Include package name in healthcheck version (#129)

* chore: report the package name in the healthcheck endpoint

* Format

Author: ascorbic

.changeset/twenty-canyons-run.md

@@ -0,0 +1,5 @@
+---
+"@getcirrus/pds": patch
+---
+
+Include "cirrus" in the version string returned from the health check endpoint.

README.md

@@ -90,11 +90,13 @@ If you've cloned to a new machine and see the "Key Recovery Required" error:
 ### If You've Lost Your Key
 
 **For did:web users:**
+
 - Generate a new key by clearing `.dev.vars` and re-running `pds init`
 - Old signatures become unverifiable – followers may see warnings
 - Your identity continues, but there's no cryptographic proof of continuity
 
 **For did:plc users:**
+
 - If you have a recovery key registered with PLC, you can rotate to a new signing key
 - Without a recovery key, you'll need to start a new identity
 - See the [AT Protocol PLC documentation](https://github.com/did-method-plc/did-method-plc) for recovery operations

packages/create-pds/templates/pds-worker/README.md

@@ -37,6 +37,7 @@ pnpm pds init
 ```
 
 This prompts for:
+
 - **PDS hostname** – The deployment domain (e.g., `pds.example.com`)
 - **Handle** – The Bluesky username (e.g., `alice.example.com`)
 - **Password** – For logging in from Bluesky apps
@@ -97,6 +98,7 @@ pnpm pds identity
 ```
 
 This updates your DID document to point to your new PDS. You'll need to:
+
 1. Enter your password for the source PDS
 2. Enter the confirmation token sent to your email
 
@@ -129,47 +131,48 @@ pnpm pds status                  # Verify everything is working
 
 ## CLI Commands
 
-| Command | Description |
-|---------|-------------|
-| `pnpm pds init` | Interactive setup wizard (prompts for Cloudflare deploy) |
-| `pnpm pds migrate` | Transfer account from source PDS |
-| `pnpm pds migrate --clean` | Reset and re-import data |
-| `pnpm pds identity` | Update DID document to point to new PDS |
-| `pnpm pds activate` | Enable writes (go live) |
-| `pnpm pds deactivate` | Disable writes (for re-import) |
-| `pnpm pds status` | Check account and repository status |
-| `pnpm pds passkey add` | Register a passkey for passwordless login |
-| `pnpm pds secret key` | Generate new signing keypair |
-| `pnpm pds secret jwt` | Generate new JWT secret |
-| `pnpm pds secret password` | Set account password |
+| Command                    | Description                                              |
+| -------------------------- | -------------------------------------------------------- |
+| `pnpm pds init`            | Interactive setup wizard (prompts for Cloudflare deploy) |
+| `pnpm pds migrate`         | Transfer account from source PDS                         |
+| `pnpm pds migrate --clean` | Reset and re-import data                                 |
+| `pnpm pds identity`        | Update DID document to point to new PDS                  |
+| `pnpm pds activate`        | Enable writes (go live)                                  |
+| `pnpm pds deactivate`      | Disable writes (for re-import)                           |
+| `pnpm pds status`          | Check account and repository status                      |
+| `pnpm pds passkey add`     | Register a passkey for passwordless login                |
+| `pnpm pds secret key`      | Generate new signing keypair                             |
+| `pnpm pds secret jwt`      | Generate new JWT secret                                  |
+| `pnpm pds secret password` | Set account password                                     |
 
 Add `--dev` to target your local development server instead of production.
 
 ## Configuration
 
 ### Public Variables (wrangler.jsonc)
 
-| Variable | Description |
-|----------|-------------|
-| `PDS_HOSTNAME` | Public hostname (e.g., pds.example.com) |
-| `DID` | Account DID |
-| `HANDLE` | Account handle |
-| `SIGNING_KEY_PUBLIC` | Public key for DID document |
+| Variable             | Description                             |
+| -------------------- | --------------------------------------- |
+| `PDS_HOSTNAME`       | Public hostname (e.g., pds.example.com) |
+| `DID`                | Account DID                             |
+| `HANDLE`             | Account handle                          |
+| `SIGNING_KEY_PUBLIC` | Public key for DID document             |
 
 ### Secrets (.dev.vars or Cloudflare)
 
-| Variable | Description |
-|----------|-------------|
-| `AUTH_TOKEN` | Bearer token for API write operations |
-| `SIGNING_KEY` | Private signing key |
-| `JWT_SECRET` | Secret for session tokens |
-| `PASSWORD_HASH` | Bcrypt hash of the account password |
+| Variable        | Description                           |
+| --------------- | ------------------------------------- |
+| `AUTH_TOKEN`    | Bearer token for API write operations |
+| `SIGNING_KEY`   | Private signing key                   |
+| `JWT_SECRET`    | Secret for session tokens             |
+| `PASSWORD_HASH` | Bcrypt hash of the account password   |
 
 ## Handle Verification
 
 Bluesky verifies control of the handle domain.
 
 **If the handle matches the PDS hostname** (for example, both are `pds.example.com`):
+
 - No extra setup needed. The PDS handles verification automatically.
 
 **If the handle is on a different domain** (for example, handle `alice.example.com`, PDS at `pds.example.com`):
@@ -205,12 +208,14 @@ Ensure the worker is deployed (`pnpm run deploy`) or the dev server is running (
 ### "Failed to resolve handle"
 
 Check the handle configuration:
+
 - For DNS verification: ensure the TXT record has propagated (`dig TXT _atproto.yourhandle.com`)
 - For same-domain handles: ensure the PDS is accessible at `https://yourdomain.com/.well-known/atproto-did`
 
 ### Migration issues
 
 If migration fails partway through:
+
 - Run `pnpm pds migrate` again to resume from where you left off
 - Use `pnpm pds migrate --clean` to start fresh (only on deactivated accounts)
 

packages/oauth-provider/README.md

@@ -29,28 +29,28 @@ import { OAuthStorage } from "./your-storage-implementation";
 
 // Initialize the provider
 const provider = new OAuthProvider({
-  issuer: "https://your-pds.example.com",
-  storage: new OAuthStorage(),
+	issuer: "https://your-pds.example.com",
+	storage: new OAuthStorage(),
 });
 
 // Handle OAuth endpoints in your Worker
 app.post("/oauth/par", async (c) => {
-  const result = await provider.handlePAR(await c.req.formData());
-  return c.json(result);
+	const result = await provider.handlePAR(await c.req.formData());
+	return c.json(result);
 });
 
 app.get("/oauth/authorize", async (c) => {
-  const result = await provider.handleAuthorize(c.req.url);
-  // Show authorization UI to user
-  return c.html(renderAuthUI(result));
+	const result = await provider.handleAuthorize(c.req.url);
+	// Show authorization UI to user
+	return c.html(renderAuthUI(result));
 });
 
 app.post("/oauth/token", async (c) => {
-  const result = await provider.handleToken(
-    await c.req.formData(),
-    c.req.header("DPoP"),
-  );
-  return c.json(result);
+	const result = await provider.handleToken(
+		await c.req.formData(),
+		c.req.header("DPoP"),
+	);
+	return c.json(result);
 });
 ```
 
@@ -72,29 +72,29 @@ The provider uses a storage interface that you implement for your backend:
 
