Release 2026-03-24 - (expected chart version 5.29.0)

.envrc

@@ -5,6 +5,15 @@
 # or any of the `default.nix` files change. We do this by adding all these files
 # to the nix store and using the store paths as a cache key.
 
+# FUTUREWORK: The speedhack saves only a couple of Seconds when cd'ing into the
+# repo's directory. The price is some state we have to manage manually (e.g.
+# `rm .direnv`) and a non-intuitive usage of flakes.
+#
+# The hack could be replaced by the line
+# `use flake .\#`
+#
+# The env variable exports could then be added to the flake's devShell.
+
 nix_files=$(find . -name '*.nix' | grep -v '^./dist-newstyle')
 for nix_file in $nix_files; do
   watch_file "$nix_file"

.gitignore

@@ -106,5 +106,8 @@ logs-integration
 # BOM file - https://github.com/wireapp/tom-bombadil
 sbom.json
 
+# Temporary files
+tmp/
+
 # HLS config for haskell-tools plugin (Neovim)
 hls.json

AGENTS.md

@@ -105,3 +105,78 @@ Build commands (e.g. `make c`, `cabal build` or `cabal test`) should always end
 with this command line filter: `| grep -vE
 'Compiling|Linking|Preprocessing|Configuring|Building'`. The filter ensures
 that only relevant output is displayed.
+
+# Security Guidelines
+
+For all code generated in this chat, adhere to the following guidelines:
+
+### 1. Be Explicit About Security Requirements
+- Always request and enforce secure coding practices directly.
+- Example prompts to follow:
+  - “Generate a Python function to query a database using parameterized queries and no string concatenation.”
+  - “Write input validation code for usernames using a whitelist approach.”
+- Do **not** accept vague prompts such as:
+  - “Write code to query a database.”
+  - “Generate authentication logic.”
+
+### 2. Prevent Sensitive Data Leaks
+- Never generate production secrets, API keys, credentials, personal data, or customer-identifying information.
+- Always use placeholders (e.g., `YOUR_API_KEY_HERE`) or synthetic/anonymized data.
+
+### 3. Limit Scope & Keep It Modular
+- Focus on narrow, well-defined tasks.
+- Example: “Generate a secure password hashing function using Argon2id with parameters selected according to the OWASP Password Storage Cheat Sheet.”
+- Reject overly broad requests like “Write a full secure authentication system.”
+- Propose security requirements before generating code.
+- Discuss alternatives, evaluate them, and provide a step-by-step implementation plan.
+
+### 4. Specify Safe Practices & Standards
+- Always reference frameworks, versions, and security guidelines.
+- Example: “Use Flask 3.0 and follow OWASP secure coding practices.”
+- Example: “Use your web framework’s built-in auto-escaping/output encoding to prevent XSS.”
+- Example: “Sanitize user-provided rich HTML content on the client using DOMPurify before rendering.”
+### 5. Control Library Choices
+- Only use secure, widely adopted, actively maintained dependencies.
+- Ensure libraries have no known high-severity CVEs.
+- Example: “Suggest Node.js packages updated in the last 6 months.”
+
+### 6. Request Validation & Error Handling
+- Always include strict server-side validation.
+- Error messages must be generic and never disclose sensitive details.
+- Example: “Generate a file upload handler with size limits, MIME type checks, and safe error messages.”
+
+### 7. Avoid Dangerous Features by Default
+- Exclude risky features unless explicitly requested.
+- Example:
+  - Do not use `eval`.
+  - Do not disable SSL/TLS verification.
+
+### 8. Request Tests for Security
+- Always generate tests verifying security protections.
+- Integrate tests into CI/CD pipelines.
+- Examples:
+  - “Write unit tests confirming rejection of invalid input and prevention of XSS.”
+  - “Generate a pytest suite covering edge cases, including malicious inputs.”
+
+### 9. Ask for Explanations
+- Always justify security decisions in generated code.
+- Example: “Explain how this code prevents SQL injection.”
+- Example: “List all security measures in your code.”
+
+### 10. Avoid Blind Trust in Input Handling
+- Do not assume inputs are safe.
+- Explicitly include strict validation.
+- Always use parameterized queries.
+
+### 11. Constrain the Role
+- Only fulfill narrowly scoped coding tasks.
+- Example: “Generate input validation for email addresses only.”
+- Reject broad, open-ended prompts like:
+  - “Write a secure web app.”
+
+### 12. Follow Up Iteratively
+- Treat the first response as a draft.
+- Accept refinements and improvements from the user.
+- Example refinements:
+  - “Improve error handling to avoid information disclosure.”
+  - “Replace insecure library X with a more secure alternative.”

CHANGELOG.md

@@ -1,3 +1,126 @@
+# [2026-03-24] (Chart Release 5.29.0)
+
+## Release notes
+
+
+* Helm chart refactoring: several core services were migrated from wire-server subcharts into the umbrella chart templates (`charts/wire-server/templates`).
+
+  Moved as core services:
+  - `background-worker`
+  - `brig`
+  - `cannon`
+  - `cargohold`
+  - `galley`
+  - `gundeck`
+  - `proxy`
+  - `spar`
+
+  As a result, dependency tags for moved services are obsolete for the current wire-server chart, because these services are no longer resolved through `requirements.yaml` dependencies. In particular, `tags.brig`, `tags.galley`, `tags.cannon`, `tags.cargohold`, `tags.gundeck`, `tags.proxy`, and `tags.spar` are no longer needed for wire-server deployments.
+
+  Operator note: during upgrade, rendered manifests will show metadata/source changes (for example chart labels and template source paths). This is expected from the inlining refactor and may trigger a one-time rollout due to checksum annotation changes.
+
+  Compatibility note: for standard wire-server deployments this is not expected to be breaking, because the moved core services were not toggled off via tags in default/in-repo environments. However, this is a breaking change for custom deployments that previously disabled any of these services via wire-server dependency tags (`tags.<service>: false`), because those tags are now obsolete after inlining. (#5085)
+
+* Rate-limit status codes in `nginz` and cannon's embedded `nginz` are now configurable via Helm values.
+
+  Compatibility note: the default remains `420`, so this does not change behavior for existing deployments and requires no direct operator action. (#5124)
+
+* Remove the old `metallb` wrapper chart. This hasn't been published or updated
+  for quite some time. Even the Docker images weren't available anymore. (#5111)
+
+
+## API changes
+
+
+* Require admin password for refreshing app cookies (`POST /teams/:tid/apps/:uid/cookies`). (#5129)
+
+* Add `"app"` attribute to `GET /list-users`, `GET /users/:dom/:uid`; make `GET /teams/:tid/apps`, `GET /teams/:tid/apps/:uid` return same schema as `GET /list-users`. (#5070)
+
+* `GET /teams/:tid/search` response contains user types now (app or regular). (#5074)
+
+* - remove pict attribute from GetApp
+  - remove metadata attribute from GetApp
+  - inline GetApp fields into NewApp
+  - make CreatedApp.user contain UserProfile (which includes app info)
+  - rename GetApp to AppInfo
+  - remove AppInfo.{name,assets,accentId} (redundant user data) (#5115)
+
+* Create new API version V16 and finalize API version V15. (#5121)
+
+
+## Features
+
+
+* Add meetings listings endpoint `/meetings/list`. (#5109)
+
+* Add Wire Meetings add invitation endpoint `POST /meetings/:domain/:id/invitations` (#5132)
+
+* Add Wire Meetings delete invitation endpoint `POST /meetings/:domain/:id/invitations/delete` (#5136)
+
+
+## Bug fixes and other updates
+
+
+* Claiming key packages for a deleted user now returns a client error instead of a server error (#5113)
+
+* backoffice/stern: fix Swagger UI for comma-separated list query parameters (#5108)
+
+* Streamlined and fixed team feature config `validateSAMLemails` (#5114)
+
+* When the admin creates a new app cookie, all previous ones must be revoked. (#5149)
+
+* charts/elasticsearch-index: Allow configuring postgresql (#5092)
+
+* charts/wire-server: Fix nil pointer errors in merged subchart templates when optional values (brig.turn, rabbitmq TLS, cassandraBrig/cassandraGalley) are not provided (#5112)
+
+* Improve error message when failing to parse group ID (#5089)
+
+
+## Documentation
+
+
+* Updated docs for the team feature `validateSAMLemails` (#5118)
+
+
+## Internal changes
+
+
+* The status code for rate limit responses from nginz and cannon is now configurable and set to 420 per default (#5124)
+
+* Add curl to integration test failure reports. (#5048)
+
+* Add `UserType` fields in various data types. (#5074)
+
+* Progressively move away from singletons to type class to allow progressive migration to `wire-subsystems` of Galley's actions.
+  Drop `Galley.Intra.Util`,`Galley.Effects`,  `Galley.API.MLS.Commit`, and `Galley.API.Push`.
+  Break dependencies to `Opts`/`Env`.
+  Split `ConversationSubsystem.Interpreter` `Galley.API.Federation` (#5075, #5081, #5086, #5087, #5098, #5101, #5102, #5103, #5104, #5110, #5145, #5148)
+
+* Logging Wire-Client, Wire-Client-Version and Wire-Config-Hash headers in nginz (#5123)
+
+* Refactor scripts to alleviate SonarQube warnings (#5097)
+
+* Consumable notifications are now disabled (#5116)
+
+* The fields `code`, `label`, and `message` where added to the inconsistent group state error response of `POST /mls/commit-bundels` (#PR_NOT_FOUND)
+
+* Refactor Category: from ADT to Text. (#5120)
+
+* Moved TeamVisibilityStore operations into TeamStore (#5137)
+
+* Moved TeamNotificationStore to wire-subsystems (#5138)
+
+* Moved CustomBackendStore to wire-subsystems (#5135)
+
+* Moved TeamMemberStore, interpreter, and ListItems interpreters for Team to wire-subsystems (#5140)
+
+* `sbomqs` has been unused for years now. Thus, dropping it from our Nix env. (#5144)
+
+* Adjust the `default` Nix flake `devShell` such that `nix develop` is usable. (#5127)
+
+* Create and upload SBOMs for Helmfile, docker-compose and Helm charts. (#5122)
+
+
 # [2026-03-03] (Chart Release 5.28.0)
 
 ## Release notes

Makefile

@@ -23,6 +23,7 @@ KIND_CLUSTER_NAME     := wire-server
 HELM_PARALLELISM      ?= 1 # 1 for sequential tests; 6 for all-parallel tests
 PSQL_DB               ?= backendA
 export PSQL_DB
+DEPENDENCY_TRACK_PROJECT_NAME ?= wire-server
 
 package ?= all
 EXE_SCHEMA := ./dist/$(package)-schema
@@ -76,6 +77,7 @@ endif
   # `/dist` and `.ghc.environment` shouldn't be created or used by anybody any more, we're just making sure here.
 	-rm -rf dist .ghc.environment
 	-rm -f "bill-of-materials.$(HELM_SEMVER).json"
+	-rm -rf tmp/sboms
 
 .PHONY: clean-hint
 clean-hint:
@@ -122,7 +124,7 @@ endif
 .PHONY: ci-safe
 ci-safe:
 	make c package=all
-	./hack/bin/cabal-run-integration.sh integration
+	make ci-fast
 
 .PHONY: ci
 ci:
@@ -347,9 +349,9 @@ postgres-schema-impl:
 
 .PHONY: cqlsh
 cqlsh:
-	$(eval CASSANDRA_CONTAINER := $(shell docker ps | grep '/cassandra:' | perl -ne '/^(\S+)\s/ && print $$1'))
+	$(eval CASSANDRA_CONTAINER := $(shell docker ps | grep 'cassandra' | perl -ne '/^(\S+)\s/ && print $$1'))
 	@echo "make sure you have ./deploy/dockerephemeral/run.sh running in another window!"
-	docker exec -it $(CASSANDRA_CONTAINER) /usr/bin/cqlsh
+	docker exec -it $(CASSANDRA_CONTAINER) cqlsh
 
 .PHONY: psql
 psql:
@@ -565,6 +567,11 @@ charts-serve-all: $(foreach chartName,$(CHARTS_RELEASE),chart-$(chartName))
 .PHONY: charts-release
 charts-release: $(foreach chartName,$(CHARTS_RELEASE),release-chart-$(chartName))
 
+# Prepare .local/charts to be read by `helmfile`
+.PHONY: .local/charts
+.local/charts: charts-release
+	./hack/bin/prepare-local-charts.sh $(CHARTS_RELEASE)
+
 .PHONY: clean-charts
 clean-charts:
 	rm -rf .local/charts
@@ -674,6 +681,28 @@ kind-restart-%: .local/kind-kubeconfig
 helm-template-%: clean-charts charts-integration
 	./hack/bin/helm-template.sh $(*)
 
