docs(web/blog): announce Wheels 4.0.5 (with 4.0.4 hardening) #3231
Covers the 4.0.4 hardening pass (security, performance, deploy, cross-engine) and the 4.0.5 install-anywhere packaging (arm64 Linux + daily install-smoke CI). 4.0.4 was superseded by 4.0.5 the same day, so this single post covers both.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: Peter Amiri <petera@pai.com>
Wheels Bot — Reviewer
TL;DR — This PR adds a single blog post (web/content/blog/posts/wheels-4-0-5-released.md) announcing Wheels 4.0.5 and folding in the 4.0.4 hardening work. Frontmatter matches the established release-post convention (cross-checked against wheels-4-0-3-released.md), and every substantive feature claim verifies against the CHANGELOG / source. Two minor accuracy nits below; neither blocks. Verdict: comment.
Docs
1. wheels --version output annotation is wrong (line 107).
wheels --version # Wheels Version: 4.0.5
The CLI does not print Wheels Version: 4.0.5. version() in cli/lucli/Module.cfc:345 builds the banner as ["Wheels " & moduleVersion & channelTag], so the actual first line is Wheels 4.0.5. Since this is published-facing copy a reader will paste and compare against, suggest changing the comment to # Wheels 4.0.5.
2. "the same day" vs the CHANGELOG's own dating (lines 22 and 93).
The post twice states 4.0.4 "was superseded by 4.0.5 the same day." The release tags are v4.0.4 at 2026-06-18 18:45 -0700 and v4.0.5 at 2026-06-19 05:09 -0700, and CHANGELOG.md dates them on different calendar days (4.0.4 => 2026-06-18, 4.0.5 => 2026-06-19). They are ~10.5h apart and land on the same UTC day (both 2026-06-19 in UTC, matching the post's publishedAt), so the claim is defensible — but it reads as inconsistent against the project's own changelog. Consider "within hours" / "the next morning" to avoid a reader spotting the 06-18 vs 06-19 mismatch.
Verified (no action needed)
Spot-checked the major claims against source/changelog — all accurate:
- trustProxyHeaders -> vendor/wheels/Global.cfc, vendor/wheels/events/init/security.cfm (+ TrustProxyHeadersSpec)
- $isSafeRedirectUrl() -> vendor/wheels/controller/redirection.cfc
- Lucee-only cfabort; 500'ing GET / on Adobe -> CHANGELOG #3029 (matches CLAUDE.md cross-engine invariant #13)
- wheels jobs work/status (#3090), /up endpoint (#3210), wheels upgrade apply + check --strict (#3035, Module.cfc:313), subpath setting
Frontmatter (title/slug/publishedAt/updatedAt/author/tags/categories/excerpt) mirrors wheels-4-0-3-released.md; publishedAt (2026-06-19) is not future-dated.
Commits
docs(web/blog): announce Wheels 4.0.5 (with 4.0.4 hardening) — valid conventional-commit type and scope, header well under 100 chars. No changelog fragment is needed (this is the announcement, not a code change; 4.0.5 is already promoted in CHANGELOG.md).
Adds the blog post announcing Wheels 4.0.5, written to lead with the 4.0.4 hardening substance (116 changelog entries: 13 Security · 10 Performance · 10 Added · 4 Changed · 79 Fixed) rather than treating 4.0.4 as a footnote.
Sections
- /wheels/info secret/metadata leak fixes, fail-closed dev-UI + reload gates, url.format path-traversal fix, SQL-surface tightening, trustProxyHeaders, deploy secret redaction
- model()/controller() warm path, memoized URLFor() + schema-column cache, O(1) dispatch gate
- wheels deploy grew up — ~20 Kamal-port fixes (fresh-host boot, all-or-nothing lock, secret timeout, rollback overlay, audit trail)
- wheels jobs work/status, wheels upgrade apply, --strict, subpath, /up endpoint

Targeted for CFBreak's Friday issue. Single .md file; blog visual baseline auto-refreshes post-merge.

🤖 Generated with Claude Code