+1 -2

CHANGELOG.md

··· 97 97 - 11 comprehensive test cases for logger functionality 98 98 - Added `DID` field to `internalOAuthState` for reliable session creation 99 99 - Added `JWKSURI` field to `AuthServerMetadata` (not currently used, reserved for future) 100 100 - - Comprehensive JWT validation module (jwt.go) remains available for future use or custom implementations 101 101 - - JWT test suite (jwt_test.go) provides examples of token validation if needed 100 100 + - JWT validation functionality is available in internal/jwt package 102 101 - OAuth state store now includes automatic expiration and cleanup mechanism 103 102 - **SECURITY**: Added comprehensive input validation module (validation.go) 104 103 - Handle format validation using AT Protocol syntax package

+2 -2

TODO.md

··· 204 204 - No signature verification or claim validation performed 205 205 206 206 **Available Resources:** 207 207 - - jwt.go and jwt_test.go remain in codebase for reference or custom implementations 208 208 - - Full JWT validation example code available if needed for other purposes 207 207 + - JWT verification code is in internal/jwt package for internal use only 208 208 + - Not exposed in public API per AT Protocol OAuth specification 209 209 210 210 **Impact:** This is the CORRECT behavior per AT Protocol specification. Client-side JWT validation would be redundant and against spec. 211 211

+36

VERSION.md

··· 76 76 77 77 Track minor version changes here for future releases. 78 78 79 79 + ### v1.1.3 (2025-10-29) 80 80 + 81 81 + **Cleanup** 82 82 + - Removed empty jwt.go file from root directory 83 83 + - JWT functionality remains available in internal/jwt package (unchanged) 84 84 + - Pure housekeeping cleanup from Phase 1 refactoring 85 85 + 86 86 + **Documentation Updates** 87 87 + - CHANGELOG.md: Updated JWT reference to point to internal/jwt 88 88 + - TODO.md: Clarified that JWT code is internal-only per AT Protocol spec 89 89 + - Removed outdated references to jwt.go and jwt_test.go 90 90 + 91 91 + **Technical Details** 92 92 + - jwt.go contained only `package bskyoauth` declaration (1 line, no content) 93 93 + - File was leftover from Phase 1 refactoring when JWT moved to internal/ 94 94 + - Actual JWT verification code remains in internal/jwt/verify.go (unchanged) 95 95 + - internal/jwt package is used internally by the library 96 96 + 97 97 + **No Functional Changes** 98 98 + - ✅ No API changes 99 99 + - ✅ No behavior changes 100 100 + - ✅ No new features 101 101 + - ✅ No bug fixes 102 102 + - ✅ Pure cleanup of empty file 103 103 + 104 104 + **Backward Compatibility** 105 105 + - ✅ 100% compatible with v1.1.2 106 106 + - ✅ No breaking changes 107 107 + - ✅ jwt.go was empty, removal has zero impact 108 108 + - ✅ All existing code continues to work 109 109 + 110 110 + **Why This Matters** 111 111 + - Cleaner codebase without confusing empty files 112 112 + - Accurate documentation reflecting current structure 113 113 + - Clear indication that JWT is internal-only (per AT Protocol OAuth spec) 114 114 + 79 115 ### v1.1.2 (2025-10-29) 80 116 81 117 **Enhancements**

-1

jwt.go

··· 1 1 - package bskyoauth