@getcirrus/pds 0.2.5 → 0.3.0

package/dist/cli.js

@@ -8,9 +8,10 @@ import { spawn } from "node:child_process";
 import { experimental_patchConfig, experimental_readRawConfig } from "wrangler";
 import { existsSync, readFileSync, writeFileSync } from "node:fs";
 import { resolve } from "node:path";
-import { AtprotoDohHandleResolver } from "@atproto-labs/handle-resolver";
-import { check, didDocument, getPdsEndpoint } from "@atproto/common-web";
+import { CompositeDidDocumentResolver, DohJsonHandleResolver, PlcDidDocumentResolver, WebDidDocumentResolver } from "@atcute/identity-resolver";
 import pc from "picocolors";
+import { Client, ClientResponseError, ok } from "@atcute/client";
+import { getPdsEndpoint } from "@atcute/identity";
 
 //#region src/cli/utils/wrangler.ts
 /**
@@ -77,6 +78,85 @@ async function setSecret(name, value) {
 		child.on("error", reject);
 	});
 }
+/**
+* Get account_id from wrangler config
+*/
+function getAccountId() {
+	const { rawConfig } = experimental_readRawConfig({});
+	return rawConfig.account_id;
+}
+/**
+* Set account_id in wrangler config
+*/
+function setAccountId(accountId) {
+	const { configPath } = experimental_readRawConfig({});
+	if (!configPath) throw new Error("No wrangler config found");
+	experimental_patchConfig(configPath, { account_id: accountId });
+}
+/**
+* Set custom domain routes in wrangler config
+*/
+function setCustomDomains(domains) {
+	const { configPath } = experimental_readRawConfig({});
+	if (!configPath) throw new Error("No wrangler config found");
+	experimental_patchConfig(configPath, { routes: domains.map((pattern) => ({
+		pattern,
+		custom_domain: true
+	})) });
+}
+/**
+* Detect available Cloudflare accounts by running wrangler whoami.
+* Returns array of accounts if multiple found, null if single account or already configured.
+*/
+async function detectCloudflareAccounts() {
+	if (getAccountId()) return null;
+	const { stdout, stderr } = await runWranglerWithOutput(["whoami"]);
+	const output = stdout + stderr;
+	const accounts = [];
+	const regex = /│\s*([^│]+?)\s*│\s*([a-f0-9]{32})\s*│/g;
+	let match;
+	while ((match = regex.exec(output)) !== null) {
+		const name = match[1]?.trim();
+		const id = match[2];
+		if (name && id && name !== "Account Name") accounts.push({
+			name,
+			id
+		});
+	}
+	return accounts.length > 1 ? accounts : null;
+}
+/**
+* Run a wrangler command and capture output
+*/
+function runWranglerWithOutput(args) {
+	return new Promise((resolve$1) => {
+		const child = spawn("wrangler", args, { stdio: [
+			"pipe",
+			"pipe",
+			"pipe"
+		] });
+		let stdout = "";
+		let stderr = "";
+		child.stdout?.on("data", (data) => {
+			stdout += data.toString();
+		});
+		child.stderr?.on("data", (data) => {
+			stderr += data.toString();
+		});
+		child.on("close", () => {
+			resolve$1({
+				stdout,
+				stderr
+			});
+		});
+		child.on("error", () => {
+			resolve$1({
+				stdout,
+				stderr
+			});
+		});
+	});
+}
 
 //#endregion
 //#region src/cli/utils/dotenv.ts
@@ -395,13 +475,32 @@ function getDomain(url) {
 		return url;
 	}
 }
+/**
+* Detect which package manager is being used based on npm_config_user_agent
+*/
+function detectPackageManager() {
+	const userAgent = process.env.npm_config_user_agent || "";
+	if (userAgent.startsWith("yarn")) return "yarn";
+	if (userAgent.startsWith("pnpm")) return "pnpm";
+	if (userAgent.startsWith("bun")) return "bun";
+	return "npm";
+}
+/**
+* Format a command for the detected package manager
+* npm always needs "run" for scripts, pnpm/yarn/bun can use shorthand
+* except for "deploy" which conflicts with pnpm's built-in deploy command
+*/
+function formatCommand(pm, ...args) {
+	if (pm === "npm" || args[0] === "deploy") return `${pm} run ${args.join(" ")}`;
+	return `${pm} ${args.join(" ")}`;
+}
 
 //#endregion
 //#region src/cli/utils/handle-resolver.ts
 /**
 * Utilities for resolving AT Protocol handles to DIDs
 */
-const resolver = new AtprotoDohHandleResolver({ dohEndpoint: "https://cloudflare-dns.com/dns-query" });
+const resolver = new DohJsonHandleResolver({ dohUrl: "https://cloudflare-dns.com/dns-query" });
 /**
 * Resolve a handle to a DID using the AT Protocol handle resolution methods.
 * Uses DNS-over-HTTPS via Cloudflare for DNS resolution.
@@ -409,7 +508,7 @@ const resolver = new AtprotoDohHandleResolver({ dohEndpoint: "https://cloudflare
 async function resolveHandleToDid(handle) {
 	try {
 		return await resolver.resolve(handle, { signal: AbortSignal.timeout(1e4) });
-	} catch (err) {
+	} catch {
 		return null;
 	}
 }
@@ -419,20 +518,31 @@ async function resolveHandleToDid(handle) {
 /**
 * DID resolution for Cloudflare Workers
 *
-* We can't use @atproto/identity directly because it uses `redirect: "error"`
-* which Cloudflare Workers doesn't support. This is a simple implementation
-* that's compatible with Workers.
+* Uses @atcute/identity-resolver which is already Workers-compatible
+* (uses redirect: "manual" internally).
