Platform v0.2.1 — 2026-06-15

The trust and durability release. Licenses behave correctly end-to-end. Production code paths are durable under load and graceful at shutdown. Customer-facing surfaces no longer expose internal cruft. The pro twin pipeline carries no false positives in its conformance posture.

Pairs with the wt CLI v0.3.0 release — MCP install / trial / license-refresh tools require platform v0.2.1 or later.

  • cmd/issue-license rejects --ttl-days > 7. The 7-day trial cap is now policy-as-code, with a tripwire test enforcing it at build time.
  • Weekly re-issue scheduler integrated with the workers WaitGroup, cancellable on shutdown. Runs at WT_LICENSE_REISSUE_INTERVAL (default 84 hours — mid-window).
  • Cross-repo NotAfter boundary parity locked in. Both the app-side license verifier and the pro-side twinkit-pro validator treat NotAfter as exclusive — JWT/RFC exp convention. Eliminates a 1ns semantic divergence at the boundary instant.
  • 657-LoC lifecycle test scaffold covering 10 cases: TTL cap, expiry boundary, mid-request expiry, re-issue, scheduler firing and drain, clock skew, goroutine-leak verification.
  • Audience-fallback on telemetry ingest closed — TwinName in the request body no longer overrides the audience claim in the license token. Closes an auth-bypass class.
  • atomic.Bool guard plus panic-on-duplicate Clerk SetKey registration.
  • Webhook secret placeholder tripwire in prod — boot panics if the platform’s webhook signing secret is still set to the env.example placeholder, mirroring the existing Clerk sk_test_placeholder guard.
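
The exclusive NotAfter boundary and the closed audience fallback can be shown in one check. This is an added example, not the platform's code: the License type, AuthorizeIngest, and the error names are hypothetical, and rejecting a conflicting body value (rather than ignoring it) is this example's assumption.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// License stands for a token whose signature has already been verified.
// Type and field names are hypothetical; only NotAfter is named on the page.
type License struct {
	Audience string    // twin the token was issued for (signed claim)
	NotAfter time.Time // exclusive expiry instant
}

var (
	ErrExpired  = errors.New("license expired")
	ErrAudience = errors.New("audience claim missing or mismatched")
)

// AuthorizeIngest returns the twin a telemetry request is accounted to.
// bodyTwinName is the unauthenticated TwinName field from the request body.
func AuthorizeIngest(lic License, bodyTwinName string, now time.Time) (string, error) {
	// Exclusive NotAfter (JWT exp convention): valid only while now < NotAfter,
	// so the boundary instant itself is already expired.
	if !now.Before(lic.NotAfter) {
		return "", ErrExpired
	}
	// The identity comes from the signed claim. A missing claim is an error,
	// never a reason to fall back to the caller-supplied body value.
	if lic.Audience == "" {
		return "", ErrAudience
	}
	// Assumption of this example: a conflicting body value is rejected
	// outright instead of being silently ignored.
	if bodyTwinName != "" && bodyTwinName != lic.Audience {
		return "", ErrAudience
	}
	return lic.Audience, nil
}

func main() {
	exp := time.Date(2026, 6, 22, 0, 0, 0, 0, time.UTC) // constructed sample
	lic := License{Audience: "twin-a", NotAfter: exp}
	fmt.Println(AuthorizeIngest(lic, "twin-a", exp.Add(-time.Nanosecond)))
	fmt.Println(AuthorizeIngest(lic, "twin-a", exp))
	fmt.Println(AuthorizeIngest(License{NotAfter: exp}, "twin-b", exp.Add(-time.Hour)))
}
```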

Production durability and graceful shutdown

  • /health now exercises db.PingContext, blob storage, and per-twin reachability via a typed TwinReachabilityChecker interface. Aggregate {summary, unreachable[]} response shape; no fail-fast; 2-second per-sub-check timeout.
  • Rate-limiter sweeper is WaitGroup-tracked.
  • AccountResolver honors request-context cancellation; the install handler propagates context.
  • Telemetry emitter — overflow flush goroutine WaitGroup-tracked; the retry-backoff loop selects on stopCh so Stop() returns in bounded time rather than the cumulative sleep budget.
  • Twin-iconik handler Shutdown(ctx) drains background completion goroutines. With this, zero fire-and-forget goroutines remain fleet-wide across all 28 twins.
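
The retry-backoff change in the telemetry emitter comes down to replacing a plain sleep with a select that also watches the stop channel. This is an added sketch, not the emitter's code: sendWithBackoff, ErrStopped, and the parameters are hypothetical names; only stopCh appears in the notes.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

var ErrStopped = errors.New("emitter stopped")

// sendWithBackoff retries send up to attempts times, doubling the wait after
// each failure. Every wait also watches stopCh, so shutdown latency is bounded
// by one send call rather than by the sum of all remaining sleeps.
func sendWithBackoff(stopCh <-chan struct{}, attempts int, base time.Duration, send func() error) error {
	var err error
	wait := base
	for i := 0; i < attempts; i++ {
		if err = send(); err == nil {
			return nil
		}
		if i == attempts-1 {
			break // no point waiting after the final attempt
		}
		timer := time.NewTimer(wait)
		select {
		case <-timer.C:
			wait *= 2
		case <-stopCh:
			timer.Stop()
			return ErrStopped
		}
	}
	return err
}

func main() {
	stopCh := make(chan struct{})
	fail := func() error { return errors.New("ingest unavailable") } // constructed failure
	go func() { time.Sleep(50 * time.Millisecond); close(stopCh) }()
	start := time.Now()
	err := sendWithBackoff(stopCh, 5, time.Hour, fail)
	fmt.Println(err, time.Since(start) < time.Second)
}
```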

Three phases of work landed in the pro repo across the v0.2.1 cycle. The headline outcome: the conformance gate’s audit script grew from 42 → 52 checks (PFTI Phases 1 + 2), 391 routes were triaged into a canonical 4-bucket vocabulary (admin_endpoint, vendor_spec_under_specification, intentional_extension, pending_fix), and 14 real twin bugs surfaced through the triage — independently tracked.

  • Phase 1 — manifest cleanup across 28 twins. Legacy field bleed purged; verdict vocabulary extended (NOT_APPLICABLE, UNRUNNABLE); coverage shape normalized.
  • Phase 2 — per-route divergence triage across 12 clean twins, with vocabulary + schema additions for the new triage buckets. Five drifted twins explicitly deferred to a Phase 4 release with blocker tracking.
  • Phase 3 — atomic-writes promotion. twinkit-pro/persist.AtomicWriteFile is now a public package; 7 direct-write sites converted; the audit gained check 16m banning regression. Goroutine-hygiene cleanup completed in parallel.
  • Comment-vs-route-registration drift detection — handler doc comments correctly named vendor URLs but router registration drifted, so customer SDK callers 404’d silently. Build-time lint pattern documented.
  • Single-shared-divergence-record pattern — when 10+ routes share a systemic cause, one shared record + a revisit_trigger beats N per-route entries.
  • Conformance-gate enhancement spec for Phase 4 design.
  • False-positive taxonomy — a 4-source taxonomy of twin_only_extensions false positives surfaced via cross-twin synthesis. Roughly 270 of ~365 flagged routes across 12 triaged twins were gate-design false positives, not real twin drift.
  • New internal/httpclient package with TLS 1.2 floor + 30-second default timeout + project User-Agent. 12 call sites rewired.
  • wt_live_wt_ API-key prefix rename.
  • Telemetry ingest receives shared ReadHeaderTimeout, constant-time Bearer compare, 32-byte minimum key floor enforcement, structured slog handler.
  • Deferred panic recovery at main() top.
  • PII strings purged from prod bundle and sibling fixtures.
  • Catalog cleanup: three real-name references the v0.2.0 cleanup missed are gone.
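
The constant-time Bearer compare and the 32-byte key floor on telemetry ingest fit together as in the following added example. It is not the platform's code: BearerAuth, NewBearerAuth, and Check are hypothetical names, and hashing both sides before the compare is this example's choice.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
)

const minKeyBytes = 32 // key floor stated in the release notes

var ErrWeakKey = errors.New("ingest key below 32-byte floor")

// BearerAuth is a hypothetical verifier; it stores only a digest of the key.
type BearerAuth struct{ keyDigest [sha256.Size]byte }

// NewBearerAuth enforces the floor at construction, so a weak key fails at
// boot instead of on the first request.
func NewBearerAuth(key string) (*BearerAuth, error) {
	if len(key) < minKeyBytes {
		return nil, ErrWeakKey
	}
	return &BearerAuth{keyDigest: sha256.Sum256([]byte(key))}, nil
}

// Check validates an Authorization header value.
func (a *BearerAuth) Check(header string) bool {
	const prefix = "Bearer "
	if !strings.HasPrefix(header, prefix) {
		return false
	}
	// Hash the presented token first: ConstantTimeCompare returns early on
	// a length mismatch, and fixed-size digests remove that length signal.
	got := sha256.Sum256([]byte(header[len(prefix):]))
	return subtle.ConstantTimeCompare(got[:], a.keyDigest[:]) == 1
}

func main() {
	key := strings.Repeat("k", 32) // constructed sample key, not a real secret
	auth, err := NewBearerAuth(key)
	fmt.Println(err, auth.Check("Bearer "+key), auth.Check("Bearer "+key[:31]))
	_, err = NewBearerAuth("short")
	fmt.Println(err)
}
```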

See the wt CLI v0.3.0 release notes. wt verify (CI entitlement gate) and wt replay are the customer-facing new commands.

See the wt CLI v0.3.0 release notes. wt_install, wt_license_refresh, and wt_trial require this platform v0.2.1 release on the target environment.

None at the platform layer. The CLI’s wt_subscribe reshape (per-twin verb → org-plan-relationship verb) is documented in the wt CLI v0.3.0 release notes — agents calling wt_subscribe with a twin_name parameter need to switch to wt_install.

None.

  • wt_install against production currently returns SETUP_REQUIRED because the platform-side install-bundle signing key is not yet populated on production. The envelope shape is correct; the install path is intentionally deferred until the MCP-auth design lands. Community twin install via wt install <twin>@<version> is unaffected.
  • Automated billing is out of scope for v0.2.1. Early-customer billing remains bespoke / direct-invoice; automated billing arrives in v0.2.2.
  • Requires wt v0.3.0 or later for the new MCP install / trial / license-refresh flows. Earlier CLI versions still work for catalog, status, and per-twin subscribe via the legacy shape.
  • Compatible with all existing twin versions in the registry. No twin contract changes in this release.

The platform is operator-deployed via Docker Compose. For the customer-facing CLI:

brew upgrade wondertwin-ai/tap/wt
wt version # 0.3.0 or later