Atomic write pattern (tier-3 polish from headless test finding):
- download_to_file now writes to <dest>.part and renames to <dest> only on
successful stream completion (os.replace is POSIX-atomic). Failed
downloads leave only the .part file — no misleading 0-byte dest files
in the user's downloads directory.
- Resume logic reads from <dest>.part instead of <dest>; the user's
directory only ever contains complete files or clearly-marked .part files.
- New `already_complete` short-circuit: if dest exists and no .part, skip
the network entirely (still re-verify MD5 if requested). The headless
Claude test confirmed this avoids redundant CDN load.
- Symlink rejection re-added at the new code path: even though os.replace
would only replace (not follow) a symlink at dest, predictable refusal
beats silent symlink removal.
Runtime download root tools (for stdio MCP mode):
- get_download_root(): reports current root, source (env var vs default),
existence, writability.
- set_download_root(path): change MCARCHIVE_DOWNLOAD_ROOT mid-session.
Expands ~, creates the dir, refuses system paths
(/, /etc, /usr, /bin, /sbin, /var, /sys, /proc, /dev, /boot, /root).
The lazy-resolved root means the change takes effect on the next
download_file call without restarting the server.
14 new tests (66 total, all green, ruff clean):
- 4 staging tests: failed download leaves no dest, success leaves no .part,
already_complete short-circuit, MD5 verification on existing files
- 6 root-tools tests: env reporting, default reporting, ~ expansion,
system-dir refusal (parametrized), set→download takes effect immediately
- 4 existing tests rewritten to use .part as the resume staging file
Headless Claude smoke test verified end-to-end: get_download_root →
set_download_root → search → list → download → second download
short-circuits with already_complete=true and zero network bytes.
Ryan Malloy
25a34cd24d