Ironflow v0.21.0
Large release. Lands Ironflow Cloud Portal (#768 SUB-6) — Next.js 16 scaffold with Better Auth, Drizzle, oRPC internal router, magic-link verify flow, OTel auto-instrumentation, and shadcn UI primitives. Ships the #640 docs publish strategy — Astro Starlight scaffold for apps/cloud-docs, brand tokens shared across 3 apps, Cloudflare Pages deploys for docs + marketing, internal-docs (LOCAL-ONLY) site over _internal/. Plus the #770 SUB-5 provisioning saga — customer-cluster TF + 15-step provision + 6-step deprovision saga, break-glass CLI, snapshot decrypt CLI. Final touch: ~50+ docs accuracy fixes auditing every guide against implementation.
Features
Section titled “Features”Cloud Portal (#768 SUB-6)
Section titled “Cloud Portal (#768 SUB-6)”- CW-1 —
apps/cloud-portalNext.js 16 scaffold + Better Auth (#908) - CW-2 — Drizzle migration + canonical Better Auth schema (#909)
- CW-3 — Cloudflare deploy workflow + rate-limit runbook (#912)
- CW-4 —
proxy.tsCSP nonce + CSRF Origin allowlist + session compose (#913) - CW-5 — oRPC internal router + canonical Zod schemas +
mapBetterAuthError(#915) - CW-6 — magic-link wait page + 6 verify states + bounded polling (#920)
- CW-7 — Mailgun webhook HMAC + delivery status (#927)
- CW-8 — health + readiness endpoints (#928)
- CW-9 — OpenTelemetry SDK + auto-instrumentation (#929)
- CW-10/11/12 — strict floor + ADR 0020 + runbooks (#932)
- CW-13 — a11y floor + AI-slop CSS guard (#934)
- CW-14 — shadcn UI primitives (six) (#936)
- SUB-6 brand tokens + surface class + IA + copy lock-in (#947)
Docs Publish Strategy (#640)
Section titled “Docs Publish Strategy (#640)”- Slice 1 —
_internal/bucket reorg + publish-policy gate (ADR 0019) (#886) - Slice 2a — Astro Starlight scaffold over
docs/(#889) - Slice 2b — local-only Starlight scaffold over
_internal/(#891) - Slice 2c — asset + blog migration + diagrams split (#892)
- Slice 2d — design polish per
variant-A-v3.png(#893) - Slice 2e — mermaid + OG + Pagefind tuning (#894)
- Slice 2f — replatform regression suite (#895)
- Slice 3 —
@ironflow/brandshared tokens consumed by 3 apps (#896) - Slice 4 — Cloudflare Pages deploy for cloud-docs (#898)
- Slice 4 — Cloudflare Pages migration for
apps/marketing(#904) - Slice 5 — delete docs-site + platform-ref mirror, supersede plan (#906)
- Rename
apps/cloud-web→apps/cloud-docs(#887)
Provisioning Saga (#770 SUB-5)
Section titled “Provisioning Saga (#770 SUB-5)”- PR1 — Hetzner + Cloudflare libs + tofu CI gate (#863)
- PR2 — saga-step helpers,
DnsApi.upsert, NATS KV mutex, customer-keys, tofu runner,provisioning_auditemitter,ironflow-bootstrap+ A12 contract test (#864–#867) - PR3 — customer-cluster TF skeleton + cloud-init phases 1..6 + meta-cluster break-glass bucket + ADR 0018 (#868–#871)
- PR4 — reserved-slugs blocklist + Mailgun pre-bounce wrapper + 15-step provision saga + production composition root (#872–#874)
- PR5 —
DeprovisionClusterFn6-step saga + clusters table + break-glass CLI + snapshot decrypt CLI + SSH host-pubkey MITM close (#875–#878)
Brand + Site Polish
Section titled “Brand + Site Polish”- Docs chrome polish — H2 rails, sidebar rails, TOC scrubber, instrument-panel hero (#902)
- Tutorial polish — MDX migration, Starlight tabs/asides, LinkCard grid (#903)
- Blog sidebar — posts/releases split + date-desc ordering (#911)
- Fish shell syntax highlighting in docs-site (#861)
- Bootstrap-NATS-KV runs
natsover SSH (embedded NATS is loopback-only) (#858) - Bootstrap-NATS-KV uses
--max-bucket-size(renamed from--max-bytes) (#857) - Install: treat already-bootstrapped boxes as binary upgrade, not error (#856)
- Smoke: replace on-box cosign verify with sha256 anchor (#855)
- Cloud-init: drop awscli + correct traefik v3.5.0 sha256 + 6 drill fixes (#853, #854)
- Cosign: accept
refs/heads/mainin cert identity (#851) - Release pipeline: point at
ghcr.io/sahina/ironflow-releases(#949, #950) - Release: include
@ironflow/langgraph+ drop deadRELEASE_VERSIONvar - Release: decouple manual + CI paths, add helm to
/release-manual - CI: make
wranglerresolvable in deploy-docs job (#948) - Docs CSP: Safari upgrade-insecure-requests + HSTS gated to prod (#941)
- Docs CSP: allow unsafe-eval in dev CSP for Next 16 + Turbopack (#938)
- Cloud-docs: collapse sidebar + widen content + curate sidebar order (#901)
- Cloud-docs: restore Starlight sidebar autogenerate via content symlinks (#899)
Documentation Accuracy Wave
Section titled “Documentation Accuracy Wave”50+ inaccuracies fixed across:
- Secure + audit guides (#925)
- Deployment guides — 14 fixes across 8 files (#924)
- Development guides (#923)
- Debugging guide (#922)
- Observability + YAML config (#921)
- Event sourcing guide (#916)
- Pub/sub how-tos (#919)
- Webhooks — guides + route inventory (#918)
- Storage — 6 guides (#917)
- AI integration guide (#926)
- JS SDK reference (#939)
- API reference index — 3 inaccuracies (#930)
- SDK reference + Starlight admonition migration (#935)
- RBAC, benchmarks, Core Concepts verification (#944)
- Guides 4-bucket sidebar reorg + MDX/Tabs migration (#914)
Cleanup
Section titled “Cleanup”- Drop dead
IRONFLOW_LICENSE_PUBLIC_KEY+ docs accuracy (#940) - Move decision-log to internal strategy (#945)
cmd/ironflowcoverage to 80% gate (#931)