v0.5.0
The auth release. Scaffolded auth-jwt services gain staff roles and RBAC, a new
internalauth capability secures service-to-service calls behind the gateway, and
maestro is now MIT licensed.
Added
- RBAC in the auth-jwt preset. A
users.rolestaff tier flows into the
access-tokenroleclaim and is enforced withginx.RequireRole. Staff roles
are MFA-gated: a role is only asserted when TOTP MFA is active, so a stolen
password can never mint a staff token. internalauthcapability. Gateway-to-service identity. The gateway mints a
short-lived ES256 assertion inX-Internal-Auth, services verify it with the
gateway's public key, and internal hops forward it. Includes zero-downtime key
rotation and a boot self-test. Opt-in, delivered by the api-gateway preset.ginx.VerifyGatewayandginx.RequireRolemiddleware, plus gateway
identity headers, so a service behind the gateway derives a trusted caller and
staff tier from a verified assertion.- jwtx gains
Verifier.WithLeewayfor clock-skew tolerance on short-lived
cross-host tokens, flexible raw-or-base64 EC key parsing, and aroleclaim. - mailer gains message attachments, for shipping a file such as a calendar
.ics.
Fixed
- Generated
main.godiscards thelog.Syncerror explicitly, so a fresh
project no longer fails its own scaffolded errcheck lint on the first CI run.
Affects the http, grpc, and worker service shapes. - The project init walker now rewrites cross-package imports in shipped starter
packages, so a starter that imports a sibling resolves against the project
module instead of maestro.
Changed
- Relicensed from proprietary to MIT.
ginx.AuthMiddleware's verify callback now also returns the caller's staff
role. The generated auth service was updated in lockstep, so new projects stay
consistent.
Compatibility
- New projects scaffolded on 0.5.0 include the RBAC schema and middleware.
Projects generated on 0.4.0 keep working as-is. There is no forced migration.