knowless 0.2.3 → 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +74 -2
- package/README.md +1 -1
- package/knowless.context.md +1 -1
- package/package.json +1 -1
package/CHANGELOG.md
CHANGED
|
@@ -15,8 +15,80 @@ Versioning is [SemVer](https://semver.org/).
|
|
|
15
15
|
|
|
16
16
|
## [Unreleased]
|
|
17
17
|
|
|
18
|
-
|
|
19
|
-
|
|
18
|
+
Walk-away is active. Per PRD §6.3, the only changes that ship after
|
|
19
|
+
v1.0.0 are:
|
|
20
|
+
|
|
21
|
+
- Security fixes (CVEs in `nodemailer` or `node:sqlite` with
|
|
22
|
+
user-visible impact)
|
|
23
|
+
- Bug fixes that don't change the API surface
|
|
24
|
+
- Documentation corrections
|
|
25
|
+
|
|
26
|
+
Feature requests are deflected to PRD §14 NO-GO, to sibling projects,
|
|
27
|
+
or to forking. The library being "done" is a feature.
|
|
28
|
+
|
|
29
|
+
## [1.0.0] — 2026-04-29
|
|
30
|
+
|
|
31
|
+
**Walk-away release.** No new API surface vs v0.2.3 — v1.0.0 is the
|
|
32
|
+
*promotion* tag, marking the library as feature-complete and the
|
|
33
|
+
maintenance mode (security + bug fixes only) as active.
|
|
34
|
+
|
|
35
|
+
This is the terminal feature release by intent (PRD §6.3). The
|
|
36
|
+
discipline that produced it: every proposed addition during the
|
|
37
|
+
v0.1.x → v0.2.x cycle was stress-tested against two questions —
|
|
38
|
+
*is this identity layer or behavior layer?* and *does the mechanism
|
|
39
|
+
live with the policy?* Items that failed either test were cut to
|
|
40
|
+
adopter / perimeter / operator code. The result is a library small
|
|
41
|
+
enough to audit in an afternoon, with one production dep, and a
|
|
42
|
+
closed feature list.
|
|
43
|
+
|
|
44
|
+
### Why v1.0.0 now
|
|
45
|
+
|
|
46
|
+
All PRD §6.1 graduation criteria are met (12/12 after the 2026-04-29
|
|
47
|
+
scope cull). The library is production-validated end-to-end:
|
|
48
|
+
|
|
49
|
+
- **One real adopter shipped on it.** addypin merged its
|
|
50
|
+
`try/knowless` branch and runs knowless as its auth+mail layer in
|
|
51
|
+
production. ~1,150 LOC of bespoke auth/mail removed; ~35 LOC of
|
|
52
|
+
knowless wiring added; ~33× reduction.
|
|
53
|
+
- **The full v0.2.x hardening cycle was driven by adopter signal.**
|
|
54
|
+
Eleven audit findings (AF-7 through AF-25) shipped or were
|
|
55
|
+
recorded as deliberate cuts. Final cycle (AF-19/20/21 operator
|
|
56
|
+
visibility, AF-26 body override, AF-27 From: display name) all
|
|
57
|
+
validated by addypin in production:
|
|
58
|
+
- v0.2.2 + AF-26: bodyOverride wired into pin-confirmation,
|
|
59
|
+
login, and resend@ flows; subject and body agree end-to-end.
|
|
60
|
+
- v0.2.3 + AF-27: fromName wired in both factories (web +
|
|
61
|
+
inbound CLI); inbox preview shows the brand name, not the
|
|
62
|
+
local-part. Validated by use, not by spec.
|
|
63
|
+
- **Test count: 235** (192 in v0.2.0 → 207 in v0.2.1 → 223 in
|
|
64
|
+
v0.2.2 → 235 in v0.2.3 → 235 in v1.0.0).
|
|
65
|
+
- **One production dep** (`nodemailer`). Storage uses `node:sqlite`
|
|
66
|
+
from the Node stdlib. No native compile, no toolchain.
|
|
67
|
+
- **`Δ_mean` for the FR-6 timing test: 0.002ms locally** — 500× under
|
|
68
|
+
the 1ms practical-effect bar.
|
|
69
|
+
|
|
70
|
+
### What walk-away means in practice
|
|
71
|
+
|
|
72
|
+
- **Pin and forget.** v1.0.0 will work the same way three years
|
|
73
|
+
later. Security patches will land in v1.x.
|
|
74
|
+
- **No v2.0.** No sessions+, no plugin system, no second mailer, no
|
|
75
|
+
SaaS counterpart. The API closes here.
|
|
76
|
+
- **No additive v1.x.** v1.1.0, v1.2.0, etc. are reserved for
|
|
77
|
+
security and bug fixes only. Feature requests are deflected.
|
|
78
|
+
This is the discipline the AF-23/24/25 cuts and the
|
|
79
|
+
AF-26/AF-27-as-v0.2.x decisions both protect: walk-away has to
|
|
80
|
+
*mean* walk-away, otherwise the promise is empty.
|
|
81
|
+
- **Procurement signal.** A library that has explicitly committed
|
|
82
|
+
to *not growing* is a different risk profile from a typical OSS
|
|
83
|
+
package. Most reviews read "still actively developed" as good —
|
|
84
|
+
but for an auth dependency, "still actively developed" is also
|
|
85
|
+
"still changing in ways you'll have to track." knowless inverts
|
|
86
|
+
that.
|
|
87
|
+
|
|
88
|
+
### Migration from v0.2.3
|
|
89
|
+
|
|
90
|
+
None. v1.0.0 is byte-equivalent to v0.2.3 source. `npm install
|
|
91
|
+
knowless@1.0.0` is a drop-in.
|
|
20
92
|
|
|
21
93
|
## [0.2.3] — 2026-04-29
|
|
22
94
|
|
package/README.md
CHANGED
|
@@ -7,7 +7,7 @@ that don't need to email their users for anything but the sign-in link.
|
|
|
7
7
|
npm install knowless
|
|
8
8
|
```
|
|
9
9
|
|
|
10
|
-
>
|
|
10
|
+
> v1.0.0 (walk-away release) | Node.js >= 22.5 | **1 production dep (nodemailer)** | Apache-2.0
|
|
11
11
|
|
|
12
12
|
## Where to go next
|
|
13
13
|
|
package/knowless.context.md
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
# knowless -- Integration Guide
|
|
2
2
|
|
|
3
3
|
> For AI assistants and developers wiring knowless into a project.
|
|
4
|
-
>
|
|
4
|
+
> v1.0.0 (walk-away release) | Node.js >= 22.5 | 1 dep (nodemailer) | Apache-2.0
|
|
5
5
|
|
|
6
6
|
## What this is
|
|
7
7
|
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "knowless",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "1.0.0",
|
|
4
4
|
"description": "Small, opinionated, full-stack passwordless auth for Node.js services that don't need to email their users for anything but the sign-in link.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"main": "./src/index.js",
|