pubky
diff --git a/‎pkg/README.md‎
Lines changed: 70 additions & 24 deletions b/‎pkg/README.md‎
Lines changed: 70 additions & 24 deletions
diff --git a/‎src/constants.rs‎
Lines changed: 0 additions & 10 deletions b/‎src/constants.rs‎
Lines changed: 0 additions & 10 deletions
diff --git a/‎src/lib.rs‎
Lines changed: 4 additions & 4 deletions b/‎src/lib.rs‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎src/limits.rs‎
Lines changed: 94 additions & 0 deletions b/‎src/limits.rs‎
Lines changed: 94 additions & 0 deletions
diff --git a/‎src/models/blob.rs‎
Lines changed: 4 additions & 4 deletions b/‎src/models/blob.rs‎
Lines changed: 4 additions & 4 deletions
@@ -71,12 +71,12 @@ async function createUser(pubkyId) {
   const specs = new PubkySpecsBuilder(pubkyId);
 
   // Create user object with minimal fields
-  const {user, meta} = specs.createUser(
+  const { user, meta } = specs.createUser(
     "Alice", // Name
     "Hello from WASM", // Bio
     null, // Image URL or File
     null, // Links
-    "active" // Status
+    "active", // Status
   );
 
   // meta contains { id, path, url }.
@@ -112,12 +112,12 @@ async function createPost(pubkyId, content) {
   const specs = new PubkySpecsBuilder(pubkyId);
 
   // Create the Post object
-  const {post, meta} = specs.createPost(
+  const { post, meta } = specs.createPost(
     content,
     PubkyAppPostKind.Short,
     null, // parent post URI (for replies)
     null, // embed object (for reposts)
-    null  // attachments (array of file URLs, max 3)
+    null, // attachments (array of file URLs, max 3)
   );
 
   // Store the post
@@ -128,7 +128,7 @@ async function createPost(pubkyId, content) {
   });
 
   console.log("Post stored at:", meta.url);
-  return {post, meta};
+  return { post, meta };
 }
 ```
 
@@ -143,12 +143,12 @@ async function createPostWithAttachments(pubkyId, content, fileUrls) {
   const specs = new PubkySpecsBuilder(pubkyId);
 
   // Create post with attachments (max 3 allowed)
-  const {post, meta} = specs.createPost(
+  const { post, meta } = specs.createPost(
     content,
     PubkyAppPostKind.Image,
     null, // parent
     null, // embed
-    fileUrls // e.g. ["pubky://user/pub/pubky.app/files/abc123"]
+    fileUrls, // e.g. ["pubky://user/pub/pubky.app/files/abc123"]
   );
 
   const postJson = post.toJson();
@@ -160,7 +160,7 @@ async function createPostWithAttachments(pubkyId, content, fileUrls) {
   });
 
   console.log("Post with attachments stored at:", meta.url);
-  return {post, meta};
+  return { post, meta };
 }
 ```
 
@@ -174,7 +174,7 @@ async function followUser(myPubkyId, userToFollow) {
   const client = new Client();
   const specs = new PubkySpecsBuilder(myPubkyId);
 
-  const {follow, meta} = specs.createFollow(userToFollow);
+  const { follow, meta } = specs.createFollow(userToFollow);
 
   // We only need to store the JSON in the homeserver
   await client.fetch(meta.url, {
@@ -215,18 +215,18 @@ async function uploadFile(pubkyId, fileData, fileName, contentType, fileSize) {
 
   // First, create and store the blob (raw binary data)
   const { blob, meta: blobMeta } = specs.createBlob(fileData);
-  
+
   await client.fetch(blobMeta.url, {
     method: "PUT",
     body: JSON.stringify(blob.toJson()),
   });
 
