theopenlane · golanglemonade · May 15, 2026 · May 15, 2026 · May 18, 2026 · May 18, 2026
@@ -21,7 +21,7 @@ require (
 	github.com/theopenlane/core/common v1.0.21
 	github.com/theopenlane/go-client v0.10.0
 	github.com/theopenlane/httpsling v0.3.0
-	github.com/theopenlane/iam v0.29.0
+	github.com/theopenlane/iam v0.30.0
 	github.com/theopenlane/utils v0.7.0
 	golang.org/x/oauth2 v0.36.0
 	golang.org/x/term v0.43.0

@@ -194,8 +194,8 @@ github.com/theopenlane/go-client v0.10.0 h1:gBEOEWXM3nP7VlXPcmgA/0RPWcvSz1XzFBwA
 github.com/theopenlane/go-client v0.10.0/go.mod h1:usNDyObWwEJmNph2vAlsYfnx1q6jxXMwOKC6kQAesFo=
 github.com/theopenlane/httpsling v0.3.0 h1:Bad0dGdqCqAB8UVDyVo+YCevzRvGHhmkK22F7T3pXtY=
 github.com/theopenlane/httpsling v0.3.0/go.mod h1:iJc3XRLYTFIpfCnPpLZVMBP0xsWIPAb7ozARtQoclAE=
-github.com/theopenlane/iam v0.29.0 h1:mmN5ZC5wfKHiMm69XpTfcqZl0IPMCFTEZuGHI7j2u4I=
-github.com/theopenlane/iam v0.29.0/go.mod h1:WIWrlNu6gBNrEVNCtdAmGX7xrnv4+J2xPl0Frjw94rE=
+github.com/theopenlane/iam v0.30.0 h1:rZcJQVfNUfxss1shF+uinF2vo7UZl9rqEcG6yl5ayRI=
+github.com/theopenlane/iam v0.30.0/go.mod h1:slggeX0cWMUakfYz0RwSZfnz5kOcKdii18sek4SfMEQ=
 github.com/theopenlane/utils v0.7.0 h1:tSN9PBC8Ywn2As3TDW/1TAfWsVsodrccec40oAhiZgo=
 github.com/theopenlane/utils v0.7.0/go.mod h1:7U9CDoVzCAFWw/JygR5ZhCKGwhHBnuJpK3Jgh1m59+w=
 github.com/tinylib/msgp v1.6.4 h1:mOwYbyYDLPj35mkA2BjjYejgJk9BuHxDdvRnb6v2ZcQ=

@@ -29,6 +29,7 @@ require (
 	github.com/agnivade/levenshtein v1.2.1 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 	github.com/bmatcuk/doublestar v1.3.4 // indirect
+	github.com/brianvoe/gofakeit/v7 v7.15.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/fxamacker/cbor/v2 v2.9.2 // indirect

@@ -22,8 +22,8 @@ github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE=
 github.com/bmatcuk/doublestar v1.3.4 h1:gPypJ5xD31uhX6Tf54sDPUOBXTqKH4c9aPY66CyQrS0=
 github.com/bmatcuk/doublestar v1.3.4/go.mod h1:wiQtGV+rzVYxB7WIlirSN++5HPtPlXEo9MEoZQC/PmE=
-github.com/brianvoe/gofakeit/v7 v7.14.1 h1:a7fe3fonbj0cW3wgl5VwIKfZtiH9C3cLnwcIXWT7sow=
-github.com/brianvoe/gofakeit/v7 v7.14.1/go.mod h1:QXuPeBw164PJCzCUZVmgpgHJ3Llj49jSLVkKPMtxtxA=
+github.com/brianvoe/gofakeit/v7 v7.15.0 h1:kGLYAWN8tnmxq2PelKVK6zwpM7kMxdz9SGPH31mFkNs=
+github.com/brianvoe/gofakeit/v7 v7.15.0/go.mod h1:QXuPeBw164PJCzCUZVmgpgHJ3Llj49jSLVkKPMtxtxA=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=

@@ -141,6 +141,8 @@ CORE_AUTHZ_CREDENTIALS_AUDIENCE=""
 CORE_AUTHZ_CREDENTIALS_ISSUER=""
 CORE_AUTHZ_CREDENTIALS_SCOPES=""
 CORE_AUTHZ_MAXBATCHWRITESIZE="100"
+CORE_AUTHZ_DISABLEPARENTCONTEXT="false"
+CORE_AUTHZ_PARENTCONTEXTSKIPKINDS=""
 CORE_DB_DEBUG="false"
 CORE_DB_DATABASENAME="openlane"
 CORE_DB_DRIVERNAME="pgx"

@@ -96,6 +96,7 @@ authz:
   createnewmodel: true
   credentials:
     apitoken: "QKwHEmWX99RnFh28eSRJ3GWlfb2FQkL7toh1GJpzch1mMkVeMg"
+  disableparentcontext: true
 
