feat(server): wire video_url content blocks through chat completion handler

* feat(server): wire video_url content blocks through chat handler

Server video requests were silently ignored because `extract_chat_video_paths` sat behind `#[allow(dead_code)]` while the chat-completion handler had no path to feed the helper's output through to the VLM runtime. Wire it up, and add the path-traversal guard that 's security review flagged as latent-HIGH so the wiring lands with the safety check, not after.

Path-traversal guard (`src/server/media.rs`):

The `file://` and bare-local-path branches now require the resolved canonical path to sit under one of the entries in the `MLXCEL_VIDEO_DIR_ALLOWLIST` env var (comma-separated, canonical directories). Empty/unset is fail-closed — every local-filesystem video reference is rejected until an operator explicitly opts in. The guard also rejects symlinks whose canonical target escapes the allowlist (canonicalize resolves symlinks before the prefix check), non-regular files (directories, FIFOs, devices), and files whose extension is not in the project's video allowlist. The public helper now reads the env var; tests use a sibling `extract_chat_video_paths_with_allowlist` so they don't depend on process-wide state.

Handler wiring (`src/server/routes/chat.rs`, `src/server/chat_request.rs`):

`prepare_chat_request_with_cache` now resolves video paths alongside images and audio. The video paths flow through a new `videos` field on `ModelRequest::Generate`, threaded through `BatchScheduler::enqueue_request` and into `prepare_request_vlm_embeddings`, where a new `prepare_request_video_embeddings` helper mirrors the CLI's `compute_gemma4_video_embeddings`: probe ffmpeg, decode each video at the per-request FPS (defaulting to `multimodal::video::DEFAULT_FPS`), expand `<|video|>` placeholders into per-frame `<boi> image_token*N <eoi>` runs, and dispatch through the Gemma 4 vision tower.

Static media-support detection (`src/server/state.rs`, `src/server/startup.rs`):

`AppState` gains a `media_support: ModelMediaSupport` field resolved once at startup from the model directory's `config.json` via `crate::models::get_model_type`. The chat handler short-circuits `video_url` blocks for non-video-capable models with a 400 (`invalid_request_error`) before any allowlist resolution or worker dispatch runs — no token cost, no silent drop. Currently only `Gemma4VLM` flips `video=true`; the detection helper is the single edit point for adding future video-capable variants.

Default-deny rationale: the `MLXCEL_VIDEO_DIR_ALLOWLIST` default is intentionally empty so a server stood up without the env var set cannot be tricked into reading `/etc/passwd` (or any other absolute path) by a request body. Operators trade explicit configuration for a guaranteed-zero attack surface — the same posture the upstream image-fetch helper uses for HTTP timeouts.

Tests:

- `src/server/media_tests.rs` adds six new cases covering the guard: empty allowlist (default state), path outside allowlist, symlink whose target escapes the allowlist (Unix-only), non-regular file with a video extension, happy-path inside the allowlist, and the canonicalization-into-sandbox parent-dir case. The pre-existing `file://`-scheme and bare-local-path tests now construct an explicit sandbox per test rather than relying on process-wide allowlist state.
- `src/server/routes/chat.rs` adds three unit tests for `request_has_video_blocks` covering text-only, image+text, and explicit `video_url` payloads.
- `src/server/startup_tests.rs` adds three tests for `detect_model_media_support` covering Gemma 4 VLM detection, missing config fallback, and text-only model behavior.

`#[allow(dead_code)]` is removed from `extract_chat_video_paths` and its supporting helpers (`resolve_video_url`, `decode_video_data_uri`, `fetch_remote_video`, `infer_video_extension`, `write_video_temp_file`, `sanitize_video_extension`, `MAX_VIDEO_PAYLOAD_SIZE`).

Closes 

* fix(server): close temp-file leak and HTTP buffer DoS in video handler

 review surfaced four security findings in the video URL handler. This commit closes all four on the same branch.

HIGH-1 — Temp-file leak / disk-fill DoS. Every `data:video/...;base64,...` request and HTTP fetch wrote up to 1 GiB into `/tmp` and never cleaned up, because `write_video_temp_file` returned a bare `PathBuf` and no caller deleted it. The resolver now returns `(PathBuf, Option<TempFile>)` where `TempFile` is the existing `crate::multimodal::video::TempFile` Drop guard for caller-owned paths (data URIs and HTTP-fetched files); pre-existing `file://` paths are not wrapped because we don't own them. `PreparedChatRequest` stashes a `Vec<TempFile>` so the guards live for the duration of the request handling — the scheduler still receives only paths, but the guards drop alongside `PreparedChatRequest` once the response is sent, removing every server-owned temp file regardless of which return path we took (success, error, panic).

