chore: add dockerignore for scripts, local artifacts, and env files

The image previously inherited everything from a `COPY . .`, including
.env (secrets), local notes.db copies, and admin scripts that should
not run in prod containers.

.dockerignore

@@ -0,0 +1,25 @@
+# version control / editor / OS
+.git/
+.gitignore
+.github/
+.idea/
+.vscode/
+.DS_Store
+
+# local SQLite + sidecars (DB lives at /data in the container)
+*.db
+*.db-shm
+*.db-wal
+*.db-journal
+remote-db/
+
+# secrets — provide via the orchestrator's env config, not baked into the image
+.env
+.env.*
+
+# admin / dev-only scripts (run locally, not in prod containers)
+scripts/
+
+# logs and caches
+*.log
+.cache/

deno.json

@@ -5,7 +5,8 @@
     "server": "deno run --watch --allow-net --allow-read --allow-write --allow-env --allow-ffi --unstable-ffi server.ts",
     "server:prod": "deno run --allow-net --allow-read --allow-write --allow-env --allow-ffi --unstable-ffi server.ts",
     "migrate": "deno run --allow-net --allow-read --allow-write --allow-env --allow-ffi --unstable-ffi src/migrations/init.ts",
-    "webhooks": "deno run --allow-net --allow-env scripts/manage-webhooks.ts"
+    "webhooks": "deno run --allow-net --allow-env scripts/manage-webhooks.ts",
+    "webhooks:all": "deno run --allow-net --allow-env scripts/list-all-webhooks.ts"
   },
   "imports": {
     "@db/sqlite": "jsr:@db/sqlite@^0.13.0",

jetstream.ts

@@ -59,7 +59,7 @@ const fireWebhooks = async (
   await dispatchAll(webhooks, payload, `${verb} ${did}`);
 };
 
-const BULK_CREATE_DEBOUNCE_MS = 400;
+const BULK_CREATE_DEBOUNCE_MS = 500;
 
 type BulkBuffer = {
   records: Record<string, unknown>[];
@@ -72,6 +72,7 @@ const flushBulkCreate = async (did: string): Promise<void> => {
   if (!buffer) return;
   bulkBuffers.delete(did);
   const webhooks = getWebhooksByDidAndVerb(did, "bulk-create");
+  log(`[jetstream] bulk-create ${did}: ${buffer.records.length} record(s)`);
   await dispatchAll(
     webhooks,
     { event: "bulk-create", did, records: buffer.records },
@@ -98,10 +99,7 @@ const queueBulkCreate = (
   }
   bulkBuffers.set(did, {
     records: [record],
-    timer: setTimeout(
+    timer: setTimeout(() => flushBulkCreate(did), BULK_CREATE_DEBOUNCE_MS),
-      () => flushBulkCreate(did),
-      BULK_CREATE_DEBOUNCE_MS,
-    ),
   });
 };
 
@@ -116,7 +114,10 @@ const jetstream = new Jetstream({
 
 jetstream.onCreate("space.remanso.note", async (event) => {
   try {
-    const { did, commit: { rkey, record } } = event;
+    const {
+      did,
+      commit: { rkey, record },
+    } = event;
     log(`[jetstream] creating ${did}/${rkey}...`);
     const note = record as unknown as Omit<Note, "did" | "rkey">;
     upsertNote({ did, rkey, ...note });
@@ -130,7 +131,10 @@ jetstream.onCreate("space.remanso.note", async (event) => {
 
 jetstream.onUpdate("space.remanso.note", async (event) => {
   try {
-    const { did, commit: { rkey, record } } = event;
+    const {
+      did,
+      commit: { rkey, record },
+    } = event;
     log(`[jetstream] updating ${did}/${rkey}...`);
     const note = record as unknown as Omit<Note, "did" | "rkey">;
     upsertNote({ did, rkey, ...note });
@@ -145,7 +149,10 @@ jetstream.onUpdate("space.remanso.note", async (event) => {
 
 jetstream.onDelete("space.remanso.note", async (event) => {
   try {
-    const { did, commit: { rkey } } = event;
+    const {
+      did,
+      commit: { rkey },
+    } = event;
     log(`[jetstream] deleting ${did}/${rkey}...`);
     deleteNote({ did, rkey });
     log(`[jetstream] delete ${did}/${rkey}`);

scripts/_atproto-session.ts

@@ -0,0 +1,97 @@
+// Shared helpers for admin scripts that authenticate against the Remanso API
+// using an AT Protocol session. The handle is resolved to a DID, the DID is
+// resolved to a PDS, and a session is created against that PDS — yielding an
+// access JWT the API can verify with `authenticateRequest`.
+
+type ResolveHandleResponse = { did: string };
+type DidDocument = {
+  service?: { id: string; serviceEndpoint: string }[];
+};
+export type CreateSessionResponse = { did: string; accessJwt: string };
+
+export const parseArgs = (args: string[]): Record<string, string> => {
+  const out: Record<string, string> = {};
+  for (let i = 0; i < args.length; i++) {
+    const arg = args[i];
+    if (!arg.startsWith("--")) continue;
+    const key = arg.slice(2);
+    const next = args[i + 1];
+    if (next === undefined || next.startsWith("--")) {
+      out[key] = "true";
+    } else {
+      out[key] = next;
+      i++;
+    }
+  }
+  return out;
+};
+
+export const resolveHandleToDid = async (handle: string): Promise<string> => {
+  const url =
+    `https://public.api.bsky.app/xrpc/com.atproto.identity.resolveHandle?handle=${
+      encodeURIComponent(handle)
+    }`;
+  const res = await fetch(url);
+  if (!res.ok) {
+    throw new Error(
+      `resolveHandle failed for ${handle} (${res.status}): ${await res.text()}`,
+    );
+  }
+  const { did } = await res.json() as ResolveHandleResponse;
+  return did;
+};
+
+export const resolveDidToPds = async (did: string): Promise<string> => {
+  if (!did.startsWith("did:plc:")) {
+    throw new Error(
+      `Unsupported DID method (server only handles did:plc): ${did}`,
+    );
+  }
+  const res = await fetch(`https://plc.directory/${did}`);
+  if (!res.ok) {
+    throw new Error(`plc.directory lookup failed (${res.status})`);
+  }
+  const doc = await res.json() as DidDocument;
+  const pds = doc.service?.find((s) => s.id === "#atproto_pds");
+  if (!pds) throw new Error("No #atproto_pds service in DID document");
+  return pds.serviceEndpoint;
+};
+
+export const createSession = async (
+  pds: string,
+  identifier: string,
+  password: string,
+): Promise<CreateSessionResponse> => {
+  const res = await fetch(`${pds}/xrpc/com.atproto.server.createSession`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ identifier, password }),
+  });
+  if (!res.ok) {
+    throw new Error(
+      `createSession failed (${res.status}): ${await res.text()}`,
+    );
+  }
+  return await res.json();
+};
+
+// Convenience: pull credentials from flags or env, resolve the full session
+// chain in one call. Throws if required inputs are missing.
+export const sessionFromFlagsOrEnv = async (
+  flags: Record<string, string>,
+): Promise<{ session: CreateSessionResponse; api: string }> => {
+  const handle = flags.handle ?? Deno.env.get("ATPROTO_HANDLE");
+  const password = flags["app-password"] ??
+    Deno.env.get("ATPROTO_APP_PASSWORD");
+  const api = flags.api ?? Deno.env.get("REMANSO_API") ??
+    "https://api.remanso.space";
+  if (!handle) throw new Error("ATPROTO_HANDLE (or --handle) is required");
+  if (!password) {
+    throw new Error("ATPROTO_APP_PASSWORD (or --app-password) is required");
+  }
+  const did = await resolveHandleToDid(handle);
+  const pds = await resolveDidToPds(did);
+  console.log(`[resolve] ${handle} → ${did} via ${pds}`);
+  const session = await createSession(pds, handle, password);
+  return { session, api };
+};

scripts/list-all-webhooks.ts

@@ -0,0 +1,52 @@
+// Admin: list every webhook subscription via the Remanso API. Requires the
+// authenticated DID to be in the server-side ADMIN_DIDS allowlist.
+//
+//   deno task webhooks:all
+//
+// Inputs (env or flag, env preferred):
+//   ATPROTO_HANDLE        / --handle        e.g. alice.eurosky.social
+//   ATPROTO_APP_PASSWORD  / --app-password  app password (NOT your account password)
+//   REMANSO_API           / --api           default: https://api.remanso.space
+
+const HELP = `
+Usage:
+  deno task webhooks:all
+
+Inputs (env or flag, env preferred):
+  ATPROTO_HANDLE        / --handle        your AT Protocol handle
+  ATPROTO_APP_PASSWORD  / --app-password  app password (NOT your account password)
+  REMANSO_API           / --api           default: https://api.remanso.space
+`;
+
+import { parseArgs, sessionFromFlagsOrEnv } from "./_atproto-session.ts";
+
+const die = (msg: string): never => {
+  console.error(`error: ${msg}`);
+  console.error(HELP);
+  Deno.exit(1);
+};
+
+const main = async () => {
+  const flags = parseArgs(Deno.args);
+  if (flags.help === "true" || flags.h === "true") {
+    console.log(HELP);
+    Deno.exit(0);
+  }
+
+  const { session, api } = await sessionFromFlagsOrEnv(flags).catch(
+    (e: Error) => die(e.message),
+  );
+
+  const res = await fetch(`${api}/admin/webhooks`, {
+    headers: { "Authorization": `Bearer ${session.accessJwt}` },
+  });
+  if (!res.ok) {
+    console.error(`list-all failed (${res.status}): ${await res.text()}`);
+    Deno.exit(1);
+  }
+  const rows = await res.json();
+  console.log(JSON.stringify(rows, null, 2));
+  console.error(`[done] ${rows.length} subscription(s) at ${api}`);
+};
+
+await main();

