pozylon updated master to fix preserved watch output by moving the TypeScript watch setting into the dev script. The Fastify GraphQL route now uses the handler’s configured endpoint and simplifies request handling by returning the handler response directly.

pozylon pushed a set of auth and type-organization improvements on master: JWT verification now treats malformed JWS tokens as a handled invalid case (reducing noisy auth logs) and adds a comprehensive auth.test.ts suite covering fingerprints, signing, and token validation edge cases. The update also refactors several standalone types.ts files by moving shared types into existing implementation/schema files (e.g., localization types into schemas.ts and inlining system handler option types), and updates ticketing to define TicketingAPI in index.ts.

pozylon updated the API auth flow to drop the jsonwebtoken dependency in favor of jose, making JWT signing/verification async and updating middleware accordingly. The logoutAllSessions mutation was simplified to return only a success response (schema + tests updated), and ACL sensitive action prefixes were tightened (e.g., manageUser/updateUser/createUser).

pozylon fixed OIDC backchannel logout by refactoring it into a unified HTTP route that mounts alongside plugin routes for both Express and Fastify. The update introduces a new route-based backchannel logout implementation with stricter handling and adds comprehensive tests (including JWKS/keypair setup) to verify token verification, error cases, and session invalidation behavior.

pozylon pushed updates adding ACL audit events: permission denials now emit an ACL_DENIED event, and granted checks for “sensitive” actions (e.g., manage/login/reset/create/update) emit ACL_GRANTED_SENSITIVE, with tests updated to register and tolerate the new events. The same push also hardens the email worker’s browser preview by HTML-escaping headers/links/text to prevent injection, and extends the PricingCalculation type with optional discount/tax/pricing fields.

pozylon pushed a major auth overhaul on master, switching the API and OIDC examples (Keycloak/Zitadel) from server-side sessions to stateless JWT authentication. This adds a centralized JWT auth handler with token versioning + fingerprint protection, introduces an OIDC back-channel logout endpoint, and updates the examples to issue local JWTs after OIDC login (with nonce validation) plus a new GraphQL mutation to “logout all sessions” by revoking tokens.

pozylon pushed a major “Refactor Plugin System” update on master, introducing Unchained Engine v5.0 breaking changes. The plugin architecture is modernized to explicit, side‑effect‑free registration via a new PluginRegistry (and preset register* functions), with examples and presets updated accordingly; deprecated GraphQL order mutations/fields and router aliases were removed, and the PayPal Checkout plugin was dropped due to a deprecated SDK. This also adds framework-agnostic plugin route mounting (Express/Fastify via @whatwg-node/server), improves OIDC token verification by switching to jose + JWKS, and updates migration/changelog docs and test scripts to match the new setup.

Unchained Engine v4.6.0 is out with a set of changes documented in the changelog, covering updates that may include new capabilities and fixes across the engine. This release impacts the project by refining core behavior and potentially expanding integration points; users and integrators should review the v4.6.0 changelog for any required upgrades or API/config adjustments. Overall, it’s a mix of improvements (features and bug fixes) depending on what parts of the engine you use.

Unchained Engine v4.4.0 is out with the full set of changes detailed in the changelog (link in the release notes). This release brings a mix of updates to the engine—potentially including new capabilities and fixes—so users and integrators should review the v4.4.0 changelog to understand what to upgrade for and whether any integration adjustments are needed; overall it’s both a feature and bug-fix release.

Unchained Engine v4.2.0 is a feature-and-fixes release; the full list of changes is documented in the changelog. It updates core engine behavior and integrations, which may require users and integrators to review the changelog for any configuration or API adjustments and to take advantage of new capabilities and bug fixes.

Unchained Engine v4.0.0 (“Tell”) is a major release with changes detailed in the project changelog, and it likely includes a mix of new functionality and breaking updates. This release impacts the core engine behavior and may require users and integrators to review the changelog and update their implementations accordingly (e.g., adapting to updated APIs/configuration). Overall it’s a major feature-and-fix release with potential migration work for existing deployments.