bretton.dev
code
Clone this repository
https://tangled.org/bretton.dev/coves
git@knot.bretton.dev:bretton.dev/coves
For self-hosted knots, clone URLs may differ based on your setup.
V2.0 Communities Architecture: PDS-Managed Keys & Password Encryption
This major refactor simplifies community provisioning by delegating all
cryptographic operations to the PDS, enabling faster shipping and better
atProto compliance.
Key Changes:
- Password encryption (not hashing) for session recovery
- PDS-managed DID and key generation
- Removed Coves-side DID generator
- Local PLC directory for E2E testing
- Comprehensive integration tests
Architecture Benefits:
- Simpler codebase (less cryptography to maintain)
- Faster community creation
- Standard atProto migration support
- Better separation of concerns
Migration Path:
- V2.0 (current): PDS-managed keys, Coves-to-Coves migration
- V2.1 (future): Optional Coves rotation key for external migration
馃 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Update development configuration and project documentation to reflect
V2.0 architecture changes and improve code review guidelines.
Changes:
- .env.dev: Add PLC directory configuration for local development
- CLAUDE.md: Enhance PR review checklist with V2-specific concerns
Documentation Updates:
- Clarify atProto write-forward architecture requirements
- Add federation and DID resolution verification steps
- Improve security review checklist
- Add performance and testing coverage guidelines
Environment Updates:
- Configure PLC_DIRECTORY_URL for local PLC directory
- Update IS_DEV_ENV flag documentation
These changes support better code review practices and local
development workflow for V2.0 communities.
馃 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Remove unused dependencies that were only needed for Coves-side DID
generation and key management, which has been delegated to the PDS
in V2.0 architecture.
Changes:
- Remove unused crypto libraries
- Update go.mod and go.sum after dependency cleanup
- Simplify dependency tree
The PDS now handles all cryptographic operations for community DIDs,
reducing our dependency footprint and maintenance burden.
馃 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Remove Coves-side DID generator in favor of PDS-managed DID generation.
Removed Files:
- internal/atproto/did/generator.go
- internal/atproto/did/generator_test.go
Rationale:
V2.0 architecture delegates all DID and key management to the PDS for:
- Bluesky PDS cannot handle record imports created outside the PDS.
- No complex cryptography
- Standard atProto compliance (PDS owns community identity)
The PDS now handles:
- DID generation (did:plc format)
- Signing key generation and storage
- Rotation key generation and storage
- PLC directory registration
馃 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Add Docker Compose profile for running a local PLC directory server,
enabling E2E tests without polluting production plc.directory.
Changes:
- Add postgres-plc service (port 5436) for PLC directory database
- Add plc-directory service (port 3002) running did-method-plc
- Add 'plc' profile for optional PLC directory startup
- Update Makefile with PLC directory targets
Usage:
docker-compose --profile plc up postgres-plc plc-directory
PLC_DIRECTORY_URL=http://localhost:3002 go test ./tests/integration/...
Benefits:
- Isolated dev environment for DID registration testing
- No pollution of production PLC directory
- Faster E2E tests (no external network calls)
- Enables testing of full community provisioning flow locally
This supports V2.0 architecture where communities get PDS-managed DIDs
that should be registered with a PLC directory.
馃 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Update all existing community tests to align with V2.0 changes:
- Replace password hash fields with encrypted password fields
- Remove DID generator mocks and dependencies
- Update test data structures for PDS-managed keys
- Fix assertions for new community provisioning flow
Modified Test Files:
- community_consumer_test.go: Update Jetstream consumer tests
- community_credentials_test.go: Update credential validation tests
- community_e2e_test.go: Update end-to-end workflow tests
- community_repo_test.go: Update repository layer tests
- user_test.go: Add helper functions for test DIDs
- community_service_test.go: Update service layer unit tests
Breaking Changes:
- Communities no longer have Coves-generated DIDs
- Password field is now encrypted, not hashed
- Service constructors simplified (no DID generator)
All tests pass with new V2.0 architecture.
馃 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>