From 070e6d8d2736194810f098dfcf510fb48ef1e431 Mon Sep 17 00:00:00 2001 From: Jon Langevin Date: Tue, 19 May 2026 12:38:51 -0400 Subject: [PATCH 1/2] docs(auth): verified banner + CONTRIBUTING + examples + CHANGELOG (QoL sweep) - Prepend verified-status banner to README.md (buymywishlist); cross-ref workflow#714. - Add CONTRIBUTING.md from shared plugin template. - Add examples/minimal/config.yaml (auth.credential module + password hash/verify workflow; wfctl validate --skip-unknown-types passes). - Add .github/ISSUE_TEMPLATE/bug_report.md + feature_request.md + PULL_REQUEST_TEMPLATE.md. - Add [Unreleased] QoL sweep entry to CHANGELOG.md. Co-Authored-By: Claude Sonnet 4.6 --- .github/ISSUE_TEMPLATE/bug_report.md | 33 +++++++++++++++++++++++ .github/ISSUE_TEMPLATE/feature_request.md | 27 +++++++++++++++++++ .github/PULL_REQUEST_TEMPLATE.md | 20 ++++++++++++++ CHANGELOG.md | 5 ++++ CONTRIBUTING.md | 27 +++++++++++++++++++ README.md | 2 ++ examples/minimal/config.yaml | 28 +++++++++++++++++++ 7 files changed, 142 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE/bug_report.md create mode 100644 .github/ISSUE_TEMPLATE/feature_request.md create mode 100644 .github/PULL_REQUEST_TEMPLATE.md create mode 100644 CONTRIBUTING.md create mode 100644 examples/minimal/config.yaml diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md new file mode 100644 index 0000000..2409d98 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.md 
@@ -0,0 +1,33 @@
+---
+name: Bug report
+about: Report a bug in this plugin
+title: '[Bug] '
+labels: bug
+assignees: ''
+---
+
+## Describe the bug
+
+A clear and concise description of what the bug is.
+
+## To reproduce
+
+Steps to reproduce the behavior:
+1. Config used (redact any secrets)
+2. Command run
+3. Error output
+
+## Expected behavior
+
+What you expected to happen.
+
+## Environment
+
+- workflow engine version:
+- plugin version:
+- Go version:
+- OS:
+
+## Additional context
+
+Add any other context or logs here.
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
new file mode 100644
index 0000000..bfcf5e9
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,27 @@
+---
+name: Feature request
+about: Suggest a new capability for this plugin
+title: '[Feature] '
+labels: enhancement
+assignees: ''
+---
+
+## Summary
+
+A one-sentence description of the feature.
+
+## Motivation
+
+Why is this feature needed? What problem does it solve?
+
+## Proposed solution
+
+How would you like it to work? Include config schema changes if relevant.
+
+## Alternatives considered
+
+Any alternative approaches you considered and why you ruled them out.
+
+## Additional context
+
+Links, screenshots, or related issues.
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
new file mode 100644
index 0000000..a510115
--- /dev/null
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,20 @@
+## Summary
+
+
+
+## Motivation
+
+
+
+## Test plan
+
+- [ ] `go build ./...` passes
+- [ ] `go vet ./...` passes
+- [ ] `go test ./...` passes
+- [ ] Manual smoke test (describe)
+
+## Checklist
+
+- [ ] CHANGELOG.md updated (Keep-a-Changelog format)
+- [ ] No secrets or credentials included
+- [ ] One feature or bugfix per PR
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5742d78..9335e58 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,10 @@ # Changelog +## [Unreleased] +### Added +- README verified-status banner per workflow#714 (multi-repo QoL sweep). +- CONTRIBUTING.md, examples/minimal/config.yaml, and GitHub issue/PR templates. + ## v0.2.4 (2026-05-13) ### Strict-proto config-field gaps closed (BMW local smoke vs workflow v0.51.5, round 3) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..6f2ad8c --- /dev/null +++ b/CONTRIBUTING.md @@ -0,0 +1,27 @@ +# Contributing to workflow-plugin-auth + +This plugin is part of the [GoCodeAlone/workflow](https://github.com/GoCodeAlone/workflow) ecosystem. + +## Before contributing + +Read the [upstream CONTRIBUTING.md](https://github.com/GoCodeAlone/workflow/blob/main/CONTRIBUTING.md) for general conventions, signing, and review expectations. + +## Local development + +```sh +git clone https://github.com/GoCodeAlone/workflow-plugin-auth.git +cd workflow-plugin-auth +go build ./... +go test ./... +``` + +## Pull requests + +- One feature or bugfix per PR. +- Update CHANGELOG.md with a Keep-a-Changelog entry. +- Add tests covering new behavior. +- Run `go vet ./...` before pushing. + +## Reporting issues + +See the issue templates under `.github/ISSUE_TEMPLATE/`. diff --git a/README.md b/README.md index 801f099..27b7364 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,7 @@ # workflow-plugin-auth +> ✅ **Verified** — used in production at **buymywishlist**. This plugin has been validated end-to-end in a merged main-branch wfctl.yaml of an active GoCodeAlone project. + Authentication primitives for Workflow applications. ## Module Types diff --git a/examples/minimal/config.yaml b/examples/minimal/config.yaml new file mode 100644 index 0000000..2ea3070 --- /dev/null +++ b/examples/minimal/config.yaml 
@@ -0,0 +1,28 @@ +# Minimal workflow-plugin-auth example. +# Demonstrates password hashing and verification using auth.credential module. +# +# Usage: +# wfctl validate --skip-unknown-types examples/minimal/config.yaml + +modules: + - name: auth-credential + type: auth.credential + config: + rp_display_name: "My App" + rp_id: "example.com" + origin: "https://example.com" + optional: true + +workflows: + password-auth: + trigger: + type: http + config: + path: /auth/password + method: POST + steps: + - name: hash-password + type: step.auth_password_hash + + - name: verify-password + type: step.auth_password_verify From 01aab69d4dd0a2808df8abcf5ec84016bcff8ffe Mon Sep 17 00:00:00 2001 From: Jon Langevin Date: Tue, 19 May 2026 12:43:51 -0400 Subject: [PATCH 2/2] fix(auth): challenge-based example + GH_TOKEN install docs per spec-reviewer - Replace password-hash example with signed-challenge generate/verify workflow (step.auth_challenge_generate + step.auth_challenge_verify; JWT-equivalent using signing_secret). auth.jwt module does not exist in this plugin; challenge steps are the canonical signed-token primitive. wfctl validate passes. - Document GH_TOKEN requirement for wfctl plugin install in README Installation section and CONTRIBUTING.md (plugin marked private in registry). Co-Authored-By: Claude Sonnet 4.6 --- CONTRIBUTING.md | 9 +++++++++ README.md | 11 +++++++++++ examples/minimal/config.yaml | 22 +++++++++++++++------- 3 files changed, 35 insertions(+), 7 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 6f2ad8c..1b64f75 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
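Review bot: The `Usage` comment in the new examples/minimal/config.yaml (patch 1/2) validates the example only with `--skip-unknown-types`, and that line is unchanged by patch 2/2. Judging by the flag name, the plugin's own module and step types are skipped, so a typo in `type: step.auth_password_hash` or a wrong key under `config:` would presumably still pass, and "validate passes" says little about the auth steps themselves. I would add a comment under the usage line along the lines of `# NOTE: --skip-unknown-types does not check this plugin's step types or their config keys.` so readers do not treat a green validate as proof that the flow is wired correctly. The module's `optional: true` is also unexplained; a one-line comment on what happens when the module fails to load would help.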
@@ -6,6 +6,15 @@ This plugin is part of the [GoCodeAlone/workflow](https://github.com/GoCodeAlone Read the [upstream CONTRIBUTING.md](https://github.com/GoCodeAlone/workflow/blob/main/CONTRIBUTING.md) for general conventions, signing, and review expectations. +## Installation note + +This plugin is marked `private` in the workflow registry. `wfctl plugin install` requires: + +```sh +export GH_TOKEN= +wfctl plugin install workflow-plugin-auth +``` + ## Local development ```sh diff --git a/README.md b/README.md index 27b7364..a0c25c4 100644 --- a/README.md +++ b/README.md @@ -4,6 +4,17 @@ Authentication primitives for Workflow applications. +## Installation + +This plugin is marked `private` in the workflow registry, meaning `wfctl plugin install` requires a GitHub token with `read:packages` scope: + +```sh +export GH_TOKEN= +wfctl plugin install workflow-plugin-auth +``` + +The plugin binary itself is distributed via public GitHub Releases — `GH_TOKEN` is only required for the registry lookup step. + ## Module Types - `auth.credential` - WebAuthn/passkey relying-party configuration. diff --git a/examples/minimal/config.yaml b/examples/minimal/config.yaml index 2ea3070..49d916a 100644 --- a/examples/minimal/config.yaml +++ b/examples/minimal/config.yaml @@ -1,5 +1,8 @@ # Minimal workflow-plugin-auth example. -# Demonstrates password hashing and verification using auth.credential module. +# Demonstrates signed-challenge generation and verification (JWT-equivalent auth flow). +# +# Prerequisites: +# export AUTH_SIGNING_SECRET= # # Usage: # wfctl validate --skip-unknown-types examples/minimal/config.yaml 
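Review bot: The `Prerequisites` comment added at the top of examples/minimal/config.yaml reads, as rendered here, `export AUTH_SIGNING_SECRET=` with no value and no guidance on choosing one, so a reader following it literally exports an empty secret. Both challenge steps in the next hunk take `signing_secret: ${AUTH_SIGNING_SECRET}`, and an empty or guessable value would presumably let anyone who knows it produce a challenge that verifies. I would change the line to `#   export AUTH_SIGNING_SECRET="$(openssl rand -base64 32)"` and add `# Use a random value of at least 32 bytes and keep it out of version control.` below it. The same bare `export GH_TOKEN=` appears in the README.md and CONTRIBUTING.md hunks of this patch and would benefit from a visible placeholder.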
@@ -14,15 +17,20 @@ modules: optional: true workflows: - password-auth: + generate-challenge: trigger: type: http config: - path: /auth/password + path: /auth/challenge method: POST steps: - - name: hash-password - type: step.auth_password_hash + - name: generate + type: step.auth_challenge_generate + config: + signing_secret: ${AUTH_SIGNING_SECRET} + ttl_minutes: 10 - - name: verify-password - type: step.auth_password_verify + - name: verify + type: step.auth_challenge_verify + config: + signing_secret: ${AUTH_SIGNING_SECRET}
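Review bot: In the `generate-challenge` workflow the `verify` step runs in the same POST `/auth/challenge` request directly after `generate`, so the example never shows a challenge coming back from a client and appears to verify only what it has just issued. Someone copying it as a starting point gets an endpoint that exercises neither a missing nor a tampered response. I would split it into two workflows, keeping `generate` where it is and moving `step.auth_challenge_verify` into its own workflow on a separate path, with a comment stating where that step reads the client-supplied token from, which is not visible in this hunk. The fence shows only the added workflow; the path is a sample.

```yaml
# … unchanged: generate-challenge trigger and the generate step …

  verify-challenge:
    trigger:
      type: http
      config:
        path: /auth/challenge/verify
        method: POST
    steps:
      # Verifies the token the client sends back, not one minted in this request.
      - name: verify
        type: step.auth_challenge_verify
        config:
          signing_secret: ${AUTH_SIGNING_SECRET}
```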