 # session settings
 sessions:

@@ -71,12 +71,15 @@ authz:
         clientsecret: ""
         issuer: ""
         scopes: ""
+    disableparentcontext: false
     enabled: true
     hosturl: https://authz.theopenlane.io
     maxbatchwritesize: 100
     modelfile: fga/model/model.fga
     modelid: ""
     modulefile: ""
+    parentcontextconditions: []
+    parentcontextskipkinds: []
     storeid: ""
     storename: openlane
 cloudflare:

@@ -597,6 +597,19 @@ data:
       {{- if .Values.openlane.coreConfiguration.authz.maxbatchwritesize }}
       maxbatchwritesize: {{ .Values.openlane.coreConfiguration.authz.maxbatchwritesize }}
       {{- end }}
+      {{- if .Values.openlane.coreConfiguration.authz.disableparentcontext }}
+      disableparentcontext: {{ .Values.openlane.coreConfiguration.authz.disableparentcontext }}
+      {{- end }}
+      {{- $sliceValue := (.Values.openlane.coreConfiguration.authz.parentcontextskipkinds | default (list)) }}
+      {{- if gt (len $sliceValue) 0 }}
+      parentcontextskipkinds:
+      {{- toYaml $sliceValue | nindent 8 }}
+      {{- end }}
+      {{- $sliceValue := (.Values.openlane.coreConfiguration.authz.parentcontextconditions | default (list)) }}
+      {{- if gt (len $sliceValue) 0 }}
+      parentcontextconditions:
+      {{- toYaml $sliceValue | nindent 8 }}
+      {{- end }}
     {{- end }}
     {{- if .Values.openlane.coreConfiguration.db }}
     db:

@@ -306,6 +306,12 @@ coreConfiguration:
       scopes: ""  # @schema type:string
     # -- maximum number of writes per batch in a transaction
     maxbatchwritesize: 100  # @schema type:integer; default:100
+    # -- disables the automatic addition of parent context tuples
+    disableparentcontext: false  # @schema type:boolean; default:false
+    # -- entity kind names that should not have parent context tuples added
+    parentcontextskipkinds: []
+    # -- relationship conditions to apply on parent context tuples per entity kind
+    parentcontextconditions: []
   # -- DB contains the database configuration for the ent client
   db:
     # -- debug enables printing the debug database logs

@@ -104,12 +104,12 @@ require (
 	github.com/theopenlane/go-client v0.10.0
 	github.com/theopenlane/gqlgen-plugins v0.14.7
 	github.com/theopenlane/httpsling v0.3.0
-	github.com/theopenlane/iam v0.29.0
+	github.com/theopenlane/iam v0.30.0
 	github.com/theopenlane/newman v0.4.0
 	github.com/theopenlane/riverboat v0.8.8
 	github.com/theopenlane/utils v0.7.0
 	github.com/tmc/langchaingo v0.1.14
-	github.com/urfave/cli/v3 v3.8.0
+	github.com/urfave/cli/v3 v3.9.0
 	github.com/vektah/gqlparser/v2 v2.5.33
 	github.com/xeipuuv/gojsonschema v1.2.0
 	github.com/yuin/goldmark v1.8.2
@@ -122,7 +122,7 @@ require (
 	golang.org/x/sync v0.20.0
 	golang.org/x/text v0.37.0
 	golang.org/x/tools v0.45.0
-	google.golang.org/api v0.278.0
+	google.golang.org/api v0.279.0
 	gopkg.in/yaml.v3 v3.0.1
 	gotest.tools/v3 v3.5.2
 )