 */
 const PLC_DIRECTORY = "https://plc.directory";
 const TIMEOUT_MS = 3e3;
+/**
+* Wrapper that always uses globalThis.fetch so it can be mocked in tests.
+* @atcute resolvers capture the fetch reference at construction time,
+* so we need this indirection to allow test mocking.
+*/
+const stubbableFetch = (input, init) => globalThis.fetch(input, init);
 var DidResolver = class {
-	plcUrl;
+	resolver;
 	timeout;
 	cache;
 	constructor(opts = {}) {
-		this.plcUrl = opts.plcUrl ?? PLC_DIRECTORY;
 		this.timeout = opts.timeout ?? TIMEOUT_MS;
 		this.cache = opts.didCache;
+		this.resolver = new CompositeDidDocumentResolver({ methods: {
+			plc: new PlcDidDocumentResolver({
+				apiUrl: opts.plcUrl ?? PLC_DIRECTORY,
+				fetch: stubbableFetch
+			}),
+			web: new WebDidDocumentResolver({ fetch: stubbableFetch })
+		} });
 	}
 	async resolve(did) {
 		if (this.cache) {
@@ -448,57 +558,18 @@ var DidResolver = class {
 		return doc;
 	}
 	async resolveNoCache(did) {
-		if (did.startsWith("did:web:")) return this.resolveDidWeb(did);
-		if (did.startsWith("did:plc:")) return this.resolveDidPlc(did);
-		throw new Error(`Unsupported DID method: ${did}`);
-	}
-	async resolveDidWeb(did) {
-		const parts = did.split(":").slice(2);
-		if (parts.length === 0) throw new Error(`Invalid did:web format: ${did}`);
-		if (parts.length > 1) throw new Error(`Unsupported did:web with path: ${did}`);
-		const domain = decodeURIComponent(parts[0]);
-		const url = new URL(`https://${domain}/.well-known/did.json`);
-		if (url.hostname === "localhost") url.protocol = "http:";
 		const controller = new AbortController();
 		const timeoutId = setTimeout(() => controller.abort(), this.timeout);
 		try {
-			const res = await fetch(url.toString(), {
-				signal: controller.signal,
-				redirect: "manual",
-				headers: { accept: "application/did+ld+json,application/json" }
-			});
-			if (res.status >= 300 && res.status < 400) return null;
-			if (!res.ok) return null;
-			const doc = await res.json();
-			return this.validateDidDoc(did, doc);
-		} finally {
-			clearTimeout(timeoutId);
-		}
-	}
-	async resolveDidPlc(did) {
-		const url = new URL(`/${encodeURIComponent(did)}`, this.plcUrl);
-		const controller = new AbortController();
-		const timeoutId = setTimeout(() => controller.abort(), this.timeout);
-		try {
-			const res = await fetch(url.toString(), {
-				signal: controller.signal,
-				redirect: "manual",
-				headers: { accept: "application/did+ld+json,application/json" }
-			});
-			if (res.status >= 300 && res.status < 400) return null;
-			if (res.status === 404) return null;
-			if (!res.ok) throw new Error(`PLC directory error: ${res.status} ${res.statusText}`);
-			const doc = await res.json();
-			return this.validateDidDoc(did, doc);
+			const doc = await this.resolver.resolve(did, { signal: controller.signal });
+			if (doc.id !== did) return null;
+			return doc;
+		} catch {
+			return null;
 		} finally {
 			clearTimeout(timeoutId);
 		}
 	}
-	validateDidDoc(did, doc) {
-		if (!check.is(doc, didDocument)) return null;
-		if (doc.id !== did) return null;
-		return doc;
-	}
 };
 
 //#endregion
@@ -530,6 +601,31 @@ async function promptWorkerName(handle, currentWorkerName) {
 	});
 }
 /**
+* Ensure a Cloudflare account_id is configured.
+* If multiple accounts detected, prompts user to select one.
+*/
+async function ensureAccountConfigured() {
+	const spinner = p.spinner();
+	spinner.start("Checking Cloudflare account...");
+	const accounts = await detectCloudflareAccounts();
+	if (accounts === null) {
+		spinner.stop("Cloudflare account configured");
+		return;
+	}
+	spinner.stop(`Found ${accounts.length} Cloudflare accounts`);
+	const selectedId = await promptSelect({
+		message: "Select your Cloudflare account:",
+		options: accounts.map((acc) => ({
+			value: acc.id,
+			label: acc.name,
+			hint: acc.id.slice(0, 8) + "..."
+		}))
+	});
+	setAccountId(selectedId);
+	const selectedName = accounts.find((a) => a.id === selectedId)?.name;
+	p.log.success(`Account "${selectedName}" saved to wrangler.jsonc`);
+}
+/**
 * Run wrangler types to regenerate TypeScript types
 */
 function runWranglerTypes() {
@@ -563,6 +659,7 @@ const initCommand = defineCommand({
 		default: false
 	} },
 	async run({ args }) {
+		const pm = detectPackageManager();
 		p.intro("🦋 PDS Setup");
 		const isProduction = args.production;
 		if (isProduction) p.log.info("Production mode: secrets will be deployed to Cloudflare");
@@ -674,6 +771,7 @@ const initCommand = defineCommand({
 			});
 			workerName = await promptWorkerName(handle, currentWorkerName);
 			initialActive = "false";
+			await ensureAccountConfigured();
 		} else {
 			p.log.info("A fresh start in the Atmosphere! ✨");
 			hostname = await promptText({
@@ -700,6 +798,7 @@ const initCommand = defineCommand({
 			});
 			workerName = await promptWorkerName(handle, currentWorkerName);
 			initialActive = "true";
+			await ensureAccountConfigured();
 			if (handle === hostname) p.note([
 				"Your handle matches your PDS hostname, so your PDS will",
 				"automatically handle domain verification for you!",
@@ -760,6 +859,7 @@ const initCommand = defineCommand({
 			SIGNING_KEY_PUBLIC: signingKeyPublic,
 			INITIAL_ACTIVE: initialActive
 		});
+		setCustomDomains([hostname]);
 		spinner.stop("wrangler.jsonc updated");
 		const local = !isProduction;
 		if (isProduction) spinner.start("Deploying secrets to Cloudflare...");
@@ -807,19 +907,19 @@ const initCommand = defineCommand({
 		if (isMigrating) p.note([
 			deployedSecrets ? "Deploy your worker and run the migration:" : "Push secrets, deploy, and run the migration:",
 			"",
-			...deployedSecrets ? [] : ["  pnpm pds init --production", ""],
-			"  wrangler deploy",
-			"  pnpm pds migrate",
+			...deployedSecrets ? [] : [`  ${formatCommand(pm, "pds", "init", "--production")}`, ""],
+			`  ${formatCommand(pm, "deploy")}`,
+			`  ${formatCommand(pm, "pds", "migrate")}`,
 			"",
 			"To test locally first:",
-			"  pnpm dev              # in one terminal",
-			"  pnpm pds migrate --dev  # in another",
+			`  ${formatCommand(pm, "dev")}              # in one terminal`,
+			`  ${formatCommand(pm, "pds", "migrate", "--dev")}  # in another`,
 			"",
 			"Then update your identity and flip the switch! 🦋",
 			"  https://atproto.com/guides/account-migration"
 		].join("\n"), "Next Steps 🧳");
-		if (deployedSecrets) p.outro("Run 'wrangler deploy' to launch your PDS! 🚀");
-		else p.outro("Run 'pnpm dev' to start your PDS locally! 🦋");
+		if (deployedSecrets) p.outro(`Run '${formatCommand(pm, "deploy")}' to launch your PDS! 🚀`);
+		else p.outro(`Run '${formatCommand(pm, "dev")}' to start your PDS locally! 🦋`);
 	}
 });
 /**
@@ -837,85 +937,53 @@ async function getOrGenerateSecret(name, devVars, generate) {
 
 //#endregion
 //#region src/cli/utils/pds-client.ts
-var PDSClientError = class extends Error {
-	constructor(status, error, message) {
-		super(message);
-		this.status = status;
-		this.error = error;
-		this.name = "PDSClientError";
-	}
-};
+/**
+* HTTP client for AT Protocol PDS XRPC endpoints
+* Uses @atcute/client for type-safe XRPC calls
+*/
+/**
+* Create a fetch handler that adds optional auth token
+*/
+function createAuthHandler(baseUrl, token) {
+	return async (pathname, init) => {
+		const url = new URL(pathname, baseUrl);
+		const headers = new Headers(init.headers);
+		if (token) headers.set("Authorization", `Bearer ${token}`);
+		return fetch(url, {
+			...init,
+			headers
+		});
+	};
+}
 var PDSClient = class {
+	client;
 	authToken;
 	constructor(baseUrl, authToken) {
 		this.baseUrl = baseUrl;
 		this.authToken = authToken;
+		this.client = new Client({ handler: createAuthHandler(baseUrl, authToken) });
 	}
 	/**
 	* Set the auth token for subsequent requests
 	*/
 	setAuthToken(token) {
 		this.authToken = token;
-	}
-	/**
-	* Make an XRPC request
-	*/
-	async xrpc(method, endpoint, options = {}) {
-		const url = new URL(`/xrpc/${endpoint}`, this.baseUrl);
-		if (options.params) for (const [key, value] of Object.entries(options.params)) url.searchParams.set(key, value);
-		const headers = {};
-		if (options.auth && this.authToken) headers["Authorization"] = `Bearer ${this.authToken}`;
-		if (options.contentType) headers["Content-Type"] = options.contentType;
-		else if (options.body && !(options.body instanceof Uint8Array)) headers["Content-Type"] = "application/json";
-		const res = await fetch(url.toString(), {
-			method,
-			headers,
-			body: options.body ? options.body instanceof Uint8Array ? options.body : JSON.stringify(options.body) : void 0
-		});
-		if (!res.ok) {
-			const errorBody = await res.json().catch(() => ({}));
-			throw new PDSClientError(res.status, errorBody.error ?? "Unknown", errorBody.message ?? `Request failed: ${res.status}`);
-		}
-		if ((res.headers.get("content-type") ?? "").includes("application/json")) return res.json();
-		return {};
-	}
-	/**
-	* Make a raw request that returns bytes
-	*/
-	async xrpcBytes(method, endpoint, options = {}) {
-		const url = new URL(`/xrpc/${endpoint}`, this.baseUrl);
-		if (options.params) for (const [key, value] of Object.entries(options.params)) url.searchParams.set(key, value);
-		const headers = {};
-		if (options.auth && this.authToken) headers["Authorization"] = `Bearer ${this.authToken}`;
-		if (options.contentType) headers["Content-Type"] = options.contentType;
-		const res = await fetch(url.toString(), {
-			method,
-			headers,
-			body: options.body
-		});
-		if (!res.ok) {
-			const errorBody = await res.json().catch(() => ({}));
-			throw new PDSClientError(res.status, errorBody.error ?? "Unknown", errorBody.message ?? `Request failed: ${res.status}`);
-		}
-		return {
-			bytes: new Uint8Array(await res.arrayBuffer()),
-			mimeType: res.headers.get("content-type") ?? "application/octet-stream"
-		};
+		this.client = new Client({ handler: createAuthHandler(this.baseUrl, token) });
 	}
 	/**
 	* Create a session with identifier and password
 	*/
 	async createSession(identifier, password) {
-		return this.xrpc("POST", "com.atproto.server.createSession", { body: {
+		return ok(this.client.post("com.atproto.server.createSession", { input: {
 			identifier,
 			password
-		} });
+		} }));
 	}
 	/**
 	* Get repository description including collections
 	*/
 	async describeRepo(did) {
-		return this.xrpc("GET", "com.atproto.repo.describeRepo", { params: { repo: did } });
+		return ok(this.client.get("com.atproto.repo.describeRepo", { params: { repo: did } }));
 	}
 	/**
 	* Get profile stats from AppView (posts, follows, followers counts)
@@ -938,96 +1006,199 @@ var PDSClient = class {
 	* Export repository as CAR file
 	*/
 	async getRepo(did) {
-		const { bytes } = await this.xrpcBytes("GET", "com.atproto.sync.getRepo", { params: { did } });
-		return bytes;
+		const response = await this.client.get("com.atproto.sync.getRepo", {
+			params: { did },
+			as: "bytes"
+		});
+		if (!response.ok) throw new ClientResponseError({
+			status: response.status,
+			headers: response.headers,
+			data: response.data
+		});
+		return response.data;
 	}
 	/**
 	* Get a blob by CID
 	*/
 	async getBlob(did, cid) {
-		return this.xrpcBytes("GET", "com.atproto.sync.getBlob", { params: {
-			did,
-			cid
-		} });
+		const response = await this.client.get("com.atproto.sync.getBlob", {
+			params: {
+				did,
+				cid
+			},
+			as: "bytes"
+		});
+		if (!response.ok) throw new ClientResponseError({
+			status: response.status,
+			headers: response.headers,
+			data: response.data
+		});
+		return {
+			bytes: response.data,
+			mimeType: response.headers.get("content-type") ?? "application/octet-stream"
+		};
 	}
 	/**
 	* List blobs in repository
 	*/
 	async listBlobs(did, cursor) {
-		const params = { did };
-		if (cursor) params.cursor = cursor;
-		return this.xrpc("GET", "com.atproto.sync.listBlobs", { params });
+		return ok(this.client.get("com.atproto.sync.listBlobs", { params: {
+			did,
+			...cursor && { cursor }
+		} }));
 	}
 	/**
 	* Get user preferences
 	*/
 	async getPreferences() {
-		return (await this.xrpc("GET", "app.bsky.actor.getPreferences", { auth: true })).preferences;
+		return (await ok(this.client.get("app.bsky.actor.getPreferences", { params: {} }))).preferences;
 	}
 	/**
 	* Update user preferences
 	*/
 	async putPreferences(preferences) {
-		await this.xrpc("POST", "app.bsky.actor.putPreferences", {
-			body: { preferences },
-			auth: true
+		const url = new URL("/xrpc/app.bsky.actor.putPreferences", this.baseUrl);
+		const headers = { "Content-Type": "application/json" };
+		if (this.authToken) headers["Authorization"] = `Bearer ${this.authToken}`;
+		const res = await fetch(url.toString(), {
+			method: "POST",
+			headers,
+			body: JSON.stringify({ preferences })
 		});
+		if (!res.ok) {
+			const errorBody = await res.json().catch(() => ({}));
+			throw new ClientResponseError({
+				status: res.status,
+				headers: res.headers,
+				data: {
+					error: errorBody.error ?? "Unknown",
+					message: errorBody.message
+				}
+			});
+		}
 	}
 	/**
 	* Get account status including migration progress
 	*/
 	async getAccountStatus() {
-		return this.xrpc("GET", "com.atproto.server.getAccountStatus", { auth: true });
+		const url = new URL("/xrpc/com.atproto.server.getAccountStatus", this.baseUrl);
+		const headers = {};
+		if (this.authToken) headers["Authorization"] = `Bearer ${this.authToken}`;
+		const res = await fetch(url.toString(), {
+			method: "GET",
+			headers
+		});
+		if (!res.ok) {
+			const errorBody = await res.json().catch(() => ({}));
+			throw new ClientResponseError({
+				status: res.status,
+				headers: res.headers,
+				data: {
+					error: errorBody.error ?? "Unknown",
+					message: errorBody.message
+				}
+			});
+		}
+		return res.json();
 	}
 	/**
 	* Import repository from CAR file
 	*/
 	async importRepo(carBytes) {
-		return this.xrpc("POST", "com.atproto.repo.importRepo", {
-			body: carBytes,
-			contentType: "application/vnd.ipld.car",
-			auth: true
+		const url = new URL("/xrpc/com.atproto.repo.importRepo", this.baseUrl);
+		const headers = { "Content-Type": "application/vnd.ipld.car" };
+		if (this.authToken) headers["Authorization"] = `Bearer ${this.authToken}`;
+		const res = await fetch(url.toString(), {
+			method: "POST",
+			headers,
+			body: carBytes
 		});
+		if (!res.ok) {
+			const errorBody = await res.json().catch(() => ({}));
+			throw new ClientResponseError({
+				status: res.status,
+				headers: res.headers,
+				data: {
+					error: errorBody.error ?? "Unknown",
+					message: errorBody.message
+				}
+			});
+		}
+		return res.json();
 	}
 	/**
 	* List blobs that are missing (referenced but not imported)
 	*/
 	async listMissingBlobs(limit, cursor) {
-		const params = {};
-		if (limit) params.limit = String(limit);
-		if (cursor) params.cursor = cursor;
-		return this.xrpc("GET", "com.atproto.repo.listMissingBlobs", {
-			params,
-			auth: true
-		});
+		return ok(this.client.get("com.atproto.repo.listMissingBlobs", { params: {
+			...limit && { limit },
+			...cursor && { cursor }
+		} }));
 	}
 	/**
 	* Upload a blob
 	*/
 	async uploadBlob(bytes, mimeType) {
-		return (await this.xrpc("POST", "com.atproto.repo.uploadBlob", {
-			body: bytes,
-			contentType: mimeType,
-			auth: true
-		})).blob;
+		const url = new URL("/xrpc/com.atproto.repo.uploadBlob", this.baseUrl);
+		const headers = { "Content-Type": mimeType };
+		if (this.authToken) headers["Authorization"] = `Bearer ${this.authToken}`;
+		const res = await fetch(url.toString(), {
+			method: "POST",
+			headers,
+			body: bytes
+		});
+		if (!res.ok) {
+			const errorBody = await res.json().catch(() => ({}));
+			throw new ClientResponseError({
+				status: res.status,
+				headers: res.headers,
+				data: {
+					error: errorBody.error ?? "Unknown",
+					message: errorBody.message
+				}
+			});
+		}
+		return (await res.json()).blob;
 	}
 	/**
 	* Reset migration state (only works on deactivated accounts)
+	* Custom endpoint - not in standard lexicons
 	*/
 	async resetMigration() {
-		return this.xrpc("POST", "gg.mk.experimental.resetMigration", { auth: true });
+		const url = new URL("/xrpc/gg.mk.experimental.resetMigration", this.baseUrl);
+		const headers = {};
+		if (this.authToken) headers["Authorization"] = `Bearer ${this.authToken}`;
+		const res = await fetch(url.toString(), {
+			method: "POST",
+			headers
+		});
+		if (!res.ok) {
+			const errorBody = await res.json().catch(() => ({}));
+			throw new ClientResponseError({
+				status: res.status,
+				headers: res.headers,
+				data: {
+					error: errorBody.error ?? "Unknown",
+					message: errorBody.message
+				}
+			});
+		}
+		return res.json();
 	}
 	/**
 	* Activate account to enable writes
 	*/
 	async activateAccount() {
-		await this.xrpc("POST", "com.atproto.server.activateAccount", { auth: true });
+		await ok(this.client.post("com.atproto.server.activateAccount", { as: null }));
 	}
 	/**
 	* Deactivate account to disable writes
 	*/
 	async deactivateAccount() {
-		await this.xrpc("POST", "com.atproto.server.deactivateAccount", { auth: true });
+		await ok(this.client.post("com.atproto.server.deactivateAccount", {
+			input: {},
+			as: null
+		}));
 	}
 	/**
 	* Check if the PDS is reachable
@@ -1039,17 +1210,128 @@ var PDSClient = class {
 			return false;
 		}
 	}
+	/**
+	* Get DID document from PDS
+	*/
+	async getDidDocument() {
+		const res = await fetch(new URL("/.well-known/did.json", this.baseUrl));
+		if (!res.ok) throw new Error("Failed to fetch DID document");
+		return res.json();
+	}
+	/**
+	* Resolve handle to DID via public API
+	*/
+	async resolveHandle(handle) {
+		try {
+			const res = await fetch(`https://public.api.bsky.app/xrpc/com.atproto.identity.resolveHandle?handle=${encodeURIComponent(handle)}`);
+			if (!res.ok) return null;
+			return (await res.json()).did;
+		} catch {
+			return null;
+		}
+	}
+	/**
+	* Resolve DID to get service endpoints (supports did:plc and did:web)
+	*/
+	async resolveDid(did) {
+		try {
+			let doc;
+			if (did.startsWith("did:plc:")) {
+				const res = await fetch(`https://plc.directory/${did}`);
+				if (!res.ok) return { pdsEndpoint: null };
+				doc = await res.json();
+			} else if (did.startsWith("did:web:")) {
+				const hostname = did.slice(8);
+				const res = await fetch(`https://${hostname}/.well-known/did.json`);
+				if (!res.ok) return { pdsEndpoint: null };
+				doc = await res.json();
+			} else return { pdsEndpoint: null };
+			return { pdsEndpoint: (doc.service?.find((s) => s.type === "AtprotoPersonalDataServer"))?.serviceEndpoint ?? null };
+		} catch {
+			return { pdsEndpoint: null };
+		}
+	}
+	/**
+	* Check if profile is indexed by AppView
+	*/
+	async checkAppViewIndexing(did) {
+		try {
+			return (await fetch(`https://public.api.bsky.app/xrpc/app.bsky.actor.getProfile?actor=${encodeURIComponent(did)}`)).ok;
+		} catch {
+			return false;
+		}
+	}
+	/**
+	* Get firehose status (subscribers, seq)
+	* Custom endpoint - not in standard lexicons
+	*/
+	async getFirehoseStatus() {
+		const url = new URL("/xrpc/gg.mk.experimental.getFirehoseStatus", this.baseUrl);
+		const headers = {};
+		if (this.authToken) headers["Authorization"] = `Bearer ${this.authToken}`;
+		const res = await fetch(url.toString(), {
+			method: "GET",
+			headers
+		});
+		if (!res.ok) {
+			const errorBody = await res.json().catch(() => ({}));
+			throw new ClientResponseError({
+				status: res.status,
+				headers: res.headers,
+				data: {
+					error: errorBody.error ?? "Unknown",
+					message: errorBody.message
+				}
+			});
+		}
+		return res.json();
+	}
+	/**
+	* Check handle verification via HTTP well-known
+	*/
+	async checkHandleViaHttp(handle) {
+		try {
+			const res = await fetch(`https://${handle}/.well-known/atproto-did`);
+			if (!res.ok) return null;
+			return (await res.text()).trim() || null;
+		} catch {
+			return null;
+		}
+	}
+	/**
+	* Check handle verification via DNS TXT record (using DNS-over-HTTPS)
+	*/
+	async checkHandleViaDns(handle) {
+		try {
+			const res = await fetch(`https://cloudflare-dns.com/dns-query?name=_atproto.${handle}&type=TXT`, { headers: { Accept: "application/dns-json" } });
+			if (!res.ok) return null;
+			const txtRecord = (await res.json()).Answer?.find((a) => a.data?.includes("did="));
+			if (!txtRecord) return null;
+			return txtRecord.data.match(/did=([^\s"]+)/)?.[1] ?? null;
+		} catch {
+			return null;
+		}
+	}
+	/**
+	* Request the relay to crawl this PDS.
+	* This notifies the Bluesky relay that the PDS is active and ready for federation.
+	*/
+	async requestCrawl(pdsHostname, relayUrl = "https://bsky.network") {
+		try {
+			const url = new URL("/xrpc/com.atproto.sync.requestCrawl", relayUrl);
+			return (await fetch(url.toString(), {
+				method: "POST",
+				headers: { "Content-Type": "application/json" },
+				body: JSON.stringify({ hostname: pdsHostname })
+			})).ok;
+		} catch {
+			return false;
+		}
+	}
 };
 
 //#endregion
 //#region src/cli/commands/migrate.ts
-function detectPackageManager() {
-	const userAgent = process.env.npm_config_user_agent || "";
-	if (userAgent.startsWith("yarn")) return "yarn";
-	if (userAgent.startsWith("pnpm")) return "pnpm";
-	if (userAgent.startsWith("bun")) return "bun";
-	return "npm";
-}
 const brightNote$1 = (lines) => lines.map((l) => `\x1b[0m${l}`).join("\n");
 /**
 * Format number with commas
@@ -1083,8 +1365,7 @@ const migrateCommand = defineCommand({
 		}
 	},
 	async run({ args }) {
-		const packageManager = detectPackageManager();
-		const pm = packageManager === "npm" ? "npm run" : packageManager;
+		const pm = detectPackageManager();
 		const isDev = args.dev;
 		const vars = getVars();
 		let targetUrl;
@@ -1104,11 +1385,11 @@ const migrateCommand = defineCommand({
 			spinner.stop(`PDS not responding at ${targetDomain}`);
 			if (isDev) {
 				p.log.error(`Your local PDS isn't running at ${targetUrl}`);
-				p.log.info(`Start it with: ${pm} dev`);
+				p.log.info(`Start it with: ${formatCommand(pm, "dev")}`);
 			} else {
 				p.log.error(`Your PDS isn't responding at ${targetUrl}`);
-				p.log.info("Make sure your worker is deployed: wrangler deploy");
-				p.log.info(`Or test locally first: ${pm} pds migrate --dev`);
+				p.log.info(`Make sure your worker is deployed: ${formatCommand(pm, "deploy")}`);
+				p.log.info(`Or test locally first: ${formatCommand(pm, "pds", "migrate", "--dev")}`);
 			}
 			p.outro("Migration cancelled.");
 			process.exit(1);
@@ -1169,7 +1450,7 @@ const migrateCommand = defineCommand({
 				p.log.info("Your account is already live");
 				p.log.info("");
 				p.log.info("If you need to re-import, first deactivate:");
-				p.log.info("  pnpm pds deactivate");
+				p.log.info(`  ${formatCommand(pm, "pds", "deactivate")}`);
 				p.outro("Migration cancelled.");
 				process.exit(1);
 			}
@@ -1285,7 +1566,7 @@ const migrateCommand = defineCommand({
 			spinner.stop("Authenticated successfully");
 		} catch (err) {
 			spinner.stop("Login failed");
-			if (err instanceof PDSClientError) p.log.error(`Authentication failed: ${err.message}`);
+			if (err instanceof ClientResponseError) p.log.error(`Authentication failed: ${err.description ?? err.message}`);
 			else p.log.error(err instanceof Error ? err.message : "Authentication failed");
 			p.outro("Migration cancelled.");
 			process.exit(1);
@@ -1385,7 +1666,7 @@ function showNextSteps(pm, sourceDomain) {
 		`   (Requires email verification from ${sourceDomain})`,
 		"",
 		pc.bold("2. Flip the switch"),
-		`   ${pm} pds activate`,
+		`   ${formatCommand(pm, "pds", "activate")}`,
 		"",
 		"Docs: https://atproto.com/guides/account-migration"
 	]), "Almost there!");
@@ -1407,6 +1688,7 @@ const activateCommand = defineCommand({
 		default: false
 	} },
 	async run({ args }) {
+		const pm = detectPackageManager();
 		const isDev = args.dev;
 		p.intro("🦋 Activate Account");
 		const vars = getVars();
@@ -1437,7 +1719,7 @@ const activateCommand = defineCommand({
 		if (!await client.healthCheck()) {
 			spinner.stop(`PDS not responding at ${targetDomain}`);
 			p.log.error(`Your PDS isn't responding at ${targetUrl}`);
-			if (!isDev) p.log.info("Make sure your worker is deployed: wrangler deploy");
+			if (!isDev) p.log.info(`Make sure your worker is deployed: ${formatCommand(pm, "deploy")}`);
 			p.outro("Activation cancelled.");
 			process.exit(1);
 		}
@@ -1446,8 +1728,23 @@ const activateCommand = defineCommand({
 		const status = await client.getAccountStatus();
 		spinner.stop("Account status retrieved");
 		if (status.active) {
-			p.log.warn("Your account is already active!");
-			p.log.info("No action needed - you're live in the Atmosphere. 🦋");
+			p.log.info("Your account is already active.");
+			const pdsHostname$1 = config.PDS_HOSTNAME;
+			if (pdsHostname$1 && !isDev) {
+				const pingRelay = await p.confirm({
+					message: "Notify the relay? (useful if posts aren't being indexed)",
+					initialValue: false
+				});
+				if (p.isCancel(pingRelay)) {
+					p.cancel("Cancelled.");
+					process.exit(0);
+				}
+				if (pingRelay) {
+					spinner.start("Notifying relay...");
+					if (await client.requestCrawl(pdsHostname$1)) spinner.stop("Relay notified");
+					else spinner.stop("Could not notify relay");
+				}
+			}
 			p.outro("All good!");
 			return;
 		}
@@ -1477,6 +1774,15 @@ const activateCommand = defineCommand({
 			p.outro("Activation failed.");
 			process.exit(1);
 		}
+		const pdsHostname = config.PDS_HOSTNAME;
+		if (pdsHostname && !isDev) {
+			spinner.start("Notifying relay...");
+			if (await client.requestCrawl(pdsHostname)) spinner.stop("Relay notified");
+			else {
+				spinner.stop("Could not notify relay");
+				p.log.warn("Run 'pds activate' again later to retry notifying the relay.");
+			}
+		}
 		p.log.success("Welcome to the Atmosphere! 🦋");
 		p.log.info("Your account is now live and accepting writes.");
 		p.outro("All set!");
@@ -1501,6 +1807,7 @@ const deactivateCommand = defineCommand({
 		default: false
 	} },
 	async run({ args }) {
+		const pm = detectPackageManager();
 		const isDev = args.dev;
 		p.intro("🦋 Deactivate Account");
 		const vars = getVars();
@@ -1531,7 +1838,7 @@ const deactivateCommand = defineCommand({
 		if (!await client.healthCheck()) {
 			spinner.stop(`PDS not responding at ${targetDomain}`);
 			p.log.error(`Your PDS isn't responding at ${targetUrl}`);
-			if (!isDev) p.log.info("Make sure your worker is deployed: wrangler deploy");
+			if (!isDev) p.log.info(`Make sure your worker is deployed: ${formatCommand(pm, "deploy")}`);
 			p.outro("Deactivation cancelled.");
 			process.exit(1);
 		}
@@ -1577,14 +1884,190 @@ const deactivateCommand = defineCommand({
 		p.log.info("Writes are now disabled.");
 		p.log.info("");
 		p.log.info("To re-import your data:");
-		p.log.info("  pnpm pds migrate --clean");
+		p.log.info(`  ${formatCommand(pm, "pds", "migrate", "--clean")}`);
 		p.log.info("");
 		p.log.info("To re-enable writes:");
-		p.log.info("  pnpm pds activate");
+		p.log.info(`  ${formatCommand(pm, "pds", "activate")}`);
 		p.outro("Deactivated.");
 	}
 });
 
+//#endregion
+//#region src/cli/commands/status.ts
+/**
+* Status command - comprehensive PDS health and configuration check
+*/
+const CHECK = pc.green("✓");
+const CROSS = pc.red("✗");
+const WARN = pc.yellow("!");
+const INFO = pc.cyan("ℹ");
+const statusCommand = defineCommand({
+	meta: {
+		name: "status",
+		description: "Check PDS health and configuration"
+	},
+	args: { dev: {
+		type: "boolean",
+		description: "Target local development server instead of production",
+		default: false
+	} },
+	async run({ args }) {
+		const isDev = args.dev;
+		const wranglerVars = getVars();
+		const config = {
+			...readDevVars(),
+			...wranglerVars
+		};
+		let targetUrl;
+		try {
+			targetUrl = getTargetUrl(isDev, config.PDS_HOSTNAME);
+		} catch (err) {
+			console.error(pc.red("Error:"), err instanceof Error ? err.message : "Configuration error");
+			console.log(pc.dim("Run 'pds init' first to configure your PDS."));
+			process.exit(1);
+		}
+		const authToken = config.AUTH_TOKEN;
+		const did = config.DID;
+		const handle = config.HANDLE;
+		const pdsHostname = config.PDS_HOSTNAME;
+		if (!authToken) {
+			console.error(pc.red("Error:"), "No AUTH_TOKEN found. Run 'pds init' first.");
+			process.exit(1);
+		}
+		console.log();
+		console.log(pc.bold("PDS Status Check"));
+		console.log("=".repeat(50));
+		console.log(`Endpoint: ${pc.cyan(targetUrl)}`);
+		console.log();
+		const client = new PDSClient(targetUrl, authToken);
+		let hasErrors = false;
+		let hasWarnings = false;
+		console.log(pc.bold("Connectivity"));
+		if (await client.healthCheck()) console.log(`  ${CHECK} PDS reachable`);
+		else {
+			console.log(`  ${CROSS} PDS not responding`);
+			hasErrors = true;
+			console.log();
+			console.log(pc.red("Cannot continue - PDS is not reachable."));
+			if (!isDev) console.log(pc.dim("Make sure your worker is deployed: wrangler deploy"));
+			process.exit(1);
+		}
+		let status;
+		try {
+			status = await client.getAccountStatus();
+			console.log(`  ${CHECK} Account status retrieved`);
+		} catch (err) {
+			console.log(`  ${CROSS} Failed to get account status`);
+			hasErrors = true;
+			console.log();
+			console.log(pc.red("Error:"), err instanceof Error ? err.message : "Unknown error");
+			process.exit(1);
+		}
+		console.log();
+		console.log(pc.bold("Repository"));
+		if (status.repoCommit && status.indexedRecords > 0) {
+			const shortCid = status.repoCommit.slice(0, 12) + "..." + status.repoCommit.slice(-4);
+			const shortRev = status.repoRev ? status.repoRev.slice(0, 8) + "..." : "none";
+			console.log(`  ${CHECK} Initialized: ${pc.dim(shortCid)} (rev: ${shortRev})`);
+			console.log(`  ${INFO} ${status.repoBlocks.toLocaleString()} blocks, ${status.indexedRecords.toLocaleString()} records`);
