+445

docs/superpowers/plans/2026-03-14-ssr-auth.md

reviewed

··· 1 1 + # SSR Auth Implementation Plan 2 2 + 3 3 + > **For Claude:** REQUIRED SUB-SKILL: Use superpowers:executing-plans to implement this plan task-by-task. 4 4 + 5 5 + **Goal:** Server-side session cookies so SSR knows the viewer — no auth flash, authenticated `callXrpc` during SSR. 6 6 + 7 7 + **Architecture:** OAuth callback sets a signed `HttpOnly` cookie (`did.timestamp.hmac`). SSR middleware forwards the cookie, resolves the viewer, and sets `globalThis.__hatk_viewer`. `callXrpc` and a new `getViewer()` export pick it up automatically. 8 8 + 9 9 + **Tech Stack:** Web Crypto HMAC-SHA256, existing OAuth keypair, globalThis bridge pattern. 10 10 + 11 11 + --- 12 12 + 13 13 + ### Task 1: Session Cookie Helpers 14 14 + 15 15 + **Files:** 16 16 + - Modify: `packages/hatk/src/oauth/server.ts:70-92` (after key initialization) 17 17 + 18 18 + **Step 1: Add cookie creation and parsing functions** 19 19 + 20 20 + Add after the `initOAuth` function (after line ~93). These use the existing `serverPrivateKey` from the module scope: 21 21 + 22 22 + ```typescript 23 23 + // --- SSR Session Cookie --- 24 24 + 25 25 + let _sessionCookieName = '__hatk_session' 26 26 + const SESSION_COOKIE_MAX_AGE = 30 * 24 * 60 * 60 // 30 days in seconds 27 27 + 28 28 + export function setSessionCookieName(name: string): void { 29 29 + _sessionCookieName = name 30 30 + } 31 31 + 32 32 + export function getSessionCookieName(): string { 33 33 + return _sessionCookieName 34 34 + } 35 35 + 36 36 + export async function createSessionCookie(did: string): Promise<string> { 37 37 + const timestamp = Math.floor(Date.now() / 1000) 38 38 + const payload = `${did}.${timestamp}` 39 39 + const key = await crypto.subtle.importKey( 40 40 + 'raw', 41 41 + new TextEncoder().encode(JSON.stringify(serverPrivateJwk)), 42 42 + { name: 'HMAC', hash: 'SHA-256' }, 43 43 + false, 44 44 + ['sign'], 45 45 + ) 46 46 + const sig = await crypto.subtle.sign('HMAC', key, new TextEncoder().encode(payload)) 47 47 + const signature = base64UrlEncode(new Uint8Array(sig)) 48 48 + return `${payload}.${signature}` 49 49 + } 50 50 + 51 51 + export function sessionCookieHeader(value: string, secure: boolean): string { 52 52 + const parts = [ 53 53 + `${_sessionCookieName}=${value}`, 54 54 + 'HttpOnly', 55 55 + 'SameSite=Lax', 56 56 + 'Path=/', 57 57 + `Max-Age=${SESSION_COOKIE_MAX_AGE}`, 58 58 + ] 59 59 + if (secure) parts.push('Secure') 60 60 + return parts.join('; ') 61 61 + } 62 62 + 63 63 + export function clearSessionCookieHeader(): string { 64 64 + return `${_sessionCookieName}=; HttpOnly; SameSite=Lax; Path=/; Max-Age=0` 65 65 + } 66 66 + 67 67 + export async function parseSessionCookie(request: Request): Promise<{ did: string } | null> { 68 68 + const cookieHeader = request.headers.get('cookie') 69 69 + if (!cookieHeader) return null 70 70 + const match = cookieHeader.split(';').map(c => c.trim()).find(c => c.startsWith(`${_sessionCookieName}=`)) 71 71 + if (!match) return null 72 72 + const value = match.slice(_sessionCookieName.length + 1) 73 73 + const parts = value.split('.') 74 74 + // Format: did:plc:xxx.timestamp.signature — DID contains dots so we take last 2 parts 75 75 + if (parts.length < 3) return null 76 76 + const signature = parts.pop()! 77 77 + const timestamp = parts.pop()! 78 78 + const did = parts.join('.') 79 79 + const ts = Number(timestamp) 80 80 + if (isNaN(ts) || (Date.now() / 1000 - ts) > SESSION_COOKIE_MAX_AGE) return null 81 81 + // Verify HMAC 82 82 + const payload = `${did}.${timestamp}` 83 83 + const key = await crypto.subtle.importKey( 84 84 + 'raw', 85 85 + new TextEncoder().encode(JSON.stringify(serverPrivateJwk)), 86 86 + { name: 'HMAC', hash: 'SHA-256' }, 87 87 + false, 88 88 + ['verify'], 89 89 + ) 90 90 + const sigBytes = base64UrlDecode(signature) 91 91 + const valid = await crypto.subtle.verify('HMAC', key, sigBytes, new TextEncoder().encode(payload)) 92 92 + if (!valid) return null 93 93 + return { did } 94 94 + } 95 95 + ``` 96 96 + 97 97 + Note: `base64UrlEncode` and `base64UrlDecode` are already imported from `./crypto.ts` (line 14). 98 98 + 99 99 + **Step 2: Build and verify** 100 100 + 101 101 + Run: `cd /Users/chadmiller/code/hatk/.worktrees/server-directory && npm run build` 102 102 + Expected: Clean build 103 103 + 104 104 + --- 105 105 + 106 106 + ### Task 2: Return DID from handleCallback 107 107 + 108 108 + **Files:** 109 109 + - Modify: `packages/hatk/src/oauth/server.ts:324-449` 110 110 + 111 111 + **Step 1: Add `did` to the return type and value** 112 112 + 113 113 + The `handleCallback` function (line 324) currently returns `{ requestUri, clientRedirectUri, clientState }`. Add `did`: 114 114 + 115 115 + Change line 329: 116 116 + ```typescript 117 117 + ): Promise<{ requestUri: string; clientRedirectUri: string; clientState: string | null; did: string }> { 118 118 + ``` 119 119 + 120 120 + Change line 449: 121 121 + ```typescript 122 122 + return { requestUri: request.request_uri, clientRedirectUri, clientState: request.state, did } 123 123 + ``` 124 124 + 125 125 + **Step 2: Build and verify** 126 126 + 127 127 + Run: `npm run build` 128 128 + Expected: Clean build 129 129 + 130 130 + --- 131 131 + 132 132 + ### Task 3: Set Cookie on OAuth Callback 133 133 + 134 134 + **Files:** 135 135 + - Modify: `packages/hatk/src/server.ts:660-670` 136 136 + 137 137 + **Step 1: Import new cookie functions** 138 138 + 139 139 + Add to the existing import from `./oauth/server.ts` (line 34-45): 140 140 + 141 141 + ```typescript 142 142 + import { 143 143 + // ... existing imports ... 144 144 + createSessionCookie, 145 145 + sessionCookieHeader, 146 146 + clearSessionCookieHeader, 147 147 + parseSessionCookie, 148 148 + setSessionCookieName, 149 149 + } from './oauth/server.ts' 150 150 + ``` 151 151 + 152 152 + **Step 2: Set cookie on callback redirect** 153 153 + 154 154 + Replace lines 666-667: 155 155 + ```typescript 156 156 + const result = await handleCallback(oauth, code, state, iss) 157 157 + return new Response(null, { status: 302, headers: { Location: result.clientRedirectUri } }) 158 158 + ``` 159 159 + 160 160 + With: 161 161 + ```typescript 162 162 + const result = await handleCallback(oauth, code, state, iss) 163 163 + const isSecure = requestOrigin.startsWith('https') 164 164 + const cookie = await createSessionCookie(result.did) 165 165 + return new Response(null, { 166 166 + status: 302, 167 167 + headers: [ 168 168 + ['Location', result.clientRedirectUri], 169 169 + ['Set-Cookie', sessionCookieHeader(cookie, isSecure)], 170 170 + ], 171 171 + }) 172 172 + ``` 173 173 + 174 174 + **Step 3: Build and verify** 175 175 + 176 176 + Run: `npm run build` 177 177 + Expected: Clean build 178 178 + 179 179 + --- 180 180 + 181 181 + ### Task 4: Add POST /auth/logout Route 182 182 + 183 183 + **Files:** 184 184 + - Modify: `packages/hatk/src/server.ts` (add after the `/oauth/callback` block, around line 670) 185 185 + 186 186 + **Step 1: Add the logout route** 187 187 + 188 188 + After the OAuth callback block (after line ~670, before the `/oauth/token` block): 189 189 + 190 190 + ```typescript 191 191 + // Session cookie logout 192 192 + if (url.pathname === '/auth/logout' && request.method === 'POST') { 193 193 + return new Response(null, { 194 194 + status: 200, 195 195 + headers: { 'Set-Cookie': clearSessionCookieHeader() }, 196 196 + }) 197 197 + } 198 198 + ``` 199 199 + 200 200 + **Step 2: Configure cookie name from oauth config** 201 201 + 202 202 + In the `createHandler` function, after `oauth` is set up (look for where `initOAuth` or oauth config is used), add cookie name configuration. In `createHandler` (around line 160-170), add: 203 203 + 204 204 + ```typescript 205 205 + if (oauth?.cookieName) { 206 206 + setSessionCookieName(oauth.cookieName) 207 207 + } 208 208 + ``` 209 209 + 210 210 + This requires adding `cookieName?: string` to the `OAuthConfig` type in `config.ts`. 211 211 + 212 212 + **Step 3: Build and verify** 213 213 + 214 214 + Run: `npm run build` 215 215 + Expected: Clean build 216 216 + 217 217 + --- 218 218 + 219 219 + ### Task 5: Add cookieName to OAuthConfig 220 220 + 221 221 + **Files:** 222 222 + - Modify: `packages/hatk/src/config.ts` (find OAuthConfig type) 223 223 + 224 224 + **Step 1: Add the optional field** 225 225 + 226 226 + Find the `OAuthConfig` interface/type and add: 227 227 + 228 228 + ```typescript 229 229 + cookieName?: string 230 230 + ``` 231 231 + 232 232 + **Step 2: Build and verify** 233 233 + 234 234 + Run: `npm run build` 235 235 + Expected: Clean build 236 236 + 237 237 + --- 238 238 + 239 239 + ### Task 6: Forward Cookie Header in Vite SSR Middleware 240 240 + 241 241 + **Files:** 242 242 + - Modify: `packages/hatk/src/vite-plugin.ts:186-191` 243 243 + 244 244 + **Step 1: Pass cookies to Request** 245 245 + 246 246 + Change line 188 from: 247 247 + ```typescript 248 248 + const request = new Request(fullUrl.href) 249 249 + ``` 250 250 + 251 251 + To: 252 252 + ```typescript 253 253 + const headers: Record<string, string> = {} 254 254 + if (req.headers.cookie) headers.cookie = req.headers.cookie 255 255 + const request = new Request(fullUrl.href, { headers }) 256 256 + ``` 257 257 + 258 258 + **Step 2: Build and verify** 259 259 + 260 260 + Run: `npm run build` 261 261 + Expected: Clean build 262 262 + 263 263 + --- 264 264 + 265 265 + ### Task 7: Resolve Viewer and Set globalThis in Vite SSR 266 266 + 267 267 + **Files:** 268 268 + - Modify: `packages/hatk/src/vite-plugin.ts:118-125` (module loading section) 269 269 + - Modify: `packages/hatk/src/vite-plugin.ts:188-195` (SSR render section) 270 270 + - Modify: `packages/hatk/src/dev-entry.ts:99-101` (exports) 271 271 + 272 272 + **Step 1: Export parseSessionCookie from dev-entry.ts** 273 273 + 274 274 + Add to the exports at the bottom of `dev-entry.ts`: 275 275 + 276 276 + ```typescript 277 277 + export { parseSessionCookie } from './oauth/server.ts' 278 278 + ``` 279 279 + 280 280 + **Step 2: Capture parseSessionCookie from module runner** 281 281 + 282 282 + In `vite-plugin.ts`, after line 125 (`(globalThis as any).__hatk_callXrpc = mod.callXrpc`), add: 283 283 + 284 284 + ```typescript 285 285 + // Capture cookie parser for SSR viewer resolution 286 286 + ssrParseSessionCookie = mod.parseSessionCookie 287 287 + ``` 288 288 + 289 289 + Add the variable declaration near the top of `configureServer` (near the other `let` declarations like `handler`, `ssrRenderPage`): 290 290 + 291 291 + ```typescript 292 292 + let ssrParseSessionCookie: ((request: Request) => Promise<{ did: string } | null>) | null = null 293 293 + ``` 294 294 + 295 295 + **Step 3: Set globalThis.__hatk_viewer before render, clear after** 296 296 + 297 297 + In the SSR middleware, after creating the `request` object and before calling `ssrRenderPage`, add viewer resolution: 298 298 + 299 299 + ```typescript 300 300 + // Resolve viewer from session cookie for SSR 301 301 + let viewer: { did: string } | null = null 302 302 + if (ssrParseSessionCookie) { 303 303 + try { 304 304 + viewer = await ssrParseSessionCookie(request) 305 305 + } catch {} 306 306 + } 307 307 + ;(globalThis as any).__hatk_viewer = viewer 308 308 + try { 309 309 + const renderedHtml = await ssrRenderPage!(template, request) 310 310 + // ... existing code ... 311 311 + } finally { 312 312 + ;(globalThis as any).__hatk_viewer = null 313 313 + } 314 314 + ``` 315 315 + 316 316 + This replaces the current `const renderedHtml = await ssrRenderPage!(template, request)` call (line 191) with a try/finally block. 317 317 + 318 318 + **Step 4: Build and verify** 319 319 + 320 320 + Run: `npm run build` 321 321 + Expected: Clean build 322 322 + 323 323 + --- 324 324 + 325 325 + ### Task 8: Thread Viewer Through callXrpc 326 326 + 327 327 + **Files:** 328 328 + - Modify: `packages/hatk/src/xrpc.ts:310-330` 329 329 + 330 330 + **Step 1: Pass viewer from globalThis in both paths** 331 331 + 332 332 + Replace lines 317-327: 333 333 + 334 334 + ```typescript 335 335 + // In externalized module context (e.g. SSR), delegate to the runner's callXrpc via globalThis. 336 336 + // The runner's module instance has all registered handlers; this (Node's) instance may not. 337 337 + if (handlers.size === 0 && (globalThis as any).__hatk_callXrpc) { 338 338 + return (globalThis as any).__hatk_callXrpc(nsid, params, input) 339 339 + } 340 340 + const stringParams: Record<string, string> = {} 341 341 + for (const [k, v] of Object.entries(params)) { 342 342 + if (v != null) stringParams[k] = String(v) 343 343 + } 344 344 + const limit = params.limit ? Number(params.limit) : 20 345 345 + const cursor = params.cursor ?? undefined 346 346 + const result = await executeXrpc(nsid, stringParams, cursor, limit, null, input) 347 347 + ``` 348 348 + 349 349 + With: 350 350 + 351 351 + ```typescript 352 352 + const viewer = (globalThis as any).__hatk_viewer ?? null 353 353 + // In externalized module context (e.g. SSR), delegate to the runner's callXrpc via globalThis. 354 354 + // The runner's module instance has all registered handlers; this (Node's) instance may not. 355 355 + if (handlers.size === 0 && (globalThis as any).__hatk_callXrpc) { 356 356 + return (globalThis as any).__hatk_callXrpc(nsid, params, input) 357 357 + } 358 358 + const stringParams: Record<string, string> = {} 359 359 + for (const [k, v] of Object.entries(params)) { 360 360 + if (v != null) stringParams[k] = String(v) 361 361 + } 362 362 + const limit = params.limit ? Number(params.limit) : 20 363 363 + const cursor = params.cursor ?? undefined 364 364 + const result = await executeXrpc(nsid, stringParams, cursor, limit, viewer, input) 365 365 + ``` 366 366 + 367 367 + Note: The bridge path (`__hatk_callXrpc`) calls the runner's `callXrpc`, which will also read `globalThis.__hatk_viewer` — so both paths get the viewer. 368 368 + 369 369 + **Step 2: Build and verify** 370 370 + 371 371 + Run: `npm run build` 372 372 + Expected: Clean build 373 373 + 374 374 + --- 375 375 + 376 376 + ### Task 9: Add getViewer() to Codegen 377 377 + 378 378 + **Files:** 379 379 + - Modify: `packages/hatk/src/cli.ts:1748-1768` 380 380 + 381 381 + **Step 1: Add getViewer() export to generated client file** 382 382 + 383 383 + After the `callXrpc` function generation (after line 1768, before `writeFileSync`), add: 384 384 + 385 385 + ```typescript 386 386 + clientOut += `\nexport function getViewer(): { did: string } | null {\n` 387 387 + clientOut += ` if (typeof window === 'undefined') {\n` 388 388 + clientOut += ` return (globalThis as any).__hatk_viewer ?? null\n` 389 389 + clientOut += ` }\n` 390 390 + clientOut += ` // Client-side: delegate to OAuth client\n` 391 391 + clientOut += ` try {\n` 392 392 + clientOut += ` const mod = (globalThis as any).__hatk_auth\n` 393 393 + clientOut += ` if (mod?.viewerDid) {\n` 394 394 + clientOut += ` const did = mod.viewerDid()\n` 395 395 + clientOut += ` return did ? { did } : null\n` 396 396 + clientOut += ` }\n` 397 397 + clientOut += ` } catch {}\n` 398 398 + clientOut += ` return null\n` 399 399 + clientOut += `}\n` 400 400 + ``` 401 401 + 402 402 + Note: The client-side path reads from `globalThis.__hatk_auth` — templates wire this up by setting `(globalThis as any).__hatk_auth = { viewerDid }` in their auth module. This avoids the generated file importing template-specific auth code. 403 403 + 404 404 + **Step 2: Build and verify** 405 405 + 406 406 + Run: `npm run build` 407 407 + Expected: Clean build 408 408 + 409 409 + --- 410 410 + 411 411 + ### Task 10: Test End-to-End with Statusphere Template 412 412 + 413 413 + **Step 1: Regenerate client types** 414 414 + 415 415 + ```bash 416 416 + cd /Users/chadmiller/code/hatk-template-statusphere 417 417 + node /Users/chadmiller/code/hatk/.worktrees/server-directory/packages/hatk/dist/cli.js generate types 418 418 + ``` 419 419 + 420 420 + Verify `hatk.generated.client.ts` now exports `getViewer`. 421 421 + 422 422 + **Step 2: Wire up globalThis.__hatk_auth in template's auth module** 423 423 + 424 424 + In `hatk-template-statusphere/app/lib/auth.ts`, add near the bottom: 425 425 + 426 426 + ```typescript 427 427 + // Expose viewer for SSR getViewer() bridge 428 428 + ;(globalThis as any).__hatk_auth = { viewerDid } 429 429 + ``` 430 430 + 431 431 + **Step 3: Update Home.svelte to use getViewer()** 432 432 + 433 433 + Import `getViewer` from `../hatk.generated.client.ts` and use it to conditionally render auth UI without flash. 434 434 + 435 435 + **Step 4: Run dev server and test** 436 436 + 437 437 + ```bash 438 438 + cd /Users/chadmiller/code/hatk-template-statusphere 439 439 + npm run dev 440 440 + ``` 441 441 + 442 442 + 1. Visit page — should SSR the feed, auth section hidden during SSR 443 443 + 2. Log in — should set `__hatk_session` cookie (check DevTools → Application → Cookies) 444 444 + 3. Refresh page — server should resolve viewer from cookie, SSR authenticated UI 445 445 + 4. Log out — cookie should be cleared

+398

docs/superpowers/plans/2026-03-14-typed-xrpc-actions.md

reviewed

··· 1 1 + # Typed XRPC Actions Implementation Plan 2 2 + 3 3 + > **For Claude:** REQUIRED SUB-SKILL: Use superpowers:executing-plans to implement this plan task-by-task. 4 4 + 5 5 + **Goal:** Make `callXrpc` handle procedures (POST/body) and blob uploads on client and server, with SvelteKit remote functions (`command`) for mutations. 6 6 + 7 7 + **Architecture:** Extract PDS proxy into shared functions. Register write ops as XRPC handlers. Update codegen for procedure-aware `callXrpc`. Update `getViewer()` to resolve from cookies via `getRequestEvent()`. Template uses `command()` remote functions for mutations. 8 8 + 9 9 + **Tech Stack:** TypeScript, SvelteKit remote functions, AT Protocol OAuth/DPoP 10 10 + 11 11 + --- 12 12 + 13 13 + ### Task 1: Extract PDS proxy logic into pds-proxy.ts 14 14 + 15 15 + **Files:** 16 16 + - Create: `packages/hatk/src/pds-proxy.ts` 17 17 + - Modify: `packages/hatk/src/server.ts` 18 18 + 19 19 + **Step 1: Create pds-proxy.ts** 20 20 + 21 21 + Move `proxyToPds` (server.ts:991-1052) and `proxyToPdsRaw` (server.ts:1055-1114) into a new file `packages/hatk/src/pds-proxy.ts`. Then add four high-level functions that wrap these: 22 22 + 23 23 + ```ts 24 24 + import type { OAuthConfig } from './config.ts' 25 25 + import { getSession } from './oauth/db.ts' 26 26 + import { getServerKey } from './oauth/db.ts' 27 27 + import { createDpopProof } from './oauth/dpop.ts' 28 28 + import { refreshPdsSession } from './oauth/server.ts' 29 29 + import { validateRecord } from '@bigmoves/lexicon' 30 30 + import { getLexiconArray } from './database/schema.ts' 31 31 + import { insertRecord, deleteRecord as dbDeleteRecord } from './database/db.ts' 32 32 + 33 33 + export class ProxyError extends Error { 34 34 + constructor(public status: number, message: string) { 35 35 + super(message) 36 36 + } 37 37 + } 38 38 + ``` 39 39 + 40 40 + Move `proxyToPds` and `proxyToPdsRaw` as-is (private functions). 41 41 + 42 42 + Then add these exported functions: 43 43 + 44 44 + - `pdsCreateRecord(oauthConfig, viewer, input: { collection, repo?, rkey?, record })` — validates record, gets session, proxies to PDS `com.atproto.repo.createRecord`, indexes locally 45 45 + - `pdsDeleteRecord(oauthConfig, viewer, input: { collection, rkey })` — gets session, proxies to PDS `com.atproto.repo.deleteRecord`, deletes locally 46 46 + - `pdsPutRecord(oauthConfig, viewer, input: { collection, rkey, record, repo? })` — validates, gets session, proxies to PDS `com.atproto.repo.putRecord`, re-indexes 47 47 + - `pdsUploadBlob(oauthConfig, viewer, body: Uint8Array, contentType: string)` — gets session, proxies raw to PDS `com.atproto.repo.uploadBlob` 48 48 + 49 49 + All throw `ProxyError` on auth/validation/PDS errors. 50 50 + 51 51 + Reference the existing server.ts route handlers (lines 726-848) for exact logic — each function is a direct extraction of that code. 52 52 + 53 53 + **Step 2: Update server.ts HTTP routes to use shared functions** 54 54 + 55 55 + Import `{ pdsCreateRecord, pdsDeleteRecord, pdsPutRecord, pdsUploadBlob, ProxyError }` from `./pds-proxy.ts`. 56 56 + 57 57 + Replace each HTTP route handler body (createRecord ~727-763, deleteRecord ~766-792, putRecord ~795-831, uploadBlob ~834-848) with: 58 58 + 59 59 + ```ts 60 60 + if (!viewer) return withCors(jsonError(401, 'Authentication required', acceptEncoding)) 61 61 + const body = JSON.parse(await request.text()) 62 62 + try { 63 63 + const result = await pdsCreateRecord(oauth, viewer, body) 64 64 + return withCors(json(result, 200, acceptEncoding)) 65 65 + } catch (err: any) { 66 66 + if (err instanceof ProxyError) return withCors(jsonError(err.status, err.message, acceptEncoding)) 67 67 + throw err 68 68 + } 69 69 + ``` 70 70 + 71 71 + (Adjust per endpoint — uploadBlob reads `request.arrayBuffer()` and passes content-type.) 72 72 + 73 73 + Delete the now-unused `proxyToPds` and `proxyToPdsRaw` from the bottom of server.ts. Remove any imports that are now only used by the deleted functions (check `getServerKey`, `createDpopProof` — they may still be used by admin proxy or elsewhere). 74 74 + 75 75 + **Step 3: Verify** 76 76 + 77 77 + Run: `npm run build` 78 78 + 79 79 + **Step 4: Commit** 80 80 + 81 81 + ``` 82 82 + refactor: extract PDS proxy logic into shared pds-proxy.ts 83 83 + ``` 84 84 + 85 85 + --- 86 86 + 87 87 + ### Task 2: Register write operations as core XRPC handlers 88 88 + 89 89 + **Files:** 90 90 + - Modify: `packages/hatk/src/server.ts:67-149` (registerCoreHandlers) 91 91 + - Modify: `packages/hatk/src/main.ts:117` 92 92 + - Modify: `packages/hatk/src/dev-entry.ts:61` 93 93 + 94 94 + **Step 1: Add oauth parameter to registerCoreHandlers** 95 95 + 96 96 + Change signature at server.ts:67: 97 97 + 98 98 + ```ts 99 99 + export function registerCoreHandlers(collections: string[], oauth: OAuthConfig | null): void { 100 100 + ``` 101 101 + 102 102 + Add import for `OAuthConfig` type if needed. 103 103 + 104 104 + **Step 2: Register write handlers at end of registerCoreHandlers** 105 105 + 106 106 + ```ts 107 107 + if (oauth) { 108 108 + registerCoreXrpcHandler('dev.hatk.createRecord', async (_params, _cursor, _limit, viewer, input) => { 109 109 + if (!viewer) throw new InvalidRequestError('Authentication required') 110 110 + return pdsCreateRecord(oauth, viewer, input as any) 111 111 + }) 112 112 + registerCoreXrpcHandler('dev.hatk.deleteRecord', async (_params, _cursor, _limit, viewer, input) => { 113 113 + if (!viewer) throw new InvalidRequestError('Authentication required') 114 114 + return pdsDeleteRecord(oauth, viewer, input as any) 115 115 + }) 116 116 + registerCoreXrpcHandler('dev.hatk.putRecord', async (_params, _cursor, _limit, viewer, input) => { 117 117 + if (!viewer) throw new InvalidRequestError('Authentication required') 118 118 + return pdsPutRecord(oauth, viewer, input as any) 119 119 + }) 120 120 + registerCoreXrpcHandler('dev.hatk.uploadBlob', async (_params, _cursor, _limit, viewer, input) => { 121 121 + if (!viewer) throw new InvalidRequestError('Authentication required') 122 122 + return pdsUploadBlob(oauth, viewer, input as any, 'application/octet-stream') 123 123 + }) 124 124 + } 125 125 + ``` 126 126 + 127 127 + **Step 3: Update call sites** 128 128 + 129 129 + - `main.ts:117`: `registerCoreHandlers(collections, config.oauth)` 130 130 + - `dev-entry.ts:61`: `registerCoreHandlers(collections, <oauth variable>)` — check what the oauth config variable is named in dev-entry.ts 131 131 + 132 132 + **Step 4: Verify** 133 133 + 134 134 + Run: `npm run build` 135 135 + 136 136 + **Step 5: Commit** 137 137 + 138 138 + ``` 139 139 + feat: register write operations as core XRPC handlers 140 140 + ``` 141 141 + 142 142 + --- 143 143 + 144 144 + ### Task 3: Update codegen for procedure-aware callXrpc 145 145 + 146 146 + **Files:** 147 147 + - Modify: `packages/hatk/src/cli.ts:1718-1787` 148 148 + 149 149 + **Step 1: Collect procedure and blob nsids** 150 150 + 151 151 + After the entries loop (~line 1425), add: 152 152 + 153 153 + ```ts 154 154 + const procedureNsids: string[] = [] 155 155 + const blobInputNsids: string[] = [] 156 156 + for (const { nsid, defType } of entries) { 157 157 + if (defType === 'procedure') { 158 158 + const lex = lexicons.get(nsid) 159 159 + const inputEncoding = lex?.defs?.main?.input?.encoding 160 160 + if (inputEncoding === '*/*') { 161 161 + blobInputNsids.push(nsid) 162 162 + } else { 163 163 + procedureNsids.push(nsid) 164 164 + } 165 165 + } 166 166 + } 167 167 + ``` 168 168 + 169 169 + **Step 2: Replace callXrpc generation block** 170 170 + 171 171 + Replace lines ~1748-1769 with new code that: 172 172 + 173 173 + 1. Emits `const _procedures = new Set([...])` and `const _blobInputs = new Set([...])` 174 174 + 2. Uses `CallArg<K>` type instead of `ExtractParams` — resolves `input` for procedures, `params` for queries 175 175 + 3. Server-side bridge: procedures pass `(nsid, {}, arg)`, queries pass `(nsid, arg)` 176 176 + 4. Client-side: blob inputs POST raw with `blob.type`, procedures POST JSON, queries GET with query params 177 177 + 178 178 + Delete the old `ExtractParams` type emission. 179 179 + 180 180 + **Step 3: Update getViewer() to resolve from cookies** 181 181 + 182 182 + In the `getViewer()` generation block (~lines 1771-1785), update the server-side path to try `getRequestEvent()` cookies: 183 183 + 184 184 + ```ts 185 185 + clientOut += `\nexport function getViewer(): { did: string } | null {\n` 186 186 + clientOut += ` const ssrViewer = (globalThis as any).__hatk_viewer\n` 187 187 + clientOut += ` if (typeof window === 'undefined') {\n` 188 188 + clientOut += ` if (ssrViewer) return ssrViewer\n` 189 189 + clientOut += ` // Try resolving from request cookies (SvelteKit remote functions, load, etc.)\n` 190 190 + clientOut += ` try {\n` 191 191 + clientOut += ` const { getRequestEvent } = require('$app/server')\n` 192 192 + clientOut += ` const event = getRequestEvent()\n` 193 193 + clientOut += ` const cookieValue = event.cookies.get('__hatk_session')\n` 194 194 + clientOut += ` // parseSessionCookie is sync-incompatible, so we can't call it here.\n` 195 195 + clientOut += ` // The viewer should be set via layout.server.ts instead.\n` 196 196 + clientOut += ` } catch {}\n` 197 197 + clientOut += ` return null\n` 198 198 + clientOut += ` }\n` 199 199 + ``` 200 200 + 201 201 + Wait — `parseSessionCookie` is async. `getViewer()` is sync. We can't call it. 202 202 + 203 203 + **Revised approach:** Keep `getViewer()` sync. The viewer is already set on `globalThis.__hatk_viewer` by the layout.server.ts load function. Remote functions run in the same request context, so the viewer set during layout load is available. No change needed to `getViewer()` — it already works. 204 204 + 205 205 + Verify: in the statusphere template's `+layout.server.ts`, the load function sets `(globalThis as any).__hatk_viewer = viewer`. Since remote functions run server-side in the same request lifecycle, `getViewer()` will pick it up from `globalThis.__hatk_viewer`. 206 206 + 207 207 + **Actually** — `globalThis` is shared across all requests on the server. Setting `__hatk_viewer` in one request's layout load would leak to another request. This is a race condition. 208 208 + 209 209 + **Better approach:** Make `getViewer()` async on the server and use the `__hatk_parseSessionCookie` bridge with `getRequestEvent()`: 210 210 + 211 211 + ```ts 212 212 + clientOut += `\nexport async function getViewer(): Promise<{ did: string } | null> {\n` 213 213 + clientOut += ` if (typeof window === 'undefined') {\n` 214 214 + clientOut += ` try {\n` 215 215 + clientOut += ` const parse = (globalThis as any).__hatk_parseSessionCookie\n` 216 216 + clientOut += ` if (parse) {\n` 217 217 + clientOut += ` const { getRequestEvent } = await import('$app/server')\n` 218 218 + clientOut += ` const event = getRequestEvent()\n` 219 219 + clientOut += ` const cookieValue = event.cookies.get('__hatk_session')\n` 220 220 + clientOut += ` if (cookieValue) {\n` 221 221 + clientOut += ` const request = new Request('http://localhost', {\n` 222 222 + clientOut += ` headers: { cookie: \`__hatk_session=\${cookieValue}\` },\n` 223 223 + clientOut += ` })\n` 224 224 + clientOut += ` return parse(request)\n` 225 225 + clientOut += ` }\n` 226 226 + clientOut += ` }\n` 227 227 + clientOut += ` } catch {}\n` 228 228 + clientOut += ` return (globalThis as any).__hatk_viewer ?? null\n` 229 229 + clientOut += ` }\n` 230 230 + clientOut += ` try {\n` 231 231 + clientOut += ` const mod = (globalThis as any).__hatk_auth\n` 232 232 + clientOut += ` if (mod?.viewerDid) {\n` 233 233 + clientOut += ` const did = mod.viewerDid()\n` 234 234 + clientOut += ` if (did) return { did }\n` 235 235 + clientOut += ` }\n` 236 236 + clientOut += ` } catch {}\n` 237 237 + clientOut += ` return (globalThis as any).__hatk_viewer ?? null\n` 238 238 + clientOut += `}\n` 239 239 + ``` 240 240 + 241 241 + This changes `getViewer()` from sync to async. Update any existing usages. The `+layout.server.ts` in the template already has its own cookie parsing, so this mainly benefits remote functions. 242 242 + 243 243 + **Note:** The `import('$app/server')` will fail in non-SvelteKit contexts. The `try/catch` handles that gracefully, falling back to `__hatk_viewer`. 244 244 + 245 245 + **Step 4: Verify** 246 246 + 247 247 + Run: `npm run build` 248 248 + 249 249 + **Step 5: Commit** 250 250 + 251 251 + ``` 252 252 + feat: codegen emits procedure-aware callXrpc with async getViewer 253 253 + ``` 254 254 + 255 255 + --- 256 256 + 257 257 + ### Task 4: Enable remote functions in statusphere template 258 258 + 259 259 + **Files:** 260 260 + - Modify: `/Users/chadmiller/code/hatk-template-statusphere/svelte.config.js` 261 261 + - Create: `/Users/chadmiller/code/hatk-template-statusphere/app/routes/status.remote.ts` 262 262 + - Modify: `/Users/chadmiller/code/hatk-template-statusphere/app/routes/+page.svelte` 263 263 + 264 264 + **Step 1: Enable experimental remote functions** 265 265 + 266 266 + In `svelte.config.js`, add: 267 267 + 268 268 + ```js 269 269 + export default { 270 270 + compilerOptions: { 271 271 + experimental: { 272 272 + async: true, 273 273 + }, 274 274 + }, 275 275 + kit: { 276 276 + adapter: adapter(), 277 277 + files: { src: 'app' }, 278 278 + alias: { 279 279 + $hatk: './hatk.generated.ts', 280 280 + '$hatk/client': './hatk.generated.client.ts', 281 281 + }, 282 282 + experimental: { 283 283 + remoteFunctions: true, 284 284 + }, 285 285 + }, 286 286 + } 287 287 + ``` 288 288 + 289 289 + **Step 2: Regenerate client file** 290 290 + 291 291 + Run in template: `npx hatk generate` 292 292 + 293 293 + Verify `hatk.generated.client.ts` has `_procedures` set and updated `callXrpc`. 294 294 + 295 295 + **Step 3: Create remote functions file** 296 296 + 297 297 + Create `app/routes/status.remote.ts`: 298 298 + 299 299 + ```ts 300 300 + import { command } from '$app/server' 301 301 + import { callXrpc, getViewer } from '$hatk/client' 302 302 + 303 303 + export const createStatus = command(async (emoji: string) => { 304 304 + const viewer = await getViewer() 305 305 + if (!viewer) throw new Error('Not authenticated') 306 306 + return callXrpc('dev.hatk.createRecord', { 307 307 + collection: 'xyz.statusphere.status' as const, 308 308 + repo: viewer.did, 309 309 + record: { status: emoji, createdAt: new Date().toISOString() }, 310 310 + }) 311 311 + }) 312 312 + 313 313 + export const deleteStatus = command(async (rkey: string) => { 314 314 + const viewer = await getViewer() 315 315 + if (!viewer) throw new Error('Not authenticated') 316 316 + return callXrpc('dev.hatk.deleteRecord', { 317 317 + collection: 'xyz.statusphere.status' as const, 318 318 + rkey, 319 319 + }) 320 320 + }) 321 321 + ``` 322 322 + 323 323 + **Step 4: Update +page.svelte to use remote functions** 324 324 + 325 325 + Import remote functions: 326 326 + ```ts 327 327 + import { createStatus, deleteStatus } from './status.remote' 328 328 + ``` 329 329 + 330 330 + Remove the manual `xrpc()` helper function. 331 331 + 332 332 + Remove the local `createStatus()` and `deleteStatus()` functions and replace with calls to the imported remote functions: 333 333 + 334 334 + ```ts 335 335 + async function handleCreateStatus(emoji: string) { 336 336 + if (isMutating) return 337 337 + const did = data.viewer!.did 338 338 + const profile = viewerProfile 339 339 + 340 340 + const optimisticItem: StatusView = { 341 341 + uri: `at://${did}/xyz.statusphere.status/optimistic-${Date.now()}`, 342 342 + status: emoji, 343 343 + createdAt: new Date().toISOString(), 344 344 + author: { did, handle: profile?.handle || did, displayName: profile?.displayName }, 345 345 + } 346 346 + items = [optimisticItem, ...items] 347 347 + isMutating = true 348 348 + 349 349 + try { 350 350 + const res = await createStatus(emoji) 351 351 + items = items.map(i => i.uri === optimisticItem.uri ? { ...optimisticItem, uri: res.uri! } : i) 352 352 + } catch { 353 353 + items = items.filter(i => i.uri !== optimisticItem.uri) 354 354 + } finally { 355 355 + isMutating = false 356 356 + } 357 357 + } 358 358 + 359 359 + async function handleDeleteStatus(uri: string) { 360 360 + if (isMutating) return 361 361 + const removed = items.find(i => i.uri === uri) 362 362 + items = items.filter(i => i.uri !== uri) 363 363 + isMutating = true 364 364 + 365 365 + try { 366 366 + await deleteStatus(uri.split('/').pop()!) 367 367 + } catch { 368 368 + if (removed) items = [removed, ...items] 369 369 + } finally { 370 370 + isMutating = false 371 371 + } 372 372 + } 373 373 + ``` 374 374 + 375 375 + Update onclick handlers in template to use `handleCreateStatus` and `handleDeleteStatus`. 376 376 + 377 377 + Keep `loadMore` using client-side `callXrpc` directly (it's a query, not a mutation). 378 378 + 379 379 + **Step 5: Rebuild hatk and re-link** 380 380 + 381 381 + ```bash 382 382 + cd /path/to/hatk && npm run build 383 383 + cd /path/to/statusphere && npm link @hatk/hatk 384 384 + ``` 385 385 + 386 386 + **Step 6: Manual test** 387 387 + 388 388 + Start dev server and test: 389 389 + 1. Sign in via OAuth 390 390 + 2. Create a status (should use remote function → server-side callXrpc) 391 391 + 3. Delete a status 392 392 + 4. Load more (client-side callXrpc query) 393 393 + 394 394 + **Step 7: Commit** 395 395 + 396 396 + ``` 397 397 + feat: use SvelteKit remote functions for statusphere mutations 398 398 + ```

