comparing e4d5d33f2a70e12b482f9853388742994db130b2 and feat/dpop-token-binding on bretton.dev/coves

+200

internal/core/unfurl/circuit_breaker.go

···

       1
       +
       package unfurl

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"fmt"

     

       5
       +
       	"log"

     

       6
       +
       	"sync"

     

       7
       +
       	"time"

     

       8
       +
       )

     

       9
       +
       

     

       10
       +
       // circuitState represents the state of a circuit breaker

     

       11
       +
       type circuitState int

     

       12
       +
       

     

       13
       +
       const (

     

       14
       +
       	stateClosed   circuitState = iota // Normal operation

     

       15
       +
       	stateOpen                         // Circuit is open (provider failing)

     

       16
       +
       	stateHalfOpen                     // Testing if provider recovered

     

       17
       +
       )

     

       18
       +
       

     

       19
       +
       // circuitBreaker tracks failures per provider and stops trying failing providers

     

       20
       +
       type circuitBreaker struct {

     

       21
       +
       	failures         map[string]int

     

       22
       +
       	lastFailure      map[string]time.Time

     

       23
       +
       	state            map[string]circuitState

     

       24
       +
       	lastStateLog     map[string]time.Time

     

       25
       +
       	failureThreshold int

     

       26
       +
       	openDuration     time.Duration

     

       27
       +
       	mu               sync.RWMutex

     

       28
       +
       }

     

       29
       +
       

     

       30
       +
       // newCircuitBreaker creates a circuit breaker with default settings

     

       31
       +
       func newCircuitBreaker() *circuitBreaker {

     

       32
       +
       	return &circuitBreaker{

     

       33
       +
       		failureThreshold: 3,               // Open after 3 consecutive failures

     

       34
       +
       		openDuration:     5 * time.Minute, // Keep open for 5 minutes

     

       35
       +
       		failures:         make(map[string]int),

     

       36
       +
       		lastFailure:      make(map[string]time.Time),

     

       37
       +
       		state:            make(map[string]circuitState),

     

       38
       +
       		lastStateLog:     make(map[string]time.Time),

     

       39
       +
       	}

     

       40
       +
       }

     

       41
       +
       

     

       42
       +
       // canAttempt checks if we should attempt to call this provider

     

       43
       +
       // Returns true if circuit is closed or half-open (ready to retry)

     

       44
       +
       func (cb *circuitBreaker) canAttempt(provider string) (bool, error) {

     

       45
       +
       	cb.mu.RLock()

     

       46
       +
       	defer cb.mu.RUnlock()

     

       47
       +
       

     

       48
       +
       	state := cb.getState(provider)

     

       49
       +
       

     

       50
       +
       	switch state {

     

       51
       +
       	case stateClosed:

     

       52
       +
       		return true, nil

     

       53
       +
       	case stateOpen:

     

       54
       +
       		// Check if we should transition to half-open

     

       55
       +
       		lastFail := cb.lastFailure[provider]

     

       56
       +
       		if time.Since(lastFail) > cb.openDuration {

     

       57
       +
       			// Transition to half-open (allow one retry)

     

       58
       +
       			cb.mu.RUnlock()

     

       59
       +
       			cb.mu.Lock()

     

       60
       +
       			cb.state[provider] = stateHalfOpen

     

       61
       +
       			cb.logStateChange(provider, stateHalfOpen)

     

       62
       +
       			cb.mu.Unlock()

     

       63
       +
       			cb.mu.RLock()

     

       64
       +
       			return true, nil

     

       65
       +
       		}

     

       66
       +
       		// Still in open period

     

       67
       +
       		failCount := cb.failures[provider]

     

       68
       +
       		nextRetry := lastFail.Add(cb.openDuration)

     

       69
       +
       		return false, fmt.Errorf(

     

       70
       +
       			"circuit breaker open for provider '%s' (failures: %d, next retry: %s)",

     

       71
       +
       			provider,

     

       72
       +
       			failCount,

     

       73
       +
       			nextRetry.Format("15:04:05"),

     

       74
       +
       		)

     

       75
       +
       	case stateHalfOpen:

     

       76
       +
       		return true, nil

     

       77
       +
       	default:

     

       78
       +
       		return true, nil

     

       79
       +
       	}

     

       80
       +
       }

     

       81
       +
       

     

       82
       +
       // recordSuccess records a successful unfurl, resetting failure count

     

       83
       +
       func (cb *circuitBreaker) recordSuccess(provider string) {

     

       84
       +
       	cb.mu.Lock()

     

       85
       +
       	defer cb.mu.Unlock()

     

       86
       +
       

     

       87
       +
       	oldState := cb.getState(provider)

     

       88
       +
       

     

       89
       +
       	// Reset failure tracking

     

       90
       +
       	delete(cb.failures, provider)

     

       91
       +
       	delete(cb.lastFailure, provider)

     

       92
       +
       	cb.state[provider] = stateClosed

     

       93
       +
       

     

       94
       +
       	// Log recovery if we were in a failure state

     

       95
       +
       	if oldState != stateClosed {

     

       96
       +
       		cb.logStateChange(provider, stateClosed)

     

       97
       +
       	}

     

       98
       +
       }

     

       99
       +
       

     

       100
       +
       // recordFailure records a failed unfurl attempt

     

       101
       +
       func (cb *circuitBreaker) recordFailure(provider string, err error) {

     

       102
       +
       	cb.mu.Lock()

     

       103
       +
       	defer cb.mu.Unlock()

     

       104
       +
       

     

       105
       +
       	// Increment failure count

     

       106
       +
       	cb.failures[provider]++

     

       107
       +
       	cb.lastFailure[provider] = time.Now()

     

       108
       +
       

     

       109
       +
       	failCount := cb.failures[provider]

     

       110
       +
       

     

       111
       +
       	// Check if we should open the circuit

     

       112
       +
       	if failCount >= cb.failureThreshold {

     

       113
       +
       		oldState := cb.getState(provider)

     

       114
       +
       		cb.state[provider] = stateOpen

     

       115
       +
       		if oldState != stateOpen {

     

       116
       +
       			log.Printf(

     

       117
       +
       				"[UNFURL-CIRCUIT] Opening circuit for provider '%s' after %d consecutive failures. Last error: %v",

     

       118
       +
       				provider,

     

       119
       +
       				failCount,

     

       120
       +
       				err,

     

       121
       +
       			)

     

       122
       +
       			cb.lastStateLog[provider] = time.Now()

     

       123
       +
       		}

     

       124
       +
       	} else {

     

       125
       +
       		log.Printf(

     

       126
       +
       			"[UNFURL-CIRCUIT] Failure %d/%d for provider '%s': %v",

     

       127
       +
       			failCount,

     

       128
       +
       			cb.failureThreshold,

     

       129
       +
       			provider,

     

       130
       +
       			err,

     

       131
       +
       		)

     

       132
       +
       	}

     

       133
       +
       }

     

       134
       +
       

     

       135
       +
       // getState returns the current state (must be called with lock held)

     

       136
       +
       func (cb *circuitBreaker) getState(provider string) circuitState {

     

       137
       +
       	if state, exists := cb.state[provider]; exists {

     

       138
       +
       		return state

     

       139
       +
       	}

     

       140
       +
       	return stateClosed

     

       141
       +
       }

     

       142
       +
       

     

       143
       +
       // logStateChange logs state transitions (must be called with lock held)

     

       144
       +
       // Debounced to avoid log spam (max once per minute per provider)

     

       145
       +
       func (cb *circuitBreaker) logStateChange(provider string, newState circuitState) {

     

       146
       +
       	lastLog, exists := cb.lastStateLog[provider]

     

       147
       +
       	if exists && time.Since(lastLog) < time.Minute {

     

       148
       +
       		return // Don't spam logs

     

       149
       +
       	}

     

       150
       +
       

     

       151
       +
       	var stateStr string

     

       152
       +
       	switch newState {

     

       153
       +
       	case stateClosed:

     

       154
       +
       		stateStr = "CLOSED (recovered)"

     

       155
       +
       	case stateOpen:

     

       156
       +
       		stateStr = "OPEN (failing)"

     

       157
       +
       	case stateHalfOpen:

     

       158
       +
       		stateStr = "HALF-OPEN (testing)"

     

       159
       +
       	}

     

       160
       +
       

     

       161
       +
       	log.Printf("[UNFURL-CIRCUIT] Circuit for provider '%s' is now %s", provider, stateStr)

     

       162
       +
       	cb.lastStateLog[provider] = time.Now()

     

       163
       +
       }

     

       164
       +
       

     

       165
       +
       // getStats returns current circuit breaker stats (for debugging/monitoring)

     

       166
       +
       func (cb *circuitBreaker) getStats() map[string]interface{} {

     

       167
       +
       	cb.mu.RLock()

     

       168
       +
       	defer cb.mu.RUnlock()

     

       169
       +
       

     

       170
       +
       	stats := make(map[string]interface{})

     

       171
       +
       

     

       172
       +
       	// Collect all providers with any activity (state, failures, or both)

     

       173
       +
       	providers := make(map[string]bool)

     

       174
       +
       	for provider := range cb.state {

     

       175
       +
       		providers[provider] = true

     

       176
       +
       	}

     

       177
       +
       	for provider := range cb.failures {

     

       178
       +
       		providers[provider] = true

     

       179
       +
       	}

     

       180
       +
       

     

       181
       +
       	for provider := range providers {

     

       182
       +
       		state := cb.getState(provider)

     

       183
       +
       		var stateStr string

     

       184
       +
       		switch state {

     

       185
       +
       		case stateClosed:

     

       186
       +
       			stateStr = "closed"

     

       187
       +
       		case stateOpen:

     

       188
       +
       			stateStr = "open"

     

       189
       +
       		case stateHalfOpen:

     

       190
       +
       			stateStr = "half-open"

     

       191
       +
       		}

     

       192
       +
       

     

       193
       +
       		stats[provider] = map[string]interface{}{

     

       194
       +
       			"state":        stateStr,

     

       195
       +
       			"failures":     cb.failures[provider],

     

       196
       +
       			"last_failure": cb.lastFailure[provider],

     

       197
       +
       		}

     

       198
       +
       	}

     

       199
       +
       	return stats

     

       200
       +
       }

+175

internal/core/unfurl/circuit_breaker_test.go

···

       1
       +
       package unfurl

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"fmt"

     

       5
       +
       	"testing"

     

       6
       +
       	"time"

     

       7
       +
       )

     

       8
       +
       

     

       9
       +
       func TestCircuitBreaker_Basic(t *testing.T) {

     

       10
       +
       	cb := newCircuitBreaker()

     

       11
       +
       

     

       12
       +
       	provider := "test-provider"

     

       13
       +
       

     

       14
       +
       	// Should start closed (allow attempts)

     

       15
       +
       	canAttempt, err := cb.canAttempt(provider)

     

       16
       +
       	if !canAttempt {

     

       17
       +
       		t.Errorf("Expected circuit to be closed initially, but got error: %v", err)

     

       18
       +
       	}

     

       19
       +
       

     

       20
       +
       	// Record success

     

       21
       +
       	cb.recordSuccess(provider)

     

       22
       +
       	canAttempt, _ = cb.canAttempt(provider)

     

       23
       +
       	if !canAttempt {

     

       24
       +
       		t.Error("Expected circuit to remain closed after success")

     

       25
       +
       	}

     

       26
       +
       }

     

       27
       +
       

     

       28
       +
       func TestCircuitBreaker_OpensAfterFailures(t *testing.T) {

     

       29
       +
       	cb := newCircuitBreaker()

     

       30
       +
       	provider := "failing-provider"

     

       31
       +
       

     

       32
       +
       	// Record failures up to threshold

     

       33
       +
       	for i := 0; i < cb.failureThreshold; i++ {

     

       34
       +
       		cb.recordFailure(provider, fmt.Errorf("test error %d", i))

     

       35
       +
       	}

     

       36
       +
       

     

       37
       +
       	// Circuit should now be open

     

       38
       +
       	canAttempt, err := cb.canAttempt(provider)

     

       39
       +
       	if canAttempt {

     

       40
       +
       		t.Error("Expected circuit to be open after threshold failures")

     

       41
       +
       	}

     

       42
       +
       	if err == nil {

     

       43
       +
       		t.Error("Expected error when circuit is open")

     

       44
       +
       	}

     

       45
       +
       }

     

       46
       +
       

     

       47
       +
       func TestCircuitBreaker_RecoveryAfterSuccess(t *testing.T) {

     

       48
       +
       	cb := newCircuitBreaker()

     

       49
       +
       	provider := "recovery-provider"

     

       50
       +
       

     

       51
       +
       	// Record some failures

     

       52
       +
       	cb.recordFailure(provider, fmt.Errorf("error 1"))

     

       53
       +
       	cb.recordFailure(provider, fmt.Errorf("error 2"))

     

       54
       +
       

     

       55
       +
       	// Record success - should reset failure count

     

       56
       +
       	cb.recordSuccess(provider)

     

       57
       +
       

     

       58
       +
       	// Should be able to attempt again

     

       59
       +
       	canAttempt, err := cb.canAttempt(provider)

     

       60
       +
       	if !canAttempt {

     

       61
       +
       		t.Errorf("Expected circuit to be closed after success, but got error: %v", err)

     

       62
       +
       	}

     

       63
       +
       

     

       64
       +
       	// Failure count should be reset

     

       65
       +
       	if count := cb.failures[provider]; count != 0 {

     

       66
       +
       		t.Errorf("Expected failure count to be reset to 0, got %d", count)

     

       67
       +
       	}

     

       68
       +
       }

     

       69
       +
       

     

       70
       +
       func TestCircuitBreaker_HalfOpenTransition(t *testing.T) {

     

       71
       +
       	cb := newCircuitBreaker()

     

       72
       +
       	cb.openDuration = 100 * time.Millisecond // Short duration for testing

     

       73
       +
       	provider := "half-open-provider"

     

       74
       +
       

     

       75
       +
       	// Open the circuit

     

       76
       +
       	for i := 0; i < cb.failureThreshold; i++ {

     

       77
       +
       		cb.recordFailure(provider, fmt.Errorf("error %d", i))

     

       78
       +
       	}

     

       79
       +
       

     

       80
       +
       	// Should be open

     

       81
       +
       	canAttempt, _ := cb.canAttempt(provider)

     

       82
       +
       	if canAttempt {

     

       83
       +
       		t.Error("Expected circuit to be open")

     

       84
       +
       	}

     

       85
       +
       

     

       86
       +
       	// Wait for open duration

     

       87
       +
       	time.Sleep(150 * time.Millisecond)

     

       88
       +
       

     

       89
       +
       	// Should transition to half-open and allow one attempt

     

       90
       +
       	canAttempt, err := cb.canAttempt(provider)

     

       91
       +
       	if !canAttempt {

     

       92
       +
       		t.Errorf("Expected circuit to transition to half-open after duration, but got error: %v", err)

     

       93
       +
       	}

     

       94
       +
       

     

       95
       +
       	// State should be half-open

     

       96
       +
       	cb.mu.RLock()

     

       97
       +
       	state := cb.state[provider]

     

       98
       +
       	cb.mu.RUnlock()

     

       99
       +
       

     

       100
       +
       	if state != stateHalfOpen {

     

       101
       +
       		t.Errorf("Expected state to be half-open, got %v", state)

     

       102
       +
       	}

     

       103
       +
       }

     

       104
       +
       

     

       105
       +
       func TestCircuitBreaker_MultipleProviders(t *testing.T) {

     

       106
       +
       	cb := newCircuitBreaker()

     

       107
       +
       

     

       108
       +
       	// Open circuit for provider A

     

       109
       +
       	for i := 0; i < cb.failureThreshold; i++ {

     

       110
       +
       		cb.recordFailure("providerA", fmt.Errorf("error"))

     

       111
       +
       	}

     

       112
       +
       

     

       113
       +
       	// Provider A should be blocked

     

       114
       +
       	canAttemptA, _ := cb.canAttempt("providerA")

     

       115
       +
       	if canAttemptA {

     

       116
       +
       		t.Error("Expected providerA circuit to be open")

     

       117
       +
       	}

     

       118
       +
       

     

       119
       +
       	// Provider B should still be open (independent circuits)

     

       120
       +
       	canAttemptB, err := cb.canAttempt("providerB")

     

       121
       +
       	if !canAttemptB {

     

       122
       +
       		t.Errorf("Expected providerB circuit to be closed, but got error: %v", err)

     

       123
       +
       	}

     

       124
       +
       }

     

       125
       +
       

     

       126
       +
       func TestCircuitBreaker_GetStats(t *testing.T) {

     

       127
       +
       	cb := newCircuitBreaker()

     

       128
       +
       

     

       129
       +
       	// Record some activity

     

       130
       +
       	cb.recordFailure("provider1", fmt.Errorf("error 1"))

     

       131
       +
       	cb.recordFailure("provider1", fmt.Errorf("error 2"))

     

       132
       +
       

     

       133
       +
       	stats := cb.getStats()

     

       134
       +
       

     

       135
       +
       	// Should have stats for providers with failures

     

       136
       +
       	if providerStats, ok := stats["provider1"]; !ok {

     

       137
       +
       		t.Error("Expected stats for provider1")

     

       138
       +
       	} else {

     

       139
       +
       		// Check that failure count is tracked

     

       140
       +
       		statsMap := providerStats.(map[string]interface{})

     

       141
       +
       		if failures, ok := statsMap["failures"].(int); !ok || failures != 2 {

     

       142
       +
       			t.Errorf("Expected 2 failures for provider1, got %v", statsMap["failures"])

     

       143
       +
       		}

     

       144
       +
       	}

     

       145
       +
       

     

       146
       +
       	// Provider that succeeds is cleaned up from state

     

       147
       +
       	cb.recordSuccess("provider2")

     

       148
       +
       	_ = cb.getStats()

     

       149
       +
       	// Provider2 should not be in stats (or have state "closed" with 0 failures)

     

       150
       +
       }

     

       151
       +
       

     

       152
       +
       func TestCircuitBreaker_FailureThresholdExact(t *testing.T) {

     

       153
       +
       	cb := newCircuitBreaker()

     

       154
       +
       	provider := "exact-threshold-provider"

     

       155
       +
       

     

       156
       +
       	// Record failures just below threshold

     

       157
       +
       	for i := 0; i < cb.failureThreshold-1; i++ {

     

       158
       +
       		cb.recordFailure(provider, fmt.Errorf("error %d", i))

     

       159
       +
       	}

     

       160
       +
       

     

       161
       +
       	// Should still be closed

     

       162
       +
       	canAttempt, err := cb.canAttempt(provider)

     

       163
       +
       	if !canAttempt {

     

       164
       +
       		t.Errorf("Expected circuit to be closed below threshold, but got error: %v", err)

     

       165
       +
       	}

     

       166
       +
       

     

       167
       +
       	// One more failure should open it

     

       168
       +
       	cb.recordFailure(provider, fmt.Errorf("final error"))

     

       169
       +
       

     

       170
       +
       	// Should now be open

     

       171
       +
       	canAttempt, _ = cb.canAttempt(provider)

     

       172
       +
       	if canAttempt {

     

       173
       +
       		t.Error("Expected circuit to be open at threshold")

     

       174
       +
       	}

     

       175
       +
       }

+202

internal/core/unfurl/kagi_test.go

···

       1
       +
       package unfurl

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"context"

     

       5
       +
       	"net/http"

     

       6
       +
       	"net/http/httptest"

     

       7
       +
       	"testing"

     

       8
       +
       	"time"

     

       9
       +
       

     

       10
       +
       	"github.com/stretchr/testify/assert"

     

       11
       +
       	"github.com/stretchr/testify/require"

     

       12
       +
       )

     

       13
       +
       

     

       14
       +
       func TestFetchKagiKite_Success(t *testing.T) {

     

       15
       +
       	// Mock Kagi HTML response

     

       16
       +
       	mockHTML := `<!DOCTYPE html>

     

       17
       +
       <html>

     

       18
       +
       <head>

     

       19
       +
       	<title>FAA orders 10% flight cuts at 40 airports - Kagi News</title>

     

       20
       +
       	<meta property="og:title" content="FAA orders 10% flight cuts" />

     

       21
       +
       	<meta property="og:description" content="Flight restrictions announced" />

     

       22
       +
       </head>

     

       23
       +
       <body>

     

       24
       +
       	<img src="https://kagiproxy.com/img/DHdCvN_NqVDWU3UyoNZSv86b" alt="Airport runway" />

     

       25
       +
       </body>

     

       26
       +
       </html>`

     

       27
       +
       

     

       28
       +
       	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       29
       +
       		w.Header().Set("Content-Type", "text/html")

     

       30
       +
       		w.WriteHeader(http.StatusOK)

     

       31
       +
       		_, _ = w.Write([]byte(mockHTML))

     

       32
       +
       	}))

     

       33
       +
       	defer server.Close()

     

       34
       +
       

     

       35
       +
       	ctx := context.Background()

     

       36
       +
       

     

       37
       +
       	result, err := fetchKagiKite(ctx, server.URL, 5*time.Second, "TestBot/1.0")

     

       38
       +
       

     

       39
       +
       	require.NoError(t, err)

     

       40
       +
       	assert.Equal(t, "article", result.Type)

     

       41
       +
       	assert.Equal(t, "FAA orders 10% flight cuts", result.Title)

     

       42
       +
       	assert.Equal(t, "Flight restrictions announced", result.Description)

     

       43
       +
       	assert.Contains(t, result.ThumbnailURL, "kagiproxy.com")

     

       44
       +
       	assert.Equal(t, "kagi", result.Provider)

     

       45
       +
       	assert.Equal(t, "kite.kagi.com", result.Domain)

     

       46
       +
       }

     

       47
       +
       

     

       48
       +
       func TestFetchKagiKite_NoImage(t *testing.T) {

     

       49
       +
       	mockHTML := `<!DOCTYPE html>

     

       50
       +
       <html>

     

       51
       +
       <head><title>Test Story</title></head>

     

       52
       +
       <body><p>No images here</p></body>

     

       53
       +
       </html>`

     

       54
       +
       

     

       55
       +
       	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       56
       +
       		w.Header().Set("Content-Type", "text/html")

     

       57
       +
       		w.WriteHeader(http.StatusOK)

     

       58
       +
       		_, _ = w.Write([]byte(mockHTML))

     

       59
       +
       	}))

     

       60
       +
       	defer server.Close()

     

       61
       +
       

     

       62
       +
       	ctx := context.Background()

     

       63
       +
       

     

       64
       +
       	result, err := fetchKagiKite(ctx, server.URL, 5*time.Second, "TestBot/1.0")

     

       65
       +
       

     

       66
       +
       	assert.Error(t, err)

     

       67
       +
       	assert.Nil(t, result)

     

       68
       +
       	assert.Contains(t, err.Error(), "no image found")

     

       69
       +
       }

     

       70
       +
       

     

       71
       +
       func TestFetchKagiKite_FallbackToTitle(t *testing.T) {

     

       72
       +
       	mockHTML := `<!DOCTYPE html>

     

       73
       +
       <html>

     

       74
       +
       <head><title>Fallback Title</title></head>

     

       75
       +
       <body>

     

       76
       +
       	<img src="https://kagiproxy.com/img/test123" />

     

       77
       +
       </body>

     

       78
       +
       </html>`

     

       79
       +
       

     

       80
       +
       	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       81
       +
       		w.Header().Set("Content-Type", "text/html")

     

       82
       +
       		w.WriteHeader(http.StatusOK)

     

       83
       +
       		_, _ = w.Write([]byte(mockHTML))

     

       84
       +
       	}))

     

       85
       +
       	defer server.Close()

     

       86
       +
       

     

       87
       +
       	ctx := context.Background()

     

       88
       +
       

     

       89
       +
       	result, err := fetchKagiKite(ctx, server.URL, 5*time.Second, "TestBot/1.0")

     

       90
       +
       

     

       91
       +
       	require.NoError(t, err)

     

       92
       +
       	assert.Equal(t, "Fallback Title", result.Title)

     

       93
       +
       	assert.Contains(t, result.ThumbnailURL, "kagiproxy.com")

     

       94
       +
       }

     

       95
       +
       

     

       96
       +
       func TestFetchKagiKite_ImageWithAltText(t *testing.T) {

     

       97
       +
       	mockHTML := `<!DOCTYPE html>

     

       98
       +
       <html>

     

       99
       +
       <head><title>News Story</title></head>

     

       100
       +
       <body>

     

       101
       +
       	<img src="https://kagiproxy.com/img/xyz789" alt="This is the alt text description" />

     

       102
       +
       </body>

     

       103
       +
       </html>`

     

       104
       +
       

     

       105
       +
       	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       106
       +
       		w.Header().Set("Content-Type", "text/html")

     

       107
       +
       		w.WriteHeader(http.StatusOK)

     

       108
       +
       		_, _ = w.Write([]byte(mockHTML))

     

       109
       +
       	}))

     

       110
       +
       	defer server.Close()

     

       111
       +
       

     

       112
       +
       	ctx := context.Background()

     

       113
       +
       

     

       114
       +
       	result, err := fetchKagiKite(ctx, server.URL, 5*time.Second, "TestBot/1.0")

     

       115
       +
       

     

       116
       +
       	require.NoError(t, err)

     

       117
       +
       	assert.Equal(t, "News Story", result.Title)

     

       118
       +
       	assert.Equal(t, "This is the alt text description", result.Description)

     

       119
       +
       	assert.Contains(t, result.ThumbnailURL, "kagiproxy.com")

     

       120
       +
       }

     

       121
       +
       

     

       122
       +
       func TestFetchKagiKite_HTTPError(t *testing.T) {

     

       123
       +
       	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       124
       +
       		w.WriteHeader(http.StatusNotFound)

     

       125
       +
       	}))

     

       126
       +
       	defer server.Close()

     

       127
       +
       

     

       128
       +
       	ctx := context.Background()

     

       129
       +
       

     

       130
       +
       	result, err := fetchKagiKite(ctx, server.URL, 5*time.Second, "TestBot/1.0")

     

       131
       +
       

     

       132
       +
       	assert.Error(t, err)

     

       133
       +
       	assert.Nil(t, result)

     

       134
       +
       	assert.Contains(t, err.Error(), "HTTP 404")

     

       135
       +
       }

     

       136
       +
       

     

       137
       +
       func TestFetchKagiKite_Timeout(t *testing.T) {

     

       138
       +
       	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       139
       +
       		time.Sleep(2 * time.Second)

     

       140
       +
       		w.WriteHeader(http.StatusOK)

     

       141
       +
       	}))

     

       142
       +
       	defer server.Close()

     

       143
       +
       

     

       144
       +
       	ctx := context.Background()

     

       145
       +
       

     

       146
       +
       	result, err := fetchKagiKite(ctx, server.URL, 100*time.Millisecond, "TestBot/1.0")

     

       147
       +
       

     

       148
       +
       	assert.Error(t, err)

     

       149
       +
       	assert.Nil(t, result)

     

       150
       +
       }

     

       151
       +
       

     

       152
       +
       func TestFetchKagiKite_MultipleImages_PicksSecond(t *testing.T) {

     

       153
       +
       	mockHTML := `<!DOCTYPE html>

     

       154
       +
       <html>

     

       155
       +
       <head><title>Story with multiple images</title></head>

     

       156
       +
       <body>

     

       157
       +
       	<img src="https://kagiproxy.com/img/first123" alt="First image (header/logo)" />

     

       158
       +
       	<img src="https://kagiproxy.com/img/second456" alt="Second image" />

     

       159
       +
       </body>

     

       160
       +
       </html>`

     

       161
       +
       

     

       162
       +
       	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       163
       +
       		w.Header().Set("Content-Type", "text/html")

     

       164
       +
       		w.WriteHeader(http.StatusOK)

     

       165
       +
       		_, _ = w.Write([]byte(mockHTML))

     

       166
       +
       	}))

     

       167
       +
       	defer server.Close()

     

       168
       +
       

     

       169
       +
       	ctx := context.Background()

     

       170
       +
       

     

       171
       +
       	result, err := fetchKagiKite(ctx, server.URL, 5*time.Second, "TestBot/1.0")

     

       172
       +
       

     

       173
       +
       	require.NoError(t, err)

     

       174
       +
       	// We skip the first image (often a header/logo) and use the second

     

       175
       +
       	assert.Contains(t, result.ThumbnailURL, "second456")

     

       176
       +
       	assert.Equal(t, "Second image", result.Description)

     

       177
       +
       }

     

       178
       +
       

     

       179
       +
       func TestFetchKagiKite_OnlyNonKagiImages_NoMatch(t *testing.T) {

     

       180
       +
       	mockHTML := `<!DOCTYPE html>

     

       181
       +
       <html>

     

       182
       +
       <head><title>Story with non-Kagi images</title></head>

     

       183
       +
       <body>

     

       184
       +
       	<img src="https://example.com/img/test.jpg" alt="External image" />

     

       185
       +
       </body>

     

       186
       +
       </html>`

     

       187
       +
       

     

       188
       +
       	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       189
       +
       		w.Header().Set("Content-Type", "text/html")

     

       190
       +
       		w.WriteHeader(http.StatusOK)

     

       191
       +
       		_, _ = w.Write([]byte(mockHTML))

     

       192
       +
       	}))

     

       193
       +
       	defer server.Close()

     

       194
       +
       

     

       195
       +
       	ctx := context.Background()

     

       196
       +
       

     

       197
       +
       	result, err := fetchKagiKite(ctx, server.URL, 5*time.Second, "TestBot/1.0")

     

       198
       +
       

     

       199
       +
       	assert.Error(t, err)

     

       200
       +
       	assert.Nil(t, result)

     

       201
       +
       	assert.Contains(t, err.Error(), "no image found")

     

       202
       +
       }

+269

internal/core/unfurl/opengraph_test.go

···

       1
       +
       package unfurl

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"context"

     

       5
       +
       	"net/http"

     

       6
       +
       	"net/http/httptest"

     

       7
       +
       	"testing"

     

       8
       +
       	"time"

     

       9
       +
       

     

       10
       +
       	"github.com/stretchr/testify/assert"

     

       11
       +
       	"github.com/stretchr/testify/require"

     

       12
       +
       )

     

       13
       +
       

     

       14
       +
       func TestParseOpenGraph_ValidTags(t *testing.T) {

     

       15
       +
       	html := `

     

       16
       +
       <!DOCTYPE html>

     

       17
       +
       <html>

     

       18
       +
       <head>

     

       19
       +
           <meta property="og:title" content="Test Article Title" />

     

       20
       +
           <meta property="og:description" content="This is a test description" />

     

       21
       +
           <meta property="og:image" content="https://example.com/image.jpg" />

     

       22
       +
           <meta property="og:url" content="https://example.com/canonical" />

     

       23
       +
       </head>

     

       24
       +
       <body>

     

       25
       +
           <p>Some content</p>

     

       26
       +
       </body>

     

       27
       +
       </html>

     

       28
       +
       `

     

       29
       +
       

     

       30
       +
       	og, err := parseOpenGraph(html)

     

       31
       +
       	require.NoError(t, err)

     

       32
       +
       

     

       33
       +
       	assert.Equal(t, "Test Article Title", og.Title)

     

       34
       +
       	assert.Equal(t, "This is a test description", og.Description)

     

       35
       +
       	assert.Equal(t, "https://example.com/image.jpg", og.Image)

     

       36
       +
       	assert.Equal(t, "https://example.com/canonical", og.URL)

     

       37
       +
       }

     

       38
       +
       

     

       39
       +
       func TestParseOpenGraph_MissingImage(t *testing.T) {

     

       40
       +
       	html := `

     

       41
       +
       <!DOCTYPE html>

     

       42
       +
       <html>

     

       43
       +
       <head>

     

       44
       +
           <meta property="og:title" content="Article Without Image" />

     

       45
       +
           <meta property="og:description" content="No image tag" />

     

       46
       +
       </head>

     

       47
       +
       <body></body>

     

       48
       +
       </html>

     

       49
       +
       `

     

       50
       +
       

     

       51
       +
       	og, err := parseOpenGraph(html)

     

       52
       +
       	require.NoError(t, err)

     

       53
       +
       

     

       54
       +
       	assert.Equal(t, "Article Without Image", og.Title)

     

       55
       +
       	assert.Equal(t, "No image tag", og.Description)

     

       56
       +
       	assert.Empty(t, og.Image, "Image should be empty when not provided")

     

       57
       +
       }

     

       58
       +
       

     

       59
       +
       func TestParseOpenGraph_FallbackToTitle(t *testing.T) {

     

       60
       +
       	html := `

     

       61
       +
       <!DOCTYPE html>

     

       62
       +
       <html>

     

       63
       +
       <head>

     

       64
       +
           <title>Page Title Fallback</title>

     

       65
       +
           <meta name="description" content="Meta description fallback" />

     

       66
       +
       </head>

     

       67
       +
       <body></body>

     

       68
       +
       </html>

     

       69
       +
       `

     

       70
       +
       

     

       71
       +
       	og, err := parseOpenGraph(html)

     

       72
       +
       	require.NoError(t, err)

     

       73
       +
       

     

       74
       +
       	assert.Equal(t, "Page Title Fallback", og.Title, "Should fall back to <title>")

     

       75
       +
       	assert.Equal(t, "Meta description fallback", og.Description, "Should fall back to meta description")

     

       76
       +
       }

     

       77
       +
       

     

       78
       +
       func TestParseOpenGraph_PreferOpenGraphOverFallback(t *testing.T) {

     

       79
       +
       	html := `

     

       80
       +
       <!DOCTYPE html>

     

       81
       +
       <html>

     

       82
       +
       <head>

     

       83
       +
           <title>Page Title</title>

     

       84
       +
           <meta name="description" content="Meta description" />

     

       85
       +
           <meta property="og:title" content="OpenGraph Title" />

     

       86
       +
           <meta property="og:description" content="OpenGraph Description" />

     

       87
       +
       </head>

     

       88
       +
       <body></body>

     

       89
       +
       </html>

     

       90
       +
       `

     

       91
       +
       

     

       92
       +
       	og, err := parseOpenGraph(html)

     

       93
       +
       	require.NoError(t, err)

     

       94
       +
       

     

       95
       +
       	assert.Equal(t, "OpenGraph Title", og.Title, "Should prefer og:title")

     

       96
       +
       	assert.Equal(t, "OpenGraph Description", og.Description, "Should prefer og:description")

     

       97
       +
       }

     

       98
       +
       

     

       99
       +
       func TestParseOpenGraph_MalformedHTML(t *testing.T) {

     

       100
       +
       	html := `

     

       101
       +
       <!DOCTYPE html>

     

       102
       +
       <html>

     

       103
       +
       <head>

     

       104
       +
           <meta property="og:title" content="Still Works" />

     

       105
       +
           <meta property="og:description" content="Even with broken tags

     

       106
       +
       </head>

     

       107
       +
       <body>

     

       108
       +
           <p>Unclosed paragraph

     

       109
       +
       </body>

     

       110
       +
       `

     

       111
       +
       

     

       112
       +
       	og, err := parseOpenGraph(html)

     

       113
       +
       	require.NoError(t, err)

     

       114
       +
       

     

       115
       +
       	// Best-effort parsing should still extract what it can

     

       116
       +
       	assert.NotEmpty(t, og.Title, "Should extract title despite malformed HTML")

     

       117
       +
       }

     

       118
       +
       

     

       119
       +
       func TestParseOpenGraph_Empty(t *testing.T) {

     

       120
       +
       	html := `

     

       121
       +
       <!DOCTYPE html>

     

       122
       +
       <html>

     

       123
       +
       <head></head>

     

       124
       +
       <body></body>

     

       125
       +
       </html>

     

       126
       +
       `

     

       127
       +
       

     

       128
       +
       	og, err := parseOpenGraph(html)

     

       129
       +
       	require.NoError(t, err)

     

       130
       +
       

     

       131
       +
       	assert.Empty(t, og.Title)

     

       132
       +
       	assert.Empty(t, og.Description)

     

       133
       +
       	assert.Empty(t, og.Image)

     

       134
       +
       }

     

       135
       +
       

     

       136
       +
       func TestFetchOpenGraph_Success(t *testing.T) {

     

       137
       +
       	// Create test server with OpenGraph metadata

     

       138
       +
       	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       139
       +
       		assert.Contains(t, r.Header.Get("User-Agent"), "CovesBot")

     

       140
       +
       

     

       141
       +
       		html := `

     

       142
       +
       <!DOCTYPE html>

     

       143
       +
       <html>

     

       144
       +
       <head>

     

       145
       +
           <meta property="og:title" content="Test News Article" />

     

       146
       +
           <meta property="og:description" content="Breaking news story" />

     

       147
       +
           <meta property="og:image" content="https://example.com/news.jpg" />

     

       148
       +
           <meta property="og:url" content="https://example.com/article/123" />

     

       149
       +
       </head>

     

       150
       +
       <body><p>Article content</p></body>

     

       151
       +
       </html>

     

       152
       +
       `

     

       153
       +
       		w.Header().Set("Content-Type", "text/html")

     

       154
       +
       		w.WriteHeader(http.StatusOK)

     

       155
       +
       		_, _ = w.Write([]byte(html))

     

       156
       +
       	}))

     

       157
       +
       	defer server.Close()

     

       158
       +
       

     

       159
       +
       	ctx := context.Background()

     

       160
       +
       	result, err := fetchOpenGraph(ctx, server.URL, 10*time.Second, "CovesBot/1.0")

     

       161
       +
       	require.NoError(t, err)

     

       162
       +
       	require.NotNil(t, result)

     

       163
       +
       

     

       164
       +
       	assert.Equal(t, "Test News Article", result.Title)

     

       165
       +
       	assert.Equal(t, "Breaking news story", result.Description)

     

       166
       +
       	assert.Equal(t, "https://example.com/news.jpg", result.ThumbnailURL)

     

       167
       +
       	assert.Equal(t, "article", result.Type)

     

       168
       +
       	assert.Equal(t, "opengraph", result.Provider)

     

       169
       +
       }

     

       170
       +
       

     

       171
       +
       func TestFetchOpenGraph_HTTPError(t *testing.T) {

     

       172
       +
       	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       173
       +
       		w.WriteHeader(http.StatusNotFound)

     

       174
       +
       	}))

     

       175
       +
       	defer server.Close()

     

       176
       +
       

     

       177
       +
       	ctx := context.Background()

     

       178
       +
       	result, err := fetchOpenGraph(ctx, server.URL, 10*time.Second, "CovesBot/1.0")

     

       179
       +
       	require.Error(t, err)

     

       180
       +
       	assert.Nil(t, result)

     

       181
       +
       	assert.Contains(t, err.Error(), "404")

     

       182
       +
       }

     

       183
       +
       

     

       184
       +
       func TestFetchOpenGraph_Timeout(t *testing.T) {

     

       185
       +
       	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       186
       +
       		time.Sleep(2 * time.Second)

     

       187
       +
       		w.WriteHeader(http.StatusOK)

     

       188
       +
       	}))

     

       189
       +
       	defer server.Close()

     

       190
       +
       

     

       191
       +
       	ctx := context.Background()

     

       192
       +
       	result, err := fetchOpenGraph(ctx, server.URL, 100*time.Millisecond, "CovesBot/1.0")

     

       193
       +
       	require.Error(t, err)

     

       194
       +
       	assert.Nil(t, result)

     

       195
       +
       }

     

       196
       +
       

     

       197
       +
       func TestFetchOpenGraph_NoMetadata(t *testing.T) {

     

       198
       +
       	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       199
       +
       		html := `<html><head></head><body><p>No metadata</p></body></html>`

     

       200
       +
       		w.Header().Set("Content-Type", "text/html")

     

       201
       +
       		w.WriteHeader(http.StatusOK)

     

       202
       +
       		_, _ = w.Write([]byte(html))

     

       203
       +
       	}))

     

       204
       +
       	defer server.Close()

     

       205
       +
       

     

       206
       +
       	ctx := context.Background()

     

       207
       +
       	result, err := fetchOpenGraph(ctx, server.URL, 10*time.Second, "CovesBot/1.0")

     

       208
       +
       	require.NoError(t, err)

     

       209
       +
       	require.NotNil(t, result)

     

       210
       +
       

     

       211
       +
       	// Should still return a result with domain

     

       212
       +
       	assert.Equal(t, "article", result.Type)

     

       213
       +
       	assert.Equal(t, "opengraph", result.Provider)

     

       214
       +
       	assert.NotEmpty(t, result.Domain)

     

       215
       +
       }

     

       216
       +
       

     

       217
       +
       func TestIsOEmbedProvider(t *testing.T) {

     

       218
       +
       	tests := []struct {

     

       219
       +
       		url      string

     

       220
       +
       		expected bool

     

       221
       +
       	}{

     

       222
       +
       		{"https://streamable.com/abc123", true},

     

       223
       +
       		{"https://www.youtube.com/watch?v=test", true},

     

       224
       +
       		{"https://youtu.be/test", true},

     

       225
       +
       		{"https://reddit.com/r/test/comments/123", true},

     

       226
       +
       		{"https://www.reddit.com/r/test/comments/123", true},

     

       227
       +
       		{"https://example.com/article", false},

     

       228
       +
       		{"https://news.ycombinator.com/item?id=123", false},

     

       229
       +
       		{"https://kite.kagi.com/search?q=test", false},

     

       230
       +
       	}

     

       231
       +
       

     

       232
       +
       	for _, tt := range tests {

     

       233
       +
       		t.Run(tt.url, func(t *testing.T) {

     

       234
       +
       			result := isOEmbedProvider(tt.url)

     

       235
       +
       			assert.Equal(t, tt.expected, result, "URL: %s", tt.url)

     

       236
       +
       		})

     

       237
       +
       	}

     

       238
       +
       }

     

       239
       +
       

     

       240
       +
       func TestIsSupported(t *testing.T) {

     

       241
       +
       	tests := []struct {

     

       242
       +
       		url      string

     

       243
       +
       		expected bool

     

       244
       +
       	}{

     

       245
       +
       		{"https://example.com", true},

     

       246
       +
       		{"http://example.com", true},

     

       247
       +
       		{"https://news.site.com/article", true},

     

       248
       +
       		{"ftp://example.com", false},

     

       249
       +
       		{"not-a-url", false},

     

       250
       +
       		{"", false},

     

       251
       +
       	}

     

       252
       +
       

     

       253
       +
       	for _, tt := range tests {

     

       254
       +
       		t.Run(tt.url, func(t *testing.T) {

     

       255
       +
       			result := isSupported(tt.url)

     

       256
       +
       			assert.Equal(t, tt.expected, result, "URL: %s", tt.url)

     

       257
       +
       		})

     

       258
       +
       	}

     

       259
       +
       }

     

       260
       +
       

     

       261
       +
       func TestGetAttr(t *testing.T) {

     

       262
       +
       	html := `<meta property="og:title" content="Test Title" name="test" />`

     

       263
       +
       	doc, err := parseOpenGraph(html)

     

       264
       +
       	require.NoError(t, err)

     

       265
       +
       

     

       266
       +
       	// This is a simple test to verify the helper function works

     

       267
       +
       	// The actual usage is tested in the parseOpenGraph tests

     

       268
       +
       	assert.NotNil(t, doc)

     

       269
       +
       }

+170

internal/core/unfurl/service.go

···

       1
       +
       package unfurl

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"context"

     

       5
       +
       	"fmt"

     

       6
       +
       	"log"

     

       7
       +
       	"time"

     

       8
       +
       )

     

       9
       +
       

     

       10
       +
       // Service handles URL unfurling with caching

     

       11
       +
       type Service interface {

     

       12
       +
       	UnfurlURL(ctx context.Context, url string) (*UnfurlResult, error)

     

       13
       +
       	IsSupported(url string) bool

     

       14
       +
       }

     

       15
       +
       

     

       16
       +
       type service struct {

     

       17
       +
       	repo           Repository

     

       18
       +
       	circuitBreaker *circuitBreaker

     

       19
       +
       	userAgent      string

     

       20
       +
       	timeout        time.Duration

     

       21
       +
       	cacheTTL       time.Duration

     

       22
       +
       }

     

       23
       +
       

     

       24
       +
       // NewService creates a new unfurl service

     

       25
       +
       func NewService(repo Repository, opts ...ServiceOption) Service {

     

       26
       +
       	s := &service{

     

       27
       +
       		repo:           repo,

     

       28
       +
       		timeout:        10 * time.Second,

     

       29
       +
       		userAgent:      "CovesBot/1.0 (+https://coves.social)",

     

       30
       +
       		cacheTTL:       24 * time.Hour,

     

       31
       +
       		circuitBreaker: newCircuitBreaker(),

     

       32
       +
       	}

     

       33
       +
       

     

       34
       +
       	for _, opt := range opts {

     

       35
       +
       		opt(s)

     

       36
       +
       	}

     

       37
       +
       

     

       38
       +
       	return s

     

       39
       +
       }

     

       40
       +
       

     

       41
       +
       // ServiceOption configures the service

     

       42
       +
       type ServiceOption func(*service)

     

       43
       +
       

     

       44
       +
       // WithTimeout sets the HTTP timeout for oEmbed requests

     

       45
       +
       func WithTimeout(timeout time.Duration) ServiceOption {

     

       46
       +
       	return func(s *service) {

     

       47
       +
       		s.timeout = timeout

     

       48
       +
       	}

     

       49
       +
       }

     

       50
       +
       

     

       51
       +
       // WithUserAgent sets the User-Agent header for oEmbed requests

     

       52
       +
       func WithUserAgent(userAgent string) ServiceOption {

     

       53
       +
       	return func(s *service) {

     

       54
       +
       		s.userAgent = userAgent

     

       55
       +
       	}

     

       56
       +
       }

     

       57
       +
       

     

       58
       +
       // WithCacheTTL sets the cache TTL

     

       59
       +
       func WithCacheTTL(ttl time.Duration) ServiceOption {

     

       60
       +
       	return func(s *service) {

     

       61
       +
       		s.cacheTTL = ttl

     

       62
       +
       	}

     

       63
       +
       }

     

       64
       +
       

     

       65
       +
       // IsSupported returns true if we can unfurl this URL

     

       66
       +
       func (s *service) IsSupported(url string) bool {

     

       67
       +
       	return isSupported(url)

     

       68
       +
       }

     

       69
       +
       

     

       70
       +
       // UnfurlURL fetches metadata for a URL (with caching)

     

       71
       +
       func (s *service) UnfurlURL(ctx context.Context, urlStr string) (*UnfurlResult, error) {

     

       72
       +
       	// 1. Check cache first

     

       73
       +
       	cached, err := s.repo.Get(ctx, urlStr)

     

       74
       +
       	if err == nil && cached != nil {

     

       75
       +
       		log.Printf("[UNFURL] Cache hit for %s (provider: %s)", urlStr, cached.Provider)

     

       76
       +
       		return cached, nil

     

       77
       +
       	}

     

       78
       +
       

     

       79
       +
       	// 2. Check if we support this URL

     

       80
       +
       	if !isSupported(urlStr) {

     

       81
       +
       		return nil, fmt.Errorf("unsupported URL: %s", urlStr)

     

       82
       +
       	}

     

       83
       +
       

     

       84
       +
       	var result *UnfurlResult

     

       85
       +
       	domain := extractDomain(urlStr)

     

       86
       +
       

     

       87
       +
       	// 3. Smart routing: Special handling for Kagi Kite (client-side rendered, no og:image tags)

     

       88
       +
       	if domain == "kite.kagi.com" {

     

       89
       +
       		provider := "kagi"

     

       90
       +
       

     

       91
       +
       		// Check circuit breaker

     

       92
       +
       		canAttempt, err := s.circuitBreaker.canAttempt(provider)

     

       93
       +
       		if !canAttempt {

     

       94
       +
       			log.Printf("[UNFURL] Skipping %s due to circuit breaker: %v", urlStr, err)

     

       95
       +
       			return nil, err

     

       96
       +
       		}

     

       97
       +
       

     

       98
       +
       		log.Printf("[UNFURL] Cache miss for %s, fetching via Kagi parser...", urlStr)

     

       99
       +
       		result, err = fetchKagiKite(ctx, urlStr, s.timeout, s.userAgent)

     

       100
       +
       		if err != nil {

     

       101
       +
       			s.circuitBreaker.recordFailure(provider, err)

     

       102
       +
       			return nil, err

     

       103
       +
       		}

     

       104
       +
       

     

       105
       +
       		s.circuitBreaker.recordSuccess(provider)

     

       106
       +
       

     

       107
       +
       		// Cache result

     

       108
       +
       		if cacheErr := s.repo.Set(ctx, urlStr, result, s.cacheTTL); cacheErr != nil {

     

       109
       +
       			log.Printf("[UNFURL] Warning: failed to cache result: %v", cacheErr)

     

       110
       +
       		}

     

       111
       +
       		return result, nil

     

       112
       +
       	}

     

       113
       +
       

     

       114
       +
       	// 4. Check if this is a known oEmbed provider

     

       115
       +
       	if isOEmbedProvider(urlStr) {

     

       116
       +
       		provider := domain // Use domain as provider name (e.g., "streamable.com", "youtube.com")

     

       117
       +
       

     

       118
       +
       		// Check circuit breaker

     

       119
       +
       		canAttempt, err := s.circuitBreaker.canAttempt(provider)

     

       120
       +
       		if !canAttempt {

     

       121
       +
       			log.Printf("[UNFURL] Skipping %s due to circuit breaker: %v", urlStr, err)

     

       122
       +
       			return nil, err

     

       123
       +
       		}

     

       124
       +
       

     

       125
       +
       		log.Printf("[UNFURL] Cache miss for %s, fetching from oEmbed...", urlStr)

     

       126
       +
       

     

       127
       +
       		// Fetch from oEmbed provider

     

       128
       +
       		oembed, err := fetchOEmbed(ctx, urlStr, s.timeout, s.userAgent)

     

       129
       +
       		if err != nil {

     

       130
       +
       			s.circuitBreaker.recordFailure(provider, err)

     

       131
       +
       			return nil, fmt.Errorf("failed to fetch oEmbed data: %w", err)

     

       132
       +
       		}

     

       133
       +
       

     

       134
       +
       		s.circuitBreaker.recordSuccess(provider)

     

       135
       +
       

     

       136
       +
       		// Convert to UnfurlResult

     

       137
       +
       		result = mapOEmbedToResult(oembed, urlStr)

     

       138
       +
       	} else {

     

       139
       +
       		provider := "opengraph"

     

       140
       +
       

     

       141
       +
       		// Check circuit breaker

     

       142
       +
       		canAttempt, err := s.circuitBreaker.canAttempt(provider)

     

       143
       +
       		if !canAttempt {

     

       144
       +
       			log.Printf("[UNFURL] Skipping %s due to circuit breaker: %v", urlStr, err)

     

       145
       +
       			return nil, err

     

       146
       +
       		}

     

       147
       +
       

     

       148
       +
       		log.Printf("[UNFURL] Cache miss for %s, fetching via OpenGraph...", urlStr)

     

       149
       +
       

     

       150
       +
       		// Fetch via OpenGraph

     

       151
       +
       		result, err = fetchOpenGraph(ctx, urlStr, s.timeout, s.userAgent)

     

       152
       +
       		if err != nil {

     

       153
       +
       			s.circuitBreaker.recordFailure(provider, err)

     

       154
       +
       			return nil, fmt.Errorf("failed to fetch OpenGraph data: %w", err)

     

       155
       +
       		}

     

       156
       +
       

     

       157
       +
       		s.circuitBreaker.recordSuccess(provider)

     

       158
       +
       	}

     

       159
       +
       

     

       160
       +
       	// 5. Store in cache

     

       161
       +
       	if cacheErr := s.repo.Set(ctx, urlStr, result, s.cacheTTL); cacheErr != nil {

     

       162
       +
       		// Log but don't fail - cache is best-effort

     

       163
       +
       		log.Printf("[UNFURL] Warning: Failed to cache result for %s: %v", urlStr, cacheErr)

     

       164
       +
       	}

     

       165
       +
       

     

       166
       +
       	log.Printf("[UNFURL] Successfully unfurled %s (provider: %s, type: %s)",

     

       167
       +
       		urlStr, result.Provider, result.Type)

     

       168
       +
       

     

       169
       +
       	return result, nil

     

       170
       +
       }

+27

internal/core/unfurl/types.go

···

       1
       +
       package unfurl

     

       2
       +
       

     

       3
       +
       import "time"

     

       4
       +
       

     

       5
       +
       // UnfurlResult represents the result of unfurling a URL

     

       6
       +
       type UnfurlResult struct {

     

       7
       +
       	Type         string `json:"type"`         // "video", "article", "image", "website"

     

       8
       +
       	URI          string `json:"uri"`          // Original URL

     

       9
       +
       	Title        string `json:"title"`        // Page/video title

     

       10
       +
       	Description  string `json:"description"`  // Page/video description

     

       11
       +
       	ThumbnailURL string `json:"thumbnailUrl"` // Preview image URL

     

       12
       +
       	Provider     string `json:"provider"`     // "streamable", "youtube", "reddit"

     

       13
       +
       	Domain       string `json:"domain"`       // Domain of the URL

     

       14
       +
       	Width        int    `json:"width"`        // Media width (if applicable)

     

       15
       +
       	Height       int    `json:"height"`       // Media height (if applicable)

     

       16
       +
       }

     

       17
       +
       

     

       18
       +
       // CacheEntry represents a cached unfurl result with metadata

     

       19
       +
       type CacheEntry struct {

     

       20
       +
       	FetchedAt    time.Time    `db:"fetched_at"`

     

       21
       +
       	ExpiresAt    time.Time    `db:"expires_at"`

     

       22
       +
       	CreatedAt    time.Time    `db:"created_at"`

     

       23
       +
       	ThumbnailURL *string      `db:"thumbnail_url"`

     

       24
       +
       	URL          string       `db:"url"`

     

       25
       +
       	Provider     string       `db:"provider"`

     

       26
       +
       	Metadata     UnfurlResult `db:"metadata"`

     

       27
       +
       }

+14

internal/core/unfurl/errors.go

···

       1
       +
       package unfurl

     

       2
       +
       

     

       3
       +
       import "errors"

     

       4
       +
       

     

       5
       +
       var (

     

       6
       +
       	// ErrNotFound is returned when an unfurl cache entry is not found or has expired

     

       7
       +
       	ErrNotFound = errors.New("unfurl cache entry not found or expired")

     

       8
       +
       

     

       9
       +
       	// ErrInvalidURL is returned when the provided URL is invalid

     

       10
       +
       	ErrInvalidURL = errors.New("invalid URL")

     

       11
       +
       

     

       12
       +
       	// ErrInvalidTTL is returned when the provided TTL is invalid (e.g., negative or zero)

     

       13
       +
       	ErrInvalidTTL = errors.New("invalid TTL: must be positive")

     

       14
       +
       )

+19

internal/core/unfurl/interfaces.go

···

       1
       +
       package unfurl

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"context"

     

       5
       +
       	"time"

     

       6
       +
       )

     

       7
       +
       

     

       8
       +
       // Repository defines the interface for unfurl cache persistence

     

       9
       +
       type Repository interface {

     

       10
       +
       	// Get retrieves a cached unfurl result for the given URL.

     

       11
       +
       	// Returns nil, nil if not found or expired (not an error condition).

     

       12
       +
       	// Returns error only on database failures.

     

       13
       +
       	Get(ctx context.Context, url string) (*UnfurlResult, error)

     

       14
       +
       

     

       15
       +
       	// Set stores an unfurl result in the cache with the specified TTL.

     

       16
       +
       	// If an entry already exists for the URL, it will be updated.

     

       17
       +
       	// The expires_at is calculated as NOW() + ttl.

     

       18
       +
       	Set(ctx context.Context, url string, result *UnfurlResult, ttl time.Duration) error

     

       19
       +
       }

+117

internal/core/unfurl/repository.go

···

       1
       +
       package unfurl

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"context"

     

       5
       +
       	"database/sql"

     

       6
       +
       	"encoding/json"

     

       7
       +
       	"fmt"

     

       8
       +
       	"time"

     

       9
       +
       )

     

       10
       +
       

     

       11
       +
       type postgresUnfurlRepo struct {

     

       12
       +
       	db *sql.DB

     

       13
       +
       }

     

       14
       +
       

     

       15
       +
       // NewRepository creates a new PostgreSQL unfurl cache repository

     

       16
       +
       func NewRepository(db *sql.DB) Repository {

     

       17
       +
       	return &postgresUnfurlRepo{db: db}

     

       18
       +
       }

     

       19
       +
       

     

       20
       +
       // Get retrieves a cached unfurl result for the given URL.

     

       21
       +
       // Returns nil, nil if not found or expired (not an error condition).

     

       22
       +
       // Returns error only on database failures.

     

       23
       +
       func (r *postgresUnfurlRepo) Get(ctx context.Context, url string) (*UnfurlResult, error) {

     

       24
       +
       	query := `

     

       25
       +
       		SELECT metadata, thumbnail_url, provider

     

       26
       +
       		FROM unfurl_cache

     

       27
       +
       		WHERE url = $1 AND expires_at > NOW()

     

       28
       +
       	`

     

       29
       +
       

     

       30
       +
       	var metadataJSON []byte

     

       31
       +
       	var thumbnailURL sql.NullString

     

       32
       +
       	var provider string

     

       33
       +
       

     

       34
       +
       	err := r.db.QueryRowContext(ctx, query, url).Scan(&metadataJSON, &thumbnailURL, &provider)

     

       35
       +
       	if err == sql.ErrNoRows {

     

       36
       +
       		// Not found or expired is not an error

     

       37
       +
       		return nil, nil

     

       38
       +
       	}

     

       39
       +
       	if err != nil {

     

       40
       +
       		return nil, fmt.Errorf("failed to get unfurl cache entry: %w", err)

     

       41
       +
       	}

     

       42
       +
       

     

       43
       +
       	// Unmarshal metadata JSONB to UnfurlResult

     

       44
       +
       	var result UnfurlResult

     

       45
       +
       	if err := json.Unmarshal(metadataJSON, &result); err != nil {

     

       46
       +
       		return nil, fmt.Errorf("failed to unmarshal metadata: %w", err)

     

       47
       +
       	}

     

       48
       +
       

     

       49
       +
       	// Ensure provider and thumbnailURL are set (may not be in metadata JSON)

     

       50
       +
       	result.Provider = provider

     

       51
       +
       	if thumbnailURL.Valid {

     

       52
       +
       		result.ThumbnailURL = thumbnailURL.String

     

       53
       +
       	}

     

       54
       +
       

     

       55
       +
       	return &result, nil

     

       56
       +
       }

     

       57
       +
       

     

       58
       +
       // Set stores an unfurl result in the cache with the specified TTL.

     

       59
       +
       // If an entry already exists for the URL, it will be updated.

     

       60
       +
       // The expires_at is calculated as NOW() + ttl.

     

       61
       +
       func (r *postgresUnfurlRepo) Set(ctx context.Context, url string, result *UnfurlResult, ttl time.Duration) error {

     

       62
       +
       	// Marshal UnfurlResult to JSON for metadata column

     

       63
       +
       	metadataJSON, err := json.Marshal(result)

     

       64
       +
       	if err != nil {

     

       65
       +
       		return fmt.Errorf("failed to marshal metadata: %w", err)

     

       66
       +
       	}

     

       67
       +
       

     

       68
       +
       	// Store thumbnail_url separately for potential queries

     

       69
       +
       	var thumbnailURL sql.NullString

     

       70
       +
       	if result.ThumbnailURL != "" {

     

       71
       +
       		thumbnailURL.String = result.ThumbnailURL

     

       72
       +
       		thumbnailURL.Valid = true

     

       73
       +
       	}

     

       74
       +
       

     

       75
       +
       	// Convert Go duration to PostgreSQL interval string

     

       76
       +
       	// e.g., "1 hour", "24 hours", "7 days"

     

       77
       +
       	intervalStr := formatInterval(ttl)

     

       78
       +
       

     

       79
       +
       	query := `

     

       80
       +
       		INSERT INTO unfurl_cache (url, provider, metadata, thumbnail_url, expires_at)

     

       81
       +
       		VALUES ($1, $2, $3, $4, NOW() + $5::interval)

     

       82
       +
       		ON CONFLICT (url) DO UPDATE

     

       83
       +
       		SET provider = EXCLUDED.provider,

     

       84
       +
       		    metadata = EXCLUDED.metadata,

     

       85
       +
       		    thumbnail_url = EXCLUDED.thumbnail_url,

     

       86
       +
       		    expires_at = EXCLUDED.expires_at,

     

       87
       +
       		    fetched_at = NOW()

     

       88
       +
       	`

     

       89
       +
       

     

       90
       +
       	_, err = r.db.ExecContext(ctx, query, url, result.Provider, metadataJSON, thumbnailURL, intervalStr)

     

       91
       +
       	if err != nil {

     

       92
       +
       		return fmt.Errorf("failed to insert/update unfurl cache entry: %w", err)

     

       93
       +
       	}

     

       94
       +
       

     

       95
       +
       	return nil

     

       96
       +
       }

     

       97
       +
       

     

       98
       +
       // formatInterval converts a Go duration to a PostgreSQL interval string

     

       99
       +
       // PostgreSQL accepts intervals like "1 hour", "24 hours", "7 days"

     

       100
       +
       func formatInterval(d time.Duration) string {

     

       101
       +
       	seconds := int64(d.Seconds())

     

       102
       +
       

     

       103
       +
       	// Convert to appropriate unit for readability

     

       104
       +
       	switch {

     

       105
       +
       	case seconds >= 86400: // >= 1 day

     

       106
       +
       		days := seconds / 86400

     

       107
       +
       		return fmt.Sprintf("%d days", days)

     

       108
       +
       	case seconds >= 3600: // >= 1 hour

     

       109
       +
       		hours := seconds / 3600

     

       110
       +
       		return fmt.Sprintf("%d hours", hours)

     

       111
       +
       	case seconds >= 60: // >= 1 minute

     

       112
       +
       		minutes := seconds / 60

     

       113
       +
       		return fmt.Sprintf("%d minutes", minutes)

     

       114
       +
       	default:

     

       115
       +
       		return fmt.Sprintf("%d seconds", seconds)

     

       116
       +
       	}

     

       117
       +
       }

+23

internal/db/migrations/017_create_unfurl_cache.sql

···

       1
       +
       -- +goose Up

     

       2
       +
       CREATE TABLE unfurl_cache (

     

       3
       +
           url TEXT PRIMARY KEY,

     

       4
       +
           provider TEXT NOT NULL,

     

       5
       +
           metadata JSONB NOT NULL,

     

       6
       +
           thumbnail_url TEXT,

     

       7
       +
           fetched_at TIMESTAMP NOT NULL DEFAULT NOW(),

     

       8
       +
           expires_at TIMESTAMP NOT NULL,

     

       9
       +
           created_at TIMESTAMP NOT NULL DEFAULT NOW()

     

       10
       +
       );

     

       11
       +
       

     

       12
       +
       CREATE INDEX idx_unfurl_cache_expires ON unfurl_cache(expires_at);

     

       13
       +
       

     

       14
       +
       COMMENT ON TABLE unfurl_cache IS 'Cache for oEmbed/URL unfurl results to reduce external API calls';

     

       15
       +
       COMMENT ON COLUMN unfurl_cache.url IS 'The URL that was unfurled (primary key)';

     

       16
       +
       COMMENT ON COLUMN unfurl_cache.provider IS 'Provider name (streamable, youtube, reddit, etc.)';

     

       17
       +
       COMMENT ON COLUMN unfurl_cache.metadata IS 'Full unfurl result as JSON (title, description, type, etc.)';

     

       18
       +
       COMMENT ON COLUMN unfurl_cache.thumbnail_url IS 'URL of the thumbnail image';

     

       19
       +
       COMMENT ON COLUMN unfurl_cache.expires_at IS 'When this cache entry should be refetched (TTL-based)';

     

       20
       +
       

     

       21
       +
       -- +goose Down

     

       22
       +
       DROP INDEX IF EXISTS idx_unfurl_cache_expires;

     

       23
       +
       DROP TABLE IF EXISTS unfurl_cache;

internal/core/blobs/types.go

···

       1
       +
       package blobs

     

       2
       +
       

     

       3
       +
       // BlobRef represents a blob reference for atproto records

     

       4
       +
       type BlobRef struct {

     

       5
       +
       	Type     string            `json:"$type"`

     

       6
       +
       	Ref      map[string]string `json:"ref"`

     

       7
       +
       	MimeType string            `json:"mimeType"`

     

       8
       +
       	Size     int               `json:"size"`

     

       9
       +
       }

+7 -1

internal/core/posts/interfaces.go

···

       1
        
       package posts

     

       2
        
       

     

       3
       -
       import "context"

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       4
        
       

     

       5
        
       // Service defines the business logic interface for posts

     

       6
        
       // Coordinates between Repository, community service, and PDS

···

       1
        
       package posts

     

       2
        
       

     

       3
       +
       import (

     

       4
       +
       	"context"

     

       5
       +
       )

     

       6
       +
       

     

       7
       +
       // Service constructor accepts optional blobs.Service and unfurl.Service for embed enhancement.

     

       8
       +
       // When unfurlService is provided, external embeds will be automatically enriched with metadata.

     

       9
       +
       // When blobService is provided, thumbnails from unfurled URLs will be uploaded as blobs.

