@hatk/hatk 0.0.1-alpha.23 → 0.0.1-alpha.25

package/dist/oauth/session.js

@@ -0,0 +1,65 @@
+// SSR session cookie — signed HttpOnly cookie for server-side viewer resolution.
+// Separate from OAuth protocol flows but uses the same server keypair.
+import { base64UrlEncode, base64UrlDecode } from "./crypto.js";
+let _privateJwk;
+let _cookieName = '__hatk_session';
+const MAX_AGE = 30 * 24 * 60 * 60; // 30 days in seconds
+export function getSessionCookieName() {
+    return _cookieName;
+}
+export function initSession(privateJwk, cookieName) {
+    _privateJwk = privateJwk;
+    if (cookieName)
+        _cookieName = cookieName;
+}
+async function hmacKey(usage) {
+    return crypto.subtle.importKey('raw', new TextEncoder().encode(JSON.stringify(_privateJwk, Object.keys(_privateJwk).sort())), { name: 'HMAC', hash: 'SHA-256' }, false, [usage]);
+}
+export async function createSessionCookie(did) {
+    const timestamp = Math.floor(Date.now() / 1000);
+    const payload = `${did}.${timestamp}`;
+    const key = await hmacKey('sign');
+    const sig = await crypto.subtle.sign('HMAC', key, new TextEncoder().encode(payload));
+    return `${payload}.${base64UrlEncode(new Uint8Array(sig))}`;
+}
+export function sessionCookieHeader(value, secure) {
+    const parts = [
+        `${_cookieName}=${value}`,
+        'HttpOnly',
+        'SameSite=Lax',
+        'Path=/',
+        `Max-Age=${MAX_AGE}`,
+    ];
+    if (secure)
+        parts.push('Secure');
+    return parts.join('; ');
+}
+export function clearSessionCookieHeader() {
+    return `${_cookieName}=; HttpOnly; SameSite=Lax; Path=/; Max-Age=0`;
+}
+export async function parseSessionCookie(request) {
+    const cookieHeader = request.headers.get('cookie');
+    if (!cookieHeader)
+        return null;
+    const match = cookieHeader.split(';').map(c => c.trim()).find(c => c.startsWith(`${_cookieName}=`));
+    if (!match)
+        return null;
+    const value = match.slice(_cookieName.length + 1);
+    const parts = value.split('.');
+    // Format: did:plc:xxx.timestamp.signature — DID contains dots so take last 2 parts
+    if (parts.length < 3)
+        return null;
+    const signature = parts.pop();
+    const timestamp = parts.pop();
+    const did = parts.join('.');
+    const ts = Number(timestamp);
+    if (isNaN(ts) || (Date.now() / 1000 - ts) > MAX_AGE)
+        return null;
+    const payload = `${did}.${timestamp}`;
+    const key = await hmacKey('verify');
+    const sigBytes = base64UrlDecode(signature);
+    const valid = await crypto.subtle.verify('HMAC', key, sigBytes, new TextEncoder().encode(payload));
+    if (!valid)
+        return null;
+    return { did };
+}

package/dist/opengraph.d.ts

@@ -28,7 +28,17 @@ export interface OpengraphResult {
         description?: string;
     };
 }
+export declare function defineOG(path: string, generate: (ctx: OpengraphContext) => Promise<OpengraphResult>): {
+    __type: "og";
+    path: string;
+    generate: (ctx: OpengraphContext) => Promise<OpengraphResult>;
+};
 export declare function initOpengraph(ogDir: string): Promise<void>;
+/** Register a single OG handler from a scanned server/ module. */
+export declare function registerOgHandler(ogMod: {
+    path: string;
+    generate: (ctx: OpengraphContext) => Promise<OpengraphResult>;
+}): void;
 export declare function handleOpengraphRequest(pathname: string): Promise<Buffer | null>;
 export declare function buildOgMeta(pathname: string, origin: string): string | null;
 //# sourceMappingURL=opengraph.d.ts.map

