Changelog

All notable changes to Lockspire will be documented in this file.

The format is based on Keep a Changelog, and versions follow Semantic Versioning.

1.0.0 (2026-05-09)

Features

  • 27-01: implement DCR JSON serialization (673b78d)
  • 27-02: implement RegistrationController and Tests (d7ee025)
  • 27-02: mount DCR endpoints in Router (548c6e4)
  • 28-01: build and mount DCR policy LiveView (2d08d7e)
  • 28-01: create DCR policy form schema (83abed0)
  • 28-02: add admin initial access tokens core logic (cdacecb)
  • 28-02: build IAT index and new liveviews (e3f17e7)
  • 28-03: add provenance filter to clients index (e3a8233)
  • 28-03: add self-registered panel and RAT rotate modal (42f7392)
  • 28-04: Complete Phase 28 Plan 04: DCR and IAT Lifecycle Telemetry (4e4a92e)
  • 29-01: truth-based registration endpoint discovery (e61a1d1)
  • 30-01: add device authorization schema and migrations (255e712)
  • 30-01: implement device authorization domain and store behavior (95de4c5)
  • 30-01: implement put_device_authorization repository behavior (00ebdea)
  • 30-02: implement device authorization protocol pipeline (bbf1bb9)
  • 30-02: implement device code generation utilities (4167afc)
  • 30-03: add POST /device/code route (e934422)
  • 30-03: implement device authorization controller and json view (ae3a7c7)
  • 31-01: extend device authorization verification state (be80f25)
  • 31-01: implement device authorization transitions (2196724)
  • 31-02: generate host-owned verification seam (7c97bac)
  • 31-02: implement controller-first verification starter seam (6421ee9)
  • 31-03: add device verification host guide (10383e8)
  • 31-03: wire phase 31 verification docs (410dc36)
  • 31-04: add device verification protocol API (211c385)
  • 31-04: emit verification uri complete responses (1deed15)
  • 32-01: add durable device polling state (72a5dce)
  • 32-01: implement durable device poll semantics (cfbfc29)
  • 32-02: audit and finalize device token redemption (8147ad8)
  • 32-02: route device grants through token exchange (79f27c6)
  • 32-03: publish device flow discovery and docs truth (69f19e6)
  • 32-03: publish device polling on token endpoint (908530d)
  • 32-03: wire device code issuance to host verification seam (b452435)
  • 33-01: implement DPoP proof validator and thumbprints (40ffca8)
  • 33-01: validate DPoP proof claims against request context (af389e1)
  • 33-02: add durable DPoP replay state model (d76a978)
  • 33-02: enforce durable DPoP replay detection (d64c555)
  • 33-03: persist explicit DPoP policy state (6da9d84)
  • 33-03: resolve effective DPoP policy (faee94e)
  • 34-01: add shared token-endpoint dpop context seam (0df116e)
  • 34-01: issue truthful dpop-bound auth-code tokens (5d010fd)
  • 34-02: enforce atomic refresh binding persistence (f7de7bc)
  • 34-02: enforce refresh dpop binding semantics (036c8f8)
  • 34-03: bind device redemption through shared dpop issuance (f235d2d)
  • 35-01: add protected-resource dpop validation (11dc70a)
  • 35-01: enforce dpop binding on userinfo (47177a3)
  • 35-02: gate discovery dpop metadata on owned routes (b0a1502)
  • 35-02: narrow public dpop support claims (820e903)
  • 35-03: add admin DPoP policy controls (2f61db1)
  • 35-03: wire DCR DPoP policy metadata (7e0ff32)
  • 36-02: expose durable cnf truth through introspection (54429f6)
  • 37-01: add protocol-owned auth_time to id tokens (2b6a3ef)
  • 37-01: reserve auth_time in host claims (a17c039)
  • 37-02: tighten authorize request parsing (7794a02)
  • 37-03: enforce silent auth and durable auth_time tokens (174cee9)
  • 37-03: persist interaction auth_time metadata (7e187e4)
  • 37-04: add phase 37 strictness proof lane (63f767d)
  • 37-04: capture phase 37 strictness proof artifacts (4b6664c)
  • 37-04: wire phase 37 conformance lanes (5de2a24)
  • 38-02: add sid field to interactions/tokens with revoke_by_sid/1 (bc60128)
  • 38-02: thread sid through token issuance pipeline and emit in ID tokens (7d779ad)
  • 39-02: add typed client logout fields (9d6d04e)
  • 39-02: reject unsupported logout metadata in dcr (8447d92)
  • 39-02: validate logout propagation client settings (e6d8d5b)
  • 39-03: add durable logout event and delivery records (d4e4f04)
  • 39-03: add logout event and delivery storage contracts (676aaf7)
  • 39-03: persist logout propagation snapshots in the repository (08db809)
  • 39-04: add logout lifecycle telemetry and audit (d97c437)
  • 39-04: implement logout token delivery worker (b872e7f)
  • 39-04: start named lockspire oban runtime (75ff291)
  • 39-05: delegate end session completion to logout propagation (59ecd99)
  • 39-05: implement transactional logout completion orchestration (cf06358)
  • 39-06: publish logout truth across discovery and admin (41f9ee5)
  • 39-06: render truthful frontchannel logout completion (bd4a0dc)
  • 41-01: add admin command boundary for security_profile with 7 tests (a0cc3ac)
  • 41-01: add security_profile migration, Ecto schemas, and round-trip tests (f7f867b)
  • 41-01: add SecurityProfile resolver, domain field additions, and unit tests (4995a8a)
  • 41-02: implement FAPI20EnforcerPlug boundary enforcer (GREEN phase) (90a9fb4)
