@alteran/astro 0.7.7 → 0.8.1

package/src/pages/xrpc/com.atproto.repo.describeRepo.ts

@@ -1,5 +1,11 @@
 import type { APIContext } from 'astro';
-import { getRoot } from '../../db/repo';
+import { buildDidDocument } from '../../lib/did-document';
+import {
+  configuredDid,
+  configuredHandle,
+  didDocClaimsHandle,
+  handleResolvesToDid,
+} from '../../lib/public-host';
 
 export const prerender = false;
 
@@ -10,30 +16,25 @@ export const prerender = false;
 export async function GET({ locals, url }: APIContext) {
   const { env } = locals.runtime;
 
-  const repo = url.searchParams.get('repo') || (env.PDS_DID as string);
-  const did = env.PDS_DID as string;
-  const handle = env.PDS_HANDLE || 'user.example.com';
+  const repo = url.searchParams.get('repo');
+  const did = await configuredDid(env);
+  const handle = await configuredHandle(env);
+  if (repo && repo !== did && repo.toLowerCase() !== handle.toLowerCase()) {
+    return new Response(
+      JSON.stringify({ error: 'NotFound', message: 'Repo not found' }),
+      { status: 404, headers: { 'Content-Type': 'application/json' } },
+    );
+  }
 
-  // Get repo root to check if repo exists
-  const root = await getRoot(env);
+  const didDoc = await buildDidDocument(env, did, handle);
+  const handleIsCorrect = didDocClaimsHandle(didDoc, handle) &&
+    await handleResolvesToDid(env, handle, did);
 
   return new Response(
     JSON.stringify({
       did,
       handle,
-      didDoc: {
-        '@context': ['https://www.w3.org/ns/did/v1'],
-        id: did,
-        alsoKnownAs: [`at://${handle}`],
-        verificationMethod: [],
-        service: [
-          {
-            id: '#atproto_pds',
-            type: 'AtprotoPersonalDataServer',
-            serviceEndpoint: `https://${handle}`,
-          },
-        ],
-      },
+      didDoc,
       collections: [
         'app.bsky.feed.post',
         'app.bsky.feed.like',
@@ -41,7 +42,7 @@ export async function GET({ locals, url }: APIContext) {
         'app.bsky.graph.follow',
         'app.bsky.actor.profile',
       ],
-      handleIsCorrect: true,
+      handleIsCorrect,
     }),
     {
       status: 200,

package/src/pages/xrpc/com.atproto.repo.getRecord.ts

@@ -30,7 +30,12 @@ export async function GET({ locals, request }: APIContext) {
   }
 
   const row = await dalGetRecord(env, uri);
-  if (!row) return new Response(JSON.stringify({ error: 'NotFound' }), { status: 404 });
+  if (!row) {
+    return new Response(
+      JSON.stringify({ error: 'RecordNotFound', message: `Could not locate record: ${uri}` }),
+      { status: 400, headers: { 'Content-Type': 'application/json' } },
+    );
+  }
 
   return new Response(JSON.stringify({ uri: row.uri, cid: row.cid, value: JSON.parse(row.json) }), {
     headers: { 'Content-Type': 'application/json' },

package/src/pages/xrpc/com.atproto.repo.listMissingBlobs.ts

@@ -1,6 +1,7 @@
 import type { APIContext } from 'astro';
 import { errorMessage } from '../../lib/errors';
-import { authErrorResponse, isAuthorized, unauthorized } from '../../lib/auth';
+import { authErrorResponse, authenticateRequest, unauthorized } from '../../lib/auth';
+import { canUseAppPasswordLevelAccess } from '../../lib/auth-scope';
 import { getDb } from '../../db/client';
 import { record, blob_ref } from '../../db/schema';
 import { eq } from 'drizzle-orm';
@@ -18,7 +19,8 @@ export async function GET({ locals, request, url }: APIContext) {
   const { env } = locals.runtime;
 
   try {
-    if (!(await isAuthorized(request, env))) return unauthorized();
+    const auth = await authenticateRequest(request, env);
+    if (!auth || !canUseAppPasswordLevelAccess(auth.access)) return unauthorized();
   } catch (error) {
     const handled = await authErrorResponse(env, error);
     if (handled) return handled;

