docs: Changelog

(means that you don't have to specify conduwuit in docker image runs)

.forgejo/actions/create-docker-manifest/action.yml

@@ -44,7 +44,7 @@ runs:
 
     - name: Login to builtin registry
       if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
-      uses: docker/login-action@v4
+      uses: docker/login-action@v3
       with:
         registry: ${{ env.BUILTIN_REGISTRY }}
         username: ${{ inputs.registry_user }}
@@ -52,7 +52,7 @@ runs:
 
     - name: Set up Docker Buildx
       if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
-      uses: docker/setup-buildx-action@v4
+      uses: docker/setup-buildx-action@v3
       with:
         # Use persistent BuildKit if BUILDKIT_ENDPOINT is set (e.g. tcp://buildkit:8125)
         driver: ${{ env.BUILDKIT_ENDPOINT != '' && 'remote' || 'docker-container' }}
@@ -61,7 +61,7 @@ runs:
     - name: Extract metadata (tags) for Docker
       if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
       id: meta
-      uses: docker/metadata-action@v6
+      uses: docker/metadata-action@v5
       with:
         flavor: |
           latest=auto

.forgejo/actions/prepare-docker-build/action.yml

@@ -67,7 +67,7 @@ runs:
       uses: ./.forgejo/actions/rust-toolchain
 
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v4
+      uses: docker/setup-buildx-action@v3
       with:
         # Use persistent BuildKit if BUILDKIT_ENDPOINT is set (e.g. tcp://buildkit:8125)
         driver: ${{ env.BUILDKIT_ENDPOINT != '' && 'remote' || 'docker-container' }}
@@ -79,7 +79,7 @@ runs:
 
     - name: Login to builtin registry
       if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
-      uses: docker/login-action@v4
+      uses: docker/login-action@v3
       with:
         registry: ${{ env.BUILTIN_REGISTRY }}
         username: ${{ inputs.registry_user }}
@@ -87,7 +87,7 @@ runs:
 
     - name: Extract metadata (labels, annotations) for Docker
       id: meta
-      uses: docker/metadata-action@v6
+      uses: docker/metadata-action@v5
       with:
         images: ${{ inputs.images }}
         # default labels & annotations: https://github.com/docker/metadata-action/blob/master/src/meta.ts#L509
@@ -152,7 +152,7 @@ runs:
 
     - name: inject cache into docker
       if: ${{ env.BUILDKIT_ENDPOINT == '' }}
-      uses: https://github.com/reproducible-containers/buildkit-cache-dance@v3.3.2
+      uses: https://github.com/reproducible-containers/buildkit-cache-dance@v3.3.0
       with:
         cache-map: |
           {

.forgejo/regsync/regsync.yml

@@ -62,6 +62,10 @@ sync:
     target: registry.gitlab.com/continuwuity/continuwuity
     type: repository
     <<: *tags-main
+  - source: *source
+    target: git.nexy7574.co.uk/mirrored/continuwuity
+    type: repository
+    <<: *tags-releases
   - source: *source
     target: ghcr.io/continuwuity/continuwuity
     type: repository

.forgejo/workflows/build-debian.yml

@@ -30,22 +30,22 @@ jobs:
           echo "version=$VERSION" >> $GITHUB_OUTPUT
           echo "distribution=$DISTRIBUTION" >> $GITHUB_OUTPUT
           echo "Debian distribution: $DISTRIBUTION ($VERSION)"
-      #- name: Work around llvm-project#153385
-      #  id: llvm-workaround
-      #  run: |
-      #    if [ -f /usr/share/apt/default-sequoia.config ]; then
-      #      echo "Applying workaround for llvm-project#153385"
-      #      mkdir -p /etc/crypto-policies/back-ends/
-      #      cp /usr/share/apt/default-sequoia.config /etc/crypto-policies/back-ends/apt-sequoia.config
-      #      sed -i 's/\(sha1\.second_preimage_resistance = \)2026-02-01/\12026-06-01/' /etc/crypto-policies/back-ends/apt-sequoia.config
-      #    else
-      #      echo "No workaround needed for llvm-project#153385"
-      #    fi
+      - name: Work around llvm-project#153385
+        id: llvm-workaround
+        run: |
+          if [ -f /usr/share/apt/default-sequoia.config ]; then
+            echo "Applying workaround for llvm-project#153385"
+            mkdir -p /etc/crypto-policies/back-ends/
+            cp /usr/share/apt/default-sequoia.config /etc/crypto-policies/back-ends/apt-sequoia.config
+            sed -i 's/\(sha1\.second_preimage_resistance = \)2026-02-01/\12026-06-01/' /etc/crypto-policies/back-ends/apt-sequoia.config
+          else
+            echo "No workaround needed for llvm-project#153385"
+          fi
       - name: Pick compatible clang version
         id: clang-version
         run: |
           # both latest need to use clang-23, but oldstable and previous can just use clang
-          if [[ "${{ matrix.container }}" == "ubuntu-latest" ]]; then
+          if [[ "${{ matrix.container }}" == "ubuntu-latest" || "${{ matrix.container }}" == "debian-latest" ]]; then
             echo "Using clang-23 package for ${{ matrix.container }}"
             echo "version=clang-23" >> $GITHUB_OUTPUT
           else

.forgejo/workflows/release-image.yml

@@ -59,7 +59,7 @@ jobs:
           registry_password: ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}
       - name: Build and push Docker image by digest
         id: build
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@v6
         with:
           context: .
           file: "docker/Dockerfile"
@@ -146,7 +146,7 @@ jobs:
           registry_password: ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}
       - name: Build and push max-perf Docker image by digest
         id: build
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@v6
         with:
           context: .
           file: "docker/Dockerfile"

.forgejo/workflows/renovate.yml

@@ -43,7 +43,7 @@ jobs:
     name: Renovate
     runs-on: ubuntu-latest
     container:
-      image: ghcr.io/renovatebot/renovate:43.59.4@sha256:f951508dea1e7d71cbe6deca298ab0a05488e7631229304813f630cc06010892
+      image: ghcr.io/renovatebot/renovate:42.70.2@sha256:3c2ac1b94fa92ef2fa4d1a0493f2c3ba564454720a32fdbcac2db2846ff1ee47
       options: --tmpfs /tmp:exec
     steps:
       - name: Checkout

.forgejo/workflows/update-flake-hashes.yml

@@ -23,7 +23,7 @@ jobs:
           persist-credentials: true
           token: ${{ secrets.FORGEJO_TOKEN }}
 
-      - uses: https://github.com/cachix/install-nix-action@19effe9fe722874e6d46dd7182e4b8b7a43c4a99 # v31.10.0
+      - uses: https://github.com/cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31.9.0
         with:
           nix_path: nixpkgs=channel:nixos-unstable
 

.github/FUNDING.yml

@@ -1,4 +1,4 @@
 github: [JadedBlueEyes, nexy7574, gingershaped]
 custom:
-  - https://timedout.uk/donate.html
-  - https://jade.ellis.link/sponsors
+  - https://ko-fi.com/nexy7574
+  - https://ko-fi.com/JadedBlueEyes

.pre-commit-config.yaml

@@ -1,6 +1,5 @@
 default_install_hook_types:
   - pre-commit
-  - pre-push
   - commit-msg
 default_stages:
   - pre-commit
@@ -24,7 +23,7 @@ repos:
         - id: check-added-large-files
 
   - repo: https://github.com/crate-ci/typos
-    rev: v1.44.0
+    rev: v1.43.5
     hooks:
       - id: typos
       - id: typos
@@ -32,7 +31,7 @@ repos:
         stages: [commit-msg]
 
   - repo: https://github.com/crate-ci/committed
-    rev: v1.1.11
+    rev: v1.1.10
     hooks:
     - id: committed
 
@@ -46,14 +45,3 @@ repos:
         pass_filenames: false
         stages:
             - pre-commit
-
-  - repo: local
-    hooks:
-      - id: cargo-clippy
-        name: cargo clippy
-        entry: cargo clippy -- -D warnings
-        language: system
-        pass_filenames: false
-        types: [rust]
-        stages:
-          - pre-push

CHANGELOG.md

@@ -1,32 +1,3 @@
-# Continuwuity 0.5.6 (2026-03-03)
-
-## Security
-
-- Admin escape commands received over federation will never be executed, as this is never valid in a genuine situation. Contributed by @Jade.
-- Fixed data amplification vulnerability (CWE-409) that affected configurations with server-side compression enabled (non-default). Contributed by @nex.
-
-## Features
-
-- Outgoing presence is now disabled by default, and the config option documentation has been adjusted to more accurately represent the weight of presence, typing indicators, and read receipts. Contributed by @nex. ([#1399](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1399))
-- Improved the concurrency handling of federation transactions, vastly improving performance and reliability by more accurately handling inbound transactions and reducing the amount of repeated wasted work. Contributed by @nex and @Jade. ([#1428](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1428))
-- Added [MSC3202](https://github.com/matrix-org/matrix-spec-proposals/pull/3202) Device masquerading (not all of MSC3202). This should fix issues with enabling [MSC4190](https://github.com/matrix-org/matrix-spec-proposals/pull/4190) for some Mautrix bridges. Contributed by @Jade ([#1435](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1435))
-- Added [MSC3814](https://github.com/matrix-org/matrix-spec-proposals/pull/3814) Dehydrated Devices - you can now decrypt messages sent while all devices were logged out. ([#1436](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1436))
-- Implement [MSC4143](https://github.com/matrix-org/matrix-spec-proposals/pull/4143) MatrixRTC transport discovery endpoint. Move RTC foci configuration from `[global.well_known]` to a new `[global.matrix_rtc]` section with a `foci` field. Contributed by @0xnim ([#1442](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1442))
-- Updated `list-backups` admin command to output one backup per line. ([#1394](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1394))
-- Improved URL preview fetching with a more compatible user agent for sites like YouTube Music. Added `!admin media delete-url-preview <url>` command to clear cached URL previews that were stuck and broken. ([#1434](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1434))
-
-## Bugfixes
-
-- Removed non-compliant nor functional room alias lookups over federation. Contributed by @nex ([#1393](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1393))
-- Removed ability to set rocksdb as read only. Doing so would cause unintentional and buggy behaviour. Contributed by @Terryiscool160. ([#1418](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1418))
-- Fixed a startup crash in the sender service if we can't detect the number of CPU cores, even if the `sender_workers` config option is set correctly. Contributed by @katie. ([#1421](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1421))
-- Removed the `allow_public_room_directory_without_auth` config option. Contributed by @0xnim. ([#1441](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1441))
-- Fixed sliding sync v5 list ranges always starting from 0, causing extra rooms to be unnecessarily processed and returned. Contributed by @0xnim ([#1445](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1445))
-- Fixed a bug that (repairably) caused a room split between continuwuity and non-continuwuity servers when the room had both `m.room.policy` and `org.matrix.msc4284.policy` in its room state. Contributed by @nex ([#1481](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1481))
-- Fixed `!admin media delete --mxc <url>` responding with an error message when the media was deleted successfully. Contributed by @lynxize
-- Fixed spurious 404 media errors in the logs. Contributed by @benbot.
-- Fixed spurious warn about needed backfill via federation for non-federated rooms. Contributed by @kraem.
-
 # Continuwuity v0.5.5 (2026-02-15)
 
 ## Features

CONTRIBUTING.md

@@ -22,18 +22,22 @@ Continuwuity uses pre-commit hooks to enforce various coding standards and catch
 - Validating YAML, JSON, and TOML files
 - Checking for merge conflicts
 
-You can run these checks locally by installing [prek](https://github.com/j178/prek):
+You can run these checks locally by installing [prefligit](https://github.com/j178/prefligit):
 
 
 ```bash
-# Install prek using cargo-binstall
-cargo binstall prek
+# Requires UV: https://docs.astral.sh/uv/getting-started/installation/
+# Mac/linux: curl -LsSf https://astral.sh/uv/install.sh | sh
+# Windows: powershell -ExecutionPolicy ByPass -c "irm https://astral.sh/uv/install.ps1 | iex"
+
+# Install prefligit using cargo-binstall
+cargo binstall prefligit
 
 # Install git hooks to run checks automatically
-prek install
+prefligit install
 
 # Run all checks
-prek --all-files
+prefligit --all-files
 ```
 