     

       10
        
       

     

       11
        
       // Service defines the business logic interface for posts

     

       12
        
       // Coordinates between Repository, community service, and PDS

internal/core/posts/post.go

···

       50
        
       	Title          *string                `json:"title,omitempty"`

     

       51
        
       	Content        *string                `json:"content,omitempty"`

     

       52
        
       	Embed          map[string]interface{} `json:"embed,omitempty"`

     

       0
        
       
     

       53
        
       	Labels         *SelfLabels            `json:"labels,omitempty"`

     

       54
        
       	Community      string                 `json:"community"`

     

       55
        
       	AuthorDID      string                 `json:"authorDid"`

     
···

       121
        
       	DID    string  `json:"did"`

     

       122
        
       	Handle string  `json:"handle"`

     

       123
        
       	Name   string  `json:"name"`

     

       0
        
       
     

       124
        
       }

     

       125
        
       

     

       126
        
       // PostStats represents aggregated statistics

···

       50
        
       	Title          *string                `json:"title,omitempty"`

     

       51
        
       	Content        *string                `json:"content,omitempty"`

     

       52
        
       	Embed          map[string]interface{} `json:"embed,omitempty"`

     

       53
       +
       	ThumbnailURL   *string                `json:"thumbnailUrl,omitempty"`

     

       54
        
       	Labels         *SelfLabels            `json:"labels,omitempty"`

     

       55
        
       	Community      string                 `json:"community"`

     

       56
        
       	AuthorDID      string                 `json:"authorDid"`

     
···

       122
        
       	DID    string  `json:"did"`

     

       123
        
       	Handle string  `json:"handle"`

     

       124
        
       	Name   string  `json:"name"`

     

       125
       +
       	PDSURL string  `json:"-"` // Not exposed to API, used for blob URL transformation

     

       126
        
       }

     

       127
        
       

     

       128
        
       // PostStats represents aggregated statistics

+81

internal/core/posts/blob_transform.go

···

       1
       +
       package posts

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"fmt"

     

       5
       +
       )

     

       6
       +
       

     

       7
       +
       // TransformBlobRefsToURLs transforms all blob references in a PostView to PDS URLs

     

       8
       +
       // This modifies the Embed field in-place, converting blob refs to direct URLs

     

       9
       +
       // The transformation only affects external embeds with thumbnail blobs

     

       10
       +
       func TransformBlobRefsToURLs(postView *PostView) {

     

       11
       +
       	if postView == nil || postView.Embed == nil {

     

       12
       +
       		return

     

       13
       +
       	}

     

       14
       +
       

     

       15
       +
       	// Get community PDS URL from post view

     

       16
       +
       	if postView.Community == nil || postView.Community.PDSURL == "" {

     

       17
       +
       		return // Cannot transform without PDS URL

     

       18
       +
       	}

     

       19
       +
       

     

       20
       +
       	communityDID := postView.Community.DID

     

       21
       +
       	pdsURL := postView.Community.PDSURL

     

       22
       +
       

     

       23
       +
       	// Check if embed is a map (should be for external embeds)

     

       24
       +
       	embedMap, ok := postView.Embed.(map[string]interface{})

     

       25
       +
       	if !ok {

     

       26
       +
       		return

     

       27
       +
       	}

     

       28
       +
       

     

       29
       +
       	// Check embed type

     

       30
       +
       	embedType, ok := embedMap["$type"].(string)

     

       31
       +
       	if !ok {

     

       32
       +
       		return

     

       33
       +
       	}

     

       34
       +
       

     

       35
       +
       	// Only transform external embeds

     

       36
       +
       	if embedType == "social.coves.embed.external" {

     

       37
       +
       		if external, ok := embedMap["external"].(map[string]interface{}); ok {

     

       38
       +
       			transformThumbToURL(external, communityDID, pdsURL)

     

       39
       +
       		}

     

       40
       +
       	}

     

       41
       +
       }

     

       42
       +
       

     

       43
       +
       // transformThumbToURL converts a thumb blob ref to a PDS URL

     

       44
       +
       // This modifies the external map in-place

     

       45
       +
       func transformThumbToURL(external map[string]interface{}, communityDID, pdsURL string) {

     

       46
       +
       	// Check if thumb exists

     

       47
       +
       	thumb, ok := external["thumb"]

     

       48
       +
       	if !ok {

     

       49
       +
       		return

     

       50
       +
       	}

     

       51
       +
       

     

       52
       +
       	// If thumb is already a string (URL), don't transform

     

       53
       +
       	if _, isString := thumb.(string); isString {

     

       54
       +
       		return

     

       55
       +
       	}

     

       56
       +
       

     

       57
       +
       	// Try to parse as blob ref

     

       58
       +
       	thumbMap, ok := thumb.(map[string]interface{})

     

       59
       +
       	if !ok {

     

       60
       +
       		return

     

       61
       +
       	}

     

       62
       +
       

     

       63
       +
       	// Extract CID from blob ref

     

       64
       +
       	ref, ok := thumbMap["ref"].(map[string]interface{})

     

       65
       +
       	if !ok {

     

       66
       +
       		return

     

       67
       +
       	}

     

       68
       +
       

     

       69
       +
       	cid, ok := ref["$link"].(string)

     

       70
       +
       	if !ok || cid == "" {

     

       71
       +
       		return

     

       72
       +
       	}

     

       73
       +
       

     

       74
       +
       	// Transform to PDS blob endpoint URL

     

       75
       +
       	// Format: {pds_url}/xrpc/com.atproto.sync.getBlob?did={community_did}&cid={cid}

     

       76
       +
       	blobURL := fmt.Sprintf("%s/xrpc/com.atproto.sync.getBlob?did=%s&cid=%s",

     

       77
       +
       		pdsURL, communityDID, cid)

     

       78
       +
       

     

       79
       +
       	// Replace blob ref with URL string

     

       80
       +
       	external["thumb"] = blobURL

     

       81
       +
       }

+312

internal/core/posts/blob_transform_test.go

···

       1
       +
       package posts

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"testing"

     

       5
       +
       

     

       6
       +
       	"github.com/stretchr/testify/assert"

     

       7
       +
       	"github.com/stretchr/testify/require"

     

       8
       +
       )

     

       9
       +
       

     

       10
       +
       func TestTransformBlobRefsToURLs(t *testing.T) {

     

       11
       +
       	t.Run("transforms external embed thumb from blob to URL", func(t *testing.T) {

     

       12
       +
       		post := &PostView{

     

       13
       +
       			Community: &CommunityRef{

     

       14
       +
       				DID:    "did:plc:testcommunity",

     

       15
       +
       				PDSURL: "http://localhost:3001",

     

       16
       +
       			},

     

       17
       +
       			Embed: map[string]interface{}{

     

       18
       +
       				"$type": "social.coves.embed.external",

     

       19
       +
       				"external": map[string]interface{}{

     

       20
       +
       					"uri": "https://example.com",

     

       21
       +
       					"thumb": map[string]interface{}{

     

       22
       +
       						"$type": "blob",

     

       23
       +
       						"ref": map[string]interface{}{

     

       24
       +
       							"$link": "bafyreib6tbnql2ux3whnfysbzabthaj2vvck53nimhbi5g5a7jgvgr5eqm",

     

       25
       +
       						},

     

       26
       +
       						"mimeType": "image/jpeg",

     

       27
       +
       						"size":     52813,

     

       28
       +
       					},

     

       29
       +
       				},

     

       30
       +
       			},

     

       31
       +
       		}

     

       32
       +
       

     

       33
       +
       		TransformBlobRefsToURLs(post)

     

       34
       +
       

     

       35
       +
       		// Verify embed is still a map

     

       36
       +
       		embedMap, ok := post.Embed.(map[string]interface{})

     

       37
       +
       		require.True(t, ok, "embed should still be a map")

     

       38
       +
       

     

       39
       +
       		// Verify external is still a map

     

       40
       +
       		external, ok := embedMap["external"].(map[string]interface{})

     

       41
       +
       		require.True(t, ok, "external should be a map")

     

       42
       +
       

     

       43
       +
       		// Verify thumb is now a URL string

     

       44
       +
       		thumbURL, ok := external["thumb"].(string)

     

       45
       +
       		require.True(t, ok, "thumb should be a string URL")

     

       46
       +
       		assert.Equal(t,

     

       47
       +
       			"http://localhost:3001/xrpc/com.atproto.sync.getBlob?did=did:plc:testcommunity&cid=bafyreib6tbnql2ux3whnfysbzabthaj2vvck53nimhbi5g5a7jgvgr5eqm",

     

       48
       +
       			thumbURL)

     

       49
       +
       	})

     

       50
       +
       

     

       51
       +
       	t.Run("handles missing thumb gracefully", func(t *testing.T) {

     

       52
       +
       		post := &PostView{

     

       53
       +
       			Community: &CommunityRef{

     

       54
       +
       				DID:    "did:plc:testcommunity",

     

       55
       +
       				PDSURL: "http://localhost:3001",

     

       56
       +
       			},

     

       57
       +
       			Embed: map[string]interface{}{

     

       58
       +
       				"$type": "social.coves.embed.external",

     

       59
       +
       				"external": map[string]interface{}{

     

       60
       +
       					"uri": "https://example.com",

     

       61
       +
       					// No thumb field

     

       62
       +
       				},

     

       63
       +
       			},

     

       64
       +
       		}

     

       65
       +
       

     

       66
       +
       		// Should not panic

     

       67
       +
       		TransformBlobRefsToURLs(post)

     

       68
       +
       

     

       69
       +
       		// Verify external is unchanged

     

       70
       +
       		embedMap := post.Embed.(map[string]interface{})

     

       71
       +
       		external := embedMap["external"].(map[string]interface{})

     

       72
       +
       		_, hasThumb := external["thumb"]

     

       73
       +
       		assert.False(t, hasThumb, "thumb should not be added")

     

       74
       +
       	})

     

       75
       +
       

     

       76
       +
       	t.Run("handles already-transformed URL thumb", func(t *testing.T) {

     

       77
       +
       		expectedURL := "http://localhost:3001/xrpc/com.atproto.sync.getBlob?did=did:plc:test&cid=bafytest"

     

       78
       +
       		post := &PostView{

     

       79
       +
       			Community: &CommunityRef{

     

       80
       +
       				DID:    "did:plc:testcommunity",

     

       81
       +
       				PDSURL: "http://localhost:3001",

     

       82
       +
       			},

     

       83
       +
       			Embed: map[string]interface{}{

     

       84
       +
       				"$type": "social.coves.embed.external",

     

       85
       +
       				"external": map[string]interface{}{

     

       86
       +
       					"uri":   "https://example.com",

     

       87
       +
       					"thumb": expectedURL, // Already a URL string

     

       88
       +
       				},

     

       89
       +
       			},

     

       90
       +
       		}

     

       91
       +
       

     

       92
       +
       		// Should not error or change the URL

     

       93
       +
       		TransformBlobRefsToURLs(post)

     

       94
       +
       

     

       95
       +
       		// Verify thumb is unchanged

     

       96
       +
       		embedMap := post.Embed.(map[string]interface{})

     

       97
       +
       		external := embedMap["external"].(map[string]interface{})

     

       98
       +
       		thumbURL, ok := external["thumb"].(string)

     

       99
       +
       		require.True(t, ok, "thumb should still be a string")

     

       100
       +
       		assert.Equal(t, expectedURL, thumbURL, "thumb URL should be unchanged")

     

       101
       +
       	})

     

       102
       +
       

     

       103
       +
       	t.Run("handles missing embed", func(t *testing.T) {

     

       104
       +
       		post := &PostView{

     

       105
       +
       			Community: &CommunityRef{

     

       106
       +
       				DID:    "did:plc:testcommunity",

     

       107
       +
       				PDSURL: "http://localhost:3001",

     

       108
       +
       			},

     

       109
       +
       			Embed: nil,

     

       110
       +
       		}

     

       111
       +
       

     

       112
       +
       		// Should not panic

     

       113
       +
       		TransformBlobRefsToURLs(post)

     

       114
       +
       

     

       115
       +
       		// Verify embed is still nil

     

       116
       +
       		assert.Nil(t, post.Embed, "embed should remain nil")

     

       117
       +
       	})

     

       118
       +
       

     

       119
       +
       	t.Run("handles nil post", func(t *testing.T) {

     

       120
       +
       		// Should not panic

     

       121
       +
       		TransformBlobRefsToURLs(nil)

     

       122
       +
       	})

     

       123
       +
       

     

       124
       +
       	t.Run("handles missing community", func(t *testing.T) {

     

       125
       +
       		post := &PostView{

     

       126
       +
       			Community: nil,

     

       127
       +
       			Embed: map[string]interface{}{

     

       128
       +
       				"$type": "social.coves.embed.external",

     

       129
       +
       				"external": map[string]interface{}{

     

       130
       +
       					"uri": "https://example.com",

     

       131
       +
       					"thumb": map[string]interface{}{

     

       132
       +
       						"$type": "blob",

     

       133
       +
       						"ref": map[string]interface{}{

     

       134
       +
       							"$link": "bafyreib6tbnql2ux3whnfysbzabthaj2vvck53nimhbi5g5a7jgvgr5eqm",

     

       135
       +
       						},

     

       136
       +
       					},

     

       137
       +
       				},

     

       138
       +
       			},

     

       139
       +
       		}

     

       140
       +
       

     

       141
       +
       		// Should not panic or transform

     

       142
       +
       		TransformBlobRefsToURLs(post)

     

       143
       +
       

     

       144
       +
       		// Verify thumb is unchanged (still a blob)

     

       145
       +
       		embedMap := post.Embed.(map[string]interface{})

     

       146
       +
       		external := embedMap["external"].(map[string]interface{})

     

       147
       +
       		thumb, ok := external["thumb"].(map[string]interface{})

     

       148
       +
       		require.True(t, ok, "thumb should still be a map (blob ref)")

     

       149
       +
       		assert.Equal(t, "blob", thumb["$type"], "blob type should be unchanged")

     

       150
       +
       	})

     

       151
       +
       

     

       152
       +
       	t.Run("handles missing PDS URL", func(t *testing.T) {

     

       153
       +
       		post := &PostView{

     

       154
       +
       			Community: &CommunityRef{

     

       155
       +
       				DID:    "did:plc:testcommunity",

     

       156
       +
       				PDSURL: "", // Empty PDS URL

     

       157
       +
       			},

     

       158
       +
       			Embed: map[string]interface{}{

     

       159
       +
       				"$type": "social.coves.embed.external",

     

       160
       +
       				"external": map[string]interface{}{

     

       161
       +
       					"uri": "https://example.com",

     

       162
       +
       					"thumb": map[string]interface{}{

     

       163
       +
       						"$type": "blob",

     

       164
       +
       						"ref": map[string]interface{}{

     

       165
       +
       							"$link": "bafyreib6tbnql2ux3whnfysbzabthaj2vvck53nimhbi5g5a7jgvgr5eqm",

     

       166
       +
       						},

     

       167
       +
       					},

     

       168
       +
       				},

     

       169
       +
       			},

     

       170
       +
       		}

     

       171
       +
       

     

       172
       +
       		// Should not panic or transform

     

       173
       +
       		TransformBlobRefsToURLs(post)

     

       174
       +
       

     

       175
       +
       		// Verify thumb is unchanged (still a blob)

     

       176
       +
       		embedMap := post.Embed.(map[string]interface{})

     

       177
       +
       		external := embedMap["external"].(map[string]interface{})

     

       178
       +
       		thumb, ok := external["thumb"].(map[string]interface{})

     

       179
       +
       		require.True(t, ok, "thumb should still be a map (blob ref)")

     

       180
       +
       		assert.Equal(t, "blob", thumb["$type"], "blob type should be unchanged")

     

       181
       +
       	})

     

       182
       +
       

     

       183
       +
       	t.Run("handles malformed blob ref gracefully", func(t *testing.T) {

     

       184
       +
       		post := &PostView{

     

       185
       +
       			Community: &CommunityRef{

     

       186
       +
       				DID:    "did:plc:testcommunity",

     

       187
       +
       				PDSURL: "http://localhost:3001",

     

       188
       +
       			},

     

       189
       +
       			Embed: map[string]interface{}{

     

       190
       +
       				"$type": "social.coves.embed.external",

     

       191
       +
       				"external": map[string]interface{}{

     

       192
       +
       					"uri": "https://example.com",

     

       193
       +
       					"thumb": map[string]interface{}{

     

       194
       +
       						"$type": "blob",

     

       195
       +
       						"ref":   "invalid-ref-format", // Should be a map with $link

     

       196
       +
       					},

     

       197
       +
       				},

     

       198
       +
       			},

     

       199
       +
       		}

     

       200
       +
       

     

       201
       +
       		// Should not panic

     

       202
       +
       		TransformBlobRefsToURLs(post)

     

       203
       +
       

     

       204
       +
       		// Verify thumb is unchanged (malformed blob)

     

       205
       +
       		embedMap := post.Embed.(map[string]interface{})

     

       206
       +
       		external := embedMap["external"].(map[string]interface{})

     

       207
       +
       		thumb, ok := external["thumb"].(map[string]interface{})

     

       208
       +
       		require.True(t, ok, "thumb should still be a map")

     

       209
       +
       		assert.Equal(t, "invalid-ref-format", thumb["ref"], "malformed ref should be unchanged")

     

       210
       +
       	})

     

       211
       +
       

     

       212
       +
       	t.Run("ignores non-external embed types", func(t *testing.T) {

     

       213
       +
       		post := &PostView{

     

       214
       +
       			Community: &CommunityRef{

     

       215
       +
       				DID:    "did:plc:testcommunity",

     

       216
       +
       				PDSURL: "http://localhost:3001",

     

       217
       +
       			},

     

       218
       +
       			Embed: map[string]interface{}{

     

       219
       +
       				"$type": "social.coves.embed.images",

     

       220
       +
       				"images": []interface{}{

     

       221
       +
       					map[string]interface{}{

     

       222
       +
       						"image": map[string]interface{}{

     

       223
       +
       							"$type": "blob",

     

       224
       +
       							"ref": map[string]interface{}{

     

       225
       +
       								"$link": "bafyreib6tbnql2ux3whnfysbzabthaj2vvck53nimhbi5g5a7jgvgr5eqm",

     

       226
       +
       							},

     

       227
       +
       						},

     

       228
       +
       					},

     

       229
       +
       				},

     

       230
       +
       			},

     

       231
       +
       		}

     

       232
       +
       

     

       233
       +
       		// Should not transform non-external embeds

     

       234
       +
       		TransformBlobRefsToURLs(post)

     

       235
       +
       

     

       236
       +
       		// Verify images embed is unchanged

     

       237
       +
       		embedMap := post.Embed.(map[string]interface{})

     

       238
       +
       		images := embedMap["images"].([]interface{})

     

       239
       +
       		imageObj := images[0].(map[string]interface{})

     

       240
       +
       		imageBlob := imageObj["image"].(map[string]interface{})

     

       241
       +
       		assert.Equal(t, "blob", imageBlob["$type"], "image blob should be unchanged")

     

       242
       +
       	})

     

       243
       +
       }

     

       244
       +
       

     

       245
       +
       func TestTransformThumbToURL(t *testing.T) {

     

       246
       +
       	t.Run("transforms valid blob ref to URL", func(t *testing.T) {

     

       247
       +
       		external := map[string]interface{}{

     

       248
       +
       			"uri": "https://example.com",

     

       249
       +
       			"thumb": map[string]interface{}{

     

       250
       +
       				"$type": "blob",

     

       251
       +
       				"ref": map[string]interface{}{

     

       252
       +
       					"$link": "bafyreib6tbnql2ux3whnfysbzabthaj2vvck53nimhbi5g5a7jgvgr5eqm",

     

       253
       +
       				},

     

       254
       +
       				"mimeType": "image/jpeg",

     

       255
       +
       				"size":     52813,

     

       256
       +
       			},

     

       257
       +
       		}

     

       258
       +
       

     

       259
       +
       		transformThumbToURL(external, "did:plc:test", "http://localhost:3001")

     

       260
       +
       

     

       261
       +
       		thumbURL, ok := external["thumb"].(string)

     

       262
       +
       		require.True(t, ok, "thumb should be a string URL")

     

       263
       +
       		assert.Equal(t,

     

       264
       +
       			"http://localhost:3001/xrpc/com.atproto.sync.getBlob?did=did:plc:test&cid=bafyreib6tbnql2ux3whnfysbzabthaj2vvck53nimhbi5g5a7jgvgr5eqm",

     

       265
       +
       			thumbURL)

     

       266
       +
       	})

     

       267
       +
       

     

       268
       +
       	t.Run("does not transform if thumb is already string", func(t *testing.T) {

     

       269
       +
       		expectedURL := "http://localhost:3001/xrpc/com.atproto.sync.getBlob?did=did:plc:test&cid=bafytest"

     

       270
       +
       		external := map[string]interface{}{

     

       271
       +
       			"uri":   "https://example.com",

     

       272
       +
       			"thumb": expectedURL,

     

       273
       +
       		}

     

       274
       +
       

     

       275
       +
       		transformThumbToURL(external, "did:plc:test", "http://localhost:3001")

     

       276
       +
       

     

       277
       +
       		thumbURL, ok := external["thumb"].(string)

     

       278
       +
       		require.True(t, ok, "thumb should still be a string")

     

       279
       +
       		assert.Equal(t, expectedURL, thumbURL, "thumb should be unchanged")

     

       280
       +
       	})

     

       281
       +
       

     

       282
       +
       	t.Run("does not transform if thumb is missing", func(t *testing.T) {

     

       283
       +
       		external := map[string]interface{}{

     

       284
       +
       			"uri": "https://example.com",

     

       285
       +
       		}

     

       286
       +
       

     

       287
       +
       		transformThumbToURL(external, "did:plc:test", "http://localhost:3001")

     

       288
       +
       

     

       289
       +
       		_, hasThumb := external["thumb"]

     

       290
       +
       		assert.False(t, hasThumb, "thumb should not be added")

     

       291
       +
       	})

     

       292
       +
       

     

       293
       +
       	t.Run("does not transform if CID is empty", func(t *testing.T) {

     

       294
       +
       		external := map[string]interface{}{

     

       295
       +
       			"uri": "https://example.com",

     

       296
       +
       			"thumb": map[string]interface{}{

     

       297
       +
       				"$type": "blob",

     

       298
       +
       				"ref": map[string]interface{}{

     

       299
       +
       					"$link": "", // Empty CID

     

       300
       +
       				},

     

       301
       +
       			},

     

       302
       +
       		}

     

       303
       +
       

     

       304
       +
       		transformThumbToURL(external, "did:plc:test", "http://localhost:3001")

     

       305
       +
       

     

       306
       +
       		// Verify thumb is unchanged

     

       307
       +
       		thumb, ok := external["thumb"].(map[string]interface{})

     

       308
       +
       		require.True(t, ok, "thumb should still be a map")

     

       309
       +
       		ref := thumb["ref"].(map[string]interface{})

     

       310
       +
       		assert.Equal(t, "", ref["$link"], "empty CID should be unchanged")

     

       311
       +
       	})

     

       312
       +
       }

+13 -14

aggregators/kagi-news/src/coves_client.py

···

       72
        
               content: str,

     

       73
        
               facets: List[Dict],

     

       74
        
               title: Optional[str] = None,

     

       75
       -
               embed: Optional[Dict] = None

     

       0
        
       
     

       76
        
           ) -> str:

     

       77
        
               """

     

       78
        
               Create a post in a community.

     
···

       83
        
                   facets: Rich text facets (formatting, links)

     

       84
        
                   title: Optional post title

     

       85
        
                   embed: Optional external embed

     

       0
        
       
     

       86
        
       

     

       87
        
               Returns:

     

       88
        
                   AT Proto URI of created post (e.g., "at://did:plc:.../social.coves.post/...")

     
···

       109
        
                   if embed:

     

       110
        
                       post_data["embed"] = embed

     

       111
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       112
        
                   # Use Coves-specific endpoint (not direct PDS write)

     

       113
        
                   # This provides validation, authorization, and business logic

     

       114
        
                   logger.info(f"Creating post in community: {community_handle}")

     
···

       141
        
               self,

     

       142
        
               uri: str,

     

       143
        
               title: str,

     

       144
       -
               description: str,

     

       145
       -
               thumb: Optional[str] = None

     

       146
        
           ) -> Dict:

     

       147
        
               """

     

       148
        
               Create external embed object for hot-linked content.

     

       149
        
       

     

       150
        
               Args:

     

       151
       -
                   uri: External URL (story link)

     

       152
       -
                   title: Story title

     

       153
       -
                   description: Story description/summary

     

       154
       -
                   thumb: Optional thumbnail image URL

     

       155
        
       

     

       156
        
               Returns:

     

       157
       -
                   External embed dictionary

     

       158
        
               """

     

       159
       -
               embed = {

     

       160
        
                   "$type": "social.coves.embed.external",

     

       161
        
                   "external": {

     

       162
        
                       "uri": uri,

     
···

       165
        
                   }

     

       166
        
               }

     

       167
        
       

     

       168
       -
               if thumb:

     

       169
       -
                   embed["external"]["thumb"] = thumb

     

       170
       -
       

     

       171
       -
               return embed

     

       172
       -
       

     

       173
        
           def _get_timestamp(self) -> str:

     

       174
        
               """

     

       175
        
               Get current timestamp in ISO 8601 format.

···

       72
        
               content: str,

     

       73
        
               facets: List[Dict],

     

       74
        
               title: Optional[str] = None,

     

       75
       +
               embed: Optional[Dict] = None,

     

       76
       +
               thumbnail_url: Optional[str] = None

     

       77
        
           ) -> str:

     

       78
        
               """

     

       79
        
               Create a post in a community.

     
···

       84
        
                   facets: Rich text facets (formatting, links)

     

       85
        
                   title: Optional post title

     

       86
        
                   embed: Optional external embed

     

       87
       +
                   thumbnail_url: Optional thumbnail URL (for trusted aggregators only)

     

       88
        
       

     

       89
        
               Returns:

     

       90
        
                   AT Proto URI of created post (e.g., "at://did:plc:.../social.coves.post/...")

     
···

       111
        
                   if embed:

     

       112
        
                       post_data["embed"] = embed

     

       113
        
       

     

       114
       +
                   # Add thumbnail URL at top level if provided (for trusted aggregators)

     

       115
       +
                   if thumbnail_url:

     

       116
       +
                       post_data["thumbnailUrl"] = thumbnail_url

     

       117
       +
       

     

       118
        
                   # Use Coves-specific endpoint (not direct PDS write)

     

       119
        
                   # This provides validation, authorization, and business logic

     

       120
        
                   logger.info(f"Creating post in community: {community_handle}")

     
···

       147
        
               self,

     

       148
        
               uri: str,

     

       149
        
               title: str,

     

       150
       +
               description: str

     

       0
        
       
     

       151
        
           ) -> Dict:

     

       152
        
               """

     

       153
        
               Create external embed object for hot-linked content.

     

       154
        
       

     

       155
        
               Args:

     

       156
       +
                   uri: URL of the external content

     

       157
       +
                   title: Title of the content

     

       158
       +
                   description: Description/summary

     

       0
        
       
     

       159
        
       

     

       160
        
               Returns:

     

       161
       +
                   Embed dictionary ready for post creation

     

       162
        
               """

     

       163
       +
               return {

     

       164
        
                   "$type": "social.coves.embed.external",

     

       165
        
                   "external": {

     

       166
        
                       "uri": uri,

     
···

       169
        
                   }

     

       170
        
               }

     

       171
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       172
        
           def _get_timestamp(self) -> str:

     

       173
        
               """

     

       174
        
               Get current timestamp in ISO 8601 format.

+4 -3

aggregators/kagi-news/src/main.py

···

       173
        
                       embed = self.coves_client.create_external_embed(

     

       174
        
                           uri=story.link,

     

       175
        
                           title=story.title,

     

       176
       -
                           description=story.summary[:200] if len(story.summary) > 200 else story.summary,

     

       177
       -
                           thumb=story.image_url

     

       178
        
                       )

     

       179
        
       

     

       180
        
                       # Post to community

     

       0
        
       
     

       181
        
                       try:

     

       182
        
                           post_uri = self.coves_client.create_post(

     

       183
        
                               community_handle=feed_config.community_handle,

     

       184
        
                               title=story.title,

     

       185
        
                               content=rich_text["content"],

     

       186
        
                               facets=rich_text["facets"],

     

       187
       -
                               embed=embed

     

       0
        
       
     

       188
        
                           )

     

       189
        
       

     

       190
        
                           # Mark as posted (only if successful)

···

       173
        
                       embed = self.coves_client.create_external_embed(

     

       174
        
                           uri=story.link,

     

       175
        
                           title=story.title,

     

       176
       +
                           description=story.summary[:200] if len(story.summary) > 200 else story.summary

     

       0
        
       
     

       177
        
                       )

     

       178
        
       

     

       179
        
                       # Post to community

     

       180
       +
                       # Pass thumbnail URL from RSS feed at top level for trusted aggregator upload

     

       181
        
                       try:

     

       182
        
                           post_uri = self.coves_client.create_post(

     

       183
        
                               community_handle=feed_config.community_handle,

     

       184
        
                               title=story.title,

     

       185
        
                               content=rich_text["content"],

     

       186
        
                               facets=rich_text["facets"],

     

       187
       +
                               embed=embed,

     

       188
       +
                               thumbnail_url=story.image_url  # From RSS feed - server will validate and upload

     

       189
        
                           )

     

       190
        
       

     

       191
        
                           # Mark as posted (only if successful)

+5 -14

aggregators/kagi-news/tests/test_e2e.py

···

       398
        
           Verifies:

     

       399
        
           - Embed structure matches social.coves.embed.external

     

       400
        
           - All required fields are present

     

       401
       -
           - Optional thumbnail is included when provided

     

       402
        
           """

     

       403
        
           handle, password = aggregator_credentials

     

       404
        
       

     
···

       408
        
               password=password

     

       409
        
           )

     

       410
        
       

     

       411
       -
           # Test with thumbnail

     

       412
        
           embed = client.create_external_embed(

     

       413
        
               uri="https://example.com/story",

     

       414
        
               title="Test Story",

     

       415
       -
               description="Test description",

     

       416
       -
               thumb="https://example.com/image.jpg"

     

       417
        
           )

     

       418
        
       

     

       419
        
           assert embed["$type"] == "social.coves.embed.external"

     

       420
        
           assert embed["external"]["uri"] == "https://example.com/story"

     

       421
        
           assert embed["external"]["title"] == "Test Story"

     

       422
        
           assert embed["external"]["description"] == "Test description"

     

       423
       -
           assert embed["external"]["thumb"] == "https://example.com/image.jpg"

     

       424
       -
       

     

       425
       -
           # Test without thumbnail

     

       426
       -
           embed_no_thumb = client.create_external_embed(

     

       427
       -
               uri="https://example.com/story2",

     

       428
       -
               title="Test Story 2",

     

       429
       -
               description="Test description 2"

     

       430
       -
           )

     

       431
       -
       

     

       432
       -
           assert "thumb" not in embed_no_thumb["external"]

     

       433
        
           print("\n✅ External embed format correct")

···

       398
        
           Verifies:

     

       399
        
           - Embed structure matches social.coves.embed.external

     

       400
        
           - All required fields are present

     

       401
       +
           - Thumbnails are handled by server's unfurl service (not included in client)

     

       402
        
           """

     

       403
        
           handle, password = aggregator_credentials

     

       404
        
       

     
···

       408
        
               password=password

     

       409
        
           )

     

       410
        
       

     

       411
       +
           # Create external embed (server will handle thumbnail extraction)

     

       412
        
           embed = client.create_external_embed(

     

       413
        
               uri="https://example.com/story",

     

       414
        
               title="Test Story",

     

       415
       +
               description="Test description"

     

       0
        
       
     

       416
        
           )

     

       417
        
       

     

       418
        
           assert embed["$type"] == "social.coves.embed.external"

     

       419
        
           assert embed["external"]["uri"] == "https://example.com/story"

     

       420
        
           assert embed["external"]["title"] == "Test Story"

     

       421
        
           assert embed["external"]["description"] == "Test description"

     

       422
       +
           # Thumbnail is not included - server's unfurl service handles it

     

       423
       +
           assert "thumb" not in embed["external"]

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       424
        
           print("\n✅ External embed format correct")

+4 -3

aggregators/kagi-news/tests/test_main.py

···

       404
        
               mock_client.create_post.return_value = "at://did:plc:test/social.coves.post/abc123"

     

       405
        
       

     

       406
        
               # Mock create_external_embed to return proper embed structure

     

       0
        
       
     

       407
        
               mock_client.create_external_embed.return_value = {

     

       408
        
                   "$type": "social.coves.embed.external",

     

       409
        
                   "external": {

     

       410
        
                       "uri": sample_story.link,

     

       411
        
                       "title": sample_story.title,

     

       412
       -
                       "description": sample_story.summary,

     

       413
       -
                       "thumb": sample_story.image_url

     

       414
        
                   }

     

       415
        
               }

     

       416
        
       

     
···

       457
        
                   assert call_kwargs["embed"]["$type"] == "social.coves.embed.external"

     

       458
        
                   assert call_kwargs["embed"]["external"]["uri"] == sample_story.link

     

       459
        
                   assert call_kwargs["embed"]["external"]["title"] == sample_story.title

     

       460
       -
                   assert call_kwargs["embed"]["external"]["thumb"] == sample_story.image_url

     

       0

···

       404
        
               mock_client.create_post.return_value = "at://did:plc:test/social.coves.post/abc123"

     

       405
        
       

     

       406
        
               # Mock create_external_embed to return proper embed structure

     

       407
       +
               # Note: Thumbnails are handled by server's unfurl service, not client

     

       408
        
               mock_client.create_external_embed.return_value = {

     

       409
        
                   "$type": "social.coves.embed.external",

     

       410
        
                   "external": {

     

       411
        
                       "uri": sample_story.link,

     

       412
        
                       "title": sample_story.title,

     

       413
       +
                       "description": sample_story.summary

     

       0
        
       
     

       414
        
                   }

     

       415
        
               }

     

       416
        
       

     
···

       457
        
                   assert call_kwargs["embed"]["$type"] == "social.coves.embed.external"

     

       458
        
                   assert call_kwargs["embed"]["external"]["uri"] == sample_story.link

     

       459
        
                   assert call_kwargs["embed"]["external"]["title"] == sample_story.title

     

       460
       +
                   # Thumbnail is not included - server's unfurl service handles it

     

       461
       +
                   assert "thumb" not in call_kwargs["embed"]["external"]

+134

scripts/post_streamable.py

···

       1
       +
       #!/usr/bin/env python3

     

       2
       +
       """

     

       3
       +
       Quick script to post a Streamable video to test-usnews community.

     

       4
       +
       Uses the kagi-news CovesClient infrastructure.

     

       5
       +
       """

     

       6
       +
       

     

       7
       +
       import sys

     

       8
       +
       import os

     

       9
       +
       

     

       10
       +
       # Add kagi-news src to path to use CovesClient

     

       11
       +
       sys.path.insert(0, os.path.join(os.path.dirname(__file__), '../aggregators/kagi-news'))

     

       12
       +
       

     

       13
       +
       from src.coves_client import CovesClient

     

       14
       +
       

     

       15
       +
       def main():

     

       16
       +
           # Configuration

     

       17
       +
           COVES_API_URL = "http://localhost:8081"

     

       18
       +
           PDS_URL = "http://localhost:3001"

     

       19
       +
       

     

       20
       +
           # Use PDS instance credentials (from .env.dev)

     

       21
       +
           HANDLE = "testuser123.local.coves.dev"

     

       22
       +
           PASSWORD = "test-password-123"

     

       23
       +
       

     

       24
       +
           # Post details

     

       25
       +
           COMMUNITY_HANDLE = "test-usnews.community.coves.social"

     

       26
       +
       

     

       27
       +
           # Post 1: Streamable video

     

       28
       +
           STREAMABLE_URL = "https://streamable.com/7kpdft"

     

       29
       +
           STREAMABLE_TITLE = "NBACentral - \"Your son don't wanna be here, we know it's your last weekend. Enjoy ..."

     

       30
       +
       

     

       31
       +
           # Post 2: Reddit highlight

     

       32
       +
           REDDIT_URL = "https://www.reddit.com/r/nba/comments/1orfsgm/highlight_giannis_antetokounmpo_41_pts_15_reb_9/"

     

       33
       +
           REDDIT_TITLE = "[Highlight] Giannis Antetokounmpo (41 PTS, 15 REB, 9 AST) tallies his 56th career regular season game of 40+ points, passing Kareem Abdul-Jabbar for the most such games in franchise history. Milwaukee defeats Chicago 126-110 to win their NBA Cup opener."

     

       34
       +
       

     

       35
       +
           # Initialize client

     

       36
       +
           print(f"Initializing Coves client...")

     

       37
       +
           print(f"  API URL: {COVES_API_URL}")

     

       38
       +
           print(f"  PDS URL: {PDS_URL}")

     

       39
       +
           print(f"  Handle: {HANDLE}")

     

       40
       +
       

     

       41
       +
           client = CovesClient(

     

       42
       +
               api_url=COVES_API_URL,

     

       43
       +
               handle=HANDLE,

     

       44
       +
               password=PASSWORD,

     

       45
       +
               pds_url=PDS_URL

     

       46
       +
           )

     

       47
       +
       

     

       48
       +
           # Authenticate

     

       49
       +
           print("\nAuthenticating...")

     

       50
       +
           try:

     

       51
       +
               client.authenticate()

     

       52
       +
               print(f"✓ Authenticated as {client.did}")

     

       53
       +
           except Exception as e:

     

       54
       +
               print(f"✗ Authentication failed: {e}")

     

       55
       +
               return 1

     

       56
       +
       

     

       57
       +
           # Post 1: Streamable video

     

       58
       +
           print("\n" + "="*60)

     

       59
       +
           print("POST 1: STREAMABLE VIDEO")

     

       60
       +
           print("="*60)

     

       61
       +
       

     

       62
       +
           print("\nCreating minimal external embed (URI only)...")

     

       63
       +
           streamable_embed = {

     

       64
       +
               "$type": "social.coves.embed.external",

     

       65
       +
               "external": {

     

       66
       +
                   "uri": STREAMABLE_URL

     

       67
       +
               }

     

       68
       +
           }

     

       69
       +
           print(f"✓ Embed created with URI only (unfurl service should enrich)")

     

       70
       +
       

     

       71
       +
           print(f"\nPosting to {COMMUNITY_HANDLE}...")

     

       72
       +
           print(f"  Title: {STREAMABLE_TITLE}")

     

       73
       +
           print(f"  Video: {STREAMABLE_URL}")

     

       74
       +
       

     

       75
       +
           try:

     

       76
       +
               post_uri = client.create_post(

     

       77
       +
                   community_handle=COMMUNITY_HANDLE,

     

       78
       +
                   title=STREAMABLE_TITLE,

     

       79
       +
                   content="",

     

       80
       +
                   facets=[],

     

       81
       +
                   embed=streamable_embed

     

       82
       +
               )

     

       83
       +
       

     

       84
       +
               print(f"\n✓ Streamable post created successfully!")

     

       85
       +
               print(f"  URI: {post_uri}")

     

       86
       +
       

     

       87
       +
           except Exception as e:

     

       88
       +
               print(f"\n✗ Streamable post creation failed: {e}")

     

       89
       +
               import traceback

     

       90
       +
               traceback.print_exc()

     

       91
       +
               return 1

     

       92
       +
       

     

       93
       +
           # Post 2: Reddit highlight

     

       94
       +
           print("\n" + "="*60)

     

       95
       +
           print("POST 2: REDDIT HIGHLIGHT")

     

       96
       +
           print("="*60)

     

       97
       +
       

     

       98
       +
           print("\nCreating minimal external embed (URI only)...")

     

       99
       +
           reddit_embed = {

     

       100
       +
               "$type": "social.coves.embed.external",

     

       101
       +
               "external": {

     

       102
       +
                   "uri": REDDIT_URL

     

       103
       +
               }

     

       104
       +
           }

     

       105
       +
           print(f"✓ Embed created with URI only (unfurl service should enrich)")

     

       106
       +
       

     

       107
       +
           print(f"\nPosting to {COMMUNITY_HANDLE}...")

     

       108
       +
           print(f"  Title: {REDDIT_TITLE}")

     

       109
       +
           print(f"  URL: {REDDIT_URL}")

     

       110
       +
       

     

       111
       +
           try:

     

       112
       +
               post_uri = client.create_post(

     

       113
       +
                   community_handle=COMMUNITY_HANDLE,

     

       114
       +
                   title=REDDIT_TITLE,

     

       115
       +
                   content="",

     

       116
       +
                   facets=[],

     

       117
       +
                   embed=reddit_embed

     

       118
       +
               )

     

       119
       +
       

     

       120
       +
               print(f"\n✓ Reddit post created successfully!")

     

       121
       +
               print(f"  URI: {post_uri}")

     

       122
       +
               print(f"\n" + "="*60)

     

       123
       +
               print("Both posts created! Check them out at !test-usnews")

     

       124
       +
               print("="*60)

     

       125
       +
               return 0

     

       126
       +
       

     

       127
       +
           except Exception as e:

     

       128
       +
               print(f"\n✗ Reddit post creation failed: {e}")

     

       129
       +
               import traceback

     

       130
       +
               traceback.print_exc()

     

       131
       +
               return 1

     

       132
       +
       

     

       133
       +
       if __name__ == "__main__":

     

       134
       +
           sys.exit(main())

+6 -3

aggregators/kagi-news/src/html_parser.py

···

       78
        
                   Perspective(

     

       79
        
                       actor=p['actor'],

     

       80
        
                       description=p['description'],

     

       81
       -
                       source_url=p['source_url']

     

       0
        
       
     

       82
        
                   )

     

       83
        
                   for p in parsed['perspectives']

     

       84
        
               ]

     
···

       230
        
               actor, rest = full_text.split(':', 1)

     

       231
        
               actor = actor.strip()

     

       232
        
       

     

       233
       -
               # Find the <a> tag for source URL

     

       234
        
               a_tag = li.find('a')

     

       235
        
               source_url = a_tag['href'] if a_tag and a_tag.get('href') else ""

     

       0
        
       
     

       236
        
       

     

       237
        
               # Extract description (between colon and source link)

     

       238
        
               # Remove the source citation part in parentheses

     
···

       250
        
               return {

     

       251
        
                   'actor': actor,

     

       252
        
                   'description': description,

     

       253
       -
                   'source_url': source_url

     

       0
        
       
     

       254
        
               }

     

       255
        
       

     

       256
        
           def _extract_sources(self, soup: BeautifulSoup) -> List[Dict]:

···

       78
        
                   Perspective(

     

       79
        
                       actor=p['actor'],

     

       80
        
                       description=p['description'],

     

       81
       +
                       source_url=p['source_url'],

     

       82
       +
                       source_name=p.get('source_name', '')

     

       83
        
                   )

     

       84
        
                   for p in parsed['perspectives']

     

       85
        
               ]

     
···

       231
        
               actor, rest = full_text.split(':', 1)

     

       232
        
               actor = actor.strip()

     

       233
        
       

     

       234
       +
               # Find the <a> tag for source URL and name

     

       235
        
               a_tag = li.find('a')

     

       236
        
               source_url = a_tag['href'] if a_tag and a_tag.get('href') else ""

     

       237
       +
               source_name = a_tag.get_text(strip=True) if a_tag else ""

     

       238
        
       

     

       239
        
               # Extract description (between colon and source link)

     

       240
        
               # Remove the source citation part in parentheses

     
···

       252
        
               return {

     

       253
        
                   'actor': actor,

     

       254
        
                   'description': description,

     

       255
       +
                   'source_url': source_url,

     

       256
       +
                   'source_name': source_name

     

       257
        
               }

     

       258
        
       

     

       259
        
           def _extract_sources(self, soup: BeautifulSoup) -> List[Dict]:

aggregators/kagi-news/src/models.py

···

       20
        
           actor: str

     

       21
        
           description: str

     

       22
        
           source_url: str

     

       0
        
       
     

       23
        
       

     

       24
        
       

     

       25
        
       @dataclass

···

       20
        
           actor: str

     

       21
        
           description: str

     

       22
        
           source_url: str

     

       23
       +
           source_name: str = ""  # Name of the source (e.g., "The Straits Times")

     

       24
        
       

     

       25
        
       

     

       26
        
       @dataclass

+11 -7

aggregators/kagi-news/src/richtext_formatter.py

···

       42
        
                   builder.add_bold("Highlights:")

     

       43
        
                   builder.add_text("\n")

     

       44
        
                   for highlight in story.highlights:

     

       45
       -
                       builder.add_text(f"• {highlight}\n")

     

       46
        
                   builder.add_text("\n")

     

       47
        
       

     

       48
        
               # Perspectives (if present)

     
···

       53
        
                       # Bold the actor name

     

       54
        
                       actor_with_colon = f"{perspective.actor}:"

     

       55
        
                       builder.add_bold(actor_with_colon)

     

       56
       -
                       builder.add_text(f" {perspective.description} (")

     

       57
        
       

     

       58
       -
                       # Add link to source

     

       59
       -
                       source_link_text = "Source"

     

       60
       -
                       builder.add_link(source_link_text, perspective.source_url)

     

       61
       -
                       builder.add_text(")\n")

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       62
        
                   builder.add_text("\n")

     

       63
        
       

     

       64
        
               # Quote (if present)

     
···

       74
        
                   for source in story.sources:

     

       75
        
                       builder.add_text("• ")

     

       76
        
                       builder.add_link(source.title, source.url)

     

       77
       -
                       builder.add_text(f" - {source.domain}\n")

     

       78
        
                   builder.add_text("\n")

     

       79
        
       

     

       80
        
               # Kagi News attribution

···

       42
        
                   builder.add_bold("Highlights:")

     

       43
        
                   builder.add_text("\n")

     

       44
        
                   for highlight in story.highlights:

     

       45
       +
                       builder.add_text(f"• {highlight}\n\n")

     

       46
        
                   builder.add_text("\n")

     

       47
        
       

     

       48
        
               # Perspectives (if present)

     
···

       53
        
                       # Bold the actor name

     

       54
        
                       actor_with_colon = f"{perspective.actor}:"

     

       55
        
                       builder.add_bold(actor_with_colon)

     

       56
       +
                       builder.add_text(f" {perspective.description}")

     

       57
        
       

     

       58
       +
                       # Add link to source if available

     

       59
       +
                       if perspective.source_url:

     

       60
       +
                           builder.add_text(" (")

     

       61
       +
                           source_link_text = perspective.source_name if perspective.source_name else "Source"

     

       62
       +
                           builder.add_link(source_link_text, perspective.source_url)

     

       63
       +
                           builder.add_text(")")

     

       64
       +
       

     

       65
       +
                       builder.add_text("\n\n")

     

       66
        
                   builder.add_text("\n")

     

       67
        
       

     

       68
        
               # Quote (if present)

     
···

       78
        
                   for source in story.sources:

     

       79
        
                       builder.add_text("• ")

     

       80
        
                       builder.add_link(source.title, source.url)

     

       81
       +
                       builder.add_text(f" - {source.domain}\n\n")

     

       82
        
                   builder.add_text("\n")

     

       83
        
       

     

       84
        
               # Kagi News attribution

-2

docker-compose.dev.yml

···

       1
       -
       version: '3.8'

     

       2
       -
       

     

       3
        
       # Coves Local Development Stack

     

       4
        
       # All-in-one setup: PDS + PostgreSQL + optional Relay

     

       5
        
       #

···

       0
        
       
     

       0
        
       
     

       1
        
       # Coves Local Development Stack

     

       2
        
       # All-in-one setup: PDS + PostgreSQL + optional Relay

     

       3
        
       #

+1 -1

tests/lexicon-test-data/interaction/comment-invalid-content.json

···

       1
        
       {

     

       2
       -
         "$type": "social.coves.feed.comment",

     

       3
        
         "reply": {

     

       4
        
           "root": {

     

       5
        
             "uri": "at://did:plc:test123/social.coves.community.post/3k7a3dmb5bk2c",

···

       1
        
       {

     

       2
       +
         "$type": "social.coves.community.comment",

     

       3
        
         "reply": {

     

       4
        
           "root": {

     

       5
        
             "uri": "at://did:plc:test123/social.coves.community.post/3k7a3dmb5bk2c",

+1 -1

tests/lexicon-test-data/interaction/comment-valid-sticker.json

···

       1
        
       {

     

       2
       -
         "$type": "social.coves.feed.comment",

     

       3
        
         "reply": {

     

       4
        
           "root": {

     

       5
        
             "uri": "at://did:plc:test123/social.coves.community.post/3k7a3dmb5bk2c",

···

       1
        
       {

     

       2
       +
         "$type": "social.coves.community.comment",

     

       3
        
         "reply": {

     

       4
        
           "root": {

     

       5
        
             "uri": "at://did:plc:test123/social.coves.community.post/3k7a3dmb5bk2c",

+1 -1

tests/lexicon-test-data/interaction/comment-valid-text.json

···

       1
        
       {

     

       2
       -
         "$type": "social.coves.feed.comment",

     

       3
        
         "reply": {

     

       4
        
           "root": {

     

       5
        
             "uri": "at://did:plc:test123/social.coves.community.post/3k7a3dmb5bk2c",

···

       1
        
       {

     

       2
       +
         "$type": "social.coves.community.comment",

     

       3
        
         "reply": {

     

       4
        
           "root": {

     

       5
        
             "uri": "at://did:plc:test123/social.coves.community.post/3k7a3dmb5bk2c",

+34

internal/db/migrations/018_migrate_comment_namespace.sql

···

       1
       +
       -- +goose Up

     

       2
       +
       -- Migration: Update comment URIs from social.coves.feed.comment to social.coves.community.comment

     

       3
       +
       -- This updates the namespace for all comment records in the database.

     

       4
       +
       -- Since we're pre-production, we're only updating the comments table (not votes).

     

       5
       +
       

     

       6
       +
       -- Update main comment URIs

     

       7
       +
       UPDATE comments

     

       8
       +
       SET uri = REPLACE(uri, '/social.coves.feed.comment/', '/social.coves.community.comment/')

     

       9
       +
       WHERE uri LIKE '%/social.coves.feed.comment/%';

     

       10
       +
       

     

       11
       +
       -- Update root references (when root is a comment, not a post)

     

       12
       +
       UPDATE comments

     

       13
       +
       SET root_uri = REPLACE(root_uri, '/social.coves.feed.comment/', '/social.coves.community.comment/')

     

       14
       +
       WHERE root_uri LIKE '%/social.coves.feed.comment/%';

     

       15
       +
       

     

       16
       +
       -- Update parent references (when parent is a comment)

     

       17
       +
       UPDATE comments

     

       18
       +
       SET parent_uri = REPLACE(parent_uri, '/social.coves.feed.comment/', '/social.coves.community.comment/')

     

       19
       +
       WHERE parent_uri LIKE '%/social.coves.feed.comment/%';

     

       20
       +
       

     

       21
       +
       -- +goose Down

     

       22
       +
       -- Rollback: Revert comment URIs from social.coves.community.comment to social.coves.feed.comment

     

       23
       +
       

     

       24
       +
       UPDATE comments

     

       25
       +
       SET uri = REPLACE(uri, '/social.coves.community.comment/', '/social.coves.feed.comment/')

     

       26
       +
       WHERE uri LIKE '%/social.coves.community.comment/%';

     

       27
       +
       

     

       28
       +
       UPDATE comments

     

       29
       +
       SET root_uri = REPLACE(root_uri, '/social.coves.community.comment/', '/social.coves.feed.comment/')

     

       30
       +
       WHERE root_uri LIKE '%/social.coves.community.comment/%';

     

       31
       +
       

     

       32
       +
       UPDATE comments

     

       33
       +
       SET parent_uri = REPLACE(parent_uri, '/social.coves.community.comment/', '/social.coves.feed.comment/')

     

       34
       +
       WHERE parent_uri LIKE '%/social.coves.community.comment/%';

+1 -1

internal/atproto/utils/record_utils.go

···

       20
        
       // Format: at://did/collection/rkey -> collection

     

       21
        
       //

     

       22
        
       // Returns:

     

       23
       -
       //   - Collection name (e.g., "social.coves.feed.comment") if URI is well-formed

     

       24
        
       //   - Empty string if URI is malformed or doesn't contain a collection segment

     

       25
        
       //

     

       26
        
       // Note: Empty string indicates "unknown/unsupported collection" and should be

···

       20
        
       // Format: at://did/collection/rkey -> collection

     

       21
        
       //

     

       22
        
       // Returns:

     

       23
       +
       //   - Collection name (e.g., "social.coves.community.comment") if URI is well-formed

     

       24
        
       //   - Empty string if URI is malformed or doesn't contain a collection segment

     

       25
        
       //

     

       26
        
       // Note: Empty string indicates "unknown/unsupported collection" and should be

+1 -1

internal/core/comments/comment.go

···

       33
        
       

     

       34
        
       // CommentRecord represents the atProto record structure indexed from Jetstream

     

       35
        
       // This is the data structure that gets stored in the user's repository

     

       36
       -
       // Matches social.coves.feed.comment lexicon

     

       37
        
       type CommentRecord struct {

     

       38
        
       	Embed     map[string]interface{} `json:"embed,omitempty"`

     

       39
        
       	Labels    *SelfLabels            `json:"labels,omitempty"`

···

       33
        
       

     

       34
        
       // CommentRecord represents the atProto record structure indexed from Jetstream

     

       35
        
       // This is the data structure that gets stored in the user's repository

     

       36
       +
       // Matches social.coves.community.comment lexicon

     

       37
        
       type CommentRecord struct {

     

       38
        
       	Embed     map[string]interface{} `json:"embed,omitempty"`

     

       39
        
       	Labels    *SelfLabels            `json:"labels,omitempty"`

+2 -2

internal/core/comments/view_models.go

···

       5
        
       )

     

       6
        
       

     

       7
        
       // CommentView represents the full view of a comment with all metadata

     

       8
       -
       // Matches social.coves.feed.getComments#commentView lexicon

     

       9
        
       // Used in thread views and get endpoints

     

       10
        
       type CommentView struct {

     

       11
        
       	Embed         interface{}         `json:"embed,omitempty"`

     
···

       24
        
       }

     

       25
        
       

     

       26
        
       // ThreadViewComment represents a comment with its nested replies

     

       27
       -
       // Matches social.coves.feed.getComments#threadViewComment lexicon

     

       28
        
       // Supports recursive threading for comment trees

     

       29
        
       type ThreadViewComment struct {

     

       30
        
       	Comment *CommentView         `json:"comment"`

···

       5
        
       )

     

       6
        
       

     

       7
        
       // CommentView represents the full view of a comment with all metadata

     

       8
       +
       // Matches social.coves.community.comment.getComments#commentView lexicon

     

       9
        
       // Used in thread views and get endpoints

     

       10
        
       type CommentView struct {

     

       11
        
       	Embed         interface{}         `json:"embed,omitempty"`

     
···

       24
        
       }

     

       25
        
       

     

       26
        
       // ThreadViewComment represents a comment with its nested replies

     

       27
       +
       // Matches social.coves.community.comment.getComments#threadViewComment lexicon

     

       28
        
       // Supports recursive threading for comment trees

     

       29
        
       type ThreadViewComment struct {

     

       30
        
       	Comment *CommentView         `json:"comment"`

+1 -1

internal/validation/lexicon.go

···

       86
        
       

     

       87
        
       // ValidateComment validates a comment record

     

       88
        
       func (v *LexiconValidator) ValidateComment(comment map[string]interface{}) error {

     

       89
       -
       	return v.ValidateRecord(comment, "social.coves.feed.comment")

     

       90
        
       }

     

       91
        
       

     

       92
        
       // ValidateVote validates a vote record

···

       86
        
       

     

       87
        
       // ValidateComment validates a comment record

     

       88
        
       func (v *LexiconValidator) ValidateComment(comment map[string]interface{}) error {

     

       89
       +
       	return v.ValidateRecord(comment, "social.coves.community.comment")

     

       90
        
       }

     

       91
        
       

     

       92
        
       // ValidateVote validates a vote record

+18 -15

docs/COMMENT_SYSTEM_IMPLEMENTATION.md

···

       308
        
       ```json

     

       309
        
       {

     

       310
        
         "lexicon": 1,

     

       311
       -
         "id": "social.coves.feed.comment",

     

       312
        
         "defs": {

     

       313
        
           "main": {

     

       314
        
             "type": "record",

     
···

       365
        
       ```sql

     

       366
        
       CREATE TABLE comments (

     

       367
        
           id BIGSERIAL PRIMARY KEY,

     

       368
       -
           uri TEXT UNIQUE NOT NULL,               -- AT-URI (at://commenter_did/social.coves.feed.comment/rkey)

     

       369
        
           cid TEXT NOT NULL,                      -- Content ID

     

       370
        
           rkey TEXT NOT NULL,                     -- Record key (TID)

     

       371
        
           commenter_did TEXT NOT NULL,            -- User who commented (from AT-URI repo field)

     
···

       559
        
               return nil

     

       560
        
           }

     

       561
        
       

     

       562
       -
           if event.Commit.Collection == "social.coves.feed.comment" {

     

       563
        
               switch event.Commit.Operation {

     

       564
        
               case "create":

     

       565
        
                   return c.createComment(ctx, event.Did, commit)

     
···

       653
        
       - Auto-reconnect on errors (5-second retry)

     

       654
        
       - Ping/pong keepalive (30-second ping, 60-second read deadline)

     

       655
        
       - Graceful shutdown via context cancellation

     

       656
       -
       - Subscribes to: `wantedCollections=social.coves.feed.comment`

     

       657
        
       

     

       658
        
       ---

     

       659
        
       

     
···

       669
        
       // Start Jetstream consumer for comments

     

       670
        
       commentJetstreamURL := os.Getenv("COMMENT_JETSTREAM_URL")

     

       671
        
       if commentJetstreamURL == "" {

     

       672
       -
           commentJetstreamURL = "ws://localhost:6008/subscribe?wantedCollections=social.coves.feed.comment"

     

       673
        
       }

     

       674
        
       

     

       675
        
       commentEventConsumer := jetstream.NewCommentEventConsumer(commentRepo, db)

     
···

       682
        
       }()

     

       683
        
       

     

       684
        
       log.Printf("Started Jetstream comment consumer: %s", commentJetstreamURL)

     

       685
       -
       log.Println("  - Indexing: social.coves.feed.comment CREATE/UPDATE/DELETE operations")

     

       686
        
       log.Println("  - Updating: Post comment counts and comment reply counts atomically")

     

       687
        
       ```

     

       688
        
       

     
···

       835
        
       | Aspect | Votes | Comments |

     

       836
        
       |--------|-------|----------|

     

       837
        
       | **Location** | User repositories | User repositories |

     

       838
       -
       | **Lexicon** | `social.coves.feed.vote` | `social.coves.feed.comment` |

     

       839
        
       | **Operations** | CREATE, DELETE | CREATE, UPDATE, DELETE |

     

       840
        
       | **Mutability** | Immutable | Editable |

     

       841
        
       | **Foreign Keys** | None (out-of-order indexing) | None (out-of-order indexing) |

     
···

       1197
        
       

     

       1198
        
       ---

     

       1199
        
       

     

       1200
       -
       ### 📋 Phase 4: Namespace Migration (Separate Task)

     

       0
        
       
     

       0
        
       
     

       1201
        
       

     

       1202
        
       **Scope:**

     

       1203
       -
       - Migrate existing `social.coves.feed.comment` records to `social.coves.community.comment`

     

       1204
       -
       - Update all AT-URIs in database

     

       1205
       -
       - Update Jetstream consumer collection filter

     

       1206
       -
       - Migration script with rollback capability

     

       1207
       -
       - Zero-downtime deployment strategy

     

       0
        
       
     

       1208
        
       

     

       1209
       -
       **Note:** Currently out of scope - will be tackled separately when needed.

     

       1210
        
       

     

       1211
        
       ---

     

       1212
        
       

     
···

       1456
        
       ### Environment Variables

     

       1457
        
       ```bash

     

       1458
        
       # Jetstream URL (optional, defaults to localhost:6008)

     

       1459
       -
       export COMMENT_JETSTREAM_URL="ws://localhost:6008/subscribe?wantedCollections=social.coves.feed.comment"

     

       1460
        
       

     

       1461
        
       # Database URL

     

       1462
        
       export TEST_DATABASE_URL="postgres://test_user:test_password@localhost:5434/coves_test?sslmode=disable"

···

       308
        
       ```json

     

       309
        
       {

     

       310
        
         "lexicon": 1,

     

       311
       +
         "id": "social.coves.community.comment",

     

       312
        
         "defs": {

     

       313
        
           "main": {

     

       314
        
             "type": "record",

     
···

       365
        
       ```sql

     

       366
        
       CREATE TABLE comments (

     

       367
        
           id BIGSERIAL PRIMARY KEY,

     

       368
       +
           uri TEXT UNIQUE NOT NULL,               -- AT-URI (at://commenter_did/social.coves.community.comment/rkey)

     

       369
        
           cid TEXT NOT NULL,                      -- Content ID

     

       370
        
           rkey TEXT NOT NULL,                     -- Record key (TID)

     

       371
        
           commenter_did TEXT NOT NULL,            -- User who commented (from AT-URI repo field)

     
···

       559
        
               return nil

     

       560
        
           }

     

       561
        
       

     

       562
       +
           if event.Commit.Collection == "social.coves.community.comment" {

     

       563
        
               switch event.Commit.Operation {

     

       564
        
               case "create":

     

       565
        
                   return c.createComment(ctx, event.Did, commit)

     
···

       653
        
       - Auto-reconnect on errors (5-second retry)

     

       654
        
       - Ping/pong keepalive (30-second ping, 60-second read deadline)

     

       655
        
       - Graceful shutdown via context cancellation

     

       656
       +
       - Subscribes to: `wantedCollections=social.coves.community.comment`

     

       657
        
       

     

       658
        
       ---

     

       659
        
       

     
···

       669
        
       // Start Jetstream consumer for comments

     

       670
        
       commentJetstreamURL := os.Getenv("COMMENT_JETSTREAM_URL")

     

       671
        
       if commentJetstreamURL == "" {

     

       672
       +
           commentJetstreamURL = "ws://localhost:6008/subscribe?wantedCollections=social.coves.community.comment"

     

       673
        
       }

     

       674
        
       

     

       675
        
       commentEventConsumer := jetstream.NewCommentEventConsumer(commentRepo, db)

     
···

       682
        
       }()

     

       683
        
       

     

       684
        
       log.Printf("Started Jetstream comment consumer: %s", commentJetstreamURL)

     

       685
       +
       log.Println("  - Indexing: social.coves.community.comment CREATE/UPDATE/DELETE operations")

     

       686
        
       log.Println("  - Updating: Post comment counts and comment reply counts atomically")

     

       687
        
       ```

     

       688
        
       

     
···

       835
        
       | Aspect | Votes | Comments |

     

       836
        
       |--------|-------|----------|

     

       837
        
       | **Location** | User repositories | User repositories |

     

       838
       +
       | **Lexicon** | `social.coves.feed.vote` | `social.coves.community.comment` |

     

       839
        
       | **Operations** | CREATE, DELETE | CREATE, UPDATE, DELETE |

     

       840
        
       | **Mutability** | Immutable | Editable |

     

       841
        
       | **Foreign Keys** | None (out-of-order indexing) | None (out-of-order indexing) |

     
···

       1197
        
       

     

       1198
        
       ---

     

       1199
        
       

     

       1200
       +
       ### ✅ Phase 4: Namespace Migration (COMPLETED)

     

       1201
       +
       

     

       1202
       +
       **Completed:** 2025-11-16

     

       1203
        
       

     

       1204
        
       **Scope:**

     

       1205
       +
       - ✅ Migrated `social.coves.community.comment` namespace to `social.coves.community.comment`

     

       1206
       +
       - ✅ Updated lexicon definitions (record and query schemas)

     

       1207
       +
       - ✅ Updated Jetstream consumer collection filter

     

       1208
       +
       - ✅ Updated all code references (consumer, service, validation layers)

     

       1209
       +
       - ✅ Updated integration tests and test data generation scripts

     

       1210
       +
       - ✅ Created database migration (018_migrate_comment_namespace.sql)

     

       1211
        
       

     

       1212
       +
       **Note:** Since we're pre-production, no historical data migration was needed. Migration script updates URIs in comments table (uri, root_uri, parent_uri columns).

     

       1213
        
       

     

       1214
        
       ---

     

       1215
        
       

     
···

       1459
        
       ### Environment Variables

     

       1460
        
       ```bash

     

       1461
        
       # Jetstream URL (optional, defaults to localhost:6008)

     

       1462
       +
       export COMMENT_JETSTREAM_URL="ws://localhost:6008/subscribe?wantedCollections=social.coves.community.comment"

     

       1463
        
       

     

       1464
        
       # Database URL

     

       1465
        
       export TEST_DATABASE_URL="postgres://test_user:test_password@localhost:5434/coves_test?sslmode=disable"

+3 -2

internal/core/unfurl/providers.go

···

       108
        
       

     

       109
        
       // normalizeURL converts protocol-relative URLs to HTTPS

     

       110
        
       // Examples:

     

       111
       -
       //   "//example.com/image.jpg" -> "https://example.com/image.jpg"

     

       112
       -
       //   "https://example.com/image.jpg" -> "https://example.com/image.jpg" (unchanged)

     

       0
        
       
     

       113
        
       func normalizeURL(urlStr string) string {

     

       114
        
       	if strings.HasPrefix(urlStr, "//") {

     

       115
        
       		return "https:" + urlStr

···

       108
        
       

     

       109
        
       // normalizeURL converts protocol-relative URLs to HTTPS

     

       110
        
       // Examples:

     

       111
       +
       //

     

       112
       +
       //	"//example.com/image.jpg" -> "https://example.com/image.jpg"

     

       113
       +
       //	"https://example.com/image.jpg" -> "https://example.com/image.jpg" (unchanged)

     

       114
        
       func normalizeURL(urlStr string) string {

     

       115
        
       	if strings.HasPrefix(urlStr, "//") {

     

       116
        
       		return "https:" + urlStr

+785

docs/federation-prd.md

···

       1
       +
       # Federation PRD: Cross-Instance Posting (Beta)

     

       2
       +
       

     

       3
       +
       **Status:** Planning - Beta

     

       4
       +
       **Target:** Beta Release

     

       5
       +
       **Owner:** TBD

     

       6
       +
       **Last Updated:** 2025-11-16

     

       7
       +
       

     

       8
       +
       ---

     

       9
       +
       

     

       10
       +
       ## Overview

     

       11
       +
       

     

       12
       +
       Enable Lemmy-style federation where users on any Coves instance can post to communities hosted on other instances, while maintaining community ownership and moderation control.

     

       13
       +
       

     

       14
       +
       ### Problem Statement

     

       15
       +
       

     

       16
       +
       **Current (Alpha):**

     

       17
       +
       - Posts to communities require community credentials

     

       18
       +
       - Users can only post to communities on their home instance

     

       19
       +
       - No true federation across instances

     

       20
       +
       

     

       21
       +
       **Desired (Beta):**

     

       22
       +
       - User A@coves.social can post to !gaming@covesinstance.com

     

       23
       +
       - Communities maintain full moderation control

     

       24
       +
       - Content lives in community repositories (not user repos)

     

       25
       +
       - Seamless UX - users don't think about federation

     

       26
       +
       

     

       27
       +
       ---

     

       28
       +
       

     

       29
       +
       ## Goals

     

       30
       +
       

     

       31
       +
       ### Primary Goals

     

       32
       +
       1. **Enable cross-instance posting** - Users can post to any community on any federated instance

     

       33
       +
       2. **Preserve community ownership** - Posts live in community repos, not user repos

     

       34
       +
       3. **atProto-native implementation** - Use `com.atproto.server.getServiceAuth` pattern

     

       35
       +
       4. **Maintain security** - No compromise on auth, validation, or moderation

     

       36
       +
       

     

       37
       +
       ### Non-Goals (Future Versions)

     

       38
       +
       - Automatic instance discovery (Beta: manual allowlist)

     

       39
       +
       - Cross-instance moderation delegation

     

       40
       +
       - Content mirroring/replication

     

       41
       +
       - User migration between instances

     

       42
       +
       

     

       43
       +
       ---

     

       44
       +
       

     

       45
       +
       ## Technical Approach

     

       46
       +
       

     

       47
       +
       ### Architecture: atProto Service Auth

     

       48
       +
       

     

       49
       +
       Use atProto's native service authentication delegation pattern:

     

       50
       +
       

     

       51
       +
       ```

     

       52
       +
       ┌─────────────┐         ┌──────────────────┐         ┌─────────────┐

     

       53
       +
       │  User A     │         │  coves.social    │         │ covesinstance│

     

       54
       +
       │ @coves.soc  │────────▶│   AppView        │────────▶│  .com PDS   │

     

       55
       +
       └─────────────┘  (1)    └──────────────────┘  (2)    └─────────────┘

     

       56
       +
                       JWT auth    Request Service Auth         Validate

     

       57
       +
                                            │                       │

     

       58
       +
                                            │◀──────────────────────┘

     

       59
       +
                                            │        (3) Scoped Token

     

       60
       +
                                            │

     

       61
       +
                                            ▼

     

       62
       +
                                   ┌──────────────────┐

     

       63
       +
                                   │ covesinstance    │

     

       64
       +
                                   │  .com PDS        │

     

       65
       +
                                   │ Write Post       │

     

       66
       +
                                   └──────────────────┘

     

       67
       +
                                            │

     

       68
       +
                                            ▼

     

       69
       +
                                   ┌──────────────────┐

     

       70
       +
                                   │   Firehose       │

     

       71
       +
                                   │  (broadcasts)    │

     

       72
       +
                                   └──────────────────┘

     

       73
       +
                                            │

     

       74
       +
                               ┌────────────┴────────────┐

     

       75
       +
                               ▼                         ▼

     

       76
       +
                       ┌──────────────┐        ┌──────────────┐

     

       77
       +
                       │ coves.social │        │covesinstance │

     

       78
       +
                       │   AppView    │        │  .com AppView│

     

       79
       +
                       │  (indexes)   │        │   (indexes)  │

     

       80
       +
                       └──────────────┘        └──────────────┘

     

       81
       +
       ```

     

       82
       +
       

     

       83
       +
       ### Flow Breakdown

     

       84
       +
       

     

       85
       +
       **Step 1: User Authentication (Unchanged)**

     

       86
       +
       - User authenticates with their home instance (coves.social)

     

       87
       +
       - Receives JWT token for API requests

     

       88
       +
       

     

       89
       +
       **Step 2: Service Auth Request (New)**

     

       90
       +
       - When posting to remote community, AppView requests service auth token

     

       91
       +
       - Endpoint: `POST {remote-pds}/xrpc/com.atproto.server.getServiceAuth`

     

       92
       +
       - Payload:

     

       93
       +
         ```json

     

       94
       +
         {

     

       95
       +
           "aud": "did:plc:community123",  // Community DID

     

       96
       +
           "exp": 1234567890,               // Token expiration

     

       97
       +
           "lxm": "social.coves.community.post.create"  // Authorized method

     

       98
       +
         }

     

       99
       +
         ```

     

       100
       +
       

     

       101
       +
       **Step 3: Service Auth Validation (New - PDS Side)**

     

       102
       +
       - Remote PDS validates request:

     

       103
       +
         - Is requesting service trusted? (instance allowlist)

     

       104
       +
         - Is user banned from community?

     

       105
       +
         - Does community allow remote posts?

     

       106
       +
         - Rate limiting checks

     

       107
       +
       - Returns scoped token valid for specific community + operation

     

       108
       +
       

     

       109
       +
       **Step 4: Post Creation (Modified)**

     

       110
       +
       - AppView uses service auth token to write to remote PDS

     

       111
       +
       - Same `com.atproto.repo.createRecord` endpoint as current implementation

     

       112
       +
       - Post record written to community's repository

     

       113
       +
       

     

       114
       +
       **Step 5: Indexing (Unchanged)**

     

       115
       +
       - PDS broadcasts to firehose

     

       116
       +
       - All AppViews index via Jetstream consumers

     

       117
       +
       

     

       118
       +
       ---

     

       119
       +
       

     

       120
       +
       ## Implementation Details

     

       121
       +
       

     

       122
       +
       ### Phase 1: Service Detection (Local vs Remote)

     

       123
       +
       

     

       124
       +
       **File:** `internal/core/posts/service.go`

     

       125
       +
       

     

       126
       +
       ```go

     

       127
       +
       func (s *postService) CreatePost(ctx context.Context, req CreatePostRequest) (*CreatePostResponse, error) {

     

       128
       +
           // ... existing validation ...

