build(deps): bump the go-mod group with 8 updates

[dependabot]

Bumps the go-mod group with 8 updates:

Package	From	To
github.com/authzed/authzed-go	1.7.0	1.8.0
github.com/authzed/spicedb	1.49.1-0.20260205205028-286d6e84c0dd	1.49.1
github.com/mark3labs/mcp-go	0.43.2	0.44.1
golang.org/x/mod	0.32.0	0.33.0
golang.org/x/net	0.49.0	0.51.0
golang.org/x/term	0.39.0	0.40.0
google.golang.org/genproto/googleapis/rpc	0.0.0-20251124214823-79d6a2a48846	0.0.0-20260128011058-8636f8732409
google.golang.org/grpc	1.78.0	1.79.1

Updates github.com/authzed/authzed-go from 1.7.0 to 1.8.0

Release notes

Sourced from github.com/authzed/authzed-go's releases.

v1.8.0

What's Changed

• Bump golang.org/x/crypto from 0.43.0 to 0.45.0 in /magefiles by @​dependabot[bot] in authzed/authzed-go#369
• feat: add timestamp to DownloadPermissionSetsResponse by @​ostafen in authzed/authzed-go#367
• Bump actions/checkout from 5 to 6 in the github-actions group by @​dependabot[bot] in authzed/authzed-go#372
• Bump github.com/bufbuild/buf from 1.59.0 to 1.60.0 in /magefiles in the go-mod-magefiles group by @​dependabot[bot] in authzed/authzed-go#371
• Bump the go-mod group with 2 updates by @​dependabot[bot] in authzed/authzed-go#370
• chore: add conventional commit linting by @​tstirrat15 in authzed/authzed-go#373
• chore(deps): bump the go-mod group across 1 directory with 9 updates by @​dependabot[bot] in authzed/authzed-go#382
• chore(deps): bump the go-mod-magefiles group across 1 directory with 5 updates by @​dependabot[bot] in authzed/authzed-go#383
• chore: remove samber/lo dependency by @​Limero in authzed/authzed-go#387
• chore(deps): bump github.com/bufbuild/buf from 1.61.0 to 1.63.0 in /magefiles in the go-mod-magefiles group by @​dependabot[bot] in authzed/authzed-go#386
• chore(deps): bump github.com/golangci/golangci-lint/v2 from 2.7.2 to 2.8.0 in the go-mod group by @​dependabot[bot] in authzed/authzed-go#385
• feat: regenerate proto for ERROR_REASON_DATASTORE_NOT_MIGRATED by @​ivanauth in authzed/authzed-go#384
• chore(deps): bump the go-mod-magefiles group in /magefiles with 2 updates by @​dependabot[bot] in authzed/authzed-go#391
• chore(deps): bump webiny/action-conventional-commits from 1.3.0 to 1.3.1 in the github-actions group by @​dependabot[bot] in authzed/authzed-go#390
• chore(deps): bump the go-mod group with 4 updates by @​dependabot[bot] in authzed/authzed-go#389
• docs: add instructions for building with local protos by @​ivanauth in authzed/authzed-go#388
• Add API usage examples and documentation references by @​ivanauth in authzed/authzed-go#375
• chore(deps): bump the go-mod group with 3 updates by @​dependabot[bot] in authzed/authzed-go#393
• chore(deps): bump the go-mod-magefiles group across 1 directory with 3 updates by @​dependabot[bot] in authzed/authzed-go#394

New Contributors

• @​ostafen made their first contribution in authzed/authzed-go#367
• @​Limero made their first contribution in authzed/authzed-go#387
• @​ivanauth made their first contribution in authzed/authzed-go#384

