bretton.dev / coves
A community based topic aggregation platform built on atproto
fork atom
coves / docs / PRD_ALPHA_GO_LIVE.md
at main 23 kB view raw view rendered
1# Alpha Go-Live Readiness PRD 2 3**Status**: Pre-Alpha → **E2E Testing Complete** 🎉 4**Target**: Alpha launch with real users 5**Last Updated**: 2025-11-16 6 7## 🎯 Major Progress Update 8 9**✅ ALL E2E TESTS COMPLETE!** (Completed 2025-11-16) 10**✅ BIDIRECTIONAL DID VERIFICATION COMPLETE!** (Completed 2025-11-16) 11 12All 6 critical E2E test suites have been implemented and are passing: 13- ✅ Full User Journey (signup → community → post → comment → vote) 14- ✅ Blob Upload (image uploads, PDS integration, validation) 15- ✅ Multi-Community Timeline (feed aggregation, sorting, pagination) 16- ✅ Concurrent Scenarios (race condition testing with database verification) 17- ✅ Rate Limiting (100 req/min general, 20 req/min comments, 10 posts/hour aggregators) 18- ✅ Error Recovery (Jetstream retry, PDS unavailability, malformed events) 19 20**Time Saved**: ~7-12 hours through parallel agent implementation 21**Test Quality**: Enhanced with comprehensive database record verification to catch race conditions 22 23### Production Deployment Requirements 24 25**Architecture**: 26- **AppView Domain**: coves.social (instance identity, API, frontend) 27- **PDS Domain**: coves.me (separate domain required - cannot be same as AppView) 28- **Community Handles**: Use @coves.social (AppView domain) 29- **Jetstream**: Connects to Bluesky's production firehose (wss://jetstream2.us-east.bsky.network) 30 31**Required: .well-known/did.json at coves.social**: 32```json 33{ 34 "id": "did:web:coves.social", 35 "alsoKnownAs": ["at://coves.social"], 36 "verificationMethod": [ 37 { 38 "id": "did:web:coves.social#atproto", 39 "type": "Multikey", 40 "controller": "did:web:coves.social", 41 "publicKeyMultibase": "z..." 42 } 43 ], 44 "service": [ 45 { 46 "id": "#atproto_pds", 47 "type": "AtprotoPersonalDataServer", 48 "serviceEndpoint": "https://coves.me" 49 } 50 ] 51} 52``` 53 54**Environment Variables**: 55- AppView: 56 - `INSTANCE_DID=did:web:coves.social` 57 - `INSTANCE_DOMAIN=coves.social` 58 - `PDS_URL=https://coves.me` (separate domain) 59 - `SKIP_DID_WEB_VERIFICATION=false` (production) 60 - `JETSTREAM_URL=wss://jetstream2.us-east.bsky.network/subscribe` 61 62**Verification**: 63- `curl https://coves.social/.well-known/did.json` (should return DID document) 64- `curl https://coves.me/xrpc/_health` (PDS health check) 65 66## Overview 67 68This document tracks the remaining work required to launch Coves alpha with real users. Focus is on critical functionality, security, and operational readiness. 69 70--- 71 72## P0: Critical Blockers (Must Complete Before Alpha) 73 74### 1. Authentication & Security 75 76#### Production PDS Deployment 77**CRITICAL**: PDS must be on separate domain from AppView (coves.me, not coves.social) 78 79- [ ] Deploy PDS to coves.me domain 80 - [ ] Set up DNS: A record for coves.me → server IP 81 - [ ] Configure SSL certificate for coves.me 82 - [ ] Deploy PDS container/service on port 2583 83 - [ ] Configure nginx/Caddy reverse proxy for coves.me → localhost:2583 84 - [ ] Set PDS_HOSTNAME=coves.me in PDS environment 85 - [ ] Mount persistent volume for PDS data (/pds/data) 86- [ ] Verify PDS connectivity 87 - [ ] Test: `curl https://coves.me/xrpc/_health` 88 - [ ] Create test community account on PDS 89 - [ ] Verify JWKS endpoint: `curl https://coves.me/.well-known/jwks.json` 90 - [ ] Test community account token provisioning 91- [ ] Configure AppView to use production PDS 92 - [ ] Set `PDS_URL=https://coves.me` in AppView .env 93 - [ ] Test community creation flow (provisions account on coves.me) 94 - [ ] Verify account provisioning works end-to-end 95 96**Important**: Jetstream connects to Bluesky's production firehose, which automatically includes events from all production PDS instances (including coves.me once it's live) 97 98**Estimated Effort**: 4-6 hours 99**Risk**: Medium (infrastructure setup, DNS propagation) 100 101#### JWT Signature Verification (Production Mode) 102- [ ] Test with production PDS at coves.me 103 - [ ] Verify JWKS endpoint is accessible: `https://coves.me/.well-known/jwks.json` 104 - [ ] Run `TestJWTSignatureVerification` against production PDS 105 - [ ] Confirm signature verification succeeds 106 - [ ] Test token refresh flow for community accounts 107- [ ] Set `AUTH_SKIP_VERIFY=false` in production environment 108- [ ] Verify all auth middleware tests pass with verification enabled 109 110**Estimated Effort**: 2-3 hours 111**Risk**: Low (depends on PDS deployment) 112 113#### did:web Verification ✅ COMPLETE 114- [x] Complete did:web domain verification implementation (2025-11-16) 115- [x] Implement Bluesky-compatible bidirectional verification 116- [x] Add alsoKnownAs field verification in DID documents 117- [x] Add security logging for verification failures 118- [x] Update cache TTL to 24h (matches Bluesky recommendations) 119- [x] Comprehensive test coverage with mock HTTP servers 120- [ ] Set `SKIP_DID_WEB_VERIFICATION=false` for production (dev default: true) 121- [ ] Deploy `.well-known/did.json` to production domain 122 123**Implementation Details**: 124- **Location**: [internal/atproto/jetstream/community_consumer.go](../internal/atproto/jetstream/community_consumer.go) 125- **Verification Flow**: Domain matching + DID document fetch + alsoKnownAs validation 126- **Security Model**: Matches Bluesky (DNS/HTTPS authority + bidirectional binding) 127- **Performance**: Bounded LRU cache (1000 entries), rate limiting (10 req/s), 24h TTL 128- **Impact**: AppView indexing and federation trust (not community creation API) 129- **Tests**: `tests/integration/community_hostedby_security_test.go` 130 131**Actual Effort**: 3 hours (implementation + testing) 132**Risk**: ✅ Low (complete and tested) 133 134### 2. DPoP Token Architecture Fix 135 136**Problem**: Backend attempts to write subscriptions/blocks to user PDS using DPoP-bound tokens (fails with "Malformed token"). 137 138#### Remove Write-Forward Code 139- [ ] Remove write-forward from `SubscribeToCommunity` handler 140- [ ] Remove write-forward from `UnsubscribeFromCommunity` handler 141- [ ] Remove write-forward from `BlockCommunity` handler 142- [ ] Remove write-forward from `UnblockCommunity` handler 143- [ ] Update handlers to return helpful error: "Write directly to your PDS" 144- [ ] Update API documentation to reflect client-write pattern 145- [ ] Verify Jetstream consumers still index correctly 146 147**Files**: 148- `internal/core/communities/service.go:564-816` 149- `internal/api/handlers/community/subscribe.go` 150- `internal/api/handlers/community/block.go` 151 152**Estimated Effort**: 3-4 hours 153**Risk**: Low (similar to votes pattern) 154 155## P1: Important (Should Complete Before Alpha) 156 157### 5. Post Read Operations 158 159- [ ] Implement `getPost` endpoint (single post retrieval) 160- [ ] Implement `listPosts` endpoint (with pagination) 161- [ ] Add post permalink support 162- [ ] Integration tests for post retrieval 163- [ ] Error handling for missing/deleted posts 164 165**Estimated Effort**: 6-8 hours 166**Risk**: Low 167**Note**: Can defer if direct post linking not needed initially 168 169### 6. Production Infrastructure 170 171#### Monitoring Setup 172- [ ] Add Prometheus metrics endpoints 173 - [ ] HTTP request metrics (duration, status codes, paths) 174 - [ ] Database query metrics (slow queries, connection pool) 175 - [ ] Jetstream consumer metrics (events processed, lag, errors) 176 - [ ] Auth metrics (token validations, failures) 177- [ ] Set up Grafana dashboards 178 - [ ] Request rate and latency 179 - [ ] Error rates by endpoint 180 - [ ] Database performance 181 - [ ] Jetstream consumer health 182- [ ] Configure alerting rules 183 - [ ] High error rate (>5% 5xx responses) 184 - [ ] Slow response time (p99 >1s) 185 - [ ] Database connection pool exhaustion 186 - [ ] Jetstream consumer lag >1 minute 187 - [ ] PDS health check failures 188 189**Estimated Effort**: 8-10 hours 190 191#### Structured Logging 192- [ ] Replace `log` package with structured logger (zerolog or zap) 193- [ ] Add log levels (debug, info, warn, error) 194- [ ] JSON output format for production 195- [ ] Add request ID tracking 196- [ ] Add correlation IDs for async operations 197- [ ] Sanitize sensitive data from logs (passwords, tokens, emails) 198- [ ] Configure log rotation 199- [ ] Ship logs to aggregation service (optional: Loki, CloudWatch) 200 201**Estimated Effort**: 6-8 hours 202 203#### Database Backups 204- [ ] Automated PostgreSQL backups (daily minimum) 205- [ ] Backup retention policy (30 days) 206- [ ] Test restore procedure 207- [ ] Document backup/restore runbook 208- [ ] Off-site backup storage 209- [ ] Monitor backup success/failure 210- [ ] Point-in-time recovery (PITR) setup (optional) 211 212**Estimated Effort**: 4-6 hours 213 214#### Load Testing 215- [ ] Define load test scenarios 216 - [ ] User signup and authentication 217 - [ ] Community creation 218 - [ ] Post creation and viewing 219 - [ ] Feed retrieval (timeline, discover, community) 220 - [ ] Comment creation and threading 221 - [ ] Voting 222- [ ] Set target metrics 223 - [ ] Concurrent users target (e.g., 100 concurrent) 224 - [ ] Requests per second target 225 - [ ] P95 latency target (<500ms) 226 - [ ] Error rate target (<1%) 227- [ ] Run load tests with k6/Artillery/JMeter 228- [ ] Identify bottlenecks (database, CPU, memory) 229- [ ] Optimize slow queries 230- [ ] Add database indexes if needed 231- [ ] Test graceful degradation under load 232 233**Estimated Effort**: 10-12 hours 234 235#### Deployment Runbook 236- [ ] Document deployment procedure 237 - [ ] Pre-deployment checklist 238 - [ ] Database migration steps 239 - [ ] Environment variable validation 240 - [ ] Health check verification 241 - [ ] Rollback procedure 242- [ ] Document operational procedures 243 - [ ] How to check system health 244 - [ ] How to read logs 245 - [ ] How to check Jetstream consumer status 246 - [ ] How to manually trigger community token refresh 247 - [ ] How to clear caches 248- [ ] Document incident response 249 - [ ] Who to contact 250 - [ ] Escalation path 251 - [ ] Common issues and fixes 252 - [ ] Emergency procedures (PDS down, database down, etc.) 253- [ ] Create production environment checklist 254 - [ ] **Domain Setup** 255 - [ ] AppView domain (coves.social) DNS configured 256 - [ ] PDS domain (coves.me) DNS configured - MUST be separate domain 257 - [ ] SSL certificates for both domains 258 - [ ] Nginx/Caddy reverse proxy configured for both domains 259 - [ ] **AppView Environment Variables** 260 - [ ] `INSTANCE_DID=did:web:coves.social` 261 - [ ] `INSTANCE_DOMAIN=coves.social` 262 - [ ] `PDS_URL=https://coves.me` (separate domain) 263 - [ ] `AUTH_SKIP_VERIFY=false` 264 - [ ] `SKIP_DID_WEB_VERIFICATION=false` 265 - [ ] `JETSTREAM_URL=wss://jetstream2.us-east.bsky.network/subscribe` 266 - [ ] **PDS Environment Variables** 267 - [ ] `PDS_HOSTNAME=coves.me` 268 - [ ] `PDS_PORT=2583` 269 - [ ] Persistent storage mounted 270 - [ ] **Deployment Verification** 271 - [ ] Deploy `.well-known/did.json` to coves.social with `serviceEndpoint: https://coves.me` 272 - [ ] Verify: `curl https://coves.social/.well-known/did.json` 273 - [ ] Verify: `curl https://coves.me/xrpc/_health` 274 - [ ] Database migrations applied 275 - [ ] PDS connectivity verified from AppView 276 - [ ] JWKS caching working 277 - [ ] Jetstream consumer connected to Bluesky production firehose 278 - [ ] Test community creation end-to-end 279 - [ ] Monitoring and alerting active 280 281**Estimated Effort**: 6-8 hours 282 283--- 284 285## P2: Nice to Have (Can Defer to Post-Alpha) 286 287### 7. Post Update/Delete 288- [ ] Implement post update endpoint 289- [ ] Implement post delete endpoint 290- [ ] Jetstream consumer for UPDATE/DELETE events 291- [ ] Soft delete support 292 293**Estimated Effort**: 4-6 hours 294 295### 8. Community Delete 296- [ ] Implement community delete endpoint 297- [ ] Cascade delete considerations 298- [ ] Archive vs hard delete decision 299 300**Estimated Effort**: 2-3 hours 301 302### 9. Content Rules Validation 303- [ ] Implement text-only community enforcement 304- [ ] Implement allowed embed types validation 305- [ ] Content length limits 306 307**Estimated Effort**: 6-8 hours 308 309### 10. Search Functionality 310- [ ] Community search improvements 311- [ ] Post search 312- [ ] User search 313- [ ] Full-text search with PostgreSQL or external service 314 315**Estimated Effort**: 8-10 hours 316 317--- 318 319## Testing Gaps 320 321### E2E Testing Recommendations 322 323#### 1. Full User Journey Test (CRITICAL) ✅ COMPLETE 324**What**: Test complete user flow from signup to interaction 325**Why**: No single test validates the entire happy path 326 327- [x] Create test: Signup Authenticate Create Community Create Post Add Comment Vote 328- [x] Verify all data flows through Jetstream correctly 329- [x] Verify counts update (vote counts, comment counts, subscriber counts) 330- [x] Verify timeline feed shows posts from subscribed communities 331- [x] Test with 2+ users interacting (user A posts, user B comments) 332- [x] Real E2E with Docker infrastructure (PDS, Jetstream, PostgreSQL) 333- [x] Graceful fallback for CI/CD environments 334 335**Actual Time**: ~3 hours (agent-implemented) 336**Test Location**: `tests/integration/user_journey_e2e_test.go` 337 338#### 2. Blob Upload E2E Test ✅ COMPLETE 339**What**: Test image upload and display in posts 340**Why**: No test validates the full blob upload post feed display flow 341 342- [x] Create post with embedded image 343- [x] Verify blob uploaded to PDS 344- [x] Verify blob URL transformation in feed responses 345- [x] Test multiple images in single post 346- [x] Test image in comment 347- [x] PDS health check (skips gracefully if PDS unavailable) 348- [x] Mock server test (runs in all environments) 349- [x] Comprehensive validation tests (empty data, MIME types, size limits) 350- [x] Actual JPEG format testing (not just PNG with different MIME types) 351 352**Actual Time**: ~2-3 hours (agent-implemented) 353**Test Location**: `tests/integration/blob_upload_e2e_test.go` 354 355#### 3. Multi-Community Timeline Test ✅ COMPLETE 356**What**: Test timeline feed with multiple community subscriptions 357**Why**: Timeline logic may have edge cases with multiple sources 358 359- [x] Create 3+ communities 360- [x] Subscribe user to all communities 361- [x] Create posts in each community 362- [x] Verify timeline shows posts from all subscribed communities 363- [x] Verify hot/top/new sorting across communities 364- [x] Test pagination across multiple communities 365- [x] Verify security (unsubscribed communities excluded) 366- [x] Verify record schema compliance across communities 367 368**Actual Time**: ~2 hours 369**Test Location**: `/tests/integration/timeline_test.go::TestGetTimeline_MultiCommunity_E2E` 370 371#### 4. Concurrent User Scenarios ✅ COMPLETE 372**What**: Test system behavior with simultaneous users 373**Why**: Race conditions and locking issues only appear under concurrency 374 375- [x] Multiple users voting on same post simultaneously (20-25 concurrent) 376- [x] Multiple users commenting on same post simultaneously (25 concurrent) 377- [x] Community creation with same handle (should fail) - verified UNIQUE constraint 378- [x] Subscription race conditions (30 concurrent subscribers) 379- [x] **Enhanced with database record verification** (detects duplicates/lost records) 380- [x] Concurrent upvotes and downvotes (15 up + 10 down) 381- [x] Concurrent replies to same comment (15 concurrent) 382- [x] Concurrent subscribe/unsubscribe (20 users) 383 384**Actual Time**: ~3 hours (agent-implemented) + 1 hour (race condition verification added) 385**Test Location**: `tests/integration/concurrent_scenarios_test.go` 386**Finding**: NO RACE CONDITIONS DETECTED - all tests pass with full database verification 387 388#### 5. Rate Limiting Tests ✅ COMPLETE 389**What**: Verify rate limits work correctly 390**Why**: Protection against abuse 391 392- [x] Test aggregator rate limits (10 posts/hour) - existing test verified 393- [x] Test general