cuducos.me / at-container-registry
forked from evan.jarrett.net/at-container-registry
A container registry that uses the AT Protocol for manifest storage and S3 for blob storage.
fork atom

start researching quotas based on layer size per DID

evan.jarrett.net 53e196a2 f74bc301

verified
+846 -1304
+324 -1073
docs/QUOTAS.md
··· 1 1 # ATCR Quota System 2 2 3 - This document describes ATCR's storage quota implementation, inspired by Harbor's proven approach to per-project blob tracking with deduplication. 3 + This document describes ATCR's storage quota implementation using ATProto records for per-user layer tracking. 4 4 5 5 ## Table of Contents 6 6 7 7 - [Overview](#overview) 8 - - [Harbor's Approach (Reference Implementation)](#harbors-approach-reference-implementation) 9 - - [Storage Options](#storage-options) 10 - - [Quota Data Model](#quota-data-model) 11 - - [Push Flow (Detailed)](#push-flow-detailed) 8 + - [Quota Model](#quota-model) 9 + - [Layer Record Schema](#layer-record-schema) 10 + - [Quota Calculation](#quota-calculation) 11 + - [Push Flow](#push-flow) 12 12 - [Delete Flow](#delete-flow) 13 13 - [Garbage Collection](#garbage-collection) 14 - - [Quota Reconciliation](#quota-reconciliation) 15 14 - [Configuration](#configuration) 16 - - [Trade-offs & Design Decisions](#trade-offs--design-decisions) 17 15 - [Future Enhancements](#future-enhancements) 18 16 19 17 ## Overview 20 18 21 19 ATCR implements per-user storage quotas to: 22 20 1. **Limit storage consumption** on shared hold services 23 - 2. **Track actual S3 costs** (what new data was added) 24 - 3. **Benefit from deduplication** (users only pay once per layer) 25 - 4. **Provide transparency** (show users their storage usage) 21 + 2. **Provide transparency** (show users their storage usage) 22 + 3. **Enable fair billing** (users pay for what they use) 26 23 27 - **Key principle:** Users pay for layers they've uploaded, but only ONCE per layer regardless of how many images reference it. 24 + **Key principle:** Users pay for layers they reference, deduplicated per-user. If you push the same layer in multiple images, you only pay once. 28 25 29 26 ### Example Scenario 30 27 31 28 ``` 32 29 Alice pushes myapp:v1 (layers A, B, C - each 100MB) 33 - → Alice's quota: +300MB (all new layers) 30 + → Creates 3 layer records in hold's PDS 31 + → Alice's quota: 300MB (3 unique layers) 34 32 35 33 Alice pushes myapp:v2 (layers A, B, D) 36 - → Layers A, B already claimed by Alice 37 - → Layer D is new (100MB) 38 - → Alice's quota: +100MB (only D is new) 39 - → Total: 400MB 34 + → Creates 3 more layer records (A, B again, plus D) 35 + → Alice's quota: 400MB (4 unique layers: A, B, C, D) 36 + → Layers A, B appear twice in records but deduplicated in quota calc 40 37 41 38 Bob pushes his-app:latest (layers A, E) 42 - → Layer A already exists in S3 (uploaded by Alice) 43 - → Bob claims it for first time → +100MB to Bob's quota 44 - → Layer E is new → +100MB to Bob's quota 45 - → Bob's quota: 200MB 39 + → Creates 2 layer records for Bob 40 + → Bob's quota: 200MB (2 unique layers: A, E) 41 + → Layer A shared with Alice in S3, but Bob pays for his own usage 46 42 47 - Physical S3 storage: 500MB (A, B, C, D, E) 48 - Claimed storage: 600MB (Alice: 400MB, Bob: 200MB) 49 - Deduplication savings: 100MB (layer A shared) 43 + Physical S3 storage: 500MB (A, B, C, D, E - deduplicated globally) 44 + Alice's quota: 400MB 45 + Bob's quota: 200MB 50 46 ``` 51 47 52 - ## Harbor's Approach (Reference Implementation) 48 + ## Quota Model 53 49 54 - Harbor is built on distribution/distribution (same as ATCR) and implements quotas as middleware. Their approach: 50 + ### Everyone Pays for What They Upload 55 51 56 - ### Key Insights from Harbor 52 + Each user is charged for all unique layers they reference, regardless of whether those layers exist in S3 from other users' uploads. 57 53 58 - 1. **"Shared blobs are only computed once per project"** 59 - - Each project tracks which blobs it has uploaded 60 - - Same blob used in multiple images counts only once per project 61 - - Different projects claiming the same blob each pay for it 54 + **Why this model?** 55 + - **Simple mental model**: "I pushed 500MB of layers, I use 500MB of quota" 56 + - **Predictable**: Your quota doesn't change based on others' actions 57 + - **Clean deletion**: Delete manifest → layer records removed → quota freed 58 + - **No cross-user dependencies**: Users are isolated 62 59 63 - 2. **Quota checked when manifest is pushed** 64 - - Blobs upload first (presigned URLs, can't intercept) 65 - - Manifest pushed last → quota check happens here 66 - - Can reject manifest if quota exceeded (orphaned blobs cleaned by GC) 60 + **Trade-off:** 61 + - Total claimed storage can exceed physical S3 storage 62 + - This is acceptable - deduplication is an operational benefit for ATCR, not a billing feature 67 63 68 - 3. **Middleware-based implementation** 69 - - distribution/distribution has NO built-in quota support 70 - - Harbor added it as request preprocessing middleware 71 - - Uses database (PostgreSQL) or Redis for quota storage 64 + ### ATProto-Native Storage 72 65 73 - 4. **Per-project ownership model** 74 - - Blobs are physically deduplicated globally 75 - - Quota accounting is logical (per-project claims) 76 - - Total claimed storage can exceed physical storage 66 + Layer tracking uses ATProto records stored in the hold's embedded PDS: 67 + - **Collection**: `io.atcr.hold.layer` 68 + - **Repository**: Hold's DID (e.g., `did:web:hold01.atcr.io`) 69 + - **Records**: One per manifest-layer relationship (TID-based keys) 77 70 78 - ### References 71 + This approach: 72 + - Keeps quota data in ATProto (no separate database) 73 + - Enables standard ATProto sync/query mechanisms 74 + - Provides full audit trail of layer usage 79 75 80 - - Harbor Quota Documentation: https://goharbor.io/docs/1.10/administration/configure-project-quotas/ 81 - - Harbor Source: https://github.com/goharbor/harbor (see `src/controller/quota`) 76 + ## Layer Record Schema 82 77 83 - ## Storage Options 78 + ### LayerRecord 84 79 85 - The hold service needs to store quota data somewhere. Two options: 86 - 87 - ### Option 1: S3-Based Storage (Recommended for BYOS) 88 - 89 - Store quota metadata alongside blobs in the same S3 bucket: 80 + ```go 81 + // pkg/atproto/lexicon.go 90 82 91 - ``` 92 - Bucket structure: 93 - /docker/registry/v2/blobs/sha256/ab/abc123.../data ← actual blobs 94 - /atcr/quota/did:plc:alice.json ← quota tracking 95 - /atcr/quota/did:plc:bob.json 83 + type LayerRecord struct { 84 + Type string `json:"$type"` // "io.atcr.hold.layer" 85 + Digest string `json:"digest"` // Layer digest (sha256:abc123...) 86 + Size int64 `json:"size"` // Size in bytes 87 + MediaType string `json:"mediaType"` // e.g., "application/vnd.oci.image.layer.v1.tar+gzip" 88 + Manifest string `json:"manifest"` // at://did:plc:alice/io.atcr.manifest/abc123 89 + UserDID string `json:"userDid"` // User's DID for quota grouping 90 + CreatedAt string `json:"createdAt"` // ISO 8601 timestamp 91 + } 96 92 ``` 97 93 98 - **Pros:** 99 - - ✅ No separate database needed 100 - - ✅ Single S3 bucket (better UX - no second bucket to configure) 101 - - ✅ Quota data lives with the blobs 102 - - ✅ Hold service stays relatively stateless 103 - - ✅ Works with any S3-compatible service (Storj, Minio, Upcloud, Fly.io) 104 - 105 - **Cons:** 106 - - ❌ Slower than local database (network round-trip) 107 - - ❌ Eventual consistency issues 108 - - ❌ Race conditions on concurrent updates 109 - - ❌ Extra S3 API costs (GET/PUT per upload) 94 + ### Record Key 110 95 111 - **Performance:** 112 - - Each blob upload: 1 HEAD (blob exists?) + 1 GET (quota) + 1 PUT (update quota) 113 - - Typical latency: 100-200ms total overhead 114 - - For high-throughput registries, consider SQLite 96 + Records use TID (timestamp-based ID) as the rkey. This means: 97 + - Multiple records can exist for the same layer (from different manifests) 98 + - Deduplication happens at query time, not storage time 99 + - Simple append-only writes on manifest push 115 100 116 - ### Option 2: SQLite Database (Recommended for Shared Holds) 101 + ### Example Records 117 102 118 - Local database in hold service: 119 - 120 - ```bash 121 - /var/lib/atcr/hold-quota.db 122 103 ``` 123 - 124 - **Pros:** 125 - - ✅ Fast local queries (no network latency) 126 - - ✅ ACID transactions (no race conditions) 127 - - ✅ Efficient for high-throughput registries 128 - - ✅ Can use foreign keys and joins 104 + Manifest A (layers X, Y, Z) → creates 3 records 105 + Manifest B (layers X, W) → creates 2 records 129 106 130 - **Cons:** 131 - - ❌ Makes hold service stateful (persistent volume needed) 132 - - ❌ Not ideal for ephemeral BYOS deployments 133 - - ❌ Backup/restore complexity 134 - - ❌ Multi-instance scaling requires shared database 135 - 136 - **Schema:** 137 - ```sql 138 - CREATE TABLE user_quotas ( 139 - did TEXT PRIMARY KEY, 140 - quota_limit INTEGER NOT NULL DEFAULT 10737418240, -- 10GB 141 - quota_used INTEGER NOT NULL DEFAULT 0, 142 - updated_at TIMESTAMP 143 - ); 144 - 145 - CREATE TABLE claimed_layers ( 146 - did TEXT NOT NULL, 147 - digest TEXT NOT NULL, 148 - size INTEGER NOT NULL, 149 - claimed_at TIMESTAMP, 150 - PRIMARY KEY(did, digest) 151 - ); 107 + io.atcr.hold.layer collection: 108 + ┌──────────────┬────────┬──────┬───────────────────────────────────┬─────────────────┐ 109 + │ rkey (TID) │ digest │ size │ manifest │ userDid │ 110 + ├──────────────┼────────┼──────┼───────────────────────────────────┼─────────────────┤ 111 + │ 3jui7...001 │ X │ 100 │ at://did:plc:alice/.../manifestA │ did:plc:alice │ 112 + │ 3jui7...002 │ Y │ 200 │ at://did:plc:alice/.../manifestA │ did:plc:alice │ 113 + │ 3jui7...003 │ Z │ 150 │ at://did:plc:alice/.../manifestA │ did:plc:alice │ 114 + │ 3jui7...004 │ X │ 100 │ at://did:plc:alice/.../manifestB │ did:plc:alice │ ← duplicate digest 115 + │ 3jui7...005 │ W │ 300 │ at://did:plc:alice/.../manifestB │ did:plc:alice │ 116 + └──────────────┴────────┴──────┴───────────────────────────────────┴─────────────────┘ 152 117 ``` 153 118 154 - ### Recommendation 119 + ## Quota Calculation 155 120 156 - - **BYOS (user-owned holds):** S3-based (keeps hold service ephemeral) 157 - - **Shared holds (multi-user):** SQLite (better performance and consistency) 158 - - **High-traffic production:** SQLite or PostgreSQL (Harbor uses this) 121 + ### Query: User's Unique Storage 159 122 160 - ## Quota Data Model 161 - 162 - ### Quota File Format (S3-based) 163 - 164 - ```json 165 - { 166 - "did": "did:plc:alice123", 167 - "limit": 10737418240, 168 - "used": 5368709120, 169 - "claimed_layers": { 170 - "sha256:abc123...": 104857600, 171 - "sha256:def456...": 52428800, 172 - "sha256:789ghi...": 209715200 173 - }, 174 - "last_updated": "2025-10-09T12:34:56Z", 175 - "version": 1 176 - } 123 + ```sql 124 + -- Calculate quota by deduplicating layers 125 + SELECT SUM(size) FROM ( 126 + SELECT DISTINCT digest, size 127 + FROM io.atcr.hold.layer 128 + WHERE userDid = ? 129 + ) 177 130 ``` 178 131 179 - **Fields:** 180 - - `did`: User's ATProto DID 181 - - `limit`: Maximum storage in bytes (default: 10GB) 182 - - `used`: Current storage usage in bytes (sum of claimed_layers) 183 - - `claimed_layers`: Map of digest → size for all layers user has uploaded 184 - - `last_updated`: Timestamp of last quota update 185 - - `version`: Schema version for future migrations 186 - 187 - ### Why Track Individual Layers? 