@hatk/hatk 0.0.1-alpha.6 → 0.0.1-alpha.60

package/dist/mst.d.ts

@@ -1,6 +1,23 @@
+/** A single entry from a Merkle Search Tree — a record path paired with its content CID. */
 export interface MstEntry {
+    /** Record path, e.g. "xyz.marketplace.listing/3mfniulnr7c2g" */
     path: string;
+    /** CID of the record's CBOR block */
     cid: string;
 }
-export declare function walkMst(blocks: Map<string, Uint8Array>, rootCid: string): MstEntry[];
+/**
+ * Walk an AT Protocol Merkle Search Tree (MST) in key order, yielding every record entry.
+ *
+ * The MST is a prefix-compressed B+ tree used by AT Protocol repositories to map
+ * record paths to CIDs. Each node contains a left subtree pointer, an array of entries
+ * (each with a prefix length, key suffix, value CID, and right subtree pointer), and
+ * keys are reconstructed by combining the prefix of the previous key with the suffix.
+ *
+ * @param blocks - Block store that resolves CIDs to raw CBOR bytes
+ * @param rootCid - CID of the MST root node
+ * @yields {MstEntry} Record entries in lexicographic key order
+ */
+export declare function walkMst(blocks: {
+    get(cid: string): Uint8Array | undefined;
+}, rootCid: string): Generator<MstEntry>;
 //# sourceMappingURL=mst.d.ts.map

package/dist/mst.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"mst.d.ts","sourceRoot":"","sources":["../src/mst.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,MAAM,CAAA;IACZ,GAAG,EAAE,MAAM,CAAA;CACZ;AAED,wBAAgB,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,QAAQ,EAAE,CAiCpF"}
+{"version":3,"file":"mst.d.ts","sourceRoot":"","sources":["../src/mst.ts"],"names":[],"mappings":"AAEA,4FAA4F;AAC5F,MAAM,WAAW,QAAQ;IACvB,gEAAgE;IAChE,IAAI,EAAE,MAAM,CAAA;IACZ,qCAAqC;IACrC,GAAG,EAAE,MAAM,CAAA;CACZ;AAED;;;;;;;;;;;GAWG;AACH,wBAAiB,OAAO,CAAC,MAAM,EAAE;IAAE,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,GAAG,SAAS,CAAA;CAAE,EAAE,OAAO,EAAE,MAAM,GAAG,SAAS,CAAC,QAAQ,CAAC,CA+BnH"}

package/dist/mst.js

@@ -1,14 +1,26 @@
 import { cborDecode } from "./cbor.js";
-export function walkMst(blocks, rootCid) {
-    const entries = [];
-    function visit(cid, prefix) {
+/**
+ * Walk an AT Protocol Merkle Search Tree (MST) in key order, yielding every record entry.
+ *
+ * The MST is a prefix-compressed B+ tree used by AT Protocol repositories to map
+ * record paths to CIDs. Each node contains a left subtree pointer, an array of entries
+ * (each with a prefix length, key suffix, value CID, and right subtree pointer), and
+ * keys are reconstructed by combining the prefix of the previous key with the suffix.
+ *
+ * @param blocks - Block store that resolves CIDs to raw CBOR bytes
+ * @param rootCid - CID of the MST root node
+ * @yields {MstEntry} Record entries in lexicographic key order
+ */
+export function* walkMst(blocks, rootCid) {
+    /** Recursively visit an MST node, reconstructing full keys from prefix-compressed entries. */
+    function* visit(cid, prefix) {
         const data = blocks.get(cid);
         if (!data)
             return prefix;
         const { value: node } = cborDecode(data);
         // Visit left subtree
         if (node.l?.$link)
-            visit(node.l.$link, prefix);
+            yield* visit(node.l.$link, prefix);
         let lastKey = prefix;
         for (const entry of node.e || []) {
             const keySuffix = entry.k instanceof Uint8Array ? new TextDecoder().decode(entry.k) : entry.k;
@@ -16,15 +28,14 @@ export function walkMst(blocks, rootCid) {
             const fullKey = lastKey.substring(0, prefixLen) + keySuffix;
             lastKey = fullKey;
             if (entry.v?.$link) {
-                entries.push({ path: fullKey, cid: entry.v.$link });
+                yield { path: fullKey, cid: entry.v.$link };
             }
             // Visit right subtree
             if (entry.t?.$link) {
-                visit(entry.t.$link, lastKey);
+                yield* visit(entry.t.$link, lastKey);
             }
         }
         return lastKey;
     }
-    visit(rootCid, '');
-    return entries;
+    yield* visit(rootCid, '');
 }

package/dist/oauth/db.d.ts

@@ -1,4 +1,4 @@
-export declare const OAUTH_DDL = "\nCREATE TABLE IF NOT EXISTS _oauth_keys (\n  kid TEXT PRIMARY KEY,\n  private_key TEXT NOT NULL,\n  public_key TEXT NOT NULL,\n  created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP\n);\n\nCREATE TABLE IF NOT EXISTS _oauth_sessions (\n  did TEXT PRIMARY KEY,\n  pds_endpoint TEXT NOT NULL,\n  access_token TEXT NOT NULL,\n  refresh_token TEXT,\n  dpop_jkt TEXT NOT NULL,\n  token_expires_at INTEGER,\n  created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,\n  updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP\n);\n\nCREATE TABLE IF NOT EXISTS _oauth_requests (\n  request_uri TEXT PRIMARY KEY,\n  client_id TEXT NOT NULL,\n  redirect_uri TEXT NOT NULL,\n  scope TEXT,\n  state TEXT,\n  code_challenge TEXT NOT NULL,\n  code_challenge_method TEXT NOT NULL DEFAULT 'S256',\n  dpop_jkt TEXT NOT NULL,\n  pds_request_uri TEXT,\n  pds_auth_server TEXT,\n  pds_code_verifier TEXT,\n  pds_state TEXT,\n  did TEXT,\n  login_hint TEXT,\n  expires_at INTEGER NOT NULL\n);\n\nCREATE TABLE IF NOT EXISTS _oauth_codes (\n  code TEXT PRIMARY KEY,\n  request_uri TEXT NOT NULL,\n  created_at INTEGER NOT NULL\n);\n\nCREATE TABLE IF NOT EXISTS _oauth_refresh_tokens (\n  token TEXT PRIMARY KEY,\n  client_id TEXT NOT NULL,\n  did TEXT NOT NULL,\n  dpop_jkt TEXT NOT NULL,\n  scope TEXT,\n  created_at INTEGER NOT NULL,\n  expires_at INTEGER,\n  revoked INTEGER NOT NULL DEFAULT 0\n);\n\nCREATE TABLE IF NOT EXISTS _oauth_dpop_jtis (\n  jti TEXT PRIMARY KEY,\n  expires_at INTEGER NOT NULL\n);\n";
+export declare const OAUTH_DDL = "\nCREATE TABLE IF NOT EXISTS _oauth_keys (\n  kid TEXT PRIMARY KEY,\n  private_key TEXT NOT NULL,\n  public_key TEXT NOT NULL,\n  created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP\n);\n\nCREATE TABLE IF NOT EXISTS _oauth_sessions (\n  did TEXT PRIMARY KEY,\n  pds_endpoint TEXT NOT NULL,\n  pds_auth_server TEXT,\n  access_token TEXT NOT NULL,\n  refresh_token TEXT,\n  dpop_jkt TEXT NOT NULL,\n  token_expires_at INTEGER,\n  created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,\n  updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP\n);\n\nCREATE TABLE IF NOT EXISTS _oauth_requests (\n  request_uri TEXT PRIMARY KEY,\n  client_id TEXT NOT NULL,\n  redirect_uri TEXT NOT NULL,\n  scope TEXT,\n  state TEXT,\n  code_challenge TEXT NOT NULL,\n  code_challenge_method TEXT NOT NULL DEFAULT 'S256',\n  dpop_jkt TEXT NOT NULL,\n  pds_request_uri TEXT,\n  pds_auth_server TEXT,\n  pds_endpoint TEXT,\n  pds_code_verifier TEXT,\n  pds_state TEXT,\n  did TEXT,\n  login_hint TEXT,\n  expires_at INTEGER NOT NULL\n);\n\nCREATE TABLE IF NOT EXISTS _oauth_codes (\n  code TEXT PRIMARY KEY,\n  request_uri TEXT NOT NULL,\n  created_at INTEGER NOT NULL\n);\n\nCREATE TABLE IF NOT EXISTS _oauth_refresh_tokens (\n  token TEXT PRIMARY KEY,\n  client_id TEXT NOT NULL,\n  did TEXT NOT NULL,\n  dpop_jkt TEXT NOT NULL,\n  scope TEXT,\n  created_at INTEGER NOT NULL,\n  expires_at INTEGER,\n  revoked INTEGER NOT NULL DEFAULT 0\n);\n\nCREATE TABLE IF NOT EXISTS _oauth_dpop_jtis (\n  jti TEXT PRIMARY KEY,\n  expires_at INTEGER NOT NULL\n);\n";
 export declare function getServerKey(kid: string): Promise<{
     privateKey: string;
     publicKey: string;
@@ -14,6 +14,7 @@ export declare function storeOAuthRequest(requestUri: string, data: {
     dpopJkt: string;
     pdsRequestUri?: string;
     pdsAuthServer?: string;
+    pdsEndpoint?: string;
     pdsCodeVerifier?: string;
     pdsState?: string;
     did?: string;
@@ -26,6 +27,7 @@ export declare function storeAuthCode(code: string, requestUri: string): Promise
 export declare function consumeAuthCode(code: string): Promise<string | null>;
 export declare function storeSession(did: string, data: {
     pdsEndpoint: string;
+    pdsAuthServer?: string;
     accessToken: string;
     refreshToken?: string;
     dpopJkt: string;

