v2.3.0 - MCP wedge deepening and enterprise feature parity
The "MCP wedge deepening and enterprise feature parity" release. Three major features close the gap with Auth0, Clerk, and Better-Auth.
Public API is additive with v2.2.0. Root go.mod gains zero new transitive deps; mcpresource untouched.
Highlights
Account linking + identity merge (#55)
Users can bind a new auth method to an existing account, or merge two accounts into one, behind mandatory step-up auth. Closes a gap every major auth library has.
- LinkOAuthToCurrentUser / LinkPasswordToCurrentUser / MergeAccounts
- HTTP endpoints under /account/identities (link, callback, password, merge, delete)
- New errors: ErrIdentityConflict, ErrStepUpRequired, ErrLastAuthMethod
- New audit events: identity.linked, identity.unlinked, account.merged
- 1,545 LOC, end-to-end tested
+8 OAuth providers, 12 total (#54)
Goth supports 35, Auth0 supports 50, Clerk supports 25. We just doubled.
- Apple (ES256 JWT client secret from .p8 key)
- Facebook, Slack, GitLab (self-hosted via BaseURL), Bitbucket, Twitch, LinkedIn, X (PKCE-mandatory)
- Each ships with its own examples/oauth-<provider>/ minimal demo
- 4,127 LOC across 36 files
SIEM audit streaming sinks (#53)
SIEM integration is a procurement requirement. We now ship three sink implementations with a stable AuditSink interface.
- audit/sinks/otlp -- OTLP/HTTP logs (own go.mod; root gains zero new deps)
- audit/sinks/splunkhec -- Splunk HEC envelope + token auth
- audit/sinks/webhook -- generic CloudEvents 1.0 POST with HMAC-SHA256 signature
- Per-sink WithRedactor option for stricter PII stripping
- Best-effort contract: failed sinks NEVER block storage writes
- New stats field Stats.AuditSinkFailed
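On the receiving side of the webhook sink, the HMAC-SHA256 signature should be checked over the raw body before the CloudEvents envelope is parsed. The following is an added example, not code from this project: the function names, the secret, the sample event and the hex encoding of the signature are assumptions, and this page does not say how the signature is transported.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// event holds the four attributes CloudEvents 1.0 requires, plus the payload.
type event struct {
	SpecVersion string          `json:"specversion"`
	ID          string          `json:"id"`
	Source      string          `json:"source"`
	Type        string          `json:"type"`
	Data        json.RawMessage `json:"data"`
}

// mac computes HMAC-SHA256 over the exact bytes received, before any parsing.
func mac(secret, body []byte) []byte {
	h := hmac.New(sha256.New, secret)
	h.Write(body)
	return h.Sum(nil)
}

// verifyEvent authenticates the raw body (sigHex: assumed hex), then checks the envelope.
func verifyEvent(secret, body []byte, sigHex string) (*event, error) {
	got, err := hex.DecodeString(sigHex)
	if err != nil || !hmac.Equal(got, mac(secret, body)) { // constant-time compare
		return nil, errors.New("invalid signature")
	}
	var ev event
	if err := json.Unmarshal(body, &ev); err != nil {
		return nil, fmt.Errorf("bad JSON: %w", err)
	}
	if ev.SpecVersion != "1.0" || ev.ID == "" || ev.Source == "" || ev.Type == "" {
		return nil, errors.New("missing required CloudEvents attribute")
	}
	return &ev, nil
}

func main() {
	secret := []byte("constructed-secret") // constructed sample values
	body := []byte(`{"specversion":"1.0","id":"evt-1","source":"/auth","type":"identity.linked","data":{}}`)
	ev, err := verifyEvent(secret, body, hex.EncodeToString(mac(secret, body)))
	fmt.Println(ev.Type, err)
}
```

Verifying the bytes as received, rather than a re-serialized copy of the parsed JSON, avoids mismatches caused by key ordering or whitespace.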
See CHANGELOG.md for the full entry.