Releases: burconsult/adastro

v1.4.0 — Stingray

31 Mar 22:20

AdAstro 1.4.0 “Stingray” is the auth hardening release.

Highlights:

  • Added Microsoft login through the Supabase azure provider, using the same app-level activation model as GitHub and Google.
  • Added optional TOTP/authenticator-app MFA in /profile, including enroll, verify, view, and remove flows.
  • Hardened setup access so /setup and /api/setup/* stay open only before install completion and require an authenticated admin afterward.
  • Hardened profile sync so only author and admin users can mirror profile edits into author metadata.
  • Improved auth throttling with layered IP plus account/factor rate limits and standard rate-limit headers on selected auth endpoints.
  • Changed the database role fallback so authenticated users without explicit role metadata stay reader, not author.
  • Stopped automatic author provisioning/linking on auth.users creation; author records are now created or linked explicitly through admin/bootstrap flows.
  • Enforced aal2 only on sensitive account actions when auth.mfa.enabled=true and a verified factor exists.
  • Documented Microsoft Entra unverified-email risk and the recommended xms_edov claim configuration for Azure logins.
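As an added illustration of the layered throttling described in the highlights above (example code, not AdAstro's own implementation): a per-IP bucket and a per-account (or per-MFA-factor) bucket are both consulted, the tighter one decides, and standard RateLimit-* headers are returned. The limits, key prefixes and the fixed-window strategy are assumptions.

```typescript
// Added example, not from the AdAstro code base. Fixed-window counters keyed
// by IP and by account/factor; the clock is injected so tests are deterministic.
type Rule = { limit: number; windowMs: number };
type Bucket = { count: number; resetAt: number };
type Verdict = { allowed: boolean; headers: Record<string, string> };

class LayeredRateLimiter {
  private buckets = new Map<string, Bucket>();

  constructor(
    private rules: { ip: Rule; account: Rule },
    private now: () => number = () => Date.now(),
  ) {}

  // Every layer is counted on every attempt: an attacker spreading guesses for
  // one account across many IPs is stopped by the account layer, and one IP
  // spraying many accounts is stopped by the IP layer.
  check(ip: string, account: string | null): Verdict {
    const layers: Array<[string, Rule]> = [[`ip:${ip}`, this.rules.ip]];
    if (account) layers.push([`acct:${account}`, this.rules.account]);
    let allowed = true;
    let tight = { remaining: Infinity, limit: 0, resetAt: 0 };
    for (const [key, rule] of layers) {
      const b = this.bump(key, rule);
      const remaining = Math.max(0, rule.limit - b.count);
      if (b.count > rule.limit) allowed = false;
      // Report the layer with the least headroom, as the client would want.
      if (remaining < tight.remaining) tight = { remaining, limit: rule.limit, resetAt: b.resetAt };
    }
    const resetSec = Math.max(0, Math.ceil((tight.resetAt - this.now()) / 1000));
    return {
      allowed,
      headers: {
        'RateLimit-Limit': String(tight.limit),
        'RateLimit-Remaining': String(tight.remaining),
        'RateLimit-Reset': String(resetSec),
      },
    };
  }

  private bump(key: string, rule: Rule): Bucket {
    const t = this.now();
    let b = this.buckets.get(key);
    if (!b || t >= b.resetAt) {
      b = { count: 0, resetAt: t + rule.windowMs }; // new window
      this.buckets.set(key, b);
    }
    b.count += 1;
    return b;
  }
}
```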

Migration notes:

  • Existing installs should apply infra/supabase/migrations/006_auth_hardening_azure_mfa.sql.
  • Fresh installs should use the updated infra/supabase/migrations/000_core.sql baseline.

Manual setup still required:

  • Configure the Supabase Azure provider, tenant mode, credentials, and redirect URLs.
  • Enable Supabase MFA before turning on auth.mfa.enabled.
  • Review Supabase auth rate limits, CAPTCHA/Turnstile, and related dashboard-side abuse protections.

Validation:

  • Targeted auth/setup/RLS hardening tests passed before release cut.
  • Production deploys should still run the normal smoke checks after the live 006 migration.

v1.3.0 — Schneller

24 Mar 21:26

Highlights

  • Added the new Loan Box bundled theme.
  • Reset the theme contract around stricter semantic light/dark tokens across public and admin surfaces.
  • Replaced runtime Google Fonts loading with self-hosted local font assets so theme typography stays customizable without third-party font requests.
  • Fixed article card title contrast and removed unintended underline/link-color leakage from article boxes and public menus across themes.
  • Trimmed public-page JavaScript by replacing the pageview tracker React island with an inline idle script and mounting the public toast host only on auth pages that use it.

Notes

  • This release follows v1.2.0 — Solidbeam, which focused on hosted hardening and infra performance improvements.
  • Hosted PSI/Lighthouse score deltas should still be recorded per deployment environment after rollout.

v1.2.0 — Solidbeam

23 Mar 14:25

Hardening and infra performance improvements

v1.1.0 — Polyglot

20 Mar 00:28

Added multilingual support.

v1.0.0 — Lightspeed

27 Feb 12:11
