
ci: release #159

Merged
ascorbic merged 1 commit into main from changeset-release/main
May 4, 2026

Conversation

@mixie-bot mixie-bot Bot commented May 4, 2026

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

@getcirrus/oauth-provider@0.4.0

Minor Changes

  • #158 ec935b1 Thanks @ascorbic! - Support granular OAuth permissions and permission sets per the atproto permission spec.

    • repo:, rpc:, blob:, account:, identity: scopes are parsed and enforced (via @atproto/oauth-scopes); transition:generic / transition:email / transition:chat.bsky keep working through the transitional shim.
    • verifyAccessToken now accepts a (perms) => p.assertRepo({ collection, action })-style check callback in addition to the legacy required-scope string.
    • PDS write endpoints (createRecord, putRecord, deleteRecord, applyWrites, uploadBlob) assert the matching scope before dispatching.
    • include:NSID?aud=... permission-set scopes are resolved via @atcute/lexicon-resolver and expanded inline at code-issuance time, so resource-server checks never need network access. The PDS caches resolved permission sets in DO SQLite with the spec's stale-while-revalidate semantics (24h soft / 90d hard).
    • The consent UI groups long granular-scope lists by NSID authority and collapses them behind a <details> disclosure, so a 30-scope client like tangled.org renders as a few audit-friendly lines instead of a wall of text. include: scopes render the resolved bundle's title/detail.

    Note on legacy auth: session JWTs (from createSession / app-password flow), service JWTs, and the static AUTH_TOKEN continue to bypass scope checks at resource handlers — they're treated as fully-trusted callers per their original semantics (app-password equivalents). The new rpc: proxy enforcement only applies to OAuth (DPoP) tokens; legacy clients can still call any AppView method via the proxy regardless of granular scopes.

Patch Changes

  • #155 d1a7074 Thanks @a-lavis! - Fix two OAuth token refresh bugs that prevented spec-compliant clients (e.g. tangled.org via indigo) from refreshing their session after the access token expired.
    • Track access and refresh expiry separately on TokenData (accessExpiresAt / refreshExpiresAt) instead of a single expiresAt. cleanup() now prunes by refreshExpiresAt, so a row isn't deleted while its refresh token is still valid. The PDS SQLite store migrates legacy oauth_tokens rows in place, deriving refresh_expires_at as MAX(expires_at, issued_at + REFRESH_TOKEN_TTL).
    • The PDS auth middleware now sends WWW-Authenticate: DPoP error="invalid_token" on 401 responses for invalid/expired OAuth access tokens, as required by the atproto XRPC spec. Clients that gate refresh on this header (indigo, and others) will now refresh automatically instead of staying logged-in-but-broken until the user signs out.

@getcirrus/pds@0.14.0

Minor Changes

  • #158 ec935b1 Thanks @ascorbic! - Support granular OAuth permissions and permission sets per the atproto permission spec.

    • repo:, rpc:, blob:, account:, identity: scopes are parsed and enforced (via @atproto/oauth-scopes); transition:generic / transition:email / transition:chat.bsky keep working through the transitional shim.
    • verifyAccessToken now accepts a (perms) => p.assertRepo({ collection, action })-style check callback in addition to the legacy required-scope string.
    • PDS write endpoints (createRecord, putRecord, deleteRecord, applyWrites, uploadBlob) assert the matching scope before dispatching.
    • include:NSID?aud=... permission-set scopes are resolved via @atcute/lexicon-resolver and expanded inline at code-issuance time, so resource-server checks never need network access. The PDS caches resolved permission sets in DO SQLite with the spec's stale-while-revalidate semantics (24h soft / 90d hard).
    • The consent UI groups long granular-scope lists by NSID authority and collapses them behind a <details> disclosure, so a 30-scope client like tangled.org renders as a few audit-friendly lines instead of a wall of text. include: scopes render the resolved bundle's title/detail.

    Note on legacy auth: session JWTs (from createSession / app-password flow), service JWTs, and the static AUTH_TOKEN continue to bypass scope checks at resource handlers — they're treated as fully-trusted callers per their original semantics (app-password equivalents). The new rpc: proxy enforcement only applies to OAuth (DPoP) tokens; legacy clients can still call any AppView method via the proxy regardless of granular scopes.

Patch Changes

  • #153 6e4d81d Thanks @georgemblack! - Fix com.atproto.server.checkAccountStatus response to be lexicon-compliant: privateStateValues is a required integer (not nullable), so return 0 instead of null in both the activated and not-activated branches.

  • #155 d1a7074 Thanks @a-lavis! - Fix two OAuth token refresh bugs that prevented spec-compliant clients (e.g. tangled.org via indigo) from refreshing their session after the access token expired.

    • Track access and refresh expiry separately on TokenData (accessExpiresAt / refreshExpiresAt) instead of a single expiresAt. cleanup() now prunes by refreshExpiresAt, so a row isn't deleted while its refresh token is still valid. The PDS SQLite store migrates legacy oauth_tokens rows in place, deriving refresh_expires_at as MAX(expires_at, issued_at + REFRESH_TOKEN_TTL).
    • The PDS auth middleware now sends WWW-Authenticate: DPoP error="invalid_token" on 401 responses for invalid/expired OAuth access tokens, as required by the atproto XRPC spec. Clients that gate refresh on this header (indigo, and others) will now refresh automatically instead of staying logged-in-but-broken until the user signs out.
  • Updated dependencies [ec935b1, d1a7074]:

    • @getcirrus/oauth-provider@0.4.0
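The granular repo: scope enforcement and the (perms) => p.assertRepo({ collection, action }) check callback described in the oauth-provider and pds minor changes above, modelled as an added example. This is not the project's code and not @atproto/oauth-scopes: the scope grammar used here (repo:<collection>, an optional ?action=create|update|delete query, repo:* as a wildcard, and transition:generic as the legacy shim granting every repo action) is a simplified assumption about the atproto permission spec, and the function names parseRepoScopes, Permissions and verifyWithCallback are invented for the illustration.

```typescript
// Added illustration (not the project's code): a minimal model of the granular
// `repo:` scope check and the assertRepo-style callback from the changelog.
// Assumed grammar: `repo:<collection>` grants create/update/delete on that NSID,
// `repo:<collection>?action=create` narrows it, `repo:*` matches any collection,
// and `transition:generic` is the legacy shim that grants everything.

type RepoAction = "create" | "update" | "delete";
const ALL_ACTIONS: RepoAction[] = ["create", "update", "delete"];

interface RepoGrant {
  collection: string; // NSID or "*"
  actions: Set<RepoAction>;
}

// Parse a space-separated scope string into repo grants. Other scope families
// (rpc:, blob:, account:, identity:) are ignored in this simplified model.
export function parseRepoScopes(scope: string): RepoGrant[] {
  const grants: RepoGrant[] = [];
  for (const token of scope.split(/\s+/).filter(Boolean)) {
    if (token === "transition:generic") {
      grants.push({ collection: "*", actions: new Set(ALL_ACTIONS) });
      continue;
    }
    if (!token.startsWith("repo:")) continue;
    const [resource, query = ""] = token.slice("repo:".length).split("?", 2);
    if (!resource) throw new Error(`empty collection in scope: ${token}`);
    const requested = new URLSearchParams(query).getAll("action");
    for (const a of requested) {
      // Reject unknown actions rather than silently widening the grant.
      if (!(ALL_ACTIONS as string[]).includes(a)) throw new Error(`invalid action in scope: ${token}`);
    }
    const actions = new Set<RepoAction>(requested.length ? (requested as RepoAction[]) : ALL_ACTIONS);
    grants.push({ collection: resource, actions });
  }
  return grants;
}

export class Permissions {
  constructor(private readonly grants: RepoGrant[]) {}

  allowsRepo(req: { collection: string; action: RepoAction }): boolean {
    return this.grants.some(
      (g) => (g.collection === "*" || g.collection === req.collection) && g.actions.has(req.action),
    );
  }

  // The callback-style check: throws when the token's scopes do not cover the write.
  assertRepo(req: { collection: string; action: RepoAction }): void {
    if (!this.allowsRepo(req)) {
      throw new Error(`scope does not permit ${req.action} on ${req.collection}`);
    }
  }
}

// Resource-server side: a verifyAccessToken-like helper that accepts a check
// callback instead of a required-scope string. Returns true when the callback
// passes, false when it throws (the caller would answer 403 in that case).
export function verifyWithCallback(scope: string, check: (perms: Permissions) => void): boolean {
  const perms = new Permissions(parseRepoScopes(scope));
  try {
    check(perms);
    return true;
  } catch {
    return false;
  }
}
```

A write endpoint such as createRecord would call verifyWithCallback(tokenScope, (p) => p.assertRepo({ collection: record.$type, action: "create" })) before dispatching, which is the shape of check the changelog describes; the point of resolving everything from the scope string is that no network access is needed at check time.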
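The two refresh-flow fixes in the #155 patch changes above (separate accessExpiresAt / refreshExpiresAt on TokenData, cleanup() pruning by refresh expiry, the in-place migration deriving refresh_expires_at as MAX(expires_at, issued_at + REFRESH_TOKEN_TTL), and the WWW-Authenticate: DPoP error="invalid_token" header on 401) as an added example. This is not the project's code: the in-memory TokenStore, the authorize helper, the LegacyRow shape and the 90-day value of REFRESH_TOKEN_TTL are assumptions made for the illustration; only the field and constant names come from the changelog.

```typescript
// Added illustration (not the project's code) of the token-refresh fixes in
// the changelog. REFRESH_TOKEN_TTL's value and the store/row shapes are assumed.

export const REFRESH_TOKEN_TTL = 90 * 24 * 60 * 60 * 1000; // assumed: 90 days in ms

export interface TokenData {
  tokenId: string;
  issuedAt: number;
  accessExpiresAt: number;  // access token lifetime (short)
  refreshExpiresAt: number; // refresh token lifetime (long)
}

// Legacy row shape: a single expires_at that only covered the access token.
export interface LegacyRow {
  token_id: string;
  issued_at: number;
  expires_at: number;
}

// Migration rule from the changelog:
//   refresh_expires_at = MAX(expires_at, issued_at + REFRESH_TOKEN_TTL)
export function migrateLegacyRow(row: LegacyRow): TokenData {
  return {
    tokenId: row.token_id,
    issuedAt: row.issued_at,
    accessExpiresAt: row.expires_at,
    refreshExpiresAt: Math.max(row.expires_at, row.issued_at + REFRESH_TOKEN_TTL),
  };
}

export class TokenStore {
  private rows = new Map<string, TokenData>();

  put(t: TokenData): void { this.rows.set(t.tokenId, t); }
  get(id: string): TokenData | undefined { return this.rows.get(id); }
  size(): number { return this.rows.size; }

  // The bug being fixed: pruning by access expiry deleted rows whose refresh
  // token was still valid, so a later refresh found nothing. Prune by
  // refreshExpiresAt instead. Returns the number of rows removed.
  cleanup(now: number): number {
    const expired: string[] = [];
    this.rows.forEach((t, id) => { if (t.refreshExpiresAt <= now) expired.push(id); });
    expired.forEach((id) => this.rows.delete(id));
    return expired.length;
  }
}

export interface AuthResult { status: number; headers: Record<string, string> }

// Resource-server check for an OAuth (DPoP) access token. For an unknown or
// expired access token, answer 401 with the header that spec-compliant clients
// key on to trigger a refresh instead of staying logged-in-but-broken.
export function authorize(store: TokenStore, tokenId: string, now: number): AuthResult {
  const t = store.get(tokenId);
  if (!t || t.accessExpiresAt <= now) {
    return { status: 401, headers: { "WWW-Authenticate": 'DPoP error="invalid_token"' } };
  }
  return { status: 200, headers: {} };
}
```

The sequence the changelog describes is: the access token expires, the resource server answers 401 with the DPoP challenge, and the client refreshes; that only works if cleanup() has left the row in place, which is why pruning keys on refreshExpiresAt.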

cloudflare-workers-and-pages Bot commented May 4, 2026

Deploying with Cloudflare Workers

Status: Deployment successful
Name: atproto-pds
Latest Commit: c4f33ec
Updated (UTC): May 04 2026, 10:31 PM


pkg-pr-new Bot commented May 4, 2026

npm i https://pkg.pr.new/create-pds@159
npm i https://pkg.pr.new/@getcirrus/oauth-provider@159
npm i https://pkg.pr.new/@getcirrus/pds@159

commit: c4f33ec

@mixie-bot mixie-bot Bot force-pushed the changeset-release/main branch 4 times, most recently from ef4c2bc to 840876f Compare May 4, 2026 22:07
@mixie-bot mixie-bot Bot force-pushed the changeset-release/main branch from 840876f to c4f33ec Compare May 4, 2026 22:23
@ascorbic ascorbic merged commit 5eb1b6b into main May 4, 2026
4 checks passed
@ascorbic ascorbic deleted the changeset-release/main branch May 4, 2026 22:24