git.stevedylan.dev

feat: initial oauth implementation 960999bb

Steve · 2026-02-02 10:25 10 file(s) · +812 −44

bun.lock +67 −1

    },
    "packages/cli": {
      "name": "sequoia-cli",
      "version": "0.2.0",
      "version": "0.2.1",
      "bin": {
        "sequoia": "dist/index.js",
      },
      "dependencies": {
        "@atproto/api": "^0.18.17",
        "@atproto/oauth-client-node": "^0.3.16",
        "@clack/prompts": "^1.0.0",
        "cmd-ts": "^0.14.3",
        "glob": "^13.0.0",
        "mime-types": "^2.1.35",
        "minimatch": "^10.1.1",
        "open": "^11.0.0",
      },
      "devDependencies": {
        "@biomejs/biome": "^2.3.13",

  "packages": {
    "@antfu/install-pkg": ["@antfu/install-pkg@1.1.0", "", { "dependencies": { "package-manager-detector": "^1.3.0", "tinyexec": "^1.0.1" } }, "sha512-MGQsmw10ZyI+EJo45CdSER4zEb+p31LpDAFp2Z3gkSd1yqVZGi0Ebx++YTEMonJy4oChEMLsxZ64j8FH6sSqtQ=="],

    "@atproto-labs/did-resolver": ["@atproto-labs/did-resolver@0.2.6", "", { "dependencies": { "@atproto-labs/fetch": "0.2.3", "@atproto-labs/pipe": "0.1.1", "@atproto-labs/simple-store": "0.3.0", "@atproto-labs/simple-store-memory": "0.1.4", "@atproto/did": "0.3.0", "zod": "^3.23.8" } }, "sha512-2K1bC04nI2fmgNcvof+yA28IhGlpWn2JKYlPa7To9JTKI45FINCGkQSGiL2nyXlyzDJJ34fZ1aq6/IRFIOIiqg=="],

    "@atproto-labs/fetch": ["@atproto-labs/fetch@0.2.3", "", { "dependencies": { "@atproto-labs/pipe": "0.1.1" } }, "sha512-NZtbJOCbxKUFRFKMpamT38PUQMY0hX0p7TG5AEYOPhZKZEP7dHZ1K2s1aB8MdVH0qxmqX7nQleNrrvLf09Zfdw=="],

    "@atproto-labs/fetch-node": ["@atproto-labs/fetch-node@0.2.0", "", { "dependencies": { "@atproto-labs/fetch": "0.2.3", "@atproto-labs/pipe": "0.1.1", "ipaddr.js": "^2.1.0", "undici": "^6.14.1" } }, "sha512-Krq09nH/aeoiU2s9xdHA0FjTEFWG9B5FFenipv1iRixCcPc7V3DhTNDawxG9gI8Ny0k4dBVS9WTRN/IDzBx86Q=="],

    "@atproto-labs/handle-resolver": ["@atproto-labs/handle-resolver@0.3.6", "", { "dependencies": { "@atproto-labs/simple-store": "0.3.0", "@atproto-labs/simple-store-memory": "0.1.4", "@atproto/did": "0.3.0", "zod": "^3.23.8" } }, "sha512-qnSTXvOBNj1EHhp2qTWSX8MS5q3AwYU5LKlt5fBvSbCjgmTr2j0URHCv+ydrwO55KvsojIkTMgeMOh4YuY4fCA=="],

    "@atproto-labs/handle-resolver-node": ["@atproto-labs/handle-resolver-node@0.1.25", "", { "dependencies": { "@atproto-labs/fetch-node": "0.2.0", "@atproto-labs/handle-resolver": "0.3.6", "@atproto/did": "0.3.0" } }, "sha512-NY9WYM2VLd3IuMGRkkmvGBg8xqVEaK/fitv1vD8SMXqFTekdpjOLCCyv7EFtqVHouzmDcL83VOvWRfHVa8V9Yw=="],

    "@atproto-labs/identity-resolver": ["@atproto-labs/identity-resolver@0.3.6", "", { "dependencies": { "@atproto-labs/did-resolver": "0.2.6", "@atproto-labs/handle-resolver": "0.3.6" } }, "sha512-qoWqBDRobln0NR8L8dQjSp79E0chGkBhibEgxQa2f9WD+JbJdjQ0YvwwO5yeQn05pJoJmAwmI2wyJ45zjU7aWg=="],

    "@atproto-labs/pipe": ["@atproto-labs/pipe@0.1.1", "", {}, "sha512-hdNw2oUs2B6BN1lp+32pF7cp8EMKuIN5Qok2Vvv/aOpG/3tNSJ9YkvfI0k6Zd188LeDDYRUpYpxcoFIcGH/FNg=="],

    "@atproto-labs/simple-store": ["@atproto-labs/simple-store@0.3.0", "", {}, "sha512-nOb6ONKBRJHRlukW1sVawUkBqReLlLx6hT35VS3imaNPwiXDxLnTK7lxw3Lrl9k5yugSBDQAkZAq3MPTEFSUBQ=="],

    "@atproto-labs/simple-store-memory": ["@atproto-labs/simple-store-memory@0.1.4", "", { "dependencies": { "@atproto-labs/simple-store": "0.3.0", "lru-cache": "^10.2.0" } }, "sha512-3mKY4dP8I7yKPFj9VKpYyCRzGJOi5CEpOLPlRhoJyLmgs3J4RzDrjn323Oakjz2Aj2JzRU/AIvWRAZVhpYNJHw=="],

    "@atproto/api": ["@atproto/api@0.18.17", "", { "dependencies": { "@atproto/common-web": "^0.4.13", "@atproto/lexicon": "^0.6.1", "@atproto/syntax": "^0.4.3", "@atproto/xrpc": "^0.7.7", "await-lock": "^2.2.2", "multiformats": "^9.9.0", "tlds": "^1.234.0", "zod": "^3.23.8" } }, "sha512-TeJkLGPkiK3jblwTDSNTH+CnS6WgaOiHDZeVVzywtxomyyF0FpQVSMz5eP3sDhxyHJqpI3E2AOYD7PO/JSbzJw=="],

    "@atproto/common-web": ["@atproto/common-web@0.4.13", "", { "dependencies": { "@atproto/lex-data": "0.0.9", "@atproto/lex-json": "0.0.9", "@atproto/syntax": "0.4.3", "zod": "^3.23.8" } }, "sha512-TewRUyB/dVJ5PtI3QmJzEgT3wDsvpnLJ+48hPl+LuUueJPamZevXKJN6dFjtbKAMFRnl2bKfdsf79qwvdSaLKQ=="],

    "@atproto/did": ["@atproto/did@0.3.0", "", { "dependencies": { "zod": "^3.23.8" } }, "sha512-raUPzUGegtW/6OxwCmM8bhZvuIMzxG5t9oWsth6Tp91Kb5fTnHV2h/KKNF1C82doeA4BdXCErTyg7ISwLbQkzA=="],

    "@atproto/jwk": ["@atproto/jwk@0.6.0", "", { "dependencies": { "multiformats": "^9.9.0", "zod": "^3.23.8" } }, "sha512-bDoJPvt7TrQVi/rBfBrSSpGykhtIriKxeYCYQTiPRKFfyRhbgpElF0wPXADjIswnbzZdOwbY63az4E/CFVT3Tw=="],

    "@atproto/jwk-jose": ["@atproto/jwk-jose@0.1.11", "", { "dependencies": { "@atproto/jwk": "0.6.0", "jose": "^5.2.0" } }, "sha512-i4Fnr2sTBYmMmHXl7NJh8GrCH+tDQEVWrcDMDnV5DjJfkgT17wIqvojIw9SNbSL4Uf0OtfEv6AgG0A+mgh8b5Q=="],

    "@atproto/jwk-webcrypto": ["@atproto/jwk-webcrypto@0.2.0", "", { "dependencies": { "@atproto/jwk": "0.6.0", "@atproto/jwk-jose": "0.1.11", "zod": "^3.23.8" } }, "sha512-UmgRrrEAkWvxwhlwe30UmDOdTEFidlIzBC7C3cCbeJMcBN1x8B3KH+crXrsTqfWQBG58mXgt8wgSK3Kxs2LhFg=="],

    "@atproto/lex-data": ["@atproto/lex-data@0.0.9", "", { "dependencies": { "multiformats": "^9.9.0", "tslib": "^2.8.1", "uint8arrays": "3.0.0", "unicode-segmenter": "^0.14.0" } }, "sha512-1slwe4sG0cyWtsq16+rBoWIxNDqGPkkvN+PV6JuzA7dgUK9bjUmXBGQU4eZlUPSS43X1Nhmr/9VjgKmEzU9vDw=="],

    "@atproto/lex-json": ["@atproto/lex-json@0.0.9", "", { "dependencies": { "@atproto/lex-data": "0.0.9", "tslib": "^2.8.1" } }, "sha512-Q2v1EVZcnd+ndyZj1r2UlGikA7q6It24CFPLbxokcf5Ba4RBupH8IkkQX7mqUDSRWPgQdmZYIdW9wUln+MKDqw=="],

    "@atproto/lexicon": ["@atproto/lexicon@0.6.1", "", { "dependencies": { "@atproto/common-web": "^0.4.13", "@atproto/syntax": "^0.4.3", "iso-datestring-validator": "^2.2.2", "multiformats": "^9.9.0", "zod": "^3.23.8" } }, "sha512-/vI1kVlY50Si+5MXpvOucelnYwb0UJ6Qto5mCp+7Q5C+Jtp+SoSykAPVvjVtTnQUH2vrKOFOwpb3C375vSKzXw=="],

    "@atproto/oauth-client": ["@atproto/oauth-client@0.5.14", "", { "dependencies": { "@atproto-labs/did-resolver": "0.2.6", "@atproto-labs/fetch": "0.2.3", "@atproto-labs/handle-resolver": "0.3.6", "@atproto-labs/identity-resolver": "0.3.6", "@atproto-labs/simple-store": "0.3.0", "@atproto-labs/simple-store-memory": "0.1.4", "@atproto/did": "0.3.0", "@atproto/jwk": "0.6.0", "@atproto/oauth-types": "0.6.2", "@atproto/xrpc": "0.7.7", "core-js": "^3", "multiformats": "^9.9.0", "zod": "^3.23.8" } }, "sha512-sPH+vcdq9maTEAhJI0HzmFcFAMrkCS19np+RUssNkX6kS8Xr3OYr57tvYRCbkcnIyYTfYcxKQgpwHKx3RVEaYw=="],

    "@atproto/oauth-client-node": ["@atproto/oauth-client-node@0.3.16", "", { "dependencies": { "@atproto-labs/did-resolver": "0.2.6", "@atproto-labs/handle-resolver-node": "0.1.25", "@atproto-labs/simple-store": "0.3.0", "@atproto/did": "0.3.0", "@atproto/jwk": "0.6.0", "@atproto/jwk-jose": "0.1.11", "@atproto/jwk-webcrypto": "0.2.0", "@atproto/oauth-client": "0.5.14", "@atproto/oauth-types": "0.6.2" } }, "sha512-2dooMzxAkiQ4MkOAZlEQ3iwbB9SEovrbIKMNuBbVCLQYORVNxe20tMdjs3lvhrzdpzvaHLlQnJJhw5dA9VELFw=="],

    "@atproto/oauth-types": ["@atproto/oauth-types@0.6.2", "", { "dependencies": { "@atproto/did": "0.3.0", "@atproto/jwk": "0.6.0", "zod": "^3.23.8" } }, "sha512-2cuboM4RQBCYR8NQC5uGRkW6KgCgKyq/B5/+tnMmWZYtZGVUQvsUWQHK/ZiMCnVXbcDNtc/RIEJQJDZ8FXMoxg=="],

    "@atproto/syntax": ["@atproto/syntax@0.4.3", "", { "dependencies": { "tslib": "^2.8.1" } }, "sha512-YoZUz40YAJr5nPwvCDWgodEOlt5IftZqPJvA0JDWjuZKD8yXddTwSzXSaKQAzGOpuM+/A3uXRtPzJJqlScc+iA=="],

    "@atproto/xrpc": ["@atproto/xrpc@0.7.7", "", { "dependencies": { "@atproto/lexicon": "^0.6.0", "zod": "^3.23.8" } }, "sha512-K1ZyO/BU8JNtXX5dmPp7b5UrkLMMqpsIa/Lrj5D3Su+j1Xwq1m6QJ2XJ1AgjEjkI1v4Muzm7klianLE6XGxtmA=="],


    "bun-types": ["bun-types@1.3.7", "", { "dependencies": { "@types/node": "*" } }, "sha512-qyschsA03Qz+gou+apt6HNl6HnI+sJJLL4wLDke4iugsE6584CMupOtTY1n+2YC9nGVrEKUlTs99jjRLKgWnjQ=="],

    "bundle-name": ["bundle-name@4.1.0", "", { "dependencies": { "run-applescript": "^7.0.0" } }, "sha512-tjwM5exMg6BGRI+kNmTntNsvdZS1X8BFYS6tnJ2hdH0kVxM6/eVZ2xy+FqStSWvYmtfFMDLIxurorHwDKfDz5Q=="],

    "bytes": ["bytes@3.1.2", "", {}, "sha512-/Nf7TyzTx6S3yRJObOAV7956r8cr2+Oj8AC5dt8wSP3BQAoeX58NoHyCU8P8zGkNXStjTSi6fzO6F0pBdcYbEg=="],

    "cac": ["cac@6.7.14", "", {}, "sha512-b6Ilus+c3RrdDk+JhLKUAQfzzgLEPy6wcXqS7f/xe1EETvsDP6GORG7SFuOs6cID5YkqchW/LXZbX5bc8j7ZcQ=="],

    "convert-source-map": ["convert-source-map@2.0.0", "", {}, "sha512-Kvp459HrV2FEJ1CAsi1Ku+MY3kasH19TFykTz2xWmMeq6bk2NU3XXvfJ+Q61m0xktWwt+1HSYf3JZsTms3aRJg=="],

    "cookie": ["cookie@1.1.1", "", {}, "sha512-ei8Aos7ja0weRpFzJnEA9UHJ/7XQmqglbRwnf2ATjcB9Wq874VKH9kfjjirM6UhU2/E5fFYadylyhFldcqSidQ=="],

    "core-js": ["core-js@3.48.0", "", {}, "sha512-zpEHTy1fjTMZCKLHUZoVeylt9XrzaIN2rbPXEt0k+q7JE5CkCZdo6bNq55bn24a69CH7ErAVLKijxJja4fw+UQ=="],

    "cose-base": ["cose-base@1.0.3", "", { "dependencies": { "layout-base": "^1.0.0" } }, "sha512-s9whTXInMSgAp/NVXVNuVxVKzGH2qck3aQlVHxDCdAEPgtMKwc4Wq6/QKhgdEdgbLSi9rBTAcPoRa6JpiG4ksg=="],



    "deepmerge": ["deepmerge@4.3.1", "", {}, "sha512-3sUqbMEc77XqpdNO7FRyRog+eW3ph+GYCbj+rK+uYyRMuwsVy0rMiVtPn+QJlKFvWP/1PYpapqYn0Me2knFn+A=="],

    "default-browser": ["default-browser@5.4.0", "", { "dependencies": { "bundle-name": "^4.1.0", "default-browser-id": "^5.0.0" } }, "sha512-XDuvSq38Hr1MdN47EDvYtx3U0MTqpCEn+F6ft8z2vYDzMrvQhVp0ui9oQdqW3MvK3vqUETglt1tVGgjLuJ5izg=="],

    "default-browser-id": ["default-browser-id@5.0.1", "", {}, "sha512-x1VCxdX4t+8wVfd1so/9w+vQ4vx7lKd2Qp5tDRutErwmR85OgmfX7RlLRMWafRMY7hbEiXIbudNrjOAPa/hL8Q=="],

    "define-lazy-prop": ["define-lazy-prop@3.0.0", "", {}, "sha512-N+MeXYoqr3pOgn8xfyRPREN7gHakLYjhsHhWGT3fWAiL4IkAt0iDw14QiiEm2bE30c5XX5q0FtAA3CK5f9/BUg=="],

    "delaunator": ["delaunator@5.0.1", "", { "dependencies": { "robust-predicates": "^3.0.2" } }, "sha512-8nvh+XBe96aCESrGOqMp/84b13H9cdKbG5P2ejQCh4d4sK9RL4371qou9drQjMhvnPmhWl5hnmqbEE0fXr9Xnw=="],

    "depd": ["depd@2.0.0", "", {}, "sha512-g7nH6P6dyDioJogAAGprGpCtVImJhpPk/roCzdb3fIh61/s/nPsfR6onyMwkCAR/OlC3yBC0lESvUoQEAssIrw=="],


    "internmap": ["internmap@1.0.1", "", {}, "sha512-lDB5YccMydFBtasVtxnZ3MRBHuaoE8GKsppq+EchKL2U4nK/DmEpPHNH8MZe5HkMtpSiTSOZwfN0tzYjO/lJEw=="],

    "ipaddr.js": ["ipaddr.js@2.3.0", "", {}, "sha512-Zv/pA+ciVFbCSBBjGfaKUya/CcGmUHzTydLMaTwrUUEM2DIEO3iZvueGxmacvmN50fGpGVKeTXpb2LcYQxeVdg=="],

    "is-alphabetical": ["is-alphabetical@2.0.1", "", {}, "sha512-FWyyY60MeTNyeSRpkM2Iry0G9hpr7/9kD40mD/cGQEuilcZYS4okz8SN2Q6rLCJ8gbCt6fN+rC+6tMGS99LaxQ=="],

