···

       
38
       
38
       
 
       
PDS_ADMIN_PASSWORD=admin

     

       
39
       
39
       
 
       


     

       
40
       
40
       
 
       
# Handle domains (users will get handles like alice.local.coves.dev)

     

       
41
       
41
       
-
       
# Communities will use .communities.coves.social

     

       
42
       
42
       
-
       
PDS_SERVICE_HANDLE_DOMAINS=.local.coves.dev,.communities.coves.social

     

       
41
       
41
       
+
       
# Communities will use .community.coves.social (singular per atProto conventions)

     

       
42
       
42
       
+
       
PDS_SERVICE_HANDLE_DOMAINS=.local.coves.dev,.community.coves.social

     

       
43
       
43
       
 
       


     

       
44
       
44
       
 
       
# PLC Rotation Key (k256 private key in hex format - for local dev only)

     

       
45
       
45
       
 
       
# This is a randomly generated key for testing - DO NOT use in production

     

···

       
83
       
83
       
 
       
      PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX: ${PDS_PLC_ROTATION_KEY:-af514fb84c4356241deed29feb392d1ee359f99c05a7b8f7bff2e5f2614f64b2}

     

       
84
       
84
       
 
       


     

       
85
       
85
       
 
       
      # Service endpoints

     

       
86
       
86
       
-
       
      # Allow both user handles (.local.coves.dev) and community handles (.communities.coves.social)

     

       
87
       
87
       
-
       
      PDS_SERVICE_HANDLE_DOMAINS: ${PDS_SERVICE_HANDLE_DOMAINS:-.local.coves.dev,.communities.coves.social}

     

       
86
       
86
       
+
       
      # Allow both user handles (.local.coves.dev) and community handles (.community.coves.social)

     

       
87
       
87
       
+
       
      PDS_SERVICE_HANDLE_DOMAINS: ${PDS_SERVICE_HANDLE_DOMAINS:-.local.coves.dev,.community.coves.social}

     

       
88
       
88
       
 
       


     

       
89
       
89
       
 
       
      # Dev mode settings (allows HTTP instead of HTTPS)

     

       
90
       
90
       
 
       
      PDS_DEV_MODE: "true"

     

···

       
257
       
257
       
 
       
- [ ] **Security Checklist:** Pre-launch security audit

     

       
258
       
258
       
 
       


     

       
259
       
259
       
 
       
### Infrastructure & DNS

     

       
260
       
260
       
-
       
- [ ] **DNS Wildcard Setup:** Configure `*.communities.coves.social` for community handle resolution

     

       
261
       
261
       
-
       
- [ ] **Well-Known Endpoint:** Implement `.well-known/atproto-did` handler for `*.communities.coves.social` subdomains

     

       
260
       
260
       
+
       
- [ ] **DNS Wildcard Setup:** Configure `*.community.coves.social` for community handle resolution

     

       
261
       
261
       
+
       
- [ ] **Well-Known Endpoint:** Implement `.well-known/atproto-did` handler for `*.community.coves.social` subdomains

     

       
262
       
262
       
 
       


     

       
263
       
263
       
 
       
---

     

       
264
       
264
       
 
       


     
···

       
310
       
310
       
 
       
**Status:** ✅ Implemented and tested

     

       
311
       
311
       
 
       


     

       
312
       
312
       
 
       
**Required Fields:**

     

       
313
       
313
       
-
       
- `handle` - atProto handle (DNS-resolvable, e.g., `gaming.communities.coves.social`)

     

       
313
       
313
       
+
       
- `handle` - atProto handle (DNS-resolvable, e.g., `gaming.community.coves.social`)

     

       
314
       
314
       
 
       
- `name` - Short community name for !mentions (e.g., `gaming`)

     

       
315
       
315
       
 
       
- `createdBy` - DID of user who created community

     

       
316
       
316
       
 
       
- `hostedBy` - DID of hosting instance

     
···

       
378
       
378
       
 
       
- Follows separation of concerns: protocol layer uses DNS handles, UI layer formats for display

     

       
379
       
379
       
 
       


     

       
380
       
380
       
 
       
**Implementation:**

     

       
381
       
381
       
-
       
- Lexicon: `handle` = `gaming.communities.coves.social` (DNS-resolvable)

     

       
381
       
381
       
+
       
- Lexicon: `handle` = `gaming.community.coves.social` (DNS-resolvable)

     

       
382
       
382
       
 
       
- Client derives display: `!${name}@${instance}` from `name` + parsed instance

     

       
383
       
383
       
 
       
- Rich text facets can encode community mentions with `!` prefix for UX

     

       
384
       
384
       
 
       


     

···

       
11
       
11
       
 
       
	github.com/lestrrat-go/jwx/v2 v2.0.12

     

       
12
       
12
       
 
       
	github.com/lib/pq v1.10.9

     

       
13
       
13
       
 
       
	github.com/pressly/goose/v3 v3.22.1

     

       
14
       
14
       
+
       
	github.com/stretchr/testify v1.9.0

     

       
14
       
15
       
 
       
	golang.org/x/net v0.46.0

     

       
15
       
16
       
 
       
	golang.org/x/time v0.3.0

     

       
16
       
17
       
 
       
)

     
···

       
19
       
20
       
 
       
	github.com/beorn7/perks v1.0.1 // indirect

     

       
20
       
21
       
 
       
	github.com/carlmjohnson/versioninfo v0.22.5 // indirect

     

       
21
       
22
       
 
       
	github.com/cespare/xxhash/v2 v2.2.0 // indirect

     

       
23
       
23
       
+
       
	github.com/davecgh/go-spew v1.1.1 // indirect

     

       
22
       
24
       
 
       
	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect

     

       
23
       
25
       
 
       
	github.com/felixge/httpsnoop v1.0.4 // indirect

     

       
24
       
26
       
 
       
	github.com/go-logr/logr v1.4.1 // indirect

     
···

       
59
       
61
       
 
       
	github.com/multiformats/go-multihash v0.2.3 // indirect

     

       
60
       
62
       
 
       
	github.com/multiformats/go-varint v0.0.7 // indirect

     

       
61
       
63
       
 
       
	github.com/opentracing/opentracing-go v1.2.0 // indirect

     

       
64
       
64
       
+
       
	github.com/pmezard/go-difflib v1.0.0 // indirect

     

       
62
       
65
       
 
       
	github.com/polydawn/refmt v0.89.1-0.20221221234430-40501e09de1f // indirect

     

       
63
       
66
       
 
       
	github.com/prometheus/client_golang v1.17.0 // indirect

     

       
64
       
67
       
 
       
	github.com/prometheus/client_model v0.5.0 // indirect

     
···

       
83
       
86
       
 
       
	golang.org/x/sys v0.37.0 // indirect

     

       
84
       
87
       
 
       
	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect

     

       
85
       
88
       
 
       
	google.golang.org/protobuf v1.33.0 // indirect

     

       
89
       
89
       
+
       
	gopkg.in/yaml.v3 v3.0.1 // indirect

     

       
86
       
90
       
 
       
	lukechampine.com/blake3 v1.2.1 // indirect

     

       
87
       
91
       
 
       
)

     

···

       
312
       
312
       
 
       
	// Extract domain from community handle

     

       
313
       
313
       
 
       
	// Handle format examples:

     

       
314
       
314
       
 
       
	//   - "!gaming@coves.social" → domain: "coves.social"

     

       
315
       
315
       
-
       
	//   - "gaming.communities.coves.social" → domain: "coves.social"

     

       
315
       
315
       
+
       
	//   - "gaming.community.coves.social" → domain: "coves.social"

     

       
316
       
316
       
 
       
	handleDomain := extractDomainFromHandle(handle)

     

       
317
       
317
       
 
       
	if handleDomain == "" {

     

       
318
       
318
       
 
       
		return fmt.Errorf("failed to extract domain from handle: %s", handle)

     
···

       
430
       
430
       
 
       
// extractDomainFromHandle extracts the registrable domain from a community handle

     

       
431
       
431
       
 
       
// Handles both formats:

     

       
432
       
432
       
 
       
//   - Bluesky-style: "!gaming@coves.social" → "coves.social"

     

       
433
       
433
       
-
       
//   - DNS-style: "gaming.communities.coves.social" → "coves.social"

     

       
433
       
433
       
+
       
//   - DNS-style: "gaming.community.coves.social" → "coves.social"

     

       
434
       
434
       
 
       
//

     

       
435
       
435
       
 
       
// Uses golang.org/x/net/publicsuffix to correctly handle multi-part TLDs:

     

       
436
       
436
       
-
       
//   - "gaming.communities.coves.co.uk" → "coves.co.uk" (not "co.uk")

     

       
437
       
437
       
-
       
//   - "gaming.communities.example.com.au" → "example.com.au" (not "com.au")

     

       
436
       
436
       
+
       
//   - "gaming.community.coves.co.uk" → "coves.co.uk" (not "co.uk")

     

       
437
       
437
       
+
       
//   - "gaming.community.example.com.au" → "example.com.au" (not "com.au")

     

       
438
       
438
       
 
       
func extractDomainFromHandle(handle string) string {

     

       
439
       
439
       
 
       
	// Remove leading ! if present

     

       
440
       
440
       
 
       
	handle = strings.TrimPrefix(handle, "!")

     
···

       
456
       
456
       
 
       
		return ""

     

       
457
       
457
       
 
       
	}

     

       
458
       
458
       
 
       


     

       
459
       
459
       
-
       
	// For DNS-style handles (e.g., "gaming.communities.coves.social")

     

       
459
       
459
       
+
       
	// For DNS-style handles (e.g., "gaming.community.coves.social")

     

       
460
       
460
       
 
       
	// Extract the registrable domain (eTLD+1) using publicsuffix

     

       
461
       
461
       
 
       
	// This correctly handles multi-part TLDs like .co.uk, .com.au, etc.

