You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Completes delegated release service feasibility task W0.4 by adding an executable workerd harness for confidential atproto OAuth custody.
The harness proves private-key JWT authentication, distinct DPoP keys, real D1 persistence, nonce retry, rotating-token refresh serialization, operation-local lease ownership, lease renewal, fail-closed stale-owner mutation, assertion-key rotation, and the exact create-only release scope. It also records the persisted atcute fields and production constraints in the tracked evidence document.
This changes no production auth implementation or public API. It adds package-local test infrastructure and includes the package in the root unit-test filter.
pnpm test passes (or targeted tests for my change)
pnpm format has been run
I have added/updated tests for my changes (if applicable)
User-visible strings in the admin UI are wrapped for translation (if applicable). Do not include messages.po changes except in translation PRs — a workflow extracts catalogs on merge to main.
I have added a changeset (if this PR changes a published package)
i18n and a changeset are not applicable: this PR has no UI or published runtime behavior. Package manifest changes are test-only dev dependencies and scripts.
AI-generated code disclosure
This PR includes AI-generated code — model/tool: OpenCode with GPT-5.6-sol
Screenshots / test output
pnpm build passes with existing virtual-import and deliberate test-plugin eval warnings
The generated lockfile also reconciles stale TypeScript peer snapshots and deduplicates stale build-time transitives; no shipped runtime dependency changes.
A full working EmDash site, deployed from this branch. Each visit gets its own session-scoped sandbox: no login needed and no shared state. Try the admin, edit content, hit the public site.
Tracks feat/delegated-release-service-04-oauth-workerd. Updated automatically when the playground redeploys.
Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.
This PR includes no changesets
When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types
Closing this feasibility spike. It expanded into a speculative OAuth coordinator rather than the minimal Gate 0 compatibility evidence we need. We will replace it with a small ratification-oriented evidence artifact after resetting the scope.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What does this PR do?
Completes delegated release service feasibility task
W0.4by adding an executable workerd harness for confidential atproto OAuth custody.The harness proves private-key JWT authentication, distinct DPoP keys, real D1 persistence, nonce retry, rotating-token refresh serialization, operation-local lease ownership, lease renewal, fail-closed stale-owner mutation, assertion-key rotation, and the exact create-only release scope. It also records the persisted atcute fields and production constraints in the tracked evidence document.
This changes no production auth implementation or public API. It adds package-local test infrastructure and includes the package in the root unit-test filter.
Related to #1908, #1870, and Discussion #1590.
Type of change
Checklist
pnpm typecheckpassespnpm lintpassespnpm testpasses (or targeted tests for my change)pnpm formathas been runmessages.pochanges except in translation PRs — a workflow extracts catalogs on merge tomain.i18n and a changeset are not applicable: this PR has no UI or published runtime behavior. Package manifest changes are test-only dev dependencies and scripts.
AI-generated code disclosure
Screenshots / test output
pnpm buildpasses with existing virtual-import and deliberate test-pluginevalwarningspnpm --filter @emdash-cms/auth-atproto typecheckpassestsgo --noEmitpassespnpm --filter @emdash-cms/auth-atproto testpasses: 27 Node tests and 9 workerd testspnpm lintpasses with 0 warnings/errorspnpm lint:json | jq '.diagnostics | length'returns0git diff --checkpassThe generated lockfile also reconciles stale TypeScript peer snapshots and deduplicates stale build-time transitives; no shipped runtime dependency changes.
Try this PR
Open a fresh playground →
A full working EmDash site, deployed from this branch. Each visit gets its own session-scoped sandbox: no login needed and no shared state. Try the admin, edit content, hit the public site.
Tracks
feat/delegated-release-service-04-oauth-workerd. Updated automatically when the playground redeploys.