ADR-0011 — Direct-to-storage data plane via scoped presigned URLs

Context

File bytes are large and high-volume. Proxying them through Go compute (gateway/ services) is a memory, CPU, and egress-cost disaster and couples data-plane throughput to control-plane replicas (R5/R12). The standard cloud-native answer is direct client ⇄ object-store transfer via presigned URLs. The catch: a presigned URL bypasses BitVault’s authz and audit — it is a bearer capability.

Decision

Consequences

Positive

Negative / costs

Alternatives considered