authzed
diff --git a/‎.gitattributes‎
Lines changed: 1 addition & 0 deletions b/‎.gitattributes‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎.github/workflows/build-test.yaml‎
Lines changed: 2 additions & 0 deletions b/‎.github/workflows/build-test.yaml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎.goreleaser.nightly.yml‎
Lines changed: 1 addition & 1 deletion b/‎.goreleaser.nightly.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.goreleaser.windows.yml‎
Lines changed: 1 addition & 1 deletion b/‎.goreleaser.windows.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.goreleaser.yml‎
Lines changed: 2 additions & 2 deletions b/‎.goreleaser.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎Dockerfile‎
Lines changed: 2 additions & 1 deletion b/‎Dockerfile‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎cmd/spicedb/serve_integration_test.go‎
Lines changed: 50 additions & 0 deletions b/‎cmd/spicedb/serve_integration_test.go‎
Lines changed: 50 additions & 0 deletions
diff --git a/‎development/prometheus.yaml‎
Lines changed: 2 additions & 2 deletions b/‎development/prometheus.yaml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎go.mod‎
Lines changed: 5 additions & 0 deletions b/‎go.mod‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎go.sum‎
Lines changed: 4 additions & 0 deletions b/‎go.sum‎
Lines changed: 4 additions & 0 deletions
@@ -1,3 +1,4 @@
+internal/**/mock_*.go linguist-generated=true
 *.pb.go linguist-generated=true
 *.pb.*.go linguist-generated=true
 proto/internal/buf.lock linguist-generated=true
@@ -59,6 +59,8 @@ jobs:
           username: "${{ env.DOCKERHUB_PUBLIC_USER }}"
           password: "${{ env.DOCKERHUB_PUBLIC_ACCESS_TOKEN }}"
       - uses: "authzed/actions/go-build@70432bd54a9e690d7fe19817dda46d8e4c0a2c3a" # main
+        with:
+          ldflags: "-checklinkname=0"
       - name: "Image tests"
         run: "go run mage.go test:image"
 
 
@@ -12,7 +12,7 @@ builds:
       - "arm64"
     mod_timestamp: "{{ .CommitTimestamp }}"
     ldflags:
-      - "-s -w"
+      - "-s -w -checklinkname=0"
       - "-X github.com/jzelinskie/cobrautil/v2.Version=v{{ .Version }}"
 kos:
   - id: "spicedb"
 
@@ -17,7 +17,7 @@ builds:
       - "amd64"
     mod_timestamp: "{{ .CommitTimestamp }}"
     ldflags:
-      - "-s -w"
+      - "-s -w -checklinkname=0"
       - "-X github.com/jzelinskie/cobrautil/v2.Version=v{{ .Version }}"
 archives:
   - files:
 
@@ -20,7 +20,7 @@ builds:
       - "arm64"
     mod_timestamp: "{{ .CommitTimestamp }}"
     ldflags:
-      - "-s -w"
+      - "-s -w -checklinkname=0"
       - "-X github.com/jzelinskie/cobrautil/v2.Version=v{{ .Version }}"
 archives:
   - files:
@@ -95,7 +95,7 @@ brews:
         if build.head?
           versionVar = "github.com/jzelinskie/cobrautil/v2.Version"
           versionCmd = "$(git describe --always --abbrev=7 --dirty --tags)"
-          system "go build --ldflags '-s -w -X #{versionVar}=#{versionCmd}' ./cmd/spicedb"
+          system "go build --ldflags '-s -w -checklinkname=0 -X #{versionVar}=#{versionCmd}' ./cmd/spicedb"
         end
         bin.install "spicedb"
         generate_completions_from_executable(bin/"spicedb", "completion", shells: [:bash, :zsh, :fish])
 
@@ -3,7 +3,8 @@ FROM golang:1.25.3-alpine@sha256:aee43c3ccbf24fdffb7295693b6e33b21e01baec1b2a55a
 WORKDIR /go/src/app
 RUN apk update && apk add --no-cache git
 COPY . .
-RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg/mod CGO_ENABLED=0 go build -v ./cmd/...
+# https://github.com/odigos-io/go-rtml#about-ldflags-checklinkname0
+RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg/mod CGO_ENABLED=0 go build -v -ldflags=-checklinkname=0 ./cmd/...
 
 # use `docker buildx imagetools inspect <image>` to get the multi-platform sha256
 FROM golang:1.25.3-alpine@sha256:aee43c3ccbf24fdffb7295693b6e33b21e01baec1b2a55acc351fde345e9ec34 AS health-probe-builder
 
