@getcirrus/pds 0.10.5 → 0.11.0

package/dist/cli.js

@@ -8,14 +8,15 @@ import { spawn } from "node:child_process";
 import { experimental_patchConfig, experimental_readRawConfig } from "wrangler";
 import { existsSync, readFileSync, writeFileSync } from "node:fs";
 import { join, resolve } from "node:path";
+import { writeFile } from "node:fs/promises";
 import pc from "picocolors";
 import QRCode from "qrcode";
 import { Client, ClientResponseError, ok } from "@atcute/client";
 import "@atcute/bluesky";
 import "@atcute/atproto";
-import { writeFile } from "node:fs/promises";
 import { CompositeDidDocumentResolver, DohJsonHandleResolver, PlcDidDocumentResolver, WebDidDocumentResolver } from "@atcute/identity-resolver";
 import { getPdsEndpoint } from "@atcute/identity";
+import { decodeAll } from "@atproto/lex-cbor";
 
 //#region src/cli/utils/wrangler.ts
 /**
@@ -276,159 +277,492 @@ function setDevVar(key, value, dir = process.cwd()) {
 }
 
 //#endregion
-//#region src/cli/utils/secrets.ts
+//#region src/cli/utils/cli-helpers.ts
 /**
-* Secret generation and management utilities for PDS CLI
+* Shared CLI utilities for PDS commands
 */
 /**
-* Generate a new secp256k1 signing keypair
+* Prompt for text input, exiting on cancel
 */
-async function generateSigningKeypair() {
-	const keypair = await Secp256k1Keypair.create({ exportable: true });
-	return {
-		privateKey: Buffer.from(await keypair.export()).toString("hex"),
-		publicKey: keypair.did().replace("did:key:", "")
-	};
+async function promptText(options) {
+	const result = await p.text(options);
+	if (p.isCancel(result)) {
+		p.cancel("Cancelled");
+		process.exit(0);
+	}
+	return result;
 }
 /**
-* Derive public key from an existing private key
+* Prompt for confirmation, exiting on cancel
 */
-async function derivePublicKey(privateKeyHex) {
-	return (await Secp256k1Keypair.import(privateKeyHex)).did().replace("did:key:", "");
+async function promptConfirm(options) {
+	const result = await p.confirm(options);
+	if (p.isCancel(result)) {
+		p.cancel("Cancelled");
+		process.exit(0);
+	}
+	return result;
 }
 /**
-* Generate a random auth token (base64url, 32 bytes)
+* Prompt for selection, exiting on cancel
 */
-function generateAuthToken() {
-	return randomBytes(32).toString("base64url");
+async function promptSelect(options) {
+	const result = await p.select(options);
+	if (p.isCancel(result)) {
+		p.cancel("Cancelled");
+		process.exit(0);
+	}
+	return result;
 }
 /**
-* Generate a random JWT secret (base64, 32 bytes)
+* Get target PDS URL based on mode
 */
-function generateJwtSecret() {
-	return randomBytes(32).toString("base64");
+function getTargetUrl(isDev, pdsHostname) {
+	if (isDev) return `http://localhost:${process.env.PORT ? parseInt(process.env.PORT) ?? "5173" : "5173"}`;
+	if (!pdsHostname) throw new Error("PDS_HOSTNAME not configured in wrangler.jsonc");
+	return `https://${pdsHostname}`;
 }
 /**
-* Hash a password using bcrypt
+* Extract domain from URL
 */
-async function hashPassword(password) {
-	return bcrypt.hash(password, 10);
+function getDomain(url) {
+	try {
+		return new URL(url).hostname;
+	} catch {
+		return url;
+	}
 }
 /**
-* Prompt for password with confirmation (max 3 attempts)
+* Detect which package manager is being used based on npm_config_user_agent
 */
-async function promptPassword(handle) {
-	const message = handle ? `Choose a password for @${handle}:` : "Enter password:";
-	const MAX_ATTEMPTS = 3;
-	let attempts = 0;
-	while (attempts < MAX_ATTEMPTS) {
-		attempts++;
-		const password = await p.password({ message });
-		if (p.isCancel(password)) {
-			p.cancel("Cancelled");
-			process.exit(0);
-		}
-		const confirm = await p.password({ message: "Confirm password:" });
-		if (p.isCancel(confirm)) {
-			p.cancel("Cancelled");
-			process.exit(0);
-		}
-		if (password === confirm) return password;
-		p.log.error("Passwords do not match. Try again.");
-	}
-	p.log.error("Too many failed attempts.");
-	p.cancel("Password setup cancelled");
-	process.exit(1);
+function detectPackageManager() {
+	const userAgent = process.env.npm_config_user_agent || "";
+	if (userAgent.startsWith("yarn")) return "yarn";
+	if (userAgent.startsWith("pnpm")) return "pnpm";
+	if (userAgent.startsWith("bun")) return "bun";
+	return "npm";
 }
 /**
-* Set a secret value, either locally (.dev.vars) or via wrangler
+* Format a command for the detected package manager
+* npm always needs "run" for scripts, pnpm/yarn/bun can use shorthand
+* except for "deploy" which conflicts with pnpm's built-in deploy command
 */
-async function setSecretValue(name, value, local) {
-	if (local) setDevVar(name, value);
-	else await setSecret(name, value);
+function formatCommand(pm, ...args) {
+	if (pm === "npm" || args[0] === "deploy") return `${pm} run ${args.join(" ")}`;
+	return `${pm} ${args.join(" ")}`;
 }
 /**
-* Set a public var in wrangler.jsonc
+* Copy text to clipboard using platform-specific command
+* Falls back gracefully if clipboard is unavailable
 */
-function setPublicVar(name, value, local) {
-	if (local) setDevVar(name, value);
-	else setVar(name, value);
+async function copyToClipboard(text) {
+	const platform = process.platform;
+	let cmd;
+	let args;
+	if (platform === "darwin") {
+		cmd = "pbcopy";
+		args = [];
+	} else if (platform === "linux") {
+		cmd = "xclip";
+		args = ["-selection", "clipboard"];
+	} else if (platform === "win32") {
+		cmd = "clip";
+		args = [];
+	} else return false;
+	return new Promise((resolve$1) => {
+		const child = spawn(cmd, args, { stdio: [
+			"pipe",
+			"ignore",
+			"ignore"
+		] });
+		child.on("error", () => resolve$1(false));
+		child.on("close", (code) => resolve$1(code === 0));
+		child.stdin?.write(text);
+		child.stdin?.end();
+	});
 }
-
-//#endregion
-//#region src/cli/commands/secret/jwt.ts
 /**
-* JWT secret generation command
+* Check if 1Password CLI (op) is available
+* Only checks on POSIX systems (macOS, Linux)
 */
-const jwtCommand = defineCommand({
-	meta: {
-		name: "jwt",
-		description: "Generate and set JWT signing secret"
-	},
-	args: { local: {
-		type: "boolean",
-		description: "Write to .dev.vars instead of wrangler secrets",
-		default: false
-	} },
-	async run({ args }) {
-		p.intro("Generate JWT Secret");
-		const secret = generateJwtSecret();
-		try {
-			await setSecretValue("JWT_SECRET", secret, args.local);
-			p.outro(args.local ? "JWT_SECRET written to .dev.vars" : "Done!");
-		} catch (error) {
-			p.log.error(String(error));
-			process.exit(1);
-		}
-	}
-});
-
-//#endregion
-//#region src/cli/commands/secret/password.ts
+async function is1PasswordAvailable() {
+	if (process.platform === "win32") return false;
+	return new Promise((resolve$1) => {
+		const child = spawn("which", ["op"], { stdio: [
+			"ignore",
+			"pipe",
+			"ignore"
+		] });
+		child.on("error", () => resolve$1(false));
+		child.on("close", (code) => resolve$1(code === 0));
+	});
+}
 /**
-* Password hash generation command
+* Save a key to 1Password using the CLI
+* Creates a secure note with the signing key
 */
-const passwordCommand = defineCommand({
-	meta: {
-		name: "password",
-		description: "Set account password (stored as bcrypt hash)"
-	},
-	args: { local: {
-		type: "boolean",
-		description: "Write to .dev.vars instead of wrangler secrets",
-		default: false
-	} },
-	async run({ args }) {
-		p.intro("Set Account Password");
-		const password = await promptPassword();
-		const spinner = p.spinner();
-		spinner.start("Hashing password...");
-		const passwordHash = await hashPassword(password);
-		spinner.stop("Password hashed");
-		try {
-			await setSecretValue("PASSWORD_HASH", passwordHash, args.local);
-			p.outro(args.local ? "PASSWORD_HASH written to .dev.vars" : "Done!");
-		} catch (error) {
-			p.log.error(String(error));
-			process.exit(1);
-		}
-	}
-});
-
-//#endregion
-//#region src/cli/commands/secret/key.ts
+async function saveTo1Password(key, handle) {
+	const itemName = `Cirrus PDS Signing Key - ${handle}`;
+	return new Promise((resolve$1) => {
+		const child = spawn("op", [
+			"item",
+			"create",
+			"--category",
+			"Secure Note",
+			"--title",
+			itemName,
+			`notesPlain=CIRRUS PDS SIGNING KEY\n\nHandle: ${handle}\nCreated: ${(/* @__PURE__ */ new Date()).toISOString()}\n\nWARNING: This key controls your identity!\n\nSIGNING KEY:\n${key}`,
+			"--tags",
+			"cirrus,pds,signing-key"
+		], { stdio: [
+			"ignore",
+			"pipe",
+			"pipe"
+		] });
+		let stderr = "";
+		child.stderr?.on("data", (data) => {
+			stderr += data.toString();
+		});
+		child.on("error", (err) => {
+			resolve$1({
+				success: false,
+				error: err.message
+			});
+		});
+		child.on("close", (code) => {
+			if (code === 0) resolve$1({
+				success: true,
+				itemName
+			});
+			else resolve$1({
+				success: false,
+				error: stderr || `1Password CLI exited with code ${code}`
+			});
+		});
+	});
+}
 /**
-* Signing key generation command
+* Save a password to 1Password as a Login item for bsky.app
 */
-const keyCommand = defineCommand({
-	meta: {
-		name: "key",
-		description: "Generate and set signing keypair"
-	},
-	args: { local: {
-		type: "boolean",
-		description: "Write to .dev.vars instead of wrangler secrets/config",
-		default: false
+async function savePasswordTo1Password(password, handle) {
+	const itemName = `Bluesky - @${handle}`;
+	return new Promise((resolve$1) => {
+		const child = spawn("op", [
+			"item",
+			"create",
+			"--category",
+			"Login",
+			"--title",
+			itemName,
+			`username=${handle}`,
+			`password=${password}`,
+			"--url=https://bsky.app",
+			"--tags",
+			"cirrus,pds,bluesky"
+		], { stdio: [
+			"ignore",
+			"pipe",
+			"pipe"
+		] });
+		let stderr = "";
+		child.stderr?.on("data", (data) => {
+			stderr += data.toString();
+		});
+		child.on("error", (err) => {
+			resolve$1({
+				success: false,
+				error: err.message
+			});
+		});
+		child.on("close", (code) => {
+			if (code === 0) resolve$1({
+				success: true,
+				itemName
+			});
+			else resolve$1({
+				success: false,
+				error: stderr || `1Password CLI exited with code ${code}`
+			});
+		});
+	});
+}
+/**
+* Run a shell command and return a promise.
+* Captures output and throws on non-zero exit code.
+* Use this for running npm/pnpm/yarn scripts etc.
+*/
+function runCommand(cmd, args, options = {}) {
+	return new Promise((resolve$1, reject) => {
+		const child = spawn(cmd, args, { stdio: options.stream ? "inherit" : "pipe" });
+		let output = "";
+		if (!options.stream) {
+			child.stdout?.on("data", (data) => {
+				output += data.toString();
+			});
+			child.stderr?.on("data", (data) => {
+				output += data.toString();
+			});
+		}
+		child.on("close", (code) => {
+			if (code === 0) resolve$1();
+			else {
+				if (output && !options.stream) console.error(output);
+				reject(/* @__PURE__ */ new Error(`${cmd} ${args.join(" ")} failed with code ${code}`));
+			}
+		});
+		child.on("error", reject);
+	});
+}
+/**
+* Save a key backup file with appropriate warnings
+*/
+async function saveKeyBackup(key, handle) {
+	const filename = `signing-key-backup-${handle.replace(/[^a-z0-9]/gi, "-")}.txt`;
+	const filepath = join(process.cwd(), filename);
+	await writeFile(filepath, [
+		"=".repeat(60),
+		"CIRRUS PDS SIGNING KEY BACKUP",
+		"=".repeat(60),
+		"",
+		`Handle: ${handle}`,
+		`Created: ${(/* @__PURE__ */ new Date()).toISOString()}`,
+		"",
+		"WARNING: This key controls your identity!",
+		"- Store this file in a secure location (password manager, encrypted drive)",
+		"- Delete this file from your local disk after backing up",
+		"- Never share this key with anyone",
+		"- If compromised, your identity can be stolen",
+		"",
+		"=".repeat(60),
+		"SIGNING KEY (hex-encoded secp256k1 private key)",
+		"=".repeat(60),
+		"",
+		key,
+		"",
+		"=".repeat(60)
+	].join("\n"), { mode: 384 });
+	return filepath;
+}
+
+//#endregion
+//#region src/cli/utils/secrets.ts
+/**
+* Secret generation and management utilities for PDS CLI
+*/
+/**
+* Generate a new secp256k1 signing keypair
+*/
+async function generateSigningKeypair() {
+	const keypair = await Secp256k1Keypair.create({ exportable: true });
+	return {
+		privateKey: Buffer.from(await keypair.export()).toString("hex"),
+		publicKey: keypair.did().replace("did:key:", "")
+	};
+}
+/**
+* Derive public key from an existing private key
+*/
+async function derivePublicKey(privateKeyHex) {
+	return (await Secp256k1Keypair.import(privateKeyHex)).did().replace("did:key:", "");
+}
+/**
+* Generate a random auth token (base64url, 32 bytes)
+*/
+function generateAuthToken() {
+	return randomBytes(32).toString("base64url");
+}
+/**
+* Generate a random JWT secret (base64, 32 bytes)
+*/
+function generateJwtSecret() {
+	return randomBytes(32).toString("base64");
+}
+/**
+* Hash a password using bcrypt
+*/
+async function hashPassword(password) {
+	return bcrypt.hash(password, 10);
+}
+/**
+* Generate a random password (base64url, 24 bytes = 32 chars)
+*/
+function generatePassword() {
+	return randomBytes(24).toString("base64url");
+}
+/**
+* Prompt for password with confirmation (max 3 attempts),
+* or generate one automatically
+*/
+async function promptPassword(handle) {
+	if (await promptSelect({
+		message: handle ? `Set a password for @${handle}:` : "Set a password:",
+		options: [{
+			value: "manual",
+			label: "Choose a password"
+		}, {
+			value: "generate",
+			label: "Generate one automatically"
+		}]
+	}) === "generate") {
+		const password = generatePassword();
+		const has1Password = await is1PasswordAvailable();
+		const saveOptions = [];
+		if (has1Password) saveOptions.push({
+			value: "1password",
+			label: "Save to 1Password",
+			hint: "as a bsky.app login"
+		});
+		saveOptions.push({
+			value: "clipboard",
+			label: "Copy to clipboard",
+			hint: "paste into password manager"
+		}, {
+			value: "show",
+			label: "Display it",
+			hint: "shown in terminal"
+		});
+		const saveChoice = await promptSelect({
+			message: "Where should we save the password?",
+			options: saveOptions
+		});
+		if (saveChoice === "1password") {
+			const spinner = p.spinner();
+			spinner.start("Saving to 1Password...");
+			const result = await savePasswordTo1Password(password, handle ?? "");
+			if (result.success) {
+				spinner.stop("Saved to 1Password");
+				p.log.success(`Created: "${result.itemName}"`);
+			} else {
+				spinner.stop("Failed to save to 1Password");
+				p.log.error(result.error || "Unknown error");
+				if (await copyToClipboard(password)) p.log.info("Copied to clipboard instead");
+				else {
+					p.note(password, "Generated password");
+					p.log.warn("Save this password somewhere safe!");
+				}
+			}
+		} else if (saveChoice === "clipboard") if (await copyToClipboard(password)) p.log.success("Password generated and copied to clipboard");
+		else {
+			p.note(password, "Generated password");
+			p.log.warn("Could not copy to clipboard — save this password somewhere safe!");
+		}
+		else {
+			p.note(password, "Generated password");
+			p.log.warn("Save this password somewhere safe!");
+		}
+		return password;
+	}
+	const message = handle ? `Choose a password for @${handle}:` : "Enter password:";
+	const MAX_ATTEMPTS = 3;
+	let attempts = 0;
+	while (attempts < MAX_ATTEMPTS) {
+		attempts++;
+		const password = await p.password({ message });
+		if (p.isCancel(password)) {
+			p.cancel("Cancelled");
+			process.exit(0);
+		}
+		const confirm = await p.password({ message: "Confirm password:" });
+		if (p.isCancel(confirm)) {
+			p.cancel("Cancelled");
+			process.exit(0);
+		}
+		if (password === confirm) return password;
+		p.log.error("Passwords do not match. Try again.");
+	}
+	p.log.error("Too many failed attempts.");
+	p.cancel("Password setup cancelled");
+	process.exit(1);
+}
+/**
+* Set a secret value, either locally (.dev.vars) or via wrangler
+*/
+async function setSecretValue(name, value, local) {
+	if (local) setDevVar(name, value);
+	else await setSecret(name, value);
+}
+/**
+* Set a public var in wrangler.jsonc
+*/
+function setPublicVar(name, value, local) {
+	if (local) setDevVar(name, value);
+	else setVar(name, value);
+}
+
+//#endregion
+//#region src/cli/commands/secret/jwt.ts
+/**
+* JWT secret generation command
+*/
+const jwtCommand = defineCommand({
+	meta: {
+		name: "jwt",
+		description: "Generate and set JWT signing secret"
+	},
+	args: { local: {
+		type: "boolean",
+		description: "Write to .dev.vars instead of wrangler secrets",
+		default: false
+	} },
+	async run({ args }) {
+		p.intro("Generate JWT Secret");
+		const secret = generateJwtSecret();
+		try {
+			await setSecretValue("JWT_SECRET", secret, args.local);
+			p.outro(args.local ? "JWT_SECRET written to .dev.vars" : "Done!");
+		} catch (error) {
+			p.log.error(String(error));
+			process.exit(1);
+		}
+	}
+});
+
+//#endregion
+//#region src/cli/commands/secret/password.ts
+/**
+* Password hash generation command
+*/
+const passwordCommand = defineCommand({
+	meta: {
+		name: "password",
+		description: "Set account password (stored as bcrypt hash)"
+	},
+	args: { local: {
+		type: "boolean",
+		description: "Write to .dev.vars instead of wrangler secrets",
+		default: false
+	} },
+	async run({ args }) {
+		p.intro("Set Account Password");
+		const password = await promptPassword();
+		const spinner = p.spinner();
+		spinner.start("Hashing password...");
+		const passwordHash = await hashPassword(password);
+		spinner.stop("Password hashed");
+		try {
+			await setSecretValue("PASSWORD_HASH", passwordHash, args.local);
+			p.outro(args.local ? "PASSWORD_HASH written to .dev.vars" : "Done!");
+		} catch (error) {
+			p.log.error(String(error));
+			process.exit(1);
+		}
+	}
+});
+
+//#endregion
+//#region src/cli/commands/secret/key.ts
+/**
+* Signing key generation command
+*/
+const keyCommand = defineCommand({
+	meta: {
+		name: "key",
+		description: "Generate and set signing keypair"
+	},
+	args: { local: {
+		type: "boolean",
+		description: "Write to .dev.vars instead of wrangler secrets/config",
+		default: false
 	} },
 	async run({ args }) {
 		p.intro("Generate Signing Keypair");
@@ -913,56 +1247,7 @@ var PDSClient = class PDSClient {
 		const res = await fetch(url.toString(), {
 			method: "POST",
 			headers,
-			body: JSON.stringify({ name })
-		});
-		if (!res.ok) {
-			const errorBody = await res.json().catch(() => ({}));
-			throw new ClientResponseError({
-				status: res.status,
-				headers: res.headers,
-				data: {
-					error: errorBody.error ?? "Unknown",
-					message: errorBody.message
-				}
-			});
-		}
-		return res.json();
-	}
-	/**
-	* List all registered passkeys
-	*/
-	async listPasskeys() {
-		const url = new URL("/passkey/list", this.baseUrl);
-		const headers = {};
-		if (this.authToken) headers["Authorization"] = `Bearer ${this.authToken}`;
-		const res = await fetch(url.toString(), {
-			method: "GET",
-			headers
-		});
-		if (!res.ok) {
-			const errorBody = await res.json().catch(() => ({}));
-			throw new ClientResponseError({
-				status: res.status,
-				headers: res.headers,
-				data: {
-					error: errorBody.error ?? "Unknown",
-					message: errorBody.message
-				}
-			});
-		}
-		return res.json();
-	}
-	/**
-	* Delete a passkey by credential ID
-	*/
-	async deletePasskey(credentialId) {
-		const url = new URL("/passkey/delete", this.baseUrl);
-		const headers = { "Content-Type": "application/json" };
-		if (this.authToken) headers["Authorization"] = `Bearer ${this.authToken}`;
-		const res = await fetch(url.toString(), {
-			method: "POST",
-			headers,
-			body: JSON.stringify({ id: credentialId })
+			body: JSON.stringify({ name })
 		});
 		if (!res.ok) {
 			const errorBody = await res.json().catch(() => ({}));
@@ -978,293 +1263,152 @@ var PDSClient = class PDSClient {
 		return res.json();
 	}
 	/**
-	* Get a migration token for outbound migration.
-	* This token can be used to migrate to another PDS.
+	* List all registered passkeys
 	*/
-	async getMigrationToken() {
-		const url = new URL("/xrpc/gg.mk.experimental.getMigrationToken", this.baseUrl);
+	async listPasskeys() {
+		const url = new URL("/passkey/list", this.baseUrl);
 		const headers = {};
 		if (this.authToken) headers["Authorization"] = `Bearer ${this.authToken}`;
 		const res = await fetch(url.toString(), {
 			method: "GET",
 			headers
 		});
-		if (!res.ok) return {
-			success: false,
-			error: (await res.json().catch(() => ({}))).message ?? `Request failed: ${res.status}`
-		};
-		return {
-			success: true,
-			token: (await res.json()).token
-		};
-	}
-	static RELAY_URLS = ["https://relay1.us-west.bsky.network", "https://relay1.us-east.bsky.network"];
-	/**
-	* Get relay's view of this PDS host status from a single relay.
