Splits the monolithic web app into reusable packages and lifts the
security boundary into WASM:

- Monorepo restructure: apps/ (cli, web, appview), crates/ (core, derive,
wasm), packages/ (sdk, daemon, react), tests/
- @opake/sdk: TypeScript surface over WASM, OAuth + pending-login flow,
zod boundary validation, structured OpakeError
- @opake/daemon: maintenance task orchestration shared by CLI + web
- @opake/react: provider, hooks (useFileManager, useDirectory, inbox /
workspace observers, SSE consumer)
- WASM security boundary: tokens, DPoP keys, OAuth flow, session creds
all live in opake-core; JS never holds the material it can't zeroize
- Granular OAuth scopes: per-collection repo:app.opake.* instead of
transition:generic, single source of truth in OPAKE_COLLECTIONS
- SSE event streaming: appview broadcasts indexed events, WASM consumer
patches TreeKeeper / WorkspaceKeeper / InboxKeeper in place; CLI runs
a native consumer per configured DID
- Full docs revamp around For users / Under the hood / For developers,
with sequence diagrams and an in-docs search

Opake.init throws IdentityMissing on a device that just completed OAuth
but has no cryptographic identity yet — expected, not a login failure.
The callback's catch block was flattening it to session: error, so the
redirect-on-active effect never fired and the page stuck on the raw
error text.

Classify Opake.init outcomes as a discriminated union (opake /
identity-missing / signed-out) and route identity-missing through a
PDS-direct public-key probe to pick between RecoverIdentityView and
FreshAccountView. Apply the same classification in boot() so a valid
session with no local identity no longer silently degrades to
signed-out.

Also: full-width sign-in input.

First programmer-aimed docs page, plus the scaffolding to host the rest.

Page — `build/sdk/overview.mdx`:
- What `@opake/sdk` is, what it isn't, and how the class shape divides
between static (bootstrap before Identity exists) and instance (normal
working surface after `Opake.init`).
- Hello-cabinet example: upload + download, with the under-the-hood
breakdown written as prose rather than a patronising reveal.
- Static and instance surface shown as two call-shape code blocks
(grouped by purpose, one call per line with aligned comments) rather
than a wall of TypeScript signatures.
- Storage section ends with a contribution pointer: the `Storage`
contract is small enough that new backends are one file plus tests;
upstreaming keeps them in sync with the trait and discoverable next
to the built-ins.
- Error primer showing `OpakeError.kind` branching, with
`IdentityMissing` called out as a normal post-login state, not a
failure mode.
- Navigation grid linking to the rest of the SDK pages (to be written).

Routing — `/docs/{category}/{slug}`:
- New nested route files under `_public/docs/` and `cabinet/docs/`
(`$category/$slug`, both sync + lazy variants). Coexist with the
existing flat `$slug` routes; TanStack picks the more specific match.
- `DocMeta` gains an optional `group` field. Pages with a group live at
`/docs/{group}/{slug}`; flat docs stay on `/docs/{slug}`. New
`docPath(doc)` helper returns the correct URL.
- `DocLink` in the cabinet docs index splits on `doc.group` so each
variant gets the right typed `<Link>`.

Icons:
- Added `folder` (Phosphor `FolderIcon`) for the Files & Directories
card. Added `lightning` as a future-facing option for live-updates
content.

New Tangled URL:
- Swept every `tangled.org/sans-self.org/opake.app` →
`tangled.org/opake.app/opake` across CLI docs, FAQ, troubleshooting,
web footer + nav, README, CRYPTO.md, and the blog post attribution.
- `apps/cli/src/commands/docs/build/cli.mdx`: adjusted the follow-up
`cd opake.app` to `cd opake` now that the repo name matches.

Identity/keys, records/sharing, and workspaces/proposals as separate
mermaid blocks — easier to read than one monolithic graph.

