# Resource Download & Upload Tests

**Task**: 03_test_resources
**Name**: Resource Download & Upload Tests
**Description**: Implement blackbox tests for resource download (binary-split) and upload endpoints
**Complexity**: 5 points
**Dependencies**: 01_test_infrastructure, 02_test_health_auth
**Component**: Blackbox Tests
**Tracker**: pending
**Epic**: pending

## Problem

The resource download/upload flow involves complex encryption, binary splitting, and CDN coordination. No test coverage exists to verify this critical path.

## Outcome

- Resource download test passes (FT-P-04)
- Resource upload test passes (FT-P-05)
- Non-existent resource download returns error (FT-N-04)
- Upload without file attachment returns error (FT-N-03)
- Encryption round-trip integrity verified (NFT-SEC-02)

## Scope

### Included
- FT-P-04: Download resource via binary-split
- FT-P-05: Upload resource via binary-split
- FT-N-03: Upload without file attachment
- FT-N-04: Download non-existent resource
- NFT-SEC-01: Unauthenticated resource access
- NFT-SEC-02: Encryption round-trip integrity
- NFT-RES-LIM-01: Large file upload

### Excluded
- Unlock workflow tests
- Performance benchmarking (separate task)

## Acceptance Criteria

**AC-1: Download returns decrypted resource**
Given valid credentials are set and mock API+CDN serve test data
When POST /load/testmodel is called
Then HTTP 200 with binary content matching the original test resource

**AC-2: Upload succeeds**
Given valid credentials are set
When POST /upload/testmodel with file attachment
Then HTTP 200 with `{"status": "ok"}`

**AC-3: Download non-existent resource fails**
Given valid credentials are set but resource doesn't exist
When POST /load/nonexistent
Then HTTP 500 with error detail

**AC-4: Upload without file fails**
Given valid credentials
When POST /upload/testfile without file
Then HTTP 422

**AC-5: Unauthenticated download fails**
Given no prior login
When POST /load/testfile
Then HTTP 500

**AC-6: Encryption round-trip**
Given valid credentials
When upload a known file then download it back
Then downloaded content matches uploaded content

## Blackbox Tests

| AC Ref | Initial Data/Conditions | What to Test | Expected Behavior | NFR References |
|--------|------------------------|-------------|-------------------|----------------|
| AC-1 | Logged in, mock data | POST /load | 200, binary data | — |
| AC-2 | Logged in | POST /upload multipart | 200, ok | NFT-RES-LIM-01 |
| AC-3 | Logged in, no resource | POST /load | 500, error | — |
| AC-4 | Logged in | POST /upload no file | 422 | — |
| AC-5 | No login | POST /load | 500 | NFT-SEC-01 |
| AC-6 | Logged in | Upload then download | Content matches | NFT-SEC-02 |

## Risks & Mitigation

**Risk 1: Mock API must correctly simulate encrypted responses**
- *Risk*: Mock API needs to produce AES-256-CBC encrypted test data matching what the real API would return
- *Mitigation*: Pre-generate encrypted test fixtures using a known key; mock serves these static files