SpecterOps · mykeelium · May 20, 2026 · May 20, 2026 · May 20, 2026 · May 20, 2026
diff --git a/cmd/api/src/bootstrap/initializer.go b/cmd/api/src/bootstrap/initializer.go
@@ -18,6 +18,7 @@ package bootstrap
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"log/slog"
 
@@ -33,20 +34,23 @@ type DatabaseConnections[DBType database.Database, GraphType graph.Database] str
 }
 
 type DatabaseConstructor[DBType database.Database, GraphType graph.Database] func(ctx context.Context, cfg config.Configuration) (DatabaseConnections[DBType, GraphType], error)
-type InitializerLogic[DBType database.Database, GraphType graph.Database] func(ctx context.Context, cfg config.Configuration, databaseConnections DatabaseConnections[DBType, GraphType]) ([]daemons.Daemon, error)
+type RuntimeDependenciesConstructor[DBType database.Database, GraphType graph.Database] func(ctx context.Context, cfg config.Configuration, databaseConnections DatabaseConnections[DBType, GraphType]) (RuntimeDependencies, error)
+type InitializerLogic[DBType database.Database, GraphType graph.Database] func(ctx context.Context, cfg config.Configuration, databaseConnections DatabaseConnections[DBType, GraphType], dependencies RuntimeDependencies) ([]daemons.Daemon, error)
 
 type Initializer[DBType database.Database, GraphType graph.Database] struct {
 	Configuration       config.Configuration
+	DBConnector         DatabaseConstructor[DBType, GraphType]
+	RuntimeDependencies RuntimeDependenciesConstructor[DBType, GraphType]
 	PreMigrationDaemons InitializerLogic[DBType, GraphType]
 	Entrypoint          InitializerLogic[DBType, GraphType]
-	DBConnector         DatabaseConstructor[DBType, GraphType]
 }
 
 func (s Initializer[DBType, GraphType]) Launch(parentCtx context.Context, handleSignals bool) error {
 	var (
 		ctx                 = parentCtx
 		daemonManager       = daemons.NewManager(DefaultServerShutdownTimeout)
 		databaseConnections DatabaseConnections[DBType, GraphType]
+		runtimeDependencies RuntimeDependencies
 		err                 error
 	)
 
@@ -65,17 +69,25 @@ func (s Initializer[DBType, GraphType]) Launch(parentCtx context.Context, handle
 	defer databaseConnections.RDMS.Close(ctx)
 	defer databaseConnections.Graph.Close(ctx)
 
+	if s.RuntimeDependencies == nil {
+		return errors.New("runtime dependencies constructor is required")
+	}
+
+	if runtimeDependencies, err = s.RuntimeDependencies(ctx, s.Configuration, databaseConnections); err != nil {
+		return fmt.Errorf("failed to initialize runtime dependencies: %w", err)
+	}
+
 	// Daemons that start prior to blocking db migration
 	if s.PreMigrationDaemons != nil {
-		if daemonInstances, err := s.PreMigrationDaemons(ctx, s.Configuration, databaseConnections); err != nil {
+		if daemonInstances, err := s.PreMigrationDaemons(ctx, s.Configuration, databaseConnections, runtimeDependencies); err != nil {
 			return fmt.Errorf("failed to start services: %w", err)
 		} else {
 			daemonManager.Start(ctx, daemonInstances...)
 		}
 	}
 
 	// Daemons that start after blocking db migration
-	if daemonInstances, err := s.Entrypoint(ctx, s.Configuration, databaseConnections); err != nil {
+	if daemonInstances, err := s.Entrypoint(ctx, s.Configuration, databaseConnections, runtimeDependencies); err != nil {
 		return fmt.Errorf("failed to start services: %w", err)
 	} else {
 		daemonManager.Start(ctx, daemonInstances...)

diff --git a/cmd/api/src/bootstrap/server_test.go b/cmd/api/src/bootstrap/server_test.go
@@ -17,6 +17,8 @@
 package bootstrap_test
 
 import (
+	"os"
+	"path/filepath"
 	"testing"
 
