Merge pull request #118 from hypercerts-org/adam/hyper-282-document-various-certified-infrastructure-services

docs: document Certified infrastructure — CGS, PDSs (HYPER-282)

Author: aspiers

components/LastUpdated.js

@@ -8,12 +8,15 @@ export function LastUpdated() {
   const date = lastUpdated[currentPath];
 
   useEffect(() => {
-    if (!date) return;
-
-    // Remove any existing last-updated element
+    // Always remove any stale last-updated element from a previous route,
+    // even if the current route has no date — otherwise the imperatively
+    // appended element survives React reconciliation and ends up stranded
+    // on the new page.
     const existing = document.querySelector('.last-updated');
     if (existing) existing.remove();
 
+    if (!date) return;
+
     const article = document.querySelector('.layout-content article');
     if (!article) return;
 

lib/lastUpdated.json

@@ -1,21 +1,22 @@
 {
-  "/architecture/account-and-identity": "2026-04-01T13:47:13+06:00",
+  "/architecture/account-and-identity": "2026-04-09T21:22:15-10:00",
+  "/architecture/certified-group-service": "2026-04-09T21:03:20-10:00",
   "/architecture/data-flow-and-lifecycle": "2026-04-01T19:28:36+06:00",
-  "/architecture/epds": "2026-04-01T13:47:13+06:00",
+  "/architecture/epds": "2026-04-09T21:22:15-10:00",
   "/architecture/indexers-and-discovery": "2026-03-05T04:01:13+08:00",
-  "/architecture/overview": "2026-03-05T20:46:24+08:00",
+  "/architecture/overview": "2026-04-09T21:22:15-10:00",
   "/architecture/portability-and-scaling": "2026-03-05T13:01:42+08:00",
   "/core-concepts/cel-work-scopes": "2026-04-01T19:28:36+06:00",
-  "/core-concepts/certified-identity": "2026-04-01T19:28:36+06:00",
+  "/core-concepts/certified-identity": "2026-04-09T21:27:54-10:00",
   "/core-concepts/common-use-cases": "2026-03-05T12:52:26+08:00",
   "/core-concepts/funding-and-value-flow": "2026-04-01T19:28:36+06:00",
   "/core-concepts/hypercerts-core-data-model": "2026-04-01T19:28:36+06:00",
   "/core-concepts/what-is-hypercerts": "2026-03-05T03:40:14+08:00",
   "/core-concepts/why-at-protocol": "2026-03-05T21:06:04+08:00",
   "/ecosystem/why-we-need-hypercerts": "2026-02-20T12:49:43+01:00",
   "/getting-started/building-on-hypercerts": "2026-03-06T22:56:46+08:00",
-  "/getting-started/quickstart": "2026-03-14T20:43:33-07:00",
-  "/getting-started/testing-and-deployment": "2026-03-05T14:36:55+06:00",
+  "/getting-started/quickstart": "2026-04-09T21:22:15-10:00",
+  "/getting-started/testing-and-deployment": "2026-04-09T21:22:15-10:00",
   "/getting-started/working-with-evaluations": "2026-04-01T19:28:36+06:00",
   "/": "2026-03-24T12:56:03-07:00",
   "/lexicons/certified-lexicons/badge-award": "2026-03-24T12:56:03-07:00",
@@ -36,12 +37,13 @@
   "/lexicons/hypercerts-lexicons/measurement": "2026-03-24T12:56:03-07:00",
   "/lexicons/hypercerts-lexicons/rights": "2026-03-24T12:56:03-07:00",
   "/lexicons/introduction-to-lexicons": "2026-03-24T12:56:03-07:00",
+  "/reference/certified-services": "2026-04-09T21:22:15-10:00",
   "/reference/faq": "2026-04-01T19:28:36+06:00",
-  "/reference/glossary": "2026-03-14T20:43:33-07:00",
+  "/reference/glossary": "2026-04-09T21:22:15-10:00",
   "/reference/release-notes-v0-11-0": "2026-04-08T16:50:34+02:00",
-  "/roadmap": "2026-04-01T19:28:36+06:00",
-  "/tools/hyperboards": "2026-04-01T19:28:36+06:00",
-  "/tools/hypercerts-cli": "2026-03-05T12:30:00+06:00",
+  "/roadmap": "2026-04-09T21:09:38Z",
+  "/tools/hyperboards": "2026-04-09T21:22:15-10:00",
+  "/tools/hypercerts-cli": "2026-04-09T21:22:15-10:00",
   "/tools/hyperindex": "2026-04-03T00:18:36+06:00",
-  "/tools/scaffold": "2026-04-01T19:28:36+06:00"
+  "/tools/scaffold": "2026-04-09T21:22:15-10:00"
 }

lib/navigation.js

@@ -69,6 +69,10 @@ export const navigation = [
         title: "ePDS (extended PDS)",
         path: "/architecture/epds",
       },
+      {
+        title: "Certified Group Service (CGS)",
+        path: "/architecture/certified-group-service",
+      },
       {
         title: "Data Flow & Lifecycle",
         path: "/architecture/data-flow-and-lifecycle",
@@ -165,6 +169,7 @@ export const navigation = [
         title: "Lexicon v0.11.0 Release Notes",
         path: "/reference/release-notes-v0-11-0",
       },
+      { title: "Certified PDSs", path: "/reference/certified-services" },
       { title: "Glossary", path: "/reference/glossary" },
       { title: "FAQ", path: "/reference/faq" },
       { title: "Roadmap", path: "/roadmap" },

pages/architecture/account-and-identity.md

@@ -41,14 +41,14 @@ Every record you create carries your DID as the author. If you change PDS provid
 
 ## Handles (your public username) and domain verification
 
-Handles are not needed to log in to the Hypercerts ecosystem, but every user has one. They serve as human-readable names for publicly addressing others and for interacting with other applications in the AT Protocol ecosystem that haven't implemented email-based login with Certified. Your handle is a human-readable name like `alice.certified.app`. Unlike your DID, your handle can change — it's a pointer to your DID, not your identity itself.
+Handles are not needed to log in to the Hypercerts ecosystem, but every user has one. They serve as human-readable names for publicly addressing others and for interacting with other applications in the AT Protocol ecosystem that haven't implemented email-based login with Certified. Your handle is a human-readable name like `alice.certified.one`. Unlike your DID, your handle can change — it's a pointer to your DID, not your identity itself.
 
 **Organizations should use custom domain handles.** A handle like `numpy.org` proves organizational identity — anyone can verify that the DID behind `numpy.org` is controlled by whoever controls the domain.
 
 To set up a custom handle, add a DNS TXT record or host a file at `https://your-domain.com/.well-known/atproto-did`. See the [AT Protocol handle documentation](https://atproto.com/specs/handle) for details.
 
 {% callout type="note" %}
-If you sign up using your email on certified.app you will initially be given a random handle like `1lasdk.certified.app`. You can change your handle by going to your profile settings and clicking on "Change handle" on [certified.app](https://certified.app).
+If you sign up using your email on certified.app you will initially be given a random handle like `1lasdk.certified.one`. You can change your handle by going to your profile settings and clicking on "Change handle" on [certified.app](https://certified.app).
 {% /callout %}
 ---
 
@@ -60,6 +60,14 @@ For teams with multiple contributors, create a dedicated organizational account
 To set up an organizational account, create an account at [certified.app](https://certified.app) with the organization's email. Use a [custom domain handle](#handles-your-public-username-and-domain-verification) (e.g., `numpy.org`) to prove organizational identity.
 {% /callout %}
 
+### Role-based governance with CGS
+
+Sharing a single app password across an organisation is the simplest path but has real limits: every team member ends up with the same level of access, there's no audit trail, and revoking one person's access means rotating the password for everyone.
+
+The [Certified Group Service (CGS)](/architecture/certified-group-service) is the more principled answer. CGS sits in front of a PDS and adds **role-based access control** on top of a shared repository — multiple identities can co-manage the same ATProto repo with distinct member, admin, and owner roles, and every action is written to a per-group audit log. Members authenticate as themselves (not as the organisation), so access can be granted or revoked per-person without disturbing anyone else.
+
+Certified operates a hosted CGS instance (used by "create a group" flows on [certified.app](https://certified.app)), and CGS is also self-hostable if you want to run your own. Note: groups created via the hosted flow currently land on a test PDS — see [Certified PDSs](/reference/certified-services) for environment caveats. See the [CGS architecture page](/architecture/certified-group-service) for the full model.
+
 ---
 
 ## Authentication

pages/architecture/certified-group-service.md

@@ -0,0 +1,148 @@
+---
+title: Certified Group Service (CGS)
+description: How CGS adds role-based access control to group-governed AT Protocol repositories without modifying the underlying PDS.
+---
+
+# Certified Group Service (CGS)
+
+In standard AT Protocol, each repository is controlled by a single identity (DID) — there's no built-in way for multiple users to collaboratively manage the same repo with different permission levels.
+
+The [Certified Group Service](https://github.com/hypercerts-org/certified-group-service) (CGS) fills that gap. It's an AT Protocol service that sits between clients and a group's backing PDS, enforcing role-based access control, tracking record authorship, and keeping a full audit log. From the client's perspective, a group looks like any other AT Protocol repository — it just happens to be co-governed.
+
+Certified operates a hosted CGS instance, but CGS is also designed to be **self-hostable per operator** — anyone can run their own instance and point it at whichever PDS backs the group (including, but not limited to, the [Certified-operated PDSs](/reference/certified-services)).
+
+Today, a given CGS deployment points at a single backing PDS (configured via the `GROUP_PDS_URL` environment variable), and every group it registers lives on that PDS. Operators who want to host groups across multiple PDSs currently run multiple CGS instances. This is a current architectural constraint rather than a fundamental one, and may evolve in the future.
+
+## System overview
+
+```text
+Any AT Protocol client
+  │
+  │  atproto-proxy: did:plc:GROUP#certified_group
+  ▼
+User's PDS
+  │
+  │  Authorization: Bearer <service-auth-jwt>
+  │  (signed with user's key, iss=user, aud=group)
+  ▼
+┌──────────────────────────────────┐
+│  Certified Group Service         │
+│                                  │
+│  1. AuthVerifier  (JWT → DID)    │
+│  2. RbacChecker   (DID → role)   │
+│  3. PDS proxy     (forward)      │
+│  4. AuditLogger   (record all)   │
+└──────────────────────────────────┘
+  │
+  ▼
+Group's backing PDS
+```
+
+Clients never call CGS directly. Instead they send a normal XRPC request to their own PDS with an `atproto-proxy` header pointing at the group DID and service fragment (`did:plc:GROUP#certified_group`). The user's PDS resolves the group's DID document, finds the `#certified_group` service endpoint, mints a service auth JWT signed with the user's key, and forwards the request to CGS. This is the same proxying mechanism used by Ozone labeling services.
+
+## Integrating from an app
+
+Apps don't call CGS directly. Your backend uses an authenticated `AtpAgent` for the user and sends XRPC requests *to the user's PDS* with an `atproto-proxy` header set to `did:plc:<groupDid>#certified_group`. The PDS handles service auth and forwards the request to CGS on your behalf. See the upstream [integration guide](https://github.com/hypercerts-org/certified-group-service/blob/main/docs/integration-guide.md) for a worked example.
+
+One important gotcha: CGS uses **custom NSIDs** for record operations — `app.certified.group.repo.createRecord`, `putRecord`, `deleteRecord`, `uploadBlob` — instead of the standard `com.atproto.repo.*`. This is deliberate: if your app called `com.atproto.repo.createRecord`, the user's PDS would handle it itself and write to the user's own repo, not proxy it to CGS. The custom NSIDs are unrecognized by the PDS, so it looks them up in the group's DID document and routes them to CGS. Use the custom NSIDs in your proxied calls.
+
+## Authentication
+
+Every request to CGS arrives with `Authorization: Bearer <JWT>`. The `AuthVerifier` runs the following checks:
+
+1. **Signature** — verified against the issuer's DID document via `@atproto/xrpc-server`'s `verifyJwt()`.
+2. **Audience** — the JWT's `aud` must match a group DID registered with this CGS instance.
+3. **Lexicon method** — the JWT's `lxm` must match the requested XRPC method (from an allowlist of record and group-management operations).
+4. **Token lifetime** — `exp - iat` must not exceed the nonce TTL (120 seconds), so that tokens can't outlive the replay-prevention window.
+5. **Nonce (replay prevention)** — the JWT's `jti` is checked against a short-lived nonce cache. If it's been seen before, the request is rejected.
+
+If all checks pass, the handler receives `{ iss: callerDid, aud: groupDid }` and proceeds to authorization.
+
