Include updated root-restriction flag and debug_user release notes (#21602)

Author: mikeCRL

src/current/_includes/releases/v26.1/v26.1.0-alpha.2.md

@@ -4,6 +4,14 @@ Release Date: December 11, 2025
 
 {% include releases/new-release-downloads-docker-image.md release=include.release %}
 
+<h3 id="v26-1-0-alpha-2-security-updates">Security updates</h3>
+
+- A new, optional flag for `cockroach start` restricts the `root` user from logging in to the system via both SQL and RPC connections. This change affects the [unstated, unchangeable root access rule]({% link v26.1/security-reference/authentication.md %}#the-unstated-unchangeable-root-access-rule) and addresses compliance requirements. It is currently available in [Limited Access]({% link v26.1/cockroachdb-feature-availability.md %}#feature-availability-phases).   
+  - A new `debug_user` certificate has also been introduced for privileged RPC access to collect [debug zip]({% link v26.1/cockroach-debug-zip.md %}) information, which would otherwise be unavailable when `root` is restricted. `debug_user` must be created manually with the `CREATE USER` command and can be audited using `SHOW USERS`. It has privileged access to the `serverpb` admin and status endpoints required for debug zip collection.
+  - Ensure that none of the certificates used by the cluster or SQL/RPC clients have "root" in the SAN (Subject Alternative Name) fields, as the flag will block access to those clients.
+
+    [#155216][#155216]
+
 <h3 id="v26-1-0-alpha-2-sql-language-changes">SQL language changes</h3>
 
 - Added a new session variable, `use_swap_mutations`, which controls whether the new update swap and delete swap operators are enabled for use by `UPDATE` and `DELETE` statements. [#145019][#145019]