
@flowcore-machine
Contributor

🤖 I have created a release beep boop

1.2.4 (2026-01-20)

Bug Fixes

  • remove audience parameter from Keycloak config to fix production auth (5e8e654)

This PR was generated with Release Please. See documentation.

@github-actions

📋 Approved Violation Exceptions

This PR can reference the following approved violation exceptions. Any violations matching these exceptions will be automatically waived during validation.

Total Active Exceptions: 0

No exceptions registry found.


💡 How Exception Validation Works:

  1. Validator checks if your code violation matches an exception in the table
  2. Verifies the commit SHA exists in this PR
  3. Fetches the detailed exception documentation from Usable
  4. Validates the exception has proper approval and justification
  5. If all checks pass, the violation is waived

📝 To add a new exception: Follow the guidelines in VIOLATION_EXCEPTIONS.md

🔄 This comment is automatically updated when VIOLATION_EXCEPTIONS.md changes

@github-actions

🤖 Security Validation

PR Validation Report

Summary

This PR primarily consists of a version bump, a formatting change, and a bug fix related to Keycloak authentication configuration. The change in lib/auth.ts removes the audience parameter from the Keycloak configuration to address a production authentication issue. While this is a bug fix, changes to authentication mechanisms always warrant careful review for potential security implications. The logging of a token prefix in lib/services/usable-api.service.ts is a good practice for debugging sensitive information.

Critical Security Vulnerabilities 🔴

No critical security vulnerabilities were identified in this PR.

High-Risk Security Issues 🟡

  • Authentication Configuration Change
    • Severity: High
    • Location: lib/auth.ts:129
    • Issue Type: Authentication Configuration
    • Current Code:
              scope: "openid email profile offline_access",
      -          audience: env.USABLE_CLIENT_ID,
              // Enable PKCE (Proof Key for Code Exchange) to prevent double-submit and code replay attacks
              code_challenge_method: "S256",
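Review bot: With the `audience: env.USABLE_CLIENT_ID` request parameter gone, nothing on the client side asks Keycloak to put `USABLE_CLIENT_ID` into the `aud` claim any more, so the audience of issued tokens is now decided entirely by the Keycloak client's scope and mapper configuration; the PR should record that the resource server still rejects tokens whose `aud` does not name it, otherwise this change silently widens where these tokens are accepted. The retained comment on the following line also misdescribes PKCE: RFC 7636 protects against authorization-code interception, while "double-submit" is a CSRF cookie pattern, so `// Enable PKCE (Proof Key for Code Exchange) to prevent double-submit and code replay attacks` would be more accurate as `// Enable PKCE (Proof Key for Code Exchange) to prevent authorization code interception`.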
    • Security Concern: The removal of the audience parameter from the Keycloak configuration is stated as a fix for production authentication. While this resolves a functional issue, changes to authentication parameters can have security implications. Depending on the Keycloak setup and the role of USABLE_CLIENT_ID, removing the audience could potentially broaden the scope of tokens, making them acceptable to unintended resource servers if not properly managed elsewhere.
    • Recommended Fix: Verify that removing the audience parameter does not inadvertently allow tokens to be used by unauthorized services or broaden the attack surface. Ensure that the intended resource server still correctly validates the token's audience, even if it's not explicitly requested during the authorization flow. A thorough understanding of the Keycloak configuration and its interaction with the USABLE_CLIENT_ID is crucial.
    • Standard Reference: Authentication & Authorization standards.

Security Improvements 🔵

No specific security improvements were introduced by this PR beyond standard debugging practices.

Security Standards References

  • Next.js 15 Performance & Security Guidance (fragmentId: 34871d5b-631a-48e5-a557-18487843b56a)
  • NextJS 15 API Development - Critical LLM Rules (fragmentId: 2d6faeb9-e809-4743-8962-7ebb28103841)
  • General security best practices for authentication, authorization, input validation, and sensitive data protection as outlined in the system instructions.

Security Violation Exceptions Applied

No exceptions applied.

Validation Outcome

  • Status: PASS ✅
  • Critical Vulnerabilities: 0
  • High-Risk Issues: 1
  • Security Improvements: 0
  • Exceptions Applied: 0

See the pinned "📋 Approved Violation Exceptions" comment for the full exceptions registry
Validated against security best practices from Usable workspace
Generated by Gemini CLI + Usable MCP



@github-actions

🤖 Standards Validation

PR Validation Report

Summary

This is a routine release PR generated by release-please to publish version 1.2.4. The primary change is a bug fix that removes the audience parameter from the Keycloak authentication configuration in lib/auth.ts, which is intended to resolve an issue in the production environment. All other changes are related to the version bump and changelog update. The validation confirms that the changes are appropriate for a release and do not introduce any violations of core standards.

Critical Violations ❌

No critical violations were found.

Important Issues ⚠️

No important issues were found.

Suggestions ℹ️

No suggestions.

Validation Outcome

  • Status: PASS ✅
  • Critical Issues: 0
  • Important Issues: 0
  • Suggestions: 0


@suuunly suuunly merged commit 52e8a32 into main Jan 20, 2026
5 checks passed
@suuunly suuunly deleted the release-please--branches--main--components--graphable branch January 20, 2026 16:41
@flowcore-machine
Contributor Author

🤖 Created releases:

