create_aio

internal/admin/admin.go

@@ -0,0 +1,146 @@
+package admin
+
+import (
+	"context"
+	_ "embed"
+	"html/template"
+	"net/http"
+	"strconv"
+	"strings"
+	"time"
+
+	"git.send.nrw/sendnrw/decent-webui/internal/filesvc"
+	"git.send.nrw/sendnrw/decent-webui/internal/mesh"
+)
+
+/*** Templates einbetten ***/
+
+//go:embed tpl/layout.html
+var layoutHTML string
+
+//go:embed tpl/partials_items.html
+var itemsPartialHTML string
+
+//go:embed tpl/partials_peers.html
+var peersPartialHTML string
+
+var (
+	tplLayout = template.Must(template.New("layout").Parse(layoutHTML))
+	tplItems  = template.Must(template.New("items").Funcs(template.FuncMap{
+		"timeRFC3339": func(unixNano int64) string {
+			if unixNano == 0 {
+				return ""
+			}
+			return time.Unix(0, unixNano).UTC().Format(time.RFC3339)
+		},
+	}).Parse(itemsPartialHTML))
+	tplPeers = template.Must(template.New("peers").Parse(peersPartialHTML))
+)
+
+type Deps struct {
+	Store filesvc.MeshStore
+	Mesh  *mesh.Node
+}
+
+// Register hängt alle /admin Routen ein.
+// Auth liegt optional VOR Register (BasicAuth-Middleware), siehe main.go.
+func Register(mux *http.ServeMux, d Deps) {
+	// Dashboard
+	mux.HandleFunc("/admin", func(w http.ResponseWriter, r *http.Request) {
+		renderLayout(w, r, "Files", "/admin/items")
+	})
+
+	// Partials
+	mux.HandleFunc("/admin/items", func(w http.ResponseWriter, r *http.Request) {
+		// Liste rendern (Pagination optional via ?next=)
+		nextQ := strings.TrimSpace(r.URL.Query().Get("next"))
+		var nextID filesvc.ID
+		if nextQ != "" {
+			if n, err := strconv.ParseInt(nextQ, 10, 64); err == nil {
+				nextID = filesvc.ID(n)
+			}
+		}
+		items, nextOut, _ := d.Store.List(r.Context(), nextID, 100)
+		_ = tplItems.Execute(w, map[string]any{
+			"Items": items,
+			"Next":  nextOut,
+		})
+	})
+
+	mux.HandleFunc("/admin/peers", func(w http.ResponseWriter, r *http.Request) {
+		peers := d.Mesh.PeerList()
+		_ = tplPeers.Execute(w, map[string]any{
+			"Peers": peers,
+			"Now":   time.Now(),
+		})
+	})
+
+	// Actions (HTMX POSTs)
+	mux.HandleFunc("/admin/items/create", func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != http.MethodPost {
+			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
+			return
+		}
+		name := strings.TrimSpace(r.FormValue("name"))
+		if name != "" {
+			_, _ = d.Store.Create(r.Context(), name)
+			_ = d.Mesh.SyncNow(r.Context()) // prompt push (best effort)
+		}
+		// Nach Aktion Items partial zurückgeben (HTMX swap)
+		http.Redirect(w, r, "/admin/items", http.StatusSeeOther)
+	})
+
+	mux.HandleFunc("/admin/items/rename", func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != http.MethodPost {
+			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
+			return
+		}
+		idStr := r.FormValue("id")
+		newName := strings.TrimSpace(r.FormValue("name"))
+		if id, err := strconv.ParseInt(idStr, 10, 64); err == nil && newName != "" {
+			_, _ = d.Store.Rename(r.Context(), filesvc.ID(id), newName)
+			_ = d.Mesh.SyncNow(r.Context())
+		}
+		http.Redirect(w, r, "/admin/items", http.StatusSeeOther)
+	})
+
+	mux.HandleFunc("/admin/items/delete", func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != http.MethodPost {
+			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
+			return
+		}
+		if id, err := strconv.ParseInt(r.FormValue("id"), 10, 64); err == nil {
+			_, _ = d.Store.Delete(r.Context(), filesvc.ID(id))
+			_ = d.Mesh.SyncNow(r.Context())
+		}
+		http.Redirect(w, r, "/admin/items", http.StatusSeeOther)
+	})
+
+	mux.HandleFunc("/admin/mesh/syncnow", func(w http.ResponseWriter, r *http.Request) {
+		_ = d.Mesh.SyncNow(context.Background())
+		http.Redirect(w, r, "/admin/peers", http.StatusSeeOther)
+	})
+}
+
+func renderLayout(w http.ResponseWriter, _ *http.Request, active string, initial string) {
+	_ = tplLayout.Execute(w, map[string]any{
+		"Active": active,
+		"Init":   initial, // initialer HTMX Swap-Endpunkt
+	})
+}
+
+/*** Optional: einfache BasicAuth (siehe main.go) ***/
+func BasicAuth(user, pass string, next http.Handler) http.Handler {
+	if strings.TrimSpace(user) == "" {
+		return next // deaktiviert
+	}
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		u, p, ok := r.BasicAuth()
+		if !ok || u != user || p != pass {
+			w.Header().Set("WWW-Authenticate", `Basic realm="admin"`)
+			http.Error(w, "unauthorized", http.StatusUnauthorized)
+			return
+		}
+		next.ServeHTTP(w, r)
+	})
+}

