MyFSIO v0.3.7 Release

Reviewed-on: #30

app/__init__.py

@@ -1,13 +1,13 @@
 from __future__ import annotations
 
 import html as html_module
+import itertools
 import logging
 import mimetypes
 import os
 import shutil
 import sys
 import time
-import uuid
 from logging.handlers import RotatingFileHandler
 from pathlib import Path
 from datetime import timedelta
@@ -39,6 +39,8 @@ from .storage import ObjectStorage, StorageError
 from .version import get_version
 from .website_domains import WebsiteDomainStore
 
+_request_counter = itertools.count(1)
+
 
 def _migrate_config_file(active_path: Path, legacy_paths: List[Path]) -> Path:
     """Migrate config file from legacy locations to the active path.
@@ -128,6 +130,7 @@ def create_app(
         Path(app.config["IAM_CONFIG"]),
         auth_max_attempts=app.config.get("AUTH_MAX_ATTEMPTS", 5),
         auth_lockout_minutes=app.config.get("AUTH_LOCKOUT_MINUTES", 15),
+        encryption_key=app.config.get("SECRET_KEY"),
     )
     bucket_policies = BucketPolicyStore(Path(app.config["BUCKET_POLICY_PATH"]))
     secret_store = EphemeralSecretStore(default_ttl=app.config.get("SECRET_TTL_SECONDS", 300))
@@ -481,13 +484,9 @@ def _configure_logging(app: Flask) -> None:
 
     @app.before_request
     def _log_request_start() -> None:
-        g.request_id = uuid.uuid4().hex
+        g.request_id = f"{os.getpid():x}{next(_request_counter):012x}"
         g.request_started_at = time.perf_counter()
         g.request_bytes_in = request.content_length or 0
-        app.logger.info(
-            "Request started",
-            extra={"path": request.path, "method": request.method, "remote_addr": request.remote_addr},
-        )
 
     @app.before_request
     def _maybe_serve_website():
@@ -616,8 +615,9 @@ def _configure_logging(app: Flask) -> None:
         duration_ms = 0.0
         if hasattr(g, "request_started_at"):
             duration_ms = (time.perf_counter() - g.request_started_at) * 1000
-        request_id = getattr(g, "request_id", uuid.uuid4().hex)
+        request_id = getattr(g, "request_id", f"{os.getpid():x}{next(_request_counter):012x}")
         response.headers.setdefault("X-Request-ID", request_id)
+        if app.logger.isEnabledFor(logging.INFO):
             app.logger.info(
                 "Request completed",
                 extra={

app/bucket_policies.py

@@ -2,6 +2,7 @@ from __future__ import annotations
 
 import ipaddress
 import json
+import os
 import re
 import time
 from dataclasses import dataclass, field
@@ -268,7 +269,7 @@ class BucketPolicyStore:
         self._last_mtime = self._current_mtime()
         # Performance: Avoid stat() on every request
         self._last_stat_check = 0.0
-        self._stat_check_interval = 1.0  # Only check mtime every 1 second
+        self._stat_check_interval = float(os.environ.get("BUCKET_POLICY_STAT_CHECK_INTERVAL_SECONDS", "2.0"))
 
     def maybe_reload(self) -> None:
         # Performance: Skip stat check if we checked recently

app/iam.py

@@ -1,5 +1,6 @@
 from __future__ import annotations
 
+import base64
 import hashlib
 import hmac
 import json
@@ -14,6 +15,8 @@ from datetime import datetime, timedelta, timezone
 from pathlib import Path
 from typing import Any, Deque, Dict, Iterable, List, Optional, Sequence, Set, Tuple
 
+from cryptography.fernet import Fernet, InvalidToken
+
 
 class IamError(RuntimeError):
     """Raised when authentication or authorization fails."""
@@ -107,13 +110,24 @@ class Principal:
     policies: List[Policy]
 
 
+def _derive_fernet_key(secret: str) -> bytes:
+    raw = hashlib.pbkdf2_hmac("sha256", secret.encode(), b"myfsio-iam-encryption", 100_000)
+    return base64.urlsafe_b64encode(raw)
+
+
+_IAM_ENCRYPTED_PREFIX = b"MYFSIO_IAM_ENC:"
+
+
 class IamService:
     """Loads IAM configuration, manages users, and evaluates policies."""
 
-    def __init__(self, config_path: Path, auth_max_attempts: int = 5, auth_lockout_minutes: int = 15) -> None:
+    def __init__(self, config_path: Path, auth_max_attempts: int = 5, auth_lockout_minutes: int = 15, encryption_key: str | None = None) -> None:
         self.config_path = Path(config_path)
         self.auth_max_attempts = auth_max_attempts
         self.auth_lockout_window = timedelta(minutes=auth_lockout_minutes)
+        self._fernet: Fernet | None = None
+        if encryption_key:
+            self._fernet = Fernet(_derive_fernet_key(encryption_key))
         self.config_path.parent.mkdir(parents=True, exist_ok=True)
         if not self.config_path.exists():
             self._write_default()
@@ -125,7 +139,7 @@ class IamService:
         self._secret_key_cache: Dict[str, Tuple[str, float]] = {}
         self._cache_ttl = float(os.environ.get("IAM_CACHE_TTL_SECONDS", "5.0"))
         self._last_stat_check = 0.0
-        self._stat_check_interval = 1.0
+        self._stat_check_interval = float(os.environ.get("IAM_STAT_CHECK_INTERVAL_SECONDS", "2.0"))
         self._sessions: Dict[str, Dict[str, Any]] = {}
         self._session_lock = threading.Lock()
         self._load()
@@ -145,6 +159,19 @@ class IamService:
         except OSError:
             pass
 
+    def _check_expiry(self, access_key: str, record: Dict[str, Any]) -> None:
+        expires_at = record.get("expires_at")
+        if not expires_at:
+            return
+        try:
+            exp_dt = datetime.fromisoformat(expires_at)
+            if exp_dt.tzinfo is None:
+                exp_dt = exp_dt.replace(tzinfo=timezone.utc)
+            if datetime.now(timezone.utc) >= exp_dt:
+                raise IamError(f"Credentials for '{access_key}' have expired")
+        except (ValueError, TypeError):
+            pass
+
     def authenticate(self, access_key: str, secret_key: str) -> Principal:
         self._maybe_reload()
         access_key = (access_key or "").strip()
@@ -161,6 +188,7 @@ class IamService:
         if not record or not hmac.compare_digest(stored_secret, secret_key):
             self._record_failed_attempt(access_key)
             raise IamError("Invalid credentials")
+        self._check_expiry(access_key, record)
         self._clear_failed_attempts(access_key)
         return self._build_principal(access_key, record)
 
@@ -288,12 +316,16 @@ class IamService:
         if cached:
             principal, cached_time = cached
             if now - cached_time < self._cache_ttl:
+                record = self._users.get(access_key)
+                if record:
+                    self._check_expiry(access_key, record)
                 return principal
 
         self._maybe_reload()
         record = self._users.get(access_key)
         if not record:
             raise IamError("Unknown access key")
+        self._check_expiry(access_key, record)
         principal = self._build_principal(access_key, record)
         self._principal_cache[access_key] = (principal, now)
         return principal
@@ -303,6 +335,7 @@ class IamService:
         record = self._users.get(access_key)
         if not record:
             raise IamError("Unknown access key")
+        self._check_expiry(access_key, record)
         return record["secret_key"]
 
     def authorize(self, principal: Principal, bucket_name: str | None, action: str) -> None:
@@ -347,6 +380,7 @@ class IamService:
                 {
                     "access_key": access_key,
                     "display_name": record["display_name"],
+                    "expires_at": record.get("expires_at"),
                     "policies": [
                         {"bucket": policy.bucket, "actions": sorted(policy.actions)}
                         for policy in record["policies"]
@@ -362,20 +396,25 @@ class IamService:
         policies: Optional[Sequence[Dict[str, Any]]] = None,
         access_key: str | None = None,
         secret_key: str | None = None,
+        expires_at: str | None = None,
     ) -> Dict[str, str]:
         access_key = (access_key or self._generate_access_key()).strip()
         if not access_key:
             raise IamError("Access key cannot be empty")
         if access_key in self._users:
             raise IamError("Access key already exists")
+        if expires_at:
+            self._validate_expires_at(expires_at)
         secret_key = secret_key or self._generate_secret_key()
         sanitized_policies = self._prepare_policy_payload(policies)
-        record = {
+        record: Dict[str, Any] = {
             "access_key": access_key,
             "secret_key": secret_key,
             "display_name": display_name or access_key,
             "policies": sanitized_policies,
         }
+        if expires_at:
+            record["expires_at"] = expires_at
         self._raw_config.setdefault("users", []).append(record)
         self._save()
         self._load()
@@ -414,17 +453,43 @@ class IamService:
         clear_signing_key_cache()
         self._load()
 
+    def update_user_expiry(self, access_key: str, expires_at: str | None) -> None:
+        user = self._get_raw_user(access_key)
+        if expires_at:
+            self._validate_expires_at(expires_at)
+            user["expires_at"] = expires_at
+        else:
+            user.pop("expires_at", None)
+        self._save()
+        self._principal_cache.pop(access_key, None)
+        self._secret_key_cache.pop(access_key, None)
+        self._load()
+
     def update_user_policies(self, access_key: str, policies: Sequence[Dict[str, Any]]) -> None:
         user = self._get_raw_user(access_key)
         user["policies"] = self._prepare_policy_payload(policies)
         self._save()
         self._load()
 
+    def _decrypt_content(self, raw_bytes: bytes) -> str:
+        if raw_bytes.startswith(_IAM_ENCRYPTED_PREFIX):
+            if not self._fernet:
+                raise IamError("IAM config is encrypted but no encryption key provided. Set SECRET_KEY or use 'python run.py reset-cred'.")
+            try:
+                encrypted_data = raw_bytes[len(_IAM_ENCRYPTED_PREFIX):]
+                return self._fernet.decrypt(encrypted_data).decode("utf-8")
+            except InvalidToken:
+                raise IamError("Cannot decrypt IAM config. SECRET_KEY may have changed. Use 'python run.py reset-cred' to reset credentials.")
+        return raw_bytes.decode("utf-8")
+
     def _load(self) -> None:
         try:
             self._last_load_time = self.config_path.stat().st_mtime
-            content = self.config_path.read_text(encoding='utf-8')
+            raw_bytes = self.config_path.read_bytes()
+            content = self._decrypt_content(raw_bytes)
             raw = json.loads(content)
+        except IamError:
+            raise
         except FileNotFoundError:
             raise IamError(f"IAM config not found: {self.config_path}")
         except json.JSONDecodeError as e:
@@ -434,33 +499,47 @@ class IamService:
         except (OSError, ValueError) as e:
             raise IamError(f"Failed to load IAM config: {e}")
 
+        was_plaintext = not raw_bytes.startswith(_IAM_ENCRYPTED_PREFIX)
+
         users: Dict[str, Dict[str, Any]] = {}
         for user in raw.get("users", []):
             policies = self._build_policy_objects(user.get("policies", []))
-            users[user["access_key"]] = {
+            user_record: Dict[str, Any] = {
                 "secret_key": user["secret_key"],
                 "display_name": user.get("display_name", user["access_key"]),
                 "policies": policies,
             }
+            if user.get("expires_at"):
+                user_record["expires_at"] = user["expires_at"]
+            users[user["access_key"]] = user_record
         if not users:
             raise IamError("IAM configuration contains no users")
         self._users = users
-        self._raw_config = {
+        raw_users: List[Dict[str, Any]] = []
-            "users": [
+        for entry in raw.get("users", []):
-                {
+            raw_entry: Dict[str, Any] = {
                 "access_key": entry["access_key"],
                 "secret_key": entry["secret_key"],
                 "display_name": entry.get("display_name", entry["access_key"]),
                 "policies": entry.get("policies", []),
             }
-                for entry in raw.get("users", [])
+            if entry.get("expires_at"):
-            ]
+                raw_entry["expires_at"] = entry["expires_at"]
-        }
+            raw_users.append(raw_entry)
+        self._raw_config = {"users": raw_users}
+
+        if was_plaintext and self._fernet:
+            self._save()
 
     def _save(self) -> None:
         try:
+            json_text = json.dumps(self._raw_config, indent=2)
             temp_path = self.config_path.with_suffix('.json.tmp')
-            temp_path.write_text(json.dumps(self._raw_config, indent=2), encoding='utf-8')
+            if self._fernet:
+                encrypted = self._fernet.encrypt(json_text.encode("utf-8"))
+                temp_path.write_bytes(_IAM_ENCRYPTED_PREFIX + encrypted)
+            else:
+                temp_path.write_text(json_text, encoding='utf-8')
             temp_path.replace(self.config_path)
         except (OSError, PermissionError) as e:
             raise IamError(f"Cannot save IAM config: {e}")
@@ -475,9 +554,14 @@ class IamService:
     def export_config(self, mask_secrets: bool = True) -> Dict[str, Any]:
         payload: Dict[str, Any] = {"users": []}
         for user in self._raw_config.get("users", []):
-            record = dict(user)
+            record: Dict[str, Any] = {
-            if mask_secrets and "secret_key" in record:
+                "access_key": user["access_key"],
-                record["secret_key"] = "••••••••••"
+                "secret_key": "••••••••••" if mask_secrets else user["secret_key"],
+                "display_name": user["display_name"],
+                "policies": user["policies"],
+            }
+            if user.get("expires_at"):
+                record["expires_at"] = user["expires_at"]
             payload["users"].append(record)
         return payload
 
