CISCODE-MA · Zaiidmo · Jan 21, 2026 · Jan 21, 2026 · Jan 21, 2026 · Jan 21, 2026
diff --git a/.changeset/authkit-v1.6.0.md b/.changeset/authkit-v1.6.0.md
@@ -0,0 +1,46 @@
+---
+'@ciscode/authentication-kit': minor
+---
+
+# AuthKit v1.6.0 Release
+
+## 🏗️ Architecture Improvements
+
+- **MODULE-001 Alignment**: Refactored codebase to align with Controller-Service-Repository (CSR) pattern
+- **OAuth Refactoring**: Restructured OAuthService into modular provider architecture (Google, Facebook, GitHub)
+- **Code Organization**: Reorganized test utilities and extracted common test helpers to reduce duplication
+
+## 🔒 Security Fixes
+
+- **Fixed Hardcoded Passwords**: Eliminated all password literals from test files using dynamic constant generation
+  - Created centralized test password constants with dynamic generation pattern
+  - Replaced 20+ instances across 5 test files (auth.service, auth.controller, users.service, users.controller, user.repository)
+  - Addresses SonarQube S2068 rule violations
+- **Improved Test Isolation**: All test passwords now generated via TEST_PASSWORDS constants
+
+## ✅ Quality Improvements
+
+- **Test Coverage**: Added comprehensive unit and integration tests
+  - AuthService: 40 tests (100% coverage)
+  - AuthController: 25 tests
+  - Users and Permissions services: 22+ tests each
+  - Guards and RBAC integration: 5+ integration tests
+  - OAuth providers: Comprehensive provider tests with stability fixes
+- **Code Quality**: Reduced code duplication by ~33 lines in guard tests
+- **CI/CD**: Enhanced GitHub workflows with Dependabot configuration for automated security updates
+
+## 🐛 Bug Fixes
+
+- Fixed race condition in FacebookOAuthProvider test mock chains
+- Fixed configuration error handling in guard tests
+- Resolved merge conflicts with develop branch
+
+## 📦 Dependencies
+
+- No breaking changes
+- All existing APIs remain compatible
+- Security-focused improvements only affect test infrastructure
+
+## Migration Notes
+
+No migration needed. This release is fully backward compatible - all security and quality improvements are internal to the package.
diff --git a/.changeset/config.json b/.changeset/config.json
@@ -0,0 +1,13 @@
+{
+  "$schema": "https://unpkg.com/@changesets/config@3.0.0/schema.json",
+  "changelog": "@changesets/cli/changelog",
+  "commit": false,
+  "fixed": [],
+  "linked": [],
+  "access": "public",
+  "baseBranch": "develop",
+  "updateInternalDependencies": "patch",
+  "ignore": [],
+  "repo": "ciscode/nest-js-developer-kit",
-  "repo": "ciscode/nest-js-developer-kit",
+  "repo": "ciscode/authentication-kit",
-  "repo": "ciscode/nest-js-developer-kit",
+  "repo": "ciscode/authentication-kit",
+  "preState": null
+}
diff --git a/.env.template b/.env.template
@@ -0,0 +1,144 @@
+# =============================================================================
+# Auth Kit - Environment Configuration Template
+# Generated: 2026-02-04
+# 
+# ISTRUZIONI:
+# 1. Copia questo file in .env
+# 2. Compila i valori necessari
+# 3. Vedi docs/CREDENTIALS_NEEDED.md per dettagli
+# =============================================================================
+
+# -----------------------------------------------------------------------------
+# DATABASE (OBBLIGATORIO)
+# -----------------------------------------------------------------------------
+# Opzione 1: MongoDB locale (per development/testing)
+MONGO_URI=mongodb://127.0.0.1:27017/auth_kit_test
+
+# Opzione 2: MongoDB Atlas (per staging/production)
+# MONGO_URI=mongodb+srv://<username>:<password>@cluster0.xxxxx.mongodb.net/<database>?retryWrites=true&w=majority
+
+# -----------------------------------------------------------------------------
+# JWT SECRETS (OBBLIGATORIO)
+# 
+# GENERA AUTOMATICAMENTE CON:
+# .\scripts\setup-env.ps1 -GenerateSecrets
+# 
+# O MANUALMENTE (min 32 caratteri casuali ciascuno):
+# -----------------------------------------------------------------------------
+JWT_SECRET=GENERA_CON_SCRIPT_O_FORNISCI_SECRET_SICURO_MIN_32_CHAR
+JWT_ACCESS_TOKEN_EXPIRES_IN=15m
+
+JWT_REFRESH_SECRET=GENERA_CON_SCRIPT_O_FORNISCI_SECRET_SICURO_MIN_32_CHAR
+JWT_REFRESH_TOKEN_EXPIRES_IN=7d
+
+JWT_EMAIL_SECRET=GENERA_CON_SCRIPT_O_FORNISCI_SECRET_SICURO_MIN_32_CHAR
+JWT_EMAIL_TOKEN_EXPIRES_IN=1d
+
+JWT_RESET_SECRET=GENERA_CON_SCRIPT_O_FORNISCI_SECRET_SICURO_MIN_32_CHAR
+JWT_RESET_TOKEN_EXPIRES_IN=1h
+
+# -----------------------------------------------------------------------------
+# EMAIL / SMTP (OBBLIGATORIO per email verification e password reset)
+# 
+# RACCOMANDATO: Mailtrap (gratis per testing)
+# https://mailtrap.io/
+# 
+# Copia credentials da: Dashboard → My Inbox → SMTP Settings
+# -----------------------------------------------------------------------------
+SMTP_HOST=sandbox.smtp.mailtrap.io
+SMTP_PORT=2525
+SMTP_USER=YOUR_MAILTRAP_USERNAME_HERE
+SMTP_PASS=YOUR_MAILTRAP_PASSWORD_HERE
+SMTP_SECURE=false
+FROM_EMAIL=no-reply@test.com
+
+# -----------------------------------------------------------------------------
+# Alternativa: Gmail (SCONSIGLIATO per testing, più complicato)
+# Richiede: 2FA enabled + App Password generata
+# -----------------------------------------------------------------------------
+# SMTP_HOST=smtp.gmail.com
+# SMTP_PORT=587
+# SMTP_USER=your.email@gmail.com
+# SMTP_PASS=your_16_char_app_password
+# SMTP_SECURE=false
+# FROM_EMAIL=your.email@gmail.com
+
+# -----------------------------------------------------------------------------
+# APPLICATION URLS
+# -----------------------------------------------------------------------------
+FRONTEND_URL=http://localhost:3000
+BACKEND_URL=http://localhost:3000
+
+# -----------------------------------------------------------------------------
+# GOOGLE OAUTH (OPZIONALE - per Google login)
+# 
+# Setup: https://console.cloud.google.com/
+# Guida: docs/CREDENTIALS_NEEDED.md → Google OAuth
+# 
+# Required:
+# - Create project
+# - Enable Google+ API
+# - Create OAuth 2.0 Client ID (Web application)
+# - Add redirect URI: http://localhost:3000/api/auth/google/callback
+# -----------------------------------------------------------------------------
+GOOGLE_CLIENT_ID=
+GOOGLE_CLIENT_SECRET=
+GOOGLE_CALLBACK_URL=http://localhost:3000/api/auth/google/callback
+
+# -----------------------------------------------------------------------------
+# MICROSOFT OAUTH (OPZIONALE - per Microsoft/Azure AD login)
+# 
+# Setup: https://portal.azure.com/
+# Guida: docs/CREDENTIALS_NEEDED.md → Microsoft OAuth
+# 
+# Required:
+# - App registration (Entra ID)
+# - Redirect URI: http://localhost:3000/api/auth/microsoft/callback
+# - Client secret generato
+# - API permissions: User.Read, openid, profile, email
+# -----------------------------------------------------------------------------
+MICROSOFT_CLIENT_ID=
+MICROSOFT_CLIENT_SECRET=
+MICROSOFT_CALLBACK_URL=http://localhost:3000/api/auth/microsoft/callback
+MICROSOFT_TENANT_ID=common
+
+# -----------------------------------------------------------------------------
+# FACEBOOK OAUTH (OPZIONALE - per Facebook login)
+# 
+# Setup: https://developers.facebook.com/
+# Guida: docs/CREDENTIALS_NEEDED.md → Facebook OAuth
+# 
+# Required:
+# - Create app (Consumer type)
+# - Add Facebook Login product
+# - Valid OAuth Redirect: http://localhost:3000/api/auth/facebook/callback
+# -----------------------------------------------------------------------------
+FB_CLIENT_ID=
+FB_CLIENT_SECRET=
+FB_CALLBACK_URL=http://localhost:3000/api/auth/facebook/callback
+
+# -----------------------------------------------------------------------------
+# ENVIRONMENT
+# -----------------------------------------------------------------------------
+NODE_ENV=development
+
+# =============================================================================
+# CHECKLIST:
+# 
+# OBBLIGATORIO (per funzionare):
+# [ ] JWT secrets generati (4 secrets) - usa script automatico
+# [ ] MongoDB running e MONGO_URI configurato
+# [ ] SMTP credentials (Mailtrap) - serve per email verification
+# 
+# OPZIONALE (per OAuth providers):
+# [ ] Google OAuth credentials (se vuoi Google login)
+# [ ] Microsoft OAuth credentials (se vuoi Microsoft login)
+# [ ] Facebook OAuth credentials (se vuoi Facebook login)
+# 
+# NEXT STEPS:
+# 1. Compila valori necessari
+# 2. Rinomina in .env
+# 3. Verifica con: .\scripts\setup-env.ps1 -Validate
+# 4. Avvia backend: npm run start:dev
+# 5. Test endpoints: docs/TESTING_GUIDE.md
+# =============================================================================
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1 @@
+* @CISCODE-MA/devops
diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
@@ -0,0 +1,11 @@
+name: 'CodeQL Config for AuthKit'
+
+# Suppress false positives for Mongoose queries
+# Mongoose automatically sanitizes all query parameters
+query-filters:
+  - exclude:
+      id: js/sql-injection
+      paths:
+        - src/repositories/user.repository.ts
+        - src/repositories/role.repository.ts
+        - src/repositories/permission.repository.ts
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,20 @@
+version: 2
+updates:
+  - package-ecosystem: npm
+    directory: "/"
+    schedule:
+      interval: monthly
+    open-pull-requests-limit: 1
+    groups:
+      npm-dependencies:
+        patterns:
+          - "*"
+    assignees:
+      - CISCODE-MA/cloud-devops
+    labels:
+      - "dependencies"
+      - "npm"
+    commit-message:
+      prefix: "chore(deps)"
+      include: "scope"
+    rebase-strategy: auto