feat: streaming storage + cross-spring namespace isolation on isomorphic IPC

Wire storage.store_blob, storage.retrieve_blob, storage.retrieve_range
(4 MiB chunked base64), storage.object.size, and storage.namespaces.list
into the modern isomorphic IPC adapter. Evolve StorageState to family-scoped
namespace model: {base}/datasets/{family_id}/{namespace}/{key}.json. All
storage.* methods accept optional namespace parameter (default "shared" for
cross-spring access). Resolves both primalSpring upstream gaps: large tensor
retrieval and cross-spring persistent storage IPC. 11,816 tests pass.

Made-with: Cursor

Author: NestGate Team

CHANGELOG.md

@@ -9,6 +9,22 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased] - 4.7.0-dev
 
+### Session 43h: Streaming storage & cross-spring namespace isolation (April 13, 2026)
+
+- **Streaming large-object support on isomorphic IPC**: `storage.store_blob`, `storage.retrieve_blob`,
+  `storage.retrieve_range` (4 MiB chunked base64), and `storage.object.size` wired into the modern
+  isomorphic IPC adapter — resolves primalSpring upstream gap for large tensor retrieval.
+- **Cross-spring namespace isolation**: All `storage.*` methods now accept an optional `namespace`
+  parameter. Default namespace is `"shared"` (cross-spring accessible). Springs can use private
+  namespaces for isolation. Directory layout: `{base}/datasets/{family_id}/{namespace}/{key}.json`.
+- **`storage.namespaces.list`**: New method to enumerate available namespaces within a family.
+- **`StorageState` evolved**: Family-scoped (`NESTGATE_FAMILY_ID` / `FAMILY_ID` / `BIOMEOS_FAMILY_ID`
+  env resolution), namespace directory model, blob subdirectory, segment validation.
+- **11 new tests**: blob store/retrieve roundtrip, chunked range reassembly, object.size,
+  namespace isolation, shared namespace default, namespace listing, path traversal rejection,
+  capabilities listing.
+- Validation: `cargo fmt`, `cargo clippy`, `cargo doc`, `cargo test` — all PASS (11,816 tests, 0 failures).
+
 ### Session 43g: Deep debt evolution — error types & dead code (April 13, 2026)
 
 - **`Box<dyn Error>` evolved**: 5 production function signatures (`websocket.rs`, `probes.rs`×3,

CONTEXT.md

@@ -29,7 +29,7 @@ than by importing this crate graph.
 | **Unsafe** | `#![forbid(unsafe_code)]` on ALL crate roots (zero exceptions) |
 | **Lint / format** | `cargo clippy --workspace --all-targets --all-features -- -D warnings` zero warnings (pedantic + nursery); `cargo fmt --check` clean |
 | **Docs** | `cargo doc --workspace --no-deps` — clean in routine runs |
-| **Tests** | `cargo test --workspace` — 11,805 passing, 451 ignored, 0 failures (see STATUS.md) |
+| **Tests** | `cargo test --workspace` — 11,816 passing, 451 ignored, 0 failures (see STATUS.md) |
 | **Coverage** | ~81.7% line (llvm-cov) — wateringHole 80% met; 90% target pending |
 | **Platforms** | Linux, FreeBSD, macOS, WSL2, illumos, Android |
 | **Specs** | 16 specification documents under `specs/` |

README.md

@@ -11,7 +11,7 @@
 - **Supply chain**: `cargo deny check bans` — PASS; `cargo tree -i ring` — no matches  
 
 **Metrics** (re-measure as needed; see [STATUS.md](./STATUS.md))  
-- **Tests (last recorded)**: 11,805 passing, 451 ignored, 0 failures — run `cargo test --workspace` to refresh counts
+- **Tests (last recorded)**: 11,816 passing, 451 ignored, 0 failures — run `cargo test --workspace` to refresh counts
 - **Coverage**: ~81.7% line (`cargo llvm-cov --workspace --lib`; wateringHole minimum 80% met; org target 90% pending)
 
 **Technical debt (honest)**  
@@ -132,7 +132,7 @@ See [STATUS.md](./STATUS.md) for measured metrics. Verified as of 2026-04-13 (Se
 | Build | `cargo check --workspace --all-features --all-targets` — PASS |
 | Clippy | `cargo clippy --workspace --all-targets --all-features -- -D warnings` — PASS (zero warnings) |
 | Format | `cargo fmt --all --check` — PASS |
-| Tests | `cargo test --workspace` — 11,805 passing, 0 failures, 451 ignored |
+| Tests | `cargo test --workspace` — 11,816 passing, 0 failures, 451 ignored |
 | Coverage | ~81.7% line (llvm-cov) — wateringHole 80% met; 90% target pending |
 | Docs | `cargo doc --workspace --no-deps` — zero warnings |
 | Deprecated | 193 `#[deprecated]` for canonical migration; zero dead callers |

