@alteran/astro 0.3.9 → 0.6.1

package/src/pages/oauth/par.ts

@@ -0,0 +1,121 @@
+import type { APIContext } from 'astro';
+import { errorMessage } from '../../lib/errors';
+import { getAuthzNonce, setDpopNonceHeader, verifyDpop, dpopErrorResponse } from '../../lib/oauth/dpop';
+import { DpopNonceError } from '../../lib/oauth/dpop-errors';
+import { savePar } from '../../lib/oauth/store';
+import { fetchClientMetadata, isHttpsUrl, verifyClientAssertion } from '../../lib/oauth/clients';
+
+export const prerender = false;
+
+export async function POST({ locals, request }: APIContext) {
+  const { env } = locals.runtime;
+
+  // Enforce DPoP with nonce; if missing or stale, return use_dpop_nonce
+  try {
+    const ver = await verifyDpop(env, request);
+
+    // Parse form-encoded body
+    const bodyText = await request.text();
+    const form = new URLSearchParams(bodyText);
+    const client_id = form.get('client_id') || '';
+    const response_type = form.get('response_type') || '';
+    const redirect_uri = form.get('redirect_uri') || '';
+    const scope = form.get('scope') || '';
+    const state = form.get('state') || '';
+    const code_challenge = form.get('code_challenge') || '';
+    const code_challenge_method = form.get('code_challenge_method') || '';
+    const login_hint = form.get('login_hint') || undefined;
+    const client_assertion_type = form.get('client_assertion_type') || '';
+    const client_assertion = form.get('client_assertion') || '';
+
+    if (!client_id || !isHttpsUrl(client_id)) {
+      return new Response(JSON.stringify({ error: 'invalid_client', error_description: 'client_id must be https URL' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
+    }
+    if (response_type !== 'code') {
+      return new Response(JSON.stringify({ error: 'unsupported_response_type' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
+    }
+    if (!redirect_uri || !isHttpsUrl(redirect_uri)) {
+      return new Response(JSON.stringify({ error: 'invalid_request', error_description: 'redirect_uri must be https URL' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
+    }
+    if (!scope || !scope.split(' ').includes('atproto')) {
+      return new Response(JSON.stringify({ error: 'invalid_scope' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
+    }
+    if (!state) {
+      return new Response(JSON.stringify({ error: 'invalid_request', error_description: 'state required' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
+    }
+    if (!code_challenge || code_challenge_method !== 'S256') {
+      return new Response(JSON.stringify({ error: 'invalid_request', error_description: 'PKCE (S256) required' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
+    }
+
+    // Fetch and validate client metadata
+    let clientMeta: any = null;
+    try {
+      clientMeta = await fetchClientMetadata(client_id);
+    } catch (e) {
+      return new Response(JSON.stringify({ error: 'invalid_client', error_description: errorMessage(e) ?? 'Client metadata fetch failed' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
+    }
+
+    if (clientMeta?.client_id !== client_id) {
+      return new Response(JSON.stringify({ error: 'invalid_client', error_description: 'client_id mismatch' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
+    }
+    const redirects: string[] = Array.isArray(clientMeta?.redirect_uris) ? clientMeta.redirect_uris : [];
+    if (!redirects.includes(redirect_uri)) {
+      return new Response(JSON.stringify({ error: 'invalid_request', error_description: 'redirect_uri not registered' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
+    }
+    if (clientMeta?.dpop_bound_access_tokens !== true) {
+      return new Response(JSON.stringify({ error: 'invalid_client', error_description: 'client must require DPoP' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
+    }
+    const url = new URL(request.url);
+    const issuerOrigin = `${url.protocol}//${url.host}`;
+    const authMethod = clientMeta?.token_endpoint_auth_method;
+    if (authMethod === 'private_key_jwt') {
+      // Load JWKS (inline or via URI)
+      let jwks = clientMeta?.jwks;
+      if (!jwks && typeof clientMeta?.jwks_uri === 'string') {
+        try {
+          const response = await fetch(clientMeta.jwks_uri);
+          jwks = await response.json();
+        } catch (e) {
+          return new Response(JSON.stringify({ error: 'invalid_client', error_description: 'Failed to fetch jwks_uri' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
+        }
+      }
+      if (!jwks) {
+        return new Response(JSON.stringify({ error: 'invalid_client', error_description: 'Missing JWKS' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
+      }
+      if (client_assertion_type !== 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer' || !client_assertion) {
+        return new Response(JSON.stringify({ error: 'invalid_client', error_description: 'Missing client assertion' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
+      }
+      const ok = await verifyClientAssertion(client_id, issuerOrigin, client_assertion, jwks);
+      if (!ok) {
+        return new Response(JSON.stringify({ error: 'invalid_client', error_description: 'Invalid client assertion' }), { status: 401, headers: { 'Content-Type': 'application/json' } });
+      }
+    }
+
+    const id = crypto.randomUUID().replace(/-/g, '');
+    const now = Math.floor(Date.now() / 1000);
+    const rec = {
+      client_id,
+      redirect_uri,
+      code_challenge,
+      code_challenge_method: 'S256' as const,
+      scope,
+      state,
+      login_hint,
+      dpopJkt: ver.jkt,
+      createdAt: now,
+      expiresAt: now + 300, // 5 minutes
+    };
+    await savePar(env, id, rec);
+
+    const request_uri = `urn:ietf:params:oauth:request_uri:${id}`;
+    const headers = new Headers({ 'Content-Type': 'application/json' });
+    setDpopNonceHeader(headers, await getAuthzNonce(env));
+    return new Response(JSON.stringify({ request_uri }), { status: 201, headers });
+  } catch (e) {
+    if (e instanceof DpopNonceError) {
+      return dpopErrorResponse(env, e);
+    }
+    const headers = new Headers({ 'Content-Type': 'application/json' });
+    return new Response(JSON.stringify({ error: 'invalid_request', error_description: errorMessage(e) ?? 'Unknown error' }), { status: 400, headers });
+  }
+}

package/src/pages/oauth/token.ts

@@ -0,0 +1,158 @@
+import type { APIContext } from 'astro';
+import { errorMessage } from '../../lib/errors';
+import { verifyDpop, dpopErrorResponse, getAuthzNonce } from '../../lib/oauth/dpop';
+import { DpopNonceError } from '../../lib/oauth/dpop-errors';
+import { consumeCode } from '../../lib/oauth/store';
+import { sha256b64url } from '../../lib/oauth/dpop';
+import { issueSessionTokens, verifyRefreshToken, verifyAccessToken, computeGraceExpiry } from '../../lib/session-tokens';
+import { fetchClientMetadata, verifyClientAssertion } from '../../lib/oauth/clients';
+import { storeRefreshToken, getRefreshToken, markRefreshTokenRotated } from '../../db/account';
+
+export const prerender = false;
+
+export async function POST({ locals, request }: APIContext) {
+  const { env } = locals.runtime;
+
+  try {
+    const ver = await verifyDpop(env, request);
+
+    const form = new URLSearchParams(await request.text());
+    const grant_type = form.get('grant_type') || '';
+
+    if (grant_type === 'authorization_code') {
+      const code = form.get('code') || '';
+      const client_id = form.get('client_id') || '';
+      const redirect_uri = form.get('redirect_uri') || '';
+      const code_verifier = form.get('code_verifier') || '';
+      const client_assertion_type = form.get('client_assertion_type') || '';
+      const client_assertion = form.get('client_assertion') || '';
+
+      if (!code || !client_id || !redirect_uri || !code_verifier) {
+        return jsonError('invalid_request', 'Missing parameters');
+      }
+
+      const rec = await consumeCode(env, code);
+      if (!rec) return jsonError('invalid_grant', 'Invalid or used code');
+      if (rec.client_id !== client_id) return jsonError('invalid_grant', 'client_id mismatch');
+      if (rec.redirect_uri !== redirect_uri) return jsonError('invalid_grant', 'redirect_uri mismatch');
+
+      const expected = await sha256b64url(code_verifier);
+      if (expected !== rec.code_challenge) return jsonError('invalid_grant', 'PKCE verification failed');
+
+      if (ver.jkt !== rec.dpopJkt) return jsonError('invalid_dpop', 'DPoP key mismatch');
+
+      // If confidential client, verify assertion
+      let clientMeta: any = null;
+      try {
+        clientMeta = await fetchClientMetadata(client_id);
+      } catch {
+        // Public clients have no fetchable metadata; only confidential clients gate on it below.
+      }
+      if (clientMeta?.token_endpoint_auth_method === 'private_key_jwt') {
+        let jwks = clientMeta?.jwks;
+        if (!jwks && typeof clientMeta?.jwks_uri === 'string') {
+          const response = await fetch(clientMeta.jwks_uri);
+          jwks = await response.json();
+        }
+        const origin = `${new URL(request.url).protocol}//${new URL(request.url).host}`;
+        if (!client_assertion || client_assertion_type !== 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer')
+          return jsonError('invalid_client', 'Missing client assertion');
+        const ok = await verifyClientAssertion(client_id, origin, client_assertion, jwks);
+        if (!ok) return jsonError('invalid_client', 'Invalid client assertion');
+      }
+
+      // Issue tokens bound to this DID and include DPoP cnf in access token
+      const { accessJwt, refreshJwt, refreshPayload, refreshExpiry } = await issueSessionTokens(env, rec.did);
+      await storeRefreshToken(env, { id: refreshPayload.jti, did: rec.did, expiresAt: refreshExpiry, appPasswordName: null });
+
+      // Derive expires_in from access token
+      const payload = await verifyAccessToken(env, accessJwt).catch(() => null);
+      const now = Math.floor(Date.now() / 1000);
+      const expires_in = payload && typeof payload.exp === 'number' ? Math.max(0, payload.exp - now) : 7200;
+
+      const out = {
+        access_token: accessJwt,
+        token_type: 'DPoP',
+        expires_in,
+        refresh_token: refreshJwt,
+        scope: rec.scope,
+        sub: rec.did,
+      } as const;
+      const headers = new Headers({ 'Content-Type': 'application/json' });
+      headers.set('DPoP-Nonce', await getAuthzNonce(env));
+      return new Response(JSON.stringify(out), { status: 200, headers });
+    }
+
+    if (grant_type === 'refresh_token') {
+      const refresh_token = form.get('refresh_token') || '';
+      const client_id = form.get('client_id') || '';
+      const client_assertion_type = form.get('client_assertion_type') || '';
+      const client_assertion = form.get('client_assertion') || '';
+      if (!refresh_token) return jsonError('invalid_request', 'Missing refresh_token');
+
+      // If confidential client, verify assertion
+      if (client_id) {
+        let clientMeta: any = null;
+        try {
+          clientMeta = await fetchClientMetadata(client_id);
+        } catch {
+          // Public clients have no fetchable metadata; only confidential clients gate on it below.
+        }
+        if (clientMeta?.token_endpoint_auth_method === 'private_key_jwt') {
+          let jwks = clientMeta?.jwks;
+          if (!jwks && typeof clientMeta?.jwks_uri === 'string') {
+            const response = await fetch(clientMeta.jwks_uri);
+            jwks = await response.json();
+          }
+          const origin = `${new URL(request.url).protocol}//${new URL(request.url).host}`;
+          if (!client_assertion || client_assertion_type !== 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer')
+            return jsonError('invalid_client', 'Missing client assertion');
+          const ok = await verifyClientAssertion(client_id, origin, client_assertion, jwks);
+          if (!ok) return jsonError('invalid_client', 'Invalid client assertion');
+        }
+      }
+
+      const verification = await verifyRefreshToken(env, refresh_token).catch(() => null);
+      if (!verification || !verification.decoded) return jsonError('invalid_grant', 'Invalid refresh token');
+      const nowSec = Math.floor(Date.now() / 1000);
+      if (verification.decoded.exp <= nowSec) return jsonError('invalid_grant', 'Expired refresh token');
+
+      const stored = await getRefreshToken(env, verification.decoded.jti);
+      if (!stored) return jsonError('invalid_grant', 'Refresh token revoked');
+      if (stored.expiresAt <= nowSec) return jsonError('invalid_grant', 'Expired refresh token');
+      if (stored.did !== verification.decoded.sub) return jsonError('invalid_grant', 'Subject mismatch');
+
+      const did = stored.did;
+      // Rotate refresh, issue new pair
+      const { accessJwt, refreshJwt, refreshPayload, refreshExpiry } = await issueSessionTokens(env, did, { jti: stored.nextId ?? undefined });
+      await storeRefreshToken(env, { id: refreshPayload.jti, did, expiresAt: refreshExpiry, appPasswordName: stored.appPasswordName ?? null });
+      const graceExpiry = computeGraceExpiry(stored.expiresAt, nowSec);
+      await markRefreshTokenRotated(env, verification.decoded.jti, refreshPayload.jti, graceExpiry);
+
+      const payload = await verifyAccessToken(env, accessJwt).catch(() => null);
+      const expires_in = payload && typeof payload.exp === 'number' ? Math.max(0, payload.exp - nowSec) : 7200;
+
+      const out = {
+        access_token: accessJwt,
+        token_type: 'DPoP',
+        expires_in,
+        refresh_token: refreshJwt,
+        scope: 'atproto',
+        sub: did,
+      } as const;
+      const headers = new Headers({ 'Content-Type': 'application/json' });
+      headers.set('DPoP-Nonce', await getAuthzNonce(env));
+      return new Response(JSON.stringify(out), { status: 200, headers });
+    }
+
+    return jsonError('unsupported_grant_type', 'grant_type must be authorization_code or refresh_token');
+  } catch (e) {
+    if (e instanceof DpopNonceError) return dpopErrorResponse(env, e);
+    return jsonError('invalid_request', errorMessage(e) ?? 'Unknown error');
+  }
+}
+
+function jsonError(code: string, desc?: string): Response {
+  const headers = new Headers({ 'Content-Type': 'application/json' });
+  return new Response(JSON.stringify({ error: code, error_description: desc }), { status: 400, headers });
+}

package/src/pages/ready.ts

@@ -6,8 +6,8 @@ export async function GET({ locals }: APIContext) {
   const { env } = locals.runtime;
 
   try {
-    if (env.DB) {
-      await env.DB.prepare('select 1').first();
+    if (env.ALTERAN_DB) {
+      await env.ALTERAN_DB.prepare('select 1').first();
     }
     return new Response('ok');
   } catch (e) {

package/src/pages/xrpc/[...nsid].ts

@@ -0,0 +1,61 @@
+import type { APIContext } from 'astro';
+import { proxyAppView } from '../../lib/appview';
+import { AuthTokenExpiredError, expiredToken, isAuthorized, unauthorized } from '../../lib/auth';
+
+export const prerender = false;
+
+function shouldProxy(nsid: string): boolean {
+  return (
+    nsid.startsWith('app.bsky.') ||
+    nsid.startsWith('chat.bsky.') ||
+    nsid.startsWith('tools.ozone.')
+  );
+}
+
+function nsidFromParams(params: Record<string, any>): string {
+  const p = (params as any).nsid;
+  if (Array.isArray(p)) return p.join('');
+  return typeof p === 'string' ? p : '';
+}
+
+async function handle({ locals, request, params }: APIContext): Promise<Response> {
+  const { env } = locals.runtime;
+  try {
+    if (!(await isAuthorized(request, env))) return unauthorized();
+  } catch (error) {
+    if (error instanceof AuthTokenExpiredError) {
+      return expiredToken();
+    }
+    throw error;
+  }
+
+  const nsid = nsidFromParams(params).trim();
+  console.log('xrpc catchall invoked:', { nsid, url: request.url });
+  if (!nsid) {
+    return new Response(JSON.stringify({ error: 'NotFound' }), {
+      status: 404,
+      headers: { 'Content-Type': 'application/json' },
+    });
+  }
+
+  if (!shouldProxy(nsid)) {
+    return new Response(JSON.stringify({ error: 'NotImplemented' }), {
+      status: 404,
+      headers: { 'Content-Type': 'application/json' },
+    });
+  }
+
+  return proxyAppView({ request, env, lxm: nsid });
+}
+
+export async function GET(ctx: APIContext) {
+  return handle(ctx);
+}
+
+export async function HEAD(ctx: APIContext) {
+  return handle(ctx);
+}
+
+export async function POST(ctx: APIContext) {
+  return handle(ctx);
+}

