Add E2E tests, fix bugs

Made-with: Cursor

_docs/02_tasks/done/03_test_resources.md

@@ -0,0 +1,86 @@
+# Resource Download & Upload Tests
+
+**Task**: 03_test_resources
+**Name**: Resource Download & Upload Tests
+**Description**: Implement blackbox tests for resource download (binary-split) and upload endpoints
+**Complexity**: 5 points
+**Dependencies**: 01_test_infrastructure, 02_test_health_auth
+**Component**: Blackbox Tests
+**Tracker**: pending
+**Epic**: pending
+
+## Problem
+
+The resource download/upload flow involves complex encryption, binary splitting, and CDN coordination. No test coverage exists to verify this critical path.
+
+## Outcome
+
+- Resource download test passes (FT-P-04)
+- Resource upload test passes (FT-P-05)
+- Non-existent resource download returns error (FT-N-04)
+- Upload without file attachment returns error (FT-N-03)
+- Encryption round-trip integrity verified (NFT-SEC-02)
+
+## Scope
+
+### Included
+- FT-P-04: Download resource via binary-split
+- FT-P-05: Upload resource via binary-split
+- FT-N-03: Upload without file attachment
+- FT-N-04: Download non-existent resource
+- NFT-SEC-01: Unauthenticated resource access
+- NFT-SEC-02: Encryption round-trip integrity
+- NFT-RES-LIM-01: Large file upload
+
+### Excluded
+- Unlock workflow tests
+- Performance benchmarking (separate task)
+
+## Acceptance Criteria
+
+**AC-1: Download returns decrypted resource**
+Given valid credentials are set and mock API+CDN serve test data
+When POST /load/testmodel is called
+Then HTTP 200 with binary content matching the original test resource
+
+**AC-2: Upload succeeds**
+Given valid credentials are set
+When POST /upload/testmodel with file attachment
+Then HTTP 200 with `{"status": "ok"}`
+
+**AC-3: Download non-existent resource fails**
+Given valid credentials are set but resource doesn't exist
+When POST /load/nonexistent
+Then HTTP 500 with error detail
+
+**AC-4: Upload without file fails**
+Given valid credentials
+When POST /upload/testfile without file
+Then HTTP 422
+
+**AC-5: Unauthenticated download fails**
+Given no prior login
+When POST /load/testfile
+Then HTTP 500
+
+**AC-6: Encryption round-trip**
+Given valid credentials
+When upload a known file then download it back
+Then downloaded content matches uploaded content
+
+## Blackbox Tests
+
+| AC Ref | Initial Data/Conditions | What to Test | Expected Behavior | NFR References |
+|--------|------------------------|-------------|-------------------|----------------|
+| AC-1 | Logged in, mock data | POST /load | 200, binary data | — |
+| AC-2 | Logged in | POST /upload multipart | 200, ok | NFT-RES-LIM-01 |
+| AC-3 | Logged in, no resource | POST /load | 500, error | — |
+| AC-4 | Logged in | POST /upload no file | 422 | — |
+| AC-5 | No login | POST /load | 500 | NFT-SEC-01 |
+| AC-6 | Logged in | Upload then download | Content matches | NFT-SEC-02 |
+
+## Risks & Mitigation
+
+**Risk 1: Mock API must correctly simulate encrypted responses**
+- *Risk*: Mock API needs to produce AES-256-CBC encrypted test data matching what the real API would return
+- *Mitigation*: Pre-generate encrypted test fixtures using a known key; mock serves these static files