+25 -16

CLAUDE.md

reviewed

··· 214 214 **Authentication Flow:** 215 215 ``` 216 216 1. User configures Docker to use the credential helper (adds to config.json) 217 217 - 2. On first docker push/pull, helper generates ECDSA P-256 DPoP key 218 218 - 3. Resolve handle → DID → PDS endpoint 219 219 - 4. Discover OAuth server metadata from PDS 220 220 - 5. PAR request with DPoP header → get request_uri 221 221 - 6. Open browser for user authorization 222 222 - 7. Exchange code for token with DPoP proof 223 223 - 8. Save: access token, refresh token, DPoP key, DID, handle 217 217 + 2. On first docker push/pull, Docker calls credential helper 218 218 + 3. Credential helper opens browser → AppView OAuth page 219 219 + 4. AppView handles OAuth flow: 220 220 + - Resolves handle → DID → PDS endpoint 221 221 + - Discovers OAuth server metadata from PDS 222 222 + - PAR request with DPoP header → get request_uri 223 223 + - User authorizes in browser 224 224 + - AppView exchanges code for OAuth token with DPoP proof 225 225 + - AppView stores: OAuth token, refresh token, DPoP key, DID, handle 226 226 + 5. AppView shows device approval page: "Can [device] push to your account?" 227 227 + 6. User approves device 228 228 + 7. AppView issues registry JWT with validated DID 229 229 + 8. AppView returns JSON token to credential helper (via callback or browser display) 230 230 + 9. Credential helper saves registry JWT locally 231 231 + 10. Helper returns registry JWT to Docker 224 232 225 233 Later (subsequent docker push): 226 226 - 9. Docker calls credential helper 227 227 - 10. Helper loads token, refreshes if needed 228 228 - 11. Helper calls /auth/exchange with OAuth token + handle 229 229 - 12. AppView validates token via PDS getSession 230 230 - 13. AppView ensures sailor profile exists (creates with defaultHold if first login) 231 231 - 14. AppView issues registry JWT with validated DID 232 232 - 15. Helper returns JWT to Docker 234 234 + 11. Docker calls credential helper 235 235 + 12. Helper returns cached registry JWT (or re-authenticates if expired) 233 236 ``` 237 237 + 238 238 + **Key distinction:** The credential helper never manages OAuth tokens or DPoP keys directly. AppView owns the OAuth session and issues registry JWTs to the credential helper. This means AppView has access to user OAuth tokens and DPoP keys, which it needs for: 239 239 + - Writing manifests to user's PDS 240 240 + - Validating user sessions 241 241 + - Delegating access to hold services 234 242 235 243 **Security:** 236 244 - Tokens validated against authoritative source (user's PDS) ··· 479 487 - `HOLD_OWNER` - DID for auto-registration (optional) 480 488 481 489 **Credential Helper**: 482 482 - - Token storage: `~/.atcr/oauth-token.json` 483 483 - - Contains: access token, refresh token, DPoP key (PEM), DID, handle 490 490 + - Token storage: `~/.atcr/credential-helper-token.json` (or Docker's credential store) 491 491 + - Contains: Registry JWT issued by AppView (NOT OAuth tokens) 492 492 + - OAuth session managed entirely by AppView 484 493 485 494 ### Development Notes 486 495

+644

docs/EMBEDDED_PDS.md

reviewed

··· 1 1 + # Embedded PDS Architecture for Hold Services 2 2 + 3 3 + This document explores the evolution of ATCR's hold service architecture toward becoming an embedded ATProto PDS (Personal Data Server). 4 4 + 5 5 + ## Motivation 6 6 + 7 7 + ### Comparison to Other ATProto Projects 8 8 + 9 9 + Several ATProto projects face similar challenges with large data storage: 10 10 + 11 11 + | Project | Large Data | Metadata | Current Solution | 12 12 + |---------|-----------|----------|------------------| 13 13 + | **tangled.org** | Git objects | Issues, PRs, comments | External knot storage | 14 14 + | **stream.place** | Video segments | Stream info, chat | Embedded "static PDS" | 15 15 + | **ATCR** | Container blobs | Manifests, comments, builds | External hold service | 16 16 + 17 17 + **Common problem:** Large binary data can't realistically live in user PDSs, but interaction metadata gets fragmented across different users' PDSs. 18 18 + 19 19 + **Emerging pattern:** Application-specific storage services with embedded minimal PDS implementations. 20 20 + 21 21 + ### The Fragmentation Problem 22 22 + 23 23 + #### Tangled.org Example 24 24 + ``` 25 25 + user/myproject repository 26 26 + ├── Git data → Knot (external storage) 27 27 + ├── Issues → Created by @alice → Lives in alice's PDS 28 28 + ├── PRs → Created by @bob → Lives in bob's PDS 29 29 + └── Comments → Created by @charlie → Lives in charlie's PDS 30 30 + ``` 31 31 + 32 32 + **Problems:** 33 33 + - Repo owner can't export all issues/PRs easily 34 34 + - No single source of truth for repo metadata 35 35 + - Interaction history fragmented across PDSs 36 36 + - Can't encrypt repo data while maintaining collaboration 37 37 + 38 38 + #### ATCR's Similar Challenge 39 39 + ``` 40 40 + atcr.io/alice/myapp 41 41 + ├── Manifests → alice's PDS 42 42 + ├── Blobs → Hold service (external) 43 43 + └── Future: Comments, builds, attestations → Where? 44 44 + ``` 45 45 + 46 46 + ### Stream.place's Approach 47 47 + 48 48 + Stream.place built a **minimal "static PDS"** embedded in their application with just the XRPC endpoints they need: 49 49 + - `com.atproto.repo.describeRepo` 50 50 + - `com.atproto.sync.subscribeRepos` 51 51 + - Minimal read methods 52 52 + 53 53 + **Why:** Avoid rate-limiting Bluesky's infrastructure with video segments while staying ATProto-native. 54 54 + 55 55 + ## Current Hold Service Architecture 56 56 + 57 57 + The current hold service is intentionally minimal: 58 58 + 59 59 + ``` 60 60 + Hold Service = 61 61 + - OAuth token validation (call user's PDS) 62 62 + - Generate presigned S3 URLs 63 63 + - Return HTTP redirects 64 64 + - Optional crew membership checks 65 65 + ``` 66 66 + 67 67 + **Endpoints:** 68 68 + - `POST /get-presigned-url` → S3 download URL 69 69 + - `POST /put-presigned-url` → S3 upload URL 70 70 + - `GET /blobs/{digest}` → Proxy fallback 71 71 + - `PUT /blobs/{digest}` → Proxy fallback 72 72 + - `GET /health` → Health check 73 73 + 74 74 + **Resource footprint:** 75 75 + - Single Go binary (~20MB) 76 76 + - No database (stateless) 77 77 + - No PDS (validates against user's PDS) 78 78 + - Minimal memory/CPU (just signing URLs) 79 79 + - S3 does all the heavy lifting 80 80 + 81 81 + This is already **as cheap as possible** for what it does - just an OAuth validation + URL signing service. 82 82 + 83 83 + ## Why Not Force Blobs into User PDSs? 84 84 + 85 85 + ### Size Considerations 86 86 + 87 87 + **PDS blob limits:** Default ~50MB (Bluesky may be lower) 88 88 + 89 89 + **Container layer sizes:** 90 90 + - Alpine base: ~5MB ✓ 91 91 + - Config blobs: ~1-5KB ✓ 92 92 + - Small Go binaries: 10-30MB ✓ 93 93 + - Node.js base: 100-200MB ✗ 94 94 + - Python base: 50-100MB ✗ 95 95 + - ML models: 500MB - 10GB ✗ 96 96 + - Large datasets: huge ✗ 97 97 + 98 98 + **Reality:** Many/most layers exceed 50MB. A split-brain approach would be the norm, not the exception. 