v1.21 batch: Phases 91-96 verified (B2B-01..03, HARD-01..02, HARD-03/API-01)

.github/workflows/hex-publish.yml

@@ -19,7 +19,7 @@ on:
         type: string
 
 permissions:
-  contents: read
+  contents: write
 
 jobs:
   publish:
@@ -66,6 +66,16 @@ jobs:
       - name: Verify release version in mix.exs
         run: grep -n "@version \"${{ inputs.release_version }}\"" mix.exs
 
+      - name: Sync changelog summary into GitHub release body
+        env:
+          GH_TOKEN: ${{ github.token }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
+        run: |
+          chmod +x scripts/release/sync_release_summary.sh
+          scripts/release/sync_release_summary.sh \
+            "${{ inputs.release_version }}" \
+            "${{ inputs.tag }}"
+
       - name: Fetch library deps
         run: mix deps.get
 

.github/workflows/release-please.yml

@@ -47,9 +47,31 @@ jobs:
           config-file: release-please-config.json
           manifest-file: .release-please-manifest.json
 
+  sync-release-summary:
+    name: Sync GitHub release summary
+    needs: release-please
+    if: ${{ needs.release-please.outputs.release_created == 'true' }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: ${{ needs.release-please.outputs.tag_name }}
+
+      - name: Sync changelog summary into GitHub release body
+        env:
+          GH_TOKEN: ${{ secrets.RELEASE_PLEASE_TOKEN || github.token }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
+        run: |
+          chmod +x scripts/release/sync_release_summary.sh
+          scripts/release/sync_release_summary.sh \
+            "${{ needs.release-please.outputs.version }}" \
+            "${{ needs.release-please.outputs.tag_name }}"
+
   publish-hex:
     name: Publish to Hex.pm
-    needs: release-please
+    needs: [release-please, sync-release-summary]
     if: ${{ needs.release-please.outputs.release_created == 'true' }}
     runs-on: ubuntu-latest
     permissions:

.planning/AUDIT-ATOMICITY-DEFAULTS.md

@@ -34,7 +34,7 @@
 
 ### D-AUD-06 — Caller contract when audit insert fails (audit-only paths)
 
-- Public functions that today return **`:ok`** and use **`log_safe`/`log_multi_safe`** for **side-channel audit** keep **`:ok`** on audit subsystem failure; emit **`[:sigra, :audit, :log_safe_error]`** (or the same telemetry contract as `emit_log_safe_error`) so operators can alert; **raise** only on programmer-wiring errors. **`@doc`** must state **`:ok` does not guarantee** the audit row exists.
+- Public functions that today return **`:ok`** and use **`log_safe`/`log_multi_safe`** for **side-channel audit** keep **`:ok`** on audit subsystem failure **when the audit row is not co-fated with a durable partner write**. This covers three legitimate sub-classes: **detection-only** (the audit row is the forensic record), **pre-domain** (the event fires before a persistence target exists), and **audit-only helpers**. Emit **`[:sigra, :audit, :log_safe_error]`** (or the same telemetry contract as `emit_log_safe_error`) so operators can alert; **raise** only on programmer-wiring errors. **`@doc`** must state **`:ok` does not guarantee** the audit row exists.
 
 ### D-AUD-07 — ExUnit layout for audit fault injection
 

.planning/MILESTONES.md

@@ -585,3 +585,76 @@
 - [v1.15 Requirements](milestones/v1.15-REQUIREMENTS.md)
 
 ---
+
+## v1.20 GA Launch (SEED closure + public release) (Shipped: 2026-04-28)
+
+**Scope:** 6 phases (**85–90**), 14 on-disk plans. (Phase 90 waived).
+
+**What shipped:** **AUD-21** — OAuth audit atomicity closure, converting remaining `log_safe/3` clusters in Phase 45 T2 to atomic `Repo.transaction/1` + `Ecto.Multi`. **GAUAT-01..09** — Fully automated E2E harnesses for email visual QA, OAuth real-credential cycles, MFA backup-code rotation, and getting-started proof, resulting in SEED-001 closure. **LAUNCH-01..07** — Hex v1.20.0 publish, README promotion, and CHANGELOG alignment.
+
+### Key accomplishments
+
+1. **AUD-21 closure** — Phase 9 C-1 caveat officially downgraded to PASS.
+2. **GAUAT zero-human proof** — Replaced all manual SEED-001 testing requirements with deterministic CI automation (Playwright + Premailex).
+3. **v1.20.0 Public Launch** — Reached the "use this in production" inflexion point.
+
+### Stats
+
+- **Requirements:** 21/21 requirements satisfied/waived.
+- **Milestone audit:** **passed** ([`milestones/v1.20-MILESTONE-AUDIT.md`](milestones/v1.20-MILESTONE-AUDIT.md)).
+- **Timeline:** 2026-04-25 → 2026-04-28.
+
+### Tech debt carried forward
+
+- Lockspire glue package deferred.
+- Week-one launch-feedback follow-ups deferred to patch milestone.
+
+**Archive:**
+
+- [v1.20 Roadmap](milestones/v1.20-ROADMAP.md)
+- [v1.20 Requirements](milestones/v1.20-REQUIREMENTS.md)
+- [v1.20 Milestone Audit](milestones/v1.20-MILESTONE-AUDIT.md)
+
+---
+
+## v1.21 B2B-ready & production-honest (Shipped: 2026-05-06)
+
+**Scope:** 6 phases (**91–96**), 33 on-disk plan summaries (across 26 PLAN.md files; some phases inline-summarized).
+
+**What shipped:** First milestone after v1.20 public launch. Three legs converged. **Leg 1 — B2B trust** (Phases **91**, **92**, **93**) — `Sigra.Plug.RequireOrgMfa` + `enforce_mfa_for_members` + admin LiveView toggle + atomic `organization.mfa_policy_change` audit row (**B2B-01**); `Sigra.Authz` `can?/3` behaviour + nullable `role` on `OrganizationMembership` + scope-struct `:role` propagation + role-based-access-control recipe (zero opinionated roles in `lib/sigra/`) (**B2B-02**); org-scoped service-account tokens via `client_credentials` grant on existing JWT path + `current_scope.actor_type: :service_account` discriminator + 5 SA-mutation rollback proofs (**B2B-03**, re-verified 22/22 after gap-closure plans 06–10 + critical fixes in commit `bf5a8a8`). **Leg 2 — Production hardening** (Phases **94**, **95**) — `mix sigra.install` refuses non-Postgres adapter at pre-flight + removed MySQL/SQLite placeholder branches + aligned `mix.exs` description / README / getting-started narrative; environmental Oban-test caveat closed in 2026-05-06 audit (**HARD-01**); `Sigra.OptionalDeps` SOT + raise-on-missing for Oban/Bcrypt/EQRCode + `mix sigra.doctor` per-feature dep matrix + 3 dep-off CI lanes (**HARD-02**, only v1.21 phase with `nyquist_compliant: true`). **Leg 3 — OAuth + API polish** (Phase **96**) — per-provider OAuth refresh dispatch for GitHub/Apple/Facebook/Generic via Assent + atomic `oauth.token_refreshed` audit (**HARD-03**); single-pass `Sigra.Plug.RateLimit` emitting `X-RateLimit-Limit/Remaining/Reset` + `Retry-After` from Hammer state, wired into generated host's `:auth_rate_limit` pipeline (**API-01**) — 122 passing tests across 4 evidence sections.
+
+### Key accomplishments
+
+1. **Org-level MFA enforcement** — Atomic policy-change audit + plug + LiveView gate; full library suite green (33 doctests, 3 properties, 2214 tests, 0 failures).
+2. **RBAC seams without opinions** — `Sigra.Authz` ships as behaviour-only; library has zero `:owner / :admin / :member` constants; recipe is the only place those names appear, illustratively.
+3. **M2M service-account tokens** — `client_credentials` grant on existing JWT path; scope-struct `actor_type` discriminator; SA short-circuits user-membership and org-MFA checks; 5/5 mutations co-fated with audit (D-AUD-08).
+4. **Honest Postgres-only narrative** — Aligned the documented adapter support to what CI actually exercises and what migrations actually implement.
+5. **Optional-dep boot validation** — `mix sigra.doctor` reports per-feature status; missing optional deps raise tagged errors at first use instead of compiling to silent `nil`; CI matrix toggles each off.
+6. **OAuth refresh dispatch + rate-limit headers** — Closed the `lib/sigra/oauth.ex:174` "not yet implemented" warning across 4 providers with atomic audit; clients on rate-limited paths get standards-compliant headers for backoff.
+
+### Stats
+
+- **Requirements:** 7/7 requirements satisfied (B2B-01, B2B-02, B2B-03, HARD-01, HARD-02, HARD-03, API-01).
+- **Milestone audit:** **tech_debt → reconciled** ([`milestones/v1.21-MILESTONE-AUDIT.md`](milestones/v1.21-MILESTONE-AUDIT.md)). Substantive 7/7 with passing test evidence; bookkeeping reconciled 2026-05-06.
+- **Timeline:** 2026-04-28 → 2026-05-06 (8 days).
+- **Cross-phase wires verified:** B2B-02 `:actor_type` reservation → B2B-03 `:service_account` population; B2B-02 host-supplied `:roles` → B2B-03 SA short-circuit; HARD-01 Postgres-only → HARD-02 `mix sigra.doctor`; HARD-03 OAuth refresh → API-01 rate-limit headers.
+
+### Known deferred items at close (non-blocking)
+
+- 2 install-smoke pending todos from 2026-04-30: JOSE.JWT.peek_payload/1 undefined warning + transient Postgres `too_many_connections` during install smoke (both surfaced during Phase 94 work).
+- `DEF-92-02-01` — InvitationAcceptLive audit-Multi-step name collision (pre-existing bug from commit `5e6c026`, predates Phase 92; recommended landing point not yet assigned).
+- Nyquist VALIDATION.md gaps — only Phase 95 has `nyquist_compliant: true`; 91/92/93 have draft VALIDATION.md (`nyquist_compliant: false`); 94/96 missing entirely. Optional retroactive fill via `/gsd-validate-phase`.
+
+### Tech debt carried forward
+
+- Webhooks (`WH-01..03`) — deferred to v1.22 as its own design-first milestone (event schema, signed delivery, retry/dead-letter, host UX).
+- Tier-3 polish carried in Future Requirements: Session UX (`SESS-01..03`), Email overrides + i18n + bounce (`EMAIL-01..03`), Passkey multi-authenticator + recovery (`PK-01..03`), DataExport depth (`DATA-01..03`).
+- `sigra_lockspire` glue package per **ADR 001** — still awaiting companion-app trigger.
+
+**Archive:**
+
+- [v1.21 Roadmap](milestones/v1.21-ROADMAP.md)
+- [v1.21 Requirements](milestones/v1.21-REQUIREMENTS.md)
+- [v1.21 Milestone Audit](milestones/v1.21-MILESTONE-AUDIT.md)
+
+---