HIGH-2 — HTTP fetch buffered the entire body before the size check. `response.bytes.await` would read the entire response body into memory before we could enforce `MAX_VIDEO_PAYLOAD_SIZE`, allowing a hostile origin to OOM the server by lying about `Content-Length`. The fetch now uses `response.bytes_stream` and accumulates per-chunk into a `Vec<u8>` with a `len + chunk_len > cap` check that fires before extending the buffer; on overflow the partial buffer is dropped and the request fails. The shared HTTP client also gained a 5 s connect timeout and a 5-hop redirect cap on top of the existing 10 s total timeout. New `reqwest` feature flag `stream` enables `bytes_stream`.

MEDIUM-1 — Blocking syscalls on the Tokio runtime. `std::fs::canonicalize` and `std::fs::metadata` ran on Tokio worker threads, where a slow disk or NFS mount could stall the executor. Both calls in `resolve_local_video_path` now use `tokio::fs::*` and the function is `async`. `extract_chat_video_paths_with_allowlist` is propagated as `async` to all callers and tests.

MEDIUM-2 — TOCTOU race + writable allowlist warning. The path-based resolver returns a path that ffmpeg then re-opens, so an attacker with write access inside an allowlisted directory can swap the file for a symlink between canonicalization and ffmpeg's open call. The full FD-passing fix is out of scope for this PR (tracked). For this PR a startup-time helper `scan_insecure_allowlist_dirs` walks every directory in `MLXCEL_VIDEO_DIR_ALLOWLIST`, checks Unix permissions via `PermissionsExt::mode`, and emits a `tracing::warn!` for any entry with group/world write bits set. Cfg-gated to `#[cfg(unix)]` and unit-tested with both world-writable and strict (0750) directories. The doc comment on `extract_chat_video_paths_with_allowlist` and the `VIDEO_DIR_ALLOWLIST_ENV` constant call out the residual TOCTOU window so future readers know the mitigation is operational, not technical.

Tests:
- `extract_chat_video_paths_async_canonicalize_works` exercises the async refactor with a parent-dir traversal that forces real canonicalize work.
- `fetch_remote_video_streaming_rejects_oversized` starts an in-process HTTP server that advertises a Content-Length above the cap and confirms the streaming fetch returns no path and no temp guard.
- `chat_request_drops_temp_files_on_completion` issues a `data:video/mp4;base64,...` request, asserts the temp file exists during processing, drops `PreparedChatRequest`, and asserts the temp file is gone.
- `scan_insecure_allowlist_dirs_flags_world_writable_directory` / `_passes_strict_directory` cover the writability scan in both polarities. Mirrored as `startup_warns_on_world_writable_allowlist_dir` / `startup_passes_strict_allowlist_dir` in `startup_tests.rs`.

Validated:
- `cargo build --release --features cuda` clean.
- `cargo test --features cuda --lib -- server::media server::routes::chat server::startup multimodal::video server::chat_request` 143 passed / 1 ignored.
- `cargo clippy --features cuda --lib --tests -- -D warnings` clean (incidental `cloned_ref_to_slice_refs` lint hits in pre-existing tests cleaned up alongside the new ones).
- `cargo fmt --all` clean.

Refs:,.

Author: inureyes

Cargo.toml

@@ -100,7 +100,7 @@ tower-http = { version = "0.5", features = ["cors", "trace"] }
 tower = { version = "0.4", features = ["util"] }
 hyper = { version = "1.1", features = ["server"] }
 hyper-util = { version = "0.1", features = ["tokio", "server-auto"] }
-reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls"] }
+reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls", "stream"] }
 async-stream = "0.3"
 fancy-regex = "0.17.0"
 toml = "0.8"