     

       
462
       
462
       
 
       
	registrable, err := publicsuffix.EffectiveTLDPlusOne(handle)

     

···

       
14
       
14
       
 
       
            "type": "string",

     

       
15
       
15
       
 
       
            "maxLength": 253,

     

       
16
       
16
       
 
       
            "format": "handle",

     

       
17
       
17
       
-
       
            "description": "atProto handle (e.g., gaming.communities.coves.social) - DNS-resolvable name for this community"

     

       
17
       
17
       
+
       
            "description": "atProto handle (e.g., gaming.community.coves.social) - DNS-resolvable name for this community"

     

       
18
       
18
       
 
       
          },

     

       
19
       
19
       
 
       
          "name": {

     

       
20
       
20
       
 
       
            "type": "string",

     

···

       
1
       
1
       
 
       
package communities

     

       
2
       
2
       
 
       


     

       
3
       
3
       
 
       
import (

     

       
4
       
4
       
+
       
	"fmt"

     

       
5
       
5
       
+
       
	"strings"

     

       
4
       
6
       
 
       
	"time"

     

       
5
       
7
       
 
       
)

     

       
6
       
8
       
 
       


     
···

       
21
       
23
       
 
       
	HostedByDID            string    `json:"hostedByDid" db:"hosted_by_did"`

     

       
22
       
24
       
 
       
	PDSEmail               string    `json:"-" db:"pds_email"`

     

       
23
       
25
       
 
       
	PDSPassword            string    `json:"-" db:"pds_password_encrypted"`

     

       
24
       
24
       
-
       
	Name                   string    `json:"name" db:"name"`

     

       
26
       
26
       
+
       
	Name                   string    `json:"name" db:"name"`                        // Short name (e.g., "gardening")

     

       
27
       
27
       
+
       
	DisplayHandle          string    `json:"displayHandle,omitempty" db:"-"`        // UI hint: !gardening@coves.social (computed, not stored)

     

       
25
       
28
       
 
       
	RecordCID              string    `json:"recordCid,omitempty" db:"record_cid"`

     

       
26
       
29
       
 
       
	FederatedID            string    `json:"federatedId,omitempty" db:"federated_id"`

     

       
27
       
30
       
 
       
	PDSAccessToken         string    `json:"-" db:"pds_access_token"`

     

       
28
       
31
       
 
       
	SigningKeyPEM          string    `json:"-" db:"signing_key_encrypted"`

     

       
29
       
32
       
 
       
	ModerationType         string    `json:"moderationType,omitempty" db:"moderation_type"`

     

       
30
       
30
       
-
       
	Handle                 string    `json:"handle" db:"handle"`

     

       
33
       
33
       
+
       
	Handle                 string    `json:"handle" db:"handle"`                    // Canonical atProto handle (e.g., gardening.community.coves.social)

     

       
31
       
34
       
 
       
	PDSRefreshToken        string    `json:"-" db:"pds_refresh_token"`

     

       
32
       
35
       
 
       
	Visibility             string    `json:"visibility" db:"visibility"`

     

       
33
       
36
       
 
       
	RotationKeyPEM         string    `json:"-" db:"rotation_key_encrypted"`

     
···

       
135
       
138
       
 
       
	Limit      int    `json:"limit"`

     

       
136
       
139
       
 
       
	Offset     int    `json:"offset"`

     

       
137
       
140
       
 
       
}

     

       
141
       
141
       
+
       


     

       
142
       
142
       
+
       
// GetDisplayHandle returns the user-facing display format for a community handle

     

       
143
       
143
       
+
       
// Following Bluesky's pattern where client adds @ prefix for users, but for communities we use ! prefix

     

       
144
       
144
       
+
       
// Example: "gardening.community.coves.social" -> "!gardening@coves.social"

     

       
145
       
145
       
+
       
//

     

       
146
       
146
       
+
       
// Handles various domain formats correctly:

     

       
147
       
147
       
+
       
// - "gaming.community.coves.social" -> "!gaming@coves.social"

     

       
148
       
148
       
+
       
// - "gaming.community.coves.co.uk" -> "!gaming@coves.co.uk"

     

       
149
       
149
       
+
       
// - "test.community.dev.coves.social" -> "!test@dev.coves.social"

     

       
150
       
150
       
+
       
func (c *Community) GetDisplayHandle() string {

     

       
151
       
151
       
+
       
	// Find the ".community." substring in the handle

     

       
152
       
152
       
+
       
	communityIndex := strings.Index(c.Handle, ".community.")

     

       
153
       
153
       
+
       
	if communityIndex == -1 {

     

       
154
       
154
       
+
       
		// Fallback if format doesn't match expected pattern

     

       
155
       
155
       
+
       
		return c.Handle

     

       
156
       
156
       
+
       
	}

     

       
157
       
157
       
+
       


     

       
158
       
158
       
+
       
	// Extract name (everything before ".community.")

     

       
159
       
159
       
+
       
	name := c.Handle[:communityIndex]

     

       
160
       
160
       
+
       


     

       
161
       
161
       
+
       
	// Extract instance domain (everything after ".community.")

     

       
162
       
162
       
+
       
	// len(".community.") = 11

     

       
163
       
163
       
+
       
	instanceDomain := c.Handle[communityIndex+11:]

     

       
164
       
164
       
+
       


     

       
165
       
165
       
+
       
	return fmt.Sprintf("!%s@%s", name, instanceDomain)

     

       
166
       
166
       
+
       
}

     

···

       
15
       
15
       
 
       
// CommunityPDSAccount represents PDS account credentials for a community

     

       
16
       
16
       
 
       
type CommunityPDSAccount struct {

     

       
17
       
17
       
 
       
	DID            string // Community's DID (owns the repository)

     

       
18
       
18
       
-
       
	Handle         string // Community's handle (e.g., gaming.communities.coves.social)

     

       
18
       
18
       
+
       
	Handle         string // Community's handle (e.g., gaming.community.coves.social)

     

       
19
       
19
       
 
       
	Email          string // System email for PDS account

     

       
20
       
20
       
 
       
	Password       string // Cleartext password (MUST be encrypted before database storage)

     

       
21
       
21
       
 
       
	AccessToken    string // JWT for making API calls as the community

     
···

       
67
       
67
       
 
       
	}

     

       
68
       
68
       
 
       


     

       
69
       
69
       
 
       
	// 1. Generate unique handle for the community

     

       
70
       
70
       
-
       
	// Format: {name}.communities.{instance-domain}

     

       
71
       
71
       
-
       
	// Example: "gaming.communities.coves.social"

     

       
72
       
72
       
-
       
	handle := fmt.Sprintf("%s.communities.%s", strings.ToLower(communityName), p.instanceDomain)

     

       
70
       
70
       
+
       
	// Format: {name}.community.{instance-domain}

     

       
71
       
71
       
+
       
	// Example: "gaming.community.coves.social"

     

       
72
       
72
       
+
       
	// NOTE: Using SINGULAR "community" to follow atProto lexicon conventions

     

       
73
       
73
       
+
       
	// (all record types use singular: app.bsky.feed.post, app.bsky.graph.follow, etc.)

     

       
74
       
74
       
+
       
	handle := fmt.Sprintf("%s.community.%s", strings.ToLower(communityName), p.instanceDomain)

     

       
73
       
75
       
 
       


     

       
74
       
76
       
 
       
	// 2. Generate system email for PDS account management

     

       
75
       
77
       
 
       
	// This email is used for account operations, not for user communication

     

       
76
       
76
       
-
       
	email := fmt.Sprintf("community-%s@communities.%s", strings.ToLower(communityName), p.instanceDomain)

     

       
78
       
78
       
+
       
	email := fmt.Sprintf("community-%s@community.%s", strings.ToLower(communityName), p.instanceDomain)

     

       
77
       
79
       
 
       


     

       
78
       
80
       
 
       
	// 3. Generate secure random password (32 characters)

     

       
79
       
81
       
 
       
	// This password is never shown to users - it's for Coves to authenticate as the community

     
···

       
116
       
118
       
 
       
	// The repository layer handles encryption using pgp_sym_encrypt()

     

       
117
       
119
       
 
       
	return &CommunityPDSAccount{

     

       
118
       
120
       
 
       
		DID:            output.Did,        // The community's DID (PDS-generated)

     

       
119
       
119
       
-
       
		Handle:         output.Handle,     // e.g., gaming.communities.coves.social

     

       
120
       
120
       
-
       
		Email:          email,             // community-gaming@communities.coves.social

     

       
121
       
121
       
+
       
		Handle:         output.Handle,     // e.g., gaming.community.coves.social

     

       
122
       
122
       
+
       
		Email:          email,             // community-gaming@community.coves.social

     

       
121
       
123
       
 
       
		Password:       password,          // Cleartext - will be encrypted by repository

     

       
122
       
124
       
 
       
		AccessToken:    output.AccessJwt,  // JWT for making API calls

     

       
123
       
125
       
 
       
		RefreshToken:   output.RefreshJwt, // For refreshing sessions

     

···

       
16
       
16
       
 
       
	"time"

     

       
17
       
17
       
 
       
)

     

       
18
       
18
       
 
       


     

       
19
       
19
       
-
       
// Community handle validation regex (DNS-valid handle: name.communities.instance.com)

     

       
19
       
19
       
+
       
// Community handle validation regex (DNS-valid handle: name.community.instance.com)

     

       
20
       
20
       
 
       
// Matches standard DNS hostname format (RFC 1035)

     

       
21
       
21
       
 
       
var communityHandleRegex = regexp.MustCompile(`^([a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$`)

     

       
22
       
22
       
+
       


     

       
23
       
23
       
+
       
// DNS label validation (RFC 1035: 1-63 chars, alphanumeric + hyphen, can't start/end with hyphen)

     

       
24
       
24
       
+
       
var dnsLabelRegex = regexp.MustCompile(`^[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$`)

     

       
25
       
25
       
+
       


     

       
26
       
26
       
+
       
// Domain validation (simplified - checks for valid DNS hostname structure)

     

       
27
       
27
       
+
       
var domainRegex = regexp.MustCompile(`^([a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)*[a-zA-Z]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$`)

     

       
22
       
28
       
 
       


     

       
23
       
29
       
 
       
type communityService struct {

     

       
24
       
30
       
 
       
	// Interfaces and pointers first (better alignment)

     
···

       
125
       
131
       
 
       
	// Build community profile record

     

       
126
       
132
       
 
       
	profile := map[string]interface{}{

     

       
127
       
133
       
 
       
		"$type":      "social.coves.community.profile",

     

       
128
       
128
       
-
       
		"handle":     pdsAccount.Handle, // atProto handle (e.g., gaming.communities.coves.social)

     

       
134
       
134
       
+
       
		"handle":     pdsAccount.Handle, // atProto handle (e.g., gaming.community.coves.social)

     

       
129
       
135
       
 
       
		"name":       req.Name,          // Short name for !mentions (e.g., "gaming")

     

       
130
       
136
       
 
       
		"visibility": req.Visibility,

     

       
131
       
137
       
 
       
		"hostedBy":   s.instanceDID, // V2: Instance hosts, community owns

     
···

       
181
       
187
       
 
       
	// Build Community object with PDS credentials AND cryptographic keys

     

       
182
       
188
       
 
       
	community := &Community{

     

       
183
       
189
       
 
       
		DID:                    pdsAccount.DID,    // Community's DID (owns the repo!)

