@alteran/astro 0.3.8 → 0.5.2

package/src/pages/xrpc/[...nsid].ts

@@ -0,0 +1,61 @@
+import type { APIContext } from 'astro';
+import { proxyAppView } from '../../lib/appview';
+import { AuthTokenExpiredError, expiredToken, isAuthorized, unauthorized } from '../../lib/auth';
+
+export const prerender = false;
+
+function shouldProxy(nsid: string): boolean {
+  return (
+    nsid.startsWith('app.bsky.') ||
+    nsid.startsWith('chat.bsky.') ||
+    nsid.startsWith('tools.ozone.')
+  );
+}
+
+function nsidFromParams(params: Record<string, any>): string {
+  const p = (params as any).nsid;
+  if (Array.isArray(p)) return p.join('');
+  return typeof p === 'string' ? p : '';
+}
+
+async function handle({ locals, request, params }: APIContext): Promise<Response> {
+  const { env } = locals.runtime;
+  try {
+    if (!(await isAuthorized(request, env))) return unauthorized();
+  } catch (error) {
+    if (error instanceof AuthTokenExpiredError) {
+      return expiredToken();
+    }
+    throw error;
+  }
+
+  const nsid = nsidFromParams(params).trim();
+  console.log('xrpc catchall invoked:', { nsid, url: request.url });
+  if (!nsid) {
+    return new Response(JSON.stringify({ error: 'NotFound' }), {
+      status: 404,
+      headers: { 'Content-Type': 'application/json' },
+    });
+  }
+
+  if (!shouldProxy(nsid)) {
+    return new Response(JSON.stringify({ error: 'NotImplemented' }), {
+      status: 404,
+      headers: { 'Content-Type': 'application/json' },
+    });
+  }
+
+  return proxyAppView({ request, env, lxm: nsid });
+}
+
+export async function GET(ctx: APIContext) {
+  return handle(ctx);
+}
+
+export async function HEAD(ctx: APIContext) {
+  return handle(ctx);
+}
+
+export async function POST(ctx: APIContext) {
+  return handle(ctx);
+}

package/src/pages/xrpc/app.bsky.actor.getPreferences.ts

@@ -1,23 +1,22 @@
 import type { APIContext } from 'astro';
-import { proxyAppView } from '../../lib/appview';
-import { isAuthorized, unauthorized } from '../../lib/auth';
+import { AuthTokenExpiredError, expiredToken, isAuthorized, unauthorized } from '../../lib/auth';
 import { getActorPreferences } from '../../lib/preferences';
 
 export const prerender = false;
 
 export async function GET({ locals, request }: APIContext) {
   const { env } = locals.runtime;
-  if (!(await isAuthorized(request, env))) return unauthorized();
+  try {
+    if (!(await isAuthorized(request, env))) return unauthorized();
+  } catch (error) {
+    if (error instanceof AuthTokenExpiredError) {
+      return expiredToken();
+    }
+    throw error;
+  }
 
-  return proxyAppView({
-    request,
-    env,
-    lxm: 'app.bsky.actor.getPreferences',
-    fallback: async () => {
-      const { preferences } = await getActorPreferences(env);
-      return new Response(JSON.stringify({ preferences }), {
-        headers: { 'Content-Type': 'application/json' },
-      });
-    },
+  const { preferences } = await getActorPreferences(env);
+  return new Response(JSON.stringify({ preferences: Array.isArray(preferences) ? preferences : [] }), {
+    headers: { 'Content-Type': 'application/json' },
   });
 }

package/src/pages/xrpc/app.bsky.actor.putPreferences.ts

@@ -1,6 +1,6 @@
 import type { APIContext } from 'astro';
-import { proxyAppView } from '../../lib/appview';
-import { isAuthorized, unauthorized } from '../../lib/auth';
+import { errorCode, errorMessage } from '../../lib/errors';
+import { AuthTokenExpiredError, expiredToken, isAuthorized, unauthorized } from '../../lib/auth';
 import { readJsonBounded } from '../../lib/util';
 import { setActorPreferences } from '../../lib/preferences';
 
@@ -8,29 +8,29 @@ export const prerender = false;
 
 export async function POST({ locals, request }: APIContext) {
   const { env } = locals.runtime;
-  if (!(await isAuthorized(request, env))) return unauthorized();
+  try {
+    if (!(await isAuthorized(request, env))) return unauthorized();
+  } catch (error) {
+    if (error instanceof AuthTokenExpiredError) {
+      return expiredToken();
+    }
+    throw error;
+  }
 
-  return proxyAppView({
-    request,
-    env,
-    lxm: 'app.bsky.actor.putPreferences',
-    fallback: async () => {
-      let body: any;
-      try {
-        body = await readJsonBounded(env, request);
-      } catch (err: any) {
-        if (err?.code === 'PayloadTooLarge') {
-          return new Response(JSON.stringify({ error: 'PayloadTooLarge' }), { status: 413 });
-        }
-        return new Response(JSON.stringify({ error: 'BadRequest' }), { status: 400 });
-      }
+  let body: any;
+  try {
+    body = await readJsonBounded(env, request);
+  } catch (error) {
+    if (errorCode(error) === 'PayloadTooLarge') {
+      return new Response(JSON.stringify({ error: 'PayloadTooLarge' }), { status: 413 });
+    }
+    return new Response(JSON.stringify({ error: 'BadRequest' }), { status: 400 });
+  }
 
-      const preferences = Array.isArray(body?.preferences) ? body.preferences : [];
-      await setActorPreferences(env, preferences);
+  const preferences = Array.isArray(body?.preferences) ? body.preferences : [];
+  await setActorPreferences(env, preferences);
 
-      return new Response(JSON.stringify({}), {
-        headers: { 'Content-Type': 'application/json' },
-      });
-    },
+  return new Response(JSON.stringify({}), {
+    headers: { 'Content-Type': 'application/json' },
   });
 }

package/src/pages/xrpc/app.bsky.unspecced.getAgeAssuranceState.ts

@@ -1,11 +1,18 @@
 import type { APIContext } from 'astro';
-import { isAuthorized, unauthorized } from '../../lib/auth';
+import { AuthTokenExpiredError, expiredToken, isAuthorized, unauthorized } from '../../lib/auth';
 
 export const prerender = false;
 
 export async function GET({ locals, request }: APIContext) {
   const { env } = locals.runtime;
-  if (!(await isAuthorized(request, env))) return unauthorized();
+  try {
+    if (!(await isAuthorized(request, env))) return unauthorized();
+  } catch (error) {
+    if (error instanceof AuthTokenExpiredError) {
+      return expiredToken();
+    }
+    throw error;
+  }
 
   return new Response(
     JSON.stringify({

package/src/pages/xrpc/chat.bsky.convo.getLog.ts

@@ -1,5 +1,5 @@
 import type { APIContext } from 'astro';
-import { isAuthorized, unauthorized } from '../../lib/auth';
+import { AuthTokenExpiredError, expiredToken, isAuthorized, unauthorized } from '../../lib/auth';
 import { getPrimaryActor } from '../../lib/actor';
 import { listChatConvoLogs } from '../../lib/chat';
 
@@ -7,7 +7,14 @@ export const prerender = false;
 
 export async function GET({ locals, request }: APIContext) {
   const { env } = locals.runtime;
-  if (!(await isAuthorized(request, env))) return unauthorized();
+  try {
+    if (!(await isAuthorized(request, env))) return unauthorized();
+  } catch (error) {
+    if (error instanceof AuthTokenExpiredError) {
+      return expiredToken();
+    }
+    throw error;
+  }
 
   const url = new URL(request.url);
   const cursorParam = url.searchParams.get('cursor');

package/src/pages/xrpc/chat.bsky.convo.listConvos.ts

@@ -1,5 +1,5 @@
 import type { APIContext } from 'astro';
-import { isAuthorized, unauthorized } from '../../lib/auth';
+import { AuthTokenExpiredError, expiredToken, isAuthorized, unauthorized } from '../../lib/auth';
 import { listChatConvos } from '../../lib/chat';
 import { getPrimaryActor } from '../../lib/actor';
 