+## Authorization (RBAC)
+
+Roles are strictly hierarchical and compared numerically. A higher level grants every permission of the lower levels.
+
+```text
+member (0)  <  admin (1)  <  owner (2)
+```
+
+### Permission matrix
+
+| Operation | Minimum role |
+|---|---|
+| Create records, upload blobs, edit any record, list members | member |
+| Delete records you authored | member |
+| Delete any member's record | admin |
+| Edit the group's profile | admin |
+| Add / remove members | admin |
+| Query the audit log | admin |
+| Change a member's role | owner |
+
+### Special rules
+
+- **Cannot modify equal or higher roles.** An admin cannot remove another admin; only an owner can.
+- **`member.add` cannot assign `owner`.** New owners must be promoted by an existing owner via `role.set`.
+- **Self-removal always succeeds.** Any member can remove themselves, regardless of role.
+- **Last-owner protection.** The system atomically prevents demoting or removing the only remaining owner.
+- **Authorship is tracked per record.** CGS maintains a `group_record_authors` table so `deleteOwnRecord` (member) can be distinguished from `deleteAnyRecord` (admin).
+
+## PDS proxying and credentials
+
+Once a request is authorized, CGS forwards it to the group's backing PDS using stored credentials:
+
+- **Credential storage.** The group's PDS app password (and, where applicable, the recovery keypair used for PLC operations) is stored encrypted with AES-256-GCM, using a 32-byte master key from the service's `ENCRYPTION_KEY` environment variable.
+- **Agent pool.** An authenticated `AtpAgent` per group is cached in memory; stale sessions are refreshed automatically on `AuthenticationRequired` / `ExpiredToken` errors.
+- **Blob uploads.** `uploadBlob` requests are streamed to the PDS with an enforced `MAX_BLOB_SIZE` limit (checked both upfront via `Content-Length` and incrementally during the stream).
+
+## Audit logging
+
+Every meaningful action — permitted or denied — is written to the per-group `group_audit_log` table. Each entry captures:
+
+- **Who** — the caller's DID (`actor_did`)
+- **What** — the operation name (e.g. `createRecord`, `member.add`)
+- **Where** — collection and rkey, for record-level operations
+- **Result** — `permitted` or `denied` (plus a reason for denials)
+- **Tracing** — the JWT's `jti`, for correlation with auth logs
+- **When** — ISO timestamp
+
+Admins can query the audit log via `app.certified.group.audit.query`.
+
+## Group lifecycle
+
+Groups are created via `app.certified.group.register`, which requires a service auth JWT proving the caller controls the prospective owner DID. During registration, CGS:
+
+1. Creates a new PDS account on the instance's configured backing PDS and receives a new group DID.
+2. Generates a recovery keypair and registers a `#certified_group` service entry in the group's DID document via a PLC operation.
+3. Stores the encrypted app password and recovery key in its own database.
+4. Seeds the caller as the group's first owner.
+
+From then on, the group's DID is co-governed through CGS: owners promote admins, admins manage members, and members interact with the repository subject to the permission matrix above.
+
+## Storage
+
+CGS uses SQLite for all persistence:
+
+- A **global database** holds the group registry (`groups` table) and the nonce cache.
+- Each group gets its **own per-group database**, named by the SHA-256 hash of the group DID. This isolates group data and keeps audit logs per-group.
+- All databases use WAL mode for concurrent read performance.
+
+## Future directions
+
+The current RBAC model — three fixed roles (`member`, `admin`, `owner`) with a hard-coded permission matrix — is intentionally simple. It covers the common case of a small group co-managing a repository, but it is a starting point rather than an endpoint. Directions being explored as groups' governance needs mature:
+
+- **Customizable roles.** Let each group define its own roles and permissions instead of relying on a fixed three-tier hierarchy.
+- **Finer-grained permissions.** Scope permissions per collection or record type — for example, a role that can only create records in one lexicon, or only edit the group profile.
+- **Group-level governance.** Move beyond unilateral admin/owner actions toward proposals, voting, or quorum-based decisions for sensitive operations.
+- **Time-bound and delegated roles.** Temporary elevations — e.g. an admin grants another member `admin` for 24 hours, after which the role automatically reverts.
+- **Credential-based membership.** Derive membership and roles from external signals (verifiable credentials, badges, tokens) rather than only manual `member.add` calls.
+- **Multiple backing PDSs per instance.** Today, one CGS deployment is bound to a single backing PDS. Supporting multiple PDSs per instance (or per group) would let a single deployment host groups across different PDS providers.
+
+None of the above are committed features; they're possibilities being shaped by user and developer needs and feedback.
+
+## Further reading
+
+- [CGS repository](https://github.com/hypercerts-org/certified-group-service)
+- [Architecture doc](https://github.com/hypercerts-org/certified-group-service/blob/main/docs/architecture.md) — full data model, startup sequence, and implementation details
+- [Integration guide](https://github.com/hypercerts-org/certified-group-service/blob/main/docs/integration-guide.md)
+- [API reference](https://github.com/hypercerts-org/certified-group-service/blob/main/docs/api-reference.md)
+- [Deployment guide](https://github.com/hypercerts-org/certified-group-service/blob/main/docs/deployment.md) — for running your own CGS instance

