88 changed files with 300 additions and 722 deletions
--- a/.changeset/lucky-sloths-tie.md
+++ b/.changeset/lucky-sloths-tie.md
@ -0,0 +1,5 @@
 ---
 "@atproto/crypto": patch
 ---
 Update noble crypto libraries
--- a/lexicons/app/bsky/actor/getSuggestions.json
+++ b/lexicons/app/bsky/actor/getSuggestions.json
@ -30,10 +30,6 @@
                "type": "ref",
                "ref": "app.bsky.actor.defs#profileView"
              }
            },
            "recId": {
              "type": "integer",
              "description": "Snowflake for this recommendation, use when submitting recommendation events."
            }
          }
        }
--- a/lexicons/app/bsky/graph/getSuggestedFollowsByActor.json
+++ b/lexicons/app/bsky/graph/getSuggestedFollowsByActor.json
@ -29,10 +29,6 @@
              "type": "boolean",
              "description": "If true, response has fallen-back to generic results, and is not scoped using relativeToDid",
              "default": false
            },
            "recId": {
              "type": "integer",
              "description": "Snowflake for this recommendation, use when submitting recommendation events."
            }
          }
        }
--- a/lexicons/app/bsky/unspecced/getSuggestionsSkeleton.json
+++ b/lexicons/app/bsky/unspecced/getSuggestionsSkeleton.json
@ -45,10 +45,6 @@
              "type": "string",
              "format": "did",
              "description": "DID of the account these suggestions are relative to. If this is returned undefined, suggestions are based on the viewer."
            },
            "recId": {
              "type": "integer",
              "description": "Snowflake for this recommendation, use when submitting recommendation events."
            }
          }
        }
--- a/packages/api/CHANGELOG.md
+++ b/packages/api/CHANGELOG.md
@ -1,11 +1,5 @@
 # @atproto/api
 ## 0.13.27
 ### Patch Changes
 - [#3364](https://github.com/bluesky-social/atproto/pull/3364) [`e277158f7`](https://github.com/bluesky-social/atproto/commit/e277158f70a831b04fde3ec84b3c1eaa6ce82e9d) Thanks [@iwsmith](https://github.com/iwsmith)! - add recId to getSuggestions
 ## 0.13.26
 ### Patch Changes
--- a/packages/api/package.json
+++ b/packages/api/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto/api",
-  "version": "0.13.27",
+  "version": "0.13.26",
  "license": "MIT",
  "description": "Client library for atproto and Bluesky",
  "keywords": [
--- a/packages/api/src/client/lexicons.ts
+++ b/packages/api/src/client/lexicons.ts
@ -12359,7 +12359,7 @@ export const schemaDict = {
              items: {
                type: 'string',
                description:
-                  'If specified, only events where the action policies match any of the given policies are returned',
+                  'If specified, only events where the policy matches the given policy are returned',
              },
            },
            cursor: {
--- a/packages/api/src/client/types/app/bsky/actor/getSuggestions.ts
+++ b/packages/api/src/client/types/app/bsky/actor/getSuggestions.ts
@ -18,8 +18,6 @@ export type InputSchema = undefined
 export interface OutputSchema {
  cursor?: string
  actors: AppBskyActorDefs.ProfileView[]
  /** Snowflake for this recommendation, use when submitting recommendation events. */
  recId?: number
  [k: string]: unknown
 }
--- a/packages/api/src/client/types/app/bsky/graph/getSuggestedFollowsByActor.ts
+++ b/packages/api/src/client/types/app/bsky/graph/getSuggestedFollowsByActor.ts
@ -18,8 +18,6 @@ export interface OutputSchema {
  suggestions: AppBskyActorDefs.ProfileView[]
  /** If true, response has fallen-back to generic results, and is not scoped using relativeToDid */
  isFallback: boolean
  /** Snowflake for this recommendation, use when submitting recommendation events. */
  recId?: number
  [k: string]: unknown
 }
--- a/packages/api/src/client/types/app/bsky/unspecced/getSuggestionsSkeleton.ts
+++ b/packages/api/src/client/types/app/bsky/unspecced/getSuggestionsSkeleton.ts
@ -24,8 +24,6 @@ export interface OutputSchema {
  actors: AppBskyUnspeccedDefs.SkeletonSearchActor[]
  /** DID of the account these suggestions are relative to. If this is returned undefined, suggestions are based on the viewer. */
  relativeToDid?: string
  /** Snowflake for this recommendation, use when submitting recommendation events. */
  recId?: number
  [k: string]: unknown
 }
--- a/packages/aws/CHANGELOG.md
+++ b/packages/aws/CHANGELOG.md
@ -1,13 +1,5 @@
 # @atproto/aws
 ## 0.2.12
 ### Patch Changes
 - Updated dependencies [[`1abfd74ec`](https://github.com/bluesky-social/atproto/commit/1abfd74ec7114e5d8e2411f7a4fa10bdce97e277)]:
  - @atproto/crypto@0.4.3
  - @atproto/repo@0.6.2
 ## 0.2.11
 ### Patch Changes
--- a/packages/aws/package.json
+++ b/packages/aws/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto/aws",
-  "version": "0.2.12",
+  "version": "0.2.11",
  "license": "MIT",
  "description": "Shared AWS cloud API helpers for atproto services",
  "keywords": [
--- a/packages/bsky/CHANGELOG.md
+++ b/packages/bsky/CHANGELOG.md
@ -1,25 +1,5 @@
 # @atproto/bsky
 ## 0.0.106
 ### Patch Changes
 - Updated dependencies [[`e277158f7`](https://github.com/bluesky-social/atproto/commit/e277158f70a831b04fde3ec84b3c1eaa6ce82e9d)]:
  - @atproto/api@0.13.27
  - @atproto-labs/fetch-node@0.1.5
 ## 0.0.105
 ### Patch Changes
 - Updated dependencies [[`1abfd74ec`](https://github.com/bluesky-social/atproto/commit/1abfd74ec7114e5d8e2411f7a4fa10bdce97e277)]:
  - @atproto/crypto@0.4.3
  - @atproto/identity@0.4.5
  - @atproto/repo@0.6.2
  - @atproto/xrpc-server@0.7.6
  - @atproto/sync@0.1.9
  - @atproto-labs/xrpc-utils@0.0.2
 ## 0.0.104
 ### Patch Changes
--- a/packages/bsky/package.json
+++ b/packages/bsky/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto/bsky",
-  "version": "0.0.106",
+  "version": "0.0.104",
  "license": "MIT",
  "description": "Reference implementation of app.bsky App View (Bluesky API)",
  "keywords": [
--- a/packages/bsky/src/api/app/bsky/actor/getSuggestions.ts
+++ b/packages/bsky/src/api/app/bsky/actor/getSuggestions.ts
@ -71,7 +71,6 @@ const skeleton = async (input: {
    return {
      dids: res.data.actors.map((a) => a.did),
      cursor: res.data.cursor,
      recId: res.data.recId,
      resHeaders: res.headers,
    }
  } else {
@ -130,7 +129,6 @@ const presentation = (input: {
  return {
    actors,
    cursor: skeleton.cursor,
    recId: skeleton.recId,
    resHeaders: skeleton.resHeaders,
  }
 }
@ -150,6 +148,5 @@ type Params = QueryParams & {
 type Skeleton = {
  dids: string[]
  cursor?: string
  recId?: number
  resHeaders?: Record<string, string>
 }
--- a/packages/bsky/src/api/app/bsky/graph/getSuggestedFollowsByActor.ts
+++ b/packages/bsky/src/api/app/bsky/graph/getSuggestedFollowsByActor.ts
@ -73,7 +73,6 @@ const skeleton = async (input: SkeletonFnInput<Context, Params>) => {
    return {
      isFallback: !res.data.relativeToDid,
      suggestedDids: res.data.actors.map((a) => a.did),
      recId: res.data.recId,
      headers: res.headers,
    }
  } else {
@ -116,12 +115,7 @@ const presentation = (
  const suggestions = mapDefined(suggestedDids, (did) =>
    ctx.views.profileDetailed(did, hydration),
  )
-  return {
+  return { isFallback: skeleton.isFallback, suggestions, headers }
    isFallback: skeleton.isFallback,
    suggestions,
    recId: skeleton.recId,
    headers,
  }
 }
 type Context = {
@ -139,6 +133,5 @@ type Params = QueryParams & {
 type SkeletonState = {
  isFallback: boolean
  suggestedDids: string[]
  recId?: number
  headers?: Record<string, string>
 }
--- a/packages/bsky/src/lexicon/types/app/bsky/actor/getSuggestions.ts
+++ b/packages/bsky/src/lexicon/types/app/bsky/actor/getSuggestions.ts
@ -19,8 +19,6 @@ export type InputSchema = undefined
 export interface OutputSchema {
