@getcirrus/pds 0.2.2

package/dist/cli.js

@@ -0,0 +1,1609 @@
+#!/usr/bin/env node
+import { defineCommand, runMain } from "citty";
+import * as p from "@clack/prompts";
+import { randomBytes } from "node:crypto";
+import { Secp256k1Keypair } from "@atproto/crypto";
+import bcrypt from "bcryptjs";
+import { spawn } from "node:child_process";
+import { experimental_patchConfig, experimental_readRawConfig } from "wrangler";
+import { existsSync, readFileSync, writeFileSync } from "node:fs";
+import { resolve } from "node:path";
+import { AtprotoDohHandleResolver } from "@atproto-labs/handle-resolver";
+import { check, didDocument, getPdsEndpoint } from "@atproto/common-web";
+import pc from "picocolors";
+
+//#region src/cli/utils/wrangler.ts
+/**
+* Wrangler integration utilities for setting vars and secrets
+*/
+/**
+* Set a var in wrangler.jsonc using experimental_patchConfig
+*/
+function setVar(name, value) {
+	const { configPath } = experimental_readRawConfig({});
+	if (!configPath) throw new Error("No wrangler config found");
+	experimental_patchConfig(configPath, { vars: { [name]: value } });
+}
+/**
+* Set multiple vars in wrangler.jsonc
+*/
+function setVars(vars) {
+	const { configPath } = experimental_readRawConfig({});
+	if (!configPath) throw new Error("No wrangler config found");
+	experimental_patchConfig(configPath, { vars });
+}
+/**
+* Get current vars from wrangler config
+*/
+function getVars() {
+	const { rawConfig } = experimental_readRawConfig({});
+	return rawConfig.vars || {};
+}
+/**
+* Get current worker name from wrangler config
+*/
+function getWorkerName() {
+	const { rawConfig } = experimental_readRawConfig({});
+	return rawConfig.name;
+}
+/**
+* Set worker name in wrangler config
+*/
+function setWorkerName(name) {
+	const { configPath } = experimental_readRawConfig({});
+	if (!configPath) throw new Error("No wrangler config found");
+	experimental_patchConfig(configPath, { name });
+}
+/**
+* Set a secret using wrangler secret put
+*/
+async function setSecret(name, value) {
+	return new Promise((resolve$1, reject) => {
+		const child = spawn("wrangler", [
+			"secret",
+			"put",
+			name
+		], { stdio: [
+			"pipe",
+			"inherit",
+			"inherit"
+		] });
+		child.stdin.write(value);
+		child.stdin.end();
+		child.on("close", (code) => {
+			if (code === 0) resolve$1();
+			else reject(/* @__PURE__ */ new Error(`wrangler secret put ${name} failed with code ${code}`));
+		});
+		child.on("error", reject);
+	});
+}
+
+//#endregion
+//#region src/cli/utils/dotenv.ts
+/**
+* .dev.vars file utilities for local development
+*/
+const DEV_VARS_FILE = ".dev.vars";
+/**
+* Parse a .dev.vars file into a record
+*/
+function readDevVars(dir = process.cwd()) {
+	const filePath = resolve(dir, DEV_VARS_FILE);
+	if (!existsSync(filePath)) return {};
+	const content = readFileSync(filePath, "utf-8");
+	const vars = {};
+	for (const line of content.split("\n")) {
+		const trimmed = line.trim();
+		if (!trimmed || trimmed.startsWith("#")) continue;
+		const eqIndex = trimmed.indexOf("=");
+		if (eqIndex === -1) continue;
+		const key = trimmed.slice(0, eqIndex).trim();
+		let value = trimmed.slice(eqIndex + 1).trim();
+		if (value.startsWith("\"") && value.endsWith("\"") || value.startsWith("'") && value.endsWith("'")) value = value.slice(1, -1);
+		vars[key] = value;
+	}
+	return vars;
+}
+/**
+* Quote a value if it contains special characters
+*/
+function quoteValue(value) {
+	if (value.includes(" ") || value.includes("\"") || value.includes("'")) return "\"" + value.replace(/"/g, "\\\"") + "\"";
+	return value;
+}
+/**
+* Write vars to .dev.vars file, preserving comments and order
+*/
+function writeDevVars(vars, dir = process.cwd()) {
+	const filePath = resolve(dir, DEV_VARS_FILE);
+	let existingLines = [];
+	if (existsSync(filePath)) existingLines = readFileSync(filePath, "utf-8").split("\n");
+	const outputLines = [];
+	const updatedKeys = /* @__PURE__ */ new Set();
+	for (const line of existingLines) {
+		const trimmed = line.trim();
+		if (!trimmed || trimmed.startsWith("#")) {
+			outputLines.push(line);
+			continue;
+		}
+		const eqIndex = trimmed.indexOf("=");
+		if (eqIndex === -1) {
+			outputLines.push(line);
+			continue;
+		}
+		const key = trimmed.slice(0, eqIndex).trim();
+		if (key in vars) {
+			outputLines.push(key + "=" + quoteValue(vars[key]));
+			updatedKeys.add(key);
+		} else outputLines.push(line);
+	}
+	for (const [key, value] of Object.entries(vars)) if (!updatedKeys.has(key)) outputLines.push(key + "=" + quoteValue(value));
+	writeFileSync(filePath, outputLines.join("\n").trimEnd() + "\n");
+}
+/**
+* Set a single var in .dev.vars
+*/
+function setDevVar(key, value, dir = process.cwd()) {
+	const vars = readDevVars(dir);
+	vars[key] = value;
+	writeDevVars(vars, dir);
+}
+
+//#endregion
+//#region src/cli/utils/secrets.ts
+/**
+* Secret generation and management utilities for PDS CLI
+*/
+/**
+* Generate a new secp256k1 signing keypair
+*/
+async function generateSigningKeypair() {
+	const keypair = await Secp256k1Keypair.create({ exportable: true });
+	return {
+		privateKey: Buffer.from(await keypair.export()).toString("hex"),
+		publicKey: keypair.did().replace("did:key:", "")
+	};
+}
+/**
+* Derive public key from an existing private key
+*/
+async function derivePublicKey(privateKeyHex) {
+	return (await Secp256k1Keypair.import(privateKeyHex)).did().replace("did:key:", "");
+}
+/**
+* Generate a random auth token (base64url, 32 bytes)
+*/
+function generateAuthToken() {
+	return randomBytes(32).toString("base64url");
+}
+/**
+* Generate a random JWT secret (base64, 32 bytes)
+*/
+function generateJwtSecret() {
+	return randomBytes(32).toString("base64");
+}
+/**
+* Hash a password using bcrypt
+*/
+async function hashPassword(password) {
+	return bcrypt.hash(password, 10);
+}
+/**
+* Prompt for password with confirmation (max 3 attempts)
+*/
+async function promptPassword(handle) {
