Merge pull request 'deployment' (#3 ) from deployment into main

Reviewed-on: #3
Merge pull request 'feat/space-permission-cascading' (#2 ) from feat/space-permission-cascading into deployment
2026-03-20 08:05:07 +00:00 · 2026-03-20 08:03:10 +00:00 · 2026-03-20 08:52:23 +01:00 · 2026-03-20 08:52:13 +01:00 · 2026-03-20 08:52:05 +01:00 · 2026-03-20 08:51:57 +01:00
81 changed files with 5725 additions and 421 deletions
--- a/.forgejo/regsync/regsync.yml
+++ b/.forgejo/regsync/regsync.yml
@ -62,10 +62,6 @@ sync:
    target: registry.gitlab.com/continuwuity/continuwuity
    type: repository
    <<: *tags-main
-  - source: *source
-    target: git.nexy7574.co.uk/mirrored/continuwuity
-    type: repository
-    <<: *tags-releases
  - source: *source
    target: ghcr.io/continuwuity/continuwuity
    type: repository
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@ -1,4 +1,4 @@
 github: [JadedBlueEyes, nexy7574, gingershaped]
 custom:
-  - https://ko-fi.com/nexy7574
-  - https://ko-fi.com/JadedBlueEyes
+  - https://timedout.uk/donate.html
+  - https://jade.ellis.link/sponsors
--- a/Cargo.lock
+++ b/Cargo.lock
@ -94,9 +94,9 @@ dependencies = [

 [[package]]
 name = "anstyle"
-version = "1.0.13"
+version = "1.0.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5192cca8006f1fd4f7237516f40fa183bb07f8fbdfedaa0036de5ea9b0b45e78"
+checksum = "940b3a0ca603d1eade50a4846a2afffd5ef57a9feac2c0e2ec2e14f9ead76000"

 [[package]]
 name = "anyhow"
@ -221,7 +221,7 @@ dependencies = [
 "serde",
 "serde_derive",
 "unicode-ident",
- "winnow",
+ "winnow 0.7.15",
 ]

 [[package]]
@ -461,6 +461,7 @@ dependencies = [
 "axum",
 "axum-core",
 "bytes",
+ "cookie",
 "futures-core",
 "futures-util",
 "headers",
@ -750,9 +751,9 @@ dependencies = [

 [[package]]
 name = "cc"
-version = "1.2.56"
+version = "1.2.57"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "aebf35691d1bfb0ac386a69bac2fde4dd276fb618cf8bf4f5318fe285e821bb2"
+checksum = "7a0dd1ca384932ff3641c8718a02769f1698e7563dc6974ffd03346116310423"
 dependencies = [
 "find-msvc-tools",
 "jobserver",
@ -823,9 +824,9 @@ dependencies = [

 [[package]]
 name = "clap"
-version = "4.5.60"
+version = "4.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2797f34da339ce31042b27d23607e051786132987f595b02ba4f6a6dffb7030a"
+checksum = "b193af5b67834b676abd72466a96c1024e6a6ad978a1f484bd90b85c94041351"
 dependencies = [
 "clap_builder",
 "clap_derive",
@ -833,9 +834,9 @@ dependencies = [

 [[package]]
 name = "clap_builder"
-version = "4.5.60"
+version = "4.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "24a241312cea5059b13574bb9b3861cabf758b879c15190b37b6d6fd63ab6876"
+checksum = "714a53001bf66416adb0e2ef5ac857140e7dc3a0c48fb28b2f10762fc4b5069f"
 dependencies = [
 "anstyle",
 "clap_lex",
@ -843,9 +844,9 @@ dependencies = [

 [[package]]
 name = "clap_derive"
-version = "4.5.55"
+version = "4.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a92793da1a46a5f2a02a6f4c46c6496b28c43638adea8306fcb0caa1634f24e5"
+checksum = "1110bd8a634a1ab8cb04345d8d878267d57c3cf1b38d91b71af6686408bbca6a"
 dependencies = [
 "heck",
 "proc-macro2",
@ -855,9 +856,9 @@ dependencies = [

 [[package]]
 name = "clap_lex"
-version = "1.0.0"
+version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3a822ea5bc7590f9d40f1ba12c0dc3c2760f3482c6984db1573ad11031420831"
+checksum = "c8d4a3bb8b1e0c1050499d1815f5ab16d04f0959b233085fb31653fbfc9d98f9"

 [[package]]
 name = "cmake"
@ -905,7 +906,7 @@ dependencies = [

 [[package]]
 name = "conduwuit"
-version = "0.5.6"
+version = "0.5.7-alpha.1"
 dependencies = [
 "clap",
 "conduwuit_admin",
@ -937,7 +938,7 @@ dependencies = [

 [[package]]
 name = "conduwuit_admin"
-version = "0.5.6"
+version = "0.5.7-alpha.1"
 dependencies = [
 "clap",
 "conduwuit_api",
@ -958,7 +959,7 @@ dependencies = [

 [[package]]
 name = "conduwuit_api"
-version = "0.5.6"
+version = "0.5.7-alpha.1"
 dependencies = [
 "async-trait",
 "axum",
@ -990,14 +991,14 @@ dependencies = [

 [[package]]
 name = "conduwuit_build_metadata"
-version = "0.5.6"
+version = "0.5.7-alpha.1"
 dependencies = [
 "built",
 ]

 [[package]]
 name = "conduwuit_core"
-version = "0.5.6"
+version = "0.5.7-alpha.1"
 dependencies = [
 "argon2",
 "arrayvec",
@ -1059,7 +1060,7 @@ dependencies = [

 [[package]]
 name = "conduwuit_database"
-version = "0.5.6"
+version = "0.5.7-alpha.1"
 dependencies = [
 "async-channel",
 "conduwuit_core",
@ -1077,7 +1078,7 @@ dependencies = [

 [[package]]
 name = "conduwuit_macros"
-version = "0.5.6"
+version = "0.5.7-alpha.1"
 dependencies = [
 "itertools 0.14.0",
 "proc-macro2",
@ -1087,7 +1088,7 @@ dependencies = [

 [[package]]
 name = "conduwuit_router"
-version = "0.5.6"
+version = "0.5.7-alpha.1"
 dependencies = [
 "axum",
 "axum-client-ip",
@ -1121,7 +1122,7 @@ dependencies = [

 [[package]]
 name = "conduwuit_service"
-version = "0.5.6"
+version = "0.5.7-alpha.1"
 dependencies = [
 "askama",
 "async-trait",
@ -1163,16 +1164,26 @@ dependencies = [

 [[package]]
 name = "conduwuit_web"
-version = "0.5.6"
+version = "0.5.7-alpha.1"
 dependencies = [
 "askama",
+ "async-trait",
 "axum",
+ "axum-extra",
+ "base64 0.22.1",
 "conduwuit_build_metadata",
+ "conduwuit_core",
 "conduwuit_service",
 "futures",
+ "memory-serve",
 "rand 0.10.0",
+ "ruma",
+ "serde",
 "thiserror 2.0.18",
+ "tower-http",
+ "tower-sec-fetch",
 "tracing",
+ "validator",
 ]

 [[package]]
@ -1255,6 +1266,17 @@ dependencies = [
 "unicode-segmentation",
 ]

+[[package]]
+name = "cookie"
+version = "0.18.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4ddef33a339a91ea89fb53151bd0a4689cfce27055c291dfa69945475d22c747"
+dependencies = [
+ "percent-encoding",
+ "time",
+ "version_check",
+]
+
 [[package]]
 name = "coolor"
 version = "1.1.0"
@ -1507,6 +1529,41 @@ version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "817fa642fb0ee7fe42e95783e00e0969927b96091bdd4b9b1af082acd943913b"

+[[package]]
+name = "darling"
+version = "0.20.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fc7f46116c46ff9ab3eb1597a45688b6715c6e628b5c133e288e709a29bcb4ee"
+dependencies = [
+ "darling_core",
+ "darling_macro",
+]
+
+[[package]]
+name = "darling_core"
+version = "0.20.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0d00b9596d185e565c2207a0b01f8bd1a135483d02d9b7b0a54b11da8d53412e"
+dependencies = [
+ "fnv",
+ "ident_case",
+ "proc-macro2",
+ "quote",
+ "strsim",
+ "syn",
+]
+
+[[package]]
+name = "darling_macro"
+version = "0.20.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fc34b93ccb385b40dc71c6fceac4b2ad23662c7eeb248cf10d529b7e055b6ead"
+dependencies = [
+ "darling_core",
+ "quote",
+ "syn",
+]
+
 [[package]]
 name = "data-encoding"
 version = "2.10.0"
@ -2538,6 +2595,12 @@ version = "2.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3d3067d79b975e8844ca9eb072e16b31c3c1c36928edf9c6789548c524d0d954"

+[[package]]
+name = "ident_case"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b9e0384b61958566e926dc50660321d12159025e767c18e043daf26b70104c39"
+
 [[package]]
 name = "idna"
 version = "1.1.0"
@ -2561,9 +2624,9 @@ dependencies = [

 [[package]]
 name = "image"
-version = "0.25.9"
+version = "0.25.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e6506c6c10786659413faa717ceebcb8f70731c0a60cbae39795fdf114519c1a"
+checksum = "85ab80394333c02fe689eaf900ab500fbd0c2213da414687ebf995a65d5a6104"
 dependencies = [
 "bytemuck",
 "byteorder-lite",
@ -2579,8 +2642,8 @@ dependencies = [
 "rayon",
 "rgb",
 "tiff",
- "zune-core 0.5.1",
- "zune-jpeg 0.5.12",
+ "zune-core",
+ "zune-jpeg",
 ]

 [[package]]
@ -2866,9 +2929,9 @@ dependencies = [

 [[package]]
 name = "libz-sys"
-version = "1.1.24"
+version = "1.1.25"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4735e9cbde5aac84a5ce588f6b23a90b9b0b528f6c5a8db8a4aff300463a0839"
+checksum = "d52f4c29e2a68ac30c9087e1b772dc9f44a2b66ed44edf2266cf2be9b03dafc1"
 dependencies = [
 "cc",
 "pkg-config",
@ -3027,6 +3090,22 @@ version = "2.8.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79"

+[[package]]
+name = "memory-serve"
+version = "2.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "81b5bbad2035f57b1e95f66da606832edd935b47d82312e38e1ccffbcfb8a427"
+dependencies = [
+ "axum",
+ "brotli",
+ "flate2",
+ "mime_guess",
+ "sha256",
+ "tracing",
+ "urlencoding",
+ "walkdir",
+]
+
 [[package]]
 name = "meowlnir-antispam"
 version = "0.1.0"
@ -3043,6 +3122,16 @@ version = "0.3.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6877bb514081ee2a7ff5ef9de3281f14a4dd4bceac4c09388074a6b5df8a139a"

+[[package]]
+name = "mime_guess"
+version = "2.0.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f7c44f8e672c00fe5308fa235f821cb4198414e1c77935c1ab6948d3fd78550e"
+dependencies = [
+ "mime",
+ "unicase",
+]
+
 [[package]]
 name = "minicbor"
 version = "2.2.1"
@ -3115,9 +3204,9 @@ dependencies = [

 [[package]]
 name = "moxcms"
-version = "0.7.11"
+version = "0.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ac9557c559cd6fc9867e122e20d2cbefc9ca29d80d027a8e39310920ed2f0a97"
+checksum = "bb85c154ba489f01b25c0d36ae69a87e4a1c73a72631fc6c0eb6dde34a73e44b"
 dependencies = [
 "num-traits",
 "pxfm",
@ -3478,9 +3567,9 @@ dependencies = [

 [[package]]
 name = "once_cell"
-version = "1.21.3"
+version = "1.21.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "42f5e15c9953c5e4ccceeb2e7382a716482c34515315f7b03532b8b4e8393d2d"
+checksum = "9f7c3e4beb33f85d45ae3e3a1792185706c8e16d043238c593331cc7cd313b50"
 dependencies = [
 "critical-section",
 "portable-atomic",
@ -3828,7 +3917,29 @@ version = "3.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e67ba7e9b2b56446f1d419b1d807906278ffa1a658a8a5d8a39dcb1f5a78614f"
 dependencies = [
- "toml_edit 0.25.4+spec-1.1.0",
+ "toml_edit 0.25.5+spec-1.1.0",
+]
+
+[[package]]
+name = "proc-macro-error-attr2"
+version = "2.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "96de42df36bb9bba5542fe9f1a054b8cc87e172759a1868aa05c1f3acc89dfc5"
+dependencies = [
+ "proc-macro2",
+ "quote",
+]
+
+[[package]]
+name = "proc-macro-error2"
+version = "2.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "11ec05c52be0a07b08061f7dd003e7d7092e0472bc731b4af7bb1ef876109802"
+dependencies = [
+ "proc-macro-error-attr2",
+ "proc-macro2",
+ "quote",
+ "syn",
 ]

 [[package]]
@ -3966,9 +4077,9 @@ dependencies = [

 [[package]]
 name = "quinn-proto"
-version = "0.11.13"
+version = "0.11.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f1906b49b0c3bc04b5fe5d86a77925ae6524a19b816ae38ce1e426255f1d8a31"
+checksum = "434b42fec591c96ef50e21e886936e66d3cc3f737104fdb9b737c40ffb94c098"
 dependencies = [
 "bytes",
 "getrandom 0.3.4",
@ -4121,9 +4232,9 @@ dependencies = [

 [[package]]
 name = "ravif"
-version = "0.12.0"
+version = "0.13.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ef69c1990ceef18a116855938e74793a5f7496ee907562bd0857b6ac734ab285"
+checksum = "e52310197d971b0f5be7fe6b57530dcd27beb35c1b013f29d66c1ad73fbbcc45"
 dependencies = [
 "avif-serialize",
 "imgref",
@ -4156,9 +4267,9 @@ dependencies = [

 [[package]]
 name = "recaptcha-verify"
-version = "0.1.6"
+version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0d694033c2b0abdbb8893edfb367f16270e790be4a67e618206d811dbe4efee4"
+checksum = "409bf11a93fe93093f3c0254aab67576524f1e0524692615b5b63091dbc88a79"
 dependencies = [
 "reqwest",
 "serde",
@ -4632,6 +4743,15 @@ version = "1.0.23"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9774ba4a74de5f7b1c1451ed6cd5285a32eddb5cccb8cc655a4e50009e06477f"

+[[package]]
+name = "same-file"
+version = "1.0.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "93fc1dc3aaa9bfed95e02e6eadabb4baf7e3078b0bd1b4d7b6b0b68378900502"
+dependencies = [
+ "winapi-util",
+]
+
 [[package]]
 name = "sanitize-filename"
 version = "0.6.0"
@ -4654,9 +4774,9 @@ dependencies = [

 [[package]]
 name = "schannel"
-version = "0.1.28"
+version = "0.1.29"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "891d81b926048e76efe18581bf793546b4c0eaf8448d72be8de2bbee5fd166e1"
+checksum = "91c1b7e4904c873ef0710c1f407dde2e6287de2bebc1bbbf7d430bb7cbffd939"
 dependencies = [
 "windows-sys 0.61.2",
 ]
@ -4856,9 +4976,9 @@ dependencies = [

 [[package]]
 name = "serde-saphyr"
-version = "0.0.19"
+version = "0.0.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "29fb2d57f074f415e3ea6905994be8aca2bd7a17f8a0344cc43ed15bf240a547"
+checksum = "4a6fc4aa0da972ba0f51cf5c1bb16e9dba35334adc6831b09b3ffb0ec20bb264"
 dependencies = [
 "ahash",
 "annotate-snippets",
@ -4870,7 +4990,6 @@ dependencies = [
 "regex",
 "saphyr-parser-bw",
 "serde",
- "serde_json",
 "smallvec",
 "zmij",
 ]
@ -4914,7 +5033,6 @@ version = "1.0.149"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "83fc039473c5595ace860d8c4fafa220ff474b3fc6bfdb4293327f1a37e94d86"
 dependencies = [
- "indexmap",
 "itoa",
 "memchr",
 "serde",
@ -4995,6 +5113,19 @@ dependencies = [
 "digest",
 ]

+[[package]]
+name = "sha256"
+version = "1.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f880fc8562bdeb709793f00eb42a2ad0e672c4f883bbe59122b926eca935c8f6"
+dependencies = [
+ "async-trait",
+ "bytes",
+ "hex",
+ "sha2",
+ "tokio",
+]
+
 [[package]]
 name = "sharded-slab"
 version = "0.1.7"
@ -5163,6 +5294,12 @@ dependencies = [
 "quote",
 ]

+[[package]]
+name = "strsim"
+version = "0.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f"
+
 [[package]]
 name = "subslice"
 version = "0.2.3"
@ -5303,16 +5440,16 @@ dependencies = [

 [[package]]
 name = "tiff"
-version = "0.10.3"
+version = "0.11.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "af9605de7fee8d9551863fd692cce7637f548dbd9db9180fcc07ccc6d26c336f"
+checksum = "b63feaf3343d35b6ca4d50483f94843803b0f51634937cc2ec519fc32232bc52"
 dependencies = [
 "fax",
 "flate2",
 "half",
 "quick-error",
 "weezl",
- "zune-jpeg 0.4.21",
+ "zune-jpeg",
 ]

 [[package]]
@ -5386,9 +5523,9 @@ dependencies = [

 [[package]]
 name = "tinyvec"
-version = "1.10.0"
+version = "1.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bfa5fdc3bce6191a1dbc8c02d5c8bffcf557bafa17c124c5264a458f1b0613fa"
+checksum = "3e61e67053d25a4e82c844e8424039d9745781b3fc4f32b8d55ed50f5f667ef3"
 dependencies = [
 "tinyvec_macros",
 ]
@ -5497,7 +5634,7 @@ dependencies = [
 "toml_datetime 0.7.5+spec-1.1.0",
 "toml_parser",
 "toml_writer",
- "winnow",
+ "winnow 0.7.15",
 ]

 [[package]]
@ -5520,9 +5657,9 @@ dependencies = [

 [[package]]
 name = "toml_datetime"
-version = "1.0.0+spec-1.1.0"
+version = "1.0.1+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "32c2555c699578a4f59f0cc68e5116c8d7cabbd45e1409b989d4be085b53f13e"
+checksum = "9b320e741db58cac564e26c607d3cc1fdc4a88fd36c879568c07856ed83ff3e9"
 dependencies = [
 "serde_core",
 ]
@ -5538,28 +5675,28 @@ dependencies = [
 "serde_spanned 0.6.9",
 "toml_datetime 0.6.11",
 "toml_write",
- "winnow",
+ "winnow 0.7.15",
 ]

 [[package]]
 name = "toml_edit"
-version = "0.25.4+spec-1.1.0"
+version = "0.25.5+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7193cbd0ce53dc966037f54351dbbcf0d5a642c7f0038c382ef9e677ce8c13f2"
+checksum = "8ca1a40644a28bce036923f6a431df0b34236949d111cc07cb6dca830c9ef2e1"
 dependencies = [
 "indexmap",
- "toml_datetime 1.0.0+spec-1.1.0",
+ "toml_datetime 1.0.1+spec-1.1.0",
 "toml_parser",
- "winnow",
+ "winnow 1.0.0",
 ]

 [[package]]
 name = "toml_parser"
-version = "1.0.9+spec-1.1.0"
+version = "1.0.10+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "702d4415e08923e7e1ef96cd5727c0dfed80b4d2fa25db9647fe5eb6f7c5a4c4"
+checksum = "7df25b4befd31c4816df190124375d5a20c6b6921e2cad937316de3fccd63420"
 dependencies = [
- "winnow",
+ "winnow 1.0.0",
 ]

 [[package]]
@ -5570,9 +5707,9 @@ checksum = "5d99f8c9a7727884afe522e9bd5edbfc91a3312b36a77b5fb8926e4c31a41801"

 [[package]]
 name = "toml_writer"
-version = "1.0.6+spec-1.1.0"
+version = "1.0.7+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ab16f14aed21ee8bfd8ec22513f7287cd4a91aa92e44edfe2c17ddd004e92607"
+checksum = "f17aaa1c6e3dc22b1da4b6bba97d066e354c7945cac2f7852d4e4e7ca7a6b56d"

 [[package]]
 name = "tonic"
@ -5663,6 +5800,18 @@ version = "0.3.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "121c2a6cda46980bb0fcd1647ffaf6cd3fc79a013de288782836f6df9c48780e"

+[[package]]
+name = "tower-sec-fetch"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ff1e78d241de2527d3ef67e49d65d8cb08468c644c3aafac7a988c4accd76547"
+dependencies = [
+ "futures",
+ "http",
+ "tower",
+ "tracing",
+]
+
 [[package]]
 name = "tower-service"
 version = "0.3.3"
@ -5675,6 +5824,7 @@ version = "0.1.44"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "63e71662fa4b2a2c3a26f570f037eb95bb1f85397f3cd8076caed2f026a6d100"
 dependencies = [
+ "log",
 "pin-project-lite",
 "tracing-attributes",
 "tracing-core",
@ -5752,9 +5902,9 @@ dependencies = [

 [[package]]
 name = "tracing-subscriber"
-version = "0.3.22"
+version = "0.3.23"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2f30143827ddab0d256fd843b7a66d164e9f271cfa0dde49142c5ca0ca291f1e"
+checksum = "cb7f578e5945fb242538965c2d0b04418d38ec25c79d160cd279bf0731c8d319"
 dependencies = [
 "matchers",
 "nu-ansi-term",
@ -5896,6 +6046,12 @@ dependencies = [
 "serde_derive",
 ]

+[[package]]
+name = "urlencoding"
+version = "2.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "daf8dba3b7eb870caf1ddeed7bc9d2a049f3cfdfae7cb521b087cc33ae4c49da"
+
 [[package]]
 name = "utf-8"
 version = "0.7.6"
@ -5931,6 +6087,36 @@ dependencies = [
 "wasm-bindgen",
 ]

+[[package]]
+name = "validator"
+version = "0.20.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "43fb22e1a008ece370ce08a3e9e4447a910e92621bb49b85d6e48a45397e7cfa"
+dependencies = [
+ "idna",
+ "once_cell",
+ "regex",
+ "serde",
+ "serde_derive",
+ "serde_json",
+ "url",
+ "validator_derive",
+]
+
+[[package]]
+name = "validator_derive"
+version = "0.20.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b7df16e474ef958526d1205f6dda359fdfab79d9aa6d54bafcb92dcd07673dca"
+dependencies = [
+ "darling",
+ "once_cell",
+ "proc-macro-error2",
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
 [[package]]
 name = "valuable"
 version = "0.1.1"
@ -5949,6 +6135,16 @@ version = "0.9.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0b928f33d975fc6ad9f86c8f283853ad26bdd5b10b7f1542aa2fa15e2289105a"

+[[package]]
+name = "walkdir"
+version = "2.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "29790946404f91d9c5d06f9874efddea1dc06c5efe94541a7d6863108e3a5e4b"
+dependencies = [
+ "same-file",
+ "winapi-util",
+]
+
 [[package]]
 name = "want"
 version = "0.3.1"
@ -6163,6 +6359,15 @@ version = "0.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"

+[[package]]
+name = "winapi-util"
+version = "0.1.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22"
+dependencies = [
+ "windows-sys 0.61.2",
+]
+
 [[package]]
 name = "winapi-x86_64-pc-windows-gnu"
 version = "0.4.0"
@ -6406,6 +6611,15 @@ dependencies = [
 "memchr",
 ]

+[[package]]
+name = "winnow"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a90e88e4667264a994d34e6d1ab2d26d398dcdca8b7f52bec8668957517fc7d8"
+dependencies = [
+ "memchr",
+]
+
 [[package]]
 name = "winreg"
 version = "0.50.0"
@ -6540,7 +6754,7 @@ dependencies = [

 [[package]]
 name = "xtask"
-version = "0.5.6"
+version = "0.5.7-alpha.1"
 dependencies = [
 "askama",
 "cargo_metadata",
@ -6586,18 +6800,18 @@ dependencies = [

 [[package]]
 name = "zerocopy"
-version = "0.8.41"
+version = "0.8.42"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "96e13bc581734df6250836c59a5f44f3c57db9f9acb9dc8e3eaabdaf6170254d"
+checksum = "f2578b716f8a7a858b7f02d5bd870c14bf4ddbbcf3a4c05414ba6503640505e3"
 dependencies = [
 "zerocopy-derive",
 ]

