Version Packages

[github-actions]

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

@ingram-tech/agent-guide@0.2.0

Minor Changes

• 9aba41f: Add login-auth URL conventions and list @ingram-tech/nk-auth under "What nextkit
  provides". Better Auth (via nk-auth) mounts at /auth through basePath: authBasePath — not the framework default /api/auth — so login / social OAuth
  callbacks are <site>/auth/callback/<provider>, distinct from connector /
  app-install callbacks at /internal/connect/<provider>/callback. Stops agents
  defaulting to the /api/auth callback path and registering the wrong redirect URI.
• d6bd292: Add a "Route & URL conventions" section: /api/… is the public API only, and all
  plumbing lives under /internal/… — the OAuth/app-install handshake at
  /internal/connect/<provider>/{start,callback}, inbound provider webhooks at
  /internal/webhooks/<provider>, and workers/crons at /internal/{worker,cron}/<name>.
  Keeps connector wiring consistent across nextkit apps.

Patch Changes

• 258cd15: Add @ingram-tech/nk-db to the package list (the Postgres data layer: pool +
  raw-SQL helpers + Drizzle + PGlite harness), and update the nk dev line — it
  now boots local PGlite via @ingram-tech/nk-db (then Next), not local Supabase.
• 56b48c3: Note that nk is optional convenience that only orchestrates the standard tools
  — a nextkit site must stay buildable with plain next build / next dev. Keeps
  the agent guide consistent with the prime directive.

@ingram-tech/newsletter@0.3.0

Minor Changes

• 16abb6f: Validate Supabase rows with Zod at the boundary instead of as-casting them, per
  the house "validate external input with Zod" rule. Row types are now inferred
  from the schemas (single source of truth), the subscribe path now checks the
  previously-dropped lookup error, and zod is a new runtime dependency. Malformed
  rows now throw a clear validation error rather than flowing through as a bad type.

Patch Changes

• Updated dependencies [568ea58]
  • @ingram-tech/email@0.1.2

@ingram-tech/biome-config@0.1.1

Patch Changes

• 419b229: Deprecated in favor of @ingram-tech/oxlint-config. The fleet has moved from
  Biome to the oxc toolchain (oxlint + oxfmt). This package is frozen and gets no
  further rule updates; it stays published only so existing pins keep resolving.
  The @biomejs/biome peer dependency is dropped so the deprecated package no
  longer pulls Biome into installs. Migrate with the codemod in
  docs/oxlint-migration.md.

@ingram-tech/bot-protection@0.3.1

Patch Changes

• 3904231: Clarify in the timing-token docs that it is a timing-window gate, not a
  per-submission nonce: a token can be replayed within its [minMs, maxMs] window,
  so it composes with the honeypot and BotID layers rather than providing single-use
  semantics on its own.

@ingram-tech/email@0.1.2

Patch Changes

• 568ea58: keys() now narrows the validated env vars with a combined guard instead of
  as string casts — no behavior change, but it follows the house "no as on
  external input" rule that the package documents.

@ingram-tech/nk-auth@0.3.1

Patch Changes

• 258cd15: createAuthPool now delegates to createPool from the new @ingram-tech/nk-db
  dependency, so Better Auth and app queries share one pool implementation and TLS
  code path (the "one pool per process" rule). Its signature is unchanged. One
  behaviour change: connections to a local host (127.0.0.1/localhost) now cap
  at max: 1 (required by the PGlite socket); non-local pools are unchanged.
• 0a8812a: Docs & comments: remove references to private product names (nextkit is open
  source — it describes the shared foundation generically, not the apps that
  consume it). No code or API changes.