diff --git a/Cargo.lock b/Cargo.lock
index 8fdd327..a895881 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2732,7 +2732,7 @@ checksum = "92ecc6618181def0457392ccd0ee51198e065e016d1d527a7ac1b6dc7c1f09d2"
[[package]]
name = "itsgoin-cli"
-version = "0.6.1"
+version = "0.6.2"
dependencies = [
"anyhow",
"hex",
@@ -2744,7 +2744,7 @@ dependencies = [
[[package]]
name = "itsgoin-core"
-version = "0.6.1"
+version = "0.6.2"
dependencies = [
"anyhow",
"base64 0.22.1",
@@ -2767,7 +2767,7 @@ dependencies = [
[[package]]
name = "itsgoin-desktop"
-version = "0.6.1"
+version = "0.6.2"
dependencies = [
"anyhow",
"base64 0.22.1",
diff --git a/crates/cli/Cargo.toml b/crates/cli/Cargo.toml
index 4e58bf6..478c1d2 100644
--- a/crates/cli/Cargo.toml
+++ b/crates/cli/Cargo.toml
@@ -1,6 +1,6 @@
[package]
name = "itsgoin-cli"
-version = "0.6.1"
+version = "0.6.2"
edition = "2021"
[[bin]]
diff --git a/crates/core/Cargo.toml b/crates/core/Cargo.toml
index 0b7c6a0..a894f92 100644
--- a/crates/core/Cargo.toml
+++ b/crates/core/Cargo.toml
@@ -1,6 +1,6 @@
[package]
name = "itsgoin-core"
-version = "0.6.1"
+version = "0.6.2"
edition = "2021"
[dependencies]
diff --git a/crates/tauri-app/Cargo.toml b/crates/tauri-app/Cargo.toml
index 87f1f4d..17975ed 100644
--- a/crates/tauri-app/Cargo.toml
+++ b/crates/tauri-app/Cargo.toml
@@ -1,6 +1,6 @@
[package]
name = "itsgoin-desktop"
-version = "0.6.1"
+version = "0.6.2"
edition = "2021"
[lib]
diff --git a/crates/tauri-app/tauri.conf.json b/crates/tauri-app/tauri.conf.json
index 4bf316a..19dc5b3 100644
--- a/crates/tauri-app/tauri.conf.json
+++ b/crates/tauri-app/tauri.conf.json
@@ -1,6 +1,6 @@
{
"productName": "itsgoin",
- "version": "0.6.1",
+ "version": "0.6.2",
"identifier": "com.itsgoin.app",
"build": {
"frontendDist": "../../frontend",
diff --git a/website/download.html b/website/download.html
index 1ef9567..2c06425 100644
--- a/website/download.html
+++ b/website/download.html
@@ -46,6 +46,38 @@
v0.5.3 is kept online only as an upgrade bridge — it no longer connects to the live network.
+ v0.6.2 — April 22, 2026
+ Every remaining persona-signed direct push is off the wire. Deletes, visibility changes, profile updates, and group-key distribution now travel as encrypted / signed posts through the CDN. Groups are a first-class primitive. Plus two pre-release fixes — an admin-forgery check on group keys and a cap on concurrent port-scan hole punches that explains the 10 Mbps upload storm some users saw on VPNs.
+
+
+
+
+ - Deletes + visibility changes travel as signed control posts through the CDN. The
DeleteRecord / VisibilityUpdate direct pushes are gone.
+ - Profile display data (name, bio, avatar) travels as a persona-signed profile post. Peer-visible names are back — but bound to the posting identity, not the network endpoint.
+ - Rich comments — a comment can reference a separate post for long bodies or attachments; inline preview is signed alongside the reference.
+ - Groups as a primitive — many-way posting anchored at a public root post. Circles remain one-way (admin-only).
+ - Group keys distribute as encrypted posts — the
GroupKeyDistribute wire message is gone.
+ - Audience removed. Simpler social graph; anyone-can-send model via follows.
+ - PostPush / PostNotification wire messages retired — all content propagates via CDN.
+ - Port-scan hole punches are now capped at 1 concurrent — fixes sustained multi-Mbps upload on obfuscated VPNs after anchor connect.
+ - Outgoing-connect dedup — auto-reconnect, rebalance, and relay-introduction no longer race to the same peer.
+ - Security fix: group-key distribution verifies the claimed admin matches the post author, preventing a pollution attack where a peer who knows your posting id could overwrite your stored group key.
+
+ v0.6.2 is a wire-breaking fork from v0.6.1 (the retired message types are not optional). Upgrade both ends.
+
v0.6.1 — April 22, 2026
Network identity is now fully separated from posting identity on every install. Plus: Android auto-backup disabled by default, Reset actually resets, import preserves your personas, and display name is optional.
@@ -128,6 +160,22 @@
Changelog
+
v0.6.2 — April 22, 2026
+
+ - Deletes and visibility changes travel as signed control posts. New
VisibilityIntent::Control post type carries a signed DeletePost / UpdateVisibility operation. Receivers verify the ed25519 signature against the target post's author, then apply. DeleteRecord and VisibilityUpdate wire pushes are removed.
+ - Persona display data (name / bio / avatar) travels as a signed profile post. New
VisibilityIntent::Profile; authored by the posting identity, propagates via the CDN. The ProfileUpdate wire message keeps only routing fields (anchors, recent_peers, preferred_peers).
+ - Rich comments.
InlineComment gains an optional ref_post_id; when set, content is a short preview and the full body (long text, attachments) lives in the referenced post. Signature binds the reference so a peer can't strip or swap it.
+ - Groups vs circles. Groups are a new many-way primitive — anchored at a public root post, any member can post to the group once they have the seed. Circles stay one-way (admin-only). The distinction is a
canonical_root_post_id field on the group-key record; groups reuse the same encryption machinery.
+ - Group-key distribution as an encrypted post. The
GroupKeyDistribute (0xA0) wire push is retired. Admins publish an encrypted post carrying the seed; members decrypt with their posting secret. Removes the last persona-signed direct push.
+ - Audience primitive removed. No more audience tables, no more
AudienceRequest/AudienceResponse wire messages, no more SocialRelation::Audience/Mutual. Comment permission AudienceOnly renamed to FollowersOnly.
+ - PostPush + PostNotification retired. All content propagates only via CDN (pull + header-diff neighbor propagation).
BlobDeleteNotice also retired — orphan blobs on remote holders evict via LRU.
+ - Security: group-key admin-forgery rejection. Distribution posts whose inner
admin field doesn't match the post's author are rejected before storage. Prevents an attacker who knows a victim's posting id and the target group_id from overwriting the victim's legitimate group-key record.
+ - Bandwidth: port-scan hole punch capped at one concurrent scanner. Each scanner fires ~100 QUIC ClientHellos/sec for up to 5 minutes. Without a cap, parallel referrals could drive sustained multi-Mbps upload — especially on obfuscated VPNs where every probe stalls at a proxy timeout. Extra callers fall back to the standard 2s-round hole punch.
+ - Outgoing-connect dedup.
PendingConnectGuard prevents auto-reconnect, rebalance-slots, and relay-introduction from racing to connect to the same peer. Same-peer only — different peers connect independently; inbound connections are unaffected.
+ - Merged-pull bugfix. The pull query now includes every posting identity we hold (not just the network id), so DMs addressed to any of our personas are found via the recipient-match path.
+
+
v0.6.2 is a wire-breaking fork from v0.6.1. Retired message types (0x42 PostNotification, 0x43 PostPush, 0x44 AudienceRequest, 0x45 AudienceResponse, 0x95 BlobDeleteNotice, 0xA0 GroupKeyDistribute) are not optional — upgrade both ends.
+
v0.6.1 — April 22, 2026
- Network ID and posting ID are now separate by default. Fresh installs generate two independent ed25519 keys. Upgraders rotate their network key on first launch; the old key stays as the default posting persona. Peers see the same author; only the QUIC endpoint changes.