Skip to content

Add atproto-oauth skill#6

Open
Ashex wants to merge 1 commit into
mainfrom
task/atproto-oauth-skill
Open

Add atproto-oauth skill#6
Ashex wants to merge 1 commit into
mainfrom
task/atproto-oauth-skill

Conversation

@Ashex

@Ashex Ashex commented Jul 1, 2026

Copy link
Copy Markdown
Collaborator

Add a more generic atproto-oauth skill that can be used anywhere. Using this skill will prevent the use of outdated knowledge such as relying on transition scopes but also build in institutional knowledge about XRPC/RPC methods (particularly when using app.bsky RPC).

Summary by CodeRabbit

  • Documentation
    • Added guidance for setting up and using AT Protocol OAuth 2.1 flows, including security, session handling, and troubleshooting tips.
    • Clarified which skills are reusable in this repository versus pointers to external sources.
    • Updated contributor instructions for adding new skills and keeping the catalog current.
  • New Features
    • Added a new documented skill entry for AT Protocol OAuth-related tasks and debugging.

@coderabbitai

coderabbitai Bot commented Jul 1, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Adds a new AT Protocol OAuth 2.1 skill document (atproto-oauth) covering protocol requirements, DPoP, scopes, identity verification, session storage, and security guidance. Updates CONTRIBUTING.md and README.md to distinguish locally hosted vs. pointer-based skills, and adds a corresponding row to the skill-map catalog.

Changes

AT Protocol OAuth Skill Addition

Layer / File(s) Summary
atproto-oauth SKILL.md content
.agents/skills/atproto-oauth/SKILL.md
New skill document detailing mandatory OAuth 2.1 profile requirements (PKCE S256, PAR, DPoP-bound tokens), the end-to-end flow, client metadata schema, DPoP nonce handling, scope/aud grammar, identity verification, session/state storage design, security requirements, a troubleshooting cheatsheet, library guidance, and implementation guidelines.
Catalog documentation and skill-map wiring
CONTRIBUTING.md, README.md, skills/hypercerts/references/skill-map.md
CONTRIBUTING.md clarifies rules for vendoring generic vs. pointer-based app-specific skills and updates catalog-update steps; README.md restructures the "Included" section into hosted skills vs. pointers; skill-map.md adds a row mapping OAuth-related tasks to the new atproto-oauth skill.

Estimated code review effort: 2 (Simple) | ~10 minutes

Possibly related PRs

  • hypercerts-org/skills#1: Updates the same skills/hypercerts/references/skill-map.md file as part of the skill-catalog documentation for the same repository.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and concisely describes the main change: adding the atproto-oauth skill.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch task/atproto-oauth-skill

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.


## Verifying against current docs

Endpoint signatures, scope grammar, and token formats can change. If an MCP client with AT Protocol documentation access is available, use it to check current details rather than relying solely on this skill. The AT Protocol docs MCP server is available at `https://atproto.mcp.kapa.ai` if one isn't already connected.

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This can be dropped if it's too large a shift from the skills approach, in my harness I include a trailing section to always verify knowledge with an mcp.

@Kzoeps

Kzoeps commented Jul 1, 2026

Copy link
Copy Markdown
Collaborator

just a quick thought i think it might overlap quite a bit with the epds login skill as well: https://github.com/hypercerts-org/ePDS/tree/main/.agents/skills/epds-login. But i guess this is also more generic to normal pds oauth so i guess it fine? Do let me know what you think once you look into epds-login and if you think it makes sense to have this here as well then we can merge it

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.agents/skills/atproto-oauth/SKILL.md:
- Around line 56-68: The OAuth skill examples still use transition:generic as if
it were the default scope, which conflicts with the later migration-only
guidance. Update the normative example in SKILL.md and the later inline example
to use the preferred modern scope instead, and keep transition:generic only in a
clearly labeled legacy migration example. Refer to the example JSON snippet and
the later inline example so both occurrences stay consistent.
- Around line 24-46: The fenced blocks in SKILL.md are missing a language tag,
triggering markdownlint MD040 and reducing readability. Update the three
affected fences in the atproto-oauth skill content to use a plain text language
tag, keeping the existing prose and structure unchanged. Locate the code fences
in the numbered workflow section and apply the same fix consistently to all
three instances.

In `@README.md`:
- Around line 31-37: The README’s hosted-skills section is currently empty, so
the newly hosted skill is not discoverable. Update the “Included skills (hosted
here)” section to add a bullet for the hosted skill using its actual name, such
as atproto-oauth, or remove the subsection entirely until it contains real
entries. Keep the change localized to the README section that lists hosted
skills so the skill is visible to readers.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1c86a738-9f5c-47ca-82e6-9e823af5caea

📥 Commits

Reviewing files that changed from the base of the PR and between 147cbb2 and 3511e1f.

