+1 -1

docs/TEST_AUDIT.md

reviewed

··· 82 82 - PLC identity success procedures now also match the official runtime’s empty-body `200` surface: `com.atproto.identity.requestPlcOperationSignature`, `com.atproto.identity.updateHandle`, and `com.atproto.identity.submitPlcOperation`. 83 83 - Remaining lexicon-void admin/sync/temp procedures now also stay on the empty-body `200` surface instead of returning local JSON `{}` objects, including `com.atproto.admin.updateAccountHandle`, `updateAccountEmail`, `disableInviteCodes`, `updateAccountSigningKey`, `com.atproto.sync.requestCrawl`, `notifyOfUpdate`, `com.atproto.temp.requestPhoneVerification`, `revokeAccountCredentials`, and `com.atproto.repo.importRepo`. 84 84 - `app.bsky.actor.putPreferences` and `/oauth/revoke` now also keep their void-style empty-body `200` surface instead of returning local JSON `{}` objects. 85 85 - - The executable differential harness now also pins empty-body success semantics for `com.atproto.repo.importRepo` and the successful admin `updateAccountEmail` / `updateAccountHandle` flows instead of leaving those response-shape checks purely local. 85 85 + - The executable differential harness now also pins empty-body success semantics for `com.atproto.repo.importRepo`, successful admin `updateAccountEmail` / `updateAccountHandle`, and successful `com.atproto.admin.disableInviteCodes` flows instead of leaving those response-shape checks purely local. 86 86 - Password-bearing account endpoints need the same bounded-length behavior as the official runtime: `createAccount` rejects passwords longer than 256 characters, `createSession` rejects passwords longer than 512 characters with the reset hint, and `resetPassword` / `deleteAccount` reject overlong password inputs with `Invalid password length.` 87 87 - The executable reference harness now also pins those password-boundary semantics directly, including the official `AuthenticationRequired` error shape for overlong `createSession` requests and case-insensitive `requestPasswordReset` email lookup. 88 88 - `com.atproto.server.createAccount` with an explicit `did` must behave like an authenticated migration flow: require auth from that same DID, keep the existing DID document, and start the new account deactivated until activation catches the DID document up to the new PDS.

+13

script/differential-validate

reviewed

··· 2731 2731 check($unused_batch->is_success, "$name createInviteCodes succeeds for unused-code batch"); 2732 2732 next unless $unused_batch->is_success; 2733 2733 my $unused_code = (($unused_batch->json || {})->{codes} || [])->[0]{codes}[0]; 2734 2734 + my $disable_unused = post_json( 2735 2735 + $server{$name}{origin}, 2736 2736 + 'com.atproto.admin.disableInviteCodes', 2737 2737 + { 2738 2738 + codes => [$unused_code], 2739 2739 + }, 2740 2740 + admin_auth_header($server{$name}{admin_password}), 2741 2741 + ); 2742 2742 + check($disable_unused->is_success, "$name disableInviteCodes succeeds"); 2734 2743 2735 2744 my $invite_first = post_json($server{$name}{origin}, 'com.atproto.server.createAccount', { 2736 2745 handle => $name eq 'reference' ? 'invite-a-ref.test' : 'invite-a-perl.test', ··· 2802 2811 }; 2803 2812 2804 2813 $server{$name}{admin_invite_code_listing} = { 2814 2814 + disable_unused => { 2815 2815 + status => $disable_unused->code // 0, 2816 2816 + body => $disable_unused->body, 2817 2817 + }, 2805 2818 recent => { 2806 2819 cursor_present => defined(($recent->json || {})->{cursor}) ? 1 : 0, 2807 2820 codes => $normalize_codes->(($recent->json || {})->{codes} || []),