Release v0.17.5

Mostro v0.17.5 is out!

This release adds anti-abuse bonds.

In simple terms: before starting certain trades, each side may need to lock a small bond. If they complete the trade normally, they get it back. If they disappear, stall the trade, or waste the other person’s time, they can lose part or all of it.

Why this matters:

• it makes spam and fake intent more expensive
• it discourages people from opening trades they don’t plan to finish
• it protects honest users from griefing and endless waiting
• it helps the marketplace stay usable without turning Mostro into a custodial system

The goal is simple:
real traders should have a smoother experience, bad actors should have a harder time.

Anti abuse bond is optional and it is decided by the Mostro node operator.

Mostro remains P2P and non-custodial, but now with stronger incentives to behave seriously.

Verifying the Release

In order to verify the release, you'll need to have gpg or gpg2 installed on your system. Once you've obtained a copy (and hopefully verified that as well), you'll first need to import the keys that have signed this release if you haven't done so already:

curl https://raw.githubusercontent.com/MostroP2P/mostro/main/keys/negrunch.asc | gpg --import
curl https://raw.githubusercontent.com/MostroP2P/mostro/main/keys/arkanoider.asc | gpg --import
curl https://raw.githubusercontent.com/MostroP2P/mostro/main/keys/catrya.asc | gpg --import

Once you have the required PGP keys, you can verify the release (assuming manifest.txt.sig.negrunch, manifest.txt.sig.arkanoider, manifest.txt.sig.catrya and manifest.txt are in the current directory) with:

gpg --verify manifest.txt.sig.negrunch manifest.txt
gpg --verify manifest.txt.sig.arkanoider manifest.txt
gpg --verify manifest.txt.sig.catrya manifest.txt

gpg: Signature made fri 10 oct 2025 11:28:03 -03
gpg:                using RSA key 1E41631D137BA2ADE55344F73852B843679AD6F0
gpg: Good signature from "Francisco Calderón <fjcalderon@gmail.com>" [ultimate]

gpg: Signature made fri 10 oct 2025 11:28:03 -03
gpg:                using RSA key 2E986CA1C5E7EA1635CD059C4989CC7415A43AEC
gpg: Good signature from "Arkanoider <github.913zc@simplelogin.com>" [ultimate]

gpg: Signature made fri 10 oct 2025 11:28:03 -03
gpg:                using RSA key 9A718444050F091D3D24CF6CE15E232F243D73E6
gpg: Good signature from "Catrya (github) <140891948+Catrya@users.noreply.github.com>" [ultimate]

That will verify the signature of the manifest file, which ensures integrity and authenticity of the archive you've downloaded locally containing the binaries. Next, depending on your operating system, you should then re-compute the sha256 hash of the archive with shasum -a 256 <filename>, compare it with the corresponding one in the manifest file, and ensure they match exactly.

What's Changed in v0.17.5

🚀 Features

• feat(price): Phase 2 — direct backup quoters + multi-source aggregation by @grunch in #773
• feat(bond): Phase 7 — maker timeout slash by @grunch in #775
• feat(bond): Phase 6 — range-order maker bond with proportional slashes by @grunch in #770
• feat(price): Phase 1 — Yadio provider + PriceManager wiring by @grunch in #753
• feat(bond): Phase 5 — maker bond (non-range) + dispute slash by @grunch in #767
• feat(bond): Phase 4.5 — re-prompt winner for payout invoice on payment failure by @grunch in #755
• feat(bond): Phase 4 — timeout slash for the taker bond by @grunch in #744
• feat(price): Phase 0 — multi-source price module foundation by @grunch in #747

🐛 Bug Fixes

• fix(price): repair test-only price seeding broken by #753/#770 merge skew by @grunch in #774
• fix: let daemon finalize disputes without solver row by @arkanoider in #746

