Release 1.3.1

CHANGELOG.md

@@ -9,6 +9,65 @@ The 0.x line is treated as a single pre-stable development series — see
 1.0.0 stabilisation cut; for 0.x history consult `git log` against the relevant
 tags.
 
+## [1.3.1] — 2026-06-06
+
+Patch release: a browser-SDK build fix, a Micronaut admin toggle, and
+supply-chain hardening. No wire-format or API-breaking changes.
+
+### Added
+
+- **Micronaut: the admin endpoints can now be disabled.** A new
+  configuration toggle lets a Micronaut host opt out of mounting
+  `PkAuthAdminController` (passkey list/rename/delete, etc.) while keeping
+  the core auth endpoints, mirroring the disable switch the other framework
+  integrations already expose. See `docs/operator-guide.md`.
+
+### Fixed
+
+- **Browser SDK builds under TypeScript 6.0.** The dev-dependency bump to
+  TypeScript 6.0 broke the `tsup` `.d.ts` pipeline with `TS5101`
+  (the injected `baseUrl` is now a deprecation error). Adding
+  `ignoreDeprecations: "6.0"` to the SDK `tsconfig.json` restores the build;
+  the ESM/CJS/DTS bundle, `tsc --noEmit`, and all vitest tests pass under
+  TS 6.0.
+
+### Security
+
+- **Dependency and CI/CD supply-chain hardening.**
+  - Every GitHub Actions `uses:` is pinned to a full commit SHA (version in a
+    trailing comment) instead of a mutable `@vN` tag — most importantly the
+    third-party `softprops/action-gh-release` in the privileged release job.
+  - The Gradle distribution is pinned via `distributionSha256Sum` in the
+    wrapper, with a `wrapper-validation` step in CI verifying
+    `gradle-wrapper.jar`.
+  - `actions/dependency-review-action` runs as a PR gate
+    (`fail-on-severity: high`) to block newly introduced dependencies with
+    known high-severity advisories.
+  - Dependabot now covers the npm ecosystem (the published browser SDK and
+    each demo's Playwright e2e suite) and gates auto-merge on update type, so
+    only patch/minor bumps are auto-approved and Actions updates never
+    auto-merge.
+  - The build/distribution trust boundary and these mitigations are
+    documented.
+
+### Changed
+
+- **Gradle dependency verification (`verification-metadata.xml`) was not
+  retained.** It was introduced during the supply-chain work and then
+  removed: with Dependabot auto-merging Gradle bumps, the checksum file would
+  have to be regenerated unattended from whatever was just downloaded
+  (notarizing rather than vetting), and it broke the build on every bump
+  because a version-catalog bump cannot update the checksums. Protection
+  against malicious dependency *releases* is provided by
+  `dependency-review-action`'s advisory database instead. The SHA-pinned
+  Actions, pinned Gradle distribution, and dependency-review gate above are
+  retained.
+
+### Dependencies
+
+- Routine Dependabot bumps across the dev/runtime dependency groups (Gradle
+  and npm) and GitHub Actions.
+
 ## [1.3.0]  — 2026-06-03
 
 Security-review follow-ups (hardening; no known exploit in the items below).
@@ -209,7 +268,8 @@ Security-review follow-ups (hardening; no known exploit in the items below).
 First stable release. Captures the surface produced by the 0.x development
 series; see `git log` for the full history.
 
-[Unreleased]: https://github.com/codeheadsystems/pk-auth/compare/v1.3.0...HEAD
+[Unreleased]: https://github.com/codeheadsystems/pk-auth/compare/v1.3.1...HEAD
+[1.3.1]: https://github.com/codeheadsystems/pk-auth/compare/v1.3.0...v1.3.1
 [1.3.0]: https://github.com/codeheadsystems/pk-auth/compare/v1.2.0...v1.3.0
 [1.2.0]: https://github.com/codeheadsystems/pk-auth/compare/v1.1.0...v1.2.0
 [1.1.0]: https://github.com/codeheadsystems/pk-auth/compare/v1.0.0...v1.1.0

clients/passkeys-browser/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pk-auth/passkeys-browser",
-  "version": "1.3.0",
+  "version": "1.3.1",
   "description": "pk-auth browser SDK: WebAuthn ceremonies + admin operations against the pk-auth wire contract.",
   "license": "MIT",
   "author": "Ned Wolpert",

gradle.properties

@@ -21,4 +21,4 @@ org.gradle.jvmargs=-Xmx2g \
 
 # Project identity
 group=com.codeheadsystems
-version=1.3.0-SNAPSHOT
+version=1.3.1-SNAPSHOT

site/index.html

@@ -1098,7 +1098,7 @@
         </svg>
         <div class="hero-text">
             <div class="hero-badges">
-              <span class="chip chip--solid">v<span class="pkv">1.3.0</span></span>
+              <span class="chip chip--solid">v<span class="pkv">1.3.1</span></span>
               <span class="chip">JDK 21</span>
               <span class="chip">MIT</span>
               <span class="chip chip--brass">WebAuthn4J</span>
@@ -1146,9 +1146,9 @@ <h1>
             <div class="code" data-filename="build.gradle.kts" aria-label="Gradle dependency snippet">
 <pre><span class="cm">// One adapter, one persistence module, done.</span>
 <span class="kw">dependencies</span> <span class="pn">{</span>
-  <span class="fn">implementation</span><span class="pn">(</span><span class="str">"com.codeheadsystems:pk-auth-spring-boot-starter:<span class="pkv">1.3.0</span>"</span><span class="pn">)</span>
-  <span class="fn">implementation</span><span class="pn">(</span><span class="str">"com.codeheadsystems:pk-auth-persistence-jdbi:<span class="pkv">1.3.0</span>"</span><span class="pn">)</span>
-  <span class="fn">implementation</span><span class="pn">(</span><span class="str">"com.codeheadsystems:pk-auth-admin-api:<span class="pkv">1.3.0</span>"</span><span class="pn">)</span>
+  <span class="fn">implementation</span><span class="pn">(</span><span class="str">"com.codeheadsystems:pk-auth-spring-boot-starter:<span class="pkv">1.3.1</span>"</span><span class="pn">)</span>
+  <span class="fn">implementation</span><span class="pn">(</span><span class="str">"com.codeheadsystems:pk-auth-persistence-jdbi:<span class="pkv">1.3.1</span>"</span><span class="pn">)</span>
+  <span class="fn">implementation</span><span class="pn">(</span><span class="str">"com.codeheadsystems:pk-auth-admin-api:<span class="pkv">1.3.1</span>"</span><span class="pn">)</span>
 <span class="pn">}</span></pre>
             </div>
             <div class="hero-annot">
@@ -1332,9 +1332,9 @@ <h3>Add the adapter, persistence, and admin API.</h3>
                 <div class="panel" data-panel="deps-gradle">
                   <div class="code" data-filename="build.gradle.kts">
 <pre><span class="kw">dependencies</span> <span class="pn">{</span>
-  <span class="fn">implementation</span><span class="pn">(</span><span class="str">"com.codeheadsystems:pk-auth-spring-boot-starter:<span class="pkv">1.3.0</span>"</span><span class="pn">)</span>
-  <span class="fn">implementation</span><span class="pn">(</span><span class="str">"com.codeheadsystems:pk-auth-persistence-jdbi:<span class="pkv">1.3.0</span>"</span><span class="pn">)</span>
-  <span class="fn">implementation</span><span class="pn">(</span><span class="str">"com.codeheadsystems:pk-auth-admin-api:<span class="pkv">1.3.0</span>"</span><span class="pn">)</span>
+  <span class="fn">implementation</span><span class="pn">(</span><span class="str">"com.codeheadsystems:pk-auth-spring-boot-starter:<span class="pkv">1.3.1</span>"</span><span class="pn">)</span>
+  <span class="fn">implementation</span><span class="pn">(</span><span class="str">"com.codeheadsystems:pk-auth-persistence-jdbi:<span class="pkv">1.3.1</span>"</span><span class="pn">)</span>
+  <span class="fn">implementation</span><span class="pn">(</span><span class="str">"com.codeheadsystems:pk-auth-admin-api:<span class="pkv">1.3.1</span>"</span><span class="pn">)</span>
 <span class="pn">}</span></pre>
                   </div>
                 </div>
@@ -1343,7 +1343,7 @@ <h3>Add the adapter, persistence, and admin API.</h3>
 <pre><span class="pn">&lt;</span><span class="ty">dependency</span><span class="pn">&gt;</span>
   <span class="pn">&lt;</span><span class="ty">groupId</span><span class="pn">&gt;</span>com.codeheadsystems<span class="pn">&lt;/</span><span class="ty">groupId</span><span class="pn">&gt;</span>
   <span class="pn">&lt;</span><span class="ty">artifactId</span><span class="pn">&gt;</span>pk-auth-spring-boot-starter<span class="pn">&lt;/</span><span class="ty">artifactId</span><span class="pn">&gt;</span>
-  <span class="pn">&lt;</span><span class="ty">version</span><span class="pn">&gt;</span><span class="pkv">1.3.0</span><span class="pn">&lt;/</span><span class="ty">version</span><span class="pn">&gt;</span>
+  <span class="pn">&lt;</span><span class="ty">version</span><span class="pn">&gt;</span><span class="pkv">1.3.1</span><span class="pn">&lt;/</span><span class="ty">version</span><span class="pn">&gt;</span>
 <span class="pn">&lt;/</span><span class="ty">dependency</span><span class="pn">&gt;</span>
 <span class="cm">&lt;!-- + pk-auth-persistence-jdbi, pk-auth-admin-api --&gt;</span></pre>
                   </div>
@@ -1754,7 +1754,7 @@ <h3>pk-auth</h3>
             A passkey credential layer for the JVM. MIT-licensed.
             Three adapters, one wire contract, your user table.
           </p>
-          <p class="ver">v<span class="pkv">1.3.0</span> &middot; JDK 21 &middot; WebAuthn4J</p>
+          <p class="ver">v<span class="pkv">1.3.1</span> &middot; JDK 21 &middot; WebAuthn4J</p>
         </div>
         <div class="footer-col">
           <h4>Read first</h4>
@@ -1814,7 +1814,7 @@ <h4>Project</h4>
 
       /* ---- Live latest version (Maven Central via shields, CORS-enabled) ----
          Keeps the page in sync with releases without editing the site; the
-         hardcoded "1.3.0" in the markup is only a fallback if the fetch fails. */
+         hardcoded "1.3.1" in the markup is only a fallback if the fetch fails. */
       var pkv = document.querySelectorAll(".pkv");
       if (pkv.length && window.fetch) {
         fetch("https://img.shields.io/maven-central/v/com.codeheadsystems/pk-auth-core.json")