Fix flaky appeal test (#3369 )

fix flaky appeal test
add pipethrough for recids on suggestions (#3365 )
2025-01-14 13:02:06 -06:00 · 2025-01-13 16:33:32 -08:00 · 2025-01-13 16:32:43 -08:00 · 2025-01-13 15:34:11 -08:00 · 2025-01-10 14:46:14 +01:00 · 2025-01-09 14:27:17 +01:00
88 changed files with 721 additions and 299 deletions
--- a/.changeset/lucky-sloths-tie.md
+++ b/.changeset/lucky-sloths-tie.md
@ -1,5 +0,0 @@
---
-"@atproto/crypto": patch
---
-
-Update noble crypto libraries
--- a/lexicons/app/bsky/actor/getSuggestions.json
+++ b/lexicons/app/bsky/actor/getSuggestions.json
@ -30,6 +30,10 @@
                "type": "ref",
                "ref": "app.bsky.actor.defs#profileView"
              }
+            },
+            "recId": {
+              "type": "integer",
+              "description": "Snowflake for this recommendation, use when submitting recommendation events."
            }
          }
        }
--- a/lexicons/app/bsky/graph/getSuggestedFollowsByActor.json
+++ b/lexicons/app/bsky/graph/getSuggestedFollowsByActor.json
@ -29,6 +29,10 @@
              "type": "boolean",
              "description": "If true, response has fallen-back to generic results, and is not scoped using relativeToDid",
              "default": false
+            },
+            "recId": {
+              "type": "integer",
+              "description": "Snowflake for this recommendation, use when submitting recommendation events."
            }
          }
        }
--- a/lexicons/app/bsky/unspecced/getSuggestionsSkeleton.json
+++ b/lexicons/app/bsky/unspecced/getSuggestionsSkeleton.json
@ -45,6 +45,10 @@
              "type": "string",
              "format": "did",
              "description": "DID of the account these suggestions are relative to. If this is returned undefined, suggestions are based on the viewer."
+            },
+            "recId": {
+              "type": "integer",
+              "description": "Snowflake for this recommendation, use when submitting recommendation events."
            }
          }
        }
--- a/packages/api/CHANGELOG.md
+++ b/packages/api/CHANGELOG.md
@ -1,5 +1,11 @@
 # @atproto/api

+## 0.13.27
+
+### Patch Changes
+
+- [#3364](https://github.com/bluesky-social/atproto/pull/3364) [`e277158f7`](https://github.com/bluesky-social/atproto/commit/e277158f70a831b04fde3ec84b3c1eaa6ce82e9d) Thanks [@iwsmith](https://github.com/iwsmith)! - add recId to getSuggestions
+
 ## 0.13.26

 ### Patch Changes
--- a/packages/api/package.json
+++ b/packages/api/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto/api",
-  "version": "0.13.26",
+  "version": "0.13.27",
  "license": "MIT",
  "description": "Client library for atproto and Bluesky",
  "keywords": [
--- a/packages/api/src/client/lexicons.ts
+++ b/packages/api/src/client/lexicons.ts
@ -12359,7 +12359,7 @@ export const schemaDict = {
              items: {
                type: 'string',
                description:
-                  'If specified, only events where the policy matches the given policy are returned',
+                  'If specified, only events where the action policies match any of the given policies are returned',
              },
            },
            cursor: {
--- a/packages/api/src/client/types/app/bsky/actor/getSuggestions.ts
+++ b/packages/api/src/client/types/app/bsky/actor/getSuggestions.ts
@ -18,6 +18,8 @@ export type InputSchema = undefined
 export interface OutputSchema {
  cursor?: string
  actors: AppBskyActorDefs.ProfileView[]
+  /** Snowflake for this recommendation, use when submitting recommendation events. */
+  recId?: number
  [k: string]: unknown
 }

--- a/packages/api/src/client/types/app/bsky/graph/getSuggestedFollowsByActor.ts
+++ b/packages/api/src/client/types/app/bsky/graph/getSuggestedFollowsByActor.ts
@ -18,6 +18,8 @@ export interface OutputSchema {
  suggestions: AppBskyActorDefs.ProfileView[]
  /** If true, response has fallen-back to generic results, and is not scoped using relativeToDid */
  isFallback: boolean
+  /** Snowflake for this recommendation, use when submitting recommendation events. */
+  recId?: number
  [k: string]: unknown
 }

--- a/packages/api/src/client/types/app/bsky/unspecced/getSuggestionsSkeleton.ts
+++ b/packages/api/src/client/types/app/bsky/unspecced/getSuggestionsSkeleton.ts
@ -24,6 +24,8 @@ export interface OutputSchema {
  actors: AppBskyUnspeccedDefs.SkeletonSearchActor[]
  /** DID of the account these suggestions are relative to. If this is returned undefined, suggestions are based on the viewer. */
  relativeToDid?: string
+  /** Snowflake for this recommendation, use when submitting recommendation events. */
+  recId?: number
  [k: string]: unknown
 }

--- a/packages/aws/CHANGELOG.md
+++ b/packages/aws/CHANGELOG.md
@ -1,5 +1,13 @@
 # @atproto/aws

+## 0.2.12
+
+### Patch Changes
+
+- Updated dependencies [[`1abfd74ec`](https://github.com/bluesky-social/atproto/commit/1abfd74ec7114e5d8e2411f7a4fa10bdce97e277)]:
+  - @atproto/crypto@0.4.3
+  - @atproto/repo@0.6.2
+
 ## 0.2.11

 ### Patch Changes
--- a/packages/aws/package.json
+++ b/packages/aws/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto/aws",
-  "version": "0.2.11",
+  "version": "0.2.12",
  "license": "MIT",
  "description": "Shared AWS cloud API helpers for atproto services",
  "keywords": [
--- a/packages/bsky/CHANGELOG.md
+++ b/packages/bsky/CHANGELOG.md
@ -1,5 +1,25 @@
 # @atproto/bsky

+## 0.0.106
+
+### Patch Changes
+
+- Updated dependencies [[`e277158f7`](https://github.com/bluesky-social/atproto/commit/e277158f70a831b04fde3ec84b3c1eaa6ce82e9d)]:
+  - @atproto/api@0.13.27
+  - @atproto-labs/fetch-node@0.1.5
+
+## 0.0.105
+
+### Patch Changes
+
+- Updated dependencies [[`1abfd74ec`](https://github.com/bluesky-social/atproto/commit/1abfd74ec7114e5d8e2411f7a4fa10bdce97e277)]:
+  - @atproto/crypto@0.4.3
+  - @atproto/identity@0.4.5
+  - @atproto/repo@0.6.2
+  - @atproto/xrpc-server@0.7.6
+  - @atproto/sync@0.1.9
+  - @atproto-labs/xrpc-utils@0.0.2
+
 ## 0.0.104

 ### Patch Changes
--- a/packages/bsky/package.json
+++ b/packages/bsky/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto/bsky",
-  "version": "0.0.104",
+  "version": "0.0.106",
  "license": "MIT",
  "description": "Reference implementation of app.bsky App View (Bluesky API)",
  "keywords": [
--- a/packages/bsky/src/api/app/bsky/actor/getSuggestions.ts
+++ b/packages/bsky/src/api/app/bsky/actor/getSuggestions.ts
@ -71,6 +71,7 @@ const skeleton = async (input: {
    return {
      dids: res.data.actors.map((a) => a.did),
      cursor: res.data.cursor,
+      recId: res.data.recId,
      resHeaders: res.headers,
    }
  } else {
@ -129,6 +130,7 @@ const presentation = (input: {
  return {
    actors,
    cursor: skeleton.cursor,
+    recId: skeleton.recId,
    resHeaders: skeleton.resHeaders,
  }
 }
@ -148,5 +150,6 @@ type Params = QueryParams & {
 type Skeleton = {
  dids: string[]
  cursor?: string
+  recId?: number
  resHeaders?: Record<string, string>
 }
--- a/packages/bsky/src/api/app/bsky/graph/getSuggestedFollowsByActor.ts
+++ b/packages/bsky/src/api/app/bsky/graph/getSuggestedFollowsByActor.ts
@ -73,6 +73,7 @@ const skeleton = async (input: SkeletonFnInput<Context, Params>) => {
    return {
      isFallback: !res.data.relativeToDid,
      suggestedDids: res.data.actors.map((a) => a.did),
+      recId: res.data.recId,
      headers: res.headers,
    }
  } else {
@ -115,7 +116,12 @@ const presentation = (
  const suggestions = mapDefined(suggestedDids, (did) =>
    ctx.views.profileDetailed(did, hydration),
  )
-  return { isFallback: skeleton.isFallback, suggestions, headers }
+  return {
+    isFallback: skeleton.isFallback,
+    suggestions,
+    recId: skeleton.recId,
+    headers,
+  }
 }

 type Context = {
@ -133,5 +139,6 @@ type Params = QueryParams & {
 type SkeletonState = {
  isFallback: boolean
  suggestedDids: string[]
+  recId?: number
  headers?: Record<string, string>
 }
--- a/packages/bsky/src/lexicon/types/app/bsky/actor/getSuggestions.ts
+++ b/packages/bsky/src/lexicon/types/app/bsky/actor/getSuggestions.ts
@ -19,6 +19,8 @@ export type InputSchema = undefined
 export interface OutputSchema {
  cursor?: string
  actors: AppBskyActorDefs.ProfileView[]
+  /** Snowflake for this recommendation, use when submitting recommendation events. */
+  recId?: number
  [k: string]: unknown
 }

--- a/packages/bsky/src/lexicon/types/app/bsky/graph/getSuggestedFollowsByActor.ts
+++ b/packages/bsky/src/lexicon/types/app/bsky/graph/getSuggestedFollowsByActor.ts
@ -19,6 +19,8 @@ export interface OutputSchema {
  suggestions: AppBskyActorDefs.ProfileView[]
  /** If true, response has fallen-back to generic results, and is not scoped using relativeToDid */
  isFallback?: boolean
+  /** Snowflake for this recommendation, use when submitting recommendation events. */
+  recId?: number
  [k: string]: unknown
 }

--- a/packages/bsky/src/lexicon/types/app/bsky/unspecced/getSuggestionsSkeleton.ts
+++ b/packages/bsky/src/lexicon/types/app/bsky/unspecced/getSuggestionsSkeleton.ts
@ -25,6 +25,8 @@ export interface OutputSchema {
  actors: AppBskyUnspeccedDefs.SkeletonSearchActor[]
  /** DID of the account these suggestions are relative to. If this is returned undefined, suggestions are based on the viewer. */
  relativeToDid?: string
+  /** Snowflake for this recommendation, use when submitting recommendation events. */
+  recId?: number
  [k: string]: unknown
 }

--- a/packages/crypto/CHANGELOG.md
+++ b/packages/crypto/CHANGELOG.md
@ -1,5 +1,11 @@
 # @atproto/crypto

+## 0.4.3
+
+### Patch Changes
+
+- [#3335](https://github.com/bluesky-social/atproto/pull/3335) [`1abfd74ec`](https://github.com/bluesky-social/atproto/commit/1abfd74ec7114e5d8e2411f7a4fa10bdce97e277) Thanks [@dholms](https://github.com/dholms)! - Update noble crypto libraries
+
 ## 0.4.2

 ### Patch Changes
--- a/packages/crypto/package.json
+++ b/packages/crypto/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto/crypto",
-  "version": "0.4.2",
+  "version": "0.4.3",
  "license": "MIT",
  "description": "Library for cryptographic keys and signing in atproto",
  "keywords": [
--- a/packages/dev-env/CHANGELOG.md
+++ b/packages/dev-env/CHANGELOG.md
@ -1,5 +1,30 @@
 # @atproto/dev-env

+## 0.3.76
+
+### Patch Changes
+
+- [#3344](https://github.com/bluesky-social/atproto/pull/3344) [`48a0e9d60`](https://github.com/bluesky-social/atproto/commit/48a0e9d6060c2dc93899f13f2fc7cc76c04fbcd9) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Properly dispose of unused http responses
+
+- Updated dependencies [[`48a0e9d60`](https://github.com/bluesky-social/atproto/commit/48a0e9d6060c2dc93899f13f2fc7cc76c04fbcd9), [`e277158f7`](https://github.com/bluesky-social/atproto/commit/e277158f70a831b04fde3ec84b3c1eaa6ce82e9d)]:
+  - @atproto/ozone@0.1.67
+  - @atproto/api@0.13.27
+  - @atproto/bsky@0.0.106
+  - @atproto/pds@0.4.84
+
+## 0.3.75
+
+### Patch Changes
+
+- Updated dependencies [[`1abfd74ec`](https://github.com/bluesky-social/atproto/commit/1abfd74ec7114e5d8e2411f7a4fa10bdce97e277)]:
+  - @atproto/crypto@0.4.3
+  - @atproto/bsky@0.0.105
+  - @atproto/identity@0.4.5
+  - @atproto/ozone@0.1.66
+  - @atproto/pds@0.4.83
+  - @atproto/xrpc-server@0.7.6
+  - @atproto/sync@0.1.9
+
 ## 0.3.74

 ### Patch Changes
--- a/packages/dev-env/package.json
+++ b/packages/dev-env/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto/dev-env",
-  "version": "0.3.74",
+  "version": "0.3.76",
  "license": "MIT",
  "description": "Local development environment helper for atproto development",
  "keywords": [
--- a/packages/dev-env/src/util.ts
+++ b/packages/dev-env/src/util.ts
@ -45,7 +45,7 @@ export const mockResolvers = (idResolver: IdResolver, pds: TestPds) => {
    try {
      const res = await request(url, { headers: { host: handle } })
      if (res.statusCode !== 200) {
-        res.body.destroy()
+        await res.body.dump()
        return undefined
      }

--- a/packages/identity/CHANGELOG.md
+++ b/packages/identity/CHANGELOG.md
@ -1,5 +1,12 @@
 # @atproto/identity

+## 0.4.5
+
+### Patch Changes
+
+- Updated dependencies [[`1abfd74ec`](https://github.com/bluesky-social/atproto/commit/1abfd74ec7114e5d8e2411f7a4fa10bdce97e277)]:
+  - @atproto/crypto@0.4.3
+
 ## 0.4.4

 ### Patch Changes
--- a/packages/identity/package.json
+++ b/packages/identity/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto/identity",
-  "version": "0.4.4",
+  "version": "0.4.5",
  "license": "MIT",
  "description": "Library for decentralized identities in atproto using DIDs and handles",
  "keywords": [
--- a/packages/internal/did-resolver/CHANGELOG.md
+++ b/packages/internal/did-resolver/CHANGELOG.md
@ -1,5 +1,12 @@
 # @atproto-labs/did-resolver

+## 0.1.8
+
+### Patch Changes
+
+- Updated dependencies [[`5ece8c6ae`](https://github.com/bluesky-social/atproto/commit/5ece8c6aeab9c5c3f51295d93ed6e27c3c6095c2), [`5ece8c6ae`](https://github.com/bluesky-social/atproto/commit/5ece8c6aeab9c5c3f51295d93ed6e27c3c6095c2)]:
+  - @atproto-labs/fetch@0.2.0
+
 ## 0.1.7

 ### Patch Changes
--- a/packages/internal/did-resolver/package.json
+++ b/packages/internal/did-resolver/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto-labs/did-resolver",
-  "version": "0.1.7",
+  "version": "0.1.8",
  "license": "MIT",
  "description": "DID resolution and verification library",
  "keywords": [
--- a/packages/internal/fetch-node/CHANGELOG.md
+++ b/packages/internal/fetch-node/CHANGELOG.md
@ -1,5 +1,12 @@
 # @atproto-labs/fetch-node

+## 0.1.5
+
+### Patch Changes
+
+- Updated dependencies [[`5ece8c6ae`](https://github.com/bluesky-social/atproto/commit/5ece8c6aeab9c5c3f51295d93ed6e27c3c6095c2), [`5ece8c6ae`](https://github.com/bluesky-social/atproto/commit/5ece8c6aeab9c5c3f51295d93ed6e27c3c6095c2)]:
+  - @atproto-labs/fetch@0.2.0
+
 ## 0.1.4

 ### Patch Changes
--- a/packages/internal/fetch-node/package.json
+++ b/packages/internal/fetch-node/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto-labs/fetch-node",
-  "version": "0.1.4",
+  "version": "0.1.5",
  "license": "MIT",
  "description": "SSRF protection for fetch() in Node.js",
  "keywords": [
--- a/packages/internal/fetch/CHANGELOG.md
+++ b/packages/internal/fetch/CHANGELOG.md
@ -1,5 +1,15 @@
 # @atproto-labs/fetch

+## 0.2.0
+
+### Minor Changes
+
+- [#3343](https://github.com/bluesky-social/atproto/pull/3343) [`5ece8c6ae`](https://github.com/bluesky-social/atproto/commit/5ece8c6aeab9c5c3f51295d93ed6e27c3c6095c2) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Fix typo in `ResponseTranformer` and `fetchResponseJsonTranformer`
+
+### Patch Changes
+
+- [#3343](https://github.com/bluesky-social/atproto/pull/3343) [`5ece8c6ae`](https://github.com/bluesky-social/atproto/commit/5ece8c6aeab9c5c3f51295d93ed6e27c3c6095c2) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Response mime type check is now case-insensitive (as per rfc2616)
+
 ## 0.1.2

 ### Patch Changes
--- a/packages/internal/fetch/package.json
+++ b/packages/internal/fetch/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto-labs/fetch",
-  "version": "0.1.2",
+  "version": "0.2.0",
  "license": "MIT",
  "description": "Isomorphic wrapper utilities for fetch API",
  "keywords": [
--- a/packages/internal/fetch/src/fetch-response.ts
+++ b/packages/internal/fetch/src/fetch-response.ts
@ -14,7 +14,24 @@ import {
  logCancellationError,
 } from './util.js'

-export type ResponseTranformer = Transformer<Response>
+/**
+ * media-type     = type "/" subtype *( ";" parameter )
+ * type           = token
+ * subtype        = token
+ * token          = 1*<any CHAR except CTLs or separators>
+ * separators     = "(" | ")" | "<" | ">" | "@"
+ *                | "," | ";" | ":" | "\" | <">
+ *                | "/" | "[" | "]" | "?" | "="
+ *                | "{" | "}" | SP | HT
+ * CTL            = <any US-ASCII control character (octets 0 - 31) and DEL (127)>
+ * SP             = <US-ASCII SP, space (32)>
+ * HT             = <US-ASCII HT, horizontal-tab (9)>
+ * @note The type, subtype, and parameter attribute names are case-insensitive.
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc2616#autoid-23}
+ */
+const JSON_MIME = /^application\/(?:[^()<>@,;:/[\]\\?={} \t]+\+)?json$/i
+
+export type ResponseTransformer = Transformer<Response>
 export type ResponseMessageGetter = Transformer<Response, string | undefined>

 export class FetchResponseError extends FetchError {
@ -51,7 +68,7 @@ const extractResponseMessage: ResponseMessageGetter = async (response) => {
  try {
    if (mimeType === 'text/plain') {
      return await response.text()
-    } else if (/^application\/(?:[^+]+\+)?json$/i.test(mimeType)) {
+    } else if (JSON_MIME.test(mimeType)) {
      const json: unknown = await response.json()

      if (typeof json === 'string') return json
@ -155,7 +172,7 @@ export function cancelBodyOnError<T>(

 export function fetchOkProcessor(
  customMessage?: string | ResponseMessageGetter,
-): ResponseTranformer {
+): ResponseTransformer {
  return cancelBodyOnError((response) => {
    return fetchOkTransformer(response, customMessage)
  })
@ -169,7 +186,7 @@ export async function fetchOkTransformer(
  throw await FetchResponseError.from(response, customMessage)
 }

-export function fetchMaxSizeProcessor(maxBytes: number): ResponseTranformer {
+export function fetchMaxSizeProcessor(maxBytes: number): ResponseTransformer {
  if (maxBytes === Infinity) return (response) => response
  if (!Number.isFinite(maxBytes) || maxBytes < 0) {
    throw new TypeError('maxBytes must be a 0, Infinity or a positive number')
@ -200,7 +217,7 @@ export type MimeTypeCheck = string | RegExp | MimeTypeCheckFn
 export function fetchTypeProcessor(
  expectedMime: MimeTypeCheck,
  contentTypeRequired = true,
-): ResponseTranformer {
+): ResponseTransformer {
  const isExpected: MimeTypeCheckFn =
    typeof expectedMime === 'string'
      ? (mimeType) => mimeType === expectedMime
@ -220,7 +237,7 @@ export async function fetchResponseTypeChecker(
 ): Promise<Response> {
  const mimeType = extractMime(response)
  if (mimeType) {
-    if (!isExpectedMime(mimeType)) {
+    if (!isExpectedMime(mimeType.toLowerCase())) {
      throw await FetchResponseError.from(
        response,
        `Unexpected response Content-Type (${mimeType})`,
@ -243,7 +260,7 @@ export type ParsedJsonResponse<T = Json> = {
  json: T
 }

-export async function fetchResponseJsonTranformer<T = Json>(
+export async function fetchResponseJsonTransformer<T = Json>(
  response: Response,
 ): Promise<ParsedJsonResponse<T>> {
  try {
@ -260,12 +277,12 @@ export async function fetchResponseJsonTranformer<T = Json>(
 }

 export function fetchJsonProcessor<T = Json>(
-  expectedMime: MimeTypeCheck = /^application\/(?:[^+]+\+)?json$/,
+  expectedMime: MimeTypeCheck = JSON_MIME,
  contentTypeRequired = true,
 ): Transformer<Response, ParsedJsonResponse<T>> {
  return pipe(
    fetchTypeProcessor(expectedMime, contentTypeRequired),
-    cancelBodyOnError(fetchResponseJsonTranformer<T>),
+    cancelBodyOnError(fetchResponseJsonTransformer<T>),
  )
 }

--- a/packages/internal/handle-resolver-node/CHANGELOG.md
+++ b/packages/internal/handle-resolver-node/CHANGELOG.md
@ -1,5 +1,12 @@
 # @atproto-labs/handle-resolver-node

+## 0.1.10
+
+### Patch Changes
+
+- Updated dependencies []:
+  - @atproto-labs/fetch-node@0.1.5
+
 ## 0.1.9

 ### Patch Changes
--- a/packages/internal/handle-resolver-node/package.json
+++ b/packages/internal/handle-resolver-node/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto-labs/handle-resolver-node",
-  "version": "0.1.9",
+  "version": "0.1.10",
  "license": "MIT",
  "description": "Node specific ATProto handle to DID resolver",
  "keywords": [
--- a/packages/internal/identity-resolver/CHANGELOG.md
+++ b/packages/internal/identity-resolver/CHANGELOG.md
@ -1,5 +1,12 @@
 # @atproto-labs/identity-resolver

+## 0.1.10
+
+### Patch Changes
+
+- Updated dependencies []:
+  - @atproto-labs/did-resolver@0.1.8
+
 ## 0.1.9

 ### Patch Changes
--- a/packages/internal/identity-resolver/package.json
+++ b/packages/internal/identity-resolver/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto-labs/identity-resolver",
-  "version": "0.1.9",
+  "version": "0.1.10",
  "license": "MIT",
  "description": "A library resolving ATPROTO identities",
  "keywords": [
--- a/packages/internal/xrpc-utils/CHANGELOG.md
+++ b/packages/internal/xrpc-utils/CHANGELOG.md
@ -1,5 +1,12 @@
 # @atproto-labs/xrpc-utils

+## 0.0.2
+
+### Patch Changes
+
+- Updated dependencies []:
+  - @atproto/xrpc-server@0.7.6
+
 ## 0.0.1

 ### Patch Changes
--- a/packages/internal/xrpc-utils/package.json
+++ b/packages/internal/xrpc-utils/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto-labs/xrpc-utils",
-  "version": "0.0.1",
+  "version": "0.0.2",
  "license": "MIT",
  "description": "XRPC server utilities for Node.JS",
  "keywords": [
--- a/packages/oauth/jwk-jose/CHANGELOG.md
+++ b/packages/oauth/jwk-jose/CHANGELOG.md
@ -1,5 +1,16 @@
 # @atproto/jwk-jose

+## 0.1.3
+
+### Patch Changes
+
+- [#2879](https://github.com/bluesky-social/atproto/pull/2879) [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Improve compatibility with runtimes relying on webcrypto (by explicit JOSE's importJWK() "alg" argument).
+
+- [#2879](https://github.com/bluesky-social/atproto/pull/2879) [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Remove unsafe type casting during JWT verification
+
+- Updated dependencies [[`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0)]:
+  - @atproto/jwk@0.1.2
+
 ## 0.1.2

 ### Patch Changes
--- a/packages/oauth/jwk-jose/package.json
+++ b/packages/oauth/jwk-jose/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto/jwk-jose",
-  "version": "0.1.2",
+  "version": "0.1.3",
  "license": "MIT",
  "description": "`jose` based implementation of @atproto/jwk Key's",
  "keywords": [
--- a/packages/oauth/jwk-jose/src/jose-key.ts
+++ b/packages/oauth/jwk-jose/src/jose-key.ts
@ -1,4 +1,19 @@
-import { JwtVerifyError } from '@atproto/jwk'
+import {
+  Jwk,
+  JwkError,
+  JwtCreateError,
+  JwtHeader,
+  JwtPayload,
+  JwtVerifyError,
+  Key,
+  RequiredKey,
+  SignedJwt,
+  VerifyOptions,
+  VerifyResult,
+  jwkValidator,
+  jwtHeaderSchema,
+  jwtPayloadSchema,
+} from '@atproto/jwk'
 import {
  SignJWT,
  errors,
@ -14,19 +29,6 @@ import {
  type KeyLike,
 } from 'jose'

-import {
-  Jwk,
-  JwkError,
-  JwtCreateError,
-  JwtHeader,
-  JwtPayload,
-  Key,
-  SignedJwt,
-  VerifyOptions,
-  VerifyPayload,
-  VerifyResult,
-  jwkValidator,
-} from '@atproto/jwk'
 import { either } from './util'

 const { JOSEError } = errors
@ -35,53 +37,97 @@ export type Importable = string | KeyLike | Jwk

 export type { GenerateKeyPairOptions, GenerateKeyPairResult }

-export class JoseKey extends Key {
-  #keyObj?: KeyLike | Uint8Array
-
-  protected async getKey() {
+export class JoseKey<J extends Jwk = Jwk> extends Key<J> {
+  /**
+   * Some runtimes (e.g. Bun) require an `alg` second argument to be set when
+   * invoking `importJWK`. In order to be compatible with these runtimes, we
+   * provide the following method to ensure the `alg` is always set. We also
+   * take the opportunity to ensure that the `alg` is compatible with this key.
+   */
+  protected async getKeyObj(alg: string) {
+    if (!this.algorithms.includes(alg)) {
+      throw new JwkError(`Key cannot be used with algorithm "${alg}"`)
+    }
    try {
-      return (this.#keyObj ||= await importJWK(this.jwk as JWK))
+      return await importJWK(this.jwk as JWK, alg)
    } catch (cause) {
      throw new JwkError('Failed to import JWK', undefined, { cause })
    }
  }

-  async createJwt(header: JwtHeader, payload: JwtPayload) {
-    if (header.kid && header.kid !== this.kid) {
-      throw new JwtCreateError(
-        `Invalid "kid" (${header.kid}) used to sign with key "${this.kid}"`,
-      )
-    }
+  async createJwt(header: JwtHeader, payload: JwtPayload): Promise<SignedJwt> {
+    try {
+      const { kid } = header
+      if (kid && kid !== this.kid) {
+        throw new JwtCreateError(
+          `Invalid "kid" (${kid}) used to sign with key "${this.kid}"`,
+        )
+      }

-    if (!header.alg || !this.algorithms.includes(header.alg)) {
-      throw new JwtCreateError(
-        `Invalid "alg" (${header.alg}) used to sign with key "${this.kid}"`,
-      )
-    }
+      const { alg } = header
+      if (!alg) {
+        throw new JwtCreateError('Missing "alg" in JWT header')
+      }

-    const keyObj = await this.getKey()
-    return new SignJWT(payload)
-      .setProtectedHeader({ ...header, kid: this.kid })
-      .sign(keyObj) as Promise<SignedJwt>
+      const keyObj = await this.getKeyObj(alg)
+      const jwtBuilder = new SignJWT(payload).setProtectedHeader({
+        ...header,
+        alg,
+        kid: this.kid,
+      })
+
+      const signedJwt = await jwtBuilder.sign(keyObj)
+
+      return signedJwt as SignedJwt
+    } catch (cause) {
+      if (cause instanceof JOSEError) {
+        throw new JwtCreateError(cause.message, cause.code, { cause })
+      } else {
+        throw JwtCreateError.from(cause)
+      }
+    }
  }

-  async verifyJwt<
-    P extends VerifyPayload = JwtPayload,
-    C extends string = string,
-  >(token: SignedJwt, options?: VerifyOptions<C>): Promise<VerifyResult<P, C>> {
+  async verifyJwt<C extends string = never>(
+    token: SignedJwt,
+    options?: VerifyOptions<C>,
+  ): Promise<VerifyResult<C>> {
    try {
-      const keyObj = await this.getKey()
-      const result = await jwtVerify(token, keyObj, {
-        ...options,
-        algorithms: this.algorithms,
-      } as JWTVerifyOptions)
+      const result = await jwtVerify(
+        token,
+        async ({ alg }) => this.getKeyObj(alg),
+        { ...options, algorithms: this.algorithms } as JWTVerifyOptions,
+      )

