KafScale · novatechflow · Jun 2, 2026 · Jun 2, 2026
diff --git a/docs/releases/v1.6.0.md b/docs/releases/v1.6.0.md
@@ -0,0 +1,51 @@
+<!--
+Copyright 2026 Alexander Alten (novatechflow), NovaTechflow (novatechflow.com).
+This project is supported and financed by Scalytics, Inc. (www.scalytics.io).
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+
+# v1.6.0
+
+Release date: 2026-06-02
+
+## Highlights
+
+- Added Large File Support (LFS) across the proxy, console, operator surface, and multi-language client SDKs. This release introduces a new LFS HTTP API, LFS tracker flow, console visibility, and deployment assets for running the feature in Kubernetes and Docker-based environments.
+- Added DR-side topic recovery with `kafscale-cli restore`, including exact restore handling when segment contents permit safe truncation at a timestamp boundary.
+- Improved Kafka compatibility and runtime behavior with on-demand metadata refresh, broader `LIST_GROUPS` version negotiation for older admin clients, group coordination fixes, and processor durability work for restore and parallel processing paths.
+
+## Upgrade notes
+
+- Helm users must treat this as an upgrade with manual review. The standalone `lfs-proxy` values surface was removed. LFS now hangs off the unified proxy and is enabled through `proxy.lfs.enabled=true`.
+- Helm defaults changed in ways that can affect existing values overlays. `operator.replicaCount` now defaults to `1`, and several auth and etcd password fields now expect `null` or `existingSecret` wiring instead of inline default strings.
+- Broker examples and restore flows were hardened to avoid unsafe S3 defaults. Review any local demo or example-based S3 configuration before upgrading.
+
+## Bug fixes
+
+- Fixed Kafka admin compatibility for consumer group listing by widening `LIST_GROUPS` version advertisement to support older clients.
+- Fixed broker behavior to return protocol errors instead of dropping connections in failing request paths.
+- Fixed duplicate offset assignment risk with lease-based partition ownership and reduced group coordination split-brain behavior by routing coordination requests through a single broker path.
+- Fixed restore and read paths to handle orphaned S3 segments gracefully and added exact-cutoff recovery behavior when segment structure makes it safe.
+- Fixed produce request encoding for multi-partition tagged fields and improved metadata routing and refresh behavior during fetch and produce operations.
+
+## Security fixes
+
+- Blocked S3 bucket takeover scenarios caused by unsafe example defaults in broker and LFS-related paths.
+- Bumped `pgproto3` to a patched pseudo-version and merged follow-up dependency remediation across storage, controller, and workflow dependencies.
+
+## Maintenance
+
+- Replaced the hand-rolled Kafka wire protocol path with franz-go `kmsg` handling to reduce protocol drift and improve compatibility coverage.
+- Added an explicit CodeQL workflow for PR and push coverage and refreshed multiple CI, Docker, Go, and AWS dependency versions.
+- Expanded onboarding and example coverage with the E10-E50 walkthroughs and LFS demo assets.