188 - 189 - **Q: Can't we just track a counter?** 190 - 191 - **A: We need layer tracking for:** 192 - 193 - 1. **Deduplication detection** 194 - - Check if user already claimed a layer → free upload 195 - - Example: Updating an image reuses most layers 196 - 197 - 2. **Accurate deletes** 198 - - When manifest deleted, only decrement unclaimed layers 199 - - User may have 5 images sharing layer A - deleting 1 image doesn't free layer A 200 - 201 - 3. **Quota reconciliation** 202 - - Verify quota matches reality by listing user's manifests 203 - - Recalculate from layers in manifests vs claimed_layers map 132 + Using the example above: 133 + - Layer X appears twice but counted once: 100 134 + - Layers Y, Z, W counted once each: 200 + 150 + 300 135 + - **Total: 750 bytes** 204 136 205 - 4. **Auditing** 206 - - "Show me what I'm storing" 207 - - Users can see which layers consume their quota 208 - 209 - ## Push Flow (Detailed) 210 - 211 - ### Step-by-Step: User Pushes Image 212 - 213 - ``` 214 - ┌──────────┐ ┌──────────┐ ┌──────────┐ 215 - │ Client │ │ Hold │ │ S3 │ 216 - │ (Docker) │ │ Service │ │ Bucket │ 217 - └──────────┘ └──────────┘ └──────────┘ 218 - │ │ │ 219 - │ 1. PUT /v2/.../blobs/ │ │ 220 - │ upload?digest=sha256:abc│ │ 221 - ├───────────────────────────>│ │ 222 - │ │ │ 223 - │ │ 2. Check if blob exists │ 224 - │ │ (Stat/HEAD request) │ 225 - │ ├───────────────────────────>│ 226 - │ │<───────────────────────────┤ 227 - │ │ 200 OK (exists) or │ 228 - │ │ 404 Not Found │ 229 - │ │ │ 230 - │ │ 3. Read user quota │ 231 - │ │ GET /atcr/quota/{did} │ 232 - │ ├───────────────────────────>│ 233 - │ │<───────────────────────────┤ 234 - │ │ quota.json │ 235 - │ │ │ 236 - │ │ 4. Calculate quota impact │ 237 - │ │ - If digest in │ 238 - │ │ claimed_layers: 0 │ 239 - │ │ - Else: size │ 240 - │ │ │ 241 - │ │ 5. Check quota limit │ 242 - │ │ used + impact <= limit? │ 243 - │ │ │ 244 - │ │ 6. Update quota │ 245 - │ │ PUT /atcr/quota/{did} │ 246 - │ ├───────────────────────────>│ 247 - │ │<───────────────────────────┤ 248 - │ │ 200 OK │ 249 - │ │ │ 250 - │ 7. Presigned URL │ │ 251 - │<───────────────────────────┤ │ 252 - │ {url: "https://s3..."} │ │ 253 - │ │ │ 254 - │ 8. Upload blob to S3 │ │ 255 - ├────────────────────────────┼───────────────────────────>│ 256 - │ │ │ 257 - │ 9. 200 OK │ │ 258 - │<───────────────────────────┼────────────────────────────┤ 259 - │ │ │ 260 - ``` 261 - 262 - ### Implementation (Pseudocode) 137 + ### Implementation 263 138 264 139 ```go 265 - // cmd/hold/main.go - HandlePutPresignedURL 140 + // pkg/hold/quota/quota.go 266 141 267 - func (s *HoldService) HandlePutPresignedURL(w http.ResponseWriter, r *http.Request) { 268 - var req PutPresignedURLRequest 269 - json.NewDecoder(r.Body).Decode(&req) 142 + type QuotaManager struct { 143 + pds *pds.Server // Hold's embedded PDS 144 + } 270 145 271 - // Step 1: Check if blob already exists in S3 272 - blobPath := fmt.Sprintf("/docker/registry/v2/blobs/%s/%s/%s/data", 273 - algorithm, digest[:2], digest) 274 - 275 - _, err := s.driver.Stat(ctx, blobPath) 276 - blobExists := (err == nil) 277 - 278 - // Step 2: Read quota from S3 (or SQLite) 279 - quota, err := s.quotaManager.GetQuota(req.DID) 146 + // GetUsage calculates a user's current quota usage 147 + func (q *QuotaManager) GetUsage(ctx context.Context, userDID string) (int64, error) { 148 + // List all layer records for this user 149 + records, err := q.pds.ListRecords(ctx, LayerCollection, userDID) 280 150 if err != nil { 281 - // First upload - create quota with defaults 282 - quota = &Quota{ 283 - DID: req.DID, 284 - Limit: s.config.QuotaDefaultLimit, 285 - Used: 0, 286 - ClaimedLayers: make(map[string]int64), 287 - } 151 + return 0, err 288 152 } 289 153 290 - // Step 3: Calculate quota impact 291 - quotaImpact := req.Size // Default: assume new layer 292 - 293 - if _, alreadyClaimed := quota.ClaimedLayers[req.Digest]; alreadyClaimed { 294 - // User already uploaded this layer before 295 - quotaImpact = 0 296 - log.Printf("Layer %s already claimed by %s, no quota impact", 297 - req.Digest, req.DID) 298 - } else if blobExists { 299 - // Blob exists in S3 (uploaded by another user) 300 - // But this user is claiming it for first time 301 - // Still counts against their quota 302 - log.Printf("Layer %s exists globally but new to %s, quota impact: %d", 303 - req.Digest, req.DID, quotaImpact) 304 - } else { 305 - // Brand new blob - will be uploaded to S3 306 - log.Printf("New layer %s for %s, quota impact: %d", 307 - req.Digest, req.DID, quotaImpact) 154 + // Deduplicate by digest 155 + uniqueLayers := make(map[string]int64) // digest -> size 156 + for _, record := range records { 157 + var layer LayerRecord 158 + if err := json.Unmarshal(record.Value, &layer); err != nil { 159 + continue 160 + } 161 + if layer.UserDID == userDID { 162 + uniqueLayers[layer.Digest] = layer.Size 163 + } 308 164 } 309 165 310 - // Step 4: Check quota limit 311 - if quota.Used + quotaImpact > quota.Limit { 312 - http.Error(w, fmt.Sprintf( 313 - "quota exceeded: used=%d, impact=%d, limit=%d", 314 - quota.Used, quotaImpact, quota.Limit, 315 - ), http.StatusPaymentRequired) // 402 316 - return 317 - } 318 - 319 - // Step 5: Update quota (optimistic - before upload completes) 320 - quota.Used += quotaImpact 321 - if quotaImpact > 0 { 322 - quota.ClaimedLayers[req.Digest] = req.Size 166 + // Sum unique layer sizes 167 + var total int64 168 + for _, size := range uniqueLayers { 169 + total += size 323 170 } 324 - quota.LastUpdated = time.Now() 325 171 326 - if err := s.quotaManager.SaveQuota(quota); err != nil { 327 - http.Error(w, "failed to update quota", http.StatusInternalServerError) 328 - return 329 - } 172 + return total, nil 173 + } 330 174 331 - // Step 6: Generate presigned URL 332 - presignedURL, err := s.getUploadURL(ctx, req.Digest, req.Size, req.DID) 175 + // CheckQuota returns true if user has space for additional bytes 176 + func (q *QuotaManager) CheckQuota(ctx context.Context, userDID string, additional int64, limit int64) (bool, int64, error) { 177 + current, err := q.GetUsage(ctx, userDID) 333 178 if err != nil { 334 - // Rollback quota update on error 335 - quota.Used -= quotaImpact 336 - delete(quota.ClaimedLayers, req.Digest) 337 - s.quotaManager.SaveQuota(quota) 338 - 339 - http.Error(w, "failed to generate presigned URL", http.StatusInternalServerError) 340 - return 341 - } 342 - 343 - // Step 7: Return presigned URL + quota info 344 - resp := PutPresignedURLResponse{ 345 - URL: presignedURL, 346 - ExpiresAt: time.Now().Add(15 * time.Minute), 347 - QuotaInfo: QuotaInfo{ 348 - Used: quota.Used, 349 - Limit: quota.Limit, 350 - Available: quota.Limit - quota.Used, 351 - Impact: quotaImpact, 352 - AlreadyClaimed: quotaImpact == 0, 353 - }, 179 + return false, 0, err 354 180 } 355 181 356 - w.Header().Set("Content-Type", "application/json") 357 - json.NewEncoder(w).Encode(resp) 182 + return current+additional <= limit, current, nil 358 183 } 359 184 ``` 360 185 361 - ### Race Condition Handling 362 - 363 - **Problem:** Two concurrent uploads of the same blob 186 + ### Quota Response 364 187 365 - ``` 366 - Time User A User B 367 - 0ms Upload layer X (100MB) 368 - 10ms Upload layer X (100MB) 369 - 20ms Check exists: NO Check exists: NO 370 - 30ms Quota impact: 100MB Quota impact: 100MB 371 - 40ms Update quota A: +100MB Update quota B: +100MB 372 - 50ms Generate presigned URL Generate presigned URL 373 - 100ms Upload to S3 completes Upload to S3 (overwrites A's) 188 + ```go 189 + type QuotaInfo struct { 190 + Used int64 `json:"used"` // Current usage (deduplicated) 191 + Limit int64 `json:"limit"` // User's quota limit 192 + Available int64 `json:"available"` // Remaining space 193 + } 374 194 ``` 375 195 376 - **Result:** Both users charged 100MB, but only 100MB stored in S3. 196 + ## Push Flow 377 197 378 - **Mitigation strategies:** 379 - 380 - 1. **Accept eventual consistency** (recommended for S3-based) 381 - - Run periodic reconciliation to fix discrepancies 382 - - Small inconsistency window (minutes) is acceptable 383 - - Reconciliation uses PDS as source of truth 384 - 385 - 2. **Optimistic locking** (S3 ETags) 386 - ```go 387 - // Use S3 ETags for conditional writes 388 - oldETag := getQuotaFileETag(did) 389 - err := putQuotaFileWithCondition(quota, oldETag) 390 - if err == PreconditionFailed { 391 - // Retry with fresh read 392 - } 393 - ``` 394 - 395 - 3. **Database transactions** (SQLite-based) 396 - ```sql 397 - BEGIN TRANSACTION; 398 - SELECT * FROM user_quotas WHERE did = ? FOR UPDATE; 399 - UPDATE user_quotas SET used = used + ? WHERE did = ?; 400 - COMMIT; 401 - ``` 402 - 403 - ## Delete Flow 404 - 405 - ### Manifest Deletion via AppView UI 406 - 407 - When a user deletes a manifest through the AppView web interface: 198 + ### Step-by-Step: User Pushes Image 408 199 409 200 ``` 410 201 ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ 411 - │ User │ │ AppView │ │ Hold │ │ PDS │ 412 - │ UI │ │ Database │ │ Service │ │ │ 202 + │ Client │ │ AppView │ │ Hold │ │ User PDS │ 203 + │ (Docker) │ │ │ │ Service │ │ │ 413 204 └──────────┘ └──────────┘ └──────────┘ └──────────┘ 414 205 │ │ │ │ 415 - │ DELETE manifest │ │ │ 206 + │ 1. Upload blobs │ │ │ 416 207 ├─────────────────────>│ │ │ 208 + │ │ 2. Route to hold │ │ 209 + │ ├─────────────────────>│ │ 210 + │ │ │ 3. Store in S3 │ 417 211 │ │ │ │ 418 - │ │ 1. Get manifest │ │ 419 - │ │ and layers │ │ 212 + │ 4. PUT manifest │ │ │ 213 + ├─────────────────────>│ │ │ 420 214 │ │ │ │ 421 - │ │ 2. Check which │ │ 422 - │ │ layers still │ │ 423 - │ │ referenced by │ │ 424 - │ │ user's other │ │ 425 - │ │ manifests │ │ 215 + │ │ 5. Calculate quota │ │ 216 + │ │ impact for new │ │ 217 + │ │ layers │ │ 218 + │ │ │ │ 219 + │ │ 6. Check quota limit │ │ 220 + │ ├─────────────────────>│ │ 221 + │ │<─────────────────────┤ │ 426 222 │ │ │ │ 427 - │ │ 3. DELETE manifest │ │ 428 - │ │ from PDS │ │ 223 + │ │ 7. Store manifest │ │ 429 224 │ ├──────────────────────┼─────────────────────>│ 430 225 │ │ │ │ 431 - │ │ 4. POST /quota/decrement │ 226 + │ │ 8. Create layer │ │ 227 + │ │ records │ │ 432 228 │ ├─────────────────────>│ │ 433 - │ │ {layers: [...]} │ │ 434 - │ │ │ │ 435 - │ │ │ 5. Update quota │ 436 - │ │ │ Remove unclaimed │ 437 - │ │ │ layers │ 438 - │ │ │ │ 439 - │ │ 6. 200 OK │ │ 440 - │ │<─────────────────────┤ │ 441 - │ │ │ │ 442 - │ │ 7. Delete from DB │ │ 229 + │ │ │ 9. Write to │ 230 + │ │ │ hold's PDS │ 443 231 │ │ │ │ 444 - │ 8. Success │ │ │ 232 + │ 10. 201 Created │ │ │ 445 233 │<─────────────────────┤ │ │ 446 - │ │ │ │ 447 234 ``` 448 235 449 - ### AppView Implementation 236 + ### Implementation 450 237 451 238 ```go 452 - // pkg/appview/handlers/manifest.go 239 + // pkg/appview/storage/routing_repository.go 453 240 454 - func (h *ManifestHandler) DeleteManifest(w http.ResponseWriter, r *http.Request) { 455 - did := r.Context().Value("auth.did").