endpoint rate limits (100 req/min) 394- [x] Test comment rate limits (20 req/min) 395- [x] Verify 429 responses 396- [x] Verify rate limit headers (documented as not implemented - acceptable for Alpha) 397- [x] Verify per-client isolation (IP-based rate limiting) 398- [x] Verify X-Forwarded-For and X-Real-IP header support 399- [x] Test rate limit reset behavior 400- [x] Test thread-safety with concurrent requests 401- [x] Test rate limiting across different HTTP methods 402 403**Actual Time**: ~2 hours (agent-implemented) 404**Test Location**: `tests/e2e/ratelimit_e2e_test.go` 405**Configuration Documented**: All rate limits documented in comments (removed fake summary "test") 406 407#### 6. Error Recovery Tests ✅ COMPLETE 408**What**: Test system recovery from failures 409**Why**: Production will have failures 410 411- [x] Jetstream connection retry on failure (renamed from "reconnection" for accuracy) 412- [x] PDS temporarily unavailable during post creation (AppView continues indexing) 413- [x] Database connection loss and recovery (connection pool auto-recovery) 414- [x] Malformed Jetstream events (gracefully skipped, no crashes) 415- [x] Out-of-order event handling (last-write-wins strategy) 416- [x] Events processed correctly after connection established 417 418**Actual Time**: ~2 hours (agent-implemented) + 30 min (test accuracy improvements) 419**Test Location**: `tests/e2e/error_recovery_test.go` 420**Findings**: 421- Automatic reconnection with 5s backoff 422- Circuit breaker pattern for external services 423- AppView can index without PDS availability 424- Note: Tests verify connection retry, not full reconnect-after-disconnect (requires mock WebSocket server) 425 426#### 7. Federation Readiness (Optional) 427**What**: Test cross-PDS interactions 428**Why**: Future-proofing for federation 429 430- [ ] User on different PDS subscribing to Coves community 431- [ ] User on different PDS commenting on Coves post 432- [ ] User on different PDS voting on Coves content 433- [ ] Handle resolution across PDSs 434 435**Note**: Defer to Beta unless federation is alpha requirement 436 437--- 438 439## Timeline Estimate 440 441### Week 1: Critical Blockers (P0) 442- ~~**Days 1-2**: Authentication (JWT + did:web verification)~~ **did:web COMPLETED** 443- **Day 1**: Production PDS deployment (coves.me domain setup) 444- **Day 2**: JWT signature verification with production PDS 445- **Day 3**: DPoP token architecture fix 446- ~~**Day 4**: Handle resolution + comment count reconciliation~~ **COMPLETED** 447- **Day 4-5**: Testing and bug fixes 448 449**Total**: 16-23 hours (added 4-6 hours for PDS deployment, reduced from original due to did:web completion) 450 451### Week 2: Production Infrastructure (P1) 452- **Days 6-7**: Monitoring + structured logging 453- **Day 8**: Database backups + load testing 454- **Days 9-10**: Deployment runbook + final testing 455 456**Total**: 30-35 hours 457 458### Week 3: E2E Testing + Polish ✅ E2E TESTS COMPLETE 459- ~~**Days 11-12**: Critical E2E tests (user journey, blob upload)~~ **COMPLETED** (agent-implemented in ~6 hours) 460- ~~**Day 13**: Additional E2E tests~~ **COMPLETED** (concurrent, rate limiting, error recovery in ~7 hours) 461- **Days 14-15**: Load testing, bug fixes, polish 462 463**Total**: ~~20-25 hours~~ **13 hours actual** (E2E tests) + 7-12 hours remaining (load testing, polish) 464 465**Grand Total: ~~65-80 hours~~ → 51-68 hours remaining (approximately 1.5-2 weeks full-time)** 466*(Originally 70-85 hours. Adjusted for: +4-6 hours PDS deployment, -3 hours did:web completion, -13 hours E2E tests completion, -4 hours handle resolution and comment reconciliation)* 467 468** Progress Update**: E2E testing section COMPLETE ahead of schedule - saved ~7-12 hours through parallel agent implementation 469 470--- 471 472## Success Criteria 473 474Alpha is ready when: 475 476- [ ] All P0 blockers resolved 477 - Handle resolution (COMPLETE) 478 - Comment count reconciliation (COMPLETE) 479 - did:web verification (COMPLETE - needs production deployment) 480 - [ ] Production PDS deployed to coves.me (separate domain) 481 - [ ] JWT signature verification working with production PDS 482 - [ ] DPoP architecture fix implemented 483- [ ] Subscriptions/blocking work via client-write pattern 484- [x] **All integration tests passing** 485- [x] **E2E user journey test passing** 486- [x] **E2E blob upload tests passing** 487- [x] **E2E concurrent scenarios tests passing** 488- [x] **E2E rate limiting tests passing** 489- [x] **E2E error recovery tests passing** 490- [ ] Load testing shows acceptable performance (100+ concurrent users) 491- [ ] Monitoring and alerting active 492- [ ] Database backups configured and tested 493- [ ] Deployment runbook complete and validated 494- [ ] Security audit completed (basic) 495- [ ] No known critical bugs 496 497--- 498 499## Go/No-Go Decision Points 500 501### Can we launch without it? 502 503| Feature | Alpha Requirement | Status | Rationale | 504|---------|------------------|--------|-----------| 505| JWT signature verification | YES | 🟡 Needs testing | Security critical | 506| DPoP architecture fix | YES | 🔴 Not started | Subscriptions broken without it | 507| ~~Handle resolution~~ | ~~✅ YES~~ | **COMPLETE** | Core UX requirement | 508| ~~Comment count reconciliation~~ | ~~✅ YES~~ | **COMPLETE** | Data accuracy | 509| Post read endpoints | MAYBE | 🔴 Not implemented | Can use feeds initially | 510| Post update/delete | NO | 🔴 Not implemented | Can add post-launch | 511| Moderation system | NO | 🔴 Not implemented | Deferred to Beta per PRD_GOVERNANCE | 512| Full-text search | NO | 🔴 Not implemented | Browse works without it | 513| Federation testing | NO | 🔴 Not implemented | Single-instance alpha | 514| Mobile app | MAYBE | 🔴 Not implemented | Web-first acceptable | 515 516--- 517 518## Risk Assessment 519 520### High Risk 5211. **JWT verification with production PDS** - Never tested with real JWKS 5222. **Load under real traffic** - Current tests are single-user 5233. **Operational knowledge** - No one has run this in production yet 524 525### Medium Risk 5261. **Database performance** - Queries optimized but not load tested 5272. **Jetstream consumer lag** - May fall behind under high write volume 5283. **Token refresh stability** - Community tokens refresh every 2 hours (tested but not long-running) 529 530### Low Risk 5311. **DPoP architecture fix** - Similar pattern already works (votes) 5322. ~~**Handle resolution**~~ - Already implemented 5333. ~~**Comment reconciliation**~~ - Already implemented 534 535--- 536 537## Open Questions 538 5391. **What's the target alpha user count?** (affects infrastructure sizing) 5402. **What's the alpha duration?** (affects monitoring retention, backup retention) 5413. **Is mobile app required for alpha?** (affects DPoP testing priority) 5424. **What's the rollback strategy?** (database migrations may not be reversible) 5435. **Who's on-call during alpha?** (affects runbook detail level) 5446. **What's the acceptable downtime?** (affects HA requirements) 5457. **Budget for infrastructure?** (affects monitoring/backup solutions) 546 547--- 548 549## Next Steps 550 5511. Create this PRD 5522. Validate handle resolution (COMPLETE) 5533. Validate comment count reconciliation (COMPLETE) 5544. **Write critical E2E tests** (COMPLETE - all 6 test suites implemented) 5555. [ ] Review and prioritize with team 5566. [ ] Test JWT verification with `pds.bretton.dev` (requires invite code or existing account) 5577. [ ] Begin P0 blockers (DPoP fix first - highest user impact) 5588. [ ] Set up monitoring infrastructure 5599. [ ] Conduct load testing (infrastructure ready, tests written, needs execution) 56010. [ ] Security review 56111. [ ] Go/no-go decision 56212. [ ] Launch! 🚀 563 564**🎉 Major Milestones**: 565- All E2E tests complete! Test coverage now includes full user journey, blob uploads, concurrent operations, rate limiting, and error recovery. 566- Bidirectional DID verification complete! Bluesky-compatible security model with alsoKnownAs validation, 24h cache TTL, and comprehensive test coverage.