 Alternatively, you can use [pre-commit](https://pre-commit.com/):
@@ -50,7 +54,7 @@ pre-commit install
 pre-commit run --all-files
 ```
 
-These same checks are run in CI via the prek-checks workflow to ensure consistency. These must pass before the PR is merged.
+These same checks are run in CI via the prefligit-checks workflow to ensure consistency. These must pass before the PR is merged.
 
 ### Running tests locally
 

Cargo.toml

@@ -12,7 +12,7 @@ license = "Apache-2.0"
 # See also `rust-toolchain.toml`
 readme = "README.md"
 repository = "https://forgejo.ellis.link/continuwuation/continuwuity"
-version = "0.5.7-alpha.1"
+version = "0.5.5"
 
 [workspace.metadata.crane]
 name = "conduwuit"
@@ -99,7 +99,7 @@ features = [
 [workspace.dependencies.axum-extra]
 version = "0.12.0"
 default-features = false
-features = ["typed-header", "tracing", "cookie"]
+features = ["typed-header", "tracing"]
 
 [workspace.dependencies.axum-server]
 version = "0.7.2"
@@ -144,7 +144,6 @@ features = [
     "socks",
     "hickory-dns",
     "http2",
-    "stream",
 ]
 
 [workspace.dependencies.serde]
@@ -159,7 +158,7 @@ features = ["raw_value"]
 
 # Used for appservice registration files
 [workspace.dependencies.serde-saphyr]
-version = "0.0.21"
+version = "0.0.19"
 
 # Used to load forbidden room/user regex from config
 [workspace.dependencies.serde_regex]
@@ -969,6 +968,3 @@ needless_raw_string_hashes = "allow"
 
 # TODO: Enable this lint & fix all instances
 collapsible_if = "allow"
-
-# TODO: break these apart
-cognitive_complexity = "allow"

bin/complement

@@ -6,10 +6,10 @@ set -euo pipefail
 COMPLEMENT_SRC="${COMPLEMENT_SRC:-$1}"
 
 # A `.jsonl` file to write test logs to
-LOG_FILE="${2:-tests/test_results/complement/test_logs.jsonl}"
+LOG_FILE="${2:-complement_test_logs.jsonl}"
 
 # A `.jsonl` file to write test results to
-RESULTS_FILE="${3:-tests/test_results/complement/test_results.jsonl}"
+RESULTS_FILE="${3:-complement_test_results.jsonl}"
 
 # The base docker image to use for complement tests
 # You can build the default with `docker build -t continuwuity:complement -f ./docker/complement.Dockerfile .`

changelog.d/+6368729a.feature.md

@@ -1 +0,0 @@
-Added support for using an admin command to issue self-service password reset links.

changelog.d/+6e57599d.bugfix.md

@@ -1 +0,0 @@
-Stopped left rooms from being unconditionally sent on initial sync, hopefully fixing spurious appearances of left rooms in some clients (and making sync faster as a bonus). Contributed by @ginger

changelog.d/+space-permission-cascading.feature.md

@@ -1 +0,0 @@
-Add Space permission cascading: power levels cascade from Spaces to child rooms, role-based room access with custom roles, continuous enforcement (auto-join/kick), and admin commands for role management. Server-wide default controlled by `space_permission_cascading` config flag (off by default), with per-Space overrides via `!admin space roles enable/disable <space>`.

changelog.d/1265.bugfix

@@ -1 +0,0 @@
-Fixed corrupted appservice registrations causing the server to enter a crash loop. Contributed by @nex.

changelog.d/1371.feature.md

@@ -1 +0,0 @@
-Re-added support for reading registration tokens from a file. Contributed by @ginger and @benbot.

changelog.d/1393.bugfix

@@ -0,0 +1 @@
+Removed non-compliant nor functional room alias lookups over federation. Contributed by @nex

changelog.d/1399.feature

@@ -0,0 +1 @@
+Outgoing presence is now disabled by default, and the config option documentation has been adjusted to more accurately represent the weight of presence, typing indicators, and read receipts. Contributed by @nex.

changelog.d/1418.bugfix

@@ -0,0 +1 @@
+Removed ability to set rocksdb as read only. Doing so would cause unintentional and buggy behaviour. Contributed by @Terryiscool160.

changelog.d/1421.bugfix

@@ -0,0 +1 @@
+Fixed a startup crash in the sender service if we can't detect the number of CPU cores, even if the `sender_workers' config option is set correctly. Contributed by @katie.

changelog.d/1428.feature

@@ -0,0 +1 @@
+Improved the concurrency handling of federation transactions, vastly improving performance and reliability by more accurately handling inbound transactions and reducing the amount of repeated wasted work. Contributed by @nex and @Jade.

changelog.d/1435.feature.md

@@ -0,0 +1 @@
+Added MSC3202 Device masquerading (not all of MSC3202). This should fix issues with enabling MSC4190 for some Mautrix bridges. Contributed by @Jade

changelog.d/1436.feature.md

@@ -0,0 +1 @@
+Added MSC3814 Dehydrated Devices - you can now decrypt messages sent while all devices were logged out.

changelog.d/1441.bugfix

@@ -0,0 +1 @@
+Removed the `allow_public_room_directory_without_auth` config option. Contributed by @0xnim.

changelog.d/1442.feature

@@ -0,0 +1 @@
+Implement MSC4143 MatrixRTC transport discovery endpoint. Move RTC foci configuration from `[global.well_known]` to a new `[global.matrix_rtc]` section with a `foci` field. Contributed by @0xnim

changelog.d/1445.bugfix

@@ -0,0 +1 @@
+Fixed sliding sync v5 list ranges always starting from 0, causing extra rooms to be unnecessarily processed and returned. Contributed by @0xnim

changelog.d/1448.bugfix

@@ -1 +0,0 @@
-Prevent removing the admin room alias (`#admins`) to avoid accidentally breaking admin room functionality. Contributed by @0xnim

changelog.d/1485.feature.md

@@ -0,0 +1 @@
+BREAKING: Added an entrypoint to the Docker image. This means you no longer need to specify the binary when running a command using the image. Contributed by @Jade

changelog.d/1527.feature.md

@@ -1 +0,0 @@
-Add new config option to allow or disallow search engine indexing through a `<meta ../>` tag. Defaults to blocking indexing (`content="noindex"`). Contributed by @s1lv3r and @ginger.

changelog.d/list-backups-formatting.feature

@@ -0,0 +1 @@
+Updated `list-backups` admin command to output one backup per line.

changelog.d/url-preview-fix.feature

@@ -0,0 +1 @@
+Improved URL preview fetching with a more compatible user agent for sites like YouTube Music. Added `!admin media delete-url-preview <url>` command to clear cached URL previews that were stuck and broken.

clippy.toml

@@ -15,18 +15,6 @@ disallowed-macros = [
 	{ path = "log::trace", reason = "use conduwuit_core::trace" },
 ]
 
-[[disallowed-methods]]
-path = "tokio::spawn"
-reason = "use and pass conduwuit_core::server::Server::runtime() to spawn from"
-
-[[disallowed-methods]]
-path = "reqwest::Response::bytes"
-reason = "bytes is unsafe, use limit_read via the conduwuit_core::utils::LimitReadExt trait instead"
-
-[[disallowed-methods]]
-path = "reqwest::Response::text"
-reason = "text is unsafe, use limit_read_text via the conduwuit_core::utils::LimitReadExt trait instead"
-
-[[disallowed-methods]]
-path = "reqwest::Response::json"
-reason = "json is unsafe, use limit_read_text via the conduwuit_core::utils::LimitReadExt trait instead"
+disallowed-methods = [
+    { path = "tokio::spawn", reason = "use and pass conduuwit_core::server::Server::runtime() to spawn from" },
+]

complement/complement.config.toml

@@ -11,7 +11,7 @@ allow_guest_registration = true
 allow_public_room_directory_over_federation = true
 allow_registration = true
 database_path = "/database"
-log = "trace,h2=debug,hyper=debug,conduwuit_database=warn,conduwuit_service::manager=info,conduwuit_api::router=error,conduwuit_router=error,tower_http=error"
+log = "trace,h2=debug,hyper=debug"
 port = [8008, 8448]
 trusted_servers = []
 only_query_trusted_key_servers = false
@@ -24,7 +24,7 @@ url_preview_domain_explicit_denylist = ["*"]
 media_compat_file_link = false
 media_startup_check = true
 prune_missing_media = true
-log_colors = false
+log_colors = true
 admin_room_notices = false
 allow_check_for_updates = false
 intentionally_unknown_config_option_for_testing = true
@@ -47,7 +47,6 @@ federation_idle_timeout = 300
 sender_timeout = 300
 sender_idle_timeout = 300
 sender_retry_backoff_limit = 300
-force_disable_first_run_mode = true
 
 [global.tls]
 dual_protocol = true

conduwuit-example.toml

@@ -25,10 +25,6 @@
 #
 # Also see the `[global.well_known]` config section at the very bottom.
 #
-# If `client` is not set under `[global.well_known]`, the server name will
-# be used as the base domain for user-facing links (such as password
-# reset links) created by Continuwuity.
-#
 # Examples of delegation:
 # - https://continuwuity.org/.well-known/matrix/server
 # - https://continuwuity.org/.well-known/matrix/client
@@ -474,43 +470,24 @@
 #
 #suspend_on_register = false
 
-# Server-wide default for space permission cascading (power levels and
-# role-based access). Individual Spaces can override this via the
-# `com.continuwuity.space.cascading` state event or the admin command
-# `!admin space roles enable/disable <space>`.
-#
-#space_permission_cascading = false
-
-# Maximum number of spaces to cache role data for. When exceeded the
-# cache is cleared and repopulated on demand.
-#
-#space_roles_cache_flush_threshold = 1000
-
 # Enabling this setting opens registration to anyone without restrictions.
 # This makes your server vulnerable to abuse
 #
 #yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse = false
 
 # A static registration token that new users will have to provide when
-# creating an account. This token does not supersede tokens from other
-# sources, such as the `!admin token` command or the
-# `registration_token_file` configuration option.
+# creating an account. If unset and `allow_registration` is true,
+# you must set
+# `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse`
+# to true to allow open registration without any conditions.
+#
+# If you do not want to set a static token, the `!admin token` commands
+# may also be used to manage registration tokens.
 #
 # example: "o&^uCtes4HPf0Vu@F20jQeeWE7"
 #
 #registration_token =
 
-# A path to a file containing static registration tokens, one per line.
-# Tokens in this file do not supersede tokens from other sources, such as
-# the `!admin token` command or the `registration_token` configuration
-# option.
-#
-# The file will be read once, when Continuwuity starts. It is not
-# currently reread when the server configuration is reloaded. If the file
-# cannot be read, Continuwuity will fail to start.
-#
-#registration_token_file =
-
 # The public site key for reCaptcha. If this is provided, reCaptcha
 # becomes required during registration. If both captcha *and*
 # registration token are enabled, both will be required during
@@ -1521,11 +1498,6 @@
 #
 #url_preview_user_agent = "continuwuity/<version> (bot; +https://continuwuity.org)"
 
-# Determines whether audio and video files will be downloaded for URL
-# previews.
-#
-#url_preview_allow_audio_video = false
-
 # List of forbidden room aliases and room IDs as strings of regex
 # patterns.
 #
@@ -1811,11 +1783,6 @@
 #
 #config_reload_signal = true
 
-# Allow search engines and crawlers to index Continuwuity's built-in
-# webpages served under the `/_continuwuity/` prefix.
-#
-#allow_web_indexing = false
-
 [global.tls]
 
 # Path to a valid TLS certificate file.

docker/Dockerfile

@@ -48,7 +48,7 @@ EOF
 
 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.17.7
+ENV BINSTALL_VERSION=1.17.5
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree
@@ -281,4 +281,5 @@ ENV LD_LIBRARY_PATH=/usr/lib
 # Continuwuity default port
 EXPOSE 8008
 
+ENTRYPOINT [ "/sbin/conduwuit" ]
 CMD ["/sbin/conduwuit"]

docker/musl.Dockerfile

@@ -18,7 +18,7 @@ RUN --mount=type=cache,target=/etc/apk/cache apk add \
 
 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.17.7
+ENV BINSTALL_VERSION=1.17.5
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree

docs/_meta.json

@@ -34,11 +34,6 @@
         "name": "troubleshooting",
         "label": "Troubleshooting"
     },
-    {
-        "type": "dir",
-        "name": "advanced",
-        "label": "Advanced"
-    },
     "security",
     {
         "type": "dir-section-header",
@@ -69,11 +64,6 @@
         "label": "Configuration Reference",
         "name": "/reference/config"
     },
-    {
-        "type": "file",
-        "label": "Environment Variables",
-        "name": "/reference/environment-variables"
-    },
     {
         "type": "dir",
         "label": "Admin Command Reference",

docs/_nav.json

@@ -2,7 +2,7 @@
     {
         "text": "Guide",
         "link": "/introduction",
-        "activeMatch": "^/(introduction|configuration|deploying|calls|appservices|maintenance|troubleshooting|advanced)"
+        "activeMatch": "^/(introduction|configuration|deploying|calls|appservices|maintenance|troubleshooting)"
     },
     {
         "text": "Development",

docs/advanced/_meta.json

@@ -1,7 +0,0 @@
-[
-    {
-        "type": "file",
-        "name": "delegation",
-        "label": "Delegation / split-domain"
-    }
-]

docs/advanced/delegation.mdx

@@ -1,206 +0,0 @@
-# Delegation/split-domain deployment
-
-Matrix allows clients and servers to discover a homeserver's "true" destination via **`.well-known` delegation**. This is especially useful if you would like to:
-
-- Serve Continuwuity on a subdomain while having only the base domain for your usernames
-- Use a port other than `:8448` for server-to-server connections
-
-This guide will show you how to have `@user:example.com` usernames while serving Continuwuity on `https://matrix.example.com`. It assumes you are using port 443 for both client-to-server connections and server-to-server federation.
-
-## Configuration
-
-First, ensure you have set up A/AAAA records for `matrix.example.com` and `example.com` pointing to your IP.
-
-Then, ensure that the `server_name` field matches your intended username suffix. If this is not the case, you **MUST** wipe the database directory and reinstall Continuwuity with your desired `server_name`.
-
-Then, in the `[global.well_known]` section of your config file, add the following fields:
-
-```toml
-[global.well_known]
-
-client = "https://matrix.example.com"
-
-# port number MUST be specified
-server = "matrix.example.com:443"
-
-# (optional) customize your support contacts
-#support_page =
-#support_role = "m.role.admin"
-#support_email =
-#support_mxid = "@user:example.com"
-```
-
-Alternatively if you are using Docker, you can set the `CONTINUWUITY_WELL_KNOWN` environment variable as below:
-
-```yaml
-services:
-  continuwuity:
-    ...
-    environment:
-      CONTINUWUITY_WELL_KNOWN: |
-        {
-        client=https://matrix.example.com,
-        server=matrix.example.com:443
-        }
-```
-
-## Serving with a reverse proxy
-
-After doing the steps above, Continuwuity will serve these 3 JSON files:
-
-- `/.well-known/matrix/client`: for Client-Server discovery
-- `/.well-known/matrix/server`: for Server-Server (federation) discovery
-- `/.well-known/matrix/support`: admin contact details (strongly recommended to have)
-
-To enable full discovery, you will need to reverse proxy these paths from the base domain back to Continuwuity.
-
-<details>
-
-<summary>For Caddy</summary>
-
-```
-matrix.example.com:443 {
-  reverse_proxy 127.0.0.1:8008
-}
-
-example.com:443 {
-  reverse_proxy /.well-known/matrix* 127.0.0.1:8008
-}
-```
-
-</details>
-
-<details>
-
-<summary>For Traefik (via Docker labels)</summary>
-
-```
-services:
-  continuwuity:
-    ...
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.continuwuity.rule=(Host(`matrix.example.com`) || (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))"
-      - "traefik.http.routers.continuwuity.service=continuwuity"
-      - "traefik.http.services.continuwuity.loadbalancer.server.port=8008"
-```
-
-</details>
-
-Restart Continuwuity and your reverse proxy. Once that's done, visit these routes and check that the responses match the examples below:
-
-<details open>
-
-<summary>`https://example.com/.well-known/matrix/server`</summary>
-
-```json
-{
-  "m.server": "matrix.example.com:443"
-}
-```
-
-</details>
-
-<details open>
-
-<summary>`https://example.com/.well-known/matrix/client`</summary>
-
-```json
-{
-  "m.homeserver": {
-    "base_url": "https://matrix.example.com/"
-  }
-}
-```
-
-</details>
-
-## Troubleshooting
-
-### Cannot log in with web clients
-
-Make sure there is an `Access-Control-Allow-Origin: *` header in your `/.well-known/matrix/client` path. While Continuwuity serves this header by default, it may be dropped by reverse proxies or other middlewares.
-
----
-
-## Using SRV records (not recommended)
-
-:::warning
-The following methods are **not recommended** due to increased complexity with little benefits. If you have already set up `.well-known` delegation as above, you can safely skip this part.
-:::
-
-The following methods uses SRV DNS records and only work with federation traffic. They are only included for completeness.
-
-<details>
-
-<summary>Using only SRV records</summary>
-
-If you can't set up `/.well-known/matrix/server` on :443 for some reason, you can set up a SRV record (via your DNS provider) as below:
-
-- Service and name: `_matrix-fed._tcp.example.com.`
-- Priority: `10` (can be any number)
-- Weight: `10` (can be any number)
-- Port: `443`
-- Target: `matrix.example.com.`
-
-On the target's IP at port 443, you must configure a valid route and cert for your server name, `example.com`. Therefore, this method only works to redirect traffic into the right IP/port combo, and can not delegate your federation to a different domain.
-
-</details>
-
-<details>
-
-<summary>Using SRV records + .well-known</summary>
-
-You can also set up `/.well-known/matrix/server` with a delegated domain but no ports:
-
-```toml
-[global.well_known]
-server = "matrix.example.com"
-```
-
-Then, set up a SRV record (via your DNS provider) to announce the port number as below:
-
-- Service and name: `_matrix-fed._tcp.matrix.example.com.`
-- Priority: `10` (can be any number)
-- Weight: `10` (can be any number)
-- Port: `443`
-- Target: `matrix.example.com.`
-
-On the target's IP at port 443, you'll need to provide a valid route and cert for `matrix.example.com`. It provides the same feature as pure `.well-known` delegation, albeit with more parts to handle.
-
-</details>
-
-<details>
-
-<summary>Using SRV records as a fallback for .well-known delegation</summary>
-
-Assume your delegation is as below:
-
-```toml
-[global.well_known]
-server = "example.com:443"
-```
-
-If your Continuwuity instance becomes temporarily unreachable, other servers will not be able to find your `/.well-known/matrix/server` file, and defaults to using `server_name:8448`. This incorrect cache can persist for a long time, and would hinder re-federation when your server eventually comes back online.
-
-If you want other servers to default to using port :443 even when it is offline, you could set up a SRV record (via your DNS provider) as follows:
-
-- Service and name: `_matrix-fed._tcp.example.com.`
-- Priority: `10` (can be any number)
-- Weight: `10` (can be any number)
-- Port: `443`
-- Target: `example.com.`
-
-On the target's IP at port 443, you'll need to provide a valid route and cert for `example.com`.
-
-</details>
-
----
-
-## Related Documentation
-
-See the following Matrix Specs for full details on client/server resolution mechanisms:
-
-- [Server-to-Server resolution](https://spec.matrix.org/v1.17/server-server-api/#resolving-server-names) (see this for more information on SRV records)
-- [Client-to-Server resolution](https://spec.matrix.org/v1.17/client-server-api/#server-discovery)
-- [MSC1929: Homeserver Admin Contact and Support page](https://github.com/matrix-org/matrix-spec-proposals/pull/1929)

docs/configuration.mdx

@@ -13,9 +13,8 @@ settings.
 
 The config file to use can be specified on the commandline when running
 Continuwuity by specifying the `-c`, `--config` flag. Alternatively, you can use
-the environment variable `CONTINUWUITY_CONFIG` to specify the config file to be
-used; see [the section on environment variables](#environment-variables) for
-more information.
+the environment variable `CONDUWUIT_CONFIG` to specify the config file to used.
+Conduit's environment variables are supported for backwards compatibility.
 
 ## Option commandline flag
 
@@ -53,15 +52,13 @@ This commandline argument can be paired with the `--option` flag.
 
 All of the settings that are found in the config file can be specified by using
 environment variables. The environment variable names should be all caps and
-prefixed with `CONTINUWUITY_`.
+prefixed with `CONDUWUIT_`.
 
 For example, if the setting you are changing is `max_request_size`, then the
-environment variable to set is `CONTINUWUITY_MAX_REQUEST_SIZE`.
+environment variable to set is `CONDUWUIT_MAX_REQUEST_SIZE`.
 
 To modify config options not in the `[global]` context such as
-`[global.well_known]`, use the `__` suffix split:
-`CONTINUWUITY_WELL_KNOWN__SERVER`
+`[global.well_known]`, use the `__` suffix split: `CONDUWUIT_WELL_KNOWN__SERVER`
 
-Conduit and conduwuit's environment variables are also supported for backwards
-compatibility, via the `CONDUIT_` and `CONDUWUIT_` prefixes respectively (e.g.
+Conduit's environment variables are supported for backwards compatibility (e.g.
 `CONDUIT_SERVER_NAME`).

docs/deploying/docker-compose.for-traefik.yml

@@ -6,9 +6,9 @@ services:
     ### then you are ready to go.
     image: forgejo.ellis.link/continuwuation/continuwuity:latest
     restart: unless-stopped
-    command: /sbin/conduwuit
     volumes:
       - db:/var/lib/continuwuity
+      - /etc/resolv.conf:/etc/resolv.conf:ro # Use the host's DNS resolver rather than Docker's.
       #- ./continuwuity.toml:/etc/continuwuity.toml
     networks:
       - proxy

docs/deploying/docker-compose.with-caddy.yml

@@ -16,14 +16,14 @@ services:
         restart: unless-stopped
         labels:
             caddy: example.com
-            caddy.reverse_proxy: /.well-known/matrix/* homeserver:6167
+            caddy.0_respond: /.well-known/matrix/server {"m.server":"matrix.example.com:443"}
+            caddy.1_respond: /.well-known/matrix/client {"m.server":{"base_url":"https://matrix.example.com"},"m.homeserver":{"base_url":"https://matrix.example.com"},"org.matrix.msc3575.proxy":{"url":"https://matrix.example.com"}}
 
     homeserver:
         ### If you already built the Continuwuity image with 'docker build' or want to use a registry image,
         ### then you are ready to go.
         image: forgejo.ellis.link/continuwuation/continuwuity:latest
         restart: unless-stopped
-        command: /sbin/conduwuit
         volumes:
             - db:/var/lib/continuwuity
             - /etc/resolv.conf:/etc/resolv.conf:ro # Use the host's DNS resolver rather than Docker's.
@@ -42,10 +42,6 @@ services:
             #CONTINUWUITY_LOG: warn,state_res=warn
             CONTINUWUITY_ADDRESS: 0.0.0.0
             #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
-
-            # Required for .well-known delegation - edit these according to your chosen domain
-            CONTINUWUITY_WELL_KNOWN__CLIENT: https://matrix.example.com
-            CONTINUWUITY_WELL_KNOWN__SERVER: matrix.example.com:443
         networks:
             - caddy
         labels:

docs/deploying/docker-compose.with-traefik.yml

@@ -6,7 +6,6 @@ services:
     ### then you are ready to go.
     image: forgejo.ellis.link/continuwuation/continuwuity:latest
     restart: unless-stopped
-    command: /sbin/conduwuit
     volumes:
       - db:/var/lib/continuwuity
       - /etc/resolv.conf:/etc/resolv.conf:ro # Use the host's DNS resolver rather than Docker's.

docs/deploying/docker-compose.yml

@@ -6,7 +6,6 @@ services:
         ### then you are ready to go.
         image: forgejo.ellis.link/continuwuation/continuwuity:latest
         restart: unless-stopped
-        command: /sbin/conduwuit
         ports:
             - 8448:6167
         volumes:

docs/deploying/docker.mdx

@@ -2,26 +2,28 @@
 
 ## Docker
 
-To run Continuwuity with Docker, you can either build the image yourself or pull
-it from a registry.
+To run Continuwuity with Docker, you can either build the image yourself or pull it
+from a registry.
 
 ### Use a registry
 
-Available OCI images:
+OCI images for Continuwuity are available in the registries listed below.
 
-| Registry         | Image                                                                                                                                                       | Notes                                                                        |
-| ---------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------- |
-| Forgejo Registry | [forgejo.ellis.link/continuwuation/continuwuity:latest](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/latest)                 | Latest tagged image.                                                         |
-| Forgejo Registry | [forgejo.ellis.link/continuwuation/continuwuity:main](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/main)                     | Main branch image.                                                           |
-| Forgejo Registry | [forgejo.ellis.link/continuwuation/continuwuity:latest-maxperf](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/latest-maxperf) | [Performance optimised version.](./generic.mdx#performance-optimised-builds) |
-| Forgejo Registry | [forgejo.ellis.link/continuwuation/continuwuity:main-maxperf](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/main-maxperf)     | [Performance optimised version.](./generic.mdx#performance-optimised-builds) |
+| Registry        | Image                                                           | Notes                  |
+| --------------- | --------------------------------------------------------------- | -----------------------|
+| Forgejo Registry| [forgejo.ellis.link/continuwuation/continuwuity:latest](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/latest)     | Latest tagged image.   |
+| Forgejo Registry| [forgejo.ellis.link/continuwuation/continuwuity:main](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/main)       | Main branch image.     |
+| Forgejo Registry| [forgejo.ellis.link/continuwuation/continuwuity:latest-maxperf](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/latest-maxperf) | [Performance optimised version.](./generic.mdx#performance-optimised-builds) |
+| Forgejo Registry| [forgejo.ellis.link/continuwuation/continuwuity:main-maxperf](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/main-maxperf)   | [Performance optimised version.](./generic.mdx#performance-optimised-builds) |
 
-**Example:**
+Use
 
 ```bash
-docker image pull forgejo.ellis.link/continuwuation/continuwuity:main-maxperf
+docker image pull $LINK
 ```
 
+to pull it to your machine.
+
 #### Mirrors
 
 Images are mirrored to multiple locations automatically, on a schedule:
@@ -31,146 +33,39 @@ Images are mirrored to multiple locations automatically, on a schedule:
 - `registry.gitlab.com/continuwuity/continuwuity`
 - `git.nexy7574.co.uk/mirrored/continuwuity` (releases only, no `main`)
 
-### Quick Run
+### Run
 
-Get a working Continuwuity server with an admin user in four steps:
-
-#### Prerequisites
-
-Continuwuity requires HTTPS for Matrix federation. You'll need:
-
-- A domain name pointing to your server
-- A reverse proxy with SSL/TLS certificates (Traefik, Caddy, nginx, etc.)
-
-See [Docker Compose](#docker-compose) for complete examples.
-
-#### Environment Variables
-
-- `CONTINUWUITY_SERVER_NAME` - Your Matrix server's domain name
-- `CONTINUWUITY_DATABASE_PATH` - Where to store your database (must match the
-  volume mount)
-- `CONTINUWUITY_ADDRESS` - Bind address (use `0.0.0.0` to listen on all
-  interfaces)
-- `CONTINUWUITY_ALLOW_REGISTRATION` - Set to `false` to disable registration, or
-  use with `CONTINUWUITY_REGISTRATION_TOKEN` to require a token (see
-  [reference](../reference/environment-variables.mdx#registration--user-configuration)
-  for details)
-
-See the
-[Environment Variables Reference](../reference/environment-variables.mdx) for
-more configuration options.
-
-#### 1. Pull the image
+When you have the image, you can simply run it with
 
 ```bash
-docker pull forgejo.ellis.link/continuwuation/continuwuity:latest
+docker run -d -p 8448:6167 \
+    -v db:/var/lib/continuwuity/ \
+    -e CONTINUWUITY_SERVER_NAME="your.server.name" \
+    -e CONTINUWUITY_ALLOW_REGISTRATION=false \
+    --name continuwuity $LINK
 ```
 
-#### 2. Start the server with initial admin user
+or you can use [Docker Compose](#docker-compose).
 
-```bash
-docker run -d \
-  -p 6167:6167 \
-  -v continuwuity_db:/var/lib/continuwuity \
-  -e CONTINUWUITY_SERVER_NAME="matrix.example.com" \
-  -e CONTINUWUITY_DATABASE_PATH="/var/lib/continuwuity" \
-  -e CONTINUWUITY_ADDRESS="0.0.0.0" \
-  -e CONTINUWUITY_ALLOW_REGISTRATION="false" \
-  --name continuwuity \
-  forgejo.ellis.link/continuwuation/continuwuity:latest \
-  /sbin/conduwuit --execute "users create-user admin"
-```
+The `-d` flag lets the container run in detached mode. You may supply an
+optional `continuwuity.toml` config file, the example config can be found
+[here](../reference/config.mdx). You can pass in different env vars to
+change config values on the fly. You can even configure Continuwuity completely by
+using env vars. For an overview of possible values, please take a look at the
+<a href="/examples/docker-compose.yml" target="_blank">`docker-compose.yml`</a> file.
 
-Replace `matrix.example.com` with your actual server name and `admin` with
-your preferred username.
-
-#### 3. Get your admin password
-
-```bash
-docker logs continuwuity 2>&1 | grep "Created user"
-```
-
-You'll see output like:
-
-```
-Created user with user_id: @admin:matrix.example.com and password: `[auto-generated-password]`
-```
-
-#### 4. Configure your reverse proxy
-
-Configure your reverse proxy to forward HTTPS traffic to Continuwuity. See
-[Docker Compose](#docker-compose) for examples.
-
-Once configured, log in with any Matrix client using `@admin:matrix.example.com`
-and the generated password. You'll automatically be invited to the admin room
-where you can manage your server.
+If you just want to test Continuwuity for a short time, you can use the `--rm`
+flag, which cleans up everything related to your container after you stop
+it.
 
 ### Docker Compose
 
-Docker Compose is the recommended deployment method. These examples include
-reverse proxy configurations for Matrix federation.
+If the `docker run` command is not suitable for you or your setup, you can also use one
+of the provided `docker-compose` files.
 
-#### Matrix Federation Requirements
+Depending on your proxy setup, you can use one of the following files:
 
-For Matrix federation to work, you need to serve `.well-known/matrix/client` and
-`.well-known/matrix/server` endpoints. You can achieve this either by:
-
-1. **Using a well-known service** - The compose files below include an nginx
-   container to serve these files
-2. **Using Continuwuity's built-in delegation** (easier for Traefik) - Configure
-   delegation files in your config, then proxy `/.well-known/matrix/*` to
-   Continuwuity
-
-**Traefik example using built-in delegation:**
-
-```yaml
-labels:
-  traefik.http.routers.continuwuity.rule: >-
-    (Host(`matrix.example.com`) ||
-     (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))
-```
-
-This routes your Matrix domain and well-known paths to Continuwuity.
-
-#### Creating Your First Admin User
-
-Add the `--execute` command to create an admin user on first startup. In your
-compose file, add under the `continuwuity` service:
-
-```yaml
-services:
-    continuwuity:
-        image: forgejo.ellis.link/continuwuation/continuwuity:latest
-        command: /sbin/conduwuit --execute "users create-user admin"
-        # ... rest of configuration
-```
-
-Then retrieve the auto-generated password:
-
-```bash
-docker compose logs continuwuity | grep "Created user"
-```
-
-#### Choose Your Reverse Proxy
-
-Select the compose file that matches your setup:
-
-:::note DNS Performance
-Docker's default DNS resolver can cause performance issues with Matrix
-federation. If you experience slow federation or DNS timeouts, you may need to
-use your host's DNS resolver instead. Add this volume mount to the
-`continuwuity` service:
-
-```yaml
-volumes:
-  - /etc/resolv.conf:/etc/resolv.conf:ro
-```
-
-See [Troubleshooting - DNS Issues](../troubleshooting.mdx#potential-dns-issues-when-using-docker)
-for more details and alternative solutions.
-:::
-
-##### For existing Traefik setup
+### For existing Traefik setup
 
 <details>
 <summary>docker-compose.for-traefik.yml</summary>
@@ -181,7 +76,7 @@ for more details and alternative solutions.
 
 </details>
 
-##### With Traefik included
+### With Traefik included
 
 <details>
 <summary>docker-compose.with-traefik.yml</summary>
@@ -192,7 +87,7 @@ for more details and alternative solutions.
 
 </details>
 
-##### With Caddy Docker Proxy
+### With Caddy Docker Proxy
 
 <details>
 <summary>docker-compose.with-caddy.yml</summary>
@@ -203,15 +98,9 @@ Replace all `example.com` placeholders with your own domain.
 
 ```
 
-If you don't already have a network for Caddy to monitor, create one first:
-
-```bash
-docker network create caddy
-```
-
 </details>
 
-##### For other reverse proxies
+### For other reverse proxies
 
 <details>
 <summary>docker-compose.yml</summary>
@@ -222,7 +111,7 @@ docker network create caddy
 
 </details>
 
-##### Override file for customisation
+### Override file
 
 <details>
 <summary>docker-compose.override.yml</summary>
@@ -233,24 +122,98 @@ docker network create caddy
 
 </details>
 
-#### Starting Your Server
+When picking the Traefik-related compose file, rename it to
+`docker-compose.yml`, and rename the override file to
+`docker-compose.override.yml`. Edit the latter with the values you want for your
+server.
 
-1. Choose your compose file and rename it to `docker-compose.yml`
-2. If using the override file, rename it to `docker-compose.override.yml` and
-   edit your values
-3. Start the server:
+When picking the `caddy-docker-proxy` compose file, it's important to first
+create the `caddy` network before spinning up the containers:
+
+```bash
+docker network create caddy
+```
+
+After that, you can rename it to `docker-compose.yml` and spin up the
+containers!
+
+Additional info about deploying Continuwuity can be found [here](generic.mdx).
+
+### Build
+
+Official Continuwuity images are built using **Docker Buildx** and the Dockerfile found at [`docker/Dockerfile`][dockerfile-path]. This approach uses common Docker tooling and enables efficient multi-platform builds.
+
+The resulting images are widely compatible with Docker and other container runtimes like Podman or containerd.
+
+The images *do not contain a shell*. They contain only the Continuwuity binary, required libraries, TLS certificates, and metadata.
+
+<details>
+<summary>Click to view the Dockerfile</summary>
+
+You can also <a href="https://forgejo.ellis.link/continuwuation/continuwuation/src/branch/main/docker/Dockerfile" target="_blank">view the Dockerfile on Forgejo</a>.
+
+```dockerfile file="../../docker/Dockerfile"
+
+```
+
+</details>
+
+To build an image locally using Docker Buildx, you can typically run a command like:
+
+```bash
+# Build for the current platform and load into the local Docker daemon
+docker buildx build --load --tag continuwuity:latest -f docker/Dockerfile .
+
+# Example: Build for specific platforms and push to a registry.
+# docker buildx build --platform linux/amd64,linux/arm64 --tag registry.io/org/continuwuity:latest -f docker/Dockerfile . --push
+
+# Example: Build binary optimised for the current CPU (standard release profile)
+# docker buildx build --load \
+#   --tag continuwuity:latest \
+#   --build-arg TARGET_CPU=native \
+#   -f docker/Dockerfile .
+
+# Example: Build maxperf variant (release-max-perf profile with LTO)
+# Optimised for runtime performance and smaller binary size, but requires longer build time
+# docker buildx build --load \
+#   --tag continuwuity:latest-maxperf \
+#   --build-arg TARGET_CPU=native \
+#   --build-arg RUST_PROFILE=release-max-perf \
+#   -f docker/Dockerfile .
+```
+
+Refer to the Docker Buildx documentation for more advanced build options.
+
+[dockerfile-path]: https://forgejo.ellis.link/continuwuation/continuwuation/src/branch/main/docker/Dockerfile
+
+### Run
+
+If you have already built the image or want to use one from the registries, you
+can start the container and everything else in the compose file in detached
+mode with:
 
 ```bash
 docker compose up -d
 ```
 
-See the [generic deployment guide](generic.mdx) for more deployment options.
+> **Note:** Don't forget to modify and adjust the compose file to your needs.
 
-### Building Custom Images
+### Use Traefik as Proxy
 
-For information on building your own Continuwuity Docker images, see the
-[Building Docker Images](../development/index.mdx#building-docker-images)
-section in the development documentation.
+As a container user, you probably know about Traefik. It is an easy-to-use
+reverse proxy for making containerized apps and services available through the
+web. With the Traefik-related docker-compose files provided above, it is equally easy
+to deploy and use Continuwuity, with a small caveat. If you have already looked at
+the files, you should have seen the `well-known` service, which is the
+small caveat. Traefik is simply a proxy and load balancer and cannot
+serve any kind of content. For Continuwuity to federate, we need to either
+expose ports `443` and `8448` or serve two endpoints: `.well-known/matrix/client`
+and `.well-known/matrix/server`.
+
+With the service `well-known`, we use a single `nginx` container that serves
+those two files.
+
+Alternatively, you can use Continuwuity's built-in delegation file capability. Set up the delegation files in the configuration file, and then proxy paths under `/.well-known/matrix` to continuwuity. For example, the label ``traefik.http.routers.continuwuity.rule=(Host(`matrix.ellis.link`) || (Host(`ellis.link`) && PathPrefix(`/.well-known/matrix`)))`` does this for the domain `ellis.link`.
 
 ## Voice communication
 

docs/deploying/freebsd.mdx

@@ -1,7 +1,7 @@
 # Continuwuity for FreeBSD
 
-Continuwuity doesn't provide official FreeBSD packages; however, a community-maintained set of packages is available on [Forgejo](https://forgejo.ellis.link/katie/continuwuity-bsd). Note that these are provided as standalone packages and are not part of a FreeBSD package repository (yet), so updates need to be downloaded and installed manually.
+Continuwuity currently does not provide FreeBSD builds or FreeBSD packaging. However, Continuwuity does build and work on FreeBSD using the system-provided RocksDB.
 
-Please see the installation instructions in that repository. Direct any questions to its issue tracker or to [@katie:kat5.dev](https://matrix.to/#/@katie:kat5.dev).
+Contributions to get Continuwuity packaged for FreeBSD are welcome.
 
-For general BSD support, please join our [Continuwuity BSD](https://matrix.to/#/%23bsd:continuwuity.org) community room.
+Please join our [Continuwuity BSD](https://matrix.to/#/%23bsd:continuwuity.org) community room.

docs/deploying/kubernetes.mdx

@@ -39,7 +39,6 @@ spec:
         - name: continuwuity
           # use a sha hash <3
           image: forgejo.ellis.link/continuwuation/continuwuity:latest
-          command: ["/sbin/conduwuit"]
           imagePullPolicy: IfNotPresent
           ports:
             - name: http

docs/development/index.mdx

@@ -2,8 +2,7 @@
 
 Information about developing the project. If you are only interested in using
 it, you can safely ignore this page. If you plan on contributing, see the
-[contributor's guide](./contributing.mdx) and
-[code style guide](./code_style.mdx).
+[contributor's guide](./contributing.mdx) and [code style guide](./code_style.mdx).
 
 ## Continuwuity project layout
 
@@ -13,98 +12,86 @@ members are under `src/`. The workspace definition is at the top level / root
 `Cargo.toml`.
 
 The crate names are generally self-explanatory:
-
 - `admin` is the admin room
 - `api` is the HTTP API, Matrix C-S and S-S endpoints, etc
-- `core` is core Continuwuity functionality like config loading, error
-  definitions, global utilities, logging infrastructure, etc
-- `database` is RocksDB methods, helpers, RocksDB config, and general database
-  definitions, utilities, or functions
-- `macros` are Continuwuity Rust [macros][macros] like general helper macros,
-  logging and error handling macros, and [syn][syn] and [procedural
-  macros][proc-macro] used for admin room commands and others
+- `core` is core Continuwuity functionality like config loading, error definitions,
+global utilities, logging infrastructure, etc
+- `database` is RocksDB methods, helpers, RocksDB config, and general database definitions,
+utilities, or functions
+- `macros` are Continuwuity Rust [macros][macros] like general helper macros, logging
+and error handling macros, and [syn][syn] and [procedural macros][proc-macro]
+used for admin room commands and others
 - `main` is the "primary" sub-crate. This is where the `main()` function lives,
-  tokio worker and async initialisation, Sentry initialisation, [clap][clap]
-  init, and signal handling. If you are adding new [Rust features][features],
-  they _must_ go here.
-- `router` is the webserver and request handling bits, using axum, tower,
-  tower-http, hyper, etc, and the [global server state][state] to access
-  `services`.
+tokio worker and async initialisation, Sentry initialisation, [clap][clap] init,
+and signal handling. If you are adding new [Rust features][features], they *must*
+go here.
+- `router` is the webserver and request handling bits, using axum, tower, tower-http,
+hyper, etc, and the [global server state][state] to access `services`.
 - `service` is the high-level database definitions and functions for data,
-  outbound/sending code, and other business logic such as media fetching.
+outbound/sending code, and other business logic such as media fetching.
 
-It is highly unlikely you will ever need to add a new workspace member, but if
-you truly find yourself needing to, we recommend reaching out to us in the
-Matrix room for discussions about it beforehand.
+It is highly unlikely you will ever need to add a new workspace member, but
+if you truly find yourself needing to, we recommend reaching out to us in
+the Matrix room for discussions about it beforehand.
 
 The primary inspiration for this design was apart of hot reloadable development,
-to support "Continuwuity as a library" where specific parts can simply be
-swapped out. There is evidence Conduit wanted to go this route too as `axum` is
-technically an optional feature in Conduit, and can be compiled without the
-binary or axum library for handling inbound web requests; but it was never
-completed or worked.
+to support "Continuwuity as a library" where specific parts can simply be swapped out.
+There is evidence Conduit wanted to go this route too as `axum` is technically an
+optional feature in Conduit, and can be compiled without the binary or axum library
+for handling inbound web requests; but it was never completed or worked.
 
-See the Rust documentation on [Workspaces][workspaces] for general questions and
-information on Cargo workspaces.
+See the Rust documentation on [Workspaces][workspaces] for general questions
+and information on Cargo workspaces.
 
 ## Adding compile-time [features][features]
 
-If you'd like to add a compile-time feature, you must first define it in the
-`main` workspace crate located in `src/main/Cargo.toml`. The feature must enable
-a feature in the other workspace crate(s) you intend to use it in. Then the said
-workspace crate(s) must define the feature there in its `Cargo.toml`.
+If you'd like to add a compile-time feature, you must first define it in
+the `main` workspace crate located in `src/main/Cargo.toml`. The feature must
+enable a feature in the other workspace crate(s) you intend to use it in. Then
+the said workspace crate(s) must define the feature there in its `Cargo.toml`.
 
-So, if this is adding a feature to the API such as `woof`, you define the
-feature in the `api` crate's `Cargo.toml` as `woof = []`. The feature definition
-in `main`'s `Cargo.toml` will be `woof = ["conduwuit-api/woof"]`.
+So, if this is adding a feature to the API such as `woof`, you define the feature
+in the `api` crate's `Cargo.toml` as `woof = []`. The feature definition in `main`'s
+`Cargo.toml` will be `woof = ["conduwuit-api/woof"]`.
 
-The rationale for this is due to Rust / Cargo not supporting ["workspace level
-features"][9], we must make a choice of; either scattering features all over the
-workspace crates, making it difficult for anyone to add or remove default
-features; or define all the features in one central workspace crate that
-propagate down/up to the other workspace crates. It is a Cargo pitfall, and we'd
-like to see better developer UX in Rust's Workspaces.
+The rationale for this is due to Rust / Cargo not supporting
+["workspace level features"][9], we must make a choice of; either scattering
+features all over the workspace crates, making it difficult for anyone to add
+or remove default features; or define all the features in one central workspace
+crate that propagate down/up to the other workspace crates. It is a Cargo pitfall,
+and we'd like to see better developer UX in Rust's Workspaces.
 
-Additionally, the definition of one single place makes "feature collection" in
-our Nix flake a million times easier instead of collecting and deduping them all
-from searching in all the workspace crates' `Cargo.toml`s. Though we wouldn't
-need to do this if Rust supported workspace-level features to begin with.
+Additionally, the definition of one single place makes "feature collection" in our
+Nix flake a million times easier instead of collecting and deduping them all from
+searching in all the workspace crates' `Cargo.toml`s. Though we wouldn't need to
+do this if Rust supported workspace-level features to begin with.
 