@@ -546,8 +630,9 @@ class IamService:
         return candidate if candidate in ALLOWED_ACTIONS else ""
 
     def _write_default(self) -> None:
-        access_key = secrets.token_hex(12)
+        access_key = os.environ.get("ADMIN_ACCESS_KEY", "").strip() or secrets.token_hex(12)
-        secret_key = secrets.token_urlsafe(32)
+        secret_key = os.environ.get("ADMIN_SECRET_KEY", "").strip() or secrets.token_urlsafe(32)
+        custom_keys = bool(os.environ.get("ADMIN_ACCESS_KEY", "").strip())
         default = {
             "users": [
                 {
@@ -560,16 +645,37 @@ class IamService:
                 }
             ]
         }
-        self.config_path.write_text(json.dumps(default, indent=2))
+        json_text = json.dumps(default, indent=2)
+        if self._fernet:
+            encrypted = self._fernet.encrypt(json_text.encode("utf-8"))
+            self.config_path.write_bytes(_IAM_ENCRYPTED_PREFIX + encrypted)
+        else:
+            self.config_path.write_text(json_text)
         print(f"\n{'='*60}")
-        print("MYFSIO FIRST RUN - ADMIN CREDENTIALS GENERATED")
+        print("MYFSIO FIRST RUN - ADMIN CREDENTIALS")
         print(f"{'='*60}")
+        if custom_keys:
+            print(f"Access Key: {access_key} (from ADMIN_ACCESS_KEY)")
+            print(f"Secret Key: {'(from ADMIN_SECRET_KEY)' if os.environ.get('ADMIN_SECRET_KEY', '').strip() else secret_key}")
+        else:
             print(f"Access Key: {access_key}")
             print(f"Secret Key: {secret_key}")
         print(f"{'='*60}")
+        if self._fernet:
+            print("IAM config is encrypted at rest.")
+            print("Lost credentials? Run: python run.py reset-cred")
+        else:
             print(f"Missed this? Check: {self.config_path}")
         print(f"{'='*60}\n")
 
+    def _validate_expires_at(self, expires_at: str) -> None:
+        try:
+            dt = datetime.fromisoformat(expires_at)
+            if dt.tzinfo is None:
+                dt = dt.replace(tzinfo=timezone.utc)
+        except (ValueError, TypeError):
+            raise IamError(f"Invalid expires_at format: {expires_at}. Use ISO 8601 (e.g. 2026-12-31T23:59:59Z)")
+
     def _generate_access_key(self) -> str:
         return secrets.token_hex(8)
 
@@ -588,11 +694,15 @@ class IamService:
         if cached:
             secret_key, cached_time = cached
             if now - cached_time < self._cache_ttl:
+                record = self._users.get(access_key)
+                if record:
+                    self._check_expiry(access_key, record)
                 return secret_key
 
         self._maybe_reload()
         record = self._users.get(access_key)
         if record:
+            self._check_expiry(access_key, record)
             secret_key = record["secret_key"]
             self._secret_key_cache[access_key] = (secret_key, now)
             return secret_key
@@ -604,11 +714,15 @@ class IamService:
         if cached:
             principal, cached_time = cached
             if now - cached_time < self._cache_ttl:
+                record = self._users.get(access_key)
+                if record:
+                    self._check_expiry(access_key, record)
                 return principal
 
         self._maybe_reload()
         record = self._users.get(access_key)
         if record:
+            self._check_expiry(access_key, record)
             principal = self._build_principal(access_key, record)
             self._principal_cache[access_key] = (principal, now)
             return principal

app/operation_metrics.py

@@ -5,6 +5,7 @@ import logging
 import random
 import threading
 import time
+from collections import defaultdict
 from dataclasses import dataclass, field
 from datetime import datetime, timezone
 from pathlib import Path
@@ -138,8 +139,8 @@ class OperationMetricsCollector:
         self.interval_seconds = interval_minutes * 60
         self.retention_hours = retention_hours
         self._lock = threading.Lock()
-        self._by_method: Dict[str, OperationStats] = {}
+        self._by_method: Dict[str, OperationStats] = defaultdict(OperationStats)
-        self._by_endpoint: Dict[str, OperationStats] = {}
+        self._by_endpoint: Dict[str, OperationStats] = defaultdict(OperationStats)
         self._by_status_class: Dict[str, int] = {}
         self._error_codes: Dict[str, int] = {}
         self._totals = OperationStats()
@@ -211,8 +212,8 @@ class OperationMetricsCollector:
             self._prune_old_snapshots()
             self._save_history()
 
-            self._by_method.clear()
+            self._by_method = defaultdict(OperationStats)
-            self._by_endpoint.clear()
+            self._by_endpoint = defaultdict(OperationStats)
             self._by_status_class.clear()
             self._error_codes.clear()
             self._totals = OperationStats()
@@ -232,12 +233,7 @@ class OperationMetricsCollector:
         status_class = f"{status_code // 100}xx"
 
         with self._lock:
-            if method not in self._by_method:
-                self._by_method[method] = OperationStats()
             self._by_method[method].record(latency_ms, success, bytes_in, bytes_out)
-
-            if endpoint_type not in self._by_endpoint:
-                self._by_endpoint[endpoint_type] = OperationStats()
             self._by_endpoint[endpoint_type].record(latency_ms, success, bytes_in, bytes_out)
 
             self._by_status_class[status_class] = self._by_status_class.get(status_class, 0) + 1

app/s3_api.py

@@ -85,6 +85,9 @@ def _bucket_policies() -> BucketPolicyStore:
 
 
 def _build_policy_context() -> Dict[str, Any]:
+    cached = getattr(g, "_policy_context", None)
+    if cached is not None:
+        return cached
     ctx: Dict[str, Any] = {}
     if request.headers.get("Referer"):
         ctx["aws:Referer"] = request.headers.get("Referer")
@@ -98,6 +101,7 @@ def _build_policy_context() -> Dict[str, Any]:
     ctx["aws:SecureTransport"] = str(request.is_secure).lower()
     if request.headers.get("User-Agent"):
         ctx["aws:UserAgent"] = request.headers.get("User-Agent")
+    g._policy_context = ctx
     return ctx
 
 
@@ -1021,11 +1025,15 @@ def _apply_object_headers(
     file_stat,
     metadata: Dict[str, str] | None,
     etag: str,
+    size_override: int | None = None,
+    mtime_override: float | None = None,
 ) -> None:
-    if file_stat is not None:
+    effective_size = size_override if size_override is not None else (file_stat.st_size if file_stat is not None else None)
-        if response.status_code != 206:
+    effective_mtime = mtime_override if mtime_override is not None else (file_stat.st_mtime if file_stat is not None else None)
-            response.headers["Content-Length"] = str(file_stat.st_size)
+    if effective_size is not None and response.status_code != 206:
-        response.headers["Last-Modified"] = http_date(file_stat.st_mtime)
+        response.headers["Content-Length"] = str(effective_size)
+    if effective_mtime is not None:
+        response.headers["Last-Modified"] = http_date(effective_mtime)
     response.headers["ETag"] = f'"{etag}"'
     response.headers["Accept-Ranges"] = "bytes"
     for key, value in (metadata or {}).items():
@@ -2820,6 +2828,8 @@ def object_handler(bucket_name: str, object_key: str):
         if validation_error:
             return _error_response("InvalidArgument", validation_error, 400)
 
+        metadata["__content_type__"] = content_type or mimetypes.guess_type(object_key)[0] or "application/octet-stream"
+
         try:
             meta = storage.put_object(
                 bucket_name,
@@ -2834,6 +2844,19 @@ def object_handler(bucket_name: str, object_key: str):
             if "Bucket" in message:
                 return _error_response("NoSuchBucket", message, 404)
             return _error_response("InvalidArgument", message, 400)
+
+        content_md5 = request.headers.get("Content-MD5")
+        if content_md5 and meta.etag:
+            try:
+                expected_md5 = base64.b64decode(content_md5).hex()
+            except Exception:
+                storage.delete_object(bucket_name, object_key)
+                return _error_response("InvalidDigest", "Content-MD5 header is not valid base64", 400)
+            if expected_md5 != meta.etag:
+                storage.delete_object(bucket_name, object_key)
+                return _error_response("BadDigest", "The Content-MD5 you specified did not match what we received", 400)
+
+        if current_app.logger.isEnabledFor(logging.INFO):
             current_app.logger.info(
                 "Object uploaded",
                 extra={"bucket": bucket_name, "key": object_key, "size": meta.size},
@@ -2871,7 +2894,7 @@ def object_handler(bucket_name: str, object_key: str):
         except StorageError as exc:
             return _error_response("NoSuchKey", str(exc), 404)
         metadata = storage.get_object_metadata(bucket_name, object_key)
-        mimetype = mimetypes.guess_type(object_key)[0] or "application/octet-stream"
+        mimetype = metadata.get("__content_type__") or mimetypes.guess_type(object_key)[0] or "application/octet-stream"
         
         is_encrypted = "x-amz-server-side-encryption" in metadata
         
@@ -2963,10 +2986,7 @@ def object_handler(bucket_name: str, object_key: str):
             response.headers["Content-Type"] = mimetype
             logged_bytes = 0
 
-        try:
+        file_stat = stat if not is_encrypted else None
-            file_stat = path.stat() if not is_encrypted else None
-        except (PermissionError, OSError):
-            file_stat = None
         _apply_object_headers(response, file_stat=file_stat, metadata=metadata, etag=etag)
 
         if request.method == "GET":
@@ -2983,6 +3003,7 @@ def object_handler(bucket_name: str, object_key: str):
                 if value:
                     response.headers[header] = _sanitize_header_value(value)
 
+        if current_app.logger.isEnabledFor(logging.INFO):
             action = "Object read" if request.method == "GET" else "Object head"
             current_app.logger.info(action, extra={"bucket": bucket_name, "key": object_key, "bytes": logged_bytes})
         return response
@@ -3002,6 +3023,7 @@ def object_handler(bucket_name: str, object_key: str):
 
     storage.delete_object(bucket_name, object_key)
     lock_service.delete_object_lock_metadata(bucket_name, object_key)
+    if current_app.logger.isEnabledFor(logging.INFO):
         current_app.logger.info("Object deleted", extra={"bucket": bucket_name, "key": object_key})
 
     principal, _ = _require_principal()
@@ -3343,12 +3365,20 @@ def head_object(bucket_name: str, object_key: str) -> Response:
         _authorize_action(principal, bucket_name, "read", object_key=object_key)
         path = _storage().get_object_path(bucket_name, object_key)
         metadata = _storage().get_object_metadata(bucket_name, object_key)
-        stat = path.stat()
         etag = metadata.get("__etag__") or _storage()._compute_etag(path)
 
+        cached_size = metadata.get("__size__")
+        cached_mtime = metadata.get("__last_modified__")
+        if cached_size is not None and cached_mtime is not None:
+            size_val = int(cached_size)
+            mtime_val = float(cached_mtime)
+            response = Response(status=200)
+            _apply_object_headers(response, file_stat=None, metadata=metadata, etag=etag, size_override=size_val, mtime_override=mtime_val)
+        else:
+            stat = path.stat()
             response = Response(status=200)
             _apply_object_headers(response, file_stat=stat, metadata=metadata, etag=etag)
-        response.headers["Content-Type"] = mimetypes.guess_type(object_key)[0] or "application/octet-stream"
+        response.headers["Content-Type"] = metadata.get("__content_type__") or mimetypes.guess_type(object_key)[0] or "application/octet-stream"
         return response
     except (StorageError, FileNotFoundError):
         return _error_response("NoSuchKey", "Object not found", 404)
@@ -3578,6 +3608,8 @@ def _initiate_multipart_upload(bucket_name: str, object_key: str) -> Response:
         return error
     
     metadata = _extract_request_metadata()
+    content_type = request.headers.get("Content-Type")
+    metadata["__content_type__"] = content_type or mimetypes.guess_type(object_key)[0] or "application/octet-stream"
     try:
         upload_id = _storage().initiate_multipart_upload(
             bucket_name,
@@ -3630,6 +3662,15 @@ def _upload_part(bucket_name: str, object_key: str) -> Response:
             return _error_response("NoSuchUpload", str(exc), 404)
         return _error_response("InvalidArgument", str(exc), 400)
 
