@ascorbic/pds 0.0.0

package/dist/cli.js

@@ -0,0 +1,528 @@
+#!/usr/bin/env node
+import { defineCommand, runMain } from "citty";
+import { randomBytes } from "node:crypto";
+import * as p from "@clack/prompts";
+import { spawn } from "node:child_process";
+import { experimental_patchConfig, experimental_readRawConfig } from "wrangler";
+import { existsSync, readFileSync, writeFileSync } from "node:fs";
+import { resolve } from "node:path";
+import bcrypt from "bcryptjs";
+import { Secp256k1Keypair } from "@atproto/crypto";
+
+//#region src/cli/utils/wrangler.ts
+/**
+* Wrangler integration utilities for setting vars and secrets
+*/
+/**
+* Set a var in wrangler.jsonc using experimental_patchConfig
+*/
+function setVar(name, value) {
+	const { configPath } = experimental_readRawConfig({});
+	if (!configPath) throw new Error("No wrangler config found");
+	experimental_patchConfig(configPath, { vars: { [name]: value } });
+}
+/**
+* Set multiple vars in wrangler.jsonc
+*/
+function setVars(vars) {
+	const { configPath } = experimental_readRawConfig({});
+	if (!configPath) throw new Error("No wrangler config found");
+	experimental_patchConfig(configPath, { vars });
+}
+/**
+* Get current vars from wrangler config
+*/
+function getVars() {
+	const { rawConfig } = experimental_readRawConfig({});
+	return rawConfig.vars || {};
+}
+/**
+* Set a secret using wrangler secret put
+*/
+async function setSecret(name, value) {
+	return new Promise((resolve$1, reject) => {
+		const child = spawn("wrangler", [
+			"secret",
+			"put",
+			name
+		], { stdio: [
+			"pipe",
+			"inherit",
+			"inherit"
+		] });
+		child.stdin.write(value);
+		child.stdin.end();
+		child.on("close", (code) => {
+			if (code === 0) resolve$1();
+			else reject(/* @__PURE__ */ new Error(`wrangler secret put ${name} failed with code ${code}`));
+		});
+		child.on("error", reject);
+	});
+}
+
+//#endregion
+//#region src/cli/utils/dotenv.ts
+/**
+* .dev.vars file utilities for local development
+*/
+const DEV_VARS_FILE = ".dev.vars";
+/**
+* Parse a .dev.vars file into a record
+*/
+function readDevVars(dir = process.cwd()) {
+	const filePath = resolve(dir, DEV_VARS_FILE);
+	if (!existsSync(filePath)) return {};
+	const content = readFileSync(filePath, "utf-8");
+	const vars = {};
+	for (const line of content.split("\n")) {
+		const trimmed = line.trim();
+		if (!trimmed || trimmed.startsWith("#")) continue;
+		const eqIndex = trimmed.indexOf("=");
+		if (eqIndex === -1) continue;
+		const key = trimmed.slice(0, eqIndex).trim();
+		let value = trimmed.slice(eqIndex + 1).trim();
+		if (value.startsWith("\"") && value.endsWith("\"") || value.startsWith("'") && value.endsWith("'")) value = value.slice(1, -1);
+		vars[key] = value;
+	}
+	return vars;
+}
+/**
+* Quote a value if it contains special characters
+*/
+function quoteValue(value) {
+	if (value.includes(" ") || value.includes("\"") || value.includes("'")) return "\"" + value.replace(/"/g, "\\\"") + "\"";
+	return value;
+}
+/**
+* Write vars to .dev.vars file, preserving comments and order
+*/
+function writeDevVars(vars, dir = process.cwd()) {
+	const filePath = resolve(dir, DEV_VARS_FILE);
+	let existingLines = [];
+	if (existsSync(filePath)) existingLines = readFileSync(filePath, "utf-8").split("\n");
+	const outputLines = [];
+	const updatedKeys = /* @__PURE__ */ new Set();
+	for (const line of existingLines) {
+		const trimmed = line.trim();
+		if (!trimmed || trimmed.startsWith("#")) {
+			outputLines.push(line);
+			continue;
+		}
+		const eqIndex = trimmed.indexOf("=");
+		if (eqIndex === -1) {
+			outputLines.push(line);
+			continue;
+		}
+		const key = trimmed.slice(0, eqIndex).trim();
+		if (key in vars) {
+			outputLines.push(key + "=" + quoteValue(vars[key]));
+			updatedKeys.add(key);
+		} else outputLines.push(line);
+	}
+	for (const [key, value] of Object.entries(vars)) if (!updatedKeys.has(key)) outputLines.push(key + "=" + quoteValue(value));
+	writeFileSync(filePath, outputLines.join("\n").trimEnd() + "\n");
+}
+/**
