Surfaced by the v1.0.5 browser smoke test. ResponseCache captures the
entire body into a bytes.Buffer, JSON-serializes it (escaping non-UTF-8
bytes), and replays via c.Data for subsequent hits. For audio/video
streams this has two failure modes:
1. Range headers are never honored — the cache replays the *full body*
on every request, strips the Accept-Ranges header, and leaves the
<audio> element unable to seek. The smoke test caught this when a
`Range: bytes=100-299` request got back 200 OK with 48944 bytes
instead of 206 Partial Content with 200 bytes.
2. Non-UTF-8 bytes get escaped through the JSON round-trip (`\uFFFD`
substitution etc.), corrupting the MP3 payload so even full plays
can fail mid-stream.
Minimum-invasive fix: skip the cache entirely for any path containing
`/stream`, `/download`, or `/hls/`, and for any request that carries a
`Range` header (belt-and-suspenders for any future media endpoint). All
other anonymous GETs keep their 5-minute TTL.
Verified live: `GET /api/v1/tracks/:id/stream` returns
- full: 200 OK, Accept-Ranges: bytes, Content-Length matches disk,
body MD5 matches source file byte-for-byte
- range: 206 Partial Content, Content-Range: bytes 100-299/48944,
exactly 200 bytes
Browser <audio> plays end-to-end with currentTime progressing from 0 to
duration and seek to 1.5s succeeding (readyState=4, no error).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
dda71cad80