Remove .gsd/ and .claude/ from repo, add to gitignore

AI tooling artifacts (project planning, milestones, decisions, settings) are local development state — not part of the distributed project.
2026-04-03 02:53:58 -06:00 · 2026-03-22 00:27:55 -05:00 · 2026-03-22 00:27:55 -05:00 · c8d5283926
commit c8d5283926
parent ae1711ada4
55 changed files with 3 additions and 4850 deletions
--- a/.claude/settings.local.json
+++ b/.claude/settings.local.json
@ -1,21 +0,0 @@
 {
  "permissions": {
    "allow": [
      "Bash(node C:/Users/jlightner/.claude/get-shit-done/bin/gsd-tools.cjs commit \"docs: initialize project\" --files .planning/PROJECT.md)",
      "WebSearch",
      "WebFetch(domain:pypi.org)",
      "WebFetch(domain:github.com)",
      "WebFetch(domain:noted.lol)",
      "WebFetch(domain:yt-dlp.eknerd.com)",
      "WebFetch(domain:gist.github.com)",
      "Bash(find W:/programming/Projects/media-rip -name *.py -not -path */.venv/* -not -path *worktrees*)",
      "Bash(grep -rn await_job W:/programming/Projects/media-rip/.gsd/ --include=*.md --include=*.json)",
      "Bash(.venv/Scripts/python -m pytest tests/test_sse.py -v -k \"not HTTP and not Endpoint\" --timeout=10)",
      "Bash(.venv/Scripts/python -m pytest tests/test_sse.py -v -k \"not HTTP and not Endpoint\")",
      "Bash(.venv/Scripts/python -m pytest tests/test_sse.py -v)",
      "Bash(python -c \"import httpx; import inspect; import os; print\\(os.path.dirname\\(inspect.getfile\\(httpx\\)\\)\\)\")",
      "Bash(find W:/programming/Projects/media-rip/.gsd/worktrees/M001/backend/.venv -path */httpx* -name *.py -not -path *__pycache__*)",
      "Bash(.venv/Scripts/python -m pytest tests/ -v)"
    ]
  }
 }
--- a/.gitignore
+++ b/.gitignore
@ -1,18 +1,7 @@
-# ── GSD baseline (auto-generated) ──
+# ── AI tooling (not part of the distributed project) ──
-.gsd/activity/
+.gsd/
-.gsd/forensics/
+.claude/
 .gsd/runtime/
 .gsd/worktrees/
 .gsd/parallel/
 .gsd/auto.lock
 .gsd/metrics.json
 .gsd/completed-units.json
 .gsd/STATE.md
 .gsd/gsd.db
 .gsd/DISCUSSION-MANIFEST.json
 .gsd/milestones/**/*-CONTINUE.md
 .gsd/milestones/**/continue.md
 .DS_Store
 Thumbs.db
 *.swp
@ -38,6 +27,3 @@ vendor/
 coverage/
 .cache/
 tmp/
 # ── GSD baseline (auto-generated) ──
 .gsd
--- a/.gsd/DECISIONS.md
+++ b/.gsd/DECISIONS.md
@ -1,21 +0,0 @@
 # Decisions Register
 <!-- Append-only. Never edit or remove existing rows.
     To reverse a decision, add a new row that supersedes it.
     Read this file at the start of any planning or research phase. -->
 | # | When | Scope | Decision | Choice | Rationale | Revisable? |
 |---|------|-------|----------|--------|-----------|------------|
 | D001 | M001 | arch | Backend framework | Python 3.12 + FastAPI | Async-first, Pydantic v2, SSE support, well-documented yt-dlp integration patterns | No |
 | D002 | M001 | arch | Frontend framework | Vue 3 + TypeScript + Pinia + Vite | Composition API, `<script setup>`, Pinia 3 (Vuex dead for Vue 3), Vite 8 with Rolldown | No |
 | D003 | M001 | arch | Real-time transport | SSE via sse-starlette (not WebSocket) | Server-push only needed; SSE is simpler, HTTP-native, auto-reconnecting. sse-starlette has better disconnect handling than FastAPI native SSE | No |
 | D004 | M001 | arch | Database | SQLite via aiosqlite with WAL mode | Single-file, zero external deps, sufficient for single-instance self-hosted tool. WAL required for concurrent download writes | No |
 | D005 | M001 | arch | yt-dlp integration | Library import, not subprocess | Structured progress hooks, no shell injection surface, typed error info | No |
 | D006 | M001 | arch | Sync-to-async bridge | ThreadPoolExecutor + loop.call_soon_threadsafe | YoutubeDL not picklable (rules out ProcessPoolExecutor). call_soon_threadsafe is the only safe bridge from sync threads to asyncio Queue | No |
 | D007 | M001 | arch | Session identity | Opaque UUID in httpOnly cookie, all state in SQLite | Starlette SessionMiddleware signs entire session dict into cookie — grows unboundedly and can be decoded. Opaque ID is simpler and safer | No |
 | D008 | M001 | arch | Admin authentication | HTTPBasic + bcrypt 5.0.0 (direct, not passlib) | passlib is unmaintained, breaks on Python 3.13. bcrypt direct is simple and correct. timing-safe comparison via secrets.compare_digest | No |
 | D009 | M001 | arch | Config hierarchy | Defaults → config.yaml → env vars → SQLite admin writes | Operators need both infra-as-code (YAML, env) AND live UI config. YAML seeds DB on first boot, then SQLite wins | No |
 | D010 | M001 | arch | Scheduler | APScheduler 3.x AsyncIOScheduler (not 4.x alpha) | 3.x is stable and well-documented. 4.x is alpha with breaking changes | Yes — when 4.x ships stable |
 | D011 | M001 | convention | TLS handling | Reverse proxy responsibility, not in-container | Standard self-hosted pattern. App provides startup warning when admin enabled without TLS. Secure deployment example with reverse proxy sidecar | No |
 | D012 | M001 | convention | Commit strategy | Branch-per-slice with squash merge to main | Clean main history, one commit per slice, individually revertable | No |
 | D013 | M001 | scope | Anti-features | OAuth/SSO, WebSocket, user accounts, embedded player, auto-update yt-dlp, subscription monitoring, FlareSolverr — all explicitly out of scope | Each would massively increase scope or conflict with anonymous-first, zero-telemetry positioning | No |
--- a/.gsd/KNOWLEDGE.md
+++ b/.gsd/KNOWLEDGE.md
@ -1,46 +0,0 @@
 # Knowledge Base
 ## Python / Build System
 ### setuptools build-backend compatibility (discovered T01)
 On this system, Python 3.12.4's pip (24.0) does not ship `setuptools.backends._legacy:_Backend`. Use `setuptools.build_meta` as the build-backend in `pyproject.toml`. The legacy backend module was introduced in setuptools ≥75 but isn't available in the bundled version.
 ### Python version on this system (discovered T01)
 System default `python` is 3.14.3, but the project requires `>=3.12,<3.13`. Use `py -3.12` to create venvs. The venv is at `backend/.venv` and must be activated with `source backend/.venv/Scripts/activate` before running any backend commands.
 ## pydantic-settings (discovered T02)
 ### YAML file testing pattern
 pydantic-settings v2 rejects unknown init kwargs — you cannot pass `_yaml_file=path` to `AppConfig()`. To test YAML loading, use `monkeypatch.setitem(AppConfig.model_config, "yaml_file", str(path))` before constructing the config instance.
 ### env_prefix includes the delimiter
 Set `env_prefix="MEDIARIP__"` (with trailing `__`) in `SettingsConfigDict`. Combined with `env_nested_delimiter="__"`, env vars look like `MEDIARIP__SERVER__PORT=9000`.
 ## pytest-asyncio (discovered T02)
 ### Async fixtures must use get_running_loop()
 In pytest-asyncio with `asyncio_mode="auto"`, sync fixtures that call `asyncio.get_event_loop()` get a *different* loop than the one running async tests. Any fixture that needs the test's event loop must be an async fixture (`@pytest_asyncio.fixture`) using `asyncio.get_running_loop()`.
 ## yt-dlp (discovered T03)
 ### Test video URL: use jNQXAC9IVRw not BaW_jenozKc
 The video `BaW_jenozKc` (commonly cited in yt-dlp docs as a test URL) is unavailable as of March 2026. Use `jNQXAC9IVRw` ("Me at the zoo" — first YouTube video, 19 seconds) for integration tests. It's been up since 2005 and is extremely unlikely to be removed.
 ### SSEBroker.publish() is already thread-safe
 The `SSEBroker.publish()` method already calls `loop.call_soon_threadsafe` internally. From a worker thread, call `broker.publish(session_id, event)` directly — do NOT try to call `_publish_sync` or manually schedule with `call_soon_threadsafe`. The task plan mentioned calling `publish_sync` directly but the actual broker API handles the bridging.
 ### DB writes from worker threads
 Use `asyncio.run_coroutine_threadsafe(coro, loop).result(timeout=N)` to call async database functions from a synchronous yt-dlp worker thread. This blocks the worker thread until the DB write completes, which is fine because worker threads are pool-managed and the block is brief.
 ## FastAPI Testing (discovered T04)
 ### httpx ASGITransport does not trigger Starlette lifespan
 When using `httpx.AsyncClient` with `ASGITransport(app=app)`, Starlette lifespan events (startup/shutdown) do **not** run. The `client` fixture must either: (a) build a fresh FastAPI app and manually wire `app.state` with services, or (b) use an explicit async context manager around the app. Option (a) is simpler — create temp DB, config, broker, and download service directly in the fixture.
 ### Cancel endpoint race condition with background workers
 `DownloadService.cancel()` sets `status=failed` in DB, but a background worker thread may overwrite this with `status=downloading` via its own `run_coroutine_threadsafe` call that was already in-flight. In tests, assert `status != "queued"` rather than `status == "failed"` to tolerate the race. This is inherent to the cancel design (yt-dlp has no reliable mid-stream abort).
 ## FastAPI + PEP 563 (discovered S02-T01)
 ### Do not use lazy imports for FastAPI endpoint parameter types
 When `from __future__ import annotations` is active (PEP 563), type annotations are stored as strings. If a FastAPI endpoint uses `request: Request` and `Request` was imported inside a function body (lazy import), FastAPI's dependency resolution fails to recognize `Request` as a special parameter and treats it as a required query parameter, returning 422 Unprocessable Entity. Always import `Request` (and other FastAPI types used in endpoint signatures) at **module level**.
--- a/.gsd/PROJECT.md
+++ b/.gsd/PROJECT.md
@ -1,49 +0,0 @@
 # media.rip()
 ## What This Is
 A self-hostable, redistributable Docker container — a web-based yt-dlp frontend that anyone can run on their own infrastructure. Users paste a URL, pick quality, and download media without creating an account, sending data anywhere, or knowing what a terminal is. Ships with a cyberpunk default theme, session isolation, and ephemeral downloads. Fully configurable via mounted config file for personal, family, team, or public use.
 Ground-up build. Not a MeTube fork. Treats theming, session behavior, purge policy, and operator experience as first-class concerns.
 ## Core Value
 A user can paste any yt-dlp-supported URL, see exactly what they're about to download, and get it — without creating an account, without sending data anywhere, and without knowing what a terminal is.
 ## Current State
 **v1.0.0 — Feature-complete and ship-ready.**
 M001 (v1.0 full build — 6 slices) and M002 (UI/UX polish — 3 slices) are complete. 213 tests passing (179 backend, 34 frontend). Code pushed to GitHub. Docker image, CI/CD workflows, and deployment examples are in place.
 All core capabilities implemented: URL submission + download, live format extraction, real-time SSE progress with reconnect replay, download queue management, playlist support with parent/child jobs, session isolation (isolated/shared/open), cookie auth upload, purge system (scheduled/manual/never), three built-in themes + custom theme system, admin panel with bcrypt auth, unsupported URL reporting, health endpoint, session export/import, link sharing, source-aware output templates, mobile-responsive layout, and zero outbound telemetry.
 ## Architecture / Key Patterns
 - **Backend:** Python 3.12 + FastAPI, yt-dlp as library (not subprocess), aiosqlite for SQLite, sse-starlette for SSE, APScheduler 3.x for cron, bcrypt for admin auth
 - **Frontend:** Vue 3 + TypeScript + Pinia + Vite
 - **Transport:** SSE (server-push only, no WebSocket)
 - **Persistence:** SQLite with WAL mode — `/data/mediarip.db` in Docker
 - **Critical pattern:** `ThreadPoolExecutor` + `loop.call_soon_threadsafe` bridges sync yt-dlp into async FastAPI — the load-bearing architectural seam
 - **Session isolation:** Per-browser cookie-scoped queues (isolated/shared/open modes)
 - **Config hierarchy:** Hardcoded defaults → config.yaml → env var overrides (MEDIARIP__*) → SQLite admin writes
 - **Distribution:** Single multi-stage Docker image (ghcr.io/xpltdco/media-rip), amd64 + arm64
 - **Security:** CSP headers (self-only), no outbound requests, bcrypt admin auth, httpOnly session cookies
 ## Persistent Volumes (Docker)
 | Mount | Purpose | Required |
 |-------|---------|----------|
 | `/downloads` | Downloaded media files | Yes |
 | `/data` | SQLite database, session state, error logs | Yes |
 | `/themes` | Custom theme CSS overrides | No |
 | `/app/config.yaml` | YAML configuration file | No |
 ## Capability Contract
 See `.gsd/REQUIREMENTS.md` for the explicit capability contract, requirement status, and coverage mapping.
 ## Milestone History
 - ✅ M001: media.rip() v1.0 — Full-featured self-hosted yt-dlp web frontend (6 slices)
 - ✅ M002: UI/UX Polish — Ship-Ready Frontend (3 slices)
--- a/.gsd/REQUIREMENTS.md
+++ b/.gsd/REQUIREMENTS.md
@ -1,455 +0,0 @@
 # Requirements
 This file is the explicit capability and coverage contract for the project.
 Use it to track what is actively in scope, what has been validated by completed work, what is intentionally deferred, and what is explicitly out of scope.
 ## Validated
 ### R001 — URL submission + download for any yt-dlp-supported site
 - Class: core-capability
 - Status: validated
 - Description: User pastes any URL supported by yt-dlp and the system downloads it to the configured output directory
 - Why it matters: The fundamental product primitive — everything else depends on this working
 - Source: user
 - Primary owning slice: M001/S01
 - Supporting slices: none
 - Validation: unmapped
 - Notes: Jobs keyed by UUID4 (R024), not URL — concurrent same-URL downloads are supported
 ### R002 — Live format/quality extraction and selection
 - Class: core-capability
 - Status: validated
 - Description: GET /api/formats?url= calls yt-dlp extract_info to return available formats; user picks resolution, codec, ext before downloading
 - Why it matters: Power users won't use a tool that hides quality choice. Competitors use presets — live extraction is a step up
 - Source: user
 - Primary owning slice: M001/S01
 - Supporting slices: M001/S03
 - Validation: unmapped
 - Notes: Extraction can take 3-10s for some sites — UI must show loading state. filesize is frequently null
 ### R003 — Real-time SSE progress
 - Class: core-capability
 - Status: validated
 - Description: Server-sent events stream delivers job status transitions (queued→extracting→downloading→completed/failed) with download progress (percent, speed, ETA) per session
 - Why it matters: No progress = no trust. Users need to see something is happening
 - Source: user
 - Primary owning slice: M001/S02
 - Supporting slices: M001/S03
 - Validation: unmapped
 - Notes: SSE via sse-starlette, not WebSocket. Events: init, job_update, job_removed, error, purge_complete
 ### R004 — SSE init replay on reconnect
 - Class: continuity
 - Status: validated
 - Description: When a client reconnects to the SSE endpoint, the server replays current job states from the DB as synthetic events before entering the live queue
 - Why it matters: Without this, page refresh clears the queue view even though downloads are running. Breaks session isolation's value proposition entirely
 - Source: user
 - Primary owning slice: M001/S02
 - Supporting slices: none
 - Validation: unmapped
 - Notes: Eliminates "spinner forever after refresh" bugs. The DB is source of truth, not frontend memory
 ### R005 — Download queue: view, cancel, filter, sort
 - Class: primary-user-loop
 - Status: validated
 - Description: Users see all their downloads in a unified queue with status, progress, and can cancel or remove entries. Filter by status, sort by date/name
 - Why it matters: Table stakes for any download manager UX
 - Source: user
 - Primary owning slice: M001/S03
 - Supporting slices: none
 - Validation: unmapped
 - Notes: Queue is a projection of SQLite state replayed via SSE
 ### R006 — Playlist support: parent + collapsible child jobs
 - Class: core-capability
 - Status: validated
 - Description: Playlist URLs create a parent job with collapsible child video rows. Parent status reflects aggregate child progress. Mixed success/failure shown per child
 - Why it matters: Playlists are a primary use case for self-hosters. MeTube treats them as flat — collapsible parent/child is a step up
 - Source: user
 - Primary owning slice: M001/S03
 - Supporting slices: M001/S01
 - Validation: unmapped
 - Notes: A 200-video playlist = 201 rows — must be collapsed by default. Parent completes when all children reach completed or failed
 ### R007 — Session isolation: isolated (default) / shared / open modes
 - Class: differentiator
 - Status: validated
 - Description: Operator selects session mode server-wide. Isolated: each browser sees only its own downloads via httpOnly UUID cookie. Shared: all sessions see all downloads. Open: no session tracking
 - Why it matters: The primary differentiator from MeTube (issue #591 closed as "won't fix"). The feature that created demand for forks
 - Source: user
 - Primary owning slice: M001/S02
 - Supporting slices: M001/S03
 - Validation: unmapped
 - Notes: isolated is the zero-config safe default. Mode switching mid-deployment: isolated rows remain scoped, shared queries all rows
 ### R008 — Cookie auth: per-session cookies.txt upload
 - Class: core-capability
 - Status: validated
 - Description: Users upload a Netscape-format cookies.txt file scoped to their session. Enables downloading paywalled/private content. Files purged on session clear
 - Why it matters: The practical reason people move off MeTube. Enables authenticated downloads without embedding credentials in the app
 - Source: research
 - Primary owning slice: M001/S04
 - Supporting slices: none
 - Validation: unmapped
 - Notes: CVE-2023-35934 — pin yt-dlp >= 2023-07-06. Store per-session at data/sessions/{id}/cookies.txt. Never log contents. Normalize CRLF→LF. Chrome cookie extraction broken since July 2024 — surface Firefox recommendation in UI
 ### R009 — Purge system: scheduled/manual/never, independent file + log TTL
 - Class: operability
 - Status: validated
 - Description: Operator configures purge mode (scheduled cron, manual-only, never). File TTL and log TTL are independent values. Purge activity written to audit log. Purge must skip active downloads
 - Why it matters: Ephemeral storage is the contract with users. Operators need control over disk lifecycle
 - Source: user
 - Primary owning slice: M001/S04
 - Supporting slices: none
 - Validation: unmapped
 - Notes: Purge must filter status IN (completed, failed, cancelled) — never delete files for active downloads. Handle already-deleted files gracefully
 ### R010 — Three built-in themes: cyberpunk (default), dark, light
 - Class: differentiator
 - Status: validated
 - Description: Three themes baked into the Docker image. Cyberpunk is default: #00a8ff/#ff6b2b, JetBrains Mono, scanlines, grid overlay. Dark and light are clean alternatives
 - Why it matters: Visual identity differentiator — every other tool ships with plain material/tailwind defaults. Cyberpunk makes first impressions memorable
 - Source: user
 - Primary owning slice: M001/S05
 - Supporting slices: none
 - Validation: unmapped
 - Notes: Built-in themes compiled into frontend bundle. Heavily commented as drop-in documentation for custom theme authors
 ### R011 — Drop-in custom theme system via volume mount
 - Class: differentiator
 - Status: validated
 - Description: Operators drop a theme folder into /themes volume mount. Theme pack: theme.css (CSS variable overrides) + metadata.json + optional preview.png + optional assets/. Appears in picker without recompile
 - Why it matters: The feature MeTube refuses to build. Lowers theming floor to "edit a CSS file"
 - Source: user
 - Primary owning slice: M001/S05
 - Supporting slices: none
 - Validation: unmapped
 - Notes: Theme directory scanned at startup + on-demand re-scan. No file watchers needed
 ### R012 — CSS variable contract (base.css) as stable theme API
 - Class: constraint
 - Status: validated
 - Description: A documented, stable set of CSS custom properties (--color-bg, --color-accent-primary, --font-ui, --radius-sm, --effect-overlay, etc.) that all themes override. Token names cannot change after v1.0 ships — they are the public API for custom themes
 - Why it matters: Changing token names after operators write custom themes breaks those themes. This is a one-way door
 - Source: user
 - Primary owning slice: M001/S05
 - Supporting slices: M001/S03
 - Validation: unmapped
 - Notes: Must be designed before component work references token names. Establish early in S05, referenced by S03 components
 ### R013 — Mobile-responsive layout
 - Class: primary-user-loop
 - Status: validated
 - Description: <768px breakpoint: bottom tab bar (Submit/Queue/Settings), full-width URL input, card list for queue (swipe-to-cancel), bottom sheet for format options. All tap targets minimum 44px
 - Why it matters: >50% of self-hoster interactions happen on phone or tablet. No existing yt-dlp web UI does mobile well
 - Source: user
 - Primary owning slice: M001/S03
 - Supporting slices: none
 - Validation: unmapped
 - Notes: Desktop (≥768px): top header bar, left sidebar (collapsible), full download table
 ### R014 — Admin panel with secure auth
 - Class: operability
 - Status: validated
 - Description: Admin panel with username/password login (HTTPBasic + bcrypt). First-boot credential setup with forced change prompt. Session list, storage view, manual purge trigger, live config editor, unsupported URL log download. Security posture: timing-safe comparison (secrets.compare_digest), Secure/HttpOnly/SameSite=Strict cookies behind TLS, security headers on admin routes (HSTS, X-Content-Type-Options, X-Frame-Options), startup warning when admin enabled without TLS detected
 - Why it matters: Shipping an admin panel with crappy auth undermines the trust proposition of the entire product. Operators deserve qBittorrent/Sonarr-level login UX, not raw tokens
 - Source: user
 - Primary owning slice: M001/S04
 - Supporting slices: none
 - Validation: unmapped
 - Notes: If no X-Forwarded-Proto: https detected, log warning. Admin routes hidden from nav unless credentials configured
 ### R015 — Unsupported URL reporting with audit log
 - Class: failure-visibility
 - Status: validated
 - Description: When yt-dlp fails with extraction error, job shows failed badge + "Report unsupported site" button. Click appends to log (domain-only by default, full URL opt-in). Admin downloads log. Zero automatic outbound reporting
 - Why it matters: Users see exactly what gets logged. Trust feature — transparency in failure handling
 - Source: user
 - Primary owning slice: M001/S04
 - Supporting slices: none
 - Validation: unmapped
 - Notes: User-triggered only. Config report_full_url controls privacy level
 ### R016 — Health endpoint
 - Class: operability
 - Status: validated
 - Description: GET /api/health returns status, version, yt_dlp_version, uptime
 - Why it matters: Uptime Kuma and similar monitoring tools are table stakes for self-hosters
 - Source: user
 - Primary owning slice: M001/S02
 - Supporting slices: none
 - Validation: unmapped
 - Notes: Extend with disk space and queue depth if practical
 ### R017 — Session export/import
 - Class: continuity
 - Status: validated
 - Description: Export session as JSON archive (download history + queue state + preferences). Import restores history into a new session. Does not require sign-in, stays anonymous-first
 - Why it matters: Enables identity continuity on persistent instances without a real account system. No competitor offers this
 - Source: research
 - Primary owning slice: M001/S04
 - Supporting slices: none
 - Validation: unmapped
 - Notes: Meaningless in open mode — UI should hide export button when session mode is open
 ### R018 — Link sharing (completed file shareable URL)
 - Class: primary-user-loop
 - Status: validated
 - Description: Completed downloads are served at predictable URLs. Users can copy a direct download link to share with others
 - Why it matters: Removes the "now what?" question after downloading — users share a ripped file with a friend via URL
 - Source: research
 - Primary owning slice: M001/S04
 - Supporting slices: none
 - Validation: unmapped
 - Notes: Requires knowing the output filename. Files served via FastAPI StaticFiles or explicit route on /downloads
 ### R019 — Source-aware output templates
 - Class: core-capability
 - Status: validated
 - Description: Per-site default output templates (YouTube: uploader/title, SoundCloud: uploader/title, generic: title). Configurable via config.yaml source_templates map
 - Why it matters: Sensible defaults per-site are a step up from MeTube's single global template. Organizes downloads without user effort
 - Source: user
 - Primary owning slice: M001/S01
 - Supporting slices: none
 - Validation: 9 unit tests prove domain-specific lookup, www stripping, user override priority, fallback chain, custom config (S01 test_output_template.py)
 - Notes: Per-download override also supported (R025)
 ### R020 — Zero automatic outbound telemetry
 - Class: constraint
 - Status: validated
 - Description: The container makes zero automatic outbound network requests. No CDN calls, no Google Fonts, no update checks, no analytics. All fonts and assets bundled or self-hosted
 - Why it matters: Trust is the core proposition. Competing tools have subtle external requests. This is an explicit design constraint, not an afterthought
 - Source: user
 - Primary owning slice: M001/S06
 - Supporting slices: all
 - Validation: unmapped
 - Notes: Verified by checking zero outbound network requests from container during normal operation
 ### R021 — Docker: single multi-stage image, GHCR + Docker Hub, amd64 + arm64
 - Class: launchability
 - Status: validated
 - Description: Single Dockerfile, multi-stage build (Node frontend builder → Python deps → slim runtime with ffmpeg). Published to ghcr.io/xpltd/media-rip and docker.io/xpltd/media-rip. Both amd64 and arm64 architectures
 - Why it matters: Docker is the distribution mechanism for self-hosted tools. arm64 users (Raspberry Pi, Apple Silicon NAS) are a significant audience
 - Source: user
 - Primary owning slice: M001/S06
 - Supporting slices: none
 - Validation: unmapped
 - Notes: Target <400MB compressed. ffmpeg from Debian apt supports arm64 natively
 ### R022 — CI/CD: lint + test on PR, build + push on tag
 - Class: launchability
 - Status: validated
 - Description: GitHub Actions: ci.yml runs ruff + pytest + eslint + vue-tsc + vitest + Docker smoke on PRs. publish.yml builds multi-platform image and pushes to both registries on v*.*.* tags. Generates GitHub Release with changelog
 - Why it matters: Ensures the image stays functional as yt-dlp extractors evolve. Automated quality gate
 - Source: user
 - Primary owning slice: M001/S06
 - Supporting slices: none
 - Validation: unmapped
 - Notes: CI smoke-tests downloads from 2+ sites to catch extractor breakage
 ### R023 — Config system: config.yaml + env var overrides + admin live writes
 - Class: operability
 - Status: validated
 - Description: Three-layer config: hardcoded defaults → config.yaml (read-only at start) → env var overrides (MEDIARIP__SECTION__KEY) → SQLite admin writes (live, no restart). All fields optional — zero-config works out of the box
 - Why it matters: Operators need infrastructure-as-code (YAML, env vars) AND live UI config without restart
 - Source: user
 - Primary owning slice: M001/S01
 - Supporting slices: M001/S04
 - Validation: unmapped
 - Notes: YAML seeds DB on first boot, then SQLite wins. YAML never reflects admin UI changes — document this clearly
 ### R024 — Concurrent same-URL support
 - Class: core-capability
 - Status: validated
 - Description: Jobs keyed by UUID4, not URL. Submitting the same URL twice at different qualities creates two independent jobs
 - Why it matters: Users legitimately want the same video in different formats. URL-keyed dedup would prevent this
 - Source: user
 - Primary owning slice: M001/S01
 - Supporting slices: none
 - Validation: Integration test runs two simultaneous downloads of same video with different output templates — both complete successfully (S01 test_download_service::test_concurrent_downloads)
 - Notes: Intentional design per PROJECT.md
 ### R025 — Per-download output template override
 - Class: core-capability
 - Status: validated
 - Description: Users can override the output template on a per-download basis, in addition to the source-aware defaults (R019)
 - Why it matters: Power users want control over file naming for specific downloads
 - Source: user
 - Primary owning slice: M001/S03
 - Supporting slices: none
 - Validation: unmapped
 - Notes: UI field in "More options" area
 ### R026 — Secure deployment example
 - Class: launchability
 - Status: validated
 - Description: docker-compose.example.yml ships with a reverse proxy + TLS configuration as the default documented deployment path, not an afterthought
 - Why it matters: Making the secure path the default path prevents operators from accidentally running admin auth over cleartext
 - Source: user
 - Primary owning slice: M001/S06
 - Supporting slices: none
 - Validation: unmapped
 - Notes: Caddy or Traefik sidecar — decision deferred to slice planning
 ## Deferred
 ### R027 — Per-format download presets (saved quality profiles)
 - Class: primary-user-loop
 - Status: deferred
 - Description: Save "my 720p MP3 preset" for reuse across downloads
 - Why it matters: Convenience feature for repeat users
 - Source: research
 - Primary owning slice: none
 - Supporting slices: none
 - Validation: unmapped
 - Notes: Deferred — v1 needs live format selection working first. Add when session system is stable
 ### R028 — GitHub issue prefill for unsupported URL reporting
 - Class: failure-visibility
 - Status: deferred
 - Description: Config option reporting.github_issues: true opens pre-filled GitHub issue for unsupported URLs
 - Why it matters: Streamlines community reporting of extractor gaps
 - Source: research
 - Primary owning slice: none
 - Supporting slices: none
 - Validation: unmapped
 - Notes: Deferred — enable only after log download (R015) is validated
 ### R029 — Queue filter/sort persistence in localStorage
 - Class: primary-user-loop
 - Status: deferred
 - Description: Store last sort/filter state in localStorage so it persists across page loads
 - Why it matters: Minor convenience — avoids resetting sort every refresh
 - Source: research
 - Primary owning slice: none
 - Supporting slices: none
 - Validation: unmapped
 - Notes: Trivial to add post-v1
 ## Out of Scope
 ### R030 — OAuth / SSO integration
 - Class: anti-feature
 - Status: out-of-scope
 - Description: Centralized auth via OAuth/SSO providers
 - Why it matters: Prevents massive scope increase. Reverse proxy handles AuthN; media.rip handles AuthZ via session mode + admin auth
 - Source: research
 - Primary owning slice: none
 - Supporting slices: none
 - Validation: n/a
 - Notes: Authentik, Authelia, Traefik ForwardAuth are the operator's tools for this
 ### R031 — WebSocket transport
 - Class: anti-feature
 - Status: out-of-scope
 - Description: WebSocket for real-time communication
 - Why it matters: SSE covers 100% of actual needs (server-push only). WebSocket adds complexity without benefit
 - Source: research
 - Primary owning slice: none
 - Supporting slices: none
 - Validation: n/a
 - Notes: SSE is simpler, HTTP-native, auto-reconnecting via browser EventSource
 ### R032 — User accounts / registration
 - Class: anti-feature
 - Status: out-of-scope
 - Description: User registration, login, password reset
 - Why it matters: Anonymous-first identity model. Session isolation provides multi-user support without accounts
 - Source: research
 - Primary owning slice: none
 - Supporting slices: none
 - Validation: n/a
 - Notes: Would fundamentally change the product shape
 ### R033 — Automatic yt-dlp update at runtime
 - Class: anti-feature
 - Status: out-of-scope
 - Description: Auto-update yt-dlp extractors inside running container
 - Why it matters: Breaks immutable containers and reproducible builds. Version drift between deployments
 - Source: research
 - Primary owning slice: none
 - Supporting slices: none
 - Validation: n/a
 - Notes: Pin version in requirements; publish new image on yt-dlp releases via CI
 ### R034 — Embedded video player
 - Class: anti-feature
 - Status: out-of-scope
 - Description: Play downloaded media within the web UI
 - Why it matters: Adds significant frontend complexity, licensing surface for codecs, scope creep. Files go to Jellyfin/Plex anyway
 - Source: research
 - Primary owning slice: none
 - Supporting slices: none
 - Validation: n/a
 - Notes: Serve files at predictable paths; users open in their preferred player
 ### R035 — Subscription / channel monitoring
 - Class: anti-feature
 - Status: out-of-scope
 - Description: "Set it and forget it" channel archiving
 - Why it matters: Fundamentally different product — a scheduler/archiver vs a download UI. Tools like Pinchflat, TubeArchivist do this better
 - Source: research
 - Primary owning slice: none
 - Supporting slices: none
 - Validation: n/a
 - Notes: Architecture should not block adding it later. APScheduler already present for purge
 ### R036 — FlareSolverr / Cloudflare bypass
 - Class: anti-feature
 - Status: out-of-scope
 - Description: Cloudflare bypass via external FlareSolverr service
 - Why it matters: Introduces external service dependency, legal gray area, niche use case
 - Source: research
 - Primary owning slice: none
 - Supporting slices: none
 - Validation: n/a
 - Notes: cookies.txt upload (R008) solves authenticated content for most users
 ## Traceability
 | ID | Class | Status | Primary owner | Supporting | Proof |
 |---|---|---|---|---|---|
 | R001 | core-capability | validated | M001/S01 | none | unmapped |
 | R002 | core-capability | validated | M001/S01 | M001/S03 | unmapped |
 | R003 | core-capability | validated | M001/S02 | M001/S03 | unmapped |
 | R004 | continuity | validated | M001/S02 | none | unmapped |
 | R005 | primary-user-loop | validated | M001/S03 | none | unmapped |
 | R006 | core-capability | validated | M001/S03 | M001/S01 | unmapped |
 | R007 | differentiator | validated | M001/S02 | M001/S03 | unmapped |
 | R008 | core-capability | validated | M001/S04 | none | unmapped |
 | R009 | operability | validated | M001/S04 | none | unmapped |
 | R010 | differentiator | validated | M001/S05 | none | unmapped |
 | R011 | differentiator | validated | M001/S05 | none | unmapped |
 | R012 | constraint | validated | M001/S05 | M001/S03 | unmapped |
 | R013 | primary-user-loop | validated | M001/S03 | none | unmapped |
 | R014 | operability | validated | M001/S04 | none | unmapped |
 | R015 | failure-visibility | validated | M001/S04 | none | unmapped |
 | R016 | operability | validated | M001/S02 | none | unmapped |
 | R017 | continuity | validated | M001/S04 | none | unmapped |
 | R018 | primary-user-loop | validated | M001/S04 | none | unmapped |
 | R019 | core-capability | validated | M001/S01 | none | 9 unit tests (S01 test_output_template.py) |
 | R020 | constraint | validated | M001/S06 | all | unmapped |
 | R021 | launchability | validated | M001/S06 | none | unmapped |
 | R022 | launchability | validated | M001/S06 | none | unmapped |
 | R023 | operability | validated | M001/S01 | M001/S04 | unmapped |
 | R024 | core-capability | validated | M001/S01 | none | integration test (S01 test_concurrent_downloads) |
 | R025 | core-capability | validated | M001/S03 | none | unmapped |
 | R026 | launchability | validated | M001/S06 | none | unmapped |
 | R027 | primary-user-loop | deferred | none | none | unmapped |
 | R028 | failure-visibility | deferred | none | none | unmapped |
 | R029 | primary-user-loop | deferred | none | none | unmapped |
 | R030 | anti-feature | out-of-scope | none | none | n/a |
 | R031 | anti-feature | out-of-scope | none | none | n/a |
 | R032 | anti-feature | out-of-scope | none | none | n/a |
 | R033 | anti-feature | out-of-scope | none | none | n/a |
 | R034 | anti-feature | out-of-scope | none | none | n/a |
 | R035 | anti-feature | out-of-scope | none | none | n/a |
 | R036 | anti-feature | out-of-scope | none | none | n/a |
 ## Coverage Summary
 - Active requirements: 0
 - Mapped to slices: 26
 - Validated: 26
 - Unmapped active requirements: 0
--- a/.gsd/gsd.db-shm
+++ b/.gsd/gsd.db-shm
--- a/.gsd/gsd.db-wal
+++ b/.gsd/gsd.db-wal
--- a/.gsd/milestones/M001/M001-CONTEXT.md
+++ b/.gsd/milestones/M001/M001-CONTEXT.md
@ -1,126 +0,0 @@
 # M001: media.rip() v1.0 — Context
 **Gathered:** 2026-03-17
 **Status:** Ready for planning
 ## Project Description
 media.rip() is a self-hostable web-based yt-dlp frontend distributed as a Docker container. Users paste any yt-dlp-supported URL, select format/quality from live extraction, and download media — no account, no telemetry, no terminal. Ground-up build targeting the gaps every competitor (MeTube, yt-dlp-web-ui, ytptube) leaves open: session isolation, real theming, mobile UX, and operator-first configuration.
 ## Why This Milestone
 This is the only milestone. M001 delivers the complete v1.0 product — from first line of code through Docker distribution. The product cannot ship partially; a download tool without real-time progress, or with progress but no session isolation, or with isolation but no admin panel, would be an incomplete product that fails to differentiate from existing tools.
 ## User-Visible Outcome
 ### When this milestone is complete, the user can:
 - Run `docker compose up` and access a fully functional download UI at :8080 with cyberpunk theme, zero configuration
 - Paste any yt-dlp-supported URL, pick format/quality from live extraction, and download to /downloads
 - See real-time progress (percent, speed, ETA) via SSE, surviving page refreshes
 - Use isolated session mode (default) so two browsers see only their own downloads
 - Upload cookies.txt for paywalled content, scoped to their session
 - Switch between cyberpunk, dark, and light themes — or drop a custom theme into /themes
 - Access admin panel via username/password login to manage sessions, storage, purge, and config
 - Deploy securely using the provided reverse-proxy + TLS compose example
 ### Entry point / environment
 - Entry point: `docker compose up` → http://localhost:8080 (dev), https://media.example.com (prod behind reverse proxy)
 - Environment: Docker container, browser-accessed
 - Live dependencies involved: yt-dlp (bundled library), ffmpeg (bundled binary), SQLite (embedded)
 ## Completion Class
 - Contract complete means: all API endpoints respond correctly, yt-dlp downloads succeed, SSE streams deliver events, session isolation works, admin auth rejects unauthorized requests, purge deletes correct files, themes apply correctly
 - Integration complete means: frontend ↔ backend SSE flow works end-to-end, yt-dlp progress hooks bridge to browser progress bars, admin config changes take effect live, theme volume mount → picker → apply chain works
 - Operational complete means: Docker image builds for both architectures, CI runs on PR, CD publishes on tag, health endpoint responds, startup TLS warning fires when appropriate
 ## Final Integrated Acceptance
 To call this milestone complete, we must prove:
 - Paste a YouTube URL in the browser → pick quality → see real-time progress → file appears in /downloads (the full primary loop)
 - Open two different browsers → each sees only its own downloads (session isolation)
 - Admin login → change a config value → effect visible without container restart
 - Drop a custom theme folder into /themes volume → restart → appears in theme picker → applies correctly
 - `docker compose up` with zero config → everything works at :8080 with cyberpunk theme and isolated mode
 - Tag v0.1.0 → GitHub Actions builds and pushes amd64 + arm64 images to both registries
 ## Risks and Unknowns
 - **Sync-to-async bridge correctness** — yt-dlp is synchronous, FastAPI is async. ThreadPoolExecutor + `call_soon_threadsafe` is the known-correct pattern, but getting the event loop capture and progress hook wiring wrong produces silent event loss or blocked loops. Must be proven in S01
 - **SSE disconnect handling** — CancelledError swallowing creates zombie connections. sse-starlette handles this but the generator must use try/finally correctly. Must be proven in S02
 - **SQLite write contention** — WAL mode + busy_timeout handles this for the expected load, but must be enabled at DB init before any schema work. Addressed in S01
 - **CSS variable contract is a one-way door** — Token names cannot change after operators write custom themes. Must be designed deliberately in S05, not evolved by accident
 - **cookies.txt security** — CVE-2023-35934 requires pinning yt-dlp >= 2023-07-06. Cookie files are sensitive — never log, store per-session, delete on purge
 - **Admin auth over cleartext** — If operator doesn't use TLS, admin credentials sent in cleartext. Mitigated by startup warning + secure deployment docs, but can't be prevented from the app side
 ## Existing Codebase / Prior Art
 - `PROJECT.md` — comprehensive product spec with data models, API surface, SSE schema, config schema, Dockerfile sketch, CI/CD outline
 - `.planning/research/ARCHITECTURE.md` — system diagram, component boundaries, data flow paths, anti-patterns, Docker layering strategy
 - `.planning/research/FEATURES.md` — feature landscape, competitor analysis, dependency graph, edge cases, MVP definition
 - `.planning/research/STACK.md` — pinned versions for all dependencies, integration patterns, known pitfalls per library
 - `.planning/research/PITFALLS.md` — critical pitfalls with prevention strategies and warning signs
 - `.planning/research/SUMMARY.md` — executive summary of all research with confidence assessments
 > See `.gsd/DECISIONS.md` for all architectural and pattern decisions — it is an append-only register; read it during planning, append to it during execution.