package/src/pages/xrpc/com.atproto.repo.putRecord.ts

@@ -1,72 +1,109 @@
 import type { APIContext } from 'astro';
-import { errorCode, errorMessage } from '../../lib/errors';
-import { verifyResourceRequestHybrid, dpopResourceUnauthorized, handleResourceAuthError } from '../../lib/oauth/resource';
+import { errorCode } from '../../lib/errors';
+import { verifyResourceRequestHybrid, dpopResourceUnauthorized, handleResourceAuthError, insufficientScopeResponse } from '../../lib/oauth/resource';
+import { canWriteRepo } from '../../lib/auth-scope';
 import { checkRate } from '../../lib/ratelimit';
 import { readJsonBounded } from '../../lib/util';
-import { RepoManager } from '../../services/repo-manager';
 import { notifySequencer } from '../../lib/sequencer';
+import { deleteUnreferencedBlobKeys, isAccountActive, sweepEligibleUnreferencedBlobKeys } from '../../db/dal';
+import {
+  assertRepoWriteInput,
+  handleRepoWriteError,
+  jsonError,
+  preparePutRecord,
+  putRecordAuthorizations,
+  RepoWriteError,
+  retryNoSwapCommit,
+} from '../../lib/repo-write-validation';
 
 export const prerender = false;
 
 export async function POST({ locals, request }: APIContext) {
-  const { env } = locals.runtime;
+  const { env, ctx } = locals.runtime;
+  let auth: NonNullable<Awaited<ReturnType<typeof verifyResourceRequestHybrid>>>;
   try {
-    const auth = await verifyResourceRequestHybrid(env, request);
-    if (!auth) return dpopResourceUnauthorized(env);
+    const verified = await verifyResourceRequestHybrid(env, request);
+    if (!verified) return dpopResourceUnauthorized(env);
+    auth = verified;
   } catch (error) {
     const handled = await handleResourceAuthError(env, error);
     if (handled) return handled;
     throw error;
   }
 
-  const rateLimitResponse = await checkRate(env, request, 'writes');
-  if (rateLimitResponse) return rateLimitResponse;
-
-  let body: any;
+  let body: unknown;
   try {
     body = await readJsonBounded(env, request);
-  } catch (e) {
-    if (errorCode(e) === 'PayloadTooLarge') {
-      return new Response(JSON.stringify({ error: 'PayloadTooLarge' }), { status: 413 });
+  } catch (error) {
+    const rateLimitResponse = await checkRate(env, request, 'writes', { key: auth.did });
+    if (rateLimitResponse) return rateLimitResponse;
+    if (errorCode(error) === 'PayloadTooLarge') {
+      return jsonError('PayloadTooLarge', undefined, 413);
     }
-    return new Response(JSON.stringify({ error: 'BadRequest' }), { status: 400 });
+    return jsonError('BadRequest');
   }
-  const { collection, rkey } = body ?? {};
-  let { record } = body ?? {};
-  if (!collection || !rkey || !record) return new Response(JSON.stringify({ error: 'BadRequest' }), { status: 400 });
 
-  if (collection === 'app.bsky.feed.post' && record && typeof record === 'object') {
-    if (typeof record.text !== 'string') {
-      record.text = '';
-    }
-    if (typeof record.createdAt !== 'string') {
-      record.createdAt = new Date().toISOString();
+  let writeRateCharged = false;
+  try {
+    const input = assertRepoWriteInput('com.atproto.repo.putRecord', body);
+    for (const write of putRecordAuthorizations(input)) {
+      if (!canWriteRepo(auth.access, write.collection, write.action)) return insufficientScopeResponse();
     }
-  }
 
-  const repo = new RepoManager(env);
-  const result = await repo.putRecord(collection, rkey, record);
-  await notifySequencer(env, {
-    did: env.PDS_DID as string,
-    commitCid: result.commitCid,
-    rev: result.rev,
-    data: result.commitData,
-    sig: result.sig,
-    ops: result.ops,
-    blocks: result.blocks
-  });
+    const rateLimitResponse = await checkRate(env, request, 'writes', { key: auth.did });
+    writeRateCharged = true;
+    if (rateLimitResponse) return rateLimitResponse;
 
-  const out = {
-    uri: result.uri,
-    cid: result.cid,
-    commit: {
-      cid: result.commitCid,
-      rev: result.rev,
-    },
-    validationStatus: 'unknown' as const,
-  };
+    if (!(await isAccountActive(env, auth.did))) {
+      return jsonError('AccountDeactivated', 'Account is deactivated. Activate it before making changes.', 403);
+    }
 
-  return new Response(JSON.stringify(out), {
-    headers: { 'Content-Type': 'application/json' },
-  });
+    const { prepared, result } = await retryNoSwapCommit(input, async () => {
+      const prepared = await preparePutRecord(env, auth, input);
+      const { write, repo } = prepared;
+      const result = await repo.putRecord(
+        write.collection,
+        write.rkey,
+        write.record,
+        write.blobKeys,
+        prepared.expectedCommitCid,
+      );
+      return { prepared, result };
+    });
+    if (result.commitCid && result.rev && result.commitData && result.sig && result.blocks) {
+      await notifySequencer(env, {
+        did: prepared.did,
+        commitCid: result.commitCid,
+        rev: result.rev,
+        data: result.commitData,
+        sig: result.sig,
+        ops: result.ops,
+        blocks: result.blocks
+      });
+      await deleteUnreferencedBlobKeys(env, result.dereferencedBlobKeys).catch((error) => {
+        console.warn('[putRecord] Failed to clean dereferenced blobs:', error);
+      });
+      ctx?.waitUntil(sweepEligibleUnreferencedBlobKeys(env).catch((error) => {
+        console.warn('[putRecord] Failed to sweep dereferenced blobs:', error);
+      }));
+    }
+
+    return new Response(JSON.stringify({
+      uri: result.uri,
+      cid: result.cid,
+      ...(result.commitCid && result.rev ? { commit: {
+        cid: result.commitCid,
+        rev: result.rev,
+      } } : {}),
+      validationStatus: prepared.write.validationStatus,
+    }), {
+      headers: { 'Content-Type': 'application/json' },
+    });
+  } catch (error) {
+    if (!writeRateCharged && error instanceof RepoWriteError) {
+      const rateLimitResponse = await checkRate(env, request, 'writes', { key: auth.did });
+      if (rateLimitResponse) return rateLimitResponse;
+    }
+    return handleRepoWriteError(error);
+  }
 }

package/src/pages/xrpc/com.atproto.repo.uploadBlob.ts

@@ -1,52 +1,48 @@
 import type { APIContext } from 'astro';
-import { errorMessage } from '../../lib/errors';
-import { verifyResourceRequestHybrid, dpopResourceUnauthorized, handleResourceAuthError } from '../../lib/oauth/resource';
+import type { Env } from '../../env';
+import { PayloadTooLarge } from '../../lib/errors';
+import {
+  verifyResourceRequestHybrid,
+  dpopResourceUnauthorized,
+  handleResourceAuthError,
+  insufficientScopeResponse,
+  type ResourceAuthContext,
+} from '../../lib/oauth/resource';
+import { canUploadBlob } from '../../lib/auth-scope';
 import { verifyServiceAuth, isServiceAuthToken } from '../../lib/service-auth';
 import { checkRate } from '../../lib/ratelimit';
-import { isAllowedMime, sniffMime, baseMime } from '../../lib/util';
-import { R2BlobStore } from '../../services/r2-blob-store';
-import { putBlobRef, checkBlobQuota, updateBlobQuota, isAccountActive } from '../../db/dal';
+import { sniffMime, baseMime, readBodyBounded, readStreamBounded } from '../../lib/util';
+import {
+  deleteUnreferencedBlobRef,
+  isAccountActive,
+  registerBlobRefWithQuota,
+  sweepEligibleUnreferencedBlobKeys,
+} from '../../db/dal';
 import { resolveSecret } from '../../lib/secrets';
 import { CID } from 'multiformats/cid';
 import { sha256 } from 'multiformats/hashes/sha2';
+import { jsonError } from '../../lib/repo-write-error';
 
 export const prerender = false;
 
