Rebuild for v1.0.0: postgres-only, slug-keyed authz, predicate API

Drops the Dialect/Queries abstraction in favor of a single PostgreSQL 16+
implementation collapsed into the root authkit package, removes the
public store interfaces, and reshapes the authorization model around
seeded slugs (roles, permissions, abilities) with optional labels.

Schema is now squashed into one migrations/0001_init.sql and applied
automatically on authkit.New (opt-out via Config.SkipAutoMigrate). A
schema verifier checks tables/columns/types/nullability on startup,
tolerates extra columns, and falls back to default table names when a
configured override is missing.

Auth API: CreateUser + SetPassword replace Register; password is
nullable. Email OTP (RequestEmailOTP/ConsumeEmailOTP) joins magic links
and password reset, all with anti-enumeration silent-success defaults
and a Config.RevealUnknownEmail opt-in. Service tokens drop owner
columns and validate ability slugs against authkit_abilities at issue.
Direct user permissions live alongside role-derived ones; queries
return their UNION.

Predicate API: HasRole/HasPermission/HasAbility leaves with
AnyLogin/AllLogin/AnyServiceKey/AllServiceKey combinators. Validate
runs at middleware construction, panicking on unknown slugs.

Middleware collapses to RequireLogin (cookie + JWT), RequireGuest
(configurable OnAuthenticated), and RequireServiceKey. UserIDFromCtx /
UserFromCtx (lazy) / RefreshUserInCtx provide request-lifetime user
caching. Cookie defaults flip to Secure=true and HttpOnly=true via
*bool with BoolPtr opt-out.

CLIs ship under cmd/perms, cmd/roles, cmd/abilities for seeding the
authorization vocabulary; the library never seeds rows itself.

Tests cover unit-level (slug validation + fuzz, opaque secrets, email
normalization, extractors, predicates, OTP generator) and integration
flows gated on AUTHKIT_TEST_DATABASE_URL (every Auth method, schema
drift detection, migration idempotency, lazy user cache, all middleware
paths).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

models.go

@@ -7,6 +7,9 @@ import (
 	"github.com/google/uuid"
 )
 
+// User is the canonical account record. Password hash is empty (and stored
+// NULL in the DB) when no credential has been set — accounts created via
+// invite or magic-link-only flows live in this state until SetPassword runs.
 type User struct {
 	ID              uuid.UUID
 	Email           string
@@ -14,12 +17,12 @@ type User struct {
 	EmailVerifiedAt *time.Time
 	PasswordHash    string
 	SessionVersion  int
-	FailedLogins    int
 	LastLoginAt     *time.Time
 	CreatedAt       time.Time
 	UpdatedAt       time.Time
 }
 
+// Session is an opaque server-side credential bound to one user.
 type Session struct {
 	IDHash     []byte
 	UserID     uuid.UUID
@@ -30,35 +33,36 @@ type Session struct {
 	ExpiresAt  time.Time
 }
 
+// TokenKind enumerates the single-use credentials persisted in authkit_tokens.
 type TokenKind string
 
 const (
 	TokenEmailVerify   TokenKind = "email_verify"
 	TokenPasswordReset TokenKind = "password_reset"
 	TokenMagicLink     TokenKind = "magic_link"
+	TokenEmailOTP      TokenKind = "email_otp"
 	TokenRefresh       TokenKind = "refresh"
 )
 
+// Token is one row in authkit_tokens. AttemptsRemaining is non-nil only for
+// tokens that allow retry on incorrect input (email OTPs); other kinds are
+// strictly one-shot via ConsumeToken.
 type Token struct {
-	Hash       []byte
-	Kind       TokenKind
-	UserID     uuid.UUID
-	ChainID    *string
-	ConsumedAt *time.Time
-	CreatedAt  time.Time
-	ExpiresAt  time.Time
+	Hash              []byte
+	Kind              TokenKind
+	UserID            uuid.UUID
+	ChainID           *string
+	ConsumedAt        *time.Time
+	AttemptsRemaining *int
+	CreatedAt         time.Time
+	ExpiresAt         time.Time
 }
 
-// ServiceKey is an owner-agnostic credential for server-to-server auth.
-// OwnerID is not constrained to authkit_users — OwnerKind labels the owner
-// namespace (e.g. "application", "tenant") and consumers manage their own
-// cascade-on-delete. It is the only credential type that carries free-form
-// abilities; user-bound credentials (sessions, JWTs) prove identity and
-// resolve permissions through RBAC instead.
+// ServiceKey is a machine credential. It carries no identity — service tokens
+// are produced by applications for outbound API access or inbound automation,
+// and authorize via Abilities resolved through the join table.
 type ServiceKey struct {
 	IDHash     []byte
-	OwnerID    uuid.UUID
-	OwnerKind  string
 	Name       string
 	Abilities  []string
 	LastUsedAt *time.Time
@@ -67,26 +71,41 @@ type ServiceKey struct {
 	RevokedAt  *time.Time
 }
 
-// HasAbility reports whether the service key carries the named ability.
-func (k *ServiceKey) HasAbility(name string) bool {
+// HasAbility reports whether the service key carries the named ability slug.
+func (k *ServiceKey) HasAbility(slug string) bool {
 	for _, a := range k.Abilities {
-		if a == name {
+		if a == slug {
 			return true
 		}
 	}
 	return false
 }
 
+// Role groups permissions for assignment to users. Slug is the immutable
+// business key; Label is an optional human-readable name.
 type Role struct {
-	ID          uuid.UUID
-	Name        string
-	Description string
-	CreatedAt   time.Time
+	ID        uuid.UUID
+	Slug      string
+	Label     string
+	CreatedAt time.Time
 }
 
+// Permission is a unit of authorization. Granted to users either through a
+// role or directly via authkit_user_permissions.
 type Permission struct {
-	ID          uuid.UUID
-	Name        string
-	Description string
-	CreatedAt   time.Time
+	ID        uuid.UUID
+	Slug      string
+	Label     string
+	CreatedAt time.Time
+}
+
+// Ability is a unit of authorization for service tokens. Abilities are a
+// separate vocabulary from Permissions because they target machines, not
+// users — keep them distinct so middleware predicates remain clear about
+// which subject they're authorizing.
+type Ability struct {
+	ID        uuid.UUID
+	Slug      string
+	Label     string
+	CreatedAt time.Time
 }