devise_scim 0.1.14 → 0.1.15

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f7eff3b7611a100515b696047c48a06bd6522ee74b08ca4dc1b6bafcc80dc0ca
-  data.tar.gz: 287fc4272e08dbc2025994b5e03bdb9d1ac94d836da7bc213d5157f01f0127b6
+  metadata.gz: f70cc2263ef16f703d8098d51c6e19011ea0819825e15a5ab603db3ce1f7aaf4
+  data.tar.gz: 166c7f9af35d0e65ca4c68683076f396e2168daaa9d3dd30373cb780c2ba1a15
 SHA512:
-  metadata.gz: 3ce6b3b4b645c9e3f454551895f67b5b3243b8a067b1f0693afea3a625861a317a53615816483807425b20c96a85e04d20e8ff478e1de3d46134f02b9185516c
-  data.tar.gz: df4c4ba45af8f26c96f2a403975eb0d2dc8af669e56b00efe843daa068badf349da2564ef7120171f28108d44aa4c8bc89f8c7e6aaf922b9e02d19a117a393ce
+  metadata.gz: b7d028e40b43a183c758b5e106ed45473f146315cc644a957c81139007fc802d0131f2174d3b2b2e5d4bdb1342910f5dc10d4e71e096647364a74841995f75a6
+  data.tar.gz: 8f014c03287d33ef0d691bd3142f8a099edc189e63b799258b4e126dd9f29ff7490d3eecfb003403d0da3a11211d514057df43a8b29353ce1b1c121b629f118c

data/AGENTS.md

@@ -12,6 +12,7 @@ This is `devise_scim` — a SCIM 2.0 server engine for Rails + Devise applicatio
 | `spec/` | RSpec suite — unit specs for every subsystem, request specs for all endpoints |
 | `spec/internal/` | Combustion test app: `db/schema.rb`, `config/routes.rb`, minimal models, warden initializer |
 | `lib/devise_scim/rspec/` | Host-app test harness: shared examples for Users/Groups/discovery endpoints, `ScimHelpers`, FactoryBot factories |
+| `lib/devise_scim/minitest.rb` | Host-app Minitest assertions (`assert_scim_status`, `assert_scim_error`, payload/header helpers) |
 
 ## Required checks before any commit
 
@@ -68,13 +69,15 @@ The multi-tenant templates reference the `tenant_fk_column` helper method define
 ```
 lib/devise_scim/auth/
   base_strategy.rb    # extracts Bearer token from Authorization header
-  token_strategy.rb   # compares against config.token (single) or ScimTenant.authenticate_token (multi)
+  token_strategy.rb   # compares against config.token (single) or tenant_model.authenticate_token (multi)
   oauth_strategy.rb   # validates Doorkeeper access tokens
 lib/devise_scim/middleware/authenticator.rb
 ```
 
 `Authenticator` is a Rack middleware inserted early in the stack. It intercepts every request whose path starts with `route_prefix`, delegates to the appropriate strategy, and either sets `env["devise_scim.tenant"]` (multi-tenant) or returns a 401 SCIM error response. It also calls `warden.custom_failure!` so Warden does not swallow the 401.
 
+In multi-tenant mode with a custom `tenant_model`, auth strategies call class methods/columns on that model (`authenticate_token`, `doorkeeper_application_id`, `active`). Include `DeviseScim::Concerns::ScimTenant` on custom tenant models to satisfy that contract.
+
 Do not move auth logic into controllers — the middleware layer is the single authentication boundary.
 
 ## Filter system

data/CHANGELOG.md

@@ -1,5 +1,14 @@
 ## [Unreleased]
 
+## [0.1.15] - 2026-05-02
+
+- docs: update AGENTS.md with Minitest assertions and clarify auth strategies
+- chore: create SECURITY.md for security policy and guidelines
+- Update issue templates
+- fix: correct link to contributing guidelines in README
+- fix: correct link to contributing guidelines in README
+- Remove test log and ignoring it
+
 ## [0.1.14] - 2026-04-28
 
 - ci: populate CHANGELOG with commits on release

data/README.md

@@ -344,5 +344,5 @@ MIT. Used at your own risk. No liability is held by the author.
 
 This gem was developed with significant assistance from Claude (Anthropic). Contributions and audits welcome, AI or otherwise.
 
-1. Please follow the [contributing guidelines](CONTRIBUTING.md) for submitting pull requests and reporting issues.
+1. Please follow the [contributing guidelines](docs/contributing.md) for submitting pull requests and reporting issues.
 2. Ensure your code adheres to the [code of conduct](CODE_OF_CONDUCT.md) and is tested with the provided test harness.

data/SECURITY.md

@@ -0,0 +1,64 @@
+# Security Policy
+
+`devise_scim` handles authentication and authorization for SCIM 2.0 endpoints — bearer token validation, OAuth 2.0 client-credentials flows, and tenant isolation. Security issues in this library can directly affect identity provisioning pipelines, so responsible disclosure is taken seriously.
+
+## Supported Versions
+
+This project is pre-1.0. Only the **latest released version** receives security fixes. There are no backport commitments to older patch or minor versions.
+
+| Version | Supported |
+| ------- | --------- |
+| Latest `0.1.x` | ✅ |
+| Older `0.1.x` | ❌ |
+
+Once the gem reaches 1.0, the policy will be updated to cover the latest minor series.
+
+## Scope
+
+**In scope** — vulnerabilities in this gem's code:
+
+- Bearer token validation bypass or timing attacks
+- OAuth 2.0 client-credentials flow weaknesses
+- Tenant isolation failures (cross-tenant data leakage in multi-tenant mode)
+- SCIM filter injection or attribute exposure beyond configured mappings
+- Authentication bypasses in `ScimAdapter` hooks
+- Input validation gaps that allow privilege escalation via provisioned attributes
+- RFC 7643 / RFC 7644 non-conformance that creates a security boundary violation
+
+**Out of scope:**
+
+- Vulnerabilities in your own application's Devise configuration
+- Weaknesses in the identity provider (Okta, Azure AD, OneLogin, etc.)
+- Issues requiring a misconfigured `devise_scim` initializer to reproduce (e.g., storing tokens in source control)
+- General Rails or Devise security issues unrelated to SCIM handling
+
+If you are unsure whether an issue is in scope, report it anyway — it will be evaluated.
+
+## Reporting a Vulnerability
+
+**Use GitHub's private vulnerability reporting.** Do not open a public issue.
+
+1. Go to the [Security tab](https://github.com/vertigo-prime/devise_scim/security) of this repository.
+2. Click **"Report a vulnerability"**.
+3. Fill in: affected version(s), steps to reproduce, potential impact, and any suggested fix.
+
+This opens a private channel visible only to the maintainer.
+
+## Response Timeline
+
+This is a solo-maintained project. Responses are best-effort, not guaranteed within a business SLA.
+
+| Event | Target |
+| ----- | ------ |
+| Acknowledgement | Within 7 days |
+| Severity assessment | Within 14 days |
+| Patch for critical issues | Within 30 days |
+| Patch for moderate issues | Within 60 days |
+
+If a critical vulnerability has not received acknowledgement within 7 days, a follow-up in the private thread is welcome.
+
+## Coordinated Disclosure
+
+Please allow time to patch before any public disclosure. A 90-day window from initial report is the standard expectation. For critical issues with active exploitation, a shorter timeline can be negotiated — mention it in the report.
+
+Once a fix is released, credit will be given in the CHANGELOG and release notes unless anonymity is requested.

data/lib/devise_scim/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module DeviseScim
-  VERSION = "0.1.14"
+  VERSION = "0.1.15"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: devise_scim
 version: !ruby/object:Gem::Version
-  version: 0.1.14
+  version: 0.1.15
 platform: ruby
 authors:
 - Vertigo-Prime
@@ -84,6 +84,7 @@ files:
 - LICENSE.txt
 - README.md
 - Rakefile
+- SECURITY.md
 - app/controllers/devise_scim/application_controller.rb
 - app/controllers/devise_scim/groups_controller.rb
 - app/controllers/devise_scim/resource_types_controller.rb