# Changelog

## v1.0.0

Initial release.

### `authmw`

- `BagEnricher` type — `func(bag security.SecurityBag, r *http.Request) security.SecurityBag`; enriches the request-scoped SecurityBag after the base Identity is built. Register via `WithBagEnricher`. Multiple enrichers run in registration order, each receiving the bag returned by the previous one.
- `SetTokenData` — integration contract for provider packages (auth-jwt, auth-firebase). Stores uid and raw claims in context via typed keys; consumed by `EnrichmentMiddleware`.
- `GetClaims` — exported accessor for raw token claims stored by `SetTokenData`. Available to custom `IdentityEnricher` implementations and `ClaimsPermissionProvider`.
- `EnrichmentMiddleware` — builds a `security.SecurityBag` from uid+claims. Calls the application `IdentityEnricher`, wraps the Identity in a SecurityBag, runs all registered `BagEnricher` functions in order, then stores the bag via `security.SetBagInContext`. Accepts `logging.Logger`; routes errors through `httputil.Error` (401 on missing token, 500 on enricher failure).
- `AuthzMiddleware` — per-route permission gate. Returns 401 on missing identity, 403 on provider error or insufficient permissions (fail-closed).
- `IdentityEnricher` interface — implemented by the application to load user data from uid+claims.
- `EnrichOpt` type — `func(*enrichConfig)`.
- `WithTenantHeader(header string) EnrichOpt` — reads Identity.TenantID from a named request header. Implemented as a `BagEnricher` internally.
- `WithBagEnricher(fn BagEnricher) EnrichOpt` — registers a custom enricher. Use for any attribute beyond TenantID: hardware IDs, grant codes, etc.

### `rbac`

- `NewClaimsPermissionProvider` — reads pre-computed bitmasks from JWT claims in context. Flat format: `claims[claimsKey][resource] = mask`. Wildcard `"*"` fallback. Handles int64, float64, json.Number.
- `NewCachedPermissionProvider` — wraps any `security.PermissionProvider` with TTL caching. Default cache key: `"rbac:{uid}:{resource}"` (single-tenant) or `"rbac:{tenantID}:{uid}:{resource}"` (multi-tenant). TenantID sourced from the SecurityBag in context automatically. Accepts `...CachedOpt` for customization.
- `CachedOpt` type — `func(*cachedConfig)`.
- `WithCacheKey(fn func(security.SecurityBag, string, string) string) CachedOpt` — overrides the default cache key function. Use when additional bag attributes (hardware IDs, grant codes) must be part of the key.
- `NewChainPermissionProvider` — tries providers in order; returns first non-zero mask. Errors short-circuit.
- `Cache` interface — pluggable cache backend. Satisfied by `einherjar/cache-valkey` via duck typing.
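
The flat claims lookup described for `NewClaimsPermissionProvider` (`claims[claimsKey][resource] = mask`, `"*"` fallback, int64/float64/json.Number values) can be illustrated with the following added example, which is not the project's own code. The names `toMask` and `lookupMask`, the `perms` claims key, the sample resources, returning mask 0 when nothing matches, and rejecting floats that are not exact integers are all assumptions made here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"math"
)

// toMask converts a decoded claim value to a bitmask; anything else is an error (fail closed).
func toMask(v any) (int64, error) {
	switch n := v.(type) {
	case int64:
		return n, nil
	case float64: // default numeric type from encoding/json
		if n != math.Trunc(n) || math.Abs(n) > 1<<53 {
			return 0, fmt.Errorf("mask %v is not an exact integer", n)
		}
		return int64(n), nil
	case json.Number: // produced when the decoder uses UseNumber()
		return n.Int64()
	}
	return 0, fmt.Errorf("unsupported mask type %T", v)
}

// lookupMask resolves claims[claimsKey][resource], then "*"; absent entries yield mask 0.
func lookupMask(claims map[string]any, claimsKey, resource string) (int64, error) {
	perms, ok := claims[claimsKey].(map[string]any)
	if !ok {
		return 0, nil
	}
	v, found := perms[resource]
	if !found {
		if v, found = perms["*"]; !found {
			return 0, nil
		}
	}
	return toMask(v)
}

func main() {
	var claims map[string]any // constructed sample claims, decoded as a JWT payload would be
	if err := json.Unmarshal([]byte(`{"perms": {"invoices": 6, "*": 1}}`), &claims); err != nil {
		panic(err)
	}
	for _, res := range []string{"invoices", "reports"} {
		m, err := lookupMask(claims, "perms", res)
		fmt.Println(res, m, err)
	}
}
```

Because `encoding/json` decodes numbers to float64 by default, masks that use bits above 2^53 only survive intact when the decoder is configured with `UseNumber()`.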