npm - @getcirrus/pds - Versions diffs - 0.5.0 → 0.6.0 - Mend

@getcirrus/pds 0.5.0 → 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/cli.js CHANGED Viewed

@@ -8,11 +8,12 @@ import { spawn } from "node:child_process";
 import { experimental_patchConfig, experimental_readRawConfig } from "wrangler";
 import { existsSync, readFileSync, writeFileSync } from "node:fs";
 import { resolve } from "node:path";
-import { CompositeDidDocumentResolver, DohJsonHandleResolver, PlcDidDocumentResolver, WebDidDocumentResolver } from "@atcute/identity-resolver";
 import pc from "picocolors";
+import QRCode from "qrcode";
 import { Client, ClientResponseError, ok } from "@atcute/client";
 import "@atcute/bluesky";
 import "@atcute/atproto";
+import { CompositeDidDocumentResolver, DohJsonHandleResolver, PlcDidDocumentResolver, WebDidDocumentResolver } from "@atcute/identity-resolver";
 import { getPdsEndpoint } from "@atcute/identity";
 //#region src/cli/utils/wrangler.ts
@@ -422,650 +423,182 @@ const secretCommand = defineCommand({
 });
 //#endregion
-//#region src/cli/utils/cli-helpers.ts
-/**
-* Shared CLI utilities for PDS commands
-*/
-/**
-* Prompt for text input, exiting on cancel
-*/
-async function promptText(options) {
-	const result = await p.text(options);
-	if (p.isCancel(result)) {
-		p.cancel("Cancelled");
-		process.exit(0);
-	}
-	return result;
-}
-/**
-* Prompt for confirmation, exiting on cancel
-*/
-async function promptConfirm(options) {
-	const result = await p.confirm(options);
-	if (p.isCancel(result)) {
-		p.cancel("Cancelled");
-		process.exit(0);
-	}
-	return result;
-}
+//#region src/cli/utils/pds-client.ts
 /**
-* Prompt for selection, exiting on cancel
+* HTTP client for AT Protocol PDS XRPC endpoints
+* Uses @atcute/client for type-safe XRPC calls
 */
-async function promptSelect(options) {
-	const result = await p.select(options);
-	if (p.isCancel(result)) {
-		p.cancel("Cancelled");
-		process.exit(0);
-	}
-	return result;
-}
 /**
-* Get target PDS URL based on mode
+* Create a fetch handler that adds optional auth token
 */
-function getTargetUrl(isDev, pdsHostname) {
-	if (isDev) return `http://localhost:${process.env.PORT ? parseInt(process.env.PORT) ?? "5173" : "5173"}`;
-	if (!pdsHostname) throw new Error("PDS_HOSTNAME not configured in wrangler.jsonc");
-	return `https://${pdsHostname}`;
+function createAuthHandler(baseUrl, token) {
+	return async (pathname, init) => {
+		const url = new URL(pathname, baseUrl);
+		const headers = new Headers(init.headers);
+		if (token) headers.set("Authorization", `Bearer ${token}`);
+		return fetch(url, {
+			...init,
+			headers
+		});
+	};
 }
-/**
-* Extract domain from URL
-*/
-function getDomain(url) {
-	try {
-		return new URL(url).hostname;
-	} catch {
-		return url;
+var PDSClient = class PDSClient {
+	client;
+	authToken;
+	constructor(baseUrl, authToken) {
+		this.baseUrl = baseUrl;
+		this.authToken = authToken;
+		this.client = new Client({ handler: createAuthHandler(baseUrl, authToken) });
 	}
-}
-/**
-* Detect which package manager is being used based on npm_config_user_agent
-*/
-function detectPackageManager() {
-	const userAgent = process.env.npm_config_user_agent || "";
-	if (userAgent.startsWith("yarn")) return "yarn";
-	if (userAgent.startsWith("pnpm")) return "pnpm";
-	if (userAgent.startsWith("bun")) return "bun";
-	return "npm";
-}
-/**
-* Format a command for the detected package manager
-* npm always needs "run" for scripts, pnpm/yarn/bun can use shorthand
-* except for "deploy" which conflicts with pnpm's built-in deploy command
-*/
-function formatCommand(pm, ...args) {
-	if (pm === "npm" || args[0] === "deploy") return `${pm} run ${args.join(" ")}`;
-	return `${pm} ${args.join(" ")}`;
-}
-//#endregion
-//#region src/cli/utils/handle-resolver.ts
-/**
-* Utilities for resolving AT Protocol handles to DIDs
-*/
-const resolver = new DohJsonHandleResolver({ dohUrl: "https://cloudflare-dns.com/dns-query" });
-/**
-* Resolve a handle to a DID using the AT Protocol handle resolution methods.
-* Uses DNS-over-HTTPS via Cloudflare for DNS resolution.
-*/
-async function resolveHandleToDid(handle) {
-	try {
-		return await resolver.resolve(handle, { signal: AbortSignal.timeout(1e4) });
-	} catch {
-		return null;
+	/**
+	* Set the auth token for subsequent requests
+	*/
+	setAuthToken(token) {
+		this.authToken = token;
+		this.client = new Client({ handler: createAuthHandler(this.baseUrl, token) });
 	}
-}
-//#endregion
-//#region src/did-resolver.ts
-/**
-* DID resolution for Cloudflare Workers
-*
-* Uses @atcute/identity-resolver which is already Workers-compatible
-* (uses redirect: "manual" internally).
-*/
-const PLC_DIRECTORY = "https://plc.directory";
-const TIMEOUT_MS = 3e3;
-/**
-* Wrapper that always uses globalThis.fetch so it can be mocked in tests.
-* @atcute resolvers capture the fetch reference at construction time,
-* so we need this indirection to allow test mocking.
-*/
-const stubbableFetch = (input, init) => globalThis.fetch(input, init);
-var DidResolver = class {
-	resolver;
-	timeout;
-	cache;
-	constructor(opts = {}) {
-		this.timeout = opts.timeout ?? TIMEOUT_MS;
-		this.cache = opts.didCache;
-		this.resolver = new CompositeDidDocumentResolver({ methods: {
-			plc: new PlcDidDocumentResolver({
-				apiUrl: opts.plcUrl ?? PLC_DIRECTORY,
-				fetch: stubbableFetch
-			}),
-			web: new WebDidDocumentResolver({ fetch: stubbableFetch })
-		} });
+	/**
+	* Create a session with identifier and password
+	*/
+	async createSession(identifier, password) {
+		return ok(this.client.post("com.atproto.server.createSession", { input: {
+			identifier,
+			password
+		} }));
 	}
-	async resolve(did) {
-		if (this.cache) {
-			const cached = await this.cache.checkCache(did);
-			if (cached && !cached.expired) {
-				if (cached.stale) this.cache.refreshCache(did, () => this.resolveNoCache(did), cached);
-				return cached.doc;
-			}
-		}
-		const doc = await this.resolveNoCache(did);
-		if (doc && this.cache) await this.cache.cacheDid(did, doc);
-		else if (!doc && this.cache) await this.cache.clearEntry(did);
-		return doc;
+	/**
+	* Get repository description including collections
+	*/
+	async describeRepo(did) {
+		return ok(this.client.get("com.atproto.repo.describeRepo", { params: { repo: did } }));
 	}
-	async resolveNoCache(did) {
-		const controller = new AbortController();
-		const timeoutId = setTimeout(() => controller.abort(), this.timeout);
+	/**
+	* Get profile stats from AppView (posts, follows, followers counts)
+	*/
+	async getProfileStats(did) {
 		try {
-			const doc = await this.resolver.resolve(did, { signal: controller.signal });
-			if (doc.id !== did) return null;
-			return doc;
+			const res = await fetch(`https://public.api.bsky.app/xrpc/app.bsky.actor.getProfile?actor=${encodeURIComponent(did)}`);
+			if (!res.ok) return null;
+			const profile = await res.json();
+			return {
+				postsCount: profile.postsCount ?? 0,
+				followsCount: profile.followsCount ?? 0,
+				followersCount: profile.followersCount ?? 0
+			};
 		} catch {
 			return null;
-		} finally {
-			clearTimeout(timeoutId);
 		}
 	}
-};
-//#endregion
-//#region src/cli/commands/init.ts
-/**
-* Interactive PDS setup wizard
-*/
-/**
-* Slugify a handle to create a worker name
-* e.g., "example.com" -> "example-com-pds"
-*/
-function slugifyHandle(handle) {
-	return handle.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-|-$/g, "") + "-pds";
-}
-const defaultWorkerName = "my-pds";
-/**
-* Prompt for worker name with validation
-*/
-async function promptWorkerName(handle, currentWorkerName) {
-	const placeholder = currentWorkerName && currentWorkerName !== defaultWorkerName ? currentWorkerName : slugifyHandle(handle);
-	return promptText({
-		message: "Cloudflare Worker name:",
-		placeholder,
-		initialValue: placeholder,
-		validate: (v) => {
-			if (!v) return "Worker name is required";
-			if (!/^[a-z0-9-]+$/.test(v)) return "Worker name can only contain lowercase letters, numbers, and hyphens";
-		}
-	});
-}
-/**
-* Ensure a Cloudflare account_id is configured.
-* If multiple accounts detected, prompts user to select one.
-*/
-async function ensureAccountConfigured() {
-	const spinner = p.spinner();
-	spinner.start("Checking Cloudflare account...");
-	const accounts = await detectCloudflareAccounts();
-	if (accounts === null) {
-		spinner.stop("Cloudflare account configured");
-		return;
+	/**
+	* Export repository as CAR file
+	*/
+	async getRepo(did) {
+		const response = await this.client.get("com.atproto.sync.getRepo", {
+			params: { did },
+			as: "bytes"
+		});
+		if (!response.ok) throw new ClientResponseError({
+			status: response.status,
+			headers: response.headers,
+			data: response.data
+		});
+		return response.data;
 	}
-	spinner.stop(`Found ${accounts.length} Cloudflare accounts`);
-	const selectedId = await promptSelect({
-		message: "Select your Cloudflare account:",
-		options: accounts.map((acc) => ({
-			value: acc.id,
-			label: acc.name,
-			hint: acc.id.slice(0, 8) + "..."
-		}))
-	});
-	setAccountId(selectedId);
-	const selectedName = accounts.find((a) => a.id === selectedId)?.name;
-	p.log.success(`Account "${selectedName}" saved to wrangler.jsonc`);
-}
-/**
-* Run wrangler types to regenerate TypeScript types
-*/
-function runWranglerTypes() {
-	return new Promise((resolve$1, reject) => {
-		const child = spawn("wrangler", ["types"], { stdio: "pipe" });
-		let output = "";
-		child.stdout?.on("data", (data) => {
-			output += data.toString();
-		});
-		child.stderr?.on("data", (data) => {
-			output += data.toString();
+	/**
+	* Get a blob by CID
+	*/
+	async getBlob(did, cid) {
+		const response = await this.client.get("com.atproto.sync.getBlob", {
+			params: {
+				did,
+				cid
+			},
+			as: "bytes"
 		});
-		child.on("close", (code) => {
-			if (code === 0) resolve$1();
-			else {
-				if (output) console.error(output);
-				reject(/* @__PURE__ */ new Error(`wrangler types failed with code ${code}`));
-			}
+		if (!response.ok) throw new ClientResponseError({
+			status: response.status,
+			headers: response.headers,
+			data: response.data
 		});
-		child.on("error", reject);
-	});
-}
-const initCommand = defineCommand({
-	meta: {
-		name: "init",
-		description: "Interactive PDS setup wizard"
-	},
-	args: { production: {
-		type: "boolean",
-		description: "Deploy secrets to Cloudflare?",
-		default: false
-	} },
-	async run({ args }) {
-		const pm = detectPackageManager();
-		p.intro("🦋 PDS Setup");
-		const isProduction = args.production;
-		if (isProduction) p.log.info("Production mode: secrets will be deployed to Cloudflare");
-		p.log.info("Let's set up your new home in the Atmosphere!");
-		const wranglerVars = getVars();
-		const devVars = readDevVars();
-		const currentVars = {
-			...devVars,
-			...wranglerVars
+		return {
+			bytes: response.data,
+			mimeType: response.headers.get("content-type") ?? "application/octet-stream"
 		};
-		const isMigrating = await promptConfirm({
-			message: "Are you migrating an existing Bluesky/ATProto account?",
-			initialValue: false
+	}
+	/**
+	* List blobs in repository
+	*/
+	async listBlobs(did, cursor) {
+		return ok(this.client.get("com.atproto.sync.listBlobs", { params: {
+			did,
+			...cursor && { cursor }
+		} }));
+	}
+	/**
+	* Get user preferences
+	*/
+	async getPreferences() {
+		return (await ok(this.client.get("app.bsky.actor.getPreferences", { params: {} }))).preferences;
+	}
+	/**
+	* Update user preferences
+	*/
+	async putPreferences(preferences) {
+		const url = new URL("/xrpc/app.bsky.actor.putPreferences", this.baseUrl);
+		const headers = { "Content-Type": "application/json" };
+		if (this.authToken) headers["Authorization"] = `Bearer ${this.authToken}`;
+		const res = await fetch(url.toString(), {
+			method: "POST",
+			headers,
+			body: JSON.stringify({ preferences })
 		});
-		let did;
-		let handle;
-		let hostname;
-		let workerName;
-		let initialActive;
-		const currentWorkerName = getWorkerName();
-		if (isMigrating) {
-			p.log.info("Time to pack your bags! 🧳");
-			p.log.info("Your new account will be inactive until you're ready to go live.");
-			let hostedDomains = [
-				".bsky.social",
-				".bsky.network",
-				".bsky.team"
-			];
-			const isHostedHandle = (h) => hostedDomains.some((domain) => h?.endsWith(domain));
-			let resolvedDid = null;
-			let existingHandle = null;
-			let attempts = 0;
-			const MAX_ATTEMPTS = 3;
-			while (!resolvedDid && attempts < MAX_ATTEMPTS) {
-				attempts++;
-				const currentHandle = await promptText({
-					message: "Your current Bluesky/ATProto handle:",
-					placeholder: "example.bsky.social",
-					validate: (v) => !v ? "Handle is required" : void 0
-				});
-				existingHandle = currentHandle;
-				const spinner$1 = p.spinner();
-				spinner$1.start("Finding you in the Atmosphere...");
-				resolvedDid = await resolveHandleToDid(currentHandle);
-				if (!resolvedDid) {
-					spinner$1.stop("Not found");
-					p.log.error(`Failed to resolve handle "${currentHandle}"`);
-					if (await promptSelect({
-						message: "What would you like to do?",
-						options: [{
-							value: "retry",
-							label: "Try a different handle"
-						}, {
-							value: "manual",
-							label: "Enter DID manually"
-						}]
-					}) === "manual") resolvedDid = await promptText({
-						message: "Enter your DID:",
-						placeholder: "did:plc:...",
-						validate: (v) => {
-							if (!v) return "DID is required";
-							if (!v.startsWith("did:")) return "DID must start with did:";
-						}
-					});
-				} else {
-					try {
-						const pdsService = (await new DidResolver().resolve(resolvedDid))?.service?.find((s) => s.type === "AtprotoPersonalDataServer" || s.id === "#atproto_pds");
-						if (pdsService?.serviceEndpoint) {
-							const describeRes = await fetch(`${pdsService.serviceEndpoint}/xrpc/com.atproto.server.describeServer`);
-							if (describeRes.ok) {
-								const desc = await describeRes.json();
-								if (desc.availableUserDomains?.length) hostedDomains = desc.availableUserDomains.map((d) => d.startsWith(".") ? d : `.${d}`);
-							}
-						}
-					} catch {}
-					spinner$1.stop(`Found you! ${resolvedDid}`);
-					if (isHostedHandle(existingHandle)) {
-						const theirDomain = hostedDomains.find((d) => existingHandle?.endsWith(d));
-						const domainExample = theirDomain ? `*${theirDomain}` : "*.bsky.social";
-						p.log.warn(`You'll need a custom domain for your new handle (not ${domainExample}). You can set this up after transferring your data.`);
-					}
-					if (attempts >= MAX_ATTEMPTS) {
-						p.log.error("Unable to resolve handle after 3 attempts.");
-						p.log.info("");
-						p.log.info("You can:");
-						p.log.info("  1. Double-check your handle spelling");
-						p.log.info("  2. Provide your DID directly if you know it");
-						p.log.info("  3. Run 'pds init' again when ready");
-						p.outro("Initialization cancelled.");
-						process.exit(1);
-					}
-				}
-			}
-			did = resolvedDid;
-			handle = await promptText({
-				message: "New account handle (must be a domain you control):",
-				placeholder: "example.com",
-				initialValue: existingHandle && !isHostedHandle(existingHandle) ? existingHandle : currentVars.HANDLE || "",
-				validate: (v) => {
-					if (!v) return "Handle is required";
-					if (isHostedHandle(v)) return "You need a custom domain - hosted handles like *.bsky.social won't work";
+		if (!res.ok) {
+			const errorBody = await res.json().catch(() => ({}));
+			throw new ClientResponseError({
+				status: res.status,
+				headers: res.headers,
+				data: {
+					error: errorBody.error ?? "Unknown",
+					message: errorBody.message
 				}
 			});
-			hostname = await promptText({
-				message: "Domain where you'll deploy your PDS:",
-				placeholder: handle,
-				initialValue: currentVars.PDS_HOSTNAME || handle,
-				validate: (v) => !v ? "Hostname is required" : void 0
-			});
-			workerName = await promptWorkerName(handle, currentWorkerName);
-			initialActive = "false";
-			await ensureAccountConfigured();
-		} else {
-			p.log.info("A fresh start in the Atmosphere! ✨");
-			hostname = await promptText({
-				message: "Domain where you'll deploy your PDS:",
-				placeholder: "pds.example.com",
-				initialValue: currentVars.PDS_HOSTNAME || "",
-				validate: (v) => !v ? "Hostname is required" : void 0
-			});
-			handle = await promptText({
-				message: "Account handle:",
-				placeholder: hostname,
-				initialValue: currentVars.HANDLE || hostname,
-				validate: (v) => !v ? "Handle is required" : void 0
-			});
-			const didDefault = "did:web:" + hostname;
-			did = await promptText({
-				message: "Account DID:",
-				placeholder: didDefault,
-				initialValue: currentVars.DID || didDefault,
-				validate: (v) => {
-					if (!v) return "DID is required";
-					if (!v.startsWith("did:")) return "DID must start with 'did:'";
