+18

CLAUDE.md

··· 53 53 export HOLD_OWNER=did:plc:your-did-here 54 54 ./bin/atcr-hold 55 55 # Hold starts immediately with embedded PDS 56 56 + 57 57 + # Request Bluesky relay crawl (makes your PDS discoverable) 58 58 + ./deploy/request-crawl.sh hold01.atcr.io 59 59 + # Or specify a different relay: 60 60 + ./deploy/request-crawl.sh hold01.atcr.io https://custom-relay.example.com/xrpc/com.atproto.sync.requestCrawl 56 61 ``` 57 62 58 63 ## Architecture Overview ··· 370 375 - `PUT /blobs/{digest}` - Proxy upload (fallback) 371 376 - `POST /register` - Manual registration endpoint 372 377 - `GET /health` - Health check 378 378 + 379 379 + **Embedded PDS Endpoints:** 380 380 + 381 381 + Each hold service includes an embedded PDS (Personal Data Server) that stores captain + crew records: 382 382 + 383 383 + - `GET /xrpc/com.atproto.sync.getRepo?did={did}` - Download full repository as CAR file 384 384 + - `GET /xrpc/com.atproto.sync.getRepo?did={did}&since={rev}` - Download repository diff since revision 385 385 + - `GET /xrpc/com.atproto.sync.subscribeRepos` - WebSocket firehose for real-time events 386 386 + - `GET /xrpc/com.atproto.sync.listRepos` - List all repositories (single-user PDS) 387 387 + - `GET /.well-known/did.json` - DID document (did:web resolution) 388 388 + - Standard ATProto repo endpoints (getRecord, listRecords, etc.) 389 389 + 390 390 + The `subscribeRepos` endpoint broadcasts #commit events whenever crew membership changes, allowing AppViews to monitor hold access control in real-time. 373 391 374 392 **Configuration:** Environment variables (see `.env.example`) 375 393 - `HOLD_PUBLIC_URL` - Public URL of hold service (required)

+9 -2

cmd/hold/main.go

··· 27 27 // This must happen before creating HoldService since service needs PDS for authorization 28 28 var holdPDS *pds.HoldPDS 29 29 var xrpcHandler *pds.XRPCHandler 30 30 + var broadcaster *pds.EventBroadcaster 30 31 if cfg.Database.Path != "" { 31 32 // Generate did:web from public URL 32 33 holdDID := pds.GenerateDIDFromURL(cfg.Server.PublicURL) ··· 44 45 log.Fatalf("Failed to bootstrap PDS: %v", err) 45 46 } 46 47 47 47 - log.Printf("Embedded PDS initialized successfully") 48 48 + // Create event broadcaster for subscribeRepos firehose 49 49 + broadcaster = pds.NewEventBroadcaster(holdDID, 100) // Keep 100 events for backfill 50 50 + 51 51 + // Wire up repo event handler to broadcaster 52 52 + holdPDS.RepomgrRef().SetEventHandler(broadcaster.SetRepoEventHandler(), true) 53 53 + 54 54 + log.Printf("Embedded PDS initialized successfully with firehose enabled") 48 55 } else { 49 56 log.Fatalf("Database path is required for embedded PDS authorization") 50 57 } ··· 59 66 if holdPDS != nil { 60 67 holdDID := holdPDS.DID() 61 68 blobStore := hold.NewHoldServiceBlobStore(service, holdDID) 62 62 - xrpcHandler = pds.NewXRPCHandler(holdPDS, cfg.Server.PublicURL, blobStore) 69 69 + xrpcHandler = pds.NewXRPCHandler(holdPDS, cfg.Server.PublicURL, blobStore, broadcaster) 63 70 } 64 71 65 72 // Setup HTTP routes

+55

deploy/request-crawl.sh

··· 1 1 + #!/bin/bash 2 2 + # 3 3 + # Request crawl for a PDS from the Bluesky relay 4 4 + # 5 5 + # Usage: ./request-crawl.sh <hostname> [relay-url] 6 6 + # Example: ./request-crawl.sh hold01.atcr.io 7 7 + # 8 8 + 9 9 + set -e 10 10 + 11 11 + DEFAULT_RELAY="https://bsky.network/xrpc/com.atproto.sync.requestCrawl" 12 12 + 13 13 + # Parse arguments 14 14 + HOSTNAME="${1:-}" 15 15 + RELAY_URL="${2:-$DEFAULT_RELAY}" 16 16 + 17 17 + # Validate hostname 18 18 + if [ -z "$HOSTNAME" ]; then 19 19 + echo "Error: hostname is required" >&2 20 20 + echo "" >&2 21 21 + echo "Usage: $0 <hostname> [relay-url]" >&2 22 22 + echo "Example: $0 hold01.atcr.io" >&2 23 23 + echo "" >&2 24 24 + echo "Options:" >&2 25 25 + echo " hostname Hostname of the PDS to request crawl for (required)" >&2 26 26 + echo " relay-url Relay URL to send crawl request to (default: $DEFAULT_RELAY)" >&2 27 27 + exit 1 28 28 + fi 29 29 + 30 30 + # Log what we're doing 31 31 + echo "Requesting crawl for hostname: $HOSTNAME" 32 32 + echo "Sending to relay: $RELAY_URL" 33 33 + 34 34 + # Make the request 35 35 + RESPONSE=$(curl -s -w "\n%{http_code}" -X POST "$RELAY_URL" \ 36 36 + -H "Content-Type: application/json" \ 37 37 + -d "{\"hostname\":\"$HOSTNAME\"}") 38 38 + 39 39 + # Split response and status code 40 40 + HTTP_BODY=$(echo "$RESPONSE" | head -n -1) 41 41 + HTTP_CODE=$(echo "$RESPONSE" | tail -n 1) 42 42 + 43 43 + # Check response 44 44 + if [ "$HTTP_CODE" -ge 200 ] && [ "$HTTP_CODE" -lt 300 ]; then 45 45 + echo "✅ Success! Crawl requested for $HOSTNAME" 46 46 + if [ -n "$HTTP_BODY" ]; then 47 47 + echo "Response: $HTTP_BODY" 48 48 + fi 49 49 + else 50 50 + echo "❌ Failed with status $HTTP_CODE" >&2 51 51 + if [ -n "$HTTP_BODY" ]; then 52 52 + echo "Response: $HTTP_BODY" >&2 53 53 + fi 54 54 + exit 1 55 55 + fi

+252

pkg/hold/pds/events.go

··· 1 1 + package pds 2 2 + 3 3 + import ( 4 4 + "context" 5 5 + "encoding/json" 6 6 + "log" 7 7 + "sync" 8 8 + "time" 9 9 + 10 10 + atproto "github.com/bluesky-social/indigo/api/atproto" 11 11 + lexutil "github.com/bluesky-social/indigo/lex/util" 12 12 + "github.com/gorilla/websocket" 13 13 + ) 14 14 + 15 15 + // EventBroadcaster manages WebSocket connections and broadcasts repo events 16 16 + type EventBroadcaster struct { 17 17 + mu sync.RWMutex 18 18 + subscribers map[*Subscriber]bool 19 19 + eventSeq int64 20 20 + eventHistory []HistoricalEvent // Ring buffer for cursor backfill 21 21 + maxHistory int 22 22 + holdDID string // DID of the hold for setting repo field 23 23 + } 24 24 + 25 25 + // Subscriber represents a WebSocket client subscribed to the firehose 26 26 + type Subscriber struct { 27 27 + conn *websocket.Conn 28 28 + send chan *RepoCommitEvent 29 29 + cursor int64 // Last sequence number this subscriber has seen 30 30 + } 31 31 + 32 32 + // HistoricalEvent stores past events for cursor-based backfill 33 33 + type HistoricalEvent struct { 34 34 + Seq int64 35 35 + Event *RepoCommitEvent 36 36 + } 37 37 + 38 38 + // RepoCommitEvent represents a #commit event in subscribeRepos 39 39 + type RepoCommitEvent struct { 40 40 + Seq int64 `json:"seq" cborgen:"seq"` 41 41 + Repo string `json:"repo" cborgen:"repo"` 42 42 + Commit string `json:"commit" cborgen:"commit"` // CID string 43 43 + Rev string `json:"rev" cborgen:"rev"` 44 44 + Since *string `json:"since,omitempty" cborgen:"since,omitempty"` 45 45 + Blocks []byte `json:"blocks" cborgen:"blocks"` // CAR slice bytes 46 46 + Ops []*atproto.SyncSubscribeRepos_RepoOp `json:"ops" cborgen:"ops"` 47 47 + Time string `json:"time" cborgen:"time"` 48 48 + Type string `json:"$type" cborgen:"$type"` // Always "#commit" 49 49 + } 50 50 + 51 51 + // NewEventBroadcaster creates a new event broadcaster 52 52 + func NewEventBroadcaster(holdDID string, maxHistory int) *EventBroadcaster { 53 53 + if maxHistory <= 0 { 54 54 + maxHistory = 100 // Default to keeping 100 events 55 55 + } 56 56 + 57 57 + return &EventBroadcaster{ 58 58 + subscribers: make(map[*Subscriber]bool), 59 59 + eventSeq: 0, 60 60 + eventHistory: make([]HistoricalEvent, 0, maxHistory), 61 61 + maxHistory: maxHistory, 62 62 + holdDID: holdDID, 63 63 + } 64 64 + } 65 65 + 66 66 + // Subscribe adds a new WebSocket subscriber 67 67 + func (b *EventBroadcaster) Subscribe(conn *websocket.Conn, cursor int64) *Subscriber { 68 68 + sub := &Subscriber{ 69 69 + conn: conn, 70 70 + send: make(chan *RepoCommitEvent, 10), // Buffer 10 events 71 71 + cursor: cursor, 72 72 + } 73 73 + 74 74 + b.mu.Lock() 75 75 + b.subscribers[sub] = true 76 76 + currentSeq := b.eventSeq 77 77 + b.mu.Unlock() 78 78 + 79 79 + // Send historical events if cursor is provided and < current seq 80 80 + if cursor > 0 && cursor < currentSeq { 81 81 + go b.backfillSubscriber(sub, cursor) 82 82 + } 83 83 + 84 84 + // Start goroutine to handle sending events to this subscriber 85 85 + go b.handleSubscriber(sub) 86 86 + 87 87 + return sub 88 88 + } 89 89 + 90 90 + // Unsubscribe removes a WebSocket subscriber 91 91 + func (b *EventBroadcaster) Unsubscribe(sub *Subscriber) { 92 92 + b.mu.Lock() 93 93 + defer b.mu.Unlock() 94 94 + 95 95 + if _, ok := b.subscribers[sub]; ok { 96 96 + delete(b.subscribers, sub) 97 97 + close(sub.send) 98 98 + } 99 99 + } 100 100 + 101 101 + // Broadcast sends an event to all subscribers 102 102 + func (b *EventBroadcaster) Broadcast(ctx context.Context, event *RepoEvent) { 103 103 + b.mu.Lock() 104 104 + defer b.mu.Unlock() 105 105 + 106 106 + // Increment sequence 107 107 + b.eventSeq++ 108 108 + seq := b.eventSeq 109 109 + 110 110 + // Convert RepoEvent to RepoCommitEvent 111 111 + commitEvent := b.convertToCommitEvent(event, seq) 112 112 + 113 113 + // Store in history for backfill 114 114 + b.addToHistory(seq, commitEvent) 115 115 + 116 116 + // Broadcast to all subscribers 117 117 + for sub := range b.subscribers { 118 118 + select { 119 119 + case sub.send <- commitEvent: 120 120 + // Sent successfully 121 121 + default: 122 122 + // Subscriber's buffer is full, skip (they'll get disconnected for being too slow) 123 123 + log.Printf("Warning: subscriber buffer full, skipping event seq=%d", seq) 124 124 + } 125 125 + } 126 126 + } 127 127 + 128 128 + // convertToCommitEvent converts a RepoEvent to a RepoCommitEvent 129 129 + func (b *EventBroadcaster) convertToCommitEvent(event *RepoEvent, seq int64) *RepoCommitEvent { 130 130 + // Convert RepoOps to atproto.SyncSubscribeRepos_RepoOp 131 131 + ops := make([]*atproto.SyncSubscribeRepos_RepoOp, len(event.Ops)) 132 132 + for i, op := range event.Ops { 133 133 + action := string(op.Kind) // "create", "update", "delete" 134 134 + path := op.Collection + "/" + op.Rkey 135 135 + 136 136 + // Convert CID to LexLink if present 137 137 + var cidLink *lexutil.LexLink 138 138 + if op.RecCid != nil { 139 139 + link := lexutil.LexLink(*op.RecCid) 140 140 + cidLink = &link 141 141 + } 142 142 + 143 143 + ops[i] = &atproto.SyncSubscribeRepos_RepoOp{ 144 144 + Action: action, 145 145 + Path: path, 146 146 + Cid: cidLink, 147 147 + } 148 148 + } 149 149 + 150 150 + // Event.NewRoot is a cid.Cid, convert to string 151 151 + commitCID := event.NewRoot.String() 152 152 + 153 153 + return &RepoCommitEvent{ 154 154 + Seq: seq, 155 155 + Repo: b.holdDID, // Set to hold's DID 156 156 + Commit: commitCID, 157 157 + Rev: event.Rev, 158 158 + Since: event.Since, 159 159 + Blocks: event.RepoSlice, // CAR slice bytes 160 160 + Ops: ops, 161 161 + Time: time.Now().Format(time.RFC3339), 162 162 + Type: "#commit", 163 163 + } 164 164 + } 165 165 + 166 166 + // addToHistory adds an event to the history ring buffer 167 167 + func (b *EventBroadcaster) addToHistory(seq int64, event *RepoCommitEvent) { 168 168 + he := HistoricalEvent{ 169 169 + Seq: seq, 170 170 + Event: event, 171 171 + } 172 172 + 173 173 + // Simple ring buffer: keep last N events 174 174 + if len(b.eventHistory) >= b.maxHistory { 175 175 + // Remove oldest event 176 176 + b.eventHistory = b.eventHistory[1:] 177 177 + } 178 178 + b.eventHistory = append(b.eventHistory, he) 179 179 + } 180 180 + 181 181 + // backfillSubscriber sends historical events to a subscriber 182 182 + func (b *EventBroadcaster) backfillSubscriber(sub *Subscriber, cursor int64) { 183 183 + b.mu.RLock() 184 184 + defer b.mu.RUnlock() 185 185 + 186 186 + for _, he := range b.eventHistory { 187 187 + if he.Seq > cursor { 188 188 + select { 189 189 + case sub.send <- he.Event: 190 190 + // Sent 191 191 + case <-time.After(5 * time.Second): 192 192 + // Timeout, subscriber too slow 193 193 + log.Printf("Backfill timeout for subscriber at seq=%d", he.Seq) 194 194 + return 195 195 + } 196 196 + } 197 197 + } 198 198 + } 199 199 + 200 200 + // handleSubscriber handles sending events to a subscriber over WebSocket 201 201 + func (b *EventBroadcaster) handleSubscriber(sub *Subscriber) { 202 202 + defer func() { 203 203 + b.Unsubscribe(sub) 204 204 + sub.conn.Close() 205 205 + }() 206 206 + 207 207 + for event := range sub.send { 208 208 + // Encode as CBOR 209 209 + cborBytes, err := encodeCBOR(event) 210 210 + if err != nil { 211 211 + log.Printf("Failed to encode event as CBOR: %v", err) 212 212 + continue 213 213 + } 214 214 + 215 215 + // Write CBOR message to WebSocket 216 216 + err = sub.conn.WriteMessage(websocket.BinaryMessage, cborBytes) 217 217 + if err != nil { 218 218 + log.Printf("Failed to write to websocket: %v", err) 219 219 + return 220 220 + } 221 221 + 222 222 + // Update cursor 223 223 + sub.cursor = event.Seq 224 224 + } 225 225 + } 226 226 + 227 227 + // encodeCBOR encodes an event as CBOR 228 228 + func encodeCBOR(event *RepoCommitEvent) ([]byte, error) { 229 229 + // For now, use JSON encoding wrapped in CBOR envelope 230 230 + // In production, you'd use proper CBOR encoding 231 231 + // The atproto spec requires DAG-CBOR with specific header 232 232 + 233 233 + // Simple approach: encode as JSON for MVP 234 234 + // Real implementation needs proper CBOR-gen types 235 235 + return json.Marshal(event) 236 236 + } 237 237 + 238 238 + // SetRepoEventHandler creates a callback to be registered with RepoManager 239 239 + func (b *EventBroadcaster) SetRepoEventHandler() func(context.Context, *RepoEvent) { 240 240 + return func(ctx context.Context, event *RepoEvent) { 241 241 + // Broadcast the event to all subscribers 242 242 + // The holdDID is already set in the broadcaster 243 243 + b.Broadcast(ctx, event) 244 244 + } 245 245 + } 246 246 + 247 247 + // GetCurrentSeq returns the current event sequence number 248 248 + func (b *EventBroadcaster) GetCurrentSeq() int64 { 249 249 + b.mu.RLock() 250 250 + defer b.mu.RUnlock() 251 251 + return b.eventSeq 252 252 + }