-      return result as VerifyResult<P, C>
-    } catch (error) {
-      if (error instanceof JOSEError) {
-        throw new JwtVerifyError(error.message, error.code, { cause: error })
+      // @NOTE if all tokens are signed exclusively through createJwt(), then
+      // there should be no need to parse the payload and headers here. But
+      // since the JWT could have been signed with the same key from somewhere
+      // else, let's parse it to ensure the integrity (and type safety) of the
+      // data.
+      const headerParsed = jwtHeaderSchema.safeParse(result.protectedHeader)
+      if (!headerParsed.success) {
+        throw new JwtVerifyError('Invalid JWT header', undefined, {
+          cause: headerParsed.error,
+        })
+      }
+
+      const payloadParsed = jwtPayloadSchema.safeParse(result.payload)
+      if (!payloadParsed.success) {
+        throw new JwtVerifyError('Invalid JWT payload', undefined, {
+          cause: payloadParsed.error,
+        })
+      }
+
+      return {
+        protectedHeader: headerParsed.data,
+        // "requiredClaims" enforced by jwtVerify()
+        payload: payloadParsed.data as RequiredKey<JwtPayload, C>,
+      }
+    } catch (cause) {
+      if (cause instanceof JOSEError) {
+        throw new JwtVerifyError(cause.message, cause.code, { cause })
      } else {
-        throw JwtVerifyError.from(error)
+        throw JwtVerifyError.from(cause)
      }
    }
  }
--- a/packages/oauth/jwk-webcrypto/CHANGELOG.md
+++ b/packages/oauth/jwk-webcrypto/CHANGELOG.md
@ -1,5 +1,13 @@
 # @atproto/jwk-webcrypto

+## 0.1.3
+
+### Patch Changes
+
+- Updated dependencies [[`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0)]:
+  - @atproto/jwk@0.1.2
+  - @atproto/jwk-jose@0.1.3
+
 ## 0.1.2

 ### Patch Changes
--- a/packages/oauth/jwk-webcrypto/package.json
+++ b/packages/oauth/jwk-webcrypto/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto/jwk-webcrypto",
-  "version": "0.1.2",
+  "version": "0.1.3",
  "license": "MIT",
  "description": "Webcrypto based implementation of @atproto/jwk Key's",
  "keywords": [
@ -25,7 +25,8 @@
  },
  "dependencies": {
    "@atproto/jwk": "workspace:*",
-    "@atproto/jwk-jose": "workspace:*"
+    "@atproto/jwk-jose": "workspace:*",
+    "zod": "^3.23.8"
  },
  "devDependencies": {
    "typescript": "^5.6.3"
--- a/packages/oauth/jwk-webcrypto/src/webcrypto-key.ts
+++ b/packages/oauth/jwk-webcrypto/src/webcrypto-key.ts
@ -1,9 +1,20 @@
-import { Jwk, jwkSchema } from '@atproto/jwk'
+import { JwkError, jwkSchema } from '@atproto/jwk'
 import { GenerateKeyPairOptions, JoseKey } from '@atproto/jwk-jose'
+import z from 'zod'

 import { fromSubtleAlgorithm, isCryptoKeyPair } from './util.js'

-export class WebcryptoKey extends JoseKey {
+// Webcrypto keys are bound to a single algorithm
+export const jwkWithAlgSchema = z.intersection(
+  jwkSchema,
+  z.object({ alg: z.string() }),
+)
+
+export type JwkWithAlg = z.infer<typeof jwkWithAlgSchema>
+
+export class WebcryptoKey<
+  J extends JwkWithAlg = JwkWithAlg,
+> extends JoseKey<J> {
  // We need to override the static method generate from JoseKey because
  // the browser needs both the private and public keys
  static override async generate(
@ -26,29 +37,35 @@ export class WebcryptoKey extends JoseKey {
    // > The "use" and "key_ops" JWK members SHOULD NOT be used together; [...]
    // > Applications should specify which of these members they use.

-    const { key_ops: _, ...jwk } = await crypto.subtle.exportKey(
+    const {
+      key_ops,
+      use,
+      alg = fromSubtleAlgorithm(cryptoKeyPair.privateKey.algorithm),
+      ...jwk
+    } = await crypto.subtle.exportKey(
      'jwk',
      cryptoKeyPair.privateKey.extractable
        ? cryptoKeyPair.privateKey
        : cryptoKeyPair.publicKey,
    )

-    const use = jwk.use ?? 'sig'
-    const alg =
-      jwk.alg ?? fromSubtleAlgorithm(cryptoKeyPair.privateKey.algorithm)
+    if (use && use !== 'sig') {
+      throw new TypeError(`Unsupported JWK use "${use}"`)
+    }

-    if (use !== 'sig') {
-      throw new TypeError('Unsupported JWK use')
+    if (key_ops && !key_ops.some((o) => o === 'sign' || o === 'verify')) {
+      // Make sure that "key_ops", if present, is compatible with "use"
+      throw new TypeError(`Invalid key_ops "${key_ops}" for "sig" use`)
    }

    return new WebcryptoKey(
-      jwkSchema.parse({ ...jwk, use, kid, alg }),
+      jwkWithAlgSchema.parse({ ...jwk, kid, alg, use: 'sig' }),
      cryptoKeyPair,
    )
  }

  constructor(
-    jwk: Jwk,
+    jwk: Readonly<J>,
    readonly cryptoKeyPair: CryptoKeyPair,
  ) {
    super(jwk)
@ -58,12 +75,15 @@ export class WebcryptoKey extends JoseKey {
    return true
  }

-  get privateJwk(): Jwk | undefined {
+  get privateJwk(): Readonly<J> | undefined {
    if (super.isPrivate) return this.jwk
    throw new Error('Private Webcrypto Key not exportable')
  }

-  protected override async getKey() {
+  protected override async getKeyObj(alg: string) {
+    if (this.jwk.alg !== alg) {
+      throw new JwkError(`Key cannot be used with algorithm "${alg}"`)
+    }
    return this.cryptoKeyPair.privateKey
  }
 }
--- a/packages/oauth/jwk/CHANGELOG.md
+++ b/packages/oauth/jwk/CHANGELOG.md
@ -1,5 +1,17 @@
 # @atproto/jwk

+## 0.1.2
+
+### Patch Changes
+
+- [#2879](https://github.com/bluesky-social/atproto/pull/2879) [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Mark jwk key fields as readonly
+
+- [#2879](https://github.com/bluesky-social/atproto/pull/2879) [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Remove unsafe type casting during JWT verification
+
+- [#2879](https://github.com/bluesky-social/atproto/pull/2879) [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Allow (passthrough) unknown properties in JWT payload & headers
+
+- [#2879](https://github.com/bluesky-social/atproto/pull/2879) [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Expose ValidationError to allow for proper error handling
+
 ## 0.1.1

 ### Patch Changes
--- a/packages/oauth/jwk/package.json
+++ b/packages/oauth/jwk/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto/jwk",
-  "version": "0.1.1",
+  "version": "0.1.2",
  "license": "MIT",
  "description": "A library for working with JSON Web Keys (JWKs) in TypeScript. This is meant to be extended by environment-specific libraries like @atproto/jwk-jose.",
  "keywords": [
--- a/packages/oauth/jwk/src/index.ts
+++ b/packages/oauth/jwk/src/index.ts
@ -1,3 +1,8 @@
+// Since we expose zod schemas, let's expose ZodError (under a generic name) so
+// that dependents can catch schema parsing errors without requiring an explicit
+// dependency on zod, or risking a conflict in case of mismatching zob versions.
+export { ZodError as ValidationError } from 'zod'
+
 export * from './alg.js'
 export * from './errors.js'
 export * from './jwk.js'
--- a/packages/oauth/jwk/src/jwt-verify.ts
+++ b/packages/oauth/jwk/src/jwt-verify.ts
@ -1,7 +1,7 @@
 import { JwtHeader, JwtPayload } from './jwt.js'
 import { RequiredKey } from './util.js'

-export type VerifyOptions<C extends string = string> = {
+export type VerifyOptions<C extends string = never> = {
  audience?: string | readonly string[]
  /** in seconds */
  clockTolerance?: number
@ -14,9 +14,7 @@ export type VerifyOptions<C extends string = string> = {
  requiredClaims?: readonly C[]
 }

-export type VerifyPayload = Record<string, unknown>
-
-export type VerifyResult<P extends VerifyPayload, C extends string> = {
-  payload: RequiredKey<P & JwtPayload, C>
+export type VerifyResult<C extends string = never> = {
+  payload: RequiredKey<JwtPayload, C>
  protectedHeader: JwtHeader
 }
--- a/packages/oauth/jwk/src/jwt.ts
+++ b/packages/oauth/jwk/src/jwt.ts
@ -24,150 +24,154 @@ export const isUnsignedJwt = (data: unknown): data is UnsignedJwt =>
 /**
 * @see {@link https://www.rfc-editor.org/rfc/rfc7515.html#section-4}
 */
-export const jwtHeaderSchema = z.object({
-  /** "alg" (Algorithm) Header Parameter */
-  alg: z.string(),
-  /** "jku" (JWK Set URL) Header Parameter */
-  jku: z.string().url().optional(),
-  /** "jwk" (JSON Web Key) Header Parameter */
-  jwk: z
-    .object({
-      kty: z.string(),
-      crv: z.string().optional(),
-      x: z.string().optional(),
-      y: z.string().optional(),
-      e: z.string().optional(),
-      n: z.string().optional(),
-    })
-    .optional(),
-  /** "kid" (Key ID) Header Parameter */
-  kid: z.string().optional(),
-  /** "x5u" (X.509 URL) Header Parameter */
-  x5u: z.string().optional(),
-  /** "x5c" (X.509 Certificate Chain) Header Parameter */
-  x5c: z.array(z.string()).optional(),
-  /** "x5t" (X.509 Certificate SHA-1 Thumbprint) Header Parameter */
-  x5t: z.string().optional(),
-  /** "x5t#S256" (X.509 Certificate SHA-256 Thumbprint) Header Parameter */
-  'x5t#S256': z.string().optional(),
-  /** "typ" (Type) Header Parameter */
-  typ: z.string().optional(),
-  /** "cty" (Content Type) Header Parameter */
-  cty: z.string().optional(),
-  /** "crit" (Critical) Header Parameter */
-  crit: z.array(z.string()).optional(),
-})
+export const jwtHeaderSchema = z
+  .object({
+    /** "alg" (Algorithm) Header Parameter */
+    alg: z.string(),
+    /** "jku" (JWK Set URL) Header Parameter */
+    jku: z.string().url().optional(),
+    /** "jwk" (JSON Web Key) Header Parameter */
+    jwk: z
+      .object({
+        kty: z.string(),
+        crv: z.string().optional(),
+        x: z.string().optional(),
+        y: z.string().optional(),
+        e: z.string().optional(),
+        n: z.string().optional(),
+      })
+      .optional(),
+    /** "kid" (Key ID) Header Parameter */
+    kid: z.string().optional(),
+    /** "x5u" (X.509 URL) Header Parameter */
+    x5u: z.string().optional(),
+    /** "x5c" (X.509 Certificate Chain) Header Parameter */
+    x5c: z.array(z.string()).optional(),
+    /** "x5t" (X.509 Certificate SHA-1 Thumbprint) Header Parameter */
+    x5t: z.string().optional(),
+    /** "x5t#S256" (X.509 Certificate SHA-256 Thumbprint) Header Parameter */
+    'x5t#S256': z.string().optional(),
+    /** "typ" (Type) Header Parameter */
+    typ: z.string().optional(),
+    /** "cty" (Content Type) Header Parameter */
+    cty: z.string().optional(),
+    /** "crit" (Critical) Header Parameter */
+    crit: z.array(z.string()).optional(),
+  })
+  .passthrough()

 export type JwtHeader = z.infer<typeof jwtHeaderSchema>

 // https://www.iana.org/assignments/jwt/jwt.xhtml
-export const jwtPayloadSchema = z.object({
-  iss: z.string().optional(),
-  aud: z.union([z.string(), z.array(z.string()).nonempty()]).optional(),
-  sub: z.string().optional(),
-  exp: z.number().int().optional(),
-  nbf: z.number().int().optional(),
-  iat: z.number().int().optional(),
-  jti: z.string().optional(),
-  htm: z.string().optional(),
-  htu: z.string().optional(),
-  ath: z.string().optional(),
-  acr: z.string().optional(),
-  azp: z.string().optional(),
-  amr: z.array(z.string()).optional(),
-  // https://datatracker.ietf.org/doc/html/rfc7800
-  cnf: z
-    .object({
-      kid: z.string().optional(), // Key ID
-      jwk: jwkPubSchema.optional(), // JWK
-      jwe: z.string().optional(), // Encrypted key
-      jku: z.string().url().optional(), // JWK Set URI ("kid" should also be provided)
+export const jwtPayloadSchema = z
+  .object({
+    iss: z.string().optional(),
+    aud: z.union([z.string(), z.array(z.string()).nonempty()]).optional(),
+    sub: z.string().optional(),
+    exp: z.number().int().optional(),
+    nbf: z.number().int().optional(),
+    iat: z.number().int().optional(),
+    jti: z.string().optional(),
+    htm: z.string().optional(),
+    htu: z.string().optional(),
+    ath: z.string().optional(),
+    acr: z.string().optional(),
+    azp: z.string().optional(),
+    amr: z.array(z.string()).optional(),
+    // https://datatracker.ietf.org/doc/html/rfc7800
+    cnf: z
+      .object({
+        kid: z.string().optional(), // Key ID
+        jwk: jwkPubSchema.optional(), // JWK
+        jwe: z.string().optional(), // Encrypted key
+        jku: z.string().url().optional(), // JWK Set URI ("kid" should also be provided)

-      // https://datatracker.ietf.org/doc/html/rfc9449#section-6.1
-      jkt: z.string().optional(),
+        // https://datatracker.ietf.org/doc/html/rfc9449#section-6.1
+        jkt: z.string().optional(),

-      // https://datatracker.ietf.org/doc/html/rfc8705
-      'x5t#S256': z.string().optional(), // X.509 Certificate SHA-256 Thumbprint
+        // https://datatracker.ietf.org/doc/html/rfc8705
+        'x5t#S256': z.string().optional(), // X.509 Certificate SHA-256 Thumbprint

-      // https://datatracker.ietf.org/doc/html/rfc9203
-      osc: z.string().optional(), // OSCORE_Input_Material carrying the parameters for using OSCORE per-message security with implicit key confirmation
-    })
-    .optional(),
+        // https://datatracker.ietf.org/doc/html/rfc9203
+        osc: z.string().optional(), // OSCORE_Input_Material carrying the parameters for using OSCORE per-message security with implicit key confirmation
+      })
+      .optional(),

-  client_id: z.string().optional(),
+    client_id: z.string().optional(),

-  scope: z.string().optional(),
-  nonce: z.string().optional(),
+    scope: z.string().optional(),
+    nonce: z.string().optional(),

-  at_hash: z.string().optional(),
-  c_hash: z.string().optional(),
-  s_hash: z.string().optional(),
-  auth_time: z.number().int().optional(),
+    at_hash: z.string().optional(),
+    c_hash: z.string().optional(),
+    s_hash: z.string().optional(),
+    auth_time: z.number().int().optional(),

-  // https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
+    // https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims

-  // OpenID: "profile" scope
-  name: z.string().optional(),
-  family_name: z.string().optional(),
-  given_name: z.string().optional(),
-  middle_name: z.string().optional(),
-  nickname: z.string().optional(),
-  preferred_username: z.string().optional(),
-  gender: z.string().optional(), // OpenID only defines "male" and "female" without forbidding other values
-  picture: z.string().url().optional(),
-  profile: z.string().url().optional(),
-  website: z.string().url().optional(),
-  birthdate: z
-    .string()
-    .regex(/\d{4}-\d{2}-\d{2}/) // YYYY-MM-DD
-    .optional(),
-  zoneinfo: z
-    .string()
-    .regex(/^[A-Za-z0-9_/]+$/)
-    .optional(),
-  locale: z
-    .string()
-    .regex(/^[a-z]{2}(-[A-Z]{2})?$/)
-    .optional(),
-  updated_at: z.number().int().optional(),
+    // OpenID: "profile" scope
+    name: z.string().optional(),
+    family_name: z.string().optional(),
+    given_name: z.string().optional(),
+    middle_name: z.string().optional(),
+    nickname: z.string().optional(),
+    preferred_username: z.string().optional(),
+    gender: z.string().optional(), // OpenID only defines "male" and "female" without forbidding other values
+    picture: z.string().url().optional(),
+    profile: z.string().url().optional(),
+    website: z.string().url().optional(),
+    birthdate: z
+      .string()
+      .regex(/\d{4}-\d{2}-\d{2}/) // YYYY-MM-DD
+      .optional(),
+    zoneinfo: z
+      .string()
+      .regex(/^[A-Za-z0-9_/]+$/)
+      .optional(),
+    locale: z
+      .string()
+      .regex(/^[a-z]{2}(-[A-Z]{2})?$/)
+      .optional(),
+    updated_at: z.number().int().optional(),

-  // OpenID: "email" scope
-  email: z.string().optional(),
-  email_verified: z.boolean().optional(),
+    // OpenID: "email" scope
+    email: z.string().optional(),
+    email_verified: z.boolean().optional(),

-  // OpenID: "phone" scope
-  phone_number: z.string().optional(),
-  phone_number_verified: z.boolean().optional(),
+    // OpenID: "phone" scope
+    phone_number: z.string().optional(),
+    phone_number_verified: z.boolean().optional(),

-  // OpenID: "address" scope
-  // https://openid.net/specs/openid-connect-core-1_0.html#AddressClaim
-  address: z
-    .object({
-      formatted: z.string().optional(),
-      street_address: z.string().optional(),
-      locality: z.string().optional(),
-      region: z.string().optional(),
-      postal_code: z.string().optional(),
-      country: z.string().optional(),
-    })
-    .optional(),
+    // OpenID: "address" scope
+    // https://openid.net/specs/openid-connect-core-1_0.html#AddressClaim
+    address: z
+      .object({
+        formatted: z.string().optional(),
+        street_address: z.string().optional(),
+        locality: z.string().optional(),
+        region: z.string().optional(),
+        postal_code: z.string().optional(),
+        country: z.string().optional(),
+      })
+      .optional(),

-  // https://datatracker.ietf.org/doc/html/rfc9396#section-14.2
-  authorization_details: z
-    .array(
-      z
-        .object({
-          type: z.string(),
-          // https://datatracker.ietf.org/doc/html/rfc9396#section-2.2
-          locations: z.array(z.string()).optional(),
-          actions: z.array(z.string()).optional(),
-          datatypes: z.array(z.string()).optional(),
-          identifier: z.string().optional(),
-          privileges: z.array(z.string()).optional(),
-        })
-        .passthrough(),
-    )
-    .optional(),
-})
+    // https://datatracker.ietf.org/doc/html/rfc9396#section-14.2
+    authorization_details: z
+      .array(
+        z
+          .object({
+            type: z.string(),
+            // https://datatracker.ietf.org/doc/html/rfc9396#section-2.2
+            locations: z.array(z.string()).optional(),
+            actions: z.array(z.string()).optional(),
+            datatypes: z.array(z.string()).optional(),
+            identifier: z.string().optional(),
+            privileges: z.array(z.string()).optional(),
+          })
+          .passthrough(),
+      )
+      .optional(),
+  })
+  .passthrough()

 export type JwtPayload = z.infer<typeof jwtPayloadSchema>
--- a/packages/oauth/jwk/src/key.ts
+++ b/packages/oauth/jwk/src/key.ts
@ -1,12 +1,14 @@
 import { jwkAlgorithms } from './alg.js'
 import { JwkError } from './errors.js'
 import { Jwk, jwkSchema } from './jwk.js'
-import { VerifyOptions, VerifyPayload, VerifyResult } from './jwt-verify.js'
+import { VerifyOptions, VerifyResult } from './jwt-verify.js'
 import { JwtHeader, JwtPayload, SignedJwt } from './jwt.js'
 import { cachedGetter } from './util.js'

