Skip to content

Commit d14282e

Browse files
ksroda-saclaude
andauthored
docs: rewrite README warning section (#179)
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent 2890ff5 commit d14282e

1 file changed

Lines changed: 3 additions & 19 deletions

File tree

README.md

Lines changed: 3 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -24,9 +24,9 @@ Code snippets from these samples are extracted automatically and embedded in the
2424
2. Copy `.env.example` (or the framework's equivalent like `local.example.properties` for Android, `Config.example.xcconfig` for iOS) to the real filename and fill in your CIAM workspace's client ID, issuer URL, redirect URI, and scopes.
2525
3. Follow the sample's own `README.md` for run instructions and any framework-specific setup (Node version, JDK, Xcode, Android SDK, etc.).
2626

27-
## ⚠️ Not production-ready
27+
## Before you ship
2828

29-
These samples illustrate **one** working approach to integrating each framework with CIAM. They are intentionally minimal — small enough to read end-to-end and copy into a new project — and deliberately skip concerns that any real-world deployment must address, including (but not limited to):
29+
These samples are intentionally minimal — small enough to read end-to-end — and skip concerns that real deployments need to address, including:
3030

3131
- Hardening against the full OAuth/OIDC and SAML threat models (replay protection, token binding, audience/issuer validation beyond the library defaults, key rotation, etc.)
3232
- Comprehensive input validation and error handling
@@ -37,7 +37,7 @@ These samples illustrate **one** working approach to integrating each framework
3737
- Localization, accessibility, theming, and broader UX
3838
- Build, packaging, signing, and release pipelines
3939

40-
Treat the code as a starting point for your own implementation. Before deploying anything derived from these samples, review the relevant SecureAuth product documentation and conduct your own security review against the threat model that applies to your application. The samples are provided **AS IS** under the terms of the [LICENSE](LICENSE), without warranty of any kind.
40+
Treat the code as a starting point. Review the relevant SecureAuth product documentation and run your own security review before shipping. Provided **AS IS** under the [LICENSE](LICENSE).
4141

4242
## Repository layout
4343

@@ -57,22 +57,6 @@ scripts/ # Snippet extraction + manifest validation tools
5757

5858
Each sample is self-contained — its own build file, no shared library code — so copying a sample into your own project is a single directory move.
5959

60-
## How samples are structured
61-
62-
Source files have `@snippet:stepN:start` and `@snippet:stepN:end` markers around the lines that matter for that step. The extraction script in `scripts/` collects these into `snippets.json` for the dashboard. A per-framework `manifest.yaml` (e.g. `samples/react/manifest.yaml`) declares which scenarios the framework supports and what config rows the dashboard should display.
63-
64-
## Adding a new sample
65-
66-
1. Create `samples/<framework>/<flow>/` with a minimal working app
67-
2. Tag relevant source lines with `@snippet:stepN:start/end` and `@description` comments
68-
3. Add an entry under `scenarios:` in the framework's `manifest.yaml`
69-
4. Run `cd scripts && yarn all` to regenerate `snippets.json` + `snippet-manifest.yaml` and validate the structure
70-
5. Open a PR — per-framework CI workflows build the sample and confirm extraction stays consistent
71-
72-
## CI
73-
74-
Per-framework test workflows live in [.github/workflows/](.github/workflows/). Each workflow is path-aware: a PR only runs the matrix entries for samples whose subtree actually changed. Each workflow ends with a stable `<Framework> tests passed` aggregator job that's suitable for required-status-check gating.
75-
7660
## Reporting issues
7761

7862
- Bugs and feature requests: [open an issue](../../issues/new).

0 commit comments

Comments
 (0)