Full Changelog: authzed/authzed-go@v1.7.0...v1.8.0

Commits

• d8c9a1a Merge pull request #394 from authzed/dependabot/go_modules/magefiles/go-mod-m...
• ed6f0b8 chore(deps): bump the go-mod-magefiles group across 1 directory with 3 updates
• bdf5808 Merge pull request #393 from authzed/dependabot/go_modules/go-mod-d64280bf30
• 8adc898 chore(deps): bump the go-mod group with 3 updates
• 43eca72 Merge pull request #375 from ivanauth/fix/issue-142-add-api-examples
• 2ea2f5c Merge pull request #388 from ivanauth/fix/issue-137-contributing-local-protos
• 41234c1 Merge pull request #389 from authzed/dependabot/go_modules/go-mod-bb2d16fde3
• 70ff9af Merge pull request #390 from authzed/dependabot/github_actions/github-actions...
• ea4533e Merge pull request #391 from authzed/dependabot/go_modules/magefiles/go-mod-m...
• dcb53b3 chore(deps): bump the go-mod-magefiles group
• Additional commits viewable in compare view

Updates github.com/authzed/spicedb from 1.49.1-0.20260205205028-286d6e84c0dd to 1.49.1

Release notes

Sourced from github.com/authzed/spicedb's releases.

v1.49.1

Highlights

• A fix for a low-severity GHSA in #2878

What's Changed

• fix: update IterSubjects for wildcards and Alias iterators for confomance by @​barakmich in authzed/spicedb#2864
• ci: use arm runners in integration tests by @​tstirrat15 in authzed/spicedb#2877
• fix: prevent panic on malformed cursor by @​tstirrat15 in authzed/spicedb#2878
• fix: improve LR consistency and support multiple resourcetypes by @​barakmich in authzed/spicedb#2875
• chore: add metrics and tests to all cache implementations by @​miparnisari in authzed/spicedb#2874
• fix: query both subrelation and ellipses on arrows for IterResources by @​barakmich in authzed/spicedb#2879
• chore(deps): bump the github-actions group with 5 updates by @​dependabot[bot] in authzed/spicedb#2870
• feat: finish LR consistency tests with the fix to the recursive iterator by @​barakmich in authzed/spicedb#2881
• fix: handle self keyword in warnings checks, and check these warnings are error-free in consistency by @​barakmich in authzed/spicedb#2884
• fix: make sure that use self comes out of formatter when self is used by @​tstirrat15 in authzed/spicedb#2885
• build: add new mustcallcheck analyzer and fix instances by @​tstirrat15 in authzed/spicedb#2886
• chore: implement self in schemav2 by @​tstirrat15 in authzed/spicedb#2887

Full Changelog: authzed/spicedb@v1.49.0...v1.49.1

Docker Images

This release is available at authzed/spicedb:v1.49.1, quay.io/authzed/spicedb:v1.49.1, ghcr.io/authzed/spicedb:v1.49.1

Changelog

Sourced from github.com/authzed/spicedb's changelog.

[1.49.1] - 2026-02-06

Added

• chore: add metrics and tests to all cache implementations by @​miparnisari in authzed/spicedb#2874
• feat(query planner): finish LR consistency tests with the fix to the recursive iterator by @​barakmich in authzed/spicedb#2881

Changed

• chore: implement self in schemav2 by @​tstirrat15 in authzed/spicedb#2887

Fixed

• fix: prevent panic on malformed cursor by @​tstirrat15 in authzed/spicedb#2878
• fix(query planner): update IterSubjects for wildcards and Alias iterators for confomance by @​barakmich in authzed/spicedb#2864
• fix(query planner): improve LR consistency and support multiple resourcetypes by @​barakmich in authzed/spicedb#2875
• fix(query planner): query both subrelation and ellipses on arrows for IterResources by @​barakmich in authzed/spicedb#2879
• fix: handle self keyword in warnings checks, and check these warnings are error-free in consistency by @​barakmich in authzed/spicedb#2884
• fix: make sure that use self comes out of formatter when self is used by @​tstirrat15 in authzed/spicedb#2885

Security

• A fix for a low-severity GHSA in #2878

[1.49.0] - 2026-02-03

Added

• Support for self keyword added to permissions. Previously, if you wanted to represent something like "a user should be able to view themselves," this required adding a relation to the schema and then writing a relation from the user to itself. We've added support for a self keyword in permissions that represents this directly, which reduces storage requirements, removes the need for a trip to the database, and removes a relationship that needs to be synced. For more information, see the Docs and the PR

• Experimental Postgres Foreign Data Wrapper.