 [[package]]
 name = "zerocopy-derive"
-version = "0.8.41"
+version = "0.8.42"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3545ea9e86d12ab9bba9fcd99b54c1556fd3199007def5a03c375623d05fac1c"
+checksum = "7e6cc098ea4d3bd6246687de65af3f920c430e236bee1e3bf2e441463f08a02f"
 dependencies = [
 "proc-macro2",
 "quote",
@ -6698,12 +6912,6 @@ dependencies = [
 "pkg-config",
 ]

-[[package]]
-name = "zune-core"
-version = "0.4.12"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3f423a2c17029964870cfaabb1f13dfab7d092a62a29a89264f4d36990ca414a"
-
 [[package]]
 name = "zune-core"
 version = "0.5.1"
@ -6721,18 +6929,9 @@ dependencies = [

 [[package]]
 name = "zune-jpeg"
-version = "0.4.21"
+version = "0.5.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "29ce2c8a9384ad323cf564b67da86e21d3cfdff87908bc1223ed5c99bc792713"
+checksum = "ec5f41c76397b7da451efd19915684f727d7e1d516384ca6bd0ec43ec94de23c"
 dependencies = [
- "zune-core 0.4.12",
-]
-
-[[package]]
-name = "zune-jpeg"
-version = "0.5.12"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "410e9ecef634c709e3831c2cfdb8d9c32164fae1c67496d5b68fff728eec37fe"
-dependencies = [
- "zune-core 0.5.1",
+ "zune-core",
 ]
--- a/Cargo.toml
+++ b/Cargo.toml
@ -12,7 +12,7 @@ license = "Apache-2.0"
 # See also `rust-toolchain.toml`
 readme = "README.md"
 repository = "https://forgejo.ellis.link/continuwuation/continuwuity"
-version = "0.5.6"
+version = "0.5.7-alpha.1"

 [workspace.metadata.crane]
 name = "conduwuit"
@ -99,7 +99,7 @@ features = [
 [workspace.dependencies.axum-extra]
 version = "0.12.0"
 default-features = false
-features = ["typed-header", "tracing"]
+features = ["typed-header", "tracing", "cookie"]

 [workspace.dependencies.axum-server]
 version = "0.7.2"
@ -159,7 +159,7 @@ features = ["raw_value"]

 # Used for appservice registration files
 [workspace.dependencies.serde-saphyr]
-version = "0.0.19"
+version = "0.0.21"

 # Used to load forbidden room/user regex from config
 [workspace.dependencies.serde_regex]
@ -969,3 +969,6 @@ needless_raw_string_hashes = "allow"

 # TODO: Enable this lint & fix all instances
 collapsible_if = "allow"
+
+# TODO: break these apart
+cognitive_complexity = "allow"
--- a/changelog.d/+6368729a.feature.md
+++ b/changelog.d/+6368729a.feature.md
@ -0,0 +1 @@
+Added support for using an admin command to issue self-service password reset links.
--- a/changelog.d/+space-permission-cascading.feature.md
+++ b/changelog.d/+space-permission-cascading.feature.md
@ -0,0 +1 @@
+Add Space permission cascading: power levels cascade from Spaces to child rooms, role-based room access with custom roles, continuous enforcement (auto-join/kick), and admin commands for role management. Server-wide default controlled by `space_permission_cascading` config flag (off by default), with per-Space overrides via `!admin space roles enable/disable <space>`.
--- a/changelog.d/1527.feature.md
+++ b/changelog.d/1527.feature.md
@ -0,0 +1 @@
+Add new config option to allow or disallow search engine indexing through a `<meta ../>` tag. Defaults to blocking indexing (`content="noindex"`). Contributed by @s1lv3r and @ginger.
--- a/conduwuit-example.toml
+++ b/conduwuit-example.toml
@ -25,6 +25,10 @@
 #
 # Also see the `[global.well_known]` config section at the very bottom.
 #
+# If `client` is not set under `[global.well_known]`, the server name will
+# be used as the base domain for user-facing links (such as password
+# reset links) created by Continuwuity.
+#
 # Examples of delegation:
 # - https://continuwuity.org/.well-known/matrix/server
 # - https://continuwuity.org/.well-known/matrix/client
@ -470,6 +474,18 @@
 #
 #suspend_on_register = false

+# Server-wide default for space permission cascading (power levels and
+# role-based access). Individual Spaces can override this via the
+# `com.continuwuity.space.cascading` state event or the admin command
+# `!admin space roles enable/disable <space>`.
+#
+#space_permission_cascading = false
+
+# Maximum number of spaces to cache role data for. When exceeded the
+# cache is cleared and repopulated on demand.
+#
+#space_roles_cache_flush_threshold = 1000
+
 # Enabling this setting opens registration to anyone without restrictions.
 # This makes your server vulnerable to abuse
 #
@ -1505,6 +1521,11 @@
 #
 #url_preview_user_agent = "continuwuity/<version> (bot; +https://continuwuity.org)"

+# Determines whether audio and video files will be downloaded for URL
+# previews.
+#
+#url_preview_allow_audio_video = false
+
 # List of forbidden room aliases and room IDs as strings of regex
 # patterns.
 #
@ -1790,6 +1811,11 @@
 #
 #config_reload_signal = true

+# Allow search engines and crawlers to index Continuwuity's built-in
+# webpages served under the `/_continuwuity/` prefix.
+#
+#allow_web_indexing = false
+
 [global.tls]

 # Path to a valid TLS certificate file.
--- a/docs/advanced/delegation.mdx
+++ b/docs/advanced/delegation.mdx
@ -109,9 +109,6 @@ Restart Continuwuity and your reverse proxy. Once that's done, visit these route
 {
  "m.homeserver": {
    "base_url": "https://matrix.example.com/"
-  },
-  "org.matrix.msc3575.proxy": {
-    "url": "https://matrix.example.com/"
  }
 }
 ```
--- a/docs/deploying/docker-compose.for-traefik.yml
+++ b/docs/deploying/docker-compose.for-traefik.yml
@ -6,6 +6,7 @@ services:
    ### then you are ready to go.
    image: forgejo.ellis.link/continuwuation/continuwuity:latest
    restart: unless-stopped
+    command: /sbin/conduwuit
    volumes:
      - db:/var/lib/continuwuity
      #- ./continuwuity.toml:/etc/continuwuity.toml
--- a/docs/deploying/docker-compose.with-caddy.yml
+++ b/docs/deploying/docker-compose.with-caddy.yml
@ -23,6 +23,7 @@ services:
        ### then you are ready to go.
        image: forgejo.ellis.link/continuwuation/continuwuity:latest
        restart: unless-stopped
+        command: /sbin/conduwuit
        volumes:
            - db:/var/lib/continuwuity
            - /etc/resolv.conf:/etc/resolv.conf:ro # Use the host's DNS resolver rather than Docker's.
--- a/docs/deploying/docker-compose.with-traefik.yml
+++ b/docs/deploying/docker-compose.with-traefik.yml
@ -6,6 +6,7 @@ services:
    ### then you are ready to go.
    image: forgejo.ellis.link/continuwuation/continuwuity:latest
    restart: unless-stopped
+    command: /sbin/conduwuit
    volumes:
      - db:/var/lib/continuwuity
      - /etc/resolv.conf:/etc/resolv.conf:ro # Use the host's DNS resolver rather than Docker's.
--- a/docs/deploying/docker-compose.yml
+++ b/docs/deploying/docker-compose.yml
@ -6,6 +6,7 @@ services:
        ### then you are ready to go.
        image: forgejo.ellis.link/continuwuation/continuwuity:latest
        restart: unless-stopped
+        command: /sbin/conduwuit
        ports:
            - 8448:6167
        volumes:
--- a/docs/deploying/docker.mdx
+++ b/docs/deploying/docker.mdx
@ -78,7 +78,7 @@ docker run -d \
  -e CONTINUWUITY_ALLOW_REGISTRATION="false" \
  --name continuwuity \
  forgejo.ellis.link/continuwuation/continuwuity:latest \
-  --execute "users create-user admin"
+  /sbin/conduwuit --execute "users create-user admin"
 ```

 Replace `matrix.example.com` with your actual server name and `admin` with
@ -141,7 +141,7 @@ compose file, add under the `continuwuity` service:
 services:
    continuwuity:
        image: forgejo.ellis.link/continuwuation/continuwuity:latest
-        command: --execute "users create-user admin"
+        command: /sbin/conduwuit --execute "users create-user admin"
        # ... rest of configuration
 ```

--- a/docs/deploying/freebsd.mdx
+++ b/docs/deploying/freebsd.mdx
@ -1,7 +1,7 @@
 # Continuwuity for FreeBSD

-Continuwuity currently does not provide FreeBSD builds or FreeBSD packaging. However, Continuwuity does build and work on FreeBSD using the system-provided RocksDB.
+Continuwuity doesn't provide official FreeBSD packages; however, a community-maintained set of packages is available on [Forgejo](https://forgejo.ellis.link/katie/continuwuity-bsd). Note that these are provided as standalone packages and are not part of a FreeBSD package repository (yet), so updates need to be downloaded and installed manually.

-Contributions to get Continuwuity packaged for FreeBSD are welcome.
+Please see the installation instructions in that repository. Direct any questions to its issue tracker or to [@katie:kat5.dev](https://matrix.to/#/@katie:kat5.dev).

-Please join our [Continuwuity BSD](https://matrix.to/#/%23bsd:continuwuity.org) community room.
+For general BSD support, please join our [Continuwuity BSD](https://matrix.to/#/%23bsd:continuwuity.org) community room.
--- a/docs/deploying/kubernetes.mdx
+++ b/docs/deploying/kubernetes.mdx
@ -39,6 +39,7 @@ spec:
        - name: continuwuity
          # use a sha hash <3
          image: forgejo.ellis.link/continuwuation/continuwuity:latest
+          command: ["/sbin/conduwuit"]
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
--- a/docs/plans/2026-03-17-space-permission-cascading-design.md
+++ b/docs/plans/2026-03-17-space-permission-cascading-design.md
@ -0,0 +1,226 @@
+# Space Permission Cascading — Design Document
+
+**Date:** 2026-03-17
+**Status:** Approved
+
+## Overview
+
+Server-side feature that allows user rights in a Space to cascade down to its
+direct child rooms. Includes power level cascading and role-based room access
+control. Enabled via a server-wide configuration flag, disabled by default.
+
+## Requirements
+
+1. Power levels defined in a Space cascade to all direct child rooms (Space
+   always wins over per-room overrides).
+2. Admins can define custom roles in a Space and assign them to users.
+3. Child rooms can require one or more roles for access.
+4. Enforcement is continuous — role revocation auto-kicks users from rooms they
+   no longer qualify for.
+5. Users are auto-joined to all qualifying child rooms when they join a Space or
+   receive a new role.
+6. Cascading applies to direct parent Space only; no nested cascade through
+   sub-spaces.
+7. Feature is toggled by a single server-wide config flag
+   (`space_permission_cascading`), off by default.
+
+## Configuration
+
+```toml
+# conduwuit-example.toml
+
+# Enable space permission cascading (power levels and role-based access).
+# When enabled, power levels cascade from Spaces to child rooms and rooms
+# can require roles for access. Applies to all Spaces on this server.
+# Default: false
+space_permission_cascading = false
+```
+
+## Custom State Events
+
+All events live in the Space room.
+
+### `m.space.roles` (state key: `""`)
+
+Defines the available roles for the Space. Two default roles (`admin` and `mod`)
+are created automatically when a Space is first encountered with the feature
+enabled.
+
+```json
+{
+  "roles": {
+    "admin": {
+      "description": "Space administrator",
+      "power_level": 100
+    },
+    "mod": {
+      "description": "Space moderator",
+      "power_level": 50
+    },
+    "nsfw": {
+      "description": "Access to NSFW content"
+    },
+    "vip": {
+      "description": "VIP member"
+    }
+  }
+}
+```
+
+- `description` (string, required): Human-readable description.
+- `power_level` (integer, optional): If present, users with this role receive
+  this power level in all child rooms. When a user holds multiple roles with
+  power levels, the highest value wins.
+
+### `m.space.role.member` (state key: user ID)
+
+Assigns roles to a user within the Space.
+
+```json
+{
+  "roles": ["nsfw", "vip"]
+}
+```
+
+### `m.space.role.room` (state key: room ID)
+
+Declares which roles a child room requires. A user must hold **all** listed
+roles to access the room.
+
+```json
+{
+  "required_roles": ["nsfw"]
+}
+```
+
+## Enforcement Rules
+
+All enforcement is skipped when `space_permission_cascading = false`.
+
+### 1. Join gating
+
+When a user attempts to join a room that is a direct child of a Space:
+
+- Look up the room's `m.space.role.room` event in the parent Space.
+- If the room has `required_roles`, check the user's `m.space.role.member`.
+- Reject the join if the user is missing any required role.
+
+### 2. Power level override
+
+For every user in a child room of a Space:
+
+- Look up their roles via `m.space.role.member` in the parent Space.
+- For each role that has a `power_level`, take the highest value.
+- Override the user's power level in the child room's `m.room.power_levels`.
+- Reject attempts to manually set per-room power levels that conflict with
+  Space-granted levels.
+
+### 3. Role revocation
+
+When an `m.space.role.member` event is updated and a role is removed:
+
+- Identify all child rooms that require the removed role.
+- Auto-kick the user from rooms they no longer qualify for.
+- Recalculate and update the user's power level in all child rooms.
+
+### 4. Room requirement change
+
+When an `m.space.role.room` event is updated with new requirements:
+
+- Check all current members of the room.
+- Auto-kick members who do not hold all newly required roles.
+
+### 5. Auto-join on role grant
+
+When an `m.space.role.member` event is updated and a role is added:
+
+- Find all child rooms where the user now meets all required roles.
+- Auto-join the user to qualifying rooms they are not already in.
+
+This also applies when a user first joins the Space — they are auto-joined to
+all child rooms they qualify for. Rooms with no role requirements auto-join all
+Space members.
+
+### 6. New child room
+
+When a new `m.space.child` event is added to a Space:
+
+- Auto-join all qualifying Space members to the new child room.
+
+## Caching & Indexing
+
+The source of truth is always the state events. The server maintains an
+in-memory index for fast enforcement lookups, following the same patterns as the
+existing `roomid_spacehierarchy_cache`.
+
+### Index structures
+
+| Index                        | Source event           |
+|------------------------------|------------------------|
+| Space → roles defined        | `m.space.roles`        |
+| Space → user → roles         | `m.space.role.member`  |
+| Space → room → required roles| `m.space.role.room`    |
+| Room → parent Space          | `m.space.child` (reverse lookup) |
+
+The Space → child rooms mapping already exists.
+
+### Cache invalidation triggers
+
+| Event changed              | Action                                              |
+|----------------------------|-----------------------------------------------------|
+| `m.space.roles`            | Refresh role definitions, revalidate all members    |
+| `m.space.role.member`      | Refresh user's roles, trigger auto-join/kick        |
+| `m.space.role.room`        | Refresh room requirements, trigger auto-join/kick   |
+| `m.space.child` added      | Index new child, auto-join qualifying members       |
+| `m.space.child` removed    | Remove from index (no auto-kick)                    |
+| Server startup             | Full rebuild from state events                      |
+
+## Admin Room Commands
+
+Roles are managed via the existing admin room interface, which sends the
+appropriate state events under the hood and triggers enforcement.
+
+```
+!admin space roles list <space>
+!admin space roles add <space> <role_name> [description] [power_level]
+!admin space roles remove <space> <role_name>
+!admin space roles assign <space> <user_id> <role_name>
+!admin space roles revoke <space> <user_id> <role_name>
+!admin space roles require <space> <room_id> <role_name>
+!admin space roles unrequire <space> <room_id> <role_name>
+!admin space roles user <space> <user_id>
+!admin space roles room <space> <room_id>
+```
+
+## Architecture
+
+**Approach:** Hybrid — state events for definition, database cache for
+enforcement.
+
+- State events are the source of truth and federate normally.
+- The server maintains an in-memory cache/index for fast enforcement.
+- Cache is invalidated on relevant state event changes and fully rebuilt on
+  startup.
+- All enforcement hooks (join gating, PL override, auto-join, auto-kick) check
+  the feature flag first and no-op when disabled.
+- Existing clients can manage roles via Developer Tools (custom state events).
+  The admin room commands provide a user-friendly interface.
+
+## Scope
+
+### In scope
+
+- Server-wide feature flag
+- Custom state events for role definition, assignment, and room requirements
+- Power level cascading (Space always wins)
+- Continuous enforcement (auto-join, auto-kick)
+- Admin room commands
+- In-memory caching with invalidation
+- Default `admin` (PL 100) and `mod` (PL 50) roles
+
+### Out of scope
+
+- Client-side UI for role management
+- Nested cascade through sub-spaces
+- Per-space opt-in/opt-out (it is server-wide)
+- Federation-specific logic beyond normal state event replication
--- a/docs/plans/2026-03-17-space-permission-cascading.md
+++ b/docs/plans/2026-03-17-space-permission-cascading.md
--- a/docs/public/.well-known/matrix/client
+++ b/docs/public/.well-known/matrix/client
@ -1 +1 @@
-{"m.homeserver":{"base_url": "https://matrix.continuwuity.org"},"org.matrix.msc3575.proxy":{"url": "https://matrix.continuwuity.org"},"org.matrix.msc4143.rtc_foci":[{"type":"livekit","livekit_service_url":"https://livekit.ellis.link"}]}
+{"m.homeserver":{"base_url": "https://matrix.continuwuity.org"},"org.matrix.msc4143.rtc_foci":[{"type":"livekit","livekit_service_url":"https://livekit.ellis.link"}]}
--- a/flake.lock
+++ b/flake.lock
@ -3,11 +3,11 @@
    "advisory-db": {
      "flake": false,
      "locked": {
-        "lastModified": 1772776993,
-        "narHash": "sha256-CpBa+UpogN0Xn1gMmgqQrzKGee+E8TCkgHar8/w6CRk=",
+        "lastModified": 1773786698,
+        "narHash": "sha256-o/J7ZculgwSs1L4H4UFlFZENOXTJzq1X0n71x6oNNvY=",
        "owner": "rustsec",
        "repo": "advisory-db",
-        "rev": "b3472341e37cbd4b8c27b052b2abb34792f4d3c4",
+        "rev": "99e9de91bb8b61f06ef234ff84e11f758ecd5384",
        "type": "github"
      },
      "original": {
@ -18,11 +18,11 @@
    },
    "crane": {
      "locked": {
-        "lastModified": 1772560058,
-        "narHash": "sha256-NuVKdMBJldwUXgghYpzIWJdfeB7ccsu1CC7B+NfSoZ8=",
+        "lastModified": 1773189535,
+        "narHash": "sha256-E1G/Or6MWeP+L6mpQ0iTFLpzSzlpGrITfU2220Gq47g=",
        "owner": "ipetkov",
        "repo": "crane",
-        "rev": "db590d9286ed5ce22017541e36132eab4e8b3045",
+        "rev": "6fa2fb4cf4a89ba49fc9dd5a3eb6cde99d388269",
        "type": "github"
      },
      "original": {
@ -39,11 +39,11 @@
        "rust-analyzer-src": "rust-analyzer-src"
      },
      "locked": {
-        "lastModified": 1772953398,
-        "narHash": "sha256-fTTHCaEvPLzWyZFxPud/G9HM3pNYmW/64Kj58hdH4+k=",
+        "lastModified": 1773732206,
+        "narHash": "sha256-HKibxaUXyWd4Hs+ZUnwo6XslvaFqFqJh66uL9tphU4Q=",
        "owner": "nix-community",
        "repo": "fenix",
-        "rev": "fc4863887d98fd879cf5f11af1d23d44d9bdd8ae",
+        "rev": "0aa13c1b54063a8d8679b28a5cd357ba98f4a56b",
        "type": "github"
      },
      "original": {
@ -89,11 +89,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1772773019,
-        "narHash": "sha256-E1bxHxNKfDoQUuvriG71+f+s/NT0qWkImXsYZNFFfCs=",
+        "lastModified": 1773734432,
+        "narHash": "sha256-IF5ppUWh6gHGHYDbtVUyhwy/i7D261P7fWD1bPefOsw=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "aca4d95fce4914b3892661bcb80b8087293536c6",
+        "rev": "cda48547b432e8d3b18b4180ba07473762ec8558",
        "type": "github"
      },
      "original": {
@ -132,11 +132,11 @@
    "rust-analyzer-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1772877513,
-        "narHash": "sha256-RcRGv2Bng5I9y75XwFX7oK2l6mLH1dtbTTG9U8qun0c=",
+        "lastModified": 1773697963,
+        "narHash": "sha256-xdKI77It9PM6eNrCcDZsnP4SKulZwk8VkDgBRVMnCb8=",
        "owner": "rust-lang",
        "repo": "rust-analyzer",
-        "rev": "a1b86d600f88be98643e5dd61d6ed26eda17c09e",
+        "rev": "2993637174252ff60a582fd1f55b9ab52c39db6d",
        "type": "github"
      },
      "original": {
@ -153,11 +153,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1772660329,
-        "narHash": "sha256-IjU1FxYqm+VDe5qIOxoW+pISBlGvVApRjiw/Y/ttJzY=",
+        "lastModified": 1773297127,
+        "narHash": "sha256-6E/yhXP7Oy/NbXtf1ktzmU8SdVqJQ09HC/48ebEGBpk=",
        "owner": "numtide",
        "repo": "treefmt-nix",
-        "rev": "3710e0e1218041bbad640352a0440114b1e10428",
+        "rev": "71b125cd05fbfd78cab3e070b73544abe24c5016",
        "type": "github"
      },
      "original": {
--- a/package-lock.json
+++ b/package-lock.json
@ -16,21 +16,21 @@
      }
    },
    "node_modules/@emnapi/core": {
-      "version": "1.8.1",
-      "resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.8.1.tgz",
-      "integrity": "sha512-AvT9QFpxK0Zd8J0jopedNm+w/2fIzvtPKPjqyw9jwvBaReTTqPBk9Hixaz7KbjimP+QNz605/XnjFcDAL2pqBg==",
+      "version": "1.9.0",
+      "resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.9.0.tgz",
+      "integrity": "sha512-0DQ98G9ZQZOxfUcQn1waV2yS8aWdZ6kJMbYCJB3oUBecjWYO1fqJ+a1DRfPF3O5JEkwqwP1A9QEN/9mYm2Yd0w==",
      "dev": true,
      "license": "MIT",
      "optional": true,
      "dependencies": {
-        "@emnapi/wasi-threads": "1.1.0",
+        "@emnapi/wasi-threads": "1.2.0",
        "tslib": "^2.4.0"
      }
    },
    "node_modules/@emnapi/runtime": {
-      "version": "1.8.1",
-      "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.8.1.tgz",
-      "integrity": "sha512-mehfKSMWjjNol8659Z8KxEMrdSJDDot5SXMq00dM8BN4o+CLNXQ0xH2V7EchNHV4RmbZLmmPdEaXZc5H2FXmDg==",
+      "version": "1.9.0",
+      "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.9.0.tgz",
+      "integrity": "sha512-QN75eB0IH2ywSpRpNddCRfQIhmJYBCJ1x5Lb3IscKAL8bMnVAKnRg8dCoXbHzVLLH7P38N2Z3mtulB7W0J0FKw==",
      "dev": true,
      "license": "MIT",
      "optional": true,
@ -39,9 +39,9 @@
      }
    },
    "node_modules/@emnapi/wasi-threads": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/@emnapi/wasi-threads/-/wasi-threads-1.1.0.tgz",
-      "integrity": "sha512-WI0DdZ8xFSbgMjR1sFsKABJ/C5OnRrjT06JXbZKexJGrDuPTzZdDYfFlsgcCXCyf+suG5QU2e/y1Wo2V/OapLQ==",
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/@emnapi/wasi-threads/-/wasi-threads-1.2.0.tgz",
+      "integrity": "sha512-N10dEJNSsUx41Z6pZsXU8FjPjpBEplgH24sfkmITrBED1/U2Esum9F3lfLrMjKHHjmi557zQn7kR9R+XWXu5Rg==",
      "dev": true,
      "license": "MIT",
      "optional": true,
@ -144,17 +144,22 @@
      }
    },
    "node_modules/@rsbuild/plugin-react": {
-      "version": "1.4.5",
-      "resolved": "https://registry.npmjs.org/@rsbuild/plugin-react/-/plugin-react-1.4.5.tgz",
-      "integrity": "sha512-eS2sXCedgGA/7bLu8yVtn48eE/GyPbXx4Q7OcutB01IQ1D2y8WSMBys4nwfrecy19utvw4NPn4gYDy52316+vg==",
+      "version": "1.4.6",
+      "resolved": "https://registry.npmjs.org/@rsbuild/plugin-react/-/plugin-react-1.4.6.tgz",
+      "integrity": "sha512-LAT6xHlEyZKA0VjF/ph5d50iyG+WSmBx+7g98HNZUwb94VeeTMZFB8qVptTkbIRMss3BNKOXmHOu71Lhsh9oEw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@rspack/plugin-react-refresh": "^1.6.0",
+        "@rspack/plugin-react-refresh": "^1.6.1",
        "react-refresh": "^0.18.0"
      },
      "peerDependencies": {
        "@rsbuild/core": "^1.0.0 || ^2.0.0-0"
+      },
+      "peerDependenciesMeta": {
+        "@rsbuild/core": {
+          "optional": true
+        }
      }
    },
    "node_modules/@rspack/binding": {
@ -362,9 +367,9 @@
      }
    },
    "node_modules/@rspress/core": {
-      "version": "2.0.4",
-      "resolved": "https://registry.npmjs.org/@rspress/core/-/core-2.0.4.tgz",
-      "integrity": "sha512-OdeGMY75OFzyRZvXuBEMre3q8Y4/OjYJa4vVBDp4Z2E65LSt8+hYkzzkarEl6sFWqbp8c1o9qfSUf4xMctmKvw==",
+      "version": "2.0.5",
+      "resolved": "https://registry.npmjs.org/@rspress/core/-/core-2.0.5.tgz",
+      "integrity": "sha512-2ezGmANmIrWmhsUrvlRb9Df4xsun1BDgEertDc890aQqtKcNrbu+TBRsOoO+E/N6ioavun7JGGe1wWjvxubCHw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@ -372,7 +377,7 @@
        "@mdx-js/react": "^3.1.1",
        "@rsbuild/core": "2.0.0-beta.6",
        "@rsbuild/plugin-react": "~1.4.5",
-        "@rspress/shared": "2.0.4",
+        "@rspress/shared": "2.0.5",
        "@shikijs/rehype": "^4.0.1",
        "@types/unist": "^3.0.3",
        "@unhead/react": "^2.1.9",
@ -399,6 +404,8 @@
        "react-router-dom": "^7.13.1",
        "rehype-external-links": "^3.0.0",
        "rehype-raw": "^7.0.0",
+        "remark-cjk-friendly": "^2.0.1",
+        "remark-cjk-friendly-gfm-strikethrough": "^2.0.1",
        "remark-gfm": "^4.0.1",
        "remark-mdx": "^3.1.1",
        "remark-parse": "^11.0.0",
@ -420,35 +427,35 @@
      }
    },
    "node_modules/@rspress/plugin-client-redirects": {
-      "version": "2.0.4",
-      "resolved": "https://registry.npmjs.org/@rspress/plugin-client-redirects/-/plugin-client-redirects-2.0.4.tgz",
-      "integrity": "sha512-cm7VNfisVCHe+YHNjd9YrWt6/WtJ5I/oNRyjt+tqCeOcC1IJSX2LhNXpNN5h9az3wxYn37kVctBUjzqkj2FQ+A==",
+      "version": "2.0.5",
+      "resolved": "https://registry.npmjs.org/@rspress/plugin-client-redirects/-/plugin-client-redirects-2.0.5.tgz",
+      "integrity": "sha512-sxwWzwHPefSPWUyV6/AA/hBlQUeNFntL8dBQi/vZCQiZHM6ShvKbqa3s5Xu2yI7DeFKHH3jb0VGbjufu8M3Ypw==",
      "dev": true,
      "license": "MIT",
      "engines": {
        "node": "^20.19.0 || >=22.12.0"
      },
      "peerDependencies": {
-        "@rspress/core": "^2.0.4"
+        "@rspress/core": "^2.0.5"
      }
    },
    "node_modules/@rspress/plugin-sitemap": {
-      "version": "2.0.4",
-      "resolved": "https://registry.npmjs.org/@rspress/plugin-sitemap/-/plugin-sitemap-2.0.4.tgz",
-      "integrity": "sha512-TKaj3/8+P1fP3sD5NOaWVMXvRvJFQmuJQlUBxhRM0oiUHhzNNkVy/2YXkjYJuXuMhFPLnOWCjrYjTG3xcZE7Wg==",
+      "version": "2.0.5",
+      "resolved": "https://registry.npmjs.org/@rspress/plugin-sitemap/-/plugin-sitemap-2.0.5.tgz",
+      "integrity": "sha512-wBxKL8sNd3bkKFxlFtB1xJ7jCtSRDL6pfVvWsmTIbTNDPCtefd1nmiMBIDMLOR8EflwuStIz3bMQXdWpbC7ahA==",
      "dev": true,
      "license": "MIT",
      "engines": {
        "node": "^20.19.0 || >=22.12.0"
      },
      "peerDependencies": {
-        "@rspress/core": "^2.0.4"
+        "@rspress/core": "^2.0.5"
      }
    },
    "node_modules/@rspress/shared": {
-      "version": "2.0.4",
-      "resolved": "https://registry.npmjs.org/@rspress/shared/-/shared-2.0.4.tgz",
-      "integrity": "sha512-os2nzsPgHKVFXjDoW7N53rmhLChCw/y2O2TGilT4w2A4HNJa2oJwRk0UryXbxxWD5C85HErTjovs2uBdhdOTtA==",
+      "version": "2.0.5",
+      "resolved": "https://registry.npmjs.org/@rspress/shared/-/shared-2.0.5.tgz",
+      "integrity": "sha512-Wdhh+VjU8zJWoVLhv9KJTRAZQ4X2V/Z81Lo2D0hQsa0Kj5F3EaxlMt5/dhX7DoflqNuZPZk/e7CSUB+gO/Umlg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@ -693,13 +700,13 @@
      "license": "ISC"
    },
    "node_modules/@unhead/react": {
-      "version": "2.1.10",
-      "resolved": "https://registry.npmjs.org/@unhead/react/-/react-2.1.10.tgz",
-      "integrity": "sha512-z9IzzkaCI1GyiBwVRMt4dGc2mOvsj9drbAdXGMy6DWpu9FwTR37ZTmAi7UeCVyIkpVdIaNalz7vkbvGG8afFng==",
+      "version": "2.1.12",
+      "resolved": "https://registry.npmjs.org/@unhead/react/-/react-2.1.12.tgz",
+      "integrity": "sha512-1xXFrxyw29f+kScXfEb0GxjlgtnHxoYau0qpW9k8sgWhQUNnE5gNaH3u+rNhd5IqhyvbdDRJpQ25zoz0HIyGaw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "unhead": "2.1.10"
+        "unhead": "2.1.12"
      },
      "funding": {
        "url": "https://github.com/sponsors/harlan-zw"
@ -1285,6 +1292,19 @@
        "node": "^8.16.0 || ^10.6.0 || >=11.0.0"
      }
    },
+    "node_modules/get-east-asian-width": {
+      "version": "1.5.0",
+      "resolved": "https://registry.npmjs.org/get-east-asian-width/-/get-east-asian-width-1.5.0.tgz",
+      "integrity": "sha512-CQ+bEO+Tva/qlmw24dCejulK5pMzVnUOFOijVogd3KQs07HnRIgp8TGipvCCRT06xeYEbpbgwaCxglFyiuIcmA==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
    "node_modules/github-slugger": {
      "version": "2.0.0",
      "resolved": "https://registry.npmjs.org/github-slugger/-/github-slugger-2.0.0.tgz",
@ -1558,9 +1578,9 @@
      }
    },
    "node_modules/hookable": {
-      "version": "6.0.1",
-      "resolved": "https://registry.npmjs.org/hookable/-/hookable-6.0.1.tgz",
-      "integrity": "sha512-uKGyY8BuzN/a5gvzvA+3FVWo0+wUjgtfSdnmjtrOVwQCZPHpHDH2WRO3VZSOeluYrHoDCiXFffZXs8Dj1ULWtw==",
+      "version": "6.1.0",
+      "resolved": "https://registry.npmjs.org/hookable/-/hookable-6.1.0.tgz",
+      "integrity": "sha512-ZoKZSJgu8voGK2geJS+6YtYjvIzu9AOM/KZXsBxr83uhLL++e9pEv/dlgwgy3dvHg06kTz6JOh1hk3C8Ceiymw==",
      "dev": true,
      "license": "MIT"
    },
@ -2176,6 +2196,80 @@
        "micromark-util-types": "^2.0.0"
      }
    },
+    "node_modules/micromark-extension-cjk-friendly": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/micromark-extension-cjk-friendly/-/micromark-extension-cjk-friendly-2.0.1.tgz",
+      "integrity": "sha512-OkzoYVTL1ChbvQ8Cc1ayTIz7paFQz8iS9oIYmewncweUSwmWR+hkJF9spJ1lxB90XldJl26A1F4IkPOKS3bDXw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "devlop": "^1.1.0",
+        "micromark-extension-cjk-friendly-util": "3.0.1",
+        "micromark-util-chunked": "^2.0.1",
+        "micromark-util-resolve-all": "^2.0.1",
+        "micromark-util-symbol": "^2.0.1"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "peerDependencies": {
+        "micromark": "^4.0.0",
+        "micromark-util-types": "^2.0.0"
+      },
+      "peerDependenciesMeta": {
+        "micromark-util-types": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/micromark-extension-cjk-friendly-gfm-strikethrough": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/micromark-extension-cjk-friendly-gfm-strikethrough/-/micromark-extension-cjk-friendly-gfm-strikethrough-2.0.1.tgz",
+      "integrity": "sha512-wVC0zwjJNqQeX+bb07YTPu/CvSAyCTafyYb7sMhX1r62/Lw5M/df3JyYaANyp8g15c1ypJRFSsookTqA1IDsUg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "devlop": "^1.1.0",
+        "get-east-asian-width": "^1.4.0",
+        "micromark-extension-cjk-friendly-util": "3.0.1",
+        "micromark-util-character": "^2.1.1",
+        "micromark-util-chunked": "^2.0.1",
+        "micromark-util-resolve-all": "^2.0.1",
+        "micromark-util-symbol": "^2.0.1"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "peerDependencies": {
+        "micromark": "^4.0.0",
+        "micromark-util-types": "^2.0.0"
+      },
+      "peerDependenciesMeta": {
+        "micromark-util-types": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/micromark-extension-cjk-friendly-util": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/micromark-extension-cjk-friendly-util/-/micromark-extension-cjk-friendly-util-3.0.1.tgz",
