+249

docs/data-source-fetches.md

reviewed

··· 1 1 + # Data source fetches 2 2 + 3 3 + An automation can declare a list of **fetches** that run after the trigger 4 4 + event matches but before actions fire. Each fetch resolves to a named entry in 5 5 + the `fetchContext`, which action templates can reference via 6 6 + `{{fetchName.record.*}}` and per-fetch conditions can gate on. 7 7 + 8 8 + There are two kinds today, discriminated by the `kind` field on the stored 9 9 + `FetchStep` ([lib/db/schema.ts](../lib/db/schema.ts)): 10 10 + 11 11 + - **`kind: "record"`** — resolve a specific AT URI to its record. The default 12 12 + if `kind` is absent (legacy rows). 13 13 + - **`kind: "search"`** — find a record in a repo by field equality. Used to 14 14 + answer "does a record already exist that matches X?" before acting. 15 15 + 16 16 + Both kinds return a `FetchContextEntry` with a `found` flag; neither throws on 17 17 + "not found" — that signal is observed via `exists` / `not-exists` conditions 18 18 + on the fetch. 19 19 + 20 20 + ```ts 21 21 + type FetchContextEntry = { 22 22 + found: boolean; 23 23 + uri: string; 24 24 + cid: string; 25 25 + did?: string; 26 26 + collection?: string; 27 27 + rkey?: string; 28 28 + record: Record<string, unknown>; 29 29 + }; 30 30 + ``` 31 31 + 32 32 + ## Record fetches 33 33 + 34 34 + The simple shape. One HTTP request, O(1), no pagination. 35 35 + 36 36 + ```json 37 37 + { 38 38 + "kind": "record", 39 39 + "name": "parentPost", 40 40 + "uri": "at://{{event.commit.record.reply.parent.uri}}" 41 41 + } 42 42 + ``` 43 43 + 44 44 + ### Resolution 45 45 + 46 46 + [lib/actions/fetcher.ts](../lib/actions/fetcher.ts): 47 47 + 48 48 + 1. The `uri` template is rendered against the event + upstream context + owner 49 49 + DID. `{{self}}`, `{{event.*}}`, and `{{otherFetch.*}}` all work. 50 50 + 2. The rendered string is validated against the AT URI shape 51 51 + (`at://did/collection/rkey`). Non-AT-URI → the fetch errors with a log entry. 52 52 + 3. The URI is fetched via `fetchRecord` ([lib/pds/resolver.ts](../lib/pds/resolver.ts)), 53 53 + which resolves the DID to its PDS and calls `com.atproto.repo.getRecord`. 54 54 + 4. A 404 writes `found: false`; any other failure is treated as an error. 55 55 + 56 56 + Record fetches are **independent of each other** and run in parallel via 57 57 + `Promise.all`. Their `conditions` are evaluated once all record fetches have 58 58 + resolved (and before any search fetches begin). 59 59 + 60 60 + ### When to use 61 61 + 62 62 + - Enriching the event with the parent post, the quoted record, the followed 63 63 + subject's profile, etc. 64 64 + - Any case where you already know the exact AT URI to look up. 65 65 + 66 66 + ## Search fetches 67 67 + 68 68 + The richer shape. Answers "is there a record in this repo/collection whose 69 69 + field X equals Y?" Used primarily to prevent duplicates in mirror-style 70 70 + automations — e.g. "only create a Sifa follow if no Sifa follow for this 71 71 + subject already exists." 72 72 + 73 73 + ```json 74 74 + { 75 75 + "kind": "search", 76 76 + "name": "existingMirror", 77 77 + "repo": "{{self}}", 78 78 + "collection": "id.sifa.graph.follow", 79 79 + "where": [ 80 80 + { "field": "subject", "operator": "eq", "value": "{{event.commit.record.subject}}" } 81 81 + ], 82 82 + "limit": 1, 83 83 + "conditions": [ 84 84 + { "field": "found", "operator": "not-exists", "value": "" } 85 85 + ] 86 86 + } 87 87 + ``` 88 88 + 89 89 + ### Inputs 90 90 + 91 91 + - `repo` — template that must resolve to a DID. Typically `{{self}}` but may 92 92 + reference an event field or an upstream fetch. 93 93 + - `collection` — literal NSID (not a template). The collection to scan. 94 94 + - `where` — list of equality clauses. Currently only `operator: "eq"` is 95 95 + supported. Multiple clauses are ANDed. 