docs: add per-repo storage design plans

Captures the design for per-repo {orgID}/{repoName} filesystem dispatch and the per-keypair bucket-per-repo Tigris resolver.

Assisted-by: Claude Opus 4.8 via Claude Code
Signed-off-by: Xe Iaso <xe@tigrisdata.com>

Author: Xe

docs/plans/per-repo-bucket.md

@@ -0,0 +1,176 @@
+# Per-keypair Tigris resolver: a bucket per repo
+
+## Context
+
+The per-repo `repofs.Resolver` hook is already in place: every git request resolves
+to a `billy.Filesystem` via `Resolve(ctx, ref, cred)`, and the HTTP Basic-auth
+pair already arrives as `repofs.Credential{Username, Password}`. The default
+`BucketResolver` chroots one shared bucket.
+
+We now want a real backend: treat the Basic-auth credential as a **Tigris
+keypair** (username = access key ID, password = secret access key), build a
+`storage.Client` per keypair, and give **each repository its own Tigris bucket**,
+created on first push. This replaces the single-shared-bucket model as the
+production default.
+
+Decisions (confirmed):
+
+- **Credential = keypair**: `username` → access key ID, `password` → secret.
+- **Bucket name**: `objgit-{base36(sha256(orgID/repoName))[:N]}` — deterministic,
+  DNS-valid (lowercase alnum), collision-free.
+- **Create on push only**: the resolver creates the bucket only on the write
+  path; reads of a missing bucket are a 404.
+- **Replace default**: `main.go` wires the Tigris resolver. `BucketResolver`
+  stays in `repofs` for tests (memfs), just not wired in production.
+- **All S3 ops go through `github.com/tigrisdata/storage-go`** (`*storage.Client`,
+  which embeds `*s3.Client`); never construct a bare AWS `s3.Client`.
+
+## 1. Gate creation on the Resolver interface (`internal/repofs`)
+
+`Resolve` needs to know read vs. write so it only creates buckets on push. Add a
+`create bool`:
+
+```go
+type Resolver interface {
+	Resolve(ctx context.Context, ref RepoRef, cred Credential, create bool) (billy.Filesystem, error)
+}
+```
+
+- `BucketResolver.Resolve` ignores `create` (chroot is creation-free).
+- `daemon.load` (read) passes `create=false`; `daemon.loadOrInit` (push) passes
+  `create=true` (`cmd/objgitd/git_protocol.go`).
+- Update the `recordingResolver` test stub in `cmd/objgitd/http_test.go`.
+
+Add a `BucketName()` helper — but put it in the Tigris package (below), since the
+`objgit-` prefix and hashing are storage policy, not neutral identity.
+
+## 2. New package: `internal/tigrisfs`
+
+The concrete, Tigris-backed `repofs.Resolver`. Depends on `storage-go`, `s3fs`,
+and (for the not-found sentinel) go-git `transport`. Keeping it out of `repofs`
+preserves `repofs`'s transport/storage neutrality.
+
+```go
+package tigrisfs
+
+// Resolver implements repofs.Resolver against Tigris, one bucket per repo.
+type Resolver struct {
+	// newClient builds a storage.Client from a keypair. Defaults to
+	// storage.New(ctx, storage.WithAccessKeypair(id, secret)); overridable for tests.
+	newClient func(ctx context.Context, cred repofs.Credential) (*storage.Client, error)
+	fsOpts    []s3fs.Option // listing/pack cache opts applied per-bucket S3FS
+
+	mu      sync.Mutex
+	clients map[string]*cachedClient // keyed by access key ID (cred.Username)
+}
+
+type cachedClient struct {
+	raw      *storage.Client // bucket ops (CreateBucket/HeadBucket) go here
+	hardened s3fs.S3Client   // object I/O handed to s3fs (see note on Harden)
+}
+```
+
+`Resolve`:
+
+1. Reject empty `cred.Username`/`cred.Password` (auth required → surfaces as 401
+   at the HTTP layer; see error mapping).
