- Replace legacy salted password hashing with bcrypt and store hash alg
- Accept existing bcrypt hashes while keeping legacy verification fallback
- Validate box IDs and use SafeChildPath for box/file operations to prevent traversal
- Refactor download flow to share zip writer logic and correctly handle one-time deletes and optional renew-on-download only after a successful zip writefeat(security): use bcrypt hashes and safe paths for boxes
- Replace legacy salted password hashing with bcrypt and store hash alg
- Accept existing bcrypt hashes while keeping legacy verification fallback
- Validate box IDs and use SafeChildPath for box/file operations to prevent traversal
- Refactor download flow to share zip writer logic and correctly handle one-time deletes and optional renew-on-download only after a successful zip write
- Move box ID validation, file listing/pathing, manifest creation, and uploads to `boxstore`
- Use shared helpers for safe filenames and polling interval env parsing
- Add file status constants to `models` to avoid duplicated magic strings across handlersrefactor(server): use boxstore helpers and file status consts
- Move box ID validation, file listing/pathing, manifest creation, and uploads to `boxstore`
- Use shared helpers for safe filenames and polling interval env parsing
- Add file status constants to `models` to avoid duplicated magic strings across handlers
