From 34af77e0d8f5c52f1a78bcb0ffe0d35b98116d04 Mon Sep 17 00:00:00 2001
From: pptx704 <rafeed@omukk.dev>
Date: Sat, 28 Mar 2026 14:30:18 +0600
Subject: [PATCH] Fix snapshot race, delete auth, sparse dd, default disk to
 5GB

Snapshot race fix:
- Pre-mark sandbox as "paused" in DB before issuing CreateSnapshot and
  PauseSandbox RPCs, preventing the reconciler from marking it "stopped"
  during the flatten window when the sandbox is gone from the host
  agent's in-memory map but DB still says "running"
- Revert status to "running" on RPC failure
- Check ctx.Err() before writing response to avoid writing to dead
  connections when client disconnects during long snapshot operations

Delete auth fix:
- Block non-admin deletion of platform templates (team_id = all-zeros)
  at DELETE /v1/snapshots/{name} with 403, preventing file deletion
  before the team ownership check fails

Sparse dd:
- Add conv=sparse to dd in FlattenSnapshot so flattened images preserve
  sparseness (~200MB actual vs 5GB logical)

Default disk size:
- Change default disk_size_mb from 20GB to 5GB across migration,
  manager, service, build, and EnsureImageSizes
- Disable split-button dropdown arrow for platform templates in
  dashboard snapshots page (teams cannot delete platform templates)
---
 db/migrations/20260310094104_initial.sql      |  2 +-
 frontend/src/lib/api/capsules.ts              |  1 +
 .../routes/dashboard/snapshots/+page.svelte   | 35 ++++++------
 internal/api/handlers_snapshots.go            | 56 ++++++++++++++-----
 internal/devicemapper/devicemapper.go         |  1 +
 internal/sandbox/images.go                    |  2 +-
 internal/sandbox/manager.go                   |  2 +-
 internal/service/build.go                     |  2 +-
 internal/service/sandbox.go                   | 22 ++++++--
 proto/hostagent/gen/hostagent.pb.go           |  4 +-
 proto/hostagent/hostagent.proto               |  4 +-
 11 files changed, 89 insertions(+), 42 deletions(-)

diff --git a/db/migrations/20260310094104_initial.sql b/db/migrations/20260310094104_initial.sql
index da6607f..6c8afc4 100644
--- a/db/migrations/20260310094104_initial.sql
+++ b/db/migrations/20260310094104_initial.sql
@@ -144,7 +144,7 @@ CREATE TABLE sandboxes (
     vcpus          INTEGER NOT NULL DEFAULT 1,
     memory_mb      INTEGER NOT NULL DEFAULT 512,
     timeout_sec    INTEGER NOT NULL DEFAULT 300,
-    disk_size_mb   INTEGER NOT NULL DEFAULT 20480,
+    disk_size_mb   INTEGER NOT NULL DEFAULT 5120,
     guest_ip       TEXT NOT NULL DEFAULT '',
     host_ip        TEXT NOT NULL DEFAULT '',
     created_at     TIMESTAMPTZ NOT NULL DEFAULT NOW(),
diff --git a/frontend/src/lib/api/capsules.ts b/frontend/src/lib/api/capsules.ts
index cc4ad79..565f14f 100644
--- a/frontend/src/lib/api/capsules.ts
+++ b/frontend/src/lib/api/capsules.ts
@@ -54,6 +54,7 @@ export type Snapshot = {
 	memory_mb?: number;
 	size_bytes: number;
 	created_at: string;
+	platform: boolean;
 };
 
