Implement the roles service that manages space permission cascading:
- In-memory cache populated from state events, rebuilt on startup
- Join gating, power level sync (highest-wins across parent spaces),
auto-join on role grant, auto-kick on role revocation
- Per-space enable/disable via com.continuwuity.space.cascading event
- Background enforcement tasks with semaphore-limited concurrency
- Graceful shutdown support via server.running() checks
Add four custom Matrix state event content types for space role
management: space roles definitions, per-user role assignments,
per-room role requirements, and per-space cascading override.
Add server config options: space_permission_cascading (default false)
as the server-wide toggle, and space_roles_cache_flush_threshold
(default 1000) for cache management.
15-task plan covering config flag, custom event types, service layer,
cache, enforcement hooks, admin commands, and testing.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Covers power level cascading from Spaces to child rooms, role-based
room access control, continuous enforcement, and admin room commands.
Feature will be behind a server-wide config flag.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
systemd v260 has introduced a new option: RefreshOnReload, of which when set to true automatically reloads all confext and credential files. This should eliminate the full restart requirement to reload a changed configuration.
Add Quick Run section with complete getting-started workflow including
admin user creation via --execute flag. Consolidate Docker Compose to
treat reverse proxy as essential with Traefik/Caddy/nginx examples.
Move detailed image building to development guide, keeping deployment
docs focused on using pre-built images.
Create environment variables reference with practical examples and
context. Clarify built-in TLS is for testing only; production should
use reverse proxies.
* rename "Continuwuity and Matrix issues" to just "Continuwuity issues"
* move "Config not applying" subsection to C10y issues section
* rename "General potential issues" to just "DNS issues" - this section
will be elaborated later in a DNS tuning page
