@ascorbic/pds 0.1.0 → 0.2.0

package/dist/index.js

@@ -1,14 +1,15 @@
 import { DurableObject, env, waitUntil } from "cloudflare:workers";
 import { BlockMap, ReadableBlockstore, Repo, WriteOpAction, blocksToCarFile, readCarWithRoot } from "@atproto/repo";
 import { Secp256k1Keypair, randomStr, verifySignature } from "@atproto/crypto";
-import { CID } from "@atproto/lex-data";
+import { CID, asCid, isBlobRef } from "@atproto/lex-data";
 import { TID, check, didDocument, getServiceEndpoint } from "@atproto/common-web";
 import { AtUri, ensureValidDid, ensureValidHandle } from "@atproto/syntax";
 import { cidForRawBytes, decode, encode } from "@atproto/lex-cbor";
 import { Hono } from "hono";
 import { cors } from "hono/cors";
 import { SignJWT, jwtVerify } from "jose";
-import { compare } from "bcryptjs";
+import { compare, compare as compare$1 } from "bcryptjs";
+import { ATProtoOAuthProvider } from "@ascorbic/atproto-oauth-provider";
 import { Lexicons, jsonToLex } from "@atproto/lexicon";
 
 //#region rolldown:runtime
@@ -42,8 +43,9 @@ var SqliteRepoStorage = class extends ReadableBlockstore {
 	}
 	/**
 	* Initialize the database schema. Should be called once on DO startup.
+	* @param initialActive - Whether the account should start in active state (default true)
 	*/
-	initSchema() {
+	initSchema(initialActive = true) {
 		this.sql.exec(`
 			-- Block storage (MST nodes + record blocks)
 			CREATE TABLE IF NOT EXISTS blocks (
@@ -59,12 +61,13 @@ var SqliteRepoStorage = class extends ReadableBlockstore {
 				id INTEGER PRIMARY KEY CHECK (id = 1),
 				root_cid TEXT,
 				rev TEXT,
-				seq INTEGER NOT NULL DEFAULT 0
+				seq INTEGER NOT NULL DEFAULT 0,
+				active INTEGER NOT NULL DEFAULT 1
 			);
 
 			-- Initialize with empty state if not exists
-			INSERT OR IGNORE INTO repo_state (id, root_cid, rev, seq)
-			VALUES (1, NULL, NULL, 0);
+			INSERT OR IGNORE INTO repo_state (id, root_cid, rev, seq, active)
+			VALUES (1, NULL, NULL, 0, ${initialActive ? 1 : 0});
 
 			-- Firehose events (sequenced commit log)
 			CREATE TABLE IF NOT EXISTS firehose_events (
@@ -84,6 +87,23 @@ var SqliteRepoStorage = class extends ReadableBlockstore {
 
 			-- Initialize with empty preferences array if not exists
 			INSERT OR IGNORE INTO preferences (id, data) VALUES (1, '[]');
+
+			-- Track blob references in records (populated during importRepo)
+			CREATE TABLE IF NOT EXISTS record_blob (
+				recordUri TEXT NOT NULL,
+				blobCid TEXT NOT NULL,
+				PRIMARY KEY (recordUri, blobCid)
+			);
+
+			CREATE INDEX IF NOT EXISTS idx_record_blob_cid ON record_blob(blobCid);
+
+			-- Track successfully imported blobs (populated during uploadBlob)
+			CREATE TABLE IF NOT EXISTS imported_blobs (
+				cid TEXT PRIMARY KEY,
+				size INTEGER NOT NULL,
+				mimeType TEXT,
+				createdAt TEXT NOT NULL DEFAULT (datetime('now'))
+			);
 		`);
 	}
 	/**
@@ -215,6 +235,318 @@ var SqliteRepoStorage = class extends ReadableBlockstore {
 		const data = JSON.stringify(preferences);
 		this.sql.exec("UPDATE preferences SET data = ? WHERE id = 1", data);
 	}
+	/**
+	* Get the activation state of the account.
+	*/
+	async getActive() {
+		const rows = this.sql.exec("SELECT active FROM repo_state WHERE id = 1").toArray();
+		return rows.length > 0 ? rows[0].active === 1 : true;
+	}
+	/**
+	* Set the activation state of the account.
+	*/
+	async setActive(active) {
+		this.sql.exec("UPDATE repo_state SET active = ? WHERE id = 1", active ? 1 : 0);
+	}
+	/**
+	* Add a blob reference from a record.
+	*/
+	addRecordBlob(recordUri, blobCid) {
+		this.sql.exec("INSERT OR IGNORE INTO record_blob (recordUri, blobCid) VALUES (?, ?)", recordUri, blobCid);
+	}
+	/**
+	* Add multiple blob references from a record.
+	*/
+	addRecordBlobs(recordUri, blobCids) {
+		for (const cid of blobCids) this.addRecordBlob(recordUri, cid);
+	}
+	/**
+	* Remove all blob references for a record.
+	*/
+	removeRecordBlobs(recordUri) {
+		this.sql.exec("DELETE FROM record_blob WHERE recordUri = ?", recordUri);
+	}
+	/**
+	* Track an imported blob.
+	*/
+	trackImportedBlob(cid, size, mimeType) {
+		this.sql.exec("INSERT OR REPLACE INTO imported_blobs (cid, size, mimeType) VALUES (?, ?, ?)", cid, size, mimeType);
+	}
+	/**
+	* Check if a blob has been imported.
+	*/
+	isBlobImported(cid) {
+		return this.sql.exec("SELECT 1 FROM imported_blobs WHERE cid = ? LIMIT 1", cid).toArray().length > 0;
+	}
+	/**
+	* Count expected blobs (distinct blobs referenced by records).
+	*/
+	countExpectedBlobs() {
+		const rows = this.sql.exec("SELECT COUNT(DISTINCT blobCid) as count FROM record_blob").toArray();
+		return rows.length > 0 ? rows[0].count ?? 0 : 0;
+	}
+	/**
+	* Count imported blobs.
+	*/
+	countImportedBlobs() {
+		const rows = this.sql.exec("SELECT COUNT(*) as count FROM imported_blobs").toArray();
+		return rows.length > 0 ? rows[0].count ?? 0 : 0;
+	}
+	/**
+	* List blobs that are referenced but not yet imported.
+	*/
+	listMissingBlobs(limit = 500, cursor) {
+		const blobs = [];
+		const query = cursor ? `SELECT rb.blobCid, rb.recordUri FROM record_blob rb
+				 LEFT JOIN imported_blobs ib ON rb.blobCid = ib.cid
+				 WHERE ib.cid IS NULL AND rb.blobCid > ?
+				 ORDER BY rb.blobCid
+				 LIMIT ?` : `SELECT rb.blobCid, rb.recordUri FROM record_blob rb
+				 LEFT JOIN imported_blobs ib ON rb.blobCid = ib.cid
+				 WHERE ib.cid IS NULL
+				 ORDER BY rb.blobCid
+				 LIMIT ?`;
+		const rows = cursor ? this.sql.exec(query, cursor, limit + 1).toArray() : this.sql.exec(query, limit + 1).toArray();
+		for (const row of rows.slice(0, limit)) blobs.push({
+			cid: row.blobCid,
+			recordUri: row.recordUri
+		});
+		return {
+			blobs,
+			cursor: rows.length > limit ? blobs[blobs.length - 1]?.cid : void 0
+		};
+	}
+	/**
+	* Clear all blob tracking data (for testing).
+	*/
+	clearBlobTracking() {
+		this.sql.exec("DELETE FROM record_blob");
+		this.sql.exec("DELETE FROM imported_blobs");
+	}
+};
+
+//#endregion
+//#region src/oauth-storage.ts
+/**
+* SQLite-backed OAuth storage for Cloudflare Durable Objects.
+*
+* Implements the OAuthStorage interface from @ascorbic/atproto-oauth-provider,
+* storing OAuth data in SQLite tables within a Durable Object.
+*/
+var SqliteOAuthStorage = class {
+	constructor(sql) {
+		this.sql = sql;
+	}
+	/**
+	* Initialize the OAuth database schema. Should be called once on DO startup.
+	*/
+	initSchema() {
+		this.sql.exec(`
+			-- Authorization codes (5 min TTL)
+			CREATE TABLE IF NOT EXISTS oauth_auth_codes (
+				code TEXT PRIMARY KEY,
+				client_id TEXT NOT NULL,
+				redirect_uri TEXT NOT NULL,
+				code_challenge TEXT NOT NULL,
+				code_challenge_method TEXT NOT NULL DEFAULT 'S256',
+				scope TEXT NOT NULL,
+				sub TEXT NOT NULL,
+				expires_at INTEGER NOT NULL
+			);
+
+			CREATE INDEX IF NOT EXISTS idx_auth_codes_expires ON oauth_auth_codes(expires_at);
+
+			-- OAuth tokens
+			CREATE TABLE IF NOT EXISTS oauth_tokens (
+				access_token TEXT PRIMARY KEY,
+				refresh_token TEXT NOT NULL UNIQUE,
+				client_id TEXT NOT NULL,
+				sub TEXT NOT NULL,
+				scope TEXT NOT NULL,
+				dpop_jkt TEXT,
+				issued_at INTEGER NOT NULL,
+				expires_at INTEGER NOT NULL,
+				revoked INTEGER NOT NULL DEFAULT 0
+			);
+
+			CREATE INDEX IF NOT EXISTS idx_tokens_refresh ON oauth_tokens(refresh_token);
+			CREATE INDEX IF NOT EXISTS idx_tokens_sub ON oauth_tokens(sub);
+			CREATE INDEX IF NOT EXISTS idx_tokens_expires ON oauth_tokens(expires_at);
+
+			-- Cached client metadata
+			CREATE TABLE IF NOT EXISTS oauth_clients (
+				client_id TEXT PRIMARY KEY,
+				client_name TEXT NOT NULL,
+				redirect_uris TEXT NOT NULL,
+				logo_uri TEXT,
+				client_uri TEXT,
+				cached_at INTEGER NOT NULL
+			);
+
+			-- PAR requests (90 sec TTL)
+			CREATE TABLE IF NOT EXISTS oauth_par_requests (
+				request_uri TEXT PRIMARY KEY,
+				client_id TEXT NOT NULL,
+				params TEXT NOT NULL,
+				expires_at INTEGER NOT NULL
+			);
+
+			CREATE INDEX IF NOT EXISTS idx_par_expires ON oauth_par_requests(expires_at);
+
+			-- DPoP nonces for replay prevention (5 min TTL)
+			CREATE TABLE IF NOT EXISTS oauth_nonces (
+				nonce TEXT PRIMARY KEY,
+				created_at INTEGER NOT NULL
+			);
+
+			CREATE INDEX IF NOT EXISTS idx_nonces_created ON oauth_nonces(created_at);
+		`);
+	}
+	/**
+	* Clean up expired entries. Should be called periodically.
