@ascorbic/pds 0.0.2 → 0.2.0

package/dist/cli.js

@@ -8,6 +8,9 @@ import { spawn } from "node:child_process";
 import { experimental_patchConfig, experimental_readRawConfig } from "wrangler";
 import { existsSync, readFileSync, writeFileSync } from "node:fs";
 import { resolve } from "node:path";
+import { AtprotoDohHandleResolver } from "@atproto-labs/handle-resolver";
+import { check, didDocument, getPdsEndpoint } from "@atproto/common-web";
+import pc from "picocolors";
 
 //#region src/cli/utils/wrangler.ts
 /**
@@ -37,6 +40,21 @@ function getVars() {
 	return rawConfig.vars || {};
 }
 /**
+* Get current worker name from wrangler config
+*/
+function getWorkerName() {
+	const { rawConfig } = experimental_readRawConfig({});
+	return rawConfig.name;
+}
+/**
+* Set worker name in wrangler config
+*/
+function setWorkerName(name) {
+	const { configPath } = experimental_readRawConfig({});
+	if (!configPath) throw new Error("No wrangler config found");
+	experimental_patchConfig(configPath, { name });
+}
+/**
 * Set a secret using wrangler secret put
 */
 async function setSecret(name, value) {
@@ -171,24 +189,30 @@ async function hashPassword(password) {
 	return bcrypt.hash(password, 10);
 }
 /**
-* Prompt for password with confirmation
+* Prompt for password with confirmation (max 3 attempts)
 */
-async function promptPassword() {
-	const password = await p.password({ message: "Enter password:" });
-	if (p.isCancel(password)) {
-		p.cancel("Cancelled");
-		process.exit(0);
-	}
-	const confirm = await p.password({ message: "Confirm password:" });
-	if (p.isCancel(confirm)) {
-		p.cancel("Cancelled");
-		process.exit(0);
-	}
-	if (password !== confirm) {
-		p.log.error("Passwords do not match");
-		process.exit(1);
+async function promptPassword(handle) {
+	const message = handle ? `Choose a password for @${handle}:` : "Enter password:";
+	const MAX_ATTEMPTS = 3;
+	let attempts = 0;
+	while (attempts < MAX_ATTEMPTS) {
+		attempts++;
+		const password = await p.password({ message });
+		if (p.isCancel(password)) {
+			p.cancel("Cancelled");
+			process.exit(0);
+		}
+		const confirm = await p.password({ message: "Confirm password:" });
+		if (p.isCancel(confirm)) {
+			p.cancel("Cancelled");
+			process.exit(0);
+		}
+		if (password === confirm) return password;
+		p.log.error("Passwords do not match. Try again.");
 	}
-	return password;
+	p.log.error("Too many failed attempts.");
+	p.cancel("Password setup cancelled");
+	process.exit(1);
 }
 /**
 * Set a secret value, either locally (.dev.vars) or via wrangler
@@ -315,12 +339,124 @@ const secretCommand = defineCommand({
 	}
 });
 
+//#endregion
+//#region src/cli/utils/handle-resolver.ts
+/**
+* Utilities for resolving AT Protocol handles to DIDs
+*/
+const resolver = new AtprotoDohHandleResolver({ dohEndpoint: "https://cloudflare-dns.com/dns-query" });
+/**
+* Resolve a handle to a DID using the AT Protocol handle resolution methods.
+* Uses DNS-over-HTTPS via Cloudflare for DNS resolution.
+*/
+async function resolveHandleToDid(handle) {
+	try {
+		return await resolver.resolve(handle, { signal: AbortSignal.timeout(1e4) });
+	} catch (err) {
+		return null;
+	}
+}
+
+//#endregion
+//#region src/did-resolver.ts
+/**
+* DID resolution for Cloudflare Workers
+*
+* We can't use @atproto/identity directly because it uses `redirect: "error"`
+* which Cloudflare Workers doesn't support. This is a simple implementation
+* that's compatible with Workers.
+*/
+const PLC_DIRECTORY = "https://plc.directory";
+const TIMEOUT_MS = 3e3;
+var DidResolver = class {
+	plcUrl;
+	timeout;
+	cache;
+	constructor(opts = {}) {
+		this.plcUrl = opts.plcUrl ?? PLC_DIRECTORY;
+		this.timeout = opts.timeout ?? TIMEOUT_MS;
+		this.cache = opts.didCache;
+	}
+	async resolve(did) {
+		if (this.cache) {
+			const cached = await this.cache.checkCache(did);
+			if (cached && !cached.expired) {
+				if (cached.stale) this.cache.refreshCache(did, () => this.resolveNoCache(did), cached);
+				return cached.doc;
+			}
+		}
+		const doc = await this.resolveNoCache(did);
+		if (doc && this.cache) await this.cache.cacheDid(did, doc);
+		else if (!doc && this.cache) await this.cache.clearEntry(did);
+		return doc;
+	}
+	async resolveNoCache(did) {
+		if (did.startsWith("did:web:")) return this.resolveDidWeb(did);
+		if (did.startsWith("did:plc:")) return this.resolveDidPlc(did);
+		throw new Error(`Unsupported DID method: ${did}`);
+	}
+	async resolveDidWeb(did) {
+		const parts = did.split(":").slice(2);
+		if (parts.length === 0) throw new Error(`Invalid did:web format: ${did}`);
+		if (parts.length > 1) throw new Error(`Unsupported did:web with path: ${did}`);
+		const domain = decodeURIComponent(parts[0]);
+		const url = new URL(`https://${domain}/.well-known/did.json`);
+		if (url.hostname === "localhost") url.protocol = "http:";
+		const controller = new AbortController();
+		const timeoutId = setTimeout(() => controller.abort(), this.timeout);
+		try {
+			const res = await fetch(url.toString(), {
+				signal: controller.signal,
+				redirect: "manual",
+				headers: { accept: "application/did+ld+json,application/json" }
+			});
+			if (res.status >= 300 && res.status < 400) return null;
+			if (!res.ok) return null;
+			const doc = await res.json();
+			return this.validateDidDoc(did, doc);
+		} finally {
+			clearTimeout(timeoutId);
+		}
+	}
+	async resolveDidPlc(did) {
+		const url = new URL(`/${encodeURIComponent(did)}`, this.plcUrl);
+		const controller = new AbortController();
+		const timeoutId = setTimeout(() => controller.abort(), this.timeout);
+		try {
+			const res = await fetch(url.toString(), {
+				signal: controller.signal,
+				redirect: "manual",
+				headers: { accept: "application/did+ld+json,application/json" }
+			});
+			if (res.status >= 300 && res.status < 400) return null;
+			if (res.status === 404) return null;
+			if (!res.ok) throw new Error(`PLC directory error: ${res.status} ${res.statusText}`);
+			const doc = await res.json();
+			return this.validateDidDoc(did, doc);
+		} finally {
+			clearTimeout(timeoutId);
+		}
+	}
+	validateDidDoc(did, doc) {
+		if (!check.is(doc, didDocument)) return null;
+		if (doc.id !== did) return null;
+		return doc;
+	}
+};
+
 //#endregion
 //#region src/cli/commands/init.ts
 /**
 * Interactive PDS setup wizard
 */
 /**
+* Slugify a handle to create a worker name
+* e.g., "example.com" -> "example-com-pds"
+*/
+function slugifyHandle(handle) {
+	return handle.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-|-$/g, "") + "-pds";
+}
+/**
 * Run wrangler types to regenerate TypeScript types
 */
 function runWranglerTypes() {
@@ -354,48 +490,233 @@ const initCommand = defineCommand({
 		default: false
 	} },
 	async run({ args }) {
-		p.intro("PDS Setup Wizard");
+		p.intro("🦋 PDS Setup");
 		const isProduction = args.production;
 		if (isProduction) p.log.info("Production mode: secrets will be deployed via wrangler");
+		else p.log.info("Let's set up your new home in the Atmosphere!");
 		const wranglerVars = getVars();
 		const devVars = readDevVars();
 		const currentVars = {
 			...devVars,
 			...wranglerVars
 		};
-		const hostname = await p.text({
-			message: "PDS hostname:",
-			placeholder: "pds.example.com",
-			initialValue: currentVars.PDS_HOSTNAME || "",
-			validate: (v) => !v ? "Hostname is required" : void 0
+		const isMigrating = await p.confirm({
+			message: "Are you migrating an existing Bluesky account? 🦋",
+			initialValue: false
 		});
-		if (p.isCancel(hostname)) {
-			p.cancel("Cancelled");
+		if (p.isCancel(isMigrating)) {
+			p.cancel("Setup cancelled");
 			process.exit(0);
 		}
-		const handle = await p.text({
-			message: "Account handle:",
-			placeholder: "alice." + hostname,
-			initialValue: currentVars.HANDLE || "",
-			validate: (v) => !v ? "Handle is required" : void 0
-		});
-		if (p.isCancel(handle)) {
-			p.cancel("Cancelled");
-			process.exit(0);
-		}
-		const didDefault = "did:web:" + hostname;
-		const did = await p.text({
-			message: "Account DID:",
-			placeholder: didDefault,
-			initialValue: currentVars.DID || didDefault,
-			validate: (v) => {
-				if (!v) return "DID is required";
-				if (!v.startsWith("did:")) return "DID must start with did:";
+		let did;
+		let handle;
+		let hostname;
+		let workerName;
+		let initialActive;
+		const currentWorkerName = getWorkerName();
+		if (isMigrating) {
+			p.log.info("Time to pack your bags! 🧳");
+			p.log.info("Your account will be inactive until you've moved your data over.");
+			let hostedDomains = [
+				".bsky.social",
+				".bsky.network",
+				".bsky.team"
+			];
+			const isHostedHandle = (h) => hostedDomains.some((domain) => h.endsWith(domain));
+			let resolvedDid = null;
+			let existingHandle = null;
+			let attempts = 0;
+			const MAX_ATTEMPTS = 3;
+			while (!resolvedDid && attempts < MAX_ATTEMPTS) {
+				attempts++;
+				const currentHandle = await p.text({
+					message: "Your current Bluesky/ATProto handle:",
+					placeholder: "example.bsky.social",
+					validate: (v) => !v ? "Handle is required" : void 0
+				});
+				if (p.isCancel(currentHandle)) {
+					p.cancel("Cancelled");
+					process.exit(0);
+				}
+				existingHandle = currentHandle;
+				const spinner$1 = p.spinner();
+				spinner$1.start("Finding you in the Atmosphere...");
+				resolvedDid = await resolveHandleToDid(currentHandle);
+				if (!resolvedDid) {
+					spinner$1.stop("Not found");
+					p.log.error(`Failed to resolve handle "${currentHandle}"`);
+					const action = await p.select({
+						message: "What would you like to do?",
+						options: [{
+							value: "retry",
+							label: "Try a different handle"
+						}, {
+							value: "manual",
+							label: "Enter DID manually"
+						}]
+					});
+					if (p.isCancel(action)) {
+						p.cancel("Cancelled");
+						process.exit(0);
+					}
+					if (action === "manual") {
+						const manualDid = await p.text({
+							message: "Enter your DID:",
+							placeholder: "did:plc:...",
+							validate: (v) => {
+								if (!v) return "DID is required";
+								if (!v.startsWith("did:")) return "DID must start with did:";
+							}
+						});
+						if (p.isCancel(manualDid)) {
+							p.cancel("Cancelled");
+							process.exit(0);
+						}
+						resolvedDid = manualDid;
+					}
+				} else {
+					try {
+						const pdsService = (await new DidResolver().resolve(resolvedDid))?.service?.find((s) => s.type === "AtprotoPersonalDataServer" || s.id === "#atproto_pds");
+						if (pdsService?.serviceEndpoint) {
+							const describeRes = await fetch(`${pdsService.serviceEndpoint}/xrpc/com.atproto.server.describeServer`);
+							if (describeRes.ok) {
+								const desc = await describeRes.json();
+								if (desc.availableUserDomains?.length) hostedDomains = desc.availableUserDomains.map((d) => d.startsWith(".") ? d : `.${d}`);
+							}
+						}
+					} catch {}
+					spinner$1.stop(`Found you! ${resolvedDid}`);
+					if (isHostedHandle(existingHandle)) {
+						const theirDomain = hostedDomains.find((d) => existingHandle.endsWith(d));
+						const domainExample = theirDomain ? `*${theirDomain}` : "*.bsky.social";
+						p.log.warn(`You'll need a custom domain for your new handle (not ${domainExample}). You can set this up after transferring your data.`);