  • 41-02: wire FAPI20EnforcerPlug into Phoenix router via :fapi_boundary pipeline (30baa00)
  • 42-01: enforce FAPI signing key lifecycle gates (2ae38ff)
  • 42-01: narrow canonical FAPI signing policy (b5f3a9c)
  • 42-02: align JAR verification with canonical FAPI policy (dc0c4b5)
  • 42-02: enforce canonical FAPI policy for ID token signing (35ea281)
  • 42-03: implement FAPI readiness rejection and admin updates (f9417dc)
  • 42-04: wire preparatory OIDF maintainer lane and algorithm lockdown (25fe77e)
  • 42-05: align discovery, JWKS, and DPoP publication with runtime truth (7abe72a)
  • 42-07: align DPoP verification with FAPI policy (b0b76d4)
  • 42-07: remove hardcoded RS256 from logout and end-session (54621c1)
  • 43-01: emit iss on authorization flow redirects (b4b3bed)
  • 43-01: emit iss on authorize error redirects (fa470a9)
  • 43-02: publish iss discovery metadata (9255599)
  • 43-02: publish par discovery requirement (36088c5)
  • 43-03: add OIDF conformance preflight task (a1f1591)
  • 43-03: pin OIDF FAPI2 plan artifact (87e7cdd)
  • 43-04: generate host fapi smoke test (2db7988)
  • 43-06: add phase 43 FAPI milestone e2e proof (dce0afc)
  • 44-01: create UsedJti domain, schema, migration, and store behaviour (1690c70)
  • 44-01: define Lockspire.Host.Context struct (b424e42)
  • 44-01: implement used jti storage and pruner (a0dd850)
  • 44-02: enforce jwks and jwks_uri coherence for private_key_jwt (8bc8054)
  • 44-03: implement private_key_jwt TTL and replay tracking (945b68b)
  • 44-api-stabilization: add strict @spec definitions to public facades (af656c6)
  • 44-api-stabilization: complete plan 44-02 and resolve test suite (61d98d1)
  • 44-api-stabilization: lock AccountResolver signatures (4ed092e)
  • 45-01: emit telemetry for device authorization and verification (1537241)
  • 45-02: implement interactions panel (c40134a)
  • 45-02: implement logout deliveries panel (515d521)
  • 45-03: implement Device Authorizations LiveView panel (b45d68b)
  • 48-00: add token exchange protocol logic and tests (87e3cf2)
  • 49-01: create TokenExchangeValidator behaviour and default-deny implementation (666e2b7)
  • 49-01: define TokenExchangeContext struct (77f0552)
  • 49-01: update Config with TokenExchangeValidator accessor (e7f4990)
  • 49-02: integrate host validator and JWT minting for token exchange (b195eaf)
  • 50-01: add max_delegation_depth to server_policies and clients (16e760d)
  • 50-01: enforce max_delegation_depth constraints (b3f11cf)
  • 50-01: update domain structs and schemas with max_delegation_depth (3af4c4f)
  • 50-02: implement default delegation validator (151c6a9)
  • 50-02: implement delegation depth enforcement (67638d5)
  • 54: add OAuth 2.0 Resource Indicators (RFC 8707) support (b11109d)
  • 55-01: add authorization_details to Interaction domain and storage (1962e36)
  • 55-01: add authorization_details to PAR domain and storage (a585b23)
  • 55-01: add migration for RAR intake state (61ed749)
  • 55-02: carry authorization_details from validated request into interaction (5118661)
  • 55-02: parse and validate authorization_details on /authorize (e56c4ac)
  • 55-02: persist authorization_details through PAR issuance (f151691)
  • 57-01: enrich active introspection with granted rar data (75e7e99)
  • 57-01: surface structural rar data in consent live (a6b2bed)
  • 58-01: publish truthful rar discovery metadata (f4b5018)
  • 59-01: admit private_key_jwt jwks_uri registration (7a93cc7)
  • 59-01: preserve jwks_uri on registration management updates (15732ca)
  • 59-02: derive private_key_jwt policy truth (429354e)
  • 59-02: surface private_key_jwt admin posture (333d14b)
  • 59-03: centralize endpoint auth discovery truth (da8be5e)
  • 67-01: align release candidate artifacts (daa706d)
  • 71-01: implement JARM core signer (a8c3daa)
  • 71-jarm-core-01: implement domain structs and migration (4d7f915)
  • 71-jarm-core-02: implement jarm core utility and discovery updates (c0db486)
  • 71-jarm-core-03: support JARM response modes in authorization flow (82fb468)
  • 72-01: persist JARM encryption client metadata (7ddf64d)
  • 72-01: validate encrypted JARM registration metadata (e198fe6)
  • 72-02: encode nested JARM responses (c64c6af)
  • 72-02: resolve JARM recipient keys (f4013f7)
  • 72-03: share truthful JARM discovery capabilities (2fb620f)
  • 73-01: add JWT introspection signer (766d5e9)
  • 73-01: return introspection success context (65ac955)
  • 73-02: negotiate JWT introspection responses (498d605)
  • implement OIDC CIBA Poll, Ping, and Push delivery modes (4bb0997)
  • jar: add JWE decryption support for request objects (4f030af)
  • phase-38: persist logout protocol and token admin cleanup (d9bc173)
  • S01-02: instrument DPoP failures with telemetry (048f6e4)
  • S01-02: instrument FAPI 2.0 failures with telemetry (cc79d8e)
  • S01-03: add optional phoenix_live_dashboard dependency (d8c6f5b)
  • S01-03: implement LiveDashboard page (fb424f7)
  • S02-01: add pruner configuration and oban setup (07ee50a)
  • S02-01: create pruner worker and emit telemetry (329eabe)
  • S02-01: implement chunked recursive deletion (d69dcb0)
  • ship v1.15 private_key_jwt client auth (48764b7)
  • v1.16: complete embedded adoption hardening (417ae8c)