@@ -7,7 +7,14 @@ export const prerender = false;
 
 export async function GET({ locals, request }: APIContext) {
   const { env } = locals.runtime;
-  if (!(await isAuthorized(request, env))) return unauthorized();
+  try {
+    if (!(await isAuthorized(request, env))) return unauthorized();
+  } catch (error) {
+    if (error instanceof AuthTokenExpiredError) {
+      return expiredToken();
+    }
+    throw error;
+  }
 
   const url = new URL(request.url);
   const limitInput = Number.parseInt(url.searchParams.get('limit') ?? '', 10);

package/src/pages/xrpc/com.atproto.identity.getRecommendedDidCredentials.ts

@@ -1,7 +1,6 @@
 import type { APIContext } from 'astro';
-import { isAuthorized, unauthorized } from '../../lib/auth';
+import { AuthTokenExpiredError, expiredToken, isAuthorized, unauthorized } from '../../lib/auth';
 import { resolveSecret } from '../../lib/secrets';
-import * as uint8arrays from 'uint8arrays';
 
 export const prerender = false;
 
@@ -15,49 +14,53 @@ export const prerender = false;
 export async function GET({ locals, request }: APIContext) {
   const { env } = locals.runtime;
 
-  if (!(await isAuthorized(request, env))) return unauthorized();
+  try {
+    if (!(await isAuthorized(request, env))) return unauthorized();
+  } catch (error) {
+    if (error instanceof AuthTokenExpiredError) {
+      return expiredToken();
+    }
+    throw error;
+  }
 
   try {
     const handle = (await resolveSecret(env.PDS_HANDLE)) ?? 'example.com';
     const hostname = env.PDS_HOSTNAME ?? handle;
 
-    // Load signing key (Ed25519 PKCS#8 base64)
-    const signingKeyBase64 = await resolveSecret(env.REPO_SIGNING_KEY);
-    if (!signingKeyBase64) {
+    // Always ES256K: derive did:key from the secp256k1 signing key
+    let didKey: string | undefined;
+    const priv = (await resolveSecret(env.REPO_SIGNING_KEY))?.trim();
+    if (!priv) {
       return new Response(
-        JSON.stringify({
-          error: 'InvalidRequest',
-          message: 'Signing key not configured'
-        }),
-        { status: 400, headers: { 'Content-Type': 'application/json' } }
+        JSON.stringify({ error: 'InvalidRequest', message: 'REPO_SIGNING_KEY not configured for ES256K' }),
+        { status: 400, headers: { 'Content-Type': 'application/json' } },
+      );
+    }
+    try {
+      const { Secp256k1Keypair } = await import('@atproto/crypto');
+      let keypair: { did: () => string };
+      if (/^[0-9a-fA-F]{64}$/.test(priv)) {
+        keypair = await Secp256k1Keypair.import(priv);
+      } else {
+        const bin = atob(priv.replace(/\s+/g, ''));
+        const bytes = new Uint8Array(bin.length);
+        for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
+        keypair = await Secp256k1Keypair.import(bytes);
+      }
+      didKey = keypair.did();
+    } catch (keypairError) {
+      console.error('REPO_SIGNING_KEY did:key derivation failed:', keypairError);
+      return new Response(
+        JSON.stringify({ error: 'InvalidRequest', message: 'Failed to derive secp256k1 did:key from REPO_SIGNING_KEY' }),
+        { status: 400, headers: { 'Content-Type': 'application/json' } },
       );
     }
-
-    // Import Ed25519 private key from PKCS#8 base64
-    const b64 = signingKeyBase64.replace(/\s+/g, '');
-    const bin = atob(b64);
-    const pkcs8 = new Uint8Array(bin.length);
-    for (let i = 0; i < bin.length; i++) pkcs8[i] = bin.charCodeAt(i);
-
-    // Ed25519 PKCS#8 format: the public key is the last 32 bytes of the private key section
-    // PKCS#8 structure for Ed25519:
-    // - Header (16 bytes)
-    // - Private key (32 bytes)
-    // - Public key (32 bytes)
-    // Total: 80 bytes for unencrypted PKCS#8
-    const publicKeyBytes = pkcs8.slice(-32);
-
-    // Create did:key from public key
-    // Ed25519 multicodec prefix is 0xed01
-    const multicodecPrefix = new Uint8Array([0xed, 0x01]);
-    const multicodecKey = new Uint8Array(multicodecPrefix.length + publicKeyBytes.length);
-    multicodecKey.set(multicodecPrefix);
-    multicodecKey.set(publicKeyBytes, multicodecPrefix.length);
-
-    const didKey = 'did:key:z' + uint8arrays.toString(multicodecKey, 'base58btc');
 