-	* Calls com.atproto.sync.getHostStatus on the relay.
-	*/
-	async getRelayHostStatus(pdsHostname, relayUrl) {
-		try {
-			const url = new URL("/xrpc/com.atproto.sync.getHostStatus", relayUrl);
-			url.searchParams.set("hostname", pdsHostname);
-			const res = await fetch(url.toString());
-			if (!res.ok) return null;
-			return {
-				...await res.json(),
-				relay: relayUrl
-			};
-		} catch {
-			return null;
+		if (!res.ok) {
+			const errorBody = await res.json().catch(() => ({}));
+			throw new ClientResponseError({
+				status: res.status,
+				headers: res.headers,
+				data: {
+					error: errorBody.error ?? "Unknown",
+					message: errorBody.message
+				}
+			});
 		}
+		return res.json();
 	}
 	/**
-	* Get relay status from all known relays.
-	* Returns results from each relay that responds.
-	*/
-	async getAllRelayHostStatus(pdsHostname) {
-		return (await Promise.all(PDSClient.RELAY_URLS.map((url) => this.getRelayHostStatus(pdsHostname, url)))).filter((r) => r !== null);
-	}
-	/**
-	* Request the relay to crawl this PDS.
-	* This notifies the Bluesky relay that the PDS is active and ready for federation.
-	* Uses bsky.network by default (the main relay endpoint).
+	* Delete a passkey by credential ID
 	*/
-	async requestCrawl(pdsHostname, relayUrl = "https://bsky.network") {
-		try {
-			const url = new URL("/xrpc/com.atproto.sync.requestCrawl", relayUrl);
-			return (await fetch(url.toString(), {
-				method: "POST",
-				headers: { "Content-Type": "application/json" },
-				body: JSON.stringify({ hostname: pdsHostname })
-			})).ok;
-		} catch {
-			return false;
-		}
-	}
-};
-
-//#endregion
-//#region src/cli/utils/cli-helpers.ts
-/**
-* Shared CLI utilities for PDS commands
-*/
-/**
-* Prompt for text input, exiting on cancel
-*/
-async function promptText(options) {
-	const result = await p.text(options);
-	if (p.isCancel(result)) {
-		p.cancel("Cancelled");
-		process.exit(0);
-	}
-	return result;
-}
-/**
-* Prompt for confirmation, exiting on cancel
-*/
-async function promptConfirm(options) {
-	const result = await p.confirm(options);
-	if (p.isCancel(result)) {
-		p.cancel("Cancelled");
-		process.exit(0);
-	}
-	return result;
-}
-/**
-* Prompt for selection, exiting on cancel
-*/
-async function promptSelect(options) {
-	const result = await p.select(options);
-	if (p.isCancel(result)) {
-		p.cancel("Cancelled");
-		process.exit(0);
-	}
-	return result;
-}
-/**
-* Get target PDS URL based on mode
-*/
-function getTargetUrl(isDev, pdsHostname) {
-	if (isDev) return `http://localhost:${process.env.PORT ? parseInt(process.env.PORT) ?? "5173" : "5173"}`;
-	if (!pdsHostname) throw new Error("PDS_HOSTNAME not configured in wrangler.jsonc");
-	return `https://${pdsHostname}`;
-}
-/**
-* Extract domain from URL
-*/
-function getDomain(url) {
-	try {
-		return new URL(url).hostname;
-	} catch {
-		return url;
-	}
-}
-/**
-* Detect which package manager is being used based on npm_config_user_agent
-*/
-function detectPackageManager() {
-	const userAgent = process.env.npm_config_user_agent || "";
-	if (userAgent.startsWith("yarn")) return "yarn";
-	if (userAgent.startsWith("pnpm")) return "pnpm";
-	if (userAgent.startsWith("bun")) return "bun";
-	return "npm";
-}
-/**
-* Format a command for the detected package manager
-* npm always needs "run" for scripts, pnpm/yarn/bun can use shorthand
-* except for "deploy" which conflicts with pnpm's built-in deploy command
-*/
-function formatCommand(pm, ...args) {
-	if (pm === "npm" || args[0] === "deploy") return `${pm} run ${args.join(" ")}`;
-	return `${pm} ${args.join(" ")}`;
-}
-/**
-* Copy text to clipboard using platform-specific command
-* Falls back gracefully if clipboard is unavailable
-*/
-async function copyToClipboard(text) {
-	const platform = process.platform;
-	let cmd;
-	let args;
-	if (platform === "darwin") {
-		cmd = "pbcopy";
-		args = [];
-	} else if (platform === "linux") {
-		cmd = "xclip";
-		args = ["-selection", "clipboard"];
-	} else if (platform === "win32") {
-		cmd = "clip";
-		args = [];
-	} else return false;
-	return new Promise((resolve$1) => {
-		const child = spawn(cmd, args, { stdio: [
-			"pipe",
-			"ignore",
-			"ignore"
-		] });
-		child.on("error", () => resolve$1(false));
-		child.on("close", (code) => resolve$1(code === 0));
-		child.stdin?.write(text);
-		child.stdin?.end();
-	});
-}
-/**
-* Check if 1Password CLI (op) is available
-* Only checks on POSIX systems (macOS, Linux)
-*/
-async function is1PasswordAvailable() {
-	if (process.platform === "win32") return false;
-	return new Promise((resolve$1) => {
-		const child = spawn("which", ["op"], { stdio: [
-			"ignore",
-			"pipe",
-			"ignore"
-		] });
-		child.on("error", () => resolve$1(false));
-		child.on("close", (code) => resolve$1(code === 0));
-	});
-}
-/**
-* Save a key to 1Password using the CLI
-* Creates a secure note with the signing key
-*/
-async function saveTo1Password(key, handle) {
-	const itemName = `Cirrus PDS Signing Key - ${handle}`;
-	return new Promise((resolve$1) => {
-		const child = spawn("op", [
-			"item",
-			"create",
-			"--category",
-			"Secure Note",
-			"--title",
-			itemName,
-			`notesPlain=CIRRUS PDS SIGNING KEY\n\nHandle: ${handle}\nCreated: ${(/* @__PURE__ */ new Date()).toISOString()}\n\nWARNING: This key controls your identity!\n\nSIGNING KEY:\n${key}`,
-			"--tags",
-			"cirrus,pds,signing-key"
-		], { stdio: [
-			"ignore",
-			"pipe",
-			"pipe"
-		] });
-		let stderr = "";
-		child.stderr?.on("data", (data) => {
-			stderr += data.toString();
-		});
-		child.on("error", (err) => {
-			resolve$1({
-				success: false,
-				error: err.message
-			});
-		});
-		child.on("close", (code) => {
-			if (code === 0) resolve$1({
-				success: true,
-				itemName
-			});
-			else resolve$1({
-				success: false,
-				error: stderr || `1Password CLI exited with code ${code}`
-			});
-		});
-	});
-}
-/**
-* Run a shell command and return a promise.
-* Captures output and throws on non-zero exit code.
-* Use this for running npm/pnpm/yarn scripts etc.
-*/
-function runCommand(cmd, args, options = {}) {
-	return new Promise((resolve$1, reject) => {
-		const child = spawn(cmd, args, { stdio: options.stream ? "inherit" : "pipe" });
-		let output = "";
-		if (!options.stream) {
-			child.stdout?.on("data", (data) => {
-				output += data.toString();
-			});
-			child.stderr?.on("data", (data) => {
-				output += data.toString();
+	async deletePasskey(credentialId) {
+		const url = new URL("/passkey/delete", this.baseUrl);
+		const headers = { "Content-Type": "application/json" };
+		if (this.authToken) headers["Authorization"] = `Bearer ${this.authToken}`;
+		const res = await fetch(url.toString(), {
+			method: "POST",
+			headers,
+			body: JSON.stringify({ id: credentialId })
+		});
+		if (!res.ok) {
+			const errorBody = await res.json().catch(() => ({}));
+			throw new ClientResponseError({
+				status: res.status,
+				headers: res.headers,
+				data: {
+					error: errorBody.error ?? "Unknown",
+					message: errorBody.message
+				}
 			});
 		}
-		child.on("close", (code) => {
-			if (code === 0) resolve$1();
-			else {
-				if (output && !options.stream) console.error(output);
-				reject(/* @__PURE__ */ new Error(`${cmd} ${args.join(" ")} failed with code ${code}`));
-			}
+		return res.json();
+	}
+	/**
+	* Get a migration token for outbound migration.
+	* This token can be used to migrate to another PDS.
+	*/
+	async getMigrationToken() {
+		const url = new URL("/xrpc/gg.mk.experimental.getMigrationToken", this.baseUrl);
+		const headers = {};
+		if (this.authToken) headers["Authorization"] = `Bearer ${this.authToken}`;
+		const res = await fetch(url.toString(), {
+			method: "GET",
+			headers
 		});
-		child.on("error", reject);
-	});
-}
-/**
-* Save a key backup file with appropriate warnings
-*/
-async function saveKeyBackup(key, handle) {
-	const filename = `signing-key-backup-${handle.replace(/[^a-z0-9]/gi, "-")}.txt`;
-	const filepath = join(process.cwd(), filename);
-	await writeFile(filepath, [
-		"=".repeat(60),
-		"CIRRUS PDS SIGNING KEY BACKUP",
-		"=".repeat(60),
-		"",
-		`Handle: ${handle}`,
-		`Created: ${(/* @__PURE__ */ new Date()).toISOString()}`,
-		"",
-		"WARNING: This key controls your identity!",
-		"- Store this file in a secure location (password manager, encrypted drive)",
-		"- Delete this file from your local disk after backing up",
-		"- Never share this key with anyone",
-		"- If compromised, your identity can be stolen",
-		"",
-		"=".repeat(60),
-		"SIGNING KEY (hex-encoded secp256k1 private key)",
-		"=".repeat(60),
-		"",
-		key,
-		"",
-		"=".repeat(60)
-	].join("\n"), { mode: 384 });
-	return filepath;
-}
+		if (!res.ok) return {
+			success: false,
+			error: (await res.json().catch(() => ({}))).message ?? `Request failed: ${res.status}`
+		};
+		return {
+			success: true,
+			token: (await res.json()).token
+		};
+	}
+	/**
+	* List notifications (proxied through PDS to AppView)
+	*/
+	async listNotifications(limit = 25) {
+		const url = new URL("/xrpc/app.bsky.notification.listNotifications", this.baseUrl);
+		url.searchParams.set("limit", String(limit));
+		const headers = {};
+		if (this.authToken) headers["Authorization"] = `Bearer ${this.authToken}`;
+		const res = await fetch(url.toString(), { headers });
+		if (!res.ok) throw new Error(`Failed to get notifications: ${res.status}`);
+		return res.json();
+	}
+	/**
+	* List repos (for getting PDS rev)
+	*/
+	async listRepos() {
+		const url = new URL("/xrpc/com.atproto.sync.listRepos", this.baseUrl);
+		const res = await fetch(url.toString());
+		if (!res.ok) throw new Error(`Failed to list repos: ${res.status}`);
+		return res.json();
+	}
+	/**
+	* List records in a collection
+	*/
+	async listRecords(did, collection, limit = 100) {
+		const url = new URL("/xrpc/com.atproto.repo.listRecords", this.baseUrl);
+		url.searchParams.set("repo", did);
+		url.searchParams.set("collection", collection);
+		url.searchParams.set("limit", String(limit));
+		const res = await fetch(url.toString());
+		if (!res.ok) throw new Error(`Failed to list records: ${res.status}`);
+		return res.json();
+	}
+	static RELAY_URLS = ["https://relay1.us-west.bsky.network", "https://relay1.us-east.bsky.network"];
+	/**
+	* Get relay's view of this PDS host status from a single relay.
+	* Calls com.atproto.sync.getHostStatus on the relay.
+	*/
+	async getRelayHostStatus(pdsHostname, relayUrl) {
+		try {
+			const url = new URL("/xrpc/com.atproto.sync.getHostStatus", relayUrl);
+			url.searchParams.set("hostname", pdsHostname);
+			const res = await fetch(url.toString());
+			if (!res.ok) return null;
+			return {
+				...await res.json(),
+				relay: relayUrl
+			};
+		} catch {
+			return null;
+		}
+	}
+	/**
+	* Get relay status from all known relays.
+	* Returns results from each relay that responds.
+	*/
+	async getAllRelayHostStatus(pdsHostname) {
+		return (await Promise.all(PDSClient.RELAY_URLS.map((url) => this.getRelayHostStatus(pdsHostname, url)))).filter((r) => r !== null);
+	}
+	/**
+	* Request the relay to crawl this PDS.
+	* This notifies the Bluesky relay that the PDS is active and ready for federation.
+	* Uses bsky.network by default (the main relay endpoint).
