feat: Enable debug logs in release builds

2026-05-26 20:49:55 +00:00 · 2026-05-04 21:27:34 +01:00
225 changed files with 4790 additions and 9939 deletions
@@ -44,7 +44,7 @@ runs:

    - name: Login to builtin registry
      if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
-      uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+      uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
      with:
        registry: ${{ env.BUILTIN_REGISTRY }}
        username: ${{ inputs.registry_user }}
@@ -52,7 +52,7 @@ runs:

    - name: Set up Docker Buildx
      if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
-      uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+      uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
      with:
        # Use persistent BuildKit if BUILDKIT_ENDPOINT is set (e.g. tcp://buildkit:8125)
        driver: ${{ env.BUILDKIT_ENDPOINT != '' && 'remote' || 'docker-container' }}
@@ -61,7 +61,7 @@ runs:
    - name: Extract metadata (tags) for Docker
      if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
      id: meta
-      uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
+      uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
      with:
        flavor: |
          latest=auto
@@ -67,7 +67,7 @@ runs:
      uses: ./.forgejo/actions/rust-toolchain

    - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+      uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
      with:
        # Use persistent BuildKit if BUILDKIT_ENDPOINT is set (e.g. tcp://buildkit:8125)
        driver: ${{ env.BUILDKIT_ENDPOINT != '' && 'remote' || 'docker-container' }}
@@ -79,7 +79,7 @@ runs:

    - name: Login to builtin registry
      if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
-      uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+      uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
      with:
        registry: ${{ env.BUILTIN_REGISTRY }}
        username: ${{ inputs.registry_user }}
@@ -87,7 +87,7 @@ runs:

    - name: Extract metadata (labels, annotations) for Docker
      id: meta
-      uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
+      uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
      with:
        images: ${{ inputs.images }}
        # default labels & annotations: https://github.com/docker/metadata-action/blob/master/src/meta.ts#L509
@@ -17,7 +17,7 @@ inputs:
  llvm-version:
    description: 'LLVM version to install'
    required: false
-    default: '21'
+    default: '20'

 outputs:
  llvm-version:
@@ -71,7 +71,7 @@ runs:

    - name: Install timelord-cli and git-warp-time
      if: steps.check-binaries.outputs.need-install == 'true'
-      uses: https://github.com/taiki-e/install-action@920ab1831fbf4fb3ef75c8ead83556c918bb7290 # v2
+      uses: https://github.com/taiki-e/install-action@b5fddbb5361bce8a06fb168c9d403a6cc552b084 # v2
      with:
        tool: git-warp-time,timelord-cli@3.0.1

@@ -28,7 +28,7 @@ jobs:
            const labelsToAdd = new Set();

            for (const file of fileNames) {
-              if (file.startsWith('docs/') || file.startsWith('theme/') || (file.endsWith('.md') && !file.startsWith('changelog.d/')) || file == 'rspress.config.ts') {
+              if (file.startsWith('docs/') || file.startsWith('theme/') || file.endsWith('.md') || file == 'rspress.config.ts') {
                labelsToAdd.add('Documentation');
              }
              if (file.startsWith('.forgejo/')) {
@@ -56,7 +56,7 @@ jobs:

      - name: Deploy to Cloudflare Pages (Production)
        if: github.ref == 'refs/heads/main' && vars.CLOUDFLARE_PROJECT_NAME != ''
-        uses: https://github.com/cloudflare/wrangler-action@ebbaa1584979971c8614a24965b4405ff95890e0 # v4
+        uses: https://github.com/cloudflare/wrangler-action@9acf94ace14e7dc412b076f2c5c20b8ce93c79cd # v3
        with:
          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
@@ -64,7 +64,7 @@ jobs:

      - name: Deploy to Cloudflare Pages (Preview)
        if: github.ref != 'refs/heads/main' && vars.CLOUDFLARE_PROJECT_NAME != ''
-        uses: https://github.com/cloudflare/wrangler-action@ebbaa1584979971c8614a24965b4405ff95890e0 # v4
+        uses: https://github.com/cloudflare/wrangler-action@9acf94ace14e7dc412b076f2c5c20b8ce93c79cd # v3
        with:
          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
@@ -121,7 +121,7 @@ jobs:
      - name: 🚀 Deploy to Cloudflare Pages
        if: vars.CLOUDFLARE_PROJECT_NAME != ''
        id: deploy
-        uses: https://github.com/cloudflare/wrangler-action@ebbaa1584979971c8614a24965b4405ff95890e0 # v4
+        uses: https://github.com/cloudflare/wrangler-action@9acf94ace14e7dc412b076f2c5c20b8ce93c79cd # v3
        with:
          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
@@ -55,7 +55,7 @@ jobs:
      #     repositories: continuwuity

      - name: Install regsync
-        uses: https://github.com/regclient/actions/regsync-installer@c70ad64367908075211b10dcd2ab9fad4bfa1816 # main
+        uses: https://github.com/regclient/actions/regsync-installer@f3c6d87835906c175eb6ccfc18b348b69bb447e7 # main

      - name: Check what images need mirroring
        run: |
@@ -62,7 +62,7 @@ jobs:
          registry_password: ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}
      - name: Build and push Docker image by digest
        id: build
-        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
        with:
          context: .
          file: "docker/Dockerfile"
@@ -149,7 +149,7 @@ jobs:
          registry_password: ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}
      - name: Build and push max-perf Docker image by digest
        id: build
-        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
        with:
          context: .
          file: "docker/Dockerfile"
@@ -216,7 +216,7 @@ jobs:
          path: binaries
          merge-multiple: true
      - name: Create Release and Upload
-        uses: https://github.com/softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3
+        uses: https://github.com/softprops/action-gh-release@v2
        with:
          draft: true
          files: binaries/*
@@ -43,7 +43,7 @@ jobs:
    name: Renovate
    runs-on: ubuntu-latest
    container:
-      image: ghcr.io/renovatebot/renovate:43.195.3@sha256:868dffc3d6a46f42dfefe48b6978cc063d8df9c1d58a93a694c8989afa503e34
+      image: ghcr.io/renovatebot/renovate:43.140.0@sha256:61303c28b10a491c559529fb6f41745850e4755a43a54c04c3ae6848d6eaf5cc
      options: --tmpfs /tmp:exec
    steps:
      - name: Checkout
@@ -24,7 +24,7 @@ repos:
        - id: check-added-large-files

  - repo: https://github.com/crate-ci/typos
-    rev: v1.46.2
+    rev: v1.46.0
    hooks:
      - id: typos
      - id: typos
@@ -1 +1 @@
-Contributors are expected to follow the [Continuwuity Community Guidelines](https://continuwuity.org/community/guidelines).
+Contributors are expected to follow the [Continuwuity Community Guidelines](continuwuity.org/community/guidelines).
@@ -137,9 +137,9 @@ The allowed types for commits are:

 Examples:
 ```
-feat: Add user authentication
-fix(database): Resolve connection pooling issue
-docs: Update installation instructions
+feat: add user authentication
+fix(database): resolve connection pooling issue
+docs: update installation instructions
 ```

 The project uses the `committed` hook to validate commit messages in pre-commit. This ensures all commits follow the conventional format.
@@ -12,7 +12,7 @@ license = "Apache-2.0"
 # See also `rust-toolchain.toml`
 readme = "README.md"
 repository = "https://forgejo.ellis.link/continuwuation/continuwuity"
-version = "0.5.9"
+version = "0.5.8"

 [workspace.metadata.crane]
 name = "conduwuit"
@@ -39,10 +39,10 @@ features = ["ffi", "std", "union"]
 version = "1.1.0"

 [workspace.dependencies.ctor]
-version = "1.0.6"
+version = "0.13.0"

 [workspace.dependencies.dtor]
-version = "1.0.0"
+version = "0.13.0"

 [workspace.dependencies.cargo_toml]
 version = "0.22"
@@ -164,7 +164,7 @@ features = ["raw_value"]

 # Used for appservice registration files
 [workspace.dependencies.serde-saphyr]
-version = "0.0.26"
+version = "0.0.25"

 # Used to load forbidden room/user regex from config
 [workspace.dependencies.serde_regex]
@@ -180,7 +180,7 @@ version = "0.5.3"
 features = ["alloc", "rand"]
 default-features = false

-# Used to generate thumbnails for images
+# Used to generate thumbnails for images & blurhashes
 [workspace.dependencies.image]
 version = "0.25.5"
 default-features = false
@@ -191,6 +191,14 @@ features = [
    "webp",
 ]

+[workspace.dependencies.blurhash]
+version = "0.2.3"
+default-features = false
+features = [
+    "fast-linear-to-srgb",
+    "image",
+]
+
 # logging
 [workspace.dependencies.log]
 version = "0.4.27"
@@ -344,7 +352,7 @@ version = "1.1.1"
 [workspace.dependencies.ruma]
 # version = "0.14.1"
 git = "https://github.com/ruma/ruma.git"
-rev = "9c9dccc93f054bbd28f23f630223fffa6289ecbc"
+rev = "5742fec0021b85fedbf5cd1f59c50a00bb5b9f7c"
 features = [
    "appservice-api-c",
    "client-api",
@@ -356,6 +364,7 @@ features = [
    "ring-compat",
    "compat-upload-signatures",
    "compat-optional-txn-pdus",
+    "unstable-msc2448",
    "unstable-msc2666",
    "unstable-msc2867",
    "unstable-msc2870",
@@ -384,7 +393,7 @@ features = [

 [workspace.dependencies.rust-rocksdb]
 git = "https://forgejo.ellis.link/continuwuation/rust-rocksdb-zaidoon1"
-rev = "0a25ff92f7c09b55eec496b9c192c7d5136ab2b8"
+rev = "31fb8f772c7afcdc0061ab6a40cfa3a1be2fccd9"
 default-features = false
 features = [
    "multi-threaded-cf",
@@ -404,20 +413,20 @@ default-features = false

 # optional opentelemetry, performance measurements, flamegraphs, etc for performance measurements and monitoring
 [workspace.dependencies.opentelemetry]
-version = "0.32.0"
+version = "0.31.0"

 [workspace.dependencies.tracing-flame]
 version = "0.2.0"

 [workspace.dependencies.tracing-opentelemetry]
-version = "0.33.0"
+version = "0.32.0"

 [workspace.dependencies.opentelemetry_sdk]
-version = "0.32.0"
+version = "0.31.0"
 features = ["rt-tokio"]

 [workspace.dependencies.opentelemetry-otlp]
-version = "0.32.0"
+version = "0.31.0"
 features = ["http", "grpc-tonic", "trace", "logs", "metrics"]


@@ -534,7 +543,7 @@ version = "2.1.1"
 features = ["std"]

 [workspace.dependencies.minicbor-serde]
-version = "0.7.0"
+version = "0.6.0"
 features = ["std"]

 [workspace.dependencies.maplit]
@@ -559,9 +568,6 @@ features = ["std"]
 [workspace.dependencies.nonzero_ext]
 version = "0.3.0"

-[workspace.dependencies.serde_urlencoded]
-version = "0.7.1"
-
 #
 # Patches
 #
@@ -1 +0,0 @@
-Users may now be forbidden from deactivating their own accounts with the new `allow_deactivation` config option. Contributed by @ginger.
@@ -1 +0,0 @@
-Added support for Matrix 1.16's `state_after` feature, allowing clients which understand it to sync room state changes more reliably. Contributed by @ginger.
@@ -1 +0,0 @@
-Added support for authenticating clients using the new OAuth 2.0 login API. Contributed by @ginger.
@@ -1 +0,0 @@
-Removed support for guest user registration, a little-used and deprecated approach to room previews.
@@ -1 +0,0 @@
-The deprecated `well_known.rtc_focus_server_urls` config option has been removed. MatrixRTC foci should be configured using the `matrix_rtc.foci` config option.
@@ -1 +0,0 @@
-The version of Debian that the Docker-based build process uses has been upgraded from Bookworm to Trixie, meaning that standalone binaries now have a minimum glibc of 2.41, and can no longer be used on distro versions from before 2025-01-30
@@ -1 +0,0 @@
-Support for server-side blurhashing (part of MSC2448) has been removed.
@@ -1 +0,0 @@
-Updated [MSC4284: Policy Servers](https://github.com/matrix-org/matrix-spec-proposals/pull/4284) implementation to support the newly stabilised proposal. Contributed by @nex.
@@ -1 +0,0 @@
-Add performance tuning documentation. Contributed by @stratself.
@@ -1 +0,0 @@
-Added config option for default room ACLs. Contributed by @eve.
@@ -1 +0,0 @@
-Add `!admin users reject-all-invites` to clean invite spam
@@ -1 +0,0 @@
-fix `!admin query account-data account-data-get` not returning the content
@@ -1,9 +0,0 @@
-Implemented event rejection, which should resolve and prevent future netsplits of the kinds observed
-within some Continuwuity rooms.
-Also resolved several bugs related to both soft-failing events, and event backfilling, which should
-improve state resolution stability.
-The `!admin debug get-pdu` command was updated to disambiguate event acceptance status, and
-`!admin debug show-auth-chain` was added to visually display event auth chains, which may assist
-developers in debugging strangely complex events.
-
-Contributed by @nex.
@@ -1 +0,0 @@
-Fixed an issue where Continuwuity would only advertise support for the unstable endpoint for Mutual Rooms (MSC2666), despite only supporting the stable endpoint. Contributed by @Henry-Hiles (QuadRadical)
@@ -1 +0,0 @@
-Fixed several bugs in the `POST /_matrix/client/v3/rooms/{roomId}/upgrade` endpoint. Contributed by @nex.
@@ -1 +0,0 @@
-Added full support for [MSC4168: Update `m.space.*` state on room upgrade](https://github.com/matrix-org/matrix-spec-proposals/pull/4168). Contributed by @nex.
@@ -1 +0,0 @@
-Adjusted legacy sync logic to no longer use the `roomsynctoken_shortstatehash` database column. Once this change has been confirmed to be stable and reliable, a future update will remove it entirely, significantly decreasing database sizes. Contributed by @ginger.
@@ -7,6 +7,7 @@
 [global]
 address = "0.0.0.0"
 allow_device_name_federation = true
+allow_guest_registration = true
 allow_public_room_directory_over_federation = true
 allow_registration = true
 database_path = "/database"
@@ -31,6 +32,7 @@ rocksdb_log_level = "info"
 rocksdb_max_log_files = 1
 rocksdb_recovery_mode = 0
 rocksdb_paranoid_file_checks = true
+log_guest_registrations = false
 allow_legacy_media = true
 startup_netburst = true
 startup_netburst_keep = -1
@@ -372,18 +372,21 @@
 #
 #federation_timeout = 60

-# Policy server request timeout (seconds). Generally policy
+# MSC4284 Policy server request timeout (seconds). Generally policy
 # servers should respond near instantly, however may slow down under
 # load. If a policy server doesn't respond in a short amount of time, the
 # room it is configured in may become unusable if this limit is set too
-# high. 30 seconds is a good default, however lower values may be
-# acceptable if temporary send failures are an okay trade-off.
+# high. 10 seconds is a good default, however dropping this to 3-5 seconds
+# can be acceptable.
 #
+# Please be aware that policy requests are *NOT* currently re-tried, so if
+# a spam check request fails, the event will be assumed to be not spam,
+# which in some cases may result in spam being sent to or received from
+# the room that would typically be prevented.
 #
 # About policy servers: https://matrix.org/blog/2025/04/introducing-policy-servers/
-# (Stabilized in Matrix v1.18)
 #
-#policy_server_request_timeout = 30
+#policy_server_request_timeout = 10

 # Federation client idle connection pool timeout (seconds).
 #
@@ -521,15 +524,17 @@
 #
 #recaptcha_private_site_key =

-# Controls whether users are allowed to deactivate their own accounts
-# through the account management panel or their Matrix clients. Server
-# admins can always deactivate users using the relevant admin commands.
+# Policy documents, such as terms and conditions or a privacy policy,
+# which users must agree to when registering an account.
 #
-# Note that, in some jurisdictions, you may be legally required to honor
-# users who request to deactivate their accounts if you set this option
-# to `false`.
+# Example:
+# ```ignore
+# [global.registration_terms.privacy_policy]
+# en = { name = "Privacy Policy", url = "https://homeserver.example/en/privacy_policy.html" }
+# es = { name = "Política de Privacidad", url = "https://homeserver.example/es/privacy_policy.html" }
+# ```
 #
-#allow_deactivation = true
+#registration_terms = {}

 # Controls whether encrypted rooms and events are allowed.
 #
@@ -619,30 +624,6 @@
 #
 #default_room_version = "12"

-# A default allow value for the Access Control List when creating a room.
-#
-# If a list is provided, new rooms will be created with
-# a m.room.server_acl event. Only servers which match one of the patterns
-# in the list will be permitted to participate in the room.
-#
-# ACLs in existing rooms will not be updated automatically. This is not
-# a substitute for moderation bots.
-#
-#default_room_acl_allow =
-
-# A default deny value for the Access Control List when creating a room.
-#
-# If a list is provided, new rooms will be created with
-# a m.room.server_acl event. Servers which match one of the patterns
-# in the list will be NOT permitted to participate in the room.
-#
-# This config cannot be used if the default_room_acl_allow config is used.
-#
-# ACLs in existing rooms will not be updated automatically. This is not
-# a substitute for moderation bots.
-#
-#default_room_acl_deny =
-
 # Enable OpenTelemetry OTLP tracing export. This replaces the deprecated
 # Jaeger exporter. Traces will be sent via OTLP to a collector (such as
 # Jaeger) that supports the OpenTelemetry Protocol.
@@ -1290,6 +1271,21 @@
 #
 #brotli_compression = false

+# Set to true to allow user type "guest" registrations. Some clients like
+# Element attempt to register guest users automatically.
+#
+#allow_guest_registration = false
+
+# Set to true to log guest registrations in the admin room. Note that
+# these may be noisy or unnecessary if you're a public homeserver.
+#
+#log_guest_registrations = false
+
+# Set to true to allow guest registrations/users to auto join any rooms
+# specified in `auto_join_rooms`.
+#
+#allow_guests_auto_join_rooms = false
+
 # Enable the legacy unauthenticated Matrix media repository endpoints.
 # These endpoints consist of:
 # - /_matrix/media/*/config
@@ -1589,6 +1585,19 @@
 #
 #block_non_admin_invites = false

+# Enable or disable making requests to MSC4284 Policy Servers.
+# It is recommended you keep this enabled unless you experience frequent
+# connectivity issues, such as in a restricted networking environment.
+#
+#enable_msc4284_policy_servers = true
+
+# Enable running locally generated events through configured MSC4284
+# policy servers. You may wish to disable this if your server is
+# single-user for a slight speed benefit in some rooms, but otherwise
+# should leave it enabled.
+#
+#policy_server_check_own_events = true
+
 # Allow admins to enter commands in rooms other than "#admins" (admin
 # room) by prefixing your message with "\!admin" or "\\!admin" followed up
 # a normal continuwuity admin command. The reply will be publicly visible
@@ -1793,9 +1802,11 @@
 #stream_amplification = 1024

 # Number of sender task workers; determines sender parallelism. Default is
-# core count. Override by setting a different value.
+# '0' which means the value is determined internally, likely matching the
+# number of tokio worker-threads or number of cores, etc. Override by
+# setting a non-zero value.
 #
-#sender_workers = core count
+#sender_workers = 0

 # Enables listener sockets; can be set to false to disable listening. This
 # option is intended for developer/diagnostic purposes only.
@@ -1853,11 +1864,6 @@
 #
 #support_page =

-# The ed25519 public key for the policy server available at this server's
-# name. Must be unpadded base64.
-#
-#policy_server_public_key =
-
 # Role string for server support contacts, to be served as part of the
 # MSC1929 server support endpoint at /.well-known/matrix/support.
 #
@@ -1883,6 +1889,34 @@
 #
 #support_pgp_key =

+# **DEPRECATED**: Use `[global.matrix_rtc].foci` instead.
+#
+# A list of MatrixRTC foci URLs which will be served as part of the
+# MSC4143 client endpoint at /.well-known/matrix/client.
+#
+# This option is deprecated and will be removed in a future release.
+# Please migrate to the new `[global.matrix_rtc]` config section.
+#
+#rtc_focus_server_urls = []
+
+[global.blurhashing]
+
+# blurhashing x component, 4 is recommended by https://blurha.sh/
+#
+#components_x = 4
+
+# blurhashing y component, 3 is recommended by https://blurha.sh/
+#
+#components_y = 3
+
+# Max raw size that the server will blurhash, this is the size of the
+# image after converting it to raw data, it should be higher than the
+# upload limit but not too high. The higher it is the higher the
+# potential load will be for clients requesting blurhashes. The default
+# is 33.55MB. Setting it to 0 disables blurhashing.
+#
+#blurhash_max_raw_size = 33554432
+
 [global.matrix_rtc]

 # A list of MatrixRTC foci (transports) which will be served via the
@@ -1968,10 +2002,8 @@
 #
 #sender =

-# Whether to allow public registration with an email address.
-#
-# Note that, if this option is enabled, anyone will be able to register an
-# account with just an email address.
+# Whether to require that users provide an email address when they
+# register.
 #
 # If either this option or `require_email_for_token_registration` are set,
 # users will not be allowed to remove their email address.
@@ -1979,37 +2011,6 @@
 #require_email_for_registration = false

 # Whether to require that users who register with a registration token
-# provide an email address. This option is independent of
-# `require_email_for_registration`.
+# provide an email address.
 #
 #require_email_for_token_registration = false
-
-#[global.registration_terms]
-
-# The language code to provide to clients along with the policy documents.
-#
-#language = "en"
-
-# Policy documents, such as terms and conditions or a privacy policy,
-# which users must agree to when registering an account.
-#
-# Example:
-# ```ignore
-# [global.registration_terms.documents]
-# privacy_policy = { name = "Privacy Policy", url = "https://homeserver.example/en/privacy_policy.html" }
-# ```
-#
-#documents = {}
-
-#[global.oauth]
-
-# The compatibility mode to use for OAuth.
-#
-# - "disabled": OAuth will be unavailable. Users will only be able to log
-#   in using legacy authentication.
-# - "hybrid": OAuth and legacy authentication will both be available. Some
-#   clients may only use one or the other.
-# - "exclusive": Only OAuth will be available. Clients which require
-#   legacy authentication will be unable to log in.
-#
-#compatibility_mode = "hybrid"
@@ -1,5 +1,5 @@
 ARG RUST_VERSION=1
-ARG DEBIAN_VERSION=trixie
+ARG DEBIAN_VERSION=bookworm

 FROM --platform=$BUILDPLATFORM docker.io/tonistiigi/xx AS xx
 FROM --platform=$BUILDPLATFORM rust:${RUST_VERSION}-slim-${DEBIAN_VERSION} AS base
@@ -10,7 +10,7 @@ RUN rm -f /etc/apt/apt.conf.d/docker-clean

 # Match Rustc version as close as possible
 # rustc -vV
-ARG LLVM_VERSION=22
+ARG LLVM_VERSION=21
 # ENV RUSTUP_TOOLCHAIN=${RUST_VERSION}

 # Install repo tools
@@ -22,7 +22,7 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
    --mount=type=cache,target=/var/lib/apt,sharing=locked \
    apt-get update && apt-get install -y \
    pkg-config make jq \
-    wget curl git lsb-release gpg \
+    wget curl git software-properties-common \
    file
    # golang cmake

@@ -50,7 +50,7 @@ EOF

 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.19.1
+ENV BINSTALL_VERSION=1.19.0
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree
@@ -18,7 +18,7 @@ RUN --mount=type=cache,target=/etc/apk/cache apk add \

 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.19.1
+ENV BINSTALL_VERSION=1.19.0
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree
@@ -8,11 +8,6 @@
        "type": "file",
        "name": "dns",
        "label": "DNS tuning (recommended)"
-    },
-    {
-        "type": "file",
-        "name": "performance",
-        "label": "Performance tuning"
    }

 ]
@@ -156,11 +156,9 @@ Remember to set the `Access-Control-Allow-Origin: *` header in your `/.well-know

 ## Troubleshooting

-Check that other servers can connect to you.
-Here are some tools that can help identify federation issues:
+Check with the [Matrix Connectivity Tester][federation-tester] to see that it's working.

- [Matrix Connectivity Tester](https://federationtester.mtrnord.blog/)
- [Matrix Federation Tester](https://federationtester.matrix.org/)
+[federation-tester]: https://federationtester.mtrnord.blog/

 ### Cannot log in with web clients

@@ -74,11 +74,13 @@ Some values that are commonly tuned include:

 - Increase `discard-timeout` to something like `4800` to wait longer for upstream resolvers, as recursion can take a long time to respond to some domains. Continuwuity default to `dns_timeout = 10` seconds, so dropping requests early would lead to unnecessary retries and/or failures.

-### Recursion versus forwarding
+### Using a forwarder (optional)

-Unbound by default employs **recursive resolution** and contacts many servers around the world. While this allows updated and authoritative answers and are generally viable for most users, sometimes these recursive queries can be too slow to fully resolve. As an alternative, you can consider **forwarding** your queries to public resolvers, and benefit from faster responses from their CDNs.
+Unbound by default employs **recursive resolution** and contacts many servers around the world. If this is not performant enough, consider forwarding your queries to public resolvers to benefit from their CDNs and get faster responses.

-Do note that most popular upstreams (such as Google DNS or Quad9) employ IP ratelimiting, so a generous cache is still needed to avoid making too many queries.
+However, most popular upstreams (such as Google DNS or Quad9) employ IP ratelimiting, so a generous cache is still needed to avoid making too many queries.
+
+DNS-over-TLS forwarders may also be used should you need on-the-wire encryption, but TLS overhead causes some speed penalties.

 If you want to use forwarders, configure it as follows:

@@ -97,8 +99,6 @@ forward-zone:
    # forward-addr: 2606:4700:4700::1111@53

 # alternatively, use DNS-over-TLS for forwarders.
-# this will encrypt traffic between you and the forwarder,
-# but takes more time due to TLS overhead.
 # forward-zone:
    # name: "."
    # forward-tls-upstream: yes
@@ -133,11 +133,9 @@ However, `dnsmasq` does not support TCP fallback which can be problematic when r

 [arch-linux-dnsmasq]: https://wiki.archlinux.org/title/Dnsmasq

-### Technitium DNS
+### Technitium

-[Technitium DNS Server][technitium] supports recursion as well as a myriad of forwarding protocols, allows saving cache to disk natively, and does work well with Continuwuity. Its out-of-the-box configs however ratelimits single-IP requests by a lot, and hence must be changed.
-
-You may consult this [community guide][technitium-continuwuity] for more details on setting up and fine-tuning a dedicated Technitium instance for Continuwuity.
+[Technitium][technitium] supports recursion as well as a myriad of forwarding protocols, allows saving cache to disk natively, and does work well with Continuwuity. Its default configurations however ratelimits single-IP requests by a lot, and hence must be changed. You may consult this [community guide][technitium-continuwuity] for more details on setting up a dedicated Technitium for Continuwuity.

 [technitium]: https://github.com/TechnitiumSoftware/DnsServer
 [technitium-continuwuity]: https://muoi.me/~stratself/articles/technitium-continuwuity/
@@ -152,13 +150,11 @@ Note that it is expected that not all servers will be resolved, as some of them

 ## Further steps

-It is recommended to set **`dns_cache_entries = 0`** inside Continuwuity to fully rely on the external resolver. While Continuwuity does have an internal cache, it can run into reliability issues if you're federating with many domains.
-
-Additionally, you can also make the following improvements:
+- (Recommended) Set **`dns_cache_entries = 0`** inside Continuwuity and fully rely on the more performant external resolver.

 - Consider employing **persistent cache to disk**, so your resolver can still run without hassle after a restart. Unbound, via [Cache DB module][unbound-cachedb], can use Redis as a storage backend for this feature.

- Consider [enabling **Serve Stale**][unbound-serve-stale] functionality to serve expired data beyond DNS TTLs. Since most Matrix homeservers have static IPs, this should still allow federating with them when upstream resolvers have timed out. For dnsproxy, this corresponds to its [optimistic caching options][dnsproxy-usage].
+- Consider [enabling **Serve Stale**][unbound-serve-stale] functionality to serve expired data beyond DNS TTLs. Since most Matrix homeservers have static IPs, this should help improve federation with them especially when upstream resolvers have timed out. For dnsproxy, this corresponds to its [optimistic caching options][dnsproxy-usage].

 - If you still experience DNS performance issues, another step could be to **disable DNSSEC** (which is computationally expensive) at a cost of slightly decreased security. On Unbound this is done by commenting out `trust-anchors` config options and removing the `validator` module.

@@ -1,135 +0,0 @@
-# Performance tuning
-
-Continuwuity's default configs are suited for many typical setups and scales appropriately with the size of your hardware. However, there are many scenarios where additional modifications can be made to better utilize your server resources.
-
-This page aims to outline various performance tweaks for Continuwuity and their effects. These adjustments are especially helpful for homeservers that join many large federated rooms or have many users, and it will become increasingly necessary as the Matrix network expands. As always, your mileage may vary according to your setup's specifics. If you have further discussions or recommendations, please share them in the community rooms.
-
-## DNS tuning (recommended)
-
-Please see the dedicated [DNS tuning guide](./dns.mdx).
-
-## Cache capacities
-
-If you have memory to spare, consider increasing the `cache_capacity_modifier` value to a larger number to allow more data to be stored in hot memory. This *significantly* speeds up many intensive operations (such as state resolutions) and decreases CPU usage and disk I/O. Start with a baseline of `cache_capacity_modifier = 2.0` and tune up until you are satisfied with RAM usage.
-
-On the other hand, if your system doesn't have a lot of RAM, consider decreasing the cache capacity modifier to something smaller than `1.0` to avoid low-memory issues (at the cost of higher load on disk/CPU). This recommendation also works if your system has abnormally little RAM compared to the number of CPU cores (for example, 2GB RAM for 12 cores), as cache capacities scale according to number of available cores.
-
-## Disabling some features
-
-You can disable outgoing **typing notifications** and **read markers** to reduce strain on the CPU and network when actively participating in rooms.
-
-```toml
-# disables sending read receipts
-allow_outgoing_read_receipts = false
-# disables sending typing notifications
-allow_outgoing_typing = false
-```
-
-Outgoing presence updates are also considered very expensive and have been disabled by default (`allow_outgoing_presence = false`). For more savings, you may wish to disable _all_ processing of presence entirely.
-
-```toml title=continuwuity.toml
-# disabling presence updates entirely
-allow_local_presence = false
-allow_incoming_presence = false
-allow_outgoing_presence = false
-```
-
-## Tuning database compression
-
-:::warning
-These steps SHOULD be done **before** starting Continuwuity for the first time. While switching database compression midway through is theoretically possible, this has not been tested extensively in the wild.
-:::
-
-### Changing the compression algorithm
-
-For reduced CPU usage at a tradeoff of increased storage space, consider deploying Continuwuity with the faster and less intensive `lz4` algorithm instead of `zstd` for rocksdb, and disable WAL compression entirely:
-
-```toml
-### in continuwuity.toml ###
-rocksdb_compression_algo = "lz4"
-rocksdb_wal_compression = "none"
-```
-
-This tweak can especially be helpful if you have an older or less performant CPU (e.g. a Raspberry Pi) and disk space to spare.
-
-### Increasing bottommost layer compression (`zstd` only)
-
-The bottommost layer of the database usually contains old and read-only data, so it is a suitable place for further compression. In Continuwuity, this is possible by setting `rocksdb_bottommost_compression = true` and tuning `rocksdb_bottommost_compression_level` to a more compact level than the default one used in `rocksdb_compression_level`. This tweak comes at a cost of increased CPU usage, but may prevent your database from growing too large in the long run.
-
-For those using `zstd` compression, the compression level ranges from 1 to 22. An example like this could apply:
-
-```toml
-### in continuwuity.toml ###
-rocksdb_compression_algo = "zstd"
-rocksdb_compression_level = 32767 # magic number, translates to level 3 on zstd
-rocksdb_bottommost_compression = true
-rocksdb_bottommost_compression_level = 9 # level 9 on zstd
-```
-
-For `lz4` users, the default level (`-1`) is already the most compact. You can only further decrease it to favor compression speed over ratio.
-
-Consult these documents for more information on compression tuning and levels:
-
- [Rocksdb compression documentation][rocksdb-compression]
- [Rocksdb default compression levels][rocksdb-compression-defaults]
- [Zstd manual][zstd-manual]
- [Lz4 manual][lz4-manual]
-
-[rocksdb-compression]: https://github.com/facebook/rocksdb/wiki/Compression
-[rocksdb-compression-defaults]: https://github.com/facebook/rocksdb/blob/main/include/rocksdb/options.h#L208-L217
-[zstd-manual]: https://facebook.github.io/zstd/zstd_manual.html
-[lz4-manual]: https://github.com/lz4/lz4/blob/release/doc/lz4_manual.html
-
-## Other tweaks
-
-### Using UNIX sockets
-
-If your homeserver and reverse proxy live on the same machine, you may wish to expose Continuwuity on a UNIX socket instead of a port. This removes TCP overhead between the two programs.
-
-<details>
-
-<summary>Example config with Caddy</summary>
-
-```toml
-### in continuwuity.toml ###
-
-# `address` and `port` has to be commented out first
-#address = ["127.0.0.1", "::1"]
-#port = 8008
-unix_socket_path = "/run/continuwuity/continuwuity.sock"
-```
-
-```
-### in your Caddyfile ###
-https://matrix.example.com {
-    reverse_proxy unix//run/continuwuity/continuwuity.sock
-
-    # alternatively, use the http2-plaintext protocol
-    # reverse_proxy unix+h2c//run/continuwuity/continuwuity.sock
-}
-```
-
-</details>
-
-### Tuning your trusted servers
-
-:::info Vet your trusted servers!
-Trusted servers are your first point of contact when obtaining public keys from other servers, and they could theoretically impersonate other servers and cause significant harm to your deployment. Please thoroughly verify your trusted servers' credibility before adding them to your configuration.
-:::
-
-Trusted servers are queried sequentially in the order they are listed. If you have multiple trusted servers configured, put the faster ones first:
-
-```toml
-# Example config, using maintainers' recommended homeservers
-trusted_servers = ["codestorm.net","starstruck.systems","unredacted.org","matrix.org"]
-```
-
-Avoid prioritising `matrix.org` as your primary trusted server, as it tends to be quite slow.
-
-Some users have also reported that increasing `trusted_server_batch_size` has helped with faster joins for huge rooms. Start with doubling the default to `2048` until you find a suitable value.
-
-### Enable HTTP/3 on your reverse proxy
-
-Consider enabling the newer **HTTP/3** protocol for inbound connections to Continuwuity. In Caddy HTTP/3 is allowed by default, but you must expose port :443/**udp** on your firewall.
-
-HTTP/3 can vastly improve Client-Server connections especially on unstable networks, as it reduces packet losses and latency from TCP head-of-line blocking, includes workarounds for network switching, and reduces connection establishment handshakes. Continuwuity also includes experimental _outbound_ HTTP/3 support in its Docker images, so connections between Continuwuity servers can benefit from this too.
@@ -25,9 +25,9 @@ You must generate a key and secret to allow the Matrix service to authenticate w
 :::tip Generating the secrets
 LiveKit provides a utility to generate secure random keys
 ```bash
-docker run --rm livekit/livekit-server:latest generate-keys
-# API Key:  APIUxUnMnSkuFWV
-# API Secret:  t93ZVjPeoEdyx7Wbet3kG4L3NGZIZVEFvqe0UuiVc22A
+~$ docker run --rm livekit/livekit-server:latest generate-keys
+API Key:  APIUxUnMnSkuFWV
+API Secret:  t93ZVjPeoEdyx7Wbet3kG4L3NGZIZVEFvqe0UuiVc22A
 ```
 :::

@@ -262,14 +262,14 @@ Restart LiveKit and coturn to apply these changes.

 ## Testing

-To test that LiveKit is successfully integrated with Continuwuity, you will need to replicate its [Token Exchange Flow](https://github.com/element-hq/lk-jwt-service#%EF%B8%8F-how-it-works--token-exchange-flow). Follow the steps below while checking Docker logs (`docker-compose logs --follow`), in order to help [troubleshooting](#troubleshooting) any issues.
+To test that LiveKit is successfully integrated with Continuwuity, you will need to replicate its [Token Exchange Flow](https://github.com/element-hq/lk-jwt-service#%EF%B8%8F-how-it-works--token-exchange-flow).

 First, you will need an access token for your current login session. These can be found in your client's settings or obtained via [this website](https://timedout.uk/mxtoken.html).

-Then, using that token, fetch the discovery endpoints for MatrixRTC services:
+Then, using that token, fetch the discovery endpoints for MatrixRTC services

 ```bash
-curl -H "Authorization: Bearer <session-access-token>" \
+curl -X POST -H "Authorization: Bearer <session-access-token>" \
  https://matrix.example.com/_matrix/client/unstable/org.matrix.msc4143/rtc/transports
 ```

@@ -318,7 +318,7 @@ Replace `matrix_server_name` and `claimed_user_id` with your information, and `<
 You can then send this payload to the lk-jwt-service:

 ```bash
-curl -X POST -d @payload.json https://livekit.example.com/get_token
+~$ curl -X POST -d @payload.json https://livekit.example.com/get_token
 ```

 The lk-jwt-service will, after checking against Continuwuity, answer with a `jwt` token to create a LiveKit media room:
@@ -331,31 +331,22 @@ Use this token to test at the [LiveKit Connection Tester](https://livekit.io/con

 ## Troubleshooting

-To debug any issues, you can place a call or redo the Testing instructions, and check the container logs for any specific errors. Use `docker-compose logs --follow` to follow these logs in real-time.
+To debug any issues, you can place a call or redo the Testing instructions, and check the container logs for any specific errors. Use `docker-compose logs --follow` to follow them in real-time.

 ### Common errors in Element Call UI

 - `MISSING_MATRIX_RTC_FOCUS`: LiveKit is missing from Continuwuity's config file
 - "Waiting for media" popup always showing: a LiveKit URL has been configured in Continuwuity, but your client cannot connect to it for some reason

-For browser-based clients, you can also inspect connections using DevTools' Networking tab, to see which requests are erroring out.
-
 ### Docker loopback networking issues

 Some distros do not allow Docker containers to connect to its host's public IP by default. This would cause `lk-jwt-service` to fail connecting to `livekit` or `continuwuity` on the same host. As a result, you would see connection refused/connection timeouts log entries in the JWT service, even when `LIVEKIT_URL` has been configured correctly.

-You can also test that this is the case by cURLing from a sidecar container:
-
-```bash
-docker run --rm --net container:lk-jwt-service docker.io/curlimages/curl https://livekit.example.com
-# --- some errors ---
-```
-
 To alleviate this, you can try one of the following workarounds:

 - Use `network_mode: host` for the `lk-jwt-service` container (instead of the default bridge networking).

- Add an `extra_hosts` file mapping livekit's (and continuwuity's) domain name to a locally-reachable address:
+- Add an `extra_hosts` file mapping livekit's (and continuwuity's) domain name to a localhost address:

    ```diff
    # in docker-compose.yaml
@@ -369,7 +360,12 @@ To alleviate this, you can try one of the following workarounds:

 - (**untested, use at your own risk**) Implement an iptables workaround as shown [here](https://forums.docker.com/t/unable-to-connect-to-host-service-from-inside-docker-container/145749/6).

-After implementing the changes and restarting your compose, `lk-jwt-service` should now connect to your other services. The sidecar container test above should now return an `OK` from LiveKit.
+After implementing the changes and restarting your compose, you can test whether the connection works by cURLing from a sidecar container:
+
+```bash
+~$ docker run --rm --net container:lk-jwt-service docker.io/curlimages/curl https://livekit.example.com
+OK
+```

 ### Workaround for non-federating servers

@@ -185,15 +185,13 @@ See the [generic deployment guide](generic.mdx) for more deployment options.

 Test that your setup works by following these [instructions](./generic.mdx#how-do-i-know-it-works)

-Check your container logs using `docker-compose logs --follow` to debug any issues. See the [Troubleshooting](../troubleshooting.mdx) page for common errors and how to fix them.
-
 ## Other deployment methods

 ### Docker - Quick Run

-:::warning For testing only
-The instructions below are only meant for a quick demo of Continuwuity with **federation disabled**.
-For production deployment, we recommend using [Docker Compose](#docker-compose).
+:::note For testing only
+The instructions below are only meant for a quick demo of Continuwuity.
+For production deployment, we recommend using [Docker Compose](#docker-compose)
 :::

 Get a working Continuwuity server with an admin user in four steps:
@@ -213,7 +211,7 @@ Get a working Continuwuity server with an admin user in four steps:
      -e CONTINUWUITY_SERVER_NAME="example.com" \
      -e CONTINUWUITY_DATABASE_PATH="/var/lib/continuwuity" \
      -e CONTINUWUITY_ADDRESS="0.0.0.0" \
-      -e CONTINUWUITY_ALLOW_FEDERATION="false" \
+      -e CONTINUWUITY_ALLOW_REGISTRATION="false" \
      --name continuwuity \
      forgejo.ellis.link/continuwuation/continuwuity:latest \
      /sbin/conduwuit
@@ -235,9 +233,9 @@ Get a working Continuwuity server with an admin user in four steps:
    Pick your own username and password!
    ```

-4. Configure your reverse proxy to forward HTTPS traffic to Continuwuity at port 8008. See [Docker Compose](#docker-compose) or the [Generic instructions](./generic.mdx#setting-up-the-reverse-proxy) for examples.
+4. Configure your reverse proxy to forward HTTPS traffic to Continuwuity at port 8008. See [Docker Compose](#docker-compose) for examples.

-Once configured, log in to your server with any Matrix client, and register for an account with the registration token from step 3. If you did not configure step 4., log in via the `http://<your_server_ip>:8008` address. You will be automatically invited to the admin room where you can [manage your server](../reference/admin).
+Once configured, log in to your server with any Matrix client, and register for an account with the registration token from step 3. You'll automatically be invited to the admin room where you can [manage your server](../reference/admin).

 ### (Optional) Building Custom Images

@@ -271,5 +269,4 @@ Note that using `CTRL+c` within `docker attach`'s context will forward the signa

 - For smooth federation, set up a caching resolver according to the [**DNS tuning guide**](../advanced/dns.mdx) (recommended)
 - To set up Audio/Video communication, see the [**Calls**](../calls.mdx) page.
- Consult the [Maintenance](../maintenance.mdx) page for guidance on maintaining your homeserver.
 - If you want to set up an appservice, take a look at the [**Appservice Guide**](../appservices.mdx).
@@ -260,7 +260,7 @@ Pick your own username and password!
 ```

 You can then open [a Matrix client][matrix-clients],
-enter your homeserver address, and register with the provided token.
+enter your homeserver address, and try to register with the provided token.
 By default, the first user is the instance's first admin. They will be added
 to the `#admin:example.com` room and be able to [issue admin commands](../reference/admin/index.md).

@@ -268,13 +268,9 @@ to the `#admin:example.com` room and be able to [issue admin commands](../refere

 ## How do I know it works?

-To check if your server can communicate with other homeservers,
-use an external testing tool:
-
- [Matrix Connectivity Tester](https://federationtester.mtrnord.blog/)
- [Matrix Federation Tester](https://federationtester.matrix.org/)
-
-If you can register your account but cannot join federated rooms, check your configuration
+To check if your server can communicate with other homeservers, use the
+[Matrix Federation Tester](https://federationtester.mtrnord.blog/). If you can
+register your account but cannot join federated rooms, check your configuration
 and verify that your federation endpoints are opened and forwarded correctly.

 As a quick health check, you can also use these cURL commands:
@@ -296,5 +292,4 @@ curl https://example.com/_matrix/client/versions

 - For smooth federation, set up a caching resolver according to the [**DNS tuning guide**](../advanced/dns.mdx) (recommended)
 - For Audio/Video call functionality see the [**Calls**](../calls.md) page.
- Consult the [Maintenance](../maintenance.mdx) page for guidance on maintaining your homeserver.
 - If you want to set up an appservice, take a look at the [**Appservice Guide**](../appservices.md).
@@ -6,10 +6,10 @@
            "message": "Welcome to Continuwuity! Important announcements about the project will appear here."
        },
        {
-            "id": 13,
-            "mention_room": true,
-            "date": "2026-05-08",
-            "message": "[v0.5.9](https://forgejo.ellis.link/continuwuation/continuwuity/releases/tag/v0.5.9) has been released, fixing a few low-severity federation-related vulnerabilities. It is recommended you read the changelog and update as soon as possible. There are no new features or other changes in this release, only related bugfixes. Deployments tracking the main branch should also update to the latest commit."
+            "id": 12,
+            "mention_room": false,
+            "date": "2026-04-24",
+            "message": "[v0.5.8](https://forgejo.ellis.link/continuwuation/continuwuity/releases/tag/v0.5.8) is out! This is a patch release which fixes a bug in 0.5.7's email support -- upgrade soon if you use that feature."
        }
    ]
 }
@@ -7,7 +7,7 @@ Admin commands allow server administrators to manage the server from within thei

 * All commands listed here may be used by server administrators in the admin room by sending them as messages.
 * If the `admin_escape_commands` configuration option is enabled, server administrators may run certain commands in public rooms by prefixing them with a single backslash. These commands will only run on _their_ homeserver, even if they are a member of another homeserver's admin room. Some sensitive commands cannot be used outside the admin room and will return an error.
-* All commands listed here may be used in the server's console, if it is enabled. Commands entered in the console do not require the `!admin` prefix.
+* All commands listed here may be used in the server's console, if it is enabled. Commands entered in the console do not require the `!admin` prefix. If Continuwuity is deployed via Docker, be sure to set the appropriate options detailed in [the Docker deployment guide](../../deploying/docker.mdx#accessing-the-servers-console) to enable access to the server's console.

 ## Categories

@@ -146,7 +146,7 @@ cargo clippy \
    --locked \
    --profile test \
    --no-default-features \
-    --features=console,systemd,element_hacks,direct_tls,perf_measurements,brotli_compression \
+    --features=console,systemd,element_hacks,direct_tls,perf_measurements,brotli_compression,blurhashing \
    --color=always \
    -- \
    -D warnings
@@ -3,11 +3,11 @@
    "advisory-db": {
      "flake": false,
      "locked": {
-        "lastModified": 1779575509,
-        "narHash": "sha256-wXKYURZz76ZC5lbuDA1oVQA/MxSB3pSJ1raF1HG0oIc=",
+        "lastModified": 1777645914,
+        "narHash": "sha256-P1T7QVQS13OvkXEuEhI91CLaQfyv6iqV9vW8IBLLDYg=",
        "owner": "rustsec",
        "repo": "advisory-db",
-        "rev": "831c50f4a4304068f125e603add6a8839f08b3eb",
+        "rev": "d6ba1f7070ba91f45efe372d68eb648be67d0417",
        "type": "github"
      },
      "original": {
@@ -18,11 +18,11 @@
    },
    "crane": {
      "locked": {
-        "lastModified": 1779130139,
-        "narHash": "sha256-BLrtr42azquO7MdGFU5a7KiMl3YpFlTeIXqy1fT5GlQ=",
+        "lastModified": 1777335812,
+        "narHash": "sha256-bEg5xoAxAwsyfnGhkEX7RJViTIBIYPd8ISg4O1c0HFc=",
        "owner": "ipetkov",
        "repo": "crane",
-        "rev": "edb38893982a3338972bb4a2ec7ce7c29ba10fd9",
+        "rev": "5e0fb2f64edff2822249f21293b8304dedaaf676",
        "type": "github"
      },
      "original": {
@@ -39,11 +39,11 @@
        "rust-analyzer-src": "rust-analyzer-src"
      },
      "locked": {
-        "lastModified": 1779612045,
-        "narHash": "sha256-+7lfNVnmXJDkiRYHd5NoNwYoyUcc0LcXPaIJqjO7VWM=",
+        "lastModified": 1777624102,
+        "narHash": "sha256-thSyElkje577x/kAbP72nHlfiFc1a+tCudskLPHXe9s=",
        "owner": "nix-community",
        "repo": "fenix",
-        "rev": "d7be747f0a65af378de515fc3cee131bf99a008f",
+        "rev": "4d81601e0b73f20d81d066754ad0e7d1e7f75a06",
        "type": "github"
      },
      "original": {
@@ -74,11 +74,11 @@
        "nixpkgs-lib": "nixpkgs-lib"
      },
      "locked": {
-        "lastModified": 1778716662,
-        "narHash": "sha256-m1Yf0wZ8j1OHjTc2UwHwyQRSnNeSgLJOd7q5Y45hzi4=",
+        "lastModified": 1775087534,
+        "narHash": "sha256-91qqW8lhL7TLwgQWijoGBbiD4t7/q75KTi8NxjVmSmA=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "f7c1a2d347e4c52d5fb8d10cb4d94b5884e546fb",
+        "rev": "3107b77cd68437b9a76194f0f7f9c55f2329ca5b",
        "type": "github"
      },
      "original": {
@@ -89,11 +89,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1779508470,
-        "narHash": "sha256-Ap9KJX+5xHIn3bPIpfNgT6MEXdAECECwo4/rmlQD74M=",
+        "lastModified": 1777268161,
+        "narHash": "sha256-bxrdOn8SCOv8tN4JbTF/TXq7kjo9ag4M+C8yzzIRYbE=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "29916453413845e54a65b8a1cf996842300cd299",
+        "rev": "1c3fe55ad329cbcb28471bb30f05c9827f724c76",
        "type": "github"
      },
      "original": {
@@ -105,11 +105,11 @@
    },
    "nixpkgs-lib": {
      "locked": {
-        "lastModified": 1777168982,
-        "narHash": "sha256-GOkGPcboWE9BmGCRMLX3worL4EMnsnG8MyKmXNeYuhQ=",
+        "lastModified": 1774748309,
+        "narHash": "sha256-+U7gF3qxzwD5TZuANzZPeJTZRHS29OFQgkQ2kiTJBIQ=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
-        "rev": "f5901329dade4a6ea039af1433fb087bd9c1fe14",
+        "rev": "333c4e0545a6da976206c74db8773a1645b5870a",
        "type": "github"
      },
      "original": {
@@ -132,11 +132,11 @@
    "rust-analyzer-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1779569060,
-        "narHash": "sha256-NSnk5D+3KEfRdbgPijs33N2RAKSG6A74SwfnynLcouo=",
+        "lastModified": 1777583169,
+        "narHash": "sha256-dVJ4+wrRKc8oIgp3rLOFSq1obt/sCKlXy3h47qof/w0=",
        "owner": "rust-lang",
        "repo": "rust-analyzer",
-        "rev": "987ea33645ab1c709b1df6823038abcb2fe8973e",
+        "rev": "aa64e4828a2bbba44463c1229a81c748d3cce583",
        "type": "github"
      },
      "original": {
@@ -5,11 +5,11 @@
  liburing,
  craneLib,
  pkg-config,
+  callPackage,
  rustPlatform,
  cargoExtraArgs ? "",
  rustflags ? "",
-  target_cpu ? null,
-  rocksdb,
+  rocksdb ? callPackage ./rocksdb.nix { },
  profile ? "release",
 }:
 let
@@ -39,10 +39,7 @@ let
      ROCKSDB_LIB_DIR = "${rocksdb}/lib";
      CARGO_PROFILE = profile;
      RUSTFLAGS = rustflags;
-    }
-    // (lib.optionalAttrs (target_cpu != null) {
-      TARGET_CPU = target_cpu;
-    });
+    };
  };
 in
 craneLib.buildPackage (
@@ -59,7 +56,7 @@ craneLib.buildPackage (
        ]
      }"

-      patchelf --set-rpath "$old_rpath:$extra_rpath" $out/bin/conduwuit
+      patchelf  --set-rpath "$old_rpath:$extra_rpath" $out/bin/conduwuit
    '';

    meta = {
@@ -15,7 +15,6 @@
        rocksdb = pkgs.callPackage ./rocksdb.nix { };
        default = pkgs.callPackage ./continuwuity.nix {
          inherit self craneLib;
-          inherit (self'.packages) rocksdb;
          # extra features via `cargoExtraArgs`
          cargoExtraArgs = "-F http3";
          # extra RUSTFLAGS via `rustflags`
@@ -23,13 +22,11 @@
          rustflags = "--cfg reqwest_unstable";
        };
        # users may also override this with other cargo profiles to build for other feature sets
-        # for features configuration see `default` package which enables http3 by default
-
-        # example: different compilation profile and different target_cpu
-        max-perf-haswell = self'.packages.default.override {
-          # compiles explicitly for haswell arch cpus
-          target_cpu = "haswell";
-          # compiles slower but with more thorough optimizations
+        #
+        # other examples include:
+        #
+        # - release-high-perf
+        max-perf = self'.packages.default.override {
          profile = "release-max-perf";
        };
      };
@@ -1,7 +1,5 @@
 {
-  # stdenv,
-  # enableJemalloc ? stdenv.hostPlatform.isLinux,
-  enableJemalloc ? false,
+  stdenv,
  rocksdb,
  fetchFromGitea,
  rust-jemalloc-sys-unprefixed,
@@ -15,16 +13,16 @@
  #
  # [1]: https://github.com/tikv/jemallocator/blob/ab0676d77e81268cd09b059260c75b38dbef2d51/jemalloc-sys/src/env.rs#L17
  jemalloc = rust-jemalloc-sys-unprefixed;
-  inherit enableJemalloc;
+  enableJemalloc = stdenv.hostPlatform.isLinux;
 }).overrideAttrs
  ({
-    version = "continuwuity-v0.5.0-unstable-2026-05-19";
+    version = "continuwuity-v0.5.0-unstable-2026-03-27";
    src = fetchFromGitea {
      domain = "forgejo.ellis.link";
      owner = "continuwuation";
      repo = "rocksdb";
-      rev = "3756b2b905e13216d8b56bcc783d814e7b073aff";
-      hash = "sha256-rSv4fr2bf9JJwdodgeuPCuceeh7k97KVxrAOC0wyPQY=";
+      rev = "463f47afceebfe088f6922420265546bd237f249";
+      hash = "sha256-1ef75IDMs5Hba4VWEyXPJb02JyShy5k4gJfzGDhopRk=";
    };

    # We have this already at https://forgejo.ellis.link/continuwuation/rocksdb/commit/a935c0273e1ba44eacf88ce3685a9b9831486155
@@ -16,7 +16,7 @@
            file = inputs.self + "/rust-toolchain.toml";

            # See also `rust-toolchain.toml`
-            sha256 = "sha256-gh/xTkxKHL4eiRXzWv8KP7vfjSk61Iq48x47BEDFgfk=";
+            sha256 = "sha256-sqSWJDUxc+zaz1nBWMAJKTAGBuGWP25GCftIOlCEAtA=";
          };
        in
        {
@@ -125,13 +125,13 @@
      }
    },
    "node_modules/@rsbuild/core": {
-      "version": "2.0.7",
-      "resolved": "https://registry.npmjs.org/@rsbuild/core/-/core-2.0.7.tgz",
-      "integrity": "sha512-LsBONEzsjzOAqO72ot39eI7g53zSfF9QuDXTu4ks8IUX+EZsxRSniQfc+1zVA6a6y3b9KUUtG96avoMLKbWklQ==",
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/@rsbuild/core/-/core-2.0.3.tgz",
+      "integrity": "sha512-2myp7jUgGen50saxW8OJD/eMVKp7HnuBN5MUzwRb6mDbRZZVpoorfI4LQqiGSBNjGLB6jltvx/R2yHmcmnchwg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@rspack/core": "~2.0.4",
+        "@rspack/core": "~2.0.1",
        "@swc/helpers": "^0.5.21"
      },
      "bin": {
@@ -169,28 +169,28 @@
      }
    },
    "node_modules/@rspack/binding": {
-      "version": "2.0.4",
-      "resolved": "https://registry.npmjs.org/@rspack/binding/-/binding-2.0.4.tgz",
-      "integrity": "sha512-/QeJDPUw/lWkBJESG264KA9u6/rAjvoJhKncU4rkTi5Ap45kue5HTgOzr0ufxKdd2Xl72fjFBuqlKmtFDD5LiQ==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding/-/binding-2.0.1.tgz",
+      "integrity": "sha512-ynV1gw4KqFtQ0P+ZZh76SUj49wBb2FuHW3zSmHverHWuxBhzvrZS6/dZ+fCFQG8bTTPtrPz0RQUTN3uEDbPVBQ==",
      "dev": true,
      "license": "MIT",
      "optionalDependencies": {
-        "@rspack/binding-darwin-arm64": "2.0.4",
-        "@rspack/binding-darwin-x64": "2.0.4",
-        "@rspack/binding-linux-arm64-gnu": "2.0.4",
-        "@rspack/binding-linux-arm64-musl": "2.0.4",
-        "@rspack/binding-linux-x64-gnu": "2.0.4",
-        "@rspack/binding-linux-x64-musl": "2.0.4",
-        "@rspack/binding-wasm32-wasi": "2.0.4",
-        "@rspack/binding-win32-arm64-msvc": "2.0.4",
-        "@rspack/binding-win32-ia32-msvc": "2.0.4",
-        "@rspack/binding-win32-x64-msvc": "2.0.4"
+        "@rspack/binding-darwin-arm64": "2.0.1",
+        "@rspack/binding-darwin-x64": "2.0.1",
+        "@rspack/binding-linux-arm64-gnu": "2.0.1",
+        "@rspack/binding-linux-arm64-musl": "2.0.1",
+        "@rspack/binding-linux-x64-gnu": "2.0.1",
+        "@rspack/binding-linux-x64-musl": "2.0.1",
+        "@rspack/binding-wasm32-wasi": "2.0.1",
+        "@rspack/binding-win32-arm64-msvc": "2.0.1",
+        "@rspack/binding-win32-ia32-msvc": "2.0.1",
+        "@rspack/binding-win32-x64-msvc": "2.0.1"
      }
    },
    "node_modules/@rspack/binding-darwin-arm64": {
-      "version": "2.0.4",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-darwin-arm64/-/binding-darwin-arm64-2.0.4.tgz",
-      "integrity": "sha512-0Q1QXFEsZfDc4opiDnb8q50KlBbC2VovViDaYlMJZBzvjAo325mh3itXPfz7YZ31M+TxRE7TUiJXH3ltiV1Hdg==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-darwin-arm64/-/binding-darwin-arm64-2.0.1.tgz",
+      "integrity": "sha512-CGFO5zmajD1Itch1lxAI7+gvKiagzyqXopHv/jHG9Su2WWQ2/Nhn2/rkSpdp6ptE9ri6+6tCOOahf099/v/Xog==",
      "cpu": [
        "arm64"
      ],
@@ -202,9 +202,9 @@
      ]
    },
    "node_modules/@rspack/binding-darwin-x64": {
-      "version": "2.0.4",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-darwin-x64/-/binding-darwin-x64-2.0.4.tgz",
-      "integrity": "sha512-oO5J2QYf7+H+aYRj85EiGrDOoDEE9EDDl7NgXv46iWvIF0wXowEHXqnjMFxHxRq2Vf6scT+0yYQX9blWcvMWAA==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-darwin-x64/-/binding-darwin-x64-2.0.1.tgz",
+      "integrity": "sha512-2vvBNBoS09/PurupBwSrlTZd8283o00B8v20ncsNUdEff41uCR/hzIrYoTIVWnVST+Gt5O1+cfcfORp397lajg==",
      "cpu": [
        "x64"
      ],
@@ -216,9 +216,9 @@
      ]
    },
    "node_modules/@rspack/binding-linux-arm64-gnu": {
-      "version": "2.0.4",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-2.0.4.tgz",
-      "integrity": "sha512-BEk6mIYBK4BihW9qXXITJORrVXecTlkRjrqhgefili4xjXtLdcUnxAm9sN/2oJ8m378n2h33qDh4gr2orPBFWQ==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-2.0.1.tgz",
+      "integrity": "sha512-uvNXk6ahE3AH3h2avnd1Mgno68YQpS4cfX1OkOGWIC/roL+NrOP2XVXV4yfVAoydPALDO7AfbIfN0QdmBK3rsA==",
      "cpu": [
        "arm64"
      ],
@@ -233,9 +233,9 @@
      ]
    },
    "node_modules/@rspack/binding-linux-arm64-musl": {
-      "version": "2.0.4",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-musl/-/binding-linux-arm64-musl-2.0.4.tgz",
-      "integrity": "sha512-Hyt3z1RwNcSMIoaoWLN4Hb/696/O5JPukf8rXQASvf2UkC+X3ij7tr+8lMSYi3Zysi1QL375CnT4fNoABEW0JA==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-musl/-/binding-linux-arm64-musl-2.0.1.tgz",
+      "integrity": "sha512-S/a6uN9PiZ5O/PjSqyIXhuRC1lVzeJkJV69NeLk5sIEUiDQ/aQGZG97uN+tluwpbo1tPbLJkdHYETfjspOX4Pg==",
      "cpu": [
        "arm64"
      ],
@@ -250,9 +250,9 @@
      ]
    },
    "node_modules/@rspack/binding-linux-x64-gnu": {
-      "version": "2.0.4",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-gnu/-/binding-linux-x64-gnu-2.0.4.tgz",
-      "integrity": "sha512-xHorBPBZAg0Pn9Q0k9dWZ9euowieDxcSOzQ9JhTCmhDY6wZH5M/kCBFlCs/OQeW5/NUArW3x3MwEdO/0QJHMxg==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-gnu/-/binding-linux-x64-gnu-2.0.1.tgz",
+      "integrity": "sha512-C13Kk0OkZiocZVj187Sf753UH6pDXnuEu6vzUvi3qv9ltibG1ki0H2Y8isXBYL2cHQOV+hk0g1S6/4z3TTB97A==",
      "cpu": [
        "x64"
      ],
@@ -267,9 +267,9 @@
      ]
    },
    "node_modules/@rspack/binding-linux-x64-musl": {
-      "version": "2.0.4",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-musl/-/binding-linux-x64-musl-2.0.4.tgz",
-      "integrity": "sha512-QLxEGUXofF0kVNU12Y2NT3Qi9lGs+WbnYpapVeb+2IXtrAXJfU7Rhy7lAp5GLMzYMQNrKKL9SVnTWKbODbNW9Q==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-musl/-/binding-linux-x64-musl-2.0.1.tgz",
+      "integrity": "sha512-TQsiBFpEDGkuvK9tNdGj/Uc+AIytzqhxXH/1jKU6M24cWB1DTw/Cx7DdrkCBDyq3129K3POLdujvbWCGqBzQUw==",
      "cpu": [
        "x64"
      ],
@@ -284,9 +284,9 @@
      ]
    },
    "node_modules/@rspack/binding-wasm32-wasi": {
-      "version": "2.0.4",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-wasm32-wasi/-/binding-wasm32-wasi-2.0.4.tgz",
-      "integrity": "sha512-YhN8HkiH46ONU9tm5dyoXDImDWGpU7E4SPqGI4OyAVF0445uIChurIUmTIOYcD6cg81GGeIjozWJOcb635Dcqw==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-wasm32-wasi/-/binding-wasm32-wasi-2.0.1.tgz",
+      "integrity": "sha512-wk3gyUgBW/ayP49bI54bkY8+EQnfBHxdoe9dz3oobSTZQc8AOWwmUUDEPltW8rUvPOM6dfHECTOUMnfaf2f5yA==",
      "cpu": [
        "wasm32"
      ],
@@ -300,9 +300,9 @@
      }
    },
    "node_modules/@rspack/binding-win32-arm64-msvc": {
-      "version": "2.0.4",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-2.0.4.tgz",
-      "integrity": "sha512-MUlYIz82xQRN0aoiXXyEBrNVUwiOSSFRi7nuCgUKduaSdlbPWzCY31IdtOygZ06LVp5JIGUEtyqSrjQq4FrMRw==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-2.0.1.tgz",
+      "integrity": "sha512-rHjLcy3VcAC3+x+PxH+gwhwv6tPe0JdXTNT5eAOs9wgZIM6T9p4wre49+K4Qy98+Fb7TTbLX0ObUitlOkGwTSA==",
      "cpu": [
        "arm64"
      ],
@@ -314,9 +314,9 @@
      ]
    },
    "node_modules/@rspack/binding-win32-ia32-msvc": {
-      "version": "2.0.4",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-ia32-msvc/-/binding-win32-ia32-msvc-2.0.4.tgz",
-      "integrity": "sha512-D7UcIFMzlY2yhhyuW4Ej15gBWmTwUM5DxuObl3Kv31qRv/pmV3MsqUeG5m2dqLbUxzqPH87qnp0cArbkJQ1b+w==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-ia32-msvc/-/binding-win32-ia32-msvc-2.0.1.tgz",
+      "integrity": "sha512-Ad1vVqMBBnd4T8rsORngu9sl2kyRTlS4kMlvFudjzl1X2UFArEDBe0YVGNN7ZvahM12CErUx2WiN8Sd8pb+qXQ==",
      "cpu": [
        "ia32"
      ],
@@ -328,9 +328,9 @@
      ]
    },
    "node_modules/@rspack/binding-win32-x64-msvc": {
-      "version": "2.0.4",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-x64-msvc/-/binding-win32-x64-msvc-2.0.4.tgz",
-      "integrity": "sha512-MnYKPfdrAEbtpKg/1SZ6cNtzreIRyQJK4APbxLLPXENdTH5QXQkaTjLMKEeJcJ51FRhI/+yNpOUm2oTHdCQ1Og==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-x64-msvc/-/binding-win32-x64-msvc-2.0.1.tgz",
+      "integrity": "sha512-oPM2Jtm7HOlmxl/aBfleAVlL6t9VeHx6WvEets7BBJMInemFXAQd4CErRqybf7rXutACzLeUWBOue4Jpd1/ykw==",
      "cpu": [
        "x64"
      ],
@@ -342,13 +342,13 @@
      ]
    },
    "node_modules/@rspack/core": {
-      "version": "2.0.4",
-      "resolved": "https://registry.npmjs.org/@rspack/core/-/core-2.0.4.tgz",
-      "integrity": "sha512-OuxdQeeKWQpNvFBRDOcnoSaQvp6E4APM/6JJMM/k0p6oL1TEFQVGdNu3VGY4mRAsebnNBXapMVMhj+v66Bn2pg==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/core/-/core-2.0.1.tgz",
+      "integrity": "sha512-lgfZiExh8kDR/3obgi3RQKwKG5av1Xf5qDN1aVde777W9pbmx0Pqvrww1qtNvJ+gobEjbrrn5HEZWYGe0VLmcA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@rspack/binding": "2.0.4"
+        "@rspack/binding": "2.0.1"
      },
      "engines": {
        "node": "^20.19.0 || >=22.12.0"
@@ -383,20 +383,20 @@
      }
    },
    "node_modules/@rspress/core": {
-      "version": "2.0.13",
-      "resolved": "https://registry.npmjs.org/@rspress/core/-/core-2.0.13.tgz",
-      "integrity": "sha512-lbaBA5eqh7wKdH98TUQEI+SfS3Z6YgaNCup3X+ttrYVLOrxN8PJvbedo6fFAcl+wP3XLy6D0pcnnzAgu8y3tdg==",
+      "version": "2.0.10",
+      "resolved": "https://registry.npmjs.org/@rspress/core/-/core-2.0.10.tgz",
+      "integrity": "sha512-DvoV7YUW538x0CVAGyYPKfjUHgEuq7Z8LZq1cpfUgBpA1DynFUK3Ls6spvdoAHAl3l0AN+xxOHpu/sRVhzqi/A==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@mdx-js/mdx": "^3.1.1",
        "@mdx-js/react": "^3.1.1",
-        "@rsbuild/core": "^2.0.7",
+        "@rsbuild/core": "^2.0.2",
        "@rsbuild/plugin-react": "~2.0.0",
-        "@rspress/shared": "2.0.13",
+        "@rspress/shared": "2.0.10",
        "@shikijs/rehype": "^4.0.2",
        "@types/unist": "^3.0.3",
-        "@unhead/react": "^2.1.15",
+        "@unhead/react": "^2.1.13",
        "body-scroll-lock": "4.0.0-beta.0",
        "clsx": "2.1.1",
        "copy-to-clipboard": "^3.3.3",
@@ -407,12 +407,12 @@
        "mdast-util-mdxjs-esm": "^2.0.1",
        "medium-zoom": "1.1.0",
        "nprogress": "^0.2.0",
-        "react": "^19.2.6",
-        "react-dom": "^19.2.6",
+        "react": "^19.2.5",
+        "react-dom": "^19.2.5",
        "react-lazy-with-preload": "^2.2.1",
        "react-reconciler": "0.33.0",
-        "react-render-to-markdown": "19.1.0",
-        "react-router-dom": "^7.15.1",
+        "react-render-to-markdown": "19.0.1",
+        "react-router-dom": "^7.13.2",
        "rehype-external-links": "^3.0.0",
        "rehype-raw": "^7.0.0",
        "remark-cjk-friendly": "^2.0.1",
@@ -436,9 +436,9 @@
      }
    },
    "node_modules/@rspress/plugin-client-redirects": {
-      "version": "2.0.13",
-      "resolved": "https://registry.npmjs.org/@rspress/plugin-client-redirects/-/plugin-client-redirects-2.0.13.tgz",
-      "integrity": "sha512-dP753ASTvH6eDtSEulcqq2lE/kTSdOWSCw0nzvXG+7atTWTHDp6z47uH3CGD8E78cBuKyEi4OH+U7V0EtCTc0Q==",
+      "version": "2.0.10",
+      "resolved": "https://registry.npmjs.org/@rspress/plugin-client-redirects/-/plugin-client-redirects-2.0.10.tgz",
+      "integrity": "sha512-ImOm3h/cbXiJXIvpwv3Wn9rM91xgdhKbD2WX+WlMlWO4AtQfKR4XFrVhIZZAkrt09eeotRIklA7nu8Nuzzzbsw==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -449,9 +449,9 @@
      }
    },
    "node_modules/@rspress/plugin-sitemap": {
-      "version": "2.0.13",
-      "resolved": "https://registry.npmjs.org/@rspress/plugin-sitemap/-/plugin-sitemap-2.0.13.tgz",
-      "integrity": "sha512-JtkNlxNuA7BzknKIrLvLQkSk0XVi7OXzrE76ma/cLvleccNWr8LGrHtrac4IrDr+HauK4WKTM2JaHGGHUdOUKw==",
+      "version": "2.0.10",
+      "resolved": "https://registry.npmjs.org/@rspress/plugin-sitemap/-/plugin-sitemap-2.0.10.tgz",
+      "integrity": "sha512-PZLig9+OlnyLcy6x9BlEqWSRef6TzDWB6Dlh2/hY41FtKlhyb7d7U56RGlLselWaQV54SHVa6H/y611A56ZI2g==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -462,26 +462,26 @@
      }
    },
    "node_modules/@rspress/shared": {
-      "version": "2.0.13",
-      "resolved": "https://registry.npmjs.org/@rspress/shared/-/shared-2.0.13.tgz",
-      "integrity": "sha512-LmDfr7+MDNWRBbxcNoWkW68A35oRonpDJq2Jlx3L8GCzG4sAsyd6Yw0DebTWAxx7hVOXGMf37nEf1J4aOLEZfg==",
+      "version": "2.0.10",
+      "resolved": "https://registry.npmjs.org/@rspress/shared/-/shared-2.0.10.tgz",
+      "integrity": "sha512-Kx10OAHWqi2jvW7ScmBUbkGjnwv4E6rEoelUchcL8It8nQ4nAVk0xvvES7m64knEon55zDbs8JQumCjbHu801Q==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@rsbuild/core": "^2.0.7",
+        "@rsbuild/core": "^2.0.2",
        "@shikijs/rehype": "^4.0.2",
        "unified": "^11.0.5"
      }
    },
    "node_modules/@shikijs/core": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/@shikijs/core/-/core-4.1.0.tgz",
-      "integrity": "sha512-jLJtSJeuFffqX6/inRE1zqU5aFv2hrszvYgq3OjbAgFRZiWv7abKMDdQzYxuSDfmUPQozZvI/kuy6VMTvnvqTQ==",
+      "version": "4.0.2",
+      "resolved": "https://registry.npmjs.org/@shikijs/core/-/core-4.0.2.tgz",
+      "integrity": "sha512-hxT0YF4ExEqB8G/qFdtJvpmHXBYJ2lWW7qTHDarVkIudPFE6iCIrqdgWxGn5s+ppkGXI0aEGlibI0PAyzP3zlw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@shikijs/primitive": "4.1.0",
-        "@shikijs/types": "4.1.0",
+        "@shikijs/primitive": "4.0.2",
+        "@shikijs/types": "4.0.2",
        "@shikijs/vscode-textmate": "^10.0.2",
        "@types/hast": "^3.0.4",
        "hast-util-to-html": "^9.0.5"
@@ -491,28 +491,28 @@
      }
    },
    "node_modules/@shikijs/engine-javascript": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/@shikijs/engine-javascript/-/engine-javascript-4.1.0.tgz",
-      "integrity": "sha512-YquhawCUgaBfhsS72e2Y/dI59gCBNPHu3fEO/tvLaXrTssxZrY5ddjtNLTwndrMgPo8b3IscE+xoICDzpTmlFQ==",
+      "version": "4.0.2",
+      "resolved": "https://registry.npmjs.org/@shikijs/engine-javascript/-/engine-javascript-4.0.2.tgz",
+      "integrity": "sha512-7PW0Nm49DcoUIQEXlJhNNBHyoGMjalRETTCcjMqEaMoJRLljy1Bi/EGV3/qLBgLKQejdspiiYuHGQW6dX94Nag==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@shikijs/types": "4.1.0",
+        "@shikijs/types": "4.0.2",
        "@shikijs/vscode-textmate": "^10.0.2",
-        "oniguruma-to-es": "^4.3.6"
+        "oniguruma-to-es": "^4.3.4"
      },
      "engines": {
        "node": ">=20"
      }
    },
    "node_modules/@shikijs/engine-oniguruma": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/@shikijs/engine-oniguruma/-/engine-oniguruma-4.1.0.tgz",
-      "integrity": "sha512-axLpjVs45YBvvINa+dJF+NPW+KtFkNXsFr4SDw2BMj9GdeMnGxVB9PQb2xXlJYovslt/nz6giedAyOANkfc7hg==",
+      "version": "4.0.2",
+      "resolved": "https://registry.npmjs.org/@shikijs/engine-oniguruma/-/engine-oniguruma-4.0.2.tgz",
+      "integrity": "sha512-UpCB9Y2sUKlS9z8juFSKz7ZtysmeXCgnRF0dlhXBkmQnek7lAToPte8DkxmEYGNTMii72zU/lyXiCB6StuZeJg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@shikijs/types": "4.1.0",
+        "@shikijs/types": "4.0.2",
        "@shikijs/vscode-textmate": "^10.0.2"
      },
      "engines": {
@@ -520,26 +520,26 @@
      }
    },
    "node_modules/@shikijs/langs": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/@shikijs/langs/-/langs-4.1.0.tgz",
-      "integrity": "sha512-nwOMruEkbgdZfQ/b8CgpNBVOpvG1k0N5tbmgiFeqsan401+x3ILqlzZJowSla4Agmq4hG2Uf2wh5jLTEhR8VSg==",
+      "version": "4.0.2",
+      "resolved": "https://registry.npmjs.org/@shikijs/langs/-/langs-4.0.2.tgz",
+      "integrity": "sha512-KaXby5dvoeuZzN0rYQiPMjFoUrz4hgwIE+D6Du9owcHcl6/g16/yT5BQxSW5cGt2MZBz6Hl0YuRqf12omRfUUg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@shikijs/types": "4.1.0"
+        "@shikijs/types": "4.0.2"
      },
      "engines": {
        "node": ">=20"
      }
    },
    "node_modules/@shikijs/primitive": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/@shikijs/primitive/-/primitive-4.1.0.tgz",
-      "integrity": "sha512-zx2/2Uwj2q9X3KSyYREEhXO23xBw5WUhP4orK2lE4r+t9JGITmEe0JH+wPmJhqHpOT2bRRs6lAL945+LDvOAGw==",
+      "version": "4.0.2",
+      "resolved": "https://registry.npmjs.org/@shikijs/primitive/-/primitive-4.0.2.tgz",
+      "integrity": "sha512-M6UMPrSa3fN5ayeJwFVl9qWofl273wtK1VG8ySDZ1mQBfhCpdd8nEx7nPZ/tk7k+TYcpqBZzj/AnwxT9lO+HJw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@shikijs/types": "4.1.0",
+        "@shikijs/types": "4.0.2",
        "@shikijs/vscode-textmate": "^10.0.2",
        "@types/hast": "^3.0.4"
      },
@@ -548,16 +548,16 @@
      }
    },
    "node_modules/@shikijs/rehype": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/@shikijs/rehype/-/rehype-4.1.0.tgz",
-      "integrity": "sha512-HQwltCcO2/UiFz44/8whyji4rP1VghLu++MgvQn+lQA8/gvuycGkay8DH8o8VAOvLBDKGOkBEw7cC1Cm33GObQ==",
+      "version": "4.0.2",
+      "resolved": "https://registry.npmjs.org/@shikijs/rehype/-/rehype-4.0.2.tgz",
+      "integrity": "sha512-cmPlKLD8JeojasNFoY64162ScpEdEdQUMuVodPCrv1nx1z3bjmGwoKWDruQWa/ejSznImlaeB0Ty6Q3zPaVQAA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@shikijs/types": "4.1.0",
+        "@shikijs/types": "4.0.2",
        "@types/hast": "^3.0.4",
        "hast-util-to-string": "^3.0.1",
-        "shiki": "4.1.0",
+        "shiki": "4.0.2",
        "unified": "^11.0.5",
        "unist-util-visit": "^5.1.0"
      },
@@ -566,22 +566,22 @@
      }
    },
    "node_modules/@shikijs/themes": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/@shikijs/themes/-/themes-4.1.0.tgz",
-      "integrity": "sha512-emCcTnUM7yO2wltYbaxm+yLvcCI4+h8XBKc4KmJ7EZUXoSGjcCHifkI//R4OFit9ewpg7H2/9tjOuXrT2v/Knw==",
+      "version": "4.0.2",
+      "resolved": "https://registry.npmjs.org/@shikijs/themes/-/themes-4.0.2.tgz",
+      "integrity": "sha512-mjCafwt8lJJaVSsQvNVrJumbnnj1RI8jbUKrPKgE6E3OvQKxnuRoBaYC51H4IGHePsGN/QtALglWBU7DoKDFnA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@shikijs/types": "4.1.0"
+        "@shikijs/types": "4.0.2"
      },
      "engines": {
        "node": ">=20"
      }
    },
    "node_modules/@shikijs/types": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/@shikijs/types/-/types-4.1.0.tgz",
-      "integrity": "sha512-3EQWX54fMpniOrDblzAhiwiJwpiTMW6+B9DWyUd9ska483tbayFYuw47UxwuPknI31bKnySfVQ/QW+jFL4rFdA==",
+      "version": "4.0.2",
+      "resolved": "https://registry.npmjs.org/@shikijs/types/-/types-4.0.2.tgz",
+      "integrity": "sha512-qzbeRooUTPnLE+sHD/Z8DStmaDgnbbc/pMrU203950aRqjX/6AFHeDYT+j00y2lPdz0ywJKx7o/7qnqTivtlXg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@@ -610,9 +610,9 @@
      }
    },
    "node_modules/@tybys/wasm-util": {
-      "version": "0.10.2",
-      "resolved": "https://registry.npmjs.org/@tybys/wasm-util/-/wasm-util-0.10.2.tgz",
-      "integrity": "sha512-RoBvJ2X0wuKlWFIjrwffGw1IqZHKQqzIchKaadZZfnNpsAYp2mM0h36JtPCjNDAHGgYez/15uMBpfGwchhiMgg==",
+      "version": "0.10.1",
+      "resolved": "https://registry.npmjs.org/@tybys/wasm-util/-/wasm-util-0.10.1.tgz",
+      "integrity": "sha512-9tTaPJLSiejZKx+Bmog4uSubteqTvFrVrURwkmHixBo0G4seD0zUxp98E1DzUBJxLQ3NPwXrGKDiVjwx/DpPsg==",
      "dev": true,
      "license": "MIT",
      "optional": true,
@@ -631,9 +631,9 @@
      }
    },
    "node_modules/@types/estree": {
-      "version": "1.0.9",
-      "resolved": "https://registry.npmjs.org/@types/estree/-/estree-1.0.9.tgz",
-      "integrity": "sha512-GhdPgy1el4/ImP05X05Uw4cw2/M93BCUmnEvWZNStlCzEKME4Fkk+YpoA5OiHNQmoS7Cafb8Xa3Pya8m1Qrzeg==",
+      "version": "1.0.8",
+      "resolved": "https://registry.npmjs.org/@types/estree/-/estree-1.0.8.tgz",
+      "integrity": "sha512-dWHzHa2WqEXI/O1E9OjrocMTKJl2mSrEolh1Iomrv6U+JuNwaHXsXx9bLu5gG7BUWFIN0skIQJQ/L1rIex4X6w==",
      "dev": true,
      "license": "MIT"
    },
@@ -682,9 +682,9 @@
      "license": "MIT"
    },
    "node_modules/@types/react": {
-      "version": "19.2.15",
-      "resolved": "https://registry.npmjs.org/@types/react/-/react-19.2.15.tgz",
-      "integrity": "sha512-eRwcGNHve+E8qtEQSSRl6urh+rFop4v8gm6O8rGv25CodbvFdLjA1vVQ1KkiFE0w0UPOnb8tDiFKL5lp0rtY5Q==",
+      "version": "19.2.14",
+      "resolved": "https://registry.npmjs.org/@types/react/-/react-19.2.14.tgz",
+      "integrity": "sha512-ilcTH/UniCkMdtexkoCN0bI7pMcJDvmQFPvuPvmEaYA/NSfFTAgdUSLAoVjaRJm7+6PvcM+q1zYOwS4wTYMF9w==",
      "dev": true,
      "license": "MIT",
      "peer": true,
@@ -700,20 +700,20 @@
      "license": "MIT"
    },
    "node_modules/@ungap/structured-clone": {
-      "version": "1.3.1",
-      "resolved": "https://registry.npmjs.org/@ungap/structured-clone/-/structured-clone-1.3.1.tgz",
-      "integrity": "sha512-mUFwbeTqrVgDQxFveS+df2yfap6iuP20NAKAsBt5jDEoOTDew+zwLAOilHCeQJOVSvmgCX4ogqIrA0mnyr08yQ==",
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/@ungap/structured-clone/-/structured-clone-1.3.0.tgz",
+      "integrity": "sha512-WmoN8qaIAo7WTYWbAZuG8PYEhn5fkz7dZrqTBZ7dtt//lL2Gwms1IcnQ5yHqjDfX8Ft5j4YzDM23f87zBfDe9g==",
      "dev": true,
      "license": "ISC"
    },
    "node_modules/@unhead/react": {
-      "version": "2.1.15",
-      "resolved": "https://registry.npmjs.org/@unhead/react/-/react-2.1.15.tgz",
-      "integrity": "sha512-5hfAaZ3XJq9JkspRzZdSPsMrXXA8v/SKiEOxZcN9L40o44byF/50bcQuOLgSSCAx8802mI5VG32KZXWTtsLu9Q==",
+      "version": "2.1.13",
+      "resolved": "https://registry.npmjs.org/@unhead/react/-/react-2.1.13.tgz",
+      "integrity": "sha512-gC48tNJ0UtbithkiKCc2WUlxbVVk5o171EtruS2w2hQUblfYFHzCPu2hljjT1e0tUHXXqN8EMv7mpxHddMB2sg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "unhead": "2.1.15"
+        "unhead": "2.1.13"
      },
      "funding": {
        "url": "https://github.com/sponsors/harlan-zw"
@@ -1150,9 +1150,9 @@
      "license": "Apache-2.0"
    },
    "node_modules/get-east-asian-width": {
-      "version": "1.6.0",
-      "resolved": "https://registry.npmjs.org/get-east-asian-width/-/get-east-asian-width-1.6.0.tgz",
-      "integrity": "sha512-QRbvDIbx6YklUe6RxeTeleMR0yv3cYH6PsPZHcnVn7xv7zO1BHN8r0XETu8n6Ye3Q+ahtSarc3WgtNWmehIBfA==",
+      "version": "1.5.0",
+      "resolved": "https://registry.npmjs.org/get-east-asian-width/-/get-east-asian-width-1.5.0.tgz",
+      "integrity": "sha512-CQ+bEO+Tva/qlmw24dCejulK5pMzVnUOFOijVogd3KQs07HnRIgp8TGipvCCRT06xeYEbpbgwaCxglFyiuIcmA==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -2753,9 +2753,9 @@
      }
    },
    "node_modules/react": {
-      "version": "19.2.6",
-      "resolved": "https://registry.npmjs.org/react/-/react-19.2.6.tgz",
-      "integrity": "sha512-sfWGGfavi0xr8Pg0sVsyHMAOziVYKgPLNrS7ig+ivMNb3wbCBw3KxtflsGBAwD3gYQlE/AEZsTLgToRrSCjb0Q==",
+      "version": "19.2.5",
+      "resolved": "https://registry.npmjs.org/react/-/react-19.2.5.tgz",
+      "integrity": "sha512-llUJLzz1zTUBrskt2pwZgLq59AemifIftw4aB7JxOqf1HY2FDaGDxgwpAPVzHU1kdWabH7FauP4i1oEeer2WCA==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -2763,16 +2763,16 @@
      }
    },
    "node_modules/react-dom": {
-      "version": "19.2.6",
-      "resolved": "https://registry.npmjs.org/react-dom/-/react-dom-19.2.6.tgz",
-      "integrity": "sha512-0prMI+hvBbPjsWnxDLxlCGyM8PN6UuWjEUCYmZhO67xIV9Xasa/r/vDnq+Xyq4Lo27g8QSbO5YzARu0D1Sps3g==",
+      "version": "19.2.5",
+      "resolved": "https://registry.npmjs.org/react-dom/-/react-dom-19.2.5.tgz",
+      "integrity": "sha512-J5bAZz+DXMMwW/wV3xzKke59Af6CHY7G4uYLN1OvBcKEsWOs4pQExj86BBKamxl/Ik5bx9whOrvBlSDfWzgSag==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "scheduler": "^0.27.0"
      },
      "peerDependencies": {
-        "react": "^19.2.6"
+        "react": "^19.2.5"
      }
    },
    "node_modules/react-lazy-with-preload": {
@@ -2809,9 +2809,9 @@
      }
    },
    "node_modules/react-render-to-markdown": {
-      "version": "19.1.0",
-      "resolved": "https://registry.npmjs.org/react-render-to-markdown/-/react-render-to-markdown-19.1.0.tgz",
-      "integrity": "sha512-dF9b3tO41ezqdmHP8X92kbHbMexJ6iC7iHw4ykC8fwiO7DgpFc9PhMoKlI+BcPzRxGcWgQSdrixVB9RykhjJpQ==",
+      "version": "19.0.1",
+      "resolved": "https://registry.npmjs.org/react-render-to-markdown/-/react-render-to-markdown-19.0.1.tgz",
+      "integrity": "sha512-BPv48o+ubcu2JyUDIktvJXFqLIZqR7hA4mvGu1eFIofz9fogT2me9UvXwRvqvGs9jEtNaJkxZIUKUX0oiK4hDA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@@ -2822,9 +2822,9 @@
      }
    },
    "node_modules/react-router": {
-      "version": "7.15.1",
-      "resolved": "https://registry.npmjs.org/react-router/-/react-router-7.15.1.tgz",
-      "integrity": "sha512-R8rl9HhgikFYoPJymnUtPXWbnDb3oget6lQnfIoupbt61aT9aOhRkDsY2XRhZRyX1Z/8a5sL74fXmFNm3NRK5A==",
+      "version": "7.14.2",
+      "resolved": "https://registry.npmjs.org/react-router/-/react-router-7.14.2.tgz",
+      "integrity": "sha512-yCqNne6I8IB6rVCH7XUvlBK7/QKyqypBFGv+8dj4QBFJiiRX+FG7/nkdAvGElyvVZ/HQP5N19wzteuTARXi5Gw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@@ -2845,13 +2845,13 @@
      }
    },
    "node_modules/react-router-dom": {
-      "version": "7.15.1",
-      "resolved": "https://registry.npmjs.org/react-router-dom/-/react-router-dom-7.15.1.tgz",
-      "integrity": "sha512-AzF62gjY6U9rkMq4RfP/r2EVtQ7DMfNMjyOp/flLTCrtRylLiK4wT4pSq6O8rOXZ2eXdZYJPEYe+ifomiv+Igg==",
+      "version": "7.14.2",
+      "resolved": "https://registry.npmjs.org/react-router-dom/-/react-router-dom-7.14.2.tgz",
+      "integrity": "sha512-YZcM5ES8jJSM+KrJ9BdvHHqlnGTg5tH3sC5ChFRj4inosKctdyzBDhOyyHdGk597q2OT6NTrCA1OvB/YDwfekQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "react-router": "7.15.1"
+        "react-router": "7.14.2"
      },
      "engines": {
        "node": ">=20.0.0"
@@ -3164,18 +3164,18 @@
      "license": "MIT"
    },
    "node_modules/shiki": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/shiki/-/shiki-4.1.0.tgz",
-      "integrity": "sha512-l/ABZPUR5v70jI10EzqfMS/I96vjSGv2y0ihUV+WYFzv0EfvW4s54m0Lg8wCrrL+2IkwBzFTuxkZjPf8b2NX9Q==",
+      "version": "4.0.2",
+      "resolved": "https://registry.npmjs.org/shiki/-/shiki-4.0.2.tgz",
+      "integrity": "sha512-eAVKTMedR5ckPo4xne/PjYQYrU3qx78gtJZ+sHlXEg5IHhhoQhMfZVzetTYuaJS0L2Ef3AcCRzCHV8T0WI6nIQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@shikijs/core": "4.1.0",
-        "@shikijs/engine-javascript": "4.1.0",
-        "@shikijs/engine-oniguruma": "4.1.0",
-        "@shikijs/langs": "4.1.0",
-        "@shikijs/themes": "4.1.0",
-        "@shikijs/types": "4.1.0",
+        "@shikijs/core": "4.0.2",
+        "@shikijs/engine-javascript": "4.0.2",
+        "@shikijs/engine-oniguruma": "4.0.2",
+        "@shikijs/langs": "4.0.2",
+        "@shikijs/themes": "4.0.2",
+        "@shikijs/types": "4.0.2",
        "@shikijs/vscode-textmate": "^10.0.2",
        "@types/hast": "^3.0.4"
      },
@@ -3290,9 +3290,9 @@
      }
    },
    "node_modules/unhead": {
-      "version": "2.1.15",
-      "resolved": "https://registry.npmjs.org/unhead/-/unhead-2.1.15.tgz",
-      "integrity": "sha512-MCt5T90mCWyr3Z6pUCdM9lVRXoMoVBlL7z7U4CYVIiaDiuzad/UCfLuMqz5MeNmpZUgoBCQnrucJimU7EZR+XA==",
+      "version": "2.1.13",
+      "resolved": "https://registry.npmjs.org/unhead/-/unhead-2.1.13.tgz",
+      "integrity": "sha512-jO9M1sI6b2h/1KpIu4Jeu+ptumLmUKboRRLxys5pYHFeT+lqTzfNHbYUX9bxVDhC1FBszAGuWcUVlmvIPsah8Q==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@@ -5,7 +5,7 @@
    "osvVulnerabilityAlerts": true,
    "lockFileMaintenance": {
        "enabled": true,
-        "schedule": ["* * * * 0,6"]
+        "schedule": ["at any time"]
    },
    "platformAutomerge": true,
    "nix": {
@@ -66,17 +66,6 @@
            "matchUpdateTypes": ["minor", "patch"],
            "groupName": "github-actions-non-major"
        },
-        {
-            "description": "Batch GitHub Actions digest updates",
-            "matchManagers": ["github-actions"],
-            "matchUpdateTypes": ["digest"],
-            "groupName": "github-actions-digest",
-            "automerge": true,
-            "automergeStrategy": "fast-forward",
-            "schedule": [
-              "* 0-7 * * 2"
-            ]
-        },
        {
            "description": "Batch patch-level Node.js dependency updates",
            "matchManagers": ["npm"],
@@ -94,10 +83,7 @@
            "matchPackageNames": ["crate-ci/typos"],
            "matchUpdateTypes": ["minor", "patch"],
            "automerge": true,
-            "automergeStrategy": "fast-forward",
-            "schedule": [
-              "* 0-7 * * 3"
-            ]
+            "automergeStrategy": "fast-forward"
        },
        {
            "description": "Auto-merge renovatebot docker image updates",
@@ -105,9 +91,7 @@
            "matchPackageNames": ["ghcr.io/renovatebot/renovate"],
            "automerge": true,
            "automergeStrategy": "fast-forward",
-            "schedule": [
-              "* 0-7 * * 1"
-            ]
+            "extends": ["schedule:earlyMondays"]
        }
    ],
    "customManagers": [
@@ -10,7 +10,7 @@

 [toolchain]
 profile = "minimal"
-channel = "1.95.0"
+channel = "1.92.0"
 components = [
    # For rust-analyzer
    "rust-src",
@@ -16,7 +16,7 @@ use crate::{
 };

 #[derive(Debug, Parser)]
-#[command(name = conduwuit_core::BRANDING, version = conduwuit_core::version())]
+#[command(name = conduwuit_core::name(), version = conduwuit_core::version())]
 pub enum AdminCommand {
 	#[command(subcommand)]
 	/// Commands for managing appservices
@@ -1,5 +1,5 @@
 use std::{
-	collections::{HashMap, HashSet},
+	collections::HashMap,
 	fmt::Write,
 	iter::once,
 	time::{Instant, SystemTime},
@@ -22,7 +22,7 @@ use futures::{FutureExt, StreamExt, TryStreamExt};
 use lettre::message::Mailbox;
 use ruma::{
 	CanonicalJsonObject, CanonicalJsonValue, EventId, OwnedEventId, OwnedRoomId,
-	OwnedRoomOrAliasId, OwnedServerName, RoomId, RoomVersionId, UInt,
+	OwnedRoomOrAliasId, OwnedServerName, RoomId, RoomVersionId,
 	api::federation::event::get_room_state, events::AnyStateEvent, serde::Raw,
 };
 use service::rooms::{
@@ -69,205 +69,6 @@ pub(super) async fn get_auth_chain(&self, event_id: OwnedEventId) -> Result {
 	self.write_str(&out).await
 }

-#[derive(Clone, Copy, Eq, PartialEq)]
-enum NodeStatus {
-	Normal(bool),
-	SoftFailed(bool),
-	Rejected(bool),
-}
-
-struct AuthChild {
-	node_id: String,
-	event_id: OwnedEventId,
-	depth: UInt,
-	ts: UInt,
-	first_seen: bool,
-	pdu: Option<PduEvent>,
-}
-
-fn render_node(
-	graph: &mut String,
-	node_id: &str,
-	event_id: &EventId,
-	name: &str,
-	status: NodeStatus,
-) -> Result {
-	let evt_str = event_id.to_string();
-
-	let status_label = match status {
-		| NodeStatus::Normal(false) => format!("{evt_str}: {name}"),
-		| NodeStatus::Normal(true) => format!("{evt_str}: {name} (missing locally)"),
-		| NodeStatus::SoftFailed(false) => format!("{evt_str}: {name} (soft-failed)"),
-		| NodeStatus::SoftFailed(true) =>
-			format!("{evt_str}: {name} (soft-failed & missing locally)"),
-		| NodeStatus::Rejected(false) => format!("{evt_str}: {name} (rejected)"),
-		| NodeStatus::Rejected(true) => format!("{evt_str}: {name} (rejected & missing locally)"),
-	};
-
-	writeln!(graph, "{node_id}[\"{}\"]", status_label.as_str())?;
-
-	match status {
-		| NodeStatus::Rejected(_) => writeln!(graph, "class {node_id} rejected;")?,
-		| NodeStatus::SoftFailed(_) => writeln!(graph, "class {node_id} soft_failed;")?,
-		| NodeStatus::Normal(_) => {},
-	}
-
-	Ok(())
-}
-
-#[admin_command]
-pub(super) async fn show_auth_chain(&self, event_id: OwnedEventId) -> Result {
-	let node_status = async |event_id: &EventId, missing: bool| -> NodeStatus {
-		if self
-			.services
-			.rooms
-			.pdu_metadata
-			.is_event_rejected(event_id)
-			.await
-		{
-			NodeStatus::Rejected(missing)
-		} else if self
-			.services
-			.rooms
-			.pdu_metadata
-			.is_event_soft_failed(event_id)
-			.await
-		{
-			NodeStatus::SoftFailed(missing)
-		} else {
-			NodeStatus::Normal(missing)
-		}
-	};
-
-	let Ok(root) = self.services.rooms.timeline.get_pdu(&event_id).await else {
-		return Err!("Event not found.");
-	};
-
-	let mut graph = String::from(
-		"```mermaid\n%% This is a mermaid graph. You can plug this output into\n\
-		%% https://mermaid.live/edit to visualise it on-the-fly.\nflowchart TD\n\
-		classDef rejected fill:#ffe5e5,stroke:#cc0000,stroke-width:2px,color:#000;\n\
-		classDef soft_failed fill:#fff6cc,stroke:#c9a400,stroke-width:2px,color:#000;\n"
-	);
-
-	let mut node_ids: HashMap<OwnedEventId, String> = HashMap::new();
-	let mut cached_events: HashMap<OwnedEventId, PduEvent> =
-		HashMap::from([(event_id.clone(), root.clone())]);
-	let mut scheduled: HashSet<OwnedEventId> = HashSet::from([event_id.clone()]);
-	let mut visited: HashSet<OwnedEventId> = HashSet::new();
-	let mut stack = vec![root];
-	let mut next_node_id = 0_usize;
-
-	let node_id_for = |event_id: &OwnedEventId,
-	                   node_ids: &mut HashMap<OwnedEventId, String>,
-	                   next_node_id: &mut usize| {
-		node_ids
-			.entry(event_id.clone())
-			.or_insert_with(|| {
-				let id = format!("n{}", *next_node_id);
-				*next_node_id = next_node_id.saturating_add(1);
-				id
-			})
-			.clone()
-	};
-	let node_name = |e: &PduEvent| {
-		if let Some(state_key) = e.state_key() {
-			format!("{},'{}'", e.event_type(), state_key)
-		} else {
-			format!("{}", e.event_type())
-		}
-	};
-
-	while let Some(event) = stack.pop() {
-		let current_event_id = event.event_id().to_owned();
-		if !visited.insert(current_event_id.clone()) {
-			continue;
-		}
-
-		let current_node_id = node_id_for(&current_event_id, &mut node_ids, &mut next_node_id);
-		let current_status = node_status(&current_event_id, false).await;
-
-		render_node(
-			&mut graph,
-			&current_node_id,
-			&current_event_id,
-			&node_name(&event),
-			current_status,
-		)?;
-
-		let mut children = Vec::with_capacity(event.auth_events.len());
-		for auth_event_id in event.auth_events().rev() {
-			let auth_event_id = auth_event_id.to_owned();
-			let auth_node_id = node_id_for(&auth_event_id, &mut node_ids, &mut next_node_id);
-			writeln!(graph, "{current_node_id} --> {auth_node_id}")?;
-
-			let first_seen = scheduled.insert(auth_event_id.clone());
-			let auth_pdu = if let Some(auth_pdu) = cached_events.get(&auth_event_id) {
-				// NOTE: events might be referenced multiple times (like the create event)
-				// so this saves some cheeky db lookup time
-				Some(auth_pdu.clone())
-			} else if first_seen {
-				match self.services.rooms.timeline.get_pdu(&auth_event_id).await {
-					| Ok(auth_event) => {
-						cached_events.insert(auth_event_id.clone(), auth_event.clone());
-						Some(auth_event)
-					},
-					| Err(_) => None,
-				}
-			} else {
-				None
-			};
-
-			// NOTE: Depth is used as the primary sorting key here, even though it has no
-			// bearing on state resolution or anything. Timestamp is used as a
-			// tiebreaker, failing back to lexicographical comparison.
-			let (depth, ts) = auth_pdu
-				.as_ref()
-				.map_or((UInt::MAX, UInt::MAX), |pdu| (pdu.depth, pdu.origin_server_ts));
-
-			children.push(AuthChild {
-				node_id: auth_node_id,
-				event_id: auth_event_id,
-				depth,
-				ts,
-				first_seen,
-				pdu: auth_pdu,
-			});
-		}
-
-		children.sort_by(|a, b| {
-			a.depth
-				.cmp(&b.depth)
-				.then(a.ts.cmp(&b.ts))
-				.then(a.event_id.as_str().cmp(b.event_id.as_str()))
-		});
-
-		for child in children.into_iter().rev() {
-			if !child.first_seen {
-				continue;
-			}
-
-			if let Some(child_pdu) = child.pdu {
-				// We have this PDU so will want to traverse it.
-				stack.push(child_pdu);
-			} else {
-				// We don't have this PDU locally so we can't traverse its auth events,
-				// but we can still render it as a node.
-				render_node(
-					&mut graph,
-					&child.node_id,
-					&child.event_id,
-					"",
-					node_status(&child.event_id, true).await,
-				)?;
-			}
-		}
-	}
-
-	graph.push_str("```\n");
-	self.write_str(&graph).await
-}
-
 #[admin_command]
 pub(super) async fn parse_pdu(&self) -> Result {
 	if self.body.len() < 2
@@ -310,31 +111,15 @@ pub(super) async fn get_pdu(&self, event_id: OwnedEventId) -> Result {
 		outlier = true;
 		pdu_json = self.services.rooms.timeline.get_pdu_json(&event_id).await;
 	}
-	let rejected = self
-		.services
-		.rooms
-		.pdu_metadata
-		.is_event_rejected(&event_id)
-		.await;
-	let soft_failed = self
-		.services
-		.rooms
-		.pdu_metadata
-		.is_event_soft_failed(&event_id)
-		.await;

 	match pdu_json {
 		| Err(_) => return Err!("PDU not found locally."),
 		| Ok(json) => {
 			let text = serde_json::to_string_pretty(&json)?;
-			let msg = if rejected {
-				"Rejected PDU:"
-			} else if soft_failed {
-				"Soft-failed PDU:"
-			} else if outlier {
-				"Outlier PDU:"
+			let msg = if outlier {
+				"Outlier (Rejected / Soft Failed) PDU found in our database"
 			} else {
-				"PDU:"
+				"PDU found in our database"
 			};
 			write!(self, "{msg}\n```json\n{text}\n```")
 		},
@@ -829,10 +614,6 @@ pub(super) async fn force_set_room_state_from_server(
 				.await;

 			state.insert(shortstatekey, pdu.event_id.clone());
-			self.services
-				.rooms
-				.pdu_metadata
-				.clear_pdu_markers(pdu.event_id());
 		}
 	}

@@ -850,10 +631,6 @@ pub(super) async fn force_set_room_state_from_server(
 			.rooms
 			.outlier
 			.add_pdu_outlier(&event_id, &value);
-		self.services
-			.rooms
-			.pdu_metadata
-			.clear_pdu_markers(&event_id);
 	}

 	info!("Resolving new room state");
@@ -885,7 +662,10 @@ pub(super) async fn force_set_room_state_from_server(
 		.force_state(room_id.clone().as_ref(), short_state_hash, added, removed, &state_lock)
 		.await?;

-	info!("Updating joined counts for room");
+	info!(
+		"Updating joined counts for room just in case (e.g. we may have found a difference in \
+		 the room's m.room.member state"
+	);
 	self.services
 		.rooms
 		.state_cache
@@ -17,21 +17,12 @@ pub enum DebugCommand {
 		message: Vec<String>,
 	},

-	/// Loads the auth_chain of a PDU, reporting how long it took.
+	/// Get the auth_chain of a PDU
 	GetAuthChain {
 		/// An event ID (the $ character followed by the base64 reference hash)
 		event_id: OwnedEventId,
 	},

-	/// Walks & displays the auth_chain of a PDU in a mermaid graph format.
-	///
-	/// This is useless to basically anyone but developers, and is also probably
-	/// slow and memory hungry.
-	ShowAuthChain {
-		/// The root event ID to start walking back from.
-		event_id: OwnedEventId,
-	},
-
 	/// Parse and print a PDU from a JSON
 	///
 	/// The PDU event is only checked for validity and is not added to the
@@ -102,6 +102,10 @@ pub(super) async fn remote_user_in_rooms(&self, user_id: OwnedUserId) -> Result
 		);
 	}

+	if !self.services.users.exists(&user_id).await {
+		return Err!("Remote user does not exist in our database.",);
+	}
+
 	let mut rooms: Vec<(OwnedRoomId, u64, String)> = self
 		.services
 		.rooms
@@ -1,8 +1,7 @@
 use clap::Subcommand;
 use conduwuit::Result;
-use conduwuit_database::Deserialized as _;
 use futures::StreamExt;
-use ruma::{OwnedRoomId, OwnedUserId, exports::serde::Serialize};
+use ruma::{OwnedRoomId, OwnedUserId};

 use crate::{admin_command, admin_command_dispatch};

@@ -59,22 +58,13 @@ async fn account_data_get(
