Version: 3.9.3
Bug Fixes
- Bearer Authentication - Resolved a Bearer token error (-32001) that denied every permission-gated API method for mobile and token-based integrations. The Sanctum-guard session stored the raw role integer instead of the role name the permission engine expects. (#3525)
Improvements
- Unified Session Handling - All authentication paths (web login, API key, and Bearer token) now build the user session through a single factory, so the role and two-factor state can no longer diverge between them. This also makes two-factor handling consistent for token-based authentication and adds clearer diagnostics when an unresolvable role is encountered. (#3526)
- API Auth Test Coverage - The Bearer JSON-RPC contract tests now run through the real server auth path and cover non-manager roles, catching authorization regressions for non-admin users that owner-only testing missed. (#3526)
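The failure mode and the single-factory fix described above, as an added sketch that is not the project's own code. The role ids, role names, method names and the functions buildSession and isAllowed are hypothetical and constructed for illustration; two-factor state is left out to keep the example on the role mismatch.

```php
<?php
// Constructed role table and permission map (hypothetical ids, names and methods).
const ROLE_NAMES = [10 => 'viewer', 20 => 'editor', 30 => 'manager', 50 => 'owner'];
const METHOD_ROLES = [
    'tickets.list'   => ['viewer', 'editor', 'manager', 'owner'],
    'tickets.update' => ['editor', 'manager', 'owner'],
    'users.delete'   => ['owner'],
];

// One factory for every auth path: the session always carries the role NAME.
function buildSession(array $user, string $authPath): array
{
    $raw = $user['role'];
    if (is_int($raw) || (is_string($raw) && ctype_digit($raw))) {
        $name = ROLE_NAMES[(int) $raw] ?? null;   // stored integer -> name
    } else {
        $name = in_array($raw, ROLE_NAMES, true) ? $raw : null;
    }
    if ($name === null) {
        // Fail closed and say why, instead of silently denying every call later.
        throw new DomainException(sprintf('Unresolvable role %s for user %d via %s',
            var_export($raw, true), $user['id'], $authPath));
    }
    return ['userId' => $user['id'], 'role' => $name, 'authPath' => $authPath];
}

// Permission engine: compares role names with strict equality.
function isAllowed(array $session, string $method): bool
{
    return in_array($session['role'], METHOD_ROLES[$method] ?? [], true);
}

// Pre-fix session shape: a raw integer matches no role name, so every gated method is denied.
if (isAllowed(['userId' => 7, 'role' => 20, 'authPath' => 'bearer'], 'tickets.update')) {
    throw new LogicException('a raw integer role must not match a role name');
}

// Contract check over every auth path and every role, not only the owner.
foreach (['web', 'api-key', 'bearer'] as $path) {
    foreach (ROLE_NAMES as $id => $name) {
        $session = buildSession(['id' => 7, 'role' => $id], $path);
        foreach (METHOD_ROLES as $method => $roles) {
            if (isAllowed($session, $method) !== in_array($name, $roles, true)) {
                throw new LogicException("$name via $path: wrong decision for $method");
            }
        }
    }
}
echo "role contract holds on all auth paths\n";
```

An owner-only test would pass even with a broken non-owner mapping, which is why the loop iterates every role on every path.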
What's Changed
Other Changes
- fix(auth): authenticate Bearer/PAT via core token store (real Bearer fix) by @marcelfolaron in #3522
- fix(routing): self-heal stale route cache + correct BadMethodCallException import by @marcelfolaron in #3523
- Release v3.9.2 by @marcelfolaron in #3524
- fix(auth): Sanctum-guard session stores role name not raw int (fixes Bearer -32001 on all gated methods) by @marcelfolaron in #3525
- Release v3.9.3 by @marcelfolaron in #3526
Full Changelog: v3.9.1...v3.9.3