Skip to content

Check blob backend before API startup#388

Merged
TheSilkky merged 1 commit into
developfrom
issue-381-check-blob-backend-before-api-startup
Jul 12, 2026
Merged

Check blob backend before API startup#388
TheSilkky merged 1 commit into
developfrom
issue-381-check-blob-backend-before-api-startup

Conversation

@TheSilkky

@TheSilkky TheSilkky commented Jul 12, 2026

Copy link
Copy Markdown
Member

Closes #381

Target base branch

  • Base: develop
  • Head: issue-381-check-blob-backend-before-api-startup

Summary

  • Check the selected local or S3-compatible blob backend before handlers, workers, or HTTP listeners begin serving.
  • Fail closed through the existing sanitized blob_store_open startup stage when storage is unavailable.
  • Add fake-backed readiness success/failure coverage and verify startup logs do not expose endpoints, buckets, credentials, paths, object keys, or raw backend errors.
  • Document the startup contract, operator recovery guidance, and the point-in-time preflight limitation.

Root cause and impact

The API constructed the selected blob store but did not call its existing Check method before starting its listeners. An unavailable configured evidence backend could therefore remain undiscovered until a later storage operation. Startup now verifies the selected backend first while preserving the existing listener split and ciphertext-only storage behavior.

Validation

  • gofmt -w ./cmd ./internal ./migrations
  • Focused API startup and storage check tests
  • go test ./...
  • go vet ./...
  • go test -race ./cmd/api ./internal/storage
  • scripts/check-markdown-links.py
  • COMPOSE_PROJECT_NAME=proofline-issue381 compose/smoke-test.sh full
  • git diff --check

The disposable full-stack smoke covered PostgreSQL, MinIO/S3-compatible storage, Valkey, authenticated upload, idempotent replay, stream completion, bundle download, and local decrypt verification.

Documentation

Updated the changelog, README, documentation index, configuration reference, cluster scope, backup/failure runbook, and threat model. The website governance and README-baseline documents were not in scope because this PR changes only a server-specific runtime behavior fact, not project-wide governance, public voice, README structure, or source-of-truth mapping.

Scope and revalidation

Issue #381 originated from the technical review of upgrade-codex-reports-and-repo-full-validation-security-review at e609ff8. The finding was revalidated against develop at a267f48, which is the base commit for this branch. No public/private route, runtime health route, or listener assignment changed.

Key custody and decryption assumptions are unchanged. The backend remains ciphertext-only and this PR adds no backend decryption, raw server-held keys, key escrow, browser decryption, or key-sharing behavior.

Follow-up

No follow-up work is required for the issue scope. A deeper run-level negative listener test could add another defense-in-depth signal later; the current change is covered by fake-backed failure propagation, source-order review, redaction tests, and the disposable S3-compatible success smoke.

@TheSilkky TheSilkky marked this pull request as ready for review July 12, 2026 08:38
@TheSilkky TheSilkky merged commit f16db76 into develop Jul 12, 2026
18 checks passed
@TheSilkky TheSilkky deleted the issue-381-check-blob-backend-before-api-startup branch July 12, 2026 08:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Check the configured blob backend before API startup

1 participant