package/dist/opengraph.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"opengraph.d.ts","sourceRoot":"","sources":["../src/opengraph.ts"],"names":[],"mappings":"AAoBA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,WAAW,CAAA;AAE5C,4CAA4C;AAC5C,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAA;IACZ,KAAK,EAAE;QACL,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;QAC3B,QAAQ,CAAC,EAAE,CAAC,UAAU,GAAG,MAAM,CAAC,EAAE,GAAG,MAAM,CAAA;QAC3C,GAAG,CAAC,EAAE,MAAM,CAAA;QACZ,KAAK,CAAC,EAAE,MAAM,CAAA;QACd,MAAM,CAAC,EAAE,MAAM,CAAA;QACf,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAA;KACnB,CAAA;CACF;AAED,uDAAuD;AACvD,MAAM,WAAW,gBAAiB,SAAQ,WAAW;IACnD,UAAU,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAA;CACpD;AAED,qDAAqD;AACrD,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,UAAU,CAAA;IACnB,OAAO,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,GAAG,EAAE,CAAA;KAAE,CAAA;IAC5D,IAAI,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,WAAW,CAAC,EAAE,MAAM,CAAA;KAAE,CAAA;CAChD;AAkCD,wBAAsB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAoGhE;AAED,wBAAsB,sBAAsB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CA8BrF;AAED,wBAAgB,WAAW,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAyC3E"}
+{"version":3,"file":"opengraph.d.ts","sourceRoot":"","sources":["../src/opengraph.ts"],"names":[],"mappings":"AA+BA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,WAAW,CAAA;AAE5C,4CAA4C;AAC5C,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAA;IACZ,KAAK,EAAE;QACL,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;QAC3B,QAAQ,CAAC,EAAE,CAAC,UAAU,GAAG,MAAM,CAAC,EAAE,GAAG,MAAM,CAAA;QAC3C,GAAG,CAAC,EAAE,MAAM,CAAA;QACZ,KAAK,CAAC,EAAE,MAAM,CAAA;QACd,MAAM,CAAC,EAAE,MAAM,CAAA;QACf,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAA;KACnB,CAAA;CACF;AAED,uDAAuD;AACvD,MAAM,WAAW,gBAAiB,SAAQ,WAAW;IACnD,UAAU,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAA;CACpD;AAED,qDAAqD;AACrD,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,UAAU,CAAA;IACnB,OAAO,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,GAAG,EAAE,CAAA;KAAE,CAAA;IAC5D,IAAI,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,WAAW,CAAC,EAAE,MAAM,CAAA;KAAE,CAAA;CAChD;AAED,wBAAgB,QAAQ,CACtB,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,OAAO,CAAC,eAAe,CAAC;;;oBAA7C,gBAAgB,KAAK,OAAO,CAAC,eAAe,CAAC;EAG9D;AAkCD,wBAAsB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAoGhE;AAED,kEAAkE;AAClE,wBAAgB,iBAAiB,CAAC,KAAK,EAAE;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,OAAO,CAAC,eAAe,CAAC,CAAA;CAAE,GAAG,IAAI,CAgF9H;AAED,wBAAsB,sBAAsB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CA+BrF;AAED,wBAAgB,WAAW,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAyC3E"}

