feat: implement object storage upload foundation#77
Conversation
Add the feature memory and compile-red tests for strict storage config, presigning, readiness, upload validation, fail-closed completion, and completion idempotency. Co-authored-by: OpenAI Codex <codex@openai.com>
Co-authored-by: OpenAI Codex <codex@openai.com>
Co-authored-by: OpenAI Codex <codex@openai.com>
Add the strict Hetzner S3 adapter, storage readiness, owner-bound signed photo upload lifecycle, durable migrations, production topology artifacts, and default-off activation gates. Co-authored-by: OpenAI Codex <codex@openai.com>
Record dedicated cross-project credentials, live policy/CORS evidence, and the backup Object Lock residual. Co-authored-by: OpenAI Codex <codex@openai.com>
|
@codex review Please review the current PR head |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 0d32510e14
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Co-authored-by: OpenAI Codex <codex@openai.com>
Co-authored-by: OpenAI Codex <codex@openai.com>
Co-authored-by: OpenAI Codex <codex@openai.com>
|
@codex review Please review current head |
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 16c5065e9b
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Co-authored-by: OpenAI Codex <codex@openai.com>
Co-authored-by: OpenAI Codex <codex@openai.com>
|
@codex review |
|
Codex Review: Didn't find any major issues. Can't wait for the next one! Reviewed commit: ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
Summary
OBJECT_STORAGE_*configuration and an AWS SDK v2 S3-compatible private-storage adapter with bounded retries/timeouts, readiness, signed PUT/GET, metadata, and delete primitivesupload_jobs/ unattached originalitem_assets, strict validation, and concurrency-safe idempotent completion15203114/ HEL and the Object-Locked backup bucket in project15296835/ FSN; move runtime and backup credentials to bucketless key-only projects15302873and15302925OBJECT_STORAGE_UPLOADS_ENABLED=falsestorage-smokeindependent ofDATABASE_URL, then isolate container liveness on dependency-free/livezwhile/api/healthremains fail-closed release readinessScope Context
040-object-storage-upload-foundationReuse check: extended
config.Load,auth.RequireSession/auth.UserID,httpx, the health handler, pgx migration/repository patterns, and existing OpenAPI upload routes; newstorage/uploadspackages were required because no Go storage/upload bounded context existed.Module-size note: the composition root and upload handlers exceed the ~60-line soft signal only as linear wiring/request pipelines; provider and persistence logic remain split into focused packages and every new Go file remains below the ~500-line review signal.
SENAR Done Gate
spec.mdGoal + Scope sections).789405ba96has greenbaseline-checks/guard/test/AI Review/osv-scanand an exact-head Codex no-major-issues summary. Row 14 waits only for human-authorized resolution of the two addressed review threads and the residual-risk gate below.tasks.mdrecords dead ends, decisions, and known issues under## Process Memory.7f25927,85b7eaa, andf7577c2; implementation begins ina4dd84c. Review fixes also remain test-first:8933ce4→a1a895b, and47f4fb5→789405b.PutObject. The writer still cannot read/delete/list existing data or directly mutate ACL/Object Lock state, but a compromised writer could create retained/held versions and amplify storage cost. Backup automation remains disabled and gated on header sanitization plus explicit acceptance or a provider fix.Validation
789405ba96: greenbaseline-checks,guard,test,AI Review, andosv-scan; Codex reported no major issues47f4fb5→ green789405b;/livezis dependency-free and release readiness stays on/api/healthcd api && go vet ./... && go test ./...cd api && go test -race ./internal/storage ./internal/uploads ./internal/httpx ./cmd/apipostgres:16:go test -tags=integration -race -count=1 -run TestRepoCompleteIsConcurrentAndIdempotent ./internal/uploadsnpm run check:repo && npm run check:feature-memory && npm run check:api-contractnpm --prefix app run typecheckdocker compose ... config --quiets3:*deny, backup normal Put plus read/delete/list/control/ACL denies and dangerous ACL header guardsSecurity Notes
item-originals/*/smoke/spec-040/*object actions; the public bucket explicitly denies that principals3:*.postgres/*puts work; object/version reads, ACL/direct retention/legal-hold controls, deletes, governance bypass, listing, and bucket control reads were denied in live probes. Dangerous canned ACL and AllUsers grant-read puts were also denied.Follow-up Work
pg_dump, scheduling, retention, restore drill, Object Lock header rejection, and explicit residual acceptance/provider fix.imgproxy.Co-authored-by: Codex codex@openai.com