(string) 456 - repository := chi.URLParam(r, "repository") 457 - digest := chi.URLParam(r, "digest") 241 + func (r *RoutingRepository) PutManifest(ctx context.Context, manifest distribution.Manifest) error { 242 + // Parse manifest to get layers 243 + layers := extractLayers(manifest) 458 244 459 - // Step 1: Get manifest and its layers from database 460 - manifest, err := db.GetManifest(h.db, digest) 245 + // Get user's current unique layers from hold 246 + existingLayers, err := r.holdClient.GetUserLayers(ctx, r.userDID) 461 247 if err != nil { 462 - http.Error(w, "manifest not found", 404) 463 - return 248 + return err 464 249 } 250 + existingSet := makeDigestSet(existingLayers) 465 251 466 - layers, err := db.GetLayersForManifest(h.db, manifest.ID) 467 - if err != nil { 468 - http.Error(w, "failed to get layers", 500) 469 - return 470 - } 471 - 472 - // Step 2: For each layer, check if user still references it 473 - // in other manifests 474 - layersToDecrement := []LayerInfo{} 475 - 252 + // Calculate quota impact (only new unique layers) 253 + var quotaImpact int64 476 254 for _, layer := range layers { 477 - // Query: does this user have other manifests using this layer? 478 - stillReferenced, err := db.CheckLayerReferencedByUser( 479 - h.db, did, repository, layer.Digest, manifest.ID, 480 - ) 481 - 482 - if err != nil { 483 - http.Error(w, "failed to check layer references", 500) 484 - return 255 + if !existingSet[layer.Digest] { 256 + quotaImpact += layer.Size 485 257 } 258 + } 486 259 487 - if !stillReferenced { 488 - // This layer is no longer used by user 489 - layersToDecrement = append(layersToDecrement, LayerInfo{ 490 - Digest: layer.Digest, 491 - Size: layer.Size, 492 - }) 493 - } 260 + // Check quota 261 + ok, current, err := r.quotaManager.CheckQuota(ctx, r.userDID, quotaImpact, r.quotaLimit) 262 + if err != nil { 263 + return err 264 + } 265 + if !ok { 266 + return fmt.Errorf("quota exceeded: used=%d, impact=%d, limit=%d", 267 + current, quotaImpact, r.quotaLimit) 494 268 } 495 269 496 - // Step 3: Delete manifest from user's PDS 497 - atprotoClient := atproto.NewClient(manifest.PDSEndpoint, did, accessToken) 498 - err = atprotoClient.DeleteRecord(ctx, atproto.ManifestCollection, manifestRKey) 270 + // Store manifest in user's PDS 271 + manifestURI, err := r.atprotoClient.PutManifest(ctx, manifest) 499 272 if err != nil { 500 - http.Error(w, "failed to delete from PDS", 500) 501 - return 273 + return err 502 274 } 503 275 504 - // Step 4: Notify hold service to decrement quota 505 - if len(layersToDecrement) > 0 { 506 - holdClient := &http.Client{} 507 - 508 - decrementReq := QuotaDecrementRequest{ 509 - DID: did, 510 - Layers: layersToDecrement, 276 + // Create layer records in hold's PDS 277 + for _, layer := range layers { 278 + record := LayerRecord{ 279 + Type: "io.atcr.hold.layer", 280 + Digest: layer.Digest, 281 + Size: layer.Size, 282 + MediaType: layer.MediaType, 283 + Manifest: manifestURI, 284 + UserDID: r.userDID, 285 + CreatedAt: time.Now().Format(time.RFC3339), 511 286 } 512 - 513 - body, _ := json.Marshal(decrementReq) 514 - resp, err := holdClient.Post( 515 - manifest.HoldEndpoint + "/quota/decrement", 516 - "application/json", 517 - bytes.NewReader(body), 518 - ) 519 - 520 - if err != nil || resp.StatusCode != 200 { 521 - log.Printf("Warning: failed to update quota on hold service: %v", err) 522 - // Continue anyway - GC reconciliation will fix it 287 + if err := r.holdClient.CreateLayerRecord(ctx, record); err != nil { 288 + log.Printf("Warning: failed to create layer record: %v", err) 289 + // Continue - reconciliation will fix 523 290 } 524 291 } 525 292 526 - // Step 5: Delete from AppView database 527 - err = db.DeleteManifest(h.db, did, repository, digest) 528 - if err != nil { 529 - http.Error(w, "failed to delete from database", 500) 530 - return 531 - } 532 - 533 - w.WriteHeader(http.StatusNoContent) 293 + return nil 534 294 } 535 295 ``` 536 296 537 - ### Hold Service Decrement Endpoint 538 - 539 - ```go 540 - // cmd/hold/main.go 541 - 542 - type QuotaDecrementRequest struct { 543 - DID string `json:"did"` 544 - Layers []LayerInfo `json:"layers"` 545 - } 297 + ### Quota Check Timing 546 298 547 - type LayerInfo struct { 548 - Digest string `json:"digest"` 549 - Size int64 `json:"size"` 550 - } 299 + Quota is checked when the **manifest is pushed** (after blobs are uploaded): 300 + - Blobs upload first via presigned URLs 301 + - Manifest pushed last triggers quota check 302 + - If quota exceeded, manifest is rejected (orphaned blobs cleaned by GC) 551 303 552 - func (s *HoldService) HandleQuotaDecrement(w http.ResponseWriter, r *http.Request) { 553 - var req QuotaDecrementRequest 554 - if err := json.NewDecoder(r.Body).Decode(&req); err != nil { 555 - http.Error(w, "invalid request", 400) 556 - return 557 - } 304 + This matches Harbor's approach and is the industry standard. 558 305 559 - // Read current quota 560 - quota, err := s.quotaManager.GetQuota(req.DID) 561 - if err != nil { 562 - http.Error(w, "quota not found", 404) 563 - return 564 - } 306 + ## Delete Flow 565 307 566 - // Decrement quota for each layer 567 - for _, layer := range req.Layers { 568 - if size, claimed := quota.ClaimedLayers[layer.Digest]; claimed { 569 - // Remove from claimed layers 570 - delete(quota.ClaimedLayers, layer.Digest) 571 - quota.Used -= size 308 + ### Manifest Deletion 572 309 573 - log.Printf("Decremented quota for %s: layer %s (%d bytes)", 574 - req.DID, layer.Digest, size) 575 - } else { 576 - log.Printf("Warning: layer %s not in claimed_layers for %s", 577 - layer.Digest, req.DID) 578 - } 579 - } 310 + When a user deletes a manifest: 580 311 581 - // Ensure quota.Used doesn't go negative (defensive) 582 - if quota.Used < 0 { 583 - log.Printf("Warning: quota.Used went negative for %s, resetting to 0", req.DID) 584 - quota.Used = 0 585 - } 586 - 587 - // Save updated quota 588 - quota.LastUpdated = time.Now() 589 - if err := s.quotaManager.SaveQuota(quota); err != nil { 590 - http.Error(w, "failed to save quota", 500) 591 - return 592 - } 593 - 594 - // Return updated quota info 595 - json.NewEncoder(w).Encode(map[string]any{ 596 - "used": quota.Used, 597 - "limit": quota.Limit, 598 - }) 599 - } 600 312 ``` 601 - 602 - ### SQL Query: Check Layer References 603 - 604 - ```sql 605 - -- pkg/appview/db/queries.go 606 - 607 - -- Check if user still references this layer in other manifests 608 - SELECT COUNT(*) 609 - FROM layers l 610 - JOIN manifests m ON l.manifest_id = m.id 611 - WHERE m.did = ? -- User's DID 612 - AND l.digest = ? -- Layer digest 613 - AND m.id != ? -- Exclude the manifest being deleted 313 + ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ 314 + │ User │ │ AppView │ │ Hold │ │ User PDS │ 315 + │ UI │ │ │ │ Service │ │ │ 316 + └──────────┘ └──────────┘ └──────────┘ └──────────┘ 317 + │ │ │ │ 318 + │ DELETE manifest │ │ │ 319 + ├─────────────────────>│ │ │ 320 + │ │ │ │ 321 + │ │ 1. Delete manifest │ │ 322 + │ │ from user's PDS │ │ 323 + │ ├──────────────────────┼─────────────────────>│ 324 + │ │ │ │ 325 + │ │ 2. Delete layer │ │ 326 + │ │ records for this │ │ 327 + │ │ manifest │ │ 328 + │ ├─────────────────────>│ │ 329 + │ │ │ 3. Remove records │ 330 + │ │ │ where manifest │ 331 + │ │ │ == deleted URI │ 332 + │ │ │ │ 333 + │ 4. 204 No Content │ │ │ 334 + │<─────────────────────┤ │ │ 614 335 ``` 615 336 616 - ## Garbage Collection 617 - 618 - ### Background: Orphaned Blobs 619 - 620 - Orphaned blobs accumulate when: 621 - 1. Manifest push fails after blobs uploaded (presigned URLs bypass hold) 622 - 2. Quota exceeded - manifest rejected, blobs already in S3 623 - 3. User deletes manifest - blobs no longer referenced 624 - 625 - **GC periodically cleans these up.** 626 - 627 - ### GC Cron Implementation 628 - 629 - Similar to AppView's backfill worker, the hold service can run periodic GC: 337 + ### Implementation 630 338 631 339 ```go 632 - // cmd/hold/gc/gc.go 340 + // pkg/appview/handlers/manifest.go 633 341 634 - type GarbageCollector struct { 635 - driver storagedriver.StorageDriver 636 - appviewURL string 637 - holdURL string 638 - quotaManager *quota.Manager 639 - } 342 + func (h *ManifestHandler) DeleteManifest(w http.ResponseWriter, r *http.Request) { 343 + userDID := auth.GetDID(r.Context()) 344 + repository := chi.URLParam(r, "repository") 345 + digest := chi.URLParam(r, "digest") 640 346 641 - // Run garbage collection 642 - func (gc *GarbageCollector) Run(ctx context.Context) error { 643 - log.Println("Starting garbage collection...") 347 + // Get manifest URI before deletion 348 + manifestURI := fmt.Sprintf("at://%s/%s/%s", userDID, ManifestCollection, digest) 644 349 645 - // Step 1: Get list of referenced blobs from AppView 646 - referenced, err := gc.getReferencedBlobs() 647 - if err != nil { 648 - return fmt.Errorf("failed to get referenced blobs: %w", err) 350 + // Delete manifest from user's PDS 351 + if err := h.atprotoClient.DeleteRecord(ctx, ManifestCollection, digest); err != nil { 352 + http.Error(w, "failed to delete manifest", 500) 353 + return 649 354 } 650 355 651 - referencedSet := make(map[string]bool) 652 - for _, digest := range referenced { 653 - referencedSet[digest] = true 356 + // Delete associated layer records from hold's PDS 357 + if err := h.holdClient.DeleteLayerRecords(ctx, manifestURI); err != nil { 358 + log.Printf("Warning: failed to delete layer records: %v", err) 359 + // Continue - reconciliation will clean up 654 360 } 655 361 656 - log.Printf("AppView reports %d referenced blobs", len(referenced)) 657 - 658 - // Step 2: Walk S3 blobs 659 - deletedCount := 0 660 - reclaimedBytes := int64(0) 661 - 662 - err = gc.driver.Walk(ctx, "/docker/registry/v2/blobs", func(fileInfo storagedriver.FileInfo) error { 663 - if fileInfo.IsDir() { 664 - return nil // Skip directories 665 - } 666 - 667 - // Extract digest from path 668 - // Path: /docker/registry/v2/blobs/sha256/ab/abc123.../data 669 - digest := extractDigestFromPath(fileInfo.Path()) 670 - 671 - if !referencedSet[digest] { 672 - // Unreferenced blob - delete it 673 - size := fileInfo.Size() 674 - 675 - if err := gc.driver.Delete(ctx, fileInfo.Path()); err != nil { 676 - log.Printf("Failed to delete blob %s: %v", digest, err) 677 - return nil // Continue anyway 678 - } 679 - 680 - deletedCount++ 681 - reclaimedBytes += size 682 - 683 - log.Printf("GC: Deleted unreferenced blob %s (%d bytes)", digest, size) 684 - } 685 - 686 - return nil 687 - }) 688 - 689 - if err != nil { 690 - return fmt.Errorf("failed to walk blobs: %w", err) 691 - } 692 - 693 - log.Printf("GC complete: deleted %d blobs, reclaimed %d bytes", 694 - deletedCount, reclaimedBytes) 695 - 696 - return nil 697 - } 698 - 699 - // Get referenced blobs from AppView 700 - func (gc *GarbageCollector) getReferencedBlobs() ([]string, error) { 701 - // Query AppView for all blobs referenced by manifests 702 - // stored in THIS hold service 703 - url := fmt.Sprintf("%s/internal/blobs/referenced?hold=%s", 704 - gc.appviewURL, url.QueryEscape(gc.holdURL)) 705 - 706 - resp, err := http.Get(url) 707 - if err != nil { 708 - return nil, err 709 - } 710 - defer resp.Body.Close() 711 - 712 - var result struct { 713 - Blobs []string `json:"blobs"` 714 - } 715 - 716 - if err := json.NewDecoder(resp.Body).Decode(&result); err != nil { 717 - return nil, err 718 - } 719 - 720 - return result.Blobs, nil 362 + w.WriteHeader(http.StatusNoContent) 721 363 } 722 364 ``` 723 365 724 - ### AppView Internal API 366 + ### Hold Service: Delete Layer Records 725 367 726 368 ```go 727 - // pkg/appview/handlers/internal.go 369 + // pkg/hold/pds/xrpc.go 728 370 729 - // Get all referenced blobs for a specific hold 730 - func (h *InternalHandler) GetReferencedBlobs(w http.ResponseWriter, r *http.Request) { 731 - holdEndpoint := r.URL.Query().Get("hold") 732 - if holdEndpoint == "" { 733 - http.Error(w, "missing hold parameter", 400) 734 - return 735 - } 736 - 737 - // Query database for all layers in manifests stored in this hold 738 - query := ` 739 - SELECT DISTINCT l.digest 740 - FROM layers l 741 - JOIN manifests m ON l.manifest_id = m.id 742 - WHERE m.hold_endpoint = ? 743 - ` 744 - 745 - rows, err := h.db.Query(query, holdEndpoint) 371 + func (s *Server) DeleteLayerRecords(ctx context.Context, manifestURI string) error { 372 + // List all layer records 373 + records, err := s.ListRecords(ctx, LayerCollection, "") 746 374 if err != nil { 747 - http.Error(w, "database error", 500) 748 - return 375 + return err 749 376 } 750 - defer rows.Close() 751 377 752 - blobs := []string{} 753 - for rows.Next() { 754 - var digest string 755 - if err := rows.Scan(&digest); err != nil { 378 + // Delete records matching this manifest 379 + for _, record := range records { 380 + var layer LayerRecord 381 + if err := json.Unmarshal(record.Value, &layer); err != nil { 756 382 continue 757 383 } 758 - blobs = append(blobs, digest) 759 - } 760 - 761 - json.NewEncoder(w).Encode(map[string]any{ 762 - "blobs": blobs, 763 - "count": len(blobs), 764 - "hold": holdEndpoint, 765 - }) 766 - } 767 - ``` 768 - 769 - ### GC Cron Schedule 770 - 771 - ```go 772 - // cmd/hold/main.go 773 - 774 - func main() { 775 - // ... service setup ... 776 - 777 - // Start GC cron if enabled 778 - if os.Getenv("GC_ENABLED") == "true" { 779 - gcInterval := 24 * time.Hour // Daily by default 780 - 781 - go func() { 782 - ticker := time.NewTicker(gcInterval) 783 - defer ticker.Stop() 784 - 785 - for range ticker.C { 786 - if err := garbageCollector.Run(context.Background()); err != nil { 787 - log.Printf("GC error: %v", err) 788 - } 384 + if layer.Manifest == manifestURI { 385 + if err := s.DeleteRecord(ctx, LayerCollection, record.RKey); err != nil { 386 + log.Printf("Failed to delete layer record %s: %v", record.RKey, err) 789 387 } 790 - }() 791 - 792 - log.Printf("GC cron started: runs every %v", gcInterval) 388 + } 793 389 } 794 390 795 - // Start server... 391 + return nil 796 392 } 797 393 ``` 798 394 799 - ## Quota Reconciliation 395 + ### Quota After Deletion 800 396 801 - ### PDS as Source of Truth 397 + After deleting a manifest: 398 + - Layer records for that manifest are removed 399 + - Quota recalculated with `SELECT DISTINCT` query 400 + - If layer was only in deleted manifest → quota decreases 401 + - If layer exists in other manifests → quota unchanged (still deduplicated) 802 402 803 - **Key insight:** Manifest records in PDS are publicly readable (no OAuth needed for reads). 403 + ## Garbage Collection 804 404 805 - Each manifest contains: 806 - - Repository name 807 - - Digest 808 - - Layers array with digest + size 809 - - Hold endpoint 405 + ### Orphaned Blobs 810 406 811 - The hold service can query the PDS to calculate the user's true quota: 407 + Orphaned blobs accumulate when: 408 + 1. Manifest push fails after blobs uploaded 409 + 2. Quota exceeded - manifest rejected 410 + 3. User deletes manifest - blobs may no longer be referenced 812 411 813 - ``` 814 - 1. List all io.atcr.manifest records for user 815 - 2. Filter manifests where holdEndpoint == this hold service 816 - 3. Extract unique layers (deduplicate by digest) 817 - 4. Sum layer sizes = true quota usage 818 - 5. Compare to quota file 819 - 6. Fix discrepancies 820 - ``` 821 - 822 - ### Implementation 412 + ### GC Process 823 413 824 414 ```go 825 - // cmd/hold/quota/reconcile.go 415 + // pkg/hold/gc/gc.go 826 416 827 - type Reconciler struct { 828 - quotaManager *Manager 829 - atprotoResolver *atproto.Resolver 830 - holdURL string 831 - } 832 - 833 - // ReconcileUser recalculates quota from PDS manifests 834 - func (r *Reconciler) ReconcileUser(ctx context.Context, did string) error { 835 - log.Printf("Reconciling quota for %s", did) 836 - 837 - // Step 1: Resolve user's PDS endpoint 838 - identity, err := r.atprotoResolver.ResolveIdentity(ctx, did) 417 + func (gc *GarbageCollector) Run(ctx context.Context) error { 418 + // Step 1: Get all referenced digests from layer records 419 + records, err := gc.pds.ListRecords(ctx, LayerCollection, "") 839 420 if err != nil { 840 - return fmt.Errorf("failed to resolve DID: %w", err) 421 + return err 841 422 } 842 423 843 - // Step 2: Create unauthenticated ATProto client 844 - // (manifest records are public - no OAuth needed) 845 - client := atproto.NewClient(identity.PDSEndpoint, did, "") 846 - 847 - // Step 3: List all manifest records for this user 848 - manifests, err := client.ListRecords(ctx, atproto.ManifestCollection, 1000) 849 - if err != nil { 850 - return fmt.Errorf("failed to list manifests: %w", err) 851 - } 852 - 853 - // Step 4: Filter manifests stored in THIS hold service 854 - // and extract unique layers 855 - uniqueLayers := make(map[string]int64) // digest -> size 856 - 857 - for _, record := range manifests { 858 - var manifest atproto.ManifestRecord 859 - if err := json.Unmarshal(record.Value, &manifest); err != nil { 860 - log.Printf("Warning: failed to parse manifest: %v", err) 861 - continue 862 - } 863 - 864 - // Only count manifests stored in this hold 865 - if manifest.HoldEndpoint != r.holdURL { 424 + referenced := make(map[string]bool) 425 + for _, record := range records { 426 + var layer LayerRecord 427 + if err := json.Unmarshal(record.Value, &layer); err != nil { 866 428 continue 867 429 } 868 - 869 - // Add config blob 870 - if manifest.Config.Digest != "" { 871 - uniqueLayers[manifest.Config.Digest] = manifest.Config.Size 872 - } 873 - 874 - // Add layer blobs 875 - for _, layer := range manifest.Layers { 876 - uniqueLayers[layer.Digest] = layer.Size 877 - } 430 + referenced[layer.Digest] = true 878 431 } 879 432 880 - // Step 5: Calculate true quota usage 881 - trueUsage := int64(0) 882 - for _, size := range uniqueLayers { 883 - trueUsage += size 884 - } 885 - 886 - log.Printf("User %s true usage from PDS: %d bytes (%d unique layers)", 887 - did, trueUsage, len(uniqueLayers)) 433 + log.Printf("Found %d referenced blobs", len(referenced)) 888 434 889 - // Step 6: Compare with current quota file 890 - quota, err := r.quotaManager.GetQuota(did) 891 - if err != nil { 892 - log.Printf("No existing quota for %s, creating new", did) 893 - quota = &Quota{ 894 - DID: did, 895 - Limit: r.quotaManager.DefaultLimit, 896 - ClaimedLayers: make(map[string]int64), 435 + // Step 2: Walk S3 blobs and delete unreferenced 436 + var deleted, reclaimed int64 437 + err = gc.driver.Walk(ctx, "/docker/registry/v2/blobs", func(fi storagedriver.FileInfo) error { 438 + if fi.IsDir() { 439 + return nil 897 440 } 898 - } 899 441 900 - // Step 7: Fix discrepancies 901 - if quota.Used != trueUsage || len(quota.ClaimedLayers) != len(uniqueLayers) { 902 - log.Printf("Quota mismatch for %s: recorded=%d, actual=%d (diff=%d)", 903 - did, quota.Used, trueUsage, trueUsage - quota.Used) 904 - 905 - // Update quota to match PDS truth 906 - quota.Used = trueUsage 907 - quota.ClaimedLayers = uniqueLayers 908 - quota.LastUpdated = time.Now() 909 - 910 - if err := r.quotaManager.SaveQuota(quota); err != nil { 911 - return fmt.Errorf("failed to save reconciled quota: %w", err) 912 - } 913 - 914 - log.Printf("Reconciled quota for %s: %d bytes", did, trueUsage) 915 - } else { 916 - log.Printf("Quota for %s is accurate", did) 917 - } 918 - 919 - return nil 920 - } 921 - 922 - // ReconcileAll reconciles all users (run periodically) 923 - func (r *Reconciler) ReconcileAll(ctx context.Context) error { 924 - // Get list of all users with quota files 925 - users, err := r.quotaManager.ListUsers() 926 - if err != nil { 927 - return err 928 - } 929 - 930 - log.Printf("Starting reconciliation for %d users", len(users)) 931 - 932 - for _, did := range users { 933 - if err := r.ReconcileUser(ctx, did); err != nil { 934 - log.Printf("Failed to reconcile %s: %v", did, err) 935 - // Continue with other users 442 + digest := extractDigestFromPath(fi.Path()) 443 + if !referenced[digest] { 444 + size := fi.Size() 445 + if err := gc.driver.Delete(ctx, fi.Path()); err != nil { 446 + log.Printf("Failed to delete %s: %v", digest, err) 447 + return nil 448 + } 449 + deleted++ 450 + reclaimed += size 451 + log.Printf("GC: deleted %s (%d bytes)", digest, size) 936 452 } 937 - } 453 + return nil 454 + }) 938 455 939 - log.Println("Reconciliation complete") 940 - return nil 456 + log.Printf("GC complete: deleted %d blobs, reclaimed %d bytes", deleted, reclaimed) 457 + return err 941 458 } 942 459 ``` 943 460 944 - ### Reconciliation Cron 945 - 946 - ```go 947 - // cmd/hold/main.go 948 - 949 - func main() { 950 - // ... setup ... 951 - 952 - // Start reconciliation cron 953 - if os.Getenv("QUOTA_RECONCILE_ENABLED") == "true" { 954 - reconcileInterval := 24 * time.Hour // Daily 955 - 956 - go func() { 957 - ticker := time.NewTicker(reconcileInterval) 958 - defer ticker.Stop() 959 - 960 - for range ticker.C { 961 - if err := reconciler.ReconcileAll(context.Background()); err != nil { 962 - log.Printf("Reconciliation error: %v", err) 963 - } 964 - } 965 - }() 461 + ### GC Schedule 966 462 967 - log.Printf("Quota reconciliation cron started: runs every %v", reconcileInterval) 968 - } 969 - 970 - // ... start server ... 