@alteran/astro 0.3.9 → 0.6.1

package/src/lib/auth.ts

@@ -1,6 +1,8 @@
 import type { APIContext } from 'astro';
 import type { Env } from '../env';
+import { AuthTokenExpiredError } from './auth-errors';
 import { verifyJwt, type JwtClaims } from './jwt';
+import { bearerToken } from './util';
 
 export interface AuthContext {
   token: string;
@@ -9,18 +11,57 @@ export interface AuthContext {
 
 export async function isAuthorized(request: Request, env: Env): Promise<boolean> {
   const auth = request.headers.get('authorization');
-  if (!auth || !auth.startsWith('Bearer ')) return false;
-  const token = auth.slice(7);
+
+  console.error('=== AUTH DEBUG START ===');
+  console.error('URL:', request.url);
+  console.error('Has Auth Header:', !!auth);
+  console.error('Auth Prefix:', auth?.substring(0, 30));
+  console.error('=== AUTH DEBUG END ===');
+
+  const token = bearerToken(request);
+  if (!token) {
+    console.error('RESULT: No Bearer or DPoP token found');
+    return false;
+  }
+
+  console.error('Token Length:', token.length);
+  console.error('Token Prefix:', token.substring(0, 30));
+
   // Prefer JWT
-  const ver = await verifyJwt(env, token).catch((err) => {
-    console.error('JWT verification error:', err);
-    return null;
-  });
-  if (ver && ver.valid && ver.payload.t === 'access') return true;
+  let ver;
+  try {
+    ver = await verifyJwt(env, token);
+  } catch (error) {
+    if (error instanceof AuthTokenExpiredError) {
+      throw error;
+    }
+    console.error('JWT VERIFICATION ERROR:', error instanceof Error ? error.message : String(error));
+    return false;
+  }
+
+  console.error('JWT Valid:', ver?.valid);
+  console.error('JWT Type:', ver?.payload?.t);
+  console.error('JWT Sub:', ver?.payload?.sub);
+
+  if (ver && ver.valid && ver.payload.t === 'access') {
+    console.error('RESULT: JWT Success');
+    return true;
+  }
+
   // Back-compat local escape hatch if explicitly enabled
   const allowDev = (env as any).PDS_ALLOW_DEV_TOKEN === '1';
-  if (allowDev && token === 'dev-access-token') return true;
-  if (allowDev && env.USER_PASSWORD && token === env.USER_PASSWORD) return true;
+  console.error('Allow Dev Token:', allowDev);
+
+  if (allowDev && token === 'dev-access-token') {
+    console.error('RESULT: Dev token accepted');
+    return true;
+  }
+  if (allowDev && env.USER_PASSWORD && token === env.USER_PASSWORD) {
+    console.error('RESULT: User password accepted');
+    return true;
+  }
+
+  console.error('RESULT: Unauthorized');
   return false;
 }
 
@@ -29,15 +70,22 @@ export function unauthorized() {
 }
 
 export async function authenticateRequest(request: Request, env: Env): Promise<AuthContext | null> {
-  const auth = request.headers.get('authorization');
-  if (!auth || !auth.startsWith('Bearer ')) return null;
-  const token = auth.slice(7);
-  const ver = await verifyJwt(env, token).catch((err) => {
-    console.error('JWT verification error:', err);
+  const token = bearerToken(request);
+  if (!token) return null;
+  let ver;
+  try {
+    ver = await verifyJwt(env, token);
+  } catch (error) {
+    if (error instanceof AuthTokenExpiredError) {
+      throw error;
+    }
+    console.error('JWT verification error:', error);
     return null;
-  });
+  }
   if (!ver || !ver.valid) return null;
   const claims = ver.payload as JwtClaims;
   if (claims.t !== 'access') return null;
   return { token, claims };
 }
+
+export { AuthTokenExpiredError, expiredToken } from './auth-errors';

package/src/lib/blockstore-gc.ts

@@ -11,7 +11,7 @@ import * as dagCbor from '@ipld/dag-cbor';
  * This traverses the MST structure to find all blocks that are still in use
  */
 async function collectReferencedCids(env: Env, keepCommits: number = 10000): Promise<Set<string>> {
-  const db = drizzle(env.DB);
+  const db = drizzle(env.ALTERAN_DB);
   const referenced = new Set<string>();
 
