v0.7.0¶
Release Date: 2026-05-10
Breaking Changes¶
Project Renamed from CoreForge to SystemForge¶
The project has been renamed from CoreForge to SystemForge. All import paths must be updated:
// Before
import "github.com/grokify/coreforge/identity"
import "github.com/grokify/coreforge/session/jwt"
// After
import "github.com/grokify/systemforge/identity"
import "github.com/grokify/systemforge/session/jwt"
Migration steps:
-
Update
go.mod: -
Update all imports in your codebase:
-
Run
go mod tidyto clean up dependencies
Highlights¶
- ProductGraph Integration - Event correlation and user journey tracking with frontend-backend session linking
- Session Invalidation - Track sessions across devices with "logout all devices" functionality
- Account Lockout Protection - Brute-force attack protection with configurable lockout policies
Added¶
ProductGraph Integration¶
New integration with ProductGraph for product analytics:
import (
"github.com/grokify/systemforge/observability"
"github.com/grokify/systemforge/productgraph"
)
obs, _ := observability.New(observability.ConfigFromEnv())
obs.SetProductGraphFromEnv()
// Middleware for automatic request tracking
router.Use(obs.ProductGraphMiddleware())
// Manual event tracking
obs.TrackAPICall(ctx, "POST", "/api/checkout", 200, 150*time.Millisecond)
obs.TrackJourneyStep(ctx, "checkout_flow", "payment", "Enter Payment")
See Observability - ProductGraph Integration for details.
Session Invalidation¶
New session/invalidation package for multi-device session management:
import "github.com/grokify/systemforge/session/invalidation"
store := invalidation.NewMemoryStore() // Or NewRedisStore for production
manager := invalidation.NewManager(store,
invalidation.WithSessionTTL(24*time.Hour),
invalidation.WithMaxSessionsPerUser(5),
)
// Create session with device info
session, _ := manager.CreateSession(ctx, userID,
invalidation.WithDeviceInfo("Chrome on macOS"),
invalidation.WithIPAddress("192.168.1.100"),
)
// Logout all devices
manager.InvalidateAllSessions(ctx, userID)
// Logout other devices (keep current)
manager.InvalidateOtherSessions(ctx, userID, currentSessionID)
See Session Invalidation for details.
Account Lockout Protection¶
New identity/security package for brute-force protection:
import "github.com/grokify/systemforge/identity/security"
store := security.NewMemoryLockoutStore() // Or NewRedisLockoutStore
lockout := security.NewLockout(store,
security.WithMaxAttempts(5),
security.WithLockoutDuration(15*time.Minute),
)
// In login handler
err := lockout.CheckAndRecord(ctx, email, loginSuccess)
if errors.Is(err, security.ErrAccountLocked) {
return fmt.Errorf("account locked, try again later")
}
See Account Security for details.
Fixed¶
- Windows CI: Fixed flaky
TestSession_IsExpiredtest caused by Windows time resolution (~15.6ms) - Lint Issues: Resolved golangci-lint errcheck, gosec G115, and staticcheck SA1019 warnings
- Security Lint: Fixed gosec G710 (open redirect) and G124 (insecure cookie) warnings
Dependencies¶
| Dependency | Change |
|---|---|
| github.com/plexusone/omniobserve | 0.8.0 → 0.9.0 |
| google.golang.org/grpc | 1.80.0 → 1.81.0 |
| github.com/mattn/go-sqlite3 | 1.14.42 → 1.14.44 |
| github.com/authzed/spicedb | 1.51.1 → 1.52.0 |
| github.com/redis/go-redis/v9 | 9.18.0 → 9.19.0 |
| github.com/jackc/pgx/v5 | 5.9.1 → 5.9.2 |
| github.com/invopop/jsonschema | 0.13.0 → 0.14.0 |
Documentation¶
- Added Observability Overview with ProductGraph integration guide
- Added Session Invalidation documentation
- Added Account Security documentation
- Added ProductGraph design documents (PRD, TRD, Plan, Tasks)