A runnable Open Cloud Mesh peer in Go, focused on a strict, WebDAV-centered subset of the protocol.
OpenCloudMesh Go is a Go server for Open Cloud Mesh (OCM). It focuses on a pinned, practical slice of the protocol: discovery, user shares, invite flows, token exchange, a notification subset, HTTP-signature-aware behavior, and WebDAV access on that path.
This repository is not the OCM specification itself, and it does not claim full OCM-API coverage or broad compatibility with arbitrary peers. What it does try to offer is narrower and more useful: a documented strict contract, a pinned spec snapshot, and a real server you can run, test, and extend.
Status: active development. The strict contract is the part that is supported and tested on every change; expect the edges outside it to keep moving.
When a discovery stub is not enough, you usually want a real peer you can talk to, a clear idea of what "strict" means, and a codebase that does not hide the interesting parts behind magic. That is what this repo is trying to be.
It gives you a runnable OCM peer in Go, keeps the scope explicit instead of pretending to implement everything, and pins behavior to a specific OCM-API snapshot. It also tries to make the compatibility story legible: signatures, transport, trust, and peer-compat behavior are all deliberate knobs rather than silent fallbacks.
Right now that means discovery, user-share flows on the WebDAV-centered path, invite handling, accept flows, optional WAYF support, token exchange on the documented OCM route surface, the current notification subset, and a bundled UI and API for practical local and multi-instance workflows.
For the exact route surface, start with docs/protocol-endpoints.md and docs/discovery.md.
You will probably get the most out of this if you are building or testing OCM peers and want something concrete to talk to, if you are studying how a signature-aware, WebDAV-centered OCM flow actually fits together, or if you need a Go server whose scope and guarantees are written down rather than implied. If you are looking for a full, drop-in OCM implementation that federates with every peer out there, this is not that yet, and it is honest about it.
The repo ships unit tests, architecture guard tests, integration tests, and optional Playwright E2E flows. They matter, but they do not all prove the same thing, and this README should not pretend otherwise.
The narrow contract this repo stands behind lives in docs/verification-boundary.md. If you want to know what a green strict run actually proves, what remains operator-managed, and what this project does not claim about arbitrary peers, read that file first.
From the repo root:
# Build the server binary
make build
# Run unit and integration tests
make test
# Start the server in strict mode (default)
./bin/opencloudmesh-go
# Check discovery
curl http://localhost:9200/.well-known/ocmUseful local variants:
# Dev preset
./bin/opencloudmesh-go -mode dev
# Strict preset with a TOML file
./bin/opencloudmesh-go -config docker/configs/config-tls.toml
# Override from the CLI
./bin/opencloudmesh-go -mode strict -public-origin https://localhost:9200The quickest way to watch two peers talk is the bundled two-instance runner. It builds the binary and starts a sender and a receiver side by side:
./scripts/dev/two-instance.shThat gives you a sender on http://localhost:9200 and a receiver on
http://localhost:9201, both ready for a local share flow. Hit Ctrl+C to stop
both. From there you can open discovery on each, or drive an invite and accept
between them.
The server resolves config in this order: preset bundle, TOML file, CLI flags.
The shipped preset bundles are strict, compat, and dev. They are good
starting points, but they are not the whole posture story. Effective behavior
still depends on compatibility_scope and the signature, transport, trust, and
peer-compat settings.
If you are getting oriented, start here:
Useful sample configs:
docker/configs/config.tomlfor a minimal container-oriented dev setupdocker/configs/config-tls.tomlfor a strict setup with static TLStests/ca_pool/configs/valid.tomlandinvalid.tomlfor outbound root CA validation
- docs/protocol-endpoints.md
- docs/discovery.md
- docs/invite-wayf-and-accept.md
- docs/directory-service-and-ocm-aux.md
- docs/outbound-http-ssrf.md
- docs/verification-boundary.md
cmd/opencloudmesh-go/ Binary entrypoint
internal/ Production and test-support code
architecture/ Architecture guard tests
components/ Domain logic (ocm, api, identity, ...)
frameworks/ Service registry and startup
interceptors/ HTTP middleware (ratelimit, ...)
platform/ Config, HTTP, cache, store, repos
services/ HTTP route handlers
testsupport/ Test-only helpers (not for production)
wiring/ Composition root
tests/ Integration, E2E, and CA pool tests
docs/ Developer and protocol documentation
docker/ Container image and sample configs
See docs/repo-layout.md for the full map.
make build
make test-go
make test-integration
make test
make test-e2e-install
make test-e2e
make fmt
make vet
make tidymake test runs unit and integration tests. E2E stays separate because it
needs Bun, Playwright, and a built binary.
Build the local image:
./scripts/build-docker.sh
# or: docker build -t opencloudmesh-go:local -f docker/Dockerfile .Run in HTTP mode:
docker run -d -p 8080:8080 -e HOST=ocm-go1 opencloudmesh-go:local
curl http://localhost:8080/.well-known/ocmRun in TLS mode with the pre-installed certs:
docker run -d -p 443:443 -e HOST=ocm-go1 -e TLS_ENABLED=true opencloudmesh-go:local
curl -k https://localhost/.well-known/ocmSet at least one of HOST or PUBLIC_ORIGIN. The full environment-variable
reference, including TLS material and how the entrypoint derives the public
origin, lives in docs/docker.md.
If you want a browsable, AI-generated overview of the repository, see
DeepWiki. The files
under docs/ are still the source of truth.
OpenCloudMesh Go sits in the middle of the wider OCM stack. The protocol lives in cs3org/OCM-API. This repo provides a runnable Go server for a focused OCM slice, and downstream container and interoperability setups use it alongside the wider OCM image and test tooling.
Protocol behavior is pinned to the OCM-API snapshot at
a2b8bacd4590ff201a06883330b67636e99c4f5b,
with the vendored pin recorded in internal/components/ocm/spec/vendor/pin.json.
OpenCloudMesh Go exists because someone chose to fund open source infrastructure. A big thank you to the Sovereign Tech Agency for backing this work, which Mahdi Baghbani develops as part of Open Cloud Mesh.
You can read the full story in FUNDING.md.
Contributions are welcome. See CONTRIBUTING.md for the development workflow, validation commands, and pull request expectations.
Bug reports, questions, and ideas are welcome on the issue tracker. If something in the docs is unclear or wrong, that is worth an issue too.
Licensed under the GNU Affero General Public License v3.0 or later (AGPL-3.0-or-later). See LICENSE.md.