@alteran/astro 0.3.9 → 0.5.2

package/src/pages/xrpc/com.atproto.server.checkAccountStatus.ts

@@ -1,6 +1,8 @@
 import type { APIContext } from 'astro';
-import { isAuthorized, unauthorized } from '../../lib/auth';
+import { errorMessage } from '../../lib/errors';
+import { AuthTokenExpiredError, expiredToken, isAuthorized, unauthorized } from '../../lib/auth';
 import { getAccountState } from '../../db/dal';
+import { toWireStatus } from '../../lib/account-state';
 import { getDb } from '../../db/client';
 import { repo_root, record, blob_ref, commit_log } from '../../db/schema';
 import { eq, count } from 'drizzle-orm';
@@ -20,15 +22,24 @@ export const prerender = false;
 export async function GET({ locals, request }: APIContext) {
   const { env } = locals.runtime;
 
-  if (!(await isAuthorized(request, env))) return unauthorized();
+  try {
+    if (!(await isAuthorized(request, env))) return unauthorized();
+  } catch (error) {
+    if (error instanceof AuthTokenExpiredError) {
+      return expiredToken();
+    }
+    throw error;
+  }
 
   try {
-    const did = env.PDS_DID ?? 'did:example:single-user';
+    const did = String(env.PDS_DID ?? 'did:example:single-user');
     const db = getDb(env);
 
-    // Get account state
+    // Get account state. No row means an unmigrated account, treated as active
+    // for backward compatibility.
     const accountState = await getAccountState(env, did);
-    const active = accountState?.active ?? true;
+    const wire = accountState ? toWireStatus(accountState) : { active: true };
+    const { active, status } = wire;
 
     // Get repo head
     const repoRoot = await db
@@ -65,6 +76,7 @@ export async function GET({ locals, request }: APIContext) {
       JSON.stringify({
         did,
         active,
+        ...(status ? { status } : {}),
         head: repoRoot?.commitCid ?? null,
         rev: repoRoot?.rev ?? 0,
         recordCount,
@@ -80,13 +92,13 @@ export async function GET({ locals, request }: APIContext) {
       }),
       { status: 200, headers: { 'Content-Type': 'application/json' } }
     );
-  } catch (error: any) {
+  } catch (error) {
     return new Response(
       JSON.stringify({
         error: 'InternalServerError',
-        message: error.message || 'Failed to check account status'
+        message: errorMessage(error) || 'Failed to check account status'
       }),
       { status: 500, headers: { 'Content-Type': 'application/json' } }
     );
   }
-}
+}

package/src/pages/xrpc/com.atproto.server.createSession.ts

@@ -7,6 +7,7 @@ import { createAccount, getAccountByIdentifier, storeRefreshToken } from '../../
 import { hashPassword, verifyPassword } from '../../lib/password';
 import { issueSessionTokens } from '../../lib/session-tokens';
 import { getRuntimeString } from '../../lib/secrets';
+import { buildDidDocument } from '../../lib/did-document';
 
 export const prerender = false;
 
@@ -33,23 +34,28 @@ export async function POST({ locals, request }: APIContext) {
     );
   }
 
-  const body = await readJson(request).catch(() => ({ identifier: '', password: '' }));
-  const identifier = typeof body.identifier === 'string' && body.identifier ? body.identifier : (await getRuntimeString(env, 'PDS_HANDLE', 'user.example'));
+  const rawBody = await readJson(request).catch(() => ({}));
+  const body = (rawBody ?? {}) as { identifier?: unknown; password?: unknown };
+  const identifier: string =
+    typeof body.identifier === 'string' && body.identifier
+      ? body.identifier
+      : (await getRuntimeString(env, 'PDS_HANDLE', 'user.example')) ?? 'user.example';
   const password = typeof body.password === 'string' ? body.password : '';
 
-  let account = await getAccountByIdentifier(env, identifier ?? '');
+  let account = await getAccountByIdentifier(env, identifier);
   if (!account) {
     const fallbackPassword = await getRuntimeString(env, 'USER_PASSWORD', '');
     if (fallbackPassword) {
-      const fallbackDid = await getRuntimeString(env, 'PDS_DID', 'did:example:single-user');
-      const fallbackHandle = await getRuntimeString(env, 'PDS_HANDLE', identifier);
+      const fallbackDid =
+        (await getRuntimeString(env, 'PDS_DID', 'did:example:single-user')) ?? 'did:example:single-user';
+      const fallbackHandle = (await getRuntimeString(env, 'PDS_HANDLE', identifier)) ?? identifier;
       const hashed = await hashPassword(fallbackPassword);
       await createAccount(env, {
         did: fallbackDid,
         handle: fallbackHandle,
         passwordScrypt: hashed,
       });
-      account = await getAccountByIdentifier(env, identifier ?? '');
+      account = await getAccountByIdentifier(env, identifier);
     }
   }
   const passwordHash = account?.passwordScrypt ?? null;
@@ -102,8 +108,8 @@ export async function POST({ locals, request }: APIContext) {
     await db.delete(login_attempts).where(eq(login_attempts.ip, clientIp)).run();
   }
 
-  const did = account?.did ?? (await getRuntimeString(env, 'PDS_DID', 'did:example:single-user'));
-  const handle = account?.handle ?? (await getRuntimeString(env, 'PDS_HANDLE', identifier ?? 'user.example'));
+  const did = (account?.did ?? (await getRuntimeString(env, 'PDS_DID', 'did:example:single-user')) ?? 'did:example:single-user');
+  const handle = (account?.handle ?? (await getRuntimeString(env, 'PDS_HANDLE', identifier ?? 'user.example')) ?? (identifier ?? 'user.example'));
 
   const { accessJwt, refreshJwt, refreshPayload, refreshExpiry } = await issueSessionTokens(env, did);
 
@@ -114,7 +120,21 @@ export async function POST({ locals, request }: APIContext) {
     appPasswordName: null,
   });
 
-  return new Response(JSON.stringify({ did, handle, accessJwt, refreshJwt }), {
-    headers: { 'Content-Type': 'application/json' },
-  });
+  // Build didDoc for the response (required by official API contract)
+  const didDoc = await buildDidDocument(env, did, handle);
+
+  const email = account?.email ?? (env.PDS_EMAIL as string | undefined);
+
+  return new Response(
+    JSON.stringify({
+      did,
+      didDoc,
+      handle,
+      accessJwt,
+      refreshJwt,
+      active: true,
+      ...(email ? { email, emailConfirmed: true, emailAuthFactor: false } : {}),
+    }),
+    { headers: { 'Content-Type': 'application/json' } },
+  );
 }

package/src/pages/xrpc/com.atproto.server.describeServer.ts

@@ -5,7 +5,7 @@ export const prerender = false;
 
 export function GET({ locals }: APIContext) {
   const { env } = locals.runtime;
-  const did = typeof env.PDS_DID === 'string' ? env.PDS_DID : 'did:example:single-user';
+  const did = env.PDS_DID as string;
   const availableUserDomains: string[] = [];
 
   const links = typeof env.PDS_LINK_PRIVACY === 'string' || typeof env.PDS_LINK_TOS === 'string'

package/src/pages/xrpc/com.atproto.server.getServiceAuth.ts

@@ -1,13 +1,20 @@
 import type { APIContext } from 'astro';
-import { authenticateRequest, unauthorized } from '../../lib/auth';
+import { verifyResourceRequestHybrid, dpopResourceUnauthorized, handleResourceAuthError } from '../../lib/oauth/resource';
 import { createServiceAuthToken } from '../../lib/appview';
 
 export const prerender = false;
 
 export async function GET({ locals, request }: APIContext) {
   const { env } = locals.runtime;
-  const auth = await authenticateRequest(request, env);
-  if (!auth) return unauthorized();
+  let auth: { did: string; token: string } | null = null;
+  try {
+    auth = await verifyResourceRequestHybrid(env, request);
+    if (!auth) return dpopResourceUnauthorized(env);
+  } catch (error) {
+    const handled = await handleResourceAuthError(env, error);
+    if (handled) return handled;
+    throw error;
+  }
 
   const url = new URL(request.url);
   const audienceParam = url.searchParams.get('aud');
@@ -50,11 +57,11 @@ export async function GET({ locals, request }: APIContext) {
   }
 
   try {
-    const token = await createServiceAuthToken(env, auth.claims.sub, audience, lexiconMethod, expiresIn);
+    const token = await createServiceAuthToken(env, auth.did, audience, lexiconMethod, expiresIn);
     return new Response(JSON.stringify({ token }), {
       headers: { 'Content-Type': 'application/json' },
     });
-  } catch (error: any) {
+  } catch (error) {
     console.error('service auth error:', error);
     return new Response(JSON.stringify({ error: 'InternalServerError' }), {
       status: 500,

package/src/pages/xrpc/com.atproto.server.getSession.ts

@@ -1,4 +1,6 @@
 import type { APIContext } from 'astro';
+import { AuthTokenExpiredError, authenticateRequest, expiredToken, unauthorized } from '../../lib/auth';
+import { getAccountByIdentifier } from '../../db/account';
 
 export const prerender = false;
 
@@ -6,20 +8,32 @@ export const prerender = false;
  * com.atproto.server.getSession
  * Get information about the current session
  */
-export async function GET({ locals }: APIContext) {
+export async function GET({ locals, request }: APIContext) {
   const { env } = locals.runtime;
 
-  // TODO: Implement proper session validation from Authorization header
-  // For now, return basic session info for single-user PDS
+  // Validate the access token
+  let authContext;
+  try {
+    authContext = await authenticateRequest(request, env);
+  } catch (error) {
+    if (error instanceof AuthTokenExpiredError) {
+      return expiredToken();
+    }
+    throw error;
+  }
+  if (!authContext) {
+    return unauthorized();
+  }
 
-  const did = env.PDS_DID ?? 'did:example:single-user';
-  const handle = env.PDS_HANDLE ?? 'user.example.com';
+  const did = authContext.claims.sub;
+  const account = await getAccountByIdentifier(env, did);
+  const handle = account?.handle ?? (env.PDS_HANDLE as string) ?? 'user.example.com';
 
   return new Response(
     JSON.stringify({
       did,
       handle,
-      email: 'user@example.com', // Single-user PDS doesn't have email
+      email: account?.email ?? (env.PDS_EMAIL as string | undefined) ?? 'user@example.com',
       emailConfirmed: true,
       emailAuthFactor: false,
       didDoc: {
@@ -31,7 +45,7 @@ export async function GET({ locals }: APIContext) {
           {
             id: '#atproto_pds',
             type: 'AtprotoPersonalDataServer',
-            serviceEndpoint: `https://${handle}`,
+            serviceEndpoint: `https://${env.PDS_HOSTNAME ?? handle}`,
           },
         ],
       },
@@ -43,4 +57,4 @@ export async function GET({ locals }: APIContext) {
       },
     }
   );
-};
+};

package/src/pages/xrpc/com.atproto.server.refreshSession.ts

@@ -1,90 +1,48 @@
 import type { APIContext } from 'astro';
 import { bearerToken } from '../../lib/util';
 import { lazyCleanupExpiredTokens } from '../../lib/token-cleanup';
-import { getRuntimeString } from '../../lib/secrets';
-import { getAccountByIdentifier, getRefreshToken, markRefreshTokenRotated, storeRefreshToken } from '../../db/account';
-import { verifyRefreshToken, issueSessionTokens, computeGraceExpiry } from '../../lib/session-tokens';
+import { attemptRefresh, type RefreshOutcome } from '../../lib/refresh-session';
+import { buildDidDocument } from '../../lib/did-document';
+import { getAccountState } from '../../db/dal';
+import { getAccountByIdentifier } from '../../db/account';
+import { toWireStatus } from '../../lib/account-state';
 
 export const prerender = false;
 
 export async function POST({ locals, request }: APIContext) {
   const { env } = locals.runtime;
   const token = bearerToken(request);
-  if (!token) {
-    return new Response(
-      JSON.stringify({ error: 'AuthRequired', message: 'No authorization token provided' }),
-      { status: 401, headers: { 'Content-Type': 'application/json' } }
-    );
-  }
-
-  const verification = await verifyRefreshToken(env, token).catch(() => null);
-  if (!verification) {
-    return new Response(
-      JSON.stringify({ error: 'InvalidToken', message: 'Invalid or expired refresh token' }),
-      { status: 401, headers: { 'Content-Type': 'application/json' } }
-    );
-  }
-
   const nowSec = Math.floor(Date.now() / 1000);
-  const { decoded } = verification;
 
-  if (!decoded || typeof decoded.jti !== 'string') {
-    return new Response(
-      JSON.stringify({ error: 'InvalidToken', message: 'Malformed refresh token' }),
-      { status: 401, headers: { 'Content-Type': 'application/json' } }
-    );
-  }
-
-  if (typeof decoded.exp !== 'number' || decoded.exp <= nowSec) {
-    return new Response(
-      JSON.stringify({ error: 'ExpiredToken', message: 'Refresh token expired' }),
-      { status: 401, headers: { 'Content-Type': 'application/json' } }
-    );
-  }
+  const outcome: RefreshOutcome = await attemptRefresh({ env, token, nowSec });
 
-  const stored = await getRefreshToken(env, decoded.jti);
-  if (!stored) {
-    return new Response(
-      JSON.stringify({ error: 'InvalidToken', message: 'Refresh token has been revoked' }),
-      { status: 401, headers: { 'Content-Type': 'application/json' } }
-    );
-  }
-
-  if (stored.expiresAt <= nowSec) {
-    return new Response(
-      JSON.stringify({ error: 'ExpiredToken', message: 'Refresh token expired' }),
-      { status: 401, headers: { 'Content-Type': 'application/json' } }
-    );
-  }
+  // Cleanup is best-effort and runs ~1% of the time regardless of outcome.
+  lazyCleanupExpiredTokens(env).catch(console.error);
 
-  if (stored.did !== decoded.sub) {
+  if (outcome.tag === 'failure') {
     return new Response(
-      JSON.stringify({ error: 'InvalidToken', message: 'Token subject mismatch' }),
-      { status: 401, headers: { 'Content-Type': 'application/json' } }
+      JSON.stringify({ error: outcome.code, message: outcome.message }),
+      { status: outcome.status, headers: { 'Content-Type': 'application/json' } },
     );
   }
 
-  const account = await getAccountByIdentifier(env, stored.did);
-  const did = stored.did;
-  const handle = account?.handle ?? (await getRuntimeString(env, 'PDS_HANDLE', 'user.example'));
-
-  // Rotate: generate new token pair with new JTI
-  const { accessJwt, refreshJwt, refreshPayload, refreshExpiry } = await issueSessionTokens(env, did, { jti: stored.nextId ?? undefined });
-
-  await storeRefreshToken(env, {
-    id: refreshPayload.jti,
-    did,
-    expiresAt: refreshExpiry,
-    appPasswordName: stored.appPasswordName ?? null,
-  });
-
-  const graceExpiry = computeGraceExpiry(stored.expiresAt, nowSec);
-  await markRefreshTokenRotated(env, decoded.jti, refreshPayload.jti, graceExpiry);
-
-  // Lazy cleanup of expired tokens (runs 1% of the time)
-  lazyCleanupExpiredTokens(env).catch(console.error);
-
-  return new Response(JSON.stringify({ did, handle, accessJwt, refreshJwt }), {
-    headers: { 'Content-Type': 'application/json' },
-  });
+  const didDoc = await buildDidDocument(env, outcome.did, outcome.handle);
+  const accountState = await getAccountState(env, outcome.did);
+  const wire = accountState ? toWireStatus(accountState) : { active: true };
+  const account = await getAccountByIdentifier(env, outcome.did);
+  const email = account?.email ?? (env.PDS_EMAIL as string | undefined);
+
+  return new Response(
+    JSON.stringify({
+      did: outcome.did,
+      didDoc,
+      handle: outcome.handle,
+      accessJwt: outcome.accessJwt,
+      refreshJwt: outcome.refreshJwt,
+      active: wire.active,
+      ...(wire.status ? { status: wire.status } : {}),
+      ...(email ? { email, emailConfirmed: true, emailAuthFactor: false } : {}),
+    }),
+    { headers: { 'Content-Type': 'application/json' } },
+  );
 }

