# Changelog All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/). ## [Unreleased] ## [0.5.0] - 2026-01-08 ### Added - **Direct OAuth authorization** without requiring Pushed Authorization Requests (PAR) - `/oauth/authorize` now accepts direct query parameters (client_id, redirect_uri, code_challenge, etc.) - Creates authorization request record on-the-fly, same as PAR flow - DPoP binding deferred to token exchange time for direct auth flows - Matches official AT Protocol PDS behavior ### Changed - AS metadata: `require_pushed_authorization_requests` now `false` - Extracted `validateAuthorizationParameters()` helper shared between PAR and direct auth ## [0.4.0] - 2026-01-08 ### Added - **Foreign DID proxying** via `atproto-proxy` header - `parseAtprotoProxyHeader()` parses `did:web:api.bsky.app#bsky_appview` format - `getKnownServiceUrl()` maps known service DIDs to URLs - `proxyToService()` generic proxy utility with header forwarding - Repo endpoints (getRecord, listRecords, describeRepo) support explicit proxying - Returns appropriate errors for malformed headers or unknown services - Unit tests for proxy utilities - E2E tests for foreign DID proxying behavior ### Changed - Refactored `handleAppViewProxy` to use shared `proxyToService` utility ## [0.3.0] - 2026-01-08 ### Added - **Granular OAuth scope enforcement** on repo and blob endpoints - `parseRepoScope()` parses `repo:collection?action=create&action=update` format - `parseBlobScope()` parses `blob:image/*` format with MIME wildcards - `ScopePermissions` class for checking repo/blob permissions - Enforced on createRecord, putRecord, deleteRecord, applyWrites, uploadBlob - **Consent page permissions table** displaying scopes in human-readable format - Identity-only: "wants to uniquely identify you" message - Granular scopes: Table with Collection + Create/Update/Delete columns - Full access: Warning banner for `transition:generic` - `parseScopesForDisplay()` helper for consent page rendering - E2E tests for scope enforcement and consent page display ## [0.2.0] - 2026-01-07 ### Added - **OAuth 2.0 authorization server** with full AT Protocol support - Discovery endpoints (AS metadata, protected resource, JWKS) - Pushed Authorization Requests (PAR) - Authorization endpoint with dark-themed consent UI - Token endpoint (authorization_code + refresh_token grants) - Token revocation (RFC 7009) - DPoP proof validation and token binding - PKCE with S256 code challenge - Client metadata fetching and validation - Loopback client support for development - DPoP JTI tracking to prevent replay attacks - Comprehensive OAuth e2e tests ### Changed - **BREAKING:** Normalized SQL schema to snake_case convention - Tables: `blob` → `blobs`, `record_blob` → `record_blobs` - Columns: `mimeType` → `mime_type`, `createdAt` → `created_at`, `blobCid` → `blob_cid`, `recordUri` → `record_uri` - Existing Durable Objects require storage reset - Consolidated error responses to use `errorResponse` helper - Moved OAuth types to TYPES & CONSTANTS section ## [0.1.0] - 2025-01-07 Initial experimental release. ### Added - **Repo operations:** createRecord, getRecord, putRecord, deleteRecord, applyWrites, listRecords - **Sync endpoints:** getRepo (CAR export), subscribeRepos (WebSocket firehose), getLatestCommit - **Authentication:** createSession, getSession, refreshSession with JWT tokens - **Blob storage:** uploadBlob, getBlob, listBlobs with R2 backend - MIME type sniffing (JPEG, PNG, GIF, WebP, MP4, AVIF, HEIC) - Automatic orphaned blob cleanup via DO alarms - Blob-record association tracking - **Identity:** Handle resolution, PLC directory registration - **Federation:** Relay notification (requestCrawl), AppView proxy for app.bsky.* endpoints - **Infrastructure:** - Merkle Search Tree (MST) for repo structure - DAG-CBOR encoding with CID generation - P-256 ECDSA signing via Web Crypto - TypeScript checking via JSDoc annotations - Setup script for key generation and PLC registration