package/src/pages/xrpc/app.bsky.actor.getPreferences.ts

@@ -1,23 +1,22 @@
 import type { APIContext } from 'astro';
-import { proxyAppView } from '../../lib/appview';
-import { isAuthorized, unauthorized } from '../../lib/auth';
+import { AuthTokenExpiredError, expiredToken, isAuthorized, unauthorized } from '../../lib/auth';
 import { getActorPreferences } from '../../lib/preferences';
 
 export const prerender = false;
 
 export async function GET({ locals, request }: APIContext) {
   const { env } = locals.runtime;
-  if (!(await isAuthorized(request, env))) return unauthorized();
+  try {
+    if (!(await isAuthorized(request, env))) return unauthorized();
+  } catch (error) {
+    if (error instanceof AuthTokenExpiredError) {
+      return expiredToken();
+    }
+    throw error;
+  }
 
-  return proxyAppView({
-    request,
-    env,
-    lxm: 'app.bsky.actor.getPreferences',
-    fallback: async () => {
-      const { preferences } = await getActorPreferences(env);
-      return new Response(JSON.stringify({ preferences }), {
-        headers: { 'Content-Type': 'application/json' },
-      });
-    },
+  const { preferences } = await getActorPreferences(env);
+  return new Response(JSON.stringify({ preferences: Array.isArray(preferences) ? preferences : [] }), {
+    headers: { 'Content-Type': 'application/json' },
   });
 }

package/src/pages/xrpc/app.bsky.actor.putPreferences.ts

@@ -1,6 +1,6 @@
 import type { APIContext } from 'astro';
-import { proxyAppView } from '../../lib/appview';
-import { isAuthorized, unauthorized } from '../../lib/auth';
+import { errorCode, errorMessage } from '../../lib/errors';
+import { AuthTokenExpiredError, expiredToken, isAuthorized, unauthorized } from '../../lib/auth';
 import { readJsonBounded } from '../../lib/util';
 import { setActorPreferences } from '../../lib/preferences';
 
@@ -8,29 +8,29 @@ export const prerender = false;
 
 export async function POST({ locals, request }: APIContext) {
   const { env } = locals.runtime;
-  if (!(await isAuthorized(request, env))) return unauthorized();
+  try {
+    if (!(await isAuthorized(request, env))) return unauthorized();
+  } catch (error) {
+    if (error instanceof AuthTokenExpiredError) {
+      return expiredToken();
+    }
+    throw error;
+  }
 
-  return proxyAppView({
-    request,
-    env,
-    lxm: 'app.bsky.actor.putPreferences',
-    fallback: async () => {
-      let body: any;
-      try {
-        body = await readJsonBounded(env, request);
-      } catch (err: any) {
-        if (err?.code === 'PayloadTooLarge') {
-          return new Response(JSON.stringify({ error: 'PayloadTooLarge' }), { status: 413 });
-        }
-        return new Response(JSON.stringify({ error: 'BadRequest' }), { status: 400 });
-      }
+  let body: any;
+  try {
+    body = await readJsonBounded(env, request);
+  } catch (error) {
+    if (errorCode(error) === 'PayloadTooLarge') {
+      return new Response(JSON.stringify({ error: 'PayloadTooLarge' }), { status: 413 });
+    }
+    return new Response(JSON.stringify({ error: 'BadRequest' }), { status: 400 });
+  }
 
-      const preferences = Array.isArray(body?.preferences) ? body.preferences : [];
-      await setActorPreferences(env, preferences);
+  const preferences = Array.isArray(body?.preferences) ? body.preferences : [];
+  await setActorPreferences(env, preferences);
 
