0.0.0-beta.2

.github/dependabot.yml

@@ -5,7 +5,11 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+    groups:
+      everything:
+        patterns:
+          - "*"
   - package-ecosystem: npm
     directory: "/"
     schedule:
-      interval: "weekly"
+      interval: "weekly"

.github/workflows/release.yml

@@ -4,6 +4,8 @@ on:
   pull_request:
     types: [closed]
     branches: [main]
+    paths:
+      - 'package.json'
 
 env:
   NODE_VERSION: 24.x

.github/workflows/test-sast.yml

@@ -1,4 +1,4 @@
-name: "Test (sast)"
+name: Tests (sast)
 
 on:
   pull_request:
@@ -31,7 +31,7 @@ jobs:
           ignore-unfixed: true
           exit-code: 1
           format: github
-  
+
   trivy-license:
     name: "Trivy: Licensing"
     runs-on: ubuntu-latest
@@ -56,12 +56,12 @@ jobs:
           hide-progress: true
           exit-code: 0
           format: table
-  
+
   lockfile:
     name: "lockfile-lint: SAST package-lock.json"
     runs-on: ubuntu-latest
     if: (github.actor != 'dependabot[bot]')
-    
+
     steps:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -77,7 +77,7 @@ jobs:
         run: |
           ./node_modules/.bin/lockfile-lint --path package-lock.json --type npm --allowed-hosts npm --validate-https
 
-        
+
   # https://github.com/github/codeql-action
   codeql:
     name: "CodeQL: SAST"

.github/workflows/test-types.yml

@@ -0,0 +1,29 @@
+name: Tests (types)
+
+on:
+  pull_request:
+
+env:
+  NODE_VERSION: 24.x
+
+permissions:
+  contents: read
+
+jobs:
+  types:
+    name: Tests (types)
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Setup Node.js ${{ env.NODE_VERSION }}
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          registry-url: https://registry.npmjs.org
+      - name: Install dependencies
+        run: |
+          npm ci --ignore-scripts
+      - name: Check typings
+        run: npm run test:types

.github/workflows/website-cloudflare-pages.yml

@@ -0,0 +1,47 @@
+name: Publish Website
+
+on:
+  workflow_dispatch:
+  push:
+    paths:
+      - "websites/**"
+    branches:
+      - main
+
+env:
+  NODE_VERSION: 24.x
+  DOMAIN_NAME: 1auth.js.org
+
+permissions:
+  contents: read
+
+jobs:
+  website:
+    name: Publish website
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Setup Node.js ${{ env.NODE_VERSION }}
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          registry-url: "https://registry.npmjs.org"
+      - name: Install dependencies
+        run: |
+          npm ci --ignore-scripts --workspace websites/${{ env.DOMAIN_NAME }}
+      - name: Build website
+        working-directory: websites/${{ env.DOMAIN_NAME }}
+        run: |
+          npm run build
+      - name: Publish website
+        uses: cloudflare/wrangler-action@da0e0dfe58b7a431659754fdf3f186c529afbe65 # v3.14.1
+        with:
+          workingDirectory: websites/${{ env.DOMAIN_NAME }}
+          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          command: |
+            pages deploy

README.md

@@ -5,7 +5,7 @@
 <p>
   <a href="https://github.com/willfarrell/1auth/actions/workflows/test-unit.yml"><img src="https://github.com/willfarrell/1auth/actions/workflows/test-unit.yml/badge.svg" alt="GitHub Actions unit test status"></a>
   <a href="https://github.com/willfarrell/1auth/actions/workflows/test-dast.yml"><img src="https://github.com/willfarrell/1auth/actions/workflows/test-dast.yml/badge.svg" alt="GitHub Actions dast test status"></a>
-  <a href="https://github.com/willfarrell/1auth/actions/workflows/test-perf.yml"><img src="https://github.com/willfarrell/1auth/actions/workflows/test-pref.yml/badge.svg" alt="GitHub Actions perf test status"></a>
+  <a href="https://github.com/willfarrell/1auth/actions/workflows/test-perf.yml"><img src="https://github.com/willfarrell/1auth/actions/workflows/test-perf.yml/badge.svg" alt="GitHub Actions perf test status"></a>
   <a href="https://github.com/willfarrell/1auth/actions/workflows/test-sast.yml"><img src="https://github.com/willfarrell/1auth/actions/workflows/test-sast.yml/badge.svg" alt="GitHub Actions SAST test status"></a>
   <a href="https://github.com/willfarrell/1auth/actions/workflows/test-lint.yml"><img src="https://github.com/willfarrell/1auth/actions/workflows/test-lint.yml/badge.svg" alt="GitHub Actions lint test status"></a>
   <br/>
@@ -134,4 +134,4 @@ session({
 
