
1.50.0 — Kochab


@MichaelSowah MichaelSowah released this 04 Jun 22:09
· 115 commits to main since this release
bb7b9b7

Theme: Provider-agnostic identity & core-owned schema. The concrete user store is extracted to the first-party
glueful/users extension behind UserProviderInterface/UserIdentity, leaving a lean, swappable core that's
safe-by-default. The framework now owns the schema for its own subsystems — the auth security spine plus DB-backed
platform capabilities (queue, scheduler, notifications, metrics, locks, uploads, archive) — as first-class,
config-gated, source-tracked migrations, replacing lazy runtime DDL. Also: a declarative permission catalog with
drift/sync tooling, ordered package-scoped migrations, and column-aware soft-delete.

⚠️ Breaking

Applications must enable a user store — install + enable glueful/users (the api-skeleton does so by default).
Without one, core binds the fail-closed NullUserProvider and authentication is disabled by design. See
docs/IDENTITY.md.

Added

  • Declarative permission catalog (Permission/Role DTOs, ServiceProvider::permissions()/roles() hooks,
    validated PermissionRegistry).
  • Permission visibility & sync CLI: permissions:list, permissions:diff, permissions:sync [--prune].
  • Permission ergonomics: voters()/policies() hooks; actingWithPermissions()/actingWithRoles() +
    InMemoryPermissionProvider.
  • Identity seam: immutable UserIdentity, UserProviderInterface, IdentityClaimsProviderInterface, fail-closed
    NullUserProvider, IdentityResolver.
  • Ordered, package-scoped migrations: MigrationPriority tiers + source-tracked migrations table.
  • Core-owned security-spine schema (auth_sessions, auth_refresh_tokens, api_keys) and config-gated
    platform-capability migrations (config/capabilities.php).
  • TwoFactorServiceInterface so 2FA can be provided by an extension behind a core contract.

Changed

  • Attribute enforcement routes through PermissionManager::can() (single entry point).
  • Column-aware soft-delete on writes.
  • AuthenticatedUser removed — UserIdentity is the one runtime identity.
  • api_keys.user_id → user_uuid.
  • No runtime DDL for queue/scheduler/notifications/metrics — schema owned by core migrations (php glueful migrate:run).

Removed

  • The concrete user store (Glueful\Models\User, UserRepository, in-core UserProvider,
    2FA/email-verification/account CLI) — extracted to glueful/users.