  In #2806, we added a new experimental command to SpiceDB that serves a Postgres Foreign Data Wrapper: spicedb postgres-fdw [flags]. If you configure your Postgres instance accordingly, it can speak to SpiceDB through the FDW as a proxy, allowing you to write queries like:

  -- Check if user:alice has permission to view document:readme
  SELECT has_permission
  FROM permissions
  WHERE resource_type = 'document'
    AND resource_id = 'readme'
    AND permission = 'view'
    AND subject_type = 'user'
    AND subject_id = 'alice';

  You can now express checks and lookups as SELECTs and JOINs in your main application code, and you can read, write, and delete relationships using Postgres as the client. For more information, see the documentation in the repo.

  NOTE:

  • This feature is experimental. We'd welcome you trying it out and providing feedback, but it will likely change before its final GA'd form.
  • This feature DOES NOT solve the Dual-Write Problem. You can make updates in the context of a Postgres transaction, but Postgres's FDW protocol doesn't support a two-phase commit semantic, which means there are still failure modes where a transactional write will land in SpiceDB but not Postgres or vice-versa.

• Query Planner

  This release includes the first experimental handle on our new Query Planner. If you run SpiceDB with the new --experimental-query-plan flag, SpiceDB will use the query planner to resolve queries. This is mostly provided for the curious; there's still work to do on statistics sources and optimizations before we expect that it will provide performance benefits across most workloads. We don't yet recommend turning on this flag in your system outside of experiments in your local or development environments. We'll continue work and let you know when it's ready for production.

... (truncated)

Commits

• See full diff in compare view

Updates github.com/mark3labs/mcp-go from 0.43.2 to 0.44.1

Release notes

Sourced from github.com/mark3labs/mcp-go's releases.

Release v0.44.1

No release notes provided.