 	room_id: Option<OwnedRoomId>,
 ) -> Result {
 	let timer = tokio::time::Instant::now();
-	let result = self
+	let results = self
 		.services
 		.account_data
 		.get_raw(room_id.as_deref(), &user_id, &kind)
 		.await;
 	let query_time = timer.elapsed();

-	let json = serde_json::to_string_pretty(&match room_id {
-		| None => result
-			.deserialized::<ruma::serde::Raw<ruma::events::AnyGlobalAccountDataEvent>>()?
-			.serialize(serde_json::value::Serializer)?,
-		| Some(_) => result
-			.deserialized::<ruma::serde::Raw<ruma::events::AnyRoomAccountDataEvent>>()?
-			.serialize(serde_json::value::Serializer)?,
-	})?;
-
-	self.write_str(&format!("Query completed in {query_time:?}:\n\n```rs\n{json}\n```"))
+	self.write_str(&format!("Query completed in {query_time:?}:\n\n```rs\n{results:#?}\n```"))
 		.await
 }
@@ -15,6 +15,10 @@ pub enum UsersCommand {

 	IterUsers2,

+	PasswordHash {
+		user_id: OwnedUserId,
+	},
+
 	ListDevices {
 		user_id: OwnedUserId,
 	},
@@ -231,6 +235,16 @@ async fn count_users(&self) -> Result {
 		.await
 }

+#[admin_command]
+async fn password_hash(&self, user_id: OwnedUserId) -> Result {
+	let timer = tokio::time::Instant::now();
+	let result = self.services.users.password_hash(&user_id).await;
+	let query_time = timer.elapsed();
+
+	self.write_str(&format!("Query completed in {query_time:?}:\n\n```rs\n{result:#?}\n```"))
+		.await
+}
+
 #[admin_command]
 async fn list_devices(&self, user_id: OwnedUserId) -> Result {
 	let timer = tokio::time::Instant::now();
@@ -30,37 +30,14 @@ pub(super) async fn issue_token(&self, expires: super::TokenExpires) -> Result {
 		.issue_token(self.sender_or_service_user().into(), expires);

 	self.write_str(&format!(
-		"New registration token issued: `{token}` . {}.",
+		"New registration token issued: `{token}`. {}.",
 		if let Some(expires) = info.expires {
 			format!("{expires}")
 		} else {
 			"Never expires".to_owned()
 		}
 	))
-	.await?;
-
-	if self
-		.services
-		.config
-		.oauth
-		.compatibility_mode
-		.oauth_available()
-	{
-		self.write_str(&format!(
-			"\nInvite link using this token: {}",
-			self.services
-				.config
-				.get_client_domain()
-				.join(&format!(
-					"{}/account/register/?flow=trusted&token={token}",
-					conduwuit::ROUTE_PREFIX
-				))
-				.unwrap()
-		))
-		.await?;
-	}
-
-	Ok(())
+	.await
 }

 #[admin_command]
@@ -1,10 +1,14 @@
-use std::collections::{BTreeMap, HashSet};
+use std::{
+	collections::{BTreeMap, HashSet},
+	fmt::Write as _,
+};

 use api::client::{
-	full_user_deactivate, leave_room, recreate_push_rules_and_return, remote_leave_room,
+	full_user_deactivate, join_room_by_id_helper, leave_room, recreate_push_rules_and_return,
+	remote_leave_room,
 };
 use conduwuit::{
-	Err, Result, debug_warn, info,
+	Err, Result, debug_warn, error, info,
 	matrix::{Event, pdu::PartialPdu},
 	utils::{self, ReadyExt},
 	warn,
@@ -20,7 +24,6 @@ use ruma::{
 		tag::{TagEvent, TagEventContent, TagInfo},
 	},
 };
-use service::users::HashedPassword;

 use crate::{
 	admin_command, get_room_info,
@@ -50,22 +53,128 @@ pub(super) async fn list_users(&self) -> Result {
 #[admin_command]
 pub(super) async fn create_user(&self, username: String, password: Option<String>) -> Result {
 	// Validate user id
-	let user_id = self
-		.services
+	let user_id = parse_local_user_id(self.services, &username)?;
+
+	if let Err(e) = user_id.validate_strict() {
+		if self.services.config.emergency_password.is_none() {
+			return Err!("Username {user_id} contains disallowed characters or spaces: {e}");
+		}
+	}
+
+	if self.services.users.exists(&user_id).await {
+		return Err!("User {user_id} already exists");
+	}
+
+	let password = password.unwrap_or_else(|| utils::random_string(AUTO_GEN_PASSWORD_LENGTH));
+
+	// Create user
+	self.services
 		.users
-		.determine_registration_user_id(Some(username), None, None)
+		.create(&user_id, Some(password.as_str()))
 		.await?;

-	let password = HashedPassword::new(
-		&password.unwrap_or_else(|| utils::random_string(AUTO_GEN_PASSWORD_LENGTH)),
-	)?;
+	// Default to pretty displayname
+	let mut displayname = user_id.localpart().to_owned();
+
+	// If `new_user_displayname_suffix` is set, registration will push whatever
+	// content is set to the user's display name with a space before it
+	if !self
+		.services
+		.server
+		.config
+		.new_user_displayname_suffix
+		.is_empty()
+	{
+		write!(displayname, " {}", self.services.server.config.new_user_displayname_suffix)?;
+	}

 	self.services
 		.users
-		.create_local_account(&user_id, password, None)
-		.await;
+		.set_displayname(&user_id, Some(displayname));

-	self.write_str(&format!("Created user {user_id}")).await
+	// Initial account data
+	self.services
+		.account_data
+		.update(
+			None,
+			&user_id,
+			ruma::events::GlobalAccountDataEventType::PushRules
+				.to_string()
+				.into(),
+			&serde_json::to_value(ruma::events::push_rules::PushRulesEvent::new(
+				ruma::events::push_rules::PushRulesEventContent::new(
+					ruma::push::Ruleset::server_default(&user_id),
+				),
+			))
+			.unwrap(),
+		)
+		.await?;
+
+	if !self.services.server.config.auto_join_rooms.is_empty() {
+		for room in &self.services.server.config.auto_join_rooms {
+			let Ok(room_id) = self.services.rooms.alias.resolve(room).await else {
+				error!(
+					%user_id,
+					"Failed to resolve room alias to room ID when attempting to auto join {room}, skipping"
+				);
+				continue;
+			};
+
+			if !self
+				.services
+				.rooms
+				.state_cache
+				.server_in_room(self.services.globals.server_name(), &room_id)
+				.await
+			{
+				warn!(
+					"Skipping room {room} to automatically join as we have never joined before."
+				);
+				continue;
+			}
+
+			if let Some(room_server_name) = room.server_name() {
+				match join_room_by_id_helper(
+					self.services,
+					&user_id,
+					&room_id,
+					Some("Automatically joining this room upon registration".to_owned()),
+					&[
+						self.services.globals.server_name().to_owned(),
+						room_server_name.to_owned(),
+					],
+					&None,
+				)
+				.await
+				{
+					| Ok(_response) => {
+						info!("Automatically joined room {room} for user {user_id}");
+					},
+					| Err(e) => {
+						// don't return this error so we don't fail registrations
+						error!(
+							"Failed to automatically join room {room} for user {user_id}: {e}"
+						);
+						self.services
+							.admin
+							.send_text(&format!(
+								"Failed to automatically join room {room} for user {user_id}: \
+								 {e}"
+							))
+							.await;
+					},
+				}
+			}
+		}
+	}
+
+	// we dont add a device since we're not the user, just the creator
+
+	// Make the first user to register an administrator and disable first-run mode.
+	self.services.firstrun.empower_first_user(&user_id).await?;
+
+	self.write_str(&format!("Created user with user_id: {user_id} and password: `{password}`"))
+		.await
 }

 #[admin_command]
@@ -165,13 +274,17 @@ pub(super) async fn reset_password(

 	let new_password = password.unwrap_or_else(|| utils::random_string(AUTO_GEN_PASSWORD_LENGTH));

-	self.services
+	match self
+		.services
 		.users
-		.set_password(&user_id, Some(HashedPassword::new(&new_password)?));
-
-	self.write_str(&format!(
-		"Successfully reset the password for user {user_id}: `{new_password}`"
-	))
+		.set_password(&user_id, Some(new_password.as_str()))
+		.await
+	{
+		| Err(e) => return Err!("Couldn't reset the password for user {user_id}: {e}"),
+		| Ok(()) => {
+			write!(self, "Successfully reset the password for user {user_id}: `{new_password}`")
+		},
+	}
 	.await?;

 	if logout {
@@ -191,6 +304,31 @@ pub(super) async fn reset_password(
 	Ok(())
 }

+#[admin_command]
+pub(super) async fn issue_password_reset_link(&self, username: String) -> Result {
+	use conduwuit_service::password_reset::{PASSWORD_RESET_PATH, RESET_TOKEN_QUERY_PARAM};
+
+	self.bail_restricted()?;
+
+	let mut reset_url = self
+		.services
+		.config
+		.get_client_domain()
+		.join(PASSWORD_RESET_PATH)
+		.unwrap();
+
+	let user_id = parse_local_user_id(self.services, &username)?;
+	let token = self.services.password_reset.issue_token(user_id).await?;
+	reset_url
+		.query_pairs_mut()
+		.append_pair(RESET_TOKEN_QUERY_PARAM, &token.token);
+
+	self.write_str(&format!("Password reset link issued for {username}: {reset_url}"))
+		.await?;
+
+	Ok(())
+}
+
 #[admin_command]
 pub(super) async fn deactivate_all(&self, no_leave_rooms: bool, force: bool) -> Result {
 	if self.body.len() < 2
@@ -293,82 +431,6 @@ pub(super) async fn deactivate_all(&self, no_leave_rooms: bool, force: bool) ->
 	.await
 }

-#[admin_command]
-pub(super) async fn list_invited_rooms(&self, user_id: String) -> Result {
-	// Validate user id
-	let user_id = parse_local_user_id(self.services, &user_id)?;
-
-	let mut rooms: Vec<((OwnedRoomId, u64, String), Result<OwnedUserId>)> = self
-		.services
-		.rooms
-		.state_cache
-		.rooms_invited(&user_id)
-		.then(async |(room_id, _)| {
-			let sender = self
-				.services
-				.rooms
-				.state_cache
-				.invite_sender(&user_id, &room_id)
-				.await;
-			(get_room_info(self.services, &room_id).await, sender)
-		})
-		.collect()
-		.await;
-
-	if rooms.is_empty() {
-		return Err!("User is not invited to any rooms.");
-	}
-
-	rooms.sort_by_key(|r| r.0.1);
-	rooms.reverse();
-
-	let body = rooms
-		.iter()
-		.map(|((id, members, name), sender)| match sender {
-			| Ok(user_id) =>
-				format!("{id}\tInviter: {user_id}\tMembers: {members}\tName: {name}"),
-			| Err(_) => format!("{id}\tMembers: {members}\tName: {name}"),
-		})
-		.collect::<Vec<_>>()
-		.join("\n");
-
-	self.write_str(&format!("Rooms {user_id} is Invited to ({}):\n```\n{body}\n```", rooms.len()))
-		.await
-}
-
-#[admin_command]
-pub(super) async fn reject_all_invites(&self, user_id: String) -> Result {
-	let user_id = parse_local_user_id(self.services, &user_id)?;
-
-	assert!(
-		self.services.globals.user_is_local(&user_id),
-		"Parsed user_id must be a local user"
-	);
-
-	let fails = self
-		.services
-		.rooms
-		.state_cache
-		.rooms_invited(&user_id)
-		.filter_map(async |(room_id, _)| {
-			match leave_room(self.services, &user_id, &room_id, None).await {
-				| Err(ref e) => {
-					warn!(%user_id, "Failed to leave {room_id}: {e}");
-					Some(())
-				},
-				| Ok(()) => None,
-			}
-		})
-		.count()
-		.await;
-
-	if fails > 0 {
-		return Err!("{fails} invites could not be rejected");
-	}
-
-	self.write_str("Successfully rejected all invites.").await
-}
-
 #[admin_command]
 pub(super) async fn list_joined_rooms(&self, user_id: String) -> Result {
 	// Validate user id
@@ -494,12 +556,15 @@ pub(super) async fn force_join_list_of_local_users(
 	let mut successful_joins: usize = 0;

 	for user_id in user_ids {
-		match self
-			.services
-			.rooms
-			.membership
-			.join_room(&user_id, &room_id, Some(String::from(BULK_JOIN_REASON)), &servers)
-			.await
+		match join_room_by_id_helper(
+			self.services,
+			&user_id,
+			&room_id,
+			Some(String::from(BULK_JOIN_REASON)),
+			&servers,
+			&None,
+		)
+		.await
 		{
 			| Ok(_res) => {
 				successful_joins = successful_joins.saturating_add(1);
@@ -575,12 +640,15 @@ pub(super) async fn force_join_all_local_users(
 		.collect::<Vec<_>>()
 		.await
 	{
-		match self
-			.services
-			.rooms
-			.membership
-			.join_room(user_id, &room_id, Some(String::from(BULK_JOIN_REASON)), &servers)
-			.await
+		match join_room_by_id_helper(
+			self.services,
+			user_id,
+			&room_id,
+			Some(String::from(BULK_JOIN_REASON)),
+			&servers,
+			&None,
+		)
+		.await
 		{
 			| Ok(_res) => {
 				successful_joins = successful_joins.saturating_add(1);
@@ -604,29 +672,20 @@ pub(super) async fn force_join_room(
 	&self,
 	user_id: String,
 	room_id: OwnedRoomOrAliasId,
-	via: Option<String>,
 ) -> Result {
 	let user_id = parse_local_user_id(self.services, &user_id)?;
-	let (room_id, mut servers) = self
+	let (room_id, servers) = self
 		.services
 		.rooms
 		.alias
 		.resolve_with_servers(&room_id, None)
 		.await?;
-	if let Some(via) = via.map(ServerName::parse).transpose()? {
-		servers.retain(|n| *n != via);
-		servers.insert(0, via);
-	}

 	assert!(
 		self.services.globals.user_is_local(&user_id),
 		"Parsed user_id must be a local user"
 	);
-	self.services
-		.rooms
-		.membership
-		.join_room(&user_id, &room_id, None, &servers)
-		.await?;
+	join_room_by_id_helper(self.services, &user_id, &room_id, None, &servers, &None).await?;

 	self.write_str(&format!("{user_id} has been joined to {room_id}."))
 		.await
@@ -29,6 +29,12 @@ pub enum UserCommand {
 		password: Option<String>,
 	},

+	/// Issue a self-service password reset link for a user.
+	IssuePasswordResetLink {
+		/// Username of the user who may use the link
+		username: String,
+	},
+
 	/// Get a user's associated email address.
 	GetEmail {
 		user_id: String,
@@ -154,17 +160,6 @@ pub enum UserCommand {
 	#[clap(alias = "list")]
 	ListUsers,

-	/// Lists all the rooms (local and remote) that the specified user is
-	///   invited to
-	ListInvitedRooms {
-		user_id: String,
-	},
-
-	/// Manually make a user reject all current invites
-	RejectAllInvites {
-		user_id: String,
-	},
-
 	/// Lists all the rooms (local and remote) that the specified user is
 	///   joined in
 	ListJoinedRooms {
@@ -173,15 +168,8 @@ pub enum UserCommand {

 	/// Manually join a local user to a room.
 	ForceJoinRoom {
-		/// The user to join
 		user_id: String,
-		/// The room to join
 		room_id: OwnedRoomOrAliasId,
-		/// The server name to join via.
-		///
-		/// This server will always be tried first, however if more are
-		/// available, they may be tried after.
-		via: Option<String>,
 	},

 	/// Manually leave a local user from a room.
@@ -48,7 +48,7 @@ pub(crate) fn parse_local_user_id(services: &Services, user_id: &str) -> Result<
 	Ok(user_id)
 }

-/// Parses user ID that is an active (not deactivated) local user
+/// Parses user ID that is an active (not guest or deactivated) local user
 pub(crate) async fn parse_active_local_user_id(
 	services: &Services,
 	user_id: &str,
@@ -24,9 +24,9 @@ use ruma::{
 		power_levels::RoomPowerLevelsEventContent,
 	},
 };
-use service::{mailer::messages, uiaa::UiaaInitiator, users::HashedPassword};
+use service::{mailer::messages, uiaa::Identity};

-use super::{DEVICE_ID_LENGTH, TOKEN_LENGTH};
+use super::{DEVICE_ID_LENGTH, TOKEN_LENGTH, join_room_by_id_helper};
 use crate::Ruma;

 pub(crate) mod register;
@@ -121,7 +121,7 @@ pub(crate) async fn change_password_route(
 				&body.auth,
 				vec![AuthFlow::new(vec![AuthType::Password])],
 				Box::default(),
-				Some(UiaaInitiator::new(user_id, body.sender_device())),
+				Some(Identity::from_user_id(user_id)),
 			)
 			.await?
 	} else {
@@ -150,7 +150,8 @@ pub(crate) async fn change_password_route(

 	services
 		.users
-		.set_password(&sender_user, Some(HashedPassword::new(&body.new_password)?));
+		.set_password(&sender_user, Some(&body.new_password))
+		.await?;

 	if body.logout_devices {
 		// Logout all devices except the current one
@@ -187,7 +188,7 @@ pub(crate) async fn change_password_route(
 	if services.server.config.admin_room_notices {
 		services
 			.admin
-			.notice(&format!("User {sender_user} changed their password."))
+			.notice(&format!("User {} changed their password.", &sender_user))
 			.await;
 	}

@@ -238,11 +239,19 @@ pub(crate) async fn request_password_change_token_via_email_route(
 ///
 /// Note: Also works for Application Services
 pub(crate) async fn whoami_route(
-	State(_): State<crate::State>,
+	State(services): State<crate::State>,
 	body: Ruma<whoami::v3::Request>,
 ) -> Result<whoami::v3::Response> {
-	Ok(assign!(whoami::v3::Response::new(body.sender_user().to_owned(), false), {
-		device_id: body.sender_device,
+	let is_guest = services
+		.users
+		.is_deactivated(body.sender_user())
+		.await
+		.map_err(|_| {
+			err!(Request(Forbidden("Application service has not registered this user.")))
+		})? && body.appservice_info.is_none();
+
+	Ok(assign!(whoami::v3::Response::new(body.sender_user().to_owned(), is_guest), {
+		device_id: body.sender_device.clone(),
 	}))
 }

@@ -270,17 +279,10 @@ pub(crate) async fn deactivate_route(
 		.as_ref()
 		.ok_or_else(|| err!(Request(MissingToken("Missing access token."))))?;

-	if !services.config.allow_deactivation {
-		return Err!(Request(Unauthorized(
-			"You may not deactivate your own account. Contact your server's administrator for \
-			 assistance."
-		)));
-	}
-
 	// Prompt the user to confirm with their password using UIAA
 	let _ = services
 		.uiaa
-		.authenticate_password(&body.auth, sender_user, body.sender_device(), None)
+		.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
 		.await?;

 	// Remove profile pictures and display name
@@ -329,6 +331,8 @@ pub(crate) async fn check_registration_token_validity(
 /// Runs through all the deactivation steps:
 ///
 /// - Mark as deactivated
+/// - Removing display name
+/// - Removing avatar URL and blurhash
 /// - Removing all profile data
 /// - Leaving all rooms (and forgets all of them)
 pub async fn full_user_deactivate(
@@ -1,30 +1,40 @@
-use std::collections::HashMap;
+use std::{collections::HashMap, fmt::Write};

 use axum::extract::State;
 use axum_client_ip::ClientIp;
 use conduwuit::{
-	Err, Result, debug_info, info,
+	Err, Result, debug_info, error, info,
 	utils::{self},
+	warn,
 };
 use conduwuit_service::Services;
-use futures::StreamExt;
+use futures::{FutureExt, StreamExt};
 use lettre::{Address, message::Mailbox};
+use register::RegistrationKind;
 use ruma::{
+	OwnedUserId, UserId,
 	api::client::{
 		account::{
-			register::{self, LoginType, RegistrationKind},
+			register::{self, LoginType},
 			request_registration_token_via_email,
 		},
 		uiaa::{AuthFlow, AuthType},
 	},
 	assign,
+	events::{
+		GlobalAccountDataEventType, push_rules::PushRulesEvent,
+		room::message::RoomMessageEventContent,
+	},
+	push,
 };
 use serde_json::value::RawValue;
-use service::{mailer::messages, users::HashedPassword};
+use service::mailer::messages;

-use super::{DEVICE_ID_LENGTH, TOKEN_LENGTH};
+use super::{DEVICE_ID_LENGTH, TOKEN_LENGTH, join_room_by_id_helper};
 use crate::Ruma;

+const RANDOM_USER_ID_LENGTH: usize = 10;
+
 /// # `POST /_matrix/client/v3/register`
 ///
 /// Register an account on this homeserver.
@@ -32,6 +42,16 @@ use crate::Ruma;
 /// You can use [`GET
 /// /_matrix/client/v3/register/available`](fn.get_register_available_route.
 /// html) to check if the user id is valid and available.
+///
+/// - Only works if registration is enabled
+/// - If type is guest: ignores all parameters except
+///   initial_device_display_name
+/// - If sender is not appservice: Requires UIAA (but we only use a dummy stage)
+/// - If type is not guest and no username is given: Always fails after UIAA
+///   check
+/// - Creates a new account and populates it with default account data
+/// - If `inhibit_login` is false: Creates a device and returns device id and
+///   access_token
 #[allow(clippy::doc_markdown)]
 #[tracing::instrument(skip_all, fields(%client), name = "register", level = "info")]
 pub(crate) async fn register_route(
@@ -39,9 +59,8 @@ pub(crate) async fn register_route(
 	ClientIp(client): ClientIp,
 	body: Ruma<register::v3::Request>,
 ) -> Result<register::v3::Response> {
-	if body.kind != RegistrationKind::User {
-		return Err!(Request(GuestAccessForbidden("Guests may not register on this server.")));
-	}
+	let is_guest = body.kind == RegistrationKind::Guest;
+	let emergency_mode_enabled = services.config.emergency_password.is_some();

 	// Allow registration if it's enabled in the config file or if this is the first
 	// run (so the first user account can be created)
@@ -49,73 +68,161 @@ pub(crate) async fn register_route(
 		services.config.allow_registration || services.firstrun.is_first_run();

 	if !allow_registration && body.appservice_info.is_none() {
-		info!(
-			?body.username,
-			?body.initial_device_display_name,
-			"Rejecting registration attempt as registration is disabled"
-		);
+		match (body.username.as_ref(), body.initial_device_display_name.as_ref()) {
+			| (Some(username), Some(device_display_name)) => {
+				info!(
+					%is_guest,
+					user = %username,
+					device_name = %device_display_name,
+					"Rejecting registration attempt as registration is disabled"
+				);
+			},
+			| (Some(username), _) => {
+				info!(
+					%is_guest,
+					user = %username,
+					"Rejecting registration attempt as registration is disabled"
+				);
+			},
+			| (_, Some(device_display_name)) => {
+				info!(
+					%is_guest,
+					device_name = %device_display_name,
+					"Rejecting registration attempt as registration is disabled"
+				);
+			},
+			| (None, _) => {
+				info!(
+					%is_guest,
+					"Rejecting registration attempt as registration is disabled"
+				);
+			},
+		}

 		return Err!(Request(Forbidden(
 			"This server is not accepting registrations at this time."
 		)));
 	}

-	let user_id = if body.body.login_type == Some(LoginType::ApplicationService) {
-		let Some(appservice_info) = &body.appservice_info else {
-			return Err!(Request(Forbidden(
-				"Only appservices can use the appservice login type."
-			)));
-		};
+	if is_guest && !services.config.allow_guest_registration {
+		info!(
+			"Guest registration disabled, rejecting guest registration attempt, initial device \
+			 name: \"{}\"",
+			body.initial_device_display_name.as_deref().unwrap_or("")
+		);
+		return Err!(Request(GuestAccessForbidden("Guest registration is disabled.")));
+	}

-		let user_id = services
-			.users
-			.determine_registration_user_id(body.username.clone(), None, Some(appservice_info))
-			.await?;
+	// forbid guests from registering if there is not a real admin user yet. give
+	// generic user error.
+	if is_guest && services.firstrun.is_first_run() {
+		warn!(
+			"Guest account attempted to register before a real admin user has been registered, \
+			 rejecting registration. Guest's initial device name: \"{}\"",
+			body.initial_device_display_name.as_deref().unwrap_or("")
+		);
+		return Err!(Request(Forbidden(
+			"This server is not accepting registrations at this time."
+		)));
+	}

-		services.users.create(&user_id, None).await?;
+	// Appeservices and guests get to skip auth
+	let skip_auth = body.appservice_info.is_some() || is_guest;

-		user_id
+	let identity = if skip_auth {
+		// Appservices and guests have no identity
+		None
 	} else {
 		// Perform UIAA to determine the user's identity
 		let (flows, params) = create_registration_uiaa_session(&services).await?;

-		let identity = services
-			.uiaa
-			.authenticate(&body.auth, flows, params, None)
-			.await?;
-
-		let password = if let Some(password) = &body.password {
-			HashedPassword::new(password)?
-		} else {
-			return Err!(Request(InvalidParam("A password must be provided.")));
-		};
-
-		let user_id = services
-			.users
-			.determine_registration_user_id(body.username.clone(), identity.email.as_ref(), None)
-			.await?;
-
-		services
-			.users
-			.create_local_account(&user_id, password, identity.email)
-			.await;
-
-		user_id
+		Some(
+			services
+				.uiaa
+				.authenticate(&body.auth, flows, params, None)
+				.await?,
+		)
 	};

-	let (token, device) = if !body.inhibit_login {
-		// If UIAA is disabled, we can't create a device. In that case only appservices
-		// can reach this point in the first place, so we return an error for them.
-		if !services.config.oauth.compatibility_mode.uiaa_available() {
-			return Err!(Request(AppserviceLoginUnsupported(
-				"User-interactive appservice registration is not available on this server."
-			)));
+	// If the user didn't supply a username but did supply an email, use
+	// the email's user as their initial localpart to avoid falling back to
+	// a randomly generated localpart
+	let supplied_username = body.username.clone().or_else(|| {
+		if let Some(identity) = &identity
+			&& let Some(email) = &identity.email
+		{
+			Some(email.user().to_owned())
+		} else {
+			None
 		}
+	});

-		// Generate new device id if the user didn't specify one
-		let device_id = body
-			.device_id
-			.clone()
+	let user_id = determine_registration_user_id(
+		&services,
+		supplied_username,
+		is_guest,
+		emergency_mode_enabled,
+	)
+	.await?;
+
+	if body.body.login_type == Some(LoginType::ApplicationService) {
+		// For appservice logins, make sure that the user ID is in the appservice's
+		// namespace
+
+		match body.appservice_info {
+			| Some(ref info) =>
+				if !info.is_user_match(&user_id) && !emergency_mode_enabled {
+					return Err!(Request(Exclusive(
+						"Username is not in an appservice namespace."
+					)));
+				},
+			| _ => {
+				return Err!(Request(MissingToken("Missing appservice token.")));
+			},
+		}
+	} else if services.appservice.is_exclusive_user_id(&user_id).await && !emergency_mode_enabled
+	{
+		// For non-appservice logins, ban user IDs which are in an appservice's
+		// namespace (unless emergency mode is enabled)
+		return Err!(Request(Exclusive("Username is reserved by an appservice.")));
