update

patching/120-ozone-runtimeEnvVars.diff

@@ -0,0 +1,119 @@
+diff --git a/app/layout.tsx b/app/layout.tsx
+index bfc3470..9350629 100644
+--- a/app/layout.tsx
++++ b/app/layout.tsx
+@@ -5,6 +5,7 @@ import 'yet-another-react-lightbox/styles.css'
+ import 'yet-another-react-lightbox/plugins/thumbnails.css'
+ import 'yet-another-react-lightbox/plugins/captions.css'
+ import { ToastContainer } from 'react-toastify'
++import { PublicEnvScript } from 'next-runtime-env';
+ 
+ import { Shell } from '@/shell/Shell'
+ import { CommandPaletteRoot } from '@/shell/CommandPalette/Root'
+@@ -36,6 +37,7 @@ export default function RootLayout({
+         isDarkModeEnabled() ? 'dark' : ''
+       }`}
+     >
++      <head>
+       <title>Ozone</title>
+       <link
+         rel="icon"
+@@ -43,6 +45,8 @@ export default function RootLayout({
+         sizes="any"
+       />
+       <meta name="viewport" content="width=device-width, initial-scale=1" />
++      <PublicEnvScript />
++      </head>
+       <body className="h-full overflow-hidden">
+         <ToastContainer
+           position="bottom-right"
+diff --git a/environment.d.ts b/environment.d.ts
+index 7a47cc2..33ab29f 100644
+--- a/environment.d.ts
++++ b/environment.d.ts
+@@ -9,6 +9,8 @@ declare global {
+       NEXT_PUBLIC_OZONE_SERVICE_DID?: string // e.g. did:plc:xxx#atproto_labeler
+       NEXT_PUBLIC_OZONE_PUBLIC_URL?: string // e.g. https://ozone.example.com (falls back to window.location.origin)
+       NEXT_PUBLIC_SOCIAL_APP_URL?: string // e.g. https://bsky.app
++      NEXT_PUBLIC_SOCIAL_APP_DOMAIN?: string // e.g. bsky.app
++      NEXT_PUBLIC_HANDLE_RESOLVER_URL?: string // e.g. https://api.bsky.app
+     }
+   }
+ }
+diff --git a/lib/constants.ts b/lib/constants.ts
+index fe7c0e8..c286ac6 100644
+--- a/lib/constants.ts
++++ b/lib/constants.ts
+@@ -1,29 +1,32 @@
++import { env } from 'next-runtime-env';
++
+ export const OAUTH_SCOPE = 'atproto transition:generic'
+
+ export const OZONE_SERVICE_DID =
+-  process.env.NEXT_PUBLIC_OZONE_SERVICE_DID || undefined
++  env('NEXT_PUBLIC_OZONE_SERVICE_DID') || undefined
+
+ export const OZONE_PUBLIC_URL =
+-  process.env.NEXT_PUBLIC_OZONE_PUBLIC_URL || undefined
++  env('NEXT_PUBLIC_OZONE_PUBLIC_URL') || undefined
+
+ export const PLC_DIRECTORY_URL =
+-  process.env.NEXT_PUBLIC_PLC_DIRECTORY_URL ||
++  env('NEXT_PUBLIC_PLC_DIRECTORY_URL') ||
+   (process.env.NODE_ENV === 'development'
+     ? 'http://localhost:2582'
+     : 'https://plc.directory')
+ 
+-export const QUEUE_CONFIG = process.env.NEXT_PUBLIC_QUEUE_CONFIG || '{}'
++export const QUEUE_CONFIG = env('NEXT_PUBLIC_QUEUE_CONFIG') || '{}'
+
+-export const QUEUE_SEED = process.env.NEXT_PUBLIC_QUEUE_SEED || ''
++export const QUEUE_SEED = env('NEXT_PUBLIC_QUEUE_SEED') || ''
+
++export const SOCIAL_APP_DOMAIN = env('NEXT_PUBLIC_SOCIAL_APP_DOMAIN') || 'bsky.app'
+ export const SOCIAL_APP_URL =
+-  process.env.NEXT_PUBLIC_SOCIAL_APP_URL ||
++  env('NEXT_PUBLIC_SOCIAL_APP_URL') ||
+   (process.env.NODE_ENV === 'development'
+     ? 'http://localhost:2584'
+-    : 'https://bsky.app')
++    : `https://${SOCIAL_APP_DOMAIN}`)
+
+ export const HANDLE_RESOLVER_URL =
+-  process.env.NEXT_PUBLIC_HANDLE_RESOLVER_URL ||
++  env('NEXT_PUBLIC_HANDLE_RESOLVER_URL') ||
+   (process.env.NODE_ENV === 'development'
+     ? 'http://localhost:2584'
+     : 'https://api.bsky.app')
+diff --git a/lib/util.ts b/lib/util.ts
+index 0aa4460..ecec7d1 100644
+--- a/lib/util.ts
++++ b/lib/util.ts
+@@ -1,5 +1,5 @@
+ import { CollectionId } from '@/reports/helpers/subject'
+-import { SOCIAL_APP_URL } from './constants'
++import { SOCIAL_APP_URL, SOCIAL_APP_DOMAIN } from './constants'
+ import { AtUri } from '@atproto/api'
+ 
+ export function classNames(...classes: (string | undefined)[]) {
+@@ -57,7 +57,7 @@ export function takesKeyboardEvt(el?: EventTarget | null) {
+   )
+ }
+ 
+-const blueSkyUrlMatcher = new RegExp('(https?://)?.*bsky.app')
++const blueSkyUrlMatcher = new RegExp('(https?://)?.*'+ `${SOCIAL_APP_DOMAIN}`)
+ 
+ export const isBlueSkyAppUrl = (url: string) => blueSkyUrlMatcher.test(url)
+ 
+diff --git a/package.json b/package.json
+index 8919841..750dce9 100644
+--- a/package.json
++++ b/package.json
+@@ -37,6 +37,7 @@
+     "kbar": "^0.1.0-beta.45",
+     "lande": "^1.0.10",
+     "next": "15.2.4",
++    "next-runtime-env": "^3.2.1",
+     "react": "19.1.0",
+     "react-dom": "19.1.0",
+     "react-dropzone": "^14.3.5",

