still WIP
DO NOT MERGE

Signed-off-by: Seongmin Lee <git@boltless.me>

After refactoring record deletion logic, we only need
`db.GetReactionStatus`

Signed-off-by: Seongmin Lee <git@boltless.me>

- upsert public key to handle record update event
- don't delete by pair of name and key. delete by name or rkey instead.

Signed-off-by: Seongmin Lee <git@boltless.me>

Most service flow will be:

1. start db transaction
2. run db operation
3. run PDS operation
4. rollback db if anything above failed
5. commit transaction

If PDS operation succeed, don't try rollback anymore. The ingester will
backfill the missed db operations.

Signed-off-by: Seongmin Lee <git@boltless.me>

Signed-off-by: Seongmin Lee <git@boltless.me>

migrate tables: `stars`, `reactions`, `follows`, `public_keys`

Two major changes:

1. Remove autoincrement id for these tables.

AUTOINCREMENT primary key does not help much for these tables and only
introduces slice performance overhead. Use default `rowid` with
non-autoincrement integer instead.

2. Remove unique constraints other than `(did, rkey)`

We cannot block users creating non-unique atproto records. Appview needs
to handle those properly. For example, if user unstar a repo, appview
should delete all existing star records pointing to that repo.

To allow this, remove all constraints other than `(did, rkey)`.


Minor changes done while migrating tables:

- rename `thread_at` in `reactions` to `subject_at` to match with other
tables
- follow common column names like `did` and `created`
- allow self-follow (similar reason to 2nd major change. we should block
it from service layer instead)

Signed-off-by: Seongmin Lee <git@boltless.me>

Appview cannot modify the user-owned record on repository deletion

Signed-off-by: Seongmin Lee <git@boltless.me>

Signed-off-by: Seongmin Lee <git@boltless.me>

- RBAC should be enforced on service logic.
- We should not check for referenced records existence from db due to
the nature of atproto.
- Comment depth validation is not necessary. We can accept them and just
don't render replies with deeper depth.

Move markdown sanitizer to dedicated package to avoid import cycle

Signed-off-by: Seongmin Lee <git@boltless.me>

Signed-off-by: oppiliappan <me@oppi.li>

Signed-off-by: Lewis <lewis@tangled.org>

Signed-off-by: Lewis <lewis@tangled.org>

Signed-off-by: Lewis <lewis@tangled.org>

Signed-off-by: Lewis <lewis@tangled.org>

Signed-off-by: Lewis <lewis@tangled.org>

Signed-off-by: oppiliappan <me@oppi.li>

Signed-off-by: Lewis <lewis@tangled.org>

Signed-off-by: Anirudh Oppiliappan <anirudh@tangled.org>

Signed-off-by: oppiliappan <me@oppi.li>

Signed-off-by: oppiliappan <me@oppi.li>

Signed-off-by: Seongmin Lee <git@boltless.me>

🤑📈

Signed-off-by: Anirudh Oppiliappan <anirudh@tangled.org>

Signed-off-by: Anirudh Oppiliappan <anirudh@tangled.org>

Signed-off-by: Anirudh Oppiliappan <anirudh@tangled.org>

Signed-off-by: Anirudh Oppiliappan <anirudh@tangled.org>

Signed-off-by: Anirudh Oppiliappan <anirudh@tangled.org>

Signed-off-by: Anirudh Oppiliappan <anirudh@tangled.org>

Signed-off-by: Anirudh Oppiliappan <anirudh@tangled.org>

Signed-off-by: Anirudh Oppiliappan <anirudh@tangled.org>

Compares the incoming host to the domain in the KV map, and fetches the
relevant site from R2. Written in Rust, compiled to wasm using
`worker-build`.

