6.50.0.0

@github-actions github-actions released this 31 May 18:10
Immutable release. Only release title and notes can be modified.

Changelog:

  • http4k-template-pug4j: [Unlikely break] Pug4jTemplates.HotReload now canonicalizes the resolved template path against baseTemplateDir and rejects any ViewModel.template() that escapes the base.
  • http4k-security-digest: [Unlikely break] DigestAuthProvider.verify now also rejects credentials whose uri parameter does not match the actual request URL.
  • http4k-ai-mcp-*: [Unlikely break] MCP session and message IDs now derive from SecureRandom by default.
  • http4k-security-oauth: [Unlikely break] OAuth server now persists a nonce for any openid scope (previously only CodeIdToken) and validateNonceAfterToken fail-closes when the token-endpoint id_token is missing or its nonce mismatches.
  • http4k-format-xml: [Unlikely break] defaultXmlParsingConfig now sets disallow-doctype-decl and FEATURE_SECURE_PROCESSING, so Body.xml()/asXmlDocument() reject any document with a <!DOCTYPE>.
  • http4k-webhook: [Unlikely break] ServerFilters.VerifyWebhookSignature now also rejects messages whose webhook-timestamp is more than tolerance away from clock.instant() (default tolerance 5.minutes, clock Clock.systemUTC()), per the Standard Webhooks scheme. Captures of valid webhooks can no longer be replayed indefinitely. Pass a Clock.fixed(...) to control timing in tests.
  • http4k-multipart: [Unlikely break] MultipartFormBody.from, multipartIterator() and Body.multipartForm(...) cap the body at 10MB and 1000 parts by default. Pass maxStreamLength/maxPartCount to override.
  • http4k-serverless-lambda: [Unlikely break] Single-value headers from API Gateway/ALB events are no longer split on commas; values that legitimately contain commas (e.g. X-Forwarded-For: client, proxy1, proxy2) now reach the handler intact. True multi-values continue to flow via multiValueHeaders.
  • http4k-connect-github: [Fix] Header.X_HUB_SIGNATURE_256 lens no longer crashes on an X-Hub-Signature-256 header missing the sha256= prefix; VerifyGitHubSignatureSha256 now returns 401 for malformed signatures instead of 500.
  • http4k-ai-llm-azure: [Fix] AzureClient now attaches the API key as an outbound Authorization: Bearer header (it was previously wired to the inbound ServerFilters.BearerAuth checker).
  • http4k-config: [Fix] Secret.toString() and Secret.hashCode() no longer expose a stable hash of the plaintext (was Secret(hashcode = <Arrays.hashCode-of-plaintext>)); Secret.equals returns false for non-Secret inputs instead of throwing ClassCastException.
  • http4k-multipart: [Fix] A multipart part whose first header line begins with whitespace (a folded-header continuation with nothing to continue) now raises a ParseError instead of crashing with NullPointerException.
  • http4k-ops-opentelemetry: [Fix] OpenTelemetry tracing strips user:pass@ userInfo from request URIs before writing them to span attributes (url.full, legacy http.url) and the default span name, so basic-auth-in-URL credentials no longer reach the tracing backend.
  • http4k-security-oauth: [Fix] Server-side PKCE is now enforced — code_challenge is stored at authorize and an S256 code_verifier is required at token. code_challenge_method=plain is rejected per RFC 7636 §7.2.
  • http4k-security-oauth: [Fix] Post-callback redirect strips scheme/authority and collapses leading / and \ runs, neutralizing open-redirects of the form //evil.com and /\evil.com.
  • http4k-security-oauth: [Fix] AuthRequest is re-validated at AuthenticationComplete; CSRF/nonce compare is null/blank-safe; several redirectUri!! NPEs replaced with typed InvalidAuthorizationRequest.
  • http4k-security-oauth: Adds opt-in requirePkce: Boolean = false on OAuthServer. When true, every authorize/token exchange must use PKCE (recommended per RFC 9700).
  • http4k-security-oauth: [Fix] AuthServerDiscovery rejects a scheme-less resource pointing at root.
  • http4k-security-oauth: requirePkce is exposed on the underlying GenerateAccessToken / GenerateAccessTokenForGrantType / AuthorizationCodeAccessTokenGenerator, mitigating potential PKCE downgrade.
  • http4k-security-digest: [Fix] DigestAuthProvider.verify now hashes with the configured algorithm instead of hardcoded MD5.
  • http4k-*: Secret-bearing value types are now hidden() so their raw value no longer surfaces in toString().
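The webhook timestamp-tolerance check above follows the Standard Webhooks scheme (HMAC-SHA256 over `id.timestamp.body`, base64-encoded, carried in `webhook-signature` as `v1,...`). The following is an added stand-alone Python model of that check, not http4k's Kotlin implementation; the secret, message id and body are constructed sample values, and the `now` argument plays the role of the injectable `Clock`.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed sample secret for the demo (not a real credential).
SECRET = b"whsec_constructed_example_secret"
TOLERANCE = timedelta(minutes=5)  # matches the 5-minute default described above


def sign(secret: bytes, msg_id: str, timestamp: int, body: bytes) -> str:
    """Standard Webhooks signature: HMAC-SHA256 over 'id.timestamp.body', base64, prefixed 'v1,'."""
    to_sign = f"{msg_id}.{timestamp}.".encode() + body
    mac = hmac.new(secret, to_sign, hashlib.sha256).digest()
    return "v1," + base64.b64encode(mac).decode()


def verify(secret: bytes, headers: dict, body: bytes, now: datetime,
           tolerance: timedelta = TOLERANCE) -> bool:
    """True only if the signature matches AND webhook-timestamp is within tolerance of now."""
    try:
        msg_id = headers["webhook-id"]
        ts = int(headers["webhook-timestamp"])
        sig_header = headers["webhook-signature"]
    except (KeyError, ValueError):
        return False  # malformed or missing headers fail closed
    # Replay defence: reject timestamps too far in the past or the future.
    sent = datetime.fromtimestamp(ts, tz=timezone.utc)
    if abs(now - sent) > tolerance:
        return False
    expected = sign(secret, msg_id, ts, body)
    # The header may carry several space-separated signatures (key rotation); any v1 match passes.
    for candidate in sig_header.split():
        if candidate.startswith("v1,") and hmac.compare_digest(candidate, expected):
            return True
    return False


def demo() -> tuple:
    """Verify the same captured message once while fresh and once two hours later."""
    body = b'{"event":"order.paid","id":42}'  # constructed sample payload
    sent_at = datetime(2025, 5, 31, 18, 10, tzinfo=timezone.utc)
    ts = int(sent_at.timestamp())
    headers = {"webhook-id": "msg_constructed_1", "webhook-timestamp": str(ts),
               "webhook-signature": sign(SECRET, "msg_constructed_1", ts, body)}
    fresh = verify(SECRET, headers, body, now=sent_at + timedelta(minutes=1))
    replayed = verify(SECRET, headers, body, now=sent_at + timedelta(hours=2))
    return fresh, replayed  # (True, False): a valid capture is rejected once it is stale
```

A tampered body or a missing header fails the same way, so the timestamp window only narrows what a correctly signed message can do, it never widens it.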