GoatFlow 0.6.5 is our biggest release to date. The plugin platform that was a design doc in 0.6.4 is now real, shipping alongside two-factor authentication, API tokens, an MCP server for AI integrations, and a demo mode for public instances.

GoatKit Plugin Platform
The headline feature: GoatKit now has a working plugin system with dual runtime support.
WASM Plugins run in a sandboxed wazero environment. Write a plugin in Go, compile with TinyGo, and it runs anywhere GoatFlow does. The host API gives plugins access to database queries, caching, HTTP requests, email, and i18n — all through a controlled interface.
gRPC Plugins use HashiCorp’s go-plugin for native Go extensions. These run as separate processes communicating over gRPC, ideal for I/O-heavy workloads that need full Go standard library access. Unlike WASM plugins they are not sandboxed: a gRPC plugin runs with the same OS privileges as the GoatFlow process that spawns it, so treat installing one like installing a binary.
The Statistics & Reporting module ships as the first WASM plugin, providing ticket overview, status breakdown, and trend charts on the dashboard. An example Hello World plugin and full developer documentation are included for anyone wanting to build their own.
Plugins are managed through a new admin UI at /admin/plugins with enable/disable controls and a log viewer. State is persisted through the existing sysconfig system — no extra config files needed.
Plugin Developer Tooling
A new gk CLI (cmd/gk/) scaffolds new plugins:
make plugin-init NAME=my-reports RUNTIME=wasm
This generates the plugin structure, build script, and manifest. Comprehensive guides cover both runtimes:
- Author Guide — Plugin creation, packaging, and lifecycle
- Host API Reference — All available host functions
- WASM Tutorial — Step-by-step WASM plugin walkthrough
- gRPC Tutorial — Native plugin development guide
Two-Factor Authentication
GoatFlow now supports TOTP-based 2FA for both agents and customers.
Setup is straightforward: scan a QR code with any authenticator app (Google Authenticator, Authy, etc.), confirm with a code, and receive 8 single-use recovery codes for emergencies.
The security model is thorough:
- 256-bit random session tokens with 5-minute expiry and IP binding
- Rate limiting (5 attempts) to blunt brute-force guessing of codes
- Admin override for locked-out users
- Full audit trail of all 2FA events
- 75 tests covering unit, security, and end-to-end scenarios
A threat model document (docs/security/TOTP_THREAT_MODEL.md) details the design decisions.
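To make the setup flow above concrete, here is an added example (not GoatFlow's own code, which lives in its 2FA package and is not shown on this page) of the three pieces it relies on: the otpauth:// payload the QR code carries, RFC 4226/6238 code generation with a one-period verification window, and single-use recovery codes stored only as SHA-256 hashes. The issuer and account name are hypothetical; the session-token handling, rate limiting and audit trail listed above are not reproduced here.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"net/url"
	"time"
)

const (
	totpStep   = 30      // seconds per period, the RFC 6238 default
	totpDigits = 6
	totpMod    = 1000000 // 10^totpDigits
	totpWindow = 1       // also accept one period either side to absorb clock drift
)

// otpauthURI is the payload the enrolment QR code encodes: the shared secret as unpadded base32.
// SHA1, 6 digits and a 30 s period are the defaults apps assume. Issuer and account are hypothetical.
func otpauthURI(issuer, account string, secret []byte) string {
	q := url.Values{}
	q.Set("secret", base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(secret))
	q.Set("issuer", issuer)
	return "otpauth://totp/" + url.PathEscape(issuer+":"+account) + "?" + q.Encode()
}

// hotp is RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", totpDigits, code%totpMod)
}

// totpAt derives the code for a Unix timestamp (RFC 6238: counter = time / step).
func totpAt(secret []byte, unix int64) string { return hotp(secret, uint64(unix/totpStep)) }

// verifyTOTP compares in constant time against the current period and its neighbours. A server
// must also refuse a code already used this period and rate-limit attempts (5 in this release).
func verifyTOTP(secret []byte, code string, now time.Time) bool {
	counter := now.Unix() / totpStep
	for d := int64(-totpWindow); d <= totpWindow; d++ {
		if subtle.ConstantTimeCompare([]byte(hotp(secret, uint64(counter+d))), []byte(code)) == 1 {
			return true
		}
	}
	return false
}

// newRecoveryCodes mints n single-use codes like "3f9a1c-07be" (40 bits each). Only their
// SHA-256 hashes are kept; the plaintext is shown to the user once and then discarded.
func newRecoveryCodes(n int) (codes []string, hashes map[string]bool, err error) {
	hashes = make(map[string]bool, n)
	for i := 0; i < n; i++ {
		raw := make([]byte, 5)
		if _, err = rand.Read(raw); err != nil {
			return nil, nil, err
		}
		code := fmt.Sprintf("%x-%x", raw[:3], raw[3:])
		codes = append(codes, code)
		hashes[hashRecovery(code)] = true
	}
	return codes, hashes, nil
}

func hashRecovery(code string) string { return fmt.Sprintf("%x", sha256.Sum256([]byte(code))) }

// consumeRecoveryCode deletes the matching hash so the same code can never be replayed.
func consumeRecoveryCode(hashes map[string]bool, code string) bool {
	h := hashRecovery(code)
	if !hashes[h] {
		return false
	}
	delete(hashes, h)
	return true
}

func main() {
	secret := make([]byte, 20) // RFC 4226's recommended HMAC-SHA1 key size
	if _, err := rand.Read(secret); err != nil {
		panic(err)
	}
	fmt.Println("QR payload:", otpauthURI("GoatFlow", "agent@example.com", secret))
	now := time.Now()
	fmt.Println("current code accepted:", verifyTOTP(secret, totpAt(secret, now.Unix()), now))
	codes, hashes, _ := newRecoveryCodes(8)
	fmt.Println("first use:", consumeRecoveryCode(hashes, codes[0]), "replay:", consumeRecoveryCode(hashes, codes[0]))
}
```

The window of one period on each side is the usual trade-off between tolerating phone clock drift and widening the guessing target; with the 5-attempt limit above, an attacker gets at most 15 candidate codes per lockout against a space of a million.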
API Tokens
Personal Access Tokens enable programmatic API access for agents and customers. Tokens support scoped permissions (tickets:read, tickets:write, admin:*) with RBAC inheritance, configurable expiration, and rate limiting.
Tokens carry a gf_ prefix, so they are easy to recognise in logs and secret scanners, and only the SHA256 hash of each token is stored — tokens are never stored in plaintext, so a copy of the database does not yield working credentials.
This unlocks automation scripts, CI/CD pipelines, and the MCP integration below.
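The token lifecycle described above, as an added example rather than GoatFlow's own implementation: mint a gf_-prefixed token from 32 random bytes, store only its SHA-256, look it up by hash on each request, enforce expiry, and match scopes such as tickets:read or admin:*. The store, error values and the wildcard rule (a resource:* scope covers that resource only) are this example's assumptions; how GoatFlow's "RBAC inheritance" resolves scopes is not specified on this page.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

const tokenPrefix = "gf_"

// storedToken is the database row: keyed by the SHA-256 of the token, never the token itself.
type storedToken struct {
	Owner   string
	Scopes  []string
	Expires time.Time
}

type tokenStore struct{ byHash map[string]*storedToken }

func newTokenStore() *tokenStore { return &tokenStore{byHash: map[string]*storedToken{}} }

// hashToken is a single SHA-256. A slow password hash is unnecessary here: the token carries
// 256 bits of entropy, so it cannot be guessed offline, and a fast hash keeps per-request cost low.
func hashToken(tok string) string {
	sum := sha256.Sum256([]byte(tok))
	return hex.EncodeToString(sum[:])
}

// issue mints a token: 32 random bytes, base64url without padding, behind the gf_ prefix.
// The plaintext is returned once to the caller; only its hash is stored.
func (s *tokenStore) issue(owner string, scopes []string, ttl time.Duration, now time.Time) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := tokenPrefix + base64.RawURLEncoding.EncodeToString(raw)
	s.byHash[hashToken(tok)] = &storedToken{Owner: owner, Scopes: scopes, Expires: now.Add(ttl)}
	return tok, nil
}

var (
	errUnauthenticated = errors.New("invalid or expired token")
	errForbidden       = errors.New("token lacks required scope")
)

// authenticate hashes the presented token and looks the hash up; unknown and expired tokens
// map to the same error so the response does not reveal which one it was.
func (s *tokenStore) authenticate(presented string, now time.Time) (*storedToken, error) {
	if !strings.HasPrefix(presented, tokenPrefix) {
		return nil, errUnauthenticated
	}
	t, ok := s.byHash[hashToken(presented)]
	if !ok || !now.Before(t.Expires) {
		return nil, errUnauthenticated
	}
	return t, nil
}

// hasScope grants on an exact match or on a wildcard for the same resource, so admin:* covers
// admin:users. Whether admin:* also implies ticket scopes is not stated in the release notes,
// so this example does not assume it.
func hasScope(t *storedToken, want string) bool {
	for _, s := range t.Scopes {
		if s == want || (strings.HasSuffix(s, ":*") && strings.HasPrefix(want, strings.TrimSuffix(s, "*"))) {
			return true
		}
	}
	return false
}

// authorize is what an API handler would call: authenticate, then check the scope the route needs.
func (s *tokenStore) authorize(presented, scope string, now time.Time) (*storedToken, error) {
	t, err := s.authenticate(presented, now)
	if err != nil {
		return nil, err
	}
	if !hasScope(t, scope) {
		return nil, errForbidden
	}
	return t, nil
}

func main() {
	store := newTokenStore()
	now := time.Now()
	tok, err := store.issue("agent-7", []string{"tickets:read"}, 24*time.Hour, now)
	if err != nil {
		panic(err)
	}
	fmt.Println("token (show once):", tok)
	_, err = store.authorize(tok, "tickets:read", now)
	fmt.Println("read:", err)
	_, err = store.authorize(tok, "tickets:write", now)
	fmt.Println("write:", err)
	_, err = store.authorize(tok, "tickets:read", now.Add(48*time.Hour))
	fmt.Println("after expiry:", err)
}
```

Because the lookup key is the hash, a leaked table gives an attacker nothing to present; the only way to use a token is to hold the plaintext the user was shown once at creation.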
MCP Server
GoatFlow ships an MCP (Model Context Protocol) server, enabling AI assistants to interact with your helpdesk through a standardised interface.
The multi-user proxy architecture means each API token owner’s permissions apply to all operations. An admin’s token sees everything; an agent’s token is filtered by their queue access. Ten tools are available out of the box: ticket CRUD, search, queue listing, user management, statistics, and SQL queries (admin-only). Note the consequence: an admin token handed to an AI assistant also hands it the SQL tool, so issue MCP tokens with the narrowest scopes the assistant actually needs.
RBAC Enforcement
Every statistics and queue endpoint now enforces role-based access control. Dashboard counts, trend data, agent performance metrics, and CSV exports are all filtered by the requesting user’s queue permissions. Unauthorised access returns 404 (not 403), so a caller cannot enumerate which ticket IDs exist in queues they cannot see.
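The 404-not-403 rule is easy to get wrong when the existence check and the permission check are separate steps. The added example below (not GoatFlow's handler; the data, the X-Demo-User header standing in for token authentication, and the route are constructed for illustration) folds the queue filter into the lookup, so a foreign-queue ticket and a missing ticket produce the same response, and applies the same filter to a dashboard count.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

type ticket struct{ ID, Queue int }

// user holds the queues the user may read; in GoatFlow this would come from RBAC.
type user struct {
	Name   string
	Queues map[int]bool
}

// Constructed sample data: two queues, three tickets, an agent who sees only queue 10.
var tickets = map[int]ticket{1: {1, 10}, 2: {2, 20}, 3: {3, 10}}
var users = map[string]user{
	"agent": {"agent", map[int]bool{10: true}},
	"admin": {"admin", map[int]bool{10: true, 20: true}},
}

// visibleTicket combines the lookup and the queue filter, so "does not exist" and
// "exists but not yours" are the same answer and the handler cannot accidentally tell them apart.
func visibleTicket(u user, id int) (ticket, bool) {
	t, ok := tickets[id]
	if !ok || !u.Queues[t.Queue] {
		return ticket{}, false
	}
	return t, true
}

// countVisible is the dashboard count: only tickets in the caller's queues are counted.
func countVisible(u user) int {
	n := 0
	for _, t := range tickets {
		if u.Queues[t.Queue] {
			n++
		}
	}
	return n
}

// ticketHandler serves GET /api/tickets/{id}. The X-Demo-User header is a hypothetical
// stand-in for real token authentication, not a GoatFlow header.
func ticketHandler(w http.ResponseWriter, r *http.Request) {
	u, ok := users[r.Header.Get("X-Demo-User")]
	if !ok {
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	id, err := strconv.Atoi(strings.TrimPrefix(r.URL.Path, "/api/tickets/"))
	if err != nil {
		http.NotFound(w, r)
		return
	}
	t, ok := visibleTicket(u, id)
	if !ok {
		http.NotFound(w, r) // 404 rather than 403: a forbidden ticket looks like a missing one
		return
	}
	fmt.Fprintf(w, "ticket %d in queue %d\n", t.ID, t.Queue)
}

// statusFor drives the handler in-process and returns the HTTP status it produced.
func statusFor(userName string, id int) int {
	req := httptest.NewRequest(http.MethodGet, "/api/tickets/"+strconv.Itoa(id), nil)
	req.Header.Set("X-Demo-User", userName)
	rec := httptest.NewRecorder()
	ticketHandler(rec, req)
	return rec.Code
}

func main() {
	for _, c := range []struct {
		who string
		id  int
	}{{"agent", 1}, {"agent", 2}, {"agent", 999}, {"admin", 2}, {"nobody", 1}} {
		fmt.Printf("%-6s ticket %-3d -> %d\n", c.who, c.id, statusFor(c.who, c.id))
	}
	fmt.Println("dashboard counts: agent", countVisible(users["agent"]), "admin", countVisible(users["admin"]))
}
```

The agent gets 404 for ticket 2 (queue 20) and for ticket 999 (nonexistent) alike, while the admin reads ticket 2; a 403 on the first case would have confirmed that ticket 2 exists.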
Demo Mode
For public demo instances, a new demo mode restricts password and MFA changes while storing preferences (language, theme) in session-only cookies. The next visitor always gets a clean experience.
Enable it with app.demo_mode: true in config or GOATFLOW_APP_DEMO_MODE=true as an environment variable.
Coachmarks
A lightweight onboarding system highlights features for new users. Tooltip-style balloons appear next to UI elements with configurable timing and view limits. Tips are theme-aware, using CSS variables for consistent styling across all themes.
Users can reset feature highlights from their profile page to see tips again.
Wallpaper Toggle
Themes that include background wallpapers (like GoatFlow Classic) now have a toggle in the theme selector. Preference is persisted per-user, and themes without wallpaper automatically grey out the option.
Dark Theme Contrast
338 CSS overrides remap hardcoded Tailwind utility classes to theme variables, fixing contrast issues across all dark themes without touching any templates. The Nineties Vibe theme received additional fixes for muted text and button contrast.
OpenAPI Documentation
The API specification has been expanded from ~2,500 to 4,845 lines covering 94 endpoints. Swagger UI is available at /swagger/ for interactive API exploration.
What’s Next
0.7.0 will expand the plugin platform with a marketplace, hot reload, and new plugins for FAQ management and calendar integration.
Links: