The previous fix buffered the body but used bytes.NewBuffer which maintains
a read position. When retrying, we need to explicitly create a new
bytes.NewReader to ensure the read position starts at 0.

Changes:
- Explicitly set retryReq.Body with fresh bytes.NewReader
- Set ContentLength on retry request
- Update GetBody to return fresh bytes.NewReader instances

This ensures the PDS can read the full request body on retry attempts.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

When the server requires a DPoP nonce and returns 401 with use_dpop_nonce,
the transport retries the request with the nonce. However, the original
implementation didn't properly preserve the request body for retry, causing
"stream is not readable" errors on the server side.

This fix:
- Buffers the request body before the first request
- Sets req.GetBody to allow req.Clone() to recreate the body
- Ensures retry requests have a fresh, readable body stream

This resolves the issue where:
1. First request sent without nonce
2. Server responds with 401 and nonce
3. Retry sent with nonce but empty/consumed body
4. Server returns 500 "stream is not readable"

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

- Rename web-demo-chat to web-demo-scope for clarity
- Add web-demo-scope executable to .gitignore
- Example demonstrates requesting custom scopes beyond default atproto scope

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Previously, OAuth scopes were hardcoded to "atproto transition:generic"
in both the authorization flow and client metadata, despite the Client
struct having a Scopes field that could be configured via ClientOptions.

Changes:
- Updated StartAuthFlow() to use client.Scopes instead of hardcoded value
- Updated GetClientMetadata() to use client.Scopes instead of hardcoded value
- Added strings import to client.go for strings.Join()

This allows users to specify custom scopes when creating a client:

client := bskyoauth.NewClientWithOptions(bskyoauth.ClientOptions{
BaseURL: "http://localhost:8181",
Scopes: []string{"atproto", "custom:scope"},
})

The default remains ["atproto", "transition:generic"] when no scopes
are specified, maintaining backward compatibility.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Implements minimal environment-based configuration for the example
application, enabling production deployments to customize session
timeouts, rate limits, and server port without code changes.

New Configuration Variables (4 total):

SESSION_TIMEOUT_DAYS:
- Session cookie lifetime in days (default: 30)
- Range: 1-365 days (warnings outside range)
- Converts to seconds for cookie MaxAge
- Example: SESSION_TIMEOUT_DAYS=7 for weekly sessions

RATE_LIMIT_AUTH:
- Auth endpoint rate limit as "requests/sec,burst"
- Default: "5,10" (5 req/s, burst 10)
- Applies to /login and /callback endpoints
- Example: RATE_LIMIT_AUTH=10,20 for higher limits

RATE_LIMIT_API:
- API endpoint rate limit as "requests/sec,burst"
- Default: "10,20" (10 req/s, burst 20)
- Applies to /post, /create-record, /delete-record, /get-record
- Example: RATE_LIMIT_API=50,100 for high traffic

SERVER_PORT:
- HTTP server port (default: 8181)
- Example: SERVER_PORT=8080 for standard HTTP

Helper Functions:
- getEnvInt() - Parse integer env vars with validation/defaults
- getRateLimitConfig() - Parse "req/sec,burst" format with validation
- validateConfig() - Range validation with warning logs

Configuration Validation:
- Invalid values: Falls back to defaults, logs clear warnings
- Unusual values: Applied but logs configuration warnings
- Format errors: Shows expected format in error message
- Validates ranges: SESSION_TIMEOUT_DAYS (1-365), rate limits (0.1-1000)

Documentation (README.md):
- Comprehensive environment variable reference
- 4 example configurations (dev, staging, production, high-traffic)
- Deployment examples (command line, Docker, Docker Compose, K8s)
- Rate limiting guidelines by scenario
- Session timeout security recommendations
- Configuration validation behavior explained

Testing:
- Default values: All env vars optional, sensible defaults
- Custom values: SESSION_TIMEOUT_DAYS=7, RATE_LIMIT_AUTH=10,20 verified
- Invalid values: Falls back to defaults (tested "abc", "invalid")
- Unusual values: Applies with warnings (tested 400 days, 5000 req/s)
- Server startup logs show all configured values

Scope Decision (Minimal):
- Only 4 most critical production configuration needs
- Excluded (kept hardcoded with good defaults):
- HTTP client timeout (30s is industry standard)
- Server read/write/idle timeouts (best practice values)
- Cookie security flags (auto-detected, should not override)
- Logging level (already auto-configured)

Files Modified:
- examples/web-demo/main.go - Added env parsing, validation (~70 lines)
- README.md - Added Environment Variables section (~185 lines)
- TODO.md - Removed Issue #18
- COMPLETED_ISSUES.md - Added Issue #18 with implementation details
- VERSION.md - Added v1.3.1 release notes

Impact:
- No Library Changes: Example application only
- 100% Backward Compatible: All env vars optional
- 12-Factor Compliant: Environment-based configuration
- Production-Ready: Per-environment tuning without code changes
- Container-Friendly: Works with Docker, K8s, orchestration

Resolves Issue #18: Environment Configuration

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Implements a complete audit logging infrastructure for compliance and
security monitoring, providing a tamper-evident trail of all sensitive
operations.

New Features:

Core Infrastructure (audit.go):
- AuditEvent struct with standardized fields (timestamp, event_type,
actor, action, resource, result, error, metadata, request_id,
session_id)
- AuditLogger interface for flexible backend implementations
- NoOpAuditLogger as safe default (opt-in design, zero overhead)
- 15+ standardized event type constants for consistent categorization
- Package-level functions: SetAuditLogger(), GetAuditLogger(),
LogAuditEvent()
- Automatic context enrichment (timestamps, request IDs, session IDs)

Built-in Loggers (audit_file.go):
- FileAuditLogger - Append-only file logging with restrictive
permissions (0600)
- RotatingFileAuditLogger - Daily rotation at midnight UTC
- Thread-safe concurrent writes with mutex protection
- Automatic directory creation with proper permissions

Integration:
- OAuth flow (oauth.go): auth.start, auth.callback, auth.success,
auth.failure, security.issuer_mismatch, security.invalid_state
- Token refresh (oauth.go): session.refresh
- API operations (client.go): api.post.create, api.record.create,
api.record.read, api.record.delete

Testing (audit_test.go):
- 10 comprehensive test functions
- Tests for all loggers (NoOp, File, Rotating)
- Thread-safety testing under concurrent load
- Event structure validation
- Context enrichment verification
- Mock logger for custom implementations
- All tests pass with -race detection

Documentation (README.md):
- New "Audit Trail" section (380+ lines)
- Quick start guide
- Complete event type reference
- JSON log format specification
- Built-in logger documentation
- Custom logger examples (PostgreSQL, Splunk/SIEM)
- Manual audit logging guide
- Context enrichment guide
- Compliance best practices (retention, integrity, access control)
- Performance considerations (buffering, rotation, sampling)
- Security event examples with JSON output

Files Added:
- audit.go (159 lines)
- audit_file.go (177 lines)
- audit_test.go (532 lines)

Files Modified:
- oauth.go - Integrated audit logging into auth flow
- client.go - Integrated audit logging into API operations
- README.md - Added 380+ lines of audit documentation
- VERSION.md - Added v1.3.0 release notes
- TODO.md - Removed Issue #17
- COMPLETED_ISSUES.md - Added Issue #17 with implementation details

Use Cases:
- Compliance: SOX, PCI-DSS, HIPAA, GDPR audit trail requirements
- Security Monitoring: Real-time attack detection (CSRF, code injection)
- Forensic Analysis: Complete reconstruction of security events
- Incident Response: Tamper-evident trail of sensitive operations
- Operational Insights: Authentication patterns, API usage tracking

Impact:
- 100% backward compatible (minor version bump)
- Opt-in design (no performance impact when disabled)
- Thread-safe for concurrent use
- Production-ready (permissions, rotation, append-only)
- Compliance-ready (structured JSON logs)

Resolves Issue #17: Missing Audit Trail

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Resolved Issue #16 through enhanced documentation rather than code
implementation. Ephemeral DPoP keys are intentional and align with
OAuth 2.0 security best practices.