+	*/
+	cleanup() {
+		const now = Date.now();
+		this.sql.exec("DELETE FROM oauth_auth_codes WHERE expires_at < ?", now);
+		this.sql.exec("DELETE FROM oauth_tokens WHERE expires_at < ? AND revoked = 0", now);
+		this.sql.exec("DELETE FROM oauth_par_requests WHERE expires_at < ?", now);
+		const nonceExpiry = now - 300 * 1e3;
+		this.sql.exec("DELETE FROM oauth_nonces WHERE created_at < ?", nonceExpiry);
+	}
+	async saveAuthCode(code, data) {
+		this.sql.exec(`INSERT INTO oauth_auth_codes
+			(code, client_id, redirect_uri, code_challenge, code_challenge_method, scope, sub, expires_at)
+			VALUES (?, ?, ?, ?, ?, ?, ?, ?)`, code, data.clientId, data.redirectUri, data.codeChallenge, data.codeChallengeMethod, data.scope, data.sub, data.expiresAt);
+	}
+	async getAuthCode(code) {
+		const rows = this.sql.exec(`SELECT client_id, redirect_uri, code_challenge, code_challenge_method, scope, sub, expires_at
+				FROM oauth_auth_codes WHERE code = ?`, code).toArray();
+		if (rows.length === 0) return null;
+		const row = rows[0];
+		const expiresAt = row.expires_at;
+		if (Date.now() > expiresAt) {
+			this.sql.exec("DELETE FROM oauth_auth_codes WHERE code = ?", code);
+			return null;
+		}
+		return {
+			clientId: row.client_id,
+			redirectUri: row.redirect_uri,
+			codeChallenge: row.code_challenge,
+			codeChallengeMethod: row.code_challenge_method,
+			scope: row.scope,
+			sub: row.sub,
+			expiresAt
+		};
+	}
+	async deleteAuthCode(code) {
+		this.sql.exec("DELETE FROM oauth_auth_codes WHERE code = ?", code);
+	}
+	async saveTokens(data) {
+		this.sql.exec(`INSERT INTO oauth_tokens
+			(access_token, refresh_token, client_id, sub, scope, dpop_jkt, issued_at, expires_at, revoked)
+			VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`, data.accessToken, data.refreshToken, data.clientId, data.sub, data.scope, data.dpopJkt ?? null, data.issuedAt, data.expiresAt, data.revoked ? 1 : 0);
+	}
+	async getTokenByAccess(accessToken) {
+		const rows = this.sql.exec(`SELECT access_token, refresh_token, client_id, sub, scope, dpop_jkt, issued_at, expires_at, revoked
+				FROM oauth_tokens WHERE access_token = ?`, accessToken).toArray();
+		if (rows.length === 0) return null;
+		const row = rows[0];
+		const revoked = Boolean(row.revoked);
+		const expiresAt = row.expires_at;
+		if (revoked || Date.now() > expiresAt) return null;
+		return {
+			accessToken: row.access_token,
+			refreshToken: row.refresh_token,
+			clientId: row.client_id,
+			sub: row.sub,
+			scope: row.scope,
+			dpopJkt: row.dpop_jkt ?? void 0,
+			issuedAt: row.issued_at,
+			expiresAt,
+			revoked
+		};
+	}
+	async getTokenByRefresh(refreshToken) {
+		const rows = this.sql.exec(`SELECT access_token, refresh_token, client_id, sub, scope, dpop_jkt, issued_at, expires_at, revoked
+				FROM oauth_tokens WHERE refresh_token = ?`, refreshToken).toArray();
+		if (rows.length === 0) return null;
+		const row = rows[0];
+		const revoked = Boolean(row.revoked);
+		if (revoked) return null;
+		return {
+			accessToken: row.access_token,
+			refreshToken: row.refresh_token,
+			clientId: row.client_id,
+			sub: row.sub,
+			scope: row.scope,
+			dpopJkt: row.dpop_jkt ?? void 0,
+			issuedAt: row.issued_at,
+			expiresAt: row.expires_at,
+			revoked
+		};
+	}
+	async revokeToken(accessToken) {
+		this.sql.exec("UPDATE oauth_tokens SET revoked = 1 WHERE access_token = ?", accessToken);
+	}
+	async revokeAllTokens(sub) {
+		this.sql.exec("UPDATE oauth_tokens SET revoked = 1 WHERE sub = ?", sub);
+	}
+	async saveClient(clientId, metadata) {
+		this.sql.exec(`INSERT OR REPLACE INTO oauth_clients
+			(client_id, client_name, redirect_uris, logo_uri, client_uri, cached_at)
+			VALUES (?, ?, ?, ?, ?, ?)`, clientId, metadata.clientName, JSON.stringify(metadata.redirectUris), metadata.logoUri ?? null, metadata.clientUri ?? null, metadata.cachedAt ?? Date.now());
+	}
+	async getClient(clientId) {
+		const rows = this.sql.exec(`SELECT client_id, client_name, redirect_uris, logo_uri, client_uri, cached_at
+				FROM oauth_clients WHERE client_id = ?`, clientId).toArray();
+		if (rows.length === 0) return null;
+		const row = rows[0];
+		return {
+			clientId: row.client_id,
+			clientName: row.client_name,
+			redirectUris: JSON.parse(row.redirect_uris),
+			logoUri: row.logo_uri ?? void 0,
+			clientUri: row.client_uri ?? void 0,
+			cachedAt: row.cached_at
+		};
+	}
+	async savePAR(requestUri, data) {
+		this.sql.exec(`INSERT INTO oauth_par_requests (request_uri, client_id, params, expires_at)
+			VALUES (?, ?, ?, ?)`, requestUri, data.clientId, JSON.stringify(data.params), data.expiresAt);
+	}
+	async getPAR(requestUri) {
+		const rows = this.sql.exec(`SELECT client_id, params, expires_at FROM oauth_par_requests WHERE request_uri = ?`, requestUri).toArray();
+		if (rows.length === 0) return null;
+		const row = rows[0];
+		const expiresAt = row.expires_at;
+		if (Date.now() > expiresAt) {
+			this.sql.exec("DELETE FROM oauth_par_requests WHERE request_uri = ?", requestUri);
+			return null;
+		}
+		return {
+			clientId: row.client_id,
+			params: JSON.parse(row.params),
+			expiresAt
+		};
+	}
+	async deletePAR(requestUri) {
+		this.sql.exec("DELETE FROM oauth_par_requests WHERE request_uri = ?", requestUri);
+	}
+	async checkAndSaveNonce(nonce) {
+		if (this.sql.exec("SELECT 1 FROM oauth_nonces WHERE nonce = ? LIMIT 1", nonce).toArray().length > 0) return false;
+		this.sql.exec("INSERT INTO oauth_nonces (nonce, created_at) VALUES (?, ?)", nonce, Date.now());
+		return true;
+	}
+	/**
+	* Clear all OAuth data (for testing).
+	*/
+	destroy() {
+		this.sql.exec("DELETE FROM oauth_auth_codes");
+		this.sql.exec("DELETE FROM oauth_tokens");
+		this.sql.exec("DELETE FROM oauth_clients");
+		this.sql.exec("DELETE FROM oauth_par_requests");
+		this.sql.exec("DELETE FROM oauth_nonces");
+	}
 };
 
 //#endregion
@@ -361,6 +693,7 @@ var BlobStore = class {
 */
 var AccountDurableObject = class extends DurableObject {
 	storage = null;
+	oauthStorage = null;
 	repo = null;
 	keypair = null;
 	sequencer = null;
@@ -379,8 +712,11 @@ var AccountDurableObject = class extends DurableObject {
 	async ensureStorageInitialized() {
 		if (!this.storageInitialized) await this.ctx.blockConcurrencyWhile(async () => {
 			if (this.storageInitialized) return;
+			const initialActive = this.env.INITIAL_ACTIVE === void 0 || this.env.INITIAL_ACTIVE === "true" || this.env.INITIAL_ACTIVE === "1";
 			this.storage = new SqliteRepoStorage(this.ctx.storage.sql);
-			this.storage.initSchema();
+			this.storage.initSchema(initialActive);
+			this.oauthStorage = new SqliteOAuthStorage(this.ctx.storage.sql);
+			this.oauthStorage.initSchema();
 			this.sequencer = new Sequencer(this.ctx.storage.sql);
 			this.storageInitialized = true;
 		});
@@ -407,6 +743,13 @@ var AccountDurableObject = class extends DurableObject {
 		return this.storage;
 	}
 	/**
+	* Get the OAuth storage adapter for OAuth operations.