+2. Look up / build the cached client for `cred.Username` (build via `newClient`,
+   then `hardened = s3fs.Harden(raw)`). Cache under a mutex.
+3. `bucket := bucketName(ref)`.
+4. If `create`: `ensureBucket(ctx, raw, bucket)` — `CreateBucket`; treat
+   `*types.BucketAlreadyOwnedByYou` / `*types.BucketAlreadyExists` (via
+   `errors.As`) as success.
+   Else: `HeadBucket`; on `*types.NotFound`/`*types.NoSuchBucket` return
+   `transport.ErrRepositoryNotFound`.
+5. Return `s3fs.NewS3FS(hardened, bucket, r.fsOpts...)` (root `""` — the bucket
+   _is_ the repo).
+
+```go
+func bucketName(ref repofs.RepoRef) string {
+	sum := sha256.Sum256([]byte(ref.Path()))
+	b36 := new(big.Int).SetBytes(sum[:]).Text(36) // 0-9a-z
+	// left-pad to a fixed width so truncation is deterministic, then take N.
+	return "objgit-" + leftPad(b36, 50, '0')[:32] // "objgit-" + 32 = 39 chars, < 63
+}
+```
+
+**Harden note:** `s3fs.Harden` returns the 9-method object-only `s3Client`
+wrapper — it does **not** expose `CreateBucket`/`HeadBucket`. So the resolver
+keeps the raw `*storage.Client` for the (rare) bucket calls and hands the
+hardened wrapper to `s3fs` for the hot object path. Both are storage-go clients;
+no bare AWS client is created.
+
+**s3fs export:** `s3fs.NewS3FS` currently takes an unexported `s3Client`
+interface. An external package can still satisfy it (method set is exported), but
+to name the field type in `cachedClient` cleanly, export the interface as
+`s3fs.S3Client` (alias/rename of the existing `s3Client`). Small, mechanical
+change in `internal/s3fs/filesystem.go`.
+
+## 3. `main.go` wiring (replace default)
+
+- Read the keypair-mode resolver instead of `BucketResolver`:
+  `resolver: tigrisfs.New(tigrisfs.WithFSOptions(fsOpts...))`.
+- The default `newClient` does `storage.New(ctx, storage.WithAccessKeypair(...))`
+  (endpoint defaults to the global Tigris endpoint; add a `-tigris-endpoint`
+  flag later if needed).
+- `sysFS` (SSH host key) still uses the ambient `-bucket` `fsys` built today;
+  repos no longer use it. The existing `-bucket` flag becomes "system bucket"
+  (host key only). Note this in flag help.
+- Per-keypair `ListingCache`/`PackCache`: the caches `main` builds today are
+  bound to one bucket and no longer fit a bucket-per-repo world. For this pass,
+  pass no per-bucket caches (or a bounded per-(keyID,bucket) cache later);
+  **log that repo-side caching is disabled** so it isn't mistaken for working.
+
+## 4. Error mapping
+
+- Empty/invalid credential → resolver returns a sentinel (`tigrisfs.ErrNoCredential`);
+  HTTP `resolve` maps it to `401 WWW-Authenticate: Basic` (reuse the existing
+  `auth.Unauthenticated` rendering path, or special-case the error).
+- Missing bucket on read → `transport.ErrRepositoryNotFound` → existing 404 path.
+- A bad keypair surfaces as an S3 `AccessDenied` mid-call; log and return 500
+  (acceptable for now — real authz is a later seam).
+
+## 5. Caching & concurrency
+
+- One `cachedClient` per access key ID, guarded by a mutex (or `sync.Map`).
+  Building a `storage.Client` loads AWS config (network-free) and is the main
+  cost we're avoiding per request.
+- Bound the map (simple max or LRU, e.g. 1024 keypairs) as a follow-up; note the
+  unbounded-growth risk in a comment for now.
+
+## 6. Tests
+
+- `internal/tigrisfs/tigrisfs_test.go` (unit, no network):
+  - `bucketName` is deterministic, `objgit-`-prefixed, ≤ 63 chars, lowercase
+    alnum, and differs for different `orgID/repoName`.