STATUS.md

@@ -1,6 +1,6 @@
 # NestGate - Current Status
 
-**Last Updated**: April 13, 2026 (Session 43g — error types & dead code evolution)  
+**Last Updated**: April 13, 2026 (Session 43h — streaming storage & namespace isolation)  
 **Version**: 4.7.0-dev
 
 ---
@@ -12,7 +12,7 @@ Build:              PASS — cargo check --workspace --all-features --all-target
 Clippy:             PASS — cargo clippy --workspace --all-targets --all-features -- -D warnings (zero errors), as of 2026-04-13
 Format:             CLEAN (cargo fmt --check passes), as of 2026-04-13
 Docs:               PASS — cargo doc --workspace --no-deps (zero warnings), as of 2026-04-13
-Tests:              11,805 passing, 0 failures, 451 ignored (cargo test --workspace; flaky tests stabilized)
+Tests:              11,816 passing, 0 failures, 451 ignored (cargo test --workspace; flaky tests stabilized)
 Coverage:           ~81.7% line (cargo llvm-cov --workspace --lib) — wateringHole 80% min met; 90% target pending
 Files > 750 lines:  0 (production; 9 largest refactored Sessions 43–43f — max 749 LOC; engine/gcs/azure/pool_setup all under 500)
 Unwrap/Expect:      ZERO in production library code

capability_registry.toml

@@ -17,11 +17,12 @@ protocol = "jsonrpc-2.0"
 
 [capabilities.storage]
 domain = "storage"
-description = "Filesystem-backed durable key-value and blob storage"
+description = "Filesystem-backed durable key-value and blob storage with namespace isolation"
 methods = [
     "storage.store", "storage.retrieve", "storage.exists",
     "storage.delete", "storage.list", "storage.stats",
     "storage.store_blob", "storage.retrieve_blob", "storage.retrieve_range",
+    "storage.object.size", "storage.namespaces.list",
     "storage.fetch_external",
 ]
 

code/crates/nestgate-rpc/src/rpc/isomorphic_ipc/unix_adapter/mod.rs

@@ -60,14 +60,28 @@ struct JsonRpcError {
 /// Match `nestgate_core::nat_traversal::BEACON_DATASET` when core is linked.
 const BEACON_DATASET: &str = "_known_beacons";
 
-/// Filesystem-backed storage state.
+/// Default namespace for cross-spring shared storage.
+const DEFAULT_NAMESPACE: &str = "shared";
+
+/// Filesystem-backed storage state with family-scoped namespace isolation.
+///
+/// Directory layout:
+/// ```text
+/// {base}/datasets/{family_id}/{namespace}/{key}.json   (JSON values)
+/// {base}/datasets/{family_id}/{namespace}/_blobs/{key}  (binary blobs)
+/// ```
 ///
-/// Keys are stored as individual JSON files under `{base}/datasets/default/{key}.json`.
-/// This replaces the former in-memory `HashMap` so IPC storage survives restarts.
+/// - `family_id` is resolved from env (`NESTGATE_FAMILY_ID` / `FAMILY_ID` / `BIOMEOS_FAMILY_ID`),
+///   defaulting to `"default"`.
+/// - `namespace` isolates each caller (spring). The `"shared"` namespace is the cross-spring
+///   meeting point, readable/writable by all springs in the family. Omitting `namespace` from
+///   request params defaults to `"shared"` for backward compatibility.
 #[derive(Clone)]
 pub(super) struct StorageState {
-    /// Root directory for the default dataset.
-    dataset_dir: PathBuf,
+    /// Root directory for this family: `{base}/datasets/{family_id}`.
+    family_dir: PathBuf,
+    /// The resolved family identifier.
+    family_id: String,
     #[expect(
         dead_code,
         reason = "Template storage wired when template RPC handlers are enabled"
@@ -80,43 +94,81 @@ pub(super) struct StorageState {
     audits: crate::rpc::audit_storage::AuditStorage,
 }
 
+/// Resolve the family identifier from environment, with cascading fallback.
+fn resolve_family_id() -> String {
+    std::env::var("NESTGATE_FAMILY_ID")
+        .or_else(|_| std::env::var("FAMILY_ID"))
+        .or_else(|_| std::env::var("BIOMEOS_FAMILY_ID"))
+        .unwrap_or_else(|_| "default".to_string())
+}
+
 impl StorageState {
     fn new() -> Result<Self> {
-        let dataset_dir = get_storage_base_path().join("datasets").join("default");
-        std::fs::create_dir_all(&dataset_dir)?;
+        let family_id = resolve_family_id();
+        let family_dir = get_storage_base_path().join("datasets").join(&family_id);
+        let shared_dir = family_dir.join(DEFAULT_NAMESPACE);
+        std::fs::create_dir_all(&shared_dir)?;
         Ok(Self {
-            dataset_dir,
+            family_dir,
+            family_id,
             templates: crate::rpc::template_storage::TemplateStorage::new(),
             audits: crate::rpc::audit_storage::AuditStorage::new(),
         })
     }
 
