@hatk/hatk 0.0.1-alpha.6 → 0.0.1-alpha.61

package/dist/pds-proxy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pds-proxy.d.ts","sourceRoot":"","sources":["../src/pds-proxy.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAA;AAU9C,qBAAa,UAAW,SAAQ,KAAK;IAE1B,MAAM,EAAE,MAAM;gBAAd,MAAM,EAAE,MAAM,EACrB,OAAO,EAAE,MAAM;CAIlB;AAED,qBAAa,sBAAuB,SAAQ,UAAU;;CAIrD;AAuHD,wBAAsB,eAAe,CACnC,WAAW,EAAE,WAAW,EACxB,MAAM,EAAE;IAAE,GAAG,EAAE,MAAM,CAAA;CAAE,EACvB,KAAK,EAAE;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAAE,GAC3F,OAAO,CAAC;IAAE,GAAG,CAAC,EAAE,MAAM,CAAC;IAAC,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAwCzC;AAED,wBAAsB,eAAe,CACnC,WAAW,EAAE,WAAW,EACxB,MAAM,EAAE;IAAE,GAAG,EAAE,MAAM,CAAA;CAAE,EACvB,KAAK,EAAE;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GAC1C,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAyBlC;AAED,wBAAsB,YAAY,CAChC,WAAW,EAAE,WAAW,EACxB,MAAM,EAAE;IAAE,GAAG,EAAE,MAAM,CAAA;CAAE,EACvB,KAAK,EAAE;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAA;CAAE,GAC1F,OAAO,CAAC;IAAE,GAAG,CAAC,EAAE,MAAM,CAAC;IAAC,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAqCzC;AAED,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,MAAM,CAAA;IACb,UAAU,EAAE,MAAM,CAAA;IAClB,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAChC;AAED,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,MAAM,CAAA;IACb,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,GAAG,CAAC,EAAE,MAAM,CAAA;CACb;AAYD,wBAAsB,cAAc,CAClC,WAAW,EAAE,WAAW,EACxB,MAAM,EAAE;IAAE,GAAG,EAAE,MAAM,CAAA;CAAE,EACvB,KAAK,EAAE;IAAE,MAAM,EAAE,aAAa,EAAE,CAAA;CAAE,GACjC,OAAO,CAAC;IAAE,OAAO,CAAC,EAAE,iBAAiB,EAAE,CAAA;CAAE,CAAC,CAgE5C;AAED,wBAAsB,aAAa,CACjC,WAAW,EAAE,WAAW,EACxB,MAAM,EAAE;IAAE,GAAG,EAAE,MAAM,CAAA;CAAE,EACvB,IAAI,EAAE,UAAU,EAChB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC;IAAE,IAAI,EAAE,OAAO,CAAA;CAAE,CAAC,CAS5B"}

package/dist/pds-proxy.js

@@ -0,0 +1,277 @@
+// Shared PDS proxy functions — used by both HTTP route handlers and XRPC handlers.
+import { getSession, getServerKey, deleteSession } from "./oauth/db.js";
+import { createDpopProof } from "./oauth/dpop.js";
+import { refreshPdsSession } from "./oauth/server.js";
+import { validateRecord } from '@bigmoves/lexicon';
+import { getLexiconArray } from "./database/schema.js";
+import { insertRecord, deleteRecord as dbDeleteRecord } from "./database/db.js";
+import { emit } from "./logger.js";
+import { runLabelRules } from "./labels.js";
+export class ProxyError extends Error {
+    status;
+    constructor(status, message) {
+        super(message);
+        this.status = status;
+    }
+}
+export class ScopeMissingProxyError extends ProxyError {
+    constructor() {
+        super(401, 'ScopeMissingError');
+    }
+}
+/** Shared retry logic: DPoP nonce handling + token refresh. */
+async function withDpopRetry(oauthConfig, session, doFetch) {
+    let accessToken = session.access_token;
+    let result = await doFetch(accessToken);
+    if (result.ok)
+        return result;
+    let nonce;
+    // Step 1: handle DPoP nonce requirement
+    if (result.body.error === 'use_dpop_nonce') {
+        nonce = result.headers.get('DPoP-Nonce') || undefined;
+        if (nonce) {
+            result = await doFetch(accessToken, nonce);
+            if (result.ok)
+                return result;
+        }
+    }
+    // Step 2: handle insufficient scope — clear session so user re-authenticates with updated scopes
+    if (result.body.error === 'ScopeMissingError') {
+        await deleteSession(session.did);
+        throw new ScopeMissingProxyError();
+    }
+    // Step 3: handle expired PDS token — refresh and retry
+    // The PDS returns 'InvalidToken' or 'ExpiredToken' (AT Proto PascalCase convention)
+    // while the OAuth spec uses 'invalid_token' (RFC 6750 snake_case)
+    const err = result.body.error;
+    if (err === 'invalid_token' || err === 'InvalidToken' || err === 'ExpiredToken') {
+        const refreshed = await refreshPdsSession(oauthConfig, session);
+        if (refreshed) {
+            accessToken = refreshed.accessToken;
+            result = await doFetch(accessToken, nonce);
+            if (result.ok)
+                return result;
+            if (result.body.error === 'use_dpop_nonce') {
+                nonce = result.headers.get('DPoP-Nonce') || undefined;
+                if (nonce)
+                    result = await doFetch(accessToken, nonce);
+            }
+        }
+    }
+    return result;
+}
+async function proxyToPds(oauthConfig, session, method, pdsUrl, body) {
+    const serverKey = await getServerKey('appview-oauth-key');
+    const privateJwk = JSON.parse(serverKey.privateKey);
+    const publicJwk = JSON.parse(serverKey.publicKey);
+    return withDpopRetry(oauthConfig, session, async (token, nonce) => {
+        const proof = await createDpopProof(privateJwk, publicJwk, method, pdsUrl, token, nonce);
+        const res = await fetch(pdsUrl, {
+            method,
+            headers: {
+                'Content-Type': 'application/json',
+                Authorization: `DPoP ${token}`,
+                DPoP: proof,
+            },
+            body: JSON.stringify(body),
+        });
+        const resBody = await res.json().catch(() => ({}));
+        return { ok: res.ok, status: res.status, body: resBody, headers: res.headers };
+    });
+}
+/** Proxy a raw binary request to the user's PDS with DPoP + nonce retry + token refresh. */
+async function proxyToPdsRaw(oauthConfig, session, pdsUrl, body, contentType) {
+    const serverKey = await getServerKey('appview-oauth-key');
+    const privateJwk = JSON.parse(serverKey.privateKey);
+    const publicJwk = JSON.parse(serverKey.publicKey);
+    return withDpopRetry(oauthConfig, session, async (token, nonce) => {
+        const proof = await createDpopProof(privateJwk, publicJwk, 'POST', pdsUrl, token, nonce);
+        const res = await fetch(pdsUrl, {
+            method: 'POST',
+            headers: {