+	*/
+	async getOAuthStorage() {
+		await this.ensureStorageInitialized();
+		return this.oauthStorage;
+	}
+	/**
 	* Get the Repo instance for repository operations.
 	*/
 	async getRepo() {
@@ -414,6 +757,12 @@ var AccountDurableObject = class extends DurableObject {
 		return this.repo;
 	}
 	/**
+	* Ensure the account is active. Throws error if deactivated.
+	*/
+	async ensureActive() {
+		if (!await (await this.getStorage()).getActive()) throw new Error("AccountDeactivated: Account is deactivated. Call activateAccount to enable writes.");
+	}
+	/**
 	* Get the signing keypair for repository operations.
 	*/
 	async getKeypair() {
@@ -455,7 +804,7 @@ var AccountDurableObject = class extends DurableObject {
 		if (!record) return null;
 		return {
 			cid: recordCid.toString(),
-			record
+			record: serializeRecord(record)
 		};
 	}
 	/**
@@ -473,7 +822,7 @@ var AccountDurableObject = class extends DurableObject {
 			records.push({
 				uri: AtUri.make(repo.did, record.collection, record.rkey).toString(),
 				cid: record.cid.toString(),
-				value: record.record
+				value: serializeRecord(record.record)
 			});
 			if (records.length >= opts.limit + 1) break;
 		}
@@ -489,6 +838,7 @@ var AccountDurableObject = class extends DurableObject {
 	* RPC method: Create a record
 	*/
 	async rpcCreateRecord(collection, rkey, record) {
+		await this.ensureActive();
 		const repo = await this.getRepo();
 		const keypair = await this.getKeypair();
 		const actualRkey = rkey || TID.nextStr();
@@ -539,6 +889,7 @@ var AccountDurableObject = class extends DurableObject {
 	* RPC method: Delete a record
 	*/
 	async rpcDeleteRecord(collection, rkey) {
+		await this.ensureActive();
 		const repo = await this.getRepo();
 		const keypair = await this.getKeypair();
 		if (!await repo.getRecord(collection, rkey)) return null;
@@ -578,6 +929,7 @@ var AccountDurableObject = class extends DurableObject {
 	* RPC method: Put a record (create or update)
 	*/
 	async rpcPutRecord(collection, rkey, record) {
+		await this.ensureActive();
 		const repo = await this.getRepo();
 		const keypair = await this.getKeypair();
 		const op = await repo.getRecord(collection, rkey) !== null ? {
@@ -633,6 +985,7 @@ var AccountDurableObject = class extends DurableObject {
 	* RPC method: Apply multiple writes (batch create/update/delete)
 	*/
 	async rpcApplyWrites(writes) {
+		await this.ensureActive();
 		const repo = await this.getRepo();
 		const keypair = await this.getKeypair();
 		const ops = [];
@@ -761,23 +1114,54 @@ var AccountDurableObject = class extends DurableObject {
 		return blocksToCarFile(root, blocks);
 	}
 	/**
+	* RPC method: Get specific blocks by CID as CAR file
+	* Used for partial sync and migration.
+	*/
+	async rpcGetBlocks(cids) {
+		const storage = await this.getStorage();
+		const root = await storage.getRoot();
+		if (!root) throw new Error("No repository root found");
+		const blocks = new BlockMap();
+		for (const cidStr of cids) {
+			const cid = CID.parse(cidStr);
+			const bytes = await storage.getBytes(cid);
+			if (bytes) blocks.set(cid, bytes);
+		}
+		return blocksToCarFile(root, blocks);
+	}
+	/**
 	* RPC method: Import repo from CAR file
 	* This is used for account migration - importing an existing repository
 	* from another PDS.
