v1.1.3

Summary

This patch release promotes the runtime and deployment hardening work to production.

Included

• deterministic release promotion with a pinned Railway CLI version
• fail-fast validation for token duration configuration
• safer production defaults for /metrics, with optional bearer protection via METRICS_AUTH_TOKEN
• bounded in-memory rate-limit fallback behaviour under Redis degradation
• explicit bearer header parsing that resolves the CodeQL regex finding

Operational impact

Production promotion stays release-driven and fully verified, and the default runtime posture is safer under both configuration drift and dependency degradation.

v1.1.2

Summary

This patch release restores the hardened release-driven deployment flow end-to-end.

Included

• production release validation now resolves Railway environment secrets directly in the post-deploy validation job
• release-driven smoke validation works with GitHub Environment-scoped secrets again
• repository and OpenAPI version metadata are aligned to 1.1.2

Operational impact

Published releases should now complete the full promotion path: verify exact ref, deploy, and validate smoke in production.

v1.1.1

Summary

This patch release formalises the current production state and tightens the repository promotion model.

Included

• public Swagger UI now resolves and executes against the deployed HTTPS origin
• deploy workflow now verifies the exact promotion candidate before deployment
• production deploys are release-driven and require public smoke validation
• manual deploys are now intentionally oriented toward non-production environments

Operational impact

Production promotion is now stricter, more auditable, and less prone to noisy failed deploy attempts.

v1.1.0

Highlights

• Public Railway deployment with reproducible GitHub Actions delivery and smoke validation.
• Session-backed auth lifecycle with replay-resistant refresh-token rotation and server-side revocation.
• Prometheus metrics, Grafana assets, and a published k6 benchmark baseline.
• Repository architecture decisions, threat model, proof snapshot, and live demo/docs links.

Included work

• Public demo environment and deployment workflow
• Smoke validation hardening for redirects and startup timing
• Railway/Prisma production packaging fixes
• Auth service metrics endpoint and observability assets
• Benchmark report and portfolio proof snapshot polish
• Final README/repository narrative pass with live links

Public endpoints

• API: https://auth-api-production-a97b.up.railway.app
• Swagger UI: https://auth-api-production-a97b.up.railway.app/docs
• OpenAPI: https://auth-api-production-a97b.up.railway.app/docs.json

v1.0.0

Stable baseline release for the production-grade core auth service.

Highlights

• session-based auth lifecycle with refresh-token rotation and replay detection
• split quality and integration validation in GitHub Actions
• contract-driven documentation and explicit local/CI migration flow
• repository governance with PR template, contribution guide, and Dependabot policy

This release marks the project as the maintained baseline for future auth-service work, without expanding scope into broader identity-platform features.