+                'Content-Type': contentType,
+                'Content-Length': String(body.length),
+                Authorization: `DPoP ${token}`,
+                DPoP: proof,
+            },
+            body: Buffer.from(body),
+        });
+        const resBody = await res.json().catch(() => ({}));
+        return { ok: res.ok, status: res.status, body: resBody, headers: res.headers };
+    });
+}
+// --- High-level proxy functions ---
+export async function pdsCreateRecord(oauthConfig, viewer, input) {
+    const validationError = validateRecord(getLexiconArray(), input.collection, input.record);
+    if (validationError) {
+        throw new ProxyError(400, `InvalidRecord: ${validationError.path ? validationError.path + ': ' : ''}${validationError.message}`);
+    }
+    const session = await getSession(viewer.did);
+    if (!session)
+        throw new ProxyError(401, 'No PDS session for user');
+    const pdsUrl = `${session.pds_endpoint}/xrpc/com.atproto.repo.createRecord`;
+    const pdsBody = {
+        repo: viewer.did,
+        collection: input.collection,
+        rkey: input.rkey,
+        record: input.record,
+    };
+    const pdsRes = await proxyToPds(oauthConfig, session, 'POST', pdsUrl, pdsBody);
+    if (!pdsRes.ok)
+        throw new ProxyError(pdsRes.status, String(pdsRes.body.error || 'PDS write failed'));
+    try {
+        await insertRecord(input.collection, String(pdsRes.body.uri), String(pdsRes.body.cid), viewer.did, input.record);
+        await runLabelRules({
+            uri: String(pdsRes.body.uri),
+            cid: String(pdsRes.body.cid),
+            did: viewer.did,
+            collection: input.collection,
+            value: input.record,
+        });
+    }
+    catch (err) {
+        emit('pds-proxy', 'local_index_error', {
+            op: 'createRecord',
+            error: err instanceof Error ? err.message : String(err),
+        });
+    }
+    return pdsRes.body;
+}
+export async function pdsDeleteRecord(oauthConfig, viewer, input) {
+    const session = await getSession(viewer.did);
+    if (!session)
+        throw new ProxyError(401, 'No PDS session for user');
+    const pdsUrl = `${session.pds_endpoint}/xrpc/com.atproto.repo.deleteRecord`;
+    const pdsBody = {
+        repo: viewer.did,
+        collection: input.collection,
+        rkey: input.rkey,
+    };
+    const pdsRes = await proxyToPds(oauthConfig, session, 'POST', pdsUrl, pdsBody);
+    if (!pdsRes.ok)
+        throw new ProxyError(pdsRes.status, String(pdsRes.body.error || 'PDS delete failed'));
+    try {
+        const uri = `at://${viewer.did}/${input.collection}/${input.rkey}`;
+        await dbDeleteRecord(input.collection, uri);
+    }
+    catch (err) {
+        emit('pds-proxy', 'local_index_error', {
+            op: 'deleteRecord',
+            error: err instanceof Error ? err.message : String(err),
+        });
+    }
+    return pdsRes.body;
+}
+export async function pdsPutRecord(oauthConfig, viewer, input) {
+    const validationError = validateRecord(getLexiconArray(), input.collection, input.record);
+    if (validationError) {
+        throw new ProxyError(400, `InvalidRecord: ${validationError.path ? validationError.path + ': ' : ''}${validationError.message}`);
+    }
+    const session = await getSession(viewer.did);
+    if (!session)
+        throw new ProxyError(401, 'No PDS session for user');
+    const pdsUrl = `${session.pds_endpoint}/xrpc/com.atproto.repo.putRecord`;
+    const pdsBody = {
+        repo: viewer.did,
+        collection: input.collection,
+        rkey: input.rkey,
+        record: input.record,
+    };
+    const pdsRes = await proxyToPds(oauthConfig, session, 'POST', pdsUrl, pdsBody);
+    if (!pdsRes.ok)
+        throw new ProxyError(pdsRes.status, String(pdsRes.body.error || 'PDS write failed'));
+    try {
+        await insertRecord(input.collection, String(pdsRes.body.uri), String(pdsRes.body.cid), viewer.did, input.record);
+        await runLabelRules({
+            uri: String(pdsRes.body.uri),
+            cid: String(pdsRes.body.cid),
+            did: viewer.did,