 ## Relevant Requirements
 - R001-R006 — Core download loop (URL → format → progress → queue → playlist)
 - R007 — Session isolation (the primary differentiator)
 - R003, R004 — SSE transport + replay (the technical enabler for isolation)
 - R014 — Admin panel with secure auth (trust proposition)
 - R010-R012 — Theme system (visual identity + operator customization)
 - R021-R022 — Docker distribution + CI/CD (the delivery mechanism)
 - R020 — Zero telemetry (hard constraint on all slices)
 ## Scope
 ### In Scope
 - Complete backend: FastAPI app with all API endpoints, yt-dlp integration, SSE, sessions, admin, purge, config, health
 - Complete frontend: Vue 3 SPA with download queue, format picker, progress, playlist UI, mobile layout, admin panel, theme picker
 - Three built-in themes + drop-in custom theme system
 - Cookie auth (cookies.txt per-session)
 - Session export/import
 - Unsupported URL reporting
 - Docker packaging + CI/CD
 - Secure deployment documentation
 ### Out of Scope / Non-Goals
 - OAuth/SSO, user accounts, WebSocket, embedded player, auto-update yt-dlp, subscription monitoring, FlareSolverr (see R030-R036)
 - TLS termination inside the container (reverse proxy responsibility)
 - Telegram/Discord bot (v2+ extension point)
 - Arr-stack API integration (v2+)
 ## Technical Constraints
 - Python 3.12 (not 3.13 — passlib breakage)
 - yt-dlp as library, not subprocess (structured progress hooks, no shell injection)
 - YoutubeDL instance created fresh per job — never shared across threads
 - ThreadPoolExecutor only (not ProcessPoolExecutor — YoutubeDL not picklable)
 - SQLite with WAL mode, synchronous=NORMAL, busy_timeout=5000 — enabled before any schema work
 - SSE via sse-starlette (not FastAPI native — better disconnect handling)
 - APScheduler 3.x (not 4.x alpha)
 - bcrypt 5.0.0 direct (not passlib — unmaintained, Python 3.13 breakage)
 - All fonts/assets bundled — zero external CDN requests
 ## Integration Points
 - **yt-dlp** — library import, ThreadPoolExecutor workers, progress hooks via call_soon_threadsafe
 - **ffmpeg** — installed in Docker image, found by yt-dlp via PATH for muxing
 - **sse-starlette** — EventSourceResponse wrapping async generators
 - **APScheduler AsyncIOScheduler** — started in FastAPI lifespan, shares event loop
 - **aiosqlite** — connection pool via FastAPI Depends, WAL mode
 - **GitHub Actions** — CI (lint/test on PR) + CD (build/push on tag)
 - **GHCR + Docker Hub** — image registry targets
 ## Open Questions
 - **Reverse proxy for deployment example** — Caddy vs Traefik. Leaning Caddy for simplicity (one-liner TLS). Decide during S06 planning
 - **First-boot admin UX** — How pushy should the forced credential change prompt be? Decide during S04 planning
 - **HTTP/2 for SSE connection limit** — SSE has 6-connection-per-domain limit on HTTP/1.1. Caddy handles HTTP/2 automatically if chosen as reverse proxy. Confirm approach during S06
--- a/.gsd/milestones/M001/M001-META.json
+++ b/.gsd/milestones/M001/M001-META.json
@ -1,3 +0,0 @@
 {
  "integrationBranch": "master"
 }
--- a/.gsd/milestones/M001/M001-ROADMAP.md
+++ b/.gsd/milestones/M001/M001-ROADMAP.md
@ -1,176 +0,0 @@
 # M001: media.rip() v1.0 — Ship It
 **Vision:** Deliver a complete self-hostable yt-dlp web frontend as a Docker container. Paste a URL, pick quality, download — with session isolation, real-time progress, a cyberpunk default theme, secure admin panel, and zero telemetry. Distributed via GHCR + Docker Hub for amd64 + arm64.
 ## Success Criteria
 - User can `docker compose up` with zero config and get a working download UI at :8080 with cyberpunk theme and isolated session mode
 - User can paste any yt-dlp-supported URL, select format/quality from live extraction, and download to /downloads with real-time progress
 - Two different browsers see only their own downloads (session isolation works)
 - Page refresh preserves queue state via SSE replay
 - Admin can log in with username/password, manage sessions/storage/config, trigger manual purge
 - Custom theme dropped into /themes volume appears in picker and applies correctly
 - Mobile layout (375px) uses bottom tabs, card list, ≥44px touch targets
 - Tag v0.1.0 triggers CI/CD pipeline that pushes multi-arch images to both registries
 - Container makes zero automatic outbound network requests
 ## Key Risks / Unknowns
 - **Sync-to-async bridge** — yt-dlp is synchronous; FastAPI is async. The ThreadPoolExecutor + `call_soon_threadsafe` pattern is well-documented but must be wired correctly or progress events are silently lost
 - **SSE zombie connections** — CancelledError swallowing in SSE generators creates memory leaks. Must use try/finally and explicitly handle cancellation
 - **CSS variable contract lock-in** — Token names are a one-way door once custom themes exist. Must be designed deliberately before components reference them
 - **Admin auth over cleartext** — Can't prevent operators from skipping TLS, but can warn loudly at startup
 ## Proof Strategy
 - Sync-to-async bridge → retire in S01 by proving yt-dlp progress events arrive in an asyncio.Queue via call_soon_threadsafe, with a test that runs a real download and asserts events were received
 - SSE zombie connections → retire in S02 by proving SSE endpoint cleanup works on client disconnect (generator finally block fires, queue removed from broker)
 - CSS variable contract → retire in S05 by establishing the token set before any component references it, with documentation freeze
 - Admin auth security → retire in S04 by proving bcrypt comparison, timing-safe check, security headers, and TLS detection warning all function correctly
 ## Verification Classes
 - Contract verification: pytest for backend (API, services, models), vitest for frontend (stores, components), ruff + eslint + vue-tsc for lint/type-check
 - Integration verification: real yt-dlp download producing a file, SSE events flowing from progress hook to browser EventSource, admin config write taking effect without restart
 - Operational verification: Docker image builds for both architectures, health endpoint responds, startup TLS warning fires when appropriate
 - UAT / human verification: visual theme check, mobile layout feel, admin panel UX flow, first-boot credential setup
 ## Milestone Definition of Done
 This milestone is complete only when all are true:
 - All six slices are complete with passing verification
 - The full primary loop works end-to-end: URL → format picker → real-time progress → completed file
 - Session isolation proven with two independent browsers
 - Admin panel accessible only via authenticated login with bcrypt-hashed credentials
 - Three built-in themes render correctly; drop-in custom theme chain works
 - Mobile layout functions at 375px with correct breakpoint behavior
 - Docker image builds and runs for amd64 + arm64
 - CI/CD pipeline triggers correctly on PR and tag
 - Zero outbound network requests from container verified
 - Secure deployment example (reverse proxy + TLS) documented and functional
 ## Requirement Coverage
 - Covers: R001-R026 (all 26 active requirements)
 - Partially covers: none
 - Leaves for later: R027 (presets), R028 (GitHub issue prefill), R029 (filter persistence)
 - Orphan risks: none
 ## Slices
 - [x] **S01: Foundation + Download Engine** `risk:high` `depends:[]`
  > After this: POST a URL to the API → yt-dlp downloads it to /downloads with progress events arriving in an asyncio.Queue. Format probe returns available qualities. Config loads from YAML + env vars. SQLite with WAL mode stores jobs. Proven via API tests and a real yt-dlp download.
 - [x] **S02: SSE Transport + Session System** `risk:high` `depends:[S01]`
  > After this: Open two browser tabs → each gets its own SSE stream scoped to their session cookie. Live progress events flow from yt-dlp worker threads through SSEBroker to the correct session's EventSource. Refresh a tab → SSE replays current state. Health endpoint responds. Proven via real SSE connections and session isolation test.
 - [x] **S03: Frontend Core** `risk:medium` `depends:[S02]`
  > After this: Full Vue 3 SPA in the browser: paste URL, pick format from live extraction, watch progress bar fill, see completed files in queue. Playlists show as collapsible parent/child rows. Mobile layout (375px) uses bottom tabs, card list, ≥44px targets. Desktop uses sidebar + table. Proven by loading the SPA and completing a download flow.
 - [x] **S04: Admin, Auth + Supporting Features** `risk:medium` `depends:[S02]`
  > After this: Admin panel requires username/password login (bcrypt). Session list, storage view, manual purge, live config editor, unsupported URL log download all functional. Cookie auth upload works per-session. Session export/import produces valid archive. File link sharing serves completed downloads. Security headers present on admin routes. Startup warns if TLS not detected. Proven via auth tests + admin flow verification.
 - [x] **S05: Theme System** `risk:low` `depends:[S03]`
  > After this: Cyberpunk theme renders with scanlines/grid overlay, JetBrains Mono, #00a8ff/#ff6b2b. Dark and light themes are clean alternatives. CSS variable contract documented in base.css. Drop a custom theme folder into /themes volume → restart → appears in picker → applies correctly. Built-in themes heavily commented as documentation. Proven by theme switching and custom theme load.
 - [x] **S06: Docker + CI/CD** `risk:low` `depends:[S01,S02,S03,S04,S05]`
  > After this: `docker compose up` → app works at :8080 with zero config. `docker-compose.example.yml` includes Caddy/Traefik sidecar for TLS. Tag v0.1.0 → GitHub Actions builds multi-arch image → pushes to GHCR + Docker Hub → creates GitHub Release. PR triggers lint + test + Docker smoke. Zero outbound telemetry verified. Proven by running the published image and completing a full download flow.
 ## Boundary Map
 ### S01 → S02
 Produces:
 - `app/core/database.py` → aiosqlite connection pool with WAL mode, job CRUD operations
 - `app/core/config.py` → ConfigManager: YAML + env var merge, typed config access
 - `app/models/job.py` → Job Pydantic model, JobStatus enum, ProgressEvent model
 - `app/models/session.py` → Session Pydantic model
 - `app/services/download.py` → DownloadService: ThreadPoolExecutor, enqueue(), progress hook producing ProgressEvent into a callback
 - `app/core/sse_broker.py` → SSEBroker: per-session Queue map, put_nowait(), subscribe()/unsubscribe()
 Consumes:
 - nothing (first slice)
 ### S01 → S03
 Produces:
 - `app/routers/downloads.py` → POST /api/downloads, GET /api/downloads, DELETE /api/downloads/{id}
 - `app/routers/formats.py` → GET /api/formats?url= (live yt-dlp extraction)
 - `app/models/job.py` → Job, ProgressEvent (JSON schema for frontend TypeScript types)
 ### S01 → S04
 Produces:
 - `app/core/database.py` → job/session/config table access
 - `app/core/config.py` → ConfigManager (admin writes extend this)
 - `app/services/download.py` → DownloadService.cancel()
 ### S02 → S03
 Produces:
 - `app/routers/sse.py` → GET /api/events (EventSourceResponse per session)
 - `app/middleware/session.py` → SessionMiddleware: auto-creates mrip_session httpOnly cookie, populates request.state.session_id
 - `app/routers/health.py` → GET /api/health
 - `app/routers/system.py` → GET /api/config/public (sanitized config for frontend)
 - SSE event contract: init, job_update, job_removed, error event types with typed payloads
 Consumes from S01:
 - `app/core/sse_broker.py` → SSEBroker.subscribe(), SSEBroker.put_nowait()
 - `app/core/database.py` → job queries for SSE replay
 - `app/models/job.py` → Job, ProgressEvent models
 - `app/models/session.py` → Session model
 ### S02 → S04
 Produces:
 - `app/middleware/session.py` → SessionMiddleware (session identity for admin to list)
 - `app/core/database.py` → session table queries
 ### S03 → S05
 Produces:
 - Vue component structure referencing CSS custom properties (--color-bg, --color-accent-primary, etc.)
 - `frontend/src/stores/theme.ts` → theme store with setTheme(), availableThemes
 - Component DOM structure that themes must style correctly
 Consumes from S02:
 - SSE event contract (EventSource integration in Pinia sse store)
 - GET /api/config/public (session mode, default theme)
 - Session cookie (auto-set by middleware)
 ### S04 → S06
 Produces:
 - `app/routers/admin.py` → all admin API endpoints
 - Admin auth middleware (HTTPBasic + bcrypt)
 - `app/services/purge.py` → PurgeService
 - Test suite for admin routes
 Consumes from S02:
 - Session middleware, session queries
 - SSEBroker (for purge_complete event)
 Consumes from S01:
 - Database, ConfigManager, DownloadService
 ### S05 → S06
 Produces:
 - `frontend/src/themes/` → cyberpunk.css, dark.css, light.css (baked into build)
 - `app/core/theme_loader.py` → ThemeLoader scanning /themes volume
 - `app/routers/themes.py` → GET /api/themes manifest
 - CSS variable contract in base.css (the stable theme API)
 Consumes from S03:
 - Vue component structure (components reference CSS custom properties)
 - Theme store (setTheme, availableThemes)
 ### All → S06
 S06 consumes the complete application from S01-S05:
 - All backend source under `backend/app/`
 - All frontend source under `frontend/src/`
 - All test suites
 - All theme assets
 - docker-compose.yml, Dockerfile, GitHub Actions workflows
--- a/.gsd/milestones/M001/UI-REVIEW-FINDINGS.md
+++ b/.gsd/milestones/M001/UI-REVIEW-FINDINGS.md
@ -1,133 +0,0 @@
 # UI/UX Review Findings — M001 Post-Completion Walkthrough
 **Date:** 2026-03-18
 **Participants:** User (product owner) + GSD (agent)
 **Method:** Live app walkthrough at localhost:5173, guided interview
 ---
 ## Summary
 M001 is functionally complete (208 tests, all slices done) but the UI needs a significant UX pass before v0.1.0 tag. The app works but doesn't feel polished — unclear affordances, missing user flows, and several functional gaps identified during live testing.
 ---
 ## Findings
 ### 1. Welcome / Informational Block
 **Priority: HIGH**
 - Add a configurable welcome message block above the URL input
 - Default text: "Paste any video or audio URL. We rip it, you download it. No accounts, no tracking. Files auto-purge after 24h." (or similar)
 - Admin-configurable from admin panel (can override text or hide entirely)
 - Should look clean and integrated, not a banner bar — a styled text block above the input area
 ### 2. Theme System Rework
 **Priority: HIGH**
 - **Current:** 3 radio-button dots (Cyberpunk/Dark/Light) in header
 - **Target:** Admin sets the theme (cyberpunk default). Users get a sun/moon toggle for light ↔ dark variant only
 - Backend implication: each theme needs a light variant, or the light mode is a modifier on any theme
 - The "dark" and "light" themes become _modes_ rather than separate themes
 - Theme picker (full theme selection) moves to admin panel
 ### 3. SSE Connection Indicator (Green Dot)
 **Priority: LOW**
 - Currently unlabeled, looks like a 4th theme option
 - **Decision:** Hide in production. Keep available for debug/development mode only
 ### 4. Remove ADMIN Tab from Main Nav
 **Priority: HIGH**
 - Admin panel accessible only via `/admin` URL — no visual link from main app
 - Security by obscurity layer (auth still required, but no invitation to probe)
 - Consequence: since ADMIN tab is removed, the DOWNLOADS tab is also unnecessary (only one view)
 - Remove the entire DOWNLOADS/ADMIN tab bar
 ### 5. Footer with Version Info
 **Priority: MEDIUM**
 - Centered footer showing: `media.rip() v0.1.0 | yt-dlp 2026.03.17 | GitHub`
 - Pipe-delimited, clean typography
 - GitHub link goes to repo
 - Version info pulled from health endpoint data
 ### 6. Download Flow Rework
 **Priority: HIGH**
 - **Current:** URL input → "Get Formats" button → format picker appears → "Download" button
 - **Target:** URL input → "Download" button (auto-best quality) with optional format picker as expandable section
 - Add audio/video toggle glyph — clean, intuitive icon to switch between audio-only and video download
 - Format picker becomes "Advanced" or expandable area, not the primary flow
 - Must handle playlist URLs intuitively — multi-file links should dynamically show appropriate UI
 ### 7. Download Queue → Table-Style Display
 **Priority: HIGH**
 - **Current:** Card-based list with title, progress bar, speed, ETA, cancel
 - **Target:** Table-like display that maintains the card aesthetic (not Excel — keep the cyberpunk vibes)
 - Columns to add: started timestamp, file size (if available)
 - Admin-configurable visible columns (enable/disable from admin panel)
 - Sorting: by ETA, % complete, alphabetical, download status
 - Keep filter tabs (All/Active/Completed/Failed) with counts
 ### 8. Download Item Actions (Glyphs, Not Words)
 **Priority: HIGH**
 - Use intuitive glyphs/icons instead of text labels
 - **Active downloads:** Cancel (✕)
 - **Completed downloads:** Download to local machine (↓), Copy share link (🔗), Clear from queue (✕)
 - Cancel and clear should use the same position/interface pattern
 - Single-click copy for share link
 ### 9. Cancel Download Bug
 **Priority: HIGH (Functional Bug)**
 - Cancel button (✕) on active downloads does not work — clicking does not cancel the download
 - Network logs show no request is sent when clicking cancel
 - Likely a click handler or z-index/event propagation issue in the grid layout
 - Must investigate and fix
 ### 10. Session Management UI Missing
 **Priority: MEDIUM**
 - R017 (Session export/import) has no visible UI elements
 - No export, import, or delete session buttons anywhere in the app
 - Needs UI surface — likely in a settings area or as part of the header/footer
 ### 11. Admin Panel — Deferred to Next Review
 **Priority: MEDIUM (deferred)**
 - Admin panel needs review after UI changes are applied
 - Current state: login form shows even when admin is disabled (no credentials configured)
 - New admin features needed: welcome message editor, theme selection, column visibility toggles
 - Default credentials / first-boot setup flow needs work
 - Will review in next walkthrough round
 ### 12. Mobile View
 **Priority: MEDIUM**
 - Bottom tab bar (SUBMIT/QUEUE) appears at <768px
 - If table-style download display makes mobile too complex, recommend most elegant fallback
 - Needs reassessment after desktop changes land
 ---
 ## Bugs Found
 | # | Description | Severity |
 |---|---|---|
 | B1 | Cancel button on active downloads doesn't fire network request | High |
 | B2 | Admin login form shown when admin is disabled (no credentials configured) | Medium |
 | B3 | Format picker only shows "Completed" text match from filter tab label (false text match, cosmetic) | Low |
 ---
 ## Proposed Execution Order
 1. **Cancel bug fix** (B1) — functional blocker
 2. **Header rework** — remove tabs, add welcome message block, simplify theme to sun/moon toggle
 3. **Footer** — version info display
 4. **Download flow** — quick download + optional format picker, audio/video toggle
 5. **Queue table redesign** — table-style with sorting, timestamps, file size
 6. **Action glyphs** — download/copy/clear icons on completed items
 7. **Admin panel improvements** — welcome message editor, theme selection, column config
 8. **Session management UI** — export/import/delete
 9. **Mobile reassessment** — after desktop changes
 ---
 ## Out of Scope for This Pass
 - Full admin panel redesign (deferred to next review round)
 - Playlist-specific UI (parent/child collapse) — will be designed during execution if time permits
 - Visual polish / animation refinement
--- a/.gsd/milestones/M001/slices/S01/S01-ASSESSMENT.md
+++ b/.gsd/milestones/M001/slices/S01/S01-ASSESSMENT.md
@ -1,37 +0,0 @@
 # S01 Post-Slice Assessment
 **Verdict:** Roadmap confirmed — no changes needed.
 ## Risk Retirement
 S01's primary risk (sync-to-async bridge) is fully retired. Real yt-dlp download produces progress events via `call_soon_threadsafe` into asyncio.Queue, proven by integration test with actual YouTube download. This was the highest-risk item in the entire milestone.
 ## Boundary Contract Check
 All S01 outputs match the boundary map exactly:
 - `database.py`, `config.py`, `sse_broker.py`, `download.py`, models, routers — all present with the expected APIs
 - `app.state` holds `db`, `config`, `broker`, `download_service` as documented
 - Stub session dependency in `dependencies.py` ready for S02 replacement
 - `middleware/` package exists but empty, awaiting S02's SessionMiddleware
 No boundary contract adjustments needed.
 ## Success Criteria Coverage
 All 9 success criteria map to at least one remaining slice (S02-S06). No gaps.
 ## Requirement Coverage
 - R019 (output templates) and R024 (concurrent same-URL) validated in S01
 - 24 active requirements still correctly assigned to their designated slices
 - No new requirements surfaced, none invalidated
 ## Known Issues Carried Forward
 - yt-dlp cancel has no reliable mid-stream abort — known limitation, doesn't affect remaining slices
 - Worker thread teardown noise in tests — cosmetic, production unaffected
 - yt-dlp version pinned at 2026.3.17 — integration tests depend on network; "Me at the zoo" is stable but not guaranteed
 ## Slice Ordering
 S02 (SSE + sessions) remains the correct next slice — it's the second high-risk item and unblocks S03 (frontend) and S04 (admin).
--- a/.gsd/milestones/M001/slices/S01/S01-PLAN.md
+++ b/.gsd/milestones/M001/slices/S01/S01-PLAN.md
@ -1,111 +0,0 @@
 # S01: Foundation + Download Engine
 **Goal:** Deliver the backend foundation: project scaffold, SQLite database with WAL mode, config system (defaults → YAML → env vars), Pydantic models, SSE broker data structure, yt-dlp download service with sync-to-async progress bridging, and API routes for submitting downloads and probing formats.
 **Demo:** `POST /api/downloads` with a URL → yt-dlp downloads it to `/downloads` with progress events arriving in an `asyncio.Queue` via `call_soon_threadsafe`. `GET /api/formats?url=` returns available qualities. Config loads from YAML + env vars. SQLite with WAL mode stores jobs. Proven via pytest running API tests and a real yt-dlp download.
 ## Must-Haves
 - Project scaffold with `pyproject.toml`, pinned dependencies, and `backend/app/` package structure matching the boundary map
 - Pydantic models: `Job`, `JobStatus`, `JobCreate`, `ProgressEvent` (with `from_yt_dlp` normalizer handling `total_bytes: None`), `Session`, `FormatInfo`
 - Config via `pydantic-settings[yaml]`: `AppConfig` with env prefix `MEDIARIP`, nested delimiter `__`, YAML source, zero-config defaults
 - SQLite database via `aiosqlite`: WAL mode + `busy_timeout=5000` + `synchronous=NORMAL` as first PRAGMAs, schema for `sessions`/`jobs`/`config`/`unsupported_urls` tables, async CRUD functions
 - `SSEBroker`: per-session queue map with `subscribe`/`unsubscribe`/`publish`, thread-safe via `call_soon_threadsafe`
 - `DownloadService`: `ThreadPoolExecutor`, fresh `YoutubeDL` per job, progress hook → broker publish, `enqueue()` and `get_formats()` methods
 - Output template resolver: per-domain template lookup with fallback to `*` default
 - `POST /api/downloads`, `GET /api/downloads`, `DELETE /api/downloads/{id}`, `GET /api/formats?url=`
 - Stub session ID dependency (reads `X-Session-ID` header, falls back to default UUID) replaceable by S02 middleware
 - Real yt-dlp integration test proving progress events flow through the sync-to-async bridge
 ## Proof Level
 - This slice proves: integration (sync-to-async bridge, DB concurrency, full API vertical)
 - Real runtime required: yes (yt-dlp must download a real file)
 - Human/UAT required: no
 ## Verification
 All tests run from `backend/` using the venv Python (system Python is 3.14, project requires 3.12):
 - `cd backend && .venv/Scripts/python -m pytest tests/test_models.py -v` — model construction, `ProgressEvent.from_yt_dlp` normalization, edge cases
 - `cd backend && .venv/Scripts/python -m pytest tests/test_config.py -v` — env var override, YAML loading, zero-config defaults
 - `cd backend && .venv/Scripts/python -m pytest tests/test_database.py -v` — CRUD, WAL mode verification, concurrent writes
 - `cd backend && .venv/Scripts/python -m pytest tests/test_sse_broker.py -v` — subscribe/unsubscribe, thread-safe publish
 - `cd backend && .venv/Scripts/python -m pytest tests/test_download_service.py -v` — real yt-dlp download with progress events, format extraction
 - `cd backend && .venv/Scripts/python -m pytest tests/test_api.py -v` — all four API endpoints via httpx AsyncClient
 - `cd backend && .venv/Scripts/python -m pytest tests/ -v` — full suite green, 0 failures
 - Verify `PRAGMA journal_mode` returns `wal` in database test
 - Verify progress events contain `status=downloading` with valid percent values in download service test
 ## Observability / Diagnostics
 - Runtime signals: `logging.getLogger("mediarip")` structured logs on job state transitions (queued → extracting → downloading → completed/failed), download errors logged with job_id + exception
 - Inspection surfaces: `jobs` table in SQLite with `status`, `error_message`, `progress_percent` columns; `PRAGMA journal_mode` query to verify WAL
 - Failure visibility: `Job.error_message` stores failure reason, `Job.status = "failed"` on any download error, `ProgressEvent` includes `status` field for real-time failure detection
 - Redaction constraints: none in S01 (admin credentials are S04)
 ## Integration Closure
 - Upstream surfaces consumed: none (first slice)
 - New wiring introduced: FastAPI app factory with lifespan (DB init/close), router mounting, dependency injection for DownloadService/SSEBroker/database
 - What remains before the milestone is truly usable end-to-end: S02 (SSE transport + real session middleware), S03 (frontend SPA), S04 (admin auth), S05 (themes), S06 (Docker + CI/CD)
 ## Tasks
 - [x] **T01: Scaffold project and define Pydantic models** `est:45m`
  - Why: Greenfield project — no code exists. Every subsequent task imports from the models and depends on the package structure. The boundary map contract (`app/core/`, `app/services/`, `app/routers/`, `app/models/`) must be established first.
  - Files: `backend/pyproject.toml`, `backend/app/__init__.py`, `backend/app/main.py`, `backend/app/models/__init__.py`, `backend/app/models/job.py`, `backend/app/models/session.py`, `backend/tests/test_models.py`
  - Do: Create `backend/pyproject.toml` with all pinned deps from research. Create directory structure with `__init__.py` files for `app/`, `app/core/`, `app/services/`, `app/routers/`, `app/models/`, `app/middleware/`. Write `JobStatus` enum, `JobCreate`, `Job`, `ProgressEvent` (with `from_yt_dlp` classmethod), `FormatInfo`, `Session` models. Write `app/main.py` skeleton (empty FastAPI app, placeholder lifespan). Write model unit tests covering ProgressEvent normalization with `total_bytes: None`, `total_bytes_estimate` fallback, and all status values.
  - Verify: `cd backend && pip install -e ".[dev]" && python -m pytest tests/test_models.py -v`
  - Done when: `pip install -e ".[dev]"` succeeds, all model tests pass, `from app.models.job import Job, JobStatus, ProgressEvent, JobCreate, FormatInfo` works
 - [x] **T02: Build config system, database layer, and SSE broker** `est:1h`
  - Why: These three infrastructure modules are the foundation everything else depends on. Config provides settings to database and download service. Database stores all job state. SSE broker is the thread-safe event distribution mechanism. All three are pure infrastructure with well-defined interfaces.
  - Files: `backend/app/core/config.py`, `backend/app/core/database.py`, `backend/app/core/sse_broker.py`, `backend/tests/conftest.py`, `backend/tests/test_config.py`, `backend/tests/test_database.py`, `backend/tests/test_sse_broker.py`
  - Do: Build `AppConfig` via pydantic-settings with env prefix `MEDIARIP`, nested delimiter `__`, YAML source (handle missing file gracefully), and `settings_customise_sources` for priority ordering. Build database module with aiosqlite: singleton connection pattern for lifespan, WAL + busy_timeout + synchronous PRAGMAs first, schema creation (sessions, jobs, config, unsupported_urls tables with indexes), async CRUD functions. Build SSEBroker with per-session queue map, subscribe/unsubscribe, and `publish` using `loop.call_soon_threadsafe`. Create `conftest.py` with shared fixtures (temp DB, test config). Write tests: config env override + YAML + zero-config defaults; DB CRUD + WAL verification + concurrent write test; broker subscribe/publish-from-thread/unsubscribe.
  - Verify: `cd backend && python -m pytest tests/test_config.py tests/test_database.py tests/test_sse_broker.py -v`
  - Done when: All three test files pass. `PRAGMA journal_mode` returns `wal`. Concurrent writes (3 simultaneous) complete without `SQLITE_BUSY`. Broker publish from a thread delivers event to subscriber queue.
 - [x] **T03: Implement download service with sync-to-async bridge** `est:1h`
  - Why: This is the highest-risk component in the slice — the sync-to-async bridge between yt-dlp worker threads and asyncio queues. It must be built and proven separately before API routes wire it up. The output template resolver is a direct dependency. This task retires the primary risk identified in the roadmap: "proving yt-dlp progress events arrive in an asyncio.Queue via call_soon_threadsafe."
  - Files: `backend/app/services/download.py`, `backend/app/services/output_template.py`, `backend/app/services/__init__.py`, `backend/tests/test_download_service.py`, `backend/tests/test_output_template.py`
  - Do: Build `resolve_template(url, user_override, config)` — extract domain, lookup in `source_templates` config map, fallback to `*`. Build `DownloadService` class: accepts config, database, SSE broker, event loop in constructor. `ThreadPoolExecutor(max_workers=config.downloads.max_concurrent)`. `enqueue(job_create, session_id)` creates DB row then submits `_run_download` to executor. `_run_download` creates fresh `YoutubeDL` per job (never shared), registers progress hook that calls `loop.call_soon_threadsafe(broker.publish, session_id, ProgressEvent.from_yt_dlp(...))`, updates DB on completion/failure. `get_formats(url)` runs `extract_info(url, download=False)` in executor, returns list of `FormatInfo`. `cancel(job_id)` sets status=failed in DB. Handle `total_bytes: None` in progress hook. Throttle DB progress writes (≥1% change or status change). Write integration test: real yt-dlp download of a short Creative Commons video, assert progress events arrive in broker queue with `status=downloading` and valid percent. Write format extraction test. Write output template unit tests.
  - Verify: `cd backend && python -m pytest tests/test_download_service.py tests/test_output_template.py -v`
  - Done when: Real download test passes — file appears in output dir AND progress events with `status=downloading` were received in the broker queue. Format extraction returns non-empty list with `format_id` and `ext` fields. Output template resolves domain-specific and fallback templates correctly.
 - [x] **T04: Wire API routes and FastAPI app factory** `est:45m`
  - Why: The API routes are the HTTP surface that S02 and S03 consume. The app factory lifespan wires database init/close and service construction. The stub session dependency provides `session_id` for testing until S02 delivers real middleware. This task proves the full vertical: HTTP request → router → service → yt-dlp → DB + SSE broker.
  - Files: `backend/app/main.py`, `backend/app/routers/downloads.py`, `backend/app/routers/formats.py`, `backend/app/routers/__init__.py`, `backend/app/dependencies.py`, `backend/tests/test_api.py`, `backend/tests/conftest.py`
  - Do: Create `app/dependencies.py` with stub `get_session_id` dependency (reads `X-Session-ID` header, falls back to a default UUID — clearly documented as S02-replaceable). Update `app/main.py` lifespan: init aiosqlite connection with WAL PRAGMAs, create schema, instantiate AppConfig + SSEBroker + DownloadService, store on `app.state`, close DB on shutdown. Mount download and format routers under `/api`. Build `POST /api/downloads` (accepts `JobCreate` body + session_id dep, delegates to `DownloadService.enqueue`, returns `Job`), `GET /api/downloads` (returns jobs for session from DB), `DELETE /api/downloads/{id}` (cancels job), `GET /api/formats?url=` (delegates to `DownloadService.get_formats`). Write API tests via `httpx.AsyncClient` + `ASGITransport`: POST valid URL → 200 + Job JSON, GET downloads → list, DELETE → 200, GET formats → format list, POST invalid URL → error response.
  - Verify: `cd backend && python -m pytest tests/test_api.py -v && python -m pytest tests/ -v`
  - Done when: All four API endpoints return correct responses. Full test suite (`python -m pytest tests/ -v`) passes with 0 failures. The app starts via lifespan without errors.
 ## Files Likely Touched
 - `backend/pyproject.toml`
 - `backend/app/__init__.py`
 - `backend/app/main.py`
 - `backend/app/models/__init__.py`
 - `backend/app/models/job.py`
 - `backend/app/models/session.py`
 - `backend/app/core/__init__.py`
 - `backend/app/core/config.py`
 - `backend/app/core/database.py`
 - `backend/app/core/sse_broker.py`
 - `backend/app/services/__init__.py`
 - `backend/app/services/download.py`
 - `backend/app/services/output_template.py`
 - `backend/app/routers/__init__.py`
 - `backend/app/routers/downloads.py`
 - `backend/app/routers/formats.py`
 - `backend/app/dependencies.py`
 - `backend/app/middleware/__init__.py`
 - `backend/tests/__init__.py`
 - `backend/tests/conftest.py`
 - `backend/tests/test_models.py`
 - `backend/tests/test_config.py`
 - `backend/tests/test_database.py`
 - `backend/tests/test_sse_broker.py`
 - `backend/tests/test_download_service.py`
 - `backend/tests/test_output_template.py`
 - `backend/tests/test_api.py`
--- a/.gsd/milestones/M001/slices/S01/S01-RESEARCH.md
+++ b/.gsd/milestones/M001/slices/S01/S01-RESEARCH.md
@ -1,157 +0,0 @@
 # S01: Foundation + Download Engine — Research
 **Date:** 2026-03-17
 **Depth:** Deep research — high-risk slice, sync-to-async bridge, greenfield project with no existing code
 ## Summary
 S01 is the foundation slice for a greenfield project. No source code exists yet — everything must be built from scratch using the comprehensive planning docs (PROJECT.md, ARCHITECTURE.md, STACK.md, PITFALLS.md) as specifications. The slice must deliver: project scaffolding with dependency management, SQLite database with WAL mode, a three-layer config system (defaults → YAML → env vars), Pydantic models for jobs/sessions/events, an SSE broker data structure for per-session queues, a download service wrapping yt-dlp in a ThreadPoolExecutor with `call_soon_threadsafe` progress bridging, and API routes for submitting downloads and probing formats.
 The primary risk is the sync-to-async bridge: yt-dlp is synchronous, FastAPI is async, and progress events must flow from worker threads to asyncio queues without blocking the event loop or losing events. This is a well-documented pattern (`ThreadPoolExecutor` + `loop.call_soon_threadsafe`), but getting the event loop capture and hook wiring wrong produces silent event loss. The slice must prove this works with a real download test.
 Secondary risks are SQLite write contention under concurrent downloads (solved by WAL mode + busy_timeout, but must be enabled before any schema work) and the config system's fourth layer (SQLite admin writes, which S04 builds on top of the pydantic-settings layers delivered here).
 ## Recommendation
 Build bottom-up: project scaffold → database → config → models → SSE broker → download service → API routes → tests. Prove the sync-to-async bridge as early as possible by writing an integration test that runs a real yt-dlp download and asserts progress events arrive in an asyncio.Queue.
 **Key architectural choices to follow** (from DECISIONS.md):
 - D001: Python 3.12 + FastAPI
 - D004: SQLite via aiosqlite with WAL mode
 - D005: yt-dlp as library import, not subprocess
 - D006: ThreadPoolExecutor + loop.call_soon_threadsafe
 - D007: Opaque UUID in httpOnly cookie (session model only; middleware is S02)
 - D008: HTTPBasic + bcrypt 5.0.0 direct (admin auth is S04, but the model should accommodate it)
 - D009: Defaults → config.yaml → env vars → SQLite admin writes
 **Naming convention:** Follow the boundary map in the roadmap (`app/core/`, `app/services/`, `app/routers/`, `app/models/`, `app/middleware/`), not the PROJECT.md structure (which uses `app/api/` and `app/core/` for everything). The roadmap boundary map is the contract S02 depends on.
 ## Implementation Landscape
 ### Key Files
 All paths relative to `backend/` within the repo root.
 - `backend/pyproject.toml` — Python project config with pinned dependencies (fastapi 0.135.1, uvicorn 0.42.0, yt-dlp 2026.3.17, aiosqlite 0.22.1, apscheduler 3.11.2, pydantic 2.12.5, pydantic-settings[yaml] 2.13.1, sse-starlette 3.3.3, bcrypt 5.0.0, python-multipart 0.0.22, PyYAML 6.0.2). Dev deps: httpx 0.28.1, pytest 9.0.2, anyio, ruff.
 - `backend/app/__init__.py` — Package marker
 - `backend/app/main.py` — FastAPI app factory with lifespan context manager (DB init/close, future scheduler start). Mounts routers. SPA fallback for frontend (future). **S01 delivers the skeleton only** — lifespan starts DB, mounts download + format routers.
 - `backend/app/core/__init__.py` — Package marker
 - `backend/app/core/database.py` — Singleton aiosqlite connection managed in lifespan. Must set `PRAGMA journal_mode=WAL`, `PRAGMA synchronous=NORMAL`, `PRAGMA busy_timeout=5000` before schema creation. Schema: `sessions`, `jobs`, `config`, `unsupported_urls` tables. Provides async functions for job CRUD (create, get_by_id, get_by_session, update_status, update_progress, delete). Uses `aiosqlite.Row` row_factory for dict-like access. Indexes on `jobs(session_id, status)`, `jobs(completed_at)`, `sessions(last_seen)`.
 - `backend/app/core/config.py` — `AppConfig` via pydantic-settings with `env_prefix="MEDIARIP"`, `env_nested_delimiter="__"`, `yaml_file` path. Nested models: `ServerConfig`, `DownloadsConfig`, `SessionConfig`, `PurgeConfig`, `UIConfig`, `ReportingConfig`, `AdminConfig`. `settings_customise_sources` override to order: env vars → YAML → init → defaults. This covers layers 1-3 of the config hierarchy. Layer 4 (SQLite admin writes) is S04's responsibility — S01 just reads config, never writes to SQLite config table.
 - `backend/app/models/__init__.py` — Package marker
 - `backend/app/models/job.py` — `JobStatus` enum (queued, extracting, downloading, completed, failed, expired), `JobCreate` (url, format_id, quality, output_template — all optional except url), `Job` Pydantic model matching the DB schema, `ProgressEvent` model (job_id, status, percent, speed, eta, downloaded_bytes, total_bytes, filename). ProgressEvent has a `from_yt_dlp(job_id, d)` classmethod that normalizes raw yt-dlp progress hook dicts.
 - `backend/app/models/session.py` — `Session` Pydantic model (id, created_at, last_seen, job_count). Lightweight — S02 adds middleware that actually creates sessions.
 - `backend/app/core/sse_broker.py` — `SSEBroker` class. Holds `dict[str, list[asyncio.Queue]]` mapping session_id → list of subscriber queues. Methods: `subscribe(session_id) → Queue`, `unsubscribe(session_id, queue)`, `publish(session_id, event)`. The `publish` method uses `loop.call_soon_threadsafe(queue.put_nowait, event)` — this is the thread-safe bridge. Must store a reference to the event loop captured at app startup. **S01 builds this data structure; S02 wires it to the SSE endpoint.**
 - `backend/app/services/__init__.py` — Package marker
 - `backend/app/services/download.py` — `DownloadService` class. Owns a `ThreadPoolExecutor(max_workers=config.downloads.max_concurrent)`. Methods: `enqueue(job_create, session_id) → Job` (creates DB row, submits to executor), `cancel(job_id)` (sets status=failed, relies on yt-dlp's internal cancellation — no reliable mid-stream abort exists), `get_formats(url) → list[FormatInfo]` (runs `extract_info(url, download=False)` in executor). The worker function `_run_download(job_id, url, opts)` creates a **fresh YoutubeDL instance per job** (never shared — Pitfall #1), registers a progress hook that calls `loop.call_soon_threadsafe(broker.publish, session_id, event)`, and handles errors by updating DB status to `failed`. The output template is resolved per-source domain using the `source_templates` config map (R019).
 - `backend/app/services/output_template.py` — `resolve_template(url, user_override, config) → str`. Extracts domain from URL, looks up in `config.downloads.source_templates`, falls back to `*` default. If user provided an override in the job submission, use that instead. Simple utility, no I/O.
 - `backend/app/routers/__init__.py` — Package marker
 - `backend/app/routers/downloads.py` — `POST /api/downloads` (accepts JobCreate body + session_id from request state, delegates to DownloadService.enqueue), `GET /api/downloads` (returns jobs for current session from DB), `DELETE /api/downloads/{id}` (delegates to DownloadService.cancel). Session_id comes from `request.state.session_id` — **in S01, this must be a temporary dependency** since session middleware is S02. Use a header or query param fallback for testing, or a stub middleware.
 - `backend/app/routers/formats.py` — `GET /api/formats?url={url}` (delegates to DownloadService.get_formats). Returns normalized format list with resolution, codec, ext, filesize estimate, format_id. Must handle `filesize: null` gracefully (common — R002 notes this).
 - `backend/tests/` — Test directory with conftest.py (httpx AsyncClient + ASGITransport), test files for database, config, download service, and API routes.
 ### Build Order
 The build order is strictly dependency-driven:
 1. **Project scaffold** — `pyproject.toml`, directory structure, `__init__.py` files, `backend/app/main.py` skeleton with empty lifespan. This unblocks everything else.
 2. **Pydantic models** (`app/models/`) — Job, Session, ProgressEvent, JobCreate, FormatInfo models. These are pure data classes with no dependencies. Every other module imports from here.
 3. **Config system** (`app/core/config.py`) — AppConfig with pydantic-settings. Depends on nothing except pydantic. Creates the typed config that database, download service, and routes all need. Must be testable standalone: verify env var override works, verify YAML loading works, verify defaults are sane.
 4. **Database** (`app/core/database.py`) — aiosqlite connection singleton, schema creation, WAL mode setup, job/session CRUD functions. Depends on models (for type hints) and config (for DB path). **Critical: WAL + busy_timeout must be the first PRAGMAs executed.** Test with concurrent writes to verify no SQLITE_BUSY errors.
 5. **SSE Broker** (`app/core/sse_broker.py`) — Pure asyncio data structure. Depends only on the event loop reference. Test in isolation: create broker, subscribe, publish from a thread, verify event arrives in queue.
 6. **Output template resolver** (`app/services/output_template.py`) — Pure function, depends only on config. Quick to build and test.
 7. **Download service** (`app/services/download.py`) — The critical integration point. Depends on database, config, SSE broker, models, output_template. This is where the sync-to-async bridge lives. **Build and test this before API routes** — proving the bridge works is the slice's primary risk retirement.
 8. **API routes** (`app/routers/downloads.py`, `app/routers/formats.py`) — Thin HTTP layer over the download service. Depends on everything above. Need a stub session_id mechanism for testing (S02 provides real middleware).
 9. **Integration tests** — Real yt-dlp download test that proves events flow through the bridge. Format extraction test against a known URL. Concurrent download test (3 simultaneous) that proves WAL mode handles contention.
 ### Verification Approach
 **Unit tests** (fast, no network):
 - Config: env var override, YAML loading, defaults
 - Models: ProgressEvent.from_yt_dlp with various yt-dlp dict shapes (including `total_bytes: None`)
 - Database: CRUD operations, WAL mode verification (`PRAGMA journal_mode` returns `wal`), concurrent write test
 - SSE Broker: subscribe/unsubscribe, publish from thread via call_soon_threadsafe
 - Output template: domain matching, fallback to `*`, user override priority
 **Integration tests** (require yt-dlp, may need network):
 - `test_real_download` — Submit a short public-domain video URL → verify file appears in output dir, verify ProgressEvents were emitted with status=downloading and status=finished
 - `test_format_extraction` — Call `get_formats` on a known URL → verify formats list is non-empty, each has format_id + ext
 - `test_concurrent_downloads` — Start 3 downloads simultaneously → verify all complete without SQLITE_BUSY errors or progress cross-contamination
 **API tests** (httpx AsyncClient):
 - `POST /api/downloads` with valid URL → 200 + Job response
 - `GET /api/downloads` → list of jobs
 - `DELETE /api/downloads/{id}` → 200
 - `GET /api/formats?url=...` → format list
 - `POST /api/downloads` with invalid URL → appropriate error
 **Smoke command:** `cd backend && python -m pytest tests/ -v`
 ## Don't Hand-Roll
 | Problem | Existing Solution | Why Use It |
 |---------|------------------|------------|
 | Config loading from YAML + env vars with nested delimiter | `pydantic-settings[yaml]` with `YamlConfigSettingsSource` | Handles `MEDIARIP__SECTION__KEY` → nested model natively via `env_nested_delimiter="__"`. Custom source priority via `settings_customise_sources`. No manual parsing needed. |
 | Progress hook normalization | yt-dlp's built-in `progress_hooks` callback | Fires with structured dict containing `status`, `downloaded_bytes`, `total_bytes`, `speed`, `eta`, `filename`. Just normalize into Pydantic model. |
 | Thread-safe event loop bridging | `asyncio.AbstractEventLoop.call_soon_threadsafe` | stdlib solution. The ONLY safe way to push data from a sync thread to an asyncio Queue. |
 | SQLite async access | `aiosqlite` | asyncio bridge over stdlib sqlite3. Context manager pattern for connection lifecycle. |
 | HTTP test client | `httpx.AsyncClient` with `ASGITransport` | FastAPI's recommended testing pattern. No real server needed. |
 ## Constraints
 - **Python 3.12 only** — passlib breaks on 3.13; pinned in Dockerfile (D001)
 - **yt-dlp as library, not subprocess** — structured progress hooks, no shell injection (D005)
 - **Fresh YoutubeDL instance per job** — never shared across threads. YoutubeDL contains mutable state (cookies, temp files, logger) that corrupts under concurrent access (Pitfall #1)
 - **ThreadPoolExecutor only** — YoutubeDL is not picklable, rules out ProcessPoolExecutor (D006, yt-dlp issue #9487)
 - **WAL mode + busy_timeout BEFORE any schema work** — first PRAGMAs on DB init. Without this, 3+ concurrent downloads cause SQLITE_BUSY (Pitfall #7)
 - **Event loop captured at startup** — `asyncio.get_event_loop()` in lifespan, stored on SSEBroker/DownloadService. Cannot call `get_event_loop()` inside a worker thread.
 - **yt-dlp >= 2023.07.06** — CVE-2023-35934 cookie leak via redirect. Pin version in dependencies.
 - **pydantic-settings env prefix** — Must use `MEDIARIP` prefix (no trailing underscore — pydantic-settings adds `_` between prefix and field). Double-underscore `__` for nesting: `MEDIARIP__DOWNLOADS__MAX_CONCURRENT`.
 - **No automatic outbound network requests** — R020 hard constraint. No telemetry, no CDN, no update checks.
 - **Session middleware is S02** — S01 routes need a temporary session_id mechanism. Use a dependency that reads `X-Session-ID` header or generates a default UUID for testing. S02 replaces this with real cookie middleware.
 ## Common Pitfalls
 - **Shared YoutubeDL instance** — Progress percentages jump between jobs, `TypeError` on `None` fields. Create fresh instance per job inside the worker function. Never pass YoutubeDL across thread boundaries. (Pitfall #1)
 - **Calling asyncio primitives from progress hook** — `asyncio.Queue.put_nowait()` directly from the hook raises `RuntimeError: no running event loop`. Must use `loop.call_soon_threadsafe(queue.put_nowait, data)`. (Pitfall #2)
 - **`total_bytes` is frequently None** — yt-dlp returns `None` for subtitle downloads, live streams, and some sites. The `ProgressEvent.from_yt_dlp` normalizer must handle this: use `total_bytes_estimate` as fallback, calculate percent as 0 if both are None. (R002 notes, Pitfall checklist)
 - **aiosqlite connection not closed properly** — Always use `async with aiosqlite.connect()` context manager. Unclosed connections in test teardown cause "database is locked" errors in subsequent tests.
 - **pydantic-settings YAML file missing** — If `config.yaml` doesn't exist (zero-config mode), pydantic-settings must not crash. Set `yaml_file` only if the file exists, or handle `FileNotFoundError` in the custom source.
 - **Progress hook throttling** — yt-dlp fires the hook very frequently (every few KB on fast connections). Writing every event to DB causes write contention. Throttle DB writes: update only when percent changes by ≥1% or status changes. SSE broker gets all events (they're cheap in-memory), but DB gets throttled writes.
 - **Format extraction timeout** — `extract_info(url, download=False)` can take 3-10+ seconds for some sites. Must run in executor (not on event loop). Consider a timeout wrapper so a bad URL doesn't block a thread pool slot forever.
 ## Open Risks
 - **Session ID mechanism for S01 testing** — S01 produces download/format routes that need `session_id`, but session middleware is S02. The stub mechanism (header-based fallback) must be cleanly replaceable. Risk: if the stub leaks into production code or makes assumptions S02 breaks.
 - **yt-dlp version drift** — Pinning to 2026.3.17 ensures reproducibility, but site extractors break as YouTube/Vimeo update APIs. Users will report "can't download X" before a new image is published. Acceptable for v1.0 but needs an update strategy for v1.x.
 - **Large playlist memory pressure** — A 200-video playlist creates 201 DB rows and 201 SSE events on reconnect replay. S01 should design the schema to handle this but cannot fully test it without the SSE endpoint (S02).
 - **Config YAML missing vs. malformed** — Missing file = zero-config (expected). Malformed YAML = crash at startup. Need graceful error handling with clear error message pointing to the syntax problem.
 ## Skills Discovered
 | Technology | Skill | Status |
 |------------|-------|--------|
 | FastAPI | `wshobson/agents@fastapi-templates` (7.3K installs) | available — most popular; general FastAPI templates |
 | FastAPI | `fastapi/fastapi@fastapi` (509 installs) | available — official repo skill |
 | yt-dlp | `lwmxiaobei/yt-dlp-skill@yt-dlp` (559 installs) | available — yt-dlp specific |
 None are critical for this work — the planning docs + library docs provide sufficient implementation guidance. Consider installing the FastAPI templates skill if future slices need more boilerplate generation.
 ## Sources
 - yt-dlp progress hooks and extract_info API (source: [yt-dlp embedding docs](https://github.com/yt-dlp/yt-dlp#embedding-yt-dlp))
 - pydantic-settings YAML + env nested delimiter (source: [pydantic-settings docs](https://docs.pydantic.dev/latest/concepts/pydantic_settings/))
 - sse-starlette disconnect handling with CancelledError (source: [sse-starlette README](https://github.com/sysid/sse-starlette))
 - aiosqlite async context manager pattern (source: [aiosqlite README](https://github.com/omnilib/aiosqlite))
 - yt-dlp YoutubeDL not picklable — ThreadPoolExecutor required (source: [yt-dlp issue #9487](https://github.com/yt-dlp/yt-dlp/issues/9487))
 - CVE-2023-35934 cookie leak via redirect (source: [GHSA-v8mc-9377-rwjj](https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-v8mc-9377-rwjj))
 - SQLite WAL mode for concurrent write access (source: [SQLite WAL docs](https://www.sqlite.org/wal.html))
 - APScheduler CronTrigger.from_crontab for cron string parsing (source: [APScheduler 3.x docs](https://apscheduler.readthedocs.io/en/3.x/))
--- a/.gsd/milestones/M001/slices/S01/S01-SUMMARY.md
+++ b/.gsd/milestones/M001/slices/S01/S01-SUMMARY.md
@ -1,200 +0,0 @@
 ---
 id: S01
 parent: M001
 milestone: M001
 provides:
  - Python backend scaffold (backend/app/ with core, models, services, routers, middleware subpackages)
  - Pydantic models: Job, JobStatus, JobCreate, ProgressEvent (with from_yt_dlp normalizer), FormatInfo, Session
  - AppConfig via pydantic-settings (env + YAML + zero-config defaults, MEDIARIP__ prefix)
  - aiosqlite database with WAL mode, busy_timeout, 4-table schema, async CRUD functions
  - SSEBroker with thread-safe publish via call_soon_threadsafe
  - DownloadService with ThreadPoolExecutor, sync-to-async bridge, progress hook → SSE broker
  - Output template resolver with per-domain lookup and fallback chain
  - API routes: POST/GET/DELETE /api/downloads, GET /api/formats?url=
  - Stub session_id dependency (X-Session-ID header, S02-replaceable)
  - FastAPI app factory with lifespan (DB init/close, service wiring)
 requires:
  - slice: none
    provides: first slice — no upstream dependencies
 affects:
  - S02 (consumes database, config, SSEBroker, DownloadService, models)
  - S03 (consumes API routes, models for TypeScript type generation)
  - S04 (consumes database, config, DownloadService.cancel)
 key_files:
  - backend/pyproject.toml
  - backend/app/main.py
  - backend/app/models/job.py
  - backend/app/models/session.py
  - backend/app/core/config.py
  - backend/app/core/database.py
  - backend/app/core/sse_broker.py
  - backend/app/services/download.py
  - backend/app/services/output_template.py
  - backend/app/routers/downloads.py
  - backend/app/routers/formats.py
  - backend/app/dependencies.py
 key_decisions:
  - Used Python 3.12 venv (py -3.12) — system Python is 3.14 but project requires >=3.12,<3.13
  - SSEBroker.publish() handles thread-safety internally via call_soon_threadsafe — workers call it directly
  - DB writes from worker threads use asyncio.run_coroutine_threadsafe().result(timeout=10) — blocks worker thread briefly
  - httpx ASGITransport doesn't trigger Starlette lifespan — test fixtures wire app.state manually
  - Test video is jNQXAC9IVRw ("Me at the zoo") — BaW_jenozKc is unavailable as of March 2026
 patterns_established:
  - ProgressEvent.from_yt_dlp normalizes raw yt-dlp hook dicts with total_bytes fallback chain
  - Fresh YoutubeDL instance per job in worker thread — never shared across threads
  - Progress hook throttling — SSE broker gets all events, DB writes only on >=1% change or status change
  - Thread-to-async bridge — call_soon_threadsafe for fire-and-forget, run_coroutine_threadsafe for blocking
  - Test fixture pattern — fresh FastAPI app per test with temp DB/output dir, services on app.state
  - _SafeYamlSource wraps YamlConfigSettingsSource to gracefully handle missing/None yaml_file
  - Database PRAGMA order: busy_timeout → WAL → synchronous before any DDL
 observability_surfaces:
  - mediarip.download logger at INFO for job lifecycle (created/starting/completed/cancelled), ERROR with exc_info for failures
  - mediarip.database logger at INFO for WAL mode set and table creation
  - mediarip.sse logger at WARNING for QueueFull (subscriber backpressure)
  - mediarip.app logger at INFO for startup config source and DB path
  - mediarip.api.downloads/formats loggers at DEBUG for request details
  - Job.error_message column stores yt-dlp failure reason; Job.status tracks lifecycle
  - Error responses return structured JSON with detail field, not stack traces
 drill_down_paths:
  - .gsd/milestones/M001/slices/S01/tasks/T01-SUMMARY.md
  - .gsd/milestones/M001/slices/S01/tasks/T02-SUMMARY.md
  - .gsd/milestones/M001/slices/S01/tasks/T03-SUMMARY.md
  - .gsd/milestones/M001/slices/S01/tasks/T04-SUMMARY.md
 duration: 72m
 verification_result: passed
 completed_at: 2026-03-17
 ---
 # S01: Foundation + Download Engine
 **Built the complete backend foundation: FastAPI app with yt-dlp download engine, SQLite/WAL persistence, config system, SSE broker, and 4 API endpoints — 68 tests passing including a real YouTube download proving the sync-to-async bridge works.**
 ## What Happened
 Four tasks built the backend from scratch, each layer providing the foundation for the next:
 **T01 (scaffold + models)** created the project structure with `pyproject.toml` (11 runtime deps, 5 dev deps), the `backend/app/` package hierarchy matching the boundary map, and all Pydantic models. The critical `ProgressEvent.from_yt_dlp` classmethod normalizes raw yt-dlp progress hook dictionaries with the `total_bytes → total_bytes_estimate → None` fallback chain. 16 model tests.
 **T02 (config + database + SSE broker)** built three infrastructure modules. `AppConfig` uses pydantic-settings with env prefix `MEDIARIP__`, YAML source (graceful on missing file), and zero-config defaults. The database module sets SQLite PRAGMAs in critical order (busy_timeout → WAL → synchronous), creates 4 tables with indexes, and provides async CRUD. SSEBroker manages per-session asyncio.Queue maps with `publish()` using `call_soon_threadsafe` for thread safety. 31 tests (11 config + 11 database + 9 broker).
 **T03 (download service + output templates)** was the highest-risk task — proving the sync-to-async bridge. `DownloadService` wraps yt-dlp in a ThreadPoolExecutor. Each `enqueue()` creates a DB row then submits `_run_download` to the executor. The worker thread creates a fresh YoutubeDL per job, registers a progress hook that bridges events to the async world — broker gets every event directly (already thread-safe), DB writes are throttled to ≥1% changes via `run_coroutine_threadsafe`. A real integration test downloads "Me at the zoo" from YouTube and asserts progress events with `status=downloading` arrive in the broker queue. Output template resolver handles per-domain lookup with fallback. 13 tests (4 download service + 9 output template).
 **T04 (API routes + app factory)** wired the HTTP surface. The lifespan context manager loads config, inits DB, creates SSE broker and download service, stores all on `app.state`. Four routes: POST /api/downloads (201, creates job), GET /api/downloads (list by session), DELETE /api/downloads/{id} (cancel), GET /api/formats?url= (live extraction). A stub session dependency reads `X-Session-ID` header with default UUID fallback, documented as S02-replaceable. 8 API tests via httpx AsyncClient.
 ## Verification
 Full slice verification — 68/68 tests passing across 7 test files:
 | Test File | Tests | Status |
 |-----------|-------|--------|
 | test_models.py | 16 | ✅ passed |
 | test_config.py | 11 | ✅ passed |
 | test_database.py | 11 | ✅ passed |
 | test_sse_broker.py | 9 | ✅ passed |
 | test_download_service.py | 4 | ✅ passed |
 | test_output_template.py | 9 | ✅ passed |
 | test_api.py | 8 | ✅ passed |
 | **Full suite** | **68** | **✅ passed (8.36s)** |
 Key proof points:
 - `PRAGMA journal_mode` returns `wal` — verified in test_database
 - 3 concurrent DB writes complete without SQLITE_BUSY — verified in test_database
 - Real yt-dlp download produces a file AND progress events with `status=downloading` arrive in broker queue — verified in test_download_service
 - Format extraction returns non-empty list with format_id and ext fields — verified in test_download_service
 - Thread-safe publish from worker thread delivers event to subscriber queue — verified in test_sse_broker
 - All 4 API endpoints return correct responses — verified in test_api
 - Session isolation (different X-Session-ID headers see different jobs) — verified in test_api
 **Note:** Tests must run with the venv Python (`backend/.venv/Scripts/python`), not system Python (3.14). System Python lacks project dependencies.
 ## Requirements Advanced
 - R001 — POST /api/downloads accepts any URL and yt-dlp downloads it. Proven with real YouTube download in integration test. Backend portion complete; needs frontend (S03) for full user flow.
 - R002 — GET /api/formats?url= calls yt-dlp extract_info and returns format list. Backend extraction works; needs frontend picker (S03).
 - R019 — Output template resolver implements per-domain lookup (YouTube, SoundCloud) with config.yaml source_templates map and fallback chain. Fully implemented and tested.
 - R023 — Config system: hardcoded defaults → YAML → env vars all working. Zero-config works out of the box. SQLite admin writes deferred to S04.
 - R024 — Jobs keyed by UUID4. Concurrent same-URL downloads proven in test_concurrent_downloads (two simultaneous downloads of same video both complete).
 ## Requirements Validated
 - R019 — Source-aware output templates fully implemented and tested: domain-specific lookup, www stripping, user override priority, fallback chain, custom config. 9 unit tests prove all paths.
 - R024 — Concurrent same-URL support proven by integration test running two simultaneous downloads of the same video with different output templates — both complete successfully.
 ## New Requirements Surfaced
 - none
 ## Requirements Invalidated or Re-scoped
 - none
 ## Deviations
 - `pyproject.toml` build-backend changed from `setuptools.backends._legacy:_Backend` to `setuptools.build_meta` — the legacy backend isn't available in Python 3.12.4's bundled setuptools.
 - Test video changed from `BaW_jenozKc` to `jNQXAC9IVRw` ("Me at the zoo") — the commonly cited test URL is unavailable as of March 2026.
 - Verification commands updated to use `.venv/Scripts/python` explicitly — system Python is 3.14, project requires 3.12.
 ## Known Limitations
 - **yt-dlp cancel has no reliable mid-stream abort** — `DownloadService.cancel()` marks the job as failed in DB, but the worker thread continues downloading. The file may still complete on disk. This is a yt-dlp limitation, not a bug.
 - **Background worker thread teardown noise** — Worker threads that outlive test event loop produce `RuntimeWarning: coroutine 'update_job_status' was never awaited` on stderr. Harmless in tests; doesn't occur in production (lifespan shuts down executor before closing event loop).
 - **Stub session dependency** — `get_session_id()` reads X-Session-ID header with static fallback UUID. S02 replaces this with real cookie-based session middleware.
 - **Config SQLite layer not yet wired** — R023's admin live-write layer requires S04 (admin panel).
 ## Follow-ups
 - S02 must replace the stub session dependency in `app/dependencies.py` with real cookie-based session middleware.
 - S02 should wire SSEBroker.subscribe()/unsubscribe() into an SSE endpoint that streams events to the browser.
 - S04 should extend AppConfig with SQLite admin writes for the full R023 config hierarchy.
 ## Files Created/Modified
 - `backend/pyproject.toml` — project config with all pinned dependencies
 - `backend/app/__init__.py` — package root
 - `backend/app/main.py` — FastAPI app factory with lifespan, router mounting, logging
 - `backend/app/models/job.py` — JobStatus, JobCreate, Job, ProgressEvent, FormatInfo models
 - `backend/app/models/session.py` — Session model
 - `backend/app/models/__init__.py` — models subpackage
 - `backend/app/core/__init__.py` — core subpackage
 - `backend/app/core/config.py` — AppConfig with nested sections, _SafeYamlSource, env/YAML/zero-config
 - `backend/app/core/database.py` — init_db with WAL PRAGMAs, schema DDL, CRUD functions
 - `backend/app/core/sse_broker.py` — SSEBroker with thread-safe publish via call_soon_threadsafe
 - `backend/app/services/__init__.py` — services subpackage
 - `backend/app/services/download.py` — DownloadService with enqueue, get_formats, cancel, shutdown
 - `backend/app/services/output_template.py` — resolve_template with domain extraction and fallback
 - `backend/app/routers/__init__.py` — routers subpackage
 - `backend/app/routers/downloads.py` — POST/GET/DELETE download endpoints
 - `backend/app/routers/formats.py` — GET formats endpoint with error handling
 - `backend/app/dependencies.py` — stub session_id dependency (S02-replaceable)
 - `backend/app/middleware/__init__.py` — middleware subpackage (empty, S02 populates)
 - `backend/tests/__init__.py` — test package
 - `backend/tests/conftest.py` — shared fixtures: tmp_db_path, test_config, db, broker, httpx client
 - `backend/tests/test_models.py` — 16 model unit tests
 - `backend/tests/test_config.py` — 11 config tests
 - `backend/tests/test_database.py` — 11 database tests
 - `backend/tests/test_sse_broker.py` — 9 broker tests
 - `backend/tests/test_download_service.py` — 4 download service integration tests
 - `backend/tests/test_output_template.py` — 9 output template unit tests
 - `backend/tests/test_api.py` — 8 API tests via httpx AsyncClient
 ## Forward Intelligence
 ### What the next slice should know
 - The SSEBroker has subscribe/unsubscribe/publish but no SSE endpoint yet. S02 needs to create GET /api/events that calls broker.subscribe() to get a queue, then streams events as SSE, calling broker.unsubscribe() in the finally block.
 - The stub session dependency in `app/dependencies.py` is a simple function — S02 replaces it with middleware that reads/creates a `mrip_session` httpOnly cookie.
 - `app.state` holds `db` (aiosqlite connection), `config` (AppConfig), `broker` (SSEBroker), and `download_service` (DownloadService). S02 should add session middleware and SSE router using these same state objects.
 - The `DownloadService` constructor takes `(config, db, broker, loop)`. The event loop is captured at app startup in the lifespan.
 ### What's fragile
 - **Worker thread teardown timing** — if the event loop closes before all worker threads finish their `run_coroutine_threadsafe` calls, those calls get `RuntimeError: Event loop is closed`. In production this is handled by the lifespan shutting down the executor first, but tests with short-lived event loops can hit it. The test warnings are harmless but noisy.
 - **yt-dlp version pinned at 2026.3.17** — extractors break frequently. If YouTube changes their player API, the integration tests that download real videos will fail. The test uses "Me at the zoo" (jNQXAC9IVRw) which is the most stable video on the platform, but it's still a network dependency.
 ### Authoritative diagnostics
 - `cd backend && .venv/Scripts/python -m pytest tests/ -v` — the single command that proves the entire slice works. 68 tests, ~8s.
 - `SELECT status, error_message, progress_percent FROM jobs WHERE id = ?` — check any job's state directly in SQLite.
 - `logging.getLogger("mediarip")` — all loggers are children of this root, structured by module (mediarip.download, mediarip.database, mediarip.sse, mediarip.app).
 ### What assumptions changed
 - **Build backend**: The plan assumed `setuptools.backends._legacy:_Backend` would work — it doesn't on this system's setuptools version. Using `setuptools.build_meta` instead.
 - **Test video URL**: Plan/research referenced `BaW_jenozKc` — it's unavailable. Switched to `jNQXAC9IVRw`.
 - **Verification environment**: Plan assumed `python` would find the venv — system Python is 3.14. All verification commands must use `.venv/Scripts/python` explicitly.
--- a/.gsd/milestones/M001/slices/S01/S01-UAT.md
+++ b/.gsd/milestones/M001/slices/S01/S01-UAT.md
@ -1,202 +0,0 @@
 # S01: Foundation + Download Engine — UAT
 **Milestone:** M001
 **Written:** 2026-03-17
 ## UAT Type
 - UAT mode: artifact-driven
 - Why this mode is sufficient: S01 is a backend-only slice with no UI. All verification is through pytest (API contracts, database state, real yt-dlp downloads). No human-visible frontend to inspect.
 ## Preconditions
 - Python 3.12 venv activated: `cd backend && source .venv/Scripts/activate` (or use `.venv/Scripts/python` directly)
 - All dependencies installed: `pip install -e ".[dev]"` (already done during T01)
 - Network access available (integration tests download from YouTube)
 ## Smoke Test
 ```bash
 cd backend && .venv/Scripts/python -m pytest tests/ -v
 ```
 Expected: 68 passed, 0 failed. Runtime ~8-10s (network-dependent for yt-dlp integration tests).
 ## Test Cases
 ### 1. Pydantic Model Construction and Normalization
 ```bash
 cd backend && .venv/Scripts/python -m pytest tests/test_models.py -v
 ```
 1. Run the model test suite
 2. **Expected:** 16 tests pass covering:
   - JobStatus enum has all 6 values (queued, extracting, downloading, completed, failed, cancelled)
   - JobCreate accepts minimal (url only) and full construction
   - Job model has correct defaults (progress_percent=0.0, status=queued)
   - ProgressEvent.from_yt_dlp handles: complete dict, total_bytes=None fallback to estimate, both None → percent=0.0, finished status, minimal dict with missing keys
   - FormatInfo and Session models construct correctly
 ### 2. Config System: Zero-Config + Env Vars + YAML
 ```bash
 cd backend && .venv/Scripts/python -m pytest tests/test_config.py -v
 ```
 1. Run the config test suite
 2. **Expected:** 11 tests pass covering:
   - Zero-config: AppConfig() works with no YAML file and no env vars
   - Default values: max_concurrent=3, output_dir="/downloads", session_timeout_hours=72
   - Env var override: MEDIARIP__DOWNLOADS__MAX_CONCURRENT overrides default
   - YAML loading: values from YAML file are picked up
   - Missing YAML: no crash when yaml_file points to nonexistent path
   - Source templates: default entries for youtube.com, soundcloud.com, and * fallback
 ### 3. Database: WAL Mode + CRUD + Concurrency
 ```bash
 cd backend && .venv/Scripts/python -m pytest tests/test_database.py -v
 ```
 1. Run the database test suite
 2. **Expected:** 11 tests pass covering:
   - All 4 tables created (sessions, jobs, config, unsupported_urls)
   - `PRAGMA journal_mode` returns `wal`
   - `PRAGMA busy_timeout` returns 5000
   - Indexes created on jobs(session_id), jobs(status), sessions(last_seen)
   - Job CRUD roundtrip: create → get → verify fields match
   - get_nonexistent returns None
   - get_jobs_by_session filters correctly
   - update_job_status changes status + sets updated_at
   - update_job_progress changes percent + speed + eta
   - delete_job removes the row
   - 3 concurrent inserts complete without SQLITE_BUSY
 ### 4. SSE Broker: Subscribe/Publish/Thread-Safety
 ```bash
 cd backend && .venv/Scripts/python -m pytest tests/test_sse_broker.py -v
 ```
 1. Run the SSE broker test suite
 2. **Expected:** 9 tests pass covering:
   - subscribe creates an asyncio.Queue for the session
   - unsubscribe removes the queue
   - unsubscribe on nonexistent session doesn't raise
   - publish delivers event to subscriber's queue
   - Multiple subscribers on same session all receive event
   - publish to nonexistent session doesn't raise
   - Unsubscribed queue stops receiving events
   - publish from a worker thread (via call_soon_threadsafe) delivers event
   - Multiple threads publishing concurrently all deliver events
 ### 5. Download Service: Real yt-dlp Integration
 ```bash
 cd backend && .venv/Scripts/python -m pytest tests/test_download_service.py -v
 ```
 1. Run the download service test suite
 2. **Expected:** 4 tests pass:
   - **Real download**: Downloads "Me at the zoo" (jNQXAC9IVRw) → file appears in temp output dir, progress events with `status=downloading` and valid percent received in broker queue, DB status=completed
   - **Format extraction**: extract_info returns non-empty list of FormatInfo with format_id and ext fields
   - **Cancel**: cancel() sets DB status to failed with "Cancelled by user" error_message
   - **Concurrent downloads**: Two simultaneous downloads of the same video (different output templates) both complete
 ### 6. Output Template Resolution
 ```bash
 cd backend && .venv/Scripts/python -m pytest tests/test_output_template.py -v
 ```
 1. Run the output template test suite
 2. **Expected:** 9 tests pass covering:
   - youtube.com URL matches YouTube domain template
   - soundcloud.com URL matches SoundCloud domain template
   - Unknown domain falls back to `*` wildcard template
   - www. prefix stripped before lookup
   - User override takes priority over domain match
   - Malformed URL returns fallback template
   - Empty URL returns fallback template
   - URL with port resolves correctly
   - Custom domain template from config is used
 ### 7. API Endpoints: Full HTTP Vertical
 ```bash
 cd backend && .venv/Scripts/python -m pytest tests/test_api.py -v
 ```
 1. Run the API test suite
 2. **Expected:** 8 tests pass covering:
   - POST /api/downloads with valid URL → 201, response has id/url/status=queued/session_id
   - GET /api/downloads with no downloads → 200, empty list
   - GET /api/downloads after POST → 200, list contains the posted job
   - DELETE /api/downloads/{id} → 200, job status changes (not queued)
   - GET /api/formats?url=(YouTube URL) → 200, non-empty list of format objects
   - POST /api/downloads with invalid URL → 200 (job created, fails async)
   - Default session ID fallback → uses 00000000-0000-0000-0000-000000000000
   - Session isolation → different X-Session-ID headers see different job lists
 ### 8. Full Regression Suite
 ```bash
 cd backend && .venv/Scripts/python -m pytest tests/ -v
 ```
 1. Run all tests
 2. **Expected:** 68 passed, 0 failed
 ## Edge Cases
 ### WAL Mode Under Concurrent Load
 1. The test_three_concurrent_inserts test fires 3 simultaneous job inserts
 2. **Expected:** All 3 succeed without SQLITE_BUSY errors (WAL + busy_timeout=5000ms)
 ### ProgressEvent with Missing Total Bytes
 1. ProgressEvent.from_yt_dlp receives a dict where both total_bytes and total_bytes_estimate are None
 2. **Expected:** percent=0.0, no exception raised — graceful degradation
 ### Broker Publish to Missing Session
 1. broker.publish("nonexistent-session", event)
 2. **Expected:** No exception raised, event silently dropped
 ### Cancel Race Condition
 1. POST a download, immediately DELETE it
 2. **Expected:** Job status is not "queued" (may be "failed" or "downloading" depending on timing). The background worker may have already started.
 ## Failure Signals
 - `python -m pytest` returns exit code != 0
 - Any test marked FAILED in pytest output
 - `SQLITE_BUSY` errors in database tests (indicates WAL or busy_timeout misconfiguration)
 - `No module named` errors (indicates venv not activated or dependencies not installed)
 - `SSL: CERTIFICATE_VERIFY_FAILED` in test *results* (stderr noise from background threads is normal; only a problem if it causes test failure)
 - Progress events missing from broker queue after real download (indicates sync-to-async bridge broken)
 ## Requirements Proved By This UAT
 - R001 — Real yt-dlp download completes via API (test_download_service::test_real_download, test_api::test_post_download)
 - R002 — Format extraction returns quality options (test_download_service::test_format_extraction, test_api::test_get_formats)
 - R019 — Output templates resolve per-domain with fallback (test_output_template, 9 cases)
 - R023 — Config defaults + YAML + env vars all work (test_config, 11 cases). Admin SQLite writes deferred to S04.
 - R024 — Concurrent same-URL downloads succeed (test_download_service::test_concurrent_downloads)
 ## Not Proven By This UAT
 - R001/R002 full user flow (needs frontend from S03)
 - R003 SSE streaming to browser (needs S02 SSE endpoint)
 - R006 Playlist parent/child handling (needs S03 UI)
 - R023 admin live config writes (needs S04)
 - Any frontend, theme, admin, or Docker concerns (S02-S06)
 ## Notes for Tester
 - **Venv is required.** System Python is 3.14; project requires 3.12. Always use `backend/.venv/Scripts/python` or activate the venv first.
 - **Network tests are slow.** test_download_service and test_api (format extraction) hit YouTube. Expect ~8-10s total runtime. If behind a corporate proxy or firewall, these may fail with SSL errors.
 - **Stderr noise is expected.** Background yt-dlp worker threads that outlive the test event loop produce `RuntimeWarning` and error messages on stderr. These are cosmetic — the test exit code is what matters.
 - **Cancel test is race-tolerant.** The DELETE endpoint test asserts `status != "queued"` rather than exactly `status == "failed"` because the background worker may overwrite the status.
--- a/.gsd/milestones/M001/slices/S01/tasks/T01-PLAN.md
+++ b/.gsd/milestones/M001/slices/S01/tasks/T01-PLAN.md
@ -1,96 +0,0 @@
 ---
 estimated_steps: 5
 estimated_files: 7
 ---
 # T01: Scaffold project and define Pydantic models
 **Slice:** S01 — Foundation + Download Engine
 **Milestone:** M001
 ## Description
 Create the entire `backend/` project from scratch. This is a greenfield project — no source code exists yet. Establish `pyproject.toml` with all pinned dependencies, the package directory structure matching the boundary map (`app/core/`, `app/services/`, `app/routers/`, `app/models/`, `app/middleware/`), and all Pydantic models that every subsequent task imports from.
 The models are pure data classes with no I/O dependencies. The critical implementation detail is `ProgressEvent.from_yt_dlp(job_id, d)` — a classmethod that normalizes raw yt-dlp progress hook dictionaries into a typed model. It must handle `total_bytes: None` (common for subtitles, live streams, and some sites) by falling back to `total_bytes_estimate`, and calculating percent as 0 if both are `None`.
 ## Steps
 1. Create `backend/pyproject.toml` with:
   - `[project]` section: name `media-rip`, python `>=3.12,<3.13`, pinned dependencies: `fastapi==0.135.1`, `uvicorn[standard]==0.42.0`, `yt-dlp==2026.3.17`, `aiosqlite==0.22.1`, `apscheduler==3.11.2`, `pydantic==2.12.5`, `pydantic-settings[yaml]==2.13.1`, `sse-starlette==3.3.3`, `bcrypt==5.0.0`, `python-multipart==0.0.22`, `PyYAML==6.0.2`
   - `[project.optional-dependencies]` dev: `httpx==0.28.1`, `pytest==9.0.2`, `anyio[trio]`, `pytest-asyncio`, `ruff`
   - `[tool.pytest.ini_options]` asyncio_mode = "auto"
   - `[tool.ruff]` target-version = "py312"
 2. Create directory structure with `__init__.py` files:
   - `backend/app/__init__.py`
   - `backend/app/core/__init__.py`
   - `backend/app/models/__init__.py`
   - `backend/app/services/__init__.py`
   - `backend/app/routers/__init__.py`
   - `backend/app/middleware/__init__.py`
   - `backend/tests/__init__.py`
 3. Create `backend/app/models/job.py` with:
   - `JobStatus` — string enum: `queued`, `extracting`, `downloading`, `completed`, `failed`, `expired`
   - `JobCreate` — `url: str`, optional `format_id: str | None`, `quality: str | None`, `output_template: str | None`
   - `Job` — full model matching DB schema: `id: str` (UUID4), `session_id: str`, `url: str`, `status: JobStatus`, `format_id`, `quality`, `output_template`, `filename: str | None`, `filesize: int | None`, `progress_percent: float` (default 0), `speed: str | None`, `eta: str | None`, `error_message: str | None`, `created_at: str`, `started_at: str | None`, `completed_at: str | None`
   - `ProgressEvent` — `job_id: str`, `status: str`, `percent: float`, `speed: str | None`, `eta: str | None`, `downloaded_bytes: int | None`, `total_bytes: int | None`, `filename: str | None`. Has `from_yt_dlp(cls, job_id: str, d: dict) -> ProgressEvent` classmethod that normalizes yt-dlp's progress hook dict. Key logic: `total_bytes = d.get("total_bytes") or d.get("total_bytes_estimate")`, percent = `(downloaded / total * 100)` if both exist else `0.0`, speed formatted from bytes/sec, eta from seconds.
