Missing changelogs from 02-24 to 04-13

AGENTS.md

@@ -64,6 +64,7 @@ The canonical review policy lives in `REVIEW.md` (root). It applies equally to l
 - If a new page is added, make sure it appears in sidebars.js and check if its worth adding to core_concepts/index.mdx
 - New features shall have a dedicated changelog page and directory, like [this](./changelog/2025-08-19-kubernetes-native-autoscaling/index.md)
 - Changelogs should have tags (in Sentence case). In particular follow the color titles referenced in @src/theme/BlogPostItem/Container/index.js: (like 'App editor', 'Flow editor', 'Enterprise')
+- Changelog `index.md` files contain frontmatter only — do NOT add any markdown body after the closing `---`. Body content is ignored by the changelog renderer; everything users see comes from the `title`, `description`, and `features` fields. Put any extra context into `description` (which can be longer for changelog entries since it doubles as the page summary) rather than as prose below the frontmatter.
 - Major features shall be referenced in the [features list](./src/components/pricing/FeatureList.js), in particular if they are Enterprise features
 
 ## Cross-referencing and backlinks
@@ -103,7 +104,7 @@ The canonical review policy lives in `REVIEW.md` (root). It applies equally to l
 - **Prefer question-based descriptions** to match how users and AI systems query for information (e.g. "How do I deploy Windmill on Kubernetes?" rather than "Guide to deploying Windmill on Kubernetes")
 - For integration pages, use the pattern: "How do I connect X to Windmill? [What you can do]."
 - For docs pages, use a question that the page answers (e.g. "How do I set up workers in Windmill? Configure worker groups, assign tags, and scale compute.")
-- For changelog entries, summarize the feature in one sentence
+- For changelog entries, summarize the feature in one or two sentences. Since the changelog renderer ignores any body content after the frontmatter, the description is the only prose users will see — keep it factual but include enough context (what changed, where it appears, key constraints) to stand on its own.
 
 ### JSON-LD structured data
 Every non-doc page should include a `<script type="application/ld+json">` block inside `<Head>` for search engine and AI extraction. Follow these patterns:

changelog/2026-02-25-entra-id-database-auth/index.md

@@ -0,0 +1,13 @@
+---
+slug: entra-id-database-auth
+title: Azure Entra ID authentication for MS SQL
+tags: ['Resources', 'Enterprise']
+description: MS SQL Server resources can now authenticate using Azure AD (Entra) OAuth tokens through the aad_token field, alongside username/password and Windows Integrated Authentication. Uses the Windmill Azure OAuth setup with the database.windows.net scope.
+features:
+  [
+    'Azure AD (Entra) authentication for MS SQL Server resources via the aad_token field.',
+    'Three authentication methods supported: username/password, Azure AD, and Windows Integrated Authentication.',
+    'Uses the Windmill OAuth setup with the https://database.windows.net//.default scope.',
+  ]
+docs: /docs/integrations/mssql
+---

changelog/2026-02-26-otel-http-protobuf-exporter/index.md

@@ -0,0 +1,13 @@
+---
+slug: otel-http-protobuf-exporter
+title: HTTP and protobuf OTEL exporters
+tags: ['Self-hosted']
+description: Windmill can now export OpenTelemetry traces, metrics, and logs over HTTP/protobuf and HTTP/JSON in addition to gRPC, broadening the set of compatible OTLP collectors and managed observability backends.
+features:
+  [
+    'New OTLP exporter protocol options: gRPC, HTTP/protobuf, and HTTP/JSON.',
+    'Compatible with managed observability backends that only accept HTTP-based OTLP.',
+    'Exporter protocol is configurable per signal alongside the existing endpoint setting.',
+  ]
+docs: /docs/misc/guides/otel
+---

changelog/2026-02-27-websocket-trigger-heartbeat/index.md

@@ -0,0 +1,13 @@
+---
+slug: websocket-trigger-heartbeat
+title: Application-level heartbeat for WebSocket triggers
+tags: ['Triggers']
+description: WebSocket triggers can now send periodic application-level keep-alive messages with optional state extraction from incoming messages, supporting protocols like Discord Gateway, STOMP, and custom APIs without spawning jobs.
+features:
+  [
+    'Configurable heartbeat message and interval, sent at the Rust level with zero job overhead.',
+    'Optional state field that captures a value from each inbound message and substitutes it into the heartbeat via {{state}}.',
+    'Works for protocols that require app-level keep-alives (Discord Gateway, STOMP, custom APIs).',
+  ]
+docs: /docs/core_concepts/websocket_triggers#application-level-heartbeat
+---

changelog/2026-02-28-trigger-filters-or-logic/index.md

@@ -0,0 +1,13 @@
+---
+slug: trigger-filters-or-logic
+title: OR logic for WebSocket and Kafka trigger filters
+tags: ['Triggers']
+description: WebSocket and Kafka triggers now support combining multiple filters with OR in addition to the default AND, so a single trigger can match any one of several payload patterns instead of all of them.
+features:
+  [
+    'Filter logic selector on WebSocket and Kafka triggers: AND (default) or OR.',
+    'OR matches messages that satisfy any of the configured filters.',
+    'Existing triggers default to AND; the selector only appears when at least one filter is configured.',
+  ]
+docs: /docs/core_concepts/websocket_triggers
+---

changelog/2026-03-02-self-approval-wac/index.md

@@ -0,0 +1,13 @@
+---
+slug: self-approval-wac
+title: selfApproval option for workflows as code
+tags: ['Workflows as code', 'Enterprise']
+description: Approval steps in workflows as code now expose a selfApproval flag (TypeScript) and self_approval (Python) to control whether the user who triggered the workflow can also approve it, matching the visual flow editor toggle.
+features:
+  [
+    'New selfApproval / self_approval parameter on approval steps in workflows as code.',
+    'Set to false to require a different approver, matching the visual flow editor toggle.',
+    'Available in the TypeScript and Python WAC SDKs.',
+  ]
+docs: /docs/core_concepts/workflows_as_code
+---

changelog/2026-03-03-instance-ai-settings/index.md

@@ -0,0 +1,13 @@
+---
+slug: instance-ai-settings
+title: Instance-level AI settings
+tags: ['AI', 'Self-hosted']
+description: Superadmins can configure AI providers (OpenAI, Anthropic, Google AI, Azure, Bedrock, customai) at the instance level so every workspace inherits the same models, headers, and routing without per-workspace setup.
+features:
+  [
+    'Configure AI providers (OpenAI, Anthropic, Google AI, Azure, Bedrock, customai, etc.) once at the instance level.',
+    'Workspaces inherit instance defaults and can still override per-workspace.',
+    'Centralizes model selection, base URLs, and shared credentials for self-hosted deployments.',
+  ]
+docs: /docs/advanced/instance_settings
+---

changelog/2026-03-04-http-route-workspace-prefix/index.md

@@ -0,0 +1,13 @@
+---
+slug: http-route-workspace-prefix
+title: Enforce HTTP route workspace prefix instance-wide
+tags: ['Triggers', 'Self-hosted']
+description: Self-hosted superadmins can now require every HTTP route to be served under /api/r/{workspace_id}/{route} via a single instance setting, matching the Cloud behavior and locking the per-route toggle.
+features:
+  [
+    'New "HTTP route workspace prefix" instance setting under superadmin settings.',
+    'When enabled, all routes are served under /api/r/{workspace_id}/{route}, regardless of the per-route toggle.',
+    'The per-route toggle is disabled and labeled as enforced by the instance setting.',
+  ]
+docs: /docs/core_concepts/http_routing#workspace-prefix
+---

changelog/2026-03-07-git-sync-community-edition/index.md

@@ -0,0 +1,13 @@
+---
+slug: git-sync-community-edition
+title: Git sync available on Community Edition
+tags: ['Self-hosted']
+description: Git sync is now available on Community Edition for workspaces with up to 2 users, in addition to Cloud and Enterprise Self-Hosted, with the same feature set including push, pull, GPG signing, and wmill.yaml configuration.
+features:
+  [
+    'Git sync on Community Edition workspaces with up to 2 users.',
+    'Same feature set as the Enterprise version: push, pull, GPG signing, wmill.yaml-driven configuration.',
+    'Pricing-tier difference is enforced at the workspace user count, not at feature flags.',
+  ]
+docs: /docs/advanced/git_sync
+---

changelog/2026-03-08-otel-metrics/index.md

@@ -0,0 +1,13 @@
+---
+slug: otel-metrics
+title: Windmill operational metrics over OTLP
+tags: ['Self-hosted']
+description: Windmill can now export its own operational metrics to any OTLP-compatible collector alongside traces and logs, complementing the existing Prometheus /metrics endpoint with a push-based option.
+features:
+  [
+    'New "Metrics" toggle under Instance settings → OTEL/Prom.',
+    'Operational metrics pushed to the same OTLP collector used for traces and logs.',
+    'Complements the Prometheus /metrics scrape endpoint on port 8001 (push vs. pull).',
+  ]
+docs: /docs/misc/guides/otel#exporting-windmill-metrics-via-otlp
+---

changelog/2026-03-09-otel-trace-context-env-vars/index.md

@@ -0,0 +1,13 @@
+---
+slug: otel-trace-context-env-vars
+title: OTEL trace context exposed in jobs
+tags: ['Self-hosted']
+description: When OTEL tracing is enabled, Windmill now exposes the W3C trace context of each job as TRACEPARENT and related env vars in the runtime, so user scripts can propagate context to downstream services across all supported languages.
+features:
+  [
+    'TRACEPARENT environment variable set on every job runtime when OTEL is enabled.',
+    'Format follows the W3C Trace Context spec: 00-{trace_id}-{span_id}-01.',
+    'Available across all supported languages: Python, Bash, Bun, Deno, Go, TypeScript, Rust, C#, Ruby, Nu, Java, PHP.',
+  ]
+docs: /docs/misc/guides/otel#otel-trace-context-in-jobs
+---

changelog/2026-03-10-vertex-ai-routing/index.md

@@ -0,0 +1,13 @@
+---
+slug: vertex-ai-routing
+title: Route Anthropic and Google AI through Vertex AI
+tags: ['AI']
+description: The googleai and anthropic AI resources now expose a platform field to switch between the provider's standard API and Google Vertex AI, using a Google Cloud service account access token for authentication.
+features:
+  [
+    'platform: google_vertex_ai option on googleai and anthropic resources.',
+    'Set base_url to your Vertex endpoint and api_key to a Google Cloud OAuth2 access token (Vertex AI User role).',
+    'Run Claude models on Vertex AI from existing Anthropic-shaped scripts and AI agents.',
+  ]
+docs: /docs/core_concepts/ai_generation
+---

changelog/2026-03-11-data-table-postgres-trigger/index.md

@@ -0,0 +1,13 @@
+---
+slug: data-table-postgres-trigger
+title: Data tables as Postgres trigger sources
+tags: ['Data tables', 'Triggers']
+description: Data tables backed by a Postgres resource can now be used anywhere a Postgres resource is expected, including as the source of a Postgres trigger, without exposing the underlying database connection string to users.
+features:
+  [
+    'Data tables backed by the instance database or a workspace Postgres resource are now valid Postgres resources.',
+    'Use a data table directly as the source of a Postgres trigger to react to INSERT/UPDATE/DELETE events.',
+    'Works in the Database Studio app component without manual resource wiring.',
+  ]
+docs: /docs/core_concepts/persistent_storage/data_tables
+---

changelog/2026-03-12-secret-masking-job-logs/index.md

@@ -0,0 +1,14 @@
+---
+slug: secret-masking-job-logs
+title: Secret masking in job logs
+tags: ['Security']
+description: Windmill now masks secret values in job logs automatically, replacing all but the first 3 characters with stars and emitting a one-time notice. Masking happens in-memory so plaintext never lands in job_logs.
+features:
+  [
+    'Plaintext values of secret variables and $encrypted: arguments are tracked per-job and masked in stdout/stderr before logs are persisted.',
+    'First 3 characters are kept for debuggability; the rest is replaced by *****.',
+    'Only values of 8 characters or more are masked, to avoid false positives like "true" or "1234".',
+    'Masking happens in-memory before logs are written to the database, so plaintext never lands in job_logs.',
+  ]
+docs: /docs/core_concepts/variables_and_secrets#secret-masking-in-job-logs
+---

changelog/2026-03-16-pdf-input-ai-agent/index.md

@@ -0,0 +1,13 @@
+---
+slug: pdf-input-ai-agent
+title: PDF input for AI agents
+tags: ['AI']
+description: AI agent steps can now accept PDF documents as input alongside images, with provider-specific encoding for Anthropic, OpenAI, and Google AI handled automatically. Requires a workspace-level S3 object storage.
+features:
+  [
+    'PDF documents can be passed as attachments to AI agent steps.',
+    'Provider-specific encoding handled automatically: Anthropic document blocks, OpenAI input_file blocks, Google AI inline data.',
+    'MIME type detected from the file extension; requires workspace-level S3 object storage.',
+  ]
+docs: /docs/core_concepts/ai_agents
+---

changelog/2026-03-17-customai-custom-headers/index.md

@@ -0,0 +1,13 @@
+---
+slug: customai-custom-headers
+title: Custom headers on AI requests
+tags: ['AI']
+description: The customai resource accepts a headers object to attach arbitrary headers to every AI request, and a new AI_HTTP_HEADERS env var applies headers globally across all providers (OpenAI, Anthropic, Azure, Bedrock).
+features:
+  [
+    'headers field on customai resources: map of header names to values, attached to every request made with that resource.',
+    'AI_HTTP_HEADERS env var on the server and workers attaches headers to every outgoing AI request across all providers (OpenAI, Anthropic, Azure, Bedrock, etc.).',
+    'Useful for upstream proxies, gateway authentication, and routing metadata.',
+  ]
+docs: /docs/core_concepts/ai_generation
+---