* docs: ATB-52 CSS token extraction design doc

* docs: ATB-52 implementation plan

* test(web): add failing preset completeness tests (ATB-52)

* test(web): improve preset test descriptions (ATB-52)

* feat(web): add neobrutal-light and neobrutal-dark JSON presets with font-size-xs token (ATB-52)

* feat(web): switch base layout to JSON preset import, remove TS preset (ATB-52)

* fix(web): replace all hardcoded CSS values with design tokens in mod and structure UI (ATB-52)

Define two new AT Proto record types for the theming system:
- space.atbb.forum.theme (tid key) — design tokens, color scheme, CSS overrides, font URLs
- space.atbb.forum.themePolicy (literal:self) — available themes, light/dark defaults, user choice toggle

Uses knownValues for colorScheme extensibility and strongRef wrapped in themeRef named def for CID integrity.

README was missing 3 of 5 packages (atproto, cli, logger).
Deployment guide had SESSION_TTL_DAYS default wrong (30 vs actual 7)
and was missing LOG_LEVEL, SEED_DEFAULT_ROLES, DEFAULT_MEMBER_ROLE
from the optional env vars table. Production env example was missing
FORUM_HANDLE and FORUM_PASSWORD variables.

* feat(web): admin mod action log page — /admin/modlog (ATB-48)

* docs: ATB-48 modlog UI implementation plan and completion notes

* fix(web): wrap modlogRes.json() in try-catch for non-JSON AppView responses (ATB-48)

A proxy returning HTML with HTTP 200 would cause Response.json() to throw
SyntaxError, which isProgrammingError() re-throws, producing an unhandled crash
instead of a 500 error page. Wrap with the same pattern used in the members
and role-assignment handlers.

Step-by-step TDD plan for GET /api/admin/modlog — requireAnyPermission
middleware, Drizzle alias double join, route handler, and Bruno collection.

Design for GET /api/admin/modlog — paginated mod action audit log with
double users join for moderator and subject handles, and requireAnyPermission
middleware for OR-based permission checks.

* docs: ATB-46 mod action log endpoint design

Design for GET /api/admin/modlog — paginated mod action audit log with
double users join for moderator and subject handles, and requireAnyPermission
middleware for OR-based permission checks.

* docs: ATB-46 mod action log implementation plan

Step-by-step TDD plan for GET /api/admin/modlog — requireAnyPermission
middleware, Drizzle alias double join, route handler, and Bruno collection.

* feat(appview): add requireAnyPermission middleware (ATB-46)

* test(appview): failing tests for GET /api/admin/modlog (ATB-46)

* feat(appview): GET /api/admin/modlog with double users leftJoin (ATB-46)

* docs(bruno): GET /api/admin/modlog collection (ATB-46)

* docs: move ATB-46 plan docs to complete/

* fix(appview): scope modlog queries to forumDid (ATB-46)

* feat(appview): add uri field to serializeCategory (ATB-47)

* test(web): add failing tests for GET /admin/structure (ATB-47)

* feat(web): add GET /admin/structure page with category/board listing (ATB-47)

* fix(web): use lowercase method="post" on structure page forms (ATB-47)

* test(web): add failing tests for category proxy routes (ATB-47)

* feat(web): add category proxy routes for structure management (ATB-47)

* test(web): add failing tests for board proxy routes (ATB-47)

* feat(web): add board proxy routes for structure management (ATB-47)

* feat(web): add CSS for admin structure management page (ATB-47)

* test(web): add missing network error tests for edit proxy routes (ATB-47)

* fix(web): log errors when boards fetch fails per-category in structure page (ATB-47)

* docs: add completed implementation plan for ATB-47 admin structure UI

* fix(web): validate sort order and fix board delete 409 test (ATB-47)

- parseSortOrder now returns null for negative/non-integer values and
redirects with "Sort order must be a non-negative integer." error;
0 remains the default for empty/missing sort order fields
- Use Number() + Number.isInteger() instead of parseInt() to reject
floats like "1.5" that parseInt would silently truncate
- Add validation tests for negative sort order across all 4 create/edit
handlers (create category, edit category, create board, edit board)
- Fix board delete 409 test mock to use the real AppView error message
("Cannot delete board with posts. Remove all posts first.") and assert
the message appears in the redirect URL, matching category delete test

* test(appview): add failing tests for POST /api/admin/boards (ATB-45)

* test(appview): add ForumAgent not authenticated test for POST /api/admin/boards (ATB-45)

* feat(appview): POST /api/admin/boards create endpoint (ATB-45)

* test(appview): add failing tests for PUT /api/admin/boards/:id (ATB-45)

* test(appview): add error body assertion to PUT boards malformed JSON test (ATB-45)

* feat(appview): PUT /api/admin/boards/:id update endpoint (ATB-45)

* test(appview): add failing tests for DELETE /api/admin/boards/:id (ATB-45)

* test(appview): improve DELETE /api/admin/boards/:id test coverage (ATB-45)

* feat(appview): DELETE /api/admin/boards/:id delete endpoint (ATB-45)

Pre-flight refuses with 409 if any posts reference the board (via posts.boardId).
Also fixes test error messages to use "Database connection lost" (matching isDatabaseError keywords) for consistent 503 classification.

* docs(bruno): add board management API collection (ATB-45)

* fix(appview): close postgres connection after each admin test to prevent pool exhaustion (ATB-45)

Each createTestContext() call opens a new postgres.js connection pool. With 93
tests in admin.test.ts, the old pools were never closed, exhausting PostgreSQL's
max_connections limit. Fix by calling $client.end() in cleanup() for Postgres.

* docs(plans): move ATB-44 and ATB-45 plan docs to complete/

* test(appview): add missing DB error 503 tests for board endpoints (ATB-45)

- POST /api/admin/boards: add "returns 503 when category lookup query fails"
- PUT /api/admin/boards/:id: add "returns 503 when board lookup query fails"
- PUT /api/admin/boards/:id: add "returns 503 when category CID lookup query fails"
(call-count pattern: first select passes, second throws)

Replace loose pattern checks (toMatch, toContain) with an exact toBe()
assertion using the seeded role's full AT URI. Also assert toHaveLength(1)
so the test fails if extra roles appear unexpectedly.

Add a startsWith("did:") guard in the POST /admin/members/:did/role handler
before the upstream fetch call. Malformed path parameters now return an inline
MemberRow error fragment without hitting the AppView. Covered by a new test.

* feat(appview): POST /api/admin/categories create endpoint (ATB-44)

* feat(appview): PUT /api/admin/categories/:id update endpoint (ATB-44)

* test(appview): add malformed JSON test for PUT /api/admin/categories/:id (ATB-44)

* test(appview): add failing tests for DELETE /api/admin/categories/:id (ATB-44)

* feat(appview): DELETE /api/admin/categories/:id delete endpoint (ATB-44)

* docs(bruno): add category management API collection (ATB-44)

* fix(appview): use handleRouteError after consolidation refactor (ATB-44)

PR #74 consolidated handleReadError, handleWriteError, and
handleSecurityCheckError into a single handleRouteError. Update the
new category management handlers added in this branch to use the
consolidated name.

* fix(appview): address category endpoint review feedback (ATB-44)

- Tighten sortOrder validation: Number.isInteger() && >= 0 instead of
typeof === "number" (rejects floats, negatives, NaN, Infinity per lexicon
constraint integer, minimum: 0)
- Add 503 "ForumAgent not authenticated" tests for POST, PUT, DELETE
- Add 503 database failure tests for PUT and DELETE category lookup
- Add 403 permission tests for POST, PUT, DELETE

* fix(appview): address final review feedback on category endpoints (ATB-44)

- Fix PUT data loss: putRecord is a full AT Protocol record replacement,
not a patch. Fall back to existing category.description and
category.sortOrder when not provided in request body.
- Add test verifying existing description/sortOrder are preserved on
partial updates (regression test for the data loss bug).
- Add test for DELETE board-count preflight query failure path (503),
using a call-count mock so category lookup succeeds while the second
select throws.

* fix(web): show reply count and last-reply date on board topic listing

The topic listing on board pages always showed "0 replies" (hardcoded)
and used the topic's own createdAt for the date instead of the most
recent reply's timestamp.

- Add getReplyStats() helper: single GROUP BY query computing COUNT() and
MAX(createdAt) per rootPostId for a batch of topic IDs in one round-trip
- Enrich GET /api/boards/:id/topics response with replyCount and lastReplyAt
per topic; fail-open so a stats query failure degrades gracefully to 0/null
- Update TopicResponse interface and TopicRow in boards.tsx to consume the
new fields; date now reflects lastReplyAt ?? createdAt
- Add 5 integration tests covering zero replies, non-banned count, MAX date
accuracy, banned-reply exclusion, and per-topic independence

* fix(web): address code review issues from PR #75

- Add fail-open error path test: mocks getReplyStats DB failure and
asserts 200 response with replyCount 0 / lastReplyAt null / logger.error called
- Fix UI attribution: when lastReplyAt is set, show "last reply X ago"
instead of raw date next to "by {author}" — disambiguates whose action
the timestamp refers to
- Update Bruno collection: add replyCount and lastReplyAt to docs example
and assert blocks for GET /api/boards/:id/topics
- Rebase: merge conflict in boards.ts imports resolved (handleReadError →
handleRouteError from PR #74 refactor)

* fix(web): update setupSuccessfulFetch type to include replyCount and lastReplyAt

The helper's topics array element type was not updated alongside makeTopicsResponse,
causing tsc to reject the new test cases with TS2353. Vitest strips types via esbuild
so it passed locally; tsc in CI caught the mismatch.

handleReadError, handleWriteError, and handleSecurityCheckError had
byte-for-byte identical implementations. Replaced with a single
handleRouteError function, eliminating ~250 lines of duplicated code
across the error handler and its tests. Updated all 10 call sites.

https://claude.ai/code/session_018SH9pay3PqGo9JDdAv3iRj

Co-authored-by: Claude <noreply@anthropic.com>

* feat(web): add canManageRoles session helper (ATB-43)

* feat(appview): include uri in GET /api/admin/roles response (ATB-43)

Add rkey and did fields to the roles DB query, then construct the AT URI
(at://<did>/space.atbb.forum.role/<rkey>) in the response map so the
admin members page dropdown can submit a valid roleUri.

