Ironflow v0.22.5
v0.22.5 completes the deny-only policy enforcement story started in v0.22.4, ships the public JS SDK mirror on npm with sigstore provenance, and expands the JS SDK documentation significantly.
Breaking Changes
Section titled “Breaking Changes”- Policy
effect=allowrejected at write boundaries (#972) — Creating or updating a policy witheffect: "allow"now returns HTTP 400 (policy_effect_allow_deprecated). Existing allow rows remain inert at eval but are marked deprecated in the dashboard. See the policy-allow-deprecation runbook for migration guidance.
Features
Section titled “Features”- Public JS SDK mirror (#976) —
@ironflow/{core,browser,node,langgraph}are now published via the publicsahina/ironflow-jsmirror with sigstore keyless provenance on every release. npmrepositorylinks now resolve to a publicly verifiable Git SHA. - Discord waitlist notifications (#978) — Configure
DISCORD_WAITLIST_WEBHOOK_URLon the marketing Cloudflare Worker to receive a rich embed whenever a new signup is added to the waitlist.
- Dashboard: opening a legacy
allowpolicy for edit no longer causes a TypeScript build failure — it coerces todenyon save (#977). - Navigation: cross-site Cloud↔Docs links now correctly set
external: true, restoringtarget="_blank" rel="noopener"(#970).
Improvements
Section titled “Improvements”- JS SDK documentation (#975) — Comprehensive README audit across all four packages:
@ironflow/core(+476 lines),@ironflow/node(+318 lines),@ironflow/langgraph(82 → 230 lines), and@ironflow/browser. New sections cover Agent Primitives, Secrets, Schema Registry, Webhooks, Time-Travel, and Paused State.