     

       129
       +
       

     

       130
       +
           community, err := s.communityService.GetByDID(ctx, communityDID)

     

       131
       +
           if err != nil {

     

       132
       +
               return nil, err

     

       133
       +
           }

     

       134
       +
       

     

       135
       +
           // NEW: Route based on community location

     

       136
       +
           if s.isLocalCommunity(community) {

     

       137
       +
               return s.createLocalPost(ctx, community, req)

     

       138
       +
           }

     

       139
       +
           return s.createFederatedPost(ctx, community, req)

     

       140
       +
       }

     

       141
       +
       

     

       142
       +
       func (s *postService) isLocalCommunity(community *communities.Community) bool {

     

       143
       +
           localPDSHost := extractHost(s.pdsURL)

     

       144
       +
           communityPDSHost := extractHost(community.PDSURL)

     

       145
       +
           return localPDSHost == communityPDSHost

     

       146
       +
       }

     

       147
       +
       ```

     

       148
       +
       

     

       149
       +
       ### Phase 2: Service Auth Client

     

       150
       +
       

     

       151
       +
       **New File:** `internal/atproto/service_auth/client.go`

     

       152
       +
       

     

       153
       +
       ```go

     

       154
       +
       type ServiceAuthClient interface {

     

       155
       +
           // RequestServiceAuth obtains a scoped token for writing to remote community

     

       156
       +
           RequestServiceAuth(ctx context.Context, opts ServiceAuthOptions) (*ServiceAuthToken, error)

     

       157
       +
       }

     

       158
       +
       

     

       159
       +
       type ServiceAuthOptions struct {

     

       160
       +
           RemotePDSURL  string    // Remote PDS endpoint

     

       161
       +
           CommunityDID  string    // Target community DID

     

       162
       +
           UserDID       string    // Author DID (for validation)

     

       163
       +
           Method        string    // "social.coves.community.post.create"

     

       164
       +
           ExpiresIn     int       // Token lifetime (seconds)

     

       165
       +
       }

     

       166
       +
       

     

       167
       +
       type ServiceAuthToken struct {

     

       168
       +
           Token     string    // JWT token for auth

     

       169
       +
           ExpiresAt time.Time // When token expires

     

       170
       +
       }

     

       171
       +
       

     

       172
       +
       func (c *serviceAuthClient) RequestServiceAuth(ctx context.Context, opts ServiceAuthOptions) (*ServiceAuthToken, error) {

     

       173
       +
           endpoint := fmt.Sprintf("%s/xrpc/com.atproto.server.getServiceAuth", opts.RemotePDSURL)

     

       174
       +
       

     

       175
       +
           payload := map[string]interface{}{

     

       176
       +
               "aud": opts.CommunityDID,

     

       177
       +
               "exp": time.Now().Add(time.Duration(opts.ExpiresIn) * time.Second).Unix(),

     

       178
       +
               "lxm": opts.Method,

     

       179
       +
           }

     

       180
       +
       

     

       181
       +
           // Sign request with our instance DID credentials

     

       182
       +
           signedReq, err := c.signRequest(payload)

     

       183
       +
           if err != nil {

     

       184
       +
               return nil, fmt.Errorf("failed to sign service auth request: %w", err)

     

       185
       +
           }

     

       186
       +
       

     

       187
       +
           resp, err := c.httpClient.Post(endpoint, signedReq)

     

       188
       +
           if err != nil {

     

       189
       +
               return nil, fmt.Errorf("service auth request failed: %w", err)

     

       190
       +
           }

     

       191
       +
       

     

       192
       +
           return parseServiceAuthResponse(resp)

     

       193
       +
       }

     

       194
       +
       ```

     

       195
       +
       

     

       196
       +
       ### Phase 3: Federated Post Creation

     

       197
       +
       

     

       198
       +
       **File:** `internal/core/posts/service.go`

     

       199
       +
       

     

       200
       +
       ```go

     

       201
       +
       func (s *postService) createFederatedPost(ctx context.Context, community *communities.Community, req CreatePostRequest) (*CreatePostResponse, error) {

     

       202
       +
           // 1. Request service auth token from remote PDS

     

       203
       +
           token, err := s.serviceAuthClient.RequestServiceAuth(ctx, service_auth.ServiceAuthOptions{

     

       204
       +
               RemotePDSURL: community.PDSURL,

     

       205
       +
               CommunityDID: community.DID,

     

       206
       +
               UserDID:      req.AuthorDID,

     

       207
       +
               Method:       "social.coves.community.post.create",

     

       208
       +
               ExpiresIn:    300, // 5 minutes

     

       209
       +
           })

     

       210
       +
           if err != nil {

     

       211
       +
               // Handle specific errors

     

       212
       +
               if isUnauthorized(err) {

     

       213
       +
                   return nil, ErrNotAuthorizedRemote

     

       214
       +
               }

     

       215
       +
               if isBanned(err) {

     

       216
       +
                   return nil, ErrBannedRemote

     

       217
       +
               }

     

       218
       +
               return nil, fmt.Errorf("failed to obtain service auth: %w", err)

     

       219
       +
           }

     

       220
       +
       

     

       221
       +
           // 2. Build post record (same as local)

     

       222
       +
           postRecord := PostRecord{

     

       223
       +
               Type:      "social.coves.community.post",

     

       224
       +
               Community: community.DID,

     

       225
       +
               Author:    req.AuthorDID,

     

       226
       +
               Title:     req.Title,

     

       227
       +
               Content:   req.Content,

     

       228
       +
               // ... other fields ...

     

       229
       +
               CreatedAt: time.Now().UTC().Format(time.RFC3339),

     

       230
       +
           }

     

       231
       +
       

     

       232
       +
           // 3. Write to remote PDS using service auth token

     

       233
       +
           uri, cid, err := s.createPostOnRemotePDS(ctx, community.PDSURL, community.DID, postRecord, token.Token)

     

       234
       +
           if err != nil {

     

       235
       +
               return nil, fmt.Errorf("failed to write to remote PDS: %w", err)

     

       236
       +
           }

     

       237
       +
       

     

       238
       +
           log.Printf("[FEDERATION] User %s posted to remote community %s: %s",

     

       239
       +
               req.AuthorDID, community.DID, uri)

     

       240
       +
       

     

       241
       +
           return &CreatePostResponse{

     

       242
       +
               URI: uri,

     

       243
       +
               CID: cid,

     

       244
       +
           }, nil

     

       245
       +
       }

     

       246
       +
       

     

       247
       +
       func (s *postService) createPostOnRemotePDS(

     

       248
       +
           ctx context.Context,

     

       249
       +
           pdsURL string,

     

       250
       +
           communityDID string,

     

       251
       +
           record PostRecord,

     

       252
       +
           serviceAuthToken string,

     

       253
       +
       ) (uri, cid string, err error) {

     

       254
       +
           endpoint := fmt.Sprintf("%s/xrpc/com.atproto.repo.createRecord", pdsURL)

     

       255
       +
       

     

       256
       +
           payload := map[string]interface{}{

     

       257
       +
               "repo":       communityDID,

     

       258
       +
               "collection": "social.coves.community.post",

     

       259
       +
               "record":     record,

     

       260
       +
           }

     

       261
       +
       

     

       262
       +
           jsonData, _ := json.Marshal(payload)

     

       263
       +
           req, _ := http.NewRequestWithContext(ctx, "POST", endpoint, bytes.NewBuffer(jsonData))

     

       264
       +
       

     

       265
       +
           // Use service auth token instead of community credentials

     

       266
       +
           req.Header.Set("Authorization", "Bearer "+serviceAuthToken)

     

       267
       +
           req.Header.Set("Content-Type", "application/json")

     

       268
       +
       

     

       269
       +
           // ... execute request, parse response ...

     

       270
       +
           return uri, cid, nil

     

       271
       +
       }

     

       272
       +
       ```

     

       273
       +
       

     

       274
       +
       ### Phase 4: PDS Service Auth Validation (PDS Extension)

     

       275
       +
       

     

       276
       +
       **Note:** This requires extending the PDS. Options:

     

       277
       +
       1. Contribute to official atproto PDS

     

       278
       +
       2. Run modified PDS fork

     

       279
       +
       3. Use PDS middleware/proxy

     

       280
       +
       

     

       281
       +
       **Conceptual Implementation:**

     

       282
       +
       

     

       283
       +
       ```go

     

       284
       +
       // PDS validates service auth requests before issuing tokens

     

       285
       +
       func (h *ServiceAuthHandler) HandleGetServiceAuth(w http.ResponseWriter, r *http.Request) {

     

       286
       +
           var req ServiceAuthRequest

     

       287
       +
           json.NewDecoder(r.Body).Decode(&req)

     

       288
       +
       

     

       289
       +
           // 1. Verify requesting service is trusted

     

       290
       +
           requestingDID := extractDIDFromJWT(r.Header.Get("Authorization"))

     

       291
       +
           if !h.isTrustedInstance(requestingDID) {

     

       292
       +
               writeError(w, http.StatusForbidden, "UntrustedInstance", "Instance not in allowlist")

     

       293
       +
               return

     

       294
       +
           }

     

       295
       +
       

     

       296
       +
           // 2. Validate community exists on this PDS

     

       297
       +
           community, err := h.getCommunityByDID(req.Aud)

     

       298
       +
           if err != nil {

     

       299
       +
               writeError(w, http.StatusNotFound, "CommunityNotFound", "Community not hosted here")

     

       300
       +
               return

     

       301
       +
           }

     

       302
       +
       

     

       303
       +
           // 3. Check user not banned (query from AppView or local moderation records)

     

       304
       +
           if h.isUserBanned(req.UserDID, req.Aud) {

     

       305
       +
               writeError(w, http.StatusForbidden, "Banned", "User banned from community")

     

       306
       +
               return

     

       307
       +
           }

     

       308
       +
       

     

       309
       +
           // 4. Check community settings (allows remote posts?)

     

       310
       +
           if !community.AllowFederatedPosts {

     

       311
       +
               writeError(w, http.StatusForbidden, "FederationDisabled", "Community doesn't accept federated posts")

     

       312
       +
               return

     

       313
       +
           }

     

       314
       +
       

     

       315
       +
           // 5. Rate limiting (per user, per community, per instance)

     

       316
       +
           if h.exceedsRateLimit(req.UserDID, req.Aud, requestingDID) {

     

       317
       +
               writeError(w, http.StatusTooManyRequests, "RateLimited", "Too many requests")

     

       318
       +
               return

     

       319
       +
           }

     

       320
       +
       

     

       321
       +
           // 6. Generate scoped token

     

       322
       +
           token := h.issueServiceAuthToken(ServiceAuthTokenOptions{

     

       323
       +
               Audience:    req.Aud,           // Community DID

     

       324
       +
               Subject:     requestingDID,     // Requesting instance DID

     

       325
       +
               Method:      req.Lxm,           // Authorized method

     

       326
       +
               ExpiresAt:   time.Unix(req.Exp, 0),

     

       327
       +
               Scopes:      []string{"write:posts"},

     

       328
       +
           })

     

       329
       +
       

     

       330
       +
           json.NewEncoder(w).Encode(map[string]string{

     

       331
       +
               "token": token,

     

       332
       +
           })

     

       333
       +
       }

     

       334
       +
       ```

     

       335
       +
       

     

       336
       +
       ---

     

       337
       +
       

     

       338
       +
       ## Database Schema Changes

     

       339
       +
       

     

       340
       +
       ### New Table: `instance_federation`

     

       341
       +
       

     

       342
       +
       Tracks trusted instances and federation settings:

     

       343
       +
       

     

       344
       +
       ```sql

     

       345
       +
       CREATE TABLE instance_federation (

     

       346
       +
           id SERIAL PRIMARY KEY,

     

       347
       +
           instance_did TEXT NOT NULL UNIQUE,

     

       348
       +
           instance_domain TEXT NOT NULL,

     

       349
       +
           trust_level TEXT NOT NULL,  -- 'trusted', 'limited', 'blocked'

     

       350
       +
           allowed_methods TEXT[] NOT NULL DEFAULT '{}',

     

       351
       +
           rate_limit_posts_per_hour INTEGER NOT NULL DEFAULT 100,

     

       352
       +
           created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),

     

       353
       +
           updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),

     

       354
       +
           notes TEXT

     

       355
       +
       );

     

       356
       +
       

     

       357
       +
       CREATE INDEX idx_instance_federation_did ON instance_federation(instance_did);

     

       358
       +
       CREATE INDEX idx_instance_federation_trust ON instance_federation(trust_level);

     

       359
       +
       ```

     

       360
       +
       

     

       361
       +
       ### New Table: `federation_rate_limits`

     

       362
       +
       

     

       363
       +
       Track federated post rate limits:

     

       364
       +
       

     

       365
       +
       ```sql

     

       366
       +
       CREATE TABLE federation_rate_limits (

     

       367
       +
           id SERIAL PRIMARY KEY,

     

       368
       +
           user_did TEXT NOT NULL,

     

       369
       +
           community_did TEXT NOT NULL,

     

       370
       +
           instance_did TEXT NOT NULL,

     

       371
       +
           window_start TIMESTAMPTZ NOT NULL,

     

       372
       +
           post_count INTEGER NOT NULL DEFAULT 1,

     

       373
       +
           created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),

     

       374
       +
           updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),

     

       375
       +
       

     

       376
       +
           UNIQUE(user_did, community_did, instance_did, window_start)

     

       377
       +
       );

     

       378
       +
       

     

       379
       +
       CREATE INDEX idx_federation_rate_limits_lookup

     

       380
       +
           ON federation_rate_limits(user_did, community_did, instance_did, window_start);

     

       381
       +
       ```

     

       382
       +
       

     

       383
       +
       ### Update Table: `communities`

     

       384
       +
       

     

       385
       +
       Add federation settings:

     

       386
       +
       

     

       387
       +
       ```sql

     

       388
       +
       ALTER TABLE communities

     

       389
       +
       ADD COLUMN allow_federated_posts BOOLEAN NOT NULL DEFAULT true,

     

       390
       +
       ADD COLUMN federation_mode TEXT NOT NULL DEFAULT 'open';

     

       391
       +
       -- federation_mode: 'open' (any instance), 'allowlist' (trusted only), 'local' (no federation)

     

       392
       +
       ```

     

       393
       +
       

     

       394
       +
       ---

     

       395
       +
       

     

       396
       +
       ## Security Considerations

     

       397
       +
       

     

       398
       +
       ### 1. Instance Trust Model

     

       399
       +
       

     

       400
       +
       **Allowlist Approach (Beta):**

     

       401
       +
       - Manual approval of federated instances

     

       402
       +
       - Admin UI to manage instance trust levels

     

       403
       +
       - Default: block all, explicit allow

     

       404
       +
       

     

       405
       +
       **Trust Levels:**

     

       406
       +
       - `trusted` - Full federation, normal rate limits

     

       407
       +
       - `limited` - Federation allowed, strict rate limits

     

       408
       +
       - `blocked` - No federation

     

       409
       +
       

     

       410
       +
       ### 2. User Ban Synchronization

     

       411
       +
       

     

       412
       +
       **Challenge:** Remote instance needs to check local bans

     

       413
       +
       

     

       414
       +
       **Options:**

     

       415
       +
       1. **Service auth validation** - PDS queries AppView for ban status

     

       416
       +
       2. **Ban records in PDS** - Moderation records stored in community repo

     

       417
       +
       3. **Cached ban list** - Remote instances cache ban lists (with TTL)

     

       418
       +
       

     

       419
       +
       **Beta Approach:** Option 1 (service auth validation queries AppView)

     

       420
       +
       

     

       421
       +
       ### 3. Rate Limiting

     

       422
       +
       

     

       423
       +
       **Multi-level rate limits:**

     

       424
       +
       - Per user per community: 10 posts/hour

     

       425
       +
       - Per instance per community: 100 posts/hour

     

       426
       +
       - Per user across all communities: 50 posts/hour

     

       427
       +
       

     

       428
       +
       **Implementation:** In-memory + PostgreSQL for persistence

     

       429
       +
       

     

       430
       +
       ### 4. Content Validation

     

       431
       +
       

     

       432
       +
       **Same validation as local posts:**

     

       433
       +
       - Lexicon validation

     

       434
       +
       - Content length limits

     

       435
       +
       - Embed validation

     

       436
       +
       - Label validation

     

       437
       +
       

     

       438
       +
       **Additional federation checks:**

     

       439
       +
       - Verify author DID is valid

     

       440
       +
       - Verify requesting instance signature

     

       441
       +
       - Verify token scopes match operation

     

       442
       +
       

     

       443
       +
       ---

     

       444
       +
       

     

       445
       +
       ## API Changes

     

       446
       +
       

     

       447
       +
       ### New Endpoint: `social.coves.federation.getTrustedInstances`

     

       448
       +
       

     

       449
       +
       **Purpose:** List instances this instance federates with

     

       450
       +
       

     

       451
       +
       **Lexicon:**

     

       452
       +
       ```json

     

       453
       +
       {

     

       454
       +
         "lexicon": 1,

     

       455
       +
         "id": "social.coves.federation.getTrustedInstances",

     

       456
       +
         "defs": {

     

       457
       +
           "main": {

     

       458
       +
             "type": "query",

     

       459
       +
             "output": {

     

       460
       +
               "encoding": "application/json",

     

       461
       +
               "schema": {

     

       462
       +
                 "type": "object",

     

       463
       +
                 "required": ["instances"],

     

       464
       +
                 "properties": {

     

       465
       +
                   "instances": {

     

       466
       +
                     "type": "array",

     

       467
       +
                     "items": { "$ref": "#instanceView" }

     

       468
       +
                   }

     

       469
       +
                 }

     

       470
       +
               }

     

       471
       +
             }

     

       472
       +
           },

     

       473
       +
           "instanceView": {

     

       474
       +
             "type": "object",

     

       475
       +
             "required": ["did", "domain", "trustLevel"],

     

       476
       +
             "properties": {

     

       477
       +
               "did": { "type": "string" },

     

       478
       +
               "domain": { "type": "string" },

     

       479
       +
               "trustLevel": { "type": "string" },

     

       480
       +
               "allowedMethods": { "type": "array", "items": { "type": "string" } }

     

       481
       +
             }

     

       482
       +
           }

     

       483
       +
         }

     

       484
       +
       }

     

       485
       +
       ```

     

       486
       +
       

     

       487
       +
       ### Modified Endpoint: `social.coves.community.post.create`

     

       488
       +
       

     

       489
       +
       **Changes:**

     

       490
       +
       - No API contract changes

     

       491
       +
       - Internal routing: local vs federated

     

       492
       +
       - New error codes:

     

       493
       +
         - `FederationFailed` - Remote instance unreachable

     

       494
       +
         - `RemoteNotAuthorized` - Remote instance rejected auth

     

       495
       +
         - `RemoteBanned` - User banned on remote community

     

       496
       +
       

     

       497
       +
       ---

     

       498
       +
       

     

       499
       +
       ## User Experience

     

       500
       +
       

     

       501
       +
       ### Happy Path: Cross-Instance Post

     

       502
       +
       

     

       503
       +
       1. User on coves.social navigates to !gaming@covesinstance.com

     

       504
       +
       2. Clicks "Create Post"

     

       505
       +
       3. Fills out post form (title, content, etc.)

     

       506
       +
       4. Clicks "Submit"

     

       507
       +
       5. **Behind the scenes:**

     

       508
       +
          - coves.social requests service auth from covesinstance.com

     

       509
       +
          - covesinstance.com validates and issues token

     

       510
       +
          - coves.social writes post using token

     

       511
       +
          - Post appears in feed within seconds (via firehose)

     

       512
       +
       6. **User sees:** Post published successfully

     

       513
       +
       7. Post appears in:

     

       514
       +
          - covesinstance.com feeds (native community)

     

       515
       +
          - coves.social discover/all feeds (indexed via firehose)

     

       516
       +
          - User's profile on coves.social

     

       517
       +
       

     

       518
       +
       ### Error Cases

     

       519
       +
       

     

       520
       +
       **User Banned:**

     

       521
       +
       - Error: "You are banned from !gaming@covesinstance.com"

     

       522
       +
       - Suggestion: "Contact community moderators for more information"

     

       523
       +
       

     

       524
       +
       **Instance Blocked:**

     

       525
       +
       - Error: "This community does not accept posts from your instance"

     

       526
       +
       - Suggestion: "Contact community administrators or create a local account"

     

       527
       +
       

     

       528
       +
       **Federation Unavailable:**

     

       529
       +
       - Error: "Unable to connect to covesinstance.com. Try again later."

     

       530
       +
       - Fallback: Allow saving as draft (future feature)

     

       531
       +
       

     

       532
       +
       **Rate Limited:**

     

       533
       +
       - Error: "You're posting too quickly. Please wait before posting again."

     

       534
       +
       - Show: Countdown until next post allowed

     

       535
       +
       

     

       536
       +
       ---

     

       537
       +
       

     

       538
       +
       ## Testing Requirements

     

       539
       +
       

     

       540
       +
       ### Unit Tests

     

       541
       +
       

     

       542
       +
       1. **Service Detection:**

     

       543
       +
          - `isLocalCommunity()` correctly identifies local vs remote

     

       544
       +
          - Handles edge cases (different ports, subdomains)

     

       545
       +
       

     

       546
       +
       2. **Service Auth Client:**

     

       547
       +
          - Correctly formats service auth requests

     

       548
       +
          - Handles token expiration

     

       549
       +
          - Retries on transient failures

     

       550
       +
       

     

       551
       +
       3. **Federated Post Creation:**

     

       552
       +
          - Uses service auth token instead of community credentials

     

       553
       +
          - Falls back gracefully on errors

     

       554
       +
          - Logs federation events

     

       555
       +
       

     

       556
       +
       ### Integration Tests

     

       557
       +
       

     

       558
       +
       1. **Local Post (Regression):**

     

       559
       +
          - Posting to local community still works

     

       560
       +
          - No performance degradation

     

       561
       +
       

     

       562
       +
       2. **Federated Post:**

     

       563
       +
          - User can post to remote community

     

       564
       +
          - Service auth token requested correctly

     

       565
       +
          - Post written to remote PDS

     

       566
       +
          - Post indexed by both AppViews

     

       567
       +
       

     

       568
       +
       3. **Authorization Failures:**

     

       569
       +
          - Banned users rejected at service auth stage

     

       570
       +
          - Untrusted instances rejected

     

       571
       +
          - Expired tokens rejected

     

       572
       +
       

     

       573
       +
       4. **Rate Limiting:**

     

       574
       +
          - Per-user rate limits enforced

     

       575
       +
          - Per-instance rate limits enforced

     

       576
       +
          - Rate limit resets correctly

     

       577
       +
       

     

       578
       +
       ### End-to-End Tests

     

       579
       +
       

     

       580
       +
       1. **Cross-Instance User Journey:**

     

       581
       +
          - Set up two instances (instance-a, instance-b)

     

       582
       +
          - Create community on instance-b

     

       583
       +
          - User on instance-a posts to instance-b community

     

       584
       +
          - Verify post appears on both instances

     

       585
       +
       

     

       586
       +
       2. **Moderation Enforcement:**

     

       587
       +
          - Ban user on remote instance

     

       588
       +
          - Verify user can't post from any instance

     

       589
       +
          - Unban user

     

       590
       +
          - Verify user can post again

     

       591
       +
       

     

       592
       +
       3. **Instance Blocklist:**

     

       593
       +
          - Block instance-a on instance-b

     

       594
       +
          - Verify users from instance-a can't post to instance-b communities

     

       595
       +
          - Unblock instance-a

     

       596
       +
          - Verify posting works again

     

       597
       +
       

     

       598
       +
       ---

     

       599
       +
       

     

       600
       +
       ## Migration Path (Alpha → Beta)

     

       601
       +
       

     

       602
       +
       ### Phase 1: Backend Implementation (No User Impact)

     

       603
       +
       1. Add service auth client

     

       604
       +
       2. Add local vs remote detection

     

       605
       +
       3. Deploy with feature flag `ENABLE_FEDERATION=false`

     

       606
       +
       

     

       607
       +
       ### Phase 2: Database Migration

     

       608
       +
       1. Add federation tables

     

       609
       +
       2. Seed with initial trusted instances (manual)

     

       610
       +
       3. Add community federation flags (default: allow)

     

       611
       +
       

     

       612
       +
       ### Phase 3: Soft Launch

     

       613
       +
       1. Enable federation for single test instance

     

       614
       +
       2. Monitor service auth requests/errors

     

       615
       +
       3. Validate rate limiting works

     

       616
       +
       

     

       617
       +
       ### Phase 4: Beta Rollout

     

       618
       +
       1. Enable `ENABLE_FEDERATION=true` for all instances

     

       619
       +
       2. Admin UI for managing trusted instances

     

       620
       +
       3. Community settings for federation preferences

     

       621
       +
       

     

       622
       +
       ### Phase 5: Documentation & Onboarding

     

       623
       +
       1. Instance operator guide: "How to federate with other instances"

     

       624
       +
       2. Community moderator guide: "Federation settings"

     

       625
       +
       3. User guide: "Posting across instances"

     

       626
       +
       

     

       627
       +
       ---

     

       628
       +
       

     

       629
       +
       ## Metrics & Success Criteria

     

       630
       +
       

     

       631
       +
       ### Performance Metrics

     

       632
       +
       - Service auth request latency: p95 < 200ms

     

       633
       +
       - Federated post creation time: p95 < 2 seconds (vs 500ms local)

     

       634
       +
       - Service auth token cache hit rate: > 80%

     

       635
       +
       

     

       636
       +
       ### Adoption Metrics

     

       637
       +
       - % of posts that are federated: Target 20% by end of Beta

     

       638
       +
       - Number of federated instances: Target 5+ by end of Beta

     

       639
       +
       - Cross-instance engagement (comments, votes): Monitor trend

     

       640
       +
       

     

       641
       +
       ### Reliability Metrics

     

       642
       +
       - Service auth success rate: > 99%

     

       643
       +
       - Federated post success rate: > 95%

     

       644
       +
       - Service auth token validation errors: < 1%

     

       645
       +
       

     

       646
       +
       ### Security Metrics

     

       647
       +
       - Unauthorized access attempts: Monitor & alert

     

       648
       +
       - Rate limit triggers: Track per instance

     

       649
       +
       - Ban evasion attempts: Zero tolerance

     

       650
       +
       

     

       651
       +
       ---

     

       652
       +
       

     

       653
       +
       ## Rollback Plan

     

       654
       +
       

     

       655
       +
       If federation causes critical issues:

     

       656
       +
       

     

       657
       +
       1. **Immediate:** Set `ENABLE_FEDERATION=false` via env var

     

       658
       +
       2. **Fallback:** All posts route through local-only flow

     

       659
       +
       3. **Investigation:** Review logs for service auth failures

     

       660
       +
       4. **Fix Forward:** Deploy patch, re-enable gradually

     

       661
       +
       

     

       662
       +
       **No data loss:** Posts are written to PDS, indexed via firehose regardless of federation method.

     

       663
       +
       

     

       664
       +
       ---

     

       665
       +
       

     

       666
       +
       ## Open Questions

     

       667
       +
       

     

       668
       +
       1. **Instance Discovery:** How do users find communities on other instances?

     

       669
       +
          - Beta: Manual (users share links)

     

       670
       +
          - Future: Instance directory, community search across instances

     

       671
       +
       

     

       672
       +
       2. **Service Auth Token Caching:** Should AppViews cache service auth tokens?

     

       673
       +
          - Pros: Reduce latency, fewer PDS requests

     

       674
       +
          - Cons: Stale permissions, ban enforcement delay

     

       675
       +
          - **Decision needed:** Cache with short TTL (5 minutes)?

     

       676
       +
       

     

       677
       +
       3. **PDS Implementation:** Who implements service auth validation?

     

       678
       +
          - Option A: Contribute to official PDS (long timeline)

     

       679
       +
          - Option B: Run forked PDS (maintenance burden)

     

       680
       +
          - Option C: Proxy/middleware (added complexity)

     

       681
       +
          - **Decision needed:** Start with Option B, migrate to Option A?

     

       682
       +
       

     

       683
       +
       4. **Federation Symmetry:** If instance-a trusts instance-b, does instance-b auto-trust instance-a?

     

       684
       +
          - Beta: No (asymmetric trust)

     

       685
       +
          - Future: Mutual federation agreements?

     

       686
       +
       

     

       687
       +
       5. **Cross-Instance Moderation:** Should bans propagate across instances?

     

       688
       +
          - Beta: No (each instance decides)

     

       689
       +
          - Future: Shared moderation lists?

     

       690
       +
       

     

       691
       +
       ---

     

       692
       +
       

     

       693
       +
       ## Future Enhancements (Post-Beta)

     

       694
       +
       

     

       695
       +
       1. **Service Auth Token Caching:** Reduce latency for frequent posters

     

       696
       +
       2. **Batch Service Auth:** Request tokens for multiple communities at once

     

       697
       +
       3. **Instance Discovery API:** Automatic instance detection/registration

     

       698
       +
       4. **Federation Analytics:** Dashboard showing cross-instance activity

     

       699
       +
       5. **Moderation Sync:** Optional shared ban lists across trusted instances

     

       700
       +
       6. **Content Mirroring:** Cache federated posts locally for performance

     

       701
       +
       7. **User Migration:** Transfer account between instances

     

       702
       +
       

     

       703
       +
       ---

     

       704
       +
       

     

       705
       +
       ## Resources

     

       706
       +
       

     

       707
       +
       ### Documentation

     

       708
       +
       - [atProto Service Auth Spec](https://atproto.com/specs/service-auth) (hypothetical - check actual docs)

     

       709
       +
       - Lemmy Federation Architecture

     

       710
       +
       - Mastodon Federation Implementation

     

       711
       +
       

     

       712
       +
       ### Code References

     

       713
       +
       - `internal/core/posts/service.go` - Post creation service

     

       714
       +
       - `internal/api/handlers/post/create.go` - Post creation handler

     

       715
       +
       - `internal/atproto/jetstream/` - Firehose consumers

     

       716
       +
       

     

       717
       +
       ### Dependencies

     

       718
       +
       - atproto SDK (for service auth)

     

       719
       +
       - PDS v0.4+ (service auth support)

     

       720
       +
       - PostgreSQL 14+ (for federation tables)

     

       721
       +
       

     

       722
       +
       ---

     

       723
       +
       

     

       724
       +
       ## Appendix A: Service Auth Request Example

     

       725
       +
       

     

       726
       +
       **Request to Remote PDS:**

     

       727
       +
       ```http

     

       728
       +
       POST https://covesinstance.com/xrpc/com.atproto.server.getServiceAuth

     

       729
       +
       Authorization: Bearer {coves-social-instance-jwt}

     

       730
       +
       Content-Type: application/json

     

       731
       +
       

     

       732
       +
       {

     

       733
       +
         "aud": "did:plc:community123",

     

       734
       +
         "exp": 1700000000,

     

       735
       +
         "lxm": "social.coves.community.post.create"

     

       736
       +
       }

     

       737
       +
       ```

     

       738
       +
       

     

       739
       +
       **Response:**

     

       740
       +
       ```http

     

       741
       +
       HTTP/1.1 200 OK

     

       742
       +
       Content-Type: application/json

     

       743
       +
       

     

       744
       +
       {

     

       745
       +
         "token": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9..."

     

       746
       +
       }

     

       747
       +
       ```

     

       748
       +
       

     

       749
       +
       **Using Token to Create Post:**

     

       750
       +
       ```http

     

       751
       +
       POST https://covesinstance.com/xrpc/com.atproto.repo.createRecord

     

       752
       +
       Authorization: Bearer {service-auth-token}

     

       753
       +
       Content-Type: application/json

     

       754
       +
       

     

       755
       +
       {

     

       756
       +
         "repo": "did:plc:community123",

     

       757
       +
         "collection": "social.coves.community.post",

     

       758
       +
         "record": {

     

       759
       +
           "$type": "social.coves.community.post",

     

       760
       +
           "community": "did:plc:community123",

     

       761
       +
           "author": "did:plc:user456",

     

       762
       +
           "title": "Hello from coves.social!",

     

       763
       +
           "content": "This is a federated post",

     

       764
       +
           "createdAt": "2024-11-16T12:00:00Z"

     

       765
       +
         }

     

       766
       +
       }

     

       767
       +
       ```

     

       768
       +
       

     

       769
       +
       ---

     

       770
       +
       

     

       771
       +
       ## Appendix B: Error Handling Matrix

     

       772
       +
       

     

       773
       +
       | Error Condition | HTTP Status | Error Code | User Message | Retry Strategy |

     

       774
       +
       |----------------|-------------|------------|--------------|----------------|

     

       775
       +
       | Instance not trusted | 403 | `UntrustedInstance` | "This community doesn't accept posts from your instance" | No retry |

     

       776
       +
       | User banned | 403 | `Banned` | "You are banned from this community" | No retry |

     

       777
       +
       | Rate limit exceeded | 429 | `RateLimited` | "Too many posts. Try again in X minutes" | Exponential backoff |

     

       778
       +
       | PDS unreachable | 503 | `ServiceUnavailable` | "Community temporarily unavailable" | Retry 3x with backoff |

     

       779
       +
       | Invalid token | 401 | `InvalidToken` | "Session expired. Please try again" | Refresh token & retry |

     

       780
       +
       | Community not found | 404 | `CommunityNotFound` | "Community not found" | No retry |

     

       781
       +
       | Service auth failed | 500 | `FederationFailed` | "Unable to connect. Try again later" | Retry 2x |

     

       782
       +
       

     

       783
       +
       ---

     

       784
       +
       

     

       785
       +
       **End of PRD**

+130 -28

docs/PRD_ALPHA_GO_LIVE.md

···

       7
        
       ## 🎯 Major Progress Update

     

       8
        
       

     

       9
        
       **✅ ALL E2E TESTS COMPLETE!** (Completed 2025-11-16)

     

       0
        
       
     

       10
        
       

     

       11
        
       All 6 critical E2E test suites have been implemented and are passing:

     

       12
        
       - ✅ Full User Journey (signup → community → post → comment → vote)

     
···

       19
        
       **Time Saved**: ~7-12 hours through parallel agent implementation

     

       20
        
       **Test Quality**: Enhanced with comprehensive database record verification to catch race conditions

     

       21
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       22
        
       ## Overview

     

       23
        
       

     

       24
        
       This document tracks the remaining work required to launch Coves alpha with real users. Focus is on critical functionality, security, and operational readiness.

     
···

       29
        
       

     

       30
        
       ### 1. Authentication & Security

     

       31
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       32
        
       #### JWT Signature Verification (Production Mode)

     

       33
       -
       - [ ] Test with production PDS at `pds.bretton.dev`

     

       34
       -
         - [ ] Create test account on production PDS

     

       35
       -
         - [ ] Verify JWKS endpoint is accessible

     

       36
        
         - [ ] Run `TestJWTSignatureVerification` against production PDS

     

       37
        
         - [ ] Confirm signature verification succeeds

     

       38
       -
         - [ ] Test token refresh flow

     

       39
        
       - [ ] Set `AUTH_SKIP_VERIFY=false` in production environment

     

       40
        
       - [ ] Verify all auth middleware tests pass with verification enabled

     

       41
       -
       - [ ] Document production PDS requirements for communities

     

       42
       -
       

     

       43
       -
       **Estimated Effort**: 2-3 hours

     

       44
       -
       **Risk**: Medium (code implemented, needs validation)

     

       45
       -
       

     

       46
       -
       #### did:web Verification

     

       47
       -
       - [ ] Complete did:web domain verification implementation

     

       48
       -
       - [ ] Test with real did:web identities

     

       49
       -
       - [ ] Add security logging for verification failures

     

       50
       -
       - [ ] Set `SKIP_DID_WEB_VERIFICATION=false` for production

     

       51
        
       

     

       52
        
       **Estimated Effort**: 2-3 hours

     

       53
       -
       **Risk**: Medium

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       54
        
       

     

       55
        
       ### 2. DPoP Token Architecture Fix

     

       56
        
       

     
···

       172
        
         - [ ] Common issues and fixes

     

       173
        
         - [ ] Emergency procedures (PDS down, database down, etc.)

     

       174
        
       - [ ] Create production environment checklist

     

       175
       -
         - [ ] All environment variables set

     

       176
       -
         - [ ] `AUTH_SKIP_VERIFY=false`

     

       177
       -
         - [ ] `SKIP_DID_WEB_VERIFICATION=false`

     

       178
       -
         - [ ] Database migrations applied

     

       179
       -
         - [ ] PDS connectivity verified

     

       180
       -
         - [ ] JWKS caching working

     

       181
       -
         - [ ] Jetstream consumers running

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       182
        
         - [ ] Monitoring and alerting active

     

       183
        
       

     

       184
        
       **Estimated Effort**: 6-8 hours

     
···

       342
        
       ## Timeline Estimate

     

       343
        
       

     

       344
        
       ### Week 1: Critical Blockers (P0)

     

       345
       -
       - **Days 1-2**: Authentication (JWT + did:web verification)

     

       0
        
       
     

       0
        
       
     

       346
        
       - **Day 3**: DPoP token architecture fix

     

       347
        
       - ~~**Day 4**: Handle resolution + comment count reconciliation~~ ✅ **COMPLETED**

     

       348
        
       - **Day 4-5**: Testing and bug fixes

     

       349
        
       

     

       350
       -
       **Total**: 15-20 hours (reduced from 20-25 due to completed items)

     

       351
        
       

     

       352
        
       ### Week 2: Production Infrastructure (P1)

     

       353
        
       - **Days 6-7**: Monitoring + structured logging

     
···

       363
        
       

     

       364
        
       **Total**: ~~20-25 hours~~ → **13 hours actual** (E2E tests) + 7-12 hours remaining (load testing, polish)

     

       365
        
       

     

       366
       -
       **Grand Total: ~~65-80 hours~~ → 50-65 hours remaining (approximately 1.5-2 weeks full-time)**

     

       367
       -
       *(Originally 70-85 hours. Reduced by completed items: handle resolution, comment count reconciliation, and ALL E2E tests)*

     

       368
        
       

     

       369
        
       **✅ Progress Update**: E2E testing section COMPLETE ahead of schedule - saved ~7-12 hours through parallel agent implementation

     

       370
        
       

     
···

       377
        
       - [ ] All P0 blockers resolved

     

       378
        
         - ✅ Handle resolution (COMPLETE)

     

       379
        
         - ✅ Comment count reconciliation (COMPLETE)

     

       0
        
       
     

       0
        
       
     

       380
        
         - [ ] JWT signature verification working with production PDS

     

       381
        
         - [ ] DPoP architecture fix implemented

     

       382
       -
         - [ ] did:web verification complete

     

       383
        
       - [ ] Subscriptions/blocking work via client-write pattern

     

       384
        
       - [x] **All integration tests passing** ✅

     

       385
        
       - [x] **E2E user journey test passing** ✅

     
···

       461
        
       11. [ ] Go/no-go decision

     

       462
        
       12. [ ] Launch! 🚀

     

       463
        
       

     

       464
       -
       **🎉 Major Milestone**: All E2E tests complete! Test coverage now includes full user journey, blob uploads, concurrent operations, rate limiting, and error recovery.

     

       0
        
       
     

       0

···

       7
        
       ## 🎯 Major Progress Update

     

       8
        
       

     

       9
        
       **✅ ALL E2E TESTS COMPLETE!** (Completed 2025-11-16)

     

       10
       +
       **✅ BIDIRECTIONAL DID VERIFICATION COMPLETE!** (Completed 2025-11-16)

     

       11
        
       

     

       12
        
       All 6 critical E2E test suites have been implemented and are passing:

     

       13
        
       - ✅ Full User Journey (signup → community → post → comment → vote)

     
···

       20
        
       **Time Saved**: ~7-12 hours through parallel agent implementation

     

       21
        
       **Test Quality**: Enhanced with comprehensive database record verification to catch race conditions

     

       22
        
       

     

       23
       +
       ### Production Deployment Requirements

     

       24
       +
       

     

       25
       +
       **Architecture**:

     

       26
       +
       - **AppView Domain**: coves.social (instance identity, API, frontend)

     

       27
       +
       - **PDS Domain**: coves.me (separate domain required - cannot be same as AppView)

     

       28
       +
       - **Community Handles**: Use @coves.social (AppView domain)

     

       29
       +
       - **Jetstream**: Connects to Bluesky's production firehose (wss://jetstream2.us-east.bsky.network)

     

       30
       +
       

     

       31
       +
       **Required: .well-known/did.json at coves.social**:

     

       32
       +
       ```json

     

       33
       +
       {

     

       34
       +
         "id": "did:web:coves.social",

     

       35
       +
         "alsoKnownAs": ["at://coves.social"],

     

       36
       +
         "verificationMethod": [

     

       37
       +
           {

     

       38
       +
             "id": "did:web:coves.social#atproto",

     

       39
       +
             "type": "Multikey",

     

       40
       +
             "controller": "did:web:coves.social",

     

       41
       +
             "publicKeyMultibase": "z..."

     

       42
       +
           }

     

       43
       +
         ],

     

       44
       +
         "service": [

     

       45
       +
           {

     

       46
       +
             "id": "#atproto_pds",

     

       47
       +
             "type": "AtprotoPersonalDataServer",

     

       48
       +
             "serviceEndpoint": "https://coves.me"

     

       49
       +
           }

     

       50
       +
         ]

     

       51
       +
       }

     

       52
       +
       ```

     

       53
       +
       

     

       54
       +
       **Environment Variables**:

     

       55
       +
       - AppView:

     

       56
       +
         - `INSTANCE_DID=did:web:coves.social`

     

       57
       +
         - `INSTANCE_DOMAIN=coves.social`

     

       58
       +
         - `PDS_URL=https://coves.me` (separate domain)

     

       59
       +
         - `SKIP_DID_WEB_VERIFICATION=false` (production)

     

       60
       +
         - `JETSTREAM_URL=wss://jetstream2.us-east.bsky.network/subscribe`

     

       61
       +
       

     

       62
       +
       **Verification**:

     

       63
       +
       - `curl https://coves.social/.well-known/did.json` (should return DID document)

     

       64
       +
       - `curl https://coves.me/xrpc/_health` (PDS health check)

     

       65
       +
       

     

       66
        
       ## Overview

     

       67
        
       

     

       68
        
       This document tracks the remaining work required to launch Coves alpha with real users. Focus is on critical functionality, security, and operational readiness.

     
···

       73
        
       

     

       74
        
       ### 1. Authentication & Security

     

       75
        
       

     

       76
       +
       #### Production PDS Deployment

     

       77
       +
       **CRITICAL**: PDS must be on separate domain from AppView (coves.me, not coves.social)

     

       78
       +
       

     

       79
       +
       - [ ] Deploy PDS to coves.me domain

     

       80
       +
         - [ ] Set up DNS: A record for coves.me → server IP

     

       81
       +
         - [ ] Configure SSL certificate for coves.me

     

       82
       +
         - [ ] Deploy PDS container/service on port 2583

     

       83
       +
         - [ ] Configure nginx/Caddy reverse proxy for coves.me → localhost:2583

     

       84
       +
         - [ ] Set PDS_HOSTNAME=coves.me in PDS environment

     

       85
       +
         - [ ] Mount persistent volume for PDS data (/pds/data)

     

       86
       +
       - [ ] Verify PDS connectivity

     

       87
       +
         - [ ] Test: `curl https://coves.me/xrpc/_health`

     

       88
       +
         - [ ] Create test community account on PDS

     

       89
       +
         - [ ] Verify JWKS endpoint: `curl https://coves.me/.well-known/jwks.json`

     

       90
       +
         - [ ] Test community account token provisioning

     

       91
       +
       - [ ] Configure AppView to use production PDS

     

       92
       +
         - [ ] Set `PDS_URL=https://coves.me` in AppView .env

     

       93
       +
         - [ ] Test community creation flow (provisions account on coves.me)

     

       94
       +
         - [ ] Verify account provisioning works end-to-end

     

       95
       +
       

     

       96
       +
       **Important**: Jetstream connects to Bluesky's production firehose, which automatically includes events from all production PDS instances (including coves.me once it's live)

     

       97
       +
       

     

       98
       +
       **Estimated Effort**: 4-6 hours

     

       99
       +
       **Risk**: Medium (infrastructure setup, DNS propagation)

     

       100
       +
       

     

       101
        
       #### JWT Signature Verification (Production Mode)

     

       102
       +
       - [ ] Test with production PDS at coves.me

     

       103
       +
         - [ ] Verify JWKS endpoint is accessible: `https://coves.me/.well-known/jwks.json`

     

       0
        
       
     

       104
        
         - [ ] Run `TestJWTSignatureVerification` against production PDS

     

       105
        
         - [ ] Confirm signature verification succeeds

     

       106
       +
         - [ ] Test token refresh flow for community accounts

     

       107
        
       - [ ] Set `AUTH_SKIP_VERIFY=false` in production environment

     

       108
        
       - [ ] Verify all auth middleware tests pass with verification enabled

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       109
        
       

     

       110
        
       **Estimated Effort**: 2-3 hours

     

       111
       +
       **Risk**: Low (depends on PDS deployment)

     

       112
       +
       

     

       113
       +
       #### did:web Verification ✅ COMPLETE

     

       114
       +
       - [x] Complete did:web domain verification implementation (2025-11-16)

     

       115
       +
       - [x] Implement Bluesky-compatible bidirectional verification

     

       116
       +
       - [x] Add alsoKnownAs field verification in DID documents

     

       117
       +
       - [x] Add security logging for verification failures

     

       118
       +
       - [x] Update cache TTL to 24h (matches Bluesky recommendations)

     

       119
       +
       - [x] Comprehensive test coverage with mock HTTP servers

     

       120
       +
       - [ ] Set `SKIP_DID_WEB_VERIFICATION=false` for production (dev default: true)

     

       121
       +
       - [ ] Deploy `.well-known/did.json` to production domain

     

       122
       +
       

     

       123
       +
       **Implementation Details**:

     

       124
       +
       - **Location**: [internal/atproto/jetstream/community_consumer.go](../internal/atproto/jetstream/community_consumer.go)

     

       125
       +
       - **Verification Flow**: Domain matching + DID document fetch + alsoKnownAs validation

     

       126
       +
       - **Security Model**: Matches Bluesky (DNS/HTTPS authority + bidirectional binding)

     

       127
       +
       - **Performance**: Bounded LRU cache (1000 entries), rate limiting (10 req/s), 24h TTL

     

       128
       +
       - **Impact**: AppView indexing and federation trust (not community creation API)

     

       129
       +
       - **Tests**: `tests/integration/community_hostedby_security_test.go`

     

       130
       +
       

     

       131
       +
       **Actual Effort**: 3 hours (implementation + testing)

     

       132
       +
       **Risk**: ✅ Low (complete and tested)

     

       133
        
       

     

       134
        
       ### 2. DPoP Token Architecture Fix

     

       135
        
       

     
···

       251
        
         - [ ] Common issues and fixes

     

       252
        
         - [ ] Emergency procedures (PDS down, database down, etc.)

     

       253
        
       - [ ] Create production environment checklist

     

       254
       +
         - [ ] **Domain Setup**

     

       255
       +
           - [ ] AppView domain (coves.social) DNS configured

     

       256
       +
           - [ ] PDS domain (coves.me) DNS configured - MUST be separate domain

     

       257
       +
           - [ ] SSL certificates for both domains

     

       258
       +
           - [ ] Nginx/Caddy reverse proxy configured for both domains

     

       259
       +
         - [ ] **AppView Environment Variables**

     

       260
       +
           - [ ] `INSTANCE_DID=did:web:coves.social`

     

       261
       +
           - [ ] `INSTANCE_DOMAIN=coves.social`

     

       262
       +
           - [ ] `PDS_URL=https://coves.me` (separate domain)

     

       263
       +
           - [ ] `AUTH_SKIP_VERIFY=false`

     

       264
       +
           - [ ] `SKIP_DID_WEB_VERIFICATION=false`

     

       265
       +
           - [ ] `JETSTREAM_URL=wss://jetstream2.us-east.bsky.network/subscribe`

     

       266
       +
         - [ ] **PDS Environment Variables**

     

       267
       +
           - [ ] `PDS_HOSTNAME=coves.me`

     

       268
       +
           - [ ] `PDS_PORT=2583`

     

       269
       +
           - [ ] Persistent storage mounted

     

       270
       +
         - [ ] **Deployment Verification**

     

       271
       +
           - [ ] Deploy `.well-known/did.json` to coves.social with `serviceEndpoint: https://coves.me`

     

       272
       +
           - [ ] Verify: `curl https://coves.social/.well-known/did.json`

     

       273
       +
           - [ ] Verify: `curl https://coves.me/xrpc/_health`

     

       274
       +
           - [ ] Database migrations applied

     

       275
       +
           - [ ] PDS connectivity verified from AppView

     

       276
       +
           - [ ] JWKS caching working

     

       277
       +
           - [ ] Jetstream consumer connected to Bluesky production firehose

     

       278
       +
           - [ ] Test community creation end-to-end

     

       279
        
         - [ ] Monitoring and alerting active

     

       280
        
       

     

       281
        
       **Estimated Effort**: 6-8 hours

     
···

       439
        
       ## Timeline Estimate

     

       440
        
       

     

       441
        
       ### Week 1: Critical Blockers (P0)

     

       442
       +
       - ~~**Days 1-2**: Authentication (JWT + did:web verification)~~ ✅ **did:web COMPLETED**

     

       443
       +
       - **Day 1**: Production PDS deployment (coves.me domain setup)

     

       444
       +
       - **Day 2**: JWT signature verification with production PDS

     

       445
        
       - **Day 3**: DPoP token architecture fix

     

       446
        
       - ~~**Day 4**: Handle resolution + comment count reconciliation~~ ✅ **COMPLETED**

     

       447
        
       - **Day 4-5**: Testing and bug fixes

     

       448
        
       

     

       449
       +
       **Total**: 16-23 hours (added 4-6 hours for PDS deployment, reduced from original due to did:web completion)

     

       450
        
       

     

       451
        
       ### Week 2: Production Infrastructure (P1)

     

       452
        
       - **Days 6-7**: Monitoring + structured logging

     
···

       462
        
       

     

       463
        
       **Total**: ~~20-25 hours~~ → **13 hours actual** (E2E tests) + 7-12 hours remaining (load testing, polish)

     

       464
        
       

     

       465
       +
       **Grand Total: ~~65-80 hours~~ → 51-68 hours remaining (approximately 1.5-2 weeks full-time)**

     

       466
       +
       *(Originally 70-85 hours. Adjusted for: +4-6 hours PDS deployment, -3 hours did:web completion, -13 hours E2E tests completion, -4 hours handle resolution and comment reconciliation)*

     

       467
        
       

     

       468
        
       **✅ Progress Update**: E2E testing section COMPLETE ahead of schedule - saved ~7-12 hours through parallel agent implementation

     

       469
        
       

     
···

       476
        
       - [ ] All P0 blockers resolved

     

       477
        
         - ✅ Handle resolution (COMPLETE)

     

       478
        
         - ✅ Comment count reconciliation (COMPLETE)

     

       479
       +
         - ✅ did:web verification (COMPLETE - needs production deployment)

     

       480
       +
         - [ ] Production PDS deployed to coves.me (separate domain)

     

       481
        
         - [ ] JWT signature verification working with production PDS

     

       482
        
         - [ ] DPoP architecture fix implemented

     

       0
        
       
     

       483
        
       - [ ] Subscriptions/blocking work via client-write pattern

     

       484
        
       - [x] **All integration tests passing** ✅

     

       485
        
       - [x] **E2E user journey test passing** ✅

     
···

       561
        
       11. [ ] Go/no-go decision

     

       562
        
       12. [ ] Launch! 🚀

     

       563
        
       

     

       564
       +
       **🎉 Major Milestones**:

     

       565
       +
       - All E2E tests complete! Test coverage now includes full user journey, blob uploads, concurrent operations, rate limiting, and error recovery.

     

       566
       +
       - Bidirectional DID verification complete! Bluesky-compatible security model with alsoKnownAs validation, 24h cache TTL, and comprehensive test coverage.

+19 -16

docs/PRD_BACKLOG.md

···

       295
        
       

     

       296
        
       ---

     

       297
        
       

     

       298
       -
       ### did:web Domain Verification & hostedByDID Auto-Population

     

       299
       -
       **Added:** 2025-10-11 | **Updated:** 2025-10-16 | **Effort:** 2-3 days | **Priority:** ALPHA BLOCKER

     

       300
        
       

     

       301
        
       **Problem:**

     

       302
        
       1. **Domain Impersonation**: Self-hosters can set `INSTANCE_DID=did:web:nintendo.com` without owning the domain, enabling attacks where communities appear hosted by trusted domains

     
···

       307
        
       - Federation partners can't verify instance authenticity

     

       308
        
       - AppView pollution with fake hosting claims

     

       309
        
       

     

       310
       -
       **Solution:**

     

       311
       -
       1. **Basic Validation (Phase 1)**: Verify `did:web:` domain matches configured `instanceDomain`

     

       312
       -
       2. **Cryptographic Verification (Phase 2)**: Fetch `https://domain/.well-known/did.json` and verify:

     

       313
        
          - DID document exists and is valid

     

       314
       -
          - Domain ownership proven via HTTPS hosting

     

       315
       -
          - DID document matches claimed `instanceDID`

     

       316
       -
       3. **Auto-populate hostedByDID**: Remove from client API, derive from instance configuration in service layer

     

       0
        
       
     

       317
        
       

     

       318
        
       **Current Status:**

     

       319
        
       - ✅ Default changed from `coves.local` → `coves.social` (fixes `.local` TLD bug)

     

       320
       -
       - ✅ TODO comment in [cmd/server/main.go:126-131](../cmd/server/main.go#L126-L131)

     

       321
        
       - ✅ hostedByDID removed from client requests (2025-10-16)

     

       322
        
       - ✅ Service layer auto-populates `hostedByDID` from `instanceDID` (2025-10-16)

     

       323
        
       - ✅ Handler rejects client-provided `hostedByDID` (2025-10-16)

     

       324
        
       - ✅ Basic validation: Logs warning if `did:web:` domain ≠ `instanceDomain` (2025-10-16)

     

       325
       -
       - ⚠️ **REMAINING**: Full DID document verification (cryptographic proof of ownership)

     

       326
       -
       

     

       327
       -
       **Implementation Notes:**

     

       328
       -
       - Phase 1 complete: Basic validation catches config errors, logs warnings

     

       329
       -
       - Phase 2 needed: Fetch `https://domain/.well-known/did.json` and verify ownership

     

       330
       -
       - Add `SKIP_DID_WEB_VERIFICATION=true` for dev mode

     

       331
       -
       - Full verification blocks startup if domain ownership cannot be proven

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       332
        
       

     

       333
        
       ---

     

       334

···

       295
        
       

     

       296
        
       ---

     

       297
        
       

     

       298
       +
       ### ✅ did:web Domain Verification & hostedByDID Auto-Population - COMPLETE

     

       299
       +
       **Added:** 2025-10-11 | **Updated:** 2025-11-16 | **Completed:** 2025-11-16 | **Status:** ✅ DONE

     

       300
        
       

     

       301
        
       **Problem:**

     

       302
        
       1. **Domain Impersonation**: Self-hosters can set `INSTANCE_DID=did:web:nintendo.com` without owning the domain, enabling attacks where communities appear hosted by trusted domains

     
···

       307
        
       - Federation partners can't verify instance authenticity

     

       308
        
       - AppView pollution with fake hosting claims

     

       309
        
       

     

       310
       +
       **Solution Implemented (Bluesky-Compatible):**

     

       311
       +
       1. ✅ **Domain Matching**: Verify `did:web:` domain matches configured `instanceDomain`

     

       312
       +
       2. ✅ **Bidirectional Verification**: Fetch `https://domain/.well-known/did.json` and verify:

     

       313
        
          - DID document exists and is valid

     

       314
       +
          - DID document ID matches claimed `instanceDID`

     

       315
       +
          - DID document claims handle domain in `alsoKnownAs` field (bidirectional binding)

     

       316
       +
          - Domain ownership proven via HTTPS hosting (matches Bluesky's trust model)

     

       317
       +
       3. ✅ **Auto-populate hostedByDID**: Removed from client API, derived from instance configuration in service layer

     

       318
        
       

     

       319
        
       **Current Status:**

     

       320
        
       - ✅ Default changed from `coves.local` → `coves.social` (fixes `.local` TLD bug)

     

       0
        
       
     

       321
        
       - ✅ hostedByDID removed from client requests (2025-10-16)

     

       322
        
       - ✅ Service layer auto-populates `hostedByDID` from `instanceDID` (2025-10-16)

     

       323
        
       - ✅ Handler rejects client-provided `hostedByDID` (2025-10-16)

     

       324
        
       - ✅ Basic validation: Logs warning if `did:web:` domain ≠ `instanceDomain` (2025-10-16)

     

       325
       +
       - ✅ **MANDATORY bidirectional DID verification** (2025-11-16)

     

       326
       +
       - ✅ Cache TTL updated to 24h (matches Bluesky recommendations) (2025-11-16)

     

       327
       +
       

     

       328
       +
       **Implementation Details:**

     

       329
       +
       - **Security Model**: Matches Bluesky's approach - relies on DNS/HTTPS authority, not cryptographic proof

     

       330
       +
       - **Enforcement**: MANDATORY hard-fail in production (rejects communities with verification failures)

     

       331
       +
       - **Dev Mode**: Set `SKIP_DID_WEB_VERIFICATION=true` to bypass verification for local development

     

       332
       +
       - **Performance**: Bounded LRU cache (1000 entries), rate limiting (10 req/s), 24h cache TTL

     

       333
       +
       - **Bidirectional Check**: Prevents impersonation by requiring DID document to claim the handle

     

       334
       +
       - **Location**: [internal/atproto/jetstream/community_consumer.go](../internal/atproto/jetstream/community_consumer.go)

     

       335
        
       

     

       336
        
       ---

     

       337

+18

internal/api/routes/aggregator.go

···

       2
        
       

     

       3
        
       import (

     

       4
        
       	"Coves/internal/api/handlers/aggregator"

     

       0
        
       
     

       0
        
       
     

       5
        
       	"Coves/internal/core/aggregators"

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       6
        
       

     

       7
        
       	"github.com/go-chi/chi/v5"

     

       8
        
       )

     
···

       12
        
       func RegisterAggregatorRoutes(

     

       13
        
       	r chi.Router,

     

       14
        
       	aggregatorService aggregators.Service,

     

       0
        
       
     

       0
        
       
     

       15
        
       ) {

     

       16
        
       	// Create query handlers

     

       17
        
       	getServicesHandler := aggregator.NewGetServicesHandler(aggregatorService)

     

       18
        
       	getAuthorizationsHandler := aggregator.NewGetAuthorizationsHandler(aggregatorService)

     

       19
        
       	listForCommunityHandler := aggregator.NewListForCommunityHandler(aggregatorService)

     

       20
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       21
        
       	// Query endpoints (public - no auth required)

     

       22
        
       	// GET /xrpc/social.coves.aggregator.getServices?dids=did:plc:abc,did:plc:def

     

       23
        
       	// Following app.bsky.feed.getFeedGenerators pattern

     
···

       31
        
       	// Lists aggregators authorized by a community

     

       32
        
       	r.Get("/xrpc/social.coves.aggregator.listForCommunity", listForCommunityHandler.HandleListForCommunity)

     

       33
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       34
        
       	// Write endpoints (Phase 2 - require authentication and moderator permissions)

     

       35
        
       	// TODO: Implement after Jetstream consumer is ready

     

       36
        
       	// POST /xrpc/social.coves.aggregator.enable (requires auth + moderator)

···

       2
        
       

     

       3
        
       import (

     

       4
        
       	"Coves/internal/api/handlers/aggregator"

     

       5
       +
       	"Coves/internal/api/middleware"

     

       6
       +
       	"Coves/internal/atproto/identity"

     

       7
        
       	"Coves/internal/core/aggregators"

     

       8
       +
       	"Coves/internal/core/users"

     

       9
       +
       	"net/http"

     

       10
       +
       	"time"

     

       11
        
       

     

       12
        
       	"github.com/go-chi/chi/v5"

     

       13
        
       )

     
···

       17
        
       func RegisterAggregatorRoutes(

     

       18
        
       	r chi.Router,

     

       19
        
       	aggregatorService aggregators.Service,

     

       20
       +
       	userService users.UserService,

     

       21
       +
       	identityResolver identity.Resolver,

     

       22
        
       ) {

     

       23
        
       	// Create query handlers

     

       24
        
       	getServicesHandler := aggregator.NewGetServicesHandler(aggregatorService)

     

       25
        
       	getAuthorizationsHandler := aggregator.NewGetAuthorizationsHandler(aggregatorService)

     

       26
        
       	listForCommunityHandler := aggregator.NewListForCommunityHandler(aggregatorService)

     

       27
        
       

     

       28
       +
       	// Create registration handler

     

       29
       +
       	registerHandler := aggregator.NewRegisterHandler(userService, identityResolver)

     

       30
       +
       

     

       31
        
       	// Query endpoints (public - no auth required)

     

       32
        
       	// GET /xrpc/social.coves.aggregator.getServices?dids=did:plc:abc,did:plc:def

     

       33
        
       	// Following app.bsky.feed.getFeedGenerators pattern

     
···

       41
        
       	// Lists aggregators authorized by a community

     

       42
        
       	r.Get("/xrpc/social.coves.aggregator.listForCommunity", listForCommunityHandler.HandleListForCommunity)

     

       43
        
       

     

       44
       +
       	// Registration endpoint (public - no auth required)

     

       45
       +
       	// Aggregators register themselves after creating their own PDS accounts

     

       46
       +
       	// POST /xrpc/social.coves.aggregator.register

     

       47
       +
       	// Rate limited to 10 requests per 10 minutes per IP to prevent abuse

     

       48
       +
       	registrationRateLimiter := middleware.NewRateLimiter(10, 10*time.Minute)

     

       49
       +
       	r.Post("/xrpc/social.coves.aggregator.register",

     

       50
       +
       		registrationRateLimiter.Middleware(http.HandlerFunc(registerHandler.HandleRegister)).ServeHTTP)

     

       51
       +
       

     

       52
        
       	// Write endpoints (Phase 2 - require authentication and moderator permissions)

     

       53
        
       	// TODO: Implement after Jetstream consumer is ready

     

       54
        
       	// POST /xrpc/social.coves.aggregator.enable (requires auth + moderator)

+591

docs/aggregators/SETUP_GUIDE.md

···

       1
       +
       # Aggregator Setup Guide

     

       2
       +
       

     

       3
       +
       This guide explains how to set up and register an aggregator with Coves instances.

     

       4
       +
       

     

       5
       +
       ## Table of Contents

     

       6
       +
       

     

       7
       +
       - [Overview](#overview)

     

       8
       +
       - [Architecture](#architecture)

     

       9
       +
       - [Prerequisites](#prerequisites)

     

       10
       +
       - [Quick Start](#quick-start)

     

       11
       +
       - [Detailed Setup Steps](#detailed-setup-steps)

     

       12
       +
       - [Authorization Process](#authorization-process)

     

       13
       +
       - [Posting to Communities](#posting-to-communities)

     

       14
       +
       - [Rate Limits](#rate-limits)

     

       15
       +
       - [Security Best Practices](#security-best-practices)

     

       16
       +
       - [Troubleshooting](#troubleshooting)

     

       17
       +
       - [API Reference](#api-reference)

     

       18
       +
       

     

       19
       +
       ## Overview

     

       20
       +
       

     

       21
       +
       **Aggregators** are automated services that post content to Coves communities. They are similar to Bluesky's feed generators and labelers - self-managed external services that integrate with the platform.

     

       22
       +
       

     

       23
       +
       **Key characteristics**:

     

       24
       +
       - Self-owned: You create and manage your own PDS account

     

       25
       +
       - Domain-verified: Prove ownership via `.well-known/atproto-did`

     

       26
       +
       - Community-authorized: Moderators grant posting permission per-community

     

       27
       +
       - Rate-limited: 10 posts per hour per community

     

       28
       +
       

     

       29
       +
       **Example use cases**:

     

       30
       +
       - RSS feed aggregators (tech news, blog posts)

     

       31
       +
       - Social media cross-posters (Twitter → Coves)

     

       32
       +
       - Event notifications (GitHub releases, weather alerts)

     

       33
       +
       - Content curation bots (daily links, summaries)

     

       34
       +
       

     

       35
       +
       ## Architecture

     

       36
       +
       

     

       37
       +
       ### Data Flow

     

       38
       +
       

     

       39
       +
       ```

     

       40
       +
       ┌──────────────────────────────────────────────────────────┐

     

       41
       +
       │ 1. One-Time Setup                                        │

     

       42
       +
       ├──────────────────────────────────────────────────────────┤

     

       43
       +
       │ Aggregator creates PDS account                           │

     

       44
       +
       │   ↓                                                       │

     

       45
       +
       │ Proves domain ownership (.well-known)                    │

     

       46
       +
       │   ↓                                                       │

     

       47
       +
       │ Registers with Coves (enters users table)                │

     

       48
       +
       │   ↓                                                       │

     

       49
       +
       │ Writes service declaration                               │

     

       50
       +
       │   ↓                                                       │

     

       51
       +
       │ Jetstream indexes into aggregators table                 │

     

       52
       +
       └──────────────────────────────────────────────────────────┘

     

       53
       +
       

     

       54
       +
       ┌──────────────────────────────────────────────────────────┐

     

       55
       +
       │ 2. Per-Community Authorization                           │

     

       56
       +
       ├──────────────────────────────────────────────────────────┤

     

       57
       +
       │ Moderator writes authorization record                    │

     

       58
       +
       │   ↓                                                       │

     

       59
       +
       │ Jetstream indexes into aggregator_authorizations         │

     

       60
       +
       └──────────────────────────────────────────────────────────┘

     

       61
       +
       

     

       62
       +
       ┌──────────────────────────────────────────────────────────┐

     

       63
       +
       │ 3. Posting (Ongoing)                                     │

     

       64
       +
       ├──────────────────────────────────────────────────────────┤

     

       65
       +
       │ Aggregator calls post creation endpoint                  │

     

       66
       +
       │   ↓                                                       │

     

       67
       +
       │ Handler validates:                                        │

     

       68
       +
       │   - Author in users table ✓                              │

     

       69
       +
       │   - Author in aggregators table ✓                        │

     

       70
       +
       │   - Authorization exists ✓                               │

     

       71
       +
       │   - Rate limit not exceeded ✓                            │

     

       72
       +
       │   ↓                                                       │

     

       73
       +
       │ Post written to community's PDS                          │

     

       74
       +
       │   ↓                                                       │

     

       75
       +
       │ Jetstream indexes post                                   │

     

       76
       +
       └──────────────────────────────────────────────────────────┘

     

       77
       +
       ```

     

       78
       +
       

     

       79
       +
       ### Database Tables

     

       80
       +
       

     

       81
       +
       **users** - All actors (users, communities, aggregators)

     

       82
       +
       ```sql

     

       83
       +
       CREATE TABLE users (

     

       84
       +
           did TEXT PRIMARY KEY,

     

       85
       +
           handle TEXT NOT NULL,

     

       86
       +
           pds_url TEXT,

     

       87
       +
           indexed_at TIMESTAMPTZ

     

       88
       +
       );

     

       89
       +
       ```

     

       90
       +
       

     

       91
       +
       **aggregators** - Aggregator-specific metadata

     

       92
       +
       ```sql

     

       93
       +
       CREATE TABLE aggregators (

     

       94
       +
           did TEXT PRIMARY KEY,

     

       95
       +
           display_name TEXT NOT NULL,

     

       96
       +
           description TEXT,

     

       97
       +
           avatar_url TEXT,

     

       98
       +
           config_schema JSONB,

     

       99
       +
           source_url TEXT,

     

       100
       +
           maintainer_did TEXT,

     

       101
       +
           record_uri TEXT NOT NULL UNIQUE,

     

       102
       +
           record_cid TEXT NOT NULL,

     

       103
       +
           created_at TIMESTAMPTZ,

     

       104
       +
           indexed_at TIMESTAMPTZ

     

       105
       +
       );

     

       106
       +
       ```

     

       107
       +
       

     

       108
       +
       **aggregator_authorizations** - Community authorizations

     

       109
       +
       ```sql

     

       110
       +
       CREATE TABLE aggregator_authorizations (

     

       111
       +
           id BIGSERIAL PRIMARY KEY,

     

       112
       +
           aggregator_did TEXT NOT NULL,

     

       113
       +
           community_did TEXT NOT NULL,

     

       114
       +
           enabled BOOLEAN NOT NULL DEFAULT true,

     

       115
       +
           config JSONB,

     

       116
       +
           created_by TEXT,

     

       117
       +
           record_uri TEXT NOT NULL UNIQUE,

     

       118
       +
           record_cid TEXT NOT NULL,

     

       119
       +
           UNIQUE(aggregator_did, community_did)

     

       120
       +
       );

     

       121
       +
       ```

     

       122
       +
       

     

       123
       +
       ## Prerequisites

     

       124
       +
       

     

       125
       +
       1. **Domain ownership**: You must own a domain where you can host static files over HTTPS

     

       126
       +
       2. **Web server**: Ability to serve the `.well-known/atproto-did` file

     

       127
       +
       3. **Development tools**: `curl`, `jq`, basic shell scripting knowledge

     

       128
       +
       4. **Email address**: For creating the PDS account

     

       129
       +
       

     

       130
       +
       **Optional**:

     

       131
       +
       - Custom avatar image (PNG/JPEG/WebP, max 1MB)

     

       132
       +
       - GitHub repository for source code transparency

     

       133
       +
       

     

       134
       +
       ## Quick Start

     

       135
       +
       

     

       136
       +
       We provide automated setup scripts:

     

       137
       +
       

     

       138
       +
       ```bash

     

       139
       +
       cd scripts/aggregator-setup

     

       140
       +
       

     

       141
       +
       # Make scripts executable

     

       142
       +
       chmod +x *.sh

     

       143
       +
       

     

       144
       +
       # Run setup scripts in order

     

       145
       +
       ./1-create-pds-account.sh

     

       146
       +
       ./2-setup-wellknown.sh

     

       147
       +
       # (Upload .well-known to your web server)

     

       148
       +
       ./3-register-with-coves.sh

     

       149
       +
       ./4-create-service-declaration.sh

     

       150
       +
       ```

     

       151
       +
       

     

       152
       +
       See [scripts/aggregator-setup/README.md](../../scripts/aggregator-setup/README.md) for detailed script documentation.

     

       153
       +
       

     

       154
       +
       ## Detailed Setup Steps

     

       155
       +
       

     

       156
       +
       ### Step 1: Create PDS Account

     

       157
       +
       

     

       158
       +
       Your aggregator needs its own atProto identity (DID). The easiest way is to create an account on an existing PDS.

