ADR-0018 — Per-tenant, whole-object server-side deduplication

V1 Freeze (2026-06-12): Accepted, whole-object. Blocker-1 resolution: V1 dedups at the whole-object granularity (a file’s content is one content-addressed blob), not chunk-level. Chunk/CDC dedup is deferred with ADR-0017. The per-tenant scope (the security decision) is unchanged and binding.

Context

Deduplication scope — per-user, per-tenant, or global (cross-tenant) — is a security decision, not just an efficiency one: cross-user/cross-tenant dedup creates a side channel (Harnik, Pinkas & Shulman-Peleg, 2010) that leaks file existence via observable upload-skips (probing, low-entropy form-filling attacks), and co-mingles bytes across the tenant isolation boundary (ADR-0007).

Independently, granularity (whole-object vs chunk) is an efficiency/complexity decision. The pre-freeze review (review §3.1) found the data model described whole-object blobs while ADRs 0017/0018/0019/0020 described a chunk/pack/manifest store — two contradictory architectures, both “Accepted.” V1 picks one.

Decision

Consequences

Positive

Negative / costs

Alternatives considered

Scaling

Per-tenant scope aligns dedup with the tenant-sharded metadata model, so dedup lookups and refcounts shard naturally and never become a global hotspot.
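As an added illustration (not code from this ADR or the project), a minimal whole-object, per-tenant content-addressed store: the dedup index and refcount are keyed by (tenant_id, digest), as the Context and Scaling sections require, so identical bytes uploaded by two tenants are stored twice and one tenant's upload never consults another tenant's shard. Class and method names and the choice of SHA-256 are assumptions.

```python
import hashlib


class TenantScopedBlobStore:
    """Whole-object, content-addressed store whose dedup index is keyed by
    (tenant_id, digest): identical bytes from two tenants are stored twice,
    and a lookup never crosses the tenant boundary (constructed example)."""

    def __init__(self) -> None:
        self._blobs: dict[tuple[str, str], bytes] = {}
        self._refs: dict[tuple[str, str], int] = {}

    @staticmethod
    def digest(content: bytes) -> str:
        return hashlib.sha256(content).hexdigest()

    def put(self, tenant_id: str, content: bytes) -> tuple[str, bool]:
        """Store one whole object for tenant_id; returns (digest, deduplicated).

        The lookup is scoped to the tenant's own shard, so an upload can only
        match this tenant's earlier objects, never another tenant's bytes.
        """
        key = (tenant_id, self.digest(content))
        if key in self._blobs:
            self._refs[key] += 1
            return key[1], True
        self._blobs[key] = content
        self._refs[key] = 1
        return key[1], False

    def delete(self, tenant_id: str, digest: str) -> bool:
        """Drop one reference; the blob is freed when the tenant's count hits 0."""
        key = (tenant_id, digest)
        if key not in self._refs:
            return False
        self._refs[key] -= 1
        if self._refs[key] == 0:
            del self._refs[key]
            del self._blobs[key]
        return True

    def refs(self, tenant_id: str, digest: str) -> int:
        """Per-tenant reference count for a digest (0 if unknown to the tenant)."""
        return self._refs.get((tenant_id, digest), 0)

    def physical_copies(self, content: bytes) -> int:
        """How many tenants hold their own physical copy of these bytes."""
        d = self.digest(content)
        return sum(1 for (_, dg) in self._blobs if dg == d)
```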

References