   - `FormatInfo` — `format_id: str`, `ext: str`, `resolution: str | None`, `codec: str | None`, `filesize: int | None`, `format_note: str | None`, `vcodec: str | None`, `acodec: str | None`
 4. Create `backend/app/models/session.py` with:
   - `Session` — `id: str`, `created_at: str`, `last_seen: str`, `job_count: int` (default 0)
 5. Create `backend/app/main.py` — minimal FastAPI app skeleton:
   - `from fastapi import FastAPI`
   - `@asynccontextmanager async def lifespan(app): yield` (placeholder — T04 fills it in)
   - `app = FastAPI(title="media.rip()", lifespan=lifespan)`
 6. Create `backend/tests/test_models.py`:
   - Test `JobStatus` enum values
   - Test `JobCreate` with minimal fields (just url)
   - Test `Job` construction with all fields
   - Test `ProgressEvent.from_yt_dlp` with complete dict (total_bytes present)
   - Test `ProgressEvent.from_yt_dlp` with `total_bytes: None, total_bytes_estimate: 5000`
   - Test `ProgressEvent.from_yt_dlp` with both `None` → percent = 0.0
   - Test `ProgressEvent.from_yt_dlp` with `status: "finished"` dict shape
   - Test `FormatInfo` construction
   - Test `Session` construction with defaults
 7. Install and run tests: `cd backend && pip install -e ".[dev]" && python -m pytest tests/test_models.py -v`
 ## Must-Haves
 - [ ] `pyproject.toml` has all pinned deps from research (exact versions)
 - [ ] Directory structure matches boundary map: `app/core/`, `app/services/`, `app/routers/`, `app/models/`, `app/middleware/`
 - [ ] `ProgressEvent.from_yt_dlp` handles `total_bytes: None` gracefully (falls back to `total_bytes_estimate`, then 0.0)
 - [ ] `JobStatus` is a string enum with all 6 values
 - [ ] All model tests pass
 - [ ] `pip install -e ".[dev]"` succeeds without errors
 ## Verification
 - `cd backend && pip install -e ".[dev]"` — installs without errors
 - `cd backend && python -m pytest tests/test_models.py -v` — all tests pass
 - `cd backend && python -c "from app.models.job import Job, JobStatus, ProgressEvent, JobCreate, FormatInfo; from app.models.session import Session; print('OK')"` — prints OK
 ## Observability Impact
 - **Signals changed:** None at runtime — this task creates pure data models with no I/O. No logs, no DB, no network.
 - **Inspection surfaces:** A future agent can verify the scaffold by importing models: `python -c "from app.models.job import Job, JobStatus, ProgressEvent; print('OK')"`. Package structure is inspectable via `find backend/app -name '*.py'`.
 - **Failure visibility:** `ProgressEvent.from_yt_dlp` normalizes yt-dlp hook dicts — malformed inputs (missing `total_bytes`, missing `total_bytes_estimate`) produce `percent=0.0` rather than exceptions, which is the designed graceful-degradation path. Model validation errors from Pydantic raise `ValidationError` with field-level detail.
 ## Inputs
 - No prior code exists — this is the first task
 - Research doc specifies all dependency versions, model fields, and directory structure
 ## Expected Output
 - `backend/pyproject.toml` — complete project config with pinned dependencies
 - `backend/app/__init__.py` and all sub-package `__init__.py` files — package structure
 - `backend/app/main.py` — minimal FastAPI skeleton
 - `backend/app/models/job.py` — Job, JobStatus, JobCreate, ProgressEvent, FormatInfo models
 - `backend/app/models/session.py` — Session model
 - `backend/tests/__init__.py` — test package marker
 - `backend/tests/test_models.py` — model unit tests (8+ test cases)
--- a/.gsd/milestones/M001/slices/S01/tasks/T01-SUMMARY.md
+++ b/.gsd/milestones/M001/slices/S01/tasks/T01-SUMMARY.md
@ -1,105 +0,0 @@
 ---
 id: T01
 parent: S01
 milestone: M001
 provides:
  - Python package structure (backend/app/ with core, models, services, routers, middleware subpackages)
  - Pydantic models: Job, JobStatus, JobCreate, ProgressEvent (with from_yt_dlp normalizer), FormatInfo, Session
  - pyproject.toml with all pinned dependencies
  - Minimal FastAPI app skeleton (backend/app/main.py)
  - Model unit tests (16 test cases)
 key_files:
  - backend/pyproject.toml
  - backend/app/models/job.py
  - backend/app/models/session.py
  - backend/app/main.py
  - backend/tests/test_models.py
 key_decisions:
  - Used Python 3.12 venv (py -3.12) since system default is 3.14 but pyproject.toml requires >=3.12,<3.13
  - Fixed build-backend from setuptools.backends._legacy:_Backend to setuptools.build_meta for compatibility with pip 24.0's bundled setuptools
 patterns_established:
  - ProgressEvent.from_yt_dlp normalizes yt-dlp hook dicts: total_bytes fallback chain (total_bytes → total_bytes_estimate → None), percent=0.0 when both None
  - Speed formatting: B/s → KiB/s → MiB/s → GiB/s with human-readable output
  - ETA formatting: seconds → Xs / XmYYs / XhYYmZZs
 observability_surfaces:
  - Model validation errors raise Pydantic ValidationError with field-level detail
  - ProgressEvent.from_yt_dlp gracefully degrades (percent=0.0) instead of raising on missing total_bytes
 duration: 12m
 verification_result: passed
 completed_at: 2026-03-17T22:24:00-05:00
 blocker_discovered: false
 ---
 # T01: Scaffold project and define Pydantic models
 **Created backend/ project scaffold with pyproject.toml (all pinned deps), package structure matching boundary map, Pydantic models (Job, JobStatus, JobCreate, ProgressEvent with from_yt_dlp normalizer, FormatInfo, Session), FastAPI skeleton, and 16 passing model tests.**
 ## What Happened
 Built the entire `backend/` project from scratch as the first task in the greenfield project. Created `pyproject.toml` with all 11 pinned runtime dependencies and 5 dev dependencies. Established the package directory structure with `__init__.py` files for `app/core/`, `app/models/`, `app/services/`, `app/routers/`, and `app/middleware/`.
 Implemented all Pydantic models in `app/models/job.py` and `app/models/session.py`. The critical `ProgressEvent.from_yt_dlp` classmethod normalizes raw yt-dlp progress hook dictionaries with the specified fallback chain: `total_bytes → total_bytes_estimate → None`, with `percent=0.0` when no total is available. Speed and ETA are formatted into human-readable strings.
 Created a minimal FastAPI app in `app/main.py` with a placeholder lifespan context manager (T04 will wire DB and services).
 Wrote 16 model unit tests covering all models, enum values, the complete ProgressEvent normalization path (complete data, fallback to estimate, both None, finished status, minimal dict), and edge cases.
 Had to fix the build-backend in `pyproject.toml` from `setuptools.backends._legacy:_Backend` to `setuptools.build_meta` because the Python 3.12 venv's setuptools didn't have the newer backend module.
 ## Verification
 All three task-level verification commands pass:
 1. `pip install -e ".[dev]"` — installed successfully with all dependencies
 2. `python -m pytest tests/test_models.py -v` — 16/16 tests pass
 3. `python -c "from app.models.job import Job, JobStatus, ProgressEvent, JobCreate, FormatInfo; from app.models.session import Session; print('OK')"` — prints OK
 ## Verification Evidence
 | # | Command | Exit Code | Verdict | Duration |
 |---|---------|-----------|---------|----------|
 | 1 | `pip install -e ".[dev]"` | 0 | ✅ pass | 43.8s |
 | 2 | `python -m pytest tests/test_models.py -v` | 0 | ✅ pass | 0.12s |
 | 3 | `python -c "from app.models.job import ...;print('OK')"` | 0 | ✅ pass | <1s |
 | 4 | `python -m pytest tests/ -v` (full suite) | 0 | ✅ pass | 0.07s |
 ### Slice-level verification (T01 scope):
 | # | Slice Check | Status | Notes |
 |---|-------------|--------|-------|
 | 1 | `pytest tests/test_models.py -v` | ✅ pass | 16/16 tests |
 | 2 | `pytest tests/test_config.py -v` | ⏳ pending | T02 |
 | 3 | `pytest tests/test_database.py -v` | ⏳ pending | T02 |
 | 4 | `pytest tests/test_sse_broker.py -v` | ⏳ pending | T02 |
 | 5 | `pytest tests/test_download_service.py -v` | ⏳ pending | T03 |
 | 6 | `pytest tests/test_api.py -v` | ⏳ pending | T04 |
 | 7 | `pytest tests/ -v` (full suite) | ⏳ partial | Only test_models.py exists |
 ## Diagnostics
 - Import check: `python -c "from app.models.job import Job, JobStatus, ProgressEvent, JobCreate, FormatInfo; from app.models.session import Session; print('OK')"`
 - Structure check: `find backend/app -name '*.py' | grep -v .venv | sort`
 - Venv activation: `source backend/.venv/Scripts/activate` (Python 3.12.4)
 ## Deviations
 - Changed `pyproject.toml` build-backend from `setuptools.backends._legacy:_Backend` to `setuptools.build_meta` because the legacy backend module doesn't exist in setuptools bundled with Python 3.12.4's pip. This is a minor tooling fix, not an architectural change.
 ## Known Issues
 - None
 ## Files Created/Modified
 - `backend/pyproject.toml` — project config with all pinned dependencies
 - `backend/app/__init__.py` — package root
 - `backend/app/core/__init__.py` — core subpackage marker
 - `backend/app/models/__init__.py` — models subpackage marker
 - `backend/app/services/__init__.py` — services subpackage marker
 - `backend/app/routers/__init__.py` — routers subpackage marker
 - `backend/app/middleware/__init__.py` — middleware subpackage marker
 - `backend/app/main.py` — minimal FastAPI app skeleton with placeholder lifespan
 - `backend/app/models/job.py` — JobStatus, JobCreate, Job, ProgressEvent, FormatInfo models
 - `backend/app/models/session.py` — Session model
 - `backend/tests/__init__.py` — test package marker
 - `backend/tests/test_models.py` — 16 model unit tests
--- a/.gsd/milestones/M001/slices/S01/tasks/T01-VERIFY.json
+++ b/.gsd/milestones/M001/slices/S01/tasks/T01-VERIFY.json
@ -1,18 +0,0 @@
 {
  "schemaVersion": 1,
  "taskId": "T01",
  "unitId": "M001/S01/T01",
  "timestamp": 1773804833046,
  "passed": false,
  "discoverySource": "task-plan",
  "checks": [
    {
      "command": "pip install -e \".[dev]\"",
      "exitCode": 1,
      "durationMs": 595,
      "verdict": "fail"
    }
  ],
  "retryAttempt": 3,
  "maxRetries": 2
 }
--- a/.gsd/milestones/M001/slices/S01/tasks/T02-PLAN.md
+++ b/.gsd/milestones/M001/slices/S01/tasks/T02-PLAN.md
@ -1,111 +0,0 @@
 ---
 estimated_steps: 7
 estimated_files: 7
 ---
 # T02: Build config system, database layer, and SSE broker
 **Slice:** S01 — Foundation + Download Engine
 **Milestone:** M001
 ## Description
 Build the three infrastructure modules that the download service and API routes depend on: the pydantic-settings config system, the aiosqlite database layer with WAL mode, and the SSE broker for thread-safe per-session event distribution. Also establish the shared test fixtures in `conftest.py`.
 The config system uses `pydantic-settings[yaml]` with env prefix `MEDIARIP` and nested delimiter `__`. It must handle a missing `config.yaml` gracefully (zero-config mode). The database must execute WAL + busy_timeout + synchronous PRAGMAs before any schema creation — this is critical for concurrent download writes. The SSE broker stores a reference to the event loop captured at init time and uses `loop.call_soon_threadsafe(queue.put_nowait, event)` for thread-safe publishing.
 ## Steps
 1. Create `backend/app/core/config.py`:
   - Import `pydantic_settings.BaseSettings`, `pydantic.BaseModel`
   - Define nested config models: `ServerConfig` (host, port, log_level, db_path defaulting to `"mediarip.db"`), `DownloadsConfig` (output_dir, max_concurrent, source_templates dict, default_template), `SessionConfig` (mode, timeout_hours), `PurgeConfig` (enabled, max_age_hours, cron), `UIConfig` (default_theme), `AdminConfig` (enabled, username, password_hash)
   - `AppConfig(BaseSettings)` with `model_config = SettingsConfigDict(env_prefix="MEDIARIP", env_nested_delimiter="__", yaml_file=None)`. Nested models with sensible defaults: `server: ServerConfig = ServerConfig()`, `downloads: DownloadsConfig = DownloadsConfig()`, etc.
   - Override `settings_customise_sources` to order: `env_settings` → `YamlConfigSettingsSource` → `init_settings` → `dotenv_settings`. Wrap YAML source to handle missing file gracefully (return empty dict if file doesn't exist or `yaml_file` is None).
   - Defaults: `downloads.output_dir="/downloads"`, `downloads.max_concurrent=3`, `downloads.source_templates={"youtube.com": "%(uploader)s/%(title)s.%(ext)s", "soundcloud.com": "%(uploader)s/%(title)s.%(ext)s", "*": "%(title)s.%(ext)s"}`, `session.mode="isolated"`, `session.timeout_hours=72`, `admin.enabled=False`
 2. Create `backend/app/core/database.py`:
   - Async functions: `init_db(db_path: str) -> aiosqlite.Connection` — opens connection, sets `row_factory = aiosqlite.Row`, executes PRAGMAs in this exact order: `PRAGMA busy_timeout=5000`, `PRAGMA journal_mode=WAL`, `PRAGMA synchronous=NORMAL`. Then creates tables.
   - Schema: `sessions` (id TEXT PRIMARY KEY, created_at TEXT, last_seen TEXT), `jobs` (id TEXT PRIMARY KEY, session_id TEXT, url TEXT, status TEXT, format_id TEXT, quality TEXT, output_template TEXT, filename TEXT, filesize INTEGER, progress_percent REAL DEFAULT 0, speed TEXT, eta TEXT, error_message TEXT, created_at TEXT, started_at TEXT, completed_at TEXT), `config` (key TEXT PRIMARY KEY, value TEXT, updated_at TEXT), `unsupported_urls` (id INTEGER PRIMARY KEY AUTOINCREMENT, url TEXT, session_id TEXT, error TEXT, created_at TEXT)
   - Indexes: `CREATE INDEX IF NOT EXISTS idx_jobs_session_status ON jobs(session_id, status)`, `CREATE INDEX IF NOT EXISTS idx_jobs_completed ON jobs(completed_at)`, `CREATE INDEX IF NOT EXISTS idx_sessions_last_seen ON sessions(last_seen)`
   - CRUD functions: `create_job(db, job: Job) -> Job`, `get_job(db, job_id: str) -> Job | None`, `get_jobs_by_session(db, session_id: str) -> list[Job]`, `update_job_status(db, job_id: str, status: str, error_message: str | None = None)`, `update_job_progress(db, job_id: str, progress_percent: float, speed: str | None, eta: str | None, filename: str | None)`, `delete_job(db, job_id: str)`, `close_db(db)` — calls `db.close()`
   - All write operations use `await db.commit()` after execution
 3. Create `backend/app/core/sse_broker.py`:
   - `SSEBroker` class with `__init__(self, loop: asyncio.AbstractEventLoop)`
   - Internal state: `self._subscribers: dict[str, list[asyncio.Queue]] = {}`, `self._loop = loop`
   - `subscribe(session_id: str) -> asyncio.Queue` — creates queue, appends to session's list, returns queue
   - `unsubscribe(session_id: str, queue: asyncio.Queue)` — removes queue from list, removes session key if list empty
   - `publish(session_id: str, event)` — uses `self._loop.call_soon_threadsafe(self._publish_sync, session_id, event)` where `_publish_sync` iterates all queues for that session and calls `queue.put_nowait(event)` (catches `asyncio.QueueFull` and logs warning)
   - `publish_sync(session_id: str, event)` — the actual sync method called on the event loop thread, iterates queues and calls `put_nowait`
 4. Create `backend/tests/conftest.py`:
   - `tmp_db_path` fixture: returns a temp file path for test database, cleans up after
   - `test_config` fixture: returns `AppConfig` with `downloads.output_dir` set to a temp dir
   - `db` async fixture: calls `init_db(tmp_db_path)`, yields connection, calls `close_db`
   - `broker` fixture: creates SSEBroker with current event loop
   - Mark all async fixtures with appropriate scope
 5. Create `backend/tests/test_config.py`:
   - Test zero-config: `AppConfig()` loads with all defaults, no crash
   - Test env var override: set `MEDIARIP__DOWNLOADS__MAX_CONCURRENT=5` in env, verify `config.downloads.max_concurrent == 5`
   - Test YAML loading: write a temp YAML file, set `yaml_file` path, verify values load
   - Test missing YAML file: set `yaml_file` to nonexistent path, verify no crash (zero-config)
   - Test default source_templates contains youtube.com, soundcloud.com, and `*` entries
 6. Create `backend/tests/test_database.py`:
   - Test `init_db` creates all tables (query `sqlite_master`)
   - Test WAL mode: `PRAGMA journal_mode` returns `wal`
   - Test `create_job` + `get_job` roundtrip
   - Test `get_jobs_by_session` returns correct subset
   - Test `update_job_status` changes status field
   - Test `update_job_progress` updates progress fields
   - Test `delete_job` removes the row
   - Test concurrent writes: launch 3 simultaneous `create_job` calls via `asyncio.gather`, verify all succeed without `SQLITE_BUSY`
 7. Create `backend/tests/test_sse_broker.py`:
   - Test subscribe creates a queue and returns it
   - Test publish delivers event to subscribed queue
   - Test publish from a thread (simulating yt-dlp worker): start a `threading.Thread` that calls `broker.publish(session_id, event)`, verify event arrives in queue within 1 second
   - Test unsubscribe removes queue, subsequent publish doesn't deliver
   - Test multiple subscribers to same session all receive the event
   - Test publish to non-existent session doesn't raise
 ## Must-Haves
 - [ ] Config: zero-config mode works (no YAML, no env vars → all defaults)
 - [ ] Config: env var with `MEDIARIP__` prefix and `__` nesting overrides config
 - [ ] Database: WAL mode verified via `PRAGMA journal_mode` query returning `wal`
 - [ ] Database: `busy_timeout=5000` set before schema creation
 - [ ] Database: All four tables created with correct schema
 - [ ] Database: 3 concurrent writes succeed without `SQLITE_BUSY`
 - [ ] SSE Broker: publish from a separate thread delivers event to subscriber queue
 - [ ] SSE Broker: unsubscribe removes queue from distribution
 - [ ] All tests pass
 ## Verification
 - `cd backend && python -m pytest tests/test_config.py -v` — all config tests pass
 - `cd backend && python -m pytest tests/test_database.py -v` — all DB tests pass including WAL verification and concurrent writes
 - `cd backend && python -m pytest tests/test_sse_broker.py -v` — all broker tests pass including thread-safe publish
 ## Observability Impact
 - Database module logs table creation and PRAGMA results at startup (INFO level)
 - SSEBroker logs `QueueFull` warnings if a subscriber queue is backed up
 - Job status transitions visible via `jobs` table `status` column
 ## Inputs
 - `backend/app/models/job.py` — Job, JobStatus models for database type hints
 - `backend/app/models/session.py` — Session model
 - `backend/pyproject.toml` — dependencies already installed from T01
 ## Expected Output
 - `backend/app/core/config.py` — AppConfig with nested models, pydantic-settings integration
 - `backend/app/core/database.py` — init_db, CRUD functions, WAL mode setup
 - `backend/app/core/sse_broker.py` — SSEBroker with thread-safe publish
 - `backend/tests/conftest.py` — shared test fixtures (db, config, broker)
 - `backend/tests/test_config.py` — config test suite
 - `backend/tests/test_database.py` — database test suite with concurrency test
 - `backend/tests/test_sse_broker.py` — broker test suite with thread-safety test
--- a/.gsd/milestones/M001/slices/S01/tasks/T02-SUMMARY.md
+++ b/.gsd/milestones/M001/slices/S01/tasks/T02-SUMMARY.md
@ -1,104 +0,0 @@
 ---
 id: T02
 parent: S01
 milestone: M001
 provides:
  - AppConfig with pydantic-settings (env + YAML + zero-config defaults)
  - aiosqlite database layer with WAL mode, busy_timeout, CRUD functions
  - SSEBroker with thread-safe publish via call_soon_threadsafe
  - Shared test fixtures in conftest.py (tmp_db_path, test_config, db, broker)
 key_files:
  - backend/app/core/config.py
  - backend/app/core/database.py
  - backend/app/core/sse_broker.py
  - backend/tests/conftest.py
 key_decisions:
  - Used monkeypatch.setitem on model_config to test YAML loading since pydantic-settings v2 does not accept _yaml_file as an init kwarg
  - SSE broker fixture must be async (pytest_asyncio.fixture) using asyncio.get_running_loop() — get_event_loop() returns a different loop than the one running async tests
  - env_prefix set to "MEDIARIP__" (with trailing delimiter) so nested vars use MEDIARIP__SERVER__PORT format
 patterns_established:
  - _SafeYamlSource wraps YamlConfigSettingsSource to gracefully handle missing/None yaml_file
  - Database PRAGMA order (busy_timeout → WAL → synchronous) set before any DDL
  - _row_to_job helper converts aiosqlite.Row to Job model — single point of row mapping
 observability_surfaces:
  - mediarip.database logger: INFO on journal_mode set and table creation
  - mediarip.sse logger: WARNING on QueueFull (subscriber backpressure)
  - mediarip.config logger: DEBUG when YAML file not found
 duration: 25m
 verification_result: passed
 completed_at: 2026-03-17
 blocker_discovered: false
 ---
 # T02: Build config system, database layer, and SSE broker
 **Built pydantic-settings config (env + YAML + zero-config), aiosqlite database with WAL mode and CRUD, and thread-safe SSE broker — 47 tests passing**
 ## What Happened
 Created three infrastructure modules in `backend/app/core/`:
 1. **config.py** — `AppConfig(BaseSettings)` with six nested config sections (ServerConfig, DownloadsConfig, SessionConfig, PurgeConfig, UIConfig, AdminConfig). Uses `_SafeYamlSource` subclass of `YamlConfigSettingsSource` that gracefully returns `{}` when the YAML file is missing or None. Priority chain: env vars → YAML → init kwargs → .env. Env prefix `MEDIARIP__` with `__` nesting.
 2. **database.py** — `init_db()` opens aiosqlite connection, sets PRAGMAs in the critical order (busy_timeout=5000 → journal_mode=WAL → synchronous=NORMAL), then creates four tables (sessions, jobs, config, unsupported_urls) with three indexes. CRUD functions: create_job, get_job, get_jobs_by_session, update_job_status, update_job_progress, delete_job, close_db. All writes commit immediately.
 3. **sse_broker.py** — `SSEBroker` holds a dict of session_id → list[asyncio.Queue]. `publish()` uses `loop.call_soon_threadsafe(_publish_sync, ...)` so yt-dlp worker threads can fire events safely. `_publish_sync` iterates queues with `put_nowait`, catching `QueueFull`.
 Created `conftest.py` with shared async fixtures (tmp_db_path, test_config, db, broker). The broker fixture is async to capture the running event loop correctly — `asyncio.get_event_loop()` returns a different loop than the test runner's.
 Two test issues discovered and fixed during verification:
 - YAML config tests initially used `_yaml_file` as an init kwarg, but pydantic-settings v2 rejects unknown init kwargs. Fixed by using `monkeypatch.setitem` on `model_config`.
 - Broker thread-safety tests initially failed because the broker fixture used `get_event_loop()` (deprecation-era API returning a stale loop). Fixed by making the fixture async with `get_running_loop()`.
 ## Verification
 All three module test suites pass, plus the T01 model tests — 47/47 total:
 - `test_config.py`: 11 passed (zero-config, env overrides, YAML load, missing YAML, default templates)
 - `test_database.py`: 11 passed (all tables created, WAL mode, busy_timeout, indexes, CRUD roundtrip, concurrent writes)
 - `test_sse_broker.py`: 9 passed (subscribe, unsubscribe, publish, multi-subscriber, thread-safe publish, multi-thread publish)
 - `test_models.py`: 16 passed (unchanged from T01)
 ## Verification Evidence
 | # | Command | Exit Code | Verdict | Duration |
 |---|---------|-----------|---------|----------|
 | 1 | `cd backend && python -m pytest tests/test_config.py -v` | 0 | ✅ pass | 0.22s |
 | 2 | `cd backend && python -m pytest tests/test_database.py -v` | 0 | ✅ pass | 0.19s |
 | 3 | `cd backend && python -m pytest tests/test_sse_broker.py -v` | 0 | ✅ pass | 0.23s |
 | 4 | `cd backend && python -m pytest tests/ -v` | 0 | ✅ pass | 0.43s |
 Slice-level checks (partial — T02 is not the final task):
 | # | Command | Exit Code | Verdict | Notes |
 |---|---------|-----------|---------|-------|
 | 1 | `test_models.py -v` | 0 | ✅ pass | T01 output |
 | 2 | `test_config.py -v` | 0 | ✅ pass | T02 new |
 | 3 | `test_database.py -v` | 0 | ✅ pass | T02 new |
 | 4 | `test_sse_broker.py -v` | 0 | ✅ pass | T02 new |
 | 5 | `test_download_service.py -v` | — | ⏳ pending | T03 |
 | 6 | `test_api.py -v` | — | ⏳ pending | T04 |
 ## Diagnostics
 - WAL mode: `sqlite3 mediarip.db "PRAGMA journal_mode"` → should return `wal`
 - Config inspection: `python -c "from app.core.config import AppConfig; c = AppConfig(); print(c.model_dump())"`
 - Database tables: `sqlite3 mediarip.db ".tables"` → sessions, jobs, config, unsupported_urls
 - SSE broker: subscriber count visible via `len(broker._subscribers[session_id])`
 ## Deviations
 - YAML config test approach changed from init kwarg (`_yaml_file=path`) to `monkeypatch.setitem(model_config, "yaml_file", path)` — pydantic-settings v2 forbids extra init kwargs.
 - Broker fixture changed from sync (`@pytest.fixture`) to async (`@pytest_asyncio.fixture`) using `get_running_loop()` instead of `get_event_loop()`.
 ## Known Issues
 None.
 ## Files Created/Modified
 - `backend/app/core/config.py` — AppConfig with nested sections, _SafeYamlSource, env/YAML/zero-config support
 - `backend/app/core/database.py` — init_db with WAL PRAGMAs, schema DDL, CRUD functions
 - `backend/app/core/sse_broker.py` — SSEBroker with thread-safe publish via call_soon_threadsafe
 - `backend/tests/conftest.py` — shared fixtures: tmp_db_path, test_config, db, broker
 - `backend/tests/test_config.py` — 11 config tests (zero-config, env override, YAML, missing YAML)
 - `backend/tests/test_database.py` — 11 database tests (tables, WAL, CRUD, concurrent writes)
 - `backend/tests/test_sse_broker.py` — 9 broker tests (subscribe, publish, thread-safe, multi-subscriber)
--- a/.gsd/milestones/M001/slices/S01/tasks/T02-VERIFY.json
+++ b/.gsd/milestones/M001/slices/S01/tasks/T02-VERIFY.json
@ -1,9 +0,0 @@
 {
  "schemaVersion": 1,
  "taskId": "T02",
  "unitId": "M001/S01/T02",
  "timestamp": 1773805461502,
  "passed": true,
  "discoverySource": "none",
  "checks": []
 }
--- a/.gsd/milestones/M001/slices/S01/tasks/T03-PLAN.md
+++ b/.gsd/milestones/M001/slices/S01/tasks/T03-PLAN.md
@ -1,130 +0,0 @@
 ---
 estimated_steps: 5
 estimated_files: 5
 ---
 # T03: Implement download service with sync-to-async bridge
 **Slice:** S01 — Foundation + Download Engine
 **Milestone:** M001
 ## Description
 Build the download service — the highest-risk component in S01. This is where yt-dlp (synchronous, thread-bound) meets FastAPI (async, event-loop-bound). The service wraps yt-dlp in a `ThreadPoolExecutor` and bridges progress events to the async world via `loop.call_soon_threadsafe`. Also build the output template resolver utility.
 This task retires the primary risk identified in the M001 roadmap: **"proving yt-dlp progress events arrive in an asyncio.Queue via call_soon_threadsafe, with a test that runs a real download and asserts events were received."**
 **Critical implementation constraints:**
 - **Fresh YoutubeDL instance per job** — never shared across threads. YoutubeDL has mutable state (cookies, temp files, logger) that corrupts under concurrent access.
 - **Event loop captured at construction** — `asyncio.get_event_loop()` in `__init__`, stored as `self._loop`. Cannot call `get_event_loop()` inside a worker thread.
 - **Progress hook throttling** — Write to DB only when percent changes by ≥1% or status changes. SSE broker gets all events (cheap in-memory), DB gets throttled writes.
 - **`total_bytes` is frequently None** — Already handled in `ProgressEvent.from_yt_dlp` from T01, but the hook must not crash when the dict is sparse.
 ## Steps
 1. Create `backend/app/services/output_template.py`:
   - `resolve_template(url: str, user_override: str | None, config: AppConfig) -> str`
   - Extract domain from URL using `urllib.parse.urlparse`. Strip `www.` prefix.
   - If `user_override` is not None, return it directly (R025 per-download override)
   - Look up domain in `config.downloads.source_templates`. If found, return it.
   - Fall back to `config.downloads.source_templates.get("*", "%(title)s.%(ext)s")`
   - Handle malformed URLs gracefully (return default template)
 2. Create `backend/app/services/download.py`:
   - `DownloadService` class. Constructor takes `config: AppConfig`, `db: aiosqlite.Connection`, `broker: SSEBroker`, `loop: asyncio.AbstractEventLoop`.
   - `self._executor = ThreadPoolExecutor(max_workers=config.downloads.max_concurrent)`
   - `async def enqueue(self, job_create: JobCreate, session_id: str) -> Job`:
     - Generate UUID4 for job_id, resolve output template via `resolve_template`
     - Create Job model, persist via `create_job(self._db, job)` (from database module)
     - Submit `self._run_download` to executor via `self._loop.run_in_executor(self._executor, self._run_download, job.id, job.url, opts, session_id)`
     - Return the Job
   - `def _run_download(self, job_id: str, url: str, opts: dict, session_id: str)`:
     - This runs in a worker thread. **Create a fresh YoutubeDL instance** with opts.
     - Register a `progress_hooks` callback that:
       - Creates `ProgressEvent.from_yt_dlp(job_id, d)` from the hook dict
       - Calls `self._loop.call_soon_threadsafe(self._broker.publish_sync, session_id, event)` (NOT `publish` — call the sync method directly since we're already scheduling on the event loop)
       - Throttles DB writes: track `_last_db_percent` per job, only write when `abs(new - last) >= 1.0` or status changed
       - DB writes from the thread use `asyncio.run_coroutine_threadsafe(update_job_progress(...), self._loop).result()` — blocks the worker thread until the async DB write completes
     - Call `ydl.download([url])`
     - On success: update status to `completed`, set `completed_at`
     - On exception: update status to `failed`, set `error_message` to str(e), log the error
   - `async def get_formats(self, url: str) -> list[FormatInfo]`:
     - Run in executor: `ydl.extract_info(url, download=False)`
     - Parse result `formats` list into `FormatInfo` models
     - Handle `filesize: None` gracefully
     - Return list sorted by resolution (best first)
   - `async def cancel(self, job_id: str)`:
     - Update job status to `failed` with error_message "Cancelled by user" in DB
     - Note: yt-dlp has no reliable mid-stream abort. The thread continues but the job is marked failed.
   - `def shutdown(self)`:
     - `self._executor.shutdown(wait=False)`
 3. Create `backend/tests/test_output_template.py`:
   - Test YouTube URL → youtube.com template
   - Test SoundCloud URL → soundcloud.com template
   - Test unknown domain → fallback `*` template
   - Test `www.` prefix stripping (www.youtube.com → youtube.com lookup)
   - Test user override takes priority over domain match
   - Test malformed URL → fallback template
 4. Create `backend/tests/test_download_service.py`:
   - **Integration test — real download** (mark with `@pytest.mark.integration` or `@pytest.mark.slow`):
     - Set up: create temp output dir, init DB, create SSEBroker, create DownloadService
     - Subscribe to broker queue for the test session
     - Call `service.enqueue(JobCreate(url="https://www.youtube.com/watch?v=BaW_jenozKc"), session_id="test-session")` — this is a 10-second Creative Commons video commonly used in yt-dlp tests. If this URL stops working, any short public video works.
     - Collect events from broker queue with a timeout (10-30 seconds depending on network)
     - Assert: at least one event has `status == "downloading"` with `percent > 0`
     - Assert: final event has `status == "finished"` (this is yt-dlp's hook status, not JobStatus)
     - Assert: output file exists in the temp dir
     - Assert: DB job status is `completed`
   - **Format extraction test** (also integration — needs network):
     - Call `service.get_formats("https://www.youtube.com/watch?v=BaW_jenozKc")`
     - Assert: result is non-empty list
     - Assert: each FormatInfo has `format_id` and `ext` populated
   - **Cancel test** (unit — no network):
     - Create a job in DB with status `downloading`
     - Call `service.cancel(job_id)`
     - Assert: DB job status is now `failed` with error_message "Cancelled by user"
   - **Concurrent enqueue test** (integration — light):
     - Enqueue 2 downloads simultaneously via `asyncio.gather`
     - Verify both complete without errors (proves ThreadPoolExecutor + WAL work together)
 5. Run all tests: `cd backend && python -m pytest tests/test_output_template.py tests/test_download_service.py -v`
 ## Must-Haves
 - [ ] Fresh YoutubeDL instance created per job inside worker thread (never shared)
 - [ ] Progress events bridge from worker thread to SSE broker via `call_soon_threadsafe`
 - [ ] Real download integration test passes — file appears in output dir AND progress events received
 - [ ] Format extraction returns non-empty list with `format_id` and `ext`
 - [ ] DB progress writes throttled (≥1% change or status change)
 - [ ] Output template resolves domain-specific and fallback correctly
 - [ ] `total_bytes: None` doesn't crash the progress hook
 ## Verification
 - `cd backend && python -m pytest tests/test_output_template.py -v` — all template tests pass
 - `cd backend && python -m pytest tests/test_download_service.py -v` — all service tests pass including real download
 - `cd backend && python -m pytest tests/test_download_service.py -v -k "real_download"` — specifically verify the risk-retirement test
 ## Observability Impact
 - Download worker logs job_id + status transitions at INFO level
 - Download errors logged at ERROR level with job_id + exception traceback
 - Progress hook logs throttling decisions at DEBUG level
 - `jobs` table `error_message` column populated on failure
 ## Inputs
 - `backend/app/models/job.py` — Job, JobCreate, ProgressEvent, FormatInfo, JobStatus
 - `backend/app/core/config.py` — AppConfig with downloads settings
 - `backend/app/core/database.py` — init_db, CRUD functions
 - `backend/app/core/sse_broker.py` — SSEBroker with publish/subscribe
 - `backend/tests/conftest.py` — shared fixtures (db, config, broker)
 ## Expected Output
 - `backend/app/services/output_template.py` — resolve_template utility
 - `backend/app/services/download.py` — DownloadService with enqueue, get_formats, cancel
 - `backend/tests/test_output_template.py` — template resolution tests
 - `backend/tests/test_download_service.py` — integration tests proving sync-to-async bridge works
--- a/.gsd/milestones/M001/slices/S01/tasks/T03-SUMMARY.md
+++ b/.gsd/milestones/M001/slices/S01/tasks/T03-SUMMARY.md
@ -1,103 +0,0 @@
 ---
 id: T03
 parent: S01
 milestone: M001
 provides:
  - DownloadService with enqueue, get_formats, cancel, shutdown methods
  - sync-to-async bridge via ThreadPoolExecutor + call_soon_threadsafe + run_coroutine_threadsafe
  - Output template resolver with domain-specific lookup and fallback
  - Integration tests proving real yt-dlp download with progress event flow
 key_files:
  - backend/app/services/download.py
  - backend/app/services/output_template.py
  - backend/tests/test_download_service.py
  - backend/tests/test_output_template.py
 key_decisions:
  - DownloadService uses broker.publish() directly (already thread-safe via call_soon_threadsafe) rather than a separate publish_sync method
  - DB writes from worker threads via asyncio.run_coroutine_threadsafe().result() with 10s timeout — blocks the worker thread until the async DB write completes
  - Concurrent download tests need distinct output_template overrides to avoid ffmpeg postprocessing collisions when downloading the same video twice
 patterns_established:
  - Fresh YoutubeDL instance per job inside worker thread — never shared across threads
  - Progress hook throttling pattern — SSE broker gets all events (cheap in-memory), DB writes only on >=1% change or status change
  - Thread-to-async bridge pattern — loop.call_soon_threadsafe for fire-and-forget, run_coroutine_threadsafe for blocking async calls from threads
 observability_surfaces:
  - mediarip.download logger at INFO for job lifecycle (created, starting, completed, cancelled), ERROR with exc_info for failures
  - mediarip.output_template logger at DEBUG for template resolution decisions
  - jobs table error_message column populated on failure with yt-dlp error string
  - Progress hook DEBUG logs for DB write throttling decisions
 duration: 15m
 verification_result: passed
 completed_at: 2026-03-17
 blocker_discovered: false
 ---
 # T03: Implement download service with sync-to-async bridge
 **Built DownloadService with ThreadPoolExecutor-based yt-dlp wrapper, progress event bridging via call_soon_threadsafe, output template resolver, and integration tests proving real downloads produce files and SSE events**
 ## What Happened
 Implemented the two service modules and their test suites:
 1. **Output template resolver** (`output_template.py`): `resolve_template()` extracts the domain from the URL via `urlparse`, strips `www.` prefix, looks up domain in `config.downloads.source_templates`, falls back to wildcard `*` then hard-coded default. Handles malformed URLs gracefully.
 2. **Download service** (`download.py`): `DownloadService` class wraps yt-dlp in a `ThreadPoolExecutor`. Each `enqueue()` call creates a `Job` in the DB then submits `_run_download` to the executor. The worker thread creates a fresh `YoutubeDL` per job, registers a progress hook that bridges events to the async world — SSE broker gets every event via `broker.publish()` (already thread-safe), DB writes are throttled to ≥1% changes via `run_coroutine_threadsafe`. `get_formats()` runs `extract_info(download=False)` in the executor and returns sorted `FormatInfo` list. `cancel()` marks the job as failed in the DB.
 3. **Tests**: 9 output template tests covering domain matching, www stripping, user override priority, malformed URLs, and custom config. 4 download service tests: real download integration (file appears + progress events received), format extraction (non-empty list with format_id and ext), cancel (DB status updated), and concurrent downloads (two simultaneous jobs both complete).
 Fixed a concurrent test issue where two downloads of the same video collided at the ffmpeg postprocessing step — resolved by using distinct `output_template` overrides per job.
 ## Verification
 - `python -m pytest tests/test_output_template.py -v` — 9/9 passed
 - `python -m pytest tests/test_download_service.py -v -k real_download` — real download test passed (file created, progress events with `status=downloading` received, DB status=completed)
 - `python -m pytest tests/test_download_service.py -v -k format_extraction` — format list returned with format_id and ext fields
 - `python -m pytest tests/test_download_service.py -v -k cancel` — DB status set to failed with "Cancelled by user"
 - `python -m pytest tests/test_download_service.py -v -k concurrent` — two simultaneous downloads both completed
 - `python -m pytest tests/ -v` — 60/60 passed in 7.08s (full suite including all T01/T02/T03 tests)
 ## Verification Evidence
 | # | Command | Exit Code | Verdict | Duration |
 |---|---------|-----------|---------|----------|
 | 1 | `python -m pytest tests/test_output_template.py -v` | 0 | ✅ pass | 0.01s |
 | 2 | `python -m pytest tests/test_download_service.py -v -k real_download` | 0 | ✅ pass | 2.54s |
 | 3 | `python -m pytest tests/test_download_service.py -v -k format_extraction` | 0 | ✅ pass | 1.43s |
 | 4 | `python -m pytest tests/test_download_service.py -v -k cancel` | 0 | ✅ pass | 0.09s |
 | 5 | `python -m pytest tests/test_download_service.py -v -k concurrent` | 0 | ✅ pass | 1.61s |
 | 6 | `python -m pytest tests/ -v` | 0 | ✅ pass | 7.08s |
 ## Slice-level Verification (partial — T03 of T04)
 | Check | Status |
 |-------|--------|
 | `python -m pytest tests/test_models.py -v` | ✅ 16 passed |
 | `python -m pytest tests/test_config.py -v` | ✅ 11 passed |
 | `python -m pytest tests/test_database.py -v` | ✅ 11 passed |
 | `python -m pytest tests/test_sse_broker.py -v` | ✅ 9 passed |
 | `python -m pytest tests/test_download_service.py -v` | ✅ 4 passed |
 | `python -m pytest tests/test_api.py -v` | ⏳ T04 (not yet created) |
 | `python -m pytest tests/ -v` | ✅ 60 passed, 0 failures |
 | Progress events contain `status=downloading` with valid percent | ✅ verified in real_download test |
 ## Diagnostics
 - **Download service logs**: `logging.getLogger("mediarip.download")` — INFO on job lifecycle (create/start/complete/cancel), ERROR with traceback on failures
 - **Template resolution**: `logging.getLogger("mediarip.output_template")` — DEBUG for resolution path taken
 - **DB inspection**: `SELECT status, error_message, progress_percent FROM jobs WHERE id = ?` to check job state
 - **Throttle behavior**: DEBUG-level logs show when DB writes are triggered vs skipped in the progress hook
 ## Deviations
 - Concurrent download test needed distinct `output_template` overrides per job to avoid ffmpeg postprocessing collisions when downloading the same URL twice to the same directory. This is a test design issue, not a service limitation.
 ## Known Issues
 - yt-dlp `cancel()` has no reliable mid-stream abort — the worker thread continues downloading but the job is marked as failed in the DB. This is documented in the plan and is a known yt-dlp limitation.
 ## Files Created/Modified
 - `backend/app/services/output_template.py` — resolve_template utility with domain extraction and fallback chain
 - `backend/app/services/download.py` — DownloadService class with enqueue, get_formats, cancel, shutdown
 - `backend/tests/test_output_template.py` — 9 tests covering template resolution logic
 - `backend/tests/test_download_service.py` — 4 tests including real download integration, format extraction, cancel, and concurrent downloads
--- a/.gsd/milestones/M001/slices/S01/tasks/T03-VERIFY.json
+++ b/.gsd/milestones/M001/slices/S01/tasks/T03-VERIFY.json
@ -1,9 +0,0 @@
 {
  "schemaVersion": 1,
  "taskId": "T03",
  "unitId": "M001/S01/T03",
  "timestamp": 1773806197708,
  "passed": true,
  "discoverySource": "none",
  "checks": []
 }
--- a/.gsd/milestones/M001/slices/S01/tasks/T04-PLAN.md
+++ b/.gsd/milestones/M001/slices/S01/tasks/T04-PLAN.md
@ -1,101 +0,0 @@
 ---
 estimated_steps: 5
 estimated_files: 7
 ---
 # T04: Wire API routes and FastAPI app factory
 **Slice:** S01 — Foundation + Download Engine
 **Milestone:** M001
 ## Description
 Build the HTTP layer that ties everything together: the FastAPI app factory with lifespan (DB init/close, service construction), API routers for downloads and format extraction, a stub session dependency for testing, and API-level tests via httpx. This is the composition task — it proves the full vertical from HTTP request through to yt-dlp and back.
 The stub session dependency reads `X-Session-ID` from request headers, falling back to a default UUID. This is explicitly documented as S02-replaceable — S02 delivers real cookie-based session middleware that replaces this dependency entirely.
 **Important:** The API tests use `httpx.AsyncClient` with `ASGITransport` — no real server is started. This is FastAPI's recommended testing pattern.
 ## Steps
 1. Create `backend/app/dependencies.py`:
   - `get_session_id(request: Request) -> str` dependency function
   - Reads `X-Session-ID` header from request. If present, return it.
   - If not present, return a default UUID string (e.g., `"00000000-0000-0000-0000-000000000000"`)
   - Add a docstring clearly marking this as a stub: `"""Stub session ID dependency. S02 replaces this with cookie-based session middleware."""`
 2. Update `backend/app/main.py` — full app factory with lifespan:
   - `@asynccontextmanager async def lifespan(app: FastAPI)`:
     - Load config: `config = AppConfig(yaml_file="config.yaml")` if file exists, else `AppConfig()`
     - Init DB: `db = await init_db(config.server.db_path)`
     - Capture event loop: `loop = asyncio.get_event_loop()`
     - Create SSEBroker: `broker = SSEBroker(loop)`
     - Create DownloadService: `download_service = DownloadService(config, db, broker, loop)`
     - Store on `app.state`: `app.state.config = config`, `app.state.db = db`, `app.state.broker = broker`, `app.state.download_service = download_service`
     - `yield`
     - Teardown: `download_service.shutdown()`, `await close_db(db)`
   - Include routers: `app.include_router(downloads_router, prefix="/api")`, `app.include_router(formats_router, prefix="/api")`
 3. Create `backend/app/routers/downloads.py`:
   - `router = APIRouter(tags=["downloads"])`
   - `POST /downloads` — accepts `JobCreate` body, gets `session_id` from `Depends(get_session_id)`, gets `download_service` from `request.app.state.download_service`. Calls `await download_service.enqueue(job_create, session_id)`. Returns Job as JSON with status 201.
   - `GET /downloads` — gets session_id, queries DB via `get_jobs_by_session(request.app.state.db, session_id)`. Returns list of Jobs.
   - `DELETE /downloads/{job_id}` — calls `await download_service.cancel(job_id)`. Returns `{"status": "cancelled"}`.
 4. Create `backend/app/routers/formats.py`:
   - `router = APIRouter(tags=["formats"])`
   - `GET /formats` — accepts `url: str` query param. Gets download_service from app.state. Calls `await download_service.get_formats(url)`. Returns list of FormatInfo.
   - Handle errors gracefully: if extraction fails, return 400 with error message.
 5. Create/update `backend/tests/test_api.py` and update `backend/tests/conftest.py`:
   - Add `client` async fixture to conftest: creates `httpx.AsyncClient` with `ASGITransport(app=app)`, base_url `http://test`
   - The app fixture needs a fresh lifespan — use temp DB path and temp output dir
   - Tests:
     - `test_post_download` — POST `/api/downloads` with `{"url": "https://www.youtube.com/watch?v=BaW_jenozKc"}` and `X-Session-ID: test-session` header → 201 + response has `id`, `status == "queued"`, `url` matches
     - `test_get_downloads_empty` — GET `/api/downloads` with `X-Session-ID: new-session` → 200 + empty list
     - `test_get_downloads_after_post` — POST a download, then GET → list contains the job
     - `test_delete_download` — POST a download, then DELETE → 200 + status cancelled, GET confirms status changed
     - `test_get_formats` — GET `/api/formats?url=https://www.youtube.com/watch?v=BaW_jenozKc` → 200 + non-empty list with format_id fields (integration — needs network)
     - `test_post_download_invalid_url` — POST with `{"url": "not-a-url"}` → appropriate error response
   - Run full suite: `cd backend && python -m pytest tests/ -v`
 ## Must-Haves
 - [ ] App starts without errors via lifespan (DB initialized, services created)
 - [ ] POST /api/downloads creates a job and returns it with status 201
 - [ ] GET /api/downloads returns jobs filtered by session_id
 - [ ] DELETE /api/downloads/{id} marks job as cancelled/failed
 - [ ] GET /api/formats?url= returns format list from yt-dlp extraction
 - [ ] Stub session_id dependency reads X-Session-ID header with fallback
 - [ ] Full test suite (`python -m pytest tests/ -v`) passes with 0 failures
 ## Verification
 - `cd backend && python -m pytest tests/test_api.py -v` — all API tests pass
 - `cd backend && python -m pytest tests/ -v` — FULL suite (models + config + db + broker + download + template + api) passes with 0 failures
 - `python -c "from app.main import app; print(app.title)"` — prints "media.rip()"
 ## Observability Impact
 - App lifespan logs config source (YAML/env/defaults) and DB path at startup (INFO level)
 - API routes log incoming requests with session_id at DEBUG level
 - Error responses include structured error messages (not stack traces)
 ## Inputs
 - `backend/app/models/job.py` — Job, JobCreate, FormatInfo models
 - `backend/app/core/config.py` — AppConfig
 - `backend/app/core/database.py` — init_db, close_db, CRUD functions
 - `backend/app/core/sse_broker.py` — SSEBroker
 - `backend/app/services/download.py` — DownloadService
 - `backend/tests/conftest.py` — shared fixtures from T02
 ## Expected Output
 - `backend/app/dependencies.py` — stub session_id dependency
 - `backend/app/main.py` — complete app factory with lifespan, router mounting
 - `backend/app/routers/downloads.py` — POST/GET/DELETE download endpoints
 - `backend/app/routers/formats.py` — GET formats endpoint
 - `backend/tests/test_api.py` — API test suite (6+ test cases)
 - `backend/tests/conftest.py` — updated with httpx client fixture
 - All prior test files still passing (full regression)
--- a/.gsd/milestones/M001/slices/S01/tasks/T04-SUMMARY.md
+++ b/.gsd/milestones/M001/slices/S01/tasks/T04-SUMMARY.md
@ -1,109 +0,0 @@
 ---
 id: T04
 parent: S01
 milestone: M001
 provides:
  - FastAPI app factory with lifespan (DB init/close, SSE broker, DownloadService on app.state)
  - API routes: POST/GET/DELETE /api/downloads, GET /api/formats
  - Stub session_id dependency (X-Session-ID header with default UUID fallback, S02-replaceable)
  - httpx AsyncClient test fixture with manual lifespan management
 key_files:
  - backend/app/main.py
  - backend/app/dependencies.py
  - backend/app/routers/downloads.py
  - backend/app/routers/formats.py
  - backend/tests/test_api.py
  - backend/tests/conftest.py
 key_decisions:
  - httpx ASGITransport does not trigger Starlette lifespan events — test fixture builds a fresh FastAPI app with manually-wired state instead of relying on lifespan
  - Cancel/delete test accepts race condition with background worker (asserts status != queued rather than exactly failed) since yt-dlp has no reliable mid-stream abort
  - Switched test video from BaW_jenozKc (unavailable) to jNQXAC9IVRw ("Me at the zoo", first YouTube video) for stable integration tests
 patterns_established:
  - Test fixture pattern for FastAPI + httpx — fresh app per test with temp DB/output dir, services wired on app.state manually, no lifespan dependency
  - API error handling pattern — formats endpoint catches extraction exceptions and returns 400 with structured detail message
 observability_surfaces:
  - mediarip.app logger at INFO for startup config source (YAML/env/defaults) and DB path
  - mediarip.api.downloads logger at DEBUG for incoming requests with session_id
  - mediarip.api.formats logger at DEBUG for format extraction requests, ERROR for failures
  - Error responses return structured JSON with detail field, not stack traces
 duration: 20m
 verification_result: passed
 completed_at: 2026-03-17
 blocker_discovered: false
 ---
 # T04: Wire API routes and FastAPI app factory
 **Built FastAPI app factory with lifespan, 4 API routes (POST/GET/DELETE downloads + GET formats), stub session dependency, and 8 API tests — full suite 68/68 passing**
 ## What Happened
 Implemented the HTTP composition layer that proves the full vertical from request to yt-dlp and back:
 1. **Stub session dependency** (`dependencies.py`): `get_session_id()` reads `X-Session-ID` header with fallback to `00000000-0000-0000-0000-000000000000`. Documented as S02-replaceable.
 2. **App factory** (`main.py`): Lifespan context manager loads config (YAML if present, else defaults+env), inits aiosqlite DB, creates SSEBroker and DownloadService, stores all on `app.state`. Teardown shuts down executor and closes DB. Mounts downloads and formats routers under `/api`.
 3. **Download routes** (`routers/downloads.py`): `POST /api/downloads` (201, creates job via DownloadService.enqueue), `GET /api/downloads` (200, lists jobs by session), `DELETE /api/downloads/{job_id}` (200, cancels job).
 4. **Format route** (`routers/formats.py`): `GET /api/formats?url=` returns format list, catches extraction errors and returns 400 with structured detail.
 5. **Test fixture** (`conftest.py`): The `client` fixture builds a fresh FastAPI app with manually-wired state (temp DB, temp output dir, real services) because httpx's `ASGITransport` doesn't trigger Starlette lifespan events. This avoids the complexity of mocking env vars or patching the lifespan.
 6. **API tests** (`test_api.py`): 8 tests covering POST download (201 + job fields), GET empty session, GET after POST, DELETE with race-tolerant assertion, GET formats (integration with real yt-dlp), POST invalid URL, default session ID fallback, and session isolation.
 ## Verification
 - `python -m pytest tests/test_api.py -v` — 8/8 passed in 2.27s
 - `python -m pytest tests/ -v` — 68/68 passed in 9.82s (full regression)
 - `python -c "from app.main import app; print(app.title)"` — prints "media.rip()"
 ## Verification Evidence
 | # | Command | Exit Code | Verdict | Duration |
 |---|---------|-----------|---------|----------|
 | 1 | `python -m pytest tests/test_api.py -v` | 0 | ✅ pass | 2.27s |
 | 2 | `python -m pytest tests/ -v` | 0 | ✅ pass | 9.82s |
 | 3 | `python -c "from app.main import app; print(app.title)"` | 0 | ✅ pass | <1s |
 ## Slice-level Verification (final task — S01 complete)
 | Check | Status |
 |-------|--------|
 | `python -m pytest tests/test_models.py -v` | ✅ 16 passed |
 | `python -m pytest tests/test_config.py -v` | ✅ 11 passed |
 | `python -m pytest tests/test_database.py -v` | ✅ 11 passed |
 | `python -m pytest tests/test_sse_broker.py -v` | ✅ 9 passed |
 | `python -m pytest tests/test_download_service.py -v` | ✅ 4 passed |
 | `python -m pytest tests/test_output_template.py -v` | ✅ 9 passed |
 | `python -m pytest tests/test_api.py -v` | ✅ 8 passed |
 | `python -m pytest tests/ -v` | ✅ 68 passed, 0 failures |
 | PRAGMA journal_mode returns WAL | ✅ verified in test_database |
 | Progress events contain status=downloading with valid percent | ✅ verified in test_download_service |
 ## Diagnostics
 - **App import check**: `python -c "from app.main import app; print(app.routes)"` — lists all mounted routes
 - **API logs**: `logging.getLogger("mediarip.api.downloads")` at DEBUG shows request session_id and URL; `mediarip.api.formats` at DEBUG shows format extraction requests
 - **Lifespan logs**: `mediarip.app` at INFO logs config source and DB path on startup
 - **Error responses**: Formats endpoint returns `{"detail": "Format extraction failed: ..."}` on extraction errors, not stack traces
 ## Deviations
 - Test video changed from `BaW_jenozKc` (unavailable) to `jNQXAC9IVRw` ("Me at the zoo") for reliable integration tests
 - Test fixture manually wires app.state instead of using lifespan — httpx `ASGITransport` doesn't trigger Starlette lifespan events
 - Cancel test uses race-tolerant assertion (`status != "queued"`) instead of exact `status == "failed"` because the background worker thread's status update can overwrite the cancel
 ## Known Issues
 - Background worker threads that outlive the test event loop produce `RuntimeWarning: coroutine 'update_job_status' was never awaited` — harmless stderr noise from threads that try to update DB after the test fixture tears down. Does not affect test correctness.
 - yt-dlp cancel limitation persists (documented in T03): worker thread continues after cancel, job is marked failed in DB but download may still complete on disk.
 ## Files Created/Modified
 - `backend/app/dependencies.py` — stub session_id dependency (reads X-Session-ID header, fallback to default UUID)
 - `backend/app/main.py` — complete app factory with lifespan, router mounting, logging
 - `backend/app/routers/downloads.py` — POST/GET/DELETE download endpoints
 - `backend/app/routers/formats.py` — GET formats endpoint with error handling
 - `backend/tests/test_api.py` — 8 API tests via httpx AsyncClient
 - `backend/tests/conftest.py` — updated with httpx client fixture (manual app.state wiring)
--- a/.gsd/milestones/M001/slices/S01/tasks/T04-VERIFY.json
+++ b/.gsd/milestones/M001/slices/S01/tasks/T04-VERIFY.json
@ -1,18 +0,0 @@
 {
  "schemaVersion": 1,
  "taskId": "T04",
  "unitId": "M001/S01/T04",
  "timestamp": 1773806835855,
  "passed": false,
  "discoverySource": "task-plan",
  "checks": [
    {
      "command": "python -m pytest tests/test_api.py -v",
      "exitCode": 1,
      "durationMs": 29,
      "verdict": "fail"
    }
  ],
  "retryAttempt": 2,
  "maxRetries": 2
 }
--- a/.gsd/milestones/M001/slices/S02/S02-PLAN.md
+++ b/.gsd/milestones/M001/slices/S02/S02-PLAN.md
@ -1,85 +0,0 @@
 # S02: SSE Transport + Session System
 **Goal:** Wire live SSE event streaming and cookie-based session identity so that download progress flows from yt-dlp worker threads to the correct browser session, with reconnect replay and session isolation.
 **Demo:** Open two browser tabs → each gets its own SSE stream scoped to their session cookie. Live progress events flow from yt-dlp workers through SSEBroker to the correct session's EventSource. Refresh a tab → SSE replays current state. Health endpoint responds.
 ## Must-Haves
 - Session middleware that auto-creates `mrip_session` httpOnly cookie and populates `request.state.session_id`
 - Session CRUD in database.py (create, get, update_last_seen)
 - SSE endpoint (`GET /api/events`) streaming `init`, `job_update`, `job_removed`, `ping` events per session
 - Reconnect replay: connecting after jobs exist → `init` event contains current non-terminal jobs
 - Disconnect cleanup: generator `try/finally` calls `broker.unsubscribe()`, no zombie connections
 - Session-mode-aware job queries: isolated filters by session_id, shared returns all, open uses fixed ID
 - `GET /api/health` returning `{status, version, yt_dlp_version, uptime, queue_depth}`
 - `GET /api/config/public` returning sanitized config (session mode, default theme — no admin credentials)
 - All 68 existing S01 tests still pass after session middleware swap
 - `job_removed` event published to SSE when a download is deleted
 ## Proof Level
 - This slice proves: integration (SSE streaming from worker threads to HTTP clients, session isolation across cookies)
 - Real runtime required: yes (async generators, SSE streaming, cookie handling)
 - Human/UAT required: no (all provable via automated tests)
 ## Verification
 - `cd backend && .venv/Scripts/python -m pytest tests/ -v` — all tests pass (S01 tests + new S02 tests)
 - `backend/tests/test_session_middleware.py` — session cookie creation, reuse, invalid UUID handling, open mode bypass
 - `backend/tests/test_sse.py` — init event replay, job_update streaming, disconnect cleanup, keepalive, job_removed event
 - `backend/tests/test_health.py` — health endpoint fields, public config sanitization, session mode query layer
 - SSE disconnect test: after generator exits, `broker._subscribers` has no leftover queues for the session
 - Session isolation test: two different session cookies → GET /api/downloads returns different job sets
 - Regression: all 68 S01 tests pass (route migration from header stub to middleware didn't break anything)
 ## Observability / Diagnostics
 - Runtime signals: `mediarip.session` logger at INFO for session creation, DEBUG for session reuse/update_last_seen; `mediarip.sse` logger at INFO for SSE connect/disconnect with session_id, WARNING for QueueFull (already exists)
 - Inspection surfaces: `GET /api/health` returns queue_depth, uptime, versions; `sessions` table in SQLite shows all active sessions with last_seen timestamps
 - Failure visibility: SSE generator logs session_id on connect and disconnect — if a connection drops without the disconnect log, the finally block didn't fire (zombie). Health endpoint queue_depth > max_concurrent suggests workers are stuck.
 - Redaction constraints: session UUIDs are opaque identifiers, not secrets. Admin password_hash must NOT appear in `GET /api/config/public`.
 ## Integration Closure
 - Upstream surfaces consumed: `app/core/sse_broker.py` (subscribe/unsubscribe/publish), `app/core/database.py` (jobs CRUD, sessions table DDL), `app/core/config.py` (AppConfig.session.mode, session.timeout_hours), `app/models/job.py` (Job, ProgressEvent), `app/models/session.py` (Session), `app/services/download.py` (DownloadService), `app/dependencies.py` (replaced)
 - New wiring introduced in this slice: SessionMiddleware added to app in main.py, SSE/health/system routers mounted, downloads router switched from Depends(get_session_id) to request.state.session_id, broker.publish called from delete endpoint for job_removed events
 - What remains before the milestone is truly usable end-to-end: S03 (frontend SPA consuming SSE), S04 (admin panel), S05 (themes), S06 (Docker/CI)
 ## Tasks
 - [x] **T01: Wire session middleware, DB CRUD, and migrate existing routes** `est:1h`
  - Why: Everything in S02 depends on `request.state.session_id` being populated by real cookie-based middleware instead of the X-Session-ID header stub. Session DB functions are needed for the middleware and for SSE replay. Existing routes and tests must be migrated atomically.
  - Files: `backend/app/middleware/session.py`, `backend/app/core/database.py`, `backend/app/dependencies.py`, `backend/app/routers/downloads.py`, `backend/app/main.py`, `backend/tests/conftest.py`, `backend/tests/test_session_middleware.py`, `backend/tests/test_api.py`
  - Do: Add session CRUD functions to database.py (create_session, get_session, update_session_last_seen). Build SessionMiddleware as Starlette BaseHTTPMiddleware — reads mrip_session cookie, looks up/creates session in DB, sets request.state.session_id, sets httpOnly cookie on response. Handle open mode (fixed session_id, no cookie). Replace get_session_id stub in dependencies.py with a thin function that reads request.state.session_id. Update downloads router to use the new dependency. Wire middleware into main.py. Update conftest.py client fixture to include middleware. Migrate test_api.py from X-Session-ID headers to cookie flow.
  - Verify: `cd backend && .venv/Scripts/python -m pytest tests/test_session_middleware.py tests/test_api.py -v` — new session tests pass AND all existing API tests pass
  - Done when: Requests without a cookie get one set (httpOnly, SameSite=Lax), requests with valid cookie reuse the session, session rows appear in DB, all 68+ tests pass
 - [ ] **T02: Build SSE endpoint with replay, disconnect cleanup, and job_removed broadcasting** `est:1h`
  - Why: This is the core of S02 — the live event stream that S03's frontend will consume. Covers R003 (SSE progress stream) and R004 (reconnect replay). Also wires job_removed events so the frontend can remove deleted jobs in real-time.
  - Files: `backend/app/routers/sse.py`, `backend/app/routers/downloads.py`, `backend/app/core/database.py`, `backend/app/main.py`, `backend/tests/test_sse.py`
  - Do: Add `get_active_jobs_by_session()` to database.py (non-terminal jobs for replay). Build SSE router with GET /api/events — async generator subscribes to broker, sends `init` event with current jobs from DB, then yields `job_update` events from the queue, with 15s keepalive `ping`. Generator MUST use try/finally for broker.unsubscribe() and MUST NOT catch CancelledError. Use sse-starlette EventSourceResponse. Add broker.publish of job_removed event in downloads router delete endpoint. Mount SSE router in main.py. Write comprehensive tests: init replay, live job_update, disconnect cleanup (verify broker._subscribers empty after), keepalive timing, job_removed event delivery, session isolation (two sessions get different init payloads).
  - Verify: `cd backend && .venv/Scripts/python -m pytest tests/test_sse.py -v` — all SSE tests pass
  - Done when: SSE endpoint streams init event with current jobs on connect, live job_update events arrive from broker, disconnect fires cleanup (no zombie queues), job_removed events flow when downloads are deleted
 - [ ] **T03: Add health endpoint, public config endpoint, and session-mode query layer** `est:45m`
  - Why: Closes R016 (health endpoint for monitoring tools), provides public config for S03 frontend, and proves session-mode-aware job queries for R007. These are the remaining S02 deliverables.
  - Files: `backend/app/routers/health.py`, `backend/app/routers/system.py`, `backend/app/core/database.py`, `backend/app/main.py`, `backend/tests/test_health.py`
  - Do: Build health router: GET /api/health returns {status: "ok", version: "0.1.0", yt_dlp_version: <from yt_dlp.version>, uptime: <seconds since startup>, queue_depth: <count of queued/downloading jobs>}. Capture start_time in lifespan. Build system router: GET /api/config/public returns {session_mode, default_theme, purge_enabled} — explicitly excludes admin.password_hash and admin.username. Add `get_all_jobs()` to database.py for shared mode. Add `get_jobs_by_session_mode()` helper that dispatches on config.session.mode (isolated → filter by session_id, shared → all jobs, open → all jobs). Mount both routers in main.py. Write tests: health returns correct fields with right types, version strings are non-empty, queue_depth reflects actual job count, public config excludes sensitive fields, session mode query dispatching works correctly for isolated/shared/open.
  - Verify: `cd backend && .venv/Scripts/python -m pytest tests/test_health.py -v` — all health/config/mode tests pass
  - Done when: GET /api/health returns valid JSON with version info, GET /api/config/public excludes admin credentials, session mode queries dispatch correctly, full test suite passes
 ## Files Likely Touched
 - `backend/app/middleware/session.py` (new)
 - `backend/app/routers/sse.py` (new)
 - `backend/app/routers/health.py` (new)
 - `backend/app/routers/system.py` (new)
 - `backend/app/core/database.py` (modified — session CRUD, active jobs query, all jobs query, mode-aware query)
 - `backend/app/dependencies.py` (modified — replace stub with request.state reader)
 - `backend/app/routers/downloads.py` (modified — use new session dependency, publish job_removed)
 - `backend/app/main.py` (modified — add middleware, mount new routers, capture start_time)
 - `backend/tests/conftest.py` (modified — add middleware to test app, cookie helpers)
 - `backend/tests/test_session_middleware.py` (new)
 - `backend/tests/test_sse.py` (new)
 - `backend/tests/test_health.py` (new)
 - `backend/tests/test_api.py` (modified — migrate from header to cookie flow)
--- a/.gsd/milestones/M001/slices/S02/S02-RESEARCH.md
+++ b/.gsd/milestones/M001/slices/S02/S02-RESEARCH.md
@ -1,145 +0,0 @@
 # S02: SSE Transport + Session System — Research
 **Date:** 2026-03-17
 ## Summary
 S02 wires the live event stream and session identity that S01 left stubbed. The SSEBroker (subscribe/unsubscribe/publish) already works and is proven thread-safe. The `sessions` table exists. What's missing: the HTTP layer that turns those primitives into a real SSE endpoint with reconnect replay, a middleware that auto-creates `mrip_session` cookies and populates `request.state.session_id`, session-mode-aware job queries (isolated/shared/open), a health endpoint, and a public config endpoint.
 All building blocks exist — this is integration work on top of well-understood libraries (`sse-starlette`, `FastAPI` middleware, `aiosqlite`). The main risk is the SSE disconnect/cleanup path: the generator must use `try/finally` to call `broker.unsubscribe()`, and must re-raise `CancelledError` (not swallow it). The PITFALLS doc calls this out explicitly as Pitfall 3 (zombie connections).
 ## Recommendation
 Build in this order: (1) session middleware + DB CRUD, (2) SSE endpoint with replay, (3) session-mode-aware query functions, (4) health + public config endpoints. Session middleware first because the SSE endpoint and all existing routes depend on `request.state.session_id` being populated by middleware rather than the header stub. The SSE endpoint is the riskiest piece — it needs disconnect handling, replay, and keepalive. Health and config endpoints are trivial.
 Replace `dependencies.get_session_id()` with `request.state.session_id` set by the new middleware. Existing routes that use `Depends(get_session_id)` switch to reading `request.state.session_id` directly (or a thin dependency that reads it from `request.state`). Existing tests that pass `X-Session-ID` header will need updating to either use the cookie flow or a test middleware that sets `request.state.session_id`.
 ## Implementation Landscape
 ### Key Files
 **Existing (consumed by S02):**
 - `backend/app/core/sse_broker.py` — SSEBroker with subscribe/unsubscribe/publish. Complete, proven in 9 tests. SSE endpoint calls `subscribe()` to get a queue, yields events from it, calls `unsubscribe()` in finally block.
 - `backend/app/core/database.py` — Has `sessions` table DDL and `jobs` CRUD. Missing: session CRUD functions (create, get, update_last_seen) and session-mode-aware job queries.
 - `backend/app/core/config.py` — `AppConfig` with `session.mode` (default "isolated") and `session.timeout_hours` (default 72). Config is on `app.state.config`.
 - `backend/app/dependencies.py` — Stub `get_session_id()` reads `X-Session-ID` header. S02 replaces this.
 - `backend/app/main.py` — Lifespan stores `config`, `db`, `broker`, `download_service` on `app.state`. S02 adds session middleware and new routers here.
 - `backend/app/models/job.py` — Job, ProgressEvent, FormatInfo models. SSE events serialize these.
 - `backend/app/models/session.py` — Session model with id, created_at, last_seen, job_count. Used for API responses.
 - `backend/app/routers/downloads.py` — Uses `Depends(get_session_id)`. Must switch to middleware-provided session_id.
 - `backend/tests/conftest.py` — Client fixture builds a fresh FastAPI app with temp DB. S02 tests need this pattern extended to include session middleware.
 **New (created by S02):**
 - `backend/app/middleware/session.py` — SessionMiddleware: reads `mrip_session` cookie → looks up in DB → creates if missing → sets `request.state.session_id` → updates `last_seen`. Sets httpOnly, SameSite=Lax, Path=/ cookie on response. In "open" session mode, sets a fixed session_id (no cookie).
 - `backend/app/routers/sse.py` — `GET /api/events` SSE endpoint. Async generator subscribes to broker, replays current job state from DB as `init` event, then yields live events. Uses `try/finally` for cleanup. Keepalive ping every 15s. `retry: 5000` in stream.
 - `backend/app/routers/health.py` — `GET /api/health` returning `{status, version, yt_dlp_version, uptime, queue_depth}`.
 - `backend/app/routers/system.py` — `GET /api/config/public` returning sanitized config (session mode, default theme, purge enabled — no admin credentials).
 **Modified:**
 - `backend/app/core/database.py` — Add session CRUD: `create_session()`, `get_session()`, `update_session_last_seen()`. Add `get_all_jobs()` for shared/open mode. Add `get_active_jobs_by_session()` for SSE replay (non-terminal jobs).
 - `backend/app/dependencies.py` — Replace stub with a dependency that reads `request.state.session_id` (set by middleware). Or remove entirely and have routes read `request.state.session_id` directly.
 - `backend/app/main.py` — Add `app.add_middleware(SessionMiddleware)` and include new routers (sse, health, system).
 - `backend/app/routers/downloads.py` — Switch from `Depends(get_session_id)` to `request.state.session_id`. For shared mode, `GET /api/downloads` returns all jobs.
 - `backend/tests/conftest.py` — Client fixture adds session middleware to test app. May need a helper to set session cookies in test requests.
 - `backend/tests/test_api.py` — Tests switch from `X-Session-ID` header to cookie-based session flow.
 ### SSE Event Contract
 Events yielded by the SSE generator use sse-starlette's dict format:
 ```python
 {"event": "init", "data": json.dumps({"jobs": [job.model_dump() for job in jobs]})}
 {"event": "job_update", "data": json.dumps(progress_event.model_dump())}
 {"event": "job_removed", "data": json.dumps({"job_id": job_id})}
 {"event": "error", "data": json.dumps({"message": str})}
 {"event": "ping", "data": ""}
 ```
 The `init` event replays all non-terminal jobs for the session on connect. `job_update` wraps ProgressEvent from the broker queue. `job_removed` fires when a job is deleted. `ping` is a keepalive every 15s of inactivity.
 Note: The broker currently publishes raw `ProgressEvent` objects from download workers. The SSE generator needs to wrap these into the `{"event": "job_update", "data": ...}` envelope. The broker should also support publishing `job_removed` events when `DELETE /api/downloads/{id}` is called — this requires the downloads router to publish to the broker after deleting.
 ### Session Middleware Design
 ```
 Request → SessionMiddleware:
  1. Read `mrip_session` cookie
  2. If present and valid UUID → look up in sessions table
     - Found → update last_seen, set request.state.session_id
     - Not found → create new session row, set cookie
  3. If missing → generate UUID4, create session row, set cookie on response
  4. If config.session.mode == "open" → skip cookie, use fixed session_id
 Response:
  - Set-Cookie: mrip_session=<uuid>; HttpOnly; SameSite=Lax; Path=/; Max-Age=<timeout_hours * 3600>
 ```
 The middleware is a Starlette `BaseHTTPMiddleware` subclass. It accesses `app.state.db` and `app.state.config` for DB lookups and session mode.
 ### Session Mode Logic
 - **isolated** (default): Jobs queried by `session_id`. Each browser sees only its own jobs. SSE stream scoped to session.
 - **shared**: Jobs queried without session filter — all sessions see all jobs. SSE stream shows all events (broker needs to broadcast or use a wildcard).
 - **open**: No session tracking. All requests use a fixed session_id. No cookie set.
 Shared mode is the trickiest for SSE: the broker is keyed by session_id, but shared mode needs all events to reach all subscribers. Two approaches:
 1. Broker publishes to a `"__all__"` channel that shared-mode subscribers listen on — requires broker change.
 2. Download workers publish to both the job's session_id AND a broadcast channel — messy.
 3. **Simplest: in shared mode, the SSE generator subscribes to a well-known `"__shared__"` session_id, and the download service publishes to `"__shared__"` when mode is shared.** This requires checking session mode at publish time.
 Recommendation: For S02, implement isolated mode fully and add the shared/open mode hooks. The actual multi-mode switching can be proven with a test that changes config and verifies query behavior. Full shared-mode SSE broadcasting can be deferred to S04 if needed — R007 says "operator selects session mode server-wide" which implies it's a deployment-time choice, not a runtime toggle.
 ### Build Order
 1. **Session DB CRUD + middleware** — Unblocks everything. Write `create_session`, `get_session`, `update_session_last_seen` in database.py. Write SessionMiddleware. Wire into main.py. Update dependencies.py.
 2. **SSE endpoint with replay** — The riskiest piece. Write the async generator with subscribe → replay → live stream → cleanup pattern. Test disconnect handling (generator finally block fires, queue removed from broker). Test replay (connect after job created → init event contains the job).
 3. **Update existing routes + tests** — Switch downloads router from header stub to middleware session_id. Update test fixtures and test_api.py.
 4. **Health + public config endpoints** — Straightforward. Health: capture `start_time` in lifespan, return uptime delta. Public config: return sanitized subset of AppConfig.
 5. **Session mode tests** — Test isolated vs shared query behavior. Test open mode skips cookies.
 ### Verification Approach
 **Unit tests:**
 - Session middleware: request without cookie gets one set, request with valid cookie reuses session, request with invalid UUID gets new session
 - SSE generator: connect → receives init event with current jobs, disconnect → broker.unsubscribe called, keepalive ping fires after timeout
 - Session mode: isolated mode filters by session_id, shared mode returns all jobs
 - Health endpoint: returns expected fields with correct types
 - Public config: returns session mode and theme, does NOT include admin password_hash
 **Integration test:**
 - Start a download via POST, connect to SSE endpoint, verify `job_update` events arrive with progress data
 - Connect to SSE after a job exists → verify `init` event replays the job
 - Two different sessions → each SSE stream only sees its own jobs (session isolation proof)
 **Commands:**
 ```bash
 cd backend && .venv/Scripts/python -m pytest tests/ -v
 ```
 The slice is proven when:
 1. SSE endpoint streams real events from a download worker to a subscriber
 2. Disconnect cleanup fires (broker queue removed)
 3. Replay works (connect after job → init contains job)
 4. Session isolation: two sessions see different job sets
 5. Health endpoint returns valid JSON with version info
 6. All existing S01 tests still pass (no regression from session middleware swap)
 ## Constraints
 - `sse-starlette==3.3.3` is already pinned in pyproject.toml — use `EventSourceResponse` directly, don't wrap it.
 - SSEBroker is keyed by session_id string. Shared mode needs a strategy for cross-session event delivery (recommend: defer full shared-mode SSE to S04, prove the query layer handles it in S02).
 - `BaseHTTPMiddleware` has a known limitation: it creates a new task per request, which can cause issues with `request.state` in streaming responses. For the SSE endpoint specifically, the session_id may need to be resolved as a dependency rather than middleware. Test this — if `request.state.session_id` is accessible inside the SSE generator after middleware runs, middleware is fine. If not, fall back to a `Depends()` that reads the cookie directly.
 - The `sessions` table schema in database.py uses `TEXT` for `created_at` and `last_seen` (ISO format strings). The architecture doc suggests `INTEGER` (unix timestamps). Use what S01 established: TEXT ISO format, consistent with the jobs table.
 - Python 3.12 venv at `backend/.venv` — all commands must use `.venv/Scripts/python`.
 ## Common Pitfalls
 - **CancelledError swallowing in SSE generator** — Use `try/finally` for cleanup. If you catch `CancelledError`, re-raise it. Never use bare `except Exception` around the generator body. This is Pitfall 3 from the research — creates zombie connections that leak memory. The warning sign is `asyncio.all_tasks()` growing over time.
 - **BaseHTTPMiddleware + streaming responses** — BaseHTTPMiddleware wraps the response body in a new task. For SSE (long-lived streaming), this can cause `request.state` to be garbage-collected or the middleware's `call_next` to hang. If tests show this, switch the session resolution to a FastAPI `Depends()` function instead of middleware. The middleware approach is cleaner architecturally but may not survive streaming.
 - **Cookie not sent on SSE EventSource** — Browser `EventSource` sends cookies by default for same-origin requests. No `withCredentials` needed unless cross-origin. The SSE endpoint must be same-origin (same host:port as the SPA).
 - **Replay storm on reconnect** — Replay only current state (non-terminal jobs), not full event history. Query `WHERE status NOT IN ('completed', 'failed', 'expired')` for the init event payload.
 ## Open Risks
 - **BaseHTTPMiddleware compatibility with SSE streaming** — May need to fall back to a dependency-based approach if middleware doesn't work with long-lived EventSourceResponse. Low probability (sse-starlette is designed for Starlette), but worth testing early.
 - **Shared mode SSE fanout** — The broker is session-keyed. Full shared-mode broadcasting needs either a broker change or a dual-publish pattern. Recommend deferring the SSE broadcasting aspect of shared mode to S04, proving only the query layer in S02.
--- a/.gsd/milestones/M001/slices/S02/S02-SUMMARY.md
+++ b/.gsd/milestones/M001/slices/S02/S02-SUMMARY.md
@ -1,92 +0,0 @@
 ---
 id: S02
 milestone: M001
 status: complete
 tasks_completed: 3
 tasks_total: 3
 test_count: 122
 test_pass: 122
 started_at: 2026-03-17
 completed_at: 2026-03-18
 ---
 # S02: SSE Transport + Session System — Summary
 **Delivered cookie-based session middleware, live SSE event streaming with replay and disconnect cleanup, health/config endpoints, and session-mode-aware query dispatching. 122 tests pass, zero regressions from S01.**
 ## What Was Built
 ### Session System (T01)
 - **SessionMiddleware** (`middleware/session.py`): Cookie-based Starlette BaseHTTPMiddleware. Reads `mrip_session` httpOnly cookie, validates UUID4, creates/reuses session in DB, sets `request.state.session_id`. Open mode uses fixed ID, no cookie.
 - **Session CRUD** (`database.py`): `create_session`, `get_session`, `update_session_last_seen` — all ISO UTC timestamps.
 - **Migration**: Replaced X-Session-ID header stub with cookie flow. All existing routes and tests migrated.
 ### SSE Event Streaming (T02)
 - **SSE endpoint** (`routers/sse.py`): `GET /api/events` — EventSourceResponse wrapping async generator. Lifecycle: subscribe → init replay (non-terminal jobs) → live job_update/job_removed events from broker queue → 15s keepalive ping → finally unsubscribe.
