Skip to content

build: bump the gradle-minor-and-patch group with 6 updates#7

Merged
github-actions[bot] merged 1 commit into
mainfrom
dependabot/gradle/gradle-minor-and-patch-a13ea96866
Jun 26, 2026
Merged

build: bump the gradle-minor-and-patch group with 6 updates#7
github-actions[bot] merged 1 commit into
mainfrom
dependabot/gradle/gradle-minor-and-patch-a13ea96866

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 26, 2026

Copy link
Copy Markdown
Contributor

Bumps the gradle-minor-and-patch group with 6 updates:

Package From To
com.codeheadsystems:pk-auth-core 2.0.0 2.1.0
com.codeheadsystems:pk-auth-jwt 2.0.0 2.1.0
com.codeheadsystems:pk-auth-magic-link 2.0.0 2.1.0
com.codeheadsystems:pk-auth-otp 2.0.0 2.1.0
com.codeheadsystems:pk-auth-backup-codes 2.0.0 2.1.0
com.codeheadsystems:pk-auth-testkit 2.0.0 2.1.0

Updates com.codeheadsystems:pk-auth-core from 2.0.0 to 2.1.0

Release notes

Sourced from com.codeheadsystems:pk-auth-core's releases.

Release 2.1.0

pk-auth 2.1.0

Maven Central

Add the modules you need (all share the same version):

implementation("com.codeheadsystems:pk-auth-spring-boot-starter:2.1.0")
// or :pk-auth-dropwizard / :pk-auth-micronaut for the other adapters
implementation("com.codeheadsystems:pk-auth-persistence-jdbi:2.1.0")
// testImplementation("com.codeheadsystems:pk-auth-testkit:2.1.0")
<dependency>
  <groupId>com.codeheadsystems</groupId>
  <artifactId>pk-auth-spring-boot-starter</artifactId>
  <version>2.1.0</version>
</dependency>

Modules Published

  • com.codeheadsystems:pk-auth-core:2.1.0
  • com.codeheadsystems:pk-auth-jwt:2.1.0
  • com.codeheadsystems:pk-auth-admin-api:2.1.0
  • com.codeheadsystems:pk-auth-backup-codes:2.1.0
  • com.codeheadsystems:pk-auth-magic-link:2.1.0
  • com.codeheadsystems:pk-auth-otp:2.1.0
  • com.codeheadsystems:pk-auth-persistence-jdbi:2.1.0
  • com.codeheadsystems:pk-auth-persistence-dynamodb:2.1.0
  • com.codeheadsystems:pk-auth-testkit:2.1.0
  • com.codeheadsystems:pk-auth-spring-boot-starter:2.1.0
  • com.codeheadsystems:pk-auth-dropwizard:2.1.0
  • com.codeheadsystems:pk-auth-micronaut:2.1.0

What's Changed

See commits since last release for details.

Note: Artifacts may take up to 2 hours to appear in Maven Central after release.

What's Changed

... (truncated)

Changelog

Sourced from com.codeheadsystems:pk-auth-core's changelog.

[2.1.0] — 2026-06-23

A backward-compatible minor release. The headline is crypto-agility and post-quantum readiness for passkey signature algorithms (ADR 0019): the two divergent hardcoded COSE algorithm lists are replaced by a single operator-configurable source of truth, and there is now a way to see which algorithm each stored credential uses. No public API is removed and the HTTP /auth/** wire contract is unchanged, so hosts upgrade by bumping the version.

To be precise about scope: no post-quantum signature algorithm is added — PQC for passkeys is gated end-to-end by authenticator hardware, CTAP2/FIDO2, the WebAuthn/COSE registry, and WebAuthn4J's verifier, none of which yet standardize one. The goal here is crypto-agility (clean removal of the migration obstacles) and honest documentation, not new algorithms.

Added

  • Crypto-agility for passkey signature algorithms (ADR 0019). A new framework-neutral CoseAlgorithm enum, and CeremonyConfig now carries two ordered lists: offeredAlgorithms (advertised in registration create-options) and acceptedAlgorithms (enforced on the WebAuthn4J verify path). acceptedAlgorithms is authoritative and offeredAlgorithms must be a subset. Both the create-options ceremony and the verify path derive their lists from this single config, replacing the two previously-divergent hardcoded lists, so operators can narrow either without code changes. A new 5-arg CeremonyConfig convenience constructor applies backward-compatible defaults — accepted = ES256, EdDSA, RS256, ES384, RS384 (the union of everything previously accepted, so no already-registered credential can fail verification); offered = ES256, EdDSA, RS256 (the historical create-options subset) — so every existing call site compiles and behaves identically.
  • Per-credential algorithm visibility. CredentialAlgorithms.coseAlgorithm(record) decodes the COSE algorithm already embedded in a stored public key (no schema change), and AdminService.listCredentialsByAlgorithm(actor, target, coseAlgorithm) reports which stored credentials use a given algorithm — the read side a future "re-enroll off algorithm X" campaign drives off.
  • Offered/accepted algorithm configuration wired through every adapter. The Spring Boot starter, Dropwizard, and Micronaut adapters (and the matching demo application.yml files) expose the two algorithm lists as host config, so the create-options and verify lists can be tuned without touching code.

