···

       
4
       
 
       
	"Coves/internal/api/handlers/oauth"

     

       
5
       
 
       
	"Coves/internal/api/middleware"

     

       
6
       
 
       
	"Coves/internal/api/routes"

     

       
7
       
-
       
	"Coves/internal/atproto/did"

     

       
8
       
 
       
	"Coves/internal/atproto/identity"

     

       
9
       
 
       
	"Coves/internal/atproto/jetstream"

     

       
10
       
 
       
	"Coves/internal/core/communities"

     
···

       
83
       
 
       
	r.Use(rateLimiter.Middleware)

     

       
84
       
 
       


     

       
85
       
 
       
	// Initialize identity resolver

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
86
       
 
       
	identityConfig := identity.DefaultConfig()

     

       
87
       
-
       
	// Override from environment if set

     

       
88
       
-
       
	if plcURL := os.Getenv("IDENTITY_PLC_URL"); plcURL != "" {

     

       
89
       
-
       
		identityConfig.PLCURL = plcURL

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
90
       
 
       
	}

     

       
0
       
 
       

     

       
91
       
 
       
	if cacheTTL := os.Getenv("IDENTITY_CACHE_TTL"); cacheTTL != "" {

     

       
92
       
 
       
		if duration, parseErr := time.ParseDuration(cacheTTL); parseErr == nil {

     

       
93
       
 
       
			identityConfig.CacheTTL = duration

     
···

       
95
       
 
       
	}

     

       
96
       
 
       


     

       
97
       
 
       
	identityResolver := identity.NewResolver(db, identityConfig)

     

       
98
       
-
       
	log.Println("Identity resolver initialized with PLC:", identityConfig.PLCURL)

     

       
99
       
 
       


     

       
100
       
 
       
	// Initialize OAuth session store

     

       
101
       
 
       
	sessionStore := oauthCore.NewPostgresSessionStore(db)

     
···

       
107
       
 
       


     

       
108
       
 
       
	communityRepo := postgresRepo.NewCommunityRepository(db)

     

       
109
       
 
       


     

       
110
       
-
       
	// Initialize DID generator for communities

     

       
111
       
-
       
	// IS_DEV_ENV=true:  Generate did:plc:xxx without registering to PLC directory

     

       
112
       
-
       
	// IS_DEV_ENV=false: Generate did:plc:xxx and register with PLC_DIRECTORY_URL

     

       
113
       
-
       
	isDevEnv := os.Getenv("IS_DEV_ENV") == "true"

     

       
114
       
-
       
	plcDirectoryURL := os.Getenv("PLC_DIRECTORY_URL")

     

       
115
       
-
       
	if plcDirectoryURL == "" {

     

       
116
       
-
       
		plcDirectoryURL = "https://plc.directory" // Default to Bluesky's PLC

     

       
117
       
-
       
	}

     

       
118
       
-
       
	didGenerator := did.NewGenerator(isDevEnv, plcDirectoryURL)

     

       
119
       
-
       
	log.Printf("DID generator initialized (dev_mode=%v, plc_url=%s)", isDevEnv, plcDirectoryURL)

     

       
120
       
 
       


     

       
121
       
 
       
	instanceDID := os.Getenv("INSTANCE_DID")

     

       
122
       
 
       
	if instanceDID == "" {

     
···

       
148
       
 
       


     

       
149
       
 
       
	log.Printf("Instance domain: %s (extracted from DID: %s)", instanceDomain, instanceDID)

     

       
150
       
 
       


     

       
151
       
-
       
	// V2: Initialize PDS account provisioner for communities

     

       
152
       
-
       
	provisioner := communities.NewPDSAccountProvisioner(userService, instanceDomain, defaultPDS)

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
153
       
 
       


     

       
154
       
-
       
	communityService := communities.NewCommunityService(communityRepo, didGenerator, defaultPDS, instanceDID, instanceDomain, provisioner)

     

       
0
       
 
       

     

       
155
       
 
       


     

       
156
       
 
       
	// Authenticate Coves instance with PDS to enable community record writes

     

       
157
       
 
       
	// The instance needs a PDS account to write community records it owns

     

···

       
4
       
 
       
	"Coves/internal/api/handlers/oauth"

     

       
5
       
 
       
	"Coves/internal/api/middleware"

     

       
6
       
 
       
	"Coves/internal/api/routes"

     

       
0
       
 
       

     

       
7
       
 
       
	"Coves/internal/atproto/identity"

     

       
8
       
 
       
	"Coves/internal/atproto/jetstream"

     

       
9
       
 
       
	"Coves/internal/core/communities"

     
···

       
82
       
 
       
	r.Use(rateLimiter.Middleware)

     

       
83
       
 
       


     

       
84
       
 
       
	// Initialize identity resolver

     

       
85
       
+
       
	// IMPORTANT: In dev mode, identity resolution MUST use the same local PLC

     

       
86
       
+
       
	// directory as DID registration to ensure E2E tests work without hitting

     

       
87
       
+
       
	// the production plc.directory

     

       
88
       
 
       
	identityConfig := identity.DefaultConfig()

     

       
89
       
+
       


     

       
90
       
+
       
	isDevEnv := os.Getenv("IS_DEV_ENV") == "true"

     

       
91
       
+
       
	plcDirectoryURL := os.Getenv("PLC_DIRECTORY_URL")

     

       
92
       
+
       
	if plcDirectoryURL == "" {

     

       
93
       
+
       
		plcDirectoryURL = "https://plc.directory" // Default to production PLC

     

       
94
       
+
       
	}

     

       
95
       
+
       


     

       
96
       
+
       
	// In dev mode, use PLC_DIRECTORY_URL for identity resolution

     

       
97
       
+
       
	// In prod mode, use IDENTITY_PLC_URL if set, otherwise PLC_DIRECTORY_URL

     

       
98
       
+
       
	if isDevEnv {

     

       
99
       
+
       
		identityConfig.PLCURL = plcDirectoryURL

     

       
100
       
+
       
		log.Printf("🧪 DEV MODE: Identity resolver will use local PLC: %s", plcDirectoryURL)

     

       
101
       
+
       
	} else {

     

       
102
       
+
       
		// Production: Allow separate IDENTITY_PLC_URL for read operations

     

       
103
       
+
       
		if identityPLCURL := os.Getenv("IDENTITY_PLC_URL"); identityPLCURL != "" {

     

       
104
       
+
       
			identityConfig.PLCURL = identityPLCURL

     

       
105
       
+
       
		} else {

     

       
106
       
+
       
			identityConfig.PLCURL = plcDirectoryURL

     

       
107
       
+
       
		}

     

       
108
       
+
       
		log.Printf("✅ PRODUCTION MODE: Identity resolver using PLC: %s", identityConfig.PLCURL)

     

       
109
       
 
       
	}

     

       
110
       
+
       


     

       
111
       
 
       
	if cacheTTL := os.Getenv("IDENTITY_CACHE_TTL"); cacheTTL != "" {

     

       
112
       
 
       
		if duration, parseErr := time.ParseDuration(cacheTTL); parseErr == nil {

     

       
113
       
 
       
			identityConfig.CacheTTL = duration

     
···

       
115
       
 
       
	}

     

       
116
       
 
       


     

       
117
       
 
       
	identityResolver := identity.NewResolver(db, identityConfig)

     

       
0
       
 
       

     

       
118
       
 
       


     

       
119
       
 
       
	// Initialize OAuth session store

     

       
120
       
 
       
	sessionStore := oauthCore.NewPostgresSessionStore(db)

     
···

       
126
       
 
       


     

       
127
       
 
       
	communityRepo := postgresRepo.NewCommunityRepository(db)

     

       
128
       
 
       


     

       
129
       
+
       
	// V2.0: PDS-managed DID generation

     

       
130
       
+
       
	// Community DIDs and keys are generated entirely by the PDS

     

       
131
       
+
       
	// No Coves-side DID generator needed (reserved for future V2.1 hybrid approach)

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
132
       
 
       


     

       
133
       
 
       
	instanceDID := os.Getenv("INSTANCE_DID")

     

       
134
       
 
       
	if instanceDID == "" {

     
···

       
160
       
 
       


     

       
161
       
 
       
	log.Printf("Instance domain: %s (extracted from DID: %s)", instanceDomain, instanceDID)

     

       
162
       
 
       


     

       
163
       
+
       
	// V2.0: Initialize PDS account provisioner for communities (simplified)

     

       
164
       
+
       
	// PDS handles all DID and key generation - no Coves-side cryptography needed

     

       
165
       
+
       
	provisioner := communities.NewPDSAccountProvisioner(instanceDomain, defaultPDS)

     

       
166
       
+
       
	log.Printf("✅ Community provisioner initialized (PDS-managed keys)")

     

       
167
       
+
       
	log.Printf("   - Communities will be created at: %s", defaultPDS)

     

       
168
       
+
       
	log.Printf("   - PDS will generate and manage all DIDs and keys")

     

       
169
       
 
       


     

       
170
       
+
       
	// Initialize community service (no longer needs didGenerator directly)

     

       
171
       
+
       
	communityService := communities.NewCommunityService(communityRepo, defaultPDS, instanceDID, instanceDomain, provisioner)

     

       
172
       
 
       


     

       
173
       
 
       
	// Authenticate Coves instance with PDS to enable community record writes

     

       
174
       
 
       
	// The instance needs a PDS account to write community records it owns

     

···

       
1
       
 
       
package communities

     

       
2
       
 
       


     

       
3
       
 
       
import (

     

       
4
       
-
       
	"Coves/internal/atproto/did"

     

       
5
       
 
       
	"bytes"

     

       
6
       
 
       
	"context"

     

       
7
       
 
       
	"encoding/json"

     
···

       
20
       
 
       


     

       
21
       
 
       
type communityService struct {

     

       
22
       
 
       
	repo           Repository

     

       
23
       
-
       
	didGen         *did.Generator

     

       
24
       
 
       
	provisioner    *PDSAccountProvisioner

     

       
25
       
 
       
	pdsURL         string

     

       
26
       
 
       
	instanceDID    string

     
···

       
29
       
 
       
}

     

       
30
       
 
       


     

       
31
       
 
       
// NewCommunityService creates a new community service

     

       
32
       
-
       
func NewCommunityService(repo Repository, didGen *did.Generator, pdsURL, instanceDID, instanceDomain string, provisioner *PDSAccountProvisioner) Service {

     

       
33
       
 
       
	return &communityService{

     

       
34
       
 
       
		repo:           repo,

     

       
35
       
-
       
		didGen:         didGen,

     

       
36
       
 
       
		pdsURL:         pdsURL,

     

       
37
       
 
       
		instanceDID:    instanceDID,

     

       
38
       
 
       
		instanceDomain: instanceDomain,

     
···

       
141
       
 
       
		return nil, fmt.Errorf("failed to create community profile record: %w", err)

     

       
142
       
 
       
	}

     

       
143
       
 
       


     

       
144
       
-
       
	// Build Community object with PDS credentials

     

       
145
       
 
       
	community := &Community{

     

       
146
       
 
       
		DID:                    pdsAccount.DID,    // Community's DID (owns the repo!)

     

       
147
       
 
       
		Handle:                 pdsAccount.Handle, // atProto handle (e.g., gaming.communities.coves.social)

     
···

       
152
       
 
       
		CreatedByDID:           req.CreatedByDID,

     

       
153
       
 
       
		HostedByDID:            req.HostedByDID,

     

       
154
       
 
       
		PDSEmail:               pdsAccount.Email,

     

       
155
       
-
       
		PDSPasswordHash:        pdsAccount.PasswordHash,

     

       
156
       
 
       
		PDSAccessToken:         pdsAccount.AccessToken,

     

       
157
       
 
       
		PDSRefreshToken:        pdsAccount.RefreshToken,

     

       
158
       
 
       
		PDSURL:                 pdsAccount.PDSURL,

     
···

       
164
       
 
       
		UpdatedAt:              time.Now(),

     

       
165
       
 
       
		RecordURI:              recordURI,

     

       
166
       
 
       
		RecordCID:              recordCID,

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
167
       
 
       
	}

     

       
168
       
 
       


     

       
169
       
 
       
	// CRITICAL: Persist PDS credentials immediately to database

     
···

       
515
       
 
       
		return NewValidationError("name", "required")

     

       
516
       
 
       
	}

     

       
517
       
 
       


     

       
518
       
-
       
	if len(req.Name) > 64 {

     

       
519
       
-
       
		return NewValidationError("name", "must be 64 characters or less")

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
520
       
 
       
	}

     

       
521
       
 
       


     

       
522
       
 
       
	// Name can only contain alphanumeric and hyphens

     

       
523
       
-
       
	nameRegex := regexp.MustCompile(`^[a-zA-Z0-9]([a-zA-Z0-9-]{0,62}[a-zA-Z0-9])?$`)

     

       
0
       
 
       

     

       
524
       
 
       
	if !nameRegex.MatchString(req.Name) {

     

       
525
       
 
       
		return NewValidationError("name", "must contain only alphanumeric characters and hyphens")

     

       
526
       
 
       
	}

     

···

       
1
       
 
       
package communities

     

       
2
       
 
       


     

       
3
       
 
       
import (

     

       
0
       
 
       

     

       
4
       
 
       
	"bytes"

     

       
5
       
 
       
	"context"

     

       
6
       
 
       
	"encoding/json"

     
···

       
19
       
 
       


     

       
20
       
 
       
type communityService struct {

     

       
21
       
 
       
	repo           Repository

     

       
0
       
 
       

     

       
22
       
 
       
	provisioner    *PDSAccountProvisioner

     

       
23
       
 
       
	pdsURL         string

     

       
24
       
 
       
	instanceDID    string

     
···

       
27
       
 
       
}

     

       
28
       
 
       


     

       
29
       
 
       
// NewCommunityService creates a new community service

     

       
30
       
+
       
func NewCommunityService(repo Repository, pdsURL, instanceDID, instanceDomain string, provisioner *PDSAccountProvisioner) Service {

     

       
31
       
 
       
	return &communityService{

     

       
32
       
 
       
		repo:           repo,

     

       
0
       
 
       

     

       
33
       
 
       
		pdsURL:         pdsURL,

     

       
34
       
 
       
		instanceDID:    instanceDID,

     

       
35
       
 
       
		instanceDomain: instanceDomain,

     
···

       
138
       
 
       
		return nil, fmt.Errorf("failed to create community profile record: %w", err)

     

       
139
       
 
       
	}

     

       
140
       
 
       


     

       
141
       
+
       
	// Build Community object with PDS credentials AND cryptographic keys

     

       
142
       
 
       
	community := &Community{

     

       
143
       
 
       
		DID:                    pdsAccount.DID,    // Community's DID (owns the repo!)

     

       
144
       
 
       
		Handle:                 pdsAccount.Handle, // atProto handle (e.g., gaming.communities.coves.social)

     
···

       
149
       
 
       
		CreatedByDID:           req.CreatedByDID,

     

       
150
       
 
       
		HostedByDID:            req.HostedByDID,

     

       
151
       
 
       
		PDSEmail:               pdsAccount.Email,

     

       
152
       
+
       
		PDSPassword:            pdsAccount.Password,

     

       
153
       
 
       
		PDSAccessToken:         pdsAccount.AccessToken,

     

       
154
       
 
       
		PDSRefreshToken:        pdsAccount.RefreshToken,

     

       
155
       
 
       
		PDSURL:                 pdsAccount.PDSURL,

     
···

       
161
       
 
       
		UpdatedAt:              time.Now(),

     

       
162
       
 
       
		RecordURI:              recordURI,

     

       
163
       
 
       
		RecordCID:              recordCID,

     

       
164
       
+
       
		// V2: Cryptographic keys for portability (will be encrypted by repository)

     

       
165
       
+
       
		RotationKeyPEM: pdsAccount.RotationKeyPEM, // CRITICAL: Enables DID migration

     

       
166
       
+
       
		SigningKeyPEM:  pdsAccount.SigningKeyPEM,  // For atproto operations

     

       
167
       
 
       
	}

     

       
168
       
 
       


     

       
169
       
 
       
	// CRITICAL: Persist PDS credentials immediately to database

     
···

       
515
       
 
       
		return NewValidationError("name", "required")

     

       
516
       
 
       
	}

     

       
517
       
 
       


     

       
518
       
+
       
	// DNS label limit: 63 characters per label

     

       
519
       
+
       
	// Community handle format: {name}.communities.{instanceDomain}

     

       
520
       
+
       
	// The first label is just req.Name, so it must be <= 63 chars

     

       
521
       
+
       
	if len(req.Name) > 63 {

     

       
522
       
+
       
		return NewValidationError("name", "must be 63 characters or less (DNS label limit)")

     

       
523
       
 
       
	}

     

       
524
       
 
       


     

       
525
       
 
       
	// Name can only contain alphanumeric and hyphens

     

       
526
       
+
       
	// Must start and end with alphanumeric (not hyphen)

     

       
527
       
+
       
	nameRegex := regexp.MustCompile(`^[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$`)

     

       
528
       
 
       
	if !nameRegex.MatchString(req.Name) {

     

       
529
       
 
       
		return NewValidationError("name", "must contain only alphanumeric characters and hyphens")

     

       
530
       
 
       
	}