internal/admin/tpl/layout.html

@@ -0,0 +1,39 @@
+<!doctype html>
+<html lang="de">
+<head>
+  <meta charset="utf-8"/>
+  <meta name="viewport" content="width=device-width,initial-scale=1"/>
+  <title>Admin</title>
+  <script src="https://unpkg.com/htmx.org@1.9.12"></script>
+  <style>
+    :root { --bg:#0b1220; --card:#121a2b; --muted:#94a3b8; --text:#e5e7eb; --accent:#4f46e5; }
+    html,body { margin:0; background:var(--bg); color:var(--text); font-family: ui-sans-serif, system-ui, -apple-system, Segoe UI, Roboto, Ubuntu; }
+    .wrap { max-width: 980px; margin: 40px auto; padding: 0 16px; }
+    .nav { display:flex; gap:12px; margin-bottom:16px; }
+    .btn { background:var(--card); border:1px solid #243044; padding:8px 12px; border-radius:10px; color:var(--text); cursor:pointer; }
+    .btn:hover { border-color:#3b4a66; }
+    .btn-primary { background: var(--accent); border-color: var(--accent); color:white; }
+    .card { background:var(--card); border:1px solid #1f2937; border-radius:16px; padding:16px; box-shadow: 0 6px 30px rgba(0,0,0,.25); }
+    .row { display:flex; gap:16px; flex-wrap:wrap; }
+    table { width:100%; border-collapse: collapse; }
+    th, td { border-bottom: 1px solid #1f2937; padding:10px; text-align:left; }
+    input[type="text"] { background:#0f1626; border:1px solid #263246; color:var(--text); padding:8px 10px; border-radius:10px; width:100%; }
+    small { color: var(--muted); }
+    .muted { color: var(--muted); }
+    .pill { font-size: 12px; padding: 2px 8px; border:1px solid #2b364b; border-radius:999px; background:#0f1626; color:#bcd; }
+  </style>
+</head>
+<body>
+  <div class="wrap">
+    <h1 style="margin:0 0 10px 0;">Unified Admin</h1>
+    <div class="nav">
+      <button class="btn" hx-get="/admin/items" hx-target="#main" hx-swap="innerHTML">Dateien</button>
+      <button class="btn" hx-get="/admin/peers" hx-target="#main" hx-swap="innerHTML">Mesh</button>
+    </div>
+    <div id="main" class="card" hx-get="{{.Init}}" hx-trigger="load" hx-swap="innerHTML">
+      <div class="muted">Lade…</div>
+    </div>
+    <div style="margin-top:14px"><small>© Admin UI</small></div>
+  </div>
+</body>
+</html>

internal/admin/tpl/partials_items.html

@@ -0,0 +1,57 @@
+<div class="row">
+  <div style="flex: 1 1 360px">
+    <form hx-post="/admin/items/create" hx-target="#items" hx-get="/admin/items" hx-swap="outerHTML">
+      <label>Neue Datei</label>
+      <div style="display:flex; gap:8px; margin-top:6px">
+        <input type="text" name="name" placeholder="z.B. notes.txt" required>
+        <button class="btn btn-primary" type="submit">Anlegen</button>
+      </div>
+    </form>
+  </div>
+</div>
+
+<div id="items" style="margin-top:14px">
+  <table>
+    <thead>
+      <tr>
+        <th>ID</th><th>Name</th><th>Updated</th><th style="width:200px">Aktionen</th>
+      </tr>
+    </thead>
+    <tbody>
+    {{ range .Items }}
+      <tr>
+        <td>{{ .ID }}</td>
+        <td>{{ .Name }}</td>
+        <td><small class="muted">{{ printf "%.19s" (timeRFC3339 .UpdatedAt) }}</small></td>
+        <td>
+          <form style="display:inline-flex; gap:6px" 
+                hx-post="/admin/items/rename" 
+                hx-target="#items" hx-get="/admin/items" hx-swap="outerHTML">
+            <input type="hidden" name="id" value="{{ .ID }}">
+            <input type="text" name="name" placeholder="Neuer Name">
+            <button class="btn" type="submit" title="Umbenennen">Rename</button>
+          </form>
+          <form style="display:inline" 
+                hx-post="/admin/items/delete" 
+                hx-target="#items" hx-get="/admin/items" hx-swap="outerHTML"
+                onsubmit="return confirm('Wirklich löschen?');">
+            <input type="hidden" name="id" value="{{ .ID }}">
+            <button class="btn" type="submit" title="Löschen">Delete</button>
+          </form>
+        </td>
+      </tr>
+    {{ else }}
+      <tr><td colspan="4" class="muted">Keine Dateien vorhanden.</td></tr>
+    {{ end }}
+    </tbody>
+  </table>
+
+  {{ if .Next }}
+    <div style="margin-top:10px">
+      <button class="btn" 
+              hx-get="/admin/items?next={{ .Next }}" 
+              hx-target="#items" hx-swap="outerHTML">Mehr laden</button>
+      <span class="pill">next={{ .Next }}</span>
+    </div>
+  {{ end }}
+</div>

internal/admin/tpl/partials_peers.html

@@ -0,0 +1,23 @@
+<div style="display:flex; justify-content:space-between; align-items:center">
+  <h3 style="margin:0">Mesh Peers</h3>
+  <form hx-post="/admin/mesh/syncnow" hx-target="#peers" hx-get="/admin/peers" hx-swap="outerHTML">
+    <button class="btn btn-primary" type="submit">Jetzt synchronisieren</button>
+  </form>
+</div>
+<div id="peers" style="margin-top:10px">
+  <table>
+    <thead><tr><th>URL</th><th>Self</th><th>Last Seen</th></tr></thead>
+    <tbody>
+    {{ range .Peers }}
+      <tr>
+        <td>{{ .URL }}</td>
+        <td>{{ if .Self }}✅{{ else }}—{{ end }}</td>
+        <td><small class="muted">{{ .LastSeen }}</small></td>
+      </tr>
+    {{ else }}
+      <tr><td colspan="3" class="muted">Keine Peers bekannt.</td></tr>
+    {{ end }}
+    </tbody>
+  </table>
+  <div class="muted" style="margin-top:8px"><small>Stand: {{ .Now }}</small></div>
+</div>

internal/filesvc/memstore.go

@@ -0,0 +1,195 @@
+package filesvc
+
+import (
+	"context"
+	"slices"
+	"strings"
+	"sync"
+	"time"
+)
+
+type MemStore struct {
+	mu    sync.Mutex
+	items map[ID]File
+	next  ID
+
+	// optionales Eventing
+	subs []chan ChangeEvent
+}
+
+func NewMemStore() *MemStore {
+	return &MemStore{
+		items: make(map[ID]File),
+		next:  1,
+	}
+}
+
+/*** Store ***/
+
+func (m *MemStore) Get(_ context.Context, id ID) (File, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	it, ok := m.items[id]
+	if !ok || it.Deleted {
+		return File{}, ErrNotFound
+	}
+	return it, nil
+}
+
+func (m *MemStore) List(_ context.Context, next ID, limit int) ([]File, ID, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	if limit <= 0 || limit > 1000 {
+		limit = 100
+	}
+	ids := make([]ID, 0, len(m.items))
+	for id := range m.items {
+		ids = append(ids, id)
+	}
+	slices.Sort(ids)
+
+	start := 0
+	if next > 0 {
+		for i, id := range ids {
+			if id >= next {
+				start = i
+				break
+			}
+		}
+	}
+	end := start + limit
+	if end > len(ids) {
+		end = len(ids)
+	}
+
+	out := make([]File, 0, end-start)
+	for _, id := range ids[start:end] {
+		it := m.items[id]
+		if !it.Deleted {
+			out = append(out, it)
+		}
+	}
+	var nextOut ID
+	if end < len(ids) {
+		nextOut = ids[end]
+	}
+	return out, nextOut, nil
+}
+
+func (m *MemStore) Create(_ context.Context, name string) (File, error) {
+	name = strings.TrimSpace(name)
+	if name == "" {
+		return File{}, ErrBadInput
+	}
+
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	now := time.Now().UnixNano()
+	it := File{ID: m.next, Name: name, UpdatedAt: now}
+	m.items[it.ID] = it
+	m.next++
+	m.emit(it)
+	return it, nil
+}
+
+func (m *MemStore) Rename(_ context.Context, id ID, newName string) (File, error) {
+	newName = strings.TrimSpace(newName)
+	if newName == "" {
+		return File{}, ErrBadInput
+	}
+
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	it, ok := m.items[id]
+	if !ok || it.Deleted {
+		return File{}, ErrNotFound
+	}
+	it.Name = newName
+	it.UpdatedAt = time.Now().UnixNano()
+	m.items[id] = it
+	m.emit(it)
+	return it, nil
+}
+
+func (m *MemStore) Delete(_ context.Context, id ID) (File, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	it, ok := m.items[id]
+	if !ok {
+		return File{}, ErrNotFound
+	}
+	if it.Deleted {
+		return it, nil
+	}
+	it.Deleted = true
+	it.UpdatedAt = time.Now().UnixNano()
+	m.items[id] = it
+	m.emit(it)
+	return it, nil
+}
+
+/*** Replicable ***/
+
+func (m *MemStore) Snapshot(_ context.Context) (Snapshot, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	s := Snapshot{Items: make([]File, 0, len(m.items))}
+	for _, it := range m.items {
+		s.Items = append(s.Items, it) // inkl. Tombstones
+	}
+	return s, nil
+}
+
+func (m *MemStore) ApplyRemote(_ context.Context, s Snapshot) error {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	for _, ri := range s.Items {
+		li, ok := m.items[ri.ID]
+		if !ok || ri.UpdatedAt > li.UpdatedAt {
+			m.items[ri.ID] = ri
+			if ri.ID >= m.next {
+				m.next = ri.ID + 1
+			}
+			m.emitLocked(ri)
+		}
+	}
+	return nil
+}
+
+/*** Watchable (optional) ***/
+
+func (m *MemStore) Watch(stop <-chan struct{}) <-chan ChangeEvent {
+	ch := make(chan ChangeEvent, 32)
+
+	m.mu.Lock()
+	m.subs = append(m.subs, ch)
+	m.mu.Unlock()
+
+	go func() {
+		<-stop
+		m.mu.Lock()
+		// entferne ch aus subs
+		for i, s := range m.subs {
+			if s == ch {
+				m.subs = append(m.subs[:i], m.subs[i+1:]...)
+				break
+			}
+		}
+		m.mu.Unlock()
+		close(ch)
+	}()
+	return ch
+}
+
+func (m *MemStore) emit(it File) {
+	m.emitLocked(it) // mu wird im Aufrufer gehalten
+}
+func (m *MemStore) emitLocked(it File) {
+	ev := ChangeEvent{At: time.Now(), Item: it}
+	for _, s := range m.subs {
+		select {
+		case s <- ev:
+		default: /* drop wenn voll */
+		}
+	}
+}