scripts/manage-webhooks.ts

@@ -1,21 +1,14 @@
-// Manage webhook subscriptions on the Remanso API using a Bluesky session
+// Manage webhook subscriptions on the Remanso API. Resolves your PDS from
-// token from your own PDS. Usage:
+// your AT Protocol handle, logs in with an app password, then registers or
+// deletes webhooks against the Remanso API.
 //
 //   deno task webhooks register --url https://your-receiver --verb bulk-create
 //   deno task webhooks delete-all
 //
-// Required env vars (or matching --flags):
+// Inputs (env or flag, env preferred):
-//   BSKY_IDENTIFIER  your handle (e.g. alice.eurosky.social) or email
+//   ATPROTO_HANDLE        / --handle        e.g. alice.eurosky.social
-//   BSKY_PASSWORD    app password (NOT your main password)
+//   ATPROTO_APP_PASSWORD  / --app-password  app password (NOT your account password)
-//   BSKY_PDS         your PDS base URL (default: https://bsky.social)
+//   REMANSO_API           / --api           default: https://api.remanso.space
-//   REMANSO_API      Remanso API base URL (default: https://api.remanso.space)
-//
-// Example for an eurosky-hosted account:
-//
-//   BSKY_IDENTIFIER=alice.eurosky.social \
-//   BSKY_PASSWORD='xxxx-xxxx-xxxx-xxxx' \
-//   BSKY_PDS=https://eurosky.social \
-//   deno task webhooks register --url https://example.com/hook --verb bulk-create
 
 const HELP = `
 Usage:
@@ -25,36 +18,26 @@ Usage:
       [--method POST] \\
       [--token <outbound-bearer>]
 
+  deno task webhooks list
+
+  deno task webhooks delete --id <id>
+
   deno task webhooks delete-all
 
-Auth (env or flag, env preferred):
+Inputs (env or flag, env preferred):
-  BSKY_IDENTIFIER / --identifier
+  ATPROTO_HANDLE        / --handle        your AT Protocol handle
-  BSKY_PASSWORD   / --password
+  ATPROTO_APP_PASSWORD  / --app-password  app password (NOT your account password)
-  BSKY_PDS        / --pds       (default: https://bsky.social)
+  REMANSO_API           / --api           default: https://api.remanso.space
-  REMANSO_API     / --api       (default: https://api.remanso.space)
+
+Your PDS is resolved automatically from the handle.
 `;
 
-type CreateSessionResponse = {
+import {
-  did: string;
+  createSession,
-  accessJwt: string;
+  parseArgs,
-};
+  resolveDidToPds,
-
+  resolveHandleToDid,
-const parseArgs = (args: string[]): Record<string, string> => {
+} from "./_atproto-session.ts";
-  const out: Record<string, string> = {};
-  for (let i = 0; i < args.length; i++) {
-    const arg = args[i];
-    if (!arg.startsWith("--")) continue;
-    const key = arg.slice(2);
-    const next = args[i + 1];
-    if (next === undefined || next.startsWith("--")) {
-      out[key] = "true";
-    } else {
-      out[key] = next;
-      i++;
-    }
-  }
-  return out;
-};
 
 const die = (msg: string): never => {
   console.error(`error: ${msg}`);
@@ -62,24 +45,6 @@ const die = (msg: string): never => {
   Deno.exit(1);
 };
 
