- Added Temporal Cloud active credential validation via GET https://saas-api.tmprl.cloud/cloud/current-identity using bearer auth, so Temporal keys validate against provider APIs instead of generic OIDC discovery.
- Fixed JWT issuer normalization to treat bare host issuers (e.g. iss: temporal.io) as HTTPS URLs during discovery, avoiding low-level URL builder failures.
- Added crates/kingfisher-rules/build.rs to ensure embedded rule assets rebuild when files under crates/kingfisher-rules/data change.
- Added Temporal Cloud active credential validation via GET https://saas-api.tmprl.cloud/cloud/current-identity using bearer auth, so Temporal keys validate against provider APIs instead of generic OIDC discovery.
- Fixed JWT issuer normalization to treat bare host issuers (e.g. iss: temporal.io) as HTTPS URLs during discovery, avoiding low-level URL builder failures.
- Added crates/kingfisher-rules/build.rs to ensure embedded rule assets rebuild when files under crates/kingfisher-rules/data change.
- Added revocation support for Vercel app tokens (vca_, vcr_) via https://api.vercel.com/login/oauth/token/revoke. Requires VERCEL_APP_CLIENT_ID (or NEXT_PUBLIC_VERCEL_APP_CLIENT_ID) and VERCEL_APP_CLIENT_SECRET.
- Fixed validate/revoke command generation to omit regex named captures (e.g., BODY, CHECKSUM) when they are not used by validation/revocation templates, so rules like Vercel no longer produce unnecessary --var BODY=... arguments.
- Added revocation support for Vercel app tokens (vca_, vcr_) via https://api.vercel.com/login/oauth/token/revoke. Requires VERCEL_APP_CLIENT_ID (or NEXT_PUBLIC_VERCEL_APP_CLIENT_ID) and VERCEL_APP_CLIENT_SECRET.
- Fixed validate/revoke command generation to omit regex named captures (e.g., BODY, CHECKSUM) when they are not used by validation/revocation templates, so rules like Vercel no longer produce unnecessary --var BODY=... arguments.
- Prevented transient HTTP validation failures (429/5xx) from being cached, avoiding cache poisoning that could suppress later successful validations in the same scan.
- Switch validation endpoint from /-/npm/v1/user to /-/whoami which
works for all token types regardless of scope/permissions
- Fix revocation token matching: use Regex extractor with Liquid-rendered
prefix ({{ TOKEN | prefix: 8 }}) to locate the correct token in the
list response instead of blindly taking objects[0]
- Add Liquid template rendering support in multi-step revocation
extraction patterns (render_extractor) for dynamic matching
- Add debug logging of HTTP response status and body during revocation
so -v flag shows full API responses for troubleshooting
- Include response body in extraction failure error messages
Co-authored-by: Cursor <cursoragent@cursor.com>
