Clone this repository
https://tangled.org/bretton.dev/coves
git@knot.bretton.dev:bretton.dev/coves
Document what's complete and what's pending for phone verification.
Includes merge strategy, cost estimates, and next steps.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Add implementation and security documentation:
- DID_SETUP.md: Keypair generation and deployment
- PHONE_VERIFICATION_IMPLEMENTATION.md: Complete implementation guide
- PHONE_VERIFICATION_SUMMARY.md: Quick reference
- VERIFICATION_SECURITY.md: Security model and attack prevention
Documents the hybrid architecture: privacy-first storage with
cryptographically signed, portable verification badges.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Add DID document and environment configuration:
- did:web:coves.social for cryptographic signing
- P-256 EC keypair for ECDSA signatures
- Configurable for self-hosted instances
Third-party apps fetch public key from /.well-known/did.json
to verify verification signatures.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Telnyx selected for SMS delivery:
- 50% cheaper than Twilio ($0.004/SMS vs $0.0079)
- Owned infrastructure (better reliability)
- International number support
- Free expert support
Client handles OTP delivery with proper error handling.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Implement verification service with security-first design:
- Cryptographically secure OTP generation (crypto/rand)
- Rate limiting (3/hour per phone, 5/day per DID)
- Constant-time OTP comparison (bcrypt)
- Signature binding to subject DID (prevents copying attack)
- Comprehensive error types for XRPC handlers
Service interfaces support future verification types (email, domain).
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Add privacy-first phone verification tables:
- phone_verifications: Stores hashed phones only (HMAC-SHA256)
- phone_verification_requests: Temporary OTP storage (10min TTL)
- phone_verification_rate_limits: SMS abuse prevention
- phone_verification_audit_log: Security monitoring
Includes cleanup function for expired requests.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Add support for cryptographically signed verifications (phone, email, domain, etc.)
to actor profiles. This is a backwards-compatible addition.
Changes:
- Replace simple verified boolean with verifications array
- Add verification lexicon definition with signature support
- Add XRPC endpoints: requestPhone, verifyPhone, getStatus
The verification array allows multiple verification types and is
cryptographically signed by trusted services (e.g., did:web:coves.social).
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>