+    content_md5 = request.headers.get("Content-MD5")
+    if content_md5 and etag:
+        try:
+            expected_md5 = base64.b64decode(content_md5).hex()
+        except Exception:
+            return _error_response("InvalidDigest", "Content-MD5 header is not valid base64", 400)
+        if expected_md5 != etag:
+            return _error_response("BadDigest", "The Content-MD5 you specified did not match what we received", 400)
+
     response = Response(status=200)
     response.headers["ETag"] = f'"{etag}"'
     return response

app/storage.py

@@ -1,6 +1,5 @@
 from __future__ import annotations
 
-import copy
 import hashlib
 import json
 import os
@@ -196,7 +195,9 @@ class ObjectStorage:
         self.root.mkdir(parents=True, exist_ok=True)
         self._ensure_system_roots()
         self._object_cache: OrderedDict[str, tuple[Dict[str, ObjectMeta], float, float]] = OrderedDict()
-        self._cache_lock = threading.Lock()
+        self._obj_cache_lock = threading.Lock()
+        self._meta_cache_lock = threading.Lock()
+        self._registry_lock = threading.Lock()
         self._bucket_locks: Dict[str, threading.Lock] = {}
         self._cache_version: Dict[str, int] = {}
         self._bucket_config_cache: Dict[str, tuple[dict[str, Any], float]] = {}
@@ -209,10 +210,17 @@ class ObjectStorage:
         self._meta_read_cache: OrderedDict[tuple, Optional[Dict[str, Any]]] = OrderedDict()
         self._meta_read_cache_max = 2048
         self._cleanup_executor = ThreadPoolExecutor(max_workers=1, thread_name_prefix="ParentCleanup")
+        self._stats_mem: Dict[str, Dict[str, int]] = {}
+        self._stats_serial: Dict[str, int] = {}
+        self._stats_mem_time: Dict[str, float] = {}
+        self._stats_lock = threading.Lock()
+        self._stats_dirty: set[str] = set()
+        self._stats_flush_timer: Optional[threading.Timer] = None
+        self._etag_index_dirty: set[str] = set()
+        self._etag_index_flush_timer: Optional[threading.Timer] = None
 
     def _get_bucket_lock(self, bucket_id: str) -> threading.Lock:
-        """Get or create a lock for a specific bucket. Reduces global lock contention."""
+        with self._registry_lock:
-        with self._cache_lock:
             if bucket_id not in self._bucket_locks:
                 self._bucket_locks[bucket_id] = threading.Lock()
             return self._bucket_locks[bucket_id]
@@ -260,26 +268,24 @@ class ObjectStorage:
         self._system_bucket_root(bucket_path.name).mkdir(parents=True, exist_ok=True)
 
     def bucket_stats(self, bucket_name: str, cache_ttl: int = 60) -> dict[str, int]:
-        """Return object count and total size for the bucket (cached).
-
-        Args:
-            bucket_name: Name of the bucket
-            cache_ttl: Cache time-to-live in seconds (default 60)
-        """
         bucket_path = self._bucket_path(bucket_name)
         if not bucket_path.exists():
             raise BucketNotFoundError("Bucket does not exist")
 
+        with self._stats_lock:
+            if bucket_name in self._stats_mem:
+                cached_at = self._stats_mem_time.get(bucket_name, 0.0)
+                if (time.monotonic() - cached_at) < cache_ttl:
+                    return dict(self._stats_mem[bucket_name])
+                self._stats_mem.pop(bucket_name, None)
+                self._stats_mem_time.pop(bucket_name, None)
+
         cache_path = self._system_bucket_root(bucket_name) / "stats.json"
         cached_stats = None
-        cache_fresh = False
 
         if cache_path.exists():
             try:
-                cache_fresh = time.time() - cache_path.stat().st_mtime < cache_ttl
                 cached_stats = json.loads(cache_path.read_text(encoding="utf-8"))
-                if cache_fresh:
-                    return cached_stats
             except (OSError, json.JSONDecodeError):
                 pass
 
@@ -348,16 +354,25 @@ class ObjectStorage:
             "_cache_serial": existing_serial,
         }
 
+        with self._stats_lock:
+            self._stats_mem[bucket_name] = stats
+            self._stats_mem_time[bucket_name] = time.monotonic()
+            self._stats_serial[bucket_name] = existing_serial
+
         try:
             cache_path.parent.mkdir(parents=True, exist_ok=True)
-            cache_path.write_text(json.dumps(stats), encoding="utf-8")
+            self._atomic_write_json(cache_path, stats)
         except OSError:
             pass
 
         return stats
 
     def _invalidate_bucket_stats_cache(self, bucket_id: str) -> None:
-        """Invalidate the cached bucket statistics."""
+        with self._stats_lock:
+            self._stats_mem.pop(bucket_id, None)
+            self._stats_mem_time.pop(bucket_id, None)
+            self._stats_serial[bucket_id] = self._stats_serial.get(bucket_id, 0) + 1
+            self._stats_dirty.discard(bucket_id)
         cache_path = self._system_bucket_root(bucket_id) / "stats.json"
         try:
             cache_path.unlink(missing_ok=True)
@@ -373,30 +388,53 @@ class ObjectStorage:
         version_bytes_delta: int = 0,
         version_count_delta: int = 0,
     ) -> None:
-        """Incrementally update cached bucket statistics instead of invalidating.
+        with self._stats_lock:
+            if bucket_id not in self._stats_mem:
+                self._stats_mem[bucket_id] = {
+                    "objects": 0, "bytes": 0, "version_count": 0,
+                    "version_bytes": 0, "total_objects": 0, "total_bytes": 0,
+                    "_cache_serial": 0,
+                }
+            data = self._stats_mem[bucket_id]
+            data["objects"] = max(0, data["objects"] + objects_delta)
+            data["bytes"] = max(0, data["bytes"] + bytes_delta)
+            data["version_count"] = max(0, data["version_count"] + version_count_delta)
+            data["version_bytes"] = max(0, data["version_bytes"] + version_bytes_delta)
+            data["total_objects"] = max(0, data["total_objects"] + objects_delta + version_count_delta)
+            data["total_bytes"] = max(0, data["total_bytes"] + bytes_delta + version_bytes_delta)
+            data["_cache_serial"] = data["_cache_serial"] + 1
+            self._stats_serial[bucket_id] = self._stats_serial.get(bucket_id, 0) + 1
+            self._stats_mem_time[bucket_id] = time.monotonic()
+            self._stats_dirty.add(bucket_id)
+            self._schedule_stats_flush()
 
-        This avoids expensive full directory scans on every PUT/DELETE by
+    def _schedule_stats_flush(self) -> None:
-        adjusting the cached values directly. Also signals cross-process cache
+        if self._stats_flush_timer is None or not self._stats_flush_timer.is_alive():
-        invalidation by incrementing _cache_serial.
+            self._stats_flush_timer = threading.Timer(3.0, self._flush_stats)
-        """
+            self._stats_flush_timer.daemon = True
+            self._stats_flush_timer.start()
+
+    def _flush_stats(self) -> None:
+        with self._stats_lock:
+            dirty = list(self._stats_dirty)
+            self._stats_dirty.clear()
+            snapshots = {b: dict(self._stats_mem[b]) for b in dirty if b in self._stats_mem}
+        for bucket_id, data in snapshots.items():
             cache_path = self._system_bucket_root(bucket_id) / "stats.json"
             try:
                 cache_path.parent.mkdir(parents=True, exist_ok=True)
-            if cache_path.exists():
+                self._atomic_write_json(cache_path, data)
-                data = json.loads(cache_path.read_text(encoding="utf-8"))
+            except OSError:
-            else:
-                data = {"objects": 0, "bytes": 0, "version_count": 0, "version_bytes": 0, "total_objects": 0, "total_bytes": 0, "_cache_serial": 0}
-            data["objects"] = max(0, data.get("objects", 0) + objects_delta)
-            data["bytes"] = max(0, data.get("bytes", 0) + bytes_delta)
-            data["version_count"] = max(0, data.get("version_count", 0) + version_count_delta)
-            data["version_bytes"] = max(0, data.get("version_bytes", 0) + version_bytes_delta)
-            data["total_objects"] = max(0, data.get("total_objects", 0) + objects_delta + version_count_delta)
-            data["total_bytes"] = max(0, data.get("total_bytes", 0) + bytes_delta + version_bytes_delta)
-            data["_cache_serial"] = data.get("_cache_serial", 0) + 1
-            cache_path.write_text(json.dumps(data), encoding="utf-8")
-        except (OSError, json.JSONDecodeError):
                 pass
 
+    def shutdown_stats(self) -> None:
+        if self._stats_flush_timer is not None:
+            self._stats_flush_timer.cancel()
+        self._flush_stats()
+        if self._etag_index_flush_timer is not None:
+            self._etag_index_flush_timer.cancel()
+        self._flush_etag_indexes()
+
     def delete_bucket(self, bucket_name: str) -> None:
         bucket_path = self._bucket_path(bucket_name)
         if not bucket_path.exists():
@@ -413,13 +451,20 @@ class ObjectStorage:
         self._remove_tree(self._system_bucket_root(bucket_id))
         self._remove_tree(self._multipart_bucket_root(bucket_id))
         self._bucket_config_cache.pop(bucket_id, None)
-        with self._cache_lock:
+        with self._obj_cache_lock:
             self._object_cache.pop(bucket_id, None)
             self._cache_version.pop(bucket_id, None)
             self._sorted_key_cache.pop(bucket_id, None)
+        with self._meta_cache_lock:
             stale = [k for k in self._meta_read_cache if k[0] == bucket_id]
             for k in stale:
                 del self._meta_read_cache[k]
+        with self._stats_lock:
+            self._stats_mem.pop(bucket_id, None)
+            self._stats_mem_time.pop(bucket_id, None)
+            self._stats_serial.pop(bucket_id, None)
+            self._stats_dirty.discard(bucket_id)
+        self._etag_index_dirty.discard(bucket_id)
 
     def list_objects(
         self,
@@ -834,11 +879,6 @@ class ObjectStorage:
         is_overwrite = destination.exists()
         existing_size = destination.stat().st_size if is_overwrite else 0
 
-        archived_version_size = 0
-        if self._is_versioning_enabled(bucket_path) and is_overwrite:
-            archived_version_size = existing_size
-            self._archive_current_version(bucket_id, safe_key, reason="overwrite")
-
         tmp_dir = self._system_root_path() / self.SYSTEM_TMP_DIR
         tmp_dir.mkdir(parents=True, exist_ok=True)
 
@@ -865,19 +905,21 @@ class ObjectStorage:
                             quota_check["quota"],
                             quota_check["usage"],
                         )
-
+            except BaseException:
-                shutil.move(str(tmp_path), str(destination))
-            finally:
                 if tmp_path:
                     try:
                         tmp_path.unlink(missing_ok=True)
                     except OSError:
                         pass
+                raise
         else:
             tmp_path = tmp_dir / f"{uuid.uuid4().hex}.tmp"
             try:
+                checksum = hashlib.md5()
                 with tmp_path.open("wb") as target:
-                    shutil.copyfileobj(stream, target)
+                    shutil.copyfileobj(_HashingReader(stream, checksum), target)
+                    target.flush()
+                    os.fsync(target.fileno())
 
                 new_size = tmp_path.stat().st_size
                 size_delta = new_size - existing_size
@@ -896,27 +938,43 @@ class ObjectStorage:
                             quota_check["usage"],
                         )
 
