A community based topic aggregation platform built on atproto
bretton.dev
1# Communities PRD: Federated Forum System
2
3**Status:** In Development
4**Owner:** Platform Team
5**Last Updated:** 2025-10-10
6
7## Overview
8
9Coves communities are federated, instance-scoped forums built on atProto. Each community is identified by a scoped handle (`!gaming@coves.social`) and owns its own atProto repository, enabling true portability and decentralized governance.
10
11## Architecture Evolution
12
13### ✅ V2 Architecture (Current - 2025-10-10)
14
15**Communities own their own repositories:**
16- Each community has its own DID (`did:plc:xxx`)
17- Each community owns its own atProto repository (`at://community_did/...`)
18- Each community has its own PDS account (managed by Coves backend)
19- Communities are truly portable - can migrate between instances by updating DID document
20
21**Repository Structure:**
22```
23Repository: at://did:plc:community789/social.coves.community.profile/self
24Owner: did:plc:community789 (community owns itself)
25Hosted By: did:web:coves.social (instance manages credentials)
26```
27
28**Key Benefits:**
29- ✅ True atProto compliance (matches feed generators, labelers)
30- ✅ Portable URIs (never change when migrating instances)
31- ✅ Self-owned identity model
32- ✅ Standard rkey="self" for singleton profiles
33
34---
35
36## ✅ Completed Features (2025-10-10)
37
38### Core Infrastructure
39- [x] **V2 Architecture:** Communities own their own repositories
40- [x] **PDS Account Provisioning:** Automatic account creation for each community
41- [x] **Credential Management:** Secure storage of community PDS credentials
42- [x] **Encryption at Rest:** PostgreSQL pgcrypto for sensitive credentials
43- [x] **Write-Forward Pattern:** Service → PDS → Firehose → AppView
44- [x] **Jetstream Consumer:** Real-time indexing from firehose
45- [x] **V2 Validation:** Strict rkey="self" enforcement (no V1 compatibility)
46
47### Security & Data Protection
48- [x] **Encrypted Credentials:** Access/refresh tokens encrypted in database
49- [x] **Credential Persistence:** PDS credentials survive server restarts
50- [x] **JSON Exclusion:** Credentials never exposed in API responses (`json:"-"` tags)
51- [x] **Password Hashing:** bcrypt for PDS account passwords
52- [x] **Timeout Handling:** 30s timeout for write operations, 10s for reads
53
54### Database Schema
55- [x] **Communities Table:** Full metadata with V2 credential columns
56- [x] **Subscriptions Table:** Lightweight feed following
57- [x] **Memberships Table:** Active participation tracking
58- [x] **Moderation Table:** Local moderation actions
59- [x] **Encryption Keys Table:** Secure key management for pgcrypto
60- [x] **Indexes:** Optimized for search, visibility filtering, and lookups
61
62### Service Layer
63- [x] **CreateCommunity:** Provisions PDS account, creates record, persists credentials
64- [x] **UpdateCommunity:** Uses community's own credentials (not instance credentials)
65- [x] **GetCommunity:** Fetches from AppView DB with decrypted credentials
66- [x] **ListCommunities:** Pagination, filtering, sorting
67- [x] **SearchCommunities:** Full-text search on name/description
68- [x] **Subscribe/Unsubscribe:** Create subscription records
69- [x] **Handle Validation:** Scoped handle format (`!name@instance`)
70- [x] **DID Generation:** Uses `did:plc` for portability
71
72### Jetstream Consumer
73- [x] **Profile Events:** Create, update, delete community profiles
74- [x] **Subscription Events:** Index user subscriptions to communities
75- [x] **V2 Enforcement:** Reject non-"self" rkeys (no V1 communities)
76- [x] **Self-Ownership Validation:** Verify owner_did == did