-      return new Response(JSON.stringify({}), {
-        headers: { 'Content-Type': 'application/json' },
-      });
-    },
+  return new Response(JSON.stringify({}), {
+    headers: { 'Content-Type': 'application/json' },
   });
 }

package/src/pages/xrpc/app.bsky.unspecced.getAgeAssuranceState.ts

@@ -1,11 +1,18 @@
 import type { APIContext } from 'astro';
-import { isAuthorized, unauthorized } from '../../lib/auth';
+import { AuthTokenExpiredError, expiredToken, isAuthorized, unauthorized } from '../../lib/auth';
 
 export const prerender = false;
 
 export async function GET({ locals, request }: APIContext) {
   const { env } = locals.runtime;
-  if (!(await isAuthorized(request, env))) return unauthorized();
+  try {
+    if (!(await isAuthorized(request, env))) return unauthorized();
+  } catch (error) {
+    if (error instanceof AuthTokenExpiredError) {
+      return expiredToken();
+    }
+    throw error;
+  }
 
   return new Response(
     JSON.stringify({

package/src/pages/xrpc/chat.bsky.convo.getLog.ts

@@ -1,5 +1,5 @@
 import type { APIContext } from 'astro';
-import { isAuthorized, unauthorized } from '../../lib/auth';
+import { AuthTokenExpiredError, expiredToken, isAuthorized, unauthorized } from '../../lib/auth';
 import { getPrimaryActor } from '../../lib/actor';
 import { listChatConvoLogs } from '../../lib/chat';
 
@@ -7,7 +7,14 @@ export const prerender = false;
 
 export async function GET({ locals, request }: APIContext) {
   const { env } = locals.runtime;
-  if (!(await isAuthorized(request, env))) return unauthorized();
+  try {
+    if (!(await isAuthorized(request, env))) return unauthorized();
+  } catch (error) {
+    if (error instanceof AuthTokenExpiredError) {
+      return expiredToken();
+    }
+    throw error;
+  }
 
   const url = new URL(request.url);
   const cursorParam = url.searchParams.get('cursor');

package/src/pages/xrpc/chat.bsky.convo.listConvos.ts

@@ -1,5 +1,5 @@
 import type { APIContext } from 'astro';
-import { isAuthorized, unauthorized } from '../../lib/auth';
+import { AuthTokenExpiredError, expiredToken, isAuthorized, unauthorized } from '../../lib/auth';
 import { listChatConvos } from '../../lib/chat';
 import { getPrimaryActor } from '../../lib/actor';
 
@@ -7,7 +7,14 @@ export const prerender = false;
 
 export async function GET({ locals, request }: APIContext) {
   const { env } = locals.runtime;
-  if (!(await isAuthorized(request, env))) return unauthorized();
+  try {
+    if (!(await isAuthorized(request, env))) return unauthorized();
+  } catch (error) {
+    if (error instanceof AuthTokenExpiredError) {
+      return expiredToken();
+    }
+    throw error;
+  }
 
   const url = new URL(request.url);
   const limitInput = Number.parseInt(url.searchParams.get('limit') ?? '', 10);

package/src/pages/xrpc/com.atproto.identity.getRecommendedDidCredentials.ts

@@ -1,7 +1,6 @@
 import type { APIContext } from 'astro';
-import { isAuthorized, unauthorized } from '../../lib/auth';
+import { AuthTokenExpiredError, expiredToken, isAuthorized, unauthorized } from '../../lib/auth';
 import { resolveSecret } from '../../lib/secrets';
-import * as uint8arrays from 'uint8arrays';
 
 export const prerender = false;
 
@@ -15,49 +14,53 @@ export const prerender = false;
 export async function GET({ locals, request }: APIContext) {
   const { env } = locals.runtime;
 
-  if (!(await isAuthorized(request, env))) return unauthorized();
+  try {
+    if (!(await isAuthorized(request, env))) return unauthorized();
+  } catch (error) {
+    if (error instanceof AuthTokenExpiredError) {
+      return expiredToken();
+    }
+    throw error;
+  }
 
   try {
     const handle = (await resolveSecret(env.PDS_HANDLE)) ?? 'example.com';
     const hostname = env.PDS_HOSTNAME ?? handle;
 
