@alteran/astro 0.3.9 → 0.5.2

package/src/lib/cache.ts

@@ -97,12 +97,26 @@ export function getCacheKey(request: Request, prefix?: string): string {
 /**
  * Get cached response from Cache API
  */
+function resolveDefaultCache(): Cache | null {
+  if (typeof caches === 'undefined') {
+    return null;
+  }
+  try {
+    return ((caches as any).default ?? null) as Cache | null;
+  } catch {
+    return null;
+  }
+}
+
 export async function getCachedResponse(
   request: Request,
   options?: { prefix?: string }
 ): Promise<Response | null> {
   try {
-    const cache = (caches as any).default as Cache;
+    const cache = resolveDefaultCache();
+    if (!cache) {
+      return null;
+    }
     const cacheKey = getCacheKey(request, options?.prefix);
     const cacheUrl = new URL(cacheKey, request.url);
     const cacheRequest = new Request(cacheUrl, request);
@@ -123,7 +137,10 @@ export async function putCachedResponse(
   options: CacheOptions
 ): Promise<void> {
   try {
-    const cache = (caches as any).default as Cache;
+    const cache = resolveDefaultCache();
+    if (!cache) {
+      return;
+    }
     const cacheKey = getCacheKey(request, options.prefix);
     const cacheUrl = new URL(cacheKey, request.url);
     const cacheRequest = new Request(cacheUrl, request);
@@ -155,7 +172,10 @@ export async function invalidateCache(
   options?: { prefix?: string }
 ): Promise<boolean> {
   try {
-    const cache = (caches as any).default as Cache;
+    const cache = resolveDefaultCache();
+    if (!cache) {
+      return false;
+    }
     const cacheKey = getCacheKey(request, options?.prefix);
     const cacheUrl = new URL(cacheKey, request.url);
     const cacheRequest = new Request(cacheUrl, request);
@@ -183,7 +203,13 @@ export async function withCache(
   // Check cache first
   const cached = await getCachedResponse(request, { prefix: options.prefix });
   if (cached) {
-    return cached;
+    // Clone the cached response to avoid immutable headers issue
+    // Cache API responses have immutable headers which Astro may try to modify
+    return new Response(cached.body, {
+      status: cached.status,
+      statusText: cached.statusText,
+      headers: new Headers(cached.headers),
+    });
   }
 
   // Generate response

package/src/lib/chat.ts

@@ -10,23 +10,23 @@ export interface ListConvosFilters {
 export interface ConvoView {
   id: string;
   rev: string;
-  members: any[];
+  members: unknown[];
   muted: boolean;
   unreadCount: number;
   status?: string;
-  lastMessage?: any;
-  lastReaction?: any;
+  lastMessage?: unknown;
+  lastReaction?: unknown;
 }
 
 export type ConvoLogEntry =
   | { $type: 'chat.bsky.convo.defs#logBeginConvo'; rev: string; convoId: string }
-  | { $type: 'chat.bsky.convo.defs#logCreateMessage'; rev: string; convoId: string; message: any }
+  | { $type: 'chat.bsky.convo.defs#logCreateMessage'; rev: string; convoId: string; message: unknown }
   | {
       $type: 'chat.bsky.convo.defs#logAddReaction';
       rev: string;
       convoId: string;
-      message: any;
-      reaction: any;
+      message: unknown;
+      reaction: unknown;
     };
 
 export async function ensureChatTables(env: Env) {
@@ -130,8 +130,14 @@ export async function listChatConvos(
           avatar: string | null;
         }>();
 
-      const memberViews = (members.results ?? []).map((member) => {
-        const view: any = {
+      type MemberView = {
+        did: string;
+        handle: string;
+        displayName?: string;
+        avatar?: string;
+      };
+      const memberViews: MemberView[] = (members.results ?? []).map((member) => {
+        const view: MemberView = {
           did: member.did,
           handle: member.handle,
         };

package/src/lib/commit.ts

@@ -1,6 +1,8 @@
 import { CID } from 'multiformats/cid';
 import * as dagCbor from '@ipld/dag-cbor';
 import { sha256 } from 'multiformats/hashes/sha2';
+import { Secp256k1Keypair, verifySignature } from '@atproto/crypto';
+import { ServerMisconfigured } from './errors';
 
