByModel tracks reservation per model download.
  • checkAvailableDiskSpace now accounts for in-progress reservations to avoid concurrent overcommit false safety checks.
• Added in-flight task reuse check before creating a new task for the same model.
• Fixed deletion race:
  • deleteModel(modelId:) now cancels and awaits any in-flight task before deleting/removing registry state.
  • Prevents model re-registration after deletion from a completing stale task.
• Fixed state consistency for bulk delete:
  • deleteAllModels() no longer silently ignores deletion failures and then wipes registry.
  • It removes successfully deleted/missing entries and throws AIError.fileError when real deletion failures occur.
• Strengthened checksum integrity behavior:
  • If checksum is expected but no .safetensors file is found, now throws AIError.checksumMismatch instead of silently succeeding.
• Ensured reserved disk state is released on cleanup/cancellation (cancelDownload, cancelAllDownloads, deferred completion).

3) ModelManager task lifecycle safety

File: Sources/Conduit/ModelManagement/ModelManager.swift

• Replaced Task.detached with Task for background download kickoff in downloadTask(for:).
• Improves cancellation/lifecycle semantics by keeping task behavior tied to surrounding async context instead of fully detached fire-and-forget semantics.

4) OpenAI Azure endpoint crash hardening

File: Sources/Conduit/Providers/OpenAI/OpenAIEndpoint.swift

• Removed force-unwrapped URL construction from user-provided Azure resource input path.
• Added resource sanitization (trim/lowercase/allowed charset/collapse separators) and URL construction through URLComponents.
• Added safe fallback URL if component construction fails.
• Eliminates runtime crash risk from malformed resource strings.

5) OpenAI endpoint regression tests

File: Tests/ConduitTests/Providers/OpenAI/OpenAIProviderTests.swift

• Added tests for:
  • invalid Azure resource sanitization
  • empty Azure resource fallback to default

6) Registry/provider test stability improvements

Files:

• Tests/ConduitTests/Core/ModelIdentifierTests.swift

• Tests/ConduitTests/Core/ProtocolCompilationTests.swift

• Replaced brittle hardcoded model/provider totals with invariant assertions based on current registry contents.

• Updated ProviderType case-iterable expectations to include newer providers (kimi, minimax) and current case count.

• Prevents unrelated provider catalog growth from causing false failing tests.

7) Compiler-safety cleanup

Files:

• Sources/Conduit/Core/Types/GenerationSchema.swift

• Sources/Conduit/Core/Types/DeviceCapabilities.swift

• GenerationSchema: changed EncodingError.invalidValue(Any, Context) to EncodingError.invalidValue(String, Context) to avoid strict-concurrency Sendable warnings around Any payloads.

• DeviceCapabilities: replaced deprecated C-string conversion with safe UTF-8 byte decoding path.

Verification

• swift test -> PASS (352 tests in 60 suites)
• swift build -> PASS

Risk Notes

• Downloader changes affect runtime state transitions around cancellation/deletion and disk-space checks. Tests/build pass; behavior is now stricter and safer under concurrent operations.
• Registry test updates intentionally shift from static-count assertions to invariant-based assertions to reduce brittleness as model catalogs evolve.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 63e604a278

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Preserve disk reservation until cancellation completes

Releasing reserved bytes inside cancelDownload before the underlying task has finished makes the new disk-safety accounting inaccurate under cooperative cancellation. The download task only checks cancellation around the long snapshot await, so a canceled transfer can keep consuming disk for a while; if another download starts in that window, checkAvailableDiskSpace no longer includes the in-flight reservation and can admit an overcommit that this change is meant to prevent. Keep the reservation until task termination (e.g., via the existing deferred cleanup) rather than clearing it immediately on cancel.

Useful? React with 👍 / 👎.

[christopherkarani]

@claude Releasing reserved bytes inside cancelDownload before the underlying task has finished makes the new disk-safety accounting inaccurate under cooperative cancellation. The download task only checks cancellation around the long snapshot await, so a canceled transfer can keep consuming disk for a while; if another download starts in that window, checkAvailableDiskSpace no longer includes the in-flight reservation and can admit an overcommit that this change is meant to prevent. Keep the reservation until task termination (e.g., via the existing deferred cleanup) rather than clearing it immediately on cancel

@claude fix merge conflicts with main