package/dist/opengraph.js

@@ -9,11 +9,25 @@ var __rewriteRelativeImportExtension = (this && this.__rewriteRelativeImportExte
 import { resolve } from 'node:path';
 import { readFileSync, readdirSync } from 'node:fs';
 import { log } from "./logger.js";
-import satori from 'satori';
-import { Resvg } from '@resvg/resvg-js';
+// Lazy-imported to avoid CJS require() issues in Vite's module runner
+let _satori = null;
+let _Resvg = null;
+async function getSatori() {
+    if (!_satori)
+        _satori = (await import('satori')).default;
+    return _satori;
+}
+async function getResvg() {
+    if (!_Resvg)
+        _Resvg = (await import('@resvg/resvg-js')).Resvg;
+    return _Resvg;
+}
 import { querySQL, runSQL, packCursor, unpackCursor, isTakendownDid, filterTakendownDids, searchRecords, findUriByFields, lookupByFieldBatch, countByFieldBatch, queryLabelsForUris, } from "./database/db.js";
 import { resolveRecords } from "./hydrate.js";
 import { blobUrl } from "./xrpc.js";
+export function defineOG(path, generate) {
+    return { __type: 'og', path, generate };
+}
 const handlers = [];
 const pageRoutes = [];
 let defaultFont = null;
@@ -51,7 +65,7 @@ export async function initOpengraph(ogDir) {
     for (const file of files) {
         const name = file.replace(/\.(ts|js)$/, '');
         const scriptPath = resolve(ogDir, file);
-        const mod = await import(__rewriteRelativeImportExtension(scriptPath));
+        const mod = await import(__rewriteRelativeImportExtension(/* @vite-ignore */ `${scriptPath}?t=${Date.now()}`));
         const handler = mod.default;
         if (!handler.path) {
             console.warn(`[opengraph] ${file} missing 'path' export, skipping`);
@@ -117,7 +131,7 @@ export async function initOpengraph(ogDir) {
                     ...result.options,
                     fonts: [...(defaultFont ? [defaultFont] : []), ...(result.options?.fonts || [])],
                 };
-                const svg = await satori(element, options);
+                const svg = await (await getSatori())(element, options);
                 return { svg, meta: result.meta };
             },
         });
@@ -129,6 +143,89 @@ export async function initOpengraph(ogDir) {
         }
     }
 }
+/** Register a single OG handler from a scanned server/ module. */
+export function registerOgHandler(ogMod) {
+    const { pattern, paramNames } = compilePath(ogMod.path);
+    const name = ogMod.path.replace(/^\//, '').replace(/\//g, '-').replace(/:/g, '');
+    // Load default font if not already loaded
+    if (!defaultFont) {
+        try {
+            const fontPath = resolve(import.meta.dirname, '..', 'fonts', 'Inter-Regular.woff');
+            const fontData = readFileSync(fontPath);
+            defaultFont = { name: 'Inter', data: fontData.buffer, weight: 400, style: 'normal' };
+        }
+        catch { }
+    }
+    handlers.push({
+        name,
+        path: ogMod.path,
+        pattern,
+        paramNames,
+        execute: async (params) => {
+            const ctx = {
+                db: { query: querySQL, run: runSQL },
+                params,
+                input: {},
+                limit: 1,
+                viewer: null,
+                packCursor,
+                unpackCursor,
+                isTakendown: isTakendownDid,
+                filterTakendownDids,
+                search: searchRecords,
+                resolve: resolveRecords,
+                lookup: async (collection, field, values) => {
+                    if (values.length === 0)
+                        return new Map();
+                    const unique = [...new Set(values.filter(Boolean))];
+                    return lookupByFieldBatch(collection, field, unique);
+                },
+                count: async (collection, field, values) => {
+                    if (values.length === 0)
+                        return new Map();
+                    const unique = [...new Set(values.filter(Boolean))];
+                    return countByFieldBatch(collection, field, unique);
+                },
+                exists: async (collection, filters) => {
+                    const conditions = Object.entries(filters).map(([field, value]) => ({ field, value }));
+                    const uri = await findUriByFields(collection, conditions);
+                    return uri !== null;
+                },
+                labels: queryLabelsForUris,
+                blobUrl,
+            };
+            ctx.fetchImage = async (url) => {
+                try {
+                    const resp = await fetch(url, { redirect: 'follow' });
+                    if (!resp.ok)
+                        return null;
+                    const buf = Buffer.from(await resp.arrayBuffer());
+                    const contentType = resp.headers.get('content-type') || 'image/jpeg';
+                    return `data:${contentType};base64,${buf.toString('base64')}`;
+                }
+                catch {
+                    return null;
+                }
+            };
+            const result = await ogMod.generate(ctx);
+            const element = result.element;
+            const options = {
+                width: 1200,
+                height: 630,
+                ...result.options,
+                fonts: [...(defaultFont ? [defaultFont] : []), ...(result.options?.fonts || [])],
+            };
+            const svg = await (await getSatori())(element, options);
+            return { svg, meta: result.meta };
+        },
+    });
+    const pagePath = ogMod.path.replace(/^\/og/, '');
+    if (pagePath !== ogMod.path) {
+        const compiled = compilePath(pagePath);
+        pageRoutes.push({ ogPath: ogMod.path, pattern: compiled.pattern, paramNames: compiled.paramNames, name });
+    }
+    log(`[opengraph] registered: ${name} → ${ogMod.path}`);
+}
 export async function handleOpengraphRequest(pathname) {
     const cached = cache.get(pathname);
     if (cached && cached.expires > Date.now())
@@ -143,6 +240,7 @@ export async function handleOpengraphRequest(pathname) {
         });
         try {
             const { svg, meta } = await handler.execute(params);
+            const Resvg = await getResvg();
             const png = new Resvg(svg, { fitTo: { mode: 'width', value: 1200 } }).render().asPng();
             if (cache.size >= CACHE_MAX) {
                 const oldest = cache.keys().next().value;

package/dist/pds-proxy.d.ts

@@ -0,0 +1,39 @@
+import type { OAuthConfig } from './config.ts';
+export declare class ProxyError extends Error {
+    status: number;
+    constructor(status: number, message: string);
+}
+export declare function pdsCreateRecord(oauthConfig: OAuthConfig, viewer: {
+    did: string;
+}, input: {
+    collection: string;
+    repo?: string;
+    rkey?: string;
+    record: Record<string, unknown>;
+}): Promise<{
+    uri?: string;
+    cid?: string;
+}>;
+export declare function pdsDeleteRecord(oauthConfig: OAuthConfig, viewer: {
+    did: string;
+}, input: {
+    collection: string;
+    rkey: string;
+}): Promise<Record<string, unknown>>;
+export declare function pdsPutRecord(oauthConfig: OAuthConfig, viewer: {
+    did: string;
+}, input: {
+    collection: string;
+    rkey: string;
+    record: Record<string, unknown>;
+    repo?: string;
+}): Promise<{
+    uri?: string;
+    cid?: string;
+}>;
+export declare function pdsUploadBlob(oauthConfig: OAuthConfig, viewer: {
+    did: string;
+}, body: Uint8Array, contentType: string): Promise<{
+    blob: unknown;
+}>;
+//# sourceMappingURL=pds-proxy.d.ts.map

package/dist/pds-proxy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pds-proxy.d.ts","sourceRoot":"","sources":["../src/pds-proxy.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAA;AAS9C,qBAAa,UAAW,SAAQ,KAAK;IAChB,MAAM,EAAE,MAAM;gBAAd,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM;CAGnD;AA8GD,wBAAsB,eAAe,CACnC,WAAW,EAAE,WAAW,EACxB,MAAM,EAAE;IAAE,GAAG,EAAE,MAAM,CAAA;CAAE,EACvB,KAAK,EAAE;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAAE,GAC3F,OAAO,CAAC;IAAE,GAAG,CAAC,EAAE,MAAM,CAAC;IAAC,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CA2BzC;AAED,wBAAsB,eAAe,CACnC,WAAW,EAAE,WAAW,EACxB,MAAM,EAAE;IAAE,GAAG,EAAE,MAAM,CAAA;CAAE,EACvB,KAAK,EAAE;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GAC1C,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAsBlC;AAED,wBAAsB,YAAY,CAChC,WAAW,EAAE,WAAW,EACxB,MAAM,EAAE;IAAE,GAAG,EAAE,MAAM,CAAA;CAAE,EACvB,KAAK,EAAE;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAA;CAAE,GAC1F,OAAO,CAAC;IAAE,GAAG,CAAC,EAAE,MAAM,CAAC;IAAC,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CA2BzC;AAED,wBAAsB,aAAa,CACjC,WAAW,EAAE,WAAW,EACxB,MAAM,EAAE;IAAE,GAAG,EAAE,MAAM,CAAA;CAAE,EACvB,IAAI,EAAE,UAAU,EAChB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC;IAAE,IAAI,EAAE,OAAO,CAAA;CAAE,CAAC,CAS5B"}

package/dist/pds-proxy.js

@@ -0,0 +1,173 @@
+// Shared PDS proxy functions — used by both HTTP route handlers and XRPC handlers.
+import { getSession, getServerKey } from "./oauth/db.js";
+import { createDpopProof } from "./oauth/dpop.js";
+import { refreshPdsSession } from "./oauth/server.js";
+import { validateRecord } from '@bigmoves/lexicon';
+import { getLexiconArray } from "./database/schema.js";
+import { insertRecord, deleteRecord as dbDeleteRecord } from "./database/db.js";
+import { emit } from "./logger.js";
+export class ProxyError extends Error {
+    status;
+    constructor(status, message) {
+        super(message);
+        this.status = status;
+    }
+}
+/** Shared retry logic: DPoP nonce handling + token refresh. */
+async function withDpopRetry(oauthConfig, session, doFetch) {
+    let accessToken = session.access_token;
+    let result = await doFetch(accessToken);
+    if (result.ok)
+        return result;
+    let nonce;
+    // Step 1: handle DPoP nonce requirement
+    if (result.body.error === 'use_dpop_nonce') {
+        nonce = result.headers.get('DPoP-Nonce') || undefined;
+        if (nonce) {
+            result = await doFetch(accessToken, nonce);
+            if (result.ok)
+                return result;
+        }
+    }
+    // Step 2: handle expired PDS token — refresh and retry
+    if (result.body.error === 'invalid_token') {
+        const refreshed = await refreshPdsSession(oauthConfig, session);
+        if (refreshed) {
+            accessToken = refreshed.accessToken;
+            result = await doFetch(accessToken, nonce);
+            if (result.ok)
+                return result;
+            if (result.body.error === 'use_dpop_nonce') {
+                nonce = result.headers.get('DPoP-Nonce') || undefined;
+                if (nonce)
+                    result = await doFetch(accessToken, nonce);
+            }
+        }
+    }
+    return result;
+}
+async function proxyToPds(oauthConfig, session, method, pdsUrl, body) {
+    const serverKey = await getServerKey('appview-oauth-key');
+    const privateJwk = JSON.parse(serverKey.privateKey);
+    const publicJwk = JSON.parse(serverKey.publicKey);
+    return withDpopRetry(oauthConfig, session, async (token, nonce) => {
+        const proof = await createDpopProof(privateJwk, publicJwk, method, pdsUrl, token, nonce);
+        const res = await fetch(pdsUrl, {
+            method,
+            headers: {
+                'Content-Type': 'application/json',
+                Authorization: `DPoP ${token}`,
+                DPoP: proof,
+            },
+            body: JSON.stringify(body),
+        });
+        const resBody = await res.json().catch(() => ({}));
+        return { ok: res.ok, status: res.status, body: resBody, headers: res.headers };
+    });
+}
+/** Proxy a raw binary request to the user's PDS with DPoP + nonce retry + token refresh. */
+async function proxyToPdsRaw(oauthConfig, session, pdsUrl, body, contentType) {
+    const serverKey = await getServerKey('appview-oauth-key');
+    const privateJwk = JSON.parse(serverKey.privateKey);
+    const publicJwk = JSON.parse(serverKey.publicKey);
+    return withDpopRetry(oauthConfig, session, async (token, nonce) => {
+        const proof = await createDpopProof(privateJwk, publicJwk, 'POST', pdsUrl, token, nonce);
+        const res = await fetch(pdsUrl, {
+            method: 'POST',
+            headers: {
+                'Content-Type': contentType,
+                'Content-Length': String(body.length),
+                Authorization: `DPoP ${token}`,
+                DPoP: proof,
+            },
+            body: Buffer.from(body),
+        });
+        const resBody = await res.json().catch(() => ({}));
+        return { ok: res.ok, status: res.status, body: resBody, headers: res.headers };
+    });
+}
+// --- High-level proxy functions ---
