Skip to content

Commit e4e6f03

Browse files
committed
Added npm published event and doc fixes
1 parent 4f66a08 commit e4e6f03

6 files changed

Lines changed: 99 additions & 5 deletions

File tree

CHANGELOG.md

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -64,6 +64,17 @@ Security-review follow-ups (hardening; no known exploit in the items below).
6464
handle a `null` jti, and that the Spring JWT filter is additive (never
6565
clears a pre-existing `SecurityContext`).
6666

67+
### Distribution
68+
69+
- **The browser SDK is now published to npm as
70+
[`@pk-auth/passkeys-browser`](https://www.npmjs.com/package/@pk-auth/passkeys-browser)
71+
at `1.3.0`** — its first npm release. The SDK version tracks the pk-auth
72+
server release it speaks to, so `1.3.0` matches this release's Maven
73+
Central artifacts. Install with `npm install @pk-auth/passkeys-browser`.
74+
See [`RELEASE.md`](./RELEASE.md) for the publish steps. (The example
75+
apps still consume the SDK via a relative `dist/` import built by
76+
Gradle, not the published package.)
77+
6778
## [1.2.0] — 2026-06-02
6879

6980
### Security

DESIGN.md

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -120,7 +120,7 @@ modules implement SPIs declared in core and are wired in by the host.
120120
| `pk-auth-spring-boot-starter` | Spring Boot 4 / Spring Security 7 autoconfigure + controller. |
121121
| `pk-auth-dropwizard` | Dropwizard 5 `ConfiguredBundle` + Dagger 2 wiring + Jersey resources. |
122122
| `pk-auth-micronaut` | Micronaut 4 controllers + `@Filter` JWT validation (no Micronaut Security). |
123-
| `clients/passkeys-browser` | TypeScript SDK. ESM + CJS, zero deps, vitest-tested. |
123+
| `clients/passkeys-browser` | TypeScript SDK (npm: `@pk-auth/passkeys-browser`). ESM + CJS, zero deps, vitest-tested. |
124124
| `examples/{spring-boot,dropwizard,micronaut}-demo` | Runnable demos with the shared SPA. |
125125

126126
## 4. The wire contract
@@ -340,7 +340,10 @@ SPIs.
340340
## 9. The TS SDK
341341

342342
`clients/passkeys-browser/` is a zero-dep TypeScript SDK that ships
343-
both ESM and CJS bundles. Two clients:
343+
both ESM and CJS bundles, published on npm as
344+
[`@pk-auth/passkeys-browser`](https://www.npmjs.com/package/@pk-auth/passkeys-browser)
345+
(`npm install @pk-auth/passkeys-browser`; its version tracks the pk-auth
346+
server release it speaks to). Two clients:
344347

345348
- **`PkAuthCeremonyClient`** — full `register()` and `authenticate()`
346349
flows that wrap `navigator.credentials.{create,get}`, handling all

GETTING_STARTED.md

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -117,6 +117,12 @@ Skip them and the feature isn't exposed.
117117
|---|---|---|
118118
| `clients/passkeys-browser` (`@pk-auth/passkeys-browser`) | Zero-dependency TypeScript SDK. `PkAuthCeremonyClient` wraps `navigator.credentials.{create,get}` and handles all the base64url ↔ ArrayBuffer conversions. `PkAuthAdminClient` calls the admin endpoints with a bearer token. ESM + CJS bundles. | If your frontend talks to pk-auth from a browser. Skip if you're calling the JSON endpoints from a non-browser client (mobile, server-to-server). |
119119

120+
The SDK is on npm — its version tracks the pk-auth release it speaks to:
121+
122+
```sh
123+
npm install @pk-auth/passkeys-browser
124+
```
125+
120126
## 3. What you have to do (the SPI surface)
121127

122128
pk-auth's design assumes **your app already has a user table**. It doesn't

README.md

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -52,7 +52,9 @@ What you get out of the box:
5252
- Persistence options: in-memory (testkit), JDBI + Postgres with Flyway
5353
migrations, or DynamoDB single-table.
5454
- A zero-dependency browser SDK (`@pk-auth/passkeys-browser`) covering
55-
both ceremony and admin operations.
55+
both ceremony and admin operations, published on npm
56+
(`npm install @pk-auth/passkeys-browser`). Its version tracks the
57+
pk-auth server release it speaks to.
5658

5759
```mermaid
5860
flowchart LR

SECURITY.md

Lines changed: 71 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,71 @@
1+
# Security Policy
2+
3+
pk-auth is an authentication library, so security reports are taken seriously
4+
and handled with priority. Thank you for helping keep it and its users safe.
5+
6+
## Supported versions
7+
8+
Fixes land on the latest published `1.x` line. Maven Central and npm releases
9+
are immutable, so a security fix ships as a new patch (or minor) release rather
10+
than a re-publish of an affected version — upgrade to the latest release to pick
11+
it up.
12+
13+
| Version | Supported |
14+
| ------------------ | ------------------ |
15+
| Latest `1.x` release | :white_check_mark: |
16+
| Older `1.x` releases | Fix only via the next release |
17+
| `0.x` (pre-stable) | :x: |
18+
19+
The browser SDK (`@pk-auth/passkeys-browser`) shares the same version line as
20+
the JVM artifacts and follows the same support window.
21+
22+
## Reporting a vulnerability
23+
24+
**Please do not open a public issue, pull request, or discussion for a
25+
suspected vulnerability.** Public disclosure before a fix is available puts
26+
downstream users at risk.
27+
28+
Use one of these private channels instead:
29+
30+
1. **GitHub private vulnerability reporting (preferred).** On the repository,
31+
go to the **Security** tab → **Report a vulnerability**, or open
32+
<https://github.com/codeheadsystems/pk-auth/security/advisories/new>. This
33+
creates a private advisory thread visible only to you and the maintainers.
34+
2. **Email.** Send details to **ned.wolpert@gmail.com** with `pk-auth security`
35+
in the subject line.
36+
37+
Please include, as far as you can:
38+
39+
- The affected module(s) and version (e.g. `pk-auth-core 1.3.0`).
40+
- A description of the issue and its impact (what an attacker can do).
41+
- Steps to reproduce — a minimal proof of concept, failing test, or request
42+
sequence is ideal.
43+
- Any relevant configuration (adapter, persistence backend, SPI implementations).
44+
45+
## What to expect
46+
47+
- **Acknowledgement** within **3 business days**.
48+
- An initial assessment (severity, affected versions, whether it reproduces)
49+
within **10 business days**.
50+
- We aim to ship a fix within **90 days** of triage and will keep you updated on
51+
progress. Complex issues may take longer; we will say so.
52+
- We follow **coordinated disclosure**: we ask that you keep the report private
53+
until a fix is released and a GitHub Security Advisory is published. We are
54+
happy to credit you in the advisory unless you prefer to remain anonymous.
55+
56+
## Scope
57+
58+
This policy covers the pk-auth library, its three host adapters
59+
(`pk-auth-spring-boot-starter`, `pk-auth-dropwizard`, `pk-auth-micronaut`), the
60+
wire contract, and the browser SDK in this repository.
61+
62+
It does **not** cover the responsibilities a host application retains — TLS,
63+
network ingress, secrets management, and the authorization layer above
64+
authentication. See [`docs/threat-model.md`](docs/threat-model.md) for the
65+
trust boundaries and STRIDE analysis, and [`docs/stability.md`](docs/stability.md)
66+
for the SPI versioning and stability guarantees.
67+
68+
> **Maturity note.** As stated in the repository README, this project's code is
69+
> AI-generated and has not undergone a formal third-party security review unless
70+
> a note in the repository says otherwise. Evaluate it accordingly before
71+
> production use.

site/index.html

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1567,10 +1567,10 @@ <h4>Admin &amp; SDK</h4>
15671567
</div>
15681568
<div class="module-card">
15691569
<div class="module-card-top">
1570-
<span class="module-card-name"><b>npm:</b>@pk-auth/passkeys-browser</span>
1570+
<span class="module-card-name"><b>npm:</b><a href="https://www.npmjs.com/package/@pk-auth/passkeys-browser">@pk-auth/passkeys-browser</a></span>
15711571
<span class="tag">TypeScript</span>
15721572
</div>
1573-
<p>Zero-dependency ceremony + admin clients. ESM and CJS bundles. Handles all <code>ArrayBuffer</code> &harr; <code>base64url</code> wrangling around <code>navigator.credentials</code>. The refresh client returns a typed result sum &mdash; it never throws on 401.</p>
1573+
<p>Zero-dependency ceremony + admin clients, on npm (<code>npm install @pk-auth/passkeys-browser</code>) &mdash; its version tracks the server release. ESM and CJS bundles. Handles all <code>ArrayBuffer</code> &harr; <code>base64url</code> wrangling around <code>navigator.credentials</code>. The refresh client returns a typed result sum &mdash; it never throws on 401.</p>
15741574
</div>
15751575
</div>
15761576
</div>
@@ -1780,6 +1780,7 @@ <h4>Project</h4>
17801780
<li><a href="https://github.com/codeheadsystems/pk-auth">Source on GitHub</a></li>
17811781
<li><a href="https://github.com/codeheadsystems/pk-auth/issues">Issues</a></li>
17821782
<li><a href="https://central.sonatype.com/search?q=g:com.codeheadsystems">Maven Central</a></li>
1783+
<li><a href="https://www.npmjs.com/package/@pk-auth/passkeys-browser">Browser SDK on npm</a></li>
17831784
<li><a href="https://github.com/codeheadsystems/pk-auth/blob/main/CONTRIBUTING.md">Contributing</a></li>
17841785
</ul>
17851786
</div>

0 commit comments

Comments
 (0)