Documentation Added:
- New README section: "DPoP Key Persistence and Security Considerations"
- Security trade-offs comparison table (300+ lines of documentation)
- Three implementation options with complete code examples:
1. Ephemeral Keys (Default - Recommended)
2. Hybrid Approach (Recommended for Production)
3. Encrypted Persistence (Advanced - with AES-256-GCM)

Key Features:
- Complete SecureRedisSessionStore implementation (~140 lines)
- Security requirements checklist (encryption, key management, storage)
- Key rotation guidance and best practices
- Summary recommendations by scenario (web/API/mobile/desktop)
- Added warning to simple Redis example about plaintext storage

Security Guidance:
- Ephemeral keys (default): Maximum security, zero storage risk
- Hybrid approach: Ephemeral keys + token refresh for extended sessions
- Encrypted persistence: For mobile/desktop apps requiring persistence
- Clear explanation of trade-offs and when to use each approach

Why Documentation Over Code:
1. Security decision - users must consciously choose key persistence
2. SessionStore interface already flexible for any implementation
3. Use cases vary - different apps have different requirements
4. Library can't safely manage encryption keys for users
5. Current design (ephemeral) is OAuth 2.0 best practice

Documentation Updates:
- README.md: Added ~300 lines of comprehensive guidance
- TODO.md: Removed Issue #16 (moved to completed)
- COMPLETED_ISSUES.md: Added Issue #16 with resolution details
- VERSION.md: Added v1.2.1 release notes

Impact:
- No code changes (documentation only)
- 100% backward compatible
- Security-by-default maintained
- Clear guidance for all use cases

Resolves Issue #16: DPoP Key Storage Considerations

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Issue #15 (Add Security Testing) was completed in v1.2.0 but was
left in TODO.md instead of being properly archived to COMPLETED_ISSUES.md.

Changes:
- Moved Issue #15 from TODO.md to COMPLETED_ISSUES.md
- Added comprehensive details about the 22 security tests implemented
- TODO.md now correctly shows Issues #16-18 as remaining low-priority items
- COMPLETED_ISSUES.md now has Issue #15 at the top as the most recent completion

This completes the documentation cleanup for the v1.2.0 release.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Implemented extensive security-focused tests covering CSRF protection,
session security, rate limiting, and input validation fuzzing per
Issue #15 in TODO.md.

New Test Files (22 tests total):
- security_csrf_test.go (8 tests)
* State parameter validation and expiration
* Issuer validation for authorization code injection prevention
* State reuse prevention (replay attack protection)
* Concurrent state validation thread-safety
* State storage limits under attack scenarios
* Error type validation

- security_session_test.go (6 tests)
* Session hijacking prevention (cryptographic randomness, 192-bit entropy)
* Session fixation prevention (ID regeneration)
* Session expiration enforcement (cookie MaxAge, store TTL, cleanup)
* Concurrent session access thread-safety
* Cookie security flags (HttpOnly, Secure, SameSite)
* Session storage security

- security_ratelimit_test.go (3 tests)
* X-Forwarded-For header manipulation blocking
* IPv6 rate limiting support
* Distributed attack simulation from multiple IPs
* Endpoint-specific rate limits (auth vs API)

- validation_fuzz_test.go (5 fuzz tests)
* FuzzValidateHandle - handle format fuzzing
* FuzzValidatePostText - post text fuzzing
* FuzzValidateTextField - generic text field fuzzing
* FuzzValidateCollectionNSID - NSID format fuzzing
* FuzzValidateRecordFields - record structure fuzzing

Test Coverage:
- All tests pass with -race detection
- Tests simulate real-world attack scenarios
- Fuzzing provides continuous edge case discovery
- Thread-safety verified under concurrent access

Documentation Updates:
- TODO.md: Marked Issue #15 as completed (v1.2.0)
- VERSION.md: Added v1.2.0 release notes
- All tests validated with go test -race ./...

Impact:
- Enhanced security confidence through attack simulation
- Zero breaking changes (tests only)
- 100% backward compatible
- Ready for production use

Resolves Issue #15: Add Security Testing

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Improved documentation maintainability by archiving all completed
security issues from TODO.md to new COMPLETED_ISSUES.md file.

Changes:
- Created COMPLETED_ISSUES.md with 14 completed security issues (~550 lines)
- Reduced TODO.md from 757 to 220 lines (71% reduction)
- Added cross-reference links between files
- Kept only active work items in TODO.md (Issues #15-18)
- Preserved complete historical record in COMPLETED_ISSUES.md

Impact:
- Easier to identify pending work vs completed issues
- Cleaner, more actionable TODO list
- Historical documentation preserved
- No functional changes (documentation only)

This is a pure documentation maintenance release with zero code changes.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Pure housekeeping cleanup of leftover empty file from Phase 1 refactoring.

Cleanup:
- Removed jwt.go (contained only package declaration, no content)
- JWT functionality remains in internal/jwt package (unchanged)
- Leftover from Phase 1 refactoring when JWT moved to internal/

Documentation Updates:
- CHANGELOG.md: Updated JWT reference to point to internal/jwt
- TODO.md: Clarified JWT code is internal-only per AT Protocol spec
- VERSION.md: Documented v1.1.3 cleanup release
- Removed outdated references to jwt.go and jwt_test.go

Technical Details:
- jwt.go had 1 line: "package bskyoauth" (empty file)
- internal/jwt/verify.go contains actual JWT verification code
- internal/jwt package is used internally by the library
- No public JWT API exposed (per AT Protocol OAuth spec)

No Functional Changes:
- No API changes
- No behavior changes
- No new features
- No bug fixes
- Pure cleanup of confusing empty file

Testing:
- All tests pass with -race detection
- Build successful
- internal/jwt package still tested and working
- Package file list confirms jwt.go removed

Backward Compatibility:
- 100% compatible with v1.1.2
- No breaking changes
- jwt.go was empty, removal has zero impact

Why This Matters:
- Cleaner codebase without confusing empty files
- Accurate documentation reflecting current structure
- Clear indication JWT is internal-only (per AT Protocol)
- Removes confusion for new contributors

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Enhances user experience by showing the created record's details
immediately after creation, eliminating the need to check server logs.