+		}
+	}
+	/**
+	* Get account status including migration progress
+	*/
+	async getAccountStatus() {
+		const url = new URL("/xrpc/com.atproto.server.getAccountStatus", this.baseUrl);
+		const headers = {};
+		if (this.authToken) headers["Authorization"] = `Bearer ${this.authToken}`;
+		const res = await fetch(url.toString(), {
+			method: "GET",
+			headers
+		});
+		if (!res.ok) {
+			const errorBody = await res.json().catch(() => ({}));
+			throw new ClientResponseError({
+				status: res.status,
+				headers: res.headers,
+				data: {
+					error: errorBody.error ?? "Unknown",
+					message: errorBody.message
 				}
 			});
-			workerName = await promptWorkerName(handle, currentWorkerName);
-			initialActive = "true";
-			await ensureAccountConfigured();
-			if (handle === hostname) p.note([
-				"Your handle matches your PDS hostname, so your PDS will",
-				"automatically handle domain verification for you!",
-				"",
-				"For did:web, your PDS serves the DID document at:",
-				`  https://${hostname}/.well-known/did.json`,
-				"",
-				"For handle verification, it serves:",
-				`  https://${hostname}/.well-known/atproto-did`,
-				"",
-				"No additional DNS or hosting setup needed. Easy! 🎉"
-			].join("\n"), "Identity Setup 🪪");
-			else p.note([
-				"For did:web, your PDS will serve the DID document at:",
-				`  https://${hostname}/.well-known/did.json`,
-				"",
-				"To verify your handle, create a DNS TXT record:",
-				`  _atproto.${handle} TXT "did=${did}"`,
-				"",
-				"Or serve a file at:",
-				`  https://${handle}/.well-known/atproto-did`,
-				`  containing: ${did}`
-			].join("\n"), "Identity Setup 🪪");
-		}
-		const spinner = p.spinner();
-		const authToken = await getOrGenerateSecret("AUTH_TOKEN", devVars, async () => {
-			spinner.start("Generating auth token...");
-			const token = generateAuthToken();
-			spinner.stop("Auth token generated");
-			return token;
-		});
-		const signingKey = await getOrGenerateSecret("SIGNING_KEY", devVars, async () => {
-			spinner.start("Generating signing keypair...");
-			const { privateKey } = await generateSigningKeypair();
-			spinner.stop("Signing keypair generated");
-			return privateKey;
-		});
-		const signingKeyPublic = await derivePublicKey(signingKey);
-		const jwtSecret = await getOrGenerateSecret("JWT_SECRET", devVars, async () => {
-			spinner.start("Generating JWT secret...");
-			const secret = generateJwtSecret();
-			spinner.stop("JWT secret generated");
-			return secret;
-		});
-		const passwordHash = await getOrGenerateSecret("PASSWORD_HASH", devVars, async () => {
-			const password = await promptPassword(handle);
-			spinner.start("Hashing password...");
-			const hash = await hashPassword(password);
-			spinner.stop("Password hashed");
-			return hash;
-		});
-		spinner.start("Updating wrangler.jsonc...");
-		setWorkerName(workerName);
-		setVars({
-			PDS_HOSTNAME: hostname,
-			DID: did,
-			HANDLE: handle,
-			SIGNING_KEY_PUBLIC: signingKeyPublic,
-			INITIAL_ACTIVE: initialActive
-		});
-		setCustomDomains([hostname]);
-		spinner.stop("wrangler.jsonc updated");
-		const local = !isProduction;
-		if (isProduction) spinner.start("Deploying secrets to Cloudflare...");
-		else spinner.start("Writing secrets to .dev.vars...");
-		await setSecretValue("AUTH_TOKEN", authToken, local);
-		await setSecretValue("SIGNING_KEY", signingKey, local);
-		await setSecretValue("JWT_SECRET", jwtSecret, local);
-		await setSecretValue("PASSWORD_HASH", passwordHash, local);
-		spinner.stop(isProduction ? "Secrets deployed" : "Secrets written to .dev.vars");
-		spinner.start("Generating TypeScript types...");
-		try {
-			await runWranglerTypes();
-			spinner.stop("TypeScript types generated");
-		} catch {
-			spinner.stop("Failed to generate types (wrangler types)");
-		}
-		p.note([
-			"  Worker name:  " + workerName,
-			"  PDS hostname: " + hostname,
-			"  DID: " + did,
-			"  Handle: " + handle,
-			"  Public signing key: " + signingKeyPublic.slice(0, 20) + "...",
-			"",
-			isProduction ? "Secrets deployed to Cloudflare ☁️" : "Secrets saved to .dev.vars",
-			"",
-			"Auth token (save this!):",
-			"  " + authToken
-		].join("\n"), "Your New Home 🏠");
-		let deployedSecrets = isProduction;
-		if (!isProduction) {
-			const deployNow = await p.confirm({
-				message: "Push secrets to Cloudflare now?",
-				initialValue: false
-			});
-			if (!p.isCancel(deployNow) && deployNow) {
-				spinner.start("Deploying secrets to Cloudflare...");
-				await setSecretValue("AUTH_TOKEN", authToken, false);
-				await setSecretValue("SIGNING_KEY", signingKey, false);
-				await setSecretValue("JWT_SECRET", jwtSecret, false);
-				await setSecretValue("PASSWORD_HASH", passwordHash, false);
-				spinner.stop("Secrets deployed to Cloudflare");
-				deployedSecrets = true;
-			}
-		}
-		if (isMigrating) p.note([
-			deployedSecrets ? "Deploy your worker and run the migration:" : "Push secrets, deploy, and run the migration:",
-			"",
-			...deployedSecrets ? [] : [`  ${formatCommand(pm, "pds", "init", "--production")}`, ""],
-			`  ${formatCommand(pm, "deploy")}`,
-			`  ${formatCommand(pm, "pds", "migrate")}`,
-			"",
-			"To test locally first:",
-			`  ${formatCommand(pm, "dev")}              # in one terminal`,
-			`  ${formatCommand(pm, "pds", "migrate", "--dev")}  # in another`,
-			"",
-			"Then update your identity and flip the switch! 🦋",
-			"  https://atproto.com/guides/account-migration"
-		].join("\n"), "Next Steps 🧳");
-		if (deployedSecrets) p.outro(`Run '${formatCommand(pm, "deploy")}' to launch your PDS! 🚀`);
-		else p.outro(`Run '${formatCommand(pm, "dev")}' to start your PDS locally! 🦋`);
-	}
-});
-/**
-* Helper to get a secret from .dev.vars or generate a new one
-*/
-async function getOrGenerateSecret(name, devVars, generate) {
-	if (devVars[name]) {
-		if (await p.confirm({
-			message: `Use ${name} from .dev.vars?`,
-			initialValue: true
-		}) === true) return devVars[name];
-	}
-	return generate();
-}
-//#endregion
-//#region src/cli/utils/pds-client.ts
-/**
-* HTTP client for AT Protocol PDS XRPC endpoints
-* Uses @atcute/client for type-safe XRPC calls
-*/
-/**
-* Create a fetch handler that adds optional auth token
-*/
-function createAuthHandler(baseUrl, token) {
-	return async (pathname, init) => {
-		const url = new URL(pathname, baseUrl);
-		const headers = new Headers(init.headers);
-		if (token) headers.set("Authorization", `Bearer ${token}`);
-		return fetch(url, {
-			...init,
-			headers
-		});
-	};
-}
-var PDSClient = class PDSClient {
-	client;
-	authToken;
-	constructor(baseUrl, authToken) {
-		this.baseUrl = baseUrl;
-		this.authToken = authToken;
-		this.client = new Client({ handler: createAuthHandler(baseUrl, authToken) });
-	}
-	/**
-	* Set the auth token for subsequent requests
-	*/
-	setAuthToken(token) {
-		this.authToken = token;
-		this.client = new Client({ handler: createAuthHandler(this.baseUrl, token) });
-	}
-	/**
-	* Create a session with identifier and password
-	*/
-	async createSession(identifier, password) {
-		return ok(this.client.post("com.atproto.server.createSession", { input: {
-			identifier,
-			password
-		} }));
-	}
-	/**
-	* Get repository description including collections
-	*/
-	async describeRepo(did) {
-		return ok(this.client.get("com.atproto.repo.describeRepo", { params: { repo: did } }));
-	}
-	/**
-	* Get profile stats from AppView (posts, follows, followers counts)
-	*/
-	async getProfileStats(did) {
-		try {
-			const res = await fetch(`https://public.api.bsky.app/xrpc/app.bsky.actor.getProfile?actor=${encodeURIComponent(did)}`);
-			if (!res.ok) return null;
-			const profile = await res.json();
-			return {
-				postsCount: profile.postsCount ?? 0,
-				followsCount: profile.followsCount ?? 0,
-				followersCount: profile.followersCount ?? 0
-			};
-		} catch {
-			return null;
 		}
+		return res.json();
 	}
 	/**
-	* Export repository as CAR file
-	*/
-	async getRepo(did) {
-		const response = await this.client.get("com.atproto.sync.getRepo", {
-			params: { did },
-			as: "bytes"
-		});
-		if (!response.ok) throw new ClientResponseError({
-			status: response.status,
-			headers: response.headers,
-			data: response.data
-		});
-		return response.data;
-	}
-	/**
-	* Get a blob by CID
-	*/
-	async getBlob(did, cid) {
-		const response = await this.client.get("com.atproto.sync.getBlob", {
-			params: {
-				did,
-				cid
-			},
-			as: "bytes"
-		});
-		if (!response.ok) throw new ClientResponseError({
-			status: response.status,
-			headers: response.headers,
-			data: response.data
-		});
-		return {
-			bytes: response.data,
-			mimeType: response.headers.get("content-type") ?? "application/octet-stream"
-		};
-	}
-	/**
-	* List blobs in repository
-	*/
-	async listBlobs(did, cursor) {
-		return ok(this.client.get("com.atproto.sync.listBlobs", { params: {
-			did,
-			...cursor && { cursor }
-		} }));
-	}
-	/**
-	* Get user preferences
-	*/
-	async getPreferences() {
-		return (await ok(this.client.get("app.bsky.actor.getPreferences", { params: {} }))).preferences;
-	}
-	/**
-	* Update user preferences
+	* Import repository from CAR file
 	*/
-	async putPreferences(preferences) {
-		const url = new URL("/xrpc/app.bsky.actor.putPreferences", this.baseUrl);
-		const headers = { "Content-Type": "application/json" };
+	async importRepo(carBytes) {
+		const url = new URL("/xrpc/com.atproto.repo.importRepo", this.baseUrl);
+		const headers = { "Content-Type": "application/vnd.ipld.car" };
 		if (this.authToken) headers["Authorization"] = `Bearer ${this.authToken}`;
 		const res = await fetch(url.toString(), {
 			method: "POST",
 			headers,
-			body: JSON.stringify({ preferences })
+			body: carBytes
 		});
 		if (!res.ok) {
 			const errorBody = await res.json().catch(() => ({}));
@@ -1078,58 +611,10 @@ var PDSClient = class PDSClient {
 				}
 			});
 		}
+		return res.json();
 	}
 	/**
-	* Get account status including migration progress
-	*/
-	async getAccountStatus() {
-		const url = new URL("/xrpc/com.atproto.server.getAccountStatus", this.baseUrl);
-		const headers = {};
-		if (this.authToken) headers["Authorization"] = `Bearer ${this.authToken}`;
-		const res = await fetch(url.toString(), {
-			method: "GET",
-			headers
-		});
-		if (!res.ok) {
-			const errorBody = await res.json().catch(() => ({}));
-			throw new ClientResponseError({
-				status: res.status,
-				headers: res.headers,
-				data: {
-					error: errorBody.error ?? "Unknown",
-					message: errorBody.message
-				}
-			});
-		}
-		return res.json();
-	}
-	/**
-	* Import repository from CAR file
-	*/
-	async importRepo(carBytes) {
-		const url = new URL("/xrpc/com.atproto.repo.importRepo", this.baseUrl);
-		const headers = { "Content-Type": "application/vnd.ipld.car" };
-		if (this.authToken) headers["Authorization"] = `Bearer ${this.authToken}`;
-		const res = await fetch(url.toString(), {
-			method: "POST",
-			headers,
-			body: carBytes
-		});
-		if (!res.ok) {
-			const errorBody = await res.json().catch(() => ({}));
-			throw new ClientResponseError({
-				status: res.status,
-				headers: res.headers,
-				data: {
-					error: errorBody.error ?? "Unknown",
-					message: errorBody.message
-				}
-			});
-		}
-		return res.json();
-	}
-	/**
-	* List blobs that are missing (referenced but not imported)
+	* List blobs that are missing (referenced but not imported)
 	*/
 	async listMissingBlobs(limit, cursor) {
 		return ok(this.client.get("com.atproto.repo.listMissingBlobs", { params: {
@@ -1303,121 +788,1062 @@ var PDSClient = class PDSClient {
 				}
 			});
 		}
-		return res.json();
-	}
-	/**
-	* Check handle verification via HTTP well-known
-	*/
-	async checkHandleViaHttp(handle) {
-		try {
-			const res = await fetch(`https://${handle}/.well-known/atproto-did`);
-			if (!res.ok) return null;
-			return (await res.text()).trim() || null;
-		} catch {
-			return null;
-		}
-	}
-	/**
-	* Check handle verification via DNS TXT record (using DNS-over-HTTPS)
-	*/
-	async checkHandleViaDns(handle) {
-		try {
-			const res = await fetch(`https://cloudflare-dns.com/dns-query?name=_atproto.${handle}&type=TXT`, { headers: { Accept: "application/dns-json" } });
-			if (!res.ok) return null;
-			const txtRecord = (await res.json()).Answer?.find((a) => a.data?.includes("did="));
-			if (!txtRecord) return null;
-			return txtRecord.data.match(/did=([^\s"]+)/)?.[1] ?? null;
-		} catch {
-			return null;
-		}
-	}
-	/**
-	* Get a record from the repository
-	*/
-	async getRecord(repo, collection, rkey) {
-		try {
-			return await ok(this.client.get("com.atproto.repo.getRecord", { params: {
-				repo,
-				collection,
-				rkey
-			} }));
-		} catch (err) {
-			if (err instanceof ClientResponseError && err.status === 404) return null;
-			throw err;
-		}
-	}
-	/**
-	* Create or update a record in the repository
-	*/
-	async putRecord(repo, collection, rkey, record) {
-		return ok(this.client.post("com.atproto.repo.putRecord", { input: {
-			repo,
-			collection,
-			rkey,
-			record
-		} }));
-	}
-	/**
-	* Get the user's profile record
-	*/
-	async getProfile(did) {
-		const record = await this.getRecord(did, "app.bsky.actor.profile", "self");
-		if (!record) return null;
-		return record.value;
-	}
-	/**
-	* Create or update the user's profile
-	*/
-	async putProfile(did, profile) {
-		return this.putRecord(did, "app.bsky.actor.profile", "self", {
-			$type: "app.bsky.actor.profile",
-			...profile
+		return res.json();
+	}
+	/**
+	* Check handle verification via HTTP well-known
+	*/
+	async checkHandleViaHttp(handle) {
+		try {
+			const res = await fetch(`https://${handle}/.well-known/atproto-did`);
+			if (!res.ok) return null;
+			return (await res.text()).trim() || null;
+		} catch {
+			return null;
+		}
+	}
+	/**
+	* Check handle verification via DNS TXT record (using DNS-over-HTTPS)
+	*/
+	async checkHandleViaDns(handle) {
+		try {
+			const res = await fetch(`https://cloudflare-dns.com/dns-query?name=_atproto.${handle}&type=TXT`, { headers: { Accept: "application/dns-json" } });
+			if (!res.ok) return null;
+			const txtRecord = (await res.json()).Answer?.find((a) => a.data?.includes("did="));
+			if (!txtRecord) return null;
+			return txtRecord.data.match(/did=([^\s"]+)/)?.[1] ?? null;
+		} catch {
+			return null;
+		}
+	}
+	/**
+	* Get a record from the repository
+	*/
+	async getRecord(repo, collection, rkey) {
+		try {
+			return await ok(this.client.get("com.atproto.repo.getRecord", { params: {
+				repo,
+				collection,
+				rkey
+			} }));
+		} catch (err) {
+			if (err instanceof ClientResponseError && err.status === 404) return null;
+			throw err;
+		}
+	}
+	/**
+	* Create or update a record in the repository
+	*/
+	async putRecord(repo, collection, rkey, record) {
+		return ok(this.client.post("com.atproto.repo.putRecord", { input: {
+			repo,
+			collection,
+			rkey,
+			record
+		} }));
+	}
+	/**
+	* Get the user's profile record
+	*/
+	async getProfile(did) {
+		const record = await this.getRecord(did, "app.bsky.actor.profile", "self");
+		if (!record) return null;
+		return record.value;
+	}
+	/**
+	* Create or update the user's profile
+	*/
+	async putProfile(did, profile) {
+		return this.putRecord(did, "app.bsky.actor.profile", "self", {
+			$type: "app.bsky.actor.profile",
+			...profile
+		});
+	}
+	/**
+	* Initialize passkey registration
+	* Returns a URL for the user to visit on their device
+	*/
+	async initPasskeyRegistration(name) {
+		const url = new URL("/passkey/init", this.baseUrl);
+		const headers = { "Content-Type": "application/json" };
+		if (this.authToken) headers["Authorization"] = `Bearer ${this.authToken}`;
+		const res = await fetch(url.toString(), {
+			method: "POST",
+			headers,
+			body: JSON.stringify({ name })
+		});
+		if (!res.ok) {
+			const errorBody = await res.json().catch(() => ({}));
+			throw new ClientResponseError({
+				status: res.status,
+				headers: res.headers,
+				data: {
+					error: errorBody.error ?? "Unknown",
+					message: errorBody.message
+				}
+			});
+		}
+		return res.json();
+	}
+	/**
+	* List all registered passkeys
+	*/
+	async listPasskeys() {
+		const url = new URL("/passkey/list", this.baseUrl);
+		const headers = {};
+		if (this.authToken) headers["Authorization"] = `Bearer ${this.authToken}`;
+		const res = await fetch(url.toString(), {
+			method: "GET",
+			headers
+		});
+		if (!res.ok) {
+			const errorBody = await res.json().catch(() => ({}));
+			throw new ClientResponseError({
+				status: res.status,
+				headers: res.headers,
+				data: {
+					error: errorBody.error ?? "Unknown",
+					message: errorBody.message
+				}
+			});
+		}
+		return res.json();
+	}
+	/**
+	* Delete a passkey by credential ID
+	*/
+	async deletePasskey(credentialId) {
+		const url = new URL("/passkey/delete", this.baseUrl);
+		const headers = { "Content-Type": "application/json" };
+		if (this.authToken) headers["Authorization"] = `Bearer ${this.authToken}`;
+		const res = await fetch(url.toString(), {
+			method: "POST",
+			headers,
+			body: JSON.stringify({ id: credentialId })
+		});
+		if (!res.ok) {
+			const errorBody = await res.json().catch(() => ({}));
+			throw new ClientResponseError({
+				status: res.status,
+				headers: res.headers,
+				data: {
+					error: errorBody.error ?? "Unknown",
+					message: errorBody.message
+				}
+			});
+		}
+		return res.json();
+	}
+	static RELAY_URLS = ["https://relay1.us-west.bsky.network", "https://relay1.us-east.bsky.network"];
+	/**
+	* Get relay's view of this PDS host status from a single relay.
+	* Calls com.atproto.sync.getHostStatus on the relay.
+	*/
+	async getRelayHostStatus(pdsHostname, relayUrl) {
+		try {
+			const url = new URL("/xrpc/com.atproto.sync.getHostStatus", relayUrl);
+			url.searchParams.set("hostname", pdsHostname);
+			const res = await fetch(url.toString());
+			if (!res.ok) return null;
+			return {
+				...await res.json(),
+				relay: relayUrl
+			};
+		} catch {
+			return null;
+		}
+	}
+	/**
+	* Get relay status from all known relays.
+	* Returns results from each relay that responds.
+	*/
+	async getAllRelayHostStatus(pdsHostname) {
+		return (await Promise.all(PDSClient.RELAY_URLS.map((url) => this.getRelayHostStatus(pdsHostname, url)))).filter((r) => r !== null);
+	}
+	/**
+	* Request the relay to crawl this PDS.
+	* This notifies the Bluesky relay that the PDS is active and ready for federation.
+	* Uses bsky.network by default (the main relay endpoint).
+	*/
+	async requestCrawl(pdsHostname, relayUrl = "https://bsky.network") {
+		try {
+			const url = new URL("/xrpc/com.atproto.sync.requestCrawl", relayUrl);
+			return (await fetch(url.toString(), {
+				method: "POST",
+				headers: { "Content-Type": "application/json" },
+				body: JSON.stringify({ hostname: pdsHostname })
+			})).ok;
+		} catch {
+			return false;
+		}
+	}
+};
+//#endregion
+//#region src/cli/utils/cli-helpers.ts
+/**
+* Shared CLI utilities for PDS commands
+*/
+/**
+* Prompt for text input, exiting on cancel
+*/
+async function promptText(options) {
+	const result = await p.text(options);
+	if (p.isCancel(result)) {
+		p.cancel("Cancelled");
+		process.exit(0);
+	}
+	return result;
+}
+/**
+* Prompt for confirmation, exiting on cancel
+*/
+async function promptConfirm(options) {
+	const result = await p.confirm(options);
+	if (p.isCancel(result)) {
+		p.cancel("Cancelled");
+		process.exit(0);
+	}
+	return result;
+}
+/**
+* Prompt for selection, exiting on cancel
+*/
+async function promptSelect(options) {
+	const result = await p.select(options);
+	if (p.isCancel(result)) {
+		p.cancel("Cancelled");
+		process.exit(0);
+	}
+	return result;
+}
+/**
+* Get target PDS URL based on mode
+*/
+function getTargetUrl(isDev, pdsHostname) {
+	if (isDev) return `http://localhost:${process.env.PORT ? parseInt(process.env.PORT) ?? "5173" : "5173"}`;
+	if (!pdsHostname) throw new Error("PDS_HOSTNAME not configured in wrangler.jsonc");
+	return `https://${pdsHostname}`;
+}
+/**
+* Extract domain from URL
+*/
+function getDomain(url) {
+	try {
+		return new URL(url).hostname;
+	} catch {
+		return url;
+	}
+}
+/**
+* Detect which package manager is being used based on npm_config_user_agent
+*/
+function detectPackageManager() {
+	const userAgent = process.env.npm_config_user_agent || "";
+	if (userAgent.startsWith("yarn")) return "yarn";
+	if (userAgent.startsWith("pnpm")) return "pnpm";
+	if (userAgent.startsWith("bun")) return "bun";
+	return "npm";
+}
+/**
+* Format a command for the detected package manager
+* npm always needs "run" for scripts, pnpm/yarn/bun can use shorthand
+* except for "deploy" which conflicts with pnpm's built-in deploy command
+*/
+function formatCommand(pm, ...args) {
+	if (pm === "npm" || args[0] === "deploy") return `${pm} run ${args.join(" ")}`;
+	return `${pm} ${args.join(" ")}`;
+}
+//#endregion
+//#region src/cli/commands/passkey/add.ts
+/**
+* Add passkey command
+*
+* Generates a registration URL for the user to visit on their device.
+*/
+const addCommand = defineCommand({
+	meta: {
+		name: "add",
+		description: "Add a new passkey to your account"
+	},
+	args: {
+		dev: {
+			type: "boolean",
+			description: "Target local development server instead of production",
+			default: false
+		},
+		name: {
+			type: "string",
+			alias: "n",
+			description: "Name for this passkey (e.g., 'iPhone', 'MacBook')"
+		}
+	},
+	async run({ args }) {
+		const isDev = args.dev;
+		p.intro("🔐 Add Passkey");
+		const vars = getVars();
+		let targetUrl;
+		try {
+			targetUrl = getTargetUrl(isDev, vars.PDS_HOSTNAME);
+		} catch (err) {
+			p.log.error(err instanceof Error ? err.message : "Configuration error");
+			p.log.info("Run 'pds init' first to configure your PDS.");
+			process.exit(1);
+		}
+		const targetDomain = getDomain(targetUrl);
+		const wranglerVars = getVars();
+		const authToken = {
+			...readDevVars(),
+			...wranglerVars
+		}.AUTH_TOKEN;
+		if (!authToken) {
+			p.log.error("No AUTH_TOKEN found. Run 'pds init' first.");
+			p.outro("Cancelled.");
+			process.exit(1);
+		}
+		let passkeyName = args.name;
+		if (!passkeyName) passkeyName = await promptText({
+			message: "Name for this passkey (optional):",
+			placeholder: "iPhone, MacBook, etc."
+		}) || void 0;
+		const client = new PDSClient(targetUrl, authToken);
+		const spinner = p.spinner();
+		spinner.start(`Checking PDS at ${targetDomain}...`);
+		if (!await client.healthCheck()) {
+			spinner.stop(`PDS not responding at ${targetDomain}`);
+			p.log.error(`Your PDS isn't responding at ${targetUrl}`);
+			p.outro("Cancelled.");
+			process.exit(1);
+		}
+		spinner.stop(`Connected to ${targetDomain}`);
+		spinner.start("Generating registration link...");
+		let registration;
+		try {
+			registration = await client.initPasskeyRegistration(passkeyName);
+			spinner.stop("Registration link ready");
+		} catch (err) {
+			spinner.stop("Failed to generate registration link");
+			let errorMessage = "Could not generate registration link";
+			if (err instanceof Error) errorMessage = err.message;
+			const errObj = err;
+			if (errObj?.data?.message) errorMessage = errObj.data.message;
+			else if (errObj?.data?.error) errorMessage = errObj.data.error;
+			p.log.error(errorMessage);
+			p.outro("Cancelled.");
+			process.exit(1);
+		}
+		const expiresIn = Math.round((registration.expiresAt - Date.now()) / 1e3 / 60);
+		p.log.info("");
+		p.log.info(pc.bold("Scan this QR code on your phone, or open the URL:"));
+		p.log.info("");
+		const qrString = await QRCode.toString(registration.url, {
+			type: "terminal",
+			small: true
+		});
+		console.log(qrString);
+		p.log.info(`  ${pc.cyan(registration.url)}`);
+		p.log.info("");
+		p.log.info(pc.dim(`This link expires in ${expiresIn} minutes.`));
+		p.log.info("");
+		const done = await p.text({
+			message: "Press Enter when you've completed registration on your device",
+			placeholder: "(or Ctrl+C to cancel)",
+			defaultValue: ""
+		});
+		if (p.isCancel(done)) {
+			p.cancel("Cancelled.");
+			process.exit(0);
+		}
+		spinner.start("Verifying registration...");
+		try {
+			const result = await client.listPasskeys();
+			const twoMinutesAgo = Date.now() - 120 * 1e3;
+			if (result.passkeys.some((pk) => {
+				return (/* @__PURE__ */ new Date(pk.createdAt.replace(" ", "T") + "Z")).getTime() > twoMinutesAgo;
+			})) {
+				spinner.stop("Passkey registered successfully!");
+				p.log.success("Your passkey is ready to use.");
+			} else {
+				spinner.stop("Registration not detected");
+				p.log.warn("Could not verify registration. Check 'pds passkey list' to see your passkeys.");
+			}
+		} catch {
+			spinner.stop("Could not verify registration");
+			p.log.warn("Check 'pds passkey list' to see your passkeys.");
+		}
+		p.outro("Done!");
+	}
+});
+//#endregion
+//#region src/cli/commands/passkey/list.ts
+/**
+* List passkeys command
+*/
+/**
+* Format a date as yyyy-mm-dd hh:mm
+*/
+function formatDateTime(isoString) {
+	const d = new Date(isoString);
+	return `${d.getFullYear()}-${String(d.getMonth() + 1).padStart(2, "0")}-${String(d.getDate()).padStart(2, "0")} ${String(d.getHours()).padStart(2, "0")}:${String(d.getMinutes()).padStart(2, "0")}`;
+}
+const listCommand = defineCommand({
+	meta: {
+		name: "list",
+		description: "List all registered passkeys"
+	},
+	args: { dev: {
+		type: "boolean",
+		description: "Target local development server instead of production",
+		default: false
+	} },
+	async run({ args }) {
+		const isDev = args.dev;
+		p.intro("🔐 Passkeys");
+		const vars = getVars();
+		let targetUrl;
+		try {
+			targetUrl = getTargetUrl(isDev, vars.PDS_HOSTNAME);
+		} catch (err) {
+			p.log.error(err instanceof Error ? err.message : "Configuration error");
+			p.log.info("Run 'pds init' first to configure your PDS.");
+			process.exit(1);
+		}
+		const targetDomain = getDomain(targetUrl);
+		const wranglerVars = getVars();
+		const authToken = {
+			...readDevVars(),
+			...wranglerVars
+		}.AUTH_TOKEN;
+		if (!authToken) {
+			p.log.error("No AUTH_TOKEN found. Run 'pds init' first.");
+			p.outro("Cancelled.");
+			process.exit(1);
+		}
+		const client = new PDSClient(targetUrl, authToken);
+		const spinner = p.spinner();
+		spinner.start(`Checking PDS at ${targetDomain}...`);
+		if (!await client.healthCheck()) {
+			spinner.stop(`PDS not responding at ${targetDomain}`);
+			p.log.error(`Your PDS isn't responding at ${targetUrl}`);
+			p.outro("Cancelled.");
+			process.exit(1);
+		}
+		spinner.stop(`Connected to ${targetDomain}`);
+		spinner.start("Fetching passkeys...");
+		let result;
+		try {
+			result = await client.listPasskeys();
+			spinner.stop("Passkeys retrieved");
+		} catch (err) {
+			spinner.stop("Failed to fetch passkeys");
+			p.log.error(err instanceof Error ? err.message : "Could not fetch passkeys");
+			p.outro("Failed.");
+			process.exit(1);
+		}
+		if (result.passkeys.length === 0) {
+			p.log.info("No passkeys registered.");
+			p.log.info(`Run ${pc.cyan("pds passkey add")} to register a passkey.`);
+		} else {
+			p.log.info("");
+			p.log.info(`${pc.bold("Registered passkeys:")}`);
+			p.log.info("");
+			for (const pk of result.passkeys) {
+				const name = pk.name || pc.dim("(unnamed)");
+				const created = formatDateTime(pk.createdAt);
+				const lastUsed = pk.lastUsedAt ? formatDateTime(pk.lastUsedAt) : pc.dim("never");
+				const idPreview = pk.id.slice(0, 16) + "...";
+				console.log(`  ${pc.green("●")} ${pc.bold(name)}`);
+				console.log(`    ${pc.dim("ID:")} ${idPreview}`);
+				console.log(`    ${pc.dim("Created:")} ${created}  ${pc.dim("Last used:")} ${lastUsed}`);
+				console.log("");
+			}
+			p.log.info(pc.dim(`Total: ${result.passkeys.length} passkey(s)`));
+		}
+		p.outro("Done!");
+	}
+});
+//#endregion
+//#region src/cli/commands/passkey/remove.ts
+/**
+* Remove passkey command
+*/
+const removeCommand = defineCommand({
+	meta: {
+		name: "remove",
+		description: "Remove a passkey from your account"
+	},
+	args: {
+		dev: {
+			type: "boolean",
+			description: "Target local development server instead of production",
+			default: false
+		},
+		id: {
+			type: "string",
+			description: "Credential ID of the passkey to remove"
+		},
+		yes: {
+			type: "boolean",
+			alias: "y",
+			description: "Skip confirmation",
+			default: false
+		}
+	},
+	async run({ args }) {
+		const isDev = args.dev;
+		const skipConfirm = args.yes;
+		p.intro("🔐 Remove Passkey");
+		const vars = getVars();
+		let targetUrl;
+		try {
+			targetUrl = getTargetUrl(isDev, vars.PDS_HOSTNAME);
+		} catch (err) {
+			p.log.error(err instanceof Error ? err.message : "Configuration error");
+			p.log.info("Run 'pds init' first to configure your PDS.");
+			process.exit(1);
+		}
+		const targetDomain = getDomain(targetUrl);
+		const wranglerVars = getVars();
+		const authToken = {
+			...readDevVars(),
+			...wranglerVars
+		}.AUTH_TOKEN;
+		if (!authToken) {
+			p.log.error("No AUTH_TOKEN found. Run 'pds init' first.");
+			p.outro("Cancelled.");
+			process.exit(1);
+		}
+		const client = new PDSClient(targetUrl, authToken);
+		const spinner = p.spinner();
+		spinner.start(`Checking PDS at ${targetDomain}...`);
+		if (!await client.healthCheck()) {
+			spinner.stop(`PDS not responding at ${targetDomain}`);
+			p.log.error(`Your PDS isn't responding at ${targetUrl}`);
+			p.outro("Cancelled.");
+			process.exit(1);
+		}
+		spinner.stop(`Connected to ${targetDomain}`);
+		let credentialId = args.id;
+		if (!credentialId) {
+			spinner.start("Fetching passkeys...");
+			let result;
+			try {
+				result = await client.listPasskeys();
+				spinner.stop("Passkeys retrieved");
+			} catch (err) {
+				spinner.stop("Failed to fetch passkeys");
+				p.log.error(err instanceof Error ? err.message : "Could not fetch passkeys");
+				p.outro("Failed.");
+				process.exit(1);
+			}
+			if (result.passkeys.length === 0) {
+				p.log.info("No passkeys to remove.");
+				p.outro("Done!");
+				return;
+			}
+			const options = result.passkeys.map((pk) => ({
+				value: pk.id,
+				label: pk.name || "(unnamed)",
+				hint: `Created ${new Date(pk.createdAt).toLocaleDateString()}`
+			}));
+			const selected = await p.select({
+				message: "Select passkey to remove:",
+				options
+			});
+			if (p.isCancel(selected)) {
+				p.cancel("Cancelled.");
+				process.exit(0);
+			}
+			credentialId = selected;
+		}
+		if (!skipConfirm) {
+			const confirm = await p.confirm({
+				message: `Remove this passkey? This cannot be undone.`,
+				initialValue: false
+			});
+			if (p.isCancel(confirm) || !confirm) {
+				p.cancel("Cancelled.");
+				process.exit(0);
+			}
+		}
+		spinner.start("Removing passkey...");
+		try {
+			if ((await client.deletePasskey(credentialId)).success) {
+				spinner.stop("Passkey removed");
+				p.log.success("Passkey has been removed from your account.");
+			} else {
+				spinner.stop("Failed to remove passkey");
+				p.log.error("Passkey not found or could not be removed.");
+			}
+		} catch (err) {
+			spinner.stop("Failed to remove passkey");
+			p.log.error(err instanceof Error ? err.message : "Could not remove passkey");
+			p.outro("Failed.");
+			process.exit(1);
+		}
+		p.outro("Done!");
+	}
+});
+//#endregion
+//#region src/cli/commands/passkey/index.ts
+/**
+* Passkey management commands
+*/
+const passkeyCommand = defineCommand({
+	meta: {
+		name: "passkey",
+		description: "Manage passkeys for passwordless authentication"
+	},
+	subCommands: {
+		add: addCommand,
+		list: listCommand,
+		remove: removeCommand
+	}
+});
+//#endregion
+//#region src/cli/utils/handle-resolver.ts
+/**
+* Utilities for resolving AT Protocol handles to DIDs
+*/
+const resolver = new DohJsonHandleResolver({ dohUrl: "https://cloudflare-dns.com/dns-query" });
+/**
+* Resolve a handle to a DID using the AT Protocol handle resolution methods.
+* Uses DNS-over-HTTPS via Cloudflare for DNS resolution.
+*/
+async function resolveHandleToDid(handle) {
+	try {
+		return await resolver.resolve(handle, { signal: AbortSignal.timeout(1e4) });
+	} catch {
+		return null;
+	}
+}
+//#endregion
+//#region src/did-resolver.ts
+/**
+* DID resolution for Cloudflare Workers
+*
+* Uses @atcute/identity-resolver which is already Workers-compatible
+* (uses redirect: "manual" internally).
