v1.0 Release Notes
Plystra v1.0 Release Notes
Section titled “Plystra v1.0 Release Notes”Document Status
Section titled “Document Status”| Field | Value |
|---|---|
| Product | Plystra |
| Version | v1.0 |
| Document Type | Release notes |
| Status | Draft |
| Release Type | Stable Self-Hosted Core |
1. Release Summary
Section titled “1. Release Summary”Plystra v1.0 is the first stable Core release of Plystra.
This release establishes Plystra as a self-hosted identity, authorization, resource governance, and audit core for applications that need account-identity separation and explainable permission decisions.
The core model is:
User -> UserMember -> Member -> SpaceThe core promise is:
User logs in.UserMember authorizes the bridge.Member acts.Space isolates.Group scopes.Permission decides.Resource is governed.AuditLog explains.v1.0 is Core-focused. Console, SDK repos, plugin runtime, Data Console, templates, and Cloud are not blocking components for this release.
2. Highlights
Section titled “2. Highlights”Plystra v1.0 adds:
Ent-backed Core schemaVersioned database migrationsCore CRUD APIsResource Registry registration APIAuthorization check APIAuthorization explain APIAuditLog query APIStandard health endpointsStructured JSON request loggingRecovery middlewareCORS configurationCanonical request ID outputBearer session protection for non-public Core APIsDisabled-by-default Data Console and metrics surfacesDocker self-hosted baselineOpenAPI v1.0Finance Reviewer demo casesv1.0 readiness documentation3. Core Model Stabilization
Section titled “3. Core Model Stabilization”v1.0 stabilizes the core entities:
UserSpaceGroupMemberUserMemberRolePermissionMemberRoleRolePermissionResourceAuditLogA User is a login account.
A User does not directly own Space permissions.
UserMember
Section titled “UserMember”A UserMember is the binding that allows a User to act as a Member.
Revoked or expired UserMember bindings deny authorization.
Member
Section titled “Member”A Member is an in-space actor identity.
Permissions are granted to Members through Role grants.
A Space is the permission and data boundary.
A Group is a tree node inside a Space.
Group tree scopes use safe materialized path matching.
Resource
Section titled “Resource”A Resource is a governable business object that can enter the authorization chain.
AuditLog
Section titled “AuditLog”AuditLog records decision-time snapshots and is append-only.
4. Added Ent-backed Core Schema
Section titled “4. Added Ent-backed Core Schema”v1.0 introduces Ent for the Core repository.
Ent is used for:
schema definitiongenerated query codepersistence modelingdatabase consistencymigration supportImportant design rules:
UserMember is a first-class entity.MemberRole is a first-class entity.scope_anchor_group_id remains explicit.Generated Ent structs are not public API contracts.External repositories must not import core/ent.5. Added Versioned Migrations
Section titled “5. Added Versioned Migrations”v1.0 includes versioned migrations.
This release includes new migrations from the latest Core alignment work:
010011012These migrations complete required v1.0 Core fields, schema alignment, and clean-empty-database Ent drift closure.
Migration tooling supports:
plystractl migrate upplystractl migrate verifyplystractl ent checkProduction mode intentionally rejects unsafe Ent auto apply behavior.
Users must use versioned migrations for production upgrades.
6. Added Core CRUD APIs
Section titled “6. Added Core CRUD APIs”v1.0 adds CRUD APIs for the stable Core entities:
UsersSpacesGroupsMembersUserMembersRolesPermissionsMemberRolesRolePermissionsResourcesAuditLogsSupported lifecycle actions include, where applicable:
createreadlistpatchdisablerestorerevokearchivequeryAuditLogs are read/query only.
AuditLog update and delete are intentionally not exposed.
7. Added Authorization APIs
Section titled “7. Added Authorization APIs”v1.0 adds:
POST /api/v1/authz/checkPOST /api/v1/authz/explainauthz/check
Section titled “authz/check”Returns a compact authorization decision.
Includes:
decisiondeny_codereasontrace_idaudit_log_id if writtenrequest_idauthz/explain
Section titled “authz/explain”Returns a full authorization trace.
Includes:
actor snapshotspace snapshottarget resource snapshotmatched candidatesscope checksdecisiondeny_codereasonaudit context8. Added Resource Registry Registration API
Section titled “8. Added Resource Registry Registration API”v1.0 adds a Resource Registry registration API.
Resources can now enter the authorization chain through:
resource_typespace_idgroup_idowner_member_idmetadataThis allows newly registered resource types to participate in:
authz/checkauthz/explainAuditLogPermission evaluationScope resolution9. Added AuditLog Query API
Section titled “9. Added AuditLog Query API”v1.0 adds AuditLog query APIs.
AuditLogs can be queried by:
actor_user_idactor_member_idactor_user_member_idresource_typeresource_iddecisiondeny_coderequest_idcreated_at rangeAuditLog traces store decision-time snapshots.
Historical logs remain explainable even if live Role, Permission, Group, Member, or Resource records change later.
10. Added Health, Ready, and Version Endpoints
Section titled “10. Added Health, Ready, and Version Endpoints”v1.0 adds standard health endpoints:
GET /api/v1/healthGET /api/v1/readyGET /api/v1/version/health
Section titled “/health”Reports basic service health.
/ready
Section titled “/ready”Checks database and migration readiness.
/version
Section titled “/version”Reports version, schema version, and related build information.
11. Added Structured JSON Request Logging
Section titled “11. Added Structured JSON Request Logging”v1.0 adds structured JSON request logging.
Logs include:
timestamplevelrequest_idmethodpathstatuslatencyremote_ipuser_agenterror information when presentThis improves production debugging and allows request logs to be correlated with API responses and AuditLog entries.
12. Added Recovery Middleware
Section titled “12. Added Recovery Middleware”v1.0 adds recovery middleware.
Behavior:
panic is recoveredsafe error response is returnedrequest_id is includedpanic is loggedstack details are not exposed to clients in production13. Added CORS Configuration
Section titled “13. Added CORS Configuration”v1.0 adds CORS configuration.
Configuration is environment-driven.
Operators should review allowed origins before production deployment.
Production mode rejects wildcard CORS origins. Use explicit origins in CORS_ALLOWED_ORIGINS.
13.1 Added Admin Token Protection
Section titled “13.1 Added Admin Token Protection”Non-public Core API routes require Authorization: Bearer <access_token> for a user with an active admin grant.
Public operational endpoints are limited to health, readiness, and version routes. Session auth endpoints use their own credential or bearer-token checks.
AuditLog, Resource Registry, Core CRUD, authorization, plugin/template management, and preview data APIs are not anonymously accessible.
Opaque bearer session tokens are stored as HMAC hashes using PLYSTRA_SESSION_SECRET.
13.2 Disabled Preview Surfaces By Default
Section titled “13.2 Disabled Preview Surfaces By Default”Data Console routes and metrics are disabled by default:
DATA_CONSOLE_ENABLED=falseMETRICS_ENABLED=falseOperators must explicitly enable them when needed.
14. Added Docker Self-Hosted Baseline
Section titled “14. Added Docker Self-Hosted Baseline”v1.0 includes:
Dockerfiledocker-compose.yml.env.exampleplystra-core servicepostgres serviceThis provides a baseline self-hosted deployment path.
The Docker Compose setup is intended for:
local developmentself-hosted evaluationsmall deployment baselineProduction operators should review:
TLS terminationreverse proxyPostgreSQL backupsenvironment secretsaudit log retentionupgrade process15. Added OpenAPI v1.0
Section titled “15. Added OpenAPI v1.0”v1.0 updates OpenAPI documentation for the stable Core API.
OpenAPI includes:
authz/checkauthz/explainCore CRUD APIsResource RegistryAuditLog queryhealth endpointserror enveloperequest_id fieldsdeny code referencesThe OpenAPI document is the foundation for future SDK generation.
16. Added Finance Reviewer Demo
Section titled “16. Added Finance Reviewer Demo”v1.0 includes the Finance Reviewer demo with four required cases.
| Case | Actor | Target | Decision | Purpose |
|---|---|---|---|---|
| 1 | Alice via Finance Reviewer | Finance/APAC invoice | allow | proves group_tree allow |
| 2 | Alice via Finance Reviewer | Legal/EMEA invoice | deny SCOPE_OUT_OF_BOUNDS | proves scope boundary |
| 3 | Bob via same Finance Reviewer | Finance/APAC invoice | allow | proves multiple Users can share a Member |
| 4 | Alice via revoked binding | Finance/APAC invoice | deny USER_MEMBER_REVOKED | proves UserMember is an independent authorization bridge |
17. Request ID
Section titled “17. Request ID”v1.0 returns request ID once, at the top level of the response envelope:
{ "request_id": "req_..."}Core does not return meta.request_id.
18. Notes
Section titled “18. Notes”Core Scope
Section titled “Core Scope”v1.0 is Core-focused.
The following may exist as positive enhancements but are not release blockers:
sibling repositoriesConsole-related metadataplugin metadataearly SDK preparationEnt Auto Apply
Section titled “Ent Auto Apply”Production mode intentionally rejects unsafe Ent auto apply behavior.
Use versioned migrations instead.
AuditLog
Section titled “AuditLog”AuditLog is append-only.
Do not expect update or delete APIs for AuditLog.
Plugin Schema
Section titled “Plugin Schema”Plugin schema extension is deferred.
Plugins must not modify Core Ent schemas or import generated Core Ent packages.
19. Breaking Changes
Section titled “19. Breaking Changes”Document project-specific breaking changes here before final release.
Known breaking changes in the current dev line:
response envelope has one top-level request_id and no meta.request_idoperational aliases under /system/* and /api/v1/system/* are removedtop-level AuditLog route is /api/v1/audit/logsHTTP authz accepts nested actor onlypassword verification accepts Argon2id hashes only20. Upgrade Notes
Section titled “20. Upgrade Notes”Before upgrading:
backup PostgreSQLreview migration notesstop Core service if requiredapply versioned migrationsverify migrationsstart Core servicerun doctorsmoke test health/ready/versionsmoke test authz/check and authz/explainRecommended commands:
plystractl migrate upplystractl migrate verifyplystractl ent checkplystractl doctorProduction operators must not use Ent auto migration as an upgrade mechanism.
21. Validation Summary
Section titled “21. Validation Summary”Before publishing this release, maintainers should verify:
go test ./...PLYSTRA_DATABASE_URL=... go test ./...plystractl migrate upplystractl migrate verifyplystractl ent checkplystractl doctorproduction ent apply rejectionFinance Reviewer four demo caseshealth/ready/versionauthz/checkauthz/explainResource RegistryCore CRUD APIsAuditLog queryOpenAPI route consistencyDocker Compose quickstart22. Known Limitations
Section titled “22. Known Limitations”v1.0 does not include:
full Consolefull Data Consoleofficial SDK GAplugin runtime GAplugin marketplacetemplate installerCloud hostingenterprise SSOadvanced policy languageworkflow enginestorage servicerealtime serviceserverless functionsThese are planned for later versions.
23. Recommended Next Version Focus
Section titled “23. Recommended Next Version Focus”After v1.0, recommended priorities are:
v1.1 Core hardeningv1.2 SDK and integrationsv1.3 Data Console GAv1.4 First-party pluginsv1.5 Templates GAv1.6 Production self-hostingDo not start all of these at once.
24. Final Statement
Section titled “24. Final Statement”Plystra v1.0 is not stable because it has many features.
It is stable because the Core model is consistently implemented:
User logs in.UserMember authorizes the bridge.Member acts.Space isolates.Group scopes.Permission decides.Resource is governed.AuditLog explains.All future features should strengthen this model rather than dilute it.