+            collection: input.collection,
+            value: input.record,
+        });
+    }
+    catch (err) {
+        emit('pds-proxy', 'local_index_error', { op: 'putRecord', error: err instanceof Error ? err.message : String(err) });
+    }
+    return pdsRes.body;
+}
+/** Map dev.hatk.applyWrites#* types to com.atproto.repo.applyWrites#* for PDS. */
+function toPdsWriteType($type) {
+    return $type.replace('dev.hatk.applyWrites#', 'com.atproto.repo.applyWrites#');
+}
+function isCreateOrUpdate($type) {
+    const mapped = toPdsWriteType($type);
+    return mapped === 'com.atproto.repo.applyWrites#create' || mapped === 'com.atproto.repo.applyWrites#update';
+}
+export async function pdsApplyWrites(oauthConfig, viewer, input) {
+    // Validate all create/update records before sending
+    for (const write of input.writes) {
+        if (isCreateOrUpdate(write.$type) && write.value) {
+            const validationError = validateRecord(getLexiconArray(), write.collection, write.value);
+            if (validationError) {
+                throw new ProxyError(400, `InvalidRecord: ${validationError.path ? validationError.path + ': ' : ''}${validationError.message}`);
+            }
+        }
+    }
+    const session = await getSession(viewer.did);
+    if (!session)
+        throw new ProxyError(401, 'No PDS session for user');
+    const pdsUrl = `${session.pds_endpoint}/xrpc/com.atproto.repo.applyWrites`;
+    const pdsBody = {
+        repo: viewer.did,
+        writes: input.writes.map((w) => ({ ...w, $type: toPdsWriteType(w.$type) })),
+    };
+    const pdsRes = await proxyToPds(oauthConfig, session, 'POST', pdsUrl, pdsBody);
+    if (!pdsRes.ok)
+        throw new ProxyError(pdsRes.status, String(pdsRes.body.error || 'PDS applyWrites failed'));
+    // Index results locally
+    const results = pdsRes.body.results ?? [];
+    for (let i = 0; i < input.writes.length; i++) {
+        const write = input.writes[i];
+        const result = results[i];
+        try {
+            const mapped = toPdsWriteType(write.$type);
+            if (mapped === 'com.atproto.repo.applyWrites#create' && result?.uri && result?.cid && write.value) {
+                await insertRecord(write.collection, result.uri, result.cid, viewer.did, write.value);
+                await runLabelRules({
+                    uri: result.uri,
+                    cid: result.cid,
+                    did: viewer.did,
+                    collection: write.collection,
+                    value: write.value,
+                });
+            }
+            else if (mapped === 'com.atproto.repo.applyWrites#update' && result?.uri && result?.cid && write.value) {
+                await insertRecord(write.collection, result.uri, result.cid, viewer.did, write.value);
+                await runLabelRules({
+                    uri: result.uri,
+                    cid: result.cid,
+                    did: viewer.did,
+                    collection: write.collection,
+                    value: write.value,
+                });
+            }
+            else if (mapped === 'com.atproto.repo.applyWrites#delete' && write.rkey) {
+                const uri = `at://${viewer.did}/${write.collection}/${write.rkey}`;
+                await dbDeleteRecord(write.collection, uri);
+            }
+        }
+        catch (err) {
+            emit('pds-proxy', 'local_index_error', {
+                op: 'applyWrites',
+                error: err instanceof Error ? err.message : String(err),
+            });
+        }
+    }
+    return pdsRes.body;
+}
+export async function pdsUploadBlob(oauthConfig, viewer, body, contentType) {
+    const session = await getSession(viewer.did);
+    if (!session)
+        throw new ProxyError(401, 'No PDS session for user');
+    const pdsUrl = `${session.pds_endpoint}/xrpc/com.atproto.repo.uploadBlob`;
+    const pdsRes = await proxyToPdsRaw(oauthConfig, session, pdsUrl, body, contentType);
+    if (!pdsRes.ok)
+        throw new ProxyError(pdsRes.status, String(pdsRes.body.error || 'PDS upload failed'));
+    return pdsRes.body;
+}