New Features:
- Success page displays full AT URI and extracted rkey
- Quick action buttons: "View Record", "Delete Record", "Create Another"
- Styled page with copyable rkey text
- Confirmation dialog for delete action

Implementation:
- Added extractRkeyFromURI() to parse rkey from AT URI
- Added renderRecordCreatedPage() to display success page with record details
- Updated createRecordHandler to render success page instead of redirect

User Experience:
- Immediate feedback on record creation
- Easy copy/paste of rkey for testing
- Direct links to view or delete the created record
- No need to check server logs for record IDs
- Improved workflow for testing CRUD operations

UI Design:
- Clean, styled success page with visual hierarchy
- Monospace font for AT URI and rkey
- Color-coded success message (green)
- Copyable rkey with user-select styling
- Responsive button layout
- Confirmation prompt for destructive actions

Changes:
- examples/web-demo/main.go: +84 lines (utility function + success page + handler update)
- VERSION.md: +32 lines (document v1.1.2)

Backward Compatibility:
- 100% compatible with v1.1.1
- No changes to core library
- Only affects web-demo example UI
- No breaking changes

This enhancement significantly improves the developer experience when
testing custom record CRUD operations.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Resolves the "unrecognized lexicon type: com.demo.bskyoauth" error by
implementing proper AT Protocol lexicon type registration.

New Package: lexicon
- DemoRecord struct with JSON and CBOR tags
- Full CBOR marshaling/unmarshaling implementation
- Automatic type registration via init() function
- Field validation (text length, RFC3339 timestamps)
- Comprehensive unit tests with 15+ test cases

New Files:
- lexicon/demo.go - DemoRecord type with CBOR methods (~175 lines)
- lexicon/validation.go - Field validation (~45 lines)
- lexicon/demo_test.go - Unit tests for marshaling and validation (~280 lines)
- lexicons/com/demo/bskyoauth.json - AT Protocol lexicon JSON schema

Implementation:
- Registered com.demo.bskyoauth type with indigo library
- CBOR marshaling follows established patterns from bsky types
- Validation enforces max 10000 bytes OR 3000 graphemes for text
- Validation ensures RFC3339 format for createdAt timestamps
- Added blank imports to trigger lexicon registration

API Changes:
- GetRecord now properly decodes custom lexicon types
- CreateRecord can use typed DemoRecord with validation
- Example updated to demonstrate lexicon usage and validation

Testing:
- All unit tests pass with -race detection
- Round-trip CBOR encoding/decoding verified
- Validation edge cases covered
- Unicode and long text handling tested

Backward Compatibility:
- 100% compatible with v1.1.0
- CreateRecord still accepts map[string]interface{}
- GetRecord API unchanged
- Optional: Use lexicon.DemoRecord for type safety

This patch fixes the GetRecord functionality and establishes best
practices for lexicon types in the library, following AT Protocol
standards.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

This release adds a new GetRecord() method to retrieve records from any
collection, completing the CRUD operations for AT Protocol records.

New Features:
- GetRecord() public API method in client.go
- Supports retrieving records from any collection (e.g., com.demo.bskyoauth)
- Full DPoP authentication and automatic nonce management
- Automatic token refresh on 401 errors
- Returns records as map[string]interface{} for maximum flexibility

Implementation:
- internal/api/client.go: Added GetRecordRequest type and GetRecord method
- client.go: Added public GetRecord wrapper with session management
- examples/web-demo/main.go: Added /get-record endpoint demonstrating usage
- VERSION.md: Documented v1.1.0 release with all changes

Backward Compatibility:
- 100% backward compatible with v1.0.0
- All existing APIs unchanged
- No breaking changes

The GetRecord method complements the existing CreateRecord and DeleteRecord
operations, providing a complete set of CRUD operations for custom AT Protocol
collections.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Created VERSION.md to track version history and establish versioning policy
for future releases.

Versioning Policy:
- v1.x.x: Stable API, 100% backward compatibility
- Major (v2.x.x): Only for breaking changes
- Minor (v1.x.0): New features, non-breaking enhancements
- Patch (v1.0.x): Bug fixes, documentation, internal improvements

The file includes:
- Complete v1.0.0 release notes
- Versioning policy and semantic versioning guidelines
- Release process checklist
- Sections for tracking planned changes (v1.1.0, v1.0.1)
- Stability guarantees for v1.x.x releases

This provides a clear process for maintaining the module going forward
while tracking all changes for users.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

All major refactoring phases are now complete. The library has been
successfully reorganized with the following accomplishments:

Completed Phases:
- ✅ Phase 1: Internal Package Extraction (8/8 steps)
* Created internal/ packages for oauth, dpop, jwt, session, api, http, validation
* Reduced root package files by 50-86%
* Clear separation between public API and internal implementation

- ✅ Phase 3: Type Organization
* Consolidated constants in constants.go
* Consolidated errors in errors.go
* Consolidated types in types.go
* Single source of truth for all public interfaces

- ✅ Phase 4: Middleware Extraction
* Standard Go middleware patterns throughout
* Added LoggingMiddleware for HTTP request/response logging
* All middleware composable and reusable

- ✅ Phase 5: Testing Improvements
* Created internal/testutil/ with fixtures, mock servers, and helpers
* Eliminates 27+ instances of duplicate test code
* Mock OAuth, PDS, and handle resolution servers
* Comprehensive assertion helpers and utilities

Phase 2 Considered Complete:
- Original goal was to make Client struct fields private
- Decision: Keep fields public for backward compatibility and user convenience
- The architectural improvements Phase 2 wanted (delegation to internal
packages) are already achieved through Phase 1
- No breaking changes required - v1.x remains stable

Results:
- 100% backward compatibility maintained throughout all phases
- All tests pass with race detection
- Significant code reduction and better organization
- Clear separation of concerns
- Reusable components for middleware and testing
- Foundation established for future enhancements
- Zero impact on existing users

The refactoring plan has served its purpose and is no longer needed.
The library is now in excellent shape for long-term maintenance.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Completed Phase 5 of the refactoring plan, creating a robust testing
infrastructure to reduce code duplication and improve test quality.

New Package: internal/testutil/
- Created dedicated package for shared test utilities
- Follows Go best practices for test helpers

fixtures.go - Test Data Generators:
- NewTestDPoPKey() - Generate test ECDSA keys (eliminates 27+ duplicates)
- NewTestSession() - Create sessions with sensible defaults
- TestSessionOption pattern for customization (WithDID, WithPDS, etc.)
- WithExpiredAccessToken/RefreshToken for expiration testing
- NewTestAuthServerMetadata() - OAuth metadata fixtures
- NewTestClientConfig() - Client configuration fixtures
- RandomString() - URL-safe random string generator

mock_server.go - Mock Servers:
- MockOAuthServer - Full OAuth authorization server
* Metadata endpoint (/.well-known/oauth-authorization-server)
* JWKS endpoint with RSA key generation
* Authorization endpoint with code generation
* Token endpoint (authorization_code and refresh_token grants)
* PAR endpoint for pushed authorization requests
- MockPDSServer - AT Protocol PDS server
* com.atproto.repo.createRecord with DPoP validation
* com.atproto.repo.deleteRecord with DPoP validation
* com.atproto.server.describeServer
- MockHandleServer - Handle resolution server
* com.atproto.identity.resolveHandle
* AddHandle() for custom handle mappings

helpers.go - Assertion and Utilities:
- Assertion helpers: AssertNoError, AssertEqual, AssertNotNil, etc.
- AssertContains/AssertNotContains for string matching
- AssertPanics for panic testing
- NewTestContext() with automatic cleanup
- MockHTTPClient for testing HTTP interactions
- MockRoundTripper for http.RoundTripper testing
- WaitForCondition() for async testing

Testing:
- All testutil functions have their own tests
- 13 passing tests demonstrating usage
- All package tests pass with race detection
- 100% backward compatibility maintained

Benefits:
- Reduces test code duplication (27+ key generations → 1 function)
- Faster test writing with reusable fixtures
- More consistent test data across the codebase
- Better test isolation with proper mock servers
- Easier maintenance - update fixtures once, affects all tests
- Foundation for incrementally improving existing tests

Next Steps:
- Existing tests can be incrementally updated to use testutil
- No breaking changes required
- Immediate value for new tests being written

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Completed Phase 4 of the refactoring plan, focusing on middleware
standardization and reusability.

Middleware Improvements:
- Added LoggingMiddleware to internal/http/middleware.go
- Logs HTTP method, path, status code, duration, and remote address
- Uses responseWriter wrapper to capture status codes
- Exported via new middleware.go in root package
- Follows standard Go middleware pattern: func(http.Handler) http.Handler

Existing Middleware:
- RateLimiter.Middleware already follows standard pattern
- SecurityHeadersMiddleware already follows standard pattern
- All middleware now composable and reusable

Code Organization:
- Removed REFACTORING_PHASE1_SUMMARY.md (no longer needed)
- Updated REFACTORING_PLAN.md with Phase 3 and 4 completion status
- All middleware centralized in internal/http/middleware.go

Testing:
- All tests pass with race detection
- 100% backward compatibility maintained

Phase 4 achieves:
- Reusable middleware components that can be composed
- Standard Go middleware patterns throughout
- Easy to test middleware independently
- Can be used outside of Client struct

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Moved the main Client and ClientOptions types to types.go for better
organization and discoverability. These are the primary types users
interact with and belong with other public types.

Changes:

Modified Files:
- types.go (expanded from 73→130 lines)
* Added Client struct - main entry point for the library
* Added ClientOptions struct - configuration for client creation
* Added net/http import for http.Client in ClientOptions
* All primary public types now in one location

- client.go (reduced)
* Removed Client type definition (now in types.go)
* Removed ClientOptions type definition (now in types.go)
* Kept all Client methods (NewClient, NewClientWithOptions, etc.)
* Focused on Client behavior rather than structure

Types NOT Moved (Intentional):
- MemorySessionStore - Has methods and constructor logic, better in session.go
- CustomRecord - Has CBOR marshaling methods (90 lines), all logic in record.go
- RateLimiter - Middleware type with methods, focused in ratelimit.go
- Internal adapters (authFlowAdapter, sessionStoreAdapter) - Private, stay in client.go

Rationale:
✅ Client & ClientOptions are pure data types with no attached methods
✅ These are the main types users interact with when using the library
✅ Centralizing them improves API discoverability
✅ Consistent with Session, AuthFlowState already in types.go
✅ types.go becomes the definitive reference for all public types

Benefits:
- Single location for all primary public types
- Better API documentation organization
- Easier for users to discover available types
- Clear separation: types.go = structure, other files = behavior
- 100% backward compatible

Testing:
- ✅ All tests pass with race detection
- ✅ No breaking changes
- ✅ All imports work correctly

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Consolidated all public constants, error variables, and types into
dedicated files for better organization and discoverability.

Goal: Better organize public types and interfaces
Status: ✅ Complete (non-breaking)

Changes:

New Files:
- constants.go (37 lines)
* Application type constants (ApplicationTypeWeb, ApplicationTypeNative)
* Context key constants (ContextKeyRequestID, ContextKeySessionID)
* Validation limit constants (re-exported from internal/validation)
* All public constants now in one discoverable location

Modified Files:
- errors.go (expanded from 35→126 lines)
* Client errors (ErrNoSession)
* OAuth errors (ErrInvalidHandle, ErrInvalidState, etc.)
* JWT errors (re-exported from internal/jwt)
* Session errors (re-exported from internal/session)
* Validation errors (re-exported from internal/validation)
* All error variables now in one location
* Kept IsTimeoutError() utility function

- types.go (unchanged, already well-organized)
* Session, AuthFlowState, SessionStore, AuthServerMetadata
* No changes needed - already consolidated

Removed From:
- client.go: Removed ApplicationType constants (now in constants.go)
- client.go: Removed ErrNoSession (now in errors.go)
- client.go: Removed unused "errors" import
- oauth.go: Removed OAuth error variables (now in errors.go)
- jwt.go: Removed JWT error variables (now in errors.go)
- jwt.go: Reduced to minimal wrapper (4 lines)
- session.go: Removed session error variables (now in errors.go)
- validation.go: Removed validation error variables (now in errors.go)
- validation.go: Removed validation constants (now in constants.go)
- logger.go: Removed context key constants (now in constants.go)

Benefits:
✅ Single source of truth for all error variables
✅ Single source of truth for all constants
✅ Better discoverability - developers know where to look
✅ Easier to maintain - no duplicate definitions
✅ Cleaner individual files - focused on their purpose
✅ 100% backward compatibility maintained

Testing:
- ✅ All tests pass with race detection
- ✅ No breaking changes - all symbols still exported
- ✅ Import paths unchanged for users

Code Organization:
Before Phase 3:
• Errors scattered across 6+ files
• Constants scattered across 4+ files
• types.go already good

After Phase 3:
• constants.go - all public constants
• errors.go - all error variables
• types.go - all public types
• Clear, organized public API surface

🎯 PHASE 3 STATUS: ✅ COMPLETE

Phase 3 successfully improves type organization without any breaking
changes, making the public API more discoverable and maintainable.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Final verification and documentation for Phase 1 refactoring. All 8 steps
of Phase 1 are now complete with 100% backward compatibility maintained.

Step 1.8 Tasks Completed:
✅ Full test suite verification with race detection
✅ Backward compatibility confirmation
✅ README.md Redis example verification (still valid)
✅ Documentation review (no changes needed)
✅ Examples verification (all functional)
✅ REFACTORING_PLAN.md status update
✅ Comprehensive Phase 1 summary document

Changes:

New Files:
- REFACTORING_PHASE1_SUMMARY.md (comprehensive completion summary)
* Overview of all Phase 1 changes
* Detailed metrics for each step (1.1-1.8)
* Code reduction statistics per file
* New internal packages overview
* Test coverage summary
* Benefits achieved documentation
* Bug fixes during refactoring
* Architecture before/after comparison
* Documentation status
* Next steps for Phase 2

Modified Files:
- REFACTORING_PLAN.md
* Updated "Current Status" section
* Marked Phase 1 as COMPLETE with all 8 steps
* Added "Results" section with key achievements
* Updated "Next Steps" for Phase 2 planning

Testing Results:
- ✅ All tests pass (100+ tests across all packages)
- ✅ Race detection enabled - no races detected
- ✅ Root package: 45+ tests passing
- ✅ internal/dpop: 10+ tests passing
- ✅ internal/http: 15+ tests passing
- ✅ internal/jwt: 8+ tests passing
- ✅ internal/validation: 31+ tests passing

Backward Compatibility Verification:
- ✅ All public APIs unchanged
- ✅ Session struct fully preserved (including DPoPKey)
- ✅ Error types properly re-exported
- ✅ Constants properly re-exported
- ✅ SessionStore interface unchanged
- ✅ README.md Redis example still valid
- ✅ All code examples functional

Documentation Status:
- ✅ README.md - No changes needed (all examples valid)
- ✅ REFACTORING_PLAN.md - Updated with completion status
- ✅ New summary document created
- ✅ Code comments preserved throughout

Phase 1 Achievement Summary:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

📦 NEW INTERNAL PACKAGES (7 packages, ~2,250 lines)
• internal/oauth/ - OAuth flow, state, token, metadata
• internal/dpop/ - DPoP transport, proof, keys
• internal/jwt/ - JWT verification, JWKS cache
• internal/session/ - Session management, memory store
• internal/api/ - API operations wrapper
• internal/http/ - HTTP handlers, middleware
• internal/validation/ - Handle, post, record validation

📊 CODE REDUCTION IN ROOT PACKAGE
• oauth.go: 641→476 lines (25% reduction)
• dpop.go: 334→45 lines (86% reduction)
• session.go: 245→97 lines (60% reduction)
• client.go (API): 224→97 lines (57% reduction)
• client.go (handlers): 93→35 lines (62% reduction)
• ratelimit.go: 117→43 lines (63% reduction)
• securityheaders.go: 279→61 lines (78% reduction)
• validation.go: 203→65 lines (67% reduction)

✅ BENEFITS ACHIEVED
• Clear API boundaries (public vs internal)
• Improved code organization by concern
• Better maintainability and navigation
• Enhanced testability with isolated packages
• Foundation for future improvements
• 100% backward compatibility maintained

🐛 BUG FIXED
• Session storage bug in CallbackHandler (DPoPKey preservation)

🎯 PHASE 1 STATUS: ✅ COMPLETE (8/8 steps)
Step 1.1: OAuth extraction ✅
Step 1.2: DPoP extraction ✅
Step 1.3: JWT extraction ✅
Step 1.4: Session extraction ✅
Step 1.5: API extraction ✅
Step 1.6: HTTP handlers/middleware ✅
Step 1.7: Validation extraction ✅
Step 1.8: Testing & documentation ✅

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Phase 1 refactoring successfully establishes a solid foundation for
long-term maintenance and evolution. The library now has clear boundaries
between public API and internal implementation, making it easier to
maintain, test, and enhance while protecting users from internal changes.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Extracted validation logic from root package to internal/validation/,
split by concern into three files, following the pattern established in
Steps 1.1-1.6.

Changes:

New Files:
- internal/validation/handle.go (42 lines)
* ValidateHandle function
* Handle validation error types (ErrHandleInvalid, ErrHandleTooLong)
* Handle constants (MaxHandleLength, MaxHandleSegmentLength)
* Uses AT Protocol syntax package for validation

- internal/validation/post.go (87 lines)
* ValidatePostText function
* ValidateTextField function for custom fields
* Post validation error types (ErrTextEmpty, ErrTextTooLong, etc.)
* Post constants (MaxPostTextLength)
* UTF-8 validation, null byte checking, whitespace detection

- internal/validation/record.go (100 lines)
* ValidateRecordFields function
* ValidateCollectionNSID function
* validateRecordDepth helper (prevents stack overflow)
* Record validation error types (ErrRecordFieldInvalid, etc.)
* Validates createdAt datetime fields, text fields, nesting depth

- internal/validation/validation_test.go (moved from validation_test.go)
* Updated package declaration to "validation"
* All 31 test functions work unchanged
* Tests for handles, posts, text fields, records, NSIDs

Modified Files:
- validation.go (fully rewritten as thin wrapper)
* Re-exports all error types from internal/validation
* Re-exports all constants from internal/validation
* All validation functions delegate to internal/validation
* Size reduction: 203→65 lines (67% reduction)

Implementation Details:
- Maintained 100% backward compatibility - all public APIs unchanged
- Split validation by concern for better organization:
* handle.go: Handle-specific validation
* post.go: Post and text field validation
* record.go: Record structure and NSID validation
- All validation logic moved to internal package
- Public API provides thin wrappers that delegate
- Test file moved to internal/validation with package update

Testing:
- All existing tests pass with race detection (31 tests)
- No regressions in validation functionality
- Full test coverage maintained in internal package

Code Organization Improvements:
- Clear separation of concerns (handle/post/record)
- Each file focused on specific validation domain
- Easier to maintain and extend individual validators
- Better code discoverability

Progress: Phase 1 now 7/8 steps complete (87.5%)
- ✅ Steps 1.1-1.7 complete
- ⏳ Step 1.8 remaining (testing and documentation)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

ISSUE: After Step 1.6 refactoring, the CallbackHandler was only storing
DID and AccessToken in the session, losing critical fields like DPoPKey,
RefreshToken, DPoPNonce, and PDS. This caused nil pointer panics when
attempting API operations because the DPoP transport couldn't create
proofs without the key.

Error symptom:
```
panic: runtime error: invalid memory address or nil pointer dereference
github.com/shindakun/bskyoauth/internal/dpop.createDPoPProof(0x0, ...)
```

ROOT CAUSE:
The authFlowAdapter.CompleteAuthFlow() received the full Session from
Client.CompleteAuthFlow() but only copied DID and AccessToken to the
internal/http.Session. Then sessionStoreAdapter.Set() only had access
to this limited session and stored an incomplete Session object missing:
- DPoPKey (causing the panic)
- RefreshToken (breaking token refresh)
- DPoPNonce (breaking nonce tracking)
- PDS, Handle, Email, EmailConfirmed, etc.

FIX:
1. Added lastSession field to authFlowAdapter to cache the full Session
2. Updated sessionStoreAdapter to reference authFlowAdapter
3. sessionStoreAdapter.Set() now retrieves the full Session from
authAdapter.lastSession before storing
4. Wired up the reference in CallbackHandler

This ensures the complete Session with all fields (especially DPoPKey)
is stored and available for subsequent API operations.

Changes:
- client.go:
* authFlowAdapter: Added lastSession field to cache full Session
* CompleteAuthFlow: Store full session in a.lastSession before returning
* sessionStoreAdapter: Added authAdapter reference
* Set(): Retrieve full session from authAdapter.lastSession
* CallbackHandler: Wire up authAdapter reference in sessionStoreAdapter

Testing:
- All existing tests pass
- Manual testing should verify:
* OAuth callback stores complete session
* CreatePost works after OAuth (DPoPKey present)
* Token refresh works (RefreshToken present)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Extracted HTTP handler implementations and middleware (rate limiting and
security headers) from root package to internal/http/, following the
pattern established in Steps 1.1-1.5.

Changes:

New Files:
- internal/http/handlers.go (144 lines)
* Handlers struct for HTTP handler implementations
* ClientMetadata, Login, Callback handlers
* AuthFlow and SessionStore interfaces for dependency injection
* Logger interface matching other internal packages

- internal/http/middleware.go (373 lines)
* RateLimiter with IP-based rate limiting
* SecurityHeadersMiddleware with environment-aware CSP policies
* Localhost detection and HTTPS detection
* SecurityHeadersOptions for customization

- internal/http/middleware_ratelimit_test.go (moved from ratelimit_test.go)
* Updated package declaration to "http"
* Fixed imports (net/http/httptest)
* Added test logger implementation
* Updated all NewRateLimiter calls with loggerGetter parameter

- internal/http/middleware_security_test.go (moved from securityheaders_test.go)
* Updated package declaration to "http"
* Fixed imports (net/http/httptest)

Modified Files:
- client.go
* Added internalhttp import
* ClientMetadataHandler delegates to internal/http (5→6 lines)
* LoginHandler delegates to internal/http (32→12 lines, 63% reduction)
* CallbackHandler delegates to internal/http (56→17 lines, 70% reduction)
* Added authFlowAdapter and sessionStoreAdapter for type conversion
* Total handler code reduction: 93→35 lines (62% reduction)

- ratelimit.go (fully rewritten as thin wrapper)
* Wraps internal/http.RateLimiter
* NewRateLimiter adapts logger context
* Middleware, Cleanup, StartCleanup delegate to internal
* Size reduction: 117→43 lines (63% reduction)

- securityheaders.go (fully rewritten as thin wrapper)
* Re-exports SecurityHeadersOptions type
* SecurityHeadersMiddleware delegates to internal/http
* SecurityHeadersMiddlewareWithOptions delegates to internal/http
* Size reduction: 279→61 lines (78% reduction)

Implementation Details:
- Maintained 100% backward compatibility - all public APIs unchanged
- Used adapter pattern to convert between public and internal types
- Logger interface matches other internal packages
- All handler logic moved to internal package
- Public API provides thin wrappers with type adaptation
- Test files moved to internal/http and updated for new package structure

Testing:
- All existing tests pass with race detection
- Rate limiter tests updated to work with internal package structure
- Security headers tests work unchanged
- No regressions in handler functionality
- Full test coverage maintained

Progress: Phase 1 now 6/8 steps complete (75%)
- ✅ Steps 1.1-1.6 complete
- ⏳ Steps 1.7-1.8 remaining (validation, testing/documentation)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Extracted CreatePost, CreateRecord, and DeleteRecord implementations
from client.go to internal/api/client.go, following the same pattern
established in Steps 1.1-1.4.

Changes:

New Files:
- internal/api/client.go (297 lines)
* API Client struct with dependency injection for transport, logging,
and validation
* CreatePost implementation with validation and PDS endpoint resolution
* CreateRecord implementation supporting custom collections
* DeleteRecord implementation
* Session struct for DPoP nonce tracking
* Logger interface matching other internal packages
* Request types: CreatePostRequest, CreateRecordRequest,
DeleteRecordRequest

Modified Files:
- client.go
* Removed unused imports (bsky, identity, syntax, util, xrpc)
* Updated CreatePost to delegate to internal/api (78→31 lines, 60% reduction)
* Updated CreateRecord to delegate to internal/api (89→34 lines, 62% reduction)
* Updated DeleteRecord to delegate to internal/api (67→32 lines, 52% reduction)
* Added logger adapter functions to match api.Logger interface
* Total reduction: 224→97 lines (57% reduction)

Implementation Details:
- Maintained 100% backward compatibility - public API unchanged
- Used DPoPTransportFactory pattern for transport dependency injection
- Logger adapter wraps *slog.Logger to match api.Logger interface
- Session nonce tracking: api.Session updated, then copied back to Session
- All validation functions injected as dependencies
- PDS endpoint resolution moved to internal package

Testing:
- All existing tests pass with race detection
- No regressions in CreatePost, CreateRecord, DeleteRecord functionality
- DPoP nonce tracking verified through existing integration tests

Progress: Phase 1 now 5/8 steps complete (62.5%)
- ✅ Steps 1.1-1.5 complete
- ⏳ Steps 1.6-1.8 remaining (handlers, validation, testing)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Complete Step 1.1 of Phase 1 by extracting token operations and metadata
discovery from root oauth.go to internal/oauth/ packages. This maintains
100% backward compatibility while improving code organization.

Changes:
- Created internal/oauth/token.go with TokenExchanger for token operations
- RefreshTokenRequest() - handles refresh token exchange with DPoP
- ExchangeCodeForTokens() - handles authorization code exchange
- ParseTokenExpiration() - helper for parsing token expiry
- ValidateRefreshToken() - validates refresh token availability

- Created internal/oauth/metadata.go with MetadataFetcher
- FetchAuthServerMetadata() - fetches OAuth server metadata
- Handles timeout errors and logging

- Updated oauth.go RefreshToken() to use internal packages
- Uses MetadataFetcher for server metadata
- Uses TokenExchanger for token operations
- Cleaner, more modular implementation

- Updated oauth.go CompleteAuthFlow() to use TokenExchanger
- Replaced direct call to exchangeCodeForTokens

- Removed old internal methods (165 lines deleted)
- Deleted refreshTokenRequest()
- Deleted exchangeCodeForTokens()

Benefits:
- Reduced oauth.go from 641 to 476 lines (25% reduction)
- Better separation of concerns (token ops, metadata, state)
- Easier to test each component in isolation
- Internal implementation hidden from library users
- Foundation for future OAuth improvements

Testing:
- All 319+ tests passing with race detection
- Full backward compatibility maintained
- Public API unchanged

Completes REFACTORING_PLAN.md Phase 1, Step 1.1 (OAuth extraction)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Extract session store implementation from root package to internal/session/
while maintaining 100% backward compatibility. This continues Phase 1 of the
library refactoring plan.

Changes:
- Created internal/session/memory.go with MemoryStore implementation
- Updated root session.go to wrapper delegating to internal package
- Re-exported session errors (ErrSessionNotFound, ErrInvalidSession)
- Updated MemorySessionStore to wrap internal MemoryStore
- Integrated logger delegation to internal package
- Updated session tests to only test public API behavior
- Removed tests that checked internal implementation details

Benefits:
- Better code organization with focused session management package
- Internal implementation hidden from library users
- Session types and SessionStore interface remain in root types.go
- Easier to test session functionality in isolation
- Foundation for future session improvements without breaking changes

Testing:
- All tests passing with race detection
- Full backward compatibility maintained
- Public API unchanged

Related to REFACTORING_PLAN.md Phase 1, Step 1.4

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Extract JWT validation and JWKS caching from root package to
internal/jwt/ while maintaining 100% backward compatibility. This
continues Phase 1 of the library refactoring plan.

Changes:
- Created internal/jwt/verify.go with all JWT validation logic
- Created internal/jwt/verify_test.go with comprehensive unit tests
- Updated root jwt.go to thin wrapper re-exporting error variables
- Exported ValidateAccessToken() for internal library use
- Moved JWKSCache and all JWKS fetching logic to internal package

Benefits:
- Better code organization with focused JWT validation package
- Internal implementation hidden from library users
- All JWT-related errors still available via root package
- Easier to test JWT functionality in isolation
- Foundation for future JWT improvements without breaking changes

Testing:
- All tests passing with race detection
- Full backward compatibility maintained
- Public error variables still accessible

Related to REFACTORING_PLAN.md Phase 1, Step 1.3

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Extract DPoP functionality from root package to internal/dpop/ while
maintaining 100% backward compatibility. This is part of Phase 1 of the
library refactoring plan to improve code organization and separation of
concerns.

Changes:
- Created internal/dpop/transport.go with Transport type and all DPoP logic
- Created internal/dpop/transport_test.go with comprehensive unit tests
- Updated root dpop.go to thin wrapper delegating to internal package
- Added DPoPTransport interface for nonce management
- Exported CreateDPoPProof() and GenerateRandomString() for internal use
- Updated client.go to use DPoPTransport interface instead of concrete type
- Updated oauth.go to import and use internal/dpop functions
- Simplified root dpop_test.go to only test public API wrappers

Benefits:
- Better code organization with focused, single-responsibility packages
- Internal implementation details hidden from library users
- Easier to test DPoP functionality in isolation
- Foundation for future refactoring without breaking changes
- Clear separation between public API and internal implementation

Testing:
- All 319 tests passing with race detection
- Full backward compatibility maintained
- Public API unchanged

Related to REFACTORING_PLAN.md Phase 1, Step 1.2

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

This is the first step of the library refactoring plan to improve
structure and maintainability. This change is 100% backward compatible
with no breaking changes to the public API.

Changes:
- Created internal/oauth package structure
- Moved OAuth state management to internal/oauth/state.go
- StateStore (was oauthStateStore)
- State (was internalOAuthState)
- Exported methods: NewStateStore, Set, Get, Delete, Stop
- Updated oauth.go to use internal/oauth.StateStore
- Updated oauth_test.go to use new API
- Removed direct access to internal fields in tests

Benefits:
- Clear separation between public API and internal implementation
- Internal implementation can be refactored without breaking changes
- Better code organization and discoverability
- Foundation for further refactoring steps

Testing:
- All 319 tests passing
- OAuth state store tests updated and passing
- No changes to public API surface
- Backward compatible

Next Steps (from REFACTORING_PLAN.md):
- Extract token operations to internal/oauth/token.go
- Extract metadata discovery to internal/oauth/metadata.go
- Create flow orchestration in internal/oauth/flow.go

See REFACTORING_PLAN.md for complete refactoring roadmap.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Added support for configuring the OAuth client application_type to
support both web and native application deployments.

Features:
- New ApplicationType field in ClientOptions with constants:
- ApplicationTypeWeb ("web") - default, for web-based applications
- ApplicationTypeNative ("native") - for desktop/mobile applications
- Added ApplicationType field to Client struct
- Updated GetClientMetadata() to use configured application_type
- Validates application type and logs warning for invalid values
- Defaults to "web" for backward compatibility

Implementation Details:
- Constants defined per OpenID Connect specification
- Web apps must use HTTPS redirect URIs (except localhost)
- Native apps may use custom URI schemes or http://localhost
- Invalid types trigger warning log and default to "web"
- Client metadata endpoint now serves configured application_type

Testing:
- Added 6 comprehensive test cases covering:
- Default behavior (web)
- Explicit web configuration
- Native application configuration
- Invalid type handling
- Empty type handling
- Constants verification
- All 319 tests passing

Documentation:
- Added Application Type section to README with:
- Usage examples for web and native applications
- Application type values and their meanings
- Redirect URI constraints for each type
- Links to OpenID Connect and AT Protocol specifications
- Updated CHANGELOG with feature details

Compliance:
- Follows OpenID Connect Dynamic Client Registration 1.0 specification
- Complies with AT Protocol OAuth client metadata requirements
- Maintains backward compatibility (defaults to "web")

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Added documentation showing how to handle expired tokens by catching
401 "invalid_token" errors from API calls and automatically refreshing.

This complements the existing proactive refresh strategy and handles
edge cases like:
- Tokens expiring between expiration check and API call
- Users returning after long periods of inactivity (12+ hours)
- Clock skew causing premature token expiration

The reactive pattern is already implemented in the web-demo and this
documentation helps other library users implement the same pattern.

Changes:
- Added "Handling Expired Tokens in API Calls" section to README
- Provides complete code example with error detection and retry logic
- Explains when reactive refresh is necessary vs proactive
- Updated CHANGELOG to document the new pattern

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Previously, the web-demo would fail with "XRPC ERROR 401: invalid_token:
exp claim timestamp check failed" when attempting API operations after
the access token expired (typically after 12 hours of inactivity).

While checkAndRefreshToken() proactively refreshed tokens within 5
minutes of expiration, it didn't handle cases where tokens expired
between the check and the API call, or when users returned after long
periods of inactivity.

Changes:
- Enhanced createPostHandler to detect 401 "invalid_token" errors
- Enhanced createRecordHandler to detect 401 "invalid_token" errors
- Enhanced deleteRecordHandler to detect 401 "invalid_token" errors
- All handlers now automatically refresh tokens when expired
- Retry the original operation after successful token refresh
- Provide clear error messages when refresh fails

Error Handling Flow:
1. Detect 401 with "invalid_token" in error message
2. Log the expiration and attempt automatic refresh
3. Update session with new tokens
4. Retry the original API operation with fresh token
5. If refresh fails, prompt user to re-authenticate

This fix ensures seamless operation even after long periods of
inactivity, improving user experience by handling token expiration
transparently in the background.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Previously, the DPoP transport only retried requests when the server
returned "use_dpop_nonce" or "nonce" errors. This caused "DPoP proof
replayed" errors to fail without retry, even when the server provided
a fresh nonce.

Changes:
- Enhanced error detection in RoundTrip to recognize replay-related
errors ("replayed", "invalid_dpop_proof")
- Consolidated error checking logic to handle all DPoP-related errors
- Automatically requests fresh nonce and retries when replay detected
- Improved error response body handling to restore body for non-DPoP errors

Testing:
- Added TestDPoPTransportReplayErrorRetry to verify replay error handling
- All existing DPoP tests continue to pass
- Full test suite passes with race detection

This fix improves reliability of API calls by preventing unnecessary
failures when the server's replay detection triggers, which can happen
in high-traffic scenarios or when clocks are slightly out of sync.

Resolves the "invalid_dpop_proof: DPoP proof replayed" error reported
in CreatePost operations.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Security improvements based on golangci-lint security scan:

HIGH Priority:
- Add HTTP server timeouts (15s read/write, 60s idle) to prevent
resource exhaustion attacks (G114)

LOW Priority:
- Add error handling for w.Write() in homeHandler
- Add error logging for DeleteSession() in logoutHandler

The server now displays timeout configuration on startup:
- Client requests: 30s total timeout
- Server read: 15s, write: 15s, idle: 60s

All security issues identified in web-demo scan are now resolved.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Updated documentation to reflect the addition of gofmt and golangci-lint
to the pre-commit hooks:
- README.md: Updated development setup section
- CONTRIBUTING.md: Updated development dependencies and hook description
- CHANGELOG.md: Expanded pre-commit hooks entry

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Enhanced pre-commit hooks with additional code quality checks:
- Added gofmt check to ensure consistent code formatting
- Added golangci-lint for comprehensive code quality checks
- Created .golangci.yml configuration with sensible defaults
- Auto-installs golangci-lint if not present
- Fixed code formatting with gofmt -w .
- Fixed misspelling: "cancelled" -> "canceled"
- Updated install-hooks.sh to document new checks

Hook now runs:
1. gofmt - code formatting check
2. golangci-lint - code quality and style (20+ linters)
3. govulncheck - vulnerability scanning
4. go test -race - tests with race detection
5. go mod verify - dependency verification

All checks passing! ✅

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Documented the addition of pre-commit hooks for local security checks.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Added pre-commit git hooks to run automatic checks before commits:
- scripts/pre-commit: Hook that runs govulncheck, tests, and mod verify
- scripts/install-hooks.sh: Installation script for hooks
- CONTRIBUTING.md: Contributor guidelines and development setup
- Updated README.md with development setup section

The pre-commit hook runs:
- govulncheck - Vulnerability scanning
- go test -race - Tests with race detection
- go mod verify - Dependency verification

All checks must pass before commit is allowed. Can bypass with --no-verify.

Installation: ./scripts/install-hooks.sh

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

deps(deps): Bump the dependencies group with 2 updates

Updated github.com/hashicorp/go-retryablehttp from v0.7.5 to v0.7.7
to fix leak of sensitive information to log files.

Vulnerability details:
- CVE: GO-2024-2947
- Severity: Leak of sensitive information to log files
- Fixed version: v0.7.7
- More info: https://pkg.go.dev/vuln/GO-2024-2947

Detected by govulncheck. All tests passing after update.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Bumps the dependencies group with 2 updates: [github.com/ipfs/go-cid](https://github.com/ipfs/go-cid) and [github.com/whyrusleeping/cbor-gen](https://github.com/whyrusleeping/cbor-gen).


Updates `github.com/ipfs/go-cid` from 0.4.1 to 0.6.0
- [Release notes](https://github.com/ipfs/go-cid/releases)
- [Commits](https://github.com/ipfs/go-cid/compare/v0.4.1...v0.6.0)

Updates `github.com/whyrusleeping/cbor-gen` from 0.2.1-0.20241030202151-b7a6831be65e to 0.3.1
- [Commits](https://github.com/whyrusleeping/cbor-gen/commits/v0.3.1)

---
updated-dependencies:
- dependency-name: github.com/ipfs/go-cid
dependency-version: 0.6.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: dependencies
- dependency-name: github.com/whyrusleeping/cbor-gen
dependency-version: 0.3.1
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>

Updated documentation to reflect completion of dependency security
scanning with Dependabot and GitHub Actions workflow.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Added automated dependency management and security scanning:
- Dependabot configuration for weekly Go module updates
- Groups minor and patch updates together
- Opens max 5 PRs to keep review manageable
- Runs weekly on Mondays at 9am Pacific
- Auto-labels with "dependencies" and "go"
- GitHub Actions workflow for security scanning
- Runs govulncheck on push, PR, and weekly schedule
- Includes test suite with race detection
- Uploads coverage to Codecov
- Runs on Go version specified in go.mod

This implements the recommendation from TODO.md Issue #14.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Implementation is complete and documented in CHANGELOG.md and TODO.md.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Added comprehensive timeout configuration to prevent indefinite hangs:
- Default HTTP client with 30s total timeout, 10s connection/TLS/headers
- Replaced all http.Get() with context-aware http.NewRequestWithContext()
- Added SetHTTPClient()/GetHTTPClient() for global configuration
- Added HTTPClient field to ClientOptions for per-client configuration
- Created IsTimeoutError() helper to detect timeout errors
- Timeout-specific error logging throughout OAuth flow
- 10 new test cases (timeout_test.go, errors_test.go)
- Updated web-demo to demonstrate custom timeout configuration
- Full documentation in README with examples
- All 286 tests passing

Zero breaking changes - all additions backwards compatible.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Implemented automatic token refresh in the web-demo to demonstrate the
token refresh functionality and improve user experience.

Features:
- Added checkAndRefreshToken() helper function
- Checks if token will expire in next 5 minutes
- Automatically refreshes tokens using RefreshToken() method
- Updates session in store after successful refresh
- Redirects to login if refresh fails
- Comprehensive logging for refresh operations

Implementation:
- Applied to all API handlers (postHandler, createRecordHandler, deleteRecordHandler)
- Uses request ID correlation for logging
- Graceful fallback to login on refresh failure
- Zero user-facing changes when tokens are valid

Benefits:
- Users stay logged in without re-authentication
- Demonstrates refresh token usage in real application
- Shows proper error handling for expired refresh tokens
- Educational example of token refresh implementation

The demo now automatically refreshes access tokens before they expire,
providing a seamless user experience without interrupting sessions.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Changed all references from "ongaku" to more generic names for clarity
since the demo now uses com.demo.bskyoauth as the record type.

Changes:
- Renamed createOngakuHandler to createRecordHandler
- Renamed deleteOngakuHandler to deleteRecordHandler
- Updated routes from /create-ongaku to /create-record
- Updated routes from /delete-ongaku to /delete-record
- Changed "Ongaku prototype text" to "Custom record text"
- Changed button labels to "Create/Delete Custom Record"

The functionality remains the same - creating and deleting custom records
in the com.demo.bskyoauth collection.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Added comprehensive token refresh functionality to enable access token renewal
without requiring full re-authentication. Improves user experience and enables
shorter-lived access tokens for better security.

New Features:
- RefreshToken() method to exchange refresh tokens for new access tokens
- Token expiration tracking in Session struct (AccessTokenExpiresAt, RefreshTokenExpiresAt)
- Automatic expiration parsing from OAuth token responses
- Helper methods: IsAccessTokenExpired(), IsRefreshTokenExpired(), TimeUntilAccessTokenExpiry()
- UpdateSession() method to persist refreshed tokens
- refreshTokenRequest() helper with DPoP nonce retry support

AT Protocol Compliance:
- Single-use refresh tokens (old token invalidated after use)
- DPoP binding maintained across token refresh
- Per specification requirements

Implementation Details:
- Token expiration automatically parsed in CompleteAuthFlow()
- Comprehensive logging for refresh operations
- Error handling for expired/missing tokens
- Zero breaking changes - all additions backwards compatible

Testing:
- 6 new test cases for token expiration and refresh
- All 199 tests passing

Documentation:
- Full Token Refresh section in README with examples
- Error handling guidance
- Important notes about single-use tokens and DPoP binding
- Updated CHANGELOG.md with complete feature list
- Updated TODO.md moving #12 to completed section

Changes:
- types.go: Added AccessTokenExpiresAt and RefreshTokenExpiresAt fields
- oauth.go: Added RefreshToken() and refreshTokenRequest() methods
- oauth.go: Updated CompleteAuthFlow() to parse expiration times
- client.go: Added UpdateSession() and token expiration helper methods
- token_test.go: New test file with 6 comprehensive test cases
- README.md: Added Token Refresh section with usage examples
- CHANGELOG.md: Documented all refresh token additions
- TODO.md: Moved Issue #12 to completed section
- Removed IMPLEMENTATION_PLAN_ISSUE12.md

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Changed custom record collection from club.ongaku.prototype to
com.demo.bskyoauth to better reflect the demo nature of the example.

Changes:
- Updated collection name in CreateRecord calls
- Updated collection name in DeleteRecord calls
- Updated UI labels and log messages
- All 5 occurrences updated consistently

The new NSID follows AT Protocol naming conventions and clearly
indicates this is a demo/example record type for the bskyoauth library.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Created comprehensive plan for implementing token refresh functionality to
enable access token renewal without full re-authentication.

Plan includes:
- Token expiration tracking in Session struct
- RefreshToken() method with DPoP support
- Token expiration helper methods
- Optional automatic refresh in API methods
- Per AT Protocol spec: single-use refresh tokens, DPoP binding
- Comprehensive testing strategy
- Documentation updates

Phases:
1. Core refresh functionality (RefreshToken method)
2. Helper methods (expiration checking, session updates)
3. Optional automatic refresh (advanced)
4. Testing (unit and integration)
5. Documentation (README, CHANGELOG)

Estimated: 8-13 hours depending on scope
No breaking changes - all backwards compatible additions

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Added ngrok configuration example to demonstrate easy HTTPS setup for
local development and OAuth testing. Thanks ngrok! :D

Features shown:
- Quick HTTPS setup for testing OAuth flows
- No server configuration required
- Request inspection at http://127.0.0.1:4040
- Perfect for development before deploying to production

Placed after Caddy example in the Reverse Proxy Configuration section.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Added structured logging configuration to the web-demo example to demonstrate
the logging functionality added in the previous commit.

Changes:
- Configure logger with NewLoggerFromEnv() at startup
- Add request ID correlation to login handler
- Add request ID logging to callback success handler
- Display logging configuration in startup message (Info/Error level, format)
- Request IDs now included in log output for correlation

The demo now shows environment-based logging configuration in action:
- Localhost: Info level with text format for readability
- Production: Error level with JSON format for structured processing

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>