+					}
+					if (attempts >= MAX_ATTEMPTS) {
+						p.log.error("Unable to resolve handle after 3 attempts.");
+						p.log.info("");
+						p.log.info("You can:");
+						p.log.info("  1. Double-check your handle spelling");
+						p.log.info("  2. Provide your DID directly if you know it");
+						p.log.info("  3. Run 'pds init' again when ready");
+						p.outro("Initialization cancelled.");
+						process.exit(1);
+					}
+				}
 			}
-		});
-		if (p.isCancel(did)) {
-			p.cancel("Cancelled");
-			process.exit(0);
+			did = resolvedDid;
+			const defaultHandle = existingHandle && !isHostedHandle(existingHandle) ? existingHandle : currentVars.HANDLE || "";
+			handle = await p.text({
+				message: "New account handle (must be a domain you control):",
+				placeholder: "example.com",
+				initialValue: defaultHandle,
+				validate: (v) => {
+					if (!v) return "Handle is required";
+					if (isHostedHandle(v)) return "You need a custom domain - hosted handles like *.bsky.social won't work";
+				}
+			});
+			if (p.isCancel(handle)) {
+				p.cancel("Cancelled");
+				process.exit(0);
+			}
+			hostname = await p.text({
+				message: "Domain where you'll deploy your PDS:",
+				placeholder: handle,
+				initialValue: currentVars.PDS_HOSTNAME || handle,
+				validate: (v) => !v ? "Hostname is required" : void 0
+			});
+			if (p.isCancel(hostname)) {
+				p.cancel("Cancelled");
+				process.exit(0);
+			}
+			const defaultWorkerName = currentWorkerName || slugifyHandle(handle);
+			workerName = await p.text({
+				message: "Cloudflare Worker name:",
+				placeholder: defaultWorkerName,
+				initialValue: defaultWorkerName,
+				validate: (v) => {
+					if (!v) return "Worker name is required";
+					if (!/^[a-z0-9-]+$/.test(v)) return "Worker name can only contain lowercase letters, numbers, and hyphens";
+				}
+			});
+			if (p.isCancel(workerName)) {
+				p.cancel("Cancelled");
+				process.exit(0);
+			}
+			initialActive = "false";
+		} else {
+			p.log.info("A fresh start in the Atmosphere! ✨");
+			hostname = await p.text({
+				message: "Domain where you'll deploy your PDS:",
+				placeholder: "pds.example.com",
+				initialValue: currentVars.PDS_HOSTNAME || "",
+				validate: (v) => !v ? "Hostname is required" : void 0
+			});
+			if (p.isCancel(hostname)) {
+				p.cancel("Cancelled");
+				process.exit(0);
+			}
+			handle = await p.text({
+				message: "Account handle:",
+				placeholder: hostname,
+				initialValue: currentVars.HANDLE || hostname,
+				validate: (v) => !v ? "Handle is required" : void 0
+			});
+			if (p.isCancel(handle)) {
+				p.cancel("Cancelled");
+				process.exit(0);
+			}
+			const didDefault = "did:web:" + hostname;
+			did = await p.text({
+				message: "Account DID:",
+				placeholder: didDefault,
+				initialValue: currentVars.DID || didDefault,
+				validate: (v) => {
+					if (!v) return "DID is required";
+					if (!v.startsWith("did:")) return "DID must start with did:";
+				}
+			});
+			if (p.isCancel(did)) {
+				p.cancel("Cancelled");
+				process.exit(0);
+			}
+			const defaultWorkerName = currentWorkerName || slugifyHandle(handle);
+			workerName = await p.text({
+				message: "Cloudflare Worker name:",
+				placeholder: defaultWorkerName,
+				initialValue: defaultWorkerName,
+				validate: (v) => {
+					if (!v) return "Worker name is required";
+					if (!/^[a-z0-9-]+$/.test(v)) return "Worker name can only contain lowercase letters, numbers, and hyphens";
+				}
+			});
+			if (p.isCancel(workerName)) {
+				p.cancel("Cancelled");
+				process.exit(0);
+			}
+			initialActive = "true";
+			if (handle === hostname) p.note([
+				"Your handle matches your PDS hostname, so your PDS will",
+				"automatically handle domain verification for you!",
+				"",
+				"For did:web, your PDS serves the DID document at:",
+				`  https://${hostname}/.well-known/did.json`,
+				"",
+				"For handle verification, it serves:",
+				`  https://${hostname}/.well-known/atproto-did`,
+				"",
+				"No additional DNS or hosting setup needed. Easy! 🎉"
+			].join("\n"), "Identity Setup 🪪");
+			else p.note([
+				"For did:web, your PDS will serve the DID document at:",
+				`  https://${hostname}/.well-known/did.json`,
+				"",
+				"To verify your handle, create a DNS TXT record:",
+				`  _atproto.${handle} TXT "did=${did}"`,
+				"",
+				"Or serve a file at:",
+				`  https://${handle}/.well-known/atproto-did`,
+				`  containing: ${did}`
+			].join("\n"), "Identity Setup 🪪");
 		}
 		const spinner = p.spinner();
 		let authToken;
@@ -424,14 +745,14 @@ const initCommand = defineCommand({
 				return secret;
 			});
 			passwordHash = await getOrGenerateSecret("PASSWORD_HASH", devVars, async () => {
-				const password = await promptPassword();
+				const password = await promptPassword(handle);
 				spinner.start("Hashing password...");
 				const hash = await hashPassword(password);
 				spinner.stop("Password hashed");
 				return hash;
 			});
 		} else {
-			const password = await promptPassword();
+			const password = await promptPassword(handle);
 			spinner.start("Hashing password...");
 			passwordHash = await hashPassword(password);
 			spinner.stop("Password hashed");
@@ -448,11 +769,13 @@ const initCommand = defineCommand({
 			spinner.stop("Signing keypair generated");
 		}
 		spinner.start("Updating wrangler.jsonc...");
+		setWorkerName(workerName);
 		setVars({
 			PDS_HOSTNAME: hostname,
 			DID: did,
 			HANDLE: handle,
-			SIGNING_KEY_PUBLIC: signingKeyPublic
+			SIGNING_KEY_PUBLIC: signingKeyPublic,