Two adjustments to the framing around the AT Protocol:

- `docs/understand/at-protocol.mdx`: renamed the lead section from
"Why We Built This" to "Why Opake was built on the Atmosphere".
The old phrasing implied we built the network; we built a cabinet
on top of it. The rewrite makes the distinction explicit — Opake
picked atproto because it already solves identity, portability, and
federation, and because being a resident of an ecosystem is a better
long-term bet than running our own silo. Shifted sharing language
from "AT Protocol network" to "the Atmosphere" to match the
user-facing terminology Bluesky and the wider community use.
- Login page: the old copy framed the identity as an "AT Protocol
handle", which is accurate but jargon-heavy. New framing:

Sign in with your Atmosphere account
Use the handle from any AT Protocol app — Bluesky, your own PDS,
or anywhere else in the Atmosphere. Opake doesn't issue its own
accounts.

The button is now "Continue to your PDS" (which is what actually
happens on submit), with a reassurance line underneath about the
redirect flow and the password never touching us.

Below the form, a new "What's an Atmosphere account?" explainer
lists concrete starting points so visitors without an atproto
handle have a path forward: Bluesky, Eurosky, pckt.blog, Tangled,
and Smoke Signal, each linked with a short description. A closing
note covers the self-hosted-PDS case so that lane isn't invisible.

The flat docs tree mixed three audiences on one page — casual users who
want to try Opake, readers who want to know how it works, and developers
who want to build on it. Forcing every visitor through the same card grid
meant the casual user scrolled past "X25519 key wrapping" on their way to
"Getting Started", and the developer scrolled past "How to share with a
friend" to find the CLI reference.

Restructured the content tree to match intent:

content/docs/
index.mdx (rewritten landing)
use/ "For users" — store, share, recover
getting-started.mdx
pairing.mdx
seed-phrase.mdx
sharing.mdx (was sharing-dids — dropped the jargon)
workspaces.mdx (was keyrings — matches the web UI)
troubleshooting.mdx (moved out of top level)
understand/ "Under the hood" — crypto, records, protocol
encryption.mdx (was encryption-keys)
at-protocol.mdx
glossary.mdx
build/ "For developers" — CLI, SDK, lexicons
cli.mdx
faq.mdx (cross-cutting, stays near the top of the landing)

Note "Under the hood" deliberately breaks the "For X" pattern: the section
is about the content, not the audience, so anyone curious enough to read
doesn't have to decide whether they qualify as a developer first.

- `docs-registry.ts` gains a `category` field and a `docsByCategory`
helper. `CATEGORY_META` is the source of truth for the section labels
and descriptions that render on the landing.
- Both `$slug` routes (public + cabinet) update their MDX imports.
- The cabinet docs index groups cards by category and puts two entry
points at the top — a big primary "Just getting started?" CTA and a
slim secondary "Got a specific question? → FAQ" row, so visitors who
don't know which category fits them have obvious next clicks before
ever hitting the section grids.
- Public landing (`content/docs/index.mdx`) mirrors the same top-of-page
structure with new `<DocsIndexPrimary>` and `<DocsIndexSecondary>`
components, then three `<DocsIndexSection>` blocks — one per category.
- Cross-doc links updated for the renamed slugs (sharing-dids →
sharing, encryption-keys → encryption).
- CLI command examples in cli.mdx + keyrings.mdx (now workspaces.mdx)
swept for the `opake workspace` / `opake account` / `opake share` /
`--workspace` subcommand shape introduced in the monorepo rework.
- `glossary.mdx`: fixed a tautology — the Indexer entry said it fills
the atproto "indexer" role; corrected to "appview".

The WASM build was emitting 7 warnings:

- Five deprecation warnings on `web_sys::RequestInit::{method,
headers, body}`. web-sys moved to setter-style API
(`set_method`, `set_headers`, `set_body`) in a recent release.
Migrated `wasm_transport.rs` accordingly; the new API takes `&self`
so `let mut opts = RequestInit::new()` becomes `let opts = ...`.
- Two dead-code warnings on `EmptyResult` and `UriResult` DTOs in
`wasm_util.rs`. Neither has any callers after the last few rounds
of WASM surface cleanup — deleted.

Post-change the WASM build is warning-clean:
cargo build -p opake-wasm --target wasm32-unknown-unknown
→ Finished, 0 warnings

`startOAuthLogin` never touched the storage adapter it accepted —
the WASM function only resolves the PDS, discovers the AS, generates
DPoP/PKCE/state, fires the PAR request, and returns the auth URL +
serializable pending state. The existing comment in the body even
spells it out: "Config is NOT saved here — the user hasn't authorized
yet."

The parameter was paying for itself in nothing and forcing every SDK
caller to construct a `WasmStorageAdapter` for a no-op. Dropping it:

- Removes `_storage_adapter: JsStorageAdapter` from the WASM extern.
- Removes `storage: Storage` from `StartLoginOptions` in @opake/sdk.
- Drops the `createStorageAdapter(options.storage)` call in
`Opake.startLogin`; adjusts `Opake.login` (which composes start +
complete) to omit `storage` from the start half only — complete
still needs it.
- Web auth store: stops reading `getStorage()` before calling
`Opake.startLogin`.

Downstream callers that were passing storage to `startLogin` will
see a TS error at the call site — the fix is a one-line removal.
No runtime behaviour change; any build that passed storage was just
wasting an adapter allocation per login start.

Two pre-existing test failures boiled down to the same root cause:
the wire format for atproto lexicon records is camelCase, but the
serde structs were declared snake_case only. Tests exercising legacy
login and identity-file migration therefore failed on deserialization
with "missing field `access_jwt`" / "missing field `public_key`".

Adding `#[serde(alias = ...)]` on each affected field lets the
structs accept either form on read while still emitting the canonical
snake_case name on write. That means:

- Legacy session parsing (createSession / refreshSession) now works
against real PDS responses, not just test fixtures that pre-shaped
the JSON into snake_case.
- Identity files written by an older version in camelCase (the
format the migration test assumes) load cleanly; files written
today stay snake_case, so the on-disk format doesn't churn.

Confirmed `cargo test -p opake-core --lib` (571 pass) and
`cargo test -p opake-cli` (103 pass) both green — the two failures
flagged during the Identity refactor now resolve.

Catches the documentation tree up with several landed changes that
weren't previously reflected:

- Monorepo layout: `web/` → `apps/web/`, `crates/opake-cli` →
`apps/cli/`, `appview/` → `apps/indexer/`, packages moved into
`packages/opake-{sdk,react,daemon}/`. Updated every reference to
cargo install paths, test commands, file tree diagrams, and the
architectural narrative.
- AppView → Indexer rename across docs, lexicons, and the ER diagram
role labels. The architecture overview adds a one-liner explaining
that the service fills atproto's "appview" role but is called
indexer here because all payloads are ciphertext.
- SDK package split documented: `@opake/sdk`, `@opake/react`,
`@opake/daemon` descriptions, dependency boundary, React hooks
catalog. LICENSING.md updated so the copyleft-triggering bundle
list names all three packages.
- Lexicon additions: `keyringUpdate` (action types:
addMember/removeMember/updateRole/rename/updateDescription/leave)
replaces the old single-purpose `keyringLeave`, `invitation` +
`invitationAcceptance`, and the `authFullAccess` permission set
for OAuth `include:` scopes when PDSes support them.
- SSE live updates: FLOWS.md adds sections for the WorkspaceKeeper
and InboxKeeper bootstrap-then-patch lifecycle, dedup semantics,
and the rationale for separating `stopSseConsumer` from the keeper
drain (`wipeState`).
- Pair flow key containment + Opake identity invariant: sequence
diagrams updated to show the new Storage touchpoints
(`save_pair_state` on request, `load_pair_state` + `save_identity`
+ `delete_pair_state` on receive), prose rewritten to reflect that
the ephemeral private key is persisted in Storage rather than
kept in memory, and the Domain API section updated to reflect
Opake always having an Identity.
- STORAGE.md reorganised: new `save_pair_state` / `load_pair_state`
/ `delete_pair_state` trait row, JsStorage replaces the former
NoopStorage-on-WASM explanation, record-cache section rewritten
around the SSE-driven refresh model.
- AUTH.md: OAuth section rewritten to reflect WASM-owned tokens
(startOAuthLogin / completeOAuthLogin / loginWithAppPasswordWasm),
the two-step web login flow with PendingLogin, granular scopes
built from `OPAKE_COLLECTIONS`, and proactive refresh via
`tokenExpiresAt` + `proactiveRefresh`.
- docs/indexer.md: new file. Tables, endpoints, auth flow, SSE
stream, backfill, firehose consumer config, deployment notes.
- apps/indexer/lib/opake_indexer_web/router.ex: new file bringing
the Phoenix router into the repo with the full endpoint surface
(`/api/health`, `/api/inbox`, `/api/keyrings`, cabinet +
workspace snapshot/sync/updates, SSE events + token).
- crates/opake-core/src/crypto/mod.rs: add a `Debug` impl for
`Redacted<Option<[u8; N]>>` so `RedactedDebug`-derived types with
optional key fields (Identity.signing_key, verify_key) stop
printing raw bytes in `{:?}` output.

`Opake<T, R, S>` previously took `Option<Identity>`, but 16 methods
hard-required it via `require_identity()?` and three more silently
returned empty lists when identity was absent. The optionality was a
lie — callers couldn't use an `Opake` without identity anyway, and the
silent-empty-list branches hid configuration bugs (a missing signing
key looked indistinguishable from "no data").

Meanwhile, the pair flow on the new device leaked the ephemeral X25519
private key across the WASM/JS boundary: `createPairRequest` returned
it, JS stashed it in sessionStorage, `receivePairResponse` took it
back. The resulting Identity DTO also crossed in full. Both violated
the WASM-owns-crypto-material policy in CLAUDE.md.

Those two problems were entangled because the pair methods lived on
`Opake` but needed to work pre-identity. Fixing #9 alone would have
left pair as an awkward "identity-less method on the identity-requiring
type"; fixing the key leak alone would still have needed the optional
plumbing. Combined, they produce a clean two-phase model:

1. Bootstrap: static methods that populate Identity in Storage —
`startLogin` / `completeLogin` / `createPairRequest` +
`awaitPairCompletion`.
2. Use: `Opake.init({storage, did})` returns a handle that *always*
has Identity. Returns `Error::IdentityMissing` when bootstrap
hasn't run yet, signalling the UI to route to recovery or pair.

Core (opake-core):
- Drop `Option<Identity>` from `Opake`; `identity()` returns `&Identity`.
- `for_account` returns `Error::IdentityMissing` on missing identity.
- Delete `require_identity()`; replace 16 call sites with `&self.identity`.
- Replace three silent-tolerate branches with a `require_signing_key()`
helper that actually errors. Identity migration runs in `for_account`,
so the error only fires on a custom `Opake::new` with a legacy identity.
- New `Storage` trait methods: `save_pair_state` / `load_pair_state` /
`delete_pair_state`. Implemented by FileStorage (0600 file per rkey),
IndexedDbStorage (new `pairStates` table, Dexie v2 in-place migration),
MemoryStorage (Map with defensive copy on read/write).
- Rewrite `pairing::create_pair_request` to take `&S: Storage` + `did`
and persist the ephemeral privkey internally. Returns
`PairRequestInfo { uri, rkey, ephemeral_public_key }` — no private
material leaves the crate.
- New `pairing::try_complete_pair` polls once, and on match decrypts
the Identity, saves it via Storage, wipes pair_state, and tears down
both on-PDS records. `complete_pair_response` exposed for tests.
- New `pairing::cancel_pair_request` for UI back-out; tolerates
NotFound on either the storage side or the PDS side.
- New `opake::authenticated_client` helper — builds an XrpcClient from
a session in Storage without requiring identity. Shared by native and
WASM bootstrap paths.