+const UPLOAD_BLOB_LXM = 'com.atproto.repo.uploadBlob';
+
+type UploadAuth =
+  | { tag: 'service' }
+  | { tag: 'user'; auth: ResourceAuthContext };
+
 export async function POST({ locals, request }: APIContext) {
   const { env } = locals.runtime;
-  
-  // Check if this is a service auth request (from video.bsky.app, etc.)
-  const authHeader = request.headers.get('authorization');
-  const token = authHeader?.startsWith('Bearer ') ? authHeader.slice(7).trim() : null;
-  
-  let isServiceAuth = false;
-  if (token && isServiceAuthToken(token)) {
-    const serviceAuth = await verifyServiceAuth(env, request);
-    if (serviceAuth) {
-      isServiceAuth = true;
-    } else {
-      return new Response(
-        JSON.stringify({ error: 'AuthRequired', message: 'Invalid service auth token' }),
-        { status: 401, headers: { 'Content-Type': 'application/json' } }
-      );
-    }
+  const did = await resolveSecret(env.PDS_DID);
+  if (!did) {
+    return jsonError('InternalServerError', 'PDS_DID is not configured', 500);
   }
-
-  // If not service auth, verify as user request
-  if (!isServiceAuth) {
-    try {
-      const auth = await verifyResourceRequestHybrid(env, request);
-      if (!auth) return dpopResourceUnauthorized(env);
-    } catch (error) {
-      const handled = await handleResourceAuthError(env, error);
-      if (handled) return handled;
-      throw error;
-    }
+  const uploadAuth = await authenticateUpload(env, request, did);
+  if (uploadAuth instanceof Response) return uploadAuth;
+  if (uploadAuth.tag === 'user' && uploadAuth.auth.did !== did) {
+    return jsonError('InvalidRequest', 'authenticated user does not own this repo', 400);
   }
 
-  // Get DID from environment (single-user PDS)
-  const did = (await resolveSecret(env.PDS_DID)) ?? 'did:example:single-user';
-
   // Check if account is active
   const active = await isAccountActive(env, did);
   if (!active) {
@@ -59,72 +55,197 @@ export async function POST({ locals, request }: APIContext) {
     );
   }
 
-  const rateLimitResponse = await checkRate(env, request, 'blob');
+  const rateLimitResponse = await checkRate(env, request, 'blob', { key: did });
   if (rateLimitResponse) return rateLimitResponse;
 
-  // Decompress if Content-Encoding is present (some clients may compress uploads)
-  const enc = (request.headers.get('content-encoding') || '').toLowerCase();
-  let buf: ArrayBuffer;
-  if (enc && (enc === 'gzip' || enc === 'br' || enc === 'deflate')) {
-    try {
-      // @ts-ignore: DecompressionStream is available in CF Workers runtime
-      const ds = new DecompressionStream(enc);
-      const decompressed = request.body?.pipeThrough(ds);
-      buf = await new Response(decompressed).arrayBuffer();
-    } catch {
-      // Fallback to raw body if decompression not supported
-      buf = await request.arrayBuffer();
+  const encoding = uploadEncoding(request);
+  if (!isSupportedUploadEncoding(encoding)) {
+    return jsonError('InvalidRequest', `unsupported content-encoding: ${encoding}`, 400);
+  }
+  let bytes: Uint8Array;
+  try {
+    bytes = await readUploadBytes(request, maxBlobBytes(env), encoding);
+  } catch (error) {
+    if (error instanceof PayloadTooLarge) {
+      return jsonError('PayloadTooLarge', 'blob exceeds maximum size', 413);
     }
-  } else {
-    buf = await request.arrayBuffer();
+    return jsonError('InvalidRequest', 'failed to read upload body', 400);
   }
+  const buf = toArrayBuffer(bytes);
   const headerMime = baseMime(request.headers.get('content-type'));
   const sniffed = sniffMime(buf);
-  // Prefer sniffed MIME like upstream PDS; fall back to header
-  const contentType = sniffed || headerMime;
+  const contentType = resolveUploadMime(headerMime, sniffed);
+  if (uploadAuth.tag === 'user' && !canUploadBlob(uploadAuth.auth.access, contentType)) {
+    return insufficientScopeResponse();
+  }
 
   // Skip MIME type validation during migration - accept all types
   // Uncomment to enforce: if (!isAllowedMime(env, contentType)) return new Response(JSON.stringify({ error: 'UnsupportedMediaType' }), { status: 415 });
 