+			INITIAL_ACTIVE: initialActive
 		});
 		spinner.stop("wrangler.jsonc updated");
 		const local = !isProduction;
@@ -471,20 +794,49 @@ const initCommand = defineCommand({
 			spinner.stop("Failed to generate types (wrangler types)");
 		}
 		p.note([
-			"Configuration summary:",
-			"",
-			"  PDS_HOSTNAME: " + hostname,
+			"  Worker name:  " + workerName,
+			"  PDS hostname: " + hostname,
 			"  DID: " + did,
-			"  HANDLE: " + handle,
-			"  SIGNING_KEY_PUBLIC: " + signingKeyPublic,
+			"  Handle: " + handle,
+			"  Public signing key: " + signingKeyPublic.slice(0, 20) + "...",
 			"",
-			isProduction ? "Secrets deployed to Cloudflare" : "Secrets saved to .dev.vars",
+			isProduction ? "Secrets deployed to Cloudflare ☁️" : "Secrets saved to .dev.vars",
 			"",
 			"Auth token (save this!):",
 			"  " + authToken
-		].join("\n"), "Setup Complete");
-		if (isProduction) p.outro("Your PDS is configured! Run 'wrangler deploy' to deploy.");
-		else p.outro("Your PDS is configured! Run 'pnpm dev' to start locally.");
+		].join("\n"), "Your New Home 🏠");
+		let deployedSecrets = isProduction;
+		if (!isProduction) {
+			const deployNow = await p.confirm({
+				message: "Push secrets to Cloudflare now?",
+				initialValue: false
+			});
+			if (!p.isCancel(deployNow) && deployNow) {
+				spinner.start("Deploying secrets to Cloudflare...");
+				await setSecretValue("AUTH_TOKEN", authToken, false);
+				await setSecretValue("SIGNING_KEY", signingKey, false);
+				await setSecretValue("JWT_SECRET", jwtSecret, false);
+				await setSecretValue("PASSWORD_HASH", passwordHash, false);
+				spinner.stop("Secrets deployed to Cloudflare");
+				deployedSecrets = true;
+			}
+		}
+		if (isMigrating) p.note([
+			deployedSecrets ? "Deploy your worker and run the migration:" : "Push secrets, deploy, and run the migration:",
+			"",
+			...deployedSecrets ? [] : ["  pnpm pds init --production", ""],
+			"  wrangler deploy",
+			"  pnpm pds migrate",
+			"",
+			"To test locally first:",
+			"  pnpm dev              # in one terminal",
+			"  pnpm pds migrate --dev  # in another",
+			"",
+			"Then update your identity and flip the switch! 🦋",
+			"  https://atproto.com/guides/account-migration"
+		].join("\n"), "Next Steps 🧳");
+		if (deployedSecrets) p.outro("Run 'wrangler deploy' to launch your PDS! 🚀");
+		else p.outro("Run 'pnpm dev' to start your PDS locally! 🦋");
 	}
 });
 /**
@@ -505,6 +857,757 @@ async function getOrGenerateSecret(name, devVars, generate) {
 	return generate();
 }
 
+//#endregion
+//#region src/cli/utils/pds-client.ts
+var PDSClientError = class extends Error {
+	constructor(status, error, message) {
+		super(message);
+		this.status = status;
+		this.error = error;
+		this.name = "PDSClientError";
+	}
+};
+var PDSClient = class {
+	authToken;
+	constructor(baseUrl, authToken) {
+		this.baseUrl = baseUrl;
+		this.authToken = authToken;
+	}
+	/**
+	* Set the auth token for subsequent requests
+	*/
+	setAuthToken(token) {
+		this.authToken = token;
+	}
+	/**
+	* Make an XRPC request
+	*/
+	async xrpc(method, endpoint, options = {}) {
+		const url = new URL(`/xrpc/${endpoint}`, this.baseUrl);
+		if (options.params) for (const [key, value] of Object.entries(options.params)) url.searchParams.set(key, value);
+		const headers = {};
+		if (options.auth && this.authToken) headers["Authorization"] = `Bearer ${this.authToken}`;
+		if (options.contentType) headers["Content-Type"] = options.contentType;
+		else if (options.body && !(options.body instanceof Uint8Array)) headers["Content-Type"] = "application/json";
+		const res = await fetch(url.toString(), {
+			method,
+			headers,
+			body: options.body ? options.body instanceof Uint8Array ? options.body : JSON.stringify(options.body) : void 0
+		});
+		if (!res.ok) {
+			const errorBody = await res.json().catch(() => ({}));
+			throw new PDSClientError(res.status, errorBody.error ?? "Unknown", errorBody.message ?? `Request failed: ${res.status}`);
+		}
+		if ((res.headers.get("content-type") ?? "").includes("application/json")) return res.json();
+		return {};
+	}
+	/**
+	* Make a raw request that returns bytes
+	*/
+	async xrpcBytes(method, endpoint, options = {}) {
+		const url = new URL(`/xrpc/${endpoint}`, this.baseUrl);
+		if (options.params) for (const [key, value] of Object.entries(options.params)) url.searchParams.set(key, value);
+		const headers = {};
+		if (options.auth && this.authToken) headers["Authorization"] = `Bearer ${this.authToken}`;
+		if (options.contentType) headers["Content-Type"] = options.contentType;
+		const res = await fetch(url.toString(), {
+			method,
+			headers,
+			body: options.body
+		});
+		if (!res.ok) {
+			const errorBody = await res.json().catch(() => ({}));
+			throw new PDSClientError(res.status, errorBody.error ?? "Unknown", errorBody.message ?? `Request failed: ${res.status}`);
+		}
+		return {
+			bytes: new Uint8Array(await res.arrayBuffer()),
+			mimeType: res.headers.get("content-type") ?? "application/octet-stream"
+		};
+	}
+	/**
+	* Create a session with identifier and password
+	*/
+	async createSession(identifier, password) {
+		return this.xrpc("POST", "com.atproto.server.createSession", { body: {
+			identifier,
+			password
+		} });
+	}
+	/**
+	* Get repository description including collections
+	*/
+	async describeRepo(did) {
+		return this.xrpc("GET", "com.atproto.repo.describeRepo", { params: { repo: did } });
+	}
+	/**
+	* Get profile stats from AppView (posts, follows, followers counts)
+	*/
+	async getProfileStats(did) {
+		try {
+			const res = await fetch(`https://public.api.bsky.app/xrpc/app.bsky.actor.getProfile?actor=${encodeURIComponent(did)}`);
+			if (!res.ok) return null;
+			const profile = await res.json();
+			return {
+				postsCount: profile.postsCount ?? 0,
+				followsCount: profile.followsCount ?? 0,
+				followersCount: profile.followersCount ?? 0
+			};
+		} catch {
+			return null;
+		}
+	}
+	/**
+	* Export repository as CAR file
+	*/
+	async getRepo(did) {
+		const { bytes } = await this.xrpcBytes("GET", "com.atproto.sync.getRepo", { params: { did } });
+		return bytes;
+	}
+	/**
+	* Get a blob by CID
+	*/
+	async getBlob(did, cid) {
+		return this.xrpcBytes("GET", "com.atproto.sync.getBlob", { params: {
+			did,
+			cid
+		} });
+	}
+	/**
+	* List blobs in repository
+	*/
+	async listBlobs(did, cursor) {
+		const params = { did };
+		if (cursor) params.cursor = cursor;
+		return this.xrpc("GET", "com.atproto.sync.listBlobs", { params });
+	}
+	/**
+	* Get account status including migration progress
+	*/
+	async getAccountStatus() {
+		return this.xrpc("GET", "com.atproto.server.getAccountStatus", { auth: true });
+	}
+	/**
+	* Import repository from CAR file
+	*/
+	async importRepo(carBytes) {
+		return this.xrpc("POST", "com.atproto.repo.importRepo", {
+			body: carBytes,
+			contentType: "application/vnd.ipld.car",
+			auth: true
+		});
+	}
+	/**
+	* List blobs that are missing (referenced but not imported)
+	*/
+	async listMissingBlobs(limit, cursor) {
+		const params = {};
+		if (limit) params.limit = String(limit);
+		if (cursor) params.cursor = cursor;
+		return this.xrpc("GET", "com.atproto.repo.listMissingBlobs", {
+			params,
+			auth: true
+		});
+	}
+	/**
+	* Upload a blob
+	*/
+	async uploadBlob(bytes, mimeType) {
+		return (await this.xrpc("POST", "com.atproto.repo.uploadBlob", {
+			body: bytes,
+			contentType: mimeType,
+			auth: true
+		})).blob;
+	}
+	/**
+	* Reset migration state (only works on deactivated accounts)
+	*/
+	async resetMigration() {
+		return this.xrpc("POST", "gg.mk.experimental.resetMigration", { auth: true });
+	}
+	/**
+	* Activate account to enable writes
+	*/
+	async activateAccount() {
+		await this.xrpc("POST", "com.atproto.server.activateAccount", { auth: true });
+	}
+	/**
+	* Deactivate account to disable writes
+	*/
+	async deactivateAccount() {
+		await this.xrpc("POST", "com.atproto.server.deactivateAccount", { auth: true });
+	}
+	/**
+	* Check if the PDS is reachable
+	*/
+	async healthCheck() {
+		try {
+			return (await fetch(new URL("/xrpc/_health", this.baseUrl).toString())).ok;
+		} catch {
+			return false;
+		}
+	}
+};
+
+//#endregion
+//#region src/cli/utils/cli-helpers.ts
+/**
+* Shared CLI utilities for PDS commands
+*/
+/**
+* Get target PDS URL based on mode
+*/
+function getTargetUrl(isDev, pdsHostname) {
+	const LOCAL_PDS_URL = "http://localhost:5173";
+	if (isDev) return LOCAL_PDS_URL;
+	if (!pdsHostname) throw new Error("PDS_HOSTNAME not configured in wrangler.jsonc");
+	return `https://${pdsHostname}`;
+}
+/**
+* Extract domain from URL
+*/
+function getDomain(url) {
+	try {
+		return new URL(url).hostname;
+	} catch {
+		return url;
+	}
+}
+
+//#endregion
+//#region src/cli/commands/migrate.ts
+function detectPackageManager() {
+	const userAgent = process.env.npm_config_user_agent || "";
+	if (userAgent.startsWith("yarn")) return "yarn";
+	if (userAgent.startsWith("pnpm")) return "pnpm";
+	if (userAgent.startsWith("bun")) return "bun";
+	return "npm";
+}
+const brightNote$1 = (lines) => lines.map((l) => `\x1b[0m${l}`).join("\n");
+const bold$1 = (text) => pc.bold(text);
+/**
+* Format number with commas
+*/
+function formatNumber(n) {
+	return n.toLocaleString();
+}
+/**
+* Format bytes to human-readable size
+*/
+function formatBytes(bytes) {
+	if (bytes < 1024) return `${bytes} B`;
+	if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(1)} KB`;
+	return `${(bytes / (1024 * 1024)).toFixed(1)} MB`;
+}
+const migrateCommand = defineCommand({
+	meta: {
+		name: "migrate",
+		description: "Migrate account from source PDS to your new PDS"
+	},
+	args: {
+		clean: {
+			type: "boolean",
+			description: "Reset migration and start fresh",
+			default: false
+		},
+		dev: {
+			type: "boolean",
+			description: "Target local development server instead of production",
+			default: false
+		}
+	},
+	async run({ args }) {
+		const pm = detectPackageManager();
+		const isDev = args.dev;
+		const vars = getVars();
+		let targetUrl;
+		try {
+			targetUrl = getTargetUrl(isDev, vars.PDS_HOSTNAME);
+		} catch (err) {
+			p.log.error(err instanceof Error ? err.message : "Configuration error");
+			p.log.info("Run 'pds init' first to configure your PDS.");
+			process.exit(1);
+		}
+		const targetDomain = getDomain(targetUrl);
+		p.intro("🦋 PDS Migration");
+		const spinner = p.spinner();
+		spinner.start(`Checking PDS at ${targetDomain}...`);
+		const targetClient = new PDSClient(targetUrl);
+		if (!await targetClient.healthCheck()) {
+			spinner.stop(`PDS not responding at ${targetDomain}`);
+			if (isDev) {
+				p.log.error(`Your local PDS isn't running at ${targetUrl}`);
+				p.log.info(`Start it with: ${pm} dev`);
+			} else {
+				p.log.error(`Your PDS isn't responding at ${targetUrl}`);
+				p.log.info("Make sure your worker is deployed: wrangler deploy");
+				p.log.info(`Or test locally first: ${pm} pds migrate --dev`);
+			}
+			p.outro("Migration cancelled.");
+			process.exit(1);
+		}
+		spinner.stop(`Connected to ${targetDomain}`);
+		const wranglerVars = getVars();
+		const config = {
+			...readDevVars(),
+			...wranglerVars
+		};
+		const did = config.DID;
+		const handle = config.HANDLE;
+		const authToken = config.AUTH_TOKEN;