Changed

  • Honest JWT crypto framing (ADR 0019, documentation only — no behavior change). The HS256-vs-ES256 choice is re-documented as a trust-topology decision rather than a dev-vs-prod one: HMAC-SHA256 is not broken by Shor and retains ~128-bit security under Grover with the enforced ≥ 256-bit key, making it the quantum-conservative default for a single-issuer/single-verifier deployment; ES256 JWTs exist for untrusted third-party verification and carry Shor exposure bounded by the short token TTL. See docs/threat-model.md and

... (truncated)

Commits
  • a0d15d4 chore(release): prepare 2.1.0
  • edacec2 build(deps): Bump the dev-dependencies group with 2 updates (#92)
  • ca7d1e4 Implement "get" method for authenticator.
  • dd68d07 build(deps-dev): Bump @​types/node
  • 79e9921 build(deps): Bump the dev-dependencies group with 3 updates (#91)
  • fbe9a9a Use FakeAuthenticator, RegistrationService to test ceremony.
  • 712c8dc test(browser): fix TS6 typecheck errors in ceremonies mediation test
  • 0090da9 Create RegistrationService
  • b513429 Create a fake authenticator.
  • baa3440 build(deps-dev): Bump undici in /clients/passkeys-browser (#85)
  • Additional commits viewable in compare view

Updates com.codeheadsystems:pk-auth-jwt from 2.0.0 to 2.1.0

Release notes

Sourced from com.codeheadsystems:pk-auth-jwt's releases.

Release 2.1.0

pk-auth 2.1.0

Maven Central

Add the modules you need (all share the same version):

implementation("com.codeheadsystems:pk-auth-spring-boot-starter:2.1.0")
// or :pk-auth-dropwizard / :pk-auth-micronaut for the other adapters
implementation("com.codeheadsystems:pk-auth-persistence-jdbi:2.1.0")
// testImplementation("com.codeheadsystems:pk-auth-testkit:2.1.0")
<dependency>
  <groupId>com.codeheadsystems</groupId>
  <artifactId>pk-auth-spring-boot-starter</artifactId>
  <version>2.1.0</version>
</dependency>

Modules Published

  • com.codeheadsystems:pk-auth-core:2.1.0
  • com.codeheadsystems:pk-auth-jwt:2.1.0
  • com.codeheadsystems:pk-auth-admin-api:2.1.0
  • com.codeheadsystems:pk-auth-backup-codes:2.1.0
  • com.codeheadsystems:pk-auth-magic-link:2.1.0
  • com.codeheadsystems:pk-auth-otp:2.1.0
  • com.codeheadsystems:pk-auth-persistence-jdbi:2.1.0
  • com.codeheadsystems:pk-auth-persistence-dynamodb:2.1.0
  • com.codeheadsystems:pk-auth-testkit:2.1.0
  • com.codeheadsystems:pk-auth-spring-boot-starter:2.1.0
  • com.codeheadsystems:pk-auth-dropwizard:2.1.0
  • com.codeheadsystems:pk-auth-micronaut:2.1.0

What's Changed

See commits since last release for details.

Note: Artifacts may take up to 2 hours to appear in Maven Central after release.

What's Changed

... (truncated)

Changelog

Sourced from com.codeheadsystems:pk-auth-jwt's changelog.

[2.1.0] — 2026-06-23

A backward-compatible minor release. The headline is crypto-agility and post-quantum readiness for passkey signature algorithms (ADR 0019): the two divergent hardcoded COSE algorithm lists are replaced by a single operator-configurable source of truth, and there is now a way to see which algorithm each stored credential uses. No public API is removed and the HTTP /auth/** wire contract is unchanged, so hosts upgrade by bumping the version.

To be precise about scope: no post-quantum signature algorithm is added — PQC for passkeys is gated end-to-end by authenticator hardware, CTAP2/FIDO2, the WebAuthn/COSE registry, and WebAuthn4J's verifier, none of which yet standardize one. The goal here is crypto-agility (clean removal of the migration obstacles) and honest documentation, not new algorithms.

Added

  • Crypto-agility for passkey signature algorithms (ADR 0019). A new framework-neutral CoseAlgorithm enum, and CeremonyConfig now carries two ordered lists: offeredAlgorithms (advertised in registration create-options) and acceptedAlgorithms (enforced on the WebAuthn4J verify path). acceptedAlgorithms is authoritative and offeredAlgorithms must be a subset. Both the create-options ceremony and the verify path derive their lists from this single config, replacing the two previously-divergent hardcoded lists, so operators can narrow either without code changes. A new 5-arg CeremonyConfig convenience constructor applies backward-compatible defaults — accepted = ES256, EdDSA, RS256, ES384, RS384 (the union of everything previously accepted, so no already-registered credential can fail verification); offered = ES256, EdDSA, RS256 (the historical create-options subset) — so every existing call site compiles and behaves identically.
  • Per-credential algorithm visibility. CredentialAlgorithms.coseAlgorithm(record) decodes the COSE algorithm already embedded in a stored public key (no schema change), and AdminService.listCredentialsByAlgorithm(actor, target, coseAlgorithm) reports which stored credentials use a given algorithm — the read side a future "re-enroll off algorithm X" campaign drives off.
  • Offered/accepted algorithm configuration wired through every adapter. The Spring Boot starter, Dropwizard, and Micronaut adapters (and the matching demo application.yml files) expose the two algorithm lists as host config, so the create-options and verify lists can be tuned without touching code.

Changed

  • Honest JWT crypto framing (ADR 0019, documentation only — no behavior change). The HS256-vs-ES256 choice is re-documented as a trust-topology decision rather than a dev-vs-prod one: HMAC-SHA256 is not broken by Shor and retains ~128-bit security under Grover with the enforced ≥ 256-bit key, making it the quantum-conservative default for a single-issuer/single-verifier deployment; ES256 JWTs exist for untrusted third-party verification and carry Shor exposure bounded by the short token TTL. See docs/threat-model.md and

... (truncated)

Commits
  • a0d15d4 chore(release): prepare 2.1.0
  • edacec2 build(deps): Bump the dev-dependencies group with 2 updates (#92)
  • ca7d1e4 Implement "get" method for authenticator.
  • dd68d07 build(deps-dev): Bump @​types/node
  • 79e9921 build(deps): Bump the dev-dependencies group with 3 updates (#91)
  • fbe9a9a Use FakeAuthenticator, RegistrationService to test ceremony.
  • 712c8dc test(browser): fix TS6 typecheck errors in ceremonies mediation test
  • 0090da9 Create RegistrationService
  • b513429 Create a fake authenticator.
  • baa3440 build(deps-dev): Bump undici in /clients/passkeys-browser (#85)
  • Additional commits viewable in compare view

Updates com.codeheadsystems:pk-auth-magic-link from 2.0.0 to 2.1.0

Release notes

Sourced from com.codeheadsystems:pk-auth-magic-link's releases.

Release 2.1.0

pk-auth 2.1.0

Maven Central

Add the modules you need (all share the same version):

implementation("com.codeheadsystems:pk-auth-spring-boot-starter:2.1.0")
// or :pk-auth-dropwizard / :pk-auth-micronaut for the other adapters
implementation("com.codeheadsystems:pk-auth-persistence-jdbi:2.1.0")
// testImplementation("com.codeheadsystems:pk-auth-testkit:2.1.0")
<dependency>
  <groupId>com.codeheadsystems</groupId>
  <artifactId>pk-auth-spring-boot-starter</artifactId>
  <version>2.1.0</version>
</dependency>

Modules Published

  • com.codeheadsystems:pk-auth-core:2.1.0
  • com.codeheadsystems:pk-auth-jwt:2.1.0
  • com.codeheadsystems:pk-auth-admin-api:2.1.0
  • com.codeheadsystems:pk-auth-backup-codes:2.1.0
  • com.codeheadsystems:pk-auth-magic-link:2.1.0
  • com.codeheadsystems:pk-auth-otp:2.1.0
  • com.codeheadsystems:pk-auth-persistence-jdbi:2.1.0
  • com.codeheadsystems:pk-auth-persistence-dynamodb:2.1.0
  • com.codeheadsystems:pk-auth-testkit:2.1.0
  • com.codeheadsystems:pk-auth-spring-boot-starter:2.1.0
  • com.codeheadsystems:pk-auth-dropwizard:2.1.0
  • com.codeheadsystems:pk-auth-micronaut:2.1.0

What's Changed

See commits since last release for details.

Note: Artifacts may take up to 2 hours to appear in Maven Central after release.

What's Changed

... (truncated)

Changelog

Sourced from com.codeheadsystems:pk-auth-magic-link's changelog.

[2.1.0] — 2026-06-23

A backward-compatible minor release. The headline is crypto-agility and post-quantum readiness for passkey signature algorithms (ADR 0019): the two divergent hardcoded COSE algorithm lists are replaced by a single operator-configurable source of truth, and there is now a way to see which algorithm each stored credential uses. No public API is removed and the HTTP /auth/** wire contract is unchanged, so hosts upgrade by bumping the version.

To be precise about scope: no post-quantum signature algorithm is added — PQC for passkeys is gated end-to-end by authenticator hardware, CTAP2/FIDO2, the WebAuthn/COSE registry, and WebAuthn4J's verifier, none of which yet standardize one. The goal here is crypto-agility (clean removal of the migration obstacles) and honest documentation, not new algorithms.

Added

  • Crypto-agility for passkey signature algorithms (ADR 0019). A new framework-neutral CoseAlgorithm enum, and CeremonyConfig now carries two ordered lists: offeredAlgorithms (advertised in registration create-options) and acceptedAlgorithms (enforced on the WebAuthn4J verify path). acceptedAlgorithms is authoritative and offeredAlgorithms must be a subset. Both the create-options ceremony and the verify path derive their lists from this single config, replacing the two previously-divergent hardcoded lists, so operators can narrow either without code changes. A new 5-arg CeremonyConfig convenience constructor applies backward-compatible defaults — accepted = ES256, EdDSA, RS256, ES384, RS384 (the union of everything previously accepted, so no already-registered credential can fail verification); offered = ES256, EdDSA, RS256 (the historical create-options subset) — so every existing call site compiles and behaves identically.
  • Per-credential algorithm visibility. CredentialAlgorithms.coseAlgorithm(record) decodes the COSE algorithm already embedded in a stored public key (no schema change), and AdminService.listCredentialsByAlgorithm(actor, target, coseAlgorithm) reports which stored credentials use a given algorithm — the read side a future "re-enroll off algorithm X" campaign drives off.
  • Offered/accepted algorithm configuration wired through every adapter. The Spring Boot starter, Dropwizard, and Micronaut adapters (and the matching demo application.yml files) expose the two algorithm lists as host config, so the create-options and verify lists can be tuned without touching code.

Changed

  • Honest JWT crypto framing (ADR 0019, documentation only — no behavior change). The HS256-vs-ES256 choice is re-documented as a trust-topology decision rather than a dev-vs-prod one: HMAC-SHA256 is not broken by Shor and retains ~128-bit security under Grover with the enforced ≥ 256-bit key, making it the quantum-conservative default for a single-issuer/single-verifier deployment; ES256 JWTs exist for untrusted third-party verification and carry Shor exposure bounded by the short token TTL. See docs/threat-model.md and

... (truncated)

Commits
  • a0d15d4 chore(release): prepare 2.1.0
  • edacec2 build(deps): Bump the dev-dependencies group with 2 updates (#92)
  • ca7d1e4 Implement "get" method for authenticator.
  • dd68d07 build(deps-dev): Bump @​types/node
  • 79e9921 build(deps): Bump the dev-dependencies group with 3 updates (#91)
  • fbe9a9a Use FakeAuthenticator, RegistrationService to test ceremony.
  • 712c8dc test(browser): fix TS6 typecheck errors in ceremonies mediation test
  • 0090da9 Create RegistrationService
  • b513429 Create a fake authenticator.
  • baa3440 build(deps-dev): Bump undici in /clients/passkeys-browser (#85)
  • Additional commits viewable in compare view

Updates com.codeheadsystems:pk-auth-otp from 2.0.0 to 2.1.0

Release notes

Sourced from com.codeheadsystems:pk-auth-otp's releases.

Release 2.1.0

pk-auth 2.1.0

Maven Central

Add the modules you need (all share the same version):

implementation("com.codeheadsystems:pk-auth-spring-boot-starter:2.1.0")
// or :pk-auth-dropwizard / :pk-auth-micronaut for the other adapters
implementation("com.codeheadsystems:pk-auth-persistence-jdbi:2.1.0")
// testImplementation("com.codeheadsystems:pk-auth-testkit:2.1.0")
<dependency>
  <groupId>com.codeheadsystems</groupId>
  <artifactId>pk-auth-spring-boot-starter</artifactId>
  <version>2.1.0</version>
</dependency>

Modules Published

  • com.codeheadsystems:pk-auth-core:2.1.0
  • com.codeheadsystems:pk-auth-jwt:2.1.0
  • com.codeheadsystems:pk-auth-admin-api:2.1.0
  • com.codeheadsystems:pk-auth-backup-codes:2.1.0
  • com.codeheadsystems:pk-auth-magic-link:2.1.0
  • com.codeheadsystems:pk-auth-otp:2.1.0
  • com.codeheadsystems:pk-auth-persistence-jdbi:2.1.0
  • com.codeheadsystems:pk-auth-persistence-dynamodb:2.1.0
  • com.codeheadsystems:pk-auth-testkit:2.1.0
  • com.codeheadsystems:pk-auth-spring-boot-starter:2.1.0
  • com.codeheadsystems:pk-auth-dropwizard:2.1.0
  • com.codeheadsystems:pk-auth-micronaut:2.1.0

What's Changed

See commits since last release for details.

Note: Artifacts may take up to 2 hours to appear in Maven Central after release.

What's Changed

... (truncated)

Changelog

Sourced from com.codeheadsystems:pk-auth-otp's changelog.

[2.1.0] — 2026-06-23

A backward-compatible minor release. The headline is crypto-agility and post-quantum readiness for passkey signature algorithms (ADR 0019): the two divergent hardcoded COSE algorithm lists are replaced by a single operator-configurable source of truth, and there is now a way to see which algorithm each stored credential uses. No public API is removed and the HTTP /auth/** wire contract is unchanged, so hosts upgrade by bumping the version.

To be precise about scope: no post-quantum signature algorithm is added — PQC for passkeys is gated end-to-end by authenticator hardware, CTAP2/FIDO2, the WebAuthn/COSE registry, and WebAuthn4J's verifier, none of which yet standardize one. The goal here is crypto-agility (clean removal of the migration obstacles) and honest documentation, not new algorithms.

Added

  • Crypto-agility for passkey signature algorithms (ADR 0019). A new framework-neutral CoseAlgorithm enum, and CeremonyConfig now carries two ordered lists: offeredAlgorithms (advertised in registration create-options) and acceptedAlgorithms (enforced on the WebAuthn4J verify path). acceptedAlgorithms is authoritative and offeredAlgorithms must be a subset. Both the create-options ceremony and the verify path derive their lists from this single config, replacing the two previously-divergent hardcoded lists, so operators can narrow either without code changes. A new 5-arg CeremonyConfig convenience constructor applies backward-compatible defaults — accepted = ES256, EdDSA, RS256, ES384, RS384 (the union of everything previously accepted, so no already-registered credential can fail verification); offered = ES256, EdDSA, RS256 (the historical create-options subset) — so every existing call site compiles and behaves identically.
  • Per-credential algorithm visibility. CredentialAlgorithms.coseAlgorithm(record) decodes the COSE algorithm already embedded in a stored public key (no schema change), and AdminService.listCredentialsByAlgorithm(actor, target, coseAlgorithm) reports which stored credentials use a given algorithm — the read side a future "re-enroll off algorithm X" campaign drives off.
  • Offered/accepted algorithm configuration wired through every adapter. The Spring Boot starter, Dropwizard, and Micronaut adapters (and the matching demo application.yml files) expose the two algorithm lists as host config, so the create-options and verify lists can be tuned without touching code.

