docs(livekit): document nginx websockets too

Signed-off-by: rooot <hey@rooot.gay>
docs(livekit): fix port in caddy config example
2026-04-02 15:05:56 +00:00 · 2026-02-16 04:39:18 +01:00 · 2026-02-16 04:32:35 +01:00 · 2026-02-16 04:32:03 +01:00 · 2026-02-16 02:55:26 +00:00 · 2026-02-16 02:35:41 +00:00
72 changed files with 2041 additions and 1184 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,9 +1,9 @@
 # Local build and dev artifacts
 target/
+!target/debug/conduwuit

 # Docker files
 Dockerfile*
-docker/

 # IDE files
 .vscode
--- a/.forgejo/workflows/build-debian.yml
+++ b/.forgejo/workflows/build-debian.yml
@@ -17,7 +17,7 @@ jobs:
    runs-on: ubuntu-latest
    strategy:
      matrix:
-        container: ["ubuntu-latest", "ubuntu-previous", "debian-latest", "debian-oldstable"]
+        container: [ "ubuntu-latest", "ubuntu-previous", "debian-latest", "debian-oldstable" ]
    container:
      image: "ghcr.io/tcpipuk/act-runner:${{ matrix.container }}"

@@ -30,6 +30,28 @@ jobs:
          echo "version=$VERSION" >> $GITHUB_OUTPUT
          echo "distribution=$DISTRIBUTION" >> $GITHUB_OUTPUT
          echo "Debian distribution: $DISTRIBUTION ($VERSION)"
+      - name: Work around llvm-project#153385
+        id: llvm-workaround
+        run: |
+          if [ -f /usr/share/apt/default-sequoia.config ]; then
+            echo "Applying workaround for llvm-project#153385"
+            mkdir -p /etc/crypto-policies/back-ends/
+            cp /usr/share/apt/default-sequoia.config /etc/crypto-policies/back-ends/apt-sequoia.config
+            sed -i 's/\(sha1\.second_preimage_resistance = \)2026-02-01/\12026-06-01/' /etc/crypto-policies/back-ends/apt-sequoia.config
+          else
+            echo "No workaround needed for llvm-project#153385"
+          fi
+      - name: Pick compatible clang version
+        id: clang-version
+        run: |
+          # both latest need to use clang-23, but oldstable and previous can just use clang
+          if [[ "${{ matrix.container }}" == "ubuntu-latest" || "${{ matrix.container }}" == "debian-latest" ]]; then
+            echo "Using clang-23 package for ${{ matrix.container }}"
+            echo "version=clang-23" >> $GITHUB_OUTPUT
+          else
+            echo "Using default clang package for ${{ matrix.container }}"
+            echo "version=clang" >> $GITHUB_OUTPUT
+          fi

      - name: Checkout repository with full history
        uses: actions/checkout@v6
@@ -105,7 +127,7 @@ jobs:
        run: |
          apt-get update -y
          # Build dependencies for rocksdb
-          apt-get install -y clang liburing-dev
+          apt-get install -y liburing-dev ${{ steps.clang-version.outputs.version }}

      - name: Run cargo-deb
        id: cargo-deb
--- a/.typos.toml
+++ b/.typos.toml
@@ -24,3 +24,5 @@ extend-ignore-re = [
 "continuwity" = "continuwuity"
 "execuse" = "execuse"
 "oltp" = "OTLP"
+
+rememvering = "remembering"
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,25 +1,65 @@
+# Continuwuity v0.5.5 (2026-02-15)
+
+## Features
+
+- Added unstable support for [MSC4406:
+  `M_SENDER_IGNORED`](https://github.com/matrix-org/matrix-spec-proposals/pull/4406).
+  Contributed by @nex ([#1308](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1308))
+- Introduce a resolver command to allow flushing a server from the cache or to flush the complete cache. Contributed by
+  @Omar007 ([#1349](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1349))
+- Improved the handling of restricted join rules and improved the performance of local-first joins. Contributed by
+  @nex. ([#1368](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1368))
+- You can now set a custom User Agent for URL previews; the default one has been modified to be less likely to be
+  rejected. Contributed by @trashpanda ([#1372](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1372))
+- Improved the first-time setup experience for new homeserver administrators:
+    - Account registration is disabled on the first run, except for with a new special registration token that is logged
+      to the console.
+    - Other helpful information is logged to the console as well, including a giant warning if open registration is
+      enabled.
+    - The default index page now says to check the console for setup instructions if no accounts have been created.
+    - Once the first admin account is created, an improved welcome message is sent to the admin room.
+
+  Contributed by @ginger.
+
+## Bugfixes
+
+- Fixed invites sent to other users in the same homeserver not being properly sent down sync. Users with missing or
+  broken invites should clear their client caches after updating to make them appear. ([#1249](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1249))
+- LDAP-enabled servers will no longer have all admins demoted when LDAP-controlled admins are not configured.
+  Contributed by @Jade ([#1307](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1307))
+- Fixed sliding sync not resolving wildcard state key requests, enabling Video/Audio calls in Element X. ([#1370](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1370))
+
+## Misc
+
+- #1344
+
 # Continuwuity v0.5.4 (2026-02-08)

 ## Features

 - The announcement checker will now announce errors it encounters in the first run to the admin room, plus a few other
  misc improvements. Contributed by @Jade ([#1288](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1288))
- Drastically improved the performance and reliability of account deactivations. Contributed by @nex ([#1314](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1314))
+- Drastically improved the performance and reliability of account deactivations. Contributed by
+  @nex ([#1314](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1314))
 - Refuse to process requests for and events in rooms that we no longer have any local users in (reduces state resets
-  and improves performance). Contributed by @nex ([#1316](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1316))
+  and improves performance). Contributed by
+  @nex ([#1316](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1316))
 - Added server-specific admin API routes to ban and unban rooms, for use with moderation bots. Contributed by @nex
  ([#1301](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1301))

 ## Bugfixes

- Fix the generated configuration containing uncommented optional sections. Contributed by @Jade ([#1290](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1290))
- Fixed specification non-compliance when handling remote media errors. Contributed by @nex ([#1298](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1298))
+- Fix the generated configuration containing uncommented optional sections. Contributed by
+  @Jade ([#1290](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1290))
+- Fixed specification non-compliance when handling remote media errors. Contributed by
+  @nex ([#1298](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1298))
 - UIAA requests which check for out-of-band success (sent by matrix-js-sdk) will no longer create unhelpful errors in
  the logs. Contributed by @ginger ([#1305](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1305))
 - Use exists instead of contains to save writing to a buffer in `src/service/users/mod.rs`: `is_login_disabled`.
  Contributed
  by @aprilgrimoire. ([#1340](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1340))
- Fixed backtraces being swallowed during panics. Contributed by @jade ([#1337](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1337))
+- Fixed backtraces being swallowed during panics. Contributed by
+  @jade ([#1337](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1337))
 - Fixed a potential vulnerability that could allow an evil remote server to return malicious events during the room join
  and knock process. Contributed by @nex, reported by violet & [mat](https://matdoes.dev).
 - Fixed a race condition that could result in outlier PDUs being incorrectly marked as visible to a remote server.
@@ -28,25 +68,30 @@ ## Bugfixes

 ## Docs

- Fixed Fedora install instructions. Contributed by @julian45 ([#1342](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1342))
+- Fixed Fedora install instructions. Contributed by
+  @julian45 ([#1342](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1342))

 # Continuwuity 0.5.3 (2026-01-12)

 ## Features

- Improve the display of nested configuration with the `!admin server show-config` command. Contributed by @Jade ([#1279](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1279))
+- Improve the display of nested configuration with the `!admin server show-config` command. Contributed by
+  @Jade ([#1279](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1279))

 ## Bugfixes

- Fixed `M_BAD_JSON` error when sending invites to other servers or when providing joins. Contributed by @nex ([#1286](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1286))
+- Fixed `M_BAD_JSON` error when sending invites to other servers or when providing joins. Contributed by
+  @nex ([#1286](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1286))

 ## Docs

- Improve admin command documentation generation. Contributed by @ginger ([#1280](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1280))
+- Improve admin command documentation generation. Contributed by
+  @ginger ([#1280](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1280))

 ## Misc

- Improve timeout-related code for federation and URL previews. Contributed by @Jade ([#1278](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1278))
+- Improve timeout-related code for federation and URL previews. Contributed by
+  @Jade ([#1278](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1278))

 # Continuwuity 0.5.2 (2026-01-09)

@@ -57,11 +102,14 @@ ## Features
  after a certain amount of time has passed. Additionally, the `registration_token_file` configuration option is
  superseded by this feature and **has been removed**. Use the new `!admin token` command family to manage registration
  tokens. Contributed by @ginger (#783).
- Implemented a configuration defined admin list independent of the admin room. Contributed by @Terryiscool160. ([#1253](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1253))
+- Implemented a configuration defined admin list independent of the admin room. Contributed by
+  @Terryiscool160. ([#1253](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1253))
 - Added support for invite and join anti-spam via Draupnir and Meowlnir, similar to that of synapse-http-antispam.
  Contributed by @nex. ([#1263](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1263))
- Implemented account locking functionality, to complement user suspension. Contributed by @nex. ([#1266](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1266))
- Added admin command to forcefully log out all of a user's existing sessions. Contributed by @nex. ([#1271](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1271))
+- Implemented account locking functionality, to complement user suspension. Contributed by
+  @nex. ([#1266](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1266))
+- Added admin command to forcefully log out all of a user's existing sessions. Contributed by
+  @nex. ([#1271](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1271))
 - Implemented toggling the ability for an account to log in without mutating any of its data. Contributed by @nex. (
  [#1272](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1272))
 - Add support for custom room create event timestamps, to allow generating custom prefixes in hashed room IDs.
@@ -71,7 +119,8 @@ ## Features

 ## Bugfixes

- Fixed unreliable room summary fetching and improved error messages. Contributed by @nex. ([#1257](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1257))
+- Fixed unreliable room summary fetching and improved error messages. Contributed by
+  @nex. ([#1257](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1257))
 - Client requested timeout parameter is now applied to e2ee key lookups and claims. Related federation requests are now
  also concurrent. Contributed by @nex. ([#1261](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1261))
 - Fixed the whoami endpoint returning HTTP 404 instead of HTTP 403, which confused some appservices. Contributed by
@@ -90,9 +139,12 @@ # Continuwuity 0.5.0 (2025-12-30)

 ## Features

- Enabled the OTLP exporter in default builds, and allow configuring the exporter protocol. (@Jade). ([#1251](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1251))
+- Enabled the OTLP exporter in default builds, and allow configuring the exporter protocol. (
+  @Jade). ([#1251](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1251))

 ## Bug Fixes

- Don't allow admin room upgrades, as this can break the admin room (@timedout) ([#1245](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1245))
- Fix invalid creators in power levels during upgrade to v12 (@timedout) ([#1245](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1245))
+- Don't allow admin room upgrades, as this can break the admin room (
+  @timedout) ([#1245](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1245))
+- Fix invalid creators in power levels during upgrade to v12 (
+  @timedout) ([#1245](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1245))
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -617,15 +617,6 @@ dependencies = [
 "windows-link",
 ]

-[[package]]
-name = "backtrace-ext"
-version = "0.2.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "537beee3be4a18fb023b570f80e3ae28003db9167a751266b259926e25539d50"
-dependencies = [
- "backtrace",
-]
-
 [[package]]
 name = "base64"
 version = "0.21.7"
@@ -841,16 +832,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "374b7c592d9c00c1f4972ea58390ac6b18cbb6ab79011f3bdc90a0b82ca06b77"
 dependencies = [
 "serde",
- "toml 0.9.11+spec-1.1.0",
-]
-
-[[package]]
-name = "castaway"
-version = "0.2.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dec551ab6e7578819132c713a93c022a05d60159dc86e7a7050223577484c55a"
-dependencies = [
- "rustversion",
+ "toml 0.9.12+spec-1.1.0",
 ]

 [[package]]
@@ -917,9 +899,9 @@ dependencies = [

 [[package]]
 name = "clap"
-version = "4.5.57"
+version = "4.5.58"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6899ea499e3fb9305a65d5ebf6e3d2248c5fab291f300ad0a704fbe142eae31a"
+checksum = "63be97961acde393029492ce0be7a1af7e323e6bae9511ebfac33751be5e6806"
 dependencies = [
 "clap_builder",
 "clap_derive",
@@ -927,9 +909,9 @@ dependencies = [

 [[package]]
 name = "clap_builder"
-version = "4.5.57"
+version = "4.5.58"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7b12c8b680195a62a8364d16b8447b01b6c2c8f9aaf68bee653be34d4245e238"
+checksum = "7f13174bda5dfd69d7e947827e5af4b0f2f94a4a3ee92912fba07a66150f21e2"
 dependencies = [
 "anstyle",
 "clap_lex",
@@ -949,9 +931,9 @@ dependencies = [

 [[package]]
 name = "clap_lex"
-version = "0.7.7"
+version = "1.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c3e64b0cc0439b12df2fa678eae89a1c56a529fd067a9115f7827f1fffd22b32"
+checksum = "3a822ea5bc7590f9d40f1ba12c0dc3c2760f3482c6984db1573ad11031420831"

 [[package]]
 name = "cmake"
@@ -968,20 +950,6 @@ version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3d7b894f5411737b7867f4827955924d7c254fc9f4d91a6aad6b097804b1018b"

-[[package]]
-name = "compact_str"
-version = "0.8.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3b79c4069c6cad78e2e0cdfcbd26275770669fb39fd308a752dc110e83b9af32"
-dependencies = [
- "castaway",
- "cfg-if",
- "itoa",
- "rustversion",
- "ryu",
- "static_assertions",
-]
-
 [[package]]
 name = "compression-codecs"
 version = "0.4.36"
@@ -1013,7 +981,7 @@ dependencies = [

 [[package]]
 name = "conduwuit"
-version = "0.5.4"
+version = "0.5.5"
 dependencies = [
 "clap",
 "conduwuit_admin",
@@ -1030,6 +998,7 @@ dependencies = [
 "opentelemetry",
 "opentelemetry-otlp",
 "opentelemetry_sdk",
+ "parking_lot",
 "sentry",
 "sentry-tower",
 "sentry-tracing",
@@ -1044,7 +1013,7 @@ dependencies = [

 [[package]]
 name = "conduwuit_admin"
-version = "0.5.4"
+version = "0.5.5"
 dependencies = [
 "clap",
 "conduwuit_api",
@@ -1065,7 +1034,7 @@ dependencies = [

 [[package]]
 name = "conduwuit_api"
-version = "0.5.4"
+version = "0.5.5"
 dependencies = [
 "async-trait",
 "axum 0.7.9",
@@ -1097,14 +1066,14 @@ dependencies = [

 [[package]]
 name = "conduwuit_build_metadata"
-version = "0.5.4"
+version = "0.5.5"
 dependencies = [
 "built",
 ]

 [[package]]
 name = "conduwuit_core"
-version = "0.5.4"
+version = "0.5.5"
 dependencies = [
 "argon2",
 "arrayvec",
@@ -1149,14 +1118,14 @@ dependencies = [
 "serde_json",
 "serde_regex",
 "smallstr",
- "smallvec 1.15.1",
+ "smallvec",
 "thiserror 2.0.18",
 "tikv-jemalloc-ctl",
 "tikv-jemalloc-sys",
 "tikv-jemallocator",
 "tokio",
 "tokio-metrics",
- "toml 0.9.11+spec-1.1.0",
+ "toml 0.9.12+spec-1.1.0",
 "tracing",
 "tracing-core",
 "tracing-subscriber",
@@ -1165,7 +1134,7 @@ dependencies = [

 [[package]]
 name = "conduwuit_database"
-version = "0.5.4"
+version = "0.5.5"
 dependencies = [
 "async-channel",
 "conduwuit_core",
@@ -1183,7 +1152,7 @@ dependencies = [

 [[package]]
 name = "conduwuit_macros"
-version = "0.5.4"
+version = "0.5.5"
 dependencies = [
 "itertools 0.14.0",
 "proc-macro2",
@@ -1193,7 +1162,7 @@ dependencies = [

 [[package]]
 name = "conduwuit_router"
-version = "0.5.4"
+version = "0.5.5"
 dependencies = [
 "axum 0.7.9",
 "axum-client-ip",
@@ -1227,8 +1196,9 @@ dependencies = [

 [[package]]
 name = "conduwuit_service"
-version = "0.5.4"
+version = "0.5.5"
 dependencies = [
+ "askama 0.14.0",
 "async-trait",
 "base64 0.22.1",
 "blurhash",
@@ -1263,11 +1233,12 @@ dependencies = [
 "tracing",
 "url",
 "webpage",
+ "yansi",
 ]

 [[package]]
 name = "conduwuit_web"
-version = "0.5.4"
+version = "0.5.5"
 dependencies = [
 "askama 0.14.0",
 "axum 0.7.9",
@@ -1343,7 +1314,7 @@ dependencies = [
 [[package]]
 name = "continuwuity-admin-api"
 version = "0.1.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=458d52bdc7f9a07c497be94a1420ebd3d87d7b2b#458d52bdc7f9a07c497be94a1420ebd3d87d7b2b"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=b496b7f38d517149361a882e75d3fd4faf210441#b496b7f38d517149361a882e75d3fd4faf210441"
 dependencies = [
 "ruma-common",
 "serde",
@@ -1602,41 +1573,6 @@ version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "817fa642fb0ee7fe42e95783e00e0969927b96091bdd4b9b1af082acd943913b"

-[[package]]
-name = "darling"
-version = "0.20.11"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fc7f46116c46ff9ab3eb1597a45688b6715c6e628b5c133e288e709a29bcb4ee"
-dependencies = [
- "darling_core",
- "darling_macro",
-]
-
-[[package]]
-name = "darling_core"
-version = "0.20.11"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0d00b9596d185e565c2207a0b01f8bd1a135483d02d9b7b0a54b11da8d53412e"
-dependencies = [
- "fnv",
- "ident_case",
- "proc-macro2",
- "quote",
- "strsim",
- "syn",
-]
-
-[[package]]
-name = "darling_macro"
-version = "0.20.11"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fc34b93ccb385b40dc71c6fceac4b2ad23662c7eeb248cf10d529b7e055b6ead"
-dependencies = [
- "darling_core",
- "quote",
- "syn",
-]
-
 [[package]]
 name = "data-encoding"
 version = "2.10.0"
@@ -1758,7 +1694,7 @@ dependencies = [
 [[package]]
 name = "draupnir-antispam"
 version = "0.1.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=458d52bdc7f9a07c497be94a1420ebd3d87d7b2b#458d52bdc7f9a07c497be94a1420ebd3d87d7b2b"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=b496b7f38d517149361a882e75d3fd4faf210441#b496b7f38d517149361a882e75d3fd4faf210441"
 dependencies = [
 "ruma-common",
 "serde",
@@ -1917,7 +1853,7 @@ dependencies = [
 "lebe",
 "miniz_oxide",
 "rayon-core",
- "smallvec 1.15.1",
+ "smallvec",
 "zune-inflate",
 ]

@@ -2057,9 +1993,9 @@ dependencies = [

 [[package]]
 name = "futures"
-version = "0.3.31"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "65bc07b1a8bc7c85c5f2e110c476c7389b4554ba72af57d8445ea63a576b0876"
+checksum = "8b147ee9d1f6d097cef9ce628cd2ee62288d963e16fb287bd9286455b241382d"
 dependencies = [
 "futures-channel",
 "futures-core",
@@ -2072,9 +2008,9 @@ dependencies = [

 [[package]]
 name = "futures-channel"
-version = "0.3.31"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2dff15bf788c671c1934e366d07e30c1814a8ef514e1af724a602e8a2fbe1b10"
+checksum = "07bbe89c50d7a535e539b8c17bc0b49bdb77747034daa8087407d655f3f7cc1d"
 dependencies = [
 "futures-core",
 "futures-sink",
@@ -2082,15 +2018,15 @@ dependencies = [

 [[package]]
 name = "futures-core"
-version = "0.3.31"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "05f29059c0c2090612e8d742178b0580d2dc940c837851ad723096f87af6663e"
+checksum = "7e3450815272ef58cec6d564423f6e755e25379b217b0bc688e295ba24df6b1d"

 [[package]]
 name = "futures-executor"
-version = "0.3.31"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1e28d1d997f585e54aebc3f97d39e72338912123a67330d723fdbb564d646c9f"
+checksum = "baf29c38818342a3b26b5b923639e7b1f4a61fc5e76102d4b1981c6dc7a7579d"
 dependencies = [
 "futures-core",
 "futures-task",
@@ -2099,15 +2035,15 @@ dependencies = [

 [[package]]
 name = "futures-io"
-version = "0.3.31"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9e5c1b78ca4aae1ac06c48a526a655760685149f0d465d21f37abfe57ce075c6"
+checksum = "cecba35d7ad927e23624b22ad55235f2239cfa44fd10428eecbeba6d6a717718"

 [[package]]
 name = "futures-macro"
-version = "0.3.31"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "162ee34ebcb7c64a8abebc059ce0fee27c2262618d7b60ed8faf72fef13c3650"
+checksum = "e835b70203e41293343137df5c0664546da5745f82ec9b84d40be8336958447b"
 dependencies = [
 "proc-macro2",
 "quote",
@@ -2116,21 +2052,21 @@ dependencies = [

 [[package]]
 name = "futures-sink"
-version = "0.3.31"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e575fab7d1e0dcb8d0c7bcf9a63ee213816ab51902e6d244a95819acacf1d4f7"
+checksum = "c39754e157331b013978ec91992bde1ac089843443c49cbc7f46150b0fad0893"

 [[package]]
 name = "futures-task"
-version = "0.3.31"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f90f7dce0722e95104fcb095585910c0977252f286e354b5e3bd38902cd99988"
+checksum = "037711b3d59c33004d3856fbdc83b99d4ff37a24768fa1be9ce3538a1cde4393"

 [[package]]
 name = "futures-util"
-version = "0.3.31"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9fa08315bb612088cc391249efdc3bc77536f16c91f6cf495e6fbe85b20a4a81"
+checksum = "389ca41296e6190b48053de0321d02a77f32f8a5d2461dd38762c0593805c6d6"
 dependencies = [
 "futures-channel",
 "futures-core",
@@ -2140,32 +2076,9 @@ dependencies = [
 "futures-task",
 "memchr",
 "pin-project-lite",
- "pin-utils",
 "slab",
 ]

-[[package]]
-name = "garde"
-version = "0.22.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3a74b56a4039a46e8c91cc9d84e8a7df4e1f8b24239ca57d1304b3263cb599b9"
-dependencies = [
- "compact_str",
- "garde_derive",
- "smallvec 1.15.1",
-]
-
-[[package]]
-name = "garde_derive"
-version = "0.22.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7224c08ec489e2840af29ed882b47f7f6ac8f4ce15c275d9fc0d6d1b94578ae6"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn",
-]
-
 [[package]]
 name = "generic-array"
 version = "0.14.7"
@@ -2364,7 +2277,7 @@ dependencies = [
 "rand 0.9.2",
 "resolv-conf",
 "serde",
- "smallvec 1.15.1",
+ "smallvec",
 "thiserror 2.0.18",
 "tokio",
 "tracing",
@@ -2482,7 +2395,7 @@ dependencies = [
 "itoa",
 "pin-project-lite",
 "pin-utils",
- "smallvec 1.15.1",
+ "smallvec",
 "tokio",
 "want",
 ]
@@ -2577,7 +2490,7 @@ dependencies = [
 "icu_normalizer_data",
 "icu_properties",
 "icu_provider",
- "smallvec 1.15.1",
+ "smallvec",
 "zerovec",
 ]

@@ -2622,12 +2535,6 @@ dependencies = [
 "zerovec",
 ]

-[[package]]
-name = "ident_case"
-version = "1.0.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b9e0384b61958566e926dc50660321d12159025e767c18e043daf26b70104c39"
-
 [[package]]
 name = "idna"
 version = "1.1.0"
@@ -2635,7 +2542,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3b0875f23caa03898994f6ddc501886a45c7d3d62d04d2d90788d47be1b1e4de"
 dependencies = [
 "idna_adapter",
- "smallvec 1.15.1",
+ "smallvec",
 "utf8_iter",
 ]

@@ -2760,12 +2667,6 @@ dependencies = [
 "serde",
 ]

-[[package]]
-name = "is_ci"
-version = "1.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7655c9839580ee829dfacba1d1278c2b7883e50a277ff7541299489d6bdfdc45"
-
 [[package]]
 name = "itertools"
 version = "0.13.0"
@@ -2920,9 +2821,9 @@ checksum = "7a79a3332a6609480d7d0c9eab957bca6b455b91bb84e66d19f5ff66294b85b8"

 [[package]]
 name = "libc"
-version = "0.2.180"
+version = "0.2.182"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bcc35a38544a891a5f7c865aca548a982ccb3b8650a5b06d0fd33a10283c56fc"
+checksum = "6800badb6cb2082ffd7b6a67e6125bb39f18782f793520caee8cb8846be06112"

 [[package]]
 name = "libfuzzer-sys"
@@ -3116,43 +3017,13 @@ checksum = "f52b00d39961fc5b2736ea853c9cc86238e165017a493d1d5c8eac6bdc4cc273"
 [[package]]
 name = "meowlnir-antispam"
 version = "0.1.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=458d52bdc7f9a07c497be94a1420ebd3d87d7b2b#458d52bdc7f9a07c497be94a1420ebd3d87d7b2b"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=b496b7f38d517149361a882e75d3fd4faf210441#b496b7f38d517149361a882e75d3fd4faf210441"
 dependencies = [
 "ruma-common",
 "serde",
 "serde_json",
 ]

-[[package]]
-name = "miette"
-version = "7.6.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5f98efec8807c63c752b5bd61f862c165c115b0a35685bdcfd9238c7aeb592b7"
-dependencies = [
- "backtrace",
- "backtrace-ext",
- "cfg-if",
- "miette-derive",
- "owo-colors",
- "supports-color",
- "supports-hyperlinks",
- "supports-unicode",
- "terminal_size",
- "textwrap",
- "unicode-width 0.1.14",
-]
-
-[[package]]
-name = "miette-derive"
-version = "7.6.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "db5b29714e950dbb20d5e6f74f9dcec4edbcc1067bb7f8ed198c097b8c1a818b"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn",
-]
-
 [[package]]
 name = "mime"
 version = "0.3.17"
@@ -3224,7 +3095,7 @@ dependencies = [
 "equivalent",
 "parking_lot",
 "portable-atomic",
- "smallvec 1.15.1",
+ "smallvec",
 "tagptr",
 "uuid",
 ]
@@ -3688,12 +3559,6 @@ dependencies = [
 "windows-sys 0.61.2",
 ]