+  - Empty credential → `ErrNoCredential` (checked before `newClient`).
+  - `create` gating: with a fake `newClient` returning a client whose bucket ops
+    are observable, assert `CreateBucket` is called iff `create==true` and
+    `HeadBucket` otherwise. (Use a small fake satisfying the bucket-op + object
+    method set; inject via `newClient`.)
+- Integration test gated by real creds (skip when
+  `TIGRIS_STORAGE_ACCESS_KEY_ID`/`_SECRET_ACCESS_KEY` unset — see the
+  `tigris-storage` skill's `skipIfNoCreds` pattern): push to
+  `acme/itest-<unique>.git`, assert the bucket is created and a clone round-trips;
+  clean up the bucket after.
+- `internal/repofs` and `cmd/objgitd` existing tests keep using `BucketResolver`
+  (memfs); update them only for the new `create` parameter.
+
+## Verification
+
+```text
+go build ./...
+go test ./internal/repofs/... ./internal/tigrisfs/... ./cmd/objgitd/...
+```
+
+End-to-end against real Tigris (credentials in the AWS/Tigris env):
+
+```text
+./objgitd -bucket $SYS_BUCKET -http-bind :8080 -allow-push
+# username = Tigris access key ID, password = secret access key
+git clone http://$KEYID:$SECRET@localhost:8080/acme/demo.git   # first push creates bucket objgit-<hash>
+# verify the bucket exists:
+tigris bucket list | grep objgit-
+git clone http://$KEYID:$SECRET@localhost:8080/acme/demo.git   # second clone reuses cached client + bucket
+git clone http://localhost:8080/acme/demo.git                   # no creds -> 401
+```

docs/plans/per-repo-fs-dispatch.md

@@ -0,0 +1,215 @@
+# Per-repo filesystem resolution + `{orgID}/{repoName}` paths (HTTP focus)
+
+## Context
+
+Today the `daemon` holds a single static `fs billy.Filesystem` (the whole bucket)
+and a single `loader transport.Loader`, both built once in `main.go`. Every
+transport passes a **raw, unvalidated, variable-depth** path straight into
+`auth.Request.Repo` and into `load`/`loadOrInit`, which `Chroot`s the one bucket
+fs by that path.
+
+We want two coupled changes:
+
+1. **Restrict repo paths to `{orgID}/{repoName}`** — `orgID` is an opaque
+   reference a later API call will validate; for now it's accepted as-is. Paths
+   that aren't exactly two segments are rejected. The `.git` suffix is stripped
+   from the repo name (`org/repo.git` and `org/repo` resolve to the same repo;
+   storage key `org/repo/`).
+2. **Discover the billy filesystem per-repo via a pluggable hook**, and **pass
+   the HTTP Basic-auth username/password into that hook** so a real backend can
+   route an org to its own bucket/credentials based on who's calling. The
+   default hook preserves today's behavior (chroot the one bucket fs, ignoring
+   the credential).
+
+**Scope:** this pass targets the **HTTP** transport. SSH is explicitly out of
+scope. The shared resolution layer is transport-agnostic, so git:// and SSH get
+only the mechanical edits needed to keep compiling (they pass an empty
+credential); their auth semantics are unchanged.
+
+## New package: `internal/repofs`
+
+Transport-neutral, mirroring how `internal/auth` is structured. Imports only
+`context`, `errors`, `path`, `strings`, and `go-billy/v6`.
+
+```go
+package repofs
+
+var ErrInvalidPath = errors.New("repository path must be of the form {orgID}/{repoName}")
+
+// RepoRef identifies a repository. OrgID is opaque (validated later); Name has
+// any trailing ".git" stripped.
+type RepoRef struct {
+	OrgID string
+	Name  string
+}
+
+// Path is the canonical storage/identity path "orgID/name".
+func (r RepoRef) Path() string { return path.Join(r.OrgID, r.Name) }
+
+// Parse trims surrounding slashes, requires exactly two non-empty segments,
+// and strips a trailing ".git" from the name. OrgID is not otherwise validated.