 	"github.com/specterops/bloodhound/cmd/api/src/bootstrap"
@@ -71,3 +73,36 @@ func TestFillAndPopulateDefaultAdminInfo(t *testing.T) {
 		require.NotEqual(t, "", cfg.PrincipalName)
 	}
 }
+
+func TestEnsureServerDirectoriesCreatesRequiredDirectories(t *testing.T) {
+	t.Parallel()
+
+	var (
+		rootDirectory = t.TempDir()
+		cfg           = config.Configuration{
+			WorkDir:            filepath.Join(rootDirectory, "work"),
+			CollectorsBasePath: filepath.Join(rootDirectory, "collectors"),
+		}
+	)
+
+	require.NoError(t, bootstrap.EnsureServerDirectories(cfg))
+
+	for _, directory := range []string{
+		cfg.WorkDir,
+		cfg.TempDirectory(),
+		cfg.ScratchDirectory(),
+		cfg.RetainedFilesDirectory(),
+		cfg.ClientLogDirectory(),
+		cfg.CollectorsDirectory(),
+	} {
+		requireDirectoryExists(t, directory)
+	}
+}
+
+func requireDirectoryExists(t *testing.T, path string) {
+	t.Helper()
+
+	info, err := os.Stat(path)
+	require.NoError(t, err)
+	require.True(t, info.IsDir())
+}
diff --git a/cmd/api/src/bootstrap/util.go b/cmd/api/src/bootstrap/util.go
@@ -25,13 +25,22 @@ import (
 	"github.com/jackc/pgx/v5/pgxpool"
 	"github.com/specterops/bloodhound/cmd/api/src/api/tools"
 	"github.com/specterops/bloodhound/cmd/api/src/config"
+	"github.com/specterops/bloodhound/cmd/api/src/services/storage"
 	"github.com/specterops/dawgs"
 	"github.com/specterops/dawgs/drivers/neo4j"
 	"github.com/specterops/dawgs/drivers/pg"
 	"github.com/specterops/dawgs/graph"
 	"github.com/specterops/dawgs/util/size"
 )
 
+// RuntimeDependencies holds values that must be created before the entrypoint starts. For instance
+// IngestControl is reliant on the FileService. In order for the pre-migration toolapi to have
+// access to the FileServiceRetained, the FileServiceResolver is created prior to the
+// PreMigrationDaemons and the Entrypoint. This could then be passed in.
+type RuntimeDependencies struct {
+	FileServiceResolver storage.FileServiceResolver
+}
+
 func ensureDirectory(path string) error {
 	if _, err := os.Stat(path); err != nil {
 		if !os.IsNotExist(err) {
@@ -57,6 +66,10 @@ func EnsureServerDirectories(cfg config.Configuration) error {
 		return err
 	}
 
+	if err := ensureDirectory(cfg.ScratchDirectory()); err != nil {
+		return err
+	}
+
 	if err := ensureDirectory(cfg.RetainedFilesDirectory()); err != nil {
 		return err
 	}

diff --git a/cmd/api/src/cmd/bhapi/main.go b/cmd/api/src/cmd/bhapi/main.go
@@ -128,6 +128,7 @@ func main() {
 	initializer := bootstrap.Initializer[*database.BloodhoundDB, *graph.DatabaseSwitch]{
 		Configuration:       cfg,
 		DBConnector:         services.ConnectDatabases,
+		RuntimeDependencies: services.CreateRuntimeDependencies,
 		PreMigrationDaemons: services.PreMigrationDaemons,
 		Entrypoint:          services.Entrypoint,
 	}

diff --git a/cmd/api/src/config/config.go b/cmd/api/src/config/config.go
@@ -146,6 +146,10 @@ type Configuration struct {
 	EnableAuditLogStdout            bool                        `json:"enable_audit_log_stdout"`
 }
 
+func (s Configuration) ScratchDirectory() string {
+	return filepath.Join(s.WorkDir, "ingest_scratch")
+}
+
 func (s Configuration) TempDirectory() string {
 	return filepath.Join(s.WorkDir, "tmp")
 }

diff --git a/cmd/api/src/services/entrypoint.go b/cmd/api/src/services/entrypoint.go
@@ -41,6 +41,7 @@ import (
 	"github.com/specterops/bloodhound/cmd/api/src/queries"
 	"github.com/specterops/bloodhound/cmd/api/src/services/dogtags"
 	"github.com/specterops/bloodhound/cmd/api/src/services/opengraphschema"
+	"github.com/specterops/bloodhound/cmd/api/src/services/storage"
 	"github.com/specterops/bloodhound/cmd/api/src/services/upload"
 	"github.com/specterops/bloodhound/packages/go/bhlog/attr"
 	"github.com/specterops/bloodhound/packages/go/cache"
@@ -74,14 +75,33 @@ func ConnectDatabases(ctx context.Context, cfg config.Configuration) (bootstrap.
 	}
 }
 