💼 Other

• Update CHANGELOG for version 0.17.5 by @grunch

📚 Documentation

• docs(bond): Phase 8 — public config exposure + operator docs by @grunch in #777
• docs: document daemon event kinds by @ermeme[bot] in #769
• docs: clarify Cashu escrow uses per-order trade keys by @grunch in #757
• docs: add Cashu 2-of-3 multisig escrow architecture spec by @a1denvalu3 in #756

⚙️ Miscellaneous Tasks

• Release mostro version 0.17.5 by @grunch

Contributors

• @grunch made their contribution
• @ermeme[bot] made their contribution in #769
• @a1denvalu3 made their contribution in #756
• @arkanoider made their contribution in #746

Full Changelog: v0.17.4...v0.17.5

Release v0.17.4

Verifying the Release

In order to verify the release, you'll need to have gpg or gpg2 installed on your system. Once you've obtained a copy (and hopefully verified that as well), you'll first need to import the keys that have signed this release if you haven't done so already:

curl https://raw.githubusercontent.com/MostroP2P/mostro/main/keys/negrunch.asc | gpg --import
curl https://raw.githubusercontent.com/MostroP2P/mostro/main/keys/arkanoider.asc | gpg --import
curl https://raw.githubusercontent.com/MostroP2P/mostro/main/keys/catrya.asc | gpg --import

Once you have the required PGP keys, you can verify the release (assuming manifest.txt.sig.negrunch, manifest.txt.sig.arkanoider, manifest.txt.sig.catrya and manifest.txt are in the current directory) with:

gpg --verify manifest.txt.sig.negrunch manifest.txt
gpg --verify manifest.txt.sig.arkanoider manifest.txt
gpg --verify manifest.txt.sig.catrya manifest.txt

gpg: Signature made fri 10 oct 2025 11:28:03 -03
gpg:                using RSA key 1E41631D137BA2ADE55344F73852B843679AD6F0
gpg: Good signature from "Francisco Calderón <fjcalderon@gmail.com>" [ultimate]

gpg: Signature made fri 10 oct 2025 11:28:03 -03
gpg:                using RSA key 2E986CA1C5E7EA1635CD059C4989CC7415A43AEC
gpg: Good signature from "Arkanoider <github.913zc@simplelogin.com>" [ultimate]

gpg: Signature made fri 10 oct 2025 11:28:03 -03
gpg:                using RSA key 9A718444050F091D3D24CF6CE15E232F243D73E6
gpg: Good signature from "Catrya (github) <140891948+Catrya@users.noreply.github.com>" [ultimate]

That will verify the signature of the manifest file, which ensures integrity and authenticity of the archive you've downloaded locally containing the binaries. Next, depending on your operating system, you should then re-compute the sha256 hash of the archive with shasum -a 256 <filename>, compare it with the corresponding one in the manifest file, and ensure they match exactly.

What's Changed in v0.17.4

🚀 Features

• feat(bond): Phase 3.5 — payout confirmation to the winner by @grunch in #743
• feat(bond): Phase 3 — payout flow for slashed bonds by @grunch in #738
• feat(bond): Phase 2 — solver-directed dispute slash by @grunch in #737
• feat: support MOSTRO_NSEC_PRIVKEY env var for Nostr private key by @AndreaDiazCorreia in #713
• feat(bond): Phase 1.5 — dedicated PayBondInvoice action + WaitingTakerBond status by @grunch in #736
• feat(bond): concurrent taker bonds, first-to-lock wins (Phase 0+1) by @grunch in #733
• feat(bond): align AntiAbuseBondSettings with spec — slash split, claim window, drop unused dispute flag by @grunch in #728
• feat(bond): add Forfeited terminal state for long-stop bond payout by @grunch in #727
• feat(bond): add Phase 0 schema columns for split, forfeit window, and retry separation by @grunch in #726
• feat: added catrya key for manifest signature by @Catrya in #724
• feat(bond): anti-abuse bond phase 1 — taker lifecycle (lock + always release) by @grunch in #719
• feat(nip59): adopt mostro-core 0.10.0 dual-key gift wrap transport by @grunch in #718
• feat(bond): anti-abuse bond phase 0 foundation by @grunch in #712

