feat: add Memory Protection Middleware

[ecordell]

Description

This introduces a new memory protection middleware to help prevent out-of-memory conditions in SpiceDB by implementing admission control based on current memory usage.

This is not a perfect solution (doesn't prevent non-traffic-related sources of OOM) and is meant to support other future improvements to resource sharing in a single SpiceDB node.

The middleware is installed both in the main api and in dispatch, but at different thresholds. Memory usage is polled in the background, and if in-flight memory rises above the threshold, backpressure is placed on incoming requests.

The dispatch threshold is higher than the API threshold to preserve already admitted traffic as much as possible.

Testing

• Unit tests included
• Manual E2E test:
  • Modify docker-compose.yaml to set mem_limit: "300mb" to the spicedb containers
  • Run docker-compose up --build
  • Run this

zed context set example localhost:50051 foobar --insecure
zed import development/schema.yaml
{
    echo '{"items":['
    for i in $(seq 1 200); do
      d=$(( (RANDOM % 9999) + 1 ))
      echo -n "{\"resource\":{\"objectTy  pe\":\"document\",\"objectId\": \"${d}\"}, \"permission\":\"view\",\"subject\":{ \"object\": {\"objectType\": \"user\", \"objectId\": \"1\"}}}"
      [ $i -lt 200 ] && echo -n ","
    done
    echo "], \"with_tracing\": true}"
} > payload.json
ab -n 100000 -c 200 -T 'application/json' -H 'Authorization: Bearer foobar' -p payload.json http://localhost:8443/v1/permissions/checkbulk

you should see logs such as:

{
  "level": "warn",
  "traceID": "125b7b37c5775af1f2d9ebf253dcf3d1",
  "protocol": "grpc",
  "grpc.component": "server",
  "grpc.service": "authzed.api.v1.PermissionsService",
  "grpc.method": "CheckBulkPermissions",
  "grpc.method_type": "unary",
  "requestID": "d3vurmuoqu8s73bsdom0",
  "peer.address": "127.0.0.1:60376",
  "grpc.start_time": "2025-10-27T22:10:35Z",
  "grpc.code": "ResourceExhausted",
  "grpc.error": "rpc error: code = ResourceExhausted desc = server rejected the request because memory usage is above configured threshold",
  "grpc.time_ms": 0,
  "time": "2025-10-27T22:10:35Z",
  "message": "finished call"
}

and this graph in Grafana:

[codecov]

Codecov Report

❌ Patch coverage is 11.97605% with 1470 lines in your changes missing coverage. Please review.
✅ Project coverage is 77.08%. Comparing base (e55404b) to head (8b47b79).
⚠️ Report is 11 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/mocks/mock_datastore.go	0.32%	1277 Missing ⚠️
internal/mocks/mock_dispatcher.go	2.57%	152 Missing ⚠️
...ware/memoryprotection/mocks/mock_memory_sampler.go	38.89%	22 Missing ⚠️
...rnal/middleware/memoryprotection/memory_sampler.go	83.08%	9 Missing and 2 partials ⚠️
pkg/cmd/server/server.go	87.24%	3 Missing and 3 partials ⚠️
...l/middleware/memoryprotection/memory_protection.go	96.50%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2646      +/-   ##
==========================================
- Coverage   79.46%   77.08%   -2.37%     
==========================================
  Files         455      461       +6     
  Lines       47161    48940    +1779     
==========================================
+ Hits        37470    37722     +252     
- Misses       6945     8449    +1504     
- Partials     2746     2769      +23     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[miparnisari]

FYI so that we can verify the new metrics in Grafana

[miparnisari]

FYI i can move the mock generation to a different PR

[tstirrat15]

This is fine.

[miparnisari]

FYI so that when changing these, the "View PR" view on Github says that the files are automatically generated and people can just mark "viewed" on them

[miparnisari]

i don't like that we have the default 90 here and also in the struct itself 😭 i'd love a unified approach in the future

[vroldanbet]

We have some percent-based flags that are defined as [0...1] floats. Worth having a look and deciding which approach to commit to.

[miparnisari]

Made it similar to this

 --datastore-revision-quantization-max-staleness-percent float           float percentage (where 1 = 100%)

i don't love it but I prefer being consistent

[miparnisari]

Funny, I just found that you can pass a large number to that flag and the server accepts it 😆

- "SPICEDB_DATASTORE_REVISION_QUANTIZATION_MAX_STALENESS_PERCENT=10000"

[vroldanbet]

seems like it's missing some validation :D

[tstirrat15]

See comments

[tstirrat15]

Why this syntax as opposed to constructing one?

[miparnisari]

WDYM? This is standard go code to assert that a struct satisfies an interface

[tstirrat15]

This is fine.

[tstirrat15]

This is in a goroutine :P

[ecordell]

We had a discussion on slack where we looked at some implementation details of runtime/metrics. Although it's not stop-the-world like ReadMemStats is, it does acquire a metrics lock (metricsSema) to read the values. Joey found https://github.com/odigos-io/go-rtml/ which looked promising as a way to get these values faster, potentially even on every request (i.e. without the extra goroutines polling in the background).

[vroldanbet]

LGTM, I defer to y'all looking into an alternative implementation to retrieve runtime stats with lower overhead

[miparnisari]

@ecordell @vroldanbet please see #2691