patching/121-ozone-constants-fix.patch

@@ -0,0 +1,99 @@
+--- a/lib/constants.ts
++++ b/lib/constants.ts
+@@ -1,29 +1,32 @@
++import { env } from 'next-runtime-env';
++
+ export const OAUTH_SCOPE = 'atproto transition:generic transition:chat.bsky'
+ 
+ export const OZONE_SERVICE_DID =
+-  process.env.NEXT_PUBLIC_OZONE_SERVICE_DID || undefined
++  env('NEXT_PUBLIC_OZONE_SERVICE_DID') || undefined
+ 
+ export const OZONE_PUBLIC_URL =
+-  process.env.NEXT_PUBLIC_OZONE_PUBLIC_URL || undefined
++  env('NEXT_PUBLIC_OZONE_PUBLIC_URL') || undefined
+ 
+ export const PLC_DIRECTORY_URL =
+-  process.env.NEXT_PUBLIC_PLC_DIRECTORY_URL ||
++  env('NEXT_PUBLIC_PLC_DIRECTORY_URL') ||
+   (process.env.NODE_ENV === 'development'
+     ? 'http://localhost:2582'
+     : 'https://plc.directory')
+ 
+-export const QUEUE_CONFIG = process.env.NEXT_PUBLIC_QUEUE_CONFIG || '{}'
++export const QUEUE_CONFIG = env('NEXT_PUBLIC_QUEUE_CONFIG') || '{}'
+ 
+-export const QUEUE_SEED = process.env.NEXT_PUBLIC_QUEUE_SEED || ''
++export const QUEUE_SEED = env('NEXT_PUBLIC_QUEUE_SEED') || ''
+ 
++export const SOCIAL_APP_DOMAIN = env('NEXT_PUBLIC_SOCIAL_APP_DOMAIN') || 'bsky.app'
+ export const SOCIAL_APP_URL =
+-  process.env.NEXT_PUBLIC_SOCIAL_APP_URL ||
++  env('NEXT_PUBLIC_SOCIAL_APP_URL') ||
+   (process.env.NODE_ENV === 'development'
+     ? 'http://localhost:2584'
+-    : 'https://bsky.app')
++    : `https://${SOCIAL_APP_DOMAIN}`)
+ 
+ export const HANDLE_RESOLVER_URL =
+-  process.env.NEXT_PUBLIC_HANDLE_RESOLVER_URL ||
++  env('NEXT_PUBLIC_HANDLE_RESOLVER_URL') ||
+   (process.env.NODE_ENV === 'development'
+     ? 'http://localhost:2584'
+     : 'https://api.bsky.app')
+@@ -36,25 +39,25 @@
+ 
+ export const NEW_ACCOUNT_MARKER_THRESHOLD_IN_DAYS = process.env
+   .NEXT_PUBLIC_NEW_ACCOUNT_MARKER_THRESHOLD_IN_DAYS
+-  ? parseInt(process.env.NEXT_PUBLIC_NEW_ACCOUNT_MARKER_THRESHOLD_IN_DAYS)
++  ? parseInt(env('NEXT_PUBLIC_NEW_ACCOUNT_MARKER_THRESHOLD_IN_DAYS'))
+   : 7
+ 
+ export const YOUNG_ACCOUNT_MARKER_THRESHOLD_IN_DAYS = process.env
+   .NEXT_PUBLIC_YOUNG_ACCOUNT_MARKER_THRESHOLD_IN_DAYS
+-  ? parseInt(process.env.NEXT_PUBLIC_YOUNG_ACCOUNT_MARKER_THRESHOLD_IN_DAYS)
++  ? parseInt(env('NEXT_PUBLIC_YOUNG_ACCOUNT_MARKER_THRESHOLD_IN_DAYS'))
+   : 30
+ 
+ export const DOMAINS_ALLOWING_EMAIL_COMMUNICATION = (
+-  process.env.NEXT_PUBLIC_DOMAINS_ALLOWING_EMAIL_COMMUNICATION || ''
++  env('NEXT_PUBLIC_DOMAINS_ALLOWING_EMAIL_COMMUNICATION') || ''
+ ).split(',')
+ 
+ export const HIGH_PROFILE_FOLLOWER_THRESHOLD = process.env
+   .NEXT_PUBLIC_HIGH_PROFILE_FOLLOWER_THRESHOLD
+-  ? parseInt(process.env.NEXT_PUBLIC_HIGH_PROFILE_FOLLOWER_THRESHOLD)
++  ? parseInt(env('NEXT_PUBLIC_HIGH_PROFILE_FOLLOWER_THRESHOLD'))
+   : Infinity
+ 
+ export const FALLBACK_VIDEO_URL = (
+-  process.env.NEXT_PUBLIC_FALLBACK_VIDEO_URL || ''
++  env('NEXT_PUBLIC_FALLBACK_VIDEO_URL') || ''
+ ).split(':')
+ 
+ // strike to account suspension duration mapping (in hours)
+@@ -87,18 +90,18 @@
+ 
+ export const STRIKE_TO_SUSPENSION_DURATION_IN_HOURS =
+   parseStrikeSuspensionConfig(
+-    process.env.NEXT_PUBLIC_STRIKE_SUSPENSION_CONFIG || '',
++    env('NEXT_PUBLIC_STRIKE_SUSPENSION_CONFIG') || '',
+   )
+ 
+ export const AUTOMATED_ACTION_EMAIL_IDS = {
+   warningWithTakedown:
+-    process.env.NEXT_PUBLIC_WARNING_WITH_TAKEDOWN_EMAIL_TEMPLATE_ID,
++    env('NEXT_PUBLIC_WARNING_WITH_TAKEDOWN_EMAIL_TEMPLATE_ID'),
+   suspensionWithTakedown:
+-    process.env.NEXT_PUBLIC_SUSPENSION_WITH_TAKEDOWN_EMAIL_TEMPLATE_ID,
++    env('NEXT_PUBLIC_SUSPENSION_WITH_TAKEDOWN_EMAIL_TEMPLATE_ID'),
+   suspensionWithoutTakedown:
+-    process.env.NEXT_PUBLIC_SUSPENSION_WITHOUT_TAKEDOWN_EMAIL_TEMPLATE_ID,
++    env('NEXT_PUBLIC_SUSPENSION_WITHOUT_TAKEDOWN_EMAIL_TEMPLATE_ID'),
+   permanentTakedown:
+-    process.env.NEXT_PUBLIC_PERMANENT_TAKEDOWN_EMAIL_TEMPLATE_ID,
++    env('NEXT_PUBLIC_PERMANENT_TAKEDOWN_EMAIL_TEMPLATE_ID'),
+   takedownWithoutStrike:
+-    process.env.NEXT_PUBLIC_TAKEDOWN_WITHOUT_STRIKE_EMAIL_TEMPLATE_ID,
++    env('NEXT_PUBLIC_TAKEDOWN_WITHOUT_STRIKE_EMAIL_TEMPLATE_ID'),
+ }

