0.25.21

2026-05-29 — current release.

Highlights

Admin Integrations: stop pasting your session JWT

The way you connect external tools (Hivemind, the Vantage cockpit, future installers) to a chatalot instance used to involve opening the browser DevTools, going into Local Storage, copying chatalot_access_token, and pasting it into the consumer's "Connect" modal. That token is a full session JWT — anything you can do, the consumer can do, for as long as your session lives.

There's now a purpose-built surface in the admin UI: Admin → Integrations. Click Generate Integration Token, give it a label, pick a scope, optionally set an expiry. The plaintext token is shown exactly once; paste it into the consumer. Revoke from the same page. The list shows every active or expired non-default-scope token across all bots — one "what's connected to this chatalot" view.

New scope: bot:provision

The new scope grants exactly four routes — POST /admin/bots, GET /admin/bots, GET /admin/bots/{id}, POST /admin/bots/{id}/tokens. A token with this scope cannot send messages, manage communities, suspend users, delete bots, or revoke other tokens. It is intended for the create-bot-and-mint-token pattern that Hivemind Connect drives once per install.
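
The four-route grant above, sketched as a deny-by-default allowlist check. This is an added example, not chatalot's own code: SCOPE_ROUTES, is_allowed, decisions and the sample requests are names and values constructed for illustration. It assumes paths arrive already percent-decoded with the query string removed.

```python
# Added illustration, not chatalot's implementation. All names are hypothetical.
import re

# The four routes the release notes list for the bot:provision scope.
SCOPE_ROUTES = {
    "bot:provision": [
        ("POST", "/admin/bots"),
        ("GET", "/admin/bots"),
        ("GET", "/admin/bots/{id}"),
        ("POST", "/admin/bots/{id}/tokens"),
    ],
}

def _compile(template):
    """Build a regex where each {param} matches exactly one path segment."""
    segments = template.strip("/").split("/")
    parts = [r"[^/]+" if s.startswith("{") and s.endswith("}") else re.escape(s)
             for s in segments]
    return re.compile("/" + "/".join(parts))

_COMPILED = {scope: [(method, _compile(path)) for method, path in routes]
             for scope, routes in SCOPE_ROUTES.items()}

def is_allowed(scope, method, path):
    """Deny by default: True only for an exact method + route match."""
    # Assumption: path is already percent-decoded with the query string removed.
    # Dot segments would otherwise pass as an {id} and resolve elsewhere.
    if any(seg in (".", "..") for seg in path.split("/")):
        return False
    return any(method == allowed and pattern.fullmatch(path)
               for allowed, pattern in _COMPILED.get(scope, []))

# Constructed sample requests: variations on the listed paths only.
SAMPLE_REQUESTS = [
    ("POST", "/admin/bots"),
    ("GET", "/admin/bots/42"),
    ("POST", "/admin/bots/42/tokens"),
    ("DELETE", "/admin/bots/42"),          # method not granted
    ("GET", "/admin/bots/42/tokens"),      # path granted for POST only
    ("POST", "/admin/bots/42/tokens/7"),   # extra trailing segment
    ("GET", "/admin/bots/.."),             # dot segment posing as {id}
]

def decisions(scope="bot:provision"):
    """Return (method, path, allowed) for each constructed sample request."""
    return [(m, p, is_allowed(scope, m, p)) for m, p in SAMPLE_REQUESTS]
```

Matching on the full path with one segment per parameter is what keeps a longer or shorter path from inheriting a grant, and an unknown scope resolves to an empty route list rather than a default.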

The Integrations wizard also exposes metrics (introduced in 0.25.19 for the Vantage cockpit), so all scoped tokens land on a single surface regardless of consumer.

Database

Migration 064_bot_token_scope_provision.sql extends the bot_tokens.scope CHECK constraint to allow bot:provision. Existing rows untouched.

Upgrade

Managed instances apply this release via the in-app Admin → Updates page (signed image + HMAC-authenticated apply). No operator action required beyond clicking Apply.

Signing

cosign verify \
    --key https://updates.seglamater.app/.well-known/keys/chatalot.pub \
    registry.seglamater.app/seglamater/chatalot:0.25.21
