docs(release): Prepare documentation for v0.27.0

CHANGELOG.md

@@ -5,6 +5,14 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.27.0] - 2026-03-06
+
+### Added
+- Added global `SECRET_VALUE_SIZE_LIMIT_BYTES` (default 512KB) to prevent DoS attacks via excessively large secret payloads.
+- Added global HTTP request payload size limit middleware (`MAX_REQUEST_BODY_SIZE`, default 1MB).
+- Added Auth Token Revocation endpoints (`DELETE /v1/token`, `DELETE /v1/clients/:id/tokens`), state tracking in the database, and `purge-auth-tokens` CLI command.
+- Added optional AEAD `context` parameter for Transit key encryption and decryption to cryptographically bind ciphertext to additional context data.
+
 ## [0.26.0] - 2026-03-04
 
 ### Added
@@ -433,6 +441,7 @@ If you are using `sslmode=disable` (PostgreSQL) or `tls=false` (MySQL) in produc
 - Security model documentation
 - Architecture documentation
 
+[0.27.0]: https://github.com/allisson/secrets/compare/v0.26.0...v0.27.0
 [0.26.0]: https://github.com/allisson/secrets/compare/v0.25.0...v0.26.0
 [0.25.0]: https://github.com/allisson/secrets/compare/v0.24.0...v0.25.0
 [0.24.0]: https://github.com/allisson/secrets/compare/v0.23.0...v0.24.0

cmd/app/main.go

@@ -12,7 +12,7 @@ import (
 
 // Build-time version information (injected via ldflags during build).
 var (
-	version   = "v0.26.0" // Semantic version with "v" prefix (e.g., "v0.12.0")
+	version   = "v0.27.0" // Semantic version with "v" prefix (e.g., "v0.12.0")
 	buildDate = "unknown" // ISO 8601 build timestamp
 	commitSHA = "unknown" // Git commit SHA
 )

docs/auth/authentication.md

@@ -100,6 +100,28 @@ Rate limiting note:
 - `POST /v1/token` is rate-limited per client IP when `RATE_LIMIT_TOKEN_ENABLED=true`
 - Protected endpoints called with issued tokens are rate-limited per authenticated client
 
+## Token Revocation
+
+Tokens can be revoked before they naturally expire. Revoked tokens are immediately rejected by the authentication middleware.
+
+**Revoke Current Token:**
+
+```bash
+curl -X DELETE http://localhost:8080/v1/token \
+  -H "Authorization: Bearer <current-token>"
+```
+
+**Revoke All Tokens for a Client:**
+
+Requires `delete` capability on `/v1/clients/:id/tokens`.
+
+```bash
+curl -X DELETE http://localhost:8080/v1/clients/<target-client-id>/tokens \
+  -H "Authorization: Bearer <admin-token>"
+```
+
+*Note: Expired and revoked tokens can be permanently deleted from the database using the `purge-auth-tokens` CLI command.*
+
 ## Account Lockout
 
 `POST /v1/token` enforces account lockout to prevent brute-force attacks.

docs/configuration.md

@@ -151,6 +151,12 @@ This timeout controls how long idle connections are kept open between requests.
 | High-security/low-trust | 5 | 5 | 30 | Aggressive timeouts reduce attack surface |
 | Large payload operations | 60 | 60 | 120 | Accommodate large secret transfers |
 
+### MAX_REQUEST_BODY_SIZE
+
+Maximum size of incoming HTTP request bodies in bytes (default: `1048576` - 1 MB).
+
+This limit protects the server from Denial-of-Service (DoS) attacks via excessively large payloads. Requests exceeding this limit receive a `413 Payload Too Large` error.
+
 ### LOG_LEVEL
 
 Logging level. Supported values: `debug`, `info`, `warn`, `error`, `fatal`, `panic` (default: `info`).