-                checksum = hashlib.md5()
-                with tmp_path.open("rb") as f:
-                    while True:
-                        chunk = f.read(1048576)
-                        if not chunk:
-                            break
-                        checksum.update(chunk)
                 etag = checksum.hexdigest()
-
+            except BaseException:
-                shutil.move(str(tmp_path), str(destination))
-            finally:
                 try:
                     tmp_path.unlink(missing_ok=True)
                 except OSError:
                     pass
+                raise
+
+        lock_file_path = self._system_bucket_root(bucket_id) / "locks" / f"{safe_key.as_posix().replace('/', '_')}.lock"
+        try:
+            with _atomic_lock_file(lock_file_path):
+                archived_version_size = 0
+                if self._is_versioning_enabled(bucket_path) and is_overwrite:
+                    archived_version_size = existing_size
+                    self._archive_current_version(bucket_id, safe_key, reason="overwrite")
+
+                shutil.move(str(tmp_path), str(destination))
+                tmp_path = None
 
                 stat = destination.stat()
 
-        internal_meta = {"__etag__": etag, "__size__": str(stat.st_size)}
+                internal_meta = {"__etag__": etag, "__size__": str(stat.st_size), "__last_modified__": str(stat.st_mtime)}
                 combined_meta = {**internal_meta, **(metadata or {})}
                 self._write_metadata(bucket_id, safe_key, combined_meta)
+        except BlockingIOError:
+            try:
+                if tmp_path:
+                    tmp_path.unlink(missing_ok=True)
+            except OSError:
+                pass
+            raise StorageError("Another upload to this key is in progress")
+        finally:
+            if tmp_path:
+                try:
+                    tmp_path.unlink(missing_ok=True)
+                except OSError:
+                    pass
 
         self._update_bucket_stats_cache(
             bucket_id,
@@ -1508,18 +1566,16 @@ class ObjectStorage:
         temp_path = upload_root / f".{part_filename}.tmp"
 
         try:
+            if _HAS_RUST:
                 with temp_path.open("wb") as target:
                     shutil.copyfileobj(stream, target)
-            if _HAS_RUST:
                 part_etag = _rc.md5_file(str(temp_path))
             else:
                 checksum = hashlib.md5()
-                with temp_path.open("rb") as f:
+                with temp_path.open("wb") as target:
-                    while True:
+                    shutil.copyfileobj(_HashingReader(stream, checksum), target)
-                        chunk = f.read(1048576)
+                    target.flush()
-                        if not chunk:
+                    os.fsync(target.fileno())
-                            break
-                        checksum.update(chunk)
                 part_etag = checksum.hexdigest()
             temp_path.replace(part_path)
         except OSError:
@@ -1553,7 +1609,7 @@ class ObjectStorage:
 
                         parts = manifest.setdefault("parts", {})
                         parts[str(part_number)] = record
-                        manifest_path.write_text(json.dumps(manifest), encoding="utf-8")
+                        self._atomic_write_json(manifest_path, manifest)
                 break
             except OSError as exc:
                 if attempt < max_retries - 1:
@@ -1646,7 +1702,7 @@ class ObjectStorage:
 
                         parts = manifest.setdefault("parts", {})
                         parts[str(part_number)] = record
-                        manifest_path.write_text(json.dumps(manifest), encoding="utf-8")
+                        self._atomic_write_json(manifest_path, manifest)
                 break
             except OSError as exc:
                 if attempt < max_retries - 1:
@@ -1752,6 +1808,8 @@ class ObjectStorage:
                                         break
                                     checksum.update(data)
                                     target.write(data)
+                        target.flush()
+                        os.fsync(target.fileno())
                     checksum_hex = checksum.hexdigest()
         except BlockingIOError:
             raise StorageError("Another upload to this key is in progress")
@@ -1770,7 +1828,7 @@ class ObjectStorage:
         etag = checksum_hex
         metadata = manifest.get("metadata")
 
-        internal_meta = {"__etag__": etag, "__size__": str(stat.st_size)}
+        internal_meta = {"__etag__": etag, "__size__": str(stat.st_size), "__last_modified__": str(stat.st_mtime)}
         combined_meta = {**internal_meta, **(metadata or {})}
         self._write_metadata(bucket_id, safe_key, combined_meta)
 
@@ -2131,19 +2189,19 @@ class ObjectStorage:
         now = time.time()
         current_stats_mtime = self._get_cache_marker_mtime(bucket_id)
 
-        with self._cache_lock:
+        with self._obj_cache_lock:
             cached = self._object_cache.get(bucket_id)
             if cached:
                 objects, timestamp, cached_stats_mtime = cached
                 if now - timestamp < self._cache_ttl and current_stats_mtime == cached_stats_mtime:
                     self._object_cache.move_to_end(bucket_id)
                     return objects
-            cache_version = self._cache_version.get(bucket_id, 0)
 
         bucket_lock = self._get_bucket_lock(bucket_id)
         with bucket_lock:
+            now = time.time()
             current_stats_mtime = self._get_cache_marker_mtime(bucket_id)
-            with self._cache_lock:
+            with self._obj_cache_lock:
                 cached = self._object_cache.get(bucket_id)
                 if cached:
                     objects, timestamp, cached_stats_mtime = cached
@@ -2154,31 +2212,23 @@ class ObjectStorage:
             objects = self._build_object_cache(bucket_path)
             new_stats_mtime = self._get_cache_marker_mtime(bucket_id)
 
-            with self._cache_lock:
+            with self._obj_cache_lock:
-                current_version = self._cache_version.get(bucket_id, 0)
-                if current_version != cache_version:
-                    objects = self._build_object_cache(bucket_path)
-                    new_stats_mtime = self._get_cache_marker_mtime(bucket_id)
                 while len(self._object_cache) >= self._object_cache_max_size:
                     self._object_cache.popitem(last=False)
 
                 self._object_cache[bucket_id] = (objects, time.time(), new_stats_mtime)
                 self._object_cache.move_to_end(bucket_id)
-                self._cache_version[bucket_id] = current_version + 1
+                self._cache_version[bucket_id] = self._cache_version.get(bucket_id, 0) + 1
                 self._sorted_key_cache.pop(bucket_id, None)
 
         return objects
 
     def _invalidate_object_cache(self, bucket_id: str) -> None:
-        """Invalidate the object cache and etag index for a bucket.
+        with self._obj_cache_lock:
-
-        Increments version counter to signal stale reads.
-        Cross-process invalidation is handled by checking stats.json mtime.
-        """
-        with self._cache_lock:
             self._object_cache.pop(bucket_id, None)
             self._cache_version[bucket_id] = self._cache_version.get(bucket_id, 0) + 1
 
+        self._etag_index_dirty.discard(bucket_id)
         etag_index_path = self._system_bucket_root(bucket_id) / "etag_index.json"
         try:
             etag_index_path.unlink(missing_ok=True)
@@ -2186,22 +2236,10 @@ class ObjectStorage:
             pass
 
     def _get_cache_marker_mtime(self, bucket_id: str) -> float:
-        """Get a cache marker combining serial and object count for cross-process invalidation.
+        return float(self._stats_serial.get(bucket_id, 0))
-
-        Returns a combined value that changes if either _cache_serial or object count changes.
-        This handles cases where the serial was reset but object count differs.
-        """
-        stats_path = self._system_bucket_root(bucket_id) / "stats.json"
-        try:
-            data = json.loads(stats_path.read_text(encoding="utf-8"))
-            serial = data.get("_cache_serial", 0)
-            count = data.get("objects", 0)
-            return float(serial * 1000000 + count)
-        except (OSError, json.JSONDecodeError):
-            return 0
 
     def _update_object_cache_entry(self, bucket_id: str, key: str, meta: Optional[ObjectMeta]) -> None:
-        with self._cache_lock:
+        with self._obj_cache_lock:
             cached = self._object_cache.get(bucket_id)
             if cached:
                 objects, timestamp, stats_mtime = cached
@@ -2212,22 +2250,31 @@ class ObjectStorage:
             self._cache_version[bucket_id] = self._cache_version.get(bucket_id, 0) + 1
             self._sorted_key_cache.pop(bucket_id, None)
 
-        self._update_etag_index(bucket_id, key, meta.etag if meta else None)
+        self._etag_index_dirty.add(bucket_id)
+        self._schedule_etag_index_flush()
 
-    def _update_etag_index(self, bucket_id: str, key: str, etag: Optional[str]) -> None:
+    def _schedule_etag_index_flush(self) -> None:
+        if self._etag_index_flush_timer is None or not self._etag_index_flush_timer.is_alive():
+            self._etag_index_flush_timer = threading.Timer(5.0, self._flush_etag_indexes)
+            self._etag_index_flush_timer.daemon = True
+            self._etag_index_flush_timer.start()
+
+    def _flush_etag_indexes(self) -> None:
+        dirty = set(self._etag_index_dirty)
+        self._etag_index_dirty.clear()
+        for bucket_id in dirty:
+            with self._obj_cache_lock:
+                cached = self._object_cache.get(bucket_id)
+                if not cached:
+                    continue
+                objects = cached[0]
+                index = {k: v.etag for k, v in objects.items() if v.etag}
             etag_index_path = self._system_bucket_root(bucket_id) / "etag_index.json"
-        if not etag_index_path.exists():
-            return
             try:
-            with open(etag_index_path, 'r', encoding='utf-8') as f:
+                etag_index_path.parent.mkdir(parents=True, exist_ok=True)
-                index = json.load(f)
-            if etag is None:
-                index.pop(key, None)
-            else:
-                index[key] = etag
                 with open(etag_index_path, 'w', encoding='utf-8') as f:
                     json.dump(index, f)
-        except (OSError, json.JSONDecodeError):
+            except OSError:
                 pass
 
     def warm_cache(self, bucket_names: Optional[List[str]] = None) -> None:
@@ -2269,6 +2316,23 @@ class ObjectStorage:
         ):
             path.mkdir(parents=True, exist_ok=True)
 
+    @staticmethod
+    def _atomic_write_json(path: Path, data: Any) -> None:
+        path.parent.mkdir(parents=True, exist_ok=True)
+        tmp_path = path.with_suffix(".tmp")
+        try:
+            with tmp_path.open("w", encoding="utf-8") as f:
+                json.dump(data, f)
+                f.flush()
+                os.fsync(f.fileno())
+            tmp_path.replace(path)
+        except BaseException:
+            try:
+                tmp_path.unlink(missing_ok=True)
+            except OSError:
+                pass
+            raise
+
     def _multipart_dir(self, bucket_name: str, upload_id: str) -> Path:
         return self._multipart_bucket_root(bucket_name) / upload_id
 
@@ -2285,11 +2349,6 @@ class ObjectStorage:
         if cached:
             config, cached_time, cached_mtime = cached
             if now - cached_time < self._bucket_config_cache_ttl:
-                try:
-                    current_mtime = config_path.stat().st_mtime if config_path.exists() else 0.0
-                except OSError:
-                    current_mtime = 0.0
-                if current_mtime == cached_mtime:
                 return config.copy()
 
         if not config_path.exists():
@@ -2308,7 +2367,7 @@ class ObjectStorage:
     def _write_bucket_config(self, bucket_name: str, payload: dict[str, Any]) -> None:
         config_path = self._bucket_config_path(bucket_name)
         config_path.parent.mkdir(parents=True, exist_ok=True)
-        config_path.write_text(json.dumps(payload), encoding="utf-8")
+        self._atomic_write_json(config_path, payload)
         try:
             mtime = config_path.stat().st_mtime
         except OSError:
@@ -2342,8 +2401,7 @@ class ObjectStorage:
 
     def _write_multipart_manifest(self, upload_root: Path, manifest: dict[str, Any]) -> None:
         manifest_path = upload_root / self.MULTIPART_MANIFEST
-        manifest_path.parent.mkdir(parents=True, exist_ok=True)
+        self._atomic_write_json(manifest_path, manifest)
-        manifest_path.write_text(json.dumps(manifest), encoding="utf-8")
 
     def _metadata_file(self, bucket_name: str, key: Path) -> Path:
         meta_root = self._bucket_meta_root(bucket_name)
@@ -2359,19 +2417,19 @@ class ObjectStorage:
         return meta_root / parent / "_index.json", entry_name
 
     def _get_meta_index_lock(self, index_path: str) -> threading.Lock:
-        with self._cache_lock:
+        with self._registry_lock:
             if index_path not in self._meta_index_locks:
                 self._meta_index_locks[index_path] = threading.Lock()
             return self._meta_index_locks[index_path]
 
     def _read_index_entry(self, bucket_name: str, key: Path) -> Optional[Dict[str, Any]]:
         cache_key = (bucket_name, str(key))
-        with self._cache_lock:
+        with self._meta_cache_lock:
             hit = self._meta_read_cache.get(cache_key)
             if hit is not None:
                 self._meta_read_cache.move_to_end(cache_key)
                 cached = hit[0]
-                return copy.deepcopy(cached) if cached is not None else None
+                return dict(cached) if cached is not None else None
 
         index_path, entry_name = self._index_file_for_key(bucket_name, key)
         if _HAS_RUST:
@@ -2386,16 +2444,16 @@ class ObjectStorage:
                 except (OSError, json.JSONDecodeError):
                     result = None
 