-[[package]]
-name = "owo-colors"
-version = "4.2.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9c6901729fa79e91a0913333229e9ca5dc725089d1c363b2f4b4760709dc4a52"
-
 [[package]]
 name = "parking"
 version = "2.2.1"
@@ -3721,7 +3586,7 @@ dependencies = [
 "libc",
 "petgraph",
 "redox_syscall",
- "smallvec 1.15.1",
+ "smallvec",
 "windows-link",
 ]

@@ -3931,28 +3796,6 @@ dependencies = [
 "toml_edit 0.23.10+spec-1.0.0",
 ]

-[[package]]
-name = "proc-macro-error-attr2"
-version = "2.0.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "96de42df36bb9bba5542fe9f1a054b8cc87e172759a1868aa05c1f3acc89dfc5"
-dependencies = [
- "proc-macro2",
- "quote",
-]
-
-[[package]]
-name = "proc-macro-error2"
-version = "2.0.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "11ec05c52be0a07b08061f7dd003e7d7092e0472bc731b4af7bb1ef876109802"
-dependencies = [
- "proc-macro-error-attr2",
- "proc-macro2",
- "quote",
- "syn",
-]
-
 [[package]]
 name = "proc-macro2"
 version = "1.0.106"
@@ -4389,7 +4232,7 @@ dependencies = [
 [[package]]
 name = "ruma"
 version = "0.10.1"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=458d52bdc7f9a07c497be94a1420ebd3d87d7b2b#458d52bdc7f9a07c497be94a1420ebd3d87d7b2b"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=b496b7f38d517149361a882e75d3fd4faf210441#b496b7f38d517149361a882e75d3fd4faf210441"
 dependencies = [
 "assign",
 "continuwuity-admin-api",
@@ -4412,7 +4255,7 @@ dependencies = [
 [[package]]
 name = "ruma-appservice-api"
 version = "0.10.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=458d52bdc7f9a07c497be94a1420ebd3d87d7b2b#458d52bdc7f9a07c497be94a1420ebd3d87d7b2b"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=b496b7f38d517149361a882e75d3fd4faf210441#b496b7f38d517149361a882e75d3fd4faf210441"
 dependencies = [
 "js_int",
 "ruma-common",
@@ -4424,7 +4267,7 @@ dependencies = [
 [[package]]
 name = "ruma-client-api"
 version = "0.18.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=458d52bdc7f9a07c497be94a1420ebd3d87d7b2b#458d52bdc7f9a07c497be94a1420ebd3d87d7b2b"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=b496b7f38d517149361a882e75d3fd4faf210441#b496b7f38d517149361a882e75d3fd4faf210441"
 dependencies = [
 "as_variant",
 "assign",
@@ -4447,7 +4290,7 @@ dependencies = [
 [[package]]
 name = "ruma-common"
 version = "0.13.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=458d52bdc7f9a07c497be94a1420ebd3d87d7b2b#458d52bdc7f9a07c497be94a1420ebd3d87d7b2b"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=b496b7f38d517149361a882e75d3fd4faf210441#b496b7f38d517149361a882e75d3fd4faf210441"
 dependencies = [
 "as_variant",
 "base64 0.22.1",
@@ -4466,7 +4309,7 @@ dependencies = [
 "serde",
 "serde_html_form",
 "serde_json",
- "smallvec 1.15.1",
+ "smallvec",
 "thiserror 2.0.18",
 "time",
 "tracing",
@@ -4479,7 +4322,7 @@ dependencies = [
 [[package]]
 name = "ruma-events"
 version = "0.28.1"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=458d52bdc7f9a07c497be94a1420ebd3d87d7b2b#458d52bdc7f9a07c497be94a1420ebd3d87d7b2b"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=b496b7f38d517149361a882e75d3fd4faf210441#b496b7f38d517149361a882e75d3fd4faf210441"
 dependencies = [
 "as_variant",
 "indexmap",
@@ -4493,7 +4336,7 @@ dependencies = [
 "ruma-macros",
 "serde",
 "serde_json",
- "smallvec 1.15.1",
+ "smallvec",
 "thiserror 2.0.18",
 "tracing",
 "url",
@@ -4504,7 +4347,7 @@ dependencies = [
 [[package]]
 name = "ruma-federation-api"
 version = "0.9.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=458d52bdc7f9a07c497be94a1420ebd3d87d7b2b#458d52bdc7f9a07c497be94a1420ebd3d87d7b2b"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=b496b7f38d517149361a882e75d3fd4faf210441#b496b7f38d517149361a882e75d3fd4faf210441"
 dependencies = [
 "bytes",
 "headers",
@@ -4526,7 +4369,7 @@ dependencies = [
 [[package]]
 name = "ruma-identifiers-validation"
 version = "0.9.5"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=458d52bdc7f9a07c497be94a1420ebd3d87d7b2b#458d52bdc7f9a07c497be94a1420ebd3d87d7b2b"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=b496b7f38d517149361a882e75d3fd4faf210441#b496b7f38d517149361a882e75d3fd4faf210441"
 dependencies = [
 "js_int",
 "thiserror 2.0.18",
@@ -4535,7 +4378,7 @@ dependencies = [
 [[package]]
 name = "ruma-identity-service-api"
 version = "0.9.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=458d52bdc7f9a07c497be94a1420ebd3d87d7b2b#458d52bdc7f9a07c497be94a1420ebd3d87d7b2b"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=b496b7f38d517149361a882e75d3fd4faf210441#b496b7f38d517149361a882e75d3fd4faf210441"
 dependencies = [
 "js_int",
 "ruma-common",
@@ -4545,7 +4388,7 @@ dependencies = [
 [[package]]
 name = "ruma-macros"
 version = "0.13.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=458d52bdc7f9a07c497be94a1420ebd3d87d7b2b#458d52bdc7f9a07c497be94a1420ebd3d87d7b2b"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=b496b7f38d517149361a882e75d3fd4faf210441#b496b7f38d517149361a882e75d3fd4faf210441"
 dependencies = [
 "cfg-if",
 "proc-macro-crate",
@@ -4560,7 +4403,7 @@ dependencies = [
 [[package]]
 name = "ruma-push-gateway-api"
 version = "0.9.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=458d52bdc7f9a07c497be94a1420ebd3d87d7b2b#458d52bdc7f9a07c497be94a1420ebd3d87d7b2b"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=b496b7f38d517149361a882e75d3fd4faf210441#b496b7f38d517149361a882e75d3fd4faf210441"
 dependencies = [
 "js_int",
 "ruma-common",
@@ -4572,7 +4415,7 @@ dependencies = [
 [[package]]
 name = "ruma-signatures"
 version = "0.15.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=458d52bdc7f9a07c497be94a1420ebd3d87d7b2b#458d52bdc7f9a07c497be94a1420ebd3d87d7b2b"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=b496b7f38d517149361a882e75d3fd4faf210441#b496b7f38d517149361a882e75d3fd4faf210441"
 dependencies = [
 "base64 0.22.1",
 "ed25519-dalek",
@@ -4751,12 +4594,12 @@ dependencies = [

 [[package]]
 name = "saphyr-parser-bw"
-version = "0.0.607"
+version = "0.0.608"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2f9bae8d059bf1ca32753cf3cdafbf5d391502de2fc2ca54510811fe9c100d90"
+checksum = "d55ae5ea09894b6d5382621db78f586df37ef18ab581bf32c754e75076b124b1"
 dependencies = [
 "arraydeque",
- "smallvec 2.0.0-alpha.12",
+ "smallvec",
 "thiserror 2.0.18",
 ]

@@ -4963,26 +4806,22 @@ dependencies = [

 [[package]]
 name = "serde-saphyr"
-version = "0.0.17"
+version = "0.0.19"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bc14a55107113a16346915d7e3d78acc539a923458385db89670e22cac106d7a"
+checksum = "29fb2d57f074f415e3ea6905994be8aca2bd7a17f8a0344cc43ed15bf240a547"
 dependencies = [
 "ahash",
 "annotate-snippets",
 "base64 0.22.1",
 "encoding_rs_io",
- "figment",
- "garde",
 "getrandom 0.3.4",
- "miette",
 "nohash-hasher",
 "num-traits",
 "regex",
 "saphyr-parser-bw",
 "serde",
 "serde_json",
- "smallvec 2.0.0-alpha.12",
- "validator",
+ "smallvec",
 "zmij",
 ]

@@ -5195,7 +5034,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "862077b1e764f04c251fe82a2ef562fd78d7cadaeb072ca7c2bcaf7217b1ff3b"
 dependencies = [
 "serde",
- "smallvec 1.15.1",
+ "smallvec",
 ]

 [[package]]
@@ -5207,12 +5046,6 @@ dependencies = [
 "serde",
 ]

-[[package]]
-name = "smallvec"
-version = "2.0.0-alpha.12"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ef784004ca8777809dcdad6ac37629f0a97caee4c685fcea805278d81dd8b857"
-
 [[package]]
 name = "socket2"
 version = "0.5.10"
@@ -5249,12 +5082,6 @@ version = "1.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6ce2be8dc25455e1f91df71bfa12ad37d7af1092ae736f3a6cd0e37bc7810596"

-[[package]]
-name = "static_assertions"
-version = "1.1.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a2eb9349b6444b326872e140eb1cf5e7c522154d69e7a0ffb0fb81c06b37543f"
-
 [[package]]
 name = "strict"
 version = "0.2.0"
@@ -5286,12 +5113,6 @@ dependencies = [
 "quote",
 ]

-[[package]]
-name = "strsim"
-version = "0.11.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f"
-
 [[package]]
 name = "subslice"
 version = "0.2.3"
@@ -5307,32 +5128,11 @@ version = "2.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292"

-[[package]]
-name = "supports-color"
-version = "3.0.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c64fc7232dd8d2e4ac5ce4ef302b1d81e0b80d055b9d77c7c4f51f6aa4c867d6"
-dependencies = [
- "is_ci",
-]
-
-[[package]]
-name = "supports-hyperlinks"
-version = "3.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e396b6523b11ccb83120b115a0b7366de372751aa6edf19844dfb13a6af97e91"
-
-[[package]]
-name = "supports-unicode"
-version = "3.0.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b7401a30af6cb5818bb64852270bb722533397edcfc7344954a38f420819ece2"
-
 [[package]]
 name = "syn"
-version = "2.0.114"
+version = "2.0.116"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d4d107df263a3013ef9b1879b0df87d706ff80f65a86ea879bd9c31f9b307c2a"
+checksum = "3df424c70518695237746f84cede799c9c58fcb37450d7b23716568cc8bc69cb"
 dependencies = [
 "proc-macro2",
 "quote",
@@ -5392,26 +5192,6 @@ dependencies = [
 "unicode-width 0.1.14",
 ]

-[[package]]
-name = "terminal_size"
-version = "0.4.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "60b8cb979cb11c32ce1603f8137b22262a9d131aaa5c37b5678025f22b8becd0"
-dependencies = [
- "rustix",
- "windows-sys 0.60.2",
-]
-
-[[package]]
-name = "textwrap"
-version = "0.16.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c13547615a44dc9c452a8a534638acdf07120d4b6847c8178705da06306a3057"
-dependencies = [
- "unicode-linebreak",
- "unicode-width 0.2.2",
-]
-
 [[package]]
 name = "thingbuf"
 version = "0.1.6"
@@ -5657,9 +5437,9 @@ dependencies = [

 [[package]]
 name = "toml"
-version = "0.9.11+spec-1.1.0"
+version = "0.9.12+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f3afc9a848309fe1aaffaed6e1546a7a14de1f935dc9d89d32afd9a44bab7c46"
+checksum = "cf92845e79fc2e2def6a5d828f0801e29a2f8acc037becc5ab08595c7d5e9863"
 dependencies = [
 "indexmap",
 "serde_core",
@@ -5716,9 +5496,9 @@ dependencies = [

 [[package]]
 name = "toml_parser"
-version = "1.0.6+spec-1.1.0"
+version = "1.0.8+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a3198b4b0a8e11f09dd03e133c0280504d0801269e9afa46362ffde1cbeebf44"
+checksum = "0742ff5ff03ea7e67c8ae6c93cac239e0d9784833362da3f9a9c1da8dfefcbdc"
 dependencies = [
 "winnow",
 ]
@@ -5903,7 +5683,7 @@ checksum = "1ac28f2d093c6c477eaa76b23525478f38de514fa9aeb1285738d4b97a9552fc"
 dependencies = [
 "js-sys",
 "opentelemetry",
- "smallvec 1.15.1",
+ "smallvec",
 "tracing",
 "tracing-core",
 "tracing-log",
@@ -5922,7 +5702,7 @@ dependencies = [
 "once_cell",
 "regex-automata",
 "sharded-slab",
- "smallvec 1.15.1",
+ "smallvec",
 "thread_local",
 "tracing",
 "tracing-core",
@@ -5986,12 +5766,6 @@ version = "1.0.22"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9312f7c4f6ff9069b165498234ce8be658059c6728633667c526e27dc2cf1df5"

-[[package]]
-name = "unicode-linebreak"
-version = "0.1.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3b09c83c3c29d37506a3e260c08c03743a6bb66a9cd432c6934ab501a190571f"
-
 [[package]]
 name = "unicode-segmentation"
 version = "1.12.0"
@@ -6092,36 +5866,6 @@ dependencies = [
 "wasm-bindgen",
 ]

-[[package]]
-name = "validator"
-version = "0.20.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "43fb22e1a008ece370ce08a3e9e4447a910e92621bb49b85d6e48a45397e7cfa"
-dependencies = [
- "idna",
- "once_cell",
- "regex",
- "serde",
- "serde_derive",
- "serde_json",
- "url",
- "validator_derive",
-]
-
-[[package]]
-name = "validator_derive"
-version = "0.20.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b7df16e474ef958526d1205f6dda359fdfab79d9aa6d54bafcb92dcd07673dca"
-dependencies = [
- "darling",
- "once_cell",
- "proc-macro-error2",
- "proc-macro2",
- "quote",
- "syn",
-]
-
 [[package]]
 name = "valuable"
 version = "0.1.1"
@@ -6592,7 +6336,7 @@ dependencies = [

 [[package]]
 name = "xtask"
-version = "0.5.4"
+version = "0.5.5"
 dependencies = [
 "askama 0.15.4",
 "cargo_metadata",
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -12,7 +12,7 @@ license = "Apache-2.0"
 # See also `rust-toolchain.toml`
 readme = "README.md"
 repository = "https://forgejo.ellis.link/continuwuation/continuwuity"
-version = "0.5.4"
+version = "0.5.5"

 [workspace.metadata.crane]
 name = "conduwuit"
@@ -158,7 +158,7 @@ features = ["raw_value"]

 # Used for appservice registration files
 [workspace.dependencies.serde-saphyr]
-version = "0.0.17"
+version = "0.0.19"

 # Used to load forbidden room/user regex from config
 [workspace.dependencies.serde_regex]
@@ -342,7 +342,7 @@ version = "0.1.2"
 # Used for matrix spec type definitions and helpers
 [workspace.dependencies.ruma]
 git = "https://forgejo.ellis.link/continuwuation/ruwuma"
-rev = "458d52bdc7f9a07c497be94a1420ebd3d87d7b2b"
+rev = "b496b7f38d517149361a882e75d3fd4faf210441"
 features = [
    "compat",
    "rand",
@@ -378,7 +378,8 @@ features = [
    "unstable-msc4210", # remove legacy mentions
    "unstable-extensible-events",
    "unstable-pdu",
-    "unstable-msc4155"
+    "unstable-msc4155",
+    "unstable-msc4143", # livekit well_known response
 ]

 [workspace.dependencies.rust-rocksdb]
@@ -548,6 +549,12 @@ features = ["sync", "tls-rustls", "rustls-provider"]
 [workspace.dependencies.resolv-conf]
 version = "0.7.5"

+[workspace.dependencies.yansi]
+version = "1.0.1"
+
+[workspace.dependencies.askama]
+version = "0.14.0"
+
 #
 # Patches
 #
--- a/changelog.d/1249.bugfix.md
+++ b/changelog.d/1249.bugfix.md
@@ -1 +0,0 @@
-Fixed invites sent to other users in the same homeserver not being properly sent down sync. Users with missing or broken invites should clear their client caches after updating to make them appear.
--- a/changelog.d/1349.feature
+++ b/changelog.d/1349.feature
@@ -1 +0,0 @@
-Introduce a resolver command to allow flushing a server from the cache or to flush the complete cache. Contributed by @Omar007
--- a/conduwuit-example.toml
+++ b/conduwuit-example.toml
@@ -433,7 +433,7 @@
 # If you would like registration only via token reg, please configure
 # `registration_token`.
 #
-#allow_registration = false
+#allow_registration = true

 # If registration is enabled, and this setting is true, new users
 # registered after the first admin user will be automatically suspended
@@ -1474,6 +1474,10 @@
 #
 #url_preview_check_root_domain = false

+# User agent that is used specifically when fetching url previews.
+#
+#url_preview_user_agent = "continuwuity/<version> (bot; +https://continuwuity.org)"
+
 # List of forbidden room aliases and room IDs as strings of regex
 # patterns.
 #
@@ -1820,6 +1824,17 @@
 #
 #support_mxid =

+# A list of MatrixRTC foci URLs which will be served as part of the
+# MSC4143 client endpoint at /.well-known/matrix/client.  If you're
+# setting up livekit, you'd want something like:
+# rtc_focus_server_urls = [
+#     { type = "livekit", livekit_service_url = "https://livekit.example.com" },
+# ]
+#
+# To disable, set this to be an empty vector (`[]`).
+#
+#rtc_focus_server_urls = []
+
 [global.blurhashing]

 # blurhashing x component, 4 is recommended by https://blurha.sh/
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -48,7 +48,7 @@ EOF

 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.17.4
+ENV BINSTALL_VERSION=1.17.5
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree
--- a/docker/complement.Dockerfile
+++ b/docker/complement.Dockerfile
@@ -2,9 +2,9 @@ FROM ubuntu:latest
 EXPOSE 8008
 EXPOSE 8448
 RUN apt-get update && apt-get install -y ca-certificates liburing2 && rm -rf /var/lib/apt/lists/*
-RUN mkdir -p /etc/continuwuity /var/lib/continuwuity
-COPY docker/complement-entrypoint.sh /usr/local/bin/complement-entrypoint.sh
-COPY docker/complement.config.toml /etc/continuwuity/config.toml
+RUN mkdir -p /etc/continuwuity /var/lib/continuwuity /usr/local/bin/
+COPY complement/complement-entrypoint.sh /usr/local/bin/complement-entrypoint.sh
+COPY complement/complement.config.toml /etc/continuwuity/config.toml
 COPY target/debug/conduwuit /usr/local/bin/conduwuit
 RUN chmod +x /usr/local/bin/conduwuit /usr/local/bin/complement-entrypoint.sh
 #HEALTHCHECK --interval=30s --timeout=5s CMD curl --fail http://localhost:8008/_continuwuity/server_version || exit 1
--- a/docker/musl.Dockerfile
+++ b/docker/musl.Dockerfile
@@ -18,7 +18,7 @@ RUN --mount=type=cache,target=/etc/apk/cache apk add \

 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.17.4
+ENV BINSTALL_VERSION=1.17.5
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree
--- a/docs/_meta.json
+++ b/docs/_meta.json
@@ -15,9 +15,9 @@
        "label": "Deploying"
    },
    {
-        "type": "file",
-        "name": "turn",
-        "label": "TURN"
+        "type": "dir",
+        "name": "calls",
+        "label": "Calls"
    },
    {
        "type": "file",
--- a/docs/_nav.json
+++ b/docs/_nav.json
@@ -2,7 +2,7 @@
    {
        "text": "Guide",
        "link": "/introduction",
-        "activeMatch": "^/(introduction|configuration|deploying|turn|appservices|maintenance|troubleshooting)"
+        "activeMatch": "^/(introduction|configuration|deploying|calls|appservices|maintenance|troubleshooting)"
    },
    {
        "text": "Development",
--- a/docs/calls.mdx
+++ b/docs/calls.mdx
@@ -0,0 +1,13 @@
+# Calls
+
+Matrix supports two types of calls:
+
+- Element Call powered by [MatrixRTC](https://half-shot.github.io/msc-crafter/#msc/4143) and [LiveKit](https://github.com/livekit/livekit)
+- Legacy calls, sometimes using Jitsi
+
+Both types of calls are supported by different sets of clients, but most clients are moving towards MatrixRTC / Element Call.
+
+For either one to work correctly, you have to do some additional setup.
+
+- For legacy calls to work, you need to set up a TURN/STUN server. [Read the TURN guide for tips on how to set up coturn](./calls/turn.mdx)
+- For MatrixRTC / Element Call to work, you have to set up the LiveKit backend (foci). LiveKit also uses TURN/STUN to increase reliability, so you might want to configure your TURN server first. [Read the LiveKit guide](./calls/livekit.mdx)
--- a/docs/calls/_meta.json
+++ b/docs/calls/_meta.json
@@ -0,0 +1,12 @@
+[
+    {
+        "type": "file",
+        "name": "turn",
+        "label": "TURN"
+    },
+    {
+        "type": "file",
+        "name": "livekit",
+        "label": "MatrixRTC / LiveKit"
+    }
+]
--- a/docs/calls/livekit.mdx
+++ b/docs/calls/livekit.mdx
@@ -0,0 +1,269 @@
+# Matrix RTC/Element Call Setup
+
+:::info
+This guide assumes that you are using docker compose for deployment. LiveKit only provides Docker images.
+:::
+
+## Instructions
+
+### 1. Domain
+
+LiveKit should live on its own domain or subdomain. In this guide we use `livekit.example.com` - this should be replaced with a domain you control.
+
+Make sure the DNS record for the (sub)domain you plan to use is pointed to your server.
+
+### 2. Services
+
+Using LiveKit with Matrix requires two services - Livekit itself, and a service (`lk-jwt-service`) that grants Matrix users permission to connect to it.
+
+You must generate a key and secret to allow the Matrix service to authenticate with LiveKit. `LK_MATRIX_KEY` should be around 20 random characters, and `LK_MATRIX_SECRET` should be around 64. Remember to replace these with the actual values!
+
+:::tip Generating the secrets
+LiveKit provides a utility to generate secure random keys
+```bash
+docker run --rm livekit/livekit-server:latest generate-keys
+```
+:::
+
+```yaml
+services:
+  lk-jwt-service:
+    image: ghcr.io/element-hq/lk-jwt-service:latest
+    container_name: lk-jwt-service
+    environment:
+      - LIVEKIT_JWT_BIND=:8081
+      - LIVEKIT_URL=wss://livekit.example.com
+      - LIVEKIT_KEY=LK_MATRIX_KEY
+      - LIVEKIT_SECRET=LK_MATRIX_SECRET
+      - LIVEKIT_FULL_ACCESS_HOMESERVERS=example.com
+    restart: unless-stopped
+    ports:
+      - "8081:8081"
+
+  livekit:
+    image: livekit/livekit-server:latest
+    container_name: livekit
+    command: --config /etc/livekit.yaml
+    restart: unless-stopped
+    volumes:
+      - ./livekit.yaml:/etc/livekit.yaml:ro
+    network_mode: "host" # /!\ LiveKit binds to all addresses by default.
+    # Make sure port 7880 is blocked by your firewall to prevent access bypassing your reverse proxy
+    # Alternatively, uncomment the lines below and comment `network_mode: "host"` above to specify port mappings.
+#    ports:
+#      - "127.0.0.1:7880:7880/tcp"
+#      - "7881:7881/tcp"
+#      - "50100-50200:50100-50200/udp"
+```
+
+Next, we need to configure LiveKit. In the same directory, create `livekit.yaml` with the following content - remembering to replace `LK_MATRIX_KEY` and `LK_MATRIX_SECRET` with the values you generated:
+
+```yaml
+port: 7880
+bind_addresses:
+  - ""
+rtc:
+  tcp_port: 7881
+  port_range_start: 50100
+  port_range_end: 50200
+  use_external_ip: true
+  enable_loopback_candidate: false
+keys:
+  LK_MATRIX_KEY: LK_MATRIX_SECRET
+```
+
+#### Firewall hints
+
+You will need to allow ports `7881/tcp` and `50100:50200/udp` through your firewall. If you use UFW, the commands are: `ufw allow 7881/tcp` and `ufw allow 50100:50200/udp`.
+
+### 3. Telling clients where to find LiveKit
+
+To tell clients where to find LiveKit, you need to add the address of your `lk-jwt-service` to your client .well-known file. To do so, in the config section `global.well-known`, add (or modify) the option `rtc_focus_server_urls`.
+
+The variable should be a list of servers serving as MatrixRTC endpoints to serve in the well-known file to the client.
+
+```toml
+rtc_focus_server_urls = [
+    { type = "livekit", livekit_service_url = "https://livekit.example.com" },
+]
+```
+
+Remember to replace the URL with the address you are deploying your instance of lk-jwt-service to.
+
+#### Serving .well-known manually
+
+If you don't let Continuwuity serve your `.well-known` files, you need to add the following lines to your `.well-known/matrix/client` file, remembering to replace the URL with your own `lk-jwt-service` deployment:
+
+```json
+  "org.matrix.msc4143.rtc_foci": [
+    {
+      "type": "livekit",
+      "livekit_service_url": "https://livekit.example.com"
+    }
+  ]
+```
+
+The final file should look something like this:
+
+```json
+{
+  "m.homeserver": {
+    "base_url":"https://matrix.example.com"
+  },
+  "org.matrix.msc4143.rtc_foci": [
+    {
+      "type": "livekit",
+      "livekit_service_url": "https://livekit.example.com"
+    }
+  ]
+}
+```
+
+### 4. Configure your Reverse Proxy
+
+Reverse proxies can be configured in many different ways - so we can't provide a step by step for this.
+
+By default, all routes should be forwarded to Livekit with the exception of the following path prefixes, which should be forwarded to the JWT/Authentication service:
+
+- `/sfu/get`
+- `/healthz`
+- `/get_token`
+
+<details>
+    <summary>Example caddy config</summary>
+    ```
+    matrix-rtc.example.com {
+
+        # for lk-jwt-service
+        @lk-jwt-service path /sfu/get* /healthz* /get_token*
+        route @lk-jwt-service {
+            reverse_proxy 127.0.0.1:8081
+        }
+
+        # for livekit
+        reverse_proxy 127.0.0.1:7880
+    }
+    ```
+</details>
+
+<details>
+    <summary>Example nginx config</summary>
+    ```
+    server {
+        server_name matrix-rtc.example.com;
+
+        # for lk-jwt-service
+        location ~ ^/(sfu/get|healthz|get_token) {
+            proxy_pass http://127.0.0.1:8081$request_uri;
+            proxy_set_header X-Forwarded-For $remote_addr;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header Host $http_host;
+            proxy_buffering off;  
+        }
+
+        # for livekit
+        location / {
+            proxy_pass http://127.0.0.1:7880$request_uri;
+            proxy_set_header X-Forwarded-For $remote_addr;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header Host $http_host;
+            proxy_buffering off;
+
+            # websocket
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection $connection_upgrade;
+        }
+    }
+    ```
+
+    Note that for websockets to work, you need to have this somewhere outside your server block:
+    ```
+    map $http_upgrade $connection_upgrade {
+        default upgrade;
+        ''      close;
+    }
+    ```
+</details>
+
+<details>
+    <summary>Example traefik router</summary>
+    ```
+    # on LiveKit itself
+    traefik.http.routers.livekit.rule=Host(`livekit.example.com`)
+    # on the JWT service
+    traefik.http.routers.livekit-jwt.rule=Host(`livekit.example.com`) && (PathPrefix(`/sfu/get`) || PathPrefix(`/healthz`) || PathPrefix(`/get_token`))
+    ```
+</details>
+
+
+### 6. Start Everything
+
+Start up the services using your usual method - for example `docker compose up -d`.
+
+## Additional Configuration
+
+### TURN Integration
+
+If you've already set up coturn, there may be a port clash between the two services. To fix this, make sure the `min-port` and `max-port` for coturn so it doesn't overlap with LiveKit's range:
+
+```ini
+min-port=50201
+max-port=65535
+```
+
+To improve LiveKit's reliability, you can configure it to use your coturn server.
+
+Generate a long random secret for LiveKit, and add it to your coturn config under the `static-auth-secret` option. You can add as many secrets as you want - so set a different one for each thing using your TURN server.
+
+Then configure livekit, making sure to replace `COTURN_SECRET`:
+
+```yaml
+# livekit.yaml
+rtc:
+  turn_servers:
+    - host: coturn.ellis.link
+      port: 3478
+      protocol: tcp
+      secret: "COTURN_SECRET"
+    - host: coturn.ellis.link
+      port: 5349
+      protocol: tls # Only if you've set up TLS in your coturn
+      secret: "COTURN_SECRET"
+    - host: coturn.ellis.link
+      port: 3478
+      protocol: udp
+      secret: "COTURN_SECRET"
+```
+
+## LiveKit's built in TURN server
+
+Livekit includes a built in TURN server which can be used in place of an external option. This TURN server will only work with Livekit, so you can't use it for legacy Matrix calling - or anything else.
+
+If you don't want to set up a separate TURN server, you can enable this with the following changes:
+
+```yaml
+### add this to livekit.yaml ###
+turn:
+  enabled: true
+  udp_port: 3478
+  relay_range_start: 50300
+  relay_range_end: 50400
+  domain: matrix-rtc.example.com
+```
+
+```yaml
+### Add these to docker-compose ###
+- "3478:3478/udp"
+- "50300-50400:50300-50400/udp"
+```
+
+### Related Documentation
+
+- [LiveKit GitHub](https://github.com/livekit/livekit)
+- [LiveKit Connection Tester](https://livekit.io/connection-test) - use with the token returned by `/sfu/get` or `/get_token`
+- [MatrixRTC proposal](https://half-shot.github.io/msc-crafter/#msc/4143)
+- [Synapse documentation](https://github.com/element-hq/element-call/blob/livekit/docs/self-hosting.md)
+- [Community guide](https://tomfos.tr/matrix/livekit/)
+- [Community guide](https://blog.kimiblock.top/2024/12/24/hosting-element-call/)
+-
--- a/docs/calls/turn.mdx
+++ b/docs/calls/turn.mdx
@@ -0,0 +1,214 @@
+# Setting up TURN/STUN
+
+[TURN](https://en.wikipedia.org/wiki/Traversal_Using_Relays_around_NAT) and [STUN](https://en.wikipedia.org/wiki/STUN) are used as a component in many calling systems. Matrix uses them directly for legacy calls and indirectly for MatrixRTC via Livekit.
+
+Continuwuity recommends using [Coturn](https://github.com/coturn/coturn) as your TURN/STUN server, which is available as a Docker image or a distro package.
+
+## Installing Coturn
+
+### Configuration
+
+Create a configuration file called `coturn.conf` containing:
+
+```ini
+use-auth-secret
+static-auth-secret=<a secret key>
+realm=<your server domain>
+```
+
+:::tip Generating a secure secret
+A common way to generate a suitable alphanumeric secret key is by using:
+```bash
+pwgen -s 64 1
+```
+:::
+
+#### Port Configuration
+
+By default, coturn uses the following ports:
+- `3478` (UDP/TCP): Standard TURN/STUN port
+- `5349` (UDP/TCP): TURN/STUN over TLS
+- `49152-65535` (UDP): Media relay ports
+
+If you're also running LiveKit, you'll need to avoid port conflicts. Configure non-overlapping port ranges:
+
+```ini
+# In coturn.conf
+min-port=50201
+max-port=65535
+```
+
+This leaves ports `50100-50200` available for LiveKit's default configuration.
+
+### Running with Docker
+
+Run the [Coturn](https://hub.docker.com/r/coturn/coturn) image using:
+
+```bash
+docker run -d --network=host \
+  -v $(pwd)/coturn.conf:/etc/coturn/turnserver.conf \
+  coturn/coturn
+```
+
+### Running with Docker Compose
+
+Create a `docker-compose.yml` file and run `docker compose up -d`:
+
+```yaml
+version: '3'
+services:
+  turn:
+    container_name: coturn-server
+    image: docker.io/coturn/coturn
+    restart: unless-stopped
+    network_mode: "host"
+    volumes:
+      - ./coturn.conf:/etc/coturn/turnserver.conf
+```
+
+:::info Why host networking?
+Coturn uses host networking mode because it needs to bind to multiple ports and work with various network protocols. Using host networking is better for performance, and reduces configuration complexity. To understand alternative configuration options, visit [Coturn's Docker documentation](https://github.com/coturn/coturn/blob/master/docker/coturn/README.md).
+:::
+
+### Security Recommendations
+
+For security best practices, see Synapse's [Coturn documentation](https://element-hq.github.io/synapse/latest/turn-howto.html), which includes important firewall and access control recommendations.
+
+## Configuring Continuwuity
+
+Once your TURN server is running, configure Continuwuity to provide credentials to clients. Add the following to your Continuwuity configuration file:
+
+### Shared Secret Authentication (Recommended)
+
+This is the most secure method and generates time-limited credentials automatically:
+
+```toml
+# TURN URIs that clients should connect to
+turn_uris = [
+    "turn:coturn.example.com?transport=udp",
+    "turn:coturn.example.com?transport=tcp",
+    "turns:coturn.example.com?transport=udp",
+    "turns:coturn.example.com?transport=tcp"
+]
+
+# Shared secret for generating credentials (must match coturn's static-auth-secret)
+turn_secret = "<your coturn static-auth-secret>"
+
+# Optional: Read secret from a file instead (takes priority over turn_secret)
+# turn_secret_file = "/etc/continuwuity/.turn_secret"
+
+# TTL for generated credentials in seconds (default: 86400 = 24 hours)
+turn_ttl = 86400
+```
+
+:::tip Using TLS
+The `turns:` URI prefix instructs clients to connect to TURN over TLS, which is highly recommended for security. Make sure you've configured TLS in your coturn server first.
+:::
+
+### Static Credentials (Alternative)
+
+If you prefer static username/password credentials instead of shared secrets:
+
+```toml
+turn_uris = [
+    "turn:coturn.example.com?transport=udp",
+    "turn:coturn.example.com?transport=tcp"
+]
+
+turn_username = "your_username"
+turn_password = "your_password"
+```
+
+:::warning
+Static credentials are less secure than shared secrets because they don't expire and must be configured in coturn separately. It is strongly advised you use shared secret authentication.
+:::
+
+### Guest Access
+
+By default, TURN credentials require client authentication. To allow unauthenticated access:
+
+```toml
+turn_allow_guests = true
+```
+
+:::caution
+This is not recommended as it allows unauthenticated users to access your TURN server, potentially enabling abuse by bots. All major Matrix clients that support legacy calls *also* support authenticated TURN access.
+:::
+
+### Important Notes
+
+- Replace `coturn.example.com` with your actual TURN server domain (the `realm` from coturn.conf)
+- The `turn_secret` must match the `static-auth-secret` in your coturn configuration
+- Restart or reload Continuwuity after making configuration changes
+
+## Testing Your TURN Server
+
+### Testing Credentials
+
+Verify that Continuwuity is correctly serving TURN credentials to clients:
+
+```bash
+curl "https://matrix.example.com/_matrix/client/r0/voip/turnServer" \
+  -H "Authorization: Bearer <your_client_token>" | jq
+```
+
+You should receive a response like this:
+
+```json
+{
+  "username": "1752792167:@jade:example.com",
+  "password": "KjlDlawdPbU9mvP4bhdV/2c/h65=",
+  "uris": [
+    "turns:coturn.example.com?transport=udp",
+    "turns:coturn.example.com?transport=tcp",
+    "turn:coturn.example.com?transport=udp",
+    "turn:coturn.example.com?transport=tcp"
+  ],
+  "ttl": 86400
+}
+```
+
+:::note MSC4166 Compliance
+If no TURN URIs are configured (`turn_uris` is empty), Continuwuity will return a 404 Not Found response, as specified in MSC4166.
+:::
+
+### Testing Connectivity
+
+Use [Trickle ICE](https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/) to verify that the TURN credentials actually work:
+
+1. Copy the credentials from the response above
+2. Paste them into the Trickle ICE testing tool
+3. Click "Gather candidates"
+4. Look for successful `relay` candidates in the results
+
+If you see relay candidates, your TURN server is working correctly!
+
+## Troubleshooting
+
+### Clients can't connect to TURN server
+
+- Verify firewall rules allow the necessary ports (3478, 5349, and your media port range)
+- Check that DNS resolves correctly for your TURN domain
+- Ensure your `turn_secret` matches coturn's `static-auth-secret`
+- Test with Trickle ICE to isolate the issue
+
+### Port conflicts with LiveKit
+
+- Make sure coturn's `min-port` starts above LiveKit's `port_range_end` (default: 50200)
+- Or adjust LiveKit's port range to avoid coturn's default range
+
+### 404 when calling turnServer endpoint
+
+- Verify that `turn_uris` is not empty in your Continuwuity config
+- This behavior is correct per MSC4166 if no TURN URIs are configured
+
+### Credentials expire too quickly
+
+- Adjust the `turn_ttl` value in your Continuwuity configuration
+- Default is 86400 seconds (24 hours)
+
+### Related Documentation
+
+- [MatrixRTC/LiveKit Setup](./livekit.mdx) - Configure group calling with LiveKit
+- [Coturn GitHub](https://github.com/coturn/coturn) - Official coturn repository
+- [Synapse TURN Guide](https://element-hq.github.io/synapse/latest/turn-howto.html) - Additional security recommendations
--- a/docs/deploying/docker.mdx
+++ b/docs/deploying/docker.mdx
@@ -217,4 +217,4 @@ ### Use Traefik as Proxy