    "is-alphanumerical": ["is-alphanumerical@2.0.1", "", { "dependencies": { "is-alphabetical": "^2.0.0", "is-decimal": "^2.0.0" } }, "sha512-hmbYhX/9MUMF5uh7tOXyK/n0ZvWpad5caBA17GsC6vyuCqaWliRG5K1qS9inmUhEMaOBIW7/whAnSwveW/LtZw=="],

    "is-decimal": ["is-decimal@2.0.1", "", {}, "sha512-AAB9hiomQs5DXWcRB1rqsxGUstbRroFOPPVAomNk/3XHR5JyEZChOyTWe2oayKnsSsr/kcGqF+z6yuH6HHpN0A=="],

    "is-docker": ["is-docker@3.0.0", "", { "bin": { "is-docker": "cli.js" } }, "sha512-eljcgEDlEns/7AXFosB5K/2nCM4P7FQPkGc/DWLy5rmFEWvZayGrik1d9/QIY5nJ4f9YsVvBkA6kJpHn9rISdQ=="],

    "is-hexadecimal": ["is-hexadecimal@2.0.1", "", {}, "sha512-DgZQp241c8oO6cA1SbTEWiXeoxV42vlcJxgH+B3hi1AiqqKruZR3ZGF8In3fj4+/y/7rHvlOZLZtgJ/4ttYGZg=="],

    "is-in-ssh": ["is-in-ssh@1.0.0", "", {}, "sha512-jYa6Q9rH90kR1vKB6NM7qqd1mge3Fx4Dhw5TVlK1MUBqhEOuCagrEHMevNuCcbECmXZ0ThXkRm+Ymr51HwEPAw=="],

    "is-inside-container": ["is-inside-container@1.0.0", "", { "dependencies": { "is-docker": "^3.0.0" }, "bin": { "is-inside-container": "cli.js" } }, "sha512-KIYLCCJghfHZxqjYBE7rEy0OBuTd5xCHS7tHVgvCLkx7StIoaxwNW3hCALgEUjFfeRk+MG/Qxmp/vtETEF3tRA=="],

    "is-interactive": ["is-interactive@2.0.0", "", {}, "sha512-qP1vozQRI+BMOPcjFzrjXuQvdak2pHNUMZoeG2eRbiSqyvbEf/wQtEOTOX1guk6E3t36RkaqiSt8A/6YElNxLQ=="],

    "is-plain-obj": ["is-plain-obj@4.1.0", "", {}, "sha512-+Pgi+vMuUNkJyExiMBt5IlFoMyKnr5zhJ4Uspz58WOhBF5QoIZkFyNHIbBAtHwzVAgk5RtndVNsDRN61/mmDqg=="],


    "is-unicode-supported": ["is-unicode-supported@1.3.0", "", {}, "sha512-43r2mRvz+8JRIKnWJ+3j8JtjRKZ6GmjzfaE/qiBJnikNnYv/6bagRJ1kUhNk8R5EX/GkobD+r+sfxCPJsiKBLQ=="],

    "is-wsl": ["is-wsl@3.1.0", "", { "dependencies": { "is-inside-container": "^1.0.0" } }, "sha512-UcVfVfaK4Sc4m7X3dUSoHoozQGBEFeDC+zVo06t98xe8CzHSZZBekNXH+tu0NalHolcJ/QAGqS46Hef7QXBIMw=="],

    "isexe": ["isexe@2.0.0", "", {}, "sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw=="],

    "iso-datestring-validator": ["iso-datestring-validator@2.2.2", "", {}, "sha512-yLEMkBbLZTlVQqOnQ4FiMujR6T4DEcCb1xizmvXS+OxuhwcbtynoosRzdMA69zZCShCNAbi+gJ71FxZBBXx1SA=="],

    "javascript-stringify": ["javascript-stringify@2.1.0", "", {}, "sha512-JVAfqNPTvNq3sB/VHQJAFxN/sPgKnsKrCwyRt15zwNCdrMMJDdcEOdubuy+DuJYYdm0ox1J4uzEuYKkN+9yhVg=="],

    "jiti": ["jiti@2.6.1", "", { "bin": { "jiti": "lib/jiti-cli.mjs" } }, "sha512-ekilCSN1jwRvIbgeg/57YFh8qQDNbwDb9xT/qu2DAHbFFZUicIl4ygVaAvzveMhMVr3LnpSKTNnwt8PoOfmKhQ=="],

    "jose": ["jose@5.10.0", "", {}, "sha512-s+3Al/p9g32Iq+oqXxkW//7jk2Vig6FF1CFqzVXoTUXt2qz89YWbL+OwS17NFYEvxC35n0FKeGO2LGYSxeM2Gg=="],

    "js-tokens": ["js-tokens@4.0.0", "", {}, "sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ=="],


    "onetime": ["onetime@5.1.2", "", { "dependencies": { "mimic-fn": "^2.1.0" } }, "sha512-kbpaSSGJTWdAY5KPVeMOKXSrPtr8C8C7wodJbcsd51jRnmD+GZu8Y0VoU6Dm5Z4vWr0Ig/1NKuWRKf7j5aaYSg=="],

    "oniguruma-to-es": ["oniguruma-to-es@2.3.0", "", { "dependencies": { "emoji-regex-xs": "^1.0.0", "regex": "^5.1.1", "regex-recursion": "^5.1.1" } }, "sha512-bwALDxriqfKGfUufKGGepCzu9x7nJQuoRoAFp4AnwehhC2crqrDIAP/uN2qdlsAvSMpeRC3+Yzhqc7hLmle5+g=="],

    "open": ["open@11.0.0", "", { "dependencies": { "default-browser": "^5.4.0", "define-lazy-prop": "^3.0.0", "is-in-ssh": "^1.0.0", "is-inside-container": "^1.0.0", "powershell-utils": "^0.1.0", "wsl-utils": "^0.3.0" } }, "sha512-smsWv2LzFjP03xmvFoJ331ss6h+jixfA4UUV/Bsiyuu4YJPfN+FIQGOIiv4w9/+MoHkfkJ22UIaQWRVFRfH6Vw=="],

    "ora": ["ora@7.0.1", "", { "dependencies": { "chalk": "^5.3.0", "cli-cursor": "^4.0.0", "cli-spinners": "^2.9.0", "is-interactive": "^2.0.0", "is-unicode-supported": "^1.3.0", "log-symbols": "^5.1.0", "stdin-discarder": "^0.1.0", "string-width": "^6.1.0", "strip-ansi": "^7.1.0" } }, "sha512-0TUxTiFJWv+JnjWm4o9yvuskpEJLXTcng8MJuKd+SzAzp2o+OP3HWqNhB4OdJRt1Vsd9/mR0oyaEYlOnL7XIRw=="],



    "postcss-value-parser": ["postcss-value-parser@4.2.0", "", {}, "sha512-1NNCs6uurfkVbeXG4S8JFT9t19m45ICnif8zWLd5oPSZ50QnwMfK+H3jv408d4jw/7Bttv5axS5IiHoLaVNHeQ=="],

    "powershell-utils": ["powershell-utils@0.1.0", "", {}, "sha512-dM0jVuXJPsDN6DvRpea484tCUaMiXWjuCn++HGTqUWzGDjv5tZkEZldAJ/UMlqRYGFrD/etByo4/xOuC/snX2A=="],

    "property-information": ["property-information@6.5.0", "", {}, "sha512-PgTgs/BlvHxOu8QuEN7wi5A0OmXaBcHpmCSTehcs6Uuu9IkDIEo13Hy7n898RHfrQ49vKCoGeWZSaAK01nwVig=="],

