# Changelog

## 0.3.0

- Makes `@smb-tech/logger-core` and `@smb-tech/logger-node` required runtime dependencies.
- Routes every `createLogger()` event through `NodeLogger` and the canonical SMB logging schema.
- Removes the secondary JSON serializer, direct console fallback and legacy `writer` option.
- Renames lower-level logger lifecycle APIs to `initializeLogger()`, `shutdownLogger()` and `LoggerInitializationOptions`.
- Adds centralized, idempotent `initializeServiceFramework()` and `shutdownServiceFramework()` APIs.
- Supports code-based logging configuration with environment-variable fallbacks and clean logger shutdown.
- Uses logger-node `RequestContextStore` as the single AsyncLocalStorage for tracing, MDC and logging.
- Removes the trace runtime adapter and the service framework's duplicate AsyncLocalStorage.
- Adds the ESM/CommonJS/TypeScript `@smb-tech/service-framework-js/runtime` export.
- Adds an extensible request-scoped MDC contract with protected framework fields.
- Adds `setMdcField`, `setMdcFields`, `getMdc`, `removeMdcField` and concurrency-safe `withMdc`.
- Moves trace, client and service metadata from log `data` into `mdc`.
- Keeps operational event fields in `data` and prevents reserved MDC fields from being duplicated there.
- Preserves MDC through asynchronous Next.js handlers, Express middleware, errors and response completion.
- Adds Express request completion logging with `finish`/`close` deduplication.
- Merges SMB OAuth, JWT, assertion and P12 fields into logger-core's final sensitive-key policy.
- Redacts URL credentials, OAuth fragments, authorization codes, custom query secrets and binary values.
- Handles cyclic arrays safely and prevents custom redaction options from disabling mandatory SMB defaults.
- Adds sanitized `HTTP request failed` logs for Next.js and Express under the original request MDC.
- Reuses the Express service logger for trace, error and completion lifecycle events.
- Adds the reserved `meta.error` logging contract and routes exceptions through `LogEvent.error()`.
- Serializes native JavaScript errors, causes, `AggregateError` entries and `DOMException` metadata.
- Normalizes non-`Error` thrown values, including `undefined`, primitives, functions and circular objects.
- Preserves `AppError` code, HTTP status, exposure policy, redacted details and recursively normalized causes.
- Prevents hostile or malformed thrown values from breaking exception logging.
- Adds reusable default and type-specific error policies for log severity, operational classification and reporting.
- Applies custom error policy resolvers to Next.js route handlers and the Express error handler.
- Preserves nested `cause` chains and safely serializes mixed, circular and bounded `AggregateError` entries.
- Reports aggregate entry counts and truncation without exposing sensitive nested values.
- Unifies Next.js, Express and Fastify error presentation, policy resolution and request-failure logging.
- Keeps the Fastify request MDC active through the framework continuation and error handler.
- Falls back safely when application error policies or logging implementations fail.
- Sanitizes and bounds public descriptions and prevents CRLF injection in authentication headers.
- Requires an explicit non-production option before exposing internal development messages.
- Adds a dedicated error-contract regression suite covering thrown-value matrices, policies, causes, aggregates, security and framework adapters.
- Adds `npm run test:errors` for focused validation of the complete error-handling contract.
- Prevents internal error messages from leaking through the public `ErrorPresentation.logContext`.
- Adds the OAuth-neutral `createNextApiService()` preset with route, logger, HTTP client and lifecycle helpers.
- Adds reusable service HTTP configuration from `SERVICE_HTTP_*` environment variables.
- Routes reserved `meta.tags` into the canonical top-level tags array with validation and deduplication.
- Adds `oauth_key_signature` to mandatory sensitive-data redaction.
- Keeps exception details out of log `data` and applies sensitive-data redaction before serialization.
- Adds dedicated MDC contract tests for scoped restoration, limits, immutable snapshots and concurrent isolation.
- Adds concurrent Next.js and real Express lifecycle integration tests, including traced errors and completion logs.
- Adds migration contract tests and a service-by-service migration guide from `0.2.x`.
- Adds internal and external HTTP profiles with explicit trace propagation controls.
- Adds bounded response buffering, validated timeouts/retries and configurable response body logging.
- Adds a reusable remote JWKS resolver with URI caching and concurrent request deduplication.
- Secures remote JWKS loading with HTTPS, host/port allowlists, private-network blocking and redirect validation.
- Enforces JWKS response-size, key-count, key-type, algorithm, duplicate-`kid` and public-key-only policies.
- Routes `JwksTokenVerifier` remote key loading through the hardened resolver while preserving existing configuration.
- Adds the unified `OAuthAssertionSigner` contract for client assertions and JWT bearer grant assertions.
- Lets `OAuthGatewayClient` generate and sign both assertion types internally from one configured signer.
- Adds arbitrary JWT bearer claims plus separate assertion and token-request scope controls.
- Preserves pre-signed JWT bearer assertions and the legacy `clientAssertionSigner` configuration.
- Adds optional environment-driven assertion signer creation to `createOAuthGatewayClientFromEnv()`.
- Separates `CORE_OAUTH_ASSERTION_AUDIENCE` from inbound token validation audience configuration.
- Validates custom claims as bounded, deeply cloned JSON and rejects unsafe keys, cycles and accessors.
- Bounds OAuth assertion TTL to 1-600 seconds across runtime signers and CLI commands.
- Caches verified P12 key material and derived `kid` once per active signing-key generation.
- Verifies that the selected alias certificate matches its RSA private key before signing.
- Adds lazy cache invalidation and atomic signing-key rotation with rollback on candidate failure.
- Exposes public signing-key metadata and rotation controls through `OAuthGatewayClient`.
- Adds normalized OAuth configuration, P12, certificate, alias and assertion-signing errors.
- Adds sanitized key lifecycle and assertion-signing logs without tokens, assertions, P12 or passwords.
- Adds end-to-end OAuth assertion tests with real in-memory P12 material and RS256 verification.
- Verifies automatic Client Credentials and JWT bearer forms, custom claims, key rotation rollback and log redaction.
- Adds runnable environment-based examples for both automatic OAuth assertion grants.
- Documents migration from JKS, external binaries and manually generated assertions to the `0.3.0` P12 client.

## 0.2.0

- Adds first-class presets for Next.js BFFs, Express APIs and internal service clients.
- Adds simplified per-route scope configuration for Next.js and Express presets.
- Adds OAuth Authorization Server Metadata discovery for issuer and JWKS configuration.
- Adds optional, failure-isolated HTTP, token validation, JWKS refresh and authentication failure hooks.
- Publishes a formal `npx` CLI for client assertions, JWT bearer assertions and P12/password Base64 encoding.
- Adds a packed-tarball consumer smoke test for ESM, CommonJS, subpaths, declarations and CLI resolution.

## 0.1.0

- Initial SMB Tech service framework package.
- Adds tracing, logging, REST client logging, OAuth2 validation, PKCS#12/P12-based assertion signing, standard errors and framework adapters.