@hatk/hatk 0.0.1-alpha.6 → 0.0.1-alpha.61

package/dist/oauth/server.js

@@ -1,12 +1,13 @@
 // packages/hatk/src/oauth/server.ts
 import { generateKeyPair, importPrivateKey, computeJwkThumbprint, signJwt, parseJwt, verifyEs256, importPublicKey, randomToken, sha256, base64UrlEncode, } from "./crypto.js";
 import { parseDpopProof, createDpopProof } from "./dpop.js";
+import { initSession } from "./session.js";
 import { resolveClient, validateRedirectUri, isLoopbackClient } from "./client.js";
-import { discoverAuthServer, resolveHandle } from "./discovery.js";
-import { getServerKey, storeServerKey, storeOAuthRequest, getOAuthRequest, deleteOAuthRequest, storeAuthCode, consumeAuthCode, storeSession, checkAndStoreDpopJti, cleanupExpiredOAuth, storeRefreshToken, getRefreshToken, revokeRefreshToken, } from "./db.js";
+import { discoverAuthServer, resolveHandle, fetchProtectedResourceMetadata, fetchAuthServerMetadata } from "./discovery.js";
+import { getServerKey, storeServerKey, storeOAuthRequest, getOAuthRequest, deleteOAuthRequest, storeAuthCode, consumeAuthCode, storeSession, deleteSession, checkAndStoreDpopJti, cleanupExpiredOAuth, storeRefreshToken, getRefreshToken, revokeRefreshToken, } from "./db.js";
 import { emit } from "../logger.js";
-import { querySQL } from "../db.js";
-import { fireOnLoginHook } from "./hooks.js";
+import { querySQL } from "../database/db.js";
+import { fireOnLoginHook } from "../hooks.js";
 const SERVER_KEY_KID = 'appview-oauth-key';
 async function resolveHandleForDid(did) {
     const rows = (await querySQL('SELECT handle FROM _repos WHERE did = $1', [did]));
@@ -57,6 +58,8 @@ export async function initOAuth(_config, plcUrl, relayUrl) {
     }
     serverPrivateKey = await importPrivateKey(serverPrivateJwk);
     serverJkt = await computeJwkThumbprint(serverPublicJwk);
+    // Initialize SSR session cookie signing
+    initSession(serverPrivateJwk, _config.cookieName);
     // Periodic cleanup of expired OAuth data
     setInterval(() => cleanupExpiredOAuth().catch(() => { }), 60_000);
 }
@@ -119,6 +122,17 @@ export function getClientMetadata(issuer, config) {
     };
 }
 // --- PAR Endpoint ---
+/**
+ * Handle a Pushed Authorization Request (PAR).
+ *
+ * Supports account creation via `prompt=create`. When set, `login_hint`
+ * is treated as a PDS hostname (e.g. "selfhosted.social" or "localhost:2583")
+ * rather than a handle or DID. The auth server is discovered from the PDS's
+ * protected resource metadata, and `prompt=create` is forwarded to the PDS
+ * PAR so it shows the signup page.
+ *
+ * For normal login, `login_hint` is a handle or DID as usual.
