All notable changes to this project will be documented in this file.

The format follows Keep a Changelog and the project targets Semantic Versioning.

1.5.3 (2026-05-28)

Bug Fixes

  • ci: grant actions:write for release-please PR dispatch (e32d828)
  • ci: grant actions:write for release-please PR dispatch (ecf2736)
  • ci: parse spaced security-gates check names on release PRs (099b92b)
  • ci: parse spaced security-gates check names on release PRs (adabc13)
  • ci: tolerate gh pr checks exit when no checks yet (fbef01c)
  • ci: tolerate gh pr checks exit when no checks yet (98606d2)
  • docs: note hands-off release path in getting started (0f6d758)
  • docs: note hands-off release path in getting started (f19d239)

1.5.2 (2026-05-28)

Bug Fixes

  • test: isolate replay store and warm FakeIdP keypair (3635c5c)
  • test: isolate replay store and warm FakeIdP keypair (d2bb6bf)

1.5.1 (2026-05-28)

Bug Fixes

  • ci: gate Hex publish on mix qa and enforce branch protection (7303b36)
  • ci: release-please trigger for 1.5.1 (15efe67)

1.5.0 (2026-05-28)

Features

  • 45-01: add mix verify.release_parity for Hex vs tag path-set diff (7ca46c4)
  • 45-02: add verify-parity.sh milestone gate wrapper (227a3c2)
  • 49-01: add scope boundary section to conformance generator (93418a6)
  • 49-01: flip ENC manifest row from deferred to pass (f865174)
  • docs: add README Quick Look preset snippet (DX-01) (65bcf93)
  • docs: job-shaped overview hub and batteries dedupe (DX-03) (00937be)
  • install: auto-inject saml_routes on single Phoenix router (DX-02) (ca632bd)

[1.4.0]

1.4.0 is published to Hex directly after 1.2.0; there is no 1.3.0 release on Hex, which keeps the upgrade path simple for adopters. One install line, {:relyra, "~> 1.4"}, brings in Advanced Federation, Single Logout, and the login trace UI. The [1.3.0] section below is changelog archaeology for the v1.3 milestone only, not a skipped Hex version adopters must hunt for.

Added

  • Single Logout: SessionAdapter session-index hooks; SP- and IdP-initiated logout via Relyra.consume_logout/3; HTTP-Redirect and HTTP-POST bindings; strict logout validation pipeline (Parse → Verify → Replay → Execute); LogoutRequest/LogoutResponse on the same SaxyTree parse path as login.
  • Logout operator guide: guides/recipes/logout.md — browser cookie caveats, durable session prerequisites, absolute-timeout boundaries, and host-owned session-index linkage.
  • Incident playbook: guides/operations/incident_playbook.md — six Triage→Diagnose→Recover scenarios with evidence surfaces for telemetry, audit, and login trace.
  • Troubleshooting decoder: guides/troubleshooting.md — 78 typed SAML error atoms across seven trust-pipeline buckets, kept in sync with the codebase.
  • Login trace LiveView: ConnectionTraceLive at /relyra/admin/connections/:connection_id/trace — expandable step timeline from audit rows and telemetry.
  • Headless login trace: mix relyra.trace for the same redacted step timeline without opening the browser.
  • Shared trace export: Relyra.LoginTrace.Export redacts login-trace rows consistently for LiveView and CLI.
  • Publish hygiene: SP metadata attribute escaping; test_support excluded from production compile and Hex tarball; encrypted-assertion wire extraction uses parse-tree byte spans only; README and preset documentation aligned with shipped presets.

Changed

  • Trust audit timeline excludes domain: :login rows (login traces separate from trust mutations).
  • LoginResult.validation_trace populated on successful consume via LoginTrace telemetry handler.
  • Production elixirc_paths uses explicit lib file list (excludes test_support).

Security

  • Logout crypto: XMLDSig verification before session termination; redirect signatures verified against raw query octets; replay protection on logout messages.
  • Login trace redaction: security tests ensure LiveView and CLI never render raw XML, PEM, certificate bodies, signature values, or key material.
  • Metadata XSS defense-in-depth: interpolated SP metadata attributes are XML-escaped before publish.
  • One trust path for encrypted assertions: wire extraction uses parse-tree byte spans only — no parallel regex locator on the auth boundary.

[1.3.0]

This section records the v1.3 Advanced Federation milestone only — no Hex release at 1.3.0 (historical record).

Added

  • Encrypted assertions (ENC-01/02): KeyResolver behaviour + KeyResolver.Default (SP private key from app config only); Relyra.Security.XMLEnc.decrypt/3 with RSA-OAEP + AES-GCM behind AlgorithmPolicy; decrypt-then-reparse pipeline stage in ValidationPipeline (:decrypt_assertion pre-stage); cleartext+encrypted ambiguity guard (:ambiguous_assertion before crypto); SP metadata encryption KeyDescriptor; 7-fixture ENC-01 adversarial corpus in mix ci.security.
  • Signed AuthnRequests (AUTHN-01): HTTP-Redirect query signing (sign_redirect_query/3 raw-octet invariant); sign_authn_requests connection toggle; SP metadata AuthnRequestsSigned + signing KeyDescriptor; ADFS provider preset + guides/recipes/adfs.md; 5-fixture AUTHN-01 adversarial corpus in mix ci.security.
  • AlgorithmPolicy + schema: Key-transport and content-encryption enforcement; RSA-PKCS1v1.5 blocked; AES-CBC blocked by default with time-boxed escape hatch; GCM auth-tag length guard; cert party/use columns; sign_authn_requests migration.
  • Documentation (DOCS-02): guides/recipes/generic_saml.md — SP/IdP metadata reference, decoder tables for IBM Security Verify, CyberArk, Oracle Access Manager, PingFederate, CA SiteMinder; security checklist, debugging flow, cert rotation.
  • Documentation (DOCS-03): guides/identity_mapping_and_provisioning.md — NameID vs attribute mapping patterns, JIT decision tree, UserMapper examples, SCIM non-goal.

Changed

  • PureBeam.build_parsed_doc/1 tolerates encrypted-only Responses pre-decrypt (encrypted_pending path) without weakening cleartext gates.
  • SP metadata build order: signing + encryption KeyDescriptors before ACS (schema-valid).

Security

  • Decrypt-then-reparse invariant: decrypted bytes MUST pass PureBeam.parse_safely/2 AND Signature.do_verify/4 before identity fields — CVE-2025-54419 class read-before-verify rejected by adversarial corpus.
  • Single opaque :decryption_failed for all decryption failure modes (no padding oracle via distinct atoms).
  • Document KeyInfo ignored for decryption key material — configured KeyResolver only.
  • Ambiguity guard: cleartext + encrypted assertion → :ambiguous_assertion pre-crypto (CVE-2026-2092 class).
  • Redirect AuthnRequest signing: golden corpus enforces no re-serialization before sign; ADFS +-encoding variant covered.
  • AlgorithmPolicy: RSA-OAEP SHA-256 URI blocked pending OTP support; zero new Hex deps for XML-Enc (OTP stdlib only).
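The encrypted-assertion gates listed above (ENC-01/02 in Added, and the decrypt-then-reparse invariant, single opaque :decryption_failed, ignored document KeyInfo and :ambiguous_assertion guard under Security), as an added Go example that is not Relyra's code. Assumptions: simplified namespace-free element shapes, constructed error names, AES-GCM laid out as iv || ciphertext || tag with the content key wrapped by RSA-OAEP to the SP private key the caller hands in (the key resolver's job), a "<!"-rejecting strict parse standing in for PureBeam.parse_safely/2, and a detached ed25519 signature prefixing the plaintext standing in for enveloped XMLDSig verification. buildWire is the IdP side, present only so the pipeline can be exercised offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"errors"
)

// Error atoms (constructed names). Every decryption failure mode maps to the same one.
var (
	ErrAmbiguousAssertion = errors.New("ambiguous_assertion")
	ErrMissingAssertion   = errors.New("missing_assertion")
	ErrDecryptionFailed   = errors.New("decryption_failed")
	ErrUnsafeXML          = errors.New("unsafe_xml")
	ErrInvalidSignature   = errors.New("invalid_signature")
)

// Simplified, namespace-free wire shape constructed for this example.
type response struct {
	XMLName   xml.Name `xml:"Response"`
	Assertion *struct {
		NameID string `xml:"Subject>NameID"`
	} `xml:"Assertion"`
	Encrypted *struct { // X509Data under KeyInfo, if present, is deliberately never read
		WrappedKey  string `xml:"EncryptedData>KeyInfo>EncryptedKey>CipherData>CipherValue"`
		CipherValue string `xml:"EncryptedData>CipherData>CipherValue"` // iv || ciphertext || tag
	} `xml:"EncryptedAssertion"`
}

// parseSafely stands in for the hardened parser: strict decoding, and any "<!" construct
// (DOCTYPE, ENTITY, comment, CDATA) is rejected before it reaches the decoder at all.
func parseSafely(raw []byte, v any) error {
	if bytes.Contains(raw, []byte("<!")) || xml.Unmarshal(raw, v) != nil {
		return ErrUnsafeXML
	}
	return nil
}

// decrypt unwraps the CEK with the SP private key supplied by the key resolver (never a
// key the document names) and opens AES-GCM with the tag length fixed at 128 bits.
func decrypt(spKey *rsa.PrivateKey, wrappedB64, cipherB64 string) ([]byte, error) {
	wrapped, errW := base64.StdEncoding.DecodeString(wrappedB64)
	blob, errB := base64.StdEncoding.DecodeString(cipherB64)
	if errW != nil || errB != nil {
		return nil, ErrDecryptionFailed
	}
	cek, errK := rsa.DecryptOAEP(sha256.New(), nil, spKey, wrapped, nil)
	block, errA := aes.NewCipher(cek) // also rejects non-AES key lengths
	if errK != nil || errA != nil {
		return nil, ErrDecryptionFailed
	}
	gcm, err := cipher.NewGCMWithTagSize(block, 16)
	if err != nil || len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, ErrDecryptionFailed
	}
	pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
	if err != nil { // wrong key, tampered bytes, bad tag: the same opaque atom
		return nil, ErrDecryptionFailed
	}
	return pt, nil
}

// consume: ambiguity guard -> decrypt -> verify -> re-parse -> only then read identity.
// The 64-byte ed25519 signature prefixing the plaintext stands in for enveloped XMLDSig.
func consume(spKey *rsa.PrivateKey, idpPub ed25519.PublicKey, wire []byte) (string, error) {
	var r response
	if err := parseSafely(wire, &r); err != nil {
		return "", err
	}
	if r.Assertion != nil && r.Encrypted != nil {
		return "", ErrAmbiguousAssertion // decided before any crypto runs
	}
	if r.Encrypted == nil {
		return "", ErrMissingAssertion // cleartext-only path not modelled here
	}
	pt, err := decrypt(spKey, r.Encrypted.WrappedKey, r.Encrypted.CipherValue)
	if err != nil {
		return "", err
	}
	n := ed25519.SignatureSize
	if len(pt) < n || !ed25519.Verify(idpPub, pt[n:], pt[:n]) {
		return "", ErrInvalidSignature
	}
	var a struct {
		NameID string `xml:"Subject>NameID"`
	}
	if err := parseSafely(pt[n:], &a); err != nil { // decrypted bytes pass the same gate
		return "", err
	}
	return a.NameID, nil // identity is read only after verify AND re-parse
}

// buildWire is the IdP side, constructed for tests: sign, encrypt under a fresh CEK, wrap
// the CEK to the SP public key. withCleartext also plants a plaintext Assertion.
func buildWire(spPub *rsa.PublicKey, idpPriv ed25519.PrivateKey, assertionXML string, withCleartext bool) []byte {
	body := []byte(assertionXML)
	pt := append(ed25519.Sign(idpPriv, body), body...)
	cek, iv := make([]byte, 32), make([]byte, 12)
	rand.Read(cek)
	rand.Read(iv)
	block, _ := aes.NewCipher(cek)
	gcm, _ := cipher.NewGCM(block)
	blob := append(iv, gcm.Seal(nil, iv, pt, nil)...)
	wrapped, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, spPub, cek, nil)
	b64 := base64.StdEncoding.EncodeToString
	doc := "<Response>"
	if withCleartext {
		doc += "<Assertion><Subject><NameID>mallory</NameID></Subject></Assertion>"
	}
	return []byte(doc + "<EncryptedAssertion><EncryptedData><KeyInfo><EncryptedKey><CipherData><CipherValue>" +
		b64(wrapped) + "</CipherValue></CipherData></EncryptedKey></KeyInfo><CipherData><CipherValue>" +
		b64(blob) + "</CipherValue></CipherData></EncryptedData></EncryptedAssertion></Response>")
}
```

The shape to copy is the ordering, not the toy formats: a Response carrying both a cleartext and an encrypted assertion is refused before any key is touched; a wrong SP key, a flipped ciphertext byte and undecodable base64 all surface as the same error; an assertion signed by the wrong key never yields a NameID, even though it decrypted cleanly; and a DOCTYPE in front of an otherwise valid Response is rejected by the same parser that later re-parses the decrypted bytes.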
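The raw-octet invariant behind sign_redirect_query/3 (AUTHN-01 above), the "no re-serialization before sign" corpus rule under Security, and the 1.4.0 note that redirect signatures are verified against raw query octets, as an added Go example that is not Relyra's code: the signer assembles the query string it will actually send and signs those bytes; the verifier rebuilds the signed string from the parameters exactly as received. The contrasting verifier parses the query into a map and re-encodes it, which works by accident when only SAMLRequest and SigAlg are present and breaks as soon as RelayState changes the sorted key order (a differently percent-encoding peer, such as the ADFS variant the changelog mentions, breaks it the same way). Function names, the RSA-SHA256 policy and the duplicate-parameter check are assumptions for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"net/url"
	"strings"
)

// Signature algorithm URI carried in SigAlg (RSA-SHA256).
const sigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// signRedirectQuery assembles the query exactly as it will travel and signs those octets
// in spec order: SAMLRequest=..[&RelayState=..]&SigAlg=.. (nothing is re-serialised later).
func signRedirectQuery(key *rsa.PrivateKey, samlRequestB64, relayState string) (string, error) {
	signed := "SAMLRequest=" + url.QueryEscape(samlRequestB64)
	if relayState != "" {
		signed += "&RelayState=" + url.QueryEscape(relayState)
	}
	signed += "&SigAlg=" + url.QueryEscape(sigAlgRSASHA256)
	h := sha256.Sum256([]byte(signed))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return signed + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// rawParam returns the still-encoded value of name from the raw query string. Exactly one
// occurrence is required: a duplicated parameter (parameter pollution) is rejected.
func rawParam(rawQuery, name string) (string, error) {
	var found []string
	for _, kv := range strings.Split(rawQuery, "&") {
		if strings.HasPrefix(kv, name+"=") {
			found = append(found, kv[len(name)+1:])
		}
	}
	if len(found) != 1 {
		return "", errors.New("parameter " + name + " missing or duplicated")
	}
	return found[0], nil
}

// verifyRedirectQuery rebuilds the signed string from the raw octets of the received
// query (no decode/re-encode round trip) and checks the signature against it.
func verifyRedirectQuery(pub *rsa.PublicKey, rawQuery string) error {
	req, err := rawParam(rawQuery, "SAMLRequest")
	if err != nil {
		return err
	}
	sigAlg, err := rawParam(rawQuery, "SigAlg")
	if err != nil {
		return err
	}
	if dec, err := url.QueryUnescape(sigAlg); err != nil || dec != sigAlgRSASHA256 {
		return errors.New("SigAlg not allowed by policy") // no downgrade to SHA-1 etc.
	}
	sigB64, err := rawParam(rawQuery, "Signature")
	if err != nil {
		return err
	}
	signed := "SAMLRequest=" + req
	if rs, err := rawParam(rawQuery, "RelayState"); err == nil {
		signed += "&RelayState=" + rs
	} else if strings.Contains(rawQuery, "RelayState=") {
		return err // present, but more than once
	}
	signed += "&SigAlg=" + sigAlg
	sigRaw, err := url.QueryUnescape(sigB64)
	if err != nil {
		return err
	}
	sig, err := base64.StdEncoding.DecodeString(sigRaw)
	if err != nil {
		return err
	}
	h := sha256.Sum256([]byte(signed))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}

// verifyAfterReserialize is the anti-pattern: parse the query into a map and encode it
// again. url.Values.Encode sorts keys and normalises escapes, so the bytes stop matching
// what the sender signed as soon as its parameter order or percent-encoding differs.
func verifyAfterReserialize(pub *rsa.PublicKey, rawQuery string) error {
	values, err := url.ParseQuery(rawQuery)
	if err != nil {
		return err
	}
	sig, err := base64.StdEncoding.DecodeString(values.Get("Signature"))
	if err != nil {
		return err
	}
	values.Del("Signature")
	h := sha256.Sum256([]byte(values.Encode()))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}
```

The point of keeping both verifiers side by side is that the re-serialising one passes a test suite that never sets RelayState and only fails in production against a peer whose encoder differs, which is the kind of divergence a golden corpus of raw wire strings catches and a round-tripping test does not.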

1.2.0 (2026-05-25)

Features

  • 28-01: implement SaxyTree handler with ns stack + 3 normalizations (8738532)
  • 28-02: enveloped-sig transform pruning + PrefixList forced render + transform allowlist (ae9f16f)
  • 28-02: implement exclusive C14N 1.0 serialization core (b666926)
  • 28-03: bind exact tree node + delegate canonicalize/2 to the C14N engine (5565df5)
  • 28-03: route parse_safely onto the saxy tree, retire regex extractors (915d460)
  • 29-01: add ordered content field to SaxyTree.Node (D-09) (4411f91)
  • 29-02: add AlgorithmPolicy.digest_atom_for_signature_method/1 (RSA→atom, ECDSA fail-closed) (e63216e)
  • 29-02: surface D-02 fields (SignedInfo node, base64 Digest/SignatureValue) per candidate (5d1cfc9)
  • 29-03: wire real XMLDSig crypto into the [candidate] arm (D-01) (2e45689)
  • 29-04: build genuine XMLDSig test-signer (D-11) (c45864f)
  • 29-05: add metadata-root signed-candidates producer in pure_beam (502417f)
  • 29-05: rewire metadata pre-parse onto tree builder + prove SIGV-04 (6d4931e)
  • 30-01: delegate FakeIdP.sign to genuine signer + expose trust cert (D-01/D-03) (18f5bd8)
  • 30-03: add c14n-differential rejection row to security corpus (c7ec6a2)

Bug Fixes

  • 28-03: correct prot-unsigned-001 expectation to missing_protocol_field (63c5ca5)
  • 29-01: walk content in document order in C14N.render_element/3 (D-09) (8052658)
  • 29: close metadata trust bypass (CR-01) and pin over DER (CR-02) (8910200)
  • 29: thread cert_chain in plan 03 + add existing-test triage task to plan 04 (13094ef)
  • 29: tolerate line-wrapped base64 in Signature/DigestValue (WR-01) (ef44482)
  • 30-01: reconcile FakeIdP response_xml shape for genuine signing (D-02) (f9047fe)
  • 30-04: make ci.security honestly gate every security suite (cmd mix test per line) (8a144ed)
  • 30: harden ci.security meta-gate (AST parse, tag anchor, corpus_gate coverage) (07f4727)
  • deps: bump postgrex/plug/phoenix for CVEs; ignore unreachable decimal advisory (520d713)

1.1.0 (2026-05-08)

Features

  • 01-02: add pure-beam XML adapter baseline (68f1041)
  • 01-02: add stable Relyra.Error contract (5077f9d)
  • 01-02: freeze hardened XML seam behaviour (ed7257e)
  • 01-03: add compile-time parser path guard (74bac6e)
  • 02-01: add protocol and relay state contract tests (9225186)
  • 02-01: enforce opaque relay state contract (d21697f)
  • 02-01: implement login request and binding primitives (b0d49b6)
  • 02-02: bind signature verification to exact signed node (2aeba97)
  • 02-02: enforce strict signature algorithm policy (88d43db)
  • 02-03: add ordered consume response pipeline (d7db968)
  • 02-03: add response and assertion validators (47981a2)
  • 03-01: add fail-closed default adapter scaffolding (f4acf93)
  • 03-01: freeze phase 3 behaviour contracts (9841e09)
  • 03-02: add atomic ETS request and replay adapters (223cb72)
  • 03-02: add optional Ecto-backed request and replay stores (4a801f9)
  • 03-03: persist request intent and gate consume success (a6cf9aa)
  • 05-01: add telemetry catalog and event spans (07b503f)
  • 06-01: add provider presets, TestSupport, installer, and docs (670ee92)
  • 06-01: close release-discipline gap and add provider audience hint (bdb7c9a)
  • 11-02: add mapping persistence migration coverage (06856c6)
  • 11-03: harden audited trust mutations (c546b6b)
  • 11-04: persist and hydrate mapping config (dd9da43)
  • 12-12-01: canonicalize metadata certificate candidates (6d5d652)
  • 14-01: author 11-VERIFICATION.md with serial CFG-05 packet (4339dca)
  • 15-01: create connection list, detail components and normalize risk flag names (0bdf7b1)
  • 15-02: extract connection form and preset picker components (e133380)
  • 15-02: wire URL-driven presets to the form (50640b8)
  • 15-03: embed risk panel across relevant views (4916649)
  • 15-03: wire lifecycle events to Ecto boundaries and add status badges (0a16b0a)
  • 16-01: establish metadata liveview skeleton and route (and missing 15-01 files) (c52a008)
  • 16-02: add active highlighting to metadata history stream (8ee6076)
  • 16-03: finalize Phase 16 execution and verification (43ce682)
  • 16-03: implement async manual metadata refresh (50a0ebd)
  • 17-01: handle optimistic locking conflicts on certificate updates (8400944)
  • 17-01: implement semantic slot-based timeline UI for certificates (cf7f016)
  • 17-02: implement 3-step staged rollover with typed verification (0399604)
  • 18-01: implement typed mapping forms in live admin (15bb5f4)
  • 18-02: implement audit timeline filtering and expandable details (7ced8fc)
  • 19-01: implement allow_idp_initiated flag for connections (26e822c)
  • 19-02: implement safe local redirect utility (4fab9cf)
  • 19: implement IdP-initiated SSO support and result normalization (101e2a6)
  • 20-01: implement BulkActions coordinator (69be2d9)
  • 20-02: add multi-select UI to ConnectionList (4c3bf15)
  • 20: implement bulk operations for connections and UI multi-selection (6e75525)
  • 21-01: add migration extending relyra_metadata_sources with auto-refresh (7dcf2ea)
  • 21-01: extend MetadataSource schema with auto-refresh fields and changesets (d8eb04b)
  • 21-02: pure cadence + backoff helpers with property-style jitter envelopes (7cfbf02)
  • 21-02: pure failure classifier with one clause per Phase-21 error code (f8620bf)
  • 21-03: add TrustAnchor + DriftDetector pure helpers (1c02e38)
  • 21-03: relocate security corpus + add CorpusGate runtime gate (9400a0d)
  • 21-04: add MetadataApply.resume_auto_refresh/3 single-tx Resume seam (b94ce16)
  • 21-04: add Signature.verify_metadata_root/4 metadata-root shim (35a3da4)
  • 21-04: wrap record_attempt in transact and co-commit health state (2de8899)
  • 21-05: add OptionalDeps.Oban gateway and Workers.MetadataRefresh (ff88242)
  • 21-05: add Scheduler.run_due/2 and AutoRefresh.refresh/2 wrapper (3b60a04)
  • 21-06: add Auto-refresh health card + Resume now to ConnectionMetadataLive (35a4cc7)
  • 21-06: surface auto_refresh_health on the connection list (D-29) (67da767)
  • 21-07: add Metadata.pin_trust_fingerprint/3 + two operator Mix tasks (aa25260)
  • 21-07: add optional Oban dep, ci.oban_smoke alias, README operations (f4bf983)
  • 21-07: document auto_refresh telemetry catalog + LogAlerts handler (06ca068)
  • 21.1-01: forward audit context from Refresh.refresh/2 into apply_revision and record_attempt (closes CFG-07) (80d9001)
  • 22-01: implement certificate expiry traversal engine (13bf7f8)
  • 22-01: implement telemetry for expiring certificates (eef99d4)
  • 23-01: build diagnostic bundle orchestration service (9b4250c)
  • 23-01: implement explicit redaction AllowList for diagnostic exports (74a6efb)
  • 23-02: add download diagnostic bundle UI button to admin UI (fe394bf)
  • 23-02: create mix task for CLI diagnostic bundle export (1f074ba)
  • 23-02: implement HTTP download endpoint for diagnostic bundle (7ce0184)
  • 24-01: implement request store type injection (aff2a30)
  • 24-01: implement session revocation adapter support (f425c18)
  • 24-02: implement LogoutRequest builder (9bfd22c)
  • 24-03: implement logout bindings parser for redirect (d4654ee)
  • 25-01: add shared conformance fixture loader (1f98ee5)
  • 25-01: harden PureBeam seam behavior (e8cfab9)
  • 25-02: expand pinned security regression corpus (c80b6ab)
  • 25-02: implement SP conformance lane (9c3e79a)
  • 25-03: generate conformance report from manifest state (a9a7d58)
  • 27-03: add batteries included proof artifact (0b1ffc9)

Bug Fixes

  • 01-03: stabilize security aliases and verification lanes (e850c7f)
  • 02-01: align request primitives with verification gate checks (1938caf)
  • 02-02: format signature policy and binding files (ff0b471)
  • 02-03: format consume pipeline sources (a07ed0d)
  • 03-01: format contract defaults for strict verification (7066eda)
  • 12-12-02: preserve staged metadata apply semantics (c5c937e)
  • 12-12-02: repair refresh candidate seam (206bdd5)
  • 21.2: revise plans based on checker feedback (5030090)
  • test: ensure MetadataRefresh is loaded before function_exported? check (abc24fa)

1.0.0 (2026-05-08)

Features

  • 01-02: add pure-beam XML adapter baseline (68f1041)
  • 01-02: add stable Relyra.Error contract (5077f9d)
  • 01-02: freeze hardened XML seam behaviour (ed7257e)
  • 01-03: add compile-time parser path guard (74bac6e)
  • 02-01: add protocol and relay state contract tests (9225186)
  • 02-01: enforce opaque relay state contract (d21697f)
  • 02-01: implement login request and binding primitives (b0d49b6)
  • 02-02: bind signature verification to exact signed node (2aeba97)
  • 02-02: enforce strict signature algorithm policy (88d43db)
  • 02-03: add ordered consume response pipeline (d7db968)
  • 02-03: add response and assertion validators (47981a2)
  • 03-01: add fail-closed default adapter scaffolding (f4acf93)
  • 03-01: freeze phase 3 behaviour contracts (9841e09)
  • 03-02: add atomic ETS request and replay adapters (223cb72)
  • 03-02: add optional Ecto-backed request and replay stores (4a801f9)
  • 03-03: persist request intent and gate consume success (a6cf9aa)
  • 05-01: add telemetry catalog and event spans (07b503f)
  • 06-01: add provider presets, TestSupport, installer, and docs (670ee92)
  • 06-01: close release-discipline gap and add provider audience hint (bdb7c9a)
  • 11-02: add mapping persistence migration coverage (06856c6)
  • 11-03: harden audited trust mutations (c546b6b)
  • 11-04: persist and hydrate mapping config (dd9da43)
  • 12-12-01: canonicalize metadata certificate candidates (6d5d652)
  • 14-01: author 11-VERIFICATION.md with serial CFG-05 packet (4339dca)
  • 15-01: create connection list, detail components and normalize risk flag names (0bdf7b1)
  • 15-02: extract connection form and preset picker components (e133380)
  • 15-02: wire URL-driven presets to the form (50640b8)
  • 15-03: embed risk panel across relevant views (4916649)
  • 15-03: wire lifecycle events to Ecto boundaries and add status badges (0a16b0a)
  • 16-01: establish metadata liveview skeleton and route (and missing 15-01 files) (c52a008)
  • 16-02: add active highlighting to metadata history stream (8ee6076)
  • 16-03: finalize Phase 16 execution and verification (43ce682)
  • 16-03: implement async manual metadata refresh (50a0ebd)
  • 17-01: handle optimistic locking conflicts on certificate updates (8400944)
  • 17-01: implement semantic slot-based timeline UI for certificates (cf7f016)
  • 17-02: implement 3-step staged rollover with typed verification (0399604)
  • 18-01: implement typed mapping forms in live admin (15bb5f4)
  • 18-02: implement audit timeline filtering and expandable details (7ced8fc)
  • 19-01: implement allow_idp_initiated flag for connections (26e822c)
  • 19-02: implement safe local redirect utility (4fab9cf)
  • 19: implement IdP-initiated SSO support and result normalization (101e2a6)
  • 20-01: implement BulkActions coordinator (69be2d9)
  • 20-02: add multi-select UI to ConnectionList (4c3bf15)
  • 20: implement bulk operations for connections and UI multi-selection (6e75525)
  • 21-01: add migration extending relyra_metadata_sources with auto-refresh (7dcf2ea)
  • 21-01: extend MetadataSource schema with auto-refresh fields and changesets (d8eb04b)
  • 21-02: pure cadence + backoff helpers with property-style jitter envelopes (7cfbf02)
  • 21-02: pure failure classifier with one clause per Phase-21 error code (f8620bf)
  • 21-03: add TrustAnchor + DriftDetector pure helpers (1c02e38)
  • 21-03: relocate security corpus + add CorpusGate runtime gate (9400a0d)
  • 21-04: add MetadataApply.resume_auto_refresh/3 single-tx Resume seam (b94ce16)
  • 21-04: add Signature.verify_metadata_root/4 metadata-root shim (35a3da4)
  • 21-04: wrap record_attempt in transact and co-commit health state (2de8899)
  • 21-05: add OptionalDeps.Oban gateway and Workers.MetadataRefresh (ff88242)
  • 21-05: add Scheduler.run_due/2 and AutoRefresh.refresh/2 wrapper (3b60a04)
  • 21-06: add Auto-refresh health card + Resume now to ConnectionMetadataLive (35a4cc7)
  • 21-06: surface auto_refresh_health on the connection list (D-29) (67da767)
  • 21-07: add Metadata.pin_trust_fingerprint/3 + two operator Mix tasks (aa25260)
  • 21-07: add optional Oban dep, ci.oban_smoke alias, README operations (f4bf983)
  • 21-07: document auto_refresh telemetry catalog + LogAlerts handler (06ca068)
  • 21.1-01: forward audit context from Refresh.refresh/2 into apply_revision and record_attempt (closes CFG-07) (80d9001)
  • 22-01: implement certificate expiry traversal engine (13bf7f8)
  • 22-01: implement telemetry for expiring certificates (eef99d4)
  • 23-01: build diagnostic bundle orchestration service (9b4250c)
  • 23-01: implement explicit redaction AllowList for diagnostic exports (74a6efb)
  • 23-02: add download diagnostic bundle UI button to admin UI (fe394bf)
  • 23-02: create mix task for CLI diagnostic bundle export (1f074ba)
  • 23-02: implement HTTP download endpoint for diagnostic bundle (7ce0184)
  • 24-01: implement request store type injection (aff2a30)
  • 24-01: implement session revocation adapter support (f425c18)
  • 24-02: implement LogoutRequest builder (9bfd22c)
  • 24-03: implement logout bindings parser for redirect (d4654ee)
  • 25-01: add shared conformance fixture loader (1f98ee5)
  • 25-01: harden PureBeam seam behavior (e8cfab9)
  • 25-02: expand pinned security regression corpus (c80b6ab)
  • 25-02: implement SP conformance lane (9c3e79a)
  • 25-03: generate conformance report from manifest state (a9a7d58)
  • 27-03: add batteries included proof artifact (0b1ffc9)

Bug Fixes

  • 01-03: stabilize security aliases and verification lanes (e850c7f)
  • 02-01: align request primitives with verification gate checks (1938caf)
  • 02-02: format signature policy and binding files (ff0b471)
  • 02-03: format consume pipeline sources (a07ed0d)
  • 03-01: format contract defaults for strict verification (7066eda)
  • 12-12-02: preserve staged metadata apply semantics (c5c937e)
  • 12-12-02: repair refresh candidate seam (206bdd5)
  • 21.2: revise plans based on checker feedback (5030090)
  • test: ensure MetadataRefresh is loaded before function_exported? check (abc24fa)

[Unreleased]

[0.1.0] - 2026-05-08

Added

  • Initial public release of the strict-by-default SAML 2.0 SP surface.
  • Provider presets for Okta, Entra, and Google Workspace.
  • Relyra.TestSupport, Relyra.TestSupport.FakeIdP, and installer scaffolding.
  • Release hardening metadata, parity checks, and release-time prerequisite guidance.