     

       
184
       
184
       
-
       
		Handle:                 pdsAccount.Handle, // atProto handle (e.g., gaming.communities.coves.social)

     

       
190
       
190
       
+
       
		Handle:                 pdsAccount.Handle, // atProto handle (e.g., gaming.community.coves.social)

     

       
185
       
191
       
 
       
		Name:                   req.Name,

     

       
186
       
192
       
 
       
		DisplayName:            req.DisplayName,

     

       
187
       
193
       
 
       
		Description:            req.Description,

     
···

       
824
       
830
       
 
       
	return nil

     

       
825
       
831
       
 
       
}

     

       
826
       
832
       
 
       


     

       
827
       
827
       
-
       
// ResolveCommunityIdentifier converts a handle or DID to a DID

     

       
833
       
833
       
+
       
// ResolveCommunityIdentifier converts a community identifier to a DID

     

       
834
       
834
       
+
       
// Following Bluesky's pattern with Coves extensions:

     

       
835
       
835
       
+
       
//

     

       
836
       
836
       
+
       
// Accepts (like Bluesky's at-identifier):

     

       
837
       
837
       
+
       
//   1. DID: did:plc:abc123 (pass through)

     

       
838
       
838
       
+
       
//   2. Canonical handle: gardening.community.coves.social (atProto standard)

     

       
839
       
839
       
+
       
//   3. At-identifier: @gardening.community.coves.social (strip @ prefix)

     

       
840
       
840
       
+
       
//

     

       
841
       
841
       
+
       
// Coves-specific extensions:

     

       
842
       
842
       
+
       
//   4. Scoped format: !gardening@coves.social (parse and resolve)

     

       
843
       
843
       
+
       
//

     

       
844
       
844
       
+
       
// Returns: DID string

     

       
828
       
845
       
 
       
func (s *communityService) ResolveCommunityIdentifier(ctx context.Context, identifier string) (string, error) {

     

       
846
       
846
       
+
       
	identifier = strings.TrimSpace(identifier)

     

       
847
       
847
       
+
       


     

       
829
       
848
       
 
       
	if identifier == "" {

     

       
830
       
849
       
 
       
		return "", ErrInvalidInput

     

       
831
       
850
       
 
       
	}

     

       
832
       
851
       
 
       


     

       
833
       
833
       
-
       
	// If it's already a DID, verify the community exists

     

       
852
       
852
       
+
       
	// 1. DID - verify it exists and return (Bluesky standard)

     

       
834
       
853
       
 
       
	if strings.HasPrefix(identifier, "did:") {

     

       
835
       
854
       
 
       
		_, err := s.repo.GetByDID(ctx, identifier)

     

       
836
       
855
       
 
       
		if err != nil {

     

       
837
       
856
       
 
       
			if IsNotFound(err) {

     

       
838
       
838
       
-
       
				return "", fmt.Errorf("community not found: %w", err)

     

       
857
       
857
       
+
       
				return "", fmt.Errorf("community not found for DID %s: %w", identifier, err)

     

       
839
       
858
       
 
       
			}

     

       
840
       
840
       
-
       
			return "", fmt.Errorf("failed to verify community DID: %w", err)

     

       
859
       
859
       
+
       
			return "", fmt.Errorf("failed to verify community DID %s: %w", identifier, err)

     

       
841
       
860
       
 
       
		}

     

       
842
       
861
       
 
       
		return identifier, nil

     

       
843
       
862
       
 
       
	}

     

       
844
       
863
       
 
       


     

       
845
       
845
       
-
       
	// If it's a handle, look it up in AppView DB

     

       
864
       
864
       
+
       
	// 2. Scoped format: !name@instance (Coves-specific)

     

       
846
       
865
       
 
       
	if strings.HasPrefix(identifier, "!") {

     

       
847
       
847
       
-
       
		community, err := s.repo.GetByHandle(ctx, identifier)

     

       
866
       
866
       
+
       
		return s.resolveScopedIdentifier(ctx, identifier)

     

       
867
       
867
       
+
       
	}

     

       
868
       
868
       
+
       


     

       
869
       
869
       
+
       
	// 3. At-identifier format: @handle (Bluesky standard - strip @ prefix)

     

       
870
       
870
       
+
       
	if strings.HasPrefix(identifier, "@") {

     

       
871
       
871
       
+
       
		identifier = strings.TrimPrefix(identifier, "@")

     

       
872
       
872
       
+
       
	}

     

       
873
       
873
       
+
       


     

       
874
       
874
       
+
       
	// 4. Canonical handle: name.community.instance.com (Bluesky standard)

     

       
875
       
875
       
+
       
	if strings.Contains(identifier, ".") {

     

       
876
       
876
       
+
       
		community, err := s.repo.GetByHandle(ctx, strings.ToLower(identifier))

     

       
848
       
877
       
 
       
		if err != nil {

     

       
849
       
849
       
-
       
			return "", err

     

       
878
       
878
       
+
       
			return "", fmt.Errorf("community not found for handle %s: %w", identifier, err)

     

       
850
       
879
       
 
       
		}

     

       
851
       
880
       
 
       
		return community.DID, nil

     

       
852
       
881
       
 
       
	}

     

       
853
       
882
       
 
       


     

       
854
       
854
       
-
       
	return "", NewValidationError("identifier", "must be a DID or handle")

     

       
883
       
883
       
+
       
	return "", NewValidationError("identifier", "must be a DID, handle, or scoped identifier (!name@instance)")

     

       
884
       
884
       
+
       
}

     

       
885
       
885
       
+
       


     

       
886
       
886
       
+
       
// resolveScopedIdentifier handles Coves-specific !name@instance format

     

       
887
       
887
       
+
       
// Formats accepted:

     

       
888
       
888
       
+
       
//   !gardening@coves.social  -> gardening.community.coves.social

     

       
889
       
889
       
+
       
func (s *communityService) resolveScopedIdentifier(ctx context.Context, scoped string) (string, error) {

     

       
890
       
890
       
+
       
	// Remove ! prefix

     

       
891
       
891
       
+
       
	scoped = strings.TrimPrefix(scoped, "!")

     

       
892
       
892
       
+
       


     

       
893
       
893
       
+
       
	var name string

     

       
894
       
894
       
+
       
	var instanceDomain string

     

       
895
       
895
       
+
       


     

       
896
       
896
       
+
       
	// Parse !name@instance

     

       
897
       
897
       
+
       
	if !strings.Contains(scoped, "@") {

     

       
898
       
898
       
+
       
		return "", NewValidationError("identifier", "scoped identifier must include @ symbol (!name@instance)")

     

       
899
       
899
       
+
       
	}

     

       
900
       
900
       
+
       


     

       
901
       
901
       
+
       
	parts := strings.SplitN(scoped, "@", 2)

     

       
902
       
902
       
+
       
	name = strings.TrimSpace(parts[0])

     

       
903
       
903
       
+
       
	instanceDomain = strings.TrimSpace(parts[1])

     

       
904
       
904
       
+
       


     

       
905
       
905
       
+
       
	// Validate name format

     

       
906
       
906
       
+
       
	if name == "" {

     

       
907
       
907
       
+
       
		return "", NewValidationError("identifier", "community name cannot be empty")

     

       
908
       
908
       
+
       
	}

     

       
909
       
909
       
+
       


     

       
910
       
910
       
+
       
	// Validate name is a valid DNS label (RFC 1035)

     

       
911
       
911
       
+
       
	// Must be 1-63 chars, alphanumeric + hyphen, can't start/end with hyphen

     

       
912
       
912
       
+
       
	if !isValidDNSLabel(name) {

     

       
913
       
913
       
+
       
		return "", NewValidationError("identifier", "community name must be valid DNS label (alphanumeric and hyphens only, 1-63 chars, cannot start or end with hyphen)")

     

       
914
       
914
       
+
       
	}

     

       
915
       
915
       
+
       


     

       
916
       
916
       
+
       
	// Validate instance domain format

     

       
917
       
917
       
+
       
	if !isValidDomain(instanceDomain) {

     

       
918
       
918
       
+
       
		return "", NewValidationError("identifier", "invalid instance domain format")

     

       
919
       
919
       
+
       
	}

     

       
920
       
920
       
+
       


     

       
921
       
921
       
+
       
	// Normalize domain to lowercase (DNS is case-insensitive)

     

       
922
       
922
       
+
       
	// This fixes the bug where !gardening@Coves.social would fail lookup

     

       
923
       
923
       
+
       
	instanceDomain = strings.ToLower(instanceDomain)

     

       
924
       
924
       
+
       


     

       
925
       
925
       
+
       
	// Validate the instance matches this server

     

       
926
       
926
       
+
       
	if !s.isLocalInstance(instanceDomain) {

     

       
927
       
927
       
+
       
		return "", NewValidationError("identifier",

     

       
928
       
928
       
+
       
			fmt.Sprintf("community is not hosted on this instance (expected @%s)", s.instanceDomain))

     

       
929
       
929
       
+
       
	}

     

       
930
       
930
       
+
       


     

       
931
       
931
       
+
       
	// Construct canonical handle: {name}.community.{instanceDomain}

     

       
932
       
932
       
+
       
	// Both name and instanceDomain are normalized to lowercase for consistent DB lookup

     

       
933
       
933
       
+
       
	canonicalHandle := fmt.Sprintf("%s.community.%s",

     

       
934
       
934
       
+
       
		strings.ToLower(name),

     

       
935
       
935
       
+
       
		instanceDomain) // Already normalized to lowercase on line 923

     

       
936
       
936
       
+
       


     

       
937
       
937
       
+
       
	// Look up by canonical handle

     

       
938
       
938
       
+
       
	community, err := s.repo.GetByHandle(ctx, canonicalHandle)

     

       
939
       
939
       
+
       
	if err != nil {

     

       
940
       
940
       
+
       
		return "", fmt.Errorf("community not found for scoped identifier !%s@%s: %w", name, instanceDomain, err)

     

       
941
       
941
       
+
       
	}

     

       
942
       
942
       
+
       


     

       
943
       
943
       
+
       
	return community.DID, nil

     

       
944
       
944
       
+
       
}

     

       
945
       
945
       
+
       


     

       
946
       
946
       
+
       
// isLocalInstance checks if the provided domain matches this instance

     

       
947
       
947
       
+
       
func (s *communityService) isLocalInstance(domain string) bool {

     

       
948
       
948
       
+
       
	// Normalize both domains

     

       
949
       
949
       
+
       
	domain = strings.ToLower(strings.TrimSpace(domain))

     

       
950
       
950
       
+
       
	instanceDomain := strings.ToLower(s.instanceDomain)

     

       
951
       
951
       
+
       


     

       
952
       
952
       
+
       
	// Direct match

     

       
953
       
953
       
+
       
	return domain == instanceDomain

     

       
855
       
954
       
 
       
}

     

       
856
       
955
       
 
       


     

       
857
       
956
       
 
       
// Validation helpers

     

       
858
       
957
       
 
       


     

       
958
       
958
       
+
       
// isValidDNSLabel validates that a string is a valid DNS label per RFC 1035

     

       
959
       
959
       
+
       
// - 1-63 characters

     

       
960
       
960
       
+
       
// - Alphanumeric and hyphens only

     

       
961
       
961
       
+
       
// - Cannot start or end with hyphen

     

       
962
       
962
       
+
       
func isValidDNSLabel(label string) bool {

     

       
963
       
963
       
+
       
	return dnsLabelRegex.MatchString(label)

     

       
964
       
964
       
+
       
}

     

       
965
       
965
       
+
       


     

       
966
       
966
       
+
       
// isValidDomain validates that a string is a valid domain name

     

       
967
       
967
       
+
       
// Simplified validation - checks basic DNS hostname structure

     

       
968
       
968
       
+
       
func isValidDomain(domain string) bool {

     

       
969
       
969
       
+
       
	if domain == "" || len(domain) > 253 {

     

       
970
       
970
       
+
       
		return false

     

       
971
       
971
       
+
       
	}

     

       
972
       
972
       
+
       
	return domainRegex.MatchString(domain)

     

       
973
       
973
       
+
       
}

     

       
974
       
974
       
+
       


     

       
859
       
975
       
 
       
func (s *communityService) validateCreateRequest(req CreateCommunityRequest) error {

     

       
860
       
976
       
 
       
	if req.Name == "" {

     

       
861
       
977
       
 
       
		return NewValidationError("name", "required")

     

       
862
       
978
       
 
       
	}

     

       
863
       
979
       
 
       


     

       
864
       
980
       
 
       
	// DNS label limit: 63 characters per label

     

       
865
       
865
       
-
       
	// Community handle format: {name}.communities.{instanceDomain}

     

       
981
       
981
       
+
       
	// Community handle format: {name}.community.{instanceDomain}

     

       
866
       
982
       
 
       
	// The first label is just req.Name, so it must be <= 63 chars

     

       
867
       
983
       
 
       
	if len(req.Name) > 63 {

     

       
868
       
984
       
 
       
		return NewValidationError("name", "must be 63 characters or less (DNS label limit)")

     

···

       
1
       
1
       
+
       
-- +goose Up

     

       
2
       
2
       
+
       
-- +goose StatementBegin

     

       
3
       
3
       
+
       


     

       
4
       
4
       
+
       
-- Migration: Rename community handles from .communities. to .community.

     

       
5
       
5
       
+
       
-- This aligns with AT Protocol lexicon naming conventions (singular form)

     

       
6
       
6
       
+
       
--

     

       
7
       
7
       
+
       
-- Background:

     

       
8
       
8
       
+
       
-- All atProto record types use singular form (app.bsky.feed.post, app.bsky.graph.follow)

     

       
9
       
9
       
+
       
-- This migration updates existing community handles to follow the same pattern

     

       
10
       
10
       
+
       
--

     

       
11
       
11
       
+
       
-- Examples:

     

       
12
       
12
       
+
       
--   gardening.communities.coves.social -> gardening.community.coves.social

     

       
13
       
13
       
+
       
--   gaming.communities.coves.social -> gaming.community.coves.social

     

       
14
       
14
       
+
       
--

     

       
15
       
15
       
+
       
-- Safety: Uses REPLACE which only affects handles containing '.communities.'

     

       
16
       
16
       
+
       
-- Rollback: Available via down migration below

     

       
17
       
17
       
+
       


     

       
18
       
18
       
+
       
-- Update community handles in the communities table

     

       
19
       
19
       
+
       
UPDATE communities

     

       
20
       
20
       
+
       
SET handle = REPLACE(handle, '.communities.', '.community.')

     

       
21
       
21
       
+
       
WHERE handle LIKE '%.communities.%';

     

       
22
       
22
       
+
       


     

       
23
       
23
       
+
       
-- Verify the migration (optional - can be commented out in production)

     

       
24
       
24
       
+
       
-- This will fail if any .communities. handles remain

     

       
25
       
25
       
+
       
DO $$

     

       
26
       
26
       
+
       
DECLARE

     

       
27
       
27
       
+
       
    old_format_count INTEGER;

     

       
28
       
28
       
+
       
BEGIN

     

       
29
       
29
       
+
       
    SELECT COUNT(*) INTO old_format_count

     

       
30
       
30
       
+
       
    FROM communities

     

       
31
       
31
       
+
       
    WHERE handle LIKE '%.communities.%';

     

       
32
       
32
       
+
       


     

       
33
       
33
       
+
       
    IF old_format_count > 0 THEN

     

       
34
       
34
       
+
       
        RAISE EXCEPTION 'Migration incomplete: % communities still have .communities. format', old_format_count;

     

       
35
       
35
       
+
       
    END IF;

     

       
36
       
36
       
+
       


     

       
37
       
37
       
+
       
    RAISE NOTICE 'Migration successful: All community handles updated to .community. format';

     

       
38
       
38
       
+
       
END $$;

     

       
39
       
39
       
+
       


     

       
40
       
40
       
+
       
-- +goose StatementEnd

     

       
41
       
41
       
+
       


     

       
42
       
42
       
+
       
-- +goose Down

     

       
43
       
43
       
+
       
-- +goose StatementBegin

     

       
44
       
44
       
+
       


     

       
45
       
45
       
+
       
-- Rollback: Revert handles from .community. back to .communities.

     

       
46
       
46
       
+
       
-- Only use this if you need to rollback the naming convention change

     

       
47
       
47
       
+
       


     

       
48
       
48
       
+
       
UPDATE communities

     

       
49
       
49
       
+
       
SET handle = REPLACE(handle, '.community.', '.communities.')

     

       
50
       
50
       
+
       
WHERE handle LIKE '%.community.%';

     

       
51
       
51
       
+
       


     

       
52
       
52
       
+
       
-- Verify the rollback

     

       
53
       
53
       
+
       
DO $$

     

       
54
       
54
       
+
       
DECLARE

     

       
55
       
55
       
+
       
    new_format_count INTEGER;

     

       
56
       
56
       
+
       
BEGIN

     

       
57
       
57
       
+
       
    SELECT COUNT(*) INTO new_format_count

     

       
58
       
58
       
+
       
    FROM communities

     

       
59
       
59
       
+
       
    WHERE handle LIKE '%.community.%';

     

       
60
       
60
       
+
       


     

       
61
       
61
       
+
       
    IF new_format_count > 0 THEN

     

       
62
       
62
       
+
       
        RAISE EXCEPTION 'Rollback incomplete: % communities still have .community. format', new_format_count;

     

       
63
       
63
       
+
       
    END IF;

     

       
64
       
64
       
+
       


     

       
65
       
65
       
+
       
    RAISE NOTICE 'Rollback successful: All community handles reverted to .communities. format';

     

       
66
       
66
       
+
       
END $$;

     

       
67
       
67
       
+
       


     

       
68
       
68
       
+
       
-- +goose StatementEnd

     

···

       
158
       
158
       
 
       
	// ====================================================================================

     

       
159
       
159
       
 
       
	t.Run("1. Write-Forward to PDS", func(t *testing.T) {

     

       
160
       
160
       
 
       
		// Use shorter names to avoid "Handle too long" errors

     

       
161
       
161
       
-
       
		// atProto handles max: 63 chars, format: name.communities.coves.social

     

       
161
       
161
       
+
       
		// atProto handles max: 63 chars, format: name.community.coves.social

     

       
162
       
162
       
 
       
		communityName := fmt.Sprintf("e2e-%d", time.Now().Unix())

     

       
163
       
163
       
 
       


     

       
164
       
164
       
 
       
		createReq := communities.CreateCommunityRequest{

     
···

       
190
       
190
       
 
       


     

       
191
       
191
       
 
       
		// V2: Verify PDS account was created for the community

     

       
192
       
192
       
 
       
		t.Logf("\n🔍 V2: Verifying community PDS account exists...")

     

       
193
       
193
       
-
       
		expectedHandle := fmt.Sprintf("%s.communities.%s", communityName, instanceDomain)

     

       
193
       
193
       
+
       
		expectedHandle := fmt.Sprintf("%s.community.%s", communityName, instanceDomain)

     

       
194
       
194
       
 
       
		t.Logf("   Expected handle: %s", expectedHandle)

     

       
195
       
195
       
-
       
		t.Logf("   (Using subdomain: *.communities.%s)", instanceDomain)

     

       
195
       
195
       
+
       
		t.Logf("   (Using subdomain: *.community.%s)", instanceDomain)

     

       
196
       
196
       
 
       


     

       
197
       
197
       
 
       
		accountDID, accountHandle, err := queryPDSAccount(pdsURL, expectedHandle)

     

       
198
       
198
       
 
       
		if err != nil {

     

···

       
41
       
41
       
 
       
				RKey:       "self",

     

       
42
       
42
       
 
       
				CID:        "bafy123abc",

     

       
43
       
43
       
 
       
				Record: map[string]interface{}{

     

       
44
       
44
       
-
       
					"handle":      "gaming.communities.coves.social", // coves.social handle

     

       
44
       
44
       
+
       
					"handle":      "gaming.community.coves.social", // coves.social handle

     

       
45
       
45
       
 
       
					"name":        "gaming",

     

       
46
       
46
       
 
       
					"displayName": "Nintendo Gaming",

     

       
47
       
47
       
 
       
					"description": "Fake Nintendo community",

     
···

       
97
       
97
       
 
       
				RKey:       "self",

     

       
98
       
98
       
 
       
				CID:        "bafy123abc",

     

       
99
       
99
       
 
       
				Record: map[string]interface{}{

     

       
100
       
100
       
-
       
					"handle":      "gaming.communities.coves.social", // coves.social handle

     

       
100
       
100
       
+
       
					"handle":      "gaming.community.coves.social", // coves.social handle

     

       
101
       
101
       
 
       
					"name":        "gaming",

     

       
102
       
102
       
 
       
					"displayName": "Gaming Community",

     

       
103
       
103
       
 
       
					"description": "Legitimate coves.social community",

     
···

       
149
       
149
       
 
       
				RKey:       "self",

     

       
150
       
150
       
 
       
				CID:        "bafy123abc",

     

       
151
       
151
       
 
       
				Record: map[string]interface{}{

     

       
152
       
152
       
-
       
					"handle":      "gaming.communities.coves.social",

     

       
152
       
152
       
+
       
					"handle":      "gaming.community.coves.social",

     

       
153
       
153
       
 
       
					"name":        "gaming",

     

       
154
       
154
       
 
       
					"displayName": "Test Community",

     

       
155
       
155
       
 
       
					"description": "Test",

     
···

       
193
       
193
       
 
       
				RKey:       "self",

     

       
194
       
194
       
 
       
				CID:        "bafy123abc",

     

       
195
       
195
       
 
       
				Record: map[string]interface{}{

     

       
196
       
196
       
-
       
					"handle":      "gaming.communities.example.com",

     

       
196
       
196
       
+
       
					"handle":      "gaming.community.example.com",

     

       
197
       
197
       
 
       
					"name":        "gaming",

     

       
198
       
198
       
 
       
					"displayName": "Test",

     

       
199
       
199
       
 
       
					"description": "Test",

     
···

       
245
       
245
       
 
       
	}{

     

       
246
       
246
       
 
       
		{

     

       
247
       
247
       
 
       
			name:          "DNS-style handle with subdomain",

     

       
248
       
248
       
-
       
			handle:        "gaming.communities.coves.social",

     

       
248
       
248
       
+
       
			handle:        "gaming.community.coves.social",

     

       
249
       
249
       
 
       
			hostedByDID:   "did:web:coves.social",

     

       
250
       
250
       
 
       
			shouldSucceed: true,

     

       
251
       
251
       
 
       
		},

     
···

       
257
       
257
       
 
       
		},

     

       
258
       
258
       
 
       
		{

     

       
259
       
259
       
 
       
			name:          "Multi-part subdomain",

     

       
260
       
260
       
-
       
			handle:        "gaming.test.communities.example.com",

     

       
260
       
260
       
+
       
			handle:        "gaming.test.community.example.com",

     

       
261
       
261
       
 
       
			hostedByDID:   "did:web:example.com",

     

       
262
       
262
       
 
       
			shouldSucceed: true,

     

       
263
       
263
       
 
       
		},

     

       
264
       
264
       
 
       
		{

     

       
265
       
265
       
 
       
			name:          "Mismatched domain",

     

       
266
       
266
       
-
       
			handle:        "gaming.communities.coves.social",

     

       
266
       
266
       
+
       
			handle:        "gaming.community.coves.social",

     

       
267
       
267
       
 
       
			hostedByDID:   "did:web:example.com",

     

       
268
       
268
       
 
       
			shouldSucceed: false,

     

       
269
       
269
       
 
       
		},

     

       
270
       
270
       
 
       
		// CRITICAL: Multi-part TLD tests (PR review feedback)

     

       
271
       
271
       
 
       
		{

     

       
272
       
272
       
 
       
			name:          "Multi-part TLD: .co.uk",

     

       
273
       
273
       
-
       
			handle:        "gaming.communities.coves.co.uk",

     

       
273
       
273
       
+
       
			handle:        "gaming.community.coves.co.uk",

     

       
274
       
274
       
 
       
			hostedByDID:   "did:web:coves.co.uk",

     

       
275
       
275
       
 
       
			shouldSucceed: true,

     

       
276
       
276
       
 
       
		},

     

       
277
       
277
       
 
       
		{

     

       
278
       
278
       
 
       
			name:          "Multi-part TLD: .com.au",

     

       
279
       
279
       
-
       
			handle:        "gaming.communities.example.com.au",

     

       
279
       
279
       
+
       
			handle:        "gaming.community.example.com.au",

     

       
280
       
280
       
 
       
			hostedByDID:   "did:web:example.com.au",

     

       
281
       
281
       
 
       
			shouldSucceed: true,

     

       
282
       
282
       
 
       
		},

     

       
283
       
283
       
 
       
		{

     

       
284
       
284
       
 
       
			name:          "Multi-part TLD: Reject incorrect .co.uk extraction",

     

       
285
       
285
       
-
       
			handle:        "gaming.communities.coves.co.uk",

     

       
285
       
285
       
+
       
			handle:        "gaming.community.coves.co.uk",

     

       
286
       
286
       
 
       
			hostedByDID:   "did:web:co.uk", // Wrong! Should be coves.co.uk

     

       
287
       
287
       
 
       
			shouldSucceed: false,

     

       
288
       
288
       
 
       
		},

     

       
289
       
289
       
 
       
		{

     

       
290
       
290
       
 
       
			name:          "Multi-part TLD: .org.uk",

     

       
291
       
291
       
-
       
			handle:        "gaming.communities.myinstance.org.uk",

     

       
291
       
291
       
+
       
			handle:        "gaming.community.myinstance.org.uk",

     

       
292
       
292
       
 
       
			hostedByDID:   "did:web:myinstance.org.uk",

     

       
293
       
293
       
 
       
			shouldSucceed: true,

     

       
294
       
294
       
 
       
		},

     

       
295
       
295
       
 
       
		{

     

       
296
       
296
       
 
       
			name:          "Multi-part TLD: .ac.uk",

     

       
297
       
297
       
-
       
			handle:        "gaming.communities.university.ac.uk",

     

       
297
       
297
       
+
       
			handle:        "gaming.community.university.ac.uk",

     

       
298
       
298
       
 
       
			hostedByDID:   "did:web:university.ac.uk",

     

       
299
       
299
       
 
       
			shouldSucceed: true,

     

       
300
       
300
       
 
       
		},

     

···

       
1
       
1
       
+
       
package integration

     

       
2
       
2
       
+
       


     

       
3
       
3
       
+
       
import (

     

       
4
       
4
       
+
       
	"Coves/internal/core/communities"

     

       
5
       
5
       
+
       
	"Coves/internal/db/postgres"

     

       
6
       
6
       
+
       
	"context"

     

       
7
       
7
       
+
       
	"fmt"

     

       
8
       
8
       
+
       
	"os"

     

       
9
       
9
       
+
       
	"strings"

     

       
10
       
10
       
+
       
	"testing"

     

       
11
       
11
       
+
       
	"time"

     

       
12
       
12
       
+
       


     

       
13
       
13
       
+
       
	"github.com/stretchr/testify/assert"

     

       
14
       
14
       
+
       
	"github.com/stretchr/testify/require"

     

       
15
       
15
       
+
       
)

     

       
16
       
16
       
+
       


     

       
17
       
17
       
+
       
// TestCommunityIdentifierResolution tests all formats accepted by ResolveCommunityIdentifier

     

       
18
       
18
       
+
       
func TestCommunityIdentifierResolution(t *testing.T) {

     

       
19
       
19
       
+
       
	if testing.Short() {

     

       
20
       
20
       
+
       
		t.Skip("Skipping integration test in short mode")

     

       
21
       
21
       
+
       
	}

     

       
22
       
22
       
+
       


     

       
23
       
23
       
+
       
	db := setupTestDB(t)

     

       
24
       
24
       
+
       
	defer func() {

     

       
25
       
25
       
+
       
		if err := db.Close(); err != nil {

     

       
26
       
26
       
+
       
			t.Logf("Failed to close database: %v", err)

     

       
27
       
27
       
+
       
		}

     

       
28
       
28
       
+
       
	}()

     

       
29
       
29
       
+
       


     

       
30
       
30
       
+
       
	repo := postgres.NewCommunityRepository(db)

     

       
31
       
31
       
+
       
	ctx := context.Background()

     

       
32
       
32
       
+
       


     

       
33
       
33
       
+
       
	// Get configuration from environment

     

       
34
       
34
       
+
       
	pdsURL := os.Getenv("PDS_URL")

     

       
35
       
35
       
+
       
	if pdsURL == "" {

     

       
36
       
36
       
+
       
		pdsURL = "http://localhost:3000"

     

       
37
       
37
       
+
       
	}

     

       
38
       
38
       
+
       


     

       
39
       
39
       
+
       
	instanceDomain := os.Getenv("INSTANCE_DOMAIN")

     

       
40
       
40
       
+
       
	if instanceDomain == "" {

     

       
41
       
41
       
+
       
		instanceDomain = "coves.social"

     

       
42
       
42
       
+
       
	}

     

       
43
       
43
       
+
       


     

       
44
       
44
       
+
       
	// Create provisioner (signature: instanceDomain, pdsURL)

     

       
45
       
45
       
+
       
	provisioner := communities.NewPDSAccountProvisioner(instanceDomain, pdsURL)

     

       
46
       
46
       
+
       


     

       
47
       
47
       
+
       
	// Create service

     

       
48
       
48
       
+
       
	instanceDID := os.Getenv("INSTANCE_DID")

     

       
49
       
49
       
+
       
	if instanceDID == "" {

     

       
50
       
50
       
+
       
		instanceDID = "did:web:" + instanceDomain

     

       
51
       
51
       
+
       
	}

     

       
52
       
52
       
+
       


     

       
53
       
53
       
+
       
	service := communities.NewCommunityService(

     

       
54
       
54
       
+
       
		repo,

     

       
55
       
55
       
+
       
		pdsURL,

     

       
56
       
56
       
+
       
		instanceDID,

     

       
57
       
57
       
+
       
		instanceDomain,

     

       
58
       
58
       
+
       
		provisioner,

     

       
59
       
59
       
+
       
	)

     

       
60
       
60
       
+
       


     

       
61
       
61
       
+
       
	// Create a test community to resolve

     

       
62
       
62
       
+
       
	uniqueName := fmt.Sprintf("test%d", time.Now().UnixNano()%1000000)

     

       
63
       
63
       
+
       
	req := communities.CreateCommunityRequest{

     

       
64
       
64
       
+
       
		Name:                   uniqueName,

     

       
65
       
65
       
+
       
		DisplayName:            "Test Community",

     

       
66
       
66
       
+
       
		Description:            "A test community for identifier resolution",

     

       
67
       
67
       
+
       
		Visibility:             "public",

     

       
68
       
68
       
+
       
		CreatedByDID:           "did:plc:testowner123",

     

       
69
       
69
       
+
       
		HostedByDID:            instanceDID,

     

       
70
       
70
       
+
       
		AllowExternalDiscovery: true,

     

       
71
       
71
       
+
       
	}

     

       
72
       
72
       
+
       


     

       
73
       
73
       
+
       
	community, err := service.CreateCommunity(ctx, req)

     

       
74
       
74
       
+
       
	require.NoError(t, err, "Failed to create test community")

     

       
75
       
75
       
+
       
	require.NotNil(t, community)

     

       
76
       
76
       
+
       


     

       
77
       
77
       
+
       
	t.Run("DID format", func(t *testing.T) {

     

       
78
       
78
       
+
       
		t.Run("resolves valid DID", func(t *testing.T) {

     

       
79
       
79
       
+
       
			did, err := service.ResolveCommunityIdentifier(ctx, community.DID)

     

       
80
       
80
       
+
       
			require.NoError(t, err)

     

       
81
       
81
       
+
       
			assert.Equal(t, community.DID, did)

     

       
82
       
82
       
+
       
		})

     

       
83
       
83
       
+
       


     

       
84
       
84
       
+
       
		t.Run("rejects non-existent DID", func(t *testing.T) {

     

       
85
       
85
       
+
       
			_, err := service.ResolveCommunityIdentifier(ctx, "did:plc:nonexistent123")

     

       
86
       
86
       
+
       
			require.Error(t, err)

     

       
87
       
87
       
+
       
			assert.Contains(t, err.Error(), "community not found")

     

       
88
       
88
       
+
       
		})

     

       
89
       
89
       
+
       


     

       
90
       
90
       
+
       
		t.Run("rejects malformed DID", func(t *testing.T) {

     

       
91
       
91
       
+
       
			_, err := service.ResolveCommunityIdentifier(ctx, "did:invalid")

     

       
92
       
92
       
+
       
			require.Error(t, err)

     

       
93
       
93
       
+
       
		})

     

       
94
       
94
       
+
       
	})

     

       
95
       
95
       
+
       


     

       
96
       
96
       
+
       
	t.Run("Canonical handle format", func(t *testing.T) {

     

       
97
       
97
       
+
       
		t.Run("resolves lowercase canonical handle", func(t *testing.T) {

     

       
98
       
98
       
+
       
			did, err := service.ResolveCommunityIdentifier(ctx, community.Handle)

     

       
99
       
99
       
+
       
			require.NoError(t, err)

     

       
100
       
100
       
+
       
			assert.Equal(t, community.DID, did)

     

       
101
       
101
       
+
       
		})

     

       
102
       
102
       
+
       


     

       
103
       
103
       
+
       
		t.Run("resolves uppercase canonical handle (case-insensitive)", func(t *testing.T) {

     

       
104
       
104
       
+
       
			// Use actual community handle in uppercase

     

       
105
       
105
       
+
       
			upperHandle := fmt.Sprintf("%s.COMMUNITY.%s", uniqueName, strings.ToUpper(instanceDomain))

     

       
106
       
106
       
+
       
			did, err := service.ResolveCommunityIdentifier(ctx, upperHandle)

     

       
107
       
107
       
+
       
			require.NoError(t, err)

     

       
108
       
108
       
+
       
			assert.Equal(t, community.DID, did)

     

       
109
       
109
       
+
       
		})

     

       
110
       
110
       
+
       


     

       
111
       
111
       
+
       
		t.Run("rejects non-existent canonical handle", func(t *testing.T) {

     

       
112
       
112
       
+
       
			_, err := service.ResolveCommunityIdentifier(ctx, fmt.Sprintf("nonexistent.community.%s", instanceDomain))

     

       
113
       
113
       
+
       
			require.Error(t, err)

     

       
114
       
114
       
+
       
			assert.Contains(t, err.Error(), "community not found")

     

       
115
       
115
       
+
       
		})

     

       
116
       
116
       
+
       
	})

     

       
117
       
117
       
+
       


     

       
118
       
118
       
+
       
	t.Run("At-identifier format", func(t *testing.T) {

     

       
119
       
119
       
+
       
		t.Run("resolves @-prefixed handle", func(t *testing.T) {

     

       
120
       
120
       
+
       
			atHandle := "@" + community.Handle

     

       
121
       
121
       
+
       
			did, err := service.ResolveCommunityIdentifier(ctx, atHandle)

     

       
122
       
122
       
+
       
			require.NoError(t, err)

     

       
123
       
123
       
+
       
			assert.Equal(t, community.DID, did)

     

       
124
       
124
       
+
       
		})

     

       
125
       
125
       
+
       


     

       
126
       
126
       
+
       
		t.Run("resolves @-prefixed handle with uppercase (case-insensitive)", func(t *testing.T) {

     

       
127
       
127
       
+
       
			atHandle := "@" + fmt.Sprintf("%s.COMMUNITY.%s", uniqueName, strings.ToUpper(instanceDomain))

     

       
128
       
128
       
+
       
			did, err := service.ResolveCommunityIdentifier(ctx, atHandle)

     

       
129
       
129
       
+
       
			require.NoError(t, err)

     

       
130
       
130
       
+
       
			assert.Equal(t, community.DID, did)

     

       
131
       
131
       
+
       
		})

     

       
132
       
132
       
+
       
	})

     

       
133
       
133
       
+
       


     

       
134
       
134
       
+
       
	t.Run("Scoped format (!name@instance)", func(t *testing.T) {

     

       
135
       
135
       
+
       
		t.Run("resolves valid scoped identifier", func(t *testing.T) {

     

       
136
       
136
       
+
       
			scopedID := fmt.Sprintf("!%s@%s", uniqueName, instanceDomain)

     

       
137
       
137
       
+
       
			did, err := service.ResolveCommunityIdentifier(ctx, scopedID)

     

       
138
       
138
       
+
       
			require.NoError(t, err)

     

       
139
       
139
       
+
       
			assert.Equal(t, community.DID, did)

     

       
140
       
140
       
+
       
		})

     

       
141
       
141
       
+
       


     

       
142
       
142
       
+
       
		t.Run("resolves uppercase scoped identifier (case-insensitive domain)", func(t *testing.T) {

     

       
143
       
143
       
+
       
			scopedID := fmt.Sprintf("!%s@%s", uniqueName, strings.ToUpper(instanceDomain))

     

       
144
       
144
       
+
       
			did, err := service.ResolveCommunityIdentifier(ctx, scopedID)

     

       
145
       
145
       
+
       
			require.NoError(t, err, "Should normalize uppercase domain to lowercase")

     

       
146
       
146
       
+
       
			assert.Equal(t, community.DID, did)

     

       
147
       
147
       
+
       
		})

     

       
148
       
148
       
+
       


     

       
149
       
149
       
+
       
		t.Run("resolves mixed-case scoped identifier", func(t *testing.T) {

     

       
150
       
150
       
+
       
			// Mix case of domain

     

       
151
       
151
       
+
       
			mixedDomain := ""

     

       
152
       
152
       
+
       
			for i, c := range instanceDomain {

     

       
153
       
153
       
+
       
				if i%2 == 0 {

     

       
154
       
154
       
+
       
					mixedDomain += strings.ToUpper(string(c))

     

       
155
       
155
       
+
       
				} else {

     

       
156
       
156
       
+
       
					mixedDomain += strings.ToLower(string(c))

     

       
157
       
157
       
+
       
				}

     

       
158
       
158
       
+
       
			}

     

       
159
       
159
       
+
       
			scopedID := fmt.Sprintf("!%s@%s", uniqueName, mixedDomain)

     

       
160
       
160
       
+
       
			did, err := service.ResolveCommunityIdentifier(ctx, scopedID)

     

       
161
       
161
       
+
       
			require.NoError(t, err, "Should normalize all parts to lowercase")

     

       
162
       
162
       
+
       
			assert.Equal(t, community.DID, did)

     

       
163
       
163
       
+
       
		})

     

       
164
       
164
       
+
       


     

       
165
       
165
       
+
       
		t.Run("rejects scoped identifier without @ symbol", func(t *testing.T) {

     

       
166
       
166
       
+
       
			_, err := service.ResolveCommunityIdentifier(ctx, "!testcommunity")

     

       
167
       
167
       
+
       
			require.Error(t, err)

     

       
168
       
168
       
+
       
			assert.Contains(t, err.Error(), "must include @ symbol")

     

       
169
       
169
       
+
       
		})

     

       
170
       
170
       
+
       


     

       
171
       
171
       
+
       
		t.Run("rejects scoped identifier with empty name", func(t *testing.T) {

     

       
172
       
172
       
+
       
			_, err := service.ResolveCommunityIdentifier(ctx, fmt.Sprintf("!@%s", instanceDomain))

     

       
173
       
173
       
+
       
			require.Error(t, err)

     

       
174
       
174
       
+
       
			assert.Contains(t, err.Error(), "community name cannot be empty")

     

       
175
       
175
       
+
       
		})

     

       
176
       
176
       
+
       


     

       
177
       
177
       
+
       
		t.Run("rejects scoped identifier with wrong instance", func(t *testing.T) {

     

       
178
       
178
       
+
       
			_, err := service.ResolveCommunityIdentifier(ctx, "!testcommunity@wrong.social")

     

       
179
       
179
       
+
       
			require.Error(t, err)

     

       
180
       
180
       
+
       
			assert.Contains(t, err.Error(), "not hosted on this instance")

     

       
181
       
181
       
+
       
		})

     

       
182
       
182
       
+
       


     

       
183
       
183
       
+
       
		t.Run("rejects non-existent community in scoped format", func(t *testing.T) {

     

       
184
       
184
       
+
       
			_, err := service.ResolveCommunityIdentifier(ctx, fmt.Sprintf("!nonexistent@%s", instanceDomain))

     

       
185
       
185
       
+
       
			require.Error(t, err)

     

       
186
       
186
       
+
       
			assert.Contains(t, err.Error(), "community not found")

     

       
187
       
187
       
+
       
		})

     

       
188
       
188
       
+
       
	})

     

       
189
       
189
       
+
       


     

       
190
       
190
       
+
       
	t.Run("Edge cases", func(t *testing.T) {

     

       
191
       
191
       
+
       
		t.Run("rejects empty identifier", func(t *testing.T) {

     

       
192
       
192
       
+
       
			_, err := service.ResolveCommunityIdentifier(ctx, "")

     

       
193
       
193
       
+
       
			require.Error(t, err)

     

       
194
       
194
       
+
       
		})

     

       
195
       
195
       
+
       


     

       
196
       
196
       
+
       
		t.Run("rejects whitespace-only identifier", func(t *testing.T) {

     

       
197
       
197
       
+
       
			_, err := service.ResolveCommunityIdentifier(ctx, "   ")

     

       
198
       
198
       
+
       
			require.Error(t, err)

     

       
199
       
199
       
+
       
		})

     

       
200
       
200
       
+
       


     

       
201
       
201
       
+
       
		t.Run("handles leading/trailing whitespace in valid identifier", func(t *testing.T) {

     

       
202
       
202
       
+
       
			did, err := service.ResolveCommunityIdentifier(ctx, "  "+community.Handle+"  ")

     

       
203
       
203
       
+
       
			require.NoError(t, err)

     

       
204
       
204
       
+
       
			assert.Equal(t, community.DID, did)

     

       
205
       
205
       
+
       
		})

     

       
206
       
206
       
+
       


     

       
207
       
207
       
+
       
		t.Run("rejects identifier without dots (not a valid handle)", func(t *testing.T) {

     

       
208
       
208
       
+
       
			_, err := service.ResolveCommunityIdentifier(ctx, "nodots")

     

       
209
       
209
       
+
       
			require.Error(t, err)

     

       
210
       
210
       
+
       
			assert.Contains(t, err.Error(), "must be a DID, handle, or scoped identifier")

     

       
211
       
211
       
+
       
		})

     

       
212
       
212
       
+
       
	})

     

       
213
       
213
       
+
       
}

     

       
214
       
214
       
+
       


     

       
215
       
215
       
+
       
// TestResolveScopedIdentifier_InputValidation tests input sanitization

     

       
216
       
216
       
+
       
func TestResolveScopedIdentifier_InputValidation(t *testing.T) {

     

       
217
       
217
       
+
       
	if testing.Short() {

     

       
218
       
218
       
+
       
		t.Skip("Skipping integration test in short mode")

     

       
219
       
219
       
+
       
	}

     

       
220
       
220
       
+
       


     

       
221
       
221
       
+
       
	db := setupTestDB(t)

     

       
222
       
222
       
+
       
	defer func() {

     

       
223
       
223
       
+
       
		if err := db.Close(); err != nil {

     

       
224
       
224
       
+
       
			t.Logf("Failed to close database: %v", err)

     

       
225
       
225
       
+
       
		}

     

       
226
       
226
       
+
       
	}()

     

       
227
       
227
       
+
       


     

       
228
       
228
       
+
       
	repo := postgres.NewCommunityRepository(db)

     

       
229
       
229
       
+
       
	ctx := context.Background()

     

       
230
       
230
       
+
       


     

       
231
       
231
       
+
       
	pdsURL := os.Getenv("PDS_URL")

     

       
232
       
232
       
+
       
	if pdsURL == "" {

     

       
233
       
233
       
+
       
		pdsURL = "http://localhost:3000"

     

       
234
       
234
       
+
       
	}

     

       
235
       
235
       
+
       


     

       
236
       
236
       
+
       
	instanceDomain := os.Getenv("INSTANCE_DOMAIN")

     

       
237
       
237
       
+
       
	if instanceDomain == "" {

     

       
238
       
238
       
+
       
		instanceDomain = "coves.social"

     

       
239
       
239
       
+
       
	}

     

       
240
       
240
       
+
       


     

       
241
       
241
       
+
       
	instanceDID := os.Getenv("INSTANCE_DID")

     

       
242
       
242
       
+
       
	if instanceDID == "" {

     

       
243
       
243
       
+
       
		instanceDID = "did:web:" + instanceDomain

     

       
244
       
244
       
+
       
	}

     

       
245
       
245
       
+
       


     

       
246
       
246
       
+
       
	provisioner := communities.NewPDSAccountProvisioner(instanceDomain, pdsURL)

     

       
247
       
247
       
+
       
	service := communities.NewCommunityService(

     

       
248
       
248
       
+
       
		repo,

     

       
249
       
249
       
+
       
		pdsURL,

     

       
250
       
250
       
+
       
		instanceDID,

     

       
251
       
251
       
+
       
		instanceDomain,

     

       
252
       
252
       
+
       
		provisioner,

     

       
253
       
253
       
+
       
	)

     

       
254
       
254
       
+
       


     

       
255
       
255
       
+
       
	tests := []struct {

     

       
256
       
256
       
+
       
		name        string

     

       
257
       
257
       
+
       
		identifier  string

     

       
258
       
258
       
+
       
		expectError string

     

       
259
       
259
       
+
       
	}{

     

       
260
       
260
       
+
       
		{

     

       
261
       
261
       
+
       
			name:        "rejects special characters in name",

     

       
262
       
262
       
+
       
			identifier:  fmt.Sprintf("!<script>@%s", instanceDomain),

     

       
263
       
263
       
+
       
			expectError: "valid DNS label",

     

       
264
       
264
       
+
       
		},

     

       
265
       
265
       
+
       
		{

     

       
266
       
266
       
+
       
			name:        "rejects name with spaces",

     

       
267
       
267
       
+
       
			identifier:  fmt.Sprintf("!test community@%s", instanceDomain),

     

       
268
       
268
       
+
       
			expectError: "valid DNS label",

     

       
269
       
269
       
+
       
		},

     

       
270
       
270
       
+
       
		{

     

       
271
       
271
       
+
       
			name:        "rejects name starting with hyphen",

     

       
272
       
272
       
+
       
			identifier:  fmt.Sprintf("!-test@%s", instanceDomain),

     

       
273
       
273
       
+
       
			expectError: "valid DNS label",

     

       
274
       
274
       
+
       
		},

     

       
275
       
275
       
+
       
		{

     

       
276
       
276
       
+
       
			name:        "rejects name ending with hyphen",

     

       
277
       
277
       
+
       
			identifier:  fmt.Sprintf("!test-@%s", instanceDomain),

     

       
278
       
278
       
+
       
			expectError: "valid DNS label",

     

       
279
       
279
       
+
       
		},

     

       
280
       
280
       
+
       
		{

     

       
281
       
281
       
+
       
			name:        "rejects name exceeding 63 characters",

     

       
282
       
282
       
+
       
			identifier:  "!" + string(make([]byte, 64)) + "@" + instanceDomain,

     

       
283
       
283
       
+
       
			expectError: "valid DNS label",

     

       
284
       
284
       
+
       
		},

     

       
285
       
285
       
+
       
		{

     

       
286
       
286
       
+
       
			name:        "accepts valid name with hyphens",

     

       
287
       
287
       
+
       
			identifier:  fmt.Sprintf("!test-community@%s", instanceDomain),

     

       
288
       
288
       
+
       
			expectError: "", // Should create successfully or fail on not found

     

       
289
       
289
       
+
       
		},

     

       
290
       
290
       
+
       
		{

     

       
291
       
291
       
+
       
			name:        "accepts valid name with numbers",

     

       
292
       
292
       
+
       
			identifier:  fmt.Sprintf("!test123@%s", instanceDomain),

     

       
293
       
293
       
+
       
			expectError: "", // Should create successfully or fail on not found

     

       
294
       
294
       
+
       
		},

     

       
295
       
295
       
+
       
		{

     

       
296
       
296
       
+
       
			name:        "rejects invalid domain format",

     

       
297
       
297
       
+
       
			identifier:  "!test@not a domain",

     

       
298
       
298
       
+
       
			expectError: "invalid",

     

       
299
       
299
       
+
       
		},

     

       
300
       
300
       
+
       
		{

     

       
301
       
301
       
+
       
			name:        "rejects domain with special characters",

     

       
302
       
302
       
+
       
			identifier:  "!test@coves$.social",

     

       
303
       
303
       
+
       
			expectError: "invalid",

     

       
304
       
304
       
+
       
		},

     

       
305
       
305
       
+
       
	}

     

       
306
       
306
       
+
       


     

       
307
       
307
       
+
       
	for _, tt := range tests {

     

       
308
       
308
       
+
       
		t.Run(tt.name, func(t *testing.T) {

     

       
309
       
309
       
+
       
			_, err := service.ResolveCommunityIdentifier(ctx, tt.identifier)

     

       
310
       
310
       
+
       


     

       
311
       
311
       
+
       
			if tt.expectError != "" {

     

       
312
       
312
       
+
       
				require.Error(t, err)

     

       
313
       
313
       
+
       
				assert.Contains(t, err.Error(), tt.expectError)

     

       
314
       
314
       
+
       
			} else {

     

       
315
       
315
       
+
       
				// Either succeeds or fails with "not found" (not a validation error)

     

       
316
       
316
       
+
       
				if err != nil {

     

       
317
       
317
       
+
       
					assert.Contains(t, err.Error(), "not found")

     

       
318
       
318
       
+
       
				}

     

       
319
       
319
       
+
       
			}

     

       
320
       
320
       
+
       
		})

     

       
321
       
321
       
+
       
	}

     

       
322
       
322
       
+
       
}

     

       
323
       
323
       
+
       


     

       
324
       
324
       
+
       
// TestGetDisplayHandle tests the GetDisplayHandle method

     

       
325
       
325
       
+
       
func TestGetDisplayHandle(t *testing.T) {

     

       
326
       
326
       
+
       
	tests := []struct {

     

       
327
       
327
       
+
       
		name            string

     

       
328
       
328
       
+
       
		handle          string

     

       
329
       
329
       
+
       
		expectedDisplay string

     

       
330
       
330
       
+
       
	}{

     

       
331
       
331
       
+
       
		{

     

       
332
       
332
       
+
       
			name:            "standard two-part domain",

     

       
333
       
333
       
+
       
			handle:          "gardening.community.coves.social",

     

       
334
       
334
       
+
       
			expectedDisplay: "!gardening@coves.social",

     

       
335
       
335
       
+
       
		},

     

       
336
       
336
       
+
       
		{

     

       
337
       
337
       
+
       
			name:            "multi-part TLD",

     

       
338
       
338
       
+
       
			handle:          "gaming.community.coves.co.uk",

     

       
339
       
339
       
+
       
			expectedDisplay: "!gaming@coves.co.uk",

     

       
340
       
340
       
+
       
		},

     

       
341
       
341
       
+
       
		{

     

       
342
       
342
       
+
       
			name:            "subdomain instance",

     

       
343
       
343
       
+
       
			handle:          "test.community.dev.coves.social",

     

       
344
       
344
       
+
       
			expectedDisplay: "!test@dev.coves.social",

     

       
345
       
345
       
+
       
		},

     

       
346
       
346
       
+
       
		{

     

       
347
       
347
       
+
       
			name:            "single part name",

     

       
348
       
348
       
+
       
			handle:          "a.community.coves.social",

     

       
349
       
349
       
+
       
			expectedDisplay: "!a@coves.social",

     

       
350
       
350
       
+
       
		},

     

       
351
       
351
       
+
       
	}

     

       
352
       
352
       
+
       


     

       
353
       
353
       
+
       
	for _, tt := range tests {

     

       
354
       
354
       
+
       
		t.Run(tt.name, func(t *testing.T) {

     

       
355
       
355
       
+
       
			// Create a community struct and set the handle

     

       
356
       
356
       
+
       
			community := &communities.Community{

     

       
357
       
357
       
+
       
				Handle: tt.handle,

     

       
358
       
358
       
+
       
			}

     

       
359
       
359
       
+
       


     

       
360
       
360
       
+
       
			// Test GetDisplayHandle

     

       
361
       
361
       
+
       
			displayHandle := community.GetDisplayHandle()

     

       
362
       
362
       
+
       
			assert.Equal(t, tt.expectedDisplay, displayHandle)

     

       
363
       
363
       
+
       
		})

     

       
364
       
364
       
+
       
	}

     

       
365
       
365
       
+
       


     

       
366
       
366
       
+
       
	t.Run("handles malformed input gracefully", func(t *testing.T) {

     

       
367
       
367
       
+
       
		// Test edge cases

     

       
368
       
368
       
+
       
		testCases := []struct {

     

       
369
       
369
       
+
       
			handle   string

     

       
370
       
370
       
+
       
			fallback string

     

       
371
       
371
       
+
       
		}{

     

       
372
       
372
       
+
       
			{"nodots", "nodots"},         // No dots - should return as-is

     

       
373
       
373
       
+
       
			{"single.dot", "single.dot"}, // Single dot - should return as-is

     

       
374
       
374
       
+
       
			{"", ""},                      // Empty - should return as-is

     

       
375
       
375
       
+
       
		}

     

       
376
       
376
       
+
       


     

       
377
       
377
       
+
       
		for _, tc := range testCases {

     

       
378
       
378
       
+
       
			community := &communities.Community{

     

       
379
       
379
       
+
       
				Handle: tc.handle,

     

       
380
       
380
       
+
       
			}

     

       
381
       
381
       
+
       
			result := community.GetDisplayHandle()

     

       
382
       
382
       
+
       
			assert.Equal(t, tc.fallback, result, "Should fallback to original handle for: %s", tc.handle)

     

       
383
       
383
       
+
       
		}

     

       
384
       
384
       
+
       
	})

     

       
385
       
385
       
+
       
}

     

       
386
       
386
       
+
       


     

       
387
       
387
       
+
       
// TestIdentifierResolution_ErrorContext verifies error messages include identifier context

     

       
388
       
388
       
+
       
func TestIdentifierResolution_ErrorContext(t *testing.T) {

     

       
389
       
389
       
+
       
	if testing.Short() {

     

       
390
       
390
       
+
       
		t.Skip("Skipping integration test in short mode")

     

       
391
       
391
       
+
       
	}

     

       
392
       
392
       
+
       


     

       
393
       
393
       
+
       
	db := setupTestDB(t)

     

       
394
       
394
       
+
       
	defer func() {

     

       
395
       
395
       
+
       
		if err := db.Close(); err != nil {

     

       
396
       
396
       
+
       
			t.Logf("Failed to close database: %v", err)

     

       
397
       
397
       
+
       
		}

     

       
398
       
398
       
+
       
	}()

     

       
399
       
399
       
+
       


     

       
400
       
400
       
+
       
	repo := postgres.NewCommunityRepository(db)

     

       
401
       
401
       
+
       
	ctx := context.Background()

     

       
402
       
402
       
+
       


     

       
403
       
403
       
+
       
	pdsURL := os.Getenv("PDS_URL")

     

       
404
       
404
       
+
       
	if pdsURL == "" {

     

       
405
       
405
       
+
       
		pdsURL = "http://localhost:3000"

     

       
406
       
406
       
+
       
	}

     

       
407
       
407
       
+
       


     

       
408
       
408
       
+
       
	instanceDomain := os.Getenv("INSTANCE_DOMAIN")

     

       
409
       
409
       
+
       
	if instanceDomain == "" {

     

       
410
       
410
       
+
       
		instanceDomain = "coves.social"

     

       
411
       
411
       
+
       
	}

     

       
412
       
412
       
+
       


     

       
413
       
413
       
+
       
	instanceDID := os.Getenv("INSTANCE_DID")

     