 ## List of forked dependencies
 
-During Continuwuity (and prior projects) development, we have had to fork some
-dependencies to support our use-cases. These forks exist for various reasons
-including features that upstream projects won't accept, faster-paced
-development, Continuwuity-specific usecases, or lack of time to upstream
-changes.
+During Continuwuity (and prior projects) development, we have had to fork some dependencies to support our use-cases.
+These forks exist for various reasons including features that upstream projects won't accept,
+faster-paced development, Continuwuity-specific usecases, or lack of time to upstream changes.
 
-All forked dependencies are maintained under the
-[continuwuation organization on Forgejo](https://forgejo.ellis.link/continuwuation):
+All forked dependencies are maintained under the [continuwuation organization on Forgejo](https://forgejo.ellis.link/continuwuation):
 
-- [ruwuma][continuwuation-ruwuma] - Fork of [ruma/ruma][ruma] with various
-  performance improvements, more features and better client/server interop
-- [rocksdb][continuwuation-rocksdb] - Fork of [facebook/rocksdb][rocksdb] via
-  [`@zaidoon1`][8] with liburing build fixes and GCC debug build fixes
-- [jemallocator][continuwuation-jemallocator] - Fork of
-  [tikv/jemallocator][jemallocator] fixing musl builds, suspicious code, and
-  adding support for redzones in Valgrind
-- [rustyline-async][continuwuation-rustyline-async] - Fork of
-  [zyansheep/rustyline-async][rustyline-async] with tab completion callback and
-  `CTRL+\` signal quit event for Continuwuity console CLI
-- [rust-rocksdb][continuwuation-rust-rocksdb] - Fork of
-  [rust-rocksdb/rust-rocksdb][rust-rocksdb] fixing musl build issues, removing
-  unnecessary `gtest` include, and using our RocksDB and jemallocator forks
-- [tracing][continuwuation-tracing] - Fork of [tokio-rs/tracing][tracing]
-  implementing `Clone` for `EnvFilter` to support dynamically changing tracing
-  environments
+- [ruwuma][continuwuation-ruwuma] - Fork of [ruma/ruma][ruma] with various performance improvements, more features and better client/server interop
+- [rocksdb][continuwuation-rocksdb] - Fork of [facebook/rocksdb][rocksdb] via [`@zaidoon1`][8] with liburing build fixes and GCC debug build fixes
+- [jemallocator][continuwuation-jemallocator] - Fork of [tikv/jemallocator][jemallocator] fixing musl builds, suspicious code,
+  and adding support for redzones in Valgrind
+- [rustyline-async][continuwuation-rustyline-async] - Fork of [zyansheep/rustyline-async][rustyline-async] with tab completion callback
+  and `CTRL+\` signal quit event for Continuwuity console CLI
+- [rust-rocksdb][continuwuation-rust-rocksdb] - Fork of [rust-rocksdb/rust-rocksdb][rust-rocksdb] fixing musl build issues,
+  removing unnecessary `gtest` include, and using our RocksDB and jemallocator forks
+- [tracing][continuwuation-tracing] - Fork of [tokio-rs/tracing][tracing] implementing `Clone` for `EnvFilter` to
+  support dynamically changing tracing environments
 
 ## Debugging with `tokio-console`
 
 [`tokio-console`][7] can be a useful tool for debugging and profiling. To make a
-`tokio-console`-enabled build of Continuwuity, enable the `tokio_console`
-feature, disable the default `release_max_log_level` feature, and set the
-`--cfg tokio_unstable` flag to enable experimental tokio APIs. A build might
-look like this:
+`tokio-console`-enabled build of Continuwuity, enable the `tokio_console` feature,
+disable the default `release_max_log_level` feature, and set the `--cfg
+tokio_unstable` flag to enable experimental tokio APIs. A build might look like
+this:
 
 ```bash
 RUSTFLAGS="--cfg tokio_unstable" cargo +nightly build \
@@ -113,84 +100,34 @@ RUSTFLAGS="--cfg tokio_unstable" cargo +nightly build \
     --features=systemd,element_hacks,gzip_compression,brotli_compression,zstd_compression,tokio_console
 ```
 
-You will also need to enable the `tokio_console` config option in Continuwuity
-when starting it. This was due to tokio-console causing gradual memory
-leak/usage if left enabled.
+You will also need to enable the `tokio_console` config option in Continuwuity when
+starting it. This was due to tokio-console causing gradual memory leak/usage
+if left enabled.
 
 ## Building Docker Images
 
-Official Continuwuity images are built using **Docker Buildx** and the
-Dockerfile found at [`docker/Dockerfile`][dockerfile-path].
-
-The images are compatible with Docker and other container runtimes like Podman
-or containerd.
-
-The images _do not contain a shell_. They contain only the Continuwuity binary,
-required libraries, TLS certificates, and metadata.
-
-<details>
-<summary>Click to view the Dockerfile</summary>
-
-You can also
-
-<a
-    href="<https://forgejo.ellis.link/continuwuation/continuwuation/src/branch/main/docker/Dockerfile>"
-    target="_blank"
->
-    view the Dockerfile on Forgejo
-</a>
-.
-
-```dockerfile file="../../docker/Dockerfile"
-
-```
-
-</details>
-
-### Building Locally
-
-To build an image locally using Docker Buildx:
+To build a Docker image for Continuwuity, use the standard Docker build command:
 
 ```bash
-# Build for the current platform and load into the local Docker daemon
-docker buildx build --load --tag continuwuity:latest -f docker/Dockerfile .
-
-# Example: Build for specific platforms and push to a registry
-# docker buildx build --platform linux/amd64,linux/arm64 --tag registry.io/org/continuwuity:latest -f docker/Dockerfile . --push
-
-# Example: Build binary optimised for the current CPU (standard release profile)
-# docker buildx build --load \
-#   --tag continuwuity:latest \
-#   --build-arg TARGET_CPU=native \
-#   -f docker/Dockerfile .
-
-# Example: Build maxperf variant (release-max-perf profile with LTO)
-# docker buildx build --load \
-#   --tag continuwuity:latest-maxperf \
-#   --build-arg TARGET_CPU=native \
-#   --build-arg RUST_PROFILE=release-max-perf \
-#   -f docker/Dockerfile .
+docker build -f docker/Dockerfile .
 ```
 
-Refer to the Docker Buildx documentation for more advanced build options.
+The image can be cross-compiled for different architectures.
 
-[dockerfile-path]:
-    https://forgejo.ellis.link/continuwuation/continuwuation/src/branch/main/docker/Dockerfile
 [continuwuation-ruwuma]: https://forgejo.ellis.link/continuwuation/ruwuma
 [continuwuation-rocksdb]: https://forgejo.ellis.link/continuwuation/rocksdb
-[continuwuation-jemallocator]:
-    https://forgejo.ellis.link/continuwuation/jemallocator
-[continuwuation-rustyline-async]:
-    https://forgejo.ellis.link/continuwuation/rustyline-async
-[continuwuation-rust-rocksdb]:
-    https://forgejo.ellis.link/continuwuation/rust-rocksdb
+[continuwuation-jemallocator]: https://forgejo.ellis.link/continuwuation/jemallocator
+[continuwuation-rustyline-async]: https://forgejo.ellis.link/continuwuation/rustyline-async
+[continuwuation-rust-rocksdb]: https://forgejo.ellis.link/continuwuation/rust-rocksdb
 [continuwuation-tracing]: https://forgejo.ellis.link/continuwuation/tracing
+
 [ruma]: https://github.com/ruma/ruma/
 [rocksdb]: https://github.com/facebook/rocksdb/
 [jemallocator]: https://github.com/tikv/jemallocator/
 [rustyline-async]: https://github.com/zyansheep/rustyline-async/
 [rust-rocksdb]: https://github.com/rust-rocksdb/rust-rocksdb/
 [tracing]: https://github.com/tokio-rs/tracing/
+
 [7]: https://docs.rs/tokio-console/latest/tokio_console/
 [8]: https://github.com/zaidoon1/
 [9]: https://github.com/rust-lang/cargo/issues/12162

docs/plans/2026-03-17-space-permission-cascading-design.md

@@ -1,226 +0,0 @@
-# Space Permission Cascading — Design Document
-
-**Date:** 2026-03-17
-**Status:** Approved
-
-## Overview
-
-Server-side feature that allows user rights in a Space to cascade down to its
-direct child rooms. Includes power level cascading and role-based room access
-control. Enabled via a server-wide configuration flag, disabled by default.
-
-## Requirements
-
-1. Power levels defined in a Space cascade to all direct child rooms (Space
-   always wins over per-room overrides).
-2. Admins can define custom roles in a Space and assign them to users.
-3. Child rooms can require one or more roles for access.
-4. Enforcement is continuous — role revocation auto-kicks users from rooms they
-   no longer qualify for.
-5. Users are auto-joined to all qualifying child rooms when they join a Space or
-   receive a new role.
-6. Cascading applies to direct parent Space only; no nested cascade through
-   sub-spaces.
-7. Feature is toggled by a single server-wide config flag
-   (`space_permission_cascading`), off by default.
-
-## Configuration
-
-```toml
-# conduwuit-example.toml
-
-# Enable space permission cascading (power levels and role-based access).
-# When enabled, power levels cascade from Spaces to child rooms and rooms
-# can require roles for access. Applies to all Spaces on this server.
-# Default: false
-space_permission_cascading = false
-```
-
-## Custom State Events
-
-All events live in the Space room.
-
-### `m.space.roles` (state key: `""`)
-
-Defines the available roles for the Space. Two default roles (`admin` and `mod`)
-are created automatically when a Space is first encountered with the feature
-enabled.
-
-```json
-{
-  "roles": {
-    "admin": {
-      "description": "Space administrator",
-      "power_level": 100
-    },
-    "mod": {
-      "description": "Space moderator",
-      "power_level": 50
-    },
-    "nsfw": {
-      "description": "Access to NSFW content"
-    },
-    "vip": {
-      "description": "VIP member"
-    }
-  }
-}
-```
-
-- `description` (string, required): Human-readable description.
-- `power_level` (integer, optional): If present, users with this role receive
-  this power level in all child rooms. When a user holds multiple roles with
-  power levels, the highest value wins.
-
-### `m.space.role.member` (state key: user ID)
-
-Assigns roles to a user within the Space.
-
-```json
-{
-  "roles": ["nsfw", "vip"]
-}
-```
-
-### `m.space.role.room` (state key: room ID)
-
-Declares which roles a child room requires. A user must hold **all** listed
-roles to access the room.
-
-```json
-{
-  "required_roles": ["nsfw"]
-}
-```
-
-## Enforcement Rules
-
-All enforcement is skipped when `space_permission_cascading = false`.
-
-### 1. Join gating
-
-When a user attempts to join a room that is a direct child of a Space:
-
-- Look up the room's `m.space.role.room` event in the parent Space.
-- If the room has `required_roles`, check the user's `m.space.role.member`.
-- Reject the join if the user is missing any required role.
-
-### 2. Power level override
-
-For every user in a child room of a Space:
-
-- Look up their roles via `m.space.role.member` in the parent Space.
-- For each role that has a `power_level`, take the highest value.
-- Override the user's power level in the child room's `m.room.power_levels`.
-- Reject attempts to manually set per-room power levels that conflict with
-  Space-granted levels.
-
-### 3. Role revocation
-
-When an `m.space.role.member` event is updated and a role is removed:
-
-- Identify all child rooms that require the removed role.
-- Auto-kick the user from rooms they no longer qualify for.
-- Recalculate and update the user's power level in all child rooms.
-
-### 4. Room requirement change
-
-When an `m.space.role.room` event is updated with new requirements:
-
-- Check all current members of the room.
-- Auto-kick members who do not hold all newly required roles.
-
-### 5. Auto-join on role grant
-
-When an `m.space.role.member` event is updated and a role is added:
-
-- Find all child rooms where the user now meets all required roles.
-- Auto-join the user to qualifying rooms they are not already in.
-
-This also applies when a user first joins the Space — they are auto-joined to
-all child rooms they qualify for. Rooms with no role requirements auto-join all
-Space members.
-
-### 6. New child room
-
-When a new `m.space.child` event is added to a Space:
-
-- Auto-join all qualifying Space members to the new child room.
-
-## Caching & Indexing
-
-The source of truth is always the state events. The server maintains an
-in-memory index for fast enforcement lookups, following the same patterns as the
-existing `roomid_spacehierarchy_cache`.
-
-### Index structures
-
-| Index                        | Source event           |
-|------------------------------|------------------------|
-| Space → roles defined        | `m.space.roles`        |
-| Space → user → roles         | `m.space.role.member`  |
-| Space → room → required roles| `m.space.role.room`    |
-| Room → parent Space          | `m.space.child` (reverse lookup) |
-
-The Space → child rooms mapping already exists.
-
-### Cache invalidation triggers
-
-| Event changed              | Action                                              |
-|----------------------------|-----------------------------------------------------|
-| `m.space.roles`            | Refresh role definitions, revalidate all members    |
-| `m.space.role.member`      | Refresh user's roles, trigger auto-join/kick        |
-| `m.space.role.room`        | Refresh room requirements, trigger auto-join/kick   |
-| `m.space.child` added      | Index new child, auto-join qualifying members       |
-| `m.space.child` removed    | Remove from index (no auto-kick)                    |
-| Server startup             | Full rebuild from state events                      |
-
-## Admin Room Commands
-
-Roles are managed via the existing admin room interface, which sends the
-appropriate state events under the hood and triggers enforcement.
-
-```
-!admin space roles list <space>
-!admin space roles add <space> <role_name> [description] [power_level]
-!admin space roles remove <space> <role_name>
-!admin space roles assign <space> <user_id> <role_name>
-!admin space roles revoke <space> <user_id> <role_name>
-!admin space roles require <space> <room_id> <role_name>
-!admin space roles unrequire <space> <room_id> <role_name>
-!admin space roles user <space> <user_id>
-!admin space roles room <space> <room_id>
-```
-
-## Architecture
-
-**Approach:** Hybrid — state events for definition, database cache for
-enforcement.
-
-- State events are the source of truth and federate normally.
-- The server maintains an in-memory cache/index for fast enforcement.
-- Cache is invalidated on relevant state event changes and fully rebuilt on
-  startup.
-- All enforcement hooks (join gating, PL override, auto-join, auto-kick) check
-  the feature flag first and no-op when disabled.
-- Existing clients can manage roles via Developer Tools (custom state events).
-  The admin room commands provide a user-friendly interface.
-
-## Scope
-
-### In scope
-
-- Server-wide feature flag
-- Custom state events for role definition, assignment, and room requirements
-- Power level cascading (Space always wins)
-- Continuous enforcement (auto-join, auto-kick)
-- Admin room commands
-- In-memory caching with invalidation
-- Default `admin` (PL 100) and `mod` (PL 50) roles
-
-### Out of scope
-
-- Client-side UI for role management
-- Nested cascade through sub-spaces
-- Per-space opt-in/opt-out (it is server-wide)
-- Federation-specific logic beyond normal state event replication

docs/public/.well-known/continuwuity/announcements

@@ -6,10 +6,10 @@
             "message": "Welcome to Continuwuity! Important announcements about the project will appear here."
         },
         {
-            "id": 10,
+            "id": 9,
             "mention_room": false,
-            "date": "2026-03-03",
-            "message": "We've just released [v0.5.6](https://forgejo.ellis.link/continuwuation/continuwuity/releases/tag/v0.5.6), which contains a few  security improvements - plus significant reliability and performance improvements. Please update as soon as possible. \n\nWe released [v0.5.5](https://forgejo.ellis.link/continuwuation/continuwuity/releases/tag/v0.5.5) two weeks ago, but it skipped your admin room straight to [our announcements channel](https://matrix.to/#/!jIdNjSM5X-V5JVx2h2kAhUZIIQ08GyzPL55NFZAH1vM?via=ellis.link&via=gingershaped.computer&via=matrix.org). Make sure you're there to get important information as soon as we announce it! [Our space](https://matrix.to/#/!8cR4g-i9ucof69E4JHNg9LbPVkGprHb3SzcrGBDDJgk?via=continuwuity.org&via=ellis.link&via=matrix.org) has also gained a bunch of new and interesting rooms - be there or be square."
+            "date": "2026-02-09",
+            "message": "Yesterday we released [v0.5.4](https://forgejo.ellis.link/continuwuation/continuwuity/releases/tag/v0.5.4). Bugfixes, performance improvements and more moderation features! There's also a security fix, so please update as soon as possible. Don't forget to join [our announcements channel](https://matrix.to/#/!jIdNjSM5X-V5JVx2h2kAhUZIIQ08GyzPL55NFZAH1vM/%2489TY9CqRg4-ff1MGo3Ulc5r5X4pakfdzT-99RD8Docc?via=ellis.link&via=explodie.org&via=matrix.org) to get important information sooner <3 "
         }
     ]
 }

docs/public/.well-known/matrix/client

@@ -1 +1 @@
-{"m.homeserver":{"base_url": "https://matrix.continuwuity.org"},"org.matrix.msc4143.rtc_foci":[{"type":"livekit","livekit_service_url":"https://livekit.ellis.link"}]}
+{"m.homeserver":{"base_url": "https://matrix.continuwuity.org"},"org.matrix.msc3575.proxy":{"url": "https://matrix.continuwuity.org"},"org.matrix.msc4143.rtc_foci":[{"type":"livekit","livekit_service_url":"https://livekit.ellis.link"}]}

docs/reference/_meta.json

@@ -4,11 +4,6 @@
         "name": "config",
         "label": "Configuration"
     },
-    {
-        "type": "file",
-        "name": "environment-variables",
-        "label": "Environment Variables"
-    },
     {
         "type": "file",
         "name": "admin",

docs/reference/admin/media.md

@@ -27,7 +27,7 @@ default.
   * Delete all remote and local media from 3 days ago, up until now:
 
     `!admin media delete-past-remote-media -a 3d
---yes-i-want-to-delete-local-media`
+-yes-i-want-to-delete-local-media`
 
 ## `!admin media delete-all-from-user`
 

docs/reference/environment-variables.mdx

@@ -1,281 +0,0 @@
-# Environment Variables
-
-Continuwuity can be configured entirely through environment variables, making it
-ideal for containerised deployments and infrastructure-as-code scenarios.
-
-This is a convenience reference and may not be exhaustive. The
-[Configuration Reference](./config.mdx) is the primary source for all
-configuration options.
-
-## Prefix System
-
-Continuwuity supports three environment variable prefixes for backwards
-compatibility:
-
-- `CONTINUWUITY_*` (current, recommended)
-- `CONDUWUIT_*` (compatibility)
-- `CONDUIT_*` (legacy)
-
-All three prefixes work identically. Use double underscores (`__`) to represent
-nested configuration sections from the TOML config.
-
-**Examples:**
-
-```bash
-# Simple top-level config
-CONTINUWUITY_SERVER_NAME="matrix.example.com"
-CONTINUWUITY_PORT="8008"
-
-# Nested config sections use double underscores
-# This maps to [database] section in TOML
-CONTINUWUITY_DATABASE__PATH="/var/lib/continuwuity"
-
-# This maps to [tls] section in TOML
-CONTINUWUITY_TLS__CERTS="/path/to/cert.pem"
-```
-
-## Configuration File Override
-
-You can specify a custom configuration file path:
-
-- `CONTINUWUITY_CONFIG` - Path to continuwuity.toml (current)
-- `CONDUWUIT_CONFIG` - Path to config file (compatibility)
-- `CONDUIT_CONFIG` - Path to config file (legacy)
-
-## Essential Variables
-
-These are the minimum variables needed for a working deployment:
-
-| Variable                     | Description                        | Default                |
-| ---------------------------- | ---------------------------------- | ---------------------- |
-| `CONTINUWUITY_SERVER_NAME`   | Your Matrix server's domain name   | Required               |
-| `CONTINUWUITY_DATABASE_PATH` | Path to RocksDB database directory | `/var/lib/conduwuit`   |
-| `CONTINUWUITY_ADDRESS`       | IP address to bind to              | `["127.0.0.1", "::1"]` |
-| `CONTINUWUITY_PORT`          | Port to listen on                  | `8008`                 |
-
-## Network Configuration
-
-| Variable                         | Description                                     | Default                |
-| -------------------------------- | ----------------------------------------------- | ---------------------- |
-| `CONTINUWUITY_ADDRESS`           | Bind address (use `0.0.0.0` for all interfaces) | `["127.0.0.1", "::1"]` |
-| `CONTINUWUITY_PORT`              | HTTP port                                       | `8008`                 |
-| `CONTINUWUITY_UNIX_SOCKET_PATH`  | UNIX socket path (alternative to TCP)           | -                      |
-| `CONTINUWUITY_UNIX_SOCKET_PERMS` | Socket permissions (octal)                      | `660`                  |
-
-## Database Configuration
-
-| Variable                                   | Description                 | Default              |
-| ------------------------------------------ | --------------------------- | -------------------- |
-| `CONTINUWUITY_DATABASE_PATH`               | RocksDB data directory      | `/var/lib/conduwuit` |
-| `CONTINUWUITY_DATABASE_BACKUP_PATH`        | Backup directory            | -                    |
-| `CONTINUWUITY_DATABASE_BACKUPS_TO_KEEP`    | Number of backups to retain | `1`                  |
-| `CONTINUWUITY_DB_CACHE_CAPACITY_MB`        | Database read cache (MB)    | -                    |
-| `CONTINUWUITY_DB_WRITE_BUFFER_CAPACITY_MB` | Write cache (MB)            | -                    |
-
-## Cache Configuration
-
-| Variable                                 | Description              |
-| ---------------------------------------- | ------------------------ |
-| `CONTINUWUITY_CACHE_CAPACITY_MODIFIER`   | LRU cache multiplier     |
-| `CONTINUWUITY_PDU_CACHE_CAPACITY`        | PDU cache entries        |
-| `CONTINUWUITY_AUTH_CHAIN_CACHE_CAPACITY` | Auth chain cache entries |
-
-## DNS Configuration
-
-Configure DNS resolution behaviour for federation and external requests.
-
-| Variable                             | Description                  | Default  |
-| ------------------------------------ | ---------------------------- | -------- |
-| `CONTINUWUITY_DNS_CACHE_ENTRIES`     | Max DNS cache entries        | `32768`  |
-| `CONTINUWUITY_DNS_MIN_TTL`           | Minimum cache TTL (seconds)  | `10800`  |
-| `CONTINUWUITY_DNS_MIN_TTL_NXDOMAIN`  | NXDOMAIN cache TTL (seconds) | `259200` |
-| `CONTINUWUITY_DNS_ATTEMPTS`          | Retry attempts               | -        |
-| `CONTINUWUITY_DNS_TIMEOUT`           | Query timeout (seconds)      | -        |
-| `CONTINUWUITY_DNS_TCP_FALLBACK`      | Allow TCP fallback           | -        |
-| `CONTINUWUITY_QUERY_ALL_NAMESERVERS` | Query all nameservers        | -        |
-| `CONTINUWUITY_QUERY_OVER_TCP_ONLY`   | TCP-only queries             | -        |
-
-## Request Configuration
-
-| Variable                             | Description                   |
-| ------------------------------------ | ----------------------------- |
-| `CONTINUWUITY_MAX_REQUEST_SIZE`      | Max HTTP request size (bytes) |
-| `CONTINUWUITY_REQUEST_CONN_TIMEOUT`  | Connection timeout (seconds)  |
-| `CONTINUWUITY_REQUEST_TIMEOUT`       | Overall request timeout       |
-| `CONTINUWUITY_REQUEST_TOTAL_TIMEOUT` | Total timeout                 |
-| `CONTINUWUITY_REQUEST_IDLE_TIMEOUT`  | Idle timeout                  |
-| `CONTINUWUITY_REQUEST_IDLE_PER_HOST` | Idle connections per host     |
-
-## Federation Configuration
-
-Control how your server federates with other Matrix servers.
-
-| Variable                                       | Description                   | Default |
-| ---------------------------------------------- | ----------------------------- | ------- |
-| `CONTINUWUITY_ALLOW_FEDERATION`                | Enable federation             | `true`  |
-| `CONTINUWUITY_FEDERATION_LOOPBACK`             | Allow loopback federation     | -       |
-| `CONTINUWUITY_FEDERATION_CONN_TIMEOUT`         | Connection timeout            | -       |
-| `CONTINUWUITY_FEDERATION_TIMEOUT`              | Request timeout               | -       |
-| `CONTINUWUITY_FEDERATION_IDLE_TIMEOUT`         | Idle timeout                  | -       |
-| `CONTINUWUITY_FEDERATION_IDLE_PER_HOST`        | Idle connections per host     | -       |
-| `CONTINUWUITY_TRUSTED_SERVERS`                 | JSON array of trusted servers | -       |
-| `CONTINUWUITY_QUERY_TRUSTED_KEY_SERVERS_FIRST` | Query trusted first           | -       |
-| `CONTINUWUITY_ONLY_QUERY_TRUSTED_KEY_SERVERS`  | Only query trusted            | -       |
-
-**Example:**
-
-```bash
-# Trust matrix.org for key verification
-CONTINUWUITY_TRUSTED_SERVERS='["matrix.org"]'
-```
-
-## Registration & User Configuration
-
-Control user registration and account creation behaviour.
-
-| Variable                                   | Description           | Default |
-| ------------------------------------------ | --------------------- | ------- |
-| `CONTINUWUITY_ALLOW_REGISTRATION`          | Enable registration   | `true`  |
-| `CONTINUWUITY_REGISTRATION_TOKEN`          | Token requirement     | -       |
-| `CONTINUWUITY_SUSPEND_ON_REGISTER`         | Suspend new accounts  | -       |
-| `CONTINUWUITY_NEW_USER_DISPLAYNAME_SUFFIX` | Display name suffix   | 🏳️‍⚧️      |
-| `CONTINUWUITY_RECAPTCHA_SITE_KEY`          | reCAPTCHA site key    | -       |
-| `CONTINUWUITY_RECAPTCHA_PRIVATE_SITE_KEY`  | reCAPTCHA private key | -       |
-
-**Example:**
-
-```bash
-# Disable open registration
-CONTINUWUITY_ALLOW_REGISTRATION="false"
-
-# Require a registration token
-CONTINUWUITY_REGISTRATION_TOKEN="your_secret_token_here"
-```
-
-## Feature Configuration
-
-| Variable                                                   | Description                | Default |
-| ---------------------------------------------------------- | -------------------------- | ------- |
-| `CONTINUWUITY_ALLOW_ENCRYPTION`                            | Enable E2EE                | `true`  |
-| `CONTINUWUITY_ALLOW_ROOM_CREATION`                         | Enable room creation       | -       |
-| `CONTINUWUITY_ALLOW_UNSTABLE_ROOM_VERSIONS`                | Allow unstable versions    | -       |
-| `CONTINUWUITY_DEFAULT_ROOM_VERSION`                        | Default room version       | `v11`   |
-| `CONTINUWUITY_REQUIRE_AUTH_FOR_PROFILE_REQUESTS`           | Auth for profiles          | -       |
-| `CONTINUWUITY_ALLOW_PUBLIC_ROOM_DIRECTORY_OVER_FEDERATION` | Federate directory         | -       |
-| `CONTINUWUITY_ALLOW_PUBLIC_ROOM_DIRECTORY_WITHOUT_AUTH`    | Unauth directory           | -       |
-| `CONTINUWUITY_ALLOW_DEVICE_NAME_FEDERATION`                | Device names in federation | -       |
-
-## TLS Configuration
-
-Built-in TLS support is primarily for testing. **For production deployments,
-especially when federating on the internet, use a reverse proxy** (Traefik,
-Caddy, nginx) to handle TLS termination.
-
-| Variable                          | Description               |
-| --------------------------------- | ------------------------- |
-| `CONTINUWUITY_TLS__CERTS`         | TLS certificate file path |
-| `CONTINUWUITY_TLS__KEY`           | TLS private key path      |
-| `CONTINUWUITY_TLS__DUAL_PROTOCOL` | Support TLS 1.2 + 1.3     |
-
-**Example (testing only):**
-
-```bash
-CONTINUWUITY_TLS__CERTS="/etc/letsencrypt/live/matrix.example.com/fullchain.pem"
-CONTINUWUITY_TLS__KEY="/etc/letsencrypt/live/matrix.example.com/privkey.pem"
-```
-
-## Logging Configuration
-
-Control log output format and verbosity.
-
-| Variable                       | Description        | Default |
-| ------------------------------ | ------------------ | ------- |
-| `CONTINUWUITY_LOG`             | Log filter level   | -       |
-| `CONTINUWUITY_LOG_COLORS`      | ANSI colours       | `true`  |
-| `CONTINUWUITY_LOG_SPAN_EVENTS` | Log span events    | `none`  |
-| `CONTINUWUITY_LOG_THREAD_IDS`  | Include thread IDs | -       |
-
-**Examples:**
-
-```bash
-# Set log level to info
-CONTINUWUITY_LOG="info"
-
-# Enable debug logging for specific modules
-CONTINUWUITY_LOG="warn,continuwuity::api=debug"
-
-# Disable colours for log aggregation
-CONTINUWUITY_LOG_COLORS="false"
-```
-
-## Observability Configuration
-
-| Variable                                 | Description           |
-| ---------------------------------------- | --------------------- |
-| `CONTINUWUITY_ALLOW_OTLP`                | Enable OpenTelemetry  |
-| `CONTINUWUITY_OTLP_FILTER`               | OTLP filter level     |
-| `CONTINUWUITY_OTLP_PROTOCOL`             | Protocol (http/grpc)  |
-| `CONTINUWUITY_TRACING_FLAME`             | Enable flame graphs   |
-| `CONTINUWUITY_TRACING_FLAME_FILTER`      | Flame graph filter    |
-| `CONTINUWUITY_TRACING_FLAME_OUTPUT_PATH` | Output directory      |
-| `CONTINUWUITY_SENTRY`                    | Enable Sentry         |
-| `CONTINUWUITY_SENTRY_ENDPOINT`           | Sentry DSN            |
-| `CONTINUWUITY_SENTRY_SEND_SERVER_NAME`   | Include server name   |
-| `CONTINUWUITY_SENTRY_TRACES_SAMPLE_RATE` | Sample rate (0.0-1.0) |
-
-## Admin Configuration
-
-Configure admin users and automated command execution.
-
-| Variable                                   | Description                      | Default           |
-| ------------------------------------------ | -------------------------------- | ----------------- |
-| `CONTINUWUITY_ADMINS_LIST`                 | JSON array of admin user IDs     | -                 |
-| `CONTINUWUITY_ADMINS_FROM_ROOM`            | Derive admins from room          | -                 |
-| `CONTINUWUITY_ADMIN_ESCAPE_COMMANDS`       | Allow `\` prefix in public rooms | -                 |
-| `CONTINUWUITY_ADMIN_CONSOLE_AUTOMATIC`     | Auto-activate console            | -                 |
-| `CONTINUWUITY_ADMIN_EXECUTE`               | JSON array of startup commands   | -                 |
-| `CONTINUWUITY_ADMIN_EXECUTE_ERRORS_IGNORE` | Ignore command errors            | -                 |
-| `CONTINUWUITY_ADMIN_SIGNAL_EXECUTE`        | Commands on SIGUSR2              | -                 |
-| `CONTINUWUITY_ADMIN_ROOM_TAG`              | Admin room tag                   | `m.server_notice` |
-
-**Examples:**
-
-```bash
-# Create admin user on startup
-CONTINUWUITY_ADMIN_EXECUTE='["users create-user admin", "users make-user-admin admin"]'
-
-# Specify admin users directly
-CONTINUWUITY_ADMINS_LIST='["@alice:example.com", "@bob:example.com"]'
-```
-
-## Media & URL Preview Configuration
-
-| Variable                                             | Description        |
-| ---------------------------------------------------- | ------------------ |
-| `CONTINUWUITY_URL_PREVIEW_BOUND_INTERFACE`           | Bind interface     |
-| `CONTINUWUITY_URL_PREVIEW_DOMAIN_CONTAINS_ALLOWLIST` | Domain allowlist   |
-| `CONTINUWUITY_URL_PREVIEW_DOMAIN_EXPLICIT_ALLOWLIST` | Explicit allowlist |
-| `CONTINUWUITY_URL_PREVIEW_DOMAIN_EXPLICIT_DENYLIST`  | Explicit denylist  |
-| `CONTINUWUITY_URL_PREVIEW_MAX_SPIDER_SIZE`           | Max fetch size     |
-| `CONTINUWUITY_URL_PREVIEW_TIMEOUT`                   | Fetch timeout      |
-| `CONTINUWUITY_IP_RANGE_DENYLIST`                     | IP range denylist  |
-
-## Tokio Runtime Configuration
-
-These can be set as environment variables or CLI arguments:
-
-| Variable                                  | Description                |
-| ----------------------------------------- | -------------------------- |
-| `TOKIO_WORKER_THREADS`                    | Worker thread count        |
-| `TOKIO_GLOBAL_QUEUE_INTERVAL`             | Global queue interval      |
-| `TOKIO_EVENT_INTERVAL`                    | Event interval             |
-| `TOKIO_MAX_IO_EVENTS_PER_TICK`            | Max I/O events per tick    |
-| `CONTINUWUITY_RUNTIME_HISTOGRAM_INTERVAL` | Histogram bucket size (μs) |
-| `CONTINUWUITY_RUNTIME_HISTOGRAM_BUCKETS`  | Bucket count               |
-| `CONTINUWUITY_RUNTIME_WORKER_AFFINITY`    | Enable worker affinity     |
-
-## See Also
-
-- [Configuration Reference](./config.mdx) - Complete TOML configuration
-  documentation
-- [Admin Commands](./admin/) - Admin command reference

docs/troubleshooting.mdx

@@ -6,7 +6,7 @@ misconfigurations to cause issues, particularly with networking and permissions.
 Please check that your issues are not due to problems with your Docker setup.
 :::
 
-## Continuwuity issues
+## Continuwuity and Matrix issues
 
 ### Slow joins to rooms
 
@@ -23,16 +23,6 @@ which is a longstanding bug with synchronizing room joins to clients. In this si
 the bug caused your homeserver to forget to tell your client. **To fix this, clear your client's cache.** Both Element and Cinny
 have a button to clear their cache in the "About" section of their settings.
 
-### Configuration not working as expected
-
-Sometimes you can make a mistake in your configuration that
-means things don't get passed to Continuwuity correctly.
-This is particularly easy to do with environment variables.
-To check what configuration Continuwuity actually sees, you can
-use the `!admin server show-config` command in your admin room.
-Beware that this prints out any secrets in your configuration,
-so you might want to delete the result afterwards!
-
 ### Lost access to admin room
 
 You can reinvite yourself to the admin room through the following methods:
@@ -43,7 +33,17 @@ argument once to invite yourslf to the admin room on startup
 - Or specify the `emergency_password` config option to allow you to temporarily
 log into the server account (`@conduit`) from a web client
 
-## DNS issues
+## General potential issues
+
+### Configuration not working as expected
+
+Sometimes you can make a mistake in your configuration that
+means things don't get passed to Continuwuity correctly.
+This is particularly easy to do with environment variables.
+To check what configuration Continuwuity actually sees, you can
+use the `!admin server show-config` command in your admin room.
+Beware that this prints out any secrets in your configuration,
+so you might want to delete the result afterwards!
 