-    // Load signing key (Ed25519 PKCS#8 base64)
-    const signingKeyBase64 = await resolveSecret(env.REPO_SIGNING_KEY);
-    if (!signingKeyBase64) {
+    // Always ES256K: derive did:key from the secp256k1 signing key
+    let didKey: string | undefined;
+    const priv = (await resolveSecret(env.REPO_SIGNING_KEY))?.trim();
+    if (!priv) {
       return new Response(
-        JSON.stringify({
-          error: 'InvalidRequest',
-          message: 'Signing key not configured'
-        }),
-        { status: 400, headers: { 'Content-Type': 'application/json' } }
+        JSON.stringify({ error: 'InvalidRequest', message: 'REPO_SIGNING_KEY not configured for ES256K' }),
+        { status: 400, headers: { 'Content-Type': 'application/json' } },
+      );
+    }
+    try {
+      const { Secp256k1Keypair } = await import('@atproto/crypto');
+      let keypair: { did: () => string };
+      if (/^[0-9a-fA-F]{64}$/.test(priv)) {
+        keypair = await Secp256k1Keypair.import(priv);
+      } else {
+        const bin = atob(priv.replace(/\s+/g, ''));
+        const bytes = new Uint8Array(bin.length);
+        for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
+        keypair = await Secp256k1Keypair.import(bytes);
+      }
+      didKey = keypair.did();
+    } catch (keypairError) {
+      console.error('REPO_SIGNING_KEY did:key derivation failed:', keypairError);
+      return new Response(
+        JSON.stringify({ error: 'InvalidRequest', message: 'Failed to derive secp256k1 did:key from REPO_SIGNING_KEY' }),
+        { status: 400, headers: { 'Content-Type': 'application/json' } },
       );
     }
-
-    // Import Ed25519 private key from PKCS#8 base64
-    const b64 = signingKeyBase64.replace(/\s+/g, '');
-    const bin = atob(b64);
-    const pkcs8 = new Uint8Array(bin.length);
-    for (let i = 0; i < bin.length; i++) pkcs8[i] = bin.charCodeAt(i);
-
-    // Ed25519 PKCS#8 format: the public key is the last 32 bytes of the private key section
-    // PKCS#8 structure for Ed25519:
-    // - Header (16 bytes)
-    // - Private key (32 bytes)
-    // - Public key (32 bytes)
-    // Total: 80 bytes for unencrypted PKCS#8
-    const publicKeyBytes = pkcs8.slice(-32);
-
-    // Create did:key from public key
-    // Ed25519 multicodec prefix is 0xed01
-    const multicodecPrefix = new Uint8Array([0xed, 0x01]);
-    const multicodecKey = new Uint8Array(multicodecPrefix.length + publicKeyBytes.length);
-    multicodecKey.set(multicodecPrefix);
-    multicodecKey.set(publicKeyBytes, multicodecPrefix.length);
-
-    const didKey = 'did:key:z' + uint8arrays.toString(multicodecKey, 'base58btc');
 
     // Get current PLC data to preserve rotation keys
-    const did = (await resolveSecret(env.PDS_DID)) ?? 'did:example:single-user';
+    const did = await resolveSecret(env.PDS_DID);
+    if (!did) {
+      return new Response(JSON.stringify({ error: 'InvalidRequest', message: 'PDS_DID is not configured' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
+    }
     const plcResponse = await fetch(`https://plc.directory/${did}/data`);
 
     let rotationKeys: string[] = [];
@@ -69,9 +72,7 @@ export async function GET({ locals, request }: APIContext) {
     const credentials = {
       rotationKeys,
       alsoKnownAs: [`at://${handle}`],
-      verificationMethods: {
-        atproto: didKey
-      },
+      verificationMethods: { atproto: didKey },
       services: {
         atproto_pds: {
           type: 'AtprotoPersonalDataServer',
@@ -84,14 +85,15 @@ export async function GET({ locals, request }: APIContext) {
       JSON.stringify(credentials),
       { status: 200, headers: { 'Content-Type': 'application/json' } }
     );
-  } catch (error: any) {
+  } catch (error) {
     console.error('Get recommended credentials error:', error);
+    const message = error instanceof Error ? error.message : 'Failed to get recommended credentials';
     return new Response(
       JSON.stringify({
         error: 'InternalServerError',
-        message: error.message || 'Failed to get recommended credentials'
+        message,
       }),
       { status: 500, headers: { 'Content-Type': 'application/json' } }
     );
   }
-}
+}