
What shipped

Every release documented. Security patches, new features, and internal improvements — all in one place. For the full technical changelog, see the CHANGELOG.md in the repository.

v1.5.2

Patch April 10, 2026

Admin-initiated signing key rotation with JWT kid headers and zero-downtime key rollover.

  • Admin key rotation — generate a new RS256 key pair, promote to active, demote previous key to verification-only from the admin console
  • JWT kid header on all issued tokens (access, id_token, client credentials) per RFC 7517
  • Key retirement — disable old keys to remove from JWKS once all tokens have expired
  • Signing keys management page with key history table, status badges (Active, Verification only, Retired), and one-click actions
  • Token verification reads kid from JWT header with graceful fallback for legacy tokens without kid
  • New audit events: ADMIN_KEY_ROTATED and ADMIN_KEY_RETIRED
  • Migration V31 adds active flag to tenant_keys with unique-per-tenant constraint and backfill
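The rollover rules above, as an added illustration that is not Kotauth's own code: a per-tenant key ring where only the Active key signs, Active and Verification-only keys verify, Retired keys are skipped, tokens carry the signing key's kid, and tokens without a kid fall back to trying every non-retired key. Names (KeyRing, rotate, retire) are invented here, and HMAC secrets stand in for the RS256 key pairs because the Python stdlib has no RSA.

```python
import base64, hashlib, hmac, json, secrets
ACTIVE, VERIFY_ONLY, RETIRED = "Active", "Verification only", "Retired"
def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

class KeyRing:
    # One ring per tenant: kid -> {"secret", "status"}. HMAC secrets stand in for the
    # page's RS256 key pairs (stdlib has no RSA); kid routing and status rules are the point.
    def __init__(self):
        self.keys, self.active = {}, None
    def rotate(self) -> str:
        # New key becomes active; the previous active key only verifies from now on.
        kid = secrets.token_hex(8)
        if self.active is not None:
            self.keys[self.active]["status"] = VERIFY_ONLY
        self.keys[kid] = {"secret": secrets.token_bytes(32), "status": ACTIVE}
        self.active = kid
        return kid
    def retire(self, kid: str, now: int, last_exp: int) -> None:
        # Drops the key from verification (and thus from JWKS); only safe once every
        # token it signed has expired, so last_exp is the latest exp it ever issued.
        if kid == self.active or now < last_exp:
            raise ValueError("key still active or has unexpired tokens")
        self.keys[kid]["status"] = RETIRED
    def sign(self, claims: dict, legacy: bool = False) -> str:
        # legacy=True mimics tokens minted before this release: no kid in the header.
        header = {"alg": "HS256", "typ": "JWT"}
        if not legacy:
            header["kid"] = self.active
        body = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
        sig = hmac.new(self.keys[self.active]["secret"], body.encode(), hashlib.sha256).digest()
        return body + "." + b64url(sig)

    def verify(self, token: str) -> dict:
        h, p, s = token.split(".")
        kid = json.loads(b64url_decode(h)).get("kid")
        # With a kid, only that key is tried; without one (legacy), every non-retired key is.
        candidates = [kid] if kid is not None else list(self.keys)
        for k in candidates:
            entry = self.keys.get(k)
            if entry is None or entry["status"] == RETIRED:
                continue
            expected = hmac.new(entry["secret"], f"{h}.{p}".encode(), hashlib.sha256).digest()
            if hmac.compare_digest(expected, b64url_decode(s)):
                return json.loads(b64url_decode(p))
        raise ValueError("no active or verification-only key matches this token")
```

Retiring a key before its last token expires is refused, which is the check that keeps rollover zero-downtime for clients still holding old tokens.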

v1.5.1

Patch April 10, 2026

Internal code optimizations — N+1 query fixes, shared SecureTokens, and admin route helpers.

  • AdminRouteContext helper extracts session, workspace, and workspace pairs in one call across all admin handlers
  • SecureTokens singleton replaces 12 scattered SecureRandom() instantiations with a shared thread-safe instance
  • Batch user hydration for role and group detail pages eliminates N+1 queries
  • Password policy validation extracted into shared method — removes duplication across reset, invite, and change flows
  • Typed ID extraction helper replaces 33 inline toIntOrNull() patterns across 3 route files

v1.5.0

Feature April 7, 2026

User invitations with branded email flow, required actions framework, and purpose-scoped tokens.

  • Invite users via email — admins create users and send branded invite emails with a 72-hour activation link
  • Accept-invite page with real-time password policy validation, tenant branding, and automatic account activation
  • Required actions framework — extensible SET_PASSWORD action stored as PostgreSQL text[] array, no migration needed for new actions
  • Token purpose discriminator — invite and password-reset tokens are cryptographically separated, cross-purpose usage rejected at the service layer
  • Resend invite from admin user detail page — generates a new token and invalidates the previous one
  • Sentinel password hash ("!") prevents wasted bcrypt cycles on accounts that haven't completed setup
  • New audit events: USER_INVITE_SENT and USER_INVITE_ACCEPTED tracked in the audit log

v1.4.1

Patch April 5, 2026

Portal social accounts, search-based entity picker, RBAC improvements, and pagination.

  • Portal connected social accounts — users can view linked Google and GitHub identities from the self-service profile page
  • Entity picker component — search-as-you-type replaces native dropdowns for role and group user assignment with debounced htmx search, keyboard navigation, and ARIA combobox pattern
  • RBAC assigned users table on role detail page — shows all assigned users with links and remove actions
  • User pagination (25/page) with position-aware subtitles ("Showing 1–25 of 247 users") and search composition via ?q=alice&page=2
  • Sessions list capped at 100 most recent with dedicated count query
  • JavaScript modernized across all bundles — var to const/let, arrow functions, template literals, optional chaining

v1.4.0

Feature April 3, 2026

Auto-update check, version badge, and release infrastructure.

  • Auto-update check — server queries a version manifest on startup and surfaces available updates in the admin console
  • Version badge displayed in admin UI header showing the current running version
  • KAUTH_UPDATE_CHECK env flag (default: true) to disable update checks for air-gapped deployments
  • KAUTH_UPDATE_CHECK_URL to override the manifest URL for private registries
  • Release infrastructure — CI manifest publishing, GitHub Pages CNAME, and release issue template

v1.3.3

Patch April 2, 2026

REST API partial updates, toast notifications for user actions, and admin UX polish.

  • REST API partial updates — PUT /users/{id} and PUT /applications/{id} now accept partial payloads; omitted fields retain their current values
  • Toast notifications for user actions — enable/disable user, revoke sessions, and resend verification email now show immediate feedback
  • CSS tooltip component using data-tooltip attribute with disabled-state awareness via :has(:disabled)
  • Audit log filter auto-submits on change — no more clicking the Filter button
  • Settings save buttons show "Saving…" during form submission across all admin settings pages
  • Danger zone cards display dynamic text reflecting current user state (disable/enable)

v1.3.2

Patch April 1, 2026

Workspace session management, SMTP testing, webhook recovery, and a redesigned audit log.

  • Workspace "Revoke all sessions" — bulk revocation across all users with confirmation dialog and audit event
  • SMTP test email button — send a branded test email from the settings page to verify SMTP configuration
  • Webhook recovery sweep — background job retries pending deliveries every 5 minutes, auto-fails orphaned deliveries
  • Workspace logos in admin console — topbar switcher, dropdown, and detail page show configured logos
  • Audit log redesigned — color-coded event badges, human-readable labels, linked client names, and grouped filter with 55 event types across 7 categories
  • Composite role expansion rewritten as a single recursive CTE — replaces per-level BFS queries
  • Typed webhook events — string constants replaced with a compile-time safe WebhookEventType enum

v1.3.1

Patch March 30, 2026

Client-side polish — inline password validation, toast notifications, and full CSP compliance.

  • Real-time password validation checklist on all password fields — shows per-tenant policy requirements as you type
  • Auto-dismissing toast notifications replace persistent URL banners across admin and portal
  • Full CSP compliance — all inline event handlers replaced with event delegation, zero unsafe-inline violations
  • QRCode.js bundled locally — MFA enrollment works fully offline and in air-gapped environments
  • CSS token architecture refactored with shared structural tokens across all 4 bundles
  • Button and form CSS layered into shared base with context-specific overrides (auth vs portal)

v1.3.0

Feature March 30, 2026

Security hardening — encrypted keys at rest, mandatory secret key, CLI tools, and rate limiting everywhere.

  • KAUTH_SECRET_KEY is now required in all environments — no dev-mode fallback, server refuses to start without it
  • RSA private keys encrypted at rest with AES-256-GCM — existing plaintext keys auto-migrated on startup
  • KAUTH_ADMIN_BYPASS removed entirely — admin auth is exclusively OAuth PKCE, with CLI recovery for lockouts
  • CLI infrastructure: generate-secret-key and reset-admin-mfa subcommands via java -jar kauth.jar cli
  • MFA challenge rate limiting (5 attempts/5 min) and password reset rate limiting (3 attempts/5 min)
  • findById tenant scoping enforced at the database query level — cross-tenant lookups are structurally impossible
  • Client secrets no longer appear in URLs — uses server-side FlashStore with one-time read semantics
  • HTTP response compression (gzip/deflate), static asset cache headers, and 12 missing FK indexes added

v1.2.1

Patch March 27, 2026

New /authorize endpoint, JS bundling with SRI, and bundled Swagger UI for air-gapped deploys.

  • New /authorize shorthand endpoint replaces the verbose /protocol/openid-connect/auth path
  • JS bundled with esbuild into 4 minified files with SRI integrity hashes on all script tags
  • Swagger UI bundled locally — API docs work in air-gapped environments without CDN access
  • Password show/hide toggle on all password fields across login, register, and reset forms
  • Session revocation DB check on every request — revoking from admin immediately invalidates cookies
  • Email templates redesigned with TenantTheme branding — accent colors, logos, and responsive layout

v1.2.0

Feature March 27, 2026

Security hardening, admin OAuth dogfooding, and account lockout protection.

  • Admin console now authenticates via OAuth Authorization Code + PKCE through the master tenant
  • Account lockout with configurable failed login threshold and duration — locked users get an email with a password reset link
  • OIDC end-session logout with id_token_hint and open redirect prevention
  • Break-glass admin bypass (KAUTH_ADMIN_BYPASS) for recovery scenarios
  • Password changed and account locked email notifications on all relevant paths
  • HMAC-signed admin cookies, Content-Security-Policy header, SameSite cookie attributes
  • CVE patches for Netty, Jackson, Logback, and PostgreSQL JDBC

v1.1.5

Patch March 26, 2026

Critical bug fixes for email verification, audit log parsing, and rate limiting.

  • Fixed broken email verification links that produced relative URLs
  • Audit log details now properly parsed — admin UI and API show full event context
  • Rate limit keys scoped per tenant — one workspace's traffic no longer affects another
  • Session cleanup background job purges expired sessions hourly
  • Composite database indexes for faster session and audit queries

v1.1.4

Patch March 26, 2026

Security patch release addressing 5 CVEs and adding transport hardening.

  • Mitigated Netty HTTP/2 DDoS (CVE-2025-55163) and native SSL crash (CVE-2025-24970)
  • Fixed Jackson async parser DoS, Logback RCE, and PostgreSQL JDBC MITM vulnerabilities
  • Added SameSite=Lax on session cookies and Content-Security-Policy header
  • Thread-safe JWT cache prevents data race under concurrent token issuance

v1.1.3

Patch March 25, 2026

Connection pooling, async email, and multi-architecture Docker images.

  • HikariCP connection pool replaces bare JDBC — eliminates 10-20ms overhead per DB call
  • Email delivery moved to background coroutines — login responses return immediately
  • Multi-arch Docker images (amd64 + arm64) built natively in CI — no QEMU emulation
  • Route intercept pattern eliminates ~80 duplicate database calls across admin and auth routes

v1.1.2

Patch March 25, 2026

External database support and documentation improvements.

  • New compose file for external databases — bring your own PostgreSQL from RDS, Supabase, Neon, Railway, or Render
  • Updated documentation with provider-specific connection strings and SSL configuration

v1.1.1

Patch March 24, 2026

Zero-config quickstart with pre-loaded demo data.

  • One-command quickstart with demo data — evaluate Kotauth without any configuration
  • PostgreSQL port no longer exposed to host in default compose — only accessible within Docker network

v1.1.0

Feature March 22, 2026

Major internal refactor — route splitting, composition root extraction, and injectable services.

  • AdminRoutes and AuthRoutes split from ~1800 lines each into 7 focused files
  • ServiceGraph composition root extracted with fail-fast environment validation
  • EncryptionService converted to injectable class — no more static System.getenv() calls
  • RateLimiter extracted behind domain port interface

v1.0.0

Major March 17, 2026

Initial stable release with full OAuth2/OIDC, multi-tenancy, RBAC, MFA, and audit logging.

  • Complete OAuth 2.0 / OIDC provider with Authorization Code + PKCE, Client Credentials, and token rotation
  • Multi-tenant workspaces with per-tenant RS256 key pairs, branding, and isolated user directories
  • RBAC with composite role inheritance, hierarchical groups, and tenant/client scoping
  • TOTP MFA with recovery codes, social login (Google/GitHub), and user self-service portal
  • Admin console, 30+ REST API endpoints with OpenAPI 3.1, HMAC-signed webhooks, and 30+ audit event types