dunkirk.sh
+78
AGENTS.md
+78
AGENTS.md
···End of handoff. Implement auth login and repo list as described, keeping changes focused and testable.+This workspace often needs to peek at the Tangled monorepo to confirm XRPC endpoints and shapes. Here are concise tips and findings that informed this CLI implementation.+- Note: there is no `sh.tangled.repo.list` lexicon in the core right now; listing is done via ATproto records.+- Knotserver XRPC routes (what requires auth vs open): `../tangled-core/knotserver/xrpc/xrpc.go`+- Validates ServiceAuth; expects rkey for the `sh.tangled.repo` record that already exists on the user's PDS.+- ServiceAuth middleware (how Bearer is validated): `../tangled-core/xrpc/serviceauth/service_auth.go`+- Appview client for ServiceAuth: `../tangled-core/appview/xrpcclient/xrpc.go` (method: `ServerGetServiceAuth`).+- `ls ../tangled-core/lexicons/repo` or `rg -n "\bid\": \"sh\.tangled\..*\"" ../tangled-core/lexicons`+2) List records from the user’s PDS: `GET com.atproto.repo.listRecords` with `collection=sh.tangled.repo`.+3) Filter client-side (e.g., by `knot`). “Starred” filtering is not currently defined in core.+- `POST com.atproto.repo.createRecord` with `{ repo: <did>, collection: "sh.tangled.repo", record: { name, knot, description?, createdAt } }`.+- Obtain ServiceAuth: `GET com.atproto.server.getServiceAuth` from PDS with `aud=did:web:<tngl.sh or target-host>`.+- `POST sh.tangled.repo.create` on the Tangled API base with `{ rkey, defaultBranch?, source? }` and `Authorization: Bearer <serviceAuth>`.+- Server validates token via `xrpc/serviceauth`, confirms actor permissions, and creates the git repo.+- Tangled API base (server): default is `https://tngl.sh`. Do not use the marketing/landing site.+- PDS base (auth + record ops): default `https://bsky.social` unless a different PDS was chosen on login.+- ServiceAuth audience DID is `did:web:<host>` where `<host>` is the Tangled API base hostname.+- `InvalidToken` when listing repos: listing should use the PDS (`com.atproto.repo.listRecords`), not the Tangled API base.+- 404 on `repo.create`: verify ServiceAuth audience matches the target host and that the rkey exists on the PDS.+- Keychain issues on Linux: ensure a Secret Service (e.g., GNOME Keyring or KWallet) is running.+- `com.atproto.server.createSession` against the PDS, save `{accessJwt, refreshJwt, did, handle, pds}` in keyring.+- Unit test decoding with minimal JSON envelopes: record lists, createRecord `uri`, and repo.create (empty body or simple ack).