Initial commit: Orchard content-addressable storage system

- Go server with Gin framework - PostgreSQL for metadata storage - MinIO/S3 for artifact storage with SHA256 content addressing - REST API for grove/tree/fruit operations - Web UI for managing artifacts - Docker Compose setup for local development
2025-12-04 10:14:49 -06:00
commit f8e9650de3
19 changed files with 3531 additions and 0 deletions
--- a/internal/api/handlers.go
+++ b/internal/api/handlers.go
@@ -0,0 +1,442 @@
+package api
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+
+	"github.com/bsf/orchard/internal/models"
+	"github.com/bsf/orchard/internal/storage"
+	"github.com/gin-gonic/gin"
+	"go.uber.org/zap"
+)
+
+type Handler struct {
+	db      *storage.Database
+	s3      *storage.S3Storage
+	logger  *zap.Logger
+}
+
+func NewHandler(db *storage.Database, s3 *storage.S3Storage, logger *zap.Logger) *Handler {
+	return &Handler{
+		db:     db,
+		s3:     s3,
+		logger: logger,
+	}
+}
+
+// Health check endpoint
+func (h *Handler) Health(c *gin.Context) {
+	c.JSON(http.StatusOK, gin.H{"status": "healthy"})
+}
+
+// Grove handlers
+
+func (h *Handler) CreateGrove(c *gin.Context) {
+	var grove models.Grove
+	if err := c.ShouldBindJSON(&grove); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	grove.CreatedBy = c.GetString("user_id")
+	if err := h.db.CreateGrove(c.Request.Context(), &grove); err != nil {
+		h.logger.Error("failed to create grove", zap.Error(err))
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to create grove"})
+		return
+	}
+
+	h.logAudit(c, "create_grove", grove.Name)
+	c.JSON(http.StatusCreated, grove)
+}
+
+func (h *Handler) GetGrove(c *gin.Context) {
+	groveName := c.Param("grove")
+
+	grove, err := h.db.GetGrove(c.Request.Context(), groveName)
+	if err != nil {
+		h.logger.Error("failed to get grove", zap.Error(err))
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to get grove"})
+		return
+	}
+
+	if grove == nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "grove not found"})
+		return
+	}
+
+	c.JSON(http.StatusOK, grove)
+}
+
+func (h *Handler) ListGroves(c *gin.Context) {
+	userID := c.GetString("user_id")
+
+	groves, err := h.db.ListGroves(c.Request.Context(), userID)
+	if err != nil {
+		h.logger.Error("failed to list groves", zap.Error(err))
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to list groves"})
+		return
+	}
+
+	c.JSON(http.StatusOK, groves)
+}
+
+// Tree handlers
+
+func (h *Handler) CreateTree(c *gin.Context) {
+	groveName := c.Param("grove")
+
+	grove, err := h.db.GetGrove(c.Request.Context(), groveName)
+	if err != nil || grove == nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "grove not found"})
+		return
+	}
+
+	var tree models.Tree
+	if err := c.ShouldBindJSON(&tree); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	tree.GroveID = grove.ID
+	if err := h.db.CreateTree(c.Request.Context(), &tree); err != nil {
+		h.logger.Error("failed to create tree", zap.Error(err))
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to create tree"})
+		return
+	}
+
+	h.logAudit(c, "create_tree", fmt.Sprintf("%s/%s", groveName, tree.Name))
+	c.JSON(http.StatusCreated, tree)
+}
+
+func (h *Handler) ListTrees(c *gin.Context) {
+	groveName := c.Param("grove")
+
+	grove, err := h.db.GetGrove(c.Request.Context(), groveName)
+	if err != nil || grove == nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "grove not found"})
+		return
+	}
+
+	trees, err := h.db.ListTrees(c.Request.Context(), grove.ID)
+	if err != nil {
+		h.logger.Error("failed to list trees", zap.Error(err))
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to list trees"})
+		return
+	}
+
+	c.JSON(http.StatusOK, trees)
+}
+
+// Fruit handlers (content-addressable storage)
+
+func (h *Handler) Cultivate(c *gin.Context) {
+	groveName := c.Param("grove")
+	treeName := c.Param("tree")
+
+	grove, err := h.db.GetGrove(c.Request.Context(), groveName)
+	if err != nil || grove == nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "grove not found"})
+		return
+	}
+
+	tree, err := h.db.GetTree(c.Request.Context(), grove.ID, treeName)
+	if err != nil || tree == nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "tree not found"})
+		return
+	}
+
+	// Get the uploaded file
+	file, header, err := c.Request.FormFile("file")
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "file is required"})
+		return
+	}
+	defer file.Close()
+
+	// Store in S3 (content-addressable)
+	hash, size, err := h.s3.Store(c.Request.Context(), file)
+	if err != nil {
+		h.logger.Error("failed to store artifact", zap.Error(err))
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to store artifact"})
+		return
+	}
+
+	// Create fruit record
+	fruit := &models.Fruit{
+		ID:           hash,
+		Size:         size,
+		ContentType:  header.Header.Get("Content-Type"),
+		OriginalName: header.Filename,
+		CreatedBy:    c.GetString("user_id"),
+		S3Key:        fmt.Sprintf("%s/%s/%s", hash[:2], hash[2:4], hash),
+	}
+
+	if err := h.db.CreateFruit(c.Request.Context(), fruit); err != nil {
+		h.logger.Error("failed to create fruit record", zap.Error(err))
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to create fruit record"})
+		return
+	}
+
+	// Create harvest record
+	harvest := &models.Harvest{
+		FruitID:      hash,
+		TreeID:       tree.ID,
+		OriginalName: header.Filename,
+		HarvestedBy:  c.GetString("user_id"),
+		SourceIP:     c.ClientIP(),
+	}
+
+	if err := h.db.CreateHarvest(c.Request.Context(), harvest); err != nil {
+		h.logger.Error("failed to create harvest record", zap.Error(err))
+	}
+
+	// Optionally create a graft (tag) if specified
+	tag := c.PostForm("tag")
+	if tag != "" {
+		graft := &models.Graft{
+			TreeID:    tree.ID,
+			Name:      tag,
+			FruitID:   hash,
+			CreatedBy: c.GetString("user_id"),
+		}
+		if err := h.db.CreateGraft(c.Request.Context(), graft); err != nil {
+			h.logger.Error("failed to create graft", zap.Error(err))
+		}
+	}
+
+	h.logAudit(c, "cultivate", fmt.Sprintf("%s/%s/%s", groveName, treeName, hash))
+
+	c.JSON(http.StatusCreated, gin.H{
+		"fruit_id": hash,
+		"size":     size,
+		"grove":    groveName,
+		"tree":     treeName,
+		"tag":      tag,
+	})
+}
+
+func (h *Handler) Harvest(c *gin.Context) {
+	groveName := c.Param("grove")
+	treeName := c.Param("tree")
+	ref := c.Param("ref")
+
+	grove, err := h.db.GetGrove(c.Request.Context(), groveName)
+	if err != nil || grove == nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "grove not found"})
+		return
+	}
+
+	tree, err := h.db.GetTree(c.Request.Context(), grove.ID, treeName)
+	if err != nil || tree == nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "tree not found"})
+		return
+	}
+
+	// Resolve reference to fruit ID
+	var fruitID string
+	if strings.HasPrefix(ref, "fruit:") {
+		// Direct fruit reference
+		fruitID = strings.TrimPrefix(ref, "fruit:")
+	} else if strings.HasPrefix(ref, "version:") || strings.HasPrefix(ref, "tag:") {
+		// Tag/version reference
+		tagName := strings.TrimPrefix(ref, "version:")
+		tagName = strings.TrimPrefix(tagName, "tag:")
+		graft, err := h.db.GetGraft(c.Request.Context(), tree.ID, tagName)
+		if err != nil || graft == nil {
+			c.JSON(http.StatusNotFound, gin.H{"error": "reference not found"})
+			return
+		}
+		fruitID = graft.FruitID
+	} else {
+		// Assume it's a tag name
+		graft, err := h.db.GetGraft(c.Request.Context(), tree.ID, ref)
+		if err != nil || graft == nil {
+			// Maybe it's a direct fruit ID
+			fruit, err := h.db.GetFruit(c.Request.Context(), ref)
+			if err != nil || fruit == nil {
+				c.JSON(http.StatusNotFound, gin.H{"error": "reference not found"})
+				return
+			}
+			fruitID = ref
+		} else {
+			fruitID = graft.FruitID
+		}
+	}
+
+	// Get fruit metadata
+	fruit, err := h.db.GetFruit(c.Request.Context(), fruitID)
+	if err != nil || fruit == nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "fruit not found"})
+		return
+	}
+
+	// Track consumer if project URL is provided
+	projectURL := c.GetHeader("X-Orchard-Project")
+	if projectURL != "" {
+		h.db.TrackConsumer(c.Request.Context(), tree.ID, projectURL)
+	}
+
+	// Stream content from S3
+	reader, err := h.s3.Retrieve(c.Request.Context(), fruitID)
+	if err != nil {
+		h.logger.Error("failed to retrieve artifact", zap.Error(err))
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to retrieve artifact"})
+		return
+	}
+	defer reader.Close()
+
+	h.logAudit(c, "harvest", fmt.Sprintf("%s/%s/%s", groveName, treeName, fruitID))
+
+	c.Header("Content-Type", fruit.ContentType)
+	c.Header("Content-Disposition", fmt.Sprintf("attachment; filename=%q", fruit.OriginalName))
+	c.Header("X-Orchard-Fruit-ID", fruitID)
+	c.Header("X-Orchard-Size", fmt.Sprintf("%d", fruit.Size))
+
+	io.Copy(c.Writer, reader)
+}
+
+func (h *Handler) GetFruit(c *gin.Context) {
+	fruitID := c.Param("fruit")
+
+	fruit, err := h.db.GetFruit(c.Request.Context(), fruitID)
+	if err != nil {
+		h.logger.Error("failed to get fruit", zap.Error(err))
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to get fruit"})
+		return
+	}
+
+	if fruit == nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "fruit not found"})
+		return
+	}
+
+	c.JSON(http.StatusOK, fruit)
+}
+
+// Graft handlers (aliasing/tagging)
+
+func (h *Handler) CreateGraft(c *gin.Context) {
+	groveName := c.Param("grove")
+	treeName := c.Param("tree")
+
+	grove, err := h.db.GetGrove(c.Request.Context(), groveName)
+	if err != nil || grove == nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "grove not found"})
+		return
+	}
+
+	tree, err := h.db.GetTree(c.Request.Context(), grove.ID, treeName)
+	if err != nil || tree == nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "tree not found"})
+		return
+	}
+
+	var graft models.Graft
+	if err := c.ShouldBindJSON(&graft); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	graft.TreeID = tree.ID
+	graft.CreatedBy = c.GetString("user_id")
+
+	// Verify fruit exists
+	fruit, err := h.db.GetFruit(c.Request.Context(), graft.FruitID)
+	if err != nil || fruit == nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "fruit not found"})
+		return
+	}
+
+	if err := h.db.CreateGraft(c.Request.Context(), &graft); err != nil {
+		h.logger.Error("failed to create graft", zap.Error(err))
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to create graft"})
+		return
+	}
+
+	h.logAudit(c, "create_graft", fmt.Sprintf("%s/%s/%s", groveName, treeName, graft.Name))
+	c.JSON(http.StatusCreated, graft)
+}
+
+func (h *Handler) ListGrafts(c *gin.Context) {
+	groveName := c.Param("grove")
+	treeName := c.Param("tree")
+
+	grove, err := h.db.GetGrove(c.Request.Context(), groveName)
+	if err != nil || grove == nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "grove not found"})
+		return
+	}
+
+	tree, err := h.db.GetTree(c.Request.Context(), grove.ID, treeName)
+	if err != nil || tree == nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "tree not found"})
+		return
+	}
+
+	grafts, err := h.db.ListGrafts(c.Request.Context(), tree.ID)
+	if err != nil {
+		h.logger.Error("failed to list grafts", zap.Error(err))
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to list grafts"})
+		return
+	}
+
+	c.JSON(http.StatusOK, grafts)
+}
+
+// Consumer tracking handlers
+
+func (h *Handler) GetConsumers(c *gin.Context) {
+	groveName := c.Param("grove")
+	treeName := c.Param("tree")
+
+	grove, err := h.db.GetGrove(c.Request.Context(), groveName)
+	if err != nil || grove == nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "grove not found"})
+		return
+	}
+
+	tree, err := h.db.GetTree(c.Request.Context(), grove.ID, treeName)
+	if err != nil || tree == nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "tree not found"})
+		return
+	}
+
+	consumers, err := h.db.GetConsumers(c.Request.Context(), tree.ID)
+	if err != nil {
+		h.logger.Error("failed to get consumers", zap.Error(err))
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to get consumers"})
+		return
+	}
+
+	c.JSON(http.StatusOK, consumers)
+}
+
+// Search handler
+
+func (h *Handler) Search(c *gin.Context) {
+	// TODO: Implement format-aware search
+	c.JSON(http.StatusOK, gin.H{"message": "search not yet implemented"})
+}
+
+// Helper to log audit events
+func (h *Handler) logAudit(c *gin.Context, action, resource string) {
+	details, _ := json.Marshal(map[string]string{
+		"method": c.Request.Method,
+		"path":   c.Request.URL.Path,
+	})
+
+	log := &models.AuditLog{
+		Action:   action,
+		Resource: resource,
+		UserID:   c.GetString("user_id"),
+		Details:  string(details),
+		SourceIP: c.ClientIP(),
+	}
+
+	if err := h.db.CreateAuditLog(c.Request.Context(), log); err != nil {
+		h.logger.Error("failed to create audit log", zap.Error(err))
+	}
+}
--- a/internal/api/router.go
+++ b/internal/api/router.go
@@ -0,0 +1,153 @@
+package api
+
+import (
+	"embed"
+	"io/fs"
+
+	"github.com/bsf/orchard/internal/storage"
+	"github.com/gin-gonic/gin"
+	"go.uber.org/zap"
+)
+
+//go:embed static/*
+var staticFiles embed.FS
+
+// SetupRouter configures all API routes
+func SetupRouter(db *storage.Database, s3 *storage.S3Storage, logger *zap.Logger) *gin.Engine {
+	router := gin.New()
+	router.Use(gin.Recovery())
+	router.Use(LoggerMiddleware(logger))
+
+	handler := NewHandler(db, s3, logger)
+
+	// Serve static files from embedded FS
+	staticFS, _ := fs.Sub(staticFiles, "static")
+
+	// Root - serve index.html
+	router.GET("/", func(c *gin.Context) {
+		data, err := fs.ReadFile(staticFS, "index.html")
+		if err != nil {
+			c.String(500, "Error loading page: "+err.Error())
+			return
+		}
+		c.Data(200, "text/html; charset=utf-8", data)
+	})
+
+	// CSS file
+	router.GET("/static/style.css", func(c *gin.Context) {
+		data, err := fs.ReadFile(staticFS, "style.css")
+		if err != nil {
+			c.String(404, "Not found: "+err.Error())
+			return
+		}
+		c.Data(200, "text/css; charset=utf-8", data)
+	})
+
+	// JS file
+	router.GET("/static/app.js", func(c *gin.Context) {
+		data, err := fs.ReadFile(staticFS, "app.js")
+		if err != nil {
+			c.String(404, "Not found: "+err.Error())
+			return
+		}
+		c.Data(200, "application/javascript; charset=utf-8", data)
+	})
+
+	// Health check
+	router.GET("/health", handler.Health)
+
+	// API v1
+	v1 := router.Group("/api/v1")
+	{
+		// Authentication middleware
+		v1.Use(AuthMiddleware(db))
+
+		// Grove routes
+		groves := v1.Group("/groves")
+		{
+			groves.GET("", handler.ListGroves)
+			groves.POST("", handler.CreateGrove)
+			groves.GET("/:grove", handler.GetGrove)
+		}
+
+		// Tree routes
+		trees := v1.Group("/grove/:grove/trees")
+		{
+			trees.GET("", handler.ListTrees)
+			trees.POST("", handler.CreateTree)
+		}
+
+		// Fruit routes (content-addressable storage)
+		fruits := v1.Group("/grove/:grove/:tree")
+		{
+			// Upload artifact (cultivate)
+			fruits.POST("/cultivate", handler.Cultivate)
+
+			// Download artifact (harvest)
+			fruits.GET("/+/:ref", handler.Harvest)
+
+			// List grafts (tags/versions)
+			fruits.GET("/grafts", handler.ListGrafts)
+
+			// Create graft (tag)
+			fruits.POST("/graft", handler.CreateGraft)
+
+			// Get consumers
+			fruits.GET("/consumers", handler.GetConsumers)
+		}
+
+		// Direct fruit access by hash
+		v1.GET("/fruit/:fruit", handler.GetFruit)
+
+		// Search
+		v1.GET("/search", handler.Search)
+	}
+
+	// Compatibility endpoint matching the URL pattern from spec
+	// /grove/{project}/{tree}/+/{ref}
+	router.GET("/grove/:grove/:tree/+/:ref", AuthMiddleware(db), handler.Harvest)
+
+	return router
+}
+
+// LoggerMiddleware logs requests
+func LoggerMiddleware(logger *zap.Logger) gin.HandlerFunc {
+	return func(c *gin.Context) {
+		c.Next()
+
+		logger.Info("request",
+			zap.String("method", c.Request.Method),
+			zap.String("path", c.Request.URL.Path),
+			zap.Int("status", c.Writer.Status()),
+			zap.String("client_ip", c.ClientIP()),
+		)
+	}
+}
+
+// AuthMiddleware handles authentication
+func AuthMiddleware(db *storage.Database) gin.HandlerFunc {
+	return func(c *gin.Context) {
+		// Check for API key in header
+		apiKey := c.GetHeader("X-Orchard-API-Key")
+		if apiKey != "" {
+			// TODO: Validate API key against database
+			// For now, extract user ID from key
+			c.Set("user_id", "api-user")
+			c.Next()
+			return
+		}
+
+		// Check for Bearer token
+		authHeader := c.GetHeader("Authorization")
+		if authHeader != "" {
+			// TODO: Implement OIDC/SAML validation
+			c.Set("user_id", "bearer-user")
+			c.Next()
+			return
+		}
+
+		// Allow anonymous access for public groves (read only)
+		c.Set("user_id", "anonymous")
+		c.Next()
+	}
+}
--- a/internal/api/static/app.js
+++ b/internal/api/static/app.js
@@ -0,0 +1,573 @@
+// Orchard Web UI
+
+const API_BASE = '/api/v1';
+
+// State
+let currentGrove = null;
+let currentTree = null;
+
+// Initialize
+document.addEventListener('DOMContentLoaded', () => {
+    setupNavigation();
+    loadGroves();
+});
+
+// Navigation
+function setupNavigation() {
+    document.querySelectorAll('.nav-link').forEach(link => {
+        link.addEventListener('click', (e) => {
+            e.preventDefault();
+            const view = link.dataset.view;
+            showView(view);
+
+            document.querySelectorAll('.nav-link').forEach(l => l.classList.remove('active'));
+            link.classList.add('active');
+        });
+    });
+}
+
+function showView(viewName) {
+    document.querySelectorAll('.view').forEach(v => v.classList.remove('active'));
+    document.getElementById(`${viewName}-view`).classList.add('active');
+
+    // Load data for view
+    if (viewName === 'groves') {
+        loadGroves();
+    } else if (viewName === 'upload') {
+        loadGrovesForUpload();
+    }
+}
+
+// Groves
+async function loadGroves() {
+    const container = document.getElementById('groves-list');
+    container.innerHTML = '<div class="loading">Loading groves...</div>';
+
+    try {
+        const response = await fetch(`${API_BASE}/groves`);
+        const groves = await response.json();
+
+        if (!groves || groves.length === 0) {
+            container.innerHTML = `
+                <div class="empty-state">
+                    <h3>No groves yet</h3>
+                    <p>Create your first grove to get started</p>
+                </div>
+            `;
+            return;
+        }
+
+        container.innerHTML = groves.map(grove => `
+            <div class="grove-card" onclick="viewGrove('${grove.name}')">
+                <h3>
+                    <span>&#127795;</span>
+                    ${escapeHtml(grove.name)}
+                    <span class="badge ${grove.is_public ? 'badge-public' : 'badge-private'}">
+                        ${grove.is_public ? 'Public' : 'Private'}
+                    </span>
+                </h3>
+                <p>${escapeHtml(grove.description || 'No description')}</p>
+                <div class="meta">
+                    Created ${formatDate(grove.created_at)}
+                </div>
+            </div>
+        `).join('');
+    } catch (error) {
+        container.innerHTML = `<div class="empty-state"><p>Error loading groves: ${error.message}</p></div>`;
+    }
+}
+
+async function viewGrove(groveName) {
+    currentGrove = groveName;
+    document.getElementById('grove-detail-title').textContent = groveName;
+
+    // Load grove info
+    try {
+        const response = await fetch(`${API_BASE}/groves/${groveName}`);
+        const grove = await response.json();
+
+        document.getElementById('grove-info').innerHTML = `
+            <div class="info-grid">
+                <div class="info-item">
+                    <label>Name</label>
+                    <span>${escapeHtml(grove.name)}</span>
+                </div>
+                <div class="info-item">
+                    <label>Visibility</label>
+                    <span class="badge ${grove.is_public ? 'badge-public' : 'badge-private'}">
+                        ${grove.is_public ? 'Public' : 'Private'}
+                    </span>
+                </div>
+                <div class="info-item">
+                    <label>Created</label>
+                    <span>${formatDate(grove.created_at)}</span>
+                </div>
+                <div class="info-item">
+                    <label>Description</label>
+                    <span>${escapeHtml(grove.description || 'No description')}</span>
+                </div>
+            </div>
+        `;
+    } catch (error) {
+        console.error('Error loading grove:', error);
+    }
+
+    // Load trees
+    await loadTrees(groveName);
+
+    // Show view
+    document.querySelectorAll('.view').forEach(v => v.classList.remove('active'));
+    document.getElementById('grove-detail-view').classList.add('active');
+}
+
+async function loadTrees(groveName) {
+    const container = document.getElementById('trees-list');
+    container.innerHTML = '<div class="loading">Loading trees...</div>';
+
+    try {
+        const response = await fetch(`${API_BASE}/grove/${groveName}/trees`);
+        const trees = await response.json();
+
+        if (!trees || trees.length === 0) {
+            container.innerHTML = `
+                <div class="empty-state">
+                    <h3>No trees yet</h3>
+                    <p>Create a tree to store artifacts</p>
+                </div>
+            `;
+            return;
+        }
+
+        container.innerHTML = trees.map(tree => `
+            <div class="tree-card" onclick="viewTree('${groveName}', '${tree.name}')">
+                <h3>
+                    <span>&#127794;</span>
+                    ${escapeHtml(tree.name)}
+                </h3>
+                <p>${escapeHtml(tree.description || 'No description')}</p>
+                <div class="meta">
+                    Created ${formatDate(tree.created_at)}
+                </div>
+            </div>
+        `).join('');
+    } catch (error) {
+        container.innerHTML = `<div class="empty-state"><p>Error loading trees: ${error.message}</p></div>`;
+    }
+}
+
+async function viewTree(groveName, treeName) {
+    currentGrove = groveName;
+    currentTree = treeName;
+
+    document.getElementById('tree-detail-title').textContent = `${groveName} / ${treeName}`;
+
+    document.getElementById('tree-info').innerHTML = `
+        <div class="info-grid">
+            <div class="info-item">
+                <label>Grove</label>
+                <span>${escapeHtml(groveName)}</span>
+            </div>
+            <div class="info-item">
+                <label>Tree</label>
+                <span>${escapeHtml(treeName)}</span>
+            </div>
+        </div>
+    `;
+
+    // Load grafts
+    await loadGrafts(groveName, treeName);
+
+    // Show view
+    document.querySelectorAll('.view').forEach(v => v.classList.remove('active'));
+    document.getElementById('tree-detail-view').classList.add('active');
+}
+
+async function loadGrafts(groveName, treeName) {
+    const container = document.getElementById('grafts-list');
+    container.innerHTML = '<div class="loading">Loading versions...</div>';
+
+    try {
+        const response = await fetch(`${API_BASE}/grove/${groveName}/${treeName}/grafts`);
+        const grafts = await response.json();
+
+        if (!grafts || grafts.length === 0) {
+            container.innerHTML = `
+                <div class="empty-state">
+                    <h3>No versions yet</h3>
+                    <p>Upload an artifact to create the first version</p>
+                </div>
+            `;
+            return;
+        }
+
+        container.innerHTML = `
+            <table>
+                <thead>
+                    <tr>
+                        <th>Tag</th>
+                        <th>Fruit ID</th>
+                        <th>Created</th>
+                        <th>Actions</th>
+                    </tr>
+                </thead>
+                <tbody>
+                    ${grafts.map(graft => `
+                        <tr>
+                            <td><strong>${escapeHtml(graft.name)}</strong></td>
+                            <td>
+                                <span class="hash hash-short" onclick="copyToClipboard('${graft.fruit_id}')" title="Click to copy">
+                                    ${graft.fruit_id.substring(0, 16)}...
+                                </span>
+                            </td>
+                            <td>${formatDate(graft.created_at)}</td>
+                            <td>
+                                <a href="/api/v1/grove/${groveName}/${treeName}/+/${graft.name}"
+                                   class="btn btn-secondary" download>
+                                    Download
+                                </a>
+                            </td>
+                        </tr>
+                    `).join('')}
+                </tbody>
+            </table>
+        `;
+    } catch (error) {
+        container.innerHTML = `<div class="empty-state"><p>Error loading versions: ${error.message}</p></div>`;
+    }
+}
+
+function backToGrove() {
+    if (currentGrove) {
+        viewGrove(currentGrove);
+    } else {
+        showView('groves');
+    }
+}
+
+// Create Grove
+function showCreateGroveModal() {
+    document.getElementById('create-grove-modal').classList.remove('hidden');
+    document.getElementById('grove-name').focus();
+}
+
+async function createGrove(e) {
+    e.preventDefault();
+
+    const name = document.getElementById('grove-name').value;
+    const description = document.getElementById('grove-description').value;
+    const isPublic = document.getElementById('grove-public').checked;
+
+    try {
+        const response = await fetch(`${API_BASE}/groves`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ name, description, is_public: isPublic })
+        });
+
+        if (!response.ok) {
+            const error = await response.json();
+            throw new Error(error.error || 'Failed to create grove');
+        }
+
+        showToast('Grove created successfully!', 'success');
+        closeModals();
+        loadGroves();
+
+        // Reset form
+        document.getElementById('grove-name').value = '';
+        document.getElementById('grove-description').value = '';
+        document.getElementById('grove-public').checked = true;
+    } catch (error) {
+        showToast(error.message, 'error');
+    }
+}
+
+// Create Tree
+function showCreateTreeModal() {
+    document.getElementById('create-tree-modal').classList.remove('hidden');
+    document.getElementById('tree-name').focus();
+}
+
+async function createTree(e) {
+    e.preventDefault();
+
+    const name = document.getElementById('tree-name').value;
+    const description = document.getElementById('tree-description').value;
+
+    try {
+        const response = await fetch(`${API_BASE}/grove/${currentGrove}/trees`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ name, description })
+        });
+
+        if (!response.ok) {
+            const error = await response.json();
+            throw new Error(error.error || 'Failed to create tree');
+        }
+
+        showToast('Tree created successfully!', 'success');
+        closeModals();
+        loadTrees(currentGrove);
+
+        // Reset form
+        document.getElementById('tree-name').value = '';
+        document.getElementById('tree-description').value = '';
+    } catch (error) {
+        showToast(error.message, 'error');
+    }
+}
+
+// Upload
+async function loadGrovesForUpload() {
+    const select = document.getElementById('upload-grove');
+    select.innerHTML = '<option value="">Loading...</option>';
+
+    try {
+        const response = await fetch(`${API_BASE}/groves`);
+        const groves = await response.json();
+
+        select.innerHTML = '<option value="">Select grove...</option>' +
+            (groves || []).map(g => `<option value="${g.name}">${g.name}</option>`).join('');
+    } catch (error) {
+        select.innerHTML = '<option value="">Error loading groves</option>';
+    }
+}
+
+async function loadTreesForUpload() {
+    const groveName = document.getElementById('upload-grove').value;
+    const select = document.getElementById('upload-tree');
+
+    if (!groveName) {
+        select.innerHTML = '<option value="">Select tree...</option>';
+        return;
+    }
+
+    select.innerHTML = '<option value="">Loading...</option>';
+
+    try {
+        const response = await fetch(`${API_BASE}/grove/${groveName}/trees`);
+        const trees = await response.json();
+
+        select.innerHTML = '<option value="">Select tree...</option>' +
+            (trees || []).map(t => `<option value="${t.name}">${t.name}</option>`).join('');
+    } catch (error) {
+        select.innerHTML = '<option value="">Error loading trees</option>';
+    }
+}
+
+function updateFileName() {
+    const input = document.getElementById('upload-file');
+    const display = document.getElementById('file-name');
+    display.textContent = input.files[0]?.name || '';
+}
+
+async function uploadArtifact(e) {
+    e.preventDefault();
