@alteran/astro 0.3.9 → 0.5.2

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Rawkode Academy
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -1,5 +1,8 @@
 # Alteran
 
+> [!WARNING]
+> This project was built using agentic coding tools and is currently undergoing a systematic review by a human in their spare time. Nobody should use this project as their PDS yet.
+
 ## Astro Integration
 
 This repository now ships an Astro integration that turns any Cloudflare Worker-backed Astro app into a single-user ATProto Personal Data Server. Install the package (or link it locally), then add the integration to your `astro.config.mjs`:
@@ -111,15 +114,15 @@ This project uses Drizzle Kit for database schema management and migrations.
 ### Migration Workflow
 
 1. **Modify Schema**: Edit [`src/db/schema.ts`](src/db/schema.ts:1) to add/modify tables or indexes
-2. **Generate Migration**: Run `bun run db:generate` to create a new migration file in `drizzle/`
-3. **Review Migration**: Check the generated SQL in `drizzle/XXXX_*.sql`
+2. **Generate Migration**: Run `bun run db:generate` to create a new migration file in `migrations/`
+3. **Review Migration**: Check the generated SQL in `migrations/XXXX_*.sql`
 4. **Apply Locally**: Run `bun run db:apply:local` to apply to local D1 database
 5. **Apply to Production**: Run `wrangler d1 migrations apply pds --remote` after deployment
 
 ### Migration Versioning
 
 - Migrations are versioned sequentially (0000, 0001, 0002, etc.)
-- Each migration is tracked in `drizzle/meta/_journal.json`
+- Each migration is tracked in `migrations/meta/_journal.json`
 - Migrations are applied in order and cannot be skipped
 - Applied migrations are recorded in D1's `_cf_KV` table
 
@@ -181,7 +184,7 @@ Set these secrets for each environment using `wrangler secret put <NAME> --env <
 | `USER_PASSWORD` | Login password | Strong password |
 | `ACCESS_TOKEN` | JWT access token secret | Random 32+ char string |
 | `REFRESH_TOKEN` | JWT refresh token secret | Random 32+ char string |
-| `REPO_SIGNING_KEY` | Ed25519 signing key (base64) | From `generate-signing-key.ts` |
+| `REPO_SIGNING_KEY` | secp256k1 signing key (hex or base64 32 bytes). Used for commits and service-auth | From `scripts/setup-secrets.ts` |
 
 **Generate secrets:**
 ```bash
@@ -189,9 +192,6 @@ Set these secrets for each environment using `wrangler secret put <NAME> --env <
 # Generates all required secrets and prints wrangler commands
 bun run scripts/setup-secrets.ts --env production --did did:web:example.com --handle user.example.com
 
-# Or generate only the repo signing key
-bun run scripts/generate-signing-key.ts
-
 # After generation, set secrets (example for production)
 wrangler secret put PDS_DID --env production
 wrangler secret put PDS_HANDLE --env production
@@ -199,8 +199,6 @@ wrangler secret put USER_PASSWORD --env production
 wrangler secret put ACCESS_TOKEN --env production
 wrangler secret put REFRESH_TOKEN --env production
 wrangler secret put REPO_SIGNING_KEY --env production
-# Optional: publish public key for DID document
-wrangler secret put REPO_SIGNING_KEY_PUBLIC --env production
 ```
 
 ### Using Cloudflare Secret Store (optional)
@@ -333,7 +331,7 @@ This PDS now implements full AT Protocol core compliance with:
 - ✅ D1 blockstore integration
 
 ### Signed Commits
-- ✅ Ed25519 cryptographic signatures
+- ✅ secp256k1 cryptographic signatures
 - ✅ AT Protocol v3 commit structure
 - ✅ TID-based revisions
 - ✅ Commit chain tracking
@@ -358,31 +356,26 @@ This PDS now implements full AT Protocol core compliance with:
 # Recommended: bootstrap all secrets (prints wrangler commands)
 bun run scripts/setup-secrets.ts --env production --did did:web:example.com --handle user.example.com
 