-  // Check quota before upload
-  const canUpload = await checkBlobQuota(env, did, buf.byteLength);
-  if (!canUpload) {
-    return new Response(
-      JSON.stringify({
-        error: 'BlobQuotaExceeded',
-        message: 'Blob storage quota exceeded'
-      }),
-      { status: 413 }
-    );
-  }
+  await sweepEligibleUnreferencedBlobKeys(env, { did, limit: 20 }).catch((error) => {
+    console.warn('[uploadBlob] Failed to sweep dereferenced blobs:', error);
+  });
 
-  const store = new R2BlobStore(env);
+  let registeredCid: string | undefined;
   try {
-    const response = await store.put(buf, { contentType });
-
-    // Compute a CIDv1 (raw) for the blob so clients receive a valid CID link
-    const digest = await sha256.digest(new Uint8Array(buf));
-    const cid = CID.createV1(0x55, digest); // 0x55 = raw codec
-    const cidStr = cid.toString();
+    const identity = await blobIdentity(env, buf);
 
-    // Register blob ref with CID-based key
-    await putBlobRef(env, did, cidStr, response.key, contentType, response.size);
+    const registration = await registerBlobRefWithQuota(
+      env,
+      did,
+      identity.cid,
+      identity.key,
+      contentType,
+      identity.size,
+    );
+    if (registration.tag === 'quotaExceeded') {
+      return new Response(
+        JSON.stringify({
+          error: 'BlobQuotaExceeded',
+          message: 'Blob storage quota exceeded',
+        }),
+        { status: 413, headers: { 'Content-Type': 'application/json' } },
+      );
+    }
+    if (registration.tag === 'registered') registeredCid = identity.cid;
 
-    // Update quota
-    await updateBlobQuota(env, did, response.size, 1);
+    await ensureBlobObject(env, registration.blob.key, buf, registration.blob.mime, registration.blob.size);
 
     // Mirror upstream shape exactly; helpful debugging header
     // Conform to lexicon: blob object must include $type: 'blob'
-    const body = { blob: { $type: 'blob', ref: { $link: cidStr }, mimeType: contentType, size: response.size } };
+    const body = {
+      blob: {
+        $type: 'blob',
+        ref: { $link: registration.blob.cid },
+        mimeType: registration.blob.mime,
+        size: registration.blob.size,
+      },
+    };
     const headers: Record<string, string> = { 'Content-Type': 'application/json' };
     // Debug-only headers (safe for clients to ignore)
     headers['x-sniffed-mime'] = sniffed || '';
     headers['x-header-mime'] = headerMime;
-    if (enc) headers['x-upload-encoding'] = enc;
+    if (encoding) headers['x-upload-encoding'] = encoding;
 
