Add pdscheck — pure-client-side PDS conformance verifier (#174)

* feat(check): add pdscheck — a pure-client-side PDS conformance verifier

New app at apps/check/ (deployed to check.cirrus.earth). Solid + Vite +
Tailwind v4, served as static assets via Wrangler. Tests AT Protocol PDS
conformance across three modes:

- Read-only: identity resolution, server endpoints, repo reads, sync 1.1
  firehose, blobs, OAuth discovery
- Write tests: lifecycle of createRecord / applyWrites / uploadBlob /
  putRecord / deleteRecord (OAuth-authenticated, ephemeral session)
- OAuth conformance: full PAR + DPoP + PKCE + iss + revocation flow, with
  isolated probes for unregistered redirect_uri rejection, permission-set
  resolution (bogus, advertised, and published site.standard.authFull),
  and post-token scope/boundary enforcement

Firehose sampling uses cursor=0 historical replay with cap (200) /
timeout (8s) / inactivity (1.5s) / diversity-aware exit (creates +
updates/deletes seen). Reports termination reason so users can tell
"hit the cap" from "PDS went idle".

Validates every response against atcute lexicon schemas and links every
check to its spec section. Designed to be a one-stop conformance check
for anyone running a PDS implementation.

* fix(check): handle permission-set expansion in scope-echoed check

Permission sets get resolved by the AS into either an echoed include:
literal (the grant preserves the reference; AS recomputes at refresh)
or expanded resource scopes (a snapshot of the computed permissions).
Both are spec-valid — atproto.com/specs/permission doesn't mandate
either representation in the token's scope claim.

Previously the check flagged the expanded form as a "narrowing" because
the include: token was dropped and replaced with repo?collection=X&...
tokens. Now it recognizes pure expansion (only include: dropped, scopes
added) as a pass with the expansion surfaced as evidence.

Also teach scopeGrantsWriteTo about the multi-collection token form
(repo?collection=X&collection=Y) that expansion produces, alongside the
existing single-collection form (repo:X). Without this, boundary write
checks falsely reported no write coverage after a permission set
expanded.

* fix(check): align granular-scope discovery checks with actual spec

Two of the three granular-scope advertisement checks were checking for
syntax that pre-dated the final atproto.com/specs/permission spec and
flagged spec-conformant ASes as warnings:

- scope-phase2-granular looked for repo:read, repo:write:<nsid>,
  account.*, pds.* — none of these are in the actual spec. The real
  grammar uses bare resource-type tokens (repo, rpc, blob, account,
  identity) with parameters appended at request time by the client.
  Removed entirely; it was redundant with scope-resource-buckets.

- scope-permission-sets looked for include:<nsid> strings in
  scopes_supported, but specific NSIDs are dynamically resolved at PAR
  time via lexicon resolution — the AS only advertises bare `include`
  as a resource type. Updated to check for that.

- scope-resource-buckets reworked to expect all five resource tokens
  (repo, rpc, blob, identity, account) and warn on partial coverage.

Spec URLs now point at atproto.com/specs/permission instead of the
obsolete proposal discussion thread.

* feat(check): pivot to other check modes from OAuth result page

The OAuth conformance result only offered "verify a different account",
forcing users back to the landing page when they wanted to also run
read-only or write tests against the same target. Add the same pivot
buttons RunView already shows.

The handlers exit the flow first (clearing flow state and signing out),
then start the requested run mode against the OAuth target.

* fix(check): drop grade letter, keep score

* feat(check): sample live firehose during write probe

The anonymous firehose sample is historical (cursor=0), so on long-lived
PDSes every #commit frame can predate the Sync 1.1 upgrade — producing
false fails on `commit-has-prevdata` and `commit-ops-have-prev`.

Two changes:

- Anonymous: downgrade the strict pass/fail to a tri-state. Any sampled
  frame with prevData → pass. None at all → warn (ambiguous: PDS may not
  support Sync 1.1, or the sample may predate the upgrade). Same shape
  for ops[].prev on update/delete.
- Authenticated write probe: subscribe to the firehose with no cursor
  before the create/applyWrites/uploadBlob/delete run, then close +
  validate after. Fresh frames go through the same validators in strict
  mode, giving a definitive Sync 1.1 verdict.

* Fix docs builds

* chore(check): drop empty test script

The package has no test files; vitest run was failing CI with
"No test files found" plus a jsdom env-detection complaint.
Removing the script lets pnpm's filtered test runner skip the
package cleanly.

* chore(check): drop unused deps + knip ignores worktrees

apps/check was pulling six runtime deps and vitest with no consumers:
@atcute/bluesky, @atcute/tid, @kobalte/core, @solid-primitives/storage,
jose, multiformats. Drop them from package.json. Also un-export two
oauth-flow helpers that are only used within the same module.

Ignore .claude/** in knip — local subagent worktrees pollute results
without affecting CI.