99 99 + 100 100 + ### Split-Brain Complexity 101 101 + 102 102 + ```go 103 103 + func (s *SplitBlobStore) Create(ctx context.Context, options ...) { 104 104 + // Challenges: 105 105 + // 1. Monolithic uploads: Size known upfront ✓ 106 106 + // 2. Chunked uploads: Size unknown until complete ✗ 107 107 + // 3. Resumable uploads: State management across PDS/hold ✗ 108 108 + // 4. Mount/cross-repo: Which backend to check? ✗ 109 109 + } 110 110 + ``` 111 111 + 112 112 + Detection works for simple cases but breaks down with: 113 113 + - Multipart/chunked uploads (no size until complete) 114 114 + - Resumable uploads (stateful across boundaries) 115 115 + - Cross-repository blob mounts (which backend?) 116 116 + 117 117 + ### Pragmatic Decision 118 118 + 119 119 + **Accept the trade-off:** 120 120 + - Blobs in holds (practical for large data) 121 121 + - Manifests in user's PDS (ownership of metadata) 122 122 + - Focus on making holds easy to deploy and migrate 123 123 + 124 124 + Users still own the **important part** - the manifest is the source of truth for what the image is. 125 125 + 126 126 + ## Embedded PDS Vision 127 127 + 128 128 + ### Key Insight: Hold is the PDS 129 129 + 130 130 + Because blobs are **content-addressed** and **deduplicated globally**, there isn't a singular owner of blob data. Multiple images share the same base layer blobs. 131 131 + 132 132 + **Therefore:** The **hold itself** is the PDS (with identity `did:web:hold1.example.com`), not individual image repositories. 133 133 + 134 134 + ### Proposed Architecture 135 135 + 136 136 + ``` 137 137 + Hold Service = Minimal PDS (did:web:hold1.example.com) 138 138 + ├── Standard ATProto blob endpoints: 139 139 + │ ├── com.atproto.sync.uploadBlob 140 140 + │ ├── com.atproto.sync.getBlob 141 141 + │ └── Blob storage → S3 (like normal PDS) 142 142 + ├── Custom XRPC methods: 143 143 + │ ├── io.atcr.hold.delegateAccess (IAM) 144 144 + │ ├── io.atcr.hold.getUploadUrl (optimization) 145 145 + │ ├── io.atcr.hold.getDownloadUrl (optimization) 146 146 + │ ├── io.atcr.hold.exportImage (data portability) 147 147 + │ └── io.atcr.hold.getStats (metadata) 148 148 + └── Records (hold's own PDS): 149 149 + ├── io.atcr.hold.crew (crew membership) 150 150 + └── io.atcr.hold.config (hold configuration) 151 151 + ``` 152 152 + 153 153 + ### Benefits 154 154 + 155 155 + 1. **ATProto-native**: Uses standard XRPC, not custom REST API 156 156 + 2. **Discoverable**: Hold's DID document advertises capabilities 157 157 + 3. **Portable**: Users can export images via XRPC 158 158 + 4. **Standardized**: Blob operations use ATProto conventions 159 159 + 5. **Future-proof**: Can add more XRPC methods as needed 160 160 + 6. **Interoperable**: Works with ATProto tooling 161 161 + 162 162 + ## Implementation Details 163 163 + 164 164 + ### 1. SHA256 to CID Mapping 165 165 + 166 166 + ATProto uses CIDs (Content Identifiers) for blobs, while OCI uses SHA256 digests. However, CIDs support SHA256 as the hash function. 167 167 + 168 168 + **Key insight:** We can construct CIDs directly from SHA256 digests with no additional storage needed! 169 169 + 170 170 + ```go 171 171 + // pkg/hold/cid.go 172 172 + func DigestToCID(digest string) (cid.Cid, error) { 173 173 + // sha256:abc123... → raw bytes 174 174 + hash := parseDigest(digest) 175 175 + 176 176 + // Construct CIDv1 with sha256 codec 177 177 + return cid.NewCidV1( 178 178 + cid.Raw, // codec 179 179 + multihash.SHA2_256, // hash function 180 180 + hash, // hash bytes 181 181 + ) 182 182 + } 183 183 + 184 184 + func CIDToDigest(c cid.Cid) string { 185 185 + // Decode multihash → sha256:abc... 186 186 + mh := c.Hash() 187 187 + return fmt.Sprintf("sha256:%x", mh) 188 188 + } 189 189 + ``` 190 190 + 191 191 + **Mapping:** 192 192 + ``` 193 193 + OCI digest: sha256:abc123... 