package/dist/push.d.ts

@@ -0,0 +1,34 @@
+export interface ApnsConfig {
+    keyFile: string;
+    keyId: string;
+    teamId: string;
+    bundleId: string;
+    production?: boolean;
+}
+export interface PushConfig {
+    apns: ApnsConfig;
+}
+export interface PushPayload {
+    did: string;
+    title: string;
+    body: string;
+    data?: Record<string, string>;
+    collapseId?: string;
+    badge?: number;
+}
+export interface PushInterface {
+    send: (payload: PushPayload) => Promise<void>;
+}
+/** Initialize push with config. Must be called before send(). */
+export declare function initPush(config: PushConfig, configDir: string): void;
+/** Check if push is configured and available. */
+export declare function isPushEnabled(): boolean;
+/** Build the push interface injected into hook contexts. */
+export declare function buildPushInterface(): PushInterface;
+/** Register a push token for a DID. Upserts on conflict. */
+export declare function registerToken(did: string, token: string, platform: string): Promise<void>;
+/** Remove a push token. */
+export declare function removeToken(token: string): Promise<void>;
+/** Unregister a specific token for a DID. */
+export declare function unregisterToken(did: string, token: string): Promise<void>;
+//# sourceMappingURL=push.d.ts.map

package/dist/push.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"push.d.ts","sourceRoot":"","sources":["../src/push.ts"],"names":[],"mappings":"AAeA,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,MAAM,CAAA;IACf,KAAK,EAAE,MAAM,CAAA;IACb,MAAM,EAAE,MAAM,CAAA;IACd,QAAQ,EAAE,MAAM,CAAA;IAChB,UAAU,CAAC,EAAE,OAAO,CAAA;CACrB;AAED,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,UAAU,CAAA;CACjB;AAED,MAAM,WAAW,WAAW;IAC1B,GAAG,EAAE,MAAM,CAAA;IACX,KAAK,EAAE,MAAM,CAAA;IACb,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IAC7B,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,KAAK,CAAC,EAAE,MAAM,CAAA;CACf;AAED,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,CAAC,OAAO,EAAE,WAAW,KAAK,OAAO,CAAC,IAAI,CAAC,CAAA;CAC9C;AAOD,iEAAiE;AACjE,wBAAgB,QAAQ,CAAC,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,GAAG,IAAI,CASpE;AAED,iDAAiD;AACjD,wBAAgB,aAAa,IAAI,OAAO,CAEvC;AAED,4DAA4D;AAC5D,wBAAgB,kBAAkB,IAAI,aAAa,CAElD;AAoJD,4DAA4D;AAC5D,wBAAsB,aAAa,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAO/F;AAED,2BAA2B;AAC3B,wBAAsB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAE9D;AAED,6CAA6C;AAC7C,wBAAsB,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAE/E"}