Changed

  • Honest JWT crypto framing (ADR 0019, documentation only — no behavior change). The HS256-vs-ES256 choice is re-documented as a trust-topology decision rather than a dev-vs-prod one: HMAC-SHA256 is not broken by Shor and retains ~128-bit security under Grover with the enforced ≥ 256-bit key, making it the quantum-conservative default for a single-issuer/single-verifier deployment; ES256 JWTs exist for untrusted third-party verification and carry Shor exposure bounded by the short token TTL. See docs/threat-model.md and

... (truncated)

Commits
  • a0d15d4 chore(release): prepare 2.1.0
  • edacec2 build(deps): Bump the dev-dependencies group with 2 updates (#92)
  • ca7d1e4 Implement "get" method for authenticator.
  • dd68d07 build(deps-dev): Bump @​types/node
  • 79e9921 build(deps): Bump the dev-dependencies group with 3 updates (#91)
  • fbe9a9a Use FakeAuthenticator, RegistrationService to test ceremony.
  • 712c8dc test(browser): fix TS6 typecheck errors in ceremonies mediation test
  • 0090da9 Create RegistrationService
  • b513429 Create a fake authenticator.
  • baa3440 build(deps-dev): Bump undici in /clients/passkeys-browser (#85)
  • Additional commits viewable in compare view

Updates com.codeheadsystems:pk-auth-backup-codes from 2.0.0 to 2.1.0

Release notes

Sourced from com.codeheadsystems:pk-auth-backup-codes's releases.

Release 2.1.0

pk-auth 2.1.0

Maven Central

Add the modules you need (all share the same version):

implementation("com.codeheadsystems:pk-auth-spring-boot-starter:2.1.0")
// or :pk-auth-dropwizard / :pk-auth-micronaut for the other adapters
implementation("com.codeheadsystems:pk-auth-persistence-jdbi:2.1.0")
// testImplementation("com.codeheadsystems:pk-auth-testkit:2.1.0")
<dependency>
  <groupId>com.codeheadsystems</groupId>
  <artifactId>pk-auth-spring-boot-starter</artifactId>
  <version>2.1.0</version>
</dependency>

Modules Published

  • com.codeheadsystems:pk-auth-core:2.1.0
  • com.codeheadsystems:pk-auth-jwt:2.1.0
  • com.codeheadsystems:pk-auth-admin-api:2.1.0
  • com.codeheadsystems:pk-auth-backup-codes:2.1.0
  • com.codeheadsystems:pk-auth-magic-link:2.1.0
  • com.codeheadsystems:pk-auth-otp:2.1.0
  • com.codeheadsystems:pk-auth-persistence-jdbi:2.1.0
  • com.codeheadsystems:pk-auth-persistence-dynamodb:2.1.0
  • com.codeheadsystems:pk-auth-testkit:2.1.0
  • com.codeheadsystems:pk-auth-spring-boot-starter:2.1.0
  • com.codeheadsystems:pk-auth-dropwizard:2.1.0
  • com.codeheadsystems:pk-auth-micronaut:2.1.0

What's Changed

See commits since last release for details.

Note: Artifacts may take up to 2 hours to appear in Maven Central after release.

What's Changed

... (truncated)

Changelog

Sourced from com.codeheadsystems:pk-auth-backup-codes's changelog.

[2.1.0] — 2026-06-23

A backward-compatible minor release. The headline is crypto-agility and post-quantum readiness for passkey signature algorithms (ADR 0019): the two divergent hardcoded COSE algorithm lists are replaced by a single operator-configurable source of truth, and there is now a way to see which algorithm each stored credential uses. No public API is removed and the HTTP /auth/** wire contract is unchanged, so hosts upgrade by bumping the version.

To be precise about scope: no post-quantum signature algorithm is added — PQC for passkeys is gated end-to-end by authenticator hardware, CTAP2/FIDO2, the WebAuthn/COSE registry, and WebAuthn4J's verifier, none of which yet standardize one. The goal here is crypto-agility (clean removal of the migration obstacles) and honest documentation, not new algorithms.

Added

  • Crypto-agility for passkey signature algorithms (ADR 0019). A new framework-neutral CoseAlgorithm enum, and CeremonyConfig now carries two ordered lists: offeredAlgorithms (advertised in registration create-options) and acceptedAlgorithms (enforced on the WebAuthn4J verify path). acceptedAlgorithms is authoritative and offeredAlgorithms must be a subset. Both the create-options ceremony and the verify path derive their lists from this single config, replacing the two previously-divergent hardcoded lists, so operators can narrow either without code changes. A new 5-arg CeremonyConfig convenience constructor applies backward-compatible defaults — accepted = ES256, EdDSA, RS256, ES384, RS384 (the union of everything previously accepted, so no already-registered credential can fail verification); offered = ES256, EdDSA, RS256 (the historical create-options subset) — so every existing call site compiles and behaves identically.
  • Per-credential algorithm visibility. CredentialAlgorithms.coseAlgorithm(record) decodes the COSE algorithm already embedded in a stored public key (no schema change), and AdminService.listCredentialsByAlgorithm(actor, target, coseAlgorithm) reports which stored credentials use a given algorithm — the read side a future "re-enroll off algorithm X" campaign drives off.
  • Offered/accepted algorithm configuration wired through every adapter. The Spring Boot starter, Dropwizard, and Micronaut adapters (and the matching demo application.yml files) expose the two algorithm lists as host config, so the create-options and verify lists can be tuned without touching code.

Changed

  • Honest JWT crypto framing (ADR 0019, documentation only — no behavior change). The HS256-vs-ES256 choice is re-documented as a trust-topology decision rather than a dev-vs-prod one: HMAC-SHA256 is not broken by Shor and retains ~128-bit security under Grover with the enforced ≥ 256-bit key, making it the quantum-conservative default for a single-issuer/single-verifier deployment; ES256 JWTs exist for untrusted third-party verification and carry Shor exposure bounded by the short token TTL. See docs/threat-model.md and

... (truncated)

Commits
  • a0d15d4 chore(release): prepare 2.1.0
  • edacec2 build(deps): Bump the dev-dependencies group with 2 updates (#92)
  • ca7d1e4 Implement "get" method for authenticator.
  • dd68d07 build(deps-dev): Bump @​types/node
  • 79e9921 build(deps): Bump the dev-dependencies group with 3 updates (#91)
  • fbe9a9a Use FakeAuthenticator, RegistrationService to test ceremony.
  • 712c8dc test(browser): fix TS6 typecheck errors in ceremonies mediation test
  • 0090da9 Create RegistrationService
  • b513429 Create a fake authenticator.
  • baa3440 build(deps-dev): Bump undici in /clients/passkeys-browser (#85)
  • Additional commits viewable in compare view

Updates com.codeheadsystems:pk-auth-testkit from 2.0.0 to 2.1.0

Release notes

Sourced from com.codeheadsystems:pk-auth-testkit's releases.

Release 2.1.0

pk-auth 2.1.0

Maven Central

Add the modules you need (all share the same version):

implementation("com.codeheadsystems:pk-auth-spring-boot-starter:2.1.0")
// or :pk-auth-dropwizard / :pk-auth-micronaut for the other adapters
implementation("com.codeheadsystems:pk-auth-persistence-jdbi:2.1.0")
// testImplementation("com.codeheadsystems:pk-auth-testkit:2.1.0")
<dependency>
  <groupId>com.codeheadsystems</groupId>
  <artifactId>pk-auth-spring-boot-starter</artifactId>
  <version>2.1.0</version>
</dependency>

Modules Published

  • com.codeheadsystems:pk-auth-core:2.1.0
  • com.codeheadsystems:pk-auth-jwt:2.1.0
  • com.codeheadsystems:pk-auth-admin-api:2.1.0
  • com.codeheadsystems:pk-auth-backup-codes:2.1.0
  • com.codeheadsystems:pk-auth-magic-link:2.1.0
  • com.codeheadsystems:pk-auth-otp:2.1.0
  • com.codeheadsystems:pk-auth-persistence-jdbi:2.1.0
  • com.codeheadsystems:pk-auth-persistence-dynamodb:2.1.0
  • com.codeheadsystems:pk-auth-testkit:2.1.0
  • com.codeheadsystems:pk-auth-spring-boot-starter:2.1.0
  • com.codeheadsystems:pk-auth-dropwizard:2.1.0
  • com.codeheadsystems:pk-auth-micronaut:2.1.0

What's Changed

See commits since last release for details.

Note: Artifacts may take up to 2 hours to appear in Maven Central after release.

What's Changed

... (truncated)

Changelog

Sourced from com.codeheadsystems:pk-auth-testkit's changelog.

[2.1.0] — 2026-06-23

A backward-compatible minor release. The headline is crypto-agility and post-quantum readiness for passkey signature algorithms (ADR 0019): the two divergent hardcoded COSE algorithm lists are replaced by a single operator-configurable source of truth, and there is now a way to see which algorithm each stored credential uses. No public API is removed and the HTTP /auth/** wire contract is unchanged, so hosts upgrade by bumping the version.

To be precise about scope: no post-quantum signature algorithm is added — PQC for passkeys is gated end-to-end by authenticator hardware, CTAP2/FIDO2, the WebAuthn/COSE registry, and WebAuthn4J's verifier, none of which yet standardize one. The goal here is crypto-agility (clean removal of the migration obstacles) and honest documentation, not new algorithms.

Added

  • Crypto-agility for passkey signature algorithms (ADR 0019). A new framework-neutral CoseAlgorithm enum, and CeremonyConfig now carries two ordered lists: offeredAlgorithms (advertised in registration create-options) and acceptedAlgorithms (enforced on the WebAuthn4J verify path). acceptedAlgorithms is authoritative and offeredAlgorithms must be a subset. Both the create-options ceremony and the verify path derive their lists from this single config, replacing the two previously-divergent hardcoded lists, so operators can narrow either without code changes. A new 5-arg CeremonyConfig convenience constructor applies backward-compatible defaults — accepted = ES256, EdDSA, RS256, ES384, RS384 (the union of everything previously accepted, so no already-registered credential can fail verification); offered = ES256, EdDSA, RS256 (the historical create-options subset) — so every existing call site compiles and behaves identically.
  • Per-credential algorithm visibility. CredentialAlgorithms.coseAlgorithm(record) decodes the COSE algorithm already embedded in a stored public key (no schema change), and AdminService.listCredentialsByAlgorithm(actor, target, coseAlgorithm) reports which stored credentials use a given algorithm — the read side a future "re-enroll off algorithm X" campaign drives off.
  • Offered/accepted algorithm configuration wired through every adapter. The Spring Boot starter, Dropwizard, and Micronaut adapters (and the matching demo application.yml files) expose the two algorithm lists as host config, so the create-options and verify lists can be tuned without touching code.