+      "integrity": "sha512-GcbXqTTHOsiZHyF753oIddP/J2eH8j9zpyQPhkof6B2JNxfEJabnQqxbCgzJNuNes0Y2jTNJ3LiYPSXr6eJA8w==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "get-east-asian-width": "^1.4.0",
+        "micromark-util-character": "^2.1.1",
+        "micromark-util-symbol": "^2.0.1"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "peerDependenciesMeta": {
+        "micromark-util-types": {
+          "optional": true
+        }
+      }
+    },
    "node_modules/micromark-extension-gfm": {
      "version": "3.0.0",
      "resolved": "https://registry.npmjs.org/micromark-extension-gfm/-/micromark-extension-gfm-3.0.0.tgz",
@ -2889,14 +2983,14 @@
      "license": "MIT"
    },
    "node_modules/oniguruma-to-es": {
-      "version": "4.3.4",
-      "resolved": "https://registry.npmjs.org/oniguruma-to-es/-/oniguruma-to-es-4.3.4.tgz",
-      "integrity": "sha512-3VhUGN3w2eYxnTzHn+ikMI+fp/96KoRSVK9/kMTcFqj1NRDh2IhQCKvYxDnWePKRXY/AqH+Fuiyb7VHSzBjHfA==",
+      "version": "4.3.5",
+      "resolved": "https://registry.npmjs.org/oniguruma-to-es/-/oniguruma-to-es-4.3.5.tgz",
+      "integrity": "sha512-Zjygswjpsewa0NLTsiizVuMQZbp0MDyM6lIt66OxsF21npUDlzpHi1Mgb/qhQdkb+dWFTzJmFbEWdvZgRho8eQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "oniguruma-parser": "^0.12.1",
-        "regex": "^6.0.1",
+        "regex": "^6.1.0",
        "regex-recursion": "^6.0.2"
      }
    },
@ -3242,6 +3336,50 @@
        "url": "https://opencollective.com/unified"
      }
    },
+    "node_modules/remark-cjk-friendly": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/remark-cjk-friendly/-/remark-cjk-friendly-2.0.1.tgz",
+      "integrity": "sha512-6WwkoQyZf/4j5k53zdFYrR8Ca+UVn992jXdLUSBDZR4eBpFhKyVxmA4gUHra/5fesjGIxrDhHesNr/sVoiiysA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "micromark-extension-cjk-friendly": "2.0.1"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "peerDependencies": {
+        "@types/mdast": "^4.0.0",
+        "unified": "^11.0.0"
+      },
+      "peerDependenciesMeta": {
+        "@types/mdast": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/remark-cjk-friendly-gfm-strikethrough": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/remark-cjk-friendly-gfm-strikethrough/-/remark-cjk-friendly-gfm-strikethrough-2.0.1.tgz",
+      "integrity": "sha512-pWKj25O2eLXIL1aBupayl1fKhco+Brw8qWUWJPVB9EBzbQNd7nGLj0nLmJpggWsGLR5j5y40PIdjxby9IEYTuA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "micromark-extension-cjk-friendly-gfm-strikethrough": "2.0.1"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "peerDependencies": {
+        "@types/mdast": "^4.0.0",
+        "unified": "^11.0.0"
+      },
+      "peerDependenciesMeta": {
+        "@types/mdast": {
+          "optional": true
+        }
+      }
+    },
    "node_modules/remark-gfm": {
      "version": "4.0.1",
      "resolved": "https://registry.npmjs.org/remark-gfm/-/remark-gfm-4.0.1.tgz",
@ -3587,9 +3725,9 @@
      }
    },
    "node_modules/unhead": {
-      "version": "2.1.10",
-      "resolved": "https://registry.npmjs.org/unhead/-/unhead-2.1.10.tgz",
-      "integrity": "sha512-We8l9uNF8zz6U8lfQaVG70+R/QBfQx1oPIgXin4BtZnK2IQpz6yazQ0qjMNVBDw2ADgF2ea58BtvSK+XX5AS7g==",
+      "version": "2.1.12",
+      "resolved": "https://registry.npmjs.org/unhead/-/unhead-2.1.12.tgz",
+      "integrity": "sha512-iTHdWD9ztTunOErtfUFk6Wr11BxvzumcYJ0CzaSCBUOEtg+DUZ9+gnE99i8QkLFT2q1rZD48BYYGXpOZVDLYkA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
--- a/pkg/conduwuit.service
+++ b/pkg/conduwuit.service
@ -18,6 +18,7 @@ Environment="CONTINUWUITY_DATABASE_PATH=%S/conduwuit"
 Environment="CONTINUWUITY_CONFIG_RELOAD_SIGNAL=true"

 LoadCredential=conduwuit.toml:/etc/conduwuit/conduwuit.toml
+RefreshOnReload=yes

 ExecStart=/usr/bin/conduwuit --config ${CREDENTIALS_DIRECTORY}/conduwuit.toml

--- a/renovate.json
+++ b/renovate.json
@ -1,6 +1,6 @@
 {
    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-    "extends": ["config:recommended", "replacements:all"],
+    "extends": ["config:recommended", "replacements:all", ":semanticCommitTypeAll(chore)"],
    "dependencyDashboard": true,
    "osvVulnerabilityAlerts": true,
    "lockFileMaintenance": {
@ -36,10 +36,18 @@
    },
    "packageRules": [
        {
-            "description": "Batch patch-level Rust dependency updates",
+            "description": "Batch minor and patch Rust dependency updates",
+            "matchManagers": ["cargo"],
+            "matchUpdateTypes": ["minor", "patch"],
+            "matchCurrentVersion": ">=1.0.0",
+            "groupName": "rust-non-major"
+        },
+        {
+            "description": "Batch patch-level zerover Rust dependency updates",
            "matchManagers": ["cargo"],
            "matchUpdateTypes": ["patch"],
-            "groupName": "rust-patch-updates"
+            "matchCurrentVersion": ">=0.1.0,<1.0.0",
+            "groupName": "rust-zerover-patch-updates"
        },
        {
            "description": "Limit concurrent Cargo PRs",
--- a/src/admin/admin.rs
+++ b/src/admin/admin.rs
@ -11,6 +11,7 @@ use crate::{
 	query::{self, QueryCommand},
 	room::{self, RoomCommand},
 	server::{self, ServerCommand},
+	space::{self, SpaceCommand},
 	token::{self, TokenCommand},
 	user::{self, UserCommand},
 };
@ -34,6 +35,10 @@ pub enum AdminCommand {
 	/// Commands for managing rooms
 	Rooms(RoomCommand),

+	#[command(subcommand)]
+	/// Commands for managing space permissions
+	Spaces(SpaceCommand),
+
 	#[command(subcommand)]
 	/// Commands for managing federation
 	Federation(FederationCommand),
@ -81,6 +86,10 @@ pub(super) async fn process(command: AdminCommand, context: &Context<'_>) -> Res
 			token::process(command, context).await
 		},
 		| Rooms(command) => room::process(command, context).await,
+		| Spaces(command) => {
+			context.bail_restricted()?;
+			space::process(command, context).await
+		},
 		| Federation(command) => federation::process(command, context).await,
 		| Server(command) => server::process(command, context).await,
 		| Debug(command) => debug::process(command, context).await,
--- a/src/admin/mod.rs
+++ b/src/admin/mod.rs
@ -17,6 +17,7 @@ pub(crate) mod media;
 pub(crate) mod query;
 pub(crate) mod room;
 pub(crate) mod server;
+pub(crate) mod space;
 pub(crate) mod token;
 pub(crate) mod user;

--- a/src/admin/space/mod.rs
+++ b/src/admin/space/mod.rs
@ -0,0 +1,15 @@
+pub(super) mod roles;
+
+use clap::Subcommand;
+use conduwuit::Result;
+
+use self::roles::SpaceRolesCommand;
+use crate::admin_command_dispatch;
+
+#[admin_command_dispatch]
+#[derive(Debug, Subcommand)]
+pub enum SpaceCommand {
+	#[command(subcommand)]
+	/// Manage space roles and permissions
+	Roles(SpaceRolesCommand),
+}
--- a/src/admin/space/roles.rs
+++ b/src/admin/space/roles.rs
@ -0,0 +1,632 @@
+use std::fmt::Write;
+
+use clap::Subcommand;
+use conduwuit::{Err, Event, Result, matrix::pdu::PduBuilder};
+use conduwuit_core::matrix::space_roles::{
+	RoleDefinition, SPACE_CASCADING_EVENT_TYPE, SPACE_ROLE_MEMBER_EVENT_TYPE,
+	SPACE_ROLE_ROOM_EVENT_TYPE, SPACE_ROLES_EVENT_TYPE, SpaceCascadingEventContent,
+	SpaceRoleMemberEventContent, SpaceRoleRoomEventContent, SpaceRolesEventContent,
+};
+use futures::StreamExt;
+use ruma::{OwnedRoomId, OwnedRoomOrAliasId, OwnedUserId, events::StateEventType};
+use serde_json::value::to_raw_value;
+
+use crate::{admin_command, admin_command_dispatch};
+
+fn roles_event_type() -> StateEventType {
+	StateEventType::from(SPACE_ROLES_EVENT_TYPE.to_owned())
+}
+
+fn member_event_type() -> StateEventType {
+	StateEventType::from(SPACE_ROLE_MEMBER_EVENT_TYPE.to_owned())
+}
+
+fn room_event_type() -> StateEventType {
+	StateEventType::from(SPACE_ROLE_ROOM_EVENT_TYPE.to_owned())
+}
+
+fn cascading_event_type() -> StateEventType {
+	StateEventType::from(SPACE_CASCADING_EVENT_TYPE.to_owned())
+}
+
+macro_rules! resolve_room_as_space {
+	($self:expr, $space:expr) => {{
+		let space_id = $self.services.rooms.alias.resolve(&$space).await?;
+		if !matches!(
+			$self
+				.services
+				.rooms
+				.state_accessor
+				.get_room_type(&space_id)
+				.await,
+			Ok(ruma::room::RoomType::Space)
+		) {
+			return Err!("The specified room is not a Space.");
+		}
+		space_id
+	}};
+}
+
+macro_rules! resolve_space {
+	($self:expr, $space:expr) => {{
+		let space_id = resolve_room_as_space!($self, $space);
+		if !$self
+			.services
+			.rooms
+			.roles
+			.is_enabled_for_space(&space_id)
+			.await
+		{
+			return $self
+				.write_str(
+					"Space permission cascading is disabled for this Space. Enable it \
+					 server-wide with `space_permission_cascading = true` in your config, or \
+					 per-Space with `!admin space roles enable <space>`.",
+				)
+				.await;
+		}
+		space_id
+	}};
+}
+
+macro_rules! custom_state_pdu {
+	($event_type:expr, $state_key:expr, $content:expr) => {
+		PduBuilder {
+			event_type: $event_type.to_owned().into(),
+			content: to_raw_value($content)
+				.map_err(|e| conduwuit::err!("Failed to serialize state event content: {e}"))?,
+			state_key: Some($state_key.to_owned().into()),
+			..PduBuilder::default()
+		}
+	};
+}
+
+/// Cascade-remove a role name from all state events of a given type. For each
+/// event that contains the role, the `$field` is filtered and the updated
+/// content is sent back as a new state event.
+macro_rules! cascade_remove_role {
+	(
+		$self:expr,
+		$shortstatehash:expr,
+		$event_type_fn:expr,
+		$event_type_const:expr,
+		$content_ty:ty,
+		$field:ident,
+		$role_name:expr,
+		$space_id:expr,
+		$state_lock:expr,
+		$server_user:expr
+	) => {{
+		let ev_type = $event_type_fn;
+		let entries: Vec<(_, ruma::OwnedEventId)> = $self
+			.services
+			.rooms
+			.state_accessor
+			.state_keys_with_ids($shortstatehash, &ev_type)
+			.collect()
+			.await;
+
+		for (state_key, event_id) in entries {
+			if let Ok(pdu) = $self.services.rooms.timeline.get_pdu(&event_id).await {
+				if let Ok(mut content) = pdu.get_content::<$content_ty>() {
+					if content.$field.contains($role_name) {
+						content.$field.retain(|r| r != $role_name);
+						$self
+							.services
+							.rooms
+							.timeline
+							.build_and_append_pdu(
+								custom_state_pdu!($event_type_const, &state_key, &content),
+								$server_user,
+								Some(&$space_id),
+								&$state_lock,
+							)
+							.await?;
+					}
+				}
+			}
+		}
+	}};
+}
+
+macro_rules! send_space_state {
+	($self:expr, $space_id:expr, $event_type:expr, $state_key:expr, $content:expr) => {{
+		let state_lock = $self.services.rooms.state.mutex.lock(&$space_id).await;
+		let server_user = &$self.services.globals.server_user;
+		$self
+			.services
+			.rooms
+			.timeline
+			.build_and_append_pdu(
+				custom_state_pdu!($event_type, $state_key, $content),
+				server_user,
+				Some(&$space_id),
+				&state_lock,
+			)
+			.await?
+	}};
+}
+
+#[admin_command_dispatch]
+#[derive(Debug, Subcommand)]
+pub enum SpaceRolesCommand {
+	/// List all roles defined in a space
+	List {
+		space: OwnedRoomOrAliasId,
+	},
+	/// Add a new role to a space
+	Add {
+		space: OwnedRoomOrAliasId,
+		role_name: String,
+		#[arg(long)]
+		description: Option<String>,
+		#[arg(long)]
+		power_level: Option<i64>,
+	},
+	/// Remove a role from a space
+	Remove {
+		space: OwnedRoomOrAliasId,
+		role_name: String,
+	},
+	/// Assign a role to a user
+	Assign {
+		space: OwnedRoomOrAliasId,
+		user_id: OwnedUserId,
+		role_name: String,
+	},
+	/// Revoke a role from a user
+	Revoke {
+		space: OwnedRoomOrAliasId,
+		user_id: OwnedUserId,
+		role_name: String,
+	},
+	/// Require a role for a room
+	Require {
+		space: OwnedRoomOrAliasId,
+		room_id: OwnedRoomId,
+		role_name: String,
+	},
+	/// Remove a role requirement from a room
+	Unrequire {
+		space: OwnedRoomOrAliasId,
+		room_id: OwnedRoomId,
+		role_name: String,
+	},
+	/// Show a user's roles in a space
+	User {
+		space: OwnedRoomOrAliasId,
+		user_id: OwnedUserId,
+	},
+	/// Show a room's role requirements in a space
+	Room {
+		space: OwnedRoomOrAliasId,
+		room_id: OwnedRoomId,
+	},
+	/// Enable space permission cascading for a specific space (overrides
+	/// server config)
+	Enable {
+		space: OwnedRoomOrAliasId,
+	},
+	/// Disable space permission cascading for a specific space (overrides
+	/// server config)
+	Disable {
+		space: OwnedRoomOrAliasId,
+	},
+	/// Show whether cascading is enabled for a space and the source (server
+	/// default or per-space override)
+	Status {
+		space: OwnedRoomOrAliasId,
+	},
+}
+
+#[admin_command]
+async fn list(&self, space: OwnedRoomOrAliasId) -> Result {
+	let space_id = resolve_space!(self, space);
+	let roles_event_type = roles_event_type();
+
+	let content: SpaceRolesEventContent = self
+		.services
+		.rooms
+		.state_accessor
+		.room_state_get_content(&space_id, &roles_event_type, "")
+		.await
+		.unwrap_or_default();
+
+	if content.roles.is_empty() {
+		return self.write_str("No roles defined in this space.").await;
+	}
+
+	let mut msg = format!("Roles in {space_id}:\n```\n");
+	for (name, def) in &content.roles {
+		let pl = def
+			.power_level
+			.map(|p| format!(" (power_level: {p})"))
+			.unwrap_or_default();
+		let _ = writeln!(msg, "- {name}: {}{pl}", def.description);
+	}
+	msg.push_str("```");
+
+	self.write_str(&msg).await
+}
+
+#[admin_command]
+async fn add(
+	&self,
+	space: OwnedRoomOrAliasId,
+	role_name: String,
+	description: Option<String>,
+	power_level: Option<i64>,
+) -> Result {
+	let space_id = resolve_space!(self, space);
+
+	if let Some(pl) = power_level {
+		if pl > i64::from(ruma::Int::MAX) || pl < i64::from(ruma::Int::MIN) {
+			return Err!(
+				"Power level must be between {} and {}.",
+				ruma::Int::MIN,
+				ruma::Int::MAX
+			);
+		}
+	}
+
+	let roles_event_type = roles_event_type();
+
+	let mut content: SpaceRolesEventContent = self
+		.services
+		.rooms
+		.state_accessor
+		.room_state_get_content(&space_id, &roles_event_type, "")
+		.await
+		.unwrap_or_default();
+
+	if content.roles.contains_key(&role_name) {
+		return Err!("Role '{role_name}' already exists in this space.");
+	}
+
+	content.roles.insert(role_name.clone(), RoleDefinition {
+		description: description.unwrap_or_else(|| role_name.clone()),
+		power_level,
+	});
+
+	send_space_state!(self, space_id, SPACE_ROLES_EVENT_TYPE, "", &content);
+
+	self.write_str(&format!("Added role '{role_name}' to space {space_id}."))
+		.await
+}
+
+#[admin_command]
+async fn remove(&self, space: OwnedRoomOrAliasId, role_name: String) -> Result {
+	let space_id = resolve_space!(self, space);
+	let roles_event_type = roles_event_type();
+
+	let mut content: SpaceRolesEventContent = self
+		.services
+		.rooms
+		.state_accessor
+		.room_state_get_content(&space_id, &roles_event_type, "")
+		.await
+		.unwrap_or_default();
+
+	if content.roles.remove(&role_name).is_none() {
+		return Err!("Role '{role_name}' does not exist in this space.");
+	}
+
+	send_space_state!(self, space_id, SPACE_ROLES_EVENT_TYPE, "", &content);
+
+	// Cascade: remove the deleted role from all member and room events
+	let server_user = &self.services.globals.server_user;
+	if let Ok(shortstatehash) = self
+		.services
+		.rooms
+		.state
+		.get_room_shortstatehash(&space_id)
+		.await
+	{
+		let state_lock = self.services.rooms.state.mutex.lock(&space_id).await;
+
+		cascade_remove_role!(
+			self,
+			shortstatehash,
+			member_event_type(),
+			SPACE_ROLE_MEMBER_EVENT_TYPE,
+			SpaceRoleMemberEventContent,
+			roles,
+			&role_name,
+			space_id,
+			state_lock,
+			server_user
+		);
+
+		cascade_remove_role!(
+			self,
+			shortstatehash,
+			room_event_type(),
+			SPACE_ROLE_ROOM_EVENT_TYPE,
+			SpaceRoleRoomEventContent,
+			required_roles,
+			&role_name,
+			space_id,
+			state_lock,
+			server_user
+		);
+	}
+
+	self.write_str(&format!("Removed role '{role_name}' from space {space_id}."))
+		.await
+}
+
+#[admin_command]
+async fn assign(
+	&self,
+	space: OwnedRoomOrAliasId,
+	user_id: OwnedUserId,
+	role_name: String,
+) -> Result {
+	let space_id = resolve_space!(self, space);
+
+	let roles_event_type = roles_event_type();
+	let role_defs: SpaceRolesEventContent = self
+		.services
+		.rooms
+		.state_accessor
+		.room_state_get_content(&space_id, &roles_event_type, "")
+		.await
+		.unwrap_or_default();
+
+	if !role_defs.roles.contains_key(&role_name) {
+		return Err!("Role '{role_name}' does not exist in this space.");
+	}
+
+	let member_event_type = member_event_type();
+
+	let mut content: SpaceRoleMemberEventContent = self
+		.services
+		.rooms
+		.state_accessor
+		.room_state_get_content(&space_id, &member_event_type, user_id.as_str())
+		.await
+		.unwrap_or_default();
+
+	if content.roles.contains(&role_name) {
+		return Err!("User {user_id} already has role '{role_name}' in this space.");
+	}
+
+	content.roles.push(role_name.clone());
+
+	send_space_state!(self, space_id, SPACE_ROLE_MEMBER_EVENT_TYPE, user_id.as_str(), &content);
+
+	self.write_str(&format!("Assigned role '{role_name}' to {user_id} in space {space_id}."))
+		.await
+}
+
+#[admin_command]
+async fn revoke(
+	&self,
+	space: OwnedRoomOrAliasId,
+	user_id: OwnedUserId,
+	role_name: String,
+) -> Result {
+	let space_id = resolve_space!(self, space);
+	let member_event_type = member_event_type();
+
+	let mut content: SpaceRoleMemberEventContent = self
+		.services
+		.rooms
+		.state_accessor
+		.room_state_get_content(&space_id, &member_event_type, user_id.as_str())
+		.await
+		.unwrap_or_default();
+
+	let original_len = content.roles.len();
+	content.roles.retain(|r| r != &role_name);
+
+	if content.roles.len() == original_len {
+		return Err!("User {user_id} does not have role '{role_name}' in this space.");
+	}
+
+	send_space_state!(self, space_id, SPACE_ROLE_MEMBER_EVENT_TYPE, user_id.as_str(), &content);
+
+	self.write_str(&format!("Revoked role '{role_name}' from {user_id} in space {space_id}."))
+		.await
+}
+
+#[admin_command]
+async fn require(
+	&self,
+	space: OwnedRoomOrAliasId,
+	room_id: OwnedRoomId,
+	role_name: String,
+) -> Result {
+	let space_id = resolve_space!(self, space);
+
+	let child_rooms = self.services.rooms.roles.get_child_rooms(&space_id).await;
+	if !child_rooms.contains(&room_id) {
+		return Err!("Room {room_id} is not a child of space {space_id}.");
+	}
+
+	let roles_event_type = roles_event_type();
+	let role_defs: SpaceRolesEventContent = self
+		.services
+		.rooms
+		.state_accessor
+		.room_state_get_content(&space_id, &roles_event_type, "")
+		.await
+		.unwrap_or_default();
+
+	if !role_defs.roles.contains_key(&role_name) {
+		return Err!("Role '{role_name}' does not exist in this space.");
+	}
+
+	let room_event_type = room_event_type();
+
+	let mut content: SpaceRoleRoomEventContent = self
+		.services
+		.rooms
+		.state_accessor
+		.room_state_get_content(&space_id, &room_event_type, room_id.as_str())
+		.await
+		.unwrap_or_default();
+
+	if content.required_roles.contains(&role_name) {
+		return Err!("Room {room_id} already requires role '{role_name}' in this space.");
+	}
+
+	content.required_roles.push(role_name.clone());
+
+	send_space_state!(self, space_id, SPACE_ROLE_ROOM_EVENT_TYPE, room_id.as_str(), &content);
+
+	self.write_str(&format!(
+		"Room {room_id} now requires role '{role_name}' in space {space_id}."
+	))
+	.await
+}
+
+#[admin_command]
+async fn unrequire(
+	&self,
+	space: OwnedRoomOrAliasId,
+	room_id: OwnedRoomId,
+	role_name: String,
+) -> Result {
+	let space_id = resolve_space!(self, space);
+	let room_event_type = room_event_type();
+
+	let mut content: SpaceRoleRoomEventContent = self
+		.services
+		.rooms
+		.state_accessor
+		.room_state_get_content(&space_id, &room_event_type, room_id.as_str())
+		.await
+		.unwrap_or_default();
+
+	let original_len = content.required_roles.len();
+	content.required_roles.retain(|r| r != &role_name);
+
+	if content.required_roles.len() == original_len {
+		return Err!("Room {room_id} does not require role '{role_name}' in this space.");
+	}
+
+	send_space_state!(self, space_id, SPACE_ROLE_ROOM_EVENT_TYPE, room_id.as_str(), &content);
+
+	self.write_str(&format!(
+		"Removed role requirement '{role_name}' from room {room_id} in space {space_id}."
+	))
+	.await
+}
+
+#[admin_command]
+async fn user(&self, space: OwnedRoomOrAliasId, user_id: OwnedUserId) -> Result {
+	let space_id = resolve_space!(self, space);
+
+	let roles = self
+		.services
+		.rooms
+		.roles
+		.get_user_roles_in_space(&space_id, &user_id)
+		.await;
+
+	match roles {
+		| Some(roles) if !roles.is_empty() => {
+			let list: String = roles
+				.iter()
+				.map(|r| format!("- {r}"))
+				.collect::<Vec<_>>()
+				.join("\n");
+			self.write_str(&format!("Roles for {user_id} in space {space_id}:\n```\n{list}\n```"))
+				.await
+		},
+		| _ =>
+			self.write_str(&format!("User {user_id} has no roles in space {space_id}."))
+				.await,
+	}
+}
+
+#[admin_command]
+async fn room(&self, space: OwnedRoomOrAliasId, room_id: OwnedRoomId) -> Result {
+	let space_id = resolve_space!(self, space);
+
+	let reqs = self
+		.services
+		.rooms
+		.roles
+		.get_room_requirements_in_space(&space_id, &room_id)
+		.await;
+
+	match reqs {
+		| Some(reqs) if !reqs.is_empty() => {
+			let list: String = reqs
+				.iter()
+				.map(|r| format!("- {r}"))
+				.collect::<Vec<_>>()
+				.join("\n");
+			self.write_str(&format!(
+				"Required roles for room {room_id} in space {space_id}:\n```\n{list}\n```"
+			))
+			.await
+		},
+		| _ =>
+			self.write_str(&format!(
+				"Room {room_id} has no role requirements in space {space_id}."
+			))
+			.await,
+	}
+}
+
+#[admin_command]
+async fn enable(&self, space: OwnedRoomOrAliasId) -> Result {
+	let space_id = resolve_room_as_space!(self, space);
+
+	self.services
+		.rooms
+		.roles
+		.ensure_default_roles(&space_id)
+		.await?;
+
+	let content = SpaceCascadingEventContent { enabled: true };
+	send_space_state!(self, space_id, SPACE_CASCADING_EVENT_TYPE, "", &content);
+
+	self.write_str(&format!("Space permission cascading enabled for {space_id}."))
+		.await
+}
+
+#[admin_command]
+async fn disable(&self, space: OwnedRoomOrAliasId) -> Result {
+	let space_id = resolve_room_as_space!(self, space);
+
+	let content = SpaceCascadingEventContent { enabled: false };
+	send_space_state!(self, space_id, SPACE_CASCADING_EVENT_TYPE, "", &content);
+
+	self.write_str(&format!("Space permission cascading disabled for {space_id}."))
+		.await
+}
+
+#[admin_command]
+async fn status(&self, space: OwnedRoomOrAliasId) -> Result {
+	let space_id = resolve_room_as_space!(self, space);
+
+	let global_default = self.services.rooms.roles.is_enabled();
+	let cascading_event_type = cascading_event_type();
+	let per_space_override: Option<bool> = self
+		.services
+		.rooms
+		.state_accessor
+		.room_state_get_content::<SpaceCascadingEventContent>(
+			&space_id,
+			&cascading_event_type,
+			"",
+		)
+		.await
+		.ok()
+		.map(|c| c.enabled);
+
+	let effective = per_space_override.unwrap_or(global_default);
+	let source = match per_space_override {
+		| Some(v) => format!("per-Space override (enabled: {v})"),
+		| None => format!("server default (space_permission_cascading: {global_default})"),
+	};
+
+	self.write_str(&format!(
+		"Cascading status for {space_id}:\n- Effective: **{effective}**\n- Source: {source}"
+	))
+	.await
+}
--- a/src/admin/user/commands.rs
+++ b/src/admin/user/commands.rs
@ -296,6 +296,31 @@ pub(super) async fn reset_password(
 	Ok(())
 }

+#[admin_command]
+pub(super) async fn issue_password_reset_link(&self, username: String) -> Result {
+	use conduwuit_service::password_reset::{PASSWORD_RESET_PATH, RESET_TOKEN_QUERY_PARAM};
+
+	self.bail_restricted()?;
+
+	let mut reset_url = self
+		.services
+		.config
+		.get_client_domain()
+		.join(PASSWORD_RESET_PATH)
+		.unwrap();
+
+	let user_id = parse_local_user_id(self.services, &username)?;
+	let token = self.services.password_reset.issue_token(user_id).await?;
+	reset_url
+		.query_pairs_mut()
+		.append_pair(RESET_TOKEN_QUERY_PARAM, &token.token);
+
+	self.write_str(&format!("Password reset link issued for {username}: {reset_url}"))
+		.await?;
+
+	Ok(())
+}
+
 #[admin_command]
 pub(super) async fn deactivate_all(&self, no_leave_rooms: bool, force: bool) -> Result {
 	if self.body.len() < 2
--- a/src/admin/user/mod.rs
+++ b/src/admin/user/mod.rs
@ -29,6 +29,12 @@ pub enum UserCommand {
 		password: Option<String>,
 	},

+	/// Issue a self-service password reset link for a user.
+	IssuePasswordResetLink {
+		/// Username of the user who may use the link
+		username: String,
+	},
+
 	/// Deactivate a user
 	///
 	/// User will be removed from all rooms by default.
--- a/src/api/client/membership/join.rs
+++ b/src/api/client/membership/join.rs
@ -347,6 +347,12 @@ pub async fn join_room_by_id_helper(
 		}
 	}

+	services
+		.rooms
+		.roles
+		.check_join_allowed(room_id, sender_user)
+		.await?;
+
 	if server_in_room {
 		join_room_by_id_helper_local(services, sender_user, room_id, reason, servers, state_lock)
 			.boxed()
--- a/src/core/config/mod.rs
+++ b/src/core/config/mod.rs
@ -68,6 +68,10 @@ pub struct Config {
 	///
 	/// Also see the `[global.well_known]` config section at the very bottom.
 	///
+	/// If `client` is not set under `[global.well_known]`, the server name will
+	/// be used as the base domain for user-facing links (such as password
+	/// reset links) created by Continuwuity.
+	///
 	/// Examples of delegation:
 	/// - https://continuwuity.org/.well-known/matrix/server
 	/// - https://continuwuity.org/.well-known/matrix/client
@ -603,6 +607,22 @@ pub struct Config {
 	#[serde(default)]
 	pub suspend_on_register: bool,

+	/// Server-wide default for space permission cascading (power levels and
+	/// role-based access). Individual Spaces can override this via the
+	/// `com.continuwuity.space.cascading` state event or the admin command
+	/// `!admin space roles enable/disable <space>`.
+	///
+	/// default: false
+	#[serde(default)]
+	pub space_permission_cascading: bool,
+
+	/// Maximum number of spaces to cache role data for. When exceeded the
+	/// cache is cleared and repopulated on demand.
+	///
+	/// default: 1000
+	#[serde(default = "default_space_roles_cache_flush_threshold")]
+	pub space_roles_cache_flush_threshold: u32,
+
 	/// Enabling this setting opens registration to anyone without restrictions.
 	/// This makes your server vulnerable to abuse
 	#[serde(default)]
@ -1735,6 +1755,11 @@ pub struct Config {
 	/// default: "continuwuity/<version> (bot; +https://continuwuity.org)"
 	pub url_preview_user_agent: Option<String>,

+	/// Determines whether audio and video files will be downloaded for URL
+	/// previews.
+	#[serde(default)]
+	pub url_preview_allow_audio_video: bool,
+
 	/// List of forbidden room aliases and room IDs as strings of regex
 	/// patterns.
 	///
@ -2084,6 +2109,13 @@ pub struct Config {
 	#[serde(default)]
 	pub force_disable_first_run_mode: bool,

+	/// Allow search engines and crawlers to index Continuwuity's built-in
+	/// webpages served under the `/_continuwuity/` prefix.
+	///
+	/// default: false
+	#[serde(default)]
+	pub allow_web_indexing: bool,
+
 	/// display: nested
 	#[serde(default)]
 	pub ldap: LdapConfig,
@ -2821,3 +2853,5 @@ fn default_ldap_search_filter() -> String { "(objectClass=*)".to_owned() }
 fn default_ldap_uid_attribute() -> String { String::from("uid") }

 fn default_ldap_name_attribute() -> String { String::from("givenName") }
+
+fn default_space_roles_cache_flush_threshold() -> u32 { 1000 }
--- a/src/core/matrix/mod.rs
+++ b/src/core/matrix/mod.rs
@ -2,6 +2,7 @@

 pub mod event;
 pub mod pdu;
+pub mod space_roles;
 pub mod state_key;
 pub mod state_res;

--- a/src/core/matrix/space_roles.rs
+++ b/src/core/matrix/space_roles.rs
@ -0,0 +1,81 @@
+use std::collections::BTreeMap;
+
+use serde::{Deserialize, Serialize};
+
+pub const SPACE_ROLES_EVENT_TYPE: &str = "com.continuwuity.space.roles";
+pub const SPACE_ROLE_MEMBER_EVENT_TYPE: &str = "com.continuwuity.space.role.member";
+pub const SPACE_ROLE_ROOM_EVENT_TYPE: &str = "com.continuwuity.space.role.room";
+pub const SPACE_CASCADING_EVENT_TYPE: &str = "com.continuwuity.space.cascading";
+
+#[derive(Clone, Debug, Default, Deserialize, Serialize, PartialEq, Eq)]
+pub struct SpaceRolesEventContent {
+	pub roles: BTreeMap<String, RoleDefinition>,
+}
+
+#[derive(Clone, Debug, Deserialize, Serialize, PartialEq, Eq)]
+pub struct RoleDefinition {
+	pub description: String,
+	#[serde(skip_serializing_if = "Option::is_none")]
+	pub power_level: Option<i64>,
+}
+
+#[derive(Clone, Debug, Default, Deserialize, Serialize, PartialEq, Eq)]
+pub struct SpaceRoleMemberEventContent {
+	pub roles: Vec<String>,
+}
+
+#[derive(Clone, Debug, Default, Deserialize, Serialize, PartialEq, Eq)]
+pub struct SpaceRoleRoomEventContent {
+	pub required_roles: Vec<String>,
+}
+
+#[derive(Clone, Debug, Deserialize, Serialize, PartialEq, Eq)]
+pub struct SpaceCascadingEventContent {
+	pub enabled: bool,
+}
+
+#[cfg(test)]
+mod tests {
+	use super::*;
+
+	#[test]
+	fn space_roles_roundtrip() {
+		let mut roles = BTreeMap::new();
+		roles.insert("admin".to_owned(), RoleDefinition {
+			description: "Space administrator".to_owned(),
+			power_level: Some(100),
+		});
+		roles.insert("nsfw".to_owned(), RoleDefinition {
+			description: "NSFW access".to_owned(),
+			power_level: None,
+		});
+		let content = SpaceRolesEventContent { roles };
+		let json = serde_json::to_string(&content).unwrap();
+		let deserialized: SpaceRolesEventContent = serde_json::from_str(&json).unwrap();
+		assert_eq!(deserialized.roles["admin"].power_level, Some(100));
+		assert!(deserialized.roles["nsfw"].power_level.is_none());
+	}
+
+	#[test]
+	fn power_level_omitted_in_serialization_when_none() {
+		let role = RoleDefinition {
+			description: "Test".to_owned(),
+			power_level: None,
+		};
+		let json = serde_json::to_string(&role).unwrap();
+		assert!(!json.contains("power_level"));
+	}
+
+	#[test]
+	fn negative_power_level() {
+		let json = r#"{"description":"Restricted","power_level":-10}"#;
+		let role: RoleDefinition = serde_json::from_str(json).unwrap();
+		assert_eq!(role.power_level, Some(-10));
+	}
+
+	#[test]
+	fn missing_description_fails() {
+		let json = r#"{"power_level":100}"#;
+		serde_json::from_str::<RoleDefinition>(json).unwrap_err();
+	}
+}
--- a/src/core/matrix/state_res/event_auth.rs
+++ b/src/core/matrix/state_res/event_auth.rs
@ -1224,6 +1224,7 @@ fn can_send_event(event: &impl Event, ple: Option<&impl Event>, user_level: Int)
 }

 /// Confirm that the event sender has the required power levels.
+#[allow(clippy::cognitive_complexity)]
 fn check_power_levels(
 	room_version: &RoomVersion,
 	power_event: &impl Event,
--- a/src/core/matrix/state_res/mod.rs
+++ b/src/core/matrix/state_res/mod.rs
@ -75,6 +75,7 @@ type Result<T, E = Error> = crate::Result<T, E>;
 /// event is part of the same room.
 //#[tracing::instrument(level = "debug", skip(state_sets, auth_chain_sets,
 //#[tracing::instrument(level event_fetch))]
+#[allow(clippy::cognitive_complexity)]
 pub async fn resolve<'a, Pdu, Sets, SetIter, Hasher, Fetch, FetchFut, Exists, ExistsFut>(
 	room_version: &RoomVersionId,
 	state_sets: Sets,
--- a/src/database/maps.rs
+++ b/src/database/maps.rs
@ -112,6 +112,10 @@ pub(super) static MAPS: &[Descriptor] = &[
 		name: "onetimekeyid_onetimekeys",
 		..descriptor::RANDOM_SMALL
 	},
+	Descriptor {
+		name: "passwordresettoken_info",
+		..descriptor::RANDOM_SMALL
+	},
 	Descriptor {
 		name: "pduid_pdu",
 		cache_disp: CacheDisp::SharedWith("eventid_outlierpdu"),
--- a/src/router/router.rs
+++ b/src/router/router.rs
@ -18,5 +18,5 @@ pub(crate) fn build(services: &Arc<Services>) -> (Router, Guard) {
 }

 async fn not_found(_uri: Uri) -> impl IntoResponse {
-	Error::Request(ErrorKind::Unrecognized, "Not Found".into(), StatusCode::NOT_FOUND)
+	Error::Request(ErrorKind::Unrecognized, "not found :(".into(), StatusCode::NOT_FOUND)
 }
--- a/src/service/Cargo.toml
+++ b/src/service/Cargo.toml
@ -121,7 +121,7 @@ webpage.workspace = true
 webpage.optional = true
 blurhash.workspace = true
 blurhash.optional = true
-recaptcha-verify = { version = "0.1.5", default-features = false }
+recaptcha-verify = { version = "0.2.0", default-features = false }
 yansi.workspace = true

 [target.'cfg(all(unix, target_os = "linux"))'.dependencies]
--- a/src/service/config/mod.rs
+++ b/src/service/config/mod.rs
@ -6,6 +6,7 @@ use conduwuit::{
 	config::{Config, check},
 	error, implement,
 };
+use url::Url;

 use crate::registration_tokens::{ValidToken, ValidTokenSource};

@ -23,6 +24,18 @@ impl Service {
 			.clone()
 			.map(|token| ValidToken { token, source: ValidTokenSource::Config })
 	}
+
+	/// Get the base domain to use for user-facing URLs.
+	#[must_use]
+	pub fn get_client_domain(&self) -> Url {
+		self.well_known.client.clone().unwrap_or_else(|| {
+			let host = self.server_name.host();
+			format!("https://{host}")
+				.as_str()
+				.try_into()
+				.expect("server name should be a valid host")
+		})
+	}
 }

 #[async_trait]
--- a/src/service/globals/mod.rs
+++ b/src/service/globals/mod.rs
@ -142,6 +142,10 @@ impl Service {
 		self.server.config.url_preview_check_root_domain
 	}

+	pub fn url_preview_allow_audio_video(&self) -> bool {
+		self.server.config.url_preview_allow_audio_video
+	}
+
 	pub fn forbidden_alias_names(&self) -> &RegexSet { &self.server.config.forbidden_alias_names }

 	pub fn forbidden_usernames(&self) -> &RegexSet { &self.server.config.forbidden_usernames }
--- a/src/service/media/data.rs
+++ b/src/service/media/data.rs
@ -207,6 +207,28 @@ impl Data {
 		value.extend_from_slice(&data.image_width.unwrap_or(0).to_be_bytes());
 		value.push(0xFF);
 		value.extend_from_slice(&data.image_height.unwrap_or(0).to_be_bytes());
+		value.push(0xFF);
+		value.extend_from_slice(
+			data.video
+				.as_ref()
+				.map(String::as_bytes)
+				.unwrap_or_default(),
+		);
+		value.push(0xFF);
+		value.extend_from_slice(&data.video_size.unwrap_or(0).to_be_bytes());
+		value.push(0xFF);
+		value.extend_from_slice(&data.video_width.unwrap_or(0).to_be_bytes());
+		value.push(0xFF);
+		value.extend_from_slice(&data.video_height.unwrap_or(0).to_be_bytes());
+		value.push(0xFF);
+		value.extend_from_slice(
+			data.audio
+				.as_ref()
+				.map(String::as_bytes)
+				.unwrap_or_default(),
+		);
+		value.push(0xFF);
+		value.extend_from_slice(&data.audio_size.unwrap_or(0).to_be_bytes());

 		self.url_previews.insert(url.as_bytes(), &value);

@ -267,6 +289,48 @@ impl Data {
 			| Some(0) => None,
 			| x => x,
 		};
+		let video = match values
+			.next()
+			.and_then(|b| String::from_utf8(b.to_vec()).ok())
+		{
+			| Some(s) if s.is_empty() => None,
+			| x => x,
+		};
+		let video_size = match values
+			.next()
+			.map(|b| usize::from_be_bytes(b.try_into().unwrap_or_default()))
+		{
+			| Some(0) => None,
+			| x => x,
+		};
+		let video_width = match values
+			.next()
+			.map(|b| u32::from_be_bytes(b.try_into().unwrap_or_default()))
+		{
+			| Some(0) => None,
+			| x => x,
+		};
+		let video_height = match values
+			.next()
+			.map(|b| u32::from_be_bytes(b.try_into().unwrap_or_default()))
+		{
+			| Some(0) => None,
+			| x => x,
+		};
+		let audio = match values
+			.next()
+			.and_then(|b| String::from_utf8(b.to_vec()).ok())
+		{
+			| Some(s) if s.is_empty() => None,
+			| x => x,
+		};
+		let audio_size = match values
+			.next()
+			.map(|b| usize::from_be_bytes(b.try_into().unwrap_or_default()))
+		{
+			| Some(0) => None,
+			| x => x,
+		};

 		Ok(UrlPreviewData {
 			title,
@ -275,6 +339,12 @@ impl Data {
 			image_size,
 			image_width,
 			image_height,
+			video,
+			video_size,
+			video_width,
+			video_height,
+			audio,
+			audio_size,
 		})
 	}
 }
--- a/src/service/media/preview.rs
+++ b/src/service/media/preview.rs
@ -10,6 +10,8 @@ use std::time::SystemTime;
 use conduwuit::{Err, Result, debug, err, utils::response::LimitReadExt};
 use conduwuit_core::implement;
 use ipaddress::IPAddress;
+#[cfg(feature = "url_preview")]
+use ruma::OwnedMxcUri;
 use serde::Serialize;
 use url::Url;

@ -29,6 +31,18 @@ pub struct UrlPreviewData {
 	pub image_width: Option<u32>,
 	#[serde(skip_serializing_if = "Option::is_none", rename(serialize = "og:image:height"))]
 	pub image_height: Option<u32>,
+	#[serde(skip_serializing_if = "Option::is_none", rename(serialize = "og:video"))]
+	pub video: Option<String>,
+	#[serde(skip_serializing_if = "Option::is_none", rename(serialize = "matrix:video:size"))]
+	pub video_size: Option<usize>,
+	#[serde(skip_serializing_if = "Option::is_none", rename(serialize = "og:video:width"))]
+	pub video_width: Option<u32>,
+	#[serde(skip_serializing_if = "Option::is_none", rename(serialize = "og:video:height"))]
+	pub video_height: Option<u32>,
+	#[serde(skip_serializing_if = "Option::is_none", rename(serialize = "og:audio"))]
+	pub audio: Option<String>,
+	#[serde(skip_serializing_if = "Option::is_none", rename(serialize = "matrix:audio:size"))]
+	pub audio_size: Option<usize>,
 }

 #[implement(Service)]
@ -96,7 +110,9 @@ async fn request_url_preview(&self, url: &Url) -> Result<UrlPreviewData> {

 	let data = match content_type {
 		| html if html.starts_with("text/html") => self.download_html(url.as_str()).await?,
-		| img if img.starts_with("image/") => self.download_image(url.as_str()).await?,
+		| img if img.starts_with("image/") => self.download_image(url.as_str(), None).await?,
+		| video if video.starts_with("video/") => self.download_video(url.as_str(), None).await?,
+		| audio if audio.starts_with("audio/") => self.download_audio(url.as_str(), None).await?,
 		| _ => return Err!(Request(Unknown("Unsupported Content-Type"))),
 	};

@ -107,11 +123,17 @@ async fn request_url_preview(&self, url: &Url) -> Result<UrlPreviewData> {

 #[cfg(feature = "url_preview")]
 #[implement(Service)]
-pub async fn download_image(&self, url: &str) -> Result<UrlPreviewData> {
+pub async fn download_image(
+	&self,
+	url: &str,
+	preview_data: Option<UrlPreviewData>,
+) -> Result<UrlPreviewData> {
 	use conduwuit::utils::random_string;
 	use image::ImageReader;
 	use ruma::Mxc;

+	let mut preview_data = preview_data.unwrap_or_default();
+
 	let image = self
 		.services
 		.client
@ -128,6 +150,7 @@ pub async fn download_image(&self, url: &str) -> Result<UrlPreviewData> {
 				.expect("u64 should fit in usize"),
 		)
 		.await?;
+
 	let mxc = Mxc {
 		server_name: self.services.globals.server_name(),
 		media_id: &random_string(super::MXC_LENGTH),
@ -135,27 +158,125 @@ pub async fn download_image(&self, url: &str) -> Result<UrlPreviewData> {

 	self.create(&mxc, None, None, None, &image).await?;

-	let cursor = std::io::Cursor::new(&image);
-	let (width, height) = match ImageReader::new(cursor).with_guessed_format() {
-		| Err(_) => (None, None),
-		| Ok(reader) => match reader.into_dimensions() {
+	preview_data.image = Some(mxc.to_string());
+	if preview_data.image_height.is_none() || preview_data.image_width.is_none() {
+		let cursor = std::io::Cursor::new(&image);
+		let (width, height) = match ImageReader::new(cursor).with_guessed_format() {
 			| Err(_) => (None, None),
-			| Ok((width, height)) => (Some(width), Some(height)),
-		},
+			| Ok(reader) => match reader.into_dimensions() {
+				| Err(_) => (None, None),
+				| Ok((width, height)) => (Some(width), Some(height)),
+			},
+		};
+
+		preview_data.image_width = width;
+		preview_data.image_height = height;
+	}
+
+	Ok(preview_data)
+}
+
+#[cfg(feature = "url_preview")]
+#[implement(Service)]
+pub async fn download_video(
+	&self,
+	url: &str,
+	preview_data: Option<UrlPreviewData>,
+) -> Result<UrlPreviewData> {
+	let mut preview_data = preview_data.unwrap_or_default();
+
+	if self.services.globals.url_preview_allow_audio_video() {
+		let (url, size) = self.download_media(url).await?;
+		preview_data.video = Some(url.to_string());
+		preview_data.video_size = Some(size);
+	}
+
+	Ok(preview_data)
+}
+
+#[cfg(feature = "url_preview")]
+#[implement(Service)]
+pub async fn download_audio(
+	&self,
+	url: &str,
+	preview_data: Option<UrlPreviewData>,
+) -> Result<UrlPreviewData> {
+	let mut preview_data = preview_data.unwrap_or_default();
+
+	if self.services.globals.url_preview_allow_audio_video() {
+		let (url, size) = self.download_media(url).await?;
+		preview_data.audio = Some(url.to_string());
+		preview_data.audio_size = Some(size);
+	}
+
+	Ok(preview_data)
+}
+
+#[cfg(feature = "url_preview")]
+#[implement(Service)]
+pub async fn download_media(&self, url: &str) -> Result<(OwnedMxcUri, usize)> {
+	use conduwuit::utils::random_string;
+	use http::header::CONTENT_TYPE;
+	use ruma::Mxc;
+
+	let response = self.services.client.url_preview.get(url).send().await?;
+	let content_type = response.headers().get(CONTENT_TYPE).cloned();
+	let media = response
+		.limit_read(
+			self.services
+				.server
+				.config
+				.max_request_size
+				.try_into()
+				.expect("u64 should fit in usize"),
+		)
+		.await?;
+
+	let mxc = Mxc {
+		server_name: self.services.globals.server_name(),
+		media_id: &random_string(super::MXC_LENGTH),
 	};

-	Ok(UrlPreviewData {
-		image: Some(mxc.to_string()),
-		image_size: Some(image.len()),
-		image_width: width,
-		image_height: height,
-		..Default::default()
-	})
+	let content_type = content_type.and_then(|v| v.to_str().map(ToOwned::to_owned).ok());
+	self.create(&mxc, None, None, content_type.as_deref(), &media)
+		.await?;
+
+	Ok((OwnedMxcUri::from(mxc.to_string()), media.len()))
 }

 #[cfg(not(feature = "url_preview"))]
 #[implement(Service)]
-pub async fn download_image(&self, _url: &str) -> Result<UrlPreviewData> {
+pub async fn download_image(
+	&self,
+	_url: &str,
+	_preview_data: Option<UrlPreviewData>,
+) -> Result<UrlPreviewData> {
+	Err!(FeatureDisabled("url_preview"))
+}
+
+#[cfg(not(feature = "url_preview"))]
+#[implement(Service)]
+pub async fn download_video(
+	&self,
+	_url: &str,
+	_preview_data: Option<UrlPreviewData>,
+) -> Result<UrlPreviewData> {
+	Err!(FeatureDisabled("url_preview"))
+}
+
+#[cfg(not(feature = "url_preview"))]
+#[implement(Service)]
+pub async fn download_audio(
+	&self,
+	_url: &str,
+	_preview_data: Option<UrlPreviewData>,
+) -> Result<UrlPreviewData> {
+	Err!(FeatureDisabled("url_preview"))
+}
+
+#[cfg(not(feature = "url_preview"))]
+#[implement(Service)]
+pub async fn download_media(&self, _url: &str) -> Result<UrlPreviewData> {
 	Err!(FeatureDisabled("url_preview"))
 }

@ -182,18 +303,29 @@ async fn download_html(&self, url: &str) -> Result<UrlPreviewData> {
 		return Err!(Request(Unknown("Failed to parse HTML")));
 	};

-	let mut data = match html.opengraph.images.first() {
-		| None => UrlPreviewData::default(),
-		| Some(obj) => self.download_image(&obj.url).await?,
-	};
+	let mut preview_data = UrlPreviewData::default();
+
+	if let Some(obj) = html.opengraph.images.first() {
+		preview_data = self.download_image(&obj.url, Some(preview_data)).await?;
+	}
+
+	if let Some(obj) = html.opengraph.videos.first() {
+		preview_data = self.download_video(&obj.url, Some(preview_data)).await?;
+		preview_data.video_width = obj.properties.get("width").and_then(|v| v.parse().ok());
+		preview_data.video_height = obj.properties.get("height").and_then(|v| v.parse().ok());
+	}
+
+	if let Some(obj) = html.opengraph.audios.first() {
+		preview_data = self.download_audio(&obj.url, Some(preview_data)).await?;
+	}

 	let props = html.opengraph.properties;

 	/* use OpenGraph title/description, but fall back to HTML if not available */
-	data.title = props.get("title").cloned().or(html.title);
-	data.description = props.get("description").cloned().or(html.description);
+	preview_data.title = props.get("title").cloned().or(html.title);
+	preview_data.description = props.get("description").cloned().or(html.description);

-	Ok(data)
+	Ok(preview_data)
 }

 #[cfg(not(feature = "url_preview"))]
--- a/src/service/migrations.rs
+++ b/src/service/migrations.rs
@ -1,8 +1,9 @@
 use std::{cmp, collections::HashMap, future::ready};

 use conduwuit::{
-	Err, Event, Pdu, Result, debug, debug_info, debug_warn, error, info,
+	Err, Event, Pdu, Result, debug, debug_info, debug_warn, err, error, info,
 	result::NotFound,
+	trace,
 	utils::{
 		IterStream, ReadyExt,
 		stream::{TryExpect, TryIgnore},
@ -57,6 +58,7 @@ pub(crate) async fn migrations(services: &Services) -> Result<()> {
 }

 async fn fresh(services: &Services) -> Result<()> {
+	info!("Creating new fresh database");
 	let db = &services.db;

 	services.globals.db.bump_database_version(DATABASE_VERSION);
@ -66,11 +68,18 @@ async fn fresh(services: &Services) -> Result<()> {
 	db["global"].insert(b"retroactively_fix_bad_data_from_roomuserid_joined", []);
 	db["global"].insert(b"fix_referencedevents_missing_sep", []);
 	db["global"].insert(b"fix_readreceiptid_readreceipt_duplicates", []);
+	db["global"].insert(b"fix_corrupt_msc4133_fields", []);
+	db["global"].insert(b"populate_userroomid_leftstate_table", []);
+	db["global"].insert(b"fix_local_invite_state", []);

 	// Create the admin room and server user on first run
-	crate::admin::create_admin_room(services).boxed().await?;
+	info!("Creating admin room and server user");
+	crate::admin::create_admin_room(services)
+		.boxed()
+		.await
+		.inspect_err(|e| error!("Failed to create admin room during db init: {e}"))?;

-	warn!("Created new RocksDB database with version {DATABASE_VERSION}");
+	info!("Created new database with version {DATABASE_VERSION}");

 	Ok(())
 }
@ -88,19 +97,33 @@ async fn migrate(services: &Services) -> Result<()> {
 	}

 	if services.globals.db.database_version().await < 12 {
-		db_lt_12(services).await?;
+		db_lt_12(services)
+			.await
+			.map_err(|e| err!("Failed to run v12 migrations: {e}"))?;
 	}

 	// This migration can be reused as-is anytime the server-default rules are
 	// updated.
 	if services.globals.db.database_version().await < 13 {
-		db_lt_13(services).await?;
+		db_lt_13(services)
+			.await
+			.map_err(|e| err!("Failed to run v13 migrations: {e}"))?;
 	}

 	if db["global"].get(b"feat_sha256_media").await.is_not_found() {
-		media::migrations::migrate_sha256_media(services).await?;
+		media::migrations::migrate_sha256_media(services)
+			.await
+			.map_err(|e| err!("Failed to run SHA256 media migration: {e}"))?;
 	} else if config.media_startup_check {
-		media::migrations::checkup_sha256_media(services).await?;
+		info!("Starting media startup integrity check.");
+		let now = std::time::Instant::now();
+		media::migrations::checkup_sha256_media(services)
+			.await
+			.map_err(|e| err!("Failed to verify media integrity: {e}"))?;
+		info!(
+			"Finished media startup integrity check in {} seconds.",
+			now.elapsed().as_secs_f32()
+		);
 	}

 	if db["global"]
@ -108,7 +131,12 @@ async fn migrate(services: &Services) -> Result<()> {
 		.await
 		.is_not_found()
 	{
-		fix_bad_double_separator_in_state_cache(services).await?;
+		info!("Running migration 'fix_bad_double_separator_in_state_cache'");
+		fix_bad_double_separator_in_state_cache(services)
+			.await