internal/filesvc/store.go

@@ -0,0 +1,78 @@
+package filesvc
+
+import (
+	"context"
+	"errors"
+	"time"
+)
+
+/*** Domain ***/
+
+type ID = int64
+
+type File struct {
+	ID   ID     `json:"id"`
+	Name string `json:"name"`
+	// weitere Metadaten optional: Size, Hash, Owner, Tags, ...
+	UpdatedAt int64 `json:"updatedAt"` // UnixNano für LWW
+	Deleted   bool  `json:"deleted"`   // Tombstone für Mesh-Delete
+}
+
+/*** Fehler ***/
+
+var (
+	ErrNotFound  = errors.New("file not found")
+	ErrBadInput  = errors.New("bad input")
+	ErrConflict  = errors.New("conflict")
+	ErrForbidden = errors.New("forbidden")
+	ErrTransient = errors.New("transient")
+)
+
+/*** Basis-API (lokal nutzbar) ***/
+
+type Store interface {
+	// Lesen & Auflisten
+	Get(ctx context.Context, id ID) (File, error)
+	List(ctx context.Context, next ID, limit int) (items []File, nextOut ID, err error)
+
+	// Mutationen mit LWW-Semantik (UpdatedAt wird intern gesetzt, außer bei ApplyRemote)
+	Create(ctx context.Context, name string) (File, error)
+	Rename(ctx context.Context, id ID, newName string) (File, error)
+	Delete(ctx context.Context, id ID) (File, error)
+}
+
+/*** Mesh-Replikation ***/
+
+type Snapshot struct {
+	Items []File `json:"items"`
+}
+
+type Replicable interface {
+	// Snapshot liefert den vollständigen aktuellen Stand (inkl. Tombstones).
+	Snapshot(ctx context.Context) (Snapshot, error)
+	// ApplyRemote wendet LWW an. next-ID wird dabei korrekt fortgeschrieben.
+	ApplyRemote(ctx context.Context, s Snapshot) error
+}
+
+/*** Events (optional) ***/
+
+// ChangeEvent kann genutzt werden, um proaktive Mesh-Pushes zu triggern.
+// Bei deiner Pull-basierten Anti-Entropy ist es optional.
+type ChangeEvent struct {
+	At   time.Time
+	Item File
+}
+
+// Watch gibt Änderungen aus; close(stop) beendet den Stream.
+// Eine Noop-Implementierung ist erlaubt, wenn Pull-Sync genügt.
+type Watchable interface {
+	Watch(stop <-chan struct{}) <-chan ChangeEvent
+}
+
+/*** Kombiniertes Interface ***/
+
+type MeshStore interface {
+	Store
+	Replicable
+	Watchable // optional – kann Noop sein
+}