 	*/
 	async rpcImportRepo(carBytes) {
 		await this.ensureStorageInitialized();
-		if (await this.storage.getRoot()) throw new Error("Repository already exists. Cannot import over existing repository.");
+		const isActive = await this.storage.getActive();
+		const existingRoot = await this.storage.getRoot();
+		if (isActive && existingRoot) throw new Error("Repository already exists. Cannot import over existing repository.");
+		if (existingRoot) {
+			await this.storage.destroy();
+			this.repo = null;
+			this.repoInitialized = false;
+		}
 		const { root: rootCid, blocks } = await readCarWithRoot(carBytes);
 		const importRev = TID.nextStr();
 		await this.storage.putMany(blocks, importRev);
 		this.keypair = await Secp256k1Keypair.import(this.env.SIGNING_KEY);
 		this.repo = await Repo.load(this.storage, rootCid);
+		await this.storage.updateRoot(rootCid, this.repo.commit.rev);
 		if (this.repo.did !== this.env.DID) {
 			await this.storage.destroy();
 			throw new Error(`DID mismatch: CAR file contains DID ${this.repo.did}, but expected ${this.env.DID}`);
 		}
 		this.repoInitialized = true;
+		for await (const record of this.repo.walkRecords()) {
+			const blobCids = extractBlobCids(record.record);
+			if (blobCids.length > 0) {
+				const uri = AtUri.make(this.repo.did, record.collection, record.rkey).toString();
+				this.storage.addRecordBlobs(uri, blobCids);
+			}
+		}
 		return {
 			did: this.repo.did,
 			rev: this.repo.commit.rev,
@@ -791,7 +1175,9 @@ var AccountDurableObject = class extends DurableObject {
 		if (!this.blobStore) throw new Error("Blob storage not configured");
 		const MAX_BLOB_SIZE = 5 * 1024 * 1024;
 		if (bytes.length > MAX_BLOB_SIZE) throw new Error(`Blob too large: ${bytes.length} bytes (max ${MAX_BLOB_SIZE})`);
-		return this.blobStore.putBlob(bytes, mimeType);
+		const blobRef = await this.blobStore.putBlob(bytes, mimeType);
+		(await this.getStorage()).trackImportedBlob(blobRef.ref.$link, bytes.length, mimeType);
+		return blobRef;
 	}
 	/**
 	* RPC method: Get a blob from R2
@@ -919,6 +1305,76 @@ var AccountDurableObject = class extends DurableObject {
 		await (await this.getStorage()).putPreferences(preferences);
 	}
 	/**
+	* RPC method: Get account activation state
+	*/
+	async rpcGetActive() {
+		return (await this.getStorage()).getActive();
+	}
+	/**
+	* RPC method: Activate account
+	*/
+	async rpcActivateAccount() {
+		await (await this.getStorage()).setActive(true);
+	}
+	/**
+	* RPC method: Deactivate account
+	*/
+	async rpcDeactivateAccount() {
+		await (await this.getStorage()).setActive(false);
+	}
+	/**
+	* RPC method: Count blocks in storage
+	*/
+	async rpcCountBlocks() {
+		return (await this.getStorage()).countBlocks();
+	}
+	/**
+	* RPC method: Count records in repository
+	*/
+	async rpcCountRecords() {
+		const repo = await this.getRepo();
+		let count = 0;
+		for await (const _record of repo.walkRecords()) count++;
+		return count;
+	}
+	/**
+	* RPC method: Count expected blobs (referenced in records)
+	*/
+	async rpcCountExpectedBlobs() {
+		return (await this.getStorage()).countExpectedBlobs();
+	}
+	/**
+	* RPC method: Count imported blobs
+	*/
+	async rpcCountImportedBlobs() {
+		return (await this.getStorage()).countImportedBlobs();
+	}
+	/**
+	* RPC method: List missing blobs (referenced but not imported)
+	*/
+	async rpcListMissingBlobs(limit = 500, cursor) {
+		return (await this.getStorage()).listMissingBlobs(limit, cursor);
+	}
+	/**
+	* RPC method: Reset migration state.
+	* Clears imported repo and blob tracking to allow re-import.
+	* Only works when account is deactivated.
+	*/
+	async rpcResetMigration() {
+		const storage = await this.getStorage();
+		if (await storage.getActive()) throw new Error("AccountActive: Cannot reset migration on an active account. Deactivate first.");
+		const blocksDeleted = await storage.countBlocks();
+		const blobsCleared = storage.countImportedBlobs();
+		await storage.destroy();
+		storage.clearBlobTracking();
+		this.repo = null;
+		this.repoInitialized = false;
+		return {
+			blocksDeleted,
+			blobsCleared
+		};
+	}
+	/**
 	* Emit an identity event to notify downstream services to refresh identity cache.
 	*/
 	async rpcEmitIdentityEvent(handle) {
@@ -949,6 +1405,62 @@ var AccountDurableObject = class extends DurableObject {
 		}
 		return { seq };
 	}
+	/** Save an authorization code */
+	async rpcSaveAuthCode(code, data) {
+		await (await this.getOAuthStorage()).saveAuthCode(code, data);
+	}
+	/** Get authorization code data */
+	async rpcGetAuthCode(code) {
+		return (await this.getOAuthStorage()).getAuthCode(code);
+	}
+	/** Delete an authorization code */
+	async rpcDeleteAuthCode(code) {
+		await (await this.getOAuthStorage()).deleteAuthCode(code);
+	}
+	/** Save token data */
+	async rpcSaveTokens(data) {
+		await (await this.getOAuthStorage()).saveTokens(data);
+	}
+	/** Get token data by access token */
+	async rpcGetTokenByAccess(accessToken) {
+		return (await this.getOAuthStorage()).getTokenByAccess(accessToken);
+	}
+	/** Get token data by refresh token */
+	async rpcGetTokenByRefresh(refreshToken) {
+		return (await this.getOAuthStorage()).getTokenByRefresh(refreshToken);
+	}
+	/** Revoke a token */
+	async rpcRevokeToken(accessToken) {
+		await (await this.getOAuthStorage()).revokeToken(accessToken);
+	}
+	/** Revoke all tokens for a user */
+	async rpcRevokeAllTokens(sub) {
+		await (await this.getOAuthStorage()).revokeAllTokens(sub);
+	}
+	/** Save client metadata */
+	async rpcSaveClient(clientId, metadata) {
+		await (await this.getOAuthStorage()).saveClient(clientId, metadata);
+	}
+	/** Get client metadata */
+	async rpcGetClient(clientId) {
+		return (await this.getOAuthStorage()).getClient(clientId);
+	}
+	/** Save PAR data */
+	async rpcSavePAR(requestUri, data) {
+		await (await this.getOAuthStorage()).savePAR(requestUri, data);
+	}
+	/** Get PAR data */
+	async rpcGetPAR(requestUri) {
+		return (await this.getOAuthStorage()).getPAR(requestUri);
+	}
+	/** Delete PAR data */
+	async rpcDeletePAR(requestUri) {
+		await (await this.getOAuthStorage()).deletePAR(requestUri);
+	}
+	/** Check and save DPoP nonce */
+	async rpcCheckAndSaveNonce(nonce) {
+		return (await this.getOAuthStorage()).checkAndSaveNonce(nonce);
+	}
 	/**
 	* HTTP fetch handler for WebSocket upgrades.
 	* This is used instead of RPC to avoid WebSocket serialization errors.
@@ -958,6 +1470,40 @@ var AccountDurableObject = class extends DurableObject {
 		return new Response("Method not allowed", { status: 405 });
 	}
 };
+/**
+* Serialize a record for JSON by converting CID objects to { $link: "..." } format.
+* CBOR-decoded records contain raw CID objects that need conversion for JSON serialization.
+*/
+function serializeRecord(obj) {
+	if (obj === null || obj === void 0) return obj;
+	const cid = asCid(obj);
+	if (cid) return { $link: cid.toString() };
+	if (Array.isArray(obj)) return obj.map(serializeRecord);
+	if (typeof obj === "object") {
+		const result = {};
+		for (const [key, value] of Object.entries(obj)) result[key] = serializeRecord(value);
+		return result;
+	}
+	return obj;
+}
+/**
+* Extract blob CIDs from a record by recursively searching for blob references.
+* Blob refs have the structure: { $type: "blob", ref: CID, mimeType, size }
+*/
+function extractBlobCids(obj) {
+	const cids = [];
+	function walk(value) {
+		if (value === null || value === void 0) return;
+		if (isBlobRef(value)) {
+			cids.push(value.ref.toString());
+			return;
+		}
+		if (Array.isArray(value)) for (const item of value) walk(item);
+		else if (typeof value === "object") for (const key of Object.keys(value)) walk(value[key]);
+	}
+	walk(obj);
+	return cids;
+}
 
 //#endregion
 //#region src/service-auth.ts
@@ -1095,14 +1641,184 @@ async function verifyRefreshToken(token, jwtSecret, serviceDid) {
 	return payload;
 }
 
+//#endregion
+//#region src/oauth.ts
+/**
+* OAuth 2.1 integration for the PDS
+*
+* Connects the @ascorbic/atproto-oauth-provider package with the PDS
+* by providing storage through Durable Objects and user authentication
+* through the existing session system.
+*/
+/**
+* Proxy storage class that delegates to DO RPC methods
+*
+* This is needed because SqliteOAuthStorage instances contain a SQL connection
+* that can't be serialized across the DO RPC boundary. Instead, we delegate each
+* storage operation to individual RPC methods that pass only serializable data.
+*/
+var DOProxyOAuthStorage = class {
+	constructor(accountDO) {
+		this.accountDO = accountDO;
+	}
+	async saveAuthCode(code, data) {
+		await this.accountDO.rpcSaveAuthCode(code, data);
+	}
+	async getAuthCode(code) {
+		return this.accountDO.rpcGetAuthCode(code);
+	}
+	async deleteAuthCode(code) {
+		await this.accountDO.rpcDeleteAuthCode(code);
+	}
+	async saveTokens(data) {
+		await this.accountDO.rpcSaveTokens(data);
+	}
+	async getTokenByAccess(accessToken) {
+		return this.accountDO.rpcGetTokenByAccess(accessToken);
+	}
+	async getTokenByRefresh(refreshToken) {
+		return this.accountDO.rpcGetTokenByRefresh(refreshToken);
+	}
+	async revokeToken(accessToken) {
+		await this.accountDO.rpcRevokeToken(accessToken);
+	}
+	async revokeAllTokens(sub) {
+		await this.accountDO.rpcRevokeAllTokens(sub);
+	}
+	async saveClient(clientId, metadata) {
+		await this.accountDO.rpcSaveClient(clientId, metadata);
+	}
+	async getClient(clientId) {
+		return this.accountDO.rpcGetClient(clientId);
+	}
+	async savePAR(requestUri, data) {
+		await this.accountDO.rpcSavePAR(requestUri, data);
+	}
+	async getPAR(requestUri) {
+		return this.accountDO.rpcGetPAR(requestUri);
+	}
+	async deletePAR(requestUri) {
+		await this.accountDO.rpcDeletePAR(requestUri);
+	}
+	async checkAndSaveNonce(nonce) {
+		return this.accountDO.rpcCheckAndSaveNonce(nonce);
+	}
+};
+/**
+* Get the OAuth provider for the given environment
+* Exported for use in auth middleware for token verification
+*/
+function getProvider(env$2) {
+	return new ATProtoOAuthProvider({
+		storage: new DOProxyOAuthStorage(getAccountDO$1(env$2)),
+		issuer: `https://${env$2.PDS_HOSTNAME}`,
+		dpopRequired: true,
+		enablePAR: true,
+		verifyUser: async (password) => {
+			if (!await compare(password, env$2.PASSWORD_HASH)) return null;
+			return {
+				sub: env$2.DID,
+				handle: env$2.HANDLE
+			};
+		}
+	});
+}
+let getAccountDO$1;
+/**
+* Create OAuth routes for the PDS
+*
+* This creates a Hono sub-app with all OAuth endpoints:
+* - GET /.well-known/oauth-authorization-server - Server metadata
+* - GET /oauth/authorize - Authorization endpoint
+* - POST /oauth/authorize - Handle authorization consent
+* - POST /oauth/token - Token endpoint
+* - POST /oauth/par - Pushed Authorization Request
+*
+* @param accountDOGetter Function to get the account DO stub
+*/
+function createOAuthApp(accountDOGetter) {
+	getAccountDO$1 = accountDOGetter;
+	const oauth = new Hono();
+	oauth.get("/.well-known/oauth-authorization-server", (c) => {
+		return getProvider(c.env).handleMetadata();
+	});
+	oauth.get("/.well-known/oauth-protected-resource", (c) => {
+		const issuer = `https://${c.env.PDS_HOSTNAME}`;
+		return c.json({
+			resource: issuer,
+			authorization_servers: [issuer],
+			scopes_supported: [
+				"atproto",
+				"transition:generic",
+				"transition:chat.bsky"
+			]
+		});
+	});
+	oauth.get("/oauth/authorize", async (c) => {
+		return getProvider(c.env).handleAuthorize(c.req.raw);
+	});
+	oauth.post("/oauth/authorize", async (c) => {
+		return getProvider(c.env).handleAuthorize(c.req.raw);
+	});
+	oauth.post("/oauth/token", async (c) => {
+		return getProvider(c.env).handleToken(c.req.raw);
+	});
+	oauth.post("/oauth/par", async (c) => {
+		return getProvider(c.env).handlePAR(c.req.raw);
+	});
+	oauth.post("/oauth/revoke", async (c) => {
+		const contentType = c.req.header("Content-Type") ?? "";
+		let token;
+		try {
+			if (contentType.includes("application/json")) token = (await c.req.json()).token;