 ## License
 
-Licensed under [MIT License](LICENSE). Copyright (c) 1985-2025 [will Farrell](https://github.com/willfarrell) and all [contributors](https://github.com/willfarrell/1auth/graphs/contributors).
+Licensed under [MIT License](LICENSE). Copyright (c) 2020-2026 [will Farrell](https://github.com/willfarrell) and [contributors](https://github.com/willfarrell/1auth/graphs/contributors).

SECURITY.md

@@ -28,8 +28,20 @@ Only the latest major version is supported for security updates.
 
 ## Threat model
 
+The primary threats this library is designed to mitigate:
+
+- **Credential stuffing / brute force:** Timing-safe authentication with minimum duration (`setTimeout`), Argon2id password hashing with configurable cost.
+- **Session hijacking:** HMAC-signed session IDs, encrypted session storage, per-session encryption keys.
+- **Credential theft at rest:** Per-record ChaCha20-Poly1305 encryption with per-user derived keys.
+- **Account enumeration:** Constant-time authentication responses via `setTimeout` to prevent timing side-channels.
+- **Token replay:** OTP tokens are expired/removed after single use.
+
 ## Trust Boundaries
 
+- **Client ↔ Application Server:** All user inputs (credentials, tokens, session IDs) are validated at entry.
+- **Application Server ↔ Database:** All sensitive fields are encrypted before storage; digests are used for lookups instead of plaintext.
+- **Application Server ↔ Notification Service:** Tokens are sent through notification channels, never returned in API responses directly.
+
 ## Reporting a Vulnerability
 
 The core OSS team and community take all security vulnerabilities

biome.json

@@ -1,12 +1,12 @@
 {
-	"$schema": "https://biomejs.dev/schemas/2.3.14/schema.json",
+	"$schema": "https://biomejs.dev/schemas/2.4.6/schema.json",
 	"vcs": {
-		"enabled": false,
+		"enabled": true,
 		"clientKind": "git",
-		"useIgnoreFile": false
+		"useIgnoreFile": true
 	},
 	"files": {
-		"ignoreUnknown": false
+		"ignoreUnknown": true
 	},
 	"formatter": {
 		"enabled": true,
@@ -15,9 +15,21 @@
 	"linter": {
 		"enabled": true,
 		"rules": {
-			"recommended": true
+			"recommended": true,
+			"complexity": {
+				"noBannedTypes": "off"
+			},
+			"correctness": {
+				"noUnusedFunctionParameters": "off"
+			},
+			"suspicious": {
+				"noExplicitAny": "off"
+			}
 		}
 	},
+	"html": {
+		"experimentalFullSupportEnabled": true
+	},
 	"javascript": {
 		"formatter": {
 			"quoteStyle": "double"
@@ -30,5 +42,15 @@
 				"organizeImports": "on"
 			}
 		}
-	}
+	},
+	"overrides": [
+		{
+			"includes": ["**/*.svelte"],
+			"css": {
+				"linter": {
+					"enabled": false
+				}
+			}
+		}
+	]
 }

docs/GOVERNANCE.md

@@ -2,15 +2,15 @@
 
 ## Roles
 
-### [Owner](TODO link to org group)
+### [Owner](https://github.com/orgs/1auth-js/teams/owner)
 
 Also known as a core maintainer. Have a long history with the project, have a deep understanding of the codebase, and decide the direction of the project.
 
-### [Security](TODO link to org group)
+### [Security](https://github.com/orgs/1auth-js/teams/security)
 
 Are responsible to respond and remediate security disclosures.
 
-### [Reviewer](TODO link to org group)
+### [Reviewer](https://github.com/orgs/1auth-js/teams/reviewer)
 
 Group of people responsible for reviewing pull requests.
 

license.json

@@ -24,6 +24,7 @@
 		"**/*.md",
 		"**/*.yml",
 		"test/**/*",
-		"website/**/*"
+		"websites/**/*",
+		".DS_Store"
 	]
 }