+
+    const grove = document.getElementById('upload-grove').value;
+    const tree = document.getElementById('upload-tree').value;
+    const file = document.getElementById('upload-file').files[0];
+    const tag = document.getElementById('upload-tag').value;
+
+    const formData = new FormData();
+    formData.append('file', file);
+    if (tag) formData.append('tag', tag);
+
+    const resultDiv = document.getElementById('upload-result');
+    resultDiv.innerHTML = '<div class="loading">Uploading...</div>';
+    resultDiv.classList.remove('hidden', 'success', 'error');
+
+    try {
+        const response = await fetch(`${API_BASE}/grove/${grove}/${tree}/cultivate`, {
+            method: 'POST',
+            body: formData
+        });
+
+        const result = await response.json();
+
+        if (!response.ok) {
+            throw new Error(result.error || 'Upload failed');
+        }
+
+        resultDiv.classList.add('success');
+        resultDiv.innerHTML = `
+            <h3>Upload Successful!</h3>
+            <dl>
+                <dt>Fruit ID</dt>
+                <dd class="hash">${result.fruit_id}</dd>
+                <dt>Size</dt>
+                <dd>${formatBytes(result.size)}</dd>
+                <dt>Grove</dt>
+                <dd>${escapeHtml(result.grove)}</dd>
+                <dt>Tree</dt>
+                <dd>${escapeHtml(result.tree)}</dd>
+                ${result.tag ? `<dt>Tag</dt><dd>${escapeHtml(result.tag)}</dd>` : ''}
+            </dl>
+            <div class="actions">
+                <a href="/api/v1/grove/${grove}/${tree}/+/${result.tag || 'fruit:' + result.fruit_id}"
+                   class="btn btn-primary" download>
+                    Download Artifact
+                </a>
+            </div>
+        `;
+
+        showToast('Artifact uploaded successfully!', 'success');
+    } catch (error) {
+        resultDiv.classList.add('error');
+        resultDiv.innerHTML = `<h3>Upload Failed</h3><p>${escapeHtml(error.message)}</p>`;
+        showToast(error.message, 'error');
+    }
+}
+
+async function uploadToTree(e) {
+    e.preventDefault();
+
+    const file = document.getElementById('tree-upload-file').files[0];
+    const tag = document.getElementById('tree-upload-tag').value;
+
+    const formData = new FormData();
+    formData.append('file', file);
+    if (tag) formData.append('tag', tag);
+
+    try {
+        const response = await fetch(`${API_BASE}/grove/${currentGrove}/${currentTree}/cultivate`, {
+            method: 'POST',
+            body: formData
+        });
+
+        const result = await response.json();
+
+        if (!response.ok) {
+            throw new Error(result.error || 'Upload failed');
+        }
+
+        showToast('Artifact uploaded successfully!', 'success');
+
+        // Reload grafts
+        loadGrafts(currentGrove, currentTree);
+
+        // Reset form
+        document.getElementById('tree-upload-file').value = '';
+        document.getElementById('tree-upload-tag').value = '';
+    } catch (error) {
+        showToast(error.message, 'error');
+    }
+}
+
+// Search
+function handleSearchKeyup(e) {
+    if (e.key === 'Enter') {
+        searchFruit();
+    }
+}
+
+async function searchFruit() {
+    const fruitId = document.getElementById('search-input').value.trim();
+    const resultDiv = document.getElementById('search-result');
+
+    if (!fruitId) {
+        showToast('Please enter a fruit ID', 'error');
+        return;
+    }
+
+    resultDiv.innerHTML = '<div class="loading">Searching...</div>';
+    resultDiv.classList.remove('hidden', 'success', 'error');
+
+    try {
+        const response = await fetch(`${API_BASE}/fruit/${fruitId}`);
+        const result = await response.json();
+
+        if (!response.ok) {
+            throw new Error(result.error || 'Fruit not found');
+        }
+
+        resultDiv.classList.add('success');
+        resultDiv.innerHTML = `
+            <h3>Fruit Found</h3>
+            <dl>
+                <dt>Fruit ID</dt>
+                <dd class="hash">${result.id}</dd>
+                <dt>Original Name</dt>
+                <dd>${escapeHtml(result.original_name || 'Unknown')}</dd>
+                <dt>Size</dt>
+                <dd>${formatBytes(result.size)}</dd>
+                <dt>Content Type</dt>
+                <dd>${escapeHtml(result.content_type || 'Unknown')}</dd>
+                <dt>Created</dt>
+                <dd>${formatDate(result.created_at)}</dd>
+                <dt>Reference Count</dt>
+                <dd>${result.ref_count}</dd>
+            </dl>
+        `;
+    } catch (error) {
+        resultDiv.classList.add('error');
+        resultDiv.innerHTML = `<h3>Not Found</h3><p>${escapeHtml(error.message)}</p>`;
+    }
+}
+
+// Modals
+function closeModals() {
+    document.querySelectorAll('.modal').forEach(m => m.classList.add('hidden'));
+}
+
+// Close modal on outside click
+document.addEventListener('click', (e) => {
+    if (e.target.classList.contains('modal')) {
+        closeModals();
+    }
+});
+
+// Close modal on Escape
+document.addEventListener('keydown', (e) => {
+    if (e.key === 'Escape') {
+        closeModals();
+    }
+});
+
+// Toast notifications
+function showToast(message, type = 'info') {
+    const container = document.getElementById('toast-container');
+    const toast = document.createElement('div');
+    toast.className = `toast ${type}`;
+    toast.textContent = message;
+    container.appendChild(toast);
+
+    setTimeout(() => {
+        toast.remove();
+    }, 3000);
+}
+
+// Utilities
+function escapeHtml(str) {
+    if (!str) return '';
+    const div = document.createElement('div');
+    div.textContent = str;
+    return div.innerHTML;
+}
+
+function formatDate(dateStr) {
+    if (!dateStr) return 'Unknown';
+    const date = new Date(dateStr);
+    return date.toLocaleDateString('en-US', {
+        year: 'numeric',
+        month: 'short',
+        day: 'numeric',
+        hour: '2-digit',
+        minute: '2-digit'
+    });
+}
+
+function formatBytes(bytes) {
+    if (bytes === 0) return '0 Bytes';
+    const k = 1024;
+    const sizes = ['Bytes', 'KB', 'MB', 'GB', 'TB'];
+    const i = Math.floor(Math.log(bytes) / Math.log(k));
+    return parseFloat((bytes / Math.pow(k, i)).toFixed(2)) + ' ' + sizes[i];
+}
+
+function copyToClipboard(text) {
+    navigator.clipboard.writeText(text).then(() => {
+        showToast('Copied to clipboard!', 'success');
+    });
+}
--- a/internal/api/static/index.html
+++ b/internal/api/static/index.html
@@ -0,0 +1,183 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Orchard - Content Addressable Storage</title>
+    <link rel="stylesheet" href="/static/style.css">
+</head>
+<body>
+    <nav class="navbar">
+        <div class="nav-brand">
+            <span class="logo">&#127822;</span> Orchard
+        </div>
+        <div class="nav-links">
+            <a href="#" class="nav-link active" data-view="groves">Groves</a>
+            <a href="#" class="nav-link" data-view="upload">Upload</a>
+            <a href="#" class="nav-link" data-view="search">Search</a>
+        </div>
+    </nav>
+
+    <main class="container">
+        <!-- Groves View -->
+        <div id="groves-view" class="view active">
+            <div class="view-header">
+                <h1>Groves</h1>
+                <button class="btn btn-primary" onclick="showCreateGroveModal()">+ New Grove</button>
+            </div>
+            <div id="groves-list" class="card-grid">
+                <div class="loading">Loading groves...</div>
+            </div>
+        </div>
+
+        <!-- Grove Detail View -->
+        <div id="grove-detail-view" class="view">
+            <div class="view-header">
+                <button class="btn btn-secondary" onclick="showView('groves')">&larr; Back</button>
+                <h1 id="grove-detail-title">Grove</h1>
+            </div>
+            <div class="grove-info" id="grove-info"></div>
+            <div class="section">
+                <div class="section-header">
+                    <h2>Trees</h2>
+                    <button class="btn btn-primary" onclick="showCreateTreeModal()">+ New Tree</button>
+                </div>
+                <div id="trees-list" class="card-grid"></div>
+            </div>
+        </div>
+
+        <!-- Tree Detail View -->
+        <div id="tree-detail-view" class="view">
+            <div class="view-header">
+                <button class="btn btn-secondary" onclick="backToGrove()">&larr; Back</button>
+                <h1 id="tree-detail-title">Tree</h1>
+            </div>
+            <div class="tree-info" id="tree-info"></div>
+            <div class="section">
+                <div class="section-header">
+                    <h2>Versions (Grafts)</h2>
+                </div>
+                <div id="grafts-list" class="table-container"></div>
+            </div>
+            <div class="section">
+                <h2>Upload Artifact</h2>
+                <form id="tree-upload-form" class="upload-form" onsubmit="uploadToTree(event)">
+                    <div class="form-group">
+                        <label>File</label>
+                        <input type="file" id="tree-upload-file" required>
+                    </div>
+                    <div class="form-group">
+                        <label>Tag (optional)</label>
+                        <input type="text" id="tree-upload-tag" placeholder="e.g., v1.0.0, latest">
+                    </div>
+                    <button type="submit" class="btn btn-primary">Upload</button>
+                </form>
+            </div>
+        </div>
+
