Releases: Jaro-c/AuthCore

v1.2.2

26 Apr 20:27
Immutable release. Only release title and notes can be modified.
df13c22

What's Changed

  • ci(release): make the release workflow idempotent by @Jaro-c in #37
  • ci(release): promote release-workflow idempotency fix to main by @Jaro-c in #38
  • chore: sync develop with main's release merge commits by @Jaro-c in #39
  • chore: remove develop branch, consolidate to main by @Jaro-c in #47
  • chore(deps): bump securego/gosec from 64b97151cd7b978abdf8d2f1159a4e9096a12c2b to 4ead098510926e1015958a36dc966bfcb7f6ee11 by @dependabot[bot] in #45
  • chore(deps): bump actions/stale from 9.1.0 to 10.2.0 by @dependabot[bot] in #46
  • chore(deps): bump golang.org/x/text from 0.35.0 to 0.36.0 by @dependabot[bot] in #40
  • chore(deps): bump golang.org/x/net from 0.51.0 to 0.53.0 by @dependabot[bot] in #42
  • chore(deps): bump actions/upload-artifact from 4.6.2 to 7.0.1 by @dependabot[bot] in #41
  • chore(deps): bump codecov/codecov-action from 5.5.4 to 6.0.0 by @dependabot[bot] in #43
  • chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 by @dependabot[bot] in #44
  • chore(release): v1.2.2 — dependency updates by @Jaro-c in #48

Full Changelog: v1.2.1...v1.2.2

v1.2.1 — documentation polish

19 Apr 18:21
c8393b6

Documentation-only release. No code behaviour changes; safe drop-in upgrade from v1.2.0.

🐛 Fixed — stale version claims

  • README.md — API Stability section no longer claims the library is pre-v1. The versioning policy now describes the real v1.x guarantees and references the v1.2.0 defence-in-depth additions.
  • SECURITY.md — Supported Versions policy no longer frames stable v1.0.0 as a future event. Current v1.x support is documented with a non-breaking-upgrade guarantee and a pointer to the CHANGELOG.
  • CODE_OF_CONDUCT.md — the Enforcement section routed Code-of-Conduct reports to GitHub's security advisory page. They are now routed to the maintainer directly; the private advisory is retained only as a clearly-flagged fallback.

🔄 Changed — godoc clarifications

  • auth/jwt/config.go — `Audience` field docs now state explicitly that only the first value is enforced on verification, and that it is snapshotted at `New()` to defend against post-init mutation.
  • auth/password/password.go — `Verify` docs now list the exact PHC parameter ranges enforced (Memory 8 MiB – 4 GiB, Iterations 1 – 20, Parallelism ≥ 1).
  • internal/keymanager — package doc now documents the 4 KiB key-file size cap and its rationale.

⬆️ Upgrade

```
go get github.com/Jaro-c/authcore@v1.2.1
```

Full Changelog: v1.2.0...v1.2.1

v1.2.0 — defence-in-depth hardenings

19 Apr 17:16
11a1293

Defence-in-depth release. Five complementary validations close the last round of edge cases flagged in the pre-v1 gap audit. No public API changes; existing callers upgrade without modification, although the tightened validation can reject configurations or inputs that were previously silently accepted.

🔒 Added — JWT module

  • validateConfig now caps AccessTokenTTL at 24 hours and RefreshTokenTTL at 365 days. Prevents operators from accidentally issuing effectively permanent bearer tokens.
  • VerifyAccessToken / RotateTokens now assert that the token's JOSE kid header matches the module's current key id. Unknown kids return ErrTokenInvalid. Future-proofs multi-key rotation.

🔑 Added — Password module

  • Hash, Verify, and ValidatePolicy now normalise plaintext to Unicode NFC before hashing or policy checks. A user who registers on macOS (precomposed accents) can now sign in on Linux (decomposed form) without being locked out.

📧 Added — Email module

  • ValidateAndNormalize now converts Unicode domain parts to their ASCII (punycode) form via `golang.org/x/net/idna` before validation. Users with internationalised domains (`münchen.de`, `例え.jp`) can now register; the canonical form stored in your database is always ASCII.

🗝️ Added — Key manager

  • All key-loading paths now share a `readCapped` helper that rejects any key file larger than 4 KiB (healthy Ed25519 PEM is ~200 bytes). Protects startup from a corrupted or attacker-replaced key file that would otherwise be loaded whole into memory.
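As an added illustration (not AuthCore's own helper), a readCapped-style function in Go that enforces such a cap without ever buffering an oversized file; the function name, the error value and the path argument are assumptions:

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"os"
)

// 4 KiB cap: a healthy Ed25519 PEM is ~200 bytes, so anything larger is not a key.
const maxKeyFileBytes = 4 << 10

var ErrKeyFileTooLarge = errors.New("keymanager: key file exceeds size cap")

// readCapped returns the file's contents, or ErrKeyFileTooLarge if it holds more
// than limit bytes. It reads at most limit+1 bytes, so an oversized or endless
// file (a replaced key, a FIFO, /dev/zero) is never loaded whole into memory.
// Hypothetical stand-in for AuthCore's helper; the names are assumed.
func readCapped(path string, limit int64) ([]byte, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	// LimitReader stops at limit+1: one extra byte is enough to prove the cap was exceeded.
	buf, err := io.ReadAll(io.LimitReader(f, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(buf)) > limit {
		return nil, fmt.Errorf("%w: %s (more than %d bytes)", ErrKeyFileTooLarge, path, limit)
	}
	return buf, nil
}
```

Applying the limit to the reader rather than trusting a Stat size means a special file that never reaches EOF is also cut off at limit+1 bytes.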

📦 Dependencies

  • Added `golang.org/x/net v0.51.0` (idna). This version postdates GO-2026-4559 and is not affected by that advisory.
  • Added `golang.org/x/text v0.35.0` (unicode/norm).

⬆️ Upgrade

```
go get github.com/Jaro-c/authcore@v1.2.0
```

Full Changelog: v1.1.2...v1.2.0

v1.1.2 — security hardening

19 Apr 15:56
0c43a92

Security-hardening release. No public API changes; existing callers upgrade without modification. Two verification paths are now stricter, which can reject previously-accepted tokens and stored hashes that were produced under inconsistent configuration.

🔒 Security

JWT module (github.com/Jaro-c/authcore/auth/jwt)

  • VerifyAccessToken and RotateTokens now enforce the iss claim against Config.Issuer, mirroring the existing aud check. Previously, a token signed by a trusted key was accepted regardless of which service issued it — a cross-service key-reuse gap. Tokens with a mismatched issuer now return ErrTokenInvalid.
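An added example, not AuthCore's code, showing the issuer check described here together with the v1.2.0 `kid` header check in a minimal Ed25519 JWT verifier. The `Verifier` type, its field names, the `Sign` helper and the single-string `aud` are assumptions made for the example:

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var ErrTokenInvalid = errors.New("jwt: token invalid")
var enc = base64.RawURLEncoding
// Claims: the registered claims checked here; aud is one string for brevity (constructed example).
type Claims struct{ Iss, Aud string }

// Verifier snapshots issuer, primary audience and kid at construction; later config edits cannot loosen it.
type Verifier struct {
	Pub                          ed25519.PublicKey
	Issuer, PrimaryAudience, Kid string
}

// Sign builds an EdDSA JWT; in this example it only produces input for Verify.
func Sign(priv ed25519.PrivateKey, kid string, c Claims) string {
	hb, _ := json.Marshal(map[string]string{"alg": "EdDSA", "kid": kid})
	cb, _ := json.Marshal(map[string]string{"iss": c.Iss, "aud": c.Aud})
	signing := enc.EncodeToString(hb) + "." + enc.EncodeToString(cb)
	return signing + "." + enc.EncodeToString(ed25519.Sign(priv, []byte(signing)))
}

// Verify rejects malformed tokens, an unknown kid (before any signature work), bad signatures, and wrong iss/aud.
func (v *Verifier) Verify(token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, ErrTokenInvalid
	}
	hb, e1 := enc.DecodeString(parts[0])
	cb, e2 := enc.DecodeString(parts[1])
	sig, e3 := enc.DecodeString(parts[2])
	var h struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hb, &h) != nil ||
		h.Alg != "EdDSA" || h.Kid != v.Kid ||
		!ed25519.Verify(v.Pub, []byte(parts[0]+"."+parts[1]), sig) {
		return Claims{}, ErrTokenInvalid
	}
	var c Claims // "iss"/"aud" match the same way
	if json.Unmarshal(cb, &c) != nil || c.Iss != v.Issuer || c.Aud != v.PrimaryAudience {
		return Claims{}, ErrTokenInvalid // a trusted key used by another service lands here
	}
	return c, nil
}
```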

Password module (github.com/Jaro-c/authcore/auth/password)

  • parsePHC now bounds the m= (memory), t= (iterations), and p= (parallelism) parameters read from the stored hash to the same ceilings validateConfig enforces at construction time. A corrupted or attacker-supplied hash of the form `$argon2id$v=19$m=4000000000,…` previously caused argon2.IDKey to attempt a multi-TiB allocation and crash the process on Verify; such hashes now return ErrInvalidHash before any key derivation.
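An added example (not AuthCore's parsePHC) of bounding the PHC cost parameters before any derivation, using the ranges the v1.2.1 notes document for Verify. The `phc` type and the ceiling constants are assumptions, and the call to argon2.IDKey is deliberately left out so the block runs with the standard library alone:

```go
package main

import (
	"errors"
	"strconv"
	"strings"
)

var ErrInvalidHash = errors.New("password: invalid hash")

// Ceilings mirror the ranges AuthCore documents for Verify (v1.2.1 notes).
// PHC m= is in KiB, so 8 MiB..4 GiB is 8192..4194304.
const (
	minMemoryKiB     = 8 << 10
	maxMemoryKiB     = 4 << 20
	minTime, maxTime = 1, 20
	minThreads       = 1
)

// phc carries what argon2.IDKey takes (memory/time uint32, threads uint8); Salt/Hash stay base64.
type phc struct {
	Memory, Time uint32
	Threads      uint8
	Salt, Hash   string
}

// parsePHC decodes "$argon2id$v=19$m=...,t=...,p=...$<salt>$<hash>" and bounds
// every cost parameter before any key derivation or allocation can happen.
func parsePHC(s string) (phc, error) {
	parts := strings.Split(s, "$")
	if len(parts) != 6 || parts[0] != "" || parts[1] != "argon2id" ||
		parts[2] != "v=19" || parts[4] == "" || parts[5] == "" {
		return phc{}, ErrInvalidHash
	}
	params := map[string]uint64{}
	for _, kv := range strings.Split(parts[3], ",") {
		k, v, ok := strings.Cut(kv, "=")
		n, err := strconv.ParseUint(v, 10, 32) // rejects signs, junk and >32-bit values
		if !ok || err != nil {
			return phc{}, ErrInvalidHash
		}
		params[k] = n
	}
	m, t, p := params["m"], params["t"], params["p"]
	if len(params) != 3 || m < minMemoryKiB || m > maxMemoryKiB ||
		t < minTime || t > maxTime || p < minThreads || p > 255 {
		return phc{}, ErrInvalidHash
	}
	return phc{Memory: uint32(m), Time: uint32(t), Threads: uint8(p), Salt: parts[4], Hash: parts[5]}, nil
}
```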

🛡️ Hardening

JWT module

  • verifyAccessToken / verifyRefreshToken internal helpers take audience string (previously []string). The module snapshots Config.Audience[0] into a private primaryAudience field at construction, making the verify path immune to post-init mutation of the caller's audience slice.

🐛 Fixed

  • module.go constructor convention comment now lists the actual per-module signatures (jwt.New[T], variadic password.New, variadic email.New, username.New(p) only) instead of the outdated one-size-fits-all form.

⬆️ Upgrade

```
go get github.com/Jaro-c/authcore@v1.1.2
```

Full Changelog: v1.1.1...v1.1.2

v1.1.1: feat(password): export ValidatePolicy for fail-fast handler validation

15 Mar 16:33

Exposes the internal checkPolicy check as a public method on *Password. Callers can call ValidatePolicy before Hash to return a descriptive error to the client without spending CPU on Argon2id.

Release v1.1.0

15 Mar 04:00

New: auth/password module — Argon2id password hashing with built-in policy
Security: golang.org/x/crypto v0.45.0, minimum Go 1.26.1
Fixed: 4 documentation inaccuracies