@alteran/astro 0.3.9 → 0.5.2

package/src/pages/xrpc/com.atproto.repo.applyWrites.ts

@@ -2,9 +2,13 @@ import type { APIContext } from 'astro';
 import { RepoManager } from '../../services/repo-manager';
 import { readJson } from '../../lib/util';
 import { bumpRoot } from '../../db/repo';
-import { isAuthorized, unauthorized } from '../../lib/auth';
+import { verifyResourceRequestHybrid, dpopResourceUnauthorized, handleResourceAuthError } from '../../lib/oauth/resource';
 import { isAccountActive } from '../../db/dal';
 import { checkRate } from '../../lib/ratelimit';
+import { notifySequencer } from '../../lib/sequencer';
+import { encodeBlocksForCommit } from '../../services/car';
+import { CID } from 'multiformats/cid';
+import { putRecord as dalPutRecord } from '../../db/dal';
 
 export const prerender = false;
 
@@ -14,10 +18,17 @@ export const prerender = false;
  */
 export async function POST({ locals, request }: APIContext) {
   const { env } = locals.runtime;
-  if (!(await isAuthorized(request, env))) return unauthorized();
+  try {
+    const auth = await verifyResourceRequestHybrid(env, request);
+    if (!auth) return dpopResourceUnauthorized(env);
+  } catch (error) {
+    const handled = await handleResourceAuthError(env, error);
+    if (handled) return handled;
+    throw error;
+  }
 
   // Check if account is active
-  const did = env.PDS_DID ?? 'did:example:single-user';
+  const did = env.PDS_DID as string;
   const active = await isAccountActive(env, did);
   if (!active) {
     return new Response(
@@ -33,7 +44,12 @@ export async function POST({ locals, request }: APIContext) {
   if (rateLimitResponse) return rateLimitResponse;
 
   try {
-    const body = await readJson(request);
+    const body = (await readJson(request)) as {
+      repo?: string;
+      writes?: unknown[];
+      validate?: boolean;
+      swapCommit?: string;
+    };
     const { repo, writes, validate = true, swapCommit } = body;
 
     if (!writes || !Array.isArray(writes)) {
@@ -44,34 +60,107 @@ export async function POST({ locals, request }: APIContext) {
     }
 
     const repoManager = new RepoManager(env);
-    const results = [];
+    const pdsDid = typeof env.PDS_DID === 'string' ? env.PDS_DID : '';
+    type WriteResult = { $type: string; uri?: string; cid?: string; validationStatus?: string };
+    const results: WriteResult[] = [];
+    // Accumulate ops and new MST blocks for this batch
+    const opsForCommit: { action: 'create'|'update'|'delete'; path: string; cid: import('multiformats/cid').CID | null }[] = [];
+    const newMstBlocksAll: Array<[import('multiformats/cid').CID, Uint8Array]> = [];
+    let firstPrevMst: import('multiformats/cid').CID | null = null;
+    let lastMst: import('../../lib/mst').MST | null = null;
 
+    type WriteOperation = {
+      $type?: string;
+      collection?: string;
+      rkey?: string;
+      value?: Record<string, unknown>;
+    };
     // Apply all writes atomically
-    for (const write of writes) {
+    for (const rawWrite of writes) {
+      const write = rawWrite as WriteOperation;
       const { $type, collection, rkey, value } = write;
+      if (typeof collection !== 'string' || typeof rkey !== 'string') {
+        return new Response(
+          JSON.stringify({
+            error: 'InvalidRequest',
+            message: 'collection and rkey are required strings on every write',
+          }),
+          { status: 400, headers: { 'Content-Type': 'application/json' } },
+        );
+      }
 
       if ($type === 'com.atproto.repo.applyWrites#create') {
-        const { mst, recordCid } = await repoManager.addRecord(collection, rkey, value);
+        const { mst, recordCid, prevMstRoot, newMstBlocks } = await repoManager.addRecord(collection, rkey, value);
+        if (!firstPrevMst) firstPrevMst = prevMstRoot;
+        lastMst = mst;
+        opsForCommit.push({ action: 'create', path: `${collection}/${rkey}`, cid: recordCid });
+        for (const [cid, bytes] of newMstBlocks) newMstBlocksAll.push([cid, bytes]);
+        // Persist JSON for local reads
+        await dalPutRecord(env, {
+          uri: `at://${pdsDid}/${collection}/${rkey}`,
+          did: pdsDid,
+          cid: recordCid.toString(),
+          json: JSON.stringify(value),
+        });
         results.push({
+          $type: 'com.atproto.repo.applyWrites#createResult',
           uri: `at://${repo}/${collection}/${rkey}`,
           cid: recordCid.toString(),
+          validationStatus: 'valid',
         });
       } else if ($type === 'com.atproto.repo.applyWrites#update') {
-        const { mst, recordCid } = await repoManager.updateRecord(collection, rkey, value);
+        const { mst, recordCid, prevMstRoot, newMstBlocks } = await repoManager.updateRecord(collection, rkey, value);
+        if (!firstPrevMst) firstPrevMst = prevMstRoot;
+        lastMst = mst;
+        opsForCommit.push({ action: 'update', path: `${collection}/${rkey}`, cid: recordCid });
+        for (const [cid, bytes] of newMstBlocks) newMstBlocksAll.push([cid, bytes]);
+        await dalPutRecord(env, {
+          uri: `at://${pdsDid}/${collection}/${rkey}`,
+          did: pdsDid,
+          cid: recordCid.toString(),
+          json: JSON.stringify(value),
+        });
         results.push({
+          $type: 'com.atproto.repo.applyWrites#updateResult',
           uri: `at://${repo}/${collection}/${rkey}`,
           cid: recordCid.toString(),
+          validationStatus: 'valid',
         });
       } else if ($type === 'com.atproto.repo.applyWrites#delete') {
-        await repoManager.deleteRecord(collection, rkey);
+        const { mst, prevMstRoot, newMstBlocks } = await repoManager.deleteRecord(collection, rkey);
+        if (!firstPrevMst) firstPrevMst = prevMstRoot;
+        lastMst = mst;
+        opsForCommit.push({ action: 'delete', path: `${collection}/${rkey}`, cid: null });
+        for (const [cid, bytes] of newMstBlocks) newMstBlocksAll.push([cid, bytes]);
         results.push({
-          uri: `at://${repo}/${collection}/${rkey}`,
+          $type: 'com.atproto.repo.applyWrites#deleteResult',
         });
       }
     }
 
     // Bump repo root to create new commit
-    const { commitCid, rev } = await bumpRoot(env);
+    const currentRoot = lastMst ? await lastMst.getPointer() : undefined;
+    const { commitCid, rev, commitData, sig, blocks } = await bumpRoot(env, firstPrevMst ?? undefined, currentRoot, {
+      ops: opsForCommit,
+      newMstBlocks: newMstBlocksAll,
+    });
+
+    // Notify sequencer about the commit for firehose
+    try {
+      // Prefer commitData/sig/blocks returned by bumpRoot (authoritative)
+      await notifySequencer(env, {
+        did: pdsDid,
+        commitCid,
+        rev,
+        data: commitData,
+        sig,
+        ops: opsForCommit,
+        ...(blocks ? { blocks } : {}),
+      });
+    } catch (error) {
+      console.error('Failed to notify sequencer:', error);
+      // Don't fail the request if sequencer notification fails
+    }
 
     return new Response(
       JSON.stringify({
@@ -85,6 +174,7 @@ export async function POST({ locals, request }: APIContext) {
     );
   } catch (error) {
     console.error('applyWrites error:', error);
+    console.error('Error stack:', error instanceof Error ? error.stack : 'No stack');
     return new Response(
       JSON.stringify({ error: 'InternalServerError', message: String(error) }),
       { status: 500, headers: { 'Content-Type': 'application/json' } }

package/src/pages/xrpc/com.atproto.repo.createRecord.ts

@@ -1,5 +1,6 @@
 import type { APIContext } from 'astro';
-import { isAuthorized, unauthorized } from '../../lib/auth';
+import { errorCode, errorMessage } from '../../lib/errors';
+import { verifyResourceRequestHybrid, dpopResourceUnauthorized, handleResourceAuthError } from '../../lib/oauth/resource';
 import { checkRate } from '../../lib/ratelimit';
 import { readJsonBounded } from '../../lib/util';
 import { RepoManager } from '../../services/repo-manager';
@@ -9,7 +10,14 @@ export const prerender = false;
 
 export async function POST({ locals, request }: APIContext) {
   const { env } = locals.runtime;
-  if (!(await isAuthorized(request, env))) return unauthorized();
+  try {
+    const auth = await verifyResourceRequestHybrid(env, request);
+    if (!auth) return dpopResourceUnauthorized(env);
+  } catch (error) {
+    const handled = await handleResourceAuthError(env, error);
+    if (handled) return handled;
+    throw error;
+  }
 
   const rateLimitResponse = await checkRate(env, request, 'writes');
   if (rateLimitResponse) return rateLimitResponse;
@@ -17,28 +25,50 @@ export async function POST({ locals, request }: APIContext) {
   let body: any;
   try {
     body = await readJsonBounded(env, request);
-  } catch (e: any) {
-    if (e?.code === 'PayloadTooLarge') {
+  } catch (e) {
+    if (errorCode(e) === 'PayloadTooLarge') {
       return new Response(JSON.stringify({ error: 'PayloadTooLarge' }), { status: 413 });
     }
     return new Response(JSON.stringify({ error: 'BadRequest' }), { status: 400 });
   }
-  const { collection, rkey, record } = body ?? {};
+  const { collection, rkey } = body ?? {};
+  let { record } = body ?? {};
   if (!collection || !record) return new Response(JSON.stringify({ error: 'BadRequest' }), { status: 400 });
 
+  // Minimal schema alignment for app.bsky.feed.post: ensure required fields
+  if (collection === 'app.bsky.feed.post' && record && typeof record === 'object') {
+    if (typeof record.text !== 'string') {
+      record.text = '';
+    }
+    if (typeof record.createdAt !== 'string') {
+      record.createdAt = new Date().toISOString();
+    }
+  }
+
   const repo = new RepoManager(env);
-  const commit = await repo.createRecord(collection, record, rkey);
+  const result = await repo.createRecord(collection, record, rkey);
   await notifySequencer(env, {
-    did: env.PDS_DID ?? 'did:example:single-user',
-    commitCid: commit.commitCid,
-    rev: commit.rev,
-    data: commit.commitData,
-    sig: commit.sig,
-    ops: commit.ops,
-    blocks: commit.blocks
+    did: env.PDS_DID as string,
+    commitCid: result.commitCid,
+    rev: result.rev,
+    data: result.commitData,
+    sig: result.sig,
+    ops: result.ops,
+    blocks: result.blocks
   });
 
-  return new Response(JSON.stringify(commit), {
+  // Conform to official PDS response schema
+  const out = {
+    uri: result.uri,
+    cid: result.cid,
+    commit: {
+      cid: result.commitCid,
+      rev: result.rev,
+    },
+    validationStatus: 'unknown' as const,
+  };
+
+  return new Response(JSON.stringify(out), {
     headers: { 'Content-Type': 'application/json' },
   });
 }

package/src/pages/xrpc/com.atproto.repo.deleteRecord.ts

@@ -1,15 +1,24 @@
 import type { APIContext } from 'astro';
-import { isAuthorized, unauthorized } from '../../lib/auth';
+import { errorCode, errorMessage } from '../../lib/errors';
+import { verifyResourceRequestHybrid, dpopResourceUnauthorized, handleResourceAuthError } from '../../lib/oauth/resource';
 import { checkRate } from '../../lib/ratelimit';
 import { readJsonBounded } from '../../lib/util';
 import { RepoManager } from '../../services/repo-manager';
+import { bumpRoot } from '../../db/repo';
 import { notifySequencer } from '../../lib/sequencer';
 
 export const prerender = false;
 
 export async function POST({ locals, request }: APIContext) {
   const { env } = locals.runtime;
-  if (!(await isAuthorized(request, env))) return unauthorized();
+  try {
+    const auth = await verifyResourceRequestHybrid(env, request);
+    if (!auth) return dpopResourceUnauthorized(env);
+  } catch (error) {
+    const handled = await handleResourceAuthError(env, error);
+    if (handled) return handled;
+    throw error;
+  }
 
   const rateLimitResponse = await checkRate(env, request, 'writes');
   if (rateLimitResponse) return rateLimitResponse;
@@ -17,8 +26,8 @@ export async function POST({ locals, request }: APIContext) {
   let body: any;
   try {
     body = await readJsonBounded(env, request);
-  } catch (e: any) {
-    if (e?.code === 'PayloadTooLarge') {
+  } catch (e) {
+    if (errorCode(e) === 'PayloadTooLarge') {
       return new Response(JSON.stringify({ error: 'PayloadTooLarge' }), { status: 413 });
     }
     return new Response(JSON.stringify({ error: 'BadRequest' }), { status: 400 });
@@ -27,18 +36,37 @@ export async function POST({ locals, request }: APIContext) {
   if (!collection || !rkey) return new Response(JSON.stringify({ error: 'BadRequest' }), { status: 400 });
 
   const repo = new RepoManager(env);
-  const commit = await repo.deleteRecord(collection, rkey);
+  // Perform the delete in the MST, gather prev/new roots & new blocks
+  const { mst, prevMstRoot, uri, newMstBlocks } = await repo.deleteRecord(collection, rkey);
+
+  // Build ops & bump the repo root to create a signed commit
+  const currentRoot = await mst.getPointer();
+  const opsForCommit = [{ action: 'delete' as const, path: `${collection}/${rkey}`, cid: null }];
+  const { commitCid, rev, commitData, sig, blocks } = await bumpRoot(env, prevMstRoot ?? undefined, currentRoot, {
+    ops: opsForCommit,
+    newMstBlocks: Array.from(newMstBlocks),
+  });
+
+  // Notify sequencer with a complete payload matching handleCommitNotification
   await notifySequencer(env, {
-    did: env.PDS_DID ?? 'did:example:single-user',
-    commitCid: commit.commitCid,
-    rev: commit.rev,
-    data: commit.commitData,
-    sig: commit.sig,
-    ops: commit.ops,
-    blocks: commit.blocks
+    did: env.PDS_DID as string,
+    commitCid,
+    rev,
+    data: commitData,
+    sig,
+    ops: opsForCommit,
+    blocks,
   });
 
-  return new Response(JSON.stringify(commit), {
+  // Respond with official schema
+  const out = {
+    commit: {
+      cid: commitCid,
+      rev,
+    },
+  };
+
+  return new Response(JSON.stringify(out), {
     headers: { 'Content-Type': 'application/json' },
   });
 }

package/src/pages/xrpc/com.atproto.repo.describeRepo.ts

@@ -10,8 +10,8 @@ export const prerender = false;
 export async function GET({ locals, url }: APIContext) {
   const { env } = locals.runtime;
 
-  const repo = url.searchParams.get('repo') || env.PDS_DID || 'did:example:single-user';
-  const did = env.PDS_DID || 'did:example:single-user';
+  const repo = url.searchParams.get('repo') || (env.PDS_DID as string);
+  const did = env.PDS_DID as string;
   const handle = env.PDS_HANDLE || 'user.example.com';
 
   // Get repo root to check if repo exists

package/src/pages/xrpc/com.atproto.repo.getRecord.ts

@@ -1,5 +1,6 @@
 import type { APIContext } from 'astro';
 import { getRecord as dalGetRecord } from '../../db/dal';
+import { proxyAppView } from '../../lib/appview';
 
 export const prerender = false;
 
@@ -8,7 +9,7 @@ export async function GET({ locals, request }: APIContext) {
   const url = new URL(request.url);
   let uri = url.searchParams.get('uri');
   if (!uri) {
-    const repo = url.searchParams.get('repo') ?? (env.PDS_DID ?? 'did:example:single-user');
+    const repo = url.searchParams.get('repo') ?? (env.PDS_DID as string);
     const collection = url.searchParams.get('collection');
     const rkey = url.searchParams.get('rkey');
     if (repo && collection && rkey) uri = `at://${repo}/${collection}/${rkey}`;
@@ -16,6 +17,18 @@ export async function GET({ locals, request }: APIContext) {
 
   if (!uri) return new Response(JSON.stringify({ error: 'BadRequest', message: 'query param uri required' }), { status: 400 });
 
+  // If the repo is not hosted here, proxy to AppView like upstream PDS does
+  const localDid = env.PDS_DID || '';
+  const repoParam = url.searchParams.get('repo') || '';
+  let repoDid = repoParam;
+  if (!repoDid && uri.startsWith('at://')) {
+    const m = uri.match(/^at:\/\/([^/]+)\//);
+    if (m) repoDid = m[1];
+  }
+  if (repoDid && localDid && repoDid !== localDid) {
+    return proxyAppView({ request, env, lxm: 'com.atproto.repo.getRecord' });
+  }
+
   const row = await dalGetRecord(env, uri);
   if (!row) return new Response(JSON.stringify({ error: 'NotFound' }), { status: 404 });
 

package/src/pages/xrpc/com.atproto.repo.listMissingBlobs.ts

@@ -1,5 +1,6 @@
 import type { APIContext } from 'astro';
-import { isAuthorized, unauthorized } from '../../lib/auth';
+import { errorMessage } from '../../lib/errors';
+import { AuthTokenExpiredError, expiredToken, isAuthorized, unauthorized } from '../../lib/auth';
 import { getDb } from '../../db/client';
 import { record, blob_ref } from '../../db/schema';
 import { eq } from 'drizzle-orm';
@@ -16,10 +17,17 @@ export const prerender = false;
 export async function GET({ locals, request, url }: APIContext) {
   const { env } = locals.runtime;
 
-  if (!(await isAuthorized(request, env))) return unauthorized();
+  try {
+    if (!(await isAuthorized(request, env))) return unauthorized();
+  } catch (error) {
+    if (error instanceof AuthTokenExpiredError) {
+      return expiredToken();
+    }
+    throw error;
+  }
 
   try {
-    const did = env.PDS_DID ?? 'did:example:single-user';
+    const did = String(env.PDS_DID ?? 'did:example:single-user');
     const limit = parseInt(url.searchParams.get('limit') || '500');
     const cursor = url.searchParams.get('cursor') || '';
 
@@ -76,13 +84,13 @@ export async function GET({ locals, request, url }: APIContext) {
       }),
       { status: 200, headers: { 'Content-Type': 'application/json' } }
     );
-  } catch (error: any) {
+  } catch (error) {
     return new Response(
       JSON.stringify({
         error: 'InternalServerError',
-        message: error.message || 'Failed to list missing blobs'
+        message: errorMessage(error) || 'Failed to list missing blobs'
       }),
       { status: 500, headers: { 'Content-Type': 'application/json' } }
     );
   }
-}
+}

package/src/pages/xrpc/com.atproto.repo.listRecords.ts

@@ -10,7 +10,7 @@ export const prerender = false;
 export async function GET({ locals, url }: APIContext) {
   const { env } = locals.runtime;
 
-  const repo = url.searchParams.get('repo') || env.PDS_DID || 'did:example:single-user';
+  const repo = url.searchParams.get('repo') || (env.PDS_DID as string);
   const collection = url.searchParams.get('collection');
   const limit = parseInt(url.searchParams.get('limit') || '50', 10);
   const cursor = url.searchParams.get('cursor') || undefined;

package/src/pages/xrpc/com.atproto.repo.putRecord.ts

@@ -1,5 +1,6 @@
 import type { APIContext } from 'astro';
-import { isAuthorized, unauthorized } from '../../lib/auth';
+import { errorCode, errorMessage } from '../../lib/errors';
+import { verifyResourceRequestHybrid, dpopResourceUnauthorized, handleResourceAuthError } from '../../lib/oauth/resource';
 import { checkRate } from '../../lib/ratelimit';
 import { readJsonBounded } from '../../lib/util';
 import { RepoManager } from '../../services/repo-manager';
@@ -9,7 +10,14 @@ export const prerender = false;
 
 export async function POST({ locals, request }: APIContext) {
   const { env } = locals.runtime;
-  if (!(await isAuthorized(request, env))) return unauthorized();
+  try {
+    const auth = await verifyResourceRequestHybrid(env, request);
+    if (!auth) return dpopResourceUnauthorized(env);
+  } catch (error) {
+    const handled = await handleResourceAuthError(env, error);
+    if (handled) return handled;
+    throw error;
+  }
 
   const rateLimitResponse = await checkRate(env, request, 'writes');
   if (rateLimitResponse) return rateLimitResponse;
@@ -17,28 +25,48 @@ export async function POST({ locals, request }: APIContext) {
   let body: any;
   try {
     body = await readJsonBounded(env, request);
-  } catch (e: any) {
-    if (e?.code === 'PayloadTooLarge') {
+  } catch (e) {
+    if (errorCode(e) === 'PayloadTooLarge') {
       return new Response(JSON.stringify({ error: 'PayloadTooLarge' }), { status: 413 });
     }
     return new Response(JSON.stringify({ error: 'BadRequest' }), { status: 400 });
   }
-  const { collection, rkey, record } = body ?? {};
+  const { collection, rkey } = body ?? {};
+  let { record } = body ?? {};
   if (!collection || !rkey || !record) return new Response(JSON.stringify({ error: 'BadRequest' }), { status: 400 });
 
+  if (collection === 'app.bsky.feed.post' && record && typeof record === 'object') {
+    if (typeof record.text !== 'string') {
+      record.text = '';
+    }
+    if (typeof record.createdAt !== 'string') {
+      record.createdAt = new Date().toISOString();
+    }
+  }
+
   const repo = new RepoManager(env);
-  const commit = await repo.putRecord(collection, rkey, record);
+  const result = await repo.putRecord(collection, rkey, record);
   await notifySequencer(env, {
-    did: env.PDS_DID ?? 'did:example:single-user',
-    commitCid: commit.commitCid,
-    rev: commit.rev,
-    data: commit.commitData,
-    sig: commit.sig,
-    ops: commit.ops,
-    blocks: commit.blocks
+    did: env.PDS_DID as string,
+    commitCid: result.commitCid,
+    rev: result.rev,
+    data: result.commitData,
+    sig: result.sig,
+    ops: result.ops,
+    blocks: result.blocks
   });
 
-  return new Response(JSON.stringify(commit), {
+  const out = {
+    uri: result.uri,
+    cid: result.cid,
+    commit: {
+      cid: result.commitCid,
+      rev: result.rev,
+    },
+    validationStatus: 'unknown' as const,
+  };
+
+  return new Response(JSON.stringify(out), {
     headers: { 'Content-Type': 'application/json' },
   });
 }

package/src/pages/xrpc/com.atproto.repo.uploadBlob.ts

@@ -1,16 +1,48 @@
 import type { APIContext } from 'astro';
-import { isAuthorized, unauthorized } from '../../lib/auth';
+import { errorMessage } from '../../lib/errors';
+import { verifyResourceRequestHybrid, dpopResourceUnauthorized, handleResourceAuthError } from '../../lib/oauth/resource';
+import { verifyServiceAuth, isServiceAuthToken } from '../../lib/service-auth';
 import { checkRate } from '../../lib/ratelimit';
-import { isAllowedMime } from '../../lib/util';
+import { isAllowedMime, sniffMime, baseMime } from '../../lib/util';
 import { R2BlobStore } from '../../services/r2-blob-store';
 import { putBlobRef, checkBlobQuota, updateBlobQuota, isAccountActive } from '../../db/dal';
 import { resolveSecret } from '../../lib/secrets';
+import { CID } from 'multiformats/cid';
+import { sha256 } from 'multiformats/hashes/sha2';
 
 export const prerender = false;
 
 export async function POST({ locals, request }: APIContext) {
   const { env } = locals.runtime;
-  if (!(await isAuthorized(request, env))) return unauthorized();
+  
+  // Check if this is a service auth request (from video.bsky.app, etc.)
+  const authHeader = request.headers.get('authorization');
+  const token = authHeader?.startsWith('Bearer ') ? authHeader.slice(7).trim() : null;
+  
+  let isServiceAuth = false;
+  if (token && isServiceAuthToken(token)) {
+    const serviceAuth = await verifyServiceAuth(env, request);
+    if (serviceAuth) {
+      isServiceAuth = true;
+    } else {
+      return new Response(
+        JSON.stringify({ error: 'AuthRequired', message: 'Invalid service auth token' }),
+        { status: 401, headers: { 'Content-Type': 'application/json' } }
+      );
+    }
+  }
+
+  // If not service auth, verify as user request
+  if (!isServiceAuth) {
+    try {
+      const auth = await verifyResourceRequestHybrid(env, request);
+      if (!auth) return dpopResourceUnauthorized(env);
+    } catch (error) {
+      const handled = await handleResourceAuthError(env, error);
+      if (handled) return handled;
+      throw error;
+    }
+  }
 
   // Get DID from environment (single-user PDS)
   const did = (await resolveSecret(env.PDS_DID)) ?? 'did:example:single-user';
@@ -30,12 +62,29 @@ export async function POST({ locals, request }: APIContext) {
   const rateLimitResponse = await checkRate(env, request, 'blob');
   if (rateLimitResponse) return rateLimitResponse;
 
-  const buf = await request.arrayBuffer();
-  const contentType = request.headers.get('content-type') ?? 'application/octet-stream';
+  // Decompress if Content-Encoding is present (some clients may compress uploads)
+  const enc = (request.headers.get('content-encoding') || '').toLowerCase();
+  let buf: ArrayBuffer;
+  if (enc && (enc === 'gzip' || enc === 'br' || enc === 'deflate')) {
+    try {
+      // @ts-ignore: DecompressionStream is available in CF Workers runtime
+      const ds = new DecompressionStream(enc);
+      const decompressed = request.body?.pipeThrough(ds);
+      buf = await new Response(decompressed).arrayBuffer();
+    } catch {
+      // Fallback to raw body if decompression not supported
+      buf = await request.arrayBuffer();
+    }
+  } else {
+    buf = await request.arrayBuffer();
+  }
+  const headerMime = baseMime(request.headers.get('content-type'));
+  const sniffed = sniffMime(buf);
+  // Prefer sniffed MIME like upstream PDS; fall back to header
+  const contentType = sniffed || headerMime;
 
   // Skip MIME type validation during migration - accept all types
-  // Uncomment the line below to re-enable MIME type restrictions after migration
-  // if (!isAllowedMime(env, contentType)) return new Response(JSON.stringify({ error: 'UnsupportedMediaType' }), { status: 415 });
+  // Uncomment to enforce: if (!isAllowedMime(env, contentType)) return new Response(JSON.stringify({ error: 'UnsupportedMediaType' }), { status: 415 });
 
   // Check quota before upload
   const canUpload = await checkBlobQuota(env, did, buf.byteLength);
@@ -51,19 +100,31 @@ export async function POST({ locals, request }: APIContext) {
 
   const store = new R2BlobStore(env);
   try {
-    const res = await store.put(buf, { contentType });
+    const response = await store.put(buf, { contentType });
+
+    // Compute a CIDv1 (raw) for the blob so clients receive a valid CID link
+    const digest = await sha256.digest(new Uint8Array(buf));
+    const cid = CID.createV1(0x55, digest); // 0x55 = raw codec
+    const cidStr = cid.toString();
 
     // Register blob ref with CID-based key
-    await putBlobRef(env, did, res.sha256, res.key, contentType, res.size);
+    await putBlobRef(env, did, cidStr, response.key, contentType, response.size);
 
     // Update quota
-    await updateBlobQuota(env, did, res.size, 1);
+    await updateBlobQuota(env, did, response.size, 1);
+
+    // Mirror upstream shape exactly; helpful debugging header
+    // Conform to lexicon: blob object must include $type: 'blob'
+    const body = { blob: { $type: 'blob', ref: { $link: cidStr }, mimeType: contentType, size: response.size } };
+    const headers: Record<string, string> = { 'Content-Type': 'application/json' };
+    // Debug-only headers (safe for clients to ignore)
+    headers['x-sniffed-mime'] = sniffed || '';
+    headers['x-header-mime'] = headerMime;
+    if (enc) headers['x-upload-encoding'] = enc;
 
-    return new Response(JSON.stringify({ blob: { ref: { $link: res.key }, mimeType: contentType, size: res.size } }), {
-      headers: { 'Content-Type': 'application/json' },
-    });
-  } catch (e: any) {
-    if (String(e.message || '').startsWith('BlobTooLarge')) return new Response(JSON.stringify({ error: 'PayloadTooLarge' }), { status: 413 });
+    return new Response(JSON.stringify(body), { headers });
+  } catch (e) {
+    if (String(errorMessage(e) || '').startsWith('BlobTooLarge')) return new Response(JSON.stringify({ error: 'PayloadTooLarge' }), { status: 413 });
     return new Response(JSON.stringify({ error: 'UploadFailed' }), { status: 500 });
   }
 }