+	}
+
+	let password = if is_guest { None } else { body.password.as_deref() };
+
+	// Create user
+	services.users.create(&user_id, password).await?;
+
+	// Set an initial display name
+	let mut displayname = user_id.localpart().to_owned();
+
+	// Apply the new user displayname suffix, if it's set
+	if !services.globals.new_user_displayname_suffix().is_empty()
+		&& body.appservice_info.is_none()
+	{
+		write!(displayname, " {}", services.server.config.new_user_displayname_suffix)?;
+	}
+
+	services
+		.users
+		.set_displayname(&user_id, Some(displayname.clone()));
+
+	// Initial account data
+	services
+		.account_data
+		.update(
+			None,
+			&user_id,
+			GlobalAccountDataEventType::PushRules.to_string().into(),
+			&serde_json::to_value(PushRulesEvent::new(
+				push::Ruleset::server_default(&user_id).into(),
+			))
+			.expect("should be able to serialize push rules"),
+		)
+		.await?;
+
+	// Generate new device id if the user didn't specify one
+	let (token, device) = if !body.inhibit_login {
+		let device_id = if is_guest { None } else { body.device_id.clone() }
 			.unwrap_or_else(|| utils::random_string(DEVICE_ID_LENGTH).into());

 		// Generate new token for the device
@@ -128,7 +235,6 @@ pub(crate) async fn register_route(
 				&user_id,
 				&device_id,
 				&new_token,
-				None,
 				body.initial_device_display_name.clone(),
 				Some(client.to_string()),
 			)
@@ -139,7 +245,151 @@ pub(crate) async fn register_route(
 		(None, None)
 	};

-	debug_info!(%user_id, ?device, "New account created via legacy registration");
+	debug_info!(%user_id, ?device, "User account was created");
+
+	// If the user registered with an email, associate it with their account.
+	if let Some(identity) = identity
+		&& let Some(email) = identity.email
+	{
+		// This may fail if the email is already in use, but we already check for that
+		// in `/requestToken`, so ignoring the error is acceptable here in the rare case
+		// that an email is sniped by another user between the `/requestToken` request
+		// and the `/register` request.
+		let _ = services
+			.threepid
+			.associate_localpart_email(user_id.localpart(), &email)
+			.await;
+	}
+
+	let device_display_name = body.initial_device_display_name.as_deref().unwrap_or("");
+
+	// log in conduit admin channel if a non-guest user registered
+	if body.appservice_info.is_none() && !is_guest {
+		if !device_display_name.is_empty() {
+			let notice = format!(
+				"New user \"{user_id}\" registered on this server from IP {client} and device \
+				 display name \"{device_display_name}\""
+			);
+
+			info!("{notice}");
+			if services.server.config.admin_room_notices {
+				services.admin.notice(&notice).await;
+			}
+		} else {
+			let notice = format!("New user \"{user_id}\" registered on this server.");
+
+			info!("{notice}");
+			if services.server.config.admin_room_notices {
+				services.admin.notice(&notice).await;
+			}
+		}
+	}
+
+	// log in conduit admin channel if a guest registered
+	if body.appservice_info.is_none() && is_guest && services.config.log_guest_registrations {
+		debug_info!("New guest user \"{user_id}\" registered on this server.");
+
+		if !device_display_name.is_empty() {
+			if services.server.config.admin_room_notices {
+				services
+					.admin
+					.notice(&format!(
+						"Guest user \"{user_id}\" with device display name \
+						 \"{device_display_name}\" registered on this server from IP {client}"
+					))
+					.await;
+			}
+		} else {
+			#[allow(clippy::collapsible_else_if)]
+			if services.server.config.admin_room_notices {
+				services
+					.admin
+					.notice(&format!(
+						"Guest user \"{user_id}\" with no device display name registered on \
+						 this server from IP {client}",
+					))
+					.await;
+			}
+		}
+	}
+
+	if !is_guest {
+		// Make the first user to register an administrator and disable first-run mode.
+		let was_first_user = services.firstrun.empower_first_user(&user_id).await?;
+
+		// If the registering user was not the first and we're suspending users on
+		// register, suspend them.
+		if !was_first_user && services.config.suspend_on_register {
+			// Note that we can still do auto joins for suspended users
+			services
+				.users
+				.suspend_account(&user_id, &services.globals.server_user)
+				.await;
+			// And send an @room notice to the admin room, to prompt admins to review the
+			// new user and ideally unsuspend them if deemed appropriate.
+			if services.server.config.admin_room_notices {
+				services
+					.admin
+					.send_loud_message(RoomMessageEventContent::text_plain(format!(
+						"User {user_id} has been suspended as they are not the first user on \
+						 this server. Please review and unsuspend them if appropriate."
+					)))
+					.await
+					.ok();
+			}
+		}
+	}
+
+	if body.appservice_info.is_none()
+		&& !services.server.config.auto_join_rooms.is_empty()
+		&& (services.config.allow_guests_auto_join_rooms || !is_guest)
+	{
+		for room in &services.server.config.auto_join_rooms {
+			let Ok(room_id) = services.rooms.alias.resolve(room).await else {
+				error!(
+					"Failed to resolve room alias to room ID when attempting to auto join \
+					 {room}, skipping"
+				);
+				continue;
+			};
+
+			if !services
+				.rooms
+				.state_cache
+				.server_in_room(services.globals.server_name(), &room_id)
+				.await
+			{
+				warn!(
+					"Skipping room {room} to automatically join as we have never joined before."
+				);
+				continue;
+			}
+
+			if let Some(room_server_name) = room.server_name() {
+				match join_room_by_id_helper(
+					&services,
+					&user_id,
+					&room_id,
+					Some("Automatically joining this room upon registration".to_owned()),
+					&[services.globals.server_name().to_owned(), room_server_name.to_owned()],
+					&body.appservice_info,
+				)
+				.boxed()
+				.await
+				{
+					| Err(e) => {
+						// don't return this error so we don't fail registrations
+						error!(
+							"Failed to automatically join room {room} for user {user_id}: {e}"
+						);
+					},
+					| _ => {
+						info!("Automatically joined room {room} for user {user_id}");
+					},
+				}
+			}
+		}
+	}

 	Ok(assign!(register::v3::Response::new(user_id), {
 		access_token: token,
@@ -211,21 +461,21 @@ async fn create_registration_uiaa_session(

 		// Require all users to agree to the terms and conditions, if configured
 		let terms = &services.config.registration_terms;
-		if !terms.documents.is_empty() {
-			let mut terms_map = HashMap::new();
+		if !terms.is_empty() {
+			let mut terms =
+				serde_json::to_value(terms.clone()).expect("failed to serialize terms");

-			for (id, document) in &terms.documents {
-				terms_map.insert(id.to_owned(), serde_json::json!({
-					terms.language.clone(): serde_json::to_value(document).expect("should be able to serialize document")
-				}));
+			// Insert a dummy `version` field
+			for (_, documents) in terms.as_object_mut().unwrap() {
+				let documents = documents.as_object_mut().unwrap();
+
+				documents.insert("version".to_owned(), "latest".into());
 			}

-			terms_map.insert("version".to_owned(), "latest".into());
-
 			params.insert(
 				AuthType::Terms.as_str().to_owned(),
 				serde_json::json!({
-					"policies": terms_map,
+					"policies": terms,
 				}),
 			);

@@ -258,6 +508,84 @@ async fn create_registration_uiaa_session(
 	Ok((flows, params))
 }

+async fn determine_registration_user_id(
+	services: &Services,
+	supplied_username: Option<String>,
+	is_guest: bool,
+	emergency_mode_enabled: bool,
+) -> Result<OwnedUserId> {
+	if let Some(supplied_username) = supplied_username
+		&& !is_guest
+	{
+		// The user gets to pick their username. Do some validation to make sure it's
+		// acceptable.
+
+		// Don't allow registration with forbidden usernames.
+		if services
+			.globals
+			.forbidden_usernames()
+			.is_match(&supplied_username)
+			&& !emergency_mode_enabled
+		{
+			return Err!(Request(Forbidden("Username is forbidden")));
+		}
+
+		// Create and validate the user ID
+		let user_id = match UserId::parse_with_server_name(
+			&supplied_username,
+			services.globals.server_name(),
+		) {
+			| Ok(user_id) => {
+				if let Err(e) = user_id.validate_strict() {
+					// Unless we are in emergency mode, we should follow synapse's behaviour on
+					// not allowing things like spaces and UTF-8 characters in usernames
+					if !emergency_mode_enabled {
+						return Err!(Request(InvalidUsername(debug_warn!(
+							"Username {supplied_username} contains disallowed characters or \
+							 spaces: {e}"
+						))));
+					}
+				}
+
+				// Don't allow registration with user IDs that aren't local
+				if !services.globals.user_is_local(&user_id) {
+					return Err!(Request(InvalidUsername(
+						"Username {supplied_username} is not local to this server"
+					)));
+				}
+
+				user_id
+			},
+			| Err(e) => {
+				return Err!(Request(InvalidUsername(debug_warn!(
+					"Username {supplied_username} is not valid: {e}"
+				))));
+			},
+		};
+
+		if services.users.exists(&user_id).await {
+			return Err!(Request(UserInUse("User ID is not available.")));
+		}
+
+		Ok(user_id)
+	} else {
+		// The user is a guest or didn't specify a username. Generate a username for
+		// them.
+
+		loop {
+			let user_id = UserId::parse_with_server_name(
+				utils::random_string(RANDOM_USER_ID_LENGTH).to_lowercase(),
+				services.globals.server_name(),
+			)
+			.unwrap();
+
+			if !services.users.exists(&user_id).await {
+				break Ok(user_id);
+			}
+		}
+	}
+}
+
 /// # `POST /_matrix/client/v3/register/email/requestToken`
 ///
 /// Requests a validation email for the purpose of registering a new account.
@@ -11,7 +11,7 @@ use ruma::{
 	},
 	thirdparty::{Medium, ThirdPartyIdentifierInit},
 };
-use service::mailer::messages;
+use service::{mailer::messages, uiaa::Identity};

 use crate::Ruma;

@@ -116,15 +116,14 @@ pub(crate) async fn add_3pid_route(
 	// Require password auth to add an email
 	let _ = services
 		.uiaa
-		.authenticate_password(&body.auth, sender_user, body.sender_device(), None)
+		.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
 		.await?;

 	let email = services
 		.threepid
-		.get_valid_session(&body.sid, &body.client_secret)
+		.consume_valid_session(&body.sid, &body.client_secret)
 		.await
-		.map_err(|message| err!(Request(ThreepidAuthFailed("{message}"))))?
-		.consume();
+		.map_err(|message| err!(Request(ThreepidAuthFailed("{message}"))))?;

 	services
 		.threepid
@@ -8,6 +8,7 @@ use ruma::{
 		self, delete_device, delete_devices, get_device, get_devices, update_device,
 	},
 };
+use service::uiaa::Identity;

 use crate::{Ruma, client::DEVICE_ID_LENGTH};

@@ -94,7 +95,6 @@ pub(crate) async fn update_device_route(
 					&device_id,
 					&appservice.registration.as_token,
 					None,
-					None,
 					Some(client.to_string()),
 				)
 				.await?;
@@ -126,7 +126,7 @@ pub(crate) async fn delete_device_route(
 		// Prompt the user to confirm with their password using UIAA
 		let _ = services
 			.uiaa
-			.authenticate_password(&body.auth, sender_user, body.sender_device(), None)
+			.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
 			.await?;
 	}

@@ -162,7 +162,7 @@ pub(crate) async fn delete_devices_route(
 		// Prompt the user to confirm with their password using UIAA
 		let _ = services
 			.uiaa
-			.authenticate_password(&body.auth, sender_user, body.sender_device(), None)
+			.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
 			.await?;
 	}

@@ -122,6 +122,16 @@ pub(crate) async fn set_room_visibility_route(
 		return Err!(Request(UserSuspended("You cannot perform this action while suspended.")));
 	}

+	if services
+		.users
+		.is_deactivated(sender_user)
+		.await
+		.unwrap_or(false)
+		&& body.appservice_info.is_none()
+	{
+		return Err!(Request(Forbidden("Guests cannot publish to room directories")));
+	}
+
 	if !user_can_publish_room(&services, sender_user, &body.room_id).await? {
 		return Err!(Request(Forbidden("User is not allowed to publish this room")));
 	}
@@ -26,7 +26,7 @@ use ruma::{
 	serde::Raw,
 };
 use serde_json::json;
-use service::oauth::OAuthTicket;
+use service::uiaa::Identity;

 use crate::Ruma;

@@ -204,12 +204,7 @@ pub(crate) async fn upload_signing_keys_route(
 	{
 		let _ = services
 			.uiaa
-			.authenticate_password(
-				&body.auth,
-				sender_user,
-				body.sender_device(),
-				Some(OAuthTicket::CrossSigningReset),
-			)
+			.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
 			.await?;
 	}

@@ -21,6 +21,7 @@ use ruma::{
 		},
 		media::create_content,
 	},
+	assign,
 };
 use service::media::mxc::Mxc;

@@ -75,7 +76,17 @@ pub(crate) async fn create_content_route(
 		return Err!(Request(Unknown("Failed to save uploaded media")));
 	}

-	Ok(create_content::v3::Response::new(mxc.to_string().into()))
+	let blurhash = body.generate_blurhash.then(|| {
+		services
+			.media
+			.create_blurhash(&body.file, content_type, filename)
+			.ok()
+			.flatten()
+	});
+
+	Ok(assign!(create_content::v3::Response::new(mxc.to_string().into()), {
+		blurhash: blurhash.flatten(),
+	}))
 }

 /// # `GET /_matrix/client/v1/media/thumbnail/{serverName}/{mediaId}`
@@ -247,6 +247,7 @@ pub(crate) async fn invite_helper(
 	let mut content = RoomMemberEventContent::new(MembershipState::Invite);
 	content.displayname = services.users.displayname(recipient_user).await.ok();
 	content.avatar_url = services.users.avatar_url(recipient_user).await.ok();
+	content.blurhash = services.users.blurhash(recipient_user).await.ok();
 	content.is_direct = Some(is_direct);
 	content.reason = reason;

@@ -1,18 +1,58 @@
+use std::{borrow::Borrow, collections::HashMap, iter::once, sync::Arc};
+
 use axum::extract::State;
 use axum_client_ip::ClientIp;
 use conduwuit::{
-	Err, Result, debug,
+	Err, Result, debug, debug_info, debug_warn, err, error, info, is_true,
+	matrix::{
+		StateKey,
+		event::{gen_event_id, gen_event_id_canonical_json},
+		pdu::{PartialPdu, PduEvent},
+		state_res,
+	},
 	result::FlatOk,
-	utils::{shuffle, stream::IterStream},
+	trace,
+	utils::{
+		self, shuffle,
+		stream::{IterStream, ReadyExt},
+		to_canonical_object,
+	},
+	warn,
 };
-use futures::{FutureExt, StreamExt};
+use futures::{FutureExt, StreamExt, TryFutureExt};
 use ruma::{
-	OwnedRoomId, OwnedServerName, OwnedUserId, UserId,
-	api::client::membership::{join_room_by_id, join_room_by_id_or_alias},
+	CanonicalJsonObject, CanonicalJsonValue, OwnedRoomId, OwnedServerName, OwnedUserId, RoomId,
+	RoomVersionId, UserId,
+	api::{
+		client::membership::{join_room_by_id, join_room_by_id_or_alias},
+		error::{ErrorKind, IncompatibleRoomVersionErrorData},
+		federation::{self},
+	},
+	canonical_json::to_canonical_value,
+	events::{
+		StateEventType,
+		room::{
+			join_rules::JoinRule,
+			member::{MembershipState, RoomMemberEventContent},
+		},
+	},
 };
+use service::{
+	Services,
+	appservice::RegistrationInfo,
+	rooms::{
+		state::RoomMutexGuard,
+		state_compressor::{CompressedState, HashSetCompressStateEvent},
+		timeline::pdu_fits,
+	},
+};
+use tokio::join;

-use super::banned_room_check;
-use crate::Ruma;
+use super::{banned_room_check, validate_remote_member_event_stub};
+use crate::{
+	Ruma,
+	server::{select_authorising_user, user_can_perform_restricted_join},
+};

 /// # `POST /_matrix/client/r0/rooms/{roomId}/join`
 ///
@@ -72,14 +112,16 @@ pub(crate) async fn join_room_by_id_route(
 	shuffle(&mut servers);
 	let servers = deprioritize(servers, &services.config.deprioritize_joins_through_servers);

-	let room_id = services
-		.rooms
-		.membership
-		.join_room(sender_user, &body.room_id, body.reason.clone(), &servers)
-		.boxed()
-		.await?;
-
-	Ok(join_room_by_id::v3::Response::new(room_id))
+	join_room_by_id_helper(
+		&services,
+		sender_user,
+		&body.room_id,
+		body.reason.clone(),
+		&servers,
+		&body.appservice_info,
+	)
+	.boxed()
+	.await
 }

 /// # `POST /_matrix/client/r0/join/{roomIdOrAlias}`
@@ -98,6 +140,7 @@ pub(crate) async fn join_room_by_id_or_alias_route(
 	body: Ruma<join_room_by_id_or_alias::v3::Request>,
 ) -> Result<join_room_by_id_or_alias::v3::Response> {
 	let sender_user = body.sender_user();
+	let appservice_info = &body.appservice_info;
 	let body = &body.body;
 	if services.users.is_suspended(sender_user).await? {
 		return Err!(Request(UserSuspended("You cannot perform this action while suspended.")));
@@ -192,14 +235,650 @@ pub(crate) async fn join_room_by_id_or_alias_route(
 	};

 	let servers = deprioritize(servers, &services.config.deprioritize_joins_through_servers);
-	let room_id = services
+	let join_room_response = join_room_by_id_helper(
+		&services,
+		sender_user,
+		&room_id,
+		body.reason.clone(),
+		&servers,
+		appservice_info,
+	)
+	.boxed()
+	.await?;
+
+	Ok(join_room_by_id_or_alias::v3::Response::new(join_room_response.room_id))
+}
+
+pub async fn join_room_by_id_helper(
+	services: &Services,
+	sender_user: &UserId,
+	room_id: &RoomId,
+	reason: Option<String>,
+	servers: &[OwnedServerName],
+	appservice_info: &Option<RegistrationInfo>,
+) -> Result<join_room_by_id::v3::Response> {
+	let state_lock = services.rooms.state.mutex.lock(room_id).await;
+
+	let user_is_guest = services
+		.users
+		.is_deactivated(sender_user)
+		.await
+		.unwrap_or(false)
+		&& appservice_info.is_none();
+
+	if user_is_guest && !services.rooms.state_accessor.guest_can_join(room_id).await {
+		return Err!(Request(Forbidden("Guests are not allowed to join this room")));
+	}
+
+	if services
 		.rooms
-		.membership
-		.join_room(sender_user, &room_id, body.reason.clone(), &servers)
+		.state_cache
+		.is_joined(sender_user, room_id)
+		.await
+	{
+		debug_warn!("{sender_user} is already joined in {room_id}");
+		return Ok(join_room_by_id::v3::Response::new(room_id.to_owned()));
+	}
+
+	if let Err(e) = services
+		.antispam
+		.user_may_join_room(
+			sender_user.to_owned(),
+			room_id.to_owned(),
+			services
+				.rooms
+				.state_cache
+				.is_invited(sender_user, room_id)
+				.await,
+		)
+		.await
+	{
+		warn!("Antispam prevented user {} from joining room {}: {}", sender_user, room_id, e);
+		return Err!(Request(Forbidden("You are not allowed to join this room.")));
+	}
+
+	let server_in_room = services
+		.rooms
+		.state_cache
+		.server_in_room(services.globals.server_name(), room_id)
+		.await;
+
+	// Only check our known membership if we're already in the room.
+	// See: https://forgejo.ellis.link/continuwuation/continuwuity/issues/855
+	let membership = if server_in_room {
+		services
+			.rooms
+			.state_accessor
+			.get_member(room_id, sender_user)
+			.await
+	} else {
+		debug!("Ignoring local state for join {room_id}, we aren't in the room yet.");
+		Ok(RoomMemberEventContent::new(MembershipState::Leave))
+	};
+	if let Ok(m) = membership {
+		if m.membership == MembershipState::Ban {
+			debug_warn!("{sender_user} is banned from {room_id} but attempted to join");
+			// TODO: return reason
+			return Err!(Request(Forbidden("You are banned from the room.")));
+		}
+	}
+
+	if !server_in_room && servers.is_empty() {
+		return Err!(Request(NotFound(
+			"No servers were provided to assist in joining the room remotely, and we are not \
+			 already participating in the room."
+		)));
+	}
+
+	if services.antispam.check_all_joins() {
+		if let Err(e) = services
+			.antispam
+			.meowlnir_accept_make_join(room_id.to_owned(), sender_user.to_owned())
+			.await
+		{
+			warn!("Antispam prevented user {} from joining room {}: {}", sender_user, room_id, e);
+			return Err!(Request(Forbidden("Antispam rejected join request.")));
+		}
+	}
+
+	if server_in_room {
+		join_room_by_id_helper_local(services, sender_user, room_id, reason, servers, state_lock)
+			.boxed()
+			.await?;
+	} else {
+		// Ask a remote server if we are not participating in this room
+		join_room_by_id_helper_remote(
+			services,
+			sender_user,
+			room_id,
+			reason,
+			servers,
+			state_lock,
+		)
 		.boxed()
 		.await?;
+	}
+	Ok(join_room_by_id::v3::Response::new(room_id.to_owned()))
+}

-	Ok(join_room_by_id_or_alias::v3::Response::new(room_id))
+#[tracing::instrument(skip_all, fields(%sender_user, %room_id), name = "join_remote", level = "info")]
+async fn join_room_by_id_helper_remote(
+	services: &Services,
+	sender_user: &UserId,
+	room_id: &RoomId,
+	reason: Option<String>,
+	servers: &[OwnedServerName],
+	state_lock: RoomMutexGuard,
+) -> Result {
+	info!("Joining {room_id} over federation.");
+
+	let (make_join_response, remote_server) =
+		make_join_request(services, sender_user, room_id, servers).await?;
+
+	info!("make_join finished");
+
+	let room_version = make_join_response.room_version.unwrap_or(RoomVersionId::V1);
+	let room_version_rules = room_version
+		.rules()
+		.expect("room version should have defined rules");
+
+	if !services.server.supported_room_version(&room_version) {
+		// How did we get here?
+		return Err!(BadServerResponse("Remote room version {room_version} is not supported"));
+	}
+
+	let mut join_event_stub: CanonicalJsonObject =
+		serde_json::from_str(make_join_response.event.get()).map_err(|e| {
+			err!(BadServerResponse(warn!(
+				"Invalid make_join event json received from server: {e:?}"
+			)))
+		})?;
+
+	let join_authorized_via_users_server = {
+		use RoomVersionId::*;
+		if !matches!(room_version, V1 | V2 | V3 | V4 | V5 | V6 | V7) {
+			join_event_stub
+				.get("content")
+				.map(|s| {
+					s.as_object()?
+						.get("join_authorised_via_users_server")?
+						.as_str()
+				})
+				.and_then(|s| OwnedUserId::try_from(s.unwrap_or_default()).ok())
+		} else {
+			None
+		}
+	};
+
+	join_event_stub.insert(
+		"origin_server_ts".to_owned(),
+		CanonicalJsonValue::Integer(
+			utils::millis_since_unix_epoch()
+				.try_into()
+				.expect("Timestamp is valid js_int value"),
+		),
+	);
+
+	let mut join_content = RoomMemberEventContent::new(MembershipState::Join);
+	join_content.displayname = services.users.displayname(sender_user).await.ok();
+	join_content.avatar_url = services.users.avatar_url(sender_user).await.ok();
+	join_content.blurhash = services.users.blurhash(sender_user).await.ok();
+	join_content.reason = reason;
+	join_content
+		.join_authorized_via_users_server
+		.clone_from(&join_authorized_via_users_server);
+
+	join_event_stub.insert(
+		"content".to_owned(),
+		to_canonical_value(join_content).expect("event is valid, we just created it"),
+	);
+
+	// Remove event id if it exists
+	join_event_stub.remove("event_id");
+
+	// In order to create a compatible ref hash (EventID) the `hashes` field needs
+	// to be present
+	services
+		.server_keys
+		.hash_and_sign_event(&mut join_event_stub, &room_version_rules)?;
+
+	// Generate event id
+	let event_id = gen_event_id(&join_event_stub, &room_version_rules)?;
+
+	// Add event_id back
+	join_event_stub
+		.insert("event_id".to_owned(), CanonicalJsonValue::String(event_id.clone().into()));
+
+	// It has enough fields to be called a proper event now
+	let mut join_event = join_event_stub;
+
+	info!("Asking {remote_server} for send_join in room {room_id}");
+	let send_join_request = federation::membership::create_join_event::v2::Request::new(
+		room_id.to_owned(),
+		event_id.clone(),
+		services
+			.sending
+			.convert_to_outgoing_federation_event(join_event.clone())
+			.await,
+	);
+
+	let send_join_response = match services
+		.sending
+		.send_synapse_request(&remote_server, send_join_request)
+		.await
+	{
+		| Ok(response) => response,
+		| Err(e) => {
+			error!("send_join failed: {e}");
+			return Err(e);
+		},
+	};
+
+	info!("send_join finished");
+
+	if join_authorized_via_users_server.is_some() {
+		if let Some(signed_raw) = &send_join_response.room_state.event {
+			debug_info!(
+				"There is a signed event with join_authorized_via_users_server. This room is \
+				 probably using restricted joins. Adding signature to our event"
+			);
+
+			let (signed_event_id, signed_value) =
+				gen_event_id_canonical_json(signed_raw, &room_version_rules).map_err(|e| {
+					err!(Request(BadJson(warn!(
+						"Could not convert event to canonical JSON: {e}"
+					))))
+				})?;
+
+			if signed_event_id != event_id {
+				return Err!(Request(BadJson(warn!(
+					%signed_event_id, %event_id,
+					"Server {remote_server} sent event with wrong event ID"
+				))));
+			}
+
+			match signed_value["signatures"]
+				.as_object()
+				.ok_or_else(|| {
+					err!(BadServerResponse(warn!(
+						"Server {remote_server} sent invalid signatures type"
+					)))
+				})
+				.and_then(|e| {
+					e.get(remote_server.as_str()).ok_or_else(|| {
+						err!(BadServerResponse(warn!(
+							"Server {remote_server} did not send its signature for a restricted \
+							 room"
+						)))
+					})
+				}) {
+				| Ok(signature) => {
+					join_event
+						.get_mut("signatures")
+						.expect("we created a valid pdu")
+						.as_object_mut()
+						.expect("we created a valid pdu")
+						.insert(remote_server.to_string(), signature.clone());
+				},
+				| Err(e) => {
+					warn!(
+						"Server {remote_server} sent invalid signature in send_join signatures \
