LastSaaS Version Notes

Release history for LastSaaS, the free open-source SaaS boilerplate. Full version notes are also available in VERSIONS.md on GitHub.


v1.3 — March 5, 2026

DataDog observability, event flow visualization, configurable sessions, and platform hardening

DataDog Integration (New)

  • Optional, zero-config DataDog observability — just add an API key
  • Health metrics forwarded automatically: CPU, memory, disk, HTTP latency, MongoDB, goroutines
  • All syslog entries forwarded as structured DataDog logs (every severity level)
  • Critical/high syslog entries additionally sent as DataDog events for alerting
  • Integration service checks: MongoDB, Stripe, Resend, OAuth, WebAuthn, SAML
  • Telemetry events forwarded as count metrics
  • Canonical hostname resolution (e.g. lastsaas.fly.dev) with machine/region tags
  • App-prefixed metric names for multi-product differentiation
  • Four independent async flush loops (metrics, events, logs, service checks)
  • No DataDog Agent required — direct REST API submission
  • API key validation and startup verification

Event Flow Visualization (New)

  • Event definitions with admin CRUD (name, description, parent dependency)
  • Sankey flow visualization showing how users flow through product stages
  • Node annotations with counts and percentage flow-through from parent
  • Dependency graph auto-switches between Flow and Graph sub-tabs
  • “Today” time filter added to all Product Analytics tabs (funnel, engagement, events)

Platform Improvements

  • Configurable session TTLs via admin config (access token, refresh token durations)
  • Resiliency pass: singleflight KPI cache, flush reliability, idle-aware timer
  • Backend error handling audit with consistent patterns across all handlers
  • Health system observer callbacks for extensible metric forwarding
  • Syslog callback now fires for all severity levels (was critical/high only)
  • React 19 strict type fixes

v1.2 — March 1, 2026

Product analytics, CI/CD, security hardening, and infrastructure improvements

Product Analytics & Telemetry (New)

  • 5-tab PM dashboard: Funnel, KPIs, Retention, Engagement, Events
  • Conversion funnel (visitor → signup → checkout → paid → upgrade)
  • SaaS KPIs: MRR, ARR, ARPU, LTV, churn, trial conversion
  • Retention cohort heatmap (weekly/monthly)
  • DAU/WAU/MAU engagement metrics for paying subscribers
  • Custom event explorer with trend charts
  • Go SDK for zero-overhead in-process event tracking
  • REST API for anonymous page views and authenticated custom events
  • Auto-instrumented: registration, login, checkout, subscription, plan changes
  • 365-day TTL auto-expiration on telemetry events

CI/CD & Testing (New)

  • GitHub Actions CI with Go build, lint, and test
  • Codecov integration with coverage badges
  • Comprehensive backend test suite (auth, middleware, Stripe, webhooks, models)
  • Hybrid validation: Go struct tags + MongoDB JSON Schema across 15 collections
  • Frontend test setup with Vitest

Security Hardening

  • Timing-safe auth: dummy bcrypt on failed login prevents account enumeration
  • Rate limit IP detection via trusted proxy headers (was spoofable)
  • Password reset tokens hashed at rest (was plaintext), expiry reduced to 30 min
  • All sessions revoked on password change
  • Trial abuse detection across tenant and user history
  • Stripe Customer ID cross-referencing to prevent subscription reassignment
  • Webhook secrets encrypted at rest (AES-256-GCM)
  • NoSQL injection protection in all search endpoints
  • XSS fix in email fallback templates; DOMPurify for branding injection
  • CSV injection protection on all exports
  • Refund/dispute webhook handlers (charge.refunded, charge.dispute.*)
  • Impersonation window tightened from 15 to 5 minutes
  • 1MB request body size limit on all API routes
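
An added illustration of the "password reset tokens hashed at rest, expiry reduced to 30 min" item above. This is example code, not taken from the LastSaaS code base. The SHA-256 digest, the single-use flag, and the names ResetRecord, IssueResetToken and RedeemResetToken are assumptions made for the sketch.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"time"
)

const ResetTTL = 30 * time.Minute // expiry stated in the release notes

// ResetRecord is what gets stored: a SHA-256 digest (assumed), never the token.
type ResetRecord struct {
	TokenHash [32]byte
	ExpiresAt time.Time
	Used      bool // single-use flag: an assumption, not stated on the page
}

// IssueResetToken returns the plaintext token to email and the record to persist.
func IssueResetToken(now time.Time) (string, ResetRecord, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", ResetRecord{}, err
	}
	token := base64.RawURLEncoding.EncodeToString(raw)
	return token, ResetRecord{TokenHash: sha256.Sum256([]byte(token)), ExpiresAt: now.Add(ResetTTL)}, nil
}

// RedeemResetToken compares digests in constant time and rejects expired or used records.
func RedeemResetToken(rec *ResetRecord, presented string, now time.Time) bool {
	sum := sha256.Sum256([]byte(presented))
	match := subtle.ConstantTimeCompare(sum[:], rec.TokenHash[:]) == 1
	if !match || rec.Used || !now.Before(rec.ExpiresAt) {
		return false
	}
	rec.Used = true
	return true
}

func main() {
	now := time.Now()
	token, rec, err := IssueResetToken(now)
	if err != nil {
		panic(err)
	}
	// Constructed scenario: the same token presented after 31 minutes, then after 10.
	fmt.Println(RedeemResetToken(&rec, token, now.Add(31*time.Minute)), RedeemResetToken(&rec, token, now.Add(10*time.Minute)))
}
```

Because only the digest is persisted, a read of the token collection does not yield a usable reset link. A fast hash is adequate here only because the token is 32 random bytes rather than a user-chosen secret.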

MCP Server Improvements

  • Expanded to 32 read-only tools across 14 categories (was 16 mixed read/write)
  • 6 new PM/telemetry tools: funnel, KPIs, retention, engagement, custom events, event types
  • MCP registry manifests and GoReleaser distribution
  • Additional tools: About, Health Metrics, Entitlements, Credit Bundles, Root Members, Webhooks

Infrastructure & Quality

  • OpenAPI 3.0 spec served at /api/docs as JSON
  • Structured API errors with machine-readable codes and request IDs
  • X-Request-ID and X-API-Version headers on all responses
  • Server-side app name injection (eliminates title flicker)
  • Structured logging migration (log.Printf → log/slog)
  • Batch query optimization in admin (replaced N+1 with $in queries)
  • Reusable UI component library (Alert, Badge, Button, Card, Input, Modal, Select, Textarea)
  • Send Test Email button on health dashboard for Resend verification

v1.0 — February 25, 2026

Initial public release

Multi-tenant architecture with role-based access control. Three-tier admin access. Email/password, MFA/TOTP, magic link, OAuth (Google/GitHub/Microsoft), and Passkey/WebAuthn authentication. Stripe Checkout with per-seat pricing, free trials, Stripe Tax, promotion codes, credit bundles, PDF invoices, and multi-currency support. White-label branding with custom theming, landing pages, and nav configuration. System health monitoring with real-time dashboards. API keys, outgoing webhooks (19 event types), and built-in API documentation. Admin dashboard with impersonation, financial charting, announcements, messaging, and CSV export. CLI tools, Dockerized Fly.io deployment, and graceful shutdown.


MIT License · Copyright 2026 Metavert LLC