[0.3.0] — 2026-06-27
A sandboxed WebAssembly extension platform, plus a round of federation,
end-to-end-encryption, and client-compatibility hardening.
Added
- Extension platform. Sandboxed WebAssembly plugins (wasmtime + the
Component Model) hook the server at well-defined points without forking it.
Decision points — check_registration, check_login, check_media_upload,
check_profile_update, check_room_create — allow / deny / modify a
request; on_event observes events asynchronously; filter_sync_event
shapes what a client sees in /sync; inbound federated events can be
soft-failed by a plugin. Plugins get three capabilities — structured
logging, an emit-event bot channel, and per-plugin key/value state — all
behind a manifest whose grants are reconciled against the component's actual
imports before it loads. Per-plugin fuel, memory, and wall-clock limits;
hot-reload on SIGHUP. Ships an SDK and example plugins.
- Third-party protocols + matrix-rtc transports.
GET /_matrix/client/v3/thirdparty/protocols and the MSC4143 rtc/transports
discovery endpoint.
Security
- /keys/query no longer leaks other users' user_signing_keys — they
are returned only for a self-query, per spec. (Cross-user leakage corrupted
the client trust model and showed verified users as untrusted.)
- /preview_url SSRF guard. The URL-preview fetch refuses targets that
resolve to private/internal addresses, re-validates each redirect hop, pins
the connection to the validated address, and caps the response body.
Operators with internal preview targets opt out via
[media] url_preview_allow_private_ips.
- Cross-signing signature uploads are scoped to the caller — a client can
no longer fold signatures attributed to another user, or into another user's
device/signing keys (cross-user signing is limited to the master key). The
cross-signing-key UIA gate keys off key material, not signatures.
- Cap federation response bodies (key server 256 KiB, general 100 MiB).
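
The four checks in the /preview_url entry above, as an added Python example (not the project's code; the project's implementation is not shown on this page). The function names, the MAX_HOPS and MAX_BODY limits, the fetch(url, ip) transport and the sample hosts are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

MAX_HOPS, MAX_BODY = 5, 1 << 20  # assumed limits, not the project's values

def system_resolver(host):
    return {ai[4][0] for ai in socket.getaddrinfo(host, None)}

def pin_address(url, resolve=system_resolver, allow_private=False):
    """Validate one hop and return the single IP the caller must connect to."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported URL {url!r}")
    addrs = sorted(resolve(parts.hostname) or ())
    if not addrs:
        raise ValueError(f"{parts.hostname} did not resolve")
    for text in addrs:  # every record must be public, not just the first
        ip = ipaddress.ip_address(text)
        ip = getattr(ip, "ipv4_mapped", None) or ip  # unwrap ::ffff:a.b.c.d
        if not allow_private and not ip.is_global:
            raise ValueError(f"{parts.hostname} -> non-public address {ip}")
    return addrs[0]

def fetch_preview(url, fetch, resolve=system_resolver, allow_private=False):
    """fetch(url, ip) is a hypothetical transport that dials `ip` directly and
    returns (status, location, body_chunks); it must not resolve DNS again."""
    for _ in range(MAX_HOPS):
        ip = pin_address(url, resolve, allow_private)  # re-run on every hop
        status, location, chunks = fetch(url, ip)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)
            continue
        body = b""
        for chunk in chunks:  # stream, so the cap holds without Content-Length
            body += chunk
            if len(body) > MAX_BODY:
                raise ValueError("response body exceeds cap")
        return body
    raise ValueError("too many redirects")

# Constructed sample data: a public page whose redirect targets an internal host.
DNS = {"news.example": {"93.184.216.34"}, "intranet.example": {"10.0.0.5"},
       "mixed.example": {"93.184.216.34", "127.0.0.1"}}
PAGES = {"http://news.example/a": (302, "http://intranet.example/admin", []),
         "http://news.example/b": (200, None, [b"<title>ok</title>"])}

def fake_fetch(url, ip):
    return PAGES[url]
```

A real transport has to connect to the returned IP while still sending the original hostname in the Host header and TLS SNI; letting the HTTP client resolve the name a second time reopens the DNS-rebinding window that pinning is meant to close.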
Fixed
- Federation signing keys. Refetch a remote server's keys when a signature
references an unknown key id instead of serving a stale cached key; accept
events signed with a server's rotated-out keys within their validity window.
- E2EE / devices. Preserve cross-signing signatures across a key re-upload
(a verified device no longer reverts to unverified); track device
last_seen; deliver to-device messages delete-on-ack on both /sync and
sliding sync (a dropped sync can't lose a verification request); notify a
user's other devices and room-mates when a device is deleted.
- Client compatibility. Stop a /sync busy-loop on lazy-loaded
incremental syncs; emit the MSC4222 state_after under the key matching the
client's opt-in param (rooms no longer render as "v1"/empty in Element);
keep room heroes' membership through lazy-load (fixes "Empty room" on fresh
login); align the /login well_known base URL with discovery; return
M_UNRECOGNIZED for auth-metadata when delegated auth is off.