   // Get recent commits
@@ -60,12 +60,13 @@ async function collectReferencedCids(env: Env, keepCommits: number = 10000): Pro
  * Recursively traverse MST nodes to collect all CIDs
  */
 async function traverseMst(env: Env, rootCid: string, referenced: Set<string>): Promise<void> {
-  const db = drizzle(env.DB);
+  const db = drizzle(env.ALTERAN_DB);
   const visited = new Set<string>();
   const queue = [rootCid];
 
   while (queue.length > 0) {
-    const cidStr = queue.shift()!;
+    const cidStr = queue.shift();
+    if (cidStr === undefined) break;
 
     if (visited.has(cidStr)) continue;
     visited.add(cidStr);
@@ -127,7 +128,7 @@ async function traverseMst(env: Env, rootCid: string, referenced: Set<string>):
  * @returns Number of blocks removed
  */
 export async function pruneOrphanedBlocks(env: Env, keepCommits: number = 10000): Promise<number> {
-  const db = drizzle(env.DB);
+  const db = drizzle(env.ALTERAN_DB);
 
   // Collect all CIDs referenced by recent commits
   const referenced = await collectReferencedCids(env, keepCommits);
@@ -180,7 +181,7 @@ export async function getBlockstoreStats(env: Env): Promise<{
   total: number;
   totalSize: number;
 }> {
-  const db = drizzle(env.DB);
+  const db = drizzle(env.ALTERAN_DB);
   const blocks = await db.select().from(blockstore).all();
 
   const totalSize = blocks.reduce((sum, block) => {

package/src/lib/cache.ts

@@ -97,12 +97,26 @@ export function getCacheKey(request: Request, prefix?: string): string {
 /**
  * Get cached response from Cache API
  */
+function resolveDefaultCache(): Cache | null {
+  if (typeof caches === 'undefined') {
+    return null;
+  }
+  try {
+    return ((caches as any).default ?? null) as Cache | null;
+  } catch {
+    return null;
+  }
+}
+
 export async function getCachedResponse(
   request: Request,
   options?: { prefix?: string }
 ): Promise<Response | null> {
   try {
-    const cache = (caches as any).default as Cache;
+    const cache = resolveDefaultCache();
+    if (!cache) {
+      return null;
+    }
     const cacheKey = getCacheKey(request, options?.prefix);
     const cacheUrl = new URL(cacheKey, request.url);
     const cacheRequest = new Request(cacheUrl, request);
@@ -123,7 +137,10 @@ export async function putCachedResponse(
   options: CacheOptions
 ): Promise<void> {
   try {
-    const cache = (caches as any).default as Cache;
+    const cache = resolveDefaultCache();
+    if (!cache) {
+      return;
+    }
     const cacheKey = getCacheKey(request, options.prefix);
     const cacheUrl = new URL(cacheKey, request.url);
     const cacheRequest = new Request(cacheUrl, request);
@@ -155,7 +172,10 @@ export async function invalidateCache(
   options?: { prefix?: string }
 ): Promise<boolean> {
   try {
-    const cache = (caches as any).default as Cache;
+    const cache = resolveDefaultCache();
+    if (!cache) {
+      return false;
+    }
     const cacheKey = getCacheKey(request, options?.prefix);
     const cacheUrl = new URL(cacheKey, request.url);
     const cacheRequest = new Request(cacheUrl, request);
@@ -183,7 +203,13 @@ export async function withCache(
   // Check cache first
   const cached = await getCachedResponse(request, { prefix: options.prefix });
   if (cached) {
-    return cached;
+    // Clone the cached response to avoid immutable headers issue
+    // Cache API responses have immutable headers which Astro may try to modify
+    return new Response(cached.body, {
+      status: cached.status,
+      statusText: cached.statusText,
+      headers: new Headers(cached.headers),
+    });
   }
 