+*/
+const PLC_DIRECTORY = "https://plc.directory";
+const TIMEOUT_MS = 3e3;
+/**
+* Wrapper that always uses globalThis.fetch so it can be mocked in tests.
+* @atcute resolvers capture the fetch reference at construction time,
+* so we need this indirection to allow test mocking.
+*/
+const stubbableFetch = (input, init) => globalThis.fetch(input, init);
+var DidResolver = class {
+	resolver;
+	timeout;
+	cache;
+	constructor(opts = {}) {
+		this.timeout = opts.timeout ?? TIMEOUT_MS;
+		this.cache = opts.didCache;
+		this.resolver = new CompositeDidDocumentResolver({ methods: {
+			plc: new PlcDidDocumentResolver({
+				apiUrl: opts.plcUrl ?? PLC_DIRECTORY,
+				fetch: stubbableFetch
+			}),
+			web: new WebDidDocumentResolver({ fetch: stubbableFetch })
+		} });
+	}
+	async resolve(did) {
+		if (this.cache) {
+			const cached = await this.cache.checkCache(did);
+			if (cached && !cached.expired) {
+				if (cached.stale) this.cache.refreshCache(did, () => this.resolveNoCache(did), cached);
+				return cached.doc;
+			}
+		}
+		const doc = await this.resolveNoCache(did);
+		if (doc && this.cache) await this.cache.cacheDid(did, doc);
+		else if (!doc && this.cache) await this.cache.clearEntry(did);
+		return doc;
+	}
+	async resolveNoCache(did) {
+		const controller = new AbortController();
+		const timeoutId = setTimeout(() => controller.abort(), this.timeout);
+		try {
+			const doc = await this.resolver.resolve(did, { signal: controller.signal });
+			if (doc.id !== did) return null;
+			return doc;
+		} catch {
+			return null;
+		} finally {
+			clearTimeout(timeoutId);
+		}
+	}
+};
+//#endregion
+//#region src/cli/commands/init.ts
+/**
+* Interactive PDS setup wizard
+*/
+/**
+* Slugify a handle to create a worker name
+* e.g., "example.com" -> "example-com-pds"
+*/
+function slugifyHandle(handle) {
+	return handle.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-|-$/g, "") + "-pds";
+}
+const defaultWorkerName = "my-pds";
+/**
+* Prompt for worker name with validation
+*/
+async function promptWorkerName(handle, currentWorkerName) {
+	const placeholder = currentWorkerName && currentWorkerName !== defaultWorkerName ? currentWorkerName : slugifyHandle(handle);
+	return promptText({
+		message: "Cloudflare Worker name:",
+		placeholder,
+		initialValue: placeholder,
+		validate: (v) => {
+			if (!v) return "Worker name is required";
+			if (!/^[a-z0-9-]+$/.test(v)) return "Worker name can only contain lowercase letters, numbers, and hyphens";
+		}
+	});
+}
+/**
+* Ensure a Cloudflare account_id is configured.
+* If multiple accounts detected, prompts user to select one.
+*/
+async function ensureAccountConfigured() {
+	const spinner = p.spinner();
+	spinner.start("Checking Cloudflare account...");
+	const accounts = await detectCloudflareAccounts();
+	if (accounts === null) {
+		spinner.stop("Cloudflare account configured");
+		return;
+	}
+	spinner.stop(`Found ${accounts.length} Cloudflare accounts`);
+	const selectedId = await promptSelect({
+		message: "Select your Cloudflare account:",
+		options: accounts.map((acc) => ({
+			value: acc.id,
+			label: acc.name,
+			hint: acc.id.slice(0, 8) + "..."
+		}))
+	});
+	setAccountId(selectedId);
+	const selectedName = accounts.find((a) => a.id === selectedId)?.name;
+	p.log.success(`Account "${selectedName}" saved to wrangler.jsonc`);
+}
+/**
+* Run wrangler types to regenerate TypeScript types
+*/
+function runWranglerTypes() {
+	return new Promise((resolve$1, reject) => {
+		const child = spawn("wrangler", ["types"], { stdio: "pipe" });
+		let output = "";
+		child.stdout?.on("data", (data) => {
+			output += data.toString();
+		});
+		child.stderr?.on("data", (data) => {
+			output += data.toString();
+		});
+		child.on("close", (code) => {
+			if (code === 0) resolve$1();
+			else {
+				if (output) console.error(output);
+				reject(/* @__PURE__ */ new Error(`wrangler types failed with code ${code}`));
+			}
+		});
+		child.on("error", reject);
+	});
+}
+const initCommand = defineCommand({
+	meta: {
+		name: "init",
+		description: "Interactive PDS setup wizard"
+	},
+	args: { production: {
+		type: "boolean",
+		description: "Deploy secrets to Cloudflare?",
+		default: false
+	} },
+	async run({ args }) {
+		const pm = detectPackageManager();
+		p.intro("🦋 PDS Setup");
+		const isProduction = args.production;
+		if (isProduction) p.log.info("Production mode: secrets will be deployed to Cloudflare");
+		p.log.info("Let's set up your new home in the Atmosphere!");
+		const wranglerVars = getVars();
+		const devVars = readDevVars();
+		const currentVars = {
+			...devVars,
+			...wranglerVars
+		};
+		const isMigrating = await promptConfirm({
+			message: "Are you migrating an existing Bluesky/ATProto account?",
+			initialValue: false
+		});
+		let did;
+		let handle;
+		let hostname;
+		let workerName;
+		let initialActive;
+		const currentWorkerName = getWorkerName();
+		if (isMigrating) {
+			p.log.info("Time to pack your bags! 🧳");
+			p.log.info("Your new account will be inactive until you're ready to go live.");
+			let hostedDomains = [
+				".bsky.social",
+				".bsky.network",
+				".bsky.team"
+			];
+			const isHostedHandle = (h) => hostedDomains.some((domain) => h?.endsWith(domain));
+			let resolvedDid = null;
+			let existingHandle = null;
+			let attempts = 0;
+			const MAX_ATTEMPTS = 3;
+			while (!resolvedDid && attempts < MAX_ATTEMPTS) {
+				attempts++;
+				const currentHandle = await promptText({
+					message: "Your current Bluesky/ATProto handle:",
+					placeholder: "example.bsky.social",
+					validate: (v) => !v ? "Handle is required" : void 0
+				});
+				existingHandle = currentHandle;
+				const spinner$1 = p.spinner();
+				spinner$1.start("Finding you in the Atmosphere...");
+				resolvedDid = await resolveHandleToDid(currentHandle);
+				if (!resolvedDid) {
+					spinner$1.stop("Not found");
+					p.log.error(`Failed to resolve handle "${currentHandle}"`);
+					if (await promptSelect({
+						message: "What would you like to do?",
+						options: [{
+							value: "retry",
+							label: "Try a different handle"
+						}, {
+							value: "manual",
+							label: "Enter DID manually"
+						}]
+					}) === "manual") resolvedDid = await promptText({
+						message: "Enter your DID:",
+						placeholder: "did:plc:...",
+						validate: (v) => {
+							if (!v) return "DID is required";
+							if (!v.startsWith("did:")) return "DID must start with did:";
+						}
+					});
+				} else {
+					try {
+						const pdsService = (await new DidResolver().resolve(resolvedDid))?.service?.find((s) => s.type === "AtprotoPersonalDataServer" || s.id === "#atproto_pds");
+						if (pdsService?.serviceEndpoint) {
+							const describeRes = await fetch(`${pdsService.serviceEndpoint}/xrpc/com.atproto.server.describeServer`);
+							if (describeRes.ok) {
+								const desc = await describeRes.json();
+								if (desc.availableUserDomains?.length) hostedDomains = desc.availableUserDomains.map((d) => d.startsWith(".") ? d : `.${d}`);
+							}
+						}
+					} catch {}
+					spinner$1.stop(`Found you! ${resolvedDid}`);
+					if (isHostedHandle(existingHandle)) {
+						const theirDomain = hostedDomains.find((d) => existingHandle?.endsWith(d));
+						const domainExample = theirDomain ? `*${theirDomain}` : "*.bsky.social";
+						p.log.warn(`You'll need a custom domain for your new handle (not ${domainExample}). You can set this up after transferring your data.`);
+					}
+					if (attempts >= MAX_ATTEMPTS) {
+						p.log.error("Unable to resolve handle after 3 attempts.");
+						p.log.info("");
+						p.log.info("You can:");
+						p.log.info("  1. Double-check your handle spelling");
+						p.log.info("  2. Provide your DID directly if you know it");
+						p.log.info("  3. Run 'pds init' again when ready");
+						p.outro("Initialization cancelled.");
+						process.exit(1);
+					}
+				}
+			}
+			did = resolvedDid;
+			handle = await promptText({
+				message: "New account handle (must be a domain you control):",
+				placeholder: "example.com",
+				initialValue: existingHandle && !isHostedHandle(existingHandle) ? existingHandle : currentVars.HANDLE || "",
+				validate: (v) => {
+					if (!v) return "Handle is required";
+					if (isHostedHandle(v)) return "You need a custom domain - hosted handles like *.bsky.social won't work";
+				}
+			});
+			hostname = await promptText({
+				message: "Domain where you'll deploy your PDS:",
+				placeholder: handle,
+				initialValue: currentVars.PDS_HOSTNAME || handle,
+				validate: (v) => !v ? "Hostname is required" : void 0
+			});
+			workerName = await promptWorkerName(handle, currentWorkerName);
+			initialActive = "false";
+			await ensureAccountConfigured();
+		} else {
+			p.log.info("A fresh start in the Atmosphere! ✨");
+			hostname = await promptText({
+				message: "Domain where you'll deploy your PDS:",
+				placeholder: "pds.example.com",
+				initialValue: currentVars.PDS_HOSTNAME || "",
+				validate: (v) => !v ? "Hostname is required" : void 0
+			});
+			handle = await promptText({
+				message: "Account handle:",
+				placeholder: hostname,
+				initialValue: currentVars.HANDLE || hostname,
+				validate: (v) => !v ? "Handle is required" : void 0
+			});
+			const didDefault = "did:web:" + hostname;
+			did = await promptText({
+				message: "Account DID:",
+				placeholder: didDefault,
+				initialValue: currentVars.DID || didDefault,
+				validate: (v) => {
+					if (!v) return "DID is required";
+					if (!v.startsWith("did:")) return "DID must start with 'did:'";
+				}
+			});
+			workerName = await promptWorkerName(handle, currentWorkerName);
+			initialActive = "true";
+			await ensureAccountConfigured();
+			if (handle === hostname) p.note([
+				"Your handle matches your PDS hostname, so your PDS will",
+				"automatically handle domain verification for you!",
+				"",
+				"For did:web, your PDS serves the DID document at:",
+				`  https://${hostname}/.well-known/did.json`,
+				"",
+				"For handle verification, it serves:",
+				`  https://${hostname}/.well-known/atproto-did`,
+				"",
+				"No additional DNS or hosting setup needed. Easy! 🎉"
+			].join("\n"), "Identity Setup 🪪");
+			else p.note([
+				"For did:web, your PDS will serve the DID document at:",
+				`  https://${hostname}/.well-known/did.json`,
+				"",
+				"To verify your handle, create a DNS TXT record:",
+				`  _atproto.${handle} TXT "did=${did}"`,
+				"",
+				"Or serve a file at:",
+				`  https://${handle}/.well-known/atproto-did`,
+				`  containing: ${did}`
+			].join("\n"), "Identity Setup 🪪");
+		}
+		const spinner = p.spinner();
+		const authToken = await getOrGenerateSecret("AUTH_TOKEN", devVars, async () => {
+			spinner.start("Generating auth token...");
+			const token = generateAuthToken();
+			spinner.stop("Auth token generated");
+			return token;
 		});
-	}
-	static RELAY_URLS = ["https://relay1.us-west.bsky.network", "https://relay1.us-east.bsky.network"];
-	/**
-	* Get relay's view of this PDS host status from a single relay.
