Today we are talking about Content, syndication, and Synchronization between Drupal Sites with guest Thiemo Müller. We'll also cover Drupal core 11.4 as our module of the week.
Are you excited for a feature release of Drupal core that delivers even more performance acceleration, a modernized developer experience, and a slew of administrator and editor improvements? Drupal core 11.4 delivers all that and more
When Drupal 11.3 was released, we talked about what a massive performance jump it represented, the biggest improvement in a decade. 11.4 has done it again! Database queries are reduced by half, across a range of requests due to optimizations in how entity fields are loaded. Overall, that represents a nearly ⅔ improvement for database and cache lookups on a cold cache compared to Drupal 11.0 or 10.6
Entity listing queries have also been refactored to use fewer table joins, reducing slow queries. Additionally, the link field introduces a resolvable_uri property and token, which returns a ready-to-use front-end link (like /#main-content) right out of the API instead of raw internal URIs, which will be a huge benefit for anyone using Drupal for decoupled and JSON:API-based use cases
Applying recipes in Drupal 11.4 is significantly faster, reportedly twice as fast, and that includes installing Drupal CMS
Drupal now supports Brotli compression, which should yield 15-25% better compression of CSS and JS assets
Security
Drupal 11.4 offers a new password hashing algorithm, argon2id, that will become the default in Drupal 12 later this year
Also, the drupal/core-recommended package no longer strictly locks minor versions for critical dependencies like Guzzle, Twig, or Symfony Polyfills, making it easier to immediately receive important security updates
Drupal's default robots.txt now blocks well-behaved search crawlers from indexing search queries, helping to solve a potential source of traffic overload on sites using faceted search
Developer experience
There's been a significant shift towards the adoption of PHP Attributes in recent Drupal releases, and 11.4 is no exception
You can now define application routes directly within your PHP controller and form classes using the Symfony #[Route] attribute. This drastically reduces the need to jump back and forth into *.routing.yml files
The new #[Bundle] attribute allows developers to define bundle classes directly, eliminating the need to write old-school entity_type_info or entity_type_info_alter hook implementations.
All core .theme and .theme-settings.php files have been moved entirely to PHP classes. Support for legacy .theme files will be dropped in Drupal 13. Furthermore, dozens of core .module files have been fully converted into clean PHP classes
Front controllers now leverage the symfony/runtime component to isolate bootstrapping logic from request handling, preparing the Drupal core architecture for advanced environments like FrankenPHP, known for its blazing-fast performance, among other features
Drupal 11.4 introduces a native, extensible command-line tool (./vendor/bin/dr) built in partnership with Drush maintainers. This kicks off a transitional period where Drush commands will gradually be migrated to the core native binary
Also, the new HttpKernelUiHelperTrait for kernel tests lets developers make mock HTTP requests and assertions without running the full Drupal site installer. This allows many traditional browser tests to be rewritten as much faster kernel tests
Editor experience
Drupal 11.4 includes the new Default Admin theme, a version of the popular Gin admin theme, now in core
The Navigation module is now enabled by default, replacing the legacy toolbar
CKEditor once again has a fullscreen button available without a contrib add-on, allowing editors to fully immerse themselves in a WYSIWYG element's content, great for working on long-format pieces
Deprecations
The initial 11.4.0 release actually removed a number of core recipes. They were since restored in an 11.4.1 release, but they are deprecated and will be removed from Drupal 12
Also on their way out are a number of modules, including Ban, Contact, Field Layout, History, Migrate Drupal and its UI, Search, Settings Tray, Shortcut, Telephone, Toolbar, and a flag module called layout_builder_expose_all_field_blocks. For themes, Claro, Stable 9, and Olivero are all deprecated, and will be moved from core. We'll include the meta issue about these deprecation in the show notes, and if any of these are important to you, it's worth tracking where they are on the path of moving to contrib
This is the second and final part of a two-part guide to building a component-based corporate website with Drupal Paragraphs. Turn the bare components from part 1 into a flexible, production-grade library with color variants, responsive layouts, spacing controls, conditional fields, and admin UX.
Add style variants with CSS custom properties and Paragraphs behavior plugins, build mobile-first responsive layouts, give editors margin and padding controls, and polish the admin experience with Gin, conditional fields, and smart defaults.