+export async function pdsCreateRecord(oauthConfig, viewer, input) {
+    const validationError = validateRecord(getLexiconArray(), input.collection, input.record);
+    if (validationError) {
+        throw new ProxyError(400, `InvalidRecord: ${validationError.path ? validationError.path + ': ' : ''}${validationError.message}`);
+    }
+    const session = await getSession(viewer.did);
+    if (!session)
+        throw new ProxyError(401, 'No PDS session for user');
+    const pdsUrl = `${session.pds_endpoint}/xrpc/com.atproto.repo.createRecord`;
+    const pdsBody = {
+        repo: viewer.did,
+        collection: input.collection,
+        rkey: input.rkey,
+        record: input.record,
+    };
+    const pdsRes = await proxyToPds(oauthConfig, session, 'POST', pdsUrl, pdsBody);
+    if (!pdsRes.ok)
+        throw new ProxyError(pdsRes.status, String(pdsRes.body.error || 'PDS write failed'));
+    try {
+        await insertRecord(input.collection, String(pdsRes.body.uri), String(pdsRes.body.cid), viewer.did, input.record);
+    }
+    catch (err) {
+        emit('pds-proxy', 'local_index_error', { op: 'createRecord', error: err instanceof Error ? err.message : String(err) });
+    }
+    return pdsRes.body;
+}
+export async function pdsDeleteRecord(oauthConfig, viewer, input) {
+    const session = await getSession(viewer.did);
+    if (!session)
+        throw new ProxyError(401, 'No PDS session for user');
+    const pdsUrl = `${session.pds_endpoint}/xrpc/com.atproto.repo.deleteRecord`;
+    const pdsBody = {
+        repo: viewer.did,
+        collection: input.collection,
+        rkey: input.rkey,
+    };
+    const pdsRes = await proxyToPds(oauthConfig, session, 'POST', pdsUrl, pdsBody);
+    if (!pdsRes.ok)
+        throw new ProxyError(pdsRes.status, String(pdsRes.body.error || 'PDS delete failed'));
+    try {
+        const uri = `at://${viewer.did}/${input.collection}/${input.rkey}`;
+        await dbDeleteRecord(input.collection, uri);
+    }
+    catch (err) {
+        emit('pds-proxy', 'local_index_error', { op: 'deleteRecord', error: err instanceof Error ? err.message : String(err) });
+    }
+    return pdsRes.body;
+}
+export async function pdsPutRecord(oauthConfig, viewer, input) {
+    const validationError = validateRecord(getLexiconArray(), input.collection, input.record);
+    if (validationError) {
+        throw new ProxyError(400, `InvalidRecord: ${validationError.path ? validationError.path + ': ' : ''}${validationError.message}`);
+    }
+    const session = await getSession(viewer.did);
+    if (!session)
+        throw new ProxyError(401, 'No PDS session for user');
+    const pdsUrl = `${session.pds_endpoint}/xrpc/com.atproto.repo.putRecord`;
+    const pdsBody = {
+        repo: viewer.did,
+        collection: input.collection,
+        rkey: input.rkey,
+        record: input.record,
+    };
+    const pdsRes = await proxyToPds(oauthConfig, session, 'POST', pdsUrl, pdsBody);
+    if (!pdsRes.ok)
+        throw new ProxyError(pdsRes.status, String(pdsRes.body.error || 'PDS write failed'));
+    try {
+        await insertRecord(input.collection, String(pdsRes.body.uri), String(pdsRes.body.cid), viewer.did, input.record);
+    }
+    catch (err) {
+        emit('pds-proxy', 'local_index_error', { op: 'putRecord', error: err instanceof Error ? err.message : String(err) });
+    }
+    return pdsRes.body;
+}
+export async function pdsUploadBlob(oauthConfig, viewer, body, contentType) {
+    const session = await getSession(viewer.did);
+    if (!session)
+        throw new ProxyError(401, 'No PDS session for user');
+    const pdsUrl = `${session.pds_endpoint}/xrpc/com.atproto.repo.uploadBlob`;
+    const pdsRes = await proxyToPdsRaw(oauthConfig, session, pdsUrl, body, contentType);
+    if (!pdsRes.ok)
+        throw new ProxyError(pdsRes.status, String(pdsRes.body.error || 'PDS upload failed'));
+    return pdsRes.body;
+}

package/dist/renderer.d.ts

@@ -0,0 +1,27 @@
+export interface SSRManifest {
+    getPreloadTags(url: string): string;
+}
+export interface RenderResult {
+    html: string;
+    head?: string;
+}
+export type RendererHandler = (request: Request, manifest: SSRManifest) => Promise<RenderResult>;
+export declare function defineRenderer(handler: RendererHandler): {
+    __type: "renderer";
+    handler: RendererHandler;
+};
+export declare function registerRenderer(handler: RendererHandler): void;
+export declare function setSSRManifest(manifest: SSRManifest): void;
+export declare function getRenderer(): RendererHandler | null;
+export declare function getSSRManifest(): SSRManifest | null;
+/**
+ * Render an HTML page by calling the user's renderer and assembling the result
+ * into the index.html template.
+ *
+ * @param template - The index.html content (with <!--ssr-outlet--> placeholder)
+ * @param request - The incoming Request
+ * @param ogMeta - Optional OG meta tags to inject
+ * @returns Assembled HTML string, or null if no renderer is registered
+ */
+export declare function renderPage(template: string, request: Request, ogMeta?: string | null): Promise<string | null>;
+//# sourceMappingURL=renderer.d.ts.map

package/dist/renderer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"renderer.d.ts","sourceRoot":"","sources":["../src/renderer.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,WAAW;IAC1B,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;CACpC;AAED,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,CAAC,EAAE,MAAM,CAAA;CACd;AAED,MAAM,MAAM,eAAe,GAAG,CAAC,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,WAAW,KAAK,OAAO,CAAC,YAAY,CAAC,CAAA;AAKhG,wBAAgB,cAAc,CAAC,OAAO,EAAE,eAAe;;;EAEtD;AAED,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,eAAe,GAAG,IAAI,CAG/D;AAED,wBAAgB,cAAc,CAAC,QAAQ,EAAE,WAAW,GAAG,IAAI,CAE1D;AAED,wBAAgB,WAAW,IAAI,eAAe,GAAG,IAAI,CAEpD;AAED,wBAAgB,cAAc,IAAI,WAAW,GAAG,IAAI,CAEnD;AAED;;;;;;;;GAQG;AACH,wBAAsB,UAAU,CAC9B,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,OAAO,EAChB,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,GACrB,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAsBxB"}

package/dist/renderer.js

@@ -0,0 +1,46 @@
+import { log } from "./logger.js";
+let renderer = null;
+let ssrManifest = null;
+export function defineRenderer(handler) {
+    return { __type: 'renderer', handler };
+}
+export function registerRenderer(handler) {
+    renderer = handler;
+    log('[renderer] SSR renderer registered');
+}
+export function setSSRManifest(manifest) {
+    ssrManifest = manifest;
+}
+export function getRenderer() {
+    return renderer;
+}
+export function getSSRManifest() {
+    return ssrManifest;
+}
+/**
+ * Render an HTML page by calling the user's renderer and assembling the result
+ * into the index.html template.
+ *
+ * @param template - The index.html content (with <!--ssr-outlet--> placeholder)
+ * @param request - The incoming Request
+ * @param ogMeta - Optional OG meta tags to inject
+ * @returns Assembled HTML string, or null if no renderer is registered
+ */
+export async function renderPage(template, request, ogMeta) {
+    if (!renderer)
+        return null;
+    const manifest = ssrManifest || { getPreloadTags: () => '' };
+    const result = await renderer(request, manifest);
+    let html = template;
+    // Inject SSR head tags (preloads, styles)
+    if (result.head) {
+        html = html.replace('</head>', `${result.head}\n</head>`);
+    }
+    // Inject OG meta tags
+    if (ogMeta) {
+        html = html.replace('</head>', `${ogMeta}\n</head>`);
+    }
+    // Inject rendered HTML into the outlet
+    html = html.replace('<!--ssr-outlet-->', result.html);
+    return html;
+}

package/dist/response.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Create a JSON Response with optional gzip compression.
+ * Mirrors the old jsonResponse/sendJson behavior.
+ */
+export declare function json(data: unknown, status?: number, acceptEncoding?: string | null): Response;
+/** Create a JSON error Response. */
+export declare function jsonError(status: number, message: string, acceptEncoding?: string | null): Response;
+/** CORS preflight Response. */
+export declare function cors(): Response;
+/** Add CORS headers to an existing Response. */
+export declare function withCors(response: Response): Response;
+/** Create a static file Response with correct MIME type. */
+export declare function file(content: Buffer | Uint8Array, contentType: string, cacheControl?: string): Response;
+/** 404 Not Found. */
+export declare function notFound(): Response;
+//# sourceMappingURL=response.d.ts.map

package/dist/response.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"response.d.ts","sourceRoot":"","sources":["../src/response.ts"],"names":[],"mappings":"AAGA;;;GAGG;AACH,wBAAgB,IAAI,CAAC,IAAI,EAAE,OAAO,EAAE,MAAM,SAAM,EAAE,cAAc,CAAC,EAAE,MAAM,GAAG,IAAI,GAAG,QAAQ,CAuB1F;AAED,oCAAoC;AACpC,wBAAgB,SAAS,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,cAAc,CAAC,EAAE,MAAM,GAAG,IAAI,GAAG,QAAQ,CAEnG;AAED,+BAA+B;AAC/B,wBAAgB,IAAI,IAAI,QAAQ,CAS/B;AAED,gDAAgD;AAChD,wBAAgB,QAAQ,CAAC,QAAQ,EAAE,QAAQ,GAAG,QAAQ,CAUrD;AAED,4DAA4D;AAC5D,wBAAgB,IAAI,CAAC,OAAO,EAAE,MAAM,GAAG,UAAU,EAAE,WAAW,EAAE,MAAM,EAAE,YAAY,CAAC,EAAE,MAAM,GAAG,QAAQ,CAQvG;AAED,qBAAqB;AACrB,wBAAgB,QAAQ,IAAI,QAAQ,CAEnC"}