   // Then create the file metadata pointing to the blob
   const { file, meta: fileMeta } = specs.createFile(
-    fileName,       // e.g. "vacation-photo.jpg"
-    blobMeta.url,   // Reference to the blob
-    contentType,    // e.g. "image/jpeg"
-    fileSize        // Size in bytes
+    fileName, // e.g. "vacation-photo.jpg"
+    blobMeta.url, // Reference to the blob
+    contentType, // e.g. "image/jpeg"
+    fileSize, // Size in bytes
   );
 
   await client.fetch(fileMeta.url, {
@@ -287,16 +287,16 @@ const userId = "8kkppkmiubfq4pxn6f73nqrhhhgkb5xyfprntc9si3np9ydbotto";
 const targetUserId = "dzswkfy7ek3bqnoc89jxuqqfbzhjrj6mi8qthgbxxcqkdugm3rio";
 
 // Build URIs for different resources
-userUriBuilder(userId);                    // pubky://{userId}/pub/pubky.app/profile.json
-postUriBuilder(userId, "0033SSE3B1FQ0");   // pubky://{userId}/pub/pubky.app/posts/{postId}
-bookmarkUriBuilder(userId, "ABC123");      // pubky://{userId}/pub/pubky.app/bookmarks/{bookmarkId}
-followUriBuilder(userId, targetUserId);    // pubky://{userId}/pub/pubky.app/follows/{targetUserId}
-tagUriBuilder(userId, "XYZ789");           // pubky://{userId}/pub/pubky.app/tags/{tagId}
-muteUriBuilder(userId, targetUserId);      // pubky://{userId}/pub/pubky.app/mutes/{targetUserId}
-lastReadUriBuilder(userId);                // pubky://{userId}/pub/pubky.app/last_read
-blobUriBuilder(userId, "BLOB123");         // pubky://{userId}/pub/pubky.app/blobs/{blobId}
-fileUriBuilder(userId, "FILE456");         // pubky://{userId}/pub/pubky.app/files/{fileId}
-feedUriBuilder(userId, "FEED789");         // pubky://{userId}/pub/pubky.app/feeds/{feedId}
+userUriBuilder(userId); // pubky://{userId}/pub/pubky.app/profile.json
+postUriBuilder(userId, "0033SSE3B1FQ0"); // pubky://{userId}/pub/pubky.app/posts/{postId}
+bookmarkUriBuilder(userId, "ABC123"); // pubky://{userId}/pub/pubky.app/bookmarks/{bookmarkId}
+followUriBuilder(userId, targetUserId); // pubky://{userId}/pub/pubky.app/follows/{targetUserId}
+tagUriBuilder(userId, "XYZ789"); // pubky://{userId}/pub/pubky.app/tags/{tagId}
+muteUriBuilder(userId, targetUserId); // pubky://{userId}/pub/pubky.app/mutes/{targetUserId}
+lastReadUriBuilder(userId); // pubky://{userId}/pub/pubky.app/last_read
+blobUriBuilder(userId, "BLOB123"); // pubky://{userId}/pub/pubky.app/blobs/{blobId}
+fileUriBuilder(userId, "FILE456"); // pubky://{userId}/pub/pubky.app/files/{fileId}
+feedUriBuilder(userId, "FEED789"); // pubky://{userId}/pub/pubky.app/feeds/{feedId}
 ```
 
 ---
@@ -330,6 +330,52 @@ A `ParsedUriResult` object with:
 
 ---
 
+## Validation limits
+
+The WASM builder exposes validation limits as a JSON object so UIs can reuse
+the canonical rules without duplicating magic numbers.
+
+```js
+import init, { PubkySpecsBuilder } from "pubky-app-specs";
+
+await init();
+const builder = new PubkySpecsBuilder("pubky_id_here");
+const limits = builder.validationLimits;
+
+console.log(limits);
+```
+
+Example output shape:
+
+```json
+{
+  "maxBlobSizeBytes": 104857600,
+  "maxFileSizeBytes": 104857600,
+  "tagLabelMinLength": 1,
+  "tagLabelMaxLength": 20,
+  "tagInvalidChars": [",", ":", " ", "\t", "\n", "\r"],
+  "userNameMinLength": 3,
+  "userNameMaxLength": 50,
+  "userBioMaxLength": 160,
+  "userImageUrlMaxLength": 300,
+  "userLinksMaxCount": 5,
+  "userLinkTitleMaxLength": 100,
+  "userLinkUrlMaxLength": 300,
