v1.0.0 — Identity, accounts & read endpoints

First release of glueful/users — the first-party identity store and account
lifecycle for Glueful — now including config-driven account read endpoints.

Endpoints

• GET /me — authenticated principal's account + nested profile (always on).
• GET /users/{uuid} — another user's account + public profile. Off by default
  (USERS_USER_LOOKUP_ENABLED=true), requires users.read.
• GET /users — paginated list + nested public profile. Off by default
  (USERS_USER_LOOKUP_ENABLED=true and USERS_USER_LIST_ENABLED=true), requires
  users.read. Supports ?page/?per_page (clamped), per-item ?fields=, and
  ?filter[...]/?sort/?search over username + profile name.

Also in 1.0.0 (foundation)

• First-party user store (users + profiles) and UserRepository.
• Identity seam (UserProvider → core UserProviderInterface).
• Account-lifecycle endpoints (/auth email verification + password recovery).
• Email-PIN two-factor authentication (/2fa, TWO_FACTOR_ENABLED).

Highlights

• Safe by default — per-audience exposable columns, hard denylist
  (password/deleted_at/user_uuid), custom profiles columns opt-in only.
• Field selection — prune-only REST dot-paths; disallowed fields omitted (never a
  400); all-disallowed → {}.
• List safety — single LEFT JOIN (no N+1); soft-deleted profiles never affect
  membership or ordering; email filtering gated; status not filterable by default.

Configuration

Env	Default	Effect
USERS_USER_LOOKUP_ENABLED	false	Enables GET /users/{uuid}
USERS_USER_LIST_ENABLED	false	Enables GET /users (also needs lookup on)
USERS_USER_LIST_ALLOW_EMAIL_FILTER	false	Allow email in list filter/search

Exposable columns are configured in config/users.php (copy into your app's config/
to override).

Requirements

• PHP 8.3+
• glueful/framework ^1.50.1
• glueful/email-notification (suggested) for password-reset / verification delivery

Full changelog: see CHANGELOG.md.