194 194 + ATProto CID: bafybei... (CIDv1 with sha256, base32 encoded) 195 195 + Storage path: s3://bucket/blobs/sha256/ab/abc123... 196 196 + ``` 197 197 + 198 198 + Blobs stay in distribution's layout, we just compute CID on-the-fly. **No mapping records needed.** 199 199 + 200 200 + ### 2. Storage: Distribution Layout with PDS Interface 201 201 + 202 202 + The hold's blob storage uses distribution's driver directly - no encoding or transformation: 203 203 + 204 204 + ```go 205 205 + type HoldBlobStore struct { 206 206 + storageDriver storagedriver.StorageDriver // S3, filesystem, etc 207 207 + } 208 208 + 209 209 + // Implements ATProto blob interface 210 210 + func (h *HoldBlobStore) UploadBlob(ctx context.Context, data io.Reader) (cid.Cid, error) { 211 211 + // 1. Compute sha256 while reading 212 212 + digest, size := computeDigest(data) 213 213 + 214 214 + // 2. Store at distribution's path: blobs/sha256/ab/abc123... 215 215 + path := h.blobPath(digest) 216 216 + h.storageDriver.PutContent(ctx, path, data) 217 217 + 218 218 + // 3. Return CID (computed from sha256) 219 219 + return DigestToCID(digest), nil 220 220 + } 221 221 + 222 222 + func (h *HoldBlobStore) GetBlob(ctx context.Context, c cid.Cid) (io.Reader, error) { 223 223 + // 1. Convert CID → sha256 digest 224 224 + digest := CIDToDigest(c) 225 225 + 226 226 + // 2. Fetch from distribution's path 227 227 + path := h.blobPath(digest) 228 228 + return h.storageDriver.Reader(ctx, path, 0) 229 229 + } 230 230 + ``` 231 231 + 232 232 + Storage continues to use distribution's existing S3 layout. The PDS interface is just a wrapper. 233 233 + 234 234 + ### 3. Authentication & IAM 235 235 + 236 236 + **Challenge:** ATProto operations are authenticated AS the account owner. For hold operations, we need actions to be performed AS the hold (not individual users), but authorized BY crew members. 237 237 + 238 238 + **Important context:** AppView manages the user's OAuth session. When users authenticate via the credential helper, they actually authenticate through AppView's web interface. AppView obtains and stores the user's OAuth token and DPoP key. The credential helper only receives a registry JWT. 239 239 + 240 240 + **Proposed: DPoP Proof Delegation (Standard ATProto Federation)** 241 241 + 242 242 + ``` 243 243 + 1. User authenticates via AppView (OAuth flow) 244 244 + - AppView obtains: OAuth token, refresh token, DPoP key, DID 245 245 + - AppView stores these in its token storage 246 246 + - Credential helper receives: Registry JWT only 247 247 + 248 248 + 2. When AppView needs blob access, it calls hold: 249 249 + POST /xrpc/io.atcr.hold.delegateAccess 250 250 + Headers: Authorization: DPoP <user-oauth-token> 251 251 + DPoP: <proof-signed-with-user-dpop-key> 252 252 + Body: { 253 253 + "userDid": "did:plc:alice123", 254 254 + "purpose": "blob-upload", 255 255 + "duration": 900 256 256 + } 257 257 + 258 258 + 3. Hold validates (standard ATProto token validation): 259 259 + - Verify DPoP proof signature matches token's bound key 260 260 + - Call user's PDS: com.atproto.server.getSession (validates token) 261 261 + - Extract user's DID from validated session 262 262 + - Check user's DID in hold's crew records 263 263 + - If authorized, issue temporary token for blob operations 264 264 + 265 265 + 4. AppView uses delegated token for blob operations: 266 266 + POST /xrpc/com.atproto.sync.uploadBlob 267 267 + Headers: Authorization: DPoP <hold-token> 268 268 + DPoP: <proof> 269 269 + ``` 270 270 + 271 271 + **This is standard ATProto federation** - services pass OAuth tokens with DPoP proofs between each other. Hold independently validates tokens against the user's PDS, so there's no trust relationship required. 