Skip to content

Path to 1.0: production-readiness and adoption gaps #66

Description

@Bccorb

Context

From a project-quality review. The engineering fundamentals are strong (correct token rotation + reuse detection, constant-time comparisons, RS256 pinned, fail-closed secrets, broad test coverage). The gaps to a broad "yes, use this in production" recommendation are about project maturity, not code quality. This is a tracking issue for those.

Milestones

  • Stable, documented contract + 1.0. Freeze route/schema/token/status-code contract; finish in-flight deprecations (e.g. GET /logout). Ties into the error-shape and per-flow contract issues.
  • Independent security audit / pentest you can cite, focused on the auth, token, OTP, session, and crypto paths.
  • Reduce bus factor — a second maintainer or an org/sponsor backing, so CVE response does not depend on one person.
  • Licensing path for AGPL-averse adopters — evaluate a dual-license / commercial option so the AGPL-3.0 terms are not a hard blocker for companies.
  • Reference production deployment(s) / case study to demonstrate real-world operation.

Why it matters

For an auth server, longevity, audit attestation, and maintainer responsiveness weigh as heavily as code quality for adopters in regulated or high-stakes contexts.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requesthelp wantedExtra attention is needed

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions