@getcirrus/pds 0.7.0 → 0.9.0

package/README.md

@@ -177,6 +177,24 @@ pds migrate --clean      # Reset and re-import
 pds activate             # Go live again
 ```
 
+### `pds migrate-token`
+
+Generates a migration token for migrating away from this PDS to another one.
+
+```bash
+pds migrate-token        # Generate token for production PDS
+pds migrate-token --dev  # Generate token for local development PDS
+```
+
+When migrating to a new PDS, the destination will ask for a confirmation token. This command generates a stateless HMAC-based token that:
+
+- Is valid for 15 minutes
+- Contains your DID and expiry time
+- Is cryptographically signed with your JWT secret
+- Requires no database storage
+
+The token is copied to your clipboard and displayed in the terminal. After migration completes, run `pds deactivate` on this PDS.
+
 ### `pds passkey`
 
 Manage passkeys for passwordless authentication.

package/dist/cli.js

@@ -977,6 +977,27 @@ var PDSClient = class PDSClient {
 		}
 		return res.json();
 	}
+	/**
+	* Get a migration token for outbound migration.
+	* This token can be used to migrate to another PDS.
+	*/
+	async getMigrationToken() {
+		const url = new URL("/xrpc/gg.mk.experimental.getMigrationToken", this.baseUrl);
+		const headers = {};
+		if (this.authToken) headers["Authorization"] = `Bearer ${this.authToken}`;
+		const res = await fetch(url.toString(), {
+			method: "GET",
+			headers
+		});
+		if (!res.ok) return {
+			success: false,
+			error: (await res.json().catch(() => ({}))).message ?? `Request failed: ${res.status}`
+		};
+		return {
+			success: true,
+			token: (await res.json()).token
+		};
+	}
 	static RELAY_URLS = ["https://relay1.us-west.bsky.network", "https://relay1.us-east.bsky.network"];
 	/**
 	* Get relay's view of this PDS host status from a single relay.
@@ -1192,20 +1213,22 @@ async function saveTo1Password(key, handle) {
 * Captures output and throws on non-zero exit code.
 * Use this for running npm/pnpm/yarn scripts etc.
 */
-function runCommand(cmd, args) {
+function runCommand(cmd, args, options = {}) {
 	return new Promise((resolve$1, reject) => {
-		const child = spawn(cmd, args, { stdio: "pipe" });
+		const child = spawn(cmd, args, { stdio: options.stream ? "inherit" : "pipe" });
 		let output = "";
-		child.stdout?.on("data", (data) => {
-			output += data.toString();
-		});
-		child.stderr?.on("data", (data) => {
-			output += data.toString();
-		});
+		if (!options.stream) {
+			child.stdout?.on("data", (data) => {
+				output += data.toString();
+			});
+			child.stderr?.on("data", (data) => {
+				output += data.toString();
+			});
+		}
 		child.on("close", (code) => {
 			if (code === 0) resolve$1();
 			else {
-				if (output) console.error(output);
+				if (output && !options.stream) console.error(output);
 				reject(/* @__PURE__ */ new Error(`${cmd} ${args.join(" ")} failed with code ${code}`));
 			}
 		});
@@ -2098,14 +2121,12 @@ const initCommand = defineCommand({
 				initialValue: true
 			});
 			if (!p.isCancel(deployWorker) && deployWorker) {
-				spinner.start("Building and deploying to Cloudflare...");
+				p.log.step("Deploying to Cloudflare...");
 				try {
-					await runCommand(pm === "npm" ? "npm" : pm, ["run", "build"]);
-					await runCommand(pm === "npm" ? "npm" : pm, ["run", "deploy"]);
-					spinner.stop("Deployed to Cloudflare! 🚀");
+					await runCommand(pm, ["run", "deploy"], { stream: true });
+					p.log.success("Deployed to Cloudflare! 🚀");
 					deployed = true;
 				} catch (error) {
-					spinner.stop("Deployment failed");
 					p.log.error(`Failed to deploy: ${error instanceof Error ? error.message : "Unknown error"}`);
 					p.log.info(`You can deploy manually with: ${formatCommand(pm, "deploy")}`);
 				}
@@ -2495,6 +2516,97 @@ function showNextSteps(pm, sourceDomain) {
 	]), "Almost there!");
 }
 
+//#endregion
+//#region src/cli/commands/migrate-token.ts
+/**
+* Generate a migration token for outbound migration
+*
+* Calls the PDS API to generate a stateless HMAC token that another PDS
+* can use to request a signed PLC operation. The token is valid for 15 minutes.
+*/
+const migrateTokenCommand = defineCommand({
+	meta: {
+		name: "migrate-token",
+		description: "Generate a migration token for moving to another PDS"
+	},
+	args: { dev: {
+		type: "boolean",
+		description: "Target local development server instead of production",
+		default: false
+	} },
+	async run({ args }) {
+		const isDev = args.dev;
+		const pm = detectPackageManager();
+		p.intro("Generate Migration Token");
+		const spinner = p.spinner();
+		spinner.start("Loading configuration...");
+		const wranglerVars = getVars();
+		const config = {
+			...readDevVars(),
+			...wranglerVars
+		};
+		const pdsHostname = config.PDS_HOSTNAME;
+		const authToken = config.AUTH_TOKEN;
+		if (!pdsHostname && !isDev) {
+			spinner.stop("No PDS_HOSTNAME configured");
+			p.log.error("Run 'pds init' first to set up your PDS.");
+			p.outro("Token generation cancelled.");
+			process.exit(1);
+		}
+		if (!authToken) {
+			spinner.stop("No AUTH_TOKEN found");
+			p.log.error("AUTH_TOKEN is required to authenticate with your PDS.");
+			p.outro("Token generation cancelled.");
+			process.exit(1);
+		}
+		let targetUrl;
+		try {
+			targetUrl = getTargetUrl(isDev, pdsHostname);
+		} catch (err) {
+			spinner.stop("Configuration error");
+			p.log.error(err instanceof Error ? err.message : "Configuration error");
+			p.outro("Token generation cancelled.");
+			process.exit(1);
+		}
+		spinner.stop("Configuration loaded");
+		spinner.start("Connecting to PDS...");
+		const pdsClient = new PDSClient(targetUrl, authToken);
+		if (!await pdsClient.healthCheck()) {
+			spinner.stop("PDS not responding");
+			p.log.error(`Your PDS isn't responding at ${targetUrl}`);
+			if (isDev) p.log.info(`Start it with: ${formatCommand(pm, "dev")}`);
+			else p.log.info(`Make sure your worker is deployed: ${formatCommand(pm, "deploy")}`);
+			p.outro("Token generation cancelled.");
+			process.exit(1);
+		}
+		spinner.stop("Connected to PDS");
+		spinner.start("Generating migration token...");
+		const result = await pdsClient.getMigrationToken();
+		if (!result.success || !result.token) {
+			spinner.stop("Failed to generate token");
+			p.log.error(result.error ?? "Could not generate migration token");
+			p.outro("Token generation cancelled.");
+			process.exit(1);
+		}
+		spinner.stop("Token generated");
+		if (await copyToClipboard(result.token)) p.log.success("Migration token copied to clipboard!");
+		else p.log.info("Could not copy to clipboard. Token:");
+		console.log("");
+		console.log(pc.bold(result.token));
+		console.log("");
+		p.note([
+			"This token is valid for 15 minutes.",
+			"",
+			"Paste it into the new PDS when prompted for",
+			"a migration/confirmation code.",
+			"",
+			"Once migration is complete, you can deactivate",
+			"this PDS with: pnpm pds deactivate"
+		].join("\n"), "Next Steps");
+		p.outro("Good luck with the migration!");
+	}
+});
+
 //#endregion
 //#region src/cli/utils/plc-client.ts
 /**
@@ -3724,6 +3836,7 @@ runMain(defineCommand({
 		secret: secretCommand,
 		passkey: passkeyCommand,
 		migrate: migrateCommand,
+		"migrate-token": migrateTokenCommand,
 		identity: identityCommand,
 		activate: activateCommand,
 		deactivate: deactivateCommand,

package/dist/index.d.ts

@@ -439,6 +439,13 @@ declare class AccountDurableObject extends DurableObject<PDSEnv> {
    * Used for partial sync and migration.
    */
   rpcGetBlocks(cids: string[]): Promise<Uint8Array>;
+  /**
+   * RPC method: Get record with proof as CAR file.
+   * Returns the commit block and all MST blocks needed to verify
+   * the existence (or non-existence) of a record.
+   * Used by com.atproto.sync.getRecord for record verification.
+   */
+  rpcGetRecordProof(collection: string, rkey: string): Promise<Uint8Array>;
   /**
    * RPC method: Import repo from CAR file
    * This is used for account migration - importing an existing repository

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","names":[],"sources":["../src/storage.ts","../src/oauth-storage.ts","../src/blobs.ts","../src/types.ts","../src/account-do.ts","../src/index.ts"],"sourcesContent":[],"mappings":";;;;;;;;;;;;;;;;cAUa,iBAAA,SACJ,kBAAA,YACG;EAFC,QAAA,GAAA;EAIa,WAAA,CAAA,GAAA,EAAA,UAAA;EA2FA;;;;EAiCR,UAAA,CAAA,aAAA,CAAA,EAAA,OAAA,CAAA,EAAA,IAAA;EAQG;;;EAcL,OAAA,CAAA,CAAA,EAvDE,OAuDF,CAvDU,GAuDV,GAAA,IAAA,CAAA;EAAM;;;EAU8C,MAAA,CAAA,CAAA,EApDnD,OAoDmD,CAAA,MAAA,GAAA,IAAA,CAAA;EAArC;;;EAmB4B,MAAA,CAAA,CAAA,EA7D1C,OA6D0C,CAAA,MAAA,CAAA;EAYpC;;;EAoBmB,OAAA,CAAA,CAAA,EAnFxB,OAmFwB,CAAA,MAAA,CAAA;EAWf;;;EA6CT,QAAA,CAAA,GAAA,EAnIG,GAmIH,CAAA,EAnIS,OAmIT,CAnIiB,UAmIjB,GAAA,IAAA,CAAA;EAUI;;;EAoCF,GAAA,CAAA,GAAA,EAnKJ,GAmKI,CAAA,EAnKE,OAmKF,CAAA,OAAA,CAAA;EAUe;;;EA2JtB,SAAA,CAAA,IAAA,EA9TU,GA8TV,EAAA,CAAA,EA9TkB,OA8TlB,CAAA;IA8BI,MAAA,EA5VgC,QA4VhC;IA3fR,OAAA,EA+J2D,GA/J3D,EAAA;EACG,CAAA,CAAA;EAAW;;;gBAiLF,YAAY,0BAA0B;EC/K9C;;;EAuG0C,OAAA,CAAA,MAAA,EDoFhC,QCpFgC,EAAA,GAAA,EAAA,MAAA,CAAA,EDoFR,OCpFQ,CAAA,IAAA,CAAA;EAgBb;;;EAsClB,UAAA,CAAA,GAAA,EDkDD,GClDC,EAAA,GAAA,EAAA,MAAA,CAAA,EDkDkB,OClDlB,CAAA,IAAA,CAAA;EAAY;;;EAiDoB,WAAA,CAAA,MAAA,EDY7B,UCZ6B,CAAA,EDYhB,OCZgB,CAAA,IAAA,CAAA;EAAR;;;EA4CF,WAAA,CAAA,CAAA,EDGxB,OCHwB,CAAA,MAAA,CAAA;EAAiB;;;EAwCtB,OAAA,CAAA,CAAA,ED3BvB,OC2BuB,CAAA,IAAA,CAAA;EAAU;;;EAuCb,WAAA,CAAA,CAAA,EDxDhB,OCwDgB,CAAA,MAAA,CAAA;EAWG;;;oBDzDhB;;;AEvSzB;0CFyT+C;;;AGpT/C;EAkBiC,SAAA,CAAA,CAAA,EH0Sb,OG1Sa,CAAA,OAAA,CAAA;EAAvB;;;8BHoTyB;;;AItSnC;EAAwD,aAAA,CAAA,SAAA,EAAA,MAAA,EAAA,OAAA,EAAA,MAAA,CAAA,EAAA,IAAA;EAUtC;;;EA6GW,cAAA,CAAA,SAAA,EAAA,MAAA,EAAA,QAAA,EAAA,MAAA,EAAA,CAAA,EAAA,IAAA;EAAR;;;EAgBK,iBAAA,CAAA,SAAA,EAAA,MAAA,CAAA,EAAA,IAAA;EAAR;;;EAqBG,iBAAA,CAAA,GAAA,EAAA,MAAA,EAAA,IAAA,EAAA,MAAA,EAAA,QAAA,EAAA,MAAA,CAAA,EAAA,IAAA;EAQA;;;EAsCX,cAAI,CAAA,GAAA,EAAA,MAAA,CAAA,EAAA,OAAA;EAFV;;;EA8EA,kBAAA,CAAA,CAAA,EAAA,MAAA;EA8EA;;;EA6JO,kBAAA,CAAA,CAAA,EAAA,MAAA;EAFP;;;EA6KoB,gBAAA,CAAA,KAAA,CAAA,EAAA,MAAA,EAAA,MAAA,CAAA,EAAA,MAAA,CAAA,EAAA;IA6BqB,KAAA,EJ7UhC,KI6UgC,CAAA;MAAR,GAAA,EAAA,MAAA;MA2BN,SAAA,EAAA,MAAA;IAAa,CAAA,CAAA;IAsEhB,MAAA,CAAA,EAAA,MAAA;EAAuC,CAAA;EAAR;;;EAiJrB,iBAAA,CAAA,CAAA,EAAA,IAAA;EAAkB;;;EAqCnC,WAAA,CAAA,YAAA,EAAA,MAAA,EAAA,SAAA,EJljBR,UIkjBQ,EAAA,OAAA,EAAA,MAAA,EAAA,IAAA,CAAA,EAAA,MAAA,CAAA,EAAA,IAAA;EASd;;;EAkBqB,UAAA,CAAA,YAAA,EAAA,MAAA,CAAA,EAAA;IASsB,YAAA,EAAA,MAAA;IAQ3B,SAAA,EJ3kBV,UI2kBU;IAQM,OAAA,EAAA,MAAA;IAQE,IAAA,EAAA,MAAA,GAAA,IAAA;IAYN,SAAA,EAAA,MAAA;IAQC,UAAA,EAAA,MAAA,GAAA,IAAA;EAYM,CAAA,GAAA,IAAA;EAQA;;;EAwBJ,YAAA,CAAA,CAAA,EJ7nBX,KI6nBW,CAAA;IAkCiB,YAAA,EAAA,MAAA;IAkDpB,IAAA,EAAA,MAAA,GAAA,IAAA;IAQM,SAAA,EAAA,MAAA;IAAO,UAAA,EAAA,MAAA,GAsBM,IAAA;EACxC,CAAA,CAAA;EAAO;;;EAcoC,aAAA,CAAA,YAOH,EAAA,MAAA,CAAA,EAAA,OAAA;EACxC;;;EAQO,oBAAA,CAAA,YAQqC,EAAA,MAAA,EAAA,OAAA,EAAA,MAAA,CAAA,EAAA,IAAA;EAA5C;;;EAY2C,WAAA,CAAA,CAAA,EAAA,OAAA;EAS3C;;;EAQO,gBAAA,CAAA,KAAA,EAQiC,MAAA,EAAA,SAAA,EAAA,MAAA,EAAA,SAAA,EAAA,MAAA,EAAA,IAAA,CAAA,EAAA,MAAA,CAAA,EAAA,IAAA;EACxC;;;EAcqC,mBAAA,CAAA,KAAA,EAAA,MAAA,CAAA,EAAA;IAMG,SAAA,EAAA,MAAA;IAY/B,IAAA,EAAA,MAAA,GAAA,IAAA;EAGT,CAAA,GAAA,IAAA;EAQS;;;EAWa,oBAAA,CAAA,CAAA,EAAA,IAAA;;;;;;;;;;cH12Cb,kBAAA,YAA8B;;mBACjB;EDLb;;;EA+FK,UAAA,CAAA,CAAA,EAAA,IAAA;EAaD;;;EA4BI,OAAA,CAAA,CAAA,EAAA,IAAA;EAAc,YAAA,CAAA,IAAA,EAAA,MAAA,EAAA,IAAA,EC7BK,YD6BL,CAAA,EC7BoB,OD6BpB,CAAA,IAAA,CAAA;EAAR,WAAA,CAAA,IAAA,EAAA,MAAA,CAAA,ECbO,ODaP,CCbe,YDaf,GAAA,IAAA,CAAA;EAcX,cAAA,CAAA,IAAA,EAAA,MAAA,CAAA,ECGqB,ODHrB,CAAA,IAAA,CAAA;EAAM,UAAA,CAAA,IAAA,ECWE,SDXF,CAAA,ECWc,ODXd,CAAA,IAAA,CAAA;EAUC,gBAAA,CAAA,WAAA,EAAA,MAAA,CAAA,ECkBuB,ODlBvB,CCkB+B,SDlB/B,GAAA,IAAA,CAAA;EAA0B,iBAAA,CAAA,YAAA,EAAA,MAAA,CAAA,ECkDD,ODlDC,CCkDO,SDlDP,GAAA,IAAA,CAAA;EAAmB,WAAA,CAAA,WAAA,EAAA,MAAA,CAAA,EC+E3B,OD/E2B,CAAA,IAAA,CAAA;EAArC,eAAA,CAAA,GAAA,EAAA,MAAA,CAAA,ECsFM,ODtFN,CAAA,IAAA,CAAA;EAmBV,UAAA,CAAA,QAAA,EAAA,MAAA,EAAA,QAAA,EC2EyB,cD3EzB,CAAA,EC2E0C,OD3E1C,CAAA,IAAA,CAAA;EAAY,SAAA,CAAA,QAAA,EAAA,MAAA,CAAA,ECyFG,ODzFH,CCyFW,cDzFX,GAAA,IAAA,CAAA;EAA0B,OAAA,CAAA,UAAA,EAAA,MAAA,EAAA,IAAA,ECmHlB,ODnHkB,CAAA,ECmHR,ODnHQ,CAAA,IAAA,CAAA;EAYpC,MAAA,CAAA,UAAA,EAAA,MAAA,CAAA,ECkHY,ODlHZ,CCkHoB,ODlHpB,GAAA,IAAA,CAAA;EAAwB,SAAA,CAAA,UAAA,EAAA,MAAA,CAAA,EC8IT,OD9IS,CAAA,IAAA,CAAA;EAoBxB,iBAAA,CAAA,KAAA,EAAA,MAAA,CAAA,ECqIkB,ODrIlB,CAAA,OAAA,CAAA;EAAmB;;;EA8CpB,OAAA,CAAA,CAAA,EAAA,IAAA;EAUJ;;;EAsC6B,qBAAA,CAAA,SAAA,EAAA,MAAA,CAAA,EAAA,IAAA;EAQ3B;;;;EAqKP,wBAAA,CAAA,SAAA,EAAA,MAAA,CAAA,EAAA,OAAA;;;;UEteI,OAAA;;;;;;;;;;;;;;UCKA,MAAA;;;;EHGJ,MAAA,EAAA,MAAA;EAIa;EA2FA,YAAA,EAAA,MAAA;EAAR;EAaD,UAAA,EAAA,MAAA;EAUA;EAUC,WAAA,EAAA,MAAA;EAQG;EAAc,kBAAA,EAAA,MAAA;EAAR;EAcX,UAAA,EAAA,MAAA;EAAM;EAUC,aAAA,EAAA,MAAA;EAA0B;EAAmB,OAAA,EGjJ1D,sBHiJ0D,CGjJnC,oBHiJmC,CAAA;EAArC;EAmBV,KAAA,CAAA,EGlKZ,QHkKY;EAAY;EAA0B,cAAA,CAAA,EAAA,MAAA;;;;;;;AAnL3D;;;;;;AAgIkB,cInGL,oBAAA,SAA6B,aJmGxB,CInGsC,MJmGtC,CAAA,CAAA;EAQG,QAAA,OAAA;EAAc,QAAA,YAAA;EAAR,QAAA,IAAA;EAcX,QAAA,OAAA;EAAM,QAAA,SAAA;EAUC,QAAA,SAAA;EAA0B,QAAA,kBAAA;EAAmB,QAAA,eAAA;EAArC,WAAA,CAAA,GAAA,EIzHb,kBJyHa,EAAA,GAAA,EIzHY,MJyHZ;EAmBV;;;EAYE,QAAA,wBAAA;EAAwB;;;EA+BpB,QAAA,UAAA;EAAa;;;;EAiEf,KAAA,CAAA,CAAA,EItLA,OJsLA,CAAA,IAAA,CAAA;EAkBsB;;;EAwGlC,QAAA,qBAAA;EAkDA;;;EA1cJ,UAAA,CAAA,CAAA,EImJY,OJnJZ,CImJoB,iBJnJpB,CAAA;EACG;;;qBI0Jc,QAAQ;;AHxJlC;;EAuGwC,OAAA,CAAA,CAAA,EGyDtB,OHzDsB,CGyDd,IHzDc,CAAA;EAAe;;;EA8ClB,YAAA,CAAA,CAAA,EGmBd,OHnBc,CAAA,IAAA,CAAA;EAQb;;;EAiBsB,UAAA,CAAA,CAAA,EGOzB,OHPyB,CGOjB,gBHPiB,CAAA;EAgCU;;;EAoCnB,OAAA,CAAA,IAAA,EGrDhB,IHqDgB,CAAA,EGrDT,OHqDS,CAAA,IAAA,CAAA;EAQS;;;EAcV,eAAA,CAAA,CAAA,EGpEV,OHoEU,CAAA;IA0BK,GAAA,EAAA,MAAA;IAAU,WAAA,EAAA,MAAA,EAAA;IAWR,GAAA,EAAA,MAAA;EAAR,CAAA,CAAA;EA4BG;;;EAzUiB,YAAA,CAAA,UAAA,EAAA,MAAA,EAAA,IAAA,EAAA,MAAA,CAAA,EGiOnD,OHjOmD,CAAA;;YGmO7C,GAAA,CAAI;;EF/OG;;;;ICKA,KAAM,EAAA,MAAA;IAkBU,MAAA,CAAA,EAAA,MAAA;IAAvB,OAAA,CAAA,EAAA,OAAA;EAED,CAAA,CAAA,ECuPL,ODvPK,CAAA;IAAQ,OAAA,ECwPN,KDxPM,CAAA;;;;ICYJ,CAAA,CAAA;IAA2C,MAAA,CAAA,EAAA,MAAA;EAUtC,CAAA,CAAA;EAAyB;;;EA6GtB,eAAA,CAAA,UAAA,EAAA,MAAA,EAAA,IAAA,EAAA,MAAA,GAAA,SAAA,EAAA,MAAA,EAAA,OAAA,CAAA,EA+JjB,OA/JiB,CAAA;IAQa,GAAA,EAAA,MAAA;IAAR,GAAA,EAAA,MAAA;IAQA,MAAA,EAAA;MAAR,GAAA,EAAA,MAAA;MAQK,GAAA,EAAA,MAAA;IAaM,CAAA;EAAR,CAAA,CAAA;EAQA;;;EAsCX,eAAI,CAAA,UAAA,EAAA,MAAA,EAAA,IAAA,EAAA,MAAA,CAAA,EA0JV,OA1JU,CAAA;IAFV,MAAA,EAAA;MAoCO,GAAA,EAAA,MAAA;MADP,GAAA,EAAA,MAAA;IA2CA,CAAA;EA8EA,CAAA,GAAA,IAAA,CAAA;EA+DA;;;EA4FA,YAAA,CAAA,UAAA,EAAA,MAAA,EAAA,IAAA,EAAA,MAAA,EAAA,MAAA,EAAA,OAAA,CAAA,EA5FA,OA4FA,CAAA;IA6JuB,GAAA,EAAA,MAAA;IAgBK,GAAA,EAAA,MAAA;IAAR,MAAA,EAAA;MA6BqB,GAAA,EAAA,MAAA;MAAR,GAAA,EAAA,MAAA;IA2BN,CAAA;IAAa,gBAAA,EAAA,MAAA;EAsEhB,CAAA,CAAA;EAAuC;;;EAyBhC,cAAA,CAAA,MAAA,EA1UzB,KA0UyB,CAAA;IAwHG,KAAA,EAAA,MAAA;IAAkB,UAAA,EAAA,MAAA;IAAR,IAAA,CAAA,EAAA,MAAA;IAoCzC,KAAA,CAAA,EAAA,OAAA;EACc,CAAA,CAAA,CAAA,EAjejB,OAieiB,CAAA;IASd,MAAA,EAAA;MAWuB,GAAA,EAAA,MAAA;MAAkB,GAAA,EAAA,MAAA;IAOpB,CAAA;IASsB,OAAA,EAngBvC,KAmgBuC,CAAA;MAQ3B,KAAA,EAAA,MAAA;MAQM,GAAA,CAAA,EAAA,MAAA;MAQE,GAAA,CAAA,EAAA,MAAA;MAYN,gBAAA,CAAA,EAAA,MAAA;IAQC,CAAA,CAAA;EAYM,CAAA,CAAA;EAQA;;;EAwBJ,gBAAA,CAAA,CAAA,EAhcD,OAgcC,CAAA;IAkCiB,GAAA,EAAA,MAAA;IAkDpB,IAAA,EAAA,MAAA;IAQM,GAAA,EAAA,MAAA;EAAO,CAAA,CAAA;EAuBlC;;;EAcoC,aAAA,CAAA,CAAA,EAjjBhB,OAijBgB,CAjjBR,UAijBQ,CAAA;EAAO;;;;EAgBpC,YAAA,CAAA,IAAA,EAAA,MAQqC,EAAA,CAAA,EA5iBX,OA4iBW,CA5iBH,UA4iBG,CAAA;EAA5C;;;;;EAqBO,aAAA,CAAA,QAAA,EAtiBoB,UA8iBiB,CAAA,EA9iBJ,OA8iBI,CAAA;IAA5C,GAAA,EAAA,MAAA;IAAO,GAAA,EAAA,MAAA;IASP,GAAA,EAAA,MAAA;EAAO,CAAA,CAAA;EAQP;;;EAwBS,aAAA,CAAA,KAAA,EAjhBe,UAihBf,EAAA,QAAA,EAAA,MAAA,CAAA,EAjhB8C,OAihB9C,CAjhBsD,OAihBtD,CAAA;EAGT;;;EAmB8B,UAAA,CAAA,MAAA,EAAA,MAAA,CAAA,EA9gBC,OA8gBD,CA9gBS,YA8gBT,GAAA,IAAA,CAAA;EAAR;;;EA0BD,QAAA,WAAA;EAWrB;;;EAoBmD,QAAA,iBAAA;EASxB;;;EAn5CW,QAAA,mBAAA;EAAa;;;;ECiCjD;;;EAAG,QAAA,gBAAA;EAAA;;;;;;;;;;;iCD05B6B,UAAU,QAAQ;;;;wBAoCjD,8BACc;;;;sBASd;;;;sBAWuB,kBAAkB;;;;uBAOpB;;;;;;6CASsB;;;;kBAQ3B;;;;wBAQM;;;;0BAQE;;;;oBAYN;;;;qBAQC;;;;2BAYM;;;;2BAQA;;;;wDAW5B;WACK;;;;;;;;;;;uBAYmB;;;;;;;wCAkCiB;;;;;;oBAkDpB;;;;;;0BAQM;;;;;sCAAO,0BAAA,CAsBM,eACxC;;gCAQA,QARO,0BAAA,CAQqC,YAAA;;mCAMR;;sBAAO,0BAAA,CAOH,YACxC;;4CAQA,QARO,0BAAA,CAQqC,SAAA;;8CAQ5C,QARO,0BAAA,CAQqC,SAAA;;uCAMJ;;mCAMJ;;4CAAO,0BAAA,CAQC,iBAC5C;;kCAQA,QARO,0BAAA,CAQqC,cAAA;;uCAArC,0BAAA,CAQiC,UACxC;;iCAQA,QARO,0BAAA,CAQqC,OAAA;;oCAMP;;uCAMG;;kDAY/B,6CAGT;;uCAMwC;;eAE/B;;;;;;;qBAWa,QAAQ;;;;;;;0CAWa;;kEAS3C;;oBAMqB;;2FAWrB;;yCAQA;;;;;+CAMgD;;kDAMG;;;;;iBASxB,UAAU,QAAQ;;;;cCl3C3C,KAAG;YAAwB;GAAM,WAAA,CAAA,WAAA"}
+{"version":3,"file":"index.d.ts","names":[],"sources":["../src/storage.ts","../src/oauth-storage.ts","../src/blobs.ts","../src/types.ts","../src/account-do.ts","../src/index.ts"],"sourcesContent":[],"mappings":";;;;;;;;;;;;;;;;cAUa,iBAAA,SACJ,kBAAA,YACG;EAFC,QAAA,GAAA;EAIa,WAAA,CAAA,GAAA,EAAA,UAAA;EA2FA;;;;EAiCR,UAAA,CAAA,aAAA,CAAA,EAAA,OAAA,CAAA,EAAA,IAAA;EAQG;;;EAcL,OAAA,CAAA,CAAA,EAvDE,OAuDF,CAvDU,GAuDV,GAAA,IAAA,CAAA;EAAM;;;EAU8C,MAAA,CAAA,CAAA,EApDnD,OAoDmD,CAAA,MAAA,GAAA,IAAA,CAAA;EAArC;;;EAmB4B,MAAA,CAAA,CAAA,EA7D1C,OA6D0C,CAAA,MAAA,CAAA;EAYpC;;;EAoBmB,OAAA,CAAA,CAAA,EAnFxB,OAmFwB,CAAA,MAAA,CAAA;EAWf;;;EA6CT,QAAA,CAAA,GAAA,EAnIG,GAmIH,CAAA,EAnIS,OAmIT,CAnIiB,UAmIjB,GAAA,IAAA,CAAA;EAUI;;;EAoCF,GAAA,CAAA,GAAA,EAnKJ,GAmKI,CAAA,EAnKE,OAmKF,CAAA,OAAA,CAAA;EAUe;;;EA2JtB,SAAA,CAAA,IAAA,EA9TU,GA8TV,EAAA,CAAA,EA9TkB,OA8TlB,CAAA;IA8BI,MAAA,EA5VgC,QA4VhC;IA3fR,OAAA,EA+J2D,GA/J3D,EAAA;EACG,CAAA,CAAA;EAAW;;;gBAiLF,YAAY,0BAA0B;EC/K9C;;;EAuG0C,OAAA,CAAA,MAAA,EDoFhC,QCpFgC,EAAA,GAAA,EAAA,MAAA,CAAA,EDoFR,OCpFQ,CAAA,IAAA,CAAA;EAgBb;;;EAsClB,UAAA,CAAA,GAAA,EDkDD,GClDC,EAAA,GAAA,EAAA,MAAA,CAAA,EDkDkB,OClDlB,CAAA,IAAA,CAAA;EAAY;;;EAiDoB,WAAA,CAAA,MAAA,EDY7B,UCZ6B,CAAA,EDYhB,OCZgB,CAAA,IAAA,CAAA;EAAR;;;EA4CF,WAAA,CAAA,CAAA,EDGxB,OCHwB,CAAA,MAAA,CAAA;EAAiB;;;EAwCtB,OAAA,CAAA,CAAA,ED3BvB,OC2BuB,CAAA,IAAA,CAAA;EAAU;;;EAuCb,WAAA,CAAA,CAAA,EDxDhB,OCwDgB,CAAA,MAAA,CAAA;EAWG;;;oBDzDhB;;;AEvSzB;0CFyT+C;;;AGpT/C;EAkBiC,SAAA,CAAA,CAAA,EH0Sb,OG1Sa,CAAA,OAAA,CAAA;EAAvB;;;8BHoTyB;;;AIrSnC;EAAwD,aAAA,CAAA,SAAA,EAAA,MAAA,EAAA,OAAA,EAAA,MAAA,CAAA,EAAA,IAAA;EAUtC;;;EA6GW,cAAA,CAAA,SAAA,EAAA,MAAA,EAAA,QAAA,EAAA,MAAA,EAAA,CAAA,EAAA,IAAA;EAAR;;;EAgBK,iBAAA,CAAA,SAAA,EAAA,MAAA,CAAA,EAAA,IAAA;EAAR;;;EAqBG,iBAAA,CAAA,GAAA,EAAA,MAAA,EAAA,IAAA,EAAA,MAAA,EAAA,QAAA,EAAA,MAAA,CAAA,EAAA,IAAA;EAQA;;;EAsCX,cAAI,CAAA,GAAA,EAAA,MAAA,CAAA,EAAA,OAAA;EAFV;;;EA8EA,kBAAA,CAAA,CAAA,EAAA,MAAA;EA8EA;;;EA6JO,kBAAA,CAAA,CAAA,EAAA,MAAA;EAFP;;;EA6KoB,gBAAA,CAAA,KAAA,CAAA,EAAA,MAAA,EAAA,MAAA,CAAA,EAAA,MAAA,CAAA,EAAA;IA6BqB,KAAA,EJ9UhC,KI8UgC,CAAA;MAAR,GAAA,EAAA,MAAA;MA+BzB,SAAA,EAAA,MAAA;IAAR,CAAA,CAAA;IAkC2B,MAAA,CAAA,EAAA,MAAA;EAAa,CAAA;EAsEhB;;;EAyBe,iBAAA,CAAA,CAAA,EAAA,IAAA;EAAR;;;EAwHa,WAAA,CAAA,YAAA,EAAA,MAAA,EAAA,SAAA,EJpjBnC,UIojBmC,EAAA,OAAA,EAAA,MAAA,EAAA,IAAA,CAAA,EAAA,MAAA,CAAA,EAAA,IAAA;EAoCzC;;;EAqBuB,UAAA,CAAA,YAAA,EAAA,MAAA,CAAA,EAAA;IAAkB,YAAA,EAAA,MAAA;IAOpB,SAAA,EJjmBf,UIimBe;IASsB,OAAA,EAAA,MAAA;IAQ3B,IAAA,EAAA,MAAA,GAAA,IAAA;IAQM,SAAA,EAAA,MAAA;IAQE,UAAA,EAAA,MAAA,GAAA,IAAA;EAYN,CAAA,GAAA,IAAA;EAQC;;;EAgCjB,YAAA,CAAA,CAAA,EJxpBQ,KIwpBR,CAAA;IADL,YAAA,EAAA,MAAA;IAawB,IAAA,EAAA,MAAA,GAAA,IAAA;IAkCiB,SAAA,EAAA,MAAA;IAkDpB,UAAA,EAAA,MAAA,GAAA,IAAA;EAQM,CAAA,CAAA;EAAO;;;EA+BlC,aAAA,CAAA,YAAA,EAAA,MAAA,CAAA,EAAA,OAAA;EAMoC;;;EAQ7B,oBAAA,CAAA,YAQqC,EAAA,MAAA,EAAA,OAAA,EAAA,MAAA,CAAA,EAAA,IAAA;EAA5C;;;EAcwC,WAAA,CAAA,CAAA,EAAA,OAAA;EAMJ;;;EAS7B,gBAAA,CAAA,KAAA,EAQqC,MAAA,EAAA,SAAA,EAAA,MAAA,EAAA,SAAA,EAAA,MAAA,EAAA,IAAA,CAAA,EAAA,MAAA,CAAA,EAAA,IAAA;EAA5C;;;EASO,mBAAA,CAAA,KAQqC,EAAA,MAAA,CAAA,EAAA;IAA5C,SAAA,EAAA,MAAA;IAMqC,IAAA,EAAA,MAAA,GAAA,IAAA;EAMG,CAAA,GAAA,IAAA;EAY/B;;;EAS+B,oBAAA,CAAA,CAAA,EAAA,IAAA;;;;;;;;;;cHp4C/B,kBAAA,YAA8B;;mBACjB;EDLb;;;EA+FK,UAAA,CAAA,CAAA,EAAA,IAAA;EAaD;;;EA4BI,OAAA,CAAA,CAAA,EAAA,IAAA;EAAc,YAAA,CAAA,IAAA,EAAA,MAAA,EAAA,IAAA,EC7BK,YD6BL,CAAA,EC7BoB,OD6BpB,CAAA,IAAA,CAAA;EAAR,WAAA,CAAA,IAAA,EAAA,MAAA,CAAA,ECbO,ODaP,CCbe,YDaf,GAAA,IAAA,CAAA;EAcX,cAAA,CAAA,IAAA,EAAA,MAAA,CAAA,ECGqB,ODHrB,CAAA,IAAA,CAAA;EAAM,UAAA,CAAA,IAAA,ECWE,SDXF,CAAA,ECWc,ODXd,CAAA,IAAA,CAAA;EAUC,gBAAA,CAAA,WAAA,EAAA,MAAA,CAAA,ECkBuB,ODlBvB,CCkB+B,SDlB/B,GAAA,IAAA,CAAA;EAA0B,iBAAA,CAAA,YAAA,EAAA,MAAA,CAAA,ECkDD,ODlDC,CCkDO,SDlDP,GAAA,IAAA,CAAA;EAAmB,WAAA,CAAA,WAAA,EAAA,MAAA,CAAA,EC+E3B,OD/E2B,CAAA,IAAA,CAAA;EAArC,eAAA,CAAA,GAAA,EAAA,MAAA,CAAA,ECsFM,ODtFN,CAAA,IAAA,CAAA;EAmBV,UAAA,CAAA,QAAA,EAAA,MAAA,EAAA,QAAA,EC2EyB,cD3EzB,CAAA,EC2E0C,OD3E1C,CAAA,IAAA,CAAA;EAAY,SAAA,CAAA,QAAA,EAAA,MAAA,CAAA,ECyFG,ODzFH,CCyFW,cDzFX,GAAA,IAAA,CAAA;EAA0B,OAAA,CAAA,UAAA,EAAA,MAAA,EAAA,IAAA,ECmHlB,ODnHkB,CAAA,ECmHR,ODnHQ,CAAA,IAAA,CAAA;EAYpC,MAAA,CAAA,UAAA,EAAA,MAAA,CAAA,ECkHY,ODlHZ,CCkHoB,ODlHpB,GAAA,IAAA,CAAA;EAAwB,SAAA,CAAA,UAAA,EAAA,MAAA,CAAA,EC8IT,OD9IS,CAAA,IAAA,CAAA;EAoBxB,iBAAA,CAAA,KAAA,EAAA,MAAA,CAAA,ECqIkB,ODrIlB,CAAA,OAAA,CAAA;EAAmB;;;EA8CpB,OAAA,CAAA,CAAA,EAAA,IAAA;EAUJ;;;EAsC6B,qBAAA,CAAA,SAAA,EAAA,MAAA,CAAA,EAAA,IAAA;EAQ3B;;;;EAqKP,wBAAA,CAAA,SAAA,EAAA,MAAA,CAAA,EAAA,OAAA;;;;UEteI,OAAA;;;;;;;;;;;;;;UCKA,MAAA;;;;EHGJ,MAAA,EAAA,MAAA;EAIa;EA2FA,YAAA,EAAA,MAAA;EAAR;EAaD,UAAA,EAAA,MAAA;EAUA;EAUC,WAAA,EAAA,MAAA;EAQG;EAAc,kBAAA,EAAA,MAAA;EAAR;EAcX,UAAA,EAAA,MAAA;EAAM;EAUC,aAAA,EAAA,MAAA;EAA0B;EAAmB,OAAA,EGjJ1D,sBHiJ0D,CGjJnC,oBHiJmC,CAAA;EAArC;EAmBV,KAAA,CAAA,EGlKZ,QHkKY;EAAY;EAA0B,cAAA,CAAA,EAAA,MAAA;;;;;;;AAnL3D;;;;;;AAgIkB,cIlGL,oBAAA,SAA6B,aJkGxB,CIlGsC,MJkGtC,CAAA,CAAA;EAQG,QAAA,OAAA;EAAc,QAAA,YAAA;EAAR,QAAA,IAAA;EAcX,QAAA,OAAA;EAAM,QAAA,SAAA;EAUC,QAAA,SAAA;EAA0B,QAAA,kBAAA;EAAmB,QAAA,eAAA;EAArC,WAAA,CAAA,GAAA,EIxHb,kBJwHa,EAAA,GAAA,EIxHY,MJwHZ;EAmBV;;;EAYE,QAAA,wBAAA;EAAwB;;;EA+BpB,QAAA,UAAA;EAAa;;;;EAiEf,KAAA,CAAA,CAAA,EIrLA,OJqLA,CAAA,IAAA,CAAA;EAkBsB;;;EAwGlC,QAAA,qBAAA;EAkDA;;;EA1cJ,UAAA,CAAA,CAAA,EIoJY,OJpJZ,CIoJoB,iBJpJpB,CAAA;EACG;;;qBI2Jc,QAAQ;;AHzJlC;;EAuGwC,OAAA,CAAA,CAAA,EG0DtB,OH1DsB,CG0Dd,IH1Dc,CAAA;EAAe;;;EA8ClB,YAAA,CAAA,CAAA,EGoBd,OHpBc,CAAA,IAAA,CAAA;EAQb;;;EAiBsB,UAAA,CAAA,CAAA,EGQzB,OHRyB,CGQjB,gBHRiB,CAAA;EAgCU;;;EAoCnB,OAAA,CAAA,IAAA,EGpDhB,IHoDgB,CAAA,EGpDT,OHoDS,CAAA,IAAA,CAAA;EAQS;;;EAcV,eAAA,CAAA,CAAA,EGnEV,OHmEU,CAAA;IA0BK,GAAA,EAAA,MAAA;IAAU,WAAA,EAAA,MAAA,EAAA;IAWR,GAAA,EAAA,MAAA;EAAR,CAAA,CAAA;EA4BG;;;EAzUiB,YAAA,CAAA,UAAA,EAAA,MAAA,EAAA,IAAA,EAAA,MAAA,CAAA,EGkOnD,OHlOmD,CAAA;;YGoO7C,GAAA,CAAI;;EFhPG;;;;ICKA,KAAM,EAAA,MAAA;IAkBU,MAAA,CAAA,EAAA,MAAA;IAAvB,OAAA,CAAA,EAAA,OAAA;EAED,CAAA,CAAA,ECwPL,ODxPK,CAAA;IAAQ,OAAA,ECyPN,KDzPM,CAAA;;;;ICaJ,CAAA,CAAA;IAA2C,MAAA,CAAA,EAAA,MAAA;EAUtC,CAAA,CAAA;EAAyB;;;EA6GtB,eAAA,CAAA,UAAA,EAAA,MAAA,EAAA,IAAA,EAAA,MAAA,GAAA,SAAA,EAAA,MAAA,EAAA,OAAA,CAAA,EA+JjB,OA/JiB,CAAA;IAQa,GAAA,EAAA,MAAA;IAAR,GAAA,EAAA,MAAA;IAQA,MAAA,EAAA;MAAR,GAAA,EAAA,MAAA;MAQK,GAAA,EAAA,MAAA;IAaM,CAAA;EAAR,CAAA,CAAA;EAQA;;;EAsCX,eAAI,CAAA,UAAA,EAAA,MAAA,EAAA,IAAA,EAAA,MAAA,CAAA,EA0JV,OA1JU,CAAA;IAFV,MAAA,EAAA;MAoCO,GAAA,EAAA,MAAA;MADP,GAAA,EAAA,MAAA;IA2CA,CAAA;EA8EA,CAAA,GAAA,IAAA,CAAA;EA+DA;;;EA4FA,YAAA,CAAA,UAAA,EAAA,MAAA,EAAA,IAAA,EAAA,MAAA,EAAA,MAAA,EAAA,OAAA,CAAA,EA5FA,OA4FA,CAAA;IA6JuB,GAAA,EAAA,MAAA;IAgBK,GAAA,EAAA,MAAA;IAAR,MAAA,EAAA;MA6BqB,GAAA,EAAA,MAAA;MAAR,GAAA,EAAA,MAAA;IA+BzB,CAAA;IAAR,gBAAA,EAAA,MAAA;EAkC2B,CAAA,CAAA;EAAa;;;EAsEe,cAAA,CAAA,MAAA,EAvVjD,KAuViD,CAAA;IAyBhB,KAAA,EAAA,MAAA;IAAR,UAAA,EAAA,MAAA;IAwHG,IAAA,CAAA,EAAA,MAAA;IAAkB,KAAA,CAAA,EAAA,OAAA;EAAR,CAAA,CAAA,CAAA,EAle5C,OAke4C,CAAA;IAoCzC,MAAA,EAAA;MACc,GAAA,EAAA,MAAA;MASd,GAAA,EAAA,MAAA;IAWuB,CAAA;IAAkB,OAAA,EAzhBrC,KAyhBqC,CAAA;MAOpB,KAAA,EAAA,MAAA;MASsB,GAAA,CAAA,EAAA,MAAA;MAQ3B,GAAA,CAAA,EAAA,MAAA;MAQM,gBAAA,CAAA,EAAA,MAAA;IAQE,CAAA,CAAA;EAYN,CAAA,CAAA;EAQC;;;EAgCjB,gBAAA,CAAA,CAAA,EA1dkB,OA0dlB,CAAA;IADL,GAAA,EAAA,MAAA;IAawB,IAAA,EAAA,MAAA;IAkCiB,GAAA,EAAA,MAAA;EAkDpB,CAAA,CAAA;EAQM;;;EAuBpB,aAAA,CAAA,CAAA,EAzkBa,OAilBwB,CAjlBhB,UAilBgB,CAAA;EAA5C;;;;EAcO,YAAA,CAAA,IAAA,EAAA,MAQqC,EAAA,CAAA,EA1kBX,OA0kBW,CA1kBH,UA0kBG,CAAA;EAA5C;;;;;;EA6BA,iBAAA,CAAA,UAAA,EAAA,MAAA,EAAA,IAAA,EAAA,MAAA,CAAA,EAxkBA,OAwkBA,CAxkBQ,UAwkBR,CAAA;EAAO;;;;;EAyBP,aAAA,CAAA,QAAA,EA/jB2B,UA+jB3B,CAAA,EA/jBwC,OA+jBxC,CAAA;IAMqC,GAAA,EAAA,MAAA;IAMG,GAAA,EAAA,MAAA;IAY/B,GAAA,EAAA,MAAA;EAGT,CAAA,CAAA;EAQS;;;EAWa,aAAA,CAAA,KAAA,EAviBE,UAuiBF,EAAA,QAAA,EAAA,MAAA,CAAA,EAviBiC,OAuiBjC,CAviByC,OAuiBzC,CAAA;EAWqB;;;EA0B3C,UAAA,CAAA,MAAA,EAAA,MAAA,CAAA,EAnjB+B,OAmjB/B,CAnjBuC,YAmjBvC,GAAA,IAAA,CAAA;EAQA;;;EAqB2B,QAAA,WAAA;EAAkB;;;EAz7CM,QAAA,iBAAA;;;;ECiCjD,QAAsC,mBAAA;EAAX;;;EAAxB,QAAA,gBAAA;;;;;;;;;;;;;;;;iCDg8B6B,UAAU,QAAQ;;;;wBAoCjD,8BACc;;;;sBASd;;;;sBAWuB,kBAAkB;;;;uBAOpB;;;;;;6CASsB;;;;kBAQ3B;;;;wBAQM;;;;0BAQE;;;;oBAYN;;;;qBAQC;;;;2BAYM;;;;2BAQA;;;;wDAW5B;WACK;;;;;;;;;;;uBAYmB;;;;;;;wCAkCiB;;;;;;oBAkDpB;;;;;;0BAQM;;;;;sCAAO,0BAAA,CAsBM,eACxC;;gCAQA,QARO,0BAAA,CAQqC,YAAA;;mCAMR;;sBAAO,0BAAA,CAOH,YACxC;;4CAQA,QARO,0BAAA,CAQqC,SAAA;;8CAQ5C,QARO,0BAAA,CAQqC,SAAA;;uCAMJ;;mCAMJ;;4CAAO,0BAAA,CAQC,iBAC5C;;kCAQA,QARO,0BAAA,CAQqC,cAAA;;uCAArC,0BAAA,CAQiC,UACxC;;iCAQA,QARO,0BAAA,CAQqC,OAAA;;oCAMP;;uCAMG;;kDAY/B,6CAGT;;uCAMwC;;eAE/B;;;;;;;qBAWa,QAAQ;;;;;;;0CAWa;;kEAS3C;;oBAMqB;;2FAWrB;;yCAQA;;;;;+CAMgD;;kDAMG;;;;;iBASxB,UAAU,QAAQ;;;;cCx5C3C,KAAG;YAAwB;GAAM,WAAA,CAAA,WAAA"}

package/dist/index.js

@@ -1,5 +1,5 @@
 import { DurableObject, env, waitUntil } from "cloudflare:workers";
-import { BlockMap, ReadableBlockstore, Repo, WriteOpAction, blocksToCarFile, readCarWithRoot } from "@atproto/repo";
+import { BlockMap, ReadableBlockstore, Repo, WriteOpAction, blocksToCarFile, getRecords, readCarWithRoot } from "@atproto/repo";
 import { Secp256k1Keypair, randomStr, verifySignature } from "@atproto/crypto";
 import { CID, asCid, isBlobRef } from "@atproto/lex-data";
 import { now } from "@atcute/tid";
@@ -7,8 +7,8 @@ import { decode, encode, fromBytes, isBytes, toBytes, toCidLink } from "@atcute/
 import { CODEC_RAW, create, fromString, toString } from "@atcute/cid";
 import { Hono } from "hono";
 import { cors } from "hono/cors";
-import { isDid, isHandle } from "@atcute/lexicons/syntax";
-import { SignJWT, jwtVerify } from "jose";
+import { isDid, isHandle, isNsid, isRecordKey } from "@atcute/lexicons/syntax";
+import { SignJWT, base64url, jwtVerify } from "jose";
 import { compare, compare as compare$1 } from "bcryptjs";
 import { ATProtoOAuthProvider } from "@getcirrus/oauth-provider";
 import { generateAuthenticationOptions, generateRegistrationOptions, verifyAuthenticationResponse, verifyRegistrationResponse } from "@simplewebauthn/server";
@@ -1365,6 +1365,30 @@ var AccountDurableObject = class extends DurableObject {
 		return blocksToCarFile(root, blocks);
 	}
 	/**
+	* RPC method: Get record with proof as CAR file.
+	* Returns the commit block and all MST blocks needed to verify
+	* the existence (or non-existence) of a record.
+	* Used by com.atproto.sync.getRecord for record verification.
+	*/
+	async rpcGetRecordProof(collection, rkey) {
+		const storage = await this.getStorage();
+		const root = await storage.getRoot();
+		if (!root) throw new Error("No repository root found");
+		const carChunks = [];
+		for await (const chunk of getRecords(storage, root, [{
+			collection,
+			rkey
+		}])) carChunks.push(chunk);
+		const totalLength = carChunks.reduce((acc, chunk) => acc + chunk.length, 0);
+		const result = new Uint8Array(totalLength);
+		let offset = 0;
+		for (const chunk of carChunks) {
+			result.set(chunk, offset);
+			offset += chunk.length;
+		}
+		return result;
+	}
+	/**
 	* RPC method: Import repo from CAR file
 	* This is used for account migration - importing an existing repository
 	* from another PDS.
@@ -1816,7 +1840,7 @@ function extractBlobCids(obj) {
 
 //#endregion
 //#region src/service-auth.ts
-const MINUTE = 60 * 1e3;
+const SERVICE_JWT_EXPIRY_SECONDS = 300;
 /**
 * Shared keypair cache for signing and verification.
 */
@@ -1847,7 +1871,7 @@ function noUndefinedVals(obj) {
 async function createServiceJwt(params) {
 	const { iss, aud, keypair } = params;
 	const iat = Math.floor(Date.now() / 1e3);
-	const exp = iat + MINUTE / 1e3;
+	const exp = iat + SERVICE_JWT_EXPIRY_SECONDS;
 	const lxm = params.lxm ?? void 0;
 	const jti = randomStr(16, "hex");
 	const header = {
@@ -1893,7 +1917,7 @@ async function verifyServiceJwt(token, signingKey, expectedAudience, expectedIss
 
 //#endregion
 //#region src/session.ts
-const ACCESS_TOKEN_LIFETIME = "2h";
+const ACCESS_TOKEN_LIFETIME = "15m";
 const REFRESH_TOKEN_LIFETIME = "90d";
 /**
 * Create a secret key from string for HS256 signing
@@ -2387,7 +2411,7 @@ async function requireAuth(c, next) {
 * Uses @atcute/identity-resolver which is already Workers-compatible
 * (uses redirect: "manual" internally).
 */
-const PLC_DIRECTORY = "https://plc.directory";
+const PLC_DIRECTORY$1 = "https://plc.directory";
 const TIMEOUT_MS = 3e3;
 /**
 * Wrapper that always uses globalThis.fetch so it can be mocked in tests.
@@ -2404,7 +2428,7 @@ var DidResolver = class {
 		this.cache = opts.didCache;
 		this.resolver = new CompositeDidDocumentResolver({ methods: {
 			plc: new PlcDidDocumentResolver({
-				apiUrl: opts.plcUrl ?? PLC_DIRECTORY,
+				apiUrl: opts.plcUrl ?? PLC_DIRECTORY$1,
 				fetch: stubbableFetch
 			}),
 			web: new WebDidDocumentResolver({ fetch: stubbableFetch })
@@ -2753,6 +2777,55 @@ async function getBlob(c, _accountDO) {
 		}
 	});
 }
+async function getRecord$1(c, accountDO) {
+	const did = c.req.query("did");
+	const collection = c.req.query("collection");
+	const rkey = c.req.query("rkey");
+	if (!did) return c.json({
+		error: "InvalidRequest",
+		message: "Missing required parameter: did"
+	}, 400);
+	if (!collection) return c.json({
+		error: "InvalidRequest",
+		message: "Missing required parameter: collection"
+	}, 400);
+	if (!rkey) return c.json({
+		error: "InvalidRequest",
+		message: "Missing required parameter: rkey"
+	}, 400);
+	if (!isDid(did)) return c.json({
+		error: "InvalidRequest",
+		message: "Invalid DID format"
+	}, 400);
+	if (!isNsid(collection)) return c.json({
+		error: "InvalidRequest",
+		message: "Invalid collection format (must be NSID)"
+	}, 400);
+	if (!isRecordKey(rkey)) return c.json({
+		error: "InvalidRequest",
+		message: "Invalid rkey format"
+	}, 400);
+	if (did !== c.env.DID) return c.json({
+		error: "RepoNotFound",
+		message: `Repository not found for DID: ${did}`
+	}, 404);
+	try {
+		const carBytes = await accountDO.rpcGetRecordProof(collection, rkey);
+		return new Response(carBytes, {
+			status: 200,
+			headers: {
+				"Content-Type": "application/vnd.ipld.car",
+				"Content-Length": carBytes.length.toString()
+			}
+		});
+	} catch (err) {
+		console.error("Error getting record proof:", err);
+		return c.json({
+			error: "InternalServerError",
+			message: "Failed to get record proof"
+		}, 500);
+	}
+}
 
 //#endregion
 //#region src/validation.ts
@@ -3334,6 +3407,176 @@ async function resetMigration(c, accountDO) {
 	}
 }
 
+//#endregion
+//#region src/migration-token.ts
+/**
+* Stateless migration tokens for outbound account migration
+*
+* Uses HMAC-SHA256 to create tokens that encode the DID and expiry time.
+* No database storage required - validity is verified by the signature.
+*
+* Token format: base64url(payload).base64url(signature)
+* Payload: {"did":"did:plc:xxx","exp":1736600000}
+*
+* Tokens expire after 15 minutes - enough time to complete the migration
+* process but short enough to limit exposure if the token is leaked.
+*/
+const TOKEN_EXPIRY = 15 * (60 * 1e3);
+/**
+* Create an HMAC-SHA256 signature
+*/
+async function hmacSign(data, secret) {
+	const encoder = new TextEncoder();
+	const key = await crypto.subtle.importKey("raw", encoder.encode(secret), {
+		name: "HMAC",
+		hash: "SHA-256"
+	}, false, ["sign"]);
+	return crypto.subtle.sign("HMAC", key, encoder.encode(data));
+}
+/**
+* Verify an HMAC-SHA256 signature
+*/
+async function hmacVerify(data, signature, secret) {
+	const encoder = new TextEncoder();
+	const key = await crypto.subtle.importKey("raw", encoder.encode(secret), {
+		name: "HMAC",
+		hash: "SHA-256"
+	}, false, ["verify"]);
+	return crypto.subtle.verify("HMAC", key, signature, encoder.encode(data));
+}
+/**
+* Create a migration token for outbound migration
+*
+* @param did - The user's DID
+* @param jwtSecret - The JWT_SECRET used for signing
+* @returns A stateless, signed token
+*/
+async function createMigrationToken(did, jwtSecret) {
+	const payload = {
+		did,
+		exp: Math.floor((Date.now() + TOKEN_EXPIRY) / 1e3)
+	};
+	const payloadStr = JSON.stringify(payload);
+	const payloadB64 = base64url.encode(new TextEncoder().encode(payloadStr));
+	const signature = await hmacSign(payloadB64, jwtSecret);
+	return `${payloadB64}.${base64url.encode(new Uint8Array(signature))}`;
+}
+/**
+* Validate a migration token
+*
+* @param token - The token to validate
+* @param expectedDid - The expected DID (must match token payload)
+* @param jwtSecret - The JWT_SECRET used for verification
+* @returns The payload if valid, null if invalid/expired
+*/
+async function validateMigrationToken(token, expectedDid, jwtSecret) {
+	const parts = token.split(".");
+	if (parts.length !== 2) return null;
+	const [payloadB64, signatureB64] = parts;
+	try {
+		if (!await hmacVerify(payloadB64, base64url.decode(signatureB64).buffer, jwtSecret)) return null;
+		const payloadStr = new TextDecoder().decode(base64url.decode(payloadB64));
+		const payload = JSON.parse(payloadStr);
+		if (payload.did !== expectedDid) return null;
+		const now$1 = Math.floor(Date.now() / 1e3);
+		if (payload.exp < now$1) return null;
+		return payload;
+	} catch {
+		return null;
+	}
+}
+
+//#endregion
+//#region src/xrpc/identity.ts
+const PLC_DIRECTORY = "https://plc.directory";
+/**
+* Request a PLC operation signature for outbound migration.
+*
+* In Bluesky's implementation, this sends an email with a token.
+* In Cirrus, we're single-user with no email, so we just return success.
+* The user gets the token via `pds migrate-token` CLI.
+*
+* Endpoint: POST com.atproto.identity.requestPlcOperationSignature
+*/
+async function requestPlcOperationSignature(c) {
+	return new Response(null, { status: 200 });
+}
+/**
+* Sign a PLC operation for migrating to a new PDS.
+*
+* Validates the migration token and returns a signed PLC operation
+* that updates the DID document to point to the new PDS.
+*
+* Endpoint: POST com.atproto.identity.signPlcOperation
+*/
+async function signPlcOperation(c) {
+	const body = await c.req.json();
+	const { token } = body;
+	if (!token) return c.json({
+		error: "InvalidRequest",
+		message: "Missing required parameter: token"
+	}, 400);
+	if (!await validateMigrationToken(token, c.env.DID, c.env.JWT_SECRET)) return c.json({
+		error: "InvalidToken",
+		message: "Invalid or expired migration token"
+	}, 400);
+	const currentOp = await getLatestPlcOperation(c.env.DID);
+	if (!currentOp) return c.json({
+		error: "InternalServerError",
+		message: "Could not fetch current PLC state"
+	}, 500);
+	const signedOp = await signOperation({
+		type: "plc_operation",
+		prev: currentOp.cid,
+		rotationKeys: body.rotationKeys ?? currentOp.operation.rotationKeys,
+		alsoKnownAs: body.alsoKnownAs ?? currentOp.operation.alsoKnownAs,
+		verificationMethods: body.verificationMethods ?? currentOp.operation.verificationMethods,
+		services: body.services ?? currentOp.operation.services
+	}, await Secp256k1Keypair.import(c.env.SIGNING_KEY));
+	return c.json({ operation: signedOp });
+}
+/**
+* Get the latest PLC operation for a DID
+*/
+async function getLatestPlcOperation(did) {
+	try {
+		const res = await fetch(`${PLC_DIRECTORY}/${did}/log/audit`);
+		if (!res.ok) return null;
+		return (await res.json()).filter((op) => !op.nullified).pop() ?? null;
+	} catch {
+		return null;
+	}
+}
+/**
+* Sign a PLC operation with the given keypair
+*
+* PLC operations are signed by:
+* 1. CBOR-encoding the unsigned operation
+* 2. Signing the bytes with secp256k1
+* 3. Adding the signature as base64url
+*/
+async function signOperation(op, keypair) {
+	const bytes = encode(op);
+	const sig = await keypair.sign(bytes);
+	return {
+		...op,
+		sig: base64url.encode(sig)
+	};
+}
+/**
+* Generate a migration token for the CLI.
+*
+* This endpoint allows the CLI to generate a token that can be used
+* to complete an outbound migration without requiring the secret
+* to be available client-side.
+*
+* Endpoint: GET gg.mk.experimental.getMigrationToken
+*/
+async function getMigrationToken(c) {
+	const token = await createMigrationToken(c.env.DID, c.env.JWT_SECRET);
+	return c.json({ token });
+}
+
 //#endregion
 //#region src/passkey-ui.ts
 /**
@@ -3755,7 +3998,7 @@ function renderPasskeyErrorPage(error, description) {
 
 //#endregion
 //#region package.json
-var version = "0.7.0";
+var version = "0.9.0";
 
 //#endregion
 //#region src/index.ts
@@ -3886,6 +4129,7 @@ app.get("/xrpc/com.atproto.sync.getBlocks", (c) => getBlocks(c, getAccountDO(c.e
 app.get("/xrpc/com.atproto.sync.getBlob", (c) => getBlob(c, getAccountDO(c.env)));
 app.get("/xrpc/com.atproto.sync.listRepos", (c) => listRepos(c, getAccountDO(c.env)));
 app.get("/xrpc/com.atproto.sync.listBlobs", (c) => listBlobs(c, getAccountDO(c.env)));
+app.get("/xrpc/com.atproto.sync.getRecord", (c) => getRecord$1(c, getAccountDO(c.env)));
 app.get("/xrpc/com.atproto.sync.subscribeRepos", async (c) => {
 	if (c.req.header("Upgrade") !== "websocket") return c.json({
 		error: "InvalidRequest",
@@ -3920,6 +4164,9 @@ app.use("/xrpc/com.atproto.identity.resolveHandle", async (c, next) => {
 	if (c.req.query("handle") === c.env.HANDLE) return c.json({ did: c.env.DID });
 	await next();
 });
+app.post("/xrpc/com.atproto.identity.requestPlcOperationSignature", requireAuth, requestPlcOperationSignature);
+app.post("/xrpc/com.atproto.identity.signPlcOperation", requireAuth, signPlcOperation);
+app.get("/xrpc/gg.mk.experimental.getMigrationToken", requireAuth, getMigrationToken);
 app.post("/xrpc/com.atproto.server.createSession", createSession);
 app.post("/xrpc/com.atproto.server.refreshSession", refreshSession);
 app.get("/xrpc/com.atproto.server.getSession", getSession);