 /**
  * AT Protocol Commit Structure
@@ -12,7 +14,7 @@ import { sha256 } from 'multiformats/hashes/sha2';
  * - data: CID of the MST root
  * - rev: Revision number (TID format)
  * - prev: CID of the previous commit (null for first commit)
- * - sig: Ed25519 signature over the commit data
+ * - sig: secp256k1 signature over the commit data (64-byte compact)
  */
 
 export interface CommitData {
@@ -46,34 +48,37 @@ export function createCommit(
 }
 
 /**
- * Sign a commit with Ed25519 private key
+ * Sign a commit with secp256k1 private key
  */
 export async function signCommit(
   commit: CommitData,
-  privateKeyBase64: string,
+  privateKey: string,
 ): Promise<SignedCommit> {
   // Encode commit to CBOR for signing
   const commitBytes = dagCbor.encode(commit);
 
-  // Import private key (PKCS#8 base64)
-  const b64 = privateKeyBase64.replace(/\s+/g, '');
-  const bin = atob(b64);
-  const pkcs8 = new Uint8Array(bin.length);
-  for (let i = 0; i < bin.length; i++) pkcs8[i] = bin.charCodeAt(i);
-  const privateKey = await crypto.subtle.importKey(
-    'pkcs8',
-    pkcs8,
-    { name: 'Ed25519', namedCurve: 'Ed25519' } as any,
-    false,
-    ['sign']
-  );
-
-  // Sign the commit bytes
-  const signature = await crypto.subtle.sign('Ed25519', privateKey, new Uint8Array(commitBytes as unknown as Uint8Array));
+  // Accept hex (preferred) or base64 input for the 32-byte secp256k1 private key
+  const cleaned = privateKey.trim();
+  let keypair: Secp256k1Keypair;
+  if (/^[0-9a-fA-F]{64}$/.test(cleaned)) {
+    keypair = await Secp256k1Keypair.import(cleaned);
+  } else {
+    // try base64
+    try {
+      const bin = atob(cleaned.replace(/\s+/g, ''));
+      const priv = new Uint8Array(bin.length);
+      for (let i = 0; i < bin.length; i++) priv[i] = bin.charCodeAt(i);
+      keypair = await Secp256k1Keypair.import(priv);
+    } catch {
+      throw new ServerMisconfigured('Invalid REPO_SIGNING_KEY format: expected 32-byte hex or base64');
+    }
+  }
+
+  const signature = await keypair.sign(new Uint8Array(commitBytes as unknown as Uint8Array));
 
   return {
     ...commit,
-    sig: new Uint8Array(signature),
+    sig: signature,
   };
 }
 
@@ -82,28 +87,13 @@ export async function signCommit(
  */
 export async function verifyCommit(
   signedCommit: SignedCommit,
-  publicKeyBase64: string,
+  didKey: string,
 ): Promise<boolean> {
   try {
     // Extract commit data (without signature)
     const { sig, ...commit } = signedCommit;
     const commitBytes = dagCbor.encode(commit);
-
-    // Import public key (SPKI base64)
-    const b64 = publicKeyBase64.replace(/\s+/g, '');
-    const bin = atob(b64);
-    const spki = new Uint8Array(bin.length);
-    for (let i = 0; i < bin.length; i++) spki[i] = bin.charCodeAt(i);
-    const publicKey = await crypto.subtle.importKey(
-      'spki',
-      spki,
-      { name: 'Ed25519', namedCurve: 'Ed25519' } as any,
-      false,
-      ['verify']
-    );
-
-    // Verify signature
-    return await crypto.subtle.verify('Ed25519', publicKey, sig as any, new Uint8Array(commitBytes as unknown as Uint8Array));
+    return verifySignature(didKey, new Uint8Array(commitBytes as unknown as Uint8Array), sig);
   } catch (error) {
     console.error('Commit verification failed:', error);
     return false;