77- [x] **Error Handling:** Graceful handling of malformed events
78
79### Testing Coverage
80- [x] **Integration Tests:** Full CRUD operations
81- [x] **Credential Tests:** Persistence, encryption, decryption
82- [x] **V2 Validation Tests:** Rkey enforcement, self-ownership
83- [x] **Consumer Tests:** Firehose event processing
84- [x] **Repository Tests:** Database operations
85- [x] **Unit Tests:** Service layer logic, timeout handling
86
87---
88
89## 🚧 In Progress / Needs Testing
90
91### XRPC API Endpoints
92**Status:** All core endpoints E2E tested! ✅
93
94**✅ E2E Tested (via community_e2e_test.go):**
95- [x] `social.coves.community.create` - Full E2E test with real PDS
96- [x] `social.coves.community.get` - E2E test validates HTTP endpoint
97- [x] `social.coves.community.list` - E2E test with pagination/filtering
98- [x] `social.coves.community.update` - E2E test verifies write-forward + PDS update
99- [x] `social.coves.community.subscribe` - E2E test verifies subscription in user's repo
100- [x] `social.coves.community.unsubscribe` - E2E test verifies PDS deletion
101
102**📍 Post-Alpha:**
103- [ ] `social.coves.community.search` - Handler exists, defer E2E testing to post-alpha
104
105**⚠️ Remaining Alpha Blocker:**
106- Replace placeholder auth (X-User-DID header) with OAuth context extraction across all endpoints
107
108---
109
110## ⚠️ Alpha Blockers (Must Complete Before Alpha Launch)
111
112### Critical Missing Features
113- [ ] **Subscription Visibility Level (1-5 Scale):** Implement feed slider from DOMAIN_KNOWLEDGE.md
114 - Lexicon: ✅ Ready ([subscription.json:28-34](internal/atproto/lexicon/social/coves/actor/subscription.json))
115 - Service: ❌ Not using `contentVisibility` field
116 - Handler: ❌ Subscribe endpoint doesn't accept/store visibility level
117 - **Impact:** Users can't control how much content they see from each community
118
119- [ ] **Community Blocking:** Users can block communities from their feeds
120 - Lexicon: ❌ Need new record type (extend `social.coves.actor.block` or create new)
121 - Service: ❌ No implementation (`BlockCommunity()` / `UnblockCommunity()`)
122 - Handler: ❌ No endpoints
123 - Repository: ❌ No methods
124 - **Impact:** Users have no way to hide unwanted communities
125
126### Critical Security (High Priority)
127- [ ] **OAuth Authentication:** Replace placeholder `X-User-DID` header with OAuth context
128 - **Currently affected endpoints:** create, update, subscribe, unsubscribe
129 - **See:** [PRD_BACKLOG.md P1 Priority](docs/PRD_BACKLOG.md#L42-L50)
130
131- [ ] **Token Refresh Logic:** Auto-refresh expired PDS access tokens
132 - **Impact:** Communities break after ~2 hours when tokens expire
133 - **See:** [PRD_BACKLOG.md P1 Priority](docs/PRD_BACKLOG.md#L31-L38)
134
135---
136
137## 📍 Beta Features (High Priority - Post Alpha)
138
139### Posts in Communities
140**Status:** Lexicon designed, implementation TODO
141**Priority:** HIGHEST for Beta 1
142
143- [ ] `social.coves.post` already has `community` field ✅
144- [ ] Create post endpoint (decide: membership validation?)
145- [ ] Feed generation for community posts
146- [ ] Post consumer (index community posts from firehose)
147- [ ] Community post count tracking
148- [ ] Decide membership requirements for posting
149
150**Without posts, communities exist but can't be used!**
151
152---
153
154## 📍 Beta Features (Lower Priority)
155
156### Membership System
157**Status:** Lexicon exists, design decisions needed
158**Deferred:** Answer design questions before implementing
159
160- [ ] Decide: Auto-join on first post vs explicit join?
161- [ ] Decide: Reputation tracking in lexicon vs AppView only?