+# Render the wire-server manifest from an explicit values file.
+# Usage:
+#   make render-manifest VALUES_FILE=/tmp/values.yaml
+#   make render-manifest VALUES_FILE=/tmp/values.yaml OUTPUT_FILE=/tmp/rendered.yaml
+# (you can get the live values e.g. like this: helm get values wire-server -n wire -a)
+render-manifest: clean-charts charts-integration
+	./hack/bin/render-manifest.sh "$(VALUES_FILE)"
+
+# Render wire-server from live values and compare it with the live manifest.
+# Usage:
+#   helm get values wire-server -n wire -a > /tmp/staging/live-values.yaml
+#   helm get manifest wire-server -n wire > /tmp/staging/live-manifest.yaml
+#   make diff-live-manifest LIVE_VALUES_FILE=/tmp/staging/live-values.yaml LIVE_MANIFEST_FILE=/tmp/staging/live-manifest.yaml
+diff-live-manifest: clean-charts charts-integration
+	OUTPUT_FILE="/tmp/wire-server.yaml" ./hack/bin/render-manifest.sh "$(LIVE_VALUES_FILE)"; \
+	DIFF_OUTPUT_FILE="$(DIFF_OUTPUT_FILE)" ./hack/bin/diff-wire-server-manifests.sh "$(LIVE_MANIFEST_FILE)" /tmp/wire-server.yaml
+
+render-ci-manifest: clean-charts charts-integration
+	VALUES_FILE="$${VALUES_FILE:-$$(mktemp).yaml}"; \
+  ./hack/bin/helm-render-ci-values.sh \
+  ./hack/bin/render-manifest.sh "$$VALUES_FILE"
+
 sbom.json:
 	nix -Lv build '.#wireServer.bomDependencies' && \
 	nix run 'github:wireapp/tom-bombadil#create-sbom' -- --root-package-name "wire-server"
@@ -687,6 +716,66 @@ upload-bombon: sbom.json
 		--auto-create \
 		--bom-file ./sbom.json
 
+# SBOM creation and uploading (Helm charts, Helmfile, docker-compose)
+#
+# For non-Nix environments (Kubernetes, docker-compose) and Helm charts we can
+# use the usual tools and do not need tom-bombadil.
+#
+# There is a Nix `devShell` which provides an environment for these targets, `sbom`.
+# E.g. to run the `sboms` target:
+# `nix develop .\#sbom --command make sboms HELM_SEMVER=... DOCKER_TAG=...`
+#
+# Why don't we simply add this `nix develop` call to the Makefile targets?
+# Targets should be independently executable and creating a Nix env in a Nix
+# env doesn't play well.
+
+# Generate all SBOMs (Helm + Docker Compose + Helmfile)
+.PHONY: sboms
+sboms: sboms-helm sboms-docker-compose sboms-helmfile
+
+# Generate SBOMs for Helm charts
+.PHONY: sboms-helm
+sboms-helm: .local/charts
+	@if [ "$(HELM_SEMVER)" = "0.0.42" ]; then \
+		echo "Environment variable HELM_SEMVER not set to non-default value. Re-run with HELM_SEMVER=<version>"; \
+		exit 1; \
+	fi
+	./hack/bin/create-helm-sboms.sh tmp/sboms/helm $(HELM_SEMVER)
+
+# Generate SBOMs for Docker Compose
+.PHONY: sboms-docker-compose
+sboms-docker-compose:
+	./hack/bin/create-docker-compose-sboms.sh tmp/sboms/docker-compose
+
+# Generate SBOMs for Helmfile
+.PHONY: sboms-helmfile
+sboms-helmfile: .local/charts
+	@if [ "$(HELM_SEMVER)" = "0.0.42" ]; then \
+		echo "Environment variable HELM_SEMVER not set to non-default value. Re-run with HELM_SEMVER=<version>"; \
+		exit 1; \
+	fi
+	./hack/bin/create-helmfile-sboms.sh tmp/sboms/helmfile $(HELM_SEMVER)
+
+# Validate all SBOM files using cyclonedx
+.PHONY: validate-sboms
+validate-sboms:
+	@echo "Validating SBOM files..."
+	@find tmp/sboms -name '*.json' -type f -not -path '*/.oci-cache/*' | while read sbom; do \
+		echo "Validating: $$sbom"; \
+		cyclonedx validate --input-file "$$sbom" --fail-on-errors; \
+	done
+	@echo "All SBOMs validated successfully"
+
+# Upload all SBOMs to Dependency Track
+# Requires DEPENDENCY_TRACK_API_KEY environment variable
+.PHONY: upload-sboms
+upload-sboms:
+	@if [ "$(HELM_SEMVER)" = "0.0.42" ]; then \
+		echo "Environment variable HELM_SEMVER not set to non-default value. Re-run with HELM_SEMVER=<version>"; \
+		exit 1; \
+	fi
+	./hack/bin/upload-all-sboms.sh $(DEPENDENCY_TRACK_PROJECT_NAME) "$(HELM_SEMVER)"
+
 .PHONY: openapi-validate
 openapi-validate:
 	@echo -e "Make sure you are running the backend in another terminal (make cr)\n"