patching/122-ozone-enable-daemon.diff

@@ -0,0 +1,82 @@
+diff --git a/service/index.js b/service/index.js
+index 943c281..7721cd9 100644
+--- a/service/index.js
++++ b/service/index.js
+@@ -1,5 +1,7 @@
+ const next = require('next')
+-const {
++const ozone = require('@atproto/ozone')
++/*
++{
+   readEnv,
+   httpLogger,
+   envToCfg,
+@@ -7,6 +9,7 @@ const {
+   OzoneService,
+   Database,
+ } = require('@atproto/ozone')
++*/
+ const pkg = require('@atproto/ozone/package.json')
+ 
+ async function main() {
+@@ -16,37 +19,48 @@ async function main() {
+   const frontendHandler = frontend.getRequestHandler()
+   await frontend.prepare()
+   // backend
+-  const env = readEnv()
++  const env = ozone.readEnv()
+   env.version ??= pkg.version
+-  const config = envToCfg(env)
+-  const secrets = envToSecrets(env)
++  const config = ozone.envToCfg(env)
++  const secrets = ozone.envToSecrets(env)
+   const migrate = process.env.OZONE_DB_MIGRATE === '1'
+   if (migrate) {
+-    const db = new Database({
++    const db = new ozone.Database({
+       url: config.db.postgresUrl,
+       schema: config.db.postgresSchema,
+     })
+     await db.migrateToLatestOrThrow()
+     await db.close()
+   }
+-  const ozone = await OzoneService.create(config, secrets)
++  const server = await ozone.OzoneService.create(config, secrets)
+   // setup handlers
+-  ozone.app.get('/.well-known/ozone-metadata.json', (_req, res) => {
++  server.app.get('/.well-known/ozone-metadata.json', (_req, res) => {
+     return res.json({
+-      did: ozone.ctx.cfg.service.did,
+-      url: ozone.ctx.cfg.service.publicUrl,
+-      publicKey: ozone.ctx.signingKey.did(),
++      did: server.ctx.cfg.service.did,
++      url: server.ctx.cfg.service.publicUrl,
++      publicKey: server.ctx.signingKey.did(),
+     })
+   })
+   // Note: We must use `use()` here. This should be the last middleware.
+-  ozone.app.use((req, res) => {
++  server.app.use((req, res) => {
+     void frontendHandler(req, res, undefined)
+   })
+   // run
+-  const httpServer = await ozone.start()
++  const httpServer = await server.start()
++  // starts: involve ops from atproto/packages/dev-env/src/ozone.ts >>>
++  ozone.httpLogger.info('starts ozone daemon')
++  const daemon = await ozone.OzoneDaemon.create(config, secrets)
++  await daemon.start()
++  //if (process.env.OZONE_ENABLE_EVENT_REVERSER != 'true') // atproto/services/ozone/daemon.js doesn't stop eventReverser
++  //{
++  //    ozone.httpLogger.info('disable ozone daemon eventReverser')
++  //    await daemon.ctx.eventReverser.destroy()
++  //}
++  // ends: involve ops from atproto/packages/dev-env/src/ozone.ts <<<
++
+   /** @type {import('net').AddressInfo} */
+   const addr = httpServer.address()
+-  httpLogger.info(`Ozone is running at http://localhost:${addr.port}`)
++  ozone.httpLogger.info(`Ozone is running at http://localhost:${addr.port}`)
+ }
+ 
+ main().catch(console.error)

patching/130-atproto-ozone-enable-daemon-v2.patch

@@ -0,0 +1,28 @@
+--- a/services/ozone/api.js
++++ b/services/ozone/api.js
+@@ -23,6 +23,7 @@
+   Database,
+   OzoneService,
+   envToCfg,
++  OzoneDaemon,
+   envToSecrets,
+   httpLogger,
+   readEnv,
+@@ -79,10 +80,17 @@
+ 
+   httpLogger.info('ozone is running')
+ 
++  // Start OzoneDaemon for label events
++  httpLogger.info('starting ozone daemon')
++  const daemon = await OzoneDaemon.create(cfg, secrets)
++  await daemon.start()
++  httpLogger.info('ozone daemon is running')
++
+   // Graceful shutdown (see also https://aws.amazon.com/blogs/containers/graceful-shutdowns-with-ecs/)
+   process.on('SIGTERM', async () => {
+     httpLogger.info('ozone is stopping')
+ 
++    await daemon.destroy()
+     await ozone.destroy()
+ 
+     httpLogger.info('ozone is stopped')

patching/130-atproto-ozone-enable-daemon.patch

@@ -0,0 +1,33 @@
+--- a/services/ozone/api.js
++++ b/services/ozone/api.js
+@@ -20,6 +20,7 @@ const {
+   MultiImageInvalidator,
+ } = require('@atproto/aws')
+ const {
+   Database,
+   OzoneService,
++  OzoneDaemon,
+   envToCfg,
+   envToSecrets,
+   httpLogger,
+@@ -76,10 +77,17 @@ const main = async () => {
+   const ozone = await OzoneService.create(cfg, secrets, { imgInvalidator })
+
+   await ozone.start()
+
+   httpLogger.info('ozone is running')
+
++  // Start OzoneDaemon for label events
++  httpLogger.info('starting ozone daemon')
++  const daemon = await OzoneDaemon.create(cfg, secrets)
++  await daemon.start()
++  httpLogger.info('ozone daemon is running')
++
+   // Graceful shutdown (see also https://aws.amazon.com/blogs/containers/graceful-shutdowns-with-ecs/)
+   process.on('SIGTERM', async () => {
+     httpLogger.info('ozone is stopping')
+
++    await daemon.destroy()
+     await ozone.destroy()
+
+     httpLogger.info('ozone is stopped')

patching/4367-atproto-services-bsky-api.diff

@@ -0,0 +1,160 @@
+--- a/services/bsky/api.js	2025-12-03 11:04:54
++++ b/services/bsky/api.js	2025-12-03 11:00:02
+@@ -1,62 +1,105 @@
+ /* eslint-env node */
+ /* eslint-disable import/order */
+-
++// https://github.com/bluesky-social/atproto/blob/main/services/bsky/api.js
+ 'use strict'
+ 
+-const dd = require('dd-trace')
++//const dd = require('dd-trace')
++//
++//dd.tracer
++//  .init()
++//  .use('http2', {
++//    client: true, // calls into dataplane
++//    server: false,
++//  })
++//  .use('express', {
++//    hooks: {
++//      request: (span, req) => {
++//        maintainXrpcResource(span, req)
++//      },
++//    },
++//  })
+ 
+-dd.tracer
+-  .init()
+-  .use('http2', {
+-    client: true, // calls into dataplane
+-    server: false,
+-  })
+-  .use('express', {
+-    hooks: {
+-      request: (span, req) => {
+-        maintainXrpcResource(span, req)
+-      },
+-    },
+-  })
+-
+ // modify tracer in order to track calls to dataplane as a service with proper resource names
+ const DATAPLANE_PREFIX = '/bsky.Service/'
+-const origStartSpan = dd.tracer._tracer.startSpan
+-dd.tracer._tracer.startSpan = function (name, options) {
+-  if (
+-    name !== 'http.request' ||
+-    options?.tags?.component !== 'http2' ||
+-    !options?.tags?.['http.url']
+-  ) {
+-    return origStartSpan.call(this, name, options)
+-  }
+-  const uri = new URL(options.tags['http.url'])
+-  if (!uri.pathname.startsWith(DATAPLANE_PREFIX)) {
+-    return origStartSpan.call(this, name, options)
+-  }
+-  options.tags['service.name'] = 'dataplane-bsky'
+-  options.tags['resource.name'] = uri.pathname.slice(DATAPLANE_PREFIX.length)
+-  return origStartSpan.call(this, name, options)
+-}
++//const origStartSpan = dd.tracer._tracer.startSpan
++//dd.tracer._tracer.startSpan = function (name, options) {
++//  if (
++//    name !== 'http.request' ||
++//    options?.tags?.component !== 'http2' ||
++//    !options?.tags?.['http.url']
++//  ) {
++//    return origStartSpan.call(this, name, options)
++//  }
++//  const uri = new URL(options.tags['http.url'])
++//  if (!uri.pathname.startsWith(DATAPLANE_PREFIX)) {
++//    return origStartSpan.call(this, name, options)
++//  }
++//  options.tags['service.name'] = 'dataplane-bsky'
++//  options.tags['resource.name'] = uri.pathname.slice(DATAPLANE_PREFIX.length)
++//  return origStartSpan.call(this, name, options)
++//}
+ 
+ // Tracer code above must come before anything else
+ const assert = require('node:assert')
+ const cluster = require('node:cluster')
+ const path = require('node:path')
+ 
+-const { BskyAppView, ServerConfig } = require('@atproto/bsky')
+-const { Secp256k1Keypair } = require('@atproto/crypto')
++const bsky = require('/app/packages/bsky') // import all bsky features
++const { Secp256k1Keypair } = require('/app/packages/crypto')
+ 
+ const main = async () => {
+   const env = getEnv()
+-  const config = ServerConfig.readEnv()
++  const config = bsky.ServerConfig.readEnv()
+   assert(env.serviceSigningKey, 'must set BSKY_SERVICE_SIGNING_KEY')
+   const signingKey = await Secp256k1Keypair.import(env.serviceSigningKey)
+-  const bsky = BskyAppView.create({ config, signingKey })
+-  await bsky.start()
++
++// starts: involve logics in packages/dev-env/src/bsky.ts >>>>>>>>>>>>>
++// Separate migration db in case migration changes some connection state that we need in the tests, e.g. "alter database ... set ..."
++  const migrationDb = new bsky.Database({
++      url: env.dbPostgresUrl,
++      schema: env.dbPostgresSchema,
++    })
++  if (env.migration) {
++      await migrationDb.migrateToOrThrow(env.migration)
++  } else {
++      await migrationDb.migrateToLatestOrThrow()
++  }
++  await migrationDb.close()
++
++  const db = new bsky.Database({
++      url: env.dbPostgresUrl,
++      schema: env.dbPostgresSchema,
++      poolSize: 10,
++  })
++
++  const dataplane = await bsky.DataPlaneServer.create(
++      db,
++      env.dataplanePort,
++      config.didPlcUrl
++  )
++
++  const bsync = await bsky.MockBsync.create(db, env.bsyncPort)
++
++// ends: involve logics in packages/dev-env/src/bsky.ts   <<<<<<<<<<<<<
++
++  const server = bsky.BskyAppView.create({ config, signingKey })
++// starts: involve logics in packages/dev-env/src/bsky.ts >>>>>>>>>>>>>
++  const sub = new bsky.RepoSubscription({
++      service: env.repoProvider,
++      db,
++      idResolver: dataplane.idResolver,
++      background: new bsky.BackgroundQueue(db),
++    })
++// ends: involve logics in packages/dev-env/src/bsky.ts   <<<<<<<<<<<<<
++  await server.start()
++  sub.start() // involve logics in packages/dev-env/src/bsky.ts
+   // Graceful shutdown (see also https://aws.amazon.com/blogs/containers/graceful-shutdowns-with-ecs/)
+   const shutdown = async () => {
+-    await bsky.destroy()
++    await server.destroy()
++    await bsync.destroy()
++    await dataplane.destroy()
++    await sub.destroy()
++    await db.close()
+   }
+   process.on('SIGTERM', shutdown)
+   process.on('disconnect', shutdown) // when clustering
+@@ -64,6 +107,12 @@
+ 
+ const getEnv = () => ({
+   serviceSigningKey: process.env.BSKY_SERVICE_SIGNING_KEY || undefined,
++  dbPostgresUrl:     process.env.BSKY_DB_POSTGRES_URL     || undefined,
++  dbPostgresSchema:  process.env.BSKY_DB_POSTGRES_SCHEMA  || undefined,
++  dataplanePort :    maybeParseInt(process.env.BSKY_DATAPLANE_PORT)     || undefined,
++  bsyncPort :        maybeParseInt(process.env.BSKY_BSYNC_PORT)         || undefined,
++  migration:         process.env.ENABLE_MIGRATIONS === 'true'           || undefined,
++  repoProvider:      process.env.BSKY_REPO_PROVIDER                     || undefined
+ })
+ 
+ const maybeParseInt = (str) => {

patching/4367-atproto-services-pds-index.diff

@@ -0,0 +1,20 @@
+--- a/services/pds/index.js	2025-12-03 11:04:54
++++ b/services/pds/index.js	2025-12-02 22:11:39
+@@ -1,5 +1,5 @@
+ /* eslint-env node */
+-
++// https://github.com/bluesky-social/atproto/blob/main/services/pds/index.js
+ 'use strict'
+ 
+ const {
+@@ -8,8 +8,8 @@
+   envToSecrets,
+   httpLogger,
+   readEnv,
+-} = require('@atproto/pds')
+-const pkg = require('@atproto/pds/package.json')
++} = require('/app/packages/pds')
++const pkg = require('/app/packages/pds/package.json')
+ 
+ const main = async () => {
+   const env = readEnv()

patching/8980-social-app-disable-external-services.diff

@@ -0,0 +1,17 @@
+--- a/src/state/geolocation/const.ts
++++ b/src/state/geolocation/const.ts
+@@ -3,9 +3,10 @@ import {BAPP_CONFIG_DEV_URL, IS_DEV} from '#/env'
+ import {type Device} from '#/storage'
+
+ export const IPCC_URL = `https://bsky.app/ipcc`
+-export const BAPP_CONFIG_URL_PROD = `https://ip.bsky.app/config`
+-export const BAPP_CONFIG_URL = IS_DEV
+-  ? (BAPP_CONFIG_DEV_URL ?? BAPP_CONFIG_URL_PROD)
+-  : BAPP_CONFIG_URL_PROD
++// Disabled for self-hosted environment to avoid CORS errors
++// export const BAPP_CONFIG_URL_PROD = `https://ip.bsky.app/config`
++// export const BAPP_CONFIG_URL = IS_DEV
++//   ? (BAPP_CONFIG_DEV_URL ?? BAPP_CONFIG_URL_PROD)
++//   : BAPP_CONFIG_URL_PROD
++export const BAPP_CONFIG_URL = null
+ export const GEOLOCATION_CONFIG_URL = BAPP_CONFIG_URL

patching/8980-social-app-disable-proxy.diff

@@ -0,0 +1,44 @@
+diff --git a/src/state/session/agent.ts b/src/state/session/agent.ts
+index 36d19299b..ba095436a 100644
+--- a/src/state/session/agent.ts
++++ b/src/state/session/agent.ts
+@@ -39,7 +39,8 @@ export function createPublicAgent() {
+   configureModerationForGuest() // Side effect but only relevant for tests
+ 
+   const agent = new BskyAppAgent({service: PUBLIC_BSKY_SERVICE})
+-  agent.configureProxy(BLUESKY_PROXY_HEADER.get())
++  // Disable proxy for self-hosted environments
++  // agent.configureProxy(BLUESKY_PROXY_HEADER.get())
+   return agent
+ }
+ 
+@@ -77,7 +78,8 @@ export async function createAgentAndResume(
+     }
+   }
+ 
+-  agent.configureProxy(BLUESKY_PROXY_HEADER.get())
++  // Disable proxy for self-hosted environments
++  // agent.configureProxy(BLUESKY_PROXY_HEADER.get())
+ 
+   return agent.prepare(gates, moderation, onSessionChange)
+ }
+@@ -112,7 +114,8 @@ export async function createAgentAndLogin(
+   const gates = tryFetchGates(account.did, 'prefer-fresh-gates')
+   const moderation = configureModerationForAccount(agent, account)
+ 
+-  agent.configureProxy(BLUESKY_PROXY_HEADER.get())
++  // Disable proxy for self-hosted environments
++  // agent.configureProxy(BLUESKY_PROXY_HEADER.get())
+ 
+   return agent.prepare(gates, moderation, onSessionChange)
+ }
+@@ -201,7 +204,8 @@ export async function createAgentAndCreateAccount(
+     logger.error(e, {message: `session: failed snoozeEmailConfirmationPrompt`})
+   }
+ 
+-  agent.configureProxy(BLUESKY_PROXY_HEADER.get())
++  // Disable proxy for self-hosted environments
++  // agent.configureProxy(BLUESKY_PROXY_HEADER.get())
+ 
+   return agent.prepare(gates, moderation, onSessionChange)
+ }