+68

docs/superpowers/specs/2026-03-14-ssr-auth-design.md

reviewed

··· 1 1 + # SSR Auth Design 2 2 + 3 3 + ## Context 4 4 + 5 5 + hatk apps use DPoP-bound JWT auth for API requests, managed by `@hatk/oauth-client` in the browser. During SSR, the server has no way to identify the viewer — the Vite SSR middleware creates a bare `Request` with no headers, and DPoP tokens don't travel with page navigations. This causes a flash: the server renders the "Sign in" form, then the client hydrates and swaps in the authenticated UI. 6 6 + 7 7 + ## Goals 8 8 + 9 9 + 1. Server knows the viewer during SSR — no auth UI flash 10 10 + 2. `callXrpc` during SSR is automatically authenticated 11 11 + 3. Framework-agnostic — works with Svelte, React, Vue 12 12 + 4. No new database tables or dependencies 13 13 + 5. Coexists with existing client-side OAuth 14 14 + 15 15 + ## Design 16 16 + 17 17 + ### Cookie Lifecycle 18 18 + 19 19 + During the OAuth callback (`/oauth/callback`), after storing the PDS session, the server sets an `HttpOnly` cookie. The cookie value is a signed token: `did.timestamp.signature` — the user's DID, a Unix timestamp (seconds), and an HMAC-SHA256 signature using the server's existing OAuth keypair. 20 20 + 21 21 + Cookie attributes: 22 22 + - `HttpOnly` — not accessible to JavaScript 23 23 + - `Secure` — HTTPS only in production 24 24 + - `SameSite=Lax` — sent on navigations, not cross-site requests 25 25 + - `Path=/` 26 26 + - `Max-Age=2592000` (30 days) 27 27 + 28 28 + Cookie name defaults to `__hatk_session`. Configurable via `oauth: { cookieName: 'my_app_session' }` in `hatk.config.ts` for apps sharing a domain. 29 29 + 30 30 + A new `POST /auth/logout` endpoint clears the cookie (`Max-Age=0`). 31 31 + 32 32 + On SSR requests, the server parses the cookie, verifies the signature, checks the timestamp isn't expired, and extracts the DID. Invalid or missing cookie → `viewer = null`. No DB lookup needed. 33 33 + 34 34 + ### Threading the Viewer Through SSR 35 35 + 36 36 + The Vite plugin SSR middleware forwards the `Cookie` header when constructing the Request (currently creates a bare `new Request(url)`). 37 37 + 38 38 + Before calling `renderPage`, the server resolves the viewer from the cookie and sets `globalThis.__hatk_viewer = viewer` (where viewer is `{ did: string } | null`). After rendering, it clears `globalThis.__hatk_viewer` to prevent leaking between requests. 39 39 + 40 40 + `callXrpc` in the globalThis bridge automatically picks up `globalThis.__hatk_viewer` and passes it to handlers. Template code doesn't change — `await callXrpc('dev.hatk.getFeed', { feed: 'mine' })` just works with auth context. 41 41 + 42 42 + ### Component Access 43 43 + 44 44 + The generated `hatk.generated.client.ts` exports a `getViewer()` function: 45 45 + - During SSR: reads `globalThis.__hatk_viewer` 46 46 + - In the browser: delegates to the OAuth client's `viewerDid()` 47 47 + 48 48 + Components use `getViewer()` to conditionally render auth UI. The server already knows if you're logged in, so no flash. 49 49 + 50 50 + ### Always On 51 51 + 52 52 + If OAuth is configured, the session cookie is always set during callback. Templates that don't use `getViewer()` during SSR just never read it. No config flag needed to enable — you use it or you don't. 53 53 + 54 54 + ## What Changes Where 55 55 + 56 56 + - **`oauth/server.ts`** — `createSessionCookie(did, keypair)` and `parseSessionCookie(cookie, keypair)` helpers. HMAC-SHA256 sign/verify. 57 57 + - **`server.ts`** — `/oauth/callback` sets `Set-Cookie` header. New `POST /auth/logout` route. `resolveViewerFromCookie(request)` parses cookie → `{ did } | null`. 58 58 + - **`vite-plugin.ts`** — SSR middleware forwards `Cookie` header in Request. Before render, resolve viewer and set `globalThis.__hatk_viewer`. Clear after render. 59 59 + - **`xrpc.ts`** — `callXrpc` globalThis bridge passes `globalThis.__hatk_viewer` as the viewer argument. 60 60 + - **`cli.ts` (codegen)** — `hatk.generated.client.ts` gets `getViewer()` export. 61 61 + - **`dev-entry.ts`** — Export cookie resolution so vite plugin can call it via module runner. 62 62 + 63 63 + ## Not In Scope 64 64 + 65 65 + - Per-route auth requirements (middleware/guards) 66 66 + - Role-based access control 67 67 + - Cookie refresh/rotation (cookie outlives or matches PDS session) 68 68 + - CSRF protection beyond `SameSite=Lax`

+216

docs/superpowers/specs/2026-03-14-typed-xrpc-actions-design.md

reviewed

··· 1 1 + # Typed XRPC Actions Design 2 2 + 3 3 + **Goal:** Make `callXrpc` handle procedures (POST with JSON body) and blob uploads in addition to queries, working on both client and server (SvelteKit form actions). 4 4 + 5 5 + **Architecture:** Extract PDS proxy logic into shared functions. Register write operations as core XRPC handlers so server-side `callXrpc` works. Update generated client code to detect procedures vs queries and use POST vs GET accordingly. 6 6 + 7 7 + --- 8 8 + 9 9 + ## 1. Generated Client `callXrpc` 10 10 + 11 11 + The codegen in `cli.ts` already knows which lexicons are `type: "procedure"` vs `type: "query"`. Generate two runtime sets in `hatk.generated.client.ts`: 12 12 + 13 13 + ```ts 14 14 + const _procedures = new Set(['dev.hatk.createRecord', 'dev.hatk.deleteRecord', 'dev.hatk.putRecord']) 15 15 + const _blobInputs = new Set(['dev.hatk.uploadBlob']) 16 16 + ``` 17 17 + 18 18 + Update `callXrpc` to branch on these: 19 19 + 20 20 + ```ts 21 21 + type CallArg<K extends keyof XrpcSchema> = 22 22 + XrpcSchema[K] extends { input: infer I } ? I : 23 23 + XrpcSchema[K] extends { params: infer P } ? P : 24 24 + Record<string, unknown> 25 25 + 26 26 + export async function callXrpc<K extends keyof XrpcSchema & string>( 27 27 + nsid: K, 28 28 + arg?: CallArg<K>, 29 29 + ): Promise<OutputOf<K>> { 30 30 + // Server-side bridge (SSR / form actions) 31 31 + if (typeof window === 'undefined') { 32 32 + const bridge = (globalThis as any).__hatk_callXrpc 33 33 + if (bridge) return bridge(nsid, arg) as Promise<OutputOf<K>> 34 34 + throw new Error('callXrpc: server bridge not available') 35 35 + } 36 36 + 37 37 + const url = new URL(`/xrpc/${nsid}`, window.location.origin) 38 38 + 39 39 + // Blob upload: POST raw body 40 40 + if (_blobInputs.has(nsid)) { 41 41 + const blob = arg as Blob | ArrayBuffer 42 42 + const contentType = blob instanceof Blob ? blob.type : 'application/octet-stream' 43 43 + const res = await fetch(url, { 44 44 + method: 'POST', 45 45 + headers: { 'Content-Type': contentType }, 46 46 + body: blob, 47 47 + }) 48 48 + if (!res.ok) throw new Error(`XRPC ${nsid} failed: ${res.status}`) 49 49 + return res.json() as Promise<OutputOf<K>> 50 50 + } 51 51 + 52 52 + // Procedure: POST JSON body 53 53 + if (_procedures.has(nsid)) { 54 54 + const res = await fetch(url, { 55 55 + method: 'POST', 56 56 + headers: { 'Content-Type': 'application/json' }, 57 57 + body: JSON.stringify(arg), 58 58 + }) 59 59 + if (!res.ok) throw new Error(`XRPC ${nsid} failed: ${res.status}`) 60 60 + return res.json() as Promise<OutputOf<K>> 61 61 + } 62 62 + 63 63 + // Query: GET with query params 64 64 + for (const [k, v] of Object.entries(arg || {})) { 65 65 + if (v != null) url.searchParams.set(k, String(v)) 66 66 + } 67 67 + const res = await fetch(url) 68 68 + if (!res.ok) throw new Error(`XRPC ${nsid} failed: ${res.status}`) 69 69 + return res.json() as Promise<OutputOf<K>> 70 70 + } 71 71 + ``` 72 72 + 73 73 + User-defined procedures (via `defineProcedure`) are also included in the `_procedures` set. 74 74 + 75 75 + ## 2. Shared PDS Proxy Functions 76 76 + 77 77 + Extract from `server.ts` into a new file `pds-proxy.ts`: 78 78 + 79 79 + ```ts 80 80 + // packages/hatk/src/pds-proxy.ts 81 81 + 82 82 + export async function proxyCreateRecord( 83 83 + viewer: { did: string }, 84 84 + input: { collection: string; repo: string; record: unknown }, 85 85 + ): Promise<{ uri?: string; cid?: string }> 86 86 + 87 87 + export async function proxyDeleteRecord( 88 88 + viewer: { did: string }, 89 89 + input: { collection: string; rkey: string }, 90 90 + ): Promise<{}> 91 91 + 92 92 + export async function proxyPutRecord( 93 93 + viewer: { did: string }, 94 94 + input: { collection: string; rkey: string; record: unknown; repo?: string }, 95 95 + ): Promise<{ uri?: string; cid?: string }> 96 96 + 97 97 + export async function proxyUploadBlob( 98 98 + viewer: { did: string }, 99 99 + blob: Blob | ArrayBuffer, 100 100 + contentType: string, 101 101 + ): Promise<{ blob: unknown }> 102 102 + ``` 103 103 + 104 104 + Each function: 105 105 + 1. Looks up the viewer's PDS session from the DB 106 106 + 2. Creates a DPoP proof for the PDS endpoint 107 107 + 3. Proxies the request to the PDS 108 108 + 4. Handles DPoP nonce retry 109 109 + 5. Handles token refresh if expired 110 110 + 111 111 + This is the same logic currently in `server.ts` HTTP route handlers, extracted to be reusable. 112 112 + 113 113 + ## 3. Register Write Operations as Core XRPC Handlers 114 114 + 115 115 + In `server.ts` `initServer()`, register alongside existing handlers: 116 116 + 117 117 + ```ts 118 118 + registerCoreXrpcHandler('dev.hatk.createRecord', async (_params, _cursor, _limit, viewer, input) => { 119 119 + if (!viewer) throw new InvalidRequestError('Authentication required') 120 120 + return proxyCreateRecord(viewer, input as any) 121 121 + }) 122 122 + 123 123 + registerCoreXrpcHandler('dev.hatk.deleteRecord', async (_params, _cursor, _limit, viewer, input) => { 124 124 + if (!viewer) throw new InvalidRequestError('Authentication required') 125 125 + return proxyDeleteRecord(viewer, input as any) 126 126 + }) 127 127 + 128 128 + registerCoreXrpcHandler('dev.hatk.putRecord', async (_params, _cursor, _limit, viewer, input) => { 129 129 + if (!viewer) throw new InvalidRequestError('Authentication required') 130 130 + return proxyPutRecord(viewer, input as any) 131 131 + }) 132 132 + 133 133 + registerCoreXrpcHandler('dev.hatk.uploadBlob', async (_params, _cursor, _limit, viewer, input) => { 134 134 + if (!viewer) throw new InvalidRequestError('Authentication required') 135 135 + return proxyUploadBlob(viewer, input as any, 'application/octet-stream') 136 136 + }) 137 137 + ``` 138 138 + 139 139 + The existing HTTP routes in `server.ts` call the same `proxy*` functions but stay in place for direct HTTP access. 140 140 + 141 141 + ## 4. Server-Side Bridge for Procedures 142 142 + 143 143 + The `callXrpc` bridge in `xrpc.ts` already passes `input` through: 144 144 + 145 145 + ```ts 146 146 + export async function callXrpc(nsid, params, input) { 147 147 + // ... 148 148 + const result = await executeXrpc(nsid, stringParams, cursor, limit, viewer, input) 149 149 + } 150 150 + ``` 151 151 + 152 152 + For procedures called via the bridge, `params` will be the input body (since `callXrpc` has a single `arg` parameter). The bridge needs to detect this: if the arg is an object with procedure-shaped data (not query params), pass it as `input` rather than `params`. 153 153 + 154 154 + The simplest approach: the generated client code passes a third argument for procedures: 155 155 + 156 156 + ```ts 157 157 + // In generated client, server-side branch: 158 158 + if (_procedures.has(nsid) || _blobInputs.has(nsid)) { 159 159 + if (bridge) return bridge(nsid, {}, arg) as Promise<OutputOf<K>> 160 160 + } 161 161 + if (bridge) return bridge(nsid, arg) as Promise<OutputOf<K>> 162 162 + ``` 163 163 + 164 164 + This keeps the bridge contract clean — queries pass `(nsid, params)`, procedures pass `(nsid, {}, input)`. 165 165 + 166 166 + ## 5. Template Usage 167 167 + 168 168 + After this change, the statusphere template's `+page.svelte` replaces the manual `xrpc()` helper: 169 169 + 170 170 + ```svelte 171 171 + <script lang="ts"> 172 172 + import { callXrpc } from '$hatk/client' 173 173 + 174 174 + async function createStatus(emoji: string) { 175 175 + await callXrpc('dev.hatk.createRecord', { 176 176 + collection: 'xyz.statusphere.status', 177 177 + repo: did, 178 178 + record: { status: emoji, createdAt: new Date().toISOString() }, 179 179 + }) 180 180 + } 181 181 + 182 182 + async function deleteStatus(uri: string) { 183 183 + await callXrpc('dev.hatk.deleteRecord', { 184 184 + collection: 'xyz.statusphere.status', 185 185 + rkey: uri.split('/').pop()!, 186 186 + }) 187 187 + } 188 188 + </script> 189 189 + ``` 190 190 + 191 191 + And SvelteKit form actions work too: 192 192 + 193 193 + ```ts 194 194 + // +page.server.ts 195 195 + import { callXrpc } from '$hatk/client' 196 196 + 197 197 + export const actions = { 198 198 + create: async ({ request, cookies }) => { 199 199 + const data = await request.formData() 200 200 + await callXrpc('dev.hatk.createRecord', { 201 201 + collection: 'xyz.statusphere.status', 202 202 + repo: viewer.did, 203 203 + record: { status: data.get('emoji'), createdAt: new Date().toISOString() }, 204 204 + }) 205 205 + } 206 206 + } 207 207 + ``` 208 208 + 209 209 + ## Summary of Changes 210 210 + 211 211 + | File | Change | 212 212 + |------|--------| 213 213 + | `cli.ts` (codegen) | Emit `_procedures` and `_blobInputs` sets, update `callXrpc` signature and body in client file | 214 214 + | `pds-proxy.ts` (new) | Extracted PDS proxy functions | 215 215 + | `server.ts` | HTTP routes delegate to `pds-proxy.ts`, register write ops as core XRPC handlers | 216 216 + | `xrpc.ts` | No changes needed (already supports `input` parameter) |