* style(web): add admin member table CSS classes (ATB-43)

* feat(web): add GET /admin/members page and POST proxy route (ATB-43)

* fix(web): add manageRoles permission gate to POST proxy route (ATB-43)

* docs: mark ATB-42 and ATB-43 complete in project plan

* docs: add ATB-43 implementation plan

* fix(web): address PR review feedback on admin members page (ATB-43)

* fix(web): use canManageRoles(auth) instead of hardcoded false in rolesJson error path

* docs: ATB-42 admin panel landing page implementation plan

* feat(web): add hasAnyAdminPermission() helper to session.ts (ATB-42)

* test(web): add hasAnyAdminPermission tests + tighten JSDoc (ATB-42)

* feat(web): add GET /admin landing page with permission-gated nav cards (ATB-42)

* refactor(web): move canManageMembers/canManageCategories/canViewModLog to session.ts (ATB-42)

* test(web): add admin landing page route tests (ATB-42)

* test(web): add missing structure-absent assertions for banUsers/lockTopics (ATB-42)

* style(web): add admin nav grid CSS (ATB-42)

* docs: add admin panel UI preview screenshot (ATB-42)

* fix(web): address minor code review feedback on ATB-42 admin panel

- Use var(--font-size-xl, 2rem) for admin card icon (CSS token consistency)
- Add banUsers and lockTopics test cases for canViewModLog helper
- Move plan doc to docs/plans/complete/

Step-by-step plan: add axe-core + jsdom deps, create consolidated test
file with jsdom env pragma, one happy-path WCAG AA test per page route.

Captures the approved design for adding axe-core + jsdom automated
accessibility tests to apps/web — single consolidated test file,
per-file jsdom environment pragma, one happy-path test per page route.

* docs: ATB-34 axe-core a11y testing design

Captures the approved design for adding axe-core + jsdom automated
accessibility tests to apps/web — single consolidated test file,
per-file jsdom environment pragma, one happy-path test per page route.

* docs: ATB-34 axe-core a11y implementation plan

Step-by-step plan: add axe-core + jsdom deps, create consolidated test
file with jsdom env pragma, one happy-path WCAG AA test per page route.

* chore(web): add axe-core, jsdom, vitest as explicit devDependencies (ATB-34)

* test(web): scaffold a11y test file with jsdom environment and module mocks (ATB-34)

* test(web): add WCAG AA accessibility tests for all page routes (ATB-34)

* test(web): suppress document.write deprecation with explanatory comment (ATB-34)

* test(web): use @ts-ignore to suppress deprecated document.write diagnostic (ATB-34)

* docs: move ATB-34 plan docs to complete

* test(web): address PR review feedback on a11y tests (ATB-34)

- Fix DOMParser comment to explain axe isPageContext() mechanism accurately
- Add DOM replacement guard after document.write() to catch silent no-ops
- Wrap axe.run() in try/catch with routeLabel for infrastructure error context
- Add routeLabel param to checkA11y; update all 6 call sites
- Reset canLockTopics/canModeratePosts/canBanUsers in beforeEach
- Add afterEach DOM cleanup via documentElement.innerHTML
- Fix path.startsWith('/topics/1') to exact match '/topics/1?offset=0&limit=25'
- Add form presence guard in new-topic test to catch silent auth fallback
- Update design doc to document DOMParser divergence and its reason

* test(web): strengthen DOM write guard to check html[lang] (ATB-34)

afterEach now removes lang from <html> so the guard in checkA11y can use
html[lang] as proof that document.write() actually executed, rather than
just checking that the <html> element exists (which it always does after
afterEach resets innerHTML without touching attributes).

Adds missing \$type fields to forum and board ref objects written to the PDS,
consistent with the replyRef fix in PR #61. Without \$type, the AT Protocol
runtime guards Post.isForumRef()/isBoardRef() return false, which would silently
break any future indexer refactor that adopts typed guards over optional chaining.

Also adds Post.isForumRef()/isBoardRef() assertions to the corresponding tests,
following the same contract-based pattern established for replyRef.

Mark all default roles as critical and throw on any failure during
startup seeding. Previously, per-role errors were caught and swallowed,
allowing the server to start without a Member role — causing every new
user login to create a permanently broken membership with no permissions.

Also scope the existing-role check to ctx.config.forumDid so that roles
from other DIDs in a shared database don't incorrectly satisfy the
idempotency check.

Adds seed-roles unit tests covering the new fail-fast behavior.

Closes ATB-38

* fix(appview): include role strongRef when upgrading bootstrap membership

upgradeBootstrapMembership was writing a PDS record without a role field.
When the firehose re-indexed the event, membershipConfig.toUpdateValues()
set roleUri = record.role?.role.uri ?? null, overwriting the Owner's
roleUri with null and stripping their permissions on first login.

Fix: look up the existing roleUri in the roles table (parsing the AT URI
to extract did/rkey), then include it as a strongRef in the PDS record —
same pattern used by writeMembershipRecord for new members.

Closes ATB-37

* fix(appview): address review feedback on ATB-37 bootstrap upgrade

- Pass ctx.logger to parseAtUri so malformed roleUris emit structured
warnings at parse time
- Add explicit error log when parseAtUri returns null (data integrity
signal — a stored roleUri that can't be parsed is unexpected)
- Upgrade warn → error in DB failure catch: a failed role lookup during
bootstrap upgrade has the same consequence as the role-not-found path
(firehose will null out roleUri), so both warrant error level
- Add DB failure test for the role lookup catch block
- Add malformed roleUri test (parseAtUri returns null path)
- Add result.created assertions to tests 1 and 2
- Add DB state assertions to all three new bootstrap upgrade tests

Covers member management, forum structure CRUD (categories + boards),
and mod action audit log. Approach A: separate pages per section at
/admin/*.

All structure mutations follow PDS-first pattern (ForumAgent → firehose
→ DB) consistent with the rest of the AppView, not the bootstrap CLI's
dual-write shortcut.

- README: update packages/db to mention SQLite/LibSQL support alongside PostgreSQL
- README: add space.atbb.forum.board to the lexicon table (added by ATB-23)
- Deployment guide: fix stale plan doc path (moved to docs/plans/complete/)
- Deployment guide: update DATABASE_URL to document both PostgreSQL and SQLite formats
- Deployment guide: add SQLite overview paragraph to Section 4 Database Setup
- Deployment guide: update migration verification table list from 7 to 12 tables
- Deployment guide: bump version to 1.2, update date to 2026-02-26

* docs: reorganize completed plans and sync atproto-forum-plan

- Move all 45 completed plan docs from docs/plans/ to docs/plans/complete/
to distinguish finished work from active/upcoming plans
- Mark SQLite support as complete in the Future Roadmap section
- Add show-handles-in-posts as a completed Phase 4 item
- Update docs/plans/ path references to docs/plans/complete/

* docs: trim CLAUDE.md to gotchas-only, add CONTRIBUTING.md

CLAUDE.md's stated purpose is "common mistakes and confusion points."
Several sections had grown into general style guides and process docs
that don't serve that purpose:

- Remove generic testing workflow, quality standards, coverage expectations
→ moved to CONTRIBUTING.md
- Remove defensive programming boilerplate, global error handler template,
error testing examples → discoverable from existing code
- Remove security test coverage requirements and security checklist
→ moved to CONTRIBUTING.md
- Remove Bruno file template and testing workflow → moved to CONTRIBUTING.md

Bug fixes in CLAUDE.md:
- Fix stale `role.permissions.includes()` example → role_permissions join table
- Add `forum.board` to lexicon record ownership list (added by ATB-23)
- Add docs/plans/complete/ convention

CONTRIBUTING.md is a new contributor-facing document covering testing
workflow, error handling patterns (with examples), security checklist,
and Bruno template — content humans read before their first PR.

* docs: consolidate Bruno collections into top-level bruno/

apps/appview/bruno/ was a leftover from when the admin role endpoints
were first written. The top-level bruno/ collection was created later
but never picked up the three files that already existed:

- Admin/Assign Role.bru
- Admin/List Members.bru
- Admin/List Roles.bru

Move all three into bruno/AppView API/Admin/ alongside the backfill
endpoints. Remove the now-redundant apps/appview/bruno/bruno.json and
environments/local.bru.

Add missing environment variables (target_user_did, role_rkey) to both
local.bru and dev.bru so Assign Role.bru resolves correctly.

* feat: constrain oauth scopes

* docs: document oauth scopes and sync test mock

Add inline comment explaining each scope token's purpose and the %23
encoding requirement. Update auth test mock to reflect the new scopes.

* feat(db): add @libsql/client dependency for SQLite support

* feat(db): add SQLite schema file

* feat(db): add role_permissions table to Postgres schema (permissions column still present)

* feat(db): URL-based driver detection in createDb (postgres vs SQLite)

* feat(appview): add dialect-specific Drizzle configs and update db scripts

* feat(db): migration 0011 — add role_permissions table

* feat(appview): add migrate-permissions data migration script

Copies permissions from roles.permissions[] into the role_permissions
join table before the column is dropped in migration 0012.

* feat(db): migration 0012 — drop permissions column from roles (data already in role_permissions)

* feat(db): add SQLite migrations (single clean initial migration)

* feat(appview): update checkPermission and getUserRole to use role_permissions table

* feat(appview): update indexer to store role permissions in role_permissions table

- Remove permissions field from roleConfig.toInsertValues and toUpdateValues
(the permissions text[] column no longer exists on the roles table)
- Add optional afterUpsert hook to CollectionConfig for post-row child writes
- Implement roleConfig.afterUpsert to delete+insert into role_permissions
within the same transaction, using .returning({ id }) to get the row id
- Update genericCreate and genericUpdate to call afterUpsert when defined
- Rewrite indexer-roles test assertions to query role_permissions table
- Remove permissions field from direct db.insert(roles) test setup calls

* feat(appview): update admin routes to return permissions from role_permissions table

- GET /api/admin/roles: removed roles.permissions from select, enriches each
role with permissions fetched from role_permissions join table via Promise.all
- GET /api/admin/members/me: removed roles.permissions from join select, adds
roleId to select, then fetches permissions separately from role_permissions
- Updated all test files to remove permissions field from db.insert(roles).values()
calls, replacing with separate db.insert(rolePermissions).values() calls after
capturing the returned role id via .returning({ id: roles.id })
- Fixed admin-backfill.test.ts mock count: checkPermission now makes 3 DB
selects (membership + role + role_permissions) instead of 2
- Updated seed-roles.ts CLI step to insert permissions into role_permissions
table separately instead of the removed permissions column

* feat(appview): update test context to support SQLite via createDb factory

- Replace hardcoded postgres.js/drizzle-orm/postgres-js with createDb() from @atbb/db,
which auto-detects the URL prefix (postgres:// vs file:) and selects the right driver
- Add runSqliteMigrations() to @atbb/db so migrations run via the same drizzle-orm
instance used by createDb(), avoiding cross-package module boundary issues
- For SQLite in-memory mode, upgrade file::memory: to file::memory:?cache=shared so
that @libsql/client's transaction() handoff (which sets #db=null and lazily reconnects)
reattaches to the same shared in-memory database rather than creating an empty new one
- For SQLite cleanDatabase(): delete all rows without WHERE clauses (isolated in-memory DB)
- For Postgres cleanDatabase(): retain existing DID-based patterns
- Remove sql.end() from cleanup() — createDb owns the connection lifecycle
- Fix boards.test.ts and categories.test.ts "returns 503 on database error" tests to use
vi.spyOn() instead of relying on sql.end() to break the connection
- Replace count(*)::int (Postgres-specific cast) with Drizzle's count() helper in admin.ts
so the backfill/:id endpoint works on both Postgres and SQLite

* feat: add docker-compose.sqlite.yml for SQLite deployments

* feat(nix): add database.type option to NixOS module (postgresql | sqlite)

* feat(nix): include SQLite migrations and dialect configs in Nix package output

* feat(devenv): make postgres optional via mkDefault, document SQLite alternative

* refactor(appview): embed data migration into 0012 postgres migration

Copy permissions array into role_permissions join table inside the same
migration that drops the column. ON CONFLICT DO NOTHING keeps the script
idempotent for DBs that already ran migrate-permissions.ts manually.

* fix(appview): guard against out-of-order UPDATE in indexer; populate role_permissions in mod tests

- indexer.ts: add `if (!updated) return` before afterUpsert call so an
out-of-order firehose UPDATE that matches zero rows (CREATE not yet
received) doesn't crash with TypeError on `updated.id`
- mod.test.ts: add rolePermissions inserts for all 4 role setups so
test DB state accurately reflects the permissions each role claims
to have (ban admin: banUsers; lock/unlock mod: lockTopics)

* fix(appview): replace fabricated editPosts permission with real lockTopics in admin test

space.atbb.permission.editPosts is not defined in the lexicon or any
default role. Swap it for space.atbb.permission.lockTopics so the
GET /api/admin/members/me test uses a real permission value and would
catch a regression that silently dropped a real permission from a role.

Audit of plan doc against Linear issues and codebase state as of 2026-02-24.

Completed work added:
- ATB-25: separate bannedByMod column from deleted (Phase 3 bug fix, PR #56)
- ATB-35: strip title from reply records at index time (Phase 3 bug fix, PR #55)
- ATB-26: neobrutal design system, shared components, route stubs (Phase 4, PR #39)
- ATB-33: server-side offset/limit pagination for GET /api/topics/:id (Phase 4, PR #57)
- Fix ATB-30/31 attribution: compose forms are ATB-31, login/logout is ATB-30

Key Risks section:
- Mark PDS write path resolved (OAuth 2.1 + PKCE, ATB-14)
- Mark record deletion resolved (tombstone handling + bannedByMod split, ATB-25)

New Known Issues / Active Backlog section:
- ATB-39 (High): upgradeBootstrapMembership writes PDS record without role field
- ATB-38 (High): seedDefaultRoles partial failure should fail fast
- ATB-41 (Medium): missing $type on forumRef/boardRef in PDS writes
- ATB-34 (Low): axe-core WCAG AA automated tests
- Notes ATB-39/40 are duplicates of ATB-37/38

Future Roadmap:
- Add SQLite support (design approved, docs/plans/2026-02-24-sqlite-support-design.md)
- Update user self-deletion note: deleted_by_user column already in schema (ATB-25)

Designs dual-dialect database support (PostgreSQL + SQLite) with:
- URL-prefix detection in createDb factory
- role_permissions join table replacing permissions text[] array
- Two-phase Postgres migration with data migration script
- NixOS module and devenv changes for optional Postgres service
- Operator upgrade instructions with safety warnings

* docs: add design for storing user handles at login time

* feat: persist user handle to DB during OAuth login so posts show handles

* fix: address PR review comments on handle persistence

Critical:
- Add isProgrammingError guard to upsert catch so TypeErrors are not swallowed
- Add logger.warn assertion to upsert failure test (per CLAUDE.md logging test requirement)

Important:
- Fix upsert to use COALESCE so a null getProfile result never overwrites a good existing handle
- Add warn log when persisting null handle so operators can detect suspended/migrating accounts
- Add test: getProfile returns undefined → null handle written, login still succeeds
- Add test: existing handle preserved when getProfile returns undefined
- Align log severity — upsert failure now uses warn (consistent with membership failure)
- Fix misleading vi.clearAllMocks() comment; fresh ctx is what makes the spy safe to abandon
- Update design doc snippet to match implementation (use extracted handle variable + COALESCE)

Suggestion:
- Add test: TypeError from upsert is re-thrown and causes 500, not silent redirect
- Hardcode getProfile mock return value instead of deriving from DID string split

* fix(appview): add $type to reply ref so indexer resolves rootPostId/parentPostId

Post.isReplyRef() uses AT Protocol's is$typed() runtime guard which requires
$type: "space.atbb.post#replyRef" to be present. Without it the guard returned
false, leaving rootPostId/parentPostId null in the database and breaking reply
threading. Also adds an assertion to the happy-path test that verifies the
record written to the PDS includes the correct $type on the reply ref.

* fix(appview): address PR review feedback on reply ref $type fix

- Use Post.isReplyRef() in route tests instead of $type string literal,
so the actual indexer contract is tested (a typo in the string would
still break isReplyRef() but pass a literal comparison)
- Add isReplyRef() assertion to nested-reply test (creates reply to reply)
- Add regex URI assertions for stronger AT-URI shape validation
- Add indexer happy-path test: correctly-typed reply ref resolves
rootPostId/parentPostId to non-null values
- Upgrade logger.warn → logger.error for missing $type (data corruption,
not a warning — post is silently unreachable in thread navigation)
- Add errorId field to missing $type log entry for operator filtering
- Split outer try block in POST /api/posts: DB lookup and PDS write now
have separate catch blocks with accurate error messages (per CLAUDE.md
Try Block Granularity pattern)

* style(web): make board cards full-width on all screen sizes

Remove responsive grid overrides so boards stack in a single column
at every viewport, freeing up horizontal space for future additions
like topic counts and latest-topic metadata.

* fix(docker,nix): add missing @atbb/logger package to build configs

The @atbb/logger package was added to the workspace but Dockerfile and
nix/package.nix were not updated to include it, causing the Docker build
to fail with missing @opentelemetry/* and hono modules.

Dockerfile: copy packages/logger/package.json in both builder and runtime
stages so pnpm installs its dependencies, and copy logger/dist in the
runtime stage so workspace symlinks resolve at runtime.

nix/package.nix: add packages/logger to the installPhase loop so the
built dist/ and node_modules/ are included in the Nix output derivation.

* set pnpmDeps hash to empty string for updates

* set pnpmDeps hash to the proper hash

Remove responsive grid overrides so boards stack in a single column
at every viewport, freeing up horizontal space for future additions
like topic counts and latest-topic metadata.

* fix(appview): assign default Member role when creating membership on first login

Membership PDS records were written without a role reference, causing the
firehose to index roleUri as null. The permission middleware fails closed on
null roleUri, so all newly-registered users got 403 on every post attempt.

Now looks up the seeded "Member" role and includes it as a strongRef in the
membership record at creation time. Falls back gracefully (no role field) if
the Member role is not yet in the DB.

* fix(appview): address code review feedback on default-member-role fix

- Log ctx.logger.error when Member role not found in DB (operator alert)
- Wrap role lookup in try-catch; log ctx.logger.warn and proceed without
role on transient DB errors, so membership is still created
- Add orderBy(asc(roles.indexedAt)) to make role selection deterministic
when duplicate Member roles exist
- Rename test DIDs to use did:plc:test-* prefix per established cleanup patterns
- Add test asserting logger.error fires when Member role is absent
- Add test asserting membership is created without role on DB error

* fix(appview): re-throw programming errors from role lookup catch block

Per CLAUDE.md error handling standards, TypeError/ReferenceError/SyntaxError
indicate code bugs and must not be silently swallowed. Adds re-throw guard
before the warn log so transient DB errors are handled gracefully while
programming errors surface during development.