     // Get current PLC data to preserve rotation keys
-    const did = (await resolveSecret(env.PDS_DID)) ?? 'did:example:single-user';
+    const did = await resolveSecret(env.PDS_DID);
+    if (!did) {
+      return new Response(JSON.stringify({ error: 'InvalidRequest', message: 'PDS_DID is not configured' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
+    }
     const plcResponse = await fetch(`https://plc.directory/${did}/data`);
 
     let rotationKeys: string[] = [];
@@ -69,9 +72,7 @@ export async function GET({ locals, request }: APIContext) {
     const credentials = {
       rotationKeys,
       alsoKnownAs: [`at://${handle}`],
-      verificationMethods: {
-        atproto: didKey
-      },
+      verificationMethods: { atproto: didKey },
       services: {
         atproto_pds: {
           type: 'AtprotoPersonalDataServer',
@@ -84,14 +85,15 @@ export async function GET({ locals, request }: APIContext) {
       JSON.stringify(credentials),
       { status: 200, headers: { 'Content-Type': 'application/json' } }
     );
-  } catch (error: any) {
+  } catch (error) {
     console.error('Get recommended credentials error:', error);
+    const message = error instanceof Error ? error.message : 'Failed to get recommended credentials';
     return new Response(
       JSON.stringify({
         error: 'InternalServerError',
-        message: error.message || 'Failed to get recommended credentials'
+        message,
       }),
       { status: 500, headers: { 'Content-Type': 'application/json' } }
     );
   }
-}
+}

package/src/pages/xrpc/com.atproto.identity.requestPlcOperationSignature.ts

@@ -1,5 +1,5 @@
 import type { APIContext } from 'astro';
-import { isAuthorized, unauthorized } from '../../lib/auth';
+import { AuthTokenExpiredError, expiredToken, isAuthorized, unauthorized } from '../../lib/auth';
 
 export const prerender = false;
 
@@ -15,8 +15,15 @@ export const prerender = false;
 export async function POST({ locals, request }: APIContext) {
   const { env } = locals.runtime;
 
-  if (!(await isAuthorized(request, env))) {
-    return unauthorized();
+  try {
+    if (!(await isAuthorized(request, env))) {
+      return unauthorized();
+    }
+  } catch (error) {
+    if (error instanceof AuthTokenExpiredError) {
+      return expiredToken();
+    }
+    throw error;
   }
 
   return new Response(null, { status: 200 });

package/src/pages/xrpc/com.atproto.identity.resolveHandle.ts

@@ -1,4 +1,5 @@
 import type { APIContext } from 'astro';
+import { getAppViewConfig } from '../../lib/appview';
 
 export const prerender = false;
 
