feat(BA-3744): Add multiple download handler and pydantic jwt model

[kwonkwonn]

resolves #7766 (BA-3744)

implementation of BA-1040, multiple file zip downloader.

Checklist: (if applicable)

• Milestone metadata specifying the target backport version
• Mention to the original issue
• Installer updates including:
  • Fixtures for db schema changes
  • New mandatory config options
• Update of end-to-end CLI integration tests in ai.backend.test
• API server-client counterparts (e.g., manager API -> client SDK)
• Test case(s) to:
  • Demonstrate the difference of before/after
  • Demonstrate the flow of abstract/conceptual models with a concrete implementation
• Documentation
  • Contents in the docs directory
  • docstrings in public interfaces and type annotations

[Copilot]

Pull request overview

This PR implements a new endpoint for downloading multiple files/directories as a single ZIP archive, addressing issue #7766 (BA-3744). The implementation introduces a streaming ZIP archive handler that leverages zipstream to avoid creating temporary files.

Changes:

• Adds new ZipArchiveStreamReader class and ArchiveDownloadTokenData Pydantic model for JWT validation
• Implements /folder/file/download-archive manager endpoint to generate download tokens for multiple files
• Implements /download-archive client endpoint to stream requested files as a ZIP archive

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 16 comments.

File	Description
src/ai/backend/storage/services/file_stream/zip.py	New module containing ZIP streaming infrastructure with ZipArchiveStreamReader and ArchiveDownloadTokenData Pydantic model
src/ai/backend/storage/api/manager.py	Adds create_archive_download_session endpoint and route for generating JWT tokens for multi-file downloads
src/ai/backend/storage/api/client.py	Adds download_archive handler for streaming multiple files as ZIP using token-based authentication

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Manual JWT validation is inconsistent with existing patterns in this file. The existing download and upload handlers use tx.JsonWebToken validator in the check_params context manager for automatic JWT decoding and validation (see lines 145-148, 309-312). This approach should be used here for consistency and better error handling.

[kwonkwonn]

tx.JsonWebToken validator in the check_params uses Trafaret based validation.
Our ultimate goal is to migrate Trafaret into pydantic inside the program, Better implement it inline the function and replace with pydantic based validator later.

But at least not in this pr.

[Copilot]

The implementation doesn't handle duplicate paths in the input list. If the same file or directory appears multiple times in token_data.files, it will be added to the zip archive multiple times with the same arcname, which may cause issues or confusion. Consider deduplicating the file paths before processing, or at least documenting this behavior.

Suggested change

	sanitized: list[Path] = []
	for relpath in token_data.files:
	file_path = volume.sanitize_vfpath(token_data.vfolder_id, relpath)
	# Ensure the file_path is within the vfolder_root boundary
	if not file_path.exists():
	raise web.HTTPNotFound(reason=f"File not found: {relpath}")
	sanitized: list[Path] = []
	seen_paths: set[Path] = set()
	for relpath in token_data.files:
	file_path = volume.sanitize_vfpath(token_data.vfolder_id, relpath)
	# Ensure the file_path is within the vfolder_root boundary
	if not file_path.exists():
	raise web.HTTPNotFound(reason=f"File not found: {relpath}")
	if file_path in seen_paths:
	continue
	seen_paths.add(file_path)

[kwonkwonn]

I will add comment on this one, but we need to decide which part should get charged of detecting duplicated files in the list

[Copilot]

The TODO comment indicates that the current implementation is incomplete and needs to be refactored. Since the codebase already has a tx.JsonWebToken validator that handles JWT decoding with secret extraction from context, this manual approach should be replaced with the existing pattern before merging.

[kwonkwonn]

It depends on trafaret based validation

[HyeockJinKim]

Please write it based on Pydantic this time.

[kwonkwonn]

I was thinking of wrapping api handlers with pydantic, but it seems better to have it in the future PR

[kwonkwonn]

Couldn't find pydantic wrapper to automatize validation and error handling

[kwonkwonn]

Will be done in following issue as migrating storage is needed

[HyeockJinKim]

You can use the api_handler decorator, which was also used in manager.

[kwonkwonn]

We can add three tests.

• jwt generator: unit test with request->response validation
• download_archive: mock streamReader and file structure, how it detect files, how it response (unit test?)
• StreamReader: needs component test and running server at least. manual test for now

[kwonkwonn]

sanitize_vfpath call mangle function which translate vfid into absolute path, not needed to use entire function.

[HyeockJinKim]

You can use the api_handler decorator, which was also used in manager.

[HyeockJinKim]

Please write it based on Pydantic this time.

[HyeockJinKim]

There's no reason to keep this implementation. Please define it based on pydantic.

[HyeockJinKim]

Defining pydantic and first validating with trafaret is highly unusual.

[HyeockJinKim]

Since the request must also be made in the manager, the values to be passed as DTOs should be defined in common/dto/storage.
And please define values like operation as an Enum rather than a Literal.

[HyeockJinKim]

Please ensure API requests are not intertwined here. The service layer should only return a StreamReader, and we want it to use only the values returned from the API layer.