+        <!-- Upload View -->
+        <div id="upload-view" class="view">
+            <h1>Upload Artifact</h1>
+            <form id="upload-form" class="upload-form card" onsubmit="uploadArtifact(event)">
+                <div class="form-row">
+                    <div class="form-group">
+                        <label>Grove</label>
+                        <select id="upload-grove" required onchange="loadTreesForUpload()">
+                            <option value="">Select grove...</option>
+                        </select>
+                    </div>
+                    <div class="form-group">
+                        <label>Tree</label>
+                        <select id="upload-tree" required>
+                            <option value="">Select tree...</option>
+                        </select>
+                    </div>
+                </div>
+                <div class="form-group">
+                    <label>File</label>
+                    <div class="file-drop" id="file-drop">
+                        <input type="file" id="upload-file" required onchange="updateFileName()">
+                        <p>Drop file here or click to browse</p>
+                        <span id="file-name"></span>
+                    </div>
+                </div>
+                <div class="form-group">
+                    <label>Tag (optional)</label>
+                    <input type="text" id="upload-tag" placeholder="e.g., v1.0.0, latest, stable">
+                </div>
+                <button type="submit" class="btn btn-primary btn-lg">Upload Artifact</button>
+            </form>
+            <div id="upload-result" class="result-card hidden"></div>
+        </div>
+
+        <!-- Search View -->
+        <div id="search-view" class="view">
+            <h1>Search Artifacts</h1>
+            <div class="search-box">
+                <input type="text" id="search-input" placeholder="Enter fruit ID (SHA256 hash)..." onkeyup="handleSearchKeyup(event)">
+                <button class="btn btn-primary" onclick="searchFruit()">Search</button>
+            </div>
+            <div id="search-result" class="result-card hidden"></div>
+        </div>
+    </main>
+
+    <!-- Create Grove Modal -->
+    <div id="create-grove-modal" class="modal hidden">
+        <div class="modal-content">
+            <div class="modal-header">
+                <h2>Create New Grove</h2>
+                <button class="modal-close" onclick="closeModals()">&times;</button>
+            </div>
+            <form onsubmit="createGrove(event)">
+                <div class="form-group">
+                    <label>Name</label>
+                    <input type="text" id="grove-name" required placeholder="e.g., blinx-core">
+                </div>
+                <div class="form-group">
+                    <label>Description</label>
+                    <textarea id="grove-description" placeholder="Optional description..."></textarea>
+                </div>
+                <div class="form-group checkbox">
+                    <label>
+                        <input type="checkbox" id="grove-public" checked>
+                        Public grove
+                    </label>
+                </div>
+                <div class="modal-actions">
+                    <button type="button" class="btn btn-secondary" onclick="closeModals()">Cancel</button>
+                    <button type="submit" class="btn btn-primary">Create Grove</button>
+                </div>
+            </form>
+        </div>
+    </div>
+
+    <!-- Create Tree Modal -->
+    <div id="create-tree-modal" class="modal hidden">
+        <div class="modal-content">
+            <div class="modal-header">
+                <h2>Create New Tree</h2>
+                <button class="modal-close" onclick="closeModals()">&times;</button>
+            </div>
+            <form onsubmit="createTree(event)">
+                <div class="form-group">
+                    <label>Name</label>
+                    <input type="text" id="tree-name" required placeholder="e.g., kernel">
+                </div>
+                <div class="form-group">
+                    <label>Description</label>
+                    <textarea id="tree-description" placeholder="Optional description..."></textarea>
+                </div>
+                <div class="modal-actions">
+                    <button type="button" class="btn btn-secondary" onclick="closeModals()">Cancel</button>
+                    <button type="submit" class="btn btn-primary">Create Tree</button>
+                </div>
+            </form>
+        </div>
+    </div>
+
+    <!-- Toast Notifications -->
+    <div id="toast-container"></div>
+
+    <script src="/static/app.js"></script>
+</body>
+</html>
--- a/internal/api/static/style.css
+++ b/internal/api/static/style.css
@@ -0,0 +1,603 @@
+* {
+    margin: 0;
+    padding: 0;
+    box-sizing: border-box;
+}
+
+:root {
+    --primary: #059669;
+    --primary-dark: #047857;
+    --primary-light: #10b981;
+    --secondary: #6b7280;
+    --background: #f3f4f6;
+    --surface: #ffffff;
+    --text: #1f2937;
+    --text-light: #6b7280;
+    --border: #e5e7eb;
+    --success: #10b981;
+    --error: #ef4444;
+    --warning: #f59e0b;
+    --radius: 8px;
+    --shadow: 0 1px 3px rgba(0,0,0,0.1), 0 1px 2px rgba(0,0,0,0.06);
+    --shadow-lg: 0 10px 15px -3px rgba(0,0,0,0.1), 0 4px 6px -2px rgba(0,0,0,0.05);
+}
+
+body {
+    font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, sans-serif;
+    background: var(--background);
+    color: var(--text);
+    line-height: 1.6;
+}
+
+/* Navbar */
+.navbar {
+    background: var(--surface);
+    border-bottom: 1px solid var(--border);
+    padding: 0 2rem;
+    height: 60px;
+    display: flex;
+    align-items: center;
+    justify-content: space-between;
+    position: sticky;
+    top: 0;
+    z-index: 100;
+}
+
+.nav-brand {
+    font-size: 1.5rem;
+    font-weight: 700;
+    color: var(--primary);
+    display: flex;
+    align-items: center;
+    gap: 0.5rem;
+}
+
+.logo {
+    font-size: 1.75rem;
+}
+
+.nav-links {
+    display: flex;
+    gap: 0.5rem;
+}
+
+.nav-link {
+    padding: 0.5rem 1rem;
+    text-decoration: none;
+    color: var(--text-light);
+    border-radius: var(--radius);
+    transition: all 0.2s;
+}
+
+.nav-link:hover {
+    background: var(--background);
+    color: var(--text);
+}
+
+.nav-link.active {
+    background: var(--primary);
+    color: white;
+}
+
+/* Container */
+.container {
+    max-width: 1200px;
+    margin: 0 auto;
+    padding: 2rem;
+}
+
+/* Views */
+.view {
+    display: none;
+}
+
+.view.active {
+    display: block;
+}
+
+.view-header {
+    display: flex;
+    align-items: center;
+    gap: 1rem;
+    margin-bottom: 1.5rem;
+}
+
+.view-header h1 {
+    flex: 1;
+}
+
+/* Cards */
+.card {
+    background: var(--surface);
+    border-radius: var(--radius);
+    border: 1px solid var(--border);
+    padding: 1.5rem;
+    box-shadow: var(--shadow);
+}
+
+.card-grid {
+    display: grid;
+    grid-template-columns: repeat(auto-fill, minmax(300px, 1fr));
+    gap: 1rem;
+}
+
+.grove-card, .tree-card {
+    background: var(--surface);
+    border-radius: var(--radius);
+    border: 1px solid var(--border);
+    padding: 1.25rem;
+    cursor: pointer;
+    transition: all 0.2s;
+}
+
+.grove-card:hover, .tree-card:hover {
+    border-color: var(--primary);
+    box-shadow: var(--shadow-lg);
+    transform: translateY(-2px);
+}
+
+.grove-card h3, .tree-card h3 {
+    color: var(--primary);
+    margin-bottom: 0.5rem;
+    display: flex;
+    align-items: center;
+    gap: 0.5rem;
+}
+
+.grove-card p, .tree-card p {
+    color: var(--text-light);
+    font-size: 0.9rem;
+}
+
+.grove-card .meta, .tree-card .meta {
+    margin-top: 1rem;
+    padding-top: 1rem;
+    border-top: 1px solid var(--border);
+    font-size: 0.8rem;
+    color: var(--text-light);
+}
+
+.badge {
+    display: inline-block;
+    padding: 0.2rem 0.5rem;
+    border-radius: 4px;
+    font-size: 0.75rem;
+    font-weight: 500;
+}
+
+.badge-public {
+    background: #d1fae5;
+    color: #065f46;
+}
+
+.badge-private {
+    background: #fef3c7;
+    color: #92400e;
+}
+
+/* Sections */
+.section {
+    margin-top: 2rem;
+}
+
+.section-header {
+    display: flex;
+    align-items: center;
+    justify-content: space-between;
+    margin-bottom: 1rem;
+}
+
+.section-header h2 {
+    font-size: 1.25rem;
+}
+
+/* Buttons */
+.btn {
+    padding: 0.5rem 1rem;
+    border-radius: var(--radius);
+    border: none;
+    font-size: 0.9rem;
+    font-weight: 500;
+    cursor: pointer;
+    transition: all 0.2s;
+    display: inline-flex;
+    align-items: center;
+    gap: 0.5rem;
+}
+
+.btn-primary {
+    background: var(--primary);
+    color: white;
+}
+
+.btn-primary:hover {
+    background: var(--primary-dark);
+}
+
+.btn-secondary {
+    background: var(--background);
+    color: var(--text);
+    border: 1px solid var(--border);
+}
+
+.btn-secondary:hover {
+    background: var(--border);
+}
+
+.btn-lg {
+    padding: 0.75rem 1.5rem;
+    font-size: 1rem;
+}
+
+/* Forms */
+.form-group {
+    margin-bottom: 1rem;
+}
+
+.form-group label {
+    display: block;
+    margin-bottom: 0.5rem;
+    font-weight: 500;
+    color: var(--text);
+}
+
+.form-group input[type="text"],
+.form-group input[type="email"],
+.form-group textarea,
+.form-group select {
+    width: 100%;
+    padding: 0.75rem;
+    border: 1px solid var(--border);
+    border-radius: var(--radius);
+    font-size: 1rem;
+    transition: border-color 0.2s;
+}
+
+.form-group input:focus,
+.form-group textarea:focus,
+.form-group select:focus {
+    outline: none;
+    border-color: var(--primary);
+}
+
+.form-group textarea {
+    min-height: 100px;
+    resize: vertical;
+}
+
+.form-group.checkbox label {
+    display: flex;
+    align-items: center;
+    gap: 0.5rem;
+    cursor: pointer;
+}
+
+.form-row {
+    display: grid;
+    grid-template-columns: 1fr 1fr;
+    gap: 1rem;
+}
+
+/* File Drop */
+.file-drop {
+    border: 2px dashed var(--border);
+    border-radius: var(--radius);
+    padding: 2rem;
+    text-align: center;
+    cursor: pointer;
+    transition: all 0.2s;
+    position: relative;
+}
+
+.file-drop:hover {
+    border-color: var(--primary);
+    background: #f0fdf4;
+}
+
+.file-drop input[type="file"] {
+    position: absolute;
+    top: 0;
+    left: 0;
+    width: 100%;
+    height: 100%;
+    opacity: 0;
+    cursor: pointer;
+}
+
+.file-drop p {
+    color: var(--text-light);
+    margin-bottom: 0.5rem;
+}
+
+#file-name {
+    color: var(--primary);
+    font-weight: 500;
+}
+
+/* Upload Form */
+.upload-form {
+    max-width: 600px;
+}
+
+.upload-form.card {
+    padding: 2rem;
+}
+
+/* Tables */
+.table-container {
+    overflow-x: auto;
+}
+
+table {
+    width: 100%;
+    border-collapse: collapse;
+    background: var(--surface);
+    border-radius: var(--radius);
+    overflow: hidden;
+}
+
+th, td {
+    padding: 0.75rem 1rem;
+    text-align: left;
+    border-bottom: 1px solid var(--border);
+}
+
+th {
+    background: var(--background);
+    font-weight: 600;
+    color: var(--text-light);
+    font-size: 0.85rem;
+    text-transform: uppercase;
+}
+
+tr:hover {
+    background: #f9fafb;
+}
+
+.hash {
+    font-family: 'Monaco', 'Menlo', monospace;
+    font-size: 0.85rem;
+    color: var(--text-light);
+}
+
+.hash-short {
+    cursor: pointer;
+}
+
+.hash-short:hover {
+    color: var(--primary);
+}
+
+/* Search */
+.search-box {
+    display: flex;
+    gap: 1rem;
+    max-width: 600px;
+    margin-bottom: 2rem;
+}
+
+.search-box input {
+    flex: 1;
+    padding: 0.75rem 1rem;
+    border: 1px solid var(--border);
+    border-radius: var(--radius);
+    font-size: 1rem;
+}
+
+.search-box input:focus {
+    outline: none;
+    border-color: var(--primary);
+}
+
+/* Result Card */
+.result-card {
+    background: var(--surface);
+    border-radius: var(--radius);
+    border: 1px solid var(--border);
+    padding: 1.5rem;
+    margin-top: 1.5rem;
+    max-width: 600px;
+}
+
+.result-card.success {
+    border-color: var(--success);
+    background: #f0fdf4;
+}
+
+.result-card.error {
+    border-color: var(--error);
+    background: #fef2f2;
+}
+
+.result-card h3 {
+    margin-bottom: 1rem;
+}
+
+.result-card dl {
+    display: grid;
+    grid-template-columns: 150px 1fr;
+    gap: 0.5rem;
+}
+
+.result-card dt {
+    font-weight: 500;
+    color: var(--text-light);
+}
+
+.result-card dd {
+    word-break: break-all;
+}
+
+.result-card .actions {
+    margin-top: 1rem;
+    padding-top: 1rem;
+    border-top: 1px solid var(--border);
+}
+
+/* Modal */
+.modal {
+    position: fixed;
+    top: 0;
+    left: 0;
+    width: 100%;
+    height: 100%;
+    background: rgba(0,0,0,0.5);
+    display: flex;
+    align-items: center;
+    justify-content: center;
+    z-index: 1000;
+}
+
+.modal.hidden {
+    display: none;
+}
+
+.modal-content {
+    background: var(--surface);
+    border-radius: var(--radius);
+    width: 100%;
+    max-width: 500px;
+    max-height: 90vh;
+    overflow-y: auto;
+}
+
+.modal-header {
+    padding: 1rem 1.5rem;
+    border-bottom: 1px solid var(--border);
+    display: flex;
+    align-items: center;
+    justify-content: space-between;
+}
+
+.modal-header h2 {
+    font-size: 1.25rem;
+}
+
+.modal-close {
+    background: none;
+    border: none;
+    font-size: 1.5rem;
+    cursor: pointer;
+    color: var(--text-light);
+}
+
+.modal-close:hover {
+    color: var(--text);
+}
+
+.modal-content form {
+    padding: 1.5rem;
+}
+
+.modal-actions {
+    display: flex;
+    justify-content: flex-end;
+    gap: 0.5rem;
+    margin-top: 1.5rem;
+}
+
+/* Info boxes */
+.grove-info, .tree-info {
+    background: var(--surface);
+    border-radius: var(--radius);
+    border: 1px solid var(--border);
+    padding: 1rem 1.5rem;
+    margin-bottom: 1rem;
+}
+
+.info-grid {
+    display: grid;
+    grid-template-columns: repeat(auto-fit, minmax(200px, 1fr));
+    gap: 1rem;
+}
+
+.info-item label {
+    display: block;
+    font-size: 0.8rem;
+    color: var(--text-light);
+    margin-bottom: 0.25rem;
+}
+
+.info-item span {
+    font-weight: 500;
+}
+
+/* Toast */
+#toast-container {
+    position: fixed;
+    bottom: 2rem;
+    right: 2rem;
+    z-index: 2000;
+}
+
+.toast {
+    background: var(--text);
+    color: white;
+    padding: 1rem 1.5rem;
+    border-radius: var(--radius);
+    margin-top: 0.5rem;
+    box-shadow: var(--shadow-lg);
+    animation: slideIn 0.3s ease;
+}
+
+.toast.success {
+    background: var(--success);
+}
+
+.toast.error {
+    background: var(--error);
+}
+
+@keyframes slideIn {
+    from {
+        transform: translateX(100%);
+        opacity: 0;
+    }
+    to {
+        transform: translateX(0);
+        opacity: 1;
+    }
+}
+
+/* Loading */
+.loading {
+    text-align: center;
+    padding: 2rem;
+    color: var(--text-light);
+}
+
+/* Hidden */
+.hidden {
+    display: none !important;
+}
+
+/* Empty State */
+.empty-state {
+    text-align: center;
+    padding: 3rem;
+    color: var(--text-light);
+}
+
+.empty-state h3 {
+    margin-bottom: 0.5rem;
+    color: var(--text);
+}
+
+/* Responsive */
+@media (max-width: 768px) {
+    .navbar {
+        padding: 0 1rem;
+    }
+
+    .container {
+        padding: 1rem;
+    }
+
+    .form-row {
+        grid-template-columns: 1fr;
+    }
+
+    .card-grid {
+        grid-template-columns: 1fr;
+    }
+}
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -0,0 +1,104 @@
+package config
+
+import (
+	"strings"
+
+	"github.com/spf13/viper"
+)
+
+type Config struct {
+	Server   ServerConfig   `mapstructure:"server"`
+	Database DatabaseConfig `mapstructure:"database"`
+	S3       S3Config       `mapstructure:"s3"`
+	Redis    RedisConfig    `mapstructure:"redis"`
+}
+
+type ServerConfig struct {
+	Host string `mapstructure:"host"`
+	Port int    `mapstructure:"port"`
+}
+
+type DatabaseConfig struct {
+	Host     string `mapstructure:"host"`
+	Port     int    `mapstructure:"port"`
+	User     string `mapstructure:"user"`
+	Password string `mapstructure:"password"`
+	DBName   string `mapstructure:"dbname"`
+	SSLMode  string `mapstructure:"sslmode"`
+}
+
+type S3Config struct {
+	Endpoint        string `mapstructure:"endpoint"`
+	Region          string `mapstructure:"region"`
+	Bucket          string `mapstructure:"bucket"`
+	AccessKeyID     string `mapstructure:"access_key_id"`
+	SecretAccessKey string `mapstructure:"secret_access_key"`
+	UsePathStyle    bool   `mapstructure:"use_path_style"`
+}
+
+type RedisConfig struct {
+	Host     string `mapstructure:"host"`
+	Port     int    `mapstructure:"port"`
+	Password string `mapstructure:"password"`
+	DB       int    `mapstructure:"db"`
+}
+
+func Load() (*Config, error) {
+	viper.SetConfigName("config")
+	viper.SetConfigType("yaml")
+	viper.AddConfigPath(".")
+	viper.AddConfigPath("/etc/orchard")
+
+	// Environment variable overrides
+	viper.SetEnvPrefix("ORCHARD")
+	viper.AutomaticEnv()
+	viper.SetEnvKeyReplacer(strings.NewReplacer(".", "_"))
+
+	// Bind environment variables explicitly for nested config
+	viper.BindEnv("server.host", "ORCHARD_SERVER_HOST")
+	viper.BindEnv("server.port", "ORCHARD_SERVER_PORT")
+	viper.BindEnv("database.host", "ORCHARD_DATABASE_HOST")
+	viper.BindEnv("database.port", "ORCHARD_DATABASE_PORT")
+	viper.BindEnv("database.user", "ORCHARD_DATABASE_USER")
+	viper.BindEnv("database.password", "ORCHARD_DATABASE_PASSWORD")
+	viper.BindEnv("database.dbname", "ORCHARD_DATABASE_DBNAME")
+	viper.BindEnv("database.sslmode", "ORCHARD_DATABASE_SSLMODE")
+	viper.BindEnv("s3.endpoint", "ORCHARD_S3_ENDPOINT")
+	viper.BindEnv("s3.region", "ORCHARD_S3_REGION")
+	viper.BindEnv("s3.bucket", "ORCHARD_S3_BUCKET")
+	viper.BindEnv("s3.access_key_id", "ORCHARD_S3_ACCESS_KEY_ID")
+	viper.BindEnv("s3.secret_access_key", "ORCHARD_S3_SECRET_ACCESS_KEY")
+	viper.BindEnv("s3.use_path_style", "ORCHARD_S3_USE_PATH_STYLE")
+	viper.BindEnv("redis.host", "ORCHARD_REDIS_HOST")
+	viper.BindEnv("redis.port", "ORCHARD_REDIS_PORT")
+	viper.BindEnv("redis.password", "ORCHARD_REDIS_PASSWORD")
+	viper.BindEnv("redis.db", "ORCHARD_REDIS_DB")
+
+	// Defaults
+	viper.SetDefault("server.host", "0.0.0.0")
+	viper.SetDefault("server.port", 8080)
+	viper.SetDefault("database.host", "localhost")
+	viper.SetDefault("database.port", 5432)
+	viper.SetDefault("database.user", "orchard")
+	viper.SetDefault("database.dbname", "orchard")
+	viper.SetDefault("database.sslmode", "disable")
+	viper.SetDefault("s3.region", "us-east-1")
+	viper.SetDefault("s3.bucket", "orchard-artifacts")
+	viper.SetDefault("s3.use_path_style", true)
+	viper.SetDefault("redis.host", "localhost")
+	viper.SetDefault("redis.port", 6379)
+	viper.SetDefault("redis.db", 0)
+
+	if err := viper.ReadInConfig(); err != nil {
+		if _, ok := err.(viper.ConfigFileNotFoundError); !ok {
+			return nil, err
+		}
+	}
+
+	var cfg Config
+	if err := viper.Unmarshal(&cfg); err != nil {
+		return nil, err
+	}
+
+	return &cfg, nil
+}
--- a/internal/models/models.go
+++ b/internal/models/models.go
@@ -0,0 +1,110 @@
+package models
+
+import (
+	"time"
+)
+
+// Fruit represents a content-addressable artifact identified by SHA256 hash
+type Fruit struct {
+	ID           string    `json:"id" db:"id"`                       // SHA256 hash
+	Size         int64     `json:"size" db:"size"`                   // Size in bytes
+	ContentType  string    `json:"content_type" db:"content_type"`   // MIME type
+	OriginalName string    `json:"original_name" db:"original_name"` // Original filename
+	CreatedAt    time.Time `json:"created_at" db:"created_at"`
+	CreatedBy    string    `json:"created_by" db:"created_by"`       // Harvester ID
+	RefCount     int       `json:"ref_count" db:"ref_count"`         // Reference count
+	S3Key        string    `json:"-" db:"s3_key"`                    // S3 object key
+}
+
+// Tree represents a named package within a grove
+type Tree struct {
+	ID          string    `json:"id" db:"id"`
+	GroveID     string    `json:"grove_id" db:"grove_id"`
+	Name        string    `json:"name" db:"name"`
+	Description string    `json:"description" db:"description"`
+	CreatedAt   time.Time `json:"created_at" db:"created_at"`
+	UpdatedAt   time.Time `json:"updated_at" db:"updated_at"`
+}
+
+// Grove represents a top-level project
+type Grove struct {
+	ID          string    `json:"id" db:"id"`
+	Name        string    `json:"name" db:"name"`
+	Description string    `json:"description" db:"description"`
+	IsPublic    bool      `json:"is_public" db:"is_public"`
+	CreatedAt   time.Time `json:"created_at" db:"created_at"`
+	UpdatedAt   time.Time `json:"updated_at" db:"updated_at"`
+	CreatedBy   string    `json:"created_by" db:"created_by"`
+}
+
+// Graft represents an alias/tag pointing to a specific fruit
+type Graft struct {
+	ID        string    `json:"id" db:"id"`
+	TreeID    string    `json:"tree_id" db:"tree_id"`
+	Name      string    `json:"name" db:"name"`           // e.g., "latest", "v1.2.3", "stable"
+	FruitID   string    `json:"fruit_id" db:"fruit_id"`   // SHA256 of the fruit
+	CreatedAt time.Time `json:"created_at" db:"created_at"`
+	CreatedBy string    `json:"created_by" db:"created_by"`
+}
+
+// GraftHistory tracks changes to grafts for rollback capability
+type GraftHistory struct {
+	ID          string    `json:"id" db:"id"`
+	GraftID     string    `json:"graft_id" db:"graft_id"`
+	OldFruitID  string    `json:"old_fruit_id" db:"old_fruit_id"`
+	NewFruitID  string    `json:"new_fruit_id" db:"new_fruit_id"`
+	ChangedAt   time.Time `json:"changed_at" db:"changed_at"`
+	ChangedBy   string    `json:"changed_by" db:"changed_by"`
+}
+
+// Harvest represents metadata about an upload event
+type Harvest struct {
+	ID           string    `json:"id" db:"id"`
+	FruitID      string    `json:"fruit_id" db:"fruit_id"`
+	TreeID       string    `json:"tree_id" db:"tree_id"`
+	OriginalName string    `json:"original_name" db:"original_name"`
+	HarvestedAt  time.Time `json:"harvested_at" db:"harvested_at"`
+	HarvestedBy  string    `json:"harvested_by" db:"harvested_by"`
+	SourceIP     string    `json:"source_ip" db:"source_ip"`
+}
+
+// Consumer tracks which projects consume specific packages
+type Consumer struct {
+	ID         string    `json:"id" db:"id"`
+	TreeID     string    `json:"tree_id" db:"tree_id"`
+	ProjectURL string    `json:"project_url" db:"project_url"`
+	LastAccess time.Time `json:"last_access" db:"last_access"`
+	CreatedAt  time.Time `json:"created_at" db:"created_at"`
+}
+
+// AccessPermission defines grove-level access control
+type AccessPermission struct {
+	ID        string    `json:"id" db:"id"`
+	GroveID   string    `json:"grove_id" db:"grove_id"`
+	UserID    string    `json:"user_id" db:"user_id"`
+	Level     string    `json:"level" db:"level"` // read, write, admin
+	CreatedAt time.Time `json:"created_at" db:"created_at"`
+	ExpiresAt *time.Time `json:"expires_at,omitempty" db:"expires_at"`
+}
+
+// AuditLog tracks all operations for compliance
+type AuditLog struct {
+	ID        string    `json:"id" db:"id"`
+	Action    string    `json:"action" db:"action"`
+	Resource  string    `json:"resource" db:"resource"`
+	UserID    string    `json:"user_id" db:"user_id"`
+	Details   string    `json:"details" db:"details"` // JSON blob
+	Timestamp time.Time `json:"timestamp" db:"timestamp"`
+	SourceIP  string    `json:"source_ip" db:"source_ip"`
+}
+
+// APIKey for programmatic access
+type APIKey struct {
+	ID        string     `json:"id" db:"id"`
+	KeyHash   string     `json:"-" db:"key_hash"` // Hashed API key
+	Name      string     `json:"name" db:"name"`
+	UserID    string     `json:"user_id" db:"user_id"`
+	CreatedAt time.Time  `json:"created_at" db:"created_at"`
+	ExpiresAt *time.Time `json:"expires_at,omitempty" db:"expires_at"`
+	LastUsed  *time.Time `json:"last_used,omitempty" db:"last_used"`
+}
--- a/internal/storage/database.go
+++ b/internal/storage/database.go
@@ -0,0 +1,346 @@
+package storage
+
+import (
+	"context"
+	"database/sql"
+	"fmt"
+	"time"
+
+	"github.com/bsf/orchard/internal/config"
+	"github.com/bsf/orchard/internal/models"
+	"github.com/google/uuid"
+	_ "github.com/lib/pq"
+)
+
+// Database handles all database operations
+type Database struct {
+	db *sql.DB
+}
+
+// NewDatabase creates a new database connection
+func NewDatabase(cfg *config.DatabaseConfig) (*Database, error) {
+	dsn := fmt.Sprintf("host=%s port=%d user=%s password=%s dbname=%s sslmode=%s",
+		cfg.Host, cfg.Port, cfg.User, cfg.Password, cfg.DBName, cfg.SSLMode)
+
+	db, err := sql.Open("postgres", dsn)
+	if err != nil {
+		return nil, fmt.Errorf("failed to connect to database: %w", err)
+	}
+
+	if err := db.Ping(); err != nil {
+		return nil, fmt.Errorf("failed to ping database: %w", err)
+	}
+
+	return &Database{db: db}, nil
+}
+
+// Close closes the database connection
+func (d *Database) Close() error {
+	return d.db.Close()
+}
+
+// Grove operations
+
+func (d *Database) CreateGrove(ctx context.Context, grove *models.Grove) error {
+	grove.ID = uuid.New().String()
+	grove.CreatedAt = time.Now()
+	grove.UpdatedAt = grove.CreatedAt
+
+	_, err := d.db.ExecContext(ctx, `
+		INSERT INTO groves (id, name, description, is_public, created_at, updated_at, created_by)
+		VALUES ($1, $2, $3, $4, $5, $6, $7)
+	`, grove.ID, grove.Name, grove.Description, grove.IsPublic, grove.CreatedAt, grove.UpdatedAt, grove.CreatedBy)
+
+	return err
+}
+
+func (d *Database) GetGrove(ctx context.Context, name string) (*models.Grove, error) {
+	var grove models.Grove
+	err := d.db.QueryRowContext(ctx, `
+		SELECT id, name, description, is_public, created_at, updated_at, created_by
+		FROM groves WHERE name = $1
+	`, name).Scan(&grove.ID, &grove.Name, &grove.Description, &grove.IsPublic,
+		&grove.CreatedAt, &grove.UpdatedAt, &grove.CreatedBy)
+
+	if err == sql.ErrNoRows {
+		return nil, nil
+	}
+	return &grove, err
+}
+
+func (d *Database) ListGroves(ctx context.Context, userID string) ([]*models.Grove, error) {
+	rows, err := d.db.QueryContext(ctx, `
+		SELECT g.id, g.name, g.description, g.is_public, g.created_at, g.updated_at, g.created_by
+		FROM groves g
+		LEFT JOIN access_permissions ap ON g.id = ap.grove_id AND ap.user_id = $1
+		WHERE g.is_public = true OR ap.user_id IS NOT NULL
+		ORDER BY g.name
+	`, userID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	var groves []*models.Grove
+	for rows.Next() {
+		var grove models.Grove
+		if err := rows.Scan(&grove.ID, &grove.Name, &grove.Description, &grove.IsPublic,
+			&grove.CreatedAt, &grove.UpdatedAt, &grove.CreatedBy); err != nil {
+			return nil, err
+		}
+		groves = append(groves, &grove)
+	}
+	return groves, nil
+}
+
+// Tree operations
+
+func (d *Database) CreateTree(ctx context.Context, tree *models.Tree) error {
+	tree.ID = uuid.New().String()
+	tree.CreatedAt = time.Now()
+	tree.UpdatedAt = tree.CreatedAt
+
+	_, err := d.db.ExecContext(ctx, `
+		INSERT INTO trees (id, grove_id, name, description, created_at, updated_at)
+		VALUES ($1, $2, $3, $4, $5, $6)
+	`, tree.ID, tree.GroveID, tree.Name, tree.Description, tree.CreatedAt, tree.UpdatedAt)
+
+	return err
+}
+
+func (d *Database) GetTree(ctx context.Context, groveID, name string) (*models.Tree, error) {
+	var tree models.Tree
+	err := d.db.QueryRowContext(ctx, `
+		SELECT id, grove_id, name, description, created_at, updated_at
+		FROM trees WHERE grove_id = $1 AND name = $2
+	`, groveID, name).Scan(&tree.ID, &tree.GroveID, &tree.Name, &tree.Description,
+		&tree.CreatedAt, &tree.UpdatedAt)
+
+	if err == sql.ErrNoRows {
+		return nil, nil
+	}
+	return &tree, err
+}
+
+func (d *Database) ListTrees(ctx context.Context, groveID string) ([]*models.Tree, error) {
+	rows, err := d.db.QueryContext(ctx, `
+		SELECT id, grove_id, name, description, created_at, updated_at
+		FROM trees WHERE grove_id = $1
+		ORDER BY name
+	`, groveID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	var trees []*models.Tree
+	for rows.Next() {
+		var tree models.Tree
+		if err := rows.Scan(&tree.ID, &tree.GroveID, &tree.Name, &tree.Description,
+			&tree.CreatedAt, &tree.UpdatedAt); err != nil {
+			return nil, err
+		}
+		trees = append(trees, &tree)
+	}
+	return trees, nil
+}
+
+// Fruit operations
+
+func (d *Database) CreateFruit(ctx context.Context, fruit *models.Fruit) error {
+	fruit.CreatedAt = time.Now()
+	fruit.RefCount = 1
+
+	_, err := d.db.ExecContext(ctx, `
+		INSERT INTO fruits (id, size, content_type, original_name, created_at, created_by, ref_count, s3_key)
+		VALUES ($1, $2, $3, $4, $5, $6, $7, $8)
+		ON CONFLICT (id) DO UPDATE SET ref_count = fruits.ref_count + 1
+	`, fruit.ID, fruit.Size, fruit.ContentType, fruit.OriginalName,
+		fruit.CreatedAt, fruit.CreatedBy, fruit.RefCount, fruit.S3Key)
+
+	return err
+}
+
+func (d *Database) GetFruit(ctx context.Context, id string) (*models.Fruit, error) {
+	var fruit models.Fruit
+	err := d.db.QueryRowContext(ctx, `
+		SELECT id, size, content_type, original_name, created_at, created_by, ref_count, s3_key
+		FROM fruits WHERE id = $1
+	`, id).Scan(&fruit.ID, &fruit.Size, &fruit.ContentType, &fruit.OriginalName,
+		&fruit.CreatedAt, &fruit.CreatedBy, &fruit.RefCount, &fruit.S3Key)
+
+	if err == sql.ErrNoRows {
+		return nil, nil
+	}
+	return &fruit, err
+}
+
+// Graft operations
+
+func (d *Database) CreateGraft(ctx context.Context, graft *models.Graft) error {
+	graft.ID = uuid.New().String()
+	graft.CreatedAt = time.Now()
+
+	_, err := d.db.ExecContext(ctx, `
+		INSERT INTO grafts (id, tree_id, name, fruit_id, created_at, created_by)
+		VALUES ($1, $2, $3, $4, $5, $6)
+		ON CONFLICT (tree_id, name) DO UPDATE SET fruit_id = $4, created_at = $5, created_by = $6
+	`, graft.ID, graft.TreeID, graft.Name, graft.FruitID, graft.CreatedAt, graft.CreatedBy)
+
+	return err
+}
+
+func (d *Database) GetGraft(ctx context.Context, treeID, name string) (*models.Graft, error) {
+	var graft models.Graft
+	err := d.db.QueryRowContext(ctx, `
+		SELECT id, tree_id, name, fruit_id, created_at, created_by
+		FROM grafts WHERE tree_id = $1 AND name = $2
+	`, treeID, name).Scan(&graft.ID, &graft.TreeID, &graft.Name, &graft.FruitID,
+		&graft.CreatedAt, &graft.CreatedBy)
+
+	if err == sql.ErrNoRows {
+		return nil, nil
+	}
+	return &graft, err
+}
+
+func (d *Database) ListGrafts(ctx context.Context, treeID string) ([]*models.Graft, error) {
+	rows, err := d.db.QueryContext(ctx, `
+		SELECT id, tree_id, name, fruit_id, created_at, created_by
+		FROM grafts WHERE tree_id = $1
+		ORDER BY name
+	`, treeID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	var grafts []*models.Graft
+	for rows.Next() {
+		var graft models.Graft
+		if err := rows.Scan(&graft.ID, &graft.TreeID, &graft.Name, &graft.FruitID,
+			&graft.CreatedAt, &graft.CreatedBy); err != nil {
+			return nil, err
+		}
+		grafts = append(grafts, &graft)
+	}
+	return grafts, nil
+}
+
+// Harvest operations
+
+func (d *Database) CreateHarvest(ctx context.Context, harvest *models.Harvest) error {
+	harvest.ID = uuid.New().String()
+	harvest.HarvestedAt = time.Now()
+
+	_, err := d.db.ExecContext(ctx, `
+		INSERT INTO harvests (id, fruit_id, tree_id, original_name, harvested_at, harvested_by, source_ip)
+		VALUES ($1, $2, $3, $4, $5, $6, $7)
+	`, harvest.ID, harvest.FruitID, harvest.TreeID, harvest.OriginalName,
+		harvest.HarvestedAt, harvest.HarvestedBy, harvest.SourceIP)
+
+	return err
+}
+
+// Audit operations
+
+func (d *Database) CreateAuditLog(ctx context.Context, log *models.AuditLog) error {
+	log.ID = uuid.New().String()
+	log.Timestamp = time.Now()
+
+	_, err := d.db.ExecContext(ctx, `
+		INSERT INTO audit_logs (id, action, resource, user_id, details, timestamp, source_ip)
+		VALUES ($1, $2, $3, $4, $5, $6, $7)
+	`, log.ID, log.Action, log.Resource, log.UserID, log.Details, log.Timestamp, log.SourceIP)
+
+	return err
+}
+
+// Access control operations
+
+func (d *Database) CheckAccess(ctx context.Context, groveID, userID, requiredLevel string) (bool, error) {
+	// Check if grove is public (read access for everyone)
+	var isPublic bool
+	err := d.db.QueryRowContext(ctx, `SELECT is_public FROM groves WHERE id = $1`, groveID).Scan(&isPublic)
+	if err != nil {
+		return false, err
+	}
+
+	if isPublic && requiredLevel == "read" {
+		return true, nil
+	}
+
+	// Check user-specific permissions
+	var level string
+	err = d.db.QueryRowContext(ctx, `
+		SELECT level FROM access_permissions
+		WHERE grove_id = $1 AND user_id = $2 AND (expires_at IS NULL OR expires_at > NOW())
+	`, groveID, userID).Scan(&level)
+
+	if err == sql.ErrNoRows {
+		return false, nil
+	}
+	if err != nil {
+		return false, err
+	}
+
+	// Check permission hierarchy: admin > write > read
+	switch requiredLevel {
+	case "read":
+		return true, nil
+	case "write":
+		return level == "write" || level == "admin", nil
+	case "admin":
+		return level == "admin", nil
+	}
+
+	return false, nil
+}
+
+func (d *Database) GrantAccess(ctx context.Context, perm *models.AccessPermission) error {
+	perm.ID = uuid.New().String()
+	perm.CreatedAt = time.Now()
+
+	_, err := d.db.ExecContext(ctx, `
+		INSERT INTO access_permissions (id, grove_id, user_id, level, created_at, expires_at)
+		VALUES ($1, $2, $3, $4, $5, $6)
+		ON CONFLICT (grove_id, user_id) DO UPDATE SET level = $4, expires_at = $6
+	`, perm.ID, perm.GroveID, perm.UserID, perm.Level, perm.CreatedAt, perm.ExpiresAt)
+
+	return err
+}
+
+// Consumer tracking
+
+func (d *Database) TrackConsumer(ctx context.Context, treeID, projectURL string) error {
+	_, err := d.db.ExecContext(ctx, `
+		INSERT INTO consumers (id, tree_id, project_url, last_access, created_at)
+		VALUES ($1, $2, $3, NOW(), NOW())
+		ON CONFLICT (tree_id, project_url) DO UPDATE SET last_access = NOW()
+	`, uuid.New().String(), treeID, projectURL)
+
+	return err
+}
+
+func (d *Database) GetConsumers(ctx context.Context, treeID string) ([]*models.Consumer, error) {
+	rows, err := d.db.QueryContext(ctx, `
+		SELECT id, tree_id, project_url, last_access, created_at
+		FROM consumers WHERE tree_id = $1
+		ORDER BY last_access DESC
+	`, treeID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	var consumers []*models.Consumer
+	for rows.Next() {
+		var consumer models.Consumer
+		if err := rows.Scan(&consumer.ID, &consumer.TreeID, &consumer.ProjectURL,
+			&consumer.LastAccess, &consumer.CreatedAt); err != nil {
+			return nil, err
+		}
+		consumers = append(consumers, &consumer)
+	}
+	return consumers, nil
+}
--- a/internal/storage/s3.go
+++ b/internal/storage/s3.go
@@ -0,0 +1,158 @@
+package storage
+
+import (
+	"bytes"
+	"context"
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"io"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/credentials"
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	orchardconfig "github.com/bsf/orchard/internal/config"
+)
+
+// S3Storage implements content-addressable storage using S3
+type S3Storage struct {
+	client *s3.Client
+	bucket string
+}
+
+// NewS3Storage creates a new S3 storage backend
+func NewS3Storage(cfg *orchardconfig.S3Config) (*S3Storage, error) {
+	customResolver := aws.EndpointResolverWithOptionsFunc(func(service, region string, options ...interface{}) (aws.Endpoint, error) {
+		if cfg.Endpoint != "" {
+			return aws.Endpoint{
+				URL:               cfg.Endpoint,
+				HostnameImmutable: true,
+			}, nil
+		}
+		return aws.Endpoint{}, &aws.EndpointNotFoundError{}
+	})
+
+	awsCfg, err := config.LoadDefaultConfig(context.Background(),
+		config.WithRegion(cfg.Region),
+		config.WithEndpointResolverWithOptions(customResolver),
+		config.WithCredentialsProvider(credentials.NewStaticCredentialsProvider(
+			cfg.AccessKeyID,
+			cfg.SecretAccessKey,
+			"",
+		)),
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load AWS config: %w", err)
+	}
+
+	client := s3.NewFromConfig(awsCfg, func(o *s3.Options) {
+		o.UsePathStyle = cfg.UsePathStyle
+	})
+
+	return &S3Storage{
+		client: client,
+		bucket: cfg.Bucket,
+	}, nil
+}
+
+// hashToKey converts a SHA256 hash to an S3 object key
+// Uses directory structure: ab/cd/abcdef123...
+func hashToKey(hash string) string {
+	if len(hash) < 4 {
+		return hash
+	}
+	return fmt.Sprintf("%s/%s/%s", hash[:2], hash[2:4], hash)
+}
+
+// Store uploads content to S3 and returns the SHA256 hash
+func (s *S3Storage) Store(ctx context.Context, reader io.Reader) (string, int64, error) {
+	// Read all content into memory to compute hash and enable seeking
+	data, err := io.ReadAll(reader)
+	if err != nil {
+		return "", 0, fmt.Errorf("failed to read content: %w", err)
+	}
+
+	size := int64(len(data))
+
+	// Compute SHA256 hash
+	hasher := sha256.New()
+	hasher.Write(data)
+	hash := hex.EncodeToString(hasher.Sum(nil))
+	finalKey := hashToKey(hash)
+
+	// Check if object already exists (deduplication)
+	_, err = s.client.HeadObject(ctx, &s3.HeadObjectInput{
+		Bucket: aws.String(s.bucket),
+		Key:    aws.String(finalKey),
+	})
+	if err == nil {
+		// Object already exists, return existing hash (deduplication)
+		return hash, size, nil
+	}
+
+	// Upload to final location
+	_, err = s.client.PutObject(ctx, &s3.PutObjectInput{
+		Bucket:        aws.String(s.bucket),
+		Key:           aws.String(finalKey),
+		Body:          bytes.NewReader(data),
+		ContentLength: aws.Int64(size),
+	})
+	if err != nil {
+		return "", 0, fmt.Errorf("failed to upload to S3: %w", err)
+	}
+
+	return hash, size, nil
+}
+
+// Retrieve downloads content by SHA256 hash
+func (s *S3Storage) Retrieve(ctx context.Context, hash string) (io.ReadCloser, error) {
+	key := hashToKey(hash)
+
+	result, err := s.client.GetObject(ctx, &s3.GetObjectInput{
+		Bucket: aws.String(s.bucket),
+		Key:    aws.String(key),
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to retrieve object: %w", err)
+	}
+
+	return result.Body, nil
+}
+
+// Exists checks if a fruit exists by hash
+func (s *S3Storage) Exists(ctx context.Context, hash string) (bool, error) {
+	key := hashToKey(hash)
+
+	_, err := s.client.HeadObject(ctx, &s3.HeadObjectInput{
+		Bucket: aws.String(s.bucket),
+		Key:    aws.String(key),
+	})
+	if err != nil {
+		return false, nil
+	}
+	return true, nil
+}
+
+// GetSize returns the size of a stored object
+func (s *S3Storage) GetSize(ctx context.Context, hash string) (int64, error) {
+	key := hashToKey(hash)
+
+	result, err := s.client.HeadObject(ctx, &s3.HeadObjectInput{
+		Bucket: aws.String(s.bucket),
+		Key:    aws.String(key),
+	})
+	if err != nil {
+		return 0, fmt.Errorf("failed to get object metadata: %w", err)
+	}
+
+	return *result.ContentLength, nil
+}
+
+// generateTempID creates a unique temporary ID
+func generateTempID() string {
+	b := make([]byte, 16)
+	rand.Read(b)
+	return hex.EncodeToString(b)
+}