-        with self._cache_lock:
+        with self._meta_cache_lock:
             while len(self._meta_read_cache) >= self._meta_read_cache_max:
                 self._meta_read_cache.popitem(last=False)
-            self._meta_read_cache[cache_key] = (copy.deepcopy(result) if result is not None else None,)
+            self._meta_read_cache[cache_key] = (dict(result) if result is not None else None,)
 
         return result
 
     def _invalidate_meta_read_cache(self, bucket_name: str, key: Path) -> None:
         cache_key = (bucket_name, str(key))
-        with self._cache_lock:
+        with self._meta_cache_lock:
             self._meta_read_cache.pop(cache_key, None)
 
     def _write_index_entry(self, bucket_name: str, key: Path, entry: Dict[str, Any]) -> None:
@@ -2413,7 +2471,7 @@ class ObjectStorage:
                     except (OSError, json.JSONDecodeError):
                         pass
                 index_data[entry_name] = entry
-                index_path.write_text(json.dumps(index_data), encoding="utf-8")
+                self._atomic_write_json(index_path, index_data)
         self._invalidate_meta_read_cache(bucket_name, key)
 
     def _delete_index_entry(self, bucket_name: str, key: Path) -> None:
@@ -2434,7 +2492,7 @@ class ObjectStorage:
                 if entry_name in index_data:
                     del index_data[entry_name]
                     if index_data:
-                        index_path.write_text(json.dumps(index_data), encoding="utf-8")
+                        self._atomic_write_json(index_path, index_data)
                     else:
                         try:
                             index_path.unlink()
@@ -2483,7 +2541,7 @@ class ObjectStorage:
             "reason": reason,
         }
         manifest_path = version_dir / f"{version_id}.json"
-        manifest_path.write_text(json.dumps(record), encoding="utf-8")
+        self._atomic_write_json(manifest_path, record)
 
     def _read_metadata(self, bucket_name: str, key: Path) -> Dict[str, str]:
         entry = self._read_index_entry(bucket_name, key)

app/ui.py

@@ -1754,6 +1754,10 @@ def iam_dashboard():
     users = iam_service.list_users() if not locked else []
     config_summary = iam_service.config_summary()
     config_document = json.dumps(iam_service.export_config(mask_secrets=True), indent=2)
+    from datetime import datetime as _dt, timedelta as _td, timezone as _tz
+    _now = _dt.now(_tz.utc)
+    now_iso = _now.isoformat()
+    soon_iso = (_now + _td(days=7)).isoformat()
     return render_template(
         "iam.html",
         users=users,
@@ -1763,6 +1767,8 @@ def iam_dashboard():
         config_summary=config_summary,
         config_document=config_document,
         disclosed_secret=disclosed_secret,
+        now_iso=now_iso,
+        soon_iso=soon_iso,
     )
 
 
@@ -1782,6 +1788,8 @@ def create_iam_user():
             return jsonify({"error": "Display name must be 64 characters or fewer"}), 400
         flash("Display name must be 64 characters or fewer", "danger")
         return redirect(url_for("ui.iam_dashboard"))
+    custom_access_key = request.form.get("access_key", "").strip() or None
+    custom_secret_key = request.form.get("secret_key", "").strip() or None
     policies_text = request.form.get("policies", "").strip()
     policies = None
     if policies_text:
@@ -1792,8 +1800,21 @@ def create_iam_user():
                 return jsonify({"error": f"Invalid JSON: {exc}"}), 400
             flash(f"Invalid JSON: {exc}", "danger")
             return redirect(url_for("ui.iam_dashboard"))
+    expires_at = request.form.get("expires_at", "").strip() or None
+    if expires_at:
         try:
-        created = _iam().create_user(display_name=display_name, policies=policies)
+            from datetime import datetime as _dt, timezone as _tz
+            exp_dt = _dt.fromisoformat(expires_at)
+            if exp_dt.tzinfo is None:
+                exp_dt = exp_dt.replace(tzinfo=_tz.utc)
+            expires_at = exp_dt.isoformat()
+        except (ValueError, TypeError):
+            if _wants_json():
+                return jsonify({"error": "Invalid expiry date format"}), 400
+            flash("Invalid expiry date format", "danger")
+            return redirect(url_for("ui.iam_dashboard"))
+    try:
+        created = _iam().create_user(display_name=display_name, policies=policies, access_key=custom_access_key, secret_key=custom_secret_key, expires_at=expires_at)
     except IamError as exc:
         if _wants_json():
             return jsonify({"error": str(exc)}), 400
@@ -1967,6 +1988,45 @@ def update_iam_policies(access_key: str):
     return redirect(url_for("ui.iam_dashboard"))
 
 
+@ui_bp.post("/iam/users/<access_key>/expiry")
+def update_iam_expiry(access_key: str):
+    principal = _current_principal()
+    try:
+        _iam().authorize(principal, None, "iam:update_policy")
+    except IamError as exc:
+        if _wants_json():
+            return jsonify({"error": str(exc)}), 403
+        flash(str(exc), "danger")
+        return redirect(url_for("ui.iam_dashboard"))
+
+    expires_at = request.form.get("expires_at", "").strip() or None
+    if expires_at:
+        try:
+            from datetime import datetime as _dt, timezone as _tz
+            exp_dt = _dt.fromisoformat(expires_at)
+            if exp_dt.tzinfo is None:
+                exp_dt = exp_dt.replace(tzinfo=_tz.utc)
+            expires_at = exp_dt.isoformat()
+        except (ValueError, TypeError):
+            if _wants_json():
+                return jsonify({"error": "Invalid expiry date format"}), 400
+            flash("Invalid expiry date format", "danger")
+            return redirect(url_for("ui.iam_dashboard"))
+
+    try:
+        _iam().update_user_expiry(access_key, expires_at)
+        if _wants_json():
+            return jsonify({"success": True, "message": f"Updated expiry for {access_key}", "expires_at": expires_at})
+        label = expires_at if expires_at else "never"
+        flash(f"Expiry for {access_key} set to {label}", "success")
+    except IamError as exc:
+        if _wants_json():
+            return jsonify({"error": str(exc)}), 400
+        flash(str(exc), "danger")
+
+    return redirect(url_for("ui.iam_dashboard"))
+
+
 @ui_bp.post("/connections")
 def create_connection():
     principal = _current_principal()

app/version.py

@@ -1,6 +1,6 @@
 from __future__ import annotations
 
-APP_VERSION = "0.3.4"
+APP_VERSION = "0.3.7"
 
 
 def get_version() -> str:

docs.md

@@ -145,13 +145,15 @@ All configuration is done via environment variables. The table below lists every
 
 | Variable | Default | Notes |
 | --- | --- | --- |
-| `IAM_CONFIG` | `data/.myfsio.sys/config/iam.json` | Stores users, secrets, and inline policies. |
+| `IAM_CONFIG` | `data/.myfsio.sys/config/iam.json` | Stores users, secrets, and inline policies. Encrypted at rest when `SECRET_KEY` is set. |
 | `BUCKET_POLICY_PATH` | `data/.myfsio.sys/config/bucket_policies.json` | Bucket policy store (auto hot-reload). |
 | `AUTH_MAX_ATTEMPTS` | `5` | Failed login attempts before lockout. |
 | `AUTH_LOCKOUT_MINUTES` | `15` | Lockout duration after max failed attempts. |
 | `SESSION_LIFETIME_DAYS` | `30` | How long UI sessions remain valid. |
 | `SECRET_TTL_SECONDS` | `300` | TTL for ephemeral secrets (presigned URLs). |
 | `UI_ENFORCE_BUCKET_POLICIES` | `false` | Whether the UI should enforce bucket policies. |
+| `ADMIN_ACCESS_KEY` | (none) | Custom access key for the admin user on first run or credential reset. If unset, a random key is generated. |
+| `ADMIN_SECRET_KEY` | (none) | Custom secret key for the admin user on first run or credential reset. If unset, a random key is generated. |
 
 ### CORS (Cross-Origin Resource Sharing)
 
@@ -277,13 +279,14 @@ API responses for JSON, XML, HTML, CSS, and JavaScript are automatically gzip-co
 
 Before deploying to production, ensure you:
 
-1. **Set `SECRET_KEY`** - Use a strong, unique value (e.g., `openssl rand -base64 32`)
+1. **Set `SECRET_KEY`** - Use a strong, unique value (e.g., `openssl rand -base64 32`). This also enables IAM config encryption at rest.
 2. **Restrict CORS** - Set `CORS_ORIGINS` to your specific domains instead of `*`
 3. **Configure `API_BASE_URL`** - Required for correct presigned URLs behind proxies
 4. **Enable HTTPS** - Use a reverse proxy (nginx, Cloudflare) with TLS termination
 5. **Review rate limits** - Adjust `RATE_LIMIT_DEFAULT` based on your needs
 6. **Secure master keys** - Back up `ENCRYPTION_MASTER_KEY_PATH` if using encryption
 7. **Use `--prod` flag** - Runs with Waitress instead of Flask dev server
+8. **Set credential expiry** - Assign `expires_at` to non-admin users for time-limited access
 
 ### Proxy Configuration
 
@@ -633,9 +636,10 @@ MyFSIO implements a comprehensive Identity and Access Management (IAM) system th
 
 ### Getting Started
 
-1. On first boot, `data/.myfsio.sys/config/iam.json` is created with a randomly generated admin user. The access key and secret key are printed to the console during first startup. If you miss it, check the `iam.json` file directly—credentials are stored in plaintext.
+1. On first boot, `data/.myfsio.sys/config/iam.json` is created with a randomly generated admin user. The access key and secret key are printed to the console during first startup. You can set `ADMIN_ACCESS_KEY` and `ADMIN_SECRET_KEY` environment variables to use custom credentials instead of random ones. If `SECRET_KEY` is configured, the IAM config file is encrypted at rest using AES (Fernet). To reset admin credentials later, run `python run.py --reset-cred`.
 2. Sign into the UI using the generated credentials, then open **IAM**:
-   - **Create user**: supply a display name and optional JSON inline policy array.
+   - **Create user**: supply a display name, optional JSON inline policy array, and optional credential expiry date.
+   - **Set expiry**: assign an expiration date to any user's credentials. Expired credentials are rejected at authentication time. The UI shows expiry badges and preset durations (1h, 24h, 7d, 30d, 90d).
    - **Rotate secret**: generates a new secret key; the UI surfaces it once.
    - **Policy editor**: select a user, paste an array of objects (`{"bucket": "*", "actions": ["list", "read"]}`), and submit. Alias support includes AWS-style verbs (e.g., `s3:GetObject`).
 3. Wildcard action `iam:*` is supported for admin user definitions.
@@ -653,8 +657,11 @@ The API expects every request to include authentication headers. The UI persists
 
 **Security Features:**
 - **Lockout Protection**: After `AUTH_MAX_ATTEMPTS` (default: 5) failed login attempts, the account is locked for `AUTH_LOCKOUT_MINUTES` (default: 15 minutes).
+- **Credential Expiry**: Each user can have an optional `expires_at` timestamp (ISO 8601). Once expired, all API requests using those credentials are rejected. Set or clear expiry via the UI or API.
+- **IAM Config Encryption**: When `SECRET_KEY` is set, the IAM config file (`iam.json`) is encrypted at rest using Fernet (AES-256-CBC with HMAC). Existing plaintext configs are automatically encrypted on next load.
 - **Session Management**: UI sessions remain valid for `SESSION_LIFETIME_DAYS` (default: 30 days).
 - **Hot Reload**: IAM configuration changes take effect immediately without restart.
+- **Credential Reset**: Run `python run.py --reset-cred` to reset admin credentials. Supports `ADMIN_ACCESS_KEY` and `ADMIN_SECRET_KEY` env vars for deterministic keys.
 
