this repo has no description
lewis.moe
1# Lewis' Big Boy TODO list
2
3## Active development
4
5### Plugin system
6Extensible architecture allowing third-party plugins to add functionality. Going with wasm-based rather than scripting language.
7
8- [ ] Plugin manifest format (name, version, deps, permissions, hooks)
9- [ ] Plugin loading and lifecycle (enable/disable/hot reload)
10- [ ] WASM host bindings for PDS APIs (database, storage, http, etc.)
11- [ ] Resource limits (memory, cpu time, capability restrictions)
12- [ ] Extension points: request middleware, record lifecycle hooks, custom XRPC endpoints
13- [ ] Extension points: custom lexicons, storage backends, auth providers, notification channels
14- [ ] Extension points: firehose consumers (react to repo events)
15- [ ] Plugin sdk crate with traits and helpers?
16- [ ] Example plugins: cdc, extra logging to 3rd party, content filter, better S3 backup
17- [ ] Plugin registry with signature verification?
18
19### Plugin: Private/encrypted data
20Records that only authorized parties can see and decrypt. Requires key federation between PDSes. Implemented as a plugin using the plugin system above.
21
22- [ ] Survey current ATProto discourse on private data
23- [ ] Document Bluesky team's likely approach
24- [ ] Design key management strategy
25- [ ] Per-user encryption keys (separate from signing keys)
26- [ ] Key derivation for per-record or per-collection encryption
27- [ ] Encrypted record storage format
28- [ ] Transparent encryption/decryption in repo operations
29- [ ] Protocol for sharing decryption keys between PDSes
30- [ ] Handle key rotation and revocation
31
32---
33
34## Completed
35
36Core ATProto: Health, describeServer, all session endpoints, full repo CRUD, applyWrites, blob upload, importRepo, firehose with cursor replay, CAR export, blob sync, crawler notifications, handle resolution, PLC operations, full admin API, moderation reports.
37
38did:web support: Self-hosted did:web (subdomain format `did:web:handle.pds.com`), external/BYOD did:web, DID document serving via `/.well-known/did.json`, clear registration warnings about did:web trade-offs vs did:plc.
39
40OAuth 2.1: Authorization server metadata, JWKS, PAR, authorize endpoint with login UI, token endpoint (auth code + refresh), revocation, introspection, DPoP, PKCE S256, client metadata validation, private_key_jwt verification.
41
42OAuth Scope Enforcement: Full granular scope system with consent UI, human-readable scope descriptions, per-client scope preferences, scope parsing (repo/blob/rpc/account/identity), endpoint-level scope checks, DPoP token support in auth extractors, token revocation on re-authorization, response_mode support (query/fragment).
43
44App endpoints: getPreferences, putPreferences, getProfile, getProfiles, getTimeline, getAuthorFeed, getActorLikes, getPostThread, getFeed, registerPush (all with local-first + proxy fallback).
45
46Infrastructure: Sequencer with cursor replay, postgres repo storage with atomic transactions, valkey DID cache, debounced crawler notifications with circuit breakers, multi-channel notifications (email/Discord/Telegram/Signal), image processing, distributed rate limiting, security hardening.
47
48Web UI: OAuth login, registration, email verification, password reset, multi-account selector, dashboard, sessions, app passwords, invites, notification preferences, repo browser, CAR export, admin panel, OAuth consent screen with scope selection.
49
50Auth: ES256K + HS256 dual support, JTI-only token storage, refresh token family tracking, encrypted signing keys (AES-256-GCM), DPoP replay protection, constant-time comparisons.
51
52Passkeys and 2FA: WebAuthn/FIDO2 passkey registration and authentication, TOTP with QR setup, backup codes (hashed, one-time use), passkey-only account creation, trusted devices (remember this browser), re-auth for sensitive actions, rate-limited 2FA attempts, settings UI for managing all auth methods.
53
54App password scopes: Granular permissions for app passwords using the same scope system as OAuth. Preset buttons for common use cases (full access, read-only, post-only), scope stored in session and preserved across token refresh, explicit RPC/repo/blob scope enforcement for restricted passwords.
55
56Account Delegation: Delegated accounts controlled by other accounts instead of passwords. OAuth delegation flow (authenticate as controller), scope-based permissions (owner/admin/editor/viewer presets), scope intersection (tokens limited to granted permissions), `act` claim for delegation tracking, creating delegated account flow, controller management UI, "act as" account switcher, comprehensive audit logging with actor/controller tracking, delegation-aware OAuth consent with permission limitation notices.
57
58Migration: OAuth-based inbound migration wizard with PLC token flow, offline restore from CAR file + rotation key for disaster recovery, scheduled automatic backups, standalone repo/blob export, did:web DID document editor for self-service identity management.