       
414
       
414
       
+
       
	if instanceDID == "" {

     

       
415
       
415
       
+
       
		instanceDID = "did:web:" + instanceDomain

     

       
416
       
416
       
+
       
	}

     

       
417
       
417
       
+
       


     

       
418
       
418
       
+
       
	provisioner := communities.NewPDSAccountProvisioner(instanceDomain, pdsURL)

     

       
419
       
419
       
+
       
	service := communities.NewCommunityService(

     

       
420
       
420
       
+
       
		repo,

     

       
421
       
421
       
+
       
		pdsURL,

     

       
422
       
422
       
+
       
		instanceDID,

     

       
423
       
423
       
+
       
		instanceDomain,

     

       
424
       
424
       
+
       
		provisioner,

     

       
425
       
425
       
+
       
	)

     

       
426
       
426
       
+
       


     

       
427
       
427
       
+
       
	t.Run("DID error includes identifier", func(t *testing.T) {

     

       
428
       
428
       
+
       
		testDID := "did:plc:nonexistent999"

     

       
429
       
429
       
+
       
		_, err := service.ResolveCommunityIdentifier(ctx, testDID)

     

       
430
       
430
       
+
       
		require.Error(t, err)

     

       
431
       
431
       
+
       
		assert.Contains(t, err.Error(), "community not found")

     

       
432
       
432
       
+
       
		assert.Contains(t, err.Error(), testDID) // Should include the DID in error

     

       
433
       
433
       
+
       
	})

     

       
434
       
434
       
+
       


     

       
435
       
435
       
+
       
	t.Run("handle error includes identifier", func(t *testing.T) {

     

       
436
       
436
       
+
       
		testHandle := fmt.Sprintf("nonexistent.community.%s", instanceDomain)

     

       
437
       
437
       
+
       
		_, err := service.ResolveCommunityIdentifier(ctx, testHandle)

     

       
438
       
438
       
+
       
		require.Error(t, err)

     

       
439
       
439
       
+
       
		assert.Contains(t, err.Error(), "community not found")

     

       
440
       
440
       
+
       
		assert.Contains(t, err.Error(), testHandle) // Should include the handle in error

     

       
441
       
441
       
+
       
	})

     

       
442
       
442
       
+
       


     

       
443
       
443
       
+
       
	t.Run("scoped identifier error includes validation details", func(t *testing.T) {

     

       
444
       
444
       
+
       
		_, err := service.ResolveCommunityIdentifier(ctx, "!test@wrong.instance")

     

       
445
       
445
       
+
       
		require.Error(t, err)

     

       
446
       
446
       
+
       
		assert.Contains(t, err.Error(), "not hosted on this instance")

     

       
447
       
447
       
+
       
		assert.Contains(t, err.Error(), instanceDomain) // Should mention expected instance

     

       
448
       
448
       
+
       
	})

     

       
449
       
449
       
+
       
}

     

···

       
29
       
29
       
 
       


     

       
30
       
30
       
 
       
		community := &communities.Community{

     

       
31
       
31
       
 
       
			DID:                    generateTestDID(uniqueSuffix),

     

       
32
       
32
       
-
       
			Handle:                 fmt.Sprintf("test-encryption-%s.communities.test.local", uniqueSuffix),

     

       
32
       
32
       
+
       
			Handle:                 fmt.Sprintf("test-encryption-%s.community.test.local", uniqueSuffix),

     

       
33
       
33
       
 
       
			Name:                   "test-encryption",

     

       
34
       
34
       
 
       
			DisplayName:            "Test Encryption",

     

       
35
       
35
       
 
       
			Description:            "Testing password encryption",

     
···

       
100
       
100
       
 
       


     

       
101
       
101
       
 
       
		community := &communities.Community{

     

       
102
       
102
       
 
       
			DID:                    generateTestDID(uniqueSuffix),

     

       
103
       
103
       
-
       
			Handle:                 fmt.Sprintf("test-empty-pass-%s.communities.test.local", uniqueSuffix),

     

       
103
       
103
       
+
       
			Handle:                 fmt.Sprintf("test-empty-pass-%s.community.test.local", uniqueSuffix),

     

       
104
       
104
       
 
       
			Name:                   "test-empty-pass",

     

       
105
       
105
       
 
       
			DisplayName:            "Test Empty Password",

     

       
106
       
106
       
 
       
			Description:            "Testing empty password handling",

     
···

       
332
       
332
       
 
       


     

       
333
       
333
       
 
       
			community := &communities.Community{

     

       
334
       
334
       
 
       
				DID:                    generateTestDID(uniqueSuffix),

     

       
335
       
335
       
-
       
				Handle:                 fmt.Sprintf("pwd-unique-%s.communities.test.local", uniqueSuffix),

     

       
335
       
335
       
+
       
				Handle:                 fmt.Sprintf("pwd-unique-%s.community.test.local", uniqueSuffix),

     

       
336
       
336
       
 
       
				Name:                   fmt.Sprintf("pwd-unique-%s", uniqueSuffix),

     

       
337
       
337
       
 
       
				DisplayName:            fmt.Sprintf("Password Unique Test %d", i),

     

       
338
       
338
       
 
       
				Description:            "Testing password uniqueness",

     
···

       
402
       
402
       
 
       


     

       
403
       
403
       
 
       
		community := &communities.Community{

     

       
404
       
404
       
 
       
			DID:                    generateTestDID(uniqueSuffix),

     

       
405
       
405
       
-
       
			Handle:                 fmt.Sprintf("test-pwd-len-%s.communities.test.local", uniqueSuffix),

     

       
405
       
405
       
+
       
			Handle:                 fmt.Sprintf("test-pwd-len-%s.community.test.local", uniqueSuffix),

     

       
406
       
406
       
 
       
			Name:                   "test-pwd-len",

     

       
407
       
407
       
 
       
			DisplayName:            "Test Password Length",

     

       
408
       
408
       
 
       
			Description:            "Testing password length requirements",

     
···

       
470
       
470
       
 
       
				uniqueSuffix := fmt.Sprintf("%d-%d", time.Now().UnixNano(), idx)

     

       
471
       
471
       
 
       
				community := &communities.Community{

     

       
472
       
472
       
 
       
					DID:                    generateTestDID(uniqueSuffix),

     

       
473
       
473
       
-
       
					Handle:                 fmt.Sprintf("%s.communities.test.local", sameName),

     

       
473
       
473
       
+
       
					Handle:                 fmt.Sprintf("%s.community.test.local", sameName),

     

       
474
       
474
       
 
       
					Name:                   sameName,

     

       
475
       
475
       
 
       
					DisplayName:            "Concurrent Test",

     

       
476
       
476
       
 
       
					Description:            "Testing concurrent creation",

     
···

       
530
       
530
       
 
       
		uniqueSuffix := fmt.Sprintf("%d", time.Now().UnixNano())

     

       
531
       
531
       
 
       
		community := &communities.Community{

     

       
532
       
532
       
 
       
			DID:                    generateTestDID(uniqueSuffix),

     

       
533
       
533
       
-
       
			Handle:                 fmt.Sprintf("read-test-%s.communities.test.local", uniqueSuffix),

     

       
533
       
533
       
+
       
			Handle:                 fmt.Sprintf("read-test-%s.community.test.local", uniqueSuffix),

     

       
534
       
534
       
 
       
			Name:                   "read-test",

     

       
535
       
535
       
 
       
			DisplayName:            "Read Test",

     

       
536
       
536
       
 
       
			Description:            "Testing concurrent reads",

     
···

       
719
       
719
       
 
       


     

       
720
       
720
       
 
       
		community := &communities.Community{

     

       
721
       
721
       
 
       
			DID:                    generateTestDID(uniqueSuffix),

     

       
722
       
722
       
-
       
			Handle:                 fmt.Sprintf("token-test-%s.communities.test.local", uniqueSuffix),

     

       
722
       
722
       
+
       
			Handle:                 fmt.Sprintf("token-test-%s.community.test.local", uniqueSuffix),

     

       
723
       
723
       
 
       
			Name:                   "token-test",

     

       
724
       
724
       
 
       
			DisplayName:            "Token Test",

     

       
725
       
725
       
 
       
			Description:            "Testing token storage",

     
···

       
784
       
784
       
 
       


     

       
785
       
785
       
 
       
		community := &communities.Community{

     

       
786
       
786
       
 
       
			DID:                    generateTestDID(uniqueSuffix),

     

       
787
       
787
       
-
       
			Handle:                 fmt.Sprintf("empty-token-%s.communities.test.local", uniqueSuffix),

     

       
787
       
787
       
+
       
			Handle:                 fmt.Sprintf("empty-token-%s.community.test.local", uniqueSuffix),

     

       
788
       
788
       
 
       
			Name:                   "empty-token",

     

       
789
       
789
       
 
       
			DisplayName:            "Empty Token Test",

     

       
790
       
790
       
 
       
			Description:            "Testing empty token handling",

     
···

       
832
       
832
       
 
       


     

       
833
       
833
       
 
       
		community := &communities.Community{

     

       
834
       
834
       
 
       
			DID:                    generateTestDID(uniqueSuffix),

     

       
835
       
835
       
-
       
			Handle:                 fmt.Sprintf("encrypted-token-%s.communities.test.local", uniqueSuffix),

     

       
835
       
835
       
+
       
			Handle:                 fmt.Sprintf("encrypted-token-%s.community.test.local", uniqueSuffix),

     

       
836
       
836
       
 
       
			Name:                   "encrypted-token",

     

       
837
       
837
       
 
       
			DisplayName:            "Encrypted Token Test",

     

       
838
       
838
       
 
       
			Description:            "Testing token encryption",

     

···

       
55
       
55
       
 
       


     

       
56
       
56
       
 
       
	t.Run("creates community with real PDS provisioning", func(t *testing.T) {

     

       
57
       
57
       
 
       
		// Create provisioner and service (production code path)

     

       
58
       
58
       
-
       
		// Use coves.social domain (configured in PDS_SERVICE_HANDLE_DOMAINS as .communities.coves.social)

     

       
58
       
58
       
+
       
		// Use coves.social domain (configured in PDS_SERVICE_HANDLE_DOMAINS as .community.coves.social)

     

       
59
       
59
       
 
       
		provisioner := communities.NewPDSAccountProvisioner("coves.social", pdsURL)

     

       
60
       
60
       
 
       
		service := communities.NewCommunityService(

     

       
61
       
61
       
 
       
			repo,

     
···

       
114
       
114
       
 
       
		t.Logf("✅ Real DID generated: %s", community.DID)

     

       
115
       
115
       
 
       


     

       
116
       
116
       
 
       
		// Verify handle format

     

       
117
       
117
       
-
       
		expectedHandle := fmt.Sprintf("%s.communities.coves.social", uniqueName)

     

       
117
       
117
       
+
       
		expectedHandle := fmt.Sprintf("%s.community.coves.social", uniqueName)

     

       
118
       
118
       
 
       
		if community.Handle != expectedHandle {

     

       
119
       
119
       
 
       
			t.Errorf("Expected handle %s, got %s", expectedHandle, community.Handle)

     

       
120
       
120
       
 
       
		}