Release v0.44.0

What's Changed

• feat: defer tool loading to enable Anthropic's "Tool Search" pattern by @​wolfeidau in mark3labs/mcp-go#644
• fix: return an error if the responseWriter does not support Flush by @​JoelPfaffDD in mark3labs/mcp-go#652
• Add Icons support for MCP spec 2025-11-25 compliance by @​dask-58 in mark3labs/mcp-go#660
• fix: add ErrUnauthorized sentinel for static token 401 responses by @​ezynda3 in mark3labs/mcp-go#661
• Add lastModified field to Annotations for MCP spec 2025-11-25 by @​dask-58 in mark3labs/mcp-go#663
• Add server-side support for MCP tasks by @​JAORMX in mark3labs/mcp-go#635
• fix: drain all pending notification before writing the response to avoid missing notifications by @​archit-harness in mark3labs/mcp-go#670
• fix for nil resources slice by @​furysama in mark3labs/mcp-go#665
• Add docstrings for annotation-related functions by @​ezynda3 in mark3labs/mcp-go#673
• fix: add timeout for SSE response waiting to prevent indefinite blocking by @​everfid-ever in mark3labs/mcp-go#668
• Try OAuth Authorization Server Metadata first by @​staugaard in mark3labs/mcp-go#669
• fix(oauth): check for OAuth error responses even when status code is 200 by @​sd2k in mark3labs/mcp-go#646
• fix: Add missing session cleanup to the StreamableHTTPServer DELETE handler by @​cnnrznn in mark3labs/mcp-go#667
• Implement Elicitation URL mode for MCP spec 2025-11-25 by @​dask-58 in mark3labs/mcp-go#666
• feat: Add Host header override support for manual DNS resolution by @​ComingCL in mark3labs/mcp-go#674
• fix: low mcp version been selected by mcp server, mcp server may also raise 'unsupported protocol version 2025-11-25' error by @​yuehaii in mark3labs/mcp-go#687
• Add AdditionalProperties to ToolInputSchema by @​mohit-gupta-glean in mark3labs/mcp-go#678
• fix: fix TestSSE_SendRequest_Timeout flaky test by @​everfid-ever in mark3labs/mcp-go#683
• feat:add version 2025-11-25 & unit test for version by @​CocaineCong in mark3labs/mcp-go#684
• fix: use sync.Once for thread-safe Close in StreamableHTTP by @​semihbkgr in mark3labs/mcp-go#685
• docs: fix ListTools usage to include ListToolsRequest parameter by @​everfid-ever in mark3labs/mcp-go#681
• fix: return 404 instead of 400 for invalid session IDs by @​burugo in mark3labs/mcp-go#689
• fix: rename NewToolResultAudio second parameter from imageData to aud… by @​mosesyu95 in mark3labs/mcp-go#691
• Server handlers implementation for auto-completion by @​ezraisw in mark3labs/mcp-go#679
• Fix: the header information set by the client being lost. by @​button-chen in mark3labs/mcp-go#686
• Set test client info by @​urisimchoni in mark3labs/mcp-go#692
• refactor: fix modernize lint issues by @​alexandear in mark3labs/mcp-go#699
• refactor: simplify tests with the usetesting linter by @​alexandear in mark3labs/mcp-go#703
• typo: fix duplicate description of mcp-go in README by @​milairhu in mark3labs/mcp-go#701
• feat(server): implement task-augmented tools capability by @​ezynda3 in mark3labs/mcp-go#707
• tool "properties" and "required" fields missing if set them as null, AdditionalProperties can't be masharl by @​yuehaii in mark3labs/mcp-go#713
• Fix no way to detect connection closure in non-NO_ERROR cases by @​manx98 in mark3labs/mcp-go#709
• fix: accept HTTP 204 No Content in SendNotification by @​satish-karri-glean in mark3labs/mcp-go#717
• fix: use custom session id generator when provided by @​FlameHost10 in mark3labs/mcp-go#715
• fix: SendRequest hangs forever when server process dies by @​ichoosetoaccept in mark3labs/mcp-go#714

New Contributors

• @​wolfeidau made their first contribution in mark3labs/mcp-go#644
• @​JoelPfaffDD made their first contribution in mark3labs/mcp-go#652
• @​dask-58 made their first contribution in mark3labs/mcp-go#660
• @​JAORMX made their first contribution in mark3labs/mcp-go#635
• @​archit-harness made their first contribution in mark3labs/mcp-go#670
• @​furysama made their first contribution in mark3labs/mcp-go#665
• @​everfid-ever made their first contribution in mark3labs/mcp-go#668
• @​staugaard made their first contribution in mark3labs/mcp-go#669

... (truncated)

Commits

• 6bea1d4 fix: add session idle TTL sweeper to prevent transport state leak (#724)
• 0510f0c fix: SendRequest hangs forever when server process dies (#714)
• 962f31b fix: use custom session id generator when provided (#715)
• 7ce32bf fix: accept HTTP 204 No Content in SendNotification (#717)
• 7c44752 fix(ci): pin Go version to 1.25 in lint workflow
• 859588d fix: call onConnectionLost when SSE connection closes, not only on NO_ERROR (...
• b2fb8ba tool "properties" and "required" fields missing if set them as null, Addition...
• e2c1762 feat(server): implement task-augmented tools capability (#707)
• 45740a0 typo: fix duplicate description of mcp-go in README (#701)
• d46cf85 refactor: simplify tests with the usetesting linter (#703)
• Additional commits viewable in compare view

Updates golang.org/x/mod from 0.32.0 to 0.33.0

Commits

• 27761a2 go.mod: update golang.org/x dependencies
• See full diff in compare view

Updates golang.org/x/net from 0.49.0 to 0.51.0

Commits

• 60b3f6f internal/http3: prevent Server handler from writing longer body than declared
• b0ca456 internal/http3: fix Write in Server Handler returning the wrong value
• 1558ba7 publicsuffix: update to 2026-02-06
• 4e1c745 internal/http3: make Server response include headers that can be inferred
• 19f580f http2: fix nil panic in typeFrameParser for unassigned frame types
• 818aad7 internal/http3: add server to client trailer header support
• c1bbe1a internal/http3: add client to server trailer header support
• 29181b8 all: remove go1.25 and older build constraints
• 8109305 all: upgrade go directive to at least 1.25.0 [generated]
• 0b37bdf quic: don't run TestStreamsCreateConcurrency in synctest bubble
• Additional commits viewable in compare view

Updates golang.org/x/term from 0.39.0 to 0.40.0

Commits

• 3aff304 go.mod: update golang.org/x dependencies
• See full diff in compare view

Updates google.golang.org/genproto/googleapis/rpc from 0.0.0-20251124214823-79d6a2a48846 to 0.0.0-20260128011058-8636f8732409

Commits

• See full diff in compare view

Updates google.golang.org/grpc from 1.78.0 to 1.79.1

Release notes

Sourced from google.golang.org/grpc's releases.

Release 1.79.1

Bug Fixes

• grpc: Remove the -dev suffix from the User-Agent header. (grpc/grpc-go#8902)

Release 1.79.0

API Changes

• mem: Add experimental API SetDefaultBufferPool to change the default buffer pool. (#8806)
  • Special Thanks: @​vanja-p
• experimental/stats: Update MetricsRecorder to require embedding the new UnimplementedMetricsRecorder (a no-op struct) in all implementations for forward compatibility. (#8780)

Behavior Changes

• balancer/weightedtarget: Remove handling of Addresses and only handle Endpoints in resolver updates. (#8841)

New Features

• experimental/stats: Add support for asynchronous gauge metrics through the new AsyncMetricReporter and RegisterAsyncReporter APIs. (#8780)
• pickfirst: Add support for weighted random shuffling of endpoints, as described in gRFC A113.
  • This is enabled by default, and can be turned off using the environment variable GRPC_EXPERIMENTAL_PF_WEIGHTED_SHUFFLING. (#8864)
• xds: Implement :authority rewriting, as specified in gRFC A81. (#8779)
• balancer/randomsubsetting: Implement the random_subsetting LB policy, as specified in gRFC A68. (#8650)
  • Special Thanks: @​marek-szews

Bug Fixes

• credentials/tls: Fix a bug where the port was not stripped from the authority override before validation. (#8726)
  • Special Thanks: @​Atul1710
• xds/priority: Fix a bug causing delayed failover to lower-priority clusters when a higher-priority cluster is stuck in CONNECTING state. (#8813)
• health: Fix a bug where health checks failed for clients using legacy compression options (WithDecompressor or RPCDecompressor). (#8765)
  • Special Thanks: @​sanki92
• transport: Fix an issue where the HTTP/2 server could skip header size checks when terminating a stream early. (#8769)
  • Special Thanks: @​joybestourous
• server: Propagate status detail headers, if available, when terminating a stream during request header processing. (#8754)
  • Special Thanks: @​joybestourous

Performance Improvements

• credentials/alts: Optimize read buffer alignment to reduce copies. (#8791)
• mem: Optimize pooling and creation of buffer objects. (#8784)
• transport: Reduce slice re-allocations by reserving slice capacity. (#8797)

Commits

• 782f2de Change version to 1.79.1 (#8902)
• 850eccb Change version to 1.79.1-dev (#8851)
• 765ff05 Change version to 1.79.0 (#8850)
• 68804be Cherry pick #8864 to v1.79.x (#8896)
• 0381eb6 xds: Support :authority header rewriting for LOGICAL_DNS clusters (#8822)
• 90f571d xds: remove references to ResolverState.Addresses (#8841)
• 679565f xds: remove HashKey field from xdsresource.Endpoint struct (#8844)
• bb2073d mem: Allow overriding the default buffer pool. (#8806)
• bd4444a Fix flaky TestServer_RedundantUpdateSuppression. (#8839)
• 623b3f0 test: add regression test for RecvMsg() error shadowing #7510 (#8820)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.