feat: add Memory Protection Middleware

[ecordell]

Description

This introduces a new memory protection middleware to help prevent out-of-memory conditions in SpiceDB by implementing admission control based on current memory usage.

This is not a perfect solution (doesn't prevent non-traffic-related sources of OOM) and is meant to support other future improvements to resource sharing in a single SpiceDB node.

The middleware is installed both in the main api and in dispatch, but at different thresholds. Memory usage is polled in the background, and if in-flight memory rises above the threshold, backpressure is placed on incoming requests.

The dispatch threshold is higher than the API threshold to preserve already admitted traffic as much as possible.

Testing

• Unit tests included
• Manual E2E test:
  • Modify [docker-compose.yaml] to set mem_limit: "200mb"
  • Run docker-compose up --build
  • Run this

zed context set example localhost:50051 foobar --insecure
zed import development/schema.yaml
{
    echo '{"items":['
    for i in $(seq 1 200); do
      d=$(( (RANDOM % 9999) + 1 ))
      echo -n "{\"resource\":{\"objectTy  pe\":\"document\",\"objectId\": \"${d}\"}, \"permission\":\"view\",\"subject\":{ \"object\": {\"objectType\": \"user\", \"objectId\": \"1\"}}}"
      [ $i -lt 200 ] && echo -n ","
    done
    echo "], \"with_tracing\": true}"
} > payload.json
ab -n 100000 -c 200 -T 'application/json' -H 'Authorization: Bearer foobar' -p payload.json http://localhost:8443/v1/permissions/checkbulk

you should see logs such as:

{
  "level": "warn",
  "traceID": "125b7b37c5775af1f2d9ebf253dcf3d1",
  "protocol": "grpc",
  "grpc.component": "server",
  "grpc.service": "authzed.api.v1.PermissionsService",
  "grpc.method": "CheckBulkPermissions",
  "grpc.method_type": "unary",
  "requestID": "d3vurmuoqu8s73bsdom0",
  "peer.address": "127.0.0.1:60376",
  "grpc.start_time": "2025-10-27T22:10:35Z",
  "grpc.code": "ResourceExhausted",
  "grpc.error": "rpc error: code = ResourceExhausted desc = server rejected the request because memory usage is above configured threshold",
  "grpc.time_ms": 0,
  "time": "2025-10-27T22:10:35Z",
  "message": "finished call"
}

and this graph in Grafana:

[codecov]

Codecov Report

❌ Patch coverage is 11.97605% with 1470 lines in your changes missing coverage. Please review.
✅ Project coverage is 77.12%. Comparing base (e55404b) to head (4a317d3).

Files with missing lines	Patch %	Lines
internal/mocks/mock_datastore.go	0.32%	1277 Missing ⚠️
internal/mocks/mock_dispatcher.go	2.57%	152 Missing ⚠️
...ware/memoryprotection/mocks/mock_memory_sampler.go	38.89%	22 Missing ⚠️
...rnal/middleware/memoryprotection/memory_sampler.go	83.08%	9 Missing and 2 partials ⚠️
pkg/cmd/server/server.go	87.24%	3 Missing and 3 partials ⚠️
...l/middleware/memoryprotection/memory_protection.go	96.50%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2646      +/-   ##
==========================================
- Coverage   79.46%   77.12%   -2.33%     
==========================================
  Files         455      460       +5     
  Lines       47161    48779    +1618     
==========================================
+ Hits        37470    37618     +148     
- Misses       6945     8408    +1463     
- Partials     2746     2753       +7     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[miparnisari]

FYI so that we can verify the new metrics in Grafana

[miparnisari]

FYI i can move the mock generation to a different PR

[tstirrat15]

This is fine.

[miparnisari]

FYI so that when changing these, the "View PR" view on Github says that the files are automatically generated and people can just mark "viewed" on them

[miparnisari]

i don't like that we have the default 90 here and also in the struct itself 😭 i'd love a unified approach in the future

[vroldanbet]

I understand the appeal to have this enabled by default (it's for the better!), but playing devil's advocate, this behavior may be surprising for folks as they update to the next release.

[miparnisari]

I agree in that it would be surprising, but the other side of the coin is that right now if they put a limit on their memory usage and they go above that, they'd be getting an OOM, so this approach is better IMO.

I don't have a strong opinion and i would love other people's opinion on this.

[josephschorr]

+1 to enabling it by default - the node dying helps no one, and its better to get some requests through than none, IMO

[vroldanbet]

I understand why we would want to add it here, and I think realistic and practical place for it, but I'd be remiss if I didn't mention that we miss protection as the early middleware layers are traversed.

But again, this is not meant to be perfect, but good enough ™️

[miparnisari]

Looking at the middlewares that run before this one (logging, metrics), it seems right to me, like i wouldn't want this new middleware to run earlier than the others 🤔 do you have a suggestion on a different order?

[vroldanbet]

We have some percent-based flags that are defined as [0...1] floats. Worth having a look and deciding which approach to commit to.

[miparnisari]

Made it similar to this

 --datastore-revision-quantization-max-staleness-percent float           float percentage (where 1 = 100%)

i don't love it but I prefer being consistent

[miparnisari]

Funny, I just found that you can pass a large number to that flag and the server accepts it 😆

- "SPICEDB_DATASTORE_REVISION_QUANTIZATION_MAX_STALENESS_PERCENT=10000"

[tstirrat15]

See comments

[tstirrat15]

Why this syntax as opposed to constructing one?

[miparnisari]

WDYM? This is standard go code to assert that a struct satisfies an interface

[tstirrat15]

This is fine.

[tstirrat15]

This is in a goroutine :P