# Changelog

All notable changes to this project will be documented in this file.

## [Unreleased]

### Security / Correctness — Review-v2 blockers fixed

- **B1:** `SecurityConfig` `SecurityFilterChain` is now `securityMatcher`-scoped to plate-auth's own endpoints (`/api/auth/**`, `/api/invitations/**`, `/api/access-requests/**`, `/api/admin/**`, `/api/me`, `/api/memberships/**`). Previously an unscoped `@Order(-100)` chain with `anyRequest().authenticated()` would hijack the consuming app's own routes. (panel B1)
- **B2:** Removed `@ComponentScan(basePackages="de.platesoft.auth")` from `PlateAuthAutoConfiguration` (auto-configuration anti-pattern per Spring Boot guidance). Replaced with explicit `@Import` of the concrete `@Configuration` classes + `@Service`/`@RestController` components. (panel B2)
- **B4:** CORS now fails closed by default. Empty `plate.auth.cors.allowed-origins` disables CORS for plate-auth endpoints (same-origin only) instead of defaulting to `allowedOriginPatterns("*")`. (panel B4)
- **B5:** Removed dead `RefreshToken` entity + `RefreshTokenRepository`. v0.1 issues stateless JWT refresh tokens (per the documented threat model); rotation/family-tracking is deferred to v0.3. (panel B5)
- **W-A:** Documented the `OnboardingHook` transaction contract (hooks run inside the exchange transaction; keep them fast + idempotent).

### Added

- Initial project scaffold (W1)
- Maven parent POM with `${revision}` CI-friendly versioning
- `plate-auth-starter` module skeleton
- `@platesoft/auth` npm package skeleton (tsup + ESM/CJS dual build)
- Gitea Actions CI + release pipelines
- Apache-2.0 LICENSE
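The scoped, fail-closed chain that B1 and B4 describe, written as an added example and not the starter's own `SecurityConfig`. The class name `PlateAuthSecurityExample`, the `CorsProperties` record standing in for the binding of `plate.auth.cors.allowed-origins`, and the single `anyRequest().authenticated()` rule are assumptions; the starter's real per-endpoint authorization rules are not shown.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
class PlateAuthSecurityExample {

    // Endpoints owned by plate-auth (from the B1 entry). Everything else stays with the consuming app.
    private static final String[] PLATE_AUTH_ENDPOINTS = {
        "/api/auth/**", "/api/invitations/**", "/api/access-requests/**",
        "/api/admin/**", "/api/me", "/api/memberships/**"
    };

    // Hypothetical stand-in for the properties binding of plate.auth.cors.allowed-origins.
    record CorsProperties(List<String> allowedOrigins) {}

    @Bean
    @Order(-100)
    SecurityFilterChain plateAuthChain(HttpSecurity http, CorsProperties cors) throws Exception {
        http
            // B1: scope the chain. Without securityMatcher, @Order(-100) plus
            // anyRequest().authenticated() captures every request in the host app.
            .securityMatcher(PLATE_AUTH_ENDPOINTS)
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated());

        // B4: fail closed. No configured origins means no CorsFilter on these endpoints,
        // so a browser on another origin never receives Access-Control-Allow-Origin.
        if (cors.allowedOrigins() == null || cors.allowedOrigins().isEmpty()) {
            http.cors(AbstractHttpConfigurer::disable);
        } else {
            http.cors(c -> c.configurationSource(corsSource(cors.allowedOrigins())));
        }
        return http.build();
    }

    // Explicit origin list registered only for plate-auth's own patterns; never "*".
    private static CorsConfigurationSource corsSource(List<String> allowedOrigins) {
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowedOrigins(allowedOrigins);
        config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        config.setAllowedHeaders(List.of("Authorization", "Content-Type"));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        for (String pattern : PLATE_AUTH_ENDPOINTS) {
            source.registerCorsConfiguration(pattern, config);
        }
        return source;
    }
}
```

A quick check of the B1 fix in a consuming app: a request to a route outside the listed patterns should fall through to the app's own chain (or Spring Boot's default) rather than receiving a 401 from this one.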