- Updated version badge from 0.1.1 to 0.2.0.
- Renamed "Manual integration tests" section to "Docker-based integration tests" and clarified the testing process with Docker.
- Enhanced descriptions of integration scripts to reflect their functionality with a Docker cluster.
- Updated the coverage section to align with the new testing approach, emphasizing the discover round-trips.
### Major changes
- **Client-side identity** — New session key store (`sessionKey.ts`) backed by
`sessionStorage` with a module-level caching, a `crypto.subtle` cache, a `useIdentityLock`
hook for decrypt-once signing, `followSignature.ts` for signed follows, and
two new UI modals (`IdentityBackup.tsx`, `UnlockIdentityModal.tsx`).
`CreateIdentity.tsx` is rewritten to generate BIP-39 mnemonics and encrypt the
Ed25519 keypair with AES-256-GCM via PBKDF2 (600k iterations) before storing
in IndexedDB.
- **Rate limiting** — New `rate-limit-config.ts` and `rate-limit.ts` provide a
per-IP sliding-window rate limiter backed by Redis. All external-facing routes
(`/discover`, `/discover/rotate/*`, `/proxy`, social API endpoints) now have
conservative defaults wired into the custom HTTP server before requests reach
Next.js handlers.
- **Proxy route hardening** — The `/proxy` route now enforces a 256 KB payload
limit (HTTP 413), validates JSON before parsing, applies a per-origin rate
limit (100 req/min), and imports the `blocks` table to reject requests from
blocked servers.
- **Docker integration-test cluster** — New `Dockerfile`, `.dockerignore`, and
`tests/docker-compose.yml` orchestrate three SiPher instances (A, B, C) plus
shared PostgreSQL and Redis. Key generation (`generate-keys.ts`) and discovery
setup (`setup-discovery.ts`) scripts automate cluster bootstrap. Three example
env files document required per-instance configuration.
- **Full test suite overhaul** — Replaces the old attack/auth/discover/key/proxy
tests with a structured suite:
* `tests/federation/` — Keytools unit tests + key-rotation e2e test
* `tests/proxy/` — Proxy relay e2e tests (single-server validation)
* `tests/integration/` — Multi-instance integration tests for discover,
proxy-chain relay, and federated post delivery via BullMQ
* `tests/helpers/` — Reusable DB, identity, and auth-user utilities
* Playwright config updated to match new file conventions
* Unused helpers (`tests/helpers/queue.ts`) removed
- **Social plugin endpoints** — Rewritten `follows.ts`, `blocks.ts`, `mutes.ts`,
and `posts.ts` with proper federation integration. `social.ts` gains helpers
for looking up posts by federation URL.
### Minor changes
- **README** — Expanded from a 42-line stub to a full architecture guide with
tables for every layer (auth, DB, queues, storage, real-time), API route
documentation, setup instructions, environment variables, test coverage, and
the updated roadmap.
- **Federation helpers** — `keytools.ts` refactors imports and cleans up the public surface.
`fetch.ts`, `registry.ts`, and `proxy-helpers/federated-post.ts` pick up small
improvements. `PostFederationSchema` simplifies its encryption type assertion.
- **Plugin infrastructure** — Oven plugin schema and server index gain minor
refactors. Social client adds a `muteUser` method.
- **UI components** — `switch.tsx` and `tooltip.tsx` rewritten for Radix v2 /
Tailwind 4; `accordion.tsx`, `dropdown-menu.tsx`, `form`, `button`, `card` get
minor consistency fixes. `dialog.tsx` removes unused `DialogHeader`.
- **Server bootstrap** — `server.ts` imports DB schema before `instrumentation`
for correct Drizzle initialization, rate-limiting routes are wired, and CORS
allows federation origins. `auth.ts` regenerates Oven and social plugin schemas.
- **Dependencies** — Added `@noble/ciphers` and `@noble/hashes` (crypto
primitives). Removed `@signalapp/libsignal-client`, `base58-js`, `nanostores`,
`tweetnacl-util`, `dexie-react-hooks`, `socket.io-client`. Updated all Better
Auth packages to 1.6.11, BullMQ to 5.76.10, and various dev deps across the
board.
- **.gitignore** — Added `/audits` and `tests/docker/*.env` to prevent secret
leakage.
- **DB schema** — `blocks` table imported in `src/lib/db/schema/index.ts`.
Co-authored-by: Cursor <cursoragent@cursor.com>
- Introduced a new Redis worker connection function to manage worker-specific connections, enhancing reliability.
- Updated the health check job scheduling to use a SHA-256 hash for generating safe job IDs, improving uniqueness and security.
- Added a comprehensive README to document the federation background job queue, including job interfaces, exported functions, and usage examples.
