Made in the European Union · Independently built · Released under EUPL 1.2

00.72.00

Latest release — available on Maven Central. This is the current published version; the credential stack from 00.71.00 ships as part of this line. The public DX types carry @ExperimentalSecurityApi until the wiring follow-ups planned for V00.73.

Release date: 2026-06-08
Previous release: 00.71.00
Maven coordinates (parent): com.svenruppert:security-for-flow-parent:00.72.00

The developer-experience release. It introduces no new security primitives and replaces no SPI — it lowers the integration barrier built up across V00.60–V00.71 with a typed fluent bootstrap, a dependency-free @SecurityAutoService processor, a Vaadin starter, and a diagnostics API. Fully additive: every existing META-INF/services file, every direct SecurityServiceResolver call and every hand-wired bootstrap keeps working unchanged.

The “now it’s easy” story

Before — know the SPIs, write the META-INF/services files by hand, get the wiring order right. After:

SecurityRuntime runtime = VaadinSecurity.bootstrap()
    .subjectType(User.class)
    .authentication(new MyAuthService())
    .authorization(new MyAuthzService())
    .audit(a -> a.ringBuffer(256).logging())
    .sessions(s -> s.idleTimeout(Duration.ofMinutes(30)).rotateOnLogin())
    .loginRoute("/login")
    .securedComponents()
    .mode(SecurityBootstrapMode.PRODUCTION)
    .install();

runtime.log();                 // secret-free, multi-line startup log
runtime.warnings().forEach(...); // missing / duplicate / conflicting SPIs

// No hand-written META-INF/services file needed:
@SecurityAutoService(AuthenticationService.class)
public final class MyAuthService implements AuthenticationService<Credentials, User> {  }

Highlights

  • 22 reactor modules — seven new DX modules: security-dx, security-dx-vaadin, security-dx-rest, security-dx-standalone, security-autoservice-annotations, security-autoservice-processor, security-vaadin-starter.
  • Typed fluent bootstrap: VaadinSecurity.bootstrap() / RestSecurity.bootstrap() / StandaloneSecurity.bootstrap() over a shared CommonSecurityBootstrap<B> contract, returning a diagnostic SecurityRuntime.
  • SecurityBootstrapMode: COMMUNITY_DEFAULTS / DEVELOPMENT / PRODUCTION / STRICT. STRICT raises SecurityBootstrapException on any missing critical SPI; the others record warnings.
  • @SecurityAutoService — annotation-only (RetentionPolicy.SOURCE) + a JDK-only processor that generates META-INF/services/*. No external auto-service library (Maven Enforcer blocks it reactor-wide). A marker-comment protocol preserves hand-written entries across rebuilds.
  • security-vaadin-starter — declarative SecuredUi.button / link / menuItem builders, @SecureRoute(roles, permissions, policy) with most-restrictive-wins semantics, and developmentDefaults() / productionDefaults() / strictDefaults() profiles.
  • SecurityDiagnostics.inspect() — surfaces active services (with defaulted=true for every applied default), the generated compile-time wrappers via SecurityProcessorReport, and missing/duplicate/conflicting SPI detection. Never includes secrets — subject IDs, role and permission names only; no credentials, tokens or pepper material.
  • No new runtime dependency in security-core — the DX modules add no third-party runtime jars; the AutoService processor is JDK-only.
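
An added example, not the library's code: one way the missing/duplicate SPI detection and the STRICT behaviour described above can be built on java.util.ServiceLoader. The two nested interfaces are stand-ins; treating both as critical SPIs and throwing IllegalStateException instead of SecurityBootstrapException are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.ServiceLoader;
import java.util.stream.Collectors;

/** Added example, not library code: counts ServiceLoader providers per SPI. */
public final class SpiPresenceCheck {
  // Mode names are taken from the release notes; everything else here is hypothetical.
  enum Mode { COMMUNITY_DEFAULTS, DEVELOPMENT, PRODUCTION, STRICT }

  // Stand-in SPI types so the example compiles without the library on the classpath.
  interface AuthenticationService {}
  interface AuthorizationService {}

  /** Lists provider class names without instantiating them (ServiceLoader.stream()). */
  static <S> List<String> providerNames(Class<S> spi) {
    return ServiceLoader.load(spi).stream()
        .map(p -> p.type().getName())
        .sorted()
        .collect(Collectors.toList());
  }

  /** STRICT fails closed on a missing SPI; the other modes only record a warning. */
  static List<String> check(Mode mode, List<Class<?>> criticalSpis) {
    List<String> warnings = new ArrayList<>();
    for (Class<?> spi : criticalSpis) {
      List<String> found = providerNames(spi);
      if (found.isEmpty()) {
        String msg = "missing provider for " + spi.getName();
        if (mode == Mode.STRICT) throw new IllegalStateException(msg);
        warnings.add(msg);
      } else if (found.size() > 1) {
        warnings.add("duplicate providers for " + spi.getName() + ": " + found);
      }
    }
    return warnings;
  }

  public static void main(String[] args) {
    List<Class<?>> critical = List.of(AuthenticationService.class, AuthorizationService.class);
    // No META-INF/services entries exist for the stand-ins, so both are reported missing.
    check(Mode.PRODUCTION, critical).forEach(System.out::println);
    try {
      check(Mode.STRICT, critical);
    } catch (IllegalStateException e) {
      System.out.println("STRICT aborted startup: " + e.getMessage());
    }
  }
}
```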

Module structure (16 → 22)

| New module | Headline |
|---|---|
| security-dx | CommonSecurityBootstrap<B>, SecurityRuntime, SecurityBootstrapMode, SecurityDiagnostics, DiagnosticContributor SPI, WrapperIndexReader |
| security-dx-vaadin | VaadinSecurity.bootstrap() facade + VaadinDiagnosticContributor |
| security-dx-rest | RestSecurity.bootstrap() facade + default RestDecisionMapper / RestErrorBodyStrategy |
| security-dx-standalone | StandaloneSecurity.bootstrap() facade |
| security-autoservice-annotations | @SecurityAutoService (source-retention) |
| security-autoservice-processor | JDK-only processor emitting META-INF/services/* |
| security-vaadin-starter | SecuredUi, @SecureRoute, three profiles |

The ten V00.60–V00.71 modules are unchanged; security-core stays exactly where V00.71 left it.

Mutation coverage

The five core V00.71 modules were re-run — no regression (identical to the V00.71 baseline). The seven new DX modules ship at a first-PIT profile (recorded as a starting point; uplift tracked for V00.73):

| DX module | Mutation |
|---|---|
| security-dx | 49 % (47/96) |
| security-dx-vaadin | 61 % (14/23) |
| security-dx-rest | 54 % (15/28) |
| security-dx-standalone | 43 % (9/21) |
| security-vaadin-starter | 66 % (49/74) |
| security-autoservice-processor | 52 % (34/65) |
| security-autoservice-annotations | n/a (annotation-only) |

Staged for V00.73

The bootstrap records configuration today; some live wiring is a follow-up, kept out of V00.72 to preserve the “behaviour of security-processor unchanged” invariant:

  • Sub-builder → PolicyRegistry / SecurityServiceResolver live wiring
  • The wrapper-index writer in security-processor (the reader ships in V00.72; until the writer lands, SecurityProcessorReport surfaces no entries unless an index is present)
  • Removal of @ExperimentalSecurityApi from the DX surface

Migration

Nothing required — V00.72 is additive. To adopt the DX layer once it publishes: add the relevant security-dx-* facade, replace hand-written service files with @SecurityAutoService, and (Vaadin) opt into security-vaadin-starter. The manual SPI path stays fully supported.
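
While hand-written and generated service entries coexist, a rebuild must not drop a hand-written provider line, or that security service silently disappears from ServiceLoader discovery. An added example of a marker-based merge (not the project's processor code; the marker text and the com.example class names are assumptions, since the release notes do not show the actual protocol):

```java
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

/** Added example: merges generated provider names into a META-INF/services file. */
public final class ServiceFileMerge {
  // Hypothetical marker lines; the project's real marker text is not shown on the page.
  static final String BEGIN = "# BEGIN generated (example marker)";
  static final String END = "# END generated (example marker)";

  /** Keeps every line outside the marked block, then rewrites the block from scratch. */
  static List<String> merge(List<String> existing, Set<String> generated) {
    List<String> out = new ArrayList<>();
    Set<String> handWritten = new LinkedHashSet<>();
    boolean inBlock = false;
    for (String line : existing) {
      if (line.equals(BEGIN)) { inBlock = true; continue; }
      if (line.equals(END)) { inBlock = false; continue; }
      if (inBlock) continue;                 // stale generated entry: dropped
      out.add(line);                         // hand-written line: kept verbatim
      String name = providerName(line);
      if (!name.isEmpty()) handWritten.add(name);
    }
    // A truncated file would otherwise swallow hand-written lines after BEGIN.
    if (inBlock) throw new IllegalStateException("unterminated generated block");
    Set<String> fresh = new TreeSet<>(generated);  // sorted for reproducible output
    fresh.removeAll(handWritten);                  // never list a provider twice
    if (!fresh.isEmpty()) {
      out.add(BEGIN);
      out.addAll(fresh);
      out.add(END);
    }
    return out;
  }

  /** ServiceLoader files treat '#' as a comment start; returns the provider name or "". */
  static String providerName(String line) {
    int hash = line.indexOf('#');
    return (hash >= 0 ? line.substring(0, hash) : line).trim();
  }
  public static void main(String[] args) {
    List<String> existing = List.of(         // constructed sample file content
        "# hand-written", "com.example.LegacyAuthService",
        BEGIN, "com.example.RemovedAuthService", END);
    Set<String> generated = Set.of("com.example.MyAuthService", "com.example.LegacyAuthService");
    merge(existing, generated).forEach(System.out::println);
  }
}
```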