+ */
 export async function handlePar(config, body, dpopHeader, requestUrl) {
     // Validate client DPoP proof
     const dpop = await parseDpopProof(dpopHeader, 'POST', requestUrl);
@@ -143,36 +157,72 @@ export async function handlePar(config, body, dpopHeader, requestUrl) {
         throw new Error('code_challenge is required');
     if (body.code_challenge_method && body.code_challenge_method !== 'S256')
         throw new Error('Only S256 supported');
-    // Resolve DID from login_hint
+    // Resolve DID and PDS from login_hint
+    const prompt = body.prompt;
     let did = body.login_hint;
-    if (did && !did.startsWith('did:')) {
-        did = await resolveHandle(did, _relayUrl);
-    }
-    // Discover user's PDS auth server
     let pdsRequestUri;
     let pdsAuthServer;
     let pdsCodeVerifier;
     let pdsState;
-    if (did) {
+    let pdsEndpoint;
+    if (prompt === 'create' && body.login_hint) {
+        // Account creation: login_hint is a PDS URL, discover auth server from it directly
+        let pdsUrl;
+        if (body.login_hint.startsWith('http')) {
+            pdsUrl = body.login_hint;
+        }
+        else if (body.login_hint.match(/^localhost[:/]/)) {
+            pdsUrl = `http://${body.login_hint}`;
+        }
+        else {
+            pdsUrl = `https://${body.login_hint}`;
+        }
+        pdsEndpoint = pdsUrl;
+        const protectedResource = await fetchProtectedResourceMetadata(pdsUrl);
+        pdsAuthServer = protectedResource.authorization_servers[0];
+        if (!pdsAuthServer)
+            throw new Error(`No auth server for PDS ${pdsUrl}`);
+        did = undefined; // no DID yet for account creation
+    }
+    else if (did && !did.startsWith('did:')) {
+        try {
+            did = await resolveHandle(did, _relayUrl);
+        }
+        catch {
+            throw new Error('Handle not found');
+        }
+    }
+    // Discover user's PDS auth server (for login flow with a resolved DID)
+    if (did && !pdsAuthServer) {
         const discovery = await discoverAuthServer(did, _plcUrl);
         pdsAuthServer = discovery.authServerEndpoint;
+        pdsEndpoint = discovery.pdsEndpoint;
+    }
+    if (pdsAuthServer) {
+        const authServerMetadata = await fetchAuthServerMetadata(pdsAuthServer);
         // Create PKCE for our PAR to the PDS
         pdsCodeVerifier = randomToken();
         const pdsCodeChallenge = base64UrlEncode(await sha256(pdsCodeVerifier));
         pdsState = randomToken(); // unique state to correlate callback
         // PAR to the PDS
-        const parEndpoint = discovery.authServerMetadata.pushed_authorization_request_endpoint || `${pdsAuthServer}/oauth/par`;
+        const parEndpoint = authServerMetadata.pushed_authorization_request_endpoint || `${pdsAuthServer}/oauth/par`;
         const serverDpopProof = await createDpopProof(serverPrivateJwk, serverPublicJwk, 'POST', parEndpoint);
-        const pdsParBody = new URLSearchParams({
+        const pdsParParams = {
             client_id: pdsClientId(config.issuer, config),
             redirect_uri: pdsRedirectUri(config.issuer),
             response_type: 'code',
             code_challenge: pdsCodeChallenge,
             code_challenge_method: 'S256',
             scope: body.scope || 'atproto transition:generic',
-            login_hint: body.login_hint || did,
             state: pdsState,
-        });
+        };
+        if (prompt === 'create') {
+            pdsParParams.prompt = 'create';
+        }
+        if (did) {
+            pdsParParams.login_hint = body.login_hint || did;
+        }
+        const pdsParBody = new URLSearchParams(pdsParParams);
         const pdsParRes = await fetch(parEndpoint, {
             method: 'POST',
             headers: { 'Content-Type': 'application/x-www-form-urlencoded', DPoP: serverDpopProof },
@@ -234,6 +284,7 @@ export async function handlePar(config, body, dpopHeader, requestUrl) {
         dpopJkt: dpop.jkt,
         pdsRequestUri,
         pdsAuthServer,
+        pdsEndpoint,
         pdsCodeVerifier,
         pdsState,
         did,
@@ -253,10 +304,130 @@ export function buildAuthorizeRedirect(config, request) {
     });
     return `${request.pds_auth_server}/oauth/authorize?${params}`;
 }
+// --- Server-initiated login (no DPoP required from browser) ---
+/**
+ * Initiate a server-side OAuth login or account creation flow.
+ *
+ * For account creation, pass `{ prompt: 'create', pds: 'selfhosted.social' }`.
+ * The `pds` is a bare hostname; the auth server is discovered from its
+ * protected resource metadata.