   // Generate response

package/src/lib/chat.ts

@@ -10,30 +10,30 @@ export interface ListConvosFilters {
 export interface ConvoView {
   id: string;
   rev: string;
-  members: any[];
+  members: unknown[];
   muted: boolean;
   unreadCount: number;
   status?: string;
-  lastMessage?: any;
-  lastReaction?: any;
+  lastMessage?: unknown;
+  lastReaction?: unknown;
 }
 
 export type ConvoLogEntry =
   | { $type: 'chat.bsky.convo.defs#logBeginConvo'; rev: string; convoId: string }
-  | { $type: 'chat.bsky.convo.defs#logCreateMessage'; rev: string; convoId: string; message: any }
+  | { $type: 'chat.bsky.convo.defs#logCreateMessage'; rev: string; convoId: string; message: unknown }
   | {
       $type: 'chat.bsky.convo.defs#logAddReaction';
       rev: string;
       convoId: string;
-      message: any;
-      reaction: any;
+      message: unknown;
+      reaction: unknown;
     };
 
 export async function ensureChatTables(env: Env) {
   if (tablesEnsured) return;
 
   // Create chat_convo table
-  await env.DB.prepare(
+  await env.ALTERAN_DB.prepare(
     'CREATE TABLE IF NOT EXISTS chat_convo (' +
     'id TEXT PRIMARY KEY, ' +
     'rev TEXT NOT NULL, ' +
@@ -48,7 +48,7 @@ export async function ensureChatTables(env: Env) {
   ).run();
 
   // Create chat_convo_member table
-  await env.DB.prepare(
+  await env.ALTERAN_DB.prepare(
     'CREATE TABLE IF NOT EXISTS chat_convo_member (' +
     'convo_id TEXT NOT NULL, ' +
     'did TEXT NOT NULL, ' +
@@ -61,7 +61,7 @@ export async function ensureChatTables(env: Env) {
   ).run();
 
   // Create index
-  await env.DB.prepare(
+  await env.ALTERAN_DB.prepare(
     'CREATE INDEX IF NOT EXISTS chat_convo_member_did_idx ON chat_convo_member (did)'
   ).run();
 
@@ -103,7 +103,7 @@ export async function listChatConvos(
   query += ' ORDER BY rowid DESC LIMIT ?';
   params.push(limit);
 
-  const result = await env.DB.prepare(query).bind(...params).all<{
+  const result = await env.ALTERAN_DB.prepare(query).bind(...params).all<{
     rowid: number;
     id: string;
     rev: string;
@@ -119,7 +119,7 @@ export async function listChatConvos(
 
   if (result.results) {
     for (const row of result.results) {
-      const members = await env.DB.prepare(
+      const members = await env.ALTERAN_DB.prepare(
         `SELECT did, handle, display_name, avatar FROM chat_convo_member WHERE convo_id = ? ORDER BY position ASC`
       )
         .bind(row.id)
@@ -130,8 +130,14 @@ export async function listChatConvos(
           avatar: string | null;
         }>();
 
-      const memberViews = (members.results ?? []).map((member) => {
-        const view: any = {
+      type MemberView = {
+        did: string;
+        handle: string;
+        displayName?: string;
+        avatar?: string;
+      };
+      const memberViews: MemberView[] = (members.results ?? []).map((member) => {
+        const view: MemberView = {
           did: member.did,
           handle: member.handle,
         };
@@ -180,7 +186,7 @@ export async function listChatConvoLogs(env: Env, did: string, cursor?: number,
   query += ' ORDER BY rowid DESC LIMIT ?';
   params.push(limit);
 
-  const result = await env.DB.prepare(query).bind(...params).all<{
+  const result = await env.ALTERAN_DB.prepare(query).bind(...params).all<{
     rowid: number;
     id: string;
     rev: string;

package/src/lib/commit-log-pruning.ts

@@ -18,7 +18,7 @@ import { logger } from './logger';
  * @returns Number of commits pruned
  */
 export async function pruneOldCommits(env: Env, keepCount: number = 10000): Promise<number> {
-  const db = drizzle(env.DB);
+  const db = drizzle(env.ALTERAN_DB);
 