internal/mesh/mesh.go

@@ -0,0 +1,451 @@
+package mesh
+
+import (
+	"bytes"
+	"context"
+	"crypto/hmac"
+	"crypto/sha256"
+	"encoding/hex"
+	"encoding/json"
+	"errors"
+	"hash/crc32"
+	"io"
+	"log"
+	"net"
+	"net/http"
+	"os"
+	"slices"
+	"strings"
+	"sync"
+	"time"
+)
+
+/*** Types & Config ***/
+
+type Config struct {
+	BindAddr         string   // e.g. ":9090"
+	AdvertURL        string   // e.g. "http://10.0.0.5:9090"
+	Seeds            []string // other peers' mesh base URLs
+	ClusterSecret    string   // HMAC key
+	EnableDiscovery  bool
+	DiscoveryAddress string // "239.8.8.8:9898"
+}
+
+type Peer struct {
+	URL       string    `json:"url"`
+	LastSeen  time.Time `json:"lastSeen"`
+	Self      bool      `json:"self"`
+	OwnerHint int       `json:"ownerHint"` // optional
+}
+
+type Item struct {
+	ID        int64  `json:"id"`
+	Name      string `json:"name"`
+	UpdatedAt int64  `json:"updatedAt"`
+	Deleted   bool   `json:"deleted"` // <— NEU: Tombstone für Deletes
+}
+
+type Snapshot struct {
+	Items []Item `json:"items"`
+}
+
+// Callbacks that your app provides
+type Callbacks struct {
+	GetSnapshot func(ctx context.Context) (Snapshot, error)
+	ApplyRemote func(ctx context.Context, s Snapshot) error
+}
+
+/*** Node ***/
+
+type Node struct {
+	cfg    Config
+	cbs    Callbacks
+	self   Peer
+	mu     sync.RWMutex
+	peers  map[string]*Peer
+	client *http.Client
+	srv    *http.Server
+	stop   chan struct{}
+	wg     sync.WaitGroup
+}
+
+func New(cfg Config, cbs Callbacks) (*Node, error) {
+	if cfg.BindAddr == "" || cfg.AdvertURL == "" {
+		return nil, errors.New("mesh: BindAddr and AdvertURL required")
+	}
+	if cfg.ClusterSecret == "" {
+		return nil, errors.New("mesh: ClusterSecret required")
+	}
+	n := &Node{
+		cfg:   cfg,
+		cbs:   cbs,
+		self:  Peer{URL: cfg.AdvertURL, LastSeen: time.Now(), Self: true},
+		peers: make(map[string]*Peer),
+		client: &http.Client{
+			Timeout: 5 * time.Second,
+		},
+		stop: make(chan struct{}),
+	}
+	return n, nil
+}
+
+/*** HMAC helpers ***/
+
+func (n *Node) sign(b []byte) string {
+	m := hmac.New(sha256.New, []byte(n.cfg.ClusterSecret))
+	m.Write(b)
+	return hex.EncodeToString(m.Sum(nil))
+}
+
+func (n *Node) verify(b []byte, sig string) bool {
+	want := n.sign(b)
+	return hmac.Equal([]byte(want), []byte(sig))
+}
+
+/*** HTTP handlers (control plane) ***/
+
+func (n *Node) helloHandler(w http.ResponseWriter, r *http.Request) {
+	body, _ := io.ReadAll(r.Body)
+	if !n.verify(body, r.Header.Get("X-Mesh-Sig")) {
+		http.Error(w, "bad signature", http.StatusUnauthorized)
+		return
+	}
+	var p Peer
+	if err := json.Unmarshal(body, &p); err != nil {
+		http.Error(w, "bad json", http.StatusBadRequest)
+		return
+	}
+	p.LastSeen = time.Now()
+	n.mu.Lock()
+	if existing, ok := n.peers[p.URL]; ok {
+		existing.LastSeen = p.LastSeen
+	} else if p.URL != n.self.URL {
+		cp := p
+		n.peers[p.URL] = &cp
+	}
+	n.mu.Unlock()
+	w.WriteHeader(http.StatusNoContent)
+}
+
+func (n *Node) peersHandler(w http.ResponseWriter, r *http.Request) {
+	n.mu.RLock()
+	defer n.mu.RUnlock()
+	var list []Peer
+	list = append(list, n.self)
+	for _, p := range n.peers {
+		list = append(list, *p)
+	}
+	writeJSON(w, http.StatusOK, list)
+}
+
+func (n *Node) syncHandler(w http.ResponseWriter, r *http.Request) {
+	// verify signature
+	body, _ := io.ReadAll(r.Body)
+	if !n.verify(body, r.Header.Get("X-Mesh-Sig")) {
+		http.Error(w, "bad signature", http.StatusUnauthorized)
+		return
+	}
+	var s Snapshot
+	if err := json.Unmarshal(body, &s); err != nil {
+		http.Error(w, "bad json", http.StatusBadRequest)
+		return
+	}
+	// apply
+	if err := n.cbs.ApplyRemote(r.Context(), s); err != nil {
+		http.Error(w, "apply error: "+err.Error(), http.StatusInternalServerError)
+		return
+	}
+	w.WriteHeader(http.StatusNoContent)
+}
+
+func writeJSON(w http.ResponseWriter, code int, v any) {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(code)
+	_ = json.NewEncoder(w).Encode(v)
+}
+
+/*** Serve ***/
+
+func (n *Node) Serve() error {
+	mux := http.NewServeMux()
+	mux.HandleFunc("/mesh/peers", n.peersHandler)
+	mux.HandleFunc("/mesh/hello", n.helloHandler)
+	mux.HandleFunc("/mesh/sync", n.syncHandler)
+	n.srv = &http.Server{Addr: n.cfg.BindAddr, Handler: mux}
+
+	// background loops
+	n.wg.Add(1)
+	go func() {
+		defer n.wg.Done()
+		n.loopSeeder()
+	}()
+
+	if n.cfg.EnableDiscovery && n.cfg.DiscoveryAddress != "" {
+		n.wg.Add(2)
+		go func() {
+			defer n.wg.Done()
+			n.loopBeaconSend()
+		}()
+		go func() {
+			defer n.wg.Done()
+			n.loopBeaconRecv()
+		}()
+	}
+
+	n.wg.Add(1)
+	go func() {
+		defer n.wg.Done()
+		n.loopAntiEntropy()
+	}()
+
+	// http server
+	errc := make(chan error, 1)
+	go func() {
+		errc <- n.srv.ListenAndServe()
+	}()
+	select {
+	case err := <-errc:
+		return err
+	case <-n.stop:
+		return http.ErrServerClosed
+	}
+}
+
+func (n *Node) Close(ctx context.Context) error {
+	close(n.stop)
+	if n.srv != nil {
+		_ = n.srv.Shutdown(ctx)
+	}
+	n.wg.Wait()
+	return nil
+}
+
+/*** Loops ***/
+
+func (n *Node) loopSeeder() {
+	// attempt to hello known seeds every 5s at start, then every 30s