package/src/pages/xrpc/com.atproto.sync.getBlob.ts

@@ -2,6 +2,10 @@ import type { APIContext } from 'astro';
 import { getDb } from '../../db/client';
 import { blob_ref } from '../../db/schema';
 import { eq } from 'drizzle-orm';
+import { CID } from 'multiformats/cid';
+import { sha256 } from 'multiformats/hashes/sha2';
+import { putBlobRef } from '../../db/dal';
+import { isAccountActive } from '../../db/dal';
 
 export const prerender = false;
 
@@ -19,66 +23,111 @@ export async function GET({ locals, url }: APIContext) {
   const { env } = locals.runtime;
 
   try {
+    const configuredDid = typeof env.PDS_DID === 'string' ? env.PDS_DID : undefined;
+    const did = url.searchParams.get('did') ?? configuredDid;
     const cid = url.searchParams.get('cid');
-    if (!cid) {
+    if (!did || !cid) {
       return new Response(
         JSON.stringify({
           error: 'InvalidRequest',
-          message: 'cid parameter is required'
+          message: 'did and cid parameters are required'
         }),
         { status: 400, headers: { 'Content-Type': 'application/json' } }
       );
     }
 
+    const active = await isAccountActive(env, did);
+    if (!active) {
+      return new Response(
+        JSON.stringify({ error: 'AccountInactive', message: 'Account is not active' }),
+        { status: 403, headers: { 'Content-Type': 'application/json' } }
+      );
+    }
+
     const db = getDb(env);
 
     // Look up blob metadata by CID
-    const blobMeta = await db
+    let blobMeta = await db
       .select()
       .from(blob_ref)
       .where(eq(blob_ref.cid, cid))
       .get();
 
-    if (!blobMeta) {
+    let key: string | null = blobMeta?.key ?? null;
+    let mime: string = blobMeta?.mime ?? 'application/octet-stream';
+    let size: number | null = blobMeta?.size ?? null;
+
+    // Fallback for older uploads: derive R2 key from CID (raw/sha256) if DB row missing
+    if (!key) {
+      try {
+        const link = CID.parse(cid);
+        // blob CIDs are raw (0x55) with sha256 multihash
+        if (link.multihash.code !== sha256.code) {
+          return new Response(
+            JSON.stringify({ error: 'InvalidRequest', message: 'Unsupported multihash' }),
+            { status: 400, headers: { 'Content-Type': 'application/json' } }
+          );
+        }
+        // Recreate legacy R2 key scheme used by store.put()
+        const digest = link.multihash.digest; // Uint8Array
+        // base64url encode
+        let s = '';
+        for (const b of digest) s += String.fromCharCode(b);
+        const b64url = btoa(s).replaceAll('+', '-').replaceAll('/', '_').replace(/=+$/, '');
+        key = `blobs/by-cid/${b64url}`;
+      } catch {
+        key = null;
+      }
+    }
+
+    if (!key) {
       return new Response(
-        JSON.stringify({
-          error: 'BlobNotFound',
-          message: 'Blob not found'
-        }),
-        { status: 404, headers: { 'Content-Type': 'application/json' } }
+        JSON.stringify({ error: 'InvalidRequest', message: 'Blob not found' }),
+        { status: 400, headers: { 'Content-Type': 'application/json' } }
       );
     }
 
     // Fetch blob from R2
     const r2 = env.BLOBS;
-    const object = await r2.get(blobMeta.key);
+    const object = await r2.get(key);
 
     if (!object) {
       return new Response(
-        JSON.stringify({
-          error: 'BlobNotFound',
-          message: 'Blob not found in storage'
-        }),
-        { status: 404, headers: { 'Content-Type': 'application/json' } }
+        JSON.stringify({ error: 'InvalidRequest', message: 'Blob not found' }),
+        { status: 400, headers: { 'Content-Type': 'application/json' } }
       );
     }
 
-    // Stream the blob with appropriate content type
-    return new Response(object.body as any, {
+    if (!blobMeta) {
+      try {
+        size = object.size ?? size ?? 0;
+        await putBlobRef(env, did, cid, key, mime, Number(size ?? 0));
+      } catch (backfillError) {
+        // Backfill is opportunistic; serving the blob is the priority.
+        console.warn('getBlob backfill failed:', backfillError);
+      }
+    }
+
+    // workers-types' ReadableStream lacks the DOM-types readMany member; the
+    // shapes are wire-compatible at runtime, so widen through unknown.
+    return new Response(object.body as unknown as ReadableStream<Uint8Array>, {
       status: 200,
       headers: {
-        'Content-Type': blobMeta.mime,
-        'Content-Length': blobMeta.size.toString(),
+        'Content-Type': mime,
+        ...(size != null ? { 'Content-Length': String(size) } : {}),
         'Cache-Control': 'public, max-age=31536000, immutable',
+        'x-content-type-options': 'nosniff',
+        'content-security-policy': "default-src 'none'; sandbox",
       },
     });
-  } catch (error: any) {
+  } catch (error) {
+    const message = error instanceof Error ? error.message : 'Failed to retrieve blob';
     return new Response(
       JSON.stringify({
         error: 'InternalServerError',
-        message: error.message || 'Failed to retrieve blob'
+        message,
       }),
       { status: 500, headers: { 'Content-Type': 'application/json' } }
     );
   }
-}
+}

package/src/pages/xrpc/com.atproto.sync.getCheckout.json.ts

@@ -8,7 +8,7 @@ export const prerender = false;
 export async function GET({ locals, request }: APIContext) {
   const { env } = locals.runtime;
   const url = new URL(request.url);
-  const did = url.searchParams.get('did') ?? (env.PDS_DID ?? 'did:example:single-user');
+  const did = url.searchParams.get('did') ?? (env.PDS_DID as string);
   const head = await getRepoRoot(env);
   const rows = await dalListRecords(env);
   const records = rows

package/src/pages/xrpc/com.atproto.sync.getCheckout.ts

@@ -6,7 +6,7 @@ export const prerender = false;
 export async function GET({ locals, request }: APIContext) {
   const { env } = locals.runtime;
   const url = new URL(request.url);
-  const did = url.searchParams.get('did') ?? (env.PDS_DID ?? 'did:example:single-user');
+  const did = url.searchParams.get('did') ?? (env.PDS_DID as string);
 
   // Support commit range queries
   const fromParam = url.searchParams.get('from');

package/src/pages/xrpc/com.atproto.sync.getHead.ts

@@ -6,6 +6,11 @@ export const prerender = false;
 export async function GET({ locals }: APIContext) {
   const { env } = locals.runtime;
   const root = await getRepoRoot(env);
-  if (!root) return new Response(JSON.stringify({ root: null, rev: 0 }), { headers: { 'Content-Type': 'application/json' } });
-  return new Response(JSON.stringify({ root: root.commitCid, rev: root.rev }), { headers: { 'Content-Type': 'application/json' } });
+  if (!root) {
+    return new Response(
+      JSON.stringify({ error: 'HeadNotFound', message: 'Head not found' }),
+      { status: 404, headers: { 'Content-Type': 'application/json' } }
+    );
+  }
+  return new Response(JSON.stringify({ root: root.commitCid }), { headers: { 'Content-Type': 'application/json' } });
 }

package/src/pages/xrpc/com.atproto.sync.getLatestCommit.ts

@@ -10,7 +10,7 @@ export const prerender = false;
 export async function GET({ locals, url }: APIContext) {
   const { env } = locals.runtime;
 
-  const did = url.searchParams.get('did') || env.PDS_DID || 'did:example:single-user';
+  const did = url.searchParams.get('did') || (env.PDS_DID as string);
 
   try {
     const root = await getRoot(env);

package/src/pages/xrpc/com.atproto.sync.getRecord.ts

@@ -1,9 +1,6 @@
 import type { APIContext } from 'astro';
 import { RepoManager } from '../../services/repo-manager';
-import { encodeRecordBlock } from '../../services/car';
-import * as dagCbor from '@ipld/dag-cbor';
-import { CID } from 'multiformats/cid';
-import { sha256 } from 'multiformats/hashes/sha2';
+import { buildRecordProofCar } from '../../services/car';
 
 export const prerender = false;
 
@@ -14,7 +11,7 @@ export const prerender = false;
 export async function GET({ locals, url }: APIContext) {
   const { env } = locals.runtime;
 
-  const did = url.searchParams.get('did') || env.PDS_DID || 'did:example:single-user';
+  const did = url.searchParams.get('did') || (env.PDS_DID as string);
   const collection = url.searchParams.get('collection');
   const rkey = url.searchParams.get('rkey');
 
@@ -26,31 +23,12 @@ export async function GET({ locals, url }: APIContext) {
   }
 
   try {
-    const repoManager = new RepoManager(env);
-    const record = await repoManager.getRecord(collection, rkey);
-
-    if (!record) {
-      return new Response(
-        JSON.stringify({ error: 'RecordNotFound' }),
-        { status: 404, headers: { 'Content-Type': 'application/json' } }
-      );
-    }
-
-    // Encode the record as a single-block CAR snapshot (root = record CID)
-    const { cid, bytes } = await encodeRecordBlock(record);
-
-    // Minimal CAR encoding (header + single block)
-    const header = dagCbor.encode({ version: 1, roots: [cid] });
-    const varint = (n: number) => { const a:number[]=[]; while(n>=0x80){a.push((n&0x7f)|0x80); n>>>=7;} a.push(n); return new Uint8Array(a); };
-    const concat = (parts: Uint8Array[]) => { const len = parts.reduce((n,p)=>n+p.byteLength,0); const out = new Uint8Array(len); let o=0; for(const p of parts){out.set(p,o); o+=p.byteLength;} return out; };
-    const block = concat([cid.bytes, bytes]);
-    const carBytes = concat([varint(header.byteLength), header, varint(block.byteLength), block]);
-
-    return new Response(carBytes as any, {
+    const { bytes } = await buildRecordProofCar(env as any, did, collection, rkey);
+    return new Response(bytes as any, {
       status: 200,
       headers: {
         'Content-Type': 'application/vnd.ipld.car; version=1',
-        'Content-Disposition': 'inline; filename="record.car"',
+        'Content-Disposition': 'inline; filename="record-proof.car"',
       },
     });
   } catch (error) {

package/src/pages/xrpc/com.atproto.sync.getRepo.json.ts

@@ -8,7 +8,7 @@ export const prerender = false;
 export async function GET({ locals, request }: APIContext) {
   const { env } = locals.runtime;
   const url = new URL(request.url);
-  const did = url.searchParams.get('did') ?? (env.PDS_DID ?? 'did:example:single-user');
+  const did = url.searchParams.get('did') ?? (env.PDS_DID as string);
   const head = await getRepoRoot(env);
   const rows = await dalListRecords(env);
   const records = rows