@alteran/astro 0.1.0

package/package.json

@@ -0,0 +1,75 @@
+{
+  "name": "@alteran/astro",
+  "version": "0.1.0",
+  "description": "Astro integration for running a Cloudflare-hosted Bluesky PDS with Alteran.",
+  "module": "index.js",
+  "types": "index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./index.d.ts",
+      "import": "./index.js"
+    }
+  },
+  "type": "module",
+  "files": [
+    "index.js",
+    "index.d.ts",
+    "src",
+    "types"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "dev": "astro dev",
+    "build": "astro build",
+    "preview": "astro preview",
+    "deploy": "astro build && wrangler deploy",
+    "iac:deploy": "bunx alchemy deploy iac/alchemy.run.ts",
+    "iac:destroy": "bunx alchemy destroy iac/alchemy.run.ts",
+    "iac:plan": "bunx alchemy plan iac/alchemy.run.ts",
+    "db:generate": "bunx drizzle-kit generate",
+    "db:apply": "wrangler d1 migrations apply pds",
+    "db:apply:local": "bunx wrangler d1 migrations apply pds --local",
+    "db:apply:local:direct": "wrangler d1 migrations apply pds --local",
+    "db:reset:local": "rm -rf .wrangler/state && rm -rf drizzle && bun run db:generate && bun run db:apply:local"
+  },
+  "devDependencies": {
+    "@astrojs/cloudflare": "^11.0.4",
+    "@atproto/api": "^0.17.0",
+    "@cloudflare/vite-plugin": "^1.13.8",
+    "alchemy": "^0.70.2",
+    "@types/bun": "latest",
+    "astro": "^4.16.9",
+    "drizzle-kit": "^0.31.5",
+    "miniflare": "3",
+    "vite": "^7.1.8",
+    "wrangler": "^4.40.3"
+  },
+  "peerDependencies": {
+    "typescript": "^5"
+  },
+  "dependencies": {
+    "@iconify-json/simple-icons": "^1.2.53",
+    "@ipld/car": "^5.4.2",
+    "@ipld/dag-cbor": "^9.2.5",
+    "@noble/hashes": "^2.0.1",
+    "astro-icon": "^1.1.5",
+    "dotenv": "^17.2.3",
+    "drizzle-orm": "^0.44.6",
+    "@cloudflare/workers-types": "^4.20251001.0",
+    "get-port": "^7.1.0",
+    "hono": "^4.9.9",
+    "multiformats": "^13.4.1",
+    "uint8arrays": "^5.1.0"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/alteran-dev/alteran.git"
+  },
+  "bugs": {
+    "url": "https://github.com/alteran-dev/alteran/issues"
+  },
+  "homepage": "https://github.com/alteran-dev/alteran#readme",
+  "license": "MIT"
+}

package/src/_worker.ts

@@ -0,0 +1,44 @@
+import { handle } from 'astro/internal/handler';
+import { onRequest } from './middleware';
+import { seed } from './db/seed';
+import { validateConfigOrThrow } from './lib/config';
+import type { Env } from './env';
+
+export default {
+  async fetch(request: Request, env: Env, ctx: ExecutionContext) {
+    // Validate configuration on startup (fail fast if invalid)
+    try {
+      validateConfigOrThrow(env);
+    } catch (error) {
+      return new Response(
+        JSON.stringify({
+          error: 'ConfigurationError',
+          message: error instanceof Error ? error.message : 'Invalid configuration',
+        }),
+        {
+          status: 500,
+          headers: { 'Content-Type': 'application/json' },
+        }
+      );
+    }
+
+    await seed(env.DB, env.PDS_DID ?? 'did:example:single-user');
+
+    const url = new URL(request.url);
+    if (url.pathname === '/xrpc/com.atproto.sync.subscribeRepos') {
+      const upgrade = request.headers.get('upgrade');
+      if (upgrade !== 'websocket') return new Response('Expected websocket', { status: 426 });
+      if (!env.SEQUENCER) return new Response('Sequencer not configured', { status: 503 });
+
+      const id = env.SEQUENCER.idFromName('default');
+      const stub = env.SEQUENCER.get(id);
+      return stub.fetch(request as any);
+    }
+
+    const locals: any = { runtime: { env, ctx, request } };
+    return await onRequest(locals as any, async () => await handle(locals as any));
+  },
+};
+
+// Export Durable Object(s)
+export { Sequencer } from './worker/sequencer';