@@ -92,6 +92,56 @@ func TestServe(t *testing.T) {
 	}
 }
 
+func TestServeWithMemoryProtectionMiddleware(t *testing.T) {
+	t.Parallel()
+
+	pool, err := dockertest.NewPool("")
+	require.NoError(t, err)
+
+	serverToken := "mykey"
+	serveResource, err := pool.RunWithOptions(&dockertest.RunOptions{
+		Repository:   "authzed/spicedb",
+		Tag:          "ci",
+		Cmd:          []string{"serve", "--log-level=debug", "--grpc-preshared-key", serverToken, "--telemetry-endpoint=\"\""},
+		ExposedPorts: []string{"50051/tcp"},
+		Env:          []string{"GOMEMLIMIT=1B"}, // NOTE: Absurdly low on purpose
+	}, func(config *docker.HostConfig) {
+		config.RestartPolicy = docker.RestartPolicy{
+			Name: "no",
+		}
+	})
+	require.NoError(t, err)
+	t.Cleanup(func() {
+		require.NoError(t, pool.Purge(serveResource))
+	})
+
+	serverPort := serveResource.GetPort("50051/tcp")
+	conn, err := grpc.NewClient(fmt.Sprintf("localhost:%s", serverPort),
+		grpc.WithTransportCredentials(insecure.NewCredentials()),
+		grpcutil.WithInsecureBearerToken(serverToken),
+	)
+
+	require.NoError(t, err)
+	t.Cleanup(func() {
+		_ = conn.Close()
+	})
+
+	// Health requests bypass the memory middleware
+	require.Eventually(t, func() bool {
+		resp, err := healthpb.NewHealthClient(conn).Check(context.Background(), &healthpb.HealthCheckRequest{Service: "authzed.api.v1.SchemaService"})
+		return err == nil && resp.GetStatus() == healthpb.HealthCheckResponse_SERVING
+	}, 5*time.Second, 1*time.Second, "server never became healthy")
+
+	// Other requests have the memory middleware
+	client := v1.NewSchemaServiceClient(conn)
+	_, err = client.WriteSchema(context.Background(), &v1.WriteSchemaRequest{
+		Schema: `definition user {}`,
+	})
+	s, ok := status.FromError(err)
+	require.True(t, ok)
+	require.Equal(t, codes.ResourceExhausted, s.Code())
+}
+
 func gracefulShutdown(pool *dockertest.Pool, serveResource *dockertest.Resource) bool {
 	closed := make(chan bool, 1)
 	go func() {
 
@@ -1,7 +1,7 @@
 ---
 global:
-  scrape_interval: "15s"
-  evaluation_interval: "15s"
+  scrape_interval: "1s"
+  evaluation_interval: "1s"
 
 scrape_configs:
   - job_name: "spicedb"
 
@@ -112,6 +112,7 @@ require (
 	go.opentelemetry.io/otel/trace v1.38.0
 	go.uber.org/atomic v1.11.0
 	go.uber.org/goleak v1.3.0
+	go.uber.org/mock v0.6.0
 	golang.org/x/exp v0.0.0-20250819193227-8b4c13bb791b
 	golang.org/x/mod v0.29.0
 	golang.org/x/sync v0.17.0
@@ -138,6 +139,8 @@ tool (
 	github.com/golangci/golangci-lint/v2/cmd/golangci-lint
 	// support running mage with go run mage.go
 	github.com/magefile/mage/mage
+	// mocks are generated with go:generate directives.
+	go.uber.org/mock/mockgen
 	// vulncheck always uses the current directory's go.mod.
 	golang.org/x/vuln/cmd/govulncheck
 )
@@ -313,6 +316,7 @@ require (
 	github.com/klauspost/cpuid/v2 v2.2.5 // indirect
 	github.com/kulti/thelper v0.7.1 // indirect
 	github.com/kunwardeep/paralleltest v1.0.14 // indirect
+	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
 	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
 	github.com/lasiar/canonicalheader v1.1.2 // indirect
@@ -352,6 +356,7 @@ require (
 	github.com/nishanths/exhaustive v0.12.0 // indirect
 	github.com/nishanths/predeclared v0.2.2 // indirect
 	github.com/nunnatsa/ginkgolinter v0.21.0 // indirect
+	github.com/odigos-io/go-rtml v0.0.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0 // indirect
 	github.com/opencontainers/runc v1.2.8 // indirect
 
@@ -2232,6 +2232,8 @@ github.com/nishanths/predeclared v0.2.2 h1:V2EPdZPliZymNAn79T8RkNApBjMmVKh5XRpLm
 github.com/nishanths/predeclared v0.2.2/go.mod h1:RROzoN6TnGQupbC+lqggsOlcgysk3LMK/HI84Mp280c=
 github.com/nunnatsa/ginkgolinter v0.21.0 h1:IYwuX+ajy3G1MezlMLB1BENRtFj16+Evyi4uki1NOOQ=
 github.com/nunnatsa/ginkgolinter v0.21.0/go.mod h1:QlzY9UP9zaqu58FjYxhp9bnjuwXwG1bfW5rid9ChNMw=
+github.com/odigos-io/go-rtml v0.0.1 h1:5w21AOXZGq/6UhECv5B9RCrW7R8PzA8YgwdxqtajD0w=
+github.com/odigos-io/go-rtml v0.0.1/go.mod h1:LqKwlorUKSNj1WQ0p/5e9+aOkirEiHQx+FOxdhku/cs=
 github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus=
 github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8=
 github.com/onsi/gomega v1.38.0 h1:c/WX+w8SLAinvuKKQFh77WEucCnPk4j2OTUr7lt7BeY=
@@ -2596,6 +2598,8 @@ go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwE
 go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
+go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=
+go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU=
 go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=