Database as source of truth
Cotton treats the database as the authority for whether a storage object is alive. A backend object by itself is not a durable product reference; the product needs explicit metadata that says why that object must survive.
- File manifests and manifest chunks keep visible file content alive.
- Snapshots, versions, shares, and trash can retain references after the current layout changes.
- The cleanup job can reason about live content without trusting raw backend listing alone.
Live references are bigger than files
A file cloud stores more than uploaded files. Preview objects, user avatars, protected database backup artifacts, and bootstrap artifacts such as the encrypted master-key sentinel also need retention paths.
- Previews and avatars are storage-backed product surfaces.
- Latest backup pointer, backup manifest, and backup chunks can protect restore artifacts.
- The encrypted master-key sentinel must survive because it protects unlock continuity.
Not every row retains content
ChunkOwnership helps ingestion and concurrency, but it is not a durable retention reference. That distinction matters because an upload coordination guard should not accidentally keep physical bytes alive forever.
Orphans are scheduled, not instantly destroyed
Cotton can register raw backend objects as orphan chunk rows so garbage collection can schedule them. Reclaim is delayed and references are checked again before deletion, so objects that become live again are left alone.
Ingest and GC cooperate
If a chunk is being deleted, ingest does not blindly race a re-upload of the same chunk. The safer behavior is to hold or refuse the conflicting write until the delete completes, then reconcile from a known state.
Feature registration rule
New storage-backed features need to write through the normal chunk and manifest flow, or add an explicit protection path that the chunk usage service understands. If GC cannot see the reference, the object is eligible for reclaim after the retention window.
Lifetime proof
The lifetime contract is concrete: live file chunks, preview objects, avatars, backup artifacts, the encrypted sentinel, orphan scheduling, retention windows, and final rechecks all feed the reclaim decision.
Reclaim should be boring
The storage win is not dramatic deletion. It is predictable deletion. Cotton is built so storage cleanup behaves like an operating discipline, not a dangerous background guess.
The cost of being careful
Cautious reclaim means more metadata discipline and delayed deletion. That is the right tradeoff for a file cloud where snapshots, previews, shares, backup artifacts, and integrity checks all depend on storage references staying honest.