feat(2): Q4.3 — bluesky-pds Phase-2 enrollment + 3 tests cold green

- tests/bluesky-pds/recipe_meta.py: HEALTH_PATH=/xrpc/_health, 600s timeouts.
- tests/bluesky-pds/install_steps.sh: recipe needs pds_plc_rotation_key (32-byte secp256k1
  hex, marked generate=false). Hook generates via cc-ci-run python (secrets.token_bytes(32);
  random 32-byte value is almost-always a valid secp256k1 private key, ~2^-128 fail rate).
  Inserted via 'abra app secret insert' under TTY-wrap. Per-run class-B; destroyed at teardown.
- tests/bluesky-pds/PARITY.md: no health_check.py in the recipe-maintainer corpus -> Phase-2
  health_check aligned with parity convention. goat_account.py parity deferred (needs goat CLI
  in container; operational complexity).
- 3 functional tests:
  - test_health_check.py: GET /xrpc/_health -> 200, {version: ...}.
  - test_describe_server.py: GET /xrpc/com.atproto.server.describeServer -> 200, JSON with
    atproto config keys (availableUserDomains/inviteCodeRequired/links/did).
  - test_session_auth.py: GET /xrpc/com.atproto.server.getSession (no auth) -> 401 + JSON
    XRPC error envelope. (Replaced test_well_known_did — /.well-known/atproto-did isn't
    auto-published by the recipe.)

Cold-verifiable: ssh cc-ci 'RECIPE=bluesky-pds STAGES=install,custom cc-ci-run runner/run_recipe_ci.py'
  install + 3 custom tests all PASS, deploy-count=1.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

tests/bluesky-pds/functional/test_describe_server.py

@@ -0,0 +1,31 @@
+"""bluesky-pds — recipe-specific functional test (Phase 2 P3).
+
+GETs `/xrpc/com.atproto.server.describeServer` — the public atproto XRPC endpoint that advertises
+the PDS's configuration. Asserts the response is JSON with at least one of the documented PDS
+config fields (`availableUserDomains` array of hosting domains, OR `inviteCodeRequired` bool).
+
+Non-vacuous: distinguishes a working atproto PDS from a generic HTTP 200 (a misconfigured server
+that returns 200 from /xrpc/* but with a non-atproto shape would fail).
+"""
+
+from __future__ import annotations
+
+import os
+import sys
+
+sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "..", "runner"))
+from harness import http as harness_http  # noqa: E402
+
+
+def test_describe_server_returns_atproto_envelope(live_app):
+    """GET /xrpc/com.atproto.server.describeServer → 200 + atproto config JSON."""
+    url = f"https://{live_app}/xrpc/com.atproto.server.describeServer"
+    status, body = harness_http.retry_http_get(url, expect_status=200, max_wait=60, interval=3)
+    assert status == 200, f"GET {url} HTTP {status} (expected 200)"
+    assert isinstance(body, dict), f"describe-server returned non-dict: {type(body).__name__}"
+    # At least one of these atproto-spec fields must be present
+    expected_any = ("availableUserDomains", "inviteCodeRequired", "links", "did")
+    present = [k for k in expected_any if k in body]
+    assert present, (
+        f"describe-server missing all of {expected_any}; got keys: {sorted(body.keys())[:20]}"
+    )

tests/bluesky-pds/functional/test_health_check.py

@@ -0,0 +1,22 @@
+"""bluesky-pds — Phase-2 health_check (recipe-maintainer corpus has no health_check.py).
+
+Tests the PDS's `/xrpc/_health` endpoint; asserts 200 + JSON with a `version` field.
+"""
+
+from __future__ import annotations
+
+import os
+import sys
+
+sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "..", "runner"))
+from harness import http as harness_http  # noqa: E402
+
+
+def test_pds_health_returns_version(live_app):
+    """GET /xrpc/_health → 200, JSON {"version": "..."}."""
+    url = f"https://{live_app}/xrpc/_health"
+    status, body = harness_http.retry_http_get(url, expect_status=200, max_wait=60, interval=3)
+    assert status == 200, f"GET {url} HTTP {status} (expected 200)"
+    assert isinstance(body, dict) and isinstance(body.get("version"), str) and body["version"], (
+        f"GET {url} response is not the expected health envelope: {body!r}"
+    )

tests/bluesky-pds/functional/test_session_auth.py

@@ -0,0 +1,35 @@
+"""bluesky-pds — recipe-specific functional test (Phase 2 P3).
+
+GETs the atproto session endpoint `/xrpc/com.atproto.server.getSession` WITHOUT an auth header.
+Asserts the PDS responds with 401 Unauthorized — proves the auth subsystem is wired correctly:
+- 200 = anonymous access leaked (would be a security bug).
+- 401 = correctly enforced.
+- 404 = route missing (PDS misconfigured).
+- 5xx = backend broken.
+
+Distinguishes "the atproto XRPC server is alive AND its auth contract is enforced" from generic
+HTTP 200 health. Non-vacuous: each non-401 status indicates a different class of defect.
+"""
+
+from __future__ import annotations
+
+import os
+import sys
+
+sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "..", "runner"))
+from harness import http as harness_http  # noqa: E402
+
+
+def test_get_session_requires_auth(live_app):
+    """GET /xrpc/com.atproto.server.getSession (no token) → 401."""
+    url = f"https://{live_app}/xrpc/com.atproto.server.getSession"
+    status, body = harness_http.retry_http_get(url, expect_status=401, max_wait=60, interval=3)
+    assert status == 401, (
+        f"GET {url} returned {status}, expected 401 (auth required). "
+        f"200 = anonymous leak; 404 = route missing; 5xx = backend broken. "
+        f"body: {body!r}"
+    )
+    # The XRPC error envelope is JSON with an `error` field per the atproto spec.
+    assert isinstance(body, dict) and body.get("error"), (
+        f"expected XRPC JSON error envelope; got: {body!r}"
+    )