   // Get the sequence number of the Nth most recent commit
   const threshold = await db
@@ -60,7 +60,7 @@ export async function getCommitLogStats(env: Env): Promise<{
   oldest: number | null;
   newest: number | null;
 }> {
-  const db = drizzle(env.DB);
+  const db = drizzle(env.ALTERAN_DB);
 
   const [oldest, newest, count] = await Promise.all([
     db.select({ seq: commit_log.seq }).from(commit_log).orderBy(commit_log.seq).limit(1).get(),

package/src/lib/commit.ts

@@ -1,6 +1,8 @@
 import { CID } from 'multiformats/cid';
 import * as dagCbor from '@ipld/dag-cbor';
 import { sha256 } from 'multiformats/hashes/sha2';
+import { Secp256k1Keypair, verifySignature } from '@atproto/crypto';
+import { ServerMisconfigured } from './errors';
 
 /**
  * AT Protocol Commit Structure
@@ -12,7 +14,7 @@ import { sha256 } from 'multiformats/hashes/sha2';
  * - data: CID of the MST root
  * - rev: Revision number (TID format)
  * - prev: CID of the previous commit (null for first commit)
- * - sig: Ed25519 signature over the commit data
+ * - sig: secp256k1 signature over the commit data (64-byte compact)
  */
 
 export interface CommitData {
@@ -46,34 +48,37 @@ export function createCommit(
 }
 
 /**
- * Sign a commit with Ed25519 private key
+ * Sign a commit with secp256k1 private key
  */
 export async function signCommit(
   commit: CommitData,
-  privateKeyBase64: string,
+  privateKey: string,
 ): Promise<SignedCommit> {
   // Encode commit to CBOR for signing
   const commitBytes = dagCbor.encode(commit);
 
-  // Import private key (PKCS#8 base64)
-  const b64 = privateKeyBase64.replace(/\s+/g, '');
-  const bin = atob(b64);
-  const pkcs8 = new Uint8Array(bin.length);
-  for (let i = 0; i < bin.length; i++) pkcs8[i] = bin.charCodeAt(i);
-  const privateKey = await crypto.subtle.importKey(
-    'pkcs8',
-    pkcs8,
-    { name: 'Ed25519', namedCurve: 'Ed25519' } as any,
-    false,
-    ['sign']
-  );
-
-  // Sign the commit bytes
-  const signature = await crypto.subtle.sign('Ed25519', privateKey, new Uint8Array(commitBytes as unknown as Uint8Array));
+  // Accept hex (preferred) or base64 input for the 32-byte secp256k1 private key
+  const cleaned = privateKey.trim();
+  let keypair: Secp256k1Keypair;
+  if (/^[0-9a-fA-F]{64}$/.test(cleaned)) {
+    keypair = await Secp256k1Keypair.import(cleaned);
+  } else {
+    // try base64
+    try {
+      const bin = atob(cleaned.replace(/\s+/g, ''));
+      const priv = new Uint8Array(bin.length);
+      for (let i = 0; i < bin.length; i++) priv[i] = bin.charCodeAt(i);
+      keypair = await Secp256k1Keypair.import(priv);
+    } catch {
+      throw new ServerMisconfigured('Invalid REPO_SIGNING_KEY format: expected 32-byte hex or base64');
+    }
+  }
+
+  const signature = await keypair.sign(new Uint8Array(commitBytes as unknown as Uint8Array));
 
   return {
     ...commit,
-    sig: new Uint8Array(signature),
+    sig: signature,
   };
 }
 
@@ -82,28 +87,13 @@ export async function signCommit(
  */
 export async function verifyCommit(
   signedCommit: SignedCommit,
-  publicKeyBase64: string,
+  didKey: string,
 ): Promise<boolean> {
   try {
     // Extract commit data (without signature)
     const { sig, ...commit } = signedCommit;
     const commitBytes = dagCbor.encode(commit);
-
-    // Import public key (SPKI base64)
-    const b64 = publicKeyBase64.replace(/\s+/g, '');
-    const bin = atob(b64);
-    const spki = new Uint8Array(bin.length);
-    for (let i = 0; i < bin.length; i++) spki[i] = bin.charCodeAt(i);
-    const publicKey = await crypto.subtle.importKey(
-      'spki',
-      spki,
-      { name: 'Ed25519', namedCurve: 'Ed25519' } as any,
-      false,
-      ['verify']
-    );
-
-    // Verify signature
-    return await crypto.subtle.verify('Ed25519', publicKey, sig as any, new Uint8Array(commitBytes as unknown as Uint8Array));
+    return verifySignature(didKey, new Uint8Array(commitBytes as unknown as Uint8Array), sig);
   } catch (error) {
     console.error('Commit verification failed:', error);
     return false;