 export async function createSnapshot(sandboxId: string, name?: string): Promise<ApiResult<Snapshot>> {
diff --git a/frontend/src/routes/dashboard/snapshots/+page.svelte b/frontend/src/routes/dashboard/snapshots/+page.svelte
index 6f86d4c..2ae201a 100644
--- a/frontend/src/routes/dashboard/snapshots/+page.svelte
+++ b/frontend/src/routes/dashboard/snapshots/+page.svelte
@@ -423,6 +423,7 @@
 												<div class="w-px shrink-0 bg-[var(--color-border-mid)]"></div>
 												<!-- Chevron / dropdown trigger -->
 												<button
+													disabled={snapshot.platform}
 													onclick={(e) => {
 														e.stopPropagation();
 														if (openDropdownName === snapshot.name) {
@@ -433,7 +434,7 @@
 															openDropdownName = snapshot.name;
 														}
 													}}
-													class="flex items-center px-2 py-1.5 text-[var(--color-text-secondary)] transition-colors duration-150 hover:bg-[var(--color-bg-4)] hover:text-[var(--color-text-bright)]"
+													class="flex items-center px-2 py-1.5 text-[var(--color-text-secondary)] transition-colors duration-150 hover:bg-[var(--color-bg-4)] hover:text-[var(--color-text-bright)] disabled:cursor-not-allowed disabled:opacity-30 disabled:hover:bg-transparent disabled:hover:text-[var(--color-text-secondary)]"
 												>
 													<svg
 														class="transition-transform duration-150 {openDropdownName === snapshot.name ? 'rotate-180' : ''}"
@@ -484,21 +485,23 @@
 			class="fixed z-50 w-32 overflow-hidden rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] py-1"
 			style="top: {dropdownPos.top}px; left: {dropdownPos.left}px; animation: fadeUp 0.15s ease both"
 		>
-			<button
-				onclick={(e) => {
-					e.stopPropagation();
-					const target = snapshots.find((s) => s.name === openDropdownName);
-					openDropdownName = null;
-					if (target) { deleteTarget = target; deleteError = null; }
-				}}
-				class="flex w-full items-center gap-2 px-3 py-2 text-meta text-[var(--color-red)] transition-colors duration-150 hover:bg-[var(--color-red)]/5"
-			>
-				<svg width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="shrink-0">
-					<polyline points="3 6 5 6 21 6" />
-					<path d="M19 6v14a2 2 0 0 1-2 2H7a2 2 0 0 1-2-2V6m3 0V4a2 2 0 0 1 2-2h4a2 2 0 0 1 2 2v2" />
-				</svg>
-				Delete
-			</button>
+			{#if !dropdownSnapshot.platform}
+				<button
+					onclick={(e) => {
+						e.stopPropagation();
+						const target = snapshots.find((s) => s.name === openDropdownName);
+						openDropdownName = null;
+						if (target) { deleteTarget = target; deleteError = null; }
+					}}
+					class="flex w-full items-center gap-2 px-3 py-2 text-meta text-[var(--color-red)] transition-colors duration-150 hover:bg-[var(--color-red)]/5"
+				>
+					<svg width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="shrink-0">
+						<polyline points="3 6 5 6 21 6" />
+						<path d="M19 6v14a2 2 0 0 1-2 2H7a2 2 0 0 1-2-2V6m3 0V4a2 2 0 0 1 2-2h4a2 2 0 0 1 2 2v2" />
+					</svg>
+					Delete
+				</button>
+			{/if}
 		</div>
 	{/if}
 {/if}
diff --git a/internal/api/handlers_snapshots.go b/internal/api/handlers_snapshots.go
index f3e2907..1b5f1f3 100644
--- a/internal/api/handlers_snapshots.go
+++ b/internal/api/handlers_snapshots.go
@@ -69,6 +69,7 @@ type snapshotResponse struct {
 	MemoryMB  *int32 `json:"memory_mb,omitempty"`
 	SizeBytes int64  `json:"size_bytes"`
 	CreatedAt string `json:"created_at"`
+	Platform  bool   `json:"platform"`
 }
 
 func templateToResponse(t db.Template) snapshotResponse {
@@ -76,6 +77,7 @@ func templateToResponse(t db.Template) snapshotResponse {
 		Name:      t.Name,
 		Type:      t.Type,
 		SizeBytes: t.SizeBytes,
+		Platform:  t.TeamID == id.PlatformTeamID,
 	}
 	if t.Vcpus != 0 {
 		resp.VCPUs = &t.Vcpus
@@ -154,26 +156,43 @@ func (h *snapshotHandler) Create(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	resp, err := agent.CreateSnapshot(ctx, connect.NewRequest(&pb.CreateSnapshotRequest{
+	// Pre-mark sandbox as "paused" in DB BEFORE issuing the snapshot RPC.
+	// The host agent's CreateSnapshot removes the sandbox from its in-memory
+	// map immediately; if the reconciler fires during the flatten window and
+	// the DB still says "running", it will mark the sandbox "stopped".
+	if sb.Status == "running" {
+		if _, err := h.db.UpdateSandboxStatus(ctx, db.UpdateSandboxStatusParams{
+			ID: sandboxID, Status: "paused",
+		}); err != nil {
+			writeError(w, http.StatusInternalServerError, "db_error", "failed to update sandbox status")
+			return
+		}
+	}
+
+	// Use a detached context with a generous timeout so the snapshot completes
+	// even if the client disconnects (the flatten step can take 10-20s).
+	snapCtx, snapCancel := context.WithTimeout(context.Background(), 5*time.Minute)
+	defer snapCancel()
+
+	resp, err := agent.CreateSnapshot(snapCtx, connect.NewRequest(&pb.CreateSnapshotRequest{
 		SandboxId: req.SandboxID,
 		Name:      req.Name,
 	}))
 	if err != nil {
+		// Snapshot failed — revert status back to what it was.
+		if sb.Status == "running" {
+			if _, dbErr := h.db.UpdateSandboxStatus(snapCtx, db.UpdateSandboxStatusParams{
+				ID: sandboxID, Status: "running",
+			}); dbErr != nil {
+				slog.Error("failed to revert sandbox status after snapshot error", "sandbox_id", req.SandboxID, "error", dbErr)
+			}
+		}
 		status, code, msg := agentErrToHTTP(err)
 		writeError(w, status, code, msg)
 		return
 	}
 
-	// Mark sandbox as paused (if it was running, it got paused by the snapshot).
-	if sb.Status != "paused" {
-		if _, err := h.db.UpdateSandboxStatus(ctx, db.UpdateSandboxStatusParams{
-			ID: sandboxID, Status: "paused",
-		}); err != nil {
-			slog.Error("failed to update sandbox status after snapshot", "sandbox_id", req.SandboxID, "error", err)
-		}
-	}
-
-	tmpl, err := h.db.InsertTemplate(ctx, db.InsertTemplateParams{
+	tmpl, err := h.db.InsertTemplate(snapCtx, db.InsertTemplateParams{
 		Name:      req.Name,
 		Type:      "snapshot",
 		Vcpus:     sb.Vcpus,
@@ -187,7 +206,12 @@ func (h *snapshotHandler) Create(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	h.audit.LogSnapshotCreate(r.Context(), ac, req.Name)
+	h.audit.LogSnapshotCreate(snapCtx, ac, req.Name)
+
+	if ctx.Err() != nil {
+		slog.Info("snapshot created but client disconnected before response", "name", req.Name)
+		return
+	}
 	writeJSON(w, http.StatusCreated, templateToResponse(tmpl))
 }
 
@@ -220,10 +244,16 @@ func (h *snapshotHandler) Delete(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	ac := auth.MustFromContext(ctx)
 
-	if _, err := h.db.GetTemplateByTeam(ctx, db.GetTemplateByTeamParams{Name: name, TeamID: ac.TeamID}); err != nil {
+	tmpl, err := h.db.GetTemplateByTeam(ctx, db.GetTemplateByTeamParams{Name: name, TeamID: ac.TeamID})
+	if err != nil {
 		writeError(w, http.StatusNotFound, "not_found", "template not found")
 		return
 	}
+	// Platform templates can only be deleted by admins via /v1/admin/templates.
+	if tmpl.TeamID == id.PlatformTeamID {
+		writeError(w, http.StatusForbidden, "forbidden", "platform templates cannot be deleted here")
+		return
+	}
 
 	if err := h.deleteSnapshotBroadcast(ctx, name); err != nil {
 		writeError(w, http.StatusInternalServerError, "agent_error", "failed to delete snapshot files")
diff --git a/internal/devicemapper/devicemapper.go b/internal/devicemapper/devicemapper.go
index ba801f1..9fa0833 100644
--- a/internal/devicemapper/devicemapper.go
+++ b/internal/devicemapper/devicemapper.go
@@ -224,6 +224,7 @@ func FlattenSnapshot(dmDevPath, outputPath string) error {
 		"if="+dmDevPath,
 		"of="+outputPath,
 		"bs=4M",
+		"conv=sparse",
 		"status=none",
 	)
 	if out, err := cmd.CombinedOutput(); err != nil {
diff --git a/internal/sandbox/images.go b/internal/sandbox/images.go
index 0f3e24a..feb3398 100644
--- a/internal/sandbox/images.go
+++ b/internal/sandbox/images.go
@@ -12,7 +12,7 @@ import (
 // than this are expanded at startup so that dm-snapshot sandboxes see the full
 // size without per-sandbox copies. The expansion is sparse — only metadata
 // changes; no physical disk is consumed beyond the original content.
-const DefaultDiskSizeMB = 20480 // 20 GB
+const DefaultDiskSizeMB = 5120 // 5 GB
 
 // EnsureImageSizes walks the images directory and expands any rootfs.ext4 that
 // is smaller than the target size. This is idempotent: images already at or
diff --git a/internal/sandbox/manager.go b/internal/sandbox/manager.go
index b91fed1..9fcecb5 100644
--- a/internal/sandbox/manager.go
+++ b/internal/sandbox/manager.go
@@ -107,7 +107,7 @@ func (m *Manager) Create(ctx context.Context, sandboxID, template string, vcpus,
 		memoryMB = 512
 	}
 	if diskSizeMB <= 0 {
-		diskSizeMB = 20480 // 20 GB default
+		diskSizeMB = 5120 // 5 GB default
 	}
 
