Tuwunel 1.8.2
July 17, 2026
New Features & Enhancements
-
URL preview media proxying relays link-preview media through the server, now covering
og:videoandog:audioalongside images, so the third party sees Tuwunel rather than the requesting client. Nothing is stored permanently: preview media becomes a lazymxc://reference fetched from source on demand. Aurl_preview_user_agentoption, with a separateurl_preview_media_user_agent, lets previews work for sites that block the default agent. Shipped by @az4521 in (#508), closing their own request for video previews (#394). The preview store is rebuilt on CBOR at the same time, replacing a byte-separated format that could shear fields. -
Distribution packaging expands to RPM with a COPR build pipeline (fixes #251) and a SELinux policy module shipped as a
selinuxsubpackage (#412), plus an apt repository published from CI and Debian packaging that adopts an existing conduwuit or Conduit database in place. Courtesy of @x86pup. -
Online backups can now be restored and verified, joined by a
delete-backupsadmin command, graciously contributed by @x86pup. -
MatrixRTC transport discovery (MSC4143) is served without an access token, so Element Call can find a server's transports; contributed by @basnijholt in (#512).
-
A container
HEALTHCHECK, backed by a new liveness-probe mode, lets orchestrators track readiness, with appreciation to @x86pup. -
A
dns_serversconfig option makes the/etc/resolv.confdependency optional, tip of the hat to @x86pup. -
The Synapse-compatible admin API grows again (#38): server-notice endpoints, user redaction and login-as, federation destination management, and media info, purge, and statistics.
-
Appservice transaction extensions deliver richer data to appservices: device-list changes and one-time-key counts with unused fallback key types (MSC3202), and to-device events (MSC4203). Opened by @dark-collective in (#502) and (#501).
-
Forward-extremity capping and pruning guards against extremity blowup with a scored prune engine that always leaves a survivor and protects the local server's own leaves, a cap applied on the federation receive path, and admin
roomcommands to list and prune a room's extremities. -
Local state derivation for incoming federation events lands in observation mode (#419). The server derives an event's state from local ancestry and calls
/state_idsonly for physically absent events, running alongside the existing fetch and comparing while the fetched result stays authoritative. -
Long admin command output is split across chained reply or thread events, and oversized output is attached as an uploaded file, raised by @grinapo in (#471).
-
Pushers rejected by the push gateway are now removed, backed by push-gateway conformance tests and UnifiedPush documentation, raised by @NinekoTheCat in (#20).
-
Support for Matrix v1.18 and v1.19 is declared in
/versions. -
The
max_fetch_prev_eventsdefault is raised to 1024.
Bug Fixes
-
Federation delivery no longer runs hot against a peer that has come back. The per-server backoff gate consulted only the current time bucket, so it re-authorized attempts at every timeout boundary and never honored the computed earliest retry, and a stale set of reachability rows could keep muting a recovered server. The verdict now derives from a server's full failure history, a returning peer clears the whole streak, and the old rows are cleared once on upgrade (da0c3f6, ec049f6). Sincere apologies to anyone whose outbound federation lagged to a server that had recovered.
-
A proxy or CDN answering a federation request with non-JSON is treated as transient rather than evicting the route outright, and route override eviction is fixed for well-known and SRV-delegated topologies where it was a no-op (b33415d).
-
Tuwunel refuses to initialize over the remnants of a database that lacks a readable manifest, instead of treating them as obsolete files and deleting them on open (fixes #510). Reported and diagnosed by @ItsLiyua, whose detail on the two parallel database directories localized the cause.
-
Native OIDC login completes again: the redirect-completion path returned 405 and produced a redirect Chrome refused (fixes #504, #505). Reported by @isniz and @achetronic.
-
One-time-key counts match Synapse's shape, and an explicit zero count is preserved, so a client whose key pool is drained still sees
signed_curve25519and replenishes instead of starving (007033c, 164b8da). Contributed by @basnijholt in (#511). -
A soft-failed inbound event could compute an empty forward-extremity set and, once persisted, remove every leaf and wedge local sends until a remote event arrived; the previous band is now preserved, and a detached non-create local event on an empty frontier is refused rather than silently forking the room (e0f1034, 1f1dea6).
-
The inbound federation profile query returns 404
M_NOT_FOUNDfor an unknown user instead of an empty 200 (76ea07f). -
The room ephemeral section is always present in
/syncresponses now, thanks to @x86pup (79bb4af). -
An empty
device_idis treated as unspecified and a device id is generated (cfe73cb). -
A systemd unit no longer sticks in the deactivating state after an in-place admin restart, fixed by @x86pup (68e034d).
-
Non-Linux builds get several repairs, courtesy of @obodnikov: resource-usage reporting compiles on non-unix and no longer panics in macOS thread usage (#509), Ctrl+C actually shuts the server down on non-unix targets (#507), and platform-gated admin commands compile on every target (#506).
-
Backup requests that cannot create a backup error instead of reporting success, and backup engine errors propagate rather than being swallowed (f6de800, 9b54209). Credit to @x86pup.
-
@x86pup corrected documented config defaults that disagreed with the code (bb9dfb2), and the
notification_push_pathdescription is set right (e16a3ae).