The Storage Service provides encrypted object storage with client-side encryption support.

Storage Architecture

The Storage Service provides encrypted object storage with client-side encryption support.

Service Configuration

From apps/storage-service/src/config/env.ts:

Setting	Environment Variable	Default
Port	`PORT`	8092
Backend	`STORAGE_BACKEND`	`filesystem`
Multipart chunk size	`STORAGE_MULTIPART_CHUNK_SIZE`	32 MB
Upload expiration	`STORAGE_UPLOAD_EXPIRATION_MINUTES`	60 min
Manifest signature	`STORAGE_MANIFEST_SIGNATURE_ALGORITHM`	`dilithium-3`

Storage Backends

Backend	Environment Variable	Description
`filesystem`	`STORAGE_BASE_PATH`	Local filesystem
`s3`	`STORAGE_S3_BUCKET`, `STORAGE_S3_REGION`	AWS S3 or compatible
`azure-blob`	-	Azure Blob Storage
`gcs`	-	Google Cloud Storage

S3 Configuration

Setting	Environment Variable	Default
Bucket	`STORAGE_S3_BUCKET`	-
Region	`STORAGE_S3_REGION`	`us-east-1`
Endpoint	`STORAGE_S3_ENDPOINT`	AWS default
Object Lock	`STORAGE_S3_OBJECT_LOCK_ENABLED`	`false`
Lock Mode	`STORAGE_S3_OBJECT_LOCK_MODE`	`COMPLIANCE`

Malware Scanning

Setting	Environment Variable	Default
Enabled	`STORAGE_MALWARE_SCANNING_ENABLED`	`false`
Driver	`STORAGE_MALWARE_SCANNER_DRIVER`	`clamav`
Endpoint	`STORAGE_MALWARE_SCANNER_ENDPOINT`	`tcp://127.0.0.1:3310`
Timeout	`STORAGE_MALWARE_SCAN_TIMEOUT_MS`	60,000 ms
Suspicious policy	`STORAGE_MALWARE_POLICY_SUSPICIOUS`	`treat-as-infected`

BYOK (Bring Your Own Key)

Configure tenant-specific encryption keys via STORAGE_BYOK_REGISTRY:

[
  {
    "tenantId": "<uuid>",
    "keyId": "<key-id>",
    "algorithm": "aes-256-gcm",
    "provider": "byok",
    "material": "<base64-encoded-key>"
  }
]

Replication

Setting	Environment Variable	Default
Enabled	`STORAGE_REPLICATION_ENABLED`	`false`
Targets	`STORAGE_REPLICATION_TARGETS`	-
Poll interval	`STORAGE_REPLICATION_POLL_INTERVAL_MS`	10,000 ms
Batch size	`STORAGE_REPLICATION_BATCH_SIZE`	10

CDN Integration

Setting	Environment Variable	Default
Base URL	`STORAGE_CDN_BASE_URL`	-
Signing key	`STORAGE_CDN_SIGNING_KEY_BASE64`	-
Token TTL	`STORAGE_CDN_TOKEN_TTL_SECONDS`	600 (10 min)

Request Flow

Client → Edge Gateway (8107) → Storage Service (8092) → Backend
                                       ↓
                                 Vault (keys) / KMS