+			else if (contentType.includes("application/x-www-form-urlencoded")) {
+				const body = await c.req.text();
+				token = Object.fromEntries(new URLSearchParams(body).entries()).token;
+			} else if (!contentType) token = void 0;
+			else return c.json({
+				error: "invalid_request",
+				error_description: "Content-Type must be application/x-www-form-urlencoded (per RFC 7009) or application/json"
+			}, 400);
+		} catch {
+			return c.json({
+				error: "invalid_request",
+				error_description: "Failed to parse request body"
+			}, 400);
+		}
+		if (!token) return c.json({});
+		const accountDO = getAccountDO$1(c.env);
+		await accountDO.rpcRevokeToken(token);
+		const tokenData = await accountDO.rpcGetTokenByRefresh(token);
+		if (tokenData) await accountDO.rpcRevokeToken(tokenData.accessToken);
+		return c.json({});
+	});
+	return oauth;
+}
+
 //#endregion
 //#region src/middleware/auth.ts
 async function requireAuth(c, next) {
 	const auth = c.req.header("Authorization");
-	if (!auth?.startsWith("Bearer ")) return c.json({
+	if (!auth) return c.json({
 		error: "AuthMissing",
 		message: "Authorization header required"
 	}, 401);
+	if (auth.startsWith("DPoP ")) {
+		const tokenData = await getProvider(c.env).verifyAccessToken(c.req.raw);
+		if (!tokenData) return c.json({
+			error: "AuthenticationRequired",
+			message: "Invalid OAuth access token"
+		}, 401);
+		c.set("auth", {
+			did: tokenData.sub,
+			scope: tokenData.scope
+		});
+		return next();
+	}
+	if (!auth.startsWith("Bearer ")) return c.json({
+		error: "AuthMissing",
+		message: "Invalid authorization scheme"
+	}, 401);
 	const token = auth.slice(7);
 	if (token === c.env.AUTH_TOKEN) {
 		c.set("auth", {
@@ -1345,28 +2061,33 @@ async function handleXrpcProxy(c, didResolver$1, getKeypair$1) {
 		const endpoint = isChat ? "https://api.bsky.chat" : "https://api.bsky.app";
 		targetUrl = new URL(`/xrpc/${lxm}${url.search}`, endpoint);
 	}
-	const auth = c.req.header("Authorization");
 	let headers = {};
-	if (auth?.startsWith("Bearer ")) {
+	const auth = c.req.header("Authorization");
+	let userDid;
+	if (auth?.startsWith("DPoP ")) try {
+		const tokenData = await getProvider(c.env).verifyAccessToken(c.req.raw);
+		if (tokenData) userDid = tokenData.sub;
+	} catch {}
+	else if (auth?.startsWith("Bearer ")) {
 		const token = auth.slice(7);
 		const serviceDid = `did:web:${c.env.PDS_HOSTNAME}`;
 		try {
-			let userDid;
 			if (token === c.env.AUTH_TOKEN) userDid = c.env.DID;
 			else {
 				const payload = await verifyAccessToken(token, c.env.JWT_SECRET, serviceDid);
-				if (!payload.sub) throw new Error("Missing sub claim in token");
-				userDid = payload.sub;
+				if (payload.sub) userDid = payload.sub;
 			}
-			const keypair = await getKeypair$1();
-			headers["Authorization"] = `Bearer ${await createServiceJwt({
-				iss: userDid,
-				aud: audienceDid,
-				lxm,
-				keypair
-			})}`;
 		} catch {}
 	}
+	if (userDid) try {
+		const keypair = await getKeypair$1();
+		headers["Authorization"] = `Bearer ${await createServiceJwt({
+			iss: userDid,
+			aud: audienceDid,
+			lxm,
+			keypair
+		})}`;
+	} catch {}
 	const forwardHeaders = new Headers(c.req.raw.headers);
 	for (const header of [
 		"authorization",
@@ -1483,6 +2204,38 @@ async function listBlobs(c, _accountDO) {
 	if (listed.truncated && listed.cursor) result.cursor = listed.cursor;
 	return c.json(result);
 }
+async function getBlocks(c, accountDO) {
+	const did = c.req.query("did");
+	const cidsParam = c.req.queries("cids");
+	if (!did) return c.json({
+		error: "InvalidRequest",
+		message: "Missing required parameter: did"
+	}, 400);
+	if (!cidsParam || cidsParam.length === 0) return c.json({
+		error: "InvalidRequest",
+		message: "Missing required parameter: cids"
+	}, 400);
+	try {
+		ensureValidDid(did);
+	} catch (err) {
+		return c.json({
+			error: "InvalidRequest",
+			message: `Invalid DID format: ${err instanceof Error ? err.message : String(err)}`
+		}, 400);
+	}
+	if (did !== c.env.DID) return c.json({
+		error: "RepoNotFound",
+		message: `Repository not found for DID: ${did}`
+	}, 404);
+	const carBytes = await accountDO.rpcGetBlocks(cidsParam);
+	return new Response(carBytes, {
+		status: 200,
+		headers: {
+			"Content-Type": "application/vnd.ipld.car",
+			"Content-Length": carBytes.length.toString()
+		}
+	});
+}
 async function getBlob(c, _accountDO) {
 	const did = c.req.query("did");
 	const cid = c.req.query("cid");
@@ -5066,6 +5819,17 @@ async function importRepo(c, accountDO) {
 		throw err;
 	}
 }
+/**
+* List blobs that are referenced in records but not yet imported.
+* Used during migration to track which blobs still need to be uploaded.
+*/
+async function listMissingBlobs(c, accountDO) {
+	const limitStr = c.req.query("limit");
+	const cursor = c.req.query("cursor");
+	const limit = limitStr ? Math.min(Number.parseInt(limitStr, 10), 500) : 500;
+	const result = await accountDO.rpcListMissingBlobs(limit, cursor || void 0);
+	return c.json(result);
+}
 
 //#endregion
 //#region src/xrpc/server.ts
@@ -5089,7 +5853,7 @@ async function createSession(c) {
 		error: "AuthenticationRequired",
 		message: "Invalid identifier or password"
 	}, 401);
-	if (!await compare(password, c.env.PASSWORD_HASH)) return c.json({
+	if (!await compare$1(password, c.env.PASSWORD_HASH)) return c.json({
 		error: "AuthenticationRequired",
 		message: "Invalid identifier or password"
 	}, 401);
@@ -5176,31 +5940,40 @@ async function deleteSession(c) {
 	return c.json({});
 }
 /**
-* Get account status - used for migration checks
+* Get account status - used for migration checks and progress tracking
 */
 async function getAccountStatus(c, accountDO) {
 	try {
 		const status = await accountDO.rpcGetRepoStatus();
+		const active = await accountDO.rpcGetActive();
+		const [repoBlocks, indexedRecords, expectedBlobs, importedBlobs] = await Promise.all([
+			accountDO.rpcCountBlocks(),
+			accountDO.rpcCountRecords(),
+			accountDO.rpcCountExpectedBlobs(),
+			accountDO.rpcCountImportedBlobs()
+		]);
 		return c.json({
-			activated: true,
+			active,
 			validDid: true,
+			repoCommit: status.head,
 			repoRev: status.rev,
-			repoBlocks: null,
-			indexedRecords: null,
+			repoBlocks,
+			indexedRecords,
 			privateStateValues: null,
-			expectedBlobs: null,
-			importedBlobs: null
+			expectedBlobs,
+			importedBlobs
 		});
 	} catch (err) {
 		return c.json({
-			activated: false,
+			active: false,
 			validDid: true,
+			repoCommit: null,
 			repoRev: null,
-			repoBlocks: null,
-			indexedRecords: null,
+			repoBlocks: 0,
+			indexedRecords: 0,
 			privateStateValues: null,
-			expectedBlobs: null,
-			importedBlobs: null
+			expectedBlobs: 0,
+			importedBlobs: 0
 		});
 	}
 }
@@ -5224,10 +5997,58 @@ async function getServiceAuth(c) {
 	});
 	return c.json({ token });
 }
+/**
+* Activate account - enables writes and firehose events
+*/
+async function activateAccount(c, accountDO) {
+	try {
+		await accountDO.rpcActivateAccount();
+		return c.json({ success: true });
+	} catch (err) {
+		return c.json({
+			error: "InternalServerError",
+			message: err instanceof Error ? err.message : "Unknown error"
+		}, 500);
+	}
+}
+/**
+* Deactivate account - disables writes while keeping reads available
+*/
+async function deactivateAccount(c, accountDO) {
+	try {
+		await accountDO.rpcDeactivateAccount();
+		return c.json({ success: true });
+	} catch (err) {
+		return c.json({
+			error: "InternalServerError",
+			message: err instanceof Error ? err.message : "Unknown error"
+		}, 500);
+	}
+}
+/**
+* Reset migration state - clears imported repo and blob tracking.
+* Only works on deactivated accounts.
+*/
+async function resetMigration(c, accountDO) {
+	try {
+		const result = await accountDO.rpcResetMigration();
+		return c.json(result);
+	} catch (err) {
+		const message = err instanceof Error ? err.message : "Unknown error";
+		if (message.includes("AccountActive")) return c.json({
+			error: "AccountActive",
+			message: "Cannot reset migration on an active account. Deactivate first."
+		}, 400);
+		return c.json({
+			error: "InternalServerError",
+			message
+		}, 500);
+	}
+}
 
 //#endregion
 //#region package.json
-var version = "0.1.0";
+var version = "0.2.0";
 
 //#endregion
 //#region src/index.ts
@@ -5309,6 +6130,7 @@ app.get("/health", (c) => c.json({
 }));
 app.get("/xrpc/com.atproto.sync.getRepo", (c) => getRepo(c, getAccountDO(c.env)));
 app.get("/xrpc/com.atproto.sync.getRepoStatus", (c) => getRepoStatus(c, getAccountDO(c.env)));
+app.get("/xrpc/com.atproto.sync.getBlocks", (c) => getBlocks(c, getAccountDO(c.env)));
 app.get("/xrpc/com.atproto.sync.getBlob", (c) => getBlob(c, getAccountDO(c.env)));
 app.get("/xrpc/com.atproto.sync.listRepos", (c) => listRepos(c, getAccountDO(c.env)));
 app.get("/xrpc/com.atproto.sync.listBlobs", (c) => listBlobs(c, getAccountDO(c.env)));
@@ -5328,6 +6150,7 @@ app.post("/xrpc/com.atproto.repo.uploadBlob", requireAuth, (c) => uploadBlob(c,
 app.post("/xrpc/com.atproto.repo.applyWrites", requireAuth, (c) => applyWrites(c, getAccountDO(c.env)));
 app.post("/xrpc/com.atproto.repo.putRecord", requireAuth, (c) => putRecord(c, getAccountDO(c.env)));
 app.post("/xrpc/com.atproto.repo.importRepo", requireAuth, (c) => importRepo(c, getAccountDO(c.env)));
+app.get("/xrpc/com.atproto.repo.listMissingBlobs", requireAuth, (c) => listMissingBlobs(c, getAccountDO(c.env)));
 app.get("/xrpc/com.atproto.server.describeServer", describeServer);
 app.use("/xrpc/com.atproto.identity.resolveHandle", async (c, next) => {
 	if (c.req.query("handle") === c.env.HANDLE) return c.json({ did: c.env.DID });
@@ -5338,6 +6161,9 @@ app.post("/xrpc/com.atproto.server.refreshSession", refreshSession);
 app.get("/xrpc/com.atproto.server.getSession", getSession);
 app.post("/xrpc/com.atproto.server.deleteSession", deleteSession);
 app.get("/xrpc/com.atproto.server.getAccountStatus", requireAuth, (c) => getAccountStatus(c, getAccountDO(c.env)));
+app.post("/xrpc/com.atproto.server.activateAccount", requireAuth, (c) => activateAccount(c, getAccountDO(c.env)));
+app.post("/xrpc/com.atproto.server.deactivateAccount", requireAuth, (c) => deactivateAccount(c, getAccountDO(c.env)));
+app.post("/xrpc/gg.mk.experimental.resetMigration", requireAuth, (c) => resetMigration(c, getAccountDO(c.env)));
 app.get("/xrpc/com.atproto.server.getServiceAuth", requireAuth, getServiceAuth);
 app.get("/xrpc/app.bsky.actor.getPreferences", requireAuth, async (c) => {
 	const result = await getAccountDO(c.env).rpcGetPreferences();
@@ -5362,6 +6188,8 @@ app.post("/admin/emit-identity", requireAuth, async (c) => {
 	const result = await getAccountDO(c.env).rpcEmitIdentityEvent(c.env.HANDLE);
 	return c.json(result);
 });
+const oauthApp = createOAuthApp(getAccountDO);
+app.route("/", oauthApp);
 app.all("/xrpc/*", (c) => handleXrpcProxy(c, didResolver, getKeypair));
 var src_default = app;