96 96 + - `limit` — max number of matches to accept. Defaults to 1. The current 97 97 + executor always returns the *first* match as the context entry; `limit` just 98 98 + controls how many matches the executor is willing to find before stopping. 99 99 + - `conditions` — per-fetch conditions evaluated after the search resolves. 100 100 + Typically `found` + `exists` / `not-exists` to gate on presence. 101 101 + 102 102 + ### Execution strategy 103 103 + 104 104 + [lib/actions/searcher.ts](../lib/actions/searcher.ts): 105 105 + 106 106 + Search doesn't have a single primitive in AT Proto; there's no server-side 107 107 + equivalent of "get a record by field equality." The executor picks one of two 108 108 + strategies. 109 109 + 110 110 + #### 1. Appview fast-path (Bluesky follows only) 111 111 + 112 112 + The specific case of "does `actor` follow `subject` on Bluesky" is answered in 113 113 + O(1) by the Bluesky appview's `app.bsky.graph.getRelationships` endpoint. The 114 114 + executor detects this shape: 115 115 + 116 116 + ```ts 117 117 + if (step.collection === "app.bsky.graph.follow") { 118 118 + const subjectClause = hasOnlyClause(step, "subject", "eq"); 119 119 + if (subjectClause) { 120 120 + // → single appview request, parses the `following` AT URI out of the response 121 121 + } 122 122 + } 123 123 + ``` 124 124 + 125 125 + Trigger conditions: 126 126 + 127 127 + - `collection === "app.bsky.graph.follow"` 128 128 + - Exactly one `where` clause 129 129 + - That clause is `subject eq <DID>` 130 130 + 131 131 + Any other shape on `app.bsky.graph.follow` falls through to the generic path. 132 132 + 133 133 + If the appview returns no `following` URI for the subject, the entry is 134 134 + `notFoundEntry()` (i.e. `found: false`). This is the correct answer — the user 135 135 + doesn't follow the subject — and it's distinct from an appview transport 136 136 + failure, which returns `null` and falls through to `listRecords`. 137 137 + 138 138 + #### 2. Generic `listRecords` scan 139 139 + 140 140 + The fallback. Resolves the repo's PDS endpoint, paginates 141 141 + `com.atproto.repo.listRecords`, and filters results client-side against the 142 142 + `where` clauses. 143 143 + 144 144 + ``` 145 145 + LIST_RECORDS_PAGE_SIZE = 100 // capped by the listRecords lexicon 146 146 + MAX_LIST_RECORDS_PAGES = 100 // → 10k records scanned at most 147 147 + HTTP_TIMEOUT_MS = 10s // per page 148 148 + ``` 149 149 + 150 150 + The page size is a hard ceiling: `com.atproto.repo.listRecords` declares 151 151 + `limit` as `minimum: 1, maximum: 100, default: 50`, so spec-compliant PDSs 152 152 + will reject or clamp anything higher. To scan further we can only add pages. 153 153 + 154 154 + Per page: 155 155 + 156 156 + 1. Fetch up to 100 records via `listRecords`. 157 157 + 2. For each record, check every `where` clause via dotted-path read (same 158 158 + machinery the condition layer uses, `readPath` on the record value). 159 159 + 3. Collect matches until `limit` is reached; the first match is what ends up 160 160 + in the context entry. 161 161 + 4. If the PDS returns a `cursor`, continue; otherwise stop. 162 162 + 163 163 + If the scan completes without finding a match, the entry is `notFoundEntry()`. 164 164 + If the 100-page cap is hit *and* the cursor would continue, a warning is 165 165 + logged and the entry is still `notFoundEntry()` — we intentionally treat an 166 166 + exhausted scan as "not found" rather than erroring, because the usual caller 167 167 + is a `not-exists` gate and false negatives are preferable to hard failures. 168 168 + This is a tradeoff worth understanding: for collections large enough to 169 169 + exceed 10,000 records, the "does X exist?" answer may be incorrect. For the 170 170 + motivating use case — follow lists — this covers the vast majority of 171 171 + accounts; heavy-follower accounts (>10k followees) may see stale-not-found 172 172 + results until the cap is raised or replaced with an indexed data source. 173 173 + 174 174 + ### Cost 175 175 + 176 176 + - **Appview path**: one HTTP request, a few KB, returned in tens of ms. 177 177 + - **listRecords path**: up to 100 HTTP requests (each up to 100 records). A 178 178 + small repo resolves in one page; a repo on the order of 10k records is 179 179 + typically a few seconds when the PDS is healthy. Each page is 10s-capped 180 180 + individually, so the theoretical worst case is 1000s — and because 181 181 + searches run sequentially in the fetcher, that serializes with any other 182 182 + searches in the same automation. In practice that worst case only shows up 183 183 + when a PDS is degraded or throttling; budget for a few seconds, plan for 184 184 + a few more. 185 185 + 186 186 + Searches are **sequential** in the fetcher — unlike record fetches which run in 187 187 + parallel — because a search's `repo` or `where` clauses can template against 188 188 + upstream fetch results. Running them serially keeps that dependency model 189 189 + straightforward for the MVP. 190 190 + 191 191 + ### The `where` clause model is deliberately narrow 192 192 + 193 193 + The current shape (equality only, always AND) is intentional. AT Proto has no 194 194 + server-side query language for record fields, so every operator added to 195 195 + `where` must be evaluated in `listRecords`-scan code. Equality covers the 196 196 + anti-duplicate use case that motivated search; richer operators would encourage 197 197 + queries that are quietly expensive on large repos. 198 198 + 199 199 + ## Per-fetch conditions 200 200 + 201 201 + Both fetch kinds support a `conditions` array. These run *after* the fetch 202 202 + resolves and are evaluated against the fetch's own entry — paths are 203 203 + entry-scoped, not event-scoped: 204 204 + 205 205 + - `field: "found"` + `exists` / `not-exists` tests the boolean flag directly 206 206 + (special-cased, because stringifying `false` would otherwise read as 207 207 + non-empty). 208 208 + - `field: "record.subject"` walks into the fetched record. 209 209 + - `field: "uri"` / `field: "cid"` test the top-level entry fields. 210 210 + 211 211 + If any condition on any fetch fails, `resolveFetches` returns `skip: true` and 212 212 + the handler short-circuits before actions. This is treated as normal filtering 213 213 + — no delivery log entry, no error. In dry-run mode the handler does write a 214 214 + "skipped by <fetchName>" log so authors can debug why the automation isn't 215 215 + firing. 216 216 + 217 217 + ## Interaction with fetch errors 218 218 + 219 219 + A fetch **error** (bad URI, PDS unreachable, search throws) is distinct from a 220 220 + fetch **not-finding** anything. Errors are collected into the `errors` array 221 221 + on the `FetchResolution`; the entry is not added to the context, subsequent 222 222 + fetches that template against it get `undefined`. Dry-run surfaces these as 223 223 + "Fetch failed: &lt;name&gt;" entries; real runs log them to console but continue. 224 224 + 225 225 + The typical pattern for "only act if X doesn't exist yet" therefore looks like: 226 226 + 227 227 + ```json 228 228 + { 229 229 + "kind": "search", 230 230 + "name": "existingMirror", 231 231 + "repo": "{{self}}", 232 232 + "collection": "id.sifa.graph.follow", 233 233 + "where": [{ "field": "subject", "operator": "eq", "value": "{{event.commit.record.subject}}" }], 234 234 + "limit": 1, 235 235 + "conditions": [ 236 236 + { "field": "found", "operator": "not-exists", "value": "" } 237 237 + ] 238 238 + } 239 239 + ``` 240 240 + 241 241 + - Search resolves → `found: false` (nothing matched). 242 242 + - Condition `found not-exists` passes. 243 243 + - Handler proceeds to actions. 244 244 + 245 245 + If the same subject already exists: 246 246 + 247 247 + - Search resolves → `found: true` with the existing record. 248 248 + - Condition `found not-exists` fails. 249 249 + - `skip: true` bubbles up, actions never run, no log in production.

+178

docs/wanted-dids.md

reviewed

··· 1 1 + # `wantedDids` vs `event.did` conditions 2 2 + 3 3 + Airglow exposes two overlapping ways to say "only run this automation for specific 4 4 + accounts": 5 5 + 6 6 + 1. **`wantedDids`** — a list of DIDs set on the automation row. Passed to Jetstream 7 7 + as the `wantedDids` query parameter when the WebSocket subscription is opened. 8 8 + 2. **A trigger condition on `event.did`** — an entry in the automation's 9 9 + top-level `conditions` list using `field: "event.did"`. Evaluated in-process 10 10 + by the matcher after Jetstream has already delivered the event. 11 11 + 12 12 + Both can express "match only commits from DID X". They look redundant but live 13 13 + at different layers and have very different cost profiles. This document 14 14 + explains when each is appropriate, why both exist, and why some collections are 15 15 + forced to use `wantedDids` via `NSID_REQUIRES_DIDS`. 16 16 + 17 17 + ## Where each filter runs 18 18 + 19 19 + ``` 20 20 + Jetstream firehose 21 21 + │ 22 22 + │ wantedCollections + wantedDids filter here (server-side, AT Proto infra) 23 23 + ▼ 24 24 + Airglow WebSocket message 25 25 + │ 26 26 + │ matchConditions(event, conditions, ownerDid) — in-process, per automation 27 27 + ▼ 28 28 + Fetches → actions 29 29 + ``` 30 30 + 31 31 + `wantedDids` is a **subscription-level** filter: Jetstream never sends the event 32 32 + to Airglow in the first place. The trigger condition is an **in-process** 33 33 + filter: the event crosses the network, the worker parses the JSON, then the 34 34 + matcher decides the condition doesn't hold and drops it. 35 35 + 36 36 + Two consequences follow from that difference: 37 37 + 38 38 + - Only `wantedDids` reduces bandwidth and CPU on the Airglow worker. 39 39 + - Only a condition can combine DID filtering with other event shape checks 40 40 + (e.g. "did X AND record.subject starts with Y"). 41 41 + 42 42 + ## One subscription per canonical DID set 43 43 + 44 44 + `JetstreamManager` partitions active automations by their resolved `wantedDids` 45 45 + list (`{{self}}` is expanded, entries deduped and sorted). Each distinct 46 46 + partition opens exactly one WebSocket; the empty partition is the "global" 47 47 + firehose subscription. 48 48 + 49 49 + So adding `wantedDids` to an automation is not free at the subscription layer: 50 50 + if no other automation shares that exact DID set, a new WebSocket is opened for 51 51 + it. Conversely, many automations that share the same owner DID (via `{{self}}`) 52 52 + coalesce into a single subscription. 53 53 + 54 54 + Consumers ([lib/jetstream/consumer.ts](../lib/jetstream/consumer.ts)): 55 55 + 56 56 + ```ts 57 57 + const resolvedDids = canonicalDids(row.wantedDids, row.did); 58 58 + const key = resolvedDids.join(","); 59 59 + // ...partition automations by `key`, then one JetstreamSubscription per partition. 60 60 + ``` 61 61 + 62 62 + ## Tradeoffs 63 63 + 64 64 + ### Prefer `wantedDids` when 65 65 + 66 66 + - The NSID is **high-volume** (anything under `app.bsky.*`, `chat.bsky.*`, 67 67 + etc.). Without a DID filter, Jetstream will fire thousands of events per 68 68 + second just for `app.bsky.feed.post`. 69 69 + - The set of target accounts is **small and known** — typically just the owner 70 70 + (`{{self}}`) or a handful of friends. 71 71 + - The filter is **stable**. Changing `wantedDids` triggers a subscription 72 72 + reconfigure (and in the cross-partition case, reopens a WebSocket). 73 73 + 74 74 + ### Prefer a trigger condition on `event.did` when 75 75 + 76 76 + - The NSID is **low-volume** (custom lexicons, niche collections). The global 77 77 + subscription already carries the event at negligible cost. 78 78 + - You need to combine DID filtering with **other event-shape conditions**: 79 79 + 80 80 + ```json 81 81 + { 82 82 + "conditions": [ 83 83 + { "field": "event.did", "operator": "eq", "value": "did:plc:abc" }, 84 84 + { "field": "subject", "operator": "startsWith", "value": "did:plc:xyz" } 85 85 + ] 86 86 + } 87 87 + ``` 88 88 + 89 89 + - You want a **small dynamic set** of DIDs without re-partitioning subscriptions 90 90 + — e.g. block/allow lists that change often. 91 91 + 92 92 + ### When you'd use both 93 93 + 94 94 + Nothing stops you from setting `wantedDids` *and* adding `event.did` conditions 95 95 + on top, and there's a real use case for it: `wantedDids` narrows the firehose 96 96 + to a set of accounts cheaply, and the condition layer then applies additional 97 97 + constraints (record fields, subject DIDs, etc.) that Jetstream can't express. 98 98 + 99 99 + ## The high-volume case: `app.bsky.*` and `NSID_REQUIRES_DIDS` 100 100 + 101 101 + Bluesky collections (`app.bsky.feed.post`, `app.bsky.graph.follow`, …) are the 102 102 + busiest on the network by several orders of magnitude. Subscribing to 103 103 + `app.bsky.feed.post` with no DID filter is effectively subscribing to the 104 104 + firehose — millions of events per hour. A single Airglow worker running the 105 105 + per-automation matcher against every one of those is not a feasible shape. 106 106 + 107 107 + To protect the instance from an automation author accidentally doing that, 108 108 + [lib/config.ts](../lib/config.ts) exposes a third NSID list: 109 109 + 110 110 + ```ts 111 111 + // NSIDs listed here are only allowed when the automation declares a non-empty 112 112 + // wantedDids. Used to gate high-volume collections (e.g. app.bsky.*) on 113 113 + // Jetstream-level DID filtering instead of a blanket firehose subscription. 114 114 + nsidRequireDids: env("NSID_REQUIRES_DIDS", "").split(",").filter(Boolean), 115 115 + ``` 116 116 + 117 117 + The manager checks this list during partitioning 118 118 + ([lib/jetstream/consumer.ts](../lib/jetstream/consumer.ts)): 119 119 + 120 120 + ```ts 121 121 + if ( 122 122 + nsidRequiresWantedDids(row.lexicon, config.nsidRequireDids) && 123 123 + resolvedDids.length === 0 124 124 + ) { 125 125 + console.warn( 126 126 + `Jetstream: skipping ${row.uri} — ${row.lexicon} requires wantedDids but none are set`, 127 127 + ); 128 128 + continue; 129 129 + } 130 130 + ``` 131 131 + 132 132 + `nsidRequiresWantedDids` does glob matching — a pattern ending in `.*` matches 133 133 + by prefix ([lib/lexicons/match.ts](../lib/lexicons/match.ts)). So a typical 134 134 + production config sets: 135 135 + 136 136 + ``` 137 137 + NSID_REQUIRES_DIDS=app.bsky.*,chat.bsky.* 138 138 + ``` 139 139 + 140 140 + and any automation listening to those collections **must** declare a non-empty 141 141 + `wantedDids`. Automations that violate the rule are silently skipped (with a 142 142 + warning log) at partition time — they won't crash the manager, they just don't 143 143 + get a subscription. 144 144 + 145 145 + A trigger condition on `event.did` does **not** satisfy the gate: the check is 146 146 + structural (`resolvedDids.length === 0`), because the whole point is to avoid 147 147 + opening the firehose subscription in the first place. If `wantedDids` is empty, 148 148 + the automation would end up in the global partition regardless of what its 149 149 + conditions say. 150 150 + 151 151 + ### Why the gate is config-driven rather than baked in 152 152 + 153 153 + The three NSID env vars — `NSID_ALLOWLIST`, `NSID_BLOCKLIST`, 154 154 + `NSID_REQUIRES_DIDS` — together let an operator shape what an instance allows 155 155 + without code changes: 156 156 + 157 157 + - `NSID_ALLOWLIST` / `NSID_BLOCKLIST` control **which** collections can be 158 158 + subscribed to at all. 159 159 + - `NSID_REQUIRES_DIDS` controls **how** the expensive ones may be subscribed to. 160 160 + 161 161 + A hobby instance can leave all three empty and run against the full firehose. 162 162 + A shared instance typically wants `app.bsky.*` in `NSID_REQUIRES_DIDS` so 163 163 + users can still automate on Bluesky events, but only scoped to accounts they 164 164 + care about. 165 165 + 166 166 + ## Rules of thumb 167 167 + 168 168 + | Situation | Use | 169 169 + | ---------------------------------------------------------- | ----------------- | 170 170 + | Automation listens to an `app.bsky.*` collection | `wantedDids` | 171 171 + | Owner-only automation on a custom lexicon | Either; `wantedDids` preferred | 172 172 + | "Anyone posting about topic X on `run.airglow.*`" | Condition on record fields, no DID filter | 173 173 + | Stable list of ≤ a few hundred DIDs | `wantedDids` | 174 174 + | Rapidly changing DID allowlist | `event.did` condition | 175 175 + | Filter by DID **and** by record-shape in the same rule | `wantedDids` + conditions | 176 176 + 177 177 + When in doubt: if the NSID is in `NSID_REQUIRES_DIDS`, you don't get a choice 178 178 + — the manager will skip the automation until `wantedDids` is populated.

+4 -1

lib/actions/searcher.ts

reviewed

··· 9 9 } from "./template.js"; 10 10 11 11 const BSKY_APPVIEW = "https://api.bsky.app"; 12 12 + // `com.atproto.repo.listRecords` caps `limit` at 100 per page in the lexicon, 13 13 + // so 100 is the ceiling regardless of what we'd prefer. To scan more records 14 14 + // we can only raise the page count. 12 15 const LIST_RECORDS_PAGE_SIZE = 100; 13 13 - const MAX_LIST_RECORDS_PAGES = 20; 16 16 + const MAX_LIST_RECORDS_PAGES = 100; // → 10k records scanned at most 14 17 const HTTP_TIMEOUT_MS = 10_000; 15 18 16 19 function render(template: string, event: JetstreamEvent, upstream: FetchContext, ownerDid: string) {