@@ -10,8 +11,8 @@ export async function GET({ locals, url }: APIContext) {
   const { env } = locals.runtime;
 
   const handle = url.searchParams.get('handle');
-  const configuredHandle = env.PDS_HANDLE || 'user.example.com';
-  const did = env.PDS_DID || 'did:example:single-user';
+  const configuredHandle = String(env.PDS_HANDLE || 'user.example.com');
+  const did = String(env.PDS_DID || 'did:example:single-user');
 
   if (!handle) {
     return new Response(
@@ -20,8 +21,8 @@ export async function GET({ locals, url }: APIContext) {
     );
   }
 
-  // Single-user PDS: only resolve if handle matches configured handle
-  if (handle === configuredHandle) {
+  // Single-user PDS: resolve the local configured handle directly
+  if (handle.toLowerCase() === configuredHandle.toLowerCase()) {
     return new Response(
       JSON.stringify({ did }),
       {
@@ -31,8 +32,38 @@ export async function GET({ locals, url }: APIContext) {
     );
   }
 
-  return new Response(
-    JSON.stringify({ error: 'HandleNotFound' }),
-    { status: 404, headers: { 'Content-Type': 'application/json' } }
-  );
-}
+  // For non-local handles, mirror upstream PDS behavior:
+  // proxy the resolution to the configured AppView (or api.bsky.app by default).
+  try {
+    const app = getAppViewConfig(env);
+    const base = app?.url || 'https://api.bsky.app';
+    const upstream = new URL('/xrpc/com.atproto.identity.resolveHandle', base);
+    upstream.searchParams.set('handle', handle);
+
+    const response = await fetch(upstream.toString(), {
+      headers: { accept: 'application/json' },
+    });
+
+    if (response.ok) {
+      // Pass through upstream JSON (e.g. { did })
+      return new Response(await response.text(), {
+        status: 200,
+        headers: { 'Content-Type': 'application/json' },
+      });
+    }
+
+    // Map upstream failures to the standard InvalidRequest shape used by PDS
+    const text = await response.text().catch(() => '');
+    const body = text ? (() => { try { return JSON.parse(text); } catch { return null; } })() : null;
+    const message = body?.message || 'Unable to resolve handle';
+    return new Response(
+      JSON.stringify({ error: 'InvalidRequest', message }),
+      { status: 400, headers: { 'Content-Type': 'application/json' } }
+    );
+  } catch {
+    return new Response(
+      JSON.stringify({ error: 'InvalidRequest', message: 'Unable to resolve handle' }),
+      { status: 400, headers: { 'Content-Type': 'application/json' } }
+    );
+  }
+}

package/src/pages/xrpc/com.atproto.identity.signPlcOperation.ts

@@ -1,5 +1,5 @@
 import type { APIContext } from 'astro';
-import { isAuthorized, unauthorized } from '../../lib/auth';
+import { AuthTokenExpiredError, expiredToken, isAuthorized, unauthorized } from '../../lib/auth';
 import { resolveSecret } from '../../lib/secrets';
 
 export const prerender = false;
@@ -15,7 +15,14 @@ export const prerender = false;
 export async function POST({ locals, request }: APIContext) {
   const { env } = locals.runtime;
 
-  if (!(await isAuthorized(request, env))) return unauthorized();
+  try {
+    if (!(await isAuthorized(request, env))) return unauthorized();
+  } catch (error) {
+    if (error instanceof AuthTokenExpiredError) {
+      return expiredToken();
+    }
+    throw error;
+  }
 
   try {
     const body = await request.json() as {
@@ -36,53 +43,58 @@ export async function POST({ locals, request }: APIContext) {
       return jsonErr(400, 'InvalidRequest', 'PDS_DID is not configured');
     }
 