🐛 Bug Fixes

• fix(price): tolerate null rates in Yadio /exrates/BTC response by @grunch in #748
• fix: include created_at on AddInvoice SmallOrder by @arkanoider in #739
• fix(bond): align bond invoice memo with spec §6.1 by @grunch in #735
• fix(restore-session): re-send AddInvoice for failed payments on session restore by @codaMW in #721

💼 Other

• Update CHANGELOG for version 0.17.4 by @grunch
• Revert "fix(restore-session): re-send AddInvoice for failed payments on session restore" by @grunch in #722
• Add read and read-write dispute solver permissions by @mostronatorcoder[bot] in #708

📚 Documentation

• docs: spec for multi-source price providers (remove Yadio single point of failure) by @grunch in #745
• docs(bond): add Phase 3.5 — payout confirmation to the winner by @grunch in #742
• docs(bond): fold taker_* columns into Phase 0 schema by @grunch in #734
• docs(bond): switch Phase 1.5 to concurrent taker bonds, first-to-lock wins by @grunch in #732
• docs(bond): spec cancel_action handling for WaitingTakerBond status by @grunch in #730
• docs(bond): note that mostro-core 0.11.0 ships Phase 1.5 + Phase 2 variants by @grunch in #729
• docs(bond): decouple slash from trade outcome; clarify maker/taker vs… by @grunch in #725

⚙️ Miscellaneous Tasks

• Release mostro version 0.17.4 by @grunch

Contributors

• @grunch made their contribution
• @arkanoider made their contribution in #739
• @AndreaDiazCorreia made their contribution in #713
• @Catrya made their contribution in #724
• @codaMW made their contribution in #721
• @mostronatorcoder[bot] made their contribution in #708

Full Changelog: v0.17.3...v0.17.4

Release v0.17.3

Verifying the Release

In order to verify the release, you'll need to have gpg or gpg2 installed on your system. Once you've obtained a copy (and hopefully verified that as well), you'll first need to import the keys that have signed this release if you haven't done so already:

curl https://raw.githubusercontent.com/MostroP2P/mostro/main/keys/negrunch.asc | gpg --import
curl https://raw.githubusercontent.com/MostroP2P/mostro/main/keys/arkanoider.asc | gpg --import

Once you have the required PGP keys, you can verify the release (assuming manifest.txt.sig.negrunch, manifest.txt.sig.arkanoider and manifest.txt are in the current directory) with:

gpg --verify manifest.txt.sig.negrunch manifest.txt
gpg --verify manifest.txt.sig.arkanoider manifest.txt

gpg: Signature made fri 10 oct 2025 11:28:03 -03
gpg:                using RSA key 1E41631D137BA2ADE55344F73852B843679AD6F0
gpg: Good signature from "Francisco Calderón <fjcalderon@gmail.com>" [ultimate]

gpg: Signature made fri 10 oct 2025 11:28:03 -03
gpg:                using RSA key 2E986CA1C5E7EA1635CD059C4989CC7415A43AEC
gpg: Good signature from "Arkanoider <github.913zc@simplelogin.com>" [ultimate]

That will verify the signature of the manifest file, which ensures integrity and authenticity of the archive you've downloaded locally containing the binaries. Next, depending on your operating system, you should then re-compute the sha256 hash of the archive with shasum -a 256 <filename>, compare it with the corresponding one in the manifest file, and ensure they match exactly.

