Version Packages

packages/agent-guide/CHANGELOG.md

@@ -1,5 +1,21 @@
 # @ingram-tech/agent-guide
 
+## 0.2.0
+
+### Minor Changes
+
+- d6bd292: Add a "Route & URL conventions" section: `/api/…` is the public API only, and all
+  plumbing lives under `/internal/…` — the OAuth/app-install handshake at
+  `/internal/connect/<provider>/{start,callback}`, inbound provider webhooks at
+  `/internal/webhooks/<provider>`, and workers/crons at `/internal/{worker,cron}/<name>`.
+  Keeps connector wiring consistent across nextkit apps.
+
+### Patch Changes
+
+- 56b48c3: Note that `nk` is optional convenience that only orchestrates the standard tools
+  — a nextkit site must stay buildable with plain `next build` / `next dev`. Keeps
+  the agent guide consistent with the prime directive.
+
 ## 0.1.1
 
 ### Patch Changes

packages/agent-guide/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@ingram-tech/agent-guide",
-	"version": "0.1.1",
+	"version": "0.2.0",
 	"description": "Brief nextkit conventions for AI agents — imported into a consuming site's CLAUDE.md so guidance propagates with version bumps.",
 	"license": "MIT",
 	"repository": {

packages/biome-config/CHANGELOG.md

@@ -0,0 +1,11 @@
+# @ingram-tech/biome-config
+
+## 0.2.0
+
+### Minor Changes
+
+- c763c17: Enforce `noNonNullAssertion` and `noExplicitAny` as **errors** (previously
+  `warn`), so the house rules "no non-null `!`" and "no `any`" actually fail
+  `biome check` instead of only being documented. Sites that currently rely on `!`
+  or explicit `any` will see new errors — replace `!` with guard clauses / optional
+  chaining, and give `any` a real type (or `unknown` + narrowing).

packages/biome-config/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@ingram-tech/biome-config",
-	"version": "0.1.0",
+	"version": "0.2.0",
 	"description": "Shared Biome configuration for Ingram Technologies Next.js projects.",
 	"license": "MIT",
 	"repository": {

packages/bot-protection/CHANGELOG.md

@@ -1,5 +1,14 @@
 # @ingram-tech/bot-protection
 
+## 0.3.1
+
+### Patch Changes
+
+- 3904231: Clarify in the timing-token docs that it is a _timing-window_ gate, not a
+  per-submission nonce: a token can be replayed within its `[minMs, maxMs]` window,
+  so it composes with the honeypot and BotID layers rather than providing single-use
+  semantics on its own.
+
 ## 0.3.0
 
 ### Minor Changes

packages/bot-protection/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@ingram-tech/bot-protection",
-	"version": "0.3.0",
+	"version": "0.3.1",
 	"description": "Invisible, layered bot protection for forms — honeypot + signed timing token + Vercel BotID.",
 	"license": "MIT",
 	"type": "module",

packages/email/CHANGELOG.md

@@ -1,5 +1,13 @@
 # @ingram-tech/email
 
+## 0.1.2
+
+### Patch Changes
+
+- 568ea58: `keys()` now narrows the validated env vars with a combined guard instead of
+  `as string` casts — no behavior change, but it follows the house "no `as` on
+  external input" rule that the package documents.
+
 ## 0.1.1
 
 ### Patch Changes

packages/email/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@ingram-tech/email",
-	"version": "0.1.1",
+	"version": "0.1.2",
 	"description": "Zero-dependency Cloudflare Email Sending client for Ingram Technologies Next.js projects.",
 	"license": "MIT",
 	"type": "module",

packages/newsletter/CHANGELOG.md

@@ -1,5 +1,20 @@
 # @ingram-tech/newsletter
 
+## 0.3.0
+
+### Minor Changes
+
+- 16abb6f: Validate Supabase rows with Zod at the boundary instead of `as`-casting them, per
+  the house "validate external input with Zod" rule. Row types are now inferred
+  from the schemas (single source of truth), the subscribe path now checks the
+  previously-dropped lookup error, and `zod` is a new runtime dependency. Malformed
+  rows now throw a clear validation error rather than flowing through as a bad type.
+
+### Patch Changes
+
+- Updated dependencies [568ea58]
+  - @ingram-tech/email@0.1.2
+
 ## 0.2.0
 
 ### Minor Changes

packages/newsletter/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@ingram-tech/newsletter",
-	"version": "0.2.0",
+	"version": "0.3.0",
 	"description": "Supabase-backed newsletter subscriptions + sending, with RFC 8058 one-click unsubscribe.",
 	"license": "MIT",
 	"type": "module",

packages/nk-auth/CHANGELOG.md

@@ -0,0 +1,12 @@
+# @ingram-tech/nk-auth
+
+## 0.2.2
+
+### Patch Changes
+
+- 564413c: `createAuthPool` now connects to managed Postgres (e.g. Supabase) over TLS
+  without chain verification when no `caCert` is given and the host is remote —
+  Supabase's cert chain isn't in Node's trust store, so plain `pg` verification
+  fails with "self-signed certificate in certificate chain" (this 500'd peppost's
+  login in production). Local connections stay non-TLS; `caCert` still does full
+  verification. `sslmode` is stripped from the URL so `pg` honors the ssl object.

packages/nk-auth/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@ingram-tech/nk-auth",
-	"version": "0.2.1",
+	"version": "0.2.2",
 	"description": "The Ingram Better Auth foundation: composable presets (org, dual-shape JWT, Supabase RLS bridge, active-org hooks, pg pool) for Next.js sites.",
 	"license": "MIT",
 	"type": "module",