Recent Drupal news fits inside a wider question Dries Buytaert raised in his blog post, License-only versus Stewarded Open Source: what turns code that is merely available into infrastructure people can depend on? The distinction is useful because this week's updates are not only about individual announcements. They show the work that sits behind dependable open source: governance, maintenance, security response, shared knowledge, and long-term care.
The 2026 Drupal Association at-large board election brings that work into the governance layer. One community-elected seat on the association's board is now moving through its election cycle, giving individual members a direct role in how Drupal's institutional support is represented. In a project where technical decisions and community structures constantly shape each other, governance is not a background process. It is part of how shared infrastructure is kept accountable.
The same distinction between availability and dependability appears in the ten contributed-project security advisories published on 8 July 2026. Four were rated Critical. Three direct site owners to uninstall unsupported projects, while the fourth addresses SQL injection in Location Selector. Unsupported projects may still exist in repositories and production sites, but that does not make them safe to keep using.
For site teams, the response is practical rather than abstract. Affected modules need to be identified, fixed releases need to be applied where available, and unsupported projects without advisory-listed fixes need to be removed. This is the maintenance layer of open source that rarely attracts attention until something breaks.
ECA crossing 20,000 reported Drupal site installations shows the same issue from the maintainer side. The Event-Condition-Action module allows site builders to model workflows through events, conditions, and actions instead of relying on custom glue code. Adoption at that scale is not just a usage milestone; it changes the weight of future commits, API decisions, and compatibility promises.
In a written response to The DropTimes, project co-founder Jürgen Haas said the milestone changes how he thinks about maintenance responsibility. That is the cost of relevance in practical form. Once a module becomes part of thousands of working sites, its maintainers are no longer only improving a tool. They are helping support a piece of shared infrastructure.
The week's event deadlines extend the same theme into community programming. Pacific Northwest Drupal Summit 2026 is accepting proposals ahead of its October event in Vancouver, British Columbia, while DrupalCamp Italy 2026 has extended its Call for Papers to 31 July 2026 for its one-day camp in Bologna. Event programmes are another support structure for the ecosystem because they turn project work, lessons, failures, and experiments into knowledge others can use.
Taken together, these updates make a selected but coherent brief. They are not the whole week in Drupal, and they are not a ranking of every important story. They are a thread through the work that keeps open source dependable after the code is released: electing representatives, closing security gaps, maintaining widely used modules, and making room for contributors to share what they are learning.
This is part 1 of a two-part guide to building a component-based corporate website with Drupal Paragraphs. By the end of the series you'll have a library of 10-12 universal paragraph types with style variants, responsive layouts, and editor-friendly spacing controls.
Plan a reusable component library, set up the Paragraphs module, and build Hero, Text + Image, and Feature Grid paragraph types with Twig templates and CSS.
At DrupalCon Rotterdam 2026, AI takes its place at the heart of how modern Drupal platforms are built, integrated, and scaled. The Development, AI & Agentic Architecture track puts that front and centre-focusing on complex architectures, automation, and intelligent systems in real-world environments.
This is not about hype. It's about what's already changing.
AI is moving from experimentation to everyday use-powering intelligent search, automating workflows, enabling personalization, and supporting content creation. It's reshaping how digital teams operate and how platforms deliver value.
But with that power comes responsibility.
In the Drupal ecosystem, AI is being approached with a clear focus on privacy, transparency, accountability, security, resilience, and human control. This is where the conversation gets real-and where Drupal stands out.
From possibility to practice
At DrupalCon, the key question isn't just what AI can do. It's how to use it effectively in complex, production-ready environments.
Teams are actively exploring:
How to integrate AI without introducing unnecessary complexity
How to protect data while maintaining performance and scalability
How to ensure systems remain transparent, governed, and maintainable over time
These are not theoretical challenges-they're critical decisions shaping the next generation of digital platforms.
Why Drupal leads this conversation
Drupal provides a unique foundation for making AI practical.
Here, AI is not explored in isolation, It's applied within structured content models, complex workflows, deep integrations, and strong governance frameworks-all backed by open-source principles.
For attendees, this makes AI more than a trend. It becomes a tangible, actionable part of modern Drupal delivery.
Be part of what's next
DrupalCon Rotterdam 2026 is where AI moves from idea to implementation.
If you want to understand how intelligent systems are being applied in real Drupal projects-and how to use them responsibly and effectively-this is where the conversation happens.
- Article by Daniela Moreira.
🎟️ Join Us at DrupalCon Rotterdam 2026
Continue the conversation at DrupalCon Rotterdam 2026, where the Development, AI & Agentic Architecture track explores the technologies, strategies, and decisions shaping open digital ecosystems.
Accessibility failures often surface after budgets, architecture, and delivery plans are already fixed. Mike Gifford argues that public agencies can reduce that pattern by contributing fixes upstream.
Editors often rely on developers for simple display variations. ERVMS moves those decisions into the editorial workflow without changing Drupal's existing display architecture.
Drupal Anti-Spam: NoBotIQ vs CAPTCHA, Honeypot, CleanTalk, and Other Solutionsadmin
Hi friends! It's been a while since our last article, and you might have been wondering when we'd be back with something new. Thanks for your patience-we're excited to return with a fresh topic that many Drupal site owners, marketers, and developers deal with on a regular basis: spam. Drupal websites can be secure, flexible, and high-performing. But there is one issue that keeps bothering site owners, marketers, and developers again and again. It is spam.
Spam is no longer only about strange messages in a contact form. Today, it can mean fake registrations, low-quality leads, disposable emails, bot-driven submissions, and AI-generated junk content. All of this creates extra moderation work, pollutes your CRM, and wastes your team's time.
That is exactly why Drupal anti-spam protection matters much more now than it did a few years ago.
Near the end of most Open Source licenses, usually in capital letters, sits a clause that disclaims almost everything: no warranty, no liability, use at your own risk.
For an organization that depends on that code, the clause is harsh. If the code fails and takes your data or revenue with it, the license owes you nothing. No fix, no refund, and no one to explain what went wrong.
That is the license doing its job. It makes the code available and protects the people who share it. Without that protection, sharing code could become a gift that backfires: a generous act turned into unlimited legal risk.
But the license can only answer the legal questions: who may use the code, on what terms, and what risk the authors are willing to accept. It cannot tell you what kind of Open Source project you are working with.
Some Open Source is "License-only Open Source": code released under an Open Source license, without active stewardship or any promise of ongoing care. There is no guarantee of updates, fixes, security response, or long-term support.
Other Open Source is "Stewarded Open Source": code cared for as shared infrastructure. Maintainers review contributions, fix bugs, respond to security issues, manage releases, provide long-term support, and much more. Organizations fund maintainers, support core development, donate infrastructure, and absorb costs end users never see.
Both types of projects are Open Source, but they are not the same. A weekend hobby project and business-critical software can ship under the exact same license. Legally, they look identical. Practically, they are worlds apart.
The difference is stewardship. The license makes code available; stewardship makes it dependable. And the more people or organizations depend on a project, the more stewardship it often requires.
Responsibility is the tax on relevance.
Distinguishing license-only from stewarded Open Source gives us the vocabulary to describe two very different realities that the words "Open Source" alone do not capture.
For example, the distinction becomes useful when we talk about contribution. If a company depends on Open Source, should it give back?
For license-only Open Source, the answer can be simple: no one is required to contribute, and that is the point. The code was shared freely, without a promise of care or an expectation of return.
Stewarded Open Source is different. The license may still require nothing, but the work does not happen for free. Someone is paying to keep your code usable, secure, and available. When you depend on that work, the question is not only what the license allows, but who helps carry the responsibilities beyond what the license requires.
The license says use at your own risk. Stewardship is what happens when people decide you should not have to.
This is the fifth post in our GitLab issue migration series. So far we've covered the immediate changes, the new workflow for migrated projects, how to use it, and what the migration looks like from a contributor's perspective. This post is about which projects we're migrating next, and why.
We are now migrating projects maintained by Ripple Makers, the individual members of the Drupal Association. If you're a Ripple Maker who maintains one or more contrib projects, this is our thank you for your membership.
Why members first?
Migrating issues to GitLab, and running GitLab itself, has a real cost. There is engineering time for the migration tooling, upgrades for git.drupalcode.org, and ongoing work on the integrations that keep contribution credit, issue forks, and the rest of the Drupal.org glue working smoothly.
That cost is covered by the people and organizations who fund the Drupal Association: Ripple Makers and Drupal Certified Partners. As we schedule migration batches, we are prioritizing projects maintained by members and projects supported by Drupal Certified Partners.
To be clear: every project will eventually be migrated. Membership doesn't change whether your project moves; it changes when. Prioritizing members is a small way to say thank you to the people whose contributions make the infrastructure itself possible.
Not a member yet?
If you'd like your projects prioritized, and, more importantly, if you'd like to support the infrastructure that the whole Drupal ecosystem runs on, this is a good moment:
Membership funds don't just pay for GitLab. They keep Drupal.org, project packaging, GitLab CI, automatic updates infrastructure, and more running for everyone, members and non-members alike.
Reporting bugs and getting help
Found a bug in the migration itself or in the integration between Drupal.org and GitLab? Please file it in the Drupal.org customizations issue queue.
Have a question, or want to share feedback on the new workflow? Join the #gitlab-issues-feedback channel on the Drupal community Slack.
We're continuing to iterate on this transition based on what we hear from maintainers and contributors in migrated projects. Your feedback now shapes the experience for the rest of contrib later.
Following our announcement last week introducing Inside AI and Outside AI, we are excited to share how we are scaling our leadership and organizational structure to support these two parallel workstreams.
What started as an ambitious vision originally founded by Jamie Abrahams from FreelyGive quickly gained community-wide momentum. In June 2025, our founding partners - 1xINTERNET, Acquia, Dropsolid, FreelyGive, and Salsa Digital - came together to establish the official Drupal AI Initiative, providing a cohesive strategy, baseline funding, and dedicated staff. Since then, the initiative has grown rapidly to encompass over 30 partner organizations, with many of their team members stepping directly into key leadership and execution roles.
To support our rapid growth and ensure effective daily coordination, we are evolving our structure into a more robust, three-tier governance model comprising a Drupal AI Board, a Drupal AI Leadership Team, and our existing community of AI Partners.
The Drupal AI Leadership Team
The purpose of the Drupal AI Leadership Team is to coordinate day-to-day project execution, align technical and cross-functional work streams, and ensure all initiative activities successfully deliver on our strategic goals.
At the center of this governance evolution, this team formalizes leadership roles that have organically emerged and evolved over the past year. Rather than introducing a brand-new operational layer, this structure officially empowers the individual contributors who have already been actively driving the initiative's day-to-day work.
By having dedicated, individual leads taking ownership of specific subject-matter areas, we ensure that every key aspect of the initiative has focused guidance. This structure also provides a natural avenue for our partner organizations to showcase their technical talent and gain visibility within the ecosystem, while placing experienced contributors in charge of critical technical and horizontal areas.
The Leadership Team's execution is divided into two distinct, cooperative disciplines:
Functional Leads: Individuals who maintain direct ownership of specific functional modules or recipes (such as Agents, Search, or the Context Control Center) and align development roadmaps with the broader goals of the initiative.
Cross-Functional Leads: Leads who provide horizontal support across the entire initiative for critical non-feature disciplines like UX, QA, Marketing, Documentation, and Community coordination.
This division ensures that technical teams can focus on delivering robust functionality, while cross-functional leads act as an internal agency to validate, test, document, and promote those features before they reach users.
In an upcoming post, we will share more details about the leadership team structure, introduce our current domain leads, and outline vacant positions.
The Drupal AI Board
Our founding partners, who previously made up the initiative's core steering group, are transitioning to become the members of the Drupal AI Board.
The Board serves as the strategic and supporting foundation for the Leadership Team, establishing a strong, predictable operational environment. Rather than individual developers having to balance ecosystem coordination, funding allocations, and administrative hurdles alongside daily coding, the Board takes on these responsibilities.
Composed of our founding partner companies, the Board is responsible for setting the high-level strategy, defining the general initiative direction, and prioritizing our long-term roadmap. In addition to guiding this overarching strategy, the Board provides baseline initiative funding and staff, manages overall ecosystem alignment, and secures ongoing partner resource commitments. This structural backing ensures a stable operational runway, allowing the Board to focus on defining leadership functions, appointing execution leads, and securing the necessary resource allocations so developers can focus strictly on build and delivery.
What Changes? (And What Stays the Same)
For the developers, builders, and content creators actively contributing to the initiative, the day-to-day experience will feel familiar, but with clearer support structures.
Our established sprinting procedures remain completely unchanged. The community and partner teams will continue to collaborate on their scheduled sprints.
However, we are introducing two key improvements:
Clear Authority and Direction: Our leads now have clear authority over their respective subject-matter areas. They will provide structured guidance and continuously groomed, public backlogs of issues for the contributors to Drupal AI.
Improved Delivery and Speed: With structured coordination, individual contributions will integrate more seamlessly into the broader roadmap. Distributing this responsibility across more shoulders allows us to increase our overall delivery speed and execute on more complex strategic goals simultaneously.
This structural evolution ensures that everything built by both Inside AI and Outside AI integrates seamlessly with the broader Drupal AI roadmap and aligns directly with our collective short term and long-term goals.
How to Get Involved
As we step into this new phase of growth, we are looking for dedicated partners and brilliant minds to help execute our goals.
Become a Lead: If you have proven leadership within the Drupal AI ecosystem and want to actively guide a subject area (committing 1-2 days per week), we want to hear from you. Board-appointed lead positions are open to active, dedicated contributors.
Contribute to the Initiative: You can get involved with the initiative's next phase by:
Exploring options to become an AI Partner to collaborate with our growing network of supporting organizations.
The Drupal AI Initiative is made possible by the generous funding, resources, and technical contributions of our partner network. We are incredibly grateful to these companies for driving the future of open-source AI:
Join Martin, Andy and Mike as they discuss what Drupal site templates are and how they differ from Drupal's traditionally bare-bones starting point, aiming to reduce setup effort and total cost of ownership while making Drupal competitive again for small nonprofits and smaller sites. They compare building templates versus client sites, covering the evolution from early Layout Builder/Recipes work to today's simpler packaging via a Drush site:export workflow, plus tooling like DripYard Recipe Builder for extracting reusable "recipe" parts.
Based in London, Ontario, Martin transitioned from graphic design to web development, ultimately specializing in Drupal in 2005. Currently working as a Product Marketing Manager at Acquia, he is Triple Certified in Drupal and UX-certified by the world-renowned Nielsen Norman Group. His key contributions include: As a speaker & writer, presenting at Drupalcamps and Drupalcons, and a published blogger across multiple platforms, including the Acquia Dev Portal and opensource.com; as a podcast host, participating in the Talking Drupal podcast, including as the "Module of the Week" correspondent; and as an open source maintainer, developing and maintaining popular Drupal contrib modules and recipes, including Smart Date and Fullcalendar.
Andy Giles
Andy is a Drupal back-end developer. In 2012, he founded Blue Oak Interactive, a development and consulting agency focused on complex Drupal site builds, particularly in e-commerce. In 2025, he partnered with Mike Herchel to launch Dripyard, a premium Drupal theme designed to reduce the cost of ownership and enhance the developer experience for modern Drupal projects.
Mike Herchel
Mike is a founder & developer at Dripyard, and is a longtime contributor to Drupal. He has played a key role in modernizing Drupal's frontend architecture, performance, and accessibility, and is known for helping bring Drupal's component-driven development into mainstream use. Mike has delivered projects for organizations including IBM, the U.S. Small Business Administration, and the U.S. court system. He is a frequent speaker on performance, accessibility, and modern frontend practices.
Using AI to Moderate Content in an Existing Drupal WorkflowJoel SteidlDrupal
A New Solution to An Old Problem
Content moderation is a data processing problem. For large sites with many content contributors, moderators can get bogged down catching obvious content policy violations without having time to do real editorial work.
Meanwhile, AI is great at fast, consistent classification of text, which is exactly the kind of work that can clog an editorial queue. It's not a replacement for human judgment: it makes mistakes, it can be gamed, and it lacks context. But as a first-pass filter, AI can meaningfully shrink the noise that reaches a human reviewer.
This post walks through adding that type of AI content filter to an existing Drupal workflow using contrib modules and no custom code.
Implementing the Solution
Modules
The full solution uses zero custom code. Here are the key contrib modules:
The assumption is that a site already has a working Content Moderation workflow. The AI gate slots in between author submission and the editor queue:
[Before]
Draft → Needs Review → Published
[After]
Draft → Needs Review → [AI gate] → AI Review Passed → Published
↘ Rejected
To support this, the workflow needs two new states (AI Review Passed, Rejected) and two new transitions (AI Approve, AI Reject). Those transitions should not be granted to any UI role as they're triggered only by ECA.
The five modules listed above need to be installed, an AI provider configured with a securely stored API key, and the updated workflow applied to the relevant content type.
Workflow state diagram
The ECA Model
This is the core of the implementation.
Create a new ECA model at Admin → Configuration → ECA. The model has five nodes:
1. Event - Workflow: state transition Fires when an article transitions to needs_review.
2. Action - Token: set value Stores [entity:body:value] into a token named moderation_input. This uses ECA's token replacement, which resolves field values correctly at runtime. (A note on this: the more obvious Get field value action returns null for body fields in practice - token replacement is the right approach here.)
3. Action - Moderation (from AI Integration for ECA) Calls the AI provider's moderation operation. Set model to openai / omni-moderation-latest, token input to moderation_input, and token result to ai_result. The result token exposes [ai_result:flagged] (1 or 0) and [ai_result:information] (per-category scores).
4. Action - Workflow: transition (condition: [ai_result:flagged] = 1) Transitions to rejected. Revision log: AI moderation: content flagged.
The conditions use ECA's built-in Compare two scalar values plugin. Steps 4 and 5 share the same condition - one negated, one not.
ECA model visualModeration action configuration panel
Testing
Submitting a benign article routes it to ai_review_passed with the pass log entry. Submitting content that violates the violence policy routes it to rejected with the flagged log entry. Both transitions appear in the node's revision history with the AI-stamped message.
Node revision history on a rejected article
Going Further
Custom Moderation Prompts
The OpenAI Moderation API uses fixed categories. If your policy doesn't map to them cleanly - community guidelines, brand safety rules, domain-specific restrictions - you can replace the Moderation action with a Chat action and a configurable system prompt. The rest of the ECA model stays the same.
With a Chat action returning structured JSON (response_format: json_object), you define exactly what the AI evaluates and how it reports back. The downstream ECA conditions check the response token the same way. This makes the screening logic editable in the UI without a code change or redeploy.
Giving Authors a Path Forward
A bare rejection with no context isn't great author experience. ECA can handle the follow-on steps too. On the rejection branch, you can chain additional actions before or after the transition: send the author an email using [ai_result:information] to surface which categories were flagged, set a message on the form, or move the node to a Needs Revision state rather than a hard Rejected - giving authors the ability to edit and resubmit rather than starting over.
You could also model a full revision loop: Rejected → Needs Revision → Needs Review (with the AI check firing again on resubmit). Whether that's appropriate depends on your content volume and how much trust you extend to repeat offenders, but the workflow and ECA config support it without any custom code.
Closing Notes
The drupal/ai_integration_eca module is what makes this approach work cleanly. Without it, inserting AI into an ECA model would require a custom action plugin. With it, the entire integration is UI-configurable and exportable as config.
A few things worth knowing before you build on this:
The ai_eca submodule inside drupal/ai is deprecated as of 1.x. Use drupal/ai_integration_eca (a separate package) instead.
drupal/ai_integration_eca is still at RC as of this writing - worth checking for a stable release before going to production.
coder.ddev.com gives you a full DDEV environment in the cloud, no local Docker required. This is a quick look at using it for a TYPO3 project with the freeform template.
For general background on coder.ddev.com, including access requirements and the other available templates, see the announcement post.
Watch the Video
What You'll See
How to get access to coder.ddev.com
Creating a coder.ddev.com workspace with the freeform template
Cloning the rfay/typo3demo project and running ddev coder-setup + ddev start
Fixing a trustedHostsPattern error with ddev restart after Composer brings in the rest of the code
The working site and TYPO3 backend on the workspace's *.coder.ddev.com subdomain
Two ways to share it: natively with other coder.ddev.com users, or publicly with ddev share
Steps
Get access to coder.ddev.com either via your organization having "partner" status with DDEV Foundation or by asking for access.
Log in to coder.ddev.com with GitHub and create a workspace using the freeform template. The project name you choose matters, since coder.ddev.com uses it to set up proxying.
Open a terminal in the workspace (web terminal, VS Code Web, or SSH via the coder CLI) and clone your TYPO3 project.
Run ddev coder-setup once in the project directory, then ddev start. If the project has a post-start Composer install hook, like rfay/typo3demo, it'll finish setting itself up automatically.
If ddev launch shows a trusted-host error, it's because Composer brought in the rest of the code after the first ddev start already generated additional.php. Run ddev restart to regenerate it, then reload.
Sharing What You Built
The workspace can be shared with other coder.ddev.com users directly, without any extra setup.
It can also be shared with ddev share, since rfay/typo3demo uses a relative base (/camino) instead of a hardcoded URL. Projects that do hardcode a full URL in base need the pre-share/post-share hook fix described in Sharing Your TYPO3 Project with ddev share.
Architecture choices become clearer when the CMS is not the whole application. Yii3 helps frame where Drupal should lead and where a separate PHP service may belong.