What's Changed in v0.17.3

🐛 Bug Fixes

• fix: fix for bug introduced in 0.17.2 blocking range orders by @arkanoider in #705

💼 Other

• Update CHANGELOG for version 0.17.3 by @grunch

⚙️ Miscellaneous Tasks

• Release mostro version 0.17.3 by @grunch

Contributors

• @grunch made their contribution
• @arkanoider made their contribution in #705

Full Changelog: v0.17.2...v0.17.3

Release v0.17.2

Verifying the Release

In order to verify the release, you'll need to have gpg or gpg2 installed on your system. Once you've obtained a copy (and hopefully verified that as well), you'll first need to import the keys that have signed this release if you haven't done so already:

curl https://raw.githubusercontent.com/MostroP2P/mostro/main/keys/negrunch.asc | gpg --import
curl https://raw.githubusercontent.com/MostroP2P/mostro/main/keys/arkanoider.asc | gpg --import

Once you have the required PGP keys, you can verify the release (assuming manifest.txt.sig.negrunch, manifest.txt.sig.arkanoider and manifest.txt are in the current directory) with:

gpg --verify manifest.txt.sig.negrunch manifest.txt
gpg --verify manifest.txt.sig.arkanoider manifest.txt

gpg: Signature made fri 10 oct 2025 11:28:03 -03
gpg:                using RSA key 1E41631D137BA2ADE55344F73852B843679AD6F0
gpg: Good signature from "Francisco Calderón <fjcalderon@gmail.com>" [ultimate]

gpg: Signature made fri 10 oct 2025 11:28:03 -03
gpg:                using RSA key 2E986CA1C5E7EA1635CD059C4989CC7415A43AEC
gpg: Good signature from "Arkanoider <github.913zc@simplelogin.com>" [ultimate]

That will verify the signature of the manifest file, which ensures integrity and authenticity of the archive you've downloaded locally containing the binaries. Next, depending on your operating system, you should then re-compute the sha256 hash of the archive with shasum -a 256 <filename>, compare it with the corresponding one in the manifest file, and ensure they match exactly.

What's Changed in v0.17.2

🚀 Features

• feat: add interactive setup wizard for first-time configuration by @AndreaDiazCorreia in #696

🐛 Bug Fixes

• fix: validate fiat_amount and amount in order_action by @mostronatorcoder[bot] in #702
• fix: prevent stale Order writes from causing duplicate payments by @Catrya in #692

💼 Other

• Update CHANGELOG for version 0.17.2 by @grunch
• Include solver_pubkey in restore disputes response by @BraCR10 in #690

⚙️ Miscellaneous Tasks

• Release mostro version 0.17.2 by @grunch

Contributors

• @grunch made their contribution
• @mostronatorcoder[bot] made their contribution in #702
• @AndreaDiazCorreia made their contribution in #696
• @Catrya made their contribution in #692
• @BraCR10 made their contribution in #690

Full Changelog: v0.17.1...v0.17.2

Release v0.17.1

Verifying the Release

In order to verify the release, you'll need to have gpg or gpg2 installed on your system. Once you've obtained a copy (and hopefully verified that as well), you'll first need to import the keys that have signed this release if you haven't done so already:

curl https://raw.githubusercontent.com/MostroP2P/mostro/main/keys/negrunch.asc | gpg --import
curl https://raw.githubusercontent.com/MostroP2P/mostro/main/keys/arkanoider.asc | gpg --import

Once you have the required PGP keys, you can verify the release (assuming manifest.txt.sig.negrunch, manifest.txt.sig.arkanoider and manifest.txt are in the current directory) with:

gpg --verify manifest.txt.sig.negrunch manifest.txt
gpg --verify manifest.txt.sig.arkanoider manifest.txt

gpg: Signature made fri 10 oct 2025 11:28:03 -03
gpg:                using RSA key 1E41631D137BA2ADE55344F73852B843679AD6F0
gpg: Good signature from "Francisco Calderón <fjcalderon@gmail.com>" [ultimate]

gpg: Signature made fri 10 oct 2025 11:28:03 -03
gpg:                using RSA key 2E986CA1C5E7EA1635CD059C4989CC7415A43AEC
gpg: Good signature from "Arkanoider <github.913zc@simplelogin.com>" [ultimate]

That will verify the signature of the manifest file, which ensures integrity and authenticity of the archive you've downloaded locally containing the binaries. Next, depending on your operating system, you should then re-compute the sha256 hash of the archive with shasum -a 256 <filename>, compare it with the corresponding one in the manifest file, and ensure they match exactly.

