All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
| Symbol | Change | Migration |
|---|---|---|
SpiceDBRetriever |
Removed | Use base_retriever | SpiceDBAuthFilter and pass subject_id via config={"configurable": {"subject_id": "alice"}} |
SpiceDBAuthLambda |
Removed | Use SpiceDBAuthFilter directly in chains: RunnableLambda(retriever) | auth_filter |
create_auth_node |
Renamed to create_check_permissions_node |
Update imports and call sites |
fail_open parameter |
Removed from all components | Remove the argument — errors now propagate instead of silently granting access |
SpiceDBPreFilterRetriever— LangChainBaseRetrieverusing SpiceDB'sLookupResourcesAPI. Fetches authorized resource IDs first, then runs a filtered vector store search. Use when users have access to a small fraction of a large corpus.create_check_permissions_node— LangGraph node factory (renamed fromcreate_auth_node). Post-filter: checks permissions on already-retrieved documents.create_lookup_resources_node— LangGraph node factory for pre-filter authorization. CallsLookupResources, runs a filtered vector search, and writesauthorized_documentsto state. No separate retrieval node needed.SpiceDBAuthorizer.lookup_resources()— underlying method wrapping SpiceDB'sLookupResourcesstreaming gRPC API.
SpiceDBRetriever— superseded bySpiceDBAuthFilter(more composable, supports runtime user injection).SpiceDBAuthLambda— superseded bySpiceDBAuthFilter.fail_openparameter — was silently granting full access on SpiceDB failures; errors now always propagate.
Initial release.
SpiceDBAuthFilter— post-filter authorization as a LangChainRunnableSpiceDBPermissionTool— single permission check for LangChain agentsSpiceDBBulkPermissionTool— bulk permission checks for LangChain agentscreate_auth_node/AuthorizationNode— post-filter LangGraph nodesRAGAuthState— typed state for LangGraph RAG workflows