-    /// Sanitize a key to a safe filename (reject path traversal).
-    fn key_path(&self, key: &str) -> std::result::Result<PathBuf, (i32, Cow<'static, str>)> {
-        if key.is_empty()
-            || key.contains('/')
-            || key.contains('\\')
-            || key.contains("..")
-            || key.starts_with('.')
+    /// Validate a name segment (key or namespace) — reject path traversal.
+    fn validate_segment(
+        name: &str,
+        field: &'static str,
+    ) -> std::result::Result<(), (i32, Cow<'static, str>)> {
+        if name.is_empty()
+            || name.contains('/')
+            || name.contains('\\')
+            || name.contains("..")
+            || name.starts_with('.')
         {
-            return Err((-32602, Cow::Borrowed("Invalid key: must be a simple name")));
+            return Err((
+                -32602,
+                Cow::Owned(format!("Invalid {field}: must be a simple name")),
+            ));
         }
-        Ok(self.dataset_dir.join(format!("{key}.json")))
+        Ok(())
+    }
+
+    /// Resolve a namespace directory, creating it on first access.
+    fn namespace_dir(&self, namespace: &str) -> PathBuf {
+        self.family_dir.join(namespace)
+    }
+
+    /// Sanitize a key to a safe filename within a namespace.
+    fn key_path(
+        &self,
+        namespace: &str,
+        key: &str,
+    ) -> std::result::Result<PathBuf, (i32, Cow<'static, str>)> {
+        Self::validate_segment(namespace, "namespace")?;
+        Self::validate_segment(key, "key")?;
+        Ok(self.namespace_dir(namespace).join(format!("{key}.json")))
+    }
+
+    /// Blob storage path within a namespace.
+    fn blob_path(
+        &self,
+        namespace: &str,
+        key: &str,
+    ) -> std::result::Result<PathBuf, (i32, Cow<'static, str>)> {
+        Self::validate_segment(namespace, "namespace")?;
+        Self::validate_segment(key, "key")?;
+        Ok(self.namespace_dir(namespace).join("_blobs").join(key))
     }
 
     /// NAT traversal info is stored under the `_nat` sub-directory.
     fn nat_dir(&self) -> PathBuf {
-        self.dataset_dir
-            .parent()
-            .unwrap_or(&self.dataset_dir)
-            .join("_nat")
+        self.family_dir.join("_nat")
     }
 
     fn beacon_dir(&self) -> PathBuf {
-        self.dataset_dir
-            .parent()
-            .unwrap_or(&self.dataset_dir)
-            .join(BEACON_DATASET)
+        self.family_dir.join(BEACON_DATASET)
     }
 }
 
@@ -152,6 +204,21 @@ impl UnixSocketRpcHandler {
             "storage.list" => unix_adapter_handlers::handle_storage_list(state, &request).await,
             "storage.delete" => unix_adapter_handlers::handle_storage_delete(state, &request).await,
             "storage.exists" => unix_adapter_handlers::handle_storage_exists(state, &request),
+            "storage.store_blob" => {
+                unix_adapter_handlers::handle_storage_store_blob(state, &request).await
+            }
+            "storage.retrieve_blob" => {
+                unix_adapter_handlers::handle_storage_retrieve_blob(state, &request).await
+            }
+            "storage.retrieve_range" => {
+                unix_adapter_handlers::handle_storage_retrieve_range(state, &request).await
+            }
+            "storage.object.size" => {
+                unix_adapter_handlers::handle_storage_object_size(state, &request).await
+            }
+            "storage.namespaces.list" => {
+                unix_adapter_handlers::handle_storage_namespaces_list(state).await
+            }
             "session.save" => unix_adapter_handlers::handle_session_save(state, &request).await,
             "session.load" => unix_adapter_handlers::handle_session_load(state, &request).await,
             "session.list" => unix_adapter_handlers::handle_session_list(state, &request).await,
@@ -173,17 +240,13 @@ impl UnixSocketRpcHandler {
             "capabilities.list" | "discover_capabilities" => {
                 Ok(unix_adapter_handlers::capabilities_response())
             }
-            "identity.get" => {
-                let family_id =
-                    std::env::var("NESTGATE_FAMILY_ID").unwrap_or_else(|_| "default".to_string());
-                Ok(json!({
-                    "primal": nestgate_config::constants::system::DEFAULT_SERVICE_NAME,
-                    "version": env!("CARGO_PKG_VERSION"),
-                    "domain": "storage",
-                    "license": "AGPL-3.0-or-later",
-                    "family_id": family_id
-                }))
-            }
+            "identity.get" => Ok(json!({
+                "primal": nestgate_config::constants::system::DEFAULT_SERVICE_NAME,
+                "version": env!("CARGO_PKG_VERSION"),
+                "domain": "storage",
+                "license": "AGPL-3.0-or-later",
+                "family_id": state.family_id
+            })),
 
             // nat.* — NAT traversal info uses its own sub-directory
             "nat.store_traversal_info" => {