162- [ ] Implement membership record creation (if explicit join)
163- [ ] Member lists endpoint
164- [ ] Reputation tracking (if in lexicon)
165
166### Community Management
167- [ ] **Community Deletion:** Soft delete / permanent delete
168- [ ] **Wiki System:** Lexicon exists, no implementation
169- [ ] **Advanced Rules:** Separate rules records, moderation config
170- [ ] **Moderator Management:** Assign/remove moderators (governance work)
171- [ ] **Categories:** REMOVE from lexicon and code (not needed)
172
173### User Features
174- [ ] **Saved Items:** Save posts/comments for later
175- [ ] **User Flairs:** Per-community user flair (design TBD)
176
177### Instance Moderation
178- [ ] **Delist Community:** Remove from search/directory
179- [ ] **Quarantine Community:** Show warning label
180- [ ] **Remove Community:** Hide from instance AppView
181- [ ] **Moderation Audit Log:** Track all moderation actions
182
183---
184
185## ⏳ TODO Before V1 Production Launch
186
187### Community Discovery & Visibility
188- [ ] **Visibility Enforcement:** Respect public/unlisted/private settings in listings
189- [ ] **Federation Config:** Honor `allowExternalDiscovery` flag
190- [ ] **Search Relevance:** Implement ranking algorithm (members, activity, etc.)
191- [ ] **Directory Endpoint:** Public community directory with filters
192- [ ] **Rate Limiting:** Prevent community creation spam (e.g., 5 per user per hour)
193- [ ] **Handle Collision Detection:** Prevent duplicate community handles
194- [ ] **DID Validation:** Verify DIDs before accepting create requests
195
196### Token Refresh & Resilience
197- [ ] **Retry Mechanism:** Retry failed PDS calls with backoff
198- [ ] **Credential Rotation:** Periodic password rotation for security
199- [ ] **Error Recovery:** Graceful degradation if PDS is unavailable
200
201### Performance & Scaling
202- [ ] **Database Indexes:** Verify all common queries are indexed
203- [ ] **Query Optimization:** Review N+1 query patterns
204- [ ] **Caching Strategy:** Cache frequently accessed communities
205- [ ] **Pagination Limits:** Enforce max results per request
206- [ ] **Connection Pooling:** Optimize PDS HTTP client reuse
207
208### Documentation & Deployment
209- [ ] **API Documentation:** OpenAPI/Swagger specs for all endpoints
210- [ ] **Deployment Guide:** Production setup instructions
211- [ ] **Migration Guide:** How to upgrade from test to production
212- [ ] **Monitoring Guide:** Metrics and alerting setup
213- [ ] **Security Checklist:** Pre-launch security audit
214
215### Infrastructure & DNS
216- [ ] **DNS Wildcard Setup:** Configure `*.communities.coves.social` for community handle resolution
217- [ ] **Well-Known Endpoint:** Implement `.well-known/atproto-did` handler for `*.communities.coves.social` subdomains
218
219---
220
221## Out of Scope (Future Versions)
222
223### V3: Federation & Discovery
224- [ ] Cross-instance community search
225- [ ] Federated moderation signals
226- [ ] Trust networks between instances
227- [ ] Moderation signal subscription
228
229### V4: Community Governance
230- [ ] Community-owned governance (voting on moderators)
231- [ ] Migration voting (community votes to move instances)
232- [ ] Custom domain DIDs (`did:web:gaming.community`)
233- [ ] Governance thresholds and time locks
234
235---
236
237## Recent Critical Fixes (2025-10-10)
238
239### Security & Credential Management
240**Issue:** PDS credentials were created but never persisted
241**Fix:** Service layer now immediately persists credentials via `repo.Create()`
242**Impact:** Communities can now be updated after creation (credentials survive restarts)
243
244**Issue:** Credentials stored in plaintext in PostgreSQL
245**Fix:** Added pgcrypto encryption for access/refresh tokens
246**Impact:** Database compromise no longer exposes active tokens
247
248**Issue:** UpdateCommunity used instance credentials instead of community credentials
249**Fix:** Changed to use `existing.DID` and `existing.PDSAccessToken`
250**Impact:** Updates now correctly authenticate as the community itself
251
252### V2 Architecture Enforcement
253**Issue:** Consumer accepted V1 communities with TID-based rkeys
254**Fix:** Strict validation - only rkey="self" accepted
255**Impact:** No legacy V1 data in production
256
257**Issue:** PDS write operations timed out (10s too short)
258**Fix:** Dynamic timeout - writes get 30s, reads get 10s
259**Impact:** Community creation no longer fails on slow PDS operations
260
261---
262
263## Lexicon Summary
264
265### `social.coves.community.profile`
266**Status:** ✅ Implemented and tested
267
268**Required Fields:**
269- `handle` - atProto handle (DNS-resolvable, e.g., `gaming.communities.coves.social`)
270- `name` - Short community name for !mentions (e.g., `gaming`)
271- `createdBy` - DID of user who created community
272- `hostedBy` - DID of hosting instance
273- `visibility` - `"public"`, `"unlisted"`, or `"private"`
274- `federation.allowExternalDiscovery` - Boolean
275
276**Note:** The `!gaming@coves.social` format is derived client-side from `name` + instance for UI display. The `handle` field contains only the DNS-resolvable atProto handle.
