fix(auth): allow auth 0.3 peer consumers

[Jess Sullivan (Jesssullivan)]

Summary

• Release metadata bump to @tummycrypt/tinyland-security@0.3.1 / tummycrypt_tinyland_security@0.3.1.
• Broaden @tummycrypt/tinyland-auth peer compatibility to ^0.2.2 || ^0.3.0.
• Validate against @tummycrypt/tinyland-auth@0.3.0 and update the Bazel module edge to tummycrypt_tinyland_auth@0.3.0.

Evidence

• pnpm typecheck passed.
• pnpm build passed.
• pnpm test passed: 119 tests.
• pnpm check:package passed.
• bazel build //:pkg //:test passed.

Context

• elders currently consumes @tummycrypt/tinyland-auth@0.3.0; this removes the false peer warning while preserving the existing 0.2.2+ consumer range.

[greptile-apps]

Greptile Summary

This PR is a patch-level release (0.3.0 → 0.3.1) that broadens the @tummycrypt/tinyland-auth peer range from ^0.2.2 to ^0.2.2 || ^0.3.0 and updates the Bazel module edge and lockfile to match 0.3.0. The change is minimal and targeted, and all stated CI checks pass.

Confidence Score: 4/5

Safe to merge; changes are limited to metadata, dependency range, and lockfile with no logic changes.

Only P2 findings present — devDependencies tracks 0.3.0 while peer range claims 0.2.2 compatibility, but this is common practice and poses no immediate runtime risk.

package.json — devDependency/peerDependency version gap.

Important Files Changed

Filename	Overview
MODULE.bazel	Bumps module version to 0.3.1 and updates tummycrypt_tinyland_auth bazel_dep to 0.3.0; straightforward and consistent with the npm changes.
package.json	Version bumped to 0.3.1; peerDependencies broadened to ^0.2.2
pnpm-lock.yaml	Lock file updated to resolve @tummycrypt/tinyland-auth@0.3.0 with new integrity hash; no anomalies.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["@tummycrypt/tinyland-security@0.3.1\n(peerDependencies)"]
    B["@tummycrypt/tinyland-auth@0.2.2+\n(^0.2.2)"]
    C["@tummycrypt/tinyland-auth@0.3.0+\n(^0.3.0)"]
    D["devDependencies / Bazel\n(tests against 0.3.0 only)"]

    A -->|"accepts (peer)"| B
    A -->|"accepts (peer)"| C
    D -->|"resolves"| C

    style B fill:#ffe0b2,stroke:#e65100
    style C fill:#c8e6c9,stroke:#2e7d32
    style D fill:#e3f2fd,stroke:#1565c0

Loading

_{Reviews (1): Last reviewed commit: "fix(auth): allow auth 0.3 peer consumers" | Re-trigger Greptile}

[greptile-apps]

Dev dep only tests against 0.3.0, not 0.2.2

devDependencies was bumped to ^0.3.0 while peerDependencies still claims ^0.2.2 compatibility. This means CI validates only against 0.3.0; any regression for 0.2.x consumers would go undetected. Consider keeping a matrix test or at least running a secondary resolve against ^0.2.2 to confirm the claimed peer range holds.

[Jess Sullivan (Jesssullivan)]

Reality check on the peer matrix concern:

• This PR intentionally moves the package dev/Bazel validation to @tummycrypt/tinyland-auth@0.3.0 because elders is already consuming auth 0.3.0.
• The ^0.2.2 side of the peer range is not newly introduced here; it is the existing published compatibility range from 0.3.0. The PR only preserves it while adding 0.3.x.
• Current source/tests do not import runtime APIs from @tummycrypt/tinyland-auth (rg over src/ and tests/ shows no imports), so the peer is optional metadata/integration compatibility rather than an active runtime dependency in this package test suite.
• Existing main/release CI has already validated this package state with auth 0.2.2; this PR adds validation against auth 0.3.0 through pnpm and Bazel.

Given that context, I am treating this as acknowledged residual matrix coverage rather than a blocker for the metadata compatibility patch.