WASM (opake-wasm):
- Drop `createPairRequest` / `receivePairResponse` / `listPairResponses`
/ `cleanupPairRecords` from `OpakeContext`. None should ever have
been on the handle.
- New `pair_wasm` module with three top-level exports that take a DID +
JsStorageAdapter: `createPairRequest`, `tryCompletePair`,
`cancelPairRequest`. Ephemeral private key and Identity DTO never
cross the boundary; only the ephemeral public key (for fingerprint
display) and `{uri, rkey}` go out.
- `approvePairRequest` stays on the handle — it has Identity and uses
the full Opake context.
- Extend `JsStorageAdapter` extern with the three pair_state methods.

SDK (@opake/sdk):
- `Opake.createPairRequest(storage, did)` / `Opake.awaitPairCompletion(
storage, did, rkey, options?)` / `Opake.cancelPairRequest(...)` as
static methods. `awaitPairCompletion` owns the polling loop with
configurable interval, optional timeout, and AbortSignal support.
- Existing-device instance methods unchanged except the four dropped ones.
- Remove `PairResponseRecord` and `ephemeralPrivateKey` from the public
surface. Remove the matching schema fields.
- Extend `Storage` interface + `createStorageAdapter` + `MemoryStorage`
+ `IndexedDbStorage` to mirror the Rust trait.

CLI:
- `pair request` shrinks from ~90 to ~40 lines. `create_pair_request` +
a tokio sleep loop calling `try_complete_pair`. No manual keypair
juggling; cleanup is the free fn's responsibility.
- `recover` uses the raw client + raw storage pattern: derive identity,
save via Storage, *then* construct Opake. Confirms the post-refactor
bootstrap shape.

Web:
- `apps/web/src/lib/pairing.ts` split cleanly: new-device helpers take
Storage + DID, existing-device helpers go through `getOpake()`.
- `pair.request.lazy.tsx` is now a single useEffect: call
`createPairRequest`, render fingerprint, `await awaitPairCompletion`,
call `finalizePairing`. AbortController handles unmount cleanup.
No more setInterval dance or ref-based private key stashing.
- `saveReceivedIdentity(identity)` renamed → `finalizePairing()`: the
Identity DTO no longer crosses the boundary, so the store just needs
to rebuild Opake + refresh derived state.
- Rename the TopBar menu item "Encryption Keys" → "Devices" to match
the route and describe what the page actually does.

Tests:
- New `pairing::request::tests` verifies `create_pair_request`
persists the ephemeral privkey and that the returned public key is
the DH partner of the persisted private key.
- New `config::tests` cover the three FileStorage pair_state
operations plus the 0600 file permission invariant and the
idempotent-delete-on-missing contract.

The `getDid` WASM export had a stale docstring — it justified the
binding with "self-event filtering in the SSE consumer," a mechanism
removed when tree idempotency took over. Meanwhile every consumer
that renders a "signed in as..." UI, keys a local cache by account,
or discriminates between identities had no ergonomic way to ask the
SDK who this Opake represents: `listAccounts().find(a => a.isDefault)`
is clumsy and wrong when the caller passed an explicit DID to init;
reaching into `storage.loadConfig()` leaks the abstraction.

The capability is legitimate — the DID of an Opake instance is
invariant for its lifetime, the WASM side already has a cheap sync
accessor, and exposing it is universally useful. The dead
justification was the smell, not the method.

- WASM: rewrite `getDid`'s docstring around its actual purpose (cheap
sync identity accessor, called once by the SDK during init).
- SDK: add a `readonly did: string` field on `Opake`, populated in
`init()` via a single `ctx.getDid()` call (guaranteed lock-free
since no other code holds the mutex at that point). Surfaces on
`opake.did` — invariant, no round-trip, ergonomic for UI and
account-keyed caches.
- Update the class-level JSDoc with a `console.log("signed in as...")`
example so the property is discoverable.

`WasmOpakeHandle::inner: Rc<Mutex<Option<WasmOpake>>>` and
`WasmFileManagerHandle::context: Option<FileContext>` — neither was
ever set to `None` anywhere in the crate. The Option wrappers and the
defensive "handle already consumed" plumbing were leftover from an
earlier design where `.cabinet()` and `.workspace()` consumed the
parent. Both methods are non-consuming now, and `wipeState()` drains
the keepers rather than the Opake itself, so no code path flipped the
Option — every `is_none()` branch and every
`.as_ref().ok_or_else(...)` was defending an unreachable state.

Collapsing:

- Fields: `Rc<Mutex<Option<WasmOpake>>>` → `Rc<Mutex<WasmOpake>>`;
`context: Option<FileContext>` → `context: FileContext`.
- `OpakeGuard`: was a newtype over `MutexGuard<'_, Option<WasmOpake>>`
with hand-rolled `Deref`/`DerefMut` that unwrapped on every access.
Now a type alias over `MutexGuard<'_, WasmOpake>` — the plain
`MutexGuard` already derefs correctly.
- Seven different error strings gone: "Opake context already consumed",
"already consumed", "already finished", "FileManager already
finished", "Opake not available", and the `FileManager context not
available` branches. They were all defending against None states
that can't occur.
- `setIndexerUrl` loses its `Result` — the lock acquisition can't
fail in single-threaded WASM; a `Promise<void>` JS signature is
preserved.

Legitimate error strings stay: the `try_lock()` "Opake is busy" and
"Opake is busy — an operation is in progress" paths signal real
mutex contention, not impossible states. Identity-missing branches
(`no identity`, `identity has no signing key`) stay too — those are
real user-facing conditions on a freshly-paired device.

Net: -130 / +53 lines. Every access path is simpler, and the API
surface is honest about what can and can't fail.

`WasmOpakeHandle::workspace(keyring_uri, owner_did, key, rotation)`
let JS construct a workspace context from already-resolved material.
The SDK exposed it as `opake.workspaceFromKey(resolvedWorkspace)`;
the TS doc marked it "advanced use, prefer workspace()." It had zero
external callers.

The problem: the binding trusted alignment between the group key, the
keyring URI, and the owner DID without validation. Hand a FileManager
a `Workspace` with mismatched parts and it will happily encrypt with
the wrong key — no runtime check catches it. The Opake domain API was
designed so that `resolve_workspace` → `file_context` is the only way
to produce a `Workspace`, keeping the invariants (URI matches owner
matches group key matches rotation) inside core where they're
verified against the PDS.

This commit restores that invariant:

- Deletes `WasmOpakeHandle::workspace()` and the `workspace_context`
helper in `wasm_util`.
- Deletes `opake.workspaceFromKey()`, the `ResolvedWorkspace` type,
and the SDK docs paragraph suggesting it for "advanced use."
- Flips `Workspace::from_keyring` from `pub` to `pub(crate)`, so the
only way to construct a `Workspace` outside opake-core is through
the resolution methods that actually enforce the invariants.

Opake's tests continue to use `from_keyring` directly (they're
in-crate), so no test rewrites are needed.

Two call sites built `Opake<ReqwestTransport, OsRng, FileStorage>`
with the same five-arg `Opake::for_account` + `OPAKE_INDEXER_URL`
env override: `CommandContext::opake` for user-facing commands and
`daemon::build_opake` for the daemon's per-task builder. When any
construction knob changed (the `now`/`now_micros` collapse; the
priority-chain cleanup's added `accountConfig` seed) both had to be
updated in parallel — bug-prone and nothing enforced the coupling.

Promote `build_opake(storage, did)` to `crate::session` as the one
construction path; `CommandContext::opake` forwards to it; daemon
imports it directly. Shape of the call sites is preserved, so no
behavior change.