this repo has no description
lewis.moe
1# Lewis' Big Boy TODO list
2
3## Active development
4
5### Delegated accounts
6Accounts controlled by other accounts rather than having their own password. When logging in as a delegated account, OAuth asks you to authenticate with a linked controller account. Uses OAuth scopes as the permission model.
7
8- [ ] Account type flag in actors table (personal | delegated)
9- [ ] account_delegations table (delegated_did, controller_did, granted_scopes[], granted_at, granted_by, revoked_at)
10- [ ] Detect delegated account during authorize flow
11- [ ] Redirect to "authenticate as controller" instead of password prompt
12- [ ] Validate controller has delegation grant for this account
13- [ ] Issue token with intersection of (requested scopes :intersection-emoji: granted scopes)
14- [ ] Token includes act_as claim indicating delegation
15- [ ] Define standard scope sets (owner, admin, editor, viewer)
16- [ ] Create delegated account flow (no password, must add initial controller)
17- [ ] Controller management page (add/remove controllers, modify scopes)
18- [ ] "Act as" account switcher for users with delegation grants
19- [ ] Log all actions with both actor DID and controller DID
20- [ ] Audit log view for delegated account owners
21
22### Migration tool
23Seamless account migration built into the UI, inspired by pdsmoover. Users shouldn't need external tools or brain surgery on half-done account states.
24
25- [ ] Add `migratingTo` parameter to `deactivateAccount` endpoint
26- [ ] For self-hosted did:web users: set `migrated_to_pds`, update DID doc serviceEndpoint
27- [ ] "Migrated" account state for self-hosted did:web: can authenticate but no repo operations
28- [ ] Migrated did:web user UI: minimal dashboard with "update forwarding PDS" setting, or full migration wizard to handle PDS 2 -> PDS 3 moves automatically
29- [ ] Outbound UI wizard: new PDS URL -> export repo -> guide account creation -> complete migration
30- [ ] Inbound UI wizard: login to old PDS -> choose handle -> import -> PLC token flow
31- [ ] Support `createAccount` with existing DID + service auth token
32- [ ] Progress tracking with resume capability
33- [ ] Scheduled automatic backups (CAR export)
34- [ ] One-click restore from backup
35
36### Plugin system
37Extensible architecture allowing third-party plugins to add functionality, like minecraft mods or browser extensions.
38
39- [ ] Research: survey Fabric/Forge, VS Code, Grafana, Caddy plugin architectures
40- [ ] Evaluate rust approaches: WASM, dynamic linking, subprocess IPC, embedded scripting (Lua/Rhai)
41- [ ] Define security model (sandboxing, permissions, resource limits)
42- [ ] Plugin manifest format (name, version, deps, permissions, hooks)
43- [ ] Plugin discovery, loading, lifecycle (enable/disable/hot reload)
44- [ ] Error isolation (bad plugin shouldn't crash PDS)
45- [ ] Extension points: request middleware, record lifecycle hooks, custom XRPC endpoints
46- [ ] Extension points: custom lexicons, storage backends, auth providers, notification channels
47- [ ] Extension points: firehose consumers (react to repo events)
48- [ ] Plugin SDK crate with traits and helpers
49- [ ] Example plugins: custom feed algorithm, content filter, S3 backup
50- [ ] Plugin registry with signature verification and version compatibility
51
52### Plugin: Private/encrypted data
53Records that only authorized parties can see and decrypt. Requires key federation between PDSes. Implemented as a plugin using the plugin system above.
54
55- [ ] Survey current ATProto discourse on private data
56- [ ] Document Bluesky team's likely approach
57- [ ] Design key management strategy
58- [ ] Per-user encryption keys (separate from signing keys)
59- [ ] Key derivation for per-record or per-collection encryption
60- [ ] Encrypted record storage format
61- [ ] Transparent encryption/decryption in repo operations
62- [ ] Protocol for sharing decryption keys between PDSes
63- [ ] Handle key rotation and revocation
64
65---
66
67## Completed
68
69Core ATProto: Health, describeServer, all session endpoints, full repo CRUD, applyWrites, blob upload, importRepo, firehose with cursor replay, CAR export, blob sync, crawler notifications, handle resolution, PLC operations, full admin API, moderation reports.
70
71did:web support: Self-hosted did:web (subdomain format `did:web:handle.pds.com`), external/BYOD did:web, DID document serving via `/.well-known/did.json`, migration tracking for did:web users who leave (serviceEndpoint redirect), clear registration warnings about did:web trade-offs vs did:plc.
72
73OAuth 2.1: Authorization server metadata, JWKS, PAR, authorize endpoint with login UI, token endpoint (auth code + refresh), revocation, introspection, DPoP, PKCE S256, client metadata validation, private_key_jwt verification.
74
75OAuth Scope Enforcement: Full granular scope system with consent UI, human-readable scope descriptions, per-client scope preferences, scope parsing (repo/blob/rpc/account/identity), endpoint-level scope checks, DPoP token support in auth extractors, token revocation on re-authorization, response_mode support (query/fragment).
76
77App endpoints: getPreferences, putPreferences, getProfile, getProfiles, getTimeline, getAuthorFeed, getActorLikes, getPostThread, getFeed, registerPush (all with local-first + proxy fallback).
78
79Infrastructure: Sequencer with cursor replay, postgres repo storage with atomic transactions, valkey DID cache, debounced crawler notifications with circuit breakers, multi-channel notifications (email/Discord/Telegram/Signal), image processing, distributed rate limiting, security hardening.
80
81Web UI: OAuth login, registration, email verification, password reset, multi-account selector, dashboard, sessions, app passwords, invites, notification preferences, repo browser, CAR export, admin panel, OAuth consent screen with scope selection.
82
83Auth: ES256K + HS256 dual support, JTI-only token storage, refresh token family tracking, encrypted signing keys (AES-256-GCM), DPoP replay protection, constant-time comparisons.
84
85Passkeys and 2FA: WebAuthn/FIDO2 passkey registration and authentication, TOTP with QR setup, backup codes (hashed, one-time use), passkey-only account creation, trusted devices (remember this browser), re-auth for sensitive actions, rate-limited 2FA attempts, settings UI for managing all auth methods.
86
87App password scopes: Granular permissions for app passwords using the same scope system as OAuth. Preset buttons for common use cases (full access, read-only, post-only), scope stored in session and preserved across token refresh, explicit RPC/repo/blob scope enforcement for restricted passwords.