-# Alternative: generate only the repo signing key
-bun run scripts/generate-signing-key.ts
+# Alternatively, supply your own secp256k1 key (32‑byte hex/base64)
 ```
 
 ### 2. Configure Secrets
 
 **Required Secrets:**
 ```bash
-wrangler secret put REPO_SIGNING_KEY  # From step 1
-wrangler secret put PDS_DID           # Your DID
-wrangler secret put PDS_HANDLE        # Your handle
-wrangler secret put USER_PASSWORD     # Login password
+wrangler secret put REPO_SIGNING_KEY         # secp256k1 (from setup-secrets)
+wrangler secret put PDS_DID                  # Your DID
+wrangler secret put PDS_HANDLE               # Your handle
+wrangler secret put USER_PASSWORD            # Login password
 wrangler secret put REFRESH_TOKEN
 wrangler secret put REFRESH_TOKEN_SECRET
-# Optional: publish raw public key for DID document
-wrangler secret put REPO_SIGNING_KEY_PUBLIC
 ```
 
 **For Local Development (.dev.vars):**
 ```env
 PDS_DID=did:plc:your-did-here
 PDS_HANDLE=your-handle.bsky.social
-REPO_SIGNING_KEY=<base64-key-from-step-1>
-# Optional: publish raw 32-byte public key in did.json
-REPO_SIGNING_KEY_PUBLIC=<base64-raw-public-key>
+REPO_SIGNING_KEY=<hex-secp256k1-private-key>
 USER_PASSWORD=your-password
 REFRESH_TOKEN=your-access-secret
 REFRESH_TOKEN_SECRET=your-refresh-secret
@@ -458,7 +451,7 @@ curl "http://localhost:4321/xrpc/com.atproto.repo.listRecords?repo=did:example:s
 - [`PROGRESS.md`](PROGRESS.md) - Development progress notes
 
 Repo signing key (REQUIRED)
-- Generate an Ed25519 signing key: `bun run scripts/generate-signing-key.ts`
+  
 - Store as `REPO_SIGNING_KEY` secret (base64-encoded private key)
 
 ## P1 Implementation - Production Readiness 🚀
@@ -470,7 +463,7 @@ This PDS now includes production-grade features for security, observability, and
 - ✅ **Token rotation** on every refresh
 - ✅ **Automatic token cleanup** (lazy cleanup on 1% of requests)
 - ✅ **Account lockout** after 5 failed login attempts (15-minute lockout)
-- ✅ **EdDSA (Ed25519) JWT signing** support (in addition to HS256)
+  
 - ✅ **Proper JWT claims**: `sub`, `aud`, `iat`, `exp`, `jti`, `scope`
 - ✅ **Production CORS validation** (no wildcard in production)
 
@@ -490,15 +483,11 @@ This PDS now includes production-grade features for security, observability, and
 
 **JWT Configuration:**
 ```bash
-# Algorithm selection (HS256 or EdDSA)
+# Service-auth uses ES256K (secp256k1) exclusively
 PDS_HOSTNAME=your-pds.example.com
 PDS_ACCESS_TTL_SEC=3600          # 1 hour
 PDS_REFRESH_TTL_SEC=2592000      # 30 days
-JWT_ALGORITHM=HS256              # or EdDSA
-
-# For EdDSA (optional)
-JWT_ED25519_PRIVATE_KEY=<base64-encoded-key>
-JWT_ED25519_PUBLIC_KEY=<base64-encoded-key>
+# No JWT_ALGORITHM flag; ES256K is always used for AppView service tokens
 ```
 
 **CORS Configuration:**
@@ -560,7 +549,7 @@ Returns `503` if any dependency is unhealthy.
 
 1. **Never use wildcard CORS in production** - Set explicit origins in `PDS_CORS_ORIGIN`
 2. **Use strong secrets** - Generate cryptographically secure values for all secrets
-3. **Enable EdDSA signing** - More secure than HS256 for production
+3. **Use ES256K (secp256k1) signing**
 4. **Monitor failed login attempts** - Check logs for suspicious activity
 5. **Set appropriate token TTLs** - Balance security and user experience
 

package/index.js

@@ -36,6 +36,7 @@ const CORE_ROUTES = [
   { pattern: '/xrpc/com.atproto.sync.getLatestCommit', entrypoint: './src/pages/xrpc/com.atproto.sync.getLatestCommit.ts' },
   { pattern: '/xrpc/com.atproto.sync.getRecord', entrypoint: './src/pages/xrpc/com.atproto.sync.getRecord.ts' },
   { pattern: '/xrpc/com.atproto.sync.getRepo', entrypoint: './src/pages/xrpc/com.atproto.sync.getRepo.ts' },
+  { pattern: '/xrpc/com.atproto.sync.getRepoStatus', entrypoint: './src/pages/xrpc/com.atproto.sync.getRepoStatus.ts' },
   { pattern: '/xrpc/com.atproto.sync.getRepo.json', entrypoint: './src/pages/xrpc/com.atproto.sync.getRepo.json.ts' },
   { pattern: '/xrpc/com.atproto.sync.getRepo.range', entrypoint: './src/pages/xrpc/com.atproto.sync.getRepo.range.ts' },
   { pattern: '/xrpc/com.atproto.sync.listBlobs', entrypoint: './src/pages/xrpc/com.atproto.sync.listBlobs.ts' },
@@ -43,22 +44,14 @@ const CORE_ROUTES = [
   // Additional atproto endpoints
   { pattern: '/xrpc/com.atproto.identity.signPlcOperation', entrypoint: './src/pages/xrpc/com.atproto.identity.signPlcOperation.ts' },
   { pattern: '/xrpc/com.atproto.server.getServiceAuth', entrypoint: './src/pages/xrpc/com.atproto.server.getServiceAuth.ts' },
-  // AppView proxy endpoints (bsky)
-  { pattern: '/xrpc/app.bsky.actor.getProfile', entrypoint: './src/pages/xrpc/app.bsky.actor.getProfile.ts' },
-  { pattern: '/xrpc/app.bsky.actor.getProfiles', entrypoint: './src/pages/xrpc/app.bsky.actor.getProfiles.ts' },
+  // AppView proxy endpoints (bsky) — local-only where required
   { pattern: '/xrpc/app.bsky.actor.getPreferences', entrypoint: './src/pages/xrpc/app.bsky.actor.getPreferences.ts' },
   { pattern: '/xrpc/app.bsky.actor.putPreferences', entrypoint: './src/pages/xrpc/app.bsky.actor.putPreferences.ts' },
-  { pattern: '/xrpc/app.bsky.feed.getAuthorFeed', entrypoint: './src/pages/xrpc/app.bsky.feed.getAuthorFeed.ts' },
-  { pattern: '/xrpc/app.bsky.feed.getPostThread', entrypoint: './src/pages/xrpc/app.bsky.feed.getPostThread.ts' },
-  { pattern: '/xrpc/app.bsky.feed.getPosts', entrypoint: './src/pages/xrpc/app.bsky.feed.getPosts.ts' },
-  { pattern: '/xrpc/app.bsky.feed.getTimeline', entrypoint: './src/pages/xrpc/app.bsky.feed.getTimeline.ts' },
-  { pattern: '/xrpc/app.bsky.graph.getFollowers', entrypoint: './src/pages/xrpc/app.bsky.graph.getFollowers.ts' },
-  { pattern: '/xrpc/app.bsky.graph.getFollows', entrypoint: './src/pages/xrpc/app.bsky.graph.getFollows.ts' },
   { pattern: '/xrpc/app.bsky.labeler.getServices', entrypoint: './src/pages/xrpc/app.bsky.labeler.getServices.ts' },
-  { pattern: '/xrpc/app.bsky.notification.getUnreadCount', entrypoint: './src/pages/xrpc/app.bsky.notification.getUnreadCount.ts' },
-  { pattern: '/xrpc/app.bsky.notification.listNotifications', entrypoint: './src/pages/xrpc/app.bsky.notification.listNotifications.ts' },
   { pattern: '/xrpc/app.bsky.unspecced.getAgeAssuranceState', entrypoint: './src/pages/xrpc/app.bsky.unspecced.getAgeAssuranceState.ts' },
   { pattern: '/xrpc/app.bsky.unspecced.getConfig', entrypoint: './src/pages/xrpc/app.bsky.unspecced.getConfig.ts' },
+  // Catchall for proxied XRPC endpoints (app.bsky.*, chat.bsky.*, tools.ozone.*)
+  { pattern: '/xrpc/[...nsid]', entrypoint: './src/pages/xrpc/[...nsid].ts' },
   // Chat endpoints (proxied)
   { pattern: '/xrpc/chat.bsky.convo.getLog', entrypoint: './src/pages/xrpc/chat.bsky.convo.getLog.ts' },
   { pattern: '/xrpc/chat.bsky.convo.listConvos', entrypoint: './src/pages/xrpc/chat.bsky.convo.listConvos.ts' },
@@ -75,6 +68,7 @@ const DEBUG_ROUTES = [
   { pattern: '/debug/db/commits', entrypoint: './src/pages/debug/db/commits.ts' },
   { pattern: '/debug/gc/blobs', entrypoint: './src/pages/debug/gc/blobs.ts' },
   { pattern: '/debug/record', entrypoint: './src/pages/debug/record.ts' },
+  { pattern: '/debug/sequencer', entrypoint: './src/pages/debug/sequencer.ts' },
 ];
 
 const pkgRoot = new URL('.', import.meta.url);
@@ -133,23 +127,35 @@ export default function alteran(options = {}) {
           enforce: 'post',
           apply: 'build',
           transform(code, id) {
-            if (!id.includes('@astrojs-ssr-virtual-entry')) return null;
-            if (!code.includes('const _exports = createExports')) return null;
-            if (code.includes("const Sequencer = _exports['Sequencer'];")) return null;
-
-            const replacedInit = code.replace(
-              'const __astrojsSsrVirtualEntry = _exports.default;',
-              "const Sequencer = _exports['Sequencer'];\nconst __astrojsSsrVirtualEntry = _exports.default;"
-            );
-
-            if (replacedInit === code) return null;
-
-            const replacedExport = replacedInit.replace(
-              'export { __astrojsSsrVirtualEntry as default, pageMap };',
-              'export { Sequencer, __astrojsSsrVirtualEntry as default, pageMap };'
-            );
-
-            return { code: replacedExport, map: null };
+            if (code.includes("_exports['Sequencer']") || code.includes('_exports.Sequencer')) {
+              return null;
+            }
+
+            // Astro 6: virtual:astro:legacy-ssr-entry — the resolved id is `\0virtual:astro:legacy-ssr-entry`.
+            // The body is a thin wrapper that re-exports `_exports.default`; we tack on a named Sequencer export.
+            if (id.includes('virtual:astro:legacy-ssr-entry')) {
+              return {
+                code: `${code}\nexport const Sequencer = _exports['Sequencer'];\n`,
+                map: null,
+              };
+            }
+
+            // Astro 5: @astrojs-ssr-virtual-entry — the body assigns `_exports` and exports a default; patch both.
+            if (id.includes('@astrojs-ssr-virtual-entry')) {
+              if (!code.includes('const _exports = createExports')) return null;
+              const withSequencer = code.replace(
+                'const __astrojsSsrVirtualEntry = _exports.default;',
+                "const Sequencer = _exports['Sequencer'];\nconst __astrojsSsrVirtualEntry = _exports.default;",
+              );
+              if (withSequencer === code) return null;
+              const reexported = withSequencer.replace(
+                'export { __astrojsSsrVirtualEntry as default, pageMap };',
+                'export { Sequencer, __astrojsSsrVirtualEntry as default, pageMap };',
+              );
+              return { code: reexported, map: null };
+            }
+
+            return null;
           },
         });
 

package/migrations/0007_bored_spitfire.sql

@@ -0,0 +1,26 @@
+CREATE TABLE `account` (
+	`did` text PRIMARY KEY NOT NULL,
+	`handle` text NOT NULL,
+	`password_scrypt` text,
+	`email` text,
+	`created_at` integer NOT NULL,
+	`updated_at` integer NOT NULL
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX `account_handle_unique` ON `account` (`handle`);--> statement-breakpoint
+CREATE TABLE `refresh_token` (
+	`id` text PRIMARY KEY NOT NULL,
+	`did` text NOT NULL,
+	`expires_at` integer NOT NULL,
+	`app_password_name` text,
+	`next_id` text
+);
+--> statement-breakpoint
+CREATE INDEX `refresh_token_did_idx` ON `refresh_token` (`did`);--> statement-breakpoint
+CREATE TABLE `secret` (
+	`key` text PRIMARY KEY NOT NULL,
+	`value` text NOT NULL,
+	`updated_at` integer NOT NULL
+);
+--> statement-breakpoint
+DROP TABLE `token_revocation`;

package/migrations/0008_furry_ozymandias.sql

@@ -0,0 +1,2 @@
+ALTER TABLE `account_state` ADD `status` text;--> statement-breakpoint
+ALTER TABLE `account_state` ADD `suspended_until` integer;