 ### Permission Model
 
@@ -814,7 +821,8 @@ curl -X POST http://localhost:5000/iam/users \
   -H "X-Access-Key: ..." -H "X-Secret-Key: ..." \
   -d '{
     "display_name": "New User",
-    "policies": [{"bucket": "*", "actions": ["list", "read"]}]
+    "policies": [{"bucket": "*", "actions": ["list", "read"]}],
+    "expires_at": "2026-12-31T23:59:59Z"
   }'
 
 # Rotate user secret (requires iam:rotate_key)
@@ -827,6 +835,18 @@ curl -X PUT http://localhost:5000/iam/users/<access-key>/policies \
   -H "X-Access-Key: ..." -H "X-Secret-Key: ..." \
   -d '[{"bucket": "*", "actions": ["list", "read", "write"]}]'
 
+# Update credential expiry (requires iam:update_policy)
+curl -X POST http://localhost:5000/iam/users/<access-key>/expiry \
+  -H "Content-Type: application/x-www-form-urlencoded" \
+  -H "X-Access-Key: ..." -H "X-Secret-Key: ..." \
+  -d 'expires_at=2026-12-31T23:59:59Z'
+
+# Remove credential expiry (never expires)
+curl -X POST http://localhost:5000/iam/users/<access-key>/expiry \
+  -H "Content-Type: application/x-www-form-urlencoded" \
+  -H "X-Access-Key: ..." -H "X-Secret-Key: ..." \
+  -d 'expires_at='
+
 # Delete a user (requires iam:delete_user)
 curl -X DELETE http://localhost:5000/iam/users/<access-key> \
   -H "X-Access-Key: ..." -H "X-Secret-Key: ..."
@@ -838,8 +858,9 @@ When a request is made, permissions are evaluated in this order:
 
 1. **Authentication** – Verify the access key and secret key are valid
 2. **Lockout Check** – Ensure the account is not locked due to failed attempts
-3. **IAM Policy Check** – Verify the user has the required action for the target bucket
+3. **Expiry Check** – Reject requests if the user's credentials have expired (`expires_at`)
-4. **Bucket Policy Check** – If a bucket policy exists, verify it allows the action
+4. **IAM Policy Check** – Verify the user has the required action for the target bucket
+5. **Bucket Policy Check** – If a bucket policy exists, verify it allows the action
 
 A request is allowed only if:
 - The IAM policy grants the action, AND

myfsio_core/src/streaming.rs

@@ -46,6 +46,8 @@ pub fn stream_to_file_with_md5(
 
             py.check_signals()?;
         }
+        file.sync_all()
+            .map_err(|e| PyIOError::new_err(format!("Failed to fsync: {}", e)))?;
         Ok(())
     })();
 
@@ -102,6 +104,9 @@ pub fn assemble_parts_with_md5(
             }
         }
 
+        target.sync_all()
+            .map_err(|e| PyIOError::new_err(format!("Failed to fsync: {}", e)))?;
+
         Ok(format!("{:x}", hasher.finalize()))
     })
 }

run.py

@@ -23,6 +23,7 @@ from typing import Optional
 
 from app import create_api_app, create_ui_app
 from app.config import AppConfig
+from app.iam import IamService, IamError, ALLOWED_ACTIONS, _derive_fernet_key
 
 
 def _server_host() -> str:
@@ -87,21 +88,121 @@ def serve_ui(port: int, prod: bool = False, config: Optional[AppConfig] = None)
         app.run(host=_server_host(), port=port, debug=debug)
 
 
+def reset_credentials() -> None:
+    import json
+    import secrets
+    from cryptography.fernet import Fernet
+
+    config = AppConfig.from_env()
+    iam_path = config.iam_config_path
+    encryption_key = config.secret_key
+
+    access_key = os.environ.get("ADMIN_ACCESS_KEY", "").strip() or secrets.token_hex(12)
+    secret_key = os.environ.get("ADMIN_SECRET_KEY", "").strip() or secrets.token_urlsafe(32)
+    custom_keys = bool(os.environ.get("ADMIN_ACCESS_KEY", "").strip())
+
+    fernet = Fernet(_derive_fernet_key(encryption_key)) if encryption_key else None
+
+    raw_config = None
+    if iam_path.exists():
+        try:
+            raw_bytes = iam_path.read_bytes()
+            from app.iam import _IAM_ENCRYPTED_PREFIX
+            if raw_bytes.startswith(_IAM_ENCRYPTED_PREFIX):
+                if fernet:
+                    try:
+                        content = fernet.decrypt(raw_bytes[len(_IAM_ENCRYPTED_PREFIX):]).decode("utf-8")
+                        raw_config = json.loads(content)
+                    except Exception:
+                        print("WARNING: Could not decrypt existing IAM config. Creating fresh config.")
+                else:
+                    print("WARNING: IAM config is encrypted but no SECRET_KEY available. Creating fresh config.")
+            else:
+                try:
+                    raw_config = json.loads(raw_bytes.decode("utf-8"))
+                except json.JSONDecodeError:
+                    print("WARNING: Existing IAM config is corrupted. Creating fresh config.")
+        except OSError:
+            pass
+
+    if raw_config and raw_config.get("users"):
+        admin_user = None
+        for user in raw_config["users"]:
+            policies = user.get("policies", [])
+            for p in policies:
+                actions = p.get("actions", [])
+                if "iam:*" in actions or "*" in actions:
+                    admin_user = user
+                    break
+            if admin_user:
+                break
+        if not admin_user:
+            admin_user = raw_config["users"][0]
+
+        admin_user["access_key"] = access_key
+        admin_user["secret_key"] = secret_key
+    else:
+        raw_config = {
+            "users": [
+                {
+                    "access_key": access_key,
+                    "secret_key": secret_key,
+                    "display_name": "Local Admin",
+                    "policies": [
+                        {"bucket": "*", "actions": list(ALLOWED_ACTIONS)}
+                    ],
+                }
+            ]
+        }
+
+    json_text = json.dumps(raw_config, indent=2)
+    iam_path.parent.mkdir(parents=True, exist_ok=True)
+    temp_path = iam_path.with_suffix(".json.tmp")
+    if fernet:
+        from app.iam import _IAM_ENCRYPTED_PREFIX
+        encrypted = fernet.encrypt(json_text.encode("utf-8"))
+        temp_path.write_bytes(_IAM_ENCRYPTED_PREFIX + encrypted)
+    else:
+        temp_path.write_text(json_text, encoding="utf-8")
+    temp_path.replace(iam_path)
+
+    print(f"\n{'='*60}")
+    print("MYFSIO - ADMIN CREDENTIALS RESET")
+    print(f"{'='*60}")
+    if custom_keys:
+        print(f"Access Key: {access_key} (from ADMIN_ACCESS_KEY)")
+        print(f"Secret Key: {'(from ADMIN_SECRET_KEY)' if os.environ.get('ADMIN_SECRET_KEY', '').strip() else secret_key}")
+    else:
+        print(f"Access Key: {access_key}")
+        print(f"Secret Key: {secret_key}")
+    print(f"{'='*60}")
+    if fernet:
+        print("IAM config saved (encrypted).")
+    else:
+        print(f"IAM config saved to: {iam_path}")
+    print(f"{'='*60}\n")
+
+
 if __name__ == "__main__":
     multiprocessing.freeze_support()
     if _is_frozen():
         multiprocessing.set_start_method("spawn", force=True)
 
     parser = argparse.ArgumentParser(description="Run the S3 clone services.")
-    parser.add_argument("--mode", choices=["api", "ui", "both"], default="both")
+    parser.add_argument("--mode", choices=["api", "ui", "both", "reset-cred"], default="both")
     parser.add_argument("--api-port", type=int, default=5000)
     parser.add_argument("--ui-port", type=int, default=5100)
     parser.add_argument("--prod", action="store_true", help="Run in production mode using Waitress")
     parser.add_argument("--dev", action="store_true", help="Force development mode (Flask dev server)")
     parser.add_argument("--check-config", action="store_true", help="Validate configuration and exit")
     parser.add_argument("--show-config", action="store_true", help="Show configuration summary and exit")
+    parser.add_argument("--reset-cred", action="store_true", help="Reset admin credentials and exit")
     args = parser.parse_args()
 
+    if args.reset_cred or args.mode == "reset-cred":
+        reset_credentials()
+        sys.exit(0)
+
     if args.check_config or args.show_config:
         config = AppConfig.from_env()
         config.print_startup_summary()

static/css/main.css

@@ -1154,39 +1154,20 @@ html.sidebar-will-collapse .sidebar-user {
 	position: relative;
 	border: 1px solid var(--myfsio-card-border) !important;
 	border-radius: 1rem !important;
-	overflow: hidden;
+	overflow: visible;
 	transition: all 0.2s cubic-bezier(0.4, 0, 0.2, 1);
 }
 
-.iam-user-card::before {
-	content: '';
-	position: absolute;
-	top: 0;
-	left: 0;
-	right: 0;
-	height: 4px;
-	background: linear-gradient(90deg, #3b82f6, #8b5cf6);
-	opacity: 0;
-	transition: opacity 0.2s ease;
-}
-
 .iam-user-card:hover {
 	transform: translateY(-2px);
 	box-shadow: 0 8px 24px -4px rgba(0, 0, 0, 0.12), 0 4px 8px -4px rgba(0, 0, 0, 0.08);
 	border-color: var(--myfsio-accent) !important;
 }
 
-.iam-user-card:hover::before {
-	opacity: 1;
-}
-
 [data-theme='dark'] .iam-user-card:hover {
 	box-shadow: 0 8px 24px -4px rgba(0, 0, 0, 0.4), 0 4px 8px -4px rgba(0, 0, 0, 0.3);
 }
 
-.iam-admin-card::before {
-	background: linear-gradient(90deg, #f59e0b, #ef4444);
-}
 
 .iam-role-badge {
 	display: inline-flex;

static/js/bucket-detail-main.js

@@ -321,7 +321,7 @@
     `;
   };
 
-  const bucketTotalObjects = objectsContainer ? parseInt(objectsContainer.dataset.bucketTotalObjects || '0', 10) : 0;
+  let bucketTotalObjects = objectsContainer ? parseInt(objectsContainer.dataset.bucketTotalObjects || '0', 10) : 0;
 
   const updateObjectCountBadge = () => {
     if (!objectCountBadge) return;
@@ -702,6 +702,7 @@
       flushPendingStreamObjects();
       hasMoreObjects = false;
       totalObjectCount = loadedObjectCount;
+      if (!currentPrefix) bucketTotalObjects = totalObjectCount;
       updateObjectCountBadge();
 
       if (objectsLoadingRow && objectsLoadingRow.parentNode) {
@@ -766,6 +767,7 @@
       }
 
       totalObjectCount = data.total_count || 0;
+      if (!append && !currentPrefix) bucketTotalObjects = totalObjectCount;
       nextContinuationToken = data.next_continuation_token;
 
       if (!append && objectsLoadingRow) {

static/js/iam-management.js

@@ -11,9 +11,11 @@ window.IAMManagement = (function() {
   var editUserModal = null;
   var deleteUserModal = null;
   var rotateSecretModal = null;
+  var expiryModal = null;
   var currentRotateKey = null;
   var currentEditKey = null;
   var currentDeleteKey = null;
+  var currentExpiryKey = null;
 
   var ALL_S3_ACTIONS = ['list', 'read', 'write', 'delete', 'share', 'policy', 'replication', 'lifecycle', 'cors'];
 
@@ -65,6 +67,7 @@ window.IAMManagement = (function() {
     setupEditUserModal();
     setupDeleteUserModal();
     setupRotateSecretModal();
+    setupExpiryModal();
     setupFormHandlers();
     setupSearch();
     setupCopyAccessKeyButtons();
@@ -75,11 +78,13 @@ window.IAMManagement = (function() {
     var editModalEl = document.getElementById('editUserModal');
     var deleteModalEl = document.getElementById('deleteUserModal');
     var rotateModalEl = document.getElementById('rotateSecretModal');
+    var expiryModalEl = document.getElementById('expiryModal');
 
     if (policyModalEl) policyModal = new bootstrap.Modal(policyModalEl);
     if (editModalEl) editUserModal = new bootstrap.Modal(editModalEl);
     if (deleteModalEl) deleteUserModal = new bootstrap.Modal(deleteModalEl);
     if (rotateModalEl) rotateSecretModal = new bootstrap.Modal(rotateModalEl);
+    if (expiryModalEl) expiryModal = new bootstrap.Modal(expiryModalEl);
   }
 
   function setupJsonAutoIndent() {
@@ -97,6 +102,15 @@ window.IAMManagement = (function() {
       });
     });
 
