refactor: extract download proxy route

[zereight]

Summary

Part of #516.

Stacked on #542 because this route extraction imports utils/download-token.ts from that PR.

This keeps the route refactor behavior-preserving:

• moves /downloads/:type Express proxy registration into downloads/proxy.ts
• injects existing dependencies from index.ts instead of importing shared server state
• keeps buildDownloadUrl() in index.ts
• keeps auth fallback order, rate limiting, resource binding, and response handling unchanged

Verification

• rtk npm run build
• node --import tsx/esm --test test/test-remote-downloads.ts
• node --import tsx/esm --test test/test-job-artifacts.ts
• tsx test/test-download-attachment.ts

---

Note

Low Risk
Mechanical extraction with explicit dependency injection; download auth and proxy logic are unchanged aside from module boundaries.

Overview
Moves the /downloads/:type GitLab download proxy out of index.ts into downloads/proxy.ts, with no intended behavior change.

registerDownloadProxy now takes a DownloadProxyDependencies object (API URL defaults, dynamic API URL flag, rate limit, normalizeGitLabApiUrl, getEffectiveProjectId, HTTP agent, fetch, logger) instead of reading server globals. Both SSE and Streamable HTTP startup paths wire the same dependencies from index.ts.

buildDownloadUrl and createDownloadToken stay in index.ts; the proxy module only imports decryptDownloadToken for _token handling. Auth order, per-token rate limiting, resource binding checks, download types, and streaming responses are unchanged.

^{Reviewed by Cursor Bugbot for commit 502282a. Bugbot is set up for automated code reviews on this repo. Configure here.}

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: e62cbc71-a24e-4b61-a169-6e9009417467

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch refactor/download-proxy-route

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch refactor/download-proxy-route

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}