+		if (!did) {
+			p.log.error("No DID configured. Run 'pds init' first.");
+			p.outro("Migration cancelled.");
+			process.exit(1);
+		}
+		if (!authToken) {
+			p.log.error("No AUTH_TOKEN found. Run 'pds init' first.");
+			p.outro("Migration cancelled.");
+			process.exit(1);
+		}
+		targetClient.setAuthToken(authToken);
+		spinner.start(`Looking up @${handle}...`);
+		const didDoc = await new DidResolver().resolve(did);
+		if (!didDoc) {
+			spinner.stop("Failed to resolve DID");
+			p.log.error(`Could not resolve DID: ${did}`);
+			p.outro("Migration cancelled.");
+			process.exit(1);
+		}
+		const sourcePdsUrl = getPdsEndpoint(didDoc);
+		if (!sourcePdsUrl) {
+			spinner.stop("No PDS found in DID document");
+			p.log.error("Could not find PDS endpoint in DID document");
+			p.outro("Migration cancelled.");
+			process.exit(1);
+		}
+		const sourceDomain = getDomain(sourcePdsUrl);
+		spinner.stop(`Found your account at ${sourceDomain}`);
+		spinner.start("Checking account status...");
+		let status;
+		try {
+			status = await targetClient.getAccountStatus();
+		} catch (err) {
+			spinner.stop("Failed to get account status");
+			p.log.error(err instanceof Error ? err.message : "Could not get account status");
+			p.outro("Migration cancelled.");
+			process.exit(1);
+		}
+		spinner.stop("Account status retrieved");
+		if (args.clean) {
+			if (status.active) {
+				p.log.error("Cannot reset: account is active");
+				p.log.info("The --clean flag only works on deactivated accounts.");
+				p.log.info("Your account is already live in the Atmosphere.");
+				p.log.info("");
+				p.log.info("If you need to re-import, first deactivate:");
+				p.log.info("  pnpm pds deactivate");
+				p.outro("Migration cancelled.");
+				process.exit(1);
+			}
+			p.note(brightNote$1([
+				bold$1("This will permanently delete from your new PDS:"),
+				"",
+				`  • ${formatNumber(status.repoBlocks)} repository blocks`,
+				`  • ${formatNumber(status.importedBlobs)} imported images`,
+				"  • All blob tracking data",
+				"",
+				bold$1(`Your data on ${sourceDomain} is NOT affected.`),
+				"You'll need to re-import everything."
+			]), "⚠️  Reset Migration Data");
+			const confirmReset = await p.confirm({
+				message: "Are you sure you want to delete this data?",
+				initialValue: false
+			});
+			if (p.isCancel(confirmReset) || !confirmReset) {
+				p.cancel("Keeping your data.");
+				process.exit(0);
+			}
+			spinner.start("Resetting migration state...");
+			try {
+				const result = await targetClient.resetMigration();
+				spinner.stop(`Deleted ${formatNumber(result.blocksDeleted)} blocks, ${formatNumber(result.blobsCleared)} blobs`);
+			} catch (err) {
+				spinner.stop("Reset failed");
+				p.log.error(err instanceof Error ? err.message : "Could not reset migration");
+				p.outro("Migration cancelled.");
+				process.exit(1);
+			}
+			p.log.success("Clean slate! Starting fresh migration...");
+			status = await targetClient.getAccountStatus();
+		}
+		if (status.active) {
+			p.log.warn("Your account is already active in the Atmosphere!");
+			p.log.info("No migration needed - your PDS is live.");
+			p.outro("All good! 🦋");
+			return;
+		}
+		spinner.start(`Fetching your account details from ${sourceDomain}...`);
+		const sourceClient = new PDSClient(sourcePdsUrl);
+		try {
+			await sourceClient.describeRepo(did);
+		} catch (err) {
+			spinner.stop("Failed to fetch account details");
+			p.log.error(err instanceof Error ? err.message : "Could not fetch account details from source PDS");
+			p.outro("Migration cancelled.");
+			process.exit(1);
+		}
+		const profileStats = await sourceClient.getProfileStats(did);
+		spinner.stop("Account details fetched");
+		const needsRepoImport = status.repoBlocks === 0 || status.indexedRecords === 0 && status.expectedBlobs === 0;
+		const needsBlobSync = status.expectedBlobs - status.importedBlobs > 0 || needsRepoImport;
+		if (!needsRepoImport && needsBlobSync) {
+			p.log.info("Welcome back!");
+			p.log.info("Looks like you started packing earlier. Let's pick up where we left off.");
+			p.note([
+				`@${handle} (${did.slice(0, 20)}...)`,
+				"",
+				"✓ Repository imported",
+				`◐ Images: ${formatNumber(status.importedBlobs)}/${formatNumber(status.expectedBlobs)} transferred`
+			].join("\n"), "Migration Progress");
+			const continueTransfer = await p.confirm({
+				message: "Continue transferring images?",
+				initialValue: true
+			});
+			if (p.isCancel(continueTransfer) || !continueTransfer) {
+				p.cancel("Migration paused.");
+				process.exit(0);
+			}
+		} else if (needsRepoImport) {
+			p.log.info("Time to pack your bags!");
+			p.log.info("Let's move your Bluesky account to its new home in the Atmosphere.");
+			const statsLines = profileStats ? [
+				`  📝 ${formatNumber(profileStats.postsCount)} posts`,
+				`  👥 ${formatNumber(profileStats.followsCount)} follows`,
+				`  ...plus all your images, likes, and blocks`
+			] : [`  📝 Posts, follows, images, likes, and blocks`];
+			p.note(brightNote$1([
+				bold$1(`@${handle}`) + ` (${did.slice(0, 20)}...)`,
+				"",
+				`Currently at:  ${sourceDomain}`,
+				`Moving to:     ${targetDomain}`,
+				"",
+				"What you're bringing:",
+				...statsLines
+			]), "Your Bluesky Account 🦋");
+			p.log.info("This will copy your data - nothing is changed or deleted on Bluesky.");
+			const proceed = await p.confirm({
+				message: "Ready to start packing?",
+				initialValue: true
+			});
+			if (p.isCancel(proceed) || !proceed) {
+				p.cancel("Migration cancelled.");
+				process.exit(0);
+			}
+		} else {
+			p.log.success("All packed and moved! 🦋");
+			showNextSteps(pm, sourceDomain);
+			p.outro("Welcome to your new home in the Atmosphere! 🦋");
+			return;
+		}
+		const isBlueskyPds = sourceDomain.endsWith(".bsky.network");
+		const passwordPrompt = isBlueskyPds ? "Your current Bluesky password:" : `Your ${sourceDomain} password:`;
+		const password = await p.password({ message: passwordPrompt });
+		if (p.isCancel(password)) {
+			p.cancel("Migration cancelled.");
+			process.exit(0);
+		}
+		spinner.start(`Logging in to ${isBlueskyPds ? "Bluesky" : sourceDomain}...`);
+		try {
+			const session = await sourceClient.createSession(did, password);
+			sourceClient.setAuthToken(session.accessJwt);
+			spinner.stop("Authenticated successfully");
+		} catch (err) {
+			spinner.stop("Login failed");
+			if (err instanceof PDSClientError) p.log.error(`Authentication failed: ${err.message}`);
+			else p.log.error(err instanceof Error ? err.message : "Authentication failed");
+			p.outro("Migration cancelled.");
+			process.exit(1);
+		}
+		if (needsRepoImport) {
+			spinner.start("Packing your repository...");
+			let carBytes;
+			try {
+				carBytes = await sourceClient.getRepo(did);
+				spinner.stop(`Downloaded ${formatBytes(carBytes.length)} from ${sourceDomain}`);
+			} catch (err) {
+				spinner.stop("Export failed");
+				p.log.error(err instanceof Error ? err.message : "Could not export repository");
+				p.outro("Migration cancelled.");
+				process.exit(1);
+			}
+			spinner.start(`Unpacking at ${targetDomain}...`);
+			try {
+				await targetClient.importRepo(carBytes);
+				spinner.stop("Repository imported");
+			} catch (err) {
+				spinner.stop("Import failed");
+				p.log.error(err instanceof Error ? err.message : "Could not import repository");
+				p.outro("Migration cancelled.");
+				process.exit(1);
+			}
+			status = await targetClient.getAccountStatus();
+		}
+		if (status.expectedBlobs - status.importedBlobs > 0) {
+			let synced = 0;
+			let totalBlobs = 0;
+			let cursor;
+			let failedBlobs = [];
+			const progressBar = (current, total) => {
+				const width = 20;
+				const ratio = total > 0 ? Math.min(1, current / total) : 0;
+				const filled = Math.round(ratio * width);
+				const empty = width - filled;
+				return `${"█".repeat(filled)}${"░".repeat(empty)} ${current}/${total}`;
+			};
+			spinner.start("Counting images to transfer...");
+			let countCursor;
+			do {
+				const page = await targetClient.listMissingBlobs(500, countCursor);
+				totalBlobs += page.blobs.length;
+				countCursor = page.cursor;
+			} while (countCursor);
+			spinner.message(`Transferring images ${progressBar(0, totalBlobs)}`);
+			do {
+				const page = await targetClient.listMissingBlobs(100, cursor);
+				cursor = page.cursor;
+				for (const blob of page.blobs) try {
+					const { bytes, mimeType } = await sourceClient.getBlob(did, blob.cid);
+					await targetClient.uploadBlob(bytes, mimeType);
+					synced++;
+					spinner.message(`Transferring images ${progressBar(synced, totalBlobs)}`);
+				} catch (err) {
+					synced++;
+					failedBlobs.push(blob.cid);
+					spinner.message(`Transferring images ${progressBar(synced, totalBlobs)}`);
+				}
+			} while (cursor);
+			if (failedBlobs.length > 0) {
+				spinner.stop(`Transferred ${formatNumber(synced - failedBlobs.length)} images (${failedBlobs.length} failed)`);
+				p.log.warn(`Run 'pds migrate' again to retry failed transfers.`);
+			} else spinner.stop(`Transferred ${formatNumber(synced)} images`);
+		}
+		spinner.start("Verifying migration...");
+		const finalStatus = await targetClient.getAccountStatus();
+		spinner.stop("Verification complete");
+		if (finalStatus.importedBlobs >= finalStatus.expectedBlobs) p.log.success("All packed and moved! 🦋");
+		else {
+			p.log.warn(`Migration partially complete. ${finalStatus.expectedBlobs - finalStatus.importedBlobs} images remaining.`);
+			p.log.info("Run 'pds migrate' again to continue.");
+		}
+		showNextSteps(pm, sourceDomain);
+		p.outro("Welcome to your new home in the Atmosphere! 🦋");
+	}
+});
+function showNextSteps(pm, sourceDomain) {
+	p.note(brightNote$1([
+		bold$1("Your data is safe in your new PDS."),
+		"Two more steps to go live in the Atmosphere:",
+		"",
+		bold$1("1. Update your identity"),
+		"   Tell the network where you live now.",
+		`   (Requires email verification from ${sourceDomain})`,
+		"",
+		bold$1("2. Flip the switch"),
+		`   ${pm} pds activate`,
+		"",
+		"Docs: https://atproto.com/guides/account-migration"
+	]), "Almost there!");
+}
+
+//#endregion
+//#region src/cli/commands/activate.ts
+/**
+* Activate account command - enables writes after migration
+*/
+const activateCommand = defineCommand({
+	meta: {
+		name: "activate",
+		description: "Activate your account to enable writes and go live"
+	},
+	args: { dev: {
+		type: "boolean",
+		description: "Target local development server instead of production",
+		default: false
+	} },
+	async run({ args }) {
+		const isDev = args.dev;
+		p.intro("🦋 Activate Account");
+		const vars = getVars();
+		let targetUrl;
+		try {
+			targetUrl = getTargetUrl(isDev, vars.PDS_HOSTNAME);
+		} catch (err) {
+			p.log.error(err instanceof Error ? err.message : "Configuration error");
+			p.log.info("Run 'pds init' first to configure your PDS.");
+			process.exit(1);
+		}
+		const targetDomain = getDomain(targetUrl);
+		const wranglerVars = getVars();
+		const config = {
+			...readDevVars(),
+			...wranglerVars
+		};
+		const authToken = config.AUTH_TOKEN;
+		const handle = config.HANDLE;
+		if (!authToken) {