📒 Files selected for processing (4)
  • .agents/skills/atproto-oauth/SKILL.md
  • CONTRIBUTING.md
  • README.md
  • skills/hypercerts/references/skill-map.md

Comment on lines +24 to +46
```
1. Resolve identity handle/DID → DID document → PDS URL (via #atproto_pds service)
2. Discover PDS GET {PDS}/.well-known/oauth-protected-resource
→ authorization_servers[0] (must be exactly one)
3. Discover AS GET {AS}/.well-known/oauth-authorization-server
→ issuer, authorization_endpoint, token_endpoint,
pushed_authorization_request_endpoint,
require_pushed_authorization_requests=true,
authorization_response_iss_parameter_supported=true,
client_id_metadata_document_supported=true,
dpop_signing_alg_values_supported ⊇ [ES256],
code_challenge_methods_supported ⊇ [S256]
4. PAR POST {par_endpoint} with client assertion (confidential) + DPoP proof
→ 400 use_dpop_nonce on first try → retry with nonce → 201 request_uri
5. Redirect GET {authorize_endpoint}?client_id=...&request_uri=... (nothing else)
6. User approves on AS
7. Callback GET {redirect_uri}?code=...&state=...&iss=...
verify state exists (delete row = single-use), verify iss == stored issuer
8. Token exchange POST {token_endpoint}: code + code_verifier + client assertion + DPoP
→ access_token, refresh_token, scope, sub (DID), token_type=DPoP
9. Identity verification sub → DID doc → #atproto_pds → matches PDS from step 2 → AS matches step 3
10. Resource requests Authorization: DPoP <access_token> + DPoP proof with ath=SHA-256(access_token)
```

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Add a language tag to the fenced examples.

These three code fences trip markdownlint (MD040) and are harder to scan without a language. text is sufficient for each.

Suggested change
-```
+```text

Apply the same change to the other two fences.

Also applies to: 83-86, 118-122

🧰 Tools
🪛 markdownlint-cli2 (0.22.1)

[warning] 24-24: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🪛 SkillSpector (2.3.7)

[error] 149: [PE3] Credential Access: Code accesses credential files (SSH keys, AWS credentials, etc.). This could indicate credential theft attempts.

Remediation: Remove references to credential paths. Use environment variables or secrets managers. For docs, use placeholder paths (e.g., /path/to/config). Never load .env or token files in production code paths.

(Privilege Escalation (PE3))

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.agents/skills/atproto-oauth/SKILL.md around lines 24 - 46, The fenced
blocks in SKILL.md are missing a language tag, triggering markdownlint MD040 and
reducing readability. Update the three affected fences in the atproto-oauth
skill content to use a plain text language tag, keeping the existing prose and
structure unchanged. Locate the code fences in the numbered workflow section and
apply the same fix consistently to all three instances.

Source: Linters/SAST tools

Comment on lines +56 to +68
```json
{
"client_id": "https://example.app/oauth-client-metadata.json",
"application_type": "web",
"grant_types": ["authorization_code", "refresh_token"],
"response_types": ["code"],
"scope": "atproto transition:generic",
"redirect_uris": ["https://example.app/oauth/callback"],
"dpop_bound_access_tokens": true,
"token_endpoint_auth_method": "private_key_jwt",
"token_endpoint_auth_signing_alg": "ES256",
"jwks_uri": "https://example.app/.well-known/jwks.json"
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Don't teach transition:generic as the default path.

The normative examples still include the coarse transition scope, which conflicts with the later guidance to reserve transitional scopes for legacy ports. Keep it only as a clearly labeled migration-only example.

Suggested change
-  "scope": "atproto transition:generic",
+  "scope": "atproto repo:app.bsky.feed.post?action=create",

Apply the same replacement in the later inline example at Line 96.

Also applies to: 96-97

🧰 Tools
🪛 SkillSpector (2.3.7)

[error] 149: [PE3] Credential Access: Code accesses credential files (SSH keys, AWS credentials, etc.). This could indicate credential theft attempts.

Remediation: Remove references to credential paths. Use environment variables or secrets managers. For docs, use placeholder paths (e.g., /path/to/config). Never load .env or token files in production code paths.

(Privilege Escalation (PE3))

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.agents/skills/atproto-oauth/SKILL.md around lines 56 - 68, The OAuth skill
examples still use transition:generic as if it were the default scope, which
conflicts with the later migration-only guidance. Update the normative example
in SKILL.md and the later inline example to use the preferred modern scope
instead, and keep transition:generic only in a clearly labeled legacy migration
example. Refer to the example JSON snippet and the later inline example so both
occurrences stay consistent.

Comment thread README.md
Comment on lines +31 to +37
## Included skills (hosted here)

The meta-skill points to:
Generic, reusable skills that are not tied to any specific app live directly in this repository under `.agents/skills`.

## Included pointers (hosted elsewhere)

App-specific focused skills remain pointers to their source repositories:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Surface the newly hosted skill.

The new hosted-skills subsection is empty, so atproto-oauth still isn't discoverable from the README. Add a bullet here or remove the subsection until it lists actual items.

Suggested change
 ## Included skills (hosted here)
 
 Generic, reusable skills that are not tied to any specific app live directly in this repository under `.agents/skills`.
+
+- `atproto-oauth` — AT Protocol OAuth 2.1 guidance
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
## Included skills (hosted here)
The meta-skill points to:
Generic, reusable skills that are not tied to any specific app live directly in this repository under `.agents/skills`.
## Included pointers (hosted elsewhere)
App-specific focused skills remain pointers to their source repositories:
## Included skills (hosted here)
Generic, reusable skills that are not tied to any specific app live directly in this repository under `.agents/skills`.
- `atproto-oauth` — AT Protocol OAuth 2.1 guidance
## Included pointers (hosted elsewhere)
App-specific focused skills remain pointers to their source repositories:
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@README.md` around lines 31 - 37, The README’s hosted-skills section is
currently empty, so the newly hosted skill is not discoverable. Update the
“Included skills (hosted here)” section to add a bullet for the hosted skill
using its actual name, such as atproto-oauth, or remove the subsection entirely
until it contains real entries. Keep the change localized to the README section
that lists hosted skills so the skill is visible to readers.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants