@alteran/astro 0.1.13 → 0.3.0

package/src/db/account.ts

@@ -0,0 +1,145 @@
+import { eq, or, lt } from 'drizzle-orm';
+import { getDb } from './client';
+import { account, refresh_token_store, secret } from './schema';
+import type { Env } from '../env';
+import { normalizeHandle } from '../lib/handle';
+
+const NOW = () => Math.floor(Date.now());
+
+export type AccountRow = typeof account.$inferSelect;
+export type RefreshTokenRow = typeof refresh_token_store.$inferSelect;
+
+function normalizeIdentifier(identifier: string): { did: string | null; handle: string | null } {
+  if (!identifier) return { did: null, handle: null };
+  const trimmed = identifier.trim();
+  if (trimmed.startsWith('did:')) {
+    return { did: trimmed, handle: null };
+  }
+  return { did: null, handle: normalizeHandle(trimmed) };
+}
+
+export async function getAccountByIdentifier(env: Env, identifier: string): Promise<AccountRow | null> {
+  const db = getDb(env);
+  const ident = normalizeIdentifier(identifier);
+  const clauses = [] as any[];
+  if (ident.did) clauses.push(eq(account.did, ident.did));
+  if (ident.handle) clauses.push(eq(account.handle, ident.handle));
+  if (clauses.length === 0) return null;
+  const where = clauses.length === 1 ? clauses[0] : or(...clauses);
+  return db.select().from(account).where(where).get();
+}
+
+export async function createAccount(env: Env, data: {
+  did: string;
+  handle: string;
+  passwordScrypt: string | null;
+  email?: string | null;
+}): Promise<void> {
+  const db = getDb(env);
+  const now = NOW();
+  await db
+    .insert(account)
+    .values({
+      did: data.did,
+      handle: normalizeHandle(data.handle),
+      passwordScrypt: data.passwordScrypt ?? null,
+      email: data.email ?? null,
+      createdAt: now,
+      updatedAt: now,
+    })
+    .onConflictDoUpdate({
+      target: account.did,
+      set: {
+        handle: normalizeHandle(data.handle),
+        passwordScrypt: data.passwordScrypt ?? null,
+        email: data.email ?? null,
+        updatedAt: now,
+      },
+    });
+}
+
+export async function updateAccountPassword(env: Env, did: string, passwordScrypt: string): Promise<void> {
+  const db = getDb(env);
+  await db
+    .update(account)
+    .set({ passwordScrypt, updatedAt: NOW() })
+    .where(eq(account.did, did))
+    .run();
+}
+
+export async function storeRefreshToken(env: Env, data: {
+  id: string;
+  did: string;
+  expiresAt: number; // epoch seconds
+  appPasswordName?: string | null;
+}): Promise<void> {
+  const db = getDb(env);
+  await db
+    .insert(refresh_token_store)
+    .values({
+      id: data.id,
+      did: data.did,
+      expiresAt: data.expiresAt,
+      appPasswordName: data.appPasswordName ?? null,
+      nextId: null,
+    })
+    .onConflictDoUpdate({
+      target: refresh_token_store.id,
+      set: {
+        did: data.did,
+        expiresAt: data.expiresAt,
+        appPasswordName: data.appPasswordName ?? null,
+        nextId: null,
+      },
+    });
+}
+
+export async function markRefreshTokenRotated(env: Env, id: string, nextId: string, graceExpiresAt: number): Promise<void> {
+  const db = getDb(env);
+  await db
+    .update(refresh_token_store)
+    .set({ nextId, expiresAt: graceExpiresAt })
+    .where(eq(refresh_token_store.id, id))
+    .run();
+}
+
+export async function getRefreshToken(env: Env, id: string): Promise<RefreshTokenRow | null> {
+  const db = getDb(env);
+  return db.select().from(refresh_token_store).where(eq(refresh_token_store.id, id)).get();
+}
+
+export async function deleteRefreshToken(env: Env, id: string): Promise<void> {
+  const db = getDb(env);
+  await db.delete(refresh_token_store).where(eq(refresh_token_store.id, id)).run();
+}
+
+export async function cleanupExpiredRefreshTokens(env: Env, now: number): Promise<number> {
+  const db = getDb(env);
+  const res = await db.delete(refresh_token_store).where(lt(refresh_token_store.expiresAt, now)).run();
+  return res.meta.changes ?? 0;
+}
+
+export async function getSecret(env: Env, key: string): Promise<string | null> {
+  const db = getDb(env);
+  const row = await db.select().from(secret).where(eq(secret.key, key)).get();
+  return row?.value ?? null;
+}
+
+export async function setSecret(env: Env, key: string, value: string): Promise<void> {
+  const db = getDb(env);
+  await db
+    .insert(secret)
+    .values({ key, value, updatedAt: NOW() })
+    .onConflictDoUpdate({
+      target: secret.key,
+      set: { value, updatedAt: NOW() },
+    });
+}
+
+export async function getOrCreateSecret(env: Env, key: string, factory: () => Promise<string>): Promise<string> {
+  const existing = await getSecret(env, key);
+  if (existing) return existing;
+  const value = await factory();
+  await setSecret(env, key, value);
+  return value;
+}