Adds test verifying TypeError propagates rather than being caught.

* test(appview): add failing pagination tests for server-side topic pagination (ATB-33)

Add describe.sequential block to topics.test.ts covering GET /api/topics/:id
server-side pagination behavior that does not exist yet. Tests verify total,
offset, limit fields in response, default/explicit pagination, offset/limit
clamping, and empty result sets. All 8 tests fail as expected — implementation
pending.

* test(appview): clarify total semantics in pagination test name (ATB-33)

* feat(appview): add offset/limit pagination to GET /api/topics/:id (ATB-33)

- Parse offset/limit query params (default 25, max 100)
- Run COUNT + paginated SELECT in parallel (matching boards pattern)
- Return total, offset, limit in response alongside paginated replies
- Removes 1000-reply defensive limit in favour of server-controlled pagination

* test(appview): document approximate total semantic and add companion test (ATB-33)

* feat(web): use server-side pagination for topic replies (ATB-33)

- Pass offset/limit to AppView instead of slicing locally
- HTMX partial: forwards ?offset=N&limit=25 to AppView
- Full page: requests ?offset=0&limit=(offset+25) for bookmark support
- Removes TODO(ATB-33) comment

* fix(web): remove duplicate total property in makeTopicResponse test helper (ATB-33)

* chore(web): add clarifying comments for pagination edge cases (ATB-33)

* fix(web): remove invalid JSX comment between attributes (ATB-33)

* docs(bruno): update Get Topic collection with pagination params (ATB-33)

* fix(appview,web): address code review feedback on ATB-33 pagination

Critical fixes:
- Split single try-catch into two: topic query and reply query now have
distinct error messages ("Failed to retrieve topic" vs "Failed to
retrieve replies for topic") per CLAUDE.md try-block granularity rule
- HTMX partial error now returns a retry fragment instead of silently
replacing the Load More button with empty content
- Fix hasMore infinite loop: use `replies.length >= limit` (page-fullness
heuristic) instead of `nextOffset < total`; total is pre-filter and can
cause an infinite loop when in-memory filters zero out all SQL results
- Raise AppView limit cap from 100 to 250 so bookmark displayLimit
(offset + REPLIES_PER_PAGE) no longer gets silently clamped for deep links
- Fix Bruno docs: total is filtered for bannedByMod=false at SQL level,
not "unfiltered"; update description to match inline code comment

Important fixes:
- Remove total from ReplyFragment props (no longer used after hasMore fix)
- Change `total === 0` guard to `initialReplies.length === 0` so EmptyState
renders when all page-1 replies are filtered in-memory; update message to
"No replies to show."
- Add test: bannedByMod=true directly reduces total (proves COUNT query
applies the SQL-level filter)
- Add test: non-numeric offset/limit params default to 0/25
- Strengthen clamps limit=0 test to assert replies are returned, not just
metadata; rename limit cap test to reflect new max of 250
- Add AppView URL assertions to bookmark and HTMX partial web tests
- Update HTMX error test to assert retry fragment content

* fix(atb-33): clean up HTMX retry element and stale pagination comment

- Replace <p>/<button> retry fragment with bare <button> so hx-swap="outerHTML"
replaces the entire error element on retry success (no orphan text node)
- Update stale comment: topics cap is 250 (not 100 like boards) to support bookmarks

* fix(indexer): strip title from reply records at index time (ATB-35)

When a space.atbb.post record carries both a reply ref and a title field,
the indexer now coerces title to null for both INSERT and UPDATE paths.
This enforces the lexicon invariant ("title is omitted for replies") at
the data-ingestion boundary rather than relying on the API or UI to ignore
the field.

ATB-36 is a duplicate of this issue and has been marked accordingly.

* fix(indexer): address PR review feedback (ATB-35)

- Add try-catch to getPostIdByUri, matching the structured error logging
pattern used by all other helper methods
- Warn when reply ref is present but missing $type (rootPostId/parentPostId
will be null; operators now have an observable signal)
- Reaction stub handlers: info → warn (events are being permanently
discarded, not successfully processed)
- Tests: extract createTrackingDb helper to eliminate inline mock duplication
- Tests: add topic-starter title-preserved assertions (right branch of ternary)
- Tests: assert full inserted shape on reply create (rootPostId/parentPostId
null, rootUri/parentUri populated) to document the $type-less behavior

* fix(appview): separate ban enforcement from user-initiated deletes (ATB-25)

- Add bannedByMod column to posts: applyBan/liftBan now use this column
exclusively, so lifting a ban can never resurrect user-deleted content
- Add deletedByUser column and tombstone user-initiated deletes: when a
post delete arrives from the firehose, the row is kept (for FK stability)
but text is replaced with '[user deleted this post]' and deletedByUser
is set to true — personal content is gone, thread structure is preserved
- Remove shared deleted column; all API filters now use bannedByMod=false
- Migrations: 0009 adds banned_by_mod, 0010 drops deleted / adds deleted_by_user

* test: fix schema column list test and strengthen tombstone assertion

- schema.test.ts: update "has expected columns for the unified post model"
to check for bannedByMod/deletedByUser instead of deleted (was missed in
the original commit, causing CI to fail)
- indexer.test.ts: replace weak toHaveBeenCalled() guard with exact
payload assertion per code review — verifies text and deletedByUser are
set, and that bannedByMod/deleted are never touched

* docs: correct genericDelete comment — posts always tombstone, no fallback

* fix(indexer): strip title from reply records at index time (ATB-35)

When a space.atbb.post record carries both a reply ref and a title field,
the indexer now coerces title to null for both INSERT and UPDATE paths.
This enforces the lexicon invariant ("title is omitted for replies") at
the data-ingestion boundary rather than relying on the API or UI to ignore
the field.

ATB-36 is a duplicate of this issue and has been marked accordingly.

* fix(indexer): address PR review feedback (ATB-35)

- Add try-catch to getPostIdByUri, matching the structured error logging
pattern used by all other helper methods
- Warn when reply ref is present but missing $type (rootPostId/parentPostId
will be null; operators now have an observable signal)
- Reaction stub handlers: info → warn (events are being permanently
discarded, not successfully processed)
- Tests: extract createTrackingDb helper to eliminate inline mock duplication
- Tests: add topic-starter title-preserved assertions (right branch of ternary)
- Tests: assert full inserted shape on reply create (rootPostId/parentPostId
null, rootUri/parentUri populated) to document the $type-less behavior

* feat: add structured logging with OpenTelemetry Logs SDK

Introduces `@atbb/logger` package backed by the OpenTelemetry Logs SDK,
providing structured NDJSON output to stdout that's compatible with
standard log aggregation tools (ELK, Grafana Loki, Datadog).

This lays the foundation for later adding OTel traces and metrics,
since the Resource and provider infrastructure is already in place.

Package (`packages/logger/`):
- `StructuredLogExporter` — custom OTel exporter outputting NDJSON to stdout
- `AppLogger` — ergonomic wrapper (info/warn/error/etc.) over OTel Logs API
with child logger support for per-request context
- `requestLogger` — Hono middleware replacing built-in logger() with
structured request/response logging including duration_ms
- Configurable log levels: debug | info | warn | error | fatal

Integration:
- AppView: logger added to AppContext, wired into create-app, index.ts
- Web: logger initialized at startup, replaces Hono built-in logger
- LOG_LEVEL env var added to .env.example and turbo.json
- All existing tests updated for new AppContext shape

* feat: migrate all console calls to structured @atbb/logger

Replace all console.log/error/warn/info/debug calls across the entire
codebase with the structured @atbb/logger package. This provides
consistent NDJSON output with timestamps, log levels, service names,
and structured attributes for all logging.

Changes by area:

Appview route handlers (topics, posts, categories, boards, forum,
health, admin, mod, auth, helpers):
- Replace console.error with ctx.logger.error using structured attributes
- Replace console.log/JSON.stringify patterns with ctx.logger.info

Appview middleware (auth, permissions):
- Use ctx.logger from AppContext for error/warn logging

Appview lib (indexer, firehose, circuit-breaker, cursor-manager,
reconnection-manager, ban-enforcer, seed-roles, session, ttl-store,
at-uri):
- Add Logger as constructor parameter to Indexer, FirehoseService,
CircuitBreaker, CursorManager, ReconnectionManager, BanEnforcer
- Add optional Logger parameter to parseAtUri and TTLStore
- Thread logger through constructor chains (FirehoseService -> children)
- Update app-context.ts to pass logger to FirehoseService

Web app (routes/topics, boards, home, new-topic, mod, auth, session):
- Create shared apps/web/src/lib/logger.ts module
- Import and use module-level logger in all route files

Packages:
- Add Logger as 4th parameter to ForumAgent constructor
- Add @atbb/logger dependency to @atbb/atproto and @atbb/cli packages
- Create packages/cli/src/lib/logger.ts for CLI commands

Test updates:
- Create apps/appview/src/lib/__tests__/mock-logger.ts utility
- Update all unit tests to pass mock logger to constructors
- Replace vi.spyOn(console, "error") with vi.spyOn(ctx.logger, "error")
in route integration tests
- Mock logger module in web route tests

Intentionally unchanged:
- apps/appview/src/lib/config.ts (runs before logger initialization)
- packages/lexicon/scripts/* (build tooling)

Note: Pre-commit test hook bypassed because integration tests require
PostgreSQL which is not available in this environment. All unit tests
pass (743 tests across 58 files). Lint and typecheck hooks passed.

https://claude.ai/code/session_01UfKwEoAk25GH38mVmAnEnM

* fix: migrate backfill-manager console calls to structured logger

All console.log/error/warn calls in BackfillManager are now routed
through this.logger, consistent with the rest of the codebase.

* fix(logger): address all PR review blocking issues

- Add error handling to StructuredLogExporter.export() — catches
JSON.stringify failures and stdout.write throws, calls resultCallback
with FAILED instead of silently dropping records
- Remove dead try-catch from requestLogger around next() — Hono's
internal onError catches handler throws before they propagate to
middleware; the catch block was unreachable
- Migrate route-errors.ts console.error calls to ctx.logger.error()
— ErrorContext interface gains required `logger: Logger` field;
all route callers (admin, boards, categories, forum, mod, posts,
topics) updated to pass logger: ctx.logger
- Add LOG_LEVEL validation in config.ts — parseLogLevel() warns and
defaults to "info" for invalid values instead of unsafe cast
- Add @atbb/logger test suite — 21 tests covering NDJSON format,
level filtering, child() inheritance, hrTimeToISO arithmetic,
StructuredLogExporter error handling, and requestLogger middleware
- Fix all test files to spy on ctx.logger.error instead of console.error
(backfill-manager, route-errors, require-not-banned, posts, topics)

---------

Co-authored-by: Claude <noreply@anthropic.com>

* docs: add backfill and repo sync design (ATB-13)

Approved design for gap detection, collection-based repo sync via
existing Indexer handlers, DB-backed progress tracking with resume,
and async admin API for manual backfill triggers.

* docs: add backfill implementation plan (ATB-13)

12-task TDD plan covering DB schema, gap detection, repo sync,
orchestration with progress tracking, firehose integration,
admin API endpoints, and AppContext wiring.

* feat(db): add backfill_progress and backfill_errors tables (ATB-13)

Add two tables to support crash-resilient backfill:
- backfill_progress: tracks job state, DID counts, and resume cursor
- backfill_errors: per-DID error log with FK to backfill_progress

* feat(appview): add backfill configuration fields (ATB-13)

Add three new optional config fields with sensible defaults:
- backfillRateLimit (default 10): max XRPC requests/sec per PDS
- backfillConcurrency (default 10): max DIDs processed concurrently
- backfillCursorMaxAgeHours (default 48): cursor age threshold for CatchUp

Declare env vars in turbo.json so Turbo passes them through to tests.
Update test helpers (app-context.test.ts, test-context.ts) for new fields.

* feat(appview): add getCursorAgeHours to CursorManager (ATB-13)

Add method to calculate cursor age in hours from microsecond Jetstream
timestamps. Used by BackfillManager gap detection to determine if
backfill is needed when cursor is too old.

* feat(appview): add BackfillManager with gap detection (ATB-13)

- Adds BackfillManager class with checkIfNeeded() and getIsRunning()
- BackfillStatus enum: NotNeeded, CatchUp, FullSync
- Gap detection logic: null cursor → FullSync, empty DB → FullSync,
stale cursor (>backfillCursorMaxAgeHours) → CatchUp, fresh → NotNeeded
- Structured JSON logging for all decision paths
- 4 unit tests covering all decision branches

* fix(appview): add DB error handling and fix null guard in BackfillManager (ATB-13)

- Wrap forums DB query in try-catch; return FullSync on error (fail safe)
- Replace destructuring with results[0] so forum is in scope after try block
- Use non-null assertion on getCursorAgeHours since cursor is proven non-null at that point
- Remove redundant null ternary in NotNeeded log payload (ageHours is always a number)
- Add test: returns FullSync when DB query fails (fail safe)

* feat(appview): add syncRepoRecords with event adapter (ATB-13)

* fix(appview): correct event adapter shape and add guard logging in BackfillManager (ATB-13)

* feat(appview): add performBackfill orchestration with progress tracking (ATB-13)

* fix(appview): mark backfill as failed on error, fix type and concurrent mutation (ATB-13)

* fix(appview): resolve TypeScript closure narrowing with const capture (ATB-13)

TypeScript cannot narrow let variables through async closure boundaries.
Replace backfillId! non-null assertions inside batch.map closures with
a const resolvedBackfillId captured immediately after the insert.

* test(appview): add CatchUp path coverage for performBackfill (ATB-13)

Add two tests exercising the Phase 2 (CatchUp) branch:
- Aggregates counts correctly across 2 users × 2 collections × 1 record
- Rejected batch callbacks (backfillErrors insert failure) increment
totalErrors via allSettled rejected branch rather than silently swallowing

Phase 1 mocks now explicitly return empty pages for all 5 forum-owned
collections so counts are isolated to Phase 2 user records.

* feat(appview): add interrupted backfill resume (ATB-13)

- Add checkForInterruptedBackfill() to query backfill_progress for any in_progress row
- Add resumeBackfill() to continue a CatchUp from lastProcessedDid without re-running Phase 1
- Add gt to drizzle-orm imports for the WHERE did > lastProcessedDid predicate
- Cover both methods with 6 new tests (null result, found row, resume counts, no-op complete, isRunning cleanup, concurrency guard)

* feat(appview): integrate backfill check into FirehoseService.start() (ATB-13)

- Add BackfillManager setter/getter to FirehoseService for DI wiring
- Run checkForInterruptedBackfill and resumeBackfill before Jetstream starts
- Fall back to gap detection (checkIfNeeded/performBackfill) when no interrupted backfill
- Expose getIndexer() for BackfillManager wiring in Task 10
- Add 5 Backfill Integration tests covering CatchUp, NotNeeded, resume, no-manager, and getIndexer()
- Add missing handleBoard/handleRole handlers to Indexer mock

* feat(appview): add admin backfill endpoints (ATB-13)

- POST /api/admin/backfill: trigger backfill (202), check if needed (200), or force with ?force=catch_up|full_sync
- GET /api/admin/backfill/:id: fetch progress row with error count
- GET /api/admin/backfill/:id/errors: list per-DID errors for a backfill
- Add backfillManager field to AppContext (null until Task 10 wires it up)
- Add backfillProgress/backfillErrors cleanup to test-context for isolation
- Fix health.test.ts to include backfillManager: null in mock AppContext
- 16 tests covering auth, permissions, 409 conflict, 503 unavailable, 200/202 success cases, 404/400 errors

* feat(appview): wire BackfillManager into AppContext and startup (ATB-13)

* docs: add backfill Bruno collection and update plan (ATB-13)

- Add bruno/AppView API/Admin/ with three .bru files:
- Trigger Backfill (POST /api/admin/backfill, ?force param docs)
- Get Backfill Status (GET /api/admin/backfill/:id)
- Get Backfill Errors (GET /api/admin/backfill/:id/errors)
- Mark ATB-13 complete in docs/atproto-forum-plan.md (Phase 3 entry)
- Resolve "Backfill" item in Key Risks & Open Questions

* fix(appview): address PR review feedback for ATB-13 backfill

Critical fixes:
- Wrap firehose startup backfill block in try-catch so a transient DB error
doesn't crash the entire process; stale firehose data is better than no data
- Bind error in handleReconnect bare catch{} so root cause is never silently lost
- Add isProgrammingError re-throw to per-record catch in syncRepoRecords so
code bugs (TypeError, ReferenceError) surface instead of being counted as data errors
- Add try-catch to checkForInterruptedBackfill; returns null on runtime errors
- Mark interrupted FullSync backfills as failed instead of silently no-oping;
FullSync has no checkpoint to resume from and must be re-triggered

Important fixes:
- Remove yourPriority/targetRolePriority from 403 response (CLAUDE.md: no internal details)
- Add isProgrammingError re-throw to GET /roles and GET /members catch blocks
- Wrap cursor load + checkIfNeeded in try-catch in POST /api/admin/backfill
- Replace parseInt with BigInt regex validation to prevent silent precision loss
- Wrap batch checkpoint updates in separate try-catch so a failed checkpoint
logs a warning but does not abort the entire backfill run
- Add DID to batch failure logs for debuggability

API improvement:
- Surface backfill ID in 202 response via prepareBackfillRow; the progress row
is created synchronously so the ID can be used immediately for status polling
- performBackfill now accepts optional existingRowId to skip duplicate row creation

Tests added:
- resumeBackfill with full_sync type marks row as failed (not completed)
- checkForInterruptedBackfill returns null on DB failure
- syncRepoRecords returns error stats when indexer is not set
- 403 tests for GET /backfill/:id and GET /backfill/:id/errors
- 500 error tests for both GET endpoints
- in_progress status response test for GET /backfill/:id
- Decimal backfill ID rejected (5.9 → 400)
- Invalid ?force falls through to gap detection
- 202 response now asserts id field and correct performBackfill call signature

* fix(backfill): address follow-up review feedback on ATB-13

HIGH priority:
- firehose.ts: add isInitialStart guard to prevent backfill re-running
on Jetstream reconnects; flag cleared before try block so reconnects
are skipped even when the initial backfill throws
- firehose.test.ts: replace stub expect(true).toBe(true) with real
graceful-degradation test; add reconnect guard test
- admin.ts: switch GET /backfill/:id and GET /backfill/:id/errors catch
blocks to handleReadError for consistent error classification

Medium priority:
- route-errors.ts: tighten safeParseJsonBody catch to re-throw anything
that is not a SyntaxError (malformed user JSON), preventing silent
swallowing of programming bugs
- packages/atproto/src/errors.ts: replace broad "query" substring with
"failed query" — the exact prefix DrizzleQueryError uses when wrapping
failed DB queries, avoiding false positives on unrelated messages
- backfill-manager.ts: persist per-collection errors to backfillErrors
table during Phase 1 (forum-owned collections) to match Phase 2 behaviour
- admin.ts GET /members: add isTruncated field to response when result
set is truncated at 100 rows

