Rebuild for v1.0.0: postgres-only, slug-keyed authz, predicate API

Drops the Dialect/Queries abstraction in favor of a single PostgreSQL 16+
implementation collapsed into the root authkit package, removes the
public store interfaces, and reshapes the authorization model around
seeded slugs (roles, permissions, abilities) with optional labels.

Schema is now squashed into one migrations/0001_init.sql and applied
automatically on authkit.New (opt-out via Config.SkipAutoMigrate). A
schema verifier checks tables/columns/types/nullability on startup,
tolerates extra columns, and falls back to default table names when a
configured override is missing.

Auth API: CreateUser + SetPassword replace Register; password is
nullable. Email OTP (RequestEmailOTP/ConsumeEmailOTP) joins magic links
and password reset, all with anti-enumeration silent-success defaults
and a Config.RevealUnknownEmail opt-in. Service tokens drop owner
columns and validate ability slugs against authkit_abilities at issue.
Direct user permissions live alongside role-derived ones; queries
return their UNION.

Predicate API: HasRole/HasPermission/HasAbility leaves with
AnyLogin/AllLogin/AnyServiceKey/AllServiceKey combinators. Validate
runs at middleware construction, panicking on unknown slugs.

Middleware collapses to RequireLogin (cookie + JWT), RequireGuest
(configurable OnAuthenticated), and RequireServiceKey. UserIDFromCtx /
UserFromCtx (lazy) / RefreshUserInCtx provide request-lifetime user
caching. Cookie defaults flip to Secure=true and HttpOnly=true via
*bool with BoolPtr opt-out.

CLIs ship under cmd/perms, cmd/roles, cmd/abilities for seeding the
authorization vocabulary; the library never seeds rows itself.

Tests cover unit-level (slug validation + fuzz, opaque secrets, email
normalization, extractors, predicates, OTP generator) and integration
flows gated on AUTHKIT_TEST_DATABASE_URL (every Auth method, schema
drift detection, migration idempotency, lazy user cache, all middleware
paths).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

doc.go

@@ -1,14 +1,24 @@
-// Package authkit is an authentication and authorization toolkit for Go web
-// services. It defines storage interfaces (UserStore, SessionStore, TokenStore,
-// ServiceKeyStore, RoleStore, PermissionStore) and a high-level Auth service
-// that composes them to support registration, password login, opaque
-// server-side sessions, JWT access plus rotating refresh tokens, email
-// verification, password resets, magic-link passwordless login, role-based
-// access control, and owner-agnostic service tokens with custom abilities for
-// server-to-server auth.
+// Package authkit is a pragmatic authentication and authorization toolkit
+// for Go web services on PostgreSQL 16+.
 //
-// Default Postgres implementations of every store live in the pgstore
-// subpackage. Argon2id password hashing lives in hasher. Framework-neutral
-// HTTP middleware (compatible with lightmux and any net/http stack) lives in
-// middleware.
+// Drop authkit into a net/http stack and get registration, password login,
+// opaque server-side sessions, JWT access tokens with rotating refresh,
+// email verification, password reset, magic-link login, email OTP, and
+// owner-agnostic service tokens with consumer-defined abilities.
+// Authorization is flat RBAC with both role-derived and direct user
+// permissions.
+//
+// Roles, permissions, and abilities are seeded by the consumer (typically
+// via the cmd/perms, cmd/roles, and cmd/abilities CLIs that ship with this
+// repo). The library does not seed any rows automatically — applications
+// own their authorization vocabulary.
+//
+// Migrations and schema verification run at startup. Set
+// Config.SkipAutoMigrate to disable.
+//
+// The library does not send email or otherwise reach out to users.
+// Token-minting flows (RequestEmailVerification, RequestPasswordReset,
+// RequestMagicLink, RequestEmailOTP, IssueServiceKey, IssueSession,
+// IssueJWT) return the plaintext to the caller exactly once — show it to
+// the user immediately; only its SHA-256 hash is persisted.
 package authkit