971 - } 463 + ```bash 464 + # Environment variable 465 + GC_ENABLED=true 466 + GC_INTERVAL=24h # Daily by default 972 467 ``` 973 468 974 - ### Why PDS as Source of Truth Works 975 - 976 - 1. **Manifests are canonical** - If manifest exists in PDS, user owns those layers 977 - 2. **Public reads** - No OAuth needed, just resolve DID → PDS endpoint 978 - 3. **ATProto durability** - PDS is user's authoritative data store 979 - 4. **AppView is cache** - AppView database might lag or have inconsistencies 980 - 5. **Reconciliation fixes drift** - Periodic sync from PDS ensures accuracy 981 - 982 - **Example reconciliation scenarios:** 983 - 984 - - **Orphaned quota entries:** User deleted manifest from PDS, but hold quota still has it 985 - → Reconciliation removes from claimed_layers 986 - 987 - - **Missing quota entries:** User pushed manifest, but quota update failed 988 - → Reconciliation adds to claimed_layers 989 - 990 - - **Race condition duplicates:** Two concurrent pushes double-counted a layer 991 - → Reconciliation fixes to actual usage 992 - 993 469 ## Configuration 994 470 995 471 ### Hold Service Environment Variables ··· 997 473 ```bash 998 474 # .env.hold 999 475 1000 - # ============================================================================ 1001 476 # Quota Configuration 1002 - # ============================================================================ 1003 - 1004 - # Enable quota enforcement 1005 477 QUOTA_ENABLED=true 1006 - 1007 - # Default quota limit per user (bytes) 1008 - # 10GB = 10737418240 1009 - # 50GB = 53687091200 1010 - # 100GB = 107374182400 1011 - QUOTA_DEFAULT_LIMIT=10737418240 1012 - 1013 - # Storage backend for quota data 1014 - # Options: s3, sqlite 1015 - QUOTA_STORAGE_BACKEND=s3 1016 - 1017 - # For S3-based storage: 1018 - # Quota files stored in same bucket as blobs 1019 - QUOTA_STORAGE_PREFIX=/atcr/quota/ 478 + QUOTA_DEFAULT_LIMIT=10737418240 # 10GB in bytes 1020 479 1021 - # For SQLite-based storage: 1022 - QUOTA_DB_PATH=/var/lib/atcr/hold-quota.db 1023 - 1024 - # ============================================================================ 1025 480 # Garbage Collection 1026 - # ============================================================================ 1027 - 1028 - # Enable periodic garbage collection 1029 481 GC_ENABLED=true 1030 - 1031 - # GC interval (default: 24h) 1032 482 GC_INTERVAL=24h 1033 - 1034 - # AppView URL for GC reference checking 1035 - APPVIEW_URL=https://atcr.io 1036 - 1037 - # ============================================================================ 1038 - # Quota Reconciliation 1039 - # ============================================================================ 1040 - 1041 - # Enable quota reconciliation from PDS 1042 - QUOTA_RECONCILE_ENABLED=true 1043 - 1044 - # Reconciliation interval (default: 24h) 1045 - QUOTA_RECONCILE_INTERVAL=24h 1046 - 1047 - # ============================================================================ 1048 - # Hold Service Identity (Required) 1049 - # ============================================================================ 1050 - 1051 - # Public URL of this hold service 1052 - HOLD_PUBLIC_URL=https://hold1.example.com 1053 - 1054 - # Owner DID (for auto-registration) 1055 - HOLD_OWNER=did:plc:xyz123 1056 483 ``` 1057 484 1058 - ### AppView Configuration 485 + ### Quota Limits by Bytes 1059 486 1060 - ```bash 1061 - # .env.appview 1062 - 1063 - # Internal API endpoint for hold services 1064 - # Used for GC reference checking 1065 - ATCR_INTERNAL_API_ENABLED=true 1066 - 1067 - # Optional: authentication token for internal APIs 1068 - ATCR_INTERNAL_API_TOKEN=secret123 1069 - ``` 1070 - 1071 - ## Trade-offs & Design Decisions 1072 - 1073 - ### 1. Claimed Storage vs Physical Storage 1074 - 1075 - **Decision:** Track claimed storage (logical accounting) 1076 - 1077 - **Why:** 1078 - - Predictable for users: "you pay for what you upload" 1079 - - No complex cross-user dependencies 1080 - - Delete always gives you quota back 1081 - - Matches Harbor's proven model 1082 - 1083 - **Trade-off:** 1084 - - Total claimed can exceed physical storage 1085 - - Users might complain "I uploaded 10GB but S3 only has 6GB" 1086 - 1087 - **Mitigation:** 1088 - - Show deduplication savings metric 1089 - - Educate users: "You claimed 10GB, but deduplication saved 4GB" 1090 - 1091 - ### 2. S3 vs SQLite for Quota Storage 1092 - 1093 - **Decision:** Support both, recommend based on use case 1094 - 1095 - **S3 Pros:** 1096 - - No database to manage 1097 - - Quota data lives with blobs 1098 - - Better for ephemeral BYOS 1099 - 1100 - **SQLite Pros:** 1101 - - Faster (no network) 1102 - - ACID transactions (no race conditions) 1103 - - Better for high-traffic shared holds 1104 - 1105 - **Trade-off:** 1106 - - S3: eventual consistency, race conditions 1107 - - SQLite: stateful service, scaling challenges 1108 - 1109 - **Mitigation:** 1110 - - Reconciliation fixes S3 inconsistencies 1111 - - SQLite can use shared DB for multi-instance 1112 - 1113 - ### 3. Optimistic Quota Update 1114 - 1115 - **Decision:** Update quota BEFORE upload completes 1116 - 1117 - **Why:** 1118 - - Prevent race conditions (two users uploading simultaneously) 1119 - - Can reject before presigned URL generated 1120 - - Simpler flow 1121 - 1122 - **Trade-off:** 1123 - - If upload fails, quota already incremented (user "paid" for nothing) 1124 - 1125 - **Mitigation:** 1126 - - Reconciliation from PDS fixes orphaned quota entries 1127 - - Acceptable for MVP (upload failures are rare) 1128 - 1129 - ### 4. AppView as Intermediary 1130 - 1131 - **Decision:** AppView notifies hold service on deletes 1132 - 1133 - **Why:** 1134 - - AppView already has manifest/layer database 1135 - - Can efficiently check if layer still referenced 1136 - - Hold service doesn't need to query PDS on every delete 1137 - 1138 - **Trade-off:** 1139 - - AppView → Hold dependency 1140 - - Network hop on delete 1141 - 1142 - **Mitigation:** 1143 - - If notification fails, reconciliation fixes quota 1144 - - Eventually consistent is acceptable 1145 - 1146 - ### 5. PDS as Source of Truth 1147 - 1148 - **Decision:** Use PDS manifests for reconciliation 1149 - 1150 - **Why:** 1151 - - Manifests in PDS are canonical user data 1152 - - Public reads (no OAuth for reconciliation) 1153 - - AppView database might lag or be inconsistent 1154 - 1155 - **Trade-off:** 1156 - - Reconciliation requires PDS queries (slower) 1157 - - Limited to 1000 manifests per query 1158 - 1159 - **Mitigation:** 1160 - - Run reconciliation daily (not real-time) 1161 - - Paginate if user has >1000 manifests 487 + | Size | Bytes | 488 + |------|-------| 489 + | 1 GB | 1073741824 | 490 + | 5 GB | 5368709120 | 491 + | 10 GB | 10737418240 | 492 + | 50 GB | 53687091200 | 493 + | 100 GB | 107374182400 | 1162 494 1163 495 ## Future Enhancements 1164 496 1165 497 ### 1. Quota API Endpoints 1166 498 1167 499 ``` 1168 - GET /quota/usage - Get current user's quota 1169 - GET /quota/breakdown - Get storage by repository 1170 - POST /quota/limit - Update user's quota limit (admin) 1171 - GET /quota/stats - Get hold-wide statistics 500 + GET /xrpc/io.atcr.hold.getQuota?did={userDID} - Get user's quota usage 501 + GET /xrpc/io.atcr.hold.getQuotaBreakdown - Storage by repository 1172 502 ``` 1173 503 1174 504 ### 2. Quota Alerts 1175 505 1176 - Notify users when approaching limit: 1177 - - Email/webhook at 80%, 90%, 95% 1178 - - Reject uploads at 100% (currently implemented) 1179 - - Grace period: allow 105% temporarily 506 + - Warning thresholds at 80%, 90%, 95% 507 + - Email/webhook notifications 508 + - Grace period before hard enforcement 1180 509 1181 510 ### 3. Tiered Quotas 1182 511 1183 - Different limits based on user tier: 1184 - - Free: 10GB 1185 - - Pro: 100GB 1186 - - Enterprise: unlimited 1187 - 1188 - ### 4. Quota Purchasing 1189 - 1190 - Allow users to buy additional storage: 1191 - - Stripe integration 1192 - - $0.10/GB/month pricing 1193 - - Dynamic limit updates 1194 - 1195 - ### 5. Cross-Hold Deduplication 1196 - 1197 - If multiple holds share same S3 bucket: 1198 - - Track blob ownership globally 1199 - - Split costs proportionally 1200 - - More complex, but maximizes deduplication 1201 - 1202 - ### 6. Manifest-Based Quota (Alternative Model) 1203 - 1204 - Instead of tracking layers, track manifests: 1205 - - Simpler: just count manifest sizes 1206 - - No deduplication benefits for users 1207 - - Might be acceptable for some use cases 1208 - 1209 - ### 7. Redis-Based Quota (High Performance) 1210 - 1211 - For high-traffic registries: 1212 - - Use Redis instead of S3/SQLite 1213 - - Sub-millisecond quota checks 1214 - - Harbor-proven approach 1215 - 1216 - ### 8. Quota Visualizations 1217 - 1218 - Web UI showing: 1219 - - Storage usage over time 1220 - - Top consumers by repository 1221 - - Deduplication savings graph 1222 - - Layer size distribution 512 + | Tier | Limit | 513 + |------|-------| 514 + | Free | 10 GB | 515 + | Pro | 100 GB | 516 + | Enterprise | Unlimited | 1223 517 1224 - ## Appendix: SQL Queries 518 + ### 4. Rate Limiting 1225 519 1226 - ### Check if User Still References Layer 520 + Pull rate limits (Docker Hub style): 521 + - Anonymous: 100 pulls per 6 hours per IP 522 + - Authenticated: 200 pulls per 6 hours 523 + - Paid: Unlimited 1227 524 1228 - ```sql 1229 - -- After deleting manifest, check if user has other manifests using this layer 1230 - SELECT COUNT(*) 1231 - FROM layers l 1232 - JOIN manifests m ON l.manifest_id = m.id 1233 - WHERE m.did = ? -- User's DID 1234 - AND l.digest = ? -- Layer digest to check 1235 - AND m.id != ? -- Exclude the manifest being deleted 1236 - ``` 525 + ### 5. Quota Purchasing 1237 526 1238 - ### Get All Unique Layers for User 1239 - 1240 - ```sql 1241 - -- Calculate true quota usage for a user 1242 - SELECT DISTINCT l.digest, l.size 1243 - FROM layers l 1244 - JOIN manifests m ON l.manifest_id = m.id 1245 - WHERE m.did = ? 1246 - AND m.hold_endpoint = ? 1247 - ``` 1248 - 1249 - ### Get Referenced Blobs for Hold 1250 - 1251 - ```sql 1252 - -- For GC: get all blobs still referenced by any user of this hold 1253 - SELECT DISTINCT l.digest 1254 - FROM layers l 1255 - JOIN manifests m ON l.manifest_id = m.id 1256 - WHERE m.hold_endpoint = ? 1257 - ``` 1258 - 1259 - ### Get Storage Stats by Repository 1260 - 1261 - ```sql 1262 - -- User's storage broken down by repository 1263 - SELECT 1264 - m.repository, 1265 - COUNT(DISTINCT m.id) as manifest_count, 1266 - COUNT(DISTINCT l.digest) as unique_layers, 1267 - SUM(l.size) as total_size 1268 - FROM manifests m 1269 - JOIN layers l ON l.manifest_id = m.id 1270 - WHERE m.did = ? 1271 - AND m.hold_endpoint = ? 1272 - GROUP BY m.repository 1273 - ORDER BY total_size DESC 1274 - ``` 527 + - Stripe integration for additional storage 528 + - $0.10/GB/month pricing (industry standard) 1275 529 1276 530 ## References 1277 531 1278 532 - **Harbor Quotas:** https://goharbor.io/docs/1.10/administration/configure-project-quotas/ 1279 - - **Harbor Source:** https://github.com/goharbor/harbor 1280 533 - **ATProto Spec:** https://atproto.com/specs/record 1281 534 - **OCI Distribution Spec:** https://github.com/opencontainers/distribution-spec 1282 - - **S3 API Reference:** https://docs.aws.amazon.com/AmazonS3/latest/API/ 1283 - - **Distribution GC:** https://github.com/distribution/distribution/blob/main/registry/storage/garbagecollect.go 1284 535 1285 536 --- 1286 537 1287 - **Document Version:** 1.0 1288 - **Last Updated:** 2025-10-09 1289 - **Author:** Generated from implementation research and Harbor analysis 538 + **Document Version:** 2.0 539 + **Last Updated:** 2026-01-04 540 + **Model:** Per-user layer tracking with ATProto records
+4 -9
lexicons/io/atcr/hold/layer.json
··· 8 8 "description": "Represents metadata about a container layer stored in the hold. Stored in the hold's embedded PDS for tracking and analytics.", 9 9 "record": { 10 10 "type": "object", 11 - "required": ["digest", "size", "mediaType", "repository", "userDid", "userHandle", "createdAt"], 11 + "required": ["digest", "size", "mediaType", "manifest", "userDid", "createdAt"], 12 12 "properties": { 13 13 "digest": { 14 14 "type": "string", ··· 24 24 "description": "Media type (e.g., application/vnd.oci.image.layer.v1.tar+gzip)", 25 25 "maxLength": 128 26 26 }, 27 - "repository": { 27 + "manifest": { 28 28 "type": "string", 29 - "description": "Repository this layer belongs to", 30 - "maxLength": 255 29 + "format": "at-uri", 30 + "description": "AT-URI of the manifest that included this layer (e.g., at://did:plc:xyz/io.atcr.manifest/abc123)" 31 31 }, 32 32 "userDid": { 33 33 "type": "string", 34 34 "format": "did", 35 35 "description": "DID of user who uploaded this layer" 36 - }, 37 - "userHandle": { 38 - "type": "string", 39 - "format": "handle", 40 - "description": "Handle of user (for display purposes)" 41 36 }, 42 37 "createdAt": { 43 38 "type": "string",
