We just tagged v1.0.1-alpha-29. This is a feature and release-infrastructure release. It adds a Ring-middleware form of the CSRF protection introduced in alpha-28, and fixes the Clojars publish pipeline. If you are on alpha-28 from Clojars, upgrade: the published alpha-28 artifact was stale and did not match its git tag — see below.
Added: Ring wrap-csrf for handlers outside the interceptor stack
The http-csrf-protection interceptor only protects handlers that run through the default interceptor stack. Apps that mount their own routes as a Ring handler in front of the platform handler bypass CSRF entirely: csrf/token is never bound (so hidden-field and the <meta> tag emit nothing) and POSTs are never validated (BOU-59).
boundary-platform now ships interceptors/wrap-csrf, the Ring-middleware form of the interceptor. It applies the same binding model and rules — session/pre-session binding, opt-in enforcement, exempt paths, safe methods skipped. State-changing requests get a 403 on a bad or absent token; safe and authenticated requests get csrf/token bound around the handler so forms, hx-headers, and the page layout’s <meta> tag emit the token as usual.
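The rules listed above, written out as a stand-alone Ring middleware. This is an added sketch, not boundary-platform's `interceptors/wrap-csrf` or its API. The option names, the `x-csrf-token` header, the `[:session :csrf-token]` location, the safe-method set and the `*token*` var are assumptions, and pre-session binding is left out.

```clojure
(ns example.csrf-sketch
  (:import (java.security MessageDigest)))

;; Hypothetical stand-in for the platform's csrf/token binding.
(def ^:dynamic *token* nil)

;; Assumed set of "safe" methods that skip validation.
(def safe-methods #{:get :head :options})

(defn- token-eq?
  "Constant-time comparison; false when either side is missing."
  [^String a ^String b]
  (boolean
   (and a b
        (MessageDigest/isEqual (.getBytes a "UTF-8") (.getBytes b "UTF-8")))))

(defn wrap-csrf-sketch
  "Ring middleware. Option names are assumptions of this sketch:
   :enabled?     enforce validation (default false, i.e. opt-in)
   :exempt-paths set of URIs that skip validation"
  [handler {:keys [enabled? exempt-paths]
            :or   {enabled? false exempt-paths #{}}}]
  (fn [request]
    (let [expected  (get-in request [:session :csrf-token])
          submitted (get-in request [:headers "x-csrf-token"])
          skip?     (or (not enabled?)
                        (contains? safe-methods (:request-method request))
                        (contains? exempt-paths (:uri request)))]
      (if (or skip? (token-eq? expected submitted))
        ;; Bind the token around the handler so templates can emit it.
        (binding [*token* expected]
          (handler request))
        {:status  403
         :headers {"Content-Type" "text/plain"}
         :body    "Invalid or missing CSRF token"}))))

;; The app's own routes, wrapped before being mounted in front of the platform handler.
(def app
  (wrap-csrf-sketch
   (fn [_] {:status 200 :headers {} :body (str "token=" *token*)})
   {:enabled? true :exempt-paths #{"/webhooks/inbound"}}))

(defn demo-statuses
  "Runs four constructed requests through `app` and returns their statuses."
  []
  (let [sess {:csrf-token "constructed-token"}]
    (mapv (comp :status app)
          [{:request-method :get  :uri "/orders" :session sess :headers {}}
           {:request-method :post :uri "/orders" :session sess :headers {}}
           {:request-method :post :uri "/orders" :session sess
            :headers {"x-csrf-token" "constructed-token"}}
           {:request-method :post :uri "/webhooks/inbound" :headers {}}])))
```

In this sketch the token is a dynamic binding, so a response body rendered lazily after the handler returns will not see it.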
Fixed: reliable, guarded Clojars publish
The Clojars artifact published as 1.0.1-alpha-28 predated the BOU-56 merge while the git tag contained it, so the jar on Clojars did not match the tag. Root cause: the publish workflow triggered on v*-prefixed tags, but releases use unprefixed tags (1.0.1-alpha-N), so it never fired and releases were done manually. In that manual process, a version bump made ahead of the merged source froze a stale jar under an immutable coordinate (BOU-59).
The publish pipeline is now tag-triggered, guarded, and verified:
- publish.yml triggers on the real unprefixed semver tags and builds from the tagged commit.
- Before deploy, bb deploy --check-versions aborts if any library’s build.clj disagrees with the release version — killing the stale-artifact failure class.
- After deploy, bb deploy --verify fails the workflow if any artifact is not live on Clojars.
alpha-29 is the first release through the fixed pipeline. It re-ships the BOU-56 CSRF deltas — the hx-headers helper and the opt-in (:enabled? false) default — that the stale alpha-28 Clojars artifact never carried.
Version alignment
All 25 libraries bumped to v1.0.1-alpha-29 to maintain lockstep versioning.
Upgrade
Re-run the installer to pick up the latest release:
curl -fsSL https://get.boundary-app.org | bash
If you depend on alpha-28 from Clojars, bump straight to alpha-29 — it is the artifact alpha-28 was supposed to be, plus wrap-csrf. No migration steps beyond those already described in the alpha-28 notes.
Feedback and issues welcome on GitHub.