package/dist/oauth/db.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"db.d.ts","sourceRoot":"","sources":["../../src/oauth/db.ts"],"names":[],"mappings":"AAMA,eAAO,MAAM,SAAS,87CA0DrB,CAAA;AAID,wBAAsB,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,CAIzG;AAED,wBAAsB,cAAc,CAAC,GAAG,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAOtG;AAID,wBAAsB,iBAAiB,CACrC,UAAU,EAAE,MAAM,EAClB,IAAI,EAAE;IACJ,QAAQ,EAAE,MAAM,CAAA;IAChB,WAAW,EAAE,MAAM,CAAA;IACnB,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,aAAa,EAAE,MAAM,CAAA;IACrB,mBAAmB,CAAC,EAAE,MAAM,CAAA;IAC5B,OAAO,EAAE,MAAM,CAAA;IACf,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,SAAS,EAAE,MAAM,CAAA;CAClB,GACA,OAAO,CAAC,IAAI,CAAC,CAoBf;AAED,wBAAsB,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,CAM7E;AAED,wBAAsB,kBAAkB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAE1E;AAID,wBAAsB,aAAa,CAAC,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAOnF;AAED,wBAAsB,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAK1E;AAID,wBAAsB,YAAY,CAChC,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IACJ,WAAW,EAAE,MAAM,CAAA;IACnB,WAAW,EAAE,MAAM,CAAA;IACnB,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,OAAO,EAAE,MAAM,CAAA;IACf,cAAc,CAAC,EAAE,MAAM,CAAA;CACxB,GACA,OAAO,CAAC,IAAI,CAAC,CAWf;AAED,wBAAsB,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,CAGjE;AAED,wBAAsB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAE9D;AAID,wBAAsB,iBAAiB,CACrC,KAAK,EAAE,MAAM,EACb,IAAI,EAAE;IACJ,QAAQ,EAAE,MAAM,CAAA;IAChB,GAAG,EAAE,MAAM,CAAA;IACX,OAAO,EAAE,MAAM,CAAA;IACf,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB,GACA,OAAO,CAAC,IAAI,CAAC,CAcf;AAED,wBAAsB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,CAGxE;AAED,wBAAsB,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAErE;AAID,wBAAsB,oBAAoB,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAK3F;AAED,wBAAsB,mBAAmB,IAAI,OAAO,CAAC,IAAI,CAAC,CASzD"}
+{"version":3,"file":"db.d.ts","sourceRoot":"","sources":["../../src/oauth/db.ts"],"names":[],"mappings":"AAMA,eAAO,MAAM,SAAS,6+CA4DrB,CAAA;AAID,wBAAsB,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,CAIzG;AAED,wBAAsB,cAAc,CAAC,GAAG,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAMtG;AAID,wBAAsB,iBAAiB,CACrC,UAAU,EAAE,MAAM,EAClB,IAAI,EAAE;IACJ,QAAQ,EAAE,MAAM,CAAA;IAChB,WAAW,EAAE,MAAM,CAAA;IACnB,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,aAAa,EAAE,MAAM,CAAA;IACrB,mBAAmB,CAAC,EAAE,MAAM,CAAA;IAC5B,OAAO,EAAE,MAAM,CAAA;IACf,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,SAAS,EAAE,MAAM,CAAA;CAClB,GACA,OAAO,CAAC,IAAI,CAAC,CAuBf;AAED,wBAAsB,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,CAM7E;AAED,wBAAsB,kBAAkB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAE1E;AAID,wBAAsB,aAAa,CAAC,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAMnF;AAED,wBAAsB,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAK1E;AAID,wBAAsB,YAAY,CAChC,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IACJ,WAAW,EAAE,MAAM,CAAA;IACnB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,WAAW,EAAE,MAAM,CAAA;IACnB,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,OAAO,EAAE,MAAM,CAAA;IACf,cAAc,CAAC,EAAE,MAAM,CAAA;CACxB,GACA,OAAO,CAAC,IAAI,CAAC,CAMf;AAED,wBAAsB,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,CAGjE;AAED,wBAAsB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAE9D;AAID,wBAAsB,iBAAiB,CACrC,KAAK,EAAE,MAAM,EACb,IAAI,EAAE;IACJ,QAAQ,EAAE,MAAM,CAAA;IAChB,GAAG,EAAE,MAAM,CAAA;IACX,OAAO,EAAE,MAAM,CAAA;IACf,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB,GACA,OAAO,CAAC,IAAI,CAAC,CAQf;AAED,wBAAsB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,CAGxE;AAED,wBAAsB,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAErE;AAID,wBAAsB,oBAAoB,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAK3F;AAED,wBAAsB,mBAAmB,IAAI,OAAO,CAAC,IAAI,CAAC,CAQzD"}