src/server/batch/scheduler.rs

@@ -1023,10 +1023,19 @@ impl BatchScheduler {
                 options,
                 images,
                 audio,
+                videos,
                 response_tx,
                 cancelled,
             } => {
-                self.enqueue_request(prompt, options, images, audio, response_tx, cancelled);
+                self.enqueue_request(
+                    prompt,
+                    options,
+                    images,
+                    audio,
+                    videos,
+                    response_tx,
+                    cancelled,
+                );
                 false
             }
             ModelRequest::Shutdown => {
@@ -1042,6 +1051,7 @@ impl BatchScheduler {
         options: ServerGenerateOptions,
         images: Vec<Vec<u8>>,
         audio: Vec<Vec<u8>>,
+        videos: Vec<(std::path::PathBuf, Option<f64>)>,
         response_tx: mpsc::Sender<GenerateEvent>,
         cancelled: Arc<AtomicBool>,
     ) {
@@ -1067,9 +1077,9 @@ impl BatchScheduler {
         // that refuses to pad/concatenate a cache with no tensors. VLM
         // requests may legitimately start with an empty token list (image
         // tokens are injected later by `prepare_request_vlm_embeddings`),
-        // so this guard only applies to pure-text requests without images
-        // or audio.
-        if prompt_tokens.is_empty() && images.is_empty() && audio.is_empty() {
+        // so this guard only applies to pure-text requests without images,
+        // audio, or videos.
+        if prompt_tokens.is_empty() && images.is_empty() && audio.is_empty() && videos.is_empty() {
             let _ = response_tx.send(GenerateEvent::Error(
                 "Empty prompt: request has no input tokens to process".to_string(),
             ));
@@ -1096,13 +1106,13 @@ impl BatchScheduler {
         // feature-disabled, no ctx, and race paths), fall through to the
         // cold-allocation path below.
         //
-        // VLM / audio requests opt out of the cache path entirely: their
-        // pre-injection token stream is not self-describing (image token
-        // placeholders expand later inside `prepare_request_vlm_embeddings`),
-        // so matching against it risks reusing a KV slice built for a
-        // different media payload. Support for image-aware cache keys is
-        // tracked separately in issue #425.
-        let is_multimodal = !images.is_empty() || !audio.is_empty();
+        // VLM / audio / video requests opt out of the cache path entirely:
+        // their pre-injection token stream is not self-describing (image
+        // and video frame placeholders expand later inside
+        // `prepare_request_vlm_embeddings`), so matching against it risks
+        // reusing a KV slice built for a different media payload. Support
+        // for image-aware cache keys is tracked separately in issue #425.
+        let is_multimodal = !images.is_empty() || !audio.is_empty() || !videos.is_empty();
         let ctx_ref = if is_multimodal {
             None
         } else {
@@ -1139,6 +1149,7 @@ impl BatchScheduler {
             &mut prompt_tokens,
             &images,
             &audio,
+            &videos,
             Some(self.vision_caches.as_ref()),
         ) {
             Ok(emb) => emb,

src/server/chat_request.rs

@@ -65,7 +65,7 @@ use super::chat_template_kwargs::{
     ChatTemplateKwargs, extract_request_kwargs, merge_server_and_request, strip_rolling_checkpoint,
     strip_think_block,
 };
-use super::media::{extract_chat_audio_data, extract_chat_image_data};
+use super::media::{extract_chat_audio_data, extract_chat_image_data, extract_chat_video_paths};
 use super::prompt_cache::key::resolve_session_key;
 use super::types::ChatCompletionRequest;
 use super::types::request::Tool;
@@ -74,6 +74,33 @@ pub(crate) struct PreparedChatRequest {
     pub(crate) prompt: String,
     pub(crate) image_data: Vec<Vec<u8>>,
     pub(crate) audio_data: Vec<Vec<u8>>,
+    /// Resolved video paths (issue #596). Each entry has been canonicalised
+    /// and validated against `MLXCEL_VIDEO_DIR_ALLOWLIST`; the paired
+    /// `Option<f64>` is the per-video sampling rate override from
+    /// [`crate::server::types::request::VideoUrl::fps`].
+    pub(crate) video_paths: Vec<(std::path::PathBuf, Option<f64>)>,
+    /// RAII drop guards for every server-owned temp file backing
+    /// `video_paths` (PR #600 review fix for the temp-file leak).
+    ///
+    /// We keep these here rather than return them from
+    /// [`super::media::extract_chat_video_paths`] so the lifetime of the
+    /// guard equals the lifetime of the response handler: as soon as the
+    /// last consumer of `PreparedChatRequest` drops it, the temp files
+    /// vanish from `/tmp` regardless of which return path we took
+    /// (success, early error, panic).
+    ///
+    /// The scheduler still receives only `Vec<(PathBuf, Option<f64>)>` —
+    /// paths are forwarded by value to the worker thread, but ownership of
+    /// the temp file (i.e., the responsibility for deletion) stays inside
+    /// `PreparedChatRequest`. ffmpeg reads the file by path during prefill;
+    /// once that finishes the worker has no further reference to disk and
+    /// dropping the guards in the HTTP handler is safe.
+    ///
+    /// Read solely for its `Drop` impl; `dead_code` suppression here is
+    /// intentional — every other access path would defeat the whole point
+    /// of the guard.
+    #[allow(dead_code)]
+    pub(crate) video_temp_guards: Vec<crate::multimodal::video::TempFile>,
 }
 
