Conversation
… contracts

README.md: API Stability section still said "v0.x (current)" and "v1.0.0 (future)". v1.2.0 ships as a stable v1.x release, so the versioning policy now describes the actual v1.x guarantees and references v1.2.0's defence-in-depth additions. Links to CHANGELOG.md for the full history.

SECURITY.md: Supported-versions policy referenced a "stable v1.0.0" as something yet to come. Replaced with a v1.x table, the upgrade-within-v1.x non-breaking guarantee, and a note that minor releases may tighten validation (citing v1.2.0 as the current example).

CODE_OF_CONDUCT.md: Enforcement section routed Code-of-Conduct reports to GitHub's security-advisory page, which is semantically wrong (CoC != vulnerability) and exposes reporters to the security triage workflow. Preferred channel is now a direct message to the maintainer via their GitHub profile, with the private advisory retained only as a fallback (and with a note that its "security" framing is reused here out of necessity, not because CoC reports are security issues).

auth/jwt/config.go: Audience field godoc now states explicitly that only the first value is enforced at verification, and that this first value is snapshotted into a private field at New() time so callers who later mutate the slice cannot panic or weaken the verifier. Matches the implementation contract introduced in v1.2.0.

auth/password/password.go: Verify godoc listed "parameters outside the supported range" but did not say what the ranges were. Added a bullet list mirroring Config validation: Memory 8 MiB – 4 GiB, Iterations 1 – 20, Parallelism ≥ 1.

internal/keymanager/keymanager.go: Package docs now mention the 4 KiB key-file size cap introduced in v1.2.0 so consumers reading the package godoc understand the DoS protection without having to read generate.go.
Codecov Report ✅ All modified and coverable lines are covered by tests.
Jaro-c added a commit that referenced this pull request on Apr 19, 2026
Aggregates the docs polish work from PR #34 under a v1.2.1 header so consumers reading the CHANGELOG (or pkg.go.dev release notes) can see what changed between v1.2.0 and v1.2.1 without having to diff the source. No code changes land with this release.
Summary
Seven targeted docs fixes from the post-v1.2.0 review. No production code changes; only user-facing text and godoc.
Stale version claims (critical)
- README.md, "## API Stability": said "v0.x (current)" and "v1.0.0 (future)". Replaced with accurate v1.x policy + reference to v1.2.0 hardenings.
- SECURITY.md, "## Supported Versions": "stable v1.0.0" framed as future event. Replaced with v1.x support table + non-breaking upgrade guarantee.
Wrong reporting channel
- CODE_OF_CONDUCT.md, "## Enforcement": CoC reports were routed to GitHub's security advisory page. Now: preferred channel is the maintainer's GitHub profile; private advisory only as a clearly-flagged fallback.
v1.2.0 feature contracts in godoc
- Audience: explains the primaryAudience snapshot: only the first value is enforced on verify, and it is captured at New() to defend against post-init mutation.
- Verify: adds explicit ranges for the PHC bounds check (Memory 8 MiB – 4 GiB, Iterations 1 – 20, Parallelism ≥ 1).
- … generate.go).
Out of scope
Not touching README hero tagline or features bullets in this PR — both were flagged as "could be punchier" but the fixes are subjective.
Test plan
- go build ./...
- go vet ./...
- go test ./... -count=1 — all pass (no test changes, no behaviour changes)
- gofmt -l . clean
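The two v1.2.0 contracts that the Audience and Verify godoc items above describe, the audience value snapshotted at New() and the PHC parameter bounds check, shown as an added, self-contained Go program. This is illustration code, not the project's own implementation: the names NewVerifier, CheckAudience, ParseArgon2idPHC and argon2Bounds, the matching rule that the token's aud claim must contain the snapshotted value, and the assumption that the PHC m parameter is in KiB are all mine, and the PHC strings are constructed samples.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// ErrParamsOutOfRange is returned before any Argon2 memory is allocated, so a
// hostile stored hash cannot drive Verify into a multi-gigabyte computation.
var ErrParamsOutOfRange = errors.New("argon2 parameters outside supported range")

// argon2Bounds mirrors the ranges the Verify godoc lists. Argon2 counts memory in
// KiB (unit assumed here), so 8 MiB..4 GiB is 8192..4194304; p caps at uint8.
var argon2Bounds = map[string][2]uint64{
	"m": {8 * 1024, 4 * 1024 * 1024},
	"t": {1, 20},
	"p": {1, 255},
}

type Argon2Params struct {
	MemoryKiB   uint32
	Iterations  uint32
	Parallelism uint8
}

// ParseArgon2idPHC parses "$argon2id$v=19$m=..,t=..,p=..$<salt>$<hash>" and
// rejects malformed input and any parameter outside argon2Bounds (hypothetical parser).
func ParseArgon2idPHC(phc string) (Argon2Params, error) {
	// The leading "$" makes parts[0] empty; a valid string has exactly six fields.
	parts := strings.Split(phc, "$")
	if len(parts) != 6 || parts[0] != "" || parts[1] != "argon2id" || parts[2] != "v=19" {
		return Argon2Params{}, errors.New("malformed argon2id PHC string")
	}
	vals := map[string]uint64{}
	for _, kv := range strings.Split(parts[3], ",") {
		k, v, ok := strings.Cut(kv, "=")
		b, known := argon2Bounds[k]
		if !ok || !known {
			return Argon2Params{}, fmt.Errorf("malformed or unknown argon2id parameter %q", kv)
		}
		if _, dup := vals[k]; dup {
			return Argon2Params{}, fmt.Errorf("duplicate argon2id parameter %q", k)
		}
		n, err := strconv.ParseUint(v, 10, 32) // rejects sign, non-digits and overflow
		if err != nil {
			return Argon2Params{}, fmt.Errorf("argon2id parameter %q: %w", k, err)
		}
		if n < b[0] || n > b[1] {
			return Argon2Params{}, ErrParamsOutOfRange
		}
		vals[k] = n
	}
	if len(vals) != len(argon2Bounds) {
		return Argon2Params{}, errors.New("argon2id parameter list must carry m, t and p")
	}
	return Argon2Params{uint32(vals["m"]), uint32(vals["t"]), uint8(vals["p"])}, nil
}

// VerifierConfig is caller-owned; the caller may mutate Audience after New.
type VerifierConfig struct {
	Audience []string
}

// Verifier keeps a private copy of the single value it enforces.
type Verifier struct {
	primaryAudience string
}

// NewVerifier snapshots Audience[0] at construction, so later edits to the
// caller's slice (even truncating it to length zero) can neither weaken the
// check nor cause an index panic inside the verifier.
func NewVerifier(cfg VerifierConfig) (*Verifier, error) {
	if len(cfg.Audience) == 0 || cfg.Audience[0] == "" {
		return nil, errors.New("audience: at least one non-empty value is required")
	}
	return &Verifier{primaryAudience: cfg.Audience[0]}, nil
}

// CheckAudience enforces only the first configured value: the token's aud
// claim must contain it (assumed matching rule; the project's may differ).
func (v *Verifier) CheckAudience(aud []string) error {
	for _, a := range aud {
		if a == v.primaryAudience {
			return nil
		}
	}
	return fmt.Errorf("token aud %v does not include %q", aud, v.primaryAudience)
}

func main() {
	cfg := VerifierConfig{Audience: []string{"api.example", "legacy.example"}}
	v, _ := NewVerifier(cfg)
	cfg.Audience[0] = "attacker.example" // post-init mutation of the shared backing array
	fmt.Println(v.CheckAudience([]string{"api.example"}), v.CheckAudience([]string{"attacker.example"}))
	_, err := ParseArgon2idPHC("$argon2id$v=19$m=8388608,t=3,p=4$c2FsdA$aGFzaA") // m = 8 GiB
	fmt.Println(errors.Is(err, ErrParamsOutOfRange)) // true
}
```

The snapshot matters because NewVerifier receives cfg by value but the slice inside it still aliases the caller's backing array; copying the string out at construction is what makes the verifier immune to later writes through that alias. The bounds check sits in front of the parameter struct, so a stored hash that advertises an oversized m is rejected before anything downstream could allocate for it.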