package/dist/oauth/db.js

@@ -1,5 +1,5 @@
 // packages/hatk/src/oauth/db.ts
-import { querySQL, runSQL } from "../db.js";
+import { querySQL, runSQL } from "../database/db.js";
 // --- DDL ---
 export const OAUTH_DDL = `
 CREATE TABLE IF NOT EXISTS _oauth_keys (
@@ -12,6 +12,7 @@ CREATE TABLE IF NOT EXISTS _oauth_keys (
 CREATE TABLE IF NOT EXISTS _oauth_sessions (
   did TEXT PRIMARY KEY,
   pds_endpoint TEXT NOT NULL,
+  pds_auth_server TEXT,
   access_token TEXT NOT NULL,
   refresh_token TEXT,
   dpop_jkt TEXT NOT NULL,
@@ -31,6 +32,7 @@ CREATE TABLE IF NOT EXISTS _oauth_requests (
   dpop_jkt TEXT NOT NULL,
   pds_request_uri TEXT,
   pds_auth_server TEXT,
+  pds_endpoint TEXT,
   pds_code_verifier TEXT,
   pds_state TEXT,
   did TEXT,
@@ -62,18 +64,39 @@ CREATE TABLE IF NOT EXISTS _oauth_dpop_jtis (
 `;
 // --- Key Management ---
 export async function getServerKey(kid) {
-    const rows = await querySQL('SELECT private_key, public_key FROM _oauth_keys WHERE kid = $1', [kid]);
+    const rows = (await querySQL('SELECT private_key, public_key FROM _oauth_keys WHERE kid = $1', [kid]));
     if (rows.length === 0)
         return null;
     return { privateKey: rows[0].private_key, publicKey: rows[0].public_key };
 }
 export async function storeServerKey(kid, privateKey, publicKey) {
-    await runSQL('INSERT OR REPLACE INTO _oauth_keys (kid, private_key, public_key) VALUES ($1, $2, $3)', kid, privateKey, publicKey);
+    await runSQL('INSERT OR REPLACE INTO _oauth_keys (kid, private_key, public_key) VALUES ($1, $2, $3)', [
+        kid,
+        privateKey,
+        publicKey,
+    ]);
 }
 // --- OAuth Request Storage ---
 export async function storeOAuthRequest(requestUri, data) {
-    await runSQL(`INSERT INTO _oauth_requests (request_uri, client_id, redirect_uri, scope, state, code_challenge, code_challenge_method, dpop_jkt, pds_request_uri, pds_auth_server, pds_code_verifier, pds_state, did, login_hint, expires_at)
-     VALUES ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,$13,$14,$15)`, requestUri, data.clientId, data.redirectUri, data.scope || null, data.state || null, data.codeChallenge, data.codeChallengeMethod || 'S256', data.dpopJkt, data.pdsRequestUri || null, data.pdsAuthServer || null, data.pdsCodeVerifier || null, data.pdsState || null, data.did || null, data.loginHint || null, data.expiresAt);
+    await runSQL(`INSERT INTO _oauth_requests (request_uri, client_id, redirect_uri, scope, state, code_challenge, code_challenge_method, dpop_jkt, pds_request_uri, pds_auth_server, pds_endpoint, pds_code_verifier, pds_state, did, login_hint, expires_at)
+     VALUES ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,$13,$14,$15,$16)`, [
+        requestUri,
+        data.clientId,
+        data.redirectUri,
+        data.scope || null,
+        data.state || null,
+        data.codeChallenge,
+        data.codeChallengeMethod || 'S256',
+        data.dpopJkt,
+        data.pdsRequestUri || null,
+        data.pdsAuthServer || null,
+        data.pdsEndpoint || null,
+        data.pdsCodeVerifier || null,
+        data.pdsState || null,
+        data.did || null,
+        data.loginHint || null,
+        data.expiresAt,
+    ]);
 }
 export async function getOAuthRequest(requestUri) {
     const rows = await querySQL('SELECT * FROM _oauth_requests WHERE request_uri = $1 AND expires_at > $2', [
@@ -83,57 +106,63 @@ export async function getOAuthRequest(requestUri) {
     return rows.length > 0 ? rows[0] : null;
 }
 export async function deleteOAuthRequest(requestUri) {
-    await runSQL('DELETE FROM _oauth_requests WHERE request_uri = $1', requestUri);
+    await runSQL('DELETE FROM _oauth_requests WHERE request_uri = $1', [requestUri]);
 }
 // --- Authorization Codes ---
 export async function storeAuthCode(code, requestUri) {
-    await runSQL('INSERT INTO _oauth_codes (code, request_uri, created_at) VALUES ($1, $2, $3)', code, requestUri, Math.floor(Date.now() / 1000));
+    await runSQL('INSERT INTO _oauth_codes (code, request_uri, created_at) VALUES ($1, $2, $3)', [
+        code,
+        requestUri,
+        Math.floor(Date.now() / 1000),
+    ]);
 }
 export async function consumeAuthCode(code) {
-    const rows = await querySQL('SELECT request_uri FROM _oauth_codes WHERE code = $1', [code]);
+    const rows = (await querySQL('SELECT request_uri FROM _oauth_codes WHERE code = $1', [code]));
     if (rows.length === 0)
         return null;
-    await runSQL('DELETE FROM _oauth_codes WHERE code = $1', code);
+    await runSQL('DELETE FROM _oauth_codes WHERE code = $1', [code]);
     return rows[0].request_uri;
 }
 // --- Sessions ---
 export async function storeSession(did, data) {
-    await runSQL(`INSERT OR REPLACE INTO _oauth_sessions (did, pds_endpoint, access_token, refresh_token, dpop_jkt, token_expires_at, updated_at)
-     VALUES ($1,$2,$3,$4,$5,$6,CURRENT_TIMESTAMP)`, did, data.pdsEndpoint, data.accessToken, data.refreshToken || null, data.dpopJkt, data.tokenExpiresAt || null);
+    await runSQL(`INSERT OR REPLACE INTO _oauth_sessions (did, pds_endpoint, pds_auth_server, access_token, refresh_token, dpop_jkt, token_expires_at, updated_at)
+     VALUES ($1,$2,$3,$4,$5,$6,$7,CURRENT_TIMESTAMP)`, [did, data.pdsEndpoint, data.pdsAuthServer || null, data.accessToken, data.refreshToken || null, data.dpopJkt, data.tokenExpiresAt || null]);
 }
 export async function getSession(did) {
     const rows = await querySQL('SELECT * FROM _oauth_sessions WHERE did = $1', [did]);
     return rows.length > 0 ? rows[0] : null;
 }
 export async function deleteSession(did) {
-    await runSQL('DELETE FROM _oauth_sessions WHERE did = $1', did);
+    await runSQL('DELETE FROM _oauth_sessions WHERE did = $1', [did]);
 }
 // --- Refresh Tokens ---
 export async function storeRefreshToken(token, data) {
     const now = Math.floor(Date.now() / 1000);
     const expiresAt = data.expiresAt ?? now + 14 * 86400; // 14 days default
     await runSQL(`INSERT INTO _oauth_refresh_tokens (token, client_id, did, dpop_jkt, scope, created_at, expires_at)
-     VALUES ($1,$2,$3,$4,$5,$6,$7)`, token, data.clientId, data.did, data.dpopJkt, data.scope || null, now, expiresAt);
+     VALUES ($1,$2,$3,$4,$5,$6,$7)`, [token, data.clientId, data.did, data.dpopJkt, data.scope || null, now, expiresAt]);
 }
 export async function getRefreshToken(token) {
     const rows = await querySQL('SELECT * FROM _oauth_refresh_tokens WHERE token = $1', [token]);
     return rows.length > 0 ? rows[0] : null;
 }
 export async function revokeRefreshToken(token) {
-    await runSQL('UPDATE _oauth_refresh_tokens SET revoked = 1 WHERE token = $1', token);
+    await runSQL('UPDATE _oauth_refresh_tokens SET revoked = 1 WHERE token = $1', [token]);
 }
 // --- DPoP JTI Replay Protection ---
 export async function checkAndStoreDpopJti(jti, expiresAt) {
     const rows = await querySQL('SELECT 1 FROM _oauth_dpop_jtis WHERE jti = $1', [jti]);
     if (rows.length > 0)
         return false;
-    await runSQL('INSERT INTO _oauth_dpop_jtis (jti, expires_at) VALUES ($1, $2)', jti, expiresAt);
+    await runSQL('INSERT INTO _oauth_dpop_jtis (jti, expires_at) VALUES ($1, $2)', [jti, expiresAt]);
     return true;
 }
 export async function cleanupExpiredOAuth() {
     const now = Math.floor(Date.now() / 1000);
-    await runSQL('DELETE FROM _oauth_dpop_jtis WHERE expires_at < $1', now);
-    await runSQL('DELETE FROM _oauth_requests WHERE expires_at < $1', now);
-    await runSQL('DELETE FROM _oauth_codes WHERE created_at < $1', now - 600);
-    await runSQL('DELETE FROM _oauth_refresh_tokens WHERE revoked = 1 OR (expires_at IS NOT NULL AND expires_at < $1)', now);
+    await runSQL('DELETE FROM _oauth_dpop_jtis WHERE expires_at < $1', [now]);
+    await runSQL('DELETE FROM _oauth_requests WHERE expires_at < $1', [now]);
+    await runSQL('DELETE FROM _oauth_codes WHERE created_at < $1', [now - 600]);
+    await runSQL('DELETE FROM _oauth_refresh_tokens WHERE revoked = 1 OR (expires_at IS NOT NULL AND expires_at < $1)', [
+        now,
+    ]);
 }

