v0.25.6
Released: 2026-04-26 · Channel: stable · Breaking: no · Security: yes
Summary
Critical forward-secrecy fix in the community-level kick / leave flow, plus one wildcard-escape hardening in community user search. Strongly recommended for any deployment running multiple workspaces in a single chatalot instance — the model where membership boundaries between workspaces are the security trust line.
Security
Community kick / leave now rotates sender keys (critical)
The channel-level kick path already did the right thing: it deleted the leaving user's sender-key distributions and broadcast SenderKeyRotationRequired to the remaining members. The community-level kick (and voluntary leave) skipped both steps. A member removed that way kept the chain-key seeds it already held and could keep decrypting ciphertext sent on those chains after it was gone, so forward secrecy was not enforced on community departure. Both paths now enumerate the community's channels and run the same rotation flow as a per-channel kick. Mirrors routes/channels.rs:402-410.
Surfaced by an internal workspace-isolation audit done while preparing chat.seglamater.app for multi-tenant use (operator-managed public + internal + per-customer workspaces all running on a single chatalot instance). Apply this release before opening any chatalot instance to multi-tenant workspace use.
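The flow above, reduced to an in-memory model. This is an added example written for this note, not chatalot's code: the types, the channel and member names (general, eng, alice, bob, mallory) and the toy XOR "cipher" with a DefaultHasher KDF are all constructed for illustration. What it shows is the property the fix restores: after the fixed community leave, a key copy the leaver kept cannot decrypt anything sent afterwards, while with the pre-fix path it still can.

```rust
use std::collections::hash_map::DefaultHasher;
use std::collections::{HashMap, HashSet};
use std::hash::{Hash, Hasher};

// Constructed model of the state involved, not chatalot's own types.
pub type UserId = &'static str;
pub type ChannelId = &'static str;

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct SenderKey { pub seed: u64, pub epoch: u32 }

#[derive(Clone, Debug)]
pub struct Channel {
    pub members: HashSet<UserId>,
    pub distributions: HashMap<UserId, SenderKey>, // who currently holds the chain key
    pub epoch: u32,
    pub rotation_required: bool, // stands in for the SenderKeyRotationRequired broadcast
}

#[derive(Clone, Debug)]
pub struct Community { pub members: HashSet<UserId>, pub channels: HashMap<ChannelId, Channel> }

#[derive(Debug)]
pub struct Ciphertext { pub epoch: u32, pub counter: u64, pub body: Vec<u8> }

// Toy KDF and deterministic "random" seed so the run is reproducible;
// DefaultHasher is not a cryptographic hash and this is not a real cipher.
fn message_key(key: &SenderKey, counter: u64) -> u64 {
    let mut h = DefaultHasher::new();
    (key.seed, key.epoch, counter).hash(&mut h);
    h.finish()
}
fn fresh_seed(channel: ChannelId, epoch: u32) -> u64 {
    let mut h = DefaultHasher::new();
    ("rotate", channel, epoch).hash(&mut h);
    h.finish()
}
fn xor_stream(key: u64, data: &[u8]) -> Vec<u8> {
    data.iter().zip(key.to_le_bytes().iter().cycle()).map(|(b, k)| b ^ k).collect()
}

pub fn encrypt(ch: &Channel, sender: UserId, counter: u64, plaintext: &[u8]) -> Ciphertext {
    let key = ch.distributions[sender];
    Ciphertext { epoch: ch.epoch, counter, body: xor_stream(message_key(&key, counter), plaintext) }
}

/// Decrypt with whatever key copy the holder has; a key from another epoch is useless.
pub fn decrypt(held: &SenderKey, ct: &Ciphertext) -> Option<Vec<u8>> {
    if held.epoch != ct.epoch { return None; }
    Some(xor_stream(message_key(held, ct.counter), &ct.body))
}

/// Per-channel kick: drop the leaver's distribution, flag rotation, issue a new chain.
pub fn kick_from_channel(id: ChannelId, ch: &mut Channel, user: UserId) {
    ch.members.remove(user);
    ch.distributions.remove(user);
    ch.rotation_required = true;
    ch.epoch += 1;
    let new_key = SenderKey { seed: fresh_seed(id, ch.epoch), epoch: ch.epoch };
    for m in &ch.members { ch.distributions.insert(*m, new_key); }
}

/// Pre-fix community leave: membership changes, chain keys do not.
pub fn leave_community_before_fix(c: &mut Community, user: UserId) {
    c.members.remove(user);
    for ch in c.channels.values_mut() { ch.members.remove(user); }
}

/// Fixed community leave: enumerate the community's channels and run the channel kick on each.
pub fn leave_community_fixed(c: &mut Community, user: UserId) {
    c.members.remove(user);
    for (id, ch) in c.channels.iter_mut() { kick_from_channel(*id, ch, user); }
}

/// Constructed sample community: two channels, three members, everyone holds epoch-0 keys.
pub fn demo_community() -> Community {
    let names: HashSet<UserId> = ["alice", "bob", "mallory"].iter().copied().collect();
    let mut channels = HashMap::new();
    for id in ["general", "eng"].iter().copied() {
        let key = SenderKey { seed: fresh_seed(id, 0), epoch: 0 };
        let distributions = names.iter().map(|m| (*m, key)).collect();
        channels.insert(id, Channel { members: names.clone(), distributions, epoch: 0, rotation_required: false });
    }
    Community { members: names, channels }
}

/// Returns (leaver reads post-leave traffic before the fix,
///          leaver reads it after the fix, a remaining member still reads it after the fix).
pub fn run_scenario() -> (bool, bool, bool) {
    let base = demo_community();
    let retained = base.channels["general"].distributions["mallory"]; // leaver keeps this on her device
    let msg = b"posted after mallory left";

    let mut buggy = base.clone();
    leave_community_before_fix(&mut buggy, "mallory");
    let ct = encrypt(&buggy.channels["general"], "alice", 1, msg);
    let leaver_reads_before = decrypt(&retained, &ct).as_deref() == Some(&msg[..]);

    let mut fixed = base;
    leave_community_fixed(&mut fixed, "mallory");
    let ct = encrypt(&fixed.channels["general"], "alice", 1, msg);
    let leaver_reads_after = decrypt(&retained, &ct).is_some();
    let bob_reads_after = decrypt(&fixed.channels["general"].distributions["bob"], &ct).as_deref() == Some(&msg[..]);
    (leaver_reads_before, leaver_reads_after, bob_reads_after)
}

fn main() { println!("{:?}", run_scenario()); }
```

The check worth keeping from this model when auditing a real deployment: after any path that removes a member from a community, every channel of that community must have no distribution for that member and a bumped epoch. If a removal path touches membership without touching the channels, it has the pre-fix bug.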
Fixed
- community_repo::search_visible_users: ILIKE wildcard escape applied. User-supplied queries containing a literal %, _, or \ no longer expand as wildcards. Same pattern as user_repo::search_users. Low severity.
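What the escape changes, as an added example for this note rather than chatalot's own search code. The escape function, the SEARCH_SQL shape, the user list and the tiny ILIKE evaluator are all constructed here; the evaluator only stands in for Postgres so the raw and escaped patterns can be compared offline. Backslash is Postgres's default LIKE escape character, so it must be escaped along with % and _, otherwise a user-typed \ changes how the next character is read.

```rust
/// Escape the characters Postgres LIKE/ILIKE treats specially, using '\' as the
/// escape character. The query that consumes the result must use ESCAPE '\'
/// (Postgres's default, but stating it keeps the contract explicit).
pub fn escape_like(input: &str) -> String {
    let mut out = String::with_capacity(input.len() + 4);
    for c in input.chars() {
        if matches!(c, '\\' | '%' | '_') {
            out.push('\\'); // the escape char itself must be escaped too
        }
        out.push(c);
    }
    out
}

/// Pattern for a "contains" search: the wildcards we add on purpose stay live,
/// everything the user typed is matched literally.
pub fn contains_pattern(user_query: &str) -> String {
    format!("%{}%", escape_like(user_query))
}

/// Assumed shape of the parameterised query (not chatalot's actual SQL): the
/// pattern is a bind parameter and the ESCAPE clause names '\' as escape char.
pub const SEARCH_SQL: &str =
    "SELECT id, username FROM users WHERE username ILIKE $1 ESCAPE '\\' LIMIT 50";

/// Minimal ILIKE evaluator (case-insensitive, '\' escape) standing in for
/// Postgres. Postgres rejects a pattern ending in a lone escape character;
/// escape_like never produces one.
pub fn ilike(pattern: &str, value: &str) -> bool {
    fn go(p: &[char], v: &[char]) -> bool {
        match p {
            [] => v.is_empty(),
            ['\\', lit, rest @ ..] => v.first() == Some(lit) && go(rest, &v[1..]),
            ['%', rest @ ..] => (0..=v.len()).any(|i| go(rest, &v[i..])),
            ['_', rest @ ..] => !v.is_empty() && go(rest, &v[1..]),
            [c, rest @ ..] => v.first() == Some(c) && go(rest, &v[1..]),
        }
    }
    let p: Vec<char> = pattern.to_lowercase().chars().collect();
    let v: Vec<char> = value.to_lowercase().chars().collect();
    go(&p, &v)
}

/// Models `WHERE username ILIKE $1 ESCAPE '\'` over an in-memory user table.
pub fn search_visible_users<'a>(users: &[&'a str], pattern: &str) -> Vec<&'a str> {
    users.iter().copied().filter(|u| ilike(pattern, u)).collect()
}

/// Constructed sample data for the demo.
pub const USERS: [&str; 5] = ["alice", "bob_builder", "carol", "100%legit", "back\\slash"];

fn main() {
    for q in ["_", "%", "\\"].iter() {
        let raw = format!("%{}%", q);
        let escaped = contains_pattern(q);
        println!(
            "query {:?}: raw {:?} -> {:?}; escaped {:?} -> {:?}",
            q, raw, search_visible_users(&USERS, &raw), escaped, search_visible_users(&USERS, &escaped)
        );
    }
}
```

A query of "_" or "%" against the raw pattern returns every user (a full directory enumeration through a search box), while the escaped pattern returns only the users whose names actually contain that character. A query of "\" against the raw pattern silently turns into "ends with a literal %" and returns nothing useful; escaped, it finds the name containing a backslash.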
Upgrade path
Click Apply in the admin Updates tab. ~30 sec downtime; no schema change.
Release artifacts
Container image pushed to
registry.seglamater.app/seglamater/chatalot, cosign-signed
against the published public key.