● The design is implemented and verified. just ci passes — fmt, clippy (warnings-as-errors), 109 tests, release #32

Merged
navicore merged 1 commit from navinote-follow-ups into main 2026-05-25 14:49:39 +00:00
Owner

build.

#29 — multiple redirect URIs (CLI hardening + docs):

  • src/cli/client.rs: added validate_redirect_uris() — client add now fails fast if no --redirect-uri is given
    (the empty-list footgun) and rejects duplicate URIs, with 3 new unit tests.
  • README Quick Start and CLI synopsis now show the flag repeats; the SPA section demonstrates the prod +
    localhost pattern on one client_id.
  • (No runtime change needed — the repeatable flag and full-list validation at /authorize were already in place.)

#30 — aud convention (docs):

  • docs/ARCHITECTURE.md: new "JWT audience" crosscutting note — access token aud = realm URL (RFC 9068), ID token
    aud = client_id.
  • README OIDC Endpoints: a matching note so integrators configuring a resource server validate against the realm
    URL.

#31 — browser SPA example (docs):

  • README: new "Integrating a Browser SPA" section — register a public PKCE client, set cors_allowed_origins, a
    compact JS PKCE auth-code sketch, the audience note (cross-linked to #30), and a pointer to navinote's
    pwa/src/lib/auth.js.

Bookkeeping:

  • ROADMAP test count 106 → 109.
  • The design doc was fully realized, so it moved to docs/design/done/spa-integration-followups.md as a decision
    record (it captures the "#29 was already mostly built" finding).
navicore deleted branch navinote-follow-ups 2026-05-25 14:49:39 +00:00
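
The two redirect-URI checks the description lists under #29, the registration-time validation in `client add` and the match against the full registered list at /authorize, as an added Rust sketch; it is not the project's code from src/cli/client.rs. The error strings, the `redirect_uri_allowed` helper, the exact-string comparison and the sample URIs are assumptions.

```rust
use std::collections::HashSet;

/// Registration-time check, sketching the behaviour described for `client add`.
/// Assumption: URIs are compared as exact strings, with no normalization.
fn validate_redirect_uris(uris: &[String]) -> Result<(), String> {
    if uris.is_empty() {
        // With an empty list, the authorize-time check below can never pass.
        return Err("at least one --redirect-uri is required".to_string());
    }
    let mut seen = HashSet::new();
    for uri in uris {
        if !seen.insert(uri.as_str()) {
            return Err(format!("duplicate redirect URI: {}", uri));
        }
    }
    Ok(())
}

/// Authorize-time check (hypothetical helper): the requested redirect_uri must
/// equal one entry of the client's full registered list. No prefix or
/// substring matching, so look-alike hosts and altered paths are refused.
fn redirect_uri_allowed(registered: &[String], requested: &str) -> bool {
    registered.iter().any(|r| r == requested)
}

fn main() {
    // Constructed sample: one client_id carrying a prod and a localhost URI.
    let registered = vec![
        "https://app.example.com/callback".to_string(),
        "http://localhost:5173/callback".to_string(),
    ];
    match validate_redirect_uris(&registered) {
        Ok(()) => println!("registration accepted"),
        Err(e) => println!("registration rejected: {}", e),
    }
    // Constructed requests: one registered URI and two near misses.
    for requested in [
        "http://localhost:5173/callback",
        "https://app.example.com/callback/",
        "https://app.example.com.other.example/callback",
    ] {
        let verdict = if redirect_uri_allowed(&registered, requested) { "allow" } else { "deny" };
        println!("{:<5} {}", verdict, requested);
    }
}
```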