# Changelog

All notable changes to this project will be documented in this file.

The format follows [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

---

## [Unreleased]

---

## [0.2.0] - 2026-04-23

### Added

- `GET /sitemap.xml` endpoint: returns a well-formed XML Sitemap (Sitemaps protocol 0.9) containing one `<url><loc>` per knowledge item from the KME Knowledge Search Service
- `sitemapFlow()` async function in `kmeContentSourceAdapter.js` — settings validation, OIDC token reuse, search API call, XML build via `xmlBuilder`, 10-second timeout, 502/504/500 error responses
- `getValidToken()` shared helper extracted from the existing OIDC auth flow — used by both sitemap and non-sitemap paths
- URL routing at IIFE entry point: requests ending in `/sitemap.xml` → `sitemapFlow()`, all others → `oidcAuthFlow()`
- Three new fields in `src/globalVariables/kme_CSA_settings.json`: `searchApiBaseUrl`, `tenant`, `proxyBaseUrl`
- Three new placeholder fields in `src/globalVariables/kme_CSA_settings.json.example`
- Unit tests for sitemap flow: happy path (items present), empty results, `vkm:url` filtering, 502/504/500 error scenarios, non-sitemap regression tests
- Contract tests for sitemap endpoint: full round-trip 200, empty results 200, 502 upstream error, 504 timeout

---

## [0.1.0] - 2026-04-23

### Added

- `src/proxyScripts/kmeContentSourceAdapter.js` — OIDC authentication proxy script running in a Node.js VM sandbox (zero imports/exports)
- `src/globalVariables/kme_CSA_settings.json` — OIDC credentials and token endpoint configuration (gitignored)
- `src/globalVariables/kme_CSA_settings.json.example` — placeholder settings file for version control
- Redis-backed token cache (`authorization` hash, fields `token` and `expiry`) — token persists across adapter restarts
- Token stampede guard via in-process `_pendingFetch` promise — only one token fetch in-flight at a time
- Absolute Unix epoch expiry check (`Date.now() / 1000 < expiry`)
- `200 OK / Authorized` response on successful authentication
- `401 Unauthorized` response with descriptive message on auth failure (bad credentials, timeout, unreachable service)
- 5-second timeout on OIDC token POST requests
- Structured logging throughout proxy script using `console.debug`, `console.info`, and `console.error`
- `redis` dependency wired into VM context via `createClient().connect()` in `server.js`
- Unit tests (`tests/unit/proxy.test.js`) — 12 tests covering US1, US2, US3, and stampede guard
- Contract tests (`tests/contract/proxy-http.test.js`) — 2 tests covering HTTP 200/401 response shape

[Unreleased]: https://github.com/your-org/kme-content-adapter/compare/v0.1.0...HEAD
[0.1.0]: https://github.com/your-org/kme-content-adapter/releases/tag/v0.1.0