Releases: isala404/forge

0.10.2 - 2026-05-22

@github-actions github-actions released this 22 May 16:40

Changed

  • forge new pins the skill installer to the CLI release tag. The forge-idiomatic-engineer skill is installed from tree/v<version> instead of tree/main, so a scaffolded project gets the skill matching the CLI that created it. The manual bunx skills add line in generated READMEs is pinned the same way.

Fixed

  • Browser-originated webhook calls. Webhook routes now ride the gateway's shared middleware stack instead of a separate router with a hand-rolled CORS layer. The old stack deadlocked browser POSTs after the CORS preflight and omitted x-webhook-timestamp from the allowed headers, so an in-app fetch to a webhook would fail. The gateway CORS policy now allows x-webhook-timestamp.
  • forge generate now syncs the SvelteKit toolchain. It runs svelte-kit sync after emitting bindings, regenerating .svelte-kit/tsconfig.json (which the project tsconfig.json extends). A bare forge generate previously left that file stale, so svelte-check / bun run check failed until the dev server regenerated it.

Full Changelog: v0.10.0...v0.10.2

0.10.0 - 2026-05-21

@github-actions github-actions released this 21 May 18:33

This release collapses the runtime into a single-pool doctrine, unifies handler registration, overhauls reactivity, and hardens the security surface. Pre-1.0 policy applies: breaking changes are listed but no migration shims are kept.

Added

  • Cargo feature flags for runtime subsystems. Forge subsystems are opt-in via Cargo features. forge-runtime exposes gateway, jobs, workflows, cron, daemons, geoip, otel. The public forge crate composes them into presets: full (default), worker, api, minimal. Approximate cold-build savings on the demo template: worker -55%/-65% (compile/target), api -25%/-30%, minimal -65%/-75%.
    forge = { version = "0.10", default-features = false, features = ["worker"] }
  • release-fast build profile. Release-quality optimization without LTO or single-codegen-unit. Use with cargo build --profile release-fast.
  • Typed config with ${ENV_VAR} / ${VAR-default} substitution. Per-section files under forge-core/config/. New [workflow], [cron], [daemon] sections drive poll intervals; gateway.max_json_body_size is now configurable.
  • KV store primitive (ctx.kv) backed by Postgres, with namespace isolation.
  • Email primitive (ctx.email_sender) for mutations.
  • PgNotifyBus multiplexer. One LISTEN connection multiplexes every notify channel; consumers subscribe in-process. Workflow wakeups and cache invalidations ride this bus.
  • Cross-node cache invalidation via the forge_changes broadcast channel; mutations invalidate cache by the intersection of read-set columns and written columns.
  • Admin API for operator workflow actions (cancel, force-abort) and queue tier observability. Phase 9-10 workflow cancel exposed at the gateway.
  • Schema JSON emission from the codegen pipeline; structural syn::Type walk (no string-based fallback) drives both TypeScript and Dioxus type mapping.
  • docs/: quick start, security model, production architecture, role resolver, tenant isolation, migrations, cluster setup, cargo features, admin API, health probes, workflow status, error catalog, reactivity, worker queue, MCP/OAuth, stability posture, pitfalls reference, observability profile, signals endpoint and frontend client API, testing framework, onboarding. Skill references kept in sync.

Changed

  • Single-pool doctrine. Removed ForgePool newtype. One primary pool plus optional read replicas (round-robin, health-checked) serves every workload — queries, mutations, jobs, cron, workflows, daemons, observability, signals. Workload isolation belongs at the worker level.
  • Function registry unification. FunctionExecutor folded into FunctionRouter; MCP and webhooks now dispatch through the same registry as queries and mutations. Eight Auto* inventory types collapsed into a single AutoHandler.
  • Macro pipeline. Attribute parsing moved to darling derives. Regex fallback in SQL table extraction replaced with a strict sqlparser walk (unparseable SQL is a compile error; explicit tables(...) is required when extraction is impossible). Compile-time wire-type validation on #[query], #[mutation], #[mcp_tool]. register = false opt-out for inventory auto-registration. Span info on every diagnostic.
  • Migration runner renamed to forge_system_migrations. Per-migration transactions, SHA-256 drift detection, bounded advisory lock acquire, non-transactional mode, forge_validate_identifier helper for dynamic SQL identifiers. Rollback dropped (forward-only).
  • Workflow runtime. WorkflowStatus simplified from 12 variants to 6 (with blocked statuses non-terminal). Step persistence is synchronous. Sub-job dispatch is atomic with job completion. Cron and workflows now run on the shared job worker pool. Leader-gated scheduler.
  • Reactivity engine. Invalidation engine and SSE session map moved from RwLock to DashMap with atomic counters; cross-shard deadlock removed; broadcast-lag triggers durable resync (with idempotency guard); PgListener tasks reconnect with exponential backoff; fan-out data wrapped in Arc to eliminate per-subscriber cloning.
  • Mutation dispatch. OutboxBuffer replaced with in-transaction dispatch in MutationContext. Transactional mutation timeout bound to SET LOCAL statement_timeout. Trace IDs propagate onto workflow runs.
  • Auth attribute rename. #[query(public)] / #[query(unscoped)] renamed to auth / scope. Compile-time scope check tracks all CTEs, rejects literal scope-column bindings, removes the tables() bypass, and detects pool delegation in private queries.
  • Single signal endpoint at POST /_api/signal (collapses three prior endpoints). Frontend signal clients updated.
  • Password hashing uses argon2id (replaces bcrypt).
  • Dev profile uses debug = "line-tables-only", split-debuginfo = "unpacked", codegen-units = 256, and disables debug info on dependencies.
  • Observability is a no-op stub when otel is disabled; structured logs still ship via tracing-subscriber.
  • GeoIP is opt-in; disabling the feature skips the build-time db_ip download.
  • CI enforces cargo audit --deny warnings, raw-SQL bash lint replaced with clippy disallowed_methods, sqlx cache integrity check, dioxus WASM built with --release in forge test, integration jobs gated on the guardrail jobs.
  • Function registry uses ahash for faster lookups. Mutation deps batched into a single Arc to cut per-request atomics.

Fixed

  • Mutation transactions could panic on commit because a lingering Arc<Transaction> clone in the context prevented try_unwrap. The context is dropped before commit/rollback on both paths.
  • Cron split-brain under leader failover. Stale claim reclaim is now safe; change_log trim race resolved; clock skew handled via DB clock.
  • DashMap cross-shard deadlock in the realtime fan-out path; serialized_len passed through to avoid re-serialization.
  • Job attempts counter is monotonic in stale reclaim.
  • Workflow event notify sends an empty payload (no payload-size limits hit).
  • Daemon failover uses a dedicated heartbeat connection; fan-out is isolated per node.
  • Shutdown broadcast, SSE task overhead, mock dispatch ordering, signal partition routing, and hash collisions in cache keys.
  • Error chains preserved through ForgeError (no more lossy to_string() rewrites in hot paths).
  • to_snake_case acronym handling produces idiomatic names; pluralize consolidated and quiz pluralization fixed.

Removed

  • [realtime] change_tracking_row_threshold config knob (and its adaptive_row_threshold alias).
  • /rpc/batch endpoint and matching config and docs.
  • forge_leaders.term fencing column and all dead fence-term SQL.
  • Signal WebVital and Identify event types (web-vitals were never wired correctly post-rewrite; identify was unused).
  • Legacy webhook signature schemes and unused JWT algorithm variants.
  • Row-level change tracking infrastructure.
  • OutboxBuffer, LeaderGuard, IdempotencySource::parse (Box::leak helper), JobContext::set_saved (redundant), ForgePool newtype, orphaned workflow readiness module.
  • geoip removed from default features.

Security

  • JWT. alg=none rejection with regression tests; algorithm-confusion test coverage. Issued JWTs stamped with kid header, validation routed through it. New jwks_require_kid config to guard against key-confusion attacks. Legacy JWT secrets require valid_until; expired entries dropped at startup. Positive token cache (60s TTL) avoids per-request validation. aud promoted from custom claims map to a typed field.
  • Sessions. Session cookie bound to coarsened client IP + UA hash. Constant-time comparisons for PKCE, CSRF, and SSE session secrets. Per-user session caps enforced.
  • Webhook replay window enforced for non-Stripe signatures. Webhook signature attribute parsed via syn AST (not substring matching).
  • SSRF. DNS-level guard via a custom reqwest resolver; private host names redacted from SSRFError Display.
  • Gateway startup. Auth config validated in ForgeBuilder::build(). Refuses to start with cors_origins = ["*"] in production. JSON depth scan on all POST requests regardless of content-type. Dev auth mode blocked on cloud platforms via env guards; fails closed when FORGE_ENV=production.
  • OAuth. Resolved client IP used for rate-limit buckets. Per-field validation on register requests. HTML-escape and URL-encode helpers for redirect surfaces.
  • Scope hardening. Tenant ID enforced at dispatch time (403 on mismatch). Mutations now go through the same scope check as queries. owner_subject required on typed job dispatch. Auth context restored in job/workflow executors from owner_subject.
  • Logging. Attacker-controlled strings sanitized before logging to prevent log injection. Legacy extract_client_ip replaced by trusted-proxy validation.
  • Supply chain. deny.toml migrated to cargo-deny v2 schema; template crates marked non-publishable. cargo audit --deny warnings enforced. js_sys::eval in dioxus signals replaced with wasm-bindgen inline_js. Root docker-compose hardened: dev DB bound to loopback, shm_size and restart policy set.
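
An added example (not Forge's code) of the address policy a DNS-level SSRF guard applies to a resolver's answer, together with an error whose Display leaves out the host name. SsrfError, is_public and vet_resolution are hypothetical names, the blocked ranges are a common baseline rather than Forge's actual list, and the wiring into a reqwest resolver is left out.

```rust
use std::fmt;
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

// Hypothetical error type (not Forge's SSRFError): the host is kept for
// server-side logs but is never written by Display.
#[derive(Debug, PartialEq)]
pub enum SsrfError {
    NoAddresses { host: String },
    BlockedAddress { host: String, addr: IpAddr },
}

impl fmt::Display for SsrfError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        // Display text can end up in API responses, so it names neither the
        // internal host nor the address it resolved to.
        match self {
            SsrfError::NoAddresses { .. } => write!(f, "destination did not resolve"),
            SsrfError::BlockedAddress { .. } => write!(f, "destination address is not allowed"),
        }
    }
}

impl SsrfError {
    // Full detail, intended for server-side logs only.
    pub fn log_detail(&self) -> String {
        match self {
            SsrfError::NoAddresses { host } => format!("no addresses for {host}"),
            SsrfError::BlockedAddress { host, addr } => format!("{host} resolved to blocked {addr}"),
        }
    }
}

fn v4_is_public(ip: Ipv4Addr) -> bool {
    let o = ip.octets();
    let this_network = o[0] == 0; // 0.0.0.0/8
    let cgnat = o[0] == 100 && (o[1] & 0xc0) == 64; // 100.64.0.0/10
    // is_link_local() covers 169.254.0.0/16, including cloud metadata services.
    !(ip.is_private() || ip.is_loopback() || ip.is_link_local() || ip.is_broadcast()
        || ip.is_multicast() || ip.is_documentation() || this_network || cgnat)
}

fn v6_is_public(ip: Ipv6Addr) -> bool {
    // ::ffff:a.b.c.d is judged by its embedded IPv4 address.
    if let Some(v4) = ip.to_ipv4_mapped() {
        return v4_is_public(v4);
    }
    let first = ip.segments()[0];
    let unique_local = (first & 0xfe00) == 0xfc00; // fc00::/7
    let link_local = (first & 0xffc0) == 0xfe80; // fe80::/10
    !(ip.is_loopback() || ip.is_unspecified() || ip.is_multicast() || unique_local || link_local)
}

pub fn is_public(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => v4_is_public(v4),
        IpAddr::V6(v6) => v6_is_public(v6),
    }
}

// Vet a resolver answer before any connection is attempted. Fails closed: a
// single non-public record rejects the whole answer, so a name that returns
// one public and one internal address does not get through.
pub fn vet_resolution(host: &str, resolved: &[IpAddr]) -> Result<Vec<IpAddr>, SsrfError> {
    if resolved.is_empty() {
        return Err(SsrfError::NoAddresses { host: host.to_string() });
    }
    if let Some(bad) = resolved.iter().find(|a| !is_public(**a)) {
        return Err(SsrfError::BlockedAddress { host: host.to_string(), addr: *bad });
    }
    Ok(resolved.to_vec())
}

fn main() {
    // Constructed resolver answers; the host names are made up.
    let cases: [(&str, Vec<IpAddr>); 3] = [
        ("api.example.com", vec!["93.184.216.34".parse().unwrap()]),
        ("billing.corp.internal", vec!["10.20.0.7".parse().unwrap()]),
        ("mixed.example.net", vec!["93.184.216.34".parse().unwrap(), "169.254.169.254".parse().unwrap()]),
    ];
    for (host, addrs) in &cases {
        match vet_resolution(host, addrs) {
            Ok(ok) => println!("allow {host}: {ok:?}"),
            Err(e) => println!("client sees: {e} | log: {}", e.log_detail()),
        }
    }
}
```

Checking the resolved addresses rather than the URL string is what lets the guard also cover public-looking names that point at internal hosts.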

Notes

  • Existing apps see no behavior change if they keep the default feature set (default = ["full"]).
  • Macro/feature mismatch (e.g. #[forge::job] without the jobs feature) produces a compile error at the generated forge::AutoJob reference.
  • Pre-1.0 policy: no migration shims. Renames are direct; deprecated surfaces are removed in this release rather than aliased.

What's Changed

  • Adding multiple options for terminating TLS directly in a forge app i… by @GoatedChopin in #21
  • rearchitect runtime, workflows, security, and reactivity by @isala404 in #24

Full Changelog: https://github.com/isala404/forge/c...

0.9.0 - 2026-04-23

@github-actions github-actions released this 23 Apr 20:32

Added

  • Web Vitals ingestion endpoint (POST /_api/signal/vital) for LCP, CLS, INP, FCP, TTFB, navigation timing, long tasks, and resource events (up to 50 entries per batch). New SignalEventType::WebVital and SignalEventType::ServerExecution variants.
  • Client SDKs (@forge-rs/svelte and forge-dioxus) auto-capture Web Vitals, network.online/network.offline transitions, and persist the pending event queue to localStorage so events survive reloads. New config flags: autoWebVitals, autoNetworkEvents, respectDnt, persistQueue. Manual signals.vital(name, value, extra?) API on both SDKs.
  • Auto-emitted server_execution signals for every job, cron, workflow step, webhook, and daemon tick, plus auth.failed and rate_limit.exceeded diagnostic signals from gateway middleware. New forge_runtime::signals::{emit_server_execution, emit_web_vital, emit_diagnostic, emit_raw} helpers for handlers that want to emit outside the RPC path.
  • GeoIP enrichment on every signal event. Embedded DB-IP Country Lite database ships by default (zero config, ISO country code in new country column). Optional [signals] geoip_db_path = "..." points at a MaxMind MMDB for city-level resolution (populates new city column).
  • Webhook signature support for Stripe (#[webhook(stripe_webhooks("SECRET_ENV"))] with 5-minute replay window), Shopify (shopify_webhooks, HMAC-SHA256 base64), Standard Webhooks (standard_webhooks, Polar/Svix/Clerk compatible with whsec_ and polar_whs_ prefix handling), and Ed25519 asymmetric signatures (ed25519("header", "PUBKEY_ENV")).
  • Reactive mutation helpers in generated Svelte bindings: mutations now return a ReactiveMutation<Args, Result> with mutate, pending, and error runes state.
  • gateway.max_file_size config option (default "10mb") separate from gateway.max_body_size (default "20mb") so per-file upload caps and full-body RPC caps can be tuned independently.
  • Dioxus ForgeClientConfig gains a refresh_token async provider for handling 401s, matching the Svelte client.
  • forge check now scans src/ for direct INSERT/UPDATE/DELETE against forge_* system tables and fails with guidance to use ctx.dispatch_job(), ctx.start_workflow(), or ctx.issue_token_pair() instead.
  • New SRE Grafana dashboard (forge-sre.json) covering service health, jobs, workflows, reactor, crons, security, infra, errors, logs, and traces. Business dashboard expanded with geography, retention, funnel, and feature-adoption panels.

Changed

  • BREAKING: Custom routes registered via custom_routes now run through the gateway middleware stack (auth, CORS, tracing, concurrency limit, timeouts) and are merged under /_api. Handlers that assumed a bare axum router without Forge middleware need updating.
  • BREAKING: forge_new scaffolded projects now pin [package] version to 1.0.0 instead of inheriting the forge workspace version, so user projects start their own version history.
  • /_api/signal/{event,view,user,vital} short-circuit requests carrying DNT: 1 or Sec-GPC: 1. /_api/signal/report still accepts reports (crash visibility from opted-out browsers) but drops persistent identifiers. Client SDKs disable themselves automatically when the browser sets DNT/GPC.
  • Client SDKs now flush on both visibilitychange and pagehide (Safari sometimes only fires one) and drain the offline queue on reconnect.
  • Generated reactive.svelte.ts wires subscription lifecycle to Svelte $effect so queries unsubscribe on component destruction without manual cleanup.
  • Dioxus bumped to 0.7.5; CI workflows install dioxus-cli@0.7.5.
  • CI split into a reusable template-smoke.yml workflow: PRs run a smoke subset (with-svelte/demo + with-dioxus/demo) plus a workspace integration job, main-branch pushes run the full 6-template matrix. New /test-template and /squash-merge chatops commands.

Fixed

  • Mutation transactions could panic on commit because a lingering Arc<Transaction> clone in the context prevented try_unwrap from succeeding. The context is now dropped before commit/rollback on both success and error paths.
  • RPC calls from tokens whose user was deleted now return 401 instead of executing against a phantom identity; non-public functions verify the user still exists before dispatching.
  • start_workflow() inside a transactional mutation now resolves the active version and signature at call time, so "no active version" errors surface immediately instead of after commit. PendingWorkflow carries workflow_version and workflow_signature; forge_workflow_runs inserts include both.
  • Startup now rejects configurations where gateway.max_file_size > gateway.max_body_size with a clear error instead of silently accepting an impossible combination.
  • OTLP endpoint configuration is reliable: otlp_endpoint = "${FORGE_OTEL_ENDPOINT-http://localhost:4318}" in forge.toml uses the generic env-var substitution instead of the previous bespoke override path.
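
An added example (not Forge's code) of ${VAR} / ${VAR-default} substitution, the syntax used in the otlp_endpoint line above and introduced with typed config in 0.10.0. Assumptions made here: substitute and SubstError are hypothetical names, an unset variable without a default is an error rather than an empty string, and substituted values are not scanned a second time.

```rust
#[derive(Debug, PartialEq)]
pub enum SubstError {
    Unterminated { at: usize }, // "${" with no closing "}"
    BadName { at: usize },      // empty name or characters outside [A-Za-z0-9_]
    Unset { name: String },     // variable unset and no default given
}

// Expand placeholders in one config value. `lookup` stands in for the process
// environment so the behaviour can be exercised without touching real variables.
pub fn substitute<F>(input: &str, lookup: F) -> Result<String, SubstError>
where
    F: Fn(&str) -> Option<String>,
{
    let mut out = String::with_capacity(input.len());
    let mut rest = input;
    let mut offset = 0; // bytes of `input` already consumed, for error positions
    while let Some(start) = rest.find("${") {
        out.push_str(&rest[..start]);
        let at = offset + start;
        let body_start = start + 2;
        let len = rest[body_start..].find('}').ok_or(SubstError::Unterminated { at })?;
        let body = &rest[body_start..body_start + len];
        // Split on the first '-' only, so a default may itself contain '-' or ':'.
        let (name, default) = match body.split_once('-') {
            Some((n, d)) => (n, Some(d)),
            None => (body, None),
        };
        if name.is_empty() || !name.chars().all(|c| c.is_ascii_alphanumeric() || c == '_') {
            return Err(SubstError::BadName { at });
        }
        match (lookup(name), default) {
            // The value is copied as-is and never expanded again, so a
            // variable whose content looks like "${OTHER}" cannot pull in
            // a second variable.
            (Some(value), _) => out.push_str(&value),
            (None, Some(d)) => out.push_str(d),
            // Failing here keeps a missing secret from becoming "".
            (None, None) => return Err(SubstError::Unset { name: name.to_string() }),
        }
        let consumed = body_start + len + 1;
        offset += consumed;
        rest = &rest[consumed..];
    }
    out.push_str(rest);
    Ok(out)
}

fn main() {
    // The config line quoted in the release note, expanded against the real environment.
    let line = r#"otlp_endpoint = "${FORGE_OTEL_ENDPOINT-http://localhost:4318}""#;
    match substitute(line, |k| std::env::var(k).ok()) {
        Ok(expanded) => println!("{expanded}"),
        Err(e) => eprintln!("config error: {e:?}"),
    }
}
```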

What's Changed

  • Feature/custom routes middleware and max_size fix by @GoatedChopin in #19
  • Bump dioxus to 0.7.5 and regenerate lockfile by @wheregmis in #20
  • Split CI into PR smoke + workspace integration via reusable workflow by @isala404 in #22

Full Changelog: v0.8.4...v0.9.0

0.8.4 - 2026-04-11

@github-actions github-actions released this 11 Apr 15:16

Added

  • Fire-and-forget mutation helpers (mutate, mutateWith) with global error routing via onMutationError callback in both Svelte and Dioxus clients.
  • anonymize_ip option in [signals] config for GDPR-compliant IP anonymization before visitor ID hashing.
  • Per-mutation upload size limits via max_upload_size attribute.
  • DbConn type exposed for direct database access in test contexts.
  • TestMcpToolContext builder for unit testing MCP tool handlers.
  • Performance benchmarking guide in documentation.

Changed

  • Template dependency versions derived from CARGO_PKG_VERSION at build time, keeping scaffolded projects in sync automatically.
  • Benchmark loadgen rewritten with sharded per-thread metrics, configurable warmup phase, and structured JSON output.
  • Test suite trimmed: low-value tests replaced with targeted coverage for security-sensitive paths and edge cases.

Fixed

  • SSE automatically reconnects after token refresh in both Svelte and Dioxus clients, fixing stale subscriptions after silent token rotation.
  • Auth errors from subscription registration now propagate to onAuthError callback instead of silently retrying with an expired token.
  • TOCTOU race conditions in OAuth token exchange and job claim paths where concurrent requests could bypass validation.
  • Token binding bypass where a rotated refresh token could be replayed from a different session.
  • Input validation gaps in webhook signature verification and signals endpoints.

Full Changelog: v0.8.3...v0.8.4

0.8.3 - 2026-04-01

@github-actions github-actions released this 01 Apr 08:45

Added

  • Configurable global and per-mutation request body size limits (max_body_size in forge.toml and per-function attribute).
  • .env.example files for all example projects so fresh clones have visible environment setup.

Changed

  • Query scope enforcement (user_id/owner_id filtering for private queries) moved from runtime checks to compile-time SQL analysis via sql_extractor. Invalid scoping now fails at cargo build instead of at request time.
  • Dioxus frontend dependencies updated to published forge-dioxus crate versions, removing path dependency overrides.
  • Redundant auth checks removed from benchmark suite.

Fixed

  • max_body_size config no longer leaks into JSON RPC endpoints. Multipart size limits are now correctly scoped to upload routes only, restoring HTTP-layer safety for standard RPC calls.

What's Changed

  • Allowing configuration of global and per-mutation max size by @GoatedChopin in #18

Full Changelog: v0.8.2...v0.8.3

0.8.2 - 2026-03-29

@github-actions github-actions released this 29 Mar 15:51

Added

  • Product analytics and diagnostics system ([signals] in forge.toml): auto-captures all RPC calls, page views, custom events, error reports, and breadcrumb trails with zero configuration. GDPR-compliant visitor tracking via daily-rotating SHA256(IP+UA+salt), bot detection, session management, and Grafana dashboards over PostgreSQL datasource.
  • ForgeSignals client API for Svelte and Dioxus with event batching, flushing, and page view auto-tracking.
  • Correlation IDs (x-correlation-id) linking frontend events to backend RPC calls.
  • Versioned workflows with signature guards: cryptographic contract signing via FNV-1a hash of persisted shape (name, version, step/wait keys, timeout, types). Mismatched runs block at resume with BlockedSignatureMismatch/BlockedMissingVersion status instead of silently corrupting.
  • Operator controls for blocked workflows: cancel_by_operator and retire_unresumable terminal actions.
  • /_api/ready reports unhealthy when blocked workflow runs exist.
  • FORGE_HOST and FORGE_PORT environment variables override config at runtime.
  • FORGE_OTEL_TRACES, FORGE_OTEL_METRICS, FORGE_OTEL_LOGS for per-signal observability toggle without config file changes.
  • Cluster node discovery and improved multi-node coordination.
  • MCP SSE streaming for Model Context Protocol tool calls.
  • Startup banner on server init.
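
An added example (not Forge's code) of the versioned-workflow signature guard from the list above: hash the persisted shape with FNV-1a and refuse to resume a run whose stored signature no longer matches what is deployed. Only the FNV-1a algorithm, the list of shape fields and the two blocked status names come from the release note; the field types, the length-prefixed encoding, check_resume and sample_shape are assumptions.

```rust
// FNV-1a (64-bit) is a fast non-cryptographic hash: the guard catches drift
// between deployed code and persisted runs, not deliberate forgery.
pub fn fnv1a64(bytes: &[u8]) -> u64 {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325; // offset basis
    for b in bytes {
        h ^= u64::from(*b);
        h = h.wrapping_mul(0x0000_0100_0000_01b3); // FNV prime
    }
    h
}

// Fields the release note lists as the persisted shape. Their types and the
// byte encoding below are assumptions made for this example.
pub struct WorkflowShape<'a> {
    pub name: &'a str,
    pub version: &'a str,
    pub step_keys: &'a [&'a str],
    pub wait_keys: &'a [&'a str],
    pub timeout_secs: u64,
    pub input_type: &'a str,
    pub output_type: &'a str,
}

// Length-prefixed, so ["ab", "c"] and ["a", "bc"] never encode alike.
fn put_str(buf: &mut Vec<u8>, s: &str) {
    buf.extend_from_slice(&(s.len() as u64).to_le_bytes());
    buf.extend_from_slice(s.as_bytes());
}

fn put_list(buf: &mut Vec<u8>, items: &[&str]) {
    buf.extend_from_slice(&(items.len() as u64).to_le_bytes());
    for item in items {
        put_str(buf, item);
    }
}

impl WorkflowShape<'_> {
    pub fn canonical_bytes(&self) -> Vec<u8> {
        let mut buf = Vec::new();
        put_str(&mut buf, self.name);
        put_str(&mut buf, self.version);
        put_list(&mut buf, self.step_keys); // order is part of the shape
        put_list(&mut buf, self.wait_keys);
        buf.extend_from_slice(&self.timeout_secs.to_le_bytes());
        put_str(&mut buf, self.input_type);
        put_str(&mut buf, self.output_type);
        buf
    }

    pub fn signature(&self) -> u64 {
        fnv1a64(&self.canonical_bytes())
    }
}

#[derive(Debug, PartialEq)]
pub enum ResumeDecision {
    Resume,
    BlockedSignatureMismatch,
    BlockedMissingVersion,
}

// Compare the signature stored with a run against what is deployed now.
pub fn check_resume(deployed: &[WorkflowShape<'_>], name: &str, version: &str, stored_sig: u64) -> ResumeDecision {
    match deployed.iter().find(|s| s.name == name && s.version == version) {
        None => ResumeDecision::BlockedMissingVersion,
        Some(s) if s.signature() != stored_sig => ResumeDecision::BlockedSignatureMismatch,
        Some(_) => ResumeDecision::Resume,
    }
}

// Constructed sample workflow; every name in it is made up.
pub fn sample_shape(step_keys: &'static [&'static str]) -> WorkflowShape<'static> {
    WorkflowShape { name: "onboard_user", version: "1", step_keys, wait_keys: &["email_verified"],
        timeout_secs: 86_400, input_type: "OnboardInput", output_type: "OnboardOutput" }
}

fn main() {
    let stored = sample_shape(&["create_account", "send_welcome"]).signature();
    let renamed = [sample_shape(&["create_account", "send_welcome_email"])];
    println!("{:?}", check_resume(&renamed, "onboard_user", "1", stored)); // a step key was renamed
    println!("{:?}", check_resume(&renamed, "onboard_user", "2", stored)); // version is not deployed
}
```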

Fixed

  • SvelteKit example build.rs files now track frontend/.env for rebuild, fixing forge test failures where stale PUBLIC_API_URL was embedded after env patching.
  • Normalized Playwright ACTION_TIMEOUT across all examples to 5s local / 15s CI; job/workflow tests use dedicated 15s timeout.

Changed

  • All internal sqlx queries migrated to compile-time checked sqlx::query!/sqlx::query_as! macros with inline parameters. Runtime dynamic queries removed.
  • Security hardened: JWT claims sanitized before trust, state machine transitions validated, RPC input size/rate DoS limits enforced.
  • Test infrastructure refactored for improved flexibility across Dioxus and Svelte Playwright configurations.

Removed

  • All legacy compatibility code: deprecated context decorators, old client generation path, obsolete config fields, and unused example functions removed as part of zero tech debt policy.

Full Changelog: v0.7.4...v0.8.2

0.7.4 - 2026-03-26

@github-actions github-actions released this 25 Mar 21:17

Added

  • OAuth 2.1 authorization server with PKCE support
  • Router and layout systems for all frontend templates
  • cargo install forgex documented as alternative installation method

Changed

  • OAuth implementation refactored with improved type generation and built-in types
  • Examples switched to workspace/path dependencies with version rewriting deferred to archive time
  • forge dev command removed in favor of docker compose directly
  • Frontend API URLs updated to use port 9081 across all examples and test configurations

Fixed

  • sqlx cache correctly copied into crate directories for publish
  • Publish step fails on real errors instead of silently continuing

0.7.3 - 2026-03-25

@github-actions github-actions released this 24 Mar 22:44

Added

  • HTTP transport for MCP tool access alongside existing SSE/streamable transport
  • JWT authentication with refresh token rotation, auto-registration, and embedded frontend auth provider
  • Demo components for auth, stats, MCP tools, and live data across both Dioxus and Svelte frontends
  • Comprehensive e2e test suite for demo project covering all feature sections with isolated test data

Changed

  • Default backend port changed from 8080 to 9081 to avoid conflicts with common dev servers
  • Default frontend port standardized to 9080 across all templates and configurations
  • CORS origins now include both localhost and 127.0.0.1 variants by default
  • Removed kanban-board and support-desk-with-mcp example projects (functionality consolidated into demo templates)

Fixed

  • Template scaffolding hardened for standalone project builds with correct dependency versions
  • CI auto-format step now runs before forge check to prevent generated code lint failures
  • Dioxus frontend dependency resolution and webhook test timeouts

0.7.2 - 2026-03-20

@github-actions github-actions released this 19 Mar 23:26

Added

  • ForgeDb executor wrapper providing automatic db.query tracing spans on all database operations
  • Benchmark suite with RPC latency, realtime propagation, and subscription scaling measurements
  • Load generator (loadgen) for simulating concurrent users with SSE connections and RPC workloads
  • Dioxus codegen: query-first API with Mutation struct and builder DTOs for cleaner frontend bindings
  • Environment configuration files (.env) committed for all examples to simplify local development

Changed

  • Codegen internals refactored into unified binding and emit modules shared across Svelte and Dioxus generators
  • Dioxus and Svelte runtime packages updated with improved realtime messaging and client libraries
  • CI test isolation improved for Dioxus WASM targets with timer fixes
  • Documentation refined across build guides, configuration, and skill references

Fixed

  • Runtime wiring for cluster heartbeat, gateway request handling, and realtime subsystem initialization
  • Clippy indexing_slicing warnings in ForgeDb SQL operation detection
  • Loadgen while_let_loop and argument count lint issues

0.7.1 - 2026-03-14

@github-actions github-actions released this 14 Mar 11:39

Added

  • Template catalog system (.forge-template.toml) with bundled project templates replacing dynamic scaffolding
  • Non-interactive skill install support for CI environments
  • Dioxus frontend lockfile generation for reproducible builds

Changed

  • forge new uses bundled template catalogs instead of dynamic file-by-file scaffolding
  • Examples reorganized by frontend framework (with-svelte/, with-dioxus/) with minimal, demo, and feature-specific variants
  • Dioxus frontend development moved to native builds outside Docker
  • Release workflow refactored into reusable CI scripts (scripts/ci/)
  • Crate publish made idempotent with dirty check fixes for forge-dioxus

Fixed

  • Clippy warnings (collapsible_if, needless_borrows, explicit_auto_deref) across crates
  • CI template builds using unchecked sqlx macros to avoid requiring database at compile time
  • Dioxus test suite gracefully skipped when dx CLI is unavailable