Oh What A Tangled Code We Weave
Just one topic today since it took a bit more time to dissect the topic than I anticipated.
Hit me up if you have any issues getting your own “knot” untangled.

Tangled (Blog | Bsky) is a new platform for Git-based collaboration that blends the benefits of decentralized systems with human-friendly social features. It’s built on top of the AT Protocol (i.e., the thing that Bsky invented), seeking to give developers ownership of our code while fostering open-source community governance and a more social coding experience, free from billionaire and empire controls.
If U.S. and global Drop readers haven’t yet received the memo that you should be avoiding U.S.-hosted services and billionaire/global-mega-corp controlled platforms, consider said memo now delivered.
Instead of choosing between a fully federated model like Forgejo (which uses ActivityPub) or a purely peer-to-peer approach like Radicle, Tangled provides a decentralized social networking framework with a central identity system. If you have a looksie into the AT Protocol documentation, you’ll find key concepts like:
- Repositories: These are self-authenticating storage units for our content.
- Lexicon: This is a schema language used to define the structure of data within the AT Protocol.
- App Views: The documentation refers to these as consolidated views into the network. In Tangled’s case, the app view at tangled.sh provides a unified interface for accessing and contributing to repositories hosted across different “knots.”
To put that last bullet a different way, Tangled “knots” are lightweight servers that host Git repositories. These knots can be single-tenant (think self-hosting on a Raspberry Pi) or multi-tenant (for larger community servers). Tangled provides (free) managed knots as a default, lowering the barrier to entry.
The project is still in its early stages, with the Tangled team actively developing core features while “dogfooding” the platform themselves. Their design decisions are guided by three principles: data ownership, low barrier to entry, and a strong interactive experience. The goal is to make collaboration feel natural and intuitive, even within a decentralized environment.
For readers that just want to try it out head on over to tangled.sh and you can see the “firehose”:

To do much beyond being a voyeur and/or cloning repos over HTTPS, you’ll need to authenticate to the network via your Bluesky handle and a generated app password (I’m confident OAuth is coming at some point for Tangled). Once you log in, tap your handle (upper-right corner) and add some SSH public keys (via “settings”).
I made a repo for this Bonus Drop:

to test it out and give y’all something to poke at.
The point of Tangled is to foster decentralized social coding, which means if you’re going to be serious about using this service, you should create your own “knot” (a cute word for a Tangled instance that will broker access to the repos via the Tangled AppView and git SSH/HTTPS ops).
The core project Readme has all you need to walk through the creation of an instance. There are three Golang binaries (well, four, really, but you’re likely going to rely on Tangled for the AppView) in the mix.
keyfetch is a program designed to run as an SSH AuthorizedKeysCommand. It fetches SSH public keys from an internal API endpoint and formats them for use with SSH authentication. When a user attempts to connect via SSH, keyfetch:
- retrieves a list of authorized keys from a specified internal API endpoint
- formats these keys with specific command restrictions
- outputs the formatted keys to be used by the SSH server for authentication
This lets the Tangled platform dynamically manage SSH access to Git repositories based on user credentials stored in its system. If you did load your PUBLIC keys into Tangled, you can run keyfetch manually (after you successfully bootstrap your knot) to see the output.
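The formatting step described above is where untrusted input (keys users uploaded) becomes sshd configuration, so here is an added sketch of it in Go; it is not Tangled's keyfetch code. The forced-command path, its `-user` flag and the sample key are assumptions made for illustration.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// guardPath and its -user flag are hypothetical stand-ins for the forced command.
const guardPath = "/usr/local/bin/repoguard"

// sampleKey is constructed for this example; it is not a real public key.
const sampleKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIENvbnN0cnVjdGVkU2FtcGxlS2V5 laptop"

// didPattern keeps quotes, spaces and commas out of the command="..." option.
var didPattern = regexp.MustCompile(`^did:[a-z]+:[A-Za-z0-9._:%-]+$`)
var keyType = regexp.MustCompile(`^(ssh|ecdsa|sk)-[a-z0-9@.-]+$`)

// authorizedKeyLine turns one (DID, key) pair from the key API into an
// authorized_keys entry that forces the session through the guard binary.
func authorizedKeyLine(did, pubKey string) (string, error) {
	if !didPattern.MatchString(did) {
		return "", fmt.Errorf("rejecting DID %q", did)
	}
	// A stored key may only be "type base64 [comment]" on a single line;
	// a line break would put a second, unrestricted entry into the output.
	if strings.ContainsAny(pubKey, "\r\n") {
		return "", fmt.Errorf("key for %s contains a line break", did)
	}
	f := strings.Fields(pubKey)
	if len(f) < 2 || !keyType.MatchString(f[0]) {
		return "", fmt.Errorf("key for %s is not 'type base64 [comment]'", did)
	}
	if _, err := base64.StdEncoding.DecodeString(f[1]); err != nil {
		return "", fmt.Errorf("key for %s has a bad base64 blob", did)
	}
	// The user-supplied comment is dropped; "restrict" disables forwarding and PTYs.
	return fmt.Sprintf(`command="%s -user %s",restrict %s %s`, guardPath, did, f[0], f[1]), nil
}

func main() {
	did := "did:plc:hgyzg2hn6zxpqokmp5c2xrdo"
	for _, k := range []string{sampleKey, sampleKey + "\nssh-ed25519 AAAA second"} {
		line, err := authorizedKeyLine(did, k)
		fmt.Println(line, err)
	}
}
```

Comparing this shape against what your own knot's keyfetch prints is a quick way to confirm every key is bound to a forced command.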
knotserver/knot is a core component of the architecture that manages the “knots” — those lightweight, headless servers that host Git repositories. The knotserver:
- sets up and manages the database for storing repository information
- implements role-based access control (RBAC) for repository permissions
- integrates with Jetstream for event handling and communication
- runs both a main server and an internal server on different ports
The knotserver essentially provides the backend infrastructure for hosting and managing repositories within a knot, handling authentication, authorization, and API endpoints.
repoguard acts as a security layer between SSH connections and Git operations. It:
- validates incoming Git commands from users connecting via SSH
- resolves user identities (handles or DIDs) to their proper DID format
- verifies that users have appropriate permissions for the requested operations
- executes the Git commands in a controlled environment
- logs all access attempts and operations for security purposes
repoguard ensures that only authorized users can perform specific Git operations on repositories, providing security and access control at the Git command level.
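As an added illustration of the validate-then-authorize flow listed above (not repoguard's actual source), this Go sketch checks the command string sshd hands to a forced command and then consults a permission table. The in-memory `grants` map is a hypothetical stand-in for the knot's RBAC store, and the sample DIDs in `main` are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// The only commands a Git client needs over SSH, with the access each requires.
var services = map[string]string{
	"git-upload-pack": "read", "git-upload-archive": "read", "git-receive-pack": "write",
}

// One owner segment (handle or DID) and one repository name, nothing else.
var repoPattern = regexp.MustCompile(`^[A-Za-z0-9._:-]+/[A-Za-z0-9._-]+$`)

// parseGitCommand validates SSH_ORIGINAL_COMMAND; returns repo and needed access.
func parseGitCommand(orig string) (string, string, error) {
	svc, arg, _ := strings.Cut(strings.TrimSpace(orig), " ")
	need, ok := services[svc]
	if !ok {
		return "", "", fmt.Errorf("command %q is not a Git service", svc)
	}
	// Git sends the path single-quoted, sometimes with a leading slash.
	repo := strings.TrimPrefix(strings.Trim(arg, "'"), "/")
	// Dot-leading segments ("..", ".git") and shell metacharacters are refused.
	if !repoPattern.MatchString(repo) || strings.HasPrefix(repo, ".") || strings.Contains(repo, "/.") {
		return "", "", fmt.Errorf("repository path %q rejected", repo)
	}
	return repo, need, nil
}

// authorize checks the caller against grants, a hypothetical in-memory stand-in
// for the knot's RBAC store: grants[repo][did] is "read" or "write".
func authorize(did, orig string, grants map[string]map[string]string) (string, error) {
	repo, need, err := parseGitCommand(orig)
	if err != nil {
		return "", err
	}
	if have := grants[repo][did]; have != "write" && have != need {
		return "", fmt.Errorf("%s lacks %s access to %s", did, need, repo)
	}
	return repo, nil
}

func main() {
	// Constructed sample: a reader attempting a push is refused.
	g := map[string]map[string]string{"did:plc:owner/demo": {"did:plc:reader": "read"}}
	fmt.Println(authorize("did:plc:reader", "git-receive-pack 'did:plc:owner/demo'", g))
}
```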
Together, these three components form part of the infrastructure that enables Tangled’s decentralized Git collaboration platform, with keyfetch handling SSH key management, knotserver providing the repository hosting backend, and repoguard securing Git operations.
I ran it on one of my public internet-facing services, but since the recommended config is to use a reverse proxy to the localhost port 5555 service (which I used Caddy for), there is nothing stopping you from running this instance on your local network and reverse proxying to a Tailscale interface.
NOTE: if you use their recommended systemd setup, you’ll need to modify knotserver.service and change ExecStart=/usr/local/bin/knotserver to ExecStart=/usr/local/bin/knot and make sure to restart sshd.
If you hit up knot.hrbrmstr.app you’ll get:
This is a knot server. More info at https://tangled.sh
instead of that minimalist web interface you saw on tangled.sh.
The reason for this is that Tangled provides the AppView to the federated AT protocol brokered knot instances (much in the same way Bluesky is the AppView for all Bluesky-compatible PDS instances and WhiteWind is the blog hub AppView for all of the WhiteWind compatible PDS instances).
Since this is all happening on the AT protocol, we can even explore things from the protocol perspective.
If you start at my (or your) DID: https://pdsls.dev/at://did:plc:hgyzg2hn6zxpqokmp5c2xrdo, you can see all of the available collections:
app.bsky.actor.profile
app.bsky.feed.like
app.bsky.feed.post
app.bsky.feed.postgate
app.bsky.feed.repost
app.bsky.feed.threadgate
app.bsky.graph.block
app.bsky.graph.follow
app.bsky.graph.list
app.bsky.graph.listblock
app.bsky.graph.listitem
blue.zio.atfile.upload
chat.bsky.actor.declaration
com.whtwnd.blog.entry
sh.tangled.feed.star
sh.tangled.graph.follow
sh.tangled.publicKey
sh.tangled.repo
sh.tangled.repo.issue
sh.tangled.repo.issue.comment
Well, look at all the ones on the sh.tangled.* PDS!
If we follow one repo path to the end: https://pdsls.dev/at://did:plc:hgyzg2hn6zxpqokmp5c2xrdo/sh.tangled.repo/3ljx2j3twex22, we can get the metadata:
{
"knot": "knot.hrbrmstr.app",
"name": "my-first-self-hosted-knot-repo",
"$type": "sh.tangled.repo",
"owner": "did:plc:hgyzg2hn6zxpqokmp5c2xrdo",
"addedAt": "2025-03-09T12:37:24Z"
}
This also means there’s nothing stopping anyone from building off of this new ecosystem.
I’m not sure why I find Tangled easier to grok (thanks to a certain individual and service I think I need to find a new word to use) than Radicle, but it seems to fit my mental model better.
You can check out both the example repo for this post, or the uncreatively-named one on my knot.
If you join Tangled drop me a note so I can follow you there, and send me your handle if you’d like to see how it works when you hit up my instance.
FIN
Remember, you can follow and interact with the full text of The Daily Drop’s free posts on:
- 🐘 Mastodon via @dailydrop.hrbrmstr.dev@dailydrop.hrbrmstr.dev
- 🦋 Bluesky via https://bsky.app/profile/dailydrop.hrbrmstr.dev.web.brid.gy
Also, refer to:
to see how to access a regularly updated database of all the Drops with extracted links, and full-text search capability. ☮️