···
## ๐ด P0: Critical (Alpha Blockers)
### OAuth DPoP Token Architecture - Voting Write-Forward
16
-
**Added:** 2025-11-02 | **Effort:** 4-6 hours | **Priority:** ALPHA BLOCKER
17
-
**Status:** โ ๏ธ ARCHITECTURE DECISION REQUIRED
16
+
**Added:** 2025-11-02 | **Completed:** 2025-11-02 | **Effort:** 2 hours | **Priority:** ALPHA BLOCKER
17
+
**Status:** โ
COMPLETE
Our backend is attempting to use DPoP-bound OAuth tokens to write votes to users' PDSs, causing "Malformed token" errors. This violates atProto architecture patterns.
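Review bot: the status line now reads COMPLETE with a Completed date, but the description that follows it (the context line "Our backend is attempting to use DPoP-bound OAuth tokens to write votes to users' PDSs, causing 'Malformed token' errors") still describes the defect as current, so the entry contradicts itself. Rewrite that sentence in the past tense and add a one-line resolution stating which write path replaced the backend write-forward and that the AppView no longer receives or forwards user DPoP-bound tokens for vote writes; that is the security-relevant outcome of the change and the reason the "Malformed token" error went away, and a later reader should not have to re-open the architecture question to learn it. A short note on how completion was verified (the error no longer reproduces, votes still appear via the indexer) would also justify the 2 hours logged against the original 4-6 hour estimate.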
···
- Bluesky social-app: Direct PDS writes via agent
- atProto OAuth spec: DPoP binding prevents token reuse
- atProto architecture: AppView = read-only indexer
130
+
### OAuth DPoP Token Architecture - Community Subscriptions
131
+
**Added:** 2025-11-02 | **Effort:** 1-2 hours | **Priority:** ALPHA BLOCKER
132
+
**Status:** ๐ TODO (Waiting for frontend implementation)
135
+
Same DPoP token issue as voting - backend cannot use user's DPoP-bound OAuth tokens to write subscription records to user's PDS.
137
+
**Affected Operations:**
138
+
- `SubscribeToCommunity()` - [service.go:564-624](../internal/core/communities/service.go#L564-L624)
139
+
- `UnsubscribeFromCommunity()` - [service.go:626-660](../internal/core/communities/service.go#L626-L660)
141
+
**Collection:** `social.coves.community.subscription`
144
+
Client writes directly using `com.atproto.repo.createRecord`:
146
+
await agent.call('com.atproto.repo.createRecord', {
148
+
collection: 'social.coves.community.subscription',
150
+
$type: 'social.coves.community.subscription',
151
+
subject: communityDid,
152
+
contentVisibility: 3,
153
+
createdAt: new Date().toISOString()
158
+
**Backend Changes Needed:**
159
+
1. Remove write-forward from `SubscribeToCommunity()` and `UnsubscribeFromCommunity()`
160
+
2. Update handlers to return errors directing to client-direct pattern
161
+
3. Verify Jetstream consumer indexes subscriptions (already working)
163
+
**Files to Modify:**
164
+
- `internal/core/communities/service.go`
165
+
- `internal/api/handlers/community/subscribe.go`
169
+
### OAuth DPoP Token Architecture - Community Blocking
170
+
**Added:** 2025-11-02 | **Effort:** 1-2 hours | **Priority:** ALPHA BLOCKER
171
+
**Status:** ๐ TODO (Waiting for frontend implementation)
174
+
Same DPoP token issue - backend cannot use user's DPoP-bound OAuth tokens to write block records to user's PDS.
176
+
**Affected Operations:**
177
+
- `BlockCommunity()` - [service.go:709-781](../internal/core/communities/service.go#L709-L781)
178
+
- `UnblockCommunity()` - [service.go:783-816](../internal/core/communities/service.go#L783-L816)
180
+
**Collection:** `social.coves.community.block`
183
+
Client writes directly using `com.atproto.repo.createRecord`:
185
+
await agent.call('com.atproto.repo.createRecord', {
187
+
collection: 'social.coves.community.block',
189
+
$type: 'social.coves.community.block',
190
+
subject: communityDid,
191
+
createdAt: new Date().toISOString()
196
+
**Backend Changes Needed:**
197
+
1. Remove write-forward from `BlockCommunity()` and `UnblockCommunity()`
198
+
2. Update handlers to return errors directing to client-direct pattern
199
+
3. Verify Jetstream consumer indexes blocks (already working)
201
+
**Files to Modify:**
202
+
- `internal/core/communities/service.go`
203
+
- `internal/api/handlers/community/block.go`
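Review bot: the client-direct pattern given for both new sections covers only the create half. `UnsubscribeFromCommunity()` and `UnblockCommunity()` are listed under Affected Operations, yet each snippet shows only `com.atproto.repo.createRecord`; unsubscribe and unblock require the client to call `com.atproto.repo.deleteRecord` with the record's rkey (which the client has to retain from the createRecord response or look up first), and step 3 ("Verify Jetstream consumer indexes subscriptions (already working)") should explicitly cover delete commits as well, otherwise the AppView keeps stale subscription and block rows after the user has removed them, which is a correctness problem for blocks in particular. Suggest adding the deleteRecord call beside each createRecord example and turning step 3 into a concrete check for both create and delete events. Also, as rendered, the createRecord call lists `collection`, `$type`, `subject` and `createdAt` at one nesting level, while createRecord takes `repo`, `collection` and a `record` object (where `$type` and the fields belong); confirm the `repo` and `record` wrapping in the snippet before the frontend copies it. Finally, with both sections marked "Waiting for frontend implementation", step 1 (removing the write-forward) has to be sequenced after the client-direct writes ship, or subscribe and block calls break in the interval; stating that ordering in the entry avoids the regression.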