  cursor?: string
  actors: AppBskyActorDefs.ProfileView[]
  /** Snowflake for this recommendation, use when submitting recommendation events. */
  recId?: number
  [k: string]: unknown
 }
--- a/packages/bsky/src/lexicon/types/app/bsky/graph/getSuggestedFollowsByActor.ts
+++ b/packages/bsky/src/lexicon/types/app/bsky/graph/getSuggestedFollowsByActor.ts
@ -19,8 +19,6 @@ export interface OutputSchema {
  suggestions: AppBskyActorDefs.ProfileView[]
  /** If true, response has fallen-back to generic results, and is not scoped using relativeToDid */
  isFallback?: boolean
  /** Snowflake for this recommendation, use when submitting recommendation events. */
  recId?: number
  [k: string]: unknown
 }
--- a/packages/bsky/src/lexicon/types/app/bsky/unspecced/getSuggestionsSkeleton.ts
+++ b/packages/bsky/src/lexicon/types/app/bsky/unspecced/getSuggestionsSkeleton.ts
@ -25,8 +25,6 @@ export interface OutputSchema {
  actors: AppBskyUnspeccedDefs.SkeletonSearchActor[]
  /** DID of the account these suggestions are relative to. If this is returned undefined, suggestions are based on the viewer. */
  relativeToDid?: string
  /** Snowflake for this recommendation, use when submitting recommendation events. */
  recId?: number
  [k: string]: unknown
 }
--- a/packages/crypto/CHANGELOG.md
+++ b/packages/crypto/CHANGELOG.md
@ -1,11 +1,5 @@
 # @atproto/crypto
 ## 0.4.3
 ### Patch Changes
 - [#3335](https://github.com/bluesky-social/atproto/pull/3335) [`1abfd74ec`](https://github.com/bluesky-social/atproto/commit/1abfd74ec7114e5d8e2411f7a4fa10bdce97e277) Thanks [@dholms](https://github.com/dholms)! - Update noble crypto libraries
 ## 0.4.2
 ### Patch Changes
--- a/packages/crypto/package.json
+++ b/packages/crypto/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto/crypto",
-  "version": "0.4.3",
+  "version": "0.4.2",
  "license": "MIT",
  "description": "Library for cryptographic keys and signing in atproto",
  "keywords": [
--- a/packages/dev-env/CHANGELOG.md
+++ b/packages/dev-env/CHANGELOG.md
@ -1,30 +1,5 @@
 # @atproto/dev-env
 ## 0.3.76
 ### Patch Changes
 - [#3344](https://github.com/bluesky-social/atproto/pull/3344) [`48a0e9d60`](https://github.com/bluesky-social/atproto/commit/48a0e9d6060c2dc93899f13f2fc7cc76c04fbcd9) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Properly dispose of unused http responses
 - Updated dependencies [[`48a0e9d60`](https://github.com/bluesky-social/atproto/commit/48a0e9d6060c2dc93899f13f2fc7cc76c04fbcd9), [`e277158f7`](https://github.com/bluesky-social/atproto/commit/e277158f70a831b04fde3ec84b3c1eaa6ce82e9d)]:
  - @atproto/ozone@0.1.67
  - @atproto/api@0.13.27
  - @atproto/bsky@0.0.106
  - @atproto/pds@0.4.84
 ## 0.3.75
 ### Patch Changes
 - Updated dependencies [[`1abfd74ec`](https://github.com/bluesky-social/atproto/commit/1abfd74ec7114e5d8e2411f7a4fa10bdce97e277)]:
  - @atproto/crypto@0.4.3
  - @atproto/bsky@0.0.105
  - @atproto/identity@0.4.5
  - @atproto/ozone@0.1.66
  - @atproto/pds@0.4.83
  - @atproto/xrpc-server@0.7.6
  - @atproto/sync@0.1.9
 ## 0.3.74
 ### Patch Changes
--- a/packages/dev-env/package.json
+++ b/packages/dev-env/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto/dev-env",
-  "version": "0.3.76",
+  "version": "0.3.74",
  "license": "MIT",
  "description": "Local development environment helper for atproto development",
  "keywords": [
--- a/packages/dev-env/src/util.ts
+++ b/packages/dev-env/src/util.ts
@ -45,7 +45,7 @@ export const mockResolvers = (idResolver: IdResolver, pds: TestPds) => {
    try {
      const res = await request(url, { headers: { host: handle } })
      if (res.statusCode !== 200) {
-        await res.body.dump()
+        res.body.destroy()
        return undefined
      }
--- a/packages/identity/CHANGELOG.md
+++ b/packages/identity/CHANGELOG.md
@ -1,12 +1,5 @@
 # @atproto/identity
 ## 0.4.5
 ### Patch Changes
 - Updated dependencies [[`1abfd74ec`](https://github.com/bluesky-social/atproto/commit/1abfd74ec7114e5d8e2411f7a4fa10bdce97e277)]:
  - @atproto/crypto@0.4.3
 ## 0.4.4
 ### Patch Changes
--- a/packages/identity/package.json
+++ b/packages/identity/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto/identity",
-  "version": "0.4.5",
+  "version": "0.4.4",
  "license": "MIT",
  "description": "Library for decentralized identities in atproto using DIDs and handles",
  "keywords": [
--- a/packages/internal/did-resolver/CHANGELOG.md
+++ b/packages/internal/did-resolver/CHANGELOG.md
@ -1,12 +1,5 @@
 # @atproto-labs/did-resolver
 ## 0.1.8
 ### Patch Changes
 - Updated dependencies [[`5ece8c6ae`](https://github.com/bluesky-social/atproto/commit/5ece8c6aeab9c5c3f51295d93ed6e27c3c6095c2), [`5ece8c6ae`](https://github.com/bluesky-social/atproto/commit/5ece8c6aeab9c5c3f51295d93ed6e27c3c6095c2)]:
  - @atproto-labs/fetch@0.2.0
 ## 0.1.7
 ### Patch Changes
--- a/packages/internal/did-resolver/package.json
+++ b/packages/internal/did-resolver/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto-labs/did-resolver",
-  "version": "0.1.8",
+  "version": "0.1.7",
  "license": "MIT",
  "description": "DID resolution and verification library",
  "keywords": [
--- a/packages/internal/fetch-node/CHANGELOG.md
+++ b/packages/internal/fetch-node/CHANGELOG.md
@ -1,12 +1,5 @@
 # @atproto-labs/fetch-node
 ## 0.1.5
 ### Patch Changes
 - Updated dependencies [[`5ece8c6ae`](https://github.com/bluesky-social/atproto/commit/5ece8c6aeab9c5c3f51295d93ed6e27c3c6095c2), [`5ece8c6ae`](https://github.com/bluesky-social/atproto/commit/5ece8c6aeab9c5c3f51295d93ed6e27c3c6095c2)]:
  - @atproto-labs/fetch@0.2.0
 ## 0.1.4
 ### Patch Changes
--- a/packages/internal/fetch-node/package.json
+++ b/packages/internal/fetch-node/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto-labs/fetch-node",
-  "version": "0.1.5",
+  "version": "0.1.4",
  "license": "MIT",
  "description": "SSRF protection for fetch() in Node.js",
  "keywords": [
--- a/packages/internal/fetch/CHANGELOG.md
+++ b/packages/internal/fetch/CHANGELOG.md
@ -1,15 +1,5 @@
 # @atproto-labs/fetch
 ## 0.2.0
 ### Minor Changes
 - [#3343](https://github.com/bluesky-social/atproto/pull/3343) [`5ece8c6ae`](https://github.com/bluesky-social/atproto/commit/5ece8c6aeab9c5c3f51295d93ed6e27c3c6095c2) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Fix typo in `ResponseTranformer` and `fetchResponseJsonTranformer`
 ### Patch Changes
 - [#3343](https://github.com/bluesky-social/atproto/pull/3343) [`5ece8c6ae`](https://github.com/bluesky-social/atproto/commit/5ece8c6aeab9c5c3f51295d93ed6e27c3c6095c2) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Response mime type check is now case-insensitive (as per rfc2616)
 ## 0.1.2
 ### Patch Changes
--- a/packages/internal/fetch/package.json
+++ b/packages/internal/fetch/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto-labs/fetch",
-  "version": "0.2.0",
+  "version": "0.1.2",
  "license": "MIT",
  "description": "Isomorphic wrapper utilities for fetch API",
  "keywords": [
--- a/packages/internal/fetch/src/fetch-response.ts
+++ b/packages/internal/fetch/src/fetch-response.ts
@ -14,24 +14,7 @@ import {
  logCancellationError,
 } from './util.js'
-/**
+export type ResponseTranformer = Transformer<Response>
 * media-type     = type "/" subtype *( ";" parameter )
 * type           = token
 * subtype        = token
 * token          = 1*<any CHAR except CTLs or separators>
 * separators     = "(" | ")" | "<" | ">" | "@"
 *                | "," | ";" | ":" | "\" | <">
 *                | "/" | "[" | "]" | "?" | "="
 *                | "{" | "}" | SP | HT
 * CTL            = <any US-ASCII control character (octets 0 - 31) and DEL (127)>
 * SP             = <US-ASCII SP, space (32)>
 * HT             = <US-ASCII HT, horizontal-tab (9)>
 * @note The type, subtype, and parameter attribute names are case-insensitive.