+func Parse(raw string) (RepoRef, error)
+
+// Credential carries the HTTP Basic-auth username/password (zero value = none).
+// Unvalidated; the Resolver decides what to do with it.
+type Credential struct {
+	Username string
+	Password string
+}
+
+// Resolver maps a RepoRef (plus the caller's credential) to the
+// billy.Filesystem rooted at that repository. This is the hook a real backend
+// implements to route an org to its bucket.
+type Resolver interface {
+	Resolve(ctx context.Context, ref RepoRef, cred Credential) (billy.Filesystem, error)
+}
+
+// BucketResolver is the default Resolver: chroot one base filesystem (the whole
+// bucket) to ref.Path(), ignoring the credential. Preserves current behavior.
+type BucketResolver struct{ Base billy.Filesystem }
+func (b BucketResolver) Resolve(_ context.Context, ref RepoRef, _ Credential) (billy.Filesystem, error) {
+	return b.Base.Chroot(ref.Path())
+}
+```
+
+`Parse` is the single validation path. Add unit tests for valid input,
+missing/extra segments, empty segments, trailing slash, and `.git` stripping.
+
+## `daemon` changes (`cmd/objgitd/git_protocol.go`)
+
+Replace the `fs` and `loader` fields:
+
+```go
+type daemon struct {
+	sysFS    billy.Filesystem // bucket-level storage (SSH host key); NOT repo-scoped
+	resolver repofs.Resolver
+	authz    auth.Authorizer
+	allowHooks  bool
+	hookTimeout time.Duration
+}
+```
+
+Rewrite resolution to go through the hook (threading the credential), building
+the storer per resolved fs. Reuse go-git's bare-repo detection
+(`FilesystemLoader.load` returns `ErrRepositoryNotFound` when no `config` exists
+at the chroot root):
+
+```go
+// storerFor returns the bare-repo storer rooted at fs, or
+// transport.ErrRepositoryNotFound when none exists there.
+func storerFor(fs billy.Filesystem) (storage.Storer, error) {
+	return transport.NewFilesystemLoader(fs, false).Load(&url.URL{Path: "/"})
+}
+
+func (d *daemon) load(ctx context.Context, ref repofs.RepoRef, cred repofs.Credential) (storage.Storer, error) {
+	fs, err := d.resolver.Resolve(ctx, ref, cred)
+	if err != nil { return nil, err }
+	st, err := storerFor(fs)
+	if err != nil { return nil, err }
+	if err := ensureHEAD(st); err != nil { slog.Warn("...", "repo", ref.Path(), "err", err) }
+	return st, nil
+}
+
+func (d *daemon) loadOrInit(ctx context.Context, ref repofs.RepoRef, cred repofs.Credential) (storage.Storer, error) {
+	fs, err := d.resolver.Resolve(ctx, ref, cred)
+	if err != nil { return nil, err }
+	st, err := storerFor(fs)
+	if err == nil { ensureHEAD(st); return st, nil }
+	if !errors.Is(err, transport.ErrRepositoryNotFound) { return nil, err }
+	st = filesystem.NewStorage(fs, cache.NewObjectLRUDefault())
+	if _, err := git.Init(st, git.WithDefaultBranch(plumbing.NewBranchReferenceName("main"))); err != nil {
+		return nil, fmt.Errorf("init bare repo: %w", err)
+	}
+	metrics.ReposCreated()
+	slog.Info("created repository", "repo", ref.Path())
+	return st, nil
+}
+```
+
+The old `d.fs.Chroot(repoPath)` step is gone — `Resolve` returns the repo-root
+fs directly, so resolution happens once per request.