- Refactored existing code for better organization and clarity, including updates to job processing and error handling.
This update aims to strengthen the federation's job processing capabilities and improve overall system documentation.
This update also finishes #4
Major changes:
- Restructure plugin architecture: moved federation logic into a dedicated `federation` plugin with Better Auth integration, defining schemas for server registry, key rotation, and blacklist management
- Extract encryption layer: new `oven` plugin handles end-to-end encryption (E2EE) with OLM client/server implementations
- Reorganize social features: consolidated social endpoints (posts, follows, blocks, mutes) and removed legacy plugin patterns in favor of unified plugin structure
- Decentralized key management: refactored `keytools` and `keygen` to support federation key rotation with challenge tokens and health checks
Infrastructure updates:
- Upgrade dependencies: bump Better Auth to 1.6.9, React to 19.2.5, Next.js to 16.2.3, Tailwind to 4.2.4
- Add cryptographic libraries: @scure/bip39, @signalapp/libsignal-client, @matrix-org/matrix-sdk-crypto-wasm for enhanced federation security
- Add utilities: base58-js, uuid for federation identifier handling
- Update database schema with new federation tables (serverRegistry, rotateChallengeTokens, blacklistedServers)
Minor updates: test suite alignment, storage client cleanup, PostFederationSchema refinements
Co-authored-by: Cursor <cursoragent@cursor.com>
- Introduced single Redis connection for managing federation delivery jobs, improving reliability and performance.
- Updated environment configuration to include Redis connection details and allowed hostnames for CORS.
- Refactored existing code to streamline federation processes and improve error handling.
- Enhanced database schema to track acknowledgment status for follow requests.
This update aims to strengthen the federation's communication capabilities and ensure better handling of server interactions.
#3#4
- Added a new proxy route to relay encrypted federation traffic between servers, allowing for better communication in restricted environments.
- Implemented health check mechanisms for server registration, including tracking health status and scheduling health checks.
- Updated the database schema to include health check attempts and unhealthy reasons for servers.
- Enhanced the federation fetch logic to handle errors more gracefully and support proxying requests.
- Improved README documentation with a new section explaining public/private data handling and added links to mirrors.
- Refactored existing code for better organization and clarity, including updates to various federation-related modules.
#3
This should all be tested throughly, the workers are messy and poluted, a rework is needed and should be prioritized.
They work, but the code is poorly documented and there is no proper testing of the workers, some of them run twice and there are major issues on them.
- Updated package dependencies to their latest versions.
- Modified `next.config.ts` to dynamically set allowed development origins from environment variables.
- Enhanced `package.json` scripts for development and testing, adding new test commands for proxy tests.
- Adjusted Playwright configuration to use the updated server command for testing.
#3
- Added support for following users with optional federation URLs, allowing for cross-server interactions.
- Implemented new endpoints for following and unfollowing users, including payload validation and error handling.
- Introduced federation delivery jobs to handle follow requests across different servers.
- Updated database schema to include references for follower and following server URLs.
- Enhanced URL validation to allow localhost during development while maintaining security checks.
- Refactored existing social endpoints to accommodate new follow logic and improve code organization.
- Added new environment variables for MinIO configuration in .env.local.example.
- Updated package.json and bun.lock to include new dependencies for key management and encryption.
- Refactored server and route handling to support Ed25519 and X25519 key pairs for improved security during key rotation.
- Implemented validation for public keys and enhanced error handling in the discovery routes.
- Introduced new challenges for key rotation, ensuring secure communication between federations.
- Updated README with additional instructions for the new key rotation process.
- Added a new test suite for attack vectors targeting the /discover federation routes, ensuring (known) vulnerabilities are addressed.
- Implemented a proxy function to check for blacklisted servers, enhancing security measures.
- Introduced URL validation to prevent SSRF attacks by blocking internal addresses.
- Updated package.json with a new test command for the attack tests.
- Refactored server and route handling to improve type safety and error handling.
- Added new middleware for blacklist checks and URL validation to prevent unauthorized access.
- Reintroduced the command for generating federation keys in the package.json.
- Updated the route for server discovery to use the new BETTER_AUTH_URL environment variable.
- Added checks to ensure federation keys are set before authentication.
- Updated package dependencies, including the addition of the 'minio' package and updates to '@types/node' and 'shadcn'.
- Introduced a new test suite for server discovery functionality, ensuring proper registration and response handling.
- Enhanced public key validation logic to include detailed error messages for invalid keys.
- Updated package.json with a new test command for the discovery tests.
- Removed outdated Playwright CI workflow configuration.
- Added new routes for server discovery and key rotation, including challenge issuance and confirmation processes.
- Introduced database schema for managing server registrations and rotation challenges.
- Implemented encryption and decryption utilities for secure communication between servers.
- Updated package dependencies and added new client and server plugins for social features.
- Enhanced user management with additional fields and relations in the database schema.
- Updated user status handling to include optional user-set status, improving user experience during reconnections.
- Added new queries and mutations for managing nests, including fetching non-offline user IDs and forcing users offline.
- Introduced new database schema for nests, roles, and channels, enhancing the application's organizational structure.
- Updated dependencies in package.json and bun.lock for improved stability and compatibility.
- Refactored related components and API to support the new nests functionality.
- Updated various dependencies in package.json and bun.lock to their latest versions for improved stability and security.
- Introduced a new ecosystem.config.cjs file for better environment management.
- Enhanced OLM password handling with encryption and decryption functionalities. (Testing)
- Improved UI components for password dialogs to provide better user feedback and error handling.
- Added new database schema for managing nests and roles in the application.
- Updated color variables in globals.css for improved accessibility and visual consistency.
- Adjusted font styles and shadow properties for better readability and aesthetics.
- Enhanced DMChannelContent component with new button for sending messages and improved layout for message display.
- Integrated `moment` library for improved date formatting in direct messages.
- Refactored timestamp display logic to show relative time for today's messages and full date for older messages.
- Made various UI adjustments for better responsiveness and consistency across components for the mobile version.
- Updated dependencies in `package.json` and `bun.lock` to include `moment`.
- Fixed race condition on @olm-context.tsx when a session is created
- Fixed an issue where the participants ids where being set to the current user only
- Added safeguard for the dm event to try to either parse the message or use it as-is
- Added `trustedOrigins` to authentication options for improved security.
- Updated `@types/bun` and related dependencies in package.json and bun.lock for compatibility.
- Refactored database query for fetching OLM accounts to improve performance and clarity.
- Added support for consuming one-time keys (OTK) in the authentication flow.
- Implemented new mutation `consumeOTK` to handle OTK consumption and update user accounts.
- Updated participant details to include OLM account information.
- Refactored socket management to improve direct messaging functionality.
- Introduced new UI components for password handling and user interactions.
- Updated dependencies in package.json and bun.lock for compatibility and feature enhancements.
- Upgraded `@convex-dev/better-auth` to version 0.10.9.
- Updated `better-auth` to version 1.4.9.
- Incremented `convex` to version 1.31.2.
- Updated `lucide-react` to version 0.562.0.
- Bumped `next` to version 16.1.1.
- Updated `react-day-picker` to version 9.13.0.
- Upgraded `socket.io` and `socket.io-client` to version 4.8.3.
- Updated `@types/bun` to version 1.3.5.
- Added `getParticipantDetails` query to fetch details of multiple participants in a direct message channel.
- Introduced `dexie-react-hooks` for improved state management with Dexie.
- Refactored user validation logic to support optional user authentication.
- Created new UI components for friend actions and friend list display.
- Implemented a layout structure for the application, including a sidebar and main content area.
- Updated socket management to handle connection states more effectively.
- Removed deprecated `page.tsx` file and organized routing structure for better maintainability.
- Implemented a modal for sending and managing friend requests, allowing users to send, accept, decline, or ignore requests.
- Enhanced user status management by integrating real-time updates for online, busy, offline, and away statuses.
- Updated the API and database schema to support new friend request and user status features.
- Improved socket management for better connection handling and user experience.
- Refactored UI components to accommodate new functionalities while maintaining consistency.
- Updated class names in various components to use a more consistent syntax, particularly with respect to data attributes.
- Adjusted styles in ButtonGroup, Calendar, Command, ContextMenu, Field, Item, Kbd, Menubar, and Tooltip components to enhance maintainability.
- Ensured that the changes do not affect the existing functionality of the components.
- Introduced user status management with the ability to update online, busy, offline, and away statuses.
- Added metadata fields for user preferences, including phrase preferences and friends list.
- Updated API and database schema to accommodate new user fields.
- Enhanced the authentication component to handle additional user data effectively.
- Implemented hooks for socket management and OLM setup to improve user experience.
- Updated various dependencies in package.json and bun.lock for better compatibility and features.
- Added OLM (Object Location Management) support by including necessary files and updating authentication logic.
- Enhanced the authentication flow with better error handling and user feedback.
- Introduced new database schema for OLM accounts and updated related API components.
- Improved socket connection management and user interface elements for a smoother user experience.
Added all SQL scripts by using a python script to fetch them.
Also added a "About" page and a skeleton to the chat page.
Fixed the register function that was not setting the public_key on the database
