v1.2.0

v1.2.0

Released: 6 June 2026
Commit: 86762b8

Client

• Direct message E2E: When encryption is enabled, DMs use the same wire path as channel text (encrypted plus base64 nonce || ciphertext with the global key). Applies to :dm <user> <msg>, DM mode compose, and code snippets sent while a DM thread is open (:code / Alt+C) (client/main.go, shared/crypto.go)
• Code snippets in DM mode: :code / Alt+C while a DM thread is open routes through the DM send path (and E2E when enabled), not channel text (client/main.go)

Server

• WebSocket Origin: Origin checks compare parsed hostnames instead of substring matching; empty origin remains allowed for TUI clients (server/request_context.go, server/handlers.go)
• Allowed origins: Optional MARCHAT_ALLOWED_ORIGINS comma-separated allowlist for extra WebSocket origins
• Trusted proxies: getClientIP and web-admin login rate limiting honor X-Forwarded-For / X-Real-IP only when the immediate peer is listed in MARCHAT_TRUSTED_PROXIES (comma-separated IPs or CIDRs) (server/request_context.go)

Plugins

• Store downloads: Validate SHA-256 checksums before extraction (HTTP and file://), reject oversize archives, and roll back failed updates (plugin/store, plugin/manager)
• Install path: Parse file:// URLs correctly on Linux and Windows via plugin/fileurl; detect archive type from the URL path (including query strings); extract to a staging directory with zip-slip checks; set the execute bit on the plugin binary by exact name match after ZIP/TAR extract; do not leave an empty plugin directory when install download fails

Documentation

• README, ARCHITECTURE, PROTOCOL, CLIENT_HOOKS, deploy/CADDY-REVERSE-PROXY.md, and SECURITY.md updated for DM E2E, trusted-proxy client IP, and stricter Origin checks

CI and packaging

• Go: 1.25.11 in go.mod, go.yml, release.yml, and Dockerfile builder image; nested plugin/sdk and plugin/examples/echo modules aligned on the same go directive
• Dependencies: golang.org/x/crypto v0.52.0; modernc.org/sqlite v1.51.0 (was v1.50.0); transitive filippo.io/edwards25519 v1.2.0 via github.com/go-sql-driver/mysql

Version and packaging

• Install and build defaults: install.ps1, install.sh, build-release.ps1, scripts/build-windows.ps1, and scripts/build-linux.sh download and build against v1.2.0 release assets on GitHub.
• Docs and metadata: SECURITY.md and README (version badge, install snippets, Docker tag) reference v1.2.0; canonical Homebrew, Scoop, winget, Chocolatey, and AUR templates in packaging/ target v1.2.0 (refresh zip SHA256 from published assets before choco pack / manifest validation).

Assets

• marchat-v1.2.0-linux-amd64.zip
• marchat-v1.2.0-linux-arm64.zip
• marchat-v1.2.0-windows-amd64.zip
• marchat-v1.2.0-darwin-amd64.zip
• marchat-v1.2.0-darwin-arm64.zip

Full Changelog: v1.1.0...v1.2.0

Breaking changes

• Reverse proxies: Servers behind Caddy, nginx, or similar must set MARCHAT_TRUSTED_PROXIES to the proxy peer IP or CIDR if you rely on X-Forwarded-For for client IP logging or web-admin login rate limits. Without it, only RemoteAddr is used.
• WebSocket Origin: Stricter hostname matching may reject origins that previously passed substring checks. Add legitimate origins to MARCHAT_ALLOWED_ORIGINS if needed.
• WebSocket JSON protocol: No other intentional breaking change; DM E2E uses the existing encrypted text wire shape when E2E is enabled.

Migration guide

• Binaries: use v1.2.0 archives from this release page, or install.ps1 / install.sh with their default version.
• Server behind a proxy: set MARCHAT_TRUSTED_PROXIES (see deploy/CADDY-REVERSE-PROXY.md); restart after upgrade.
• Client / server: restart after upgrade; no database schema changes in this release.
• Audits: run govulncheck ./... on Go 1.25.11+ when checking toolchain and dependency exposure (see SECURITY.md for scanner vs reachability notes)

Docker Image

A multi-architecture Docker image (linux/amd64, linux/arm64) is available on Docker Hub:

docker pull codecodesxyz/marchat:v1.2.0
# or use latest tag
docker pull codecodesxyz/marchat:latest