pages/architecture/epds.md

@@ -7,7 +7,7 @@ description: How the ePDS adds email/OTP login on top of AT Protocol without cha
 
 The ePDS adds email-based, passwordless sign-in on top of a standard AT Protocol PDS. Users enter their email, receive a one-time code, and end up with a normal AT Protocol session tied to a DID.
 
-Certified hosts an ePDS instance at [certified.one](https://certified.one).
+Certified operates production, staging, and test ePDS instances. See [Certified services](/reference/certified-services) for the current hostnames and guidance on which to use in which scenario.
 
 For applications, the important part is that ePDS still finishes by issuing a standard AT Protocol authorization code. In practice, this means you can integrate it with [`@atproto/oauth-client-node`](https://github.com/bluesky-social/atproto/tree/main/packages/oauth/oauth-client-node).
 
@@ -62,7 +62,7 @@ const oauthClient = new NodeOAuthClient({
   sessionStore,
 })
 
-const url = await oauthClient.authorize('alice.certified.app', {
+const url = await oauthClient.authorize('alice.certified.one', {
   scope: 'atproto transition:generic',
 })
 
@@ -103,7 +103,7 @@ const oauthClient = new NodeOAuthClient({
   sessionStore,
 })
 
-const url = await oauthClient.authorize('alice.certified.app', {
+const url = await oauthClient.authorize('alice.certified.one', {
   scope: 'atproto transition:generic',
 })
 
@@ -191,6 +191,8 @@ The extra branding fields customize the hosted login and email experience. `epds
 ## Further reading
 
 - [Account & Identity Setup](/architecture/account-and-identity)
+- [Certified PDSs](/reference/certified-services) — the production, staging, and test ePDS instances Certified operates
+- [Certified Group Service (CGS)](/architecture/certified-group-service) — a governance layer that sits in front of a PDS to support multi-identity, role-based repo management
 - [Scaffold Starter App](/tools/scaffold)
 - [ePDS repository](https://github.com/hypercerts-org/ePDS)
 - Install the ePDS agent skill with `npx skills add hypercerts-org/ePDS --skill epds-login`