v0.1.0a85

Bug Fixes

• CSP nonce no longer breaks inline styles — 'unsafe-inline' in style-src is now preserved. CSP nonces only cover <style> elements, not inline style="" attributes, so the previous replacement was blocking legitimate inline styles. Nonces are now only injected into script-src. (#114)

v0.1.0a84

API Key Authentication

This release adds built-in API key support for programmatic access to Skrift.

New Features

• API keys — Generate bearer tokens (sk_...) scoped to specific permissions or roles
• Key rotation — Zero-downtime key rotation via refresh tokens (skr_...)
• Route guards — APIKeyAuth() and APIKeyOnly() markers to declare API-compatible routes
• Admin UI — Full key management at /admin/api-keys (create, edit, revoke, rotate, delete)
• Configuration — api_keys section in app.yaml for defaults (expiration, max keys per user, refresh token TTL)

Usage

curl -H "Authorization: Bearer sk_..." https://example.com/api/pages

from skrift.auth.guards import auth_guard, APIKeyAuth, Permission

@get("/api/pages", guards=[auth_guard, APIKeyAuth(), Permission("manage-pages")])
async def list_pages(self): ...

See the API Keys documentation for full details.

v0.1.0a83

Improvements

• Reorganized Claude Code skills from system-oriented to developer-task-oriented structure
• New skills: skrift-db (database/models), skrift-frontend (templates/themes/assets/CSP), skrift-events (hooks + SSE notifications), skrift-push (Web Push)
• Merged overlapping skills: auth + oauth2, hooks + notifications
• Removed low-value standalone skills (observability, theming, hooks)
• All skills updated with cross-references to related skills

v0.1.0a82

Bug Fixes

• Fix ?next= redirect URLs being lost during OAuth login session rotation

v0.1.0a81

Bug Fixes

• Fix WebSocket connections to subdomain endpoints being incorrectly routed to the primary app instead of the matching subdomain app (#108)

v0.1.0a80

Bug Fixes

• Fix event loop blocking in Web Push delivery — use async webpush_async() instead of sync webpush(), preventing Kubernetes health check timeouts (#105)
• Fix test mocks to match the async webpush change

v0.1.0a79

Bug Fixes

• Fix event loop blocking in Web Push delivery — use async webpush_async() instead of sync webpush(), preventing Kubernetes health check timeouts when sending push notifications (#105)

v0.1.0a78

Bug Fixes

• Fix gzip compression crash on Python 3.13 — Added SafeGzipCompression facade that catches ValueError from GzipFile finalizer when clients disconnect before the response completes
• Fix push subscription cleanup — Use explicit is not None check for expired subscription detection to avoid false negatives on falsy response objects

v0.1.0a77

Changes since v0.1.0a76

• Timeseries dismissed notifications: Store dismissed notification events as TIMESERIES so disconnected clients receive them on reconnect via get_since. Notification.dismissed() now uses its own UUID with the target ID in payload["notification_id"].

v0.1.0a76

Changes since v0.1.0a75

Web Push notifications now fully opt-in

• PushController must be explicitly enabled in app.yaml — no push routes, hooks, or service worker are registered by default
• Users enable push by adding skrift.controllers.push:PushController to their app.yaml controllers list
• Service worker route (/sw.js) auto-expands when PushController is loaded
• CSRF exclusions for push endpoints only added when push is enabled
• setup_push_hook() only runs when push is enabled
• Updated docs and Claude skill to reflect the opt-in approach

Full Changelog

v0.1.0a75...v0.1.0a76