What shipped

Every release documented. Security patches, new features, and internal improvements — all in one place. For the full technical changelog, see the CHANGELOG.md in the repository.

v1.10.0

Feature May 1, 2026

App launcher, admin impersonation, passwordless-only toggle, and i18n completion.

  • App launcher — per-workspace tile grid at /t/{slug}/launcher showing entitled applications based on client-scoped roles
  • Admin impersonation — act-as-user sessions with RFC 8693 act claim, dual-session model, cascade revocation on impersonator logout
  • Passwordless-only toggle — workspaces can disable password login entirely, enforcing magic-link-only authentication
  • i18n completion — zero hardcoded English strings remaining in auth and portal views, 174 Spanish translation keys shipped
  • Migrations V40 (launcher columns) and V41 (impersonation FK)

v1.9.0

Feature April 30, 2026

Tenant backup & restore — encrypted, portable workspace snapshots via CLI and admin API.

  • Export tenant — CLI export-tenant and admin API endpoint produce encrypted .bkp1 archives (PBKDF2 600k iterations + AES-256-GCM)
  • Import tenant — CLI import-tenant and admin API endpoint restore workspaces with schema-version compatibility validation
  • Portable bkp1 envelope format — self-contained metadata, salt, IV, and ciphertext in a single file
  • Migration V39 adds password_login_enabled toggle for passwordless workspace configuration

v1.8.1

Patch April 29, 2026

OIDC silent SSO — prompt=none, max_age, id_token_hint, and path-scoped witness cookies.

  • Silent SSO via prompt=none — resource providers can check for existing sessions without user interaction
  • prompt=login and prompt=consent support per OIDC Core specification
  • max_age parameter enforces re-authentication after a specified duration
  • id_token_hint validation for session identity matching
  • auth_time claim added to ID tokens for session age verification
  • KOTAUTH_SSO path-scoped witness cookie for portal silent SSO detection
  • Migration V38 adds auth_time tracking to session records

v1.8.0

Feature April 28, 2026

Redis sidecar — distributed rate limiting and session storage for multi-instance deployments.

  • Optional Redis sidecar via KAUTH_REDIS_URL — drop-in upgrade from in-memory stores
  • Distributed rate limiting with Lua scripts — consistent enforcement across all Kotauth instances
  • Distributed session storage — sticky sessions no longer required behind a load balancer
  • Fail-closed semantics — Redis unavailability rejects requests rather than bypassing limits
  • Lettuce client with connection pooling and automatic reconnection
  • 6 new environment variables for Redis connection tuning
  • Migration V32 adds multi-tenant CORS configuration columns

v1.7.2

Patch April 27, 2026

Internationalization — volume-mounted JSON translation bundles with Accept-Language resolution.

  • i18n framework — TranslationPort and EnglishStrings default implementation with ViewContext pattern
  • Volume-mounted JSON bundles via KAUTH_I18N_BUNDLE_DIR — add languages without recompiling
  • Accept-Language header resolution with quality-factor ranking and graceful fallback to English
  • Migration V37 adds default_locale column to tenant settings
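The Accept-Language resolution rule the v1.7.2 entry names (quality-factor ranking, then fallback to English) is easy to get subtly wrong, so here is an added worked example of it. This is Python written for this page, not Kotauth's Kotlin TranslationPort code; the set of available bundle names and the header values are constructed, and the function names are mine.

```python
"""Accept-Language resolution with quality-factor ranking and English fallback.

Added example, not Kotauth's own code. It implements the resolution rule the
v1.7.2 entry describes: rank language ranges by q, match an available bundle
(exact tag first, then primary subtag), and fall back to English. Bundle names
passed to resolve_locale() are a constructed stand-in for the directory names
under a bundle volume.
"""
from __future__ import annotations

DEFAULT_LOCALE = "en"


def parse_accept_language(header: str) -> list[tuple[str, float]]:
    """Parse an Accept-Language header into (language-range, q) pairs.

    Ranges are lower-cased; a missing q defaults to 1.0; a malformed q is
    treated as 0 (range excluded) rather than raised, so a hostile header
    cannot turn the login page into a 500. The result is sorted by q
    descending; sort() is stable, so equal q keep header order.
    """
    ranges: list[tuple[str, float]] = []
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        tag, _, params = part.partition(";")
        q = 1.0
        for param in params.split(";"):
            name, _, value = param.strip().partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(value.strip())
                except ValueError:
                    q = 0.0
        q = max(0.0, min(q, 1.0))
        ranges.append((tag.strip().lower(), q))
    ranges.sort(key=lambda r: r[1], reverse=True)
    return ranges


def resolve_locale(header: str | None, available: set[str],
                   default: str = DEFAULT_LOCALE) -> str:
    """Pick the best available bundle for the header.

    Matching order per range: exact tag ("es-mx"), then primary subtag ("es").
    "*" accepts the default. q=0 means "not acceptable" and is skipped.
    Anything unmatched (or no header at all) falls back to the default.
    """
    if not header:
        return default
    for tag, q in parse_accept_language(header):
        if q <= 0:
            continue
        if tag == "*":
            return default
        if tag in available:
            return tag
        primary = tag.split("-")[0]
        if primary in available:
            return primary
    return default


if __name__ == "__main__":
    bundles = {"en", "es"}  # constructed: what a bundle directory might contain
    print(resolve_locale("es-MX,es;q=0.8,en;q=0.5", bundles))  # es
    print(resolve_locale("fr-CH, fr;q=0.9, de;q=0.7", bundles))  # en
```

The q=0 handling matters: a client that sends `es;q=0` is saying Spanish is unacceptable, and a naive "first range wins" loop would serve it anyway.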

v1.7.1

Patch April 27, 2026

Cross-device magic-link fix — cookie check reordered before token consumption.

  • Fixed cross-device magic-link failure — route now checks KOTAUTH_AUTH_CONTEXT cookie before consuming the one-time token, preventing token waste on device mismatch

v1.7.0

Feature April 26, 2026

Magic-link passwordless sign-in — email-based authentication with same-device binding.

  • Magic-link passwordless login — 15-minute one-time tokens delivered via email, no password required
  • Same-device cookie binding via KOTAUTH_AUTH_CONTEXT — prevents token replay from a different browser
  • User-enumeration safe — consistent response timing regardless of whether the email exists
  • MFA invariant preserved — magic-link authenticates the first factor, TOTP still required if enrolled
  • New REST API endpoints: POST /magic-link/send and GET /magic-link/consume
  • Migration V36 adds magic-link token storage and tracking
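The v1.7.0 and v1.7.1 entries together describe a small state machine: a 15-minute one-time token, a KOTAUTH_AUTH_CONTEXT cookie bound to it at issue time, a consume step that checks the cookie before burning the token, and a consistent response whether or not the address exists. The following is an added Python model of that flow, not Kotauth's route code; the in-memory store, user table, mail outbox and the MagicLinkService name are constructed for the example.

```python
"""Magic-link issuance and consumption with same-device binding.

Added example, not Kotauth's own code. It models the v1.7.0/v1.7.1 behaviour:
one-time token with a 15-minute TTL, a cookie bound to the token at issue
time, the cookie check performed BEFORE the token is consumed (so a link opened
on the wrong device is not wasted), and a uniform response for unknown
addresses. Store, user table and outbox are in-memory stand-ins.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 15 * 60
COOKIE_NAME = "KOTAUTH_AUTH_CONTEXT"


@dataclass
class PendingLink:
    email: str
    context_hash: str   # hash of the cookie value; a store leak yields no cookies
    expires_at: float


@dataclass
class ConsumeResult:
    status: str                 # "ok" | "invalid" | "expired" | "device_mismatch"
    email: str | None = None
    mfa_required: bool = False  # the link is only the first factor


@dataclass
class MagicLinkService:
    users: dict[str, bool]      # email -> TOTP enrolled? (constructed user table)
    outbox: list[tuple[str, str]] = field(default_factory=list)  # (email, token)
    pending: dict[str, PendingLink] = field(default_factory=dict)  # token hash -> link

    @staticmethod
    def _h(value: str) -> str:
        return hashlib.sha256(value.encode()).hexdigest()

    def send(self, email: str, now: float | None = None) -> str:
        """Return the cookie value to set; mail goes out only for known users.

        Unknown addresses do the same token generation and hashing work and
        get the same return shape, so neither timing nor the response body
        reveals whether the account exists.
        """
        now = time.time() if now is None else now
        context = secrets.token_urlsafe(32)
        token = secrets.token_urlsafe(32)
        token_hash, context_hash = self._h(token), self._h(context)
        if email in self.users:
            self.pending[token_hash] = PendingLink(email, context_hash, now + TOKEN_TTL_SECONDS)
            self.outbox.append((email, token))
        return context

    def consume(self, token: str, cookie: str | None,
                now: float | None = None) -> ConsumeResult:
        now = time.time() if now is None else now
        token_hash = self._h(token)
        link = self.pending.get(token_hash)
        if link is None:
            return ConsumeResult("invalid")
        if now > link.expires_at:
            del self.pending[token_hash]
            return ConsumeResult("expired")
        # Device check before consumption (the v1.7.1 reordering): a link opened
        # in another browser stays valid for the device that requested it.
        if cookie is None or not hmac.compare_digest(self._h(cookie), link.context_hash):
            return ConsumeResult("device_mismatch")
        del self.pending[token_hash]  # one-time use
        return ConsumeResult("ok", email=link.email, mfa_required=self.users[link.email])


if __name__ == "__main__":
    svc = MagicLinkService(users={"alice@example.test": True})
    cookie = svc.send("alice@example.test")
    token = svc.outbox[0][1]
    print(svc.consume(token, "some-other-browser").status)  # device_mismatch
    print(svc.consume(token, cookie).status)                # ok
```

Only hashes of the token and of the cookie value are stored, so the pending-link table is useless to anyone who reads it; the comparison uses hmac.compare_digest to keep the cookie check constant-time.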

v1.6.1

Patch April 25, 2026

Programmatic user onboarding APIs and HIBP breached-password detection.

  • Invite API — POST /users/invite for headless user onboarding without the admin UI
  • Send-reset-email API — POST /users/{id}/send-reset-email triggers password reset flow programmatically
  • Temporary-password API — POST /users/{id}/temporary-password sets a one-time password with mandatory CHANGE_PASSWORD required action
  • HIBP breached-password detection — k-Anonymity range queries against the Have I Been Pwned API during registration and password changes
  • BreachedPasswordPort — pluggable interface for password breach checking in the domain layer
  • Migration V35 adds breach-detection configuration columns
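The k-Anonymity range query mentioned in the v1.6.1 entry is worth seeing concretely, because the whole point is what does not leave the server. Below is an added Python example (not Kotauth's BreachedPasswordPort implementation): it splits the SHA-1, parses a range response, and treats the zero-count padding lines HIBP returns as "not found". The range endpoint URL and the Add-Padding header are the real HIBP API; the response body in the block is constructed, not a real reply.

```python
"""Have I Been Pwned k-anonymity range check, runnable offline.

Added example, not Kotauth's own code. Only the first 5 hex characters of the
password's SHA-1 are sent to HIBP; the remaining 35 are compared locally
against the returned "SUFFIX:COUNT" lines. SAMPLE_RESPONSE is constructed
for this example (the counts are made up); fetch_range() is the only part
that touches the network and is not used by the offline check.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str, timeout: float = 5.0) -> str:
    """Download the range for a 5-char prefix (network; not used in tests).

    Add-Padding asks HIBP to append filler entries with count 0 so that the
    response size does not reveal how many real hashes share the prefix.
    """
    req = urllib.request.Request(RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def count_from_range_response(suffix: str, body: str) -> int:
    """Return the breach count for our suffix from a range response.

    Each line is "<35 hex chars>:<count>". Padding lines carry count 0 and
    must not be treated as a hit; malformed lines are ignored rather than
    failing the whole check.
    """
    for line in body.splitlines():
        hash_suffix, sep, count = line.strip().partition(":")
        if not sep:
            continue
        if hash_suffix.upper() == suffix:
            try:
                return int(count)
            except ValueError:
                return 0
    return 0


def is_breached(password: str, body: str) -> bool:
    """Offline decision given an already-fetched range body."""
    _prefix, suffix = split_hash(password)
    return count_from_range_response(suffix, body) > 0


# Constructed sample body for prefix 5BAA6 (the prefix of sha1("password")).
SAMPLE_RESPONSE = "\n".join([
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824",
    "1EB9D0C0F0C0D3D0E0C6E0D7F0A0B0C0D0E:0",  # padding entry
    "not-a-valid-line",
])


if __name__ == "__main__":
    prefix, _ = split_hash("password")
    print(prefix, is_breached("password", SAMPLE_RESPONSE))  # 5BAA6 True
```

A live check would be `is_breached(pw, fetch_range(split_hash(pw)[0]))`; failing open when HIBP is unreachable is a policy decision the caller has to make explicitly rather than something this helper decides.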

v1.6.0

Feature April 24, 2026

Custom user attributes and JWT claim mapping — project per-user metadata into access and ID tokens.

  • User attributes — per-user key-value metadata (64-char keys, 1024-char values) stored alongside the user record, manageable via admin UI and REST API
  • Claim mappers — tenant-level rules that project user attributes into JWT access and/or ID tokens, with a dedicated admin settings page
  • 41 reserved OIDC/KotAuth claim names blocked to prevent accidental overwrite of standard claims (sub, iss, email, etc.)
  • Caching claim mapper service with 60-second TTL for the hot token-issuance path — immediate invalidation on mapper changes
  • Refresh-token flow re-projects claims on every renewal — attribute changes propagate without waiting for token expiry
  • 6 new REST API endpoints across 2 resource groups (user attributes, claim mappers) with 4 new API scopes
  • PII warning in admin UI and OpenAPI spec — attribute values flow unencrypted into JWTs
  • Migrations V33 (user_attributes) and V34 (tenant_claim_mappers) with composite keys, cascade deletes, and unique constraints

v1.5.8

Patch April 22, 2026

OAuth2 CSP form-action fix and X-Forwarded-* header support for reverse-proxy deployments.

  • TenantCspPlugin — tenant-scoped Content-Security-Policy form-action directive derived from registered client redirect URIs, fixing Chromium CSP violations on OAuth2 redirects
  • X-Forwarded-* header support — generated URLs (invite emails, social callbacks, OIDC discovery) now use correct scheme behind TLS-terminating proxies
  • Shared buildCspPolicy helper eliminates duplication between global and tenant-scoped CSP directives

v1.5.7

Patch April 21, 2026

Multi-tenant CORS policy auto-derived from client redirect URIs.

  • TenantCorsPlugin — allowed origins automatically derived from registered OAuth client redirect URIs per tenant
  • CORS credentials toggle on workspace security settings for BFF / cookie-based cross-origin flows
  • CorsOriginCache with 60-second TTL — immediate invalidation on application or settings changes
  • OIDC discovery and JWKS endpoints use Access-Control-Allow-Origin: * per spec
  • Denied origins logged as structured WARN for operator debugging
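Both the v1.5.8 CSP form-action fix and the v1.5.7 CORS plugin derive their allow-lists from the same input, the registered client redirect URIs, so one added example covers both. This is Python written for this page, not Kotauth's TenantCorsPlugin or TenantCspPlugin; the redirect URIs and function names are constructed.

```python
"""Derive CORS allowed origins and a CSP form-action directive from redirect URIs.

Added example, not Kotauth's own code. The origin (scheme, host, port) of each
registered redirect URI becomes an allowed CORS origin, and the same set feeds
the form-action directive so the post-login OAuth2 redirect is not blocked by
CSP. Redirect URIs used in the demo are constructed sample data.
"""
from __future__ import annotations

from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(redirect_uri: str) -> str | None:
    """Return the web origin of a redirect URI, or None for non-web schemes.

    Custom schemes (native apps, e.g. myapp://callback) have no browser
    origin and are skipped. Explicit default ports are normalised away so
    https://a.example.test:443 and https://a.example.test are one origin.
    Path, query and fragment are discarded: CORS and CSP match on origin only.
    """
    parts = urlsplit(redirect_uri)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    host = parts.hostname.lower()
    if ":" in host:  # IPv6 literal keeps its brackets in an origin
        host = f"[{host}]"
    if port is None or port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def allowed_origins(redirect_uris: list[str]) -> list[str]:
    """Deduplicated, sorted origin list for Access-Control-Allow-Origin checks."""
    return sorted({o for o in (origin_of(u) for u in redirect_uris) if o})


def is_origin_allowed(origin_header: str, allowed: list[str]) -> bool:
    """Exact match only; an arbitrary Origin is never reflected back."""
    return origin_header in allowed


def form_action_directive(redirect_uris: list[str]) -> str:
    """CSP form-action value: 'self' plus every redirect origin."""
    sources = ["'self'", *allowed_origins(redirect_uris)]
    return "form-action " + " ".join(sources)


if __name__ == "__main__":
    # Constructed: one web client with two URIs, a dev URI, and a native app.
    uris = [
        "https://app.example.test/callback",
        "https://app.example.test:443/other",
        "http://localhost:3000/cb",
        "myapp://callback",
    ]
    print(allowed_origins(uris))
    print(form_action_directive(uris))
```

Deriving both headers from one source keeps them consistent: a redirect URI that is valid for the authorization response is, by construction, also an origin the browser is allowed to submit the login form toward, and nothing else is.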

v1.5.6

Patch April 21, 2026

Fix Flyway service SPI file merging in shadow JAR.

  • Shadow JAR duplicatesStrategy changed to INCLUDE with mergeServiceFiles() — fixes Flyway 10+ boot crash where location scanner plugins were silently dropped

v1.5.5

Feature April 20, 2026

Major framework upgrade — Ktor 3.4.2, Gradle 9.4.1, and comprehensive route refactoring.

  • Ktor upgraded from 2.3.12 to 3.4.2 — all 4 intercept blocks converted to route-scoped plugins (AuthTenantPlugin, AdminSessionGuardPlugin, WorkspaceResolverPlugin, ApiContextPlugin)
  • Gradle upgraded from 8.5 to 9.4.1 — configuration cache fully functional with 272ms cached re-runs
  • Flyway upgraded to 12.4.0 — resolves transitive vulnerability, zero API changes
  • logstash-logback-encoder upgraded to 8.1 — patches jackson-core vulnerability (GHSA-72hv-8253-57qq), Jackson forced to 2.21.0
  • delay() calls converted to Duration API — delay(1.hours) instead of delay(3_600_000)
  • CI workflow updated to use project wrapper (./gradlew) instead of hardcoded Gradle version
  • Dockerfile switched from gradle:8-jdk17 to eclipse-temurin:17-jdk with wrapper-based builds
  • Removed dead code: unused pageHeaderWithTitleRow function and stale Netty/Jackson version constraints

v1.5.4

Patch April 10, 2026

Exposed ORM and Flyway upgrades — zero code changes required.

  • Exposed ORM upgraded from 0.55.0 to 0.61.0 — clean drop-in with bug fixes and performance improvements
  • Flyway upgraded from 9.22.3 to 11.8.2 — added required flyway-database-postgresql artifact for Flyway 10+ module split

v1.5.3

Patch April 10, 2026

Security patches for two high-severity Netty CVEs and Kotlin 2.3 upgrade.

  • Netty upgraded to 4.1.132.Final — patches CVE-2026-33870 (HTTP request smuggling, High) and CVE-2026-33871 (HTTP/2 CONTINUATION frame DoS, High)
  • Kotlin upgraded from 1.9.24 to 2.3.20 — enables K2 compiler, source-compatible with no breaking changes

v1.5.2

Patch April 10, 2026

Admin-initiated signing key rotation with JWT kid headers and zero-downtime key rollover.

  • Admin key rotation — generate a new RS256 key pair, promote to active, demote previous key to verification-only from the admin console
  • JWT kid header on all issued tokens (access, id_token, client credentials) per RFC 7517
  • Key retirement — disable old keys to remove from JWKS once all tokens have expired
  • Signing keys management page with key history table, status badges (Active, Verification only, Retired), and one-click actions
  • Token verification reads kid from JWT header with graceful fallback for legacy tokens without kid
  • New audit events: ADMIN_KEY_ROTATED and ADMIN_KEY_RETIRED
  • Migration V31 adds active flag to tenant_keys with unique-per-tenant constraint and backfill
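The v1.5.2 key lifecycle (active signs, verification-only still verifies, retired is gone from JWKS and rejected, legacy tokens without kid still work) is the kind of logic that is easy to describe and easy to get wrong, so here is an added worked model of it. It is Python written for this page, not Kotauth's rotation code. To stay stdlib-only it signs with HS256 (HMAC) where Kotauth uses RS256; the kid lookup and status handling are the point, and the KeyRing/SigningKey names are mine.

```python
"""Signing-key lifecycle with JWT kid headers: Active -> Verification only -> Retired.

Added example, not Kotauth's own code. HS256 stands in for RS256 so the block
runs with the standard library only; the kid resolution logic is unchanged by
that substitution. Key material is generated in-process and never persisted.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

ACTIVE, VERIFY_ONLY, RETIRED = "active", "verification_only", "retired"


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


@dataclass
class SigningKey:
    kid: str
    secret: bytes
    status: str = ACTIVE


@dataclass
class KeyRing:
    keys: dict[str, SigningKey] = field(default_factory=dict)

    def rotate(self) -> SigningKey:
        """Generate a new key, make it active, demote the previous active key."""
        for key in self.keys.values():
            if key.status == ACTIVE:
                key.status = VERIFY_ONLY
        new = SigningKey(kid=secrets.token_hex(8), secret=secrets.token_bytes(32))
        self.keys[new.kid] = new
        return new

    def retire(self, kid: str) -> None:
        """Retire a demoted key once every token it signed has expired."""
        if self.keys[kid].status == ACTIVE:
            raise ValueError("rotate first; the active key cannot be retired")
        self.keys[kid].status = RETIRED

    def published_kids(self) -> list[str]:
        """What the JWKS endpoint would list: every non-retired key."""
        return [k.kid for k in self.keys.values() if k.status != RETIRED]

    def sign(self, claims: dict, include_kid: bool = True) -> str:
        """Sign with the single active key; include_kid=False mimics a legacy token."""
        active = next(k for k in self.keys.values() if k.status == ACTIVE)
        header = {"alg": "HS256", "typ": "JWT"}
        if include_kid:
            header["kid"] = active.kid
        signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(claims).encode())}"
        sig = hmac.new(active.secret, signing_input.encode(), hashlib.sha256).digest()
        return f"{signing_input}.{b64url(sig)}"

    def verify(self, token: str) -> dict | None:
        """Return the claims if a usable key verifies the signature, else None."""
        try:
            h64, p64, s64 = token.split(".")
            header = json.loads(b64url_decode(h64))
            signature = b64url_decode(s64)
        except (ValueError, json.JSONDecodeError):
            return None
        if header.get("alg") != "HS256":
            return None  # the token never gets to choose the algorithm
        kid = header.get("kid")
        if kid is not None:
            key = self.keys.get(kid)
            candidates = [key] if key is not None and key.status != RETIRED else []
        else:
            # Legacy token issued before kid headers: try every non-retired key.
            candidates = [k for k in self.keys.values() if k.status != RETIRED]
        signing_input = f"{h64}.{p64}".encode()
        for key in candidates:
            expected = hmac.new(key.secret, signing_input, hashlib.sha256).digest()
            if hmac.compare_digest(expected, signature):
                return json.loads(b64url_decode(p64))
        return None


if __name__ == "__main__":
    ring = KeyRing()
    old = ring.rotate()
    token = ring.sign({"sub": "u1"})
    ring.rotate()                      # old key is now verification-only
    print(ring.verify(token))          # {'sub': 'u1'}
    ring.retire(old.kid)
    print(ring.verify(token))          # None
```

Note the ordering the retire() guard enforces: a key can only be retired after it has been demoted by a rotation, which is what makes the rollover zero-downtime, since tokens signed by the demoted key keep verifying until the operator decides they have all expired.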

v1.5.1

Patch April 10, 2026

Internal code optimizations — N+1 query fixes, shared SecureTokens, and admin route helpers.

  • AdminRouteContext helper extracts session, workspace, and workspace pairs in one call across all admin handlers
  • SecureTokens singleton replaces 12 scattered SecureRandom() instantiations with a shared thread-safe instance
  • Batch user hydration for role and group detail pages eliminates N+1 queries
  • Password policy validation extracted into shared method — removes duplication across reset, invite, and change flows
  • Typed ID extraction helper replaces 33 inline toIntOrNull() patterns across 3 route files

v1.5.0

Feature April 7, 2026

User invitations with branded email flow, required actions framework, and purpose-scoped tokens.

  • Invite users via email — admins create users and send branded invite emails with a 72-hour activation link
  • Accept-invite page with real-time password policy validation, tenant branding, and automatic account activation
  • Required actions framework — extensible SET_PASSWORD action stored as PostgreSQL text[] array, no migration needed for new actions
  • Token purpose discriminator — invite and password-reset tokens are cryptographically separated, cross-purpose usage rejected at the service layer
  • Resend invite from admin user detail page — generates a new token and invalidates the previous one
  • Sentinel password hash ("!") prevents wasted bcrypt cycles on accounts that haven't completed setup
  • New audit events: USER_INVITE_SENT and USER_INVITE_ACCEPTED tracked in the audit log

v1.4.1

Patch April 5, 2026

Portal social accounts, search-based entity picker, RBAC improvements, and pagination.

  • Portal connected social accounts — users can view linked Google and GitHub identities from the self-service profile page
  • Entity picker component — search-as-you-type replaces native dropdowns for role and group user assignment with debounced htmx search, keyboard navigation, and ARIA combobox pattern
  • RBAC assigned users table on role detail page — shows all assigned users with links and remove actions
  • User pagination (25/page) with position-aware subtitles ("Showing 1–25 of 247 users") and search composition via ?q=alice&page=2
  • Sessions list capped at 100 most recent with dedicated count query
  • JavaScript modernized across all bundles — var to const/let, arrow functions, template literals, optional chaining

v1.4.0

Feature April 3, 2026

Auto-update check, version badge, and release infrastructure.

  • Auto-update check — server queries a version manifest on startup and surfaces available updates in the admin console
  • Version badge displayed in admin UI header showing the current running version
  • KAUTH_UPDATE_CHECK env flag (default: true) to disable update checks for air-gapped deployments
  • KAUTH_UPDATE_CHECK_URL to override the manifest URL for private registries
  • Release infrastructure — CI manifest publishing, GitHub Pages CNAME, and release issue template

v1.3.3

Patch April 2, 2026

REST API partial updates, toast notifications for user actions, and admin UX polish.

  • REST API partial updates — PUT /users/{id} and PUT /applications/{id} now accept partial payloads, omitted fields retain current values
  • Toast notifications for user actions — enable/disable user, revoke sessions, and resend verification email now show immediate feedback
  • CSS tooltip component using data-tooltip attribute with disabled-state awareness via :has(:disabled)
  • Audit log filter auto-submits on change — no more clicking the Filter button
  • Settings save buttons show "Saving…" during form submission across all admin settings pages
  • Danger zone cards display dynamic text reflecting current user state (disable/enable)

v1.3.2

Patch April 1, 2026

Workspace session management, SMTP testing, webhook recovery, and a redesigned audit log.

  • Workspace "Revoke all sessions" — bulk revocation across all users with confirmation dialog and audit event
  • SMTP test email button — send a branded test email from the settings page to verify SMTP configuration
  • Webhook recovery sweep — background job retries pending deliveries every 5 minutes, auto-fails orphaned deliveries
  • Workspace logos in admin console — topbar switcher, dropdown, and detail page show configured logos
  • Audit log redesigned — color-coded event badges, human-readable labels, linked client names, and grouped filter with 55 event types across 7 categories
  • Composite role expansion rewritten as a single recursive CTE — replaces per-level BFS queries
  • Typed webhook events — string constants replaced with a compile-time safe WebhookEventType enum

v1.3.1

Patch March 30, 2026

Client-side polish — inline password validation, toast notifications, and full CSP compliance.

  • Real-time password validation checklist on all password fields — shows per-tenant policy requirements as you type
  • Auto-dismissing toast notifications replace persistent URL banners across admin and portal
  • Full CSP compliance — all inline event handlers replaced with event delegation, zero unsafe-inline violations
  • QRCode.js bundled locally — MFA enrollment works fully offline and in air-gapped environments
  • CSS token architecture refactored with shared structural tokens across all 4 bundles
  • Button and form CSS layered into shared base with context-specific overrides (auth vs portal)

v1.3.0

Feature March 30, 2026

Security hardening — encrypted keys at rest, mandatory secret key, CLI tools, and rate limiting everywhere.

  • KAUTH_SECRET_KEY is now required in all environments — no dev-mode fallback, server refuses to start without it
  • RSA private keys encrypted at rest with AES-256-GCM — existing plaintext keys auto-migrated on startup
  • KAUTH_ADMIN_BYPASS removed entirely — admin auth is exclusively OAuth PKCE, with CLI recovery for lockouts
  • CLI infrastructure: generate-secret-key and reset-admin-mfa subcommands via java -jar kauth.jar cli
  • MFA challenge rate limiting (5 attempts/5 min) and password reset rate limiting (3 attempts/5 min)
  • findById tenant scoping enforced at the database query level — cross-tenant lookups are structurally impossible
  • Client secrets no longer appear in URLs — uses server-side FlashStore with one-time read semantics
  • HTTP response compression (gzip/deflate), static asset cache headers, and 12 missing FK indexes added

v1.2.1

Patch March 27, 2026

New /authorize endpoint, JS bundling with SRI, and bundled Swagger UI for air-gapped deploys.

  • New /authorize shorthand endpoint replaces the verbose /protocol/openid-connect/auth path
  • JS bundled with esbuild into 4 minified files with SRI integrity hashes on all script tags
  • Swagger UI bundled locally — API docs work in air-gapped environments without CDN access
  • Password show/hide toggle on all password fields across login, register, and reset forms
  • Session revocation DB check on every request — revoking from admin immediately invalidates cookies
  • Email templates redesigned with TenantTheme branding — accent colors, logos, and responsive layout

v1.2.0

Feature March 27, 2026

Security hardening, admin OAuth dogfooding, and account lockout protection.

  • Admin console now authenticates via OAuth Authorization Code + PKCE through the master tenant
  • Account lockout with configurable failed login threshold and duration — locked users get an email with a password reset link
  • OIDC end-session logout with id_token_hint and open redirect prevention
  • Break-glass admin bypass (KAUTH_ADMIN_BYPASS) for recovery scenarios
  • Password changed and account locked email notifications on all relevant paths
  • HMAC-signed admin cookies, Content-Security-Policy header, SameSite cookie attributes
  • CVE patches for Netty, Jackson, Logback, and PostgreSQL JDBC

v1.1.5

Patch March 26, 2026

Critical bug fixes for email verification, audit log parsing, and rate limiting.

  • Fixed broken email verification links that produced relative URLs
  • Audit log details now properly parsed — admin UI and API show full event context
  • Rate limit keys scoped per tenant — one workspace's traffic no longer affects another
  • Session cleanup background job purges expired sessions hourly
  • Composite database indexes for faster session and audit queries

v1.1.4

Patch March 26, 2026

Security patch release addressing 5 CVEs and adding transport hardening.

  • Mitigated Netty HTTP/2 DDoS (CVE-2025-55163) and native SSL crash (CVE-2025-24970)
  • Fixed Jackson async parser DoS, Logback RCE, and PostgreSQL JDBC MITM vulnerabilities
  • Added SameSite=Lax on session cookies and Content-Security-Policy header
  • Thread-safe JWT cache prevents data race under concurrent token issuance

v1.1.3

Patch March 25, 2026

Connection pooling, async email, and multi-architecture Docker images.

  • HikariCP connection pool replaces bare JDBC — eliminates 10-20ms overhead per DB call
  • Email delivery moved to background coroutines — login responses return immediately
  • Multi-arch Docker images (amd64 + arm64) built natively in CI — no QEMU emulation
  • Route intercept pattern eliminates ~80 duplicate database calls across admin and auth routes

v1.1.2

Patch March 25, 2026

External database support and documentation improvements.

  • New compose file for external databases — bring your own PostgreSQL from RDS, Supabase, Neon, Railway, or Render
  • Updated documentation with provider-specific connection strings and SSL configuration

v1.1.1

Patch March 24, 2026

Zero-config quickstart with pre-loaded demo data.

  • One-command quickstart with demo data — evaluate Kotauth without any configuration
  • PostgreSQL port no longer exposed to host in default compose — only accessible within Docker network

v1.1.0

Feature March 22, 2026

Major internal refactor — route splitting, composition root extraction, and injectable services.

  • AdminRoutes and AuthRoutes split from ~1800 lines each into 7 focused files
  • ServiceGraph composition root extracted with fail-fast environment validation
  • EncryptionService converted to injectable class — no more static System.getenv() calls
  • RateLimiter extracted behind domain port interface

v1.0.0

Major March 17, 2026

Initial stable release with full OAuth2/OIDC, multi-tenancy, RBAC, MFA, and audit logging.

  • Complete OAuth 2.0 / OIDC provider with Authorization Code + PKCE, Client Credentials, and token rotation
  • Multi-tenant workspaces with per-tenant RS256 key pairs, branding, and isolated user directories
  • RBAC with composite role inheritance, hierarchical groups, and tenant/client scoping
  • TOTP MFA with recovery codes, social login (Google/GitHub), and user self-service portal
  • Admin console, 30+ REST API endpoints with OpenAPI 3.1, HMAC-signed webhooks, and 30+ audit event types