+	const message = handle ? `Choose a password for @${handle}:` : "Enter password:";
+	const MAX_ATTEMPTS = 3;
+	let attempts = 0;
+	while (attempts < MAX_ATTEMPTS) {
+		attempts++;
+		const password = await p.password({ message });
+		if (p.isCancel(password)) {
+			p.cancel("Cancelled");
+			process.exit(0);
+		}
+		const confirm = await p.password({ message: "Confirm password:" });
+		if (p.isCancel(confirm)) {
+			p.cancel("Cancelled");
+			process.exit(0);
+		}
+		if (password === confirm) return password;
+		p.log.error("Passwords do not match. Try again.");
+	}
+	p.log.error("Too many failed attempts.");
+	p.cancel("Password setup cancelled");
+	process.exit(1);
+}
+/**
+* Set a secret value, either locally (.dev.vars) or via wrangler
+*/
+async function setSecretValue(name, value, local) {
+	if (local) setDevVar(name, value);
+	else await setSecret(name, value);
+}
+/**
+* Set a public var in wrangler.jsonc
+*/
+function setPublicVar(name, value, local) {
+	if (local) setDevVar(name, value);
+	else setVar(name, value);
+}
+
+//#endregion
+//#region src/cli/commands/secret/jwt.ts
+/**
+* JWT secret generation command
+*/
+const jwtCommand = defineCommand({
+	meta: {
+		name: "jwt",
+		description: "Generate and set JWT signing secret"
+	},
+	args: { local: {
+		type: "boolean",
+		description: "Write to .dev.vars instead of wrangler secrets",
+		default: false
+	} },
+	async run({ args }) {
+		p.intro("Generate JWT Secret");
+		const secret = generateJwtSecret();
+		try {
+			await setSecretValue("JWT_SECRET", secret, args.local);
+			p.outro(args.local ? "JWT_SECRET written to .dev.vars" : "Done!");
+		} catch (error) {
+			p.log.error(String(error));
+			process.exit(1);
+		}
+	}
+});
+
+//#endregion
+//#region src/cli/commands/secret/password.ts
+/**
+* Password hash generation command
+*/
+const passwordCommand = defineCommand({
+	meta: {
+		name: "password",
+		description: "Set account password (stored as bcrypt hash)"
+	},
+	args: { local: {
+		type: "boolean",
+		description: "Write to .dev.vars instead of wrangler secrets",
+		default: false
+	} },
+	async run({ args }) {
+		p.intro("Set Account Password");
+		const password = await promptPassword();
+		const spinner = p.spinner();
+		spinner.start("Hashing password...");
+		const passwordHash = await hashPassword(password);
+		spinner.stop("Password hashed");
+		try {
+			await setSecretValue("PASSWORD_HASH", passwordHash, args.local);
+			p.outro(args.local ? "PASSWORD_HASH written to .dev.vars" : "Done!");
+		} catch (error) {
+			p.log.error(String(error));
+			process.exit(1);
+		}
+	}
+});
+
+//#endregion
+//#region src/cli/commands/secret/key.ts
+/**
+* Signing key generation command
+*/
+const keyCommand = defineCommand({
+	meta: {
+		name: "key",
+		description: "Generate and set signing keypair"
+	},
+	args: { local: {
+		type: "boolean",
+		description: "Write to .dev.vars instead of wrangler secrets/config",
+		default: false
+	} },
+	async run({ args }) {
+		p.intro("Generate Signing Keypair");
+		const spinner = p.spinner();
+		spinner.start("Generating secp256k1 keypair...");
+		const { privateKey, publicKey } = await generateSigningKeypair();
+		spinner.stop("Keypair generated");
+		try {
+			await setSecretValue("SIGNING_KEY", privateKey, args.local);
+			setPublicVar("SIGNING_KEY_PUBLIC", publicKey, args.local);
+			p.log.info("Public key (for DID document): " + publicKey);
+			p.outro(args.local ? "SIGNING_KEY and SIGNING_KEY_PUBLIC written to .dev.vars" : "Done!");
+		} catch (error) {
+			p.log.error(String(error));
+			process.exit(1);
+		}
+	}
+});
+
+//#endregion
+//#region src/cli/commands/secret/index.ts
+/**
+* Secret management commands
+*/
+const secretCommand = defineCommand({
+	meta: {
+		name: "secret",
+		description: "Manage PDS secrets"
+	},
+	subCommands: {
+		jwt: jwtCommand,
+		password: passwordCommand,
+		key: keyCommand
+	}
+});
+
+//#endregion
+//#region src/cli/utils/cli-helpers.ts
+/**
+* Shared CLI utilities for PDS commands
+*/
+/**
+* Prompt for text input, exiting on cancel
+*/
+async function promptText(options) {
+	const result = await p.text(options);
+	if (p.isCancel(result)) {
+		p.cancel("Cancelled");
+		process.exit(0);
+	}
+	return result;
+}
+/**
+* Prompt for confirmation, exiting on cancel
+*/
+async function promptConfirm(options) {
+	const result = await p.confirm(options);
+	if (p.isCancel(result)) {
+		p.cancel("Cancelled");
+		process.exit(0);
+	}
+	return result;
+}
+/**
+* Prompt for selection, exiting on cancel
+*/
+async function promptSelect(options) {
+	const result = await p.select(options);
+	if (p.isCancel(result)) {
+		p.cancel("Cancelled");
+		process.exit(0);
+	}
+	return result;
+}
+/**
+* Get target PDS URL based on mode
+*/
+function getTargetUrl(isDev, pdsHostname) {
+	if (isDev) return `http://localhost:${process.env.PORT ? parseInt(process.env.PORT) ?? "5173" : "5173"}`;
+	if (!pdsHostname) throw new Error("PDS_HOSTNAME not configured in wrangler.jsonc");
+	return `https://${pdsHostname}`;
+}
+/**
+* Extract domain from URL
+*/
+function getDomain(url) {
+	try {
+		return new URL(url).hostname;
+	} catch {
+		return url;
+	}
+}
+
+//#endregion
+//#region src/cli/utils/handle-resolver.ts
+/**
+* Utilities for resolving AT Protocol handles to DIDs
+*/
+const resolver = new AtprotoDohHandleResolver({ dohEndpoint: "https://cloudflare-dns.com/dns-query" });
+/**
+* Resolve a handle to a DID using the AT Protocol handle resolution methods.
+* Uses DNS-over-HTTPS via Cloudflare for DNS resolution.
+*/
+async function resolveHandleToDid(handle) {
+	try {
+		return await resolver.resolve(handle, { signal: AbortSignal.timeout(1e4) });
+	} catch (err) {
+		return null;
+	}
+}
+
+//#endregion
+//#region src/did-resolver.ts
+/**
+* DID resolution for Cloudflare Workers
+*
+* We can't use @atproto/identity directly because it uses `redirect: "error"`
+* which Cloudflare Workers doesn't support. This is a simple implementation
+* that's compatible with Workers.
+*/
+const PLC_DIRECTORY = "https://plc.directory";
+const TIMEOUT_MS = 3e3;
+var DidResolver = class {
+	plcUrl;
+	timeout;
+	cache;
+	constructor(opts = {}) {
+		this.plcUrl = opts.plcUrl ?? PLC_DIRECTORY;
+		this.timeout = opts.timeout ?? TIMEOUT_MS;
+		this.cache = opts.didCache;
+	}
+	async resolve(did) {
+		if (this.cache) {
+			const cached = await this.cache.checkCache(did);
+			if (cached && !cached.expired) {
+				if (cached.stale) this.cache.refreshCache(did, () => this.resolveNoCache(did), cached);
+				return cached.doc;
+			}
+		}
+		const doc = await this.resolveNoCache(did);
+		if (doc && this.cache) await this.cache.cacheDid(did, doc);
+		else if (!doc && this.cache) await this.cache.clearEntry(did);
+		return doc;
+	}
+	async resolveNoCache(did) {
+		if (did.startsWith("did:web:")) return this.resolveDidWeb(did);
+		if (did.startsWith("did:plc:")) return this.resolveDidPlc(did);
+		throw new Error(`Unsupported DID method: ${did}`);
+	}
+	async resolveDidWeb(did) {
+		const parts = did.split(":").slice(2);
+		if (parts.length === 0) throw new Error(`Invalid did:web format: ${did}`);
+		if (parts.length > 1) throw new Error(`Unsupported did:web with path: ${did}`);
+		const domain = decodeURIComponent(parts[0]);
+		const url = new URL(`https://${domain}/.well-known/did.json`);
+		if (url.hostname === "localhost") url.protocol = "http:";
+		const controller = new AbortController();
+		const timeoutId = setTimeout(() => controller.abort(), this.timeout);
+		try {
+			const res = await fetch(url.toString(), {
+				signal: controller.signal,
+				redirect: "manual",
+				headers: { accept: "application/did+ld+json,application/json" }
+			});
+			if (res.status >= 300 && res.status < 400) return null;
+			if (!res.ok) return null;
+			const doc = await res.json();
+			return this.validateDidDoc(did, doc);
+		} finally {
+			clearTimeout(timeoutId);
+		}
+	}
+	async resolveDidPlc(did) {
+		const url = new URL(`/${encodeURIComponent(did)}`, this.plcUrl);
+		const controller = new AbortController();
+		const timeoutId = setTimeout(() => controller.abort(), this.timeout);
+		try {
+			const res = await fetch(url.toString(), {
+				signal: controller.signal,
+				redirect: "manual",
+				headers: { accept: "application/did+ld+json,application/json" }
+			});
+			if (res.status >= 300 && res.status < 400) return null;
+			if (res.status === 404) return null;
+			if (!res.ok) throw new Error(`PLC directory error: ${res.status} ${res.statusText}`);
+			const doc = await res.json();
+			return this.validateDidDoc(did, doc);
+		} finally {
+			clearTimeout(timeoutId);
+		}
+	}
+	validateDidDoc(did, doc) {
+		if (!check.is(doc, didDocument)) return null;
+		if (doc.id !== did) return null;
+		return doc;
+	}
+};
+
+//#endregion
+//#region src/cli/commands/init.ts
+/**
+* Interactive PDS setup wizard
+*/
+/**
+* Slugify a handle to create a worker name
+* e.g., "example.com" -> "example-com-pds"
+*/
+function slugifyHandle(handle) {
+	return handle.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-|-$/g, "") + "-pds";
+}
+const defaultWorkerName = "my-pds";
+/**
+* Prompt for worker name with validation
+*/
+async function promptWorkerName(handle, currentWorkerName) {
+	const placeholder = currentWorkerName && currentWorkerName !== defaultWorkerName ? currentWorkerName : slugifyHandle(handle);
+	return promptText({
+		message: "Cloudflare Worker name:",
+		placeholder,
+		initialValue: placeholder,
+		validate: (v) => {
+			if (!v) return "Worker name is required";
+			if (!/^[a-z0-9-]+$/.test(v)) return "Worker name can only contain lowercase letters, numbers, and hyphens";
+		}
+	});
+}
+/**
+* Run wrangler types to regenerate TypeScript types
+*/
+function runWranglerTypes() {
+	return new Promise((resolve$1, reject) => {
+		const child = spawn("wrangler", ["types"], { stdio: "pipe" });
+		let output = "";
+		child.stdout?.on("data", (data) => {
+			output += data.toString();
+		});
+		child.stderr?.on("data", (data) => {
+			output += data.toString();
+		});
+		child.on("close", (code) => {
+			if (code === 0) resolve$1();
+			else {
+				if (output) console.error(output);
+				reject(/* @__PURE__ */ new Error(`wrangler types failed with code ${code}`));
+			}
+		});
+		child.on("error", reject);
+	});
+}
+const initCommand = defineCommand({
+	meta: {
+		name: "init",
+		description: "Interactive PDS setup wizard"
+	},
+	args: { production: {
+		type: "boolean",
+		description: "Deploy secrets to Cloudflare?",
+		default: false
+	} },
+	async run({ args }) {
+		p.intro("🦋 PDS Setup");
+		const isProduction = args.production;
+		if (isProduction) p.log.info("Production mode: secrets will be deployed to Cloudflare");
+		p.log.info("Let's set up your new home in the Atmosphere!");
+		const wranglerVars = getVars();
+		const devVars = readDevVars();
+		const currentVars = {
+			...devVars,
+			...wranglerVars
+		};
+		const isMigrating = await promptConfirm({
+			message: "Are you migrating an existing Bluesky/ATProto account?",
+			initialValue: false
+		});
+		let did;
+		let handle;
+		let hostname;
+		let workerName;
+		let initialActive;
+		const currentWorkerName = getWorkerName();
+		if (isMigrating) {
+			p.log.info("Time to pack your bags! 🧳");
+			p.log.info("Your new account will be inactive until you're ready to go live.");
+			let hostedDomains = [
+				".bsky.social",
+				".bsky.network",
+				".bsky.team"
+			];
+			const isHostedHandle = (h) => hostedDomains.some((domain) => h?.endsWith(domain));
+			let resolvedDid = null;
+			let existingHandle = null;
+			let attempts = 0;
+			const MAX_ATTEMPTS = 3;
+			while (!resolvedDid && attempts < MAX_ATTEMPTS) {
+				attempts++;
+				const currentHandle = await promptText({
+					message: "Your current Bluesky/ATProto handle:",
+					placeholder: "example.bsky.social",
+					validate: (v) => !v ? "Handle is required" : void 0
+				});
+				existingHandle = currentHandle;
+				const spinner$1 = p.spinner();
+				spinner$1.start("Finding you in the Atmosphere...");
+				resolvedDid = await resolveHandleToDid(currentHandle);
+				if (!resolvedDid) {
+					spinner$1.stop("Not found");
+					p.log.error(`Failed to resolve handle "${currentHandle}"`);
+					if (await promptSelect({
+						message: "What would you like to do?",
+						options: [{
+							value: "retry",
+							label: "Try a different handle"
+						}, {
+							value: "manual",
+							label: "Enter DID manually"
+						}]
+					}) === "manual") resolvedDid = await promptText({
+						message: "Enter your DID:",
+						placeholder: "did:plc:...",
+						validate: (v) => {
+							if (!v) return "DID is required";
+							if (!v.startsWith("did:")) return "DID must start with did:";
+						}
+					});
+				} else {
+					try {
+						const pdsService = (await new DidResolver().resolve(resolvedDid))?.service?.find((s) => s.type === "AtprotoPersonalDataServer" || s.id === "#atproto_pds");
+						if (pdsService?.serviceEndpoint) {
+							const describeRes = await fetch(`${pdsService.serviceEndpoint}/xrpc/com.atproto.server.describeServer`);
+							if (describeRes.ok) {
+								const desc = await describeRes.json();
+								if (desc.availableUserDomains?.length) hostedDomains = desc.availableUserDomains.map((d) => d.startsWith(".") ? d : `.${d}`);
+							}
+						}
+					} catch {}
+					spinner$1.stop(`Found you! ${resolvedDid}`);
+					if (isHostedHandle(existingHandle)) {
+						const theirDomain = hostedDomains.find((d) => existingHandle?.endsWith(d));
+						const domainExample = theirDomain ? `*${theirDomain}` : "*.bsky.social";
+						p.log.warn(`You'll need a custom domain for your new handle (not ${domainExample}). You can set this up after transferring your data.`);
+					}
+					if (attempts >= MAX_ATTEMPTS) {
+						p.log.error("Unable to resolve handle after 3 attempts.");
+						p.log.info("");
+						p.log.info("You can:");
+						p.log.info("  1. Double-check your handle spelling");
+						p.log.info("  2. Provide your DID directly if you know it");
+						p.log.info("  3. Run 'pds init' again when ready");
+						p.outro("Initialization cancelled.");
+						process.exit(1);
+					}
+				}
+			}
+			did = resolvedDid;
+			handle = await promptText({
+				message: "New account handle (must be a domain you control):",
+				placeholder: "example.com",
+				initialValue: existingHandle && !isHostedHandle(existingHandle) ? existingHandle : currentVars.HANDLE || "",
+				validate: (v) => {
+					if (!v) return "Handle is required";
+					if (isHostedHandle(v)) return "You need a custom domain - hosted handles like *.bsky.social won't work";
+				}
+			});
+			hostname = await promptText({
+				message: "Domain where you'll deploy your PDS:",
+				placeholder: handle,
+				initialValue: currentVars.PDS_HOSTNAME || handle,
+				validate: (v) => !v ? "Hostname is required" : void 0
+			});
+			workerName = await promptWorkerName(handle, currentWorkerName);
+			initialActive = "false";
+		} else {
+			p.log.info("A fresh start in the Atmosphere! ✨");
+			hostname = await promptText({
+				message: "Domain where you'll deploy your PDS:",
+				placeholder: "pds.example.com",
+				initialValue: currentVars.PDS_HOSTNAME || "",
+				validate: (v) => !v ? "Hostname is required" : void 0
+			});
+			handle = await promptText({
+				message: "Account handle:",
+				placeholder: hostname,
+				initialValue: currentVars.HANDLE || hostname,
+				validate: (v) => !v ? "Handle is required" : void 0
+			});
+			const didDefault = "did:web:" + hostname;
+			did = await promptText({
+				message: "Account DID:",
+				placeholder: didDefault,
+				initialValue: currentVars.DID || didDefault,
+				validate: (v) => {
+					if (!v) return "DID is required";
+					if (!v.startsWith("did:")) return "DID must start with 'did:'";
+				}
+			});
+			workerName = await promptWorkerName(handle, currentWorkerName);
+			initialActive = "true";
+			if (handle === hostname) p.note([
+				"Your handle matches your PDS hostname, so your PDS will",
+				"automatically handle domain verification for you!",
+				"",
+				"For did:web, your PDS serves the DID document at:",
+				`  https://${hostname}/.well-known/did.json`,
+				"",
+				"For handle verification, it serves:",
+				`  https://${hostname}/.well-known/atproto-did`,
+				"",
+				"No additional DNS or hosting setup needed. Easy! 🎉"
+			].join("\n"), "Identity Setup 🪪");
+			else p.note([
+				"For did:web, your PDS will serve the DID document at:",
+				`  https://${hostname}/.well-known/did.json`,
+				"",
+				"To verify your handle, create a DNS TXT record:",
+				`  _atproto.${handle} TXT "did=${did}"`,
+				"",
+				"Or serve a file at:",
+				`  https://${handle}/.well-known/atproto-did`,
+				`  containing: ${did}`
+			].join("\n"), "Identity Setup 🪪");
+		}
+		const spinner = p.spinner();
+		const authToken = await getOrGenerateSecret("AUTH_TOKEN", devVars, async () => {
+			spinner.start("Generating auth token...");
+			const token = generateAuthToken();
+			spinner.stop("Auth token generated");
+			return token;
+		});
+		const signingKey = await getOrGenerateSecret("SIGNING_KEY", devVars, async () => {
+			spinner.start("Generating signing keypair...");
+			const { privateKey } = await generateSigningKeypair();
+			spinner.stop("Signing keypair generated");
+			return privateKey;
+		});
+		const signingKeyPublic = await derivePublicKey(signingKey);
+		const jwtSecret = await getOrGenerateSecret("JWT_SECRET", devVars, async () => {
+			spinner.start("Generating JWT secret...");
+			const secret = generateJwtSecret();
+			spinner.stop("JWT secret generated");
+			return secret;
+		});
+		const passwordHash = await getOrGenerateSecret("PASSWORD_HASH", devVars, async () => {
+			const password = await promptPassword(handle);
+			spinner.start("Hashing password...");
+			const hash = await hashPassword(password);
+			spinner.stop("Password hashed");
+			return hash;
+		});
+		spinner.start("Updating wrangler.jsonc...");
+		setWorkerName(workerName);
+		setVars({
+			PDS_HOSTNAME: hostname,
+			DID: did,
+			HANDLE: handle,
+			SIGNING_KEY_PUBLIC: signingKeyPublic,
+			INITIAL_ACTIVE: initialActive
+		});
+		spinner.stop("wrangler.jsonc updated");
+		const local = !isProduction;
+		if (isProduction) spinner.start("Deploying secrets to Cloudflare...");
+		else spinner.start("Writing secrets to .dev.vars...");
+		await setSecretValue("AUTH_TOKEN", authToken, local);
+		await setSecretValue("SIGNING_KEY", signingKey, local);
+		await setSecretValue("JWT_SECRET", jwtSecret, local);
+		await setSecretValue("PASSWORD_HASH", passwordHash, local);
+		spinner.stop(isProduction ? "Secrets deployed" : "Secrets written to .dev.vars");
+		spinner.start("Generating TypeScript types...");
+		try {
+			await runWranglerTypes();
+			spinner.stop("TypeScript types generated");
+		} catch {
