
Yeraze/meshmonitor

v4.6.3 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 14d Monitoring & Metrics
✓ No known CVEs patched
This release patches 1 known CVE

Topics

meshcore meshtastic mqtt

Affected surfaces

auth rbac

ReleasePort's take

Light signal
editorial:auto 14d

v4.6.3 fixes blocking Linux LXC and baremetal installation failures and introduces per-source MQTT ACL enforcement on retroactive decryption.

Why it matters: Linux LXC and baremetal deployments must upgrade to install. MQTT users with sensitive channels should enable per-source ACLs and register channel_database permissions immediately.

Summary

AI summary

Broad release touches Bug Fixes, Issues Resolved, 🚀 MeshMonitor v4.6.3, and meshcore.

Changes in this release

Security Medium

Enforce per-source ACLs on retroactive decrypt and register `channel_database` permission resource.


Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Feature Medium

Optional zero-hop injection mode prevents RF rebroadcast of MQTT-bridged packets.


Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Feature Medium

Scroll-position-aware infinite scrollback for MeshCore channels with "Jump to Bottom" button.


Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Feature Medium

MQTT channel permissions routed through `channel_database`, keyed by channel name across all sources.


Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Dependency Medium

Bump version to 4.6.3 and add v4.6.3 permissions blog post link.


Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Deprecation Medium

Hide per-source `channel_0..7` toggles for MQTT scopes, directing admins to Virtual Channel Permissions.


Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Bugfix Medium

Skip puppeteer Chrome download via `.npmrc` to fix Linux LXC and baremetal install failures.


Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Cascade bridge prune to parent MQTT broker source for consistent geo-membership state.


Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Preserve tapback metadata across MQTT ingest and cross-source merges, stopping reaction flickering.


Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Persist contact `advType` to `meshcore_nodes` for correct repeater target classification in remote-telemetry scheduler.


Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Stamp `node.channel = CHANNEL_DB_OFFSET + dbId` on MQTT NODEINFO and POSITION ingest; gate `/traceroutes` and `/neighbor-info` endpoints by channel permissions.


Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Use Catppuccin variables for MQTT permissions hint banner, improving readability in light and dark themes.


Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Other Medium

Drop worktree restriction from CLAUDE.md documentation.


Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Full changelog

MeshMonitor v4.6.3

Patch release focused on MQTT-source permissions and map visibility. v4.6.2 reworked MQTT ingest end-to-end so cross-source dedup and channel decryption finally work; v4.6.3 fixes the permission and rendering gaps that release exposed.

The MQTT ingest path now stamps `node.channel` with the channel-database-encoded virtual channel id so the map filter can honor Virtual Channel Permissions; previously anonymous and non-admin viewers saw zero nodes on the map for MQTT sources regardless of what was granted. The traceroute and neighbor-info endpoints are now channel-gated, so the map no longer renders line segments between coordinates of nodes the user has no permission to view ("floating lines").

MeshCore contacts are now mirrored to `meshcore_nodes` on ingest so the remote-telemetry scheduler can correctly classify repeater targets; this closes the user-visible part of #3092 for deployments with repeaters that don't anonymously answer LPP requests. Unified Messages now keeps tapback metadata across multi-source merges so reactions stop flickering between rendering as emoji pills and full inline messages. A long-standing puppeteer install failure on Linux LXC / baremetal was fixed by skipping the Chrome download via `.npmrc`. Companion features include an opt-in MQTT-broker zero-hop injection mode (prevent RF rebroadcast of MQTT-bridged packets), scroll-position-aware infinite scrollback for MeshCore channels, and a Catppuccin restyle of the MQTT permissions hint banner.

Features

  • #3100 feat(mqtt-broker): optional zero-hop injection to prevent RF rebroadcast of MQTT-bridged packets (closes #3084)
  • #3102 feat(meshcore): scroll-position-aware infinite scrollback for MeshCore channels with "Jump to Bottom" button (closes #3101)
  • #3108 feat(mqtt): route MQTT channel permissions through channel_database so MQTT-source access is keyed by channel name across all sources, not by per-source slot. Hides the channel_0..7 toggles for MQTT scopes and directs admins to Virtual Channel Permissions.

Bug Fixes

  • #3098 fix(install): skip puppeteer Chrome download via .npmrc so installs no longer fail on Linux LXC, Raspbian baremetal, and other environments without GUI dependencies (closes #3097)
  • #3103 fix(security): enforce per-source ACLs on retroactive decrypt; register the channel_database permission resource
  • #3104 fix(prune-roi): cascade bridge prune to the parent mqtt_broker source so geo-membership state stays consistent across linked sources
  • #3105 fix(unified): preserve tapback metadata (emoji, replyId) across MQTT ingest + cross-source merge; reactions no longer flicker between rendering as emoji pills and as full inline messages
  • #3107 fix(meshcore): persist contact advType to meshcore_nodes so the remote-telemetry scheduler can correctly classify repeater targets and route them through the SendStatusReq + guest-login paths added in #3094 (closes #3092)
  • #3109 fix(users): use Catppuccin variables for the MQTT permissions hint banner so it's readable in both light and dark themes
  • #3110 fix(mqtt): stamp node.channel = CHANNEL_DB_OFFSET + dbId on MQTT NODEINFO and POSITION ingest so the map filter honors Virtual Channel Permissions, and channel-gate the /traceroutes and /neighbor-info endpoints so non-admins no longer see traceroute / neighbor lines floating between hidden nodes
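
The filtering that #3110 describes (a stamped `node.channel`, plus channel-gated traceroute and neighbor lines), as an added TypeScript sketch; it is not MeshMonitor's code. The types, the function names and the value given to `CHANNEL_DB_OFFSET` are assumptions made for illustration.

```typescript
// Added sketch: hypothetical names throughout, not MeshMonitor's implementation.
const CHANNEL_DB_OFFSET = 100; // constructed value; the real constant is not shown on the page

interface MapNode { id: string; channel: number | null; }
interface Segment { from: string; to: string; }
interface Viewer { isAdmin: boolean; viewOnMap: Set<number>; } // granted channel_database row ids

// Ingest side: stamp the virtual channel id so the map filter has something to check.
function stampChannel(node: MapNode, dbId: number): MapNode {
  return { ...node, channel: CHANNEL_DB_OFFSET + dbId };
}

// Fail closed: unknown nodes and nodes with channel === null are hidden from non-admins.
// This sketch only models virtual (channel_database) channels, not per-source slots 0..7.
function canViewNode(viewer: Viewer, node: MapNode | undefined): boolean {
  if (!node) return false;
  if (viewer.isAdmin) return true;
  if (node.channel === null || node.channel < CHANNEL_DB_OFFSET) return false;
  return viewer.viewOnMap.has(node.channel - CHANNEL_DB_OFFSET);
}

// A traceroute / neighbor segment is returned only when BOTH endpoints are visible;
// otherwise the drawn line reveals the coordinates of a hidden node ("floating lines").
function visibleSegments(viewer: Viewer, nodes: MapNode[], segs: Segment[]): Segment[] {
  const byId = new Map(nodes.map((n): [string, MapNode] => [n.id, n]));
  return segs.filter(
    (s) => canViewNode(viewer, byId.get(s.from)) && canViewNode(viewer, byId.get(s.to)),
  );
}

// Constructed sample data (node ids and row ids are made up).
const sampleNodes: MapNode[] = [
  stampChannel({ id: "!a1", channel: null }, 1), // row 1, granted to Anonymous below
  stampChannel({ id: "!b2", channel: null }, 1),
  stampChannel({ id: "!c3", channel: null }, 2), // row 2, not granted
  { id: "!d4", channel: null },                  // ingested before stamping existed
];
const sampleSegments: Segment[] = [
  { from: "!a1", to: "!b2" },
  { from: "!b2", to: "!c3" },
  { from: "!a1", to: "!d4" },
];
const anonymous: Viewer = { isAdmin: false, viewOnMap: new Set<number>([1]) };
const admin: Viewer = { isAdmin: true, viewOnMap: new Set<number>() };
```

With this data the anonymous viewer gets only the `!a1` to `!b2` segment, while the admin gets all three.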

Docs

  • #3106 docs(claude): drop worktree restriction from CLAUDE.md
  • #3111 chore(release): bump version to 4.6.3 (this release); also adds the v4.6.3 permissions blog post

Issues Resolved

  • #3084: [FEAT] MQTT Broker: Optional zero-hop injection
  • #3092: [BUG] MeshCore telemetry retrieval fails on every repeater (meshcore-only setup). Final fix; the in-memory contact advType is now persisted so the scheduler picks the repeater paths
  • #3097: 4.6.2-1 install fails on Linux LXC: Puppeteer Chrome extraction error
  • #3101: MeshCore channel display: implement infinite scrollback

Upgrade notes

Action required if you have anonymous or non-admin map viewers on MQTT sources:

  1. Open Users → Permissions → scope to each MQTT source. The channel_0..7 grid is now hidden for MQTT scopes; a banner directs you to Virtual Channel Permissions below.
  2. Scroll down to Virtual Channel Permissions and grant View on Map and Read on the relevant channel_database rows (e.g. LongFast, MediumFast) for each user (including Anonymous if applicable).
  3. Existing nodes with channel=NULL will recover as each MQTT node re-broadcasts NODEINFO (typically every few hours). If you don't want to wait, restart the MQTT broker / bridge container.

MeshCore repeater telemetry: if you have repeaters with Telemetry Retrieval enabled and were seeing only LPP timeouts on v4.6.2 (issue #3092), 4.6.3 finally activates the SendStatusReq + guest-login paths shipped in v4.6.2's #3094; they were never being invoked because advType wasn't being persisted to the database.

Full Changelog

https://github.com/Yeraze/meshmonitor/compare/v4.6.2-1...v4.6.3

🚀 MeshMonitor v4.6.3

📦 Installation

Docker (recommended):

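```bash
# Image reference is lowercase: Docker rejects repository names containing uppercase letters.
docker run -d \
  --name meshmonitor \
  -p 8080:3001 \
  -v meshmonitor-data:/data \
  ghcr.io/yeraze/meshmonitor:4.6.3
```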

🧪 Testing

✅ All tests passed
✅ TypeScript checks passed
✅ Docker images built for linux/amd64, linux/arm64, linux/arm/v7

📋 Changes

See commit history for detailed changes.

Security Fixes

  • Fix #3103: enforce per-source ACLs on retroactive decrypt and register `channel_database` permission resource


Related context

Earlier breaking changes

  • v4.7.2 Route `destination` field now rejects non‑8‑hex nodeId or 64‑hex publicKey, returning HTTP 400.
