ci: release

[mixie-bot]

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

@getcirrus/oauth-provider@0.5.0

Minor Changes

• #177 ec284fd Thanks @ascorbic! - Advertise a jwks_uri in OAuth authorization-server metadata and serve an empty JWKS at /oauth/jwks. OAuth clients that run JWKS discovery against the metadata endpoint no longer fail when talking to Cirrus. The key set is empty because Cirrus signs access tokens with HS256 (symmetric JWT_SECRET) — there are no public keys to publish.

Patch Changes

• #175 54ab459 Thanks @ascorbic! - Fix parseScope rejecting valid granular scopes that use the query-only form (e.g. repo?collection=a&collection=b) with Unknown scope resource. The parser previously only looked for : as the prefix delimiter, but per @atproto/oauth-scopes syntax a scope can use prefix:positional, prefix?query, or both. This affected permission sets whose repo permission listed multiple collections, since those expand to a single query-form token.

• #186 22f09de Thanks @ascorbic! - PAR (/oauth/par) now resolves every include:<nsid> permission-set scope eagerly and rejects with invalid_scope when an include points at a nonexistent or non-permission-set lexicon. Previously the resolver only ran at the authorize step, so clients with a typo in an include scope got a fresh request_uri from PAR and only learned about the bad scope at consent time. Matches reference oauth-provider behaviour (request-manager.ts:297-313).

• #184 47c8c1e Thanks @ascorbic! - PAR (/oauth/par) now validates redirect_uri against the client's registered redirect_uris at push time. Previously the check only ran at the authorize step, which let a malicious caller obtain a request_uri for an unregistered redirect even though the subsequent authorize would have rejected it. Reject early per RFC 6749 §3.1.2.4.

• #185 aed8e1b Thanks @ascorbic! - scopes_supported in the authorization-server metadata now lists only the values the spec calls out: atproto, transition:generic, transition:email, transition:chat.bsky. Granular resource scopes (repo:<nsid>, rpc:<lxm>, blob:<mime>, account:<…>, identity:<…>) and permission-set scopes (include:<nsid>) are parameterised and aren't enumerable, so bare prefixes like repo or include are no longer advertised — clients discover support by attempting the scope and falling back on invalid_scope, matching the reference PDS.

@getcirrus/pds@0.16.0

Minor Changes

• #179 9f8adee Thanks @ascorbic! - Implement three PDS-side identity endpoints that previously fell through to the AppView proxy and returned 501:

  • com.atproto.identity.resolveDid returns the DID document for the local account.
  • com.atproto.identity.resolveIdentity returns {did, handle, didDoc} for the local handle or DID.
  • com.atproto.identity.getRecommendedDidCredentials (authenticated) returns the rotation keys, alsoKnownAs, verification methods, and PDS service entry that a migrating account should advertise.

  Requests for foreign DIDs or handles continue to fall through to the AppView proxy unchanged.

• #171 bf2f857 Thanks @ascorbic! - The firehose now emits the sync 1.1 message shape, matching what the bsky.network relay and other AT Protocol consumers expect. Existing subscribers will start seeing new fields and new event types; nothing has to change on the consumer side, but the warnings some relays were logging against Cirrus hosts (notably missing prevData field) will stop.

  What changed on the wire:

  • #commit messages now include prevData (the prior commit's MST root CID), so relays can verify each commit inductively without re-fetching the repo. The CAR slice now also carries the MST covering-proof blocks needed for that verification.
  • Each ops[] entry on update and delete now includes prev, the previous CID of the touched record. Creates omit it as before.
  • tooBig is always false. It was previously set based on payload size, which never matched the field's meaning under sync 1.1.
  • New #account events are emitted on activation and deactivation, so relays learn about account status changes without polling. Deactivation reports status: "deactivated"; activation reports active: true with no status.
  • New #sync events are emitted on activation (after migration or initial setup), giving relays the current commit block without a diff.
  • #identity events now allow the handle field to be omitted, per spec.
  • A #info frame with name: "OutdatedCursor" is sent when a client connects with a cursor older than the retained event window. The stream continues from the oldest available event instead of disconnecting.
  • applyWrites rejects calls with more than 200 operations, matching the spec cap.