package/src/app.ts

@@ -0,0 +1,10 @@
+export function createApp() {
+  return {
+    // Lazy-import the worker to avoid hard dependency on Astro internals during tests
+    fetch: async (req: Request, env: any, ctx: ExecutionContext) => {
+      const worker = await import('./_worker');
+      return (worker as any).default.fetch(req, env, ctx);
+    },
+  } as const;
+}
+

package/src/db/client.ts

@@ -0,0 +1,7 @@
+// Types via tsconfig.app.json
+import { drizzle } from 'drizzle-orm/d1';
+import type { Env } from '../env';
+
+export function getDb(env: Env) {
+  return drizzle(env.DB);
+}

package/src/db/dal.ts

@@ -0,0 +1,97 @@
+import { getDb } from './client';
+import { record, type NewRecordRow, blob_ref, blob_usage, blob_quota } from './schema';
+import type { Env } from '../env';
+import { eq, inArray, and } from 'drizzle-orm';
+
+export async function putRecord(env: Env, row: NewRecordRow) {
+  const db = getDb(env);
+  await db.insert(record).values(row).onConflictDoUpdate({ target: record.uri, set: { cid: row.cid, json: row.json } });
+}
+
+export async function getRecord(env: Env, uri: string) {
+  const db = getDb(env);
+  const res = await db.select().from(record).where(eq(record.uri, uri)).get();
+  return res ?? null;
+}
+
+export async function deleteRecord(env: Env, uri: string) {
+  const db = getDb(env);
+  await db.delete(record).where(eq(record.uri, uri)).run();
+}
+
+export async function listRecords(env: Env) {
+  const db = getDb(env);
+  return db.select().from(record).all();
+}
+
+export async function getRecordsByCids(env: Env, cids: string[]) {
+  if (!cids.length) return [] as Awaited<ReturnType<typeof listRecords>>;
+  const db = getDb(env);
+  return db.select().from(record).where(inArray(record.cid, cids)).all();
+}
+
+export async function putBlobRef(env: Env, did: string, cid: string, key: string, mime: string, size: number) {
+  const db = getDb(env);
+  await db
+    .insert(blob_ref)
+    .values({ did, cid, key, mime, size })
+    .onConflictDoUpdate({ target: blob_ref.cid, set: { did, key, mime, size } });
+}
+
+export async function setRecordBlobUsage(env: Env, uri: string, keys: string[]) {
+  const db = getDb(env);
+  // remove existing usage for this record
+  await db.delete(blob_usage).where(eq(blob_usage.recordUri, uri)).run();
+  // insert new usage
+  for (const key of keys) {
+    await db.insert(blob_usage).values({ recordUri: uri, key }).run();
+  }
+}
+
+export async function listOrphanBlobKeys(env: Env): Promise<string[]> {
+  const db = getDb(env);
+  // select keys in blob that are not referenced in blob_usage
+  const all = await db.select().from(blob_ref).all();
+  const used = new Set((await db.select().from(blob_usage).all()).map((u) => u.key));
+  return all.map((b) => b.key).filter((k) => !used.has(k));
+}
+
+export async function deleteBlobByKey(env: Env, key: string) {
+  const db = getDb(env);
+  await db.delete(blob_ref).where(eq(blob_ref.key, key)).run();
+}
+
+export async function getBlobQuota(env: Env, did: string) {
+  const db = getDb(env);
+  const quota = await db.select().from(blob_quota).where(eq(blob_quota.did, did)).get();
+  return quota ?? { did, total_bytes: 0, blob_count: 0, updated_at: Date.now() };
+}
+
+export async function updateBlobQuota(env: Env, did: string, bytesAdded: number, countAdded: number) {
+  const db = getDb(env);
+  const current = await getBlobQuota(env, did);
+
+  await db
+    .insert(blob_quota)
+    .values({
+      did,
+      total_bytes: current.total_bytes + bytesAdded,
+      blob_count: current.blob_count + countAdded,
+      updated_at: Date.now(),
+    })
+    .onConflictDoUpdate({
+      target: blob_quota.did,
+      set: {
+        total_bytes: current.total_bytes + bytesAdded,
+        blob_count: current.blob_count + countAdded,
+        updated_at: Date.now(),
+      },
+    });
+}
+
+export async function checkBlobQuota(env: Env, did: string, additionalBytes: number): Promise<boolean> {
+  const quota = await getBlobQuota(env, did);
+  const maxBytes = parseInt((env as any).PDS_BLOB_QUOTA_BYTES || '10737418240', 10); // Default: 10GB
+
+  return (quota.total_bytes + additionalBytes) <= maxBytes;
+}

