04 — Storage Features
Differentiators that exploit BitVault’s content-addressed core (storage/) for things commodity file apps can’t easily do: provable integrity, zero-knowledge privacy, time-travel, and immutability.
S1 — E2E Encrypted Private Vaults ⭐ flagship
Full treatment in 01 §4. Opt-in zero-knowledge tier; per-file content keys wrapped per recipient; honest tradeoff (no server-side search/preview/dedup on E2E data). Complexity XL · Resume Very High.
S2 — Verifiable Storage (CIDs + Merkle proofs) ⭐ flagship
Full treatment in 01 §6. Content IDs + inclusion proofs + signed receipts → prove integrity without trusting the server. Complexity M–L · Resume Very High.
S3 — Time-Travel / Point-in-Time Browse
Browse the entire namespace as it existed at any past timestamp — not just per-file
version history, but “show me my whole /projects folder as of last Tuesday 3pm.”
- Design: the change journal (ADR-0008, storage/08) is an ordered log of namespace mutations; replaying/snapshotting it to time T reconstructs the tree, and content-addressed immutable blobs (storage/02) guarantee the bytes still resolve. Snapshots (storage/07) make common points cheap.
| Why it matters | “Undo for your whole filesystem” / ransomware recovery / point-in-time exploration — a beloved, demoable feature that falls out of the journal. |
| Complexity | M — journal replay + a time-scoped read path + UI; bounded by journal retention. |
| Dependencies | Change journal + versioning (storage/07), backup retention alignment (platform/12). |
| Resume impact | Medium. Event-sourced temporal queries are a tidy systems story. |
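The replay described in the S3 design bullet, as an added example (not BitVault's own code): it rebuilds a path-to-CID map as of time T from the newest snapshot plus the journal tail, and refuses when journal retention no longer covers the gap. The `Entry` fields, the op names, `tree_at` and `truncated_before` are assumptions made for illustration, and the sample data is constructed.

```python
from dataclasses import dataclass

# Hypothetical record shapes for illustration; not BitVault's journal schema.
@dataclass(frozen=True)
class Entry:
    ts: int          # mutation time; the journal is ordered by ts
    op: str          # "put", "delete" or "move"
    path: str
    cid: str = ""    # content ID bound to path by a "put"
    dest: str = ""   # destination path for a "move"

class RetentionError(Exception):
    """The journal no longer covers the span needed to rebuild the tree."""

def _subtree(tree, root):
    return [p for p in tree if p == root or p.startswith(root + "/")]

def _apply(tree, e):
    if e.op == "put":
        tree[e.path] = e.cid
    elif e.op == "delete":
        for p in _subtree(tree, e.path):
            del tree[p]
    elif e.op == "move":
        for p in _subtree(tree, e.path):
            tree[e.dest + p[len(e.path):]] = tree.pop(p)
    else:
        raise ValueError(f"unknown journal op: {e.op!r}")

def tree_at(journal, snapshots, t, truncated_before=None):
    """Return {path: cid} as it stood at time t (inclusive)."""
    # Start from the newest snapshot at or before t, else from an empty tree.
    base_ts, base = max((s for s in snapshots if s[0] <= t),
                        key=lambda s: s[0], default=(-1, {}))
    # Entries older than truncated_before are gone; replay is only sound if
    # the base snapshot was taken at or after that point.
    if truncated_before is not None and base_ts < truncated_before:
        raise RetentionError(f"cannot rebuild t={t}: journal truncated")
    tree = dict(base)
    for e in journal:
        if e.ts > t:
            break
        if e.ts > base_ts:
            _apply(tree, e)
    return tree

# Constructed sample data.
JOURNAL = [Entry(100, "put", "/projects/a.txt", cid="cid-a1"),
           Entry(200, "put", "/projects/b.txt", cid="cid-b1"),
           Entry(300, "put", "/projects/a.txt", cid="cid-a2"),
           Entry(400, "move", "/projects", dest="/archive"),
           Entry(500, "delete", "/archive/b.txt")]
SNAPSHOTS = [(250, {"/projects/a.txt": "cid-a1", "/projects/b.txt": "cid-b1"})]
```

The result holds only CIDs, so the time-scoped read path never copies bytes; it depends on GC not having collected any blob that a retained journal entry or snapshot still references.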
S4 — WORM / Legal-Hold Vaults
Write-once-read-many vaults where objects cannot be modified or deleted until a retention period elapses (or a legal hold releases).
- Design: object-lock buckets (storage/01) + `retain_until` floors GC must respect (storage/11); enforced by policy (07).
| Why it matters | Compliance (SEC 17a-4, etc.) + a strong anti-ransomware guarantee (even an admin can’t delete). |
| Complexity | M — provider object-lock + GC/retention integration + policy surface. |
| Dependencies | Storage WORM (storage/07), GC grace (storage/11). |
| Resume impact | Medium. Compliance storage with correct GC interaction. |
S5 — Content Transformation Pipeline
Automatic, event-driven derived assets: thumbnails, video transcodes, document previews, OCR text, virus scans — generated by Functions/plugins on upload.
```mermaid
flowchart LR
    classDef e fill:#fde68a,stroke:#b45309,color:#111827;
    classDef f fill:#bbf7d0,stroke:#15803d,color:#111827;
    up["upload → NodeChanged"]:::e --> bus["event bus (08)"]:::e
    bus --> t1["thumbnail fn"]:::f
    bus --> t2["transcode fn"]:::f
    bus --> t3["OCR / extract fn"]:::f
    bus --> t4["AV scan fn"]:::f
    t1 & t2 & t3 & t4 --> der["derived assets + metadata (content-addressed, dedup'd)"]:::f
```
- Pure composition of Functions §2 + plugins §1 + events §8; derived assets are themselves content-addressed (dedup, storage/03).
| Why it matters | Previews/transcodes are expected of a serious file product; doing it via the plugin/Functions platform showcases composability and is extensible by users. |
| Complexity | M atop Functions; individual transforms (transcode) have their own depth, offloaded to plugins. |
| Dependencies | Functions (06), plugins (09), events (08). |
| Resume impact | Medium. Event-driven media pipeline; strongest as proof the platform composes. |
Priorities within storage
S1/S2 are the flagship trust pair. S3 (time-travel) is cheap, demoable delight. S5 showcases the platform. S4 is compliance table-stakes done correctly.