Context
From a project-quality review. The engineering fundamentals are strong (correct token rotation + reuse detection, constant-time comparisons, RS256 pinned, fail-closed secrets, broad test coverage). The gaps to a broad "yes, use this in production" recommendation are about project maturity, not code quality. This is a tracking issue for those.
Milestones
Why it matters
For an auth server, longevity, audit attestation, and maintainer responsiveness weigh as heavily as code quality for adopters in regulated or high-stakes contexts.
Context
From a project-quality review. The engineering fundamentals are strong (correct token rotation + reuse detection, constant-time comparisons, RS256 pinned, fail-closed secrets, broad test coverage). The gaps to a broad "yes, use this in production" recommendation are about project maturity, not code quality. This is a tracking issue for those.
Milestones
GET /logout). Ties into the error-shape and per-flow contract issues.Why it matters
For an auth server, longevity, audit attestation, and maintainer responsiveness weigh as heavily as code quality for adopters in regulated or high-stakes contexts.