     

       159
       +
       

     

       160
       +
       **Using an existing PDS (recommended)**:

     

       161
       +
       

     

       162
       +
       ```bash

     

       163
       +
       curl -X POST https://bsky.social/xrpc/com.atproto.server.createAccount \

     

       164
       +
         -H "Content-Type: application/json" \

     

       165
       +
         -d '{

     

       166
       +
           "handle": "mynewsbot.bsky.social",

     

       167
       +
           "email": "bot@example.com",

     

       168
       +
           "password": "secure-password-here"

     

       169
       +
         }'

     

       170
       +
       ```

     

       171
       +
       

     

       172
       +
       **Response**:

     

       173
       +
       ```json

     

       174
       +
       {

     

       175
       +
         "accessJwt": "eyJ...",

     

       176
       +
         "refreshJwt": "eyJ...",

     

       177
       +
         "handle": "mynewsbot.bsky.social",

     

       178
       +
         "did": "did:plc:abc123...",

     

       179
       +
         "didDoc": {...}

     

       180
       +
       }

     

       181
       +
       ```

     

       182
       +
       

     

       183
       +
       **Save these credentials securely!** You'll need the DID and access token for all subsequent operations.

     

       184
       +
       

     

       185
       +
       **Alternative**: Run your own PDS or use `did:web` (advanced).

     

       186
       +
       

     

       187
       +
       ### Step 2: Prove Domain Ownership

     

       188
       +
       

     

       189
       +
       To register with Coves, you must prove you own a domain by serving your DID at `https://yourdomain.com/.well-known/atproto-did`.

     

       190
       +
       

     

       191
       +
       **Create the file**:

     

       192
       +
       

     

       193
       +
       ```bash

     

       194
       +
       mkdir -p .well-known

     

       195
       +
       echo "did:plc:abc123..." > .well-known/atproto-did

     

       196
       +
       ```

     

       197
       +
       

     

       198
       +
       **Upload to your web server** so it's accessible at:

     

       199
       +
       ```

     

       200
       +
       https://rss-bot.example.com/.well-known/atproto-did

     

       201
       +
       ```

     

       202
       +
       

     

       203
       +
       **Verify it works**:

     

       204
       +
       ```bash

     

       205
       +
       curl https://rss-bot.example.com/.well-known/atproto-did

     

       206
       +
       # Should return: did:plc:abc123...

     

       207
       +
       ```

     

       208
       +
       

     

       209
       +
       **Nginx configuration example**:

     

       210
       +
       ```nginx

     

       211
       +
       location /.well-known/atproto-did {

     

       212
       +
           alias /var/www/.well-known/atproto-did;

     

       213
       +
           default_type text/plain;

     

       214
       +
           add_header Access-Control-Allow-Origin *;

     

       215
       +
       }

     

       216
       +
       ```

     

       217
       +
       

     

       218
       +
       ### Step 3: Register with Coves

     

       219
       +
       

     

       220
       +
       Call the registration endpoint to register your aggregator DID with the Coves instance.

     

       221
       +
       

     

       222
       +
       **Endpoint**: `POST /xrpc/social.coves.aggregator.register`

     

       223
       +
       

     

       224
       +
       **Request**:

     

       225
       +
       ```bash

     

       226
       +
       curl -X POST https://api.coves.social/xrpc/social.coves.aggregator.register \

     

       227
       +
         -H "Content-Type: application/json" \

     

       228
       +
         -d '{

     

       229
       +
           "did": "did:plc:abc123...",

     

       230
       +
           "domain": "rss-bot.example.com"

     

       231
       +
         }'

     

       232
       +
       ```

     

       233
       +
       

     

       234
       +
       **Response** (Success):

     

       235
       +
       ```json

     

       236
       +
       {

     

       237
       +
         "did": "did:plc:abc123...",

     

       238
       +
         "handle": "mynewsbot.bsky.social",

     

       239
       +
         "message": "Aggregator registered successfully. Next step: create a service declaration record at at://did:plc:abc123.../social.coves.aggregator.service/self"

     

       240
       +
       }

     

       241
       +
       ```

     

       242
       +
       

     

       243
       +
       **What happens**:

     

       244
       +
       1. Coves fetches `https://rss-bot.example.com/.well-known/atproto-did`

     

       245
       +
       2. Verifies it contains your DID

     

       246
       +
       3. Resolves your DID to get handle and PDS URL

     

       247
       +
       4. Inserts you into the `users` table

     

       248
       +
       

     

       249
       +
       **You're now registered!** But you need to create a service declaration next.

     

       250
       +
       

     

       251
       +
       ### Step 4: Create Service Declaration

     

       252
       +
       

     

       253
       +
       Write a `social.coves.aggregator.service` record to your repository. This contains metadata about your aggregator and gets indexed by Coves' Jetstream consumer.

     

       254
       +
       

     

       255
       +
       **Endpoint**: `POST https://your-pds.com/xrpc/com.atproto.repo.createRecord`

     

       256
       +
       

     

       257
       +
       **Request**:

     

       258
       +
       ```bash

     

       259
       +
       curl -X POST https://bsky.social/xrpc/com.atproto.repo.createRecord \

     

       260
       +
         -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \

     

       261
       +
         -H "Content-Type: application/json" \

     

       262
       +
         -d '{

     

       263
       +
           "repo": "did:plc:abc123...",

     

       264
       +
           "collection": "social.coves.aggregator.service",

     

       265
       +
           "rkey": "self",

     

       266
       +
           "record": {

     

       267
       +
             "$type": "social.coves.aggregator.service",

     

       268
       +
             "did": "did:plc:abc123...",

     

       269
       +
             "displayName": "RSS News Aggregator",

     

       270
       +
             "description": "Aggregates tech news from various RSS feeds",

     

       271
       +
             "sourceUrl": "https://github.com/yourname/rss-aggregator",

     

       272
       +
             "maintainer": "did:plc:your-personal-did",

     

       273
       +
             "createdAt": "2024-01-15T12:00:00Z"

     

       274
       +
           }

     

       275
       +
         }'

     

       276
       +
       ```

     

       277
       +
       

     

       278
       +
       **Response**:

     

       279
       +
       ```json

     

       280
       +
       {

     

       281
       +
         "uri": "at://did:plc:abc123.../social.coves.aggregator.service/self",

     

       282
       +
         "cid": "bafyrei..."

     

       283
       +
       }

     

       284
       +
       ```

     

       285
       +
       

     

       286
       +
       **Optional fields**:

     

       287
       +
       - `avatar`: Blob reference to avatar image

     

       288
       +
       - `configSchema`: JSON Schema for community-specific configuration

     

       289
       +
       

     

       290
       +
       **Wait 5-10 seconds** for Jetstream to index your service declaration into the `aggregators` table.

     

       291
       +
       

     

       292
       +
       ## Authorization Process

     

       293
       +
       

     

       294
       +
       Before you can post to a community, a moderator must authorize your aggregator.

     

       295
       +
       

     

       296
       +
       ### How Authorization Works

     

       297
       +
       

     

       298
       +
       1. **Moderator decision**: Community moderator evaluates your aggregator

     

       299
       +
       2. **Authorization record**: Moderator writes `social.coves.aggregator.authorization` to community's repo

     

       300
       +
       3. **Jetstream indexing**: Record gets indexed into `aggregator_authorizations` table

     

       301
       +
       4. **Posting enabled**: You can now post to that community

     

       302
       +
       

     

       303
       +
       ### Authorization Record Structure

     

       304
       +
       

     

       305
       +
       **Location**: `at://{community_did}/social.coves.aggregator.authorization/{rkey}`

     

       306
       +
       

     

       307
       +
       **Example**:

     

       308
       +
       ```json

     

       309
       +
       {

     

       310
       +
         "$type": "social.coves.aggregator.authorization",

     

       311
       +
         "aggregatorDid": "did:plc:abc123...",

     

       312
       +
         "communityDid": "did:plc:community123...",

     

       313
       +
         "enabled": true,

     

       314
       +
         "createdBy": "did:plc:moderator...",

     

       315
       +
         "createdAt": "2024-01-15T12:00:00Z",

     

       316
       +
         "config": {

     

       317
       +
           "maxPostsPerHour": 5,

     

       318
       +
           "allowedCategories": ["tech", "news"]

     

       319
       +
         }

     

       320
       +
       }

     

       321
       +
       ```

     

       322
       +
       

     

       323
       +
       ### Checking Your Authorizations

     

       324
       +
       

     

       325
       +
       **Endpoint**: `GET /xrpc/social.coves.aggregator.getAuthorizations`

     

       326
       +
       

     

       327
       +
       ```bash

     

       328
       +
       curl "https://api.coves.social/xrpc/social.coves.aggregator.getAuthorizations?aggregatorDid=did:plc:abc123...&enabledOnly=true"

     

       329
       +
       ```

     

       330
       +
       

     

       331
       +
       **Response**:

     

       332
       +
       ```json

     

       333
       +
       {

     

       334
       +
         "authorizations": [

     

       335
       +
           {

     

       336
       +
             "aggregatorDid": "did:plc:abc123...",

     

       337
       +
             "communityDid": "did:plc:community123...",

     

       338
       +
             "communityHandle": "~tech@coves.social",

     

       339
       +
             "enabled": true,

     

       340
       +
             "createdAt": "2024-01-15T12:00:00Z",

     

       341
       +
             "config": {...}

     

       342
       +
           }

     

       343
       +
         ]

     

       344
       +
       }

     

       345
       +
       ```

     

       346
       +
       

     

       347
       +
       ## Posting to Communities

     

       348
       +
       

     

       349
       +
       Once authorized, you can post to communities using the standard post creation endpoint.

     

       350
       +
       

     

       351
       +
       ### Create Post

     

       352
       +
       

     

       353
       +
       **Endpoint**: `POST /xrpc/social.coves.community.post.create`

     

       354
       +
       

     

       355
       +
       **Request**:

     

       356
       +
       ```bash

     

       357
       +
       curl -X POST https://api.coves.social/xrpc/social.coves.community.post.create \

     

       358
       +
         -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \

     

       359
       +
         -H "Content-Type: application/json" \

     

       360
       +
         -d '{

     

       361
       +
           "communityDid": "did:plc:community123...",

     

       362
       +
           "post": {

     

       363
       +
             "text": "New blog post: Understanding atProto Identity\nhttps://example.com/post",

     

       364
       +
             "createdAt": "2024-01-15T12:00:00Z",

     

       365
       +
             "facets": [

     

       366
       +
               {

     

       367
       +
                 "index": { "byteStart": 50, "byteEnd": 75 },

     

       368
       +
                 "features": [

     

       369
       +
                   {

     

       370
       +
                     "$type": "social.coves.richtext.facet#link",

     

       371
       +
                     "uri": "https://example.com/post"

     

       372
       +
                   }

     

       373
       +
                 ]

     

       374
       +
               }

     

       375
       +
             ]

     

       376
       +
           }

     

       377
       +
         }'

     

       378
       +
       ```

     

       379
       +
       

     

       380
       +
       **Response**:

     

       381
       +
       ```json

     

       382
       +
       {

     

       383
       +
         "uri": "at://did:plc:abc123.../social.coves.community.post/3k...",

     

       384
       +
         "cid": "bafyrei..."

     

       385
       +
       }

     

       386
       +
       ```

     

       387
       +
       

     

       388
       +
       ### Post Validation

     

       389
       +
       

     

       390
       +
       The handler validates:

     

       391
       +
       1. **Authentication**: Valid JWT token

     

       392
       +
       2. **Author exists**: DID in `users` table

     

       393
       +
       3. **Is aggregator**: DID in `aggregators` table

     

       394
       +
       4. **Authorization**: Active authorization for (aggregator, community)

     

       395
       +
       5. **Rate limit**: Less than 10 posts/hour to this community

     

       396
       +
       6. **Content**: Valid post structure per lexicon

     

       397
       +
       

     

       398
       +
       ### Rate Limits

     

       399
       +
       

     

       400
       +
       **Per-community rate limit**: 10 posts per hour

     

       401
       +
       

     

       402
       +
       This is tracked in the `aggregator_posts` table and enforced at the handler level.

     

       403
       +
       

     

       404
       +
       **Why?**: Prevents spam while allowing useful bot activity.

     

       405
       +
       

     

       406
       +
       **Best practices**:

     

       407
       +
       - Batch similar content

     

       408
       +
       - Post only high-quality content

     

       409
       +
       - Respect community guidelines

     

       410
       +
       - Monitor your posting rate

     

       411
       +
       

     

       412
       +
       ## Security Best Practices

     

       413
       +
       

     

       414
       +
       ### Credential Management

     

       415
       +
       

     

       416
       +
       ✅ **DO**:

     

       417
       +
       - Store credentials in environment variables or secret management

     

       418
       +
       - Use HTTPS for all API calls

     

       419
       +
       - Rotate access tokens regularly (use refresh tokens)

     

       420
       +
       - Keep `aggregator-config.env` out of version control

     

       421
       +
       

     

       422
       +
       ❌ **DON'T**:

     

       423
       +
       - Hardcode credentials in source code

     

       424
       +
       - Commit credentials to Git

     

       425
       +
       - Share access tokens publicly

     

       426
       +
       - Reuse personal credentials for bots

     

       427
       +
       

     

       428
       +
       ### Domain Security

     

       429
       +
       

     

       430
       +
       ✅ **DO**:

     

       431
       +
       - Use HTTPS for `.well-known` endpoint

     

       432
       +
       - Keep domain under your control

     

       433
       +
       - Monitor for unauthorized changes

     

       434
       +
       - Use DNSSEC if possible

     

       435
       +
       

     

       436
       +
       ❌ **DON'T**:

     

       437
       +
       - Use HTTP (will fail verification)

     

       438
       +
       - Use shared/untrusted hosting

     

       439
       +
       - Allow others to modify `.well-known` files

     

       440
       +
       - Use expired SSL certificates

     

       441
       +
       

     

       442
       +
       ### Content Security

     

       443
       +
       

     

       444
       +
       ✅ **DO**:

     

       445
       +
       - Validate all external content before posting

     

       446
       +
       - Sanitize URLs and text

     

       447
       +
       - Rate-limit your own posting

     

       448
       +
       - Implement circuit breakers for failures

     

       449
       +
       

     

       450
       +
       ❌ **DON'T**:

     

       451
       +
       - Post unvalidated user input

     

       452
       +
       - Include malicious links

     

       453
       +
       - Spam communities

     

       454
       +
       - Bypass rate limits

     

       455
       +
       

     

       456
       +
       ## Troubleshooting

     

       457
       +
       

     

       458
       +
       ### Registration Errors

     

       459
       +
       

     

       460
       +
       #### Error: "DomainVerificationFailed"

     

       461
       +
       

     

       462
       +
       **Cause**: `.well-known/atproto-did` not accessible or contains wrong DID

     

       463
       +
       

     

       464
       +
       **Solutions**:

     

       465
       +
       1. Verify file is accessible: `curl https://yourdomain.com/.well-known/atproto-did`

     

       466
       +
       2. Check content matches your DID exactly (no extra whitespace)

     

       467
       +
       3. Ensure HTTPS is working (not HTTP)

     

       468
       +
       4. Check web server logs for access errors

     

       469
       +
       5. Verify firewall rules allow HTTPS traffic

     

       470
       +
       

     

       471
       +
       #### Error: "AlreadyRegistered"

     

       472
       +
       

     

       473
       +
       **Cause**: This DID is already registered with this Coves instance

     

       474
       +
       

     

       475
       +
       **Solutions**:

     

       476
       +
       - This is safe to ignore if you're re-running setup

     

       477
       +
       - If you need to update info, just create a new service declaration

     

       478
       +
       - Contact instance admin if you need to remove registration

     

       479
       +
       

     

       480
       +
       #### Error: "DIDResolutionFailed"

     

       481
       +
       

     

       482
       +
       **Cause**: Could not resolve DID document from PLC directory

     

       483
       +
       

     

       484
       +
       **Solutions**:

     

       485
       +
       1. Verify DID exists: `curl https://plc.directory/{your-did}`

     

       486
       +
       2. Wait 30 seconds and retry (PLC propagation delay)

     

       487
       +
       3. Check PDS is accessible

     

       488
       +
       4. Verify DID format is correct (must start with `did:plc:` or `did:web:`)

     

       489
       +
       

     

       490
       +
       ### Posting Errors

     

       491
       +
       

     

       492
       +
       #### Error: "NotAuthorized"

     

       493
       +
       

     

       494
       +
       **Cause**: No active authorization for this (aggregator, community) pair

     

       495
       +
       

     

       496
       +
       **Solutions**:

     

       497
       +
       1. Check authorizations: `GET /xrpc/social.coves.aggregator.getAuthorizations`

     

       498
       +
       2. Contact community moderator to request authorization

     

       499
       +
       3. Verify authorization wasn't disabled

     

       500
       +
       4. Wait for Jetstream to index authorization (5-10 seconds)

     

       501
       +
       

     

       502
       +
       #### Error: "RateLimitExceeded"

     

       503
       +
       

     

       504
       +
       **Cause**: Exceeded 10 posts/hour to this community

     

       505
       +
       

     

       506
       +
       **Solutions**:

     

       507
       +
       1. Wait for the rate limit window to reset

     

       508
       +
       2. Batch posts to stay under limit

     

       509
       +
       3. Distribute posts across multiple communities

     

       510
       +
       4. Implement posting queue in your aggregator

     

       511
       +
       

     

       512
       +
       ### Service Declaration Not Appearing

     

       513
       +
       

     

       514
       +
       **Symptoms**: Service declaration created but not in `aggregators` table

     

       515
       +
       

     

       516
       +
       **Solutions**:

     

       517
       +
       1. Wait 5-10 seconds for Jetstream to index

     

       518
       +
       2. Check Jetstream consumer logs for errors

     

       519
       +
       3. Verify record was created: Check PDS at `at://your-did/social.coves.aggregator.service/self`

     

       520
       +
       4. Verify `$type` field is exactly `"social.coves.aggregator.service"`

     

       521
       +
       5. Check `displayName` is not empty (required field)

     

       522
       +
       

     

       523
       +
       ## API Reference

     

       524
       +
       

     

       525
       +
       ### Registration Endpoint

     

       526
       +
       

     

       527
       +
       **`POST /xrpc/social.coves.aggregator.register`**

     

       528
       +
       

     

       529
       +
       **Input**:

     

       530
       +
       ```typescript

     

       531
       +
       {

     

       532
       +
         did: string      // DID of aggregator (did:plc or did:web)

     

       533
       +
         domain: string   // Domain serving .well-known/atproto-did

     

       534
       +
       }

     

       535
       +
       ```

     

       536
       +
       

     

       537
       +
       **Output**:

     

       538
       +
       ```typescript

     

       539
       +
       {

     

       540
       +
         did: string      // Registered DID

     

       541
       +
         handle: string   // Handle from DID document

     

       542
       +
         message: string  // Next steps message

     

       543
       +
       }

     

       544
       +
       ```

     

       545
       +
       

     

       546
       +
       **Errors**:

     

       547
       +
       - `InvalidDID`: DID format invalid

     

       548
       +
       - `DomainVerificationFailed`: .well-known verification failed

     

       549
       +
       - `AlreadyRegistered`: DID already registered

     

       550
       +
       - `DIDResolutionFailed`: Could not resolve DID

     

       551
       +
       

     

       552
       +
       ### Query Endpoints

     

       553
       +
       

     

       554
       +
       **`GET /xrpc/social.coves.aggregator.getServices`**

     

       555
       +
       

     

       556
       +
       Get aggregator service details.

     

       557
       +
       

     

       558
       +
       **Parameters**:

     

       559
       +
       - `dids`: Array of DIDs (comma-separated)

     

       560
       +
       

     

       561
       +
       **`GET /xrpc/social.coves.aggregator.getAuthorizations`**

     

       562
       +
       

     

       563
       +
       List communities that authorized an aggregator.

     

       564
       +
       

     

       565
       +
       **Parameters**:

     

       566
       +
       - `aggregatorDid`: Aggregator DID

     

       567
       +
       - `enabledOnly`: Filter to enabled only (default: false)

     

       568
       +
       

     

       569
       +
       **`GET /xrpc/social.coves.aggregator.listForCommunity`**

     

       570
       +
       

     

       571
       +
       List aggregators authorized by a community.

     

       572
       +
       

     

       573
       +
       **Parameters**:

     

       574
       +
       - `communityDid`: Community DID

     

       575
       +
       - `enabledOnly`: Filter to enabled only (default: false)

     

       576
       +
       

     

       577
       +
       ## Further Reading

     

       578
       +
       

     

       579
       +
       - [Aggregator PRD](PRD_AGGREGATORS.md) - Architecture and design decisions

     

       580
       +
       - [atProto Guide](../../ATPROTO_GUIDE.md) - atProto fundamentals

     

       581
       +
       - [Communities PRD](../PRD_COMMUNITIES.md) - Community system overview

     

       582
       +
       - [Setup Scripts README](../../scripts/aggregator-setup/README.md) - Script documentation

     

       583
       +
       

     

       584
       +
       ## Support

     

       585
       +
       

     

       586
       +
       For issues or questions:

     

       587
       +
       

     

       588
       +
       1. Check this guide's troubleshooting section

     

       589
       +
       2. Review the PRD and architecture docs

     

       590
       +
       3. Check Coves GitHub issues

     

       591
       +
       4. Ask in Coves developer community

+95

scripts/aggregator-setup/1-create-pds-account.sh

···

       1
       +
       #!/bin/bash

     

       2
       +
       

     

       3
       +
       # Script: 1-create-pds-account.sh

     

       4
       +
       # Purpose: Create a PDS account for your aggregator

     

       5
       +
       #

     

       6
       +
       # This script helps you create an account on a PDS (Personal Data Server).

     

       7
       +
       # The PDS will automatically create a DID:PLC for you.

     

       8
       +
       

     

       9
       +
       set -e

     

       10
       +
       

     

       11
       +
       echo "================================================"

     

       12
       +
       echo "Step 1: Create PDS Account for Your Aggregator"

     

       13
       +
       echo "================================================"

     

       14
       +
       echo ""

     

       15
       +
       

     

       16
       +
       # Get PDS URL

     

       17
       +
       read -p "Enter PDS URL (default: https://bsky.social): " PDS_URL

     

       18
       +
       PDS_URL=${PDS_URL:-https://bsky.social}

     

       19
       +
       

     

       20
       +
       # Get credentials

     

       21
       +
       read -p "Enter desired handle (e.g., mynewsbot.bsky.social): " HANDLE

     

       22
       +
       read -p "Enter email: " EMAIL

     

       23
       +
       read -sp "Enter password: " PASSWORD

     

       24
       +
       echo ""

     

       25
       +
       

     

       26
       +
       # Validate inputs

     

       27
       +
       if [ -z "$HANDLE" ] || [ -z "$EMAIL" ] || [ -z "$PASSWORD" ]; then

     

       28
       +
           echo "Error: All fields are required"

     

       29
       +
           exit 1

     

       30
       +
       fi

     

       31
       +
       

     

       32
       +
       echo ""

     

       33
       +
       echo "Creating account on $PDS_URL..."

     

       34
       +
       

     

       35
       +
       # Create account via com.atproto.server.createAccount

     

       36
       +
       RESPONSE=$(curl -s -X POST "$PDS_URL/xrpc/com.atproto.server.createAccount" \

     

       37
       +
           -H "Content-Type: application/json" \

     

       38
       +
           -d "{

     

       39
       +
               \"handle\": \"$HANDLE\",

     

       40
       +
               \"email\": \"$EMAIL\",

     

       41
       +
               \"password\": \"$PASSWORD\"

     

       42
       +
           }")

     

       43
       +
       

     

       44
       +
       # Check if successful

     

       45
       +
       if echo "$RESPONSE" | jq -e '.error' > /dev/null 2>&1; then

     

       46
       +
           echo "Error creating account:"

     

       47
       +
           echo "$RESPONSE" | jq '.'

     

       48
       +
           exit 1

     

       49
       +
       fi

     

       50
       +
       

     

       51
       +
       # Extract DID and access token

     

       52
       +
       DID=$(echo "$RESPONSE" | jq -r '.did')

     

       53
       +
       ACCESS_JWT=$(echo "$RESPONSE" | jq -r '.accessJwt')

     

       54
       +
       REFRESH_JWT=$(echo "$RESPONSE" | jq -r '.refreshJwt')

     

       55
       +
       

     

       56
       +
       if [ -z "$DID" ] || [ "$DID" = "null" ]; then

     

       57
       +
           echo "Error: Failed to extract DID from response"

     

       58
       +
           echo "$RESPONSE" | jq '.'

     

       59
       +
           exit 1

     

       60
       +
       fi

     

       61
       +
       

     

       62
       +
       echo ""

     

       63
       +
       echo "✓ Account created successfully!"

     

       64
       +
       echo ""

     

       65
       +
       echo "=== Save these credentials ===="

     

       66
       +
       echo "DID:          $DID"

     

       67
       +
       echo "Handle:       $HANDLE"

     

       68
       +
       echo "PDS URL:      $PDS_URL"

     

       69
       +
       echo "Email:        $EMAIL"

     

       70
       +
       echo "Password:     [hidden]"

     

       71
       +
       echo "Access JWT:   $ACCESS_JWT"

     

       72
       +
       echo "Refresh JWT:  $REFRESH_JWT"

     

       73
       +
       echo "==============================="

     

       74
       +
       echo ""

     

       75
       +
       

     

       76
       +
       # Save to config file

     

       77
       +
       CONFIG_FILE="aggregator-config.env"

     

       78
       +
       cat > "$CONFIG_FILE" <<EOF

     

       79
       +
       # Aggregator Account Configuration

     

       80
       +
       # Generated: $(date)

     

       81
       +
       

     

       82
       +
       AGGREGATOR_DID="$DID"

     

       83
       +
       AGGREGATOR_HANDLE="$HANDLE"

     

       84
       +
       AGGREGATOR_PDS_URL="$PDS_URL"

     

       85
       +
       AGGREGATOR_EMAIL="$EMAIL"

     

       86
       +
       AGGREGATOR_PASSWORD="$PASSWORD"

     

       87
       +
       AGGREGATOR_ACCESS_JWT="$ACCESS_JWT"

     

       88
       +
       AGGREGATOR_REFRESH_JWT="$REFRESH_JWT"

     

       89
       +
       EOF

     

       90
       +
       

     

       91
       +
       echo "✓ Configuration saved to $CONFIG_FILE"

     

       92
       +
       echo ""

     

       93
       +
       echo "IMPORTANT: Keep this file secure! It contains your credentials."

     

       94
       +
       echo ""

     

       95
       +
       echo "Next step: Run ./2-setup-wellknown.sh"

+93

scripts/aggregator-setup/2-setup-wellknown.sh

···

       1
       +
       #!/bin/bash

     

       2
       +
       

     

       3
       +
       # Script: 2-setup-wellknown.sh

     

       4
       +
       # Purpose: Generate .well-known/atproto-did file for domain verification

     

       5
       +
       #

     

       6
       +
       # This script creates the .well-known/atproto-did file that proves you own your domain.

     

       7
       +
       # You'll need to host this file at https://yourdomain.com/.well-known/atproto-did

     

       8
       +
       

     

       9
       +
       set -e

     

       10
       +
       

     

       11
       +
       echo "================================================"

     

       12
       +
       echo "Step 2: Setup .well-known/atproto-did"

     

       13
       +
       echo "================================================"

     

       14
       +
       echo ""

     

       15
       +
       

     

       16
       +
       # Load config if available

     

       17
       +
       if [ -f "aggregator-config.env" ]; then

     

       18
       +
           source aggregator-config.env

     

       19
       +
           echo "✓ Loaded configuration from aggregator-config.env"

     

       20
       +
           echo "  DID: $AGGREGATOR_DID"

     

       21
       +
           echo ""

     

       22
       +
       else

     

       23
       +
           echo "Configuration file not found. Please run 1-create-pds-account.sh first."

     

       24
       +
           exit 1

     

       25
       +
       fi

     

       26
       +
       

     

       27
       +
       # Get domain

     

       28
       +
       read -p "Enter your aggregator's domain (e.g., rss-bot.example.com): " DOMAIN

     

       29
       +
       

     

       30
       +
       if [ -z "$DOMAIN" ]; then

     

       31
       +
           echo "Error: Domain is required"

     

       32
       +
           exit 1

     

       33
       +
       fi

     

       34
       +
       

     

       35
       +
       # Save domain to config

     

       36
       +
       echo "" >> aggregator-config.env

     

       37
       +
       echo "AGGREGATOR_DOMAIN=\"$DOMAIN\"" >> aggregator-config.env

     

       38
       +
       

     

       39
       +
       echo ""

     

       40
       +
       echo "Creating .well-known directory..."

     

       41
       +
       mkdir -p .well-known

     

       42
       +
       

     

       43
       +
       # Create the atproto-did file

     

       44
       +
       echo "$AGGREGATOR_DID" > .well-known/atproto-did

     

       45
       +
       

     

       46
       +
       echo "✓ Created .well-known/atproto-did with content: $AGGREGATOR_DID"

     

       47
       +
       echo ""

     

       48
       +
       

     

       49
       +
       echo "================================================"

     

       50
       +
       echo "Next Steps:"

     

       51
       +
       echo "================================================"

     

       52
       +
       echo ""

     

       53
       +
       echo "1. Upload the .well-known directory to your web server"

     

       54
       +
       echo "   The file must be accessible at:"

     

       55
       +
       echo "   https://$DOMAIN/.well-known/atproto-did"

     

       56
       +
       echo ""

     

       57
       +
       echo "2. Verify it's working by running:"

     

       58
       +
       echo "   curl https://$DOMAIN/.well-known/atproto-did"

     

       59
       +
       echo "   (Should return: $AGGREGATOR_DID)"

     

       60
       +
       echo ""

     

       61
       +
       echo "3. Once verified, run: ./3-register-with-coves.sh"

     

       62
       +
       echo ""

     

       63
       +
       

     

       64
       +
       # Create nginx example

     

       65
       +
       cat > nginx-example.conf <<EOF

     

       66
       +
       # Example nginx configuration for serving .well-known

     

       67
       +
       # Add this to your nginx server block:

     

       68
       +
       

     

       69
       +
       location /.well-known/atproto-did {

     

       70
       +
           alias /path/to/your/.well-known/atproto-did;

     

       71
       +
           default_type text/plain;

     

       72
       +
           add_header Access-Control-Allow-Origin *;

     

       73
       +
       }

     

       74
       +
       EOF

     

       75
       +
       

     

       76
       +
       echo "✓ Created nginx-example.conf for reference"

     

       77
       +
       echo ""

     

       78
       +
       

     

       79
       +
       # Create Apache example

     

       80
       +
       cat > apache-example.conf <<EOF

     

       81
       +
       # Example Apache configuration for serving .well-known

     

       82
       +
       # Add this to your Apache virtual host:

     

       83
       +
       

     

       84
       +
       Alias /.well-known /path/to/your/.well-known

     

       85
       +
       <Directory /path/to/your/.well-known>

     

       86
       +
           Options None

     

       87
       +
           AllowOverride None

     

       88
       +
           Require all granted

     

       89
       +
           Header set Access-Control-Allow-Origin "*"

     

       90
       +
       </Directory>

     

       91
       +
       EOF

     

       92
       +
       

     

       93
       +
       echo "✓ Created apache-example.conf for reference"

+103

scripts/aggregator-setup/3-register-with-coves.sh

···

       1
       +
       #!/bin/bash

     

       2
       +
       

     

       3
       +
       # Script: 3-register-with-coves.sh

     

       4
       +
       # Purpose: Register your aggregator with a Coves instance

     

       5
       +
       #

     

       6
       +
       # This script calls the social.coves.aggregator.register XRPC endpoint

     

       7
       +
       # to register your aggregator DID with the Coves instance.

     

       8
       +
       

     

       9
       +
       set -e

     

       10
       +
       

     

       11
       +
       echo "================================================"

     

       12
       +
       echo "Step 3: Register with Coves Instance"

     

       13
       +
       echo "================================================"

     

       14
       +
       echo ""

     

       15
       +
       

     

       16
       +
       # Load config if available

     

       17
       +
       if [ -f "aggregator-config.env" ]; then

     

       18
       +
           source aggregator-config.env

     

       19
       +
           echo "✓ Loaded configuration from aggregator-config.env"

     

       20
       +
           echo "  DID:    $AGGREGATOR_DID"

     

       21
       +
           echo "  Domain: $AGGREGATOR_DOMAIN"

     

       22
       +
           echo ""

     

       23
       +
       else

     

       24
       +
           echo "Configuration file not found. Please run previous scripts first."

     

       25
       +
           exit 1

     

       26
       +
       fi

     

       27
       +
       

     

       28
       +
       # Validate domain is set

     

       29
       +
       if [ -z "$AGGREGATOR_DOMAIN" ]; then

     

       30
       +
           echo "Error: AGGREGATOR_DOMAIN not set. Please run 2-setup-wellknown.sh first."

     

       31
       +
           exit 1

     

       32
       +
       fi

     

       33
       +
       

     

       34
       +
       # Get Coves instance URL

     

       35
       +
       read -p "Enter Coves instance URL (default: https://api.coves.social): " COVES_URL

     

       36
       +
       COVES_URL=${COVES_URL:-https://api.coves.social}

     

       37
       +
       

     

       38
       +
       echo ""

     

       39
       +
       echo "Verifying .well-known/atproto-did is accessible..."

     

       40
       +
       

     

       41
       +
       # Verify .well-known is accessible

     

       42
       +
       WELLKNOWN_URL="https://$AGGREGATOR_DOMAIN/.well-known/atproto-did"

     

       43
       +
       WELLKNOWN_CONTENT=$(curl -s "$WELLKNOWN_URL" || echo "ERROR")

     

       44
       +
       

     

       45
       +
       if [ "$WELLKNOWN_CONTENT" = "ERROR" ]; then

     

       46
       +
           echo "✗ Error: Could not access $WELLKNOWN_URL"

     

       47
       +
           echo "  Please ensure the file is uploaded and accessible."

     

       48
       +
           exit 1

     

       49
       +
       elif [ "$WELLKNOWN_CONTENT" != "$AGGREGATOR_DID" ]; then

     

       50
       +
           echo "✗ Error: .well-known/atproto-did contains wrong DID"

     

       51
       +
           echo "  Expected: $AGGREGATOR_DID"

     

       52
       +
           echo "  Got:      $WELLKNOWN_CONTENT"

     

       53
       +
           exit 1

     

       54
       +
       fi

     

       55
       +
       

     

       56
       +
       echo "✓ .well-known/atproto-did is correctly configured"

     

       57
       +
       echo ""

     

       58
       +
       

     

       59
       +
       echo "Registering with $COVES_URL..."

     

       60
       +
       

     

       61
       +
       # Call registration endpoint

     

       62
       +
       RESPONSE=$(curl -s -X POST "$COVES_URL/xrpc/social.coves.aggregator.register" \

     

       63
       +
           -H "Content-Type: application/json" \

     

       64
       +
           -d "{

     

       65
       +
               \"did\": \"$AGGREGATOR_DID\",

     

       66
       +
               \"domain\": \"$AGGREGATOR_DOMAIN\"

     

       67
       +
           }")

     

       68
       +
       

     

       69
       +
       # Check if successful

     

       70
       +
       if echo "$RESPONSE" | jq -e '.error' > /dev/null 2>&1; then

     

       71
       +
           echo "✗ Registration failed:"

     

       72
       +
           echo "$RESPONSE" | jq '.'

     

       73
       +
           exit 1

     

       74
       +
       fi

     

       75
       +
       

     

       76
       +
       # Extract response

     

       77
       +
       REGISTERED_DID=$(echo "$RESPONSE" | jq -r '.did')

     

       78
       +
       REGISTERED_HANDLE=$(echo "$RESPONSE" | jq -r '.handle')

     

       79
       +
       MESSAGE=$(echo "$RESPONSE" | jq -r '.message')

     

       80
       +
       

     

       81
       +
       if [ -z "$REGISTERED_DID" ] || [ "$REGISTERED_DID" = "null" ]; then

     

       82
       +
           echo "✗ Error: Unexpected response format"

     

       83
       +
           echo "$RESPONSE" | jq '.'

     

       84
       +
           exit 1

     

       85
       +
       fi

     

       86
       +
       

     

       87
       +
       echo ""

     

       88
       +
       echo "✓ Registration successful!"

     

       89
       +
       echo ""

     

       90
       +
       echo "=== Registration Details ===="

     

       91
       +
       echo "DID:     $REGISTERED_DID"

     

       92
       +
       echo "Handle:  $REGISTERED_HANDLE"

     

       93
       +
       echo "Message: $MESSAGE"

     

       94
       +
       echo "============================="

     

       95
       +
       echo ""

     

       96
       +
       

     

       97
       +
       # Save Coves URL to config

     

       98
       +
       echo "" >> aggregator-config.env

     

       99
       +
       echo "COVES_INSTANCE_URL=\"$COVES_URL\"" >> aggregator-config.env

     

       100
       +
       

     

       101
       +
       echo "✓ Updated aggregator-config.env with Coves instance URL"

     

       102
       +
       echo ""

     

       103
       +
       echo "Next step: Run ./4-create-service-declaration.sh"

+125

scripts/aggregator-setup/4-create-service-declaration.sh

···

       1
       +
       #!/bin/bash

     

       2
       +
       

     

       3
       +
       # Script: 4-create-service-declaration.sh

     

       4
       +
       # Purpose: Create aggregator service declaration record

     

       5
       +
       #

     

       6
       +
       # This script writes a social.coves.aggregator.service record to your aggregator's repository.

     

       7
       +
       # This record contains metadata about your aggregator (name, description, etc.) and will be

     

       8
       +
       # indexed by Coves' Jetstream consumer into the aggregators table.

     

       9
       +
       

     

       10
       +
       set -e

     

       11
       +
       

     

       12
       +
       echo "================================================"

     

       13
       +
       echo "Step 4: Create Service Declaration"

     

       14
       +
       echo "================================================"

     

       15
       +
       echo ""

     

       16
       +
       

     

       17
       +
       # Load config if available

     

       18
       +
       if [ -f "aggregator-config.env" ]; then

     

       19
       +
           source aggregator-config.env

     

       20
       +
           echo "✓ Loaded configuration from aggregator-config.env"

     

       21
       +
           echo "  DID:       $AGGREGATOR_DID"

     

       22
       +
           echo "  PDS URL:   $AGGREGATOR_PDS_URL"

     

       23
       +
           echo ""

     

       24
       +
       else

     

       25
       +
           echo "Configuration file not found. Please run previous scripts first."

     

       26
       +
           exit 1

     

       27
       +
       fi

     

       28
       +
       

     

       29
       +
       # Validate required fields

     

       30
       +
       if [ -z "$AGGREGATOR_ACCESS_JWT" ]; then

     

       31
       +
           echo "Error: AGGREGATOR_ACCESS_JWT not set. Please run 1-create-pds-account.sh first."

     

       32
       +
           exit 1

     

       33
       +
       fi

     

       34
       +
       

     

       35
       +
       echo "Enter aggregator metadata:"

     

       36
       +
       echo ""

     

       37
       +
       

     

       38
       +
       # Get metadata from user

     

       39
       +
       read -p "Display Name (e.g., 'RSS News Aggregator'): " DISPLAY_NAME

     

       40
       +
       read -p "Description: " DESCRIPTION

     

       41
       +
       read -p "Source URL (e.g., 'https://github.com/yourname/aggregator'): " SOURCE_URL

     

       42
       +
       read -p "Maintainer DID (your personal DID, optional): " MAINTAINER_DID

     

       43
       +
       

     

       44
       +
       if [ -z "$DISPLAY_NAME" ]; then

     

       45
       +
           echo "Error: Display name is required"

     

       46
       +
           exit 1

     

       47
       +
       fi

     

       48
       +
       

     

       49
       +
       echo ""

     

       50
       +
       echo "Creating service declaration record..."

     

       51
       +
       

     

       52
       +
       # Build the service record

     

       53
       +
       SERVICE_RECORD=$(cat <<EOF

     

       54
       +
       {

     

       55
       +
           "\$type": "social.coves.aggregator.service",

     

       56
       +
           "did": "$AGGREGATOR_DID",

     

       57
       +
           "displayName": "$DISPLAY_NAME",

     

       58
       +
           "description": "$DESCRIPTION",

     

       59
       +
           "sourceUrl": "$SOURCE_URL",

     

       60
       +
           "maintainer": "$MAINTAINER_DID",

     

       61
       +
           "createdAt": "$(date -u +"%Y-%m-%dT%H:%M:%SZ")"

     

       62
       +
       }

     

       63
       +
       EOF

     

       64
       +
       )

     

       65
       +
       

     

       66
       +
       # Call com.atproto.repo.createRecord

     

       67
       +
       RESPONSE=$(curl -s -X POST "$AGGREGATOR_PDS_URL/xrpc/com.atproto.repo.createRecord" \

     

       68
       +
           -H "Authorization: Bearer $AGGREGATOR_ACCESS_JWT" \

     

       69
       +
           -H "Content-Type: application/json" \

     

       70
       +
           -d "{

     

       71
       +
               \"repo\": \"$AGGREGATOR_DID\",

     

       72
       +
               \"collection\": \"social.coves.aggregator.service\",

     

       73
       +
               \"rkey\": \"self\",

     

       74
       +
               \"record\": $SERVICE_RECORD

     

       75
       +
           }")

     

       76
       +
       

     

       77
       +
       # Check if successful

     

       78
       +
       if echo "$RESPONSE" | jq -e '.error' > /dev/null 2>&1; then

     

       79
       +
           echo "✗ Failed to create service declaration:"

     

       80
       +
           echo "$RESPONSE" | jq '.'

     

       81
       +
           exit 1

     

       82
       +
       fi

     

       83
       +
       

     

       84
       +
       # Extract response

     

       85
       +
       RECORD_URI=$(echo "$RESPONSE" | jq -r '.uri')

     

       86
       +
       RECORD_CID=$(echo "$RESPONSE" | jq -r '.cid')

     

       87
       +
       

     

       88
       +
       if [ -z "$RECORD_URI" ] || [ "$RECORD_URI" = "null" ]; then

     

       89
       +
           echo "✗ Error: Unexpected response format"

     

       90
       +
           echo "$RESPONSE" | jq '.'

     

       91
       +
           exit 1

     

       92
       +
       fi

     

       93
       +
       

     

       94
       +
       echo ""

     

       95
       +
       echo "✓ Service declaration created successfully!"

     

       96
       +
       echo ""

     

       97
       +
       echo "=== Record Details ===="

     

       98
       +
       echo "URI: $RECORD_URI"

     

       99
       +
       echo "CID: $RECORD_CID"

     

       100
       +
       echo "======================="

     

       101
       +
       echo ""

     

       102
       +
       

     

       103
       +
       # Save to config

     

       104
       +
       echo "" >> aggregator-config.env

     

       105
       +
       echo "SERVICE_DECLARATION_URI=\"$RECORD_URI\"" >> aggregator-config.env

     

       106
       +
       echo "SERVICE_DECLARATION_CID=\"$RECORD_CID\"" >> aggregator-config.env

     

       107
       +
       

     

       108
       +
       echo "✓ Updated aggregator-config.env"

     

       109
       +
       echo ""

     

       110
       +
       echo "================================================"

     

       111
       +
       echo "Setup Complete!"

     

       112
       +
       echo "================================================"

     

       113
       +
       echo ""

     

       114
       +
       echo "Your aggregator is now registered with Coves!"

     

       115
       +
       echo ""

     

       116
       +
       echo "Next steps:"

     

       117
       +
       echo "1. Wait a few seconds for Jetstream to index your service declaration"

     

       118
       +
       echo "2. Verify your aggregator appears in the aggregators list"

     

       119
       +
       echo "3. Community moderators can now authorize your aggregator"

     

       120
       +
       echo "4. Once authorized, you can start posting to communities"

     

       121
       +
       echo ""

     

       122
       +
       echo "To test posting, use the Coves XRPC endpoint:"

     

       123
       +
       echo "  POST $COVES_INSTANCE_URL/xrpc/social.coves.community.post.create"

     

       124
       +
       echo ""

     

       125
       +
       echo "See docs/aggregators/SETUP_GUIDE.md for more information"

+252

scripts/aggregator-setup/README.md

···

       1
       +
       # Aggregator Setup Scripts

     

       2
       +
       

     

       3
       +
       This directory contains scripts to help you set up and register your aggregator with Coves instances.

     

       4
       +
       

     

       5
       +
       ## Overview

     

       6
       +
       

     

       7
       +
       Aggregators are automated services that post content to Coves communities. They are similar to Bluesky's feed generators and labelers. To use aggregators with Coves, you need to:

     

       8
       +
       

     

       9
       +
       1. Create a PDS account for your aggregator (gets you a DID)

     

       10
       +
       2. Prove you own a domain via `.well-known/atproto-did`

     

       11
       +
       3. Register with a Coves instance

     

       12
       +
       4. Create a service declaration record

     

       13
       +
       

     

       14
       +
       These scripts automate this process for you.

     

       15
       +
       

     

       16
       +
       ## Prerequisites

     

       17
       +
       

     

       18
       +
       - **Domain ownership**: You must own a domain where you can host the `.well-known/atproto-did` file

     

       19
       +
       - **Web server**: Ability to serve static files over HTTPS

     

       20
       +
       - **Tools**: `curl`, `jq` (for JSON processing)

     

       21
       +
       - **Account**: Email address for creating the PDS account

     

       22
       +
       

     

       23
       +
       ## Quick Start

     

       24
       +
       

     

       25
       +
       ### Interactive Setup (Recommended)

     

       26
       +
       

     

       27
       +
       Run the scripts in order:

     

       28
       +
       

     

       29
       +
       ```bash

     

       30
       +
       # Make scripts executable

     

       31
       +
       chmod +x *.sh

     

       32
       +
       

     

       33
       +
       # Step 1: Create PDS account

     

       34
       +
       ./1-create-pds-account.sh

     

       35
       +
       

     

       36
       +
       # Step 2: Generate .well-known file

     

       37
       +
       ./2-setup-wellknown.sh

     

       38
       +
       

     

       39
       +
       # Step 3: Register with Coves (after uploading .well-known)

     

       40
       +
       ./3-register-with-coves.sh

     

       41
       +
       

     

       42
       +
       # Step 4: Create service declaration

     

       43
       +
       ./4-create-service-declaration.sh

     

       44
       +
       ```

     

       45
       +
       

     

       46
       +
       ### Automated Setup Example

     

       47
       +
       

     

       48
       +
       For a reference implementation of automated setup, see the Kagi News aggregator at [aggregators/kagi-news/scripts/setup.sh](../../aggregators/kagi-news/scripts/setup.sh).

     

       49
       +
       

     

       50
       +
       The Kagi script shows how to automate all 4 steps (with the manual .well-known upload step in between).

     

       51
       +
       

     

       52
       +
       ## Script Reference

     

       53
       +
       

     

       54
       +
       ### 1-create-pds-account.sh

     

       55
       +
       

     

       56
       +
       **Purpose**: Creates a PDS account for your aggregator

     

       57
       +
       

     

       58
       +
       **Prompts for**:

     

       59
       +
       - PDS URL (default: https://bsky.social)

     

       60
       +
       - Handle (e.g., mynewsbot.bsky.social)

     

       61
       +
       - Email

     

       62
       +
       - Password

     

       63
       +
       

     

       64
       +
       **Outputs**:

     

       65
       +
       - `aggregator-config.env` - Configuration file with DID and credentials

     

       66
       +
       - Prints your DID and access tokens

     

       67
       +
       

     

       68
       +
       **Notes**:

     

       69
       +
       - Keep the config file secure! It contains your credentials

     

       70
       +
       - The PDS automatically generates a DID:PLC for you

     

       71
       +
       - You can use any PDS service, not just bsky.social

     

       72
       +
       

     

       73
       +
       ### 2-setup-wellknown.sh

     

       74
       +
       

     

       75
       +
       **Purpose**: Generates the `.well-known/atproto-did` file for domain verification

     

       76
       +
       

     

       77
       +
       **Prompts for**:

     

       78
       +
       - Your domain (e.g., rss-bot.example.com)

     

       79
       +
       

     

       80
       +
       **Outputs**:

     

       81
       +
       - `.well-known/atproto-did` - File containing your DID

     

       82
       +
       - `nginx-example.conf` - Example nginx configuration

     

       83
       +
       - `apache-example.conf` - Example Apache configuration

     

       84
       +
       

     

       85
       +
       **Manual step required**:

     

       86
       +
       Upload the `.well-known` directory to your web server. The file must be accessible at:

     

       87
       +
       ```

     

       88
       +
       https://yourdomain.com/.well-known/atproto-did

     

       89
       +
       ```

     

       90
       +
       

     

       91
       +
       **Verify it works**:

     

       92
       +
       ```bash

     

       93
       +
       curl https://yourdomain.com/.well-known/atproto-did

     

       94
       +
       # Should return your DID (e.g., did:plc:abc123...)

     

       95
       +
       ```

     

       96
       +
       

     

       97
       +
       ### 3-register-with-coves.sh

     

       98
       +
       

     

       99
       +
       **Purpose**: Registers your aggregator with a Coves instance

     

       100
       +
       

     

       101
       +
       **Prompts for**:

     

       102
       +
       - Coves instance URL (default: https://api.coves.social)

     

       103
       +
       

     

       104
       +
       **Prerequisites**:

     

       105
       +
       - `.well-known/atproto-did` must be accessible from your domain

     

       106
       +
       - Scripts 1 and 2 must be completed

     

       107
       +
       

     

       108
       +
       **What it does**:

     

       109
       +
       1. Verifies your `.well-known/atproto-did` is accessible

     

       110
       +
       2. Calls `social.coves.aggregator.register` XRPC endpoint

     

       111
       +
       3. Coves verifies domain ownership

     

       112
       +
       4. Inserts your aggregator into the `users` table

     

       113
       +
       

     

       114
       +
       **Outputs**:

     

       115
       +
       - Updates `aggregator-config.env` with Coves instance URL

     

       116
       +
       - Prints registration confirmation

     

       117
       +
       

     

       118
       +
       ### 4-create-service-declaration.sh

     

       119
       +
       

     

       120
       +
       **Purpose**: Creates the service declaration record in your repository

     

       121
       +
       

     

       122
       +
       **Prompts for**:

     

       123
       +
       - Display name (e.g., "RSS News Aggregator")

     

       124
       +
       - Description

     

       125
       +
       - Source URL (GitHub repo, etc.)

     

       126
       +
       - Maintainer DID (optional)

     

       127
       +
       

     

       128
       +
       **What it does**:

     

       129
       +
       1. Creates a `social.coves.aggregator.service` record at `at://your-did/social.coves.aggregator.service/self`

     

       130
       +
       2. Jetstream consumer will index this into the `aggregators` table

     

       131
       +
       3. Communities can now discover and authorize your aggregator

     

       132
       +
       

     

       133
       +
       **Outputs**:

     

       134
       +
       - Updates `aggregator-config.env` with record URI and CID

     

       135
       +
       - Prints record details

     

       136
       +
       

     

       137
       +
       ## Configuration File

     

       138
       +
       

     

       139
       +
       After running the scripts, you'll have an `aggregator-config.env` file with:

     

       140
       +
       

     

       141
       +
       ```bash

     

       142
       +
       AGGREGATOR_DID="did:plc:..."

     

       143
       +
       AGGREGATOR_HANDLE="mynewsbot.bsky.social"

     

       144
       +
       AGGREGATOR_PDS_URL="https://bsky.social"

     

       145
       +
       AGGREGATOR_EMAIL="bot@example.com"

     

       146
       +
       AGGREGATOR_PASSWORD="..."

     

       147
       +
       AGGREGATOR_ACCESS_JWT="..."

     

       148
       +
       AGGREGATOR_REFRESH_JWT="..."

     

       149
       +
       AGGREGATOR_DOMAIN="rss-bot.example.com"

     

       150
       +
       COVES_INSTANCE_URL="https://api.coves.social"

     

       151
       +
       SERVICE_DECLARATION_URI="at://did:plc:.../social.coves.aggregator.service/self"

     

       152
       +
       SERVICE_DECLARATION_CID="..."

     

       153
       +
       ```

     

       154
       +
       

     

       155
       +
       **Use this in your aggregator code** to authenticate and post.

     

       156
       +
       

     

       157
       +
       ## What Happens Next?

     

       158
       +
       

     

       159
       +
       After completing all 4 steps:

     

       160
       +
       

     

       161
       +
       1. **Your aggregator is registered** in the Coves instance's `users` table

     

       162
       +
       2. **Your service declaration is indexed** in the `aggregators` table (takes a few seconds)

     

       163
       +
       3. **Community moderators can now authorize** your aggregator for their communities

     

       164
       +
       4. **Once authorized**, your aggregator can post to those communities

     

       165
       +
       

     

       166
       +
       ## Creating an Authorization

     

       167
       +
       

     

       168
       +
       Authorizations are created by community moderators, not by aggregators. The moderator writes a `social.coves.aggregator.authorization` record to their community's repository.

     

       169
       +
       

     

       170
       +
       See `docs/aggregators/SETUP_GUIDE.md` for more information on the authorization process.

     

       171
       +
       

     

       172
       +
       ## Posting to Communities

     

       173
       +
       

     

       174
       +
       Once authorized, your aggregator can post using:

     

       175
       +
       

     

       176
       +
       ```bash

     

       177
       +
       curl -X POST https://api.coves.social/xrpc/social.coves.community.post.create \

     

       178
       +
         -H "Authorization: Bearer $AGGREGATOR_ACCESS_JWT" \

     

       179
       +
         -H "Content-Type: application/json" \

     

       180
       +
         -d '{

     

       181
       +
           "communityDid": "did:plc:...",

     

       182
       +
           "post": {

     

       183
       +
             "text": "Your post content",

     

       184
       +
             "createdAt": "2024-01-15T12:00:00Z"

     

       185
       +
           }

     

       186
       +
         }'

     

       187
       +
       ```

     

       188
       +
       

     

       189
       +
       ## Troubleshooting

     

       190
       +
       

     

       191
       +
       ### Error: "DomainVerificationFailed"

     

       192
       +
       

     

       193
       +
       - Verify `.well-known/atproto-did` is accessible: `curl https://yourdomain.com/.well-known/atproto-did`

     

       194
       +
       - Check the content matches your DID exactly (no extra whitespace)

     

       195
       +
       - Ensure HTTPS is working (not HTTP)

     

       196
       +
       - Check CORS headers if accessing from browser

     

       197
       +
       

     

       198
       +
       ### Error: "AlreadyRegistered"

     

       199
       +
       

     

       200
       +
       - You've already registered this DID with this Coves instance

     

       201
       +
       - This is safe to ignore if you're re-running the setup

     

       202
       +
       

     

       203
       +
       ### Error: "DIDResolutionFailed"

     

       204
       +
       

     

       205
       +
       - Your DID might be invalid or not found in the PLC directory

     

       206
       +
       - Verify your DID exists: `curl https://plc.directory/<your-did>`

     

       207
       +
       - Wait a few seconds and try again (PLC directory might be propagating)

     

       208
       +
       

     

       209
       +
       ### Service declaration not appearing

     

       210
       +
       

     

       211
       +
       - Wait 5-10 seconds for Jetstream consumer to index it

     

       212
       +
       - Check the Jetstream logs for errors

     

       213
       +
       - Verify the record was created: Check your PDS at `at://your-did/social.coves.aggregator.service/self`

     

       214
       +
       

     

       215
       +
       ## Example: Kagi News Aggregator

     

       216
       +
       

     

       217
       +
       For a complete reference implementation, see the Kagi News aggregator at `aggregators/kagi-news/`.

     

       218
       +
       

     

       219
       +
       The Kagi aggregator includes an automated setup script at [aggregators/kagi-news/scripts/setup.sh](../../aggregators/kagi-news/scripts/setup.sh) that demonstrates how to:

     

       220
       +
       

     

       221
       +
       - Automate the entire registration process

     

       222
       +
       - Use environment variables for configuration

     

       223
       +
       - Handle errors gracefully

     

       224
       +
       - Integrate the setup into your aggregator project

     

       225
       +
       

     

       226
       +
       This shows how you can package scripts 1-4 into a single automated flow for your specific aggregator.

     

       227
       +
       

     

       228
       +
       ## Security Notes

     

       229
       +
       

     

       230
       +
       - **Never commit `aggregator-config.env`** to version control

     

       231
       +
       - Store credentials securely (use environment variables or secret management)

     

       232
       +
       - Rotate access tokens regularly

     

       233
       +
       - Use HTTPS for all API calls

     

       234
       +
       - Validate community authorization before posting

     

       235
       +
       

     

       236
       +
       ## More Information

     

       237
       +
       

     

       238
       +
       - [Aggregator Setup Guide](../../docs/aggregators/SETUP_GUIDE.md)

     

       239
       +
       - [Aggregator PRD](../../docs/aggregators/PRD_AGGREGATORS.md)

     

       240
       +
       - [atProto Identity Guide](../../ATPROTO_GUIDE.md)

     

       241
       +
       - [Coves Communities PRD](../../docs/PRD_COMMUNITIES.md)

     

       242
       +
       

     

       243
       +
       ## Support

     

       244
       +
       

     

       245
       +
       If you encounter issues:

     

       246
       +
       

     

       247
       +
       1. Check the troubleshooting section above

     

       248
       +
       2. Review the full documentation in `docs/aggregators/`

     

       249
       +
       3. Open an issue on GitHub with:

     

       250
       +
          - Which script failed

     

       251
       +
          - Error message

     

       252
       +
          - Your domain (without credentials)

+195

aggregators/kagi-news/scripts/setup.sh

···

       1
       +
       #!/bin/bash

     

       2
       +
       

     

       3
       +
       # Script: setup-kagi-aggregator.sh

     

       4
       +
       # Purpose: Complete setup script for Kagi News RSS aggregator

     

       5
       +
       #

     

       6
       +
       # This is a reference implementation showing automated setup for a specific aggregator.

     

       7
       +
       # Other aggregator developers can use this as a template.

     

       8
       +
       

     

       9
       +
       set -e

     

       10
       +
       

     

       11
       +
       echo "================================================"

     

       12
       +
       echo "Kagi News RSS Aggregator - Automated Setup"

     

       13
       +
       echo "================================================"

     

       14
       +
       echo ""

     

       15
       +
       

     

       16
       +
       # Configuration for Kagi aggregator

     

       17
       +
       AGGREGATOR_NAME="kagi-news-bot"

     

       18
       +
       DISPLAY_NAME="Kagi News RSS"

     

       19
       +
       DESCRIPTION="Aggregates tech news from Kagi RSS feeds and posts to relevant communities"

     

       20
       +
       SOURCE_URL="https://github.com/coves-social/kagi-aggregator"

     

       21
       +
       

     

       22
       +
       # Check if config already exists

     

       23
       +
       if [ -f "kagi-aggregator-config.env" ]; then

     

       24
       +
           echo "Configuration file already exists. Loading existing configuration..."

     

       25
       +
           source kagi-aggregator-config.env

     

       26
       +
           SKIP_ACCOUNT_CREATION=true

     

       27
       +
       else

     

       28
       +
           SKIP_ACCOUNT_CREATION=false

     

       29
       +
       fi

     

       30
       +
       

     

       31
       +
       # Get runtime configuration

     

       32
       +
       if [ "$SKIP_ACCOUNT_CREATION" = false ]; then

     

       33
       +
           read -p "Enter PDS URL (default: https://bsky.social): " PDS_URL

     

       34
       +
           PDS_URL=${PDS_URL:-https://bsky.social}

     

       35
       +
       

     

       36
       +
           read -p "Enter email for bot account: " EMAIL

     

       37
       +
           read -sp "Enter password for bot account: " PASSWORD

     

       38
       +
           echo ""

     

       39
       +
       

     

       40
       +
           # Generate handle

     

       41
       +
           TIMESTAMP=$(date +%s)

     

       42
       +
           HANDLE="$AGGREGATOR_NAME-$TIMESTAMP.bsky.social"

     

       43
       +
       

     

       44
       +
           echo ""

     

       45
       +
           echo "Creating PDS account..."

     

       46
       +
           echo "Handle: $HANDLE"

     

       47
       +
       

     

       48
       +
           # Create account

     

       49
       +
           RESPONSE=$(curl -s -X POST "$PDS_URL/xrpc/com.atproto.server.createAccount" \

     

       50
       +
               -H "Content-Type: application/json" \

     

       51
       +
               -d "{

     

       52
       +
                   \"handle\": \"$HANDLE\",

     

       53
       +
                   \"email\": \"$EMAIL\",

     

       54
       +
                   \"password\": \"$PASSWORD\"

     

       55
       +
               }")

     

       56
       +
       

     

       57
       +
           if echo "$RESPONSE" | jq -e '.error' > /dev/null 2>&1; then

     

       58
       +
               echo "✗ Error creating account:"

     

       59
       +
               echo "$RESPONSE" | jq '.'

     

       60
       +
               exit 1

     

       61
       +
           fi

     

       62
       +
       

     

       63
       +
           DID=$(echo "$RESPONSE" | jq -r '.did')

     

       64
       +
           ACCESS_JWT=$(echo "$RESPONSE" | jq -r '.accessJwt')

     

       65
       +
           REFRESH_JWT=$(echo "$RESPONSE" | jq -r '.refreshJwt')

     

       66
       +
       

     

       67
       +
           echo "✓ Account created: $DID"

     

       68
       +
       

     

       69
       +
           # Save configuration

     

       70
       +
           cat > kagi-aggregator-config.env <<EOF

     

       71
       +
       # Kagi Aggregator Configuration

     

       72
       +
       AGGREGATOR_DID="$DID"

     

       73
       +
       AGGREGATOR_HANDLE="$HANDLE"

     

       74
       +
       AGGREGATOR_PDS_URL="$PDS_URL"

     

       75
       +
       AGGREGATOR_EMAIL="$EMAIL"

     

       76
       +
       AGGREGATOR_PASSWORD="$PASSWORD"

     

       77
       +
       AGGREGATOR_ACCESS_JWT="$ACCESS_JWT"

     

       78
       +
       AGGREGATOR_REFRESH_JWT="$REFRESH_JWT"

     

       79
       +
       EOF

     

       80
       +
       

     

       81
       +
           echo "✓ Configuration saved to kagi-aggregator-config.env"

     

       82
       +
       fi

     

       83
       +
       

     

       84
       +
       # Get domain and Coves instance

     

       85
       +
       read -p "Enter aggregator domain (e.g., kagi-news.example.com): " DOMAIN

     

       86
       +
       read -p "Enter Coves instance URL (default: https://api.coves.social): " COVES_URL

     

       87
       +
       COVES_URL=${COVES_URL:-https://api.coves.social}

     

       88
       +
       

     

       89
       +
       # Setup .well-known

     

       90
       +
       echo ""

     

       91
       +
       echo "Setting up .well-known/atproto-did..."

     

       92
       +
       mkdir -p .well-known

     

       93
       +
       echo "$DID" > .well-known/atproto-did

     

       94
       +
       echo "✓ Created .well-known/atproto-did"

     

       95
       +
       

     

       96
       +
       echo ""

     

       97
       +
       echo "================================================"

     

       98
       +
       echo "IMPORTANT: Manual Step Required"

     

       99
       +
       echo "================================================"

     

       100
       +
       echo ""

     

       101
       +
       echo "Upload the .well-known directory to your web server at:"

     

       102
       +
       echo "  https://$DOMAIN/.well-known/atproto-did"

     

       103
       +
       echo ""

     

       104
       +
       read -p "Press Enter when the file is uploaded and accessible..."

     

       105
       +
       

     

       106
       +
       # Verify .well-known

     

       107
       +
       echo ""

     

       108
       +
       echo "Verifying .well-known/atproto-did..."

     

       109
       +
       WELLKNOWN_CONTENT=$(curl -s "https://$DOMAIN/.well-known/atproto-did" || echo "ERROR")

     

       110
       +
       

     

       111
       +
       if [ "$WELLKNOWN_CONTENT" != "$DID" ]; then

     

       112
       +
           echo "✗ Error: .well-known/atproto-did not accessible or contains wrong DID"

     

       113
       +
           echo "  Expected: $DID"

     

       114
       +
           echo "  Got:      $WELLKNOWN_CONTENT"

     

       115
       +
           exit 1

     

       116
       +
       fi

     

       117
       +
       

     

       118
       +
       echo "✓ .well-known/atproto-did verified"

     

       119
       +
       

     

       120
       +
       # Register with Coves

     

       121
       +
       echo ""

     

       122
       +
       echo "Registering with Coves instance..."

     

       123
       +
       RESPONSE=$(curl -s -X POST "$COVES_URL/xrpc/social.coves.aggregator.register" \

     

       124
       +
           -H "Content-Type: application/json" \

     

       125
       +
           -d "{

     

       126
       +
               \"did\": \"$DID\",

     

       127
       +
               \"domain\": \"$DOMAIN\"

     

       128
       +
           }")

     

       129
       +
       

     

       130
       +
       if echo "$RESPONSE" | jq -e '.error' > /dev/null 2>&1; then

     

       131
       +
           echo "✗ Registration failed:"

     

       132
       +
           echo "$RESPONSE" | jq '.'

     

       133
       +
           exit 1

     

       134
       +
       fi

     

       135
       +
       

     

       136
       +
       echo "✓ Registered with Coves"

     

       137
       +
       

     

       138
       +
       # Create service declaration

     

       139
       +
       echo ""

     

       140
       +
       echo "Creating service declaration..."

     

       141
       +
       SERVICE_RECORD=$(cat <<EOF

     

       142
       +
       {

     

       143
       +
           "\$type": "social.coves.aggregator.service",

     

       144
       +
           "did": "$DID",

     

       145
       +
           "displayName": "$DISPLAY_NAME",

     

       146
       +
           "description": "$DESCRIPTION",

     

       147
       +
           "sourceUrl": "$SOURCE_URL",

     

       148
       +
           "createdAt": "$(date -u +"%Y-%m-%dT%H:%M:%SZ")"

     

       149
       +
       }

     

       150
       +
       EOF

     

       151
       +
       )

     

       152
       +
       

     

       153
       +
       RESPONSE=$(curl -s -X POST "$PDS_URL/xrpc/com.atproto.repo.createRecord" \

     

       154
       +
           -H "Authorization: Bearer $ACCESS_JWT" \

     

       155
       +
           -H "Content-Type: application/json" \

     

       156
       +
           -d "{

     

       157
       +
               \"repo\": \"$DID\",

     

       158
       +
               \"collection\": \"social.coves.aggregator.service\",

     

       159
       +
               \"rkey\": \"self\",

     

       160
       +
               \"record\": $SERVICE_RECORD

     

       161
       +
           }")

     

       162
       +
       

     

       163
       +
       if echo "$RESPONSE" | jq -e '.error' > /dev/null 2>&1; then

     

       164
       +
           echo "✗ Failed to create service declaration:"

     

       165
       +
           echo "$RESPONSE" | jq '.'

     

       166
       +
           exit 1

     

       167
       +
       fi

     

       168
       +
       

     

       169
       +
       RECORD_URI=$(echo "$RESPONSE" | jq -r '.uri')

     

       170
       +
       echo "✓ Service declaration created: $RECORD_URI"

     

       171
       +
       

     

       172
       +
       # Save final configuration

     

       173
       +
       cat >> kagi-aggregator-config.env <<EOF

     

       174
       +
       

     

       175
       +
       # Setup completed on $(date)

     

       176
       +
       AGGREGATOR_DOMAIN="$DOMAIN"

     

       177
       +
       COVES_INSTANCE_URL="$COVES_URL"

     

       178
       +
       SERVICE_DECLARATION_URI="$RECORD_URI"

     

       179
       +
       EOF

     

       180
       +
       

     

       181
       +
       echo ""

     

       182
       +
       echo "================================================"

     

       183
       +
       echo "✓ Kagi Aggregator Setup Complete!"

     

       184
       +
       echo "================================================"

     

       185
       +
       echo ""

     

       186
       +
       echo "Configuration saved to: kagi-aggregator-config.env"

     

       187
       +
       echo ""

     

       188
       +
       echo "Your aggregator is now registered and ready to use."

     

       189
       +
       echo ""

     

       190
       +
       echo "Next steps:"

     

       191
       +
       echo "1. Start your aggregator bot: npm start (or appropriate command)"

     

       192
       +
       echo "2. Community moderators can authorize your aggregator"

     

       193
       +
       echo "3. Once authorized, your bot can start posting"

     

       194
       +
       echo ""

     

       195
       +
       echo "See docs/aggregators/SETUP_GUIDE.md for more information"

+55

aggregators/kagi-news/.dockerignore

···

       1
       +
       # Git

     

       2
       +
       .git

     

       3
       +
       .gitignore

     

       4
       +
       

     

       5
       +
       # Python

     

       6
       +
       __pycache__

     

       7
       +
       *.py[cod]

     

       8
       +
       *$py.class

     

       9
       +
       *.so

     

       10
       +
       .Python

     

       11
       +
       venv/

     

       12
       +
       *.egg-info

     

       13
       +
       dist/

     

       14
       +
       build/

     

       15
       +
       

     

       16
       +
       # Testing

     

       17
       +
       .pytest_cache/

     

       18
       +
       .coverage

     

       19
       +
       htmlcov/

     

       20
       +
       .tox/

     

       21
       +
       .hypothesis/

     

       22
       +
       

     

       23
       +
       # IDE

     

       24
       +
       .vscode/

     

       25
       +
       .idea/

     

       26
       +
       *.swp

     

       27
       +
       *.swo

     

       28
       +
       *~

     

       29
       +
       

     

       30
       +
       # Environment

     

       31
       +
       .env.local

     

       32
       +
       .env.*.local

     

       33
       +
       

     

       34
       +
       # Data and logs

     

       35
       +
       data/

     

       36
       +
       *.log

     

       37
       +
       

     

       38
       +
       # Documentation

     

       39
       +
       README.md

     

       40
       +
       docs/

     

       41
       +
       

     

       42
       +
       # Docker

     

       43
       +
       Dockerfile

     

       44
       +
       docker-compose.yml

     

       45
       +
       .dockerignore

     

       46
       +
       

     

       47
       +
       # Development

     

       48
       +
       tests/

     

       49
       +
       pytest.ini

     

       50
       +
       mypy.ini

     

       51
       +
       .mypy_cache/

     

       52
       +
       

     

       53
       +
       # OS

     

       54
       +
       .DS_Store

     

       55
       +
       Thumbs.db

+53

aggregators/kagi-news/Dockerfile

···

       1
       +
       # Kagi News RSS Aggregator

     

       2
       +
       # Production-ready Docker image with cron scheduler

     

       3
       +
       

     

       4
       +
       FROM python:3.11-slim

     

       5
       +
       

     

       6
       +
       # Install cron and other utilities

     

       7
       +
       RUN apt-get update && apt-get install -y \

     

       8
       +
           cron \

     

       9
       +
           curl \

     

       10
       +
           procps \

     

       11
       +
           && rm -rf /var/lib/apt/lists/*

     

       12
       +
       

     

       13
       +
       # Set working directory

     

       14
       +
       WORKDIR /app

     

       15
       +
       

     

       16
       +
       # Copy requirements first for better caching

     

       17
       +
       COPY requirements.txt .