+			p.log.error("No AUTH_TOKEN found. Run 'pds init' first.");
+			p.outro("Activation cancelled.");
+			process.exit(1);
+		}
+		const client = new PDSClient(targetUrl, authToken);
+		const spinner = p.spinner();
+		spinner.start(`Checking PDS at ${targetDomain}...`);
+		if (!await client.healthCheck()) {
+			spinner.stop(`PDS not responding at ${targetDomain}`);
+			p.log.error(`Your PDS isn't responding at ${targetUrl}`);
+			if (!isDev) p.log.info("Make sure your worker is deployed: wrangler deploy");
+			p.outro("Activation cancelled.");
+			process.exit(1);
+		}
+		spinner.stop(`Connected to ${targetDomain}`);
+		spinner.start("Checking account status...");
+		const status = await client.getAccountStatus();
+		spinner.stop("Account status retrieved");
+		if (status.active) {
+			p.log.warn("Your account is already active!");
+			p.log.info("No action needed - you're live in the Atmosphere. 🦋");
+			p.outro("All good!");
+			return;
+		}
+		p.note([
+			`@${handle || "your-handle"}`,
+			"",
+			"This will enable writes and make your account live.",
+			"Make sure you've:",
+			"  ✓ Updated your DID document to point here",
+			"  ✓ Completed email verification (if required)"
+		].join("\n"), "Ready to go live?");
+		const confirm = await p.confirm({
+			message: "Activate account?",
+			initialValue: true
+		});
+		if (p.isCancel(confirm) || !confirm) {
+			p.cancel("Activation cancelled.");
+			process.exit(0);
+		}
+		spinner.start("Activating account...");
+		try {
+			await client.activateAccount();
+			spinner.stop("Account activated!");
+		} catch (err) {
+			spinner.stop("Activation failed");
+			p.log.error(err instanceof Error ? err.message : "Could not activate account");
+			p.outro("Activation failed.");
+			process.exit(1);
+		}
+		p.log.success("Welcome to the Atmosphere! 🦋");
+		p.log.info("Your account is now live and accepting writes.");
+		p.outro("All set!");
+	}
+});
+
+//#endregion
+//#region src/cli/commands/deactivate.ts
+/**
+* Deactivate account command - disables writes for re-import
+*/
+const brightNote = (lines) => lines.map((l) => `\x1b[0m${l}`).join("\n");
+const bold = (text) => pc.bold(text);
+const deactivateCommand = defineCommand({
+	meta: {
+		name: "deactivate",
+		description: "Deactivate your account to enable re-import"
+	},
+	args: { dev: {
+		type: "boolean",
+		description: "Target local development server instead of production",
+		default: false
+	} },
+	async run({ args }) {
+		const isDev = args.dev;
+		p.intro("🦋 Deactivate Account");
+		const vars = getVars();
+		let targetUrl;
+		try {
+			targetUrl = getTargetUrl(isDev, vars.PDS_HOSTNAME);
+		} catch (err) {
+			p.log.error(err instanceof Error ? err.message : "Configuration error");
+			p.log.info("Run 'pds init' first to configure your PDS.");
+			process.exit(1);
+		}
+		const targetDomain = getDomain(targetUrl);
+		const wranglerVars = getVars();
+		const config = {
+			...readDevVars(),
+			...wranglerVars
+		};
+		const authToken = config.AUTH_TOKEN;
+		const handle = config.HANDLE;
+		if (!authToken) {
+			p.log.error("No AUTH_TOKEN found. Run 'pds init' first.");
+			p.outro("Deactivation cancelled.");
+			process.exit(1);
+		}
+		const client = new PDSClient(targetUrl, authToken);
+		const spinner = p.spinner();
+		spinner.start(`Checking PDS at ${targetDomain}...`);
+		if (!await client.healthCheck()) {
+			spinner.stop(`PDS not responding at ${targetDomain}`);
+			p.log.error(`Your PDS isn't responding at ${targetUrl}`);
+			if (!isDev) p.log.info("Make sure your worker is deployed: wrangler deploy");
+			p.outro("Deactivation cancelled.");
+			process.exit(1);
+		}
+		spinner.stop(`Connected to ${targetDomain}`);
+		spinner.start("Checking account status...");
+		const status = await client.getAccountStatus();
+		spinner.stop("Account status retrieved");
+		if (!status.active) {
+			p.log.warn("Your account is already deactivated.");
+			p.log.info("Writes are disabled. Use 'pds activate' to re-enable.");
+			p.outro("Already deactivated.");
+			return;
+		}
+		p.note(brightNote([
+			bold(`⚠️  WARNING: This will disable writes for @${handle || "your-handle"}`),
+			"",
+			"Your account will:",
+			"  • Stop accepting new posts, follows, and other writes",
+			"  • Remain readable in the Atmosphere",
+			"  • Allow you to use 'pds migrate --clean' to re-import",
+			"",
+			bold("Only deactivate if you need to re-import your data.")
+		]), "Deactivate Account");
+		const confirm = await p.confirm({
+			message: "Are you sure you want to deactivate?",
+			initialValue: false
+		});
+		if (p.isCancel(confirm) || !confirm) {
+			p.cancel("Deactivation cancelled.");
+			process.exit(0);
+		}
+		spinner.start("Deactivating account...");
+		try {
+			await client.deactivateAccount();
+			spinner.stop("Account deactivated");
+		} catch (err) {
+			spinner.stop("Deactivation failed");
+			p.log.error(err instanceof Error ? err.message : "Could not deactivate account");
+			p.outro("Deactivation failed.");
+			process.exit(1);
+		}
+		p.log.success("Account deactivated");
+		p.log.info("Writes are now disabled.");
+		p.log.info("");
+		p.log.info("To re-import your data:");
+		p.log.info("  pnpm pds migrate --clean");
+		p.log.info("");
+		p.log.info("To re-enable writes:");
+		p.log.info("  pnpm pds activate");
+		p.outro("Deactivated.");
+	}
+});
+
 //#endregion
 //#region src/cli/index.ts
 /**
@@ -518,7 +1621,10 @@ runMain(defineCommand({
 	},
 	subCommands: {
 		init: initCommand,
-		secret: secretCommand
+		secret: secretCommand,
+		migrate: migrateCommand,
+		activate: activateCommand,
+		deactivate: deactivateCommand
 	}
 }));