+			.map_err(|e| {
+				err!("Failed to run 'fix_bad_double_separator_in_state_cache' migration: {e}")
+			})?;
 	}

 	if db["global"]
@ -116,7 +144,15 @@ async fn migrate(services: &Services) -> Result<()> {
 		.await
 		.is_not_found()
 	{
-		retroactively_fix_bad_data_from_roomuserid_joined(services).await?;
+		info!("Running migration 'retroactively_fix_bad_data_from_roomuserid_joined'");
+		retroactively_fix_bad_data_from_roomuserid_joined(services)
+			.await
+			.map_err(|e| {
+				err!(
+					"Failed to run 'retroactively_fix_bad_data_from_roomuserid_joined' \
+					 migration: {e}"
+				)
+			})?;
 	}

 	if db["global"]
@ -125,7 +161,12 @@ async fn migrate(services: &Services) -> Result<()> {
 		.is_not_found()
 		|| services.globals.db.database_version().await < 17
 	{
-		fix_referencedevents_missing_sep(services).await?;
+		info!("Running migration 'fix_referencedevents_missing_sep'");
+		fix_referencedevents_missing_sep(services)
+			.await
+			.map_err(|e| {
+				err!("Failed to run 'fix_referencedevents_missing_sep' migration': {e}")
+			})?;
 	}

 	if db["global"]
@ -134,7 +175,12 @@ async fn migrate(services: &Services) -> Result<()> {
 		.is_not_found()
 		|| services.globals.db.database_version().await < 17
 	{
-		fix_readreceiptid_readreceipt_duplicates(services).await?;
+		info!("Running migration 'fix_readreceiptid_readreceipt_duplicates'");
+		fix_readreceiptid_readreceipt_duplicates(services)
+			.await
+			.map_err(|e| {
+				err!("Failed to run 'fix_readreceiptid_readreceipt_duplicates' migration': {e}")
+			})?;
 	}

 	if services.globals.db.database_version().await < 17 {
@ -147,7 +193,10 @@ async fn migrate(services: &Services) -> Result<()> {
 		.await
 		.is_not_found()
 	{
-		fix_corrupt_msc4133_fields(services).await?;
+		info!("Running migration 'fix_corrupt_msc4133_fields'");
+		fix_corrupt_msc4133_fields(services)
+			.await
+			.map_err(|e| err!("Failed to run 'fix_corrupt_msc4133_fields' migration': {e}"))?;
 	}

 	if services.globals.db.database_version().await < 18 {
@ -160,7 +209,12 @@ async fn migrate(services: &Services) -> Result<()> {
 		.await
 		.is_not_found()
 	{
-		populate_userroomid_leftstate_table(services).await?;
+		info!("Running migration 'populate_userroomid_leftstate_table'");
+		populate_userroomid_leftstate_table(services)
+			.await
+			.map_err(|e| {
+				err!("Failed to run 'populate_userroomid_leftstate_table' migration': {e}")
+			})?;
 	}

 	if db["global"]
@ -168,14 +222,17 @@ async fn migrate(services: &Services) -> Result<()> {
 		.await
 		.is_not_found()
 	{
-		fix_local_invite_state(services).await?;
+		info!("Running migration 'fix_local_invite_state'");
+		fix_local_invite_state(services)
+			.await
+			.map_err(|e| err!("Failed to run 'fix_local_invite_state' migration': {e}"))?;
 	}

 	assert_eq!(
 		services.globals.db.database_version().await,
 		DATABASE_VERSION,
-		"Failed asserting local database version {} is equal to known latest conduwuit database \
-		 version {}",
+		"Failed asserting local database version {} is equal to known latest continuwuity \
+		 database version {}",
 		services.globals.db.database_version().await,
 		DATABASE_VERSION,
 	);
@ -370,7 +427,7 @@ async fn db_lt_13(services: &Services) -> Result<()> {
 }

 async fn fix_bad_double_separator_in_state_cache(services: &Services) -> Result<()> {
-	warn!("Fixing bad double separator in state_cache roomuserid_joined");
+	info!("Fixing bad double separator in state_cache roomuserid_joined");

 	let db = &services.db;
 	let roomuserid_joined = &db["roomuserid_joined"];
@ -414,7 +471,7 @@ async fn fix_bad_double_separator_in_state_cache(services: &Services) -> Result<
 }

 async fn retroactively_fix_bad_data_from_roomuserid_joined(services: &Services) -> Result<()> {
-	warn!("Retroactively fixing bad data from broken roomuserid_joined");
+	info!("Retroactively fixing bad data from broken roomuserid_joined");

 	let db = &services.db;
 	let _cork = db.cork_and_sync();
@ -504,7 +561,7 @@ async fn retroactively_fix_bad_data_from_roomuserid_joined(services: &Services)
 }

 async fn fix_referencedevents_missing_sep(services: &Services) -> Result {
-	warn!("Fixing missing record separator between room_id and event_id in referencedevents");
+	info!("Fixing missing record separator between room_id and event_id in referencedevents");

 	let db = &services.db;
 	let cork = db.cork_and_sync();
@ -552,7 +609,7 @@ async fn fix_readreceiptid_readreceipt_duplicates(services: &Services) -> Result
 	type ArrayId = ArrayString<MAX_BYTES>;
 	type Key<'a> = (&'a RoomId, u64, &'a UserId);

-	warn!("Fixing undeleted entries in readreceiptid_readreceipt...");
+	info!("Fixing undeleted entries in readreceiptid_readreceipt...");

 	let db = &services.db;
 	let cork = db.cork_and_sync();
@ -606,7 +663,7 @@ async fn fix_corrupt_msc4133_fields(services: &Services) -> Result {
 	use serde_json::{Value, from_slice};
 	type KeyVal<'a> = ((OwnedUserId, String), &'a [u8]);

-	warn!("Fixing corrupted `us.cloke.msc4175.tz` fields...");
+	info!("Fixing corrupted `us.cloke.msc4175.tz` fields...");

 	let db = &services.db;
 	let cork = db.cork_and_sync();
@ -746,7 +803,18 @@ async fn fix_local_invite_state(services: &Services) -> Result {
 	let fixed =  userroomid_invitestate.stream()
 		// if they're a local user on this homeserver
 		.try_filter(|((user_id, _), _): &KeyVal<'_>| ready(services.globals.user_is_local(user_id)))
-		.and_then(async |((user_id, room_id), stripped_state): KeyVal<'_>| Ok::<_, conduwuit::Error>((user_id.to_owned(), room_id.to_owned(), stripped_state.deserialize()?)))
+		.and_then(async |((user_id, room_id), stripped_state): KeyVal<'_>| Ok::<_,
+			conduwuit::Error>((user_id.to_owned(), room_id.to_owned(), stripped_state.deserialize
+		().unwrap_or_else(|e| {
+			trace!("Failed to deserialize: {:?}", stripped_state.json());
+			warn!(
+				%user_id,
+				%room_id,
+				"Failed to deserialize stripped state for invite, removing from db: {e}"
+			);
+			userroomid_invitestate.del((user_id, room_id));
+			vec![]
+		}))))
 		.try_fold(0_usize, async |mut fixed, (user_id, room_id, stripped_state)| {
 			// and their invite state is None
 			if stripped_state.is_empty()
--- a/src/service/mod.rs
+++ b/src/service/mod.rs
@ -23,6 +23,7 @@ pub mod globals;
 pub mod key_backups;
 pub mod media;
 pub mod moderation;
+pub mod password_reset;
 pub mod presence;
 pub mod pusher;
 pub mod registration_tokens;
--- a/src/service/password_reset/data.rs
+++ b/src/service/password_reset/data.rs
@ -0,0 +1,68 @@
+use std::{
+	sync::Arc,
+	time::{Duration, SystemTime},
+};
+
+use conduwuit::utils::{ReadyExt, stream::TryExpect};
+use database::{Database, Deserialized, Json, Map};
+use ruma::{OwnedUserId, UserId};
+use serde::{Deserialize, Serialize};
+
+pub(super) struct Data {
+	passwordresettoken_info: Arc<Map>,
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+pub struct ResetTokenInfo {
+	pub user: OwnedUserId,
+	pub issued_at: SystemTime,
+}
+
+impl ResetTokenInfo {
+	// one hour
+	const MAX_TOKEN_AGE: Duration = Duration::from_secs(60 * 60);
+
+	pub fn is_valid(&self) -> bool {
+		let now = SystemTime::now();
+
+		now.duration_since(self.issued_at)
+			.is_ok_and(|duration| duration < Self::MAX_TOKEN_AGE)
+	}
+}
+
+impl Data {
+	pub(super) fn new(db: &Arc<Database>) -> Self {
+		Self {
+			passwordresettoken_info: db["passwordresettoken_info"].clone(),
+		}
+	}
+
+	/// Associate a reset token with its info in the database.
+	pub(super) fn save_token(&self, token: &str, info: &ResetTokenInfo) {
+		self.passwordresettoken_info.raw_put(token, Json(info));
+	}
+
+	/// Lookup the info for a reset token.
+	pub(super) async fn lookup_token_info(&self, token: &str) -> Option<ResetTokenInfo> {
+		self.passwordresettoken_info
+			.get(token)
+			.await
+			.deserialized()
+			.ok()
+	}
+
+	/// Find a user's existing reset token, if any.
+	pub(super) async fn find_token_for_user(
+		&self,
+		user: &UserId,
+	) -> Option<(String, ResetTokenInfo)> {
+		self.passwordresettoken_info
+			.stream::<'_, String, ResetTokenInfo>()
+			.expect_ok()
+			.ready_find(|(_, info)| info.user == user)
+			.await
+	}
+
+	/// Remove a reset token.
+	pub(super) fn remove_token(&self, token: &str) { self.passwordresettoken_info.remove(token); }
+}
--- a/src/service/password_reset/mod.rs
+++ b/src/service/password_reset/mod.rs
@ -0,0 +1,120 @@
+mod data;
+
+use std::{sync::Arc, time::SystemTime};
+
+use conduwuit::{Err, Result, utils};
+use data::{Data, ResetTokenInfo};
+use ruma::OwnedUserId;
+
+use crate::{Dep, globals, users};
+
+pub const PASSWORD_RESET_PATH: &str = "/_continuwuity/account/reset_password";
+pub const RESET_TOKEN_QUERY_PARAM: &str = "token";
+const RESET_TOKEN_LENGTH: usize = 32;
+
+pub struct Service {
+	db: Data,
+	services: Services,
+}
+
+struct Services {
+	users: Dep<users::Service>,
+	globals: Dep<globals::Service>,
+}
+
+#[derive(Debug)]
+pub struct ValidResetToken {
+	pub token: String,
+	pub info: ResetTokenInfo,
+}
+
+impl crate::Service for Service {
+	fn build(args: crate::Args<'_>) -> Result<Arc<Self>> {
+		Ok(Arc::new(Self {
+			db: Data::new(args.db),
+			services: Services {
+				users: args.depend::<users::Service>("users"),
+				globals: args.depend::<globals::Service>("globals"),
+			},
+		}))
+	}
+
+	fn name(&self) -> &str { crate::service::make_name(std::module_path!()) }
+}
+
+impl Service {
+	/// Generate a random string suitable to be used as a password reset token.
+	#[must_use]
+	pub fn generate_token_string() -> String { utils::random_string(RESET_TOKEN_LENGTH) }
+
+	/// Issue a password reset token for `user`, who must be a local user with
+	/// the `password` origin.
+	pub async fn issue_token(&self, user_id: OwnedUserId) -> Result<ValidResetToken> {
+		if !self.services.globals.user_is_local(&user_id) {
+			return Err!("Cannot issue a password reset token for remote user {user_id}");
+		}
+
+		if user_id == self.services.globals.server_user {
+			return Err!("Cannot issue a password reset token for the server user");
+		}
+
+		if self
+			.services
+			.users
+			.origin(&user_id)
+			.await
+			.unwrap_or_else(|_| "password".to_owned())
+			!= "password"
+		{
+			return Err!("Cannot issue a password reset token for non-internal user {user_id}");
+		}
+
+		if self.services.users.is_deactivated(&user_id).await? {
+			return Err!("Cannot issue a password reset token for deactivated user {user_id}");
+		}
+
+		if let Some((existing_token, _)) = self.db.find_token_for_user(&user_id).await {
+			self.db.remove_token(&existing_token);
+		}
+
+		let token = Self::generate_token_string();
+		let info = ResetTokenInfo {
+			user: user_id,
+			issued_at: SystemTime::now(),
+		};
+
+		self.db.save_token(&token, &info);
+
+		Ok(ValidResetToken { token, info })
+	}
+
+	/// Check if `token` represents a valid, non-expired password reset token.
+	pub async fn check_token(&self, token: &str) -> Option<ValidResetToken> {
+		self.db.lookup_token_info(token).await.and_then(|info| {
+			if info.is_valid() {
+				Some(ValidResetToken { token: token.to_owned(), info })
+			} else {
+				self.db.remove_token(token);
+				None
+			}
+		})
+	}
+
+	/// Consume the supplied valid token, using it to change its user's password
+	/// to `new_password`.
+	pub async fn consume_token(
+		&self,
+		ValidResetToken { token, info }: ValidResetToken,
+		new_password: &str,
+	) -> Result<()> {
+		if info.is_valid() {
+			self.db.remove_token(&token);
+			self.services
+				.users
+				.set_password(&info.user, Some(new_password))
+				.await?;
+		}
+
+		Ok(())
+	}
+}
--- a/src/service/rooms/mod.rs
+++ b/src/service/rooms/mod.rs
@ -7,6 +7,7 @@ pub mod metadata;
 pub mod outlier;
 pub mod pdu_metadata;
 pub mod read_receipt;
+pub mod roles;
 pub mod search;
 pub mod short;
 pub mod spaces;
@ -31,6 +32,7 @@ pub struct Service {
 	pub outlier: Arc<outlier::Service>,
 	pub pdu_metadata: Arc<pdu_metadata::Service>,
 	pub read_receipt: Arc<read_receipt::Service>,
+	pub roles: Arc<roles::Service>,
 	pub search: Arc<search::Service>,
 	pub short: Arc<short::Service>,
 	pub spaces: Arc<spaces::Service>,
--- a/src/service/rooms/roles/mod.rs
+++ b/src/service/rooms/roles/mod.rs
--- a/src/service/rooms/roles/tests.rs
+++ b/src/service/rooms/roles/tests.rs
@ -0,0 +1,204 @@
+use std::collections::{BTreeMap, HashSet};
+
+use conduwuit_core::matrix::space_roles::RoleDefinition;
+
+use super::{compute_user_power_level, roles_satisfy_requirements};
+
+pub(super) fn make_roles(entries: &[(&str, Option<i64>)]) -> BTreeMap<String, RoleDefinition> {
+	entries
+		.iter()
+		.map(|(name, pl)| {
+			((*name).to_owned(), RoleDefinition {
+				description: format!("{name} role"),
+				power_level: *pl,
+			})
+		})
+		.collect()
+}
+
+pub(super) fn make_set(items: &[&str]) -> HashSet<String> {
+	items.iter().map(|s| (*s).to_owned()).collect()
+}
+
+#[test]
+fn power_level_single_role() {
+	let roles = make_roles(&[("admin", Some(100)), ("mod", Some(50))]);
+	assert_eq!(compute_user_power_level(&roles, &make_set(&["admin"])), Some(100));
+}
+
+#[test]
+fn power_level_multiple_roles_takes_highest() {
+	let roles = make_roles(&[("admin", Some(100)), ("mod", Some(50)), ("helper", Some(25))]);
+	assert_eq!(compute_user_power_level(&roles, &make_set(&["mod", "helper"])), Some(50));
+}
+
+#[test]
+fn power_level_no_power_roles() {
+	let roles = make_roles(&[("nsfw", None), ("vip", None)]);
+	assert_eq!(compute_user_power_level(&roles, &make_set(&["nsfw", "vip"])), None);
+}
+
+#[test]
+fn power_level_mixed_roles() {
+	let roles = make_roles(&[("mod", Some(50)), ("nsfw", None)]);
+	assert_eq!(compute_user_power_level(&roles, &make_set(&["mod", "nsfw"])), Some(50));
+}
+
+#[test]
+fn power_level_no_roles_assigned() {
+	let roles = make_roles(&[("admin", Some(100))]);
+	assert_eq!(compute_user_power_level(&roles, &HashSet::new()), None);
+}
+
+#[test]
+fn power_level_unknown_role_ignored() {
+	let roles = make_roles(&[("admin", Some(100))]);
+	assert_eq!(compute_user_power_level(&roles, &make_set(&["nonexistent"])), None);
+}
+
+#[test]
+fn qualifies_with_all_required_roles() {
+	assert!(roles_satisfy_requirements(
+		&make_set(&["nsfw", "vip"]),
+		&make_set(&["nsfw", "vip", "extra"]),
+	));
+}
+
+#[test]
+fn does_not_qualify_missing_one_role() {
+	assert!(!roles_satisfy_requirements(&make_set(&["nsfw", "vip"]), &make_set(&["nsfw"]),));
+}
+
+#[test]
+fn qualifies_with_no_requirements() {
+	assert!(roles_satisfy_requirements(&HashSet::new(), &make_set(&["nsfw"])));
+}
+
+#[test]
+fn does_not_qualify_with_no_roles() {
+	assert!(!roles_satisfy_requirements(&make_set(&["nsfw"]), &HashSet::new()));
+}
+
+// Multi-space scenarios
+
+#[test]
+fn multi_space_highest_pl_wins() {
+	let space_a_roles = make_roles(&[("mod", Some(50))]);
+	let space_b_roles = make_roles(&[("admin", Some(100))]);
+
+	let user_roles_a = make_set(&["mod"]);
+	let user_roles_b = make_set(&["admin"]);
+
+	let pl_a = compute_user_power_level(&space_a_roles, &user_roles_a);
+	let pl_b = compute_user_power_level(&space_b_roles, &user_roles_b);
+
+	let effective = [pl_a, pl_b].into_iter().flatten().max();
+	assert_eq!(effective, Some(100));
+}
+
+#[test]
+fn multi_space_one_space_has_no_pl() {
+	let space_a_roles = make_roles(&[("nsfw", None)]);
+	let space_b_roles = make_roles(&[("mod", Some(50))]);
+
+	let user_roles_a = make_set(&["nsfw"]);
+	let user_roles_b = make_set(&["mod"]);
+
+	let pl_a = compute_user_power_level(&space_a_roles, &user_roles_a);
+	let pl_b = compute_user_power_level(&space_b_roles, &user_roles_b);
+
+	let effective = [pl_a, pl_b].into_iter().flatten().max();
+	assert_eq!(effective, Some(50));
+}
+
+#[test]
+fn multi_space_neither_has_pl() {
+	let space_a_roles = make_roles(&[("nsfw", None)]);
+	let space_b_roles = make_roles(&[("vip", None)]);
+
+	let user_roles_a = make_set(&["nsfw"]);
+	let user_roles_b = make_set(&["vip"]);
+
+	let pl_a = compute_user_power_level(&space_a_roles, &user_roles_a);
+	let pl_b = compute_user_power_level(&space_b_roles, &user_roles_b);
+
+	let effective = [pl_a, pl_b].into_iter().flatten().max();
+	assert_eq!(effective, None);
+}
+
+#[test]
+fn multi_space_user_only_in_one_space() {
+	let space_a_roles = make_roles(&[("admin", Some(100))]);
+	let space_b_roles = make_roles(&[("mod", Some(50))]);
+
+	let user_roles_a = make_set(&["admin"]);
+	let user_roles_b: HashSet<String> = HashSet::new();
+
+	let pl_a = compute_user_power_level(&space_a_roles, &user_roles_a);
+	let pl_b = compute_user_power_level(&space_b_roles, &user_roles_b);
+
+	let effective = [pl_a, pl_b].into_iter().flatten().max();
+	assert_eq!(effective, Some(100));
+}
+
+#[test]
+fn multi_space_qualifies_in_one_not_other() {
+	let space_a_reqs = make_set(&["staff"]);
+	let space_b_reqs = make_set(&["nsfw"]);
+
+	let user_roles = make_set(&["nsfw"]);
+
+	assert!(!roles_satisfy_requirements(&space_a_reqs, &user_roles));
+	assert!(roles_satisfy_requirements(&space_b_reqs, &user_roles));
+}
+
+#[test]
+fn multi_space_qualifies_after_role_revoke_via_other_space() {
+	let space_a_reqs = make_set(&["nsfw"]);
+	let space_b_reqs = make_set(&["vip"]);
+
+	let user_roles_after_revoke = make_set(&["vip"]);
+
+	assert!(!roles_satisfy_requirements(&space_a_reqs, &user_roles_after_revoke));
+	assert!(roles_satisfy_requirements(&space_b_reqs, &user_roles_after_revoke));
+}
+
+#[test]
+fn multi_space_room_has_reqs_in_one_space_only() {
+	let space_a_reqs = make_set(&["admin"]);
+	let space_b_reqs: HashSet<String> = HashSet::new();
+
+	let user_roles = make_set(&["nsfw"]);
+
+	assert!(!roles_satisfy_requirements(&space_a_reqs, &user_roles));
+	assert!(roles_satisfy_requirements(&space_b_reqs, &user_roles));
+}
+
+#[test]
+fn multi_space_no_qualification_anywhere() {
+	let space_a_reqs = make_set(&["staff"]);
+	let space_b_reqs = make_set(&["admin"]);
+
+	let user_roles = make_set(&["nsfw"]);
+
+	let qualifies_a = roles_satisfy_requirements(&space_a_reqs, &user_roles);
+	let qualifies_b = roles_satisfy_requirements(&space_b_reqs, &user_roles);
+
+	assert!(!qualifies_a);
+	assert!(!qualifies_b);
+	assert!(!(qualifies_a || qualifies_b));
+}
+
+#[test]
+fn multi_space_same_role_different_pl() {
+	let space_a_roles = make_roles(&[("mod", Some(50))]);
+	let space_b_roles = make_roles(&[("mod", Some(75))]);
+
+	let user_roles = make_set(&["mod"]);
+
+	let pl_a = compute_user_power_level(&space_a_roles, &user_roles);
+	let pl_b = compute_user_power_level(&space_b_roles, &user_roles);
+
+	let effective = [pl_a, pl_b].into_iter().flatten().max();
+	assert_eq!(effective, Some(75));
+}
--- a/src/service/rooms/timeline/append.rs
+++ b/src/service/rooms/timeline/append.rs
@ -327,7 +327,7 @@ where
 			}
 		},
 		| TimelineEventType::SpaceChild =>
-			if let Some(_state_key) = pdu.state_key() {
+			if pdu.state_key().is_some() {
 				self.services
 					.spaces
 					.roomid_spacehierarchy_cache
@ -359,6 +359,8 @@ where
 		| _ => {},
 	}

+	self.services.roles.on_pdu_appended(room_id, &pdu);
+
 	// CONCERN: If we receive events with a relation out-of-order, we never write
 	// their relation / thread. We need some kind of way to trigger when we receive
 	// this event, and potentially a way to rebuild the table entirely.
--- a/src/service/rooms/timeline/build.rs
+++ b/src/service/rooms/timeline/build.rs
@ -97,6 +97,17 @@ pub async fn build_and_append_pdu(
 			)));
 		}
 	}
+	if *pdu.kind() == TimelineEventType::RoomPowerLevels {
+		if let Ok(proposed) =
+			pdu.get_content::<ruma::events::room::power_levels::RoomPowerLevelsEventContent>()
+		{
+			self.services
+				.roles
+				.validate_pl_change(&room_id, pdu.sender(), &proposed)
+				.await?;
+		}
+	}
+
 	if *pdu.kind() == TimelineEventType::RoomCreate {
 		trace!("Creating shortroomid for {room_id}");
 		self.services
--- a/src/service/rooms/timeline/mod.rs
+++ b/src/service/rooms/timeline/mod.rs
@ -80,6 +80,7 @@ struct Services {
 	threads: Dep<rooms::threads::Service>,
 	search: Dep<rooms::search::Service>,
 	spaces: Dep<rooms::spaces::Service>,
+	roles: Dep<rooms::roles::Service>,
 	event_handler: Dep<rooms::event_handler::Service>,
 }

@ -112,6 +113,7 @@ impl crate::Service for Service {
 				threads: args.depend::<rooms::threads::Service>("rooms::threads"),
 				search: args.depend::<rooms::search::Service>("rooms::search"),
 				spaces: args.depend::<rooms::spaces::Service>("rooms::spaces"),
+				roles: args.depend::<rooms::roles::Service>("rooms::roles"),
 				event_handler: args
 					.depend::<rooms::event_handler::Service>("rooms::event_handler"),
 			},
--- a/src/service/server_keys/acquire.rs
+++ b/src/service/server_keys/acquire.rs
@ -228,7 +228,7 @@ async fn acquire_notary_result(&self, missing: &mut Batch, server_keys: ServerSi
 	self.add_signing_keys(server_keys.clone()).await;

 	if let Some(key_ids) = missing.get_mut(server) {
-		key_ids.retain(|key_id| key_exists(&server_keys, key_id));
+		key_ids.retain(|key_id| !key_exists(&server_keys, key_id));
 		if key_ids.is_empty() {
 			missing.remove(server);
 		}
--- a/src/service/services.rs
+++ b/src/service/services.rs
@ -1,7 +1,7 @@
 use std::{any::Any, collections::BTreeMap, sync::Arc};

 use conduwuit::{
-	Result, Server, SyncRwLock, debug, debug_info, info, trace, utils::stream::IterStream,
+	Result, Server, SyncRwLock, debug, debug_info, error, info, trace, utils::stream::IterStream,
 };
 use database::Database;
 use futures::{Stream, StreamExt, TryStreamExt};
@ -11,8 +11,8 @@ use crate::{
 	account_data, admin, announcements, antispam, appservice, client, config, emergency,
 	federation, firstrun, globals, key_backups,
 	manager::Manager,
-	media, moderation, presence, pusher, registration_tokens, resolver, rooms, sending,
-	server_keys,
+	media, moderation, password_reset, presence, pusher, registration_tokens, resolver, rooms,
+	sending, server_keys,
 	service::{self, Args, Map, Service},
 	sync, transactions, uiaa, users,
 };
@ -27,6 +27,7 @@ pub struct Services {
 	pub globals: Arc<globals::Service>,
 	pub key_backups: Arc<key_backups::Service>,
 	pub media: Arc<media::Service>,
+	pub password_reset: Arc<password_reset::Service>,
 	pub presence: Arc<presence::Service>,
 	pub pusher: Arc<pusher::Service>,
 	pub registration_tokens: Arc<registration_tokens::Service>,
@ -81,6 +82,7 @@ impl Services {
 			globals: build!(globals::Service),
 			key_backups: build!(key_backups::Service),
 			media: build!(media::Service),
+			password_reset: build!(password_reset::Service),
 			presence: build!(presence::Service),
 			pusher: build!(pusher::Service),
 			registration_tokens: build!(registration_tokens::Service),
@ -94,6 +96,7 @@ impl Services {
 				outlier: build!(rooms::outlier::Service),
 				pdu_metadata: build!(rooms::pdu_metadata::Service),
 				read_receipt: build!(rooms::read_receipt::Service),
+				roles: build!(rooms::roles::Service),
 				search: build!(rooms::search::Service),
 				short: build!(rooms::short::Service),
 				spaces: build!(rooms::spaces::Service),
@ -125,10 +128,12 @@ impl Services {
 	}

 	pub async fn start(self: &Arc<Self>) -> Result<Arc<Self>> {
-		debug_info!("Starting services...");
+		info!("Starting services...");

 		self.admin.set_services(Some(Arc::clone(self)).as_ref());
-		super::migrations::migrations(self).await?;
+		super::migrations::migrations(self)
+			.await
+			.inspect_err(|e| error!("Migrations failed: {e}"))?;
 		self.manager
 			.lock()
 			.await
@ -147,7 +152,7 @@ impl Services {
 				.await;
 		}

-		debug_info!("Services startup complete.");
+		info!("Services startup complete.");

 		Ok(Arc::clone(self))