+			spinner.stop("Failed to generate types (wrangler types)");
+		}
+		p.note([
+			"  Worker name:  " + workerName,
+			"  PDS hostname: " + hostname,
+			"  DID: " + did,
+			"  Handle: " + handle,
+			"  Public signing key: " + signingKeyPublic.slice(0, 20) + "...",
+			"",
+			isProduction ? "Secrets deployed to Cloudflare ☁️" : "Secrets saved to .dev.vars",
+			"",
+			"Auth token (save this!):",
+			"  " + authToken
+		].join("\n"), "Your New Home 🏠");
+		let deployedSecrets = isProduction;
+		if (!isProduction) {
+			const deployNow = await p.confirm({
+				message: "Push secrets to Cloudflare now?",
+				initialValue: false
+			});
+			if (!p.isCancel(deployNow) && deployNow) {
+				spinner.start("Deploying secrets to Cloudflare...");
+				await setSecretValue("AUTH_TOKEN", authToken, false);
+				await setSecretValue("SIGNING_KEY", signingKey, false);
+				await setSecretValue("JWT_SECRET", jwtSecret, false);
+				await setSecretValue("PASSWORD_HASH", passwordHash, false);
+				spinner.stop("Secrets deployed to Cloudflare");
+				deployedSecrets = true;
+			}
+		}
+		if (isMigrating) p.note([
+			deployedSecrets ? "Deploy your worker and run the migration:" : "Push secrets, deploy, and run the migration:",
+			"",
+			...deployedSecrets ? [] : ["  pnpm pds init --production", ""],
+			"  wrangler deploy",
+			"  pnpm pds migrate",
+			"",
+			"To test locally first:",
+			"  pnpm dev              # in one terminal",
+			"  pnpm pds migrate --dev  # in another",
+			"",
+			"Then update your identity and flip the switch! 🦋",
+			"  https://atproto.com/guides/account-migration"
+		].join("\n"), "Next Steps 🧳");
+		if (deployedSecrets) p.outro("Run 'wrangler deploy' to launch your PDS! 🚀");
+		else p.outro("Run 'pnpm dev' to start your PDS locally! 🦋");
+	}
+});
+/**
+* Helper to get a secret from .dev.vars or generate a new one
+*/
+async function getOrGenerateSecret(name, devVars, generate) {
+	if (devVars[name]) {
+		if (await p.confirm({
+			message: `Use ${name} from .dev.vars?`,
+			initialValue: true
+		}) === true) return devVars[name];
+	}
+	return generate();
+}
+
+//#endregion
+//#region src/cli/utils/pds-client.ts
+var PDSClientError = class extends Error {
+	constructor(status, error, message) {
+		super(message);
+		this.status = status;
+		this.error = error;
+		this.name = "PDSClientError";
+	}
+};
+var PDSClient = class {
+	authToken;
+	constructor(baseUrl, authToken) {
+		this.baseUrl = baseUrl;
+		this.authToken = authToken;
+	}
+	/**
+	* Set the auth token for subsequent requests
+	*/
+	setAuthToken(token) {
+		this.authToken = token;
+	}
+	/**
+	* Make an XRPC request
+	*/
+	async xrpc(method, endpoint, options = {}) {
+		const url = new URL(`/xrpc/${endpoint}`, this.baseUrl);
+		if (options.params) for (const [key, value] of Object.entries(options.params)) url.searchParams.set(key, value);
+		const headers = {};
+		if (options.auth && this.authToken) headers["Authorization"] = `Bearer ${this.authToken}`;
+		if (options.contentType) headers["Content-Type"] = options.contentType;
+		else if (options.body && !(options.body instanceof Uint8Array)) headers["Content-Type"] = "application/json";
+		const res = await fetch(url.toString(), {
+			method,
+			headers,
+			body: options.body ? options.body instanceof Uint8Array ? options.body : JSON.stringify(options.body) : void 0
+		});
+		if (!res.ok) {
+			const errorBody = await res.json().catch(() => ({}));
+			throw new PDSClientError(res.status, errorBody.error ?? "Unknown", errorBody.message ?? `Request failed: ${res.status}`);
+		}
+		if ((res.headers.get("content-type") ?? "").includes("application/json")) return res.json();
+		return {};
+	}
+	/**
+	* Make a raw request that returns bytes
+	*/
+	async xrpcBytes(method, endpoint, options = {}) {
+		const url = new URL(`/xrpc/${endpoint}`, this.baseUrl);
+		if (options.params) for (const [key, value] of Object.entries(options.params)) url.searchParams.set(key, value);
+		const headers = {};
+		if (options.auth && this.authToken) headers["Authorization"] = `Bearer ${this.authToken}`;
+		if (options.contentType) headers["Content-Type"] = options.contentType;
+		const res = await fetch(url.toString(), {
+			method,
+			headers,
+			body: options.body
+		});
+		if (!res.ok) {
+			const errorBody = await res.json().catch(() => ({}));
+			throw new PDSClientError(res.status, errorBody.error ?? "Unknown", errorBody.message ?? `Request failed: ${res.status}`);
+		}
+		return {
+			bytes: new Uint8Array(await res.arrayBuffer()),
+			mimeType: res.headers.get("content-type") ?? "application/octet-stream"
+		};
+	}
+	/**
+	* Create a session with identifier and password
+	*/
+	async createSession(identifier, password) {
+		return this.xrpc("POST", "com.atproto.server.createSession", { body: {
+			identifier,
+			password
+		} });
+	}
+	/**
+	* Get repository description including collections
+	*/
+	async describeRepo(did) {
+		return this.xrpc("GET", "com.atproto.repo.describeRepo", { params: { repo: did } });
+	}
+	/**
+	* Get profile stats from AppView (posts, follows, followers counts)
+	*/
+	async getProfileStats(did) {
+		try {
+			const res = await fetch(`https://public.api.bsky.app/xrpc/app.bsky.actor.getProfile?actor=${encodeURIComponent(did)}`);
+			if (!res.ok) return null;
+			const profile = await res.json();
+			return {
+				postsCount: profile.postsCount ?? 0,
+				followsCount: profile.followsCount ?? 0,
+				followersCount: profile.followersCount ?? 0
+			};
+		} catch {
+			return null;
+		}
+	}
+	/**
+	* Export repository as CAR file
+	*/
+	async getRepo(did) {
+		const { bytes } = await this.xrpcBytes("GET", "com.atproto.sync.getRepo", { params: { did } });
+		return bytes;
+	}
+	/**
+	* Get a blob by CID
+	*/
+	async getBlob(did, cid) {
+		return this.xrpcBytes("GET", "com.atproto.sync.getBlob", { params: {
+			did,
+			cid
+		} });
+	}
+	/**
+	* List blobs in repository
+	*/
+	async listBlobs(did, cursor) {
+		const params = { did };
+		if (cursor) params.cursor = cursor;
+		return this.xrpc("GET", "com.atproto.sync.listBlobs", { params });
+	}
+	/**
+	* Get user preferences
+	*/
+	async getPreferences() {
+		return (await this.xrpc("GET", "app.bsky.actor.getPreferences", { auth: true })).preferences;
+	}
+	/**
+	* Update user preferences
+	*/
+	async putPreferences(preferences) {
+		await this.xrpc("POST", "app.bsky.actor.putPreferences", {
+			body: { preferences },
+			auth: true
+		});
+	}
+	/**
+	* Get account status including migration progress
+	*/
+	async getAccountStatus() {
+		return this.xrpc("GET", "com.atproto.server.getAccountStatus", { auth: true });
+	}
+	/**
+	* Import repository from CAR file
+	*/
+	async importRepo(carBytes) {
+		return this.xrpc("POST", "com.atproto.repo.importRepo", {
+			body: carBytes,
+			contentType: "application/vnd.ipld.car",
+			auth: true
+		});
+	}
+	/**
+	* List blobs that are missing (referenced but not imported)
+	*/
+	async listMissingBlobs(limit, cursor) {
+		const params = {};
+		if (limit) params.limit = String(limit);
+		if (cursor) params.cursor = cursor;
+		return this.xrpc("GET", "com.atproto.repo.listMissingBlobs", {
+			params,
+			auth: true
+		});
+	}
+	/**
+	* Upload a blob
+	*/
+	async uploadBlob(bytes, mimeType) {
+		return (await this.xrpc("POST", "com.atproto.repo.uploadBlob", {
+			body: bytes,
+			contentType: mimeType,
+			auth: true
+		})).blob;
+	}
+	/**
+	* Reset migration state (only works on deactivated accounts)
+	*/
+	async resetMigration() {
+		return this.xrpc("POST", "gg.mk.experimental.resetMigration", { auth: true });
+	}
+	/**
+	* Activate account to enable writes
+	*/
+	async activateAccount() {
+		await this.xrpc("POST", "com.atproto.server.activateAccount", { auth: true });
+	}
+	/**
+	* Deactivate account to disable writes
+	*/
+	async deactivateAccount() {
+		await this.xrpc("POST", "com.atproto.server.deactivateAccount", { auth: true });
+	}
+	/**
+	* Check if the PDS is reachable
+	*/
+	async healthCheck() {
+		try {
+			return (await fetch(new URL("/xrpc/_health", this.baseUrl).toString())).ok;
+		} catch {
+			return false;
+		}
+	}
+};
+
+//#endregion
+//#region src/cli/commands/migrate.ts
+function detectPackageManager() {
+	const userAgent = process.env.npm_config_user_agent || "";
+	if (userAgent.startsWith("yarn")) return "yarn";
+	if (userAgent.startsWith("pnpm")) return "pnpm";
+	if (userAgent.startsWith("bun")) return "bun";
+	return "npm";
+}
+const brightNote$1 = (lines) => lines.map((l) => `\x1b[0m${l}`).join("\n");
+/**
+* Format number with commas
+*/
+function num(n) {
+	return n.toLocaleString();
+}
+/**
+* Format bytes to human-readable size
+*/
+function formatBytes(bytes) {
+	if (bytes < 1024) return `${bytes} B`;
+	if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(1)} KB`;
+	return `${(bytes / (1024 * 1024)).toFixed(1)} MB`;
+}
+const migrateCommand = defineCommand({
+	meta: {
+		name: "migrate",
+		description: "Migrate account from source PDS to your new PDS"
+	},
+	args: {
+		clean: {
+			type: "boolean",
+			description: "Reset migration and start fresh",
+			default: false
+		},
+		dev: {
+			type: "boolean",
+			description: "Target local development server instead of production",
+			default: false
+		}
+	},
+	async run({ args }) {
+		const packageManager = detectPackageManager();
+		const pm = packageManager === "npm" ? "npm run" : packageManager;
+		const isDev = args.dev;
+		const vars = getVars();
+		let targetUrl;
+		try {
+			targetUrl = getTargetUrl(isDev, vars.PDS_HOSTNAME);
+		} catch (err) {
+			p.log.error(err instanceof Error ? err.message : "Configuration error");
+			p.log.info("Run 'pds init' first to configure your PDS.");
+			process.exit(1);
+		}
+		const targetDomain = getDomain(targetUrl);
+		p.intro("🦋 PDS Migration");
+		const spinner = p.spinner();
+		spinner.start(`Checking PDS at ${targetDomain}...`);
+		const targetClient = new PDSClient(targetUrl);
+		if (!await targetClient.healthCheck()) {
+			spinner.stop(`PDS not responding at ${targetDomain}`);
+			if (isDev) {
+				p.log.error(`Your local PDS isn't running at ${targetUrl}`);
+				p.log.info(`Start it with: ${pm} dev`);
+			} else {
+				p.log.error(`Your PDS isn't responding at ${targetUrl}`);
+				p.log.info("Make sure your worker is deployed: wrangler deploy");
+				p.log.info(`Or test locally first: ${pm} pds migrate --dev`);
+			}
+			p.outro("Migration cancelled.");
+			process.exit(1);
+		}
+		spinner.stop(`Connected to ${targetDomain}`);
+		const wranglerVars = getVars();
+		const config = {
+			...readDevVars(),
+			...wranglerVars
+		};
+		const did = config.DID;
+		const handle = config.HANDLE;
+		const authToken = config.AUTH_TOKEN;
+		if (!did) {
+			p.log.error("No DID configured. Run 'pds init' first.");
+			p.outro("Migration cancelled.");
+			process.exit(1);
+		}
+		if (!authToken) {
+			p.log.error("No AUTH_TOKEN found. Run 'pds init' first.");
+			p.outro("Migration cancelled.");
+			process.exit(1);
+		}
+		targetClient.setAuthToken(authToken);
+		spinner.start(`Looking up @${handle}...`);
+		const didDoc = await new DidResolver().resolve(did);
+		if (!didDoc) {
+			spinner.stop("Failed to resolve DID");
+			p.log.error(`Could not resolve DID: ${did}`);
+			p.outro("Migration cancelled.");
+			process.exit(1);
+		}
+		const sourcePdsUrl = getPdsEndpoint(didDoc);
+		if (!sourcePdsUrl) {
+			spinner.stop("No PDS found in DID document");
+			p.log.error("Could not find PDS endpoint in DID document");
+			p.outro("Migration cancelled.");
+			process.exit(1);
+		}
+		const sourceDomain = getDomain(sourcePdsUrl);
+		spinner.stop(`Found your account at ${sourceDomain}`);
+		spinner.start("Checking account status...");
+		const pdsDisplayName = sourceDomain.endsWith(".bsky.network") ? "bsky.social" : sourceDomain;
+		let status;
+		try {
+			status = await targetClient.getAccountStatus();
+		} catch (err) {
+			spinner.stop("Failed to get account status");
+			p.log.error(err instanceof Error ? err.message : "Could not get account status");
+			p.outro("Migration cancelled.");
+			process.exit(1);
+		}
+		spinner.stop("Account status retrieved");
+		if (args.clean) {
+			if (status.active) {
+				p.log.error("Cannot reset: account is active");
+				p.log.info("The --clean flag only works on deactivated accounts.");
+				p.log.info("Your account is already live");
+				p.log.info("");
+				p.log.info("If you need to re-import, first deactivate:");
+				p.log.info("  pnpm pds deactivate");
+				p.outro("Migration cancelled.");
+				process.exit(1);
+			}
+			p.note(brightNote$1([
+				pc.bold("This will permanently delete from your new PDS:"),
+				"",
+				`  • ${num(status.repoBlocks)} repository blocks`,
+				`  • ${num(status.importedBlobs)} imported images`,
+				"  • All blob tracking data",
+				"",
+				pc.bold(`Your data on ${pdsDisplayName} is NOT affected.`),
+				"You'll need to re-import everything."