What's Changed in v0.17.1

🚀 Features

• feat: publish exchange rates to Nostr by @mostronatorcoder[bot] in #685
• feat: include Mostro pubkey in order event source tag by @mostronatorcoder[bot] in #679
• feat: total remove of database encrytpion logic by @arkanoider in #676

💼 Other

• Update CHANGELOG for version 0.17.1 by @grunch
• Change default value of max_routing_fee by @grunch in #688
• Encryption removed by @arkanoider in #674

📚 Documentation

• docs: add branch protection rules documentation by @mostronatorcoder[bot] in #686
• refactor: split cross-kind y-tag changes into scoped follow-up PRs for s by @JiwaniZakir in #677

🧪 Testing

• test: add end-to-end y-tag emission coverage for order/info/dispute/admin/dev-fee events by @codaMW in #668

⚙️ Miscellaneous Tasks

• Release mostro version 0.17.1 by @grunch
• Improved github actions: bumped action for checkout and also MSRV version by @arkanoider in #687

Contributors

• @grunch made their contribution
• @arkanoider made their contribution in #687
• @mostronatorcoder[bot] made their contribution in #686
• @JiwaniZakir made their contribution in #677
• @codaMW made their contribution in #668

Full Changelog: v0.17.0...v0.17.1

Release v0.17.0

Verifying the Release

In order to verify the release, you'll need to have gpg or gpg2 installed on your system. Once you've obtained a copy (and hopefully verified that as well), you'll first need to import the keys that have signed this release if you haven't done so already:

curl https://raw.githubusercontent.com/MostroP2P/mostro/main/keys/negrunch.asc | gpg --import
curl https://raw.githubusercontent.com/MostroP2P/mostro/main/keys/arkanoider.asc | gpg --import

Once you have the required PGP keys, you can verify the release (assuming manifest.txt.sig.negrunch, manifest.txt.sig.arkanoider and manifest.txt are in the current directory) with:

gpg --verify manifest.txt.sig.negrunch manifest.txt
gpg --verify manifest.txt.sig.arkanoider manifest.txt

gpg: Signature made fri 10 oct 2025 11:28:03 -03
gpg:                using RSA key 1E41631D137BA2ADE55344F73852B843679AD6F0
gpg: Good signature from "Francisco Calderón <fjcalderon@gmail.com>" [ultimate]

gpg: Signature made fri 10 oct 2025 11:28:03 -03
gpg:                using RSA key 2E986CA1C5E7EA1635CD059C4989CC7415A43AEC
gpg: Good signature from "Arkanoider <github.913zc@simplelogin.com>" [ultimate]

That will verify the signature of the manifest file, which ensures integrity and authenticity of the archive you've downloaded locally containing the binaries. Next, depending on your operating system, you should then re-compute the sha256 hash of the archive with shasum -a 256 <filename>, compare it with the corresponding one in the manifest file, and ensure they match exactly.

What's Changed in v0.17.0

💼 Other

• Update CHANGELOG for version 0.17.0 by @grunch

🚜 Refactor

• refactor: remove from_globals() and construct AppContext explicitly (#656 PR F) by @mostronatorcoder[bot] in #672
• refactor: add keys to AppContext (#656 PR E) by @mostronatorcoder[bot] in #670
• refactor: migrate scheduler to AppContext (#656 PR D) by @mostronatorcoder[bot] in #667
• refactor: remove global accesses from handler paths (#656 PR C) by @mostronatorcoder[bot] in #666
• refactor: simplify dispatcher by removing pool parameter (#656 PR B) by @mostronatorcoder[bot] in #665
• refactor: remove legacy DI wrapper signatures (#656 PR A) by @mostronatorcoder[bot] in #663

📚 Documentation

• docs: update architecture docs for DI migration (#656) by @mostronatorcoder[bot] in #673

⚙️ Miscellaneous Tasks

• Release mostro version 0.17.0 by @grunch

Contributors

• @grunch made their contribution
• @mostronatorcoder[bot] made their contribution in #673

Full Changelog: v0.16.5...v0.17.0

Release v0.16.5

Verifying the Release

In order to verify the release, you'll need to have gpg or gpg2 installed on your system. Once you've obtained a copy (and hopefully verified that as well), you'll first need to import the keys that have signed this release if you haven't done so already:

curl https://raw.githubusercontent.com/MostroP2P/mostro/main/keys/negrunch.asc | gpg --import
curl https://raw.githubusercontent.com/MostroP2P/mostro/main/keys/arkanoider.asc | gpg --import

Once you have the required PGP keys, you can verify the release (assuming manifest.txt.sig.negrunch, manifest.txt.sig.arkanoider and manifest.txt are in the current directory) with:

gpg --verify manifest.txt.sig.negrunch manifest.txt
gpg --verify manifest.txt.sig.arkanoider manifest.txt

gpg: Signature made fri 10 oct 2025 11:28:03 -03
gpg:                using RSA key 1E41631D137BA2ADE55344F73852B843679AD6F0
gpg: Good signature from "Francisco Calderón <fjcalderon@gmail.com>" [ultimate]

gpg: Signature made fri 10 oct 2025 11:28:03 -03
gpg:                using RSA key 2E986CA1C5E7EA1635CD059C4989CC7415A43AEC
gpg: Good signature from "Arkanoider <github.913zc@simplelogin.com>" [ultimate]

That will verify the signature of the manifest file, which ensures integrity and authenticity of the archive you've downloaded locally containing the binaries. Next, depending on your operating system, you should then re-compute the sha256 hash of the archive with shasum -a 256 <filename>, compare it with the corresponding one in the manifest file, and ensure they match exactly.

What's Changed in v0.16.5

💼 Other

• Update CHANGELOG for version 0.16.5 by @grunch
• Adding instance name to "y" tags by @sergey3bv in #653

🚜 Refactor

• refactor: complete phase-5 handler DI migration to AppContext (#639) by @mostronatorcoder[bot] in #657
• refactor: wire AppContext into dispatcher and migrate cancel module (#639 phase 2) by @mostronatorcoder[bot] in #652
• refactor: add AppContext struct for dependency injection (#639 phase 1) by @mostronatorcoder[bot] in #651
• refactor: remove password infrastructure and all encryption code paths by @mostronatorcoder[bot] in #647
• refactor: remove dual encrypted/unencrypted code paths in db.rs by @mostronatorcoder[bot] in #646
• refactor: remove encryption from app layer and util by @mostronatorcoder[bot] in #645
• refactor: add --decrypt-db CLI command for database migration by @mostronatorcoder[bot] in #644
• refactor: add deprecation warning for MOSTRO_DB_PASSWORD by @mostronatorcoder[bot] in #643

🧪 Testing

• test: add phase-4 cancel unit tests using AppContext builder (#639) by @mostronatorcoder[bot] in #655
• test: add phase-3 mock test context utilities for AppContext (#639) by @mostronatorcoder[bot] in #654
• test: add 28 mutation testing tests for db module by @mostronatorcoder[bot] in #640

⚙️ Miscellaneous Tasks

• Release mostro version 0.16.5 by @grunch
• ci: make PR mutation testing opt-in via label by @mostronatorcoder[bot] in #648

◀️ Revert

• revert: logical revert of PR #617 targeted update behavior by @mostronatorcoder[bot] in #659

Contributors

• @grunch made their contribution
• @sergey3bv made their contribution in #653
• @mostronatorcoder[bot] made their contribution in #659

Full Changelog: v0.16.4...v0.16.5

Release v0.16.4

Verifying the Release

In order to verify the release, you'll need to have gpg or gpg2 installed on your system. Once you've obtained a copy (and hopefully verified that as well), you'll first need to import the keys that have signed this release if you haven't done so already:

curl https://raw.githubusercontent.com/MostroP2P/mostro/main/keys/negrunch.asc | gpg --import
curl https://raw.githubusercontent.com/MostroP2P/mostro/main/keys/arkanoider.asc | gpg --import

Once you have the required PGP keys, you can verify the release (assuming manifest.txt.sig.negrunch, manifest.txt.sig.arkanoider and manifest.txt are in the current directory) with:

gpg --verify manifest.txt.sig.negrunch manifest.txt
gpg --verify manifest.txt.sig.arkanoider manifest.txt

gpg: Signature made fri 10 oct 2025 11:28:03 -03
gpg:                using RSA key 1E41631D137BA2ADE55344F73852B843679AD6F0
gpg: Good signature from "Francisco Calderón <fjcalderon@gmail.com>" [ultimate]

gpg: Signature made fri 10 oct 2025 11:28:03 -03
gpg:                using RSA key 2E986CA1C5E7EA1635CD059C4989CC7415A43AEC
gpg: Good signature from "Arkanoider <github.913zc@simplelogin.com>" [ultimate]

That will verify the signature of the manifest file, which ensures integrity and authenticity of the archive you've downloaded locally containing the binaries. Next, depending on your operating system, you should then re-compute the sha256 hash of the archive with shasum -a 256 <filename>, compare it with the corresponding one in the manifest file, and ensure they match exactly.

What's Changed in v0.16.4

🚀 Features

• feat: add days field to user rating event (kind 38384) by @Catrya in #625
• feat: implement mutation testing for Rust codebase quality assurance by @mostronatorcoder[bot] in #619
• feat: added latest tag to both mostro docker versions by @arkanoider in #610
• feat: add expiration to rating events (kind 38384) by @mostronatorcoder[bot] in #612

🐛 Bug Fixes

• fix: use targeted SQL updates in check_failure_retries and payment_success by @Catrya in #617
• fix: prevent duplicate dev fee payments via idempotency check by @mostronatorcoder[bot] in #622
• fix: use expiration settings instead of hardcoded 24h for order events by @mostronatorcoder[bot] in #614
• fix: close active dispute when seller releases funds by @Mostrica in #606

💼 Other

• Update CHANGELOG for version 0.16.4 by @grunch
• Deduplicate db test helpers by @grunch in #629
• Automated badge for toolchain and version in README.md by @arkanoider in #628
• Fix restore session dispute initiator by @BraCR10 in #599

🚜 Refactor

• refactor: extract dev fee logic into dedicated module by @arkanoider in #627

📚 Documentation

• docs: fix inconsistent pubkey format in rating and info event examples by @mostronatorcoder[bot] in #615

⚙️ Miscellaneous Tasks

• Release mostro version 0.16.4 by @grunch

Contributors

• @grunch made their contribution
• @arkanoider made their contribution in #627
• @Catrya made their contribution in #617
• @mostronatorcoder[bot] made their contribution in #622
• @BraCR10 made their contribution in #599
• @Mostrica made their contribution in #606

Full Changelog: v0.16.3...v0.16.4

Release v0.16.3

Verifying the Release

In order to verify the release, you'll need to have gpg or gpg2 installed on your system. Once you've obtained a copy (and hopefully verified that as well), you'll first need to import the keys that have signed this release if you haven't done so already:

curl https://raw.githubusercontent.com/MostroP2P/mostro/main/keys/negrunch.asc | gpg --import
curl https://raw.githubusercontent.com/MostroP2P/mostro/main/keys/arkanoider.asc | gpg --import

Once you have the required PGP keys, you can verify the release (assuming manifest.txt.sig.negrunch, manifest.txt.sig.arkanoider and manifest.txt are in the current directory) with:

gpg --verify manifest.txt.sig.negrunch manifest.txt
gpg --verify manifest.txt.sig.arkanoider manifest.txt

gpg: Signature made fri 10 oct 2025 11:28:03 -03
gpg:                using RSA key 1E41631D137BA2ADE55344F73852B843679AD6F0
gpg: Good signature from "Francisco Calderón <fjcalderon@gmail.com>" [ultimate]

gpg: Signature made fri 10 oct 2025 11:28:03 -03
gpg:                using RSA key 2E986CA1C5E7EA1635CD059C4989CC7415A43AEC
gpg: Good signature from "Arkanoider <github.913zc@simplelogin.com>" [ultimate]

That will verify the signature of the manifest file, which ensures integrity and authenticity of the archive you've downloaded locally containing the binaries. Next, depending on your operating system, you should then re-compute the sha256 hash of the archive with shasum -a 256 <filename>, compare it with the corresponding one in the manifest file, and ensure they match exactly.

What's Changed in v0.16.3

🚀 Features

• feat(docker): plain image, settings.tpl.toml, StartOS as mostro-startos by @arkanoider in #597

🐛 Bug Fixes

• fix: prevent buyer_invoice leak to seller in DM payloads by @Catrya in #609

💼 Other

• Update CHANGELOG for version 0.16.3 by @grunch
• Add configurable per-kind event expiration to prevent storage bloat by @mostronator in #603
• Fix Docker DB password startup flow by @grunch in #604

⚙️ Miscellaneous Tasks

• Release mostro version 0.16.3 by @grunch

Contributors

• @grunch made their contribution
• @Catrya made their contribution in #609
• @mostronator made their contribution in #603
• @arkanoider made their contribution in #597

Full Changelog: v0.16.2...v0.16.3

Release v0.16.2

Verifying the Release

In order to verify the release, you'll need to have gpg or gpg2 installed on your system. Once you've obtained a copy (and hopefully verified that as well), you'll first need to import the keys that have signed this release if you haven't done so already:

curl https://raw.githubusercontent.com/MostroP2P/mostro/main/keys/negrunch.asc | gpg --import
curl https://raw.githubusercontent.com/MostroP2P/mostro/main/keys/arkanoider.asc | gpg --import

Once you have the required PGP keys, you can verify the release (assuming manifest.txt.sig.negrunch, manifest.txt.sig.arkanoider and manifest.txt are in the current directory) with:

gpg --verify manifest.txt.sig.negrunch manifest.txt
gpg --verify manifest.txt.sig.arkanoider manifest.txt

gpg: Signature made fri 10 oct 2025 11:28:03 -03
gpg:                using RSA key 1E41631D137BA2ADE55344F73852B843679AD6F0
gpg: Good signature from "Francisco Calderón <fjcalderon@gmail.com>" [ultimate]

gpg: Signature made fri 10 oct 2025 11:28:03 -03
gpg:                using RSA key 2E986CA1C5E7EA1635CD059C4989CC7415A43AEC
gpg: Good signature from "Arkanoider <github.913zc@simplelogin.com>" [ultimate]

That will verify the signature of the manifest file, which ensures integrity and authenticity of the archive you've downloaded locally containing the binaries. Next, depending on your operating system, you should then re-compute the sha256 hash of the archive with shasum -a 256 <filename>, compare it with the corresponding one in the manifest file, and ensure they match exactly.

What's Changed in v0.16.2

🐛 Bug Fixes

• fix: prevent redundant LND queries for confirmed dev fee payments by @mostronator in #586
• fix: check LN payment status before resetting on dev fee timeout by @mostronator in #582
• fix: prevent duplicate dev fee payment on timeout by @mostronator in #584
• fix: add rate limiting to ValidateDbPassword RPC endpoint by @mostronator in #580
• fix: close active dispute when order is cooperatively canceled by @mostronator in #578

💼 Other

• Update CHANGELOG for version 0.16.2 by @grunch
• update readme: add mostrix and mobile client, remove mostro-web by @Catrya in #576

📚 Documentation

• docs: add fenced code block language specifier guideline to AGENTS.md by @mostronator in #579

⚙️ Miscellaneous Tasks

• Release mostro version 0.16.2 by @grunch
• chore: update Rust toolchain from 1.90.0 to 1.93.0 by @mostronator in #581

Contributors

• @grunch made their contribution
• @mostronator made their contribution in #586
• @Catrya made their contribution in #576

Full Changelog: v0.16.1...v0.16.2