1.0.0

Sync your Obsidian vault to an atproto PDS - private notes
encrypted end-to-end, public notes published via standard.site. One engine,
two backends, opt-in per note.

Highlights

• Private notes (default). Mark a note pds: true to encrypt it
  client-side (Argon2id + AES-256-GCM) and store it as an opaque record on
  your PDS. Only you can read it.
• Public notes. Mark publish: true to publish as a
  site.standard.document, shown by standard.site readers such as Leaflet.
  Includes a publication helper - name, base URL, theme, icon, discovery,
  and .well-known domain verification.
• Two-way sync. Push, pull/restore, last-write-wins with conflict
  copies, orphan deletion, and self-healing compare-and-swap writes.
• Auth. OAuth (PKCE + DPoP, no backend) or app password, with
  credentials stored in your OS keychain.
• Auto-sync. On edit and/or on an interval, with a
  status-bar indicator. Works on desktop and mobile.

Install (manual)

1. Download main.js and manifest.json below.
2. Drop both into <vault>/.obsidian/plugins/pds-sync/.
3. Enable PDS Sync in Settings -> Community plugins.

Then in Settings -> PDS Sync: connect, set an encryption passphrase, flag a
note (pds: true or publish: true), and run Sync vault to PDS.

Before you rely on private notes

Encrypted records live in your public, firehose-archived repo, so the
ciphertext can be attacked offline indefinitely. Your passphrase is the only
secret - use a long one, and note that losing it means the private notes are
unrecoverable. Full security model in the README.

Requirements

• Obsidian 1.5.0+ (keychain storage needs 1.11.4+; older versions fall back
  to a local file).
• An atproto account / PDS.

Talks only to atproto infrastructure - no analytics or telemetry.

Verify

main.js is built in CI with signed build provenance:
gh attestation verify main.js --repo Moshyfawn/obsidian-pds-sync