+ */
+export async function serverLogin(config, handle, options) {
+    let did;
+    let pdsAuthServer;
+    let pdsEndpoint;
+    if (options?.prompt === 'create' && options?.pds) {
+        // Account creation: discover auth server from PDS hostname
+        const pdsUrl = options.pds.startsWith('http')
+            ? options.pds
+            : options.pds.match(/^localhost[:/]/)
+                ? `http://${options.pds}`
+                : `https://${options.pds}`;
+        pdsEndpoint = pdsUrl;
+        const protectedResource = await fetchProtectedResourceMetadata(pdsUrl);
+        pdsAuthServer = protectedResource.authorization_servers[0];
+        if (!pdsAuthServer)
+            throw new Error(`No auth server for PDS ${pdsUrl}`);
+    }
+    else {
+        // Normal login: resolve handle to DID
+        did = handle;
+        if (!did.startsWith('did:')) {
+            did = await resolveHandle(handle, _relayUrl);
+        }
+        const discovery = await discoverAuthServer(did, _plcUrl);
+        pdsAuthServer = discovery.authServerEndpoint;
+        pdsEndpoint = discovery.pdsEndpoint;
+    }
+    const authServerMetadata = await fetchAuthServerMetadata(pdsAuthServer);
+    // Create PKCE for PAR to PDS
+    const pdsCodeVerifier = randomToken();
+    const pdsCodeChallenge = base64UrlEncode(await sha256(pdsCodeVerifier));
+    const pdsState = randomToken();
+    // PAR to the PDS
+    const parEndpoint = authServerMetadata.pushed_authorization_request_endpoint || `${pdsAuthServer}/oauth/par`;
+    const serverDpopProof = await createDpopProof(serverPrivateJwk, serverPublicJwk, 'POST', parEndpoint);
+    const scope = config.scopes?.join(' ') || 'atproto transition:generic';
+    const pdsParParams = {
+        client_id: pdsClientId(config.issuer, config),
+        redirect_uri: pdsRedirectUri(config.issuer),
+        response_type: 'code',
+        code_challenge: pdsCodeChallenge,
+        code_challenge_method: 'S256',
+        scope,
+        state: pdsState,
+    };
+    if (options?.prompt === 'create') {
+        pdsParParams.prompt = 'create';
+    }
+    if (did) {
+        pdsParParams.login_hint = handle;
+    }
+    const pdsParBody = new URLSearchParams(pdsParParams);
+    let pdsRequestUri;
+    const pdsParRes = await fetch(parEndpoint, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded', DPoP: serverDpopProof },
+        body: pdsParBody.toString(),
+    });
+    if (!pdsParRes.ok) {
+        const errBody = await pdsParRes.json().catch(() => ({}));
+        if (errBody.error === 'use_dpop_nonce') {
+            const nonce = pdsParRes.headers.get('DPoP-Nonce');
+            if (nonce) {
+                const retryProof = await createDpopProof(serverPrivateJwk, serverPublicJwk, 'POST', parEndpoint, undefined, nonce);
+                const retryRes = await fetch(parEndpoint, {
+                    method: 'POST',
+                    headers: { 'Content-Type': 'application/x-www-form-urlencoded', DPoP: retryProof },
+                    body: pdsParBody.toString(),
+                });
+                if (!retryRes.ok) {
+                    const retryErr = await retryRes.json().catch(() => ({}));
+                    throw new Error(`PDS PAR failed: ${retryRes.status} ${retryErr.error_description || retryErr.error || ''}`);
+                }
+                const retryData = await retryRes.json();
+                pdsRequestUri = retryData.request_uri;
+            }
+        }
+        else {
+            throw new Error(`PDS PAR failed: ${pdsParRes.status} ${errBody.error_description || errBody.error || ''}`);
+        }
+    }
+    else {
+        const pdsParData = await pdsParRes.json();
+        pdsRequestUri = pdsParData.request_uri;
+    }
+    // Store the request so the callback can find it
+    const requestUri = `urn:ietf:params:oauth:request_uri:${randomToken()}`;
+    const expiresAt = Math.floor(Date.now() / 1000) + 600;
+    await storeOAuthRequest(requestUri, {
+        clientId: pdsClientId(config.issuer, config),
+        redirectUri: '/',
+        scope,
+        state: pdsState,
+        codeChallenge: '',
+        codeChallengeMethod: 'S256',
+        dpopJkt: serverJkt,
+        pdsRequestUri,
+        pdsAuthServer,
+        pdsEndpoint,
+        pdsCodeVerifier,
+        pdsState,
+        did,
+        loginHint: handle,
+        expiresAt,
+    });
+    // Build redirect URL to PDS
+    const params = new URLSearchParams({
+        request_uri: pdsRequestUri,
+        client_id: pdsClientId(config.issuer, config),
+    });
+    return `${pdsAuthServer}/oauth/authorize?${params}`;
+}
 // --- OAuth Callback (PDS redirects here) ---
 export async function handleCallback(config, code, state, iss) {
     // Find the matching OAuth request by pds_state (unique per PAR)
-    const { querySQL } = await import("../db.js");
+    const { querySQL } = await import("../database/db.js");