+5

pkg/hold/pds/server.go

··· 102 102 return p.signingKey 103 103 } 104 104 105 105 + // RepomgrRef returns a reference to the RepoManager for event handler setup 106 106 + func (p *HoldPDS) RepomgrRef() *RepoManager { 107 107 + return p.repomgr 108 108 + } 109 109 + 105 110 // Bootstrap initializes the hold with the captain record and owner as first crew member 106 111 func (p *HoldPDS) Bootstrap(ctx context.Context, ownerDID string, public bool, allowAllCrew bool) error { 107 112 if ownerDID == "" {

+109 -7

pkg/hold/pds/xrpc.go

··· 5 5 "encoding/json" 6 6 "fmt" 7 7 "net/http" 8 8 + "strconv" 8 9 "strings" 9 10 10 11 "atcr.io/pkg/atproto" 11 12 lexutil "github.com/bluesky-social/indigo/lex/util" 12 13 "github.com/bluesky-social/indigo/repo" 14 14 + "github.com/gorilla/websocket" 13 15 "github.com/ipfs/go-cid" 14 16 "github.com/ipld/go-car" 15 17 carutil "github.com/ipld/go-car/util" ··· 19 21 20 22 // XRPCHandler handles XRPC requests for the embedded PDS 21 23 type XRPCHandler struct { 22 22 - pds *HoldPDS 23 23 - publicURL string 24 24 - blobStore BlobStore 24 24 + pds *HoldPDS 25 25 + publicURL string 26 26 + blobStore BlobStore 27 27 + broadcaster *EventBroadcaster 25 28 } 26 29 27 30 // BlobStore interface wraps the existing hold service storage operations ··· 33 36 } 34 37 35 38 // NewXRPCHandler creates a new XRPC handler 36 36 - func NewXRPCHandler(pds *HoldPDS, publicURL string, blobStore BlobStore) *XRPCHandler { 39 39 + func NewXRPCHandler(pds *HoldPDS, publicURL string, blobStore BlobStore, broadcaster *EventBroadcaster) *XRPCHandler { 37 40 return &XRPCHandler{ 38 38 - pds: pds, 39 39 - publicURL: publicURL, 40 40 - blobStore: blobStore, 41 41 + pds: pds, 42 42 + publicURL: publicURL, 43 43 + blobStore: blobStore, 44 44 + broadcaster: broadcaster, 41 45 } 42 46 } 43 47 ··· 72 76 // Sync endpoints 73 77 mux.HandleFunc("/xrpc/com.atproto.sync.listRepos", corsMiddleware(h.HandleListRepos)) 74 78 mux.HandleFunc("/xrpc/com.atproto.sync.getRecord", corsMiddleware(h.HandleSyncGetRecord)) 79 79 + mux.HandleFunc("/xrpc/com.atproto.sync.getRepo", corsMiddleware(h.HandleGetRepo)) 80 80 + mux.HandleFunc("/xrpc/com.atproto.sync.subscribeRepos", corsMiddleware(h.HandleSubscribeRepos)) 75 81 76 82 // Blob endpoints (wrap existing presigned URL logic) 77 83 mux.HandleFunc("/xrpc/com.atproto.repo.uploadBlob", corsMiddleware(h.HandleUploadBlob)) ··· 438 444 439 445 // Write the CAR data to the response 440 446 w.Write(buf.Bytes()) 447 447 + } 448 448 + 449 449 + // HandleGetRepo returns the full repository as a CAR file 450 450 + // This is the critical endpoint for relay crawling and Bluesky discovery 451 451 + func (h *XRPCHandler) HandleGetRepo(w http.ResponseWriter, r *http.Request) { 452 452 + if r.Method != http.MethodGet { 453 453 + http.Error(w, "method not allowed", http.StatusMethodNotAllowed) 454 454 + return 455 455 + } 456 456 + 457 457 + // Get required 'did' parameter 458 458 + did := r.URL.Query().Get("did") 459 459 + if did == "" { 460 460 + http.Error(w, "missing required parameter: did", http.StatusBadRequest) 461 461 + return 462 462 + } 463 463 + 464 464 + // Validate DID matches this PDS 465 465 + if did != h.pds.DID() { 466 466 + http.Error(w, "repo not found", http.StatusNotFound) 467 467 + return 468 468 + } 469 469 + 470 470 + // Get optional 'since' parameter for diff export 471 471 + since := r.URL.Query().Get("since") 472 472 + 473 473 + // Set CAR content type 474 474 + w.Header().Set("Content-Type", "application/vnd.ipld.car") 475 475 + 476 476 + // Stream the repository CAR file directly to the response 477 477 + // ReadRepo handles full export or diff based on 'since' parameter 478 478 + err := h.pds.repomgr.ReadRepo(r.Context(), h.pds.uid, since, w) 479 479 + if err != nil { 480 480 + // Error already written to response by ReadRepo streaming 481 481 + // Log it but don't try to write another HTTP error 482 482 + fmt.Printf("Error streaming repo CAR: %v\n", err) 483 483 + return 484 484 + } 485 485 + } 486 486 + 487 487 + // WebSocket upgrader 488 488 + var upgrader = websocket.Upgrader{ 489 489 + CheckOrigin: func(r *http.Request) bool { 490 490 + // Allow all origins for MVP (ATProto firehose is public) 491 491 + return true 492 492 + }, 493 493 + } 494 494 + 495 495 + // HandleSubscribeRepos handles WebSocket connections for the firehose 496 496 + // This is the real-time event stream for repo changes 497 497 + func (h *XRPCHandler) HandleSubscribeRepos(w http.ResponseWriter, r *http.Request) { 498 498 + if r.Method != http.MethodGet { 499 499 + http.Error(w, "method not allowed", http.StatusMethodNotAllowed) 500 500 + return 501 501 + } 502 502 + 503 503 + // Check if broadcaster is configured 504 504 + if h.broadcaster == nil { 505 505 + http.Error(w, "firehose not enabled", http.StatusNotImplemented) 506 506 + return 507 507 + } 508 508 + 509 509 + // Get optional cursor parameter for backfill 510 510 + var cursor int64 = 0 511 511 + if cursorStr := r.URL.Query().Get("cursor"); cursorStr != "" { 512 512 + var err error 513 513 + cursor, err = strconv.ParseInt(cursorStr, 10, 64) 514 514 + if err != nil { 515 515 + http.Error(w, "invalid cursor parameter", http.StatusBadRequest) 516 516 + return 517 517 + } 518 518 + } 519 519 + 520 520 + // Upgrade to WebSocket 521 521 + conn, err := upgrader.Upgrade(w, r, nil) 522 522 + if err != nil { 523 523 + fmt.Printf("WebSocket upgrade failed: %v\n", err) 524 524 + return 525 525 + } 526 526 + 527 527 + // Subscribe to events 528 528 + sub := h.broadcaster.Subscribe(conn, cursor) 529 529 + 530 530 + // The broadcaster's handleSubscriber goroutine will manage this connection 531 531 + // We just need to keep reading to detect client disconnects 532 532 + go func() { 533 533 + defer h.broadcaster.Unsubscribe(sub) 534 534 + for { 535 535 + // Read messages from client (mostly just to detect disconnect) 536 536 + _, _, err := conn.ReadMessage() 537 537 + if err != nil { 538 538 + // Client disconnected 539 539 + break 540 540 + } 541 541 + } 542 542 + }() 441 543 } 442 544 443 545 // HandleUploadBlob wraps existing presigned upload URL logic