+* Set a single var in .dev.vars
+*/
+function setDevVar(key, value, dir = process.cwd()) {
+	const vars = readDevVars(dir);
+	vars[key] = value;
+	writeDevVars(vars, dir);
+}
+
+//#endregion
+//#region src/cli/commands/secret/jwt.ts
+/**
+* JWT secret generation command
+*/
+const jwtCommand = defineCommand({
+	meta: {
+		name: "jwt",
+		description: "Generate and set JWT signing secret"
+	},
+	args: { local: {
+		type: "boolean",
+		description: "Write to .dev.vars instead of wrangler secrets",
+		default: false
+	} },
+	async run({ args }) {
+		p.intro("Generate JWT Secret");
+		const secret = randomBytes(32).toString("base64");
+		if (args.local) {
+			setDevVar("JWT_SECRET", secret);
+			p.outro("JWT_SECRET written to .dev.vars");
+		} else {
+			const spinner = p.spinner();
+			spinner.start("Setting JWT_SECRET via wrangler...");
+			try {
+				await setSecret("JWT_SECRET", secret);
+				spinner.stop("JWT_SECRET set successfully");
+				p.outro("Done!");
+			} catch (error) {
+				spinner.stop("Failed to set JWT_SECRET");
+				p.log.error(String(error));
+				process.exit(1);
+			}
+		}
+	}
+});
+
+//#endregion
+//#region src/cli/commands/secret/password.ts
+/**
+* Password hash generation command
+*/
+const passwordCommand = defineCommand({
+	meta: {
+		name: "password",
+		description: "Set account password (stored as bcrypt hash)"
+	},
+	args: { local: {
+		type: "boolean",
+		description: "Write to .dev.vars instead of wrangler secrets",
+		default: false
+	} },
+	async run({ args }) {
+		p.intro("Set Account Password");
+		const password = await p.password({ message: "Enter password:" });
+		if (p.isCancel(password)) {
+			p.cancel("Cancelled");
+			process.exit(0);
+		}
+		const confirm = await p.password({ message: "Confirm password:" });
+		if (p.isCancel(confirm)) {
+			p.cancel("Cancelled");
+			process.exit(0);
+		}
+		if (password !== confirm) {
+			p.log.error("Passwords do not match");
+			process.exit(1);
+		}
+		const spinner = p.spinner();
+		spinner.start("Hashing password...");
+		const passwordHash = await bcrypt.hash(password, 10);
+		spinner.stop("Password hashed");
+		if (args.local) {
+			setDevVar("PASSWORD_HASH", passwordHash);
+			p.outro("PASSWORD_HASH written to .dev.vars");
+		} else {
+			spinner.start("Setting PASSWORD_HASH via wrangler...");
+			try {
+				await setSecret("PASSWORD_HASH", passwordHash);
+				spinner.stop("PASSWORD_HASH set successfully");
+				p.outro("Done!");
+			} catch (error) {
+				spinner.stop("Failed to set PASSWORD_HASH");
+				p.log.error(String(error));
+				process.exit(1);
+			}
+		}
+	}
+});
+
+//#endregion
+//#region src/cli/commands/secret/key.ts
+/**
+* Signing key generation command
+*/
+const keyCommand = defineCommand({
+	meta: {
+		name: "key",
+		description: "Generate and set signing keypair"
+	},
+	args: { local: {
+		type: "boolean",
+		description: "Write to .dev.vars instead of wrangler secrets/config",
+		default: false
+	} },
+	async run({ args }) {
+		p.intro("Generate Signing Keypair");
+		const spinner = p.spinner();
+		spinner.start("Generating secp256k1 keypair...");
+		const keypair = await Secp256k1Keypair.create({ exportable: true });
+		const privateKeyJwk = await keypair.export();
+		const publicKeyMultibase = keypair.did().replace("did:key:", "");
+		spinner.stop("Keypair generated");
+		const privateKeyJson = JSON.stringify(privateKeyJwk);
+		if (args.local) {
+			setDevVar("SIGNING_KEY", privateKeyJson);
+			setDevVar("SIGNING_KEY_PUBLIC", publicKeyMultibase);
+			p.outro("SIGNING_KEY and SIGNING_KEY_PUBLIC written to .dev.vars");
+		} else {
+			spinner.start("Setting SIGNING_KEY via wrangler secret...");
+			try {
+				await setSecret("SIGNING_KEY", privateKeyJson);
+				spinner.stop("SIGNING_KEY set");
+				spinner.start("Setting SIGNING_KEY_PUBLIC in wrangler.jsonc...");
+				setVar("SIGNING_KEY_PUBLIC", publicKeyMultibase);
+				spinner.stop("SIGNING_KEY_PUBLIC set");
+				p.outro("Done!");
+			} catch (error) {
+				spinner.stop("Failed");
+				p.log.error(String(error));
+				process.exit(1);
+			}
+		}
+		p.log.info("Public key (for DID document): " + publicKeyMultibase);
+	}
+});
+
+//#endregion
+//#region src/cli/commands/secret/index.ts
+/**
+* Secret management commands
+*/
+const secretCommand = defineCommand({
+	meta: {
+		name: "secret",
+		description: "Manage PDS secrets"
+	},
+	subCommands: {
+		jwt: jwtCommand,
+		password: passwordCommand,
+		key: keyCommand
+	}
+});
+
+//#endregion
+//#region src/cli/commands/init.ts
+/**
+* Interactive PDS setup wizard
+*/
+/**
+* Run wrangler types to regenerate TypeScript types
+*/
+function runWranglerTypes() {
+	return new Promise((resolve$1, reject) => {
+		const child = spawn("wrangler", ["types"], { stdio: "inherit" });
+		child.on("close", (code) => {
+			if (code === 0) resolve$1();
+			else reject(/* @__PURE__ */ new Error(`wrangler types failed with code ${code}`));
+		});
+		child.on("error", reject);
+	});
+}
+const initCommand = defineCommand({
+	meta: {
+		name: "init",
+		description: "Interactive PDS setup wizard"
+	},
+	args: { production: {
+		type: "boolean",
+		description: "Deploy secrets to Cloudflare (prompts to reuse .dev.vars values)",
+		default: false
+	} },
+	async run({ args }) {
+		p.intro("PDS Setup Wizard");
+		const isProduction = args.production;
+		if (isProduction) p.log.info("Production mode: secrets will be deployed via wrangler");
+		const wranglerVars = getVars();
+		const devVars = readDevVars();
+		const currentVars = {
+			...devVars,
+			...wranglerVars
+		};
+		const hostname = await p.text({
+			message: "PDS hostname:",
+			placeholder: "pds.example.com",
+			initialValue: currentVars.PDS_HOSTNAME || "",
+			validate: (v) => !v ? "Hostname is required" : void 0
+		});
+		if (p.isCancel(hostname)) {
+			p.cancel("Cancelled");
+			process.exit(0);
+		}
+		const handle = await p.text({
+			message: "Account handle:",
+			placeholder: "alice." + hostname,
+			initialValue: currentVars.HANDLE || "",
+			validate: (v) => !v ? "Handle is required" : void 0
+		});
+		if (p.isCancel(handle)) {
+			p.cancel("Cancelled");
+			process.exit(0);
+		}
+		const didDefault = "did:web:" + hostname;
+		const did = await p.text({
+			message: "Account DID:",
+			placeholder: didDefault,
+			initialValue: currentVars.DID || didDefault,
+			validate: (v) => {
+				if (!v) return "DID is required";
+				if (!v.startsWith("did:")) return "DID must start with did:";
+			}
+		});
+		if (p.isCancel(did)) {
+			p.cancel("Cancelled");
+			process.exit(0);
+		}
+		const spinner = p.spinner();
+		let authToken;
+		let signingKey;
+		let signingKeyPublic;
+		let jwtSecret;
+		let passwordHash;
+		if (isProduction) {
+			authToken = await getOrGenerateSecret("AUTH_TOKEN", devVars, async () => {
+				spinner.start("Generating auth token...");
+				const token = randomBytes(32).toString("base64url");
+				spinner.stop("Auth token generated");
+				return token;
+			});
+			signingKey = await getOrGenerateSecret("SIGNING_KEY", devVars, async () => {
+				spinner.start("Generating signing keypair...");
+				const keypair = await Secp256k1Keypair.create({ exportable: true });
+				const key = JSON.stringify(await keypair.export());
+				spinner.stop("Signing keypair generated");
+				return key;
+			});
+			signingKeyPublic = (await Secp256k1Keypair.import(JSON.parse(signingKey))).did().replace("did:key:", "");
+			jwtSecret = await getOrGenerateSecret("JWT_SECRET", devVars, async () => {
+				spinner.start("Generating JWT secret...");
+				const secret = randomBytes(32).toString("base64");
+				spinner.stop("JWT secret generated");
+				return secret;
+			});
+			passwordHash = await getOrGenerateSecret("PASSWORD_HASH", devVars, async () => {
+				const password = await p.password({ message: "Account password:" });
+				if (p.isCancel(password)) {
+					p.cancel("Cancelled");
+					process.exit(0);
+				}
+				const confirm = await p.password({ message: "Confirm password:" });
+				if (p.isCancel(confirm)) {
+					p.cancel("Cancelled");
+					process.exit(0);
+				}
+				if (password !== confirm) {
+					p.log.error("Passwords do not match");
+					process.exit(1);
+				}
+				spinner.start("Hashing password...");
+				const hash = await bcrypt.hash(password, 10);
+				spinner.stop("Password hashed");
+				return hash;
+			});
+		} else {
+			const password = await p.password({ message: "Account password:" });
+			if (p.isCancel(password)) {
+				p.cancel("Cancelled");
+				process.exit(0);
+			}
+			const confirm = await p.password({ message: "Confirm password:" });
+			if (p.isCancel(confirm)) {
+				p.cancel("Cancelled");
+				process.exit(0);
+			}
+			if (password !== confirm) {
+				p.log.error("Passwords do not match");
+				process.exit(1);
+			}
+			spinner.start("Hashing password...");
+			passwordHash = await bcrypt.hash(password, 10);
+			spinner.stop("Password hashed");
+			spinner.start("Generating JWT secret...");
+			jwtSecret = randomBytes(32).toString("base64");
+			spinner.stop("JWT secret generated");
+			spinner.start("Generating auth token...");
+			authToken = randomBytes(32).toString("base64url");
+			spinner.stop("Auth token generated");
+			spinner.start("Generating signing keypair...");
+			const keypair = await Secp256k1Keypair.create({ exportable: true });
+			signingKey = JSON.stringify(await keypair.export());
+			signingKeyPublic = keypair.did().replace("did:key:", "");
+			spinner.stop("Signing keypair generated");
+		}
+		spinner.start("Updating wrangler.jsonc...");
+		setVars({
+			PDS_HOSTNAME: hostname,
+			DID: did,
+			HANDLE: handle,
+			SIGNING_KEY_PUBLIC: signingKeyPublic
+		});
+		spinner.stop("wrangler.jsonc updated");
+		if (isProduction) {
+			spinner.start("Setting AUTH_TOKEN...");
+			await setSecret("AUTH_TOKEN", authToken);
+			spinner.stop("AUTH_TOKEN set");
+			spinner.start("Setting SIGNING_KEY...");
+			await setSecret("SIGNING_KEY", signingKey);
+			spinner.stop("SIGNING_KEY set");
+			spinner.start("Setting JWT_SECRET...");
+			await setSecret("JWT_SECRET", jwtSecret);
+			spinner.stop("JWT_SECRET set");
+			spinner.start("Setting PASSWORD_HASH...");
+			await setSecret("PASSWORD_HASH", passwordHash);
+			spinner.stop("PASSWORD_HASH set");
+		} else {
+			spinner.start("Writing secrets to .dev.vars...");
+			writeDevVars({
+				AUTH_TOKEN: authToken,
+				SIGNING_KEY: signingKey,
+				JWT_SECRET: jwtSecret,
+				PASSWORD_HASH: passwordHash
+			});
+			spinner.stop("Secrets written to .dev.vars");
+		}
+		spinner.start("Generating TypeScript types...");
+		try {
+			await runWranglerTypes();
+			spinner.stop("TypeScript types generated");
+		} catch {
+			spinner.stop("Failed to generate types (wrangler types)");
+		}
+		p.note([
+			"Configuration summary:",
+			"",
+			"  PDS_HOSTNAME: " + hostname,
+			"  DID: " + did,
+			"  HANDLE: " + handle,
+			"  SIGNING_KEY_PUBLIC: " + signingKeyPublic,
+			"",
+			isProduction ? "Secrets deployed to Cloudflare" : "Secrets saved to .dev.vars",
+			"",
+			"Auth token (save this!):",
+			"  " + authToken
+		].join("\n"), "Setup Complete");
+		if (isProduction) p.outro("Your PDS is configured! Run 'wrangler deploy' to deploy.");
+		else p.outro("Your PDS is configured! Run 'pnpm dev' to start locally.");
+	}
+});
+/**
+* Helper to get a secret from .dev.vars or generate a new one
+*/
+async function getOrGenerateSecret(name, devVars, generate) {
+	if (devVars[name]) {
+		const useExisting = await p.confirm({
+			message: `Use ${name} from .dev.vars?`,
+			initialValue: true
+		});
+		if (p.isCancel(useExisting)) {
+			p.cancel("Cancelled");
+			process.exit(0);
+		}
+		if (useExisting) return devVars[name];
+	}
+	return generate();
+}
+
+//#endregion
+//#region src/cli/index.ts
+/**
+* PDS CLI - Setup and management for AT Protocol PDS on Cloudflare Workers
+*/
+runMain(defineCommand({
+	meta: {
+		name: "pds",
+		version: "0.0.0",
+		description: "AT Protocol PDS setup and management CLI"
+	},
+	subCommands: {
+		init: initCommand,
+		secret: secretCommand
+	}
+}));
+
+//#endregion
+export {  };