-    // Load PLC rotation key (hex-encoded secp256k1 private key).
-    // MUST be the rotation key currently present in the PLC document.
-    const privHex = ((await resolveSecret(env.PDS_PLC_ROTATION_KEY as any)) || '').trim();
+    const privHex = ((await resolveSecret(env.PDS_PLC_ROTATION_KEY)) || '').trim();
     if (!privHex) {
       return jsonErr(500, 'ServerMisconfigured', 'PDS_PLC_ROTATION_KEY is not configured');
     }
-    // Lazy-load deps compatible with Workers runtime
     const { Secp256k1Keypair } = await import('@atproto/crypto');
-    const dagCbor: any = await import('@ipld/dag-cbor');
+    const dagCbor = await import('@ipld/dag-cbor');
     const { sha256 } = await import('multiformats/hashes/sha2');
     const { CID } = await import('multiformats/cid');
-    const u8a: any = await import('uint8arrays');
+    const u8a = await import('uint8arrays');
 
     const signer = await Secp256k1Keypair.import(privHex);
 
-    // Fetch last op for prev CID
-    const lastRes = await fetch(`https://plc.directory/${encodeURIComponent(did)}/log/last`);
-    if (!lastRes.ok) {
-      const text = await lastRes.text();
-      return jsonErr(lastRes.status, 'PlcFetchFailed', `Failed to fetch last op: ${text}`);
+    const lastResponse = await fetch(`https://plc.directory/${encodeURIComponent(did)}/log/last`);
+    if (!lastResponse.ok) {
+      const text = await lastResponse.text();
+      return jsonErr(lastResponse.status, 'PlcFetchFailed', `Failed to fetch last op: ${text}`);
     }
-    const lastOp = await lastRes.json();
-    if ((lastOp as any)?.type === 'plc_tombstone') {
+    const lastOp = (await lastResponse.json()) as { type?: string };
+    if (lastOp?.type === 'plc_tombstone') {
       return jsonErr(400, 'DidTombstoned', 'DID is tombstoned');
     }
     const lastOpCbor = dagCbor.encode(lastOp);
     const mh = await sha256.digest(lastOpCbor);
     const prevCid = CID.createV1(dagCbor.code, mh);
 
-    // Fetch current document data as defaults and to verify rotation key
-    const dataRes = await fetch(`https://plc.directory/${encodeURIComponent(did)}/data`);
-    if (!dataRes.ok) {
-      const text = await dataRes.text();
-      return jsonErr(dataRes.status, 'PlcFetchFailed', `Failed to fetch document data: ${text}`);
+    const dataResponse = await fetch(`https://plc.directory/${encodeURIComponent(did)}/data`);
+    if (!dataResponse.ok) {
+      const text = await dataResponse.text();
+      return jsonErr(dataResponse.status, 'PlcFetchFailed', `Failed to fetch document data: ${text}`);
     }
-    const doc = (await dataRes.json()) as any;
+    type PlcDoc = {
+      rotationKeys?: string[];
+      alsoKnownAs?: string[];
+      verificationMethods?: Record<string, string>;
+      services?: Record<string, { type?: string; endpoint?: string }>;
+    };
+    const doc = (await dataResponse.json()) as PlcDoc;
 
     const rotationKeys = body.rotationKeys ?? doc.rotationKeys ?? [];
     const alsoKnownAs = body.alsoKnownAs ?? doc.alsoKnownAs ?? [];
     const verificationMethods = body.verificationMethods ?? doc.verificationMethods ?? {};
-    const services = body.services ?? doc.services ?? {};
+    const services = (body.services ?? doc.services ?? {}) as Record<
+      string,
+      { type?: string; endpoint?: string }
+    >;
 
