diff --git a/cc-ci-plan/upstream/bluesky-pds.md b/cc-ci-plan/upstream/bluesky-pds.md
new file mode 100644
index 0000000..4fb49dd
--- /dev/null
+++ b/cc-ci-plan/upstream/bluesky-pds.md
@@ -0,0 +1,34 @@
+# Upstream sources — bluesky-pds
+
+| service | image | source repo | releases / changelog |
+|---------|-------|-------------|----------------------|
+| app | ghcr.io/bluesky-social/pds | https://github.com/bluesky-social/pds | git tags `vX.Y.Z` (no GitHub Releases objects — `releases/latest` 404s) |
+| caddy | docker.io/caddy:2 | https://github.com/caddyserver/caddy | https://github.com/caddyserver/caddy/releases |
+
+## Standing notes (researched 2026-06-11, bsky phase)
+
+- **`:0.4` is a MOVING tag that now tracks upstream main, not the 0.4.x release line.**
+  As of 2026-06-11, `ghcr.io/bluesky-social/pds:0.4` == `latest` (manifest digest
+  `sha256:871194d2…`, created 2026-05-30) and contains `@atproto/pds` **0.5.1** on
+  **Node v24.15.0** with the service restructured to run TypeScript directly:
+  `CMD ["node", "--enable-source-maps", "index.ts"]`, `/app/index.ts` (NO `index.js`),
+  plus a bundled `goat` CLI at /usr/local/bin/goat. This matches the current `main`
+  Dockerfile (`FROM node:24.15-alpine3.23`, `COPY ./service`, CMD index.ts).
+  Any recipe override that assumes `/app/index.js` crash-loops MODULE_NOT_FOUND on it.
+- **Exact-version tags keep the classic layout through v0.4.219** (newest exact tag as of
+  2026-06-11; ghcr digest `sha256:e0b756701c92…`): `FROM node:20.20-alpine3.23`,
+  WORKDIR `/app`, `/app/index.js` present, `dumb-init` at /usr/bin/dumb-init,
+  `CMD ["node", "--enable-source-maps", "index.js"]`, `@atproto/pds: 0.4.219`
+  (verified by running the image: Node v20.20.2). Exact tags published:
+  …0.4.135, 0.4.136, 0.4.138, 0.4.158, 0.4.169, 0.4.182, 0.4.188, 0.4.193, 0.4.204,
+  0.4.208, 0.4.219 — plus an anomalous `0.4.5001` (avoid; looks like a mis-tag).
+- **Env interface stable across 0.4.x:** the recipe's env (PDS_HOSTNAME,
+  PDS_DATA_DIRECTORY, PDS_BLOBSTORE_DISK_LOCATION, PDS_BLOB_UPLOAD_LIMIT,
+  PDS_EMAIL_SMTP_URL, PDS_EMAIL_FROM_ADDRESS, PDS_INVITE_REQUIRED, LOG_ENABLED) and
+  secret-fed vars (PDS_JWT_SECRET, PDS_ADMIN_PASSWORD,
+  PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX) are the same set upstream's installer
+  (`installer.sh` / compose.yaml on the pds repo) uses for 0.4.x. No migrations
+  required for a same-series re-pin.
+- **Pin guidance:** always pin an EXACT version tag (e.g. `0.4.219`); never `:0.4`
+  or `latest` — upstream demonstrably republishes the minor tag with main builds.
+  Health endpoint: `GET /xrpc/_health` on port 3000 (unchanged).