     let request = null;
     if (state) {
         const rows = await querySQL(`SELECT * FROM _oauth_requests WHERE pds_state = $1 AND expires_at > $2`, [
@@ -329,29 +500,31 @@ export async function handleCallback(config, code, state, iss) {
     const did = tokenData.sub;
     if (!did)
         throw new Error('PDS token response missing sub (DID)');
-    // Store PDS session server-side
+    // Store PDS session server-side — pds_endpoint is the actual data PDS
+    // (e.g. leccinum.us-west.host.bsky.network), pds_auth_server is the OAuth server (bsky.social)
     await storeSession(did, {
-        pdsEndpoint: request.pds_auth_server.replace('/oauth', ''),
+        pdsEndpoint: request.pds_endpoint,
+        pdsAuthServer: request.pds_auth_server,
         accessToken: tokenData.access_token,
         refreshToken: tokenData.refresh_token,
         dpopJkt: serverJkt,
         tokenExpiresAt: tokenData.expires_in ? Math.floor(Date.now() / 1000) + tokenData.expires_in : undefined,
     });
-    await fireOnLoginHook(did);
+    await fireOnLoginHook(did, config);
     // Generate authorization code for the client
     const clientCode = randomToken();
     await storeAuthCode(clientCode, request.request_uri);
     // Update the request with the DID (in case it wasn't set during PAR)
     if (!request.did && did) {
-        const { runSQL } = await import("../db.js");
-        await runSQL('UPDATE _oauth_requests SET did = $1 WHERE request_uri = $2', did, request.request_uri);
+        const { runSQL } = await import("../database/db.js");
+        await runSQL('UPDATE _oauth_requests SET did = $1 WHERE request_uri = $2', [did, request.request_uri]);
     }
     // Build redirect back to client
     const params = new URLSearchParams({ code: clientCode, iss: config.issuer });
     if (request.state)
         params.set('state', request.state);
     const clientRedirectUri = `${request.redirect_uri}?${params}`;
-    return { requestUri: request.request_uri, clientRedirectUri, clientState: request.state };
+    return { requestUri: request.request_uri, clientRedirectUri, clientState: request.state, did };
 }
 // --- Token Endpoint ---
 export async function handleToken(config, body, dpopHeader, requestUrl) {
@@ -492,7 +665,8 @@ async function handleRefreshTokenGrant(config, body, dpopHeader, requestUrl) {
 export async function refreshPdsSession(config, session) {
     if (!session.refresh_token)
         return null;
-    const tokenEndpoint = `${session.pds_endpoint}/oauth/token`;
+    // Use auth server for token endpoint (falls back to pds_endpoint for sessions created before this fix)
+    const tokenEndpoint = `${session.pds_auth_server || session.pds_endpoint}/oauth/token`;
     const clientId = pdsClientId(config.issuer, config);
     const dpopProof = await createDpopProof(serverPrivateJwk, serverPublicJwk, 'POST', tokenEndpoint);
     const body = new URLSearchParams({
@@ -526,12 +700,14 @@ export async function refreshPdsSession(config, session) {
             did: session.did,
             pds_endpoint: session.pds_endpoint,
         });
+        await deleteSession(session.did);
         return null;
     }
     const tokenData = await tokenRes.json();
     // Update stored session
     await storeSession(session.did, {
         pdsEndpoint: session.pds_endpoint,
+        pdsAuthServer: session.pds_auth_server,
         accessToken: tokenData.access_token,
         refreshToken: tokenData.refresh_token || session.refresh_token,
         dpopJkt: session.dpop_jkt,

package/dist/oauth/session.d.ts

@@ -0,0 +1,11 @@
+export type SessionData = {
+    did: string;
+    handle: string;
+};
+export declare function getSessionCookieName(): string;
+export declare function initSession(privateJwk: JsonWebKey, cookieName?: string): void;
+export declare function createSessionCookie(data: SessionData): Promise<string>;
+export declare function sessionCookieHeader(value: string, secure: boolean): string;
+export declare function clearSessionCookieHeader(): string;
+export declare function parseSessionCookie(request: Request): Promise<SessionData | null>;
+//# sourceMappingURL=session.d.ts.map

package/dist/oauth/session.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.d.ts","sourceRoot":"","sources":["../../src/oauth/session.ts"],"names":[],"mappings":"AASA,MAAM,MAAM,WAAW,GAAG;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAA;AAEzD,wBAAgB,oBAAoB,IAAI,MAAM,CAE7C;AAED,wBAAgB,WAAW,CAAC,UAAU,EAAE,UAAU,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAG7E;AAcD,wBAAsB,mBAAmB,CAAC,IAAI,EAAE,WAAW,GAAG,OAAO,CAAC,MAAM,CAAC,CAM5E;AAED,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,GAAG,MAAM,CAI1E;AAED,wBAAgB,wBAAwB,IAAI,MAAM,CAEjD;AAED,wBAAsB,kBAAkB,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAuBtF"}

package/dist/oauth/session.js

@@ -0,0 +1,65 @@
+// SSR session cookie — AES-GCM encrypted HttpOnly cookie for server-side viewer resolution.
+// Separate from OAuth protocol flows but uses the same server keypair for key derivation.
+import { base64UrlEncode, base64UrlDecode } from "./crypto.js";
+let _privateJwk;
+let _cookieName = '__hatk_session';
+const MAX_AGE = 30 * 24 * 60 * 60; // 30 days in seconds
+export function getSessionCookieName() {
+    return _cookieName;
+}
+export function initSession(privateJwk, cookieName) {
+    _privateJwk = privateJwk;
+    if (cookieName)
+        _cookieName = cookieName;
+}
+async function aesKey() {
+    const raw = new TextEncoder().encode(JSON.stringify(_privateJwk, Object.keys(_privateJwk).sort()));
+    const keyMaterial = await crypto.subtle.importKey('raw', raw, 'HKDF', false, ['deriveKey']);
+    return crypto.subtle.deriveKey({ name: 'HKDF', hash: 'SHA-256', salt: new Uint8Array(0), info: new TextEncoder().encode('hatk-session-cookie') }, keyMaterial, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
+}
+export async function createSessionCookie(data) {
+    const payload = JSON.stringify({ ...data, ts: Math.floor(Date.now() / 1000) });
+    const iv = crypto.getRandomValues(new Uint8Array(12));
+    const key = await aesKey();
+    const ciphertext = await crypto.subtle.encrypt({ name: 'AES-GCM', iv }, key, new TextEncoder().encode(payload));
+    return `${base64UrlEncode(iv)}.${base64UrlEncode(new Uint8Array(ciphertext))}`;
+}
+export function sessionCookieHeader(value, secure) {
+    const parts = [`${_cookieName}=${value}`, 'HttpOnly', 'SameSite=Lax', 'Path=/', `Max-Age=${MAX_AGE}`];
+    if (secure)
+        parts.push('Secure');
+    return parts.join('; ');
+}
+export function clearSessionCookieHeader() {
+    return `${_cookieName}=; HttpOnly; SameSite=Lax; Path=/; Max-Age=0`;
+}
+export async function parseSessionCookie(request) {
+    const cookieHeader = request.headers.get('cookie');
+    if (!cookieHeader)
+        return null;
+    const match = cookieHeader
+        .split(';')
+        .map((c) => c.trim())
+        .find((c) => c.startsWith(`${_cookieName}=`));
+    if (!match)
+        return null;
+    const value = match.slice(_cookieName.length + 1);
+    const parts = value.split('.');
+    if (parts.length !== 2)
+        return null;
+    try {
+        const iv = base64UrlDecode(parts[0]);
+        const ciphertext = base64UrlDecode(parts[1]);
+        const key = await aesKey();
+        const plaintext = await crypto.subtle.decrypt({ name: 'AES-GCM', iv }, key, ciphertext);
+        const data = JSON.parse(new TextDecoder().decode(plaintext));
+        if (!data.did || !data.handle || !data.ts)
+            return null;
+        if (Date.now() / 1000 - data.ts > MAX_AGE)
+            return null;
+        return { did: data.did, handle: data.handle };
+    }
+    catch {
+        return null;
+    }
+}

package/dist/opengraph.d.ts

@@ -28,7 +28,17 @@ export interface OpengraphResult {
         description?: string;
     };
 }
+export declare function defineOG(path: string, generate: (ctx: OpengraphContext) => Promise<OpengraphResult>): {
+    __type: "og";
+    path: string;
+    generate: (ctx: OpengraphContext) => Promise<OpengraphResult>;
+};
 export declare function initOpengraph(ogDir: string): Promise<void>;
+/** Register a single OG handler from a scanned server/ module. */
+export declare function registerOgHandler(ogMod: {
+    path: string;
+    generate: (ctx: OpengraphContext) => Promise<OpengraphResult>;
+}): void;
 export declare function handleOpengraphRequest(pathname: string): Promise<Buffer | null>;
 export declare function buildOgMeta(pathname: string, origin: string): string | null;
 //# sourceMappingURL=opengraph.d.ts.map

package/dist/opengraph.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"opengraph.d.ts","sourceRoot":"","sources":["../src/opengraph.ts"],"names":[],"mappings":"AAoBA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,WAAW,CAAA;AAE5C,4CAA4C;AAC5C,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAA;IACZ,KAAK,EAAE;QACL,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;QAC3B,QAAQ,CAAC,EAAE,CAAC,UAAU,GAAG,MAAM,CAAC,EAAE,GAAG,MAAM,CAAA;QAC3C,GAAG,CAAC,EAAE,MAAM,CAAA;QACZ,KAAK,CAAC,EAAE,MAAM,CAAA;QACd,MAAM,CAAC,EAAE,MAAM,CAAA;QACf,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAA;KACnB,CAAA;CACF;AAED,uDAAuD;AACvD,MAAM,WAAW,gBAAiB,SAAQ,WAAW;IACnD,UAAU,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAA;CACpD;AAED,qDAAqD;AACrD,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,UAAU,CAAA;IACnB,OAAO,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,GAAG,EAAE,CAAA;KAAE,CAAA;IAC5D,IAAI,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,WAAW,CAAC,EAAE,MAAM,CAAA;KAAE,CAAA;CAChD;AAkCD,wBAAsB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAoGhE;AAED,wBAAsB,sBAAsB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CA8BrF;AAED,wBAAgB,WAAW,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAyC3E"}
+{"version":3,"file":"opengraph.d.ts","sourceRoot":"","sources":["../src/opengraph.ts"],"names":[],"mappings":"AAiBA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,WAAW,CAAA;AAE5C,4CAA4C;AAC5C,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAA;IACZ,KAAK,EAAE;QACL,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;QAC3B,QAAQ,CAAC,EAAE,CAAC,UAAU,GAAG,MAAM,CAAC,EAAE,GAAG,MAAM,CAAA;QAC3C,GAAG,CAAC,EAAE,MAAM,CAAA;QACZ,KAAK,CAAC,EAAE,MAAM,CAAA;QACd,MAAM,CAAC,EAAE,MAAM,CAAA;QACf,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAA;KACnB,CAAA;CACF;AAED,uDAAuD;AACvD,MAAM,WAAW,gBAAiB,SAAQ,WAAW;IACnD,UAAU,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAA;CACpD;AAED,qDAAqD;AACrD,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,UAAU,CAAA;IACnB,OAAO,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,GAAG,EAAE,CAAA;KAAE,CAAA;IAC5D,IAAI,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,WAAW,CAAC,EAAE,MAAM,CAAA;KAAE,CAAA;CAChD;AAED,wBAAgB,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,OAAO,CAAC,eAAe,CAAC;;;oBAA7C,gBAAgB,KAAK,OAAO,CAAC,eAAe,CAAC;EAEnG;AAkCD,wBAAsB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CA0EhE;AAED,kEAAkE;AAClE,wBAAgB,iBAAiB,CAAC,KAAK,EAAE;IACvC,IAAI,EAAE,MAAM,CAAA;IACZ,QAAQ,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,OAAO,CAAC,eAAe,CAAC,CAAA;CAC9D,GAAG,IAAI,CAsDP;AAED,wBAAsB,sBAAsB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CA+BrF;AAED,wBAAgB,WAAW,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAyC3E"}

package/dist/opengraph.js

@@ -9,11 +9,23 @@ var __rewriteRelativeImportExtension = (this && this.__rewriteRelativeImportExte
 import { resolve } from 'node:path';
 import { readFileSync, readdirSync } from 'node:fs';
 import { log } from "./logger.js";
-import satori from 'satori';
-import { Resvg } from '@resvg/resvg-js';
-import { querySQL, runSQL, packCursor, unpackCursor, isTakendownDid, filterTakendownDids, searchRecords, findUriByFields, lookupByFieldBatch, countByFieldBatch, queryLabelsForUris, } from "./db.js";
-import { resolveRecords } from "./hydrate.js";
-import { blobUrl } from "./xrpc.js";
+// Lazy-imported to avoid CJS require() issues in Vite's module runner
+let _satori = null;
+let _Resvg = null;
+async function getSatori() {
+    if (!_satori)
+        _satori = (await import('satori')).default;
+    return _satori;
+}
+async function getResvg() {
+    if (!_Resvg)
+        _Resvg = (await import('@resvg/resvg-js')).Resvg;
+    return _Resvg;
+}
+import { buildXrpcContext } from "./xrpc.js";
+export function defineOG(path, generate) {
+    return { __type: 'og', path, generate };
+}
 const handlers = [];
 const pageRoutes = [];
 let defaultFont = null;
@@ -51,7 +63,7 @@ export async function initOpengraph(ogDir) {
     for (const file of files) {
         const name = file.replace(/\.(ts|js)$/, '');
         const scriptPath = resolve(ogDir, file);
-        const mod = await import(__rewriteRelativeImportExtension(scriptPath));
+        const mod = await import(__rewriteRelativeImportExtension(/* @vite-ignore */ `${scriptPath}?t=${Date.now()}`));
         const handler = mod.default;
         if (!handler.path) {
             console.warn(`[opengraph] ${file} missing 'path' export, skipping`);
@@ -64,38 +76,10 @@ export async function initOpengraph(ogDir) {
             pattern,
             paramNames,
             execute: async (params) => {
-                const ctx = {
-                    db: { query: querySQL, run: runSQL },
-                    params,
-                    input: {},
-                    limit: 1,
-                    viewer: null,
-                    packCursor,
-                    unpackCursor,
-                    isTakendown: isTakendownDid,
-                    filterTakendownDids,
-                    search: searchRecords,
-                    resolve: resolveRecords,
-                    lookup: async (collection, field, values) => {
-                        if (values.length === 0)
-                            return new Map();
-                        const unique = [...new Set(values.filter(Boolean))];
-                        return lookupByFieldBatch(collection, field, unique);
-                    },
-                    count: async (collection, field, values) => {
-                        if (values.length === 0)
-                            return new Map();
-                        const unique = [...new Set(values.filter(Boolean))];
-                        return countByFieldBatch(collection, field, unique);
-                    },
-                    exists: async (collection, filters) => {
-                        const conditions = Object.entries(filters).map(([field, value]) => ({ field, value }));
-                        const uri = await findUriByFields(collection, conditions);
-                        return uri !== null;
-                    },
-                    labels: queryLabelsForUris,
-                    blobUrl,
-                };
+                const ctx = buildXrpcContext(params, undefined, 1, null);
+                // Override blobUrl to use _og presets (jpeg) — satori doesn't support webp
+                const origBlobUrl = ctx.blobUrl;
+                ctx.blobUrl = (did, ref, preset = 'avatar') => origBlobUrl(did, ref, `${preset}_og`);
                 ctx.fetchImage = async (url) => {
                     try {
                         const resp = await fetch(url, { redirect: 'follow' });
@@ -117,7 +101,7 @@ export async function initOpengraph(ogDir) {
                     ...result.options,
                     fonts: [...(defaultFont ? [defaultFont] : []), ...(result.options?.fonts || [])],
                 };
-                const svg = await satori(element, options);
+                const svg = await (await getSatori())(element, options);
                 return { svg, meta: result.meta };
             },
         });
@@ -129,6 +113,61 @@ export async function initOpengraph(ogDir) {
         }
     }
 }
+/** Register a single OG handler from a scanned server/ module. */
+export function registerOgHandler(ogMod) {
+    const { pattern, paramNames } = compilePath(ogMod.path);
+    const name = ogMod.path.replace(/^\//, '').replace(/\//g, '-').replace(/:/g, '');
+    // Load default font if not already loaded
+    if (!defaultFont) {
+        try {
+            const fontPath = resolve(import.meta.dirname, '..', 'fonts', 'Inter-Regular.woff');
+            const fontData = readFileSync(fontPath);
+            defaultFont = { name: 'Inter', data: fontData.buffer, weight: 400, style: 'normal' };
+        }
+        catch { }
+    }
+    handlers.push({
+        name,
+        path: ogMod.path,
+        pattern,
+        paramNames,
+        execute: async (params) => {
+            const ctx = buildXrpcContext(params, undefined, 1, null);
+            // Override blobUrl to use _og presets (jpeg) — satori doesn't support webp
+            const origBlobUrl = ctx.blobUrl;
+            ctx.blobUrl = (did, ref, preset = 'avatar') => origBlobUrl(did, ref, `${preset}_og`);
+            ctx.fetchImage = async (url) => {
+                try {
+                    const resp = await fetch(url, { redirect: 'follow' });
+                    if (!resp.ok)
+                        return null;
+                    const buf = Buffer.from(await resp.arrayBuffer());
+                    const contentType = resp.headers.get('content-type') || 'image/jpeg';
+                    return `data:${contentType};base64,${buf.toString('base64')}`;
+                }
+                catch {
+                    return null;
+                }
+            };
+            const result = await ogMod.generate(ctx);
+            const element = result.element;
+            const options = {
+                width: 1200,
+                height: 630,
+                ...result.options,
+                fonts: [...(defaultFont ? [defaultFont] : []), ...(result.options?.fonts || [])],
+            };
+            const svg = await (await getSatori())(element, options);
+            return { svg, meta: result.meta };
+        },
+    });
+    const pagePath = ogMod.path.replace(/^\/og/, '');
+    if (pagePath !== ogMod.path) {
+        const compiled = compilePath(pagePath);
+        pageRoutes.push({ ogPath: ogMod.path, pattern: compiled.pattern, paramNames: compiled.paramNames, name });
+    }
+    log(`[opengraph] registered: ${name} → ${ogMod.path}`);
+}
 export async function handleOpengraphRequest(pathname) {
     const cached = cache.get(pathname);
     if (cached && cached.expires > Date.now())
@@ -143,6 +182,7 @@ export async function handleOpengraphRequest(pathname) {
         });
         try {
             const { svg, meta } = await handler.execute(params);
+            const Resvg = await getResvg();
             const png = new Resvg(svg, { fitTo: { mode: 'width', value: 1200 } }).render().asPng();
             if (cache.size >= CACHE_MAX) {
                 const oldest = cache.keys().next().value;
@@ -153,7 +193,7 @@ export async function handleOpengraphRequest(pathname) {
             return png;
         }
         catch (err) {
-            console.error(`[opengraph] error in ${handler.name}:`, err.message);
+            console.error(`[opengraph] error in ${handler.name}:`, err.message, err.stack);
             return null;
         }
     }

package/dist/pds-proxy.d.ts

@@ -0,0 +1,60 @@
+import type { OAuthConfig } from './config.ts';
+export declare class ProxyError extends Error {
+    status: number;
+    constructor(status: number, message: string);
+}
+export declare class ScopeMissingProxyError extends ProxyError {
+    constructor();
+}
+export declare function pdsCreateRecord(oauthConfig: OAuthConfig, viewer: {
+    did: string;
+}, input: {
+    collection: string;
+    repo?: string;
+    rkey?: string;
+    record: Record<string, unknown>;
+}): Promise<{
+    uri?: string;
+    cid?: string;
+}>;
+export declare function pdsDeleteRecord(oauthConfig: OAuthConfig, viewer: {
+    did: string;
+}, input: {
+    collection: string;
+    rkey: string;
+}): Promise<Record<string, unknown>>;
+export declare function pdsPutRecord(oauthConfig: OAuthConfig, viewer: {
+    did: string;
+}, input: {
+    collection: string;
+    rkey: string;
+    record: Record<string, unknown>;
+    repo?: string;
+}): Promise<{
+    uri?: string;
+    cid?: string;
+}>;
+export interface ApplyWritesOp {
+    $type: string;
+    collection: string;
+    rkey?: string;
+    value?: Record<string, unknown>;
+}
+export interface ApplyWritesResult {
+    $type: string;
+    uri?: string;
+    cid?: string;
+}
+export declare function pdsApplyWrites(oauthConfig: OAuthConfig, viewer: {
+    did: string;
+}, input: {
+    writes: ApplyWritesOp[];
+}): Promise<{
+    results?: ApplyWritesResult[];
+}>;
+export declare function pdsUploadBlob(oauthConfig: OAuthConfig, viewer: {
+    did: string;
+}, body: Uint8Array, contentType: string): Promise<{
+    blob: unknown;
+}>;
+//# sourceMappingURL=pds-proxy.d.ts.map