-export abstract class Key {
-  constructor(protected readonly jwk: Readonly<Jwk>) {
+const jwkSchemaReadonly = jwkSchema.readonly()
+
+export abstract class Key<J extends Jwk = Jwk> {
+  constructor(protected readonly jwk: Readonly<J>) {
    // A key should always be used either for signing or encryption.
    if (!jwk.use) throw new JwkError('Missing "use" Parameter value')
  }
@ -24,25 +26,28 @@ export abstract class Key {
    return false
  }

-  get privateJwk(): Jwk | undefined {
+  get privateJwk(): Readonly<J> | undefined {
    return this.isPrivate ? this.jwk : undefined
  }

  @cachedGetter
-  get publicJwk(): Jwk | undefined {
+  get publicJwk():
+    | Readonly<Exclude<J, { kty: 'oct' }> & { d?: never }>
+    | undefined {
    if (this.isSymetric) return undefined
-    if (this.isPrivate) {
-      const { d: _, ...jwk } = this.jwk as any
-      return jwk
-    }
-    return this.jwk
+
+    return jwkSchemaReadonly.parse({
+      ...this.jwk,
+      d: undefined,
+      k: undefined,
+    }) as Exclude<J, { kty: 'oct' }> & { d?: never }
  }

  @cachedGetter
-  get bareJwk(): Jwk | undefined {
+  get bareJwk(): Readonly<Jwk> | undefined {
    if (this.isSymetric) return undefined
    const { kty, crv, e, n, x, y } = this.jwk as any
-    return jwkSchema.parse({ crv, e, kty, n, x, y })
+    return jwkSchemaReadonly.parse({ crv, e, kty, n, x, y })
  }

  get use() {
@ -64,7 +69,7 @@ export abstract class Key {
  }

  get crv() {
-    return (this.jwk as { crv: undefined } | Extract<Jwk, { crv: unknown }>).crv
+    return (this.jwk as { crv: undefined } | Extract<J, { crv: unknown }>).crv
  }

  /**
@ -73,7 +78,7 @@ export abstract class Key {
   */
  @cachedGetter
  get algorithms(): readonly string[] {
-    return Array.from(jwkAlgorithms(this.jwk))
+    return Object.freeze(Array.from(jwkAlgorithms(this.jwk)))
  }

  /**
@ -86,8 +91,8 @@ export abstract class Key {
   *
   * @throws {JwtVerifyError} if the JWT is invalid
   */
-  abstract verifyJwt<
-    P extends VerifyPayload = JwtPayload,
-    C extends string = string,
-  >(token: SignedJwt, options?: VerifyOptions<C>): Promise<VerifyResult<P, C>>
+  abstract verifyJwt<C extends string = never>(
+    token: SignedJwt,
+    options?: VerifyOptions<C>,
+  ): Promise<VerifyResult<C>>
 }
--- a/packages/oauth/jwk/src/keyset.ts
+++ b/packages/oauth/jwk/src/keyset.ts
@ -213,13 +213,10 @@ export class Keyset<K extends Key = Key> implements Iterable<K> {
    }
  }

-  async verifyJwt<
-    P extends Record<string, unknown> = JwtPayload,
-    C extends string = string,
-  >(
+  async verifyJwt<C extends string = never>(
    token: SignedJwt,
    options?: VerifyOptions<C>,
-  ): Promise<VerifyResult<P, C> & { key: K }> {
+  ): Promise<VerifyResult<C> & { key: K }> {
    const { header } = unsafeDecodeJwt(token)
    const { kid, alg } = header

@ -227,7 +224,7 @@ export class Keyset<K extends Key = Key> implements Iterable<K> {

    for (const key of this.list({ kid, alg })) {
      try {
-        const result = await key.verifyJwt<P, C>(token, options)
+        const result = await key.verifyJwt<C>(token, options)
        return { ...result, key }
      } catch (err) {
        errors.push(err)
--- a/packages/oauth/jwk/src/util.ts
+++ b/packages/oauth/jwk/src/util.ts
@ -5,12 +5,12 @@ import { RefinementCtx, ZodIssueCode } from 'zod'
 export type Simplify<T> = { [K in keyof T]: T[K] } & {}
 export type Override<T, V> = Simplify<V & Omit<T, keyof V>>

-export type RequiredKey<T, K extends string> = Simplify<
-  string extends K
-    ? T
-    : {
-        [L in K]: Exclude<L extends keyof T ? T[L] : unknown, undefined>
-      } & Omit<T, K>
+export type RequiredKey<T, K extends keyof T = never> = Simplify<
+  T & {
+    [L in K]-?: unknown extends T[L]
+      ? NonNullable<unknown> | null
+      : Exclude<T[L], undefined>
+  }
 >

 // eslint-disable-next-line @typescript-eslint/ban-types
--- a/packages/oauth/oauth-client-browser/CHANGELOG.md
+++ b/packages/oauth/oauth-client-browser/CHANGELOG.md
@ -1,5 +1,16 @@
 # @atproto/oauth-client-browser

+## 0.3.7
+
+### Patch Changes
+
+- Updated dependencies [[`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0)]:
+  - @atproto/jwk@0.1.2
+  - @atproto/jwk-webcrypto@0.1.3
+  - @atproto/oauth-client@0.3.7
+  - @atproto/oauth-types@0.2.2
+  - @atproto-labs/did-resolver@0.1.8
+
 ## 0.3.6

 ### Patch Changes
--- a/packages/oauth/oauth-client-browser/package.json
+++ b/packages/oauth/oauth-client-browser/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto/oauth-client-browser",
-  "version": "0.3.6",
+  "version": "0.3.7",
  "license": "MIT",
  "description": "ATPROTO OAuth client for the browser (relies on WebCrypto & Indexed DB)",
  "keywords": [
--- a/packages/oauth/oauth-client-node/CHANGELOG.md
+++ b/packages/oauth/oauth-client-node/CHANGELOG.md
@ -1,5 +1,18 @@
 # @atproto/oauth-client-node

+## 0.2.7
+
+### Patch Changes
+
+- Updated dependencies [[`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0)]:
+  - @atproto/jwk@0.1.2
+  - @atproto/jwk-jose@0.1.3
+  - @atproto/jwk-webcrypto@0.1.3
+  - @atproto/oauth-client@0.3.7
+  - @atproto/oauth-types@0.2.2
+  - @atproto-labs/did-resolver@0.1.8
+  - @atproto-labs/handle-resolver-node@0.1.10
+
 ## 0.2.6

 ### Patch Changes
--- a/packages/oauth/oauth-client-node/package.json
+++ b/packages/oauth/oauth-client-node/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto/oauth-client-node",
-  "version": "0.2.6",
+  "version": "0.2.7",
  "license": "MIT",
  "description": "ATPROTO OAuth client for the NodeJS",
  "keywords": [
--- a/packages/oauth/oauth-client/CHANGELOG.md
+++ b/packages/oauth/oauth-client/CHANGELOG.md
@ -1,5 +1,16 @@
 # @atproto/oauth-client

+## 0.3.7
+
+### Patch Changes
+
+- Updated dependencies [[`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`5ece8c6ae`](https://github.com/bluesky-social/atproto/commit/5ece8c6aeab9c5c3f51295d93ed6e27c3c6095c2), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`5ece8c6ae`](https://github.com/bluesky-social/atproto/commit/5ece8c6aeab9c5c3f51295d93ed6e27c3c6095c2)]:
+  - @atproto/jwk@0.1.2
+  - @atproto-labs/fetch@0.2.0
+  - @atproto/oauth-types@0.2.2
+  - @atproto-labs/did-resolver@0.1.8
+  - @atproto-labs/identity-resolver@0.1.10
+
 ## 0.3.6

 ### Patch Changes
--- a/packages/oauth/oauth-client/package.json
+++ b/packages/oauth/oauth-client/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto/oauth-client",
-  "version": "0.3.6",
+  "version": "0.3.7",
  "license": "MIT",
  "description": "OAuth client for ATPROTO PDS. This package serves as common base for environment-specific implementations (NodeJS, Browser, React-Native).",
  "keywords": [
--- a/packages/oauth/oauth-provider/CHANGELOG.md
+++ b/packages/oauth/oauth-provider/CHANGELOG.md
@ -1,5 +1,16 @@
 # @atproto/oauth-provider

+## 0.2.12
+
+### Patch Changes
+
+- Updated dependencies [[`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`5ece8c6ae`](https://github.com/bluesky-social/atproto/commit/5ece8c6aeab9c5c3f51295d93ed6e27c3c6095c2), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`5ece8c6ae`](https://github.com/bluesky-social/atproto/commit/5ece8c6aeab9c5c3f51295d93ed6e27c3c6095c2)]:
+  - @atproto/jwk@0.1.2
+  - @atproto/jwk-jose@0.1.3
+  - @atproto-labs/fetch@0.2.0
+  - @atproto/oauth-types@0.2.2
+  - @atproto-labs/fetch-node@0.1.5
+
 ## 0.2.11

 ### Patch Changes
--- a/packages/oauth/oauth-provider/package.json
+++ b/packages/oauth/oauth-provider/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto/oauth-provider",
-  "version": "0.2.11",
+  "version": "0.2.12",
  "license": "MIT",
  "description": "Generic OAuth2 and OpenID Connect provider for Node.js. Currently only supports features needed for Atproto.",
  "keywords": [
--- a/packages/oauth/oauth-provider/src/signer/signed-token-payload.ts
+++ b/packages/oauth/oauth-provider/src/signer/signed-token-payload.ts
@ -27,7 +27,8 @@ export const signedTokenPayloadSchema = z.intersection(
      jti: tokenIdSchema,
      sub: subSchema,
      client_id: clientIdSchema,
-    }),
+    })
+    .passthrough(),
 )

 export type SignedTokenPayload = Simplify<
--- a/packages/oauth/oauth-provider/src/signer/signer.ts
+++ b/packages/oauth/oauth-provider/src/signer/signer.ts
@ -19,7 +19,7 @@ import {
  signedTokenPayloadSchema,
 } from './signed-token-payload.js'