+129
pkg/appview/handlers/storage.go
··· 1 + package handlers 2 + 3 + import ( 4 + "encoding/json" 5 + "fmt" 6 + "html/template" 7 + "log/slog" 8 + "net/http" 9 + 10 + "atcr.io/pkg/appview/middleware" 11 + "atcr.io/pkg/appview/storage" 12 + "atcr.io/pkg/atproto" 13 + "atcr.io/pkg/auth/oauth" 14 + ) 15 + 16 + // StorageHandler handles the storage quota API endpoint 17 + // Returns an HTML partial for HTMX to swap into the settings page 18 + type StorageHandler struct { 19 + Templates *template.Template 20 + Refresher *oauth.Refresher 21 + } 22 + 23 + // QuotaStats mirrors the hold service response 24 + type QuotaStats struct { 25 + UserDID string `json:"userDid"` 26 + UniqueBlobs int `json:"uniqueBlobs"` 27 + TotalSize int64 `json:"totalSize"` 28 + } 29 + 30 + func (h *StorageHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { 31 + user := middleware.GetUser(r) 32 + if user == nil { 33 + http.Error(w, "Unauthorized", http.StatusUnauthorized) 34 + return 35 + } 36 + 37 + // Create ATProto client with session provider 38 + client := atproto.NewClientWithSessionProvider(user.PDSEndpoint, user.DID, h.Refresher) 39 + 40 + // Get user's sailor profile to find their default hold 41 + profile, err := storage.GetProfile(r.Context(), client) 42 + if err != nil { 43 + slog.Warn("Failed to get profile for storage quota", "did", user.DID, "error", err) 44 + h.renderError(w, "Failed to load profile") 45 + return 46 + } 47 + 48 + if profile == nil || profile.DefaultHold == "" { 49 + // No default hold configured - can't check quota 50 + h.renderNoHold(w) 51 + return 52 + } 53 + 54 + // Resolve hold URL from DID 55 + holdURL := atproto.ResolveHoldURL(profile.DefaultHold) 56 + if holdURL == "" { 57 + slog.Warn("Failed to resolve hold URL", "did", user.DID, "holdDid", profile.DefaultHold) 58 + h.renderError(w, "Failed to resolve hold service") 59 + return 60 + } 61 + 62 + // Call the hold's quota endpoint 63 + quotaURL := fmt.Sprintf("%s%s?userDid=%s", holdURL, atproto.HoldGetQuota, user.DID) 64 + resp, err := http.Get(quotaURL) 65 + if err != nil { 66 + slog.Warn("Failed to fetch quota from hold", "did", user.DID, "holdURL", holdURL, "error", err) 67 + h.renderError(w, "Failed to connect to hold service") 68 + return 69 + } 70 + defer resp.Body.Close() 71 + 72 + if resp.StatusCode != http.StatusOK { 73 + slog.Warn("Hold returned error for quota", "did", user.DID, "status", resp.StatusCode) 74 + h.renderError(w, "Hold service returned an error") 75 + return 76 + } 77 + 78 + var stats QuotaStats 79 + if err := json.NewDecoder(resp.Body).Decode(&stats); err != nil { 80 + slog.Warn("Failed to decode quota response", "did", user.DID, "error", err) 81 + h.renderError(w, "Failed to parse quota data") 82 + return 83 + } 84 + 85 + // Render the stats partial 86 + h.renderStats(w, stats) 87 + } 88 + 89 + func (h *StorageHandler) renderStats(w http.ResponseWriter, stats QuotaStats) { 90 + data := struct { 91 + UniqueBlobs int 92 + TotalSize int64 93 + HumanSize string 94 + }{ 95 + UniqueBlobs: stats.UniqueBlobs, 96 + TotalSize: stats.TotalSize, 97 + HumanSize: humanizeBytes(stats.TotalSize), 98 + } 99 + 100 + w.Header().Set("Content-Type", "text/html") 101 + if err := h.Templates.ExecuteTemplate(w, "storage_stats", data); err != nil { 102 + slog.Error("Failed to render storage stats template", "error", err) 103 + http.Error(w, "Failed to render template", http.StatusInternalServerError) 104 + } 105 + } 106 + 107 + func (h *StorageHandler) renderError(w http.ResponseWriter, message string) { 108 + w.Header().Set("Content-Type", "text/html") 109 + fmt.Fprintf(w, `<div class="storage-error"><i data-lucide="alert-circle"></i> %s</div>`, message) 110 + } 111 + 112 + func (h *StorageHandler) renderNoHold(w http.ResponseWriter) { 113 + w.Header().Set("Content-Type", "text/html") 114 + fmt.Fprint(w, `<div class="storage-info"><i data-lucide="info"></i> No hold configured. Set a default hold above to see storage usage.</div>`) 115 + } 116 + 117 + // humanizeBytes converts bytes to human-readable format 118 + func humanizeBytes(bytes int64) string { 119 + const unit = 1024 120 + if bytes < unit { 121 + return fmt.Sprintf("%d B", bytes) 122 + } 123 + div, exp := int64(unit), 0 124 + for n := bytes / unit; n >= unit; n /= unit { 125 + div *= unit 126 + exp++ 127 + } 128 + return fmt.Sprintf("%.1f %cB", float64(bytes)/float64(div), "KMGTPE"[exp]) 129 + }
+5
pkg/appview/routes/routes.go
··· 174 174 RegistryURL: registryURL, 175 175 }).ServeHTTP) 176 176 177 + r.Get("/api/storage", (&uihandlers.StorageHandler{ 178 + Templates: deps.Templates, 179 + Refresher: deps.Refresher, 180 + }).ServeHTTP) 181 + 177 182 r.Post("/api/profile/default-hold", (&uihandlers.UpdateDefaultHoldHandler{ 178 183 Refresher: deps.Refresher, 179 184 }).ServeHTTP)
+5 -4
pkg/appview/storage/manifest_store.go
··· 325 325 serviceToken := s.ctx.ServiceToken 326 326 327 327 // Build notification request 328 + // Note: userHandle is resolved from userDid on the hold side (cached, 24-hour TTL) 328 329 notifyReq := map[string]any{ 329 - "repository": s.ctx.Repository, 330 - "userDid": s.ctx.DID, 331 - "userHandle": s.ctx.Handle, 332 - "operation": operation, 330 + "repository": s.ctx.Repository, 331 + "userDid": s.ctx.DID, 332 + "manifestDigest": manifestDigest, 333 + "operation": operation, 333 334 } 334 335 335 336 // For push operations, include full manifest data
+59
pkg/appview/templates/pages/settings.html
··· 29 29 </div> 30 30 </section> 31 31 32 + <!-- Storage Usage Section --> 33 + <section class="settings-section storage-section"> 34 + <h2>Storage Usage</h2> 35 + <p>Estimated storage usage on your default hold.</p> 36 + <div id="storage-stats" hx-get="/api/storage" hx-trigger="load" hx-swap="innerHTML"> 37 + <p><i data-lucide="loader-2" class="spin"></i> Loading...</p> 38 + </div> 39 + </section> 40 + 32 41 <!-- Default Hold Section --> 33 42 <section class="settings-section"> 34 43 <h2>Default Hold</h2> ··· 200 209 </script> 201 210 202 211 <style> 212 + /* Storage Section Styles */ 213 + .storage-section .storage-stats { 214 + background: var(--code-bg); 215 + padding: 1rem; 216 + border-radius: 4px; 217 + margin-top: 0.5rem; 218 + } 219 + .storage-section .stat-row { 220 + display: flex; 221 + justify-content: space-between; 222 + padding: 0.5rem 0; 223 + border-bottom: 1px solid var(--border); 224 + } 225 + .storage-section .stat-row:last-child { 226 + border-bottom: none; 227 + } 228 + .storage-section .stat-label { 229 + color: var(--fg-muted); 230 + } 231 + .storage-section .stat-value { 232 + font-weight: bold; 233 + font-family: monospace; 234 + } 235 + .storage-section .storage-error, 236 + .storage-section .storage-info { 237 + padding: 1rem; 238 + border-radius: 4px; 239 + margin-top: 0.5rem; 240 + display: flex; 241 + align-items: center; 242 + gap: 0.5rem; 243 + } 244 + .storage-section .storage-error { 245 + background: var(--error-bg, #fef2f2); 246 + color: var(--error, #dc2626); 247 + border: 1px solid var(--error, #dc2626); 248 + } 249 + .storage-section .storage-info { 250 + background: var(--info-bg, #eff6ff); 251 + color: var(--info, #2563eb); 252 + border: 1px solid var(--info, #2563eb); 253 + } 254 + .spin { 255 + animation: spin 1s linear infinite; 256 + } 257 + @keyframes spin { 258 + from { transform: rotate(0deg); } 259 + to { transform: rotate(360deg); } 260 + } 261 + 203 262 /* Devices Section Styles */ 204 263 .devices-section .setup-instructions { 205 264 margin: 1rem 0;
+12
pkg/appview/templates/partials/storage_stats.html
··· 1 + {{ define "storage_stats" }} 2 + <div class="storage-stats"> 3 + <div class="stat-row"> 4 + <span class="stat-label">Unique Blobs:</span> 5 + <span class="stat-value">{{ .UniqueBlobs }}</span> 6 + </div> 7 + <div class="stat-row"> 8 + <span class="stat-label">Total Storage:</span> 9 + <span class="stat-value">{{ .HumanSize }}</span> 10 + </div> 11 + </div> 12 + {{ end }}
+36 -70
pkg/atproto/cbor_gen.go
··· 654 654 655 655 cw := cbg.NewCborWriter(w) 656 656 657 - if _, err := cw.Write([]byte{168}); err != nil { 657 + if _, err := cw.Write([]byte{167}); err != nil { 658 658 return err 659 659 } 660 660 ··· 749 749 return err 750 750 } 751 751 752 + // t.Manifest (string) (string) 753 + if len("manifest") > 8192 { 754 + return xerrors.Errorf("Value in field \"manifest\" was too long") 755 + } 756 + 757 + if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("manifest"))); err != nil { 758 + return err 759 + } 760 + if _, err := cw.WriteString(string("manifest")); err != nil { 761 + return err 762 + } 763 + 764 + if len(t.Manifest) > 8192 { 765 + return xerrors.Errorf("Value in field t.Manifest was too long") 766 + } 767 + 768 + if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(t.Manifest))); err != nil { 769 + return err 770 + } 771 + if _, err := cw.WriteString(string(t.Manifest)); err != nil { 772 + return err 773 + } 774 + 752 775 // t.CreatedAt (string) (string) 753 776 if len("createdAt") > 8192 { 754 777 return xerrors.Errorf("Value in field \"createdAt\" was too long") ··· 794 817 if _, err := cw.WriteString(string(t.MediaType)); err != nil { 795 818 return err 796 819 } 797 - 798 - // t.Repository (string) (string) 799 - if len("repository") > 8192 { 800 - return xerrors.Errorf("Value in field \"repository\" was too long") 801 - } 802 - 803 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("repository"))); err != nil { 804 - return err 805 - } 806 - if _, err := cw.WriteString(string("repository")); err != nil { 807 - return err 808 - } 809 - 810 - if len(t.Repository) > 8192 { 811 - return xerrors.Errorf("Value in field t.Repository was too long") 812 - } 813 - 814 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(t.Repository))); err != nil { 815 - return err 816 - } 817 - if _, err := cw.WriteString(string(t.Repository)); err != nil { 818 - return err 819 - } 820 - 821 - // t.UserHandle (string) (string) 822 - if len("userHandle") > 8192 { 823 - return xerrors.Errorf("Value in field \"userHandle\" was too long") 824 - } 825 - 826 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("userHandle"))); err != nil { 827 - return err 828 - } 829 - if _, err := cw.WriteString(string("userHandle")); err != nil { 830 - return err 831 - } 832 - 833 - if len(t.UserHandle) > 8192 { 834 - return xerrors.Errorf("Value in field t.UserHandle was too long") 835 - } 836 - 837 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(t.UserHandle))); err != nil { 838 - return err 839 - } 840 - if _, err := cw.WriteString(string(t.UserHandle)); err != nil { 841 - return err 842 - } 843 820 return nil 844 821 } 845 822 ··· 868 845 869 846 n := extra 870 847 871 - nameBuf := make([]byte, 10) 848 + nameBuf := make([]byte, 9) 872 849 for i := uint64(0); i < n; i++ { 873 850 nameLen, ok, err := cbg.ReadFullStringIntoBuf(cr, nameBuf, 8192) 874 851 if err != nil { ··· 942 920 943 921 t.UserDID = string(sval) 944 922 } 923 + // t.Manifest (string) (string) 924 + case "manifest": 925 + 926 + { 927 + sval, err := cbg.ReadStringWithMax(cr, 8192) 928 + if err != nil { 929 + return err 930 + } 931 + 932 + t.Manifest = string(sval) 933 + } 945 934 // t.CreatedAt (string) (string) 946 935 case "createdAt": 947 936 ··· 963 952 } 964 953 965 954 t.MediaType = string(sval) 966 - } 967 - // t.Repository (string) (string) 968 - case "repository": 969 - 970 - { 971 - sval, err := cbg.ReadStringWithMax(cr, 8192) 972 - if err != nil { 973 - return err 974 - } 975 - 976 - t.Repository = string(sval) 977 - } 978 - // t.UserHandle (string) (string) 979 - case "userHandle": 980 - 981 - { 982 - sval, err := cbg.ReadStringWithMax(cr, 8192) 983 - if err != nil { 984 - return err 985 - } 986 - 987 - t.UserHandle = string(sval) 988 955 } 989 956 990 957 default:
+6
pkg/atproto/endpoints.go
··· 51 51 // Request: {"ownerDid": "...", "repository": "...", "pullCount": 10, "pushCount": 5, "lastPull": "...", "lastPush": "..."} 52 52 // Response: {"success": true} 53 53 HoldSetStats = "/xrpc/io.atcr.hold.setStats" 54 + 55 + // HoldGetQuota returns storage quota information for a user. 56 + // Method: GET 57 + // Query: userDid={did} 58 + // Response: {"userDid": "...", "uniqueBlobs": 10, "totalSize": 1073741824} 59 + HoldGetQuota = "/xrpc/io.atcr.hold.getQuota" 54 60 ) 55 61 56 62 // Hold service crew management endpoints (io.atcr.hold.*)
+16 -17
pkg/atproto/lexicon.go
··· 602 602 // Stored in the hold's embedded PDS for tracking and analytics 603 603 // Uses CBOR encoding for efficient storage in hold's carstore 604 604 type LayerRecord struct { 605 - Type string `json:"$type" cborgen:"$type"` 606 - Digest string `json:"digest" cborgen:"digest"` // Layer digest (e.g., "sha256:abc123...") 607 - Size int64 `json:"size" cborgen:"size"` // Size in bytes 608 - MediaType string `json:"mediaType" cborgen:"mediaType"` // Media type (e.g., "application/vnd.oci.image.layer.v1.tar+gzip") 609 - Repository string `json:"repository" cborgen:"repository"` // Repository this layer belongs to 610 - UserDID string `json:"userDid" cborgen:"userDid"` // DID of user who uploaded this layer 611 - UserHandle string `json:"userHandle" cborgen:"userHandle"` // Handle of user (for display purposes) 612 - CreatedAt string `json:"createdAt" cborgen:"createdAt"` // RFC3339 timestamp 605 + Type string `json:"$type" cborgen:"$type"` 606 + Digest string `json:"digest" cborgen:"digest"` // Layer digest (e.g., "sha256:abc123...") 607 + Size int64 `json:"size" cborgen:"size"` // Size in bytes 608 + MediaType string `json:"mediaType" cborgen:"mediaType"` // Media type (e.g., "application/vnd.oci.image.layer.v1.tar+gzip") 609 + Manifest string `json:"manifest" cborgen:"manifest"` // AT-URI of manifest that included this layer 610 + UserDID string `json:"userDid" cborgen:"userDid"` // DID of user who uploaded this layer 611 + CreatedAt string `json:"createdAt" cborgen:"createdAt"` // RFC3339 timestamp 613 612 } 614 613 615 614 // NewLayerRecord creates a new layer record 616 - func NewLayerRecord(digest string, size int64, mediaType, repository, userDID, userHandle string) *LayerRecord { 615 + // manifestURI: AT-URI of the manifest (e.g., "at://did:plc:xyz/io.atcr.manifest/abc123") 616 + func NewLayerRecord(digest string, size int64, mediaType, userDID, manifestURI string) *LayerRecord { 617 617 return &LayerRecord{ 618 - Type: LayerCollection, 619 - Digest: digest, 620 - Size: size, 621 - MediaType: mediaType, 622 - Repository: repository, 623 - UserDID: userDID, 624 - UserHandle: userHandle, 625 - CreatedAt: time.Now().Format(time.RFC3339), 618 + Type: LayerCollection, 619 + Digest: digest, 620 + Size: size, 621 + MediaType: mediaType, 622 + Manifest: manifestURI, 623 + UserDID: userDID, 624 + CreatedAt: time.Now().Format(time.RFC3339), 626 625 } 627 626 } 628 627
+36 -49
pkg/atproto/lexicon_test.go
··· 1089 1089 1090 1090 func TestNewLayerRecord(t *testing.T) { 1091 1091 tests := []struct { 1092 - name string 1093 - digest string 1094 - size int64 1095 - mediaType string 1096 - repository string 1097 - userDID string 1098 - userHandle string 1092 + name string 1093 + digest string 1094 + size int64 1095 + mediaType string 1096 + userDID string 1097 + manifestURI string 1099 1098 }{ 1100 1099 { 1101 - name: "standard layer", 1102 - digest: "sha256:abc123", 1103 - size: 1024, 1104 - mediaType: "application/vnd.oci.image.layer.v1.tar+gzip", 1105 - repository: "myapp", 1106 - userDID: "did:plc:user123", 1107 - userHandle: "alice.bsky.social", 1100 + name: "standard layer", 1101 + digest: "sha256:abc123", 1102 + size: 1024, 1103 + mediaType: "application/vnd.oci.image.layer.v1.tar+gzip", 1104 + userDID: "did:plc:user123", 1105 + manifestURI: "at://did:plc:user123/io.atcr.manifest/abc123", 1108 1106 }, 1109 1107 { 1110 - name: "large layer", 1111 - digest: "sha256:def456", 1112 - size: 1073741824, // 1GB 1113 - mediaType: "application/vnd.oci.image.layer.v1.tar+gzip", 1114 - repository: "largeapp", 1115 - userDID: "did:plc:user456", 1116 - userHandle: "bob.example.com", 1108 + name: "large layer", 1109 + digest: "sha256:def456", 1110 + size: 1073741824, // 1GB 1111 + mediaType: "application/vnd.oci.image.layer.v1.tar+gzip", 1112 + userDID: "did:plc:user456", 1113 + manifestURI: "at://did:plc:user456/io.atcr.manifest/def456", 1117 1114 }, 1118 1115 { 1119 - name: "empty values", 1120 - digest: "", 1121 - size: 0, 1122 - mediaType: "", 1123 - repository: "", 1124 - userDID: "", 1125 - userHandle: "", 1116 + name: "empty values", 1117 + digest: "", 1118 + size: 0, 1119 + mediaType: "", 1120 + userDID: "", 1121 + manifestURI: "", 1126 1122 }, 1127 1123 { 1128 - name: "config layer", 1129 - digest: "sha256:config123", 1130 - size: 512, 1131 - mediaType: "application/vnd.oci.image.config.v1+json", 1132 - repository: "app/subapp", 1133 - userDID: "did:web:example.com", 1134 - userHandle: "charlie.tangled.io", 1124 + name: "config layer", 1125 + digest: "sha256:config123", 1126 + size: 512, 1127 + mediaType: "application/vnd.oci.image.config.v1+json", 1128 + userDID: "did:web:example.com", 1129 + manifestURI: "at://did:web:example.com/io.atcr.manifest/config123", 1135 1130 }, 1136 1131 } 1137 1132 1138 1133 for _, tt := range tests { 1139 1134 t.Run(tt.name, func(t *testing.T) { 1140 - record := NewLayerRecord(tt.digest, tt.size, tt.mediaType, tt.repository, tt.userDID, tt.userHandle) 1135 + record := NewLayerRecord(tt.digest, tt.size, tt.mediaType, tt.userDID, tt.manifestURI) 1141 1136 1142 1137 // Verify all fields 1143 1138 if record == nil { ··· 1160 1155 t.Errorf("MediaType = %q, want %q", record.MediaType, tt.mediaType) 1161 1156 } 1162 1157 1163 - if record.Repository != tt.repository { 1164 - t.Errorf("Repository = %q, want %q", record.Repository, tt.repository) 1158 + if record.Manifest != tt.manifestURI { 1159 + t.Errorf("Manifest = %q, want %q", record.Manifest, tt.manifestURI) 1165 1160 } 1166 1161 1167 1162 if record.UserDID != tt.userDID { 1168 1163 t.Errorf("UserDID = %q, want %q", record.UserDID, tt.userDID) 1169 - } 1170 - 1171 - if record.UserHandle != tt.userHandle { 1172 - t.Errorf("UserHandle = %q, want %q", record.UserHandle, tt.userHandle) 1173 1164 } 1174 1165 1175 1166 // Verify CreatedAt is set and is a valid RFC3339 timestamp ··· 1192 1183 "sha256:abc123", 1193 1184 1024, 1194 1185 "application/vnd.oci.image.layer.v1.tar+gzip", 1195 - "myapp", 1196 1186 "did:plc:user123", 1197 - "alice.bsky.social", 1187 + "at://did:plc:user123/io.atcr.manifest/abc123", 1198 1188 ) 1199 1189 1200 1190 // Marshal to JSON ··· 1222 1212 if decoded.MediaType != record.MediaType { 1223 1213 t.Errorf("MediaType = %q, want %q", decoded.MediaType, record.MediaType) 1224 1214 } 1225 - if decoded.Repository != record.Repository { 1226 - t.Errorf("Repository = %q, want %q", decoded.Repository, record.Repository) 1215 + if decoded.Manifest != record.Manifest { 1216 + t.Errorf("Manifest = %q, want %q", decoded.Manifest, record.Manifest) 1227 1217 } 1228 1218 if decoded.UserDID != record.UserDID { 1229 1219 t.Errorf("UserDID = %q, want %q", decoded.UserDID, record.UserDID) 1230 - } 1231 - if decoded.UserHandle != record.UserHandle { 1232 - t.Errorf("UserHandle = %q, want %q", decoded.UserHandle, record.UserHandle) 1233 1220 } 1234 1221 if decoded.CreatedAt != record.CreatedAt { 1235 1222 t.Errorf("CreatedAt = %q, want %q", decoded.CreatedAt, record.CreatedAt)
+18 -9
pkg/hold/oci/xrpc.go
··· 217 217 218 218 // Parse request 219 219 var req struct { 220 - Repository string `json:"repository"` 221 - Tag string `json:"tag"` 222 - UserDID string `json:"userDid"` 223 - UserHandle string `json:"userHandle"` 224 - Operation string `json:"operation"` // "push" or "pull", defaults to "push" for backward compatibility 225 - Manifest struct { 220 + Repository string `json:"repository"` 221 + Tag string `json:"tag"` 222 + UserDID string `json:"userDid"` 223 + ManifestDigest string `json:"manifestDigest"` // For building layer record AT-URIs 224 + Operation string `json:"operation"` // "push" or "pull", defaults to "push" for backward compatibility 225 + Manifest struct { 226 226 MediaType string `json:"mediaType"` 227 227 Config struct { 228 228 Digest string `json:"digest"` ··· 287 287 postsEnabled = h.enableBlueskyPosts 288 288 } 289 289 290 + // Build manifest AT-URI for layer records 291 + manifestURI := atproto.BuildManifestURI(req.UserDID, req.ManifestDigest) 292 + 290 293 // Create layer records for each blob 291 294 for _, layer := range req.Manifest.Layers { 292 295 record := atproto.NewLayerRecord( 293 296 layer.Digest, 294 297 layer.Size, 295 298 layer.MediaType, 296 - req.Repository, 297 299 req.UserDID, 298 - req.UserHandle, 300 + manifestURI, 299 301 ) 300 302 301 303 _, _, err := h.pds.CreateLayerRecord(ctx, record) ··· 329 331 330 332 // Create Bluesky post if enabled 331 333 if postsEnabled { 334 + // Resolve handle from DID (cached, 24-hour TTL) 335 + _, userHandle, _, resolveErr := atproto.ResolveIdentity(ctx, req.UserDID) 336 + if resolveErr != nil { 337 + slog.Warn("Failed to resolve handle for user", "did", req.UserDID, "error", resolveErr) 338 + userHandle = req.UserDID // Fallback to DID if resolution fails 339 + } 340 + 332 341 // Extract manifest digest from first layer (or use config digest as fallback) 333 342 manifestDigest := req.Manifest.Config.Digest 334 343 if len(req.Manifest.Layers) > 0 { ··· 340 349 h.driver, 341 350 req.Repository, 342 351 req.Tag, 343 - req.UserHandle, 352 + userHandle, 344 353 req.UserDID, 345 354 manifestDigest, 346 355 totalSize,
+103
pkg/hold/pds/layer.go
··· 5 5 "fmt" 6 6 7 7 "atcr.io/pkg/atproto" 8 + lexutil "github.com/bluesky-social/indigo/lex/util" 9 + "github.com/bluesky-social/indigo/repo" 8 10 ) 9 11 10 12 // CreateLayerRecord creates a new layer record in the hold's PDS ··· 57 59 // not for runtime queries 58 60 return nil, "", fmt.Errorf("ListLayerRecords not yet implemented") 59 61 } 62 + 63 + // QuotaStats represents storage quota information for a user 64 + type QuotaStats struct { 65 + UserDID string `json:"userDid"` 66 + UniqueBlobs int `json:"uniqueBlobs"` 67 + TotalSize int64 `json:"totalSize"` 68 + } 69 + 70 + // GetQuotaForUser calculates storage quota for a specific user 71 + // It iterates through all layer records, filters by userDid, deduplicates by digest, 72 + // and sums the sizes of unique blobs. 73 + func (p *HoldPDS) GetQuotaForUser(ctx context.Context, userDID string) (*QuotaStats, error) { 74 + if p.recordsIndex == nil { 75 + return nil, fmt.Errorf("records index not available") 76 + } 77 + 78 + // Get session for reading record data 79 + session, err := p.carstore.ReadOnlySession(p.uid) 80 + if err != nil { 81 + return nil, fmt.Errorf("failed to create session: %w", err) 82 + } 83 + 84 + head, err := p.carstore.GetUserRepoHead(ctx, p.uid) 85 + if err != nil { 86 + return nil, fmt.Errorf("failed to get repo head: %w", err) 87 + } 88 + 89 + if !head.Defined() { 90 + // Empty repo - return zero stats 91 + return &QuotaStats{UserDID: userDID}, nil 92 + } 93 + 94 + repoHandle, err := repo.OpenRepo(ctx, session, head) 95 + if err != nil { 96 + return nil, fmt.Errorf("failed to open repo: %w", err) 97 + } 98 + 99 + // Track unique digests and their sizes 100 + digestSizes := make(map[string]int64) 101 + 102 + // Iterate all layer records via the index 103 + cursor := "" 104 + batchSize := 1000 // Process in batches 105 + 106 + for { 107 + records, nextCursor, err := p.recordsIndex.ListRecords(atproto.LayerCollection, batchSize, cursor, true) 108 + if err != nil { 109 + return nil, fmt.Errorf("failed to list layer records: %w", err) 110 + } 111 + 112 + for _, rec := range records { 113 + // Construct record path and get the record data 114 + recordPath := rec.Collection + "/" + rec.Rkey 115 + 116 + _, recBytes, err := repoHandle.GetRecordBytes(ctx, recordPath) 117 + if err != nil { 118 + // Skip records we can't read 119 + continue 120 + } 121 + 122 + // Decode the layer record 123 + recordValue, err := lexutil.CborDecodeValue(*recBytes) 124 + if err != nil { 125 + continue 126 + } 127 + 128 + layerRecord, ok := recordValue.(*atproto.LayerRecord) 129 + if !ok { 130 + continue 131 + } 132 + 133 + // Filter by userDID 134 + if layerRecord.UserDID != userDID { 135 + continue 136 + } 137 + 138 + // Deduplicate by digest - keep the size (could be different pushes of same blob) 139 + // Store the size - we only count each unique digest once 140 + if _, exists := digestSizes[layerRecord.Digest]; !exists { 141 + digestSizes[layerRecord.Digest] = layerRecord.Size 142 + } 143 + } 144 + 145 + if nextCursor == "" { 146 + break 147 + } 148 + cursor = nextCursor 149 + } 150 + 151 + // Calculate totals 152 + var totalSize int64 153 + for _, size := range digestSizes { 154 + totalSize += size 155 + } 156 + 157 + return &QuotaStats{ 158 + UserDID: userDID, 159 + UniqueBlobs: len(digestSizes), 160 + TotalSize: totalSize, 161 + }, nil 162 + }
+62 -73
pkg/hold/pds/layer_test.go
··· 22 22 "sha256:abc123def456", 23 23 1048576, // 1 MB 24 24 "application/vnd.oci.image.layer.v1.tar+gzip", 25 - "myapp", 26 25 "did:plc:alice123", 27 - "alice.bsky.social", 26 + "at://did:plc:alice123/io.atcr.manifest/abc123def456", 28 27 ), 29 28 wantErr: false, 30 29 }, ··· 34 33 "sha256:fedcba987654", 35 34 1073741824, // 1 GB 36 35 "application/vnd.docker.image.rootfs.diff.tar.gzip", 37 - "debian", 38 36 "did:plc:bob456", 39 - "bob.example.com", 37 + "at://did:plc:bob456/io.atcr.manifest/fedcba987654", 40 38 ), 41 39 wantErr: false, 42 40 }, 43 41 { 44 42 name: "invalid record type", 45 43 record: &atproto.LayerRecord{ 46 - Type: "wrong.type", 47 - Digest: "sha256:abc123", 48 - Size: 1024, 49 - MediaType: "application/vnd.oci.image.layer.v1.tar", 50 - Repository: "test", 51 - UserDID: "did:plc:test", 52 - UserHandle: "test.example.com", 44 + Type: "wrong.type", 45 + Digest: "sha256:abc123", 46 + Size: 1024, 47 + MediaType: "application/vnd.oci.image.layer.v1.tar", 48 + Manifest: "at://did:plc:test/io.atcr.manifest/abc123", 49 + UserDID: "did:plc:test", 53 50 }, 54 51 wantErr: true, 55 52 errSubstr: "invalid record type", ··· 57 54 { 58 55 name: "missing digest", 59 56 record: &atproto.LayerRecord{ 60 - Type: atproto.LayerCollection, 61 - Digest: "", 62 - Size: 1024, 63 - MediaType: "application/vnd.oci.image.layer.v1.tar", 64 - Repository: "test", 65 - UserDID: "did:plc:test", 66 - UserHandle: "test.example.com", 57 + Type: atproto.LayerCollection, 58 + Digest: "", 59 + Size: 1024, 60 + MediaType: "application/vnd.oci.image.layer.v1.tar", 61 + Manifest: "at://did:plc:test/io.atcr.manifest/abc123", 62 + UserDID: "did:plc:test", 67 63 }, 68 64 wantErr: true, 69 65 errSubstr: "digest is required", ··· 71 67 { 72 68 name: "zero size", 73 69 record: &atproto.LayerRecord{ 74 - Type: atproto.LayerCollection, 75 - Digest: "sha256:abc123", 76 - Size: 0, 77 - MediaType: "application/vnd.oci.image.layer.v1.tar", 78 - Repository: "test", 79 - UserDID: "did:plc:test", 80 - UserHandle: "test.example.com", 70 + Type: atproto.LayerCollection, 71 + Digest: "sha256:abc123", 72 + Size: 0, 73 + MediaType: "application/vnd.oci.image.layer.v1.tar", 74 + Manifest: "at://did:plc:test/io.atcr.manifest/abc123", 75 + UserDID: "did:plc:test", 81 76 }, 82 77 wantErr: true, 83 78 errSubstr: "size must be positive", ··· 85 80 { 86 81 name: "negative size", 87 82 record: &atproto.LayerRecord{ 88 - Type: atproto.LayerCollection, 89 - Digest: "sha256:abc123", 90 - Size: -1, 91 - MediaType: "application/vnd.oci.image.layer.v1.tar", 92 - Repository: "test", 93 - UserDID: "did:plc:test", 94 - UserHandle: "test.example.com", 83 + Type: atproto.LayerCollection, 84 + Digest: "sha256:abc123", 85 + Size: -1, 86 + MediaType: "application/vnd.oci.image.layer.v1.tar", 87 + Manifest: "at://did:plc:test/io.atcr.manifest/abc123", 88 + UserDID: "did:plc:test", 95 89 }, 96 90 wantErr: true, 97 91 errSubstr: "size must be positive", ··· 134 128 func TestCreateLayerRecord_MultipleRecords(t *testing.T) { 135 129 // Test creating multiple layer records for the same manifest 136 130 pds, ctx := setupTestPDS(t) 131 + 132 + manifestURI := "at://did:plc:test123/io.atcr.manifest/manifestabc123" 137 133 138 134 layers := []struct { 139 135 digest string ··· 151 147 layer.digest, 152 148 layer.size, 153 149 "application/vnd.oci.image.layer.v1.tar+gzip", 154 - "multi-layer-app", 155 150 "did:plc:test123", 156 - "test.example.com", 151 + manifestURI, 157 152 ) 158 153 159 154 rkey, cid, err := pds.CreateLayerRecord(ctx, record) ··· 180 175 digest := "sha256:abc123def456" 181 176 size := int64(1048576) 182 177 mediaType := "application/vnd.oci.image.layer.v1.tar+gzip" 183 - repository := "myapp" 184 178 userDID := "did:plc:alice123" 185 - userHandle := "alice.bsky.social" 179 + manifestURI := "at://did:plc:alice123/io.atcr.manifest/abc123def456" 186 180 187 - record := atproto.NewLayerRecord(digest, size, mediaType, repository, userDID, userHandle) 181 + record := atproto.NewLayerRecord(digest, size, mediaType, userDID, manifestURI) 188 182 189 183 if record == nil { 190 184 t.Fatal("NewLayerRecord() returned nil") ··· 207 201 t.Errorf("MediaType = %q, want %q", record.MediaType, mediaType) 208 202 } 209 203 210 - if record.Repository != repository { 211 - t.Errorf("Repository = %q, want %q", record.Repository, repository) 204 + if record.Manifest != manifestURI { 205 + t.Errorf("Manifest = %q, want %q", record.Manifest, manifestURI) 212 206 } 213 207 214 208 if record.UserDID != userDID { 215 209 t.Errorf("UserDID = %q, want %q", record.UserDID, userDID) 216 - } 217 - 218 - if record.UserHandle != userHandle { 219 - t.Errorf("UserHandle = %q, want %q", record.UserHandle, userHandle) 220 210 } 221 211 222 212 if record.CreatedAt == "" { ··· 229 219 func TestLayerRecord_FieldValidation(t *testing.T) { 230 220 // Test various field values 231 221 tests := []struct { 232 - name string 233 - digest string 234 - size int64 235 - mediaType string 236 - repository string 237 - userDID string 238 - userHandle string 222 + name string 223 + digest string 224 + size int64 225 + mediaType string 226 + userDID string 227 + manifestURI string 239 228 }{ 240 229 { 241 - name: "typical OCI layer", 242 - digest: "sha256:e692418e4cbaf90ca69d05a66403747baa33ee08806650b51fab815ad7fc331f", 243 - size: 12582912, // 12 MB 244 - mediaType: "application/vnd.oci.image.layer.v1.tar+gzip", 245 - repository: "hsm-secrets-operator", 246 - userDID: "did:plc:evan123", 247 - userHandle: "evan.jarrett.net", 230 + name: "typical OCI layer", 231 + digest: "sha256:e692418e4cbaf90ca69d05a66403747baa33ee08806650b51fab815ad7fc331f", 232 + size: 12582912, // 12 MB 233 + mediaType: "application/vnd.oci.image.layer.v1.tar+gzip", 234 + userDID: "did:plc:evan123", 235 + manifestURI: "at://did:plc:evan123/io.atcr.manifest/abc123", 248 236 }, 249 237 { 250 - name: "Docker layer format", 251 - digest: "sha256:abc123", 252 - size: 1024, 253 - mediaType: "application/vnd.docker.image.rootfs.diff.tar.gzip", 254 - repository: "nginx", 255 - userDID: "did:plc:user456", 256 - userHandle: "user.example.com", 238 + name: "Docker layer format", 239 + digest: "sha256:abc123", 240 + size: 1024, 241 + mediaType: "application/vnd.docker.image.rootfs.diff.tar.gzip", 242 + userDID: "did:plc:user456", 243 + manifestURI: "at://did:plc:user456/io.atcr.manifest/def456", 257 244 }, 258 245 { 259 - name: "uncompressed layer", 260 - digest: "sha256:def456", 261 - size: 2048, 262 - mediaType: "application/vnd.oci.image.layer.v1.tar", 263 - repository: "alpine", 264 - userDID: "did:plc:user789", 265 - userHandle: "user.bsky.social", 246 + name: "uncompressed layer", 247 + digest: "sha256:def456", 248 + size: 2048, 249 + mediaType: "application/vnd.oci.image.layer.v1.tar", 250 + userDID: "did:plc:user789", 251 + manifestURI: "at://did:plc:user789/io.atcr.manifest/ghi789", 266 252 }, 267 253 } 268 254 ··· 272 258 tt.digest, 273 259 tt.size, 274 260 tt.mediaType, 275 - tt.repository, 276 261 tt.userDID, 277 - tt.userHandle, 262 + tt.manifestURI, 278 263 ) 279 264 280 265 if record == nil { ··· 288 273 289 274 if record.Digest != tt.digest { 290 275 t.Errorf("Digest = %q, want %q", record.Digest, tt.digest) 276 + } 277 + 278 + if record.Manifest != tt.manifestURI { 279 + t.Errorf("Manifest = %q, want %q", record.Manifest, tt.manifestURI) 291 280 } 292 281 }) 293 282 }
+31
pkg/hold/pds/xrpc.go
··· 192 192 r.Use(h.requireAuth) 193 193 r.Post(atproto.HoldRequestCrew, h.HandleRequestCrew) 194 194 }) 195 + 196 + // Public quota endpoint (no auth - quota is per-user, just needs userDid param) 197 + r.Get(atproto.HoldGetQuota, h.HandleGetQuota) 195 198 } 196 199 197 200 // HandleHealth returns health check information ··· 1513 1516 // Clients should use multipart upload flow via com.atproto.repo.uploadBlob 1514 1517 return "" 1515 1518 } 1519 + 1520 + // HandleGetQuota returns storage quota information for a user 1521 + // This calculates the total unique blob storage used by a specific user 1522 + // by iterating layer records and deduplicating by digest. 1523 + func (h *XRPCHandler) HandleGetQuota(w http.ResponseWriter, r *http.Request) { 1524 + userDID := r.URL.Query().Get("userDid") 1525 + if userDID == "" { 1526 + http.Error(w, "missing required parameter: userDid", http.StatusBadRequest) 1527 + return 1528 + } 1529 + 1530 + // Validate DID format 1531 + if !atproto.IsDID(userDID) { 1532 + http.Error(w, "invalid userDid format", http.StatusBadRequest) 1533 + return 1534 + } 1535 + 1536 + // Get quota stats 1537 + stats, err := h.pds.GetQuotaForUser(r.Context(), userDID) 1538 + if err != nil { 1539 + slog.Error("Failed to get quota", "userDid", userDID, "error", err) 1540 + http.Error(w, fmt.Sprintf("failed to get quota: %v", err), http.StatusInternalServerError) 1541 + return 1542 + } 1543 + 1544 + w.Header().Set("Content-Type", "application/json") 1545 + json.NewEncoder(w).Encode(stats) 1546 + }