v0.2.0 Release Notes

Release Date: 2026-03-08

CoreForge v0.2.0 introduces SpiceDB for Zanzibar-style relationship-based access control (ReBAC), a principal-based identity model, and SCIM 2.0 user provisioning. This release also removes the Casbin authorization provider in favor of SpiceDB.

Highlights

• SpiceDB authorization provider for Zanzibar-style relationship-based access control (ReBAC)
• Principal-based identity model supporting humans, agents, applications, and service principals
• SCIM 2.0 user provisioning with filter, patch, and bulk operations
• Identity-authorization sync automatically maintains SpiceDB relationships on identity changes

What's New

SpiceDB Authorization

A complete SpiceDB integration for fine-grained, relationship-based access control:

• Embedded mode for development with in-memory or PostgreSQL datastores
• Remote mode for production SpiceDB clusters
• BaseSchema providing organization and platform permission models
• ResourceSchema() helper for defining custom resource types
• RelationshipSyncer interface for identity lifecycle integration
• Integration tests with embedded SpiceDB server

Principal-Based Identity

A unified identity model supporting multiple principal types:

• Human principals with email, password hash, locale, timezone, and avatar
• Agent principals for AI/bot identities
• Application principals for OAuth client applications
• ServicePrincipal for service-to-service authentication
• PrincipalMembership for organization role assignments
• PrincipalToken for token lifecycle management

SCIM 2.0 Provisioning

Standards-compliant user provisioning for enterprise identity management:

• User CRUD endpoints following SCIM 2.0 specification
• Filter support for querying users by attributes
• Patch operations with CoreForge-compliant handling
• Bulk operations for batch user management
• Enterprise extension support for department, manager, etc.

Coreauth Authentication Server

A standalone authentication server built on Fosite:

• OAuth 2.0 endpoints for authorization, token, and introspection
• OIDC discovery and JWKS endpoints
• Principal integration with the new identity model
• CLI tool for server and key management operations

Identity-Authorization Sync

Automatic synchronization between identity and authorization layers:

• RelationshipSyncer interface for abstracting sync operations
• SpiceDB syncer implementation with batch support
• No-op syncer for deployments without SpiceDB
• Strict and eventual sync modes for consistency trade-offs
• Organization service wiring for membership sync
• Principal service wiring for lifecycle sync

Breaking Changes

Casbin Removal

The Casbin authorization provider has been removed. Applications using Casbin should migrate to either:

• SpiceDB provider for relationship-based access control
• Simple provider for basic role hierarchy checks

Migration steps:

1. Replace authz/casbin imports with authz/spicedb
2. Update provider initialization to use SpiceDB
3. Define SpiceDB schema for your resource types
4. Migrate existing policies to SpiceDB relationships

Identity Model Changes

The identity model has been refactored to use principals:

• User entity renamed to Human (principal subtype)
• Membership replaced by PrincipalMembership
• New Principal entity as unified identity root

Installation

go get github.com/grokify/coreforge@v0.2.0

Quick Start: SpiceDB

package main

import (
    "context"
    "github.com/grokify/coreforge/authz/spicedb"
)

func main() {
    // Create embedded SpiceDB client (development)
    client, err := spicedb.NewClient(spicedb.Config{
        Mode: spicedb.ModeEmbedded,
        EmbeddedConfig: &spicedb.EmbeddedConfig{
            Datastore: "memory",
        },
    })
    if err != nil {
        panic(err)
    }
    defer client.Close()

    // Write schema
    schema := spicedb.BaseSchema + spicedb.ResourceSchema("document")
    if err := client.WriteSchema(context.Background(), schema); err != nil {
        panic(err)
    }

    // Create provider
    provider := spicedb.NewProvider(client)

    // Check permission
    allowed, err := provider.Can(ctx, principal, "view", resource)
}

Quick Start: Principal Identity

package main

import (
    "context"
    "github.com/grokify/coreforge/identity/principal"
)

func main() {
    svc := principal.NewService(entClient)

    // Create human principal
    human, err := svc.CreateHuman(ctx, principal.CreateHumanInput{
        Email:           "user@example.com",
        DisplayName:     "Example User",
        IsPlatformAdmin: false,
    })
}

Migration Guide

From v0.1.0

1. Update imports: Replace authz/casbin with authz/spicedb or authz/simple
2. Update identity code: Use Human instead of User, PrincipalMembership instead of Membership
3. Add SpiceDB schema: Define your resource types using BaseSchema and ResourceSchema()
4. Wire syncer: Inject RelationshipSyncer into identity services

SpiceDB Setup

For production, deploy SpiceDB separately:

# docker-compose.yml
services:
  spicedb:
    image: authzed/spicedb:latest
    command: serve
    environment:
      SPICEDB_GRPC_PRESHARED_KEY: your-secret-key
      SPICEDB_DATASTORE_ENGINE: postgres
      SPICEDB_DATASTORE_CONN_URI: postgres://...
    ports:
      - "50051:50051"

Configure CoreForge to connect:

client, err := spicedb.NewClient(spicedb.Config{
    Mode:     spicedb.ModeRemote,
    Endpoint: "localhost:50051",
    Token:    "your-secret-key",
    Insecure: true, // For development only
})

Documentation

• SpiceDB Setup Guide
• SpiceDB Schema Reference
• Authorization Integration
• Identity Module
• SCIM 2.0 Provisioning

What's Next

Future releases will include:

• Cedar authorization provider (alternative to SpiceDB)
• Redis-backed feature flag store
• SAML/OIDC enterprise SSO
• WebAuthn hardware security key binding
• Audit logging for authorization decisions

Links

• GitHub Repository
• Full Changelog
• Issue Tracker