package/src/db/repo.ts

@@ -0,0 +1,135 @@
+import type { Env } from '../env';
+import { drizzle } from 'drizzle-orm/d1';
+import { eq } from 'drizzle-orm';
+import { repo_root, commit_log } from './schema';
+import { RepoManager } from '../services/repo-manager';
+import { createCommit, signCommit, commitCid, generateTid, serializeCommit } from '../lib/commit';
+import { CID } from 'multiformats/cid';
+
+export async function getRoot(env: Env) {
+  const db = drizzle(env.DB);
+  const did = env.PDS_DID ?? 'did:example:single-user';
+  return db.select().from(repo_root).where(eq(repo_root.did, did)).get();
+}
+
+/**
+ * Bump the repository root to a new revision with signed commit
+ */
+export async function bumpRoot(env: Env, prevMstRoot?: CID): Promise<{
+  commitCid: string;
+  rev: string;
+  ops: import('../lib/firehose/frames').RepoOp[];
+  mstRoot: CID;
+}> {
+  const db = drizzle(env.DB);
+  const did = env.PDS_DID ?? 'did:example:single-user';
+
+  // Resolve signing key (use ephemeral dev key if not configured and not production)
+  const signingKey = await getSigningKey(env);
+
+  // Get current repo state
+  const row = await db.select().from(repo_root).where(eq(repo_root.did, did)).get();
+  const prevCommitCid = row?.commitCid ? CID.parse(row.commitCid) : null;
+
+  // Get the current MST root
+  const repoManager = new RepoManager(env);
+  const mst = await repoManager.getOrCreateRoot();
+  const mstRootCid = await mst.getPointer();
+
+  // Extract operations if we have a previous MST root
+  const ops = prevMstRoot
+    ? await repoManager.extractOps(prevMstRoot, mstRootCid)
+    : [];
+
+  // Generate new revision (TID)
+  const rev = generateTid();
+
+  // Create commit
+  const commit = createCommit(did, mstRootCid, rev, prevCommitCid);
+
+  // Sign commit
+  const signedCommit = await signCommit(commit, signingKey);
+
+  // Calculate commit CID
+  const cid = await commitCid(signedCommit);
+  const cidString = cid.toString();
+
+  // Update repo root
+  await db
+    .insert(repo_root)
+    .values({
+      did,
+      commitCid: cidString,
+      rev: parseInt(rev, 36), // Convert TID to number for compatibility