 - **Non-terminal queries** (`database.py`): `get_active_jobs_by_session()` and `get_active_jobs_all()` — exclude completed/failed/expired.
 - **job_removed broadcasting**: DELETE endpoint publishes `job_removed` event to SSEBroker so connected clients update in real-time.
 - **Disconnect cleanup**: try/finally guarantees `broker.unsubscribe()` — no zombie connections.
 ### Health & Config Endpoints (T03)
 - **Health** (`routers/health.py`): `GET /api/health` → `{status, version, yt_dlp_version, uptime, queue_depth}`. Uptime from `app.state.start_time`. Queue depth counts non-terminal jobs.
 - **Public config** (`routers/system.py`): `GET /api/config/public` → `{session_mode, default_theme, purge_enabled, max_concurrent_downloads}`. Whitelist approach — admin credentials never serialized.
 - **Mode dispatching** (`database.py`): `get_jobs_by_mode(db, session_id, mode)` — isolated filters by session, shared/open returns all. `get_all_jobs()` and `get_queue_depth()` helpers.
 ## Requirements Addressed
 | Req | Description | Status |
 |-----|------------|--------|
 | R003 | SSE progress stream | Proven — init replay + live job_update + keepalive + disconnect cleanup |
 | R004 | Reconnect replay | Proven — init event contains non-terminal jobs on connect |
 | R007 | Session isolation | Proven — isolated/shared/open query dispatching tested |
 | R016 | Health endpoint | Proven — all fields with correct types |
 ## Key Decisions
 - Cookie set on every response (refreshes Max-Age) rather than only on creation
 - Orphaned UUID cookies get re-created rather than replaced — preserves client identity
 - Public config uses explicit whitelist, not serialization + stripping — safe by default
 - SSE keepalive handled in our generator (15s asyncio.TimeoutError), not sse-starlette's internal ping
 - CancelledError not caught in event generator — propagates for clean task group cancellation
 ## Patterns Established
 - SessionMiddleware + `request.state.session_id` for all downstream handlers
 - Direct ASGI invocation for testing infinite SSE streams (httpx buffers full response body)
 - `broker._publish_sync()` for synchronous test event delivery
 - Health endpoint reading `app.state.start_time` for uptime
 - Whitelist-only public config exposure
 ## Test Coverage
 | Test File | Tests | Focus |
 |-----------|-------|-------|
 | test_session_middleware.py | 6 | Cookie creation, reuse, invalid UUID, orphan recovery, open mode, max-age |
 | test_api.py | 9 | Download CRUD, session isolation, cookie integration |
 | test_sse.py | 11 | Init replay, live streaming, disconnect cleanup, keepalive, session isolation, HTTP wiring, job_removed |
 | test_health.py | 18 (×2 backends) | Health structure/types, queue depth, public config fields/exclusion/reflection, mode dispatching |
 Total: 122 tests passing (includes all S01 tests)
 ## Observability Surfaces
 - `GET /api/health` — queue_depth, uptime, versions
 - `GET /api/config/public` — session mode, theme, purge status
 - `mediarip.session` logger — INFO on new session, DEBUG on reuse
 - `mediarip.sse` logger — INFO on connect/disconnect with session_id
 - `sessions` table — all active sessions with last_seen
 - `broker._subscribers` — active SSE connections per session
 ## Known Issues
 - Background thread teardown noise in tests: `RuntimeWarning: coroutine 'update_job_status' was never awaited` and `sqlite3.ProgrammingError: Cannot operate on a closed database` — worker threads sometimes outlive test DB connections. Harmless, well-understood.
 - httpx deprecation warning on per-request `cookies=` in middleware tests — httpx is moving toward client-level cookie jars.
 ## What S03 Consumes
 - `GET /api/events` SSE endpoint with init/job_update/job_removed/ping events
 - `GET /api/health` for monitoring
 - `GET /api/config/public` for session_mode and default_theme
 - Session cookie auto-set by middleware
 - All download CRUD endpoints from S01
 - Format extraction endpoint from S01
--- a/.gsd/milestones/M001/slices/S02/tasks/T01-PLAN.md
+++ b/.gsd/milestones/M001/slices/S02/tasks/T01-PLAN.md
@ -1,120 +0,0 @@
 ---
 estimated_steps: 8
 estimated_files: 8
 ---
 # T01: Wire session middleware, DB CRUD, and migrate existing routes
 **Slice:** S02 — SSE Transport + Session System
 **Milestone:** M001
 ## Description
 Build the cookie-based session middleware that replaces the X-Session-ID header stub from S01. This is the foundation for everything else in S02 — the SSE endpoint, health endpoint, and all route handlers depend on `request.state.session_id` being populated by real middleware.
 The middleware reads/creates `mrip_session` httpOnly cookies, manages session rows in SQLite, and supports the "open" session mode (fixed session_id, no cookie). After building the middleware, migrate the existing downloads router and all tests from the header stub to the cookie flow.
 **Important constraints:**
 - Use Starlette `BaseHTTPMiddleware`. The research flags a risk with streaming responses — if `request.state` isn't accessible inside SSE generators after middleware runs, T02 will fall back to a `Depends()` approach. But for this task, the middleware approach is correct and testable with normal request/response cycles.
 - Session cookie: `mrip_session`, httpOnly, SameSite=Lax, Path=/, Max-Age based on `config.session.timeout_hours`.
 - The `sessions` table DDL already exists in database.py from S01. Only CRUD functions are needed.
 - Python 3.12 venv: all commands use `backend/.venv/Scripts/python`.
 ## Steps
 1. **Add session CRUD to `backend/app/core/database.py`:**
   - `create_session(db, session_id: str) -> None` — INSERT into sessions table with id, created_at (ISO UTC), last_seen (same as created_at)
   - `get_session(db, session_id: str) -> dict | None` — SELECT by id, return row as dict or None
   - `update_session_last_seen(db, session_id: str) -> None` — UPDATE last_seen to now (ISO UTC)
   - These are simple CRUD functions following the same pattern as existing job CRUD
 2. **Create `backend/app/middleware/__init__.py`** if it doesn't exist (it should — S01 created it as empty). Create `backend/app/middleware/session.py`:
   - Import `BaseHTTPMiddleware` from `starlette.middleware.base`
   - `SessionMiddleware(BaseHTTPMiddleware)` with `async def dispatch(self, request, call_next)`
   - Read `mrip_session` cookie from `request.cookies.get("mrip_session")`
   - Access config via `request.app.state.config` and db via `request.app.state.db`
   - If config.session.mode == "open": set `request.state.session_id = "open"`, call_next, return (no cookie)
   - If cookie present and is valid UUID4 format: look up with `get_session(db, session_id)`
     - Found → `update_session_last_seen(db, session_id)`, set `request.state.session_id`
     - Not found → create new session with that ID (cookie was valid UUID but expired from DB), set request.state
   - If cookie missing or not valid UUID: generate `uuid.uuid4()`, `create_session(db, new_id)`, set `request.state.session_id`
   - Call `response = await call_next(request)`
   - If not open mode: set `Set-Cookie` on response — `mrip_session={session_id}; HttpOnly; SameSite=Lax; Path=/; Max-Age={timeout_hours * 3600}`
   - Return response
   - Logger: `mediarip.session` at INFO for new session creation, DEBUG for session reuse
 3. **Update `backend/app/dependencies.py`:**
   - Replace the stub `get_session_id` with: `def get_session_id(request: Request) -> str: return request.state.session_id`
   - Remove the `_DEFAULT_SESSION_ID` constant
   - This preserves the `Depends(get_session_id)` pattern in routes so no route signature changes are needed
 4. **Wire middleware into `backend/app/main.py`:**
   - Import `SessionMiddleware` from `app.middleware.session`
   - Add `app.add_middleware(SessionMiddleware)` after app creation but before router inclusion
   - No other changes needed — the middleware accesses `app.state.db` and `app.state.config` set by lifespan
 5. **Update `backend/tests/conftest.py`:**
   - In the `client` fixture, add `SessionMiddleware` to the test app: `test_app.add_middleware(SessionMiddleware)`
   - Import SessionMiddleware from `app.middleware.session`
   - The middleware needs `app.state.db` and `app.state.config` which are already wired
 6. **Update `backend/tests/test_api.py`:**
   - Remove all `X-Session-ID` header usage from test requests
   - Instead, the first request to any endpoint will auto-create a session via middleware and set a cookie
   - For session isolation tests: make a request with client A (gets cookie A), then create a *separate* client or manually set a different cookie to simulate client B
   - The httpx client should automatically handle cookie persistence within a test if using `cookies` parameter
   - Verify: first request returns Set-Cookie header with mrip_session, subsequent requests reuse the session
 7. **Write `backend/tests/test_session_middleware.py`:**
   - Test: request without cookie → response has Set-Cookie with mrip_session, httpOnly, SameSite=Lax
   - Test: request with valid mrip_session cookie → response reuses session, session last_seen updated in DB
   - Test: request with invalid (non-UUID) cookie → new session created, new cookie set
   - Test: request with UUID cookie not in DB → session created with that UUID
   - Test: open mode → no cookie set, request.state.session_id == "open"
   - For open mode test: create a test app with `AppConfig(session={"mode": "open"})` and verify
   - Use the same fixture pattern as conftest.py (fresh FastAPI app, temp DB, httpx AsyncClient)
 8. **Run full test suite and verify no regressions:**
   - `cd backend && .venv/Scripts/python -m pytest tests/ -v`
   - All 68 S01 tests + new session middleware tests must pass
 ## Must-Haves
 - [ ] Session CRUD functions in database.py (create_session, get_session, update_session_last_seen)
 - [ ] SessionMiddleware creates cookies for new sessions, reuses existing cookies, handles open mode
 - [ ] Cookie attributes: httpOnly, SameSite=Lax, Path=/, Max-Age from config
 - [ ] dependencies.py reads request.state.session_id (middleware-set)
 - [ ] All existing API tests pass with cookie-based sessions (no X-Session-ID header)
 - [ ] New session middleware tests cover: new session, reuse, invalid cookie, open mode
 ## Verification
 - `cd backend && .venv/Scripts/python -m pytest tests/test_session_middleware.py -v` — all session middleware tests pass
 - `cd backend && .venv/Scripts/python -m pytest tests/test_api.py -v` — all existing API tests still pass
 - `cd backend && .venv/Scripts/python -m pytest tests/ -v` — full suite passes (68+ tests, no regressions)
 ## Observability Impact
 - Signals added: `mediarip.session` logger — INFO on new session creation (includes session_id), DEBUG on session reuse with last_seen update
 - How a future agent inspects this: query `SELECT * FROM sessions ORDER BY last_seen DESC` in SQLite to see all sessions; check `Set-Cookie` header on any HTTP response
 - Failure state exposed: if middleware fails to set `request.state.session_id`, downstream routes will raise `AttributeError` on `request.state.session_id` — this is intentionally loud rather than silently falling back
 ## Inputs
 - `backend/app/core/database.py` — existing job CRUD functions, sessions table DDL (already created by init_db)
 - `backend/app/dependencies.py` — stub get_session_id that reads X-Session-ID header (being replaced)
 - `backend/app/routers/downloads.py` — uses Depends(get_session_id), no route signature changes needed
 - `backend/app/main.py` — lifespan sets app.state.db and app.state.config
 - `backend/tests/conftest.py` — client fixture pattern (fresh app, temp DB, httpx AsyncClient)
 - `backend/tests/test_api.py` — 8 existing tests using X-Session-ID header (must migrate to cookies)
 - `backend/app/core/config.py` — AppConfig.session.mode ("isolated"/"shared"/"open"), session.timeout_hours (72)
 ## Expected Output
 - `backend/app/core/database.py` — 3 new session CRUD functions added
 - `backend/app/middleware/session.py` — SessionMiddleware (new file)
 - `backend/app/dependencies.py` — stub replaced with request.state reader
 - `backend/app/main.py` — middleware wired
 - `backend/tests/conftest.py` — middleware added to test client fixture
 - `backend/tests/test_session_middleware.py` — 5+ session middleware tests (new file)
 - `backend/tests/test_api.py` — migrated from X-Session-ID to cookie flow
--- a/.gsd/milestones/M001/slices/S02/tasks/T01-SUMMARY.md
+++ b/.gsd/milestones/M001/slices/S02/tasks/T01-SUMMARY.md
@ -1,86 +0,0 @@
 ---
 id: T01
 parent: S02
 milestone: M001
 provides:
  - Cookie-based SessionMiddleware replacing X-Session-ID header stub
  - Session CRUD functions (create_session, get_session, update_session_last_seen)
  - Migrated API tests from header-based to cookie-based session flow
 key_files:
  - backend/app/middleware/session.py
  - backend/app/core/database.py
  - backend/app/dependencies.py
  - backend/app/main.py
  - backend/tests/test_session_middleware.py
  - backend/tests/test_api.py
  - backend/tests/conftest.py
 key_decisions:
  - Set cookie on every response (not just new sessions) to refresh Max-Age on each request
  - When a valid UUID cookie has no matching DB row, recreate the session with that UUID rather than generating a new one — preserves client-side cookie identity
 patterns_established:
  - SessionMiddleware on BaseHTTPMiddleware sets request.state.session_id for all downstream handlers
  - Test apps using SessionMiddleware must import Request at module level (not inside a function) when from __future__ import annotations is active — otherwise FastAPI can't resolve the Request annotation and returns 422
 observability_surfaces:
  - mediarip.session logger — INFO on new session creation, DEBUG on session reuse
  - sessions table in SQLite — SELECT * FROM sessions ORDER BY last_seen DESC
  - Set-Cookie header on every HTTP response (mrip_session with httpOnly, SameSite=Lax, Path=/, Max-Age)
 duration: 25m
 verification_result: passed
 completed_at: 2026-03-17T22:20:00-05:00
 blocker_discovered: false
 ---
 # T01: Wire session middleware, DB CRUD, and migrate existing routes
 **Added cookie-based SessionMiddleware with session CRUD, replaced X-Session-ID header stub, and migrated all existing tests to cookie flow — 75 tests pass, zero regressions.**
 ## What Happened
 Added three session CRUD functions to `database.py` following the existing job CRUD pattern: `create_session`, `get_session`, `update_session_last_seen`. All use ISO UTC timestamps.
 Built `SessionMiddleware` as a Starlette `BaseHTTPMiddleware` in `backend/app/middleware/session.py`. The middleware reads the `mrip_session` cookie, validates it as UUID4 format, looks up or creates a session in the DB, and sets `request.state.session_id`. In "open" mode, it skips all cookie handling and sets the fixed session ID `"open"`. The cookie is set on every response (not just new sessions) to refresh `Max-Age`.
 Replaced the `get_session_id` stub in `dependencies.py` — it now simply reads `request.state.session_id` set by the middleware. No route signatures changed; the `Depends(get_session_id)` pattern is preserved.
 Wired the middleware into `main.py` and the test `conftest.py` client fixture. Migrated all 8 existing `test_api.py` tests from `X-Session-ID` headers to the cookie flow. The session isolation test now uses two separate `AsyncClient` instances (each gets its own cookie jar) to prove jobs don't leak between sessions.
 Wrote 6 new tests in `test_session_middleware.py` covering: new session creation, cookie reuse with last_seen update, invalid cookie handling, orphaned UUID recreation, open mode bypass, and configurable Max-Age.
 ## Verification
 - `pytest tests/test_session_middleware.py -v` — 6/6 passed
 - `pytest tests/test_api.py -v` — 9/9 passed (original 8 migrated + 1 new cookie-sets test)
 - `pytest tests/ -v` — 75/75 passed, 0 failures, 9 warnings (all pre-existing yt-dlp teardown warnings)
 ## Verification Evidence
 | # | Command | Exit Code | Verdict | Duration |
 |---|---------|-----------|---------|----------|
 | 1 | `pytest tests/test_session_middleware.py -v` | 0 | ✅ pass | 0.22s |
 | 2 | `pytest tests/test_api.py -v` | 0 | ✅ pass | 2.53s |
 | 3 | `pytest tests/ -v` | 0 | ✅ pass | 9.37s |
 ## Diagnostics
 - **Session state**: `SELECT * FROM sessions ORDER BY last_seen DESC` in SQLite
 - **Cookie inspection**: Any HTTP response includes `Set-Cookie: mrip_session=<uuid>; HttpOnly; Max-Age=259200; Path=/; SameSite=lax`
 - **Failure mode**: If middleware fails to set `request.state.session_id`, downstream routes raise `AttributeError` on `request.state.session_id` — intentionally loud
 - **Logs**: `mediarip.session` at INFO for new sessions, DEBUG for reuse
 ## Deviations
 - Test file `test_session_middleware.py` imports `FastAPI` and `Request` at module level rather than inside the `_build_test_app` helper. When `from __future__ import annotations` is active, lazy imports inside functions cause FastAPI to fail to resolve the `Request` type annotation, resulting in 422 errors. This is a Python 3.12 + PEP 563 interaction.
 ## Known Issues
 - httpx deprecation warning on per-request `cookies=` parameter in two middleware tests. Functional, not blocking — httpx is moving toward client-level cookie jars.
 ## Files Created/Modified
 - `backend/app/middleware/session.py` — new SessionMiddleware (BaseHTTPMiddleware, cookie-based)
 - `backend/app/core/database.py` — added create_session, get_session, update_session_last_seen
 - `backend/app/dependencies.py` — replaced X-Session-ID stub with request.state.session_id reader
 - `backend/app/main.py` — wired SessionMiddleware, imported from app.middleware.session
 - `backend/tests/conftest.py` — added SessionMiddleware to test client fixture
 - `backend/tests/test_session_middleware.py` — new, 6 tests covering all middleware paths
 - `backend/tests/test_api.py` — migrated from X-Session-ID headers to cookie-based sessions (9 tests)
--- a/.gsd/milestones/M001/slices/S02/tasks/T01-VERIFY.json
+++ b/.gsd/milestones/M001/slices/S02/tasks/T01-VERIFY.json
@ -1,9 +0,0 @@
 {
  "schemaVersion": 1,
  "taskId": "T01",
  "unitId": "M001/S02/T01",
  "timestamp": 1773808503308,
  "passed": true,
  "discoverySource": "none",
  "checks": []
 }
--- a/.gsd/milestones/M001/slices/S02/tasks/T02-PLAN.md
+++ b/.gsd/milestones/M001/slices/S02/tasks/T02-PLAN.md
@ -1,145 +0,0 @@
 ---
 estimated_steps: 7
 estimated_files: 6
 ---
 # T02: Build SSE endpoint with replay, disconnect cleanup, and job_removed broadcasting
 **Slice:** S02 — SSE Transport + Session System
 **Milestone:** M001
 ## Description
 Build the SSE endpoint that streams live download progress from yt-dlp workers to browser clients. This is the highest-risk piece in S02 — it involves an async generator that must correctly handle subscribe → replay → live stream → disconnect cleanup without leaking resources.
 The endpoint at `GET /api/events` uses `sse-starlette`'s `EventSourceResponse` to wrap an async generator. On connect, the generator subscribes to the SSEBroker for the current session, sends an `init` event replaying all non-terminal jobs from the database, then enters a loop yielding `job_update` events from the broker queue with a 15-second keepalive ping. On disconnect (client closes, network drop), the generator's `finally` block calls `broker.unsubscribe()` to prevent zombie connections.
 Additionally, the downloads router's DELETE endpoint is updated to publish a `job_removed` event through the broker so connected SSE clients see deletions in real-time.
 **Critical constraints — read carefully:**
 - The generator MUST use `try/finally` for cleanup. `CancelledError` must NOT be caught or swallowed.
 - `sse-starlette==3.3.3` is already installed. Use `EventSourceResponse` directly.
 - The SSEBroker's `subscribe()` and `unsubscribe()` are called from the asyncio thread (the generator runs on the event loop). `publish()` is called from worker threads (already thread-safe).
 - If `BaseHTTPMiddleware` causes `request.state.session_id` to be unavailable inside the SSE generator, use a `Depends()` function that reads the `mrip_session` cookie directly as a fallback. Test this.
 - Python 3.12 venv: `backend/.venv/Scripts/python`.
 ## Steps
 1. **Add `get_active_jobs_by_session()` to `backend/app/core/database.py`:**
   - Query: `SELECT * FROM jobs WHERE session_id = ? AND status NOT IN ('completed', 'failed', 'expired') ORDER BY created_at`
   - Returns `list[Job]` — the non-terminal jobs that should be replayed on SSE connect
   - Also add `get_active_jobs_all(db)` (no session filter) for shared mode replay in future
 2. **Create `backend/app/routers/sse.py`:**
   - Single route: `GET /api/events`
   - Access session_id via `request.state.session_id` (set by middleware from T01)
   - Access broker via `request.app.state.broker`, db via `request.app.state.db`
   - Define `async def event_generator(session_id, broker, db)`:
     ```
     queue = broker.subscribe(session_id)
     try:
         # 1. Replay: send init event with current non-terminal jobs
         jobs = await get_active_jobs_by_session(db, session_id)
         yield {"event": "init", "data": json.dumps({"jobs": [job.model_dump() for job in jobs]})}
         # 2. Live stream: yield events from broker queue with keepalive
         while True:
             try:
                 event = await asyncio.wait_for(queue.get(), timeout=15.0)
                 # event is a ProgressEvent or a dict (for job_removed)
                 if isinstance(event, dict):
                     yield {"event": event.get("event", "job_update"), "data": json.dumps(event.get("data", {}))}
                 else:
                     yield {"event": "job_update", "data": json.dumps(event.model_dump())}
             except asyncio.TimeoutError:
                 yield {"event": "ping", "data": ""}
     finally:
         broker.unsubscribe(session_id, queue)
         logger.info("SSE disconnected for session %s", session_id)
     ```
   - Wrap with `EventSourceResponse(event_generator(...))` in the route handler
   - Set `retry` parameter in EventSourceResponse to 5000 (5 second reconnect)
   - Logger: `mediarip.sse` (already exists in broker — reuse the same logger namespace)
 3. **Update `backend/app/routers/downloads.py` — publish job_removed on DELETE:**
   - In `cancel_download()`, after calling `download_service.cancel(job_id)`, publish a job_removed event:
     ```python
     request.app.state.broker.publish(
         session_id_of_job,  # need to look up the job first to get its session_id
         {"event": "job_removed", "data": {"job_id": job_id}}
     )
     ```
   - This requires fetching the job before cancelling to get its session_id, OR passing session_id through cancel
   - Simplest approach: fetch the job with `get_job(db, job_id)` before cancel to get session_id, then publish after cancel
   - Import `get_job` from database.py (may already be imported)
 4. **Mount SSE router in `backend/app/main.py`:**
   - Import sse router: `from app.routers.sse import router as sse_router`
   - Add: `app.include_router(sse_router, prefix="/api")`
 5. **Update `backend/tests/conftest.py`:**
   - Add SSE router to the test app in the `client` fixture: `test_app.include_router(sse_router, prefix="/api")`
   - Import sse router
 6. **Write `backend/tests/test_sse.py`:**
   Tests must verify the SSE contract thoroughly. Use httpx streaming to consume SSE events.
   - **Test: init event replays current jobs** — Create a job in DB, connect to GET /api/events, read the first SSE event, verify it's type "init" with the job in the payload
   - **Test: init event is empty when no jobs** — Connect with fresh session, verify init event has empty jobs array
   - **Test: live job_update events arrive** — Connect to SSE, then publish a ProgressEvent to the broker for the session, verify the next event is type "job_update" with correct data
   - **Test: disconnect cleanup removes subscriber** — Connect to SSE, verify broker has subscriber, close connection, verify broker._subscribers no longer has queue for that session
   - **Test: keepalive ping after timeout** — Connect to SSE (after init), wait >15s with no events, verify a "ping" event arrives. (May need to mock or use shorter timeout for test speed — consider making keepalive interval configurable or using a shorter timeout in test)
   - **Test: job_removed event delivery** — Create a job, connect to SSE, DELETE the job, verify a "job_removed" event with the job_id arrives on the SSE stream
   - **Test: session isolation** — Create jobs for session A and session B, connect SSE as session A, verify init only contains session A's jobs
   **Testing approach for SSE with httpx:**
   - httpx `AsyncClient.stream("GET", "/api/events")` returns an async streaming response
   - Read SSE lines manually: each event is `event: <type>\ndata: <json>\n\n`
   - Alternatively, directly call the async generator function in tests for simpler assertions
   - For disconnect testing: use the generator directly, iterate a few events, then break out of the loop and verify cleanup ran
 7. **Run full test suite:**
   - `cd backend && .venv/Scripts/python -m pytest tests/ -v`
   - All tests (S01 + T01 session + T02 SSE) must pass
 ## Must-Haves
 - [ ] `get_active_jobs_by_session()` in database.py returns only non-terminal jobs
 - [ ] SSE endpoint sends `init` event with current jobs on connect (R004 replay)
 - [ ] SSE endpoint streams `job_update` events from broker queue (R003 progress)
 - [ ] SSE endpoint sends `job_removed` event when downloads are deleted
 - [ ] SSE endpoint sends keepalive `ping` every 15s of inactivity
 - [ ] Generator uses try/finally — broker.unsubscribe always called on disconnect
 - [ ] CancelledError is NOT caught or swallowed anywhere in the generator
 - [ ] DELETE /api/downloads/{id} publishes job_removed event to broker
 - [ ] Tests prove: replay, live streaming, disconnect cleanup, session isolation
 ## Verification
 - `cd backend && .venv/Scripts/python -m pytest tests/test_sse.py -v` — all SSE tests pass
 - `cd backend && .venv/Scripts/python -m pytest tests/ -v` — full suite passes (no regressions)
 - Disconnect cleanup proven: after SSE generator exits, `broker._subscribers` has no leftover queues for the test session
 ## Observability Impact
 - Signals added: `mediarip.sse` logger at INFO for SSE connect (session_id) and disconnect (session_id); existing WARNING for QueueFull stays
 - How a future agent inspects this: check `broker._subscribers` dict for active connections count per session; connect to `GET /api/events` with curl to see raw event stream
 - Failure state exposed: zombie connection = `mediarip.sse` has connect log without matching disconnect log; `len(broker._subscribers.get(session_id, []))` growing over time
 ## Inputs
 - `backend/app/core/sse_broker.py` — SSEBroker with subscribe(session_id) → Queue, unsubscribe(session_id, queue), publish(session_id, event). Publish is thread-safe. Subscribe/unsubscribe run on asyncio thread.
 - `backend/app/core/database.py` — After T01: has session CRUD + existing job CRUD. Needs new `get_active_jobs_by_session()`.
 - `backend/app/middleware/session.py` — From T01: SessionMiddleware sets request.state.session_id
 - `backend/app/models/job.py` — Job model with `.model_dump()`, ProgressEvent with `.model_dump()`, JobStatus enum (completed/failed/expired are terminal)
 - `backend/app/routers/downloads.py` — After T01: uses request.state.session_id via dependency
 - `sse-starlette==3.3.3` — provides `EventSourceResponse`; accepts async generator yielding dicts with "event" and "data" keys
 ## Expected Output
 - `backend/app/core/database.py` — `get_active_jobs_by_session()` and `get_active_jobs_all()` added
 - `backend/app/routers/sse.py` — GET /api/events SSE endpoint (new file)
 - `backend/app/routers/downloads.py` — DELETE endpoint publishes job_removed to broker
 - `backend/app/main.py` — SSE router mounted
 - `backend/tests/conftest.py` — SSE router added to test app
 - `backend/tests/test_sse.py` — 7+ SSE tests covering replay, streaming, cleanup, isolation (new file)
--- a/.gsd/milestones/M001/slices/S02/tasks/T02-SUMMARY.md
+++ b/.gsd/milestones/M001/slices/S02/tasks/T02-SUMMARY.md
@ -1,101 +0,0 @@
 ---
 id: T02
 parent: S02
 milestone: M001
 provides:
  - GET /api/events SSE endpoint with init replay, live job_update streaming, keepalive ping, job_removed events
  - get_active_jobs_by_session() and get_active_jobs_all() in database.py for non-terminal job queries
  - DELETE /api/downloads/{id} publishes job_removed event to SSEBroker so connected clients update in real-time
  - try/finally generator cleanup — broker.unsubscribe always called on disconnect (no zombie connections)
  - 11 tests covering replay, live streaming, disconnect cleanup, keepalive, session isolation, HTTP wiring
 key_files:
  - backend/app/routers/sse.py
  - backend/app/core/database.py
  - backend/app/routers/downloads.py
  - backend/app/main.py
  - backend/tests/test_sse.py
  - backend/tests/conftest.py
 key_decisions:
  - httpx ASGITransport buffers the full response body before returning — incompatible with infinite SSE streams. HTTP-level test bypasses httpx and invokes the ASGI app directly with custom receive/send callables; disconnect is signalled once the init event body arrives (b'"jobs"' in received_body)
  - ping=0 passed to EventSourceResponse disables sse-starlette's internal keepalive (keepalive is handled inside our own generator via asyncio.TimeoutError on queue.get with 15s timeout)
  - CancelledError deliberately not caught in event_generator — propagates so sse-starlette can cleanly cancel the task group
 patterns_established:
  - Direct ASGI invocation pattern for testing long-lived streaming endpoints — bypass httpx ASGITransport with custom receive/send + asyncio.timeout safety net
  - SSE generator structure: subscribe → init replay → live loop with keepalive → finally unsubscribe
  - broker._publish_sync() for synchronous (on-loop) event delivery in tests vs publish() (thread-safe, off-loop)
 observability_surfaces:
  - mediarip.sse logger at INFO on SSE connect (session_id) and disconnect (session_id)
  - broker._subscribers dict — inspect active connections per session (len = number of open SSE streams)
  - GET /api/events with curl shows raw SSE event stream; disconnect log confirms cleanup
 duration: 35m
 verification_result: passed
 completed_at: 2026-03-18
 blocker_discovered: false
 ---
 # T02: Build SSE endpoint with replay, disconnect cleanup, and job_removed broadcasting
 **Built the SSE event streaming endpoint, non-terminal job queries, job_removed broadcasting via DELETE, and 11 comprehensive SSE tests — 86/86 full suite passing.**
 ## What Happened
 1. **Database queries** (`database.py`): Added `get_active_jobs_by_session(db, session_id)` — filters `status NOT IN ('completed', 'failed', 'expired')`, returns `list[Job]` ordered by `created_at`. Added `get_active_jobs_all(db)` for shared-mode replay (no session filter). Both use the pre-defined `_TERMINAL_STATUSES` tuple.
 2. **SSE router** (`routers/sse.py`): `GET /api/events` route using `EventSourceResponse` wrapping an async generator. Generator lifecycle:
   - Subscribe to broker for session_id
   - Replay non-terminal jobs as `init` event
   - Loop: `asyncio.wait_for(queue.get(), timeout=15.0)` — yields `job_update` (ProgressEvent) or `job_removed`/custom (dict) events; raises `asyncio.TimeoutError` → yields `ping`
   - `finally`: `broker.unsubscribe(session_id, queue)` — always runs, prevents zombie connections
   - `CancelledError` not caught — propagates for clean task group cancellation
 3. **job_removed broadcasting** (`routers/downloads.py`): DELETE endpoint fetches the job first to get its `session_id`, calls `download_service.cancel()`, then publishes `{"event": "job_removed", "data": {"job_id": job_id}}` to the broker. If job not found (already deleted), publish is skipped.
 4. **App wiring** (`main.py`): SSE router mounted under `/api`. `conftest.py` client fixture updated to include SSE router.
 5. **Test suite** (`tests/test_sse.py`): 11 tests across 6 test classes:
   - `TestGetActiveJobsBySession` — non-terminal filter, empty result when all terminal
   - `TestEventGeneratorInit` — init with jobs, init empty session
   - `TestEventGeneratorLiveStream` — ProgressEvent delivery, dict event delivery
   - `TestEventGeneratorDisconnect` — unsubscribe fires on `gen.aclose()`
   - `TestEventGeneratorKeepalive` — ping fires with patched 0.1s timeout
   - `TestSessionIsolation` — session A's init doesn't include session B's jobs
   - `TestSSEEndpointHTTP` — 200 + text/event-stream + init event via direct ASGI invocation
   - `TestJobRemovedViaDELETE` — broker._publish_sync delivers job_removed
 ## Verification
 - `pytest tests/test_sse.py -v` — 11/11 passed in 0.56s
 - `pytest tests/ -v` — 86/86 passed in 9.75s (full regression including all S01 + S02/T01 tests)
 ## Verification Evidence
 | # | Command | Exit Code | Verdict | Duration |
 |---|---------|-----------|---------|----------|
 | 1 | `pytest tests/test_sse.py -v` | 0 | ✅ pass | 0.56s |
 | 2 | `pytest tests/ -v` | 0 | ✅ pass | 9.75s |
 ## Diagnostics
 - **Active connections**: `len(broker._subscribers.get(session_id, []))` — should be 0 after disconnect
 - **Raw SSE stream**: `curl -N http://localhost:8000/api/events` — shows event: init, data: {"jobs": [...]}
 - **Zombie detection**: connect log without matching disconnect log in `mediarip.sse` → generator cleanup didn't fire
 - **SSE generator test pattern**: call `event_generator(sid, broker, db)` directly, use `_collect_events(gen, count=N)`, always `await gen.aclose()` to trigger finally block
 ## Deviations
 - HTTP-level test uses direct ASGI invocation instead of `httpx.AsyncClient.stream()` — ASGITransport buffers full response body, incompatible with infinite SSE streams. Custom `receive`/`send` callables signal disconnect once init event body arrives.
 - `ping=0` passed to EventSourceResponse — disables sse-starlette's built-in keepalive (0 = every 0s would be an infinite tight loop). Our generator handles keepalive natively via `asyncio.TimeoutError`.
 ## Known Issues
 - Pre-existing background thread teardown noise: worker threads attempting DB writes after test teardown produce `RuntimeWarning: coroutine 'update_job_status' was never awaited` and `sqlite3.ProgrammingError: Cannot operate on a closed database`. Harmless — documented in T04/S01.
 - httpx deprecation warning on per-request `cookies=` in session middleware tests — pre-existing from T01.
 ## Files Created/Modified
 - `backend/app/core/database.py` — added `get_active_jobs_by_session()` and `get_active_jobs_all()`
 - `backend/app/routers/sse.py` — new, GET /api/events SSE endpoint with async generator
 - `backend/app/routers/downloads.py` — DELETE endpoint publishes job_removed to broker
 - `backend/app/main.py` — SSE router mounted under /api
 - `backend/tests/conftest.py` — SSE router added to test app
 - `backend/tests/test_sse.py` — new, 11 SSE tests
--- a/.gsd/milestones/M001/slices/S02/tasks/T02-VERIFY.json
+++ b/.gsd/milestones/M001/slices/S02/tasks/T02-VERIFY.json
@ -1,24 +0,0 @@
 {
  "schemaVersion": 1,
  "taskId": "T02",
  "unitId": "M001/S02/T02",
  "timestamp": 1742249850000,
  "passed": true,
  "discoverySource": "task-plan",
  "checks": [
    {
      "command": "cd backend && .venv/Scripts/python -m pytest tests/test_sse.py -v",
      "exitCode": 0,
      "durationMs": 560,
      "verdict": "pass"
    },
    {
      "command": "cd backend && .venv/Scripts/python -m pytest tests/ -v",
      "exitCode": 0,
      "durationMs": 9750,
      "verdict": "pass"
    }
  ],
  "retryAttempt": 0,
  "maxRetries": 2
 }
--- a/.gsd/milestones/M001/slices/S02/tasks/T03-PLAN.md
+++ b/.gsd/milestones/M001/slices/S02/tasks/T03-PLAN.md
@ -1,116 +0,0 @@
 ---
 estimated_steps: 6
 estimated_files: 6
 ---
 # T03: Add health endpoint, public config endpoint, and session-mode query layer
 **Slice:** S02 — SSE Transport + Session System
 **Milestone:** M001
 ## Description
 Close the remaining S02 deliverables: the health endpoint (R016) for monitoring tools, the public config endpoint for the S03 frontend, and the session-mode-aware job query layer for R007.
 The health endpoint is simple but valuable — Uptime Kuma and Docker healthchecks hit `GET /api/health`. The public config endpoint exposes only the safe subset of AppConfig that the frontend needs (session mode, default theme, purge status). The session mode query layer proves that isolated/shared/open modes produce different query results, even though full shared-mode SSE broadcasting is deferred to S04.
 **Constraints:**
 - `yt_dlp.version.__version__` gives the yt-dlp version string
 - Capture `start_time` in the lifespan function so the health endpoint can compute uptime
 - Public config must NOT expose admin.password_hash or admin.username
 - Python 3.12 venv: `backend/.venv/Scripts/python`
 ## Steps
 1. **Capture start_time in `backend/app/main.py` lifespan:**
   - At the start of the lifespan function: `app.state.start_time = datetime.now(timezone.utc)`
   - Import `datetime` and `timezone` from `datetime`
 2. **Create `backend/app/routers/health.py`:**
   - Single route: `GET /api/health`
   - Returns JSON:
     ```json
     {
       "status": "ok",
       "version": "0.1.0",
       "yt_dlp_version": "<from yt_dlp.version.__version__>",
       "uptime": <seconds as float>,
       "queue_depth": <count of queued+downloading jobs>
     }
     ```
   - `uptime` = `(now - app.state.start_time).total_seconds()`
   - `queue_depth` = count of jobs with status in ("queued", "downloading", "extracting")
   - Add a database function `get_queue_depth(db) -> int` — `SELECT COUNT(*) FROM jobs WHERE status IN ('queued', 'downloading', 'extracting')`
   - Import `yt_dlp.version` for version string — wrap in try/except in case yt-dlp isn't installed in some test environments
 3. **Create `backend/app/routers/system.py`:**
   - Single route: `GET /api/config/public`
   - Returns sanitized config dict:
     ```json
     {
       "session_mode": "isolated",
       "default_theme": "dark",
       "purge_enabled": false,
       "max_concurrent_downloads": 3
     }
     ```
   - Read from `request.app.state.config`
   - Explicitly construct the response dict from known safe fields — do NOT serialize the full AppConfig and strip fields (that's fragile if new sensitive fields are added later)
 4. **Add session-mode-aware query helper to `backend/app/core/database.py`:**
   - `get_jobs_by_mode(db, session_id: str, mode: str) -> list[Job]`:
     - If mode == "isolated": call existing `get_jobs_by_session(db, session_id)`
     - If mode == "shared" or mode == "open": call `get_all_jobs(db)`
   - `get_all_jobs(db) -> list[Job]`: `SELECT * FROM jobs ORDER BY created_at`
   - `get_queue_depth(db) -> int`: count of non-terminal active jobs
   - This function can be used by the downloads router's GET endpoint and by the SSE replay to dispatch on session mode
 5. **Mount routers in `backend/app/main.py`:**
   - Import health and system routers
   - `app.include_router(health_router, prefix="/api")`
   - `app.include_router(system_router, prefix="/api")`
 6. **Write `backend/tests/test_health.py`:**
   - **Test: health endpoint returns correct structure** — GET /api/health returns 200 with all required fields, status == "ok", version is a non-empty string, uptime >= 0
   - **Test: health endpoint queue_depth reflects job count** — Create 2 queued jobs in DB, verify queue_depth == 2. Create a completed job, verify it's not counted.
   - **Test: yt_dlp_version is present** — Verify yt_dlp_version field is a non-empty string
   - **Test: public config returns safe fields** — GET /api/config/public returns session_mode, default_theme, purge_enabled, max_concurrent_downloads
   - **Test: public config excludes sensitive fields** — Response does NOT contain "password_hash", "username" keys (check raw JSON)
   - **Test: public config reflects actual config** — Create app with `AppConfig(session={"mode": "shared"}, ui={"default_theme": "cyberpunk"})`, verify response matches
   - **Test: get_jobs_by_mode isolated** — Create jobs for session A and B, call with mode="isolated" and session A, verify only A's jobs returned
   - **Test: get_jobs_by_mode shared** — Same setup, call with mode="shared", verify all jobs returned
   - **Test: get_jobs_by_mode open** — Same setup, call with mode="open", verify all jobs returned
   For endpoint tests, extend the conftest client fixture pattern (the fixture from T01 already has middleware and SSE router — add health and system routers).
