Changelog

All notable changes to Lockspire will be documented in this file.

The format is based on Keep a Changelog, and versions follow Semantic Versioning.

1.1.0 (2026-05-26)

Features

  • 91-01: add shared remote jwks diagnostics taxonomy (13064b7)
  • 91-01: align jarm remote jwks diagnostics (0fbd363)
  • 91-01: normalize private_key_jwt remote jwks incidents (93c71a5)
  • 91-02: add remote jwks doctor surface (445f511)
  • 91-02: surface remote jwks truth in admin client detail (a26dce5)

Bug Fixes

  • phase-91: wire remote jwks operator diagnostics (ce8f313)

[Unreleased]

Added

  • Automatic DPoP-Nonce challenge and retry support across the shipped Lockspire-owned DPoP surfaces and the canonical Phoenix protected-route pipeline.
  • Dynamic Client Registration and RFC 7592 management support for the existing logout propagation metadata fields.
  • A narrow client_secret_jwt direct-client authentication slice on the shipped Lockspire-owned endpoints that already reuse the shared verifier.
  • Shared remote jwks_uri diagnostics, the mix lockspire.doctor remote-jwks task, and matching admin support surfaces for the shipped private_key_jwt and JARM remote-key flows.

Changed

  • The canonical advanced-setup support contract now aligns runtime behavior, admin wording, doctor output, and public docs for remote jwks_uri, mTLS setup, logout propagation, and the protected-route plug pipeline.
  • The public support posture now reflects one near-complete embedded-provider story rather than an actively expanding feature roadmap; new milestones should be trigger-based and evidence-driven.

Fixed

  • Release-truth docs now describe the shipped Phoenix protected-route plug pipeline and stop treating it as future work.

Features

  • 39-04: start named lockspire oban runtime (75ff291)
  • 39-05: delegate end session completion to logout propagation (59ecd99)
  • 39-05: implement transactional logout completion orchestration (cf06358)
  • 39-06: publish logout truth across discovery and admin (41f9ee5)
  • 39-06: render truthful frontchannel logout completion (bd4a0dc)
  • 41-01: add admin command boundary for security_profile with 7 tests (a0cc3ac)
  • 41-01: add security_profile migration, Ecto schemas, and round-trip tests (f7f867b)
  • 41-01: add SecurityProfile resolver, domain field additions, and unit tests (4995a8a)
  • 41-02: implement FAPI20EnforcerPlug boundary enforcer (GREEN phase) (90a9fb4)
  • 41-02: wire FAPI20EnforcerPlug into Phoenix router via :fapi_boundary pipeline (30baa00)
  • 42-01: enforce FAPI signing key lifecycle gates (2ae38ff)
  • 42-01: narrow canonical FAPI signing policy (b5f3a9c)
  • 42-02: align JAR verification with canonical FAPI policy (dc0c4b5)
  • 42-02: enforce canonical FAPI policy for ID token signing (35ea281)
  • 42-03: implement FAPI readiness rejection and admin updates (f9417dc)
  • 42-04: wire preparatory OIDF maintainer lane and algorithm lockdown (25fe77e)
  • 42-05: align discovery, JWKS, and DPoP publication with runtime truth (7abe72a)
  • 42-07: align DPoP verification with FAPI policy (b0b76d4)
  • 42-07: remove hardcoded RS256 from logout and end-session (54621c1)
  • 43-01: emit iss on authorization flow redirects (b4b3bed)
  • 43-01: emit iss on authorize error redirects (fa470a9)
  • 43-02: publish iss discovery metadata (9255599)
  • 43-02: publish par discovery requirement (36088c5)
  • 43-03: add OIDF conformance preflight task (a1f1591)
  • 43-03: pin OIDF FAPI2 plan artifact (87e7cdd)
  • 43-04: generate host fapi smoke test (2db7988)
  • 43-06: add phase 43 FAPI milestone e2e proof (dce0afc)
  • 44-01: create UsedJti domain, schema, migration, and store behaviour (1690c70)
  • 44-01: define Lockspire.Host.Context struct (b424e42)
  • 44-01: implement used jti storage and pruner (a0dd850)
  • 44-02: enforce jwks and jwks_uri coherence for private_key_jwt (8bc8054)
  • 44-03: implement private_key_jwt TTL and replay tracking (945b68b)
  • 44-api-stabilization: add strict @spec definitions to public facades (af656c6)
  • 44-api-stabilization: complete plan 44-02 and resolve test suite (61d98d1)
  • 44-api-stabilization: lock AccountResolver signatures (4ed092e)
  • 45-01: emit telemetry for device authorization and verification (1537241)
  • 45-02: implement interactions panel (c40134a)
  • 45-02: implement logout deliveries panel (515d521)
  • 45-03: implement Device Authorizations LiveView panel (b45d68b)
  • 48-00: add token exchange protocol logic and tests (87e3cf2)
  • 49-01: create TokenExchangeValidator behaviour and default-deny implementation (666e2b7)
  • 49-01: define TokenExchangeContext struct (77f0552)
  • 49-01: update Config with TokenExchangeValidator accessor (e7f4990)
  • 49-02: integrate host validator and JWT minting for token exchange (b195eaf)
  • 50-01: add max_delegation_depth to server_policies and clients (16e760d)
  • 50-01: enforce max_delegation_depth constraints (b3f11cf)
  • 50-01: update domain structs and schemas with max_delegation_depth (3af4c4f)
  • 50-02: implement default delegation validator (151c6a9)
  • 50-02: implement delegation depth enforcement (67638d5)
  • 54: add OAuth 2.0 Resource Indicators (RFC 8707) support (b11109d)
  • 55-01: add authorization_details to Interaction domain and storage (1962e36)
  • 55-01: add authorization_details to PAR domain and storage (a585b23)
  • 55-01: add migration for RAR intake state (61ed749)
  • 55-02: carry authorization_details from validated request into interaction (5118661)
  • 55-02: parse and validate authorization_details on /authorize (e56c4ac)
  • 55-02: persist authorization_details through PAR issuance (f151691)
  • 57-01: enrich active introspection with granted rar data (75e7e99)
  • 57-01: surface structural rar data in consent live (a6b2bed)
  • 58-01: publish truthful rar discovery metadata (f4b5018)
  • 59-01: admit private_key_jwt jwks_uri registration (7a93cc7)
  • 59-01: preserve jwks_uri on registration management updates (15732ca)
  • 59-02: derive private_key_jwt policy truth (429354e)
  • 59-02: surface private_key_jwt admin posture (333d14b)
  • 59-03: centralize endpoint auth discovery truth (da8be5e)
  • 67-01: align release candidate artifacts (daa706d)
  • 71-01: implement JARM core signer (a8c3daa)
  • 71-jarm-core-01: implement domain structs and migration (4d7f915)
  • 71-jarm-core-02: implement jarm core utility and discovery updates (c0db486)
  • 71-jarm-core-03: support JARM response modes in authorization flow (82fb468)
  • 72-01: persist JARM encryption client metadata (7ddf64d)
  • 72-01: validate encrypted JARM registration metadata (e198fe6)
  • 72-02: encode nested JARM responses (c64c6af)
  • 72-02: resolve JARM recipient keys (f4013f7)
  • 72-03: share truthful JARM discovery capabilities (2fb620f)
  • 73-01: add JWT introspection signer (766d5e9)
  • 73-01: return introspection success context (65ac955)
  • 73-02: negotiate JWT introspection responses (498d605)
  • implement OIDC CIBA Poll, Ping, and Push delivery modes (4bb0997)
  • jar: add JWE decryption support for request objects (4f030af)
  • phase-38: persist logout protocol and token admin cleanup (d9bc173)
  • S01-02: instrument DPoP failures with telemetry (048f6e4)
  • S01-02: instrument FAPI 2.0 failures with telemetry (cc79d8e)
  • S01-03: add optional phoenix_live_dashboard dependency (d8c6f5b)
  • S01-03: implement LiveDashboard page (fb424f7)
  • S02-01: add pruner configuration and oban setup (07ee50a)
  • S02-01: create pruner worker and emit telemetry (329eabe)
  • S02-01: implement chunked recursive deletion (d69dcb0)
  • ship v1.15 private_key_jwt client auth (48764b7)
  • v1.16: complete embedded adoption hardening (417ae8c)