+		} else {
+			console.log(`  ${WARN} Repository empty (no records)`);
+			console.log(pc.dim("      Run 'pds migrate' to import from another PDS"));
+			hasWarnings = true;
+		}
+		console.log();
+		console.log(pc.bold("Identity"));
+		if (did) {
+			const didType = did.startsWith("did:plc:") ? "did:plc" : did.startsWith("did:web:") ? "did:web" : "unknown";
+			console.log(`  ${INFO} DID: ${pc.dim(did)} (${didType})`);
+		}
+		if (handle) console.log(`  ${INFO} Handle: ${pc.cyan(`@${handle}`)}`);
+		if (did) {
+			const resolved = await client.resolveDid(did);
+			const resolveMethod = did.startsWith("did:plc:") ? "plc.directory" : did.startsWith("did:web:") ? "/.well-known/did.json" : "unknown";
+			if (resolved.pdsEndpoint) {
+				const expectedEndpoint = `https://${pdsHostname}`;
+				if (resolved.pdsEndpoint === expectedEndpoint || resolved.pdsEndpoint === pdsHostname) console.log(`  ${CHECK} DID resolves to this PDS (via ${resolveMethod})`);
+				else {
+					console.log(`  ${CROSS} DID resolves to different PDS`);
+					console.log(pc.dim(`      Resolved via: ${resolveMethod}`));
+					console.log(pc.dim(`      Expected: ${expectedEndpoint}`));
+					console.log(pc.dim(`      Got: ${resolved.pdsEndpoint}`));
+					hasErrors = true;
+				}
+			} else {
+				console.log(`  ${WARN} Could not resolve DID`);
+				if (did.startsWith("did:plc:")) console.log(pc.dim("      Check plc.directory or update DID document"));
+				else if (did.startsWith("did:web:")) console.log(pc.dim("      Ensure /.well-known/did.json is accessible"));
+				hasWarnings = true;
+			}
+		} else {
+			console.log(`  ${WARN} DID not configured`);
+			hasWarnings = true;
+		}
+		if (handle) {
+			const [httpDid, dnsDid] = await Promise.all([client.checkHandleViaHttp(handle), client.checkHandleViaDns(handle)]);
+			const httpValid = httpDid === did;
+			const dnsValid = dnsDid === did;
+			if (httpValid || dnsValid) {
+				const methods = [];
+				if (dnsValid) methods.push("DNS");
+				if (httpValid) methods.push("HTTP");
+				console.log(`  ${CHECK} Handle verified via ${methods.join(" + ")}`);
+			} else if (httpDid || dnsDid) {
+				console.log(`  ${CROSS} Handle resolves to different DID`);
+				console.log(pc.dim(`      Expected: ${did}`));
+				if (httpDid) console.log(pc.dim(`      HTTP well-known: ${httpDid}`));
+				if (dnsDid) console.log(pc.dim(`      DNS TXT: ${dnsDid}`));
+				hasErrors = true;
+			} else {
+				console.log(`  ${WARN} Handle not resolving`);
+				if (handle === pdsHostname) console.log(pc.dim("      Ensure /.well-known/atproto-did returns your DID"));
+				else console.log(pc.dim(`      Add DNS TXT record: _atproto.${handle} → did=...`));
+				hasWarnings = true;
+			}
+		}
+		console.log();
+		if (status.expectedBlobs > 0) {
+			console.log(pc.bold("Blobs"));
+			if (status.importedBlobs === status.expectedBlobs) console.log(`  ${CHECK} ${status.importedBlobs}/${status.expectedBlobs} blobs imported`);
+			else {
+				const missing = status.expectedBlobs - status.importedBlobs;
+				console.log(`  ${WARN} ${status.importedBlobs}/${status.expectedBlobs} blobs imported (${missing} missing)`);
+				hasWarnings = true;
+			}
+			console.log();
+		}
+		console.log(pc.bold("Federation"));
+		if (did) if (await client.checkAppViewIndexing(did)) console.log(`  ${CHECK} Profile indexed by AppView`);
+		else {
+			console.log(`  ${WARN} Profile not found on AppView`);
+			console.log(pc.dim("      This may be normal for new accounts"));
+			hasWarnings = true;
+		}
+		try {
+			const firehose = await client.getFirehoseStatus();
+			console.log(`  ${INFO} ${firehose.subscribers} firehose subscriber${firehose.subscribers !== 1 ? "s" : ""}, seq: ${firehose.latestSeq ?? "none"}`);
+		} catch {
+			console.log(`  ${pc.dim("  Could not get firehose status")}`);
+		}
+		console.log();
+		console.log(pc.bold("Account"));
+		if (status.active) console.log(`  ${CHECK} Active (accepting writes)`);
+		else {
+			console.log(`  ${WARN} Deactivated (writes disabled)`);
+			console.log(pc.dim("      Run 'pds activate' when ready to go live"));
+			hasWarnings = true;
+		}
+		console.log();
+		if (hasErrors) {
+			console.log(pc.red(pc.bold("Some checks failed!")));
+			process.exit(1);
+		} else if (hasWarnings) console.log(pc.yellow("All checks passed with warnings."));
+		else console.log(pc.green(pc.bold("All checks passed!")));
+	}
+});
+
 //#endregion
 //#region src/cli/index.ts
 /**
@@ -1601,7 +2084,8 @@ runMain(defineCommand({
 		secret: secretCommand,
 		migrate: migrateCommand,
 		activate: activateCommand,
-		deactivate: deactivateCommand
+		deactivate: deactivateCommand,
+		status: statusCommand
 	}
 }));