+    })
+    .onConflictDoUpdate({
+      target: repo_root.did,
+      set: {
+        commitCid: cidString,
+        rev: parseInt(rev, 36),
+      },
+    })
+    .run();
+
+  // Serialize commit for storage
+  const commitBytes = serializeCommit(signedCommit);
+  const commitData = JSON.stringify({
+    did: signedCommit.did,
+    version: signedCommit.version,
+    data: signedCommit.data.toString(),
+    rev: signedCommit.rev,
+    prev: signedCommit.prev?.toString() || null,
+  });
+  // Encode signature to base64 (workers-safe)
+  let s = '';
+  for (const b of signedCommit.sig) s += String.fromCharCode(b);
+  const sigBase64 = btoa(s);
+
+  // Append to commit log
+  await appendCommit(env, cidString, rev, commitData, sigBase64);
+
+  return { commitCid: cidString, rev, ops, mstRoot: mstRootCid };
+}
+
+export async function appendCommit(env: Env, cid: string, rev: string, data: string, sig: string) {
+  const db = drizzle(env.DB);
+  const ts = Date.now();
+
+  await db
+    .insert(commit_log)
+    .values({
+      cid,
+      rev,
+      data,
+      sig,
+      ts,
+    })
+    .run();
+}
+
+// Cache for dev-mode ephemeral signing key (in-memory for worker/astro dev)
+let cachedDevSigningKey: string | undefined;
+
+async function getSigningKey(env: Env): Promise<string> {
+  const configured = env.REPO_SIGNING_KEY;
+  if (configured && configured.trim() !== '') return configured;
+
+  const envName = (env as any).ENVIRONMENT || 'development';
+  if (envName !== 'production') {
+    if (cachedDevSigningKey) return cachedDevSigningKey;
+    // Generate an ephemeral Ed25519 keypair and cache private key (PKCS#8 base64)
+    const keyPair = await crypto.subtle.generateKey(
+      { name: 'Ed25519', namedCurve: 'Ed25519' } as any,
+      true,
+      ['sign', 'verify']
+    );
+    const pkcs8 = await crypto.subtle.exportKey('pkcs8', keyPair.privateKey);
+    let s = '';
+    const u8 = new Uint8Array(pkcs8);
+    for (let i = 0; i < u8.length; i++) s += String.fromCharCode(u8[i]);
+    cachedDevSigningKey = btoa(s);
+    return cachedDevSigningKey;
+  }
+
+  throw new Error('REPO_SIGNING_KEY not configured');
+}

package/src/db/schema.ts

@@ -0,0 +1,89 @@
+import { sqliteTable, text, integer, index, primaryKey } from 'drizzle-orm/sqlite-core';
+
+export const repo_root = sqliteTable('repo_root', {
+  did: text('did').primaryKey().notNull(),
+  commitCid: text('commit_cid').notNull(),
+  rev: integer('rev').notNull(),
+});
+
+export const record = sqliteTable('record', {
+  uri: text('uri').primaryKey().notNull(),
+  did: text('did').notNull(),
+  cid: text('cid').notNull(),
+  json: text('json').notNull(),
+  createdAt: integer('created_at', { mode: 'number' }).default(0),
+}, (table) => ({
+  // Index for collection queries (did + collection extracted from uri)
+  didIdx: index('record_did_idx').on(table.did),
+  // Index for CID lookups (used in getRecordsByCids)
+  cidIdx: index('record_cid_idx').on(table.cid),
+}));
+
+export const blob_ref = sqliteTable('blob', {
+  cid: text('cid').primaryKey().notNull(),
+  did: text('did').notNull(),
+  key: text('key').notNull(),
+  mime: text('mime').notNull(),
+  size: integer('size').notNull(),
+});
+
+export const blob_usage = sqliteTable('blob_usage', {
+  recordUri: text('record_uri').notNull(),
+  key: text('key').notNull(),
+}, (table) => ({
+  // Composite primary key on recordUri and key
+  pk: primaryKey({ columns: [table.recordUri, table.key] }),
+  // Index for GC queries (finding blobs by record)
+  recordUriIdx: index('blob_usage_record_uri_idx').on(table.recordUri),
+}));
+
+// Commit log stores full commit history for firehose and sync
+// Pruning policy: Keep last N commits (default: 10000) to prevent unbounded growth
+// Older commits can be safely removed as they're not needed for sync after a certain point
+// The MST and current repo state are preserved independently
+export const commit_log = sqliteTable('commit_log', {
+  seq: integer('seq').primaryKey(),
+  cid: text('cid').notNull(),
+  rev: text('rev').notNull(), // TID format
+  data: text('data').notNull(), // Full commit object as JSON
+  sig: text('sig').notNull(), // Signature as base64
+  ts: integer('ts').notNull(),
+}, (table) => ({
+  // Index for pruning old commits
+  seqIdx: index('commit_log_seq_idx').on(table.seq),
+}));
+
+// Blockstore stores MST nodes (Merkle Search Tree blocks)
+// Each MST node is stored as a CBOR-encoded block identified by its CID
+// GC policy: Remove blocks not referenced by recent commits (keep blocks from last N commits)
+export const blockstore = sqliteTable('blockstore', {
+  cid: text('cid').primaryKey(),
+  bytes: text('bytes'),
+});
+
+export const token_revocation = sqliteTable('token_revocation', {
+  jti: text('jti').primaryKey().notNull(),
+  exp: integer('exp').notNull(),
+  revoked_at: integer('revoked_at').notNull(),
+}, (table) => ({
+  // Index for cleanup queries (finding expired tokens)
+  expIdx: index('token_revocation_exp_idx').on(table.exp),
+}));
+
+export const login_attempts = sqliteTable('login_attempts', {
+  ip: text('ip').primaryKey().notNull(),
+  attempts: integer('attempts').notNull().default(0),
+  locked_until: integer('locked_until'),
+  last_attempt: integer('last_attempt').notNull(),
+});
+
+// Blob quota tracking per DID
+export const blob_quota = sqliteTable('blob_quota', {
+  did: text('did').primaryKey().notNull(),
+  total_bytes: integer('total_bytes').notNull().default(0),
+  blob_count: integer('blob_count').notNull().default(0),
+  updated_at: integer('updated_at').notNull(),
+});
+
+export type RecordRow = typeof record.$inferSelect;
+export type NewRecordRow = typeof record.$inferInsert;

package/src/db/seed.ts

@@ -0,0 +1,14 @@
+import { drizzle } from 'drizzle-orm/d1';
+import { repo_root } from './schema';
+
+export async function seed(db: D1Database, did: string) {
+  const d1 = drizzle(db);
+  const rows = await d1.select().from(repo_root).all();
+  if (rows.length === 0) {
+    await d1.insert(repo_root).values({
+      did,
+      commitCid: 'bafyreih2y3p6t2i4y567q2z5q2z5q2z5q2z5q2z5q2z5q2z5q2z5q2z5q',
+      rev: 0,
+    });
+  }
+}

package/src/env.d.ts

@@ -0,0 +1,4 @@
+/// <reference path="../.astro/types.d.ts" />
+/// <reference path="../types/env.d.ts" />
+
+export type { Env, PdsLocals } from '../types/env';

package/src/handlers/debug.ts

@@ -0,0 +1,34 @@
+import type { APIContext } from 'astro';
+import { putRecord as dalPutRecord, getRecord as dalGetRecord } from '../db/dal';
+
+export async function POST_db_bootstrap(ctx: APIContext) {
+  const env: any = (ctx.locals as any).runtime?.env ?? (ctx.locals as any) ?? (globalThis as any);
+  const db = env.DB;
+  await db.exec("CREATE TABLE IF NOT EXISTS record (uri TEXT PRIMARY KEY, cid TEXT NOT NULL, json TEXT NOT NULL, created_at INTEGER DEFAULT (strftime('%s','now')));");
+  await db.exec("CREATE TABLE IF NOT EXISTS blob (cid TEXT PRIMARY KEY, key TEXT NOT NULL, mime TEXT NOT NULL, size INTEGER NOT NULL);");
+  await db.exec("CREATE TABLE IF NOT EXISTS blob_usage (record_uri TEXT NOT NULL, key TEXT NOT NULL);");
+  await db.exec("CREATE TABLE IF NOT EXISTS repo_root (did TEXT PRIMARY KEY, commit_cid TEXT NOT NULL, rev INTEGER NOT NULL);");
+  await db.exec("CREATE INDEX IF NOT EXISTS record_cid_idx ON record(cid);");
+  await db.exec("CREATE INDEX IF NOT EXISTS blob_usage_record_idx ON blob_usage(record_uri);");
+  return new Response('ok');
+}
+
+export async function POST_record(ctx: APIContext) {
+  const env: any = (ctx.locals as any).runtime?.env ?? (ctx.locals as any) ?? (globalThis as any);
+  const body: any = await ctx.request.json().catch(() => ({} as any));
+  const uri = body.uri;
+  if (!uri) return new Response('missing uri', { status: 400 });
+  const row = { uri, cid: 'cid-dev', json: JSON.stringify(body.json ?? { hello: 'world' }) } as const;
+  await dalPutRecord(env, row as any);
+  return Response.json({ ok: true });
+}
+
+export async function GET_record(ctx: APIContext) {
+  const env: any = (ctx.locals as any).runtime?.env ?? (ctx.locals as any) ?? (globalThis as any);
+  const url = new URL(ctx.request.url);
+  const uri = url.searchParams.get('uri');
+  if (!uri) return new Response('missing uri', { status: 400 });
+  const row = await dalGetRecord(env, uri);
+  if (!row) return new Response('Not Found', { status: 404 });
+  return Response.json(row);
+}

package/src/handlers/health.ts

@@ -0,0 +1,6 @@
+import type { APIContext } from 'astro';
+
+export async function GET(_ctx: APIContext) {
+  return new Response('ok', { status: 200 });
+}
+

package/src/handlers/ready.ts

@@ -0,0 +1,14 @@
+import type { APIContext } from 'astro';
+
+export async function GET(ctx: APIContext) {
+  try {
+    const db = (ctx.locals as any).runtime?.env?.DB ?? (ctx.locals as any).DB ?? (globalThis as any).DB;
+    if (db) {
+      await db.prepare('select 1').first();
+    }
+    return new Response('ok', { status: 200 });
+  } catch {
+    return new Response('db not ready', { status: 503 });
+  }
+}
+

package/src/handlers/root.ts

@@ -0,0 +1,5 @@
+import type { APIContext } from 'astro';
+
+export async function GET(_ctx: APIContext) {
+  return new Response('Alteran is alive', { status: 200 });
+}

package/src/handlers/wellknown.ts

@@ -0,0 +1,7 @@
+import type { APIContext } from 'astro';
+
+export async function GET(ctx: APIContext) {
+  const env: any = (ctx.locals as any).runtime?.env ?? (ctx.locals as any) ?? (globalThis as any);
+  return new Response(env.PDS_DID ?? '', { status: 200 });
+}
+