 * @see {@link https://datatracker.ietf.org/doc/html/rfc2616#autoid-23}
 */
 const JSON_MIME = /^application\/(?:[^()<>@,;:/[\]\\?={} \t]+\+)?json$/i
 export type ResponseTransformer = Transformer<Response>
 export type ResponseMessageGetter = Transformer<Response, string | undefined>
 export class FetchResponseError extends FetchError {
@ -68,7 +51,7 @@ const extractResponseMessage: ResponseMessageGetter = async (response) => {
  try {
    if (mimeType === 'text/plain') {
      return await response.text()
-    } else if (JSON_MIME.test(mimeType)) {
+    } else if (/^application\/(?:[^+]+\+)?json$/i.test(mimeType)) {
      const json: unknown = await response.json()
      if (typeof json === 'string') return json
@ -172,7 +155,7 @@ export function cancelBodyOnError<T>(
 export function fetchOkProcessor(
  customMessage?: string | ResponseMessageGetter,
-): ResponseTransformer {
+): ResponseTranformer {
  return cancelBodyOnError((response) => {
    return fetchOkTransformer(response, customMessage)
  })
@ -186,7 +169,7 @@ export async function fetchOkTransformer(
  throw await FetchResponseError.from(response, customMessage)
 }
-export function fetchMaxSizeProcessor(maxBytes: number): ResponseTransformer {
+export function fetchMaxSizeProcessor(maxBytes: number): ResponseTranformer {
  if (maxBytes === Infinity) return (response) => response
  if (!Number.isFinite(maxBytes) || maxBytes < 0) {
    throw new TypeError('maxBytes must be a 0, Infinity or a positive number')
@ -217,7 +200,7 @@ export type MimeTypeCheck = string | RegExp | MimeTypeCheckFn
 export function fetchTypeProcessor(
  expectedMime: MimeTypeCheck,
  contentTypeRequired = true,
-): ResponseTransformer {
+): ResponseTranformer {
  const isExpected: MimeTypeCheckFn =
    typeof expectedMime === 'string'
      ? (mimeType) => mimeType === expectedMime
@ -237,7 +220,7 @@ export async function fetchResponseTypeChecker(
 ): Promise<Response> {
  const mimeType = extractMime(response)
  if (mimeType) {
-    if (!isExpectedMime(mimeType.toLowerCase())) {
+    if (!isExpectedMime(mimeType)) {
      throw await FetchResponseError.from(
        response,
        `Unexpected response Content-Type (${mimeType})`,
@ -260,7 +243,7 @@ export type ParsedJsonResponse<T = Json> = {
  json: T
 }
-export async function fetchResponseJsonTransformer<T = Json>(
+export async function fetchResponseJsonTranformer<T = Json>(
  response: Response,
 ): Promise<ParsedJsonResponse<T>> {
  try {
@ -277,12 +260,12 @@ export async function fetchResponseJsonTransformer<T = Json>(
 }
 export function fetchJsonProcessor<T = Json>(
-  expectedMime: MimeTypeCheck = JSON_MIME,
+  expectedMime: MimeTypeCheck = /^application\/(?:[^+]+\+)?json$/,
  contentTypeRequired = true,
 ): Transformer<Response, ParsedJsonResponse<T>> {
  return pipe(
    fetchTypeProcessor(expectedMime, contentTypeRequired),
-    cancelBodyOnError(fetchResponseJsonTransformer<T>),
+    cancelBodyOnError(fetchResponseJsonTranformer<T>),
  )
 }
--- a/packages/internal/handle-resolver-node/CHANGELOG.md
+++ b/packages/internal/handle-resolver-node/CHANGELOG.md
@ -1,12 +1,5 @@
 # @atproto-labs/handle-resolver-node
 ## 0.1.10
 ### Patch Changes
 - Updated dependencies []:
  - @atproto-labs/fetch-node@0.1.5
 ## 0.1.9
 ### Patch Changes
--- a/packages/internal/handle-resolver-node/package.json
+++ b/packages/internal/handle-resolver-node/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto-labs/handle-resolver-node",
-  "version": "0.1.10",
+  "version": "0.1.9",
  "license": "MIT",
  "description": "Node specific ATProto handle to DID resolver",
  "keywords": [
--- a/packages/internal/identity-resolver/CHANGELOG.md
+++ b/packages/internal/identity-resolver/CHANGELOG.md
@ -1,12 +1,5 @@
 # @atproto-labs/identity-resolver
 ## 0.1.10
 ### Patch Changes
 - Updated dependencies []:
  - @atproto-labs/did-resolver@0.1.8
 ## 0.1.9
 ### Patch Changes
--- a/packages/internal/identity-resolver/package.json
+++ b/packages/internal/identity-resolver/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto-labs/identity-resolver",
-  "version": "0.1.10",
+  "version": "0.1.9",
  "license": "MIT",
  "description": "A library resolving ATPROTO identities",
  "keywords": [
--- a/packages/internal/xrpc-utils/CHANGELOG.md
+++ b/packages/internal/xrpc-utils/CHANGELOG.md
@ -1,12 +1,5 @@
 # @atproto-labs/xrpc-utils
 ## 0.0.2
 ### Patch Changes
 - Updated dependencies []:
  - @atproto/xrpc-server@0.7.6
 ## 0.0.1
 ### Patch Changes
--- a/packages/internal/xrpc-utils/package.json
+++ b/packages/internal/xrpc-utils/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto-labs/xrpc-utils",
-  "version": "0.0.2",
+  "version": "0.0.1",
  "license": "MIT",
  "description": "XRPC server utilities for Node.JS",
  "keywords": [
--- a/packages/oauth/jwk-jose/CHANGELOG.md
+++ b/packages/oauth/jwk-jose/CHANGELOG.md
@ -1,16 +1,5 @@
 # @atproto/jwk-jose
 ## 0.1.3
 ### Patch Changes
 - [#2879](https://github.com/bluesky-social/atproto/pull/2879) [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Improve compatibility with runtimes relying on webcrypto (by explicit JOSE's importJWK() "alg" argument).
 - [#2879](https://github.com/bluesky-social/atproto/pull/2879) [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Remove unsafe type casting during JWT verification
 - Updated dependencies [[`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0)]:
  - @atproto/jwk@0.1.2
 ## 0.1.2
 ### Patch Changes
--- a/packages/oauth/jwk-jose/package.json
+++ b/packages/oauth/jwk-jose/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto/jwk-jose",
-  "version": "0.1.3",
+  "version": "0.1.2",
  "license": "MIT",
  "description": "`jose` based implementation of @atproto/jwk Key's",
  "keywords": [
--- a/packages/oauth/jwk-jose/src/jose-key.ts
+++ b/packages/oauth/jwk-jose/src/jose-key.ts
@ -1,19 +1,4 @@
-import {
+import { JwtVerifyError } from '@atproto/jwk'
  Jwk,
  JwkError,
  JwtCreateError,
  JwtHeader,
  JwtPayload,
  JwtVerifyError,
  Key,
  RequiredKey,
  SignedJwt,
  VerifyOptions,
  VerifyResult,
  jwkValidator,
  jwtHeaderSchema,
  jwtPayloadSchema,
 } from '@atproto/jwk'
 import {
  SignJWT,
  errors,
@ -29,6 +14,19 @@ import {
  type KeyLike,
 } from 'jose'
 import {
  Jwk,
  JwkError,
  JwtCreateError,
  JwtHeader,
  JwtPayload,
  Key,
  SignedJwt,
  VerifyOptions,
  VerifyPayload,
  VerifyResult,
  jwkValidator,
 } from '@atproto/jwk'
 import { either } from './util'
 const { JOSEError } = errors
@ -37,97 +35,53 @@ export type Importable = string | KeyLike | Jwk
 export type { GenerateKeyPairOptions, GenerateKeyPairResult }
-export class JoseKey<J extends Jwk = Jwk> extends Key<J> {
+export class JoseKey extends Key {
-  /**
+  #keyObj?: KeyLike | Uint8Array
-   * Some runtimes (e.g. Bun) require an `alg` second argument to be set when
+
-   * invoking `importJWK`. In order to be compatible with these runtimes, we
+  protected async getKey() {
   * provide the following method to ensure the `alg` is always set. We also
   * take the opportunity to ensure that the `alg` is compatible with this key.
   */
  protected async getKeyObj(alg: string) {
    if (!this.algorithms.includes(alg)) {
      throw new JwkError(`Key cannot be used with algorithm "${alg}"`)
    }
    try {
-      return await importJWK(this.jwk as JWK, alg)
+      return (this.#keyObj ||= await importJWK(this.jwk as JWK))
    } catch (cause) {
      throw new JwkError('Failed to import JWK', undefined, { cause })
    }
  }
-  async createJwt(header: JwtHeader, payload: JwtPayload): Promise<SignedJwt> {
+  async createJwt(header: JwtHeader, payload: JwtPayload) {
-    try {
+    if (header.kid && header.kid !== this.kid) {
-      const { kid } = header
+      throw new JwtCreateError(
-      if (kid && kid !== this.kid) {
+        `Invalid "kid" (${header.kid}) used to sign with key "${this.kid}"`,
-        throw new JwtCreateError(
+      )
          `Invalid "kid" (${kid}) used to sign with key "${this.kid}"`,
        )
      }
      const { alg } = header
      if (!alg) {
        throw new JwtCreateError('Missing "alg" in JWT header')
      }
      const keyObj = await this.getKeyObj(alg)
      const jwtBuilder = new SignJWT(payload).setProtectedHeader({
        ...header,
        alg,
        kid: this.kid,
      })
      const signedJwt = await jwtBuilder.sign(keyObj)
      return signedJwt as SignedJwt
    } catch (cause) {
      if (cause instanceof JOSEError) {
        throw new JwtCreateError(cause.message, cause.code, { cause })
      } else {
        throw JwtCreateError.from(cause)
      }
    }
    if (!header.alg || !this.algorithms.includes(header.alg)) {
      throw new JwtCreateError(
        `Invalid "alg" (${header.alg}) used to sign with key "${this.kid}"`,
      )
    }
    const keyObj = await this.getKey()
    return new SignJWT(payload)
      .setProtectedHeader({ ...header, kid: this.kid })
      .sign(keyObj) as Promise<SignedJwt>
  }
-  async verifyJwt<C extends string = never>(
+  async verifyJwt<
-    token: SignedJwt,
+    P extends VerifyPayload = JwtPayload,
-    options?: VerifyOptions<C>,
+    C extends string = string,
-  ): Promise<VerifyResult<C>> {
+  >(token: SignedJwt, options?: VerifyOptions<C>): Promise<VerifyResult<P, C>> {
    try {
-      const result = await jwtVerify(
+      const keyObj = await this.getKey()
-        token,
+      const result = await jwtVerify(token, keyObj, {
-        async ({ alg }) => this.getKeyObj(alg),
+        ...options,
-        { ...options, algorithms: this.algorithms } as JWTVerifyOptions,
+        algorithms: this.algorithms,
-      )
+      } as JWTVerifyOptions)
-      // @NOTE if all tokens are signed exclusively through createJwt(), then
+      return result as VerifyResult<P, C>
-      // there should be no need to parse the payload and headers here. But
+    } catch (error) {
-      // since the JWT could have been signed with the same key from somewhere
+      if (error instanceof JOSEError) {
-      // else, let's parse it to ensure the integrity (and type safety) of the
+        throw new JwtVerifyError(error.message, error.code, { cause: error })
      // data.