 	if template == "" {
diff --git a/internal/service/build.go b/internal/service/build.go
index 23f3b8c..5142a13 100644
--- a/internal/service/build.go
+++ b/internal/service/build.go
@@ -213,7 +213,7 @@ func (s *BuildService) executeBuild(ctx context.Context, buildIDStr string) {
 		Vcpus:      build.Vcpus,
 		MemoryMb:   build.MemoryMb,
 		TimeoutSec: 0,     // no auto-pause for builds
-		DiskSizeMb: 20480, // 20 GB for template builds
+		DiskSizeMb: 5120, // 5 GB for template builds
 	}))
 	if err != nil {
 		s.failBuild(ctx, buildID, fmt.Sprintf("create sandbox failed: %v", err))
diff --git a/internal/service/sandbox.go b/internal/service/sandbox.go
index 96d1282..43f1bd3 100644
--- a/internal/service/sandbox.go
+++ b/internal/service/sandbox.go
@@ -79,7 +79,7 @@ func (s *SandboxService) Create(ctx context.Context, p SandboxCreateParams) (db.
 		p.MemoryMB = 512
 	}
 	if p.DiskSizeMB <= 0 {
-		p.DiskSizeMB = 20480 // 20 GB default
+		p.DiskSizeMB = 5120 // 5 GB default
 	}
 
 	// If the template is a snapshot, use its baked-in vcpus/memory.
@@ -187,20 +187,32 @@ func (s *SandboxService) Pause(ctx context.Context, sandboxID, teamID pgtype.UUI
 
 	sandboxIDStr := id.FormatSandboxID(sandboxID)
 
+	// Pre-mark as "paused" in DB before the RPC so the reconciler does not
+	// mark the sandbox "stopped" while the host agent processes the pause.
+	if _, err := s.DB.UpdateSandboxStatus(ctx, db.UpdateSandboxStatusParams{
+		ID: sandboxID, Status: "paused",
+	}); err != nil {
+		return db.Sandbox{}, fmt.Errorf("pre-mark paused: %w", err)
+	}
+
 	// Flush all metrics tiers before pausing so data survives in DB.
 	s.flushAndPersistMetrics(ctx, agent, sandboxID, true)
 
 	if _, err := agent.PauseSandbox(ctx, connect.NewRequest(&pb.PauseSandboxRequest{
 		SandboxId: sandboxIDStr,
 	})); err != nil {
+		// Revert status on failure.
+		if _, dbErr := s.DB.UpdateSandboxStatus(ctx, db.UpdateSandboxStatusParams{
+			ID: sandboxID, Status: "running",
+		}); dbErr != nil {
+			slog.Warn("failed to revert sandbox status after pause error", "sandbox_id", sandboxIDStr, "error", dbErr)
+		}
 		return db.Sandbox{}, fmt.Errorf("agent pause: %w", err)
 	}
 
-	sb, err = s.DB.UpdateSandboxStatus(ctx, db.UpdateSandboxStatusParams{
-		ID: sandboxID, Status: "paused",
-	})
+	sb, err = s.DB.GetSandbox(ctx, sandboxID)
 	if err != nil {
-		return db.Sandbox{}, fmt.Errorf("update status: %w", err)
+		return db.Sandbox{}, fmt.Errorf("get sandbox after pause: %w", err)
 	}
 	return sb, nil
 }
diff --git a/proto/hostagent/gen/hostagent.pb.go b/proto/hostagent/gen/hostagent.pb.go
index aa29db9..9f984f9 100644
--- a/proto/hostagent/gen/hostagent.pb.go
+++ b/proto/hostagent/gen/hostagent.pb.go
@@ -34,8 +34,8 @@ type CreateSandboxRequest struct {
 	// TTL in seconds. Sandbox is auto-paused after this duration of
 	// inactivity. 0 means no auto-pause.
 	TimeoutSec int32 `protobuf:"varint,4,opt,name=timeout_sec,json=timeoutSec,proto3" json:"timeout_sec,omitempty"`
-	// Disk size in MB for the sparse CoW file. Limits how much data the
-	// sandbox can write beyond the base image. Default: 20480 (20 GB).
+	// Disk size in MB for the rootfs. Base images are expanded to this size
+	// at host agent startup. Default: 5120 (5 GB).
 	DiskSizeMb    int32 `protobuf:"varint,6,opt,name=disk_size_mb,json=diskSizeMb,proto3" json:"disk_size_mb,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
diff --git a/proto/hostagent/hostagent.proto b/proto/hostagent/hostagent.proto
index 9af40eb..5a3205b 100644
--- a/proto/hostagent/hostagent.proto
+++ b/proto/hostagent/hostagent.proto
@@ -86,8 +86,8 @@ message CreateSandboxRequest {
   // inactivity. 0 means no auto-pause.
   int32 timeout_sec = 4;
 
-  // Disk size in MB for the sparse CoW file. Limits how much data the
-  // sandbox can write beyond the base image. Default: 20480 (20 GB).
+  // Disk size in MB for the rootfs. Base images are expanded to this size
+  // at host agent startup. Default: 5120 (5 GB).
   int32 disk_size_mb = 6;
 }