+	backoff := 5 * time.Second
+	for {
+		select {
+		case <-n.stop:
+			return
+		case <-time.After(backoff):
+		}
+		if len(n.cfg.Seeds) == 0 {
+			backoff = 30 * time.Second
+			continue
+		}
+		for _, s := range n.cfg.Seeds {
+			if s == "" || s == n.self.URL {
+				continue
+			}
+			_ = n.sendHello(s)
+		}
+		backoff = 30 * time.Second
+	}
+}
+
+func (n *Node) loopAntiEntropy() {
+	t := time.NewTicker(10 * time.Second)
+	defer t.Stop()
+	for {
+		select {
+		case <-n.stop:
+			return
+		case <-t.C:
+			n.mu.RLock()
+			targets := make([]string, 0, len(n.peers))
+			for url := range n.peers {
+				targets = append(targets, url)
+			}
+			n.mu.RUnlock()
+			if len(targets) == 0 {
+				continue
+			}
+			ctx, cancel := context.WithTimeout(context.Background(), 4*time.Second)
+			snap, err := n.cbs.GetSnapshot(ctx)
+			cancel()
+			if err != nil {
+				continue
+			}
+			for _, url := range targets {
+				_ = n.sendSync(url, snap)
+			}
+		}
+	}
+}
+
+func (n *Node) loopBeaconSend() {
+	addr, err := net.ResolveUDPAddr("udp", n.cfg.DiscoveryAddress)
+	if err != nil {
+		log.Printf("mesh beacon send resolve: %v", err)
+		return
+	}
+	conn, err := net.DialUDP("udp", nil, addr)
+	if err != nil {
+		log.Printf("mesh beacon send dial: %v", err)
+		return
+	}
+	defer conn.Close()
+	type beacon struct {
+		URL string `json:"url"`
+	}
+	t := time.NewTicker(5 * time.Second)
+	defer t.Stop()
+	for {
+		select {
+		case <-n.stop:
+			return
+		case <-t.C:
+			b, _ := json.Marshal(beacon{URL: n.self.URL})
+			_, _ = conn.Write(b)
+		}
+	}
+}
+
+func (n *Node) loopBeaconRecv() {
+	addr, err := net.ResolveUDPAddr("udp", n.cfg.DiscoveryAddress)
+	if err != nil {
+		log.Printf("mesh beacon recv resolve: %v", err)
+		return
+	}
+	// enable multicast receive
+	l, err := net.ListenMulticastUDP("udp", nil, addr)
+	if err != nil {
+		log.Printf("mesh beacon recv listen: %v", err)
+		return
+	}
+	defer l.Close()
+	_ = l.SetReadBuffer(1 << 16)
+
+	buf := make([]byte, 2048)
+	for {
+		select {
+		case <-n.stop:
+			return
+		default:
+		}
+		_ = l.SetDeadline(time.Now().Add(6 * time.Second))
+		nr, _, err := l.ReadFromUDP(buf)
+		if err != nil {
+			if ne, ok := err.(net.Error); ok && ne.Timeout() {
+				continue
+			}
+			continue
+		}
+		var msg struct{ URL string }
+		if err := json.Unmarshal(buf[:nr], &msg); err == nil {
+			if msg.URL != "" && msg.URL != n.self.URL {
+				_ = n.sendHello(msg.URL)
+			}
+		}
+	}
+}
+
+/*** Outgoing ***/
+
+func (n *Node) sendHello(url string) error {
+	p := n.self
+	b, _ := json.Marshal(p)
+	req, _ := http.NewRequest(http.MethodPost, strings.TrimRight(url, "/")+"/mesh/hello", bytes.NewReader(b))
+	req.Header.Set("X-Mesh-Sig", n.sign(b))
+	resp, err := n.client.Do(req)
+	if err == nil {
+		io.Copy(io.Discard, resp.Body)
+		resp.Body.Close()
+	}
+	return err
+}
+
+func (n *Node) sendSync(url string, s Snapshot) error {
+	b, _ := json.Marshal(s)
+	req, _ := http.NewRequest(http.MethodPost, strings.TrimRight(url, "/")+"/mesh/sync", bytes.NewReader(b))
+	req.Header.Set("X-Mesh-Sig", n.sign(b))
+	resp, err := n.client.Do(req)
+	if err == nil {
+		io.Copy(io.Discard, resp.Body)
+		resp.Body.Close()
+	}
+	return err
+}
+
+// PeerList liefert eine Kopie der bekannten Peers inkl. Self.
+func (n *Node) PeerList() []Peer {
+	n.mu.RLock()
+	defer n.mu.RUnlock()
+	out := make([]Peer, 0, len(n.peers)+1)
+	out = append(out, n.self)
+	for _, p := range n.peers {
+		cp := *p
+		out = append(out, cp)
+	}
+	return out
+}
+
+// SyncNow verschickt sofort den aktuellen Snapshot an alle bekannten Peers.
+func (n *Node) SyncNow(ctx context.Context) error {
+	snap, err := n.cbs.GetSnapshot(ctx)
+	if err != nil {
+		return err
+	}
+	n.mu.RLock()
+	targets := make([]string, 0, len(n.peers))
+	for url := range n.peers {
+		targets = append(targets, url)
+	}
+	n.mu.RUnlock()
+	for _, u := range targets {
+		_ = n.sendSync(u, snap)
+	}
+	return nil
+}
+
+/*** Utilities ***/
+
+// OwnerHint is a simple, optional mapping to distribute responsibility.
+func OwnerHint(id int64, peers []string) int {
+	if len(peers) == 0 {
+		return 0
+	}
+	h := crc32.ChecksumIEEE([]byte(string(rune(id))))
+	return int(h % uint32(len(peers)))
+}
+
+// Helpers to load from ENV quickly
+func FromEnv() Config {
+	return Config{
+		BindAddr:         getenvDefault("MESH_BIND", ":9090"),
+		AdvertURL:        os.Getenv("MESH_ADVERT"),
+		Seeds:            splitCSV(os.Getenv("MESH_SEEDS")),
+		ClusterSecret:    os.Getenv("MESH_CLUSTER_SECRET"),
+		EnableDiscovery:  os.Getenv("MESH_ENABLE_DISCOVERY") == "true",
+		DiscoveryAddress: getenvDefault("MESH_DISCOVERY_ADDR", "239.8.8.8:9898"),
+	}
+}
+
+func splitCSV(s string) []string {
+	if strings.TrimSpace(s) == "" {
+		return nil
+	}
+	parts := strings.Split(s, ",")
+	for i := range parts {
+		parts[i] = strings.TrimSpace(parts[i])
+	}
+	// dedup
+	out := make([]string, 0, len(parts))
+	for _, p := range parts {
+		if p == "" || slices.Contains(out, p) {
+			continue
+		}
+		out = append(out, p)
+	}
+	return out
+}
+
+func getenvDefault(k, def string) string {
+	v := os.Getenv(k)
+	if v == "" {
+		return def
+	}
+	return v
+}