      const headerParsed = jwtHeaderSchema.safeParse(result.protectedHeader)
      if (!headerParsed.success) {
        throw new JwtVerifyError('Invalid JWT header', undefined, {
          cause: headerParsed.error,
        })
      }
      const payloadParsed = jwtPayloadSchema.safeParse(result.payload)
      if (!payloadParsed.success) {
        throw new JwtVerifyError('Invalid JWT payload', undefined, {
          cause: payloadParsed.error,
        })
      }
      return {
        protectedHeader: headerParsed.data,
        // "requiredClaims" enforced by jwtVerify()
        payload: payloadParsed.data as RequiredKey<JwtPayload, C>,
      }
    } catch (cause) {
      if (cause instanceof JOSEError) {
        throw new JwtVerifyError(cause.message, cause.code, { cause })
      } else {
-        throw JwtVerifyError.from(cause)
+        throw JwtVerifyError.from(error)
      }
    }
  }
--- a/packages/oauth/jwk-webcrypto/CHANGELOG.md
+++ b/packages/oauth/jwk-webcrypto/CHANGELOG.md
@ -1,13 +1,5 @@
 # @atproto/jwk-webcrypto
 ## 0.1.3
 ### Patch Changes
 - Updated dependencies [[`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0)]:
  - @atproto/jwk@0.1.2
  - @atproto/jwk-jose@0.1.3
 ## 0.1.2
 ### Patch Changes
--- a/packages/oauth/jwk-webcrypto/package.json
+++ b/packages/oauth/jwk-webcrypto/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto/jwk-webcrypto",
-  "version": "0.1.3",
+  "version": "0.1.2",
  "license": "MIT",
  "description": "Webcrypto based implementation of @atproto/jwk Key's",
  "keywords": [
@ -25,8 +25,7 @@
  },
  "dependencies": {
    "@atproto/jwk": "workspace:*",
-    "@atproto/jwk-jose": "workspace:*",
+    "@atproto/jwk-jose": "workspace:*"
    "zod": "^3.23.8"
  },
  "devDependencies": {
    "typescript": "^5.6.3"
--- a/packages/oauth/jwk-webcrypto/src/webcrypto-key.ts
+++ b/packages/oauth/jwk-webcrypto/src/webcrypto-key.ts
@ -1,20 +1,9 @@
-import { JwkError, jwkSchema } from '@atproto/jwk'
+import { Jwk, jwkSchema } from '@atproto/jwk'
 import { GenerateKeyPairOptions, JoseKey } from '@atproto/jwk-jose'
 import z from 'zod'
 import { fromSubtleAlgorithm, isCryptoKeyPair } from './util.js'
-// Webcrypto keys are bound to a single algorithm
+export class WebcryptoKey extends JoseKey {
 export const jwkWithAlgSchema = z.intersection(
  jwkSchema,
  z.object({ alg: z.string() }),
 )
 export type JwkWithAlg = z.infer<typeof jwkWithAlgSchema>
 export class WebcryptoKey<
  J extends JwkWithAlg = JwkWithAlg,
 > extends JoseKey<J> {
  // We need to override the static method generate from JoseKey because
  // the browser needs both the private and public keys
  static override async generate(
@ -37,35 +26,29 @@ export class WebcryptoKey<
    // > The "use" and "key_ops" JWK members SHOULD NOT be used together; [...]
    // > Applications should specify which of these members they use.
-    const {
+    const { key_ops: _, ...jwk } = await crypto.subtle.exportKey(
      key_ops,
      use,
      alg = fromSubtleAlgorithm(cryptoKeyPair.privateKey.algorithm),
      ...jwk
    } = await crypto.subtle.exportKey(
      'jwk',
      cryptoKeyPair.privateKey.extractable
        ? cryptoKeyPair.privateKey
        : cryptoKeyPair.publicKey,
    )
-    if (use && use !== 'sig') {
+    const use = jwk.use ?? 'sig'
-      throw new TypeError(`Unsupported JWK use "${use}"`)
+    const alg =
-    }
+      jwk.alg ?? fromSubtleAlgorithm(cryptoKeyPair.privateKey.algorithm)
-    if (key_ops && !key_ops.some((o) => o === 'sign' || o === 'verify')) {
+    if (use !== 'sig') {
-      // Make sure that "key_ops", if present, is compatible with "use"
+      throw new TypeError('Unsupported JWK use')
      throw new TypeError(`Invalid key_ops "${key_ops}" for "sig" use`)
    }
    return new WebcryptoKey(
-      jwkWithAlgSchema.parse({ ...jwk, kid, alg, use: 'sig' }),
+      jwkSchema.parse({ ...jwk, use, kid, alg }),
      cryptoKeyPair,
    )
  }
  constructor(
-    jwk: Readonly<J>,
+    jwk: Jwk,
    readonly cryptoKeyPair: CryptoKeyPair,
  ) {
    super(jwk)
@ -75,15 +58,12 @@ export class WebcryptoKey<
    return true
  }
-  get privateJwk(): Readonly<J> | undefined {
+  get privateJwk(): Jwk | undefined {
    if (super.isPrivate) return this.jwk
    throw new Error('Private Webcrypto Key not exportable')
  }
-  protected override async getKeyObj(alg: string) {
+  protected override async getKey() {
    if (this.jwk.alg !== alg) {
      throw new JwkError(`Key cannot be used with algorithm "${alg}"`)
    }
    return this.cryptoKeyPair.privateKey
  }
 }
--- a/packages/oauth/jwk/CHANGELOG.md
+++ b/packages/oauth/jwk/CHANGELOG.md
@ -1,17 +1,5 @@
 # @atproto/jwk
 ## 0.1.2
 ### Patch Changes
 - [#2879](https://github.com/bluesky-social/atproto/pull/2879) [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Mark jwk key fields as readonly
 - [#2879](https://github.com/bluesky-social/atproto/pull/2879) [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Remove unsafe type casting during JWT verification
 - [#2879](https://github.com/bluesky-social/atproto/pull/2879) [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Allow (passthrough) unknown properties in JWT payload & headers
 - [#2879](https://github.com/bluesky-social/atproto/pull/2879) [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Expose ValidationError to allow for proper error handling
 ## 0.1.1
 ### Patch Changes
--- a/packages/oauth/jwk/package.json
+++ b/packages/oauth/jwk/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto/jwk",
-  "version": "0.1.2",
+  "version": "0.1.1",
  "license": "MIT",
  "description": "A library for working with JSON Web Keys (JWKs) in TypeScript. This is meant to be extended by environment-specific libraries like @atproto/jwk-jose.",
  "keywords": [
--- a/packages/oauth/jwk/src/index.ts
+++ b/packages/oauth/jwk/src/index.ts
@ -1,8 +1,3 @@
 // Since we expose zod schemas, let's expose ZodError (under a generic name) so
 // that dependents can catch schema parsing errors without requiring an explicit
 // dependency on zod, or risking a conflict in case of mismatching zob versions.