+	*/
+	async requestCrawl(pdsHostname, relayUrl = "https://bsky.network") {
+		try {
+			const url = new URL("/xrpc/com.atproto.sync.requestCrawl", relayUrl);
+			return (await fetch(url.toString(), {
+				method: "POST",
+				headers: { "Content-Type": "application/json" },
+				body: JSON.stringify({ hostname: pdsHostname })
+			})).ok;
+		} catch {
+			return false;
+		}
+	}
+};
 
 //#endregion
 //#region src/cli/commands/passkey/add.ts
@@ -3801,7 +3945,8 @@ const statusCommand = defineCommand({
 		}
 		try {
 			const firehose = await client.getFirehoseStatus();
-			console.log(`  ${INFO} ${firehose.subscribers} firehose subscriber${firehose.subscribers !== 1 ? "s" : ""}, seq: ${firehose.latestSeq ?? "none"}`);
+			const subCount = firehose.subscribers.length;
+			console.log(`  ${INFO} ${subCount} firehose subscriber${subCount !== 1 ? "s" : ""}, seq: ${firehose.latestSeq ?? "none"}`);
 		} catch {
 			console.log(`  ${pc.dim("  Could not get firehose status")}`);
 		}
@@ -3896,6 +4041,576 @@ const emitIdentityCommand = defineCommand({
 	}
 });
 
+//#endregion
+//#region src/cli/commands/dashboard.ts
+/**
+* Live terminal dashboard for PDS monitoring
+*/
+function stripAnsi(s) {
+	return s.replace(/\x1b\[[0-9;]*m/g, "");
+}
+function visibleLength(s) {
+	return stripAnsi(s).length;
+}
+function padRight(s, width) {
+	const pad = width - visibleLength(s);
+	return pad > 0 ? s + " ".repeat(pad) : s;
+}
+function truncate(s, width) {
+	if (visibleLength(s) <= width) return s;
+	return stripAnsi(s).slice(0, width - 1) + pc.dim("…");
+}
+function enterAltScreen() {
+	process.stdout.write("\x1B[?1049h");
+}
+function exitAltScreen() {
+	process.stdout.write("\x1B[?1049l");
+}
+function hideCursor() {
+	process.stdout.write("\x1B[?25l");
+}
+function showCursor() {
+	process.stdout.write("\x1B[?25h");
+}
+function clearScreen() {
+	process.stdout.write("\x1B[2J\x1B[H");
+}
+function renderColumns(cols, widths) {
+	const maxRows = Math.max(...cols.map((c) => c.length));
+	const lines = [];
+	for (let i = 0; i < maxRows; i++) {
+		let line = "";
+		for (let j = 0; j < cols.length; j++) {
+			const cell = cols[j][i] ?? "";
+			line += padRight(cell, widths[j]);
+		}
+		lines.push(line);
+	}
+	return lines;
+}
+function parseFirehoseMessage(data) {
+	try {
+		const decoded = [...decodeAll(data)];
+		if (decoded.length !== 2) return null;
+		const header = decoded[0];
+		const body = decoded[1];
+		if (!header || header.op !== 1) return null;
+		if (!body || typeof body.seq !== "number") return null;
+		if (header.t === "#commit") return {
+			seq: body.seq,
+			type: "commit",
+			ops: (body.ops ?? []).map((op) => ({
+				action: op.action,
+				path: op.path
+			}))
+		};
+		if (header.t === "#identity") return {
+			seq: body.seq,
+			type: "identity",
+			ops: [],
+			handle: body.handle
+		};
+		return null;
+	} catch {
+		return null;
+	}
+}
+const COLLECTION_NAMES = {
+	"app.bsky.feed.post": "posts",
+	"app.bsky.feed.like": "likes",
+	"app.bsky.graph.follow": "follows",
+	"app.bsky.feed.repost": "reposts",
+	"app.bsky.actor.profile": "profile",
+	"app.bsky.graph.block": "blocks",
+	"app.bsky.graph.list": "lists",
+	"app.bsky.graph.listitem": "list items",
+	"app.bsky.feed.generator": "feeds",
+	"app.bsky.feed.threadgate": "threadgates",
+	"app.bsky.graph.starterpack": "starter packs",
+	"chat.bsky.actor.declaration": "chat",
+	"app.bsky.feed.postgate": "postgates",
+	"app.bsky.labeler.service": "labeler"
+};
+/** Sort priority for collections (lower = first). Unlisted collections sort alphabetically at the end. */
+const COLLECTION_ORDER = {
+	"app.bsky.feed.post": 1,
+	"app.bsky.feed.like": 2,
+	"app.bsky.graph.follow": 3,
+	"app.bsky.feed.repost": 4,
+	"app.bsky.graph.list": 5,
+	"app.bsky.feed.generator": 6,
+	"app.bsky.graph.block": 7,
+	"app.bsky.graph.starterpack": 8,
+	"app.bsky.actor.profile": 100
+};
+function friendlyName(collection) {
+	return COLLECTION_NAMES[collection] ?? collection.split(".").pop() ?? collection;
+}
+/** Shorten IPv6 addresses by collapsing the longest zero run to :: */
+function shortenIP(ip) {
+	if (!ip.includes(":")) return ip;
+	const parts = ip.split(":");
+	let bestStart = -1;
+	let bestLen = 0;
+	let curStart = -1;
+	let curLen = 0;
+	for (let i = 0; i < parts.length; i++) if (parts[i] === "0" || parts[i] === "0000" || parts[i] === "") {
+		if (curStart === -1) curStart = i;
+		curLen++;
+	} else {
+		if (curLen > bestLen) {
+			bestStart = curStart;
+			bestLen = curLen;
+		}
+		curStart = -1;
+		curLen = 0;
+	}
+	if (curLen > bestLen) {
+		bestStart = curStart;
+		bestLen = curLen;
+	}
+	if (bestLen < 2) return parts.map((p$1) => p$1.replace(/^0+(?=.)/, "")).join(":");
+	const before = parts.slice(0, bestStart).map((p$1) => p$1.replace(/^0+(?=.)/, ""));
+	const after = parts.slice(bestStart + bestLen).map((p$1) => p$1.replace(/^0+(?=.)/, ""));
+	return (before.length ? before.join(":") : "") + "::" + (after.length ? after.join(":") : "");
+}
+const REASON_ICON = {
+	like: pc.red("♥"),
+	repost: pc.green("↻"),
+	follow: pc.cyan("+"),
+	mention: pc.yellow("@"),
+	reply: pc.cyan("↩"),
+	quote: pc.yellow("❝"),
+	"starterpack-joined": pc.cyan("★")
+};
+const REASON_TEXT = {
+	like: "liked your post",
+	repost: "reposted your post",
+	follow: "followed you",
+	mention: "mentioned you",
+	reply: "replied to you",
+	quote: "quoted your post",
+	"starterpack-joined": "joined your starter pack"
+};
+function relativeTime(ts) {
+	const diff = Math.floor((Date.now() - ts) / 1e3);
+	if (diff < 10) return "just now";
+	if (diff < 60) return `${diff}s ago`;
+	if (diff < 3600) return `${Math.floor(diff / 60)}m ago`;
+	if (diff < 86400) return `${Math.floor(diff / 3600)}h ago`;
+	return `${Math.floor(diff / 86400)}d ago`;
+}
+const MAX_EVENTS = 100;
+function createInitialState() {
+	return {
+		collections: [],
+		syncStatus: "checking",
+		relayRev: null,
+		pdsRev: null,
+		subscribers: 0,
+		latestSeq: null,
+		subscriberDetails: [],
+		events: [],
+		notifications: [],
+		accountActive: false,
+		wsConnected: false,
+		statusMessage: null,
+		statusMessageTimeout: null
+	};
+}
+async function fetchRepo(client, did, state, render) {
+	try {
+		const repo = (await client.listRepos()).repos?.[0];
+		if (repo) state.pdsRev = repo.rev;
+		const collections = (await client.describeRepo(did)).collections ?? [];
+		const results = await Promise.all(collections.map(async (col) => {
+			const data = await client.listRecords(did, col, 100);
+			return {
+				name: col,
+				friendlyName: friendlyName(col),
+				count: data.records?.length ?? 0,
+				hasMore: !!data.cursor
+			};
+		}));
+		results.sort((a, b) => {
+			const oa = COLLECTION_ORDER[a.name] ?? 50;
+			const ob = COLLECTION_ORDER[b.name] ?? 50;
+			if (oa !== ob) return oa - ob;
+			return a.friendlyName.localeCompare(b.friendlyName);
+		});
+		state.collections = results.filter((c) => c.count > 0);
+		render();
+	} catch {}
+}
+async function fetchRelaySync(did, state, render) {
+	if (!state.pdsRev) return;
+	try {
+		const res = await fetch(`https://bsky.network/xrpc/com.atproto.sync.getLatestCommit?did=${encodeURIComponent(did)}`);
+		if (res.status === 404) state.syncStatus = "unknown";
+		else if (res.ok) {
+			const data = await res.json();
+			state.syncStatus = data.rev === state.pdsRev ? "synced" : "behind";
+			state.relayRev = data.rev;
+		} else state.syncStatus = "error";
+		render();
+	} catch {
+		state.syncStatus = "error";
+		render();
+	}
+}
+async function fetchFirehoseStatus(client, state, render) {
+	try {
+		const data = await client.getFirehoseStatus();
+		state.subscribers = data.subscribers?.length ?? 0;
+		state.subscriberDetails = data.subscribers ?? [];
+		if (data.latestSeq != null) state.latestSeq = data.latestSeq;
+		render();
+	} catch {}
+}
+async function fetchNotifications(client, state, render) {
+	try {
+		state.notifications = ((await client.listNotifications(25)).notifications ?? []).map((n) => ({
+			time: new Date(n.indexedAt).toLocaleTimeString("en-GB", {
+				hour12: false,
+				hour: "2-digit",
+				minute: "2-digit"
+			}),
+			icon: REASON_ICON[n.reason] ?? "?",
+			author: n.author.displayName || n.author.handle,
+			text: REASON_TEXT[n.reason] ?? n.reason,
+			isRead: n.isRead
+		}));
+		render();
+	} catch {}
+}
+async function fetchAccountStatus(client, state, render) {
+	try {
+		state.accountActive = (await client.getAccountStatus()).active;
+		render();
+	} catch {}
+}
+function connectFirehose(targetUrl, state, render) {
+	let ws = null;
+	let reconnectTimer = null;
+	let closed = false;
+	function connect() {
+		if (closed) return;
+		try {
+			const url = `${targetUrl.startsWith("https") ? "wss:" : "ws:"}//${targetUrl.replace(/^https?:\/\//, "")}/xrpc/com.atproto.sync.subscribeRepos`;
+			ws = new WebSocket(url);
+			ws.binaryType = "arraybuffer";
+			ws.onopen = () => {
+				state.wsConnected = true;
+				render();
+			};
+			ws.onmessage = (e) => {
+				const event = parseFirehoseMessage(new Uint8Array(e.data));
+				if (!event) return;
+				const time = (/* @__PURE__ */ new Date()).toLocaleTimeString("en-GB", { hour12: false });
+				if (event.type === "identity") state.events.unshift({
+					time,
+					seq: event.seq,
+					action: "identity",
+					path: event.handle ?? ""
+				});
+				else for (const op of event.ops) state.events.unshift({
+					time,
+					seq: event.seq,
+					action: op.action,
+					path: op.path
+				});
+				if (state.events.length > MAX_EVENTS) state.events.length = MAX_EVENTS;
+				render();
+			};
+			ws.onclose = () => {
+				state.wsConnected = false;
+				render();
+				if (!closed) reconnectTimer = setTimeout(connect, 3e3);
+			};
+			ws.onerror = () => {
+				state.wsConnected = false;
+				render();
+			};
+		} catch {}
+	}
+	connect();
+	return { close() {
+		closed = true;
+		if (reconnectTimer) clearTimeout(reconnectTimer);
+		if (ws) {
+			ws.onclose = null;
+			ws.close();
+		}
+	} };
+}
+function renderDashboard(state, config) {
+	const cols = process.stdout.columns || 80;
+	const rows = process.stdout.rows || 24;
+	const lines = [];
+	const indent = "  ";
+	lines.push("");
+	lines.push(`${indent}${pc.bold("☁  CIRRUS")}  ${pc.dim("·")}  ${pc.cyan(config.hostname)}  ${pc.dim("·")}  ${pc.dim("v" + config.version)}`);
+	lines.push(`${indent}   ${pc.white("@" + config.handle)}  ${pc.dim("·")}  ${pc.dim(config.did)}`);
+	lines.push("");
+	const colWidth = Math.floor((cols - 6) / 3);
+	const col1 = [pc.dim("REPOSITORY"), ""];
+	if (state.collections.length === 0) col1.push(pc.dim("Loading…"));
+	else for (const c of state.collections) {
+		const name = c.friendlyName.padEnd(16);
+		const count = String(c.count).padStart(5);
+		const more = c.hasMore ? "+" : " ";
+		col1.push(`${name} ${pc.bold(count)}${more}`);
+	}
+	const col2 = [pc.dim("FEDERATION"), ""];
+	col2.push(pc.dim("bsky.network"));
+	const statusColors = {
+		synced: pc.green,
+		behind: pc.yellow,
+		error: pc.red,
+		checking: pc.dim,
+		unknown: pc.dim
+	};
+	const dotColors = {
+		synced: pc.green("●"),
+		behind: pc.yellow("●"),
+		error: pc.red("●"),
+		checking: pc.dim("○"),
+		unknown: pc.dim("○")
+	};
+	const colorFn = statusColors[state.syncStatus] ?? pc.dim;
+	col2.push(`${dotColors[state.syncStatus] ?? pc.dim("○")} ${colorFn(state.syncStatus.toUpperCase())}`);
+	if (state.relayRev) col2.push(pc.dim(`rev: ${state.relayRev.slice(0, 12)}`));
+	const col3 = [pc.dim("FIREHOSE"), ""];
+	const subDot = state.subscribers > 0 ? pc.green("●") : pc.dim("○");
+	col3.push(`${subDot} ${pc.bold(String(state.subscribers))} subscriber${state.subscribers !== 1 ? "s" : ""}`);
+	col3.push(pc.dim(`seq: ${state.latestSeq != null ? state.latestSeq : "—"}`));
+	if (state.subscriberDetails.length > 0) {
+		col3.push("");
+		for (const sub of state.subscriberDetails.slice(0, 5)) {
+			const ip = sub.ip ? `  ${shortenIP(sub.ip)}` : "";
+			col3.push(pc.dim(`${relativeTime(sub.connectedAt)}  cursor: ${sub.cursor}${ip}`));
+		}
+	}
+	const columnLines = renderColumns([
+		col1,
+		col2,
+		col3
+	], [
+		colWidth,
+		colWidth,
+		colWidth
+	]);
+	for (const line of columnLines) lines.push(indent + line);
+	lines.push("");
+	const remaining = rows - lines.length - 3;
+	const notifHeight = Math.max(3, Math.floor(remaining * .4));
+	const eventsHeight = Math.max(3, remaining - notifHeight);
+	const notifSeparator = "─".repeat(Math.max(0, cols - visibleLength(indent + "NOTIFICATIONS ") - 2));
+	lines.push(`${indent}${pc.dim("NOTIFICATIONS " + notifSeparator)}`);
+	if (state.notifications.length === 0) {
+		lines.push(`${indent}${pc.dim("No notifications yet")}`);
+		for (let i = 1; i < notifHeight - 1; i++) lines.push("");
+	} else {
+		const visibleNotifs = state.notifications.slice(0, notifHeight - 1);
+		for (const n of visibleNotifs) {
+			const readDim = n.isRead ? pc.dim : (s) => s;
+			const line = `${indent}${pc.dim(n.time)}  ${n.icon}  ${readDim(n.author)} ${readDim(pc.dim(n.text))}`;
+			lines.push(truncate(line, cols));
+		}
+		for (let i = visibleNotifs.length; i < notifHeight - 1; i++) lines.push("");
+	}
+	lines.push("");
+	const wsStatusText = state.wsConnected ? "● connected" : "○ disconnected";
+	indent + "";
+	const eventsSuffix = "  " + wsStatusText + "  ";
+	const eventsSeparator = "─".repeat(Math.max(0, cols - 9 - eventsSuffix.length));
+	const wsStatus = state.wsConnected ? pc.green(wsStatusText) : pc.dim(wsStatusText);
+	lines.push(`${indent}${pc.dim("EVENTS " + eventsSeparator)}  ${wsStatus}`);
+	if (state.events.length === 0) {
+		lines.push(`${indent}${pc.dim("Waiting for events…")}`);
+		for (let i = 1; i < eventsHeight - 1; i++) lines.push("");
+	} else {
+		const visibleEvents = state.events.slice(0, eventsHeight - 1);