package/src/handlers/xrpc.repo.core.ts

@@ -0,0 +1,57 @@
+import type { APIContext } from 'astro';
+import { RepoManager } from '../services/repo-manager';
+
+async function readJson(req: Request): Promise<any> { try { return await req.json(); } catch { return {}; } }
+
+function bearer(req: Request): string | null { const h = req.headers.get('authorization')||''; const m = /^Bearer\s+(.+)$/i.exec(h); return m?m[1]:null; }
+async function verifyJwt(_ctx: APIContext, token: string): Promise<any | null> { try { return { payload: JSON.parse(atob(token)) }; } catch { return null; } }
+
+async function ensureAuth(ctx: APIContext): Promise<boolean> {
+  const token = bearer(ctx.request);
+  if (!token) return false;
+  const ver = await verifyJwt(ctx, token);
+  return !!ver;
+}
+
+export async function createRecord(ctx: APIContext) {
+  if (!(await ensureAuth(ctx))) return Response.json({ error: 'AuthRequired' }, { status: 401 });
+  const { collection, rkey, record } = await readJson(ctx.request);
+  if (!collection || !record) return Response.json({ error: 'BadRequest' }, { status: 400 });
+  const env: any = (ctx.locals as any).runtime?.env ?? (ctx.locals as any) ?? (globalThis as any);
+  const repo = new RepoManager(env);
+  const commit = await repo.createRecord(collection, record, rkey);
+  return Response.json(commit);
+}
+
+export async function putRecord(ctx: APIContext) {
+  if (!(await ensureAuth(ctx))) return Response.json({ error: 'AuthRequired' }, { status: 401 });
+  const { collection, rkey, record } = await readJson(ctx.request);
+  if (!collection || !rkey || !record) return Response.json({ error: 'BadRequest' }, { status: 400 });
+  const env: any = (ctx.locals as any).runtime?.env ?? (ctx.locals as any) ?? (globalThis as any);
+  const repo = new RepoManager(env);
+  const commit = await repo.putRecord(collection, rkey, record);
+  return Response.json(commit);
+}
+
+export async function deleteRecord(ctx: APIContext) {
+  if (!(await ensureAuth(ctx))) return Response.json({ error: 'AuthRequired' }, { status: 401 });
+  const { collection, rkey } = await readJson(ctx.request);
+  if (!collection || !rkey) return Response.json({ error: 'BadRequest' }, { status: 400 });
+  const env: any = (ctx.locals as any).runtime?.env ?? (ctx.locals as any) ?? (globalThis as any);
+  const repo = new RepoManager(env);
+  const commit = await repo.deleteRecord(collection, rkey);
+  return Response.json(commit);
+}
+
+export async function getRecord(ctx: APIContext) {
+  const url = new URL(ctx.request.url);
+  const repo = url.searchParams.get('repo') || '';
+  const collection = url.searchParams.get('collection') || '';
+  const rkey = url.searchParams.get('rkey') || '';
+  if (!repo || !collection || !rkey) return Response.json({ error: 'BadRequest' }, { status: 400 });
+  const env: any = (ctx.locals as any).runtime?.env ?? (ctx.locals as any) ?? (globalThis as any);
+  const manager = new RepoManager(env);
+  const res = await manager.getRecord(collection, rkey);
+  if (!res) return Response.json({ error: 'NotFound' }, { status: 404 });
+  return Response.json(res);
+}

package/src/handlers/xrpc.server.createSession.ts

@@ -0,0 +1,25 @@
+import type { APIContext } from 'astro';
+
+async function readJson(req: Request): Promise<any> {
+  try { return await req.json(); } catch { return {}; }
+}
+
+async function signJwt(_ctx: APIContext, payload: any, _kind: 'access'|'refresh'): Promise<string> {
+  // Keep simple non-cryptographic token for tests; reuse existing shape
+  const base = { ...payload, exp: Math.floor(Date.now()/1000)+3600 };
+  return btoa(JSON.stringify(base));
+}
+
+export async function POST(ctx: APIContext) {
+  const { identifier, password } = await readJson(ctx.request);
+  const env: any = (ctx.locals as any).runtime?.env ?? (ctx.locals as any) ?? (globalThis as any);
+  const ok = !!password && password === (env.USER_PASSWORD ?? 'changeme');
+  if (!ok) return Response.json({ error: 'InvalidPassword' }, { status: 401 });
+  const did = env.PDS_DID ?? 'did:example:single-user';
+  const handle = env.PDS_HANDLE ?? identifier ?? 'user.example';
+  const jti = crypto.randomUUID();
+  const accessJwt = await signJwt(ctx, { sub: did, handle, t: 'access' }, 'access');
+  const refreshJwt = await signJwt(ctx, { sub: did, handle, t: 'refresh', jti }, 'refresh');
+  return Response.json({ did, handle, accessJwt, refreshJwt });
+}
+