 ### Potential DNS issues when using Docker
 

flake.lock

@@ -3,11 +3,11 @@
     "advisory-db": {
       "flake": false,
       "locked": {
-        "lastModified": 1773786698,
-        "narHash": "sha256-o/J7ZculgwSs1L4H4UFlFZENOXTJzq1X0n71x6oNNvY=",
+        "lastModified": 1766324728,
+        "narHash": "sha256-9C+WyE5U3y5w4WQXxmb0ylRyMMsPyzxielWXSHrcDpE=",
         "owner": "rustsec",
         "repo": "advisory-db",
-        "rev": "99e9de91bb8b61f06ef234ff84e11f758ecd5384",
+        "rev": "c88b88c62bda077be8aa621d4e89d8701e39cb5d",
         "type": "github"
       },
       "original": {
@@ -18,11 +18,11 @@
     },
     "crane": {
       "locked": {
-        "lastModified": 1773189535,
-        "narHash": "sha256-E1G/Or6MWeP+L6mpQ0iTFLpzSzlpGrITfU2220Gq47g=",
+        "lastModified": 1766194365,
+        "narHash": "sha256-4AFsUZ0kl6MXSm4BaQgItD0VGlEKR3iq7gIaL7TjBvc=",
         "owner": "ipetkov",
         "repo": "crane",
-        "rev": "6fa2fb4cf4a89ba49fc9dd5a3eb6cde99d388269",
+        "rev": "7d8ec2c71771937ab99790b45e6d9b93d15d9379",
         "type": "github"
       },
       "original": {
@@ -39,11 +39,11 @@
         "rust-analyzer-src": "rust-analyzer-src"
       },
       "locked": {
-        "lastModified": 1773732206,
-        "narHash": "sha256-HKibxaUXyWd4Hs+ZUnwo6XslvaFqFqJh66uL9tphU4Q=",
+        "lastModified": 1766299592,
+        "narHash": "sha256-7u+q5hexu2eAxL2VjhskHvaUKg+GexmelIR2ve9Nbb4=",
         "owner": "nix-community",
         "repo": "fenix",
-        "rev": "0aa13c1b54063a8d8679b28a5cd357ba98f4a56b",
+        "rev": "381579dee168d5ced412e2990e9637ecc7cf1c5d",
         "type": "github"
       },
       "original": {
@@ -55,11 +55,11 @@
     "flake-compat": {
       "flake": false,
       "locked": {
-        "lastModified": 1767039857,
-        "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
+        "lastModified": 1765121682,
+        "narHash": "sha256-4VBOP18BFeiPkyhy9o4ssBNQEvfvv1kXkasAYd0+rrA=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
+        "rev": "65f23138d8d09a92e30f1e5c87611b23ef451bf3",
         "type": "github"
       },
       "original": {
@@ -74,11 +74,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1772408722,
-        "narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=",
+        "lastModified": 1765835352,
+        "narHash": "sha256-XswHlK/Qtjasvhd1nOa1e8MgZ8GS//jBoTqWtrS1Giw=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3",
+        "rev": "a34fae9c08a15ad73f295041fec82323541400a9",
         "type": "github"
       },
       "original": {
@@ -89,11 +89,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1773734432,
-        "narHash": "sha256-IF5ppUWh6gHGHYDbtVUyhwy/i7D261P7fWD1bPefOsw=",
+        "lastModified": 1766070988,
+        "narHash": "sha256-G/WVghka6c4bAzMhTwT2vjLccg/awmHkdKSd2JrycLc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "cda48547b432e8d3b18b4180ba07473762ec8558",
+        "rev": "c6245e83d836d0433170a16eb185cefe0572f8b8",
         "type": "github"
       },
       "original": {
@@ -105,11 +105,11 @@
     },
     "nixpkgs-lib": {
       "locked": {
-        "lastModified": 1772328832,
-        "narHash": "sha256-e+/T/pmEkLP6BHhYjx6GmwP5ivonQQn0bJdH9YrRB+Q=",
+        "lastModified": 1765674936,
+        "narHash": "sha256-k00uTP4JNfmejrCLJOwdObYC9jHRrr/5M/a/8L2EIdo=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "c185c7a5e5dd8f9add5b2f8ebeff00888b070742",
+        "rev": "2075416fcb47225d9b68ac469a5c4801a9c4dd85",
         "type": "github"
       },
       "original": {
@@ -132,11 +132,11 @@
     "rust-analyzer-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1773697963,
-        "narHash": "sha256-xdKI77It9PM6eNrCcDZsnP4SKulZwk8VkDgBRVMnCb8=",
+        "lastModified": 1766253897,
+        "narHash": "sha256-ChK07B1aOlJ4QzWXpJo+y8IGAxp1V9yQ2YloJ+RgHRw=",
         "owner": "rust-lang",
         "repo": "rust-analyzer",
-        "rev": "2993637174252ff60a582fd1f55b9ab52c39db6d",
+        "rev": "765b7bdb432b3740f2d564afccfae831d5a972e4",
         "type": "github"
       },
       "original": {
@@ -153,11 +153,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1773297127,
-        "narHash": "sha256-6E/yhXP7Oy/NbXtf1ktzmU8SdVqJQ09HC/48ebEGBpk=",
+        "lastModified": 1766000401,
+        "narHash": "sha256-+cqN4PJz9y0JQXfAK5J1drd0U05D5fcAGhzhfVrDlsI=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "71b125cd05fbfd78cab3e070b73544abe24c5016",
+        "rev": "42d96e75aa56a3f70cab7e7dc4a32868db28e8fd",
         "type": "github"
       },
       "original": {

nix/checks/default.nix

@@ -12,6 +12,7 @@
 
       rocksdbAllFeatures = self'.packages.rocksdb.override {
         enableJemalloc = true;
+        enableLiburing = true;
       };
 
       commonAttrs = (uwulib.build.commonAttrs { }) // {

nix/packages/continuwuity/default.nix

@@ -27,6 +27,7 @@
               commonAttrsArgs.profile = "release";
               rocksdb = self'.packages.rocksdb.override {
                 enableJemalloc = true;
+                enableLiburing = true;
               };
               features = {
                 enabledFeatures = "all";

nix/packages/rocksdb/package.nix

@@ -7,6 +7,7 @@
   rust-jemalloc-sys-unprefixed,
 
   enableJemalloc ? false,
+  enableLiburing ? false,
 
   fetchFromGitea,
 
@@ -31,7 +32,7 @@ in
 
   # for some reason enableLiburing in nixpkgs rocksdb is default true
   # which breaks Darwin entirely
-  enableLiburing = notDarwin;
+  enableLiburing = enableLiburing && notDarwin;
 }).overrideAttrs
   (old: {
     src = fetchFromGitea {
@@ -73,7 +74,7 @@ in
         "USE_RTTI"
       ]);
 
-    enableLiburing = notDarwin;
+    enableLiburing = enableLiburing && notDarwin;
 
     # outputs has "tools" which we don't need or use
     outputs = [ "out" ];

nix/shells/default.nix

@@ -11,6 +11,7 @@
       uwulib = inputs.self.uwulib.init pkgs;
       rocksdbAllFeatures = self'.packages.rocksdb.override {
         enableJemalloc = true;
+        enableLiburing = true;
       };
     in
     {

pkg/conduwuit.service

@@ -18,7 +18,6 @@ Environment="CONTINUWUITY_DATABASE_PATH=%S/conduwuit"
 Environment="CONTINUWUITY_CONFIG_RELOAD_SIGNAL=true"
 
 LoadCredential=conduwuit.toml:/etc/conduwuit/conduwuit.toml
-RefreshOnReload=yes
 
 ExecStart=/usr/bin/conduwuit --config ${CREDENTIALS_DIRECTORY}/conduwuit.toml
 

renovate.json

@@ -1,6 +1,6 @@
 {
     "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-    "extends": ["config:recommended", "replacements:all", ":semanticCommitTypeAll(chore)"],
+    "extends": ["config:recommended", "replacements:all"],
     "dependencyDashboard": true,
     "osvVulnerabilityAlerts": true,
     "lockFileMaintenance": {
@@ -36,18 +36,10 @@
     },
     "packageRules": [
         {
-            "description": "Batch minor and patch Rust dependency updates",
-            "matchManagers": ["cargo"],
-            "matchUpdateTypes": ["minor", "patch"],
-            "matchCurrentVersion": ">=1.0.0",
-            "groupName": "rust-non-major"
-        },
-        {
-            "description": "Batch patch-level zerover Rust dependency updates",
+            "description": "Batch patch-level Rust dependency updates",
             "matchManagers": ["cargo"],
             "matchUpdateTypes": ["patch"],
-            "matchCurrentVersion": ">=0.1.0,<1.0.0",
-            "groupName": "rust-zerover-patch-updates"
+            "groupName": "rust-patch-updates"
         },
         {
             "description": "Limit concurrent Cargo PRs",

src/admin/admin.rs

@@ -11,7 +11,6 @@ use crate::{
 	query::{self, QueryCommand},
 	room::{self, RoomCommand},
 	server::{self, ServerCommand},
-	space::{self, SpaceCommand},
 	token::{self, TokenCommand},
 	user::{self, UserCommand},
 };
@@ -35,10 +34,6 @@ pub enum AdminCommand {
 	/// Commands for managing rooms
 	Rooms(RoomCommand),
 
-	#[command(subcommand)]
-	/// Commands for managing space permissions
-	Spaces(SpaceCommand),
-
 	#[command(subcommand)]
 	/// Commands for managing federation
 	Federation(FederationCommand),
@@ -86,10 +81,6 @@ pub(super) async fn process(command: AdminCommand, context: &Context<'_>) -> Res
 			token::process(command, context).await
 		},
 		| Rooms(command) => room::process(command, context).await,
-		| Spaces(command) => {
-			context.bail_restricted()?;
-			space::process(command, context).await
-		},
 		| Federation(command) => federation::process(command, context).await,
 		| Server(command) => server::process(command, context).await,
 		| Debug(command) => debug::process(command, context).await,

src/admin/federation/commands.rs

@@ -1,6 +1,6 @@
 use std::fmt::Write;
 
-use conduwuit::{Err, Result, utils::response::LimitReadExt};
+use conduwuit::{Err, Result};
 use futures::StreamExt;
 use ruma::{OwnedRoomId, OwnedServerName, OwnedUserId};
 
@@ -55,15 +55,7 @@ pub(super) async fn fetch_support_well_known(&self, server_name: OwnedServerName
 		.send()
 		.await?;
 
-	let text = response
-		.limit_read_text(
-			self.services
-				.config
-				.max_request_size
-				.try_into()
-				.expect("u64 fits into usize"),
-		)
-		.await?;
+	let text = response.text().await?;
 
 	if text.is_empty() {
 		return Err!("Response text/body is empty.");

src/admin/media/mod.rs

@@ -40,7 +40,7 @@ pub enum MediaCommand {
 	///   * Delete all remote and local media from 3 days ago, up until now:
 	///
 	///     `!admin media delete-past-remote-media -a 3d
-	///--yes-i-want-to-delete-local-media`
+	///-yes-i-want-to-delete-local-media`
 	#[command(verbatim_doc_comment)]
 	DeletePastRemoteMedia {
 		/// The relative time (e.g. 30s, 5m, 7d) from now within which to

src/admin/mod.rs

@@ -17,7 +17,6 @@ pub(crate) mod media;
 pub(crate) mod query;
 pub(crate) mod room;
 pub(crate) mod server;
-pub(crate) mod space;
 pub(crate) mod token;
 pub(crate) mod user;
 

src/admin/space/mod.rs

@@ -1,15 +0,0 @@
-pub(super) mod roles;
-
-use clap::Subcommand;
-use conduwuit::Result;
-
-use self::roles::SpaceRolesCommand;
-use crate::admin_command_dispatch;
-
-#[admin_command_dispatch]
-#[derive(Debug, Subcommand)]
-pub enum SpaceCommand {
-	#[command(subcommand)]
-	/// Manage space roles and permissions
-	Roles(SpaceRolesCommand),
-}

src/admin/space/roles.rs

@@ -1,632 +0,0 @@
-use std::fmt::Write;
-
-use clap::Subcommand;
-use conduwuit::{Err, Event, Result, matrix::pdu::PduBuilder};
-use conduwuit_core::matrix::space_roles::{
-	RoleDefinition, SPACE_CASCADING_EVENT_TYPE, SPACE_ROLE_MEMBER_EVENT_TYPE,
-	SPACE_ROLE_ROOM_EVENT_TYPE, SPACE_ROLES_EVENT_TYPE, SpaceCascadingEventContent,
-	SpaceRoleMemberEventContent, SpaceRoleRoomEventContent, SpaceRolesEventContent,
-};
-use futures::StreamExt;
-use ruma::{OwnedRoomId, OwnedRoomOrAliasId, OwnedUserId, events::StateEventType};
-use serde_json::value::to_raw_value;
-
-use crate::{admin_command, admin_command_dispatch};
-
-fn roles_event_type() -> StateEventType {
-	StateEventType::from(SPACE_ROLES_EVENT_TYPE.to_owned())
-}
-
-fn member_event_type() -> StateEventType {
-	StateEventType::from(SPACE_ROLE_MEMBER_EVENT_TYPE.to_owned())
-}
-
-fn room_event_type() -> StateEventType {
-	StateEventType::from(SPACE_ROLE_ROOM_EVENT_TYPE.to_owned())
-}
-
-fn cascading_event_type() -> StateEventType {
-	StateEventType::from(SPACE_CASCADING_EVENT_TYPE.to_owned())
-}
-
-macro_rules! resolve_room_as_space {
-	($self:expr, $space:expr) => {{
-		let space_id = $self.services.rooms.alias.resolve(&$space).await?;
-		if !matches!(
-			$self
-				.services
-				.rooms
-				.state_accessor
-				.get_room_type(&space_id)
-				.await,
-			Ok(ruma::room::RoomType::Space)
-		) {
-			return Err!("The specified room is not a Space.");
-		}
-		space_id
-	}};
-}
-
-macro_rules! resolve_space {
-	($self:expr, $space:expr) => {{
-		let space_id = resolve_room_as_space!($self, $space);
-		if !$self
-			.services
-			.rooms
-			.roles
-			.is_enabled_for_space(&space_id)
-			.await
-		{
-			return $self
-				.write_str(
-					"Space permission cascading is disabled for this Space. Enable it \
-					 server-wide with `space_permission_cascading = true` in your config, or \
-					 per-Space with `!admin space roles enable <space>`.",
-				)
-				.await;
-		}
-		space_id
-	}};
-}
-
-macro_rules! custom_state_pdu {
-	($event_type:expr, $state_key:expr, $content:expr) => {
-		PduBuilder {
-			event_type: $event_type.to_owned().into(),
-			content: to_raw_value($content)
-				.map_err(|e| conduwuit::err!("Failed to serialize state event content: {e}"))?,
-			state_key: Some($state_key.to_owned().into()),
-			..PduBuilder::default()
-		}
-	};
-}
-
-/// Cascade-remove a role name from all state events of a given type. For each
-/// event that contains the role, the `$field` is filtered and the updated
-/// content is sent back as a new state event.
-macro_rules! cascade_remove_role {
-	(
-		$self:expr,
-		$shortstatehash:expr,
-		$event_type_fn:expr,
-		$event_type_const:expr,
-		$content_ty:ty,
-		$field:ident,
-		$role_name:expr,
-		$space_id:expr,
-		$state_lock:expr,
-		$server_user:expr
-	) => {{
-		let ev_type = $event_type_fn;
-		let entries: Vec<(_, ruma::OwnedEventId)> = $self
-			.services
-			.rooms
-			.state_accessor
-			.state_keys_with_ids($shortstatehash, &ev_type)
-			.collect()
-			.await;
-
-		for (state_key, event_id) in entries {
-			if let Ok(pdu) = $self.services.rooms.timeline.get_pdu(&event_id).await {
-				if let Ok(mut content) = pdu.get_content::<$content_ty>() {
-					if content.$field.contains($role_name) {
-						content.$field.retain(|r| r != $role_name);
-						$self
-							.services
-							.rooms
-							.timeline
-							.build_and_append_pdu(
-								custom_state_pdu!($event_type_const, &state_key, &content),
-								$server_user,
-								Some(&$space_id),
-								&$state_lock,
-							)
-							.await?;
-					}
-				}
-			}
-		}
-	}};
-}
-
-macro_rules! send_space_state {
-	($self:expr, $space_id:expr, $event_type:expr, $state_key:expr, $content:expr) => {{
-		let state_lock = $self.services.rooms.state.mutex.lock(&$space_id).await;
-		let server_user = &$self.services.globals.server_user;
-		$self
-			.services
-			.rooms
-			.timeline
-			.build_and_append_pdu(
-				custom_state_pdu!($event_type, $state_key, $content),
-				server_user,
-				Some(&$space_id),
-				&state_lock,
-			)
-			.await?
-	}};
-}
-
-#[admin_command_dispatch]
-#[derive(Debug, Subcommand)]
-pub enum SpaceRolesCommand {
-	/// List all roles defined in a space
-	List {
-		space: OwnedRoomOrAliasId,
-	},
-	/// Add a new role to a space
-	Add {
-		space: OwnedRoomOrAliasId,
-		role_name: String,
-		#[arg(long)]
-		description: Option<String>,
-		#[arg(long)]
-		power_level: Option<i64>,
-	},
-	/// Remove a role from a space
-	Remove {
-		space: OwnedRoomOrAliasId,
-		role_name: String,
-	},
-	/// Assign a role to a user
-	Assign {
-		space: OwnedRoomOrAliasId,
-		user_id: OwnedUserId,
-		role_name: String,
-	},
-	/// Revoke a role from a user
-	Revoke {
-		space: OwnedRoomOrAliasId,
-		user_id: OwnedUserId,
-		role_name: String,
-	},
-	/// Require a role for a room
-	Require {
-		space: OwnedRoomOrAliasId,
-		room_id: OwnedRoomId,
-		role_name: String,
-	},
-	/// Remove a role requirement from a room
-	Unrequire {
-		space: OwnedRoomOrAliasId,
-		room_id: OwnedRoomId,
-		role_name: String,
-	},
-	/// Show a user's roles in a space
-	User {
-		space: OwnedRoomOrAliasId,
-		user_id: OwnedUserId,
-	},
-	/// Show a room's role requirements in a space
-	Room {
-		space: OwnedRoomOrAliasId,
-		room_id: OwnedRoomId,
-	},
-	/// Enable space permission cascading for a specific space (overrides
-	/// server config)
-	Enable {
-		space: OwnedRoomOrAliasId,
-	},
-	/// Disable space permission cascading for a specific space (overrides
-	/// server config)
-	Disable {
-		space: OwnedRoomOrAliasId,
-	},
-	/// Show whether cascading is enabled for a space and the source (server
-	/// default or per-space override)
-	Status {
-		space: OwnedRoomOrAliasId,
-	},
-}
-
-#[admin_command]
-async fn list(&self, space: OwnedRoomOrAliasId) -> Result {
-	let space_id = resolve_space!(self, space);
-	let roles_event_type = roles_event_type();
-
-	let content: SpaceRolesEventContent = self
-		.services
-		.rooms
-		.state_accessor
-		.room_state_get_content(&space_id, &roles_event_type, "")
-		.await
-		.unwrap_or_default();
-
-	if content.roles.is_empty() {
-		return self.write_str("No roles defined in this space.").await;
-	}
-
-	let mut msg = format!("Roles in {space_id}:\n```\n");
-	for (name, def) in &content.roles {
-		let pl = def
-			.power_level
-			.map(|p| format!(" (power_level: {p})"))
-			.unwrap_or_default();
-		let _ = writeln!(msg, "- {name}: {}{pl}", def.description);
-	}
-	msg.push_str("```");
-
-	self.write_str(&msg).await
-}
-
-#[admin_command]
-async fn add(
-	&self,
-	space: OwnedRoomOrAliasId,
-	role_name: String,
-	description: Option<String>,
-	power_level: Option<i64>,
-) -> Result {
-	let space_id = resolve_space!(self, space);
-
-	if let Some(pl) = power_level {
-		if pl > i64::from(ruma::Int::MAX) || pl < i64::from(ruma::Int::MIN) {
-			return Err!(
-				"Power level must be between {} and {}.",
-				ruma::Int::MIN,
-				ruma::Int::MAX
-			);
-		}
-	}
-
-	let roles_event_type = roles_event_type();
-
-	let mut content: SpaceRolesEventContent = self
-		.services
-		.rooms
-		.state_accessor
-		.room_state_get_content(&space_id, &roles_event_type, "")
-		.await
-		.unwrap_or_default();
-
-	if content.roles.contains_key(&role_name) {
-		return Err!("Role '{role_name}' already exists in this space.");
-	}
-
-	content.roles.insert(role_name.clone(), RoleDefinition {
-		description: description.unwrap_or_else(|| role_name.clone()),
-		power_level,
-	});
-
-	send_space_state!(self, space_id, SPACE_ROLES_EVENT_TYPE, "", &content);
-
-	self.write_str(&format!("Added role '{role_name}' to space {space_id}."))
-		.await
-}
-
-#[admin_command]
-async fn remove(&self, space: OwnedRoomOrAliasId, role_name: String) -> Result {
-	let space_id = resolve_space!(self, space);
-	let roles_event_type = roles_event_type();
-
-	let mut content: SpaceRolesEventContent = self
-		.services
-		.rooms
-		.state_accessor
-		.room_state_get_content(&space_id, &roles_event_type, "")
-		.await
-		.unwrap_or_default();
-
-	if content.roles.remove(&role_name).is_none() {
-		return Err!("Role '{role_name}' does not exist in this space.");
-	}
-
-	send_space_state!(self, space_id, SPACE_ROLES_EVENT_TYPE, "", &content);
-
-	// Cascade: remove the deleted role from all member and room events
-	let server_user = &self.services.globals.server_user;
-	if let Ok(shortstatehash) = self
-		.services
-		.rooms
-		.state
-		.get_room_shortstatehash(&space_id)
-		.await
-	{
-		let state_lock = self.services.rooms.state.mutex.lock(&space_id).await;
-
-		cascade_remove_role!(
-			self,
-			shortstatehash,
-			member_event_type(),
-			SPACE_ROLE_MEMBER_EVENT_TYPE,
-			SpaceRoleMemberEventContent,
-			roles,
-			&role_name,
-			space_id,
-			state_lock,
-			server_user
-		);
-
-		cascade_remove_role!(
-			self,
-			shortstatehash,
-			room_event_type(),
-			SPACE_ROLE_ROOM_EVENT_TYPE,
-			SpaceRoleRoomEventContent,
-			required_roles,
-			&role_name,
-			space_id,
-			state_lock,
-			server_user
-		);
-	}
-
-	self.write_str(&format!("Removed role '{role_name}' from space {space_id}."))
-		.await
-}
-
-#[admin_command]
-async fn assign(
-	&self,
-	space: OwnedRoomOrAliasId,
-	user_id: OwnedUserId,
-	role_name: String,
-) -> Result {
-	let space_id = resolve_space!(self, space);
-
-	let roles_event_type = roles_event_type();
-	let role_defs: SpaceRolesEventContent = self
-		.services
-		.rooms
-		.state_accessor
-		.room_state_get_content(&space_id, &roles_event_type, "")
-		.await
-		.unwrap_or_default();
-
-	if !role_defs.roles.contains_key(&role_name) {
-		return Err!("Role '{role_name}' does not exist in this space.");
-	}
-
-	let member_event_type = member_event_type();
-
-	let mut content: SpaceRoleMemberEventContent = self
-		.services
-		.rooms
-		.state_accessor
-		.room_state_get_content(&space_id, &member_event_type, user_id.as_str())
-		.await
-		.unwrap_or_default();
-
-	if content.roles.contains(&role_name) {
-		return Err!("User {user_id} already has role '{role_name}' in this space.");
-	}
-
-	content.roles.push(role_name.clone());
-
-	send_space_state!(self, space_id, SPACE_ROLE_MEMBER_EVENT_TYPE, user_id.as_str(), &content);
-
-	self.write_str(&format!("Assigned role '{role_name}' to {user_id} in space {space_id}."))
-		.await
-}
-
-#[admin_command]
-async fn revoke(
-	&self,
-	space: OwnedRoomOrAliasId,
-	user_id: OwnedUserId,
-	role_name: String,
-) -> Result {
-	let space_id = resolve_space!(self, space);
-	let member_event_type = member_event_type();
-
-	let mut content: SpaceRoleMemberEventContent = self
-		.services
-		.rooms
-		.state_accessor
-		.room_state_get_content(&space_id, &member_event_type, user_id.as_str())
-		.await
-		.unwrap_or_default();
-
-	let original_len = content.roles.len();
-	content.roles.retain(|r| r != &role_name);
-
-	if content.roles.len() == original_len {
-		return Err!("User {user_id} does not have role '{role_name}' in this space.");
-	}
-
-	send_space_state!(self, space_id, SPACE_ROLE_MEMBER_EVENT_TYPE, user_id.as_str(), &content);
-
-	self.write_str(&format!("Revoked role '{role_name}' from {user_id} in space {space_id}."))
-		.await
-}
-
-#[admin_command]
-async fn require(
-	&self,
-	space: OwnedRoomOrAliasId,
-	room_id: OwnedRoomId,
-	role_name: String,
-) -> Result {
-	let space_id = resolve_space!(self, space);
-
-	let child_rooms = self.services.rooms.roles.get_child_rooms(&space_id).await;
-	if !child_rooms.contains(&room_id) {
-		return Err!("Room {room_id} is not a child of space {space_id}.");
-	}
-
-	let roles_event_type = roles_event_type();
-	let role_defs: SpaceRolesEventContent = self
-		.services
-		.rooms
-		.state_accessor
-		.room_state_get_content(&space_id, &roles_event_type, "")
-		.await
-		.unwrap_or_default();
-
-	if !role_defs.roles.contains_key(&role_name) {
-		return Err!("Role '{role_name}' does not exist in this space.");
-	}
-
-	let room_event_type = room_event_type();
-
-	let mut content: SpaceRoleRoomEventContent = self
-		.services
-		.rooms
-		.state_accessor
-		.room_state_get_content(&space_id, &room_event_type, room_id.as_str())
-		.await
-		.unwrap_or_default();
-
-	if content.required_roles.contains(&role_name) {
-		return Err!("Room {room_id} already requires role '{role_name}' in this space.");
-	}
-
-	content.required_roles.push(role_name.clone());
-
-	send_space_state!(self, space_id, SPACE_ROLE_ROOM_EVENT_TYPE, room_id.as_str(), &content);
-
-	self.write_str(&format!(
-		"Room {room_id} now requires role '{role_name}' in space {space_id}."
-	))
-	.await
-}
-
-#[admin_command]
-async fn unrequire(
-	&self,
-	space: OwnedRoomOrAliasId,
-	room_id: OwnedRoomId,
-	role_name: String,
-) -> Result {
-	let space_id = resolve_space!(self, space);
-	let room_event_type = room_event_type();
-
-	let mut content: SpaceRoleRoomEventContent = self
-		.services
-		.rooms
-		.state_accessor
-		.room_state_get_content(&space_id, &room_event_type, room_id.as_str())
-		.await
-		.unwrap_or_default();
-
-	let original_len = content.required_roles.len();
-	content.required_roles.retain(|r| r != &role_name);
-
-	if content.required_roles.len() == original_len {
-		return Err!("Room {room_id} does not require role '{role_name}' in this space.");
-	}
-
-	send_space_state!(self, space_id, SPACE_ROLE_ROOM_EVENT_TYPE, room_id.as_str(), &content);
-
-	self.write_str(&format!(
-		"Removed role requirement '{role_name}' from room {room_id} in space {space_id}."
-	))
-	.await
-}
-
-#[admin_command]
-async fn user(&self, space: OwnedRoomOrAliasId, user_id: OwnedUserId) -> Result {
-	let space_id = resolve_space!(self, space);
-
-	let roles = self
-		.services
-		.rooms
-		.roles
-		.get_user_roles_in_space(&space_id, &user_id)
-		.await;
-
-	match roles {
-		| Some(roles) if !roles.is_empty() => {
-			let list: String = roles
-				.iter()
-				.map(|r| format!("- {r}"))
-				.collect::<Vec<_>>()
-				.join("\n");
-			self.write_str(&format!("Roles for {user_id} in space {space_id}:\n```\n{list}\n```"))
-				.await
-		},
-		| _ =>
-			self.write_str(&format!("User {user_id} has no roles in space {space_id}."))
-				.await,
-	}
-}
-
-#[admin_command]
-async fn room(&self, space: OwnedRoomOrAliasId, room_id: OwnedRoomId) -> Result {
-	let space_id = resolve_space!(self, space);
-
-	let reqs = self
-		.services
-		.rooms
-		.roles
-		.get_room_requirements_in_space(&space_id, &room_id)
-		.await;
-
-	match reqs {
-		| Some(reqs) if !reqs.is_empty() => {
-			let list: String = reqs
-				.iter()
-				.map(|r| format!("- {r}"))
-				.collect::<Vec<_>>()
-				.join("\n");
-			self.write_str(&format!(
-				"Required roles for room {room_id} in space {space_id}:\n```\n{list}\n```"
-			))
-			.await
-		},
-		| _ =>
-			self.write_str(&format!(
-				"Room {room_id} has no role requirements in space {space_id}."
-			))
-			.await,
-	}
-}
-
-#[admin_command]
-async fn enable(&self, space: OwnedRoomOrAliasId) -> Result {
-	let space_id = resolve_room_as_space!(self, space);
-
-	self.services
-		.rooms
-		.roles
-		.ensure_default_roles(&space_id)
-		.await?;
-
-	let content = SpaceCascadingEventContent { enabled: true };
-	send_space_state!(self, space_id, SPACE_CASCADING_EVENT_TYPE, "", &content);
-
-	self.write_str(&format!("Space permission cascading enabled for {space_id}."))
-		.await
-}
-
-#[admin_command]
-async fn disable(&self, space: OwnedRoomOrAliasId) -> Result {
-	let space_id = resolve_room_as_space!(self, space);
-
-	let content = SpaceCascadingEventContent { enabled: false };
-	send_space_state!(self, space_id, SPACE_CASCADING_EVENT_TYPE, "", &content);
-
-	self.write_str(&format!("Space permission cascading disabled for {space_id}."))
-		.await
-}
-
-#[admin_command]
-async fn status(&self, space: OwnedRoomOrAliasId) -> Result {
-	let space_id = resolve_room_as_space!(self, space);
-
-	let global_default = self.services.rooms.roles.is_enabled();
-	let cascading_event_type = cascading_event_type();
-	let per_space_override: Option<bool> = self
-		.services
-		.rooms
-		.state_accessor
-		.room_state_get_content::<SpaceCascadingEventContent>(
-			&space_id,
-			&cascading_event_type,
-			"",
-		)
-		.await
-		.ok()
-		.map(|c| c.enabled);
-
-	let effective = per_space_override.unwrap_or(global_default);
-	let source = match per_space_override {
-		| Some(v) => format!("per-Space override (enabled: {v})"),
-		| None => format!("server default (space_permission_cascading: {global_default})"),
-	};
-
-	self.write_str(&format!(
-		"Cascading status for {space_id}:\n- Effective: **{effective}**\n- Source: {source}"
-	))
-	.await
-}

src/admin/user/commands.rs

@@ -296,31 +296,6 @@ pub(super) async fn reset_password(
 	Ok(())
 }
 
-#[admin_command]
-pub(super) async fn issue_password_reset_link(&self, username: String) -> Result {
-	use conduwuit_service::password_reset::{PASSWORD_RESET_PATH, RESET_TOKEN_QUERY_PARAM};
-
-	self.bail_restricted()?;
-
-	let mut reset_url = self
-		.services
-		.config
-		.get_client_domain()
-		.join(PASSWORD_RESET_PATH)
-		.unwrap();
-
-	let user_id = parse_local_user_id(self.services, &username)?;
-	let token = self.services.password_reset.issue_token(user_id).await?;
-	reset_url
-		.query_pairs_mut()
-		.append_pair(RESET_TOKEN_QUERY_PARAM, &token.token);
-
-	self.write_str(&format!("Password reset link issued for {username}: {reset_url}"))
-		.await?;
-
-	Ok(())
-}
-
 #[admin_command]
 pub(super) async fn deactivate_all(&self, no_leave_rooms: bool, force: bool) -> Result {
 	if self.body.len() < 2

src/admin/user/mod.rs

@@ -29,12 +29,6 @@ pub enum UserCommand {
 		password: Option<String>,
 	},
 
-	/// Issue a self-service password reset link for a user.
-	IssuePasswordResetLink {
-		/// Username of the user who may use the link
-		username: String,
-	},
-
 	/// Deactivate a user
 	///
 	/// User will be removed from all rooms by default.

src/api/client/membership/join.rs

@@ -347,12 +347,6 @@ pub async fn join_room_by_id_helper(
 		}
 	}
 
-	services
-		.rooms
-		.roles
-		.check_join_allowed(room_id, sender_user)
-		.await?;
-
 	if server_in_room {
 		join_room_by_id_helper_local(services, sender_user, room_id, reason, servers, state_lock)
 			.boxed()

src/api/client/sync/v3/joined.rs

@@ -270,7 +270,7 @@ async fn build_state_and_timeline(
 	// joined since the last sync, that being the syncing user's join event. if
 	// it's empty something is wrong.
 	if joined_since_last_sync && timeline.pdus.is_empty() {
-		debug_warn!("timeline for newly joined room is empty");
+		warn!("timeline for newly joined room is empty");
 	}
 
 	let (summary, device_list_updates) = try_join(

src/api/client/sync/v3/left.rs

@@ -1,5 +1,5 @@
 use conduwuit::{
-	Event, PduEvent, Result, at, debug_warn,
+	Event, PduCount, PduEvent, Result, at, debug_warn,
 	pdu::EventHash,
 	trace,
 	utils::{self, IterStream, future::ReadyEqExt, stream::WidebandExt as _},
@@ -68,13 +68,9 @@ pub(super) async fn load_left_room(
 		return Ok(None);
 	}
 
-	// return early if:
-	// - this is an initial sync and the room filter doesn't include leaves, or
-	// - this is an incremental sync, and we've already synced the leave, and the
-	//   room filter doesn't include leaves
-	if last_sync_end_count.is_none_or(|last_sync_end_count| last_sync_end_count >= left_count)
-		&& !filter.room.include_leave
-	{
+	// return early if this is an incremental sync, and we've already synced this
+	// leave to the user, and `include_leave` isn't set on the filter.
+	if !filter.room.include_leave && last_sync_end_count >= Some(left_count) {
 		return Ok(None);
 	}
 
@@ -199,13 +195,27 @@ async fn build_left_state_and_timeline(
 	leave_shortstatehash: ShortStateHash,
 	prev_membership_event: PduEvent,
 ) -> Result<(TimelinePdus, Vec<PduEvent>)> {
-	let SyncContext { syncing_user, filter, .. } = sync_context;
+	let SyncContext {
+		syncing_user,
+		last_sync_end_count,
+		filter,
+		..
+	} = sync_context;
 
-	let timeline_start_count = services
-		.rooms
-		.timeline
-		.get_pdu_count(&prev_membership_event.event_id)
-		.await?;
+	let timeline_start_count = if let Some(last_sync_end_count) = last_sync_end_count {
+		// for incremental syncs, start the timeline after `since`
+		PduCount::Normal(last_sync_end_count)
+	} else {
+		// for initial syncs, start the timeline after the previous membership
+		// event. we don't want to include the membership event itself
+		// because clients get confused when they see a `join`
+		// membership event in a `leave` room.
+		services
+			.rooms
+			.timeline
+			.get_pdu_count(&prev_membership_event.event_id)
+			.await?
+	};
 
 	// end the timeline at the user's leave event
 	let timeline_end_count = services

src/api/client/sync/v3/mod.rs

@@ -297,18 +297,12 @@ pub(crate) async fn build_sync_events(
 		.rooms
 		.state_cache
 		.rooms_left(syncing_user)
-		.broad_filter_map(|(room_id, leave_pdu)| async {
-			let left_room = load_left_room(services, context, room_id.clone(), leave_pdu).await;
-
-			match left_room {
-				| Ok(Some(left_room)) => Some((room_id, left_room)),
-				| Ok(None) => None,
-				| Err(err) => {
-					warn!(?err, %room_id, "error loading joined room");
-					None
-				},
-			}
+		.broad_filter_map(|(room_id, leave_pdu)| {
+			load_left_room(services, context, room_id.clone(), leave_pdu)
+				.map_ok(move |left_room| (room_id, left_room))
+				.ok()
 		})
+		.ready_filter_map(|(room_id, left_room)| left_room.map(|left_room| (room_id, left_room)))
 		.collect();
 
 	let invited_rooms = services

src/core/config/check.rs

@@ -174,7 +174,6 @@ pub fn check(config: &Config) -> Result {
 	if config.allow_registration
 		&& config.yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse
 		&& config.registration_token.is_none()
-		&& config.registration_token_file.is_none()
 	{
 		warn!(
 			"Open registration is enabled via setting \

src/core/config/mod.rs

@@ -68,10 +68,6 @@ pub struct Config {
 	///
 	/// Also see the `[global.well_known]` config section at the very bottom.
 	///
-	/// If `client` is not set under `[global.well_known]`, the server name will
-	/// be used as the base domain for user-facing links (such as password
-	/// reset links) created by Continuwuity.
-	///
 	/// Examples of delegation:
 	/// - https://continuwuity.org/.well-known/matrix/server
 	/// - https://continuwuity.org/.well-known/matrix/client
@@ -607,47 +603,25 @@ pub struct Config {
 	#[serde(default)]
 	pub suspend_on_register: bool,
 
-	/// Server-wide default for space permission cascading (power levels and
-	/// role-based access). Individual Spaces can override this via the
-	/// `com.continuwuity.space.cascading` state event or the admin command
-	/// `!admin space roles enable/disable <space>`.
-	///
-	/// default: false
-	#[serde(default)]
-	pub space_permission_cascading: bool,
-
-	/// Maximum number of spaces to cache role data for. When exceeded the
-	/// cache is cleared and repopulated on demand.
-	///
-	/// default: 1000
-	#[serde(default = "default_space_roles_cache_flush_threshold")]
-	pub space_roles_cache_flush_threshold: u32,
-
 	/// Enabling this setting opens registration to anyone without restrictions.
 	/// This makes your server vulnerable to abuse
 	#[serde(default)]
 	pub yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse: bool,
 
 	/// A static registration token that new users will have to provide when
-	/// creating an account. This token does not supersede tokens from other
-	/// sources, such as the `!admin token` command or the
-	/// `registration_token_file` configuration option.
+	/// creating an account. If unset and `allow_registration` is true,
+	/// you must set
+	/// `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse`
+	/// to true to allow open registration without any conditions.
+	///
+	/// If you do not want to set a static token, the `!admin token` commands
+	/// may also be used to manage registration tokens.
 	///
 	/// example: "o&^uCtes4HPf0Vu@F20jQeeWE7"
 	///
 	/// display: sensitive
 	pub registration_token: Option<String>,
 
-	/// A path to a file containing static registration tokens, one per line.
-	/// Tokens in this file do not supersede tokens from other sources, such as
-	/// the `!admin token` command or the `registration_token` configuration
-	/// option.
-	///
-	/// The file will be read once, when Continuwuity starts. It is not
-	/// currently reread when the server configuration is reloaded. If the file
-	/// cannot be read, Continuwuity will fail to start.
-	pub registration_token_file: Option<PathBuf>,
-
 	/// The public site key for reCaptcha. If this is provided, reCaptcha
 	/// becomes required during registration. If both captcha *and*
 	/// registration token are enabled, both will be required during
@@ -1755,11 +1729,6 @@ pub struct Config {
 	/// default: "continuwuity/<version> (bot; +https://continuwuity.org)"
 	pub url_preview_user_agent: Option<String>,
 
-	/// Determines whether audio and video files will be downloaded for URL
-	/// previews.
-	#[serde(default)]
-	pub url_preview_allow_audio_video: bool,
-
 	/// List of forbidden room aliases and room IDs as strings of regex
 	/// patterns.
 	///
@@ -2099,23 +2068,6 @@ pub struct Config {
 	pub allow_invalid_tls_certificates_yes_i_know_what_the_fuck_i_am_doing_with_this_and_i_know_this_is_insecure:
 		bool,
 
-	/// Forcibly disables first-run mode.
-	///
-	/// This is intended to be used for Complement testing to allow the test
-	/// suite to register users, because first-run mode interferes with open
-	/// registration.
-	///
-	/// display: hidden
-	#[serde(default)]
-	pub force_disable_first_run_mode: bool,
-
-	/// Allow search engines and crawlers to index Continuwuity's built-in
-	/// webpages served under the `/_continuwuity/` prefix.
-	///
-	/// default: false
-	#[serde(default)]
-	pub allow_web_indexing: bool,
-
 	/// display: nested
 	#[serde(default)]
 	pub ldap: LdapConfig,
@@ -2853,5 +2805,3 @@ fn default_ldap_search_filter() -> String { "(objectClass=*)".to_owned() }
 fn default_ldap_uid_attribute() -> String { String::from("uid") }
 
 fn default_ldap_name_attribute() -> String { String::from("givenName") }
-
-fn default_space_roles_cache_flush_threshold() -> u32 { 1000 }

src/core/error/mod.rs

@@ -191,7 +191,6 @@ impl Error {
 			| Self::Reqwest(error) => error.status().unwrap_or(StatusCode::INTERNAL_SERVER_ERROR),
 			| Self::Conflict(_) => StatusCode::CONFLICT,
 			| Self::Io(error) => response::io_error_code(error.kind()),
-			| Self::Uiaa(_) => StatusCode::UNAUTHORIZED,
 			| _ => StatusCode::INTERNAL_SERVER_ERROR,
 		}
 	}

src/core/matrix/mod.rs

@@ -2,7 +2,6 @@
 
 pub mod event;
 pub mod pdu;
-pub mod space_roles;
 pub mod state_key;
 pub mod state_res;
 

src/core/matrix/space_roles.rs

@@ -1,81 +0,0 @@
-use std::collections::BTreeMap;
-
-use serde::{Deserialize, Serialize};
-
-pub const SPACE_ROLES_EVENT_TYPE: &str = "com.continuwuity.space.roles";
-pub const SPACE_ROLE_MEMBER_EVENT_TYPE: &str = "com.continuwuity.space.role.member";
-pub const SPACE_ROLE_ROOM_EVENT_TYPE: &str = "com.continuwuity.space.role.room";
-pub const SPACE_CASCADING_EVENT_TYPE: &str = "com.continuwuity.space.cascading";
-
-#[derive(Clone, Debug, Default, Deserialize, Serialize, PartialEq, Eq)]
-pub struct SpaceRolesEventContent {
-	pub roles: BTreeMap<String, RoleDefinition>,
-}
-
-#[derive(Clone, Debug, Deserialize, Serialize, PartialEq, Eq)]
-pub struct RoleDefinition {
-	pub description: String,
-	#[serde(skip_serializing_if = "Option::is_none")]
-	pub power_level: Option<i64>,
-}
-
-#[derive(Clone, Debug, Default, Deserialize, Serialize, PartialEq, Eq)]
-pub struct SpaceRoleMemberEventContent {
-	pub roles: Vec<String>,
-}
-
-#[derive(Clone, Debug, Default, Deserialize, Serialize, PartialEq, Eq)]
-pub struct SpaceRoleRoomEventContent {
-	pub required_roles: Vec<String>,
-}
-
-#[derive(Clone, Debug, Deserialize, Serialize, PartialEq, Eq)]
-pub struct SpaceCascadingEventContent {
-	pub enabled: bool,
-}
-
-#[cfg(test)]
-mod tests {
-	use super::*;
-
-	#[test]
-	fn space_roles_roundtrip() {
-		let mut roles = BTreeMap::new();
-		roles.insert("admin".to_owned(), RoleDefinition {
-			description: "Space administrator".to_owned(),
-			power_level: Some(100),
-		});
-		roles.insert("nsfw".to_owned(), RoleDefinition {
-			description: "NSFW access".to_owned(),
-			power_level: None,
-		});
-		let content = SpaceRolesEventContent { roles };
-		let json = serde_json::to_string(&content).unwrap();
-		let deserialized: SpaceRolesEventContent = serde_json::from_str(&json).unwrap();
-		assert_eq!(deserialized.roles["admin"].power_level, Some(100));
-		assert!(deserialized.roles["nsfw"].power_level.is_none());
-	}
-
-	#[test]
-	fn power_level_omitted_in_serialization_when_none() {
-		let role = RoleDefinition {
-			description: "Test".to_owned(),
-			power_level: None,
-		};
-		let json = serde_json::to_string(&role).unwrap();
-		assert!(!json.contains("power_level"));
-	}
-
-	#[test]
-	fn negative_power_level() {
-		let json = r#"{"description":"Restricted","power_level":-10}"#;
-		let role: RoleDefinition = serde_json::from_str(json).unwrap();
-		assert_eq!(role.power_level, Some(-10));
-	}
-
-	#[test]
-	fn missing_description_fails() {
-		let json = r#"{"power_level":100}"#;
-		serde_json::from_str::<RoleDefinition>(json).unwrap_err();
-	}
-}

src/core/matrix/state_res/event_auth.rs

@@ -1224,7 +1224,6 @@ fn can_send_event(event: &impl Event, ple: Option<&impl Event>, user_level: Int)
 }
 
 /// Confirm that the event sender has the required power levels.
-#[allow(clippy::cognitive_complexity)]
 fn check_power_levels(
 	room_version: &RoomVersion,
 	power_event: &impl Event,

src/core/matrix/state_res/mod.rs

@@ -75,7 +75,6 @@ type Result<T, E = Error> = crate::Result<T, E>;
 /// event is part of the same room.
 //#[tracing::instrument(level = "debug", skip(state_sets, auth_chain_sets,
 //#[tracing::instrument(level event_fetch))]
-#[allow(clippy::cognitive_complexity)]
 pub async fn resolve<'a, Pdu, Sets, SetIter, Hasher, Fetch, FetchFut, Exists, ExistsFut>(
 	room_version: &RoomVersionId,
 	state_sets: Sets,

src/core/utils/mod.rs

@@ -11,7 +11,6 @@ pub mod json;
 pub mod math;
 pub mod mutex_map;
 pub mod rand;
-pub mod response;
 pub mod result;
 pub mod set;
 pub mod stream;

src/core/utils/response.rs

@@ -1,51 +0,0 @@
-use futures::StreamExt;
-use num_traits::ToPrimitive;
-
-use crate::Err;
-
-/// Reads the response body while enforcing a maximum size limit to prevent
-/// memory exhaustion.
-pub async fn limit_read(response: reqwest::Response, max_size: u64) -> crate::Result<Vec<u8>> {
-	if response.content_length().is_some_and(|len| len > max_size) {
-		return Err!(BadServerResponse("Response too large"));
-	}
-	let mut data = Vec::new();
-	let mut reader = response.bytes_stream();
-
-	while let Some(chunk) = reader.next().await {
-		let chunk = chunk?;
-		data.extend_from_slice(&chunk);
-
-		if data.len() > max_size.to_usize().expect("max_size must fit in usize") {
-			return Err!(BadServerResponse("Response too large"));
-		}
-	}
-
-	Ok(data)
-}
-
-/// Reads the response body as text while enforcing a maximum size limit to
-/// prevent memory exhaustion.
-pub async fn limit_read_text(
-	response: reqwest::Response,
-	max_size: u64,
-) -> crate::Result<String> {
-	let text = String::from_utf8(limit_read(response, max_size).await?)?;
-	Ok(text)
-}
-
-#[allow(async_fn_in_trait)]
-pub trait LimitReadExt {
-	async fn limit_read(self, max_size: u64) -> crate::Result<Vec<u8>>;
-	async fn limit_read_text(self, max_size: u64) -> crate::Result<String>;
-}
-
-impl LimitReadExt for reqwest::Response {
-	async fn limit_read(self, max_size: u64) -> crate::Result<Vec<u8>> {
-		limit_read(self, max_size).await
-	}
-
-	async fn limit_read_text(self, max_size: u64) -> crate::Result<String> {
-		limit_read_text(self, max_size).await
-	}
-}

src/database/maps.rs

@@ -112,10 +112,6 @@ pub(super) static MAPS: &[Descriptor] = &[
 		name: "onetimekeyid_onetimekeys",
 		..descriptor::RANDOM_SMALL
 	},
-	Descriptor {
-		name: "passwordresettoken_info",
-		..descriptor::RANDOM_SMALL
-	},
 	Descriptor {
 		name: "pduid_pdu",
 		cache_disp: CacheDisp::SharedWith("eventid_outlierpdu"),

src/router/router.rs

@@ -18,5 +18,5 @@ pub(crate) fn build(services: &Arc<Services>) -> (Router, Guard) {
 }
 
 async fn not_found(_uri: Uri) -> impl IntoResponse {
-	Error::Request(ErrorKind::Unrecognized, "not found :(".into(), StatusCode::NOT_FOUND)
+	Error::Request(ErrorKind::Unrecognized, "Not Found".into(), StatusCode::NOT_FOUND)
 }

src/service/Cargo.toml

@@ -121,7 +121,7 @@ webpage.workspace = true
 webpage.optional = true
 blurhash.workspace = true
 blurhash.optional = true
-recaptcha-verify = { version = "0.2.0", default-features = false }
+recaptcha-verify = { version = "0.1.5", default-features = false }
 yansi.workspace = true
 
 [target.'cfg(all(unix, target_os = "linux"))'.dependencies]

src/service/admin/mod.rs

@@ -530,12 +530,7 @@ impl Service {
 		Ok(())
 	}
 
-	pub async fn is_admin_command<E>(
-		&self,
-		event: &E,
-		body: &str,
-		sent_locally: bool,
-	) -> Option<InvocationSource>
+	pub async fn is_admin_command<E>(&self, event: &E, body: &str) -> Option<InvocationSource>
 	where
 		E: Event + Send + Sync,
 	{
@@ -585,15 +580,6 @@ impl Service {
 				return None;
 			}
 
-			// Escaped commands must be sent locally (via client API), not via federation
-			if !sent_locally {
-				conduwuit::warn!(
-					"Ignoring escaped admin command from {} that arrived via federation",
-					event.sender()
-				);
-				return None;
-			}
-
 			// Looks good
 			Some(InvocationSource::EscapedCommand)
 		}

src/service/announcements/mod.rs

@@ -18,7 +18,7 @@
 use std::{sync::Arc, time::Duration};
 
 use async_trait::async_trait;
-use conduwuit::{Result, Server, debug, error, utils::response::LimitReadExt, warn};
+use conduwuit::{Result, Server, debug, error, warn};
 use database::{Deserialized, Map};
 use ruma::events::{Mentions, room::message::RoomMessageEventContent};
 use serde::Deserialize;
@@ -137,7 +137,7 @@ impl Service {
 			.get(CHECK_FOR_ANNOUNCEMENTS_URL)
 			.send()
 			.await?
-			.limit_read_text(1024 * 1024)
+			.text()
 			.await?;
 
 		let response = serde_json::from_str::<CheckForAnnouncementsResponse>(&response)?;

src/service/appservice/mod.rs

@@ -272,10 +272,7 @@ impl Service {
 			.get(id)
 			.await
 			.and_then(|ref bytes| serde_saphyr::from_slice(bytes).map_err(Into::into))
-			.map_err(|e| {
-				self.db.id_appserviceregistrations.remove(id);
-				err!(Database("Invalid appservice {id:?} registration: {e:?}. Removed."))
-			})
+			.map_err(|e| err!(Database("Invalid appservice {id:?} registration: {e:?}")))
 	}
 
 	pub fn read(&self) -> impl Future<Output = RwLockReadGuard<'_, Registrations>> + Send {

src/service/config/mod.rs

@@ -6,7 +6,6 @@ use conduwuit::{
 	config::{Config, check},
 	error, implement,
 };
-use url::Url;
 
 use crate::registration_tokens::{ValidToken, ValidTokenSource};
 
@@ -20,20 +19,9 @@ impl Service {
 	/// Get the registration token set in the config file, if it exists.
 	#[must_use]
 	pub fn get_config_file_token(&self) -> Option<ValidToken> {
-		self.registration_token
-			.clone()
-			.map(|token| ValidToken { token, source: ValidTokenSource::Config })
-	}
-
-	/// Get the base domain to use for user-facing URLs.
-	#[must_use]
-	pub fn get_client_domain(&self) -> Url {
-		self.well_known.client.clone().unwrap_or_else(|| {
-			let host = self.server_name.host();
-			format!("https://{host}")
-				.as_str()
-				.try_into()
-				.expect("server name should be a valid host")
+		self.registration_token.clone().map(|token| ValidToken {
+			token,
+			source: ValidTokenSource::ConfigFile,
 		})
 	}
 }

src/service/federation/execute.rs

@@ -2,8 +2,8 @@ use std::{fmt::Debug, mem};
 
 use bytes::Bytes;
 use conduwuit::{
-	Err, Error, Result, debug, debug::INFO_SPAN_LEVEL, debug_error, debug_warn, err, implement,
-	trace, utils::response::LimitReadExt,
+	Err, Error, Result, debug, debug::INFO_SPAN_LEVEL, debug_error, debug_warn, err,
+	error::inspect_debug_log, implement, trace,
 };
 use http::{HeaderValue, header::AUTHORIZATION};
 use ipaddress::IPAddress;
@@ -133,22 +133,7 @@ async fn handle_response<T>(
 where
 	T: OutgoingRequest + Send,
 {
-	const HUGE_ENDPOINTS: [&str; 2] =
-		["/_matrix/federation/v2/send_join/", "/_matrix/federation/v2/state/"];
-	let size_limit: u64 = if HUGE_ENDPOINTS.iter().any(|e| url.path().starts_with(e)) {
-		// Some federation endpoints can return huge response bodies, so we'll bump the
-		// limit for those endpoints specifically.
-		self.services
-			.server
-			.config
-			.max_request_size
-			.saturating_mul(10)
-	} else {
-		self.services.server.config.max_request_size
-	}
-	.try_into()
-	.expect("size_limit (usize) should fit within a u64");
-	let response = into_http_response(dest, actual, method, url, response, size_limit).await?;
+	let response = into_http_response(dest, actual, method, url, response).await?;
 
 	T::IncomingResponse::try_from_http_response(response)
 		.map_err(|e| err!(BadServerResponse("Server returned bad 200 response: {e:?}")))
@@ -160,7 +145,6 @@ async fn into_http_response(
 	method: &Method,
 	url: &Url,
 	mut response: Response,
-	max_size: u64,
 ) -> Result<http::Response<Bytes>> {
 	let status = response.status();
 	trace!(
@@ -183,14 +167,14 @@ async fn into_http_response(
 	);
 
 	trace!("Waiting for response body...");
+	let body = response
+		.bytes()
+		.await
+		.inspect_err(inspect_debug_log)
+		.unwrap_or_else(|_| Vec::new().into());
+
 	let http_response = http_response_builder
-		.body(
-			response
-				.limit_read(max_size)
-				.await
-				.unwrap_or_default()
-				.into(),
-		)
+		.body(body)
 		.expect("reqwest body is valid http body");
 
 	debug!("Got {status:?} for {method} {url}");

src/service/firstrun/mod.rs

@@ -67,17 +67,15 @@ impl crate::Service for Service {
 	fn name(&self) -> &str { crate::service::make_name(std::module_path!()) }
 
 	async fn worker(self: Arc<Self>) -> Result {
-		// first run mode will be enabled if there are no local users, provided it's not
-		// forcibly disabled for Complement tests
-		let is_first_run = !self.services.config.force_disable_first_run_mode
-			&& self
-				.services
-				.users
-				.list_local_users()
-				.ready_filter(|user| *user != self.services.globals.server_user)
-				.next()
-				.await
-				.is_none();
+		// first run mode will be enabled if there are no local users
+		let is_first_run = self
+			.services
+			.users
+			.list_local_users()
+			.ready_filter(|user| *user != self.services.globals.server_user)
+			.next()
+			.await
+			.is_none();
 
 		self.first_run_marker
 			.set(if is_first_run {

src/service/globals/mod.rs

@@ -142,10 +142,6 @@ impl Service {
 		self.server.config.url_preview_check_root_domain
 	}
 
-	pub fn url_preview_allow_audio_video(&self) -> bool {
-		self.server.config.url_preview_allow_audio_video
-	}
-
 	pub fn forbidden_alias_names(&self) -> &RegexSet { &self.server.config.forbidden_alias_names }
 
 	pub fn forbidden_usernames(&self) -> &RegexSet { &self.server.config.forbidden_usernames }

src/service/media/data.rs

@@ -207,28 +207,6 @@ impl Data {
 		value.extend_from_slice(&data.image_width.unwrap_or(0).to_be_bytes());
 		value.push(0xFF);
 		value.extend_from_slice(&data.image_height.unwrap_or(0).to_be_bytes());
-		value.push(0xFF);
-		value.extend_from_slice(
-			data.video
-				.as_ref()
-				.map(String::as_bytes)
-				.unwrap_or_default(),
-		);
-		value.push(0xFF);
-		value.extend_from_slice(&data.video_size.unwrap_or(0).to_be_bytes());
-		value.push(0xFF);
-		value.extend_from_slice(&data.video_width.unwrap_or(0).to_be_bytes());
-		value.push(0xFF);
-		value.extend_from_slice(&data.video_height.unwrap_or(0).to_be_bytes());
-		value.push(0xFF);
-		value.extend_from_slice(
-			data.audio
-				.as_ref()
-				.map(String::as_bytes)
-				.unwrap_or_default(),
-		);
-		value.push(0xFF);
-		value.extend_from_slice(&data.audio_size.unwrap_or(0).to_be_bytes());
 
 		self.url_previews.insert(url.as_bytes(), &value);
 
@@ -289,48 +267,6 @@ impl Data {
 			| Some(0) => None,
 			| x => x,
 		};
-		let video = match values
-			.next()
-			.and_then(|b| String::from_utf8(b.to_vec()).ok())
-		{
-			| Some(s) if s.is_empty() => None,
-			| x => x,
-		};
-		let video_size = match values
-			.next()
-			.map(|b| usize::from_be_bytes(b.try_into().unwrap_or_default()))
-		{
-			| Some(0) => None,
-			| x => x,
-		};
-		let video_width = match values
-			.next()
-			.map(|b| u32::from_be_bytes(b.try_into().unwrap_or_default()))
-		{
-			| Some(0) => None,
-			| x => x,
-		};
-		let video_height = match values
-			.next()
-			.map(|b| u32::from_be_bytes(b.try_into().unwrap_or_default()))
-		{
-			| Some(0) => None,
-			| x => x,
-		};
-		let audio = match values
-			.next()
-			.and_then(|b| String::from_utf8(b.to_vec()).ok())
-		{
-			| Some(s) if s.is_empty() => None,
-			| x => x,
-		};
-		let audio_size = match values
-			.next()
-			.map(|b| usize::from_be_bytes(b.try_into().unwrap_or_default()))
-		{
-			| Some(0) => None,
-			| x => x,
-		};
 
 		Ok(UrlPreviewData {
 			title,
@@ -339,12 +275,6 @@ impl Data {
 			image_size,
 			image_width,
 			image_height,
-			video,
-			video_size,
-			video_width,
-			video_height,
-			audio,
-			audio_size,
 		})
 	}
 }