Signed-off-by: Anirudh Oppiliappan <anirudh@tangled.org>

wip: repo pages settings and cf r2/kv setup

Signed-off-by: Anirudh Oppiliappan <anirudh@tangled.org>

Signed-off-by: Anirudh Oppiliappan <anirudh@tangled.org>

Signed-off-by: Anirudh Oppiliappan <anirudh@tangled.org>

Signed-off-by: Anirudh Oppiliappan <anirudh@tangled.org>

Signed-off-by: Anirudh Oppiliappan <anirudh@tangled.org>

Signed-off-by: Anirudh Oppiliappan <anirudh@tangled.org>

Signed-off-by: Anirudh Oppiliappan <anirudh@tangled.org>

Signed-off-by: Anirudh Oppiliappan <anirudh@tangled.org>

Signed-off-by: Anirudh Oppiliappan <anirudh@tangled.org>

Signed-off-by: Anirudh Oppiliappan <anirudh@tangled.org>

Orphaned `sh.tangled.string` records on users' PDSs cannot be cleaned up
by the appview and they would need to be removed manually by each user.

Signed-off-by: Youn Mélois <youn@melois.dev>

Add support for AVIF, JPEG XL, and HEIF image formats across the stack:

- knotserver/xrpc: override MIME types for formats that Go's
http.DetectContentType does not recognize (.avif, .jxl, .heic, .heif),
using a switch statement like the existing .svg override
- camo: add image/avif, image/heif, and image/jxl to the allowed MIME
types list
- appview/repo: add .avif, .jxl, .heic, .heif to the image extension
list in the blob viewer

Without these changes, AVIF files (and other modern formats) are rejected
by the knot server with a 403 (detected as application/octet-stream),
blocked by the camo proxy with a 415, and not previewed in the blob viewer.

Signed-off-by: Niclas Overby <niclas@overby.me>

Both policies were rebuilt on every NewSanitizer() call. This included
compiling the chroma syntax-highlight class regex by iterating
chroma.StandardTypes and joining ~200 type names into a regex alternation,
on every invocation — including from inside the pull request HTTP handler,
making it a per-request cost.

Move both policies to package-level vars initialized once in init().
NewSanitizer() is now a pair of pointer assignments. This is safe per the
bluemonday README: "it is safe to use the policy in multiple goroutines".

Signed-off-by: Matías Insaurralde <matias@insaurral.de>

Signed-off-by: oppiliappan <me@oppi.li>

The devshell copied assets from the Nix store with preserved mode
bits, which left files in appview/pages/static read-only and caused
repeated cp permission errors on subsequent nix develop runs.

Stop preserving mode so generated static files remain writable across
shell entries.

AI-assisted: OpenCode (openai/gpt-5.3-codex)
Signed-off-by: Alessio Caiazza <code.git@caiazza.info>

Signed-off-by: oppiliappan <me@oppi.li>

Signed-off-by: oppiliappan <me@oppi.li>

The appview crashes on startup if Redis is not running:

appview: failed to start appview err="failed to start oauth handler:
failed to connect to redis: dial tcp [::1]:6379: connect: connection refused"

Reorder the "Running the appview" section so the Redis and
OAuth JWKs prerequisites come before the watch-appview command,
matching the actual dependency order.

Signed-off-by: Alessio Caiazza <code.git@caiazza.info>

Signed-off-by: Evan Jarrett <evan@evanjarrett.com>

Signed-off-by: Anirudh Oppiliappan <anirudh@tangled.org>

do not refresh after token expiry, do it before

Signed-off-by: oppiliappan <me@oppi.li>

Signed-off-by: oppiliappan <me@oppi.li>

Signed-off-by: oppiliappan <me@oppi.li>

Signed-off-by: oppiliappan <me@oppi.li>

Move blobPattern, treePattern, and pathAfterRefRE to package-level
vars so they are compiled once and reused across GetRepoInfo and
path resolution calls instead of recompiling on every request.

Signed-off-by: Matías Insaurralde <matias@insaurral.de>

the learn-more button in the features set caused an overflow on home
page.

Signed-off-by: oppiliappan <me@oppi.li>

Signed-off-by: marco.tngl.sh <dev@marco.social>

Signed-off-by: marco.tngl.sh <dev@marco.social>

Signed-off-by: marco.tngl.sh <dev@marco.social>