272 272 + 273 273 + **Crew records stored in hold's PDS:** 274 274 + ```json 275 275 + { 276 276 + "$type": "io.atcr.hold.crew", 277 277 + "member": "did:plc:alice123", 278 278 + "role": "admin", 279 279 + "permissions": ["blob:read", "blob:write", "crew:manage"], 280 280 + "addedAt": "2025-10-14T..." 281 281 + } 282 282 + ``` 283 283 + 284 284 + **Security considerations:** 285 285 + - User's OAuth token is exposed to hold during delegation 286 286 + - However, hold independently validates it (can't be forged) 287 287 + - Tokens are short-lived (15min typical) 288 288 + - Hold only accepts tokens for crew members 289 289 + - Hold validates DPoP binding (requires private key) 290 290 + - Standard ATProto security model 291 291 + 292 292 + ### 4. Presigned URLs for Optimized Egress 293 293 + 294 294 + While standard ATProto blob endpoints work, direct S3 access is more efficient. Hold can expose custom XRPC methods: 295 295 + 296 296 + ```go 297 297 + // io.atcr.hold.getUploadUrl - Get presigned upload URL 298 298 + type GetUploadUrlRequest struct { 299 299 + Digest string // sha256:abc... 300 300 + Size int64 301 301 + } 302 302 + 303 303 + type GetUploadUrlResponse struct { 304 304 + UploadURL string // Presigned S3 URL 305 305 + ExpiresAt time.Time 306 306 + } 307 307 + 308 308 + // io.atcr.hold.getDownloadUrl - Get presigned download URL 309 309 + type GetDownloadUrlRequest struct { 310 310 + Digest string 311 311 + } 312 312 + 313 313 + type GetDownloadUrlResponse struct { 314 314 + DownloadURL string // Presigned S3 URL 315 315 + ExpiresAt time.Time 316 316 + } 317 317 + ``` 318 318 + 319 319 + **AppView uses optimized path:** 320 320 + ```go 321 321 + func (a *ATProtoBlobStore) ServeBlob(ctx, w, r, dgst) error { 322 322 + // Try optimized presigned URL endpoint 323 323 + resp, err := a.client.GetDownloadUrl(ctx, dgst) 324 324 + if err == nil { 325 325 + // Redirect directly to S3 326 326 + http.Redirect(w, r, resp.DownloadURL, http.StatusTemporaryRedirect) 327 327 + return nil 328 328 + } 329 329 + 330 330 + // Fallback: Standard ATProto blob endpoint (proxied) 331 331 + reader, _ := a.client.GetBlob(ctx, holdDID, cid) 332 332 + io.Copy(w, reader) 333 333 + } 334 334 + ``` 335 335 + 336 336 + **Best of both worlds:** Standard ATProto interface + S3 optimization for bandwidth efficiency. 337 337 + 338 338 + ### 5. Image Export for Portability 339 339 + 340 340 + Custom XRPC method enables users to export entire images: 341 341 + 342 342 + ```go 343 343 + // io.atcr.hold.exportImage - Export all blobs for an image 344 344 + type ExportImageRequest struct { 345 345 + Manifest *oci.Manifest // User provides manifest 346 346 + } 347 347 + 348 348 + type ExportImageResponse struct { 349 349 + ArchiveURL string // Presigned S3 URL to tar.gz 350 350 + ExpiresAt time.Time 351 351 + } 352 352 + 353 353 + // Implementation: 354 354 + // 1. Extract all blob digests from manifest (config + layers) 355 355 + // 2. Create tar.gz with all blobs 356 356 + // 3. Upload to S3 temp location 357 357 + // 4. Return presigned download URL (15min expiry) 358 358 + ``` 359 359 + 360 360 + Users can request all blobs for their images and migrate to different holds. 