 	}
--- a/src/service/uiaa/mod.rs
+++ b/src/service/uiaa/mod.rs
@ -181,20 +181,11 @@ pub async fn try_auth(
 			uiaainfo.completed.push(AuthType::Password);
 		},
 		| AuthData::ReCaptcha(r) => {
-			if self.services.config.recaptcha_private_site_key.is_none() {
+			let Some(ref private_site_key) = self.services.config.recaptcha_private_site_key
+			else {
 				return Err!(Request(Forbidden("ReCaptcha is not configured.")));
-			}
-			match recaptcha_verify::verify(
-				self.services
-					.config
-					.recaptcha_private_site_key
-					.as_ref()
-					.unwrap(),
-				r.response.as_str(),
-				None,
-			)
-			.await
-			{
+			};
+			match recaptcha_verify::verify_v3(private_site_key, r.response.as_str(), None).await {
 				| Ok(()) => {
 					uiaainfo.completed.push(AuthType::ReCaptcha);
 				},
--- a/src/web/Cargo.toml
+++ b/src/web/Cargo.toml
@ -20,12 +20,25 @@ crate-type = [
 [dependencies]
 conduwuit-build-metadata.workspace = true
 conduwuit-service.workspace = true
+conduwuit-core.workspace = true
+async-trait.workspace = true
 askama.workspace = true
 axum.workspace = true
+axum-extra.workspace = true
+base64.workspace = true
 futures.workspace = true
 tracing.workspace = true
 rand.workspace = true
+ruma.workspace = true
 thiserror.workspace = true
+tower-http.workspace = true
+serde.workspace = true
+memory-serve = "2.1.0"
+validator = { version = "0.20.0", features = ["derive"] }
+tower-sec-fetch = { version = "0.1.2", features = ["tracing"] }
+
+[build-dependencies]
+memory-serve = "2.1.0"

 [lints]
 workspace = true
--- a/src/web/askama.toml
+++ b/src/web/askama.toml
@ -0,0 +1,2 @@
+[general]
+dirs = ["pages/templates"]
--- a/src/web/build.rs
+++ b/src/web/build.rs
@ -0,0 +1 @@
+fn main() { memory_serve::load_directory("./pages/resources"); }
--- a/src/web/css/index.css
+++ b/src/web/css/index.css
@ -1,94 +0,0 @@
-:root {
-    color-scheme: light;
-    --font-stack: sans-serif;
-
-    --background-color: #fff;
-    --text-color: #000;
-
-    --bg: oklch(0.76 0.0854 317.27);
-    --panel-bg: oklch(0.91 0.042 317.27);
-
-    --name-lightness: 0.45;
-
-    @media (prefers-color-scheme: dark) {
-        color-scheme: dark;
-        --text-color: #fff;
-        --bg: oklch(0.15 0.042 317.27);
-        --panel-bg: oklch(0.24 0.03 317.27);
-
-        --name-lightness: 0.8;
-    }
-
-    --c1: oklch(0.44 0.177 353.06);
-    --c2: oklch(0.59 0.158 150.88);
-
-    --normal-font-size: 1rem;
-    --small-font-size: 0.8rem;
-}
-
-body {
-    color: var(--text-color);
-    font-family: var(--font-stack);
-    margin: 0;
-    padding: 0;
-    display: grid;
-    place-items: center;
-    min-height: 100vh;
-}
-
-html {
-    background-color: var(--bg);
-    background-image: linear-gradient(
-        70deg,
-        oklch(from var(--bg) l + 0.2 c h),
-        oklch(from var(--bg) l - 0.2 c h)
-    );
-    font-size: 16px;
-}
-
-.panel {
-    width: min(clamp(24rem, 12rem + 40vw, 48rem), calc(100vw - 3rem));
-    border-radius: 15px;
-    background-color: var(--panel-bg);
-    padding-inline: 1.5rem;
-    padding-block: 1rem;
-    box-shadow: 0 0.25em 0.375em hsla(0, 0%, 0%, 0.1);
-}
-
-@media (max-width: 24rem) {
-    .panel {
-        padding-inline: 0.25rem;
-        width: calc(100vw - 0.5rem);
-        border-radius: 0;
-        margin-block-start: 0.2rem;
-    }
-    main {
-        height: 100%;
-    }
-}
-
-footer {
-    padding-inline: 0.25rem;
-    height: max(fit-content, 2rem);
-}
-
-.project-name {
-    text-decoration: none;
-    background: linear-gradient(
-        130deg,
-        oklch(from var(--c1) var(--name-lightness) c h),
-        oklch(from var(--c2) var(--name-lightness) c h)
-    );
-    background-clip: text;
-    color: transparent;
-    filter: brightness(1.2);
-}
-
-b {
-    color: oklch(from var(--c2) var(--name-lightness) c h);
-}
-
-.logo {
-    width: 100%;
-    height: 64px;
-}
--- a/src/web/mod.rs
+++ b/src/web/mod.rs
@ -1,86 +1,113 @@
+use std::any::Any;
+
 use askama::Template;
 use axum::{
 	Router,
-	extract::State,
-	http::{StatusCode, header},
+	extract::rejection::{FormRejection, QueryRejection},
+	http::{HeaderValue, StatusCode, header},
 	response::{Html, IntoResponse, Response},
-	routing::get,
 };
-use conduwuit_build_metadata::{GIT_REMOTE_COMMIT_URL, GIT_REMOTE_WEB_URL, version_tag};
 use conduwuit_service::state;
+use tower_http::{catch_panic::CatchPanicLayer, set_header::SetResponseHeaderLayer};
+use tower_sec_fetch::SecFetchLayer;

-pub fn build() -> Router<state::State> {
-	Router::<state::State>::new()
-		.route("/", get(index_handler))
-		.route("/_continuwuity/logo.svg", get(logo_handler))
-}
+use crate::pages::TemplateContext;

-async fn index_handler(
-	State(services): State<state::State>,
-) -> Result<impl IntoResponse, WebError> {
-	#[derive(Debug, Template)]
-	#[template(path = "index.html.j2")]
-	struct Index<'a> {
-		nonce: &'a str,
-		server_name: &'a str,
-		first_run: bool,
-	}
-	let nonce = rand::random::<u64>().to_string();
+mod pages;

-	let template = Index {
-		nonce: &nonce,
-		server_name: services.config.server_name.as_str(),
-		first_run: services.firstrun.is_first_run(),
-	};
-	Ok((
-		[(
-			header::CONTENT_SECURITY_POLICY,
-			format!("default-src 'nonce-{nonce}'; img-src 'self';"),
-		)],
-		Html(template.render()?),
-	))
-}
+type State = state::State;

-async fn logo_handler() -> impl IntoResponse {
-	(
-		[(header::CONTENT_TYPE, "image/svg+xml")],
-		include_str!("templates/logo.svg").to_owned(),
-	)
-}
+const CATASTROPHIC_FAILURE: &str = "cat-astrophic failure! we couldn't even render the error template. \
+please contact the team @ https://continuwuity.org";

 #[derive(Debug, thiserror::Error)]
 enum WebError {
+	#[error("Failed to validate form body: {0}")]
+	ValidationError(#[from] validator::ValidationErrors),
+	#[error("{0}")]
+	QueryRejection(#[from] QueryRejection),
+	#[error("{0}")]
+	FormRejection(#[from] FormRejection),
+	#[error("{0}")]
+	BadRequest(String),
+
+	#[error("This page does not exist.")]
+	NotFound,
+
 	#[error("Failed to render template: {0}")]
 	Render(#[from] askama::Error),
+	#[error("{0}")]
+	InternalError(#[from] conduwuit_core::Error),
+	#[error("Request handler panicked! {0}")]
+	Panic(String),
 }

 impl IntoResponse for WebError {
 	fn into_response(self) -> Response {
 		#[derive(Debug, Template)]
 		#[template(path = "error.html.j2")]
-		struct Error<'a> {
-			nonce: &'a str,
-			err: WebError,
+		struct Error {
+			error: WebError,
+			status: StatusCode,
+			context: TemplateContext,
 		}

-		let nonce = rand::random::<u64>().to_string();
-
 		let status = match &self {
-			| Self::Render(_) => StatusCode::INTERNAL_SERVER_ERROR,
+			| Self::ValidationError(_)
+			| Self::BadRequest(_)
+			| Self::QueryRejection(_)
+			| Self::FormRejection(_) => StatusCode::BAD_REQUEST,
+			| Self::NotFound => StatusCode::NOT_FOUND,
+			| _ => StatusCode::INTERNAL_SERVER_ERROR,
 		};
-		let tmpl = Error { nonce: &nonce, err: self };
-		if let Ok(body) = tmpl.render() {
-			(
-				status,
-				[(
-					header::CONTENT_SECURITY_POLICY,
-					format!("default-src 'none' 'nonce-{nonce}';"),
-				)],
-				Html(body),
-			)
-				.into_response()
+
+		let template = Error {
+			error: self,
+			status,
+			context: TemplateContext {
+				// Statically set false to prevent error pages from being indexed.
+				allow_indexing: false,
+			},
+		};
+
+		if let Ok(body) = template.render() {
+			(status, Html(body)).into_response()
 		} else {
-			(status, "Something went wrong").into_response()
+			(status, CATASTROPHIC_FAILURE).into_response()
 		}
 	}
 }
+
+pub fn build() -> Router<state::State> {
+	#[allow(clippy::wildcard_imports)]
+	use pages::*;
+
+	Router::new()
+		.merge(index::build())
+		.nest(
+			"/_continuwuity/",
+			Router::new()
+				.merge(resources::build())
+				.merge(password_reset::build())
+				.merge(debug::build())
+				.fallback(async || WebError::NotFound),
+		)
+		.layer(CatchPanicLayer::custom(|panic: Box<dyn Any + Send + 'static>| {
+			let details = if let Some(s) = panic.downcast_ref::<String>() {
+				s.clone()
+			} else if let Some(s) = panic.downcast_ref::<&str>() {
+				(*s).to_owned()
+			} else {
+				"(opaque panic payload)".to_owned()
+			};
+
+			WebError::Panic(details).into_response()
+		}))
+		.layer(SetResponseHeaderLayer::if_not_present(
+			header::CONTENT_SECURITY_POLICY,
+			HeaderValue::from_static("default-src 'self'; img-src 'self' data:;"),
+		))
+		.layer(SecFetchLayer::new(|policy| {
+			policy.allow_safe_methods().reject_missing_metadata();
+		}))
+}
--- a/src/web/pages/components/form.rs
+++ b/src/web/pages/components/form.rs
@ -0,0 +1,98 @@
+use askama::{Template, filters::HtmlSafe};
+use validator::ValidationErrors;
+
+/// A reusable form component with field validation.
+#[derive(Debug, Template)]
+#[template(path = "_components/form.html.j2", print = "code")]
+pub(crate) struct Form<'a> {
+	pub inputs: Vec<FormInput<'a>>,
+	pub validation_errors: Option<ValidationErrors>,
+	pub submit_label: &'a str,
+}
+
+impl HtmlSafe for Form<'_> {}
+
+/// An input element in a form component.
+#[derive(Debug, Clone, Copy)]
+pub(crate) struct FormInput<'a> {
+	/// The field name of the input.
+	pub id: &'static str,
+	/// The `type` property of the input.
+	pub input_type: &'a str,
+	/// The contents of the input's label.
+	pub label: &'a str,
+	/// Whether the input is required. Defaults to `true`.
+	pub required: bool,
+	/// The autocomplete mode for the input. Defaults to `on`.
+	pub autocomplete: &'a str,
+
+	// This is a hack to make the form! macro's support for client-only fields
+	// work properly. Client-only fields are specified in the macro without a type and aren't
+	// included in the POST body or as a field in the generated struct.
+	// To keep the field from being included in the POST body, its `name` property needs not to
+	// be set in the template. Because of limitations of macro_rules!'s repetition feature, this
+	// field needs to exist to allow the template to check if the field is client-only.
+	#[doc(hidden)]
+	pub type_name: Option<&'static str>,
+}
+
+impl Default for FormInput<'_> {
+	fn default() -> Self {
+		Self {
+			id: "",
+			input_type: "text",
+			label: "",
+			required: true,
+			autocomplete: "",
+
+			type_name: None,
+		}
+	}
+}
+
+/// Generate a deserializable struct which may be turned into a [`Form`]
+/// for inclusion in another template.
+#[macro_export]
+macro_rules! form {
+    (
+        $(#[$struct_meta:meta])*
+        struct $struct_name:ident {
+            $(
+                $(#[$field_meta:meta])*
+                $name:ident$(: $type:ty)? where { $($prop:ident: $value:expr),* }
+            ),*
+
+            submit: $submit_label:expr
+        }
+    ) => {
+        #[derive(Debug, serde::Deserialize, validator::Validate)]
+        $(#[$struct_meta])*
+        struct $struct_name {
+            $(
+                $(#[$field_meta])*
+                $(pub $name: $type,)?
+            )*
+        }
+
+        impl $struct_name {
+            /// Generate a [`Form`] which matches the shape of this struct.
+            #[allow(clippy::needless_update)]
+            fn build(validation_errors: Option<validator::ValidationErrors>) -> $crate::pages::components::form::Form<'static> {
+                $crate::pages::components::form::Form {
+                    inputs: vec![
+                        $(
+                            $crate::pages::components::form::FormInput {
+                                id: stringify!($name),
+                                $(type_name: Some(stringify!($type)),)?
+                                $($prop: $value),*,
+                                ..Default::default()
+                            },
+                        )*
+                    ],
+                    validation_errors,
+                    submit_label: $submit_label,
+                }
+            }
+        }
+    };
+}
--- a/src/web/pages/components/mod.rs
+++ b/src/web/pages/components/mod.rs
@ -0,0 +1,71 @@
+use askama::{Template, filters::HtmlSafe};
+use base64::Engine;
+use conduwuit_core::result::FlatOk;
+use conduwuit_service::Services;
+use ruma::UserId;
+
+pub(super) mod form;
+
+#[derive(Debug)]
+pub(super) enum AvatarType<'a> {
+	Initial(char),
+	Image(&'a str),
+}
+
+#[derive(Debug, Template)]
+#[template(path = "_components/avatar.html.j2")]
+pub(super) struct Avatar<'a> {
+	pub(super) avatar_type: AvatarType<'a>,
+}
+
+impl HtmlSafe for Avatar<'_> {}
+
+#[derive(Debug, Template)]
+#[template(path = "_components/user_card.html.j2")]
+pub(super) struct UserCard<'a> {
+	pub user_id: &'a UserId,
+	pub display_name: Option<String>,
+	pub avatar_src: Option<String>,
+}
+
+impl HtmlSafe for UserCard<'_> {}
+
+impl<'a> UserCard<'a> {
+	pub(super) async fn for_local_user(services: &Services, user_id: &'a UserId) -> Self {
+		let display_name = services.users.displayname(user_id).await.ok();
+
+		let avatar_src = async {
+			let avatar_url = services.users.avatar_url(user_id).await.ok()?;
+			let avatar_mxc = avatar_url.parts().ok()?;
+			let file = services.media.get(&avatar_mxc).await.flat_ok()?;
+
+			Some(format!(
+				"data:{};base64,{}",
+				file.content_type
+					.unwrap_or_else(|| "application/octet-stream".to_owned()),
+				file.content
+					.map(|content| base64::prelude::BASE64_STANDARD.encode(content))
+					.unwrap_or_default(),
+			))
+		}
+		.await;
+
+		Self { user_id, display_name, avatar_src }
+	}
+
+	fn avatar(&'a self) -> Avatar<'a> {
+		let avatar_type = if let Some(ref avatar_src) = self.avatar_src {
+			AvatarType::Image(avatar_src)
+		} else if let Some(initial) = self
+			.display_name
+			.as_ref()
+			.and_then(|display_name| display_name.chars().next())
+		{
+			AvatarType::Initial(initial)
+		} else {
+			AvatarType::Initial(self.user_id.localpart().chars().next().unwrap())
+		};
+
+		Avatar { avatar_type }
+	}
+}
--- a/src/web/pages/debug.rs
+++ b/src/web/pages/debug.rs
@ -0,0 +1,17 @@
+use std::convert::Infallible;
+
+use axum::{Router, routing::get};
+use conduwuit_core::Error;
+
+use crate::WebError;
+
+pub(crate) fn build() -> Router<crate::State> {
+	Router::new()
+		.route("/_debug/panic", get(async || -> Infallible { panic!("Guru meditation error") }))
+		.route(
+			"/_debug/error",
+			get(async || -> WebError {
+				Error::Err(std::borrow::Cow::Borrowed("Guru meditation error")).into()
+			}),
+		)
+}
--- a/src/web/pages/index.rs
+++ b/src/web/pages/index.rs
@ -0,0 +1,28 @@
+use askama::Template;
+use axum::{Router, extract::State, response::IntoResponse, routing::get};
+
+use crate::{WebError, template};
+
+pub(crate) fn build() -> Router<crate::State> {
+	Router::new()
+		.route("/", get(index_handler))
+		.route("/_continuwuity/", get(index_handler))
+}
+
+async fn index_handler(
+	State(services): State<crate::State>,
+) -> Result<impl IntoResponse, WebError> {
+	template! {
+		struct Index<'a> use "index.html.j2" {
+			server_name: &'a str,
+			first_run: bool
+		}
+	}
+
+	Ok(Index::new(
+		&services,
+		services.globals.server_name().as_str(),
+		services.firstrun.is_first_run(),
+	)
+	.into_response())
+}
--- a/src/web/pages/mod.rs
+++ b/src/web/pages/mod.rs
@ -0,0 +1,53 @@
+mod components;
+pub(super) mod debug;
+pub(super) mod index;
+pub(super) mod password_reset;
+pub(super) mod resources;
+
+#[derive(Debug)]
+pub(crate) struct TemplateContext {
+	pub allow_indexing: bool,
+}
+
+impl From<&crate::State> for TemplateContext {
+	fn from(state: &crate::State) -> Self {
+		Self {
+			allow_indexing: state.config.allow_web_indexing,
+		}
+	}
+}
+
+#[macro_export]
+macro_rules! template {
+    (
+        struct $name:ident $(<$lifetime:lifetime>)? use $path:literal {
+            $($field_name:ident: $field_type:ty),*
+        }
+    ) => {
+        #[derive(Debug, askama::Template)]
+        #[template(path = $path)]
+        struct $name$(<$lifetime>)? {
+            context: $crate::pages::TemplateContext,
+            $($field_name: $field_type,)*
+        }
+
+        impl$(<$lifetime>)? $name$(<$lifetime>)? {
+            fn new(state: &$crate::State, $($field_name: $field_type,)*) -> Self {
+                Self {
+                    context: state.into(),
+                    $($field_name,)*
+                }
+            }
+        }
+
+        #[allow(single_use_lifetimes)]
+        impl$(<$lifetime>)? axum::response::IntoResponse for $name$(<$lifetime>)? {
+            fn into_response(self) -> axum::response::Response {
+                match self.render() {
+                    Ok(rendered) => axum::response::Html(rendered).into_response(),
+                    Err(err) => $crate::WebError::from(err).into_response()
+                }
+            }
+        }
+    };
+}
--- a/src/web/pages/password_reset.rs
+++ b/src/web/pages/password_reset.rs
@ -0,0 +1,120 @@
+use askama::Template;
+use axum::{
+	Router,
+	extract::{
+		Query, State,
+		rejection::{FormRejection, QueryRejection},
+	},
+	http::StatusCode,
+	response::{IntoResponse, Response},
+	routing::get,
+};
+use serde::Deserialize;
+use validator::Validate;
+
+use crate::{
+	WebError, form,
+	pages::components::{UserCard, form::Form},
+	template,
+};
+
+const INVALID_TOKEN_ERROR: &str = "Invalid reset token. Your reset link may have expired.";
+
+#[derive(Deserialize)]
+struct PasswordResetQuery {
+	token: String,
+}
+
+template! {
+	struct PasswordReset<'a> use "password_reset.html.j2" {
+		user_card: UserCard<'a>,
+		body: PasswordResetBody
+	}
+}
+
+#[derive(Debug)]
+enum PasswordResetBody {
+	Form(Form<'static>),
+	Success,
+}
+
+form! {
+	struct PasswordResetForm {
+		#[validate(length(min = 1, message = "Password cannot be empty"))]
+		new_password: String where {
+			input_type: "password",
+			label: "New password",
+			autocomplete: "new-password"
+		},
+
+		#[validate(must_match(other = "new_password", message = "Passwords must match"))]
+		confirm_new_password: String where {
+			input_type: "password",
+			label: "Confirm new password",
+			autocomplete: "new-password"
+		}
+
+		submit: "Reset Password"
+	}
+}
+
+pub(crate) fn build() -> Router<crate::State> {
+	Router::new()
+		.route("/account/reset_password", get(get_password_reset).post(post_password_reset))
+}
+
+async fn password_reset_form(
+	services: crate::State,
+	query: PasswordResetQuery,
+	reset_form: Form<'static>,
+) -> Result<impl IntoResponse, WebError> {
+	let Some(token) = services.password_reset.check_token(&query.token).await else {
+		return Err(WebError::BadRequest(INVALID_TOKEN_ERROR.to_owned()));
+	};
+
+	let user_card = UserCard::for_local_user(&services, &token.info.user).await;
+
+	Ok(PasswordReset::new(&services, user_card, PasswordResetBody::Form(reset_form))
+		.into_response())
+}
+
+async fn get_password_reset(
+	State(services): State<crate::State>,
+	query: Result<Query<PasswordResetQuery>, QueryRejection>,
+) -> Result<impl IntoResponse, WebError> {
+	let Query(query) = query?;
+
+	password_reset_form(services, query, PasswordResetForm::build(None)).await
+}
+
+async fn post_password_reset(
+	State(services): State<crate::State>,
+	query: Result<Query<PasswordResetQuery>, QueryRejection>,
+	form: Result<axum::Form<PasswordResetForm>, FormRejection>,
+) -> Result<Response, WebError> {
+	let Query(query) = query?;
+	let axum::Form(form) = form?;
+
+	match form.validate() {
+		| Ok(()) => {
+			let Some(token) = services.password_reset.check_token(&query.token).await else {
+				return Err(WebError::BadRequest(INVALID_TOKEN_ERROR.to_owned()));
+			};
+			let user_id = token.info.user.clone();
+
+			services
+				.password_reset
+				.consume_token(token, &form.new_password)
+				.await?;
+
+			let user_card = UserCard::for_local_user(&services, &user_id).await;
+			Ok(PasswordReset::new(&services, user_card, PasswordResetBody::Success)
+				.into_response())
+		},
+		| Err(err) => Ok((
+			StatusCode::BAD_REQUEST,
+			password_reset_form(services, query, PasswordResetForm::build(Some(err))).await,
+		)
+			.into_response()),
+	}
+}
--- a/src/web/pages/resources.rs
+++ b/src/web/pages/resources.rs
@ -0,0 +1,9 @@
+use axum::Router;
+
+pub(crate) fn build() -> Router<crate::State> {
+	Router::new().nest(
+		"/resources/",
+		#[allow(unused_qualifications)]
+		memory_serve::load!().index_file(None).into_router(),
+	)
+}
--- a/src/web/pages/resources/common.css
+++ b/src/web/pages/resources/common.css
@ -0,0 +1,185 @@
+:root {
+    color-scheme: light;
+    --font-stack: sans-serif;
+
+    --background-color: #fff;
+    --text-color: #000;
+    --secondary: #666;
+    --bg: oklch(0.76 0.0854 317.27);
+    --panel-bg: oklch(0.91 0.042 317.27);
+    --c1: oklch(0.44 0.177 353.06);
+    --c2: oklch(0.59 0.158 150.88);
+
+    --name-lightness: 0.45;
+    --background-lightness: 0.9;
+
+    --background-gradient:
+        radial-gradient(42.12% 56.13% at 100% 0%, oklch(from var(--c2) var(--background-lightness) c h) 0%, #fff0 100%),
+        radial-gradient(42.01% 79.63% at 52.86% 0%, #d9ff5333 0%, #fff0 100%),
+        radial-gradient(79.67% 58.09% at 0% 0%, oklch(from var(--c1) var(--background-lightness) c h) 0%, #fff0 100%);
+
+    --normal-font-size: 1rem;
+    --small-font-size: 0.8rem;
+
+    --border-radius-sm: 5px;
+    --border-radius-lg: 15px;
+
+    @media (prefers-color-scheme: dark) {
+        color-scheme: dark;
+        --text-color: #fff;
+        --secondary: #888;
+        --bg: oklch(0.15 0.042 317.27);
+        --panel-bg: oklch(0.24 0.03 317.27);
+
+        --name-lightness: 0.8;
+        --background-lightness: 0.2;
+
+        --background-gradient:
+            radial-gradient(
+                42.12% 56.13% at 100% 0%,
+                oklch(from var(--c2) var(--background-lightness) c h) 0%,
+                #12121200 100%
+            ),
+            radial-gradient(55.81% 87.78% at 48.37% 0%, #000 0%, #12121200 89.55%),
+            radial-gradient(
+                122.65% 88.24% at 0% 0%,
+                oklch(from var(--c1) var(--background-lightness) c h) 0%,
+                #12121200 100%
+            );
+    }
+}
+
+* {
+    box-sizing: border-box;
+}
+
+body {
+    display: grid;
+    margin: 0;
+    padding: 0;
+    place-items: center;
+    min-height: 100vh;
+
+    color: var(--text-color);
+    font-family: var(--font-stack);
+    line-height: 1.5;
+}
+
+html {
+    background-color: var(--bg);
+    background-image: var(--background-gradient);
+    font-size: var(--normal-font-size);
+}
+
+footer {
+    padding-inline: 0.25rem;
+    height: max(fit-content, 2rem);
+
+    .logo {
+        width: 100%;
+        height: 64px;
+    }
+}
+
+p {
+    margin: 1rem 0;
+}
+
+em {
+    color: oklch(from var(--c2) var(--name-lightness) c h);
+    font-weight: bold;
+    font-style: normal;
+}
+
+small {
+    color: var(--secondary);
+}
+
+small.error {
+    display: block;
+    color: red;
+    font-size: small;
+    font-style: italic;
+    margin-bottom: 0.5rem;
+}
+
+.panel {
+    --preferred-width: 12rem + 40dvw;
+    --maximum-width: 48rem;
+
+    width: min(clamp(24rem, var(--preferred-width), var(--maximum-width)), calc(100dvw - 3rem));
+    border-radius: var(--border-radius-lg);
+    background-color: var(--panel-bg);
+    padding-inline: 1.5rem;
+    padding-block: 1rem;
+    box-shadow: 0 0.25em 0.375em hsla(0, 0%, 0%, 0.1);
+
+    &.narrow {
+        --preferred-width: 12rem + 20dvw;
+        --maximum-width: 36rem;
+
+        input, button {
+            width: 100%;
+        }
+    }
+}
+
+label {
+    display: block;
+}
+
+input, button {
+    display: inline-block;
+    padding: 0.5em;
+    margin-bottom: 0.5em;
+
+    font-size: inherit;
+    font-family: inherit;
+    color: white;
+    background-color: transparent;
+
+    border: none;
+    border-radius: var(--border-radius-sm);
+}
+
+input {
+    border: 2px solid var(--secondary);
+
+    &:focus-visible {
+        outline: 2px solid var(--c1);
+        border-color: transparent;
+    }
+}
+
+button {
+    background-color: var(--c1);
+    transition: opacity .2s;
+
+    &:enabled:hover {
+        opacity: 0.8;
+        cursor: pointer;
+    }
+}
+
+h1 {
+    margin-top: 0;
+    margin-bottom: 0.67em;
+}
+
+@media (max-width: 425px) {
+    main {
+        padding-block-start: 2rem;
+        width: 100%;
+    }
+
+    .panel {
+        border-radius: 0;
+        width: 100%;
+    }
+}
+
+@media (max-width: 799px) {
+    input, button {
+        width: 100%;
+    }
+}
--- a/src/web/pages/resources/components.css
+++ b/src/web/pages/resources/components.css
@ -0,0 +1,44 @@
+.avatar {
+    --avatar-size: 56px;
+
+    display: inline-block;
+    aspect-ratio: 1 / 1;
+    inline-size: var(--avatar-size);
+    border-radius: 50%;
+
+    text-align: center;
+    text-transform: uppercase;
+    font-size: calc(var(--avatar-size) * 0.5);
+    font-weight: 700;
+    line-height: calc(var(--avatar-size) - 2px);
+
+    color: oklch(from var(--c1) calc(l + 0.2) c h);
+    background-color: var(--c1);
+}
+
+.user-card {
+    display: flex;
+    flex-direction: row;
+    align-items: center;
+    gap: 16px;
+
+    background-color: oklch(from var(--panel-bg) calc(l - 0.05) c h);
+    border-radius: var(--border-radius-lg);
+    padding: 16px;
+
+    .info {
+        flex: 1 1;
+
+        p {
+            margin: 0;
+
+            &.display-name {
+                font-weight: 700;
+            }
+
+            &:nth-of-type(2) {
+                color: var(--secondary);
+            }
+        }
+    }
+}
--- a/src/web/pages/resources/error.css
+++ b/src/web/pages/resources/error.css
@ -0,0 +1,13 @@
+.k10y {
+    font-family: monospace;
+    font-size: x-small;
+    font-weight: 700;
+    transform: translate(1rem, 1.6rem);
+    color: var(--secondary);
+    user-select: none;
+}
+
+h1 {
+    display: flex;
+    align-items: center;
+}
--- a/src/web/pages/resources/index.css
+++ b/src/web/pages/resources/index.css
@ -0,0 +1,11 @@
+.project-name {
+    text-decoration: none;
+    background: linear-gradient(
+        130deg,
+        oklch(from var(--c1) var(--name-lightness) c h),
+        oklch(from var(--c2) var(--name-lightness) c h)
+    );
+    background-clip: text;
+    color: transparent;
+    filter: brightness(1.2);
+}
--- a/src/web/pages/resources/logo.svg
+++ b/src/web/pages/resources/logo.svg
@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   width="447.99823"
+   height="447.99823"
+   viewBox="0 0 447.99823 447.99823"
+   version="1.1"
+   id="svg1"
+   xml:space="preserve"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg"><defs
+     id="defs1" /><g
+     id="layer1"
+     transform="translate(-32.000893,-32.000893)"><circle
+       style="fill:#9b4bd4;fill-opacity:1;stroke:#000000;stroke-width:10;stroke-dasharray:none;stroke-opacity:1"
+       id="path1"
+       cy="256"
+       cx="256"
+       r="176" /><path
+       style="fill:#de6cd3;fill-opacity:1;stroke:#000000;stroke-width:10;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
+       d="m 41,174 69,36 C 135,126 175,102 226,94 l -12,31 62,-44 -69,-44 15,30 C 128,69 84,109 41,172 Z"
+       id="path7" /><path
+       style="fill:#de6cd3;fill-opacity:1;stroke:#000000;stroke-width:10;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
+       d="m 338,41 -36,69 c 84,25 108,65 116,116 l -31,-12 44,62 44,-69 -30,15 C 443,128 403,84 340,41 Z"
+       id="path6" /><path
+       style="fill:#de6cd3;fill-opacity:1;stroke:#000000;stroke-width:10;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
+       d="m 471,338 -69,-36 c -25,84 -65,108 -116,116 l 12,-31 -62,44 69,44 -15,-30 c 94,-2 138,-42 181,-105 z"
+       id="path8" /><path
+       style="fill:#de6cd3;fill-opacity:1;stroke:#000000;stroke-width:10;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
+       d="m 174,471 36,-69 C 126,377 102,337 94,286 l 31,12 -44,-62 -44,69 30,-15 c 2,94 42,138 105,181 z"
+       id="path9" /><g
+       id="g15"
+       transform="translate(-5.4157688e-4)"><path
+         style="fill:none;stroke:#000000;stroke-width:10;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1;paint-order:normal"
+         d="m 155.45977,224.65379 c -7.25909,13.49567 -7.25909,26.09161 -6.35171,39.58729 0.90737,11.69626 12.7034,24.29222 24.49943,26.09164 21.77727,3.59884 28.12898,-20.69338 28.12898,-20.69338 0,0 4.53693,-15.29508 5.4443,-40.48699"
+         id="path11" /><path
+         style="fill:none;stroke:#000000;stroke-width:10;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1;paint-order:normal"
+         d="m 218.96706,278.05399 c 3.00446,17.12023 7.52704,24.88918 19.22704,28.48918 9,2.7 22.5,-4.5 22.5,-16.2 0.9,21.6 17.1,17.1 19.8,17.1 11.7,-1.8 18.9,-14.4 16.2,-30.6"
+         id="path12" /><path
+         style="fill:none;stroke:#000000;stroke-width:10;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1;paint-order:normal"
+         d="m 305.6941,230.94317 c 1.8,27 6.3,40.5 6.3,40.5 8.1,27 28.8,19.8 28.8,19.8 18.9,-7.2 22.5,-24.3 22.5,-30.6 0,-25.2 -6.3,-35.1 -6.3,-35.1"
+         id="path13" /></g></g></svg>
--- a/src/web/pages/templates/_components/avatar.html.j2
+++ b/src/web/pages/templates/_components/avatar.html.j2
@ -0,0 +1,6 @@
+{% match avatar_type %}
+    {% when AvatarType::Initial with (initial) %}
+    <span class="avatar" role="img">{{ initial }}</span>
+    {% when AvatarType::Image with (src) %}
+    <img class="avatar" src="{{ src }}">
+{% endmatch %}
--- a/src/web/pages/templates/_components/form.html.j2
+++ b/src/web/pages/templates/_components/form.html.j2
@ -0,0 +1,30 @@
+<form method="post">
+    {% let validation_errors = validation_errors.clone().unwrap_or_default() %}
+    {% let field_errors = validation_errors.field_errors() %}
+    {% for input in inputs %}
+        <p>
+            <label for="{{ input.id }}">{{ input.label }}</label>
+            {% let name = std::borrow::Cow::from(*input.id) %}
+            {% if let Some(errors) = field_errors.get(name) %}
+                {% for error in errors %}
+                    <small class="error">
+                        {% if let Some(message) = error.message %}
+                            {{ message }}
+                        {% else %}
+                            Mysterious validation error <code>{{ error.code }}</code>!
+                        {% endif %}
+                    </small>
+                {% endfor %}
+            {% endif %}
+            <input
+                type="{{ input.input_type }}"
+                id="{{ input.id }}"
+                autocomplete="{{ input.autocomplete }}"
+                {% if input.type_name.is_some() %}name="{{ input.id }}"{% endif %}
+                {% if input.required %}required{% endif %}
+            >
+        </p>
+    {% endfor %}
+
+    <button type="submit">{{ submit_label }}</button>
+</form>
--- a/src/web/pages/templates/_components/user_card.html.j2
+++ b/src/web/pages/templates/_components/user_card.html.j2
@ -0,0 +1,9 @@
+<div class="user-card">
+    {{ avatar() }}
+    <div class="info">
+        {% if let Some(display_name) = display_name %}
+        <p class="display-name">{{ display_name }}</p>
+        {% endif %}
+        <p class="user_id">{{ user_id }}</p>
+    </div>
+</div>
--- a/src/web/pages/templates/_layout.html.j2
+++ b/src/web/pages/templates/_layout.html.j2
@ -5,23 +5,24 @@
    <meta charset="UTF-8" />
    <title>{% block title %}Continuwuity{% endblock %}</title>
    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    {%- if !context.allow_indexing %}
+    <meta name="robots" content="noindex" />
+    {%- endif %}

-    <link rel="icon" href="/_continuwuity/logo.svg">
-    <style type="text/css" nonce="{{ nonce }}">
-        /*<![CDATA[*/
-            {{ include_str !("css/index.css") | safe }}
-        /*]]>*/
-    </style>
+    <link rel="icon" href="/_continuwuity/resources/logo.svg">
+    <link rel="stylesheet" href="/_continuwuity/resources/common.css">
+    <link rel="stylesheet" href="/_continuwuity/resources/components.css">
+    {% block head %}{% endblock %}
 </head>

 <body>
    <main>{%~ block content %}{% endblock ~%}</main>
    {%~ block footer ~%}
        <footer>
-            <img class="logo" src="/_continuwuity/logo.svg">
+            <img class="logo" src="/_continuwuity/resources/logo.svg">
            <p>Powered by <a href="https://continuwuity.org">Continuwuity</a> {{ env!("CARGO_PKG_VERSION") }}
-                {%~ if let Some(version_info) = self::version_tag() ~%}
-                    {%~ if let Some(url) = GIT_REMOTE_COMMIT_URL.or(GIT_REMOTE_WEB_URL) ~%}
+                {%~ if let Some(version_info) = conduwuit_build_metadata::version_tag() ~%}
+                    {%~ if let Some(url) = conduwuit_build_metadata::GIT_REMOTE_COMMIT_URL.or(conduwuit_build_metadata::GIT_REMOTE_WEB_URL) ~%}
                        (<a href="{{ url }}">{{ version_info }}</a>)
                    {%~ else ~%}
                        ({{ version_info }})
--- a/src/web/pages/templates/error.html.j2
+++ b/src/web/pages/templates/error.html.j2
@ -0,0 +1,41 @@
+{% extends "_layout.html.j2" %}
+
+{%- block head -%}
+<link rel="stylesheet" href="/_continuwuity/resources/error.css">
+{%- endblock -%}
+
+{%- block title -%}
+🐈 Request Error
+{%- endblock -%}
+
+{%- block content -%}
+<pre class="k10y" aria-hidden>
+　　　 　  ／＞　　 フ
+　　　 　  | 　_　 _|
+　 　　  ／` ミ＿xノ
+　　 　 /　　　 　 |
+　　　 /　 ヽ　　 ﾉ
+　 　 │　　|　|　|
+　／￣|　　 |　|　|
+　| (￣ヽ＿_ヽ_)__)
+　＼二つ
+</pre>
+<div class="panel">
+    <h1>
+        {% if status == StatusCode::NOT_FOUND %}
+        Not found
+        {% else if status == StatusCode::INTERNAL_SERVER_ERROR %}
+        Internal server error
+        {% else %}
+        Bad request
+        {% endif %}
+    </h1>
+
+    {% if status == StatusCode::INTERNAL_SERVER_ERROR %}
+    <p>Please <a href="https://forgejo.ellis.link/continuwuation/continuwuity/issues/new">submit a bug report</a> 🥺</p>
+    {% endif %}
+
+    <pre><code>{{ error }}</code></pre>
+</div>
+
+{%- endblock -%}
--- a/src/web/pages/templates/index.html.j2
+++ b/src/web/pages/templates/index.html.j2
@ -1,4 +1,9 @@
 {% extends "_layout.html.j2" %}
+
+{%- block head -%}
+<link rel="stylesheet" href="/_continuwuity/resources/index.css">
+{%- endblock -%}
+
 {%- block content -%}
 <div class="panel">
    <h1>
@ -6,7 +11,7 @@
    </h1>
    <p>Continuwuity is successfully installed and working.</p>
    {%- if first_run %}
-    <p>To get started, <b>check the server logs</b> for instructions on how to create the first account.</p>
+    <p>To get started, <em>check the server logs</em> for instructions on how to create the first account.</p>
    <p>For support, take a look at the <a href="https://continuwuity.org/introduction">documentation</a> or join the <a href="https://matrix.to/#/#continuwuity:continuwuity.org?via=continuwuity.org&via=ellis.link&via=explodie.org&via=matrix.org">Continuwuity Matrix room</a>.</p>
    {%- else %}
    <p>To get started, <a href="https://matrix.org/ecosystem/clients">choose a client</a> and connect to <code>{{ server_name }}</code>.</p>
--- a/src/web/pages/templates/password_reset.html.j2
+++ b/src/web/pages/templates/password_reset.html.j2
@ -0,0 +1,18 @@
+{% extends "_layout.html.j2" %}
+
+{%- block title -%}
+Reset Password
+{%- endblock -%}
+
+{%- block content -%}
+<div class="panel narrow">
+    <h1>Reset Password</h1>
+    {{ user_card }}
+    {% match body %}
+        {% when PasswordResetBody::Form(reset_form) %}
+        {{ reset_form }}
+        {% when PasswordResetBody::Success %}
+        <p>Your password has been reset successfully.</p>
+    {% endmatch %}
+</div>
+{%- endblock -%}
--- a/src/web/templates/error.html.j2
+++ b/src/web/templates/error.html.j2
@ -1,20 +0,0 @@
-{% extends "_layout.html.j2" %}
-
-{%- block title -%}
-Server Error
-{%- endblock -%}
-
-{%- block content -%}
-<h1>
-    {%- match err -%}
-    {% else -%} 500: Internal Server Error
-    {%- endmatch -%}
-</h1>
-
-{%- match err -%}
-    {% when WebError::Render(err) -%}
-        <pre>{{ err }}</pre>
-    {% else -%} <p>An error occurred</p>
-{%- endmatch -%}
-
-{%- endblock -%}
--- a/src/web/templates/logo.svg
+++ b/src/web/templates/logo.svg
@ -1 +0,0 @@
-../../../docs/public/assets/logo.svg
Author	SHA1	Message	Date
ember	20b1529dc4	Merge pull request 'deployment' (#3 ) from deployment into main Some checks failed Release Docker Image / Build linux-amd64 (release) (push) Waiting to run Details Release Docker Image / Build linux-arm64 (release) (push) Waiting to run Details Release Docker Image / Create Multi-arch Release Manifest (push) Blocked by required conditions Details Release Docker Image / Build linux-amd64 (max-perf) (push) Blocked by required conditions Details Release Docker Image / Build linux-arm64 (max-perf) (push) Blocked by required conditions Details Release Docker Image / Create Max-Perf Manifest (push) Blocked by required conditions Details Documentation / Build and Deploy Documentation (push) Has been skipped Details Checks / Prek / Pre-commit & Formatting (push) Failing after 5s Details Checks / Prek / Clippy and Cargo Tests (push) Failing after 5s Details Reviewed-on: #3	2026-03-20 08:05:07 +00:00
ember	bba5318ce8	Merge pull request 'feat/space-permission-cascading' (#2 ) from feat/space-permission-cascading into deployment Some checks failed Documentation / Build and Deploy Documentation (pull_request) Has been skipped Details Checks / Prek / Pre-commit & Formatting (pull_request) Failing after 4s Details Checks / Prek / Clippy and Cargo Tests (pull_request) Failing after 5s Details Reviewed-on: #2	2026-03-20 08:03:10 +00:00
ember33	1f91a74b27	feat(spaces): wire up enforcement hooks in join, append, and build paths Some checks failed Documentation / Build and Deploy Documentation (pull_request) Has been skipped Details Checks / Prek / Pre-commit & Formatting (pull_request) Failing after 5s Details Checks / Prek / Clippy and Cargo Tests (pull_request) Failing after 6s Details Update flake hashes / update-flake-hashes (pull_request) Failing after 6s Details Add minimal integration points in existing files: - append.rs: call on_pdu_appended for event-driven enforcement - build.rs: call validate_pl_change to protect space-managed PLs - join.rs: call check_join_allowed to gate joins on role requirements - timeline/mod.rs: add roles service dependency	2026-03-20 08:52:23 +01:00
ember33	5f901a560b	feat(spaces): add admin commands for space role management Add !admin space roles subcommands: list, add, remove, assign, revoke, require, unrequire, user, room, enable, disable, status. The remove command uses cascade_remove_role macro to deduplicate member and room cleanup loops. Role definitions, assignments, and room requirements are managed via state events.	2026-03-20 08:52:13 +01:00
ember33	59401e1786	feat(spaces): add space roles service with enforcement and caching Implement the roles service with well-factored helper methods: - Cache population via load_user_roles, load_room_requirements, load_child_rooms_index helpers - Enforcement dispatch via enforce_roles_change, enforce_member_change, enforce_room_change, enforce_cascading_toggle - Child management via handle_child_added, handle_child_removed - Kick logic via user_qualifies_in_any_parent, kick_user_from_room - PL computation via compute_effective_pl (highest-wins across spaces) - Per-space enable/disable, graceful shutdown guards	2026-03-20 08:52:05 +01:00
ember33	95fa3b022a	feat(spaces): add custom state event types and config for space permission cascading Add four custom Matrix state event content types for space role management: space roles definitions, per-user role assignments, per-room role requirements, and per-space cascading override. Add server config options: space_permission_cascading (default false) as the server-wide toggle, and space_roles_cache_flush_threshold (default 1000) for cache management.	2026-03-20 08:51:57 +01:00
Jade Ellis	6b013bcf60	chore: Update funding links	2026-03-19 12:45:12 +00:00
Ginger	05a49ceb60	chore: Whitelist cognitive_complexity lint	2026-03-18 13:59:48 -04:00
Ginger	728c5828ba	feat: Add a panic handler and clean up error page	2026-03-18 13:43:34 -04:00
Ginger	50c94d85a1	fix: Code cleanup	2026-03-18 13:18:53 -04:00
Ginger	0cc188f62c	fix: Remove redirect on index	2026-03-18 12:42:55 -04:00
Ginger	6451671f66	fix: Update doc comment	2026-03-18 12:42:55 -04:00
theS1LV3R	ca21a885d5	chore: Rename option index_page_allow_indexing to allow_web_indexing	2026-03-18 12:42:55 -04:00
Ginger	4af4110f6d	chore: Update news fragment	2026-03-18 12:42:55 -04:00
Ginger	51b450c05c	feat: Use a context struct to store global template context	2026-03-18 12:42:55 -04:00
theS1LV3R	f9d1f71343	fix: Fix logic error	2026-03-18 12:42:55 -04:00
theS1LV3R	7901e4b996	chore: Add news fragment for !1527	2026-03-18 12:42:55 -04:00
theS1LV3R	7b6bf4b78e	feat: Add option for a noindex meta tag on the HTML index page Adds a new config option `index_page_allow_indexing` which defaults to false. Fixes: !1527	2026-03-18 12:42:55 -04:00
Ginger	67d5619ccb	fix: Fix password reset page appearance in light mode	2026-03-18 12:42:55 -04:00
Ginger	bf001f96d6	feat: Restrict reset token command	2026-03-18 12:42:55 -04:00
Ginger	ae2b87f03f	fix: Fix M_NOT_FOUND for users with no origin set	2026-03-18 12:42:55 -04:00
Ginger	957cd3502f	fix: Evil CSS hackery	2026-03-18 12:42:55 -04:00
Ginger	a109542eb8	fix: Disable text selection on k10y	2026-03-18 12:42:55 -04:00
Ginger	8c4844b00b	fix: Use error page for extractor rejections	2026-03-18 12:42:55 -04:00
Ginger	eec7103910	feat: Implement dedicated 404 page for routes under `/_continuwuity/`	2026-03-18 12:42:55 -04:00
Ginger	43aa172829	feat: Move index to `/_continuwuity/`	2026-03-18 12:42:55 -04:00
Ginger	9b4c483b6d	chore: Remove unnecessary database map left over from refactor	2026-03-18 12:42:55 -04:00
Ginger	b885e206ce	fix: Use server name in index again	2026-03-18 12:42:55 -04:00
Ginger	07a935f625	fix: Add CSRF protection	2026-03-18 12:42:55 -04:00
Ginger	d13801e976	fix: Disallow issuing password reset tokens for deactivated users	2026-03-18 12:42:55 -04:00
Ginger	5716c36b47	chore: Change password reset page path	2026-03-18 12:42:55 -04:00
Ginger	f11943b956	chore: News fragment	2026-03-18 12:42:55 -04:00
Ginger	8b726a9c94	chore: Cleanup	2026-03-18 12:42:55 -04:00
Ginger	ffa3c53847	feat: Implement a webpage for self-service password resets	2026-03-18 12:42:55 -04:00
Ginger	da8833fca4	feat: Implement a command for issuing password reset links	2026-03-18 12:42:55 -04:00
Ginger	267feb3c09	feat: Add a new service for handling password resets	2026-03-18 12:42:55 -04:00
Ginger	3d50af0943	refactor: Split web code into multiple files, improve static resource loading	2026-03-18 12:42:55 -04:00
Ginger	9515019641	fix: Allow cognitive_complexity on two particularly large functions	2026-03-18 10:57:50 -04:00
Renovate Bot	f0f53dfada	chore(deps): lock file maintenance	2026-03-18 05:05:56 +00:00
ember33	3bfd10efab	docs: add implementation plan for space permission cascading 15-task plan covering config flag, custom event types, service layer, cache, enforcement hooks, admin commands, and testing. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-17 15:04:32 +01:00
ember33	835d434d92	docs: add design doc for space permission cascading Covers power level cascading from Spaces to child rooms, role-based room access control, continuous enforcement, and admin room commands. Feature will be behind a server-wide config flag. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-17 14:59:48 +01:00
Renovate Bot	acef746d26	fix(deps): Update rust crate recaptcha-verify to 0.2.0	2026-03-17 13:20:50 +00:00
Jade Ellis	3356b60e97	chore: Remove git.nexy7574.co.uk mirror This mirror seems to have some issues preventing regsync from working.	2026-03-16 18:13:26 +00:00
Jade Ellis	c988c2b387	chore: Release	2026-03-16 16:48:53 +00:00
theS1LV3R	3121229707	docs: Update docker documentation to add /sbin/conduwuit to examples These will likely have to be updated when !1485 goes through. Fixes: !1529	2026-03-15 00:21:37 +00:00
Shane Jaroch	ff85145ee8	fix: missing logic inversion for acquired keys (should speed up room joins)	2026-03-13 20:54:38 -04:00
lveneris	f61d1a11e0	chore: set correct commit types for all renovate PRs	2026-03-09 21:51:21 +00:00
lveneris	11ba8979ff	chore: batch non-major non-zerover cargo renovate PRs	2026-03-09 21:51:21 +00:00
Ginger	f6956ccf12	fix: Nuke all remaining references to MSC3575 in docs and code	2026-03-09 17:11:19 +00:00
Kimiblock Moe	977a5ac8c1	Enable the reloading of systemd credentials systemd v260 has introduced a new option: RefreshOnReload, of which when set to true automatically reloads all confext and credential files. This should eliminate the full restart requirement to reload a changed configuration.	2026-03-09 16:08:47 +00:00
timedout	906c3df953	style: Reduce migration warning verbosity to info They aren't actually warning of anything	2026-03-09 13:30:24 +00:00
timedout	33e5fdc16f	style: Reduce verbosity of `fix_corrupt_msc4133_fields`	2026-03-09 13:30:24 +00:00
timedout	77ac17855a	fix: Don't fail on invalid stripped state entries during migration	2026-03-09 13:30:24 +00:00
timedout	65ffcd2884	perf: Insert missed migration markers into fresh databases	2026-03-09 13:30:24 +00:00
timedout	7ec88bdbfe	feat: Make noise about migrations and make errors more informative	2026-03-09 13:30:24 +00:00
Ginger	da3fac8cb4	fix: Use more robust check for max_request_size	2026-03-09 13:27:39 +00:00
Trash Panda	3366113939	fix: Retrieve content_type and video width/height	2026-03-09 13:27:39 +00:00
Trash Panda	9039784f41	fix: Clippy lints	2026-03-09 13:27:39 +00:00
Trash Panda	7f165e5bbe	fix: Refactor and block media downloads larger than max_request_size	2026-03-09 13:27:39 +00:00
Trash Panda	c97111e3ca	fix: Update example config	2026-03-09 13:27:39 +00:00
Trash Panda	e8746760fa	feat(url-preview): Optionally download audio/video files for url preview requests	2026-03-09 13:27:39 +00:00
Katie Kloss	9dbd75e740	docs: Update FreeBSD instructions	2026-03-09 13:26:57 +00:00
Renovate Bot	85b2fd91b9	chore(deps): update rust crate serde-saphyr to 0.0.21	2026-03-09 13:26:23 +00:00
Renovate Bot	6420c218a9	chore(deps): update node-patch-updates to v2.0.5	2026-03-09 12:59:58 +00:00
				`@ -0,0 +1 @@`
				`Added support for using an admin command to issue self-service password reset links.`
				`@ -0,0 +1 @@`
				Add Space permission cascading: power levels cascade from Spaces to child rooms, role-based room access with custom roles, continuous enforcement (auto-join/kick), and admin commands for role management. Server-wide default controlled by `space_permission_cascading` config flag (off by default), with per-Space overrides via `!admin space roles enable/disable <space>`.
				`@ -0,0 +1 @@`
				Add new config option to allow or disallow search engine indexing through a `<meta ../>` tag. Defaults to blocking indexing (`content="noindex"`). Contributed by @s1lv3r and @ginger.
				`@ -0,0 +1 @@`
				`fn main() { memory_serve::load_directory("./pages/resources"); }`