From 4a7ddbb44e97ce2362c048cbe8dc16e6be3c3827 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20D=C3=BCren?= <andreasdueren@Mac.localdomain>
Date: Fri, 16 Jan 2026 11:08:47 -0600
Subject: [PATCH] Enable appservice mode for end-to-bridge encryption (MSC3202)

- Fix encryption with Synapse 1.141+ which blocks appservice users from /sync
- Set encryption.appservice=true in start.sh (all 3 occurrences)
- Bump version to 2.0.2
---
 CHANGELOG.md          | 18 +++++++++++++++++-
 CloudronManifest.json |  6 +++---
 start.sh              |  6 +++---
 3 files changed, 23 insertions(+), 7 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 11cf539..5835153 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,22 @@
 
 All notable changes to this Cloudron package will be documented in this file.
 
+## [2.0.2] - 2026-01-16
+
+### Fixed
+- Enable appservice mode for end-to-bridge encryption (MSC3202)
+- Fixes encryption with Synapse 1.141+ which blocks appservice users from /sync
+
+## [2.0.1] - 2025-12-20
+
+### Updated
+- Updated mautrix-whatsapp to v0.2512.0 (v25.12 upstream release)
+
+### Changes in v0.2512.0
+- Pulls in upstream Docker base update to Alpine 3.23 for the container build
+- Fixes Matrix group member invites so number ghosts are correctly disinvited when redirected to the linked LID ghost
+- See https://github.com/mautrix/whatsapp/releases/tag/v0.2512.0 for the full upstream changelog
+
 ## [2.0.0] - 2025-10-22
 
 ### Updated
@@ -55,4 +71,4 @@ All notable changes to this Cloudron package will be documented in this file.
 - Automatic homeserver domain detection from Cloudron environment
 - PostgreSQL connection string injection
 - Log file configuration
-- Registration file generation and management
\ No newline at end of file
+- Registration file generation and management
diff --git a/CloudronManifest.json b/CloudronManifest.json
index 6bab5b3..f251cdc 100644
--- a/CloudronManifest.json
+++ b/CloudronManifest.json
@@ -1,6 +1,6 @@
 {
-  "version": "2.0.0",
-  "upstreamVersion": "0.2510.0",
+  "version": "2.0.2",
+  "upstreamVersion": "0.2512.0",
   "id": "dev.maunium.whatsapp.cloudronapp",
   "title": "Matrix WhatsApp Bridge",
   "author": "Tulir Asokan <tulir@maunium.net>",
@@ -29,4 +29,4 @@
   "changelog": "file://CHANGELOG.md",
   "documentationUrl": "https://docs.mau.fi/bridges/go/whatsapp/index.html",
   "forumUrl": "https://matrix.to/#/#whatsapp:maunium.net"
-}
\ No newline at end of file
+}
diff --git a/start.sh b/start.sh
index c473d0a..825d8d0 100755
--- a/start.sh
+++ b/start.sh
@@ -81,7 +81,7 @@ if [ ! -f "$CONFIG_PATH" ]; then
             yq -i -y '.encryption.allow = true' "$CONFIG_PATH" || echo "=> ERROR: Could not configure encryption allow"
             yq -i -y '.encryption.default = false' "$CONFIG_PATH" || echo "=> ERROR: Could not configure encryption default"
             yq -i -y '.encryption.require = false' "$CONFIG_PATH" || echo "=> ERROR: Could not configure encryption require"
-            yq -i -y '.encryption.appservice = false' "$CONFIG_PATH" || echo "=> ERROR: Could not configure encryption appservice"
+            yq -i -y '.encryption.appservice = true' "$CONFIG_PATH" || echo "=> ERROR: Could not configure encryption appservice"
             yq -i -y '.encryption.plaintext_mentions = false' "$CONFIG_PATH" || echo "=> ERROR: Could not configure encryption plaintext_mentions"
             yq -i -y '.encryption.delete_keys.delete_outbound_on_ack = true' "$CONFIG_PATH" || echo "=> ERROR: Could not configure encryption delete_outbound_on_ack"
             yq -i -y '.encryption.delete_keys.dont_store_outbound = true' "$CONFIG_PATH" || echo "=> ERROR: Could not configure encryption dont_store_outbound"
@@ -179,7 +179,7 @@ else
                 yq -i -y '.encryption.allow = true' "$CONFIG_PATH" || echo "=> ERROR: Could not update encryption allow"
                 yq -i -y '.encryption.default = false' "$CONFIG_PATH" || echo "=> ERROR: Could not update encryption default"
                 yq -i -y '.encryption.require = false' "$CONFIG_PATH" || echo "=> ERROR: Could not update encryption require"
-                yq -i -y '.encryption.appservice = false' "$CONFIG_PATH" || echo "=> ERROR: Could not update encryption appservice"
+                yq -i -y '.encryption.appservice = true' "$CONFIG_PATH" || echo "=> ERROR: Could not update encryption appservice"
                 yq -i -y '.encryption.plaintext_mentions = false' "$CONFIG_PATH" || echo "=> ERROR: Could not update encryption plaintext_mentions"
                 yq -i -y '.encryption.delete_keys.delete_outbound_on_ack = true' "$CONFIG_PATH" || echo "=> ERROR: Could not update encryption delete_outbound_on_ack"
                 yq -i -y '.encryption.delete_keys.dont_store_outbound = true' "$CONFIG_PATH" || echo "=> ERROR: Could not update encryption dont_store_outbound"
@@ -209,7 +209,7 @@ else
         yq -i -y '.encryption.allow = true' "$CONFIG_PATH" || echo "=> ERROR: Could not update encryption allow"
         yq -i -y '.encryption.default = false' "$CONFIG_PATH" || echo "=> ERROR: Could not update encryption default"
         yq -i -y '.encryption.require = false' "$CONFIG_PATH" || echo "=> ERROR: Could not update encryption require"
-        yq -i -y '.encryption.appservice = false' "$CONFIG_PATH" || echo "=> ERROR: Could not update encryption appservice"
+        yq -i -y '.encryption.appservice = true' "$CONFIG_PATH" || echo "=> ERROR: Could not update encryption appservice"
         yq -i -y '.encryption.plaintext_mentions = false' "$CONFIG_PATH" || echo "=> ERROR: Could not update encryption plaintext_mentions"
         yq -i -y '.encryption.delete_keys.delete_outbound_on_ack = true' "$CONFIG_PATH" || echo "=> ERROR: Could not update encryption delete_outbound_on_ack"
         yq -i -y '.encryption.delete_keys.dont_store_outbound = true' "$CONFIG_PATH" || echo "=> ERROR: Could not update encryption dont_store_outbound"