277
278**Optional Fields:**
279- `displayName` - Display name for UI
280- `description` - Community description
281- `descriptionFacets` - Rich text annotations
282- `avatar` - Blob reference for avatar image
283- `banner` - Blob reference for banner image
284- `moderationType` - `"moderator"` or `"sortition"`
285- `contentWarnings` - Array of content warning types
286- `memberCount` - Cached count
287- `subscriberCount` - Cached count
288
289### `social.coves.community.subscription`
290**Status:** ✅ Schema exists, consumer TODO
291
292**Fields:**
293- `community` - DID of community being subscribed to
294- `subscribedAt` - Timestamp
295
296### `social.coves.post` (Community Extension)
297**Status:** ⏳ TODO
298
299**New Field:**
300- `community` - Optional DID of community this post belongs to
301
302---
303
304## Success Metrics
305
306### Pre-Launch Checklist
307- [ ] All XRPC endpoints have E2E tests
308- [ ] OAuth authentication working on all protected endpoints
309- [ ] Rate limiting prevents abuse
310- [ ] Communities can be created, updated, searched, and subscribed to
311- [ ] Jetstream consumer indexes events in < 1 second
312- [ ] Database handles 10,000+ communities without performance issues
313- [ ] Security audit completed
314
315### V1 Launch Goals
316- Communities can be created with scoped handles
317- Posts can be made to communities (when implemented)
318- Community discovery works on local instance
319- All three visibility levels function correctly
320- Basic moderation (delist/remove) works
321
322---
323
324## Technical Decisions Log
325
326### 2025-10-11: Single Handle Field (atProto-Compliant)
327**Decision:** Use single `handle` field containing DNS-resolvable atProto handle; remove `atprotoHandle` field
328
329**Rationale:**
330- Matches Bluesky pattern: `app.bsky.actor.profile` has one `handle` field
331- Reduces confusion about which handle is "real"
332- Simplifies lexicon (one field vs two)
333- `!gaming@coves.social` display format is client-side UX concern, not protocol concern
334- Follows separation of concerns: protocol layer uses DNS handles, UI layer formats for display
335
336**Implementation:**
337- Lexicon: `handle` = `gaming.communities.coves.social` (DNS-resolvable)
338- Client derives display: `!${name}@${instance}` from `name` + parsed instance
339- Rich text facets can encode community mentions with `!` prefix for UX
340
341**Trade-offs Accepted:**
342- Clients must parse/format for display (but already do this for `@user` mentions)
343- No explicit "display handle" in record (but `displayName` serves this purpose)
344
345---
346
347### 2025-10-10: V2 Architecture Completed
348- Migrated from instance-owned to community-owned repositories
349- Each community now has own PDS account
350- Credentials encrypted at rest using pgcrypto
351- Strict V2 enforcement (no V1 compatibility)
352
353### 2025-10-08: DID Architecture & atProto Compliance
354- Migrated from `did:coves` to `did:plc` (portable DIDs)
355- Added required `did` field to lexicon
356- Fixed critical `record_uri` bug
357- Matches Bluesky feed generator pattern
358
359---
360
361## References
362
363- atProto Lexicon Spec: https://atproto.com/specs/lexicon
364- DID Web Spec: https://w3c-ccg.github.io/did-method-web/
365- Bluesky Handle System: https://atproto.com/specs/handle
366- PLC Directory: https://plc.directory