package/dist/push.js

@@ -0,0 +1,184 @@
+/**
+ * Push notification delivery via APNs HTTP/2.
+ *
+ * Provides `push.send()` for use in on-commit hook context. Looks up device
+ * tokens, builds APNs payloads, and sends via HTTP/2. Self-cleans invalid
+ * tokens on Apple 410 responses. Fire-and-forget — failures are logged via
+ * `emit()` but never throw.
+ */
+import { connect } from 'node:http2';
+import { readFileSync } from 'node:fs';
+import { createSign } from 'node:crypto';
+import { resolve } from 'node:path';
+import { emit } from "./logger.js";
+import { runSQL, querySQL } from "./database/db.js";
+let pushConfig = null;
+let apnsKey = null;
+let cachedJwt = null;
+let http2Session = null;
+/** Initialize push with config. Must be called before send(). */
+export function initPush(config, configDir) {
+    pushConfig = config;
+    const keyPath = resolve(configDir, config.apns.keyFile);
+    try {
+        apnsKey = readFileSync(keyPath, 'utf8');
+    }
+    catch {
+        emit('push', 'init_error', { error: `APNs key file not found: ${keyPath}` });
+        pushConfig = null;
+    }
+}
+/** Check if push is configured and available. */
+export function isPushEnabled() {
+    return pushConfig !== null && apnsKey !== null;
+}
+/** Build the push interface injected into hook contexts. */
+export function buildPushInterface() {
+    return { send };
+}
+/** Create a JWT for APNs authentication (cached for 50 minutes). */
+function getApnsJwt() {
+    if (cachedJwt && Date.now() < cachedJwt.expires)
+        return cachedJwt.token;
+    if (!pushConfig || !apnsKey)
+        throw new Error('Push not initialized');
+    const header = Buffer.from(JSON.stringify({
+        alg: 'ES256',
+        kid: pushConfig.apns.keyId,
+    })).toString('base64url');
+    const now = Math.floor(Date.now() / 1000);
+    const claims = Buffer.from(JSON.stringify({
+        iss: pushConfig.apns.teamId,
+        iat: now,
+    })).toString('base64url');
+    const signer = createSign('SHA256');
+    signer.update(`${header}.${claims}`);
+    const signature = signer.sign(apnsKey, 'base64url');
+    const token = `${header}.${claims}.${signature}`;
+    cachedJwt = { token, expires: Date.now() + 50 * 60 * 1000 };
+    return token;
+}
+/** Get or create an HTTP/2 connection to APNs. */
+function getHttp2Session() {
+    if (http2Session && !http2Session.closed && !http2Session.destroyed) {
+        return http2Session;
+    }
+    const host = pushConfig?.apns.production !== false
+        ? 'https://api.push.apple.com'
+        : 'https://api.sandbox.push.apple.com';
+    emit('push', 'connecting', { host });
+    http2Session = connect(host, {
+        peerMaxConcurrentStreams: 100,
+    });
+    http2Session.on('connect', () => {
+        emit('push', 'connected', { host });
+    });
+    http2Session.on('error', (err) => {
+        emit('push', 'connection_error', { host, error: err.message });
+        http2Session = null;
+    });
+    http2Session.on('close', () => {
+        http2Session = null;
+    });
+    return http2Session;
+}
+/** Send a push notification to all devices registered for a DID. */
+async function send(payload) {
+    if (!pushConfig || !apnsKey)
+        return;
+    const tokens = await querySQL(`SELECT token, platform FROM _push_tokens WHERE did = $1`, [payload.did]);
+    if (tokens.length === 0)
+        return;
+    const jwt = getApnsJwt();
+    const aps = {
+        alert: { title: payload.title, body: payload.body },
+        sound: 'default',
+    };
+    if (payload.badge !== undefined) {
+        aps.badge = payload.badge;
+    }
+    const apnsPayload = JSON.stringify({
+        aps,
+        ...(payload.data || {}),
+    });
+    for (const { token, platform } of tokens) {
+        if (platform !== 'apns')
+            continue;
+        sendToApns(token, apnsPayload, jwt, payload).catch(() => { });
+    }
+}
+/** Send a single APNs push and handle the response. */
+async function sendToApns(token, payload, jwt, original) {
+    const session = getHttp2Session();
+    const headers = {
+        ':method': 'POST',
+        ':path': `/3/device/${token}`,
+        'authorization': `bearer ${jwt}`,
+        'apns-topic': pushConfig.apns.bundleId,
+        'apns-push-type': 'alert',
+    };
+    if (original.collapseId) {
+        headers['apns-collapse-id'] = original.collapseId;
+    }
+    return new Promise((resolve) => {
+        const req = session.request(headers);
+        let settled = false;
+        const done = () => { if (settled)
+            return; settled = true; resolve(); };
+        req.setTimeout(15_000, () => {
+            req.close();
+            emit('push', 'send_error', { did: original.did, error: 'APNs request timed out' });
+            done();
+        });
+        let status = 0;
+        let body = '';
+        req.on('response', (headers) => {
+            status = headers[':status'];
+        });
+        req.on('data', (chunk) => {
+            body += chunk.toString();
+        });
+        req.on('end', async () => {
+            if (settled)
+                return;
+            if (status === 200) {
+                emit('push', 'sent', { did: original.did, token: token.slice(0, 8) + '...' });
+            }
+            else if (status === 410) {
+                // Token is no longer valid — remove it
+                await removeToken(token).catch(() => { });
+                emit('push', 'token_removed', { did: original.did, reason: 'expired' });
+            }
+            else {
+                emit('push', 'send_error', {
+                    did: original.did,
+                    status,
+                    body: body.slice(0, 200),
+                });
+            }
+            done();
+        });
+        req.on('error', (err) => {
+            if (settled)
+                return;
+            emit('push', 'send_error', { did: original.did, error: err.message });
+            done();
+        });
+        req.write(payload);
+        req.end();
+    });
+}
+/** Register a push token for a DID. Upserts on conflict. */
+export async function registerToken(did, token, platform) {
+    await runSQL(`INSERT INTO _push_tokens (did, token, platform, created_at)
+     VALUES ($1, $2, $3, $4)
+     ON CONFLICT (did, token) DO UPDATE SET platform = excluded.platform`, [did, token, platform, new Date().toISOString()]);
+}
+/** Remove a push token. */
+export async function removeToken(token) {
+    await runSQL(`DELETE FROM _push_tokens WHERE token = $1`, [token]);
+}
+/** Unregister a specific token for a DID. */
+export async function unregisterToken(did, token) {
+    await runSQL(`DELETE FROM _push_tokens WHERE did = $1 AND token = $2`, [did, token]);
+}

package/dist/renderer.d.ts

@@ -0,0 +1,27 @@
+export interface SSRManifest {
+    getPreloadTags(url: string): string;
+}
+export interface RenderResult {
+    html: string;
+    head?: string;
+}
+export type RendererHandler = (request: Request, manifest: SSRManifest) => Promise<RenderResult>;
+export declare function defineRenderer(handler: RendererHandler): {
+    __type: "renderer";
+    handler: RendererHandler;
+};
+export declare function registerRenderer(handler: RendererHandler): void;
+export declare function setSSRManifest(manifest: SSRManifest): void;
+export declare function getRenderer(): RendererHandler | null;
+export declare function getSSRManifest(): SSRManifest | null;
+/**
+ * Render an HTML page by calling the user's renderer and assembling the result
+ * into the index.html template.
+ *
+ * @param template - The index.html content (with <!--ssr-outlet--> placeholder)
+ * @param request - The incoming Request
+ * @param ogMeta - Optional OG meta tags to inject
+ * @returns Assembled HTML string, or null if no renderer is registered
+ */
+export declare function renderPage(template: string, request: Request, ogMeta?: string | null): Promise<string | null>;
+//# sourceMappingURL=renderer.d.ts.map

package/dist/renderer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"renderer.d.ts","sourceRoot":"","sources":["../src/renderer.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,WAAW;IAC1B,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;CACpC;AAED,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,CAAC,EAAE,MAAM,CAAA;CACd;AAED,MAAM,MAAM,eAAe,GAAG,CAAC,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,WAAW,KAAK,OAAO,CAAC,YAAY,CAAC,CAAA;AAKhG,wBAAgB,cAAc,CAAC,OAAO,EAAE,eAAe;;;EAEtD;AAED,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,eAAe,GAAG,IAAI,CAG/D;AAED,wBAAgB,cAAc,CAAC,QAAQ,EAAE,WAAW,GAAG,IAAI,CAE1D;AAED,wBAAgB,WAAW,IAAI,eAAe,GAAG,IAAI,CAEpD;AAED,wBAAgB,cAAc,IAAI,WAAW,GAAG,IAAI,CAEnD;AAED;;;;;;;;GAQG;AACH,wBAAsB,UAAU,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAsBnH"}

package/dist/renderer.js

@@ -0,0 +1,46 @@
+import { log } from "./logger.js";
+let renderer = null;
+let ssrManifest = null;
+export function defineRenderer(handler) {
+    return { __type: 'renderer', handler };
+}
+export function registerRenderer(handler) {
+    renderer = handler;
+    log('[renderer] SSR renderer registered');
+}
+export function setSSRManifest(manifest) {
+    ssrManifest = manifest;
+}
+export function getRenderer() {
+    return renderer;
+}
+export function getSSRManifest() {
+    return ssrManifest;
+}
+/**
+ * Render an HTML page by calling the user's renderer and assembling the result
+ * into the index.html template.
+ *
+ * @param template - The index.html content (with <!--ssr-outlet--> placeholder)
+ * @param request - The incoming Request
+ * @param ogMeta - Optional OG meta tags to inject
+ * @returns Assembled HTML string, or null if no renderer is registered
+ */
+export async function renderPage(template, request, ogMeta) {
+    if (!renderer)
+        return null;
+    const manifest = ssrManifest || { getPreloadTags: () => '' };
+    const result = await renderer(request, manifest);
+    let html = template;
+    // Inject SSR head tags (preloads, styles)
+    if (result.head) {
+        html = html.replace('</head>', `${result.head}\n</head>`);
+    }
+    // Inject OG meta tags
+    if (ogMeta) {
+        html = html.replace('</head>', `${ogMeta}\n</head>`);
+    }
+    // Inject rendered HTML into the outlet
+    html = html.replace('<!--ssr-outlet-->', result.html);
+    return html;
+}