-export type SignPayload = Omit<JwtPayload, 'iss'>
+export type SignPayload = JwtPayload & { iss?: never }

 export class Signer {
  constructor(
@ -27,11 +27,11 @@ export class Signer {
    public readonly keyset: Keyset,
  ) {}

-  async verify<P extends Record<string, unknown> = JwtPayload>(
+  async verify<C extends string = never>(
    token: SignedJwt,
-    options?: Omit<VerifyOptions, 'issuer'>,
+    options?: Omit<VerifyOptions<C>, 'issuer'>,
  ) {
-    return this.keyset.verifyJwt<P>(token, {
+    return this.keyset.verifyJwt<C>(token, {
      ...options,
      issuer: [this.issuer],
    })
@ -84,18 +84,16 @@ export class Signer {
    )
  }

-  async verifyAccessToken(token: SignedJwt) {
-    const result = await this.verify<SignedTokenPayload>(token, {
-      typ: 'at+jwt',
-    })
-
-    // The result is already type casted as an AccessTokenPayload, but we need
-    // to actually verify this. That should already be covered by the fact that
-    // we don't sign 'at+jwt' tokens without a valid token ID. Let's double
-    // check in case another version/implementation was used to generate the
-    // token.
-    signedTokenPayloadSchema.parse(result.payload)
-
-    return result
+  async verifyAccessToken<C extends string = never>(
+    token: SignedJwt,
+    options?: Omit<VerifyOptions<C>, 'issuer' | 'typ'>,
+  ) {
+    const result = await this.verify<C>(token, { ...options, typ: 'at+jwt' })
+    type Payload = typeof result.payload // RequiredKey<JwtPayload, C>
+    return {
+      protectedHeader: result.protectedHeader,
+      payload: signedTokenPayloadSchema.parse(result.payload) as Payload &
+        SignedTokenPayload,
+    }
  }
 }
--- a/packages/oauth/oauth-provider/src/token/token-manager.ts
+++ b/packages/oauth/oauth-provider/src/token/token-manager.ts
@ -462,6 +462,7 @@ export class TokenManager {
      case isSignedJwt(token): {
        const { payload } = await this.signer.verify(token, {
          clockTolerance: Infinity,
+          requiredClaims: ['jti'],
        })
        const tokenId = tokenIdSchema.parse(payload.jti)
        await this.store.deleteToken(tokenId)
--- a/packages/oauth/oauth-types/CHANGELOG.md
+++ b/packages/oauth/oauth-types/CHANGELOG.md
@ -1,5 +1,12 @@
 # @atproto/oauth-types

+## 0.2.2
+
+### Patch Changes
+
+- Updated dependencies [[`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0)]:
+  - @atproto/jwk@0.1.2
+
 ## 0.2.1

 ### Patch Changes
--- a/packages/oauth/oauth-types/package.json
+++ b/packages/oauth/oauth-types/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto/oauth-types",
-  "version": "0.2.1",
+  "version": "0.2.2",
  "license": "MIT",
  "description": "OAuth typing & validation library",
  "keywords": [
--- a/packages/ozone/CHANGELOG.md
+++ b/packages/ozone/CHANGELOG.md
@ -1,5 +1,23 @@
 # @atproto/ozone

+## 0.1.67
+
+### Patch Changes
+
+- [#3344](https://github.com/bluesky-social/atproto/pull/3344) [`48a0e9d60`](https://github.com/bluesky-social/atproto/commit/48a0e9d6060c2dc93899f13f2fc7cc76c04fbcd9) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Properly dispose of unused http responses
+
+- Updated dependencies [[`e277158f7`](https://github.com/bluesky-social/atproto/commit/e277158f70a831b04fde3ec84b3c1eaa6ce82e9d)]:
+  - @atproto/api@0.13.27
+
+## 0.1.66
+
+### Patch Changes
+
+- Updated dependencies [[`1abfd74ec`](https://github.com/bluesky-social/atproto/commit/1abfd74ec7114e5d8e2411f7a4fa10bdce97e277)]:
+  - @atproto/crypto@0.4.3
+  - @atproto/identity@0.4.5
+  - @atproto/xrpc-server@0.7.6
+
 ## 0.1.65

 ### Patch Changes
--- a/packages/ozone/package.json
+++ b/packages/ozone/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto/ozone",
-  "version": "0.1.65",
+  "version": "0.1.67",
  "license": "MIT",
  "description": "Backend service for moderating the Bluesky network.",
  "keywords": [
--- a/packages/ozone/src/daemon/blob-diverter.ts
+++ b/packages/ozone/src/daemon/blob-diverter.ts
@ -46,7 +46,7 @@ export class BlobDiverter {
      })

    if (blobResponse.statusCode !== 200) {
-      blobResponse.body.destroy()
+      await blobResponse.body.dump()
      throw new XRPCError(
        blobResponse.statusCode,
        undefined,
@ -72,7 +72,7 @@ export class BlobDiverter {
      }
    } catch (err) {
      // Typically un-supported content encoding
-      blobResponse.body.destroy()
+      await blobResponse.body.dump()
      throw err
    }
  }
@ -99,7 +99,7 @@ export class BlobDiverter {
      })

    if (result.statusCode !== 200) {
-      result.body.destroy()
+      await result.body.dump()
      throw new XRPCError(
        result.statusCode,
        undefined,
--- a/packages/ozone/src/lexicon/lexicons.ts
+++ b/packages/ozone/src/lexicon/lexicons.ts
@ -12359,7 +12359,7 @@ export const schemaDict = {
              items: {
                type: 'string',
                description:
-                  'If specified, only events where the policy matches the given policy are returned',
+                  'If specified, only events where the action policies match any of the given policies are returned',
              },
            },
            cursor: {
--- a/packages/ozone/src/lexicon/types/app/bsky/actor/getSuggestions.ts
+++ b/packages/ozone/src/lexicon/types/app/bsky/actor/getSuggestions.ts
@ -19,6 +19,8 @@ export type InputSchema = undefined
 export interface OutputSchema {
  cursor?: string
  actors: AppBskyActorDefs.ProfileView[]
+  /** Snowflake for this recommendation, use when submitting recommendation events. */
+  recId?: number
  [k: string]: unknown
 }

--- a/packages/ozone/src/lexicon/types/app/bsky/graph/getSuggestedFollowsByActor.ts
+++ b/packages/ozone/src/lexicon/types/app/bsky/graph/getSuggestedFollowsByActor.ts
@ -19,6 +19,8 @@ export interface OutputSchema {
  suggestions: AppBskyActorDefs.ProfileView[]
  /** If true, response has fallen-back to generic results, and is not scoped using relativeToDid */
  isFallback?: boolean
+  /** Snowflake for this recommendation, use when submitting recommendation events. */
+  recId?: number
  [k: string]: unknown
 }

--- a/packages/ozone/src/lexicon/types/app/bsky/unspecced/getSuggestionsSkeleton.ts
+++ b/packages/ozone/src/lexicon/types/app/bsky/unspecced/getSuggestionsSkeleton.ts
@ -25,6 +25,8 @@ export interface OutputSchema {
  actors: AppBskyUnspeccedDefs.SkeletonSearchActor[]
  /** DID of the account these suggestions are relative to. If this is returned undefined, suggestions are based on the viewer. */
  relativeToDid?: string
+  /** Snowflake for this recommendation, use when submitting recommendation events. */
+  recId?: number
  [k: string]: unknown
 }

--- a/packages/pds/CHANGELOG.md
+++ b/packages/pds/CHANGELOG.md
@ -1,5 +1,26 @@
 # @atproto/pds

+## 0.4.84
+
+### Patch Changes
+
+- Updated dependencies [[`e277158f7`](https://github.com/bluesky-social/atproto/commit/e277158f70a831b04fde3ec84b3c1eaa6ce82e9d)]:
+  - @atproto/api@0.13.27
+  - @atproto/oauth-provider@0.2.12
+  - @atproto-labs/fetch-node@0.1.5
+
+## 0.4.83
+
+### Patch Changes
+
+- Updated dependencies [[`1abfd74ec`](https://github.com/bluesky-social/atproto/commit/1abfd74ec7114e5d8e2411f7a4fa10bdce97e277)]:
+  - @atproto/crypto@0.4.3
+  - @atproto/aws@0.2.12
+  - @atproto/identity@0.4.5
+  - @atproto/repo@0.6.2
+  - @atproto/xrpc-server@0.7.6
+  - @atproto-labs/xrpc-utils@0.0.2
+
 ## 0.4.82

 ### Patch Changes
--- a/packages/pds/package.json
+++ b/packages/pds/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto/pds",
-  "version": "0.4.82",
+  "version": "0.4.84",
  "license": "MIT",
  "description": "Reference implementation of atproto Personal Data Server (PDS)",
  "keywords": [
--- a/packages/pds/src/lexicon/lexicons.ts
+++ b/packages/pds/src/lexicon/lexicons.ts
@ -12359,7 +12359,7 @@ export const schemaDict = {
              items: {
                type: 'string',
                description:
-                  'If specified, only events where the policy matches the given policy are returned',
+                  'If specified, only events where the action policies match any of the given policies are returned',
              },
            },
            cursor: {
--- a/packages/pds/src/lexicon/types/app/bsky/actor/getSuggestions.ts
+++ b/packages/pds/src/lexicon/types/app/bsky/actor/getSuggestions.ts
@ -19,6 +19,8 @@ export type InputSchema = undefined
 export interface OutputSchema {
  cursor?: string
  actors: AppBskyActorDefs.ProfileView[]
+  /** Snowflake for this recommendation, use when submitting recommendation events. */
+  recId?: number
  [k: string]: unknown
 }

--- a/packages/pds/src/lexicon/types/app/bsky/graph/getSuggestedFollowsByActor.ts
+++ b/packages/pds/src/lexicon/types/app/bsky/graph/getSuggestedFollowsByActor.ts
@ -19,6 +19,8 @@ export interface OutputSchema {
  suggestions: AppBskyActorDefs.ProfileView[]
  /** If true, response has fallen-back to generic results, and is not scoped using relativeToDid */
  isFallback?: boolean
+  /** Snowflake for this recommendation, use when submitting recommendation events. */
+  recId?: number
  [k: string]: unknown
 }