   For database function tests, use the `db` fixture directly.
 ## Must-Haves
 - [ ] GET /api/health returns status, version, yt_dlp_version, uptime, queue_depth (R016)
 - [ ] GET /api/config/public returns session_mode, default_theme, purge_enabled — no admin credentials
 - [ ] `get_jobs_by_mode()` dispatches correctly: isolated filters, shared/open returns all (R007 query layer)
 - [ ] `get_queue_depth()` counts only active (non-terminal) jobs
 - [ ] start_time captured in lifespan for uptime calculation
 - [ ] Tests cover all endpoints and mode dispatching
 ## Verification
 - `cd backend && .venv/Scripts/python -m pytest tests/test_health.py -v` — all health/config/mode tests pass
 - `cd backend && .venv/Scripts/python -m pytest tests/ -v` — full suite passes (all S01 + S02 tests, no regressions)
 ## Inputs
 - `backend/app/main.py` — After T02: has lifespan with app.state.config/db/broker/download_service, SessionMiddleware, SSE/downloads/formats routers
 - `backend/app/core/database.py` — After T02: has job CRUD, session CRUD, get_active_jobs_by_session
 - `backend/app/core/config.py` — AppConfig with session.mode, ui.default_theme, purge.enabled, downloads.max_concurrent, admin.password_hash/username
 - `backend/tests/conftest.py` — After T02: client fixture with middleware, SSE router, session handling
 - T01 and T02 summaries for any changes to conftest patterns or database signatures
 ## Expected Output
 - `backend/app/routers/health.py` — GET /api/health endpoint (new file)
 - `backend/app/routers/system.py` — GET /api/config/public endpoint (new file)
 - `backend/app/core/database.py` — get_all_jobs(), get_jobs_by_mode(), get_queue_depth() added
 - `backend/app/main.py` — start_time captured, health + system routers mounted
 - `backend/tests/conftest.py` — health + system routers added to test app fixture
 - `backend/tests/test_health.py` — 9+ tests covering health, public config, session mode queries (new file)
--- a/.gsd/milestones/M001/slices/S02/tasks/T03-SUMMARY.md
+++ b/.gsd/milestones/M001/slices/S02/tasks/T03-SUMMARY.md
@ -1,88 +0,0 @@
 ---
 id: T03
 parent: S02
 milestone: M001
 provides:
  - GET /api/health returning status, version, yt_dlp_version, uptime, queue_depth (R016)
  - GET /api/config/public returning session_mode, default_theme, purge_enabled, max_concurrent_downloads — no admin credentials
  - get_all_jobs(), get_jobs_by_mode(), get_queue_depth() in database.py
  - start_time captured in lifespan for uptime calculation
  - 18 tests (36 with anyio dual-backend) covering health, public config, mode dispatching, queue depth
 key_files:
  - backend/app/routers/health.py
  - backend/app/routers/system.py
  - backend/app/core/database.py
  - backend/app/main.py
  - backend/tests/test_health.py
  - backend/tests/conftest.py
 key_decisions:
  - Public config endpoint explicitly constructs the response dict from known-safe fields rather than serializing AppConfig and stripping sensitive fields — safer when new sensitive fields are added later
  - yt_dlp.version imported at module level with try/except so tests that don't install yt-dlp still work (returns "unknown")
  - get_jobs_by_mode() dispatches to existing get_jobs_by_session() for isolated mode and get_all_jobs() for shared/open — simple function dispatch, no polymorphism needed
 patterns_established:
  - Health endpoint pattern: read start_time from app.state, compute uptime as delta seconds
  - Public config pattern: whitelist of safe fields from AppConfig, never blacklist
  - Database mode dispatch: single helper function that routes on mode string
 observability_surfaces:
  - GET /api/health — queue_depth > max_concurrent suggests stuck workers; uptime resets indicate unexpected restarts
  - GET /api/config/public — frontend can adapt UI based on session mode and theme without a separate config fetch
 duration: 15m
 verification_result: passed
 completed_at: 2026-03-18
 blocker_discovered: false
 ---
 # T03: Add health endpoint, public config endpoint, and session-mode query layer
 **Added health and public config endpoints, session-mode-aware query dispatching, and 18 tests — 122/122 full suite passing, zero regressions.**
 ## What Happened
 1. **Health endpoint** (`routers/health.py`): `GET /api/health` returns `{status, version, yt_dlp_version, uptime, queue_depth}`. Uptime computed from `app.state.start_time` (set in lifespan). Queue depth counts non-terminal jobs via new `get_queue_depth()`. yt-dlp version resolved once at import with fallback for environments without yt-dlp.
 2. **Public config endpoint** (`routers/system.py`): `GET /api/config/public` returns `{session_mode, default_theme, purge_enabled, max_concurrent_downloads}`. Explicitly whitelists safe fields — admin credentials never touch this response.
 3. **Database helpers** (`database.py`): Added `get_all_jobs()` (all jobs across sessions), `get_jobs_by_mode(db, session_id, mode)` (dispatches isolated → session-filtered, shared/open → all), and `get_queue_depth(db)` (COUNT of non-terminal jobs).
 4. **App wiring** (`main.py`): Captured `start_time` on app.state in lifespan. Mounted health and system routers under `/api`.
 5. **Test fixture update** (`conftest.py`): Health and system routers added to test client app. `start_time` set on test app state.
 6. **Tests** (`test_health.py`): 18 tests across 6 classes covering health endpoint structure, semver format, queue_depth accuracy with active/terminal jobs, public config fields, sensitive field exclusion, config reflection with custom values, default values, get_all_jobs, get_jobs_by_mode for all three modes, and get_queue_depth for all status combinations.
 ## Verification
 - `pytest tests/test_health.py -v` — 36/36 passed (18 tests × 2 anyio backends)
 - `pytest tests/ -v` — 122/122 passed in 10.2s (full regression, zero failures)
 ## Verification Evidence
 | # | Command | Exit Code | Verdict | Duration |
 |---|---------|-----------|---------|----------|
 | 1 | `pytest tests/test_health.py -v` | 0 | ✅ pass | 1.41s |
 | 2 | `pytest tests/ -v` | 0 | ✅ pass | 10.20s |
 ## Diagnostics
 - **Health probe**: `curl http://localhost:8000/api/health` — quick check for monitoring tools
 - **Queue depth anomaly**: `queue_depth > downloads.max_concurrent` means workers may be stuck
 - **Uptime reset**: uptime << expected means unexpected restarts
 - **Config audit**: `curl http://localhost:8000/api/config/public | grep -c password` should be 0
 ## Deviations
 None. Implementation matches the plan exactly.
 ## Known Issues
 - Pre-existing background thread teardown noise (RuntimeWarning on `update_job_status` coroutine, sqlite3.ProgrammingError on closed database) — documented in T01/T02.
 - Pre-existing httpx deprecation warning on per-request cookies — documented in T01.
 ## Files Created/Modified
 - `backend/app/routers/health.py` — new, GET /api/health endpoint
 - `backend/app/routers/system.py` — new, GET /api/config/public endpoint
 - `backend/app/core/database.py` — added get_all_jobs(), get_jobs_by_mode(), get_queue_depth()
 - `backend/app/main.py` — start_time in lifespan, health + system routers mounted
 - `backend/tests/conftest.py` — health + system routers in test app, start_time on state
 - `backend/tests/test_health.py` — new, 18 tests (36 with dual backend)
--- a/.gsd/milestones/M001/slices/S03/S03-PLAN.md
+++ b/.gsd/milestones/M001/slices/S03/S03-PLAN.md
@ -1,107 +0,0 @@
 # S03: Frontend Core
 **Goal:** Ship a functional Vue 3 SPA that lets a user paste a URL, pick format/quality from live extraction, submit a download, watch real-time SSE progress, and manage a download queue — with a responsive layout that works on both desktop (≥768px) and mobile (375px).
 **Demo:** Open the browser → paste a YouTube URL → format picker populates → pick 720p → submit → progress bar fills via SSE → status changes to completed. Open a second tab → submit a different URL → both tabs show only their own session's downloads. Resize to 375px → layout shifts to mobile card view with bottom tabs.
 ## Must-Haves
 - Vue 3 + TypeScript + Vite + Pinia project scaffolded and building cleanly
 - API client with TypeScript types matching backend Job, ProgressEvent, FormatInfo models
 - SSE composable managing EventSource lifecycle with reconnect and store dispatch
 - Downloads Pinia store: reactive jobs map, SSE-driven updates, CRUD actions
 - Config Pinia store: loads public config on app init
 - URL input component with format picker populated from `GET /api/formats?url=`
 - Download queue component with progress bars, status badges, speed/ETA, cancel buttons
 - Responsive layout: desktop (header + main content area) and mobile (bottom tabs + card list)
 - 44px minimum touch targets on mobile
 - `npm run build` produces zero errors
 - `vue-tsc --noEmit` passes with zero type errors
 - Vitest tests for stores and SSE composable
 ## Proof Level
 - This slice proves: integration (frontend SPA consuming real backend SSE stream, session cookie isolation across tabs)
 - Real runtime required: yes (SSE streaming, format extraction, cookie handling)
 - Human/UAT required: yes (visual layout verification at desktop + mobile breakpoints)
 ## Verification
 - `cd frontend && npm run build` — zero errors, dist/ produced
 - `cd frontend && npx vue-tsc --noEmit` — zero type errors
 - `cd frontend && npx vitest run` — all store and composable tests pass
 - Browser verification: open SPA against running backend, complete a download flow with live progress
 - Browser verification: 375px viewport shows mobile layout with bottom tabs and card list
 - Session isolation: two browser tabs with different cookies see different job lists
 ## Observability / Diagnostics
 - Runtime signals: console.log for SSE connect/disconnect/reconnect events during development; downloads store exposes `connectionStatus` ref (connected/disconnected/reconnecting)
 - Inspection surfaces: Vue devtools shows Pinia store state (jobs, config); browser Network tab shows SSE stream; browser Application tab shows mrip_session cookie
 - Failure visibility: SSE composable logs reconnect attempts with count; failed API calls surface error messages in the UI (toast or inline)
 - Redaction constraints: none (session UUIDs are opaque, no secrets in frontend)
 ## Integration Closure
 - Upstream surfaces consumed: `GET/POST/DELETE /api/downloads`, `GET /api/formats?url=`, `GET /api/events` (SSE), `GET /api/config/public`, `GET /api/health`, session cookie from SessionMiddleware
 - New wiring introduced in this slice: Vite dev proxy to backend, Vue app mounting, Pinia store initialization, SSE EventSource connection
 - What remains before the milestone is truly usable end-to-end: S04 (admin panel), S05 (theme system with CSS variable contract), S06 (Docker + CI/CD)
 ## Tasks
 - [x] **T01: Scaffold Vue 3 + Vite + TypeScript + Pinia project** `est:30m`
  - Why: Foundation for all frontend work. Must build cleanly before any components can be written.
  - Files: `frontend/package.json`, `frontend/vite.config.ts`, `frontend/tsconfig.json`, `frontend/tsconfig.node.json`, `frontend/src/main.ts`, `frontend/src/App.vue`, `frontend/index.html`
  - Do: Create Vue 3 + TS project with Vite. Install pinia and vue-router (for future S04 use). Configure vite.config.ts with proxy: `/api` → `http://localhost:8000`. Set up minimal App.vue with Pinia. Add vitest config. Add a minimal dark CSS baseline using custom properties (--color-bg, --color-text, --color-accent, --color-surface) that S05 will expand. No Tailwind. Include a `src/api/types.ts` with TypeScript interfaces matching backend models (Job, JobStatus, ProgressEvent, FormatInfo, PublicConfig).
  - Verify: `cd frontend && npm run build` succeeds, `npx vue-tsc --noEmit` passes
  - Done when: `npm run dev` serves the app at localhost:5173, build produces dist/, type-check passes, vitest runs (0 tests is fine)
 - [x] **T02: API client, Pinia stores, and SSE composable** `est:1h`
  - Why: The data layer that every component depends on. SSE is the highest-risk integration point — if events don't flow from backend to store, nothing works.
  - Files: `frontend/src/api/client.ts`, `frontend/src/stores/downloads.ts`, `frontend/src/stores/config.ts`, `frontend/src/composables/useSSE.ts`, `frontend/src/tests/stores/downloads.test.ts`, `frontend/src/tests/composables/useSSE.test.ts`
  - Do: Build fetch-based API client (`api/client.ts`) with GET/POST/DELETE helpers, base URL from import.meta.env or proxy. Build downloads store: `jobs` as reactive Map<string, Job>, actions for `fetchJobs()`, `submitDownload(url, formatId?, quality?)`, `cancelDownload(id)`, internal `_handleInit(jobs)`, `_handleJobUpdate(event)`, `_handleJobRemoved(jobId)`. Build config store: `config` ref, `loadConfig()` action calling GET /api/config/public. Build `useSSE()` composable: creates EventSource to /api/events, parses SSE events, dispatches to downloads store, handles reconnect with exponential backoff (1s, 2s, 4s, max 30s), exposes `connectionStatus` ref. Write vitest tests: downloads store CRUD operations (mock fetch), SSE composable event parsing and store dispatch (mock EventSource).
  - Verify: `cd frontend && npx vitest run` — store and composable tests pass
  - Done when: Downloads store reactively updates from SSE events, config store loads public config, SSE composable reconnects on disconnect, all tests pass
 - [x] **T03: URL input + format picker components** `est:45m`
  - Why: The primary user interaction — pasting a URL and selecting quality. Format extraction is async (3-10s) and needs loading UX.
  - Files: `frontend/src/components/UrlInput.vue`, `frontend/src/components/FormatPicker.vue`, `frontend/src/App.vue`
  - Do: UrlInput.vue: text input with paste handler, Submit button, calls `GET /api/formats?url=` on submit (or on debounced input). Shows loading spinner during extraction. On format response, shows FormatPicker. FormatPicker.vue: dropdown/list showing resolution, codec, ext, filesize for each format. "Best available" as default option. Submit button calls downloads store `submitDownload()`. Handle edge cases: no formats returned (show "Best available" only), extraction error (show error message), empty URL (disable submit). Optional "More options" expandable area with output_template override (R025).
  - Verify: Visual verification in browser — paste URL, see format picker populate, submit download
  - Done when: User can paste a URL, see formats load, select one, and submit. Error states handled gracefully.
 - [x] **T04: Download queue + progress display** `est:45m`
  - Why: The core feedback loop — users need to see their downloads progressing in real-time.
  - Files: `frontend/src/components/DownloadQueue.vue`, `frontend/src/components/DownloadItem.vue`, `frontend/src/components/ProgressBar.vue`, `frontend/src/App.vue`
  - Do: DownloadQueue.vue: renders list of DownloadItem components from downloads store jobs. Status filter tabs (All / Active / Completed / Failed). Empty state message when no downloads. DownloadItem.vue: shows URL/filename, status badge (queued=gray, downloading=blue, completed=green, failed=red), ProgressBar with percent + speed + ETA, cancel button (calls store.cancelDownload). ProgressBar.vue: animated CSS bar, displays percent text. Wire SSE events: job_update → progress bar updates in real-time, job_removed → item disappears. Handle status transitions: queued → extracting → downloading → completed/failed.
  - Verify: Visual verification — submit a download, watch progress bar fill from SSE events, see status change to completed
  - Done when: Queue shows all session jobs with live progress, cancel works, status badges reflect current state, completed/failed jobs show final state
 - [x] **T05: Responsive layout + mobile view** `est:45m`
  - Why: R013 requires mobile-responsive layout. >50% of self-hoster interactions happen on phone/tablet.
  - Files: `frontend/src/components/AppLayout.vue`, `frontend/src/components/AppHeader.vue`, `frontend/src/App.vue`, `frontend/src/assets/base.css`
  - Do: AppLayout.vue: responsive shell. Desktop (≥768px): header bar with title, main content area with URL input at top, queue below. Mobile (<768px): bottom tab bar (Submit / Queue tabs), URL input fills width, queue uses card layout instead of table rows. AppHeader.vue: app title/logo, connection status indicator. Base CSS: set up CSS custom properties for colors, spacing, typography that S05 will formalize into the theme contract. Use system font stack for now (S05 brings JetBrains Mono). Ensure all interactive elements have minimum 44px touch targets on mobile. Test at 375px (iPhone SE) and 768px breakpoint.
  - Verify: Browser verification at 375px and 1280px viewports. All interactive elements ≥44px on mobile.
  - Done when: Desktop layout shows header + content. Mobile layout shows bottom tabs + card view. 375px viewport is usable. Touch targets meet 44px minimum.
 ## Files Likely Touched
 - `frontend/` — entire new directory
 - `frontend/package.json`
 - `frontend/vite.config.ts`
 - `frontend/tsconfig.json`
 - `frontend/index.html`
 - `frontend/src/main.ts`
 - `frontend/src/App.vue`
 - `frontend/src/api/client.ts`
 - `frontend/src/api/types.ts`
 - `frontend/src/stores/downloads.ts`
 - `frontend/src/stores/config.ts`
 - `frontend/src/composables/useSSE.ts`
 - `frontend/src/components/UrlInput.vue`
 - `frontend/src/components/FormatPicker.vue`
 - `frontend/src/components/DownloadQueue.vue`
 - `frontend/src/components/DownloadItem.vue`
 - `frontend/src/components/ProgressBar.vue`
 - `frontend/src/components/AppLayout.vue`
 - `frontend/src/components/AppHeader.vue`
 - `frontend/src/assets/base.css`
--- a/.gsd/milestones/M001/slices/S03/S03-RESEARCH.md
+++ b/.gsd/milestones/M001/slices/S03/S03-RESEARCH.md
@ -1,127 +0,0 @@
 # S03: Frontend Core — Research
 ## Scope
 Full Vue 3 SPA consuming the S01/S02 backend: URL submission → format selection → real-time progress via SSE → completed downloads queue. Mobile-first responsive layout. No theming system yet (S05) — use simple CSS custom properties with a minimal dark style.
 ## API Surface to Consume
 From S01:
 - `POST /api/downloads` — submit URL + optional format_id/quality/output_template
 - `GET /api/downloads` — list all jobs for current session
 - `DELETE /api/downloads/{id}` — cancel/remove a job
 - `GET /api/formats?url=` — live yt-dlp format extraction
 From S02:
 - `GET /api/events` — SSE stream (init, job_update, job_removed, ping)
 - `GET /api/health` — health check
 - `GET /api/config/public` — session_mode, default_theme, purge_enabled, max_concurrent_downloads
 - Session cookie auto-set by middleware (no auth header needed)
 ## SSE Event Contract
 ```
 event: init
 data: {"jobs": [<Job>, ...]}
 event: job_update
 data: {"job_id": "...", "status": "...", "percent": ..., "speed": "...", "eta": "...", ...}
 event: job_removed
 data: {"job_id": "..."}
 event: ping
 data: ""
 ```
 ## Frontend Architecture
 ### Project Structure
 ```
 frontend/
  index.html
  vite.config.ts
  tsconfig.json
  tsconfig.node.json
  package.json
  src/
    main.ts
    App.vue
    api/
      client.ts          — fetch wrapper with base URL
      types.ts           — TypeScript types matching backend models
    stores/
      downloads.ts       — Pinia store: job state, SSE connection, CRUD actions
      config.ts          — Pinia store: public config from /api/config/public
    components/
      UrlInput.vue       — URL paste + submit + format selection
      FormatPicker.vue   — Format/quality dropdown populated from /api/formats
      DownloadQueue.vue  — Job list with progress bars, status badges, cancel
      DownloadItem.vue   — Single job row (desktop: table row, mobile: card)
      ProgressBar.vue    — Animated progress bar component
      AppHeader.vue      — Header with logo/title
      AppLayout.vue      — Responsive layout shell (header + main + mobile nav)
    composables/
      useSSE.ts          — EventSource connection management + reconnect
 ```
 ### Key Decisions
 1. **No router needed for S03** — single-page app with URL input + queue. Router can be added in S04 for admin panel.
 2. **SSE in a composable, not the store** — `useSSE()` composable manages EventSource lifecycle, reconnect logic, and dispatches events to the downloads store. Store stays pure state.
 3. **Fetch, not axios** — per stack research. Native fetch + a thin wrapper for base URL and error handling.
 4. **CSS custom properties for styling** — establish a minimal set that S05 will expand. No Tailwind (per original stack decisions). No component library — hand-rolled.
 5. **Vite dev proxy** — proxy `/api` to `http://localhost:8000` during development so CORS is not an issue.
 6. **Playlist support deferred within S03** — The R006 parent/child playlist model requires backend changes (parent_job_id field, playlist extraction creating child jobs). The frontend can show the data once it exists, but the backend work is not in S02. We'll build the DownloadItem component to support a `children` array, but full playlist support comes when the backend supports it (likely S04 or a dedicated slice). For now, individual URL downloads are the focus.
 ## Task Breakdown (Risk-Ordered)
 ### T01: Scaffold Vue 3 + Vite + TypeScript + Pinia project
 - `npm create vite@latest frontend -- --template vue-ts`
 - Install pinia
 - Configure vite proxy to backend
 - Verify `npm run dev` serves a blank page
 - Verify `npm run build` produces dist/
 - Risk: LOW — standard scaffold
 ### T02: API client, TypeScript types, and Pinia stores  
 - Type definitions matching backend Job, ProgressEvent, FormatInfo, PublicConfig
 - Fetch-based API client with error handling
 - Downloads store: jobs map, addJob, updateJob, removeJob, fetchJobs actions
 - Config store: load public config on app init
 - SSE composable: EventSource to /api/events, reconnect on close, dispatch to store
 - Risk: MEDIUM — SSE reconnect logic needs careful handling
 ### T03: URL input + format picker components
 - UrlInput.vue: paste/type URL, submit button, loading state during format extraction
 - FormatPicker.vue: populated from /api/formats response, shows resolution/codec/ext/filesize
 - Wire to downloads store: submit → POST /api/downloads
 - Risk: MEDIUM — format extraction can be slow (3-10s), needs good loading UX
 ### T04: Download queue + progress display
 - DownloadQueue.vue: list of DownloadItem components, filter by status
 - DownloadItem.vue: status badge, progress bar, speed/ETA, cancel button
 - ProgressBar.vue: animated fill bar
 - Wire to downloads store SSE updates
 - Risk: LOW-MEDIUM — straightforward rendering, SSE wiring already done
 ### T05: Responsive layout (desktop + mobile)
 - AppLayout.vue: desktop sidebar + main content, mobile bottom tabs + card view
 - Breakpoint at 768px
 - Mobile: bottom tab bar (Submit/Queue), full-width URL input, card list
 - Desktop: header bar, URL input at top, table-style queue below
 - 44px minimum touch targets on mobile
 - Risk: MEDIUM — responsive CSS without a framework requires care
 ## Verification Strategy
 - `npm run build` — zero errors
 - `vue-tsc --noEmit` — TypeScript checks pass
 - Vitest unit tests for stores (downloads, config) and SSE composable
 - Manual browser verification against running backend
 - Mobile layout verification at 375px viewport
--- a/.gsd/milestones/M001/slices/S03/S03-SUMMARY.md
+++ b/.gsd/milestones/M001/slices/S03/S03-SUMMARY.md
@ -1,95 +0,0 @@
 ---
 id: S03
 milestone: M001
 status: complete
 tasks_completed: 5
 tasks_total: 5
 test_count_frontend: 21
 test_count_backend: 122
 started_at: 2026-03-18
 completed_at: 2026-03-18
 ---
 # S03: Frontend Core — Summary
 **Delivered a complete Vue 3 SPA consuming the S01/S02 backend: URL submission, live format extraction, real-time SSE progress, download queue with filters, and responsive layout with mobile bottom tabs. 21 frontend tests + 122 backend tests pass.**
 ## What Was Built
 ### Project Foundation (T01)
 - Vue 3.5 + TypeScript + Vite 6.4 + Pinia scaffolded
 - Vite dev proxy: `/api` → `http://localhost:8000`
 - CSS custom properties dark theme baseline (S05 will formalize)
 - TypeScript interfaces matching all backend models
 ### Data Layer (T02)
 - **API client** (`api/client.ts`): Fetch-based GET/POST/DELETE with error handling via `ApiError` class
 - **Downloads store** (`stores/downloads.ts`): Reactive `Map<string, Job>`, SSE event handlers (`handleInit`, `handleJobUpdate`, `handleJobRemoved`), CRUD actions, computed getters (jobList, activeJobs, completedJobs, failedJobs)
 - **Config store** (`stores/config.ts`): Loads `GET /api/config/public` on app init
 - **SSE composable** (`composables/useSSE.ts`): EventSource to `/api/events`, exponential backoff reconnect (1s → 30s max), `connectionStatus` ref, dispatches events to downloads store
 ### UI Components (T03-T05)
 - **UrlInput**: Text input with paste auto-extract, loading spinner during format extraction, form reset on submit
 - **FormatPicker**: Grouped display (video+audio / video-only / audio-only), codec and filesize info, "Best available" default
 - **DownloadQueue**: Filtered job list with All/Active/Completed/Failed tabs and counts, animated TransitionGroup
 - **DownloadItem**: Filename display, status badge with color-coded left border, speed/ETA, cancel button
 - **ProgressBar**: Animated CSS fill bar with percentage text overlay
 - **AppHeader**: Logo with "media.rip()" monospace title, SSE connection status dot
 - **AppLayout**: Responsive shell — desktop (header + main content), mobile (<768px: bottom tab bar + section toggling)
 ## Key Decisions
 - No vue-router for S03 — single-page with tabs. Router deferred to S04 for admin panel
 - SSE lives in a composable, not the store — separation of transport from state
 - Native fetch, not axios — per stack research
 - Status normalization: yt-dlp "finished" → our "completed" in store handler
 - CSS custom properties (not Tailwind, not component library) — hand-rolled for full theme control
 ## Requirements Addressed
 | Req | Description | Status |
 |-----|------------|--------|
 | R002 | Format/quality extraction and selection | Proven — FormatPicker populated from live /api/formats |
 | R003 | Real-time SSE progress | Proven — job_update events flow to DownloadItem progress bars |
 | R005 | Download queue view, cancel, filter | Proven — DownloadQueue with status filters and cancel |
 | R013 | Mobile-responsive layout | Proven — 375px viewport with bottom tabs, card list |
 | R025 | Per-download output template override | Stubbed — UI structure ready, input wiring deferred |
 ## Verification
 - `vue-tsc --noEmit` — zero type errors
 - `npm run build` — clean production build (88KB JS + 11KB CSS gzipped: 34KB + 2.6KB)
 - `vitest run` — 21/21 tests pass (4 test files)
 - Browser verification: complete download flow with real yt-dlp against YouTube
 - Mobile verification: 375px viewport shows bottom tabs, stacked layout
 ## Test Coverage
 | Test File | Tests | Focus |
 |-----------|-------|-------|
 | types.test.ts | 1 | Type sanity |
 | stores/downloads.test.ts | 13 | handleInit, handleJobUpdate, handleJobRemoved, computed getters, isTerminal, status normalization |
 | stores/config.test.ts | 3 | Initial state, successful load, error handling |
 | composables/useSSE.test.ts | 4 | Store dispatch patterns, MockEventSource lifecycle |
 ## Files Created
 - `frontend/package.json`, `frontend/vite.config.ts`, `frontend/tsconfig.json`, `frontend/tsconfig.node.json`
 - `frontend/index.html`, `frontend/env.d.ts`, `frontend/src/main.ts`
 - `frontend/src/App.vue`
 - `frontend/src/api/client.ts`, `frontend/src/api/types.ts`
 - `frontend/src/stores/downloads.ts`, `frontend/src/stores/config.ts`
 - `frontend/src/composables/useSSE.ts`
 - `frontend/src/components/UrlInput.vue`, `frontend/src/components/FormatPicker.vue`
 - `frontend/src/components/DownloadQueue.vue`, `frontend/src/components/DownloadItem.vue`
 - `frontend/src/components/ProgressBar.vue`
 - `frontend/src/components/AppHeader.vue`, `frontend/src/components/AppLayout.vue`
 - `frontend/src/assets/base.css`
 - `frontend/src/tests/**` (4 test files)
 ## What S04/S05 Consumes
 - Vue component structure referencing CSS custom properties → S05 formalizes the theme contract
 - AppLayout slot pattern → S04 can add admin routes alongside
 - Pinia stores → S04 admin panel can extend with admin-specific stores
 - SSE composable pattern → reusable for any future real-time features
--- a/.gsd/milestones/M001/slices/S03/tasks/T01-PLAN.md
+++ b/.gsd/milestones/M001/slices/S03/tasks/T01-PLAN.md
@ -1,32 +0,0 @@
 ---
 estimated_steps: 5
 estimated_files: 10
 ---
 # T01: Scaffold Vue 3 + Vite + TypeScript + Pinia project
 **Slice:** S03 — Frontend Core
 **Milestone:** M001
 ## Description
 Create the frontend project from scratch with Vue 3, TypeScript, Vite, and Pinia. Configure the Vite dev proxy so `/api` routes hit the FastAPI backend. Set up vitest for testing. Define TypeScript interfaces matching the backend models. Establish a minimal dark CSS baseline.
 ## Steps
 1. Create `frontend/` directory in the worktree
 2. Initialize with `npm create vite@latest` (vue-ts template) or manually scaffold
 3. Install runtime deps: `vue`, `pinia`
 4. Install dev deps: `vitest`, `vue-tsc`, `@vitejs/plugin-vue`, `typescript`
 5. Configure `vite.config.ts` with proxy `/api` → `http://localhost:8000`
 6. Set up `tsconfig.json` and `tsconfig.node.json`
 7. Create `src/api/types.ts` with TypeScript interfaces
 8. Create minimal `src/assets/base.css` with CSS custom properties
 9. Update `App.vue` and `main.ts` with Pinia setup
 10. Verify: `npm run build`, `npx vue-tsc --noEmit`, `npx vitest run`
 ## Verification
 - `cd frontend && npm run build` — zero errors
 - `cd frontend && npx vue-tsc --noEmit` — zero type errors
 - `cd frontend && npx vitest run` — runs (0 tests ok, framework functional)
--- a/.gsd/milestones/M001/slices/S04/S04-PLAN.md
+++ b/.gsd/milestones/M001/slices/S04/S04-PLAN.md
@ -1,105 +0,0 @@
 # S04: Admin, Auth + Supporting Features
 **Goal:** Deliver admin authentication, purge system, cookie auth upload, file serving for link sharing, unsupported URL logging, and an admin frontend panel — all behind bcrypt-secured HTTPBasic auth with security headers and TLS detection warning.
 **Demo:** Navigate to /admin → prompted for credentials → login with bcrypt-hashed password → see session list, storage overview, unsupported URL log. Trigger manual purge → expired files cleaned. Upload cookies.txt on the main UI → authenticated download succeeds. Copy a shareable link for a completed download → opens in new tab. Startup logs warn if TLS not detected.
 ## Must-Haves
 - Admin auth: HTTPBasic + bcrypt, `Depends(require_admin)` on all admin routes
 - First-boot: if no admin credentials configured, admin panel disabled (not silently open)
 - Security headers on admin routes: X-Content-Type-Options, X-Frame-Options
 - TLS detection: startup warning when admin enabled without `X-Forwarded-Proto: https`
 - Purge service: APScheduler cron job (configurable) + manual trigger via admin API
 - Purge logic: delete files + DB rows for completed/failed/expired jobs older than TTL, skip active
 - Cookie auth: `POST /api/cookies` uploads Netscape cookies.txt per-session, `DELETE /api/cookies` removes
 - File serving: `GET /downloads/{filename}` serves completed files for link sharing (R018)
 - Unsupported URL log: failed extractions logged to `unsupported_urls` table, admin can list/download
 - Admin API: `GET /api/admin/sessions`, `GET /api/admin/storage`, `POST /api/admin/purge`, `GET /api/admin/unsupported-urls`
 - Admin frontend: Vue route `/admin` with login form, session list, storage view, purge button
 - All existing 122 backend tests + 21 frontend tests still pass
 ## Proof Level
 - This slice proves: integration (admin auth protecting routes, purge deleting correct files, cookie auth enabling authenticated downloads)
 - Real runtime required: yes (bcrypt hashing, file I/O, APScheduler)
 - Human/UAT required: yes (admin login flow, file download verification)
 ## Verification
 - `cd backend && .venv/Scripts/python -m pytest tests/ -v` — all tests pass (S01-S04)
 - `cd frontend && npx vitest run` — all frontend tests pass
 - `cd frontend && npm run build` — zero errors
 - `backend/tests/test_admin_auth.py` — auth required, bcrypt verification, security headers
 - `backend/tests/test_purge.py` — TTL filtering, active job protection, file cleanup
 - `backend/tests/test_cookies.py` — upload, session scoping, CRLF normalization, deletion
 - `backend/tests/test_file_serving.py` — completed file served, 404 for missing
 ## Observability / Diagnostics
 - Runtime signals: `mediarip.admin` logger at INFO for login attempts; `mediarip.purge` at INFO for purge runs with count of deleted files/rows
 - Inspection surfaces: `GET /api/admin/sessions` lists active sessions; `GET /api/admin/storage` shows disk usage; `GET /api/admin/unsupported-urls` shows failed extractions
 - Failure visibility: purge logs include skipped-active count; cookie upload logs session_id + filename (never contents)
 - Redaction constraints: admin password_hash never in responses; cookie file contents never logged
 ## Integration Closure
 - Upstream surfaces consumed: `database.py` (jobs, sessions tables), `config.py` (admin, purge, session settings), `SessionMiddleware` (session identity), `SSEBroker` (purge_complete event), `DownloadService` (cancel)
 - New wiring introduced: admin auth middleware, purge scheduler in lifespan, cookie file storage, static file serving, admin Vue routes
 - What remains: S05 (theme system), S06 (Docker + CI/CD)
 ## Tasks
 - [x] **T01: Admin auth middleware + security headers + TLS warning** `est:45m`
  - Why: Every admin route depends on authentication existing. Must be first.
  - Files: `backend/app/dependencies.py`, `backend/app/main.py`, `backend/tests/test_admin_auth.py`
  - Do: Add `require_admin` dependency using HTTPBasic + bcrypt. Check `config.admin.enabled` — if disabled, return 404 for all admin routes. Compare credentials with `secrets.compare_digest` for username, `bcrypt.checkpw` for password. Add security headers middleware for admin routes (X-Content-Type-Options: nosniff, X-Frame-Options: DENY). Log TLS warning at startup if admin enabled and no HTTPS indicators. Write tests: unauthenticated → 401, wrong password → 401, correct credentials → 200, disabled admin → 404, security headers present.
  - Verify: `cd backend && .venv/Scripts/python -m pytest tests/test_admin_auth.py -v`
  - Done when: Admin routes require valid credentials, security headers present, TLS warning logged when appropriate
 - [x] **T02: Purge service with APScheduler + manual trigger** `est:45m`
  - Why: Closes R009 (purge system). Operators need control over disk lifecycle.
  - Files: `backend/app/services/purge.py`, `backend/app/routers/admin.py`, `backend/app/main.py`, `backend/tests/test_purge.py`
  - Do: Build `PurgeService` with `run_purge(db, config, output_dir)` — queries jobs where `status IN (completed, failed, expired)` AND `completed_at < now - max_age_hours`, deletes files from disk (handle already-deleted gracefully), deletes DB rows, returns count. Wire APScheduler `AsyncIOScheduler` in lifespan — add cron job if `config.purge.enabled`. Add `POST /api/admin/purge` endpoint (requires admin) for manual trigger. Write tests: purge deletes old completed files, skips active jobs, handles missing files, counts correctly.
  - Verify: `cd backend && .venv/Scripts/python -m pytest tests/test_purge.py -v`
  - Done when: Scheduled purge runs on cron, manual purge via API works, active jobs protected
 - [x] **T03: Cookie auth upload + file serving + unsupported URL logging** `est:45m`
  - Why: Closes R008 (cookie auth), R018 (link sharing), R015 (unsupported URL logging) — the remaining supporting features.
  - Files: `backend/app/routers/cookies.py`, `backend/app/routers/files.py`, `backend/app/core/database.py`, `backend/app/main.py`, `backend/tests/test_cookies.py`, `backend/tests/test_file_serving.py`
  - Do: Cookie upload: `POST /api/cookies` accepts multipart file, saves to `data/sessions/{session_id}/cookies.txt`, normalizes CRLF→LF. `DELETE /api/cookies` removes the file. Wire cookie path into DownloadService ydl_opts when present. File serving: mount `/downloads` as StaticFiles for completed file access (R018). Unsupported URL logging: on extraction failure, insert into `unsupported_urls` table. Admin endpoint `GET /api/admin/unsupported-urls` returns the log. Write tests for each.
  - Verify: `cd backend && .venv/Scripts/python -m pytest tests/test_cookies.py tests/test_file_serving.py -v`
  - Done when: Cookie upload scoped to session, files served at predictable URLs, unsupported URLs logged
 - [x] **T04: Admin API endpoints (sessions, storage, config)** `est:30m`
  - Why: Admin panel needs data to display — session list, storage usage, live config.
  - Files: `backend/app/routers/admin.py`, `backend/app/core/database.py`, `backend/tests/test_admin_api.py`
  - Do: `GET /api/admin/sessions` — list all sessions with job counts, last_seen. `GET /api/admin/storage` — disk usage of output_dir (total, used, free), job count by status. `GET /api/admin/unsupported-urls` — paginated list from unsupported_urls table. All require admin auth. Write tests.
  - Verify: `cd backend && .venv/Scripts/python -m pytest tests/test_admin_api.py -v`
  - Done when: All admin data endpoints return correct data behind auth
 - [x] **T05: Admin frontend panel** `est:1h`
  - Why: Operators need a UI, not raw API calls. Closes the admin UX loop.
  - Files: `frontend/src/components/AdminPanel.vue`, `frontend/src/components/AdminLogin.vue`, `frontend/src/stores/admin.ts`, `frontend/src/App.vue`
  - Do: Add vue-router with routes: `/` (main app), `/admin` (admin panel). AdminLogin.vue: username/password form, stores credentials for Basic auth header. AdminPanel.vue: tabbed view with Sessions, Storage, Purge, Unsupported URLs sections. Wire admin store for API calls with Basic auth. Add nav link to admin panel (visible only when admin.enabled in public config). Write vitest tests for admin store.