package/src/lib/config.ts

@@ -20,21 +20,26 @@ const OPTIONAL_VARS = {
   PDS_CORS_ORIGIN: '*',
   PDS_SEQ_WINDOW: '512',
   ENVIRONMENT: 'development',
-  PDS_BSKY_APP_VIEW_URL: 'https://public.api.bsky.app',
+  PDS_BSKY_APP_VIEW_URL: 'https://api.bsky.app',
   PDS_BSKY_APP_VIEW_DID: 'did:web:api.bsky.app',
   PDS_BSKY_APP_VIEW_CDN_URL_PATTERN: '',
+  // Additional proxied services
+  PDS_BSKY_CHAT_URL: 'https://api.bsky.chat',
+  PDS_BSKY_CHAT_DID: 'did:web:api.bsky.chat',
+  PDS_OZONE_URL: 'https://mod.bsky.app',
+  PDS_OZONE_DID: 'did:plc:ar7c4by46qjdydhdevvrndac',
 } as const;
 
 /**
  * Configuration validation result
  */
 export interface ConfigValidationResult {
-  valid: boolean;
-  missing: string[];
-  warnings: string[];
-  config: {
-    required: Record<string, string>;
-    optional: Record<string, string>;
+  readonly valid: boolean;
+  readonly missing: readonly string[];
+  readonly warnings: readonly string[];
+  readonly config: {
+    readonly required: Readonly<Record<string, string>>;
+    readonly optional: Readonly<Record<string, string>>;
   };
 }
 
@@ -76,13 +81,13 @@ export function validateConfig(env: Env): ConfigValidationResult {
   }
 
   // DID format validation
-  const did = env.PDS_DID;
+  const did = typeof env.PDS_DID === 'string' ? env.PDS_DID : undefined;
   if (did && !did.startsWith('did:')) {
     warnings.push(`PDS_DID should start with 'did:' (got: ${did})`);
   }
 
   // Handle format validation
-  const handle = env.PDS_HANDLE;
+  const handle = typeof env.PDS_HANDLE === 'string' ? env.PDS_HANDLE : undefined;
   if (handle && handle.includes('://')) {
     warnings.push(`PDS_HANDLE should not include protocol (got: ${handle})`);
   }
@@ -108,9 +113,7 @@ export function validateConfig(env: Env): ConfigValidationResult {
     warnings.push('REPO_SIGNING_KEY is not set - repository commits will not be signed');
   }
 
-  if (!env.PDS_SERVICE_SIGNING_KEY_HEX) {
-    warnings.push('PDS_SERVICE_SIGNING_KEY_HEX is not set - service-to-service authentication will be disabled');
-  }
+  // Service-auth uses REPO_SIGNING_KEY (secp256k1). No separate service key required.
 
   const valid = missing.length === 0;
 
@@ -184,10 +187,18 @@ export function validateConfigOrThrow(env: Env): void {
 export function getConfig(env: Env) {
   const result = validateConfig(env);
 
+  const did = env.PDS_DID;
+  const handle = env.PDS_HANDLE;
+  if (typeof did !== 'string' || did === '' || typeof handle !== 'string' || handle === '') {
+    throw new Error(
+      `getConfig called with invalid configuration. Missing: ${result.missing.join(', ')}`,
+    );
+  }
+
   return {
     // Required
-    did: env.PDS_DID!,
-    handle: env.PDS_HANDLE!,
+    did,
+    handle,
 
     // Optional with defaults
     allowedMime: result.config.optional.PDS_ALLOWED_MIME.split(','),
@@ -209,7 +220,7 @@ export function getConfig(env: Env) {
     hostname: env.PDS_HOSTNAME,
     accessTtlSec: env.PDS_ACCESS_TTL_SEC ? parseInt(env.PDS_ACCESS_TTL_SEC) : 3600,
     refreshTtlSec: env.PDS_REFRESH_TTL_SEC ? parseInt(env.PDS_REFRESH_TTL_SEC) : 2592000,
-    serviceSigningKeyHex: env.PDS_SERVICE_SIGNING_KEY_HEX,
+    serviceSigningKeyHex: undefined,
   };
 }
 

package/src/lib/did-document.ts

@@ -0,0 +1,32 @@
+import type { Env } from '../env';
+import { getRuntimeString } from './secrets';
+
+export interface DidDocument {
+  '@context': string[];
+  id: string;
+  alsoKnownAs: string[];
+  verificationMethod: any[];
+  service: Array<{
+    id: string;
+    type: string;
+    serviceEndpoint: string;
+  }>;
+}
+
+export async function buildDidDocument(env: Env, did: string, handle: string): Promise<DidDocument> {
+  const hostname = await getRuntimeString(env, 'PDS_HOSTNAME', handle);
+
+  return {
+    '@context': ['https://www.w3.org/ns/did/v1'],
+    id: did,
+    alsoKnownAs: [`at://${handle}`],
+    verificationMethod: [],
+    service: [
+      {
+        id: '#atproto_pds',
+        type: 'AtprotoPersonalDataServer',
+        serviceEndpoint: `https://${hostname}`,
+      },
+    ],
+  };
+}

package/src/lib/errors.ts

@@ -93,6 +93,38 @@ export class InternalServerError extends XRPCError {
   }
 }
 
+// 400 - Invalid atproto-proxy header
+export class InvalidProxyHeader extends XRPCError {
+  constructor(message: string = 'Invalid atproto-proxy header', details?: Record<string, unknown>) {
+    super('InvalidProxyHeader', message, 400, details);
+    this.name = 'InvalidProxyHeader';
+  }
+}
+
+// 502 - Upstream proxy or DID resolution failure
+export class UpstreamProxyFailure extends XRPCError {
+  constructor(message: string = 'Upstream proxy failure', details?: Record<string, unknown>) {
+    super('UpstreamProxyFailure', message, 502, details);
+    this.name = 'UpstreamProxyFailure';
+  }
+}
+
+// 500 - Server misconfiguration (missing secrets, invalid signing key, etc)
+export class ServerMisconfigured extends XRPCError {
+  constructor(message: string = 'Server misconfigured', details?: Record<string, unknown>) {
+    super('ServerMisconfigured', message, 500, details);
+    this.name = 'ServerMisconfigured';
+  }
+}
+
+// 413 - Payload too large (rejected before parsing)
+export class PayloadTooLarge extends XRPCError {
+  constructor(message: string = 'Payload too large', details?: Record<string, unknown>) {
+    super('PayloadTooLarge', message, 413, details);
+    this.name = 'PayloadTooLarge';
+  }
+}
+
 /**
  * User-friendly error messages
  * Maps technical errors to actionable guidance
@@ -121,6 +153,28 @@ export function categorizeError(status: number): 'client' | 'server' {
   return status >= 400 && status < 500 ? 'client' : 'server';
 }
 
+/**
+ * Narrow an unknown thrown value to extract its `code` and `message` fields
+ * without resorting to `any`. Useful in catch blocks for libraries that
+ * decorate Errors with custom code strings (jose, ResourceAuthError, etc.).
+ */
+export function errorCode(error: unknown): string | undefined {
+  if (error && typeof error === 'object' && 'code' in error) {
+    const value = (error as { code: unknown }).code;
+    return typeof value === 'string' ? value : undefined;
+  }
+  return undefined;
+}
+
+export function errorMessage(error: unknown): string {
+  if (error instanceof Error) return error.message;
+  if (error && typeof error === 'object' && 'message' in error) {
+    const value = (error as { message: unknown }).message;
+    if (typeof value === 'string') return value;
+  }
+  return String(error);
+}
+
 /**
  * Convert any error to XRPCError
  */