+		for (const ev of visibleEvents) {
+			const actionColor = {
+				create: pc.green,
+				update: pc.yellow,
+				delete: pc.red,
+				identity: pc.cyan
+			}[ev.action] ?? pc.dim;
+			const line = `${indent}${pc.dim(ev.time)}  ${pc.dim("#" + String(ev.seq).padStart(4))}  ${actionColor(ev.action.toUpperCase().padEnd(7))}  ${ev.path}`;
+			lines.push(truncate(line, cols));
+		}
+		for (let i = visibleEvents.length; i < eventsHeight - 1; i++) lines.push("");
+	}
+	lines.push("");
+	const accountStatus = state.accountActive ? pc.green("● active") : pc.yellow("○ deactivated");
+	let footer = `${indent}${pc.dim("[a]")} activate  ${pc.dim("·")}  ${pc.dim("[r]")} crawl  ${pc.dim("·")}  ${pc.dim("[e]")} emit identity  ${pc.dim("·")}  ${pc.dim("[q]")} quit`;
+	if (state.statusMessage) footer += `     ${pc.yellow(state.statusMessage)}`;
+	else footer += `     ${accountStatus}`;
+	lines.push(footer);
+	while (lines.length < rows) lines.push("");
+	const output = lines.slice(0, rows).map((l) => padRight(l, cols)).join("\n");
+	process.stdout.write("\x1B[H" + output);
+}
+function setStatusMessage(state, message, render, durationMs = 3e3) {
+	if (state.statusMessageTimeout) clearTimeout(state.statusMessageTimeout);
+	state.statusMessage = message;
+	render();
+	state.statusMessageTimeout = setTimeout(() => {
+		state.statusMessage = null;
+		render();
+	}, durationMs);
+}
+const dashboardCommand = defineCommand({
+	meta: {
+		name: "dashboard",
+		description: "Live dashboard for PDS monitoring"
+	},
+	args: { dev: {
+		type: "boolean",
+		description: "Target local development server instead of production",
+		default: false
+	} },
+	async run({ args }) {
+		const isDev = args.dev;
+		const wranglerVars = getVars();
+		const config = {
+			...readDevVars(),
+			...wranglerVars
+		};
+		let targetUrl;
+		try {
+			targetUrl = getTargetUrl(isDev, config.PDS_HOSTNAME);
+		} catch (err) {
+			console.error(pc.red("Error:"), err instanceof Error ? err.message : "Configuration error");
+			console.log(pc.dim("Run 'pds init' first to configure your PDS."));
+			process.exit(1);
+		}
+		const authToken = config.AUTH_TOKEN;
+		const handle = config.HANDLE ?? "";
+		const did = config.DID ?? "";
+		if (!authToken) {
+			console.error(pc.red("Error:"), "No AUTH_TOKEN found. Run 'pds init' first.");
+			process.exit(1);
+		}
+		const client = new PDSClient(targetUrl, authToken);
+		if (!await client.healthCheck()) {
+			console.error(pc.red("Error:"), `PDS not responding at ${targetUrl}`);
+			process.exit(1);
+		}
+		const state = createInitialState();
+		const dashConfig = {
+			hostname: config.PDS_HOSTNAME ?? targetUrl,
+			handle,
+			did,
+			version: "0.10.6"
+		};
+		const render = () => renderDashboard(state, dashConfig);
+		enterAltScreen();
+		hideCursor();
+		clearScreen();
+		const intervals = [];
+		let firehose = null;
+		function cleanup() {
+			for (const interval of intervals) clearInterval(interval);
+			if (firehose) firehose.close();
+			if (state.statusMessageTimeout) clearTimeout(state.statusMessageTimeout);
+			if (process.stdin.isTTY) process.stdin.setRawMode(false);
+			showCursor();
+			exitAltScreen();
+		}
+		process.on("SIGINT", () => {
+			cleanup();
+			process.exit(0);
+		});
+		process.on("SIGTERM", () => {
+			cleanup();
+			process.exit(0);
+		});
+		render();
+		await Promise.all([
+			fetchRepo(client, did, state, render),
+			fetchFirehoseStatus(client, state, render),
+			fetchAccountStatus(client, state, render),
+			fetchNotifications(client, state, render)
+		]);
+		await fetchRelaySync(did, state, render);
+		intervals.push(setInterval(() => fetchRepo(client, did, state, render), 3e4));
+		intervals.push(setInterval(() => fetchRelaySync(did, state, render), 5e3));
+		intervals.push(setInterval(() => fetchFirehoseStatus(client, state, render), 1e4));
+		intervals.push(setInterval(() => fetchNotifications(client, state, render), 15e3));
+		intervals.push(setInterval(() => fetchAccountStatus(client, state, render), 3e4));
+		firehose = connectFirehose(targetUrl, state, render);
+		process.stdout.on("resize", render);
+		if (process.stdin.isTTY) {
+			process.stdin.setRawMode(true);
+			process.stdin.resume();
+			process.stdin.setEncoding("utf8");
+			let activateConfirmTimeout = null;
+			let awaitingActivateConfirm = false;
+			process.stdin.on("data", async (key) => {
+				if (key === "") {
+					cleanup();
+					process.exit(0);
+				}
+				if (key === "q" || key === "Q") {
+					cleanup();
+					process.exit(0);
+				}
+				if (key === "a" || key === "A") {
+					if (awaitingActivateConfirm) {
+						awaitingActivateConfirm = false;
+						if (activateConfirmTimeout) clearTimeout(activateConfirmTimeout);
+						setStatusMessage(state, "Activating…", render, 1e4);
+						try {
+							await client.activateAccount();
+							state.accountActive = true;
+							const pdsHostname = config.PDS_HOSTNAME;
+							if (pdsHostname && !isDev) await client.requestCrawl(pdsHostname);
+							try {
+								await client.emitIdentity();
+							} catch {}
+							setStatusMessage(state, pc.green("✓ Activated! Crawl requested."), render, 5e3);
+						} catch (err) {
+							setStatusMessage(state, pc.red(`\u2717 ${err instanceof Error ? err.message : "Activation failed"}`), render, 5e3);
+						}
+					} else {
+						awaitingActivateConfirm = true;
+						setStatusMessage(state, "Press [a] again to activate", render, 3e3);
+						activateConfirmTimeout = setTimeout(() => {
+							awaitingActivateConfirm = false;
+							state.statusMessage = null;
+							render();
+						}, 3e3);
+					}
+					return;
+				}
+				if (key === "r" || key === "R") {
+					const pdsHostname = config.PDS_HOSTNAME;
+					if (!pdsHostname || isDev) {
+						setStatusMessage(state, pc.yellow("No PDS hostname configured"), render);
+						return;
+					}
+					setStatusMessage(state, "Requesting crawl…", render, 1e4);
+					setStatusMessage(state, await client.requestCrawl(pdsHostname) ? pc.green("✓ Crawl requested") : pc.red("✗ Crawl request failed"), render);
+					return;
+				}
+				if (key === "e" || key === "E") {
+					setStatusMessage(state, "Emitting identity…", render, 1e4);
+					try {
+						const result = await client.emitIdentity();
+						setStatusMessage(state, pc.green(`\u2713 Identity emitted (seq: ${result.seq})`), render);
+					} catch (err) {
+						setStatusMessage(state, pc.red(`\u2717 ${err instanceof Error ? err.message : "Failed"}`), render);
+					}
+					return;
+				}
+			});
+		}
+	}
+});
+
 //#endregion
 //#region src/cli/index.ts
 /**
@@ -3917,7 +4632,8 @@ runMain(defineCommand({
 		activate: activateCommand,
 		deactivate: deactivateCommand,
 		status: statusCommand,
-		"emit-identity": emitIdentityCommand
+		"emit-identity": emitIdentityCommand,
+		dashboard: dashboardCommand
 	}
 }));