package/dist/response.js

@@ -0,0 +1,69 @@
+import { gzipSync } from 'node:zlib';
+import { normalizeValue } from "./database/db.js";
+/**
+ * Create a JSON Response with optional gzip compression.
+ * Mirrors the old jsonResponse/sendJson behavior.
+ */
+export function json(data, status = 200, acceptEncoding) {
+    const body = Buffer.from(JSON.stringify(data, (_, v) => normalizeValue(v)));
+    if (body.length > 1024 && acceptEncoding && /\bgzip\b/.test(acceptEncoding)) {
+        const compressed = gzipSync(body);
+        return new Response(compressed, {
+            status,
+            headers: {
+                'Content-Type': 'application/json',
+                'Content-Encoding': 'gzip',
+                'Vary': 'Accept-Encoding',
+                ...(status === 200 ? { 'Cache-Control': 'no-store' } : {}),
+            },
+        });
+    }
+    return new Response(body, {
+        status,
+        headers: {
+            'Content-Type': 'application/json',
+            ...(status === 200 ? { 'Cache-Control': 'no-store' } : {}),
+        },
+    });
+}
+/** Create a JSON error Response. */
+export function jsonError(status, message, acceptEncoding) {
+    return json({ error: message }, status, acceptEncoding);
+}
+/** CORS preflight Response. */
+export function cors() {
+    return new Response(null, {
+        status: 200,
+        headers: {
+            'Access-Control-Allow-Origin': '*',
+            'Access-Control-Allow-Headers': '*',
+            'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
+        },
+    });
+}
+/** Add CORS headers to an existing Response. */
+export function withCors(response) {
+    const headers = new Headers(response.headers);
+    headers.set('Access-Control-Allow-Origin', '*');
+    headers.set('Access-Control-Allow-Headers', '*');
+    headers.set('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
+    return new Response(response.body, {
+        status: response.status,
+        statusText: response.statusText,
+        headers,
+    });
+}
+/** Create a static file Response with correct MIME type. */
+export function file(content, contentType, cacheControl) {
+    return new Response(Buffer.from(content), {
+        status: 200,
+        headers: {
+            'Content-Type': contentType,
+            ...(cacheControl ? { 'Cache-Control': cacheControl } : {}),
+        },
+    });
+}
+/** 404 Not Found. */
+export function notFound() {
+    return new Response('Not Found', { status: 404 });
+}

package/dist/scanner.d.ts

@@ -0,0 +1,21 @@
+export interface ScannedModule {
+    path: string;
+    name: string;
+    mod: any;
+}
+export interface ScanResult {
+    feeds: ScannedModule[];
+    queries: ScannedModule[];
+    procedures: ScannedModule[];
+    hooks: ScannedModule[];
+    setup: ScannedModule[];
+    labels: ScannedModule[];
+    og: ScannedModule[];
+    renderer: ScannedModule | null;
+}
+/**
+ * Scan a directory for hatk server modules.
+ * Each file's default export is inspected for a `__type` tag.
+ */
+export declare function scanServerDir(serverDir: string): Promise<ScanResult>;
+//# sourceMappingURL=scanner.d.ts.map

package/dist/scanner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanner.d.ts","sourceRoot":"","sources":["../src/scanner.ts"],"names":[],"mappings":"AAIA,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,EAAE,MAAM,CAAA;IACZ,GAAG,EAAE,GAAG,CAAA;CACT;AAED,MAAM,WAAW,UAAU;IACzB,KAAK,EAAE,aAAa,EAAE,CAAA;IACtB,OAAO,EAAE,aAAa,EAAE,CAAA;IACxB,UAAU,EAAE,aAAa,EAAE,CAAA;IAC3B,KAAK,EAAE,aAAa,EAAE,CAAA;IACtB,KAAK,EAAE,aAAa,EAAE,CAAA;IACtB,MAAM,EAAE,aAAa,EAAE,CAAA;IACvB,EAAE,EAAE,aAAa,EAAE,CAAA;IACnB,QAAQ,EAAE,aAAa,GAAG,IAAI,CAAA;CAC/B;AAmBD;;;GAGG;AACH,wBAAsB,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,CA2D1E"}