+			]), "⚠️  Reset Migration Data");
+			const confirmReset = await p.confirm({
+				message: "Are you sure you want to delete this data?",
+				initialValue: false
+			});
+			if (p.isCancel(confirmReset) || !confirmReset) {
+				p.cancel("Keeping your data.");
+				process.exit(0);
+			}
+			spinner.start("Resetting migration state...");
+			try {
+				const result = await targetClient.resetMigration();
+				spinner.stop(`Deleted ${num(result.blocksDeleted)} blocks, ${num(result.blobsCleared)} blobs`);
+			} catch (err) {
+				spinner.stop("Reset failed");
+				p.log.error(err instanceof Error ? err.message : "Could not reset migration");
+				p.outro("Migration cancelled.");
+				process.exit(1);
+			}
+			p.log.success("Clean slate! Starting fresh migration...");
+			status = await targetClient.getAccountStatus();
+		}
+		if (status.active) {
+			p.log.warn(`Your account is already active at ${targetDomain}!`);
+			p.log.info("No migration needed - your PDS is live.");
+			p.outro("All good!");
+			return;
+		}
+		spinner.start(`Fetching your account details from ${pdsDisplayName}...`);
+		const sourceClient = new PDSClient(sourcePdsUrl);
+		try {
+			await sourceClient.describeRepo(did);
+		} catch (err) {
+			spinner.stop("Failed to fetch account details");
+			p.log.error(err instanceof Error ? err.message : "Could not fetch account details from source PDS");
+			p.outro("Migration cancelled.");
+			process.exit(1);
+		}
+		const profileStats = await sourceClient.getProfileStats(did);
+		spinner.stop("Account details fetched");
+		const needsRepoImport = status.repoBlocks === 0 || status.indexedRecords === 0 && status.expectedBlobs === 0;
+		const needsBlobSync = status.expectedBlobs - status.importedBlobs > 0 || needsRepoImport;
+		if (!needsRepoImport && needsBlobSync) {
+			p.log.info("Welcome back!");
+			p.log.info("Looks like you started packing earlier. Let's pick up where we left off.");
+			p.note([
+				`@${handle} (${did.slice(0, 20)}...)`,
+				"",
+				"✓ Repository imported",
+				`◐ Media: ${num(status.importedBlobs)}/${num(status.expectedBlobs)} images and videos transferred`
+			].join("\n"), "Migration Progress");
+			const continueTransfer = await p.confirm({
+				message: "Continue transferring images and video?",
+				initialValue: true
+			});
+			if (p.isCancel(continueTransfer) || !continueTransfer) {
+				p.cancel("Migration paused.");
+				process.exit(0);
+			}
+		} else if (needsRepoImport) {
+			p.log.info("Time to pack your bags!");
+			p.log.info("Let's clone your account to its new home in the Atmosphere.");
+			const statsLines = profileStats ? [
+				`  📝 ${num(profileStats.postsCount)} posts`,
+				`  👥 ${num(profileStats.followsCount)} follows`,
+				`  ...plus all your images, likes and preferences`
+			] : [`  📝 Posts, follows, images, likes and preferences`];
+			p.note(brightNote$1([
+				pc.bold(`@${handle}`) + ` (${did.slice(0, 20)}...)`,
+				"",
+				`Currently at:  ${sourceDomain}`,
+				`Moving to:     ${targetDomain}`,
+				"",
+				"What you're bringing:",
+				...statsLines
+			]), "Your Bluesky Account 🦋");
+			p.log.info(`This will copy your data - nothing is changed or deleted on your current PDS.`);
+			const proceed = await p.confirm({
+				message: "Ready to start moving?",
+				initialValue: true
+			});
+			if (p.isCancel(proceed) || !proceed) {
+				p.cancel("Migration cancelled.");
+				process.exit(0);
+			}
+		} else {
+			p.log.success("Everything looks good!");
+			showNextSteps(pm, pdsDisplayName);
+			p.outro("Welcome to your new home in the Atmosphere! 🦋");
+			return;
+		}
+		const password = await p.password({ message: `Your password for ${pdsDisplayName}:` });
+		if (p.isCancel(password)) {
+			p.cancel("Migration cancelled.");
+			process.exit(0);
+		}
+		spinner.start(`Logging in to ${pdsDisplayName}...`);
+		try {
+			const session = await sourceClient.createSession(did, password);
+			sourceClient.setAuthToken(session.accessJwt);
+			spinner.stop("Authenticated successfully");
+		} catch (err) {
+			spinner.stop("Login failed");
+			if (err instanceof PDSClientError) p.log.error(`Authentication failed: ${err.message}`);
+			else p.log.error(err instanceof Error ? err.message : "Authentication failed");
+			p.outro("Migration cancelled.");
+			process.exit(1);
+		}
+		if (needsRepoImport) {
+			spinner.start(`Exporting your repository from ${pdsDisplayName}...`);
+			let carBytes;
+			try {
+				carBytes = await sourceClient.getRepo(did);
+				spinner.stop(`Downloaded ${formatBytes(carBytes.length)} from ${sourceDomain}`);
+			} catch (err) {
+				spinner.stop("Export failed");
+				p.log.error(err instanceof Error ? err.message : "Could not export repository");
+				p.outro("Migration cancelled.");
+				process.exit(1);
+			}
+			spinner.start(`Importing to ${targetDomain}...`);
+			try {
+				await targetClient.importRepo(carBytes);
+				spinner.stop("Repository imported");
+			} catch (err) {
+				spinner.stop("Import failed");
+				p.log.error(err instanceof Error ? err.message : "Could not import repository");
+				p.outro("Migration cancelled.");
+				process.exit(1);
+			}
+			status = await targetClient.getAccountStatus();
+		}
+		spinner.start("Migrating your preferences...");
+		try {
+			const preferences = await sourceClient.getPreferences();
+			if (preferences.length > 0) {
+				await targetClient.putPreferences(preferences);
+				spinner.stop(`Migrated ${preferences.length} preference${preferences.length === 1 ? "" : "s"}`);
+			} else spinner.stop("No preferences to migrate");
+		} catch (err) {
+			spinner.stop("Skipped preferences (not available)");
+		}
+		if (status.expectedBlobs - status.importedBlobs > 0) {
+			let synced = 0;
+			let totalBlobs = 0;
+			let cursor;
+			let failedBlobs = [];
+			const progressBar = (current, total) => {
+				const width = 20;
+				const ratio = total > 0 ? Math.min(1, current / total) : 0;
+				const filled = Math.round(ratio * width);
+				const empty = width - filled;
+				return `${"█".repeat(filled)}${"░".repeat(empty)} ${current}/${total}`;
+			};
+			spinner.start("Counting images to transfer...");
+			let countCursor;
+			do {
+				const page = await targetClient.listMissingBlobs(500, countCursor);
+				totalBlobs += page.blobs.length;
+				countCursor = page.cursor;
+			} while (countCursor);
+			spinner.message(`Transferring media ${progressBar(0, totalBlobs)}`);
+			do {
+				const page = await targetClient.listMissingBlobs(100, cursor);
+				cursor = page.cursor;
+				for (const blob of page.blobs) try {
+					const { bytes, mimeType } = await sourceClient.getBlob(did, blob.cid);
+					await targetClient.uploadBlob(bytes, mimeType);
+					synced++;
+					spinner.message(`Transferring media ${progressBar(synced, totalBlobs)}`);
+				} catch (err) {
+					synced++;
+					failedBlobs.push(blob.cid);
+					spinner.message(`Transferring media ${progressBar(synced, totalBlobs)}`);
+				}
+			} while (cursor);
+			if (failedBlobs.length > 0) {
+				spinner.stop(`Transferred ${num(synced - failedBlobs.length)} images and videos (${failedBlobs.length} failed)`);
+				p.log.warn(`Run 'pds migrate' again to retry failed transfers.`);
+			} else spinner.stop(`Transferred ${num(synced)} images and videos`);
+		}
+		spinner.start("Verifying migration...");
+		const finalStatus = await targetClient.getAccountStatus();
+		spinner.stop("Verification complete");
+		if (finalStatus.importedBlobs >= finalStatus.expectedBlobs) p.log.success("All packed and moved!");
+		else {