-	* Calls com.atproto.sync.getHostStatus on the relay.
-	*/
-	async getRelayHostStatus(pdsHostname, relayUrl) {
+		const signingKey = await getOrGenerateSecret("SIGNING_KEY", devVars, async () => {
+			spinner.start("Generating signing keypair...");
+			const { privateKey } = await generateSigningKeypair();
+			spinner.stop("Signing keypair generated");
+			return privateKey;
+		});
+		const signingKeyPublic = await derivePublicKey(signingKey);
+		const jwtSecret = await getOrGenerateSecret("JWT_SECRET", devVars, async () => {
+			spinner.start("Generating JWT secret...");
+			const secret = generateJwtSecret();
+			spinner.stop("JWT secret generated");
+			return secret;
+		});
+		const passwordHash = await getOrGenerateSecret("PASSWORD_HASH", devVars, async () => {
+			const password = await promptPassword(handle);
+			spinner.start("Hashing password...");
+			const hash = await hashPassword(password);
+			spinner.stop("Password hashed");
+			return hash;
+		});
+		spinner.start("Updating wrangler.jsonc...");
+		setWorkerName(workerName);
+		setVars({
+			PDS_HOSTNAME: hostname,
+			DID: did,
+			HANDLE: handle,
+			SIGNING_KEY_PUBLIC: signingKeyPublic,
+			INITIAL_ACTIVE: initialActive
+		});
+		setCustomDomains([hostname]);
+		spinner.stop("wrangler.jsonc updated");
+		const local = !isProduction;
+		if (isProduction) spinner.start("Deploying secrets to Cloudflare...");
+		else spinner.start("Writing secrets to .dev.vars...");
+		await setSecretValue("AUTH_TOKEN", authToken, local);
+		await setSecretValue("SIGNING_KEY", signingKey, local);
+		await setSecretValue("JWT_SECRET", jwtSecret, local);
+		await setSecretValue("PASSWORD_HASH", passwordHash, local);
+		spinner.stop(isProduction ? "Secrets deployed" : "Secrets written to .dev.vars");
+		spinner.start("Generating TypeScript types...");
 		try {
-			const url = new URL("/xrpc/com.atproto.sync.getHostStatus", relayUrl);
-			url.searchParams.set("hostname", pdsHostname);
-			const res = await fetch(url.toString());
-			if (!res.ok) return null;
-			return {
-				...await res.json(),
-				relay: relayUrl
-			};
+			await runWranglerTypes();
+			spinner.stop("TypeScript types generated");
 		} catch {
-			return null;
+			spinner.stop("Failed to generate types (wrangler types)");
 		}
-	}
-	/**
-	* Get relay status from all known relays.
-	* Returns results from each relay that responds.
-	*/
-	async getAllRelayHostStatus(pdsHostname) {
-		return (await Promise.all(PDSClient.RELAY_URLS.map((url) => this.getRelayHostStatus(pdsHostname, url)))).filter((r) => r !== null);
-	}
-	/**
-	* Request the relay to crawl this PDS.
-	* This notifies the Bluesky relay that the PDS is active and ready for federation.
-	* Uses bsky.network by default (the main relay endpoint).
-	*/
-	async requestCrawl(pdsHostname, relayUrl = "https://bsky.network") {
-		try {
-			const url = new URL("/xrpc/com.atproto.sync.requestCrawl", relayUrl);
-			return (await fetch(url.toString(), {
-				method: "POST",
-				headers: { "Content-Type": "application/json" },
-				body: JSON.stringify({ hostname: pdsHostname })
-			})).ok;
-		} catch {
-			return false;
+		p.note([
+			"  Worker name:  " + workerName,
+			"  PDS hostname: " + hostname,
+			"  DID: " + did,
+			"  Handle: " + handle,
+			"  Public signing key: " + signingKeyPublic.slice(0, 20) + "...",
+			"",
+			isProduction ? "Secrets deployed to Cloudflare ☁️" : "Secrets saved to .dev.vars",
+			"",
+			"Auth token (save this!):",
+			"  " + authToken
+		].join("\n"), "Your New Home 🏠");
+		let deployedSecrets = isProduction;
+		if (!isProduction) {
+			const deployNow = await p.confirm({
+				message: "Push secrets to Cloudflare now?",
+				initialValue: false
+			});
+			if (!p.isCancel(deployNow) && deployNow) {
+				spinner.start("Deploying secrets to Cloudflare...");
+				await setSecretValue("AUTH_TOKEN", authToken, false);
+				await setSecretValue("SIGNING_KEY", signingKey, false);
+				await setSecretValue("JWT_SECRET", jwtSecret, false);
+				await setSecretValue("PASSWORD_HASH", passwordHash, false);
+				spinner.stop("Secrets deployed to Cloudflare");
+				deployedSecrets = true;
+			}
 		}
+		if (isMigrating) p.note([
+			deployedSecrets ? "Deploy your worker and run the migration:" : "Push secrets, deploy, and run the migration:",
+			"",
+			...deployedSecrets ? [] : [`  ${formatCommand(pm, "pds", "init", "--production")}`, ""],
+			`  ${formatCommand(pm, "deploy")}`,
+			`  ${formatCommand(pm, "pds", "migrate")}`,
+			"",
+			"To test locally first:",
+			`  ${formatCommand(pm, "dev")}              # in one terminal`,
+			`  ${formatCommand(pm, "pds", "migrate", "--dev")}  # in another`,
+			"",
+			"Then update your identity and flip the switch! 🦋",
+			"  https://atproto.com/guides/account-migration"
+		].join("\n"), "Next Steps 🧳");
+		if (deployedSecrets) p.outro(`Run '${formatCommand(pm, "deploy")}' to launch your PDS! 🚀`);
+		else p.outro(`Run '${formatCommand(pm, "dev")}' to start your PDS locally! 🦋`);
 	}
-};
+});
+/**
+* Helper to get a secret from .dev.vars or generate a new one
+*/
+async function getOrGenerateSecret(name, devVars, generate) {
+	if (devVars[name]) {
+		if (await p.confirm({
+			message: `Use ${name} from .dev.vars?`,
+			initialValue: true
+		}) === true) return devVars[name];
+	}
+	return generate();
+}
 //#endregion
 //#region src/cli/commands/migrate.ts
@@ -2600,6 +3026,7 @@ runMain(defineCommand({
 	subCommands: {
 		init: initCommand,
 		secret: secretCommand,
+		passkey: passkeyCommand,
 		migrate: migrateCommand,
 		activate: activateCommand,
 		deactivate: deactivateCommand,