     

       18
       +
       

     

       19
       +
       # Install Python dependencies (exclude dev/test deps in production)

     

       20
       +
       RUN pip install --no-cache-dir \

     

       21
       +
           feedparser==6.0.11 \

     

       22
       +
           beautifulsoup4==4.12.3 \

     

       23
       +
           requests==2.31.0 \

     

       24
       +
           atproto==0.0.55 \

     

       25
       +
           pyyaml==6.0.1

     

       26
       +
       

     

       27
       +
       # Copy application code

     

       28
       +
       COPY src/ ./src/

     

       29
       +
       COPY config.yaml ./

     

       30
       +
       

     

       31
       +
       # Copy crontab file

     

       32
       +
       COPY crontab /etc/cron.d/kagi-aggregator

     

       33
       +
       

     

       34
       +
       # Give execution rights on the cron job and apply it

     

       35
       +
       RUN chmod 0644 /etc/cron.d/kagi-aggregator && \

     

       36
       +
           crontab /etc/cron.d/kagi-aggregator

     

       37
       +
       

     

       38
       +
       # Create log file to be able to run tail

     

       39
       +
       RUN touch /var/log/cron.log

     

       40
       +
       

     

       41
       +
       # Copy entrypoint script

     

       42
       +
       COPY docker-entrypoint.sh /usr/local/bin/

     

       43
       +
       RUN chmod +x /usr/local/bin/docker-entrypoint.sh

     

       44
       +
       

     

       45
       +
       # Health check - verify cron is running

     

       46
       +
       HEALTHCHECK --interval=60s --timeout=10s --start-period=10s --retries=3 \

     

       47
       +
           CMD pgrep cron || exit 1

     

       48
       +
       

     

       49
       +
       # Run the entrypoint script

     

       50
       +
       ENTRYPOINT ["docker-entrypoint.sh"]

     

       51
       +
       

     

       52
       +
       # Default command: tail the cron log

     

       53
       +
       CMD ["tail", "-f", "/var/log/cron.log"]

+48

aggregators/kagi-news/docker-compose.yml

···

       1
       +
       services:

     

       2
       +
         kagi-aggregator:

     

       3
       +
           build:

     

       4
       +
             context: .

     

       5
       +
             dockerfile: Dockerfile

     

       6
       +
           container_name: kagi-news-aggregator

     

       7
       +
           restart: unless-stopped

     

       8
       +
       

     

       9
       +
           # Environment variables - override in .env file or here

     

       10
       +
           environment:

     

       11
       +
             # Required: Aggregator credentials

     

       12
       +
             - AGGREGATOR_HANDLE=${AGGREGATOR_HANDLE}

     

       13
       +
             - AGGREGATOR_PASSWORD=${AGGREGATOR_PASSWORD}

     

       14
       +
       

     

       15
       +
             # Optional: Override Coves API URL

     

       16
       +
             - COVES_API_URL=${COVES_API_URL:-https://api.coves.social}

     

       17
       +
       

     

       18
       +
             # Optional: Run immediately on startup (useful for testing)

     

       19
       +
             - RUN_ON_STARTUP=${RUN_ON_STARTUP:-false}

     

       20
       +
       

     

       21
       +
           # Mount config file if you want to modify it without rebuilding

     

       22
       +
           volumes:

     

       23
       +
             - ./config.yaml:/app/config.yaml:ro

     

       24
       +
             - ./data:/app/data  # For state persistence (if implemented)

     

       25
       +
       

     

       26
       +
           # Use env_file to load credentials from .env

     

       27
       +
           env_file:

     

       28
       +
             - .env

     

       29
       +
       

     

       30
       +
           # Logging configuration

     

       31
       +
           logging:

     

       32
       +
             driver: "json-file"

     

       33
       +
             options:

     

       34
       +
               max-size: "10m"

     

       35
       +
               max-file: "3"

     

       36
       +
       

     

       37
       +
           # Health check

     

       38
       +
           healthcheck:

     

       39
       +
             test: ["CMD", "pgrep", "cron"]

     

       40
       +
             interval: 60s

     

       41
       +
             timeout: 10s

     

       42
       +
             retries: 3

     

       43
       +
             start_period: 10s

     

       44
       +
       

     

       45
       +
       # Optional: Networks for multi-container setups

     

       46
       +
       # networks:

     

       47
       +
       #   coves:

     

       48
       +
       #     external: true

+41

aggregators/kagi-news/docker-entrypoint.sh

···

       1
       +
       #!/bin/bash

     

       2
       +
       set -e

     

       3
       +
       

     

       4
       +
       echo "Starting Kagi News RSS Aggregator..."

     

       5
       +
       echo "========================================="

     

       6
       +
       

     

       7
       +
       # Load environment variables if .env file exists

     

       8
       +
       if [ -f /app/.env ]; then

     

       9
       +
           echo "Loading environment variables from .env"

     

       10
       +
           export $(grep -v '^#' /app/.env | xargs)

     

       11
       +
       fi

     

       12
       +
       

     

       13
       +
       # Validate required environment variables

     

       14
       +
       if [ -z "$AGGREGATOR_HANDLE" ] || [ -z "$AGGREGATOR_PASSWORD" ]; then

     

       15
       +
           echo "ERROR: Missing required environment variables!"

     

       16
       +
           echo "Please set AGGREGATOR_HANDLE and AGGREGATOR_PASSWORD"

     

       17
       +
           exit 1

     

       18
       +
       fi

     

       19
       +
       

     

       20
       +
       echo "Aggregator Handle: $AGGREGATOR_HANDLE"

     

       21
       +
       echo "Cron schedule loaded from /etc/cron.d/kagi-aggregator"

     

       22
       +
       

     

       23
       +
       # Start cron in the background

     

       24
       +
       echo "Starting cron daemon..."

     

       25
       +
       cron

     

       26
       +
       

     

       27
       +
       # Optional: Run aggregator immediately on startup (for testing)

     

       28
       +
       if [ "$RUN_ON_STARTUP" = "true" ]; then

     

       29
       +
           echo "Running aggregator immediately (RUN_ON_STARTUP=true)..."

     

       30
       +
           cd /app && python -m src.main

     

       31
       +
       fi

     

       32
       +
       

     

       33
       +
       echo "========================================="

     

       34
       +
       echo "Kagi News Aggregator is running!"

     

       35
       +
       echo "Cron schedule: Daily at 1 PM UTC"

     

       36
       +
       echo "Logs will appear below:"

     

       37
       +
       echo "========================================="

     

       38
       +
       echo ""

     

       39
       +
       

     

       40
       +
       # Execute the command passed to docker run (defaults to tail -f /var/log/cron.log)

     

       41
       +
       exec "$@"

+20

.beads/.gitignore

···

       1
       +
       # SQLite databases

     

       2
       +
       *.db

     

       3
       +
       *.db-journal

     

       4
       +
       *.db-wal

     

       5
       +
       *.db-shm

     

       6
       +
       

     

       7
       +
       # Daemon runtime files

     

       8
       +
       daemon.lock

     

       9
       +
       daemon.log

     

       10
       +
       daemon.pid

     

       11
       +
       bd.sock

     

       12
       +
       

     

       13
       +
       # Legacy database files

     

       14
       +
       db.sqlite

     

       15
       +
       bd.db

     

       16
       +
       

     

       17
       +
       # Keep JSONL exports and config (source of truth for git)

     

       18
       +
       !*.jsonl

     

       19
       +
       !metadata.json

     

       20
       +
       !config.json

+56

.beads/config.yaml

···

       1
       +
       # Beads Configuration File

     

       2
       +
       # This file configures default behavior for all bd commands in this repository

     

       3
       +
       # All settings can also be set via environment variables (BD_* prefix)

     

       4
       +
       # or overridden with command-line flags

     

       5
       +
       

     

       6
       +
       # Issue prefix for this repository (used by bd init)

     

       7
       +
       # If not set, bd init will auto-detect from directory name

     

       8
       +
       # Example: issue-prefix: "myproject" creates issues like "myproject-1", "myproject-2", etc.

     

       9
       +
       # issue-prefix: ""

     

       10
       +
       

     

       11
       +
       # Use no-db mode: load from JSONL, no SQLite, write back after each command

     

       12
       +
       # When true, bd will use .beads/issues.jsonl as the source of truth

     

       13
       +
       # instead of SQLite database

     

       14
       +
       # no-db: false

     

       15
       +
       

     

       16
       +
       # Disable daemon for RPC communication (forces direct database access)

     

       17
       +
       # no-daemon: false

     

       18
       +
       

     

       19
       +
       # Disable auto-flush of database to JSONL after mutations

     

       20
       +
       # no-auto-flush: false

     

       21
       +
       

     

       22
       +
       # Disable auto-import from JSONL when it's newer than database

     

       23
       +
       # no-auto-import: false

     

       24
       +
       

     

       25
       +
       # Enable JSON output by default

     

       26
       +
       # json: false

     

       27
       +
       

     

       28
       +
       # Default actor for audit trails (overridden by BD_ACTOR or --actor)

     

       29
       +
       # actor: ""

     

       30
       +
       

     

       31
       +
       # Path to database (overridden by BEADS_DB or --db)

     

       32
       +
       # db: ""

     

       33
       +
       

     

       34
       +
       # Auto-start daemon if not running (can also use BEADS_AUTO_START_DAEMON)

     

       35
       +
       # auto-start-daemon: true

     

       36
       +
       

     

       37
       +
       # Debounce interval for auto-flush (can also use BEADS_FLUSH_DEBOUNCE)

     

       38
       +
       # flush-debounce: "5s"

     

       39
       +
       

     

       40
       +
       # Multi-repo configuration (experimental - bd-307)

     

       41
       +
       # Allows hydrating from multiple repositories and routing writes to the correct JSONL

     

       42
       +
       # repos:

     

       43
       +
       #   primary: "."  # Primary repo (where this database lives)

     

       44
       +
       #   additional:   # Additional repos to hydrate from (read-only)

     

       45
       +
       #     - ~/beads-planning  # Personal planning repo

     

       46
       +
       #     - ~/work-planning   # Work planning repo

     

       47
       +
       

     

       48
       +
       # Integration settings (access with 'bd config get/set')

     

       49
       +
       # These are stored in the database, not in this file:

     

       50
       +
       # - jira.url

     

       51
       +
       # - jira.project

     

       52
       +
       # - linear.url

     

       53
       +
       # - linear.api-key

     

       54
       +
       # - github.org

     

       55
       +
       # - github.repo

     

       56
       +
       # - sync.branch - Git branch for beads commits (use BEADS_SYNC_BRANCH env var or bd config set)

.beads/metadata.json

···

       1
       +
       {

     

       2
       +
         "database": "beads.db",

     

       3
       +
         "jsonl_export": "beads.jsonl"

     

       4
       +
       }

.gitattributes

···

       1
       +
       

     

       2
       +
       # Use bd merge for beads JSONL files

     

       3
       +
       .beads/beads.jsonl merge=beads

+131

AGENTS.md

···

       1
       +
       # AI Agent Guidelines for Coves

     

       2
       +
       

     

       3
       +
       ## Issue Tracking with bd (beads)

     

       4
       +
       

     

       5
       +
       **IMPORTANT**: This project uses **bd (beads)** for ALL issue tracking. Do NOT use markdown TODOs, task lists, or other tracking methods.

     

       6
       +
       

     

       7
       +
       ### Why bd?

     

       8
       +
       

     

       9
       +
       - Dependency-aware: Track blockers and relationships between issues

     

       10
       +
       - Git-friendly: Auto-syncs to JSONL for version control

     

       11
       +
       - Agent-optimized: JSON output, ready work detection, discovered-from links

     

       12
       +
       - Prevents duplicate tracking systems and confusion

     

       13
       +
       

     

       14
       +
       ### Quick Start

     

       15
       +
       

     

       16
       +
       **Check for ready work:**

     

       17
       +
       ```bash

     

       18
       +
       bd ready --json

     

       19
       +
       ```

     

       20
       +
       

     

       21
       +
       **Create new issues:**

     

       22
       +
       ```bash

     

       23
       +
       bd create "Issue title" -t bug|feature|task -p 0-4 --json

     

       24
       +
       bd create "Issue title" -p 1 --deps discovered-from:bd-123 --json

     

       25
       +
       ```

     

       26
       +
       

     

       27
       +
       **Claim and update:**

     

       28
       +
       ```bash

     

       29
       +
       bd update bd-42 --status in_progress --json

     

       30
       +
       bd update bd-42 --priority 1 --json

     

       31
       +
       ```

     

       32
       +
       

     

       33
       +
       **Complete work:**

     

       34
       +
       ```bash

     

       35
       +
       bd close bd-42 --reason "Completed" --json

     

       36
       +
       ```

     

       37
       +
       

     

       38
       +
       ### Issue Types

     

       39
       +
       

     

       40
       +
       - `bug` - Something broken

     

       41
       +
       - `feature` - New functionality

     

       42
       +
       - `task` - Work item (tests, docs, refactoring)

     

       43
       +
       - `epic` - Large feature with subtasks

     

       44
       +
       - `chore` - Maintenance (dependencies, tooling)

     

       45
       +
       

     

       46
       +
       ### Priorities

     

       47
       +
       

     

       48
       +
       - `0` - Critical (security, data loss, broken builds)

     

       49
       +
       - `1` - High (major features, important bugs)

     

       50
       +
       - `2` - Medium (default, nice-to-have)

     

       51
       +
       - `3` - Low (polish, optimization)

     

       52
       +
       - `4` - Backlog (future ideas)

     

       53
       +
       

     

       54
       +
       ### Workflow for AI Agents

     

       55
       +
       

     

       56
       +
       1. **Check ready work**: `bd ready` shows unblocked issues

     

       57
       +
       2. **Claim your task**: `bd update <id> --status in_progress`

     

       58
       +
       3. **Work on it**: Implement, test, document

     

       59
       +
       4. **Discover new work?** Create linked issue:

     

       60
       +
          - `bd create "Found bug" -p 1 --deps discovered-from:<parent-id>`

     

       61
       +
       5. **Complete**: `bd close <id> --reason "Done"`

     

       62
       +
       6. **Commit together**: Always commit the `.beads/issues.jsonl` file together with the code changes so issue state stays in sync with code state

     

       63
       +
       

     

       64
       +
       ### Auto-Sync

     

       65
       +
       

     

       66
       +
       bd automatically syncs with git:

     

       67
       +
       - Exports to `.beads/issues.jsonl` after changes (5s debounce)

     

       68
       +
       - Imports from JSONL when newer (e.g., after `git pull`)

     

       69
       +
       - No manual export/import needed!

     

       70
       +
       

     

       71
       +
       ### MCP Server (Recommended)

     

       72
       +
       

     

       73
       +
       If using Claude or MCP-compatible clients, install the beads MCP server:

     

       74
       +
       

     

       75
       +
       ```bash

     

       76
       +
       pip install beads-mcp

     

       77
       +
       ```

     

       78
       +
       

     

       79
       +
       Add to MCP config (e.g., `~/.config/claude/config.json`):

     

       80
       +
       ```json

     

       81
       +
       {

     

       82
       +
         "beads": {

     

       83
       +
           "command": "beads-mcp",

     

       84
       +
           "args": []

     

       85
       +
         }

     

       86
       +
       }

     

       87
       +
       ```

     

       88
       +
       

     

       89
       +
       Then use `mcp__beads__*` functions instead of CLI commands.

     

       90
       +
       

     

       91
       +
       ### Managing AI-Generated Planning Documents

     

       92
       +
       

     

       93
       +
       AI assistants often create planning and design documents during development:

     

       94
       +
       - PLAN.md, IMPLEMENTATION.md, ARCHITECTURE.md

     

       95
       +
       - DESIGN.md, CODEBASE_SUMMARY.md, INTEGRATION_PLAN.md

     

       96
       +
       - TESTING_GUIDE.md, TECHNICAL_DESIGN.md, and similar files

     

       97
       +
       

     

       98
       +
       **Best Practice: Use a dedicated directory for these ephemeral files**

     

       99
       +
       

     

       100
       +
       **Recommended approach:**

     

       101
       +
       - Create a `history/` directory in the project root

     

       102
       +
       - Store ALL AI-generated planning/design docs in `history/`

     

       103
       +
       - Keep the repository root clean and focused on permanent project files

     

       104
       +
       - Only access `history/` when explicitly asked to review past planning

     

       105
       +
       

     

       106
       +
       **Example .gitignore entry (optional):**

     

       107
       +
       ```

     

       108
       +
       # AI planning documents (ephemeral)

     

       109
       +
       history/

     

       110
       +
       ```

     

       111
       +
       

     

       112
       +
       **Benefits:**

     

       113
       +
       - ✅ Clean repository root

     

       114
       +
       - ✅ Clear separation between ephemeral and permanent documentation

     

       115
       +
       - ✅ Easy to exclude from version control if desired

     

       116
       +
       - ✅ Preserves planning history for archeological research

     

       117
       +
       - ✅ Reduces noise when browsing the project

     

       118
       +
       

     

       119
       +
       ### Important Rules

     

       120
       +
       

     

       121
       +
       - ✅ Use bd for ALL task tracking

     

       122
       +
       - ✅ Always use `--json` flag for programmatic use

     

       123
       +
       - ✅ Link discovered work with `discovered-from` dependencies

     

       124
       +
       - ✅ Check `bd ready` before asking "what should I work on?"

     

       125
       +
       - ✅ Store AI planning docs in `history/` directory

     

       126
       +
       - ❌ Do NOT create markdown TODO lists

     

       127
       +
       - ❌ Do NOT use external issue trackers

     

       128
       +
       - ❌ Do NOT duplicate tracking systems

     

       129
       +
       - ❌ Do NOT clutter repo root with planning documents

     

       130
       +
       

     

       131
       +
       For more details, see the [beads repository](https://github.com/steveyegge/beads).

+8 -8

internal/core/communities/community.go

···

       123
        
       

     

       124
        
       // ListCommunitiesRequest represents query parameters for listing communities

     

       125
        
       type ListCommunitiesRequest struct {

     

       126
       -
       	Visibility string `json:"visibility,omitempty"`

     

       127
       -
       	HostedBy   string `json:"hostedBy,omitempty"`

     

       128
       -
       	SortBy     string `json:"sortBy,omitempty"`

     

       129
       -
       	SortOrder  string `json:"sortOrder,omitempty"`

     

       130
       -
       	Limit      int    `json:"limit"`

     

       131
       -
       	Offset     int    `json:"offset"`

     

       132
        
       }

     

       133
        
       

     

       134
        
       // SearchCommunitiesRequest represents query parameters for searching communities

     
···

       159
        
       	name := c.Handle[:communityIndex]

     

       160
        
       

     

       161
        
       	// Extract instance domain (everything after ".community.")

     

       162
       -
       	// len(".community.") = 11

     

       163
       -
       	instanceDomain := c.Handle[communityIndex+11:]

     

       164
        
       

     

       165
        
       	return fmt.Sprintf("!%s@%s", name, instanceDomain)

     

       166
        
       }

···

       123
        
       

     

       124
        
       // ListCommunitiesRequest represents query parameters for listing communities

     

       125
        
       type ListCommunitiesRequest struct {

     

       126
       +
       	Sort       string `json:"sort,omitempty"`       // Enum: popular, active, new, alphabetical

     

       127
       +
       	Visibility string `json:"visibility,omitempty"` // Filter: public, unlisted, private

     

       128
       +
       	Category   string `json:"category,omitempty"`   // Optional: filter by category (future)

     

       129
       +
       	Language   string `json:"language,omitempty"`   // Optional: filter by language (future)

     

       130
       +
       	Limit      int    `json:"limit"`                // 1-100, default 50

     

       131
       +
       	Offset     int    `json:"offset"`               // Pagination offset

     

       132
        
       }

     

       133
        
       

     

       134
        
       // SearchCommunitiesRequest represents query parameters for searching communities

     
···

       159
        
       	name := c.Handle[:communityIndex]

     

       160
        
       

     

       161
        
       	// Extract instance domain (everything after ".community.")

     

       162
       +
       	communitySegment := ".community."

     

       163
       +
       	instanceDomain := c.Handle[communityIndex+len(communitySegment):]

     

       164
        
       

     

       165
        
       	return fmt.Sprintf("!%s@%s", name, instanceDomain)

     

       166
        
       }

+2 -2

internal/core/communities/interfaces.go

···

       16
        
       	UpdateCredentials(ctx context.Context, did, accessToken, refreshToken string) error

     

       17
        
       

     

       18
        
       	// Listing & Search

     

       19
       -
       	List(ctx context.Context, req ListCommunitiesRequest) ([]*Community, int, error) // Returns communities + total count

     

       20
        
       	Search(ctx context.Context, req SearchCommunitiesRequest) ([]*Community, int, error)

     

       21
        
       

     

       22
        
       	// Subscriptions (lightweight feed follows)

     
···

       62
        
       	CreateCommunity(ctx context.Context, req CreateCommunityRequest) (*Community, error)

     

       63
        
       	GetCommunity(ctx context.Context, identifier string) (*Community, error) // identifier can be DID or handle

     

       64
        
       	UpdateCommunity(ctx context.Context, req UpdateCommunityRequest) (*Community, error)

     

       65
       -
       	ListCommunities(ctx context.Context, req ListCommunitiesRequest) ([]*Community, int, error)

     

       66
        
       	SearchCommunities(ctx context.Context, req SearchCommunitiesRequest) ([]*Community, int, error)

     

       67
        
       

     

       68
        
       	// Subscription operations (write-forward: creates record in user's PDS)

···

       16
        
       	UpdateCredentials(ctx context.Context, did, accessToken, refreshToken string) error

     

       17
        
       

     

       18
        
       	// Listing & Search

     

       19
       +
       	List(ctx context.Context, req ListCommunitiesRequest) ([]*Community, error)

     

       20
        
       	Search(ctx context.Context, req SearchCommunitiesRequest) ([]*Community, int, error)

     

       21
        
       

     

       22
        
       	// Subscriptions (lightweight feed follows)

     
···

       62
        
       	CreateCommunity(ctx context.Context, req CreateCommunityRequest) (*Community, error)

     

       63
        
       	GetCommunity(ctx context.Context, identifier string) (*Community, error) // identifier can be DID or handle

     

       64
        
       	UpdateCommunity(ctx context.Context, req UpdateCommunityRequest) (*Community, error)

     

       65
       +
       	ListCommunities(ctx context.Context, req ListCommunitiesRequest) ([]*Community, error)

     

       66
        
       	SearchCommunities(ctx context.Context, req SearchCommunitiesRequest) ([]*Community, int, error)

     

       67
        
       

     

       68
        
       	// Subscription operations (write-forward: creates record in user's PDS)

+57

scripts/backup.sh

···

       1
       +
       #!/bin/bash

     

       2
       +
       # Coves Database Backup Script

     

       3
       +
       # Usage: ./scripts/backup.sh

     

       4
       +
       #

     

       5
       +
       # Creates timestamped PostgreSQL backups in ./backups/

     

       6
       +
       # Retention: Keeps last 30 days of backups

     

       7
       +
       

     

       8
       +
       set -e

     

       9
       +
       

     

       10
       +
       SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"

     

       11
       +
       PROJECT_DIR="$(dirname "$SCRIPT_DIR")"

     

       12
       +
       BACKUP_DIR="$PROJECT_DIR/backups"

     

       13
       +
       COMPOSE_FILE="$PROJECT_DIR/docker-compose.prod.yml"

     

       14
       +
       

     

       15
       +
       # Load environment

     

       16
       +
       set -a

     

       17
       +
       source "$PROJECT_DIR/.env.prod"

     

       18
       +
       set +a

     

       19
       +
       

     

       20
       +
       # Colors

     

       21
       +
       GREEN='\033[0;32m'

     

       22
       +
       YELLOW='\033[1;33m'

     

       23
       +
       NC='\033[0m'

     

       24
       +
       

     

       25
       +
       log() { echo -e "${GREEN}[BACKUP]${NC} $1"; }

     

       26
       +
       warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }

     

       27
       +
       

     

       28
       +
       # Create backup directory

     

       29
       +
       mkdir -p "$BACKUP_DIR"

     

       30
       +
       

     

       31
       +
       # Generate timestamp

     

       32
       +
       TIMESTAMP=$(date +%Y%m%d_%H%M%S)

     

       33
       +
       BACKUP_FILE="$BACKUP_DIR/coves_${TIMESTAMP}.sql.gz"

     

       34
       +
       

     

       35
       +
       log "Starting backup..."

     

       36
       +
       

     

       37
       +
       # Run pg_dump inside container

     

       38
       +
       docker compose -f "$COMPOSE_FILE" exec -T postgres \

     

       39
       +
           pg_dump -U "$POSTGRES_USER" -d "$POSTGRES_DB" --clean --if-exists \

     

       40
       +
           | gzip > "$BACKUP_FILE"

     

       41
       +
       

     

       42
       +
       # Get file size

     

       43
       +
       SIZE=$(du -h "$BACKUP_FILE" | cut -f1)

     

       44
       +
       

     

       45
       +
       log "✅ Backup complete: $BACKUP_FILE ($SIZE)"

     

       46
       +
       

     

       47
       +
       # Cleanup old backups (keep last 30 days)

     

       48
       +
       log "Cleaning up backups older than 30 days..."

     

       49
       +
       find "$BACKUP_DIR" -name "coves_*.sql.gz" -mtime +30 -delete

     

       50
       +
       

     

       51
       +
       # List recent backups

     

       52
       +
       log ""

     

       53
       +
       log "Recent backups:"

     

       54
       +
       ls -lh "$BACKUP_DIR"/*.sql.gz 2>/dev/null | tail -5

     

       55
       +
       

     

       56
       +
       log ""

     

       57
       +
       log "To restore: gunzip -c $BACKUP_FILE | docker compose -f docker-compose.prod.yml exec -T postgres psql -U $POSTGRES_USER -d $POSTGRES_DB"

+133

scripts/deploy.sh

···

       1
       +
       #!/bin/bash

     

       2
       +
       # Coves Deployment Script

     

       3
       +
       # Usage: ./scripts/deploy.sh [service]

     

       4
       +
       #

     

       5
       +
       # Examples:

     

       6
       +
       #   ./scripts/deploy.sh           # Deploy all services

     

       7
       +
       #   ./scripts/deploy.sh appview   # Deploy only AppView

     

       8
       +
       #   ./scripts/deploy.sh --pull    # Pull from git first, then deploy

     

       9
       +
       

     

       10
       +
       set -e

     

       11
       +
       

     

       12
       +
       SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"

     

       13
       +
       PROJECT_DIR="$(dirname "$SCRIPT_DIR")"

     

       14
       +
       COMPOSE_FILE="$PROJECT_DIR/docker-compose.prod.yml"

     

       15
       +
       

     

       16
       +
       # Colors for output

     

       17
       +
       RED='\033[0;31m'

     

       18
       +
       GREEN='\033[0;32m'

     

       19
       +
       YELLOW='\033[1;33m'

     

       20
       +
       NC='\033[0m' # No Color

     

       21
       +
       

     

       22
       +
       log() {

     

       23
       +
           echo -e "${GREEN}[DEPLOY]${NC} $1"

     

       24
       +
       }

     

       25
       +
       

     

       26
       +
       warn() {

     

       27
       +
           echo -e "${YELLOW}[WARN]${NC} $1"

     

       28
       +
       }

     

       29
       +
       

     

       30
       +
       error() {

     

       31
       +
           echo -e "${RED}[ERROR]${NC} $1"

     

       32
       +
           exit 1

     

       33
       +
       }

     

       34
       +
       

     

       35
       +
       # Parse arguments

     

       36
       +
       PULL_GIT=false

     

       37
       +
       SERVICE=""

     

       38
       +
       

     

       39
       +
       for arg in "$@"; do

     

       40
       +
           case $arg in

     

       41
       +
               --pull)

     

       42
       +
                   PULL_GIT=true

     

       43
       +
                   ;;

     

       44
       +
               *)

     

       45
       +
                   SERVICE="$arg"

     

       46
       +
                   ;;

     

       47
       +
           esac

     

       48
       +
       done

     

       49
       +
       

     

       50
       +
       cd "$PROJECT_DIR"

     

       51
       +
       

     

       52
       +
       # Load environment variables

     

       53
       +
       if [ ! -f ".env.prod" ]; then

     

       54
       +
           error ".env.prod not found! Copy from .env.prod.example and configure secrets."

     

       55
       +
       fi

     

       56
       +
       

     

       57
       +
       log "Loading environment from .env.prod..."

     

       58
       +
       set -a

     

       59
       +
       source .env.prod

     

       60
       +
       set +a

     

       61
       +
       

     

       62
       +
       # Optional: Pull from git

     

       63
       +
       if [ "$PULL_GIT" = true ]; then

     

       64
       +
           log "Pulling latest code from git..."

     

       65
       +
           git fetch origin

     

       66
       +
           git pull origin main

     

       67
       +
       fi

     

       68
       +
       

     

       69
       +
       # Check database connectivity before deployment

     

       70
       +
       log "Checking database connectivity..."

     

       71
       +
       if docker compose -f "$COMPOSE_FILE" exec -T postgres pg_isready -U "$POSTGRES_USER" -d "$POSTGRES_DB" > /dev/null 2>&1; then

     

       72
       +
           log "Database is ready"

     

       73
       +
       else

     

       74
       +
           warn "Database not ready yet - it will start with the deployment"

     

       75
       +
       fi

     

       76
       +
       

     

       77
       +
       # Build and deploy

     

       78
       +
       if [ -n "$SERVICE" ]; then

     

       79
       +
           log "Building $SERVICE..."

     

       80
       +
           docker compose -f "$COMPOSE_FILE" build --no-cache "$SERVICE"

     

       81
       +
       

     

       82
       +
           log "Deploying $SERVICE..."

     

       83
       +
           docker compose -f "$COMPOSE_FILE" up -d "$SERVICE"

     

       84
       +
       else

     

       85
       +
           log "Building all services..."

     

       86
       +
           docker compose -f "$COMPOSE_FILE" build --no-cache

     

       87
       +
       

     

       88
       +
           log "Deploying all services..."

     

       89
       +
           docker compose -f "$COMPOSE_FILE" up -d

     

       90
       +
       fi

     

       91
       +
       

     

       92
       +
       # Health check

     

       93
       +
       log "Waiting for services to be healthy..."

     

       94
       +
       sleep 10

     

       95
       +
       

     

       96
       +
       # Wait for database to be ready before running migrations

     

       97
       +
       log "Waiting for database..."

     

       98
       +
       for i in {1..30}; do

     

       99
       +
           if docker compose -f "$COMPOSE_FILE" exec -T postgres pg_isready -U "$POSTGRES_USER" -d "$POSTGRES_DB" > /dev/null 2>&1; then

     

       100
       +
               break

     

       101
       +
           fi

     

       102
       +
           sleep 1

     

       103
       +
       done

     

       104
       +
       

     

       105
       +
       # Run database migrations

     

       106
       +
       # The AppView runs migrations on startup, but we can also trigger them explicitly

     

       107
       +
       log "Running database migrations..."

     

       108
       +
       if docker compose -f "$COMPOSE_FILE" exec -T appview /app/coves-server migrate 2>/dev/null; then

     

       109
       +
           log "✅ Migrations completed"

     

       110
       +
       else

     

       111
       +
           warn "⚠️  Migration command not available or failed - AppView will run migrations on startup"

     

       112
       +
       fi

     

       113
       +
       

     

       114
       +
       # Check AppView health

     

       115
       +
       if docker compose -f "$COMPOSE_FILE" exec -T appview wget --spider -q http://localhost:8080/xrpc/_health 2>/dev/null; then

     

       116
       +
           log "✅ AppView is healthy"

     

       117
       +
       else

     

       118
       +
           warn "⚠️  AppView health check failed - check logs with: docker compose -f docker-compose.prod.yml logs appview"

     

       119
       +
       fi

     

       120
       +
       

     

       121
       +
       # Check PDS health

     

       122
       +
       if docker compose -f "$COMPOSE_FILE" exec -T pds wget --spider -q http://localhost:3000/xrpc/_health 2>/dev/null; then

     

       123
       +
           log "✅ PDS is healthy"

     

       124
       +
       else

     

       125
       +
           warn "⚠️  PDS health check failed - check logs with: docker compose -f docker-compose.prod.yml logs pds"

     

       126
       +
       fi

     

       127
       +
       

     

       128
       +
       log "Deployment complete!"

     

       129
       +
       log ""

     

       130
       +
       log "Useful commands:"

     

       131
       +
       log "  View logs:     docker compose -f docker-compose.prod.yml logs -f"

     

       132
       +
       log "  Check status:  docker compose -f docker-compose.prod.yml ps"

     

       133
       +
       log "  Rollback:      docker compose -f docker-compose.prod.yml down && git checkout HEAD~1 && ./scripts/deploy.sh"

+149

scripts/generate-did-keys.sh

···

       1
       +
       #!/bin/bash

     

       2
       +
       # Generate cryptographic keys for Coves did:web DID document

     

       3
       +
       #

     

       4
       +
       # This script generates a secp256k1 (K-256) key pair as required by atproto.

     

       5
       +
       # Reference: https://atproto.com/specs/cryptography

     

       6
       +
       #

     

       7
       +
       # Key format:

     

       8
       +
       #   - Curve: secp256k1 (K-256) - same as Bitcoin/Ethereum

     

       9
       +
       #   - Type: Multikey

     

       10
       +
       #   - Encoding: publicKeyMultibase with base58btc ('z' prefix)

     

       11
       +
       #   - Multicodec: 0xe7 for secp256k1 compressed public key

     

       12
       +
       #

     

       13
       +
       # Output:

     

       14
       +
       #   - Private key (hex) for PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX

     

       15
       +
       #   - Public key (multibase) for did.json publicKeyMultibase field

     

       16
       +
       #   - Complete did.json file

     

       17
       +
       

     

       18
       +
       set -e

     

       19
       +
       

     

       20
       +
       SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"

     

       21
       +
       PROJECT_DIR="$(dirname "$SCRIPT_DIR")"

     

       22
       +
       OUTPUT_DIR="$PROJECT_DIR/static/.well-known"

     

       23
       +
       

     

       24
       +
       # Colors

     

       25
       +
       GREEN='\033[0;32m'

     

       26
       +
       YELLOW='\033[1;33m'

     

       27
       +
       RED='\033[0;31m'

     

       28
       +
       NC='\033[0m'

     

       29
       +
       

     

       30
       +
       log() { echo -e "${GREEN}[KEYGEN]${NC} $1"; }

     

       31
       +
       warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }

     

       32
       +
       error() { echo -e "${RED}[ERROR]${NC} $1"; exit 1; }

     

       33
       +
       

     

       34
       +
       # Check for required tools

     

       35
       +
       if ! command -v openssl &> /dev/null; then

     

       36
       +
           error "openssl is required but not installed"

     

       37
       +
       fi

     

       38
       +
       

     

       39
       +
       if ! command -v python3 &> /dev/null; then

     

       40
       +
           error "python3 is required for base58 encoding"

     

       41
       +
       fi

     

       42
       +
       

     

       43
       +
       # Check for base58 library

     

       44
       +
       if ! python3 -c "import base58" 2>/dev/null; then

     

       45
       +
           warn "Installing base58 Python library..."

     

       46
       +
           pip3 install base58 || error "Failed to install base58. Run: pip3 install base58"

     

       47
       +
       fi

     

       48
       +
       

     

       49
       +
       log "Generating secp256k1 key pair for did:web..."

     

       50
       +
       

     

       51
       +
       # Generate private key

     

       52
       +
       PRIVATE_KEY_PEM=$(mktemp)

     

       53
       +
       openssl ecparam -name secp256k1 -genkey -noout -out "$PRIVATE_KEY_PEM" 2>/dev/null

     

       54
       +
       

     

       55
       +
       # Extract private key as hex (for PDS config)

     

       56
       +
       PRIVATE_KEY_HEX=$(openssl ec -in "$PRIVATE_KEY_PEM" -text -noout 2>/dev/null | \

     

       57
       +
           grep -A 3 "priv:" | tail -n 3 | tr -d ' :\n' | tr -d '\r')

     

       58
       +
       

     

       59
       +
       # Extract public key as compressed format

     

       60
       +
       # OpenSSL outputs the public key, we need to get the compressed form

     

       61
       +
       PUBLIC_KEY_HEX=$(openssl ec -in "$PRIVATE_KEY_PEM" -pubout -conv_form compressed -outform DER 2>/dev/null | \

     

       62
       +
           tail -c 33 | xxd -p | tr -d '\n')

     

       63
       +
       

     

       64
       +
       # Clean up temp file

     

       65
       +
       rm -f "$PRIVATE_KEY_PEM"

     

       66
       +
       

     

       67
       +
       # Encode public key as multibase with multicodec

     

       68
       +
       # Multicodec 0xe7 = secp256k1 compressed public key

     

       69
       +
       # Then base58btc encode with 'z' prefix

     

       70
       +
       PUBLIC_KEY_MULTIBASE=$(python3 << EOF

     

       71
       +
       import base58

     

       72
       +
       

     

       73
       +
       # Compressed public key bytes

     

       74
       +
       pub_hex = "$PUBLIC_KEY_HEX"

     

       75
       +
       pub_bytes = bytes.fromhex(pub_hex)

     

       76
       +
       

     

       77
       +
       # Prepend multicodec 0xe7 for secp256k1-pub

     

       78
       +
       # 0xe7 as varint is just 0xe7 (single byte, < 128)

     

       79
       +
       multicodec = bytes([0xe7, 0x01])  # 0xe701 for secp256k1-pub compressed

     

       80
       +
       key_with_codec = multicodec + pub_bytes

     

       81
       +
       

     

       82
       +
       # Base58btc encode

     

       83
       +
       encoded = base58.b58encode(key_with_codec).decode('ascii')

     

       84
       +
       

     

       85
       +
       # Add 'z' prefix for multibase

     

       86
       +
       print('z' + encoded)

     

       87
       +
       EOF

     

       88
       +
       )

     

       89
       +
       

     

       90
       +
       log "Keys generated successfully!"

     

       91
       +
       echo ""

     

       92
       +
       echo "============================================"

     

       93
       +
       echo "  PRIVATE KEY (keep secret!)"

     

       94
       +
       echo "============================================"

     

       95
       +
       echo ""

     

       96
       +
       echo "Add this to your .env.prod file:"

     

       97
       +
       echo ""

     

       98
       +
       echo "PDS_ROTATION_KEY=$PRIVATE_KEY_HEX"

     

       99
       +
       echo ""

     

       100
       +
       echo "============================================"

     

       101
       +
       echo "  PUBLIC KEY (for did.json)"

     

       102
       +
       echo "============================================"

     

       103
       +
       echo ""

     

       104
       +
       echo "publicKeyMultibase: $PUBLIC_KEY_MULTIBASE"

     

       105
       +
       echo ""

     

       106
       +
       

     

       107
       +
       # Generate the did.json file

     

       108
       +
       log "Generating did.json..."

     

       109
       +
       

     

       110
       +
       mkdir -p "$OUTPUT_DIR"

     

       111
       +
       

     

       112
       +
       cat > "$OUTPUT_DIR/did.json" << EOF

     

       113
       +
       {

     

       114
       +
         "id": "did:web:coves.social",

     

       115
       +
         "alsoKnownAs": ["at://coves.social"],

     

       116
       +
         "verificationMethod": [

     

       117
       +
           {

     

       118
       +
             "id": "did:web:coves.social#atproto",

     

       119
       +
             "type": "Multikey",

     

       120
       +
             "controller": "did:web:coves.social",

     

       121
       +
             "publicKeyMultibase": "$PUBLIC_KEY_MULTIBASE"

     

       122
       +
           }

     

       123
       +
         ],

     

       124
       +
         "service": [

     

       125
       +
           {

     

       126
       +
             "id": "#atproto_pds",

     

       127
       +
             "type": "AtprotoPersonalDataServer",

     

       128
       +
             "serviceEndpoint": "https://coves.me"

     

       129
       +
           }

     

       130
       +
         ]

     

       131
       +
       }

     

       132
       +
       EOF

     

       133
       +
       

     

       134
       +
       log "Created: $OUTPUT_DIR/did.json"

     

       135
       +
       echo ""

     

       136
       +
       echo "============================================"

     

       137
       +
       echo "  NEXT STEPS"

     

       138
       +
       echo "============================================"

     

       139
       +
       echo ""

     

       140
       +
       echo "1. Copy the PDS_ROTATION_KEY value to your .env.prod file"

     

       141
       +
       echo ""

     

       142
       +
       echo "2. Verify the did.json looks correct:"

     

       143
       +
       echo "   cat $OUTPUT_DIR/did.json"

     

       144
       +
       echo ""

     

       145
       +
       echo "3. After deployment, verify it's accessible:"

     

       146
       +
       echo "   curl https://coves.social/.well-known/did.json"

     

       147
       +
       echo ""

     

       148
       +
       warn "IMPORTANT: Keep the private key secret! Only share the public key."

     

       149
       +
       warn "The did.json file with the public key IS safe to commit to git."

+106

scripts/setup-production.sh

···

       1
       +
       #!/bin/bash

     

       2
       +
       # Coves Production Setup Script

     

       3
       +
       # Run this once on a fresh server to set up everything

     

       4
       +
       #

     

       5
       +
       # Prerequisites:

     

       6
       +
       #   - Docker and docker-compose installed

     

       7
       +
       #   - Git installed

     

       8
       +
       #   - .env.prod file configured

     

       9
       +
       

     

       10
       +
       set -e

     

       11
       +
       

     

       12
       +
       SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"

     

       13
       +
       PROJECT_DIR="$(dirname "$SCRIPT_DIR")"

     

       14
       +
       

     

       15
       +
       # Colors

     

       16
       +
       GREEN='\033[0;32m'

     

       17
       +
       YELLOW='\033[1;33m'

     

       18
       +
       RED='\033[0;31m'

     

       19
       +
       NC='\033[0m'

     

       20
       +
       

     

       21
       +
       log() { echo -e "${GREEN}[SETUP]${NC} $1"; }

     

       22
       +
       warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }

     

       23
       +
       error() { echo -e "${RED}[ERROR]${NC} $1"; exit 1; }

     

       24
       +
       

     

       25
       +
       cd "$PROJECT_DIR"

     

       26
       +
       

     

       27
       +
       # Check prerequisites

     

       28
       +
       log "Checking prerequisites..."

     

       29
       +
       

     

       30
       +
       if ! command -v docker &> /dev/null; then

     

       31
       +
           error "Docker is not installed. Install with: curl -fsSL https://get.docker.com | sh"

     

       32
       +
       fi

     

       33
       +
       

     

       34
       +
       if ! docker compose version &> /dev/null; then

     

       35
       +
           error "docker compose is not available. Install with: apt install docker-compose-plugin"

     

       36
       +
       fi

     

       37
       +
       

     

       38
       +
       # Check for .env.prod

     

       39
       +
       if [ ! -f ".env.prod" ]; then

     

       40
       +
           error ".env.prod not found! Copy from .env.prod.example and configure secrets."

     

       41
       +
       fi

     

       42
       +
       

     

       43
       +
       # Load environment

     

       44
       +
       set -a

     

       45
       +
       source .env.prod

     

       46
       +
       set +a

     

       47
       +
       

     

       48
       +
       # Create required directories

     

       49
       +
       log "Creating directories..."

     

       50
       +
       mkdir -p backups

     

       51
       +
       mkdir -p static/.well-known

     

       52
       +
       

     

       53
       +
       # Check for did.json

     

       54
       +
       if [ ! -f "static/.well-known/did.json" ]; then

     

       55
       +
           warn "static/.well-known/did.json not found!"

     

       56
       +
           warn "Run ./scripts/generate-did-keys.sh to create it."

     

       57
       +
       fi

     

       58
       +
       

     

       59
       +
       # Note: Caddy logs are written to Docker volume (caddy-data)

     

       60
       +
       # If you need host-accessible logs, uncomment and run as root:

     

       61
       +
       # mkdir -p /var/log/caddy && chown 1000:1000 /var/log/caddy

     

       62
       +
       

     

       63
       +
       # Pull Docker images

     

       64
       +
       log "Pulling Docker images..."

     

       65
       +
       docker compose -f docker-compose.prod.yml pull postgres pds caddy

     

       66
       +
       

     

       67
       +
       # Build AppView

     

       68
       +
       log "Building AppView..."

     

       69
       +
       docker compose -f docker-compose.prod.yml build appview

     

       70
       +
       

     

       71
       +
       # Start services

     

       72
       +
       log "Starting services..."

     

       73
       +
       docker compose -f docker-compose.prod.yml up -d

     

       74
       +
       

     

       75
       +
       # Wait for PostgreSQL

     

       76
       +
       log "Waiting for PostgreSQL to be ready..."

     

       77
       +
       until docker compose -f docker-compose.prod.yml exec -T postgres pg_isready -U "$POSTGRES_USER" -d "$POSTGRES_DB" > /dev/null 2>&1; do

     

       78
       +
           sleep 2

     

       79
       +
       done

     

       80
       +
       log "PostgreSQL is ready!"

     

       81
       +
       

     

       82
       +
       # Run migrations

     

       83
       +
       log "Running database migrations..."

     

       84
       +
       # The AppView runs migrations on startup, but you can also run them manually:

     

       85
       +
       # docker compose -f docker-compose.prod.yml exec appview /app/coves-server migrate

     

       86
       +
       

     

       87
       +
       # Final status

     

       88
       +
       log ""

     

       89
       +
       log "============================================"

     

       90
       +
       log "  Coves Production Setup Complete!"

     

       91
       +
       log "============================================"

     

       92
       +
       log ""

     

       93
       +
       log "Services running:"

     

       94
       +
       docker compose -f docker-compose.prod.yml ps

     

       95
       +
       log ""

     

       96
       +
       log "Next steps:"

     

       97
       +
       log "  1. Configure DNS for coves.social and coves.me"

     

       98
       +
       log "  2. Run ./scripts/generate-did-keys.sh to create DID keys"

     

       99
       +
       log "  3. Test health endpoints:"

     

       100
       +
       log "     curl https://coves.social/xrpc/_health"

     

       101
       +
       log "     curl https://coves.me/xrpc/_health"

     

       102
       +
       log ""

     

       103
       +
       log "Useful commands:"

     

       104
       +
       log "  View logs:     docker compose -f docker-compose.prod.yml logs -f"

     

       105
       +
       log "  Deploy update: ./scripts/deploy.sh appview"

     

       106
       +
       log "  Backup DB:     ./scripts/backup.sh"

+19

static/.well-known/did.json.template

···

       1
       +
       {

     

       2
       +
         "id": "did:web:coves.social",

     

       3
       +
         "alsoKnownAs": ["at://coves.social"],

     

       4
       +
         "verificationMethod": [

     

       5
       +
           {

     

       6
       +
             "id": "did:web:coves.social#atproto",

     

       7
       +
             "type": "Multikey",

     

       8
       +
             "controller": "did:web:coves.social",

     

       9
       +
             "publicKeyMultibase": "REPLACE_WITH_YOUR_PUBLIC_KEY"

     

       10
       +
           }

     

       11
       +
         ],

     

       12
       +
         "service": [

     

       13
       +
           {

     

       14
       +
             "id": "#atproto_pds",

     

       15
       +
             "type": "AtprotoPersonalDataServer",

     

       16
       +
             "serviceEndpoint": "https://coves.me"

     

       17
       +
           }

     

       18
       +
         ]

     

       19
       +
       }

+18

static/client-metadata.json

···

       1
       +
       {

     

       2
       +
         "client_id": "https://coves.social/client-metadata.json",

     

       3
       +
         "client_name": "Coves",

     

       4
       +
         "client_uri": "https://coves.social",

     

       5
       +
         "logo_uri": "https://coves.social/logo.png",

     

       6
       +
         "tos_uri": "https://coves.social/terms",

     

       7
       +
         "policy_uri": "https://coves.social/privacy",

     

       8
       +
         "redirect_uris": [

     

       9
       +
           "https://coves.social/oauth/callback",

     

       10
       +
           "social.coves:/oauth/callback"

     

       11
       +
         ],

     

       12
       +
         "scope": "atproto transition:generic",

     

       13
       +
         "grant_types": ["authorization_code", "refresh_token"],

     

       14
       +
         "response_types": ["code"],

     

       15
       +
         "application_type": "native",

     

       16
       +
         "token_endpoint_auth_method": "none",

     

       17
       +
         "dpop_bound_access_tokens": true

     

       18
       +
       }

+97

static/oauth/callback.html

···

       1
       +
       <!DOCTYPE html>

     

       2
       +
       <html>

     

       3
       +
       <head>

     

       4
       +
         <meta charset="utf-8">

     

       5
       +
         <meta name="viewport" content="width=device-width, initial-scale=1">

     

       6
       +
         <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'unsafe-inline'; style-src 'unsafe-inline'">

     

       7
       +
         <title>Authorization Successful - Coves</title>

     

       8
       +
         <style>

     

       9
       +
           body {

     

       10
       +
             font-family: system-ui, -apple-system, sans-serif;

     

       11
       +
             display: flex;

     

       12
       +
             align-items: center;

     

       13
       +
             justify-content: center;

     

       14
       +
             min-height: 100vh;

     

       15
       +
             margin: 0;

     

       16
       +
             background: #f5f5f5;

     

       17
       +
           }

     

       18
       +
           .container {

     

       19
       +
             text-align: center;

     

       20
       +
             padding: 2rem;

     

       21
       +
             background: white;

     

       22
       +
             border-radius: 8px;

     

       23
       +
             box-shadow: 0 2px 8px rgba(0,0,0,0.1);

     

       24
       +
             max-width: 400px;

     

       25
       +
           }

     

       26
       +
           .success { color: #22c55e; font-size: 3rem; margin-bottom: 1rem; }

     

       27
       +
           h1 { margin: 0 0 0.5rem; color: #1f2937; font-size: 1.5rem; }

     

       28
       +
           p { color: #6b7280; margin: 0.5rem 0; }

     

       29
       +
           a {

     

       30
       +
             display: inline-block;

     

       31
       +
             margin-top: 1rem;

     

       32
       +
             padding: 0.75rem 1.5rem;

     

       33
       +
             background: #3b82f6;

     

       34
       +
             color: white;

     

       35
       +
             text-decoration: none;

     

       36
       +
             border-radius: 6px;

     

       37
       +
             font-weight: 500;

     

       38
       +
           }

     

       39
       +
           a:hover { background: #2563eb; }

     

       40
       +
         </style>

     

       41
       +
       </head>

     

       42
       +
       <body>

     

       43
       +
         <div class="container">

     

       44
       +
           <div class="success">✓</div>

     

       45
       +
           <h1>Authorization Successful!</h1>

     

       46
       +
           <p id="status">Returning to Coves...</p>

     

       47
       +
           <a href="#" id="manualLink">Open Coves</a>

     

       48
       +
         </div>

     

       49
       +
         <script>

     

       50
       +
           (function() {

     

       51
       +
             // Parse and sanitize query params - only allow expected OAuth parameters

     

       52
       +
             const urlParams = new URLSearchParams(window.location.search);

     

       53
       +
             const safeParams = new URLSearchParams();

     

       54
       +
       

     

       55
       +
             // Whitelist only expected OAuth callback parameters

     

       56
       +
             const code = urlParams.get('code');

     

       57
       +
             const state = urlParams.get('state');

     

       58
       +
             const error = urlParams.get('error');

     

       59
       +
             const errorDescription = urlParams.get('error_description');

     

       60
       +
             const iss = urlParams.get('iss');

     

       61
       +
       

     

       62
       +
             if (code) safeParams.set('code', code);

     

       63
       +
             if (state) safeParams.set('state', state);

     

       64
       +
             if (error) safeParams.set('error', error);

     

       65
       +
             if (errorDescription) safeParams.set('error_description', errorDescription);

     

       66
       +
             if (iss) safeParams.set('iss', iss);

     

       67
       +
       

     

       68
       +
             const sanitizedQuery = safeParams.toString() ? '?' + safeParams.toString() : '';

     

       69
       +
       

     

       70
       +
             const userAgent = navigator.userAgent || '';

     

       71
       +
             const isAndroid = /Android/i.test(userAgent);

     

       72
       +
       

     

       73
       +
             // Build deep link based on platform

     

       74
       +
             let deepLink;

     

       75
       +
             if (isAndroid) {

     

       76
       +
               // Android: Intent URL format

     

       77
       +
               const pathAndQuery = '/oauth/callback' + sanitizedQuery;

     

       78
       +
               deepLink = 'intent:/' + pathAndQuery + '#Intent;scheme=social.coves;package=social.coves;end';

     

       79
       +
             } else {

     

       80
       +
               // iOS: Custom scheme

     

       81
       +
               deepLink = 'social.coves:/oauth/callback' + sanitizedQuery;

     

       82
       +
             }

     

       83
       +
       

     

       84
       +
             // Update manual link

     

       85
       +
             document.getElementById('manualLink').href = deepLink;

     

       86
       +
       

     

       87
       +
             // Attempt automatic redirect

     

       88
       +
             window.location.href = deepLink;

     

       89
       +
       

     

       90
       +
             // Update status after 2 seconds if redirect didn't work

     

       91
       +
             setTimeout(function() {

     

       92
       +
               document.getElementById('status').textContent = 'Click the button above to continue';

     

       93
       +
             }, 2000);

     

       94
       +
           })();

     

       95
       +
         </script>

     

       96
       +
       </body>

     

       97
       +
       </html>

+2 -1

Dockerfile

···

       42
        
       COPY --from=builder /build/coves-server /app/coves-server

     

       43
        
       

     

       44
        
       # Copy migrations (needed for goose)

     

       45
       -
       COPY --from=builder /build/internal/db/migrations /app/migrations

     

       0
        
       
     

       46
        
       

     

       47
        
       # Set ownership

     

       48
        
       RUN chown -R coves:coves /app

···

       42
        
       COPY --from=builder /build/coves-server /app/coves-server

     

       43
        
       

     

       44
        
       # Copy migrations (needed for goose)

     

       45
       +
       # Must maintain path structure as app looks for internal/db/migrations

     

       46
       +
       COPY --from=builder /build/internal/db/migrations /app/internal/db/migrations

     

       47
        
       

     

       48
        
       # Set ownership

     

       49
        
       RUN chown -R coves:coves /app

+187

scripts/derive-did-from-key.sh

···

       1
       +
       #!/bin/bash

     

       2
       +
       # Derive public key from existing PDS_ROTATION_KEY and create did.json

     

       3
       +
       #

     

       4
       +
       # This script takes your existing private key and derives the public key from it.

     

       5
       +
       # Use this if you already have a PDS running with a rotation key but need to

     

       6
       +
       # create/fix the did.json file.

     

       7
       +
       #

     

       8
       +
       # Usage: ./scripts/derive-did-from-key.sh

     

       9
       +
       

     

       10
       +
       set -e

     

       11
       +
       

     

       12
       +
       SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"

     

       13
       +
       PROJECT_DIR="$(dirname "$SCRIPT_DIR")"

     

       14
       +
       OUTPUT_DIR="$PROJECT_DIR/static/.well-known"

     

       15
       +
       

     

       16
       +
       # Colors

     

       17
       +
       GREEN='\033[0;32m'

     

       18
       +
       YELLOW='\033[1;33m'

     

       19
       +
       RED='\033[0;31m'

     

       20
       +
       NC='\033[0m'

     

       21
       +
       

     

       22
       +
       log() { echo -e "${GREEN}[DERIVE]${NC} $1"; }

     

       23
       +
       warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }

     

       24
       +
       error() { echo -e "${RED}[ERROR]${NC} $1"; exit 1; }

     

       25
       +
       

     

       26
       +
       # Check for required tools

     

       27
       +
       if ! command -v openssl &> /dev/null; then

     

       28
       +
           error "openssl is required but not installed"

     

       29
       +
       fi

     

       30
       +
       

     

       31
       +
       if ! command -v python3 &> /dev/null; then

     

       32
       +
           error "python3 is required for base58 encoding"

     

       33
       +
       fi

     

       34
       +
       

     

       35
       +
       # Check for base58 library

     

       36
       +
       if ! python3 -c "import base58" 2>/dev/null; then

     

       37
       +
           warn "Installing base58 Python library..."

     

       38
       +
           pip3 install base58 || error "Failed to install base58. Run: pip3 install base58"

     

       39
       +
       fi

     

       40
       +
       

     

       41
       +
       # Load environment to get the existing key

     

       42
       +
       if [ -f "$PROJECT_DIR/.env.prod" ]; then

     

       43
       +
           source "$PROJECT_DIR/.env.prod"

     

       44
       +
       elif [ -f "$PROJECT_DIR/.env" ]; then

     

       45
       +
           source "$PROJECT_DIR/.env"

     

       46
       +
       else

     

       47
       +
           error "No .env.prod or .env file found"

     

       48
       +
       fi

     

       49
       +
       

     

       50
       +
       if [ -z "$PDS_ROTATION_KEY" ]; then

     

       51
       +
           error "PDS_ROTATION_KEY not found in environment"

     

       52
       +
       fi

     

       53
       +
       

     

       54
       +
       # Validate key format (should be 64 hex chars)

     

       55
       +
       if [[ ! "$PDS_ROTATION_KEY" =~ ^[0-9a-fA-F]{64}$ ]]; then

     

       56
       +
           error "PDS_ROTATION_KEY is not a valid 64-character hex string"

     

       57
       +
       fi

     

       58
       +
       

     

       59
       +
       log "Deriving public key from existing PDS_ROTATION_KEY..."

     

       60
       +
       

     

       61
       +
       # Create a temporary PEM file from the hex private key

     

       62
       +
       TEMP_DIR=$(mktemp -d)

     

       63
       +
       PRIVATE_KEY_HEX="$PDS_ROTATION_KEY"

     

       64
       +
       

     

       65
       +
       # Convert hex private key to PEM format

     

       66
       +
       # secp256k1 curve OID: 1.3.132.0.10

     

       67
       +
       python3 > "$TEMP_DIR/private.pem" << EOF

     

       68
       +
       import binascii

     

       69
       +
       

     

       70
       +
       # Private key in hex

     

       71
       +
       priv_hex = "$PRIVATE_KEY_HEX"

     

       72
       +
       priv_bytes = binascii.unhexlify(priv_hex)

     

       73
       +
       

     

       74
       +
       # secp256k1 OID

     

       75
       +
       oid = bytes([0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x0a])

     

       76
       +
       

     

       77
       +
       # Build the EC private key structure

     

       78
       +
       # SEQUENCE { version INTEGER, privateKey OCTET STRING, [0] OID, [1] publicKey }

     

       79
       +
       # We'll use a simpler approach: just the private key with curve params

     

       80
       +
       

     

       81
       +
       # EC PARAMETERS for secp256k1

     

       82
       +
       ec_params = bytes([

     

       83
       +
           0x30, 0x07,  # SEQUENCE, 7 bytes

     

       84
       +
           0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x0a  # OID for secp256k1

     

       85
       +
       ])

     

       86
       +
       

     

       87
       +
       # EC PRIVATE KEY structure

     

       88
       +
       # SEQUENCE { version, privateKey, [0] parameters }

     

       89
       +
       inner = bytes([0x02, 0x01, 0x01])  # version = 1

     

       90
       +
       inner += bytes([0x04, 0x20]) + priv_bytes  # OCTET STRING with 32-byte key

     

       91
       +
       inner += bytes([0xa0, 0x07]) + bytes([0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x0a])  # [0] OID

     

       92
       +
       

     

       93
       +
       # Wrap in SEQUENCE

     

       94
       +
       key_der = bytes([0x30, len(inner)]) + inner

     

       95
       +
       

     

       96
       +
       # Base64 encode

     

       97
       +
       import base64

     

       98
       +
       key_b64 = base64.b64encode(key_der).decode('ascii')

     

       99
       +
       

     

       100
       +
       # Format as PEM

     

       101
       +
       print("-----BEGIN EC PRIVATE KEY-----")

     

       102
       +
       for i in range(0, len(key_b64), 64):

     

       103
       +
           print(key_b64[i:i+64])

     

       104
       +
       print("-----END EC PRIVATE KEY-----")

     

       105
       +
       EOF

     

       106
       +
       

     

       107
       +
       # Extract the compressed public key

     

       108
       +
       PUBLIC_KEY_HEX=$(openssl ec -in "$TEMP_DIR/private.pem" -pubout -conv_form compressed -outform DER 2>/dev/null | \

     

       109
       +
           tail -c 33 | xxd -p | tr -d '\n')

     

       110
       +
       

     

       111
       +
       # Clean up

     

       112
       +
       rm -rf "$TEMP_DIR"

     

       113
       +
       

     

       114
       +
       if [ -z "$PUBLIC_KEY_HEX" ] || [ ${#PUBLIC_KEY_HEX} -ne 66 ]; then

     

       115
       +
           error "Failed to derive public key. Got: $PUBLIC_KEY_HEX"

     

       116
       +
       fi

     

       117
       +
       

     

       118
       +
       log "Derived public key: ${PUBLIC_KEY_HEX:0:8}...${PUBLIC_KEY_HEX: -8}"

     

       119
       +
       

     

       120
       +
       # Encode public key as multibase with multicodec

     

       121
       +
       PUBLIC_KEY_MULTIBASE=$(python3 << EOF

     

       122
       +
       import base58

     

       123
       +
       

     

       124
       +
       # Compressed public key bytes

     

       125
       +
       pub_hex = "$PUBLIC_KEY_HEX"

     

       126
       +
       pub_bytes = bytes.fromhex(pub_hex)

     

       127
       +
       

     

       128
       +
       # Prepend multicodec 0xe7 for secp256k1-pub

     

       129
       +
       # 0xe7 as varint is just 0xe7 (single byte, < 128)

     

       130
       +
       multicodec = bytes([0xe7, 0x01])  # 0xe701 for secp256k1-pub compressed

     

       131
       +
       key_with_codec = multicodec + pub_bytes

     

       132
       +
       

     

       133
       +
       # Base58btc encode

     

       134
       +
       encoded = base58.b58encode(key_with_codec).decode('ascii')

     

       135
       +
       

     

       136
       +
       # Add 'z' prefix for multibase

     

       137
       +
       print('z' + encoded)

     

       138
       +
       EOF

     

       139
       +
       )

     

       140
       +
       

     

       141
       +
       log "Public key multibase: $PUBLIC_KEY_MULTIBASE"

     

       142
       +
       

     

       143
       +
       # Generate the did.json file

     

       144
       +
       log "Generating did.json..."

     

       145
       +
       

     

       146
       +
       mkdir -p "$OUTPUT_DIR"

     

       147
       +
       

     

       148
       +
       cat > "$OUTPUT_DIR/did.json" << EOF

     

       149
       +
       {

     

       150
       +
         "id": "did:web:coves.social",

     

       151
       +
         "alsoKnownAs": ["at://coves.social"],

     

       152
       +
         "verificationMethod": [

     

       153
       +
           {

     

       154
       +
             "id": "did:web:coves.social#atproto",

     

       155
       +
             "type": "Multikey",

     

       156
       +
             "controller": "did:web:coves.social",

     

       157
       +
             "publicKeyMultibase": "$PUBLIC_KEY_MULTIBASE"

     

       158
       +
           }

     

       159
       +
         ],

     

       160
       +
         "service": [

     

       161
       +
           {

     

       162
       +
             "id": "#atproto_pds",

     

       163
       +
             "type": "AtprotoPersonalDataServer",

     

       164
       +
             "serviceEndpoint": "https://coves.me"

     

       165
       +
           }

     

       166
       +
         ]

     

       167
       +
       }

     

       168
       +
       EOF

     

       169
       +
       

     

       170
       +
       log "Created: $OUTPUT_DIR/did.json"

     

       171
       +
       echo ""

     

       172
       +
       echo "============================================"

     

       173
       +
       echo "  DID Document Generated Successfully!"

     

       174
       +
       echo "============================================"

     

       175
       +
       echo ""

     

       176
       +
       echo "Public key multibase: $PUBLIC_KEY_MULTIBASE"

     

       177
       +
       echo ""

     

       178
       +
       echo "Next steps:"

     

       179
       +
       echo "  1. Copy this file to your production server:"

     

       180
       +
       echo "     scp $OUTPUT_DIR/did.json user@server:/opt/coves/static/.well-known/"

     

       181
       +
       echo ""

     

       182
       +
       echo "  2. Or if running on production, restart Caddy:"

     

       183
       +
       echo "     docker compose -f docker-compose.prod.yml restart caddy"

     

       184
       +
       echo ""

     

       185
       +
       echo "  3. Verify it's accessible:"

     

       186
       +
       echo "     curl https://coves.social/.well-known/did.json"

     

       187
       +
       echo ""

+3 -2

internal/api/routes/community.go

···

       10
        
       

     

       11
        
       // RegisterCommunityRoutes registers community-related XRPC endpoints on the router

     

       12
        
       // Implements social.coves.community.* lexicon endpoints

     

       13
       -
       func RegisterCommunityRoutes(r chi.Router, service communities.Service, authMiddleware *middleware.AtProtoAuthMiddleware) {

     

       0
        
       
     

       14
        
       	// Initialize handlers

     

       15
       -
       	createHandler := community.NewCreateHandler(service)

     

       16
        
       	getHandler := community.NewGetHandler(service)

     

       17
        
       	updateHandler := community.NewUpdateHandler(service)

     

       18
        
       	listHandler := community.NewListHandler(service)

···

       10
        
       

     

       11
        
       // RegisterCommunityRoutes registers community-related XRPC endpoints on the router

     

       12
        
       // Implements social.coves.community.* lexicon endpoints

     

       13
       +
       // allowedCommunityCreators restricts who can create communities. If empty, anyone can create.

     

       14
       +
       func RegisterCommunityRoutes(r chi.Router, service communities.Service, authMiddleware *middleware.AtProtoAuthMiddleware, allowedCommunityCreators []string) {

     

       15
        
       	// Initialize handlers

     

       16
       +
       	createHandler := community.NewCreateHandler(service, allowedCommunityCreators)

     

       17
        
       	getHandler := community.NewGetHandler(service)

     

       18
        
       	updateHandler := community.NewUpdateHandler(service)

     

       19
        
       	listHandler := community.NewListHandler(service)

+1 -2

internal/api/handlers/aggregator/errors.go

···

       1
        
       package aggregator

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       4
        
       	"encoding/json"

     

       5
        
       	"log"

     

       6
        
       	"net/http"

     

       7
       -
       

     

       8
       -
       	"Coves/internal/core/aggregators"

     

       9
        
       )

     

       10
        
       

     

       11
        
       // ErrorResponse represents an XRPC error response

···

       1
        
       package aggregator

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/core/aggregators"

     

       5
        
       	"encoding/json"

     

       6
        
       	"log"

     

       7
        
       	"net/http"

     

       0
        
       
     

       0
        
       
     

       8
        
       )

     

       9
        
       

     

       10
        
       // ErrorResponse represents an XRPC error response

+1 -2

internal/api/handlers/aggregator/get_authorizations.go

···

       1
        
       package aggregator

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       4
        
       	"encoding/json"

     

       5
        
       	"log"

     

       6
        
       	"net/http"

     

       7
        
       	"strconv"

     

       8
       -
       

     

       9
       -
       	"Coves/internal/core/aggregators"

     

       10
        
       )

     

       11
        
       

     

       12
        
       // GetAuthorizationsHandler handles listing authorizations for an aggregator

···

       1
        
       package aggregator

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/core/aggregators"

     

       5
        
       	"encoding/json"

     

       6
        
       	"log"

     

       7
        
       	"net/http"

     

       8
        
       	"strconv"

     

       0
        
       
     

       0
        
       
     

       9
        
       )

     

       10
        
       

     

       11
        
       // GetAuthorizationsHandler handles listing authorizations for an aggregator

+1 -2

internal/api/handlers/aggregator/get_services.go

···

       1
        
       package aggregator

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       4
        
       	"encoding/json"

     

       5
        
       	"log"

     

       6
        
       	"net/http"

     

       7
        
       	"strings"

     

       8
       -
       

     

       9
       -
       	"Coves/internal/core/aggregators"

     

       10
        
       )

     

       11
        
       

     

       12
        
       // GetServicesHandler handles aggregator service details retrieval

···

       1
        
       package aggregator

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/core/aggregators"

     

       5
        
       	"encoding/json"

     

       6
        
       	"log"

     

       7
        
       	"net/http"

     

       8
        
       	"strings"

     

       0
        
       
     

       0
        
       
     

       9
        
       )

     

       10
        
       

     

       11
        
       // GetServicesHandler handles aggregator service details retrieval

+1 -2

internal/api/handlers/aggregator/list_for_community.go

···

       1
        
       package aggregator

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       4
        
       	"encoding/json"

     

       5
        
       	"log"

     

       6
        
       	"net/http"

     

       7
        
       	"strconv"

     

       8
       -
       

     

       9
       -
       	"Coves/internal/core/aggregators"

     

       10
        
       )

     

       11
        
       

     

       12
        
       // ListForCommunityHandler handles listing aggregators for a community

···

       1
        
       package aggregator

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/core/aggregators"

     

       5
        
       	"encoding/json"

     

       6
        
       	"log"

     

       7
        
       	"net/http"

     

       8
        
       	"strconv"

     

       0
        
       
     

       0
        
       
     

       9
        
       )

     

       10
        
       

     

       11
        
       // ListForCommunityHandler handles listing aggregators for a community

+1 -2

internal/api/handlers/comments/errors.go

···

       1
        
       package comments

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       4
        
       	"encoding/json"

     

       5
        
       	"log"

     

       6
        
       	"net/http"

     

       7
       -
       

     

       8
       -
       	"Coves/internal/core/comments"

     

       9
        
       )

     

       10
        
       

     

       11
        
       // errorResponse represents a standardized JSON error response

···

       1
        
       package comments

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/core/comments"

     

       5
        
       	"encoding/json"

     

       6
        
       	"log"

     

       7
        
       	"net/http"

     

       0
        
       
     

       0
        
       
     

       8
        
       )

     

       9
        
       

     

       10
        
       // errorResponse represents a standardized JSON error response

+2 -3

internal/api/handlers/comments/get_comments.go

···

       3
        
       package comments

     

       4
        
       

     

       5
        
       import (

     

       0
        
       
     

       0
        
       
     

       6
        
       	"encoding/json"

     

       7
        
       	"log"

     

       8
        
       	"net/http"

     

       9
        
       	"strconv"

     

       10
       -
       

     

       11
       -
       	"Coves/internal/api/middleware"

     

       12
       -
       	"Coves/internal/core/comments"

     

       13
        
       )

     

       14
        
       

     

       15
        
       // GetCommentsHandler handles comment retrieval for posts

···

       3
        
       package comments

     

       4
        
       

     

       5
        
       import (

     

       6
       +
       	"Coves/internal/api/middleware"

     

       7
       +
       	"Coves/internal/core/comments"

     

       8
        
       	"encoding/json"

     

       9
        
       	"log"

     

       10
        
       	"net/http"

     

       11
        
       	"strconv"

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       12
        
       )

     

       13
        
       

     

       14
        
       // GetCommentsHandler handles comment retrieval for posts

+1 -2

internal/api/handlers/comments/middleware.go

···

       1
        
       package comments

     

       2
        
       

     

       3
        
       import (

     

       4
       -
       	"net/http"

     

       5
       -
       

     

       6
        
       	"Coves/internal/api/middleware"

     

       0
        
       
     

       7
        
       )

     

       8
        
       

     

       9
        
       // OptionalAuthMiddleware wraps the existing OptionalAuth middleware from the middleware package.

···

       1
        
       package comments

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       0
        
       
     

       4
        
       	"Coves/internal/api/middleware"

     

       5
       +
       	"net/http"

     

       6
        
       )

     

       7
        
       

     

       8
        
       // OptionalAuthMiddleware wraps the existing OptionalAuth middleware from the middleware package.

+1 -2

internal/api/handlers/comments/service_adapter.go

···

       1
        
       package comments

     

       2
        
       

     

       3
        
       import (

     

       4
       -
       	"net/http"

     

       5
       -
       

     

       6
        
       	"Coves/internal/core/comments"

     

       0
        
       
     

       7
        
       )

     

       8
        
       

     

       9
        
       // ServiceAdapter adapts the core comments.Service to the handler's Service interface

···

       1
        
       package comments

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       0
        
       
     

       4
        
       	"Coves/internal/core/comments"

     

       5
       +
       	"net/http"

     

       6
        
       )

     

       7
        
       

     

       8
        
       // ServiceAdapter adapts the core comments.Service to the handler's Service interface

+2 -3

internal/api/handlers/community/create.go

···

       1
        
       package community

     

       2
        
       

     

       3
        
       import (

     

       4
       -
       	"encoding/json"

     

       5
       -
       	"net/http"

     

       6
       -
       

     

       7
        
       	"Coves/internal/api/middleware"

     

       8
        
       	"Coves/internal/core/communities"

     

       0
        
       
     

       0
        
       
     

       9
        
       )

     

       10
        
       

     

       11
        
       // CreateHandler handles community creation

···

       1
        
       package community

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       4
        
       	"Coves/internal/api/middleware"

     

       5
        
       	"Coves/internal/core/communities"

     

       6
       +
       	"encoding/json"

     

       7
       +
       	"net/http"

     

       8
        
       )

     

       9
        
       

     

       10
        
       // CreateHandler handles community creation

+1 -2

internal/api/handlers/community/errors.go

···

       1
        
       package community

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       4
        
       	"encoding/json"

     

       5
        
       	"log"

     

       6
        
       	"net/http"

     

       7
       -
       

     

       8
       -
       	"Coves/internal/core/communities"

     

       9
        
       )

     

       10
        
       

     

       11
        
       // XRPCError represents an XRPC error response

···

       1
        
       package community

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/core/communities"

     

       5
        
       	"encoding/json"

     

       6
        
       	"log"

     

       7
        
       	"net/http"

     

       0
        
       
     

       0
        
       
     

       8
        
       )

     

       9
        
       

     

       10
        
       // XRPCError represents an XRPC error response

+1 -2

internal/api/handlers/community/get.go

···

       1
        
       package community

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       4
        
       	"encoding/json"

     

       5
        
       	"net/http"

     

       6
       -
       

     

       7
       -
       	"Coves/internal/core/communities"

     

       8
        
       )

     

       9
        
       

     

       10
        
       // GetHandler handles community retrieval

···

       1
        
       package community

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/core/communities"

     

       5
        
       	"encoding/json"

     

       6
        
       	"net/http"

     

       0
        
       
     

       0
        
       
     

       7
        
       )

     

       8
        
       

     

       9
        
       // GetHandler handles community retrieval

+1 -2

internal/api/handlers/community/search.go

···

       1
        
       package community

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       4
        
       	"encoding/json"

     

       5
        
       	"net/http"

     

       6
        
       	"strconv"

     

       7
       -
       

     

       8
       -
       	"Coves/internal/core/communities"

     

       9
        
       )

     

       10
        
       

     

       11
        
       // SearchHandler handles community search

···

       1
        
       package community

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/core/communities"

     

       5
        
       	"encoding/json"

     

       6
        
       	"net/http"

     

       7
        
       	"strconv"

     

       0
        
       
     

       0
        
       
     

       8
        
       )

     

       9
        
       

     

       10
        
       // SearchHandler handles community search

+2 -3

internal/api/handlers/community/update.go

···

       1
        
       package community

     

       2
        
       

     

       3
        
       import (

     

       4
       -
       	"encoding/json"

     

       5
       -
       	"net/http"

     

       6
       -
       

     

       7
        
       	"Coves/internal/api/middleware"

     

       8
        
       	"Coves/internal/core/communities"

     

       0
        
       
     

       0
        
       
     

       9
        
       )

     

       10
        
       

     

       11
        
       // UpdateHandler handles community updates

···

       1
        
       package community

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       4
        
       	"Coves/internal/api/middleware"

     

       5
        
       	"Coves/internal/core/communities"

     

       6
       +
       	"encoding/json"

     

       7
       +
       	"net/http"

     

       8
        
       )

     

       9
        
       

     

       10
        
       // UpdateHandler handles community updates

+1 -2

internal/api/handlers/communityFeed/errors.go

···

       1
        
       package communityFeed

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       4
        
       	"encoding/json"

     

       5
        
       	"errors"

     

       6
        
       	"log"

     

       7
        
       	"net/http"

     

       8
       -
       

     

       9
       -
       	"Coves/internal/core/communityFeeds"

     

       10
        
       )

     

       11
        
       

     

       12
        
       // ErrorResponse represents an XRPC error response

···

       1
        
       package communityFeed

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/core/communityFeeds"

     

       5
        
       	"encoding/json"

     

       6
        
       	"errors"

     

       7
        
       	"log"

     

       8
        
       	"net/http"

     

       0
        
       
     

       0
        
       
     

       9
        
       )

     

       10
        
       

     

       11
        
       // ErrorResponse represents an XRPC error response

+1 -2

internal/api/handlers/discover/errors.go

···

       1
        
       package discover

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       4
        
       	"encoding/json"

     

       5
        
       	"errors"

     

       6
        
       	"log"

     

       7
        
       	"net/http"

     

       8
       -
       

     

       9
       -
       	"Coves/internal/core/discover"

     

       10
        
       )

     

       11
        
       

     

       12
        
       // XRPCError represents an XRPC error response

···

       1
        
       package discover

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/core/discover"

     

       5
        
       	"encoding/json"

     

       6
        
       	"errors"

     

       7
        
       	"log"

     

       8
        
       	"net/http"

     

       0
        
       
     

       0
        
       
     

       9
        
       )

     

       10
        
       

     

       11
        
       // XRPCError represents an XRPC error response

+2 -3

internal/api/handlers/post/create.go

···

       1
        
       package post

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       0
        
       
     

       4
        
       	"encoding/json"

     

       5
        
       	"log"

     

       6
        
       	"net/http"

     

       7
        
       	"strings"

     

       8
       -
       

     

       9
       -
       	"Coves/internal/api/middleware"

     

       10
       -
       	"Coves/internal/core/posts"

     

       11
        
       )

     

       12
        
       

     

       13
        
       // CreateHandler handles post creation requests

···

       1
        
       package post

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/api/middleware"

     

       5
       +
       	"Coves/internal/core/posts"

     

       6
        
       	"encoding/json"

     

       7
        
       	"log"

     

       8
        
       	"net/http"

     

       9
        
       	"strings"

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       10
        
       )

     

       11
        
       

     

       12
        
       // CreateHandler handles post creation requests

+1 -2

internal/api/handlers/timeline/errors.go

···

       1
        
       package timeline

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       4
        
       	"encoding/json"

     

       5
        
       	"errors"

     

       6
        
       	"log"

     

       7
        
       	"net/http"

     

       8
       -
       

     

       9
       -
       	"Coves/internal/core/timeline"

     

       10
        
       )

     

       11
        
       

     

       12
        
       // XRPCError represents an XRPC error response

···

       1
        
       package timeline

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/core/timeline"

     

       5
        
       	"encoding/json"

     

       6
        
       	"errors"

     

       7
        
       	"log"

     

       8
        
       	"net/http"

     

       0
        
       
     

       0
        
       
     

       9
        
       )

     

       10
        
       

     

       11
        
       // XRPCError represents an XRPC error response

+1 -2

internal/atproto/jetstream/aggregator_consumer.go

···

       1
        
       package jetstream

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       4
        
       	"context"

     

       5
        
       	"encoding/json"

     

       6
        
       	"fmt"

     

       7
        
       	"log"

     

       8
        
       	"time"

     

       9
       -
       

     

       10
       -
       	"Coves/internal/core/aggregators"

     

       11
        
       )

     

       12
        
       

     

       13
        
       // AggregatorEventConsumer consumes aggregator-related events from Jetstream

···

       1
        
       package jetstream

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/core/aggregators"

     

       5
        
       	"context"

     

       6
        
       	"encoding/json"

     

       7
        
       	"fmt"

     

       8
        
       	"log"

     

       9
        
       	"time"

     

       0
        
       
     

       0
        
       
     

       10
        
       )

     

       11
        
       

     

       12
        
       // AggregatorEventConsumer consumes aggregator-related events from Jetstream

+2 -3

internal/atproto/jetstream/comment_consumer.go

···

       1
        
       package jetstream

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       0
        
       
     

       4
        
       	"context"

     

       5
        
       	"database/sql"

     

       6
        
       	"encoding/json"

     
···

       9
        
       	"strings"

     

       10
        
       	"time"

     

       11
        
       

     

       12
       -
       	"Coves/internal/atproto/utils"

     

       13
       -
       	"Coves/internal/core/comments"

     

       14
       -
       

     

       15
        
       	"github.com/lib/pq"

     

       16
        
       )

     

       17

···

       1
        
       package jetstream

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/atproto/utils"

     

       5
       +
       	"Coves/internal/core/comments"

     

       6
        
       	"context"

     

       7
        
       	"database/sql"

     

       8
        
       	"encoding/json"

     
···

       11
        
       	"strings"

     

       12
        
       	"time"

     

       13
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       14
        
       	"github.com/lib/pq"

     

       15
        
       )

     

       16

+3 -4

internal/atproto/jetstream/post_consumer.go

···

       1
        
       package jetstream

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       4
        
       	"context"

     

       5
        
       	"database/sql"

     

       6
        
       	"encoding/json"

     
···

       8
        
       	"log"

     

       9
        
       	"strings"

     

       10
        
       	"time"

     

       11
       -
       

     

       12
       -
       	"Coves/internal/core/communities"

     

       13
       -
       	"Coves/internal/core/posts"

     

       14
       -
       	"Coves/internal/core/users"

     

       15
        
       )

     

       16
        
       

     

       17
        
       // PostEventConsumer consumes post-related events from Jetstream

···

       1
        
       package jetstream

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/core/communities"

     

       5
       +
       	"Coves/internal/core/posts"

     

       6
       +
       	"Coves/internal/core/users"

     

       7
        
       	"context"

     

       8
        
       	"database/sql"

     

       9
        
       	"encoding/json"

     
···

       11
        
       	"log"

     

       12
        
       	"strings"

     

       13
        
       	"time"

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       14
        
       )

     

       15
        
       

     

       16
        
       // PostEventConsumer consumes post-related events from Jetstream

+2 -3

internal/atproto/jetstream/user_consumer.go

···

       1
        
       package jetstream

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       0
        
       
     

       4
        
       	"context"

     

       5
        
       	"encoding/json"

     

       6
        
       	"fmt"

     
···

       8
        
       	"sync"

     

       9
        
       	"time"

     

       10
        
       

     

       11
       -
       	"Coves/internal/atproto/identity"

     

       12
       -
       	"Coves/internal/core/users"

     

       13
       -
       

     

       14
        
       	"github.com/gorilla/websocket"

     

       15
        
       )

     

       16

···

       1
        
       package jetstream

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/atproto/identity"

     

       5
       +
       	"Coves/internal/core/users"

     

       6
        
       	"context"

     

       7
        
       	"encoding/json"

     

       8
        
       	"fmt"

     
···

       10
        
       	"sync"

     

       11
        
       	"time"

     

       12
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       13
        
       	"github.com/gorilla/websocket"

     

       14
        
       )

     

       15

+1 -2

internal/core/aggregators/service.go

···

       1
        
       package aggregators

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       4
        
       	"context"

     

       5
        
       	"encoding/json"

     

       6
        
       	"fmt"

     

       7
        
       	"time"

     

       8
        
       

     

       9
       -
       	"Coves/internal/core/communities"

     

       10
       -
       

     

       11
        
       	"github.com/xeipuuv/gojsonschema"

     

       12
        
       )

     

       13

···

       1
        
       package aggregators

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/core/communities"

     

       5
        
       	"context"

     

       6
        
       	"encoding/json"

     

       7
        
       	"fmt"

     

       8
        
       	"time"

     

       9
        
       

     

       0
        
       
     

       0
        
       
     

       10
        
       	"github.com/xeipuuv/gojsonschema"

     

       11
        
       )

     

       12

+1 -2

internal/core/blobs/service.go

···

       1
        
       package blobs

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       4
        
       	"bytes"

     

       5
        
       	"context"

     

       6
        
       	"encoding/json"

     
···

       9
        
       	"log"

     

       10
        
       	"net/http"

     

       11
        
       	"time"

     

       12
       -
       

     

       13
       -
       	"Coves/internal/core/communities"

     

       14
        
       )

     

       15
        
       

     

       16
        
       // Service defines the interface for blob operations

···

       1
        
       package blobs

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/core/communities"

     

       5
        
       	"bytes"

     

       6
        
       	"context"

     

       7
        
       	"encoding/json"

     
···

       10
        
       	"log"

     

       11
        
       	"net/http"

     

       12
        
       	"time"

     

       0
        
       
     

       0
        
       
     

       13
        
       )

     

       14
        
       

     

       15
        
       // Service defines the interface for blob operations

+5 -6

internal/core/comments/comment_service_test.go

···

       1
        
       package comments

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       4
        
       	"context"

     

       5
        
       	"errors"

     

       6
        
       	"testing"

     

       7
        
       	"time"

     

       8
        
       

     

       9
       -
       	"Coves/internal/core/communities"

     

       10
       -
       	"Coves/internal/core/posts"

     

       11
       -
       	"Coves/internal/core/users"

     

       12
       -
       

     

       13
        
       	"github.com/stretchr/testify/assert"

     

       14
        
       )

     

       15
        
       

     
···

       232
        
       	return nil

     

       233
        
       }

     

       234
        
       

     

       235
       -
       func (m *mockCommunityRepo) List(ctx context.Context, req communities.ListCommunitiesRequest) ([]*communities.Community, int, error) {

     

       236
       -
       	return nil, 0, nil

     

       237
        
       }

     

       238
        
       

     

       239
        
       func (m *mockCommunityRepo) Search(ctx context.Context, req communities.SearchCommunitiesRequest) ([]*communities.Community, int, error) {

···

       1
        
       package comments

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/core/communities"

     

       5
       +
       	"Coves/internal/core/posts"

     

       6
       +
       	"Coves/internal/core/users"

     

       7
        
       	"context"

     

       8
        
       	"errors"

     

       9
        
       	"testing"

     

       10
        
       	"time"

     

       11
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       12
        
       	"github.com/stretchr/testify/assert"

     

       13
        
       )

     

       14
        
       

     
···

       231
        
       	return nil

     

       232
        
       }

     

       233
        
       

     

       234
       +
       func (m *mockCommunityRepo) List(ctx context.Context, req communities.ListCommunitiesRequest) ([]*communities.Community, error) {

     

       235
       +
       	return nil, nil

     

       236
        
       }

     

       237
        
       

     

       238
        
       func (m *mockCommunityRepo) Search(ctx context.Context, req communities.SearchCommunitiesRequest) ([]*communities.Community, int, error) {

+1 -2

internal/core/communityFeeds/service.go

···

       1
        
       package communityFeeds

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       4
        
       	"context"

     

       5
        
       	"fmt"

     

       6
       -
       

     

       7
       -
       	"Coves/internal/core/communities"

     

       8
        
       )

     

       9
        
       

     

       10
        
       type feedService struct {

···

       1
        
       package communityFeeds

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/core/communities"

     

       5
        
       	"context"

     

       6
        
       	"fmt"

     

       0
        
       
     

       0
        
       
     

       7
        
       )

     

       8
        
       

     

       9
        
       type feedService struct {

+1 -2

internal/core/communityFeeds/types.go

···

       1
        
       package communityFeeds

     

       2
        
       

     

       3
        
       import (

     

       4
       -
       	"time"

     

       5
       -
       

     

       6
        
       	"Coves/internal/core/posts"

     

       0
        
       
     

       7
        
       )

     

       8
        
       

     

       9
        
       // GetCommunityFeedRequest represents input for fetching a community feed

···

       1
        
       package communityFeeds

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       0
        
       
     

       4
        
       	"Coves/internal/core/posts"

     

       5
       +
       	"time"

     

       6
        
       )

     

       7
        
       

     

       8
        
       // GetCommunityFeedRequest represents input for fetching a community feed

+1 -2

internal/core/discover/types.go

···

       1
        
       package discover

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       4
        
       	"context"

     

       5
        
       	"errors"

     

       6
       -
       

     

       7
       -
       	"Coves/internal/core/posts"

     

       8
        
       )

     

       9
        
       

     

       10
        
       // Repository defines discover data access interface

···

       1
        
       package discover

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/core/posts"

     

       5
        
       	"context"

     

       6
        
       	"errors"

     

       0
        
       
     

       0
        
       
     

       7
        
       )

     

       8
        
       

     

       9
        
       // Repository defines discover data access interface

+1 -2

internal/core/timeline/types.go

···

       1
        
       package timeline

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       4
        
       	"context"

     

       5
        
       	"errors"

     

       6
        
       	"time"

     

       7
       -
       

     

       8
       -
       	"Coves/internal/core/posts"

     

       9
        
       )

     

       10
        
       

     

       11
        
       // Repository defines timeline data access interface

···

       1
        
       package timeline

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/core/posts"

     

       5
        
       	"context"

     

       6
        
       	"errors"

     

       7
        
       	"time"

     

       0
        
       
     

       0
        
       
     

       8
        
       )

     

       9
        
       

     

       10
        
       // Repository defines timeline data access interface

+1 -2

internal/core/users/service.go

···

       1
        
       package users

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       4
        
       	"bytes"

     

       5
        
       	"context"

     

       6
        
       	"encoding/json"

     
···

       11
        
       	"regexp"

     

       12
        
       	"strings"

     

       13
        
       	"time"

     

       14
       -
       

     

       15
       -
       	"Coves/internal/atproto/identity"

     

       16
        
       )

     

       17
        
       

     

       18
        
       // atProto handle validation regex (per official atProto spec: https://atproto.com/specs/handle)

···

       1
        
       package users

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/atproto/identity"

     

       5
        
       	"bytes"

     

       6
        
       	"context"

     

       7
        
       	"encoding/json"

     
···

       12
        
       	"regexp"

     

       13
        
       	"strings"

     

       14
        
       	"time"

     

       0
        
       
     

       0
        
       
     

       15
        
       )

     

       16
        
       

     

       17
        
       // atProto handle validation regex (per official atProto spec: https://atproto.com/specs/handle)

+1 -2

internal/db/postgres/aggregator_repo.go

···

       1
        
       package postgres

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       4
        
       	"context"

     

       5
        
       	"database/sql"

     

       6
        
       	"fmt"

     

       7
        
       	"strings"

     

       8
        
       	"time"

     

       9
       -
       

     

       10
       -
       	"Coves/internal/core/aggregators"

     

       11
        
       )

     

       12
        
       

     

       13
        
       type postgresAggregatorRepo struct {

···

       1
        
       package postgres

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/core/aggregators"

     

       5
        
       	"context"

     

       6
        
       	"database/sql"

     

       7
        
       	"fmt"

     

       8
        
       	"strings"

     

       9
        
       	"time"

     

       0
        
       
     

       0
        
       
     

       10
        
       )

     

       11
        
       

     

       12
        
       type postgresAggregatorRepo struct {

+1 -2

internal/db/postgres/comment_repo.go

···

       1
        
       package postgres

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       4
        
       	"context"

     

       5
        
       	"database/sql"

     

       6
        
       	"encoding/base64"

     
···

       8
        
       	"log"

     

       9
        
       	"strings"

     

       10
        
       

     

       11
       -
       	"Coves/internal/core/comments"

     

       12
       -
       

     

       13
        
       	"github.com/lib/pq"

     

       14
        
       )

     

       15

···

       1
        
       package postgres

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/core/comments"

     

       5
        
       	"context"

     

       6
        
       	"database/sql"

     

       7
        
       	"encoding/base64"

     
···

       9
        
       	"log"

     

       10
        
       	"strings"

     

       11
        
       

     

       0
        
       
     

       0
        
       
     

       12
        
       	"github.com/lib/pq"

     

       13
        
       )

     

       14

+1 -2

internal/db/postgres/community_repo_blocks.go

···

       1
        
       package postgres

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       4
        
       	"context"

     

       5
        
       	"database/sql"

     

       6
        
       	"fmt"

     

       7
        
       	"log"

     

       8
       -
       

     

       9
       -
       	"Coves/internal/core/communities"

     

       10
        
       )

     

       11
        
       

     

       12
        
       // BlockCommunity creates a new block record (idempotent)

···

       1
        
       package postgres

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/core/communities"

     

       5
        
       	"context"

     

       6
        
       	"database/sql"

     

       7
        
       	"fmt"

     

       8
        
       	"log"

     

       0
        
       
     

       0
        
       
     

       9
        
       )

     

       10
        
       

     

       11
        
       // BlockCommunity creates a new block record (idempotent)

+1 -2

internal/db/postgres/community_repo_memberships.go

···

       1
        
       package postgres

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       4
        
       	"context"

     

       5
        
       	"database/sql"

     

       6
        
       	"fmt"

     

       7
        
       	"log"

     

       8
        
       	"strings"

     

       9
       -
       

     

       10
       -
       	"Coves/internal/core/communities"

     

       11
        
       )

     

       12
        
       

     

       13
        
       // CreateMembership creates a new membership record

···

       1
        
       package postgres

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/core/communities"

     

       5
        
       	"context"

     

       6
        
       	"database/sql"

     

       7
        
       	"fmt"

     

       8
        
       	"log"

     

       9
        
       	"strings"

     

       0
        
       
     

       0
        
       
     

       10
        
       )

     

       11
        
       

     

       12
        
       // CreateMembership creates a new membership record

+1 -2

internal/db/postgres/community_repo_subscriptions.go

···

       1
        
       package postgres

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       4
        
       	"context"

     

       5
        
       	"database/sql"

     

       6
        
       	"fmt"

     

       7
        
       	"log"

     

       8
        
       	"strings"

     

       9
       -
       

     

       10
       -
       	"Coves/internal/core/communities"

     

       11
        
       )

     

       12
        
       

     

       13
        
       // Subscribe creates a new subscription record

···

       1
        
       package postgres

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/core/communities"

     

       5
        
       	"context"

     

       6
        
       	"database/sql"

     

       7
        
       	"fmt"

     

       8
        
       	"log"

     

       9
        
       	"strings"

     

       0
        
       
     

       0
        
       
     

       10
        
       )

     

       11
        
       

     

       12
        
       // Subscribe creates a new subscription record

+1 -2

internal/db/postgres/post_repo.go

···

       1
        
       package postgres

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       4
        
       	"context"

     

       5
        
       	"database/sql"

     

       6
        
       	"fmt"

     

       7
        
       	"strings"

     

       8
       -
       

     

       9
       -
       	"Coves/internal/core/posts"

     

       10
        
       )

     

       11
        
       

     

       12
        
       type postgresPostRepo struct {

···

       1
        
       package postgres

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/core/posts"

     

       5
        
       	"context"

     

       6
        
       	"database/sql"

     

       7
        
       	"fmt"

     

       8
        
       	"strings"

     

       0
        
       
     

       0
        
       
     

       9
        
       )

     

       10
        
       

     

       11
        
       type postgresPostRepo struct {

+1 -2

internal/db/postgres/user_repo.go

···

       1
        
       package postgres

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       4
        
       	"context"

     

       5
        
       	"database/sql"

     

       6
        
       	"fmt"

     

       7
        
       	"log"

     

       8
        
       	"strings"

     

       9
        
       

     

       10
       -
       	"Coves/internal/core/users"

     

       11
       -
       

     

       12
        
       	"github.com/lib/pq"

     

       13
        
       )

     

       14

···

       1
        
       package postgres

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/core/users"

     

       5
        
       	"context"

     

       6
        
       	"database/sql"

     

       7
        
       	"fmt"

     

       8
        
       	"log"

     

       9
        
       	"strings"

     

       10
        
       

     

       0
        
       
     

       0
        
       
     

       11
        
       	"github.com/lib/pq"

     

       12
        
       )

     

       13

+1 -2

internal/db/postgres/vote_repo.go

···

       1
        
       package postgres

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       4
        
       	"context"

     

       5
        
       	"database/sql"

     

       6
        
       	"fmt"

     

       7
        
       	"strings"

     

       8
       -
       

     

       9
       -
       	"Coves/internal/core/votes"

     

       10
        
       )

     

       11
        
       

     

       12
        
       type postgresVoteRepo struct {

···

       1
        
       package postgres

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/core/votes"

     

       5
        
       	"context"

     

       6
        
       	"database/sql"

     

       7
        
       	"fmt"

     

       8
        
       	"strings"

     

       0
        
       
     

       0
        
       
     

       9
        
       )

     

       10
        
       

     

       11
        
       type postgresVoteRepo struct {

+1 -2

internal/db/postgres/vote_repo_test.go

···

       1
        
       package postgres

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       4
        
       	"context"

     

       5
        
       	"database/sql"

     

       6
        
       	"os"

     

       7
        
       	"testing"

     

       8
        
       	"time"

     

       9
        
       

     

       10
       -
       	"Coves/internal/core/votes"

     

       11
       -
       

     

       12
        
       	_ "github.com/lib/pq"

     

       13
        
       	"github.com/pressly/goose/v3"

     

       14
        
       	"github.com/stretchr/testify/assert"

···

       1
        
       package postgres

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/core/votes"

     

       5
        
       	"context"

     

       6
        
       	"database/sql"

     

       7
        
       	"os"

     

       8
        
       	"testing"

     

       9
        
       	"time"

     

       10
        
       

     

       0
        
       
     

       0
        
       
     

       11
        
       	_ "github.com/lib/pq"

     

       12
        
       	"github.com/pressly/goose/v3"

     

       13
        
       	"github.com/stretchr/testify/assert"

+7 -8

tests/e2e/error_recovery_test.go

···

       1
        
       package e2e

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       4
        
       	"context"

     

       5
        
       	"database/sql"

     

       6
        
       	"fmt"

     
···

       12
        
       	"testing"

     

       13
        
       	"time"

     

       14
        
       

     

       15
       -
       	"Coves/internal/atproto/identity"

     

       16
       -
       	"Coves/internal/atproto/jetstream"

     

       17
       -
       	"Coves/internal/core/users"

     

       18
       -
       	"Coves/internal/db/postgres"

     

       19
       -
       

     

       20
        
       	_ "github.com/lib/pq"

     

       21
        
       	"github.com/pressly/goose/v3"

     

       22
        
       )

     
···

       138
        
       

     

       139
        
       	testCases := []struct {

     

       140
        
       		name      string

     

       141
       -
       		event     jetstream.JetstreamEvent

     

       142
        
       		shouldLog string

     

       0
        
       
     

       143
        
       	}{

     

       144
        
       		{

     

       145
        
       			name: "Nil identity data",

     
···

       348
        
       		if shouldFail.Load() {

     

       349
        
       			t.Logf("Mock PDS: Simulating unavailability (request #%d)", requestCount.Load())

     

       350
        
       			w.WriteHeader(http.StatusServiceUnavailable)

     

       351
       -
       			w.Write([]byte(`{"error":"ServiceUnavailable","message":"PDS temporarily unavailable"}`))

     

       352
        
       			return

     

       353
        
       		}

     

       354
        
       

     

       355
        
       		t.Logf("Mock PDS: Serving request successfully (request #%d)", requestCount.Load())

     

       356
        
       		// Simulate successful PDS response

     

       357
        
       		w.WriteHeader(http.StatusOK)

     

       358
       -
       		w.Write([]byte(`{"did":"did:plc:pdstest123","handle":"pds.test"}`))

     

       359
        
       	}))

     

       360
        
       	defer mockPDS.Close()

     

       361

···

       1
        
       package e2e

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/atproto/identity"

     

       5
       +
       	"Coves/internal/atproto/jetstream"

     

       6
       +
       	"Coves/internal/core/users"

     

       7
       +
       	"Coves/internal/db/postgres"

     

       8
        
       	"context"

     

       9
        
       	"database/sql"

     

       10
        
       	"fmt"

     
···

       16
        
       	"testing"

     

       17
        
       	"time"

     

       18
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       19
        
       	_ "github.com/lib/pq"

     

       20
        
       	"github.com/pressly/goose/v3"

     

       21
        
       )

     
···

       137
        
       

     

       138
        
       	testCases := []struct {

     

       139
        
       		name      string

     

       0
        
       
     

       140
        
       		shouldLog string

     

       141
       +
       		event     jetstream.JetstreamEvent

     

       142
        
       	}{

     

       143
        
       		{

     

       144
        
       			name: "Nil identity data",

     
···

       347
        
       		if shouldFail.Load() {

     

       348
        
       			t.Logf("Mock PDS: Simulating unavailability (request #%d)", requestCount.Load())

     

       349
        
       			w.WriteHeader(http.StatusServiceUnavailable)

     

       350
       +
       			_, _ = w.Write([]byte(`{"error":"ServiceUnavailable","message":"PDS temporarily unavailable"}`))

     

       351
        
       			return

     

       352
        
       		}

     

       353
        
       

     

       354
        
       		t.Logf("Mock PDS: Serving request successfully (request #%d)", requestCount.Load())

     

       355
        
       		// Simulate successful PDS response

     

       356
        
       		w.WriteHeader(http.StatusOK)

     

       357
       +
       		_, _ = w.Write([]byte(`{"did":"did:plc:pdstest123","handle":"pds.test"}`))

     

       358
        
       	}))

     

       359
        
       	defer mockPDS.Close()

     

       360

+4 -5

tests/e2e/user_signup_test.go

···

       1
        
       package e2e

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       4
        
       	"bytes"

     

       5
        
       	"context"

     

       6
        
       	"database/sql"

     
···

       11
        
       	"testing"

     

       12
        
       	"time"

     

       13
        
       

     

       14
       -
       	"Coves/internal/atproto/identity"

     

       15
       -
       	"Coves/internal/atproto/jetstream"

     

       16
       -
       	"Coves/internal/core/users"

     

       17
       -
       	"Coves/internal/db/postgres"

     

       18
       -
       

     

       19
        
       	_ "github.com/lib/pq"

     

       20
        
       	"github.com/pressly/goose/v3"

     

       21
        
       )

···

       1
        
       package e2e

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/atproto/identity"

     

       5
       +
       	"Coves/internal/atproto/jetstream"

     

       6
       +
       	"Coves/internal/core/users"

     

       7
       +
       	"Coves/internal/db/postgres"

     

       8
        
       	"bytes"

     

       9
        
       	"context"

     

       10
        
       	"database/sql"

     
···

       15
        
       	"testing"

     

       16
        
       	"time"

     

       17
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       18
        
       	_ "github.com/lib/pq"

     

       19
        
       	"github.com/pressly/goose/v3"

     

       20
        
       )

+3 -4

tests/integration/aggregator_test.go

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       4
        
       	"context"

     

       5
        
       	"encoding/json"

     

       6
        
       	"fmt"

     

       7
        
       	"testing"

     

       8
        
       	"time"

     

       9
       -
       

     

       10
       -
       	"Coves/internal/core/aggregators"

     

       11
       -
       	"Coves/internal/core/communities"

     

       12
       -
       	"Coves/internal/db/postgres"

     

       13
        
       )

     

       14
        
       

     

       15
        
       // TestAggregatorRepository_Create tests basic aggregator creation

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/core/aggregators"

     

       5
       +
       	"Coves/internal/core/communities"

     

       6
       +
       	"Coves/internal/db/postgres"

     

       7
        
       	"context"

     

       8
        
       	"encoding/json"

     

       9
        
       	"fmt"

     

       10
        
       	"testing"

     

       11
        
       	"time"

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       12
        
       )

     

       13
        
       

     

       14
        
       // TestAggregatorRepository_Create tests basic aggregator creation

+13 -14

tests/integration/blob_upload_e2e_test.go

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       4
        
       	"bytes"

     

       5
        
       	"context"

     

       6
        
       	"encoding/json"

     
···

       15
        
       	"testing"

     

       16
        
       	"time"

     

       17
        
       

     

       18
       -
       	"Coves/internal/atproto/identity"

     

       19
       -
       	"Coves/internal/atproto/jetstream"

     

       20
       -
       	"Coves/internal/core/blobs"

     

       21
       -
       	"Coves/internal/core/communities"

     

       22
       -
       	"Coves/internal/core/posts"

     

       23
       -
       	"Coves/internal/core/users"

     

       24
       -
       	"Coves/internal/db/postgres"

     

       25
       -
       

     

       26
        
       	"github.com/stretchr/testify/assert"

     

       27
        
       	"github.com/stretchr/testify/require"

     

       28
        
       )

     
···

       49
        
       	if err != nil {

     

       50
        
       		t.Skipf("PDS not running at %s: %v. Run 'make dev-up' to start PDS.", pdsURL, err)

     

       51
        
       	}

     

       52
       -
       	defer healthResp.Body.Close()

     

       53
        
       	if healthResp.StatusCode != http.StatusOK {

     

       54
        
       		t.Skipf("PDS health check failed at %s: status %d", pdsURL, healthResp.StatusCode)

     

       55
        
       	}

     
···

       357
        
       	if err != nil {

     

       358
        
       		t.Skipf("PDS not running at %s: %v. Run 'make dev-up' to start PDS.", pdsURL, err)

     

       359
        
       	}

     

       360
       -
       	defer healthResp.Body.Close()

     

       361
        
       	if healthResp.StatusCode != http.StatusOK {

     

       362
        
       		t.Skipf("PDS health check failed at %s: status %d", pdsURL, healthResp.StatusCode)

     

       363
        
       	}

     
···

       545
        
       

     

       546
        
       	t.Run("Accept matching image formats with correct MIME types", func(t *testing.T) {

     

       547
        
       		testCases := []struct {

     

       0
        
       
     

       548
        
       			format     string

     

       549
        
       			mimeType   string

     

       550
       -
       			createFunc func(*testing.T, int, int, color.Color) []byte

     

       551
        
       		}{

     

       552
       -
       			{"PNG", "image/png", createTestPNG},

     

       553
       -
       			{"JPEG", "image/jpeg", createTestJPEG},

     

       554
        
       			// Note: WebP requires external library (golang.org/x/image/webp)

     

       555
        
       			// For now, we test that the MIME type is accepted even with PNG data

     

       556
        
       			// In production, actual WebP validation would happen at PDS

     

       557
       -
       			{"WebP (MIME only)", "image/webp", createTestPNG},

     

       558
        
       		}

     

       559
        
       

     

       560
        
       		for _, tc := range testCases {

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/atproto/identity"

     

       5
       +
       	"Coves/internal/atproto/jetstream"

     

       6
       +
       	"Coves/internal/core/blobs"

     

       7
       +
       	"Coves/internal/core/communities"

     

       8
       +
       	"Coves/internal/core/posts"

     

       9
       +
       	"Coves/internal/core/users"

     

       10
       +
       	"Coves/internal/db/postgres"

     

       11
        
       	"bytes"

     

       12
        
       	"context"

     

       13
        
       	"encoding/json"

     
···

       22
        
       	"testing"

     

       23
        
       	"time"

     

       24
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       25
        
       	"github.com/stretchr/testify/assert"

     

       26
        
       	"github.com/stretchr/testify/require"

     

       27
        
       )

     
···

       48
        
       	if err != nil {

     

       49
        
       		t.Skipf("PDS not running at %s: %v. Run 'make dev-up' to start PDS.", pdsURL, err)

     

       50
        
       	}

     

       51
       +
       	defer func() { _ = healthResp.Body.Close() }()

     

       52
        
       	if healthResp.StatusCode != http.StatusOK {

     

       53
        
       		t.Skipf("PDS health check failed at %s: status %d", pdsURL, healthResp.StatusCode)

     

       54
        
       	}

     
···

       356
        
       	if err != nil {

     

       357
        
       		t.Skipf("PDS not running at %s: %v. Run 'make dev-up' to start PDS.", pdsURL, err)

     

       358
        
       	}

     

       359
       +
       	defer func() { _ = healthResp.Body.Close() }()

     

       360
        
       	if healthResp.StatusCode != http.StatusOK {

     

       361
        
       		t.Skipf("PDS health check failed at %s: status %d", pdsURL, healthResp.StatusCode)

     

       362
        
       	}

     
···

       544
        
       

     

       545
        
       	t.Run("Accept matching image formats with correct MIME types", func(t *testing.T) {

     

       546
        
       		testCases := []struct {

     

       547
       +
       			createFunc func(*testing.T, int, int, color.Color) []byte

     

       548
        
       			format     string

     

       549
        
       			mimeType   string

     

       0
        
       
     

       550
        
       		}{

     

       551
       +
       			{createTestPNG, "PNG", "image/png"},

     

       552
       +
       			{createTestJPEG, "JPEG", "image/jpeg"},

     

       553
        
       			// Note: WebP requires external library (golang.org/x/image/webp)

     

       554
        
       			// For now, we test that the MIME type is accepted even with PNG data

     

       555
        
       			// In production, actual WebP validation would happen at PDS

     

       556
       +
       			{createTestPNG, "WebP (MIME only)", "image/webp"},

     

       557
        
       		}

     

       558
        
       

     

       559
        
       		for _, tc := range testCases {

+14 -14

tests/integration/block_handle_resolution_test.go

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       4
        
       	"bytes"

     

       5
        
       	"context"

     

       6
        
       	"encoding/json"

     
···

       9
        
       	"net/http/httptest"

     

       10
        
       	"testing"

     

       11
        
       

     

       12
       -
       	"Coves/internal/api/handlers/community"

     

       13
       -
       	"Coves/internal/api/middleware"

     

       14
       -
       	"Coves/internal/core/communities"

     

       15
        
       	postgresRepo "Coves/internal/db/postgres"

     

       16
        
       )

     

       17
        
       

     
···

       73
        
       		// We expect 401 (no auth) but verify the error is NOT "Community not found"

     

       74
        
       		// If handle resolution worked, we'd get past that validation

     

       75
        
       		resp := w.Result()

     

       76
       -
       		defer resp.Body.Close()

     

       77
        
       

     

       78
        
       		if resp.StatusCode == http.StatusNotFound {

     

       79
        
       			t.Errorf("Handle resolution failed - got 404 CommunityNotFound")

     
···

       82
        
       		// Expected: 401 Unauthorized (because we didn't add auth context)

     

       83
        
       		if resp.StatusCode != http.StatusUnauthorized {

     

       84
        
       			var errorResp map[string]interface{}

     

       85
       -
       			json.NewDecoder(resp.Body).Decode(&errorResp)

     

       86
        
       			t.Logf("Response status: %d, body: %+v", resp.StatusCode, errorResp)

     

       87
        
       		}

     

       88
        
       	})

     
···

       100
        
       		blockHandler.HandleBlock(w, req)

     

       101
        
       

     

       102
        
       		resp := w.Result()

     

       103
       -
       		defer resp.Body.Close()

     

       104
        
       

     

       105
        
       		if resp.StatusCode == http.StatusNotFound {

     

       106
        
       			t.Errorf("@-prefixed handle resolution failed - got 404 CommunityNotFound")

     
···

       121
        
       		blockHandler.HandleBlock(w, req)

     

       122
        
       

     

       123
        
       		resp := w.Result()

     

       124
       -
       		defer resp.Body.Close()

     

       125
        
       

     

       126
        
       		if resp.StatusCode == http.StatusNotFound {

     

       127
        
       			t.Errorf("Scoped format resolution failed - got 404 CommunityNotFound")

     
···

       141
        
       		blockHandler.HandleBlock(w, req)

     

       142
        
       

     

       143
        
       		resp := w.Result()

     

       144
       -
       		defer resp.Body.Close()

     

       145
        
       

     

       146
        
       		if resp.StatusCode == http.StatusNotFound {

     

       147
        
       			t.Errorf("DID resolution failed - got 404 CommunityNotFound")

     
···

       202
        
       				blockHandler.HandleBlock(w, req)

     

       203
        
       

     

       204
        
       				resp := w.Result()

     

       205
       -
       				defer resp.Body.Close()

     

       206
        
       

     

       207
        
       				// Should return 400 Bad Request for validation errors

     

       208
        
       				if resp.StatusCode != http.StatusBadRequest {

     
···

       210
        
       				}

     

       211
        
       

     

       212
        
       				var errorResp map[string]interface{}

     

       213
       -
       				json.NewDecoder(resp.Body).Decode(&errorResp)

     

       214
        
       

     

       215
        
       				if errorCode, ok := errorResp["error"].(string); !ok || errorCode != "InvalidRequest" {

     

       216
        
       					t.Errorf("Expected error code 'InvalidRequest', got %v", errorResp["error"])

     
···

       242
        
       		blockHandler.HandleBlock(w, req)

     

       243
        
       

     

       244
        
       		resp := w.Result()

     

       245
       -
       		defer resp.Body.Close()

     

       246
        
       

     

       247
        
       		// Expected: 401 (auth check happens before resolution)

     

       248
        
       		// In a real scenario with auth, invalid handle would return 404

     
···

       299
        
       		blockHandler.HandleUnblock(w, req)

     

       300
        
       

     

       301
        
       		resp := w.Result()

     

       302
       -
       		defer resp.Body.Close()

     

       303
        
       

     

       304
        
       		// Should NOT be 404 (handle resolution should work)

     

       305
        
       		if resp.StatusCode == http.StatusNotFound {

     
···

       309
        
       		// Expected: 401 (no auth context)

     

       310
        
       		if resp.StatusCode != http.StatusUnauthorized {

     

       311
        
       			var errorResp map[string]interface{}

     

       312
       -
       			json.NewDecoder(resp.Body).Decode(&errorResp)

     

       313
        
       			t.Logf("Response: status=%d, body=%+v", resp.StatusCode, errorResp)

     

       314
        
       		}

     

       315
        
       	})

     
···

       328
        
       		blockHandler.HandleUnblock(w, req)

     

       329
        
       

     

       330
        
       		resp := w.Result()

     

       331
       -
       		defer resp.Body.Close()

     

       332
        
       

     

       333
        
       		// Expected: 401 (auth check happens before resolution)

     

       334
        
       		if resp.StatusCode != http.StatusUnauthorized && resp.StatusCode != http.StatusNotFound {

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/api/handlers/community"

     

       5
       +
       	"Coves/internal/api/middleware"

     

       6
       +
       	"Coves/internal/core/communities"

     

       7
        
       	"bytes"

     

       8
        
       	"context"

     

       9
        
       	"encoding/json"

     
···

       12
        
       	"net/http/httptest"

     

       13
        
       	"testing"

     

       14
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       15
        
       	postgresRepo "Coves/internal/db/postgres"

     

       16
        
       )

     

       17
        
       

     
···

       73
        
       		// We expect 401 (no auth) but verify the error is NOT "Community not found"

     

       74
        
       		// If handle resolution worked, we'd get past that validation

     

       75
        
       		resp := w.Result()

     

       76
       +
       		defer func() { _ = resp.Body.Close() }()

     

       77
        
       

     

       78
        
       		if resp.StatusCode == http.StatusNotFound {

     

       79
        
       			t.Errorf("Handle resolution failed - got 404 CommunityNotFound")

     
···

       82
        
       		// Expected: 401 Unauthorized (because we didn't add auth context)

     

       83
        
       		if resp.StatusCode != http.StatusUnauthorized {

     

       84
        
       			var errorResp map[string]interface{}

     

       85
       +
       			_ = json.NewDecoder(resp.Body).Decode(&errorResp)

     

       86
        
       			t.Logf("Response status: %d, body: %+v", resp.StatusCode, errorResp)

     

       87
        
       		}

     

       88
        
       	})

     
···

       100
        
       		blockHandler.HandleBlock(w, req)

     

       101
        
       

     

       102
        
       		resp := w.Result()

     

       103
       +
       		defer func() { _ = resp.Body.Close() }()

     

       104
        
       

     

       105
        
       		if resp.StatusCode == http.StatusNotFound {

     

       106
        
       			t.Errorf("@-prefixed handle resolution failed - got 404 CommunityNotFound")

     
···

       121
        
       		blockHandler.HandleBlock(w, req)

     

       122
        
       

     

       123
        
       		resp := w.Result()

     

       124
       +
       		defer func() { _ = resp.Body.Close() }()

     

       125
        
       

     

       126
        
       		if resp.StatusCode == http.StatusNotFound {

     

       127
        
       			t.Errorf("Scoped format resolution failed - got 404 CommunityNotFound")

     
···

       141
        
       		blockHandler.HandleBlock(w, req)

     

       142
        
       

     

       143
        
       		resp := w.Result()

     

       144
       +
       		defer func() { _ = resp.Body.Close() }()

     

       145
        
       

     

       146
        
       		if resp.StatusCode == http.StatusNotFound {

     

       147
        
       			t.Errorf("DID resolution failed - got 404 CommunityNotFound")

     
···

       202
        
       				blockHandler.HandleBlock(w, req)

     

       203
        
       

     

       204
        
       				resp := w.Result()

     

       205
       +
       				defer func() { _ = resp.Body.Close() }()

     

       206
        
       

     

       207
        
       				// Should return 400 Bad Request for validation errors

     

       208
        
       				if resp.StatusCode != http.StatusBadRequest {

     
···

       210
        
       				}

     

       211
        
       

     

       212
        
       				var errorResp map[string]interface{}

     

       213
       +
       				_ = json.NewDecoder(resp.Body).Decode(&errorResp)

     

       214
        
       

     

       215
        
       				if errorCode, ok := errorResp["error"].(string); !ok || errorCode != "InvalidRequest" {

     

       216
        
       					t.Errorf("Expected error code 'InvalidRequest', got %v", errorResp["error"])

     
···

       242
        
       		blockHandler.HandleBlock(w, req)

     

       243
        
       

     

       244
        
       		resp := w.Result()

     

       245
       +
       		defer func() { _ = resp.Body.Close() }()

     

       246
        
       

     

       247
        
       		// Expected: 401 (auth check happens before resolution)

     

       248
        
       		// In a real scenario with auth, invalid handle would return 404

     
···

       299
        
       		blockHandler.HandleUnblock(w, req)

     

       300
        
       

     

       301
        
       		resp := w.Result()

     

       302
       +
       		defer func() { _ = resp.Body.Close() }()

     

       303
        
       

     

       304
        
       		// Should NOT be 404 (handle resolution should work)

     

       305
        
       		if resp.StatusCode == http.StatusNotFound {

     
···

       309
        
       		// Expected: 401 (no auth context)

     

       310
        
       		if resp.StatusCode != http.StatusUnauthorized {

     

       311
        
       			var errorResp map[string]interface{}

     

       312
       +
       			_ = json.NewDecoder(resp.Body).Decode(&errorResp)

     

       313
        
       			t.Logf("Response: status=%d, body=%+v", resp.StatusCode, errorResp)

     

       314
        
       		}

     

       315
        
       	})

     
···

       328
        
       		blockHandler.HandleUnblock(w, req)

     

       329
        
       

     

       330
        
       		resp := w.Result()

     

       331
       +
       		defer func() { _ = resp.Body.Close() }()

     

       332
        
       

     

       333
        
       		// Expected: 401 (auth check happens before resolution)

     

       334
        
       		if resp.StatusCode != http.StatusUnauthorized && resp.StatusCode != http.StatusNotFound {

+2 -3

tests/integration/community_blocking_test.go

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       0
        
       
     

       4
        
       	"context"

     

       5
        
       	"database/sql"

     

       6
        
       	"fmt"

     

       7
        
       	"testing"

     

       8
        
       	"time"

     

       9
        
       

     

       10
       -
       	"Coves/internal/atproto/jetstream"

     

       11
       -
       	"Coves/internal/core/communities"

     

       12
       -
       

     

       13
        
       	postgresRepo "Coves/internal/db/postgres"

     

       14
        
       )

     

       15

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/atproto/jetstream"

     

       5
       +
       	"Coves/internal/core/communities"

     

       6
        
       	"context"

     

       7
        
       	"database/sql"

     

       8
        
       	"fmt"

     

       9
        
       	"testing"

     

       10
        
       	"time"

     

       11
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       12
        
       	postgresRepo "Coves/internal/db/postgres"

     

       13
        
       )

     

       14

+4 -5

tests/integration/community_consumer_test.go

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       4
        
       	"context"

     

       5
        
       	"errors"

     

       6
        
       	"fmt"

     

       7
        
       	"testing"

     

       8
        
       	"time"

     

       9
       -
       

     

       10
       -
       	"Coves/internal/atproto/identity"

     

       11
       -
       	"Coves/internal/atproto/jetstream"

     

       12
       -
       	"Coves/internal/core/communities"

     

       13
       -
       	"Coves/internal/db/postgres"

     

       14
        
       )

     

       15
        
       

     

       16
        
       func TestCommunityConsumer_HandleCommunityProfile(t *testing.T) {

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/atproto/identity"

     

       5
       +
       	"Coves/internal/atproto/jetstream"

     

       6
       +
       	"Coves/internal/core/communities"

     

       7
       +
       	"Coves/internal/db/postgres"

     

       8
        
       	"context"

     

       9
        
       	"errors"

     

       10
        
       	"fmt"

     

       11
        
       	"testing"

     

       12
        
       	"time"

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       13
        
       )

     

       14
        
       

     

       15
        
       func TestCommunityConsumer_HandleCommunityProfile(t *testing.T) {

+2 -3

tests/integration/community_credentials_test.go

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       0
        
       
     

       4
        
       	"context"

     

       5
        
       	"fmt"

     

       6
        
       	"testing"

     

       7
        
       	"time"

     

       8
       -
       

     

       9
       -
       	"Coves/internal/core/communities"

     

       10
       -
       	"Coves/internal/db/postgres"

     

       11
        
       )

     

       12
        
       

     

       13
        
       // TestCommunityRepository_CredentialPersistence tests that PDS credentials are properly persisted

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/core/communities"

     

       5
       +
       	"Coves/internal/db/postgres"

     

       6
        
       	"context"

     

       7
        
       	"fmt"

     

       8
        
       	"testing"

     

       9
        
       	"time"

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       10
        
       )

     

       11
        
       

     

       12
        
       // TestCommunityRepository_CredentialPersistence tests that PDS credentials are properly persisted

+2 -3

tests/integration/community_identifier_resolution_test.go

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       0
        
       
     

       4
        
       	"context"

     

       5
        
       	"fmt"

     

       6
        
       	"os"

     
···

       8
        
       	"testing"

     

       9
        
       	"time"

     

       10
        
       

     

       11
       -
       	"Coves/internal/core/communities"

     

       12
       -
       	"Coves/internal/db/postgres"

     

       13
       -
       

     

       14
        
       	"github.com/stretchr/testify/assert"

     

       15
        
       	"github.com/stretchr/testify/require"

     

       16
        
       )

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/core/communities"

     

       5
       +
       	"Coves/internal/db/postgres"

     

       6
        
       	"context"

     

       7
        
       	"fmt"

     

       8
        
       	"os"

     
···

       10
        
       	"testing"

     

       11
        
       	"time"

     

       12
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       13
        
       	"github.com/stretchr/testify/assert"

     

       14
        
       	"github.com/stretchr/testify/require"

     

       15
        
       )

+2 -3

tests/integration/community_provisioning_test.go

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       0
        
       
     

       4
        
       	"context"

     

       5
        
       	"fmt"

     

       6
        
       	"strings"

     

       7
        
       	"testing"

     

       8
        
       	"time"

     

       9
       -
       

     

       10
       -
       	"Coves/internal/core/communities"

     

       11
       -
       	"Coves/internal/db/postgres"

     

       12
        
       )

     

       13
        
       

     

       14
        
       // TestCommunityRepository_PasswordEncryption verifies P0 fix:

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/core/communities"

     

       5
       +
       	"Coves/internal/db/postgres"

     

       6
        
       	"context"

     

       7
        
       	"fmt"

     

       8
        
       	"strings"

     

       9
        
       	"testing"

     

       10
        
       	"time"

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       11
        
       )

     

       12
        
       

     

       13
        
       // TestCommunityRepository_PasswordEncryption verifies P0 fix:

+2 -3

tests/integration/community_service_integration_test.go

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       0
        
       
     

       4
        
       	"bytes"

     

       5
        
       	"context"

     

       6
        
       	"encoding/json"

     
···

       10
        
       	"strings"

     

       11
        
       	"testing"

     

       12
        
       	"time"

     

       13
       -
       

     

       14
       -
       	"Coves/internal/core/communities"

     

       15
       -
       	"Coves/internal/db/postgres"

     

       16
        
       )

     

       17
        
       

     

       18
        
       // TestCommunityService_CreateWithRealPDS tests the complete service layer flow

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/core/communities"

     

       5
       +
       	"Coves/internal/db/postgres"

     

       6
        
       	"bytes"

     

       7
        
       	"context"

     

       8
        
       	"encoding/json"

     
···

       12
        
       	"strings"

     

       13
        
       	"testing"

     

       14
        
       	"time"

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       15
        
       )

     

       16
        
       

     

       17
        
       // TestCommunityService_CreateWithRealPDS tests the complete service layer flow

+3 -4

tests/integration/community_v2_validation_test.go

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       4
        
       	"context"

     

       5
        
       	"fmt"

     

       6
        
       	"testing"

     

       7
        
       	"time"

     

       8
       -
       

     

       9
       -
       	"Coves/internal/atproto/jetstream"

     

       10
       -
       	"Coves/internal/core/communities"

     

       11
       -
       	"Coves/internal/db/postgres"

     

       12
        
       )

     

       13
        
       

     

       14
        
       // TestCommunityConsumer_V2RKeyValidation tests that only V2 communities (rkey="self") are accepted

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/atproto/jetstream"

     

       5
       +
       	"Coves/internal/core/communities"

     

       6
       +
       	"Coves/internal/db/postgres"

     

       7
        
       	"context"

     

       8
        
       	"fmt"

     

       9
        
       	"testing"

     

       10
        
       	"time"

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       11
        
       )

     

       12
        
       

     

       13
        
       // TestCommunityConsumer_V2RKeyValidation tests that only V2 communities (rkey="self") are accepted

+6 -7

tests/integration/concurrent_scenarios_test.go

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       4
       -
       	"context"

     

       5
       -
       	"fmt"

     

       6
       -
       	"sync"

     

       7
       -
       	"testing"

     

       8
       -
       	"time"

     

       9
       -
       

     

       10
        
       	"Coves/internal/atproto/jetstream"

     

       11
        
       	"Coves/internal/core/comments"

     

       12
        
       	"Coves/internal/core/communities"

     

       13
        
       	"Coves/internal/core/users"

     

       14
        
       	"Coves/internal/db/postgres"

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       15
        
       )

     

       16
        
       

     

       17
        
       // TestConcurrentVoting_MultipleUsersOnSamePost tests race conditions when multiple users

     
···

       611
        
       		wg.Add(numAttempts)

     

       612
        
       

     

       613
        
       		type result struct {

     

       614
       -
       			success bool

     

       615
        
       			err     error

     

       0
        
       
     

       616
        
       		}

     

       617
        
       		results := make(chan result, numAttempts)

     

       618

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       4
        
       	"Coves/internal/atproto/jetstream"

     

       5
        
       	"Coves/internal/core/comments"

     

       6
        
       	"Coves/internal/core/communities"

     

       7
        
       	"Coves/internal/core/users"

     

       8
        
       	"Coves/internal/db/postgres"

     

       9
       +
       	"context"

     

       10
       +
       	"fmt"

     

       11
       +
       	"sync"

     

       12
       +
       	"testing"

     

       13
       +
       	"time"

     

       14
        
       )

     

       15
        
       

     

       16
        
       // TestConcurrentVoting_MultipleUsersOnSamePost tests race conditions when multiple users

     
···

       610
        
       		wg.Add(numAttempts)

     

       611
        
       

     

       612
        
       		type result struct {

     

       0
        
       
     

       613
        
       			err     error

     

       614
       +
       			success bool

     

       615
        
       		}

     

       616
        
       		results := make(chan result, numAttempts)

     

       617

+2 -3

tests/integration/discover_test.go

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       0
        
       
     

       4
        
       	"context"

     

       5
        
       	"encoding/json"

     

       6
        
       	"fmt"

     
···

       9
        
       	"testing"

     

       10
        
       	"time"

     

       11
        
       

     

       12
       -
       	"Coves/internal/api/handlers/discover"

     

       13
       -
       	"Coves/internal/db/postgres"

     

       14
       -
       

     

       15
        
       	discoverCore "Coves/internal/core/discover"

     

       16
        
       

     

       17
        
       	"github.com/stretchr/testify/assert"

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/api/handlers/discover"

     

       5
       +
       	"Coves/internal/db/postgres"

     

       6
        
       	"context"

     

       7
        
       	"encoding/json"

     

       8
        
       	"fmt"

     
···

       11
        
       	"testing"

     

       12
        
       	"time"

     

       13
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       14
        
       	discoverCore "Coves/internal/core/discover"

     

       15
        
       

     

       16
        
       	"github.com/stretchr/testify/assert"

+4 -5

tests/integration/feed_test.go

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       4
        
       	"context"

     

       5
        
       	"encoding/json"

     

       6
        
       	"fmt"

     
···

       9
        
       	"testing"

     

       10
        
       	"time"

     

       11
        
       

     

       12
       -
       	"Coves/internal/api/handlers/communityFeed"

     

       13
       -
       	"Coves/internal/core/communities"

     

       14
       -
       	"Coves/internal/core/communityFeeds"

     

       15
       -
       	"Coves/internal/db/postgres"

     

       16
       -
       

     

       17
        
       	"github.com/stretchr/testify/assert"

     

       18
        
       	"github.com/stretchr/testify/require"

     

       19
        
       )

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/api/handlers/communityFeed"

     

       5
       +
       	"Coves/internal/core/communities"

     

       6
       +
       	"Coves/internal/core/communityFeeds"

     

       7
       +
       	"Coves/internal/db/postgres"

     

       8
        
       	"context"

     

       9
        
       	"encoding/json"

     

       10
        
       	"fmt"

     
···

       13
        
       	"testing"

     

       14
        
       	"time"

     

       15
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       16
        
       	"github.com/stretchr/testify/assert"

     

       17
        
       	"github.com/stretchr/testify/require"

     

       18
        
       )

+1 -2

tests/integration/identity_resolution_test.go

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       4
        
       	"context"

     

       5
        
       	"fmt"

     

       6
        
       	"os"

     

       7
        
       	"testing"

     

       8
        
       	"time"

     

       9
       -
       

     

       10
       -
       	"Coves/internal/atproto/identity"

     

       11
        
       )

     

       12
        
       

     

       13
        
       // uniqueID generates a unique identifier for test isolation

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/atproto/identity"

     

       5
        
       	"context"

     

       6
        
       	"fmt"

     

       7
        
       	"os"

     

       8
        
       	"testing"

     

       9
        
       	"time"

     

       0
        
       
     

       0
        
       
     

       10
        
       )

     

       11
        
       

     

       12
        
       // uniqueID generates a unique identifier for test isolation

+3 -4

tests/integration/jetstream_consumer_test.go

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       4
       -
       	"context"

     

       5
       -
       	"testing"

     

       6
       -
       	"time"

     

       7
       -
       

     

       8
        
       	"Coves/internal/atproto/identity"

     

       9
        
       	"Coves/internal/atproto/jetstream"

     

       10
        
       	"Coves/internal/core/users"

     

       11
        
       	"Coves/internal/db/postgres"

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       12
        
       )

     

       13
        
       

     

       14
        
       func TestUserIndexingFromJetstream(t *testing.T) {

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       4
        
       	"Coves/internal/atproto/identity"

     

       5
        
       	"Coves/internal/atproto/jetstream"

     

       6
        
       	"Coves/internal/core/users"

     

       7
        
       	"Coves/internal/db/postgres"

     

       8
       +
       	"context"

     

       9
       +
       	"testing"

     

       10
       +
       	"time"

     

       11
        
       )

     

       12
        
       

     

       13
        
       func TestUserIndexingFromJetstream(t *testing.T) {

+3 -4

tests/integration/jwt_verification_test.go

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       0
        
       
     

       4
        
       	"fmt"

     

       5
        
       	"net/http"

     

       6
        
       	"net/http/httptest"

     
···

       8
        
       	"strings"

     

       9
        
       	"testing"

     

       10
        
       	"time"

     

       11
       -
       

     

       12
       -
       	"Coves/internal/api/middleware"

     

       13
       -
       	"Coves/internal/atproto/auth"

     

       14
        
       )

     

       15
        
       

     

       16
        
       // TestJWTSignatureVerification tests end-to-end JWT signature verification

     
···

       46
        
       	// Check if JWKS is available (production PDS) or symmetric secret (dev PDS)

     

       47
        
       	jwksResp, _ := http.Get(pdsURL + "/oauth/jwks")

     

       48
        
       	if jwksResp != nil {

     

       49
       -
       		defer jwksResp.Body.Close()

     

       50
        
       	}

     

       51
        
       

     

       52
        
       	t.Run("JWT parsing and middleware integration", func(t *testing.T) {

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/api/middleware"

     

       5
       +
       	"Coves/internal/atproto/auth"

     

       6
        
       	"fmt"

     

       7
        
       	"net/http"

     

       8
        
       	"net/http/httptest"

     
···

       10
        
       	"strings"

     

       11
        
       	"testing"

     

       12
        
       	"time"

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       13
        
       )

     

       14
        
       

     

       15
        
       // TestJWTSignatureVerification tests end-to-end JWT signature verification

     
···

       45
        
       	// Check if JWKS is available (production PDS) or symmetric secret (dev PDS)

     

       46
        
       	jwksResp, _ := http.Get(pdsURL + "/oauth/jwks")

     

       47
        
       	if jwksResp != nil {

     

       48
       +
       		defer func() { _ = jwksResp.Body.Close() }()

     

       49
        
       	}

     

       50
        
       

     

       51
        
       	t.Run("JWT parsing and middleware integration", func(t *testing.T) {

+3 -4

tests/integration/post_consumer_test.go

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       4
        
       	"context"

     

       5
        
       	"fmt"

     

       6
        
       	"testing"

     

       7
        
       	"time"

     

       8
       -
       

     

       9
       -
       	"Coves/internal/atproto/jetstream"

     

       10
       -
       	"Coves/internal/core/users"

     

       11
       -
       	"Coves/internal/db/postgres"

     

       12
        
       )

     

       13
        
       

     

       14
        
       // TestPostConsumer_CommentCountReconciliation tests that post comment_count

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/atproto/jetstream"

     

       5
       +
       	"Coves/internal/core/users"

     

       6
       +
       	"Coves/internal/db/postgres"

     

       7
        
       	"context"

     

       8
        
       	"fmt"

     

       9
        
       	"testing"

     

       10
        
       	"time"

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       11
        
       )

     

       12
        
       

     

       13
        
       // TestPostConsumer_CommentCountReconciliation tests that post comment_count

+5 -6

tests/integration/post_thumb_validation_test.go

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       4
        
       	"bytes"

     

       5
        
       	"context"

     

       6
        
       	"encoding/json"

     
···

       8
        
       	"net/http/httptest"

     

       9
        
       	"testing"

     

       10
        
       

     

       11
       -
       	"Coves/internal/api/handlers/post"

     

       12
       -
       	"Coves/internal/api/middleware"

     

       13
       -
       	"Coves/internal/core/communities"

     

       14
       -
       	"Coves/internal/core/posts"

     

       15
       -
       	"Coves/internal/db/postgres"

     

       16
       -
       

     

       17
        
       	"github.com/stretchr/testify/assert"

     

       18
        
       	"github.com/stretchr/testify/require"

     

       19
        
       )

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/api/handlers/post"

     

       5
       +
       	"Coves/internal/api/middleware"

     

       6
       +
       	"Coves/internal/core/communities"

     

       7
       +
       	"Coves/internal/core/posts"

     

       8
       +
       	"Coves/internal/db/postgres"

     

       9
        
       	"bytes"

     

       10
        
       	"context"

     

       11
        
       	"encoding/json"

     
···

       13
        
       	"net/http/httptest"

     

       14
        
       	"testing"

     

       15
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       16
        
       	"github.com/stretchr/testify/assert"

     

       17
        
       	"github.com/stretchr/testify/require"

     

       18
        
       )

+5 -6

tests/integration/post_unfurl_test.go

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       4
       -
       	"context"

     

       5
       -
       	"encoding/json"

     

       6
       -
       	"fmt"

     

       7
       -
       	"testing"

     

       8
       -
       	"time"

     

       9
       -
       

     

       10
        
       	"Coves/internal/api/middleware"

     

       11
        
       	"Coves/internal/atproto/identity"

     

       12
        
       	"Coves/internal/atproto/jetstream"

     
···

       15
        
       	"Coves/internal/core/unfurl"

     

       16
        
       	"Coves/internal/core/users"

     

       17
        
       	"Coves/internal/db/postgres"

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       18
        
       

     

       19
        
       	"github.com/stretchr/testify/assert"

     

       20
        
       	"github.com/stretchr/testify/require"

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       4
        
       	"Coves/internal/api/middleware"

     

       5
        
       	"Coves/internal/atproto/identity"

     

       6
        
       	"Coves/internal/atproto/jetstream"

     
···

       9
        
       	"Coves/internal/core/unfurl"

     

       10
        
       	"Coves/internal/core/users"

     

       11
        
       	"Coves/internal/db/postgres"

     

       12
       +
       	"context"

     

       13
       +
       	"encoding/json"

     

       14
       +
       	"fmt"

     

       15
       +
       	"testing"

     

       16
       +
       	"time"

     

       17
        
       

     

       18
        
       	"github.com/stretchr/testify/assert"

     

       19
        
       	"github.com/stretchr/testify/require"

+2 -3

tests/integration/subscription_indexing_test.go

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       0
        
       
     

       4
        
       	"context"

     

       5
        
       	"database/sql"

     

       6
        
       	"fmt"

     

       7
        
       	"testing"

     

       8
        
       	"time"

     

       9
        
       

     

       10
       -
       	"Coves/internal/atproto/jetstream"

     

       11
       -
       	"Coves/internal/core/communities"

     

       12
       -
       

     

       13
        
       	postgresRepo "Coves/internal/db/postgres"

     

       14
        
       )

     

       15

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/atproto/jetstream"

     

       5
       +
       	"Coves/internal/core/communities"

     

       6
        
       	"context"

     

       7
        
       	"database/sql"

     

       8
        
       	"fmt"

     

       9
        
       	"testing"

     

       10
        
       	"time"

     

       11
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       12
        
       	postgresRepo "Coves/internal/db/postgres"

     

       13
        
       )

     

       14

+2 -3

tests/integration/token_refresh_test.go

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       0
        
       
     

       4
        
       	"context"

     

       5
        
       	"encoding/base64"

     

       6
        
       	"encoding/json"

     

       7
        
       	"fmt"

     

       8
        
       	"testing"

     

       9
        
       	"time"

     

       10
       -
       

     

       11
       -
       	"Coves/internal/core/communities"

     

       12
       -
       	"Coves/internal/db/postgres"

     

       13
        
       )

     

       14
        
       

     

       15
        
       // TestTokenRefresh_ExpirationDetection tests the NeedsRefresh function with various token states

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/core/communities"

     

       5
       +
       	"Coves/internal/db/postgres"

     

       6
        
       	"context"

     

       7
        
       	"encoding/base64"

     

       8
        
       	"encoding/json"

     

       9
        
       	"fmt"

     

       10
        
       	"testing"

     

       11
        
       	"time"

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       12
        
       )

     

       13
        
       

     

       14
        
       // TestTokenRefresh_ExpirationDetection tests the NeedsRefresh function with various token states

+11 -11

tests/integration/user_journey_e2e_test.go

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       4
        
       	"bytes"

     

       5
        
       	"context"

     

       6
        
       	"database/sql"

     
···

       14
        
       	"testing"

     

       15
        
       	"time"

     

       16
        
       

     

       17
       -
       	"Coves/internal/api/middleware"

     

       18
       -
       	"Coves/internal/api/routes"

     

       19
       -
       	"Coves/internal/atproto/identity"

     

       20
       -
       	"Coves/internal/atproto/jetstream"

     

       21
       -
       	"Coves/internal/core/communities"

     

       22
       -
       	"Coves/internal/core/posts"

     

       23
        
       	timelineCore "Coves/internal/core/timeline"

     

       24
       -
       	"Coves/internal/core/users"

     

       25
       -
       	"Coves/internal/db/postgres"

     

       26
        
       

     

       27
        
       	"github.com/go-chi/chi/v5"

     

       28
        
       	"github.com/gorilla/websocket"

     
···

       234
        
       

     

       235
        
       		resp, err := http.DefaultClient.Do(req)

     

       236
        
       		require.NoError(t, err)

     

       237
       -
       		defer resp.Body.Close()

     

       238
        
       

     

       239
        
       		require.Equal(t, http.StatusOK, resp.StatusCode, "Community creation should succeed")

     

       240
        
       

     
···

       318
        
       

     

       319
        
       		resp, err := http.DefaultClient.Do(req)

     

       320
        
       		require.NoError(t, err)

     

       321
       -
       		defer resp.Body.Close()

     

       322
        
       

     

       323
        
       		require.Equal(t, http.StatusOK, resp.StatusCode, "Post creation should succeed")

     

       324
        
       

     
···

       425
        
       

     

       426
        
       		resp, err := http.DefaultClient.Do(req)

     

       427
        
       		require.NoError(t, err)

     

       428
       -
       		defer resp.Body.Close()

     

       429
        
       

     

       430
        
       		require.Equal(t, http.StatusOK, resp.StatusCode, "Subscription should succeed")

     

       431

···

       1
        
       package integration

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/api/middleware"

     

       5
       +
       	"Coves/internal/api/routes"

     

       6
       +
       	"Coves/internal/atproto/identity"

     

       7
       +
       	"Coves/internal/atproto/jetstream"

     

       8
       +
       	"Coves/internal/core/communities"

     

       9
       +
       	"Coves/internal/core/posts"

     

       10
       +
       	"Coves/internal/core/users"

     

       11
       +
       	"Coves/internal/db/postgres"

     

       12
        
       	"bytes"

     

       13
        
       	"context"

     

       14
        
       	"database/sql"

     
···

       22
        
       	"testing"

     

       23
        
       	"time"

     

       24
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       25
        
       	timelineCore "Coves/internal/core/timeline"

     

       0
        
       
     

       0
        
       
     

       26
        
       

     

       27
        
       	"github.com/go-chi/chi/v5"

     

       28
        
       	"github.com/gorilla/websocket"

     
···

       234
        
       

     

       235
        
       		resp, err := http.DefaultClient.Do(req)

     

       236
        
       		require.NoError(t, err)

     

       237
       +
       		defer func() { _ = resp.Body.Close() }()

     

       238
        
       

     

       239
        
       		require.Equal(t, http.StatusOK, resp.StatusCode, "Community creation should succeed")

     

       240
        
       

     
···

       318
        
       

     

       319
        
       		resp, err := http.DefaultClient.Do(req)

     

       320
        
       		require.NoError(t, err)

     

       321
       +
       		defer func() { _ = resp.Body.Close() }()

     

       322
        
       

     

       323
        
       		require.Equal(t, http.StatusOK, resp.StatusCode, "Post creation should succeed")

     

       324
        
       

     
···

       425
        
       

     

       426
        
       		resp, err := http.DefaultClient.Do(req)

     

       427
        
       		require.NoError(t, err)

     

       428
       +
       		defer func() { _ = resp.Body.Close() }()

     

       429
        
       

     

       430
        
       		require.Equal(t, http.StatusOK, resp.StatusCode, "Subscription should succeed")

     

       431

+1 -2

tests/unit/community_service_test.go

···

       1
        
       package unit

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       4
        
       	"context"

     

       5
        
       	"fmt"

     

       6
        
       	"net/http"

     
···

       9
        
       	"sync/atomic"

     

       10
        
       	"testing"

     

       11
        
       	"time"

     

       12
       -
       

     

       13
       -
       	"Coves/internal/core/communities"

     

       14
        
       )

     

       15
        
       

     

       16
        
       // mockCommunityRepo is a minimal mock for testing service layer

···

       1
        
       package unit

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/core/communities"

     

       5
        
       	"context"

     

       6
        
       	"fmt"

     

       7
        
       	"net/http"

     
···

       10
        
       	"sync/atomic"

     

       11
        
       	"testing"

     

       12
        
       	"time"

     

       0
        
       
     

       0
        
       
     

       13
        
       )

     

       14
        
       

     

       15
        
       // mockCommunityRepo is a minimal mock for testing service layer

+23

static/.well-known/did.json

···

       1
       +
       {

     

       2
       +
         "@context": [

     

       3
       +
           "https://www.w3.org/ns/did/v1",

     

       4
       +
           "https://w3id.org/security/multikey/v1"

     

       5
       +
         ],

     

       6
       +
         "id": "did:web:coves.social",

     

       7
       +
         "alsoKnownAs": ["at://coves.social"],

     

       8
       +
         "verificationMethod": [

     

       9
       +
           {

     

       10
       +
             "id": "did:web:coves.social#atproto",

     

       11
       +
             "type": "Multikey",

     

       12
       +
             "controller": "did:web:coves.social",

     

       13
       +
             "publicKeyMultibase": "zQ3shu1T3Y3MYoC1n7fCqkZqyrk8FiY3PV3BYM2JwyqcXFY6s"

     

       14
       +
           }

     

       15
       +
         ],

     

       16
       +
         "service": [

     

       17
       +
           {

     

       18
       +
             "id": "#atproto_pds",

     

       19
       +
             "type": "AtprotoPersonalDataServer",

     

       20
       +
             "serviceEndpoint": "https://pds.coves.me"

     

       21
       +
           }

     

       22
       +
         ]

     

       23
       +
       }

+1 -1

docs/E2E_TESTING.md

···

       93
        
       

     

       94
        
       Query via API:

     

       95
        
       ```bash

     

       96
       -
       curl "http://localhost:8081/xrpc/social.coves.actor.getProfile?actor=alice.local.coves.dev"

     

       97
        
       ```

     

       98
        
       

     

       99
        
       Expected response:

···

       93
        
       

     

       94
        
       Query via API:

     

       95
        
       ```bash

     

       96
       +
       curl "http://localhost:8081/xrpc/social.coves.actor.getprofile?actor=alice.local.coves.dev"

     

       97
        
       ```

     

       98
        
       

     

       99
        
       Expected response:

+52

internal/atproto/auth/combined_key_fetcher.go

···

       1
       +
       package auth

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"context"

     

       5
       +
       	"fmt"

     

       6
       +
       	"strings"

     

       7
       +
       

     

       8
       +
       	indigoIdentity "github.com/bluesky-social/indigo/atproto/identity"

     

       9
       +
       )

     

       10
       +
       

     

       11
       +
       // CombinedKeyFetcher handles JWT public key fetching for both:

     

       12
       +
       // - DID issuers (did:plc:, did:web:) → resolves via DID document

     

       13
       +
       // - URL issuers (https://) → fetches via JWKS endpoint (legacy/fallback)

     

       14
       +
       //

     

       15
       +
       // For atproto service authentication, the issuer is typically the user's DID,

     

       16
       +
       // and the signing key is published in their DID document.