+    var accessKeyCopyButton = document.querySelector('[data-access-key-copy]');
+    if (accessKeyCopyButton) {
+      accessKeyCopyButton.addEventListener('click', async function() {
+        var accessKeyInput = document.getElementById('disclosedAccessKeyValue');
+        if (!accessKeyInput) return;
+        await window.UICore.copyToClipboard(accessKeyInput.value, accessKeyCopyButton, 'Copy');
+      });
+    }
+
     var secretCopyButton = document.querySelector('[data-secret-copy]');
     if (secretCopyButton) {
       secretCopyButton.addEventListener('click', async function() {
@@ -143,6 +157,22 @@ window.IAMManagement = (function() {
     });
   }
 
+  function generateSecureHex(byteCount) {
+    var arr = new Uint8Array(byteCount);
+    crypto.getRandomValues(arr);
+    return Array.from(arr).map(function(b) { return b.toString(16).padStart(2, '0'); }).join('');
+  }
+
+  function generateSecureBase64(byteCount) {
+    var arr = new Uint8Array(byteCount);
+    crypto.getRandomValues(arr);
+    var binary = '';
+    for (var i = 0; i < arr.length; i++) {
+      binary += String.fromCharCode(arr[i]);
+    }
+    return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+  }
+
   function setupCreateUserModal() {
     var createUserPoliciesEl = document.getElementById('createUserPolicies');
 
@@ -151,6 +181,22 @@ window.IAMManagement = (function() {
         applyPolicyTemplate(button.dataset.createPolicyTemplate, createUserPoliciesEl);
       });
     });
+
+    var genAccessKeyBtn = document.getElementById('generateAccessKeyBtn');
+    if (genAccessKeyBtn) {
+      genAccessKeyBtn.addEventListener('click', function() {
+        var input = document.getElementById('createUserAccessKey');
+        if (input) input.value = generateSecureHex(8);
+      });
+    }
+
+    var genSecretKeyBtn = document.getElementById('generateSecretKeyBtn');
+    if (genSecretKeyBtn) {
+      genSecretKeyBtn.addEventListener('click', function() {
+        var input = document.getElementById('createUserSecretKey');
+        if (input) input.value = generateSecureBase64(24);
+      });
+    }
   }
 
   function setupEditUserModal() {
@@ -271,6 +317,77 @@ window.IAMManagement = (function() {
     }
   }
 
+  function openExpiryModal(key, expiresAt) {
+    currentExpiryKey = key;
+    var label = document.getElementById('expiryUserLabel');
+    var input = document.getElementById('expiryDateInput');
+    var form = document.getElementById('expiryForm');
+    if (label) label.textContent = key;
+    if (expiresAt) {
+      try {
+        var dt = new Date(expiresAt);
+        var local = new Date(dt.getTime() - dt.getTimezoneOffset() * 60000);
+        if (input) input.value = local.toISOString().slice(0, 16);
+      } catch(e) {
+        if (input) input.value = '';
+      }
+    } else {
+      if (input) input.value = '';
+    }
+    if (form) form.action = endpoints.updateExpiry.replace('ACCESS_KEY', key);
+    var modalEl = document.getElementById('expiryModal');
+    if (modalEl) {
+      var modal = bootstrap.Modal.getOrCreateInstance(modalEl);
+      modal.show();
+    }
+  }
+
+  function setupExpiryModal() {
+    document.querySelectorAll('[data-expiry-user]').forEach(function(btn) {
+      btn.addEventListener('click', function(e) {
+        e.preventDefault();
+        openExpiryModal(btn.dataset.expiryUser, btn.dataset.expiresAt || '');
+      });
+    });
+
+    document.querySelectorAll('[data-expiry-preset]').forEach(function(btn) {
+      btn.addEventListener('click', function() {
+        var preset = btn.dataset.expiryPreset;
+        var input = document.getElementById('expiryDateInput');
+        if (!input) return;
+        if (preset === 'clear') {
+          input.value = '';
+          return;
+        }
+        var now = new Date();
+        var ms = 0;
+        if (preset === '1h') ms = 3600000;
+        else if (preset === '24h') ms = 86400000;
+        else if (preset === '7d') ms = 7 * 86400000;
+        else if (preset === '30d') ms = 30 * 86400000;
+        else if (preset === '90d') ms = 90 * 86400000;
+        var future = new Date(now.getTime() + ms);
+        var local = new Date(future.getTime() - future.getTimezoneOffset() * 60000);
+        input.value = local.toISOString().slice(0, 16);
+      });
+    });
+
+    var expiryForm = document.getElementById('expiryForm');
+    if (expiryForm) {
+      expiryForm.addEventListener('submit', function(e) {
+        e.preventDefault();
+        window.UICore.submitFormAjax(expiryForm, {
+          successMessage: 'Expiry updated',
+          onSuccess: function() {
+            var modalEl = document.getElementById('expiryModal');
+            if (modalEl) bootstrap.Modal.getOrCreateInstance(modalEl).hide();
+            window.location.reload();
+          }
+        });
+      });
+    }
+  }
+
   function createUserCardHtml(accessKey, displayName, policies) {
     var admin = isAdminUser(policies);
     var cardClass = 'card h-100 iam-user-card' + (admin ? ' iam-admin-card' : '');
@@ -324,6 +441,8 @@ window.IAMManagement = (function() {
       '<ul class="dropdown-menu dropdown-menu-end">' +
       '<li><button class="dropdown-item" type="button" data-edit-user="' + esc(accessKey) + '" data-display-name="' + esc(displayName) + '">' +
       '<svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" class="me-2" viewBox="0 0 16 16"><path d="M12.146.146a.5.5 0 0 1 .708 0l3 3a.5.5 0 0 1 0 .708l-10 10a.5.5 0 0 1-.168.11l-5 2a.5.5 0 0 1-.65-.65l2-5a.5.5 0 0 1 .11-.168l10-10zM11.207 2.5 13.5 4.793 14.793 3.5 12.5 1.207 11.207 2.5zm1.586 3L10.5 3.207 4 9.707V10h.5a.5.5 0 0 1 .5.5v.5h.5a.5.5 0 0 1 .5.5v.5h.293l6.5-6.5z"/></svg>Edit Name</button></li>' +
+      '<li><button class="dropdown-item" type="button" data-expiry-user="' + esc(accessKey) + '" data-expires-at="">' +
+      '<svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" class="me-2" viewBox="0 0 16 16"><path d="M8 3.5a.5.5 0 0 0-1 0V9a.5.5 0 0 0 .252.434l3.5 2a.5.5 0 0 0 .496-.868L8 8.71V3.5z"/><path d="M8 16A8 8 0 1 0 8 0a8 8 0 0 0 0 16zm7-8A7 7 0 1 1 1 8a7 7 0 0 1 14 0z"/></svg>Set Expiry</button></li>' +
       '<li><button class="dropdown-item" type="button" data-rotate-user="' + esc(accessKey) + '">' +
       '<svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" class="me-2" viewBox="0 0 16 16"><path d="M11.534 7h3.932a.25.25 0 0 1 .192.41l-1.966 2.36a.25.25 0 0 1-.384 0l-1.966-2.36a.25.25 0 0 1 .192-.41zm-11 2h3.932a.25.25 0 0 0 .192-.41L2.692 6.23a.25.25 0 0 0-.384 0L.342 8.59A.25.25 0 0 0 .534 9z"/><path fill-rule="evenodd" d="M8 3c-1.552 0-2.94.707-3.857 1.818a.5.5 0 1 1-.771-.636A6.002 6.002 0 0 1 13.917 7H12.9A5.002 5.002 0 0 0 8 3zM3.1 9a5.002 5.002 0 0 0 8.757 2.182.5.5 0 1 1 .771.636A6.002 6.002 0 0 1 2.083 9H3.1z"/></svg>Rotate Secret</button></li>' +
       '<li><hr class="dropdown-divider"></li>' +
@@ -379,6 +498,14 @@ window.IAMManagement = (function() {
       });
     }
 
+    var expiryBtn = cardElement.querySelector('[data-expiry-user]');
+    if (expiryBtn) {
+      expiryBtn.addEventListener('click', function(e) {
+        e.preventDefault();
+        openExpiryModal(accessKey, '');
+      });
+    }
+
     var policyBtn = cardElement.querySelector('[data-policy-editor]');
     if (policyBtn) {
       policyBtn.addEventListener('click', function() {
@@ -428,10 +555,15 @@ window.IAMManagement = (function() {
                 '</svg>' +
                 '<div class="flex-grow-1">' +
                 '<div class="fw-semibold">New user created: <code>' + window.UICore.escapeHtml(data.access_key) + '</code></div>' +
-                '<p class="mb-2 small">This secret is only shown once. Copy it now and store it securely.</p>' +
+                '<p class="mb-2 small">These credentials are only shown once. Copy them now and store them securely.</p>' +
                 '</div>' +
                 '<button type="button" class="btn-close" data-bs-dismiss="alert" aria-label="Close"></button>' +
                 '</div>' +
+                '<div class="input-group mb-2">' +
+                '<span class="input-group-text"><strong>Access key</strong></span>' +
+                '<input class="form-control font-monospace" type="text" value="' + window.UICore.escapeHtml(data.access_key) + '" readonly />' +
+                '<button class="btn btn-outline-primary" type="button" id="copyNewUserAccessKey">Copy</button>' +
+                '</div>' +
                 '<div class="input-group">' +
                 '<span class="input-group-text"><strong>Secret key</strong></span>' +
                 '<input class="form-control font-monospace" type="text" value="' + window.UICore.escapeHtml(data.secret_key) + '" readonly id="newUserSecret" />' +
@@ -440,6 +572,9 @@ window.IAMManagement = (function() {
               var container = document.querySelector('.page-header');
               if (container) {
                 container.insertAdjacentHTML('afterend', alertHtml);
+                document.getElementById('copyNewUserAccessKey').addEventListener('click', async function() {
+                  await window.UICore.copyToClipboard(data.access_key, this, 'Copy');
+                });
                 document.getElementById('copyNewUserSecret').addEventListener('click', async function() {
                   await window.UICore.copyToClipboard(data.secret_key, this, 'Copy');
                 });

templates/docs.html

@@ -202,6 +202,16 @@ python run.py --mode ui
                 <td><code>60 per minute</code></td>
                 <td>Rate limit for admin API endpoints (<code>/admin/*</code>).</td>
               </tr>
+              <tr>
+                <td><code>ADMIN_ACCESS_KEY</code></td>
+                <td>(none)</td>
+                <td>Custom access key for the admin user on first run or credential reset. Random if unset.</td>
+              </tr>
+              <tr>
+                <td><code>ADMIN_SECRET_KEY</code></td>
+                <td>(none)</td>
+                <td>Custom secret key for the admin user on first run or credential reset. Random if unset.</td>
+              </tr>
               <tr class="table-secondary">
                 <td colspan="3" class="fw-semibold">Server Settings</td>
               </tr>
@@ -428,7 +438,7 @@ python run.py --mode ui
           </table>
         </div>
         <div class="alert alert-warning mt-3 mb-0 small">
-          <strong>Production Checklist:</strong> Set <code>SECRET_KEY</code>, restrict <code>CORS_ORIGINS</code>, configure <code>API_BASE_URL</code>, enable HTTPS via reverse proxy, and use <code>--prod</code> flag.
+          <strong>Production Checklist:</strong> Set <code>SECRET_KEY</code> (also enables IAM config encryption at rest), restrict <code>CORS_ORIGINS</code>, configure <code>API_BASE_URL</code>, enable HTTPS via reverse proxy, use <code>--prod</code> flag, and set credential expiry on non-admin users.
         </div>
       </div>
     </article>
@@ -495,11 +505,12 @@ sudo journalctl -u myfsio -f   # View logs</code></pre>
           <span class="docs-section-kicker">03</span>
           <h2 class="h4 mb-0">Authenticate &amp; manage IAM</h2>
         </div>
-        <p class="text-muted">On first startup, MyFSIO generates random admin credentials and prints them to the console. Missed it? Check <code>data/.myfsio.sys/config/iam.json</code> directly—credentials are stored in plaintext.</p>
+        <p class="text-muted">On first startup, MyFSIO generates random admin credentials and prints them to the console. Set <code>ADMIN_ACCESS_KEY</code> and <code>ADMIN_SECRET_KEY</code> env vars for custom credentials. When <code>SECRET_KEY</code> is configured, the IAM config is encrypted at rest. To reset credentials, run <code>python run.py --reset-cred</code>.</p>
         <div class="docs-highlight mb-3">
           <ol class="mb-0">
-            <li>Check the console output (or <code>iam.json</code>) for the generated <code>Access Key</code> and <code>Secret Key</code>, then visit <code>/ui/login</code>.</li>
+            <li>Check the console output for the generated <code>Access Key</code> and <code>Secret Key</code>, then visit <code>/ui/login</code>.</li>
-            <li>Create additional users with descriptive display names and AWS-style inline policies (for example <code>{"bucket": "*", "actions": ["list", "read"]}</code>).</li>
+            <li>Create additional users with descriptive display names, AWS-style inline policies (for example <code>{"bucket": "*", "actions": ["list", "read"]}</code>), and optional credential expiry dates.</li>
+            <li>Set credential expiry on users to grant time-limited access. The UI shows expiry badges and provides preset durations (1h, 24h, 7d, 30d, 90d). Expired credentials are rejected at authentication.</li>
             <li>Rotate secrets when sharing with CI jobs—new secrets display once and persist to <code>data/.myfsio.sys/config/iam.json</code>.</li>
             <li>Bucket policies layer on top of IAM. Apply Private/Public presets or paste custom JSON; changes reload instantly.</li>
           </ol>