+// CreateRuntimeDependencies creates the needed dependencies prior to migration. For instance, the FileService is needed for
+// IngestControl which occurs prior to migration. This function can be used to make the struct to contain the services that
+// are necessary for the application.
+func CreateRuntimeDependencies(ctx context.Context, cfg config.Configuration, connections bootstrap.DatabaseConnections[*database.BloodhoundDB, *graph.DatabaseSwitch]) (bootstrap.RuntimeDependencies, error) {
+	var dependencies = bootstrap.RuntimeDependencies{}
+	if fileServices, err := storage.NewDefaultFileServices(cfg); err != nil {
+		return dependencies, fmt.Errorf("failed to initialize file services: %w", err)
+	} else if fileServiceResolver, err := storage.NewFileServiceResolver(fileServices); err != nil {
+		return dependencies, fmt.Errorf("failed to initialize file service resolver: %w", err)
+		// The FileServiceRetained is necessary for the PreMigrationDaemons where it is used in IngestControl for Cleanup.
+		// Checking it here ensures we have the service prior to running the application.
+	} else if _, err := fileServiceResolver.Resolve(storage.FileServiceRetained); err != nil {
+		return dependencies, fmt.Errorf("failed to resolve retained file service: %w", err)
+	} else {
+		dependencies.FileServiceResolver = fileServiceResolver
+		return dependencies, nil
+	}
+}
+
 // PreMigrationDaemons Word of caution: These daemons will be launched prior to any migration starting
-func PreMigrationDaemons(ctx context.Context, cfg config.Configuration, connections bootstrap.DatabaseConnections[*database.BloodhoundDB, *graph.DatabaseSwitch]) ([]daemons.Daemon, error) {
+func PreMigrationDaemons(ctx context.Context, cfg config.Configuration, connections bootstrap.DatabaseConnections[*database.BloodhoundDB, *graph.DatabaseSwitch], dependencies bootstrap.RuntimeDependencies) ([]daemons.Daemon, error) {
 	return []daemons.Daemon{
 		toolapi.NewDaemon(ctx, connections, cfg, schema.DefaultGraphSchema()),
 	}, nil
 }
 
-func Entrypoint(ctx context.Context, cfg config.Configuration, connections bootstrap.DatabaseConnections[*database.BloodhoundDB, *graph.DatabaseSwitch]) ([]daemons.Daemon, error) {
+func Entrypoint(ctx context.Context, cfg config.Configuration, connections bootstrap.DatabaseConnections[*database.BloodhoundDB, *graph.DatabaseSwitch], dependencies bootstrap.RuntimeDependencies) ([]daemons.Daemon, error) {
 
 	dogtagsService := dogtags.NewDefaultService()
 

diff --git a/cmd/api/src/services/entrypoint_test.go b/cmd/api/src/services/entrypoint_test.go
@@ -0,0 +1,69 @@
+// Copyright 2026 Specter Ops, Inc.
+//
+// Licensed under the Apache License, Version 2.0
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package services_test
+
+import (
+	"context"
+	"path/filepath"
+	"testing"
+
+	"github.com/specterops/bloodhound/cmd/api/src/bootstrap"
+	"github.com/specterops/bloodhound/cmd/api/src/config"
+	"github.com/specterops/bloodhound/cmd/api/src/database"
+	"github.com/specterops/bloodhound/cmd/api/src/services"
+	"github.com/specterops/bloodhound/cmd/api/src/services/storage"
+	"github.com/specterops/dawgs/graph"
+	"github.com/stretchr/testify/require"
+)
+
+func runtimeDependencyTestConfig(t *testing.T) config.Configuration {
+	t.Helper()
+
+	rootDirectory := t.TempDir()
+
+	return config.Configuration{
+		WorkDir:            filepath.Join(rootDirectory, "work"),
+		CollectorsBasePath: filepath.Join(rootDirectory, "collectors"),
+	}
+}
+
+func TestCreateRuntimeDependenciesInitializesDefaultFileServices(t *testing.T) {
+	t.Parallel()
+
+	var (
+		cfg         = runtimeDependencyTestConfig(t)
+		connections = bootstrap.DatabaseConnections[*database.BloodhoundDB, *graph.DatabaseSwitch]{}
+	)
+
+	require.NoError(t, bootstrap.EnsureServerDirectories(cfg))
+
+	deps, err := services.CreateRuntimeDependencies(context.Background(), cfg, connections)
+
+	require.NoError(t, err)
+	require.NotNil(t, deps.FileServiceResolver)
+
+	for _, serviceName := range []storage.FileServiceName{
+		storage.FileServiceWork,
+		storage.FileServiceIngest,
+		storage.FileServiceRetained,
+		storage.FileServiceCollectors,
+	} {
+		fileService, err := deps.FileServiceResolver.Resolve(serviceName)
+		require.NoError(t, err)
+		require.NotNil(t, fileService)
+	}
+}