npm - @getcirrus/pds - Versions diffs - 0.7.0 → 0.8.0 - Mend

@getcirrus/pds 0.7.0 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/README.md CHANGED Viewed

@@ -177,6 +177,24 @@ pds migrate --clean      # Reset and re-import
 pds activate             # Go live again
 ```
+### `pds migrate-token`
+Generates a migration token for migrating away from this PDS to another one.
+```bash
+pds migrate-token        # Generate token for production PDS
+pds migrate-token --dev  # Generate token for local development PDS
+```
+When migrating to a new PDS, the destination will ask for a confirmation token. This command generates a stateless HMAC-based token that:
+- Is valid for 15 minutes
+- Contains your DID and expiry time
+- Is cryptographically signed with your JWT secret
+- Requires no database storage
+The token is copied to your clipboard and displayed in the terminal. After migration completes, run `pds deactivate` on this PDS.
 ### `pds passkey`
 Manage passkeys for passwordless authentication.

package/dist/cli.js CHANGED Viewed

@@ -977,6 +977,27 @@ var PDSClient = class PDSClient {
 		}
 		return res.json();
 	}
+	/**
+	* Get a migration token for outbound migration.
+	* This token can be used to migrate to another PDS.
+	*/
+	async getMigrationToken() {
+		const url = new URL("/xrpc/gg.mk.experimental.getMigrationToken", this.baseUrl);
+		const headers = {};
+		if (this.authToken) headers["Authorization"] = `Bearer ${this.authToken}`;
+		const res = await fetch(url.toString(), {
+			method: "GET",
+			headers
+		});
+		if (!res.ok) return {
+			success: false,
+			error: (await res.json().catch(() => ({}))).message ?? `Request failed: ${res.status}`
+		};
+		return {
+			success: true,
+			token: (await res.json()).token
+		};
+	}
 	static RELAY_URLS = ["https://relay1.us-west.bsky.network", "https://relay1.us-east.bsky.network"];
 	/**
 	* Get relay's view of this PDS host status from a single relay.
@@ -1192,20 +1213,22 @@ async function saveTo1Password(key, handle) {
 * Captures output and throws on non-zero exit code.
 * Use this for running npm/pnpm/yarn scripts etc.
 */
-function runCommand(cmd, args) {
+function runCommand(cmd, args, options = {}) {
 	return new Promise((resolve$1, reject) => {
-		const child = spawn(cmd, args, { stdio: "pipe" });
+		const child = spawn(cmd, args, { stdio: options.stream ? "inherit" : "pipe" });
 		let output = "";
-		child.stdout?.on("data", (data) => {
-			output += data.toString();
-		});
-		child.stderr?.on("data", (data) => {
-			output += data.toString();
-		});
+		if (!options.stream) {
+			child.stdout?.on("data", (data) => {
+				output += data.toString();
+			});
+			child.stderr?.on("data", (data) => {
+				output += data.toString();
+			});
+		}
 		child.on("close", (code) => {
 			if (code === 0) resolve$1();
 			else {
-				if (output) console.error(output);
+				if (output && !options.stream) console.error(output);
 				reject(/* @__PURE__ */ new Error(`${cmd} ${args.join(" ")} failed with code ${code}`));
 			}
 		});
@@ -2098,14 +2121,12 @@ const initCommand = defineCommand({
 				initialValue: true
 			});
 			if (!p.isCancel(deployWorker) && deployWorker) {
-				spinner.start("Building and deploying to Cloudflare...");
+				p.log.step("Deploying to Cloudflare...");
 				try {
-					await runCommand(pm === "npm" ? "npm" : pm, ["run", "build"]);
-					await runCommand(pm === "npm" ? "npm" : pm, ["run", "deploy"]);
-					spinner.stop("Deployed to Cloudflare! 🚀");
+					await runCommand(pm, ["run", "deploy"], { stream: true });
+					p.log.success("Deployed to Cloudflare! 🚀");
 					deployed = true;
 				} catch (error) {
-					spinner.stop("Deployment failed");
 					p.log.error(`Failed to deploy: ${error instanceof Error ? error.message : "Unknown error"}`);