package/dist/oauth/server.d.ts

@@ -59,20 +59,44 @@ export declare function getClientMetadata(issuer: string, config: OAuthConfig):
     dpop_bound_access_tokens: boolean;
     scope: string;
 };
+/**
+ * Handle a Pushed Authorization Request (PAR).
+ *
+ * Supports account creation via `prompt=create`. When set, `login_hint`
+ * is treated as a PDS hostname (e.g. "selfhosted.social" or "localhost:2583")
+ * rather than a handle or DID. The auth server is discovered from the PDS's
+ * protected resource metadata, and `prompt=create` is forwarded to the PDS
+ * PAR so it shows the signup page.
+ *
+ * For normal login, `login_hint` is a handle or DID as usual.
+ */
 export declare function handlePar(config: OAuthConfig, body: Record<string, string>, dpopHeader: string, requestUrl: string): Promise<{
     request_uri: string;
     expires_in: number;
 }>;
 export declare function buildAuthorizeRedirect(config: OAuthConfig, request: any): string;
+/**
+ * Initiate a server-side OAuth login or account creation flow.
+ *
+ * For account creation, pass `{ prompt: 'create', pds: 'selfhosted.social' }`.
+ * The `pds` is a bare hostname; the auth server is discovered from its
+ * protected resource metadata.
+ */
+export declare function serverLogin(config: OAuthConfig, handle: string, options?: {
+    prompt?: string;
+    pds?: string;
+}): Promise<string>;
 export declare function handleCallback(config: OAuthConfig, code: string, state: string | null, iss: string | null): Promise<{
     requestUri: string;
     clientRedirectUri: string;
     clientState: string | null;
+    did: string;
 }>;
 export declare function handleToken(config: OAuthConfig, body: Record<string, string>, dpopHeader: string, requestUrl: string): Promise<any>;
 export declare function refreshPdsSession(config: OAuthConfig, session: {
     did: string;
     pds_endpoint: string;
+    pds_auth_server?: string;
     refresh_token: string;
     dpop_jkt: string;
 }): Promise<{

package/dist/oauth/server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/oauth/server.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,cAAc,CAAA;AA0E/C,wBAAsB,SAAS,CAAC,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAmBrG;AAID,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW;;;;;;;;;;;;;;;;;;;EAqBxE;AAED,wBAAgB,4BAA4B,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW;;;;;EAO/E;AAED,wBAAgB,OAAO;;;;;;;;;;;;;;;;;;;;;;EAWtB;AAED,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW;;;;;;;;;EAcpE;AAID,wBAAsB,SAAS,CAC7B,MAAM,EAAE,WAAW,EACnB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC5B,UAAU,EAAE,MAAM,EAClB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC;IAAE,WAAW,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,MAAM,CAAA;CAAE,CAAC,CAuItD;AAID,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,GAAG,GAAG,MAAM,CAShF;AAID,wBAAsB,cAAc,CAClC,MAAM,EAAE,WAAW,EACnB,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE,MAAM,GAAG,IAAI,EACpB,GAAG,EAAE,MAAM,GAAG,IAAI,GACjB,OAAO,CAAC;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,iBAAiB,EAAE,MAAM,CAAC;IAAC,WAAW,EAAE,MAAM,GAAG,IAAI,CAAA;CAAE,CAAC,CAyHxF;AAID,wBAAsB,WAAW,CAC/B,MAAM,EAAE,WAAW,EACnB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC5B,UAAU,EAAE,MAAM,EAClB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,GAAG,CAAC,CAUd;AA0JD,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,WAAW,EACnB,OAAO,EAAE;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,YAAY,EAAE,MAAM,CAAC;IAAC,aAAa,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GACtF,OAAO,CAAC;IAAE,WAAW,EAAE,MAAM,CAAC;IAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,CAmEpF;AAID,wBAAsB,YAAY,CAChC,UAAU,EAAE,MAAM,GAAG,IAAI,EACzB,UAAU,EAAE,MAAM,GAAG,IAAI,EACzB,MAAM,EAAE,MAAM,EACd,GAAG,EAAE,MAAM,GACV,OAAO,CAAC;IAAE,GAAG,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,CA0BjC"}
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/oauth/server.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,cAAc,CAAA;AA4E/C,wBAAsB,SAAS,CAAC,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAsBrG;AAID,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW;;;;;;;;;;;;;;;;;;;EAqBxE;AAED,wBAAgB,4BAA4B,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW;;;;;EAO/E;AAED,wBAAgB,OAAO;;;;;;;;;;;;;;;;;;;;;;EAWtB;AAED,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW;;;;;;;;;EAcpE;AAID;;;;;;;;;;GAUG;AACH,wBAAsB,SAAS,CAC7B,MAAM,EAAE,WAAW,EACnB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC5B,UAAU,EAAE,MAAM,EAClB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC;IAAE,WAAW,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,MAAM,CAAA;CAAE,CAAC,CAwKtD;AAID,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,GAAG,GAAG,MAAM,CAShF;AAID;;;;;;GAMG;AACH,wBAAsB,WAAW,CAC/B,MAAM,EAAE,WAAW,EACnB,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,MAAM,CAAC;IAAC,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,GAC1C,OAAO,CAAC,MAAM,CAAC,CA6HjB;AAID,wBAAsB,cAAc,CAClC,MAAM,EAAE,WAAW,EACnB,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE,MAAM,GAAG,IAAI,EACpB,GAAG,EAAE,MAAM,GAAG,IAAI,GACjB,OAAO,CAAC;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,iBAAiB,EAAE,MAAM,CAAC;IAAC,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,CAAC,CA2HrG;AAID,wBAAsB,WAAW,CAC/B,MAAM,EAAE,WAAW,EACnB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC5B,UAAU,EAAE,MAAM,EAClB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,GAAG,CAAC,CAUd;AA0JD,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,WAAW,EACnB,OAAO,EAAE;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,YAAY,EAAE,MAAM,CAAC;IAAC,eAAe,CAAC,EAAE,MAAM,CAAC;IAAC,aAAa,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GAChH,OAAO,CAAC;IAAE,WAAW,EAAE,MAAM,CAAC;IAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,CAsEpF;AAID,wBAAsB,YAAY,CAChC,UAAU,EAAE,MAAM,GAAG,IAAI,EACzB,UAAU,EAAE,MAAM,GAAG,IAAI,EACzB,MAAM,EAAE,MAAM,EACd,GAAG,EAAE,MAAM,GACV,OAAO,CAAC;IAAE,GAAG,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,CA0BjC"}

package/dist/oauth/server.js

@@ -1,12 +1,13 @@
 // packages/hatk/src/oauth/server.ts
 import { generateKeyPair, importPrivateKey, computeJwkThumbprint, signJwt, parseJwt, verifyEs256, importPublicKey, randomToken, sha256, base64UrlEncode, } from "./crypto.js";
 import { parseDpopProof, createDpopProof } from "./dpop.js";
+import { initSession } from "./session.js";
 import { resolveClient, validateRedirectUri, isLoopbackClient } from "./client.js";
-import { discoverAuthServer, resolveHandle } from "./discovery.js";
-import { getServerKey, storeServerKey, storeOAuthRequest, getOAuthRequest, deleteOAuthRequest, storeAuthCode, consumeAuthCode, storeSession, checkAndStoreDpopJti, cleanupExpiredOAuth, storeRefreshToken, getRefreshToken, revokeRefreshToken, } from "./db.js";
+import { discoverAuthServer, resolveHandle, fetchProtectedResourceMetadata, fetchAuthServerMetadata } from "./discovery.js";
+import { getServerKey, storeServerKey, storeOAuthRequest, getOAuthRequest, deleteOAuthRequest, storeAuthCode, consumeAuthCode, storeSession, deleteSession, checkAndStoreDpopJti, cleanupExpiredOAuth, storeRefreshToken, getRefreshToken, revokeRefreshToken, } from "./db.js";
 import { emit } from "../logger.js";
-import { querySQL } from "../db.js";
-import { fireOnLoginHook } from "./hooks.js";
+import { querySQL } from "../database/db.js";
+import { fireOnLoginHook } from "../hooks.js";
 const SERVER_KEY_KID = 'appview-oauth-key';
 async function resolveHandleForDid(did) {
     const rows = (await querySQL('SELECT handle FROM _repos WHERE did = $1', [did]));
@@ -57,6 +58,8 @@ export async function initOAuth(_config, plcUrl, relayUrl) {
     }
     serverPrivateKey = await importPrivateKey(serverPrivateJwk);
     serverJkt = await computeJwkThumbprint(serverPublicJwk);
+    // Initialize SSR session cookie signing
+    initSession(serverPrivateJwk, _config.cookieName);
     // Periodic cleanup of expired OAuth data
     setInterval(() => cleanupExpiredOAuth().catch(() => { }), 60_000);
 }
@@ -119,6 +122,17 @@ export function getClientMetadata(issuer, config) {
     };
 }
 // --- PAR Endpoint ---
+/**
+ * Handle a Pushed Authorization Request (PAR).
+ *
+ * Supports account creation via `prompt=create`. When set, `login_hint`
+ * is treated as a PDS hostname (e.g. "selfhosted.social" or "localhost:2583")
+ * rather than a handle or DID. The auth server is discovered from the PDS's
+ * protected resource metadata, and `prompt=create` is forwarded to the PDS
+ * PAR so it shows the signup page.
+ *
+ * For normal login, `login_hint` is a handle or DID as usual.
+ */
 export async function handlePar(config, body, dpopHeader, requestUrl) {
     // Validate client DPoP proof
     const dpop = await parseDpopProof(dpopHeader, 'POST', requestUrl);
@@ -143,36 +157,72 @@ export async function handlePar(config, body, dpopHeader, requestUrl) {
         throw new Error('code_challenge is required');
     if (body.code_challenge_method && body.code_challenge_method !== 'S256')
         throw new Error('Only S256 supported');
-    // Resolve DID from login_hint
+    // Resolve DID and PDS from login_hint
+    const prompt = body.prompt;
     let did = body.login_hint;
-    if (did && !did.startsWith('did:')) {
-        did = await resolveHandle(did, _relayUrl);
-    }
-    // Discover user's PDS auth server
     let pdsRequestUri;
     let pdsAuthServer;
     let pdsCodeVerifier;
     let pdsState;
-    if (did) {
+    let pdsEndpoint;
+    if (prompt === 'create' && body.login_hint) {
+        // Account creation: login_hint is a PDS URL, discover auth server from it directly
+        let pdsUrl;
+        if (body.login_hint.startsWith('http')) {
+            pdsUrl = body.login_hint;
+        }
+        else if (body.login_hint.match(/^localhost[:/]/)) {
+            pdsUrl = `http://${body.login_hint}`;
+        }
+        else {
+            pdsUrl = `https://${body.login_hint}`;
+        }
+        pdsEndpoint = pdsUrl;
+        const protectedResource = await fetchProtectedResourceMetadata(pdsUrl);
+        pdsAuthServer = protectedResource.authorization_servers[0];
+        if (!pdsAuthServer)
+            throw new Error(`No auth server for PDS ${pdsUrl}`);
+        did = undefined; // no DID yet for account creation
+    }
+    else if (did && !did.startsWith('did:')) {
+        try {
+            did = await resolveHandle(did, _relayUrl);
+        }
+        catch {
+            throw new Error('Handle not found');
+        }
+    }
+    // Discover user's PDS auth server (for login flow with a resolved DID)
+    if (did && !pdsAuthServer) {
         const discovery = await discoverAuthServer(did, _plcUrl);
         pdsAuthServer = discovery.authServerEndpoint;
+        pdsEndpoint = discovery.pdsEndpoint;
+    }
+    if (pdsAuthServer) {
+        const authServerMetadata = await fetchAuthServerMetadata(pdsAuthServer);
         // Create PKCE for our PAR to the PDS
         pdsCodeVerifier = randomToken();
         const pdsCodeChallenge = base64UrlEncode(await sha256(pdsCodeVerifier));
         pdsState = randomToken(); // unique state to correlate callback
         // PAR to the PDS