361 361 + 362 362 + ## Changes Required 363 363 + 364 364 + ### AppView Changes 365 365 + 366 366 + **Current:** 367 367 + ```go 368 368 + type ProxyBlobStore struct { 369 369 + holdURL string // HTTP endpoint 370 370 + } 371 371 + 372 372 + func (p *ProxyBlobStore) ServeBlob(...) { 373 373 + // POST /put-presigned-url 374 374 + // Return redirect 375 375 + } 376 376 + ``` 377 377 + 378 378 + **New:** 379 379 + ```go 380 380 + type ATProtoBlobStore struct { 381 381 + holdDID string // did:web:hold1.example.com 382 382 + holdURL string // Resolved from DID document 383 383 + client *atproto.Client // XRPC client 384 384 + delegatedToken string // From io.atcr.hold.delegateAccess 385 385 + } 386 386 + 387 387 + func (a *ATProtoBlobStore) ServeBlob(ctx, w, r, dgst) error { 388 388 + // Try optimized: io.atcr.hold.getDownloadUrl 389 389 + // Fallback: com.atproto.sync.getBlob 390 390 + } 391 391 + ``` 392 392 + 393 393 + ### Hold Service Changes 394 394 + 395 395 + Transform from simple HTTP server to minimal PDS: 396 396 + 397 397 + ```go 398 398 + // cmd/hold/main.go 399 399 + func main() { 400 400 + // Storage driver (unchanged) 401 401 + storageDriver := buildStorageDriver() 402 402 + 403 403 + // NEW: Embedded PDS 404 404 + pds := hold.NewEmbeddedPDS(hold.Config{ 405 405 + DID: "did:web:hold1.example.com", 406 406 + BlobStore: storageDriver, 407 407 + Collections: []string{ 408 408 + "io.atcr.hold.crew", 409 409 + "io.atcr.hold.config", 410 410 + }, 411 411 + }) 412 412 + 413 413 + // Serve XRPC endpoints 414 414 + mux.Handle("/xrpc/", pds.Handler()) 415 415 + 416 416 + // Legacy endpoints (optional for backwards compat) 417 417 + // mux.Handle("/get-presigned-url", legacyHandler) 418 418 + } 419 419 + ``` 420 420 + 421 421 + ## Open Questions 422 422 + 423 423 + ### 1. Docker Hub Size Limits 424 424 + 425 425 + **Research findings:** Docker Hub has soft limits around 10-20GB per layer, with practical issues beyond that. No hard-coded enforcement. 426 426 + 427 427 + **For ATCR:** Hold services can theoretically support larger blobs if S3 and network infrastructure allows. May want configurable limits to prevent abuse. 428 428 + 429 429 + ### 2. Token Delegation Security Model 430 430 + 431 431 + **Recommended approach:** DPoP proof delegation (standard ATProto federation pattern) 432 432 + 433 433 + Open questions: 434 434 + - How long should delegated tokens last? (15min like presigned URLs?) 435 435 + - Should delegation be per-operation or session-based? 436 436 + - Do we need audit logs for delegated operations? 437 437 + - Can AppView cache delegated tokens across requests? 438 438 + - Should we implement token refresh for long-running operations? 439 439 + 440 440 + ### 3. Migration Path 441 441 + 442 442 + - Do we support both HTTP and XRPC APIs during transition? 443 443 + - How do existing manifests with `holdEndpoint: "https://..."` migrate to `holdDid: "did:web:..."`? 444 444 + - Can AppView auto-detect if hold supports XRPC vs legacy? 445 445 + 446 446 + ### 4. PDS Implementation Scope 447 447 + 448 448 + **Minimal endpoints needed:** 449 449 + - `com.atproto.sync.uploadBlob` 450 450 + - `com.atproto.sync.getBlob` 451 451 + - `com.atproto.repo.describeRepo` (discovery) 452 452 + - Custom XRPC methods (delegation, presigned URLs, export) 453 453 + 454 454 + **Not needed:** 455 455 + - `com.atproto.repo.*` (no user repos) 456 456 + - `com.atproto.server.*` (no user sessions) 457 457 + - Most sync/admin endpoints 458 458 + 459 459 + Can we build a reusable "static PDS" library for apps like ATCR, tangled.org, stream.place? 460 460 + 461 461 + ### 5. Crew Management 462 462 + 463 463 + - How are crew members added/removed? 464 464 + - UI in AppView? CLI tool? Direct XRPC calls? 465 465 + - Can crew members delegate to other crew members? 466 466 + - Role hierarchy (owner > admin > member)? 467 467 + 468 468 + ### 6. Hold Discovery & Registration 469 469 + 470 470 + **Current:** Hold registers by creating records in owner's PDS 471 471 + **New:** Hold is its own identity - how does AppView discover available holds? 472 472 + 473 473 + Possibilities: 474 474 + - Holds publish to feeds 475 475 + - AppView maintains directory 476 476 + - DIDs are manually configured 477 477 + - ATProto directory service 478 478 + 479 479 + ### 7. Multi-Tenancy 480 480 + 481 481 + Could one hold PDS serve multiple "logical holds" for different organizations? 482 482 + 483 483 + ``` 484 484 + did:web:hold-provider.com/org1 485 485 + did:web:hold-provider.com/org2 486 486 + ``` 487 487 + 488 488 + Or should each hold be a separate deployment? 489 489 + 490 490 + ### 8. Blob Deduplication 491 491 + 492 492 + Current behavior: Global deduplication (same layer shared across all images). 493 493 + 494 494 + With embedded PDS: 495 495 + - Does dedup stay global across all crew/users? 496 496 + - Or is it per-hold (isolated storage)? 497 497 + - How do we track blob references for garbage collection? 498 498 + 499 499 + ### 9. Cost Model 500 500 + 501 501 + - Who pays for S3 storage/egress? 502 502 + - Hold operator? Image owner? Per-pull? 503 503 + - How to implement metering/billing via XRPC? 504 504 + 505 505 + ### 10. Disaster Recovery 506 506 + 507 507 + - How to backup hold's PDS (crew records, config)? 508 508 + - Can holds replicate to other holds? 509 509 + - Image export handles blobs - what about metadata? 510 510 + 511 511 + ## Implementation Plan 512 512 + 513 513 + ### Phase 1: Basic PDS with Carstore (Current) 514 514 + 515 515 + **Decision: Use indigo's carstore with SQLite backend** 516 516 + 517 517 + ```go 518 518 + import ( 519 519 + "github.com/bluesky-social/indigo/carstore" 520 520 + "github.com/bluesky-social/indigo/repo" 521 521 + ) 522 522 + 523 523 + type HoldPDS struct { 524 524 + did string 525 525 + carstore carstore.CarStore 526 526 + repo *repo.Repo 527 527 + } 528 528 + 529 529 + func NewHoldPDS(did, dbPath string) (*HoldPDS, error) { 530 530 + // Create SQLite-backed carstore 531 531 + sqlStore, err := carstore.NewSqliteStore(dbPath) 532 532 + cs := sqlStore.CarStore() 533 533 + 534 534 + // Get or create repo 535 535 + head, err := cs.GetUserRepoHead(ctx, did) 536 536 + var r *repo.Repo 537 537 + if err == carstore.ErrRepoNotFound { 538 538 + r, err = repo.NewRepo(ctx, did, cs.Blockstore()) 539 539 + } else { 540 540 + r, err = repo.OpenRepo(ctx, cs.Blockstore(), head) 541 541 + } 542 542 + 543 543 + return &HoldPDS{did: did, carstore: cs, repo: r}, nil 544 544 + } 545 545 + ``` 546 546 + 547 547 + **Storage:** 548 548 + - Single file: `/var/lib/atcr-hold/hold.db` (SQLite) 549 549 + - Contains MST nodes, records, commits in carstore tables 550 550 + - Proper indigo repo/MST implementation (production-tested) 551 551 + 552 552 + **Why SQLite carstore:** 553 553 + - ✅ Single file persistence (like appview's SQLite) 554 554 + - ✅ Official indigo storage backend 555 555 + - ✅ No custom blockstore implementation needed 556 556 + - ✅ Handles compaction/cleanup automatically 557 557 + - ✅ Migration path to Postgres/Scylla if needed 558 558 + - ✅ Easy to replicate (Litestream, LiteFS, rsync) 559 559 + 560 560 + **Scale considerations:** 561 561 + - SQLite carstore marked "experimental" but suitable for single-hold use 562 562 + - MST designed for massive scale (O(log n) operations) 563 563 + - 1000 crew records = ~1-2MB database (trivial) 564 564 + - Bluesky PDSs use carstore for millions of records 565 565 + - If needed: migrate to Postgres-backed carstore (same API) 566 566 + 567 567 + ### Crew Management: Individual Records 568 568 + 569 569 + **Decision: Individual crew record per user (remove wildcard logic)** 570 570 + 571 571 + ```json 572 572 + // io.atcr.hold.crew/{rkey} 573 573 + { 574 574 + "$type": "io.atcr.hold.crew", 575 575 + "member": "did:plc:alice123", 576 576 + "role": "admin", // or "member" 577 577 + "permissions": ["blob:read", "blob:write"], 578 578 + "addedAt": "2025-10-14T..." 579 579 + } 580 580 + 581 581 + // io.atcr.hold.config/policy 582 582 + { 583 583 + "$type": "io.atcr.hold.config", 584 584 + "access": "public", // or "allowlist" 585 585 + "allowAny": true, // public: allow any authenticated user 586 586 + "requireAuth": true, // require authentication (no anonymous) 587 587 + "maxUsers": 1000 // optional limit 588 588 + } 589 589 + ``` 590 590 + 591 591 + **Authorization logic:** 592 592 + ```go 593 593 + func (p *HoldPDS) CheckAccess(ctx context.Context, userDID string) (bool, error) { 594 594 + policy := p.GetPolicy(ctx) 595 595 + 596 596 + if policy.Access == "public" && policy.AllowAny { 597 597 + // Public hold - any authenticated ATCR user allowed 598 598 + // No individual crew record needed 599 599 + return true, nil 600 600 + } 601 601 + 602 602 + if policy.Access == "allowlist" { 603 603 + // Check explicit crew membership 604 604 + _, err := p.GetCrewMember(ctx, userDID) 605 605 + return err == nil, nil 606 606 + } 607 607 + 608 608 + return false, nil 609 609 + } 610 610 + ``` 611 611 + 612 612 + **Benefits of individual records:** 613 613 + - Auditability (track who has access) 614 614 + - Per-user permissions (admin vs member) 615 615 + - Explicit revocation capabilities 616 616 + - Analytics (usage tracking) 617 617 + - Rate limiting (per-user quotas) 618 618 + - subscribeRepos events on crew changes 619 619 + 620 620 + **Use cases:** 621 621 + - **Public community hold:** `access: "public", allowAny: true` - no crew records needed 622 622 + - **Private team hold:** `access: "allowlist"` - explicit crew membership 623 623 + - **Hybrid:** Public access + explicit admin crew records for elevated permissions 624 624 + 625 625 + ### Next Steps 626 626 + 627 627 + 1. **Add indigo dependencies** - carstore, repo, MST 628 628 + 2. **Implement HoldPDS with carstore** - Create pkg/hold/pds 629 629 + 3. **Add crew management** - CRUD operations for crew records 630 630 + 4. **Implement standard PDS endpoints** - describeServer, describeRepo, getRecord, listRecords 631 631 + 5. **Add DID document** - did:web identity generation 632 632 + 6. **Custom XRPC methods** - getUploadUrl, getDownloadUrl (presigned URLs) 633 633 + 7. **Wire up in cmd/hold** - Serve XRPC alongside existing HTTP 634 634 + 8. **Test basic operations** - Add/list crew, policy checks 635 635 + 9. **Design delegation/IAM** - Token exchange for authenticated operations 636 636 + 10. **Implement AppView XRPC client** - Support PDS-based holds 637 637 + 638 638 + ## References 639 639 + 640 640 + - **Stream.place embedded PDS:** https://streamplace.leaflet.pub/3lut7mgni5s2k/l-quote/6_318-6_554#6 641 641 + - **ATProto OAuth spec:** https://atproto.com/specs/oauth 642 642 + - **ATProto XRPC spec:** https://atproto.com/specs/xrpc 643 643 + - **CID spec:** https://github.com/multiformats/cid 644 644 + - **OCI Distribution Spec:** https://github.com/opencontainers/distribution-spec