chore(release): bump cli 0.32.0, acton 0.31.0, backend 0.12.0 #65
Merged
Release rolling up the production-audit gap PRs (#61, #62, #63, #64).

BREAKING (pre-1.0 minor):

- schema-forge-backend 0.11 → 0.12
  - AuthStore trait gains required `record_login(username, at)` method. Downstream impls must add it.
- schema-forge-acton 0.30 → 0.31
  - DynAuthStore trait gains required `record_login` shim.
  - `access::filter_entity_fields` now returns `Vec<String>` (dropped field names) instead of `()`. Callers binding the return value must update.
rrrodzilla added a commit that referenced this pull request May 28, 2026
* feat(auth): add GET /auth/me principal endpoint (#70)

  Surfaces the resolved principal to clients that cannot decrypt the PASETO: user_id (the User entity id), email, display_name, roles, the user's full tenant membership set (tenant_chain), the active tenant, and the projected principal_claims. This is the client-side anchor for 'signed in as / current org' chrome and a tenant switcher, removing the racy email->user_id lookup.

  Scope decision — switch-tenant uses what #67 shipped: #67 made the active tenant a per-request 'X-Active-Tenant: <type>:<id>' header resolved by the tenant_scope middleware, not a token claim. Switching tenants therefore needs no new token and no /auth/switch-tenant endpoint: the client sends a different header. /auth/me reports active_tenant by honoring that same header (valid member -> that tenant; sole membership -> implied; else null), and returns the header name so clients don't hard-code it.

  - tenant_scope middleware now skips /forge/auth/* so /auth/me returns the FULL membership set (the multi-membership header requirement would otherwise 400 exactly the users it serves); this also keeps /auth/refresh usable for multi-membership users.
  - resolve_active_tenant is a pure, unit-tested helper; parse_active_tenant reused from tenant_scope (no duplicate grammar).
  - Tests: 7 unit (resolver + serde shape) + 4 integration (full membership set, header-resolved active tenant, non-member header -> null, no-claims -> 401).

  No version bump (release bumps land separately, per #65). No public trait changes — reuses the list_tenant_memberships added in #67.

* docs(auth): document GET /auth/me in the tenant-chain contract (#70)

  Add §10.7 to principal-claims-reference.md covering /auth/me as the client-side read of the X-Active-Tenant contract: full membership set, header-mirrored active_tenant resolution, tenant_scope exemption, and that switching uses the shipped header (no switch-tenant endpoint / no active-tenant claim). Cross-link from §10.2.
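The active-tenant rule stated in the commit message above (valid member -> that tenant; sole membership -> implied; else null), sketched as an added example that is not the project's code. The function names echo the commit message, but the `TenantRef` type, the signatures, the split-on-first-colon grammar, and treating a malformed header as null are assumptions; the tenant values are constructed.

```rust
// Added illustration: types and signatures are assumptions, not schema-forge's API.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct TenantRef {
    pub kind: String, // "<type>" part of the header value
    pub id: String,   // "<id>" part of the header value
}

/// Parse an `X-Active-Tenant` value of the form `<type>:<id>`.
/// Assumed grammar: split on the first ':'; both parts must be non-empty.
pub fn parse_active_tenant(raw: &str) -> Option<TenantRef> {
    let (kind, id) = raw.trim().split_once(':')?;
    if kind.is_empty() || id.is_empty() {
        return None;
    }
    Some(TenantRef { kind: kind.to_string(), id: id.to_string() })
}

/// Header naming a tenant the principal belongs to -> that tenant.
/// No header and exactly one membership -> that membership is implied.
/// Everything else (non-member, malformed, ambiguous) -> None, i.e. JSON null.
pub fn resolve_active_tenant(
    header: Option<&str>,
    memberships: &[TenantRef],
) -> Option<TenantRef> {
    match header {
        Some(raw) => {
            // The header is client input: it only selects among memberships
            // the server already resolved, it never grants one.
            let requested = parse_active_tenant(raw)?;
            memberships.iter().find(|m| **m == requested).cloned()
        }
        None if memberships.len() == 1 => memberships.first().cloned(),
        None => None,
    }
}

fn main() {
    // Constructed sample memberships.
    let t = |k: &str, i: &str| TenantRef { kind: k.into(), id: i.into() };
    let multi = vec![t("org", "acme"), t("org", "globex")];
    for h in [Some("org:globex"), Some("org:initech"), Some("bogus"), None] {
        println!("{:?} -> {:?}", h, resolve_active_tenant(h, &multi));
    }
    println!("sole -> {:?}", resolve_active_tenant(None, &multi[..1]));
}
```
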
Summary

Release bump rolling up the production-audit gap PRs (#61, #62, #63, #64).

- `AuthStore::record_login` required method (#61)
- `DynAuthStore::record_login` shim + `filter_entity_fields` return type change (#61, #63)

Pre-1.0 minor bumps per CHANGELOG convention. Release tag will be `v0.32.0` after merge.

Test plan

- `cargo update -w` clean
- `cargo check --workspace --features schema-forge-acton/surrealdb` clean