← All releases

v0.25.8

Released: 2026-04-26 · Channel: stable · Breaking: no · Security: no (privacy improvement)

Summary

Feedback redesign. The in-app Send Feedback dialog now writes to a local feedback_submissions table on the chatalot instance itself. External fan-out (Forgejo Issues, GitHub Issues) is opt-in, fire-and-forget, and not the default. Closes the cross-tenant risk where managed-customer feedback was posted to a vendor GitHub repo — an operator on a multi-tenant deployment now sees customer feedback in their own database, where it belongs.

Privacy

Feedback lands in a local table first

Every POST /api/feedback writes a row to feedback_submissions before any external fan-out is attempted. The row carries the user, category, title, description, optional screenshot blob, status (new / triaged / closed), and a list of forwarded-to targets. The local DB is the source of truth; mirroring to a tracker is optional.

The cross-tenant leak this addresses: prior versions required GITHUB_API_TOKEN + GITHUB_REPO_* env vars to be set or the feedback button gave a dead-end UX. Operators of multi-tenant managed deployments would either disable the button or share a vendor-side GitHub repo across all customer instances. Either mode is bad for managed customers.

Added

Forgejo Issues fan-out

When FEEDBACK_FORGEJO_BASE_URL, FEEDBACK_FORGEJO_REPO, and FEEDBACK_FORGEJO_TOKEN are configured, every feedback submission is mirrored as an issue on the configured Forgejo repo. The issue is auto-tagged with an instance:<host> label (derived from PUBLIC_URL or FEEDBACK_INSTANCE_LABEL), so cross-instance triage stays clean — filter label:instance:chat.example.com in the Forgejo issue list.

Forgejo’s API is GitHub-compatible (POST /api/v1/repos/{owner}/{repo}/issues), so the fan-out code structure is essentially the same as the legacy GitHub path.

Admin "Feedback" tab

New tab in the admin panel listing submissions. Filter by status (new / triaged / closed / all), three stat cards across the top with counts, per-row expand for the description + screenshot, and one-click status mutation actions (Mark new / Mark triaged / Mark closed). Status changes record triaged_at + triaged_by for an audit trail.

New admin endpoints

• GET /api/admin/feedback?status=<new|triaged|closed|all> — paginated queue list with per-status counts.
• PATCH /api/admin/feedback/{id} — update status.
• GET /api/admin/feedback/{id}/screenshot — serves stored screenshot bytes with the original MIME.

Deprecated

GITHUB_API_TOKEN + GITHUB_REPO_OWNER + GITHUB_REPO_NAME still work for self-hosters who already wired GitHub feedback before this release, but it’s no longer the default. New Seglamater-managed instances should use the Forgejo path or local-only.

Migration

058_feedback_submissions.sql — new table with screenshot blob, status enum, status+created_at index for queue queries, plus a forwarded_to TEXT[] column to record successful fan-out targets.

Upgrade path

Click Apply in the admin Updates tab. ~30 sec downtime; one additive migration runs during the orchestrator’s migrate phase. No client-side action needed.

If you currently have GITHUB_API_TOKEN set and want to sever the GitHub forwarding path, comment out the three GitHub env vars in your .env and recreate the chatalot service (docker compose up -d chatalot). Local feedback table remains live; submissions just stop mirroring outward until you configure Forgejo (or pick another forwarding path).

Release artifacts

Container image pushed to registry.seglamater.app/seglamater/chatalot, cosign-signed against the published public key.

← Previous: v0.25.7