+			p.log.warn(`Migration partially complete. ${finalStatus.expectedBlobs - finalStatus.importedBlobs} images remaining.`);
+			p.log.info("Run 'pds migrate' again to continue.");
+		}
+		showNextSteps(pm, pdsDisplayName);
+		p.outro("Welcome to your new home in the Atmosphere! 🦋");
+	}
+});
+function showNextSteps(pm, sourceDomain) {
+	p.note(brightNote$1([
+		pc.bold("Your data is safe in your new PDS."),
+		"Two more steps to go live:",
+		"",
+		pc.bold("1. Update your identity"),
+		"   Tell the network where you live now.",
+		`   (Requires email verification from ${sourceDomain})`,
+		"",
+		pc.bold("2. Flip the switch"),
+		`   ${pm} pds activate`,
+		"",
+		"Docs: https://atproto.com/guides/account-migration"
+	]), "Almost there!");
+}
+
+//#endregion
+//#region src/cli/commands/activate.ts
+/**
+* Activate account command - enables writes after migration
+*/
+const activateCommand = defineCommand({
+	meta: {
+		name: "activate",
+		description: "Activate your account to enable writes and go live"
+	},
+	args: { dev: {
+		type: "boolean",
+		description: "Target local development server instead of production",
+		default: false
+	} },
+	async run({ args }) {
+		const isDev = args.dev;
+		p.intro("🦋 Activate Account");
+		const vars = getVars();
+		let targetUrl;
+		try {
+			targetUrl = getTargetUrl(isDev, vars.PDS_HOSTNAME);
+		} catch (err) {
+			p.log.error(err instanceof Error ? err.message : "Configuration error");
+			p.log.info("Run 'pds init' first to configure your PDS.");
+			process.exit(1);
+		}
+		const targetDomain = getDomain(targetUrl);
+		const wranglerVars = getVars();
+		const config = {
+			...readDevVars(),
+			...wranglerVars
+		};
+		const authToken = config.AUTH_TOKEN;
+		const handle = config.HANDLE;
+		if (!authToken) {
+			p.log.error("No AUTH_TOKEN found. Run 'pds init' first.");
+			p.outro("Activation cancelled.");
+			process.exit(1);
+		}
+		const client = new PDSClient(targetUrl, authToken);
+		const spinner = p.spinner();
+		spinner.start(`Checking PDS at ${targetDomain}...`);
+		if (!await client.healthCheck()) {
+			spinner.stop(`PDS not responding at ${targetDomain}`);
+			p.log.error(`Your PDS isn't responding at ${targetUrl}`);
+			if (!isDev) p.log.info("Make sure your worker is deployed: wrangler deploy");
+			p.outro("Activation cancelled.");
+			process.exit(1);
+		}
+		spinner.stop(`Connected to ${targetDomain}`);
+		spinner.start("Checking account status...");
+		const status = await client.getAccountStatus();
+		spinner.stop("Account status retrieved");
+		if (status.active) {
+			p.log.warn("Your account is already active!");
+			p.log.info("No action needed - you're live in the Atmosphere. 🦋");
+			p.outro("All good!");
+			return;
+		}
+		p.note([
+			`@${handle || "your-handle"}`,
+			"",
+			"This will enable writes and make your account live.",
+			"Make sure you've:",
+			"  ✓ Updated your DID document to point here",
+			"  ✓ Completed email verification (if required)"
+		].join("\n"), "Ready to go live?");
+		const confirm = await p.confirm({
+			message: "Activate account?",
+			initialValue: true
+		});
+		if (p.isCancel(confirm) || !confirm) {
+			p.cancel("Activation cancelled.");
+			process.exit(0);
+		}
+		spinner.start("Activating account...");
+		try {
+			await client.activateAccount();
+			spinner.stop("Account activated!");
+		} catch (err) {
+			spinner.stop("Activation failed");
+			p.log.error(err instanceof Error ? err.message : "Could not activate account");
+			p.outro("Activation failed.");
+			process.exit(1);
+		}
+		p.log.success("Welcome to the Atmosphere! 🦋");
+		p.log.info("Your account is now live and accepting writes.");
+		p.outro("All set!");
+	}
+});
+
+//#endregion
+//#region src/cli/commands/deactivate.ts
+/**
+* Deactivate account command - disables writes for re-import
+*/
+const brightNote = (lines) => lines.map((l) => `\x1b[0m${l}`).join("\n");
+const bold = (text) => pc.bold(text);
+const deactivateCommand = defineCommand({
+	meta: {
+		name: "deactivate",
+		description: "Deactivate your account to enable re-import"
+	},
+	args: { dev: {
+		type: "boolean",
+		description: "Target local development server instead of production",
+		default: false
+	} },
+	async run({ args }) {
+		const isDev = args.dev;
+		p.intro("🦋 Deactivate Account");
+		const vars = getVars();
+		let targetUrl;
+		try {
+			targetUrl = getTargetUrl(isDev, vars.PDS_HOSTNAME);
+		} catch (err) {
+			p.log.error(err instanceof Error ? err.message : "Configuration error");
+			p.log.info("Run 'pds init' first to configure your PDS.");
+			process.exit(1);
+		}
+		const targetDomain = getDomain(targetUrl);
+		const wranglerVars = getVars();
+		const config = {
+			...readDevVars(),
+			...wranglerVars
+		};
+		const authToken = config.AUTH_TOKEN;
+		const handle = config.HANDLE;
+		if (!authToken) {
+			p.log.error("No AUTH_TOKEN found. Run 'pds init' first.");
+			p.outro("Deactivation cancelled.");
+			process.exit(1);
+		}
+		const client = new PDSClient(targetUrl, authToken);
+		const spinner = p.spinner();
+		spinner.start(`Checking PDS at ${targetDomain}...`);
+		if (!await client.healthCheck()) {
+			spinner.stop(`PDS not responding at ${targetDomain}`);
+			p.log.error(`Your PDS isn't responding at ${targetUrl}`);
+			if (!isDev) p.log.info("Make sure your worker is deployed: wrangler deploy");
+			p.outro("Deactivation cancelled.");
+			process.exit(1);
+		}
+		spinner.stop(`Connected to ${targetDomain}`);
+		spinner.start("Checking account status...");
+		const status = await client.getAccountStatus();
+		spinner.stop("Account status retrieved");
+		if (!status.active) {
+			p.log.warn("Your account is already deactivated.");
+			p.log.info("Writes are disabled. Use 'pds activate' to re-enable.");
+			p.outro("Already deactivated.");
+			return;
+		}
+		p.note(brightNote([
+			bold(`⚠️  WARNING: This will disable writes for @${handle || "your-handle"}`),
+			"",
+			"Your account will:",
+			"  • Stop accepting new posts, follows, and other writes",
+			"  • Remain readable in the Atmosphere",
+			"  • Allow you to use 'pds migrate --clean' to re-import",
+			"",
+			bold("Only deactivate if you need to re-import your data.")
+		]), "Deactivate Account");
+		const confirm = await p.confirm({
+			message: "Are you sure you want to deactivate?",
+			initialValue: false
+		});
+		if (p.isCancel(confirm) || !confirm) {
+			p.cancel("Deactivation cancelled.");
+			process.exit(0);
+		}
+		spinner.start("Deactivating account...");
+		try {
+			await client.deactivateAccount();
+			spinner.stop("Account deactivated");
+		} catch (err) {
+			spinner.stop("Deactivation failed");
+			p.log.error(err instanceof Error ? err.message : "Could not deactivate account");
+			p.outro("Deactivation failed.");
+			process.exit(1);
+		}
+		p.log.success("Account deactivated");
+		p.log.info("Writes are now disabled.");
+		p.log.info("");
+		p.log.info("To re-import your data:");
+		p.log.info("  pnpm pds migrate --clean");
+		p.log.info("");
+		p.log.info("To re-enable writes:");
+		p.log.info("  pnpm pds activate");
+		p.outro("Deactivated.");
+	}
+});
+
+//#endregion
+//#region src/cli/index.ts
+/**
+* PDS CLI - Setup and management for AT Protocol PDS on Cloudflare Workers
+*/
+runMain(defineCommand({
+	meta: {
+		name: "pds",
+		version: "0.0.0",
+		description: "AT Protocol PDS setup and management CLI"
+	},
+	subCommands: {
+		init: initCommand,
+		secret: secretCommand,
+		migrate: migrateCommand,
+		activate: activateCommand,
+		deactivate: deactivateCommand
+	}
+}));
+
+//#endregion
+export {  };