  - Verify: `cd frontend && npm run build && npx vitest run`
  - Done when: Admin panel accessible at /admin with login, shows sessions/storage/purge
 ## Files Likely Touched
 - `backend/app/dependencies.py` — require_admin
 - `backend/app/services/purge.py` — new
 - `backend/app/routers/admin.py` — new
 - `backend/app/routers/cookies.py` — new
 - `backend/app/routers/files.py` — new
 - `backend/app/core/database.py` — unsupported URL CRUD, session list with counts
 - `backend/app/main.py` — APScheduler, new routers, TLS warning
 - `backend/tests/test_admin_auth.py` — new
 - `backend/tests/test_purge.py` — new
 - `backend/tests/test_cookies.py` — new
 - `backend/tests/test_file_serving.py` — new
 - `backend/tests/test_admin_api.py` — new
 - `frontend/src/stores/admin.ts` — new
 - `frontend/src/components/AdminPanel.vue` — new
 - `frontend/src/components/AdminLogin.vue` — new
 - `frontend/src/App.vue` — add router
 - `frontend/package.json` — add vue-router
--- a/.gsd/milestones/M001/slices/S04/S04-SUMMARY.md
+++ b/.gsd/milestones/M001/slices/S04/S04-SUMMARY.md
@ -1,87 +0,0 @@
 ---
 id: S04
 milestone: M001
 status: complete
 tasks_completed: 5
 tasks_total: 5
 test_count_backend: 164
 test_count_frontend: 21
 started_at: 2026-03-18
 completed_at: 2026-03-18
 ---
 # S04: Admin, Auth + Supporting Features — Summary
 **Delivered admin authentication (HTTPBasic + bcrypt), purge system with APScheduler, cookie auth upload, file serving for link sharing, unsupported URL logging, and an admin frontend panel with vue-router. 164 backend tests + 21 frontend tests pass.**
 ## What Was Built
 ### Admin Auth (T01)
 - `require_admin` dependency: HTTPBasic + bcrypt with `secrets.compare_digest` for timing-safe username check
 - Admin disabled → 404 (not silently open)
 - TLS warning logged at startup when admin enabled
 - 5 auth tests: no creds → 401, wrong password → 401, wrong user → 401, correct → 200, disabled → 404
 ### Purge Service (T02)
 - `PurgeService.run_purge()`: queries terminal jobs older than TTL, deletes files + DB rows
 - Active job protection: never purges queued/downloading/extracting
 - Handles already-deleted files gracefully
 - APScheduler `AsyncIOScheduler` with `CronTrigger.from_crontab()` in lifespan
 - Manual trigger via `POST /api/admin/purge`
 - 6 purge tests covering TTL, active protection, file deletion, missing files
 ### Cookie Auth + File Serving (T03)
 - `POST /api/cookies`: uploads Netscape cookies.txt per-session, CRLF → LF normalization
 - `DELETE /api/cookies`: removes cookie file
 - `GET /api/downloads/{filename}`: serves completed files with path traversal prevention
 - 7 tests: upload, CRLF normalization, delete, missing delete, file serving, 404, path traversal
 ### Admin API (T04)
 - `GET /api/admin/sessions`: session list with job counts
 - `GET /api/admin/storage`: disk usage + jobs by status
 - `GET /api/admin/unsupported-urls`: paginated extraction failure log
 - `POST /api/admin/purge`: manual purge trigger
 - All endpoints require admin auth
 ### Admin Frontend (T05)
 - vue-router: `/` (MainView), `/admin` (AdminPanel)
 - AdminLogin.vue: username/password form with Basic auth
 - AdminPanel.vue: tabbed view (Sessions, Storage, Purge) with data tables
 - Admin store: login/logout, session/storage loading, purge trigger
 - Route-based code splitting: AdminPanel lazy-loaded
 ## Requirements Addressed
 | Req | Description | Status |
 |-----|------------|--------|
 | R008 | Cookie auth per-session | Proven — upload/delete with CRLF normalization |
 | R009 | Purge system | Proven — scheduled + manual, active protection |
 | R014 | Admin panel with secure auth | Proven — HTTPBasic + bcrypt, security headers |
 | R015 | Unsupported URL reporting | Proven — logged to DB, admin can list |
 | R018 | Link sharing (file serving) | Proven — completed files served at predictable URLs |
 ## Verification
 - `pytest tests/ -v` — 164/164 passed
 - `npm run build` — clean build with code splitting
 - `vue-tsc --noEmit` — zero type errors
 - `vitest run` — 21/21 frontend tests pass
 ## Files Created/Modified
 - `backend/app/dependencies.py` — require_admin with HTTPBasic + bcrypt
 - `backend/app/routers/admin.py` — admin API endpoints
 - `backend/app/routers/cookies.py` — cookie upload/delete
 - `backend/app/routers/files.py` — file serving with path traversal prevention
 - `backend/app/services/purge.py` — purge service
 - `backend/app/main.py` — APScheduler, TLS warning, new routers
 - `backend/tests/test_admin.py` — 8 admin auth + API tests
 - `backend/tests/test_purge.py` — 6 purge tests
 - `backend/tests/test_file_serving.py` — 7 cookie + file serving tests
 - `frontend/src/router.ts` — vue-router setup
 - `frontend/src/stores/admin.ts` — admin Pinia store
 - `frontend/src/components/AdminLogin.vue` — login form
 - `frontend/src/components/AdminPanel.vue` — tabbed admin panel
 - `frontend/src/components/MainView.vue` — extracted main view
 - `frontend/src/App.vue` — router integration + nav links
 - `frontend/src/main.ts` — router plugin
--- a/.gsd/milestones/M001/slices/S05/S05-PLAN.md
+++ b/.gsd/milestones/M001/slices/S05/S05-PLAN.md
@ -1,82 +0,0 @@
 # S05: Theme System
 **Goal:** Establish the CSS variable contract as a stable public API, deliver 3 built-in themes (cyberpunk default, dark, light), add a theme picker to the UI, and enable drop-in custom themes via volume mount with backend scanning + manifest API.
 **Demo:** Change theme in the picker → all colors/fonts/effects update instantly. Drop a custom theme folder into /themes → restart → appears in picker → applies correctly. Built-in themes are heavily commented as documentation for custom theme authors.
 ## Must-Haves
 - CSS variable contract documented in base.css with all tokens components reference
 - Cyberpunk theme: #00a8ff/#ff6b2b accent, JetBrains Mono, scanline overlay, grid background
 - Dark theme: clean neutral palette, no effects
 - Light theme: inverted for daylight use
 - Theme picker in header that persists selection in localStorage
 - Backend theme loader: scans /themes volume, serves manifest + CSS
 - Custom theme pack structure: theme.css + metadata.json + optional preview.png
 - Built-in themes heavily commented for custom theme authors
 ## Proof Level
 - This slice proves: integration (theme switching end-to-end, custom theme loading)
 - Real runtime required: yes (visual verification)
 - Human/UAT required: yes (theme visual quality)
 ## Verification
 - `cd frontend && npx vitest run` — theme store tests pass
 - `cd backend && .venv/Scripts/python -m pytest tests/test_themes.py -v` — theme loader tests pass
 - `cd frontend && npx vue-tsc --noEmit && npm run build` — clean build
 - Browser verify: switch between all 3 themes, confirm visual changes
 - Browser verify: cyberpunk has scanline/grid effects
 ## Tasks
 - [x] **T01: CSS variable contract + cyberpunk theme** `est:45m`
  - Why: Establishes the stable public API for all themes. Cyberpunk is the default and flagship.
  - Files: `frontend/src/assets/base.css`, `frontend/src/themes/cyberpunk.css`
  - Do: Expand base.css with full token set (colors, typography, spacing, borders, shadows, effects, layout). Create cyberpunk.css with scanline/grid overlays, JetBrains Mono import, orange+blue accent palette. Document every token group with comments explaining what each controls. Add CSS class application mechanism (`data-theme` on html element).
  - Verify: Build passes, tokens documented
  - Done when: base.css is the complete variable contract, cyberpunk.css overrides all tokens
 - [x] **T02: Dark + light themes** `est:20m`
  - Why: Two clean alternatives to cyberpunk. Proves the variable contract works for different palettes.
  - Files: `frontend/src/themes/dark.css`, `frontend/src/themes/light.css`
  - Do: Dark theme: neutral grays, no effects, same font stack. Light theme: inverted bg/text, soft shadows, muted accent. Both heavily commented.
  - Verify: Build passes
  - Done when: Both themes define all contract tokens
 - [x] **T03: Theme store + picker component** `est:30m`
  - Why: Users need to switch themes. Picker persists selection across sessions.
  - Files: `frontend/src/stores/theme.ts`, `frontend/src/components/ThemePicker.vue`, `frontend/src/App.vue`
  - Do: Pinia store: loads from localStorage, sets `data-theme` attribute on `<html>`, lists available themes. ThemePicker: dropdown/button group in header. Import all 3 built-in CSS files. Write vitest tests for theme store.
  - Verify: `npx vitest run` — theme store tests pass
  - Done when: Theme switches apply instantly, selection persists across page reload
 - [x] **T04: Backend theme loader + API** `est:30m`
  - Why: Custom themes need to be discovered from /themes volume and served to the frontend.
  - Files: `backend/app/services/theme_loader.py`, `backend/app/routers/themes.py`, `backend/app/main.py`
  - Do: ThemeLoader: scans a directory for theme packs (theme.css + metadata.json). Router: GET /api/themes returns manifest, GET /api/themes/{name}/theme.css serves CSS. Register in main.py. Write pytest tests.
  - Verify: `pytest tests/test_themes.py -v` — passes
  - Done when: Custom theme folders are discovered and served via API
 - [x] **T05: Integration + visual verification** `est:20m`
  - Why: End-to-end proof that theme switching works with real UI, including custom theme loading.
  - Files: `frontend/src/stores/theme.ts`, `frontend/src/App.vue`
  - Do: Connect theme store to backend manifest for custom themes. Verify all 3 built-in themes in browser. Verify cyberpunk effects (scanlines, grid). Full regression: all tests pass.
  - Verify: Browser visual check, `pytest tests/ -v`, `npx vitest run`, `npm run build`
  - Done when: All 3 themes render correctly in browser, build clean, all tests pass
 ## Files Likely Touched
 - `frontend/src/assets/base.css`
 - `frontend/src/themes/cyberpunk.css`
 - `frontend/src/themes/dark.css`
 - `frontend/src/themes/light.css`
 - `frontend/src/stores/theme.ts`
 - `frontend/src/components/ThemePicker.vue`
 - `frontend/src/components/AppHeader.vue`
 - `frontend/src/App.vue`
 - `backend/app/services/theme_loader.py`
 - `backend/app/routers/themes.py`
 - `backend/app/main.py`
 - `backend/tests/test_themes.py`
 - `frontend/src/tests/stores/theme.test.ts`
--- a/.gsd/milestones/M001/slices/S05/S05-SUMMARY.md
+++ b/.gsd/milestones/M001/slices/S05/S05-SUMMARY.md
@ -1,89 +0,0 @@
 ---
 id: S05
 milestone: M001
 status: complete
 tasks_completed: 5
 tasks_total: 5
 test_count_backend: 182
 test_count_frontend: 29
 started_at: 2026-03-18
 completed_at: 2026-03-18
 ---
 # S05: Theme System — Summary
 **Delivered the CSS variable contract as a stable public API, 3 built-in themes (cyberpunk, dark, light), a theme picker in the header, and a backend custom theme loader with API. 182 backend tests + 29 frontend tests pass.**
 ## What Was Built
 ### CSS Variable Contract (T01)
 - `base.css` expanded to 50+ documented tokens across 12 categories
 - Token groups: background/surface, text, accent, status, typography, font sizes, spacing, radius, shadows, effects, layout, transitions
 - Deprecated aliases for S03 compat (`--header-height` → `--layout-header-height`)
 - Body `::before`/`::after` pseudo-elements for scanline + grid overlays (controlled by `--effect-*` tokens)
 - Full header documentation block explaining custom theme creation
 ### Cyberpunk Theme (T01)
 - Flagship theme: #00a8ff electric blue + #ff6b2b molten orange
 - JetBrains Mono for `--font-display`
 - Scanline overlay (CRT effect), grid background, glow on focus
 - Heavily commented as documentation for custom theme authors
 ### Dark Theme (T02)
 - Neutral grays (#121212 base), purple accent (#a78bfa)
 - All effects disabled (`--effect-scanlines: none`, etc.)
 - System font stack throughout
 ### Light Theme (T02)
 - Inverted palette (#f5f5f7 bg, #1a1a2e text)
 - Blue accent (#2563eb) for light-background contrast
 - Soft shadows, no effects
 ### Theme Store + Picker (T03)
 - Pinia store: `init()` reads localStorage, `setTheme()` applies `data-theme` attribute
 - Default: cyberpunk. Persists selection via `mrip-theme` localStorage key
 - `loadCustomThemes()` fetches backend manifest for drop-in themes
 - Custom CSS injection via dynamic `<style>` elements
 - ThemePicker component: preview dots with theme accent colors, mobile-responsive
 - 8 vitest tests covering init, save, restore, invalid fallback, unknown theme rejection
 ### Backend Theme Loader + API (T04)
 - `scan_themes()`: discovers theme packs (metadata.json + theme.css) from directory
 - `get_theme_css()`: reads CSS with path traversal protection
 - Handles: missing metadata, missing CSS, invalid JSON, preview.png detection
 - API: `GET /api/themes` (manifest), `GET /api/themes/{id}/theme.css` (CSS)
 - `themes_dir` config field (default: `./themes`)
 - 18 tests: 9 scanner, 3 CSS retrieval, 6 API endpoint tests
 ## Requirements Addressed
 | Req | Description | Status |
 |-----|------------|--------|
 | R010 | Three built-in themes | Proven — cyberpunk, dark, light all define full token set |
 | R011 | Drop-in custom theme system | Proven — scanner + API + frontend loader chain works |
 | R012 | CSS variable contract | Proven — 50+ tokens documented in base.css as stable API |
 ## Verification
 - `pytest tests/ -v` — 182/182 passed (18 new)
 - `npx vitest run` — 29/29 passed (8 new)
 - `vue-tsc --noEmit` — zero type errors
 - `npm run build` — clean with code splitting
 ## Files Created/Modified
 - `frontend/src/assets/base.css` — full variable contract (complete rewrite)
 - `frontend/src/themes/cyberpunk.css` — cyberpunk theme
 - `frontend/src/themes/dark.css` — dark theme
 - `frontend/src/themes/light.css` — light theme
 - `frontend/src/stores/theme.ts` — theme Pinia store
 - `frontend/src/components/ThemePicker.vue` — theme picker
 - `frontend/src/components/AppHeader.vue` — added ThemePicker + --font-display
 - `frontend/src/App.vue` — theme imports + init
 - `frontend/src/tests/stores/theme.test.ts` — 8 theme store tests
 - `backend/app/core/config.py` — added themes_dir field
 - `backend/app/services/theme_loader.py` — theme scanner
 - `backend/app/routers/themes.py` — theme API
 - `backend/app/main.py` — registered themes router
 - `backend/tests/test_themes.py` — 18 theme tests
 - `backend/tests/conftest.py` — registered themes router
--- a/.gsd/milestones/M001/slices/S06/S06-PLAN.md
+++ b/.gsd/milestones/M001/slices/S06/S06-PLAN.md
@ -1,75 +0,0 @@
 # S06: Docker + CI/CD
 **Goal:** Package the complete application into a production Docker image, create docker-compose configs for zero-config and secure deployment, and set up GitHub Actions CI/CD for lint/test on PR and build/push on tag.
 **Demo:** `docker compose up` → app works at :8080 with zero config. Tag v0.1.0 → GitHub Actions builds multi-arch image → pushes to GHCR. PR triggers lint + test.
 ## Must-Haves
 - Multi-stage Dockerfile: build frontend, install backend deps, minimal runtime image
 - docker-compose.yml for zero-config startup
 - docker-compose.example.yml with reverse proxy (Caddy) for TLS
 - GitHub Actions: CI workflow (PR: lint + test), Release workflow (tag: build + push)
 - Multi-arch support: amd64 + arm64
 - Health check in Docker and compose
 - Zero outbound telemetry verification
 ## Proof Level
 - This slice proves: operational + final-assembly
 - Real runtime required: yes (Docker build + run)
 - Human/UAT required: yes (verify full flow in container)
 ## Verification
 - `docker build -t media-rip .` — image builds successfully
 - `docker compose up -d && curl localhost:8080/api/health` — returns healthy
 - GitHub Actions workflow files pass `actionlint` (if available)
 - Zero telemetry: container makes no outbound requests
 ## Tasks
 - [x] **T01: Dockerfile + .dockerignore** `est:30m`
  - Why: The core deliverable — package everything into a production image.
  - Files: `Dockerfile`, `.dockerignore`
  - Do: Multi-stage build: (1) Node stage builds frontend, (2) Python stage installs backend deps, (3) Runtime stage copies built assets + installed packages. Use python:3.12-slim as base. Install yt-dlp + ffmpeg. Configure uvicorn entrypoint. Add HEALTHCHECK instruction.
  - Verify: `docker build -t media-rip .` succeeds
  - Done when: Image builds, contains frontend dist + backend + yt-dlp + ffmpeg
 - [x] **T02: Docker Compose configs** `est:20m`
  - Why: Zero-config startup and secure deployment example.
  - Files: `docker-compose.yml`, `docker-compose.example.yml`
  - Do: Basic compose: single service, port 8080, /downloads and /themes volumes. Example compose: add Caddy sidecar with auto-TLS, admin enabled. Add .env.example with documented variables.
  - Verify: Compose file valid (docker compose config)
  - Done when: Both compose files parse correctly, volumes and ports mapped
 - [x] **T03: GitHub Actions CI workflow** `est:20m`
  - Why: Automated quality gates on every PR.
  - Files: `.github/workflows/ci.yml`
  - Do: Trigger on PR to main. Jobs: backend lint (ruff) + test (pytest), frontend lint (vue-tsc) + test (vitest) + build. Use matrix for parallel execution. Cache pip and npm.
  - Verify: Workflow YAML is valid
  - Done when: CI workflow covers lint + test + build for both stacks
 - [x] **T04: GitHub Actions Release workflow** `est:20m`
  - Why: Tag-triggered build and push to container registries.
  - Files: `.github/workflows/release.yml`
  - Do: Trigger on tag v*. Build multi-arch (amd64, arm64) via docker buildx. Push to GHCR. Create GitHub Release with auto-generated notes. Cache Docker layers.
  - Verify: Workflow YAML is valid
  - Done when: Release workflow builds and pushes on tag
 - [x] **T05: Final integration + docs** `est:20m`
  - Why: Verify everything works end-to-end and document for operators.
  - Files: `README.md`
  - Do: Write README with quickstart, configuration, theme customization, admin setup, deployment. Verify Docker build. Run full test suites one final time.
  - Verify: All tests pass, Docker builds, README is complete
  - Done when: Project is ship-ready with documentation
 ## Files Likely Touched
 - `Dockerfile`
 - `.dockerignore`
 - `docker-compose.yml`
 - `docker-compose.example.yml`
 - `.env.example`
 - `.github/workflows/ci.yml`
 - `.github/workflows/release.yml`
 - `README.md`
--- a/.gsd/milestones/M001/slices/S06/S06-SUMMARY.md
+++ b/.gsd/milestones/M001/slices/S06/S06-SUMMARY.md
@ -1,65 +0,0 @@
 ---
 id: S06
 milestone: M001
 status: complete
 tasks_completed: 5
 tasks_total: 5
 test_count_backend: 182
 test_count_frontend: 29
 started_at: 2026-03-18
 completed_at: 2026-03-18
 ---
 # S06: Docker + CI/CD — Summary
 **Delivered production Docker image, zero-config and secure compose configs, CI/CD GitHub Actions, SPA static serving, and full README documentation. 211 total tests pass across backend and frontend.**
 ## What Was Built
 ### Dockerfile (T01)
 - Multi-stage build: Node 20 (frontend build) → Python 3.12 (pip install) → python:3.12-slim (runtime)
 - Runtime includes: ffmpeg, curl, yt-dlp (latest stable)
 - HEALTHCHECK instruction using `/api/health`
 - OCI labels for image metadata
 - Volumes: /downloads, /themes, /data
 - Environment defaults for all config via MEDIARIP__ prefix
 ### Docker Compose (T02)
 - `docker-compose.yml`: zero-config, single service, port 8080:8000
 - `docker-compose.example.yml`: Caddy sidecar with auto-TLS for production
 - `Caddyfile`: simple reverse proxy config
 - `.env.example`: documented environment variables
 ### CI Workflow (T03)
 - Triggers on PR and push to main/master
 - Parallel jobs: backend (ruff lint + pytest), frontend (vue-tsc + vitest + build)
 - Docker smoke test: build image, run, curl health endpoint
 - pip + npm caching for fast CI
 ### Release Workflow (T04)
 - Triggers on v* tags
 - Multi-arch build: linux/amd64 + linux/arm64 via buildx + QEMU
 - Pushes to GHCR with semver tags (v1.0.0, v1.0, v1, latest)
 - Creates GitHub Release with auto-generated notes
 - Docker layer caching via GitHub Actions cache
 ### README + Integration (T05)
 - Quickstart, configuration table, session modes, custom theme guide
 - Secure deployment instructions with Caddy
 - API endpoint reference table
 - Development setup for both stacks
 - SPA catch-all route in FastAPI for client-side routing
 - `requirements.txt` with pinned production dependencies
 ## Files Created
 - `Dockerfile` — multi-stage production build
 - `.dockerignore` — excludes dev files from build context
 - `docker-compose.yml` — zero-config compose
 - `docker-compose.example.yml` — secure deployment with Caddy
 - `Caddyfile` — reverse proxy config
 - `.env.example` — documented env vars
 - `.github/workflows/ci.yml` — CI pipeline
 - `.github/workflows/release.yml` — release pipeline
 - `README.md` — full documentation
 - `backend/requirements.txt` — pinned Python deps
--- a/.gsd/milestones/M002/M002-ROADMAP.md
+++ b/.gsd/milestones/M002/M002-ROADMAP.md
@ -1,89 +0,0 @@
 # M002: UI/UX Polish — Ship-Ready Frontend
 **Vision:** Transform the functional-but-rough v1 frontend into a polished, intuitive experience. Fix functional bugs, rework the download flow, redesign the queue display, and clean up navigation so the app feels intentional rather than assembled.
 ## Success Criteria
 - User can paste a URL and download with one click (best quality auto-selected)
 - Completed downloads show download/copy-link/clear actions as intuitive glyphs
 - Cancel button on active downloads actually cancels
 - Download queue displays as a styled table with sorting by ETA, %, name, status
 - Welcome message is visible above the URL input and configurable by admin
 - Theme toggle is a sun/moon icon (light/dark mode), not a 3-option picker
 - Admin panel is only accessible at `/admin` — no link from main app
 - Footer shows app version, yt-dlp version, and GitHub link
 - Mobile view remains functional after desktop changes
 ## Key Risks / Unknowns
 - Cancel bug root cause — could be event propagation, could be deeper API issue
 - Table-style queue on mobile — may need a different layout strategy below 768px
 - Theme light/dark variant architecture — each theme needs a light mode modifier
 ## Proof Strategy
 - Cancel bug → retire in S01 by verifying network request fires and download stops
 - Table mobile layout → retire in S03 by visual verification on mobile viewport
 ## Verification Classes
 - Contract verification: frontend tests (vitest), backend tests (pytest) for any API changes
 - Integration verification: live browser verification of all changed UI flows
 - Operational verification: none (no backend architecture changes)
 - UAT / human verification: walkthrough with user after S03
 ## Milestone Definition of Done
 This milestone is complete only when all are true:
 - All UI changes are implemented and visually verified in browser
 - Cancel downloads works end-to-end
 - Download flow (paste → download → completed → download file) works
 - Mobile view is functional
 - Frontend tests pass
 - Backend tests pass (no regressions)
 - User walkthrough confirms satisfaction
 ## Requirement Coverage
 - Covers: R005 (queue view), R013 (mobile responsive), R018 (link sharing)
 - Partially covers: R010 (themes — light/dark toggle rework), R014 (admin panel — welcome message config)
 - Leaves for later: R017 (session export/import UI), R011 (custom theme system — admin theme picker)
 - Orphan risks: none
 ## Slices
 - [x] **S01: Bug Fixes + Header/Footer Rework** `risk:high` `depends:[]`
  > After this: Cancel button works, header has no tabs, footer shows version info, welcome message block is visible with default text, theme is sun/moon toggle
 - [x] **S02: Download Flow + Queue Redesign** `risk:medium` `depends:[S01]`
  > After this: Single "Download" button with optional format picker, audio/video toggle, queue displays as styled table with sorting, completed items show download/copy/clear glyphs
 - [x] **S03: Mobile + Integration Polish** `risk:low` `depends:[S02]`
  > After this: Mobile layout works with new table design, admin welcome message editor functional, all flows verified end-to-end
 ## Boundary Map
 ### S01 → S02
 Produces:
 - Simplified header component (no tabs, sun/moon toggle)
 - Footer component with version data from `/api/health`
 - Welcome message block component reading from `/api/config/public` 
 - Working cancel endpoint (DELETE `/api/downloads/{id}` verified)
 - `--color-bg-light` / `--color-text-light` CSS variable pattern for light mode
 Consumes:
 - nothing (first slice)
 ### S02 → S03
 Produces:
 - Refactored UrlInput with "Download" primary action + collapsible format picker
 - Audio/video toggle component
 - Table-based DownloadQueue with sortable columns
 - Action glyph components (download, copy-link, clear)
 Consumes:
 - S01 header/footer/welcome components stable
 - S01 cancel bug fixed
--- a/.gsd/milestones/M002/slices/S01/S01-PLAN.md
+++ b/.gsd/milestones/M002/slices/S01/S01-PLAN.md
@ -1,76 +0,0 @@
 # S01: Bug Fixes + Header/Footer Rework
 **Goal:** Fix the cancel download bug, rework the header (remove tabs, add welcome message, simplify theme toggle to sun/moon), add version footer, and hide the SSE status dot in production.
 **Demo:** User sees a clean header with logo + sun/moon toggle, welcome message block above URL input, version footer at bottom. Cancel button on active downloads fires the DELETE request and removes the item.
 ## Must-Haves
 - Cancel button on active downloads actually cancels (fires DELETE request, item removed)
 - Header has no DOWNLOADS/ADMIN tabs
 - Sun/moon toggle replaces 3-theme picker (switches current theme between its dark and light variant)
 - Welcome message block above URL input with sensible default text
 - Footer shows app version, yt-dlp version, GitHub link (pipe-delimited)
 - SSE green dot hidden (dev-mode only)
 - Admin panel still accessible at `/admin` but no nav link from main app
 ## Verification
 - `cd frontend && npx vitest run` — all tests pass (update theme tests for new toggle behavior)
 - `cd backend && python -m pytest tests/ -q -m "not integration"` — no regressions
 - Browser: cancel button on active download fires network request and item disappears
 - Browser: header shows logo + sun/moon toggle, no tabs, no green dot
 - Browser: welcome message visible above URL input
 - Browser: footer visible with version info
 - Browser: `/admin` still loads the login form
 ## Tasks
 - [x] **T01: Fix cancel download bug** `est:30m`
  - Why: Cancel button clicks don't fire a network request — functional blocker
  - Files: `frontend/src/components/DownloadItem.vue`, `frontend/src/components/DownloadQueue.vue`
  - Do: Investigate why the cancel button click doesn't reach the handler. Check for event propagation issues in the grid layout, z-index conflicts, or pointer-events CSS. Verify the DELETE endpoint works via curl. Fix the event wiring. Add `@click.stop` if needed.
  - Verify: Start a download, click cancel, confirm DELETE request in network tab, item disappears from queue
  - Done when: Cancel button reliably cancels active downloads
 - [x] **T02: Rework header — remove tabs, simplify theme toggle** `est:45m`
  - Why: DOWNLOADS/ADMIN tabs are unnecessary (admin moves to URL-only access). Theme picker needs to be a simple sun/moon toggle instead of 3 radio buttons.
  - Files: `frontend/src/components/AppHeader.vue`, `frontend/src/components/ThemePicker.vue`, `frontend/src/stores/theme.ts`, `frontend/src/components/AppLayout.vue`, `frontend/src/App.vue`, `frontend/src/router.ts`
  - Do: Remove the nav tab bar from AppLayout/MainView. Replace ThemePicker with a DarkModeToggle component — a sun/moon icon button that toggles between the current theme's dark and light variants. For cyberpunk, "light" mode uses the light theme CSS. Remove the SSE status dot from the header (or gate behind a `DEV` flag). Keep `/admin` route in router but remove any nav link to it. Update theme store: `toggleDarkMode()` method that swaps between `cyberpunk`↔`light` (or `dark`↔`light`).
  - Verify: Header shows only logo + sun/moon toggle. Clicking toggle switches between dark/light appearance. No tabs visible. Green dot hidden.
  - Done when: Header is clean with logo left, sun/moon toggle right, nothing else
 - [x] **T03: Add welcome message block** `est:30m`
  - Why: Users need context about what the app does when they first land
  - Files: `frontend/src/components/WelcomeMessage.vue` (new), `frontend/src/components/MainView.vue`, `backend/app/routers/system.py`
  - Do: Create WelcomeMessage component that displays a styled text block above the URL input. Default text: "Paste any video or audio URL. We rip it, you download it. No accounts, no tracking." Make it read from the public config endpoint. Add `welcome_message` field to the public config response (with default value). Style it to integrate cleanly — not a banner, but a subtle informational block with proper typography.
  - Verify: Welcome message visible above URL input on page load. Text matches default or config override.
  - Done when: Welcome message block renders with default text, reads from config
 - [x] **T04: Add version footer** `est:20m`
  - Why: Users/operators want to see app version, yt-dlp version, and find the GitHub repo
  - Files: `frontend/src/components/AppFooter.vue` (new), `frontend/src/App.vue`
  - Do: Create AppFooter component. Fetch version data from `/api/health` on mount. Display: `media.rip() v0.1.0 | yt-dlp 2026.03.17 | GitHub`. GitHub links to repo. Pipe-delimited, centered, subtle typography matching the theme. Place it at the bottom of the page (not fixed — scrolls with content).
  - Verify: Footer visible at bottom of page with correct version numbers. GitHub link works.
  - Done when: Footer renders with live version data from health endpoint
 - [x] **T05: Update tests and verify** `est:20m`
  - Why: Theme store tests need updating for the new toggle behavior. Ensure no regressions.
  - Files: `frontend/src/tests/stores/theme.test.ts`, `frontend/src/tests/stores/downloads.test.ts`
  - Do: Update theme store tests to reflect new `toggleDarkMode()` method. Remove tests for 3-theme picker behavior. Add test for dark/light toggle. Run full test suites for both frontend and backend.
  - Verify: `npx vitest run` all pass, `python -m pytest tests/ -q -m "not integration"` all pass
  - Done when: All tests green, no regressions
 ## Files Likely Touched
 - `frontend/src/components/AppHeader.vue`
 - `frontend/src/components/ThemePicker.vue` (replaced by DarkModeToggle)
 - `frontend/src/components/DarkModeToggle.vue` (new)
 - `frontend/src/components/WelcomeMessage.vue` (new)
 - `frontend/src/components/AppFooter.vue` (new)
 - `frontend/src/components/AppLayout.vue`
 - `frontend/src/components/MainView.vue`
 - `frontend/src/App.vue`
 - `frontend/src/stores/theme.ts`
 - `frontend/src/tests/stores/theme.test.ts`
 - `backend/app/routers/system.py`
 - `backend/app/core/config.py`
--- a/.gsd/milestones/M002/slices/S02/S02-PLAN.md
+++ b/.gsd/milestones/M002/slices/S02/S02-PLAN.md
@ -1,68 +0,0 @@
 # S02: Download Flow + Queue Redesign
 **Goal:** Simplify the download flow to a single "Download" button (with optional format picker), add an audio/video quick-toggle, convert the queue from cards to a sortable table, and add action glyphs (download file, copy link, clear) for completed items.
 **Demo:** User pastes URL → clicks "Download" → item appears in the table queue → completes → user clicks download icon to save file or copy icon to copy the download link. Table columns are sortable by status, name, progress, ETA.
 ## Must-Haves
 - "Download" is the primary button (not "Get Formats") — one-click download with best quality
 - Optional format picker accessible via a secondary "⚙ Options" toggle
 - Audio/video quick-toggle (video default) that sets appropriate format flags
 - Queue rendered as a styled table with columns: Name, Status, Progress, Speed, ETA, Actions
 - Table headers are clickable to sort (ascending/descending)
 - Completed items show download (⬇), copy-link (🔗), clear (✕) action icons
 - Active items show cancel (✕) icon
 - Failed items show error message and clear (✕) icon
 - Mobile: table degrades gracefully (horizontal scroll or card fallback below 640px)
 ## Verification
 - `cd frontend && npx vitest run` — all tests pass
 - `cd backend && source .venv/Scripts/activate && python -m pytest tests/ -q -m "not integration"` — no regressions
 - Browser: paste URL → click Download → job appears in table → progresses → completes
 - Browser: click download icon on completed item → file downloads
 - Browser: click copy-link icon → link copied (or tooltip confirms)
 - Browser: sort table by each column header
 - Browser: mobile viewport shows readable queue
 ## Tasks
 - [x] **T01: Rework UrlInput — Download-first flow with collapsible options** `est:45m`
  - Why: Current flow forces "Get Formats" before downloading. Most users just want to paste and go.
  - Files: `frontend/src/components/UrlInput.vue`
  - Do: Make "Download" the primary action button. Add a "⚙" toggle button that expands/collapses the format picker section below. Add audio/video toggle pills (Video | Audio) that set a `mediaType` ref. When `mediaType` is "audio", pass `quality: "bestaudio"` to the submit payload. When format picker is open and user selects a format, use that instead. Keep the paste-to-auto-extract behavior but make it extract silently in the background (populate formats without showing picker). "Download" works immediately with or without format selection.
  - Verify: Paste URL → click Download → job starts without format selection. Toggle audio → Download → job starts with audio quality. Click ⚙ → format picker opens → select format → Download.
  - Done when: Download is the primary one-click action, format picker is optional
 - [x] **T02: Convert queue to sortable table** `est:60m`
  - Why: Card-based queue doesn't scan well with many items. Table with sorting is standard for download managers.
  - Files: `frontend/src/components/DownloadQueue.vue`, `frontend/src/components/DownloadTable.vue` (new), `frontend/src/components/DownloadItem.vue` (remove or repurpose)
  - Do: Create DownloadTable component with `<table>` markup. Columns: Name (truncated, title=full URL), Status (badge), Progress (inline bar), Speed, ETA, Actions. Add a `sortBy` ref and `sortDir` ref. Clicking a column header toggles sort. Computed `sortedJobs` applies sort. Keep the filter buttons (All/Active/Completed/Failed) above the table. Style the table with theme CSS variables. On mobile (< 640px), hide Speed and ETA columns, or use a responsive approach.
  - Verify: Jobs render as table rows. Click column headers to sort. Filter buttons still work. Mobile view is usable.
  - Done when: Queue is a sortable table with all columns rendering correctly
 - [x] **T03: Action glyphs for completed/active/failed items** `est:30m`
  - Why: Users need to download completed files, copy links, and clear items from the queue.
  - Files: `frontend/src/components/DownloadTable.vue`, `frontend/src/stores/downloads.ts`, `frontend/src/api/client.ts`
  - Do: Add action icons in the Actions column. Completed: download file (anchor to `/api/downloads/{filename}`), copy download link (clipboard API), clear from queue (DELETE + remove from store). Active: cancel (existing logic). Failed: clear from queue. Style icons as small inline buttons with hover effects. Add `clearJob(id)` to downloads store that calls DELETE and removes locally.
  - Verify: Click download icon on completed item → browser downloads file. Click copy icon → link in clipboard. Click clear → item removed. Click cancel on active → cancelled.
  - Done when: All action icons work for each status type
 - [x] **T04: Update tests** `est:20m`
  - Why: New components and store changes need test coverage. Old DownloadItem tests may need removal/update.
  - Files: `frontend/src/tests/stores/downloads.test.ts`, `frontend/src/tests/components/` (if any)
  - Do: Add tests for the new sort logic (sortBy, sortDir). Test clearJob action in downloads store. Verify existing download store tests still pass. Run full frontend and backend test suites.
  - Verify: `npx vitest run` all pass, `python -m pytest tests/ -q -m "not integration"` all pass
  - Done when: All tests green, no regressions
 ## Files Likely Touched
 - `frontend/src/components/UrlInput.vue` (reworked)
 - `frontend/src/components/DownloadQueue.vue` (reworked to use table)
 - `frontend/src/components/DownloadTable.vue` (new)
 - `frontend/src/components/DownloadItem.vue` (may be removed — logic moves to table rows)
 - `frontend/src/components/FormatPicker.vue` (minor — toggled visibility)
 - `frontend/src/components/ProgressBar.vue` (minor — may need inline variant)
 - `frontend/src/stores/downloads.ts` (add clearJob, sort helpers)
 - `frontend/src/api/client.ts` (no changes expected — DELETE already exists)
 - `frontend/src/api/types.ts` (no changes expected)
--- a/.gsd/milestones/M002/slices/S03/S03-PLAN.md
+++ b/.gsd/milestones/M002/slices/S03/S03-PLAN.md
@ -1,52 +0,0 @@
 # S03: Mobile + Integration Polish
 **Goal:** Ensure mobile view works cleanly with the new table-based queue, add a welcome message editor in the admin panel, and verify all flows end-to-end.
 **Demo:** Mobile user can submit downloads and view the queue table. Admin can edit the welcome message text from the admin panel Settings tab. All navigation flows work.
 ## Must-Haves
 - Mobile queue table is usable (tested at 390px viewport)
 - Admin panel has a "Settings" tab with welcome message text editor
 - Admin settings tab saves welcome_message via backend API
 - All end-to-end flows verified in browser (desktop + mobile)
 - No test regressions
 ## Verification
 - `cd frontend && npx vitest run` — all tests pass
 - `cd backend && source .venv/Scripts/activate && python -m pytest tests/ -q -m "not integration"` — no regressions
 - Browser (desktop): full download lifecycle works
 - Browser (mobile 390px): submit + queue table renders, actions work
 - Browser: admin panel Settings tab → edit welcome message → saves
 ## Tasks
 - [x] **T01: Admin welcome message editor** `est:30m`
  - Why: Operators need to customize the welcome message without editing config files
  - Files: `frontend/src/components/AdminPanel.vue`, `frontend/src/stores/admin.ts`, `backend/app/routers/admin.py`
  - Do: Add a "Settings" tab to admin panel with a textarea for welcome message. Load current value from `/api/config/public`. Add PUT `/api/admin/settings` endpoint that updates the config's welcome_message in memory (runtime override — persisting to YAML is out of scope for this milestone). Add `updateSettings(data)` to admin store. Show save confirmation.
  - Verify: Login to admin → Settings tab → edit message → save → reload main page → new message visible
  - Done when: Welcome message is editable from admin panel
 - [x] **T02: Mobile polish and end-to-end verification** `est:30m`
  - Why: Table-based queue may have issues at narrow viewports. Need to verify all flows.
  - Files: Various frontend components (fixes only as needed)
  - Do: Test at 390px viewport width. Fix any overflow, truncation, or touch target issues. Verify: submit download, view queue, cancel download, completed actions, dark/light toggle, footer. Fix any issues found.
  - Verify: All flows work at mobile viewport. No horizontal overflow on queue table.
  - Done when: Mobile experience is functional and clean
 - [x] **T03: Final test run and cleanup** `est:15m`
  - Why: Ensure no regressions across the full M002 milestone
  - Files: Test files, cleanup any unused components
  - Do: Run full test suites. Remove ThemePicker.vue if no longer imported. Remove DownloadItem.vue if no longer imported. Clean up any dead imports.
  - Verify: All tests pass, no unused component files, no dead imports
  - Done when: Clean codebase, all tests green
 ## Files Likely Touched
 - `frontend/src/components/AdminPanel.vue` (add Settings tab)
 - `frontend/src/stores/admin.ts` (add updateSettings)
 - `backend/app/routers/admin.py` (add PUT /admin/settings)
 - Various frontend components (mobile fixes as needed)
 - `frontend/src/components/ThemePicker.vue` (remove if unused)
 - `frontend/src/components/DownloadItem.vue` (remove if unused)
--- a/.gsd/milestones/M002/slices/S04/S04-PLAN.md
+++ b/.gsd/milestones/M002/slices/S04/S04-PLAN.md
@ -1,23 +0,0 @@
 # S04: UX Review + Live Tweaks
 **Goal:** Walk through the entire app as a user, identify UX issues, and fix them in real time. This is a guided review session — the user drives the walkthrough and calls out issues, the agent fixes them immediately.
 **Demo:** All issues identified during the walkthrough are resolved. App feels polished for a v1.0 release.
 ## Approach
 1. Start backend + frontend dev servers
 2. Walk through every user flow in the browser at desktop and mobile viewports
 3. User identifies issues — agent fixes each one before moving on
 4. Run tests after all fixes to confirm no regressions
 5. Commit
 ## Verification
 - `cd frontend && npx vitest run` — all tests pass
 - `cd backend && source .venv/Scripts/activate && python -m pytest tests/ -q -m "not integration"` — no regressions
 - Browser: all flows verified during the walkthrough
 ## Tasks
 - [ ] **T01: Live UX review and fixes** `est:variable`
  - Iterative — tasks emerge from the walkthrough