@@ -742,8 +742,8 @@ github.com/theopenlane/gqlgen-plugins v0.14.7 h1:B9I6tpgevch3xQfV3qqRTpxHIlJvwtX
 github.com/theopenlane/gqlgen-plugins v0.14.7/go.mod h1:fUjo1cVKEAPLhtRrH+iJtrfivCNp+GxVSB/UJgVBDuA=
 github.com/theopenlane/httpsling v0.3.0 h1:Bad0dGdqCqAB8UVDyVo+YCevzRvGHhmkK22F7T3pXtY=
 github.com/theopenlane/httpsling v0.3.0/go.mod h1:iJc3XRLYTFIpfCnPpLZVMBP0xsWIPAb7ozARtQoclAE=
-github.com/theopenlane/iam v0.29.0 h1:mmN5ZC5wfKHiMm69XpTfcqZl0IPMCFTEZuGHI7j2u4I=
-github.com/theopenlane/iam v0.29.0/go.mod h1:WIWrlNu6gBNrEVNCtdAmGX7xrnv4+J2xPl0Frjw94rE=
+github.com/theopenlane/iam v0.30.0 h1:rZcJQVfNUfxss1shF+uinF2vo7UZl9rqEcG6yl5ayRI=
+github.com/theopenlane/iam v0.30.0/go.mod h1:slggeX0cWMUakfYz0RwSZfnz5kOcKdii18sek4SfMEQ=
 github.com/theopenlane/newman v0.4.0 h1:HiYMASHH3WD63M5GIwYFokf81Gq8lZ0Q/D5eget73x4=
 github.com/theopenlane/newman v0.4.0/go.mod h1:KqTNABh60+NafNhmTvFvFXYYeDl78n+BFZrkhdm60Fo=
 github.com/theopenlane/oscalot v0.1.0 h1:ExYiMU4Q1ezbGq77sxkgahmfmc46L+2NqB39fg0HXjU=
@@ -773,8 +773,8 @@ github.com/tmc/langchaingo v0.1.14 h1:o1qWBPigAIuFvrG6cjTFo0cZPFEZ47ZqpOYMjM15yZ
 github.com/tmc/langchaingo v0.1.14/go.mod h1:aKKYXYoqhIDEv7WKdpnnCLRaqXic69cX9MnDUk72378=
 github.com/ugorji/go/codec v1.3.0 h1:Qd2W2sQawAfG8XSvzwhBeoGq71zXOC/Q1E9y/wUcsUA=
 github.com/ugorji/go/codec v1.3.0/go.mod h1:pRBVtBSKl77K30Bv8R2P+cLSGaTtex6fsA2Wjqmfxj4=
-github.com/urfave/cli/v3 v3.8.0 h1:XqKPrm0q4P0q5JpoclYoCAv0/MIvH/jZ2umzuf8pNTI=
-github.com/urfave/cli/v3 v3.8.0/go.mod h1:ysVLtOEmg2tOy6PknnYVhDoouyC/6N42TMeoMzskhso=
+github.com/urfave/cli/v3 v3.9.0 h1:AV9lIiPv3ukYnxunaCUsHnEozptYmDN2F0+yWqLMn/c=
+github.com/urfave/cli/v3 v3.9.0/go.mod h1:ysVLtOEmg2tOy6PknnYVhDoouyC/6N42TMeoMzskhso=
 github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
 github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
 github.com/valyala/fastjson v1.6.10 h1:/yjJg8jaVQdYR3arGxPE2X5z89xrlhS0eGXdv+ADTh4=
@@ -970,8 +970,8 @@ golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da h1:noIWHXmPHxILtqtCOPIhS
 golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90=
 gonum.org/v1/gonum v0.17.0 h1:VbpOemQlsSMrYmn7T2OUvQ4dqxQXU+ouZFQsZOx50z4=
 gonum.org/v1/gonum v0.17.0/go.mod h1:El3tOrEuMpv2UdMrbNlKEh9vd86bmQ6vqIcDwxEOc1E=
-google.golang.org/api v0.278.0 h1:W7jiRvRi53VYFfZ/HoZjQBtJk7gOFbHD8ot1RzVZU6E=
-google.golang.org/api v0.278.0/go.mod h1:B9TqLBwJqVjp1mtt7WeoQwWRwvu/400y5lETOql+giQ=
+google.golang.org/api v0.279.0 h1:hsx2M2OaRcaKtVYK6vXEUnQvdjnend7ZYES+lYaot74=
+google.golang.org/api v0.279.0/go.mod h1:B9TqLBwJqVjp1mtt7WeoQwWRwvu/400y5lETOql+giQ=
 google.golang.org/genproto v0.0.0-20260319201613-d00831a3d3e7 h1:XzmzkmB14QhVhgnawEVsOn6OFsnpyxNPRY9QV01dNB0=
 google.golang.org/genproto v0.0.0-20260319201613-d00831a3d3e7/go.mod h1:L43LFes82YgSonw6iTXTxXUX1OlULt4AQtkik4ULL/I=
 google.golang.org/genproto/googleapis/api v0.0.0-20260504160031-60b97b32f348 h1:U8orV30l6KpDsi9dxU0CoJZGbjS8EEpw+6ba+XwGPQA=

@@ -82,6 +82,7 @@ func (suite *HookTestSuite) setupClient() *generated.Client {
 		fgatest.WithModelFile(fgaModelFile),
 		fgatest.WithEnvVars(coreutils.GetDefaultFGAEnvs()),
 		fgatest.WithVersion(version),
+		fgatest.WithDisableParentContext(),
 	)
 	ctx := context.Background()
 

@@ -170,6 +170,7 @@ func (suite *GraphTestSuite) SetupSuite(t *testing.T) {
 		fgatest.WithModelFile(fgaModelFile),
 		fgatest.WithEnvVars(coreutils.GetDefaultFGAEnvs()),
 		fgatest.WithVersion(version),
+		fgatest.WithDisableParentContext(),
 	)
 
 	ctx := context.Background()

@@ -154,6 +154,7 @@ func (suite *HandlerTestSuite) SetupSuite() {
 		fgatest.WithModelFile(fgaModelFile),
 		fgatest.WithEnvVars(coreutils.GetDefaultFGAEnvs()),
 		fgatest.WithVersion(version),
+		fgatest.WithDisableParentContext(),
 	)
 
 	// shared token manager to avoid RSA key generation

@@ -111,6 +111,7 @@ func (s *WorkflowEngineTestSuite) SetupSuite() {
 		fgatest.WithModelFile(fgaModelFile),
 		fgatest.WithEnvVars(coreutils.GetDefaultFGAEnvs()),
 		fgatest.WithVersion(version),
+		fgatest.WithDisableParentContext(),
 	)
 
 	fgaClient, err := s.ofgaTF.NewFgaClient(s.ctx)

@@ -77,7 +77,12 @@ Config contains the configuration for the core server
         }
     },
     "authz": {
-        "credentials": {}
+        "credentials": {},
+        "parentcontextconditions": [
+            {
+                "context": {}
+            }
+        ]
     },
     "db": {},
     "jobqueue": {
@@ -884,13 +889,21 @@ OauthProviderConfig represents the configuration for OAuth providers such as Git
 |**modulefile**|`string`|path to the fga module file<br/>|no|
 |[**credentials**](#authzcredentials)|`object`||no|
 |**maxbatchwritesize**|`integer`|maximum number of writes per batch in a transaction<br/>|no|
+|**disableparentcontext**|`boolean`|disables the automatic addition of parent context tuples<br/>|no|
+|[**parentcontextskipkinds**](#authzparentcontextskipkinds)|`string[]`||no|
+|[**parentcontextconditions**](#authzparentcontextconditions)|`array`||no|
 
 **Additional Properties:** not allowed  
 **Example**
 
 ```json
 {
-    "credentials": {}
+    "credentials": {},
+    "parentcontextconditions": [
+        {
+            "context": {}
+        }
+    ]
 }
 ```
 
@@ -909,6 +922,27 @@ OauthProviderConfig represents the configuration for OAuth providers such as Git
 |**scopes**|`string`|scopes for the openFGA client<br/>||
 
 **Additional Properties:** not allowed  
+<a name="authzparentcontextskipkinds"></a>
+### authz\.parentcontextskipkinds: array
+
+**Items**
+
+**Item Type:** `string`  
+<a name="authzparentcontextconditions"></a>
+### authz\.parentcontextconditions: array
+
+**Items**
+
+**Example**
+
+```json
+[
+    {
+        "context": {}
+    }
+]
+```
+
 <a name="db"></a>
 ## db: object
 

@@ -8,6 +8,12 @@
       },
       "type": "array"
     },
+    "[]fgax.ParentContextConditionConfig": {
+      "items": {
+        "$ref": "#/$defs/fgax.ParentContextConditionConfig"
+      },
+      "type": "array"
+    },
     "[]ratelimit.RateOption": {
       "items": {
         "$ref": "#/$defs/ratelimit.RateOption"
@@ -782,6 +788,18 @@
         "maxbatchwritesize": {
           "type": "integer",
           "description": "maximum number of writes per batch in a transaction"
+        },
+        "disableparentcontext": {
+          "type": "boolean",
+          "description": "disables the automatic addition of parent context tuples"
+        },
+        "parentcontextskipkinds": {
+          "$ref": "#/$defs/[]string",
+          "description": "entity kind names that should not have parent context tuples added"
+        },
+        "parentcontextconditions": {
+          "$ref": "#/$defs/[]fgax.ParentContextConditionConfig",
+          "description": "relationship conditions to apply on parent context tuples per entity kind"
         }
       },
       "additionalProperties": false,
@@ -820,6 +838,24 @@
       "additionalProperties": false,
       "type": "object"
     },
+    "fgax.ParentContextConditionConfig": {
+      "properties": {
+        "kind": {
+          "type": "string",
+          "description": "entity kind name the condition applies to"
+        },
+        "name": {
+          "type": "string",
+          "description": "condition name defined in the authorization model"
+        },
+        "context": {
+          "$ref": "#/$defs/map[string]interface {}",
+          "description": "condition context parameters"
+        }
+      },
+      "additionalProperties": false,
+      "type": "object"
+    },
     "github.ProviderConfig": {
       "properties": {
         "clientid": {
@@ -963,6 +999,9 @@
       },
       "type": "object"
     },
+    "map[string]interface {}": {
+      "type": "object"
+    },
     "map[string]river.QueueConfig": {
       "additionalProperties": {
         "$ref": "#/$defs/river.QueueConfig"