 export { ZodError as ValidationError } from 'zod'
 export * from './alg.js'
 export * from './errors.js'
 export * from './jwk.js'
--- a/packages/oauth/jwk/src/jwt-verify.ts
+++ b/packages/oauth/jwk/src/jwt-verify.ts
@ -1,7 +1,7 @@
 import { JwtHeader, JwtPayload } from './jwt.js'
 import { RequiredKey } from './util.js'
-export type VerifyOptions<C extends string = never> = {
+export type VerifyOptions<C extends string = string> = {
  audience?: string | readonly string[]
  /** in seconds */
  clockTolerance?: number
@ -14,7 +14,9 @@ export type VerifyOptions<C extends string = never> = {
  requiredClaims?: readonly C[]
 }
-export type VerifyResult<C extends string = never> = {
+export type VerifyPayload = Record<string, unknown>
-  payload: RequiredKey<JwtPayload, C>
+
 export type VerifyResult<P extends VerifyPayload, C extends string> = {
  payload: RequiredKey<P & JwtPayload, C>
  protectedHeader: JwtHeader
 }
--- a/packages/oauth/jwk/src/jwt.ts
+++ b/packages/oauth/jwk/src/jwt.ts
@ -24,154 +24,150 @@ export const isUnsignedJwt = (data: unknown): data is UnsignedJwt =>
 /**
 * @see {@link https://www.rfc-editor.org/rfc/rfc7515.html#section-4}
 */
-export const jwtHeaderSchema = z
+export const jwtHeaderSchema = z.object({
-  .object({
+  /** "alg" (Algorithm) Header Parameter */
-    /** "alg" (Algorithm) Header Parameter */
+  alg: z.string(),
-    alg: z.string(),
+  /** "jku" (JWK Set URL) Header Parameter */
-    /** "jku" (JWK Set URL) Header Parameter */
+  jku: z.string().url().optional(),
-    jku: z.string().url().optional(),
+  /** "jwk" (JSON Web Key) Header Parameter */
-    /** "jwk" (JSON Web Key) Header Parameter */
+  jwk: z
-    jwk: z
+    .object({
-      .object({
+      kty: z.string(),
-        kty: z.string(),
+      crv: z.string().optional(),
-        crv: z.string().optional(),
+      x: z.string().optional(),
-        x: z.string().optional(),
+      y: z.string().optional(),
-        y: z.string().optional(),
+      e: z.string().optional(),
-        e: z.string().optional(),
+      n: z.string().optional(),
-        n: z.string().optional(),
+    })
-      })
+    .optional(),
-      .optional(),
+  /** "kid" (Key ID) Header Parameter */
-    /** "kid" (Key ID) Header Parameter */
+  kid: z.string().optional(),
-    kid: z.string().optional(),
+  /** "x5u" (X.509 URL) Header Parameter */
-    /** "x5u" (X.509 URL) Header Parameter */
+  x5u: z.string().optional(),
-    x5u: z.string().optional(),
+  /** "x5c" (X.509 Certificate Chain) Header Parameter */
-    /** "x5c" (X.509 Certificate Chain) Header Parameter */
+  x5c: z.array(z.string()).optional(),
-    x5c: z.array(z.string()).optional(),
+  /** "x5t" (X.509 Certificate SHA-1 Thumbprint) Header Parameter */
-    /** "x5t" (X.509 Certificate SHA-1 Thumbprint) Header Parameter */
+  x5t: z.string().optional(),
-    x5t: z.string().optional(),
+  /** "x5t#S256" (X.509 Certificate SHA-256 Thumbprint) Header Parameter */
-    /** "x5t#S256" (X.509 Certificate SHA-256 Thumbprint) Header Parameter */
+  'x5t#S256': z.string().optional(),
-    'x5t#S256': z.string().optional(),
+  /** "typ" (Type) Header Parameter */
-    /** "typ" (Type) Header Parameter */
+  typ: z.string().optional(),
-    typ: z.string().optional(),
+  /** "cty" (Content Type) Header Parameter */
-    /** "cty" (Content Type) Header Parameter */
+  cty: z.string().optional(),
-    cty: z.string().optional(),
+  /** "crit" (Critical) Header Parameter */
-    /** "crit" (Critical) Header Parameter */
+  crit: z.array(z.string()).optional(),
-    crit: z.array(z.string()).optional(),
+})
  })
  .passthrough()
 export type JwtHeader = z.infer<typeof jwtHeaderSchema>
 // https://www.iana.org/assignments/jwt/jwt.xhtml
-export const jwtPayloadSchema = z
+export const jwtPayloadSchema = z.object({
-  .object({
+  iss: z.string().optional(),
-    iss: z.string().optional(),
+  aud: z.union([z.string(), z.array(z.string()).nonempty()]).optional(),
-    aud: z.union([z.string(), z.array(z.string()).nonempty()]).optional(),
+  sub: z.string().optional(),
-    sub: z.string().optional(),
+  exp: z.number().int().optional(),
-    exp: z.number().int().optional(),
+  nbf: z.number().int().optional(),
-    nbf: z.number().int().optional(),
+  iat: z.number().int().optional(),
-    iat: z.number().int().optional(),
+  jti: z.string().optional(),
-    jti: z.string().optional(),
+  htm: z.string().optional(),
-    htm: z.string().optional(),
+  htu: z.string().optional(),
-    htu: z.string().optional(),
+  ath: z.string().optional(),
-    ath: z.string().optional(),
+  acr: z.string().optional(),
-    acr: z.string().optional(),
+  azp: z.string().optional(),
-    azp: z.string().optional(),
+  amr: z.array(z.string()).optional(),
-    amr: z.array(z.string()).optional(),
+  // https://datatracker.ietf.org/doc/html/rfc7800
-    // https://datatracker.ietf.org/doc/html/rfc7800
+  cnf: z
-    cnf: z
+    .object({
-      .object({
+      kid: z.string().optional(), // Key ID
-        kid: z.string().optional(), // Key ID
+      jwk: jwkPubSchema.optional(), // JWK
-        jwk: jwkPubSchema.optional(), // JWK
+      jwe: z.string().optional(), // Encrypted key
-        jwe: z.string().optional(), // Encrypted key
+      jku: z.string().url().optional(), // JWK Set URI ("kid" should also be provided)
        jku: z.string().url().optional(), // JWK Set URI ("kid" should also be provided)
-        // https://datatracker.ietf.org/doc/html/rfc9449#section-6.1
+      // https://datatracker.ietf.org/doc/html/rfc9449#section-6.1
-        jkt: z.string().optional(),
+      jkt: z.string().optional(),
-        // https://datatracker.ietf.org/doc/html/rfc8705
+      // https://datatracker.ietf.org/doc/html/rfc8705
-        'x5t#S256': z.string().optional(), // X.509 Certificate SHA-256 Thumbprint
+      'x5t#S256': z.string().optional(), // X.509 Certificate SHA-256 Thumbprint
-        // https://datatracker.ietf.org/doc/html/rfc9203
+      // https://datatracker.ietf.org/doc/html/rfc9203
-        osc: z.string().optional(), // OSCORE_Input_Material carrying the parameters for using OSCORE per-message security with implicit key confirmation
+      osc: z.string().optional(), // OSCORE_Input_Material carrying the parameters for using OSCORE per-message security with implicit key confirmation
-      })
+    })
-      .optional(),
+    .optional(),
-    client_id: z.string().optional(),
+  client_id: z.string().optional(),
-    scope: z.string().optional(),
+  scope: z.string().optional(),
-    nonce: z.string().optional(),
+  nonce: z.string().optional(),
-    at_hash: z.string().optional(),
+  at_hash: z.string().optional(),
-    c_hash: z.string().optional(),
+  c_hash: z.string().optional(),
-    s_hash: z.string().optional(),
+  s_hash: z.string().optional(),
-    auth_time: z.number().int().optional(),
+  auth_time: z.number().int().optional(),
-    // https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
+  // https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
-    // OpenID: "profile" scope
+  // OpenID: "profile" scope
-    name: z.string().optional(),
+  name: z.string().optional(),
-    family_name: z.string().optional(),
+  family_name: z.string().optional(),
-    given_name: z.string().optional(),
+  given_name: z.string().optional(),
-    middle_name: z.string().optional(),
+  middle_name: z.string().optional(),
-    nickname: z.string().optional(),
+  nickname: z.string().optional(),
-    preferred_username: z.string().optional(),
+  preferred_username: z.string().optional(),
-    gender: z.string().optional(), // OpenID only defines "male" and "female" without forbidding other values
+  gender: z.string().optional(), // OpenID only defines "male" and "female" without forbidding other values
-    picture: z.string().url().optional(),
+  picture: z.string().url().optional(),
-    profile: z.string().url().optional(),
+  profile: z.string().url().optional(),
-    website: z.string().url().optional(),
+  website: z.string().url().optional(),
-    birthdate: z
+  birthdate: z
-      .string()
+    .string()
-      .regex(/\d{4}-\d{2}-\d{2}/) // YYYY-MM-DD
+    .regex(/\d{4}-\d{2}-\d{2}/) // YYYY-MM-DD
-      .optional(),
+    .optional(),
-    zoneinfo: z
+  zoneinfo: z
-      .string()
+    .string()
-      .regex(/^[A-Za-z0-9_/]+$/)
+    .regex(/^[A-Za-z0-9_/]+$/)
-      .optional(),
+    .optional(),
-    locale: z
+  locale: z
-      .string()
+    .string()
-      .regex(/^[a-z]{2}(-[A-Z]{2})?$/)
+    .regex(/^[a-z]{2}(-[A-Z]{2})?$/)
-      .optional(),
+    .optional(),
-    updated_at: z.number().int().optional(),
+  updated_at: z.number().int().optional(),
-    // OpenID: "email" scope
+  // OpenID: "email" scope
-    email: z.string().optional(),
+  email: z.string().optional(),
-    email_verified: z.boolean().optional(),
+  email_verified: z.boolean().optional(),
-    // OpenID: "phone" scope
+  // OpenID: "phone" scope
-    phone_number: z.string().optional(),
+  phone_number: z.string().optional(),
-    phone_number_verified: z.boolean().optional(),
+  phone_number_verified: z.boolean().optional(),
-    // OpenID: "address" scope
+  // OpenID: "address" scope
-    // https://openid.net/specs/openid-connect-core-1_0.html#AddressClaim
+  // https://openid.net/specs/openid-connect-core-1_0.html#AddressClaim
-    address: z
+  address: z
-      .object({
+    .object({
-        formatted: z.string().optional(),
+      formatted: z.string().optional(),
-        street_address: z.string().optional(),
+      street_address: z.string().optional(),
-        locality: z.string().optional(),
+      locality: z.string().optional(),
-        region: z.string().optional(),
+      region: z.string().optional(),
-        postal_code: z.string().optional(),
+      postal_code: z.string().optional(),
-        country: z.string().optional(),
+      country: z.string().optional(),
-      })
+    })
-      .optional(),
+    .optional(),
-    // https://datatracker.ietf.org/doc/html/rfc9396#section-14.2
+  // https://datatracker.ietf.org/doc/html/rfc9396#section-14.2
-    authorization_details: z
+  authorization_details: z
-      .array(
+    .array(
-        z
+      z
-          .object({
+        .object({
-            type: z.string(),
+          type: z.string(),
-            // https://datatracker.ietf.org/doc/html/rfc9396#section-2.2
+          // https://datatracker.ietf.org/doc/html/rfc9396#section-2.2
-            locations: z.array(z.string()).optional(),
+          locations: z.array(z.string()).optional(),
-            actions: z.array(z.string()).optional(),
+          actions: z.array(z.string()).optional(),
-            datatypes: z.array(z.string()).optional(),
+          datatypes: z.array(z.string()).optional(),
-            identifier: z.string().optional(),
+          identifier: z.string().optional(),
-            privileges: z.array(z.string()).optional(),
+          privileges: z.array(z.string()).optional(),
-          })
+        })
-          .passthrough(),
+        .passthrough(),
-      )
+    )
-      .optional(),
+    .optional(),
-  })
+})
  .passthrough()
 export type JwtPayload = z.infer<typeof jwtPayloadSchema>
--- a/packages/oauth/jwk/src/key.ts
+++ b/packages/oauth/jwk/src/key.ts
@ -1,14 +1,12 @@
 import { jwkAlgorithms } from './alg.js'
 import { JwkError } from './errors.js'
 import { Jwk, jwkSchema } from './jwk.js'
-import { VerifyOptions, VerifyResult } from './jwt-verify.js'
+import { VerifyOptions, VerifyPayload, VerifyResult } from './jwt-verify.js'
 import { JwtHeader, JwtPayload, SignedJwt } from './jwt.js'
 import { cachedGetter } from './util.js'
-const jwkSchemaReadonly = jwkSchema.readonly()
+export abstract class Key {
-
+  constructor(protected readonly jwk: Readonly<Jwk>) {
 export abstract class Key<J extends Jwk = Jwk> {
  constructor(protected readonly jwk: Readonly<J>) {
    // A key should always be used either for signing or encryption.
    if (!jwk.use) throw new JwkError('Missing "use" Parameter value')
  }
@ -26,28 +24,25 @@ export abstract class Key<J extends Jwk = Jwk> {
    return false
  }
-  get privateJwk(): Readonly<J> | undefined {
+  get privateJwk(): Jwk | undefined {
    return this.isPrivate ? this.jwk : undefined
  }
  @cachedGetter
-  get publicJwk():
+  get publicJwk(): Jwk | undefined {
    | Readonly<Exclude<J, { kty: 'oct' }> & { d?: never }>
    | undefined {
    if (this.isSymetric) return undefined
-
+    if (this.isPrivate) {
-    return jwkSchemaReadonly.parse({
+      const { d: _, ...jwk } = this.jwk as any
-      ...this.jwk,
+      return jwk
-      d: undefined,
+    }
-      k: undefined,
+    return this.jwk
    }) as Exclude<J, { kty: 'oct' }> & { d?: never }
  }
  @cachedGetter
-  get bareJwk(): Readonly<Jwk> | undefined {
+  get bareJwk(): Jwk | undefined {
    if (this.isSymetric) return undefined
    const { kty, crv, e, n, x, y } = this.jwk as any
-    return jwkSchemaReadonly.parse({ crv, e, kty, n, x, y })
+    return jwkSchema.parse({ crv, e, kty, n, x, y })
  }
  get use() {
@ -69,7 +64,7 @@ export abstract class Key<J extends Jwk = Jwk> {
  }
  get crv() {
-    return (this.jwk as { crv: undefined } | Extract<J, { crv: unknown }>).crv
+    return (this.jwk as { crv: undefined } | Extract<Jwk, { crv: unknown }>).crv
  }
  /**
@ -78,7 +73,7 @@ export abstract class Key<J extends Jwk = Jwk> {
   */
  @cachedGetter
  get algorithms(): readonly string[] {
-    return Object.freeze(Array.from(jwkAlgorithms(this.jwk)))
+    return Array.from(jwkAlgorithms(this.jwk))
  }
  /**
@ -91,8 +86,8 @@ export abstract class Key<J extends Jwk = Jwk> {
   *
   * @throws {JwtVerifyError} if the JWT is invalid
   */
-  abstract verifyJwt<C extends string = never>(
+  abstract verifyJwt<
-    token: SignedJwt,
+    P extends VerifyPayload = JwtPayload,
-    options?: VerifyOptions<C>,
+    C extends string = string,
-  ): Promise<VerifyResult<C>>
+  >(token: SignedJwt, options?: VerifyOptions<C>): Promise<VerifyResult<P, C>>
 }
--- a/packages/oauth/jwk/src/keyset.ts
+++ b/packages/oauth/jwk/src/keyset.ts
@ -213,10 +213,13 @@ export class Keyset<K extends Key = Key> implements Iterable<K> {
    }
  }
-  async verifyJwt<C extends string = never>(
+  async verifyJwt<
    P extends Record<string, unknown> = JwtPayload,
    C extends string = string,
  >(
    token: SignedJwt,
    options?: VerifyOptions<C>,
-  ): Promise<VerifyResult<C> & { key: K }> {
+  ): Promise<VerifyResult<P, C> & { key: K }> {
    const { header } = unsafeDecodeJwt(token)
    const { kid, alg } = header
@ -224,7 +227,7 @@ export class Keyset<K extends Key = Key> implements Iterable<K> {
    for (const key of this.list({ kid, alg })) {
      try {
-        const result = await key.verifyJwt<C>(token, options)
+        const result = await key.verifyJwt<P, C>(token, options)
        return { ...result, key }
      } catch (err) {
        errors.push(err)
--- a/packages/oauth/jwk/src/util.ts
+++ b/packages/oauth/jwk/src/util.ts
@ -5,12 +5,12 @@ import { RefinementCtx, ZodIssueCode } from 'zod'
 export type Simplify<T> = { [K in keyof T]: T[K] } & {}
 export type Override<T, V> = Simplify<V & Omit<T, keyof V>>
-export type RequiredKey<T, K extends keyof T = never> = Simplify<
+export type RequiredKey<T, K extends string> = Simplify<
-  T & {
+  string extends K
-    [L in K]-?: unknown extends T[L]
+    ? T
-      ? NonNullable<unknown> | null
+    : {
-      : Exclude<T[L], undefined>
+        [L in K]: Exclude<L extends keyof T ? T[L] : unknown, undefined>
-  }
+      } & Omit<T, K>
 >
 // eslint-disable-next-line @typescript-eslint/ban-types
--- a/packages/oauth/oauth-client-browser/CHANGELOG.md
+++ b/packages/oauth/oauth-client-browser/CHANGELOG.md
@ -1,16 +1,5 @@
 # @atproto/oauth-client-browser
 ## 0.3.7
 ### Patch Changes
 - Updated dependencies [[`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0)]:
  - @atproto/jwk@0.1.2
  - @atproto/jwk-webcrypto@0.1.3
  - @atproto/oauth-client@0.3.7
  - @atproto/oauth-types@0.2.2
  - @atproto-labs/did-resolver@0.1.8
 ## 0.3.6
 ### Patch Changes
--- a/packages/oauth/oauth-client-browser/package.json
+++ b/packages/oauth/oauth-client-browser/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto/oauth-client-browser",
-  "version": "0.3.7",
+  "version": "0.3.6",
  "license": "MIT",
  "description": "ATPROTO OAuth client for the browser (relies on WebCrypto & Indexed DB)",
  "keywords": [
--- a/packages/oauth/oauth-client-node/CHANGELOG.md
+++ b/packages/oauth/oauth-client-node/CHANGELOG.md
@ -1,18 +1,5 @@
 # @atproto/oauth-client-node
 ## 0.2.7
 ### Patch Changes
 - Updated dependencies [[`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0)]:
  - @atproto/jwk@0.1.2
  - @atproto/jwk-jose@0.1.3
  - @atproto/jwk-webcrypto@0.1.3
  - @atproto/oauth-client@0.3.7
  - @atproto/oauth-types@0.2.2
  - @atproto-labs/did-resolver@0.1.8
  - @atproto-labs/handle-resolver-node@0.1.10
 ## 0.2.6
 ### Patch Changes
--- a/packages/oauth/oauth-client-node/package.json
+++ b/packages/oauth/oauth-client-node/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto/oauth-client-node",
-  "version": "0.2.7",
+  "version": "0.2.6",
  "license": "MIT",
  "description": "ATPROTO OAuth client for the NodeJS",
  "keywords": [
--- a/packages/oauth/oauth-client/CHANGELOG.md
+++ b/packages/oauth/oauth-client/CHANGELOG.md
@ -1,16 +1,5 @@
 # @atproto/oauth-client
 ## 0.3.7
 ### Patch Changes
 - Updated dependencies [[`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`5ece8c6ae`](https://github.com/bluesky-social/atproto/commit/5ece8c6aeab9c5c3f51295d93ed6e27c3c6095c2), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`5ece8c6ae`](https://github.com/bluesky-social/atproto/commit/5ece8c6aeab9c5c3f51295d93ed6e27c3c6095c2)]:
  - @atproto/jwk@0.1.2
  - @atproto-labs/fetch@0.2.0
  - @atproto/oauth-types@0.2.2
  - @atproto-labs/did-resolver@0.1.8
  - @atproto-labs/identity-resolver@0.1.10
 ## 0.3.6
 ### Patch Changes
--- a/packages/oauth/oauth-client/package.json
+++ b/packages/oauth/oauth-client/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto/oauth-client",
-  "version": "0.3.7",
+  "version": "0.3.6",
  "license": "MIT",
  "description": "OAuth client for ATPROTO PDS. This package serves as common base for environment-specific implementations (NodeJS, Browser, React-Native).",
  "keywords": [
--- a/packages/oauth/oauth-provider/CHANGELOG.md
+++ b/packages/oauth/oauth-provider/CHANGELOG.md
@ -1,16 +1,5 @@
 # @atproto/oauth-provider
 ## 0.2.12
 ### Patch Changes
 - Updated dependencies [[`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`5ece8c6ae`](https://github.com/bluesky-social/atproto/commit/5ece8c6aeab9c5c3f51295d93ed6e27c3c6095c2), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`5ece8c6ae`](https://github.com/bluesky-social/atproto/commit/5ece8c6aeab9c5c3f51295d93ed6e27c3c6095c2)]:
  - @atproto/jwk@0.1.2
  - @atproto/jwk-jose@0.1.3
  - @atproto-labs/fetch@0.2.0
  - @atproto/oauth-types@0.2.2
  - @atproto-labs/fetch-node@0.1.5
 ## 0.2.11
 ### Patch Changes
--- a/packages/oauth/oauth-provider/package.json
+++ b/packages/oauth/oauth-provider/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto/oauth-provider",
-  "version": "0.2.12",
+  "version": "0.2.11",
  "license": "MIT",
  "description": "Generic OAuth2 and OpenID Connect provider for Node.js. Currently only supports features needed for Atproto.",
  "keywords": [
--- a/packages/oauth/oauth-provider/src/signer/signed-token-payload.ts
+++ b/packages/oauth/oauth-provider/src/signer/signed-token-payload.ts
@ -27,8 +27,7 @@ export const signedTokenPayloadSchema = z.intersection(
      jti: tokenIdSchema,
      sub: subSchema,
      client_id: clientIdSchema,
-    })
+    }),
    .passthrough(),