+  "userStatusMaxLength": 50,
+  "postShortContentMaxLength": 2000,
+  "postLongContentMaxLength": 50000,
+  "postAttachmentsMaxCount": 3,
+  "postAttachmentUrlMaxLength": 200,
+  "postAllowedAttachmentProtocols": ["pubky", "http", "https"],
+  "fileNameMinLength": 1,
+  "fileNameMaxLength": 255,
+  "fileSrcMaxLength": 1024,
+  "feedTagsMaxCount": 5
+}
+```
+
+---
+
 ## 📄 License
 
 MIT
@@ -5,13 +5,3 @@ pub static VERSION: &str = "0.4.0";
 pub static PUBLIC_PATH: &str = "/pub/";
 pub static APP_PATH: &str = "pubky.app/";
 pub static PROTOCOL: &str = "pubky://";
-
-// Size limits
-/// Maximum blob/file size (100 MB) in bytes
-pub static MAX_SIZE: usize = 100 * (1 << 20); // 100MB
-
-// Tag validation constants (shared across models)
-pub const MAX_TAG_LABEL_LENGTH: usize = 20;
-pub const MIN_TAG_LABEL_LENGTH: usize = 1;
-/// Disallowed characters, in addition to whitespace chars
-pub const INVALID_TAG_CHARS: &[char] = &[',', ':'];
@@ -1,16 +1,16 @@
 mod common;
 mod constants;
+pub mod limits;
 mod models;
 pub mod traits;
 mod types;
 mod uri_parser;
 mod utils;
 
 // Re-export constants
-pub use constants::{
-    APP_PATH, INVALID_TAG_CHARS, MAX_SIZE, MAX_TAG_LABEL_LENGTH, MIN_TAG_LABEL_LENGTH, PROTOCOL,
-    PUBLIC_PATH, VERSION,
-};
+pub use constants::{APP_PATH, PROTOCOL, PUBLIC_PATH, VERSION};
+#[doc(inline)]
+pub use limits::*;
 // Re-export domain types
 pub use models::blob::PubkyAppBlob;
 pub use models::bookmark::PubkyAppBookmark;
 
@@ -0,0 +1,94 @@
+//! Validation limits for pubky-app-specs data models.
+//!
+//! These constants are the single source of truth for client-side validation.
+//!
+//! # Examples
+//! Serialize the bundled limits for client consumption.
+//! ```
+//! use pubky_app_specs::VALIDATION_LIMITS;
+//!
+//! let limits_json = serde_json::to_value(&VALIDATION_LIMITS).unwrap();
+//! assert!(limits_json.is_object());
+//! ```
+
+use serde::Serialize;
+
+/// Bundled validation limits for quick consumption.
+#[derive(Debug, Clone, Copy, Serialize)]
+#[serde(rename_all = "camelCase")]
+pub struct ValidationLimits {
+    /// Maximum blob/file size in bytes.
+    ///
+    /// Chosen to cap user storage per upload and align with homeserver limits.
+    pub max_blob_size_bytes: usize,
+    /// Maximum file size in bytes.
+    ///
+    /// Kept in sync with blob validation since files are blob-backed.
+    pub max_file_size_bytes: usize,
+    /// Minimum number of characters for tag labels.
+    pub tag_label_min_length: usize,
+    /// Maximum number of characters for tag labels.
+    pub tag_label_max_length: usize,
+    /// Disallowed characters, including common whitespace.
+    pub tag_invalid_chars: &'static [char],
+    /// Minimum username length in characters.
+    pub user_name_min_length: usize,
+    /// Maximum username length in characters.
+    pub user_name_max_length: usize,
+    /// Maximum bio length in characters.
+    pub user_bio_max_length: usize,
+    /// Maximum image URL length in characters.
+    pub user_image_url_max_length: usize,
+    /// Maximum number of profile links.
+    pub user_links_max_count: usize,
+    /// Maximum link title length in characters.
+    pub user_link_title_max_length: usize,
+    /// Maximum link URL length in characters.
+    pub user_link_url_max_length: usize,
+    /// Maximum status length in characters.
+    pub user_status_max_length: usize,
+    /// Maximum character count for short posts.
+    pub post_short_content_max_length: usize,
+    /// Maximum character count for long posts.
+    pub post_long_content_max_length: usize,
+    /// Maximum number of attachments per post.
+    pub post_attachments_max_count: usize,
+    /// Maximum length for attachment URLs.
+    pub post_attachment_url_max_length: usize,
+    /// Allowed protocols for attachment URLs.
+    pub post_allowed_attachment_protocols: &'static [&'static str],
+    /// Minimum file name length in characters.
+    pub file_name_min_length: usize,
+    /// Maximum file name length in characters.
+    pub file_name_max_length: usize,
+    /// Maximum file src length in characters.
+    pub file_src_max_length: usize,
+    /// Maximum number of tags allowed in a feed.
+    pub feed_tags_max_count: usize,
+}
+
+/// All validation limits in a single bundle.
+pub const VALIDATION_LIMITS: ValidationLimits = ValidationLimits {
+    max_blob_size_bytes: 100 * (1 << 20), // 100 MB cap aligned with homeserver limits.
+    max_file_size_bytes: 100 * (1 << 20), // Kept in sync with blob validation.
+    tag_label_min_length: 1,
+    tag_label_max_length: 20,
+    tag_invalid_chars: &[',', ':', ' ', '\t', '\n', '\r'],
+    user_name_min_length: 3,
+    user_name_max_length: 50,
+    user_bio_max_length: 160,
+    user_image_url_max_length: 300,
+    user_links_max_count: 5,
+    user_link_title_max_length: 100,
+    user_link_url_max_length: 300,
+    user_status_max_length: 50,
+    post_short_content_max_length: 2000,
+    post_long_content_max_length: 50_000,
+    post_attachments_max_count: 3,
+    post_attachment_url_max_length: 200,
+    post_allowed_attachment_protocols: &["pubky", "http", "https"],
+    file_name_min_length: 1,
+    file_name_max_length: 255,
+    file_src_max_length: 1024,
+    feed_tags_max_count: 5,
+};
@@ -1,5 +1,5 @@
 use crate::{
-    constants::MAX_SIZE,
+    limits::VALIDATION_LIMITS,
     traits::{HasIdPath, HashId, Validatable},
     APP_PATH, PUBLIC_PATH,
 };
@@ -93,7 +93,7 @@ impl Validatable for PubkyAppBlob {
         if self.0.is_empty() {
             return Err("Validation Error: Blob size cannot be zero".to_string());
         }
-        if self.0.len() > MAX_SIZE {
+        if self.0.len() > VALIDATION_LIMITS.max_blob_size_bytes {
             return Err("Validation Error: Blob size exceeds maximum limit of 100MB".to_string());
         }
 
@@ -141,7 +141,7 @@ mod tests {
     #[test]
     fn test_validate_size_errors() {
         // Test blob at max size (should pass)
-        let max_size_blob = PubkyAppBlob(vec![0; MAX_SIZE]);
+        let max_size_blob = PubkyAppBlob(vec![0; VALIDATION_LIMITS.max_blob_size_bytes]);
         let id = max_size_blob.create_id();
         let result = max_size_blob.validate(Some(&id));
         assert!(result.is_ok(), "Blob at max size should be valid");
@@ -154,7 +154,7 @@ mod tests {
         assert!(result.unwrap_err().contains("cannot be zero"));
 
         // Test blob exceeding max size (should fail)
-        let oversized_blob = PubkyAppBlob(vec![0; MAX_SIZE + 1]);
+        let oversized_blob = PubkyAppBlob(vec![0; VALIDATION_LIMITS.max_blob_size_bytes + 1]);
         let id = oversized_blob.create_id();
         let result = oversized_blob.validate(Some(&id));
         assert!(result.is_err());