     

       17
       +
       type CombinedKeyFetcher struct {

     

       18
       +
       	didFetcher  *DIDKeyFetcher

     

       19
       +
       	jwksFetcher JWKSFetcher

     

       20
       +
       }

     

       21
       +
       

     

       22
       +
       // NewCombinedKeyFetcher creates a key fetcher that supports both DID and URL issuers.

     

       23
       +
       // Parameters:

     

       24
       +
       //   - directory: Indigo's identity directory for DID resolution

     

       25
       +
       //   - jwksFetcher: fallback JWKS fetcher for URL issuers (can be nil if not needed)

     

       26
       +
       func NewCombinedKeyFetcher(directory indigoIdentity.Directory, jwksFetcher JWKSFetcher) *CombinedKeyFetcher {

     

       27
       +
       	return &CombinedKeyFetcher{

     

       28
       +
       		didFetcher:  NewDIDKeyFetcher(directory),

     

       29
       +
       		jwksFetcher: jwksFetcher,

     

       30
       +
       	}

     

       31
       +
       }

     

       32
       +
       

     

       33
       +
       // FetchPublicKey fetches the public key for verifying a JWT.

     

       34
       +
       // Routes to the appropriate fetcher based on issuer format:

     

       35
       +
       // - DID (did:plc:, did:web:) → DIDKeyFetcher

     

       36
       +
       // - URL (https://) → JWKSFetcher

     

       37
       +
       func (f *CombinedKeyFetcher) FetchPublicKey(ctx context.Context, issuer, token string) (interface{}, error) {

     

       38
       +
       	// Check if issuer is a DID

     

       39
       +
       	if strings.HasPrefix(issuer, "did:") {

     

       40
       +
       		return f.didFetcher.FetchPublicKey(ctx, issuer, token)

     

       41
       +
       	}

     

       42
       +
       

     

       43
       +
       	// Check if issuer is a URL (https:// or http:// in dev)

     

       44
       +
       	if strings.HasPrefix(issuer, "https://") || strings.HasPrefix(issuer, "http://") {

     

       45
       +
       		if f.jwksFetcher == nil {

     

       46
       +
       			return nil, fmt.Errorf("URL issuer %s requires JWKS fetcher, but none configured", issuer)

     

       47
       +
       		}

     

       48
       +
       		return f.jwksFetcher.FetchPublicKey(ctx, issuer, token)

     

       49
       +
       	}

     

       50
       +
       

     

       51
       +
       	return nil, fmt.Errorf("unsupported issuer format: %s (expected DID or URL)", issuer)

     

       52
       +
       }

+116

internal/atproto/auth/did_key_fetcher.go

···

       1
       +
       package auth

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"context"

     

       5
       +
       	"crypto/ecdsa"

     

       6
       +
       	"crypto/elliptic"

     

       7
       +
       	"encoding/base64"

     

       8
       +
       	"fmt"

     

       9
       +
       	"math/big"

     

       10
       +
       	"strings"

     

       11
       +
       

     

       12
       +
       	"github.com/bluesky-social/indigo/atproto/atcrypto"

     

       13
       +
       	indigoIdentity "github.com/bluesky-social/indigo/atproto/identity"

     

       14
       +
       	"github.com/bluesky-social/indigo/atproto/syntax"

     

       15
       +
       )

     

       16
       +
       

     

       17
       +
       // DIDKeyFetcher fetches public keys from DID documents for JWT verification.

     

       18
       +
       // This is the primary method for atproto service authentication, where:

     

       19
       +
       // - The JWT issuer is the user's DID (e.g., did:plc:abc123)

     

       20
       +
       // - The signing key is published in the user's DID document

     

       21
       +
       // - Verification happens by resolving the DID and checking the signature

     

       22
       +
       type DIDKeyFetcher struct {

     

       23
       +
       	directory indigoIdentity.Directory

     

       24
       +
       }

     

       25
       +
       

     

       26
       +
       // NewDIDKeyFetcher creates a new DID-based key fetcher.

     

       27
       +
       func NewDIDKeyFetcher(directory indigoIdentity.Directory) *DIDKeyFetcher {

     

       28
       +
       	return &DIDKeyFetcher{

     

       29
       +
       		directory: directory,

     

       30
       +
       	}

     

       31
       +
       }

     

       32
       +
       

     

       33
       +
       // FetchPublicKey fetches the public key for verifying a JWT from the issuer's DID document.

     

       34
       +
       // For DID issuers (did:plc: or did:web:), resolves the DID and extracts the signing key.

     

       35
       +
       // Returns an *ecdsa.PublicKey suitable for use with jwt-go.

     

       36
       +
       func (f *DIDKeyFetcher) FetchPublicKey(ctx context.Context, issuer, token string) (interface{}, error) {

     

       37
       +
       	// Only handle DID issuers

     

       38
       +
       	if !strings.HasPrefix(issuer, "did:") {

     

       39
       +
       		return nil, fmt.Errorf("DIDKeyFetcher only handles DID issuers, got: %s", issuer)

     

       40
       +
       	}

     

       41
       +
       

     

       42
       +
       	// Parse the DID

     

       43
       +
       	did, err := syntax.ParseDID(issuer)

     

       44
       +
       	if err != nil {

     

       45
       +
       		return nil, fmt.Errorf("invalid DID format: %w", err)

     

       46
       +
       	}

     

       47
       +
       

     

       48
       +
       	// Resolve the DID to get the identity (includes public keys)

     

       49
       +
       	ident, err := f.directory.LookupDID(ctx, did)

     

       50
       +
       	if err != nil {

     

       51
       +
       		return nil, fmt.Errorf("failed to resolve DID %s: %w", issuer, err)

     

       52
       +
       	}

     

       53
       +
       

     

       54
       +
       	// Get the atproto signing key from the DID document

     

       55
       +
       	pubKey, err := ident.PublicKey()

     

       56
       +
       	if err != nil {

     

       57
       +
       		return nil, fmt.Errorf("failed to get public key from DID document: %w", err)

     

       58
       +
       	}

     

       59
       +
       

     

       60
       +
       	// Convert to JWK format to extract coordinates

     

       61
       +
       	jwk, err := pubKey.JWK()

     

       62
       +
       	if err != nil {

     

       63
       +
       		return nil, fmt.Errorf("failed to convert public key to JWK: %w", err)

     

       64
       +
       	}

     

       65
       +
       

     

       66
       +
       	// Convert atcrypto JWK to Go ecdsa.PublicKey

     

       67
       +
       	return atcryptoJWKToECDSA(jwk)

     

       68
       +
       }

     

       69
       +
       

     

       70
       +
       // atcryptoJWKToECDSA converts an atcrypto.JWK to a Go ecdsa.PublicKey

     

       71
       +
       func atcryptoJWKToECDSA(jwk *atcrypto.JWK) (*ecdsa.PublicKey, error) {

     

       72
       +
       	if jwk.KeyType != "EC" {

     

       73
       +
       		return nil, fmt.Errorf("unsupported JWK key type: %s (expected EC)", jwk.KeyType)

     

       74
       +
       	}

     

       75
       +
       

     

       76
       +
       	// Decode X and Y coordinates (base64url, no padding)

     

       77
       +
       	xBytes, err := base64.RawURLEncoding.DecodeString(jwk.X)

     

       78
       +
       	if err != nil {

     

       79
       +
       		return nil, fmt.Errorf("invalid JWK X coordinate encoding: %w", err)

     

       80
       +
       	}

     

       81
       +
       	yBytes, err := base64.RawURLEncoding.DecodeString(jwk.Y)

     

       82
       +
       	if err != nil {

     

       83
       +
       		return nil, fmt.Errorf("invalid JWK Y coordinate encoding: %w", err)

     

       84
       +
       	}

     

       85
       +
       

     

       86
       +
       	var ecCurve elliptic.Curve

     

       87
       +
       	switch jwk.Curve {

     

       88
       +
       	case "P-256":

     

       89
       +
       		ecCurve = elliptic.P256()

     

       90
       +
       	case "P-384":

     

       91
       +
       		ecCurve = elliptic.P384()

     

       92
       +
       	case "P-521":

     

       93
       +
       		ecCurve = elliptic.P521()

     

       94
       +
       	case "secp256k1":

     

       95
       +
       		// secp256k1 (K-256) is used by some atproto implementations

     

       96
       +
       		// Go's standard library doesn't include secp256k1, but we can still

     

       97
       +
       		// construct the key - jwt-go may not support it directly

     

       98
       +
       		return nil, fmt.Errorf("secp256k1 curve requires special handling for JWT verification")

     

       99
       +
       	default:

     

       100
       +
       		return nil, fmt.Errorf("unsupported JWK curve: %s", jwk.Curve)

     

       101
       +
       	}

     

       102
       +
       

     

       103
       +
       	// Create the public key

     

       104
       +
       	pubKey := &ecdsa.PublicKey{

     

       105
       +
       		Curve: ecCurve,

     

       106
       +
       		X:     new(big.Int).SetBytes(xBytes),

     

       107
       +
       		Y:     new(big.Int).SetBytes(yBytes),

     

       108
       +
       	}

     

       109
       +
       

     

       110
       +
       	// Validate point is on curve

     

       111
       +
       	if !ecCurve.IsOnCurve(pubKey.X, pubKey.Y) {

     

       112
       +
       		return nil, fmt.Errorf("invalid public key: point not on curve")

     

       113
       +
       	}

     

       114
       +
       

     

       115
       +
       	return pubKey, nil

     

       116
       +
       }

+484

internal/atproto/auth/dpop.go

···

       1
       +
       package auth

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"crypto/ecdsa"

     

       5
       +
       	"crypto/elliptic"

     

       6
       +
       	"crypto/sha256"

     

       7
       +
       	"encoding/base64"

     

       8
       +
       	"encoding/json"

     

       9
       +
       	"fmt"

     

       10
       +
       	"math/big"

     

       11
       +
       	"strings"

     

       12
       +
       	"sync"

     

       13
       +
       	"time"

     

       14
       +
       

     

       15
       +
       	indigoCrypto "github.com/bluesky-social/indigo/atproto/atcrypto"

     

       16
       +
       	"github.com/golang-jwt/jwt/v5"

     

       17
       +
       )

     

       18
       +
       

     

       19
       +
       // NonceCache provides replay protection for DPoP proofs by tracking seen jti values.

     

       20
       +
       // This prevents an attacker from reusing a captured DPoP proof within the validity window.

     

       21
       +
       // Per RFC 9449 Section 11.1, servers SHOULD prevent replay attacks.

     

       22
       +
       type NonceCache struct {

     

       23
       +
       	seen    map[string]time.Time // jti -> expiration time

     

       24
       +
       	stopCh  chan struct{}

     

       25
       +
       	maxAge  time.Duration // How long to keep entries

     

       26
       +
       	cleanup time.Duration // How often to clean up expired entries

     

       27
       +
       	mu      sync.RWMutex

     

       28
       +
       }

     

       29
       +
       

     

       30
       +
       // NewNonceCache creates a new nonce cache for DPoP replay protection.

     

       31
       +
       // maxAge should match or exceed DPoPVerifier.MaxProofAge.

     

       32
       +
       func NewNonceCache(maxAge time.Duration) *NonceCache {

     

       33
       +
       	nc := &NonceCache{

     

       34
       +
       		seen:    make(map[string]time.Time),

     

       35
       +
       		maxAge:  maxAge,

     

       36
       +
       		cleanup: maxAge / 2, // Clean up at half the max age

     

       37
       +
       		stopCh:  make(chan struct{}),

     

       38
       +
       	}

     

       39
       +
       

     

       40
       +
       	// Start background cleanup goroutine

     

       41
       +
       	go nc.cleanupLoop()

     

       42
       +
       

     

       43
       +
       	return nc

     

       44
       +
       }

     

       45
       +
       

     

       46
       +
       // CheckAndStore checks if a jti has been seen before and stores it if not.

     

       47
       +
       // Returns true if the jti is fresh (not a replay), false if it's a replay.

     

       48
       +
       func (nc *NonceCache) CheckAndStore(jti string) bool {

     

       49
       +
       	nc.mu.Lock()

     

       50
       +
       	defer nc.mu.Unlock()

     

       51
       +
       

     

       52
       +
       	now := time.Now()

     

       53
       +
       	expiry := now.Add(nc.maxAge)

     

       54
       +
       

     

       55
       +
       	// Check if already seen

     

       56
       +
       	if existingExpiry, seen := nc.seen[jti]; seen {

     

       57
       +
       		// Still valid (not expired) - this is a replay

     

       58
       +
       		if existingExpiry.After(now) {

     

       59
       +
       			return false

     

       60
       +
       		}

     

       61
       +
       		// Expired entry - allow reuse and update expiry

     

       62
       +
       	}

     

       63
       +
       

     

       64
       +
       	// Store the new jti

     

       65
       +
       	nc.seen[jti] = expiry

     

       66
       +
       	return true

     

       67
       +
       }

     

       68
       +
       

     

       69
       +
       // cleanupLoop periodically removes expired entries from the cache

     

       70
       +
       func (nc *NonceCache) cleanupLoop() {

     

       71
       +
       	ticker := time.NewTicker(nc.cleanup)

     

       72
       +
       	defer ticker.Stop()

     

       73
       +
       

     

       74
       +
       	for {

     

       75
       +
       		select {

     

       76
       +
       		case <-ticker.C:

     

       77
       +
       			nc.cleanupExpired()

     

       78
       +
       		case <-nc.stopCh:

     

       79
       +
       			return

     

       80
       +
       		}

     

       81
       +
       	}

     

       82
       +
       }

     

       83
       +
       

     

       84
       +
       // cleanupExpired removes expired entries from the cache

     

       85
       +
       func (nc *NonceCache) cleanupExpired() {

     

       86
       +
       	nc.mu.Lock()

     

       87
       +
       	defer nc.mu.Unlock()

     

       88
       +
       

     

       89
       +
       	now := time.Now()

     

       90
       +
       	for jti, expiry := range nc.seen {

     

       91
       +
       		if expiry.Before(now) {

     

       92
       +
       			delete(nc.seen, jti)

     

       93
       +
       		}

     

       94
       +
       	}

     

       95
       +
       }

     

       96
       +
       

     

       97
       +
       // Stop stops the cleanup goroutine. Call this when done with the cache.

     

       98
       +
       func (nc *NonceCache) Stop() {

     

       99
       +
       	close(nc.stopCh)

     

       100
       +
       }

     

       101
       +
       

     

       102
       +
       // Size returns the number of entries in the cache (for testing/monitoring)

     

       103
       +
       func (nc *NonceCache) Size() int {

     

       104
       +
       	nc.mu.RLock()

     

       105
       +
       	defer nc.mu.RUnlock()

     

       106
       +
       	return len(nc.seen)

     

       107
       +
       }

     

       108
       +
       

     

       109
       +
       // DPoPClaims represents the claims in a DPoP proof JWT (RFC 9449)

     

       110
       +
       type DPoPClaims struct {

     

       111
       +
       	jwt.RegisteredClaims

     

       112
       +
       

     

       113
       +
       	// HTTP method of the request (e.g., "GET", "POST")

     

       114
       +
       	HTTPMethod string `json:"htm"`

     

       115
       +
       

     

       116
       +
       	// HTTP URI of the request (without query and fragment parts)

     

       117
       +
       	HTTPURI string `json:"htu"`

     

       118
       +
       

     

       119
       +
       	// Access token hash (optional, for token binding)

     

       120
       +
       	AccessTokenHash string `json:"ath,omitempty"`

     

       121
       +
       }

     

       122
       +
       

     

       123
       +
       // DPoPProof represents a parsed and verified DPoP proof

     

       124
       +
       type DPoPProof struct {

     

       125
       +
       	RawPublicJWK map[string]interface{}

     

       126
       +
       	Claims       *DPoPClaims

     

       127
       +
       	PublicKey    interface{} // *ecdsa.PublicKey or similar

     

       128
       +
       	Thumbprint   string      // JWK thumbprint (base64url)

     

       129
       +
       }

     

       130
       +
       

     

       131
       +
       // DPoPVerifier verifies DPoP proofs for OAuth token binding

     

       132
       +
       type DPoPVerifier struct {

     

       133
       +
       	// Optional: custom nonce validation function (for server-issued nonces)

     

       134
       +
       	ValidateNonce func(nonce string) bool

     

       135
       +
       

     

       136
       +
       	// NonceCache for replay protection (optional but recommended)

     

       137
       +
       	// If nil, jti replay protection is disabled

     

       138
       +
       	NonceCache *NonceCache

     

       139
       +
       

     

       140
       +
       	// Maximum allowed clock skew for timestamp validation

     

       141
       +
       	MaxClockSkew time.Duration

     

       142
       +
       

     

       143
       +
       	// Maximum age of DPoP proof (prevents replay with old proofs)

     

       144
       +
       	MaxProofAge time.Duration

     

       145
       +
       }

     

       146
       +
       

     

       147
       +
       // NewDPoPVerifier creates a DPoP verifier with sensible defaults including replay protection

     

       148
       +
       func NewDPoPVerifier() *DPoPVerifier {

     

       149
       +
       	maxProofAge := 5 * time.Minute

     

       150
       +
       	return &DPoPVerifier{

     

       151
       +
       		MaxClockSkew: 30 * time.Second,

     

       152
       +
       		MaxProofAge:  maxProofAge,

     

       153
       +
       		NonceCache:   NewNonceCache(maxProofAge),

     

       154
       +
       	}

     

       155
       +
       }

     

       156
       +
       

     

       157
       +
       // NewDPoPVerifierWithoutReplayProtection creates a DPoP verifier without replay protection.

     

       158
       +
       // This should only be used in testing or when replay protection is handled externally.

     

       159
       +
       func NewDPoPVerifierWithoutReplayProtection() *DPoPVerifier {

     

       160
       +
       	return &DPoPVerifier{

     

       161
       +
       		MaxClockSkew: 30 * time.Second,

     

       162
       +
       		MaxProofAge:  5 * time.Minute,

     

       163
       +
       		NonceCache:   nil, // No replay protection

     

       164
       +
       	}

     

       165
       +
       }

     

       166
       +
       

     

       167
       +
       // Stop stops background goroutines. Call this when shutting down.

     

       168
       +
       func (v *DPoPVerifier) Stop() {

     

       169
       +
       	if v.NonceCache != nil {

     

       170
       +
       		v.NonceCache.Stop()

     

       171
       +
       	}

     

       172
       +
       }

     

       173
       +
       

     

       174
       +
       // VerifyDPoPProof verifies a DPoP proof JWT and returns the parsed proof

     

       175
       +
       func (v *DPoPVerifier) VerifyDPoPProof(dpopProof, httpMethod, httpURI string) (*DPoPProof, error) {

     

       176
       +
       	// Parse the DPoP JWT without verification first to extract the header

     

       177
       +
       	parser := jwt.NewParser(jwt.WithoutClaimsValidation())

     

       178
       +
       	token, _, err := parser.ParseUnverified(dpopProof, &DPoPClaims{})

     

       179
       +
       	if err != nil {

     

       180
       +
       		return nil, fmt.Errorf("failed to parse DPoP proof: %w", err)

     

       181
       +
       	}

     

       182
       +
       

     

       183
       +
       	// Extract and validate the header

     

       184
       +
       	header, ok := token.Header["typ"].(string)

     

       185
       +
       	if !ok || header != "dpop+jwt" {

     

       186
       +
       		return nil, fmt.Errorf("invalid DPoP proof: typ must be 'dpop+jwt', got '%s'", header)

     

       187
       +
       	}

     

       188
       +
       

     

       189
       +
       	alg, ok := token.Header["alg"].(string)

     

       190
       +
       	if !ok {

     

       191
       +
       		return nil, fmt.Errorf("invalid DPoP proof: missing alg header")

     

       192
       +
       	}

     

       193
       +
       

     

       194
       +
       	// Extract the JWK from the header

     

       195
       +
       	jwkRaw, ok := token.Header["jwk"]

     

       196
       +
       	if !ok {

     

       197
       +
       		return nil, fmt.Errorf("invalid DPoP proof: missing jwk header")

     

       198
       +
       	}

     

       199
       +
       

     

       200
       +
       	jwkMap, ok := jwkRaw.(map[string]interface{})

     

       201
       +
       	if !ok {

     

       202
       +
       		return nil, fmt.Errorf("invalid DPoP proof: jwk must be an object")

     

       203
       +
       	}

     

       204
       +
       

     

       205
       +
       	// Parse the public key from JWK

     

       206
       +
       	publicKey, err := parseJWKToPublicKey(jwkMap)

     

       207
       +
       	if err != nil {

     

       208
       +
       		return nil, fmt.Errorf("invalid DPoP proof JWK: %w", err)

     

       209
       +
       	}

     

       210
       +
       

     

       211
       +
       	// Calculate the JWK thumbprint

     

       212
       +
       	thumbprint, err := CalculateJWKThumbprint(jwkMap)

     

       213
       +
       	if err != nil {

     

       214
       +
       		return nil, fmt.Errorf("failed to calculate JWK thumbprint: %w", err)

     

       215
       +
       	}

     

       216
       +
       

     

       217
       +
       	// Now verify the signature

     

       218
       +
       	verifiedToken, err := jwt.ParseWithClaims(dpopProof, &DPoPClaims{}, func(token *jwt.Token) (interface{}, error) {

     

       219
       +
       		// Verify the signing method matches what we expect

     

       220
       +
       		switch alg {

     

       221
       +
       		case "ES256":

     

       222
       +
       			if _, ok := token.Method.(*jwt.SigningMethodECDSA); !ok {

     

       223
       +
       				return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])

     

       224
       +
       			}

     

       225
       +
       		case "ES384", "ES512":

     

       226
       +
       			if _, ok := token.Method.(*jwt.SigningMethodECDSA); !ok {

     

       227
       +
       				return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])

     

       228
       +
       			}

     

       229
       +
       		case "RS256", "RS384", "RS512", "PS256", "PS384", "PS512":

     

       230
       +
       			// RSA methods - we primarily support ES256 for atproto

     

       231
       +
       			return nil, fmt.Errorf("RSA algorithms not yet supported for DPoP: %s", alg)

     

       232
       +
       		default:

     

       233
       +
       			return nil, fmt.Errorf("unsupported DPoP algorithm: %s", alg)

     

       234
       +
       		}

     

       235
       +
       		return publicKey, nil

     

       236
       +
       	})

     

       237
       +
       	if err != nil {

     

       238
       +
       		return nil, fmt.Errorf("DPoP proof signature verification failed: %w", err)

     

       239
       +
       	}

     

       240
       +
       

     

       241
       +
       	claims, ok := verifiedToken.Claims.(*DPoPClaims)

     

       242
       +
       	if !ok {

     

       243
       +
       		return nil, fmt.Errorf("invalid DPoP claims type")

     

       244
       +
       	}

     

       245
       +
       

     

       246
       +
       	// Validate the claims

     

       247
       +
       	if err := v.validateDPoPClaims(claims, httpMethod, httpURI); err != nil {

     

       248
       +
       		return nil, err

     

       249
       +
       	}

     

       250
       +
       

     

       251
       +
       	return &DPoPProof{

     

       252
       +
       		Claims:       claims,

     

       253
       +
       		PublicKey:    publicKey,

     

       254
       +
       		Thumbprint:   thumbprint,

     

       255
       +
       		RawPublicJWK: jwkMap,

     

       256
       +
       	}, nil

     

       257
       +
       }

     

       258
       +
       

     

       259
       +
       // validateDPoPClaims validates the DPoP proof claims

     

       260
       +
       func (v *DPoPVerifier) validateDPoPClaims(claims *DPoPClaims, expectedMethod, expectedURI string) error {

     

       261
       +
       	// Validate jti (unique identifier) is present

     

       262
       +
       	if claims.ID == "" {

     

       263
       +
       		return fmt.Errorf("DPoP proof missing jti claim")

     

       264
       +
       	}

     

       265
       +
       

     

       266
       +
       	// Validate htm (HTTP method)

     

       267
       +
       	if !strings.EqualFold(claims.HTTPMethod, expectedMethod) {

     

       268
       +
       		return fmt.Errorf("DPoP proof htm mismatch: expected %s, got %s", expectedMethod, claims.HTTPMethod)

     

       269
       +
       	}

     

       270
       +
       

     

       271
       +
       	// Validate htu (HTTP URI) - compare without query/fragment

     

       272
       +
       	expectedURIBase := stripQueryFragment(expectedURI)

     

       273
       +
       	claimURIBase := stripQueryFragment(claims.HTTPURI)

     

       274
       +
       	if expectedURIBase != claimURIBase {

     

       275
       +
       		return fmt.Errorf("DPoP proof htu mismatch: expected %s, got %s", expectedURIBase, claimURIBase)

     

       276
       +
       	}

     

       277
       +
       

     

       278
       +
       	// Validate iat (issued at) is present and recent

     

       279
       +
       	if claims.IssuedAt == nil {

     

       280
       +
       		return fmt.Errorf("DPoP proof missing iat claim")

     

       281
       +
       	}

     

       282
       +
       

     

       283
       +
       	now := time.Now()

     

       284
       +
       	iat := claims.IssuedAt.Time

     

       285
       +
       

     

       286
       +
       	// Check clock skew (not too far in the future)

     

       287
       +
       	if iat.After(now.Add(v.MaxClockSkew)) {

     

       288
       +
       		return fmt.Errorf("DPoP proof iat is in the future")

     

       289
       +
       	}

     

       290
       +
       

     

       291
       +
       	// Check proof age (not too old)

     

       292
       +
       	if now.Sub(iat) > v.MaxProofAge {

     

       293
       +
       		return fmt.Errorf("DPoP proof is too old (issued %v ago, max %v)", now.Sub(iat), v.MaxProofAge)

     

       294
       +
       	}

     

       295
       +
       

     

       296
       +
       	// SECURITY: Check for replay attack using jti

     

       297
       +
       	// Per RFC 9449 Section 11.1, servers SHOULD prevent replay attacks

     

       298
       +
       	if v.NonceCache != nil {

     

       299
       +
       		if !v.NonceCache.CheckAndStore(claims.ID) {

     

       300
       +
       			return fmt.Errorf("DPoP proof replay detected: jti %s already used", claims.ID)

     

       301
       +
       		}

     

       302
       +
       	}

     

       303
       +
       

     

       304
       +
       	return nil

     

       305
       +
       }

     

       306
       +
       

     

       307
       +
       // VerifyTokenBinding verifies that the DPoP proof binds to the access token

     

       308
       +
       // by comparing the proof's thumbprint to the token's cnf.jkt claim

     

       309
       +
       func (v *DPoPVerifier) VerifyTokenBinding(proof *DPoPProof, expectedThumbprint string) error {

     

       310
       +
       	if proof.Thumbprint != expectedThumbprint {

     

       311
       +
       		return fmt.Errorf("DPoP proof thumbprint mismatch: token expects %s, proof has %s",

     

       312
       +
       			expectedThumbprint, proof.Thumbprint)

     

       313
       +
       	}

     

       314
       +
       	return nil

     

       315
       +
       }

     

       316
       +
       

     

       317
       +
       // CalculateJWKThumbprint calculates the JWK thumbprint per RFC 7638

     

       318
       +
       // The thumbprint is the base64url-encoded SHA-256 hash of the canonical JWK representation

     

       319
       +
       func CalculateJWKThumbprint(jwk map[string]interface{}) (string, error) {

     

       320
       +
       	kty, ok := jwk["kty"].(string)

     

       321
       +
       	if !ok {

     

       322
       +
       		return "", fmt.Errorf("JWK missing kty")

     

       323
       +
       	}

     

       324
       +
       

     

       325
       +
       	// Build the canonical JWK representation based on key type

     

       326
       +
       	// Per RFC 7638, only specific members are included, in lexicographic order

     

       327
       +
       	var canonical map[string]string

     

       328
       +
       

     

       329
       +
       	switch kty {

     

       330
       +
       	case "EC":

     

       331
       +
       		crv, ok := jwk["crv"].(string)

     

       332
       +
       		if !ok {

     

       333
       +
       			return "", fmt.Errorf("EC JWK missing crv")

     

       334
       +
       		}

     

       335
       +
       		x, ok := jwk["x"].(string)

     

       336
       +
       		if !ok {

     

       337
       +
       			return "", fmt.Errorf("EC JWK missing x")

     

       338
       +
       		}

     

       339
       +
       		y, ok := jwk["y"].(string)

     

       340
       +
       		if !ok {

     

       341
       +
       			return "", fmt.Errorf("EC JWK missing y")

     

       342
       +
       		}

     

       343
       +
       		// Lexicographic order: crv, kty, x, y

     

       344
       +
       		canonical = map[string]string{

     

       345
       +
       			"crv": crv,

     

       346
       +
       			"kty": kty,

     

       347
       +
       			"x":   x,

     

       348
       +
       			"y":   y,

     

       349
       +
       		}

     

       350
       +
       	case "RSA":

     

       351
       +
       		e, ok := jwk["e"].(string)

     

       352
       +
       		if !ok {

     

       353
       +
       			return "", fmt.Errorf("RSA JWK missing e")

     

       354
       +
       		}

     

       355
       +
       		n, ok := jwk["n"].(string)

     

       356
       +
       		if !ok {

     

       357
       +
       			return "", fmt.Errorf("RSA JWK missing n")

     

       358
       +
       		}

     

       359
       +
       		// Lexicographic order: e, kty, n

     

       360
       +
       		canonical = map[string]string{

     

       361
       +
       			"e":   e,

     

       362
       +
       			"kty": kty,

     

       363
       +
       			"n":   n,

     

       364
       +
       		}

     

       365
       +
       	case "OKP":

     

       366
       +
       		crv, ok := jwk["crv"].(string)

     

       367
       +
       		if !ok {

     

       368
       +
       			return "", fmt.Errorf("OKP JWK missing crv")

     

       369
       +
       		}

     

       370
       +
       		x, ok := jwk["x"].(string)

     

       371
       +
       		if !ok {

     

       372
       +
       			return "", fmt.Errorf("OKP JWK missing x")

     

       373
       +
       		}

     

       374
       +
       		// Lexicographic order: crv, kty, x

     

       375
       +
       		canonical = map[string]string{

     

       376
       +
       			"crv": crv,

     

       377
       +
       			"kty": kty,

     

       378
       +
       			"x":   x,

     

       379
       +
       		}

     

       380
       +
       	default:

     

       381
       +
       		return "", fmt.Errorf("unsupported JWK key type: %s", kty)

     

       382
       +
       	}

     

       383
       +
       

     

       384
       +
       	// Serialize to JSON (Go's json.Marshal produces lexicographically ordered keys for map[string]string)

     

       385
       +
       	canonicalJSON, err := json.Marshal(canonical)

     

       386
       +
       	if err != nil {

     

       387
       +
       		return "", fmt.Errorf("failed to serialize canonical JWK: %w", err)

     

       388
       +
       	}

     

       389
       +
       

     

       390
       +
       	// SHA-256 hash

     

       391
       +
       	hash := sha256.Sum256(canonicalJSON)

     

       392
       +
       

     

       393
       +
       	// Base64url encode (no padding)

     

       394
       +
       	thumbprint := base64.RawURLEncoding.EncodeToString(hash[:])

     

       395
       +
       

     

       396
       +
       	return thumbprint, nil

     

       397
       +
       }

     

       398
       +
       

     

       399
       +
       // parseJWKToPublicKey parses a JWK map to a Go public key

     

       400
       +
       func parseJWKToPublicKey(jwkMap map[string]interface{}) (interface{}, error) {

     

       401
       +
       	// Convert map to JSON bytes for indigo's parser

     

       402
       +
       	jwkBytes, err := json.Marshal(jwkMap)

     

       403
       +
       	if err != nil {

     

       404
       +
       		return nil, fmt.Errorf("failed to serialize JWK: %w", err)

     

       405
       +
       	}

     

       406
       +
       

     

       407
       +
       	// Try to parse with indigo's crypto package

     

       408
       +
       	pubKey, err := indigoCrypto.ParsePublicJWKBytes(jwkBytes)

     

       409
       +
       	if err != nil {

     

       410
       +
       		return nil, fmt.Errorf("failed to parse JWK: %w", err)

     

       411
       +
       	}

     

       412
       +
       

     

       413
       +
       	// Convert indigo's PublicKey to Go's ecdsa.PublicKey

     

       414
       +
       	jwk, err := pubKey.JWK()

     

       415
       +
       	if err != nil {

     

       416
       +
       		return nil, fmt.Errorf("failed to get JWK from public key: %w", err)

     

       417
       +
       	}

     

       418
       +
       

     

       419
       +
       	// Use our existing conversion function

     

       420
       +
       	return atcryptoJWKToECDSAFromIndigoJWK(jwk)

     

       421
       +
       }

     

       422
       +
       

     

       423
       +
       // atcryptoJWKToECDSAFromIndigoJWK converts an indigo JWK to Go ecdsa.PublicKey

     

       424
       +
       func atcryptoJWKToECDSAFromIndigoJWK(jwk *indigoCrypto.JWK) (*ecdsa.PublicKey, error) {

     

       425
       +
       	if jwk.KeyType != "EC" {

     

       426
       +
       		return nil, fmt.Errorf("unsupported JWK key type: %s (expected EC)", jwk.KeyType)

     

       427
       +
       	}

     

       428
       +
       

     

       429
       +
       	xBytes, err := base64.RawURLEncoding.DecodeString(jwk.X)

     

       430
       +
       	if err != nil {

     

       431
       +
       		return nil, fmt.Errorf("invalid JWK X coordinate: %w", err)

     

       432
       +
       	}

     

       433
       +
       	yBytes, err := base64.RawURLEncoding.DecodeString(jwk.Y)

     

       434
       +
       	if err != nil {

     

       435
       +
       		return nil, fmt.Errorf("invalid JWK Y coordinate: %w", err)

     

       436
       +
       	}

     

       437
       +
       

     

       438
       +
       	var curve ecdsa.PublicKey

     

       439
       +
       	switch jwk.Curve {

     

       440
       +
       	case "P-256":

     

       441
       +
       		curve.Curve = ecdsaP256Curve()

     

       442
       +
       	case "P-384":

     

       443
       +
       		curve.Curve = ecdsaP384Curve()

     

       444
       +
       	case "P-521":

     

       445
       +
       		curve.Curve = ecdsaP521Curve()

     

       446
       +
       	default:

     

       447
       +
       		return nil, fmt.Errorf("unsupported curve: %s", jwk.Curve)

     

       448
       +
       	}

     

       449
       +
       

     

       450
       +
       	curve.X = new(big.Int).SetBytes(xBytes)

     

       451
       +
       	curve.Y = new(big.Int).SetBytes(yBytes)

     

       452
       +
       

     

       453
       +
       	return &curve, nil

     

       454
       +
       }

     

       455
       +
       

     

       456
       +
       // Helper functions for elliptic curves

     

       457
       +
       func ecdsaP256Curve() elliptic.Curve { return elliptic.P256() }

     

       458
       +
       func ecdsaP384Curve() elliptic.Curve { return elliptic.P384() }

     

       459
       +
       func ecdsaP521Curve() elliptic.Curve { return elliptic.P521() }

     

       460
       +
       

     

       461
       +
       // stripQueryFragment removes query and fragment from a URI

     

       462
       +
       func stripQueryFragment(uri string) string {

     

       463
       +
       	if idx := strings.Index(uri, "?"); idx != -1 {

     

       464
       +
       		uri = uri[:idx]

     

       465
       +
       	}

     

       466
       +
       	if idx := strings.Index(uri, "#"); idx != -1 {

     

       467
       +
       		uri = uri[:idx]

     

       468
       +
       	}

     

       469
       +
       	return uri

     

       470
       +
       }

     

       471
       +
       

     

       472
       +
       // ExtractCnfJkt extracts the cnf.jkt (confirmation key thumbprint) from JWT claims

     

       473
       +
       func ExtractCnfJkt(claims *Claims) (string, error) {

     

       474
       +
       	if claims.Confirmation == nil {

     

       475
       +
       		return "", fmt.Errorf("token missing cnf claim (no DPoP binding)")

     

       476
       +
       	}

     

       477
       +
       

     

       478
       +
       	jkt, ok := claims.Confirmation["jkt"].(string)

     

       479
       +
       	if !ok || jkt == "" {

     

       480
       +
       		return "", fmt.Errorf("token cnf claim missing jkt (DPoP key thumbprint)")

     

       481
       +
       	}

     

       482
       +
       

     

       483
       +
       	return jkt, nil

     

       484
       +
       }

+921

internal/atproto/auth/dpop_test.go

···

       1
       +
       package auth

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"crypto/ecdsa"

     

       5
       +
       	"crypto/elliptic"

     

       6
       +
       	"crypto/rand"

     

       7
       +
       	"crypto/sha256"

     

       8
       +
       	"encoding/base64"

     

       9
       +
       	"encoding/json"

     

       10
       +
       	"strings"

     

       11
       +
       	"testing"

     

       12
       +
       	"time"

     

       13
       +
       

     

       14
       +
       	"github.com/golang-jwt/jwt/v5"

     

       15
       +
       	"github.com/google/uuid"

     

       16
       +
       )

     

       17
       +
       

     

       18
       +
       // === Test Helpers ===

     

       19
       +
       

     

       20
       +
       // testECKey holds a test ES256 key pair

     

       21
       +
       type testECKey struct {

     

       22
       +
       	privateKey *ecdsa.PrivateKey

     

       23
       +
       	publicKey  *ecdsa.PublicKey

     

       24
       +
       	jwk        map[string]interface{}

     

       25
       +
       	thumbprint string

     

       26
       +
       }

     

       27
       +
       

     

       28
       +
       // generateTestES256Key generates a test ES256 key pair and JWK

     

       29
       +
       func generateTestES256Key(t *testing.T) *testECKey {

     

       30
       +
       	t.Helper()

     

       31
       +
       

     

       32
       +
       	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

     

       33
       +
       	if err != nil {

     

       34
       +
       		t.Fatalf("Failed to generate test key: %v", err)

     

       35
       +
       	}

     

       36
       +
       

     

       37
       +
       	// Encode public key coordinates as base64url

     

       38
       +
       	xBytes := privateKey.PublicKey.X.Bytes()

     

       39
       +
       	yBytes := privateKey.PublicKey.Y.Bytes()

     

       40
       +
       

     

       41
       +
       	// P-256 coordinates must be 32 bytes (pad if needed)

     

       42
       +
       	xBytes = padTo32Bytes(xBytes)

     

       43
       +
       	yBytes = padTo32Bytes(yBytes)

     

       44
       +
       

     

       45
       +
       	x := base64.RawURLEncoding.EncodeToString(xBytes)

     

       46
       +
       	y := base64.RawURLEncoding.EncodeToString(yBytes)

     

       47
       +
       

     

       48
       +
       	jwk := map[string]interface{}{

     

       49
       +
       		"kty": "EC",

     

       50
       +
       		"crv": "P-256",

     

       51
       +
       		"x":   x,

     

       52
       +
       		"y":   y,

     

       53
       +
       	}

     

       54
       +
       

     

       55
       +
       	// Calculate thumbprint

     

       56
       +
       	thumbprint, err := CalculateJWKThumbprint(jwk)

     

       57
       +
       	if err != nil {

     

       58
       +
       		t.Fatalf("Failed to calculate thumbprint: %v", err)

     

       59
       +
       	}

     

       60
       +
       

     

       61
       +
       	return &testECKey{

     

       62
       +
       		privateKey: privateKey,

     

       63
       +
       		publicKey:  &privateKey.PublicKey,

     

       64
       +
       		jwk:        jwk,

     

       65
       +
       		thumbprint: thumbprint,

     

       66
       +
       	}

     

       67
       +
       }

     

       68
       +
       

     

       69
       +
       // padTo32Bytes pads a byte slice to 32 bytes (required for P-256 coordinates)

     

       70
       +
       func padTo32Bytes(b []byte) []byte {

     

       71
       +
       	if len(b) >= 32 {

     

       72
       +
       		return b

     

       73
       +
       	}

     

       74
       +
       	padded := make([]byte, 32)

     

       75
       +
       	copy(padded[32-len(b):], b)

     

       76
       +
       	return padded

     

       77
       +
       }

     

       78
       +
       

     

       79
       +
       // createDPoPProof creates a DPoP proof JWT for testing

     

       80
       +
       func createDPoPProof(t *testing.T, key *testECKey, method, uri string, iat time.Time, jti string) string {

     

       81
       +
       	t.Helper()

     

       82
       +
       

     

       83
       +
       	claims := &DPoPClaims{

     

       84
       +
       		RegisteredClaims: jwt.RegisteredClaims{

     

       85
       +
       			ID:       jti,

     

       86
       +
       			IssuedAt: jwt.NewNumericDate(iat),

     

       87
       +
       		},

     

       88
       +
       		HTTPMethod: method,

     

       89
       +
       		HTTPURI:    uri,

     

       90
       +
       	}

     

       91
       +
       

     

       92
       +
       	token := jwt.NewWithClaims(jwt.SigningMethodES256, claims)

     

       93
       +
       	token.Header["typ"] = "dpop+jwt"

     

       94
       +
       	token.Header["jwk"] = key.jwk

     

       95
       +
       

     

       96
       +
       	tokenString, err := token.SignedString(key.privateKey)

     

       97
       +
       	if err != nil {

     

       98
       +
       		t.Fatalf("Failed to create DPoP proof: %v", err)

     

       99
       +
       	}

     

       100
       +
       

     

       101
       +
       	return tokenString

     

       102
       +
       }

     

       103
       +
       

     

       104
       +
       // === JWK Thumbprint Tests (RFC 7638) ===

     

       105
       +
       

     

       106
       +
       func TestCalculateJWKThumbprint_EC_P256(t *testing.T) {

     

       107
       +
       	// Test with known values from RFC 7638 Appendix A (adapted for P-256)

     

       108
       +
       	jwk := map[string]interface{}{

     

       109
       +
       		"kty": "EC",

     

       110
       +
       		"crv": "P-256",

     

       111
       +
       		"x":   "WKn-ZIGevcwGIyyrzFoZNBdaq9_TsqzGl96oc0CWuis",

     

       112
       +
       		"y":   "y77t-RvAHRKTsSGdIYUfweuOvwrvDD-Q3Hv5J0fSKbE",

     

       113
       +
       	}

     

       114
       +
       

     

       115
       +
       	thumbprint, err := CalculateJWKThumbprint(jwk)

     

       116
       +
       	if err != nil {

     

       117
       +
       		t.Fatalf("CalculateJWKThumbprint failed: %v", err)

     

       118
       +
       	}

     

       119
       +
       

     

       120
       +
       	if thumbprint == "" {

     

       121
       +
       		t.Error("Expected non-empty thumbprint")

     

       122
       +
       	}

     

       123
       +
       

     

       124
       +
       	// Verify it's valid base64url

     

       125
       +
       	_, err = base64.RawURLEncoding.DecodeString(thumbprint)

     

       126
       +
       	if err != nil {

     

       127
       +
       		t.Errorf("Thumbprint is not valid base64url: %v", err)

     

       128
       +
       	}

     

       129
       +
       

     

       130
       +
       	// Verify length (SHA-256 produces 32 bytes = 43 base64url chars)

     

       131
       +
       	if len(thumbprint) != 43 {

     

       132
       +
       		t.Errorf("Expected thumbprint length 43, got %d", len(thumbprint))

     

       133
       +
       	}

     

       134
       +
       }

     

       135
       +
       

     

       136
       +
       func TestCalculateJWKThumbprint_Deterministic(t *testing.T) {

     

       137
       +
       	// Same key should produce same thumbprint

     

       138
       +
       	jwk := map[string]interface{}{

     

       139
       +
       		"kty": "EC",

     

       140
       +
       		"crv": "P-256",

     

       141
       +
       		"x":   "test-x-coordinate",

     

       142
       +
       		"y":   "test-y-coordinate",

     

       143
       +
       	}

     

       144
       +
       

     

       145
       +
       	thumbprint1, err := CalculateJWKThumbprint(jwk)

     

       146
       +
       	if err != nil {

     

       147
       +
       		t.Fatalf("First CalculateJWKThumbprint failed: %v", err)

     

       148
       +
       	}

     

       149
       +
       

     

       150
       +
       	thumbprint2, err := CalculateJWKThumbprint(jwk)

     

       151
       +
       	if err != nil {

     

       152
       +
       		t.Fatalf("Second CalculateJWKThumbprint failed: %v", err)

     

       153
       +
       	}

     

       154
       +
       

     

       155
       +
       	if thumbprint1 != thumbprint2 {

     

       156
       +
       		t.Errorf("Thumbprints are not deterministic: %s != %s", thumbprint1, thumbprint2)

     

       157
       +
       	}

     

       158
       +
       }

     

       159
       +
       

     

       160
       +
       func TestCalculateJWKThumbprint_DifferentKeys(t *testing.T) {

     

       161
       +
       	// Different keys should produce different thumbprints

     

       162
       +
       	jwk1 := map[string]interface{}{

     

       163
       +
       		"kty": "EC",

     

       164
       +
       		"crv": "P-256",

     

       165
       +
       		"x":   "coordinate-x-1",

     

       166
       +
       		"y":   "coordinate-y-1",

     

       167
       +
       	}

     

       168
       +
       

     

       169
       +
       	jwk2 := map[string]interface{}{

     

       170
       +
       		"kty": "EC",

     

       171
       +
       		"crv": "P-256",

     

       172
       +
       		"x":   "coordinate-x-2",

     

       173
       +
       		"y":   "coordinate-y-2",

     

       174
       +
       	}

     

       175
       +
       

     

       176
       +
       	thumbprint1, err := CalculateJWKThumbprint(jwk1)

     

       177
       +
       	if err != nil {

     

       178
       +
       		t.Fatalf("First CalculateJWKThumbprint failed: %v", err)

     

       179
       +
       	}

     

       180
       +
       

     

       181
       +
       	thumbprint2, err := CalculateJWKThumbprint(jwk2)

     

       182
       +
       	if err != nil {

     

       183
       +
       		t.Fatalf("Second CalculateJWKThumbprint failed: %v", err)

     

       184
       +
       	}

     

       185
       +
       

     

       186
       +
       	if thumbprint1 == thumbprint2 {

     

       187
       +
       		t.Error("Different keys produced same thumbprint (collision)")

     

       188
       +
       	}

     

       189
       +
       }

     

       190
       +
       

     

       191
       +
       func TestCalculateJWKThumbprint_MissingKty(t *testing.T) {

     

       192
       +
       	jwk := map[string]interface{}{

     

       193
       +
       		"crv": "P-256",

     

       194
       +
       		"x":   "test-x",

     

       195
       +
       		"y":   "test-y",

     

       196
       +
       	}

     

       197
       +
       

     

       198
       +
       	_, err := CalculateJWKThumbprint(jwk)

     

       199
       +
       	if err == nil {

     

       200
       +
       		t.Error("Expected error for missing kty, got nil")

     

       201
       +
       	}

     

       202
       +
       	if err != nil && !contains(err.Error(), "missing kty") {

     

       203
       +
       		t.Errorf("Expected error about missing kty, got: %v", err)

     

       204
       +
       	}

     

       205
       +
       }

     

       206
       +
       

     

       207
       +
       func TestCalculateJWKThumbprint_EC_MissingCrv(t *testing.T) {

     

       208
       +
       	jwk := map[string]interface{}{

     

       209
       +
       		"kty": "EC",

     

       210
       +
       		"x":   "test-x",

     

       211
       +
       		"y":   "test-y",

     

       212
       +
       	}

     

       213
       +
       

     

       214
       +
       	_, err := CalculateJWKThumbprint(jwk)

     

       215
       +
       	if err == nil {

     

       216
       +
       		t.Error("Expected error for missing crv, got nil")

     

       217
       +
       	}

     

       218
       +
       	if err != nil && !contains(err.Error(), "missing crv") {

     

       219
       +
       		t.Errorf("Expected error about missing crv, got: %v", err)

     

       220
       +
       	}

     

       221
       +
       }

     

       222
       +
       

     

       223
       +
       func TestCalculateJWKThumbprint_EC_MissingX(t *testing.T) {

     

       224
       +
       	jwk := map[string]interface{}{

     

       225
       +
       		"kty": "EC",

     

       226
       +
       		"crv": "P-256",

     

       227
       +
       		"y":   "test-y",

     

       228
       +
       	}

     

       229
       +
       

     

       230
       +
       	_, err := CalculateJWKThumbprint(jwk)

     

       231
       +
       	if err == nil {

     

       232
       +
       		t.Error("Expected error for missing x, got nil")

     

       233
       +
       	}

     

       234
       +
       	if err != nil && !contains(err.Error(), "missing x") {

     

       235
       +
       		t.Errorf("Expected error about missing x, got: %v", err)

     

       236
       +
       	}

     

       237
       +
       }

     

       238
       +
       

     

       239
       +
       func TestCalculateJWKThumbprint_EC_MissingY(t *testing.T) {

     

       240
       +
       	jwk := map[string]interface{}{

     

       241
       +
       		"kty": "EC",

     

       242
       +
       		"crv": "P-256",

     

       243
       +
       		"x":   "test-x",

     

       244
       +
       	}

     

       245
       +
       

     

       246
       +
       	_, err := CalculateJWKThumbprint(jwk)

     

       247
       +
       	if err == nil {

     

       248
       +
       		t.Error("Expected error for missing y, got nil")

     

       249
       +
       	}

     

       250
       +
       	if err != nil && !contains(err.Error(), "missing y") {

     

       251
       +
       		t.Errorf("Expected error about missing y, got: %v", err)

     

       252
       +
       	}

     

       253
       +
       }

     

       254
       +
       

     

       255
       +
       func TestCalculateJWKThumbprint_RSA(t *testing.T) {

     

       256
       +
       	// Test RSA key thumbprint calculation

     

       257
       +
       	jwk := map[string]interface{}{

     

       258
       +
       		"kty": "RSA",

     

       259
       +
       		"e":   "AQAB",

     

       260
       +
       		"n":   "test-modulus",

     

       261
       +
       	}

     

       262
       +
       

     

       263
       +
       	thumbprint, err := CalculateJWKThumbprint(jwk)

     

       264
       +
       	if err != nil {

     

       265
       +
       		t.Fatalf("CalculateJWKThumbprint failed for RSA: %v", err)

     

       266
       +
       	}

     

       267
       +
       

     

       268
       +
       	if thumbprint == "" {

     

       269
       +
       		t.Error("Expected non-empty thumbprint for RSA key")

     

       270
       +
       	}

     

       271
       +
       }

     

       272
       +
       

     

       273
       +
       func TestCalculateJWKThumbprint_OKP(t *testing.T) {

     

       274
       +
       	// Test OKP (Octet Key Pair) thumbprint calculation

     

       275
       +
       	jwk := map[string]interface{}{

     

       276
       +
       		"kty": "OKP",

     

       277
       +
       		"crv": "Ed25519",

     

       278
       +
       		"x":   "test-x-coordinate",

     

       279
       +
       	}

     

       280
       +
       

     

       281
       +
       	thumbprint, err := CalculateJWKThumbprint(jwk)

     

       282
       +
       	if err != nil {

     

       283
       +
       		t.Fatalf("CalculateJWKThumbprint failed for OKP: %v", err)

     

       284
       +
       	}

     

       285
       +
       

     

       286
       +
       	if thumbprint == "" {

     

       287
       +
       		t.Error("Expected non-empty thumbprint for OKP key")

     

       288
       +
       	}

     

       289
       +
       }

     

       290
       +
       

     

       291
       +
       func TestCalculateJWKThumbprint_UnsupportedKeyType(t *testing.T) {

     

       292
       +
       	jwk := map[string]interface{}{

     

       293
       +
       		"kty": "UNKNOWN",

     

       294
       +
       	}

     

       295
       +
       

     

       296
       +
       	_, err := CalculateJWKThumbprint(jwk)

     

       297
       +
       	if err == nil {

     

       298
       +
       		t.Error("Expected error for unsupported key type, got nil")

     

       299
       +
       	}

     

       300
       +
       	if err != nil && !contains(err.Error(), "unsupported JWK key type") {

     

       301
       +
       		t.Errorf("Expected error about unsupported key type, got: %v", err)

     

       302
       +
       	}

     

       303
       +
       }

     

       304
       +
       

     

       305
       +
       func TestCalculateJWKThumbprint_CanonicalJSON(t *testing.T) {

     

       306
       +
       	// RFC 7638 requires lexicographic ordering of keys in canonical JSON

     

       307
       +
       	// This test verifies that the canonical JSON is correctly ordered

     

       308
       +
       

     

       309
       +
       	jwk := map[string]interface{}{

     

       310
       +
       		"kty": "EC",

     

       311
       +
       		"crv": "P-256",

     

       312
       +
       		"x":   "x-coord",

     

       313
       +
       		"y":   "y-coord",

     

       314
       +
       	}

     

       315
       +
       

     

       316
       +
       	// The canonical JSON should be: {"crv":"P-256","kty":"EC","x":"x-coord","y":"y-coord"}

     

       317
       +
       	// (lexicographically ordered: crv, kty, x, y)

     

       318
       +
       

     

       319
       +
       	canonical := map[string]string{

     

       320
       +
       		"crv": "P-256",

     

       321
       +
       		"kty": "EC",

     

       322
       +
       		"x":   "x-coord",

     

       323
       +
       		"y":   "y-coord",

     

       324
       +
       	}

     

       325
       +
       

     

       326
       +
       	canonicalJSON, err := json.Marshal(canonical)

     

       327
       +
       	if err != nil {

     

       328
       +
       		t.Fatalf("Failed to marshal canonical JSON: %v", err)

     

       329
       +
       	}

     

       330
       +
       

     

       331
       +
       	expectedHash := sha256.Sum256(canonicalJSON)

     

       332
       +
       	expectedThumbprint := base64.RawURLEncoding.EncodeToString(expectedHash[:])

     

       333
       +
       

     

       334
       +
       	actualThumbprint, err := CalculateJWKThumbprint(jwk)

     

       335
       +
       	if err != nil {

     

       336
       +
       		t.Fatalf("CalculateJWKThumbprint failed: %v", err)

     

       337
       +
       	}

     

       338
       +
       

     

       339
       +
       	if actualThumbprint != expectedThumbprint {

     

       340
       +
       		t.Errorf("Thumbprint doesn't match expected canonical JSON hash\nExpected: %s\nGot: %s",

     

       341
       +
       			expectedThumbprint, actualThumbprint)

     

       342
       +
       	}

     

       343
       +
       }

     

       344
       +
       

     

       345
       +
       // === DPoP Proof Verification Tests ===

     

       346
       +
       

     

       347
       +
       func TestVerifyDPoPProof_Valid(t *testing.T) {

     

       348
       +
       	verifier := NewDPoPVerifier()

     

       349
       +
       	key := generateTestES256Key(t)

     

       350
       +
       

     

       351
       +
       	method := "POST"

     

       352
       +
       	uri := "https://api.example.com/resource"

     

       353
       +
       	iat := time.Now()

     

       354
       +
       	jti := uuid.New().String()

     

       355
       +
       

     

       356
       +
       	proof := createDPoPProof(t, key, method, uri, iat, jti)

     

       357
       +
       

     

       358
       +
       	result, err := verifier.VerifyDPoPProof(proof, method, uri)

     

       359
       +
       	if err != nil {

     

       360
       +
       		t.Fatalf("VerifyDPoPProof failed for valid proof: %v", err)

     

       361
       +
       	}

     

       362
       +
       

     

       363
       +
       	if result == nil {

     

       364
       +
       		t.Fatal("Expected non-nil proof result")

     

       365
       +
       	}

     

       366
       +
       

     

       367
       +
       	if result.Claims.HTTPMethod != method {

     

       368
       +
       		t.Errorf("Expected method %s, got %s", method, result.Claims.HTTPMethod)

     

       369
       +
       	}

     

       370
       +
       

     

       371
       +
       	if result.Claims.HTTPURI != uri {

     

       372
       +
       		t.Errorf("Expected URI %s, got %s", uri, result.Claims.HTTPURI)

     

       373
       +
       	}

     

       374
       +
       

     

       375
       +
       	if result.Claims.ID != jti {

     

       376
       +
       		t.Errorf("Expected jti %s, got %s", jti, result.Claims.ID)

     

       377
       +
       	}

     

       378
       +
       

     

       379
       +
       	if result.Thumbprint != key.thumbprint {

     

       380
       +
       		t.Errorf("Expected thumbprint %s, got %s", key.thumbprint, result.Thumbprint)

     

       381
       +
       	}

     

       382
       +
       }

     

       383
       +
       

     

       384
       +
       func TestVerifyDPoPProof_InvalidSignature(t *testing.T) {

     

       385
       +
       	verifier := NewDPoPVerifier()

     

       386
       +
       	key := generateTestES256Key(t)

     

       387
       +
       	wrongKey := generateTestES256Key(t)

     

       388
       +
       

     

       389
       +
       	method := "POST"

     

       390
       +
       	uri := "https://api.example.com/resource"

     

       391
       +
       	iat := time.Now()

     

       392
       +
       	jti := uuid.New().String()

     

       393
       +
       

     

       394
       +
       	// Create proof with one key

     

       395
       +
       	proof := createDPoPProof(t, key, method, uri, iat, jti)

     

       396
       +
       

     

       397
       +
       	// Parse and modify to use wrong key's JWK in header (signature won't match)

     

       398
       +
       	parts := splitJWT(proof)

     

       399
       +
       	header := parseJWTHeader(t, parts[0])

     

       400
       +
       	header["jwk"] = wrongKey.jwk

     

       401
       +
       	modifiedHeader := encodeJSON(t, header)

     

       402
       +
       	tamperedProof := modifiedHeader + "." + parts[1] + "." + parts[2]

     

       403
       +
       

     

       404
       +
       	_, err := verifier.VerifyDPoPProof(tamperedProof, method, uri)

     

       405
       +
       	if err == nil {

     

       406
       +
       		t.Error("Expected error for invalid signature, got nil")

     

       407
       +
       	}

     

       408
       +
       	if err != nil && !contains(err.Error(), "signature verification failed") {

     

       409
       +
       		t.Errorf("Expected signature verification error, got: %v", err)

     

       410
       +
       	}

     

       411
       +
       }

     

       412
       +
       

     

       413
       +
       func TestVerifyDPoPProof_WrongHTTPMethod(t *testing.T) {

     

       414
       +
       	verifier := NewDPoPVerifier()

     

       415
       +
       	key := generateTestES256Key(t)

     

       416
       +
       

     

       417
       +
       	method := "POST"

     

       418
       +
       	wrongMethod := "GET"

     

       419
       +
       	uri := "https://api.example.com/resource"

     

       420
       +
       	iat := time.Now()

     

       421
       +
       	jti := uuid.New().String()

     

       422
       +
       

     

       423
       +
       	proof := createDPoPProof(t, key, method, uri, iat, jti)

     

       424
       +
       

     

       425
       +
       	_, err := verifier.VerifyDPoPProof(proof, wrongMethod, uri)

     

       426
       +
       	if err == nil {

     

       427
       +
       		t.Error("Expected error for HTTP method mismatch, got nil")

     

       428
       +
       	}

     

       429
       +
       	if err != nil && !contains(err.Error(), "htm mismatch") {

     

       430
       +
       		t.Errorf("Expected htm mismatch error, got: %v", err)

     

       431
       +
       	}

     

       432
       +
       }

     

       433
       +
       

     

       434
       +
       func TestVerifyDPoPProof_WrongURI(t *testing.T) {

     

       435
       +
       	verifier := NewDPoPVerifier()

     

       436
       +
       	key := generateTestES256Key(t)

     

       437
       +
       

     

       438
       +
       	method := "POST"

     

       439
       +
       	uri := "https://api.example.com/resource"

     

       440
       +
       	wrongURI := "https://api.example.com/different"

     

       441
       +
       	iat := time.Now()

     

       442
       +
       	jti := uuid.New().String()

     

       443
       +
       

     

       444
       +
       	proof := createDPoPProof(t, key, method, uri, iat, jti)

     

       445
       +
       

     

       446
       +
       	_, err := verifier.VerifyDPoPProof(proof, method, wrongURI)

     

       447
       +
       	if err == nil {

     

       448
       +
       		t.Error("Expected error for URI mismatch, got nil")

     

       449
       +
       	}

     

       450
       +
       	if err != nil && !contains(err.Error(), "htu mismatch") {

     

       451
       +
       		t.Errorf("Expected htu mismatch error, got: %v", err)

     

       452
       +
       	}

     

       453
       +
       }

     

       454
       +
       

     

       455
       +
       func TestVerifyDPoPProof_URIWithQuery(t *testing.T) {

     

       456
       +
       	// URI comparison should strip query and fragment

     

       457
       +
       	verifier := NewDPoPVerifier()

     