    "radix-ui": ["radix-ui@1.4.3", "", { "dependencies": { "@radix-ui/primitive": "1.1.3", "@radix-ui/react-accessible-icon": "1.1.7", "@radix-ui/react-accordion": "1.2.12", "@radix-ui/react-alert-dialog": "1.1.15", "@radix-ui/react-arrow": "1.1.7", "@radix-ui/react-aspect-ratio": "1.1.7", "@radix-ui/react-avatar": "1.1.10", "@radix-ui/react-checkbox": "1.3.3", "@radix-ui/react-collapsible": "1.1.12", "@radix-ui/react-collection": "1.1.7", "@radix-ui/react-compose-refs": "1.1.2", "@radix-ui/react-context": "1.1.2", "@radix-ui/react-context-menu": "2.2.16", "@radix-ui/react-dialog": "1.1.15", "@radix-ui/react-direction": "1.1.1", "@radix-ui/react-dismissable-layer": "1.1.11", "@radix-ui/react-dropdown-menu": "2.1.16", "@radix-ui/react-focus-guards": "1.1.3", "@radix-ui/react-focus-scope": "1.1.7", "@radix-ui/react-form": "0.1.8", "@radix-ui/react-hover-card": "1.1.15", "@radix-ui/react-label": "2.1.7", "@radix-ui/react-menu": "2.1.16", "@radix-ui/react-menubar": "1.1.16", "@radix-ui/react-navigation-menu": "1.2.14", "@radix-ui/react-one-time-password-field": "0.1.8", "@radix-ui/react-password-toggle-field": "0.1.3", "@radix-ui/react-popover": "1.1.15", "@radix-ui/react-popper": "1.2.8", "@radix-ui/react-portal": "1.1.9", "@radix-ui/react-presence": "1.1.5", "@radix-ui/react-primitive": "2.1.3", "@radix-ui/react-progress": "1.1.7", "@radix-ui/react-radio-group": "1.3.8", "@radix-ui/react-roving-focus": "1.1.11", "@radix-ui/react-scroll-area": "1.2.10", "@radix-ui/react-select": "2.2.6", "@radix-ui/react-separator": "1.1.7", "@radix-ui/react-slider": "1.3.6", "@radix-ui/react-slot": "1.2.3", "@radix-ui/react-switch": "1.2.6", "@radix-ui/react-tabs": "1.1.13", "@radix-ui/react-toast": "1.2.15", "@radix-ui/react-toggle": "1.1.10", "@radix-ui/react-toggle-group": "1.1.11", "@radix-ui/react-toolbar": "1.1.11", "@radix-ui/react-tooltip": "1.2.8", "@radix-ui/react-use-callback-ref": "1.1.1", "@radix-ui/react-use-controllable-state": "1.2.2", "@radix-ui/react-use-effect-event": "0.0.2", "@radix-ui/react-use-escape-keydown": "1.1.1", "@radix-ui/react-use-is-hydrated": "0.1.0", "@radix-ui/react-use-layout-effect": "1.1.1", "@radix-ui/react-use-size": "1.1.1", "@radix-ui/react-visually-hidden": "1.2.3" }, "peerDependencies": { "@types/react": "*", "@types/react-dom": "*", "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc", "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" }, "optionalPeers": ["@types/react", "@types/react-dom"] }, "sha512-aWizCQiyeAenIdUbqEpXgRA1ya65P13NKn/W8rWkcN0OPkRDxdBVLWnIEDsS2RpwCK2nobI7oMUSmexzTDyAmA=="],

    "rollup": ["rollup@4.57.0", "", { "dependencies": { "@types/estree": "1.0.8" }, "optionalDependencies": { "@rollup/rollup-android-arm-eabi": "4.57.0", "@rollup/rollup-android-arm64": "4.57.0", "@rollup/rollup-darwin-arm64": "4.57.0", "@rollup/rollup-darwin-x64": "4.57.0", "@rollup/rollup-freebsd-arm64": "4.57.0", "@rollup/rollup-freebsd-x64": "4.57.0", "@rollup/rollup-linux-arm-gnueabihf": "4.57.0", "@rollup/rollup-linux-arm-musleabihf": "4.57.0", "@rollup/rollup-linux-arm64-gnu": "4.57.0", "@rollup/rollup-linux-arm64-musl": "4.57.0", "@rollup/rollup-linux-loong64-gnu": "4.57.0", "@rollup/rollup-linux-loong64-musl": "4.57.0", "@rollup/rollup-linux-ppc64-gnu": "4.57.0", "@rollup/rollup-linux-ppc64-musl": "4.57.0", "@rollup/rollup-linux-riscv64-gnu": "4.57.0", "@rollup/rollup-linux-riscv64-musl": "4.57.0", "@rollup/rollup-linux-s390x-gnu": "4.57.0", "@rollup/rollup-linux-x64-gnu": "4.57.0", "@rollup/rollup-linux-x64-musl": "4.57.0", "@rollup/rollup-openbsd-x64": "4.57.0", "@rollup/rollup-openharmony-arm64": "4.57.0", "@rollup/rollup-win32-arm64-msvc": "4.57.0", "@rollup/rollup-win32-ia32-msvc": "4.57.0", "@rollup/rollup-win32-x64-gnu": "4.57.0", "@rollup/rollup-win32-x64-msvc": "4.57.0", "fsevents": "~2.3.2" }, "bin": { "rollup": "dist/bin/rollup" } }, "sha512-e5lPJi/aui4TO1LpAXIRLySmwXSE8k3b9zoGfd42p67wzxog4WHjiZF3M2uheQih4DGyc25QEV4yRBbpueNiUA=="],

    "roughjs": ["roughjs@4.6.6", "", { "dependencies": { "hachure-fill": "^0.5.2", "path-data-parser": "^0.1.0", "points-on-curve": "^0.2.0", "points-on-path": "^0.2.1" } }, "sha512-ZUz/69+SYpFN/g/lUlo2FXcIjRkSu3nDarreVdGGndHEBJ6cXPdKguS8JGxwj5HA5xIbVKSmLgr5b3AWxtRfvQ=="],

    "run-applescript": ["run-applescript@7.1.0", "", {}, "sha512-DPe5pVFaAsinSaV6QjQ6gdiedWDcRCbUuiQfQa2wmWV7+xC9bGulGI8+TdRmoFkAPaBXk8CrAbnlY2ISniJ47Q=="],

    "rw": ["rw@1.3.3", "", {}, "sha512-PdhdWy89SiZogBLaw42zdeqtRJ//zFd2PgQavcICDUgJT5oW10QCRKbJ6bg4r0/UY2M6BWd5tkxuGFRvCkgfHQ=="],



    "uint8arrays": ["uint8arrays@3.0.0", "", { "dependencies": { "multiformats": "^9.4.2" } }, "sha512-HRCx0q6O9Bfbp+HHSfQQKD7wU70+lydKVt4EghkdOvlK/NlrF90z+eXV34mUd48rNvVJXwkrMSPpCATkct8fJA=="],

    "undici": ["undici@6.23.0", "", {}, "sha512-VfQPToRA5FZs/qJxLIinmU59u0r7LXqoJkCzinq3ckNJp3vKEh7jTWN589YQ5+aoAC/TGRLyJLCPKcLQbM8r9g=="],

    "undici-types": ["undici-types@6.21.0", "", {}, "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ=="],

    "unicode-segmenter": ["unicode-segmenter@0.14.5", "", {}, "sha512-jHGmj2LUuqDcX3hqY12Ql+uhUTn8huuxNZGq7GvtF6bSybzH3aFgedYu/KTzQStEgt1Ra2F3HxadNXsNjb3m3g=="],

    "web-namespaces": ["web-namespaces@2.0.1", "", {}, "sha512-bKr1DkiNa2krS7qxNtdrtHAmzuYGFQLiQ13TsorsdT6ULTkPLKuu5+GsFpDlg6JFjUTwX2DyhMPG2be8uPrqsQ=="],

    "which": ["which@2.0.2", "", { "dependencies": { "isexe": "^2.0.0" }, "bin": { "node-which": "./bin/node-which" } }, "sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA=="],

    "wsl-utils": ["wsl-utils@0.3.1", "", { "dependencies": { "is-wsl": "^3.1.0", "powershell-utils": "^0.1.0" } }, "sha512-g/eziiSUNBSsdDJtCLB8bdYEUMj4jR7AGeUo96p/3dTafgjHhpF4RiCFPiRILwjQoDXx5MqkBr4fwWtR3Ky4Wg=="],

    "yallist": ["yallist@3.1.1", "", {}, "sha512-a4UGQaWPH59mOXUYnAG2ewncQS4i4F43Tv3JoAM+s2VDAmS9NsK8GpDMLrCHPksFT7h3K6TOoUNn2pb7RoXx4g=="],


packages/cli/package.json +3 −1

30	30		},
31	31		"dependencies": {
32	32		"@atproto/api": "^0.18.17",
	33	+	"@atproto/oauth-client-node": "^0.3.16",
33	34		"@clack/prompts": "^1.0.0",
34	35		"cmd-ts": "^0.14.3",
35	36		"glob": "^13.0.0",
36	37		"mime-types": "^2.1.35",
37		-	"minimatch": "^10.1.1"
	38	+	"minimatch": "^10.1.1",
	39	+	"open": "^11.0.0"
38	40		}
39	41		}

packages/cli/src/commands/auth.ts +1 −0


			// Save credentials
			await saveCredentials({
				type: "app-password",
				pdsUrl,
				identifier: identifier,
				password: appPassword,

packages/cli/src/commands/login.ts (added) +296 −0

1	+	import * as http from "node:http";
2	+	import { log, note, select, spinner, text } from "@clack/prompts";
3	+	import { command, flag, option, optional, string } from "cmd-ts";
4	+	import { resolveHandleToDid } from "../lib/atproto";
5	+	import {
6	+	getCallbackPort,
7	+	getCallbackUrl,
8	+	getOAuthClient,
9	+	getOAuthScope,
10	+	} from "../lib/oauth-client";
11	+	import {
12	+	deleteOAuthSession,
13	+	getOAuthStorePath,
14	+	listOAuthSessions,
15	+	} from "../lib/oauth-store";
16	+	import { exitOnCancel } from "../lib/prompts";
17	+
18	+	const CALLBACK_TIMEOUT_MS = 5 * 60 * 1000; // 5 minutes
19	+
20	+	export const loginCommand = command({
21	+	name: "login",
22	+	description: "Login with OAuth (browser-based authentication)",
23	+	args: {
24	+	logout: option({
25	+	long: "logout",
26	+	description: "Remove OAuth session for a specific DID",
27	+	type: optional(string),
28	+	}),
29	+	list: flag({
30	+	long: "list",
31	+	description: "List all stored OAuth sessions",
32	+	}),
33	+	},
34	+	handler: async ({ logout, list }) => {
35	+	// List sessions
36	+	if (list) {
37	+	const sessions = await listOAuthSessions();
38	+	if (sessions.length === 0) {
39	+	log.info("No OAuth sessions stored");
40	+	} else {
41	+	log.info("OAuth sessions:");
42	+	for (const did of sessions) {
43	+	console.log(` - ${did}`);
44	+	}
45	+	}
46	+	return;
47	+	}
48	+
49	+	// Logout
50	+	if (logout !== undefined) {
51	+	const did = logout \|\| undefined;
52	+
53	+	if (!did) {
54	+	// No DID provided - show available and prompt
55	+	const sessions = await listOAuthSessions();
56	+	if (sessions.length === 0) {
57	+	log.info("No OAuth sessions found");
58	+	return;
59	+	}
60	+	if (sessions.length === 1) {
61	+	const deleted = await deleteOAuthSession(sessions[0]!);
62	+	if (deleted) {
63	+	log.success(`Removed OAuth session for ${sessions[0]}`);
64	+	}
65	+	return;
66	+	}
67	+	// Multiple sessions - prompt
68	+	const selected = exitOnCancel(
69	+	await select({
70	+	message: "Select session to remove:",
71	+	options: sessions.map((d) => ({ value: d, label: d })),
72	+	}),
73	+	);
74	+	const deleted = await deleteOAuthSession(selected);
75	+	if (deleted) {
76	+	log.success(`Removed OAuth session for ${selected}`);
77	+	}
78	+	return;
79	+	}
80	+
81	+	const deleted = await deleteOAuthSession(did);
82	+	if (deleted) {
83	+	log.success(`Removed OAuth session for ${did}`);
84	+	} else {
85	+	log.info(`No OAuth session found for ${did}`);
86	+	}
87	+	return;
88	+	}
89	+
90	+	// OAuth login flow
91	+	note(
92	+	"OAuth login will open your browser to authenticate.\n\n" +
93	+	"This is more secure than app passwords and tokens refresh automatically.",
94	+	"OAuth Login",
95	+	);
96	+
97	+	const handle = exitOnCancel(
98	+	await text({
99	+	message: "Handle or DID:",
100	+	placeholder: "yourhandle.bsky.social",
101	+	}),
102	+	);
103	+
104	+	if (!handle) {
105	+	log.error("Handle is required");
106	+	process.exit(1);
107	+	}
108	+
109	+	const s = spinner();
110	+	s.start("Resolving identity...");
111	+
112	+	let did: string;
113	+	try {
114	+	did = await resolveHandleToDid(handle);
115	+	s.stop(`Identity resolved`);
116	+	} catch (error) {
117	+	s.stop("Failed to resolve identity");
118	+	if (error instanceof Error) {
119	+	log.error(`Error: ${error.message}`);
120	+	} else {
121	+	log.error(`Error: ${error}`);
122	+	}
123	+	process.exit(1);
124	+	}
125	+
126	+	s.start("Initializing OAuth...");
127	+
128	+	try {
129	+	const client = await getOAuthClient();
130	+
131	+	// Generate authorization URL using the resolved DID
132	+	const authUrl = await client.authorize(did, {
133	+	scope: getOAuthScope(),
134	+	});
135	+
136	+	log.info(`Login URL: ${authUrl}`);
137	+
138	+	s.message("Opening browser...");
139	+
140	+	// Try to open browser
141	+	let browserOpened = true;
142	+	try {
143	+	const open = (await import("open")).default;
144	+	await open(authUrl.toString());
145	+	} catch {
146	+	browserOpened = false;
147	+	}
148	+
149	+	s.message("Waiting for authentication...");
150	+
151	+	// Show URL info
152	+	if (!browserOpened) {
153	+	s.stop("Could not open browser automatically");
154	+	log.warn("Please open the following URL in your browser:");
155	+	log.info(authUrl.toString());
156	+	s.start("Waiting for authentication...");
157	+	}
158	+
159	+	// Start HTTP server to receive callback
160	+	const result = await waitForCallback();
161	+
162	+	if (!result.success) {
163	+	s.stop("Authentication failed");
164	+	log.error(result.error \|\| "OAuth callback failed");
165	+	process.exit(1);
166	+	}
167	+
168	+	s.message("Completing authentication...");
169	+
170	+	// Exchange code for tokens
171	+	const { session } = await client.callback(
172	+	new URLSearchParams(result.params!),
173	+	);
174	+
175	+	// Try to get the handle for display (use the original handle input as fallback)
176	+	let displayName = handle;
177	+	try {
178	+	// The session should have the DID, we can use the original handle they entered
179	+	// or we could fetch the profile to get the current handle
180	+	displayName = handle.startsWith("did:") ? session.did : handle;
181	+	} catch {
182	+	displayName = session.did;
183	+	}
184	+
185	+	s.stop(`Logged in as ${displayName}`);
186	+
187	+	log.success(`OAuth session saved to ${getOAuthStorePath()}`);
188	+	log.info("Your session will refresh automatically when needed.");
189	+
190	+	// Exit cleanly - the OAuth client may have background processes
191	+	process.exit(0);
192	+	} catch (error) {
193	+	s.stop("OAuth login failed");
194	+	if (error instanceof Error) {
195	+	log.error(`Error: ${error.message}`);
196	+	} else {
197	+	log.error(`Error: ${error}`);
198	+	}
199	+	process.exit(1);
200	+	}
201	+	},
202	+	});
203	+
204	+	interface CallbackResult {
205	+	success: boolean;
206	+	params?: Record<string, string>;
207	+	error?: string;
208	+	}
209	+
210	+	function waitForCallback(): Promise<CallbackResult> {
211	+	return new Promise((resolve) => {
212	+	const port = getCallbackPort();
213	+	let timeoutId: ReturnType<typeof setTimeout> \| undefined;
214	+
215	+	const server = http.createServer((req, res) => {
216	+	const url = new URL(req.url \|\| "/", `http://127.0.0.1:${port}`);
217	+
218	+	if (url.pathname === "/oauth/callback") {
219	+	const params: Record<string, string> = {};
220	+	url.searchParams.forEach((value, key) => {
221	+	params[key] = value;
222	+	});
223	+
224	+	// Clear the timeout
225	+	if (timeoutId) clearTimeout(timeoutId);
226	+
227	+	// Check for error
228	+	if (params.error) {
229	+	res.writeHead(200, { "Content-Type": "text/html" });
230	+	res.end(`
231	+	<html>
232	+	<body style="font-family: system-ui; padding: 2rem; text-align: center;">
233	+	<h1>Authentication Failed</h1>
234	+	<p>${params.error_description \|\| params.error}</p>
235	+	<p>You can close this window.</p>
236	+	</body>
237	+	</html>
238	+	`);
239	+	server.close(() => {
240	+	resolve({
241	+	success: false,
242	+	error: params.error_description \|\| params.error,
243	+	});
244	+	});
245	+	return;
246	+	}
247	+
248	+	// Success
249	+	res.writeHead(200, { "Content-Type": "text/html" });
250	+	res.end(`
251	+	<html>
252	+	<body style="font-family: system-ui; padding: 2rem; text-align: center;">
253	+	<h1>Authentication Successful</h1>
254	+	<p>You can close this window and return to the terminal.</p>
255	+	</body>
256	+	</html>
257	+	`);
258	+	server.close(() => {
259	+	resolve({ success: true, params });
260	+	});
261	+	return;
262	+	}
263	+
264	+	// Not the callback path
265	+	res.writeHead(404);
266	+	res.end("Not found");
267	+	});
268	+
269	+	server.on("error", (err: NodeJS.ErrnoException) => {
270	+	if (timeoutId) clearTimeout(timeoutId);
271	+	if (err.code === "EADDRINUSE") {
272	+	resolve({
273	+	success: false,
274	+	error: `Port ${port} is already in use. Please close the application using that port and try again.`,
275	+	});
276	+	} else {
277	+	resolve({
278	+	success: false,
279	+	error: `Server error: ${err.message}`,
280	+	});
281	+	}
282	+	});
283	+
284	+	server.listen(port, "127.0.0.1");
285	+
286	+	// Timeout after 5 minutes
287	+	timeoutId = setTimeout(() => {
288	+	server.close(() => {
289	+	resolve({
290	+	success: false,
291	+	error: "Timeout waiting for OAuth callback. Please try again.",
292	+	});
293	+	});
294	+	}, CALLBACK_TIMEOUT_MS);
295	+	});
296	+	}

packages/cli/src/index.ts +2 −0

import { authCommand } from "./commands/auth";
import { initCommand } from "./commands/init";
import { injectCommand } from "./commands/inject";
import { loginCommand } from "./commands/login";
import { publishCommand } from "./commands/publish";
import { syncCommand } from "./commands/sync";


		auth: authCommand,
		init: initCommand,
		inject: injectCommand,
		login: loginCommand,
		publish: publishCommand,
		sync: syncCommand,
	},

packages/cli/src/lib/atproto.ts +61 −15

import { AtpAgent } from "@atproto/api";
import { Agent, AtpAgent } from "@atproto/api";
import * as mimeTypes from "mime-types";
import * as fs from "node:fs/promises";
import * as path from "node:path";
import { stripMarkdownForText } from "./markdown";
import { getOAuthClient } from "./oauth-client";
import type {
	BlobObject,
	BlogPost,

	PublisherConfig,
	StrongRef,
} from "./types";
import { isAppPasswordCredentials, isOAuthCredentials } from "./types";

async function fileExists(filePath: string): Promise<boolean> {
	try {

	}
}

/**
 * Resolve a handle to a DID
 */
export async function resolveHandleToDid(handle: string): Promise<string> {
	if (handle.startsWith("did:")) {
		return handle;
	}

	// Try to resolve handle via Bluesky API
	const resolveUrl = `https://public.api.bsky.app/xrpc/com.atproto.identity.resolveHandle?handle=${encodeURIComponent(handle)}`;
	const resolveResponse = await fetch(resolveUrl);
	if (!resolveResponse.ok) {
		throw new Error("Could not resolve handle");
	}
	const resolveData = (await resolveResponse.json()) as { did: string };
	return resolveData.did;
}

export async function resolveHandleToPDS(handle: string): Promise<string> {
	// First, resolve the handle to a DID
	let did: string;

	if (handle.startsWith("did:")) {
		did = handle;
	} else {
		// Try to resolve handle via Bluesky API
		const resolveUrl = `https://public.api.bsky.app/xrpc/com.atproto.identity.resolveHandle?handle=${encodeURIComponent(handle)}`;
		const resolveResponse = await fetch(resolveUrl);
		if (!resolveResponse.ok) {
			throw new Error("Could not resolve handle");
		}
		const resolveData = (await resolveResponse.json()) as { did: string };
		did = resolveData.did;
	}
	const did = await resolveHandleToDid(handle);

	// Now resolve the DID to get the PDS URL from the DID document
	let pdsUrl: string | undefined;

}

export async function createAgent(credentials: Credentials): Promise<AtpAgent> {
	if (isOAuthCredentials(credentials)) {
		// OAuth flow - restore session from stored tokens
		const client = await getOAuthClient();
		try {
			const oauthSession = await client.restore(credentials.did);
			// Wrap the OAuth session in an Agent which provides the atproto API
			const agent = new Agent(oauthSession) as unknown as AtpAgent;

			// The Agent class doesn't have session.did like AtpAgent does
			// We need to set up a compatible session object for the rest of our code
			agent.session = {
				did: oauthSession.did,
				handle: credentials.handle,
				accessJwt: "",
				refreshJwt: "",
				active: true,
			};

			return agent;
		} catch (error) {
			if (error instanceof Error) {
				// Check for common OAuth errors
				if (
					error.message.includes("expired") ||
					error.message.includes("revoked")
				) {
					throw new Error(
						`OAuth session expired or revoked. Please run 'sequoia login' to re-authenticate.`,
					);
				}
			}
			throw error;
		}
	}

	// App password flow
	if (!isAppPasswordCredentials(credentials)) {
		throw new Error("Invalid credential type");
	}
	const agent = new AtpAgent({ service: credentials.pdsUrl });

	await agent.login({

packages/cli/src/lib/credentials.ts +133 −26

import * as fs from "node:fs/promises";
import * as os from "node:os";
import * as path from "node:path";
import type { Credentials } from "./types";
import { getOAuthSession, listOAuthSessions } from "./oauth-store";
import type {
	AppPasswordCredentials,
	Credentials,
	LegacyCredentials,
	OAuthCredentials,
} from "./types";

const CONFIG_DIR = path.join(os.homedir(), ".config", "sequoia");
const CREDENTIALS_FILE = path.join(CONFIG_DIR, "credentials.json");

// Stored credentials keyed by identifier
type CredentialsStore = Record<string, Credentials>;
// Stored credentials keyed by identifier (can be legacy or typed)
type CredentialsStore = Record<
	string,
	AppPasswordCredentials | LegacyCredentials
>;

async function fileExists(filePath: string): Promise<boolean> {
	try {

}

/**
 * Load all stored credentials
 * Normalize credentials to have explicit type
 */
function normalizeCredentials(
	creds: AppPasswordCredentials | LegacyCredentials,
): AppPasswordCredentials {
	// If it already has type, return as-is
	if ("type" in creds && creds.type === "app-password") {
		return creds;
	}
	// Migrate legacy format
	return {
		type: "app-password",
		pdsUrl: creds.pdsUrl,
		identifier: creds.identifier,
		password: creds.password,
	};
}

async function loadCredentialsStore(): Promise<CredentialsStore> {
	if (!(await fileExists(CREDENTIALS_FILE))) {
		return {};


		// Handle legacy single-credential format (migrate on read)
		if (parsed.identifier && parsed.password) {
			const legacy = parsed as Credentials;
			const legacy = parsed as LegacyCredentials;
			return { [legacy.identifier]: legacy };
		}


}

/**
 * Try to load OAuth credentials for a given profile (DID or handle)
 */
async function tryLoadOAuthCredentials(
	profile: string,
): Promise<OAuthCredentials | null> {
	// If it looks like a DID, try to get the session directly
	if (profile.startsWith("did:")) {
		const session = await getOAuthSession(profile);
		if (session) {
			return {
				type: "oauth",
				did: profile,
				handle: profile, // We don't have the handle stored, use DID
				pdsUrl: "https://bsky.social", // Will be resolved from DID doc
			};
		}
	}

	// Otherwise, check all OAuth sessions to find a matching handle
	// (This is a fallback - handle matching isn't perfect without storing handles)
	const sessions = await listOAuthSessions();
	for (const did of sessions) {
		// Could enhance this by storing handle with session, but for now
		// just return null if profile isn't a DID
	}

	return null;
}

/**
 * Load credentials for a specific identity or resolve which to use.
 *
 * Priority:
 * 1. Full env vars (ATP_IDENTIFIER + ATP_APP_PASSWORD)
 * 2. SEQUOIA_PROFILE env var - selects from stored credentials
 * 2. SEQUOIA_PROFILE env var - selects from stored credentials (app-password or OAuth DID)
 * 3. projectIdentity parameter (from sequoia.json)
 * 4. If only one identity stored, use it
 * 4. If only one identity stored (app-password or OAuth), use it
 * 5. Return null (caller should prompt user)
 */
export async function loadCredentials(


	if (envIdentifier && envPassword) {
		return {
			type: "app-password",
			identifier: envIdentifier,
			password: envPassword,
			pdsUrl: envPdsUrl || "https://bsky.social",

	}

	const store = await loadCredentialsStore();
	const identifiers = Object.keys(store);

	if (identifiers.length === 0) {
		return null;
	}
	const appPasswordIds = Object.keys(store);
	const oauthDids = await listOAuthSessions();

	// 2. SEQUOIA_PROFILE env var
	const profileEnv = process.env.SEQUOIA_PROFILE;
	if (profileEnv && store[profileEnv]) {
		return store[profileEnv];
	if (profileEnv) {
		// Try app-password credentials first
		if (store[profileEnv]) {
			return normalizeCredentials(store[profileEnv]);
		}
		// Try OAuth session (profile could be a DID)
		const oauth = await tryLoadOAuthCredentials(profileEnv);
		if (oauth) {
			return oauth;
		}
	}

	// 3. Project-specific identity (from sequoia.json)
	if (projectIdentity && store[projectIdentity]) {
		return store[projectIdentity];
	if (projectIdentity) {
		if (store[projectIdentity]) {
			return normalizeCredentials(store[projectIdentity]);
		}
		const oauth = await tryLoadOAuthCredentials(projectIdentity);
		if (oauth) {
			return oauth;
		}
	}

	// 4. If only one identity, use it
	if (identifiers.length === 1 && identifiers[0]) {
		return store[identifiers[0]] ?? null;
	// 4. If only one identity total, use it
	const totalIdentities = appPasswordIds.length + oauthDids.length;
	if (totalIdentities === 1) {
		if (appPasswordIds.length === 1 && appPasswordIds[0]) {
			return normalizeCredentials(store[appPasswordIds[0]]!);
		}
		if (oauthDids.length === 1 && oauthDids[0]) {
			const session = await getOAuthSession(oauthDids[0]);
			if (session) {
				return {
					type: "oauth",
					did: oauthDids[0],
					handle: oauthDids[0],
					pdsUrl: "https://bsky.social",
				};
			}
		}
	}

	// Multiple identities exist but none selected
	// Multiple identities exist but none selected, or no identities
	return null;
}

/**
 * Get a specific identity by identifier
 * Get a specific identity by identifier (app-password only)
 */
export async function getCredentials(
	identifier: string,
): Promise<Credentials | null> {
): Promise<AppPasswordCredentials | null> {
	const store = await loadCredentialsStore();
	return store[identifier] || null;
	const creds = store[identifier];
	if (!creds) return null;
	return normalizeCredentials(creds);
}

/**
 * List all stored identities
 * List all stored app-password identities
 */
export async function listCredentials(): Promise<string[]> {
	const store = await loadCredentialsStore();

}

/**
 * Save credentials for an identity (adds or updates)
 * List all credentials (both app-password and OAuth)
 */
export async function listAllCredentials(): Promise<
	Array<{ id: string; type: "app-password" | "oauth" }>
> {
	const store = await loadCredentialsStore();
	const oauthDids = await listOAuthSessions();

	const result: Array<{ id: string; type: "app-password" | "oauth" }> = [];

	for (const id of Object.keys(store)) {
		result.push({ id, type: "app-password" });
	}

	for (const did of oauthDids) {
		result.push({ id: did, type: "oauth" });
	}

	return result;
}

/**
 * Save app-password credentials for an identity (adds or updates)
 */
export async function saveCredentials(credentials: Credentials): Promise<void> {
export async function saveCredentials(
	credentials: AppPasswordCredentials,
): Promise<void> {
	const store = await loadCredentialsStore();
	store[credentials.identifier] = credentials;
	await saveCredentialsStore(store);

packages/cli/src/lib/oauth-client.ts (added) +91 −0

1	+	import {
2	+	NodeOAuthClient,
3	+	type NodeOAuthClientOptions,
4	+	} from "@atproto/oauth-client-node";
5	+	import { sessionStore, stateStore } from "./oauth-store";
6	+
7	+	const CALLBACK_PORT = 4000;
8	+	const CALLBACK_HOST = "127.0.0.1";
9	+	const CALLBACK_URL = `http://${CALLBACK_HOST}:${CALLBACK_PORT}/oauth/callback`;
10	+
11	+	// OAuth scope for Sequoia CLI - includes atproto base scope plus our collections
12	+	const OAUTH_SCOPE =
13	+	"atproto repo:site.standard.document repo:site.standard.publication repo:app.bsky.feed.post blob:/";
14	+
15	+	let oauthClient: NodeOAuthClient \| null = null;
16	+
17	+	// Simple lock implementation for CLI (single process, no contention)
18	+	// This prevents the "No lock mechanism provided" warning
19	+	const locks = new Map<string, Promise<void>>();
20	+
21	+	async function requestLock(key: string, fn: () => Promise<void>): Promise<void> {
22	+	// Wait for any existing lock on this key
23	+	while (locks.has(key)) {
24	+	await locks.get(key);
25	+	}
26	+
27	+	// Create our lock
28	+	let resolve: () => void;
29	+	const lockPromise = new Promise<void>((r) => {
30	+	resolve = r;
31	+	});
32	+	locks.set(key, lockPromise);
33	+
34	+	try {
35	+	await fn();
36	+	} finally {
37	+	locks.delete(key);
38	+	resolve!();
39	+	}
40	+	}
41	+
42	+	/**
43	+	* Get or create the OAuth client singleton
44	+	*/
45	+	export async function getOAuthClient(): Promise<NodeOAuthClient> {
46	+	if (oauthClient) {
47	+	return oauthClient;
48	+	}
49	+
50	+	// Build client_id with required parameters
51	+	const clientIdParams = new URLSearchParams();
52	+	clientIdParams.append("redirect_uri", CALLBACK_URL);
53	+	clientIdParams.append("scope", OAUTH_SCOPE);
54	+
55	+	const clientOptions: NodeOAuthClientOptions = {
56	+	clientMetadata: {
57	+	client_id: `http://localhost?${clientIdParams.toString()}`,
58	+	client_name: "Sequoia CLI",
59	+	client_uri: "https://github.com/stevedylandev/sequoia",
60	+	redirect_uris: [CALLBACK_URL],
61	+	grant_types: ["authorization_code", "refresh_token"],
62	+	response_types: ["code"],
63	+	token_endpoint_auth_method: "none",
64	+	application_type: "web",
65	+	scope: OAUTH_SCOPE,
66	+	dpop_bound_access_tokens: false,
67	+	},
68	+	stateStore,
69	+	sessionStore,
70	+	// Configure identity resolution
71	+	plcDirectoryUrl: "https://plc.directory",
72	+	// Provide lock mechanism to prevent warning
73	+	requestLock,
74	+	};
75	+
76	+	oauthClient = new NodeOAuthClient(clientOptions);
77	+
78	+	return oauthClient;
79	+	}
80	+
81	+	export function getOAuthScope(): string {
82	+	return OAUTH_SCOPE;
83	+	}
84	+
85	+	export function getCallbackUrl(): string {
86	+	return CALLBACK_URL;
87	+	}
88	+
89	+	export function getCallbackPort(): number {
90	+	return CALLBACK_PORT;
91	+	}

packages/cli/src/lib/oauth-store.ts (added) +124 −0

1	+	import * as fs from "node:fs/promises";
2	+	import * as os from "node:os";
3	+	import * as path from "node:path";
4	+	import type {
5	+	NodeSavedSession,
6	+	NodeSavedSessionStore,
7	+	NodeSavedState,
8	+	NodeSavedStateStore,
9	+	} from "@atproto/oauth-client-node";
10	+
11	+	const CONFIG_DIR = path.join(os.homedir(), ".config", "sequoia");
12	+	const OAUTH_FILE = path.join(CONFIG_DIR, "oauth.json");
13	+
14	+	interface OAuthStore {
15	+	states: Record<string, NodeSavedState>;
16	+	sessions: Record<string, NodeSavedSession>;
17	+	}
18	+
19	+	async function fileExists(filePath: string): Promise<boolean> {
20	+	try {
21	+	await fs.access(filePath);
22	+	return true;
23	+	} catch {
24	+	return false;
25	+	}
26	+	}
27	+
28	+	async function loadOAuthStore(): Promise<OAuthStore> {
29	+	if (!(await fileExists(OAUTH_FILE))) {
30	+	return { states: {}, sessions: {} };
31	+	}
32	+
33	+	try {
34	+	const content = await fs.readFile(OAUTH_FILE, "utf-8");
35	+	return JSON.parse(content) as OAuthStore;
36	+	} catch {
37	+	return { states: {}, sessions: {} };
38	+	}
39	+	}
40	+
41	+	async function saveOAuthStore(store: OAuthStore): Promise<void> {
42	+	await fs.mkdir(CONFIG_DIR, { recursive: true });
43	+	await fs.writeFile(OAUTH_FILE, JSON.stringify(store, null, 2));
44	+	await fs.chmod(OAUTH_FILE, 0o600);
45	+	}
46	+
47	+	/**
48	+	* State store for PKCE flow (temporary, used during auth)
49	+	*/
50	+	export const stateStore: NodeSavedStateStore = {
51	+	async set(key: string, state: NodeSavedState): Promise<void> {
52	+	const store = await loadOAuthStore();
53	+	store.states[key] = state;
54	+	await saveOAuthStore(store);
55	+	},
56	+
57	+	async get(key: string): Promise<NodeSavedState \| undefined> {
58	+	const store = await loadOAuthStore();
59	+	return store.states[key];
60	+	},
61	+
62	+	async del(key: string): Promise<void> {
63	+	const store = await loadOAuthStore();
64	+	delete store.states[key];
65	+	await saveOAuthStore(store);
66	+	},
67	+	};
68	+
69	+	/**
70	+	* Session store for OAuth tokens (persistent)
71	+	*/
72	+	export const sessionStore: NodeSavedSessionStore = {
73	+	async set(sub: string, session: NodeSavedSession): Promise<void> {
74	+	const store = await loadOAuthStore();
75	+	store.sessions[sub] = session;
76	+	await saveOAuthStore(store);
77	+	},
78	+
79	+	async get(sub: string): Promise<NodeSavedSession \| undefined> {
80	+	const store = await loadOAuthStore();
81	+	return store.sessions[sub];
82	+	},
83	+
84	+	async del(sub: string): Promise<void> {
85	+	const store = await loadOAuthStore();
86	+	delete store.sessions[sub];
87	+	await saveOAuthStore(store);
88	+	},
89	+	};
90	+
91	+	/**
92	+	* List all stored OAuth session DIDs
93	+	*/
94	+	export async function listOAuthSessions(): Promise<string[]> {
95	+	const store = await loadOAuthStore();
96	+	return Object.keys(store.sessions);
97	+	}
98	+
99	+	/**
100	+	* Get an OAuth session by DID
101	+	*/
102	+	export async function getOAuthSession(
103	+	did: string,
104	+	): Promise<NodeSavedSession \| undefined> {
105	+	const store = await loadOAuthStore();
106	+	return store.sessions[did];
107	+	}
108	+
109	+	/**
110	+	* Delete an OAuth session by DID
111	+	*/
112	+	export async function deleteOAuthSession(did: string): Promise<boolean> {
113	+	const store = await loadOAuthStore();
114	+	if (!store.sessions[did]) {
115	+	return false;
116	+	}
117	+	delete store.sessions[did];
118	+	await saveOAuthStore(store);
119	+	return true;
120	+	}
121	+
122	+	export function getOAuthStorePath(): string {
123	+	return OAUTH_FILE;
124	+	}