+
+## HTTP transport (`cmd/objgitd/http.go` + `main.go`) — primary work
+
+Replace the suffix-dispatch `ServeHTTP` with an `http.ServeMux` (built by a new
+`d.httpHandler()` method, wired in `main.go` as the server `Handler`). With a
+fixed two-segment path the wildcards the old code couldn't use now work:
+
+- `GET /{orgID}/{repoName}/info/refs`
+- `POST /{orgID}/{repoName}/git-upload-pack`
+- `POST /{orgID}/{repoName}/git-receive-pack`
+
+Handlers read `r.PathValue("orgID")`/`r.PathValue("repoName")`, build the ref via
+`repofs.Parse(path.Join(orgID, repoName))`, and 400 on `ErrInvalidPath`.
+ServeMux 404s anything that isn't exactly two segments before the suffix, so the
+shape is enforced for free.
+
+`resolve` extracts the Basic-auth credential and threads it through:
+
+```go
+func credFromRequest(r *http.Request) (auth.Credential, repofs.Credential) {
+	if u, p, ok := r.BasicAuth(); ok {
+		return auth.BasicAuth{Username: u, Password: p}, repofs.Credential{Username: u, Password: p}
+	}
+	return auth.Anonymous{}, repofs.Credential{}
+}
+```
+
+(or keep the existing `auth` credential helper and build the `repofs.Credential`
+inline). `resolve`, `handleInfoRefs`, `handleRPC`, and `d.receivePack` change
+their `repoPath string` parameter to a `repofs.RepoRef`; `resolve` passes the
+`repofs.Credential` to `load`/`loadOrInit`. Logging/hook context uses
+`ref.Path()`. Remove the variable-depth comment block and the now-unused
+`strings` import if it drops out.
+
+## git:// and SSH — mechanical only (out of scope)
+
+`git_protocol.go handle` and `ssh.go handleSSH` must adapt to the new
+`load`/`loadOrInit` signatures: parse their raw path with `repofs.Parse`
+(rendering `ErrInvalidPath` in their own dialect — pktline error / stderr+exit)
+and pass an empty `repofs.Credential{}`. `ssh.go`'s host-key load switches from
+`d.fs` to `d.sysFS`. No further redesign of these transports.
+
+## `main.go` changes
+
+- Keep building the base bucket fs (`fsys`) as today.
+- `d := &daemon{ sysFS: fsys, resolver: repofs.BucketResolver{Base: fsys}, authz: ..., allowHooks: ..., hookTimeout: ... }` — drop the `loader` field.
+- HTTP server `Handler: d.httpHandler()` instead of `Handler: d`.
+- Drop the `transport.NewFilesystemLoader` call; remove the `transport` import
+  from `main.go` if it becomes unused.
+
+## Behavioral note / migration
+
+Stripping `.git` and requiring an org changes the storage key from `repo.git/`
+to `org/repo/`. Repos created under the old layout won't resolve under the new
+scheme. Acceptable for the current stage; no migration is in scope.
+
+## Tests
+
+- New `internal/repofs/repofs_test.go` — table-driven `Parse` cases (and a tiny
+  `BucketResolver.Resolve` check that it chroots to `ref.Path()`).
+- Update `cmd/objgitd/http_test.go` (and the shared helpers in
+  `git_protocol_test.go` it reuses): remotes gain an org segment (`/test.git`
+  → `/acme/test.git`), and storage-key assertions drop `.git`
+  (`/test.git/config` → `/acme/test/config`; `assertPackedRepo(t, fs,
+"/acme/test")`). The git:// tests in `git_protocol_test.go` need the same path
+  updates to keep passing.
+- Optionally add an HTTP test that a single-segment path returns 404 and that a
+  Basic-auth credential reaches a stub resolver.
+
+## Verification
+
+```text
+go build ./...
+go test ./internal/repofs/...
+go test -run TestSmartHTTP ./cmd/objgitd/...   # requires git on PATH
+go test ./cmd/objgitd/...
+```
+
+End-to-end against a real bucket:
+
+```text
+./objgitd -bucket $BUCKET -http-bind :8080 -allow-push
+git clone http://user:pass@localhost:8080/acme/demo.git   # creates acme/demo/ on first push; user/pass reach the resolver
+git clone http://localhost:8080/demo.git                  # single segment -> 404
+```