feat: Implement PKCE authentication for IndieLogin.com

This fixes critical IndieAuth authentication by implementing PKCE (Proof Key
for Code Exchange) as required by IndieLogin.com API specification.

Added:
- PKCE code_verifier and code_challenge generation (RFC 7636)
- Database column: auth_state.code_verifier for PKCE support
- Issuer validation for authentication callbacks
- Comprehensive PKCE unit tests (6 tests, all passing)
- Database migration script for code_verifier column

Changed:
- Corrected IndieLogin.com API endpoints (/authorize and /token)
- State token validation now returns code_verifier for token exchange
- Authentication flow follows IndieLogin.com API specification exactly
- Enhanced logging with code_verifier redaction

Removed:
- OAuth metadata endpoint (/.well-known/oauth-authorization-server)
  Added in v0.7.0 but not required by IndieLogin.com
- h-app microformats markup from templates
  Modified in v0.7.1 but not used by IndieLogin.com
- indieauth-metadata link from HTML head

Security:
- PKCE prevents authorization code interception attacks
- Issuer validation prevents token substitution attacks
- Code verifier securely stored, redacted in logs, and single-use

Documentation:
- Version: 0.8.0
- CHANGELOG updated with v0.8.0 entry and v0.7.x notes
- ADR-016 and ADR-017 marked as superseded by ADR-019
- Implementation report created in docs/reports/
- Test update guide created in TODO_TEST_UPDATES.md

Breaking Changes:
- Users mid-authentication will need to restart login after upgrade
- Database migration required before deployment

Related: ADR-019

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

CHANGELOG.md

@@ -7,8 +7,68 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.8.0] - 2025-11-19
+
+### Fixed
+- **CRITICAL**: Fixed IndieAuth authentication to work with IndieLogin.com API
+- Implemented required PKCE (Proof Key for Code Exchange) for security
+- Corrected IndieLogin.com API endpoints (/authorize and /token instead of /auth)
+- Added issuer validation for authentication callbacks
+
+### Added
+- PKCE code_verifier generation and storage
+- PKCE code_challenge generation (SHA256, base64-url encoded)
+- Database column: auth_state.code_verifier for PKCE support
+- Database migration script: migrations/001_add_code_verifier_to_auth_state.sql
+- Comprehensive PKCE unit tests (6 tests, all passing)
+
+### Removed
+- OAuth Client ID Metadata Document endpoint (/.well-known/oauth-authorization-server)
+  - Added in v0.7.0 but unnecessary for IndieLogin.com
+  - IndieLogin.com does not use OAuth client discovery
+- h-app microformats markup from templates
+  - Modified in v0.7.1 but unnecessary for IndieLogin.com
+  - IndieLogin.com does not parse h-app for client identification
+- indieauth-metadata link from HTML head
+
+### Changed
+- Authentication flow now follows IndieLogin.com API specification exactly
+- Database schema: auth_state table includes code_verifier column
+- State token validation now returns code_verifier for token exchange
+- Token exchange uses /token endpoint (not /auth)
+- Authorization requests use /authorize endpoint (not /auth)
+
+### Security
+- PKCE prevents authorization code interception attacks
+- Issuer validation prevents token substitution attacks
+- Code verifier securely stored and single-use
+- Code verifier redacted in logs for security
+
+### Breaking Changes
+- Users mid-authentication when upgrading will need to restart login (state tokens expire in 5 minutes)
+- Existing state tokens without code_verifier will be invalid (intentional security improvement)
+
+### Notes
+- **v0.7.0**: OAuth metadata endpoint added based on misunderstanding of requirements. This endpoint was never functional for our use case and is removed in v0.8.0.
+- **v0.7.1**: h-app visibility changes attempted to fix authentication but addressed wrong issue. h-app discovery not used by IndieLogin.com. Removed in v0.8.0.
+- **v0.8.0**: Correct implementation based on official IndieLogin.com API documentation.
+
+### Related Documentation
+- ADR-019: IndieAuth Correct Implementation Based on IndieLogin.com API
+- Design Document: docs/designs/indieauth-pkce-authentication.md
+- ADR-016: Superseded (h-app client discovery not required)
+- ADR-017: Superseded (OAuth metadata not required)
+
+### Migration Notes
+- Database migration required: Add code_verifier column to auth_state table
+- See migrations/001_add_code_verifier_to_auth_state.sql for SQL
+- See docs/designs/indieauth-pkce-authentication.md for full implementation guide
+
 ## [0.7.1] - 2025-11-19
 
+### Known Issues
+- **IndieAuth authentication still broken**: This release attempted to fix authentication by making h-app visible, but IndieLogin.com does not parse h-app. Missing PKCE implementation is the actual issue. Fixed in v0.8.0.
+
 ### Fixed
 - **IndieAuth h-app Visibility**: Removed `hidden` and `aria-hidden="true"` attributes from h-app microformat markup
   - h-app was invisible to IndieAuth parsers, preventing proper client discovery
@@ -17,6 +77,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [0.7.0] - 2025-11-19
 
+### Known Issues
+- **IndieAuth authentication still broken**: This release attempted to fix authentication by adding OAuth metadata endpoint, but this is not required by IndieLogin.com. Missing PKCE implementation is the actual issue. Fixed in v0.8.0.
+
 ### Added
 - **IndieAuth Detailed Logging**: Comprehensive logging for authentication flows
 - Logging helper functions with automatic token redaction (_redact_token, _log_http_request, _log_http_response)