Bug Fixes

  • 27: revise plans based on checker feedback (e9b9a14)
  • 30: correct device authorization mapping and contract tests (ddf93b4)
  • 32: enforce device poll expiry and pacing (0b8abdf)
  • 34-03: preserve device poll errors before dpop resolution (8607d98)
  • 35: preserve dpop challenge and client name (b20c6de)
  • 37-04: stabilize generated host conformance harness (d256da1)
  • 37: CR-01 remove decode_term_jwk Erlang deserialization fallback (a980b8b)
  • 37: CR-02 fix validate_pkce guard inversion (4cc2d61)
  • 37: CR-03 fix refresh_scope_policy_allows? always returning true (6492fca)
  • 37: CR-04 add safe_return_to guard to prevent open redirect in SessionController (03ac58b)
  • 37: merge protocol strictness conformance review fixes (fbb3729)
  • 37: WR-01 add @spec annotation to emit_success/2 in TokenExchange (ac3f3db)
  • 37: WR-02 change Interaction code_challenge_method default from :S256 to nil (533caaf)
  • 37: WR-03 fix indentation in start_authorization/3 cond branch (3209941)
  • 37: WR-04 add else clause to exchange_refresh_token/1 with block (2e2d3cc)
  • 37: WR-05 rename migration module from TestRepo to Repo namespace (9dacccc)
  • 37: WR-06 remove map_size==1 guard from ensure_supported_claims_structure (e7d5dde)
  • 42-06: apply FAPI 2.0 readiness contract and fix FAPI validation order (919683f)
  • 42-06: pass server_policy to validate_intake_metadata (ac7f16f)
  • 44-01: resolve existing Dialyzer errors (7b21951)
  • 50-verification: implement actor_token parsing and delegation depth limit (660c132)
  • 59-02: restore verification prerequisites (7d7d1b0)
  • 59-03: stop publishing unverified private_key_jwt metadata (d7f9221)
  • 71-jarm-core-01: restore missing consent grant and token domain fields (d867c09)
  • ci: satisfy dialyzer in JAR test helpers (b82ee5f)
  • ci: skip dependency review when graph is unavailable (164ea12)
  • deps: restrict oban to ~> 2.21.0 to prevent 2.22 breaking test startup (bab7552)
  • device-flow: finalize host verification proof surface (2ba1041)
  • runtime: add minimal error view (6b7f6ca)
  • test: align discovery tests with v1.13 CIBA grant type (909e6aa)

Documentation

  • 47-01: upgrade documentation to GA posture (5efa4c1)

1.0.0 (2026-05-07)

Added

  • Canonical Phoenix-first install and onboarding documentation.
  • Executable onboarding proof for the generated host seam.
  • Release-readiness CI, package metadata, changelog, and workflow scaffolding.

Changed

  • The checked-in 1.0.0 release-candidate contract keeps mix.exs, .release-please-manifest.json, CHANGELOG.md, and the expected root tag lockspire-v1.0.0 aligned on a single embedded-library release before authenticated publish proof begins.
  • Hex-facing package metadata, release configuration, and the changelog now describe a single lockspire package; evidence of an authenticated publish is deferred to the protected hex-publish lane.

0.2.0 (2026-04-24)

Features

  • 09-02: extend preview posture contract coverage (70107c8)

Bug Fixes

  • 10-01: restore contributor gate proof (20d53f7)

0.1.2 (2026-04-24)

Bug Fixes

  • release: make recovery lane publishable (cd5e40d)
  • release: run hex tasks before docs (046a14c)

0.1.1 (2026-04-24)

Bug Fixes

  • 08-01: harden trusted release lane contract (ed52b00)
  • ci: bootstrap test db in fast lane (bcb2ce3)
  • ci: provide postgres for fast checks (6b9d761)
  • test: avoid brittle key detail id assertion (a550cbb)