 ## Voice communication

-See the [TURN](../turn.md) page.
+See the [Calls](../calls.mdx) page.
--- a/docs/deploying/generic.mdx
+++ b/docs/deploying/generic.mdx
@@ -269,7 +269,7 @@ # If federation is enabled
 ```

 - To check if your server can communicate with other homeservers, use the
-[Matrix Federation Tester](https://federationtester.matrix.org/). If you can
+[Matrix Federation Tester](https://federationtester.mtrnord.blog/). If you can
 register but cannot join federated rooms, check your configuration and verify
 that port 8448 is open and forwarded correctly.

@@ -277,7 +277,7 @@ # What's next?

 ## Audio/Video calls

-For Audio/Video call functionality see the [TURN Guide](../turn.md).
+For Audio/Video call functionality see the [Calls](../calls.md) page.

 ## Appservices

--- a/docs/index.mdx
+++ b/docs/index.mdx
@@ -19,6 +19,16 @@
    src: /assets/logo.svg
    alt: continuwuity logo

+beforeFeatures:
+  - title: Matrix for Discord users
+    details: New to Matrix? Learn how Matrix compares to Discord
+    link: https://joinmatrix.org/guide/matrix-vs-discord/
+    buttonText: Find Out the Difference
+  - title: How Matrix Works
+    details: Learn how Matrix works under the hood, and what that means
+    link: https://matrix.org/docs/matrix-concepts/elements-of-matrix/
+    buttonText: Read the Guide
+
 features:
  - title: 🚀 High Performance
    details: Built with Rust for exceptional speed and efficiency. Designed to run smoothly even on modest hardware.
--- a/docs/turn.mdx
+++ b/docs/turn.mdx
@@ -1,94 +0,0 @@
-# Setting up TURN/STURN
-
-In order to make or receive calls, a TURN server is required. Continuwuity suggests
-using [Coturn](https://github.com/coturn/coturn) for this purpose, which is also
-available as a Docker image.
-
-### Configuration
-
-Create a configuration file called `coturn.conf` containing:
-
-```
-use-auth-secret
-static-auth-secret=<a secret key>
-realm=<your server domain>
-```
-
-A common way to generate a suitable alphanumeric secret key is by using `pwgen
-s 64 1`.
-
-These same values need to be set in Continuwuity. See the [example
-config](./reference/config.mdx) in the TURN section for configuring these and
-restart Continuwuity after.
-
-`turn_secret` or a path to `turn_secret_file` must have a value of your
-coturn `static-auth-secret`, or use `turn_username` and `turn_password`
-if using legacy username:password TURN authentication (not preferred).
-
-`turn_uris` must be the list of TURN URIs you would like to send to the client.
-Typically you will just replace the example domain `example.turn.uri` with the
-`realm` you set from the example config.
-
-If you are using TURN over TLS, you can replace `turn:` with `turns:` in the
-`turn_uris` config option to instruct clients to attempt to connect to
-TURN over TLS. This is highly recommended.
-
-If you need unauthenticated access to the TURN URIs, or some clients may be
-having trouble, you can enable `turn_guest_access` in Continuwuity which disables
-authentication for the TURN URI endpoint `/_matrix/client/v3/voip/turnServer`
-
-### Run
-
-Run the [Coturn](https://hub.docker.com/r/coturn/coturn) image using
-
-```bash
-docker run -d --network=host -v
-$(pwd)/coturn.conf:/etc/coturn/turnserver.conf coturn/coturn
-```
-
-or docker-compose. For the latter, paste the following section into a file
-called `docker-compose.yml` and run `docker compose up -d` in the same
-directory.
-
-```yml
-version: 3
-services:
-    turn:
-      container_name: coturn-server
-      image: docker.io/coturn/coturn
-      restart: unless-stopped
-      network_mode: "host"
-      volumes:
-        - ./coturn.conf:/etc/coturn/turnserver.conf
-```
-
-To understand why the host networking mode is used and explore alternative
-configuration options, please visit [Coturn's Docker
-documentation](https://github.com/coturn/coturn/blob/master/docker/coturn/README.md).
-
-For security recommendations see Synapse's [Coturn
-documentation](https://element-hq.github.io/synapse/latest/turn-howto.html).
-
-### Testing
-
-To make sure turn credentials are being correctly served to clients, you can manually make a HTTP request to the turnServer endpoint.
-
-`curl "https://<matrix.example.com>/_matrix/client/r0/voip/turnServer" -H 'Authorization: Bearer <your_client_token>' | jq`
-
-You should get a response like this:
-
-```json
-{
-  "username": "1752792167:@jade:example.com",
-  "password": "KjlDlawdPbU9mvP4bhdV/2c/h65=",
-  "uris": [
-    "turns:coturn.example.com?transport=udp",
-    "turns:coturn.example.com?transport=tcp",
-    "turn:coturn.example.com?transport=udp",
-    "turn:coturn.example.com?transport=tcp"
-  ],
-  "ttl": 86400
-}
-```
-
-You can test these credentials work using [Trickle ICE](https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/)
--- a/nix/packages/uwulib/build.nix
+++ b/nix/packages/uwulib/build.nix
@@ -20,7 +20,7 @@ rec {
      # we need to keep the `web` directory which would be filtered out by the regular source filtering function
      #
      # https://crane.dev/API.html#cranelibcleancargosource
-      isWebTemplate = path: _type: builtins.match ".*src/web.*" path != null;
+      isWebTemplate = path: _type: builtins.match ".*(src/(web|service)|docs).*" path != null;
      isRust = craneLib.filterCargoSources;
      isNix = path: _type: builtins.match ".+/nix.*" path != null;
      webOrRustNotNix = p: t: !(isNix p t) && (isWebTemplate p t || isRust p t);
--- a/package-lock.json
+++ b/package-lock.json
@@ -119,14 +119,13 @@
      }
    },
    "node_modules/@rsbuild/core": {
-      "version": "2.0.0-beta.1",
-      "resolved": "https://registry.npmjs.org/@rsbuild/core/-/core-2.0.0-beta.1.tgz",
-      "integrity": "sha512-m7L3oi4evTDODcY+Qk3cmY/p7GCaauSRe00D0AkXVohNvxFBt7F49uPwBSThS24I9d31zFuAED2jFqBeBlDqWw==",
+      "version": "2.0.0-beta.3",
+      "resolved": "https://registry.npmjs.org/@rsbuild/core/-/core-2.0.0-beta.3.tgz",
+      "integrity": "sha512-dfH+Pt2GuF3rWOWGsf5XOhn3Zarvr4DoHwoI1arAsCGvpzoeud3DNGmWPy13tngj0r/YvQRcPTRBCRV4RP5CMw==",
      "dev": true,
      "license": "MIT",
-      "peer": true,
      "dependencies": {
-        "@rspack/core": "2.0.0-alpha.1",
+        "@rspack/core": "2.0.0-beta.0",
        "@swc/helpers": "^0.5.18",
        "jiti": "^2.6.1"
      },
@@ -160,28 +159,28 @@
      }
    },
    "node_modules/@rspack/binding": {
-      "version": "2.0.0-alpha.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding/-/binding-2.0.0-alpha.1.tgz",
-      "integrity": "sha512-Glz0SNFYPtNVM+ExJ4ocSzW+oQhb1iHTmxqVEAILbL17Hq3N/nwZpo1cWEs6hJjn8cosJIb1VKbbgb/1goEtCQ==",
+      "version": "2.0.0-beta.0",
+      "resolved": "https://registry.npmjs.org/@rspack/binding/-/binding-2.0.0-beta.0.tgz",
+      "integrity": "sha512-L6PPqhwZWC2vzwdhBItNPXw+7V4sq+MBDRXLdd8NMqaJSCB5iKdJIbpbEQucST9Nn7V28IYoQTXs6+ol5vWUBA==",
      "dev": true,
      "license": "MIT",
      "optionalDependencies": {
-        "@rspack/binding-darwin-arm64": "2.0.0-alpha.1",
-        "@rspack/binding-darwin-x64": "2.0.0-alpha.1",
-        "@rspack/binding-linux-arm64-gnu": "2.0.0-alpha.1",
-        "@rspack/binding-linux-arm64-musl": "2.0.0-alpha.1",
-        "@rspack/binding-linux-x64-gnu": "2.0.0-alpha.1",
-        "@rspack/binding-linux-x64-musl": "2.0.0-alpha.1",
-        "@rspack/binding-wasm32-wasi": "2.0.0-alpha.1",
-        "@rspack/binding-win32-arm64-msvc": "2.0.0-alpha.1",
-        "@rspack/binding-win32-ia32-msvc": "2.0.0-alpha.1",
-        "@rspack/binding-win32-x64-msvc": "2.0.0-alpha.1"
+        "@rspack/binding-darwin-arm64": "2.0.0-beta.0",
+        "@rspack/binding-darwin-x64": "2.0.0-beta.0",
+        "@rspack/binding-linux-arm64-gnu": "2.0.0-beta.0",
+        "@rspack/binding-linux-arm64-musl": "2.0.0-beta.0",
+        "@rspack/binding-linux-x64-gnu": "2.0.0-beta.0",
+        "@rspack/binding-linux-x64-musl": "2.0.0-beta.0",
+        "@rspack/binding-wasm32-wasi": "2.0.0-beta.0",
+        "@rspack/binding-win32-arm64-msvc": "2.0.0-beta.0",
+        "@rspack/binding-win32-ia32-msvc": "2.0.0-beta.0",
+        "@rspack/binding-win32-x64-msvc": "2.0.0-beta.0"
      }
    },
    "node_modules/@rspack/binding-darwin-arm64": {
-      "version": "2.0.0-alpha.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-darwin-arm64/-/binding-darwin-arm64-2.0.0-alpha.1.tgz",
-      "integrity": "sha512-+6E6pYgpKvs41cyOlqRjpCT3djjL9hnntF61JumM/TNo1aTYXMNNG4b8ZsLMpBq5ZwCy9Dg8oEDe8AZ84rfM7A==",
+      "version": "2.0.0-beta.0",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-darwin-arm64/-/binding-darwin-arm64-2.0.0-beta.0.tgz",
+      "integrity": "sha512-PPx1+SPEROSvDKmBuCbsE7W9tk07ajPosyvyuafv2wbBI6PW2rNcz62uzpIFS+FTgwwZ5u/06WXRtlD2xW9bKg==",
      "cpu": [
        "arm64"
      ],
@@ -193,9 +192,9 @@
      ]
    },
    "node_modules/@rspack/binding-darwin-x64": {
-      "version": "2.0.0-alpha.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-darwin-x64/-/binding-darwin-x64-2.0.0-alpha.1.tgz",
-      "integrity": "sha512-Ccf9NNupVe67vlaS9zKQJ+BvsAn385uBC1vXnYaUxxHoY/tEwNJf6t+XyDARt7mCtT7+Bu4L/iJ/JEF/MsO5zg==",
+      "version": "2.0.0-beta.0",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-darwin-x64/-/binding-darwin-x64-2.0.0-beta.0.tgz",
+      "integrity": "sha512-GucsfjrSKBZ9cuOTXmHWxeY2wPmaNyvGNxTyzttjRcfwqOWz8r+ku6PCsMSXUqxZRYWW1L9mvtTdlDrzTYJZ0w==",
      "cpu": [
        "x64"
      ],
@@ -207,9 +206,9 @@
      ]
    },
    "node_modules/@rspack/binding-linux-arm64-gnu": {
-      "version": "2.0.0-alpha.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-2.0.0-alpha.1.tgz",
-      "integrity": "sha512-B7omNsPSsinOq2VRD4d4VFrLgHceMQobqlLg0txFUZ7PDjE307gpTcGViWQlUhNCbkZXMPzDeXBFa5ZlEmxgnA==",
+      "version": "2.0.0-beta.0",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-2.0.0-beta.0.tgz",
+      "integrity": "sha512-nTtYtklRZD4sb2RIFCF9YS8tZ/MjpqIBKVS3YIvdXcfHUdVfmQHTZGtwEuZGg6AxTC5L1hcvkYmTXCG0ok7auw==",
      "cpu": [
        "arm64"
      ],
@@ -221,9 +220,9 @@
      ]
    },
    "node_modules/@rspack/binding-linux-arm64-musl": {
-      "version": "2.0.0-alpha.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-musl/-/binding-linux-arm64-musl-2.0.0-alpha.1.tgz",
-      "integrity": "sha512-NCG401ofZcDKlTWD8VHv76Y+02Stmd9Nu5MRbVUBOCTVgXMj8Mgrm5XsGBWUjzd5J/Mvo2hstCKIZxNzmPd8uQ==",
+      "version": "2.0.0-beta.0",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-musl/-/binding-linux-arm64-musl-2.0.0-beta.0.tgz",
+      "integrity": "sha512-S2fshx0Rf7/XYwoMLaqFsVg4y+VAfHzubrczy8AW5xIs6UNC3eRLVTgShLerUPtF6SG+v6NQxQ9JI3vOo2qPOA==",
      "cpu": [
        "arm64"
      ],
@@ -235,9 +234,9 @@
      ]
    },
    "node_modules/@rspack/binding-linux-x64-gnu": {
-      "version": "2.0.0-alpha.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-gnu/-/binding-linux-x64-gnu-2.0.0-alpha.1.tgz",
-      "integrity": "sha512-Xgp8wJ5gjpPG8I3VMEsVAesfckWryQVUhJkHcxPfNi72QTv8UkMER7Jl+JrlQk7K7nMO5ltokx/VGl1c3tMx+w==",
+      "version": "2.0.0-beta.0",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-gnu/-/binding-linux-x64-gnu-2.0.0-beta.0.tgz",
+      "integrity": "sha512-yx5Fk1gl7lfkvqcjolNLCNeduIs6C2alMsQ/kZ1pLeP5MPquVOYNqs6EcDPIp+fUjo3lZYtnJBiZKK+QosbzYg==",
      "cpu": [
        "x64"
      ],
@@ -249,9 +248,9 @@
      ]
    },
    "node_modules/@rspack/binding-linux-x64-musl": {
-      "version": "2.0.0-alpha.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-musl/-/binding-linux-x64-musl-2.0.0-alpha.1.tgz",
-      "integrity": "sha512-lrYKcOgsPA1UMswxzFAV37ofkznbtTLCcEas6lxtlT3Dr28P6VRzC8TgVbIiprkm10I0BlThQWDJ3aGzzLj9Kg==",
+      "version": "2.0.0-beta.0",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-musl/-/binding-linux-x64-musl-2.0.0-beta.0.tgz",
+      "integrity": "sha512-sBX4b2W0PgehlAVT224k0Q6GaH6t9HP+hBNDrbX/g6d0hfxZN56gm5NfOTOD1Rien4v7OBEejJ3/uFbm1WjwYQ==",
      "cpu": [
        "x64"
      ],
@@ -263,9 +262,9 @@
      ]
    },
    "node_modules/@rspack/binding-wasm32-wasi": {
-      "version": "2.0.0-alpha.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-wasm32-wasi/-/binding-wasm32-wasi-2.0.0-alpha.1.tgz",
-      "integrity": "sha512-rppGiT7CtXlM8st+IgzBDqb7V//1xx5Oe0SY1sxxw0cfOGMpIQCwhJqx/uI6ioqJLZLGX/obt359+hPXyqGl4w==",
+      "version": "2.0.0-beta.0",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-wasm32-wasi/-/binding-wasm32-wasi-2.0.0-beta.0.tgz",
+      "integrity": "sha512-o6OatnNvb4kCzXbCaomhENGaCsO3naIyAqqErew90HeAwa1lfY3NhRfDLeIyuANQ+xqFl34/R7n8q3ZDx3nd4Q==",
      "cpu": [
        "wasm32"
      ],
@@ -277,9 +276,9 @@
      }
    },
    "node_modules/@rspack/binding-win32-arm64-msvc": {
-      "version": "2.0.0-alpha.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-2.0.0-alpha.1.tgz",
-      "integrity": "sha512-yD2g1JmnCxrix/344r7lBn+RH+Nv8uWP0UDP8kwv4kQGCWr4U7IP8PKFpoyulVOgOUjvJpgImeyrDJ7R8he+5w==",
+      "version": "2.0.0-beta.0",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-2.0.0-beta.0.tgz",
+      "integrity": "sha512-neCzVllXzIqM8p8qKb89qV7wyk233gC/V9VrHIKbGeQjAEzpBsk5GOWlFbq5DDL6tivQ+uzYaTrZWm9tb2qxXg==",
      "cpu": [
        "arm64"
      ],
@@ -291,9 +290,9 @@
      ]
    },
    "node_modules/@rspack/binding-win32-ia32-msvc": {
-      "version": "2.0.0-alpha.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-ia32-msvc/-/binding-win32-ia32-msvc-2.0.0-alpha.1.tgz",
-      "integrity": "sha512-5qpQL5Qz3uYb56pwffEGzznXSX9TNkLpigQbIObfnUwX7WkdjgTT7oTHpjn2sRSLLNiJ/jCp2r4ZHvjmnNRsRA==",
+      "version": "2.0.0-beta.0",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-ia32-msvc/-/binding-win32-ia32-msvc-2.0.0-beta.0.tgz",
+      "integrity": "sha512-/f0n2eO+DxMKQm9IebeMQJITx8M/+RvY/i8d3sAQZBgR53izn8y7EcDlidXpr24/2DvkLbiub8IyCKPlhLB+1A==",
      "cpu": [
        "ia32"
      ],
@@ -305,9 +304,9 @@
      ]
    },
    "node_modules/@rspack/binding-win32-x64-msvc": {
-      "version": "2.0.0-alpha.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-x64-msvc/-/binding-win32-x64-msvc-2.0.0-alpha.1.tgz",
-      "integrity": "sha512-dZ76NN9tXLaF2gnB/pU+PcK4Adf9tj8dY06KcWk5F81ur2V4UbrMfkWJkQprur8cgL/F49YtFMRWa4yp/qNbpQ==",
+      "version": "2.0.0-beta.0",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-x64-msvc/-/binding-win32-x64-msvc-2.0.0-beta.0.tgz",
+      "integrity": "sha512-dx4zgiAT88EQE7kEUpr7Z9EZAwLnO5FhzWzvd/cDK4bkqYsx+rTklgf/c0EYPBeroXCxlGiMsuC9wHAFNK7sFw==",
      "cpu": [
        "x64"
      ],
@@ -319,13 +318,13 @@
      ]
    },
    "node_modules/@rspack/core": {
-      "version": "2.0.0-alpha.1",
-      "resolved": "https://registry.npmjs.org/@rspack/core/-/core-2.0.0-alpha.1.tgz",
-      "integrity": "sha512-2KK3hbxrRqzxtzg+ka7LsiEKIWIGIQz317k9HHC2U4IC5yLJ31K8y/vQfA1aIT2QcFls9gW7GyRjp8A4X5cvLA==",
+      "version": "2.0.0-beta.0",
+      "resolved": "https://registry.npmjs.org/@rspack/core/-/core-2.0.0-beta.0.tgz",
+      "integrity": "sha512-aEqlQQjiXixT5i9S4DFtiAap8ZjF6pOgfY2ALHOizins/QqWyB8dyLxSoXdzt7JixmKcFmHkbL9XahO28BlVUA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@rspack/binding": "2.0.0-alpha.1",
+        "@rspack/binding": "2.0.0-beta.0",
        "@rspack/lite-tapable": "1.1.0"
      },
      "engines": {
@@ -372,21 +371,20 @@
      }
    },
    "node_modules/@rspress/core": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/@rspress/core/-/core-2.0.2.tgz",
-      "integrity": "sha512-tU8rUVaPyC8o8k4ezgigRVQuZhBAC41KWdwZZ0BldN6o+QXSEIb722RnxCTpa9FGK2riqcwJgM+OqqcqXsFpmw==",
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/@rspress/core/-/core-2.0.3.tgz",
+      "integrity": "sha512-a+JJFiALqMxGJBqR38/lkN6tas42UF4jRIhu6RilC/3DdqpfqR8j6jjQFOmqoNKo6ZGXW2W+i1Pscn6drvoG3w==",
      "dev": true,
      "license": "MIT",
-      "peer": true,
      "dependencies": {
        "@mdx-js/mdx": "^3.1.1",
        "@mdx-js/react": "^3.1.1",
-        "@rsbuild/core": "2.0.0-beta.1",
+        "@rsbuild/core": "2.0.0-beta.3",
        "@rsbuild/plugin-react": "~1.4.5",
-        "@rspress/shared": "2.0.2",
+        "@rspress/shared": "2.0.3",
        "@shikijs/rehype": "^3.21.0",
        "@types/unist": "^3.0.3",
-        "@unhead/react": "^2.1.2",
+        "@unhead/react": "^2.1.4",
        "body-scroll-lock": "4.0.0-beta.0",
        "cac": "^6.7.14",
        "chokidar": "^3.6.0",
@@ -430,39 +428,39 @@
      }
    },
    "node_modules/@rspress/plugin-client-redirects": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/@rspress/plugin-client-redirects/-/plugin-client-redirects-2.0.2.tgz",
-      "integrity": "sha512-FOxUBDOGP06+1hL4jgbIxUe0XoEduXIQ0rSjWjzpo2mC+qTdhZUGJ0xYE2laQIfJXYv/up5zk25zjxUBnxsejw==",
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/@rspress/plugin-client-redirects/-/plugin-client-redirects-2.0.3.tgz",
+      "integrity": "sha512-9+SoAbfoxM6OCRWx8jWHHi2zwJDcNaej/URx0CWZk8tvQ618yJW5mXJydknlac62399eYh/F7C3w8TZM3ORGVA==",
      "dev": true,
      "license": "MIT",
      "engines": {
        "node": "^20.19.0 || >=22.12.0"
      },
      "peerDependencies": {
-        "@rspress/core": "^2.0.2"
+        "@rspress/core": "^2.0.3"
      }
    },
    "node_modules/@rspress/plugin-sitemap": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/@rspress/plugin-sitemap/-/plugin-sitemap-2.0.2.tgz",
-      "integrity": "sha512-3E0yEif4Pj3RX+QVOsyWXW6IIjuhwh93bhVSmhShmTKi8opH5vnHcRVZZ1z7X/P3MHXFTrC925F8383Sl2qOEg==",
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/@rspress/plugin-sitemap/-/plugin-sitemap-2.0.3.tgz",
+      "integrity": "sha512-SKa7YEAdkUqya2YjMKbakg3kcYMkXgXhTQdDsHd+QlJWN8j8cDPiCcctMZu8iIPeKZlb+hTJkTWvh27LSIKdOA==",
      "dev": true,
      "license": "MIT",
      "engines": {
        "node": "^20.19.0 || >=22.12.0"
      },
      "peerDependencies": {
-        "@rspress/core": "^2.0.2"
+        "@rspress/core": "^2.0.3"
      }
    },
    "node_modules/@rspress/shared": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/@rspress/shared/-/shared-2.0.2.tgz",
-      "integrity": "sha512-9+QC8UL1gV2KpRZx4n55vAl6bE38y7eDnGJhdFSHdJkpFbUCiJDk9ZcR6jD/Rrtq7vlT0gfumUk640pxpi3IDQ==",
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/@rspress/shared/-/shared-2.0.3.tgz",
+      "integrity": "sha512-yI9G4P165fSsmm6QoYTUrdgUis1aFnDh04GcM4SQIpL3itvEZhGtItgoeGkX9EWbnEjhriwI8mTqDDJIp+vrGA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@rsbuild/core": "2.0.0-beta.1",
+        "@rsbuild/core": "2.0.0-beta.3",
        "@shikijs/rehype": "^3.21.0",
        "gray-matter": "4.0.3",
        "lodash-es": "^4.17.23",
@@ -564,7 +562,6 @@
      "integrity": "sha512-TXTnIcNJQEKwThMMqBXsZ4VGAza6bvN4pa41Rkqoio6QBKMvo+5lexeTMScGCIxtzgQJzElcvIltani+adC5PQ==",
      "dev": true,
      "license": "Apache-2.0",
-      "peer": true,
      "dependencies": {
        "tslib": "^2.8.0"
      }
@@ -667,13 +664,13 @@
      "license": "ISC"
    },
    "node_modules/@unhead/react": {
-      "version": "2.1.2",
-      "resolved": "https://registry.npmjs.org/@unhead/react/-/react-2.1.2.tgz",
-      "integrity": "sha512-VNKa0JJZq5Jp28VuiOMfjAA7CTLHI0SdW/Hs1ZPq2PsNV/cgxGv8quFBGXWx4gfoHB52pejO929RKjIpYX5+iQ==",
+      "version": "2.1.4",
+      "resolved": "https://registry.npmjs.org/@unhead/react/-/react-2.1.4.tgz",
+      "integrity": "sha512-3DzMi5nJkUyLVfQF/q78smCvcSy84TTYgTwXVz5s3AjUcLyHro5Z7bLWriwk1dn5+YRfEsec8aPkLCMi5VjMZg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "unhead": "2.1.2"
+        "unhead": "2.1.4"
      },
      "funding": {
        "url": "https://github.com/sponsors/harlan-zw"
@@ -688,7 +685,6 @@
      "integrity": "sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg==",
      "dev": true,
      "license": "MIT",
-      "peer": true,
      "bin": {
        "acorn": "bin/acorn"
      },
@@ -942,7 +938,8 @@
      "resolved": "https://registry.npmjs.org/csstype/-/csstype-3.2.3.tgz",
      "integrity": "sha512-z1HGKcYy2xA8AGQfwrn0PAy+PB7X/GSj3UVJW9qKyn43xWa+gl5nXmU4qqLMRzWVLFC8KusUX8T/0kCiOYpAIQ==",
      "dev": true,
-      "license": "MIT"
+      "license": "MIT",
+      "peer": true
    },
    "node_modules/debug": {
      "version": "4.4.3",
@@ -2972,7 +2969,6 @@
      "integrity": "sha512-9nfp2hYpCwOjAN+8TZFGhtWEwgvWHXqESH8qT89AT/lWklpLON22Lc8pEtnpsZz7VmawabSU0gCjnj8aC0euHQ==",
      "dev": true,
      "license": "MIT",
-      "peer": true,
      "engines": {
        "node": ">=0.10.0"
      }
@@ -2983,7 +2979,6 @@
      "integrity": "sha512-AXJdLo8kgMbimY95O2aKQqsz2iWi9jMgKJhRBAxECE4IFxfcazB2LmzloIoibJI3C12IlY20+KFaLv+71bUJeQ==",
      "dev": true,
      "license": "MIT",
-      "peer": true,
      "dependencies": {
        "scheduler": "^0.27.0"
      },
@@ -3020,7 +3015,6 @@
      "integrity": "sha512-QgT5//D3jfjJb6Gsjxv0Slpj23ip+HtOpnNgnb2S5zU3CB26G/IDPGoy4RJB42wzFE46DRsstbW6tKHoKbhAxw==",
      "dev": true,
      "license": "MIT",
-      "peer": true,
      "engines": {
        "node": ">=0.10.0"
      }
@@ -3488,7 +3482,6 @@
      "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
      "dev": true,
      "license": "MIT",
-      "peer": true,
      "engines": {
        "node": ">=12"
      },
@@ -3570,9 +3563,9 @@
      }
    },
    "node_modules/unhead": {
-      "version": "2.1.2",
-      "resolved": "https://registry.npmjs.org/unhead/-/unhead-2.1.2.tgz",
-      "integrity": "sha512-vSihrxyb+zsEUfEbraZBCjdE0p/WSoc2NGDrpwwSNAwuPxhYK1nH3eegf02IENLpn1sUhL8IoO84JWmRQ6tILA==",
+      "version": "2.1.4",
+      "resolved": "https://registry.npmjs.org/unhead/-/unhead-2.1.4.tgz",
+      "integrity": "sha512-+5091sJqtNNmgfQ07zJOgUnMIMKzVKAWjeMlSrTdSGPB6JSozhpjUKuMfWEoLxlMAfhIvgOU8Me0XJvmMA/0fA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
--- a/rspress.config.ts
+++ b/rspress.config.ts
@@ -56,6 +56,9 @@ export default defineConfig({
        }, {
            from: '/community$',
            to: '/community/guidelines'
+        }, {
+            from: "^/turn",
+            to: "/calls/turn",
        }
        ]
    })],
--- a/src/admin/room/commands.rs
+++ b/src/admin/room/commands.rs
@@ -4,12 +4,14 @@

 use crate::{PAGE_SIZE, admin_command, get_room_info};

+#[allow(clippy::fn_params_excessive_bools)]
 #[admin_command]
 pub(super) async fn list_rooms(
 	&self,
 	page: Option<usize>,
 	exclude_disabled: bool,
 	exclude_banned: bool,
+	include_empty: bool,
 	no_details: bool,
 ) -> Result {
 	// TODO: i know there's a way to do this with clap, but i can't seem to find it
@@ -28,6 +30,20 @@ pub(super) async fn list_rooms(
 				.then_some(room_id)
 		})
 		.then(|room_id| get_room_info(self.services, room_id))
+		.then(|(room_id, total_members, name)| async move {
+			let local_members: Vec<_> = self
+				.services
+				.rooms
+				.state_cache
+				.active_local_users_in_room(&room_id)
+				.collect()
+				.await;
+			let local_members = local_members.len();
+			(room_id, total_members, local_members, name)
+		})
+		.filter_map(|(room_id, total_members, local_members, name)| async move {
+			(include_empty || local_members > 0).then_some((room_id, total_members, name))
+		})
 		.collect::<Vec<_>>()
 		.await;

--- a/src/admin/room/mod.rs
+++ b/src/admin/room/mod.rs
@@ -30,6 +30,10 @@ pub enum RoomCommand {
 		#[arg(long)]
 		exclude_banned: bool,

+		/// Includes disconnected/empty rooms (rooms with zero members)
+		#[arg(long)]
+		include_empty: bool,
+
 		#[arg(long)]
 		/// Whether to only output room IDs without supplementary room
 		/// information
--- a/src/admin/user/commands.rs
+++ b/src/admin/user/commands.rs
@@ -5,7 +5,7 @@

 use api::client::{full_user_deactivate, join_room_by_id_helper, leave_room, remote_leave_room};
 use conduwuit::{
-	Err, Result, debug, debug_warn, error, info, is_equal_to,
+	Err, Result, debug_warn, error, info,
 	matrix::{Event, pdu::PduBuilder},
 	utils::{self, ReadyExt},
 	warn,
@@ -140,7 +140,6 @@ pub(super) async fn create_user(&self, username: String, password: Option<String
 						self.services.globals.server_name().to_owned(),
 						room_server_name.to_owned(),
 					],
-					None,
 					&None,
 				)
 				.await
@@ -168,27 +167,8 @@ pub(super) async fn create_user(&self, username: String, password: Option<String

 	// we dont add a device since we're not the user, just the creator

-	// if this account creation is from the CLI / --execute, invite the first user
-	// to admin room
-	if let Ok(admin_room) = self.services.admin.get_admin_room().await {
-		if self
-			.services
-			.rooms
-			.state_cache
-			.room_joined_count(&admin_room)
-			.await
-			.is_ok_and(is_equal_to!(1))
-		{
-			self.services
-				.admin
-				.make_user_admin(&user_id)
-				.boxed()
-				.await?;
-			warn!("Granting {user_id} admin privileges as the first user");
-		}
-	} else {
-		debug!("create_user admin command called without an admin room being available");
-	}
+	// Make the first user to register an administrator and disable first-run mode.
+	self.services.firstrun.empower_first_user(&user_id).await?;

 	self.write_str(&format!("Created user with user_id: {user_id} and password: `{password}`"))
 		.await
@@ -549,7 +529,6 @@ pub(super) async fn force_join_list_of_local_users(
 			&room_id,
 			Some(String::from(BULK_JOIN_REASON)),
 			&servers,
-			None,
 			&None,
 		)
 		.await
@@ -635,7 +614,6 @@ pub(super) async fn force_join_all_local_users(
 			&room_id,
 			Some(String::from(BULK_JOIN_REASON)),
 			&servers,
-			None,
 			&None,
 		)
 		.await
@@ -675,8 +653,7 @@ pub(super) async fn force_join_room(
 		self.services.globals.user_is_local(&user_id),
 		"Parsed user_id must be a local user"
 	);
-	join_room_by_id_helper(self.services, &user_id, &room_id, None, &servers, None, &None)
-		.await?;
+	join_room_by_id_helper(self.services, &user_id, &room_id, None, &servers, &None).await?;

 	self.write_str(&format!("{user_id} has been joined to {room_id}.",))
 		.await
--- a/src/api/client/account.rs
+++ b/src/api/client/account.rs
@@ -3,7 +3,7 @@
 use axum::extract::State;
 use axum_client_ip::InsecureClientIp;
 use conduwuit::{
-	Err, Error, Event, Result, debug_info, err, error, info, is_equal_to,
+	Err, Error, Event, Result, debug_info, err, error, info,
 	matrix::pdu::PduBuilder,
 	utils::{self, ReadyExt, stream::BroadbandExt},
 	warn,
@@ -148,7 +148,12 @@ pub(crate) async fn register_route(
 	let is_guest = body.kind == RegistrationKind::Guest;
 	let emergency_mode_enabled = services.config.emergency_password.is_some();

-	if !services.config.allow_registration && body.appservice_info.is_none() {
+	// Allow registration if it's enabled in the config file or if this is the first
+	// run (so the first user account can be created)
+	let allow_registration =
+		services.config.allow_registration || services.firstrun.is_first_run();
+
+	if !allow_registration && body.appservice_info.is_none() {
 		match (body.username.as_ref(), body.initial_device_display_name.as_ref()) {
 			| (Some(username), Some(device_display_name)) => {
 				info!(
@@ -185,17 +190,10 @@ pub(crate) async fn register_route(
 		)));
 	}

-	if is_guest
-		&& (!services.config.allow_guest_registration
-			|| (services.config.allow_registration
-				&& services
-					.registration_tokens
-					.get_config_file_token()
-					.is_some()))
-	{
+	if is_guest && !services.config.allow_guest_registration {
 		info!(
-			"Guest registration disabled / registration enabled with token configured, \
-			 rejecting guest registration attempt, initial device name: \"{}\"",
+			"Guest registration disabled, rejecting guest registration attempt, initial device \
+			 name: \"{}\"",
 			body.initial_device_display_name.as_deref().unwrap_or("")
 		);
 		return Err!(Request(GuestAccessForbidden("Guest registration is disabled.")));
@@ -309,54 +307,63 @@ pub(crate) async fn register_route(
 	let skip_auth = body.appservice_info.is_some() || is_guest;

 	// Populate required UIAA flows
-	if services
-		.registration_tokens
-		.iterate_tokens()
-		.next()
-		.await
-		.is_some()
-	{
-		// Registration token required
+
+	if services.firstrun.is_first_run() {
+		// Registration token forced while in first-run mode
 		uiaainfo.flows.push(AuthFlow {
 			stages: vec![AuthType::RegistrationToken],
 		});
-	}
-	if services.config.recaptcha_private_site_key.is_some() {
-		if let Some(pubkey) = &services.config.recaptcha_site_key {
-			// ReCaptcha required
-			uiaainfo
-				.flows
-				.push(AuthFlow { stages: vec![AuthType::ReCaptcha] });
-			uiaainfo.params = serde_json::value::to_raw_value(&serde_json::json!({
-				"m.login.recaptcha": {
-					"public_key": pubkey,
-				},
-			}))
-			.expect("Failed to serialize recaptcha params");
-		}
-	}
-
-	if uiaainfo.flows.is_empty() && !skip_auth {
-		// Registration isn't _disabled_, but there's no captcha configured and no
-		// registration tokens currently set. Bail out by default unless open
-		// registration was explicitly enabled.
-		if !services
-			.config
-			.yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse
+	} else {
+		if services
+			.registration_tokens
+			.iterate_tokens()
+			.next()
+			.await
+			.is_some()
 		{
-			return Err!(Request(Forbidden(
-				"This server is not accepting registrations at this time."
-			)));
+			// Registration token required
+			uiaainfo.flows.push(AuthFlow {
+				stages: vec![AuthType::RegistrationToken],
+			});
 		}

-		// We have open registration enabled (😧), provide a dummy stage
-		uiaainfo = UiaaInfo {
-			flows: vec![AuthFlow { stages: vec![AuthType::Dummy] }],
-			completed: Vec::new(),
-			params: Box::default(),
-			session: None,
-			auth_error: None,
-		};
+		if services.config.recaptcha_private_site_key.is_some() {
+			if let Some(pubkey) = &services.config.recaptcha_site_key {
+				// ReCaptcha required
+				uiaainfo
+					.flows
+					.push(AuthFlow { stages: vec![AuthType::ReCaptcha] });
+				uiaainfo.params = serde_json::value::to_raw_value(&serde_json::json!({
+					"m.login.recaptcha": {
+						"public_key": pubkey,
+					},
+				}))
+				.expect("Failed to serialize recaptcha params");
+			}
+		}
+
+		if uiaainfo.flows.is_empty() && !skip_auth {
+			// Registration isn't _disabled_, but there's no captcha configured and no
+			// registration tokens currently set. Bail out by default unless open
+			// registration was explicitly enabled.
+			if !services
+				.config
+				.yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse
+			{
+				return Err!(Request(Forbidden(
+					"This server is not accepting registrations at this time."
+				)));
+			}
+
+			// We have open registration enabled (😧), provide a dummy stage
+			uiaainfo = UiaaInfo {
+				flows: vec![AuthFlow { stages: vec![AuthType::Dummy] }],
+				completed: Vec::new(),
+				params: Box::default(),
+				session: None,
+				auth_error: None,
+			};
+		}
 	}

 	if !skip_auth {
@@ -514,39 +521,29 @@ pub(crate) async fn register_route(
 		}
 	}

-	// If this is the first real user, grant them admin privileges except for guest
-	// users
-	// Note: the server user is generated first
 	if !is_guest {
-		if let Ok(admin_room) = services.admin.get_admin_room().await {
-			if services
-				.rooms
-				.state_cache
-				.room_joined_count(&admin_room)
-				.await
-				.is_ok_and(is_equal_to!(1))
-			{
-				services.admin.make_user_admin(&user_id).boxed().await?;
-				warn!("Granting {user_id} admin privileges as the first user");
-			} else if services.config.suspend_on_register {
-				// This is not an admin, suspend them.
-				// Note that we can still do auto joins for suspended users
+		// Make the first user to register an administrator and disable first-run mode.
+		let was_first_user = services.firstrun.empower_first_user(&user_id).await?;
+
+		// If the registering user was not the first and we're suspending users on
+		// register, suspend them.
+		if !was_first_user && services.config.suspend_on_register {
+			// Note that we can still do auto joins for suspended users
+			services
+				.users
+				.suspend_account(&user_id, &services.globals.server_user)
+				.await;
+			// And send an @room notice to the admin room, to prompt admins to review the
+			// new user and ideally unsuspend them if deemed appropriate.
+			if services.server.config.admin_room_notices {
 				services
-					.users
-					.suspend_account(&user_id, &services.globals.server_user)
-					.await;
-				// And send an @room notice to the admin room, to prompt admins to review the
-				// new user and ideally unsuspend them if deemed appropriate.
-				if services.server.config.admin_room_notices {
-					services
-						.admin
-						.send_loud_message(RoomMessageEventContent::text_plain(format!(
-							"User {user_id} has been suspended as they are not the first user \
-							 on this server. Please review and unsuspend them if appropriate."
-						)))
-						.await
-						.ok();
-				}
+					.admin
+					.send_loud_message(RoomMessageEventContent::text_plain(format!(
+						"User {user_id} has been suspended as they are not the first user on \
+						 this server. Please review and unsuspend them if appropriate."
+					)))
+					.await
+					.ok();
 			}
 		}
 	}
@@ -583,7 +580,6 @@ pub(crate) async fn register_route(
 					&room_id,
 					Some("Automatically joining this room upon registration".to_owned()),
 					&[services.globals.server_name().to_owned(), room_server_name.to_owned()],
-					None,
 					&body.appservice_info,
 				)
 				.boxed()
--- a/src/api/client/context.rs
+++ b/src/api/client/context.rs
@@ -16,7 +16,10 @@

 use crate::{
 	Ruma,
-	client::message::{event_filter, ignored_filter, lazy_loading_witness, visibility_filter},
+	client::{
+		is_ignored_pdu,
+		message::{event_filter, ignored_filter, lazy_loading_witness, visibility_filter},
+	},
 };

 const LIMIT_MAX: usize = 100;
@@ -78,6 +81,9 @@ pub(crate) async fn get_context_route(
 		return Err!(Request(NotFound("Event not found.")));
 	}

+	// Return M_SENDER_IGNORED if the sender of base_event is ignored (MSC4406)
+	is_ignored_pdu(&services, &base_pdu, sender_user).await?;
+
 	let base_count = base_id.pdu_count();

 	let base_event = ignored_filter(&services, (base_count, base_pdu), sender_user);
--- a/src/api/client/membership/join.rs
+++ b/src/api/client/membership/join.rs
@@ -3,7 +3,7 @@
 use axum::extract::State;
 use axum_client_ip::InsecureClientIp;
 use conduwuit::{
-	Err, Result, debug, debug_info, debug_warn, err, error, info,
+	Err, Result, debug, debug_info, debug_warn, err, error, info, is_true,
 	matrix::{
 		StateKey,
 		event::{gen_event_id, gen_event_id_canonical_json},
@@ -26,7 +26,7 @@
 	api::{
 		client::{
 			error::ErrorKind,
-			membership::{ThirdPartySigned, join_room_by_id, join_room_by_id_or_alias},
+			membership::{join_room_by_id, join_room_by_id_or_alias},
 		},
 		federation::{self},
 	},
@@ -34,7 +34,7 @@
 	events::{
 		StateEventType,
 		room::{
-			join_rules::{AllowRule, JoinRule},
+			join_rules::JoinRule,
 			member::{MembershipState, RoomMemberEventContent},
 		},
 	},
@@ -48,9 +48,13 @@
 		timeline::pdu_fits,
 	},
 };
+use tokio::join;

 use super::{banned_room_check, validate_remote_member_event_stub};
-use crate::Ruma;
+use crate::{
+	Ruma,
+	server::{select_authorising_user, user_can_perform_restricted_join},
+};

 /// # `POST /_matrix/client/r0/rooms/{roomId}/join`
 ///
@@ -116,7 +120,6 @@ pub(crate) async fn join_room_by_id_route(
 		&body.room_id,
 		body.reason.clone(),
 		&servers,
-		body.third_party_signed.as_ref(),
 		&body.appservice_info,
 	)
 	.boxed()
@@ -248,7 +251,6 @@ pub(crate) async fn join_room_by_id_or_alias_route(
 		&room_id,
 		body.reason.clone(),
 		&servers,
-		body.third_party_signed.as_ref(),
 		appservice_info,
 	)
 	.boxed()
@@ -263,7 +265,6 @@ pub async fn join_room_by_id_helper(
 	room_id: &RoomId,
 	reason: Option<String>,
 	servers: &[OwnedServerName],
-	third_party_signed: Option<&ThirdPartySigned>,
 	appservice_info: &Option<RegistrationInfo>,
 ) -> Result<join_room_by_id::v3::Response> {
 	let state_lock = services.rooms.state.mutex.lock(room_id).await;
@@ -351,17 +352,9 @@ pub async fn join_room_by_id_helper(
 	}

 	if server_in_room {
-		join_room_by_id_helper_local(
-			services,
-			sender_user,
-			room_id,
-			reason,
-			servers,
-			third_party_signed,
-			state_lock,
-		)
-		.boxed()
-		.await?;
+		join_room_by_id_helper_local(services, sender_user, room_id, reason, servers, state_lock)
+			.boxed()
+			.await?;
 	} else {
 		// Ask a remote server if we are not participating in this room
 		join_room_by_id_helper_remote(
@@ -370,7 +363,6 @@ pub async fn join_room_by_id_helper(
 			room_id,
 			reason,
 			servers,
-			third_party_signed,
 			state_lock,
 		)
 		.boxed()
@@ -386,7 +378,6 @@ async fn join_room_by_id_helper_remote(
 	room_id: &RoomId,
 	reason: Option<String>,
 	servers: &[OwnedServerName],
-	_third_party_signed: Option<&ThirdPartySigned>,
 	state_lock: RoomMutexGuard,
 ) -> Result {
 	info!("Joining {room_id} over federation.");
@@ -396,11 +387,10 @@ async fn join_room_by_id_helper_remote(

 	info!("make_join finished");

-	let Some(room_version_id) = make_join_response.room_version else {
-		return Err!(BadServerResponse("Remote room version is not supported by conduwuit"));
-	};
+	let room_version_id = make_join_response.room_version.unwrap_or(RoomVersionId::V1);

 	if !services.server.supported_room_version(&room_version_id) {
+		// How did we get here?
 		return Err!(BadServerResponse(
 			"Remote room version {room_version_id} is not supported by conduwuit"
 		));
@@ -429,10 +419,6 @@ async fn join_room_by_id_helper_remote(
 		}
 	};

-	join_event_stub.insert(
-		"origin".to_owned(),
-		CanonicalJsonValue::String(services.globals.server_name().as_str().to_owned()),
-	);
 	join_event_stub.insert(
 		"origin_server_ts".to_owned(),
 		CanonicalJsonValue::Integer(
@@ -744,87 +730,45 @@ async fn join_room_by_id_helper_local(
 	room_id: &RoomId,
 	reason: Option<String>,
 	servers: &[OwnedServerName],
-	_third_party_signed: Option<&ThirdPartySigned>,
 	state_lock: RoomMutexGuard,
 ) -> Result {
-	debug_info!("We can join locally");
-	let join_rules = services.rooms.state_accessor.get_join_rules(room_id).await;
+	info!("Joining room locally");

-	let mut restricted_join_authorized = None;
-	match join_rules {
-		| JoinRule::Restricted(restricted) | JoinRule::KnockRestricted(restricted) => {
-			for restriction in restricted.allow {
-				match restriction {
-					| AllowRule::RoomMembership(membership) => {
-						if services
-							.rooms
-							.state_cache
-							.is_joined(sender_user, &membership.room_id)
-							.await
-						{
-							restricted_join_authorized = Some(true);
-							break;
-						}
-					},
-					| AllowRule::UnstableSpamChecker => {
-						match services
-							.antispam
-							.meowlnir_accept_make_join(room_id.to_owned(), sender_user.to_owned())
-							.await
-						{
-							| Ok(()) => {
-								restricted_join_authorized = Some(true);
-								break;
-							},
-							| Err(_) =>
-								return Err!(Request(Forbidden(
-									"Antispam rejected join request."
-								))),
-						}
-					},
-					| _ => {},
-				}
+	let (room_version, join_rules, is_invited) = join!(
+		services.rooms.state.get_room_version(room_id),
+		services.rooms.state_accessor.get_join_rules(room_id),
+		services.rooms.state_cache.is_invited(sender_user, room_id)
+	);
+
+	let room_version = room_version?;
+	let mut auth_user: Option<OwnedUserId> = None;
+	if !is_invited && matches!(join_rules, JoinRule::Restricted(_) | JoinRule::KnockRestricted(_))
+	{
+		use RoomVersionId::*;
+		if !matches!(room_version, V1 | V2 | V3 | V4 | V5 | V6 | V7) {
+			// This is a restricted room, check if we can complete the join requirements
+			// locally.
+			let needs_auth_user =
+				user_can_perform_restricted_join(services, sender_user, room_id, &room_version)
+					.await;
+			if needs_auth_user.is_ok_and(is_true!()) {
+				// If there was an error or the value is false, we'll try joining over
+				// federation. Since it's Ok(true), we can authorise this locally.
+				// If we can't select a local user, this will remain None, the join will fail,
+				// and we'll fall back to federation.
+				auth_user = select_authorising_user(services, room_id, sender_user, &state_lock)
+					.await
+					.ok();
 			}
-		},
-		| _ => {},
-	}
-	let join_authorized_via_users_server = if restricted_join_authorized.is_none() {
-		None
-	} else {
-		match restricted_join_authorized.unwrap() {
-			| true => services
-				.rooms
-				.state_cache
-				.local_users_in_room(room_id)
-				.filter(|user| {
-					trace!("Checking if {user} can invite {sender_user} to {room_id}");
-					services.rooms.state_accessor.user_can_invite(
-						room_id,
-						user,
-						sender_user,
-						&state_lock,
-					)
-				})
-				.boxed()
-				.next()
-				.await
-				.map(ToOwned::to_owned),
-			| false => {
-				warn!(
-					"Join authorization failed for restricted join in room {room_id} for user \
-					 {sender_user}"
-				);
-				return Err!(Request(Forbidden("You are not authorized to join this room.")));
-			},
 		}
-	};
+	}

 	let content = RoomMemberEventContent {
 		displayname: services.users.displayname(sender_user).await.ok(),
 		avatar_url: services.users.avatar_url(sender_user).await.ok(),
 		blurhash: services.users.blurhash(sender_user).await.ok(),
 		reason: reason.clone(),
-		join_authorized_via_users_server,
+		join_authorized_via_users_server: auth_user,
 		..RoomMemberEventContent::new(MembershipState::Join)
 	};

@@ -840,6 +784,7 @@ async fn join_room_by_id_helper_local(
 		)
 		.await
 	else {
+		info!("Joined room locally");
 		return Ok(());
 	};

@@ -847,138 +792,13 @@ async fn join_room_by_id_helper_local(
 		return Err(error);
 	}

-	warn!(
+	info!(
 		?error,
-		servers = %servers.len(),
-		"Could not join restricted room locally, attempting remote join",
+		remote_servers = %servers.len(),
+		"Could not join room locally, attempting remote join",
 	);
-	let Ok((make_join_response, remote_server)) =
-		make_join_request(services, sender_user, room_id, servers).await
-	else {
-		return Err(error);
-	};
-
-	let Some(room_version_id) = make_join_response.room_version else {
-		return Err!(BadServerResponse("Remote room version is not supported by conduwuit"));
-	};
-
-	if !services.server.supported_room_version(&room_version_id) {
-		return Err!(BadServerResponse(
-			"Remote room version {room_version_id} is not supported by conduwuit"
-		));
-	}
-
-	let mut join_event_stub: CanonicalJsonObject =
-		serde_json::from_str(make_join_response.event.get()).map_err(|e| {
-			err!(BadServerResponse("Invalid make_join event json received from server: {e:?}"))
-		})?;
-
-	validate_remote_member_event_stub(
-		&MembershipState::Join,
-		sender_user,
-		room_id,
-		&join_event_stub,
-	)?;
-
-	let join_authorized_via_users_server = join_event_stub
-		.get("content")
-		.map(|s| {
-			s.as_object()?
-				.get("join_authorised_via_users_server")?
-				.as_str()
-		})
-		.and_then(|s| OwnedUserId::try_from(s.unwrap_or_default()).ok());
-
-	join_event_stub.insert(
-		"origin".to_owned(),
-		CanonicalJsonValue::String(services.globals.server_name().as_str().to_owned()),
-	);
-	join_event_stub.insert(
-		"origin_server_ts".to_owned(),
-		CanonicalJsonValue::Integer(
-			utils::millis_since_unix_epoch()
-				.try_into()
-				.expect("Timestamp is valid js_int value"),
-		),
-	);
-	join_event_stub.insert(
-		"content".to_owned(),
-		to_canonical_value(RoomMemberEventContent {
-			displayname: services.users.displayname(sender_user).await.ok(),
-			avatar_url: services.users.avatar_url(sender_user).await.ok(),
-			blurhash: services.users.blurhash(sender_user).await.ok(),
-			reason,
-			join_authorized_via_users_server,
-			..RoomMemberEventContent::new(MembershipState::Join)
-		})
-		.expect("event is valid, we just created it"),
-	);
-
-	// We keep the "event_id" in the pdu only in v1 or
-	// v2 rooms
-	match room_version_id {
-		| RoomVersionId::V1 | RoomVersionId::V2 => {},
-		| _ => {
-			join_event_stub.remove("event_id");
-		},
-	}
-
-	// In order to create a compatible ref hash (EventID) the `hashes` field needs
-	// to be present
-	services
-		.server_keys
-		.hash_and_sign_event(&mut join_event_stub, &room_version_id)?;
-
-	// Generate event id
-	let event_id = gen_event_id(&join_event_stub, &room_version_id)?;
-
-	// Add event_id back
-	join_event_stub
-		.insert("event_id".to_owned(), CanonicalJsonValue::String(event_id.clone().into()));
-
-	// It has enough fields to be called a proper event now
-	let join_event = join_event_stub;
-
-	let send_join_response = services
-		.sending
-		.send_synapse_request(
-			&remote_server,
-			federation::membership::create_join_event::v2::Request {
-				room_id: room_id.to_owned(),
-				event_id: event_id.clone(),
-				omit_members: false,
-				pdu: services
-					.sending
-					.convert_to_outgoing_federation_event(join_event.clone())
-					.await,
-			},
-		)
-		.await?;
-
-	if let Some(signed_raw) = send_join_response.room_state.event {
-		let (signed_event_id, signed_value) =
-			gen_event_id_canonical_json(&signed_raw, &room_version_id).map_err(|e| {
-				err!(Request(BadJson(warn!("Could not convert event to canonical JSON: {e}"))))
-			})?;
-
-		if signed_event_id != event_id {
-			return Err!(Request(BadJson(
-				warn!(%signed_event_id, %event_id, "Server {remote_server} sent event with wrong event ID")
-			)));
-		}
-
-		drop(state_lock);
-		services
-			.rooms
-			.event_handler
-			.handle_incoming_pdu(&remote_server, room_id, &signed_event_id, signed_value, true)
-			.boxed()
-			.await?;
-	} else {
-		return Err(error);
-	}
-
-	Ok(())
+	join_room_by_id_helper_remote(services, sender_user, room_id, reason, servers, state_lock)
+		.await
 }

 async fn make_join_request(
@@ -987,17 +807,16 @@ async fn make_join_request(
 	room_id: &RoomId,
 	servers: &[OwnedServerName],
 ) -> Result<(federation::membership::prepare_join_event::v1::Response, OwnedServerName)> {
-	let mut make_join_response_and_server =
-		Err!(BadServerResponse("No server available to assist in joining."));
-
-	let mut make_join_counter: usize = 0;
-	let mut incompatible_room_version_count: usize = 0;
+	let mut make_join_counter: usize = 1;

 	for remote_server in servers {
 		if services.globals.server_is_ours(remote_server) {
 			continue;
 		}
-		info!("Asking {remote_server} for make_join ({make_join_counter})");
+		info!(
+			"Asking {remote_server} for make_join (attempt {make_join_counter}/{})",
+			servers.len()
+		);
 		let make_join_response = services
 			.sending
 			.send_federation_request(
@@ -1025,47 +844,44 @@ async fn make_join_request(
 					warn!("make_join response from {remote_server} failed validation: {e}");
 					continue;
 				}
-				make_join_response_and_server = Ok((response, remote_server.clone()));
-				break;
+				return Ok((response, remote_server.clone()));
 			},
-			| Err(e) => {
-				info!("make_join request to {remote_server} failed: {e}");
-				if matches!(
-					e.kind(),
-					ErrorKind::IncompatibleRoomVersion { .. } | ErrorKind::UnsupportedRoomVersion
-				) {
-					incompatible_room_version_count =
-						incompatible_room_version_count.saturating_add(1);
-				}
-
-				if incompatible_room_version_count > 15 {
+			| Err(e) => match e.kind() {
+				| ErrorKind::UnableToAuthorizeJoin => {
 					info!(
-						"15 servers have responded with M_INCOMPATIBLE_ROOM_VERSION or \
-						 M_UNSUPPORTED_ROOM_VERSION, assuming that conduwuit does not support \
-						 the room version {room_id}: {e}"
+						"{remote_server} was unable to verify the joining user satisfied \
+						 restricted join requirements: {e}. Will continue trying."
 					);
-					make_join_response_and_server =
-						Err!(BadServerResponse("Room version is not supported by Conduwuit"));
-					return make_join_response_and_server;
-				}
-
-				if make_join_counter > 40 {
+				},
+				| ErrorKind::UnableToGrantJoin => {
+					info!(
+						"{remote_server} believes the joining user satisfies restricted join \
+						 rules, but is unable to authorise a join for us. Will continue trying."
+					);
+				},
+				| ErrorKind::IncompatibleRoomVersion { room_version } => {
 					warn!(
-						"40 servers failed to provide valid make_join response, assuming no \
-						 server can assist in joining."
+						"{remote_server} reports the room we are trying to join is \
+						 v{room_version}, which we do not support."
 					);
-					make_join_response_and_server =
-						Err!(BadServerResponse("No server available to assist in joining."));
-
-					return make_join_response_and_server;
-				}
+					return Err(e);
+				},
+				| ErrorKind::Forbidden { .. } => {
+					warn!("{remote_server} refuses to let us join: {e}.");
+					return Err(e);
+				},
+				| ErrorKind::NotFound => {
+					info!(
+						"{remote_server} does not know about {room_id}: {e}. Will continue \
+						 trying."
+					);
+				},
+				| _ => {
+					info!("{remote_server} failed to make_join: {e}. Will continue trying.");
+				},
 			},
 		}
-
-		if make_join_response_and_server.is_ok() {
-			break;
-		}
 	}
-
-	make_join_response_and_server
+	info!("All {} servers were unable to assist in joining {room_id} :(", servers.len());
+	Err!(BadServerResponse("No server available to assist in joining."))
 }
--- a/src/api/client/membership/knock.rs
+++ b/src/api/client/membership/knock.rs
@@ -253,7 +253,6 @@ async fn knock_room_by_id_helper(
 				room_id,
 				reason.clone(),
 				servers,
-				None,
 				&None,
 			)
 			.await
--- a/src/api/client/message.rs
+++ b/src/api/client/message.rs
@@ -1,7 +1,7 @@
 use axum::extract::State;
 use axum_client_ip::InsecureClientIp;
 use conduwuit::{
-	Err, Result, at, debug_warn,
+	Err, Error, Result, at, debug_warn,
 	matrix::{
 		event::{Event, Matches},
 		pdu::PduCount,
@@ -26,7 +26,7 @@
 	DeviceId, RoomId, UserId,
 	api::{
 		Direction,
-		client::{filter::RoomEventFilter, message::get_message_events},
+		client::{error::ErrorKind, filter::RoomEventFilter, message::get_message_events},
 	},
 	events::{
 		AnyStateEvent, StateEventType,
@@ -279,23 +279,30 @@ pub(crate) async fn ignored_filter(

 	is_ignored_pdu(services, pdu, user_id)
 		.await
+		.unwrap_or(true)
 		.eq(&false)
 		.then_some(item)
 }

+/// Determine whether a PDU should be ignored for a given recipient user.
+/// Returns True if this PDU should be ignored, returns False otherwise.
+///
+/// The error SenderIgnored is returned if the sender or the sender's server is
+/// ignored by the relevant user. If the error cannot be returned to the user,
+/// it should equate to a true value (i.e. ignored).
 #[inline]
 pub(crate) async fn is_ignored_pdu<Pdu>(
 	services: &Services,
 	event: &Pdu,
 	recipient_user: &UserId,
-) -> bool
+) -> Result<bool>
 where
 	Pdu: Event + Send + Sync,
 {
 	// exclude Synapse's dummy events from bloating up response bodies. clients
 	// don't need to see this.
 	if event.kind().to_cow_str() == "org.matrix.dummy_event" {
-		return true;
+		return Ok(true);
 	}

 	let sender_user = event.sender();
@@ -310,21 +317,27 @@ pub(crate) async fn is_ignored_pdu<Pdu>(

 	if !type_ignored {
 		// We cannot safely ignore this type
-		return false;
+		return Ok(false);
 	}

 	if server_ignored {
 		// the sender's server is ignored, so ignore this event
-		return true;
+		return Err(Error::BadRequest(
+			ErrorKind::SenderIgnored { sender: None },
+			"The sender's server is ignored by this server.",
+		));
 	}

 	if user_ignored && !services.config.send_messages_from_ignored_users_to_client {
 		// the recipient of this PDU has the sender ignored, and we're not
 		// configured to send ignored messages to clients
-		return true;
+		return Err(Error::BadRequest(
+			ErrorKind::SenderIgnored { sender: Some(event.sender().to_owned()) },
+			"You have ignored this sender.",
+		));
 	}

-	false
+	Ok(false)
 }

 #[inline]
--- a/src/api/client/relations.rs
+++ b/src/api/client/relations.rs
@@ -1,6 +1,6 @@
 use axum::extract::State;
 use conduwuit::{
-	Err, Result, at, debug_warn,
+	Err, Result, at, debug_warn, err,
 	matrix::{Event, event::RelationTypeEqual, pdu::PduCount},
 	utils::{IterStream, ReadyExt, result::FlatOk, stream::WidebandExt},
 };
@@ -18,7 +18,7 @@
 	events::{TimelineEventType, relation::RelationType},
 };

-use crate::Ruma;
+use crate::{Ruma, client::is_ignored_pdu};

 /// # `GET /_matrix/client/r0/rooms/{roomId}/relations/{eventId}/{relType}/{eventType}`
 pub(crate) async fn get_relating_events_with_rel_type_and_event_type_route(
@@ -118,6 +118,14 @@ async fn paginate_relations_with_filter(
 		debug_warn!(req_evt = %target, %room_id, "Event relations requested by {sender_user} but is not allowed to see it, returning 404");
 		return Err!(Request(NotFound("Event not found.")));
 	}
+	let target_pdu = services
+		.rooms
+		.timeline
+		.get_pdu(target)
+		.await
+		.map_err(|_| err!(Request(NotFound("Event not found."))))?;
+	// Return M_SENDER_IGNORED if the sender of base_event is ignored (MSC4406)
+	is_ignored_pdu(services, &target_pdu, sender_user).await?;

 	let start: PduCount = from
 		.map(str::parse)
@@ -159,6 +167,7 @@ async fn paginate_relations_with_filter(
 		.ready_take_while(|(count, _)| Some(*count) != to)
 		.take(limit)
 		.wide_filter_map(|item| visibility_filter(services, sender_user, item))
+		.wide_filter_map(|item| ignored_filter(services, item, sender_user))
 		.then(async |mut pdu| {
 			if let Err(e) = services
 				.rooms
@@ -214,3 +223,17 @@ async fn visibility_filter<Pdu: Event + Send + Sync>(
 		.await
 		.then_some(item)
 }
+
+async fn ignored_filter<Pdu: Event + Send + Sync>(
+	services: &Services,
+	item: (PduCount, Pdu),
+	sender_user: &UserId,
+) -> Option<(PduCount, Pdu)> {
+	let (_, pdu) = &item;
+
+	if is_ignored_pdu(services, pdu, sender_user).await.ok()? {
+		None
+	} else {
+		Some(item)
+	}
+}
--- a/src/api/client/room/event.rs
+++ b/src/api/client/room/event.rs
@@ -29,7 +29,7 @@ pub(crate) async fn get_room_event_route(

 	let (mut event, visible) = try_join(event, visible).await?;

-	if !visible || is_ignored_pdu(services, &event, body.sender_user()).await {
+	if !visible || is_ignored_pdu(services, &event, body.sender_user()).await? {
 		return Err!(Request(Forbidden("You don't have permission to view this event.")));
 	}

--- a/src/api/client/session.rs
+++ b/src/api/client/session.rs
@@ -107,7 +107,7 @@ pub(super) async fn ldap_login(
 ) -> Result<OwnedUserId> {
 	let (user_dn, is_ldap_admin) = match services.config.ldap.bind_dn.as_ref() {
 		| Some(bind_dn) if bind_dn.contains("{username}") =>
-			(bind_dn.replace("{username}", lowercased_user_id.localpart()), false),
+			(bind_dn.replace("{username}", lowercased_user_id.localpart()), None),
 		| _ => {
 			debug!("Searching user in LDAP");

@@ -144,12 +144,16 @@ pub(super) async fn ldap_login(
 			.await?;
 	}

-	let is_conduwuit_admin = services.admin.user_is_admin(lowercased_user_id).await;
+	// Only sync admin status if LDAP can actually determine it.
+	// None means LDAP cannot determine admin status (manual config required).
+	if let Some(is_ldap_admin) = is_ldap_admin {
+		let is_conduwuit_admin = services.admin.user_is_admin(lowercased_user_id).await;

-	if is_ldap_admin && !is_conduwuit_admin {
-		Box::pin(services.admin.make_user_admin(lowercased_user_id)).await?;
-	} else if !is_ldap_admin && is_conduwuit_admin {
-		Box::pin(services.admin.revoke_admin(lowercased_user_id)).await?;
+		if is_ldap_admin && !is_conduwuit_admin {
+			Box::pin(services.admin.make_user_admin(lowercased_user_id)).await?;
+		} else if !is_ldap_admin && is_conduwuit_admin {
+			Box::pin(services.admin.revoke_admin(lowercased_user_id)).await?;
+		}
 	}

 	Ok(user_id)
--- a/src/api/client/sync/v5.rs
+++ b/src/api/client/sync/v5.rs
@@ -30,7 +30,8 @@
 	api::client::sync::sync_events::{self, DeviceLists, UnreadNotificationsCount},
 	directory::RoomTypeFilter,
 	events::{
-		AnyRawAccountDataEvent, AnySyncEphemeralRoomEvent, StateEventType, TimelineEventType,
+		AnyRawAccountDataEvent, AnySyncEphemeralRoomEvent, AnySyncStateEvent, StateEventType,
+		TimelineEventType,
 		room::member::{MembershipState, RoomMemberEventContent},
 		typing::TypingEventContent,
 	},
@@ -533,6 +534,9 @@ async fn process_rooms<'a, Rooms>(
 				}
 			});

+		let required_state =
+			collect_required_state(services, room_id, required_state_request).await;
+
 		let room_events: Vec<_> = timeline_pdus
 			.iter()
 			.stream()
@@ -551,21 +555,6 @@ async fn process_rooms<'a, Rooms>(
 			}
 		}

-		let required_state = required_state_request
-			.iter()
-			.stream()
-			.filter_map(|state| async move {
-				services
-					.rooms
-					.state_accessor
-					.room_state_get(room_id, &state.0, &state.1)
-					.await
-					.map(Event::into_format)
-					.ok()
-			})
-			.collect()
-			.await;
-
 		// Heroes
 		let heroes: Vec<_> = services
 			.rooms
@@ -689,6 +678,51 @@ async fn process_rooms<'a, Rooms>(
 	Ok(rooms)
 }

+/// Collect the required state events for a room
+async fn collect_required_state(
+	services: &Services,
+	room_id: &RoomId,
+	required_state_request: &BTreeSet<TypeStateKey>,
+) -> Vec<Raw<AnySyncStateEvent>> {
+	let mut required_state = Vec::new();
+	let mut wildcard_types: HashSet<&StateEventType> = HashSet::new();
+
+	for (event_type, state_key) in required_state_request {
+		if wildcard_types.contains(event_type) {
+			continue;
+		}
+
+		if state_key.as_str() == "*" {
+			wildcard_types.insert(event_type);
+			if let Ok(keys) = services
+				.rooms
+				.state_accessor
+				.room_state_keys(room_id, event_type)
+				.await
+			{
+				for key in keys {
+					if let Ok(event) = services
+						.rooms
+						.state_accessor
+						.room_state_get(room_id, event_type, &key)
+						.await
+					{
+						required_state.push(Event::into_format(event));
+					}
+				}
+			}
+		} else if let Ok(event) = services
+			.rooms
+			.state_accessor
+			.room_state_get(room_id, event_type, state_key)
+			.await
+		{
+			required_state.push(Event::into_format(event));
+		}
+	}
+	required_state
+}
+
 async fn collect_typing_events(
 	services: &Services,
 	sender_user: &UserId,
--- a/src/api/client/well_known.rs
+++ b/src/api/client/well_known.rs
@@ -27,6 +27,7 @@ pub(crate) async fn well_known_client(
 		identity_server: None,
 		sliding_sync_proxy: Some(SlidingSyncProxyInfo { url: client_url }),
 		tile_server: None,
+		rtc_foci: services.config.well_known.rtc_focus_server_urls.clone(),
 	})
 }

--- a/src/api/server/get_missing_events.rs
+++ b/src/api/server/get_missing_events.rs
@@ -1,6 +1,9 @@
+use std::collections::{HashSet, VecDeque};
+
 use axum::extract::State;
-use conduwuit::{Err, Result, debug, debug_error, info, utils::to_canonical_object};
-use ruma::api::federation::event::get_missing_events;
+use conduwuit::{Err, Event, Result, debug, info, trace, utils::to_canonical_object, warn};
+use ruma::{OwnedEventId, api::federation::event::get_missing_events};
+use serde_json::{json, value::RawValue};

 use super::AccessCheck;
 use crate::Ruma;
@@ -45,59 +48,76 @@ pub(crate) async fn get_missing_events_route(
 		.unwrap_or(LIMIT_DEFAULT)
 		.min(LIMIT_MAX);

-	let mut queued_events = body.latest_events.clone();
-	// the vec will never have more entries the limit
-	let mut events = Vec::with_capacity(limit);
+	let room_version = services.rooms.state.get_room_version(&body.room_id).await?;

-	let mut i: usize = 0;
-	while i < queued_events.len() && events.len() < limit {
-		let Ok(pdu) = services.rooms.timeline.get_pdu(&queued_events[i]).await else {
-			debug!(
-				body.origin = body.origin.as_ref().map(tracing::field::display),
-				"Event {} does not exist locally, skipping", &queued_events[i]
-			);
-			i = i.saturating_add(1);
+	let mut queue: VecDeque<OwnedEventId> = VecDeque::from(body.latest_events.clone());
+	let mut results: Vec<Box<RawValue>> = Vec::with_capacity(limit);
+	let mut seen: HashSet<OwnedEventId> = HashSet::from_iter(body.earliest_events.clone());
+
+	while let Some(next_event_id) = queue.pop_front() {
+		if seen.contains(&next_event_id) {
+			trace!(%next_event_id, "already seen event, skipping");
 			continue;
+		}
+
+		if results.len() >= limit {
+			debug!(%next_event_id, "reached limit of events to return, breaking");
+			break;
+		}
+
+		let mut pdu = match services.rooms.timeline.get_pdu(&next_event_id).await {
+			| Ok(pdu) => pdu,
+			| Err(e) => {
+				warn!("could not find event {next_event_id} while walking missing events: {e}");
+				continue;
+			},
 		};
-
-		if body.earliest_events.contains(&queued_events[i]) {
-			i = i.saturating_add(1);
-			continue;
+		if pdu.room_id_or_hash() != body.room_id {
+			return Err!(Request(Unknown(
+				"Event {next_event_id} is not in room {}",
+				body.room_id
+			)));
 		}

 		if !services
 			.rooms
 			.state_accessor
-			.server_can_see_event(body.origin(), &body.room_id, &queued_events[i])
+			.server_can_see_event(body.origin(), &body.room_id, pdu.event_id())
 			.await
 		{
-			debug!(
-				body.origin = body.origin.as_ref().map(tracing::field::display),
-				"Server cannot see {:?} in {:?}, skipping", pdu.event_id, pdu.room_id
-			);
-			i = i.saturating_add(1);
-			continue;
+			debug!(%next_event_id, origin = %body.origin(), "redacting event origin cannot see");
+			pdu.redact(&room_version, json!({}))?;
 		}

-		i = i.saturating_add(1);
-		let Ok(event) = to_canonical_object(&pdu) else {
-			debug_error!(
-				body.origin = body.origin.as_ref().map(tracing::field::display),
-				"Failed to convert PDU in database to canonical JSON: {pdu:?}"
-			);
-			continue;
-		};
-
-		let prev_events = pdu.prev_events.iter().map(ToOwned::to_owned);
-
-		let event = services
-			.sending
-			.convert_to_outgoing_federation_event(event)
-			.await;
-
-		queued_events.extend(prev_events);
-		events.push(event);
+		trace!(
+			%next_event_id,
+			prev_events = ?pdu.prev_events().collect::<Vec<_>>(),
+			"adding event to results and queueing prev events"
+		);
+		queue.extend(pdu.prev_events.clone());
+		seen.insert(next_event_id.clone());
+		if body.latest_events.contains(&next_event_id) {
+			continue; // Don't include latest_events in results,
+			// but do include their prev_events in the queue
+		}
+		results.push(
+			services
+				.sending
+				.convert_to_outgoing_federation_event(to_canonical_object(pdu)?)
+				.await,
+		);
+		trace!(
+			%next_event_id,
+			queue_len = queue.len(),
+			seen_len = seen.len(),
+			results_len = results.len(),
+			"event added to results"
+		);
 	}

-	Ok(get_missing_events::v1::Response { events })
+	if !queue.is_empty() {
+		debug!("limit reached before queue was empty");
+	}
+	results.reverse(); // return oldest first
+	Ok(get_missing_events::v1::Response { events: results })
 }
--- a/src/api/server/invite.rs
+++ b/src/api/server/invite.rs
@@ -2,7 +2,7 @@
 use axum_client_ip::InsecureClientIp;
 use base64::{Engine as _, engine::general_purpose};
 use conduwuit::{
-	Err, Error, PduEvent, Result, err,
+	Err, Error, PduEvent, Result, err, error,
 	matrix::{Event, event::gen_event_id},
 	utils::{self, hash::sha256},
 	warn,
@@ -199,20 +199,27 @@ pub(crate) async fn create_invite_route(

 		for appservice in services.appservice.read().await.values() {
 			if appservice.is_user_match(&recipient_user) {
+				let request = ruma::api::appservice::event::push_events::v1::Request {
+					events: vec![pdu.to_format()],
+					txn_id: general_purpose::URL_SAFE_NO_PAD
+						.encode(sha256::hash(pdu.event_id.as_bytes()))
+						.into(),
+					ephemeral: Vec::new(),
+					to_device: Vec::new(),
+				};
 				services
 					.sending
-					.send_appservice_request(
-						appservice.registration.clone(),
-						ruma::api::appservice::event::push_events::v1::Request {
-							events: vec![pdu.to_format()],
-							txn_id: general_purpose::URL_SAFE_NO_PAD
-								.encode(sha256::hash(pdu.event_id.as_bytes()))
-								.into(),
-							ephemeral: Vec::new(),
-							to_device: Vec::new(),
-						},
-					)
-					.await?;
+					.send_appservice_request(appservice.registration.clone(), request)
+					.await
+					.map_err(|e| {
+						error!(
+							"failed to notify appservice {} about incoming invite: {e}",
+							appservice.registration.id
+						);
+						err!(BadServerResponse(
+							"Failed to notify appservice about incoming invite."
+						))
+					})?;
 			}
 		}
 	}
--- a/src/api/server/make_join.rs
+++ b/src/api/server/make_join.rs
@@ -16,6 +16,8 @@
 	},
 };
 use serde_json::value::to_raw_value;
+use service::rooms::state::RoomMutexGuard;
+use tokio::join;

 use crate::Ruma;

@@ -85,16 +87,24 @@ pub(crate) async fn create_join_event_template_route(
 	}

 	let state_lock = services.rooms.state.mutex.lock(&body.room_id).await;
-	let is_invited = services
-		.rooms
-		.state_cache
-		.is_invited(&body.user_id, &body.room_id)
-		.await;
+	let (is_invited, is_joined) = join!(
+		services
+			.rooms
+			.state_cache
+			.is_invited(&body.user_id, &body.room_id),
+		services
+			.rooms
+			.state_cache
+			.is_joined(&body.user_id, &body.room_id)
+	);
 	let join_authorized_via_users_server: Option<OwnedUserId> = {
 		use RoomVersionId::*;
-		if matches!(room_version_id, V1 | V2 | V3 | V4 | V5 | V6 | V7) || is_invited {
-			// room version does not support restricted join rules, or the user is currently
-			// already invited
+		if is_joined || is_invited {
+			// User is already joined or invited and consequently does not need an
+			// authorising user
+			None
+		} else if matches!(room_version_id, V1 | V2 | V3 | V4 | V5 | V6 | V7) {
+			// room version does not support restricted join rules
 			None
 		} else if user_can_perform_restricted_join(
 			&services,
@@ -104,32 +114,10 @@ pub(crate) async fn create_join_event_template_route(
 		)
 		.await?
 		{
-			let Some(auth_user) = services
-				.rooms
-				.state_cache
-				.local_users_in_room(&body.room_id)
-				.filter(|user| {
-					services.rooms.state_accessor.user_can_invite(
-						&body.room_id,
-						user,
-						&body.user_id,
-						&state_lock,
-					)
-				})
-				.boxed()
-				.next()
-				.await
-				.map(ToOwned::to_owned)
-			else {
-				info!(
-					"No local user is able to authorize the join of {} into {}",
-					&body.user_id, &body.room_id
-				);
-				return Err!(Request(UnableToGrantJoin(
-					"No user on this server is able to assist in joining."
-				)));
-			};
-			Some(auth_user)
+			Some(
+				select_authorising_user(&services, &body.room_id, &body.user_id, &state_lock)
+					.await?,
+			)
 		} else {
 			None
 		}
@@ -159,9 +147,7 @@ pub(crate) async fn create_join_event_template_route(
 		)
 		.await?;
 	drop(state_lock);
-
-	// room v3 and above removed the "event_id" field from remote PDU format
-	maybe_strip_event_id(&mut pdu_json, &room_version_id)?;
+	pdu_json.remove("event_id");

 	Ok(prepare_join_event::v1::Response {
 		room_version: Some(room_version_id),
@@ -169,6 +155,38 @@ pub(crate) async fn create_join_event_template_route(
 	})
 }

+/// Attempts to find a user who is able to issue an invite in the target room.
+pub(crate) async fn select_authorising_user(
+	services: &Services,
+	room_id: &RoomId,
+	user_id: &UserId,
+	state_lock: &RoomMutexGuard,
+) -> Result<OwnedUserId> {
+	let auth_user = services
+		.rooms
+		.state_cache
+		.local_users_in_room(room_id)
+		.filter(|user| {
+			services
+				.rooms
+				.state_accessor
+				.user_can_invite(room_id, user, user_id, state_lock)
+		})
+		.boxed()
+		.next()
+		.await
+		.map(ToOwned::to_owned);
+
+	match auth_user {
+		| Some(auth_user) => Ok(auth_user),
+		| None => {
+			Err!(Request(UnableToGrantJoin(
+				"No user on this server is able to assist in joining."
+			)))
+		},
+	}
+}
+
 /// Checks whether the given user can join the given room via a restricted join.
 pub(crate) async fn user_can_perform_restricted_join(
 	services: &Services,
@@ -180,12 +198,9 @@ pub(crate) async fn user_can_perform_restricted_join(

 	// restricted rooms are not supported on <=v7
 	if matches!(room_version_id, V1 | V2 | V3 | V4 | V5 | V6 | V7) {
-		return Ok(false);
-	}
-
-	if services.rooms.state_cache.is_joined(user_id, room_id).await {
-		// joining user is already joined, there is nothing we need to do
-		return Ok(false);
+		// This should be impossible as it was checked earlier on, but retain this check
+		// for safety.
+		unreachable!("user_can_perform_restricted_join got incompatible room version");
 	}

 	let Ok(join_rules_event_content) = services
@@ -205,17 +220,31 @@ pub(crate) async fn user_can_perform_restricted_join(
 	let (JoinRule::Restricted(r) | JoinRule::KnockRestricted(r)) =
 		join_rules_event_content.join_rule
 	else {
+		// This is not a restricted room
 		return Ok(false);
 	};

 	if r.allow.is_empty() {
-		debug_info!("{room_id} is restricted but the allow key is empty");
-		return Ok(false);
+		// This will never be authorisable, return forbidden.
+		return Err!(Request(Forbidden("You are not invited to this room.")));
 	}

+	let mut could_satisfy = true;
 	for allow_rule in &r.allow {
 		match allow_rule {
 			| AllowRule::RoomMembership(membership) => {
+				if !services
+					.rooms
+					.state_cache
+					.server_in_room(services.globals.server_name(), &membership.room_id)
+					.await
+				{
+					// Since we can't check this room, mark could_satisfy as false
+					// so that we can return M_UNABLE_TO_AUTHORIZE_JOIN later.
+					could_satisfy = false;
+					continue;
+				}
+
 				if services
 					.rooms
 					.state_cache
@@ -239,6 +268,8 @@ pub(crate) async fn user_can_perform_restricted_join(
 					| Err(_) => Err!(Request(Forbidden("Antispam rejected join request."))),
 				},
 			| _ => {
+				// We don't recognise this join rule, so we cannot satisfy the request.
+				could_satisfy = false;
 				debug_info!(
 					"Unsupported allow rule in restricted join for room {}: {:?}",
 					room_id,
@@ -248,9 +279,23 @@ pub(crate) async fn user_can_perform_restricted_join(
 		}
 	}

-	Err!(Request(UnableToAuthorizeJoin(
-		"Joining user is not known to be in any required room."
-	)))
+	if could_satisfy {
+		// We were able to check all the restrictions and can be certain that the
+		// prospective member is not permitted to join.
+		Err!(Request(Forbidden(
+			"You do not belong to any of the rooms or spaces required to join this room."
+		)))
+	} else {
+		// We were unable to check all the restrictions. This usually means we aren't in
+		// one of the rooms this one is restricted to, ergo can't check its state for
+		// the user's membership, and consequently the user *might* be able to join if
+		// they ask another server.
+		Err!(Request(UnableToAuthorizeJoin(
+			"You do not belong to any of the recognised rooms or spaces required to join this \
+			 room, but this server is unable to verify every requirement. You may be able to \
+			 join via another server."
+		)))
+	}
 }

 pub(crate) fn maybe_strip_event_id(
--- a/src/core/config/mod.rs
+++ b/src/core/config/mod.rs
@@ -19,7 +19,7 @@
 use regex::RegexSet;
 use ruma::{
 	OwnedRoomId, OwnedRoomOrAliasId, OwnedServerName, OwnedUserId, RoomVersionId,
-	api::client::discovery::discover_support::ContactRole,
+	api::client::discovery::{discover_homeserver::RtcFocusInfo, discover_support::ContactRole},
 };
 use serde::{Deserialize, de::IgnoredAny};
 use url::Url;
@@ -559,7 +559,7 @@ pub struct Config {
 	///
 	/// If you would like registration only via token reg, please configure
 	/// `registration_token`.
-	#[serde(default)]
+	#[serde(default = "true_fn")]
 	pub allow_registration: bool,

 	/// If registration is enabled, and this setting is true, new users
@@ -1696,6 +1696,11 @@ pub struct Config {
 	#[serde(default)]
 	pub url_preview_check_root_domain: bool,

+	/// User agent that is used specifically when fetching url previews.
+	///
+	/// default: "continuwuity/<version> (bot; +https://continuwuity.org)"
+	pub url_preview_user_agent: Option<String>,
+
 	/// List of forbidden room aliases and room IDs as strings of regex
 	/// patterns.
 	///
@@ -2111,6 +2116,19 @@ pub struct WellKnownConfig {
 	/// If no email or mxid is specified, all of the server's admins will be
 	/// listed.
 	pub support_mxid: Option<OwnedUserId>,
+
+	/// A list of MatrixRTC foci URLs which will be served as part of the
+	/// MSC4143 client endpoint at /.well-known/matrix/client.  If you're
+	/// setting up livekit, you'd want something like:
+	/// rtc_focus_server_urls = [
+	///     { type = "livekit", livekit_service_url = "https://livekit.example.com" },
+	/// ]
+	///
+	/// To disable, set this to be an empty vector (`[]`).
+	///
+	/// default: []
+	#[serde(default = "default_rtc_focus_urls")]
+	pub rtc_focus_server_urls: Vec<RtcFocusInfo>,
 }

 #[derive(Clone, Copy, Debug, Deserialize, Default)]
@@ -2608,6 +2626,9 @@ fn default_rocksdb_stats_level() -> u8 { 1 }
 #[inline]
 pub fn default_default_room_version() -> RoomVersionId { RoomVersionId::V11 }

+#[must_use]
+pub fn default_rtc_focus_urls() -> Vec<RtcFocusInfo> { vec![] }
+
 fn default_ip_range_denylist() -> Vec<String> {
 	vec![
 		"127.0.0.0/8".to_owned(),
--- a/src/core/error/response.rs
+++ b/src/core/error/response.rs
@@ -85,7 +85,8 @@ pub(super) fn bad_request_code(kind: &ErrorKind) -> StatusCode {
 		| Unrecognized => StatusCode::METHOD_NOT_ALLOWED,

 		// 404
-		| NotFound | NotImplemented | FeatureDisabled => StatusCode::NOT_FOUND,
+		| NotFound | NotImplemented | FeatureDisabled | SenderIgnored { .. } =>
+			StatusCode::NOT_FOUND,

 		// 403
 		| GuestAccessForbidden
--- a/src/core/info/version.rs
+++ b/src/core/info/version.rs
@@ -8,9 +8,11 @@
 use std::sync::OnceLock;

 static BRANDING: &str = "continuwuity";
+static WEBSITE: &str = "https://continuwuity.org";
 static SEMANTIC: &str = env!("CARGO_PKG_VERSION");

 static VERSION: OnceLock<String> = OnceLock::new();
+static VERSION_UA: OnceLock<String> = OnceLock::new();
 static USER_AGENT: OnceLock<String> = OnceLock::new();

 #[inline]
@@ -19,11 +21,18 @@ pub fn name() -> &'static str { BRANDING }

 #[inline]
 pub fn version() -> &'static str { VERSION.get_or_init(init_version) }
+#[inline]
+pub fn version_ua() -> &'static str { VERSION_UA.get_or_init(init_version_ua) }

 #[inline]
 pub fn user_agent() -> &'static str { USER_AGENT.get_or_init(init_user_agent) }

-fn init_user_agent() -> String { format!("{}/{}", name(), version()) }
+fn init_user_agent() -> String { format!("{}/{} (bot; +{WEBSITE})", name(), version_ua()) }
+
+fn init_version_ua() -> String {
+	conduwuit_build_metadata::version_tag()
+		.map_or_else(|| SEMANTIC.to_owned(), |extra| format!("{SEMANTIC}+{extra}"))
+}

 fn init_version() -> String {
 	conduwuit_build_metadata::version_tag()
--- a/src/main/Cargo.toml
+++ b/src/main/Cargo.toml
@@ -230,6 +230,7 @@ tracing-opentelemetry.workspace = true
 tracing-subscriber.workspace = true
 tracing.workspace = true
 tracing-journald = { workspace = true, optional = true }
+parking_lot.workspace = true


 [target.'cfg(all(not(target_env = "msvc"), target_os = "linux"))'.dependencies]
--- a/src/main/deadlock.rs
+++ b/src/main/deadlock.rs
@@ -0,0 +1,36 @@
+use std::{thread, time::Duration};
+
+/// Runs a loop that checks for deadlocks every 10 seconds.
+///
+/// Note that this requires the `deadlock_detection` parking_lot feature to be
+/// enabled.
+pub(crate) fn deadlock_detection_thread() {
+	loop {
+		thread::sleep(Duration::from_secs(10));
+		let deadlocks = parking_lot::deadlock::check_deadlock();
+		if deadlocks.is_empty() {
+			continue;
+		}
+
+		eprintln!("{} deadlocks detected", deadlocks.len());
+		for (i, threads) in deadlocks.iter().enumerate() {
+			eprintln!("Deadlock #{i}");
+			for t in threads {
+				eprintln!("Thread Id {:#?}", t.thread_id());
+				eprintln!("{:#?}", t.backtrace());
+			}
+		}
+	}
+}
+
+/// Spawns the deadlock detection thread.
+///
+/// This thread will run in the background and check for deadlocks every 10
+/// seconds. When a deadlock is detected, it will print detailed information to
+/// stderr.
+pub(crate) fn spawn() {
+	thread::Builder::new()
+		.name("deadlock_detector".to_owned())
+		.spawn(deadlock_detection_thread)
+		.expect("failed to spawn deadlock detection thread");
+}
--- a/src/main/mod.rs
+++ b/src/main/mod.rs
@@ -5,6 +5,7 @@
 use conduwuit_core::{debug_info, error};

 mod clap;
+mod deadlock;
 mod logging;
 mod mods;
 mod panic;
@@ -27,6 +28,9 @@ pub fn run() -> Result<()> {
 }

 pub fn run_with_args(args: &Args) -> Result<()> {
+	// Spawn deadlock detection thread
+	deadlock::spawn();
+
 	let runtime = runtime::new(args)?;
 	let server = Server::new(args, Some(runtime.handle()))?;

--- a/src/router/run.rs
+++ b/src/router/run.rs
@@ -39,7 +39,15 @@ pub(crate) async fn run(services: Arc<Services>) -> Result<()> {
 			.runtime()
 			.spawn(serve::serve(services.clone(), handle.clone(), tx.subscribe()));

-	// Focal point
+	// Run startup admin commands.
+	// This has to be done after the admin service is initialized otherwise it
+	// panics.
+	services.admin.startup_execute().await?;
+
+	// Print first-run banner if necessary. This needs to be done after the startup
+	// admin commands are run in case one of them created the first user.
+	services.firstrun.print_first_run_banner();
+
 	debug!("Running");
 	let res = tokio::select! {
 		res = &mut listener => res.map_err(Error::from).unwrap_or_else(Err),
--- a/src/service/Cargo.toml
+++ b/src/service/Cargo.toml
@@ -79,6 +79,7 @@ zstd_compression = [
 ]

 [dependencies]
+askama.workspace = true
 async-trait.workspace = true
 base64.workspace = true
 bytes.workspace = true
@@ -118,6 +119,7 @@ webpage.optional = true
 blurhash.workspace = true
 blurhash.optional = true
 recaptcha-verify = { version = "0.1.5", default-features = false }
+yansi.workspace = true

 [target.'cfg(all(unix, target_os = "linux"))'.dependencies]
 sd-notify.workspace = true
--- a/src/service/admin/execute.rs
+++ b/src/service/admin/execute.rs
@@ -26,7 +26,7 @@ pub(super) async fn console_auto_stop(&self) {

 /// Execute admin commands after startup
 #[implement(super::Service)]
-pub(super) async fn startup_execute(&self) -> Result {
+pub async fn startup_execute(&self) -> Result {
 	// List of commands to execute
 	let commands = &self.services.server.config.admin_execute;

--- a/src/service/admin/grant.rs
+++ b/src/service/admin/grant.rs
@@ -9,7 +9,6 @@
 		RoomAccountDataEventType, StateEventType,
 		room::{
 			member::{MembershipState, RoomMemberEventContent},
-			message::RoomMessageEventContent,
 			power_levels::RoomPowerLevelsEventContent,
 		},
 		tag::{TagEvent, TagEventContent, TagInfo},
@@ -126,23 +125,6 @@ pub async fn make_user_admin(&self, user_id: &UserId) -> Result {
 		}
 	}

-	if self.services.server.config.admin_room_notices {
-		let welcome_message = String::from(
-			"## Thank you for trying out Continuwuity!\n\nContinuwuity is a hard fork of conduwuit, which is also a hard fork of Conduit, currently in Beta. The Beta status initially was inherited from Conduit, however overtime this Beta status is rapidly becoming less and less relevant as our codebase significantly diverges more and more. Continuwuity is quite stable and very usable as a daily driver and for a low-medium sized homeserver. There is still a lot of more work to be done, but it is in a far better place than the project was in early 2024.\n\nHelpful links:\n> Source code: https://forgejo.ellis.link/continuwuation/continuwuity\n> Documentation: https://continuwuity.org/\n> Report issues: https://forgejo.ellis.link/continuwuation/continuwuity/issues\n\nFor a list of available commands, send the following message in this room: `!admin --help`\n\nHere are some rooms you can join (by typing the command into your client) -\n\nContinuwuity space: `/join #space:continuwuity.org`\nContinuwuity main room (Ask questions and get notified on updates): `/join #continuwuity:continuwuity.org`\nContinuwuity offtopic room: `/join #offtopic:continuwuity.org`",
-		);
-
-		// Send welcome message
-		self.services
-			.timeline
-			.build_and_append_pdu(
-				PduBuilder::timeline(&RoomMessageEventContent::text_markdown(welcome_message)),
-				server_user,
-				Some(&room_id),
-				&state_lock,
-			)
-			.await?;
-	}
-
 	Ok(())
 }

--- a/src/service/admin/mod.rs
+++ b/src/service/admin/mod.rs
@@ -137,7 +137,6 @@ async fn worker(self: Arc<Self>) -> Result<()> {
 		let mut signals = self.services.server.signal.subscribe();
 		let receiver = self.channel.1.clone();

-		self.startup_execute().await?;
 		self.console_auto_start().await;

 		loop {
--- a/src/service/announcements/mod.rs
+++ b/src/service/announcements/mod.rs
@@ -18,7 +18,7 @@
 use std::{sync::Arc, time::Duration};

 use async_trait::async_trait;
-use conduwuit::{Result, Server, debug, error, info, warn};
+use conduwuit::{Result, Server, debug, error, warn};
 use database::{Deserialized, Map};
 use rand::Rng;
 use ruma::events::{Mentions, room::message::RoomMessageEventContent};
@@ -155,11 +155,6 @@ async fn check(&self) -> Result<()> {

 	#[tracing::instrument(skip_all)]
 	async fn handle(&self, announcement: &CheckForAnnouncementsResponseEntry) {
-		if let Some(date) = &announcement.date {
-			info!("[announcements] {date} {:#}", announcement.message);
-		} else {
-			info!("[announcements] {:#}", announcement.message);
-		}
 		let mut message = RoomMessageEventContent::text_markdown(format!(
 			"### New announcement{}\n\n{}",
 			announcement
--- a/src/service/client/mod.rs
+++ b/src/service/client/mod.rs
@@ -36,6 +36,11 @@ fn build(args: crate::Args<'_>) -> Result<Arc<Self>> {
 			.clone()
 			.and_then(Either::right);

+		let url_preview_user_agent = config
+			.url_preview_user_agent
+			.clone()
+			.unwrap_or_else(|| conduwuit::version::user_agent().to_owned());
+
 		Ok(Arc::new(Self {
 			default: base(config)?
 				.dns_resolver(resolver.resolver.clone())
@@ -49,6 +54,7 @@ fn build(args: crate::Args<'_>) -> Result<Arc<Self>> {
 				.dns_resolver(resolver.resolver.clone())
 				.timeout(Duration::from_secs(config.url_preview_timeout))
 				.redirect(redirect::Policy::limited(3))
+				.user_agent(url_preview_user_agent)
 				.build()?,

 			extern_media: base(config)?
--- a/src/service/config/mod.rs
+++ b/src/service/config/mod.rs
@@ -7,12 +7,25 @@
 	error, implement,
 };

+use crate::registration_tokens::{ValidToken, ValidTokenSource};
+
 pub struct Service {
 	server: Arc<Server>,
 }

 const SIGNAL: &str = "SIGUSR1";

+impl Service {
+	/// Get the registration token set in the config file, if it exists.
+	#[must_use]
+	pub fn get_config_file_token(&self) -> Option<ValidToken> {
+		self.registration_token.clone().map(|token| ValidToken {
+			token,
+			source: ValidTokenSource::ConfigFile,
+		})
+	}
+}
+
 #[async_trait]
 impl crate::Service for Service {
 	fn build(args: crate::Args<'_>) -> Result<Arc<Self>> {
--- a/src/service/firstrun/mod.rs
+++ b/src/service/firstrun/mod.rs
@@ -0,0 +1,302 @@
+use std::{
+	io::IsTerminal,
+	sync::{Arc, OnceLock},
+};
+
+use askama::Template;
+use async_trait::async_trait;
+use conduwuit::{Result, info, utils::ReadyExt};
+use futures::StreamExt;
+use ruma::{UserId, events::room::message::RoomMessageEventContent};
+
+use crate::{
+	Dep, admin, config, globals,
+	registration_tokens::{self, ValidToken, ValidTokenSource},
+	users,
+};
+
+pub struct Service {
+	services: Services,
+	/// Represents the state of first run mode.
+	///
+	/// First run mode is either active or inactive at server start. It may
+	/// transition from active to inactive, but only once, and can never
+	/// transition the other way. Additionally, whether the server is in first
+	/// run mode or not can only be determined when all services are
+	/// constructed. The outer `OnceLock` represents the unknown state of first
+	/// run mode, and the inner `OnceLock` enforces the one-time transition from
+	/// active to inactive.
+	///
+	/// Consequently, this marker may be in one of three states:
+	/// 1. OnceLock<uninitialized>, representing the unknown state of first run
+	///    mode during server startup. Once server startup is complete, the
+	///    marker transitions to state 2 or directly to state 3.
+	/// 2. OnceLock<OnceLock<uninitialized>>, representing first run mode being
+	///    active. The marker may only transition to state 3 from here.
+	/// 3. OnceLock<OnceLock<()>>, representing first run mode being inactive.
+	///    The marker may not transition out of this state.
+	first_run_marker: OnceLock<OnceLock<()>>,
+	/// A single-use registration token which may be used to create the first
+	/// account.
+	first_account_token: String,
+}
+
+struct Services {
+	config: Dep<config::Service>,
+	users: Dep<users::Service>,
+	globals: Dep<globals::Service>,
+	admin: Dep<admin::Service>,
+}
+
+#[async_trait]
+impl crate::Service for Service {
+	fn build(args: crate::Args<'_>) -> Result<Arc<Self>> {
+		Ok(Arc::new(Self {
+			services: Services {
+				config: args.depend::<config::Service>("config"),
+				users: args.depend::<users::Service>("users"),
+				globals: args.depend::<globals::Service>("globals"),
+				admin: args.depend::<admin::Service>("admin"),
+			},
+			// marker starts in an indeterminate state
+			first_run_marker: OnceLock::new(),
+			first_account_token: registration_tokens::Service::generate_token_string(),
+		}))
+	}
+
+	fn name(&self) -> &str { crate::service::make_name(std::module_path!()) }
+
+	async fn worker(self: Arc<Self>) -> Result {
+		// first run mode will be enabled if there are no local users
+		let is_first_run = self
+			.services
+			.users
+			.list_local_users()
+			.ready_filter(|user| *user != self.services.globals.server_user)
+			.next()
+			.await
+			.is_none();
+
+		self.first_run_marker
+			.set(if is_first_run {
+				// first run mode is active (empty inner lock)
+				OnceLock::new()
+			} else {
+				// first run mode is inactive (already filled inner lock)
+				OnceLock::from(())
+			})
+			.expect("Service worker should only be called once");
+
+		Ok(())
+	}
+}
+
+impl Service {
+	/// Check if first run mode is active.
+	pub fn is_first_run(&self) -> bool {
+		self.first_run_marker
+			.get()
+			.expect("First run mode should not be checked during server startup")
+			.get()
+			.is_none()
+	}
+
+	/// Disable first run mode and begin normal operation.
+	///
+	/// Returns true if first run mode was successfully disabled, and false if
+	/// first run mode was already disabled.
+	fn disable_first_run(&self) -> bool {
+		self.first_run_marker
+			.get()
+			.expect("First run mode should not be disabled during server startup")
+			.set(())
+			.is_ok()
+	}
+
+	/// If first-run mode is active, grant admin powers to the specified user
+	/// and disable first-run mode.
+	///
+	/// Returns Ok(true) if the specified user was the first user, and Ok(false)
+	/// if they were not.
+	pub async fn empower_first_user(&self, user: &UserId) -> Result<bool> {
+		#[derive(Template)]
+		#[template(path = "welcome.md.j2")]
+		struct WelcomeMessage<'a> {
+			config: &'a Dep<config::Service>,
+			domain: &'a str,
+		}
+
+		// If first run mode isn't active, do nothing.
+		if !self.disable_first_run() {
+			return Ok(false);
+		}
+
+		self.services.admin.make_user_admin(user).await?;
+
+		// Send the welcome message
+		let welcome_message = WelcomeMessage {
+			config: &self.services.config,
+			domain: self.services.globals.server_name().as_str(),
+		}
+		.render()
+		.expect("should have been able to render welcome message template");
+
+		self.services
+			.admin
+			.send_loud_message(RoomMessageEventContent::text_markdown(welcome_message))
+			.await?;
+
+		info!("{user} has been invited to the admin room as the first user.");
+
+		Ok(true)
+	}
+
+	/// Get the single-use registration token which may be used to create the
+	/// first account.
+	pub fn get_first_account_token(&self) -> Option<ValidToken> {
+		if self.is_first_run() {
+			Some(ValidToken {
+				token: self.first_account_token.clone(),
+				source: ValidTokenSource::FirstAccount,
+			})
+		} else {
+			None
+		}
+	}
+
+	pub fn print_first_run_banner(&self) {
+		use yansi::Paint;
+		// This function is specially called by the core after all other
+		// services have started. It runs last to ensure that the banner it
+		// prints comes after any other logging which may occur on startup.
+
+		if !self.is_first_run() {
+			return;
+		}
+
+		eprintln!();
+		eprintln!("{}", "============".bold());
+		eprintln!(
+			"Welcome to {} {}!",
+			"Continuwuity".bold().bright_magenta(),
+			conduwuit::version::version().bold()
+		);
+		eprintln!();
+		eprintln!(
+			"In order to use your new homeserver, you need to create its first user account."
+		);
+		eprintln!(
+			"Open your Matrix client of choice and register an account on {} using the \
+			 registration token {} . Pick your own username and password!",
+			self.services.globals.server_name().bold().green(),
+			self.first_account_token.as_str().bold().green()
+		);
+
+		match (
+			self.services.config.allow_registration,
+			self.services.config.get_config_file_token().is_some(),
+		) {
+			| (true, true) => {
+				eprintln!(
+					"{} until you create an account using the token above.",
+					"The registration token you set in your configuration will not function"
+						.red()
+				);
+			},
+			| (true, false) => {
+				eprintln!(
+					"{} until you create an account using the token above.",
+					"Nobody else will be able to register".green()
+				);
+			},
+			| (false, true) => {
+				eprintln!(
+					"{} because you have disabled registration in your configuration. If this \
+					 is not desired, set `allow_registration` to true and restart Continuwuity.",
+					"The registration token you set in your configuration will not be usable"
+						.yellow()
+				);
+			},
+			| (false, false) => {
+				eprintln!(
+					"{} to allow you to create an account. Because registration is not enabled \
+					 in your configuration, it will be disabled again once your account is \
+					 created.",
+					"Registration has been temporarily enabled".yellow()
+				);
+			},
+		}
+		eprintln!(
+			"{} https://matrix.org/ecosystem/clients/",
+			"Find a list of Matrix clients here:".bold()
+		);
+
+		if self.services.config.suspend_on_register {
+			eprintln!(
+				"{} Because you enabled suspend-on-register in your configuration, accounts \
+				 created after yours will be automatically suspended.",
+				"Your account will not be suspended when you register.".green()
+			);
+		}
+
+		if self
+			.services
+			.config
+			.yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse
+		{
+			eprintln!();
+			eprintln!(
+				"{}",
+				"You have enabled open registration in your configuration! You almost certainly \
+				 do not want to do this."
+					.bold()
+					.on_red()
+			);
+			eprintln!(
+				"{}",
+				"Servers with open, unrestricted registration are prone to abuse by spammers. \
+				 Users on your server may be unable to join chatrooms which block open \
+				 registration servers."
+					.red()
+			);
+			eprintln!(
+				"If you enabled it only for the purpose of creating the first account, {} and \
+				 create the first account using the token above.",
+				"disable it now, restart Continuwuity,".red(),
+			);
+			// TODO link to a guide on setting up reCAPTCHA
+		}
+
+		if self.services.config.emergency_password.is_some() {
+			eprintln!();
+			eprintln!(
+				"{}",
+				"You have set an emergency password for the server user! You almost certainly \
+				 do not want to do this."
+					.red()
+			);
+			eprintln!(
+				"If you set the password only for the purpose of creating the first account, {} \
+				 and create the first account using the token above.",
+				"disable it now, restart Continuwuity,".red(),
+			);
+		}
+
+		eprintln!();
+		if std::io::stdin().is_terminal() && self.services.config.admin_console_automatic {
+			eprintln!(
+				"You may also create the first user through the admin console below using the \
+				 `users create-user` command."
+			);
+		} else {
+			eprintln!(
+				"If you're running the server interactively, you may also create the first user \
+				 through the admin console using the `users create-user` command. Press Ctrl-C \
+				 to open the console."
+			);
+		}
+		eprintln!("If you need assistance setting up your homeserver, make a Matrix account on another homeserver and join our chatroom: https://matrix.to/#/#continuwuity:continuwuity.org");
+
+		eprintln!("{}", "============".bold());
+	}
+}
--- a/src/service/mod.rs
+++ b/src/service/mod.rs
@@ -18,6 +18,7 @@
 pub mod config;
 pub mod emergency;
 pub mod federation;
+pub mod firstrun;
 pub mod globals;
 pub mod key_backups;
 pub mod media;
--- a/src/service/registration_tokens/mod.rs
+++ b/src/service/registration_tokens/mod.rs
@@ -1,14 +1,17 @@
 mod data;

-use std::sync::Arc;
+use std::{future::ready, pin::Pin, sync::Arc};

 use conduwuit::{Err, Result, utils};
 use data::Data;
 pub use data::{DatabaseTokenInfo, TokenExpires};
-use futures::{Stream, StreamExt, stream};
+use futures::{
+	Stream, StreamExt,
+	stream::{iter, once},
+};
 use ruma::OwnedUserId;

-use crate::{Dep, config};
+use crate::{Dep, config, firstrun};

 const RANDOM_TOKEN_LENGTH: usize = 16;

@@ -19,6 +22,7 @@ pub struct Service {

 struct Services {
 	config: Dep<config::Service>,
+	firstrun: Dep<firstrun::Service>,
 }

 /// A validated registration token which may be used to create an account.
@@ -46,6 +50,9 @@ pub enum ValidTokenSource {
 	ConfigFile,
 	/// A database token which has been checked to be valid.
 	Database(DatabaseTokenInfo),
+	/// The single-use token which may be used to create the homeserver's first
+	/// account.
+	FirstAccount,
 }

 impl std::fmt::Display for ValidTokenSource {
@@ -53,6 +60,7 @@ fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
 		match self {
 			| Self::ConfigFile => write!(f, "Token defined in config."),
 			| Self::Database(info) => info.fmt(f),
+			| Self::FirstAccount => write!(f, "Initial setup token."),
 		}
 	}
 }
@@ -63,6 +71,7 @@ fn build(args: crate::Args<'_>) -> Result<Arc<Self>> {
 			db: Data::new(args.db),
 			services: Services {
 				config: args.depend::<config::Service>("config"),
+				firstrun: args.depend::<firstrun::Service>("firstrun"),
 			},
 		}))
 	}
@@ -71,45 +80,51 @@ fn name(&self) -> &str { crate::service::make_name(std::module_path!()) }
 }

 impl Service {
+	/// Generate a random string suitable to be used as a registration token.
+	#[must_use]
+	pub fn generate_token_string() -> String { utils::random_string(RANDOM_TOKEN_LENGTH) }
+
 	/// Issue a new registration token and save it in the database.
 	pub fn issue_token(
 		&self,
 		creator: OwnedUserId,
 		expires: Option<TokenExpires>,
 	) -> (String, DatabaseTokenInfo) {
-		let token = utils::random_string(RANDOM_TOKEN_LENGTH);
+		let token = Self::generate_token_string();
 		let info = DatabaseTokenInfo::new(creator, expires);

 		self.db.save_token(&token, &info);
 		(token, info)
 	}

-	/// Get the registration token set in the config file, if it exists.
-	pub fn get_config_file_token(&self) -> Option<ValidToken> {
-		self.services
-			.config
-			.registration_token
-			.clone()
-			.map(|token| ValidToken {
-				token,
-				source: ValidTokenSource::ConfigFile,
-			})
+	/// Get all the "special" registration tokens that aren't defined in the
+	/// database.
+	fn iterate_static_tokens(&self) -> impl Iterator<Item = ValidToken> {
+		// This does not include the first-account token, because it's special:
+		// no other registration tokens are valid when it is set.
+		self.services.config.get_config_file_token().into_iter()
 	}

 	/// Validate a registration token.
 	pub async fn validate_token(&self, token: String) -> Option<ValidToken> {
-		// Check the registration token in the config first
-		if self
-			.get_config_file_token()
-			.is_some_and(|valid_token| valid_token == *token)
-		{
-			return Some(ValidToken {
-				token,
-				source: ValidTokenSource::ConfigFile,
-			});
+		// Check for the first-account token first
+		if let Some(first_account_token) = self.services.firstrun.get_first_account_token() {
+			if first_account_token == *token {
+				return Some(first_account_token);
+			}
+
+			// If the first-account token is set, no other tokens are valid
+			return None;
 		}

-		// Now check the database
+		// Then static registration tokens
+		for static_token in self.iterate_static_tokens() {
+			if static_token == *token {
+				return Some(static_token);
+			}
+		}
+
+		// Then check the database
 		if let Some(token_info) = self.db.lookup_token_info(&token).await
 			&& token_info.is_valid()
 		{
@@ -126,14 +141,14 @@ pub async fn validate_token(&self, token: String) -> Option<ValidToken> {
 	/// Mark a valid token as having been used to create a new account.
 	pub fn mark_token_as_used(&self, ValidToken { token, source }: ValidToken) {
 		match source {
-			| ValidTokenSource::ConfigFile => {
-				// we don't track uses of the config file token, do nothing
-			},
 			| ValidTokenSource::Database(mut info) => {
 				info.uses = info.uses.saturating_add(1);

 				self.db.save_token(&token, &info);
 			},
+			| _ => {
+				// Do nothing for other token sources.
+			},
 		}
 	}

@@ -144,7 +159,6 @@ pub fn mark_token_as_used(&self, ValidToken { token, source }: ValidToken) {
 	pub fn revoke_token(&self, ValidToken { token, source }: ValidToken) -> Result {
 		match source {
 			| ValidTokenSource::ConfigFile => {
-				// the config file token cannot be revoked
 				Err!(
 					"The token set in the config file cannot be revoked. Edit the config file \
 					 to change it."
@@ -154,11 +168,19 @@ pub fn revoke_token(&self, ValidToken { token, source }: ValidToken) -> Result {
 				self.db.revoke_token(&token);
 				Ok(())
 			},
+			| ValidTokenSource::FirstAccount => {
+				Err!("The initial setup token cannot be revoked.")
+			},
 		}
 	}

 	/// Iterate over all valid registration tokens.
-	pub fn iterate_tokens(&self) -> impl Stream<Item = ValidToken> + Send + '_ {
+	pub fn iterate_tokens(&self) -> Pin<Box<dyn Stream<Item = ValidToken> + Send + '_>> {
+		// If the first-account token is set, no other tokens are valid
+		if let Some(first_account_token) = self.services.firstrun.get_first_account_token() {
+			return once(ready(first_account_token)).boxed();
+		}
+
 		let db_tokens = self
 			.db
 			.iterate_and_clean_tokens()
@@ -167,6 +189,6 @@ pub fn iterate_tokens(&self) -> impl Stream<Item = ValidToken> + Send + '_ {
 				source: ValidTokenSource::Database(info),
 			});

-		stream::iter(self.get_config_file_token()).chain(db_tokens)
+		iter(self.iterate_static_tokens()).chain(db_tokens).boxed()
 	}
 }
--- a/src/service/rooms/event_handler/handle_incoming_pdu.rs
+++ b/src/service/rooms/event_handler/handle_incoming_pdu.rs
@@ -4,18 +4,83 @@
 };

 use conduwuit::{
-	Err, Event, Result, debug::INFO_SPAN_LEVEL, defer, err, implement, info,
-	utils::stream::IterStream, warn,
+	Err, Event, PduEvent, Result, debug::INFO_SPAN_LEVEL, debug_error, debug_info, defer, err,
+	implement, info, trace, utils::stream::IterStream, warn,
 };
 use futures::{
 	FutureExt, TryFutureExt, TryStreamExt,
-	future::{OptionFuture, try_join5},
+	future::{OptionFuture, try_join4},
+};
+use ruma::{
+	CanonicalJsonValue, EventId, OwnedUserId, RoomId, ServerName, UserId,
+	events::{
+		StateEventType, TimelineEventType,
+		room::member::{MembershipState, RoomMemberEventContent},
+	},
 };
-use ruma::{CanonicalJsonValue, EventId, RoomId, ServerName, UserId, events::StateEventType};
 use tracing::debug;

 use crate::rooms::timeline::{RawPduId, pdu_fits};

+async fn should_rescind_invite(
+	services: &crate::rooms::event_handler::Services,
+	content: &mut BTreeMap<String, CanonicalJsonValue>,
+	sender: &UserId,
+	room_id: &RoomId,
+) -> Result<Option<PduEvent>> {
+	// We insert a bogus event ID since we can't actually calculate the right one
+	content.insert("event_id".to_owned(), CanonicalJsonValue::String("$rescind".to_owned()));
+	let pdu_event = serde_json::from_value::<PduEvent>(
+		serde_json::to_value(&content).expect("CanonicalJsonObj is a valid JsonValue"),
+	)
+	.map_err(|e| err!("invalid PDU: {e}"))?;
+
+	if pdu_event.room_id().is_none_or(|r| r != room_id)
+		&& pdu_event.sender() != sender
+		&& pdu_event.event_type() != &TimelineEventType::RoomMember
+		&& pdu_event.state_key().is_none_or(|v| v == sender.as_str())
+	{
+		return Ok(None);
+	}
+
+	let target_user_id = UserId::parse(pdu_event.state_key().unwrap())?;
+	if pdu_event
+		.get_content::<RoomMemberEventContent>()?
+		.membership
+		!= MembershipState::Leave
+	{
+		return Ok(None); // Not a leave event
+	}
+
+	// Does the target user have a pending invite?
+	let Ok(pending_invite_state) = services
+		.state_cache
+		.invite_state(target_user_id, room_id)
+		.await
+	else {
+		return Ok(None); // No pending invite, so nothing to rescind
+	};
+	for event in pending_invite_state {
+		if event
+			.get_field::<String>("type")?
+			.is_some_and(|t| t == "m.room.member")
+			|| event
+				.get_field::<OwnedUserId>("state_key")?
+				.is_some_and(|s| s == *target_user_id)
+			|| event
+				.get_field::<OwnedUserId>("sender")?
+				.is_some_and(|s| s == *sender)
+			|| event
+				.get_field::<RoomMemberEventContent>("content")?
+				.is_some_and(|c| c.membership == MembershipState::Invite)
+		{
+			return Ok(Some(pdu_event));
+		}
+	}
+
+	Ok(None)
+}
+
 /// When receiving an event one needs to:
 /// 0. Check the server is in the room
 /// 1. Skip the PDU if we already know about it
@@ -69,6 +134,7 @@ pub async fn handle_incoming_pdu<'a>(
 		);
 		return Err!(Request(TooLarge("PDU is too large")));
 	}
+	trace!("processing incoming pdu from {origin} for room {room_id} with event id {event_id}");

 	// 1.1 Check we even know about the room
 	let meta_exists = self.services.metadata.exists(room_id).map(Ok);
@@ -91,24 +157,14 @@ pub async fn handle_incoming_pdu<'a>(
 		.then(|| self.acl_check(sender.server_name(), room_id))
 		.into();

-	// Fetch create event
-	let create_event =
-		self.services
-			.state_accessor
-			.room_state_get(room_id, &StateEventType::RoomCreate, "");
-
-	let (meta_exists, is_disabled, (), (), ref create_event) = try_join5(
+	let (meta_exists, is_disabled, (), ()) = try_join4(
 		meta_exists,
 		is_disabled,
 		origin_acl_check,
 		sender_acl_check.map(|o| o.unwrap_or(Ok(()))),
-		create_event,
 	)
-	.await?;
-
-	if !meta_exists {
-		return Err!(Request(NotFound("Room is unknown to this server")));
-	}
+	.await
+	.inspect_err(|e| debug_error!("failed to handle incoming PDU: {e}"))?;

 	if is_disabled {
 		return Err!(Request(Forbidden("Federation of this room is disabled by this server.")));
@@ -120,6 +176,23 @@ pub async fn handle_incoming_pdu<'a>(
 		.server_in_room(self.services.globals.server_name(), room_id)
 		.await
 	{
+		// Is this a federated invite rescind?
+		// copied from https://github.com/element-hq/synapse/blob/7e4588a/synapse/handlers/federation_event.py#L255-L300
+		if value.get("type").and_then(|t| t.as_str()) == Some("m.room.member") {
+			if let Some(pdu) =
+				should_rescind_invite(&self.services, &mut value.clone(), sender, room_id).await?
+			{
+				debug_info!(
+					"Invite to {room_id} appears to have been rescinded by {sender}, marking as \
+					 left"
+				);
+				self.services
+					.state_cache
+					.mark_as_left(sender, room_id, Some(pdu))
+					.await;
+				return Ok(None);
+			}
+		}
 		info!(
 			%origin,
 			"Dropping inbound PDU for room we aren't participating in"
@@ -127,6 +200,17 @@ pub async fn handle_incoming_pdu<'a>(
 		return Err!(Request(NotFound("This server is not participating in that room.")));
 	}

+	if !meta_exists {
+		return Err!(Request(NotFound("Room is unknown to this server")));
+	}
+
+	// Fetch create event
+	let create_event = &(self
+		.services
+		.state_accessor
+		.room_state_get(room_id, &StateEventType::RoomCreate, "")
+		.await?);
+
 	let (incoming_pdu, val) = self
 		.handle_outlier_pdu(origin, create_event, event_id, room_id, value, false)
 		.await?;
--- a/src/service/rooms/event_handler/parse_incoming_pdu.rs
+++ b/src/service/rooms/event_handler/parse_incoming_pdu.rs
@@ -56,7 +56,7 @@ pub async fn parse_incoming_pdu(&self, pdu: &RawJsonValue) -> Result<Parsed> {
 		.state
 		.get_room_version(&room_id)
 		.await
-		.map_err(|_| err!("Server is not in room {room_id}"))?;
+		.unwrap_or(RoomVersionId::V1);
 	let (event_id, value) = gen_event_id_canonical_json(pdu, &room_version_id).map_err(|e| {
 		err!(Request(InvalidParam("Could not convert event to canonical json: {e}")))
 	})?;
--- a/src/service/rooms/event_handler/policy_server.rs
+++ b/src/service/rooms/event_handler/policy_server.rs
@@ -58,7 +58,11 @@ pub async fn ask_policy_server(
 		.state_accessor
 		.room_state_get_content(room_id, &StateEventType::RoomPolicy, "")
 		.await
-		.inspect_err(|e| debug_error!("failed to load room policy server state event: {e}"))
+		.inspect_err(|e| {
+			if !e.is_not_found() {
+				debug_error!("failed to load room policy server state event: {e}");
+			}
+		})
 		.map(|c: RoomPolicyEventContent| c)
 	else {
 		debug!("room has no policy server configured");
--- a/src/service/services.rs
+++ b/src/service/services.rs
@@ -9,7 +9,7 @@

 use crate::{
 	account_data, admin, announcements, antispam, appservice, client, config, emergency,
-	federation, globals, key_backups,
+	federation, firstrun, globals, key_backups,
 	manager::Manager,
 	media, moderation, presence, pusher, registration_tokens, resolver, rooms, sending,
 	server_keys,
@@ -33,6 +33,7 @@ pub struct Services {
 	pub resolver: Arc<resolver::Service>,
 	pub rooms: rooms::Service,
 	pub federation: Arc<federation::Service>,
+	pub firstrun: Arc<firstrun::Service>,
 	pub sending: Arc<sending::Service>,
 	pub server_keys: Arc<server_keys::Service>,
 	pub sync: Arc<sync::Service>,
@@ -67,6 +68,9 @@ macro_rules! build {
 		}

 		Ok(Arc::new(Self {
+			// firstrun service should be built first so other services
+			// can check first-run state
+			firstrun: build!(firstrun::Service),
 			account_data: build!(account_data::Service),
 			admin: build!(admin::Service),
 			appservice: build!(appservice::Service),
@@ -144,6 +148,7 @@ pub async fn start(self: &Arc<Self>) -> Result<Arc<Self>> {
 		}

 		debug_info!("Services startup complete.");
+
 		Ok(Arc::clone(self))
 	}

--- a/src/service/templates/welcome.md.j2
+++ b/src/service/templates/welcome.md.j2
@@ -0,0 +1,29 @@
+## Thank you for trying out Continuwuity!
+
+Your new homeserver is ready to use! {%- if config.allow_federation %} To make sure you can federate with the rest of the Matrix network, consider checking your domain (`{{ domain }}`) with a federation tester like [this one](https://connectivity-tester.mtrnord.blog/). {%- endif %}
+
+{% if config.get_config_file_token().is_some() -%}
+Users may now create accounts normally using the configured registration token.
+{%- else if config.recaptcha_site_key.is_some() -%}
+Users may now create accounts normally after solving a CAPTCHA.
+{%- else if config.yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse -%}
+**This server has open, unrestricted registration enabled!** Anyone, including spammers, may now create an account with no further steps. If this is not desired behavior, set `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` to `false` in your configuration and restart the server.
+{%- else if config.allow_registration -%}
+To allow more users to register, use the `!admin token` admin commands to issue registration tokens, or set a registration token in the configuration.
+{%- else -%}
+You've disabled registration. To create more accounts, use the `!admin users create-user` admin command.
+{%- endif %}
+
+This room is your server's admin room. You can send messages starting with `!admin` in this room to perform a range of administrative actions.
+To view a list of available commands, send the following message: `!admin --help`
+
+Project chatrooms:
+> Support chatroom: https://matrix.to/#/#continuwuity:continuwuity.org
+> Update announcements: https://matrix.to/#/#announcements:continuwuity.org
+> Other chatrooms: https://matrix.to/#/#space:continuwuity.org
+>
+
+Helpful links:
+> Source code: https://forgejo.ellis.link/continuwuation/continuwuity
+> Documentation: https://continuwuity.org/
+> Report issues: https://forgejo.ellis.link/continuwuation/continuwuity/issues
--- a/src/service/users/mod.rs
+++ b/src/service/users/mod.rs
@@ -187,7 +187,9 @@ pub async fn create(
 		self.db
 			.userid_origin
 			.insert(user_id, origin.unwrap_or("password"));
-		self.set_password(user_id, password).await
+		self.set_password(user_id, password).await?;
+
+		Ok(())
 	}

 	/// Deactivate account
@@ -1269,12 +1271,12 @@ pub fn set_profile_key(
 	}

 	#[cfg(not(feature = "ldap"))]
-	pub async fn search_ldap(&self, _user_id: &UserId) -> Result<Vec<(String, bool)>> {
+	pub async fn search_ldap(&self, _user_id: &UserId) -> Result<Vec<(String, Option<bool>)>> {
 		Err!(FeatureDisabled("ldap"))
 	}

 	#[cfg(feature = "ldap")]
-	pub async fn search_ldap(&self, user_id: &UserId) -> Result<Vec<(String, bool)>> {
+	pub async fn search_ldap(&self, user_id: &UserId) -> Result<Vec<(String, Option<bool>)>> {
 		let localpart = user_id.localpart().to_owned();
 		let lowercased_localpart = localpart.to_lowercase();

@@ -1318,7 +1320,7 @@ pub async fn search_ldap(&self, user_id: &UserId) -> Result<Vec<(String, bool)>>
 			.inspect(|(entries, result)| trace!(?entries, ?result, "LDAP Search"))
 			.map_err(|e| err!(Ldap(error!(?attr, ?user_filter, "LDAP search error: {e}"))))?;

-		let mut dns: HashMap<String, bool> = entries
+		let mut dns: HashMap<String, Option<bool>> = entries
 			.into_iter()
 			.filter_map(|entry| {
 				let search_entry = SearchEntry::construct(entry);
@@ -1329,11 +1331,16 @@ pub async fn search_ldap(&self, user_id: &UserId) -> Result<Vec<(String, bool)>>
 					.into_iter()
 					.chain(search_entry.attrs.get(&config.name_attribute))
 					.any(|ids| ids.contains(&localpart) || ids.contains(&lowercased_localpart))
-					.then_some((search_entry.dn, false))
+					.then_some((search_entry.dn, None))
 			})
 			.collect();

 		if !config.admin_filter.is_empty() {
+			// Update all existing entries to Some(false) since we can now determine admin
+			// status
+			for admin_status in dns.values_mut() {
+				*admin_status = Some(false);
+			}
 			let admin_base_dn = if config.admin_base_dn.is_empty() {
 				&config.base_dn
 			} else {
@@ -1362,7 +1369,7 @@ pub async fn search_ldap(&self, user_id: &UserId) -> Result<Vec<(String, bool)>>
 					.into_iter()
 					.chain(search_entry.attrs.get(&config.name_attribute))
 					.any(|ids| ids.contains(&localpart) || ids.contains(&lowercased_localpart))
-					.then_some((search_entry.dn, true))
+					.then_some((search_entry.dn, Some(true)))
 			}));
 		}

--- a/src/web/Cargo.toml
+++ b/src/web/Cargo.toml
@@ -20,9 +20,7 @@ crate-type = [
 [dependencies]
 conduwuit-build-metadata.workspace = true
 conduwuit-service.workspace = true
-
-askama = "0.14.0"
-
+askama.workspace = true
 axum.workspace = true
 futures.workspace = true
 tracing.workspace = true
--- a/src/web/css/index.css
+++ b/src/web/css/index.css
@@ -83,3 +83,12 @@ footer {
    color: transparent;
    filter: brightness(1.2);
 }
+
+b {
+    color: oklch(from var(--c2) var(--name-lightness) c h);
+}
+
+.logo {
+    width: 100%;
+    height: 64px;
+}
--- a/src/web/mod.rs
+++ b/src/web/mod.rs
@@ -10,8 +10,9 @@
 use conduwuit_service::state;

 pub fn build() -> Router<state::State> {
-	let router = Router::<state::State>::new();
-	router.route("/", get(index_handler))
+	Router::<state::State>::new()
+		.route("/", get(index_handler))
+		.route("/_continuwuity/logo.svg", get(logo_handler))
 }

 async fn index_handler(
@@ -19,22 +20,34 @@ async fn index_handler(
 ) -> Result<impl IntoResponse, WebError> {
 	#[derive(Debug, Template)]
 	#[template(path = "index.html.j2")]
-	struct Tmpl<'a> {
+	struct Index<'a> {
 		nonce: &'a str,
 		server_name: &'a str,
+		first_run: bool,
 	}
 	let nonce = rand::random::<u64>().to_string();

-	let template = Tmpl {
+	let template = Index {
 		nonce: &nonce,
 		server_name: services.config.server_name.as_str(),
+		first_run: services.firstrun.is_first_run(),
 	};
 	Ok((
-		[(header::CONTENT_SECURITY_POLICY, format!("default-src 'none' 'nonce-{nonce}';"))],
+		[(
+			header::CONTENT_SECURITY_POLICY,
+			format!("default-src 'nonce-{nonce}'; img-src 'self';"),
+		)],
 		Html(template.render()?),
 	))
 }

+async fn logo_handler() -> impl IntoResponse {
+	(
+		[(header::CONTENT_TYPE, "image/svg+xml")],
+		include_str!("templates/logo.svg").to_owned(),
+	)
+}
+
 #[derive(Debug, thiserror::Error)]
 enum WebError {
 	#[error("Failed to render template: {0}")]
@@ -45,7 +58,7 @@ impl IntoResponse for WebError {
 	fn into_response(self) -> Response {
 		#[derive(Debug, Template)]
 		#[template(path = "error.html.j2")]
-		struct Tmpl<'a> {
+		struct Error<'a> {
 			nonce: &'a str,
 			err: WebError,
 		}
@@ -55,7 +68,7 @@ struct Tmpl<'a> {
 		let status = match &self {
 			| Self::Render(_) => StatusCode::INTERNAL_SERVER_ERROR,
 		};
-		let tmpl = Tmpl { nonce: &nonce, err: self };
+		let tmpl = Error { nonce: &nonce, err: self };
 		if let Ok(body) = tmpl.render() {
 			(
 				status,
--- a/src/web/templates/_layout.html.j2
+++ b/src/web/templates/_layout.html.j2
@@ -6,6 +6,7 @@
    <title>{% block title %}Continuwuity{% endblock %}</title>
    <meta name="viewport" content="width=device-width, initial-scale=1" />

+    <link rel="icon" href="/_continuwuity/logo.svg">
    <style type="text/css" nonce="{{ nonce }}">
        /*<![CDATA[*/
            {{ include_str !("css/index.css") | safe }}
@@ -17,7 +18,8 @@
    <main>{%~ block content %}{% endblock ~%}</main>
    {%~ block footer ~%}
        <footer>
-            <p>Powered by <a href="https://continuwuity.org">Continuwuity</a>
+            <img class="logo" src="/_continuwuity/logo.svg">
+            <p>Powered by <a href="https://continuwuity.org">Continuwuity</a> {{ env!("CARGO_PKG_VERSION") }}
                {%~ if let Some(version_info) = self::version_tag() ~%}
                    {%~ if let Some(url) = GIT_REMOTE_COMMIT_URL.or(GIT_REMOTE_WEB_URL) ~%}
                        (<a href="{{ url }}">{{ version_info }}</a>)
--- a/src/web/templates/index.html.j2
+++ b/src/web/templates/index.html.j2
@@ -1,16 +1,16 @@
 {% extends "_layout.html.j2" %}
 {%- block content -%}
-<div class="orb"></div>
 <div class="panel">
-    <h1>Welcome to <a class="project-name" href="https://continuwuity.org">Continuwuity</a>!</h1>
-    <p>Continuwuity is successfully installed and working. </p>
-    <p>To get started, you can:</p>
-    <ul>
-        <li>Read the <a href="https://continuwuity.org/introduction">documentation</a></li>
-        <li>Join the <a href="https://matrix.to/#/#continuwuity:continuwuity.org?via=continuwuity.org&via=ellis.link&via=explodie.org&via=matrix.org">Continuwuity Matrix room</a> or <a href="https://matrix.to/#/#space:continuwuity.org?via=continuwuity.org&via=ellis.link&via=explodie.org&via=matrix.org">space</a></li>
-        <li>Log in with a <a href="https://matrix.org/ecosystem/clients/">client</a></li>
-        <li>Ensure <a href="https://federationtester.matrix.org/#{{ server_name }}">federation</a> works</li>
-    </ul>
+    <h1>
+        Welcome to <a class="project-name" href="https://continuwuity.org">Continuwuity</a>!
+    </h1>
+    <p>Continuwuity is successfully installed and working.</p>
+    {%- if first_run %}
+    <p>To get started, <b>check the server logs</b> for instructions on how to create the first account.</p>
+    <p>For support, take a look at the <a href="https://continuwuity.org/introduction">documentation</a> or join the <a href="https://matrix.to/#/#continuwuity:continuwuity.org?via=continuwuity.org&via=ellis.link&via=explodie.org&via=matrix.org">Continuwuity Matrix room</a>.</p>
+    {%- else %}
+    <p>To get started, <a href="https://matrix.org/ecosystem/clients">choose a client</a> and connect to <code>{{ server_name }}</code>.</p>
+    {%- endif %}
 </div>

 {%- endblock content -%}
--- a/src/web/templates/logo.svg
+++ b/src/web/templates/logo.svg
@@ -0,0 +1 @@
+../../../docs/public/assets/logo.svg
--- a/theme/index.css
+++ b/theme/index.css
@@ -105,3 +105,68 @@ body:not(.notTopArrived) header.rp-nav {
 .rspress-logo {
    height: 32px;
 }
+
+/* pre-hero */
+.custom-section {
+    padding: 4rem 1.5rem;
+    background: var(--rp-c-bg);
+}
+
+.custom-cards {
+    display: flex;
+    gap: 2rem;
+    max-width: 800px;
+    margin: 0 auto;
+    justify-content: center;
+    flex-wrap: wrap;
+}
+
+.custom-card {
+    padding: 2rem;
+    border: 1px solid var(--rp-c-divider-light);
+    border-radius: 12px;
+    background: var(--rp-c-bg-soft);
+    text-decoration: none;
+    color: var(--rp-c-text-1);
+    transition: all 0.3s ease;
+    display: flex;
+    flex-direction: column;
+    flex: 1;
+    min-width: 280px;
+    max-width: 350px;
+}
+
+.custom-card:hover {
+    border-color: var(--rp-c-brand);
+    box-shadow: 0 4px 12px rgba(0, 0, 0, 0.1);
+    transform: translateY(-2px);
+}
+
+.custom-card h3 {
+    margin: 0 0 1rem 0;
+    font-size: 1.25rem;
+    font-weight: 600;
+    color: var(--rp-c-text-0);
+}
+
+.custom-card p {
+    margin: 0 0 1.5rem 0;
+    color: var(--rp-c-text-2);
+    line-height: 1.6;
+    flex: 1;
+}
+
+.custom-card-button {
+    display: inline-block;
+    padding: 0.5rem 1.5rem;
+    background: var(--rp-c-brand);
+    color: white;
+    border-radius: 6px;
+    font-weight: 500;
+    text-align: center;
+    transition: background 0.2s ease;
+}
+
+.custom-card:hover .custom-card-button {
+    background: var(--rp-c-brand-light);
+}
--- a/theme/index.tsx
+++ b/theme/index.tsx
@@ -12,6 +12,23 @@ function HomeLayout(props: HomeLayoutProps) {

    return (
        <BasicHomeLayout
+            beforeFeatures={
+                frontmatter.beforeFeatures ? (
+                    <section className="custom-section">
+                        <div className="rp-container">
+                            <div className="custom-cards">
+                                {frontmatter.beforeFeatures.map((item: any, index: number) => (
+                                    <a key={index} href={item.link} className="custom-card" target="_blank" rel="noopener noreferrer">
+                                        <h3>{item.title}</h3>
+                                        <p>{item.details}</p>
+                                        <span className="custom-card-button">{item.buttonText || 'Learn More'} →</span>
+                                    </a>
+                                ))}
+                            </div>
+                        </div>
+                    </section>
+                ) : <></>
+            }
            afterFeatures={
                (frontmatter.doc) ?
                <main className="rp-doc-layout__doc-container">
Author	SHA1	Message	Date
rooot	c91e9951a6	docs(livekit): document nginx websockets too Signed-off-by: rooot <hey@rooot.gay>	2026-02-16 04:39:18 +01:00
rooot	de6a44d272	docs(livekit): fix port in caddy config example Signed-off-by: rooot <hey@rooot.gay>	2026-02-16 04:32:35 +01:00
rooot	c2ea303363	docs(livekit): add nginx proxy example Signed-off-by: rooot <hey@rooot.gay>	2026-02-16 04:32:03 +01:00
Jade Ellis	cacd8681d1	docs: Update & apply feedback	2026-02-16 02:55:26 +00:00
burgundia	b095518e6f	Update documentation to feature LiveKit-related configuration options present in continuwuity.toml	2026-02-16 02:35:41 +00:00
Jade Ellis	a91add4aca	docs: Apply feedback	2026-02-16 02:35:41 +00:00
Jade Ellis	7fec48423a	chore: Style	2026-02-16 02:35:40 +00:00
Jade Ellis	2f6b7c7a40	docs: Update TURN guide	2026-02-16 02:35:40 +00:00
Jade Ellis	48ab6adec1	chore: Apply review comments	2026-02-16 02:35:40 +00:00
Jade Ellis	592244d5aa	docs: Last dead link	2026-02-16 02:35:40 +00:00
Jade Ellis	091893f8bc	fix: oops	2026-02-16 02:35:40 +00:00
Jade Ellis	6eba6a838e	docs: Fix broken links	2026-02-16 02:35:39 +00:00
Jade Ellis	1a11c784f5	docs: Write up how to set up LiveKit calling	2026-02-16 02:35:38 +00:00
Renovate Bot	55ccfdb973	chore(deps): update rust-patch-updates	2026-02-15 23:04:26 +00:00
Henry-Hiles	a9a39e6d5e	fix: Update regex for web template in uwulib build	2026-02-15 23:04:05 +00:00
Jade Ellis	38bf1ccbcc	refactor: Drop duplicate clone	2026-02-15 23:03:23 +00:00
timedout	b7a8cbdb42	feat: Exclude empty rooms from `!admin rooms list` by default Reviewed-By: Ginger <ginger@gingershaped.computer>	2026-02-15 23:03:23 +00:00
Ginger	4e1dac32a5	fix: Don't panic when running startup admin commands	2026-02-15 17:32:26 -05:00
timedout	7b21c3fd9f	chore: Update changelog	2026-02-15 20:39:14 +00:00
timedout	f566ca1b93	chore: Release 0.5.5	2026-02-15 20:31:58 +00:00
timedout	debe411e23	fix(ci): Work around LLVM issue & dynamically select clang pkg version	2026-02-15 20:27:55 +00:00
timedout	dc0d6a9220	fix: Install clang-23 specifically clang (clang-22) is busted	2026-02-15 19:09:33 +00:00
timedout	2efdb6fb0d	fix: Work around https://github.com/llvm/llvm-project/issues/153385	2026-02-15 18:55:17 +00:00
Ginger	576348a445	fix: Set default value of `allow_registration` to `true`	2026-02-15 18:05:42 +00:00
Ginger	f322b6dca0	chore: News fragment	2026-02-15 18:05:42 +00:00
Ginger	a1ed77a99c	feat: Add a link to the clients list on matrix.org	2026-02-15 18:05:42 +00:00
Ginger	01b5dffeee	feat: Default index page improvements - Add project logo to footer and favicon - Display different messages depending on if first-run mode is active	2026-02-15 18:05:42 +00:00
Ginger	ea3c00da43	chore: Clippy fixes	2026-02-15 18:05:42 +00:00
Ginger	047eba0442	feat: Improve the initial setup experience - Issue a single-use token for initial account creation - Disable registration through other methods until the first account is made - Print helpful instructions to the console on the first run - Improve the welcome message sent in the admin room on first run	2026-02-15 18:05:42 +00:00
Ginger	11a088be5d	feat: Stop logging announcements to the console	2026-02-15 18:05:42 +00:00
Ginger	dc6bd4e541	fix: Silence unnecessary policy server errors in debug builds	2026-02-15 18:05:42 +00:00
Ginger	2bf9207cc4	feat: Add skeleton first-run service	2026-02-15 18:05:42 +00:00
Ginger	b2a87e2fb9	refactor: Add support for multiple static tokens to registration token service	2026-02-15 18:05:42 +00:00
timedout	7d0686f33c	fix: Error response can leak appservice token Reviewed-By: Ginger <ginger@gingershaped.computer> Reviewed-By: Jade Ellis <jade@ellis.link>	2026-02-15 17:58:48 +00:00
Jade Ellis	082c44f355	fix: Only sync LDAP admin status when `admin_filter` is configured Closes #1307	2026-02-15 16:17:26 +00:00
Jade Ellis	117c581948	fix: Correct incorrectly inverted boolean expression	2026-02-15 16:11:19 +00:00
timedout	cb846a3ad1	style: Invert pending_invite_state check	2026-02-15 16:11:19 +00:00
timedout	81b984b2cc	style: Compress should_rescind_invite	2026-02-15 16:11:19 +00:00
timedout	e2961390ee	feat: Support rescinding invites over federation	2026-02-15 16:11:19 +00:00
timedout	cb75e836e0	style: Update error messages in make_join.rs	2026-02-15 16:11:19 +00:00
nexy7574	cb7a988b1b	chore: Add news frag	2026-02-15 16:11:19 +00:00
nexy7574	aa5400bcef	style: Fix IncompatibleRoomVersion log line	2026-02-15 16:11:18 +00:00
nexy7574	ff4dddd673	fix: Refactor local join process	2026-02-15 16:11:18 +00:00
nexy7574	c22b17fb29	fix: Return accurate errors in make_join for restricted rooms	2026-02-15 16:11:18 +00:00
timedout	3da7fa24db	fix: Produce more useful errors in make_join_request	2026-02-15 16:11:18 +00:00
timedout	d15ac1d3c1	fix: Use 404 instead of 400 (and include sender)	2026-02-15 15:55:36 +00:00
timedout	a9ebdf58e2	feat: Filter ignored PDUs in relations	2026-02-15 15:55:35 +00:00
timedout	f1ab27d344	feat: Return SENDER_IGNORED error for context and relations	2026-02-15 15:55:35 +00:00
timedout	8bc6e6ccca	feat: Return SENDER_IGNORED error in is_ignored_pdu	2026-02-15 15:55:32 +00:00
Jade Ellis	60a3abe752	refactor: Use HashSet	2026-02-15 15:35:29 +00:00
Ellie	e3b874d336	fix(sync): handle wildcard state keys in sliding sync required_state	2026-02-15 15:35:29 +00:00
Jade Ellis	f3f82831b4	docs: Changelog	2026-02-15 15:23:15 +00:00
Jade Ellis	26aac1408e	fix: Correct user agent changes Correct the domain Remove "embed" in the UA because the global UA was modified, rather than just the one for preview requests	2026-02-15 15:21:06 +00:00
Trash Panda	be8f62396a	feat(core): Change default user agent	2026-02-15 15:21:06 +00:00
Trash Panda	40996a6602	feat(core): Add config option for the url preview user agent	2026-02-15 15:21:05 +00:00
Jade Ellis	9cae531f90	doc: Changelog	2026-02-15 15:19:03 +00:00
Jade Ellis	56eea935b6	feat: Deadlock detector thread	2026-02-15 15:19:02 +00:00
Renovate Bot	fcb646f8c4	chore(deps): update rust-patch-updates	2026-02-15 05:02:30 +00:00
Jade Ellis	57b21c1b32	docs: Add links to matrix guides	2026-02-14 19:29:07 +00:00
Ginger	8d66500c99	chore: Code cleanup	2026-02-14 14:12:57 -05:00
Simon Gardling	abacf1dc20	chore: News fragment	2026-02-14 14:12:42 -05:00
Simon Gardling	134e5cadaf	fix(sliding-sync): Properly handle wildcard state_key Fixes calls as described in https://forgejo.ellis.link/continuwuation/continuwuity/issues/1306	2026-02-14 14:12:35 -05:00
Renovate Bot	8ec0f0d830	chore(deps): update dependency @rspress/plugin-client-redirects to v2.0.3	2026-02-14 14:14:40 +00:00
Renovate Bot	0453544036	chore(deps): update dependency cargo-bins/cargo-binstall to v1.17.5	2026-02-14 05:03:21 +00:00
Jade Ellis	89ad809270	docs: Correct comment on rtc_focus_server_urls	2026-02-13 19:52:39 +00:00
Chris W Jones	ecd3a4eb41	build: Update ruwuma for RTC Foci responses	2026-02-13 19:52:39 +00:00
Chris W Jones	5506997ca0	feat: Add config option for livekit This adds a new config option under `global.well_known` for livekit server URLs. It also updates the well_known client API endpoint to return this list. Closes #1355	2026-02-13 19:52:39 +00:00
Renovate Bot	abc0683d59	chore(deps): update dependency @rspress/core to v2.0.3	2026-02-13 19:32:56 +00:00
Renovate Bot	dd60beb9fb	chore(deps): update dependency @rspress/plugin-sitemap to v2.0.3	2026-02-13 05:04:20 +00:00
arxari	d9520f9382	Change the federation testing site in the docs to a more verbose one The new site is easy to use at a glance but provides more advanced info if needed Nexxy approved https://matrix.to/#/#offtopic:continuwuity.org/$rHSywj-s3v9onrROBcwDCHnnOpPVFbu0-Xgrh9A4btw	2026-02-12 20:13:47 +00:00
arxari	40bb5366bb	Change the federation testing site to a more verbose one The new site is easy to use at a glance but provides more advanced info if needed Nexxy approved https://matrix.to/#/#offtopic:continuwuity.org/$rHSywj-s3v9onrROBcwDCHnnOpPVFbu0-Xgrh9A4btw	2026-02-12 20:11:20 +00:00
timedout	f82bd77073	style: Fix clippy issues	2026-02-12 19:10:13 +00:00
timedout	7d84ba5ff2	fix: Don't include latest_events in output	2026-02-12 17:37:29 +00:00
timedout	69a8937584	fix: Complement runner	2026-02-12 17:23:39 +00:00
timedout	b2ec13d342	fix: Redo the get_missing_events federation route	2026-02-12 16:48:12 +00:00
				`@@ -1 +0,0 @@`
				`Fixed invites sent to other users in the same homeserver not being properly sent down sync. Users with missing or broken invites should clear their client caches after updating to make them appear.`
				`@@ -1 +0,0 @@`
				`Introduce a resolver command to allow flushing a server from the cache or to flush the complete cache. Contributed by @Omar007`