 )
 export type SignedTokenPayload = Simplify<
--- a/packages/oauth/oauth-provider/src/signer/signer.ts
+++ b/packages/oauth/oauth-provider/src/signer/signer.ts
@ -19,7 +19,7 @@ import {
  signedTokenPayloadSchema,
 } from './signed-token-payload.js'
-export type SignPayload = JwtPayload & { iss?: never }
+export type SignPayload = Omit<JwtPayload, 'iss'>
 export class Signer {
  constructor(
@ -27,11 +27,11 @@ export class Signer {
    public readonly keyset: Keyset,
  ) {}
-  async verify<C extends string = never>(
+  async verify<P extends Record<string, unknown> = JwtPayload>(
    token: SignedJwt,
-    options?: Omit<VerifyOptions<C>, 'issuer'>,
+    options?: Omit<VerifyOptions, 'issuer'>,
  ) {
-    return this.keyset.verifyJwt<C>(token, {
+    return this.keyset.verifyJwt<P>(token, {
      ...options,
      issuer: [this.issuer],
    })
@ -84,16 +84,18 @@ export class Signer {
    )
  }
-  async verifyAccessToken<C extends string = never>(
+  async verifyAccessToken(token: SignedJwt) {
-    token: SignedJwt,
+    const result = await this.verify<SignedTokenPayload>(token, {
-    options?: Omit<VerifyOptions<C>, 'issuer' | 'typ'>,
+      typ: 'at+jwt',
-  ) {
+    })
-    const result = await this.verify<C>(token, { ...options, typ: 'at+jwt' })
+
-    type Payload = typeof result.payload // RequiredKey<JwtPayload, C>
+    // The result is already type casted as an AccessTokenPayload, but we need
-    return {
+    // to actually verify this. That should already be covered by the fact that
-      protectedHeader: result.protectedHeader,
+    // we don't sign 'at+jwt' tokens without a valid token ID. Let's double
-      payload: signedTokenPayloadSchema.parse(result.payload) as Payload &
+    // check in case another version/implementation was used to generate the
-        SignedTokenPayload,
+    // token.
-    }
+    signedTokenPayloadSchema.parse(result.payload)
    return result
  }
 }
--- a/packages/oauth/oauth-provider/src/token/token-manager.ts
+++ b/packages/oauth/oauth-provider/src/token/token-manager.ts
@ -462,7 +462,6 @@ export class TokenManager {
      case isSignedJwt(token): {
        const { payload } = await this.signer.verify(token, {
          clockTolerance: Infinity,
          requiredClaims: ['jti'],
        })
        const tokenId = tokenIdSchema.parse(payload.jti)
        await this.store.deleteToken(tokenId)
--- a/packages/oauth/oauth-types/CHANGELOG.md
+++ b/packages/oauth/oauth-types/CHANGELOG.md
@ -1,12 +1,5 @@
 # @atproto/oauth-types
 ## 0.2.2
 ### Patch Changes
 - Updated dependencies [[`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0), [`2889c7699`](https://github.com/bluesky-social/atproto/commit/2889c76995ce3c569f595ac3c678218e9ce659f0)]:
  - @atproto/jwk@0.1.2
 ## 0.2.1
 ### Patch Changes
--- a/packages/oauth/oauth-types/package.json
+++ b/packages/oauth/oauth-types/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto/oauth-types",
-  "version": "0.2.2",
+  "version": "0.2.1",
  "license": "MIT",
  "description": "OAuth typing & validation library",
  "keywords": [
--- a/packages/ozone/CHANGELOG.md
+++ b/packages/ozone/CHANGELOG.md
@ -1,23 +1,5 @@
 # @atproto/ozone
 ## 0.1.67
 ### Patch Changes
 - [#3344](https://github.com/bluesky-social/atproto/pull/3344) [`48a0e9d60`](https://github.com/bluesky-social/atproto/commit/48a0e9d6060c2dc93899f13f2fc7cc76c04fbcd9) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Properly dispose of unused http responses
 - Updated dependencies [[`e277158f7`](https://github.com/bluesky-social/atproto/commit/e277158f70a831b04fde3ec84b3c1eaa6ce82e9d)]:
  - @atproto/api@0.13.27
 ## 0.1.66
 ### Patch Changes
 - Updated dependencies [[`1abfd74ec`](https://github.com/bluesky-social/atproto/commit/1abfd74ec7114e5d8e2411f7a4fa10bdce97e277)]:
  - @atproto/crypto@0.4.3
  - @atproto/identity@0.4.5
  - @atproto/xrpc-server@0.7.6
 ## 0.1.65
 ### Patch Changes
--- a/packages/ozone/package.json
+++ b/packages/ozone/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto/ozone",
-  "version": "0.1.67",
+  "version": "0.1.65",
  "license": "MIT",
  "description": "Backend service for moderating the Bluesky network.",
  "keywords": [
--- a/packages/ozone/src/daemon/blob-diverter.ts
+++ b/packages/ozone/src/daemon/blob-diverter.ts
@ -46,7 +46,7 @@ export class BlobDiverter {
      })
    if (blobResponse.statusCode !== 200) {
-      await blobResponse.body.dump()
+      blobResponse.body.destroy()
      throw new XRPCError(
        blobResponse.statusCode,
        undefined,
@ -72,7 +72,7 @@ export class BlobDiverter {
      }
    } catch (err) {
      // Typically un-supported content encoding
-      await blobResponse.body.dump()
+      blobResponse.body.destroy()
      throw err
    }
  }
@ -99,7 +99,7 @@ export class BlobDiverter {
      })
    if (result.statusCode !== 200) {
-      await result.body.dump()
+      result.body.destroy()
      throw new XRPCError(
        result.statusCode,
        undefined,
--- a/packages/ozone/src/lexicon/lexicons.ts
+++ b/packages/ozone/src/lexicon/lexicons.ts
@ -12359,7 +12359,7 @@ export const schemaDict = {
              items: {
                type: 'string',
                description:
-                  'If specified, only events where the action policies match any of the given policies are returned',
+                  'If specified, only events where the policy matches the given policy are returned',
              },
            },
            cursor: {
--- a/packages/ozone/src/lexicon/types/app/bsky/actor/getSuggestions.ts
+++ b/packages/ozone/src/lexicon/types/app/bsky/actor/getSuggestions.ts
@ -19,8 +19,6 @@ export type InputSchema = undefined
 export interface OutputSchema {
  cursor?: string
  actors: AppBskyActorDefs.ProfileView[]
  /** Snowflake for this recommendation, use when submitting recommendation events. */
  recId?: number
  [k: string]: unknown
 }
--- a/packages/ozone/src/lexicon/types/app/bsky/graph/getSuggestedFollowsByActor.ts
+++ b/packages/ozone/src/lexicon/types/app/bsky/graph/getSuggestedFollowsByActor.ts
@ -19,8 +19,6 @@ export interface OutputSchema {
  suggestions: AppBskyActorDefs.ProfileView[]
  /** If true, response has fallen-back to generic results, and is not scoped using relativeToDid */
  isFallback?: boolean
  /** Snowflake for this recommendation, use when submitting recommendation events. */
  recId?: number
  [k: string]: unknown
 }
--- a/packages/ozone/src/lexicon/types/app/bsky/unspecced/getSuggestionsSkeleton.ts
+++ b/packages/ozone/src/lexicon/types/app/bsky/unspecced/getSuggestionsSkeleton.ts
@ -25,8 +25,6 @@ export interface OutputSchema {
  actors: AppBskyUnspeccedDefs.SkeletonSearchActor[]
  /** DID of the account these suggestions are relative to. If this is returned undefined, suggestions are based on the viewer. */
  relativeToDid?: string
  /** Snowflake for this recommendation, use when submitting recommendation events. */
  recId?: number
  [k: string]: unknown
 }
--- a/packages/pds/CHANGELOG.md
+++ b/packages/pds/CHANGELOG.md
@ -1,26 +1,5 @@
 # @atproto/pds
 ## 0.4.84
 ### Patch Changes
 - Updated dependencies [[`e277158f7`](https://github.com/bluesky-social/atproto/commit/e277158f70a831b04fde3ec84b3c1eaa6ce82e9d)]:
  - @atproto/api@0.13.27
  - @atproto/oauth-provider@0.2.12
  - @atproto-labs/fetch-node@0.1.5
 ## 0.4.83
 ### Patch Changes
 - Updated dependencies [[`1abfd74ec`](https://github.com/bluesky-social/atproto/commit/1abfd74ec7114e5d8e2411f7a4fa10bdce97e277)]:
  - @atproto/crypto@0.4.3
  - @atproto/aws@0.2.12
  - @atproto/identity@0.4.5
  - @atproto/repo@0.6.2
  - @atproto/xrpc-server@0.7.6
  - @atproto-labs/xrpc-utils@0.0.2
 ## 0.4.82
 ### Patch Changes
--- a/packages/pds/package.json
+++ b/packages/pds/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto/pds",
-  "version": "0.4.84",
+  "version": "0.4.82",
  "license": "MIT",
  "description": "Reference implementation of atproto Personal Data Server (PDS)",
  "keywords": [
--- a/packages/pds/src/lexicon/lexicons.ts
+++ b/packages/pds/src/lexicon/lexicons.ts
@ -12359,7 +12359,7 @@ export const schemaDict = {
              items: {
                type: 'string',
                description:
-                  'If specified, only events where the action policies match any of the given policies are returned',
+                  'If specified, only events where the policy matches the given policy are returned',
              },
            },
            cursor: {
--- a/packages/pds/src/lexicon/types/app/bsky/actor/getSuggestions.ts
+++ b/packages/pds/src/lexicon/types/app/bsky/actor/getSuggestions.ts
@ -19,8 +19,6 @@ export type InputSchema = undefined
 export interface OutputSchema {
  cursor?: string
  actors: AppBskyActorDefs.ProfileView[]
  /** Snowflake for this recommendation, use when submitting recommendation events. */
  recId?: number
  [k: string]: unknown
 }
--- a/packages/pds/src/lexicon/types/app/bsky/graph/getSuggestedFollowsByActor.ts
+++ b/packages/pds/src/lexicon/types/app/bsky/graph/getSuggestedFollowsByActor.ts
@ -19,8 +19,6 @@ export interface OutputSchema {
  suggestions: AppBskyActorDefs.ProfileView[]
  /** If true, response has fallen-back to generic results, and is not scoped using relativeToDid */
  isFallback?: boolean
  /** Snowflake for this recommendation, use when submitting recommendation events. */
  recId?: number
  [k: string]: unknown
 }
--- a/packages/pds/src/lexicon/types/app/bsky/unspecced/getSuggestionsSkeleton.ts
+++ b/packages/pds/src/lexicon/types/app/bsky/unspecced/getSuggestionsSkeleton.ts
@ -25,8 +25,6 @@ export interface OutputSchema {
  actors: AppBskyUnspeccedDefs.SkeletonSearchActor[]
  /** DID of the account these suggestions are relative to. If this is returned undefined, suggestions are based on the viewer. */
  relativeToDid?: string
  /** Snowflake for this recommendation, use when submitting recommendation events. */
  recId?: number
  [k: string]: unknown
 }
--- a/packages/pds/tests/_util.ts
+++ b/packages/pds/tests/_util.ts
@ -5,7 +5,6 @@ import { CID } from 'multiformats/cid'
 import { Server } from 'node:http'
 import { AddressInfo } from 'node:net'
 import { FeedViewPost } from '../src/lexicon/types/app/bsky/feed/defs'
 import { ToolsOzoneModerationDefs } from '@atproto/api'
 // Swap out identifiers and dates with stable
 // values for the purpose of snapshot testing
@ -203,21 +202,3 @@ export async function stopServer(server: Server) {
    })
  })
 }
 const normalizeSubjectStatus = (
  subject: ToolsOzoneModerationDefs.SubjectStatusView,
 ) => {
  return { ...subject, tags: subject.tags?.sort() }
 }
 export const forSubjectStatusSnapshot = (
  status:
    | ToolsOzoneModerationDefs.SubjectStatusView
    | ToolsOzoneModerationDefs.SubjectStatusView[],
 ) => {
  if (Array.isArray(status)) {
    return forSnapshot(status.map(normalizeSubjectStatus))
  }
  return forSnapshot(normalizeSubjectStatus(status))
 }
--- a/packages/pds/tests/takedown-appeal.test.ts
+++ b/packages/pds/tests/takedown-appeal.test.ts
@ -1,6 +1,6 @@
 import { AtpAgent, ComAtprotoModerationDefs } from '@atproto/api'
 import { SeedClient, TestNetwork } from '@atproto/dev-env'
-import { forSubjectStatusSnapshot } from './_util'
+import { forSnapshot } from './_util'
 import { ids } from '../src/lexicon/lexicons'
 describe('appeal account takedown', () => {
@ -35,7 +35,6 @@ describe('appeal account takedown', () => {
      email: 'jeff@test.com',
      password: 'password',
    })
    await network.processAll()
    // Emit a takedown event
    await network.ozone.getModClient().performTakedown({
@ -98,9 +97,7 @@ describe('appeal account takedown', () => {
    )
    expect(result.subjectStatuses[0].appealed).toBe(true)
-    expect(
+    expect(forSnapshot(result.subjectStatuses[0])).toMatchSnapshot()
      forSubjectStatusSnapshot(result.subjectStatuses[0]),
    ).toMatchSnapshot()
  })
  it('takendown actor is not allowed to create reports.', async () => {
--- a/packages/repo/CHANGELOG.md
+++ b/packages/repo/CHANGELOG.md
@ -1,12 +1,5 @@
 # @atproto/repo
 ## 0.6.2
 ### Patch Changes
 - Updated dependencies [[`1abfd74ec`](https://github.com/bluesky-social/atproto/commit/1abfd74ec7114e5d8e2411f7a4fa10bdce97e277)]:
  - @atproto/crypto@0.4.3
 ## 0.6.1
 ### Patch Changes
--- a/packages/repo/package.json
+++ b/packages/repo/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto/repo",
-  "version": "0.6.2",
+  "version": "0.6.1",
  "license": "MIT",
  "description": "atproto repo and MST implementation",
  "keywords": [
--- a/packages/sync/CHANGELOG.md
+++ b/packages/sync/CHANGELOG.md
@ -1,14 +1,5 @@
 # @atproto/sync
 ## 0.1.9
 ### Patch Changes
 - Updated dependencies []:
  - @atproto/identity@0.4.5
  - @atproto/repo@0.6.2
  - @atproto/xrpc-server@0.7.6
 ## 0.1.8
 ### Patch Changes
--- a/packages/sync/package.json
+++ b/packages/sync/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto/sync",
-  "version": "0.1.9",
+  "version": "0.1.8",
  "license": "MIT",
  "description": "atproto sync library",
  "keywords": [
--- a/packages/xrpc-server/CHANGELOG.md
+++ b/packages/xrpc-server/CHANGELOG.md
@ -1,12 +1,5 @@
 # @atproto/xrpc-server
 ## 0.7.6
 ### Patch Changes
 - Updated dependencies [[`1abfd74ec`](https://github.com/bluesky-social/atproto/commit/1abfd74ec7114e5d8e2411f7a4fa10bdce97e277)]:
  - @atproto/crypto@0.4.3
 ## 0.7.5
 ### Patch Changes
--- a/packages/xrpc-server/package.json
+++ b/packages/xrpc-server/package.json
@ -1,6 +1,6 @@
 {
  "name": "@atproto/xrpc-server",
-  "version": "0.7.6",
+  "version": "0.7.5",
  "license": "MIT",
  "description": "atproto HTTP API (XRPC) server library",
  "keywords": [
@ -37,7 +37,7 @@
    "@atproto/crypto": "workspace:^",
    "@types/express": "^4.17.13",
    "@types/express-serve-static-core": "^4.17.36",
-    "@types/http-errors": "^2.0.4",
+    "@types/http-errors": "^2.0.1",
    "@types/ws": "^8.5.4",
    "get-port": "^6.1.2",
    "jest": "^28.1.2",
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@ -201,7 +201,7 @@ importers:
        version: 0.0.1
      '@types/http-errors':
        specifier: ^2.0.1
-        version: 2.0.4
+        version: 2.0.1
      compression:
        specifier: ^1.7.4
        version: 1.7.4
@ -812,9 +812,6 @@ importers:
      '@atproto/jwk-jose':
        specifier: workspace:*
        version: link:../jwk-jose
      zod:
        specifier: ^3.23.8
        version: 3.23.8
    devDependencies:
      typescript:
        specifier: ^5.6.3
@ -1569,8 +1566,8 @@ importers:
        specifier: ^4.17.36
        version: 4.17.36
      '@types/http-errors':
-        specifier: ^2.0.4
+        specifier: ^2.0.1
-        version: 2.0.4
+        version: 2.0.1
      '@types/ws':
        specifier: ^8.5.4
        version: 8.5.4
@ -6313,8 +6310,8 @@ packages:
      '@types/node': 18.19.67
    dev: true
-  /@types/http-errors@2.0.4:
+  /@types/http-errors@2.0.1:
-    resolution: {integrity: sha512-D0CFMMtydbJAegzOyHjtiKPLlvnm3iTZyZRSZoLq2mRhDdmLfIWOCYPfQJ4cu2erKghU++QvjcUjp/5h7hESpA==}
+    resolution: {integrity: sha512-/K3ds8TRAfBvi5vfjuz8y6+GiAYBZ0x4tXv1Av6CWBWn0IlADc+ZX9pMq7oU0fNQPnBwIZl3rmeLp6SBApbxSQ==}
  /@types/is-ci@3.0.0:
    resolution: {integrity: sha512-Q0Op0hdWbYd1iahB+IFNQcWXFq4O0Q5MwQP7uN0souuQ4rPg1vEYcnIOfr1gY+M+6rc8FGoRaBO1mOOvL29sEQ==}
@ -6450,7 +6447,7 @@ packages:
  /@types/serve-static@1.15.2:
    resolution: {integrity: sha512-J2LqtvFYCzaj8pVYKw8klQXrLLk7TBZmQ4ShlcdkELFKGwGMfevMLneMMRkMgZxotOD9wg497LpC7O8PcvAmfw==}
    dependencies:
-      '@types/http-errors': 2.0.4
+      '@types/http-errors': 2.0.1
      '@types/mime': 3.0.1
      '@types/node': 18.19.67