fix(complement): Fix complement conflicting with first-run

- Disabled first-run mode when running Complement tests
- Updated logging config under complement to be a bit less verbose
- Changed test result and log output locations

.dockerignore

@@ -1,9 +1,9 @@
 # Local build and dev artifacts
 target/
+!target/debug/conduwuit
 
 # Docker files
 Dockerfile*
-docker/
 
 # IDE files
 .vscode

.forgejo/workflows/build-debian.yml

@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        container: ["ubuntu-latest", "ubuntu-previous", "debian-latest", "debian-oldstable"]
+        container: [ "ubuntu-latest", "ubuntu-previous", "debian-latest", "debian-oldstable" ]
     container:
       image: "ghcr.io/tcpipuk/act-runner:${{ matrix.container }}"
 
@@ -30,6 +30,28 @@ jobs:
           echo "version=$VERSION" >> $GITHUB_OUTPUT
           echo "distribution=$DISTRIBUTION" >> $GITHUB_OUTPUT
           echo "Debian distribution: $DISTRIBUTION ($VERSION)"
+      - name: Work around llvm-project#153385
+        id: llvm-workaround
+        run: |
+          if [ -f /usr/share/apt/default-sequoia.config ]; then
+            echo "Applying workaround for llvm-project#153385"
+            mkdir -p /etc/crypto-policies/back-ends/
+            cp /usr/share/apt/default-sequoia.config /etc/crypto-policies/back-ends/apt-sequoia.config
+            sed -i 's/\(sha1\.second_preimage_resistance = \)2026-02-01/\12026-06-01/' /etc/crypto-policies/back-ends/apt-sequoia.config
+          else
+            echo "No workaround needed for llvm-project#153385"
+          fi
+      - name: Pick compatible clang version
+        id: clang-version
+        run: |
+          # both latest need to use clang-23, but oldstable and previous can just use clang
+          if [[ "${{ matrix.container }}" == "ubuntu-latest" || "${{ matrix.container }}" == "debian-latest" ]]; then
+            echo "Using clang-23 package for ${{ matrix.container }}"
+            echo "version=clang-23" >> $GITHUB_OUTPUT
+          else
+            echo "Using default clang package for ${{ matrix.container }}"
+            echo "version=clang" >> $GITHUB_OUTPUT
+          fi
 
       - name: Checkout repository with full history
         uses: actions/checkout@v6
@@ -105,7 +127,7 @@ jobs:
         run: |
           apt-get update -y
           # Build dependencies for rocksdb
-          apt-get install -y clang liburing-dev
+          apt-get install -y liburing-dev ${{ steps.clang-version.outputs.version }}
 
       - name: Run cargo-deb
         id: cargo-deb

.github/FUNDING.yml

@@ -1,4 +1,4 @@
-github: [JadedBlueEyes, nexy7574]
+github: [JadedBlueEyes, nexy7574, gingershaped]
 custom:
   - https://ko-fi.com/nexy7574
   - https://ko-fi.com/JadedBlueEyes

.pre-commit-config.yaml

@@ -23,7 +23,7 @@ repos:
         - id: check-added-large-files
 
   - repo: https://github.com/crate-ci/typos
-    rev: v1.41.0
+    rev: v1.43.5
     hooks:
       - id: typos
       - id: typos
@@ -31,7 +31,7 @@ repos:
         stages: [commit-msg]
 
   - repo: https://github.com/crate-ci/committed
-    rev: v1.1.9
+    rev: v1.1.10
     hooks:
     - id: committed
 

.typos.toml

@@ -6,14 +6,13 @@ extend-exclude = ["*.csr", "*.lock", "pnpm-lock.yaml"]
 extend-ignore-re = [
     "(?Rm)^.*(#|//|<!--)\\s*spellchecker:disable-line(\\s*-->)$", # Ignore a line by making it trail with a `spellchecker:disable-line` comment
     "^[0-9a-f]{7,}$", # Commit hashes
-
+    "4BA7",
     # some heuristics for base64 strings
     "[A-Za-z0-9+=]{72,}",
     "([A-Za-z0-9+=]|\\\\\\s\\*){72,}",
     "[0-9+][A-Za-z0-9+]{30,}[a-z0-9+]",
     "\\$[A-Z0-9+][A-Za-z0-9+]{6,}[a-z0-9+]",
     "\\b[a-z0-9+/=][A-Za-z0-9+/=]{7,}[a-z0-9+/=][A-Z]\\b",
-
     # In the renovate config
     ".ontainer"
 ]
@@ -25,3 +24,5 @@ extend-ignore-re = [
 "continuwity" = "continuwuity"
 "execuse" = "execuse"
 "oltp" = "OTLP"
+
+rememvering = "remembering"

CHANGELOG.md

@@ -1,37 +1,150 @@
+# Continuwuity v0.5.5 (2026-02-15)
+
+## Features
+
+- Added unstable support for [MSC4406:
+  `M_SENDER_IGNORED`](https://github.com/matrix-org/matrix-spec-proposals/pull/4406).
+  Contributed by @nex ([#1308](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1308))
+- Introduce a resolver command to allow flushing a server from the cache or to flush the complete cache. Contributed by
+  @Omar007 ([#1349](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1349))
+- Improved the handling of restricted join rules and improved the performance of local-first joins. Contributed by
+  @nex. ([#1368](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1368))
+- You can now set a custom User Agent for URL previews; the default one has been modified to be less likely to be
+  rejected. Contributed by @trashpanda ([#1372](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1372))
+- Improved the first-time setup experience for new homeserver administrators:
+    - Account registration is disabled on the first run, except for with a new special registration token that is logged
+      to the console.
+    - Other helpful information is logged to the console as well, including a giant warning if open registration is
+      enabled.
+    - The default index page now says to check the console for setup instructions if no accounts have been created.
+    - Once the first admin account is created, an improved welcome message is sent to the admin room.
+
+  Contributed by @ginger.
+
+## Bugfixes
+
+- Fixed invites sent to other users in the same homeserver not being properly sent down sync. Users with missing or
+  broken invites should clear their client caches after updating to make them appear. ([#1249](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1249))
+- LDAP-enabled servers will no longer have all admins demoted when LDAP-controlled admins are not configured.
+  Contributed by @Jade ([#1307](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1307))
+- Fixed sliding sync not resolving wildcard state key requests, enabling Video/Audio calls in Element X. ([#1370](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1370))
+
+## Misc
+
+- #1344
+
+# Continuwuity v0.5.4 (2026-02-08)
+
+## Features
+
+- The announcement checker will now announce errors it encounters in the first run to the admin room, plus a few other
+  misc improvements. Contributed by @Jade ([#1288](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1288))
+- Drastically improved the performance and reliability of account deactivations. Contributed by
+  @nex ([#1314](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1314))
+- Refuse to process requests for and events in rooms that we no longer have any local users in (reduces state resets
+  and improves performance). Contributed by
+  @nex ([#1316](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1316))
+- Added server-specific admin API routes to ban and unban rooms, for use with moderation bots. Contributed by @nex
+  ([#1301](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1301))
+
+## Bugfixes
+
+- Fix the generated configuration containing uncommented optional sections. Contributed by
+  @Jade ([#1290](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1290))
+- Fixed specification non-compliance when handling remote media errors. Contributed by
+  @nex ([#1298](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1298))
+- UIAA requests which check for out-of-band success (sent by matrix-js-sdk) will no longer create unhelpful errors in
+  the logs. Contributed by @ginger ([#1305](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1305))
+- Use exists instead of contains to save writing to a buffer in `src/service/users/mod.rs`: `is_login_disabled`.
+  Contributed
+  by @aprilgrimoire. ([#1340](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1340))
+- Fixed backtraces being swallowed during panics. Contributed by
+  @jade ([#1337](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1337))
+- Fixed a potential vulnerability that could allow an evil remote server to return malicious events during the room join
+  and knock process. Contributed by @nex, reported by violet & [mat](https://matdoes.dev).
+- Fixed a race condition that could result in outlier PDUs being incorrectly marked as visible to a remote server.
+  Contributed by @nex, reported by violet & [mat](https://matdoes.dev).
+- ACLs are no longer case-sensitive. Contributed by @nex, reported by [vel](matrix:u/vel:nhjkl.com?action=chat).
+
+## Docs
+
+- Fixed Fedora install instructions. Contributed by
+  @julian45 ([#1342](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1342))
+
+# Continuwuity 0.5.3 (2026-01-12)
+
+## Features
+
+- Improve the display of nested configuration with the `!admin server show-config` command. Contributed by
+  @Jade ([#1279](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1279))
+
+## Bugfixes
+
+- Fixed `M_BAD_JSON` error when sending invites to other servers or when providing joins. Contributed by
+  @nex ([#1286](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1286))
+
+## Docs
+
+- Improve admin command documentation generation. Contributed by
+  @ginger ([#1280](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1280))
+
+## Misc
+
+- Improve timeout-related code for federation and URL previews. Contributed by
+  @Jade ([#1278](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1278))
+
 # Continuwuity 0.5.2 (2026-01-09)
 
 ## Features
 
-- Added support for issuing additional registration tokens, stored in the database, which supplement the existing registration token hardcoded in the config file. These tokens may optionally expire after a certain number of uses or after a certain amount of time has passed. Additionally, the `registration_token_file` configuration option is superseded by this feature and **has been removed**. Use the new `!admin token` command family to manage registration tokens. Contributed by @ginger (#783).
-- Implemented a configuration defined admin list independent of the admin room. Contributed by @Terryiscool160. (#1253)
-- Added support for invite and join anti-spam via Draupnir and Meowlnir, similar to that of synapse-http-antispam. Contributed by @nex. (#1263)
-- Implemented account locking functionality, to complement user suspension. Contributed by @nex. (#1266)
-- Added admin command to forcefully log out all of a user's existing sessions. Contributed by @nex. (#1271)
-- Implemented toggling the ability for an account to log in without mutating any of its data. Contributed by @nex. (#1272)
-- Add support for custom room create event timestamps, to allow generating custom prefixes in hashed room IDs. Contributed by @nex. (#1277)
-- Certain potentially dangerous admin commands are now restricted to only be usable in the admin room and server console. Contributed by @ginger.
+- Added support for issuing additional registration tokens, stored in the database, which supplement the existing
+  registration token hardcoded in the config file. These tokens may optionally expire after a certain number of uses or
+  after a certain amount of time has passed. Additionally, the `registration_token_file` configuration option is
+  superseded by this feature and **has been removed**. Use the new `!admin token` command family to manage registration
+  tokens. Contributed by @ginger (#783).
+- Implemented a configuration defined admin list independent of the admin room. Contributed by
+  @Terryiscool160. ([#1253](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1253))
+- Added support for invite and join anti-spam via Draupnir and Meowlnir, similar to that of synapse-http-antispam.
+  Contributed by @nex. ([#1263](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1263))
+- Implemented account locking functionality, to complement user suspension. Contributed by
+  @nex. ([#1266](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1266))
+- Added admin command to forcefully log out all of a user's existing sessions. Contributed by
+  @nex. ([#1271](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1271))
+- Implemented toggling the ability for an account to log in without mutating any of its data. Contributed by @nex. (
+  [#1272](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1272))
+- Add support for custom room create event timestamps, to allow generating custom prefixes in hashed room IDs.
+  Contributed by @nex. ([#1277](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1277))
+- Certain potentially dangerous admin commands are now restricted to only be usable in the admin room and server
+  console. Contributed by @ginger.
 
 ## Bugfixes
 
-- Fixed unreliable room summary fetching and improved error messages. Contributed by @nex. (#1257)
-- Client requested timeout parameter is now applied to e2ee key lookups and claims. Related federation requests are now also concurrent. Contributed by @nex. (#1261)
-- Fixed the whoami endpoint returning HTTP 404 instead of HTTP 403, which confused some appservices. Contributed by @nex. (#1276)
+- Fixed unreliable room summary fetching and improved error messages. Contributed by
+  @nex. ([#1257](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1257))
+- Client requested timeout parameter is now applied to e2ee key lookups and claims. Related federation requests are now
+  also concurrent. Contributed by @nex. ([#1261](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1261))
+- Fixed the whoami endpoint returning HTTP 404 instead of HTTP 403, which confused some appservices. Contributed by
+  @nex. ([#1276](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1276))
 
 ## Misc
 
-- The `console` feature is now enabled by default, allowing the server console to be used for running admin commands directly. To automatically open the console on startup, set the `admin_console_automatic` config option to `true`. Contributed by @ginger.
+- The `console` feature is now enabled by default, allowing the server console to be used for running admin commands
+  directly. To automatically open the console on startup, set the `admin_console_automatic` config option to `true`.
+  Contributed by @ginger.
 - We now (finally) document our container image mirrors. Contributed by @Jade
 
-
 # Continuwuity 0.5.0 (2025-12-30)
 
 **This release contains a CRITICAL vulnerability patch, and you must update as soon as possible**
 
 ## Features
 
-- Enabled the OTLP exporter in default builds, and allow configuring the exporter protocol. (@Jade). (#1251)
+- Enabled the OTLP exporter in default builds, and allow configuring the exporter protocol. (
+  @Jade). ([#1251](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1251))
 
 ## Bug Fixes
 
-- Don't allow admin room upgrades, as this can break the admin room (@timedout) (#1245)
-- Fix invalid creators in power levels during upgrade to v12 (@timedout) (#1245)
+- Don't allow admin room upgrades, as this can break the admin room (
+  @timedout) ([#1245](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1245))
+- Fix invalid creators in power levels during upgrade to v12 (
+  @timedout) ([#1245](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1245))

CONTRIBUTING.md

@@ -85,24 +85,31 @@ ### Matrix tests
 
 ### Writing documentation
 
-Continuwuity's website uses [`mdbook`][mdbook] and is deployed via CI using Cloudflare Pages
+Continuwuity's website uses [`rspress`][rspress] and is deployed via CI using Cloudflare Pages
 in the [`documentation.yml`][documentation.yml] workflow file. All documentation is in the `docs/`
 directory at the top level.
 
-To build the documentation locally:
+To load the documentation locally:
+
+1. Install NodeJS and npm from their [official website][nodejs-download] or via your package manager of choice
+
+2. From the project's root directory, install the relevant npm modules
 
-1. Install mdbook if you don't have it already:
    ```bash
-   cargo install mdbook # or cargo binstall, or another method
+   npm ci
    ```
 
-2. Build the documentation:
+3. Make changes to the document pages as you see fit
+
+4. Generate a live preview of the documentation
+
    ```bash
-   mdbook build
+   npm run docs:dev
    ```
 
-The output of the mdbook generation is in `public/`. You can open the HTML files directly in your browser without needing a web server.
+   A webserver for the docs will be spun up for you (e.g. at `http://localhost:3000`). Any changes you make to the documentation will be live-reloaded on the webpage.
 
+Alternatively, you can build the documentation using `npm run docs:build` - the output of this will be in the `/doc_build` directory. Once you're happy with your documentation updates, you can commit the changes.
 
 ### Commit Messages
 
@@ -169,5 +176,6 @@ ### Creating pull requests
 [continuwuity-matrix]: https://matrix.to/#/#continuwuity:continuwuity.org?via=continuwuity.org&via=ellis.link&via=explodie.org&via=matrix.org
 [complement]: https://github.com/matrix-org/complement/
 [sytest]: https://github.com/matrix-org/sytest/
-[mdbook]: https://rust-lang.github.io/mdBook/
+[nodejs-download]: https://nodejs.org/en/download
+[rspress]: https://rspress.rs/
 [documentation.yml]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/.forgejo/workflows/documentation.yml

Cargo.toml

@@ -12,7 +12,7 @@ license = "Apache-2.0"
 # See also `rust-toolchain.toml`
 readme = "README.md"
 repository = "https://forgejo.ellis.link/continuwuation/continuwuity"
-version = "0.5.2"
+version = "0.5.5"
 
 [workspace.metadata.crane]
 name = "conduwuit"
@@ -68,7 +68,7 @@ default-features = false
 version = "0.1.3"
 
 [workspace.dependencies.rand]
-version = "0.8.5"
+version = "0.10.0"
 
 # Used for the http request / response body type for Ruma endpoints used with reqwest
 [workspace.dependencies.bytes]
@@ -84,7 +84,7 @@ version = "1.3.1"
 version = "1.11.1"
 
 [workspace.dependencies.axum]
-version = "0.7.9"
+version = "0.8.8"
 default-features = false
 features = [
     "form",
@@ -97,7 +97,7 @@ features = [
 ]
 
 [workspace.dependencies.axum-extra]
-version = "0.9.6"
+version = "0.12.0"
 default-features = false
 features = ["typed-header", "tracing"]
 
@@ -110,7 +110,7 @@ default-features = false
 version = "0.7"
 
 [workspace.dependencies.axum-client-ip]
-version = "0.6.1"
+version = "0.7"
 
 [workspace.dependencies.tower]
 version = "0.5.2"
@@ -118,7 +118,7 @@ default-features = false
 features = ["util"]
 
 [workspace.dependencies.tower-http]
-version = "0.6.2"
+version = "0.6.8"
 default-features = false
 features = [
     "add-extension",
@@ -158,7 +158,7 @@ features = ["raw_value"]
 
 # Used for appservice registration files
 [workspace.dependencies.serde-saphyr]
-version = "0.0.10"
+version = "0.0.19"
 
 # Used to load forbidden room/user regex from config
 [workspace.dependencies.serde_regex]
@@ -253,7 +253,7 @@ features = [
 version = "0.4.0"
 
 [workspace.dependencies.libloading]
-version = "0.8.6"
+version = "0.9.0"
 
 # Validating urls in config, was already a transitive dependency
 [workspace.dependencies.url]
@@ -298,7 +298,7 @@ default-features = false
 features = ["env", "toml"]
 
 [workspace.dependencies.hickory-resolver]
-version = "0.25.1"
+version = "0.25.2"
 default-features = false
 features = [
     "serde",
@@ -342,7 +342,8 @@ version = "0.1.2"
 # Used for matrix spec type definitions and helpers
 [workspace.dependencies.ruma]
 git = "https://forgejo.ellis.link/continuwuation/ruwuma"
-rev = "f9e74cb206cfa45cf5f17d39282253b43a15fcd5"
+#branch = "conduwuit-changes"
+rev = "bb12ed288a31a23aa11b10ba0fad22b7f985eb88"
 features = [
     "compat",
     "rand",
@@ -378,7 +379,9 @@ features = [
     "unstable-msc4210", # remove legacy mentions
     "unstable-extensible-events",
     "unstable-pdu",
-    "unstable-msc4155"
+    "unstable-msc4155",
+    "unstable-msc4143", # livekit well_known response
+    "unstable-msc4284"
 ]
 
 [workspace.dependencies.rust-rocksdb]
@@ -423,7 +426,7 @@ features = ["http", "grpc-tonic", "trace", "logs", "metrics"]
 
 # optional sentry metrics for crash/panic reporting
 [workspace.dependencies.sentry]
-version = "0.45.0"
+version = "0.46.0"
 default-features = false
 features = [
     "backtrace",
@@ -439,9 +442,9 @@ features = [
 ]
 
 [workspace.dependencies.sentry-tracing]
-version = "0.45.0"
+version = "0.46.0"
 [workspace.dependencies.sentry-tower]
-version = "0.45.0"
+version = "0.46.0"
 
 # jemalloc usage
 [workspace.dependencies.tikv-jemalloc-sys]
@@ -470,7 +473,7 @@ features = ["use_std"]
 version = "0.5"
 
 [workspace.dependencies.nix]
-version = "0.30.1"
+version = "0.31.0"
 default-features = false
 features = ["resource"]
 
@@ -548,6 +551,12 @@ features = ["sync", "tls-rustls", "rustls-provider"]
 [workspace.dependencies.resolv-conf]
 version = "0.7.5"
 
+[workspace.dependencies.yansi]
+version = "1.0.1"
+
+[workspace.dependencies.askama]
+version = "0.15.0"
+
 #
 # Patches
 #

README.md

@@ -59,7 +59,13 @@ ### Can I try it out?
 
 Check out the [documentation](https://continuwuity.org) for installation instructions.
 
-There are currently no open registration Continuwuity instances available.
+If you want to try it out as a user, we have some partnered homeservers you can use:
+* You can head over to [https://federated.nexus](https://federated.nexus/) in your browser.
+  * Hit the `Apply to Join` button. Once your request has been accepted, you will receive an email with your username and password.
+  * Head over to [https://app.federated.nexus](https://app.federated.nexus/) and you can sign in there, or use any other matrix chat client you wish elsewhere.
+  * Your username for matrix will be in the form of `@username:federated.nexus`, however you can simply use the `username` part to log in. Your password is your password.
+
+* There's also [https://continuwuity.rocks/](https://continuwuity.rocks/). You can register a new account using Cinny via [this convenient link](https://app.cinny.in/register/continuwuity.rocks), or you can use Element or another matrix client *that supports registration*.
 
 ### What are we working on?
 

bin/complement

@@ -2,20 +2,19 @@
 
 set -euo pipefail
 
-# Path to Complement's source code
-#
-# The `COMPLEMENT_SRC` environment variable is set in the Nix dev shell, which
-# points to a store path containing the Complement source code. It's likely you
-# want to just pass that as the first argument to use it here.
+# The root path where complement is available.
 COMPLEMENT_SRC="${COMPLEMENT_SRC:-$1}"
 
 # A `.jsonl` file to write test logs to
-LOG_FILE="${2:-complement_test_logs.jsonl}"
+LOG_FILE="${2:-tests/test_results/complement/test_logs.jsonl}"
 
 # A `.jsonl` file to write test results to
-RESULTS_FILE="${3:-complement_test_results.jsonl}"
+RESULTS_FILE="${3:-tests/test_results/complement/test_results.jsonl}"
 
-COMPLEMENT_BASE_IMAGE="${COMPLEMENT_BASE_IMAGE:-complement-conduwuit:main}"
+# The base docker image to use for complement tests
+# You can build the default with `docker build -t continuwuity:complement -f ./docker/complement.Dockerfile .`
+# after running `cargo build`. Only the debug binary is used.
+COMPLEMENT_BASE_IMAGE="${COMPLEMENT_BASE_IMAGE:-continuwuity:complement}"
 
 # Complement tests that are skipped due to flakiness/reliability issues or we don't implement such features and won't for a long time
 SKIPPED_COMPLEMENT_TESTS='TestPartialStateJoin.*|TestRoomDeleteAlias/Parallel/Regular_users_can_add_and_delete_aliases_when_m.*|TestRoomDeleteAlias/Parallel/Can_delete_canonical_alias|TestUnbanViaInvite.*|TestRoomState/Parallel/GET_/publicRooms_lists.*"|TestRoomDeleteAlias/Parallel/Users_with_sufficient_power-level_can_delete_other.*'
@@ -34,25 +33,6 @@ toplevel="$(git rev-parse --show-toplevel)"
 
 pushd "$toplevel" > /dev/null
 
-if [ ! -f "complement_oci_image.tar.gz" ]; then
-    echo "building complement conduwuit image"
-
-    # if using macOS, use linux-complement
-    #bin/nix-build-and-cache just .#linux-complement
-    bin/nix-build-and-cache just .#complement
-    #nix build -L .#complement
-
-    echo "complement conduwuit image tar.gz built at \"result\""
-
-    echo "loading into docker"
-    docker load < result
-    popd > /dev/null
-else
-    echo "skipping building a complement conduwuit image as complement_oci_image.tar.gz was already found, loading this"
-
-    docker load < complement_oci_image.tar.gz
-    popd > /dev/null
-fi
 
 echo ""
 echo "running go test with:"
@@ -72,24 +52,16 @@ env \
 set -o pipefail
 
 # Post-process the results into an easy-to-compare format, sorted by Test name for reproducible results
-cat "$LOG_FILE" | jq -s -c 'sort_by(.Test)[]' | jq -c '
+jq -s -c 'sort_by(.Test)[]' < "$LOG_FILE" | jq -c '
     select(
         (.Action == "pass" or .Action == "fail" or .Action == "skip")
         and .Test != null
     ) | {Action: .Action, Test: .Test}
     ' > "$RESULTS_FILE"
 
-#if command -v gotestfmt &> /dev/null; then
-#    echo "using gotestfmt on $LOG_FILE"
-#    grep '{"Time":' "$LOG_FILE" | gotestfmt > "complement_test_logs_gotestfmt.log"
-#fi
-
 echo ""
 echo ""
 echo "complement logs saved at $LOG_FILE"
 echo "complement results saved at $RESULTS_FILE"
-#if command -v gotestfmt &> /dev/null; then
-#    echo "complement logs in gotestfmt pretty format outputted at complement_test_logs_gotestfmt.log (use an editor/terminal/pager that interprets ANSI colours and UTF-8 emojis)"
-#fi
 echo ""
 echo ""

changelog.d/1393.bugfix

@@ -0,0 +1 @@
+Removed non-compliant nor functional room alias lookups over federation. Contributed by @nex

changelog.d/1399.feature

@@ -0,0 +1 @@
+Outgoing presence is now disabled by default, and the config option documentation has been adjusted to more accurately represent the weight of presence, typing indicators, and read receipts. Contributed by @nex.

changelog.d/1418.bugfix

@@ -0,0 +1 @@
+Removed ability to set rocksdb as read only. Doing so would cause unintentional and buggy behaviour. Contributed by @Terryiscool160.

changelog.d/1421.bugfix

@@ -0,0 +1 @@
+Fixed a startup crash in the sender service if we can't detect the number of CPU cores, even if the `sender_workers' config option is set correctly. Contributed by @katie.

changelog.d/1428.feature

@@ -0,0 +1 @@
+Improved the concurrency handling of federation transactions, vastly improving performance and reliability by more accurately handling inbound transactions and reducing the amount of repeated wasted work. Contributed by @nex and @Jade.

changelog.d/1435.feature.md

@@ -0,0 +1 @@
+Added MSC3202 Device masquerading (not all of MSC3202). This should fix issues with enabling MSC4190 for some Mautrix bridges. Contributed by @Jade

changelog.d/1441.bugfix

@@ -0,0 +1 @@
+Removed the `allow_public_room_directory_without_auth` config option. Contributed by @0xnim.

changelog.d/1442.feature

@@ -0,0 +1 @@
+Implement MSC4143 MatrixRTC transport discovery endpoint. Move RTC foci configuration from `[global.well_known]` to a new `[global.matrix_rtc]` section with a `foci` field. Contributed by @0xnim

changelog.d/1445.bugfix

@@ -0,0 +1 @@
+Fixed sliding sync v5 list ranges always starting from 0, causing extra rooms to be unnecessarily processed and returned. Contributed by @0xnim

changelog.d/list-backups-formatting.feature

@@ -0,0 +1 @@
+Updated `list-backups` admin command to output one backup per line.

changelog.d/url-preview-fix.feature

@@ -0,0 +1 @@
+Improved URL preview fetching with a more compatible user agent for sites like YouTube Music. Added `!admin media delete-url-preview <url>` command to clear cached URL previews that were stuck and broken.

complement/complement-entrypoint.sh

@@ -0,0 +1,67 @@
+#!/usr/bin/env bash
+set -xe
+# If we have no $SERVER_NAME set, abort
+if [ -z "$SERVER_NAME" ]; then
+  echo "SERVER_NAME is not set, aborting"
+  exit 1
+fi
+
+# If /complement/ca/ca.crt or /complement/ca/ca.key are missing, abort
+if [ ! -f /complement/ca/ca.crt ] || [ ! -f /complement/ca/ca.key ]; then
+  echo "/complement/ca/ca.crt or /complement/ca/ca.key is missing, aborting"
+  exit 1
+fi
+
+# Add the root cert to the local trust store
+echo 'Installing Complement CA certificate to local trust store'
+cp /complement/ca/ca.crt /usr/local/share/ca-certificates/complement-ca.crt
+update-ca-certificates
+
+# Sign a certificate for our $SERVER_NAME
+echo "Generating and signing certificate for $SERVER_NAME"
+openssl genrsa -out "/$SERVER_NAME.key" 2048
+
+echo "Generating CSR for $SERVER_NAME"
+openssl req -new -sha256 \
+  -key "/$SERVER_NAME.key" \
+  -out "/$SERVER_NAME.csr" \
+  -subj "/C=US/ST=CA/O=Continuwuity, Inc./CN=$SERVER_NAME"\
+  -addext "subjectAltName=DNS:$SERVER_NAME"
+openssl req -in "$SERVER_NAME.csr" -noout -text
+
+echo "Signing certificate for $SERVER_NAME with Complement CA"
+cat <<EOF > ./cert.ext
+authorityKeyIdentifier=keyid,issuer
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = *.docker.internal
+DNS.2 = hs1
+DNS.3 = hs2
+DNS.4 = hs3
+DNS.5 = hs4
+DNS.6 = $SERVER_NAME
+IP.1 = 127.0.0.1
+EOF
+openssl x509 \
+  -req \
+  -in "/$SERVER_NAME.csr" \
+  -CA /complement/ca/ca.crt \
+  -CAkey /complement/ca/ca.key \
+  -CAcreateserial \
+  -out "/$SERVER_NAME.crt" \
+  -days 1 \
+  -sha256 \
+  -extfile ./cert.ext
+
+# Tell continuwuity where to find the certs
+export CONTINUWUITY_TLS__KEY="/$SERVER_NAME.key"
+export CONTINUWUITY_TLS__CERTS="/$SERVER_NAME.crt"
+# And who it is
+export CONTINUWUITY_SERVER_NAME="$SERVER_NAME"
+
+echo "Starting Continuwuity with SERVER_NAME=$SERVER_NAME"
+# Start continuwuity
+/usr/local/bin/conduwuit --config /etc/continuwuity/config.toml

complement/complement.config.toml

@@ -0,0 +1,53 @@
+# ============================================= #
+# Complement pre-filled configuration file      #
+#
+# DANGER: THIS FILE FORCES INSECURE VALUES.     #
+# DO NOT USE OUTSIDE THE TEST SUITE ENV!        #
+# ============================================= #
+[global]
+address = "0.0.0.0"
+allow_device_name_federation = true
+allow_guest_registration = true
+allow_public_room_directory_over_federation = true
+allow_registration = true
+database_path = "/database"
+log = "trace,h2=debug,hyper=debug,conduwuit_database=warn,conduwuit_service::manager=info,conduwuit_api::router=error,conduwuit_router=error,tower_http=error"
+port = [8008, 8448]
+trusted_servers = []
+only_query_trusted_key_servers = false
+query_trusted_key_servers_first = false
+query_trusted_key_servers_first_on_join = false
+yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse = true
+ip_range_denylist = []
+url_preview_domain_contains_allowlist = ["*"]
+url_preview_domain_explicit_denylist = ["*"]
+media_compat_file_link = false
+media_startup_check = true
+prune_missing_media = true
+log_colors = false
+admin_room_notices = false
+allow_check_for_updates = false
+intentionally_unknown_config_option_for_testing = true
+rocksdb_log_level = "info"
+rocksdb_max_log_files = 1
+rocksdb_recovery_mode = 0
+rocksdb_paranoid_file_checks = true
+log_guest_registrations = false
+allow_legacy_media = true
+startup_netburst = true
+startup_netburst_keep = -1
+allow_invalid_tls_certificates_yes_i_know_what_the_fuck_i_am_doing_with_this_and_i_know_this_is_insecure = true
+dns_timeout = 60
+dns_attempts = 20
+request_conn_timeout = 60
+request_timeout = 120
+well_known_conn_timeout = 60
+well_known_timeout = 60
+federation_idle_timeout = 300
+sender_timeout = 300
+sender_idle_timeout = 300
+sender_retry_backoff_limit = 300
+force_disable_first_run_mode = true
+
+[global.tls]
+dual_protocol = true

conduwuit-example.toml

@@ -290,6 +290,25 @@
 #
 #max_fetch_prev_events = 192
 
+# How many incoming federation transactions the server is willing to be
+# processing at any given time before it becomes overloaded and starts
+# rejecting further transactions until some slots become available.
+#
+# Setting this value too low or too high may result in unstable
+# federation, and setting it too high may cause runaway resource usage.
+#
+#max_concurrent_inbound_transactions = 150
+
+# Maximum age (in seconds) for cached federation transaction responses.
+# Entries older than this will be removed during cleanup.
+#
+#transaction_id_cache_max_age_secs = 7200 (2 hours)
+
+# Maximum number of cached federation transaction responses.
+# When the cache exceeds this limit, older entries will be removed.
+#
+#transaction_id_cache_max_entries = 8192
+
 # Default/base connection timeout (seconds). This is used only by URL
 # previews and update/news endpoint checks.
 #
@@ -433,7 +452,7 @@
 # If you would like registration only via token reg, please configure
 # `registration_token`.
 #
-#allow_registration = false
+#allow_registration = true
 
 # If registration is enabled, and this setting is true, new users
 # registered after the first admin user will be automatically suspended
@@ -527,12 +546,6 @@
 #
 #allow_public_room_directory_over_federation = false
 
-# Set this to true to allow your server's public room directory to be
-# queried without client authentication (access token) through the Client
-# APIs. Set this to false to protect against /publicRooms spiders.
-#
-#allow_public_room_directory_without_auth = false
-
 # Allow guests/unauthenticated users to access TURN credentials.
 #
 # This is the equivalent of Synapse's `turn_allow_guests` config option.
@@ -1056,14 +1069,6 @@
 #
 #rocksdb_repair = false
 
-# This item is undocumented. Please contribute documentation for it.
-#
-#rocksdb_read_only = false
-
-# This item is undocumented. Please contribute documentation for it.
-#
-#rocksdb_secondary = false
-
 # Enables idle CPU priority for compaction thread. This is not enabled by
 # default to prevent compaction from falling too far behind on busy
 # systems.
@@ -1120,27 +1125,34 @@
 
 # Allow local (your server only) presence updates/requests.
 #
-# Note that presence on continuwuity is very fast unlike Synapse's. If
-# using outgoing presence, this MUST be enabled.
+# Local presence must be enabled for outgoing presence to function.
+#
+# Note that local presence is not as heavy on the CPU as federated
+# presence, but will still become more expensive the more local users you
+# have.
 #
 #allow_local_presence = true
 
-# Allow incoming federated presence updates/requests.
+# Allow incoming federated presence updates.
 #
-# This option receives presence updates from other servers, but does not
-# send any unless `allow_outgoing_presence` is true. Note that presence on
-# continuwuity is very fast unlike Synapse's.
+# This option enables processing inbound presence updates from other
+# servers. Without it, remote users will appear as if they are always
+# offline to your local users. This does not affect typing indicators or
+# read receipts.
 #
 #allow_incoming_presence = true
 
 # Allow outgoing presence updates/requests.
 #
-# This option sends presence updates to other servers, but does not
-# receive any unless `allow_incoming_presence` is true. Note that presence
-# on continuwuity is very fast unlike Synapse's. If using outgoing
-# presence, you MUST enable `allow_local_presence` as well.
+# This option sends presence updates to other servers, and requires that
+# `allow_local_presence` is also enabled.
 #
-#allow_outgoing_presence = true
+# Note that outgoing presence is very heavy on the CPU and network, and
+# will typically cause extreme strain and slowdowns for no real benefit.
+# There are only a few clients that even implement presence, so you
+# probably don't want to enable this.
+#
+#allow_outgoing_presence = false
 
 # How many seconds without presence updates before you become idle.
 # Defaults to 5 minutes.
@@ -1174,6 +1186,10 @@
 
 # Allow sending read receipts to remote servers.
 #
+# Note that sending read receipts to remote servers in large rooms with
+# lots of other homeservers may cause additional strain on the CPU and
+# network.
+#
 #allow_outgoing_read_receipts = true
 
 # Allow local typing updates.
@@ -1185,6 +1201,10 @@
 
 # Allow outgoing typing updates to federation.
 #
+# Note that sending typing indicators to remote servers in large rooms
+# with lots of other homeservers may cause additional strain on the CPU
+# and network.
+#
 #allow_outgoing_typing = true
 
 # Allow incoming typing updates from federation.
@@ -1318,7 +1338,7 @@
 # sender user's server name, inbound federation X-Matrix origin, and
 # outbound federation handler.
 #
-# You can set this to ["*"] to block all servers by default, and then
+# You can set this to [".*"] to block all servers by default, and then
 # use `allowed_remote_server_names` to allow only specific servers.
 #
 # example: ["badserver\\.tld$", "badphrase", "19dollarfortnitecards"]
@@ -1474,6 +1494,10 @@
 #
 #url_preview_check_root_domain = false
 
+# User agent that is used specifically when fetching url previews.
+#
+#url_preview_user_agent = "continuwuity/<version> (bot; +https://continuwuity.org)"
+
 # List of forbidden room aliases and room IDs as strings of regex
 # patterns.
 #
@@ -1759,10 +1783,6 @@
 #
 #config_reload_signal = true
 
-# This item is undocumented. Please contribute documentation for it.
-#
-#ldap = false
-
 [global.tls]
 
 # Path to a valid TLS certificate file.
@@ -1824,6 +1844,16 @@
 #
 #support_mxid =
 
+# **DEPRECATED**: Use `[global.matrix_rtc].foci` instead.
+#
+# A list of MatrixRTC foci URLs which will be served as part of the
+# MSC4143 client endpoint at /.well-known/matrix/client.
+#
+# This option is deprecated and will be removed in a future release.
+# Please migrate to the new `[global.matrix_rtc]` config section.
+#
+#rtc_focus_server_urls = []
+
 [global.blurhashing]
 
 # blurhashing x component, 4 is recommended by https://blurha.sh/
@@ -1842,6 +1872,23 @@
 #
 #blurhash_max_raw_size = 33554432
 
+[global.matrix_rtc]
+
+# A list of MatrixRTC foci (transports) which will be served via the
+# MSC4143 RTC transports endpoint at
+# `/_matrix/client/v1/rtc/transports`. If you're setting up livekit,
+# you'd want something like:
+# ```toml
+# [global.matrix_rtc]
+# foci = [
+#     { type = "livekit", livekit_service_url = "https://livekit.example.com" },
+# ]
+# ```
+#
+# To disable, set this to an empty list (`[]`).
+#
+#foci = []
+
 [global.ldap]
 
 # Whether to enable LDAP login.
@@ -1930,7 +1977,9 @@
 #
 #admin_filter = ""
 
-[global.antispam.meowlnir]
+#[global.antispam]
+
+#[global.antispam.meowlnir]
 
 # The base URL on which to contact Meowlnir (before /_meowlnir/antispam).
 #
@@ -1955,7 +2004,7 @@
 #
 #check_all_joins = false
 
-[global.antispam.draupnir]
+#[global.antispam.draupnir]
 
 # The base URL on which to contact Draupnir (before /api/).
 #

docker/Dockerfile

@@ -48,11 +48,11 @@ EOF
 
 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.16.6
+ENV BINSTALL_VERSION=1.17.5
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree
-ENV LDDTREE_VERSION=0.4.0
+ENV LDDTREE_VERSION=0.5.0
 # renovate: datasource=crate depName=timelord-cli
 ENV TIMELORD_VERSION=3.0.1
 
@@ -162,6 +162,7 @@ ENV CONDUWUIT_VERSION_EXTRA=$CONDUWUIT_VERSION_EXTRA
 ENV CONTINUWUITY_VERSION_EXTRA=$CONTINUWUITY_VERSION_EXTRA
 
 ARG RUST_PROFILE=release
+ARG CARGO_FEATURES="default,http3"
 
 # Build the binary
 RUN --mount=type=cache,target=/usr/local/cargo/registry \
@@ -171,11 +172,20 @@ RUN --mount=type=cache,target=/usr/local/cargo/registry \
     set -o allexport
     set -o xtrace
     . /etc/environment
+
+    # Check if http3 feature is enabled and set appropriate RUSTFLAGS
+    if echo "${CARGO_FEATURES}" | grep -q "http3"; then
+        export RUSTFLAGS="${RUSTFLAGS} --cfg reqwest_unstable"
+    else
+        export RUSTFLAGS="${RUSTFLAGS}"
+    fi
+
     TARGET_DIR=($(cargo metadata --no-deps --format-version 1 | \
             jq -r ".target_directory"))
     mkdir /out/sbin
     PACKAGE=conduwuit
     xx-cargo build --locked --profile ${RUST_PROFILE} \
+        --no-default-features --features ${CARGO_FEATURES} \
         -p $PACKAGE;
     BINARIES=($(cargo metadata --no-deps --format-version 1 | \
         jq -r ".packages[] | select(.name == \"$PACKAGE\") | .targets[] | select( .kind | map(. == \"bin\") | any ) | .name"))

docker/complement.Dockerfile

@@ -0,0 +1,11 @@
+FROM ubuntu:latest
+EXPOSE 8008
+EXPOSE 8448
+RUN apt-get update && apt-get install -y ca-certificates liburing2 && rm -rf /var/lib/apt/lists/*
+RUN mkdir -p /etc/continuwuity /var/lib/continuwuity /usr/local/bin/
+COPY complement/complement-entrypoint.sh /usr/local/bin/complement-entrypoint.sh
+COPY complement/complement.config.toml /etc/continuwuity/config.toml
+COPY target/debug/conduwuit /usr/local/bin/conduwuit
+RUN chmod +x /usr/local/bin/conduwuit /usr/local/bin/complement-entrypoint.sh
+#HEALTHCHECK --interval=30s --timeout=5s CMD curl --fail http://localhost:8008/_continuwuity/server_version || exit 1
+ENTRYPOINT ["/usr/local/bin/complement-entrypoint.sh"]

docker/musl.Dockerfile

@@ -18,11 +18,11 @@ RUN --mount=type=cache,target=/etc/apk/cache apk add \
 
 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.16.6
+ENV BINSTALL_VERSION=1.17.5
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree
-ENV LDDTREE_VERSION=0.4.0
+ENV LDDTREE_VERSION=0.5.0
 
 # Install unpackaged tools
 RUN <<EOF

docs/_meta.json

@@ -15,9 +15,9 @@
         "label": "Deploying"
     },
     {
-        "type": "file",
-        "name": "turn",
-        "label": "TURN"
+        "type": "dir",
+        "name": "calls",
+        "label": "Calls"
     },
     {
         "type": "file",
@@ -34,6 +34,14 @@
         "name": "troubleshooting",
         "label": "Troubleshooting"
     },
+    "security",
+    {
+        "type": "dir-section-header",
+        "name": "community",
+        "label": "Community",
+        "collapsible": true,
+        "collapsed": false
+    },
     {
         "type": "divider"
     },
@@ -63,7 +71,5 @@
     },
     {
         "type": "divider"
-    },
-    "community",
-    "security"
+    }
 ]

docs/_nav.json

@@ -2,7 +2,7 @@
     {
         "text": "Guide",
         "link": "/introduction",
-        "activeMatch": "^/(introduction|configuration|deploying|turn|appservices|maintenance|troubleshooting)"
+        "activeMatch": "^/(introduction|configuration|deploying|calls|appservices|maintenance|troubleshooting)"
     },
     {
         "text": "Development",
@@ -19,16 +19,21 @@
             {
                 "text": "Admin Command Reference",
                 "link": "/reference/admin/"
-            },
-            {
-                "text": "Server Reference",
-                "link": "/reference/server"
             }
         ]
     },
     {
         "text": "Community",
-        "link": "/community"
+        "items": [
+            {
+                "text": "Community Guidelines",
+                "link": "/community/guidelines"
+            },
+            {
+                "text": "Become a Partnered Homeserver!",
+                "link": "/community/ops-guidelines"
+            }
+        ]
     },
     {
         "text": "Security",

docs/calls.mdx

@@ -0,0 +1,13 @@
+# Calls
+
+Matrix supports two types of calls:
+
+- Element Call powered by [MatrixRTC](https://half-shot.github.io/msc-crafter/#msc/4143) and [LiveKit](https://github.com/livekit/livekit)
+- Legacy calls, sometimes using Jitsi
+
+Both types of calls are supported by different sets of clients, but most clients are moving towards MatrixRTC / Element Call.
+
+For either one to work correctly, you have to do some additional setup.
+
+- For legacy calls to work, you need to set up a TURN/STUN server. [Read the TURN guide for tips on how to set up coturn](./calls/turn.mdx)
+- For MatrixRTC / Element Call to work, you have to set up the LiveKit backend (foci). LiveKit also uses TURN/STUN to increase reliability, so you might want to configure your TURN server first. [Read the LiveKit guide](./calls/livekit.mdx)

docs/calls/_meta.json

@@ -0,0 +1,12 @@
+[
+    {
+        "type": "file",
+        "name": "turn",
+        "label": "TURN"
+    },
+    {
+        "type": "file",
+        "name": "livekit",
+        "label": "MatrixRTC / LiveKit"
+    }
+]

docs/calls/livekit.mdx

@@ -0,0 +1,240 @@
+# Matrix RTC/Element Call Setup
+
+:::info
+This guide assumes that you are using docker compose for deployment. LiveKit only provides Docker images.
+:::
+
+## Instructions
+
+### 1. Domain
+
+LiveKit should live on its own domain or subdomain. In this guide we use `livekit.example.com` - this should be replaced with a domain you control.
+
+Make sure the DNS record for the (sub)domain you plan to use is pointed to your server.
+
+### 2. Services
+
+Using LiveKit with Matrix requires two services - Livekit itself, and a service (`lk-jwt-service`) that grants Matrix users permission to connect to it.
+
+You must generate a key and secret to allow the Matrix service to authenticate with LiveKit. `LK_MATRIX_KEY` should be around 20 random characters, and `LK_MATRIX_SECRET` should be around 64. Remember to replace these with the actual values!
+
+:::tip Generating the secrets
+LiveKit provides a utility to generate secure random keys
+```bash
+docker run --rm livekit/livekit-server:latest generate-keys
+```
+:::
+
+```yaml
+services:
+  lk-jwt-service:
+    image: ghcr.io/element-hq/lk-jwt-service:latest
+    container_name: lk-jwt-service
+    environment:
+      - LIVEKIT_JWT_BIND=:8081
+      - LIVEKIT_URL=wss://livekit.example.com
+      - LIVEKIT_KEY=LK_MATRIX_KEY
+      - LIVEKIT_SECRET=LK_MATRIX_SECRET
+      - LIVEKIT_FULL_ACCESS_HOMESERVERS=example.com
+    restart: unless-stopped
+    ports:
+      - "8081:8081"
+
+  livekit:
+    image: livekit/livekit-server:latest
+    container_name: livekit
+    command: --config /etc/livekit.yaml
+    restart: unless-stopped
+    volumes:
+      - ./livekit.yaml:/etc/livekit.yaml:ro
+    network_mode: "host" # /!\ LiveKit binds to all addresses by default.
+    # Make sure port 7880 is blocked by your firewall to prevent access bypassing your reverse proxy
+    # Alternatively, uncomment the lines below and comment `network_mode: "host"` above to specify port mappings.
+#    ports:
+#      - "127.0.0.1:7880:7880/tcp"
+#      - "7881:7881/tcp"
+#      - "50100-50200:50100-50200/udp"
+```
+
+Next, we need to configure LiveKit. In the same directory, create `livekit.yaml` with the following content - remembering to replace `LK_MATRIX_KEY` and `LK_MATRIX_SECRET` with the values you generated:
+
+```yaml
+port: 7880
+bind_addresses:
+  - ""
+rtc:
+  tcp_port: 7881
+  port_range_start: 50100
+  port_range_end: 50200
+  use_external_ip: true
+  enable_loopback_candidate: false
+keys:
+  LK_MATRIX_KEY: LK_MATRIX_SECRET
+```
+
+#### Firewall hints
+
+You will need to allow ports `7881/tcp` and `50100:50200/udp` through your firewall. If you use UFW, the commands are: `ufw allow 7881/tcp` and `ufw allow 50100:50200/udp`.
+
+### 3. Telling clients where to find LiveKit
+
+To tell clients where to find LiveKit, you need to add the address of your `lk-jwt-service` to the `[global.matrix_rtc]` config section using the `foci` option.
+
+The variable should be a list of servers serving as MatrixRTC endpoints. Clients discover these via the `/_matrix/client/v1/rtc/transports` endpoint (MSC4143).
+
+```toml
+[global.matrix_rtc]
+foci = [
+    { type = "livekit", livekit_service_url = "https://livekit.example.com" },
+]
+```
+
+Remember to replace the URL with the address you are deploying your instance of lk-jwt-service to.
+
+### 4. Configure your Reverse Proxy
+
+Reverse proxies can be configured in many different ways - so we can't provide a step by step for this.
+
+By default, all routes should be forwarded to Livekit with the exception of the following path prefixes, which should be forwarded to the JWT/Authentication service:
+
+- `/sfu/get`
+- `/healthz`
+- `/get_token`
+
+<details>
+    <summary>Example caddy config</summary>
+    ```
+    matrix-rtc.example.com {
+
+        # for lk-jwt-service
+        @lk-jwt-service path /sfu/get* /healthz* /get_token*
+        route @lk-jwt-service {
+            reverse_proxy 127.0.0.1:8081
+        }
+
+        # for livekit
+        reverse_proxy 127.0.0.1:7880
+    }
+    ```
+</details>
+
+<details>
+    <summary>Example nginx config</summary>
+    ```
+    server {
+        server_name matrix-rtc.example.com;
+
+        # for lk-jwt-service
+        location ~ ^/(sfu/get|healthz|get_token) {
+            proxy_pass http://127.0.0.1:8081$request_uri;
+            proxy_set_header X-Forwarded-For $remote_addr;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header Host $http_host;
+            proxy_buffering off;
+        }
+
+        # for livekit
+        location / {
+            proxy_pass http://127.0.0.1:7880$request_uri;
+            proxy_set_header X-Forwarded-For $remote_addr;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header Host $http_host;
+            proxy_buffering off;
+
+            # websocket
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection $connection_upgrade;
+        }
+    }
+    ```
+
+    Note that for websockets to work, you need to have this somewhere outside your server block:
+    ```
+    map $http_upgrade $connection_upgrade {
+        default upgrade;
+        ''      close;
+    }
+    ```
+</details>
+
+<details>
+    <summary>Example traefik router</summary>
+    ```
+    # on LiveKit itself
+    traefik.http.routers.livekit.rule=Host(`livekit.example.com`)
+    # on the JWT service
+    traefik.http.routers.livekit-jwt.rule=Host(`livekit.example.com`) && (PathPrefix(`/sfu/get`) || PathPrefix(`/healthz`) || PathPrefix(`/get_token`))
+    ```
+</details>
+
+
+### 6. Start Everything
+
+Start up the services using your usual method - for example `docker compose up -d`.
+
+## Additional Configuration
+
+### TURN Integration
+
+If you've already set up coturn, there may be a port clash between the two services. To fix this, make sure the `min-port` and `max-port` for coturn so it doesn't overlap with LiveKit's range:
+
+```ini
+min-port=50201
+max-port=65535
+```
+
+To improve LiveKit's reliability, you can configure it to use your coturn server.
+
+Generate a long random secret for LiveKit, and add it to your coturn config under the `static-auth-secret` option. You can add as many secrets as you want - so set a different one for each thing using your TURN server.
+
+Then configure livekit, making sure to replace `COTURN_SECRET`:
+
+```yaml
+# livekit.yaml
+rtc:
+  turn_servers:
+    - host: coturn.ellis.link
+      port: 3478
+      protocol: tcp
+      secret: "COTURN_SECRET"
+    - host: coturn.ellis.link
+      port: 5349
+      protocol: tls # Only if you've set up TLS in your coturn
+      secret: "COTURN_SECRET"
+    - host: coturn.ellis.link
+      port: 3478
+      protocol: udp
+      secret: "COTURN_SECRET"
+```
+
+## LiveKit's built in TURN server
+
+Livekit includes a built in TURN server which can be used in place of an external option. This TURN server will only work with Livekit, so you can't use it for legacy Matrix calling - or anything else.
+
+If you don't want to set up a separate TURN server, you can enable this with the following changes:
+
+```yaml
+### add this to livekit.yaml ###
+turn:
+  enabled: true
+  udp_port: 3478
+  relay_range_start: 50300
+  relay_range_end: 50400
+  domain: matrix-rtc.example.com
+```
+
+```yaml
+### Add these to docker-compose ###
+- "3478:3478/udp"
+- "50300-50400:50300-50400/udp"
+```
+
+### Related Documentation
+
+- [LiveKit GitHub](https://github.com/livekit/livekit)
+- [LiveKit Connection Tester](https://livekit.io/connection-test) - use with the token returned by `/sfu/get` or `/get_token`
+- [MatrixRTC proposal](https://half-shot.github.io/msc-crafter/#msc/4143)
+- [Synapse documentation](https://github.com/element-hq/element-call/blob/livekit/docs/self-hosting.md)
+- [Community guide](https://tomfos.tr/matrix/livekit/)
+- [Community guide](https://blog.kimiblock.top/2024/12/24/hosting-element-call/)

docs/calls/turn.mdx

@@ -0,0 +1,214 @@
+# Setting up TURN/STUN
+
+[TURN](https://en.wikipedia.org/wiki/Traversal_Using_Relays_around_NAT) and [STUN](https://en.wikipedia.org/wiki/STUN) are used as a component in many calling systems. Matrix uses them directly for legacy calls and indirectly for MatrixRTC via Livekit.
+
+Continuwuity recommends using [Coturn](https://github.com/coturn/coturn) as your TURN/STUN server, which is available as a Docker image or a distro package.
+
+## Installing Coturn
+
+### Configuration
+
+Create a configuration file called `coturn.conf` containing:
+
+```ini
+use-auth-secret
+static-auth-secret=<a secret key>
+realm=<your server domain>
+```
+
+:::tip Generating a secure secret
+A common way to generate a suitable alphanumeric secret key is by using:
+```bash
+pwgen -s 64 1
+```
+:::
+
+#### Port Configuration
+
+By default, coturn uses the following ports:
+- `3478` (UDP/TCP): Standard TURN/STUN port
+- `5349` (UDP/TCP): TURN/STUN over TLS
+- `49152-65535` (UDP): Media relay ports
+
+If you're also running LiveKit, you'll need to avoid port conflicts. Configure non-overlapping port ranges:
+
+```ini
+# In coturn.conf
+min-port=50201
+max-port=65535
+```
+
+This leaves ports `50100-50200` available for LiveKit's default configuration.
+
+### Running with Docker
+
+Run the [Coturn](https://hub.docker.com/r/coturn/coturn) image using:
+
+```bash
+docker run -d --network=host \
+  -v $(pwd)/coturn.conf:/etc/coturn/turnserver.conf \
+  coturn/coturn
+```
+
+### Running with Docker Compose
+
+Create a `docker-compose.yml` file and run `docker compose up -d`:
+
+```yaml
+version: '3'
+services:
+  turn:
+    container_name: coturn-server
+    image: docker.io/coturn/coturn
+    restart: unless-stopped
+    network_mode: "host"
+    volumes:
+      - ./coturn.conf:/etc/coturn/turnserver.conf
+```
+
+:::info Why host networking?
+Coturn uses host networking mode because it needs to bind to multiple ports and work with various network protocols. Using host networking is better for performance, and reduces configuration complexity. To understand alternative configuration options, visit [Coturn's Docker documentation](https://github.com/coturn/coturn/blob/master/docker/coturn/README.md).
+:::
+
+### Security Recommendations
+
+For security best practices, see Synapse's [Coturn documentation](https://element-hq.github.io/synapse/latest/turn-howto.html), which includes important firewall and access control recommendations.
+
+## Configuring Continuwuity
+
+Once your TURN server is running, configure Continuwuity to provide credentials to clients. Add the following to your Continuwuity configuration file:
+
+### Shared Secret Authentication (Recommended)
+
+This is the most secure method and generates time-limited credentials automatically:
+
+```toml
+# TURN URIs that clients should connect to
+turn_uris = [
+    "turn:coturn.example.com?transport=udp",
+    "turn:coturn.example.com?transport=tcp",
+    "turns:coturn.example.com?transport=udp",
+    "turns:coturn.example.com?transport=tcp"
+]
+
+# Shared secret for generating credentials (must match coturn's static-auth-secret)
+turn_secret = "<your coturn static-auth-secret>"
+
+# Optional: Read secret from a file instead (takes priority over turn_secret)
+# turn_secret_file = "/etc/continuwuity/.turn_secret"
+
+# TTL for generated credentials in seconds (default: 86400 = 24 hours)
+turn_ttl = 86400
+```
+
+:::tip Using TLS
+The `turns:` URI prefix instructs clients to connect to TURN over TLS, which is highly recommended for security. Make sure you've configured TLS in your coturn server first.
+:::
+
+### Static Credentials (Alternative)
+
+If you prefer static username/password credentials instead of shared secrets:
+
+```toml
+turn_uris = [
+    "turn:coturn.example.com?transport=udp",
+    "turn:coturn.example.com?transport=tcp"
+]
+
+turn_username = "your_username"
+turn_password = "your_password"
+```
+
+:::warning
+Static credentials are less secure than shared secrets because they don't expire and must be configured in coturn separately. It is strongly advised you use shared secret authentication.
+:::
+
+### Guest Access
+
+By default, TURN credentials require client authentication. To allow unauthenticated access:
+
+```toml
+turn_allow_guests = true
+```
+
+:::caution
+This is not recommended as it allows unauthenticated users to access your TURN server, potentially enabling abuse by bots. All major Matrix clients that support legacy calls *also* support authenticated TURN access.
+:::
+
+### Important Notes
+
+- Replace `coturn.example.com` with your actual TURN server domain (the `realm` from coturn.conf)
+- The `turn_secret` must match the `static-auth-secret` in your coturn configuration
+- Restart or reload Continuwuity after making configuration changes
+
+## Testing Your TURN Server
+
+### Testing Credentials
+
+Verify that Continuwuity is correctly serving TURN credentials to clients:
+
+```bash
+curl "https://matrix.example.com/_matrix/client/r0/voip/turnServer" \
+  -H "Authorization: Bearer <your_client_token>" | jq
+```
+
+You should receive a response like this:
+
+```json
+{
+  "username": "1752792167:@jade:example.com",
+  "password": "KjlDlawdPbU9mvP4bhdV/2c/h65=",
+  "uris": [
+    "turns:coturn.example.com?transport=udp",
+    "turns:coturn.example.com?transport=tcp",
+    "turn:coturn.example.com?transport=udp",
+    "turn:coturn.example.com?transport=tcp"
+  ],
+  "ttl": 86400
+}
+```
+
+:::note MSC4166 Compliance
+If no TURN URIs are configured (`turn_uris` is empty), Continuwuity will return a 404 Not Found response, as specified in MSC4166.
+:::
+
+### Testing Connectivity
+
+Use [Trickle ICE](https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/) to verify that the TURN credentials actually work:
+
+1. Copy the credentials from the response above
+2. Paste them into the Trickle ICE testing tool
+3. Click "Gather candidates"
+4. Look for successful `relay` candidates in the results
+
+If you see relay candidates, your TURN server is working correctly!
+
+## Troubleshooting
+
+### Clients can't connect to TURN server
+
+- Verify firewall rules allow the necessary ports (3478, 5349, and your media port range)
+- Check that DNS resolves correctly for your TURN domain
+- Ensure your `turn_secret` matches coturn's `static-auth-secret`
+- Test with Trickle ICE to isolate the issue
+
+### Port conflicts with LiveKit
+
+- Make sure coturn's `min-port` starts above LiveKit's `port_range_end` (default: 50200)
+- Or adjust LiveKit's port range to avoid coturn's default range
+
+### 404 when calling turnServer endpoint
+
+- Verify that `turn_uris` is not empty in your Continuwuity config
+- This behavior is correct per MSC4166 if no TURN URIs are configured
+
+### Credentials expire too quickly
+
+- Adjust the `turn_ttl` value in your Continuwuity configuration
+- Default is 86400 seconds (24 hours)
+
+### Related Documentation
+
+- [MatrixRTC/LiveKit Setup](./livekit.mdx) - Configure group calling with LiveKit
+- [Coturn GitHub](https://github.com/coturn/coturn) - Official coturn repository
+- [Synapse TURN Guide](https://element-hq.github.io/synapse/latest/turn-howto.html) - Additional security recommendations

docs/community/_meta.json

@@ -0,0 +1,12 @@
+[
+    {
+        "type": "file",
+        "name": "guidelines",
+        "label": "Community Guidelines"
+    },
+    {
+        "type": "file",
+        "name": "ops-guidelines",
+        "label": "Partnered Homeserver Guidelines"
+    }
+]

docs/community/ops-guidelines.mdx

@@ -0,0 +1,32 @@
+# Partnered Homeserver Operator Requirements
+> _So you want to be an officially sanctioned public Continuwuity homeserver operator?_
+
+Thank you for your interest in the project! There's a few things we need from you first to make sure your homeserver meets our quality standards and that you are prepared to handle the additional workload introduced by operating a public chat service.
+
+## Stuff you must have
+if you don't do these things we will tell you to go away
+
+- Your homeserver must be running an up-to-date version of Continuwuity
+- You must have a CAPTCHA, external registration system, or apply-to-join system that provides one-time-use invite codes (we do not accept fully open nor static token registration)
+- Your homeserver must have support details listed in [`/.well-known/matrix/support`](https://spec.matrix.org/v1.17/client-server-api/#getwell-knownmatrixsupport)
+- Your rules and guidelines must align with [the project's own code of conduct](guidelines).
+- You must be reasonably responsive (i.e. don't leave us hanging for a week if we alert you to an issue on your server)
+- Your homeserver's community rooms (if any) must be protected by a moderation bot subscribed to policy lists like the Community Moderation Effort (you can get one from https://asgard.chat if you don't want to run your own)
+
+## Stuff we encourage you to have
+not strictly required but we will consider your request more strongly if you have it
+
+- You should have automated moderation tooling that can automatically suspend abusive users on your homeserver who are added to policy lists
+- You should have multiple server administrators (increased bus factor)
+- You should have a terms of service and privacy policy prominently available
+
+## Stuff you get
+
+- Prominent listing in our README!
+- A gold star sticker
+- Access to a low noise room for more direct communication with maintainers and collaboration with fellow operators
+- Read-only access to the continuwuity internal ban list
+- Early notice of upcoming releases
+
+## Sound good?
+To get started, ping a team member in [our main chatroom](https://matrix.to/#/#continuwuity:continuwuity.org) and ask to be added to the list.

docs/deploying/docker.mdx

@@ -217,4 +217,4 @@ ### Use Traefik as Proxy
 
 ## Voice communication
 
-See the [TURN](../turn.md) page.
+See the [Calls](../calls.mdx) page.

docs/deploying/fedora.mdx

@@ -1,17 +1,18 @@
 # RPM Installation Guide
 
-Continuwuity is available as RPM packages for Fedora, RHEL, and compatible distributions.
+Continuwuity is available as RPM packages for Fedora and compatible distributions.
+We do not currently have infrastructure to build RPMs for RHEL and compatible distributions, but this is a work in progress.
 
 The RPM packaging files are maintained in the `fedora/` directory:
 - `continuwuity.spec.rpkg` - RPM spec file using rpkg macros for building from git
 - `continuwuity.service` - Systemd service file for the server
 - `RPM-GPG-KEY-continuwuity.asc` - GPG public key for verifying signed packages
 
-RPM packages built by CI are signed with our GPG key (Ed25519, ID: `5E0FF73F411AAFCA`).
+RPM packages built by CI are signed with our GPG key (RSA, ID: `6595 E8DB 9191 D39A 46D6 A514 4BA7 F590 DF0B AA1D`). # spellchecker:disable-line
 