 ```typescript
 export interface OAuthProviderStorage {
-  // Authorization codes
-  saveAuthCode(code: string, data: AuthCodeData): Promise<void>;
-  getAuthCode(code: string): Promise<AuthCodeData | null>;
-  deleteAuthCode(code: string): Promise<void>;
-
-  // Access/refresh tokens
-  saveTokens(data: TokenData): Promise<void>;
-  getTokenByAccess(accessToken: string): Promise<TokenData | null>;
-  getTokenByRefresh(refreshToken: string): Promise<TokenData | null>;
-  revokeToken(accessToken: string): Promise<void>;
-  revokeAllTokens(sub: string): Promise<void>;
-
-  // Client metadata cache
-  saveClient(clientId: string, metadata: ClientMetadata): Promise<void>;
-  getClient(clientId: string): Promise<ClientMetadata | null>;
-
-  // PAR (Pushed Authorization Requests)
-  savePAR(requestUri: string, data: PARData): Promise<void>;
-  getPAR(requestUri: string): Promise<PARData | null>;
-  deletePAR(requestUri: string): Promise<void>;
-
-  // DPoP nonce tracking
-  checkAndSaveNonce(nonce: string): Promise<boolean>;
+	// Authorization codes
+	saveAuthCode(code: string, data: AuthCodeData): Promise<void>;
+	getAuthCode(code: string): Promise<AuthCodeData | null>;
+	deleteAuthCode(code: string): Promise<void>;
+
+	// Access/refresh tokens
+	saveTokens(data: TokenData): Promise<void>;
+	getTokenByAccess(accessToken: string): Promise<TokenData | null>;
+	getTokenByRefresh(refreshToken: string): Promise<TokenData | null>;
+	revokeToken(accessToken: string): Promise<void>;
+	revokeAllTokens(sub: string): Promise<void>;
+
+	// Client metadata cache
+	saveClient(clientId: string, metadata: ClientMetadata): Promise<void>;
+	getClient(clientId: string): Promise<ClientMetadata | null>;
+
+	// PAR (Pushed Authorization Requests)
+	savePAR(requestUri: string, data: PARData): Promise<void>;
+	getPAR(requestUri: string): Promise<PARData | null>;
+	deletePAR(requestUri: string): Promise<void>;
+
+	// DPoP nonce tracking
+	checkAndSaveNonce(nonce: string): Promise<boolean>;
 }
 ```
 
@@ -122,8 +122,8 @@ Response:
 
 ```json
 {
-  "request_uri": "urn:ietf:params:oauth:request_uri:XXXXXX",
-  "expires_in": 90
+	"request_uri": "urn:ietf:params:oauth:request_uri:XXXXXX",
+	"expires_in": 90
 }
 ```
 
@@ -162,12 +162,12 @@ Response:
 
 ```json
 {
-  "access_token": "XXXXXX",
-  "token_type": "DPoP",
-  "expires_in": 3600,
-  "refresh_token": "YYYYYY",
-  "scope": "atproto",
-  "sub": "did:plc:abc123"
+	"access_token": "XXXXXX",
+	"token_type": "DPoP",
+	"expires_in": 3600,
+	"refresh_token": "YYYYYY",
+	"scope": "atproto",
+	"sub": "did:plc:abc123"
 }
 ```
 
@@ -202,14 +202,14 @@ Clients are identified by a URL pointing to their metadata document:
 
 ```json
 {
-  "client_id": "https://client.example.com/client-metadata.json",
-  "client_name": "Example App",
-  "redirect_uris": ["https://client.example.com/callback"],
-  "grant_types": ["authorization_code", "refresh_token"],
-  "response_types": ["code"],
-  "scope": "atproto",
-  "token_endpoint_auth_method": "none",
-  "application_type": "web"
+	"client_id": "https://client.example.com/client-metadata.json",
+	"client_name": "Example App",
+	"redirect_uris": ["https://client.example.com/callback"],
+	"grant_types": ["authorization_code", "refresh_token"],
+	"response_types": ["code"],
+	"scope": "atproto",
+	"token_endpoint_auth_method": "none",
+	"application_type": "web"
 }
 ```
 
@@ -224,15 +224,15 @@ This provider is designed to work seamlessly with `@atproto/oauth-client`:
 import { OAuthClient } from "@atproto/oauth-client";
 
 const client = new OAuthClient({
-  clientMetadata: {
-    client_id: "https://my-app.example.com/client-metadata.json",
-    redirect_uris: ["https://my-app.example.com/callback"],
-  },
+	clientMetadata: {
+		client_id: "https://my-app.example.com/client-metadata.json",
+		redirect_uris: ["https://my-app.example.com/callback"],
+	},
 });
 
 // Initiate login
 const authUrl = await client.authorize("https://user-pds.example.com", {
-  scope: "atproto",
+	scope: "atproto",
 });
 
 // Handle callback
@@ -245,8 +245,8 @@ The provider returns standard OAuth 2.1 error responses:
 
 ```json
 {
-  "error": "invalid_request",
-  "error_description": "Missing required parameter: code_challenge"
+	"error": "invalid_request",
+	"error_description": "Missing required parameter: code_challenge"
 }
 ```