Author: ascorbic

apps/check/.gitignore

@@ -0,0 +1,10 @@
+node_modules
+dist
+.wrangler
+.dev.vars*
+!.dev.vars.example
+.env*
+!.env.example
+*.tsbuildinfo
+.DS_Store
+*.log

apps/check/index.html

@@ -0,0 +1,18 @@
+<!doctype html>
+<html lang="en">
+	<head>
+		<meta charset="UTF-8" />
+		<meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover" />
+		<meta name="color-scheme" content="light dark" />
+		<meta name="description" content="Verify your AT Protocol PDS." />
+		<title>☁️ check</title>
+		<link
+			rel="icon"
+			href="data:image/svg+xml,%3Csvg%20xmlns='http://www.w3.org/2000/svg'%20viewBox='0%200%20100%20100'%3E%3Ctext%20y='.9em'%20font-size='90'%3E%E2%98%81%EF%B8%8F%3C/text%3E%3C/svg%3E"
+		/>
+	</head>
+	<body>
+		<div id="root"></div>
+		<script type="module" src="/src/main.tsx"></script>
+	</body>
+</html>

apps/check/lexicons/earth/cirrus/check/testrecord.json

@@ -0,0 +1,45 @@
+{
+	"lexicon": 1,
+	"id": "earth.cirrus.check.testrecord",
+	"description": "Ephemeral test record created by pdscheck during PDS write verification. Records of this type are created and deleted within a single verification run; any leftover record can be safely deleted by hand. The namespace does not federate to app.bsky.* services.",
+	"defs": {
+		"main": {
+			"type": "record",
+			"description": "A disposable verification artifact.",
+			"key": "tid",
+			"record": {
+				"type": "object",
+				"required": ["createdAt"],
+				"properties": {
+					"createdAt": {
+						"type": "string",
+						"format": "datetime",
+						"description": "When this record was created."
+					},
+					"message": {
+						"type": "string",
+						"description": "Human-readable identifier — typically a fixed string flagging that the record is safe to delete.",
+						"maxLength": 256
+					},
+					"verifier": {
+						"type": "string",
+						"format": "uri",
+						"description": "Origin of the pdscheck instance that created the record, for tracing leftovers back to a specific verifier deployment.",
+						"maxLength": 256
+					},
+					"runId": {
+						"type": "string",
+						"description": "Identifier of the verification run that created the record. Useful for correlating leftovers with a specific test execution.",
+						"maxLength": 64
+					},
+					"blob": {
+						"type": "blob",
+						"description": "Optional blob attachment used to exercise uploadBlob and blob references.",
+						"accept": ["*/*"],
+						"maxSize": 1048576
+					}
+				}
+			}
+		}
+	}
+}

apps/check/package.json

@@ -0,0 +1,37 @@
+{
+	"name": "@getcirrus/check",
+	"version": "0.0.0",
+	"private": true,
+	"type": "module",
+	"description": "Web-based PDS verifier for AT Protocol",
+	"scripts": {
+		"dev": "vite",
+		"build": "vite build",
+		"preview": "vite preview",
+		"wrangler:dev": "wrangler dev",
+		"deploy": "vite build && wrangler deploy",
+		"check": "tsc --noEmit"
+	},
+	"dependencies": {
+		"@atcute/atproto": "^4.0.0",
+		"@atcute/cbor": "^2.3.3",
+		"@atcute/cid": "^2.4.1",
+		"@atcute/client": "^5.0.0",
+		"@atcute/identity": "^2.0.0",
+		"@atcute/identity-resolver": "^2.0.0",
+		"@atcute/lexicons": "^2.0.0",
+		"@atcute/oauth-browser-client": "^4.0.0",
+		"@ipld/car": "^5.4.6",
+		"idb-keyval": "^6.2.4",
+		"oauth4webapi": "^3.8.6",
+		"solid-js": "^1.9.13"
+	},
+	"devDependencies": {
+		"@tailwindcss/vite": "^4.3.0",
+		"tailwindcss": "^4.3.0",
+		"typescript": "^6.0.3",
+		"vite": "^8.0.14",
+		"vite-plugin-solid": "^2.11.12",
+		"wrangler": "^4.94.0"
+	}
+}

apps/check/public/client-metadata.json

@@ -0,0 +1,15 @@
+{
+	"client_id": "https://check.cirrus.earth/client-metadata.json",
+	"client_name": "check · a PDS validator",
+	"client_uri": "https://check.cirrus.earth",
+	"redirect_uris": [
+		"https://check.cirrus.earth/oauth/callback",
+		"https://check.cirrus.earth/oauth/flow-callback"
+	],
+	"scope": "atproto transition:generic repo:earth.cirrus.check.testrecord include:site.standard.authFull",
+	"grant_types": ["authorization_code", "refresh_token"],
+	"response_types": ["code"],
+	"application_type": "web",
+	"token_endpoint_auth_method": "none",
+	"dpop_bound_access_tokens": true
+}