Bug Fixes

  • 27: revise plans based on checker feedback (e9b9a14)
  • 30: correct device authorization mapping and contract tests (ddf93b4)
  • 32: enforce device poll expiry and pacing (0b8abdf)
  • 34-03: preserve device poll errors before dpop resolution (8607d98)
  • 35: preserve dpop challenge and client name (b20c6de)
  • 37-04: stabilize generated host conformance harness (d256da1)
  • 37: CR-01 remove decode_term_jwk Erlang deserialization fallback (a980b8b)
  • 37: CR-02 fix validate_pkce guard inversion (4cc2d61)
  • 37: CR-03 fix refresh_scope_policy_allows? always returning true (6492fca)
  • 37: CR-04 add safe_return_to guard to prevent open redirect in SessionController (03ac58b)
  • 37: merge protocol strictness conformance review fixes (fbb3729)
  • 37: WR-01 add @spec annotation to emit_success/2 in TokenExchange (ac3f3db)
  • 37: WR-02 change Interaction code_challenge_method default from :S256 to nil (533caaf)
  • 37: WR-03 fix indentation in start_authorization/3 cond branch (3209941)
  • 37: WR-04 add else clause to exchange_refresh_token/1 with block (2e2d3cc)
  • 37: WR-05 rename migration module from TestRepo to Repo namespace (9dacccc)
  • 37: WR-06 remove map_size==1 guard from ensure_supported_claims_structure (e7d5dde)
  • 42-06: apply FAPI 2.0 readiness contract and fix FAPI validation order (919683f)
  • 42-06: pass server_policy to validate_intake_metadata (ac7f16f)
  • 44-01: resolve existing Dialyzer errors (7b21951)
  • 50-verification: implement actor_token parsing and delegation depth limit (660c132)
  • 59-02: restore verification prerequisites (7d7d1b0)
  • 59-03: stop publishing unverified private_key_jwt metadata (d7f9221)
  • 71-jarm-core-01: restore missing consent grant and token domain fields (d867c09)
  • ci: satisfy dialyzer in JAR test helpers (b82ee5f)
  • ci: skip dependency review when graph is unavailable (164ea12)
  • deps: restrict oban to ~> 2.21.0 to prevent 2.22 breaking test startup (bab7552)
  • device-flow: finalize host verification proof surface (2ba1041)
  • runtime: add minimal error view (6b7f6ca)
  • test: align discovery tests with v1.13 CIBA grant type (909e6aa)

Documentation

  • 47-01: upgrade documentation to GA posture (5efa4c1)

1.0.0 (2026-05-07)

Added

  • Canonical Phoenix-first install and onboarding documentation.
  • Executable onboarding proof for the generated host seam.
  • Release-readiness CI, package metadata, changelog, and workflow scaffolding.

Changed

  • The checked-in 1.0.0 release-candidate contract keeps mix.exs, .release-please-manifest.json, CHANGELOG.md, and the expected root tag lockspire-v1.0.0 aligned on a single embedded-library release before authenticated publish proof begins.
  • Hex-facing package metadata, release configuration, and changelog posture now describe one lockspire package and defer authenticated publish evidence to the protected hex-publish lane.

0.2.0 (2026-04-24)

Features

  • 09-02: extend preview posture contract coverage (70107c8)

Bug Fixes

  • 10-01: restore contributor gate proof (20d53f7)

0.1.2 (2026-04-24)

Bug Fixes

  • release: make recovery lane publishable (cd5e40d)
  • release: run hex tasks before docs (046a14c)

0.1.1 (2026-04-24)

Bug Fixes

  • 08-01: harden trusted release lane contract (ed52b00)
  • ci: bootstrap test db in fast lane (bcb2ce3)
  • ci: provide postgres for fast checks (6b9d761)
  • test: avoid brittle key detail id assertion (a550cbb)