-        const parEndpoint = discovery.authServerMetadata.pushed_authorization_request_endpoint || `${pdsAuthServer}/oauth/par`;
+        const parEndpoint = authServerMetadata.pushed_authorization_request_endpoint || `${pdsAuthServer}/oauth/par`;
         const serverDpopProof = await createDpopProof(serverPrivateJwk, serverPublicJwk, 'POST', parEndpoint);
-        const pdsParBody = new URLSearchParams({
+        const pdsParParams = {
             client_id: pdsClientId(config.issuer, config),
             redirect_uri: pdsRedirectUri(config.issuer),
             response_type: 'code',
             code_challenge: pdsCodeChallenge,
             code_challenge_method: 'S256',
             scope: body.scope || 'atproto transition:generic',
-            login_hint: body.login_hint || did,
             state: pdsState,
-        });
+        };
+        if (prompt === 'create') {
+            pdsParParams.prompt = 'create';
+        }
+        if (did) {
+            pdsParParams.login_hint = body.login_hint || did;
+        }
+        const pdsParBody = new URLSearchParams(pdsParParams);
         const pdsParRes = await fetch(parEndpoint, {
             method: 'POST',
             headers: { 'Content-Type': 'application/x-www-form-urlencoded', DPoP: serverDpopProof },
@@ -234,6 +284,7 @@ export async function handlePar(config, body, dpopHeader, requestUrl) {
         dpopJkt: dpop.jkt,
         pdsRequestUri,
         pdsAuthServer,
+        pdsEndpoint,
         pdsCodeVerifier,
         pdsState,
         did,
@@ -253,10 +304,130 @@ export function buildAuthorizeRedirect(config, request) {
     });
     return `${request.pds_auth_server}/oauth/authorize?${params}`;
 }
+// --- Server-initiated login (no DPoP required from browser) ---
+/**
+ * Initiate a server-side OAuth login or account creation flow.
+ *
+ * For account creation, pass `{ prompt: 'create', pds: 'selfhosted.social' }`.
+ * The `pds` is a bare hostname; the auth server is discovered from its
+ * protected resource metadata.
+ */
+export async function serverLogin(config, handle, options) {
+    let did;
+    let pdsAuthServer;
+    let pdsEndpoint;
+    if (options?.prompt === 'create' && options?.pds) {
+        // Account creation: discover auth server from PDS hostname
+        const pdsUrl = options.pds.startsWith('http')
+            ? options.pds
+            : options.pds.match(/^localhost[:/]/)
+                ? `http://${options.pds}`
+                : `https://${options.pds}`;
+        pdsEndpoint = pdsUrl;
+        const protectedResource = await fetchProtectedResourceMetadata(pdsUrl);
+        pdsAuthServer = protectedResource.authorization_servers[0];
+        if (!pdsAuthServer)
+            throw new Error(`No auth server for PDS ${pdsUrl}`);
+    }
+    else {
+        // Normal login: resolve handle to DID
+        did = handle;
+        if (!did.startsWith('did:')) {
+            did = await resolveHandle(handle, _relayUrl);
+        }
+        const discovery = await discoverAuthServer(did, _plcUrl);
+        pdsAuthServer = discovery.authServerEndpoint;
+        pdsEndpoint = discovery.pdsEndpoint;
+    }
+    const authServerMetadata = await fetchAuthServerMetadata(pdsAuthServer);
+    // Create PKCE for PAR to PDS
+    const pdsCodeVerifier = randomToken();
+    const pdsCodeChallenge = base64UrlEncode(await sha256(pdsCodeVerifier));
+    const pdsState = randomToken();
+    // PAR to the PDS
+    const parEndpoint = authServerMetadata.pushed_authorization_request_endpoint || `${pdsAuthServer}/oauth/par`;
+    const serverDpopProof = await createDpopProof(serverPrivateJwk, serverPublicJwk, 'POST', parEndpoint);
+    const scope = config.scopes?.join(' ') || 'atproto transition:generic';
+    const pdsParParams = {
+        client_id: pdsClientId(config.issuer, config),
+        redirect_uri: pdsRedirectUri(config.issuer),
+        response_type: 'code',
+        code_challenge: pdsCodeChallenge,
+        code_challenge_method: 'S256',
+        scope,
+        state: pdsState,
+    };
+    if (options?.prompt === 'create') {
+        pdsParParams.prompt = 'create';
+    }
+    if (did) {
+        pdsParParams.login_hint = handle;
+    }
+    const pdsParBody = new URLSearchParams(pdsParParams);
+    let pdsRequestUri;
+    const pdsParRes = await fetch(parEndpoint, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded', DPoP: serverDpopProof },
+        body: pdsParBody.toString(),
+    });
+    if (!pdsParRes.ok) {
+        const errBody = await pdsParRes.json().catch(() => ({}));
+        if (errBody.error === 'use_dpop_nonce') {
+            const nonce = pdsParRes.headers.get('DPoP-Nonce');
+            if (nonce) {
+                const retryProof = await createDpopProof(serverPrivateJwk, serverPublicJwk, 'POST', parEndpoint, undefined, nonce);
+                const retryRes = await fetch(parEndpoint, {
+                    method: 'POST',
+                    headers: { 'Content-Type': 'application/x-www-form-urlencoded', DPoP: retryProof },
+                    body: pdsParBody.toString(),
+                });
+                if (!retryRes.ok) {
+                    const retryErr = await retryRes.json().catch(() => ({}));