 /// Dedup set for the "defaulted `preserve_thinking=true`" info log.
@@ -183,15 +210,18 @@ pub(crate) async fn prepare_chat_request_with_cache(
             })
     };
 
-    let (image_data, audio_data) = tokio::join!(
+    let (image_data, audio_data, (video_paths, video_temp_guards)) = tokio::join!(
         extract_chat_image_data(request),
         extract_chat_audio_data(request),
+        extract_chat_video_paths(request),
     );
 
     PreparedChatRequest {
         prompt,
         image_data,
         audio_data,
+        video_paths,
+        video_temp_guards,
     }
 }
 

src/server/chat_request_tests.rs

@@ -1215,3 +1215,84 @@ fn tool_call_message_history_round_trips_and_digests() {
         "tool reorder must change the digest"
     );
 }
+
+// ---------------------------------------------------------------------------
+// PR #600 review fix (HIGH-1): temp-file lifetime tied to PreparedChatRequest
+// ---------------------------------------------------------------------------
+
+/// A `data:video/...;base64,...` URL produces a server-owned temp file that
+/// must exist while `PreparedChatRequest` is alive and disappear once it
+/// drops. The previous wiring leaked the file because nothing held a Drop
+/// guard — every request added up to 1 GiB of `/tmp` debris.
+///
+/// This test does not require ffmpeg or a real video; it only checks the
+/// resolver-to-guard wiring. The cap-checking and ffmpeg path are exercised
+/// elsewhere.
+#[tokio::test]
+async fn chat_request_drops_temp_files_on_completion() {
+    use base64::Engine;
+
+    // Tiny payload — base64 of "hi" — is enough to trigger the temp-file
+    // write path without straining CI.
+    let payload = base64::engine::general_purpose::STANDARD.encode(b"hi");
+    let data_url = format!("data:video/mp4;base64,{payload}");
+
+    let request = ChatCompletionRequest {
+        model: "test-model".to_string(),
+        messages: vec![Message {
+            role: Role::User,
+            content: MessageContent::Parts(vec![ContentPart::VideoUrl {
+                video_url: crate::server::types::request::VideoUrl {
+                    url: data_url,
+                    fps: None,
+                },
+            }]),
+            name: None,
+            tool_call_id: None,
+            tool_calls: None,
+        }],
+        stream: false,
+        stream_options: None,
+        logprobs: None,
+        top_logprobs: None,
+        tools: None,
+        tool_choice: None,
+        parallel_tool_calls: None,
+        chat_template_kwargs: None,
+        extra_body: None,
+        prompt_cache_key: None,
+        user: None,
+        extra_body_fields: serde_json::Map::new(),
+        response_format: None,
+        params: SamplingParams::default(),
+    };
+
+    // Render with a no-op template — we only care about the media plumbing.
+    let processor = ChatTemplateProcessor::with_template(
+        "{% for m in messages %}{{ m.content }}{% endfor %}".to_string(),
+    );
+    let prepared = prepare_chat_request(&processor, &request, None).await;
+
+    // Resolved: exactly one temp path, exactly one guard.
+    assert_eq!(prepared.video_paths.len(), 1, "data:video URL must resolve");
+    assert_eq!(
+        prepared.video_temp_guards.len(),
+        1,
+        "data:video URL must yield one Drop guard"
+    );
+    let temp_path = prepared.video_paths[0].0.clone();
+    assert!(
+        temp_path.exists(),
+        "temp file must exist while PreparedChatRequest is alive"
+    );
+
+    // Drop the prepared struct; the guard's Drop impl should remove the file.
+    drop(prepared);
+
+    // Drop is synchronous and the file removal happens inside Drop, so the
+    // file must be gone by the time we reach this line.
+    assert!(
+        !temp_path.exists(),
+        "temp file must be removed once PreparedChatRequest drops; remained at {temp_path:?}"
+    );
+}