Skip to content

Harden large-transfer durability and observability#7

Merged
pzzzy merged 6 commits into
mainfrom
codex/htmx-tailwind-ui
Jul 13, 2026
Merged

Harden large-transfer durability and observability#7
pzzzy merged 6 commits into
mainfrom
codex/htmx-tailwind-ui

Conversation

@pzzzy

@pzzzy pzzzy commented Jul 13, 2026

Copy link
Copy Markdown
Owner

What changed

  • make FTP STOR/APPE/REST, HTTP multipart/chunked uploads, public drops, and admin FTP pulls stage data and commit it atomically
  • preserve the current destination before replacement, surface retention failures, enforce atomic no-overwrite drops, bound chunk writes, scope upload IDs, and serialize concurrent chunks
  • remove whole-body HTTP deadlines by default while retaining header and idle protections; report actual response status, bytes, and ranges
  • reserve limited share downloads atomically and classify tiny/bounded range requests as diagnostic probes instead of completed-download analytics
  • revalidate active FTP sessions, require configured certificates when FTPS is mandatory, and constrain passive/active data peers unless FXP is explicitly enabled
  • rate-limit protected share passwords and authorize protected drops before multipart parsing
  • invalidate Cloudflare-tagged public cache entries after HTTP or FTP mutations, with exact object/parent-listing fallback and validated public-base configuration
  • separate monitor traffic from human/security activity in dashboards and weekly reports; improve long-term tunnel maintenance defaults
  • add stable macOS code-signing support, a reproducible local release gate, pinned GitHub Actions CI, security guidance, regression coverage, and a large-transfer operations runbook

Why

The overnight 10,824,083,788-byte MKV download completed, with its final range ending at the exact stored EOF. macftpd streamed the bytes unchanged; there was no media transcoding or remuxing. The request history also exposed three correctness gaps: the previous 60-second whole-response deadline interrupted long streams and triggered retries, requested sizes and tiny media tail probes distorted download analytics, and overwrite paths could truncate destinations before transfer/retention success. Public writes could additionally leave cached objects or directory listings stale.

Impact

Large streams can continue while making progress, completed-download counts now reflect completed bodies or substantial resumes, and failed uploads/retention operations leave the original destination intact. Overwrites temporarily require space for the staged replacement and retained prior version. Internal staging/trash/version directories are always hidden. Public cache invalidation is best-effort and requires the configured Cloudflare zone token and cache tag.

Checks

  • ./scripts/check.sh
    • gofmt and module verification
    • shuffled tests (3 runs) and race detector
    • go vet, native build, Darwin/arm64 build
    • reproducible Tailwind/HTMX asset build
    • shellcheck, shell syntax, Worker syntax, private-identifier scan
    • gosec v2.27.1: 0 issues
    • govulncheck v1.1.4: 0 reachable vulnerabilities
    • Wrangler 4.110.0 dry run
  • focused post-review shuffled/race tests for config, storage, FTP, and HTTP
  • final go test ./... after merging current main

@pzzzy pzzzy marked this pull request as ready for review July 13, 2026 06:35
@pzzzy pzzzy merged commit b2e89e5 into main Jul 13, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant