latch: a tiny JSON store with an audit log

Tiny HTTP JSON store over SQLite with append-only logs. Perfect as a sidecar for feature flags, tokens, caches, and webhooks.

Quickstart

Run

docker run --rm -p 8080:8080 ghcr.io/nendlabs/latch:latest

First write

curl -X POST \
+  -H "authorization: Bearer $TOKEN" \
+  -H "content-type: application/json" \
+  -d '{\"project\":\"demo\",\"type\":\"flag\",\"data\":{\"checkout\":true}}' \
+  http://localhost:8080/v1/entities

Latest nightly dev · tag nightly · generated Jan 1, 2024

Operational snapshot

  • Append-only log

    Every write lands in SQLite and is recorded in an audit log.

  • Token-scoped access

    Bootstrap tokens with projects baked in; access stays contained.

  • Ship it in minutes

    Run one binary, point at durable storage. No control plane.

Why latch exists

Every team eventually hides critical state in environment variables, JSON blobs in S3, or ad-hoc SQLite files. latch turns that sprawl into a purpose-built service with a single binary, strict APIs, and a log you can trust.

How it behaves

Writes are append-only, scoped by project, and mirrored to SQLite. Each change is recorded in an audit log you can read via the API. Reads stay fast because the data set is intentionally tiny—feature flags, config payloads, secrets you want to rotate.

Operate it like a tool, not a platform

You run one process per environment, point it at durable disk, and hand out scoped tokens. No migrations to babysit, no queue of pending schema changes. The CLI ships with an interactive shell for day-two operations and drift inspection.

latch serve \
  --db-path ./data/latch.db \
  --port 8080 \
  --bootstrap-token ops-team=prod,staging

# Ship structured JSON with full history
curl -X POST \
  -H "authorization: Bearer $TOKEN" \
  -H "content-type: application/json" \
  -d '{"project":"demo","type":"feature","data":{"flag":"checkout","enabled":true}}' \
  "$LATCH_URL/v1/entities"

What you get out of the box

  • Tiny surface area

    A single `latch serve` process exposes a JSON HTTP API and an audit log. There are no background workers or surprise dependencies—only Go and SQLite, with optional Prometheus metrics and daily SQLite backups.

  • Project-scoped tokens

    Tokens are hashed at rest and bound to projects. Teams can self-serve tiny pieces of state without touching your primary database or begging for new tables.

  • Structured history

    Every write lands in an append-only log. Replay, diff, or pipe it into your analytics stack to see who flipped which flag at 3 AM.

  • CLI that doubles as a console

    Ship the same binary everywhere. `latch shell` gives you interactive CRUD, SQL access, and log queries without needing a bespoke admin dashboard.

API at a glance

Create JSON entities and list them with the same shape across the SDKs and HTTP API.

curl -X POST \
  -H "authorization: Bearer $TOKEN" \
  -H "content-type: application/json" \
  -d '{"project":"demo","type":"flag","data":{"checkout":true}}' \
  $LATCH_URL/v1/entities

curl -H "authorization: Bearer $TOKEN" \
  "$LATCH_URL/v1/entities?project=demo&type=flag"

Not a general database

  • Single-node SQLite under the hood—no HA or replicas.
  • Querying sticks to primary key + filters; no ad-hoc joins.
  • Designed for ~512KB per entity with receipts in the log.

Build a simple workflow

latch keeps the boring infrastructure around state boring. Point your services at a single endpoint, let SREs audit the log, and reserve brain cycles for features instead of yet another control plane.

  • 1. Capture

    Services POST JSON with a project and type. latch stores the document, versions it, and returns a stable key. No ORM, no migrations—just explicit payloads.

  • 2. Observe

    The append-only log records every mutation. Query it via the /v1/logs endpoint or inspect it with the shell when you need to answer who changed what.

  • 3. Operate

    Use the CLI or HTTP API to rotate tokens, patch config, and inspect data. Audit trails stay intact, so rollback is just another write.

Where latch shines

Feature Flags

Ship rollout logic without a bespoke toggles service. Store variants, rollbacks, and history in one place.

View recipe →

Webhook Inbox

Park inbound payloads safely, inspect them later, and replay with receipts when partners misfire.

View recipe →

Memoization Cache

Run worker jobs once, store the JSON result, and let other services fetch it without recomputation.

View recipe →

One-Time Tokens

Generate scoped secrets for CLIs or approvals, mark them used, and keep the audit trail forever.

View recipe →

Observability

Ship it with health checks, metrics, and guardrails baked in for every project.

  • /health endpoint for probes and schedulers.
  • /metrics exposes Prometheus counters and histograms.
  • Per-project rate limiting so shared clusters stay polite.

Prometheus

scrape_configs:
  - job_name: latch
    static_configs:
      - targets: ['latch.internal:8080']
    metrics_path: /metrics

Downloads

Nightly builds publish on every merge to main. Use the shell installer above or pull a binary for your platform.

Release metadata is still publishing. Refresh in a minute or fetch binaries directly from the downloads bucket.

Repository nendlabs/latch · Version dev · tag nightly · generated Jan 1, 2024