 					p.log.info(`You can deploy manually with: ${formatCommand(pm, "deploy")}`);
 				}
@@ -2495,6 +2516,97 @@ function showNextSteps(pm, sourceDomain) {
 	]), "Almost there!");
 }
+//#endregion
+//#region src/cli/commands/migrate-token.ts
+/**
+* Generate a migration token for outbound migration
+*
+* Calls the PDS API to generate a stateless HMAC token that another PDS
+* can use to request a signed PLC operation. The token is valid for 15 minutes.
+*/
+const migrateTokenCommand = defineCommand({
+	meta: {
+		name: "migrate-token",
+		description: "Generate a migration token for moving to another PDS"
+	},
+	args: { dev: {
+		type: "boolean",
+		description: "Target local development server instead of production",
+		default: false
+	} },
+	async run({ args }) {
+		const isDev = args.dev;
+		const pm = detectPackageManager();
+		p.intro("Generate Migration Token");
+		const spinner = p.spinner();
+		spinner.start("Loading configuration...");
+		const wranglerVars = getVars();
+		const config = {
+			...readDevVars(),
+			...wranglerVars
+		};
+		const pdsHostname = config.PDS_HOSTNAME;
+		const authToken = config.AUTH_TOKEN;
+		if (!pdsHostname && !isDev) {
+			spinner.stop("No PDS_HOSTNAME configured");
+			p.log.error("Run 'pds init' first to set up your PDS.");
+			p.outro("Token generation cancelled.");
+			process.exit(1);
+		}
+		if (!authToken) {
+			spinner.stop("No AUTH_TOKEN found");
+			p.log.error("AUTH_TOKEN is required to authenticate with your PDS.");
+			p.outro("Token generation cancelled.");
+			process.exit(1);
+		}
+		let targetUrl;
+		try {
+			targetUrl = getTargetUrl(isDev, pdsHostname);
+		} catch (err) {
+			spinner.stop("Configuration error");
+			p.log.error(err instanceof Error ? err.message : "Configuration error");
+			p.outro("Token generation cancelled.");
+			process.exit(1);
+		}
+		spinner.stop("Configuration loaded");
+		spinner.start("Connecting to PDS...");
+		const pdsClient = new PDSClient(targetUrl, authToken);
+		if (!await pdsClient.healthCheck()) {
+			spinner.stop("PDS not responding");
+			p.log.error(`Your PDS isn't responding at ${targetUrl}`);
+			if (isDev) p.log.info(`Start it with: ${formatCommand(pm, "dev")}`);
+			else p.log.info(`Make sure your worker is deployed: ${formatCommand(pm, "deploy")}`);
+			p.outro("Token generation cancelled.");
+			process.exit(1);
+		}
+		spinner.stop("Connected to PDS");
+		spinner.start("Generating migration token...");
+		const result = await pdsClient.getMigrationToken();
+		if (!result.success || !result.token) {
+			spinner.stop("Failed to generate token");
+			p.log.error(result.error ?? "Could not generate migration token");
+			p.outro("Token generation cancelled.");
+			process.exit(1);
+		}
+		spinner.stop("Token generated");
+		if (await copyToClipboard(result.token)) p.log.success("Migration token copied to clipboard!");
+		else p.log.info("Could not copy to clipboard. Token:");
+		console.log("");
+		console.log(pc.bold(result.token));
+		console.log("");
+		p.note([
+			"This token is valid for 15 minutes.",
+			"",
+			"Paste it into the new PDS when prompted for",
+			"a migration/confirmation code.",
+			"",
+			"Once migration is complete, you can deactivate",
+			"this PDS with: pnpm pds deactivate"
+		].join("\n"), "Next Steps");
+		p.outro("Good luck with the migration!");
+	}
+});
 //#endregion
 //#region src/cli/utils/plc-client.ts
 /**
@@ -3724,6 +3836,7 @@ runMain(defineCommand({
 		secret: secretCommand,
 		passkey: passkeyCommand,
 		migrate: migrateCommand,
+		"migrate-token": migrateTokenCommand,
 		identity: identityCommand,
 		activate: activateCommand,
 		deactivate: deactivateCommand,

package/dist/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","names":[],"sources":["../src/storage.ts","../src/oauth-storage.ts","../src/blobs.ts","../src/types.ts","../src/account-do.ts","../src/index.ts"],"sourcesContent":[],"mappings":";;;;;;;;;;;;;;;;cAUa,iBAAA,SACJ,kBAAA,YACG;EAFC,QAAA,GAAA;EAIa,WAAA,CAAA,GAAA,EAAA,UAAA;EA2FA;;;;EAiCR,UAAA,CAAA,aAAA,CAAA,EAAA,OAAA,CAAA,EAAA,IAAA;EAQG;;;EAcL,OAAA,CAAA,CAAA,EAvDE,OAuDF,CAvDU,GAuDV,GAAA,IAAA,CAAA;EAAM;;;EAU8C,MAAA,CAAA,CAAA,EApDnD,OAoDmD,CAAA,MAAA,GAAA,IAAA,CAAA;EAArC;;;EAmB4B,MAAA,CAAA,CAAA,EA7D1C,OA6D0C,CAAA,MAAA,CAAA;EAYpC;;;EAoBmB,OAAA,CAAA,CAAA,EAnFxB,OAmFwB,CAAA,MAAA,CAAA;EAWf;;;EA6CT,QAAA,CAAA,GAAA,EAnIG,GAmIH,CAAA,EAnIS,OAmIT,CAnIiB,UAmIjB,GAAA,IAAA,CAAA;EAUI;;;EAoCF,GAAA,CAAA,GAAA,EAnKJ,GAmKI,CAAA,EAnKE,OAmKF,CAAA,OAAA,CAAA;EAUe;;;EA2JtB,SAAA,CAAA,IAAA,EA9TU,GA8TV,EAAA,CAAA,EA9TkB,OA8TlB,CAAA;IA8BI,MAAA,EA5VgC,QA4VhC;IA3fR,OAAA,EA+J2D,GA/J3D,EAAA;EACG,CAAA,CAAA;EAAW;;;gBAiLF,YAAY,0BAA0B;EC/K9C;;;EAuG0C,OAAA,CAAA,MAAA,EDoFhC,QCpFgC,EAAA,GAAA,EAAA,MAAA,CAAA,EDoFR,OCpFQ,CAAA,IAAA,CAAA;EAgBb;;;EAsClB,UAAA,CAAA,GAAA,EDkDD,GClDC,EAAA,GAAA,EAAA,MAAA,CAAA,EDkDkB,OClDlB,CAAA,IAAA,CAAA;EAAY;;;EAiDoB,WAAA,CAAA,MAAA,EDY7B,UCZ6B,CAAA,EDYhB,OCZgB,CAAA,IAAA,CAAA;EAAR;;;EA4CF,WAAA,CAAA,CAAA,EDGxB,OCHwB,CAAA,MAAA,CAAA;EAAiB;;;EAwCtB,OAAA,CAAA,CAAA,ED3BvB,OC2BuB,CAAA,IAAA,CAAA;EAAU;;;EAuCb,WAAA,CAAA,CAAA,EDxDhB,OCwDgB,CAAA,MAAA,CAAA;EAWG;;;oBDzDhB;;;AEvSzB;0CFyT+C;;;AGpT/C;EAkBiC,SAAA,CAAA,CAAA,EH0Sb,OG1Sa,CAAA,OAAA,CAAA;EAAvB;;;8BHoTyB;;;AItSnC;EAAwD,aAAA,CAAA,SAAA,EAAA,MAAA,EAAA,OAAA,EAAA,MAAA,CAAA,EAAA,IAAA;EAUtC;;;EA6GW,cAAA,CAAA,SAAA,EAAA,MAAA,EAAA,QAAA,EAAA,MAAA,EAAA,CAAA,EAAA,IAAA;EAAR;;;EAgBK,iBAAA,CAAA,SAAA,EAAA,MAAA,CAAA,EAAA,IAAA;EAAR;;;EAqBG,iBAAA,CAAA,GAAA,EAAA,MAAA,EAAA,IAAA,EAAA,MAAA,EAAA,QAAA,EAAA,MAAA,CAAA,EAAA,IAAA;EAQA;;;EAsCX,cAAI,CAAA,GAAA,EAAA,MAAA,CAAA,EAAA,OAAA;EAFV;;;EA8EA,kBAAA,CAAA,CAAA,EAAA,MAAA;EA8EA;;;EA6JO,kBAAA,CAAA,CAAA,EAAA,MAAA;EAFP;;;EA6KoB,gBAAA,CAAA,KAAA,CAAA,EAAA,MAAA,EAAA,MAAA,CAAA,EAAA,MAAA,CAAA,EAAA;IA6BqB,KAAA,EJ7UhC,KI6UgC,CAAA;MAAR,GAAA,EAAA,MAAA;MA2BN,SAAA,EAAA,MAAA;IAAa,CAAA,CAAA;IAsEhB,MAAA,CAAA,EAAA,MAAA;EAAuC,CAAA;EAAR;;;EAiJrB,iBAAA,CAAA,CAAA,EAAA,IAAA;EAAkB;;;EAqCnC,WAAA,CAAA,YAAA,EAAA,MAAA,EAAA,SAAA,EJljBR,UIkjBQ,EAAA,OAAA,EAAA,MAAA,EAAA,IAAA,CAAA,EAAA,MAAA,CAAA,EAAA,IAAA;EASd;;;EAkBqB,UAAA,CAAA,YAAA,EAAA,MAAA,CAAA,EAAA;IASsB,YAAA,EAAA,MAAA;IAQ3B,SAAA,EJ3kBV,UI2kBU;IAQM,OAAA,EAAA,MAAA;IAQE,IAAA,EAAA,MAAA,GAAA,IAAA;IAYN,SAAA,EAAA,MAAA;IAQC,UAAA,EAAA,MAAA,GAAA,IAAA;EAYM,CAAA,GAAA,IAAA;EAQA;;;EAwBJ,YAAA,CAAA,CAAA,EJ7nBX,KI6nBW,CAAA;IAkCiB,YAAA,EAAA,MAAA;IAkDpB,IAAA,EAAA,MAAA,GAAA,IAAA;IAQM,SAAA,EAAA,MAAA;IAAO,UAAA,EAAA,MAAA,GAsBM,IAAA;EACxC,CAAA,CAAA;EAAO;;;EAcoC,aAAA,CAAA,YAOH,EAAA,MAAA,CAAA,EAAA,OAAA;EACxC;;;EAQO,oBAAA,CAAA,YAQqC,EAAA,MAAA,EAAA,OAAA,EAAA,MAAA,CAAA,EAAA,IAAA;EAA5C;;;EAY2C,WAAA,CAAA,CAAA,EAAA,OAAA;EAS3C;;;EAQO,gBAAA,CAAA,KAAA,EAQiC,MAAA,EAAA,SAAA,EAAA,MAAA,EAAA,SAAA,EAAA,MAAA,EAAA,IAAA,CAAA,EAAA,MAAA,CAAA,EAAA,IAAA;EACxC;;;EAcqC,mBAAA,CAAA,KAAA,EAAA,MAAA,CAAA,EAAA;IAMG,SAAA,EAAA,MAAA;IAY/B,IAAA,EAAA,MAAA,GAAA,IAAA;EAGT,CAAA,GAAA,IAAA;EAQS;;;EAWa,oBAAA,CAAA,CAAA,EAAA,IAAA;;;;;;;;;;cH12Cb,kBAAA,YAA8B;;mBACjB;EDLb;;;EA+FK,UAAA,CAAA,CAAA,EAAA,IAAA;EAaD;;;EA4BI,OAAA,CAAA,CAAA,EAAA,IAAA;EAAc,YAAA,CAAA,IAAA,EAAA,MAAA,EAAA,IAAA,EC7BK,YD6BL,CAAA,EC7BoB,OD6BpB,CAAA,IAAA,CAAA;EAAR,WAAA,CAAA,IAAA,EAAA,MAAA,CAAA,ECbO,ODaP,CCbe,YDaf,GAAA,IAAA,CAAA;EAcX,cAAA,CAAA,IAAA,EAAA,MAAA,CAAA,ECGqB,ODHrB,CAAA,IAAA,CAAA;EAAM,UAAA,CAAA,IAAA,ECWE,SDXF,CAAA,ECWc,ODXd,CAAA,IAAA,CAAA;EAUC,gBAAA,CAAA,WAAA,EAAA,MAAA,CAAA,ECkBuB,ODlBvB,CCkB+B,SDlB/B,GAAA,IAAA,CAAA;EAA0B,iBAAA,CAAA,YAAA,EAAA,MAAA,CAAA,ECkDD,ODlDC,CCkDO,SDlDP,GAAA,IAAA,CAAA;EAAmB,WAAA,CAAA,WAAA,EAAA,MAAA,CAAA,EC+E3B,OD/E2B,CAAA,IAAA,CAAA;EAArC,eAAA,CAAA,GAAA,EAAA,MAAA,CAAA,ECsFM,ODtFN,CAAA,IAAA,CAAA;EAmBV,UAAA,CAAA,QAAA,EAAA,MAAA,EAAA,QAAA,EC2EyB,cD3EzB,CAAA,EC2E0C,OD3E1C,CAAA,IAAA,CAAA;EAAY,SAAA,CAAA,QAAA,EAAA,MAAA,CAAA,ECyFG,ODzFH,CCyFW,cDzFX,GAAA,IAAA,CAAA;EAA0B,OAAA,CAAA,UAAA,EAAA,MAAA,EAAA,IAAA,ECmHlB,ODnHkB,CAAA,ECmHR,ODnHQ,CAAA,IAAA,CAAA;EAYpC,MAAA,CAAA,UAAA,EAAA,MAAA,CAAA,ECkHY,ODlHZ,CCkHoB,ODlHpB,GAAA,IAAA,CAAA;EAAwB,SAAA,CAAA,UAAA,EAAA,MAAA,CAAA,EC8IT,OD9IS,CAAA,IAAA,CAAA;EAoBxB,iBAAA,CAAA,KAAA,EAAA,MAAA,CAAA,ECqIkB,ODrIlB,CAAA,OAAA,CAAA;EAAmB;;;EA8CpB,OAAA,CAAA,CAAA,EAAA,IAAA;EAUJ;;;EAsC6B,qBAAA,CAAA,SAAA,EAAA,MAAA,CAAA,EAAA,IAAA;EAQ3B;;;;EAqKP,wBAAA,CAAA,SAAA,EAAA,MAAA,CAAA,EAAA,OAAA;;;;UEteI,OAAA;;;;;;;;;;;;;;UCKA,MAAA;;;;EHGJ,MAAA,EAAA,MAAA;EAIa;EA2FA,YAAA,EAAA,MAAA;EAAR;EAaD,UAAA,EAAA,MAAA;EAUA;EAUC,WAAA,EAAA,MAAA;EAQG;EAAc,kBAAA,EAAA,MAAA;EAAR;EAcX,UAAA,EAAA,MAAA;EAAM;EAUC,aAAA,EAAA,MAAA;EAA0B;EAAmB,OAAA,EGjJ1D,sBHiJ0D,CGjJnC,oBHiJmC,CAAA;EAArC;EAmBV,KAAA,CAAA,EGlKZ,QHkKY;EAAY;EAA0B,cAAA,CAAA,EAAA,MAAA;;;;;;;AAnL3D;;;;;;AAgIkB,cInGL,oBAAA,SAA6B,aJmGxB,CInGsC,MJmGtC,CAAA,CAAA;EAQG,QAAA,OAAA;EAAc,QAAA,YAAA;EAAR,QAAA,IAAA;EAcX,QAAA,OAAA;EAAM,QAAA,SAAA;EAUC,QAAA,SAAA;EAA0B,QAAA,kBAAA;EAAmB,QAAA,eAAA;EAArC,WAAA,CAAA,GAAA,EIzHb,kBJyHa,EAAA,GAAA,EIzHY,MJyHZ;EAmBV;;;EAYE,QAAA,wBAAA;EAAwB;;;EA+BpB,QAAA,UAAA;EAAa;;;;EAiEf,KAAA,CAAA,CAAA,EItLA,OJsLA,CAAA,IAAA,CAAA;EAkBsB;;;EAwGlC,QAAA,qBAAA;EAkDA;;;EA1cJ,UAAA,CAAA,CAAA,EImJY,OJnJZ,CImJoB,iBJnJpB,CAAA;EACG;;;qBI0Jc,QAAQ;;AHxJlC;;EAuGwC,OAAA,CAAA,CAAA,EGyDtB,OHzDsB,CGyDd,IHzDc,CAAA;EAAe;;;EA8ClB,YAAA,CAAA,CAAA,EGmBd,OHnBc,CAAA,IAAA,CAAA;EAQb;;;EAiBsB,UAAA,CAAA,CAAA,EGOzB,OHPyB,CGOjB,gBHPiB,CAAA;EAgCU;;;EAoCnB,OAAA,CAAA,IAAA,EGrDhB,IHqDgB,CAAA,EGrDT,OHqDS,CAAA,IAAA,CAAA;EAQS;;;EAcV,eAAA,CAAA,CAAA,EGpEV,OHoEU,CAAA;IA0BK,GAAA,EAAA,MAAA;IAAU,WAAA,EAAA,MAAA,EAAA;IAWR,GAAA,EAAA,MAAA;EAAR,CAAA,CAAA;EA4BG;;;EAzUiB,YAAA,CAAA,UAAA,EAAA,MAAA,EAAA,IAAA,EAAA,MAAA,CAAA,EGiOnD,OHjOmD,CAAA;;YGmO7C,GAAA,CAAI;;EF/OG;;;;ICKA,KAAM,EAAA,MAAA;IAkBU,MAAA,CAAA,EAAA,MAAA;IAAvB,OAAA,CAAA,EAAA,OAAA;EAED,CAAA,CAAA,ECuPL,ODvPK,CAAA;IAAQ,OAAA,ECwPN,KDxPM,CAAA;;;;ICYJ,CAAA,CAAA;IAA2C,MAAA,CAAA,EAAA,MAAA;EAUtC,CAAA,CAAA;EAAyB;;;EA6GtB,eAAA,CAAA,UAAA,EAAA,MAAA,EAAA,IAAA,EAAA,MAAA,GAAA,SAAA,EAAA,MAAA,EAAA,OAAA,CAAA,EA+JjB,OA/JiB,CAAA;IAQa,GAAA,EAAA,MAAA;IAAR,GAAA,EAAA,MAAA;IAQA,MAAA,EAAA;MAAR,GAAA,EAAA,MAAA;MAQK,GAAA,EAAA,MAAA;IAaM,CAAA;EAAR,CAAA,CAAA;EAQA;;;EAsCX,eAAI,CAAA,UAAA,EAAA,MAAA,EAAA,IAAA,EAAA,MAAA,CAAA,EA0JV,OA1JU,CAAA;IAFV,MAAA,EAAA;MAoCO,GAAA,EAAA,MAAA;MADP,GAAA,EAAA,MAAA;IA2CA,CAAA;EA8EA,CAAA,GAAA,IAAA,CAAA;EA+DA;;;EA4FA,YAAA,CAAA,UAAA,EAAA,MAAA,EAAA,IAAA,EAAA,MAAA,EAAA,MAAA,EAAA,OAAA,CAAA,EA5FA,OA4FA,CAAA;IA6JuB,GAAA,EAAA,MAAA;IAgBK,GAAA,EAAA,MAAA;IAAR,MAAA,EAAA;MA6BqB,GAAA,EAAA,MAAA;MAAR,GAAA,EAAA,MAAA;IA2BN,CAAA;IAAa,gBAAA,EAAA,MAAA;EAsEhB,CAAA,CAAA;EAAuC;;;EAyBhC,cAAA,CAAA,MAAA,EA1UzB,KA0UyB,CAAA;IAwHG,KAAA,EAAA,MAAA;IAAkB,UAAA,EAAA,MAAA;IAAR,IAAA,CAAA,EAAA,MAAA;IAoCzC,KAAA,CAAA,EAAA,OAAA;EACc,CAAA,CAAA,CAAA,EAjejB,OAieiB,CAAA;IASd,MAAA,EAAA;MAWuB,GAAA,EAAA,MAAA;MAAkB,GAAA,EAAA,MAAA;IAOpB,CAAA;IASsB,OAAA,EAngBvC,KAmgBuC,CAAA;MAQ3B,KAAA,EAAA,MAAA;MAQM,GAAA,CAAA,EAAA,MAAA;MAQE,GAAA,CAAA,EAAA,MAAA;MAYN,gBAAA,CAAA,EAAA,MAAA;IAQC,CAAA,CAAA;EAYM,CAAA,CAAA;EAQA;;;EAwBJ,gBAAA,CAAA,CAAA,EAhcD,OAgcC,CAAA;IAkCiB,GAAA,EAAA,MAAA;IAkDpB,IAAA,EAAA,MAAA;IAQM,GAAA,EAAA,MAAA;EAAO,CAAA,CAAA;EAuBlC;;;EAcoC,aAAA,CAAA,CAAA,EAjjBhB,OAijBgB,CAjjBR,UAijBQ,CAAA;EAAO;;;;EAgBpC,YAAA,CAAA,IAAA,EAAA,MAQqC,EAAA,CAAA,EA5iBX,OA4iBW,CA5iBH,UA4iBG,CAAA;EAA5C;;;;;EAqBO,aAAA,CAAA,QAAA,EAtiBoB,UA8iBiB,CAAA,EA9iBJ,OA8iBI,CAAA;IAA5C,GAAA,EAAA,MAAA;IAAO,GAAA,EAAA,MAAA;IASP,GAAA,EAAA,MAAA;EAAO,CAAA,CAAA;EAQP;;;EAwBS,aAAA,CAAA,KAAA,EAjhBe,UAihBf,EAAA,QAAA,EAAA,MAAA,CAAA,EAjhB8C,OAihB9C,CAjhBsD,OAihBtD,CAAA;EAGT;;;EAmB8B,UAAA,CAAA,MAAA,EAAA,MAAA,CAAA,EA9gBC,OA8gBD,CA9gBS,YA8gBT,GAAA,IAAA,CAAA;EAAR;;;EA0BD,QAAA,WAAA;EAWrB;;;EAoBmD,QAAA,iBAAA;EASxB;;;EAn5CW,QAAA,mBAAA;EAAa;;;;~~ECiCjD~~;;;EAAG,QAAA,gBAAA;EAAA;;;;;;;;;;;~~iCD05B6B~~,UAAU,QAAQ;;;;wBAoCjD,8BACc;;;;sBASd;;;;sBAWuB,kBAAkB;;;;uBAOpB;;;;;;6CASsB;;;;kBAQ3B;;;;wBAQM;;;;0BAQE;;;;oBAYN;;;;qBAQC;;;;2BAYM;;;;2BAQA;;;;wDAW5B;WACK;;;;;;;;;;;uBAYmB;;;;;;;wCAkCiB;;;;;;oBAkDpB;;;;;;0BAQM;;;;;sCAAO,0BAAA,CAsBM,eACxC;;gCAQA,QARO,0BAAA,CAQqC,YAAA;;mCAMR;;sBAAO,0BAAA,CAOH,YACxC;;4CAQA,QARO,0BAAA,CAQqC,SAAA;;8CAQ5C,QARO,0BAAA,CAQqC,SAAA;;uCAMJ;;mCAMJ;;4CAAO,0BAAA,CAQC,iBAC5C;;kCAQA,QARO,0BAAA,CAQqC,cAAA;;uCAArC,0BAAA,CAQiC,UACxC;;iCAQA,QARO,0BAAA,CAQqC,OAAA;;oCAMP;;uCAMG;;kDAY/B,6CAGT;;uCAMwC;;eAE/B;;;;;;;qBAWa,QAAQ;;;;;;;0CAWa;;kEAS3C;;oBAMqB;;2FAWrB;;yCAQA;;;;;+CAMgD;;kDAMG;;;;;iBASxB,UAAU,QAAQ;;;;~~cCl3C3C~~,KAAG;YAAwB;GAAM,WAAA,CAAA,WAAA"}
1	+ {"version":3,"file":"index.d.ts","names":[],"sources":["../src/storage.ts","../src/oauth-storage.ts","../src/blobs.ts","../src/types.ts","../src/account-do.ts","../src/index.ts"],"sourcesContent":[],"mappings":";;;;;;;;;;;;;;;;cAUa,iBAAA,SACJ,kBAAA,YACG;EAFC,QAAA,GAAA;EAIa,WAAA,CAAA,GAAA,EAAA,UAAA;EA2FA;;;;EAiCR,UAAA,CAAA,aAAA,CAAA,EAAA,OAAA,CAAA,EAAA,IAAA;EAQG;;;EAcL,OAAA,CAAA,CAAA,EAvDE,OAuDF,CAvDU,GAuDV,GAAA,IAAA,CAAA;EAAM;;;EAU8C,MAAA,CAAA,CAAA,EApDnD,OAoDmD,CAAA,MAAA,GAAA,IAAA,CAAA;EAArC;;;EAmB4B,MAAA,CAAA,CAAA,EA7D1C,OA6D0C,CAAA,MAAA,CAAA;EAYpC;;;EAoBmB,OAAA,CAAA,CAAA,EAnFxB,OAmFwB,CAAA,MAAA,CAAA;EAWf;;;EA6CT,QAAA,CAAA,GAAA,EAnIG,GAmIH,CAAA,EAnIS,OAmIT,CAnIiB,UAmIjB,GAAA,IAAA,CAAA;EAUI;;;EAoCF,GAAA,CAAA,GAAA,EAnKJ,GAmKI,CAAA,EAnKE,OAmKF,CAAA,OAAA,CAAA;EAUe;;;EA2JtB,SAAA,CAAA,IAAA,EA9TU,GA8TV,EAAA,CAAA,EA9TkB,OA8TlB,CAAA;IA8BI,MAAA,EA5VgC,QA4VhC;IA3fR,OAAA,EA+J2D,GA/J3D,EAAA;EACG,CAAA,CAAA;EAAW;;;gBAiLF,YAAY,0BAA0B;EC/K9C;;;EAuG0C,OAAA,CAAA,MAAA,EDoFhC,QCpFgC,EAAA,GAAA,EAAA,MAAA,CAAA,EDoFR,OCpFQ,CAAA,IAAA,CAAA;EAgBb;;;EAsClB,UAAA,CAAA,GAAA,EDkDD,GClDC,EAAA,GAAA,EAAA,MAAA,CAAA,EDkDkB,OClDlB,CAAA,IAAA,CAAA;EAAY;;;EAiDoB,WAAA,CAAA,MAAA,EDY7B,UCZ6B,CAAA,EDYhB,OCZgB,CAAA,IAAA,CAAA;EAAR;;;EA4CF,WAAA,CAAA,CAAA,EDGxB,OCHwB,CAAA,MAAA,CAAA;EAAiB;;;EAwCtB,OAAA,CAAA,CAAA,ED3BvB,OC2BuB,CAAA,IAAA,CAAA;EAAU;;;EAuCb,WAAA,CAAA,CAAA,EDxDhB,OCwDgB,CAAA,MAAA,CAAA;EAWG;;;oBDzDhB;;;AEvSzB;0CFyT+C;;;AGpT/C;EAkBiC,SAAA,CAAA,CAAA,EH0Sb,OG1Sa,CAAA,OAAA,CAAA;EAAvB;;;8BHoTyB;;;AItSnC;EAAwD,aAAA,CAAA,SAAA,EAAA,MAAA,EAAA,OAAA,EAAA,MAAA,CAAA,EAAA,IAAA;EAUtC;;;EA6GW,cAAA,CAAA,SAAA,EAAA,MAAA,EAAA,QAAA,EAAA,MAAA,EAAA,CAAA,EAAA,IAAA;EAAR;;;EAgBK,iBAAA,CAAA,SAAA,EAAA,MAAA,CAAA,EAAA,IAAA;EAAR;;;EAqBG,iBAAA,CAAA,GAAA,EAAA,MAAA,EAAA,IAAA,EAAA,MAAA,EAAA,QAAA,EAAA,MAAA,CAAA,EAAA,IAAA;EAQA;;;EAsCX,cAAI,CAAA,GAAA,EAAA,MAAA,CAAA,EAAA,OAAA;EAFV;;;EA8EA,kBAAA,CAAA,CAAA,EAAA,MAAA;EA8EA;;;EA6JO,kBAAA,CAAA,CAAA,EAAA,MAAA;EAFP;;;EA6KoB,gBAAA,CAAA,KAAA,CAAA,EAAA,MAAA,EAAA,MAAA,CAAA,EAAA,MAAA,CAAA,EAAA;IA6BqB,KAAA,EJ7UhC,KI6UgC,CAAA;MAAR,GAAA,EAAA,MAAA;MA2BN,SAAA,EAAA,MAAA;IAAa,CAAA,CAAA;IAsEhB,MAAA,CAAA,EAAA,MAAA;EAAuC,CAAA;EAAR;;;EAiJrB,iBAAA,CAAA,CAAA,EAAA,IAAA;EAAkB;;;EAqCnC,WAAA,CAAA,YAAA,EAAA,MAAA,EAAA,SAAA,EJljBR,UIkjBQ,EAAA,OAAA,EAAA,MAAA,EAAA,IAAA,CAAA,EAAA,MAAA,CAAA,EAAA,IAAA;EASd;;;EAkBqB,UAAA,CAAA,YAAA,EAAA,MAAA,CAAA,EAAA;IASsB,YAAA,EAAA,MAAA;IAQ3B,SAAA,EJ3kBV,UI2kBU;IAQM,OAAA,EAAA,MAAA;IAQE,IAAA,EAAA,MAAA,GAAA,IAAA;IAYN,SAAA,EAAA,MAAA;IAQC,UAAA,EAAA,MAAA,GAAA,IAAA;EAYM,CAAA,GAAA,IAAA;EAQA;;;EAwBJ,YAAA,CAAA,CAAA,EJ7nBX,KI6nBW,CAAA;IAkCiB,YAAA,EAAA,MAAA;IAkDpB,IAAA,EAAA,MAAA,GAAA,IAAA;IAQM,SAAA,EAAA,MAAA;IAAO,UAAA,EAAA,MAAA,GAsBM,IAAA;EACxC,CAAA,CAAA;EAAO;;;EAcoC,aAAA,CAAA,YAOH,EAAA,MAAA,CAAA,EAAA,OAAA;EACxC;;;EAQO,oBAAA,CAAA,YAQqC,EAAA,MAAA,EAAA,OAAA,EAAA,MAAA,CAAA,EAAA,IAAA;EAA5C;;;EAY2C,WAAA,CAAA,CAAA,EAAA,OAAA;EAS3C;;;EAQO,gBAAA,CAAA,KAAA,EAQiC,MAAA,EAAA,SAAA,EAAA,MAAA,EAAA,SAAA,EAAA,MAAA,EAAA,IAAA,CAAA,EAAA,MAAA,CAAA,EAAA,IAAA;EACxC;;;EAcqC,mBAAA,CAAA,KAAA,EAAA,MAAA,CAAA,EAAA;IAMG,SAAA,EAAA,MAAA;IAY/B,IAAA,EAAA,MAAA,GAAA,IAAA;EAGT,CAAA,GAAA,IAAA;EAQS;;;EAWa,oBAAA,CAAA,CAAA,EAAA,IAAA;;;;;;;;;;cH12Cb,kBAAA,YAA8B;;mBACjB;EDLb;;;EA+FK,UAAA,CAAA,CAAA,EAAA,IAAA;EAaD;;;EA4BI,OAAA,CAAA,CAAA,EAAA,IAAA;EAAc,YAAA,CAAA,IAAA,EAAA,MAAA,EAAA,IAAA,EC7BK,YD6BL,CAAA,EC7BoB,OD6BpB,CAAA,IAAA,CAAA;EAAR,WAAA,CAAA,IAAA,EAAA,MAAA,CAAA,ECbO,ODaP,CCbe,YDaf,GAAA,IAAA,CAAA;EAcX,cAAA,CAAA,IAAA,EAAA,MAAA,CAAA,ECGqB,ODHrB,CAAA,IAAA,CAAA;EAAM,UAAA,CAAA,IAAA,ECWE,SDXF,CAAA,ECWc,ODXd,CAAA,IAAA,CAAA;EAUC,gBAAA,CAAA,WAAA,EAAA,MAAA,CAAA,ECkBuB,ODlBvB,CCkB+B,SDlB/B,GAAA,IAAA,CAAA;EAA0B,iBAAA,CAAA,YAAA,EAAA,MAAA,CAAA,ECkDD,ODlDC,CCkDO,SDlDP,GAAA,IAAA,CAAA;EAAmB,WAAA,CAAA,WAAA,EAAA,MAAA,CAAA,EC+E3B,OD/E2B,CAAA,IAAA,CAAA;EAArC,eAAA,CAAA,GAAA,EAAA,MAAA,CAAA,ECsFM,ODtFN,CAAA,IAAA,CAAA;EAmBV,UAAA,CAAA,QAAA,EAAA,MAAA,EAAA,QAAA,EC2EyB,cD3EzB,CAAA,EC2E0C,OD3E1C,CAAA,IAAA,CAAA;EAAY,SAAA,CAAA,QAAA,EAAA,MAAA,CAAA,ECyFG,ODzFH,CCyFW,cDzFX,GAAA,IAAA,CAAA;EAA0B,OAAA,CAAA,UAAA,EAAA,MAAA,EAAA,IAAA,ECmHlB,ODnHkB,CAAA,ECmHR,ODnHQ,CAAA,IAAA,CAAA;EAYpC,MAAA,CAAA,UAAA,EAAA,MAAA,CAAA,ECkHY,ODlHZ,CCkHoB,ODlHpB,GAAA,IAAA,CAAA;EAAwB,SAAA,CAAA,UAAA,EAAA,MAAA,CAAA,EC8IT,OD9IS,CAAA,IAAA,CAAA;EAoBxB,iBAAA,CAAA,KAAA,EAAA,MAAA,CAAA,ECqIkB,ODrIlB,CAAA,OAAA,CAAA;EAAmB;;;EA8CpB,OAAA,CAAA,CAAA,EAAA,IAAA;EAUJ;;;EAsC6B,qBAAA,CAAA,SAAA,EAAA,MAAA,CAAA,EAAA,IAAA;EAQ3B;;;;EAqKP,wBAAA,CAAA,SAAA,EAAA,MAAA,CAAA,EAAA,OAAA;;;;UEteI,OAAA;;;;;;;;;;;;;;UCKA,MAAA;;;;EHGJ,MAAA,EAAA,MAAA;EAIa;EA2FA,YAAA,EAAA,MAAA;EAAR;EAaD,UAAA,EAAA,MAAA;EAUA;EAUC,WAAA,EAAA,MAAA;EAQG;EAAc,kBAAA,EAAA,MAAA;EAAR;EAcX,UAAA,EAAA,MAAA;EAAM;EAUC,aAAA,EAAA,MAAA;EAA0B;EAAmB,OAAA,EGjJ1D,sBHiJ0D,CGjJnC,oBHiJmC,CAAA;EAArC;EAmBV,KAAA,CAAA,EGlKZ,QHkKY;EAAY;EAA0B,cAAA,CAAA,EAAA,MAAA;;;;;;;AAnL3D;;;;;;AAgIkB,cInGL,oBAAA,SAA6B,aJmGxB,CInGsC,MJmGtC,CAAA,CAAA;EAQG,QAAA,OAAA;EAAc,QAAA,YAAA;EAAR,QAAA,IAAA;EAcX,QAAA,OAAA;EAAM,QAAA,SAAA;EAUC,QAAA,SAAA;EAA0B,QAAA,kBAAA;EAAmB,QAAA,eAAA;EAArC,WAAA,CAAA,GAAA,EIzHb,kBJyHa,EAAA,GAAA,EIzHY,MJyHZ;EAmBV;;;EAYE,QAAA,wBAAA;EAAwB;;;EA+BpB,QAAA,UAAA;EAAa;;;;EAiEf,KAAA,CAAA,CAAA,EItLA,OJsLA,CAAA,IAAA,CAAA;EAkBsB;;;EAwGlC,QAAA,qBAAA;EAkDA;;;EA1cJ,UAAA,CAAA,CAAA,EImJY,OJnJZ,CImJoB,iBJnJpB,CAAA;EACG;;;qBI0Jc,QAAQ;;AHxJlC;;EAuGwC,OAAA,CAAA,CAAA,EGyDtB,OHzDsB,CGyDd,IHzDc,CAAA;EAAe;;;EA8ClB,YAAA,CAAA,CAAA,EGmBd,OHnBc,CAAA,IAAA,CAAA;EAQb;;;EAiBsB,UAAA,CAAA,CAAA,EGOzB,OHPyB,CGOjB,gBHPiB,CAAA;EAgCU;;;EAoCnB,OAAA,CAAA,IAAA,EGrDhB,IHqDgB,CAAA,EGrDT,OHqDS,CAAA,IAAA,CAAA;EAQS;;;EAcV,eAAA,CAAA,CAAA,EGpEV,OHoEU,CAAA;IA0BK,GAAA,EAAA,MAAA;IAAU,WAAA,EAAA,MAAA,EAAA;IAWR,GAAA,EAAA,MAAA;EAAR,CAAA,CAAA;EA4BG;;;EAzUiB,YAAA,CAAA,UAAA,EAAA,MAAA,EAAA,IAAA,EAAA,MAAA,CAAA,EGiOnD,OHjOmD,CAAA;;YGmO7C,GAAA,CAAI;;EF/OG;;;;ICKA,KAAM,EAAA,MAAA;IAkBU,MAAA,CAAA,EAAA,MAAA;IAAvB,OAAA,CAAA,EAAA,OAAA;EAED,CAAA,CAAA,ECuPL,ODvPK,CAAA;IAAQ,OAAA,ECwPN,KDxPM,CAAA;;;;ICYJ,CAAA,CAAA;IAA2C,MAAA,CAAA,EAAA,MAAA;EAUtC,CAAA,CAAA;EAAyB;;;EA6GtB,eAAA,CAAA,UAAA,EAAA,MAAA,EAAA,IAAA,EAAA,MAAA,GAAA,SAAA,EAAA,MAAA,EAAA,OAAA,CAAA,EA+JjB,OA/JiB,CAAA;IAQa,GAAA,EAAA,MAAA;IAAR,GAAA,EAAA,MAAA;IAQA,MAAA,EAAA;MAAR,GAAA,EAAA,MAAA;MAQK,GAAA,EAAA,MAAA;IAaM,CAAA;EAAR,CAAA,CAAA;EAQA;;;EAsCX,eAAI,CAAA,UAAA,EAAA,MAAA,EAAA,IAAA,EAAA,MAAA,CAAA,EA0JV,OA1JU,CAAA;IAFV,MAAA,EAAA;MAoCO,GAAA,EAAA,MAAA;MADP,GAAA,EAAA,MAAA;IA2CA,CAAA;EA8EA,CAAA,GAAA,IAAA,CAAA;EA+DA;;;EA4FA,YAAA,CAAA,UAAA,EAAA,MAAA,EAAA,IAAA,EAAA,MAAA,EAAA,MAAA,EAAA,OAAA,CAAA,EA5FA,OA4FA,CAAA;IA6JuB,GAAA,EAAA,MAAA;IAgBK,GAAA,EAAA,MAAA;IAAR,MAAA,EAAA;MA6BqB,GAAA,EAAA,MAAA;MAAR,GAAA,EAAA,MAAA;IA2BN,CAAA;IAAa,gBAAA,EAAA,MAAA;EAsEhB,CAAA,CAAA;EAAuC;;;EAyBhC,cAAA,CAAA,MAAA,EA1UzB,KA0UyB,CAAA;IAwHG,KAAA,EAAA,MAAA;IAAkB,UAAA,EAAA,MAAA;IAAR,IAAA,CAAA,EAAA,MAAA;IAoCzC,KAAA,CAAA,EAAA,OAAA;EACc,CAAA,CAAA,CAAA,EAjejB,OAieiB,CAAA;IASd,MAAA,EAAA;MAWuB,GAAA,EAAA,MAAA;MAAkB,GAAA,EAAA,MAAA;IAOpB,CAAA;IASsB,OAAA,EAngBvC,KAmgBuC,CAAA;MAQ3B,KAAA,EAAA,MAAA;MAQM,GAAA,CAAA,EAAA,MAAA;MAQE,GAAA,CAAA,EAAA,MAAA;MAYN,gBAAA,CAAA,EAAA,MAAA;IAQC,CAAA,CAAA;EAYM,CAAA,CAAA;EAQA;;;EAwBJ,gBAAA,CAAA,CAAA,EAhcD,OAgcC,CAAA;IAkCiB,GAAA,EAAA,MAAA;IAkDpB,IAAA,EAAA,MAAA;IAQM,GAAA,EAAA,MAAA;EAAO,CAAA,CAAA;EAuBlC;;;EAcoC,aAAA,CAAA,CAAA,EAjjBhB,OAijBgB,CAjjBR,UAijBQ,CAAA;EAAO;;;;EAgBpC,YAAA,CAAA,IAAA,EAAA,MAQqC,EAAA,CAAA,EA5iBX,OA4iBW,CA5iBH,UA4iBG,CAAA;EAA5C;;;;;EAqBO,aAAA,CAAA,QAAA,EAtiBoB,UA8iBiB,CAAA,EA9iBJ,OA8iBI,CAAA;IAA5C,GAAA,EAAA,MAAA;IAAO,GAAA,EAAA,MAAA;IASP,GAAA,EAAA,MAAA;EAAO,CAAA,CAAA;EAQP;;;EAwBS,aAAA,CAAA,KAAA,EAjhBe,UAihBf,EAAA,QAAA,EAAA,MAAA,CAAA,EAjhB8C,OAihB9C,CAjhBsD,OAihBtD,CAAA;EAGT;;;EAmB8B,UAAA,CAAA,MAAA,EAAA,MAAA,CAAA,EA9gBC,OA8gBD,CA9gBS,YA8gBT,GAAA,IAAA,CAAA;EAAR;;;EA0BD,QAAA,WAAA;EAWrB;;;EAoBmD,QAAA,iBAAA;EASxB;;;EAn5CW,QAAA,mBAAA;EAAa;;;;ECkCjD;;;EAAG,QAAA,gBAAA;EAAA;;;;;;;;;;;iCDy5B6B,UAAU,QAAQ;;;;wBAoCjD,8BACc;;;;sBASd;;;;sBAWuB,kBAAkB;;;;uBAOpB;;;;;;6CASsB;;;;kBAQ3B;;;;wBAQM;;;;0BAQE;;;;oBAYN;;;;qBAQC;;;;2BAYM;;;;2BAQA;;;;wDAW5B;WACK;;;;;;;;;;;uBAYmB;;;;;;;wCAkCiB;;;;;;oBAkDpB;;;;;;0BAQM;;;;;sCAAO,0BAAA,CAsBM,eACxC;;gCAQA,QARO,0BAAA,CAQqC,YAAA;;mCAMR;;sBAAO,0BAAA,CAOH,YACxC;;4CAQA,QARO,0BAAA,CAQqC,SAAA;;8CAQ5C,QARO,0BAAA,CAQqC,SAAA;;uCAMJ;;mCAMJ;;4CAAO,0BAAA,CAQC,iBAC5C;;kCAQA,QARO,0BAAA,CAQqC,cAAA;;uCAArC,0BAAA,CAQiC,UACxC;;iCAQA,QARO,0BAAA,CAQqC,OAAA;;oCAMP;;uCAMG;;kDAY/B,6CAGT;;uCAMwC;;eAE/B;;;;;;;qBAWa,QAAQ;;;;;;;0CAWa;;kEAS3C;;oBAMqB;;2FAWrB;;yCAQA;;;;;+CAMgD;;kDAMG;;;;;iBASxB,UAAU,QAAQ;;;;cCj3C3C,KAAG;YAAwB;GAAM,WAAA,CAAA,WAAA"}

package/dist/index.js CHANGED Viewed

@@ -8,7 +8,7 @@ import { CODEC_RAW, create, fromString, toString } from "@atcute/cid";
 import { Hono } from "hono";
 import { cors } from "hono/cors";
 import { isDid, isHandle } from "@atcute/lexicons/syntax";
-import { SignJWT, jwtVerify } from "jose";
+import { SignJWT, base64url, jwtVerify } from "jose";
 import { compare, compare as compare$1 } from "bcryptjs";
 import { ATProtoOAuthProvider } from "@getcirrus/oauth-provider";
 import { generateAuthenticationOptions, generateRegistrationOptions, verifyAuthenticationResponse, verifyRegistrationResponse } from "@simplewebauthn/server";
@@ -1816,7 +1816,7 @@ function extractBlobCids(obj) {
 //#endregion
 //#region src/service-auth.ts
-const MINUTE = 60 * 1e3;
+const SERVICE_JWT_EXPIRY_SECONDS = 300;
 /**
 * Shared keypair cache for signing and verification.
 */
@@ -1847,7 +1847,7 @@ function noUndefinedVals(obj) {
 async function createServiceJwt(params) {
 	const { iss, aud, keypair } = params;
 	const iat = Math.floor(Date.now() / 1e3);
-	const exp = iat + MINUTE / 1e3;
+	const exp = iat + SERVICE_JWT_EXPIRY_SECONDS;
 	const lxm = params.lxm ?? void 0;
 	const jti = randomStr(16, "hex");
 	const header = {
@@ -1893,7 +1893,7 @@ async function verifyServiceJwt(token, signingKey, expectedAudience, expectedIss
 //#endregion
 //#region src/session.ts
-const ACCESS_TOKEN_LIFETIME = "2h";
+const ACCESS_TOKEN_LIFETIME = "15m";
 const REFRESH_TOKEN_LIFETIME = "90d";
 /**
 * Create a secret key from string for HS256 signing
@@ -2387,7 +2387,7 @@ async function requireAuth(c, next) {
 * Uses @atcute/identity-resolver which is already Workers-compatible
 * (uses redirect: "manual" internally).
 */
-const PLC_DIRECTORY = "https://plc.directory";
+const PLC_DIRECTORY$1 = "https://plc.directory";
 const TIMEOUT_MS = 3e3;
 /**
 * Wrapper that always uses globalThis.fetch so it can be mocked in tests.
@@ -2404,7 +2404,7 @@ var DidResolver = class {
 		this.cache = opts.didCache;
 		this.resolver = new CompositeDidDocumentResolver({ methods: {
 			plc: new PlcDidDocumentResolver({
-				apiUrl: opts.plcUrl ?? PLC_DIRECTORY,
+				apiUrl: opts.plcUrl ?? PLC_DIRECTORY$1,
 				fetch: stubbableFetch
 			}),
 			web: new WebDidDocumentResolver({ fetch: stubbableFetch })
@@ -3334,6 +3334,176 @@ async function resetMigration(c, accountDO) {
 	}
 }
+//#endregion
+//#region src/migration-token.ts
+/**
+* Stateless migration tokens for outbound account migration
+*
+* Uses HMAC-SHA256 to create tokens that encode the DID and expiry time.
+* No database storage required - validity is verified by the signature.
+*
+* Token format: base64url(payload).base64url(signature)
+* Payload: {"did":"did:plc:xxx","exp":1736600000}
+*
+* Tokens expire after 15 minutes - enough time to complete the migration
+* process but short enough to limit exposure if the token is leaked.
+*/
+const TOKEN_EXPIRY = 15 * (60 * 1e3);
+/**
+* Create an HMAC-SHA256 signature
+*/
+async function hmacSign(data, secret) {
+	const encoder = new TextEncoder();
+	const key = await crypto.subtle.importKey("raw", encoder.encode(secret), {
+		name: "HMAC",
+		hash: "SHA-256"
+	}, false, ["sign"]);
+	return crypto.subtle.sign("HMAC", key, encoder.encode(data));
+}
+/**
+* Verify an HMAC-SHA256 signature
+*/
+async function hmacVerify(data, signature, secret) {
+	const encoder = new TextEncoder();
+	const key = await crypto.subtle.importKey("raw", encoder.encode(secret), {
+		name: "HMAC",
+		hash: "SHA-256"
+	}, false, ["verify"]);
+	return crypto.subtle.verify("HMAC", key, signature, encoder.encode(data));
+}
+/**
+* Create a migration token for outbound migration
+*
+* @param did - The user's DID
+* @param jwtSecret - The JWT_SECRET used for signing
+* @returns A stateless, signed token
+*/
+async function createMigrationToken(did, jwtSecret) {
+	const payload = {
+		did,
+		exp: Math.floor((Date.now() + TOKEN_EXPIRY) / 1e3)
+	};
+	const payloadStr = JSON.stringify(payload);
+	const payloadB64 = base64url.encode(new TextEncoder().encode(payloadStr));
+	const signature = await hmacSign(payloadB64, jwtSecret);
+	return `${payloadB64}.${base64url.encode(new Uint8Array(signature))}`;
+}
+/**
+* Validate a migration token
+*
+* @param token - The token to validate
+* @param expectedDid - The expected DID (must match token payload)
+* @param jwtSecret - The JWT_SECRET used for verification
+* @returns The payload if valid, null if invalid/expired
+*/
+async function validateMigrationToken(token, expectedDid, jwtSecret) {
+	const parts = token.split(".");
+	if (parts.length !== 2) return null;
+	const [payloadB64, signatureB64] = parts;
+	try {
+		if (!await hmacVerify(payloadB64, base64url.decode(signatureB64).buffer, jwtSecret)) return null;
+		const payloadStr = new TextDecoder().decode(base64url.decode(payloadB64));
+		const payload = JSON.parse(payloadStr);
+		if (payload.did !== expectedDid) return null;
+		const now$1 = Math.floor(Date.now() / 1e3);
+		if (payload.exp < now$1) return null;
+		return payload;
+	} catch {
+		return null;
+	}
+}
+//#endregion
+//#region src/xrpc/identity.ts
+const PLC_DIRECTORY = "https://plc.directory";
+/**
+* Request a PLC operation signature for outbound migration.
+*
+* In Bluesky's implementation, this sends an email with a token.
+* In Cirrus, we're single-user with no email, so we just return success.
+* The user gets the token via `pds migrate-token` CLI.
+*
+* Endpoint: POST com.atproto.identity.requestPlcOperationSignature
+*/
+async function requestPlcOperationSignature(c) {
+	return new Response(null, { status: 200 });
+}
+/**
+* Sign a PLC operation for migrating to a new PDS.
+*
+* Validates the migration token and returns a signed PLC operation
+* that updates the DID document to point to the new PDS.
+*
+* Endpoint: POST com.atproto.identity.signPlcOperation
+*/
+async function signPlcOperation(c) {
+	const body = await c.req.json();
+	const { token } = body;
+	if (!token) return c.json({
+		error: "InvalidRequest",
+		message: "Missing required parameter: token"
+	}, 400);
+	if (!await validateMigrationToken(token, c.env.DID, c.env.JWT_SECRET)) return c.json({
+		error: "InvalidToken",
+		message: "Invalid or expired migration token"
+	}, 400);
+	const currentOp = await getLatestPlcOperation(c.env.DID);
+	if (!currentOp) return c.json({
+		error: "InternalServerError",
+		message: "Could not fetch current PLC state"
+	}, 500);
+	const signedOp = await signOperation({
+		type: "plc_operation",
+		prev: currentOp.cid,
+		rotationKeys: body.rotationKeys ?? currentOp.operation.rotationKeys,
+		alsoKnownAs: body.alsoKnownAs ?? currentOp.operation.alsoKnownAs,
+		verificationMethods: body.verificationMethods ?? currentOp.operation.verificationMethods,
+		services: body.services ?? currentOp.operation.services
+	}, await Secp256k1Keypair.import(c.env.SIGNING_KEY));
+	return c.json({ operation: signedOp });
+}
+/**
+* Get the latest PLC operation for a DID
+*/
+async function getLatestPlcOperation(did) {
+	try {
+		const res = await fetch(`${PLC_DIRECTORY}/${did}/log/audit`);
+		if (!res.ok) return null;
+		return (await res.json()).filter((op) => !op.nullified).pop() ?? null;
+	} catch {
+		return null;
+	}
+}
+/**
+* Sign a PLC operation with the given keypair
+*
+* PLC operations are signed by:
+* 1. CBOR-encoding the unsigned operation
+* 2. Signing the bytes with secp256k1
+* 3. Adding the signature as base64url
+*/
+async function signOperation(op, keypair) {
+	const bytes = encode(op);
+	const sig = await keypair.sign(bytes);
+	return {
+		...op,
+		sig: base64url.encode(sig)
+	};
+}
+/**
+* Generate a migration token for the CLI.
+*
+* This endpoint allows the CLI to generate a token that can be used
+* to complete an outbound migration without requiring the secret
+* to be available client-side.
+*
+* Endpoint: GET gg.mk.experimental.getMigrationToken
+*/
+async function getMigrationToken(c) {
+	const token = await createMigrationToken(c.env.DID, c.env.JWT_SECRET);
+	return c.json({ token });
+}
 //#endregion
 //#region src/passkey-ui.ts
 /**
@@ -3755,7 +3925,7 @@ function renderPasskeyErrorPage(error, description) {
 //#endregion
 //#region package.json
-var version = "0.7.0";
+var version = "0.8.0";
 //#endregion
 //#region src/index.ts
@@ -3920,6 +4090,9 @@ app.use("/xrpc/com.atproto.identity.resolveHandle", async (c, next) => {
 	if (c.req.query("handle") === c.env.HANDLE) return c.json({ did: c.env.DID });
 	await next();
 });
+app.post("/xrpc/com.atproto.identity.requestPlcOperationSignature", requireAuth, requestPlcOperationSignature);
+app.post("/xrpc/com.atproto.identity.signPlcOperation", requireAuth, signPlcOperation);
+app.get("/xrpc/gg.mk.experimental.getMigrationToken", requireAuth, getMigrationToken);
 app.post("/xrpc/com.atproto.server.createSession", createSession);
 app.post("/xrpc/com.atproto.server.refreshSession", refreshSession);
 app.get("/xrpc/com.atproto.server.getSession", getSession);