package/dist/resolve-hatk.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Register a Node.js module resolve hook so dynamic import() of server files
+ * can resolve the $hatk alias to the generated entry points.
+ */
+export declare function registerHatkResolveHook(): void;
+//# sourceMappingURL=resolve-hatk.d.ts.map

package/dist/resolve-hatk.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolve-hatk.d.ts","sourceRoot":"","sources":["../src/resolve-hatk.ts"],"names":[],"mappings":"AAIA;;;GAGG;AACH,wBAAgB,uBAAuB,IAAI,IAAI,CAU9C"}

package/dist/resolve-hatk.js

@@ -0,0 +1,20 @@
+import { resolve } from 'node:path';
+import { pathToFileURL } from 'node:url';
+import { registerHooks } from 'node:module';
+/**
+ * Register a Node.js module resolve hook so dynamic import() of server files
+ * can resolve the $hatk alias to the generated entry points.
+ */
+export function registerHatkResolveHook() {
+    const hatkUrl = pathToFileURL(resolve('hatk.generated.ts')).href;
+    const hatkClientUrl = pathToFileURL(resolve('hatk.generated.client.ts')).href;
+    registerHooks({
+        resolve(specifier, context, nextResolve) {
+            if (specifier === '$hatk/client')
+                return { url: hatkClientUrl, shortCircuit: true };
+            if (specifier === '$hatk')
+                return { url: hatkUrl, shortCircuit: true };
+            return nextResolve(specifier, context);
+        },
+    });
+}

package/dist/response.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Create a JSON Response with optional gzip compression.
+ * Mirrors the old jsonResponse/sendJson behavior.
+ */
+export declare function json(data: unknown, status?: number, acceptEncoding?: string | null): Response;
+/** Create a JSON error Response. */
+export declare function jsonError(status: number, message: string, acceptEncoding?: string | null): Response;
+/** CORS preflight Response. */
+export declare function cors(): Response;
+/** Add CORS headers to an existing Response. */
+export declare function withCors(response: Response): Response;
+/** Create a static file Response with correct MIME type. */
+export declare function file(content: Buffer | Uint8Array, contentType: string, cacheControl?: string): Response;
+/** 404 Not Found. */
+export declare function notFound(): Response;
+//# sourceMappingURL=response.d.ts.map

package/dist/response.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"response.d.ts","sourceRoot":"","sources":["../src/response.ts"],"names":[],"mappings":"AAGA;;;GAGG;AACH,wBAAgB,IAAI,CAAC,IAAI,EAAE,OAAO,EAAE,MAAM,SAAM,EAAE,cAAc,CAAC,EAAE,MAAM,GAAG,IAAI,GAAG,QAAQ,CAuB1F;AAED,oCAAoC;AACpC,wBAAgB,SAAS,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,cAAc,CAAC,EAAE,MAAM,GAAG,IAAI,GAAG,QAAQ,CAEnG;AAED,+BAA+B;AAC/B,wBAAgB,IAAI,IAAI,QAAQ,CAS/B;AAED,gDAAgD;AAChD,wBAAgB,QAAQ,CAAC,QAAQ,EAAE,QAAQ,GAAG,QAAQ,CAUrD;AAED,4DAA4D;AAC5D,wBAAgB,IAAI,CAAC,OAAO,EAAE,MAAM,GAAG,UAAU,EAAE,WAAW,EAAE,MAAM,EAAE,YAAY,CAAC,EAAE,MAAM,GAAG,QAAQ,CAQvG;AAED,qBAAqB;AACrB,wBAAgB,QAAQ,IAAI,QAAQ,CAEnC"}