fix(pds): store blobs from Worker, not the firehose-holding DO

[ascorbic]

Summary

• Follow-up to fix(pds): prevent relay desync after failed write #162. A blob upload (even a small link-card OG image) intermittently triggered Durable Object storage operation exceeded timeout which caused object to be reset on com.atproto.repo.uploadBlob, which dropped the relay's subscribeRepos firehose connection and left it desynced until a manual requestCrawl.
• Root cause: uploadBlob computed the CID and did the R2 put inside the AccountDurableObject. That DO is single-threaded and also holds the firehose WebSocket; awaiting an R2 put inside it pins the input gate, and R2 latency is independent of object size — even a small image can stall long enough for Cloudflare to reset the object.
• Fix: the stateless Worker now computes the CID and writes to R2 directly, mirroring the existing sync.getBlob download path (which already bypasses the DO with the comment "R2ObjectBody can't be serialized across RPC"). The DO is only called for the small imported_blobs tracking row via a new rpcTrackBlob. rpcUploadBlob is removed.

Why #162 didn't cover this

#162 fixed in-memory Repo divergence in the record-write paths. This is a different mechanism: the whole DO is reset, not a caught write error, so that fix can't apply. The two together close both desync paths.

Test plan

• pnpm --filter @getcirrus/pds test:unit — 273 tests pass (incl. blobs.test.ts)
• Production: post a link card with an OG thumbnail repeatedly; confirm the relay keeps tracking with no manual requestCrawl

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Updated (UTC)
✅ Deployment successful! View logs	atproto-pds	5e70483	May 15 2026, 07:10 PM

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/create-pds@165

npm i https://pkg.pr.new/@getcirrus/oauth-provider@165

npm i https://pkg.pr.new/@getcirrus/pds@165

commit: 5e70483