chore(release): bump package versions #167

Merged: halvaradop merged 2 commits into master from release/bump-packages on May 23, 2026

@halvaradop halvaradop commented May 23, 2026

vercel Bot commented May 23, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| auth | Skipped | Skipped | May 23, 2026 5:05pm |

coderabbitai Bot commented May 23, 2026

Warning

Review limit reached

@halvaradop, we couldn't start this review because you've used your available PR reviews for now.

Your plan currently allows 1 review/hour. Refill in 44 minutes and 44 seconds.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more review capacity refills, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than trial, open-source, and free plans. In all cases, review capacity refills continuously over time.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 10d2643a-933b-4e9c-ab8b-fdf564cf6ce3

📥 Commits

Reviewing files that changed from the base of the PR and between 44acac2 and d9f8693.

📒 Files selected for processing (1)
  • packages/jose/CHANGELOG.md

Walkthrough

This PR coordinates a dual-package release with security updates and test infrastructure improvements. Version bumps (core 0.7.0, jose 0.6.0) are accompanied by manifest and changelog updates. The secret entropy minimum is reduced from 254 to 128 bits with test coverage. Core's vitest config consolidates on jose's crypto helpers instead of Node's crypto module. Sign-in tests are updated with explicit trusted origins configuration, and identity tests gain environment cleanup between test cases.

Changes

Release and Infrastructure Coordination

| Layer / File(s) | Summary |
| --- | --- |
| Release version and changelog updates (packages/jose/deno.json, packages/jose/package.json, packages/jose/CHANGELOG.md, packages/core/deno.json, packages/core/package.json, packages/core/CHANGELOG.md) | Version fields bumped to 0.7.0 (core) and 0.6.0 (jose); changelogs updated with [Unreleased] placeholders and dated release entries. |
| Build script and publish configuration (packages/jose/package.json, packages/core/package.json) | clean:cts scripts changed from conditional to unconditional find/delete; registry configuration adjusted for consistency. |
| Dependency and import map updates (packages/core/deno.json) | Router dependency bumped to ^0.7.0; new schema validation imports added for arktype, valibot, and typebox. |
| Secret entropy threshold reduction and test coverage (packages/jose/src/secret.ts, packages/jose/test/secret.test.ts) | MIN_SECRET_ENTROPY_BITS reduced from 254 to 128; new tests verify createSecret accepts getRandomBytes(32) and base64url-encoded secrets. |
| Vitest config switches to jose crypto helpers (packages/core/vitest.config.ts) | Replaces Node crypto.randomBytes with jose's getRandomBytes and base64url.encode for AURA_AUTH_SECRET and AURA_AUTH_SALT generation. |
| Sign-in test trusted origins configuration (packages/core/test/actions/signIn/signIn.test.ts, packages/core/test/api/signIn.test.ts) | Multiple test cases explicitly set trustedOrigins: [] when testing trustedProxyHeaders, ensuring consistent origin validation across cross-origin and proxy scenarios. |
| Test environment isolation improvements (packages/core/test/identity.test.ts) | Imports Vitest vi utilities and adds afterEach hook to reset environment stubs between test cases, preventing test pollution. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

  • aura-stack-ts/auth#91: Updates sign-in tests to explicitly set trustedOrigins, directly aligning with the retrieved PR's origin validation test configurations.
  • aura-stack-ts/auth#85: Modifies MIN_SECRET_ENTROPY_BITS threshold in packages/jose/src/secret.ts, affecting createSecret entropy validation logic.
  • aura-stack-ts/auth#95: Introduces web-crypto migration that this PR's vitest config now depends on via getRandomBytes and base64url encoding from jose.

Suggested labels

release

Poem

🐰 A rabbit hops through versioning trees,
With entropy bits now lighter with ease,
Test secrets born from jose's kind care,
Origins trusted, configuration fair,
Release v0.7 floats on the breeze!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The pull request title clearly and accurately summarizes the primary change: bumping package versions for a release. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 4

🧹 Nitpick comments (1)
packages/core/package.json (1)

28-28: 💤 Low value

Consider aligning registry URL format across packages.

The publishConfig.registry in packages/core/package.json includes the full package path (https://registry.npmjs.org/@aura-stack/auth), while packages/jose/package.json (line 28) was updated to use only the base URL (https://registry.npmjs.org/).

The base URL format is the standard convention for publishConfig.registry. Consider updating this value for consistency.

📝 Suggested alignment
   "publishConfig": {
     "access": "public",
-    "registry": "https://registry.npmjs.org/@aura-stack/auth"
+    "registry": "https://registry.npmjs.org/"
   },
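Review bot: on the `registry` line, the removed value points at a package path (`https://registry.npmjs.org/@aura-stack/auth`) rather than a registry root, and `publishConfig.registry` decides where the package is uploaded, so it deserves a check beyond consistency with packages/jose. After switching to `https://registry.npmjs.org/`, run `npm publish --dry-run` from packages/core and confirm the reported registry before the release is cut.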
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/core/package.json` at line 28, The publishConfig.registry value
currently contains the full package-scoped URL
("https://registry.npmjs.org/@aura-stack/auth"); update the
publishConfig.registry entry in packages' package.json (the
publishConfig.registry key) to the base registry URL
"https://registry.npmjs.org/" to match the format used in other packages (e.g.,
packages/jose) for consistency.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/core/package.json`:
- Line 19: The clean:cts npm script currently runs "find dist -type f -name
\"*.cts\" -delete" which errors if dist/ is missing; change the "clean:cts"
script so it first checks for the existence of dist (e.g., using a shell guard
like test -d dist && ...) or redirects/ignores errors (e.g., append 2>/dev/null
|| true) so the command becomes a no-op when dist/ does not exist; update the
"clean:cts" entry in package.json accordingly.

In `@packages/jose/package.json`:
- Line 19: Update the package.json "clean:cts" npm script so it no longer fails
when dist/ is missing: modify the "clean:cts" script (the script key named
clean:cts) to guard for the directory existence (e.g., wrap in if [ -d dist ];
then ...; fi) or use a safe removal that tolerates missing files (e.g., rm -f
dist/*.cts) so running pnpm clean:cts standalone returns zero even if dist/ is
absent.

In `@packages/jose/src/secret.ts`:
- Line 7: Update the docs and changelog to resolve the mismatch between the
implemented MIN_SECRET_ENTROPY_BITS = 128 (in symbol MIN_SECRET_ENTROPY_BITS
inside packages/jose/src/secret.ts and enforced by assertSecretEntropy) and the
still-documented 254-bit minimum in packages/jose/CHANGELOG.md: either change
the changelog entry to state the new enforced 128-bit minimum and add a short
migration note for users who relied on 254-bit validation, or if 254 bits must
remain the policy, revert or update MIN_SECRET_ENTROPY_BITS and
assertSecretEntropy to enforce 254; include a brief security-team
rationale/approval blurb and a breaking-change note explaining the impact on
existing secrets and recommended actions (rotate or re-generate secrets) so
documentation and code are consistent.

In `@packages/jose/test/secret.test.ts`:
- Around line 95-100: The test is incorrectly calling .toString() on the
Uint8Array returned by getRandomBytes(32), causing base64url.encode to operate
on a comma-separated string; update the test to pass the raw bytes to
base64url.encode (i.e., encode the Uint8Array returned by getRandomBytes) so
that createSecret receives a proper base64url-encoded byte string; locate the
test using getRandomBytes, base64url.encode, and createSecret and remove the
.toString() conversion, ensuring the encodedSecret is produced from the
Uint8Array directly.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ed4c53f8-42a0-48f4-b507-21fd8a69d788

📥 Commits

Reviewing files that changed from the base of the PR and between 5d12468 and 44acac2.

⛔ Files ignored due to path filters (1)
  • deno.lock is excluded by !**/*.lock
📒 Files selected for processing (12)
  • packages/core/CHANGELOG.md
  • packages/core/deno.json
  • packages/core/package.json
  • packages/core/test/actions/signIn/signIn.test.ts
  • packages/core/test/api/signIn.test.ts
  • packages/core/test/identity.test.ts
  • packages/core/vitest.config.ts
  • packages/jose/CHANGELOG.md
  • packages/jose/deno.json
  • packages/jose/package.json
  • packages/jose/src/secret.ts
  • packages/jose/test/secret.test.ts

Comment thread packages/core/package.json
Comment thread packages/jose/package.json
Comment thread packages/jose/src/secret.ts
Comment thread packages/jose/test/secret.test.ts
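
An added example (not code from this PR or from the project) of the `.toString()` issue raised in the review of packages/jose/test/secret.test.ts: it compares a secret encoded from raw bytes with one encoded from the stringified array, and includes a test-side guard that rejects the latter. Node's `Buffer` stands in for jose's `base64url` helper, the sample bytes are constructed in place of `getRandomBytes(32)`, and `describeSecret` and `assertRawByteSecret` are hypothetical names.

```javascript
// Added example, not code from the PR. Node's Buffer stands in for jose's
// base64url helper (assumption); sampleBytes is a constructed stand-in for
// getRandomBytes(32) so the output is deterministic.
const b64url = {
  // Strings are encoded as their UTF-8 bytes, typed arrays byte-for-byte.
  encode: (input) => Buffer.from(input).toString("base64url"),
  decode: (text) => new Uint8Array(Buffer.from(text, "base64url")),
};

const sampleBytes = Uint8Array.from({ length: 32 }, (_, i) => (i * 37 + 11) & 0xff);

// Summarise what an encoded secret really contains once decoded.
function describeSecret(encoded) {
  const decoded = b64url.decode(encoded);
  const asText = Buffer.from(decoded).toString("latin1");
  return {
    encodedLength: encoded.length,
    decodedLength: decoded.length,
    distinctByteValues: new Set(decoded).size,
    // True when the payload is a stringified array such as "11,48,85".
    looksLikeStringifiedArray: /^\d{1,3}(,\d{1,3})*$/.test(asText),
  };
}

// Hypothetical test-side guard: fail fast if a fixture was stringified.
function assertRawByteSecret(encoded, expectedBytes) {
  const info = describeSecret(encoded);
  if (info.looksLikeStringifiedArray || info.decodedLength !== expectedBytes) {
    throw new TypeError(`expected ${expectedBytes} raw bytes, got ${info.decodedLength}`);
  }
  return info;
}

// .toString() on a Uint8Array joins the decimal byte values with commas.
const buggy = describeSecret(b64url.encode(sampleBytes.toString()));
const fixed = assertRawByteSecret(b64url.encode(sampleBytes), 32);

console.log({ buggy, fixed });
```

The stringified fixture decodes to 112 bytes drawn from only eleven symbols (ten digits and a comma), so a test built on it does not exercise a base64url-encoded 32-byte secret.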

halvaradop merged commit f41ea7e into master on May 23, 2026 (5 of 6 checks passed)
halvaradop deleted the release/bump-packages branch on May 23, 2026 17:05