internal/store/store.go

@@ -1,316 +0,0 @@
-package store
-
-import (
-	"context"
-	"crypto/sha256"
-	"encoding/hex"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"io"
-	"os"
-	"path/filepath"
-	"sort"
-	"strings"
-	"sync"
-	"time"
-)
-
-type Store struct {
-	blobDir string
-	metaDir string
-	tmpDir  string
-	mu      sync.RWMutex
-}
-
-type FileRecord struct {
-	ID          string            `json:"id"`
-	Name        string            `json:"name"`
-	Hash        string            `json:"hash"`
-	Size        int64             `json:"size"`
-	Meta        map[string]string `json:"meta,omitempty"`
-	CreatedAt   time.Time         `json:"createdAt"`
-	ContentType string            `json:"contentType,omitempty"`
-}
-
-func (fr FileRecord) SafeName() string {
-	n := strings.TrimSpace(fr.Name)
-	if n == "" {
-		return fr.ID
-	}
-	return n
-}
-
-func Open(blobDir, metaDir, tmpDir string) (*Store, error) {
-	for _, p := range []string{blobDir, metaDir, tmpDir} {
-		if err := os.MkdirAll(p, 0o755); err != nil {
-			return nil, err
-		}
-	}
-	return &Store{blobDir: blobDir, metaDir: metaDir, tmpDir: tmpDir}, nil
-}
-
-func (s *Store) Put(ctx context.Context, r io.Reader, name, metaStr string) (*FileRecord, error) {
-	if name == "" {
-		name = "file"
-	}
-
-	tmp, err := os.CreateTemp(s.tmpDir, "upload-*")
-	if err != nil {
-		return nil, err
-	}
-	defer func() { tmp.Close(); os.Remove(tmp.Name()) }()
-
-	h := sha256.New()
-	n, err := io.Copy(io.MultiWriter(tmp, h), r)
-	if err != nil {
-		return nil, err
-	}
-	hash := hex.EncodeToString(h.Sum(nil))
-
-	blobPath := filepath.Join(s.blobDir, hash)
-	if _, err := os.Stat(blobPath); errors.Is(err, os.ErrNotExist) {
-		if err := os.Rename(tmp.Name(), blobPath); err != nil {
-			return nil, err
-		}
-	} else {
-		_ = os.Remove(tmp.Name())
-	}
-
-	rec := &FileRecord{
-		ID:          newID(hash),
-		Name:        name,
-		Hash:        hash,
-		Size:        n,
-		Meta:        parseMeta(metaStr),
-		CreatedAt:   time.Now().UTC(),
-		ContentType: "", // filled on GET via extension
-	}
-
-	if err := s.writeMeta(rec); err != nil {
-		return nil, err
-	}
-	return rec, nil
-}
-
-func (s *Store) Open(ctx context.Context, id string) (io.ReadSeekCloser, *FileRecord, error) {
-	rec, err := s.GetMeta(ctx, id)
-	if err != nil {
-		return nil, nil, err
-	}
-	f, err := os.Open(filepath.Join(s.blobDir, rec.Hash))
-	if err != nil {
-		return nil, nil, err
-	}
-	return f, rec, nil
-}
-
-func (s *Store) GetMeta(_ context.Context, id string) (*FileRecord, error) {
-	s.mu.RLock()
-	defer s.mu.RUnlock()
-	bb, err := os.ReadFile(filepath.Join(s.metaDir, id+".json"))
-	if err != nil {
-		return nil, err
-	}
-	var rec FileRecord
-	if err := json.Unmarshal(bb, &rec); err != nil {
-		return nil, err
-	}
-	return &rec, nil
-}
-
-func (s *Store) UpdateMeta(_ context.Context, id string, meta map[string]string) (*FileRecord, error) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	path := filepath.Join(s.metaDir, id+".json")
-	bb, err := os.ReadFile(path)
-	if err != nil {
-		return nil, err
-	}
-	var rec FileRecord
-	if err := json.Unmarshal(bb, &rec); err != nil {
-		return nil, err
-	}
-	if rec.Meta == nil {
-		rec.Meta = map[string]string{}
-	}
-	for k, v := range meta {
-		rec.Meta[k] = v
-	}
-	nb, _ := json.Marshal(&rec)
-	if err := os.WriteFile(path, nb, 0o600); err != nil {
-		return nil, err
-	}
-	return &rec, nil
-}
-
-func (s *Store) Delete(_ context.Context, id string) error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	// Only delete metadata; GC for unreferenced blobs is a separate task
-	return os.Remove(filepath.Join(s.metaDir, id+".json"))
-}
-
-func (s *Store) List(_ context.Context, q string, offset, limit int) ([]*FileRecord, int, error) {
-	if limit <= 0 || limit > 200 {
-		limit = 50
-	}
-	entries, err := os.ReadDir(s.metaDir)
-	if err != nil {
-		return nil, 0, err
-	}
-	var items []*FileRecord
-	for _, e := range entries {
-		if e.IsDir() || !strings.HasSuffix(e.Name(), ".json") {
-			continue
-		}
-		bb, err := os.ReadFile(filepath.Join(s.metaDir, e.Name()))
-		if err != nil {
-			continue
-		}
-		var rec FileRecord
-		if err := json.Unmarshal(bb, &rec); err != nil {
-			continue
-		}
-		if q == "" || strings.Contains(strings.ToLower(rec.Name), strings.ToLower(q)) {
-			items = append(items, &rec)
-		}
-	}
-	sort.Slice(items, func(i, j int) bool { return items[i].CreatedAt.After(items[j].CreatedAt) })
-	end := offset + limit
-	if offset > len(items) {
-		return []*FileRecord{}, 0, nil
-	}
-	if end > len(items) {
-		end = len(items)
-	}
-	next := 0
-	if end < len(items) {
-		next = end
-	}
-	return items[offset:end], next, nil
-}
-
-// --- Chunked uploads ---
-
-type UploadSession struct {
-	ID        string    `json:"id"`
-	Name      string    `json:"name"`
-	Meta      string    `json:"meta"`
-	CreatedAt time.Time `json:"createdAt"`
-}
-
-func (s *Store) UploadInit(_ context.Context, name, meta string) (*UploadSession, error) {
-	id := newID(fmt.Sprintf("sess-%d", time.Now().UnixNano()))
-	us := &UploadSession{ID: id, Name: name, Meta: meta, CreatedAt: time.Now().UTC()}
-	// session file marker
-	if err := os.WriteFile(filepath.Join(s.tmpDir, id+".session"), []byte(name+""+meta), 0o600); err != nil {
-		return nil, err
-	}
-	return us, nil
-}
-
-func (s *Store) partPath(uid string, n int) string {
-	return filepath.Join(s.tmpDir, fmt.Sprintf("%s.part.%06d", uid, n))
-}
-
-func (s *Store) UploadPart(_ context.Context, uid string, n int, r io.Reader) error {
-	if _, err := os.Stat(filepath.Join(s.tmpDir, uid+".session")); err != nil {
-		return err
-	}
-	f, err := os.Create(s.partPath(uid, n))
-	if err != nil {
-		return err
-	}
-	defer f.Close()
-	_, err = io.Copy(f, r)
-	return err
-}
-
-func (s *Store) UploadComplete(ctx context.Context, uid string) (*FileRecord, error) {
-	if _, err := os.Stat(filepath.Join(s.tmpDir, uid+".session")); err != nil {
-		return nil, err
-	}
-	matches, _ := filepath.Glob(filepath.Join(s.tmpDir, uid+".part.*"))
-	if len(matches) == 0 {
-		return nil, errors.New("no parts uploaded")
-	}
-	sort.Strings(matches)
-	pr, pw := io.Pipe()
-	go func() {
-		for _, p := range matches {
-			f, err := os.Open(p)
-			if err != nil {
-				_ = pw.CloseWithError(err)
-				return
-			}
-			if _, err := io.Copy(pw, f); err != nil {
-				_ = pw.CloseWithError(err)
-				_ = f.Close()
-				return
-			}
-			_ = f.Close()
-		}
-		_ = pw.Close()
-	}()
-	// Read first line of session file for name/meta (simple format)
-	bb, _ := os.ReadFile(filepath.Join(s.tmpDir, uid+".session"))
-	lines := strings.SplitN(string(bb), "", 2)
-	name := "file"
-	meta := ""
-	if len(lines) >= 1 && strings.TrimSpace(lines[0]) != "" {
-		name = strings.TrimSpace(lines[0])
-	}
-	if len(lines) == 2 {
-		meta = strings.TrimSpace(lines[1])
-	}
-
-	rec, err := s.Put(ctx, pr, name, meta)
-	if err != nil {
-		return nil, err
-	}
-	for _, p := range matches {
-		_ = os.Remove(p)
-	}
-	_ = os.Remove(filepath.Join(s.tmpDir, uid+".session"))
-	return rec, nil
-}
-
-func (s *Store) UploadAbort(_ context.Context, uid string) error {
-	if _, err := os.Stat(filepath.Join(s.tmpDir, uid+".session")); err != nil {
-		return err
-	}
-	matches, _ := filepath.Glob(filepath.Join(s.tmpDir, uid+".part.*"))
-	for _, p := range matches {
-		_ = os.Remove(p)
-	}
-	return os.Remove(filepath.Join(s.tmpDir, uid+".session"))
-}
-
-// --- helpers ---
-
-func (s *Store) writeMeta(rec *FileRecord) error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	bb, _ := json.Marshal(rec)
-	return os.WriteFile(filepath.Join(s.metaDir, rec.ID+".json"), bb, 0o600)
-}
-
-func newID(seed string) string {
-	h := sha256.Sum256([]byte(fmt.Sprintf("%s|%d", seed, time.Now().UnixNano())))
-	return hex.EncodeToString(h[:16])
-}
-
-func parseMeta(s string) map[string]string {
-	if s == "" {
-		return nil
-	}
-	m := map[string]string{}
-	for _, kv := range strings.Split(s, ",") {
-		kvp := strings.SplitN(kv, "=", 2)
-		if len(kvp) == 2 {
-			m[strings.TrimSpace(kvp[0])] = strings.TrimSpace(kvp[1])
-		}
-	}
-	return m
-}