package/src/lib/config.ts

@@ -20,21 +20,26 @@ const OPTIONAL_VARS = {
   PDS_CORS_ORIGIN: '*',
   PDS_SEQ_WINDOW: '512',
   ENVIRONMENT: 'development',
-  PDS_BSKY_APP_VIEW_URL: 'https://public.api.bsky.app',
+  PDS_BSKY_APP_VIEW_URL: 'https://api.bsky.app',
   PDS_BSKY_APP_VIEW_DID: 'did:web:api.bsky.app',
   PDS_BSKY_APP_VIEW_CDN_URL_PATTERN: '',
+  // Additional proxied services
+  PDS_BSKY_CHAT_URL: 'https://api.bsky.chat',
+  PDS_BSKY_CHAT_DID: 'did:web:api.bsky.chat',
+  PDS_OZONE_URL: 'https://mod.bsky.app',
+  PDS_OZONE_DID: 'did:plc:ar7c4by46qjdydhdevvrndac',
 } as const;
 
 /**
  * Configuration validation result
  */
 export interface ConfigValidationResult {
-  valid: boolean;
-  missing: string[];
-  warnings: string[];
-  config: {
-    required: Record<string, string>;
-    optional: Record<string, string>;
+  readonly valid: boolean;
+  readonly missing: readonly string[];
+  readonly warnings: readonly string[];
+  readonly config: {
+    readonly required: Readonly<Record<string, string>>;
+    readonly optional: Readonly<Record<string, string>>;
   };
 }
 
@@ -76,13 +81,13 @@ export function validateConfig(env: Env): ConfigValidationResult {
   }
 
   // DID format validation
-  const did = env.PDS_DID;
+  const did = typeof env.PDS_DID === 'string' ? env.PDS_DID : undefined;
   if (did && !did.startsWith('did:')) {
     warnings.push(`PDS_DID should start with 'did:' (got: ${did})`);
   }
 
   // Handle format validation
-  const handle = env.PDS_HANDLE;
+  const handle = typeof env.PDS_HANDLE === 'string' ? env.PDS_HANDLE : undefined;
   if (handle && handle.includes('://')) {
     warnings.push(`PDS_HANDLE should not include protocol (got: ${handle})`);
   }
@@ -108,9 +113,7 @@ export function validateConfig(env: Env): ConfigValidationResult {
     warnings.push('REPO_SIGNING_KEY is not set - repository commits will not be signed');
   }
 
-  if (!env.PDS_SERVICE_SIGNING_KEY_HEX) {
-    warnings.push('PDS_SERVICE_SIGNING_KEY_HEX is not set - service-to-service authentication will be disabled');
-  }
+  // Service-auth uses REPO_SIGNING_KEY (secp256k1). No separate service key required.
 
   const valid = missing.length === 0;
 
@@ -184,10 +187,18 @@ export function validateConfigOrThrow(env: Env): void {
 export function getConfig(env: Env) {
   const result = validateConfig(env);
 
+  const did = env.PDS_DID;
+  const handle = env.PDS_HANDLE;
+  if (typeof did !== 'string' || did === '' || typeof handle !== 'string' || handle === '') {
+    throw new Error(
+      `getConfig called with invalid configuration. Missing: ${result.missing.join(', ')}`,
+    );
+  }
+
   return {
     // Required
-    did: env.PDS_DID!,
-    handle: env.PDS_HANDLE!,
+    did,
+    handle,
 
     // Optional with defaults
     allowedMime: result.config.optional.PDS_ALLOWED_MIME.split(','),
@@ -209,7 +220,7 @@ export function getConfig(env: Env) {
     hostname: env.PDS_HOSTNAME,
     accessTtlSec: env.PDS_ACCESS_TTL_SEC ? parseInt(env.PDS_ACCESS_TTL_SEC) : 3600,
     refreshTtlSec: env.PDS_REFRESH_TTL_SEC ? parseInt(env.PDS_REFRESH_TTL_SEC) : 2592000,
-    serviceSigningKeyHex: env.PDS_SERVICE_SIGNING_KEY_HEX,
+    serviceSigningKeyHex: undefined,
   };
 }
 

package/src/lib/did-document.ts

@@ -0,0 +1,32 @@
+import type { Env } from '../env';
+import { getRuntimeString } from './secrets';
+
+export interface DidDocument {
+  '@context': string[];
+  id: string;
+  alsoKnownAs: string[];
+  verificationMethod: any[];
+  service: Array<{
+    id: string;
+    type: string;
+    serviceEndpoint: string;
+  }>;
+}
+
+export async function buildDidDocument(env: Env, did: string, handle: string): Promise<DidDocument> {
+  const hostname = await getRuntimeString(env, 'PDS_HOSTNAME', handle);
+
+  return {
+    '@context': ['https://www.w3.org/ns/did/v1'],
+    id: did,
+    alsoKnownAs: [`at://${handle}`],
+    verificationMethod: [],
+    service: [
+      {
+        id: '#atproto_pds',
+        type: 'AtprotoPersonalDataServer',
+        serviceEndpoint: `https://${hostname}`,
+      },
+    ],
+  };
+}

package/src/lib/errors.ts

@@ -93,6 +93,38 @@ export class InternalServerError extends XRPCError {
   }
 }
 
+// 400 - Invalid atproto-proxy header
+export class InvalidProxyHeader extends XRPCError {
+  constructor(message: string = 'Invalid atproto-proxy header', details?: Record<string, unknown>) {
+    super('InvalidProxyHeader', message, 400, details);
+    this.name = 'InvalidProxyHeader';
+  }
+}
+
+// 502 - Upstream proxy or DID resolution failure
+export class UpstreamProxyFailure extends XRPCError {
+  constructor(message: string = 'Upstream proxy failure', details?: Record<string, unknown>) {
+    super('UpstreamProxyFailure', message, 502, details);
+    this.name = 'UpstreamProxyFailure';
+  }
+}
+
+// 500 - Server misconfiguration (missing secrets, invalid signing key, etc)
+export class ServerMisconfigured extends XRPCError {
+  constructor(message: string = 'Server misconfigured', details?: Record<string, unknown>) {
+    super('ServerMisconfigured', message, 500, details);
+    this.name = 'ServerMisconfigured';
+  }
+}
+
+// 413 - Payload too large (rejected before parsing)
+export class PayloadTooLarge extends XRPCError {
+  constructor(message: string = 'Payload too large', details?: Record<string, unknown>) {
+    super('PayloadTooLarge', message, 413, details);
+    this.name = 'PayloadTooLarge';
+  }
+}
+
 /**
  * User-friendly error messages
  * Maps technical errors to actionable guidance
@@ -121,6 +153,28 @@ export function categorizeError(status: number): 'client' | 'server' {
   return status >= 400 && status < 500 ? 'client' : 'server';
 }
 
+/**
+ * Narrow an unknown thrown value to extract its `code` and `message` fields
+ * without resorting to `any`. Useful in catch blocks for libraries that
+ * decorate Errors with custom code strings (jose, ResourceAuthError, etc.).
+ */
+export function errorCode(error: unknown): string | undefined {
+  if (error && typeof error === 'object' && 'code' in error) {
+    const value = (error as { code: unknown }).code;
+    return typeof value === 'string' ? value : undefined;
+  }
+  return undefined;
+}
+
+export function errorMessage(error: unknown): string {
+  if (error instanceof Error) return error.message;
+  if (error && typeof error === 'object' && 'message' in error) {
+    const value = (error as { message: unknown }).message;
+    if (typeof value === 'string') return value;
+  }
+  return String(error);
+}
+
 /**
  * Convert any error to XRPCError
  */

package/src/lib/feed.ts

@@ -30,18 +30,17 @@ function parseRow(row: PostRow): ParsedPost | null {
     const record = JSON.parse(row.json) ?? {};
     if (record && typeof record === 'object' && !Array.isArray(record)) {
       const collection = inferCollectionFromUri(row.uri);
-      if (collection && typeof (record as any).$type !== 'string') {
-        (record as any).$type = collection;
+      const writable = record as Record<string, unknown>;
+      if (collection && typeof writable.$type !== 'string') {
+        writable.$type = collection;
       }
-      if (typeof (record as any).createdAt !== 'string') {
-        (record as any).createdAt = new Date().toISOString();
+      if (typeof writable.createdAt !== 'string') {
+        writable.createdAt = new Date().toISOString();
       }
     }
 
-    const createdAt =
-      record && typeof record === 'object' && typeof (record as any).createdAt === 'string'
-        ? (record as any).createdAt
-        : new Date().toISOString();
+    const createdAtField = (record as Record<string, unknown>).createdAt;
+    const createdAt = typeof createdAtField === 'string' ? createdAtField : new Date().toISOString();
 
     return {
       uri: row.uri,
@@ -72,27 +71,27 @@ export async function listPosts(env: Env, limit: number, cursor?: string): Promi
   }
   params.push(safeLimit);
 
-  const res = await env.DB.prepare(
+  const response = await env.DB.prepare(
     `SELECT rowid, uri, cid, json FROM record WHERE ${where} ORDER BY rowid DESC LIMIT ?`
   )
     .bind(...params)
     .all<PostRow>();
 
-  if (!res?.results) return [];
-  return res.results.map(parseRow).filter((row): row is ParsedPost => row !== null);
+  if (!response?.results) return [];
+  return response.results.map(parseRow).filter((row): row is ParsedPost => row !== null);
 }
 
 export async function getPostsByUris(env: Env, uris: string[]): Promise<ParsedPost[]> {
   if (!uris.length) return [];
   const placeholders = uris.map(() => '?').join(',');
-  const res = await env.DB.prepare(
+  const response = await env.DB.prepare(
     `SELECT rowid, uri, cid, json FROM record WHERE uri IN (${placeholders})`
   )
     .bind(...uris)
     .all<PostRow>();
 
-  if (!res?.results) return [];
-  return res.results.map(parseRow).filter((row): row is ParsedPost => row !== null);
+  if (!response?.results) return [];
+  return response.results.map(parseRow).filter((row): row is ParsedPost => row !== null);
 }
 
 export async function buildFeedViewPosts(env: Env, posts: ParsedPost[]) {
@@ -143,23 +142,23 @@ export async function countPosts(env: Env): Promise<number> {
   const actor = await getPrimaryActor(env);
   const prefix = `at://${actor.did}/${POST_COLLECTION}/`;
   const upperBound = `${prefix}{`; // '{' sorts after 'z', safely bounding rkeys
-  const res = await env.DB.prepare(
+  const response = await env.DB.prepare(
     'SELECT COUNT(*) as count FROM record WHERE uri >= ? AND uri < ?'
   )
     .bind(prefix, upperBound)
     .first<{ count: number }>();
-  return res?.count ?? 0;
+  return response?.count ?? 0;
 }
 
 export async function getPostByUri(env: Env, uri: string): Promise<ParsedPost | null> {
-  const res = await env.DB.prepare(
+  const response = await env.DB.prepare(
     'SELECT rowid, uri, cid, json FROM record WHERE uri = ? LIMIT 1'
   )
     .bind(uri)
     .first<PostRow>();
 
-  if (!res) return null;
-  return parseRow(res);
+  if (!response) return null;
+  return parseRow(response);
 }
 
 export type { ParsedPost };