• #168 71b988e Thanks @simnaut! - Implement com.atproto.sync.getLatestCommit.

  This sync XRPC endpoint was previously unimplemented, so requests fell through to the XRPC proxy and returned 501 MethodNotImplemented. Relays call getLatestCommit during their crawl bootstrap, so a freshly created repo could never be indexed by a fresh requestCrawl. The endpoint now returns the repo's head commit as { cid, rev } (sourced from the same rpcGetRepoStatus data used by getRepoStatus/listRepos).

• #178 aceda62 Thanks @ascorbic! - Implement com.atproto.sync.listReposByCollection.

  Relays and crawlers use this endpoint to discover which PDSes host repos that contain a given record collection. The PDS now answers with { repos: [{ did }] } when its account has at least one record in the requested collection, or an empty list otherwise. Invalid or missing collection parameters return InvalidRequest.

Patch Changes

• #181 6589e1d Thanks @ascorbic! - applyWrites now returns the record CID on createResult and updateResult even when the record is removed later in the same batch. The lexicon marks cid as required, but the previous code looked it up in the post-commit MST — for a record that was created then deleted within one batch, the MST has no entry and the field was missing. The CID is now computed from the record bytes up front, matching reference PDS behaviour.

• #176 36b79fd Thanks @ascorbic! - com.atproto.repo.applyWrites now accepts batches that touch the same rkey more than once, matching the reference PDS. The common case is a create followed by a delete on the same rkey within one batch (an atomic no-op pattern several clients rely on); previously Cirrus rejected this with 400 InvalidRequest: duplicate rkey in batch. Two creates on the same rkey still fail, but now as 409 RecordAlreadyExists from the repo layer rather than a pre-flight 400.

• #177 ec284fd Thanks @ascorbic! - Advertise a jwks_uri in OAuth authorization-server metadata and serve an empty JWKS at /oauth/jwks. OAuth clients that run JWKS discovery against the metadata endpoint no longer fail when talking to Cirrus. The key set is empty because Cirrus signs access tokens with HS256 (symmetric JWT_SECRET) — there are no public keys to publish.

• #180 d107c59 Thanks @ascorbic! - Fix three conformance issues found by pdscheck:

  • com.atproto.server.getSession now accepts OAuth access tokens presented with the DPoP scheme (RFC 9449), not just Bearer. OAuth clients can now read session info without first being rejected with 401.
  • com.atproto.server.listAppPasswords returns createdAt as an RFC 3339 datetime (e.g. 2026-03-29T15:30:17.000Z) instead of the SQLite "YYYY-MM-DD HH:MM:SS" form that violated the lexicon.
  • com.atproto.server.getAccountInviteCodes is now implemented and returns { codes: [] } for authenticated callers (Cirrus has inviteCodeRequired: false, so there are no invite codes to list). Previously it fell through to the AppView proxy and returned 501.

• Updated dependencies [ec284fd, 54ab459, 22f09de, 47c8c1e, aed8e1b]:

  • @getcirrus/oauth-provider@0.5.0

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Updated (UTC)
✅ Deployment successful! View logs	atproto-pds	67f768e	May 24 2026, 10:31 PM

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/create-pds@172

npm i https://pkg.pr.new/@getcirrus/oauth-provider@172

npm i https://pkg.pr.new/@getcirrus/pds@172

commit: 67f768e

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Preview URL	Updated (UTC)
✅ Deployment successful! View logs	cirrusdocs	67f768e	Commit Preview URL Branch Preview URL	May 24 2026, 10:31 PM

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Updated (UTC)
✅ Deployment successful! View logs	pdscheck	67f768e	May 24 2026, 10:31 PM