Skip to content

v0.5.0

Choose a tag to compare

@github-actions github-actions released this 03 Jul 12:03

The auth release. Scaffolded auth-jwt services gain staff roles and RBAC, a new
internalauth capability secures service-to-service calls behind the gateway, and
maestro is now MIT licensed.

Added

  • RBAC in the auth-jwt preset. A users.role staff tier flows into the
    access-token role claim and is enforced with ginx.RequireRole. Staff roles
    are MFA-gated: a role is only asserted when TOTP MFA is active, so a stolen
    password can never mint a staff token.
  • internalauth capability. Gateway-to-service identity. The gateway mints a
    short-lived ES256 assertion in X-Internal-Auth, services verify it with the
    gateway's public key, and internal hops forward it. Includes zero-downtime key
    rotation and a boot self-test. Opt-in, delivered by the api-gateway preset.
  • ginx.VerifyGateway and ginx.RequireRole middleware, plus gateway
    identity headers, so a service behind the gateway derives a trusted caller and
    staff tier from a verified assertion.
  • jwtx gains Verifier.WithLeeway for clock-skew tolerance on short-lived
    cross-host tokens, flexible raw-or-base64 EC key parsing, and a role claim.
  • mailer gains message attachments, for shipping a file such as a calendar
    .ics.

Fixed

  • Generated main.go discards the log.Sync error explicitly, so a fresh
    project no longer fails its own scaffolded errcheck lint on the first CI run.
    Affects the http, grpc, and worker service shapes.
  • The project init walker now rewrites cross-package imports in shipped starter
    packages, so a starter that imports a sibling resolves against the project
    module instead of maestro.

Changed

  • Relicensed from proprietary to MIT.
  • ginx.AuthMiddleware's verify callback now also returns the caller's staff
    role. The generated auth service was updated in lockstep, so new projects stay
    consistent.

Compatibility

  • New projects scaffolded on 0.5.0 include the RBAC schema and middleware.
    Projects generated on 0.4.0 keep working as-is. There is no forced migration.