packages/cli/src/lib/types.ts +34 −1

	bluesky?: BlueskyConfig; // Optional Bluesky posting configuration
}

export interface Credentials {
// Legacy credentials format (for backward compatibility during migration)
export interface LegacyCredentials {
	pdsUrl: string;
	identifier: string;
	password: string;
}

// App password credentials (explicit type)
export interface AppPasswordCredentials {
	type: "app-password";
	pdsUrl: string;
	identifier: string;
	password: string;
}

// OAuth credentials (references stored OAuth session)
export interface OAuthCredentials {
	type: "oauth";
	did: string;
	handle: string;
	pdsUrl: string;
}

// Union type for all credential types
export type Credentials = AppPasswordCredentials | OAuthCredentials;

// Helper to check credential type
export function isOAuthCredentials(
	creds: Credentials,
): creds is OAuthCredentials {
	return creds.type === "oauth";
}

export function isAppPasswordCredentials(
	creds: Credentials,
): creds is AppPasswordCredentials {
	return creds.type === "app-password";
}

export interface PostFrontmatter {

158	158
159	159		// Save credentials
160	160		await saveCredentials({
	161	+	type: "app-password",
161	162		pdsUrl,
162	163		identifier: identifier,
163	164		password: appPassword,

4	4		import { authCommand } from "./commands/auth";
5	5		import { initCommand } from "./commands/init";
6	6		import { injectCommand } from "./commands/inject";
	7	+	import { loginCommand } from "./commands/login";
7	8		import { publishCommand } from "./commands/publish";
8	9		import { syncCommand } from "./commands/sync";
9	10

38	39		auth: authCommand,
39	40		init: initCommand,
40	41		inject: injectCommand,
	42	+	login: loginCommand,
41	43		publish: publishCommand,
42	44		sync: syncCommand,
43	45		},

1		-	import { AtpAgent } from "@atproto/api";
	1	+	import { Agent, AtpAgent } from "@atproto/api";
2	2		import * as mimeTypes from "mime-types";
3	3		import * as fs from "node:fs/promises";
4	4		import * as path from "node:path";
5	5		import { stripMarkdownForText } from "./markdown";
	6	+	import { getOAuthClient } from "./oauth-client";
6	7		import type {
7	8		BlobObject,
8	9		BlogPost,

10	11		PublisherConfig,
11	12		StrongRef,
12	13		} from "./types";
	14	+	import { isAppPasswordCredentials, isOAuthCredentials } from "./types";
13	15
14	16		async function fileExists(filePath: string): Promise<boolean> {
15	17		try {

20	22		}
21	23		}
22	24
	25	+	/**
	26	+	* Resolve a handle to a DID
	27	+	*/
	28	+	export async function resolveHandleToDid(handle: string): Promise<string> {
	29	+	if (handle.startsWith("did:")) {
	30	+	return handle;
	31	+	}
	32	+
	33	+	// Try to resolve handle via Bluesky API
	34	+	const resolveUrl = `https://public.api.bsky.app/xrpc/com.atproto.identity.resolveHandle?handle=${encodeURIComponent(handle)}`;
	35	+	const resolveResponse = await fetch(resolveUrl);
	36	+	if (!resolveResponse.ok) {
	37	+	throw new Error("Could not resolve handle");
	38	+	}
	39	+	const resolveData = (await resolveResponse.json()) as { did: string };
	40	+	return resolveData.did;
	41	+	}
	42	+
23	43		export async function resolveHandleToPDS(handle: string): Promise<string> {
24	44		// First, resolve the handle to a DID
25		-	let did: string;
26		-
27		-	if (handle.startsWith("did:")) {
28		-	did = handle;
29		-	} else {
30		-	// Try to resolve handle via Bluesky API
31		-	const resolveUrl = `https://public.api.bsky.app/xrpc/com.atproto.identity.resolveHandle?handle=${encodeURIComponent(handle)}`;
32		-	const resolveResponse = await fetch(resolveUrl);
33		-	if (!resolveResponse.ok) {
34		-	throw new Error("Could not resolve handle");
35		-	}
36		-	const resolveData = (await resolveResponse.json()) as { did: string };
37		-	did = resolveData.did;
38		-	}
	45	+	const did = await resolveHandleToDid(handle);
39	46
40	47		// Now resolve the DID to get the PDS URL from the DID document
41	48		let pdsUrl: string \| undefined;

90	97		}
91	98
92	99		export async function createAgent(credentials: Credentials): Promise<AtpAgent> {
	100	+	if (isOAuthCredentials(credentials)) {
	101	+	// OAuth flow - restore session from stored tokens
	102	+	const client = await getOAuthClient();
	103	+	try {
	104	+	const oauthSession = await client.restore(credentials.did);
	105	+	// Wrap the OAuth session in an Agent which provides the atproto API
	106	+	const agent = new Agent(oauthSession) as unknown as AtpAgent;
	107	+
	108	+	// The Agent class doesn't have session.did like AtpAgent does
	109	+	// We need to set up a compatible session object for the rest of our code
	110	+	agent.session = {
	111	+	did: oauthSession.did,
	112	+	handle: credentials.handle,
	113	+	accessJwt: "",
	114	+	refreshJwt: "",
	115	+	active: true,
	116	+	};
	117	+
	118	+	return agent;
	119	+	} catch (error) {
	120	+	if (error instanceof Error) {
	121	+	// Check for common OAuth errors
	122	+	if (
	123	+	error.message.includes("expired") \|\|
	124	+	error.message.includes("revoked")
	125	+	) {
	126	+	throw new Error(
	127	+	`OAuth session expired or revoked. Please run 'sequoia login' to re-authenticate.`,
	128	+	);
	129	+	}
	130	+	}
	131	+	throw error;
	132	+	}
	133	+	}
	134	+
	135	+	// App password flow
	136	+	if (!isAppPasswordCredentials(credentials)) {
	137	+	throw new Error("Invalid credential type");
	138	+	}
93	139		const agent = new AtpAgent({ service: credentials.pdsUrl });
94	140
95	141		await agent.login({

37	37		bluesky?: BlueskyConfig; // Optional Bluesky posting configuration
38	38		}
39	39
40		-	export interface Credentials {
	40	+	// Legacy credentials format (for backward compatibility during migration)
	41	+	export interface LegacyCredentials {
41	42		pdsUrl: string;
42	43		identifier: string;
43	44		password: string;
	45	+	}
	46	+
	47	+	// App password credentials (explicit type)
	48	+	export interface AppPasswordCredentials {
	49	+	type: "app-password";
	50	+	pdsUrl: string;
	51	+	identifier: string;
	52	+	password: string;
	53	+	}
	54	+
	55	+	// OAuth credentials (references stored OAuth session)
	56	+	export interface OAuthCredentials {
	57	+	type: "oauth";
	58	+	did: string;
	59	+	handle: string;
	60	+	pdsUrl: string;
	61	+	}
	62	+
	63	+	// Union type for all credential types
	64	+	export type Credentials = AppPasswordCredentials \| OAuthCredentials;
	65	+
	66	+	// Helper to check credential type
	67	+	export function isOAuthCredentials(
	68	+	creds: Credentials,
	69	+	): creds is OAuthCredentials {
	70	+	return creds.type === "oauth";
	71	+	}
	72	+
	73	+	export function isAppPasswordCredentials(
	74	+	creds: Credentials,
	75	+	): creds is AppPasswordCredentials {
	76	+	return creds.type === "app-password";
44	77		}
45	78
46	79		export interface PostFrontmatter {