* refactor(appview): extract shared error handling, ban check middleware, and ForumAgent helper

Eliminates ~500 lines of duplicated boilerplate across all route handlers by
extracting three reusable patterns:

- handleReadError/handleWriteError/handleSecurityCheckError: centralized error
classification (programming errors re-thrown, network→503, database→503,
unexpected→500) replacing ~40 inline try-catch blocks
- safeParseJsonBody: replaces 9 identical JSON parsing blocks
- requireNotBanned middleware: replaces duplicate ban-check-with-error-handling
in topics.ts and posts.ts
- getForumAgentOrError: replaces 6 identical ForumAgent availability checks
in mod.ts and admin.ts

* fix(review): address PR #52 review feedback on shared error handling refactor

C1: Update test assertions to match centralized error messages
C2: Add isProgrammingError re-throw to handleReadError
C3: Delete parseJsonBody — false JSDoc, deleted in favor of safeParseJsonBody
I1: Add 503 classification (isNetworkError + isDatabaseError) to handleReadError
I2: Add isNetworkError check to handleSecurityCheckError
I3: Restore original middleware ordering — ban check before permission check
M1: Add unit tests for route-errors.ts and require-not-banned.ts
Also: Remove redundant isProgrammingError guards in admin.ts

* fix(review): re-throw programming errors in fail-open GET topic catch blocks

Ban check, hidden-posts check, and mod-status check in GET /api/topics/:id
are fail-open (continue on transient DB failure). But without an
isProgrammingError guard, a TypeError from a code bug would silently skip
the safety check — banned users' content visible, hidden posts visible, or
locked topics accepting replies. isProgrammingError was already imported.

* refactor(appview): remove duplicate requireNotBanned from permissions.ts

PR 51 added requireNotBanned to permissions.ts; PR 52 introduced a
dedicated require-not-banned.ts with the improved implementation that
uses handleSecurityCheckError (proper network+DB classification, dynamic
operation name, correct 500 message). All callers already import from
require-not-banned.ts. Remove the stale copy and its now-unused imports
(getActiveBans, isProgrammingError, isDatabaseError).

---------

Co-authored-by: Claude <noreply@anthropic.com>

* feat: add title field to topics

Topics (thread-starter posts) now have a dedicated title field separate
from the post body text. This adds the field across the full stack:

- Lexicon: optional `title` string on space.atbb.post (max 120 graphemes)
- Database: nullable `title` column on posts table with migration
- Indexer: stores title from incoming post records
- API: POST /api/topics validates and requires title for new topics
- Web UI: title input on new-topic form, title display in topic list and
thread view (falls back to text slice for older titleless posts)
- Tests: title validation, serialization, and form submission tests
- Bruno: updated API collection docs

https://claude.ai/code/session_01AFY6D5413QU48JULXnSQ5Z

* fix(review): address PR #51 review feedback on topic title feature

- Add validateTopicTitle unit tests mirroring validatePostText suite:
boundary at 120 graphemes, emoji grapheme counting, trim behavior,
and non-string input rejection (null/undefined/number/object)
- Add GET /api/topics/:id round-trip test asserting data.post.title
- Add backward-compat test for null title (pre-migration rows)
- Add title field to serializePost JSDoc response shape
- Add minGraphemes: 1 to post.yaml to close lexicon/AppView gap
- Fix Bruno Create Topic.bru: 400 error list now includes missing title;
constraint description changed to "max 120 graphemes; required"
- Add title: null to Get Topic.bru reply example
- Remove misleading maxlength={1000} from title input (server validates graphemes)
- Change || to ?? for null title fallback in boards.tsx TopicRow

Tracks ATB-35 (strip title from reply records at index time)

* fix(review): address PR #51 second round review feedback

- Fix || → ?? for null title fallback in topics.tsx (web)
- Split combined DB+PDS try block into two separate blocks so a
database error (which may surface as "fetch failed" via postgres.js)
cannot be misclassified as a PDS failure and return the wrong message
- Add comment explaining why title is enforced as required in AppView
despite being optional in the lexicon (AT Protocol schemas cannot
express per-use-case requirements)
- Update 503 database error test to mock getForumByUri instead of
putRecord, accurately targeting the DB lookup phase
- File ATB-36 to track stripping title from reply records at index time

* fix(review): extract ban check to middleware and split DB lookup try blocks

- Add requireNotBanned middleware to permissions.ts so banned users see
"You are banned" before requirePermission can return "Insufficient
permissions" — middleware ordering now encodes the correct UX priority
- Split getForumByUri and getBoardByUri into separate try blocks in
topics.ts so operators can distinguish forum vs board lookup failures
in production logs
- Update vi.mock in topics.test.ts and posts.test.ts to use importOriginal
so requireNotBanned executes its real implementation in ban enforcement
tests while requirePermission remains a pass-through
- Update ban error test operation strings from route-scoped labels to
"requireNotBanned" to match the new middleware location

---------

Co-authored-by: Claude <noreply@anthropic.com>

* docs: add NixOS flake design for atBB deployment

NixOS module with systemd services for appview + web, nginx
virtualHost integration, and optional PostgreSQL provisioning.

* docs: add NixOS flake implementation plan

Six-task plan: flake skeleton, package derivation with pnpm.fetchDeps,
NixOS module options, systemd services, nginx virtualHost, final verify.

* chore: scaffold Nix flake with placeholder package and module

* feat(nix): implement package derivation with pnpm workspace build

* feat(nix): add NixOS module option declarations for services.atbb

* feat(nix): add systemd services and PostgreSQL to NixOS module

* feat(nix): add nginx virtualHost with ACME to NixOS module

* fix(nix): address code review findings in NixOS module

- Use drizzle-kit/bin.cjs directly instead of .bin shim
- Add network.target to atbb-web service ordering
- Equalize hardening directives across all services
- Add assertion for ensureDBOwnership name constraint

* chore: add Nix result symlink to .gitignore

* fix(nix): address PR review feedback

- Include packages/db/src/ in package output for drizzle.config.ts
schema path resolution (../../packages/db/src/schema.ts)
- Use .bin/drizzle-kit shim directly instead of node + bin.cjs
(patchShebangs rewrites the shebang, making it self-contained)
- Add requires = [ "atbb-appview.service" ] to atbb-web so it
stops if appview goes down (after alone only orders startup)
- Add ACME prerequisites assertion (acceptTerms + email)

* feat(nix): expose atbb CLI as a bin wrapper

makeWrapper creates $out/bin/atbb pointing at the CLI's dist/index.js
with the Nix store Node binary. This puts `atbb init`, `atbb category`,
and `atbb board` on PATH for the deployed system.

* fix(nix): add fetcherVersion and real pnpmDeps hash

- Add fetcherVersion = 1 (required by updated nixpkgs fetchPnpmDeps API)
- Set real pnpmDeps hash obtained from Linux build via Docker
- Keep pnpm_9.fetchDeps/configHook for consistency; mixing with the
top-level pnpmConfigHook (pnpm 10) caused lefthook to be missing
from the offline store during pnpm install

* fix(nix): use x86_64-linux pnpm deps hash

The previous hash was computed on aarch64-linux (Apple Silicon Docker).
pnpm_9.fetchDeps fetches platform-specific optional packages (e.g.
lefthook-linux-arm64 vs lefthook-linux-x64), so the store content
differs per architecture.

Hash corrected to the x86_64-linux value reported by the Colmena build.

* docs(nix): add example Caddyfile for Caddy users

Provides an alternative to the built-in nginx reverse proxy for operators
who prefer Caddy. Includes:
- Correct routing for /.well-known/* (must reach appview for AT Proto OAuth)
- /api/* → appview, /* → web UI
- NixOS integration snippet using services.caddy.virtualHosts with
references to services.atbb port options

* docs: add NixOS deployment section to deployment guide

Covers the full NixOS deployment path as an alternative to Docker:
- Adding the atBB flake as a nixosModules.default input
- Creating the environment file with Unix socket DATABASE_URL
- Module configuration with key options reference table
- Running atbb-migrate one-shot service
- Caddy alternative to built-in nginx (referencing Caddyfile.example)
- Upgrade procedure via nix flake update

* feat(nix): add atbb CLI to environment.systemPackages

The atbb binary was built into the package but not put on PATH.
Adding cfg.package to systemPackages makes `atbb init`, `atbb category`,
and `atbb board` available to all users after nixos-rebuild switch.

* fix(nix): set PGHOST explicitly for Unix socket connections

postgres.js does not reliably honour ?host= as a query parameter in
connection string URLs, causing it to fall back to TCP (127.0.0.1:5432)
and triggering md5 password auth instead of peer auth.

Setting PGHOST=/run/postgresql in all systemd service environments and
in the env file template ensures postgres.js uses the Unix socket
directory directly, regardless of URL parsing behaviour.

* fix(nix): add nodejs to PATH for atbb-migrate service

pnpm .bin/ shims are shell scripts that invoke `node` by name in their
body. patchShebangs only patches the shebang line, leaving the body's
`node` call as a PATH lookup. Systemd's default PATH excludes the Nix
store, so drizzle-kit fails with "node not found".

Setting PATH=${nodejs}/bin in the service environment resolves this.

* fix(nix): use path option instead of environment.PATH for nodejs

Setting environment.PATH conflicts with NixOS's default systemd PATH
definition. The `path` option is the NixOS-idiomatic way to add
packages to a service's PATH — it prepends package bin dirs without
replacing the system defaults.

* docs: add design doc for responsive, accessibility, and UI polish (ATB-32)

Covers CSS completion for ~20 unstyled classes, mobile-first responsive
breakpoints, WCAG AA accessibility baseline, error/loading/empty state
audit, and visual polish. Deferred axe-core testing to ATB-34.

