···8282- `getRecord` by `(space, repo, collection, rkey)`
8383- `listRecords`, limit 50, index-only response shape
8484- `getBlob` storage readback
8585-- `getRepoOplog` catch-up reads
8585+- `listRepoOps` catch-up reads
86868787Comparison against Daniel's permissioned-data branch should live in this
8888section once we have a repeatable way to run that PDS locally. Until then, keep
···139139union all select 'repo_blocks', count(*) from repo_blocks where did='$did'
140140union all select 'commits', count(*) from commits where did='$did'
141141union all select 'blobs', count(*) from blobs where did='$did'
142142-union all select 'spaces_owned', count(*) from permissioned_spaces where owner_did='$did'
142142+union all select 'spaces_owned', count(*) from permissioned_spaces where authority_did='$did'
143143union all select 'space_actor_state', count(*) from permissioned_space_actor_state where actor_did='$did'
144144union all select 'space_records', count(*) from permissioned_space_records where repo_did='$did'
145145union all select 'space_repos', count(*) from permissioned_space_repos where repo_did='$did'
+10-10
docs/permissioned-data-proposal-94.md
···1919- isolate prototype code under the existing `space` and permissioned-data
2020 modules
2121- add tests around durable semantics that are likely to survive
2222-- avoid adding new member-list or grant behavior in the old vocabulary
2222+- avoid adding new member-list behavior or resurrecting old credential names
23232424ZDS's immediate goal is modest: get ahead of the likely direction enough to
2525store private data on the user's PDS, while keeping the implementation easy to
···9595 break existing spaces that depend on the declaration, which makes lexicon
9696 resolution override behavior appropriate in a way that would be surprising
9797 for normal AT records.
9898-- `com.atproto.space.getMemberGrant` is older vocabulary. The proposal uses
9999- `com.atproto.space.getDelegationToken` as a PDS-issued OAuth query and then
100100- exchanges that with the space host through `getSpaceCredential`.
101101-- `getRepoOplog` is older vocabulary. The proposal uses `listRepoOps`.
9898+- ZDS should use the proposal names directly: `getDelegationToken` for the
9999+ PDS-issued OAuth query, and `listRepoOps` for incremental permissioned-repo
100100+ sync.
102101- The proposal adds `com.atproto.space.listRepos` so a space host can list known
103102 writer repos in a space without enumerating readers.
104103- The proposal adds `registerNotify` as an explicit syncer registration method.
105104 ZDS currently records credential recipients and supports write/deletion
106105 notifications, but does not expose this method shape.
107107-- Space credentials and delegation tokens have more specific JWT `typ`, `sub`,
108108- `aud`, `client_id`, lifetime, and verification expectations than ZDS's
109109- prototype helper names imply.
106106+- Space credentials and delegation tokens have specific JWT `typ`, `sub`,
107107+ `aud`, `client_id`, lifetime, and verification expectations. Keep ZDS helper
108108+ names and token shapes aligned with those names instead of inventing a local
109109+ credential vocabulary.
110110- The proposal introduces optional client attestation for app-bound space
111111 credentials.
112112- Space-authority DID documents are expected to publish `#atproto_space` and
···200200201201- per-space and per-writer repo isolation
202202- `ats://` parsing and formatting
203203-- OAuth scope gating for owner reads, self reads, writes, and management
203203+- OAuth scope gating for authority reads, self reads, writes, and management
204204- ranged blob reads through permissioned-data auth
205205- write oplog ordering and cursor behavior
206206- record-set commitment changes across create, update, and delete
207207-- deletion behavior for owner spaces versus writer repos
207207+- deletion behavior for authority spaces versus writer repos
208208209209These tests should stay separate from public-repo conformance tests so the
210210experimental surface can move without muddying stable PDS behavior.
+8-17
docs/permissioned-data.md
···5656 `updateSpaceConfig`, `deleteSpace`
5757- records and blobs: `createRecord`, `putRecord`, `deleteRecord`,
5858 `applyWrites`, `getRecord`, `listRecords`, `getBlob`
5959-- writer state: `getRepoState`, `getRepoOplog`, `notifyWrite`
6060-- credentials and deletion fanout: `getMemberGrant`, `getSpaceCredential`,
5959+- writer state: `getRepoState`, `listRepoOps`, `notifyWrite`
6060+- credentials and deletion fanout: `getDelegationToken`, `getSpaceCredential`,
6161 `notifySpaceDeleted`
62626363-The proposal draft has since moved some names and responsibilities. In
6464-particular, `getMemberGrant` maps only loosely to the newer
6565-`getDelegationToken`, and `getRepoOplog` maps only loosely to `listRepoOps`.
6666-Keep that vocabulary difference visible when changing this area.
6363+ZDS uses the proposal names for the credential and sync-read surface:
6464+`getDelegationToken` and `listRepoOps`.
67656866ZDS deliberately does not expose the older protocol member-list routes:
6967···9391experiment.
94929593For private spaces, ZDS currently mints space credentials only to the space
9696-owner DID unless the space is public. That is the conservative default until
9494+authority DID unless the space is public. That is the conservative default until
9795the protocol settles on an application or space-host policy hook for broader
9896credential issuance.
9997···106104ZDS stores many actor repos in one SQLite database, so permissioned data uses
107105explicit space-scoped tables instead of the public repo tables:
108106109109-- `permissioned_spaces`: canonical owner-space config keyed by space URI
110110-- `permissioned_space_actor_state`: actor-local owner/deleted state keyed by
107107+- `permissioned_spaces`: canonical authority-space config keyed by space URI
108108+- `permissioned_space_actor_state`: actor-local authority/deleted state keyed by
111109 `(space, actor_did)`
112110- `permissioned_space_records`: current records keyed by
113111 `(space, repo_did, collection, rkey)` with CID, DAG-CBOR value, repo revision,
···115113- `permissioned_space_repos`: writer repo state and current record-set hash
116114- `permissioned_space_record_oplog`: incremental record changes by
117115 `(space, repo_did, rev, idx)`
118118-- `permissioned_space_credentials`: short-lived prototype grants and
116116+- `permissioned_space_credentials`: short-lived prototype credentials and
119117 credentials
120118- `permissioned_space_credential_recipients`: services to notify for writes and
121119 space deletion
122120123121Permissioned records and blobs are not public repo records. They must not be
124122squeezed into `records`, `repo_blocks`, `commits`, or `seq_events`.
125125-126126-Existing databases from the earlier experiment drop the dedicated
127127-permissioned-space member tables during migration:
128128-129129-- `permissioned_space_members`
130130-- `permissioned_space_member_state`
131131-- `permissioned_space_member_oplog`
132123133124## Zat first
134125