+                    throw new Error(`PDS PAR failed: ${retryRes.status} ${retryErr.error_description || retryErr.error || ''}`);
+                }
+                const retryData = await retryRes.json();
+                pdsRequestUri = retryData.request_uri;
+            }
+        }
+        else {
+            throw new Error(`PDS PAR failed: ${pdsParRes.status} ${errBody.error_description || errBody.error || ''}`);
+        }
+    }
+    else {
+        const pdsParData = await pdsParRes.json();
+        pdsRequestUri = pdsParData.request_uri;
+    }
+    // Store the request so the callback can find it
+    const requestUri = `urn:ietf:params:oauth:request_uri:${randomToken()}`;
+    const expiresAt = Math.floor(Date.now() / 1000) + 600;
+    await storeOAuthRequest(requestUri, {
+        clientId: pdsClientId(config.issuer, config),
+        redirectUri: '/',
+        scope,
+        state: pdsState,
+        codeChallenge: '',
+        codeChallengeMethod: 'S256',
+        dpopJkt: serverJkt,
+        pdsRequestUri,
+        pdsAuthServer,
+        pdsEndpoint,
+        pdsCodeVerifier,
+        pdsState,
+        did,
+        loginHint: handle,
+        expiresAt,
+    });
+    // Build redirect URL to PDS
+    const params = new URLSearchParams({
+        request_uri: pdsRequestUri,
+        client_id: pdsClientId(config.issuer, config),
+    });
+    return `${pdsAuthServer}/oauth/authorize?${params}`;
+}
 // --- OAuth Callback (PDS redirects here) ---
 export async function handleCallback(config, code, state, iss) {
     // Find the matching OAuth request by pds_state (unique per PAR)
-    const { querySQL } = await import("../db.js");
+    const { querySQL } = await import("../database/db.js");
     let request = null;
     if (state) {
         const rows = await querySQL(`SELECT * FROM _oauth_requests WHERE pds_state = $1 AND expires_at > $2`, [
@@ -329,29 +500,31 @@ export async function handleCallback(config, code, state, iss) {
     const did = tokenData.sub;
     if (!did)
         throw new Error('PDS token response missing sub (DID)');
-    // Store PDS session server-side
+    // Store PDS session server-side — pds_endpoint is the actual data PDS
+    // (e.g. leccinum.us-west.host.bsky.network), pds_auth_server is the OAuth server (bsky.social)
     await storeSession(did, {
-        pdsEndpoint: request.pds_auth_server.replace('/oauth', ''),
+        pdsEndpoint: request.pds_endpoint,
+        pdsAuthServer: request.pds_auth_server,
         accessToken: tokenData.access_token,
         refreshToken: tokenData.refresh_token,
         dpopJkt: serverJkt,
         tokenExpiresAt: tokenData.expires_in ? Math.floor(Date.now() / 1000) + tokenData.expires_in : undefined,
     });
-    await fireOnLoginHook(did);
+    await fireOnLoginHook(did, config);
     // Generate authorization code for the client
     const clientCode = randomToken();
     await storeAuthCode(clientCode, request.request_uri);
     // Update the request with the DID (in case it wasn't set during PAR)
     if (!request.did && did) {
-        const { runSQL } = await import("../db.js");
-        await runSQL('UPDATE _oauth_requests SET did = $1 WHERE request_uri = $2', did, request.request_uri);
+        const { runSQL } = await import("../database/db.js");
+        await runSQL('UPDATE _oauth_requests SET did = $1 WHERE request_uri = $2', [did, request.request_uri]);
     }
     // Build redirect back to client
     const params = new URLSearchParams({ code: clientCode, iss: config.issuer });
     if (request.state)
         params.set('state', request.state);
     const clientRedirectUri = `${request.redirect_uri}?${params}`;
-    return { requestUri: request.request_uri, clientRedirectUri, clientState: request.state };
+    return { requestUri: request.request_uri, clientRedirectUri, clientState: request.state, did };
 }
 // --- Token Endpoint ---
 export async function handleToken(config, body, dpopHeader, requestUrl) {
@@ -492,7 +665,8 @@ async function handleRefreshTokenGrant(config, body, dpopHeader, requestUrl) {
 export async function refreshPdsSession(config, session) {
     if (!session.refresh_token)
         return null;
-    const tokenEndpoint = `${session.pds_endpoint}/oauth/token`;
+    // Use auth server for token endpoint (falls back to pds_endpoint for sessions created before this fix)
+    const tokenEndpoint = `${session.pds_auth_server || session.pds_endpoint}/oauth/token`;
     const clientId = pdsClientId(config.issuer, config);
     const dpopProof = await createDpopProof(serverPrivateJwk, serverPublicJwk, 'POST', tokenEndpoint);
     const body = new URLSearchParams({
@@ -526,12 +700,14 @@ export async function refreshPdsSession(config, session) {
             did: session.did,
             pds_endpoint: session.pds_endpoint,
         });
+        await deleteSession(session.did);
         return null;
     }
     const tokenData = await tokenRes.json();
     // Update stored session
     await storeSession(session.did, {
         pdsEndpoint: session.pds_endpoint,
+        pdsAuthServer: session.pds_auth_server,
         accessToken: tokenData.access_token,
         refreshToken: tokenData.refresh_token || session.refresh_token,
         dpopJkt: session.dpop_jkt,