--- a/packages/pds/src/lexicon/types/app/bsky/unspecced/getSuggestionsSkeleton.ts
+++ b/packages/pds/src/lexicon/types/app/bsky/unspecced/getSuggestionsSkeleton.ts
@ -25,6 +25,8 @@ export interface OutputSchema {
  actors: AppBskyUnspeccedDefs.SkeletonSearchActor[]
  /** DID of the account these suggestions are relative to. If this is returned undefined, suggestions are based on the viewer. */
  relativeToDid?: string
+  /** Snowflake for this recommendation, use when submitting recommendation events. */
+  recId?: number
  [k: string]: unknown
 }

--- a/packages/pds/tests/_util.ts
+++ b/packages/pds/tests/_util.ts
@ -5,6 +5,7 @@ import { CID } from 'multiformats/cid'
 import { Server } from 'node:http'
 import { AddressInfo } from 'node:net'
 import { FeedViewPost } from '../src/lexicon/types/app/bsky/feed/defs'
+import { ToolsOzoneModerationDefs } from '@atproto/api'

 // Swap out identifiers and dates with stable
 // values for the purpose of snapshot testing
@ -202,3 +203,21 @@ export async function stopServer(server: Server) {
    })
  })
 }
+
+const normalizeSubjectStatus = (
+  subject: ToolsOzoneModerationDefs.SubjectStatusView,
+) => {
+  return { ...subject, tags: subject.tags?.sort() }
+}
+
+export const forSubjectStatusSnapshot = (
+  status:
+    | ToolsOzoneModerationDefs.SubjectStatusView
+    | ToolsOzoneModerationDefs.SubjectStatusView[],
+) => {
+  if (Array.isArray(status)) {
+    return forSnapshot(status.map(normalizeSubjectStatus))
+  }
+
+  return forSnapshot(normalizeSubjectStatus(status))
+}
--- a/packages/pds/tests/takedown-appeal.test.ts
+++ b/packages/pds/tests/takedown-appeal.test.ts
@ -1,6 +1,6 @@
 import { AtpAgent, ComAtprotoModerationDefs } from '@atproto/api'
 import { SeedClient, TestNetwork } from '@atproto/dev-env'
-import { forSnapshot } from './_util'
+import { forSubjectStatusSnapshot } from './_util'
 import { ids } from '../src/lexicon/lexicons'

 describe('appeal account takedown', () => {
@ -35,6 +35,7 @@ describe('appeal account takedown', () => {
      email: 'jeff@test.com',
      password: 'password',
    })
+    await network.processAll()

    // Emit a takedown event
    await network.ozone.getModClient().performTakedown({
@ -97,7 +98,9 @@ describe('appeal account takedown', () => {
    )

    expect(result.subjectStatuses[0].appealed).toBe(true)
-    expect(forSnapshot(result.subjectStatuses[0])).toMatchSnapshot()
+    expect(
+      forSubjectStatusSnapshot(result.subjectStatuses[0]),
+    ).toMatchSnapshot()
  })

  it('takendown actor is not allowed to create reports.', async () => {
--- a/packages/repo/CHANGELOG.md
+++ b/packages/repo/CHANGELOG.md
@ -1,5 +1,12 @@
 # @atproto/repo

+## 0.6.2
+
+### Patch Changes
+
+- Updated dependencies [[`1abfd74ec`](https://github.com/bluesky-social/atproto/commit/1abfd74ec7114e5d8e2411f7a4fa10bdce97e277)]:
+  - @atproto/crypto@0.4.3
+
 ## 0.6.1

 ### Patch Changes
--- a/packages/repo/package.json
+++ b/packages/repo/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto/repo",
-  "version": "0.6.1",
+  "version": "0.6.2",
  "license": "MIT",
  "description": "atproto repo and MST implementation",
  "keywords": [
--- a/packages/sync/CHANGELOG.md
+++ b/packages/sync/CHANGELOG.md
@ -1,5 +1,14 @@
 # @atproto/sync

+## 0.1.9
+
+### Patch Changes
+
+- Updated dependencies []:
+  - @atproto/identity@0.4.5
+  - @atproto/repo@0.6.2
+  - @atproto/xrpc-server@0.7.6
+
 ## 0.1.8

 ### Patch Changes
--- a/packages/sync/package.json
+++ b/packages/sync/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto/sync",
-  "version": "0.1.8",
+  "version": "0.1.9",
  "license": "MIT",
  "description": "atproto sync library",
  "keywords": [
--- a/packages/xrpc-server/CHANGELOG.md
+++ b/packages/xrpc-server/CHANGELOG.md
@ -1,5 +1,12 @@
 # @atproto/xrpc-server

+## 0.7.6
+
+### Patch Changes
+
+- Updated dependencies [[`1abfd74ec`](https://github.com/bluesky-social/atproto/commit/1abfd74ec7114e5d8e2411f7a4fa10bdce97e277)]:
+  - @atproto/crypto@0.4.3
+
 ## 0.7.5

 ### Patch Changes
--- a/packages/xrpc-server/package.json
+++ b/packages/xrpc-server/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto/xrpc-server",
-  "version": "0.7.5",
+  "version": "0.7.6",
  "license": "MIT",
  "description": "atproto HTTP API (XRPC) server library",
  "keywords": [
@ -37,7 +37,7 @@
    "@atproto/crypto": "workspace:^",
    "@types/express": "^4.17.13",
    "@types/express-serve-static-core": "^4.17.36",
-    "@types/http-errors": "^2.0.1",
+    "@types/http-errors": "^2.0.4",
    "@types/ws": "^8.5.4",
    "get-port": "^6.1.2",
    "jest": "^28.1.2",
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@ -201,7 +201,7 @@ importers:
        version: 0.0.1
      '@types/http-errors':
        specifier: ^2.0.1
-        version: 2.0.1
+        version: 2.0.4
      compression:
        specifier: ^1.7.4
        version: 1.7.4
@ -812,6 +812,9 @@ importers:
      '@atproto/jwk-jose':
        specifier: workspace:*
        version: link:../jwk-jose
+      zod:
+        specifier: ^3.23.8
+        version: 3.23.8
    devDependencies:
      typescript:
        specifier: ^5.6.3
@ -1566,8 +1569,8 @@ importers:
        specifier: ^4.17.36
        version: 4.17.36
      '@types/http-errors':
-        specifier: ^2.0.1
-        version: 2.0.1
+        specifier: ^2.0.4
+        version: 2.0.4
      '@types/ws':
        specifier: ^8.5.4
        version: 8.5.4
@ -6310,8 +6313,8 @@ packages:
      '@types/node': 18.19.67
    dev: true

-  /@types/http-errors@2.0.1:
-    resolution: {integrity: sha512-/K3ds8TRAfBvi5vfjuz8y6+GiAYBZ0x4tXv1Av6CWBWn0IlADc+ZX9pMq7oU0fNQPnBwIZl3rmeLp6SBApbxSQ==}
+  /@types/http-errors@2.0.4:
+    resolution: {integrity: sha512-D0CFMMtydbJAegzOyHjtiKPLlvnm3iTZyZRSZoLq2mRhDdmLfIWOCYPfQJ4cu2erKghU++QvjcUjp/5h7hESpA==}

  /@types/is-ci@3.0.0:
    resolution: {integrity: sha512-Q0Op0hdWbYd1iahB+IFNQcWXFq4O0Q5MwQP7uN0souuQ4rPg1vEYcnIOfr1gY+M+6rc8FGoRaBO1mOOvL29sEQ==}
@ -6447,7 +6450,7 @@ packages:
  /@types/serve-static@1.15.2:
    resolution: {integrity: sha512-J2LqtvFYCzaj8pVYKw8klQXrLLk7TBZmQ4ShlcdkELFKGwGMfevMLneMMRkMgZxotOD9wg497LpC7O8PcvAmfw==}
    dependencies:
-      '@types/http-errors': 2.0.1
+      '@types/http-errors': 2.0.4
      '@types/mime': 3.0.1
      '@types/node': 18.19.67
Author	SHA1	Message	Date
Daniel Holmgren	3f93d8cabf	Fix flaky appeal test (#3369 ) fix flaky appeal test	2025-01-14 13:02:06 -06:00
Hailey	17057144d8	add pipethrough for recids on suggestions (#3365 ) * add pipethrough * add missing	2025-01-13 16:33:32 -08:00
github-actions[bot]	a44db38d05	Version packages (#3345 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2025-01-13 16:32:43 -08:00
Ian Wesley-Smith	e277158f70	Add recId to getSuggestionsSkeleton (#3364 ) * Add recId to getSuggestionsSkeleton * codegen * add recId to app client endpoints * codegen * changeset --------- Co-authored-by: Hailey <me@haileyok.com>	2025-01-13 15:34:11 -08:00
Matthieu Sieben	d97272de0b	Fixes lexgen on main (#3351 ) fix lexgen	2025-01-10 14:46:14 +01:00
Matthieu Sieben	5ece8c6aea	Fix typo in "@atproto/fetch" (#3343 ) * fix typo * Response mime type check is now case-insensitive	2025-01-09 14:27:17 +01:00
Matthieu Sieben	2889c76995	Improve type safety and compatibility with Bun (#2879 ) * jwk: Improve type safety and compatibility with Bun * improve type safety of jwk keys * improve typing of verifyAccessToken * update @types/http-errors * Better report invalid content-encoding errors * Mark jwk key fields as readonly	2025-01-09 14:26:07 +01:00
Matthieu Sieben	48a0e9d606	Properly dispose of unused undici HTTP responses (#3344 ) Properly dispose of unused http responses	2025-01-09 14:18:07 +01:00
Foysal Ahamed	9dc7251fc7	✅ Update snapshot check for tags array (#3340 )	2025-01-08 17:24:31 +01:00
github-actions[bot]	5b6e0611d6	Version packages (#3336 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2025-01-07 12:06:16 -06:00