templates/iam.html

@@ -50,9 +50,20 @@
         New user created: <code>{{ disclosed_secret.access_key }}</code>
         {% endif %}
       </div>
-      <p class="mb-2 small">⚠️ This secret is only shown once. Copy it now and store it securely.</p>
+      <p class="mb-2 small">These credentials are only shown once. Copy them now and store them securely.</p>
     </div>
   </div>
+  <div class="input-group mb-2">
+    <span class="input-group-text"><strong>Access key</strong></span>
+    <input class="form-control font-monospace" type="text" value="{{ disclosed_secret.access_key }}" readonly id="disclosedAccessKeyValue" />
+    <button class="btn btn-outline-primary" type="button" data-access-key-copy>
+      <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" class="bi bi-clipboard" viewBox="0 0 16 16">
+        <path d="M4 1.5H3a2 2 0 0 0-2 2V14a2 2 0 0 0 2 2h10a2 2 0 0 0 2-2V3.5a2 2 0 0 0-2-2h-1v1h1a1 1 0 0 1 1 1V14a1 1 0 0 1-1 1H3a1 1 0 0 1-1-1V3.5a1 1 0 0 1 1-1h1v-1z"/>
+        <path d="M9.5 1a.5.5 0 0 1 .5.5v1a.5.5 0 0 1-.5.5h-3a.5.5 0 0 1-.5-.5v-1a.5.5 0 0 1 .5-.5h3zm-3-1A1.5 1.5 0 0 0 5 1.5v1A1.5 1.5 0 0 0 6.5 4h3A1.5 1.5 0 0 0 11 2.5v-1A1.5 1.5 0 0 0 9.5 0h-3z"/>
+      </svg>
+      Copy
+    </button>
+  </div>
   <div class="input-group">
     <span class="input-group-text"><strong>Secret key</strong></span>
     <input class="form-control font-monospace" type="text" value="{{ disclosed_secret.secret_key }}" readonly id="disclosedSecretValue" />
@@ -79,7 +90,7 @@
         <pre class="policy-preview mb-0" id="iamConfigPreview">{{ config_document }}</pre>
         <button class="btn btn-outline-light btn-sm config-copy" type="button" data-copy-target="iamConfigPreview">Copy JSON</button>
       </div>
-      <p class="text-muted small mt-2 mb-0">Secrets are masked above. Access <code>{{ config_summary.path }}</code> directly to view full credentials.</p>
+      <p class="text-muted small mt-2 mb-0">Secrets are masked above. IAM config is encrypted at rest.</p>
     </div>
   </div>
 </div>
@@ -122,12 +133,20 @@
     {% endif %}
     <div class="row g-3">
       {% for user in users %}
-      {% set ns = namespace(is_admin=false) %}
+      {% set ns = namespace(is_admin=false, is_expired=false, is_expiring_soon=false) %}
       {% for policy in user.policies %}
         {% if 'iam:*' in policy.actions or '*' in policy.actions %}
           {% set ns.is_admin = true %}
         {% endif %}
       {% endfor %}
+      {% if user.expires_at %}
+        {% set exp_str = user.expires_at %}
+        {% if exp_str <= now_iso %}
+          {% set ns.is_expired = true %}
+        {% elif exp_str <= soon_iso %}
+          {% set ns.is_expiring_soon = true %}
+        {% endif %}
+      {% endif %}
       <div class="col-md-6 col-xl-4 iam-user-item" data-display-name="{{ user.display_name|lower }}" data-access-key-filter="{{ user.access_key|lower }}">
         <div class="card h-100 iam-user-card{{ ' iam-admin-card' if ns.is_admin else '' }}">
           <div class="card-body">
@@ -146,6 +165,11 @@
                     {% else %}
                     <span class="iam-role-badge iam-role-user" data-role-badge>User</span>
                     {% endif %}
+                    {% if ns.is_expired %}
+                    <span class="badge text-bg-danger" style="font-size: .65rem">Expired</span>
+                    {% elif ns.is_expiring_soon %}
+                    <span class="badge text-bg-warning" style="font-size: .65rem">Expiring soon</span>
+                    {% endif %}
                   </div>
                   <div class="d-flex align-items-center gap-1">
                     <code class="small text-muted text-truncate" title="{{ user.access_key }}">{{ user.access_key }}</code>
@@ -173,6 +197,15 @@
                       Edit Name
                     </button>
                   </li>
+                  <li>
+                    <button class="dropdown-item" type="button" data-expiry-user="{{ user.access_key }}" data-expires-at="{{ user.expires_at or '' }}">
+                      <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" class="me-2" viewBox="0 0 16 16">
+                        <path d="M8 3.5a.5.5 0 0 0-1 0V9a.5.5 0 0 0 .252.434l3.5 2a.5.5 0 0 0 .496-.868L8 8.71V3.5z"/>
+                        <path d="M8 16A8 8 0 1 0 8 0a8 8 0 0 0 0 16zm7-8A7 7 0 1 1 1 8a7 7 0 0 1 14 0z"/>
+                      </svg>
+                      Set Expiry
+                    </button>
+                  </li>
                   <li>
                     <button class="dropdown-item" type="button" data-rotate-user="{{ user.access_key }}">
                       <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" class="me-2" viewBox="0 0 16 16">
@@ -283,6 +316,32 @@
             <label class="form-label fw-medium">Display Name</label>
             <input class="form-control" type="text" name="display_name" placeholder="Analytics Team" required autofocus />
           </div>
+          <div class="mb-3">
+            <label class="form-label fw-medium d-flex justify-content-between align-items-center">
+              Access Key <span class="text-muted fw-normal small">optional</span>
+            </label>
+            <div class="input-group">
+              <input class="form-control font-monospace" type="text" name="access_key" id="createUserAccessKey" placeholder="Leave blank to auto-generate" />
+              <button class="btn btn-outline-secondary" type="button" id="generateAccessKeyBtn" title="Generate secure access key">Generate</button>
+            </div>
+          </div>
+          <div class="mb-3">
+            <label class="form-label fw-medium d-flex justify-content-between align-items-center">
+              Secret Key <span class="text-muted fw-normal small">optional</span>
+            </label>
+            <div class="input-group">
+              <input class="form-control font-monospace" type="text" name="secret_key" id="createUserSecretKey" placeholder="Leave blank to auto-generate" />
+              <button class="btn btn-outline-secondary" type="button" id="generateSecretKeyBtn" title="Generate secure secret key">Generate</button>
+            </div>
+            <div class="form-text">If you set a custom secret key, copy it now. It will be encrypted and cannot be recovered.</div>
+          </div>
+          <div class="mb-3">
+            <label class="form-label fw-medium d-flex justify-content-between align-items-center">
+              Expiry <span class="text-muted fw-normal small">optional</span>
+            </label>
+            <input class="form-control" type="datetime-local" name="expires_at" id="createUserExpiry" />
+            <div class="form-text">Leave blank for no expiration. Expired users cannot authenticate.</div>
+          </div>
           <div class="mb-3">
             <label class="form-label fw-medium">Initial Policies (JSON)</label>
             <textarea class="form-control font-monospace" name="policies" id="createUserPolicies" rows="6" spellcheck="false" placeholder='[
@@ -495,6 +554,52 @@
   </div>
 </div>
 
+<div class="modal fade" id="expiryModal" tabindex="-1" aria-hidden="true">
+  <div class="modal-dialog modal-dialog-centered">
+    <div class="modal-content">
+      <div class="modal-header border-0 pb-0">
+        <h1 class="modal-title fs-5 fw-semibold">
+          <svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" fill="currentColor" class="text-primary" viewBox="0 0 16 16">
+            <path d="M8 3.5a.5.5 0 0 0-1 0V9a.5.5 0 0 0 .252.434l3.5 2a.5.5 0 0 0 .496-.868L8 8.71V3.5z"/>
+            <path d="M8 16A8 8 0 1 0 8 0a8 8 0 0 0 0 16zm7-8A7 7 0 1 1 1 8a7 7 0 0 1 14 0z"/>
+          </svg>
+          Set Expiry
+        </h1>
+        <button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close"></button>
+      </div>
+      <form method="post" id="expiryForm">
+        <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+        <div class="modal-body">
+          <p class="text-muted small mb-3">Set expiration for <code id="expiryUserLabel"></code></p>
+          <div class="mb-3">
+            <label class="form-label fw-medium">Expires at</label>
+            <input class="form-control" type="datetime-local" name="expires_at" id="expiryDateInput" />
+            <div class="form-text">Leave blank to remove expiration (never expires).</div>
+          </div>
+          <div class="d-flex flex-wrap gap-2">
+            <span class="text-muted small me-2 align-self-center">Quick presets:</span>
+            <button class="btn btn-outline-secondary btn-sm" type="button" data-expiry-preset="1h">1 hour</button>
+            <button class="btn btn-outline-secondary btn-sm" type="button" data-expiry-preset="24h">24 hours</button>
+            <button class="btn btn-outline-secondary btn-sm" type="button" data-expiry-preset="7d">7 days</button>
+            <button class="btn btn-outline-secondary btn-sm" type="button" data-expiry-preset="30d">30 days</button>
+            <button class="btn btn-outline-secondary btn-sm" type="button" data-expiry-preset="90d">90 days</button>
+            <button class="btn btn-outline-secondary btn-sm text-danger" type="button" data-expiry-preset="clear">Never</button>
+          </div>
+        </div>
+        <div class="modal-footer">
+          <button type="button" class="btn btn-outline-secondary" data-bs-dismiss="modal">Cancel</button>
+          <button class="btn btn-primary" type="submit">
+            <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" class="me-1" viewBox="0 0 16 16">
+              <path d="M10.97 4.97a.75.75 0 0 1 1.07 1.05l-3.99 4.99a.75.75 0 0 1-1.08.02L4.324 8.384a.75.75 0 1 1 1.06-1.06l2.094 2.093 3.473-4.425a.267.267 0 0 1 .02-.022z"/>
+            </svg>
+            Save Expiry
+          </button>
+        </div>
+      </form>
+    </div>
+  </div>
+</div>
+
 <script id="iamUsersJson" type="application/json">{{ users | tojson }}</script>
 {% endblock %}
 
@@ -512,7 +617,8 @@
       updateUser: "{{ url_for('ui.update_iam_user', access_key='ACCESS_KEY') }}",
       deleteUser: "{{ url_for('ui.delete_iam_user', access_key='ACCESS_KEY') }}",
       updatePolicies: "{{ url_for('ui.update_iam_policies', access_key='ACCESS_KEY') }}",
-      rotateSecret: "{{ url_for('ui.rotate_iam_secret', access_key='ACCESS_KEY') }}"
+      rotateSecret: "{{ url_for('ui.rotate_iam_secret', access_key='ACCESS_KEY') }}",
+      updateExpiry: "{{ url_for('ui.update_iam_expiry', access_key='ACCESS_KEY') }}"
     }
   });
 </script>

templates/login.html

@@ -73,9 +73,6 @@
             </svg>
           </button>
         </form>
-        <div class="text-center mt-4">
-          <small class="text-muted">Need help? Check the <a href="{{ url_for('ui.docs_page') }}" class="text-decoration-none">documentation</a></small>
-        </div>
       </div>
     </div>
   </div>

tests/conftest.py

@@ -43,6 +43,11 @@ def app(tmp_path: Path):
         }
     )
     yield flask_app
+    storage = flask_app.extensions.get("object_storage")
+    if storage:
+        base = getattr(storage, "storage", storage)
+        if hasattr(base, "shutdown_stats"):
+            base.shutdown_stats()
 
 
 @pytest.fixture()