       458
       +
       	key := generateTestES256Key(t)

     

       459
       +
       

     

       460
       +
       	method := "POST"

     

       461
       +
       	baseURI := "https://api.example.com/resource"

     

       462
       +
       	uriWithQuery := baseURI + "?param=value"

     

       463
       +
       	iat := time.Now()

     

       464
       +
       	jti := uuid.New().String()

     

       465
       +
       

     

       466
       +
       	proof := createDPoPProof(t, key, method, baseURI, iat, jti)

     

       467
       +
       

     

       468
       +
       	// Should succeed because query is stripped

     

       469
       +
       	_, err := verifier.VerifyDPoPProof(proof, method, uriWithQuery)

     

       470
       +
       	if err != nil {

     

       471
       +
       		t.Fatalf("VerifyDPoPProof failed for URI with query: %v", err)

     

       472
       +
       	}

     

       473
       +
       }

     

       474
       +
       

     

       475
       +
       func TestVerifyDPoPProof_URIWithFragment(t *testing.T) {

     

       476
       +
       	// URI comparison should strip query and fragment

     

       477
       +
       	verifier := NewDPoPVerifier()

     

       478
       +
       	key := generateTestES256Key(t)

     

       479
       +
       

     

       480
       +
       	method := "POST"

     

       481
       +
       	baseURI := "https://api.example.com/resource"

     

       482
       +
       	uriWithFragment := baseURI + "#section"

     

       483
       +
       	iat := time.Now()

     

       484
       +
       	jti := uuid.New().String()

     

       485
       +
       

     

       486
       +
       	proof := createDPoPProof(t, key, method, baseURI, iat, jti)

     

       487
       +
       

     

       488
       +
       	// Should succeed because fragment is stripped

     

       489
       +
       	_, err := verifier.VerifyDPoPProof(proof, method, uriWithFragment)

     

       490
       +
       	if err != nil {

     

       491
       +
       		t.Fatalf("VerifyDPoPProof failed for URI with fragment: %v", err)

     

       492
       +
       	}

     

       493
       +
       }

     

       494
       +
       

     

       495
       +
       func TestVerifyDPoPProof_ExpiredProof(t *testing.T) {

     

       496
       +
       	verifier := NewDPoPVerifier()

     

       497
       +
       	key := generateTestES256Key(t)

     

       498
       +
       

     

       499
       +
       	method := "POST"

     

       500
       +
       	uri := "https://api.example.com/resource"

     

       501
       +
       	// Proof issued 10 minutes ago (exceeds default MaxProofAge of 5 minutes)

     

       502
       +
       	iat := time.Now().Add(-10 * time.Minute)

     

       503
       +
       	jti := uuid.New().String()

     

       504
       +
       

     

       505
       +
       	proof := createDPoPProof(t, key, method, uri, iat, jti)

     

       506
       +
       

     

       507
       +
       	_, err := verifier.VerifyDPoPProof(proof, method, uri)

     

       508
       +
       	if err == nil {

     

       509
       +
       		t.Error("Expected error for expired proof, got nil")

     

       510
       +
       	}

     

       511
       +
       	if err != nil && !contains(err.Error(), "too old") {

     

       512
       +
       		t.Errorf("Expected 'too old' error, got: %v", err)

     

       513
       +
       	}

     

       514
       +
       }

     

       515
       +
       

     

       516
       +
       func TestVerifyDPoPProof_FutureProof(t *testing.T) {

     

       517
       +
       	verifier := NewDPoPVerifier()

     

       518
       +
       	key := generateTestES256Key(t)

     

       519
       +
       

     

       520
       +
       	method := "POST"

     

       521
       +
       	uri := "https://api.example.com/resource"

     

       522
       +
       	// Proof issued 1 minute in the future (exceeds MaxClockSkew)

     

       523
       +
       	iat := time.Now().Add(1 * time.Minute)

     

       524
       +
       	jti := uuid.New().String()

     

       525
       +
       

     

       526
       +
       	proof := createDPoPProof(t, key, method, uri, iat, jti)

     

       527
       +
       

     

       528
       +
       	_, err := verifier.VerifyDPoPProof(proof, method, uri)

     

       529
       +
       	if err == nil {

     

       530
       +
       		t.Error("Expected error for future proof, got nil")

     

       531
       +
       	}

     

       532
       +
       	if err != nil && !contains(err.Error(), "in the future") {

     

       533
       +
       		t.Errorf("Expected 'in the future' error, got: %v", err)

     

       534
       +
       	}

     

       535
       +
       }

     

       536
       +
       

     

       537
       +
       func TestVerifyDPoPProof_WithinClockSkew(t *testing.T) {

     

       538
       +
       	verifier := NewDPoPVerifier()

     

       539
       +
       	key := generateTestES256Key(t)

     

       540
       +
       

     

       541
       +
       	method := "POST"

     

       542
       +
       	uri := "https://api.example.com/resource"

     

       543
       +
       	// Proof issued 15 seconds in the future (within MaxClockSkew of 30s)

     

       544
       +
       	iat := time.Now().Add(15 * time.Second)

     

       545
       +
       	jti := uuid.New().String()

     

       546
       +
       

     

       547
       +
       	proof := createDPoPProof(t, key, method, uri, iat, jti)

     

       548
       +
       

     

       549
       +
       	_, err := verifier.VerifyDPoPProof(proof, method, uri)

     

       550
       +
       	if err != nil {

     

       551
       +
       		t.Fatalf("VerifyDPoPProof failed for proof within clock skew: %v", err)

     

       552
       +
       	}

     

       553
       +
       }

     

       554
       +
       

     

       555
       +
       func TestVerifyDPoPProof_MissingJti(t *testing.T) {

     

       556
       +
       	verifier := NewDPoPVerifier()

     

       557
       +
       	key := generateTestES256Key(t)

     

       558
       +
       

     

       559
       +
       	method := "POST"

     

       560
       +
       	uri := "https://api.example.com/resource"

     

       561
       +
       	iat := time.Now()

     

       562
       +
       

     

       563
       +
       	claims := &DPoPClaims{

     

       564
       +
       		RegisteredClaims: jwt.RegisteredClaims{

     

       565
       +
       			// No ID (jti)

     

       566
       +
       			IssuedAt: jwt.NewNumericDate(iat),

     

       567
       +
       		},

     

       568
       +
       		HTTPMethod: method,

     

       569
       +
       		HTTPURI:    uri,

     

       570
       +
       	}

     

       571
       +
       

     

       572
       +
       	token := jwt.NewWithClaims(jwt.SigningMethodES256, claims)

     

       573
       +
       	token.Header["typ"] = "dpop+jwt"

     

       574
       +
       	token.Header["jwk"] = key.jwk

     

       575
       +
       

     

       576
       +
       	proof, err := token.SignedString(key.privateKey)

     

       577
       +
       	if err != nil {

     

       578
       +
       		t.Fatalf("Failed to create test proof: %v", err)

     

       579
       +
       	}

     

       580
       +
       

     

       581
       +
       	_, err = verifier.VerifyDPoPProof(proof, method, uri)

     

       582
       +
       	if err == nil {

     

       583
       +
       		t.Error("Expected error for missing jti, got nil")

     

       584
       +
       	}

     

       585
       +
       	if err != nil && !contains(err.Error(), "missing jti") {

     

       586
       +
       		t.Errorf("Expected missing jti error, got: %v", err)

     

       587
       +
       	}

     

       588
       +
       }

     

       589
       +
       

     

       590
       +
       func TestVerifyDPoPProof_MissingTypHeader(t *testing.T) {

     

       591
       +
       	verifier := NewDPoPVerifier()

     

       592
       +
       	key := generateTestES256Key(t)

     

       593
       +
       

     

       594
       +
       	method := "POST"

     

       595
       +
       	uri := "https://api.example.com/resource"

     

       596
       +
       	iat := time.Now()

     

       597
       +
       	jti := uuid.New().String()

     

       598
       +
       

     

       599
       +
       	claims := &DPoPClaims{

     

       600
       +
       		RegisteredClaims: jwt.RegisteredClaims{

     

       601
       +
       			ID:       jti,

     

       602
       +
       			IssuedAt: jwt.NewNumericDate(iat),

     

       603
       +
       		},

     

       604
       +
       		HTTPMethod: method,

     

       605
       +
       		HTTPURI:    uri,

     

       606
       +
       	}

     

       607
       +
       

     

       608
       +
       	token := jwt.NewWithClaims(jwt.SigningMethodES256, claims)

     

       609
       +
       	// Don't set typ header

     

       610
       +
       	token.Header["jwk"] = key.jwk

     

       611
       +
       

     

       612
       +
       	proof, err := token.SignedString(key.privateKey)

     

       613
       +
       	if err != nil {

     

       614
       +
       		t.Fatalf("Failed to create test proof: %v", err)

     

       615
       +
       	}

     

       616
       +
       

     

       617
       +
       	_, err = verifier.VerifyDPoPProof(proof, method, uri)

     

       618
       +
       	if err == nil {

     

       619
       +
       		t.Error("Expected error for missing typ header, got nil")

     

       620
       +
       	}

     

       621
       +
       	if err != nil && !contains(err.Error(), "typ must be 'dpop+jwt'") {

     

       622
       +
       		t.Errorf("Expected typ header error, got: %v", err)

     

       623
       +
       	}

     

       624
       +
       }

     

       625
       +
       

     

       626
       +
       func TestVerifyDPoPProof_WrongTypHeader(t *testing.T) {

     

       627
       +
       	verifier := NewDPoPVerifier()

     

       628
       +
       	key := generateTestES256Key(t)

     

       629
       +
       

     

       630
       +
       	method := "POST"

     

       631
       +
       	uri := "https://api.example.com/resource"

     

       632
       +
       	iat := time.Now()

     

       633
       +
       	jti := uuid.New().String()

     

       634
       +
       

     

       635
       +
       	claims := &DPoPClaims{

     

       636
       +
       		RegisteredClaims: jwt.RegisteredClaims{

     

       637
       +
       			ID:       jti,

     

       638
       +
       			IssuedAt: jwt.NewNumericDate(iat),

     

       639
       +
       		},

     

       640
       +
       		HTTPMethod: method,

     

       641
       +
       		HTTPURI:    uri,

     

       642
       +
       	}

     

       643
       +
       

     

       644
       +
       	token := jwt.NewWithClaims(jwt.SigningMethodES256, claims)

     

       645
       +
       	token.Header["typ"] = "JWT" // Wrong typ

     

       646
       +
       	token.Header["jwk"] = key.jwk

     

       647
       +
       

     

       648
       +
       	proof, err := token.SignedString(key.privateKey)

     

       649
       +
       	if err != nil {

     

       650
       +
       		t.Fatalf("Failed to create test proof: %v", err)

     

       651
       +
       	}

     

       652
       +
       

     

       653
       +
       	_, err = verifier.VerifyDPoPProof(proof, method, uri)

     

       654
       +
       	if err == nil {

     

       655
       +
       		t.Error("Expected error for wrong typ header, got nil")

     

       656
       +
       	}

     

       657
       +
       	if err != nil && !contains(err.Error(), "typ must be 'dpop+jwt'") {

     

       658
       +
       		t.Errorf("Expected typ header error, got: %v", err)

     

       659
       +
       	}

     

       660
       +
       }

     

       661
       +
       

     

       662
       +
       func TestVerifyDPoPProof_MissingJWK(t *testing.T) {

     

       663
       +
       	verifier := NewDPoPVerifier()

     

       664
       +
       	key := generateTestES256Key(t)

     

       665
       +
       

     

       666
       +
       	method := "POST"

     

       667
       +
       	uri := "https://api.example.com/resource"

     

       668
       +
       	iat := time.Now()

     

       669
       +
       	jti := uuid.New().String()

     

       670
       +
       

     

       671
       +
       	claims := &DPoPClaims{

     

       672
       +
       		RegisteredClaims: jwt.RegisteredClaims{

     

       673
       +
       			ID:       jti,

     

       674
       +
       			IssuedAt: jwt.NewNumericDate(iat),

     

       675
       +
       		},

     

       676
       +
       		HTTPMethod: method,

     

       677
       +
       		HTTPURI:    uri,

     

       678
       +
       	}

     

       679
       +
       

     

       680
       +
       	token := jwt.NewWithClaims(jwt.SigningMethodES256, claims)

     

       681
       +
       	token.Header["typ"] = "dpop+jwt"

     

       682
       +
       	// Don't include JWK

     

       683
       +
       

     

       684
       +
       	proof, err := token.SignedString(key.privateKey)

     

       685
       +
       	if err != nil {

     

       686
       +
       		t.Fatalf("Failed to create test proof: %v", err)

     

       687
       +
       	}

     

       688
       +
       

     

       689
       +
       	_, err = verifier.VerifyDPoPProof(proof, method, uri)

     

       690
       +
       	if err == nil {

     

       691
       +
       		t.Error("Expected error for missing jwk header, got nil")

     

       692
       +
       	}

     

       693
       +
       	if err != nil && !contains(err.Error(), "missing jwk") {

     

       694
       +
       		t.Errorf("Expected missing jwk error, got: %v", err)

     

       695
       +
       	}

     

       696
       +
       }

     

       697
       +
       

     

       698
       +
       func TestVerifyDPoPProof_CustomTimeSettings(t *testing.T) {

     

       699
       +
       	verifier := &DPoPVerifier{

     

       700
       +
       		MaxClockSkew: 1 * time.Minute,

     

       701
       +
       		MaxProofAge:  10 * time.Minute,

     

       702
       +
       	}

     

       703
       +
       	key := generateTestES256Key(t)

     

       704
       +
       

     

       705
       +
       	method := "POST"

     

       706
       +
       	uri := "https://api.example.com/resource"

     

       707
       +
       	// Proof issued 50 seconds in the future (within custom MaxClockSkew)

     

       708
       +
       	iat := time.Now().Add(50 * time.Second)

     

       709
       +
       	jti := uuid.New().String()

     

       710
       +
       

     

       711
       +
       	proof := createDPoPProof(t, key, method, uri, iat, jti)

     

       712
       +
       

     

       713
       +
       	_, err := verifier.VerifyDPoPProof(proof, method, uri)

     

       714
       +
       	if err != nil {

     

       715
       +
       		t.Fatalf("VerifyDPoPProof failed with custom time settings: %v", err)

     

       716
       +
       	}

     

       717
       +
       }

     

       718
       +
       

     

       719
       +
       func TestVerifyDPoPProof_HTTPMethodCaseInsensitive(t *testing.T) {

     

       720
       +
       	// HTTP method comparison should be case-insensitive per spec

     

       721
       +
       	verifier := NewDPoPVerifier()

     

       722
       +
       	key := generateTestES256Key(t)

     

       723
       +
       

     

       724
       +
       	method := "post"

     

       725
       +
       	uri := "https://api.example.com/resource"

     

       726
       +
       	iat := time.Now()

     

       727
       +
       	jti := uuid.New().String()

     

       728
       +
       

     

       729
       +
       	proof := createDPoPProof(t, key, method, uri, iat, jti)

     

       730
       +
       

     

       731
       +
       	// Verify with uppercase method

     

       732
       +
       	_, err := verifier.VerifyDPoPProof(proof, "POST", uri)

     

       733
       +
       	if err != nil {

     

       734
       +
       		t.Fatalf("VerifyDPoPProof failed for case-insensitive method: %v", err)

     

       735
       +
       	}

     

       736
       +
       }

     

       737
       +
       

     

       738
       +
       // === Token Binding Verification Tests ===

     

       739
       +
       

     

       740
       +
       func TestVerifyTokenBinding_Matching(t *testing.T) {

     

       741
       +
       	verifier := NewDPoPVerifier()

     

       742
       +
       	key := generateTestES256Key(t)

     

       743
       +
       

     

       744
       +
       	method := "POST"

     

       745
       +
       	uri := "https://api.example.com/resource"

     

       746
       +
       	iat := time.Now()

     

       747
       +
       	jti := uuid.New().String()

     

       748
       +
       

     

       749
       +
       	proof := createDPoPProof(t, key, method, uri, iat, jti)

     

       750
       +
       

     

       751
       +
       	result, err := verifier.VerifyDPoPProof(proof, method, uri)

     

       752
       +
       	if err != nil {

     

       753
       +
       		t.Fatalf("VerifyDPoPProof failed: %v", err)

     

       754
       +
       	}

     

       755
       +
       

     

       756
       +
       	// Verify token binding with matching thumbprint

     

       757
       +
       	err = verifier.VerifyTokenBinding(result, key.thumbprint)

     

       758
       +
       	if err != nil {

     

       759
       +
       		t.Fatalf("VerifyTokenBinding failed for matching thumbprint: %v", err)

     

       760
       +
       	}

     

       761
       +
       }

     

       762
       +
       

     

       763
       +
       func TestVerifyTokenBinding_Mismatch(t *testing.T) {

     

       764
       +
       	verifier := NewDPoPVerifier()

     

       765
       +
       	key := generateTestES256Key(t)

     

       766
       +
       	wrongKey := generateTestES256Key(t)

     

       767
       +
       

     

       768
       +
       	method := "POST"

     

       769
       +
       	uri := "https://api.example.com/resource"

     

       770
       +
       	iat := time.Now()

     

       771
       +
       	jti := uuid.New().String()

     

       772
       +
       

     

       773
       +
       	proof := createDPoPProof(t, key, method, uri, iat, jti)

     

       774
       +
       

     

       775
       +
       	result, err := verifier.VerifyDPoPProof(proof, method, uri)

     

       776
       +
       	if err != nil {

     

       777
       +
       		t.Fatalf("VerifyDPoPProof failed: %v", err)

     

       778
       +
       	}

     

       779
       +
       

     

       780
       +
       	// Verify token binding with wrong thumbprint

     

       781
       +
       	err = verifier.VerifyTokenBinding(result, wrongKey.thumbprint)

     

       782
       +
       	if err == nil {

     

       783
       +
       		t.Error("Expected error for thumbprint mismatch, got nil")

     

       784
       +
       	}

     

       785
       +
       	if err != nil && !contains(err.Error(), "thumbprint mismatch") {

     

       786
       +
       		t.Errorf("Expected thumbprint mismatch error, got: %v", err)

     

       787
       +
       	}

     

       788
       +
       }

     

       789
       +
       

     

       790
       +
       // === ExtractCnfJkt Tests ===

     

       791
       +
       

     

       792
       +
       func TestExtractCnfJkt_Valid(t *testing.T) {

     

       793
       +
       	expectedJkt := "test-thumbprint-123"

     

       794
       +
       	claims := &Claims{

     

       795
       +
       		Confirmation: map[string]interface{}{

     

       796
       +
       			"jkt": expectedJkt,

     

       797
       +
       		},

     

       798
       +
       	}

     

       799
       +
       

     

       800
       +
       	jkt, err := ExtractCnfJkt(claims)

     

       801
       +
       	if err != nil {

     

       802
       +
       		t.Fatalf("ExtractCnfJkt failed for valid claims: %v", err)

     

       803
       +
       	}

     

       804
       +
       

     

       805
       +
       	if jkt != expectedJkt {

     

       806
       +
       		t.Errorf("Expected jkt %s, got %s", expectedJkt, jkt)

     

       807
       +
       	}

     

       808
       +
       }

     

       809
       +
       

     

       810
       +
       func TestExtractCnfJkt_MissingCnf(t *testing.T) {

     

       811
       +
       	claims := &Claims{

     

       812
       +
       		// No Confirmation

     

       813
       +
       	}

     

       814
       +
       

     

       815
       +
       	_, err := ExtractCnfJkt(claims)

     

       816
       +
       	if err == nil {

     

       817
       +
       		t.Error("Expected error for missing cnf, got nil")

     

       818
       +
       	}

     

       819
       +
       	if err != nil && !contains(err.Error(), "missing cnf claim") {

     

       820
       +
       		t.Errorf("Expected missing cnf error, got: %v", err)

     

       821
       +
       	}

     

       822
       +
       }

     

       823
       +
       

     

       824
       +
       func TestExtractCnfJkt_NilCnf(t *testing.T) {

     

       825
       +
       	claims := &Claims{

     

       826
       +
       		Confirmation: nil,

     

       827
       +
       	}

     

       828
       +
       

     

       829
       +
       	_, err := ExtractCnfJkt(claims)

     

       830
       +
       	if err == nil {

     

       831
       +
       		t.Error("Expected error for nil cnf, got nil")

     

       832
       +
       	}

     

       833
       +
       	if err != nil && !contains(err.Error(), "missing cnf claim") {

     

       834
       +
       		t.Errorf("Expected missing cnf error, got: %v", err)

     

       835
       +
       	}

     

       836
       +
       }

     

       837
       +
       

     

       838
       +
       func TestExtractCnfJkt_MissingJkt(t *testing.T) {

     

       839
       +
       	claims := &Claims{

     

       840
       +
       		Confirmation: map[string]interface{}{

     

       841
       +
       			"other": "value",

     

       842
       +
       		},

     

       843
       +
       	}

     

       844
       +
       

     

       845
       +
       	_, err := ExtractCnfJkt(claims)

     

       846
       +
       	if err == nil {

     

       847
       +
       		t.Error("Expected error for missing jkt, got nil")

     

       848
       +
       	}

     

       849
       +
       	if err != nil && !contains(err.Error(), "missing jkt") {

     

       850
       +
       		t.Errorf("Expected missing jkt error, got: %v", err)

     

       851
       +
       	}

     

       852
       +
       }

     

       853
       +
       

     

       854
       +
       func TestExtractCnfJkt_EmptyJkt(t *testing.T) {

     

       855
       +
       	claims := &Claims{

     

       856
       +
       		Confirmation: map[string]interface{}{

     

       857
       +
       			"jkt": "",

     

       858
       +
       		},

     

       859
       +
       	}

     

       860
       +
       

     

       861
       +
       	_, err := ExtractCnfJkt(claims)

     

       862
       +
       	if err == nil {

     

       863
       +
       		t.Error("Expected error for empty jkt, got nil")

     

       864
       +
       	}

     

       865
       +
       	if err != nil && !contains(err.Error(), "missing jkt") {

     

       866
       +
       		t.Errorf("Expected missing jkt error, got: %v", err)

     

       867
       +
       	}

     

       868
       +
       }

     

       869
       +
       

     

       870
       +
       func TestExtractCnfJkt_WrongType(t *testing.T) {

     

       871
       +
       	claims := &Claims{

     

       872
       +
       		Confirmation: map[string]interface{}{

     

       873
       +
       			"jkt": 123, // Not a string

     

       874
       +
       		},

     

       875
       +
       	}

     

       876
       +
       

     

       877
       +
       	_, err := ExtractCnfJkt(claims)

     

       878
       +
       	if err == nil {

     

       879
       +
       		t.Error("Expected error for wrong type jkt, got nil")

     

       880
       +
       	}

     

       881
       +
       	if err != nil && !contains(err.Error(), "missing jkt") {

     

       882
       +
       		t.Errorf("Expected missing jkt error, got: %v", err)

     

       883
       +
       	}

     

       884
       +
       }

     

       885
       +
       

     

       886
       +
       // === Helper Functions for Tests ===

     

       887
       +
       

     

       888
       +
       // splitJWT splits a JWT into its three parts

     

       889
       +
       func splitJWT(token string) []string {

     

       890
       +
       	return []string{

     

       891
       +
       		token[:strings.IndexByte(token, '.')],

     

       892
       +
       		token[strings.IndexByte(token, '.')+1 : strings.LastIndexByte(token, '.')],

     

       893
       +
       		token[strings.LastIndexByte(token, '.')+1:],

     

       894
       +
       	}

     

       895
       +
       }

     

       896
       +
       

     

       897
       +
       // parseJWTHeader parses a base64url-encoded JWT header

     

       898
       +
       func parseJWTHeader(t *testing.T, encoded string) map[string]interface{} {

     

       899
       +
       	t.Helper()

     

       900
       +
       	decoded, err := base64.RawURLEncoding.DecodeString(encoded)

     

       901
       +
       	if err != nil {

     

       902
       +
       		t.Fatalf("Failed to decode header: %v", err)

     

       903
       +
       	}

     

       904
       +
       

     

       905
       +
       	var header map[string]interface{}

     

       906
       +
       	if err := json.Unmarshal(decoded, &header); err != nil {

     

       907
       +
       		t.Fatalf("Failed to unmarshal header: %v", err)

     

       908
       +
       	}

     

       909
       +
       

     

       910
       +
       	return header

     

       911
       +
       }

     

       912
       +
       

     

       913
       +
       // encodeJSON encodes a value to base64url-encoded JSON

     

       914
       +
       func encodeJSON(t *testing.T, v interface{}) string {

     

       915
       +
       	t.Helper()

     

       916
       +
       	data, err := json.Marshal(v)

     

       917
       +
       	if err != nil {

     

       918
       +
       		t.Fatalf("Failed to marshal JSON: %v", err)

     

       919
       +
       	}

     

       920
       +
       	return base64.RawURLEncoding.EncodeToString(data)

     

       921
       +
       }

+416

internal/api/middleware/auth_test.go

···

       1
        
       package middleware

     

       2
        
       

     

       3
        
       import (

     

       0
        
       
     

       4
        
       	"context"

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       5
        
       	"fmt"

     

       6
        
       	"net/http"

     

       7
        
       	"net/http/httptest"

     
···

       9
        
       	"time"

     

       10
        
       

     

       11
        
       	"github.com/golang-jwt/jwt/v5"

     

       0
        
       
     

       12
        
       )

     

       13
        
       

     

       14
        
       // mockJWKSFetcher is a test double for JWKSFetcher

     
···

       326
        
       		t.Errorf("expected nil claims, got %+v", claims)

     

       327
        
       	}

     

       328
        
       }

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0

···

       1
        
       package middleware

     

       2
        
       

     

       3
        
       import (

     

       4
       +
       	"Coves/internal/atproto/auth"

     

       5
        
       	"context"

     

       6
       +
       	"crypto/ecdsa"

     

       7
       +
       	"crypto/elliptic"

     

       8
       +
       	"crypto/rand"

     

       9
       +
       	"encoding/base64"

     

       10
        
       	"fmt"

     

       11
        
       	"net/http"

     

       12
        
       	"net/http/httptest"

     
···

       14
        
       	"time"

     

       15
        
       

     

       16
        
       	"github.com/golang-jwt/jwt/v5"

     

       17
       +
       	"github.com/google/uuid"

     

       18
        
       )

     

       19
        
       

     

       20
        
       // mockJWKSFetcher is a test double for JWKSFetcher

     
···

       332
        
       		t.Errorf("expected nil claims, got %+v", claims)

     

       333
        
       	}

     

       334
        
       }

     

       335
       +
       

     

       336
       +
       // TestGetDPoPProof_NotAuthenticated tests that GetDPoPProof returns nil when no DPoP was verified

     

       337
       +
       func TestGetDPoPProof_NotAuthenticated(t *testing.T) {

     

       338
       +
       	req := httptest.NewRequest("GET", "/test", nil)

     

       339
       +
       	proof := GetDPoPProof(req)

     

       340
       +
       

     

       341
       +
       	if proof != nil {

     

       342
       +
       		t.Errorf("expected nil proof, got %+v", proof)

     

       343
       +
       	}

     

       344
       +
       }

     

       345
       +
       

     

       346
       +
       // TestRequireAuth_WithDPoP_SecurityModel tests the correct DPoP security model:

     

       347
       +
       // Token MUST be verified first, then DPoP is checked as an additional layer.

     

       348
       +
       // DPoP is NOT a fallback for failed token verification.

     

       349
       +
       func TestRequireAuth_WithDPoP_SecurityModel(t *testing.T) {

     

       350
       +
       	// Generate an ECDSA key pair for DPoP

     

       351
       +
       	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

     

       352
       +
       	if err != nil {

     

       353
       +
       		t.Fatalf("failed to generate key: %v", err)

     

       354
       +
       	}

     

       355
       +
       

     

       356
       +
       	// Calculate JWK thumbprint for cnf.jkt

     

       357
       +
       	jwk := ecdsaPublicKeyToJWK(&privateKey.PublicKey)

     

       358
       +
       	thumbprint, err := auth.CalculateJWKThumbprint(jwk)

     

       359
       +
       	if err != nil {

     

       360
       +
       		t.Fatalf("failed to calculate thumbprint: %v", err)

     

       361
       +
       	}

     

       362
       +
       

     

       363
       +
       	t.Run("DPoP_is_NOT_fallback_for_failed_verification", func(t *testing.T) {

     

       364
       +
       		// SECURITY TEST: When token verification fails, DPoP should NOT be used as fallback

     

       365
       +
       		// This prevents an attacker from forging a token with their own cnf.jkt

     

       366
       +
       

     

       367
       +
       		// Create a DPoP-bound access token (unsigned - will fail verification)

     

       368
       +
       		claims := auth.Claims{

     

       369
       +
       			RegisteredClaims: jwt.RegisteredClaims{

     

       370
       +
       				Subject:   "did:plc:attacker",

     

       371
       +
       				Issuer:    "https://external.pds.local",

     

       372
       +
       				ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),

     

       373
       +
       				IssuedAt:  jwt.NewNumericDate(time.Now()),

     

       374
       +
       			},

     

       375
       +
       			Scope: "atproto",

     

       376
       +
       			Confirmation: map[string]interface{}{

     

       377
       +
       				"jkt": thumbprint,

     

       378
       +
       			},

     

       379
       +
       		}

     

       380
       +
       

     

       381
       +
       		token := jwt.NewWithClaims(jwt.SigningMethodNone, claims)

     

       382
       +
       		tokenString, _ := token.SignedString(jwt.UnsafeAllowNoneSignatureType)

     

       383
       +
       

     

       384
       +
       		// Create valid DPoP proof (attacker has the private key)

     

       385
       +
       		dpopProof := createDPoPProof(t, privateKey, "GET", "https://test.local/api/endpoint")

     

       386
       +
       

     

       387
       +
       		// Mock fetcher that fails (simulating external PDS without JWKS)

     

       388
       +
       		fetcher := &mockJWKSFetcher{shouldFail: true}

     

       389
       +
       		middleware := NewAtProtoAuthMiddleware(fetcher, false) // skipVerify=false

     

       390
       +
       

     

       391
       +
       		handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       392
       +
       			t.Error("SECURITY VULNERABILITY: handler was called despite token verification failure")

     

       393
       +
       		}))

     

       394
       +
       

     

       395
       +
       		req := httptest.NewRequest("GET", "https://test.local/api/endpoint", nil)

     

       396
       +
       		req.Header.Set("Authorization", "Bearer "+tokenString)

     

       397
       +
       		req.Header.Set("DPoP", dpopProof)

     

       398
       +
       		w := httptest.NewRecorder()

     

       399
       +
       

     

       400
       +
       		handler.ServeHTTP(w, req)

     

       401
       +
       

     

       402
       +
       		// MUST reject - token verification failed, DPoP cannot substitute for signature verification

     

       403
       +
       		if w.Code != http.StatusUnauthorized {

     

       404
       +
       			t.Errorf("SECURITY: expected 401 for unverified token, got %d", w.Code)

     

       405
       +
       		}

     

       406
       +
       	})

     

       407
       +
       

     

       408
       +
       	t.Run("DPoP_required_when_cnf_jkt_present_in_verified_token", func(t *testing.T) {

     

       409
       +
       		// When token has cnf.jkt, DPoP header MUST be present

     

       410
       +
       		// This test uses skipVerify=true to simulate a verified token

     

       411
       +
       

     

       412
       +
       		claims := auth.Claims{

     

       413
       +
       			RegisteredClaims: jwt.RegisteredClaims{

     

       414
       +
       				Subject:   "did:plc:test123",

     

       415
       +
       				Issuer:    "https://test.pds.local",

     

       416
       +
       				ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),

     

       417
       +
       				IssuedAt:  jwt.NewNumericDate(time.Now()),

     

       418
       +
       			},

     

       419
       +
       			Scope: "atproto",

     

       420
       +
       			Confirmation: map[string]interface{}{

     

       421
       +
       				"jkt": thumbprint,

     

       422
       +
       			},

     

       423
       +
       		}

     

       424
       +
       

     

       425
       +
       		token := jwt.NewWithClaims(jwt.SigningMethodNone, claims)

     

       426
       +
       		tokenString, _ := token.SignedString(jwt.UnsafeAllowNoneSignatureType)

     

       427
       +
       

     

       428
       +
       		// NO DPoP header - should fail when skipVerify is false

     

       429
       +
       		// Note: with skipVerify=true, DPoP is not checked

     

       430
       +
       		fetcher := &mockJWKSFetcher{}

     

       431
       +
       		middleware := NewAtProtoAuthMiddleware(fetcher, true) // skipVerify=true for parsing

     

       432
       +
       

     

       433
       +
       		handlerCalled := false

     

       434
       +
       		handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       435
       +
       			handlerCalled = true

     

       436
       +
       			w.WriteHeader(http.StatusOK)

     

       437
       +
       		}))

     

       438
       +
       

     

       439
       +
       		req := httptest.NewRequest("GET", "https://test.local/api/endpoint", nil)

     

       440
       +
       		req.Header.Set("Authorization", "Bearer "+tokenString)

     

       441
       +
       		// No DPoP header

     

       442
       +
       		w := httptest.NewRecorder()

     

       443
       +
       

     

       444
       +
       		handler.ServeHTTP(w, req)

     

       445
       +
       

     

       446
       +
       		// With skipVerify=true, DPoP is not checked, so this should succeed

     

       447
       +
       		if !handlerCalled {

     

       448
       +
       			t.Error("handler should be called when skipVerify=true")

     

       449
       +
       		}

     

       450
       +
       	})

     

       451
       +
       }

     

       452
       +
       

     

       453
       +
       // TestRequireAuth_TokenVerificationFails_DPoPNotUsedAsFallback is the key security test.

     

       454
       +
       // It ensures that DPoP cannot be used as a fallback when token signature verification fails.

     

       455
       +
       func TestRequireAuth_TokenVerificationFails_DPoPNotUsedAsFallback(t *testing.T) {

     

       456
       +
       	// Generate a key pair (attacker's key)

     

       457
       +
       	attackerKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

     

       458
       +
       	jwk := ecdsaPublicKeyToJWK(&attackerKey.PublicKey)

     

       459
       +
       	thumbprint, _ := auth.CalculateJWKThumbprint(jwk)

     

       460
       +
       

     

       461
       +
       	// Create a FORGED token claiming to be the victim

     

       462
       +
       	claims := auth.Claims{

     

       463
       +
       		RegisteredClaims: jwt.RegisteredClaims{

     

       464
       +
       			Subject:   "did:plc:victim_user", // Attacker claims to be victim

     

       465
       +
       			Issuer:    "https://untrusted.pds",

     

       466
       +
       			ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),

     

       467
       +
       			IssuedAt:  jwt.NewNumericDate(time.Now()),

     

       468
       +
       		},

     

       469
       +
       		Scope: "atproto",

     

       470
       +
       		Confirmation: map[string]interface{}{

     

       471
       +
       			"jkt": thumbprint, // Attacker uses their own key

     

       472
       +
       		},

     

       473
       +
       	}

     

       474
       +
       

     

       475
       +
       	token := jwt.NewWithClaims(jwt.SigningMethodNone, claims)

     

       476
       +
       	tokenString, _ := token.SignedString(jwt.UnsafeAllowNoneSignatureType)

     

       477
       +
       

     

       478
       +
       	// Attacker creates a valid DPoP proof with their key

     

       479
       +
       	dpopProof := createDPoPProof(t, attackerKey, "POST", "https://api.example.com/protected")

     

       480
       +
       

     

       481
       +
       	// Fetcher fails (external PDS without JWKS)

     

       482
       +
       	fetcher := &mockJWKSFetcher{shouldFail: true}

     

       483
       +
       	middleware := NewAtProtoAuthMiddleware(fetcher, false) // skipVerify=false - REAL verification

     

       484
       +
       

     

       485
       +
       	handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       486
       +
       		t.Fatalf("CRITICAL SECURITY FAILURE: Request authenticated as %s despite forged token!",

     

       487
       +
       			GetUserDID(r))

     

       488
       +
       	}))

     

       489
       +
       

     

       490
       +
       	req := httptest.NewRequest("POST", "https://api.example.com/protected", nil)

     

       491
       +
       	req.Header.Set("Authorization", "Bearer "+tokenString)

     

       492
       +
       	req.Header.Set("DPoP", dpopProof)

     

       493
       +
       	w := httptest.NewRecorder()

     

       494
       +
       

     

       495
       +
       	handler.ServeHTTP(w, req)

     

       496
       +
       

     

       497
       +
       	// MUST reject - the token signature was never verified

     

       498
       +
       	if w.Code != http.StatusUnauthorized {

     

       499
       +
       		t.Errorf("SECURITY VULNERABILITY: Expected 401, got %d. Token was not properly verified!", w.Code)

     

       500
       +
       	}

     

       501
       +
       }

     

       502
       +
       

     

       503
       +
       // TestVerifyDPoPBinding_UsesForwardedProto ensures we honor the external HTTPS

     

       504
       +
       // scheme when TLS is terminated upstream and X-Forwarded-Proto is present.

     

       505
       +
       func TestVerifyDPoPBinding_UsesForwardedProto(t *testing.T) {

     

       506
       +
       	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

     

       507
       +
       	if err != nil {

     

       508
       +
       		t.Fatalf("failed to generate key: %v", err)

     

       509
       +
       	}

     

       510
       +
       

     

       511
       +
       	jwk := ecdsaPublicKeyToJWK(&privateKey.PublicKey)

     

       512
       +
       	thumbprint, err := auth.CalculateJWKThumbprint(jwk)

     

       513
       +
       	if err != nil {

     

       514
       +
       		t.Fatalf("failed to calculate thumbprint: %v", err)

     

       515
       +
       	}

     

       516
       +
       

     

       517
       +
       	claims := &auth.Claims{

     

       518
       +
       		RegisteredClaims: jwt.RegisteredClaims{

     

       519
       +
       			Subject:   "did:plc:test123",

     

       520
       +
       			Issuer:    "https://test.pds.local",

     

       521
       +
       			ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),

     

       522
       +
       			IssuedAt:  jwt.NewNumericDate(time.Now()),

     

       523
       +
       		},

     

       524
       +
       		Scope: "atproto",

     

       525
       +
       		Confirmation: map[string]interface{}{

     

       526
       +
       			"jkt": thumbprint,

     

       527
       +
       		},

     

       528
       +
       	}

     

       529
       +
       

     

       530
       +
       	middleware := NewAtProtoAuthMiddleware(&mockJWKSFetcher{}, false)

     

       531
       +
       	defer middleware.Stop()

     

       532
       +
       

     

       533
       +
       	externalURI := "https://api.example.com/protected/resource"

     

       534
       +
       	dpopProof := createDPoPProof(t, privateKey, "GET", externalURI)

     

       535
       +
       

     

       536
       +
       	req := httptest.NewRequest("GET", "http://internal-service/protected/resource", nil)

     

       537
       +
       	req.Host = "api.example.com"

     

       538
       +
       	req.Header.Set("X-Forwarded-Proto", "https")

     

       539
       +
       

     

       540
       +
       	proof, err := middleware.verifyDPoPBinding(req, claims, dpopProof)

     

       541
       +
       	if err != nil {

     

       542
       +
       		t.Fatalf("expected DPoP verification to succeed with forwarded proto, got %v", err)

     

       543
       +
       	}

     

       544
       +
       

     

       545
       +
       	if proof == nil || proof.Claims == nil {

     

       546
       +
       		t.Fatal("expected DPoP proof to be returned")

     

       547
       +
       	}

     

       548
       +
       }

     

       549
       +
       

     

       550
       +
       // TestMiddlewareStop tests that the middleware can be stopped properly

     

       551
       +
       func TestMiddlewareStop(t *testing.T) {

     

       552
       +
       	fetcher := &mockJWKSFetcher{}

     

       553
       +
       	middleware := NewAtProtoAuthMiddleware(fetcher, false)

     

       554
       +
       

     

       555
       +
       	// Stop should not panic and should clean up resources

     

       556
       +
       	middleware.Stop()

     

       557
       +
       

     

       558
       +
       	// Calling Stop again should also be safe (idempotent-ish)

     

       559
       +
       	// Note: The underlying DPoPVerifier.Stop() closes a channel, so this might panic

     

       560
       +
       	// if not handled properly. We test that at least one Stop works.

     

       561
       +
       }

     

       562
       +
       

     

       563
       +
       // TestOptionalAuth_DPoPBoundToken_NoDPoPHeader tests that OptionalAuth treats

     

       564
       +
       // tokens with cnf.jkt but no DPoP header as unauthenticated (potential token theft)

     

       565
       +
       func TestOptionalAuth_DPoPBoundToken_NoDPoPHeader(t *testing.T) {

     

       566
       +
       	// Generate a key pair for DPoP binding

     

       567
       +
       	privateKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

     

       568
       +
       	jwk := ecdsaPublicKeyToJWK(&privateKey.PublicKey)

     

       569
       +
       	thumbprint, _ := auth.CalculateJWKThumbprint(jwk)

     

       570
       +
       

     

       571
       +
       	// Create a DPoP-bound token (has cnf.jkt)

     

       572
       +
       	claims := auth.Claims{

     

       573
       +
       		RegisteredClaims: jwt.RegisteredClaims{

     

       574
       +
       			Subject:   "did:plc:user123",

     

       575
       +
       			Issuer:    "https://test.pds.local",

     

       576
       +
       			ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),

     

       577
       +
       			IssuedAt:  jwt.NewNumericDate(time.Now()),

     

       578
       +
       		},

     

       579
       +
       		Scope: "atproto",

     

       580
       +
       		Confirmation: map[string]interface{}{

     

       581
       +
       			"jkt": thumbprint,

     

       582
       +
       		},

     

       583
       +
       	}

     

       584
       +
       

     

       585
       +
       	token := jwt.NewWithClaims(jwt.SigningMethodNone, claims)

     

       586
       +
       	tokenString, _ := token.SignedString(jwt.UnsafeAllowNoneSignatureType)

     

       587
       +
       

     

       588
       +
       	// Use skipVerify=true to simulate a verified token

     

       589
       +
       	// (In production, skipVerify would be false and VerifyJWT would be called)

     

       590
       +
       	// However, for this test we need skipVerify=false to trigger DPoP checking

     

       591
       +
       	// But the fetcher will fail, so let's use skipVerify=true and verify the logic

     

       592
       +
       	// Actually, the DPoP check only happens when skipVerify=false

     

       593
       +
       

     

       594
       +
       	t.Run("with_skipVerify_false", func(t *testing.T) {

     

       595
       +
       		// This will fail at JWT verification level, but that's expected

     

       596
       +
       		// The important thing is the code path for DPoP checking

     

       597
       +
       		fetcher := &mockJWKSFetcher{shouldFail: true}

     

       598
       +
       		middleware := NewAtProtoAuthMiddleware(fetcher, false)

     

       599
       +
       		defer middleware.Stop()

     

       600
       +
       

     

       601
       +
       		handlerCalled := false

     

       602
       +
       		var capturedDID string

     

       603
       +
       		handler := middleware.OptionalAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       604
       +
       			handlerCalled = true

     

       605
       +
       			capturedDID = GetUserDID(r)

     

       606
       +
       			w.WriteHeader(http.StatusOK)

     

       607
       +
       		}))

     

       608
       +
       

     

       609
       +
       		req := httptest.NewRequest("GET", "/test", nil)

     

       610
       +
       		req.Header.Set("Authorization", "Bearer "+tokenString)

     

       611
       +
       		// Deliberately NOT setting DPoP header

     

       612
       +
       		w := httptest.NewRecorder()

     

       613
       +
       

     

       614
       +
       		handler.ServeHTTP(w, req)

     

       615
       +
       

     

       616
       +
       		// Handler should be called (optional auth doesn't block)

     

       617
       +
       		if !handlerCalled {

     

       618
       +
       			t.Error("handler should be called")

     

       619
       +
       		}

     

       620
       +
       

     

       621
       +
       		// But since JWT verification fails, user should not be authenticated

     

       622
       +
       		if capturedDID != "" {

     

       623
       +
       			t.Errorf("expected empty DID when verification fails, got %s", capturedDID)

     

       624
       +
       		}

     

       625
       +
       	})

     

       626
       +
       

     

       627
       +
       	t.Run("with_skipVerify_true_dpop_not_checked", func(t *testing.T) {

     

       628
       +
       		// When skipVerify=true, DPoP is not checked (Phase 1 mode)

     

       629
       +
       		fetcher := &mockJWKSFetcher{}

     

       630
       +
       		middleware := NewAtProtoAuthMiddleware(fetcher, true)

     

       631
       +
       		defer middleware.Stop()

     

       632
       +
       

     

       633
       +
       		handlerCalled := false

     

       634
       +
       		var capturedDID string

     

       635
       +
       		handler := middleware.OptionalAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       636
       +
       			handlerCalled = true

     

       637
       +
       			capturedDID = GetUserDID(r)

     

       638
       +
       			w.WriteHeader(http.StatusOK)

     

       639
       +
       		}))

     

       640
       +
       

     

       641
       +
       		req := httptest.NewRequest("GET", "/test", nil)

     

       642
       +
       		req.Header.Set("Authorization", "Bearer "+tokenString)

     

       643
       +
       		// No DPoP header

     

       644
       +
       		w := httptest.NewRecorder()

     

       645
       +
       

     

       646
       +
       		handler.ServeHTTP(w, req)

     

       647
       +
       

     

       648
       +
       		if !handlerCalled {

     

       649
       +
       			t.Error("handler should be called")

     

       650
       +
       		}

     

       651
       +
       

     

       652
       +
       		// With skipVerify=true, DPoP check is bypassed - token is trusted

     

       653
       +
       		if capturedDID != "did:plc:user123" {

     

       654
       +
       			t.Errorf("expected DID when skipVerify=true, got %s", capturedDID)

     

       655
       +
       		}

     

       656
       +
       	})

     

       657
       +
       }

     

       658
       +
       

     

       659
       +
       // TestDPoPReplayProtection tests that the same DPoP proof cannot be used twice

     

       660
       +
       func TestDPoPReplayProtection(t *testing.T) {

     

       661
       +
       	// This tests the NonceCache functionality

     

       662
       +
       	cache := auth.NewNonceCache(5 * time.Minute)

     

       663
       +
       	defer cache.Stop()

     

       664
       +
       

     

       665
       +
       	jti := "unique-proof-id-123"

     

       666
       +
       

     

       667
       +
       	// First use should succeed

     

       668
       +
       	if !cache.CheckAndStore(jti) {

     

       669
       +
       		t.Error("First use of jti should succeed")

     

       670
       +
       	}

     

       671
       +
       

     

       672
       +
       	// Second use should fail (replay detected)

     

       673
       +
       	if cache.CheckAndStore(jti) {

     

       674
       +
       		t.Error("SECURITY: Replay attack not detected - same jti accepted twice")

     

       675
       +
       	}

     

       676
       +
       

     

       677
       +
       	// Different jti should succeed

     

       678
       +
       	if !cache.CheckAndStore("different-jti-456") {

     

       679
       +
       		t.Error("Different jti should succeed")

     

       680
       +
       	}

     

       681
       +
       }

     

       682
       +
       

     

       683
       +
       // Helper: createDPoPProof creates a DPoP proof JWT for testing

     

       684
       +
       func createDPoPProof(t *testing.T, privateKey *ecdsa.PrivateKey, method, uri string) string {

     

       685
       +
       	// Create JWK from public key

     

       686
       +
       	jwk := ecdsaPublicKeyToJWK(&privateKey.PublicKey)

     

       687
       +
       

     

       688
       +
       	// Create DPoP claims with UUID for jti to ensure uniqueness across tests

     

       689
       +
       	claims := auth.DPoPClaims{

     

       690
       +
       		RegisteredClaims: jwt.RegisteredClaims{

     

       691
       +
       			IssuedAt: jwt.NewNumericDate(time.Now()),

     

       692
       +
       			ID:       uuid.New().String(),

     

       693
       +
       		},

     

       694
       +
       		HTTPMethod: method,

     

       695
       +
       		HTTPURI:    uri,

     

       696
       +
       	}

     

       697
       +
       

     

       698
       +
       	// Create token with custom header

     

       699
       +
       	token := jwt.NewWithClaims(jwt.SigningMethodES256, claims)

     

       700
       +
       	token.Header["typ"] = "dpop+jwt"

     

       701
       +
       	token.Header["jwk"] = jwk

     

       702
       +
       

     

       703
       +
       	// Sign with private key

     

       704
       +
       	signedToken, err := token.SignedString(privateKey)

     

       705
       +
       	if err != nil {

     

       706
       +
       		t.Fatalf("failed to sign DPoP proof: %v", err)

     

       707
       +
       	}

     

       708
       +
       

     

       709
       +
       	return signedToken

     

       710
       +
       }

     

       711
       +
       

     

       712
       +
       // Helper: ecdsaPublicKeyToJWK converts an ECDSA public key to JWK map

     

       713
       +
       func ecdsaPublicKeyToJWK(pubKey *ecdsa.PublicKey) map[string]interface{} {

     

       714
       +
       	// Get curve name

     

       715
       +
       	var crv string

     

       716
       +
       	switch pubKey.Curve {

     

       717
       +
       	case elliptic.P256():

     

       718
       +
       		crv = "P-256"

     

       719
       +
       	case elliptic.P384():

     

       720
       +
       		crv = "P-384"

     

       721
       +
       	case elliptic.P521():

     

       722
       +
       		crv = "P-521"

     

       723
       +
       	default:

     

       724
       +
       		panic("unsupported curve")

     

       725
       +
       	}

     

       726
       +
       

     

       727
       +
       	// Encode coordinates

     

       728
       +
       	xBytes := pubKey.X.Bytes()

     

       729
       +
       	yBytes := pubKey.Y.Bytes()

     

       730
       +
       

     

       731
       +
       	// Ensure proper byte length (pad if needed)

     

       732
       +
       	keySize := (pubKey.Curve.Params().BitSize + 7) / 8

     

       733
       +
       	xPadded := make([]byte, keySize)

     

       734
       +
       	yPadded := make([]byte, keySize)

     

       735
       +
       	copy(xPadded[keySize-len(xBytes):], xBytes)

     

       736
       +
       	copy(yPadded[keySize-len(yBytes):], yBytes)

     

       737
       +
       

     

       738
       +
       	return map[string]interface{}{

     

       739
       +
       		"kty": "EC",

     

       740
       +
       		"crv": crv,

     

       741
       +
       		"x":   base64.RawURLEncoding.EncodeToString(xPadded),

     

       742
       +
       		"y":   base64.RawURLEncoding.EncodeToString(yPadded),

     

       743
       +
       	}

     

       744
       +
       }

+134 -2

internal/atproto/auth/README.md

···

       110
        
       5. Find matching key by `kid` from JWT header

     

       111
        
       6. Cache the JWKS for 1 hour

     

       112
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       113
        
       ## Security Considerations

     

       114
        
       

     

       115
        
       ### ✅ Implemented

     
···

       120
        
       - Required claims validation (sub, iss)

     

       121
        
       - Key caching with TTL

     

       122
        
       - Secure error messages (no internal details leaked)

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       123
        
       

     

       124
        
       ### ⚠️ Not Yet Implemented

     

       125
        
       

     

       126
       -
       - DPoP validation (for replay attack prevention)

     

       127
        
       - Scope validation (checking `scope` claim)

     

       128
        
       - Audience validation (checking `aud` claim)

     

       129
        
       - Rate limiting per DID

     
···

       186
        
       

     

       187
        
       ## Future Enhancements

     

       188
        
       

     

       189
       -
       - [ ] DPoP proof validation

     

       190
        
       - [ ] Scope-based authorization

     

       191
        
       - [ ] Audience claim validation

     

       192
        
       - [ ] Token revocation support

···

       110
        
       5. Find matching key by `kid` from JWT header

     

       111
        
       6. Cache the JWKS for 1 hour

     

       112
        
       

     

       113
       +
       ## DPoP Token Binding

     

       114
       +
       

     

       115
       +
       DPoP (Demonstrating Proof-of-Possession) binds access tokens to client-controlled cryptographic keys, preventing token theft and replay attacks.

     

       116
       +
       

     

       117
       +
       ### What is DPoP?

     

       118
       +
       

     

       119
       +
       DPoP is an OAuth extension (RFC 9449) that adds proof-of-possession semantics to bearer tokens. When a PDS issues a DPoP-bound access token:

     

       120
       +
       

     

       121
       +
       1. Access token contains `cnf.jkt` claim (JWK thumbprint of client's public key)

     

       122
       +
       2. Client creates a DPoP proof JWT signed with their private key

     

       123
       +
       3. Server verifies the proof signature and checks it matches the token's `cnf.jkt`

     

       124
       +
       

     

       125
       +
       ### CRITICAL: DPoP Security Model

     

       126
       +
       

     

       127
       +
       > ⚠️ **DPoP is an ADDITIONAL security layer, NOT a replacement for token signature verification.**

     

       128
       +
       

     

       129
       +
       The correct verification order is:

     

       130
       +
       1. **ALWAYS verify the access token signature first** (via JWKS, HS256 shared secret, or DID resolution)

     

       131
       +
       2. **If the verified token has `cnf.jkt`, REQUIRE valid DPoP proof**

     

       132
       +
       3. **NEVER use DPoP as a fallback when signature verification fails**

     

       133
       +
       

     

       134
       +
       **Why This Matters**: An attacker could create a fake token with `sub: "did:plc:victim"` and their own `cnf.jkt`, then present a valid DPoP proof signed with their key. If we accept DPoP as a fallback, the attacker can impersonate any user.

     

       135
       +
       

     

       136
       +
       ### How DPoP Works

     

       137
       +
       

     

       138
       +
       ```

     

       139
       +
       ┌─────────────┐                          ┌─────────────┐

     

       140
       +
       │   Client    │                          │   Server    │

     

       141
       +
       │             │                          │  (Coves)    │

     

       142
       +
       └─────────────┘                          └─────────────┘

     

       143
       +
              │                                        │

     

       144
       +
              │ 1. Authorization: Bearer <token>       │

     

       145
       +
              │    DPoP: <proof-jwt>                  │

     

       146
       +
              │───────────────────────────────────────>│

     

       147
       +
              │                                        │

     

       148
       +
              │                                        │ 2. VERIFY token signature

     

       149
       +
              │                                        │    (REQUIRED - no fallback!)

     

       150
       +
              │                                        │

     

       151
       +
              │                                        │ 3. If token has cnf.jkt:

     

       152
       +
              │                                        │    - Verify DPoP proof

     

       153
       +
              │                                        │    - Check thumbprint match

     

       154
       +
              │                                        │

     

       155
       +
              │                              200 OK    │

     

       156
       +
              │<───────────────────────────────────────│

     

       157
       +
       ```

     

       158
       +
       

     

       159
       +
       ### When DPoP is Required

     

       160
       +
       

     

       161
       +
       DPoP verification is **REQUIRED** when:

     

       162
       +
       - Access token signature has been verified AND

     

       163
       +
       - Access token contains `cnf.jkt` claim (DPoP-bound)

     

       164
       +
       

     

       165
       +
       If the token has `cnf.jkt` but no DPoP header is present, the request is **REJECTED**.

     

       166
       +
       

     

       167
       +
       ### Replay Protection

     

       168
       +
       

     

       169
       +
       DPoP proofs include a unique `jti` (JWT ID) claim. The server tracks seen `jti` values to prevent replay attacks:

     

       170
       +
       

     

       171
       +
       ```go

     

       172
       +
       // Create a verifier with replay protection (default)

     

       173
       +
       verifier := auth.NewDPoPVerifier()

     

       174
       +
       defer verifier.Stop() // Stop cleanup goroutine on shutdown

     

       175
       +
       

     

       176
       +
       // The verifier automatically rejects reused jti values within the proof validity window (5 minutes)

     

       177
       +
       ```

     

       178
       +
       

     

       179
       +
       ### DPoP Implementation

     

       180
       +
       

     

       181
       +
       The `dpop.go` module provides:

     

       182
       +
       

     

       183
       +
       ```go

     

       184
       +
       // Create a verifier with replay protection

     

       185
       +
       verifier := auth.NewDPoPVerifier()

     

       186
       +
       defer verifier.Stop()

     

       187
       +
       

     

       188
       +
       // Verify the DPoP proof

     

       189
       +
       proof, err := verifier.VerifyDPoPProof(dpopHeader, "POST", "https://coves.social/xrpc/...")

     

       190
       +
       if err != nil {

     

       191
       +
           // Invalid proof (includes replay detection)

     

       192
       +
       }

     

       193
       +
       

     

       194
       +
       // Verify it binds to the VERIFIED access token

     

       195
       +
       expectedThumbprint, err := auth.ExtractCnfJkt(claims)

     

       196
       +
       if err != nil {

     

       197
       +
           // Token not DPoP-bound

     

       198
       +
       }

     

       199
       +
       

     

       200
       +
       if err := verifier.VerifyTokenBinding(proof, expectedThumbprint); err != nil {

     

       201
       +
           // Proof doesn't match token

     

       202
       +
       }

     

       203
       +
       ```

     

       204
       +
       

     

       205
       +
       ### DPoP Proof Format

     

       206
       +
       

     

       207
       +
       The DPoP header contains a JWT with:

     

       208
       +
       

     

       209
       +
       **Header**:

     

       210
       +
       - `typ`: `"dpop+jwt"` (required)

     

       211
       +
       - `alg`: `"ES256"` (or other supported algorithm)

     

       212
       +
       - `jwk`: Client's public key (JWK format)

     

       213
       +
       

     

       214
       +
       **Claims**:

     

       215
       +
       - `jti`: Unique proof identifier (tracked for replay protection)

     

       216
       +
       - `htm`: HTTP method (e.g., `"POST"`)

     

       217
       +
       - `htu`: HTTP URI (without query/fragment)

     

       218
       +
       - `iat`: Timestamp (must be recent, within 5 minutes)

     

       219
       +
       

     

       220
       +
       **Example**:

     

       221
       +
       ```json

     

       222
       +
       {

     

       223
       +
         "typ": "dpop+jwt",

     

       224
       +
         "alg": "ES256",

     

       225
       +
         "jwk": {

     

       226
       +
           "kty": "EC",

     

       227
       +
           "crv": "P-256",

     

       228
       +
           "x": "...",

     

       229
       +
           "y": "..."

     

       230
       +
         }

     

       231
       +
       }

     

       232
       +
       {

     

       233
       +
         "jti": "unique-id-123",

     

       234
       +
         "htm": "POST",

     

       235
       +
         "htu": "https://coves.social/xrpc/social.coves.community.create",

     

       236
       +
         "iat": 1700000000

     

       237
       +
       }

     

       238
       +
       ```

     

       239
       +
       

     

       240
        
       ## Security Considerations

     

       241
        
       

     

       242
        
       ### ✅ Implemented

     
···

       247
        
       - Required claims validation (sub, iss)

     

       248
        
       - Key caching with TTL

     

       249
        
       - Secure error messages (no internal details leaked)

     

       250
       +
       - **DPoP proof verification** (proof-of-possession for token binding)

     

       251
       +
       - **DPoP thumbprint validation** (prevents token theft attacks)

     

       252
       +
       - **DPoP freshness checks** (5-minute proof validity window)

     

       253
       +
       - **DPoP replay protection** (jti tracking with in-memory cache)

     

       254
       +
       - **Secure DPoP model** (DPoP required AFTER signature verification, never as fallback)

     

       255
        
       

     

       256
        
       ### ⚠️ Not Yet Implemented

     

       257
        
       

     

       258
       +
       - Server-issued DPoP nonces (additional replay protection)

     

       259
        
       - Scope validation (checking `scope` claim)

     

       260
        
       - Audience validation (checking `aud` claim)

     

       261
        
       - Rate limiting per DID

     
···

       318
        
       

     

       319
        
       ## Future Enhancements

     

       320
        
       

     

       321
       +
       - [ ] DPoP nonce validation (server-managed nonce for additional replay protection)

     

       322
        
       - [ ] Scope-based authorization

     

       323
        
       - [ ] Audience claim validation

     

       324
        
       - [ ] Token revocation support

+5 -6

go.mod

···

       1
        
       module Coves

     

       2
        
       

     

       3
       -
       go 1.24.0

     

       4
        
       

     

       5
        
       require (

     

       6
       -
       	github.com/bluesky-social/indigo v0.0.0-20251009212240-20524de167fe

     

       7
        
       	github.com/go-chi/chi/v5 v5.2.1

     

       8
        
       	github.com/golang-jwt/jwt/v5 v5.3.0

     

       9
        
       	github.com/gorilla/websocket v1.5.3

     
···

       11
        
       	github.com/lestrrat-go/jwx/v2 v2.0.12

     

       12
        
       	github.com/lib/pq v1.10.9

     

       13
        
       	github.com/pressly/goose/v3 v3.22.1

     

       14
       -
       	github.com/stretchr/testify v1.9.0

     

       0
        
       
     

       15
        
       	golang.org/x/net v0.46.0

     

       16
        
       	golang.org/x/time v0.3.0

     

       17
        
       )

     

       18
        
       

     

       19
        
       require (

     

       20
        
       	github.com/beorn7/perks v1.0.1 // indirect

     

       21
       -
       	github.com/carlmjohnson/versioninfo v0.22.5 // indirect

     

       22
        
       	github.com/cespare/xxhash/v2 v2.2.0 // indirect

     

       23
        
       	github.com/davecgh/go-spew v1.1.1 // indirect

     

       24
        
       	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect

     

       0
        
       
     

       25
        
       	github.com/felixge/httpsnoop v1.0.4 // indirect

     

       26
        
       	github.com/go-logr/logr v1.4.1 // indirect

     

       27
        
       	github.com/go-logr/stdr v1.2.2 // indirect

     
···

       71
        
       	github.com/segmentio/asm v1.2.0 // indirect

     

       72
        
       	github.com/sethvargo/go-retry v0.3.0 // indirect

     

       73
        
       	github.com/spaolacci/murmur3 v1.1.0 // indirect

     

       74
       -
       	github.com/stretchr/objx v0.5.2 // indirect

     

       75
        
       	github.com/whyrusleeping/cbor-gen v0.2.1-0.20241030202151-b7a6831be65e // indirect

     

       76
        
       	github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect

     

       77
        
       	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect

     

       78
       -
       	github.com/xeipuuv/gojsonschema v1.2.0 // indirect

     

       79
        
       	gitlab.com/yawning/secp256k1-voi v0.0.0-20230925100816-f2616030848b // indirect

     

       80
        
       	gitlab.com/yawning/tuplehash v0.0.0-20230713102510-df83abbf9a02 // indirect

     

       81
        
       	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 // indirect

···

       1
        
       module Coves

     

       2
        
       

     

       3
       +
       go 1.25

     

       4
        
       

     

       5
        
       require (

     

       6
       +
       	github.com/bluesky-social/indigo v0.0.0-20251127021457-6f2658724b36

     

       7
        
       	github.com/go-chi/chi/v5 v5.2.1

     

       8
        
       	github.com/golang-jwt/jwt/v5 v5.3.0

     

       9
        
       	github.com/gorilla/websocket v1.5.3

     
···

       11
        
       	github.com/lestrrat-go/jwx/v2 v2.0.12

     

       12
        
       	github.com/lib/pq v1.10.9

     

       13
        
       	github.com/pressly/goose/v3 v3.22.1

     

       14
       +
       	github.com/stretchr/testify v1.10.0

     

       15
       +
       	github.com/xeipuuv/gojsonschema v1.2.0

     

       16
        
       	golang.org/x/net v0.46.0

     

       17
        
       	golang.org/x/time v0.3.0

     

       18
        
       )

     

       19
        
       

     

       20
        
       require (

     

       21
        
       	github.com/beorn7/perks v1.0.1 // indirect

     

       0
        
       
     

       22
        
       	github.com/cespare/xxhash/v2 v2.2.0 // indirect

     

       23
        
       	github.com/davecgh/go-spew v1.1.1 // indirect

     

       24
        
       	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect

     

       25
       +
       	github.com/earthboundkid/versioninfo/v2 v2.24.1 // indirect

     

       26
        
       	github.com/felixge/httpsnoop v1.0.4 // indirect

     

       27
        
       	github.com/go-logr/logr v1.4.1 // indirect

     

       28
        
       	github.com/go-logr/stdr v1.2.2 // indirect

     
···

       72
        
       	github.com/segmentio/asm v1.2.0 // indirect

     

       73
        
       	github.com/sethvargo/go-retry v0.3.0 // indirect

     

       74
        
       	github.com/spaolacci/murmur3 v1.1.0 // indirect

     

       0
        
       
     

       75
        
       	github.com/whyrusleeping/cbor-gen v0.2.1-0.20241030202151-b7a6831be65e // indirect

     

       76
        
       	github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect

     

       77
        
       	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect

     

       0
        
       
     

       78
        
       	gitlab.com/yawning/secp256k1-voi v0.0.0-20230925100816-f2616030848b // indirect

     

       79
        
       	gitlab.com/yawning/tuplehash v0.0.0-20230713102510-df83abbf9a02 // indirect

     

       80
        
       	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 // indirect

+6 -8

go.sum

···

       2
        
       github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=

     

       3
        
       github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=

     

       4
        
       github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=

     

       5
       -
       github.com/bluesky-social/indigo v0.0.0-20251009212240-20524de167fe h1:VBhaqE5ewQgXbY5SfSWFZC/AwHFo7cHxZKFYi2ce9Yo=

     

       6
       -
       github.com/bluesky-social/indigo v0.0.0-20251009212240-20524de167fe/go.mod h1:RuQVrCGm42QNsgumKaR6se+XkFKfCPNwdCiTvqKRUck=

     

       7
       -
       github.com/carlmjohnson/versioninfo v0.22.5 h1:O00sjOLUAFxYQjlN/bzYTuZiS0y6fWDQjMRvwtKgwwc=

     

       8
       -
       github.com/carlmjohnson/versioninfo v0.22.5/go.mod h1:QT9mph3wcVfISUKd0i9sZfVrPviHuSF+cUtLjm2WSf8=

     

       9
        
       github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=

     

       10
        
       github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=

     

       11
        
       github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=

     
···

       17
        
       github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0=

     

       18
        
       github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=

     

       19
        
       github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=

     

       0
        
       
     

       0
        
       
     

       20
        
       github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=

     

       21
        
       github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=

     

       22
        
       github.com/go-chi/chi/v5 v5.2.1 h1:KOIHODQj58PmL80G2Eak4WdvUzjSJSm0vG72crDCqb8=

     
···

       172
        
       github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=

     

       173
        
       github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=

     

       174
        
       github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=

     

       175
       -
       github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=

     

       176
       -
       github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=

     

       177
        
       github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=

     

       178
        
       github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=

     

       179
        
       github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=

     
···

       182
        
       github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=

     

       183
        
       github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=

     

       184
        
       github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=

     

       185
       -
       github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=

     

       186
       -
       github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=

     

       187
        
       github.com/urfave/cli v1.22.10/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=

     

       188
        
       github.com/warpfork/go-wish v0.0.0-20220906213052-39a1cc7a02d0 h1:GDDkbFiaK8jsSDJfjId/PEGEShv6ugrt4kYsC5UIDaQ=

     

       189
        
       github.com/warpfork/go-wish v0.0.0-20220906213052-39a1cc7a02d0/go.mod h1:x6AKhvSSexNrVSrViXSHUEbICjmGXhtgABaHIySUSGw=

···

       2
        
       github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=

     

       3
        
       github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=

     

       4
        
       github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=

     

       5
       +
       github.com/bluesky-social/indigo v0.0.0-20251127021457-6f2658724b36 h1:Vc+l4sltxQfBT8qC3dm87PRYInmxlGyF1dmpjaW0WkU=

     

       6
       +
       github.com/bluesky-social/indigo v0.0.0-20251127021457-6f2658724b36/go.mod h1:Pm2I1+iDXn/hLbF7XCg/DsZi6uDCiOo7hZGWprSM7k0=

     

       0
        
       
     

       0
        
       
     

       7
        
       github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=

     

       8
        
       github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=

     

       9
        
       github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=

     
···

       15
        
       github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0=

     

       16
        
       github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=

     

       17
        
       github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=

     

       18
       +
       github.com/earthboundkid/versioninfo/v2 v2.24.1 h1:SJTMHaoUx3GzjjnUO1QzP3ZXK6Ee/nbWyCm58eY3oUg=

     

       19
       +
       github.com/earthboundkid/versioninfo/v2 v2.24.1/go.mod h1:VcWEooDEuyUJnMfbdTh0uFN4cfEIg+kHMuWB2CDCLjw=

     

       20
        
       github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=

     

       21
        
       github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=

     

       22
        
       github.com/go-chi/chi/v5 v5.2.1 h1:KOIHODQj58PmL80G2Eak4WdvUzjSJSm0vG72crDCqb8=

     
···

       172
        
       github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=

     

       173
        
       github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=

     

       174
        
       github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=

     

       0
        
       
     

       0
        
       
     

       175
        
       github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=

     

       176
        
       github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=

     

       177
        
       github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=

     
···

       180
        
       github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=

     

       181
        
       github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=

     

       182
        
       github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=

     

       183
       +
       github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=

     

       184
       +
       github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=

     

       185
        
       github.com/urfave/cli v1.22.10/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=

     

       186
        
       github.com/warpfork/go-wish v0.0.0-20220906213052-39a1cc7a02d0 h1:GDDkbFiaK8jsSDJfjId/PEGEShv6ugrt4kYsC5UIDaQ=

     

       187
        
       github.com/warpfork/go-wish v0.0.0-20220906213052-39a1cc7a02d0/go.mod h1:x6AKhvSSexNrVSrViXSHUEbICjmGXhtgABaHIySUSGw=

Compare changes