     return new Response(JSON.stringify(body), { headers });
-  } catch (e) {
-    if (String(errorMessage(e) || '').startsWith('BlobTooLarge')) return new Response(JSON.stringify({ error: 'PayloadTooLarge' }), { status: 413 });
+  } catch (error) {
+    if (registeredCid) await deleteUnreferencedBlobRef(env, did, registeredCid).catch(() => undefined);
+    if (error instanceof PayloadTooLarge) {
+      return jsonError('PayloadTooLarge', 'blob exceeds maximum size', 413);
+    }
     return new Response(JSON.stringify({ error: 'UploadFailed' }), { status: 500 });
   }
 }
+
+async function authenticateUpload(env: Env, request: Request, did: string): Promise<UploadAuth | Response> {
+  const authHeader = request.headers.get('authorization');
+  const token = authHeader?.startsWith('Bearer ') ? authHeader.slice(7).trim() : null;
+
+  if (token && isServiceAuthToken(token)) {
+    const serviceAuth = await verifyServiceAuth(env, request);
+    if (!serviceAuth || serviceAuth.lxm !== UPLOAD_BLOB_LXM || serviceAuth.iss !== did) {
+      return jsonError('InvalidToken', 'Invalid service auth token', 401);
+    }
+    return { tag: 'service' };
+  }
+
+  try {
+    const auth = await verifyResourceRequestHybrid(env, request);
+    if (!auth) return dpopResourceUnauthorized(env);
+    return { tag: 'user', auth };
+  } catch (error) {
+    const handled = await handleResourceAuthError(env, error);
+    if (handled) return handled;
+    throw error;
+  }
+}
+
+async function readUploadBytes(
+  request: Request,
+  maxBytes: number,
+  encoding: string,
+): Promise<Uint8Array> {
+  if (!isCompressedEncoding(encoding)) {
+    return readBodyBounded(request, maxBytes);
+  }
+  const decompressed = request.body?.pipeThrough(createDecompressionStream(encoding));
+  return readStreamBounded(decompressed ?? null, maxBytes);
+}
+
+function uploadEncoding(request: Request): string {
+  return (request.headers.get('content-encoding') || '').trim().toLowerCase();
+}
+
+function isCompressedEncoding(encoding: string): boolean {
+  return encoding === 'gzip' || encoding === 'deflate' || encoding === 'deflate-raw';
+}
+
+function isSupportedUploadEncoding(encoding: string): boolean {
+  return encoding === '' || isCompressedEncoding(encoding);
+}
+
+function resolveUploadMime(headerMime: string, sniffed: string | null): string {
+  if (!sniffed) return headerMime;
+  if (sniffed === 'video/webm' && (headerMime === 'audio/webm' || headerMime === 'video/webm')) {
+    return headerMime;
+  }
+  if (sniffed === 'video/mp4' && (headerMime === 'audio/mp4' || headerMime === 'video/mp4')) {
+    return headerMime;
+  }
+  return sniffed;
+}
+
+function createDecompressionStream(encoding: string): TransformStream<Uint8Array, Uint8Array> {
+  const Decompression = globalThis.DecompressionStream as unknown as {
+    new (format: string): TransformStream<Uint8Array, Uint8Array>;
+  };
+  return new Decompression(encoding);
+}
+
+function toArrayBuffer(bytes: Uint8Array): ArrayBuffer {
+  return bytes.buffer.slice(bytes.byteOffset, bytes.byteOffset + bytes.byteLength) as ArrayBuffer;
+}
+
+type BlobIdentity = {
+  cid: string;
+  key: string;
+  size: number;
+};
+
+async function blobIdentity(env: Env, body: ArrayBuffer): Promise<BlobIdentity> {
+  const size = body.byteLength;
+  const limit = maxBlobBytes(env);
+  if (size > limit) throw new PayloadTooLarge('blob exceeds maximum size');
+
+  const digest = await sha256.digest(new Uint8Array(body));
+  const cid = CID.createV1(0x55, digest);
+  return {
+    cid: cid.toString(),
+    key: `blobs/by-cid/${base64Url(digest.digest)}`,
+    size,
+  };
+}
+
+async function ensureBlobObject(
+  env: Env,
+  key: string,
+  body: ArrayBuffer,
+  contentType: string,
+  expectedSize: number,
+): Promise<void> {
+  const existing = await env.ALTERAN_BLOBS.head(key);
+  if (existing?.size === expectedSize) return;
+  await env.ALTERAN_BLOBS.put(key, body, { httpMetadata: { contentType } });
+}
+
+function maxBlobBytes(env: Env, defaultMax = 5 * 1024 * 1024): number {
+  const raw = env.PDS_MAX_BLOB_SIZE;
+  const parsed = raw ? Number(raw) : defaultMax;
+  return Number.isFinite(parsed) && parsed > 0 ? parsed : defaultMax;
+}
+
+function base64Url(bytes: Uint8Array): string {
+  let value = '';
+  for (const byte of bytes) value += String.fromCharCode(byte);
+  return btoa(value).replaceAll('+', '-').replaceAll('/', '_').replace(/=+$/, '');
+}

package/src/pages/xrpc/com.atproto.server.checkAccountStatus.ts

@@ -1,6 +1,7 @@
 import type { APIContext } from 'astro';
 import { errorMessage } from '../../lib/errors';
-import { authErrorResponse, isAuthorized, unauthorized } from '../../lib/auth';
+import { authErrorResponse, authenticateRequest, unauthorized } from '../../lib/auth';
+import { canAccessFullAccount } from '../../lib/auth-scope';
 import { getAccountState } from '../../db/dal';
 import { toWireStatus } from '../../lib/account-state';
 import { getDb } from '../../db/client';
@@ -23,7 +24,8 @@ export async function GET({ locals, request }: APIContext) {
   const { env } = locals.runtime;
 
   try {
-    if (!(await isAuthorized(request, env))) return unauthorized();
+    const auth = await authenticateRequest(request, env);
+    if (!auth || !canAccessFullAccount(auth.access)) return unauthorized();
   } catch (error) {
     const handled = await authErrorResponse(env, error);
     if (handled) return handled;