package/src/db/dal.ts

@@ -1,11 +1,17 @@
 import { getDb } from './client';
 import { record, type NewRecordRow, blob_ref, blob_usage, blob_quota } from './schema';
 import type { Env } from '../env';
-import { eq, inArray, and } from 'drizzle-orm';
+import { eq, inArray, and, sql } from 'drizzle-orm';
 
 export async function putRecord(env: Env, row: NewRecordRow) {
   const db = getDb(env);
-  await db.insert(record).values(row).onConflictDoUpdate({ target: record.uri, set: { cid: row.cid, json: row.json } });
+  await db.insert(record).values(row).onConflictDoUpdate({
+    target: record.uri,
+    set: {
+      cid: sql.raw(`excluded.${record.cid.name}`),
+      json: sql.raw(`excluded.${record.json.name}`)
+    }
+  });
 }
 
 export async function getRecord(env: Env, uri: string) {
@@ -35,7 +41,15 @@ export async function putBlobRef(env: Env, did: string, cid: string, key: string
   await db
     .insert(blob_ref)
     .values({ did, cid, key, mime, size })
-    .onConflictDoUpdate({ target: blob_ref.cid, set: { did, key, mime, size } });
+    .onConflictDoUpdate({
+      target: blob_ref.cid,
+      set: {
+        did: sql.raw(`excluded.${blob_ref.did.name}`),
+        key: sql.raw(`excluded.${blob_ref.key.name}`),
+        mime: sql.raw(`excluded.${blob_ref.mime.name}`),
+        size: sql.raw(`excluded.${blob_ref.size.name}`)
+      }
+    });
 }
 
 export async function setRecordBlobUsage(env: Env, uri: string, keys: string[]) {
@@ -71,20 +85,24 @@ export async function updateBlobQuota(env: Env, did: string, bytesAdded: number,
   const db = getDb(env);
   const current = await getBlobQuota(env, did);
 
+  const newTotalBytes = current.total_bytes + bytesAdded;
+  const newBlobCount = current.blob_count + countAdded;
+  const now = Date.now();
+
   await db
     .insert(blob_quota)
     .values({
       did,
-      total_bytes: current.total_bytes + bytesAdded,
-      blob_count: current.blob_count + countAdded,
-      updated_at: Date.now(),
+      total_bytes: newTotalBytes,
+      blob_count: newBlobCount,
+      updated_at: now,
     })
     .onConflictDoUpdate({
       target: blob_quota.did,
       set: {
-        total_bytes: current.total_bytes + bytesAdded,
-        blob_count: current.blob_count + countAdded,
-        updated_at: Date.now(),
+        total_bytes: sql.raw(`excluded.${blob_quota.total_bytes.name}`),
+        blob_count: sql.raw(`excluded.${blob_quota.blob_count.name}`),
+        updated_at: sql.raw(`excluded.${blob_quota.updated_at.name}`),
       },
     });
 }

package/src/db/repo.ts

@@ -1,14 +1,15 @@
 import type { Env } from '../env';
 import { drizzle } from 'drizzle-orm/d1';
-import { eq } from 'drizzle-orm';
+import { eq, sql } from 'drizzle-orm';
 import { repo_root, commit_log } from './schema';
 import { RepoManager } from '../services/repo-manager';
 import { createCommit, signCommit, commitCid, generateTid, serializeCommit } from '../lib/commit';
 import { CID } from 'multiformats/cid';
+import { resolveSecret } from '../lib/secrets';
 
 export async function getRoot(env: Env) {
   const db = drizzle(env.DB);
-  const did = env.PDS_DID ?? 'did:example:single-user';
+  const did = (await resolveSecret(env.PDS_DID)) ?? 'did:example:single-user';
   return db.select().from(repo_root).where(eq(repo_root.did, did)).get();
 }
 
@@ -22,7 +23,7 @@ export async function bumpRoot(env: Env, prevMstRoot?: CID): Promise<{
   mstRoot: CID;
 }> {
   const db = drizzle(env.DB);
-  const did = env.PDS_DID ?? 'did:example:single-user';
+  const did = (await resolveSecret(env.PDS_DID)) ?? 'did:example:single-user';
 
   // Resolve signing key (use ephemeral dev key if not configured and not production)
   const signingKey = await getSigningKey(env);
@@ -54,19 +55,19 @@ export async function bumpRoot(env: Env, prevMstRoot?: CID): Promise<{
   const cid = await commitCid(signedCommit);
   const cidString = cid.toString();
 
-  // Update repo root
+  // Update repo root - use sql.raw with excluded to properly reference INSERT values
   await db
     .insert(repo_root)
     .values({
       did,
       commitCid: cidString,
-      rev: parseInt(rev, 36), // Convert TID to number for compatibility
+      rev, // Store TID as text
     })
     .onConflictDoUpdate({
       target: repo_root.did,
       set: {
-        commitCid: cidString,
-        rev: parseInt(rev, 36),
+        commitCid: sql.raw('excluded.commit_cid'),
+        rev: sql.raw('excluded.rev'),
       },
     })
     .run();
@@ -111,7 +112,7 @@ export async function appendCommit(env: Env, cid: string, rev: string, data: str
 let cachedDevSigningKey: string | undefined;
 
 async function getSigningKey(env: Env): Promise<string> {
-  const configured = env.REPO_SIGNING_KEY;
+  const configured = await resolveSecret(env.REPO_SIGNING_KEY);
   if (configured && configured.trim() !== '') return configured;
 
   const envName = (env as any).ENVIRONMENT || 'development';

package/src/db/schema.ts

@@ -1,9 +1,36 @@
-import { sqliteTable, text, integer, index, primaryKey } from 'drizzle-orm/sqlite-core';
+import { sqliteTable, text, integer, index, primaryKey, uniqueIndex } from 'drizzle-orm/sqlite-core';
+
+export const secret = sqliteTable('secret', {
+  key: text('key').primaryKey().notNull(),
+  value: text('value').notNull(),
+  updatedAt: integer('updated_at', { mode: 'number' }).notNull(),
+});
+
+export const account = sqliteTable('account', {
+  did: text('did').primaryKey().notNull(),
+  handle: text('handle').notNull(),
+  passwordScrypt: text('password_scrypt'),
+  email: text('email'),
+  createdAt: integer('created_at', { mode: 'number' }).notNull(),
+  updatedAt: integer('updated_at', { mode: 'number' }).notNull(),
+}, (table) => ({
+  handleIdx: uniqueIndex('account_handle_unique').on(table.handle),
+}));
+
+export const refresh_token_store = sqliteTable('refresh_token', {
+  id: text('id').primaryKey().notNull(),
+  did: text('did').notNull(),
+  expiresAt: integer('expires_at', { mode: 'number' }).notNull(),
+  appPasswordName: text('app_password_name'),
+  nextId: text('next_id'),
+}, (table) => ({
+  didIdx: index('refresh_token_did_idx').on(table.did),
+}));
 
 export const repo_root = sqliteTable('repo_root', {
   did: text('did').primaryKey().notNull(),
   commitCid: text('commit_cid').notNull(),
-  rev: integer('rev').notNull(),
+  rev: text('rev').notNull(), // TID format (e.g., "3m2biurz7cl27")
 });
 
 export const record = sqliteTable('record', {
@@ -61,15 +88,6 @@ export const blockstore = sqliteTable('blockstore', {
   bytes: text('bytes'),
 });
 
-export const token_revocation = sqliteTable('token_revocation', {
-  jti: text('jti').primaryKey().notNull(),
-  exp: integer('exp').notNull(),
-  revoked_at: integer('revoked_at').notNull(),
-}, (table) => ({
-  // Index for cleanup queries (finding expired tokens)
-  expIdx: index('token_revocation_exp_idx').on(table.exp),
-}));
-
 export const login_attempts = sqliteTable('login_attempts', {
   ip: text('ip').primaryKey().notNull(),
   attempts: integer('attempts').notNull().default(0),

package/src/lib/actor.ts

@@ -0,0 +1,133 @@
+import { getDb } from '../db/client';
+import { record } from '../db/schema';
+import { resolveSecret } from './secrets';
+import type { Env } from '../env';
+import { eq } from 'drizzle-orm';
+
+interface ProfileRecord {
+  displayName?: string;
+  description?: string;
+  pronouns?: string;
+  website?: string;
+  avatar?: string;
+  banner?: string;
+  joinedViaStarterPack?: any;
+  pinnedPost?: any;
+  labels?: any;
+  createdAt?: string;
+}
+
+export interface PrimaryActor {
+  did: string;
+  handle: string;
+  displayName?: string;
+  description?: string;
+  pronouns?: string;
+  website?: string;
+  avatar?: string;
+  banner?: string;
+  labels?: any;
+  createdAt?: string;
+}
+
+const PROFILE_COLLECTION = 'app.bsky.actor.profile';
+
+export async function fetchProfileRecord(env: Env, did: string): Promise<ProfileRecord | null> {
+  const db = getDb(env);
+
+  const targetUri = `at://${did}/${PROFILE_COLLECTION}/self`;
+  const byDid = await db.select().from(record).where(eq(record.uri, targetUri)).get();
+  if (byDid?.json) {
+    try {
+      return JSON.parse(byDid.json) as ProfileRecord;
+    } catch {
+      return null;
+    }
+  }
+
+  // Fallback: pick the most recent profile record regardless of DID
+  const fallback = await env.DB.prepare(
+    'SELECT json FROM record WHERE uri LIKE ? ORDER BY rowid DESC LIMIT 1'
+  )
+    .bind(`%/${PROFILE_COLLECTION}/%`)
+    .first<{ json: string }>();
+
+  if (fallback?.json) {
+    try {
+      return JSON.parse(fallback.json) as ProfileRecord;
+    } catch {
+      return null;
+    }
+  }
+
+  return null;
+}
+
+export async function getPrimaryActor(env: Env): Promise<PrimaryActor> {
+  const did = (await resolveSecret(env.PDS_DID)) ?? 'did:example:single-user';
+  const handle = (await resolveSecret(env.PDS_HANDLE)) ?? 'user.example.com';
+
+  const profile = await fetchProfileRecord(env, did);
+
+  return {
+    did,
+    handle,
+    displayName: profile?.displayName ?? handle,
+    description: profile?.description,
+    pronouns: profile?.pronouns,
+    website: profile?.website,
+    avatar: profile?.avatar,
+    banner: profile?.banner,
+    labels: profile?.labels,
+    createdAt: profile?.createdAt,
+  };
+}
+
+export function matchesPrimaryActor(identifier: string | null | undefined, actor: PrimaryActor): boolean {
+  if (!identifier) return false;
+  const lower = identifier.toLowerCase();
+  return lower === actor.did.toLowerCase() || lower === actor.handle.toLowerCase();
+}
+
+export function buildProfileViewBasic(actor: PrimaryActor) {
+  const createdAt = actor.createdAt ?? new Date().toISOString();
+  const labels = Array.isArray(actor.labels) ? actor.labels : [];
+  return {
+    $type: 'app.bsky.actor.defs#profileViewBasic',
+    did: actor.did,
+    handle: actor.handle,
+    displayName: actor.displayName,
+    pronouns: actor.pronouns,
+    avatar: actor.avatar,
+    createdAt,
+    associated: { $type: 'app.bsky.actor.defs#profileAssociated' },
+    labels,
+  };
+}
+
+export function buildProfileView(actor: PrimaryActor) {
+  const basic = buildProfileViewBasic(actor);
+  return {
+    ...basic,
+    $type: 'app.bsky.actor.defs#profileView',
+    description: actor.description,
+    indexedAt: actor.createdAt ?? new Date().toISOString(),
+  };
+}
+
+export function buildProfileViewDetailed(actor: PrimaryActor, counts: {
+  followers: number;
+  follows: number;
+  posts: number;
+}) {
+  const view = buildProfileView(actor);
+  return {
+    ...view,
+    $type: 'app.bsky.actor.defs#profileViewDetailed',
+    banner: actor.banner,
+    website: actor.website,
+    followersCount: counts.followers,
+    followsCount: counts.follows,
+    postsCount: counts.posts,
+  };
+}