2.3.0

What's Changed

• feat: Fine-Grained Authorization with Keycloak-Core Policy Engine by @lakhansamani in #607
• chore(authz): consistent authz prefix on admin GraphQL ops; my_permissions → permissions by @lakhansamani in #610
• Chore/authz graphql naming consistency by @lakhansamani in #611
• chore: CNCF Sandbox prep — community files + Apache-2.0 relicense by @lakhansamani in #612
• chore: use quay for docker image registry by @lakhansamani in #613
• Chore use quay by @lakhansamani in #622
• security: remediate dependency vulnerabilities across Go and npm by @lakhansamani in #623
• fix: trigger scorecard on default branch events, not releases by @lakhansamani in #624
• feat(authz): replace bespoke FGA with embedded OpenFGA ReBAC engine by @lakhansamani in #625
• ci: publish proto schema to the Buf Schema Registry by @lakhansamani in #627
• fix(storage): drop stale unique email/phone constraints on upgrade by @lakhansamani in #628
• ci: avoid duplicate workflow runs across PR and merge by @lakhansamani in #630
• fix(storage): clear legacy unique email/phone objects name-agnostically (< 2.3.0 upgrades) by @lakhansamani in #629
• fix(storage): silence GORM logger in legacy-uniqueness cleanup (fixes smoke mcp_stdio) by @lakhansamani in #632
• feat(api): AuthorizerAdmin service (gRPC + REST) + module-wide lint gate by @lakhansamani in #631
• ci: bump GitHub Actions to Node 24 runtimes by @lakhansamani in #633
• build(docker): expose gRPC port 9091 by @lakhansamani in #634
• feat(api)!: serve all auth ops on gRPC/REST + flatten response envelope by @lakhansamani in #635
• feat(grpc): auth interceptor, authctx principal, and client metadata helpers by @lakhansamani in #636

Full Changelog: 2.2.1...2.3.0