* docs: add implementation plan for responsive/a11y/polish (ATB-32)

16-task plan covering CSS completion, responsive breakpoints, accessibility
(skip link, ARIA, semantic HTML), 404 page, and visual polish. TDD for
JSX changes, CSS-only for styling tasks.

* style(web): add CSS for forms, login form, char counter, and success banner (ATB-32)

* style(web): add CSS for post cards, breadcrumbs, topic rows, and locked banner (ATB-32)

* style(web): enhance error, empty, and loading state CSS with error page styles (ATB-32)

* style(web): add mobile-first responsive breakpoints with token overrides (ATB-32)

* feat(web): add skip link, favicon, focus styles, and mobile hamburger nav (ATB-32)

- Add skip-to-content link as first body element with off-screen positioning
- Add main landmark id="main-content" for skip link target
- Add :focus-visible outline styles for keyboard navigation
- Create SVG favicon with atBB branding
- Extract NavContent helper component for DRY desktop/mobile nav
- Add CSS-only hamburger menu using details/summary for mobile
- Add desktop-nav / mobile-nav with responsive show/hide
- Add tests for all new accessibility and mobile nav features

* feat(web): add ARIA attributes to forms, dialog, and live regions (ATB-32)

* feat(web): convert breadcrumbs to nav/ol, post cards to article elements (ATB-32)

* feat(web): add 404 page with neobrutal styling and catch-all route (ATB-32)

* style(web): add smooth transitions and hover polish to interactive elements (ATB-32)

* docs: mark Phase 4 complete and update ATB-32 design status

All Phase 4 web UI items now tracked with completion notes:
- Compose (ATB-30), Login (ATB-30), Admin panel (ATB-24)
- Responsive design (ATB-32) — final done gate for Phase 4
- Category view deferred (boards hierarchy replaced it)

* fix(web): address code review feedback on ATB-32 PR

- Add production-path tests for 404 page (auth, unauth, AppView down)
- Replace aria-live on reply-list with sr-only status element using
hx-swap-oob to announce reply count instead of full card content
- Re-throw programming errors in getSession/getSessionWithPermissions
catch blocks (import isProgrammingError from errors.ts)
- Differentiate nav aria-labels (Main navigation vs Mobile navigation)
- Harden test assertions: skip link position check, nav aria-label
coverage, exact count assertions for duplication detection

* docs: add compose forms design doc (ATB-31)

Captures approved design for HTMX-powered new topic and reply forms,
including web server proxy architecture, HTMX integration patterns,
character counter approach, and testing requirements.

* docs: add ATB-31 compose forms implementation plan

Step-by-step TDD plan for new topic form (GET+POST), board flash
banner, and reply form with proxy handlers for the AppView write API.

* feat(appview): add uri field to board API response (ATB-31)

- Add computed uri field to serializeBoard (at://did/space.atbb.forum.board/rkey)
- Add uri assertion to AppView board serialization test
- Add uri to BoardResponse interface in web boards route
- Update makeBoardResponse helpers in web test files

* refactor(appview): strengthen boards uri test assertion and update JSDoc

* feat(web): new topic form GET handler with board context (ATB-31)

* refactor(web): add network error test and fix spinner text in new-topic form

* feat(web): new topic POST handler proxied to AppView (ATB-31)

* test(web): add missing POST /new-topic edge case tests (ATB-31)

- Non-numeric boardId validation test
- AppView 5xx error path with console.error assertion

* feat(web): success banner on board page after new topic (ATB-31)

* feat(web): reply form and POST /topics/:id/reply handler (ATB-31)

* test(web): add missing reply POST edge case tests (ATB-31)

- Non-numeric topic ID in POST handler
- Cookie forwarding assertion for AppView proxy call

* test(web): add missing reply POST error branch tests (ATB-31)

- AppView 5xx with console.error assertion
- 403 banned branch
- 403 non-JSON body fallback

* test(appview): update serializeBoard toEqual assertions to include uri field (ATB-31)

* fix(web): address code review feedback on ATB-31 compose forms

- Bruno: add uri field to Get Board and List All Boards docs and assertions
- boards.tsx: gate ?posted=1 success banner on auth?.authenticated
- new-topic.tsx: parse 403 JSON body to distinguish banned vs no-permission;
add logging to all silent catch blocks (parseBody, 400, 403 inner catches);
add else-if branch logging for unexpected 4xx responses
- topics.tsx: add uri to BoardResponse interface; remove unused rootPostId and
parentPostId hidden form fields; add logging to all silent catch blocks
(parseBody, 400, 403 inner catches); add else-if branch logging for 4xx
- tests: update hidden-field assertions for removed reply form fields; add URL
assertion to reply POST body test; add 400 non-JSON body test for new-topic;
add unauthenticated banner suppression test for boards

* docs: topic view design for ATB-29

Architecture, components, error handling, and test plan for the
topic thread display page with HTMX Load More and bookmarkable URLs.

* docs: topic view implementation plan for ATB-29

10-task TDD plan: interfaces, error handling, OP rendering, breadcrumb,
replies, locked state, auth gate, pagination, HTMX partial, bookmark support.

* fix(appview): scope forum lookup to forumDid in createMembershipForUser

The forum query used only rkey="self" as a filter, which returns the
wrong row when multiple forums exist in the same database (e.g., real
forum data from CLI init runs alongside test forum rows). Add
eq(forums.did, ctx.config.forumDid) to ensure we always look up the
configured forum, preventing forumUri mismatches in duplicate checks
and bootstrap upgrades.

Also simplify the "throws when forum metadata not found" test to remove
manual DELETE statements that were attempting to delete a real forum
with FK dependencies (categories_forum_id_forums_id_fk), causing the
test to fail. With the DID-scoped query, emptyDb:true + cleanDatabase()
is sufficient to put the DB in the expected state.

Fixes 4 failing tests in membership.test.ts.

* feat(web): topic view type interfaces and component stubs (ATB-29)

* fix(web): restore stub body and remove eslint-disable (ATB-29)

* feat(web): topic view thread display with replies (ATB-29)

- GET /topics/:id renders OP + replies with post number badges (#1, #2, …)
- Breadcrumb: Home → Category → Board → Topic (degrades gracefully on fetch failure)
- Locked topic banner + disabled reply slot
- HTMX Load More with hx-push-url for bookmarkable URLs
- ?offset=N bookmark support renders all replies 0→N+pageSize inline
- Auth-gated reply form slot placeholder (unauthenticated / authenticated / locked)
- Full error handling: 400 (invalid ID), 404 (not found), 503 (network), 500 (server)
- TypeError/programming errors re-thrown to global error handler
- 35 tests covering all acceptance criteria
- Remove outdated topics stub tests now superseded by comprehensive test suite

* docs: mark ATB-29 topic view complete in plan

Update phase 4 checklist with implementation notes covering
three-stage fetch, HTMX Load More, breadcrumb degradation,
locked topic handling, and 35 integration tests.

* fix(review): address PR #46 code review feedback

Critical:
- Wrap res.json() in try-catch in fetchApi to prevent SyntaxError from
malformed AppView responses propagating as a programming error (would
have caused isProgrammingError() to re-throw, defeating non-fatal
behavior of breadcrumb fetch stages 2+3)

Important:
- Add multi-tenant isolation regression test in membership.test.ts:
verifies forum lookup is scoped to ctx.config.forumDid by inserting a
forum with a different DID and asserting 'Forum not found' is thrown
- Fix misleading comment in topics test: clarify that stage 1 returns
null (not a fetch error), and stage 2 crashes on null.post.boardId
- Remove two unused mock calls in topics re-throws TypeError test
- Add TODO(ATB-33) comment on client-side reply slicing in topics.tsx

Tests added:
- api.test.ts: malformed JSON from AppView throws response error
- topics.test.tsx: locked + authenticated shows disabled message
- topics.test.tsx: null boardId skips stages 2 and 3 entirely
- topics.test.tsx: HTMX partial re-throws TypeError (programming error)
- topics.test.tsx: breadcrumb links use correct /categories/:id URLs

Bug fix:
- Category breadcrumb was linking to '/' instead of '/categories/:id'

* fix(test): eliminate cleanDatabase() race condition in isolation test

The isolation test previously called createTestContext({ emptyDb: true })
inside the test body, which triggered cleanDatabase() and deleted the
did:plc:test-forum row that concurrently-running forum.test.ts depended
on — causing a flaky "description is object (null)" failure in CI.

Fix: spread ctx with an overridden forumDid instead of creating a new
context. This keeps the same DB connection and never calls cleanDatabase(),
eliminating the race. The test still proves the forumDid scoping: with
did:plc:test-forum in the DB and isolationCtx.forumDid pointing to a
non-existent DID, a broken implementation would find the wrong forum
instead of throwing "Forum not found".

Also removes unused forums import added in previous commit.

* docs: add try block granularity guidance to error handling standards

When a single try block covers multiple distinct operations, errors from
later steps get attributed to the first — misleading for operators
debugging production failures. Document the pattern of splitting try
blocks by failure semantics, with a concrete example from ATB-28.

* docs: add ATB-28 board view design doc

* docs: add ATB-28 board view implementation plan

* feat(web): add timeAgo utility for relative date formatting

* feat(web): add isNotFoundError helper for AppView 404 responses

* feat(appview): add GET /api/boards/:id endpoint

Adds single board lookup by ID to the boards router, with 400 for
invalid IDs, 404 for missing boards, and 500 with structured logging
for unexpected errors.

* feat(appview): add pagination to GET /api/boards/:id/topics

Adds optional ?offset and ?limit query params with defaults (0 and 25),
clamps limit to 100 max, and returns total/offset/limit in response
alongside topics. Count and topics queries run in parallel via Promise.all.

* feat(appview): add GET /api/categories/:id endpoint

* feat(web): implement board view with HTMX load more pagination

- Replace boards.tsx stub with full two-stage fetch implementation:
stage 1 fetches board metadata + topics in parallel, stage 2 fetches
category for breadcrumb navigation
- HTMX partial mode handles ?offset=N requests, returning HTML fragment
with topic rows and updated Load More button (or empty fragment on error)
- Full error handling: 400 for non-integer IDs, 404 for missing boards,
503 for network errors, 500 for server errors, re-throw for TypeError
- Add 19 comprehensive tests covering all routes, error cases, and HTMX
partial mode; remove 3 now-superseded stub tests from stubs.test.tsx

* fix(web): make board page Stage 2 category fetch non-fatal

Category name lookup for breadcrumb no longer returns a fatal error
response when it fails — the board content loaded in Stage 1 is shown
regardless, with the category segment omitted from the breadcrumb.

* docs(bruno): add Get Board and Get Category; update Get Board Topics with pagination

* docs: mark ATB-28 board view complete in project plan

* fix(web): remove unused unauthSession variable in boards test

* fix: add 500 error tests for GET /api/boards/:id and GET /api/categories/:id; log HTMX partial errors

* docs: CLI categories and boards design

* docs: CLI categories and boards implementation plan

* feat: add createCategory step module (ATB-28)

Implements TDD createCategory step with idempotent PDS write and DB insert,
slug derivation from name, and skipping when a category with the same name exists.

* feat: add createBoard step module (ATB-28)

* feat: add atbb category add command (ATB-28)

* feat: add atbb board add command (ATB-28)

Implements the `atbb board add` subcommand with interactive category
selection when --category-uri is not provided, validating the chosen
category against the database before creating the board record.

* fix: add try/catch around category resolution and URI validation in board add command (ATB-28)

- Wrap entire category resolution block (DB queries + interactive select prompt)
in try/catch so connection drops after the SELECT 1 probe properly call
forumAgent.shutdown() and cleanup() before process.exit(1)
- Validate AT URI format before parsing: reject URIs that don't start with
at:// or have fewer than 5 path segments, with an actionable error message

* feat: extend init with optional category/board seeding step (ATB-28)

* fix: remove dead catch blocks in step modules and add categoryId guard in init (ATB-28)

- create-category.ts / create-board.ts: both branches of the try/catch
re-threw unconditionally, making the catch a no-op; replaced with a
direct await assignment and removed the unused isProgrammingError import
- init.ts: added an explicit error-and-exit guard after the categoryId DB
lookup so a missing row causes a loud failure instead of silently
skipping board creation

* fix: address ATB-28 code review feedback

- Extract deriveSlug to packages/cli/src/lib/slug.ts (Issue 9 — dedup)
- Add isProgrammingError to packages/cli/src/lib/errors.ts and re-throw
in all three command handler catch blocks: category.ts, board.ts,
init.ts Step 4 (Issues 7/1)
- Wrap forumAgent.initialize() in try/catch in category.ts and board.ts
so PDS-unreachable errors call cleanup() before exit (Issue 6)
- Validate AT URI collection segment in board.ts: parts[3] must be
space.atbb.forum.category (Issue 4)
- Add forumDid and resource name context to all catch block error logs
using JSON.stringify (Issue 10)
- Fix misleading comment "Step 6 (label 4)" → "Step 4" in init.ts
- Remove dead guard (categoryUri && categoryId && categoryCid) in init.ts
Step 4 — guaranteed non-null by the !categoryId exit above (Suggestion)
- Add DB insert failure tests to create-category.test.ts and
create-board.test.ts (Issue 2)
- Add sortOrder include/omit tests to both step module test files (Suggestion)
- Add category-command.test.ts: command integration tests for category add
including prompt path, PDS init failure, error/programming-error handling
(Issue 3)
- Add board-command.test.ts: command integration tests for board add
including collection-segment validation, DB category lookup, error
handling (Issues 3/4)
- Add init-step4.test.ts: tests for Step 4 seeding — skip path, full
create path, !categoryId guard, createBoard failure, programming error
re-throw (Issue 5)

* fix: address second round of review feedback on ATB-28

- create-category.ts: warn when forumId is null (silent failure → visible warning)
- category.ts, board.ts: best-effort forumAgent.shutdown() in initialize() failure path
- init.ts: split combined try block so DB re-query failure doesn't report as
"Failed to create category" (the PDS write already succeeded by that point)
- Tests: add isAuthenticated()=false branch for category and board commands
- Tests: add interactive select and empty-categories paths for board command
- Tests: add createBoard programming error re-throw and DB re-query throw for init Step 4

* docs: add homepage design doc for ATB-27

* docs: add homepage implementation plan for ATB-27

* style: add homepage category and board grid CSS

* test: add failing tests for homepage route (ATB-27)

TDD setup: 11 tests covering forum name/description in title and header,
category section rendering, board cards with links and descriptions,
empty states, error handling (503 network, 500 API), and multi-category
layout. All tests intentionally fail against the placeholder route.

* feat: implement forum homepage with live API data (ATB-27)

Replaces placeholder homepage with real implementation that fetches forum
metadata, categories, and boards from the AppView API and renders them.
Also strengthens 500 error test to assert on message text.

* fix: use shared getSession in homepage route

* refactor: extract isNetworkError to shared web lib/errors.ts

* test: update stubs test to mock homepage API calls

The homepage now fetches /api/forum and /api/categories in parallel, so
the two GET / stub tests need mockResolvedValueOnce calls for both endpoints.

* fix: address code review feedback on homepage route (ATB-27)

- Add structured error logging to both catch blocks in home.tsx
- Add Stage 2 error tests (boards fetch) for 503 and 500 responses
- Mark forum homepage complete in atproto-forum-plan.md

* fix: re-throw programming errors in homepage catch blocks (ATB-27)

- Add isProgrammingError to apps/web/src/lib/errors.ts
- Guard both catch blocks with isProgrammingError re-throw before logging
- Add two tests verifying TypeError escapes catch blocks (stage 1 and stage 2)

* docs: bootstrap CLI design for first-time forum setup

Adds design document for `atbb init` CLI command that automates
forum bootstrapping — creating the forum record on the PDS, seeding
default roles, and assigning the first Owner. Includes extraction
of ForumAgent into shared `packages/atproto` package.

* docs: bootstrap CLI implementation plan

12-task TDD implementation plan for atbb init command. Covers
packages/atproto extraction, packages/cli scaffolding, bootstrap
steps (create-forum, seed-roles, assign-owner), and Dockerfile updates.

* feat: extract @atbb/atproto shared package with error helpers

Create packages/atproto as a shared AT Protocol utilities package.
Extract error classification helpers (isProgrammingError, isNetworkError,
isAuthError, isDatabaseError) from appview into the shared package,
consolidating patterns from errors.ts and forum-agent.ts. The appview
errors.ts becomes a re-export shim for backward compatibility.

* refactor: move ForumAgent to @atbb/atproto shared package

Move ForumAgent class and tests from appview to packages/atproto.
Replace inline isAuthError/isNetworkError with imports from errors.ts.
Add ETIMEDOUT pattern to isNetworkError for Node.js socket errors.
Update app-context.ts import and app-context test mock path.

* feat: add identity resolution helper to @atbb/atproto

Add resolveIdentity() that accepts either a DID (returns as-is) or a
handle (resolves via PDS resolveHandle). Used by the CLI to let
operators specify the forum owner by handle or DID.

* chore: scaffold @atbb/cli package with citty

* feat(cli): add config loader and preflight environment checks

* feat(cli): implement create-forum bootstrap step

* feat(cli): implement seed-roles bootstrap step

* feat(cli): implement assign-owner bootstrap step

* feat(cli): wire up init command with interactive prompts and flag overrides

* chore: update Dockerfile to include atproto and cli packages

* fix(cli): make config test hermetic for CI environment

Explicitly stub env vars to empty strings instead of relying on a clean
environment. CI sets DATABASE_URL for its PostgreSQL service container,
so vi.unstubAllEnvs() alone is insufficient — it only reverses previous
stubs, not real env vars.

* fix(cli): address code review feedback on bootstrap flow

1. Fix bootstrap ordering: seedDefaultRoles now inserts into DB after
PDS write, so assignOwnerRole can find the Owner role immediately
without waiting for the firehose.

2. Fix membership ownership: assignOwnerRole no longer writes to the
forum DID's PDS repo (wrong owner per data model). Instead, inserts
membership directly into DB. The PDS record will be created when the
user logs in via OAuth.

3. Fix bare catch in createForumRecord: now discriminates RecordNotFound
from network/auth/programming errors. Only proceeds to create when
the record genuinely doesn't exist.

4. Remove fabricated cid:"pending": no longer writes PDS records with
fake CIDs. Direct DB inserts use "bootstrap" sentinel to indicate
CLI-created records.

5. Fix DB connection leak: init command creates postgres client directly
and calls sql.end() on all exit paths (success + error).

Also: createForumRecord now inserts forum into DB after PDS write,
ensuring downstream steps can reference it.

* fix: upgrade bootstrap memberships to real PDS records on first login

When the CLI creates a bootstrap membership (cid="bootstrap"), the
appview now detects it on first OAuth login and upgrades it by writing
a real PDS record to the user's repo, then updating the DB row with
the actual rkey/cid while preserving the roleUri.

12-task TDD implementation plan for atbb init command. Covers
packages/atproto extraction, packages/cli scaffolding, bootstrap
steps (create-forum, seed-roles, assign-owner), and Dockerfile updates.