diff --git a/.changeset/agent-guide-nk-optional.md b/.changeset/agent-guide-nk-optional.md deleted file mode 100644 index fa8a62d..0000000 --- a/.changeset/agent-guide-nk-optional.md +++ /dev/null @@ -1,7 +0,0 @@ ---- -"@ingram-tech/agent-guide": patch ---- - -Note that `nk` is optional convenience that only orchestrates the standard tools -— a nextkit site must stay buildable with plain `next build` / `next dev`. Keeps -the agent guide consistent with the prime directive. diff --git a/.changeset/agent-guide-route-conventions.md b/.changeset/agent-guide-route-conventions.md deleted file mode 100644 index 8cfd89c..0000000 --- a/.changeset/agent-guide-route-conventions.md +++ /dev/null @@ -1,9 +0,0 @@ ---- -"@ingram-tech/agent-guide": minor ---- - -Add a "Route & URL conventions" section: `/api/…` is the public API only, and all -plumbing lives under `/internal/…` — the OAuth/app-install handshake at -`/internal/connect//{start,callback}`, inbound provider webhooks at -`/internal/webhooks/`, and workers/crons at `/internal/{worker,cron}/`. -Keeps connector wiring consistent across nextkit apps. diff --git a/.changeset/botprotection-token-docs.md b/.changeset/botprotection-token-docs.md deleted file mode 100644 index 9e21999..0000000 --- a/.changeset/botprotection-token-docs.md +++ /dev/null @@ -1,8 +0,0 @@ ---- -"@ingram-tech/bot-protection": patch ---- - -Clarify in the timing-token docs that it is a *timing-window* gate, not a -per-submission nonce: a token can be replayed within its `[minMs, maxMs]` window, -so it composes with the honeypot and BotID layers rather than providing single-use -semantics on its own. diff --git a/.changeset/email-keys-no-cast.md b/.changeset/email-keys-no-cast.md deleted file mode 100644 index eda0030..0000000 --- a/.changeset/email-keys-no-cast.md +++ /dev/null @@ -1,7 +0,0 @@ ---- -"@ingram-tech/email": patch ---- - -`keys()` now narrows the validated env vars with a combined guard instead of -`as string` casts — no behavior change, but it follows the house "no `as` on -external input" rule that the package documents. diff --git a/.changeset/newsletter-zod-rows.md b/.changeset/newsletter-zod-rows.md deleted file mode 100644 index fc17129..0000000 --- a/.changeset/newsletter-zod-rows.md +++ /dev/null @@ -1,9 +0,0 @@ ---- -"@ingram-tech/newsletter": minor ---- - -Validate Supabase rows with Zod at the boundary instead of `as`-casting them, per -the house "validate external input with Zod" rule. Row types are now inferred -from the schemas (single source of truth), the subscribe path now checks the -previously-dropped lookup error, and `zod` is a new runtime dependency. Malformed -rows now throw a clear validation error rather than flowing through as a bad type. diff --git a/.changeset/nk-auth-supabase-ssl-pool.md b/.changeset/nk-auth-supabase-ssl-pool.md deleted file mode 100644 index 5a2fbd9..0000000 --- a/.changeset/nk-auth-supabase-ssl-pool.md +++ /dev/null @@ -1,10 +0,0 @@ ---- -"@ingram-tech/nk-auth": patch ---- - -`createAuthPool` now connects to managed Postgres (e.g. Supabase) over TLS -without chain verification when no `caCert` is given and the host is remote — -Supabase's cert chain isn't in Node's trust store, so plain `pg` verification -fails with "self-signed certificate in certificate chain" (this 500'd peppost's -login in production). Local connections stay non-TLS; `caCert` still does full -verification. `sslmode` is stripped from the URL so `pg` honors the ssl object. diff --git a/.changeset/strict-no-bang-no-any.md b/.changeset/strict-no-bang-no-any.md deleted file mode 100644 index 4fb0457..0000000 --- a/.changeset/strict-no-bang-no-any.md +++ /dev/null @@ -1,9 +0,0 @@ ---- -"@ingram-tech/biome-config": minor ---- - -Enforce `noNonNullAssertion` and `noExplicitAny` as **errors** (previously -`warn`), so the house rules "no non-null `!`" and "no `any`" actually fail -`biome check` instead of only being documented. Sites that currently rely on `!` -or explicit `any` will see new errors — replace `!` with guard clauses / optional -chaining, and give `any` a real type (or `unknown` + narrowing). diff --git a/packages/agent-guide/CHANGELOG.md b/packages/agent-guide/CHANGELOG.md index 694c538..40976fc 100644 --- a/packages/agent-guide/CHANGELOG.md +++ b/packages/agent-guide/CHANGELOG.md @@ -1,5 +1,21 @@ # @ingram-tech/agent-guide +## 0.2.0 + +### Minor Changes + +- d6bd292: Add a "Route & URL conventions" section: `/api/…` is the public API only, and all + plumbing lives under `/internal/…` — the OAuth/app-install handshake at + `/internal/connect//{start,callback}`, inbound provider webhooks at + `/internal/webhooks/`, and workers/crons at `/internal/{worker,cron}/`. + Keeps connector wiring consistent across nextkit apps. + +### Patch Changes + +- 56b48c3: Note that `nk` is optional convenience that only orchestrates the standard tools + — a nextkit site must stay buildable with plain `next build` / `next dev`. Keeps + the agent guide consistent with the prime directive. + ## 0.1.1 ### Patch Changes diff --git a/packages/agent-guide/package.json b/packages/agent-guide/package.json index f549ac9..5b7d9c5 100644 --- a/packages/agent-guide/package.json +++ b/packages/agent-guide/package.json @@ -1,6 +1,6 @@ { "name": "@ingram-tech/agent-guide", - "version": "0.1.1", + "version": "0.2.0", "description": "Brief nextkit conventions for AI agents — imported into a consuming site's CLAUDE.md so guidance propagates with version bumps.", "license": "MIT", "repository": { diff --git a/packages/biome-config/CHANGELOG.md b/packages/biome-config/CHANGELOG.md new file mode 100644 index 0000000..1696054 --- /dev/null +++ b/packages/biome-config/CHANGELOG.md @@ -0,0 +1,11 @@ +# @ingram-tech/biome-config + +## 0.2.0 + +### Minor Changes + +- c763c17: Enforce `noNonNullAssertion` and `noExplicitAny` as **errors** (previously + `warn`), so the house rules "no non-null `!`" and "no `any`" actually fail + `biome check` instead of only being documented. Sites that currently rely on `!` + or explicit `any` will see new errors — replace `!` with guard clauses / optional + chaining, and give `any` a real type (or `unknown` + narrowing). diff --git a/packages/biome-config/package.json b/packages/biome-config/package.json index 6e1cdd3..98b602f 100644 --- a/packages/biome-config/package.json +++ b/packages/biome-config/package.json @@ -1,6 +1,6 @@ { "name": "@ingram-tech/biome-config", - "version": "0.1.0", + "version": "0.2.0", "description": "Shared Biome configuration for Ingram Technologies Next.js projects.", "license": "MIT", "repository": { diff --git a/packages/bot-protection/CHANGELOG.md b/packages/bot-protection/CHANGELOG.md index ee6a49d..9a50efd 100644 --- a/packages/bot-protection/CHANGELOG.md +++ b/packages/bot-protection/CHANGELOG.md @@ -1,5 +1,14 @@ # @ingram-tech/bot-protection +## 0.3.1 + +### Patch Changes + +- 3904231: Clarify in the timing-token docs that it is a _timing-window_ gate, not a + per-submission nonce: a token can be replayed within its `[minMs, maxMs]` window, + so it composes with the honeypot and BotID layers rather than providing single-use + semantics on its own. + ## 0.3.0 ### Minor Changes diff --git a/packages/bot-protection/package.json b/packages/bot-protection/package.json index d3ce208..b34f370 100644 --- a/packages/bot-protection/package.json +++ b/packages/bot-protection/package.json @@ -1,6 +1,6 @@ { "name": "@ingram-tech/bot-protection", - "version": "0.3.0", + "version": "0.3.1", "description": "Invisible, layered bot protection for forms — honeypot + signed timing token + Vercel BotID.", "license": "MIT", "type": "module", diff --git a/packages/email/CHANGELOG.md b/packages/email/CHANGELOG.md index 3a12745..0976f91 100644 --- a/packages/email/CHANGELOG.md +++ b/packages/email/CHANGELOG.md @@ -1,5 +1,13 @@ # @ingram-tech/email +## 0.1.2 + +### Patch Changes + +- 568ea58: `keys()` now narrows the validated env vars with a combined guard instead of + `as string` casts — no behavior change, but it follows the house "no `as` on + external input" rule that the package documents. + ## 0.1.1 ### Patch Changes diff --git a/packages/email/package.json b/packages/email/package.json index de9007a..e8eaee4 100644 --- a/packages/email/package.json +++ b/packages/email/package.json @@ -1,6 +1,6 @@ { "name": "@ingram-tech/email", - "version": "0.1.1", + "version": "0.1.2", "description": "Zero-dependency Cloudflare Email Sending client for Ingram Technologies Next.js projects.", "license": "MIT", "type": "module", diff --git a/packages/newsletter/CHANGELOG.md b/packages/newsletter/CHANGELOG.md index 1228f6f..32112d3 100644 --- a/packages/newsletter/CHANGELOG.md +++ b/packages/newsletter/CHANGELOG.md @@ -1,5 +1,20 @@ # @ingram-tech/newsletter +## 0.3.0 + +### Minor Changes + +- 16abb6f: Validate Supabase rows with Zod at the boundary instead of `as`-casting them, per + the house "validate external input with Zod" rule. Row types are now inferred + from the schemas (single source of truth), the subscribe path now checks the + previously-dropped lookup error, and `zod` is a new runtime dependency. Malformed + rows now throw a clear validation error rather than flowing through as a bad type. + +### Patch Changes + +- Updated dependencies [568ea58] + - @ingram-tech/email@0.1.2 + ## 0.2.0 ### Minor Changes diff --git a/packages/newsletter/package.json b/packages/newsletter/package.json index 6848734..0b73ab5 100644 --- a/packages/newsletter/package.json +++ b/packages/newsletter/package.json @@ -1,6 +1,6 @@ { "name": "@ingram-tech/newsletter", - "version": "0.2.0", + "version": "0.3.0", "description": "Supabase-backed newsletter subscriptions + sending, with RFC 8058 one-click unsubscribe.", "license": "MIT", "type": "module", diff --git a/packages/nk-auth/CHANGELOG.md b/packages/nk-auth/CHANGELOG.md new file mode 100644 index 0000000..fe7576c --- /dev/null +++ b/packages/nk-auth/CHANGELOG.md @@ -0,0 +1,12 @@ +# @ingram-tech/nk-auth + +## 0.2.2 + +### Patch Changes + +- 564413c: `createAuthPool` now connects to managed Postgres (e.g. Supabase) over TLS + without chain verification when no `caCert` is given and the host is remote — + Supabase's cert chain isn't in Node's trust store, so plain `pg` verification + fails with "self-signed certificate in certificate chain" (this 500'd peppost's + login in production). Local connections stay non-TLS; `caCert` still does full + verification. `sslmode` is stripped from the URL so `pg` honors the ssl object. diff --git a/packages/nk-auth/package.json b/packages/nk-auth/package.json index bdc7e8d..b7ea99d 100644 --- a/packages/nk-auth/package.json +++ b/packages/nk-auth/package.json @@ -1,6 +1,6 @@ { "name": "@ingram-tech/nk-auth", - "version": "0.2.1", + "version": "0.2.2", "description": "The Ingram Better Auth foundation: composable presets (org, dual-shape JWT, Supabase RLS bridge, active-org hooks, pg pool) for Next.js sites.", "license": "MIT", "type": "module",