Releases: thepartly/gatehouse

v0.3.0-alpha.3

01 Jun 10:31
0a211ae

v0.3.0-alpha.3 Pre-release

Third alpha of the v0.3 line. Consolidates everything since alpha.2 on crates.io.

See the CHANGELOG for the full list of changes.

Highlights

API ergonomics

  • PermissionChecker::check — convenience wrapper for RBAC/ABAC-only callers (no manual session construction).
  • PermissionChecker::named — checker-level tracing tag for multi-checker audit pipelines.
  • EvalCtx::grant / deny / *_with_facts — shortcut methods that build a PolicyEvalResult tagged with ctx.policy_type automatically.
  • Trace-aware AccessEvaluation::assert_denied_by and assert_trace_contains test helpers.

Performance

  • Policy::policy_type return type changed to Cow<'static, str>. Static-name policies are zero-allocation end-to-end through the helper path.
  • PolicyBuilder-built policies short-circuit batch-shared axes (.subjects(), .actions()) once per batch. Bench-measured 13–32% throughput win vs the serial-loop default, growing with batch size.
  • Single-item evaluation path saves one allocation per dynamic-name policy by moving policy_type into the EvalCtx instead of cloning.

Combinators

  • NotPolicy::evaluate_batch bug fix: previously tagged wrapped policy's batch leaves with "NotPolicy" instead of the inner name.
  • Combinators drop redundant Cow::Owned(self.policy_type().to_string()) wrapping.

Method renames (clean break — no deprecation aliases)

  • evaluate_batch_with_context_in_session_by → evaluate_batch_in_session_by_resource
  • filter_authorized_with_context_in_session_by → filter_authorized_in_session_by_resource

Documentation

  • "One checker per resource type" and "Modeling list/scope endpoints" recipes on PermissionChecker.
  • PolicyBuilder type-inference notes (the three patterns that anchor <S, R, A, C>).
  • Crate-level "When to populate the Context type" section with concrete shapes — and a new examples/mfa_freshness_context.rs grounding the guidance in code.
  • FactSource (subject, scope) → resolved-id example showing the trait isn't relationship-shaped.
  • Policy::evaluate_batch design-intent docs (serial-by-default and the override shapes when you need concurrency).

MSRV

  • rust-version = "1.82" pinned in Cargo.toml.

Breaking since alpha.2

  • Policy::policy_type return type changed (&str → Cow<'static, str>). One-line migration per impl: fn policy_type(&self) -> Cow<'static, str> { Cow::Borrowed("MyPolicy") }.
  • EvalCtx / BatchEvalCtx gain a policy_type: Cow<'static, str> field. Custom Policy impls and tests that construct these directly need to populate it.
  • DelegatingPolicy constructor policy_type parameter changed from impl Into<String> to impl Into<Cow<'static, str>>.
  • The two batch method renames above; no deprecation aliases.

See MIGRATION.md for the 0.2 → 0.3 migration path.

v0.3.0-alpha.2

01 Jun 00:56
70a5da3

v0.3.0-alpha.2 Pre-release

Second alpha of the v0.3 line, consolidating everything since alpha.1 on crates.io for pre-release testing.

Install: cargo add gatehouse@0.3.0-alpha.2

Pre-release. The v0.3 API may still change before the final 0.3.0. Opt in with the exact version above.

What's new since alpha.1

  • Lookup-style authorization: LookupSource enumerates a candidate superset, Hydrator resolves IDs (with Option<R> for "no longer exists"), and PermissionChecker::lookup_authorized / lookup_authorized_page route candidates through the full policy stack. Cursor-progress enforced. (#24)
  • Fact provenance on every decision: FactProvenance / FactOutcome attached to PolicyEvalResult::Granted / Denied. RebacPolicy records the consulted relationship, the load outcome, and any backend error detail. EvalTrace::format renders ↳ fact … lines inline. New ergonomic constructors (granted, denied, granted_with_facts, denied_with_facts) and a provenance() accessor. (#7a)
  • Sans-I/O session core — the per-stripe session state machine is now a private synchronous core (FactStripeCore<K, W>) with no async, no tracing, and a generic waiter type. No public API change. (#28)
  • Loom permutation-test harness — seven models cover leader-election uniqueness, exactly-once waiter wake-up, fail-closed cancellation, cache-write visibility, replacement atomicity, multi-stripe independence, and replacement rejection during in-flight loads. (#29)
  • Substantive docstring improvements across RelationshipQuery, FactLoadResult, BatchEvalCtx, EvaluationSession, LoaderCancelled, FactKey, and RebacPolicy (incl. a new "provenance/log safety" caveat about Debug-rendered IDs).

Breaking since alpha.1

  • PolicyEvalResult::Granted / Denied gain a provenance: Vec<FactProvenance> field. Use the new constructors instead of struct literals.
  • RebacPolicy requires SubjectId: Debug and ResourceId: Debug so provenance can render the consulted relationship.

Full changelog: v0.3.0-alpha.1...v0.3.0-alpha.2

v0.3.0-alpha.1

27 May 10:36
9a3a58a

v0.3.0-alpha.1 Pre-release

First alpha of the v0.3 line, published to crates.io for pre-release testing. This is a substantial reshape of the authorization core around request-scoped fact loading and bulk evaluation.

cargo add gatehouse@0.3.0-alpha.1

Pre-release. The v0.3 API may still change before the final 0.3.0. Not selected by default version requirements — you must opt in with the exact version above.

Upgrading from 0.2.x

v0.3 is a breaking release. RelationshipResolver is gone, the Policy trait is session-aware, and checker evaluation now takes an explicit EvaluationSession. See MIGRATION.md for step-by-step upgrade instructions, including the policy_type and RBAC/ABAC-only (EvaluationSession::empty()) cases.

Breaking

  • FactSource-backed ReBAC: RelationshipResolver removed. RebacPolicy now extracts subject/resource IDs, builds RelationshipQuery keys, and loads relationship facts through a request-scoped EvaluationSession backed by a FactSource. (#20)
  • Session-aware policy API: Policy::evaluate_access(...) is replaced by Policy::evaluate(&EvalCtx) and Policy::evaluate_batch(&BatchEvalCtx). Checker evaluation takes an explicit EvaluationSession; RBAC/ABAC-only callers use EvaluationSession::empty().
  • Borrowed policy type names: Policy::policy_type now returns &str instead of allocating a String.
  • Sync policy inputs: Subject, Resource, Action, and Context must now be Sync so batch contexts can borrow them across async evaluation.

Added

  • Batch authorization — evaluate or filter caller-owned resource/context pairs, preserving input order and duplicates; OR-across-policies semantics match single-item evaluate. (#17)
  • Fact-loading layer: FactKey, FactLoadResult, FactLoadError, FactSource, and RelationshipQuery, with request-scoped caching, duplicate-key expansion, source chunking via FactSource::max_batch_size, and in-flight load coalescing.
  • EvaluationSession ergonomics: builder() to declare sources in one place; shared_empty() for hot RBAC/ABAC-only paths; non-panicking try_register/try_register_arc/try_replace/try_replace_arc.
  • DelegatingPolicy — cross-domain delegation through a child PermissionChecker, preserving child batch evaluation and trace output.
  • Resource-only batch helpers: evaluate_batch_resources_in_session and filter_authorized_resources_in_session for unit-context batches; with_max_batch_size as a defensive policy-batch cap.
  • Examples & benchmarks — PostgreSQL 18 bulk ReBAC example (unnest ... WITH ORDINALITY, point-vs-bulk), Axum bulk listing endpoint, in-RAM ReBAC example, and Criterion benchmarks for session overhead, latency-injected batching, and in-flight coalescing.

Changed

  • AndPolicy, OrPolicy, NotPolicy, boxed dyn Policy, and RebacPolicy preserve batching through their batch paths.
  • register/register_arc fail fast on duplicate registration; use replace/replace_arc to overwrite intentionally, or the try_* variants to get errors instead of panics.
  • Tracing records single-item outcome fields, batch item/grant/deny counts, and per-policy chunk pending/grant/deny counts.
  • README and rustdocs reframed around an in-process authorization engine with request-scoped fact loading, documenting decision semantics, batch tracing fields, and the typed-relation-to-backend-storage boundary for SQL-backed sources.

Fixed

  • Fact sources returning the wrong number of results fail closed with FactLoadError::SourceContractViolation instead of panicking or returning partial results.
  • Cancelled or panicking leader tasks wake in-flight waiters with FactLoadError::LoaderCancelled instead of leaving them pending forever.
  • Source replacement checks in-flight loads, swaps the source, and clears cached facts under one session registry lock, so readers cannot observe stale cached facts after a replacement.
  • SQL-backed example fact sources map backend errors to fail-closed FactLoadResult::Error instead of panicking.
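
The fail-closed result-count check from the first Fixed item, combined with the duplicate-key expansion and source chunking listed under Added, sketched as an added example that is not gatehouse's own code. `load_facts`, `authorize`, `LoadError` and the `u32` keys are hypothetical stand-ins, not the crate's real types or signatures.

```rust
use std::collections::HashMap;

// Hypothetical stand-in for illustration; not gatehouse's real error type.
#[derive(Debug, Clone, PartialEq)]
enum LoadError {
    SourceContractViolation { expected: usize, got: usize },
}

/// Deduplicate keys, query `source` in chunks of at most `max_batch`, reject
/// any chunk whose result count differs from its key count, then expand the
/// answers back to input order (duplicates included).
fn load_facts<F>(keys: &[u32], max_batch: usize, mut source: F) -> Result<Vec<bool>, LoadError>
where
    F: FnMut(&[u32]) -> Vec<bool>,
{
    let mut unique: Vec<u32> = Vec::new();
    for k in keys {
        if !unique.contains(k) {
            unique.push(*k);
        }
    }
    let mut facts: HashMap<u32, bool> = HashMap::new();
    for chunk in unique.chunks(max_batch.max(1)) {
        let results = source(chunk);
        if results.len() != chunk.len() {
            // Positional pairing is no longer trustworthy: discard everything.
            return Err(LoadError::SourceContractViolation { expected: chunk.len(), got: results.len() });
        }
        for (k, v) in chunk.iter().zip(results) {
            facts.insert(*k, v);
        }
    }
    Ok(keys.iter().map(|k| facts[k]).collect())
}

/// Fail closed: a load error denies every item in the batch.
fn authorize<F>(keys: &[u32], max_batch: usize, source: F) -> Vec<bool>
where
    F: FnMut(&[u32]) -> Vec<bool>,
{
    load_facts(keys, max_batch, source).unwrap_or_else(|_| vec![false; keys.len()])
}

fn main() {
    // Constructed sources: one honours the contract, one drops a result per chunk.
    let good = |c: &[u32]| c.iter().map(|k| k % 2 == 0).collect::<Vec<bool>>();
    let short = |c: &[u32]| vec![true; c.len().saturating_sub(1)];
    println!("{:?}", authorize(&[2, 3, 2, 4], 2, good));
    println!("{:?}", load_facts(&[1, 2, 3], 2, short));
}
```

Zipping a short result vector against its keys without the length check would silently pair answers with the wrong keys or leave some keys undecided, which is the partial-result case the fix rules out.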

Full changelog: v0.2.0...v0.3.0-alpha.1

v0.2.0

17 Feb 02:27
03bbc14

Breaking

  • Generic relationship types for ReBAC: RelationshipResolver<S, R> is now RelationshipResolver<S, R, Re> and RebacPolicy gains a Re type parameter. This allows using enums or other domain-specific types instead of &str for compile-time safety. Re must implement Display for human-readable policy evaluation messages. (#10, #14)

Added

  • #![warn(missing_docs)] lint enforced — all public items now have documentation. (#13)
  • Quick Start section in module-level docs showing PolicyBuilder usage.
  • Standalone doc examples for PolicyBuilder, RbacPolicy, EvalTrace, and AccessEvaluation::to_result.
  • Enum-based relationship example in examples/rebac_policy.rs.
  • 35 new tests covering AbacPolicy, RbacPolicy, PolicyBuilder, AccessEvaluation, EvalTrace, PolicyEvalResult, CombineOp, PermissionChecker, SecurityRuleMetadata, and EmptyPoliciesError.

Changed

  • Updated dependencies. (#12)

v0.1.4

28 Oct 19:43
54b9788

  • Add benchmarks
  • Address several low-hanging performance optimizations
  • Refined the security rule telemetry to reuse cached policy metadata and emit structured tracing::trace! events

v0.1.3: LICENSE as MIT (#2)

25 Mar 03:47
110fbb4

Add MIT license explicitly

v0.1.2

24 Mar 07:10

Documentation release

v0.1.1

24 Mar 06:44
750c15d

Initial release to crates.io