 ```bash
 # Import the signing key
-sudo rpm --import https://forgejo.ellis.link/continuwuation/continuwuity/raw/branch/main/fedora/RPM-GPG-KEY-continuwuity.asc
+sudo rpm --import https://forgejo.ellis.link/api/packages/continuwuation/rpm/repository.key
 
 # Verify a downloaded package
 rpm --checksig continuwuity-*.rpm
@@ -23,7 +24,7 @@ ## Installation methods
 
 ```bash
 # Add the repository and install
-sudo dnf config-manager addrepo --from-repofile=https://forgejo.ellis.link/api/packages/continuwuation/rpm/stable/continuwuation.repo
+sudo dnf config-manager addrepo --from-repofile=https://forgejo.ellis.link/api/packages/continuwuation/rpm/stable.repo
 sudo dnf install continuwuity
 ```
 
@@ -31,7 +32,7 @@ # Add the repository and install
 
 ```bash
 # Add the dev repository and install
-sudo dnf config-manager addrepo --from-repofile=https://forgejo.ellis.link/api/packages/continuwuation/rpm/dev/continuwuation.repo
+sudo dnf config-manager addrepo --from-repofile=https://forgejo.ellis.link/api/packages/continuwuation/rpm/dev.repo
 sudo dnf install continuwuity
 ```
 
@@ -39,23 +40,10 @@ # Add the dev repository and install
 
 ```bash
 # Branch names are sanitized (slashes become hyphens, lowercase only)
-sudo dnf config-manager addrepo --from-repofile=https://forgejo.ellis.link/api/packages/continuwuation/rpm/tom-new-feature/continuwuation.repo
+sudo dnf config-manager addrepo --from-repofile=https://forgejo.ellis.link/api/packages/continuwuation/rpm/tom-new-feature.repo
 sudo dnf install continuwuity
 ```
 
-**Direct installation** without adding repository
-
-```bash
-# Latest stable release
-sudo dnf install https://forgejo.ellis.link/api/packages/continuwuation/rpm/stable/continuwuity
-
-# Latest development build
-sudo dnf install https://forgejo.ellis.link/api/packages/continuwuation/rpm/dev/continuwuity
-
-# Specific feature branch
-sudo dnf install https://forgejo.ellis.link/api/packages/continuwuation/rpm/branch-name/continuwuity
-```
-
 **Manual repository configuration** (alternative method)
 
 ```bash
@@ -65,7 +53,7 @@ # Specific feature branch
 baseurl=https://forgejo.ellis.link/api/packages/continuwuation/rpm/stable
 enabled=1
 gpgcheck=1
-gpgkey=https://forgejo.ellis.link/continuwuation/continuwuity/raw/branch/main/fedora/RPM-GPG-KEY-continuwuity.asc
+gpgkey=https://forgejo.ellis.link/api/packages/continuwuation/rpm/repository.key
 EOF
 
 sudo dnf install continuwuity

docs/deploying/freebsd.mdx

@@ -3,3 +3,5 @@ # Continuwuity for FreeBSD
 Continuwuity currently does not provide FreeBSD builds or FreeBSD packaging. However, Continuwuity does build and work on FreeBSD using the system-provided RocksDB.
 
 Contributions to get Continuwuity packaged for FreeBSD are welcome.
+
+Please join our [Continuwuity BSD](https://matrix.to/#/%23bsd:continuwuity.org) community room.

docs/deploying/generic.mdx

@@ -56,6 +56,8 @@ ### Building with the Rust toolchain
 
 You can build Continuwuity using `cargo build --release`.
 
+Continuwuity supports various optional features that can be enabled during compilation. Please see the Cargo.toml file for a comprehensive list, or ask in our rooms.
+
 ### Building with Nix
 
 If you prefer, you can use Nix (or [Lix](https://lix.systems)) to build Continuwuity. This provides improved reproducibility and makes it easy to set up a build environment and generate output. This approach also allows for easy cross-compilation.
@@ -269,7 +271,7 @@ # If federation is enabled
 ```
 
 - To check if your server can communicate with other homeservers, use the
-[Matrix Federation Tester](https://federationtester.matrix.org/). If you can
+[Matrix Federation Tester](https://federationtester.mtrnord.blog/). If you can
 register but cannot join federated rooms, check your configuration and verify
 that port 8448 is open and forwarded correctly.
 
@@ -277,7 +279,7 @@ # What's next?
 
 ## Audio/Video calls
 
-For Audio/Video call functionality see the [TURN Guide](../turn.md).
+For Audio/Video call functionality see the [Calls](../calls.md) page.
 
 ## Appservices
 

docs/deploying/kubernetes.mdx

@@ -1,7 +1,109 @@
 # Continuwuity for Kubernetes
 
 Continuwuity doesn't support horizontal scalability or distributed loading
-natively. However, [a community-maintained Helm Chart is available here to run
+natively. However, a deployment in Kubernetes is very similar to the docker
+setup. This is because Continuwuity can be fully configured using environment
+variables. A sample StatefulSet is shared below. The only thing missing is
+a PVC definition (named `continuwuity-data`) for the volume mounted to
+the StatefulSet, an Ingress resources to point your webserver to the
+Continuwuity Pods, and a Service resource (targeting `app.kubernetes.io/name: continuwuity`)
+to glue the Ingress and Pod together.
+
+Carefully go through the `env` section and add, change, and remove any env vars you like using the [Configuration reference](https://continuwuity.org/reference/config.html)
+
+```yaml
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: continuwuity
+  namespace: matrix
+  labels:
+    app.kubernetes.io/name: continuwuity
+spec:
+  replicas: 1
+  serviceName: continuwuity
+  podManagementPolicy: Parallel
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: continuwuity
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: continuwuity
+    spec:
+      securityContext:
+        sysctls:
+          - name: net.ipv4.ip_unprivileged_port_start
+            value: "0"
+      containers:
+        - name: continuwuity
+          # use a sha hash <3
+          image: forgejo.ellis.link/continuwuation/continuwuity:latest
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: http
+              containerPort: 80
+          volumeMounts:
+            - mountPath: /data
+              name: data
+              subPath: data
+          securityContext:
+            capabilities:
+              add:
+                - NET_BIND_SERVICE
+          env:
+            - name: TOKIO_WORKER_THREADS
+              value: "2"
+            - name: CONTINUWUITY_SERVER_NAME
+              value: "example.com"
+            - name: CONTINUWUITY_DATABASE_PATH
+              value: "/data/db"
+            - name: CONTINUWUITY_DATABASE_BACKEND
+              value: "rocksdb"
+            - name: CONTINUWUITY_PORT
+              value: "80"
+            - name: CONTINUWUITY_MAX_REQUEST_SIZE
+              value: "20000000"
+            - name: CONTINUWUITY_ALLOW_FEDERATION
+              value: "true"
+            - name: CONTINUWUITY_TRUSTED_SERVERS
+              value: '["matrix.org"]'
+            - name: CONTINUWUITY_ADDRESS
+              value: "0.0.0.0"
+            - name: CONTINUWUITY_ROCKSDB_PARALLELISM_THREADS
+              value: "1"
+            - name: CONTINUWUITY_WELL_KNOWN__SERVER
+              value: "matrix.example.com:443"
+            - name: CONTINUWUITY_WELL_KNOWN__CLIENT
+              value: "https://matrix.example.com"
+            - name: CONTINUWUITY_ALLOW_REGISTRATION
+              value: "false"
+            - name: RUST_LOG
+              value: info
+          readinessProbe:
+            httpGet:
+              path: /_matrix/federation/v1/version
+              port: http
+            periodSeconds: 4
+            failureThreshold: 5
+          resources:
+            # Continuwuity might use quite some RAM :3
+            requests:
+              cpu: "2"
+              memory: "512Mi"
+            limits:
+              cpu: "4"
+              memory: "2048Mi"
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: continuwuity-data
+```
+
+---
+
+Apart from manually configuring the containers,
+[a community-maintained Helm Chart is available here to run
 conduwuit on Kubernetes](https://gitlab.cronce.io/charts/conduwuit)
 
 This should be compatible with Continuwuity, but you will need to change the image reference.

docs/index.mdx

@@ -19,6 +19,16 @@
     src: /assets/logo.svg
     alt: continuwuity logo
 
+beforeFeatures:
+  - title: Matrix for Discord users
+    details: New to Matrix? Learn how Matrix compares to Discord
+    link: https://joinmatrix.org/guide/matrix-vs-discord/
+    buttonText: Find Out the Difference
+  - title: How Matrix Works
+    details: Learn how Matrix works under the hood, and what that means
+    link: https://matrix.org/docs/matrix-concepts/elements-of-matrix/
+    buttonText: Read the Guide
+
 features:
   - title: 🚀 High Performance
     details: Built with Rust for exceptional speed and efficiency. Designed to run smoothly even on modest hardware.

docs/introduction.mdx

@@ -51,7 +51,13 @@ ## Can I try it out?
 
 Check out the [documentation](https://continuwuity.org) for installation instructions.
 
-There are currently no open registration continuwuity instances available.
+If you want to try it out as a user, we have some partnered homeservers you can use:
+* You can head over to [https://federated.nexus](https://federated.nexus/) in your browser.
+  * Hit the `Apply to Join` button. Once your request has been accepted, you will receive an email with your username and password.
+  * Head over to [https://app.federated.nexus](https://app.federated.nexus/) and you can sign in there, or use any other matrix chat client you wish elsewhere.
+  * Your username for matrix will be in the form of `@username:federated.nexus`, however you can simply use the `username` part to log in. Your password is your password.
+
+* There's also [https://continuwuity.rocks/](https://continuwuity.rocks/). You can register a new account using Cinny via [this convenient link](https://app.cinny.in/register/continuwuity.rocks), or you can use Element or another matrix client *that supports registration*.
 
 ## What are we working on?
 

docs/public/.well-known/continuwuity/announcements

@@ -6,10 +6,10 @@
             "message": "Welcome to Continuwuity! Important announcements about the project will appear here."
         },
         {
-            "id": 7,
-            "mention_room": true,
-            "date": "2025-12-30",
-            "message": "Continuwuity v0.5.1 has been released. **The release contains a fix for the critical vulnerability [GHSA-m5p2-vccg-8c9v](https://github.com/continuwuity/continuwuity/security/advisories/GHSA-m5p2-vccg-8c9v) (embargoed) affecting all Conduit-derived servers. Update as soon as possible.**\n\nThis has been *actively exploited* to attempt account takeover and forge events bricking the Continuwuity rooms. The new space is accessible at [Continuwuity (room list)](https://matrix.to/#/!8cR4g-i9ucof69E4JHNg9LbPVkGprHb3SzcrGBDDJgk?via=continuwuity.org&via=starstruck.systems&via=gingershaped.computer)\n"
+            "id": 9,
+            "mention_room": false,
+            "date": "2026-02-09",
+            "message": "Yesterday we released [v0.5.4](https://forgejo.ellis.link/continuwuation/continuwuity/releases/tag/v0.5.4). Bugfixes, performance improvements and more moderation features! There's also a security fix, so please update as soon as possible. Don't forget to join [our announcements channel](https://matrix.to/#/!jIdNjSM5X-V5JVx2h2kAhUZIIQ08GyzPL55NFZAH1vM/%2489TY9CqRg4-ff1MGo3Ulc5r5X4pakfdzT-99RD8Docc?via=ellis.link&via=explodie.org&via=matrix.org) to get important information sooner <3 "
         }
     ]
 }

docs/reference/admin/debug.md

@@ -118,10 +118,6 @@ ## `!admin debug time`
 
 Print the current time
 
-## `!admin debug list-dependencies`
-
-List dependencies
-
 ## `!admin debug database-stats`
 
 Get database statistics

docs/reference/admin/media.md

@@ -36,3 +36,7 @@ ## `!admin media delete-all-from-user`
 ## `!admin media delete-all-from-server`
 
 Deletes all remote media from the specified remote server. This will always ignore errors by default
+
+## `!admin media delete-url-preview`
+
+Deletes a cached URL preview, forcing it to be re-fetched. Use --all to purge all cached URL previews

docs/reference/admin/query.md

@@ -112,6 +112,19 @@ ### `!admin query resolver overrides-cache`
 
 Query the overrides cache
 
+### `!admin query resolver flush-cache`
+
+Flush a given server from the resolver caches or flush them completely
+
+* Examples:
+  * Flush a specific server:
+
+    `!admin query resolver flush-cache matrix.example.com`
+
+  * Flush all resolver caches completely:
+
+    `!admin query resolver flush-cache --all`
+
 ## `!admin query pusher`
 
 pusher service

docs/reference/admin/server.md

@@ -16,10 +16,6 @@ ## `!admin server reload-config`
 
 Reload configuration values
 
-## `!admin server list-features`
-
-List the features built into the server
-
 ## `!admin server memory-usage`
 
 Print database memory usage statistics

docs/troubleshooting.mdx

@@ -1,13 +1,28 @@
 # Troubleshooting Continuwuity
 
-> **Docker users ⚠️**
->
-> Docker can be difficult to use and debug. It's common for Docker
-> misconfigurations to cause issues, particularly with networking and permissions.
-> Please check that your issues are not due to problems with your Docker setup.
+:::warning{title="Docker users:"}
+Docker can be difficult to use and debug. It's common for Docker
+misconfigurations to cause issues, particularly with networking and permissions.
+Please check that your issues are not due to problems with your Docker setup.
+:::
 
 ## Continuwuity and Matrix issues
 
+### Slow joins to rooms
+
+Some slowness is to be expected if you're the first person on your homserver to join a room (which will
+always be the case for single-user homeservers). In this situation, your homeserver has to verify the signatures of
+all of the state events sent by other servers before your join. To make this process as fast as possible, make sure you have
+multiple fast, trusted servers listed in `trusted_servers` in your configuration, and ensure
+`query_trusted_key_servers_first_on_join` is set to true (the default).
+If you need suggestions for trusted servers, ask in the Continuwuity main room.
+
+However, _very_ slow joins, especially to rooms with only a few users in them or rooms created by another user
+on your homeserver, may be caused by [issue !779](https://forgejo.ellis.link/continuwuation/continuwuity/issues/779),
+which is a longstanding bug with synchronizing room joins to clients. In this situation, you did succeed in joining the room, but
+the bug caused your homeserver to forget to tell your client. **To fix this, clear your client's cache.** Both Element and Cinny
+have a button to clear their cache in the "About" section of their settings.
+
 ### Lost access to admin room
 
 You can reinvite yourself to the admin room through the following methods:
@@ -20,6 +35,16 @@ ### Lost access to admin room
 
 ## General potential issues
 
+### Configuration not working as expected
+
+Sometimes you can make a mistake in your configuration that
+means things don't get passed to Continuwuity correctly.
+This is particularly easy to do with environment variables.
+To check what configuration Continuwuity actually sees, you can
+use the `!admin server show-config` command in your admin room.
+Beware that this prints out any secrets in your configuration,
+so you might want to delete the result afterwards!
+
 ### Potential DNS issues when using Docker
 
 Docker's DNS setup for containers in a non-default network intercepts queries to
@@ -139,7 +164,7 @@ ### Database corruption
 
 ## Debugging
 
-Note that users should not really be debugging things. If you find yourself
+Note that users should not really need to debug things. If you find yourself
 debugging and find the issue, please let us know and/or how we can fix it.
 Various debug commands can be found in `!admin debug`.
 
@@ -178,6 +203,31 @@ ### Pinging servers
 and simply fetches a string on a static JSON endpoint. It is very low cost both
 bandwidth and computationally.
 
+### Enabling backtraces for errors
+
+Continuwuity can capture backtraces (stack traces) for errors to help diagnose
+issues. Backtraces show the exact sequence of function calls that led to an
+error, which is invaluable for debugging.
+
+To enable backtraces, set the `RUST_BACKTRACE` environment variable before starting Continuwuity:
+
+```bash
+# For both panics and errors
+RUST_BACKTRACE=1 ./conduwuit
+
+```
+
+For systemd deployments, add this to your service file:
+
+```ini
+[Service]
+Environment="RUST_BACKTRACE=1"
+```
+
+Backtrace capture has a performance cost. Avoid leaving it on.
+You can also enable it only for panics by setting
+`RUST_BACKTRACE=1` and `RUST_LIB_BACKTRACE=0`.
+
 ### Allocator memory stats
 
 When using jemalloc with jemallocator's `stats` feature (`--enable-stats`), you

docs/turn.mdx

@@ -1,94 +0,0 @@
-# Setting up TURN/STURN
-
-In order to make or receive calls, a TURN server is required. Continuwuity suggests
-using [Coturn](https://github.com/coturn/coturn) for this purpose, which is also
-available as a Docker image.
-
-### Configuration
-
-Create a configuration file called `coturn.conf` containing:
-
-```
-use-auth-secret
-static-auth-secret=<a secret key>
-realm=<your server domain>
-```
-
-A common way to generate a suitable alphanumeric secret key is by using `pwgen
--s 64 1`.
-
-These same values need to be set in Continuwuity. See the [example
-config](./reference/config.mdx) in the TURN section for configuring these and
-restart Continuwuity after.
-
-`turn_secret` or a path to `turn_secret_file` must have a value of your
-coturn `static-auth-secret`, or use `turn_username` and `turn_password`
-if using legacy username:password TURN authentication (not preferred).
-
-`turn_uris` must be the list of TURN URIs you would like to send to the client.
-Typically you will just replace the example domain `example.turn.uri` with the
-`realm` you set from the example config.
-
-If you are using TURN over TLS, you can replace `turn:` with `turns:` in the
-`turn_uris` config option to instruct clients to attempt to connect to
-TURN over TLS. This is highly recommended.
-
-If you need unauthenticated access to the TURN URIs, or some clients may be
-having trouble, you can enable `turn_guest_access` in Continuwuity which disables
-authentication for the TURN URI endpoint `/_matrix/client/v3/voip/turnServer`
-
-### Run
-
-Run the [Coturn](https://hub.docker.com/r/coturn/coturn) image using
-
-```bash
-docker run -d --network=host -v
-$(pwd)/coturn.conf:/etc/coturn/turnserver.conf coturn/coturn
-```
-
-or docker-compose. For the latter, paste the following section into a file
-called `docker-compose.yml` and run `docker compose up -d` in the same
-directory.
-
-```yml
-version: 3
-services:
-    turn:
-      container_name: coturn-server
-      image: docker.io/coturn/coturn
-      restart: unless-stopped
-      network_mode: "host"
-      volumes:
-        - ./coturn.conf:/etc/coturn/turnserver.conf
-```
-
-To understand why the host networking mode is used and explore alternative
-configuration options, please visit [Coturn's Docker
-documentation](https://github.com/coturn/coturn/blob/master/docker/coturn/README.md).
-
-For security recommendations see Synapse's [Coturn
-documentation](https://element-hq.github.io/synapse/latest/turn-howto.html).
-
-### Testing
-
-To make sure turn credentials are being correctly served to clients, you can manually make a HTTP request to the turnServer endpoint.
-
-`curl "https://<matrix.example.com>/_matrix/client/r0/voip/turnServer" -H 'Authorization: Bearer <your_client_token>' | jq`
-
-You should get a response like this:
-
-```json
-{
-  "username": "1752792167:@jade:example.com",
-  "password": "KjlDlawdPbU9mvP4bhdV/2c/h65=",
-  "uris": [
-    "turns:coturn.example.com?transport=udp",
-    "turns:coturn.example.com?transport=tcp",
-    "turn:coturn.example.com?transport=udp",
-    "turn:coturn.example.com?transport=tcp"
-  ],
-  "ttl": 86400
-}
-```
-
-You can test these credentials work using [Trickle ICE](https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/)

nix/packages/uwulib/build.nix

@@ -20,7 +20,7 @@ rec {
       # we need to keep the `web` directory which would be filtered out by the regular source filtering function
       #
       # https://crane.dev/API.html#cranelibcleancargosource
-      isWebTemplate = path: _type: builtins.match ".*src/web.*" path != null;
+      isWebTemplate = path: _type: builtins.match ".*(src/(web|service)|docs).*" path != null;
       isRust = craneLib.filterCargoSources;
       isNix = path: _type: builtins.match ".+/nix.*" path != null;
       webOrRustNotNix = p: t: !(isNix p t) && (isWebTemplate p t || isRust p t);
@@ -77,7 +77,12 @@ rec {
     craneLib.buildDepsOnly (
       (commonAttrs commonAttrsArgs)
       // {
-        env = uwuenv.buildDepsOnlyEnv // (makeRocksDBEnv { inherit rocksdb; });
+        env = uwuenv.buildDepsOnlyEnv
+              // (makeRocksDBEnv { inherit rocksdb; })
+              // {
+                # required since we started using unstable reqwest apparently ... otherwise the all-features build will fail
+                RUSTFLAGS = "--cfg reqwest_unstable";
+              };
         inherit (features) cargoExtraArgs;
       }
 
@@ -102,7 +107,13 @@ rec {
         '';
         cargoArtifacts = deps;
         doCheck = true;
-        env = uwuenv.buildPackageEnv // rocksdbEnv;
+        env =
+          uwuenv.buildPackageEnv
+          // rocksdbEnv
+          // {
+            # required since we started using unstable reqwest apparently ... otherwise the all-features build will fail
+            RUSTFLAGS = "--cfg reqwest_unstable";
+          };
         passthru.env = uwuenv.buildPackageEnv // rocksdbEnv;
         meta.mainProgram = crateInfo.pname;
         inherit (features) cargoExtraArgs;

package.json

@@ -22,10 +22,9 @@
   "license": "ISC",
   "type": "commonjs",
   "devDependencies": {
-    "@rspress/core": "^2.0.0-rc.1",
-    "@rspress/plugin-client-redirects": "^2.0.0-alpha.12",
-    "@rspress/plugin-preview": "^2.0.0-beta.35",
-    "@rspress/plugin-sitemap": "^2.0.0-beta.23",
+    "@rspress/core": "^2.0.0",
+    "@rspress/plugin-client-redirects": "^2.0.0",
+    "@rspress/plugin-sitemap": "^2.0.0",
     "typescript": "^5.9.3"
   }
 }

release.toml

@@ -1 +1,8 @@
 tag-message = "chore: Release v{{version}}"
+tag-prefix = ""
+shared-version = true
+
+publish = false
+
+sign-commit = true
+sign-tag = true

renovate.json

@@ -1,6 +1,7 @@
 {
     "$schema": "https://docs.renovatebot.com/renovate-schema.json",
     "extends": ["config:recommended", "replacements:all"],
+    "dependencyDashboard": true,
     "osvVulnerabilityAlerts": true,
     "lockFileMaintenance": {
         "enabled": true,
@@ -57,12 +58,25 @@
             "matchUpdateTypes": ["minor", "patch"],
             "groupName": "github-actions-non-major"
         },
+        {
+            "description": "Batch patch-level Node.js dependency updates",
+            "matchManagers": ["npm"],
+            "matchUpdateTypes": ["patch"],
+            "groupName": "node-patch-updates"
+        },
         {
             "description": "Pin forgejo artifact actions to prevent breaking changes",
             "matchManagers": ["github-actions"],
             "matchPackageNames": ["forgejo/upload-artifact", "forgejo/download-artifact"],
             "enabled": false
         },
+        {
+            "description": "Auto-merge crate-ci/typos minor updates",
+            "matchPackageNames": ["crate-ci/typos"],
+            "matchUpdateTypes": ["minor", "patch"],
+            "automerge": true,
+            "automergeStrategy": "fast-forward"
+        },
         {
             "description": "Auto-merge renovatebot docker image updates",
             "matchDatasources": ["docker"],

rspress.config.ts

@@ -1,5 +1,4 @@
 import { defineConfig } from '@rspress/core';
-import { pluginPreview } from '@rspress/plugin-preview';
 import { pluginSitemap } from '@rspress/plugin-sitemap';
 import { pluginClientRedirects } from '@rspress/plugin-client-redirects';
 
@@ -41,7 +40,7 @@ export default defineConfig({
         },
     },
 
-    plugins: [pluginPreview(), pluginSitemap({
+    plugins: [pluginSitemap({
         siteUrl: 'https://continuwuity.org', // TODO: Set automatically in build pipeline
     }),
     pluginClientRedirects({
@@ -54,6 +53,12 @@ export default defineConfig({
         }, {
             from: '/server_reference',
             to: '/reference/server'
+        }, {
+            from: '/community$',
+            to: '/community/guidelines'
+        }, {
+            from: "^/turn",
+            to: "/calls/turn",
         }
         ]
     })],

src/admin/Cargo.toml

@@ -87,7 +87,6 @@ serde-saphyr.workspace = true
 tokio.workspace = true
 tracing-subscriber.workspace = true
 tracing.workspace = true
-ctor.workspace = true
 
 [lints]
 workspace = true

src/admin/debug/commands.rs

@@ -819,32 +819,6 @@ pub(super) async fn time(&self) -> Result {
 	self.write_str(&now).await
 }
 
-#[admin_command]
-pub(super) async fn list_dependencies(&self, names: bool) -> Result {
-	if names {
-		let out = info::cargo::dependencies_names().join(" ");
-		return self.write_str(&out).await;
-	}
-
-	let mut out = String::new();
-	let deps = info::cargo::dependencies();
-	writeln!(out, "| name | version | features |")?;
-	writeln!(out, "| ---- | ------- | -------- |")?;
-	for (name, dep) in deps {
-		let version = dep.try_req().unwrap_or("*");
-		let feats = dep.req_features();
-		let feats = if !feats.is_empty() {
-			feats.join(" ")
-		} else {
-			String::new()
-		};
-
-		writeln!(out, "| {name} | {version} | {feats} |")?;
-	}
-
-	self.write_str(&out).await
-}
-
 #[admin_command]
 pub(super) async fn database_stats(
 	&self,

src/admin/debug/mod.rs

@@ -206,12 +206,6 @@ pub enum DebugCommand {
 	/// Print the current time
 	Time,
 
-	/// List dependencies
-	ListDependencies {
-		#[arg(short, long)]
-		names: bool,
-	},
-
 	/// Get database statistics
 	DatabaseStats {
 		property: Option<String>,

src/admin/federation/commands.rs

@@ -30,12 +30,15 @@ pub(super) async fn incoming_federation(&self) -> Result {
 			.federation_handletime
 			.read();
 
-		let mut msg = format!("Handling {} incoming pdus:\n", map.len());
+		let mut msg = format!(
+			"Handling {} incoming PDUs across {} active transactions:\n",
+			map.len(),
+			self.services.transactions.txn_active_handle_count()
+		);
 		for (r, (e, i)) in map.iter() {
 			let elapsed = i.elapsed();
 			writeln!(msg, "{} {}: {}m{}s", r, e, elapsed.as_secs() / 60, elapsed.as_secs() % 60)?;
 		}
-
 		msg
 	};
 

src/admin/media/commands.rs

@@ -29,7 +29,9 @@ pub(super) async fn delete(
 			.delete(&mxc.as_str().try_into()?)
 			.await?;
 
-		return Err!("Deleted the MXC from our database and on our filesystem.",);
+		return self
+			.write_str("Deleted the MXC from our database and on our filesystem.")
+			.await;
 	}
 
 	if let Some(event_id) = event_id {
@@ -388,3 +390,19 @@ pub(super) async fn get_remote_thumbnail(
 	self.write_str(&format!("```\n{result:#?}\nreceived {len} bytes for file content.\n```"))
 		.await
 }
+
+#[admin_command]
+pub(super) async fn delete_url_preview(&self, url: Option<String>, all: bool) -> Result {
+	if all {
+		self.services.media.clear_url_previews().await;
+
+		return self.write_str("Deleted all cached URL previews.").await;
+	}
+
+	let url = url.expect("clap enforces url is required unless --all");
+
+	self.services.media.remove_url_preview(&url).await?;
+
+	self.write_str(&format!("Deleted cached URL preview for: {url}"))
+		.await
+}

src/admin/media/mod.rs

@@ -108,4 +108,16 @@ pub enum MediaCommand {
 		#[arg(long, default_value("800"))]
 		height: u32,
 	},
+
+	/// Deletes a cached URL preview, forcing it to be re-fetched.
+	/// Use --all to purge all cached URL previews.
+	DeleteUrlPreview {
+		/// The URL to clear from the saved preview data
+		#[arg(required_unless_present = "all")]
+		url: Option<String>,
+
+		/// Purge all cached URL previews
+		#[arg(long, conflicts_with = "url")]
+		all: bool,
+	},
 }

src/admin/mod.rs

@@ -30,11 +30,8 @@
 
 pub(crate) const PAGE_SIZE: usize = 100;
 
-use ctor::{ctor, dtor};
-
 conduwuit::mod_ctor! {}
 conduwuit::mod_dtor! {}
-conduwuit::rustc_flags_capture! {}
 
 pub use crate::admin::AdminCommand;
 

src/admin/query/raw.rs

@@ -209,7 +209,7 @@ pub(super) async fn compact(
 	let parallelism = parallelism.unwrap_or(1);
 	let results = maps
 		.into_iter()
-		.try_stream()
+		.try_stream::<conduwuit::Error>()
 		.paralleln_and_then(runtime, parallelism, move |map| {
 			map.compact_blocking(options.clone())?;
 			Ok(map.name().to_owned())

src/admin/query/resolver.rs

@@ -1,5 +1,5 @@
 use clap::Subcommand;
-use conduwuit::{Result, utils::time};
+use conduwuit::{Err, Result, utils::time};
 use futures::StreamExt;
 use ruma::OwnedServerName;
 
@@ -7,6 +7,7 @@
 
 #[admin_command_dispatch]
 #[derive(Debug, Subcommand)]
+#[allow(clippy::enum_variant_names)]
 /// Resolver service and caches
 pub enum ResolverCommand {
 	/// Query the destinations cache
@@ -18,6 +19,24 @@ pub enum ResolverCommand {
 	OverridesCache {
 		name: Option<String>,
 	},
+
+	/// Flush a given server from the resolver caches or flush them completely
+	///
+	/// * Examples:
+	///   * Flush a specific server:
+	///
+	///     `!admin query resolver flush-cache matrix.example.com`
+	///
+	///   * Flush all resolver caches completely:
+	///
+	///     `!admin query resolver flush-cache --all`
+	#[command(verbatim_doc_comment)]
+	FlushCache {
+		name: Option<OwnedServerName>,
+
+		#[arg(short, long)]
+		all: bool,
+	},
 }
 
 #[admin_command]
@@ -69,3 +88,18 @@ async fn overrides_cache(&self, server_name: Option<String>) -> Result {
 
 	Ok(())
 }
+
+#[admin_command]
+async fn flush_cache(&self, name: Option<OwnedServerName>, all: bool) -> Result {
+	if all {
+		self.services.resolver.cache.clear().await;
+		writeln!(self, "Resolver caches cleared!").await
+	} else if let Some(name) = name {
+		self.services.resolver.cache.del_destination(&name);
+		self.services.resolver.cache.del_override(&name);
+		self.write_str(&format!("Cleared {name} from resolver caches!"))
+			.await
+	} else {
+		Err!("Missing name. Supply a name or use --all to flush the whole cache.")
+	}
+}

src/admin/room/commands.rs

@@ -4,12 +4,14 @@
 
 use crate::{PAGE_SIZE, admin_command, get_room_info};
 
+#[allow(clippy::fn_params_excessive_bools)]
 #[admin_command]
 pub(super) async fn list_rooms(
 	&self,
 	page: Option<usize>,
 	exclude_disabled: bool,
 	exclude_banned: bool,
+	include_empty: bool,
 	no_details: bool,
 ) -> Result {
 	// TODO: i know there's a way to do this with clap, but i can't seem to find it
@@ -28,6 +30,20 @@ pub(super) async fn list_rooms(
 				.then_some(room_id)
 		})
 		.then(|room_id| get_room_info(self.services, room_id))
+		.then(|(room_id, total_members, name)| async move {
+			let local_members: Vec<_> = self
+				.services
+				.rooms
+				.state_cache
+				.active_local_users_in_room(&room_id)
+				.collect()
+				.await;
+			let local_members = local_members.len();
+			(room_id, total_members, local_members, name)
+		})
+		.filter_map(|(room_id, total_members, local_members, name)| async move {
+			(include_empty || local_members > 0).then_some((room_id, total_members, name))
+		})
 		.collect::<Vec<_>>()
 		.await;
 

src/admin/room/mod.rs

@@ -30,6 +30,10 @@ pub enum RoomCommand {
 		#[arg(long)]
 		exclude_banned: bool,
 
+		/// Includes disconnected/empty rooms (rooms with zero members)
+		#[arg(long)]
+		include_empty: bool,
+
 		#[arg(long)]
 		/// Whether to only output room IDs without supplementary room
 		/// information

src/admin/room/moderation.rs

@@ -89,13 +89,7 @@ async fn ban_room(&self, room: OwnedRoomOrAliasId) -> Result {
 			 locally, if not using get_alias_helper to fetch room ID remotely"
 		);
 
-		match self
-			.services
-			.rooms
-			.alias
-			.resolve_alias(room_alias, None)
-			.await
-		{
+		match self.services.rooms.alias.resolve_alias(room_alias).await {
 			| Ok((room_id, servers)) => {
 				debug!(
 					%room_id,
@@ -235,7 +229,7 @@ async fn ban_list_of_rooms(&self) -> Result {
 										.services
 										.rooms
 										.alias
-										.resolve_alias(room_alias, None)
+										.resolve_alias(room_alias)
 										.await
 									{
 										| Ok((room_id, servers)) => {
@@ -388,13 +382,7 @@ async fn unban_room(&self, room: OwnedRoomOrAliasId) -> Result {
 					 room ID over federation"
 				);
 
-				match self
-					.services
-					.rooms
-					.alias
-					.resolve_alias(room_alias, None)
-					.await
-				{
+				match self.services.rooms.alias.resolve_alias(room_alias).await {
 					| Ok((room_id, servers)) => {
 						debug!(
 							%room_id,

src/admin/server/commands.rs

@@ -1,7 +1,7 @@
-use std::{fmt::Write, path::PathBuf, sync::Arc};
+use std::{path::PathBuf, sync::Arc};
 
 use conduwuit::{
-	Err, Result, info,
+	Err, Result,
 	utils::{stream::IterStream, time},
 	warn,
 };
@@ -59,34 +59,6 @@ pub(super) async fn reload_config(&self, path: Option<PathBuf>) -> Result {
 		.await
 }
 
-#[admin_command]
-pub(super) async fn list_features(&self, available: bool, enabled: bool, comma: bool) -> Result {
-	let delim = if comma { "," } else { " " };
-	if enabled && !available {
-		let features = info::rustc::features().join(delim);
-		let out = format!("`\n{features}\n`");
-		return self.write_str(&out).await;
-	}
-
-	if available && !enabled {
-		let features = info::cargo::features().join(delim);
-		let out = format!("`\n{features}\n`");
-		return self.write_str(&out).await;
-	}
-
-	let mut features = String::new();
-	let enabled = info::rustc::features();
-	let available = info::cargo::features();
-	for feature in available {
-		let active = enabled.contains(&feature.as_str());
-		let emoji = if active { "✅" } else { "❌" };
-		let remark = if active { "[enabled]" } else { "" };
-		writeln!(features, "{emoji} {feature} {remark}")?;
-	}
-
-	self.write_str(&features).await
-}
-
 #[admin_command]
 pub(super) async fn memory_usage(&self) -> Result {
 	let services_usage = self.services.memory_usage().await?;
@@ -114,7 +86,7 @@ pub(super) async fn list_backups(&self) -> Result {
 		.db
 		.backup_list()?
 		.try_stream()
-		.try_for_each(|result| write!(self, "{result}"))
+		.try_for_each(|result| writeln!(self, "{result}"))
 		.await
 }
 

src/admin/server/mod.rs

@@ -21,18 +21,6 @@ pub enum ServerCommand {
 		path: Option<PathBuf>,
 	},
 
-	/// List the features built into the server
-	ListFeatures {
-		#[arg(short, long)]
-		available: bool,
-
-		#[arg(short, long)]
-		enabled: bool,
-
-		#[arg(short, long)]
-		comma: bool,
-	},
-
 	/// Print database memory usage statistics
 	MemoryUsage,
 

src/admin/user/commands.rs

@@ -3,12 +3,9 @@
 	fmt::Write as _,
 };
 
-use api::client::{
-	full_user_deactivate, join_room_by_id_helper, leave_all_rooms, leave_room, remote_leave_room,
-	update_avatar_url, update_displayname,
-};
+use api::client::{full_user_deactivate, join_room_by_id_helper, leave_room, remote_leave_room};
 use conduwuit::{
-	Err, Result, debug, debug_warn, error, info, is_equal_to,
+	Err, Result, debug_warn, error, info,
 	matrix::{Event, pdu::PduBuilder},
 	utils::{self, ReadyExt},
 	warn,
@@ -143,7 +140,6 @@ pub(super) async fn create_user(&self, username: String, password: Option<String
 						self.services.globals.server_name().to_owned(),
 						room_server_name.to_owned(),
 					],
-					None,
 					&None,
 				)
 				.await
@@ -171,27 +167,8 @@ pub(super) async fn create_user(&self, username: String, password: Option<String
 
 	// we dont add a device since we're not the user, just the creator
 
-	// if this account creation is from the CLI / --execute, invite the first user
-	// to admin room
-	if let Ok(admin_room) = self.services.admin.get_admin_room().await {
-		if self
-			.services
-			.rooms
-			.state_cache
-			.room_joined_count(&admin_room)
-			.await
-			.is_ok_and(is_equal_to!(1))
-		{
-			self.services
-				.admin
-				.make_user_admin(&user_id)
-				.boxed()
-				.await?;
-			warn!("Granting {user_id} admin privileges as the first user");
-		}
-	} else {
-		debug!("create_user admin command called without an admin room being available");
-	}
+	// Make the first user to register an administrator and disable first-run mode.
+	self.services.firstrun.empower_first_user(&user_id).await?;
 
 	self.write_str(&format!("Created user with user_id: {user_id} and password: `{password}`"))
 		.await
@@ -227,9 +204,6 @@ pub(super) async fn deactivate(&self, no_leave_rooms: bool, user_id: String) ->
 		full_user_deactivate(self.services, &user_id, &all_joined_rooms)
 			.boxed()
 			.await?;
-		update_displayname(self.services, &user_id, None, &all_joined_rooms).await;
-		update_avatar_url(self.services, &user_id, None, None, &all_joined_rooms).await;
-		leave_all_rooms(self.services, &user_id).await;
 	}
 
 	self.write_str(&format!("User {user_id} has been deactivated"))
@@ -406,10 +380,6 @@ pub(super) async fn deactivate_all(&self, no_leave_rooms: bool, force: bool) ->
 					full_user_deactivate(self.services, &user_id, &all_joined_rooms)
 						.boxed()
 						.await?;
-					update_displayname(self.services, &user_id, None, &all_joined_rooms).await;
-					update_avatar_url(self.services, &user_id, None, None, &all_joined_rooms)
-						.await;
-					leave_all_rooms(self.services, &user_id).await;
 				}
 			},
 		}
@@ -559,7 +529,6 @@ pub(super) async fn force_join_list_of_local_users(
 			&room_id,
 			Some(String::from(BULK_JOIN_REASON)),
 			&servers,
-			None,
 			&None,
 		)
 		.await
@@ -645,7 +614,6 @@ pub(super) async fn force_join_all_local_users(
 			&room_id,
 			Some(String::from(BULK_JOIN_REASON)),
 			&servers,
-			None,
 			&None,
 		)
 		.await
@@ -685,8 +653,7 @@ pub(super) async fn force_join_room(
 		self.services.globals.user_is_local(&user_id),
 		"Parsed user_id must be a local user"
 	);
-	join_room_by_id_helper(self.services, &user_id, &room_id, None, &servers, None, &None)
-		.await?;
+	join_room_by_id_helper(self.services, &user_id, &room_id, None, &servers, &None).await?;
 
 	self.write_str(&format!("{user_id} has been joined to {room_id}.",))
 		.await

src/api/Cargo.toml

@@ -28,6 +28,10 @@ gzip_compression = [
 	"conduwuit-service/gzip_compression",
 	"reqwest/gzip",
 ]
+http3 = [
+	"conduwuit-core/http3",
+	"conduwuit-service/http3",
+]
 io_uring = [
 	"conduwuit-service/io_uring",
 ]
@@ -91,7 +95,6 @@ serde.workspace = true
 sha1.workspace = true
 tokio.workspace = true
 tracing.workspace = true
-ctor.workspace = true
 
 [lints]
 workspace = true

src/api/admin/mod.rs

@@ -0,0 +1 @@
+pub mod rooms;

src/api/admin/rooms/ban.rs

@@ -0,0 +1,132 @@
+use axum::extract::State;
+use conduwuit::{Err, Result, info, utils::ReadyExt, warn};
+use futures::{FutureExt, StreamExt};
+use ruma::{
+	OwnedRoomAliasId, continuwuity_admin_api::rooms,
+	events::room::message::RoomMessageEventContent,
+};
+
+use crate::{Ruma, client::leave_room};
+
+/// # `PUT /_continuwuity/admin/rooms/{roomID}/ban`
+///
+/// Bans or unbans a room.
+pub(crate) async fn ban_room(
+	State(services): State<crate::State>,
+	body: Ruma<rooms::ban::v1::Request>,
+) -> Result<rooms::ban::v1::Response> {
+	let sender_user = body.sender_user();
+	if !services.users.is_admin(sender_user).await {
+		return Err!(Request(Forbidden("Only server administrators can use this endpoint")));
+	}
+
+	if body.banned {
+		// Don't ban again if already banned
+		if services.rooms.metadata.is_banned(&body.room_id).await {
+			return Err!(Request(InvalidParam("Room is already banned")));
+		}
+		info!(%sender_user, "Banning room {}", body.room_id);
+
+		services
+			.admin
+			.notice(&format!("{sender_user} banned {} (ban in progress)", body.room_id))
+			.await;
+
+		let mut users = services
+			.rooms
+			.state_cache
+			.room_members(&body.room_id)
+			.map(ToOwned::to_owned)
+			.ready_filter(|user| services.globals.user_is_local(user))
+			.boxed();
+		let mut evicted = Vec::new();
+		let mut failed_evicted = Vec::new();
+
+		while let Some(ref user_id) = users.next().await {
+			info!("Evicting user {} from room {}", user_id, body.room_id);
+			match leave_room(&services, user_id, &body.room_id, None)
+				.boxed()
+				.await
+			{
+				| Ok(()) => {
+					services.rooms.state_cache.forget(&body.room_id, user_id);
+					evicted.push(user_id.clone());
+				},
+				| Err(e) => {
+					warn!("Failed to evict user {} from room {}: {}", user_id, body.room_id, e);
+					failed_evicted.push(user_id.clone());
+				},
+			}
+		}
+
+		let aliases: Vec<OwnedRoomAliasId> = services
+			.rooms
+			.alias
+			.local_aliases_for_room(&body.room_id)
+			.map(ToOwned::to_owned)
+			.collect::<Vec<_>>()
+			.await;
+		for alias in &aliases {
+			info!("Removing alias {} for banned room {}", alias, body.room_id);
+			services
+				.rooms
+				.alias
+				.remove_alias(alias, &services.globals.server_user)
+				.await?;
+		}
+
+		services.rooms.directory.set_not_public(&body.room_id); // remove from the room directory
+		services.rooms.metadata.ban_room(&body.room_id, true); // prevent further joins
+		services.rooms.metadata.disable_room(&body.room_id, true); // disable federation
+
+		services
+			.admin
+			.notice(&format!(
+				"Finished banning {}: Removed {} users ({} failed) and {} aliases",
+				body.room_id,
+				evicted.len(),
+				failed_evicted.len(),
+				aliases.len()
+			))
+			.await;
+		if !evicted.is_empty() || !failed_evicted.is_empty() || !aliases.is_empty() {
+			let msg = services
+				.admin
+				.text_or_file(RoomMessageEventContent::text_markdown(format!(
+					"Removed users:\n{}\n\nFailed to remove users:\n{}\n\nRemoved aliases: {}",
+					evicted
+						.iter()
+						.map(|u| u.as_str())
+						.collect::<Vec<_>>()
+						.join("\n"),
+					failed_evicted
+						.iter()
+						.map(|u| u.as_str())
+						.collect::<Vec<_>>()
+						.join("\n"),
+					aliases
+						.iter()
+						.map(|a| a.as_str())
+						.collect::<Vec<_>>()
+						.join(", "),
+				)))
+				.await;
+			services.admin.send_message(msg).await.ok();
+		}
+
+		Ok(rooms::ban::v1::Response::new(evicted, failed_evicted, aliases))
+	} else {
+		// Don't unban if not banned
+		if !services.rooms.metadata.is_banned(&body.room_id).await {
+			return Err!(Request(InvalidParam("Room is not banned")));
+		}
+		info!(%sender_user, "Unbanning room {}", body.room_id);
+		services.rooms.metadata.disable_room(&body.room_id, false);
+		services.rooms.metadata.ban_room(&body.room_id, false);
+		services
+			.admin
+			.notice(&format!("{sender_user} unbanned {}", body.room_id))
+			.await;
+		Ok(rooms::ban::v1::Response::new(Vec::new(), Vec::new(), Vec::new()))
+	}
+}

src/api/admin/rooms/list.rs

@@ -0,0 +1,35 @@
+use axum::extract::State;
+use conduwuit::{Err, Result};
+use futures::StreamExt;
+use ruma::{OwnedRoomId, continuwuity_admin_api::rooms};
+
+use crate::Ruma;
+
+/// # `GET /_continuwuity/admin/rooms/list`
+///
+/// Lists all rooms known to this server, excluding banned ones.
+pub(crate) async fn list_rooms(
+	State(services): State<crate::State>,
+	body: Ruma<rooms::list::v1::Request>,
+) -> Result<rooms::list::v1::Response> {
+	let sender_user = body.sender_user();
+	if !services.users.is_admin(sender_user).await {
+		return Err!(Request(Forbidden("Only server administrators can use this endpoint")));
+	}
+
+	let mut rooms: Vec<OwnedRoomId> = services
+		.rooms
+		.metadata
+		.iter_ids()
+		.filter_map(|room_id| async move {
+			if !services.rooms.metadata.is_banned(room_id).await {
+				Some(room_id.to_owned())
+			} else {
+				None
+			}
+		})
+		.collect()
+		.await;
+	rooms.sort();
+	Ok(rooms::list::v1::Response::new(rooms))
+}

src/api/admin/rooms/mod.rs

@@ -0,0 +1,2 @@
+pub mod ban;
+pub mod list;

src/api/client/account.rs

@@ -3,7 +3,7 @@
 use axum::extract::State;
 use axum_client_ip::InsecureClientIp;
 use conduwuit::{
-	Err, Error, Event, Result, debug_info, err, error, info, is_equal_to,
+	Err, Error, Event, Result, debug_info, err, error, info,
 	matrix::pdu::PduBuilder,
 	utils::{self, ReadyExt, stream::BroadbandExt},
 	warn,
@@ -26,6 +26,7 @@
 	events::{
 		GlobalAccountDataEventType, StateEventType,
 		room::{
+			member::{MembershipState, RoomMemberEventContent},
 			message::RoomMessageEventContent,
 			power_levels::{RoomPowerLevels, RoomPowerLevelsEventContent},
 		},
@@ -147,7 +148,12 @@ pub(crate) async fn register_route(
 	let is_guest = body.kind == RegistrationKind::Guest;
 	let emergency_mode_enabled = services.config.emergency_password.is_some();
 
-	if !services.config.allow_registration && body.appservice_info.is_none() {
+	// Allow registration if it's enabled in the config file or if this is the first
+	// run (so the first user account can be created)
+	let allow_registration =
+		services.config.allow_registration || services.firstrun.is_first_run();
+
+	if !allow_registration && body.appservice_info.is_none() {
 		match (body.username.as_ref(), body.initial_device_display_name.as_ref()) {
 			| (Some(username), Some(device_display_name)) => {
 				info!(
@@ -184,17 +190,10 @@ pub(crate) async fn register_route(
 		)));
 	}
 
-	if is_guest
-		&& (!services.config.allow_guest_registration
-			|| (services.config.allow_registration
-				&& services
-					.registration_tokens
-					.get_config_file_token()
-					.is_some()))
-	{
+	if is_guest && !services.config.allow_guest_registration {
 		info!(
-			"Guest registration disabled / registration enabled with token configured, \
-			 rejecting guest registration attempt, initial device name: \"{}\"",
+			"Guest registration disabled, rejecting guest registration attempt, initial device \
+			 name: \"{}\"",
 			body.initial_device_display_name.as_deref().unwrap_or("")
 		);
 		return Err!(Request(GuestAccessForbidden("Guest registration is disabled.")));
@@ -253,6 +252,13 @@ pub(crate) async fn register_route(
 						}
 					}
 
+					// Don't allow registration with user IDs that aren't local
+					if !services.globals.user_is_local(&user_id) {
+						return Err!(Request(InvalidUsername(
+							"Username {body_username} is not local to this server"
+						)));
+					}
+
 					user_id
 				},
 				| Err(e) => {
@@ -308,54 +314,63 @@ pub(crate) async fn register_route(
 	let skip_auth = body.appservice_info.is_some() || is_guest;
 
 	// Populate required UIAA flows
-	if services
-		.registration_tokens
-		.iterate_tokens()
-		.next()
-		.await
-		.is_some()
-	{
-		// Registration token required
+
+	if services.firstrun.is_first_run() {
+		// Registration token forced while in first-run mode
 		uiaainfo.flows.push(AuthFlow {
 			stages: vec![AuthType::RegistrationToken],
 		});
-	}
-	if services.config.recaptcha_private_site_key.is_some() {
-		if let Some(pubkey) = &services.config.recaptcha_site_key {
-			// ReCaptcha required
-			uiaainfo
-				.flows
-				.push(AuthFlow { stages: vec![AuthType::ReCaptcha] });
-			uiaainfo.params = serde_json::value::to_raw_value(&serde_json::json!({
-				"m.login.recaptcha": {
-					"public_key": pubkey,
-				},
-			}))
-			.expect("Failed to serialize recaptcha params");
-		}
-	}
-
-	if uiaainfo.flows.is_empty() && !skip_auth {
-		// Registration isn't _disabled_, but there's no captcha configured and no
-		// registration tokens currently set. Bail out by default unless open
-		// registration was explicitly enabled.
-		if !services
-			.config
-			.yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse
+	} else {
+		if services
+			.registration_tokens
+			.iterate_tokens()
+			.next()
+			.await
+			.is_some()
 		{
-			return Err!(Request(Forbidden(
-				"This server is not accepting registrations at this time."
-			)));
+			// Registration token required
+			uiaainfo.flows.push(AuthFlow {
+				stages: vec![AuthType::RegistrationToken],
+			});
 		}
 
-		// We have open registration enabled (😧), provide a dummy stage
-		uiaainfo = UiaaInfo {
-			flows: vec![AuthFlow { stages: vec![AuthType::Dummy] }],
-			completed: Vec::new(),
-			params: Box::default(),
-			session: None,
-			auth_error: None,
-		};
+		if services.config.recaptcha_private_site_key.is_some() {
+			if let Some(pubkey) = &services.config.recaptcha_site_key {
+				// ReCaptcha required
+				uiaainfo
+					.flows
+					.push(AuthFlow { stages: vec![AuthType::ReCaptcha] });
+				uiaainfo.params = serde_json::value::to_raw_value(&serde_json::json!({
+					"m.login.recaptcha": {
+						"public_key": pubkey,
+					},
+				}))
+				.expect("Failed to serialize recaptcha params");
+			}
+		}
+
+		if uiaainfo.flows.is_empty() && !skip_auth {
+			// Registration isn't _disabled_, but there's no captcha configured and no
+			// registration tokens currently set. Bail out by default unless open
+			// registration was explicitly enabled.
+			if !services
+				.config
+				.yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse
+			{
+				return Err!(Request(Forbidden(
+					"This server is not accepting registrations at this time."
+				)));
+			}
+
+			// We have open registration enabled (😧), provide a dummy stage
+			uiaainfo = UiaaInfo {
+				flows: vec![AuthFlow { stages: vec![AuthType::Dummy] }],
+				completed: Vec::new(),
+				params: Box::default(),
+				session: None,
+				auth_error: None,
+			};
+		}
 	}
 
 	if !skip_auth {
@@ -513,39 +528,29 @@ pub(crate) async fn register_route(
 		}
 	}
 
-	// If this is the first real user, grant them admin privileges except for guest
-	// users
-	// Note: the server user is generated first
 	if !is_guest {
-		if let Ok(admin_room) = services.admin.get_admin_room().await {
-			if services
-				.rooms
-				.state_cache
-				.room_joined_count(&admin_room)
-				.await
-				.is_ok_and(is_equal_to!(1))
-			{
-				services.admin.make_user_admin(&user_id).boxed().await?;
-				warn!("Granting {user_id} admin privileges as the first user");
-			} else if services.config.suspend_on_register {
-				// This is not an admin, suspend them.
-				// Note that we can still do auto joins for suspended users
+		// Make the first user to register an administrator and disable first-run mode.
+		let was_first_user = services.firstrun.empower_first_user(&user_id).await?;
+
+		// If the registering user was not the first and we're suspending users on
+		// register, suspend them.
+		if !was_first_user && services.config.suspend_on_register {
+			// Note that we can still do auto joins for suspended users
+			services
+				.users
+				.suspend_account(&user_id, &services.globals.server_user)
+				.await;
+			// And send an @room notice to the admin room, to prompt admins to review the
+			// new user and ideally unsuspend them if deemed appropriate.
+			if services.server.config.admin_room_notices {
 				services
-					.users
-					.suspend_account(&user_id, &services.globals.server_user)
-					.await;
-				// And send an @room notice to the admin room, to prompt admins to review the
-				// new user and ideally unsuspend them if deemed appropriate.
-				if services.server.config.admin_room_notices {
-					services
-						.admin
-						.send_loud_message(RoomMessageEventContent::text_plain(format!(
-							"User {user_id} has been suspended as they are not the first user \
-							 on this server. Please review and unsuspend them if appropriate."
-						)))
-						.await
-						.ok();
-				}
+					.admin
+					.send_loud_message(RoomMessageEventContent::text_plain(format!(
+						"User {user_id} has been suspended as they are not the first user on \
+						 this server. Please review and unsuspend them if appropriate."
+					)))
+					.await
+					.ok();
 			}
 		}
 	}
@@ -582,7 +587,6 @@ pub(crate) async fn register_route(
 					&room_id,
 					Some("Automatically joining this room upon registration".to_owned()),
 					&[services.globals.server_name().to_owned(), room_server_name.to_owned()],
-					None,
 					&body.appservice_info,
 				)
 				.boxed()
@@ -815,9 +819,6 @@ pub(crate) async fn deactivate_route(
 		.collect()
 		.await;
 
-	super::update_displayname(&services, sender_user, None, &all_joined_rooms).await;
-	super::update_avatar_url(&services, sender_user, None, None, &all_joined_rooms).await;
-
 	full_user_deactivate(&services, sender_user, &all_joined_rooms)
 		.boxed()
 		.await?;
@@ -907,9 +908,6 @@ pub async fn full_user_deactivate(
 ) -> Result<()> {
 	services.users.deactivate_account(user_id).await.ok();
 
-	super::update_displayname(services, user_id, None, all_joined_rooms).await;
-	super::update_avatar_url(services, user_id, None, None, all_joined_rooms).await;
-
 	services
 		.users
 		.all_profile_keys(user_id)
@@ -918,9 +916,11 @@ pub async fn full_user_deactivate(
 		})
 		.await;
 
-	for room_id in all_joined_rooms {
-		let state_lock = services.rooms.state.mutex.lock(room_id).await;
+	// TODO: Rescind all user invites
 
+	let mut pdu_queue: Vec<(PduBuilder, &OwnedRoomId)> = Vec::new();
+
+	for room_id in all_joined_rooms {
 		let room_power_levels = services
 			.rooms
 			.state_accessor
@@ -948,30 +948,33 @@ pub async fn full_user_deactivate(
 		if user_can_demote_self {
 			let mut power_levels_content = room_power_levels.unwrap_or_default();
 			power_levels_content.users.remove(user_id);
-
-			// ignore errors so deactivation doesn't fail
-			match services
-				.rooms
-				.timeline
-				.build_and_append_pdu(
-					PduBuilder::state(String::new(), &power_levels_content),
-					user_id,
-					Some(room_id),
-					&state_lock,
-				)
-				.await
-			{
-				| Err(e) => {
-					warn!(%room_id, %user_id, "Failed to demote user's own power level: {e}");
-				},
-				| _ => {
-					info!("Demoted {user_id} in {room_id} as part of account deactivation");
-				},
-			}
+			let pl_evt = PduBuilder::state(String::new(), &power_levels_content);
+			pdu_queue.push((pl_evt, room_id));
 		}
+
+		// Leave the room
+		pdu_queue.push((
+			PduBuilder::state(user_id.to_string(), &RoomMemberEventContent {
+				avatar_url: None,
+				blurhash: None,
+				membership: MembershipState::Leave,
+				displayname: None,
+				join_authorized_via_users_server: None,
+				reason: None,
+				is_direct: None,
+				third_party_invite: None,
+				redact_events: None,
+			}),
+			room_id,
+		));
+
+		// TODO: Redact all messages sent by the user in the room
 	}
 
-	super::leave_all_rooms(services, user_id).boxed().await;
+	super::update_all_rooms(services, pdu_queue, user_id).await;
+	for room_id in all_joined_rooms {
+		services.rooms.state_cache.forget(room_id, user_id);
+	}
 
 	Ok(())
 }

src/api/client/account_data.rs

@@ -9,7 +9,7 @@
 	},
 	events::{
 		AnyGlobalAccountDataEventContent, AnyRoomAccountDataEventContent,
-		GlobalAccountDataEventType, RoomAccountDataEventType,
+		RoomAccountDataEventType,
 	},
 	serde::Raw,
 };
@@ -126,12 +126,6 @@ async fn set_account_data(
 		)));
 	}
 
-	if event_type_s == GlobalAccountDataEventType::PushRules.to_cow_str() {
-		return Err!(Request(BadJson(
-			"This endpoint cannot be used for setting/configuring push rules."
-		)));
-	}
-
 	let data: serde_json::Value = serde_json::from_str(data.get())
 		.map_err(|e| err!(Request(BadJson(warn!("Invalid JSON provided: {e}")))))?;
 

src/api/client/alias.rs

@@ -1,12 +1,6 @@
 use axum::extract::State;
-use conduwuit::{Err, Result, debug};
-use conduwuit_service::Services;
-use futures::StreamExt;
-use rand::seq::SliceRandom;
-use ruma::{
-	OwnedServerName, RoomAliasId, RoomId,
-	api::client::alias::{create_alias, delete_alias, get_alias},
-};
+use conduwuit::{Err, Result};
+use ruma::api::client::alias::{create_alias, delete_alias, get_alias};
 
 use crate::Ruma;
 
@@ -96,65 +90,9 @@ pub(crate) async fn get_alias_route(
 ) -> Result<get_alias::v3::Response> {
 	let room_alias = body.body.room_alias;
 
-	let Ok((room_id, servers)) = services.rooms.alias.resolve_alias(&room_alias, None).await
-	else {
+	let Ok((room_id, servers)) = services.rooms.alias.resolve_alias(&room_alias).await else {
 		return Err!(Request(NotFound("Room with alias not found.")));
 	};
 
-	let servers = room_available_servers(&services, &room_id, &room_alias, servers).await;
-	debug!(%room_alias, %room_id, "available servers: {servers:?}");
-
 	Ok(get_alias::v3::Response::new(room_id, servers))
 }
-
-async fn room_available_servers(
-	services: &Services,
-	room_id: &RoomId,
-	room_alias: &RoomAliasId,
-	pre_servers: Vec<OwnedServerName>,
-) -> Vec<OwnedServerName> {
-	// find active servers in room state cache to suggest
-	let mut servers: Vec<OwnedServerName> = services
-		.rooms
-		.state_cache
-		.room_servers(room_id)
-		.map(ToOwned::to_owned)
-		.collect()
-		.await;
-
-	// push any servers we want in the list already (e.g. responded remote alias
-	// servers, room alias server itself)
-	servers.extend(pre_servers);
-
-	servers.sort_unstable();
-	servers.dedup();
-
-	// shuffle list of servers randomly after sort and dedupe
-	servers.shuffle(&mut rand::thread_rng());
-
-	// insert our server as the very first choice if in list, else check if we can
-	// prefer the room alias server first
-	match servers
-		.iter()
-		.position(|server_name| services.globals.server_is_ours(server_name))
-	{
-		| Some(server_index) => {
-			servers.swap_remove(server_index);
-			servers.insert(0, services.globals.server_name().to_owned());
-		},
-		| _ => {
-			match servers
-				.iter()
-				.position(|server| server == room_alias.server_name())
-			{
-				| Some(alias_server_index) => {
-					servers.swap_remove(alias_server_index);
-					servers.insert(0, room_alias.server_name().into());
-				},
-				| _ => {},
-			}
-		},
-	}
-
-	servers
-}

src/api/client/context.rs

@@ -16,7 +16,10 @@
 
 use crate::{
 	Ruma,
-	client::message::{event_filter, ignored_filter, lazy_loading_witness, visibility_filter},
+	client::{
+		is_ignored_pdu,
+		message::{event_filter, ignored_filter, lazy_loading_witness, visibility_filter},
+	},
 };
 
 const LIMIT_MAX: usize = 100;
@@ -78,6 +81,9 @@ pub(crate) async fn get_context_route(
 		return Err!(Request(NotFound("Event not found.")));
 	}
 
+	// Return M_SENDER_IGNORED if the sender of base_event is ignored (MSC4406)
+	is_ignored_pdu(&services, &base_pdu, sender_user).await?;
+
 	let base_count = base_id.pdu_count();
 
 	let base_event = ignored_filter(&services, (base_count, base_pdu), sender_user);

src/api/client/keys.rs

@@ -91,8 +91,11 @@ pub(crate) async fn upload_keys_route(
 			.users
 			.get_device_keys(sender_user, sender_device)
 			.await
+			.and_then(|keys| keys.deserialize().map_err(Into::into))
 		{
-			if existing_keys.json().get() == device_keys.json().get() {
+			// NOTE: also serves as a workaround for a nheko bug which omits cross-signing
+			// NOTE: signatures when re-uploading the same DeviceKeys.
+			if existing_keys.keys == deser_device_keys.keys {
 				debug!(
 					%sender_user,
 					%sender_device,

src/api/client/media.rs

@@ -6,6 +6,7 @@
 	Err, Result, err,
 	utils::{self, content_disposition::make_content_disposition, math::ruma_from_usize},
 };
+use conduwuit_core::error;
 use conduwuit_service::{
 	Services,
 	media::{CACHE_CONTROL_IMMUTABLE, CORP_CROSS_ORIGIN, Dim, FileMeta, MXC_LENGTH},
@@ -144,12 +145,22 @@ pub(crate) async fn get_content_route(
 		server_name: &body.server_name,
 		media_id: &body.media_id,
 	};
-
 	let FileMeta {
 		content,
 		content_type,
 		content_disposition,
-	} = fetch_file(&services, &mxc, user, body.timeout_ms, None).await?;
+	} = match fetch_file(&services, &mxc, user, body.timeout_ms, None).await {
+		| Ok(meta) => meta,
+		| Err(conduwuit::Error::Io(e)) => match e.kind() {
+			| std::io::ErrorKind::NotFound => return Err!(Request(NotFound("Media not found."))),
+			| std::io::ErrorKind::PermissionDenied => {
+				error!("Permission denied when trying to read file: {e:?}");
+				return Err!(Request(Unknown("Unknown error when fetching file.")));
+			},
+			| _ => return Err!(Request(Unknown("Unknown error when fetching file."))),
+		},
+		| Err(_) => return Err!(Request(Unknown("Unknown error when fetching file."))),
+	};
 
 	Ok(get_content::v1::Response {
 		file: content.expect("entire file contents"),
@@ -185,7 +196,18 @@ pub(crate) async fn get_content_as_filename_route(
 		content,
 		content_type,
 		content_disposition,
-	} = fetch_file(&services, &mxc, user, body.timeout_ms, Some(&body.filename)).await?;
+	} = match fetch_file(&services, &mxc, user, body.timeout_ms, None).await {
+		| Ok(meta) => meta,
+		| Err(conduwuit::Error::Io(e)) => match e.kind() {
+			| std::io::ErrorKind::NotFound => return Err!(Request(NotFound("Media not found."))),
+			| std::io::ErrorKind::PermissionDenied => {
+				error!("Permission denied when trying to read file: {e:?}");
+				return Err!(Request(Unknown("Unknown error when fetching file.")));
+			},
+			| _ => return Err!(Request(Unknown("Unknown error when fetching file."))),
+		},
+		| Err(_) => return Err!(Request(Unknown("Unknown error when fetching file."))),
+	};
 
 	Ok(get_content_as_filename::v1::Response {
 		file: content.expect("entire file contents"),

src/api/client/membership/join.rs

@@ -3,7 +3,7 @@
 use axum::extract::State;
 use axum_client_ip::InsecureClientIp;
 use conduwuit::{
-	Err, Result, debug, debug_info, debug_warn, err, error, info,
+	Err, Result, debug, debug_info, debug_warn, err, error, info, is_true,
 	matrix::{
 		StateKey,
 		event::{gen_event_id, gen_event_id_canonical_json},
@@ -15,6 +15,7 @@
 	utils::{
 		self, shuffle,
 		stream::{IterStream, ReadyExt},
+		to_canonical_object,
 	},
 	warn,
 };
@@ -25,7 +26,7 @@
 	api::{
 		client::{
 			error::ErrorKind,
-			membership::{ThirdPartySigned, join_room_by_id, join_room_by_id_or_alias},
+			membership::{join_room_by_id, join_room_by_id_or_alias},
 		},
 		federation::{self},
 	},
@@ -33,7 +34,7 @@
 	events::{
 		StateEventType,
 		room::{
-			join_rules::{AllowRule, JoinRule},
+			join_rules::JoinRule,
 			member::{MembershipState, RoomMemberEventContent},
 		},
 	},
@@ -47,9 +48,13 @@
 		timeline::pdu_fits,
 	},
 };
+use tokio::join;
 
 use super::{banned_room_check, validate_remote_member_event_stub};
-use crate::Ruma;
+use crate::{
+	Ruma,
+	server::{select_authorising_user, user_can_perform_restricted_join},
+};
 
 /// # `POST /_matrix/client/r0/rooms/{roomId}/join`
 ///
@@ -115,7 +120,6 @@ pub(crate) async fn join_room_by_id_route(
 		&body.room_id,
 		body.reason.clone(),
 		&servers,
-		body.third_party_signed.as_ref(),
 		&body.appservice_info,
 	)
 	.boxed()
@@ -194,11 +198,7 @@ pub(crate) async fn join_room_by_id_or_alias_route(
 			(servers, room_id)
 		},
 		| Err(room_alias) => {
-			let (room_id, mut servers) = services
-				.rooms
-				.alias
-				.resolve_alias(&room_alias, Some(body.via.clone()))
-				.await?;
+			let (room_id, mut servers) = services.rooms.alias.resolve_alias(&room_alias).await?;
 
 			banned_room_check(
 				&services,
@@ -247,7 +247,6 @@ pub(crate) async fn join_room_by_id_or_alias_route(
 		&room_id,
 		body.reason.clone(),
 		&servers,
-		body.third_party_signed.as_ref(),
 		appservice_info,
 	)
 	.boxed()
@@ -262,7 +261,6 @@ pub async fn join_room_by_id_helper(
 	room_id: &RoomId,
 	reason: Option<String>,
 	servers: &[OwnedServerName],
-	third_party_signed: Option<&ThirdPartySigned>,
 	appservice_info: &Option<RegistrationInfo>,
 ) -> Result<join_room_by_id::v3::Response> {
 	let state_lock = services.rooms.state.mutex.lock(room_id).await;
@@ -350,17 +348,9 @@ pub async fn join_room_by_id_helper(
 	}
 
 	if server_in_room {
-		join_room_by_id_helper_local(
-			services,
-			sender_user,
-			room_id,
-			reason,
-			servers,
-			third_party_signed,
-			state_lock,
-		)
-		.boxed()
-		.await?;
+		join_room_by_id_helper_local(services, sender_user, room_id, reason, servers, state_lock)
+			.boxed()
+			.await?;
 	} else {
 		// Ask a remote server if we are not participating in this room
 		join_room_by_id_helper_remote(
@@ -369,7 +359,6 @@ pub async fn join_room_by_id_helper(
 			room_id,
 			reason,
 			servers,
-			third_party_signed,
 			state_lock,
 		)
 		.boxed()
@@ -385,7 +374,6 @@ async fn join_room_by_id_helper_remote(
 	room_id: &RoomId,
 	reason: Option<String>,
 	servers: &[OwnedServerName],
-	_third_party_signed: Option<&ThirdPartySigned>,
 	state_lock: RoomMutexGuard,
 ) -> Result {
 	info!("Joining {room_id} over federation.");
@@ -395,11 +383,10 @@ async fn join_room_by_id_helper_remote(
 
 	info!("make_join finished");
 
-	let Some(room_version_id) = make_join_response.room_version else {
-		return Err!(BadServerResponse("Remote room version is not supported by conduwuit"));
-	};
+	let room_version_id = make_join_response.room_version.unwrap_or(RoomVersionId::V1);
 
 	if !services.server.supported_room_version(&room_version_id) {
+		// How did we get here?
 		return Err!(BadServerResponse(
 			"Remote room version {room_version_id} is not supported by conduwuit"
 		));
@@ -428,10 +415,6 @@ async fn join_room_by_id_helper_remote(
 		}
 	};
 
-	join_event_stub.insert(
-		"origin".to_owned(),
-		CanonicalJsonValue::String(services.globals.server_name().as_str().to_owned()),
-	);
 	join_event_stub.insert(
 		"origin_server_ts".to_owned(),
 		CanonicalJsonValue::Integer(
@@ -743,87 +726,45 @@ async fn join_room_by_id_helper_local(
 	room_id: &RoomId,
 	reason: Option<String>,
 	servers: &[OwnedServerName],
-	_third_party_signed: Option<&ThirdPartySigned>,
 	state_lock: RoomMutexGuard,
 ) -> Result {
-	debug_info!("We can join locally");
-	let join_rules = services.rooms.state_accessor.get_join_rules(room_id).await;
+	info!("Joining room locally");
 
-	let mut restricted_join_authorized = None;
-	match join_rules {
-		| JoinRule::Restricted(restricted) | JoinRule::KnockRestricted(restricted) => {
-			for restriction in restricted.allow {
-				match restriction {
-					| AllowRule::RoomMembership(membership) => {
-						if services
-							.rooms
-							.state_cache
-							.is_joined(sender_user, &membership.room_id)
-							.await
-						{
-							restricted_join_authorized = Some(true);
-							break;
-						}
-					},
-					| AllowRule::UnstableSpamChecker => {
-						match services
-							.antispam
-							.meowlnir_accept_make_join(room_id.to_owned(), sender_user.to_owned())
-							.await
-						{
-							| Ok(()) => {
-								restricted_join_authorized = Some(true);
-								break;
-							},
-							| Err(_) =>
-								return Err!(Request(Forbidden(
-									"Antispam rejected join request."
-								))),
-						}
-					},
-					| _ => {},
-				}
+	let (room_version, join_rules, is_invited) = join!(
+		services.rooms.state.get_room_version(room_id),
+		services.rooms.state_accessor.get_join_rules(room_id),
+		services.rooms.state_cache.is_invited(sender_user, room_id)
+	);
+
+	let room_version = room_version?;
+	let mut auth_user: Option<OwnedUserId> = None;
+	if !is_invited && matches!(join_rules, JoinRule::Restricted(_) | JoinRule::KnockRestricted(_))
+	{
+		use RoomVersionId::*;
+		if !matches!(room_version, V1 | V2 | V3 | V4 | V5 | V6 | V7) {
+			// This is a restricted room, check if we can complete the join requirements
+			// locally.
+			let needs_auth_user =
+				user_can_perform_restricted_join(services, sender_user, room_id, &room_version)
+					.await;
+			if needs_auth_user.is_ok_and(is_true!()) {
+				// If there was an error or the value is false, we'll try joining over
+				// federation. Since it's Ok(true), we can authorise this locally.
+				// If we can't select a local user, this will remain None, the join will fail,
+				// and we'll fall back to federation.
+				auth_user = select_authorising_user(services, room_id, sender_user, &state_lock)
+					.await
+					.ok();
 			}
-		},
-		| _ => {},
-	}
-	let join_authorized_via_users_server = if restricted_join_authorized.is_none() {
-		None
-	} else {
-		match restricted_join_authorized.unwrap() {
-			| true => services
-				.rooms
-				.state_cache
-				.local_users_in_room(room_id)
-				.filter(|user| {
-					trace!("Checking if {user} can invite {sender_user} to {room_id}");
-					services.rooms.state_accessor.user_can_invite(
-						room_id,
-						user,
-						sender_user,
-						&state_lock,
-					)
-				})
-				.boxed()
-				.next()
-				.await
-				.map(ToOwned::to_owned),
-			| false => {
-				warn!(
-					"Join authorization failed for restricted join in room {room_id} for user \
-					 {sender_user}"
-				);
-				return Err!(Request(Forbidden("You are not authorized to join this room.")));
-			},
 		}
-	};
+	}
 
 	let content = RoomMemberEventContent {
 		displayname: services.users.displayname(sender_user).await.ok(),
 		avatar_url: services.users.avatar_url(sender_user).await.ok(),
 		blurhash: services.users.blurhash(sender_user).await.ok(),
 		reason: reason.clone(),
-		join_authorized_via_users_server,
+		join_authorized_via_users_server: auth_user,
 		..RoomMemberEventContent::new(MembershipState::Join)
 	};
 
@@ -839,6 +780,7 @@ async fn join_room_by_id_helper_local(
 		)
 		.await
 	else {
+		info!("Joined room locally");
 		return Ok(());
 	};
 
@@ -846,138 +788,13 @@ async fn join_room_by_id_helper_local(
 		return Err(error);
 	}
 
-	warn!(
+	info!(
 		?error,
-		servers = %servers.len(),
-		"Could not join restricted room locally, attempting remote join",
+		remote_servers = %servers.len(),
+		"Could not join room locally, attempting remote join",
 	);
-	let Ok((make_join_response, remote_server)) =
-		make_join_request(services, sender_user, room_id, servers).await
-	else {
-		return Err(error);
-	};
-
-	let Some(room_version_id) = make_join_response.room_version else {
-		return Err!(BadServerResponse("Remote room version is not supported by conduwuit"));
-	};
-
-	if !services.server.supported_room_version(&room_version_id) {
-		return Err!(BadServerResponse(
-			"Remote room version {room_version_id} is not supported by conduwuit"
-		));
-	}
-
-	let mut join_event_stub: CanonicalJsonObject =
-		serde_json::from_str(make_join_response.event.get()).map_err(|e| {
-			err!(BadServerResponse("Invalid make_join event json received from server: {e:?}"))
-		})?;
-
-	validate_remote_member_event_stub(
-		&MembershipState::Join,
-		sender_user,
-		room_id,
-		&join_event_stub,
-	)?;
-
-	let join_authorized_via_users_server = join_event_stub
-		.get("content")
-		.map(|s| {
-			s.as_object()?
-				.get("join_authorised_via_users_server")?
-				.as_str()
-		})
-		.and_then(|s| OwnedUserId::try_from(s.unwrap_or_default()).ok());
-
-	join_event_stub.insert(
-		"origin".to_owned(),
-		CanonicalJsonValue::String(services.globals.server_name().as_str().to_owned()),
-	);
-	join_event_stub.insert(
-		"origin_server_ts".to_owned(),
-		CanonicalJsonValue::Integer(
-			utils::millis_since_unix_epoch()
-				.try_into()
-				.expect("Timestamp is valid js_int value"),
-		),
-	);
-	join_event_stub.insert(
-		"content".to_owned(),
-		to_canonical_value(RoomMemberEventContent {
-			displayname: services.users.displayname(sender_user).await.ok(),
-			avatar_url: services.users.avatar_url(sender_user).await.ok(),
-			blurhash: services.users.blurhash(sender_user).await.ok(),
-			reason,
-			join_authorized_via_users_server,
-			..RoomMemberEventContent::new(MembershipState::Join)
-		})
-		.expect("event is valid, we just created it"),
-	);
-
-	// We keep the "event_id" in the pdu only in v1 or
-	// v2 rooms
-	match room_version_id {
-		| RoomVersionId::V1 | RoomVersionId::V2 => {},
-		| _ => {
-			join_event_stub.remove("event_id");
-		},
-	}
-
-	// In order to create a compatible ref hash (EventID) the `hashes` field needs
-	// to be present
-	services
-		.server_keys
-		.hash_and_sign_event(&mut join_event_stub, &room_version_id)?;
-
-	// Generate event id
-	let event_id = gen_event_id(&join_event_stub, &room_version_id)?;
-
-	// Add event_id back
-	join_event_stub
-		.insert("event_id".to_owned(), CanonicalJsonValue::String(event_id.clone().into()));
-
-	// It has enough fields to be called a proper event now
-	let join_event = join_event_stub;
-
-	let send_join_response = services
-		.sending
-		.send_synapse_request(
-			&remote_server,
-			federation::membership::create_join_event::v2::Request {
-				room_id: room_id.to_owned(),
-				event_id: event_id.clone(),
-				omit_members: false,
-				pdu: services
-					.sending
-					.convert_to_outgoing_federation_event(join_event.clone())
-					.await,
-			},
-		)
-		.await?;
-
-	if let Some(signed_raw) = send_join_response.room_state.event {
-		let (signed_event_id, signed_value) =
-			gen_event_id_canonical_json(&signed_raw, &room_version_id).map_err(|e| {
-				err!(Request(BadJson(warn!("Could not convert event to canonical JSON: {e}"))))
-			})?;
-
-		if signed_event_id != event_id {
-			return Err!(Request(BadJson(
-				warn!(%signed_event_id, %event_id, "Server {remote_server} sent event with wrong event ID")
-			)));
-		}
-
-		drop(state_lock);
-		services
-			.rooms
-			.event_handler
-			.handle_incoming_pdu(&remote_server, room_id, &signed_event_id, signed_value, true)
-			.boxed()
-			.await?;
-	} else {
-		return Err(error);
-	}
-
-	Ok(())
+	join_room_by_id_helper_remote(services, sender_user, room_id, reason, servers, state_lock)
+		.await
 }
 
 async fn make_join_request(
@@ -986,17 +803,16 @@ async fn make_join_request(
 	room_id: &RoomId,
 	servers: &[OwnedServerName],
 ) -> Result<(federation::membership::prepare_join_event::v1::Response, OwnedServerName)> {
-	let mut make_join_response_and_server =
-		Err!(BadServerResponse("No server available to assist in joining."));
-
-	let mut make_join_counter: usize = 0;
-	let mut incompatible_room_version_count: usize = 0;
+	let mut make_join_counter: usize = 1;
 
 	for remote_server in servers {
 		if services.globals.server_is_ours(remote_server) {
 			continue;
 		}
-		info!("Asking {remote_server} for make_join ({make_join_counter})");
+		info!(
+			"Asking {remote_server} for make_join (attempt {make_join_counter}/{})",
+			servers.len()
+		);
 		let make_join_response = services
 			.sending
 			.send_federation_request(
@@ -1012,44 +828,56 @@ async fn make_join_request(
 		trace!("make_join response: {:?}", make_join_response);
 		make_join_counter = make_join_counter.saturating_add(1);
 
-		if let Err(ref e) = make_join_response {
-			if matches!(
-				e.kind(),
-				ErrorKind::IncompatibleRoomVersion { .. } | ErrorKind::UnsupportedRoomVersion
-			) {
-				incompatible_room_version_count =
-					incompatible_room_version_count.saturating_add(1);
-			}
-
-			if incompatible_room_version_count > 15 {
-				info!(
-					"15 servers have responded with M_INCOMPATIBLE_ROOM_VERSION or \
-					 M_UNSUPPORTED_ROOM_VERSION, assuming that conduwuit does not support the \
-					 room version {room_id}: {e}"
-				);
-				make_join_response_and_server =
-					Err!(BadServerResponse("Room version is not supported by Conduwuit"));
-				return make_join_response_and_server;
-			}
-
-			if make_join_counter > 40 {
-				warn!(
-					"40 servers failed to provide valid make_join response, assuming no server \
-					 can assist in joining."
-				);
-				make_join_response_and_server =
-					Err!(BadServerResponse("No server available to assist in joining."));
-
-				return make_join_response_and_server;
-			}
-		}
-
-		make_join_response_and_server = make_join_response.map(|r| (r, remote_server.clone()));
-
-		if make_join_response_and_server.is_ok() {
-			break;
+		match make_join_response {
+			| Ok(response) => {
+				info!("Received make_join response from {remote_server}");
+				if let Err(e) = validate_remote_member_event_stub(
+					&MembershipState::Join,
+					sender_user,
+					room_id,
+					&to_canonical_object(&response.event)?,
+				) {
+					warn!("make_join response from {remote_server} failed validation: {e}");
+					continue;
+				}
+				return Ok((response, remote_server.clone()));
+			},
+			| Err(e) => match e.kind() {
+				| ErrorKind::UnableToAuthorizeJoin => {
+					info!(
+						"{remote_server} was unable to verify the joining user satisfied \
+						 restricted join requirements: {e}. Will continue trying."
+					);
+				},
+				| ErrorKind::UnableToGrantJoin => {
+					info!(
+						"{remote_server} believes the joining user satisfies restricted join \
+						 rules, but is unable to authorise a join for us. Will continue trying."
+					);
+				},
+				| ErrorKind::IncompatibleRoomVersion { room_version } => {
+					warn!(
+						"{remote_server} reports the room we are trying to join is \
+						 v{room_version}, which we do not support."
+					);
+					return Err(e);
+				},
+				| ErrorKind::Forbidden { .. } => {
+					warn!("{remote_server} refuses to let us join: {e}.");
+					return Err(e);
+				},
+				| ErrorKind::NotFound => {
+					info!(
+						"{remote_server} does not know about {room_id}: {e}. Will continue \
+						 trying."
+					);
+				},
+				| _ => {
+					info!("{remote_server} failed to make_join: {e}. Will continue trying.");
+				},
+			},
 		}
 	}
-
-	make_join_response_and_server
+	info!("All {} servers were unable to assist in joining {room_id} :(", servers.len());
+	Err!(BadServerResponse("No server available to assist in joining."))
 }

src/api/client/membership/knock.rs

@@ -10,7 +10,7 @@
 	},
 	result::FlatOk,
 	trace,
-	utils::{self, shuffle, stream::IterStream},
+	utils::{self, shuffle, stream::IterStream, to_canonical_object},
 	warn,
 };
 use futures::{FutureExt, StreamExt};
@@ -102,11 +102,7 @@ pub(crate) async fn knock_room_route(
 			(servers, room_id)
 		},
 		| Err(room_alias) => {
-			let (room_id, mut servers) = services
-				.rooms
-				.alias
-				.resolve_alias(&room_alias, Some(body.via.clone()))
-				.await?;
+			let (room_id, mut servers) = services.rooms.alias.resolve_alias(&room_alias).await?;
 
 			banned_room_check(
 				&services,
@@ -253,7 +249,6 @@ async fn knock_room_by_id_helper(
 				room_id,
 				reason.clone(),
 				servers,
-				None,
 				&None,
 			)
 			.await
@@ -741,6 +736,17 @@ async fn make_knock_request(
 
 		trace!("make_knock response: {make_knock_response:?}");
 		make_knock_counter = make_knock_counter.saturating_add(1);
+		if let Ok(r) = &make_knock_response {
+			if let Err(e) = validate_remote_member_event_stub(
+				&MembershipState::Knock,
+				sender_user,
+				room_id,
+				&to_canonical_object(&r.event)?,
+			) {
+				warn!("make_knock response from {remote_server} failed validation: {e}");
+				continue;
+			}
+		}
 
 		make_knock_response_and_server = make_knock_response.map(|r| (r, remote_server.clone()));
 

src/api/client/membership/mod.rs

@@ -231,7 +231,7 @@ pub(crate) fn validate_remote_member_event_stub(
 	};
 	if event_membership != &membership.as_str() {
 		return Err!(BadServerResponse(
-			"Remote server returned member event with incorrect room_id"
+			"Remote server returned member event with incorrect membership type"
 		));
 	}
 

src/api/client/message.rs

@@ -1,7 +1,7 @@
 use axum::extract::State;
 use axum_client_ip::InsecureClientIp;
 use conduwuit::{
-	Err, Result, at, debug_warn,
+	Err, Error, Result, at, debug_warn,
 	matrix::{
 		event::{Event, Matches},
 		pdu::PduCount,
@@ -26,7 +26,7 @@
 	DeviceId, RoomId, UserId,
 	api::{
 		Direction,
-		client::{filter::RoomEventFilter, message::get_message_events},
+		client::{error::ErrorKind, filter::RoomEventFilter, message::get_message_events},
 	},
 	events::{
 		AnyStateEvent, StateEventType,
@@ -279,23 +279,30 @@ pub(crate) async fn ignored_filter(
 
 	is_ignored_pdu(services, pdu, user_id)
 		.await
+		.unwrap_or(true)
 		.eq(&false)
 		.then_some(item)
 }
 
+/// Determine whether a PDU should be ignored for a given recipient user.
+/// Returns True if this PDU should be ignored, returns False otherwise.
+///
+/// The error SenderIgnored is returned if the sender or the sender's server is
+/// ignored by the relevant user. If the error cannot be returned to the user,
+/// it should equate to a true value (i.e. ignored).
 #[inline]
 pub(crate) async fn is_ignored_pdu<Pdu>(
 	services: &Services,
 	event: &Pdu,
 	recipient_user: &UserId,
-) -> bool
+) -> Result<bool>
 where
 	Pdu: Event + Send + Sync,
 {
 	// exclude Synapse's dummy events from bloating up response bodies. clients
 	// don't need to see this.
 	if event.kind().to_cow_str() == "org.matrix.dummy_event" {
-		return true;
+		return Ok(true);
 	}
 
 	let sender_user = event.sender();
@@ -310,21 +317,27 @@ pub(crate) async fn is_ignored_pdu<Pdu>(
 
 	if !type_ignored {
 		// We cannot safely ignore this type
-		return false;
+		return Ok(false);
 	}
 
 	if server_ignored {
 		// the sender's server is ignored, so ignore this event
-		return true;
+		return Err(Error::BadRequest(
+			ErrorKind::SenderIgnored { sender: None },
+			"The sender's server is ignored by this server.",
+		));
 	}
 
 	if user_ignored && !services.config.send_messages_from_ignored_users_to_client {
 		// the recipient of this PDU has the sender ignored, and we're not
 		// configured to send ignored messages to clients
-		return true;
+		return Err(Error::BadRequest(
+			ErrorKind::SenderIgnored { sender: Some(event.sender().to_owned()) },
+			"You have ignored this sender.",
+		));
 	}
 
-	false
+	Ok(false)
 }
 
 #[inline]
@@ -371,11 +384,3 @@ pub(crate) async fn is_ignored_invite(
 		.invite_filter_level(&sender_user, recipient_user)
 		.await == FilterLevel::Ignore
 }
-
-#[cfg_attr(debug_assertions, ctor::ctor)]
-fn _is_sorted() {
-	debug_assert!(
-		IGNORED_MESSAGE_TYPES.is_sorted(),
-		"IGNORED_MESSAGE_TYPES must be sorted by the developer"
-	);
-}

src/api/client/relations.rs

@@ -1,6 +1,6 @@
 use axum::extract::State;
 use conduwuit::{
-	Err, Result, at, debug_warn,
+	Err, Result, at, debug_warn, err,
 	matrix::{Event, event::RelationTypeEqual, pdu::PduCount},
 	utils::{IterStream, ReadyExt, result::FlatOk, stream::WidebandExt},
 };
@@ -18,7 +18,7 @@
 	events::{TimelineEventType, relation::RelationType},
 };
 
-use crate::Ruma;
+use crate::{Ruma, client::is_ignored_pdu};
 
 /// # `GET /_matrix/client/r0/rooms/{roomId}/relations/{eventId}/{relType}/{eventType}`
 pub(crate) async fn get_relating_events_with_rel_type_and_event_type_route(
@@ -118,6 +118,14 @@ async fn paginate_relations_with_filter(
 		debug_warn!(req_evt = %target, %room_id, "Event relations requested by {sender_user} but is not allowed to see it, returning 404");
 		return Err!(Request(NotFound("Event not found.")));
 	}
+	let target_pdu = services
+		.rooms
+		.timeline
+		.get_pdu(target)
+		.await
+		.map_err(|_| err!(Request(NotFound("Event not found."))))?;
+	// Return M_SENDER_IGNORED if the sender of base_event is ignored (MSC4406)
+	is_ignored_pdu(services, &target_pdu, sender_user).await?;
 
 	let start: PduCount = from
 		.map(str::parse)
@@ -159,6 +167,7 @@ async fn paginate_relations_with_filter(
 		.ready_take_while(|(count, _)| Some(*count) != to)
 		.take(limit)
 		.wide_filter_map(|item| visibility_filter(services, sender_user, item))
+		.wide_filter_map(|item| ignored_filter(services, item, sender_user))
 		.then(async |mut pdu| {
 			if let Err(e) = services
 				.rooms
@@ -214,3 +223,17 @@ async fn visibility_filter<Pdu: Event + Send + Sync>(
 		.await
 		.then_some(item)
 }
+
+async fn ignored_filter<Pdu: Event + Send + Sync>(
+	services: &Services,
+	item: (PduCount, Pdu),
+	sender_user: &UserId,
+) -> Option<(PduCount, Pdu)> {
+	let (_, pdu) = &item;
+
+	if is_ignored_pdu(services, pdu, sender_user).await.ok()? {
+		None
+	} else {
+		Some(item)
+	}
+}

src/api/client/report.rs

@@ -4,7 +4,6 @@
 use axum_client_ip::InsecureClientIp;
 use conduwuit::{Err, Event, Result, debug_info, info, matrix::pdu::PduEvent, utils::ReadyExt};
 use conduwuit_service::Services;
-use rand::Rng;
 use ruma::{
 	EventId, OwnedEventId, OwnedRoomId, OwnedUserId, RoomId, UserId,
 	api::client::{
@@ -244,7 +243,7 @@ fn build_report(report: Report) -> RoomMessageEventContent {
 /// random delay sending a response per spec suggestion regarding
 /// enumerating for potential events existing in our server.
 async fn delay_response() {
-	let time_to_wait = rand::thread_rng().gen_range(2..5);
+	let time_to_wait = rand::random_range(2..5);
 	debug_info!(
 		"Got successful /report request, waiting {time_to_wait} seconds before sending \
 		 successful response."

src/api/client/room/event.rs

@@ -29,7 +29,7 @@ pub(crate) async fn get_room_event_route(
 
 	let (mut event, visible) = try_join(event, visible).await?;
 
-	if !visible || is_ignored_pdu(services, &event, body.sender_user()).await {
+	if !visible || is_ignored_pdu(services, &event, body.sender_user()).await? {
 		return Err!(Request(Forbidden("You don't have permission to view this event.")));
 	}
 

src/api/client/send.rs

@@ -50,8 +50,8 @@ pub(crate) async fn send_message_event_route(
 
 	// Check if this is a new transaction id
 	if let Ok(response) = services
-		.transaction_ids
-		.existing_txnid(sender_user, sender_device, &body.txn_id)
+		.transactions
+		.get_client_txn(sender_user, sender_device, &body.txn_id)
 		.await
 	{
 		// The client might have sent a txnid of the /sendToDevice endpoint
@@ -92,7 +92,7 @@ pub(crate) async fn send_message_event_route(
 		)
 		.await?;
 
-	services.transaction_ids.add_txnid(
+	services.transactions.add_client_txnid(
 		sender_user,
 		sender_device,
 		&body.txn_id,

src/api/client/session.rs

@@ -107,7 +107,7 @@ pub(super) async fn ldap_login(
 ) -> Result<OwnedUserId> {
 	let (user_dn, is_ldap_admin) = match services.config.ldap.bind_dn.as_ref() {
 		| Some(bind_dn) if bind_dn.contains("{username}") =>
-			(bind_dn.replace("{username}", lowercased_user_id.localpart()), false),
+			(bind_dn.replace("{username}", lowercased_user_id.localpart()), None),
 		| _ => {
 			debug!("Searching user in LDAP");
 
@@ -144,12 +144,16 @@ pub(super) async fn ldap_login(
 			.await?;
 	}
 
-	let is_conduwuit_admin = services.admin.user_is_admin(lowercased_user_id).await;
+	// Only sync admin status if LDAP can actually determine it.
+	// None means LDAP cannot determine admin status (manual config required).
+	if let Some(is_ldap_admin) = is_ldap_admin {
+		let is_conduwuit_admin = services.admin.user_is_admin(lowercased_user_id).await;
 
-	if is_ldap_admin && !is_conduwuit_admin {
-		Box::pin(services.admin.make_user_admin(lowercased_user_id)).await?;
-	} else if !is_ldap_admin && is_conduwuit_admin {
-		Box::pin(services.admin.revoke_admin(lowercased_user_id)).await?;
+		if is_ldap_admin && !is_conduwuit_admin {
+			Box::pin(services.admin.make_user_admin(lowercased_user_id)).await?;
+		} else if !is_ldap_admin && is_conduwuit_admin {
+			Box::pin(services.admin.revoke_admin(lowercased_user_id)).await?;
+		}
 	}
 
 	Ok(user_id)

src/api/client/state.rs

@@ -342,10 +342,10 @@ async fn allowed_to_send_state_event(
 					}
 
 					for alias in aliases {
-						let (alias_room_id, _servers) = services
+						let (alias_room_id, _) = services
 							.rooms
 							.alias
-							.resolve_alias(&alias, None)
+							.resolve_alias(&alias)
 							.await
 							.map_err(|e| {
 								err!(Request(Unknown("Failed resolving alias \"{alias}\": {e}")))

src/api/client/sync/v5.rs

@@ -30,7 +30,8 @@
 	api::client::sync::sync_events::{self, DeviceLists, UnreadNotificationsCount},
 	directory::RoomTypeFilter,
 	events::{
-		AnyRawAccountDataEvent, AnySyncEphemeralRoomEvent, StateEventType, TimelineEventType,
+		AnyRawAccountDataEvent, AnySyncEphemeralRoomEvent, AnySyncStateEvent, StateEventType,
+		TimelineEventType,
 		room::member::{MembershipState, RoomMemberEventContent},
 		typing::TypingEventContent,
 	},
@@ -335,7 +336,9 @@ async fn handle_lists<'a, Rooms, AllRooms>(
 		let ranges = list.ranges.clone();
 
 		for mut range in ranges {
-			range.0 = uint!(0);
+			range.0 = range
+				.0
+				.min(UInt::try_from(active_rooms.len()).unwrap_or(UInt::MAX));
 			range.1 = range.1.checked_add(uint!(1)).unwrap_or(range.1);
 			range.1 = range
 				.1
@@ -533,6 +536,9 @@ async fn process_rooms<'a, Rooms>(
 				}
 			});
 
+		let required_state =
+			collect_required_state(services, room_id, required_state_request).await;
+
 		let room_events: Vec<_> = timeline_pdus
 			.iter()
 			.stream()
@@ -551,21 +557,6 @@ async fn process_rooms<'a, Rooms>(
 			}
 		}
 
-		let required_state = required_state_request
-			.iter()
-			.stream()
-			.filter_map(|state| async move {
-				services
-					.rooms
-					.state_accessor
-					.room_state_get(room_id, &state.0, &state.1)
-					.await
-					.map(Event::into_format)
-					.ok()
-			})
-			.collect()
-			.await;
-
 		// Heroes
 		let heroes: Vec<_> = services
 			.rooms
@@ -689,6 +680,51 @@ async fn process_rooms<'a, Rooms>(
 	Ok(rooms)
 }
 
+/// Collect the required state events for a room
+async fn collect_required_state(
+	services: &Services,
+	room_id: &RoomId,
+	required_state_request: &BTreeSet<TypeStateKey>,
+) -> Vec<Raw<AnySyncStateEvent>> {
+	let mut required_state = Vec::new();
+	let mut wildcard_types: HashSet<&StateEventType> = HashSet::new();
+
+	for (event_type, state_key) in required_state_request {
+		if wildcard_types.contains(event_type) {
+			continue;
+		}
+
+		if state_key.as_str() == "*" {
+			wildcard_types.insert(event_type);
+			if let Ok(keys) = services
+				.rooms
+				.state_accessor
+				.room_state_keys(room_id, event_type)
+				.await
+			{
+				for key in keys {
+					if let Ok(event) = services
+						.rooms
+						.state_accessor
+						.room_state_get(room_id, event_type, &key)
+						.await
+					{
+						required_state.push(Event::into_format(event));
+					}
+				}
+			}
+		} else if let Ok(event) = services
+			.rooms
+			.state_accessor
+			.room_state_get(room_id, event_type, state_key)
+			.await
+		{
+			required_state.push(Event::into_format(event));
+		}
+	}
+	required_state
+}
+
 async fn collect_typing_events(
 	services: &Services,
 	sender_user: &UserId,

src/api/client/to_device.rs

@@ -26,8 +26,8 @@ pub(crate) async fn send_event_to_device_route(
 
 	// Check if this is a new transaction id
 	if services
-		.transaction_ids
-		.existing_txnid(sender_user, sender_device, &body.txn_id)
+		.transactions
+		.get_client_txn(sender_user, sender_device, &body.txn_id)
 		.await
 		.is_ok()
 	{
@@ -104,8 +104,8 @@ pub(crate) async fn send_event_to_device_route(
 
 	// Save transaction id with empty data
 	services
-		.transaction_ids
-		.add_txnid(sender_user, sender_device, &body.txn_id, &[]);
+		.transactions
+		.add_client_txnid(sender_user, sender_device, &body.txn_id, &[]);
 
 	Ok(send_event_to_device::v3::Response {})
 }

src/api/client/well_known.rs

@@ -27,9 +27,32 @@ pub(crate) async fn well_known_client(
 		identity_server: None,
 		sliding_sync_proxy: Some(SlidingSyncProxyInfo { url: client_url }),
 		tile_server: None,
+		rtc_foci: services
+			.config
+			.matrix_rtc
+			.effective_foci(&services.config.well_known.rtc_focus_server_urls)
+			.to_vec(),
 	})
 }
 
+/// # `GET /_matrix/client/v1/rtc/transports`
+/// # `GET /_matrix/client/unstable/org.matrix.msc4143/rtc/transports`
+///
+/// Returns the list of MatrixRTC foci (transports) configured for this
+/// homeserver, implementing MSC4143.
+pub(crate) async fn get_rtc_transports(
+	State(services): State<crate::State>,
+	_body: Ruma<ruma::api::client::discovery::get_rtc_transports::Request>,
+) -> Result<ruma::api::client::discovery::get_rtc_transports::Response> {
+	Ok(ruma::api::client::discovery::get_rtc_transports::Response::new(
+		services
+			.config
+			.matrix_rtc
+			.effective_foci(&services.config.well_known.rtc_focus_server_urls)
+			.to_vec(),
+	))
+}
+
 /// # `GET /.well-known/matrix/support`
 ///
 /// Server support contact and support page of a homeserver's domain.

src/api/mod.rs

@@ -1,12 +1,13 @@
 #![type_length_limit = "16384"] //TODO: reduce me
 #![allow(clippy::toplevel_ref_arg)]
 
+extern crate conduwuit_core as conduwuit;
+extern crate conduwuit_service as service;
 pub mod client;
 pub mod router;
 pub mod server;
 
-extern crate conduwuit_core as conduwuit;
-extern crate conduwuit_service as service;
+pub mod admin;
 
 pub(crate) use self::router::{Ruma, RumaResponse, State};
 

src/api/router.rs

@@ -17,7 +17,7 @@
 
 use self::handler::RouterExt;
 pub(super) use self::{args::Args as Ruma, response::RumaResponse};
-use crate::{client, server};
+use crate::{admin, client, server};
 
 pub fn build(router: Router<State>, server: &Server) -> Router<State> {
 	let config = &server.config;
@@ -122,23 +122,23 @@ pub fn build(router: Router<State>, server: &Server) -> Router<State> {
 		// Ruma doesn't have support for multiple paths for a single endpoint yet, and these routes
 		// share one Ruma request / response type pair with {get,send}_state_event_for_key_route
 		.route(
-			"/_matrix/client/r0/rooms/:room_id/state/:event_type",
+			"/_matrix/client/r0/rooms/{room_id}/state/{event_type}",
 			get(client::get_state_events_for_empty_key_route)
 				.put(client::send_state_event_for_empty_key_route),
 		)
 		.route(
-			"/_matrix/client/v3/rooms/:room_id/state/:event_type",
+			"/_matrix/client/v3/rooms/{room_id}/state/{event_type}",
 			get(client::get_state_events_for_empty_key_route)
 				.put(client::send_state_event_for_empty_key_route),
 		)
 		// These two endpoints allow trailing slashes
 		.route(
-			"/_matrix/client/r0/rooms/:room_id/state/:event_type/",
+			"/_matrix/client/r0/rooms/{room_id}/state/{event_type}/",
 			get(client::get_state_events_for_empty_key_route)
 				.put(client::send_state_event_for_empty_key_route),
 		)
 		.route(
-			"/_matrix/client/v3/rooms/:room_id/state/:event_type/",
+			"/_matrix/client/v3/rooms/{room_id}/state/{event_type}/",
 			get(client::get_state_events_for_empty_key_route)
 				.put(client::send_state_event_for_empty_key_route),
 		)
@@ -177,24 +177,27 @@ pub fn build(router: Router<State>, server: &Server) -> Router<State> {
 		.ruma_route(&client::get_mutual_rooms_route)
 		.ruma_route(&client::get_room_summary)
 		.route(
-			"/_matrix/client/unstable/im.nheko.summary/rooms/:room_id_or_alias/summary",
+			"/_matrix/client/unstable/im.nheko.summary/rooms/{room_id_or_alias}/summary",
 			get(client::get_room_summary_legacy)
 		)
 		.ruma_route(&client::get_suspended_status)
 		.ruma_route(&client::put_suspended_status)
 		.ruma_route(&client::well_known_support)
 		.ruma_route(&client::well_known_client)
+		.ruma_route(&client::get_rtc_transports)
 		.route("/_conduwuit/server_version", get(client::conduwuit_server_version))
 		.route("/_continuwuity/server_version", get(client::conduwuit_server_version))
 		.ruma_route(&client::room_initial_sync_route)
-		.route("/client/server.json", get(client::syncv3_client_server_json));
+		.route("/client/server.json", get(client::syncv3_client_server_json))
+		.ruma_route(&admin::rooms::ban::ban_room)
+		.ruma_route(&admin::rooms::list::list_rooms);
 
 	if config.allow_federation {
 		router = router
 			.ruma_route(&server::get_server_version_route)
 			.route("/_matrix/key/v2/server", get(server::get_server_keys_route))
 			.route(
-				"/_matrix/key/v2/server/:key_id",
+				"/_matrix/key/v2/server/{key_id}",
 				get(server::get_server_keys_deprecated_route),
 			)
 			.ruma_route(&server::get_public_rooms_route)
@@ -230,9 +233,9 @@ pub fn build(router: Router<State>, server: &Server) -> Router<State> {
 			.route("/_continuwuity/local_user_count", get(client::conduwuit_local_user_count));
 	} else {
 		router = router
-			.route("/_matrix/federation/*path", any(federation_disabled))
+			.route("/_matrix/federation/{*path}", any(federation_disabled))
 			.route("/.well-known/matrix/server", any(federation_disabled))
-			.route("/_matrix/key/*path", any(federation_disabled))
+			.route("/_matrix/key/{*path}", any(federation_disabled))
 			.route("/_conduwuit/local_user_count", any(federation_disabled))
 			.route("/_continuwuity/local_user_count", any(federation_disabled));
 	}
@@ -251,27 +254,27 @@ pub fn build(router: Router<State>, server: &Server) -> Router<State> {
 				get(client::get_media_preview_legacy_legacy_route),
 			)
 			.route(
-				"/_matrix/media/v1/download/:server_name/:media_id",
+				"/_matrix/media/v1/download/{server_name}/{media_id}",
 				get(client::get_content_legacy_legacy_route),
 			)
 			.route(
-				"/_matrix/media/v1/download/:server_name/:media_id/:file_name",
+				"/_matrix/media/v1/download/{server_name}/{media_id}/{file_name}",
 				get(client::get_content_as_filename_legacy_legacy_route),
 			)
 			.route(
-				"/_matrix/media/v1/thumbnail/:server_name/:media_id",
+				"/_matrix/media/v1/thumbnail/{server_name}/{media_id}",
 				get(client::get_content_thumbnail_legacy_legacy_route),
 			);
 	} else {
 		router = router
-			.route("/_matrix/media/v1/*path", any(legacy_media_disabled))
+			.route("/_matrix/media/v1/{*path}", any(legacy_media_disabled))
 			.route("/_matrix/media/v3/config", any(legacy_media_disabled))
-			.route("/_matrix/media/v3/download/*path", any(legacy_media_disabled))
-			.route("/_matrix/media/v3/thumbnail/*path", any(legacy_media_disabled))
+			.route("/_matrix/media/v3/download/{*path}", any(legacy_media_disabled))
+			.route("/_matrix/media/v3/thumbnail/{*path}", any(legacy_media_disabled))
 			.route("/_matrix/media/v3/preview_url", any(redirect_legacy_preview))
 			.route("/_matrix/media/r0/config", any(legacy_media_disabled))
-			.route("/_matrix/media/r0/download/*path", any(legacy_media_disabled))
-			.route("/_matrix/media/r0/thumbnail/*path", any(legacy_media_disabled))
+			.route("/_matrix/media/r0/download/{*path}", any(legacy_media_disabled))
+			.route("/_matrix/media/r0/thumbnail/{*path}", any(legacy_media_disabled))
 			.route("/_matrix/media/r0/preview_url", any(redirect_legacy_preview));
 	}
 

src/api/router/args.rs

@@ -1,6 +1,5 @@
 use std::{mem, ops::Deref};
 
-use async_trait::async_trait;
 use axum::{body::Body, extract::FromRequest};
 use bytes::{BufMut, Bytes, BytesMut};
 use conduwuit::{Error, Result, debug, debug_warn, err, trace, utils::string::EMPTY};
@@ -79,7 +78,6 @@ impl<T> Deref for Args<T>
 	fn deref(&self) -> &Self::Target { &self.body }
 }
 
-#[async_trait]
 impl<T> FromRequest<State, Body> for Args<T>
 where
 	T: IncomingRequest + Send + Sync + 'static,

src/api/router/auth.rs

@@ -14,7 +14,8 @@
 	pin_mut,
 };
 use ruma::{
-	CanonicalJsonObject, CanonicalJsonValue, OwnedDeviceId, OwnedServerName, OwnedUserId, UserId,
+	CanonicalJsonObject, CanonicalJsonValue, DeviceId, OwnedDeviceId, OwnedServerName,
+	OwnedUserId, UserId,
 	api::{
 		AuthScheme, IncomingRequest, Metadata,
 		client::{
@@ -54,7 +55,8 @@ pub(super) async fn auth(
 	json_body: Option<&CanonicalJsonValue>,
 	metadata: &Metadata,
 ) -> Result<Auth> {
-	let bearer: Option<TypedHeader<Authorization<Bearer>>> = request.parts.extract().await?;
+	let bearer: Option<TypedHeader<Authorization<Bearer>>> =
+		request.parts.extract().await.unwrap_or(None);
 	let token = match &bearer {
 		| Some(TypedHeader(Authorization(bearer))) => Some(bearer.token()),
 		| None => request.query.access_token.as_deref(),
@@ -65,23 +67,17 @@ pub(super) async fn auth(
 	if metadata.authentication == AuthScheme::None {
 		match metadata {
 			| &get_public_rooms::v3::Request::METADATA => {
-				if !services
-					.server
-					.config
-					.allow_public_room_directory_without_auth
-				{
-					match token {
-						| Token::Appservice(_) | Token::User(_) => {
-							// we should have validated the token above
-							// already
-						},
-						| Token::None | Token::Invalid => {
-							return Err(Error::BadRequest(
-								ErrorKind::MissingToken,
-								"Missing or invalid access token.",
-							));
-						},
-					}
+				match token {
+					| Token::Appservice(_) | Token::User(_) => {
+						// we should have validated the token above
+						// already
+					},
+					| Token::None | Token::Invalid => {
+						return Err(Error::BadRequest(
+							ErrorKind::MissingToken,
+							"Missing or invalid access token.",
+						));
+					},
 				}
 			},
 			| &get_profile::v3::Request::METADATA
@@ -233,10 +229,33 @@ async fn auth_appservice(
 		return Err!(Request(Exclusive("User is not in namespace.")));
 	}
 
+	// MSC3202/MSC4190: Handle device_id masquerading for appservices.
+	// The device_id can be provided via `device_id` or
+	// `org.matrix.msc3202.device_id` query parameter.
+	let sender_device = if let Some(ref device_id_str) = request.query.device_id {
+		let device_id: &DeviceId = device_id_str.as_str().into();
+
+		// Verify the device exists for this user
+		if services
+			.users
+			.get_device_metadata(&user_id, device_id)
+			.await
+			.is_err()
+		{
+			return Err!(Request(Forbidden(
+				"Device does not exist for user or appservice cannot masquerade as this device."
+			)));
+		}
+
+		Some(device_id.to_owned())
+	} else {
+		None
+	};
+
 	Ok(Auth {
 		origin: None,
 		sender_user: Some(user_id),
-		sender_device: None,
+		sender_device,
 		appservice_info: Some(*info),
 	})
 }