-    if (!services.atproto_pds || typeof services.atproto_pds !== 'object') {
+    const pdsService = services.atproto_pds;
+    if (!pdsService || typeof pdsService !== 'object') {
       return jsonErr(400, 'InvalidRequest', 'Missing atproto_pds service in PLC operation');
     }
-    if (!services.atproto_pds.type) {
-      services.atproto_pds.type = 'AtprotoPersonalDataServer';
+    if (!pdsService.type) {
+      pdsService.type = 'AtprotoPersonalDataServer';
     }
 
     const unsignedOp = {
@@ -96,10 +108,9 @@ export async function POST({ locals, request }: APIContext) {
 
     const bytes = dagCbor.encode(unsignedOp);
     const sig = await signer.sign(bytes);
-    const sigB64 = (u8a.toString as any)(sig, 'base64url');
+    const sigB64 = u8a.toString(sig, 'base64url');
     const operation = { ...unsignedOp, sig: sigB64 };
 
-    // sanity: ensure our configured rotation key is included
     const signerDid = (await (await import('@atproto/crypto')).Secp256k1Keypair.import(privHex)).did();
     if (!rotationKeys.includes(signerDid)) {
       return jsonErr(
@@ -113,9 +124,10 @@ export async function POST({ locals, request }: APIContext) {
       status: 200,
       headers: { 'Content-Type': 'application/json' },
     });
-  } catch (error: any) {
+  } catch (error) {
     console.error('signPlcOperation error:', error);
-    return jsonErr(500, 'InternalServerError', error?.message || 'Failed to sign PLC operation');
+    const message = error instanceof Error ? error.message : 'Failed to sign PLC operation';
+    return jsonErr(500, 'InternalServerError', message);
   }
 }
 

package/src/pages/xrpc/com.atproto.identity.submitPlcOperation.ts

@@ -1,5 +1,6 @@
 import type { APIContext } from 'astro';
-import { isAuthorized, unauthorized } from '../../lib/auth';
+import { errorMessage } from '../../lib/errors';
+import { AuthTokenExpiredError, expiredToken, isAuthorized, unauthorized } from '../../lib/auth';
 import { resolveSecret } from '../../lib/secrets';
 
 export const prerender = false;
@@ -14,7 +15,14 @@ export const prerender = false;
 export async function POST({ locals, request }: APIContext) {
   const { env } = locals.runtime;
 
-  if (!(await isAuthorized(request, env))) return unauthorized();
+  try {
+    if (!(await isAuthorized(request, env))) return unauthorized();
+  } catch (error) {
+    if (error instanceof AuthTokenExpiredError) {
+      return expiredToken();
+    }
+    throw error;
+  }
 
   try {
     const body = await request.json() as { operation?: any };
@@ -30,7 +38,13 @@ export async function POST({ locals, request }: APIContext) {
       );
     }
 
-    const did = (await resolveSecret(env.PDS_DID)) ?? 'did:example:single-user';
+    const did = await resolveSecret(env.PDS_DID);
+    if (!did) {
+      return new Response(
+        JSON.stringify({ error: 'InvalidRequest', message: 'PDS_DID is not configured' }),
+        { status: 400, headers: { 'Content-Type': 'application/json' } }
+      );
+    }
 
     console.log('Submitting PLC operation:', {
       did,
@@ -78,14 +92,14 @@ export async function POST({ locals, request }: APIContext) {
       JSON.stringify({ success: true }),
       { status: 200, headers: { 'Content-Type': 'application/json' } }
     );
-  } catch (error: any) {
+  } catch (error) {
     console.error('Submit PLC operation error:', error);
     return new Response(
       JSON.stringify({
         error: 'InternalServerError',
-        message: error.message || 'Failed to submit PLC operation'
+        message: errorMessage(error) || 'Failed to submit PLC operation'
       }),
       { status: 500, headers: { 'Content-Type': 'application/json' } }
     );
   }
-}
+}

package/src/pages/xrpc/com.atproto.identity.updateHandle.ts

@@ -11,7 +11,7 @@ export async function POST({ locals, request }: APIContext) {
   const { env } = locals.runtime;
 
   try {
-    const body = await readJson(request);
+    const body = (await readJson(request)) as { handle?: string };
     const { handle } = body;
 
     if (!handle) {