Changed

  • Honest JWT crypto framing (ADR 0019, documentation only — no behavior change). The HS256-vs-ES256 choice is re-documented as a trust-topology decision rather than a dev-vs-prod one: HMAC-SHA256 is not broken by Shor and retains ~128-bit security under Grover with the enforced ≥ 256-bit key, making it the quantum-conservative default for a single-issuer/single-verifier deployment; ES256 JWTs exist for untrusted third-party verification and carry Shor exposure bounded by the short token TTL. See docs/threat-model.md and

... (truncated)

Commits
  • a0d15d4 chore(release): prepare 2.1.0
  • edacec2 build(deps): Bump the dev-dependencies group with 2 updates (#92)
  • ca7d1e4 Implement "get" method for authenticator.
  • dd68d07 build(deps-dev): Bump @​types/node
  • 79e9921 build(deps): Bump the dev-dependencies group with 3 updates (#91)
  • fbe9a9a Use FakeAuthenticator, RegistrationService to test ceremony.
  • 712c8dc test(browser): fix TS6 typecheck errors in ceremonies mediation test
  • 0090da9 Create RegistrationService
  • b513429 Create a fake authenticator.
  • baa3440 build(deps-dev): Bump undici in /clients/passkeys-browser (#85)
  • Additional commits viewable in compare view

Updates com.codeheadsystems:pk-auth-jwt from 2.0.0 to 2.1.0

Release notes

Sourced from com.codeheadsystems:pk-auth-jwt's releases.

Release 2.1.0

pk-auth 2.1.0

Maven Central

Add the modules you need (all share the same version):

implementation("com.codeheadsystems:pk-auth-spring-boot-starter:2.1.0")
// or :pk-auth-dropwizard / :pk-auth-micronaut for the other adapters
implementation("com.codeheadsystems:pk-auth-persistence-jdbi:2.1.0")
// testImplementation("com.codeheadsystems:pk-auth-testkit:2.1.0")
<dependency>
  <groupId>com.codeheadsystems</groupId>
  <artifactId>pk-auth-spring-boot-starter</artifactId>
  <version>2.1.0</version>
</dependency>

Modules Published

  • com.codeheadsystems:pk-auth-core:2.1.0
  • com.codeheadsystems:pk-auth-jwt:2.1.0
  • com.codeheadsystems:pk-auth-admin-api:2.1.0
  • com.codeheadsystems:pk-auth-backup-codes:2.1.0
  • com.codeheadsystems:pk-auth-magic-link:2.1.0
  • com.codeheadsystems:pk-auth-otp:2.1.0
  • com.codeheadsystems:pk-auth-persistence-jdbi:2.1.0
  • com.codeheadsystems:pk-auth-persistence-dynamodb:2.1.0
  • com.codeheadsystems:pk-auth-testkit:2.1.0
  • com.codeheadsystems:pk-auth-spring-boot-starter:2.1.0
  • com.codeheadsystems:pk-auth-dropwizard:2.1.0
  • com.codeheadsystems:pk-auth-micronaut:2.1.0

What's Changed

See commits since last release for details.

Note: Artifacts may take up to 2 hours to appear in Maven Central after release.

What's Changed

... (truncated)

Changelog

Sourced from com.codeheadsystems:pk-auth-jwt's changelog.

[2.1.0] — 2026-06-23

A backward-compatible minor release. The headline is crypto-agility and post-quantum readiness for passkey signature algorithms (ADR 0019): the two divergent hardcoded COSE algorithm lists are replaced by a single operator-configurable source of truth, and there is now a way to see which algorithm each stored credential uses. No public API is removed and the HTTP /auth/** wire contract is unchanged, so hosts upgrade by bumping the version.

To be precise about scope: no post-quantum signature algorithm is added — PQC for passkeys is gated end-to-end by authenticator hardware, CTAP2/FIDO2, the WebAuthn/COSE registry, and WebAuthn4J's verifier, none of which yet standardize one. The goal here is crypto-agility (clean removal of the migration obstacles) and honest documentation, not new algorithms.

Added

  • Crypto-agility for passkey signature algorithms (ADR 0019). A new framework-neutral CoseAlgorithm enum, and CeremonyConfig now carries two ordered lists: offeredAlgorithms (advertised in registration create-options) and acceptedAlgorithms (enforced on the WebAuthn4J verify path). acceptedAlgorithms is authoritative and offeredAlgorithms must be a subset. Both the create-options ceremony and the verify path derive their lists from this single config, replacing the two previously-divergent hardcoded lists, so operators can narrow either without code changes. A new 5-arg CeremonyConfig convenience constructor applies backward-compatible defaults — accepted = ES256, EdDSA, RS256, ES384, RS384 (the union of everything previously accepted,...

    Description has been truncated

@dependabot
build: bump the gradle-minor-and-patch group with 6 updates
a9c3c3b 
Bumps the gradle-minor-and-patch group with 6 updates:

| Package | From | To |
| --- | --- | --- |
| [com.codeheadsystems:pk-auth-core](https://github.com/codeheadsystems/pk-auth) | `2.0.0` | `2.1.0` |
| [com.codeheadsystems:pk-auth-jwt](https://github.com/codeheadsystems/pk-auth) | `2.0.0` | `2.1.0` |
| [com.codeheadsystems:pk-auth-magic-link](https://github.com/codeheadsystems/pk-auth) | `2.0.0` | `2.1.0` |
| [com.codeheadsystems:pk-auth-otp](https://github.com/codeheadsystems/pk-auth) | `2.0.0` | `2.1.0` |
| [com.codeheadsystems:pk-auth-backup-codes](https://github.com/codeheadsystems/pk-auth) | `2.0.0` | `2.1.0` |
| [com.codeheadsystems:pk-auth-testkit](https://github.com/codeheadsystems/pk-auth) | `2.0.0` | `2.1.0` |


Updates `com.codeheadsystems:pk-auth-core` from 2.0.0 to 2.1.0
- [Release notes](https://github.com/codeheadsystems/pk-auth/releases)
- [Changelog](https://github.com/codeheadsystems/pk-auth/blob/main/CHANGELOG.md)
- [Commits](codeheadsystems/pk-auth@v2.0.0...v2.1.0)

Updates `com.codeheadsystems:pk-auth-jwt` from 2.0.0 to 2.1.0
- [Release notes](https://github.com/codeheadsystems/pk-auth/releases)
- [Changelog](https://github.com/codeheadsystems/pk-auth/blob/main/CHANGELOG.md)
- [Commits](codeheadsystems/pk-auth@v2.0.0...v2.1.0)

Updates `com.codeheadsystems:pk-auth-magic-link` from 2.0.0 to 2.1.0
- [Release notes](https://github.com/codeheadsystems/pk-auth/releases)
- [Changelog](https://github.com/codeheadsystems/pk-auth/blob/main/CHANGELOG.md)
- [Commits](codeheadsystems/pk-auth@v2.0.0...v2.1.0)

Updates `com.codeheadsystems:pk-auth-otp` from 2.0.0 to 2.1.0
- [Release notes](https://github.com/codeheadsystems/pk-auth/releases)
- [Changelog](https://github.com/codeheadsystems/pk-auth/blob/main/CHANGELOG.md)
- [Commits](codeheadsystems/pk-auth@v2.0.0...v2.1.0)

Updates `com.codeheadsystems:pk-auth-backup-codes` from 2.0.0 to 2.1.0
- [Release notes](https://github.com/codeheadsystems/pk-auth/releases)
- [Changelog](https://github.com/codeheadsystems/pk-auth/blob/main/CHANGELOG.md)
- [Commits](codeheadsystems/pk-auth@v2.0.0...v2.1.0)

Updates `com.codeheadsystems:pk-auth-testkit` from 2.0.0 to 2.1.0
- [Release notes](https://github.com/codeheadsystems/pk-auth/releases)
- [Changelog](https://github.com/codeheadsystems/pk-auth/blob/main/CHANGELOG.md)
- [Commits](codeheadsystems/pk-auth@v2.0.0...v2.1.0)

Updates `com.codeheadsystems:pk-auth-jwt` from 2.0.0 to 2.1.0
- [Release notes](https://github.com/codeheadsystems/pk-auth/releases)
- [Changelog](https://github.com/codeheadsystems/pk-auth/blob/main/CHANGELOG.md)
- [Commits](codeheadsystems/pk-auth@v2.0.0...v2.1.0)

Updates `com.codeheadsystems:pk-auth-magic-link` from 2.0.0 to 2.1.0
- [Release notes](https://github.com/codeheadsystems/pk-auth/releases)
- [Changelog](https://github.com/codeheadsystems/pk-auth/blob/main/CHANGELOG.md)
- [Commits](codeheadsystems/pk-auth@v2.0.0...v2.1.0)

Updates `com.codeheadsystems:pk-auth-otp` from 2.0.0 to 2.1.0
- [Release notes](https://github.com/codeheadsystems/pk-auth/releases)
- [Changelog](https://github.com/codeheadsystems/pk-auth/blob/main/CHANGELOG.md)
- [Commits](codeheadsystems/pk-auth@v2.0.0...v2.1.0)

Updates `com.codeheadsystems:pk-auth-backup-codes` from 2.0.0 to 2.1.0
- [Release notes](https://github.com/codeheadsystems/pk-auth/releases)
- [Changelog](https://github.com/codeheadsystems/pk-auth/blob/main/CHANGELOG.md)
- [Commits](codeheadsystems/pk-auth@v2.0.0...v2.1.0)

Updates `com.codeheadsystems:pk-auth-testkit` from 2.0.0 to 2.1.0
- [Release notes](https://github.com/codeheadsystems/pk-auth/releases)
- [Changelog](https://github.com/codeheadsystems/pk-auth/blob/main/CHANGELOG.md)
- [Commits](codeheadsystems/pk-auth@v2.0.0...v2.1.0)

---
updated-dependencies:
- dependency-name: com.codeheadsystems:pk-auth-core
  dependency-version: 2.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gradle-minor-and-patch
- dependency-name: com.codeheadsystems:pk-auth-jwt
  dependency-version: 2.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gradle-minor-and-patch
- dependency-name: com.codeheadsystems:pk-auth-magic-link
  dependency-version: 2.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gradle-minor-and-patch
- dependency-name: com.codeheadsystems:pk-auth-otp
  dependency-version: 2.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gradle-minor-and-patch
- dependency-name: com.codeheadsystems:pk-auth-backup-codes
  dependency-version: 2.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gradle-minor-and-patch
- dependency-name: com.codeheadsystems:pk-auth-testkit
  dependency-version: 2.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gradle-minor-and-patch
- dependency-name: com.codeheadsystems:pk-auth-jwt
  dependency-version: 2.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gradle-minor-and-patch
- dependency-name: com.codeheadsystems:pk-auth-magic-link
  dependency-version: 2.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gradle-minor-and-patch
- dependency-name: com.codeheadsystems:pk-auth-otp
  dependency-version: 2.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gradle-minor-and-patch
- dependency-name: com.codeheadsystems:pk-auth-backup-codes
  dependency-version: 2.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gradle-minor-and-patch
- dependency-name: com.codeheadsystems:pk-auth-testkit
  dependency-version: 2.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gradle-minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github

dependabot Bot commented on behalf of github Jun 26, 2026

Copy link
Copy Markdown
Contributor Author

Labels

The following labels could not be found: dependencies, gradle. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@github-actions github-actions Bot merged commit e74aba3 into main Jun 26, 2026
3 checks passed
@github-actions github-actions Bot deleted the dependabot/gradle/gradle-minor-and-patch-a13ea96866 branch June 26, 2026 11:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants