00.70.00

Release date: 2026-05-31 Previous release: 00.60.00 Maven coordinates (parent): com.svenruppert:security-for-flow-parent:00.70.00

Closes the Konzept-V00.70 milestone — all eight phases ship: multi-tenant foundation (TenantId / ResourceRef), 11 persistence-store SPIs with an Eclipse-Store reference layer, store-backed services on top of those SPIs, SecurityVersion drift-detection end-to-end across Vaadin / REST / standalone, the Policy + Method-Security annotation processor, hierarchy-aware permissions, account-lifecycle services (password reset, email verification, API keys, rotating refresh tokens, sliding-window rate limit), and a Phase-8 UI layer with secured Vaadin components plus an OpenAPI security-metadata exporter.

No breaking API change for code that already used the 00.60 contracts. New SPIs are opt-in and marked @ExperimentalSecurityApi while the V00.70 surface settles.

Highlights

• 13 reactor modules — security-persistence-testkit and security-persistence-eclipsestore join the library.
• Multi-tenancy foundation — TenantId(value) with DEFAULT, tenant-aware ResourceRef and ResourceAccessContext; every Phase-2 store key and Phase-4/7 service is tenant-scoped.
• 11 persistence-store SPIs — AuditEventStore, SessionStore, LoginAttemptStore, RoleAssignmentStore, BootstrapStateStore, RememberMeTokenStore, PasswordResetTokenStore, EmailVerificationTokenStore, ApiKeyStore, RefreshTokenStore, RateLimitStore — every record hash-only or single-use as appropriate, every key tenant-scoped. See Persistence.
• Contract testkit + Eclipse-Store reference — security-persistence-testkit ships @Test default contracts that any store adapter implements; security-persistence-eclipsestore is validated by the same 95+ contract suite as the in-memory defaults.
• SecurityVersion drift detection end-to-end — role refresh for active sessions: sealed SecurityVersionStatus(Current | Drifted), SecurityVersionEnforcer, the SessionStale audit event, a Vaadin enforcer listener (reroutes drifted sessions to login) and a REST filter (401 + WWW-Authenticate: SessionStale, RFC 7235).
• Six store-backed services — drop-in replacements for the in-memory defaults once a real store is wired.
• Method-Security annotation processor — @Secured concrete classes get a generated <Type>Secured subclass at compile time; the runtime SecuredProxy.wrap(...) path is the dynamic-proxy companion. Both route through one SecurityEnforcer. See Method Security.
• Policy API — @RequiresPolicy, PolicyRegistry, sealed PolicyDecision(Allowed | Denied | StepUpRequired). See Policy API.
• Account-lifecycle stack — PasswordResetService + EmailVerificationService with a SecurityNotificationSender SPI (LoggingNotificationSender default).
• API keys + rotating refresh tokens — ApiKeyAuthenticationService, TokenService with replay-defense via markReplaced(...) chain links.
• Sliding-window RateLimitPolicy — pluggable per-scope rate limit, separate from LoginAttemptPolicy.
• Hierarchy-aware permissions — RoleHierarchy SPI; two new annotations @RequiresAnyPermission, @RequiresAllPermissions.
• Phase-8 secured Vaadin components — SecuredButton (default DISABLE), SecuredRouterLink (default HIDE), SecuredMenuItem, plus SessionManagementView and an OpenApiSecurityMetadataGenerator.
• 27 sealed AuditEvent variants — 11 new on top of the 16 from 00.60.

Module structure (10 → 13)

New decision hierarchies (sealed)

Mutation coverage

The parent POM’s pitest-test-classes typo (junit.com.svenruppert.* → com.svenruppert.*) was fixed — these are the first accurate measurements since the property regressed.

¹ The security-vaadin dip reflects the Phase-4c enforcer listener and the Phase-8 components landing — the gap is dominated by VoidMethodCallMutator survivors on component-construction setters with no testable side effect. Absolute kill count rose from ~91 (00.60) to 242 (00.70).

² security-processor is 82 % with 100 % line coverage; the five survivors are BooleanFalseReturnValsMutator flips on internal guard returns.

Reactor totals: 1655+ tests across 14 modules, all green under ./mvnw verify.

Migration from 00.60.00

Source-compatible. Code using the 00.60 contracts compiles unchanged. The deltas worth knowing:

1. POMs — version property is now 00.70.00.
2. Sealed AuditEvent switches — an exhaustive switch over AuditEvent needs cases for the 11 new variants (SessionStale, PasswordResetRequested, PasswordResetCompleted, EmailVerificationRequested, EmailVerified, ApiKeyUsed, ApiKeyDenied, TokenRotated, RateLimitExceeded, PolicyEvaluated, StepUpChallenged). The compiler enforces this, so it’s hard to miss.
3. PIT property typo fix — pitest-test-classes corrected to com.svenruppert.*.
4. Optional security-persistence-eclipsestore — wire it as a runtime dependency to swap every InMemory*Store default for the durable Eclipse-Store impl. Registration via META-INF/services/; no code change in the consuming application.

Build

• Java 26 (sealed types, records, pattern matching)
• Vaadin 25.1.1 (vaadin-core, no Hilla)
• Jetty 12.1.8 EE11 for the Vaadin demos
• Maven 4 (pinned via ./mvnw; minimum 4.0.0-rc-5)
• Eclipse Store 4.1.0 — optional, only for security-persistence-eclipsestore
• proxybuilder 00.11.00 — for the compile-time annotation processor
• ./mvnw verify builds all 14 modules + demos; library javadocs build clean.