-const createSession = async (
-  pds: string,
-  identifier: string,
-  password: string,
-): Promise<CreateSessionResponse> => {
-  const res = await fetch(`${pds}/xrpc/com.atproto.server.createSession`, {
-    method: "POST",
-    headers: { "Content-Type": "application/json" },
-    body: JSON.stringify({ identifier, password }),
-  });
-  if (!res.ok) {
-    throw new Error(
-      `createSession failed (${res.status}): ${await res.text()}`,
-    );
-  }
-  return await res.json();
-};
-
 const main = async () => {
   const [command, ...rest] = Deno.args;
   if (!command || command === "--help" || command === "-h") {
@@ -88,17 +53,19 @@ const main = async () => {
   }
 
   const flags = parseArgs(rest);
-  const identifier = flags.identifier ?? Deno.env.get("BSKY_IDENTIFIER");
+  const handle = flags.handle ?? Deno.env.get("ATPROTO_HANDLE");
-  const password = flags.password ?? Deno.env.get("BSKY_PASSWORD");
+  const password = flags["app-password"] ??
-  const pds = flags.pds ?? Deno.env.get("BSKY_PDS") ?? "https://bsky.social";
+    Deno.env.get("ATPROTO_APP_PASSWORD");
   const api = flags.api ?? Deno.env.get("REMANSO_API") ??
     "https://api.remanso.space";
 
-  if (!identifier) die("BSKY_IDENTIFIER (or --identifier) is required");
+  if (!handle) die("ATPROTO_HANDLE (or --handle) is required");
-  if (!password) die("BSKY_PASSWORD (or --password) is required");
+  if (!password) die("ATPROTO_APP_PASSWORD (or --app-password) is required");
 
-  const session = await createSession(pds, identifier, password);
+  const did = await resolveHandleToDid(handle);
-  console.log(`[auth] verified DID: ${session.did} via ${pds}`);
+  const pds = await resolveDidToPds(did);
+  console.log(`[resolve] ${handle} → ${did} via ${pds}`);
+  const session = await createSession(pds, handle, password);
 
   if (command === "register") {
     const url = flags.url ?? die("--url is required for register");
@@ -124,6 +91,32 @@ const main = async () => {
     return;
   }
 
+  if (command === "list") {
+    const res = await fetch(`${api}/${session.did}/webhooks`, {
+      headers: { "Authorization": `Bearer ${session.accessJwt}` },
+    });
+    if (!res.ok) {
+      console.error(`list failed (${res.status}): ${await res.text()}`);
+      Deno.exit(1);
+    }
+    console.log(JSON.stringify(await res.json(), null, 2));
+    return;
+  }
+
+  if (command === "delete") {
+    const id = flags.id ?? die("--id is required for delete");
+    const res = await fetch(`${api}/${session.did}/webhooks/${id}`, {
+      method: "DELETE",
+      headers: { "Authorization": `Bearer ${session.accessJwt}` },
+    });
+    if (!res.ok) {
+      console.error(`delete failed (${res.status}): ${await res.text()}`);
+      Deno.exit(1);
+    }
+    console.log(`[done] webhook ${id} deleted`);
+    return;
+  }
+
   if (command === "delete-all") {
     const res = await fetch(`${api}/${session.did}/webhooks`, {
       method: "DELETE",

server.ts

@@ -1,15 +1,71 @@
 import { Application, Router } from "@oak/oak";
 import {
   addWebhookSubscription,
+  deleteWebhookById,
   deleteWebhooksByDid,
   getNotes,
   getNotesByDid,
   getNotesByDids,
+  listAllWebhooks,
+  listWebhooksByDid,
   type WebhookVerb,
 } from "./src/data/db.ts";
 import { authenticateRequest } from "./src/auth/verify.ts";
 import { log } from "./src/log.ts";
 
+type AuthCtx = {
+  request: { headers: { get(key: string): string | null } };
+  response: { status: number; body: unknown };
+};
+
+const requireDidOwnership = async (
+  ctx: AuthCtx,
+  did: string,
+): Promise<boolean> => {
+  let verifiedDid: string;
+  try {
+    verifiedDid = await authenticateRequest(
+      ctx.request.headers.get("Authorization"),
+    );
+  } catch {
+    ctx.response.status = 401;
+    ctx.response.body = { error: "Unauthorized" };
+    return false;
+  }
+  if (verifiedDid !== did) {
+    ctx.response.status = 403;
+    ctx.response.body = { error: "You can only manage your own webhooks" };
+    return false;
+  }
+  return true;
+};
+
+const ADMIN_DIDS = new Set(
+  (Deno.env.get("ADMIN_DIDS") ?? "")
+    .split(",")
+    .map((d) => d.trim())
+    .filter(Boolean),
+);
+
+const requireAdmin = async (ctx: AuthCtx): Promise<boolean> => {
+  let verifiedDid: string;
+  try {
+    verifiedDid = await authenticateRequest(
+      ctx.request.headers.get("Authorization"),
+    );
+  } catch {
+    ctx.response.status = 401;
+    ctx.response.body = { error: "Unauthorized" };
+    return false;
+  }
+  if (!ADMIN_DIDS.has(verifiedDid)) {
+    ctx.response.status = 403;
+    ctx.response.body = { error: "Admin only" };
+    return false;
+  }
+  return true;
+};
+
 const router = new Router();
 
 const PAGINATION = 20;
@@ -88,23 +144,20 @@ router.post("/notes/feed", async (ctx) => {
 
 const ALLOWED_VERBS = ["create", "delete", "bulk-create"] as const;
 
+router.get("/admin/webhooks", async (ctx) => {
+  if (!(await requireAdmin(ctx))) return;
+  ctx.response.body = listAllWebhooks();
+});
+
+router.get("/:did/webhooks", async (ctx) => {
+  const { did } = ctx.params;
+  if (!(await requireDidOwnership(ctx, did))) return;
+  ctx.response.body = listWebhooksByDid(did);
+});
+
 router.post("/:did/webhooks", async (ctx) => {
   const { did } = ctx.params;
-  let verifiedDid: string;
+  if (!(await requireDidOwnership(ctx, did))) return;
-  try {
-    verifiedDid = await authenticateRequest(
-      ctx.request.headers.get("Authorization"),
-    );
-  } catch {
-    ctx.response.status = 401;
-    ctx.response.body = { error: "Unauthorized" };
-    return;
-  }
-  if (verifiedDid !== did) {
-    ctx.response.status = 403;
-    ctx.response.body = { error: "You can only manage your own webhooks" };
-    return;
-  }
   const body = await ctx.request.body.json();
   const { method, url, token, verb } = body ?? {};
   if (!method || !url) {
@@ -129,25 +182,25 @@ router.post("/:did/webhooks", async (ctx) => {
 
 router.delete("/:did/webhooks", async (ctx) => {
   const { did } = ctx.params;
-  let verifiedDid: string;
+  if (!(await requireDidOwnership(ctx, did))) return;
-  try {
-    verifiedDid = await authenticateRequest(
-      ctx.request.headers.get("Authorization"),
-    );
-  } catch {
-    ctx.response.status = 401;
-    ctx.response.body = { error: "Unauthorized" };
-    return;
-  }
-  if (verifiedDid !== did) {
-    ctx.response.status = 403;
-    ctx.response.body = { error: "You can only manage your own webhooks" };
-    return;
-  }
   deleteWebhooksByDid(did);
   ctx.response.status = 204;
 });
 
+router.delete("/:did/webhooks/:id", async (ctx) => {
+  const { did, id } = ctx.params;
+  if (!(await requireDidOwnership(ctx, did))) return;
+  const numericId = Number(id);
+  if (!Number.isInteger(numericId) || numericId <= 0) {
+    ctx.response.status = 400;
+    ctx.response.body = { error: "id must be a positive integer" };
+    return;
+  }
+  const deleted = deleteWebhookById({ did, id: numericId });
+  ctx.response.status = deleted ? 204 : 404;
+  if (!deleted) ctx.response.body = { error: "webhook not found" };
+});
+
 // router.delete("/:did/:rkey", async (ctx) => {
 //   const { did, rkey } = ctx.params;
 //   let verifiedDid: string;

src/data/db.ts

@@ -119,6 +119,29 @@ export const deleteWebhooksByDid = (did: string): void => {
   db.exec("DELETE FROM webhook_subscription WHERE did = ?", did);
 };
 
+export const deleteWebhookById = (
+  { did, id }: { did: string; id: number },
+): boolean => {
+  const result = db.prepare(
+    "DELETE FROM webhook_subscription WHERE did = ? AND id = ?",
+  ).run(did, id);
+  return result > 0;
+};
+
+export const listWebhooksByDid = (
+  did: string,
+): Omit<WebhookSubscriptionRow, "token">[] => {
+  return db.prepare(
+    "SELECT id, did, method, url, verb FROM webhook_subscription WHERE did = ? ORDER BY id DESC",
+  ).all<Omit<WebhookSubscriptionRow, "token">>(did);
+};
+
+export const listAllWebhooks = (): Omit<WebhookSubscriptionRow, "token">[] => {
+  return db.prepare(
+    "SELECT id, did, method, url, verb FROM webhook_subscription ORDER BY did, id",
+  ).all<Omit<WebhookSubscriptionRow, "token">>();
+};
+
 export const getWebhooksByDidAndVerb = (
   did: string,
   verb: WebhookVerb,