+						 for event {signed_value:?}: {e:?}",
+					);
+				},
+			}
+		}
+	}
+
+	services
+		.rooms
+		.short
+		.get_or_create_shortroomid(room_id)
+		.await;
+
+	info!("Parsing join event");
+	let parsed_join_pdu = PduEvent::from_id_val(&event_id, join_event.clone())
+		.map_err(|e| err!(BadServerResponse("Invalid join event PDU: {e:?}")))?;
+
+	info!("Acquiring server signing keys for response events");
+	let resp_events = &send_join_response.room_state;
+	let resp_state = &resp_events.state;
+	let resp_auth = &resp_events.auth_chain;
+	services
+		.server_keys
+		.acquire_events_pubkeys(resp_auth.iter().chain(resp_state.iter()))
+		.await;
+
+	info!("Going through send_join response room_state");
+	let cork = services.db.cork_and_flush();
+	let state = send_join_response
+		.room_state
+		.state
+		.iter()
+		.stream()
+		.then(|pdu| {
+			services
+				.server_keys
+				.validate_and_add_event_id_no_fetch(pdu, &room_version_rules)
+				.inspect_err(|e| {
+					debug_warn!("Could not validate send_join response room_state event: {e:?}");
+				})
+				.inspect(|_| debug!("Completed validating send_join response room_state event"))
+		})
+		.ready_filter_map(Result::ok)
+		.fold(HashMap::new(), |mut state, (event_id, value)| async move {
+			let pdu = match PduEvent::from_id_val(&event_id, value.clone()) {
+				| Ok(pdu) => pdu,
+				| Err(e) => {
+					debug_warn!("Invalid PDU in send_join response: {e:?}: {value:#?}");
+					return state;
+				},
+			};
+			if !pdu_fits(&mut value.clone()) {
+				warn!(
+					"dropping incoming PDU {event_id} in room {room_id} from room join because \
+					 it exceeds 65535 bytes or is otherwise too large."
+				);
+				return state;
+			}
+			services.rooms.outlier.add_pdu_outlier(&event_id, &value);
+			if let Some(state_key) = &pdu.state_key {
+				let shortstatekey = services
+					.rooms
+					.short
+					.get_or_create_shortstatekey(&pdu.kind.to_string().into(), state_key)
+					.await;
+
+				state.insert(shortstatekey, pdu.event_id.clone());
+			}
+			state
+		})
+		.await;
+
+	drop(cork);
+
+	info!("Going through send_join response auth_chain");
+	let cork = services.db.cork_and_flush();
+	send_join_response
+		.room_state
+		.auth_chain
+		.iter()
+		.stream()
+		.then(|pdu| {
+			services
+				.server_keys
+				.validate_and_add_event_id_no_fetch(pdu, &room_version_rules)
+		})
+		.ready_filter_map(Result::ok)
+		.ready_for_each(|(event_id, value)| {
+			trace!(%event_id, "Adding PDU as an outlier from send_join auth_chain");
+			services.rooms.outlier.add_pdu_outlier(&event_id, &value);
+		})
+		.await;
+
+	drop(cork);
+
+	debug!("Running send_join auth check");
+	let fetch_state = &state;
+	let state_fetch = |k: StateEventType, s: StateKey| async move {
+		let shortstatekey = services.rooms.short.get_shortstatekey(&k, &s).await.ok()?;
+
+		let event_id = fetch_state.get(&shortstatekey)?;
+		services.rooms.timeline.get_pdu(event_id).await.ok()
+	};
+
+	let auth_check = state_res::event_auth::auth_check(
+		&room_version.rules().unwrap(),
+		&parsed_join_pdu,
+		None, // TODO: third party invite
+		|k, s| state_fetch(k.clone(), s.into()),
+		&state_fetch(StateEventType::RoomCreate, "".into())
+			.await
+			.expect("create event is missing from send_join auth"),
+	)
+	.await
+	.map_err(|e| err!(Request(Forbidden(warn!("Auth check failed: {e:?}")))))?;
+
+	if !auth_check {
+		return Err!(Request(Forbidden("Auth check failed")));
+	}
+
+	info!("Compressing state from send_join");
+	let compressed: CompressedState = services
+		.rooms
+		.state_compressor
+		.compress_state_events(state.iter().map(|(ssk, eid)| (ssk, eid.borrow())))
+		.collect()
+		.await;
+
+	debug!("Saving compressed state");
+	let HashSetCompressStateEvent {
+		shortstatehash: statehash_before_join,
+		added,
+		removed,
+	} = services
+		.rooms
+		.state_compressor
+		.save_state(room_id, Arc::new(compressed))
+		.await?;
+
+	debug!("Forcing state for new room");
+	services
+		.rooms
+		.state
+		.force_state(room_id, statehash_before_join, added, removed, &state_lock)
+		.await?;
+
+	debug!("Updating joined counts for new room");
+	services
+		.rooms
+		.state_cache
+		.update_joined_count(room_id)
+		.await;
+
+	// We append to state before appending the pdu, so we don't have a moment in
+	// time with the pdu without it's state. This is okay because append_pdu can't
+	// fail.
+	let statehash_after_join = services
+		.rooms
+		.state
+		.append_to_state(&parsed_join_pdu, room_id)
+		.await?;
+
+	info!("Appending new room join event");
+	services
+		.rooms
+		.timeline
+		.append_pdu(
+			&parsed_join_pdu,
+			join_event,
+			once(parsed_join_pdu.event_id.borrow()),
+			&state_lock,
+			room_id,
+		)
+		.await?;
+
+	info!("Setting final room state for new room");
+	// We set the room state after inserting the pdu, so that we never have a moment
+	// in time where events in the current room state do not exist
+	services
+		.rooms
+		.state
+		.set_room_state(room_id, statehash_after_join, &state_lock);
+
+	Ok(())
+}
+
+#[tracing::instrument(skip_all, fields(%sender_user, %room_id), name = "join_local", level = "info")]
+async fn join_room_by_id_helper_local(
+	services: &Services,
+	sender_user: &UserId,
+	room_id: &RoomId,
+	reason: Option<String>,
+	servers: &[OwnedServerName],
+	state_lock: RoomMutexGuard,
+) -> Result {
+	info!("Joining room locally");
+
+	let (room_version, join_rules, is_invited) = join!(
+		services.rooms.state.get_room_version(room_id),
+		services.rooms.state_accessor.get_join_rules(room_id),
+		services.rooms.state_cache.is_invited(sender_user, room_id)
+	);
+
+	let room_version = room_version?;
+	let mut auth_user: Option<OwnedUserId> = None;
+	if !is_invited && matches!(join_rules, JoinRule::Restricted(_) | JoinRule::KnockRestricted(_))
+	{
+		use RoomVersionId::*;
+		if !matches!(room_version, V1 | V2 | V3 | V4 | V5 | V6 | V7) {
+			// This is a restricted room, check if we can complete the join requirements
+			// locally.
+			let needs_auth_user =
+				user_can_perform_restricted_join(services, sender_user, room_id).await;
+			if needs_auth_user.is_ok_and(is_true!()) {
+				// If there was an error or the value is false, we'll try joining over
+				// federation. Since it's Ok(true), we can authorise this locally.
+				// If we can't select a local user, this will remain None, the join will fail,
+				// and we'll fall back to federation.
+				auth_user = select_authorising_user(services, room_id, sender_user, &state_lock)
+					.await
+					.ok();
+			}
+		}
+	}
+
+	let mut content = RoomMemberEventContent::new(MembershipState::Join);
+	content.displayname = services.users.displayname(sender_user).await.ok();
+	content.avatar_url = services.users.avatar_url(sender_user).await.ok();
+	content.blurhash = services.users.blurhash(sender_user).await.ok();
+	content.reason.clone_from(&reason);
+	content.join_authorized_via_users_server = auth_user;
+
+	// Try normal join first
+	let Err(error) = services
+		.rooms
+		.timeline
+		.build_and_append_pdu(
+			PartialPdu::state(sender_user.to_string(), &content),
+			sender_user,
+			Some(room_id),
+			&state_lock,
+		)
+		.await
+	else {
+		info!("Joined room locally");
+		return Ok(());
+	};
+
+	if servers.is_empty() || servers.len() == 1 && services.globals.server_is_ours(&servers[0]) {
+		if !services.rooms.metadata.exists(room_id).await {
+			return Err!(Request(
+				Unknown(
+					"Room was not found locally and no servers were found to help us discover it"
+				),
+				NOT_FOUND
+			));
+		}
+
+		return Err(error);
+	}
+
+	info!(
+		?error,
+		remote_servers = %servers.len(),
+		"Could not join room locally, attempting remote join",
+	);
+	join_room_by_id_helper_remote(services, sender_user, room_id, reason, servers, state_lock)
+		.await
+}
+
+async fn make_join_request(
+	services: &Services,
+	sender_user: &UserId,
+	room_id: &RoomId,
+	servers: &[OwnedServerName],
+) -> Result<(federation::membership::prepare_join_event::v1::Response, OwnedServerName)> {
+	let mut make_join_counter: usize = 1;
+
+	for remote_server in servers {
+		if services.globals.server_is_ours(remote_server) {
+			continue;
+		}
+		info!(
+			"Asking {remote_server} for make_join (attempt {make_join_counter}/{})",
+			servers.len()
+		);
+
+		let mut request = federation::membership::prepare_join_event::v1::Request::new(
+			room_id.to_owned(),
+			sender_user.to_owned(),
+		);
+		request.ver = services.server.supported_room_versions().collect();
+
+		let make_join_response = services
+			.sending
+			.send_federation_request(remote_server, request)
+			.await;
+
+		trace!("make_join response: {:?}", make_join_response);
+		make_join_counter = make_join_counter.saturating_add(1);
+
+		match make_join_response {
+			| Ok(response) => {
+				info!("Received make_join response from {remote_server}");
+				if let Err(e) = validate_remote_member_event_stub(
+					&MembershipState::Join,
+					sender_user,
+					room_id,
+					&to_canonical_object(&response.event)?,
+				) {
+					warn!("make_join response from {remote_server} failed validation: {e}");
+					continue;
+				}
+				return Ok((response, remote_server.clone()));
+			},
+			| Err(e) => match e.kind() {
+				| ErrorKind::UnableToAuthorizeJoin => {
+					info!(
+						"{remote_server} was unable to verify the joining user satisfied \
+						 restricted join requirements: {e}. Will continue trying."
+					);
+				},
+				| ErrorKind::UnableToGrantJoin => {
+					info!(
+						"{remote_server} believes the joining user satisfies restricted join \
+						 rules, but is unable to authorise a join for us. Will continue trying."
+					);
+				},
+				| ErrorKind::IncompatibleRoomVersion(IncompatibleRoomVersionErrorData {
+					room_version,
+					..
+				}) => {
+					warn!(
+						"{remote_server} reports the room we are trying to join is \
+						 v{room_version}, which we do not support."
+					);
+					return Err(e);
+				},
+				| ErrorKind::Forbidden => {
+					warn!("{remote_server} refuses to let us join: {e}.");
+					return Err(e);
+				},
+				| ErrorKind::NotFound => {
+					info!(
+						"{remote_server} does not know about {room_id}: {e}. Will continue \
+						 trying."
+					);
+				},
+				| _ => {
+					info!("{remote_server} failed to make_join: {e}. Will continue trying.");
+				},
+			},
+		}
+	}
+	info!("All {} servers were unable to assist in joining {room_id} :(", servers.len());
+	Err!(BadServerResponse("No server available to assist in joining."))
 }

 /// Moves deprioritized servers (if any) to the back of the list.
@@ -33,13 +33,12 @@ use ruma::{
 use service::{
 	Services,
 	rooms::{
-		membership::validate_remote_member_event_stub,
 		state::RoomMutexGuard,
 		state_compressor::{CompressedState, HashSetCompressStateEvent},
 	},
 };

-use super::banned_room_check;
+use super::{banned_room_check, join::join_room_by_id_helper, validate_remote_member_event_stub};
 use crate::Ruma;

 /// # `POST /_matrix/client/*/knock/{roomIdOrAlias}`
@@ -239,11 +238,15 @@ async fn knock_room_by_id_helper(
 			// join_room_by_id_helper We need to release the lock here and let
 			// join_room_by_id_helper acquire it again
 			drop(state_lock);
-			match services
-				.rooms
-				.membership
-				.join_room(sender_user, room_id, reason.clone(), servers)
-				.await
+			match join_room_by_id_helper(
+				services,
+				sender_user,
+				room_id,
+				reason.clone(),
+				servers,
+				&None,
+			)
+			.await
 			{
 				| Ok(_) => return Ok(knock_room::v3::Response::new(room_id.to_owned())),
 				| Err(e) => {
@@ -343,6 +346,7 @@ async fn knock_room_helper_local(
 	let mut content = RoomMemberEventContent::new(MembershipState::Knock);
 	content.displayname = services.users.displayname(sender_user).await.ok();
 	content.avatar_url = services.users.avatar_url(sender_user).await.ok();
+	content.blurhash = services.users.blurhash(sender_user).await.ok();
 	content.reason.clone_from(&reason.clone());

 	// Try normal knock first
@@ -526,6 +530,7 @@ async fn knock_room_helper_remote(
 	let mut knock_content = RoomMemberEventContent::new(MembershipState::Knock);
 	knock_content.displayname = services.users.displayname(sender_user).await.ok();
 	knock_content.avatar_url = services.users.avatar_url(sender_user).await.ok();
+	knock_content.blurhash = services.users.blurhash(sender_user).await.ok();
 	knock_content.reason = reason;

 	knock_event_stub.insert(
@@ -19,8 +19,9 @@ use ruma::{
 		room::member::{MembershipState, RoomMemberEventContent},
 	},
 };
-use service::{Services, rooms::membership::validate_remote_member_event_stub};
+use service::Services;

+use super::validate_remote_member_event_stub;
 use crate::Ruma;

 /// # `POST /_matrix/client/v3/rooms/{roomId}/leave`
@@ -13,10 +13,16 @@ use std::net::IpAddr;
 use axum::extract::State;
 use conduwuit::{Err, Result, warn};
 use futures::{FutureExt, StreamExt};
-use ruma::{OwnedRoomId, RoomId, ServerName, UserId, api::client::membership::joined_rooms};
+use ruma::{
+	CanonicalJsonObject, OwnedRoomId, RoomId, ServerName, UserId,
+	api::client::membership::joined_rooms,
+	events::{
+		StaticEventContent,
+		room::member::{MembershipState, RoomMemberEventContent},
+	},
+};
 use service::Services;

-pub use self::leave::{leave_all_rooms, leave_room, remote_leave_room};
 pub(crate) use self::{
 	ban::ban_user_route,
 	forget::forget_room_route,
@@ -28,6 +34,10 @@ pub(crate) use self::{
 	members::{get_member_events_route, joined_members_route},
 	unban::unban_user_route,
 };
+pub use self::{
+	join::join_room_by_id_helper,
+	leave::{leave_all_rooms, leave_room, remote_leave_room},
+};
 use crate::{Ruma, client::full_user_deactivate};

 /// # `POST /_matrix/client/r0/joined_rooms`
@@ -105,7 +115,11 @@ pub(crate) async fn banned_room_check(
 			return Err!(Request(Forbidden("This room is banned on this homeserver.")));
 		}
 	} else if let Some(server_name) = server_name {
-		if services.moderation.is_remote_server_forbidden(server_name) {
+		if services
+			.config
+			.forbidden_remote_server_names
+			.is_match(server_name.host())
+		{
 			warn!(
 				"User {user_id} who is not an admin tried joining a room which has the server \
 				 name {server_name} that is globally forbidden. Rejecting.",
@@ -145,3 +159,80 @@ pub(crate) async fn banned_room_check(

 	Ok(())
 }
+
+/// Validates that an event returned from a remote server by `/make_*`
+/// actually is a membership event with the expected fields.
+///
+/// Without checking this, the remote server could use the remote membership
+/// mechanism to trick our server into signing arbitrary malicious events.
+pub(crate) fn validate_remote_member_event_stub(
+	membership: &MembershipState,
+	user_id: &UserId,
+	room_id: &RoomId,
+	event_stub: &CanonicalJsonObject,
+) -> Result<()> {
+	let Some(event_type) = event_stub.get("type") else {
+		return Err!(BadServerResponse(
+			"Remote server returned member event with missing type field"
+		));
+	};
+	if event_type != &RoomMemberEventContent::TYPE {
+		return Err!(BadServerResponse(
+			"Remote server returned member event with invalid event type"
+		));
+	}
+
+	let Some(sender) = event_stub.get("sender") else {
+		return Err!(BadServerResponse(
+			"Remote server returned member event with missing sender field"
+		));
+	};
+	if sender != &user_id.as_str() {
+		return Err!(BadServerResponse(
+			"Remote server returned member event with incorrect sender"
+		));
+	}
+
+	let Some(state_key) = event_stub.get("state_key") else {
+		return Err!(BadServerResponse(
+			"Remote server returned member event with missing state_key field"
+		));
+	};
+	if state_key != &user_id.as_str() {
+		return Err!(BadServerResponse(
+			"Remote server returned member event with incorrect state_key"
+		));
+	}
+
+	let Some(event_room_id) = event_stub.get("room_id") else {
+		return Err!(BadServerResponse(
+			"Remote server returned member event with missing room_id field"
+		));
+	};
+	if event_room_id != &room_id.as_str() {
+		return Err!(BadServerResponse(
+			"Remote server returned member event with incorrect room_id"
+		));
+	}
+
+	let Some(content) = event_stub
+		.get("content")
+		.and_then(|content| content.as_object())
+	else {
+		return Err!(BadServerResponse(
+			"Remote server returned member event with missing content field"
+		));
+	};
+	let Some(event_membership) = content.get("membership") else {
+		return Err!(BadServerResponse(
+			"Remote server returned member event with missing membership field"
+		));
+	};
+	if event_membership != &membership.as_str() {
+		return Err!(BadServerResponse(
+			"Remote server returned member event with incorrect membership type"
+		));
+	}
+
+	Ok(())
+}
@@ -307,7 +307,7 @@ where
 	}

 	let sender_user = event.sender();
-	let type_ignored = IGNORED_MESSAGE_TYPES.contains(event.kind());
+	let type_ignored = IGNORED_MESSAGE_TYPES.binary_search(event.kind()).is_ok();
 	let server_ignored = services
 		.moderation
 		.is_remote_server_ignored(sender_user.server_name());
@@ -16,7 +16,6 @@ pub(super) mod media_legacy;
 pub(super) mod membership;
 pub(super) mod message;
 pub(super) mod mutual_rooms;
-pub(super) mod oauth;
 pub(super) mod openid;
 pub(super) mod presence;
 pub(super) mod profile;
@@ -59,10 +58,9 @@ pub(super) use keys::*;
 pub(super) use media::*;
 pub(super) use media_legacy::*;
 pub(super) use membership::*;
-pub use membership::{leave_all_rooms, leave_room, remote_leave_room};
+pub use membership::{join_room_by_id_helper, leave_all_rooms, leave_room, remote_leave_room};
 pub(super) use message::*;
 pub(super) use mutual_rooms::*;
-pub(super) use oauth::*;
 pub(super) use openid::*;
 pub(super) use presence::*;
 pub(super) use profile::*;
@@ -75,7 +73,6 @@ pub(super) use report::*;
 pub(super) use room::*;
 pub(super) use search::*;
 pub(super) use send::*;
-pub use session::handle_login;
 pub(super) use session::*;
 pub(super) use space::*;
 pub(super) use state::*;
@@ -21,6 +21,10 @@ pub(crate) async fn get_mutual_rooms_route(
 		return Err!(Request(Unknown("You cannot request rooms in common with yourself.")));
 	}

+	if !services.users.exists(&body.user_id).await {
+		return Ok(mutual_rooms::unstable::Response::new(vec![]));
+	}
+
 	let mutual_rooms = services
 		.rooms
 		.state_cache
@@ -1,56 +0,0 @@
-use axum::{
-	Json, Router,
-	extract::{Request, State},
-	middleware::{self, Next},
-	response::{IntoResponse, Response},
-	routing::method_routing::{get, post},
-};
-use const_str::concat;
-use http::StatusCode;
-use serde_json::json;
-pub(crate) use server_metadata::*;
-
-mod register_client;
-mod server_metadata;
-mod token;
-
-const BASE_PATH: &str = concat!(conduwuit_core::ROUTE_PREFIX, "/oauth2/");
-const AUTH_CODE_PATH: &str = "grant/authorization_code";
-const JWKS_URI_PATH: &str = "client/keys.json";
-const CLIENT_REGISTER_PATH: &str = "client/register";
-const TOKEN_REVOKE_PATH: &str = "client/revoke";
-const TOKEN_PATH: &str = "grant/token";
-const ACCOUNT_MANAGEMENT_PATH: &str = concat!(conduwuit_core::ROUTE_PREFIX, "/account/deeplink");
-
-pub(crate) fn router(state: crate::State) -> Router<crate::State> {
-	Router::new()
-		.nest(BASE_PATH, oauth_router())
-		.route(
-			"/.well-known/openid-configuration",
-			get(
-				// TODO(unspecced): used by old versions of the matrix-js-sdk
-				async |State(services): State<crate::State>| {
-					Json(authorization_server_metadata(&services).await)
-				},
-			),
-		)
-		.layer(middleware::from_fn_with_state(
-			state,
-			async |State(state): State<crate::State>, request: Request, next: Next| -> Response {
-				if state.config.oauth.compatibility_mode.oauth_available() {
-					next.run(request).await
-				} else {
-					(StatusCode::NOT_FOUND, "OAuth is unavailable on this server").into_response()
-				}
-			},
-		))
-}
-
-fn oauth_router() -> Router<crate::State> {
-	Router::new()
-		.route(concat!("/", CLIENT_REGISTER_PATH), post(register_client::register_client_route))
-		// TODO(unspecced): used by old versions of the matrix-js-sdk
-		.route(concat!("/", JWKS_URI_PATH), get(async || Json(json!({"keys": []}))))
-		.route(concat!("/", TOKEN_PATH), post(token::token_route))
-		.route(concat!("/", TOKEN_REVOKE_PATH), post(token::revoke_token_route))
-}
@@ -1,28 +0,0 @@
-use axum::{
-	Json,
-	extract::State,
-	response::{IntoResponse, Response},
-};
-use http::StatusCode;
-use serde::Serialize;
-use service::oauth::client_metadata::ClientMetadata;
-
-#[derive(Serialize)]
-struct RegisteredClient {
-	client_id: String,
-	#[serde(flatten)]
-	metadata: ClientMetadata,
-}
-
-pub(crate) async fn register_client_route(
-	State(services): State<crate::State>,
-	Json(metadata): Json<ClientMetadata>,
-) -> Result<Response, Response> {
-	let client_id = services
-		.oauth
-		.register_client(&metadata)
-		.await
-		.map_err(|err| (StatusCode::BAD_REQUEST, err.to_owned()).into_response())?;
-
-	Ok(Json(RegisteredClient { client_id, metadata }).into_response())
-}
@@ -1,62 +0,0 @@
-use axum::extract::State;
-use conduwuit::{Err, Result};
-use ruma::{
-	api::client::discovery::get_authorization_server_metadata::{
-		self, v1::AccountManagementAction,
-	},
-	serde::Raw,
-};
-use serde_json::{Value, json};
-use service::Services;
-
-use crate::{
-	Ruma,
-	client::oauth::{
-		ACCOUNT_MANAGEMENT_PATH, AUTH_CODE_PATH, CLIENT_REGISTER_PATH, JWKS_URI_PATH, TOKEN_PATH,
-		TOKEN_REVOKE_PATH,
-	},
-};
-
-pub(crate) async fn get_authorization_server_metadata_route(
-	State(services): State<crate::State>,
-	_body: Ruma<get_authorization_server_metadata::v1::Request>,
-) -> Result<get_authorization_server_metadata::v1::Response> {
-	if !services.config.oauth.compatibility_mode.oauth_available() {
-		return Err!(Request(Unrecognized("OAuth is unavailable on this server")));
-	}
-
-	let metadata = Raw::new(&authorization_server_metadata(&services).await).unwrap();
-
-	Ok(get_authorization_server_metadata::v1::Response::new(metadata.cast_unchecked()))
-}
-
-pub(crate) async fn authorization_server_metadata(services: &Services) -> Value {
-	let endpoint_base = services
-		.config
-		.get_client_domain()
-		.join(super::BASE_PATH)
-		.unwrap();
-
-	json!({
-		"account_management_uri": endpoint_base.join(ACCOUNT_MANAGEMENT_PATH).unwrap(),
-		"account_management_actions_supported": [
-			AccountManagementAction::AccountDeactivate,
-			AccountManagementAction::CrossSigningReset,
-			AccountManagementAction::DeviceDelete,
-			AccountManagementAction::DeviceView,
-			AccountManagementAction::DevicesList,
-			AccountManagementAction::Profile,
-		],
-		"authorization_endpoint": endpoint_base.join(AUTH_CODE_PATH).unwrap(),
-		"code_challenge_methods_supported": ["S256"],
-		"grant_types_supported": ["authorization_code", "refresh_token"],
-		"issuer": services.config.get_client_domain(),
-		"jwks_uri": endpoint_base.join(JWKS_URI_PATH).unwrap(),
-		"prompt_values_supported": ["create"],
-		"registration_endpoint": endpoint_base.join(CLIENT_REGISTER_PATH).unwrap(),
-		"response_modes_supported": ["query", "fragment"],
-		"response_types_supported": ["code"],
-		"revocation_endpoint": endpoint_base.join(TOKEN_REVOKE_PATH).unwrap(),
-		"token_endpoint": endpoint_base.join(TOKEN_PATH).unwrap(),
-	})
-}
@@ -1,23 +0,0 @@
-use axum::{Form, Json, extract::State, response::IntoResponse};
-use http::StatusCode;
-use service::oauth::grant::{RevokeTokenRequest, TokenRequest};
-
-pub(crate) async fn token_route(
-	State(services): State<crate::State>,
-	Form(request): Form<TokenRequest>,
-) -> impl IntoResponse {
-	match services.oauth.issue_token(request).await {
-		| Ok(response) => Ok(Json(response)),
-		| Err(err) => Err((StatusCode::BAD_REQUEST, err.message())),
-	}
-}
-
-pub(crate) async fn revoke_token_route(
-	State(services): State<crate::State>,
-	Form(request): Form<RevokeTokenRequest>,
-) -> impl IntoResponse {
-	match services.oauth.revoke_token(request.token).await {
-		| Ok(()) => Ok(StatusCode::OK),
-		| Err(err) => Err((StatusCode::BAD_REQUEST, err.message())),
-	}
-}
@@ -23,7 +23,8 @@ use crate::Ruma;

 /// # `GET /_matrix/client/v3/profile/{userId}`
 ///
-/// Returns the user's profile information.
+/// Returns the displayname, avatar_url, blurhash, and custom profile fields of
+/// the user.
 ///
 /// - If user is on another server and we do not have a local copy already,
 ///   fetch profile over federation.
@@ -321,15 +322,25 @@ async fn set_profile_field(
 			services.users.set_avatar_url(user_id, None);
 		},
 		| other =>
-			services
-				.users
-				.set_profile_key(user_id, other.field_name().as_str(), other.value()),
+			if other.field_name().as_str() == "blurhash" {
+				if let Some(Value::String(blurhash)) = other.value() {
+					services.users.set_blurhash(user_id, Some(blurhash));
+				} else {
+					services.users.set_blurhash(user_id, None);
+				}
+			} else {
+				services.users.set_profile_key(
+					user_id,
+					other.field_name().as_str(),
+					other.value(),
+				);
+			},
 	}

 	// If the user is local and changed their displayname or avatar_url, update it
 	// in all their joined rooms
 	if matches!(field_name, ProfileFieldName::AvatarUrl | ProfileFieldName::DisplayName)
-		&& services.globals.user_is_local(user_id)
+		&& services.users.is_active_local(user_id).await
 	{
 		let displayname = services.users.displayname(user_id).await.ok();
 		let avatar_url = services.users.avatar_url(user_id).await.ok();
@@ -219,14 +219,14 @@ async fn is_event_report_valid(
 fn build_report(report: Report) -> RoomMessageEventContent {
 	let mut text =
 		format!("@room New {} report received from {}:\n\n", report.report_type, report.sender);
-	if let Some(user_id) = report.user_id {
-		let _ = writeln!(text, "- Reported User ID: `{user_id}`");
+	if report.user_id.is_some() {
+		let _ = writeln!(text, "- Reported User ID: `{}`", report.user_id.unwrap());
 	}
-	if let Some(room_id) = report.room_id {
-		let _ = writeln!(text, "- Reported Room ID: `{room_id}`");
+	if report.room_id.is_some() {
+		let _ = writeln!(text, "- Reported Room ID: `{}`", report.room_id.unwrap());
 	}
-	if let Some(event_id) = report.event_id {
-		let _ = writeln!(text, "- Reported Event ID: `{event_id}`");
+	if report.event_id.is_some() {
+		let _ = writeln!(text, "- Reported Event ID: `{}`", report.event_id.unwrap());
 	}
 	let _ = writeln!(text, "- Report Reason: {}", report.reason);

@@ -10,7 +10,7 @@ use conduwuit_service::{Services, appservice::RegistrationInfo};
 use futures::FutureExt;
 use ruma::{
 	CanonicalJsonObject, CanonicalJsonValue, Int, MilliSecondsSinceUnixEpoch, OwnedRoomAliasId,
-	OwnedUserId, RoomAliasId, RoomId, RoomVersionId, UserId,
+	OwnedRoomId, OwnedUserId, RoomAliasId, RoomId, RoomVersionId, UserId,
 	api::client::room::{self, create_room},
 	assign,
 	events::{
@@ -24,7 +24,6 @@ use ruma::{
 			member::{MembershipState, RoomMemberEventContent},
 			name::RoomNameEventContent,
 			power_levels::RoomPowerLevelsEventContent,
-			server_acl::RoomServerAclEventContent,
 			topic::RoomTopicEventContent,
 		},
 	},
@@ -87,41 +86,25 @@ pub(crate) async fn create_room_route(
 	};
 	let room_version_rules = room_version.rules().unwrap();

-	// For custom room IDs, if the user is creating a room with a v1 room ID format,
-	// we can just use that ID directly. However, if it's a custom *v2* room ID, we
-	// need to make sure that we don't generate one, which would in turn trick us
-	// into generating invalid v2 room events.
-	//
-	// expect_room_id is the custom room ID that the user is expecting - for v2
-	// formatted rooms, we check that the m.room.create event's generated room ID
-	// exactly matches this, and abort if it doesn't. Otherwise, we use it as the
-	// room ID itself.
-	let expect_room_id = {
-		let body_ref = body.json_body.as_ref().unwrap();
-		if let Some(CanonicalJsonValue::String(room_id)) = body_ref
-			.get("fi.mau.room_id")
-			.or_else(|| body_ref.get("room_id"))
-		{
-			Some(
-				RoomId::parse(room_id)
-					.map_err(|e| err!(Request(BadJson("Malformed custom room ID: {e}"))))?,
-			)
-		} else {
-			None
-		}
-	};
-
-	let room_id = match room_version_rules.room_id_format {
-		| RoomIdFormatVersion::V1 => Some(
-			expect_room_id
-				.clone()
-				.unwrap_or_else(|| RoomId::new_v1(services.globals.server_name())),
-		),
+	let room_id: Option<OwnedRoomId> = match room_version_rules.room_id_format {
+		| RoomIdFormatVersion::V1 => {
+			// Check for custom room ID field
+			if let Some(CanonicalJsonValue::String(room_id)) =
+				body.json_body.as_ref().unwrap().get("room_id")
+			{
+				Some(
+					RoomId::parse(room_id)
+						.map_err(|_| err!(Request(BadJson("Malformed custom room ID"))))?,
+				)
+			} else {
+				Some(RoomId::new_v1(services.globals.server_name()))
+			}
+		},
 		| _ => None,
 	};

 	// check if room ID doesn't already exist instead of erroring on auth check
-	if let Some(room_id) = room_id.as_ref().or(expect_room_id.as_ref()) {
+	if let Some(ref room_id) = room_id {
 		if services.rooms.short.get_shortroomid(room_id).await.is_ok() {
 			return Err!(Request(RoomInUse("Room with that custom room ID already exists",)));
 		}
@@ -260,16 +243,15 @@ pub(crate) async fn create_room_route(

 	// Allow requesters to override the `origin_server_ts` to customize room ids
 	// from v12 onwards
-	let custom_origin_server_ts = {
-		let body_ref = body.json_body.as_ref().unwrap();
-		body_ref
-			.get("origin_server_ts")
-			.or_else(|| body_ref.get("fi.mau.origin_server_ts"))
-			.and_then(CanonicalJsonValue::as_integer)
-			.map(Into::into)
-			.and_then(|value: i64| value.try_into().ok())
-			.map(MilliSecondsSinceUnixEpoch)
-	};
+	let custom_origin_server_ts = body
+		.json_body
+		.as_ref()
+		.unwrap()
+		.get("origin_server_ts")
+		.and_then(CanonicalJsonValue::as_integer)
+		.map(Into::into)
+		.and_then(|value: i64| value.try_into().ok())
+		.map(MilliSecondsSinceUnixEpoch);

 	let create_event_id = services
 		.rooms
@@ -299,13 +281,6 @@ pub(crate) async fn create_room_route(
 	};
 	drop(state_lock);
 	debug!("Room created with ID {room_id}");
-	if let Some(expected_room_id) = expect_room_id
-		&& expected_room_id != room_id
-	{
-		return Err!(BadServerResponse(
-			"Room's final room ID was {room_id}, but expected {expected_room_id}"
-		));
-	}
 	let state_lock = services.rooms.state.mutex.lock(room_id.as_str()).await;

 	// 2. Let the room creator join
@@ -313,6 +288,7 @@ pub(crate) async fn create_room_route(
 	let mut join_event = RoomMemberEventContent::new(MembershipState::Join);
 	join_event.displayname = services.users.displayname(sender_user).await.ok();
 	join_event.avatar_url = services.users.avatar_url(sender_user).await.ok();
+	join_event.blurhash = services.users.blurhash(sender_user).await.ok();
 	join_event.is_direct = Some(body.is_direct);

 	debug_info!("Joining {sender_user} to room {room_id}");
@@ -478,32 +454,7 @@ pub(crate) async fn create_room_route(
 		.boxed()
 		.await?;

-	// 6. Initial state events provided by the homeserver
-
-	let mut server_initial_state: Vec<PartialPdu> = Vec::new();
-
-	if let Some(allow_list) = services.server.config.default_room_acl_allow.clone() {
-		server_initial_state.push(PartialPdu::state(
-			String::new(),
-			&RoomServerAclEventContent::new(true, allow_list, vec![]),
-		));
-	} else if let Some(deny_list) = services.server.config.default_room_acl_deny.clone() {
-		server_initial_state.push(PartialPdu::state(
-			String::new(),
-			&RoomServerAclEventContent::new(true, vec!["*".to_owned()], deny_list),
-		));
-	}
-
-	for pdu in server_initial_state {
-		services
-			.rooms
-			.timeline
-			.build_and_append_pdu(pdu, sender_user, Some(&room_id), &state_lock)
-			.boxed()
-			.await?;
-	}
-
-	// 7. Events listed in initial_state
+	// 6. Events listed in initial_state
 	for event in &body.initial_state {
 		let mut partial_pdu = event
 			.deserialize_as_unchecked::<PartialPdu>()
@@ -531,7 +482,7 @@ pub(crate) async fn create_room_route(
 			.await?;
 	}

-	// 8. Events implied by name and topic
+	// 7. Events implied by name and topic
 	if let Some(name) = &body.name {
 		services
 			.rooms
@@ -560,7 +511,7 @@ pub(crate) async fn create_room_route(
 			.await?;
 	}

-	// 9. Events implied by invite (and TODO: invite_3pid)
+	// 8. Events implied by invite (and TODO: invite_3pid)
 	drop(state_lock);
 	for recipient_user in &invitees {
 		if let Err(e) =
@@ -586,7 +537,10 @@ pub(crate) async fn create_room_route(
 		if services.server.config.admin_room_notices {
 			services
 				.admin
-				.send_text(&format!("{sender_user} made {room_id} public to the room directory"))
+				.send_text(&format!(
+					"{sender_user} made {} public to the room directory",
+					&room_id
+				))
 				.await;
 		}
 		info!("{sender_user} made {0} public to the room directory", &room_id);
@@ -2,267 +2,47 @@ use std::cmp::max;

 use axum::extract::State;
 use conduwuit::{
-	Err, Error, Event, Result, debug,
-	debug::DebugInspect,
-	err, error,
-	info::room_version::UNSTABLE_ROOM_VERSIONS,
+	Err, Error, Event, Result, debug, err, info,
 	matrix::{StateKey, pdu::PartialPdu},
 };
 use futures::{FutureExt, StreamExt};
 use ruma::{
-	OwnedEventId, OwnedRoomId, RoomId, UserId,
+	CanonicalJsonObject, RoomId, RoomVersionId,
 	api::{client::room::upgrade_room, error::ErrorKind},
 	assign,
 	events::{
-		StateEventType,
+		StateEventType, TimelineEventType,
 		room::{
-			create::{PreviousRoom, RoomCreateEventContent},
+			create::PreviousRoom,
 			member::{MembershipState, RoomMemberEventContent},
 			power_levels::RoomPowerLevelsEventContent,
 			tombstone::RoomTombstoneEventContent,
 		},
-		space::{child::SpaceChildEventContent, parent::SpaceParentEventContent},
+		space::child::{RedactedSpaceChildEventContent, SpaceChildEventContent},
 	},
 	int,
 	room_version_rules::RoomIdFormatVersion,
 };
-use serde_json::value::to_raw_value;
+use serde_json::{json, value::to_raw_value};

 use crate::router::Ruma;

 /// Recommended transferable state events list from the spec
 const TRANSFERABLE_STATE_EVENTS: &[StateEventType; 11] = &[
-	StateEventType::RoomServerAcl,
-	StateEventType::RoomEncryption,
-	StateEventType::RoomName,
 	StateEventType::RoomAvatar,
-	StateEventType::RoomTopic,
+	StateEventType::RoomEncryption,
 	StateEventType::RoomGuestAccess,
 	StateEventType::RoomHistoryVisibility,
 	StateEventType::RoomJoinRules,
+	StateEventType::RoomName,
 	StateEventType::RoomPowerLevels,
-	StateEventType::SpaceParent,
+	StateEventType::RoomServerAcl,
+	StateEventType::RoomTopic,
+	// Not explicitly recommended in spec, but very useful.
 	StateEventType::SpaceChild,
+	StateEventType::SpaceParent, // TODO: m.room.policy?
 ];

-/// Updates spaces that are marked as parents of old_room_id to instead point to
-/// the new room ID.
-///
-/// See: https://github.com/matrix-org/matrix-spec-proposals/pull/4168
-async fn update_parents(
-	services: &crate::State,
-	sender: &UserId,
-	old_room_id: &RoomId,
-	new_room_id: &RoomId,
-) -> Result {
-	// Fetch the spaces which this room claims are its parents.
-
-	// In rooms that reference the old room via m.space.child events...
-	let parents = services
-		.rooms
-		.state_accessor
-		.room_state_keys(old_room_id, &StateEventType::SpaceParent)
-		.await
-		.debug_inspect(|k| debug!(?old_room_id, "Parents: {k:?}"))?;
-
-	for raw_parent_id in parents {
-		let parent_id = RoomId::parse(&raw_parent_id)?;
-		if !services
-			.rooms
-			.state_cache
-			.is_joined(sender, &parent_id)
-			.await
-		{
-			debug!(%parent_id, "Skipping space as sender is not joined");
-			continue; // Skip updating rooms the sender isn't in.
-		}
-		let state_lock = services.rooms.state.mutex.lock(parent_id.as_str()).await;
-		// We're now fetching state from the *space* that has the old room as a *child*.
-		// Follow along. This will be on the test.
-		let Ok(child) = services
-			.rooms
-			.state_accessor
-			.room_state_get_content::<SpaceChildEventContent>(
-				&parent_id,
-				&StateEventType::SpaceChild,
-				old_room_id.as_str(),
-			)
-			.await
-			.debug_inspect_err(|e| {
-				error!(
-					?parent_id,
-					old_room_id=?old_room_id,
-					new_room_id=?new_room_id,
-					%e,
-					"failed to fetch m.space.child from parent"
-				);
-			})
-		else {
-			// If the space does not have a child event for this room, we can skip it
-			continue;
-		};
-
-		// ...the upgrading server SHOULD send a new m.space.child event with state_key
-		// set to the new room's ID, copying the order and suggested fields from the
-		// content of the m.space.child with state_key of the previous room ID.
-		services
-			.rooms
-			.timeline
-			.build_and_append_pdu(
-				PartialPdu::state(
-					new_room_id.as_str(),
-					&assign!(
-						SpaceChildEventContent::new(vec![sender.server_name().to_owned()]),
-						{
-							order: child.order,
-							suggested: child.suggested,
-						}
-					),
-				),
-				sender,
-				Some(&parent_id),
-				&state_lock,
-			)
-			.boxed()
-			.await
-			.debug_inspect_err(|e| {
-				error!(
-					?parent_id,
-					old_room_id=?old_room_id,
-					new_room_id=?new_room_id,
-					%e,
-					"failed to send m.space.child to parent during room upgrade"
-				);
-			})
-			.ok();
-		drop(state_lock);
-	}
-
-	Ok(())
-}
-
-/// If the room being upgraded is a space, replace all m.space.parent references
-/// in its children to point at the newly upgraded room ID, so that they point
-/// at the new space.
-///
-/// See: https://github.com/matrix-org/matrix-spec-proposals/pull/4168
-async fn update_children(
-	services: &crate::State,
-	sender: &UserId,
-	old_room_id: &RoomId,
-	new_room_id: &RoomId,
-) -> Result {
-	// Fetch the children of this space.
-	// Note that this might not actually be a space, but just a room that has
-	// children.
-
-	// In rooms that reference the old room via m.space.parent events...
-	// NOTE: Doing that would be expensive. We'll instead fetch rooms which the
-	// space claims are children.
-	let parents = services
-		.rooms
-		.state_accessor
-		.room_state_keys(old_room_id, &StateEventType::SpaceChild)
-		.await
-		.debug_inspect(|k| debug!(?old_room_id, "Children: {k:?}"))?;
-
-	for raw_child_id in parents {
-		let child_id = RoomId::parse(&raw_child_id)?;
-		if !services
-			.rooms
-			.state_cache
-			.is_joined(sender, &child_id)
-			.await
-		{
-			debug!(%child_id, "Skipping child room as sender is not joined");
-			continue;
-		}
-		let state_lock = services.rooms.state.mutex.lock(child_id.as_str()).await;
-		// We're now fetching state from the *child* that has the old space as a
-		// *parent*. Follow along. This will also be on the test.
-		let Ok(ref parent) = services
-			.rooms
-			.state_accessor
-			.room_state_get_content::<SpaceParentEventContent>(
-				&child_id,
-				&StateEventType::SpaceParent,
-				old_room_id.as_str(),
-			)
-			.await
-			.debug_inspect_err(|e| {
-				error!(
-					?child_id,
-					old_room_id=?old_room_id,
-					new_room_id=?new_room_id,
-					%e,
-					"failed to fetch m.space.parent from child"
-				);
-			})
-		else {
-			// If the child does not have a parent event for this room, we can skip it.
-			continue;
-		};
-
-		// ... the upgrading server SHOULD send a new m.space.parent event with
-		// state_key set to the new room's ID.
-		services
-			.rooms
-			.timeline
-			.build_and_append_pdu(
-				PartialPdu::state(
-					new_room_id.as_str(),
-					&assign!(SpaceParentEventContent::new(vec![sender.server_name().to_owned()]), { canonical: parent.canonical }),
-				),
-				sender,
-				Some(&child_id),
-				&state_lock,
-			)
-			.boxed()
-			.await
-			.debug_inspect_err(|e| error!(
-				child_id=?child_id,
-				old_room_id=?old_room_id,
-				new_room_id=?new_room_id,
-				%e,
-				"failed to send updated m.space.parent to child during room upgrade"
-			))
-			.ok();
-
-		// If the previous m.space.parent event has canonical set to true in content,
-		// homeservers SHOULD update the old state event to set canonical to false,
-		// while setting it to true in the newly-sent m.space.parent event.
-		if parent.canonical {
-			services
-				.rooms
-				.timeline
-				.build_and_append_pdu(
-					PartialPdu::state(
-						old_room_id.as_str(),
-						&assign!(parent.clone(), {canonical: false}),
-					),
-					sender,
-					Some(&child_id),
-					&state_lock,
-				)
-				.boxed()
-				.await
-				.debug_inspect_err(|e| {
-					error!(
-						child_id=?child_id,
-						old_room_id=?old_room_id,
-						new_room_id=?new_room_id,
-						%e,
-						"failed to send non-canonical m.space.parent to child room"
-					);
-				})
-				.ok();
-		}
-		drop(state_lock);
-	}
-
-	Ok(())
-}
-
 /// # `POST /_matrix/client/r0/rooms/{roomId}/upgrade`
 ///
 /// Upgrades the room.
@@ -277,14 +57,10 @@ pub(crate) async fn upgrade_room_route(
 	State(services): State<crate::State>,
 	body: Ruma<upgrade_room::v3::Request>,
 ) -> Result<upgrade_room::v3::Response> {
-	let sender_user = body.sender_user();
+	// TODO[v12]: Handle additional creators
+	let sender_user = body.sender_user.as_ref().expect("user is authenticated");

-	let (supported, forbid_unstable, is_unstable) = (
-		services.server.supported_room_version(&body.new_version),
-		!services.config.allow_unstable_room_versions,
-		UNSTABLE_ROOM_VERSIONS.contains(&body.new_version),
-	);
-	if !supported || (forbid_unstable && is_unstable) {
+	if !services.server.supported_room_version(&body.new_version) {
 		return Err(Error::BadRequest(
 			ErrorKind::UnsupportedRoomVersion,
 			"This server does not support that room version.",
@@ -301,15 +77,17 @@ pub(crate) async fn upgrade_room_route(
 		return Err!(Request(Forbidden("Upgrading the admin room this way is not allowed.")));
 	}

-	// 1. Check that the user has permission to send m.room.tombstone events in the
-	//    room.
+	// First, check if the user has permission to upgrade the room (send tombstone
+	// event)
 	let old_room_state_lock = services.rooms.state.mutex.lock(body.room_id.as_str()).await;

-	// Check tombstone permission by attempting to create (but not send) the event.
-	services
+	// Check tombstone permission by attempting to create (but not send) the event
+	// Note that this does internally call the policy server with a fake room ID,
+	// which may not be good?
+	let tombstone_test_result = services
 		.rooms
 		.timeline
-		.create_event(
+		.create_hash_and_sign_event(
 			PartialPdu::state(
 				StateKey::new(),
 				&RoomTombstoneEventContent::new(
@@ -321,104 +99,157 @@ pub(crate) async fn upgrade_room_route(
 			Some(&body.room_id),
 			&old_room_state_lock,
 		)
-		.await
-		.map_err(|_| {
-			err!(Request(Forbidden("You do not have permission to upgrade this room.")))
-		})?;
+		.await;
+
+	if let Err(_e) = tombstone_test_result {
+		return Err!(Request(Forbidden("User does not have permission to upgrade this room.")));
+	}
+
+	drop(old_room_state_lock);

 	// Create a replacement room
-	let new_version_rules = body
+	let room_version_rules = body
 		.new_version
 		.rules()
 		.expect("new room version should have defined rules");
-
-	let last_event = if new_version_rules
-		.authorization
-		.room_create_event_id_as_room_id
-	{
-		None
+	let replacement_room_owned = if room_version_rules.room_id_format == RoomIdFormatVersion::V2 {
+		Some(RoomId::new_v1(services.globals.server_name()))
 	} else {
-		Some(
-			services
-				.rooms
-				.state
-				.get_forward_extremities(&body.room_id)
-				.collect::<Vec<OwnedEventId>>()
-				.await[0]
-				.clone(),
-		)
+		None
 	};
-	let old_create_event: RoomCreateEventContent = services
+	let replacement_room: Option<&RoomId> = replacement_room_owned.as_ref().map(AsRef::as_ref);
+	let replacement_room_tmp = match replacement_room {
+		| Some(v) => v,
+		| None => &RoomId::new_v1(services.globals.server_name()),
+	};
+
+	let _short_id = services
+		.rooms
+		.short
+		.get_or_create_shortroomid(replacement_room_tmp)
+		.await;
+
+	// For pre-v12 rooms, send tombstone before creating replacement room
+	let tombstone_event_id = if room_version_rules.room_id_format != RoomIdFormatVersion::V2 {
+		let state_lock = services.rooms.state.mutex.lock(body.room_id.as_str()).await;
+		// Send a m.room.tombstone event to the old room to indicate that it is not
+		// intended to be used any further
+		let tombstone_event_id = services
+			.rooms
+			.timeline
+			.build_and_append_pdu(
+				PartialPdu::state(
+					StateKey::new(),
+					&RoomTombstoneEventContent::new(
+						"This room has been replaced".to_owned(),
+						replacement_room.unwrap().to_owned(),
+					),
+				),
+				sender_user,
+				Some(&body.room_id),
+				&state_lock,
+			)
+			.boxed()
+			.await?;
+		// Change lock to replacement room
+		drop(state_lock);
+		Some(tombstone_event_id)
+	} else {
+		None
+	};
+	let state_lock = services
+		.rooms
+		.state
+		.mutex
+		.lock(replacement_room_tmp.as_str())
+		.await;
+
+	// Get the old room creation event
+	let mut create_event_content: CanonicalJsonObject = services
 		.rooms
 		.state_accessor
 		.room_state_get_content(&body.room_id, &StateEventType::RoomCreate, "")
 		.await
 		.map_err(|_| err!(Database("Found room without m.room.create event.")))?;
-	let create_event_content = if new_version_rules.authorization.use_room_create_sender {
-		RoomCreateEventContent::new_v1(sender_user.to_owned())
-	} else {
-		RoomCreateEventContent::new_v11()
-	};
-	#[allow(deprecated)]
-	let create_event_content = {
-		assign!(
-			create_event_content,
-			{
-				additional_creators: if new_version_rules.authorization.additional_room_creators {
-					body.additional_creators.clone()
-				} else { Vec::new() },
-				creator: if new_version_rules.authorization.use_room_create_sender {
-					None
-				} else { Some(sender_user.to_owned()) },
-				predecessor: Some(assign!(PreviousRoom::new(body.room_id.clone()), {
-					event_id: last_event,
-				})),
-				room_type: old_create_event.room_type.clone(),
-				room_version: body.new_version.clone(),
-			}
-		)
+
+	// Use the m.room.tombstone event as the predecessor
+
+	let predecessor = {
+		#[allow(deprecated, reason = "Clients still use event_id even though it's deprecated")]
+		Some(assign!(PreviousRoom::new(body.room_id.clone()), {
+			event_id: tombstone_event_id,
+		}))
 	};

-	let replacement_room_id: Option<OwnedRoomId> =
-		if new_version_rules.room_id_format == RoomIdFormatVersion::V2 {
-			None
-		} else {
-			Some(RoomId::new_v1(services.globals.server_name()))
-		};
+	// Send a m.room.create event containing a predecessor field and the applicable
+	// room_version
+	{
+		use RoomVersionId::*;
+		match body.new_version {
+			| V1 | V2 | V3 | V4 | V5 | V6 | V7 | V8 | V9 | V10 => {
+				create_event_content.insert(
+					"creator".into(),
+					json!(&sender_user).try_into().map_err(|e| {
+						info!("Error forming creation event: {e}");
+						Error::BadRequest(ErrorKind::BadJson, "Error forming creation event")
+					})?,
+				);
+			},
+			| _ => {
+				// "creator" key no longer exists in V11 rooms
+				create_event_content.remove("creator");
+			},
+			// TODO(hydra): additional_creators
+		}
+	}
+
+	create_event_content.insert(
+		"room_version".into(),
+		json!(&body.new_version)
+			.try_into()
+			.map_err(|_| Error::BadRequest(ErrorKind::BadJson, "Error forming creation event"))?,
+	);
+	create_event_content.insert(
+		"predecessor".into(),
+		json!(predecessor)
+			.try_into()
+			.map_err(|_| Error::BadRequest(ErrorKind::BadJson, "Error forming creation event"))?,
+	);
+
+	// Validate creation event content
+	if serde_json::from_str::<CanonicalJsonObject>(
+		to_raw_value(&create_event_content)
+			.expect("Error forming creation event")
+			.get(),
+	)
+	.is_err()
+	{
+		return Err(Error::BadRequest(ErrorKind::BadJson, "Error forming creation event"));
+	}

-	let new_room_state_lock = if let Some(new_room_id) = replacement_room_id.as_ref() {
-		services.rooms.state.mutex.lock(new_room_id.as_str()).await
-	} else {
-		// NOTE: Using a hardcoded room ID for the temporary mutex means only one room
-		// can be created at a time. This is actually beneficial, as it reduces the
-		// risk of concurrent in-flight collisions.
-		services.rooms.state.mutex.lock("!new-room").await
-	};
-	debug!("Upgrading {} to room version {}", &body.room_id, &body.new_version);
 	let create_event_id = services
 		.rooms
 		.timeline
 		.build_and_append_pdu(
-			PartialPdu::state(StateKey::new(), &create_event_content),
+			PartialPdu {
+				event_type: TimelineEventType::RoomCreate,
+				content: to_raw_value(&create_event_content)
+					.expect("event is valid, we just created it"),
+				unsigned: None,
+				state_key: Some(StateKey::new()),
+				redacts: None,
+				timestamp: None,
+			},
 			sender_user,
-			replacement_room_id.as_deref(),
-			&new_room_state_lock,
+			replacement_room,
+			&state_lock,
 		)
 		.boxed()
 		.await?;
-	drop(new_room_state_lock);
-	// re-acquire a new lock with the new room ID.
-	// We don't actually need a state lock for sending the m.room.create event, but
-	// we get one anyway because the function requires it and I can't be bothered
-	// refactoring it.
-	let (replacement_room_id, new_room_state_lock) =
-		if new_version_rules.room_id_format == RoomIdFormatVersion::V2 {
-			let parsed_room_id = RoomId::new_v2(
-				create_event_id
-					.as_str()
-					.strip_prefix("$")
-					.expect("event ID must start with $ sigil"),
-			)?;
+	let create_id = create_event_id.as_str().replace('$', "!");
+	let (replacement_room, state_lock) =
+		if room_version_rules.room_id_format == RoomIdFormatVersion::V2 {
+			let parsed_room_id = RoomId::parse(&create_id)?;
 			let lock = services
 				.rooms
 				.state
@@ -427,13 +258,9 @@ pub(crate) async fn upgrade_room_route(
 				.await;
 			(Some(parsed_room_id), lock)
 		} else {
-			let new_room_id =
-				replacement_room_id.expect("replacement room id should be known by now");
-			let lock = services.rooms.state.mutex.lock(new_room_id.as_str()).await;
-			(Some(new_room_id), lock)
+			(replacement_room.map(ToOwned::to_owned), state_lock)
 		};

-	debug!("Upgraded {} to {}", &body.room_id, replacement_room_id.as_deref().unwrap());
 	// Join the new room
 	services
 		.rooms
@@ -444,16 +271,17 @@ pub(crate) async fn upgrade_room_route(
 				&assign!(RoomMemberEventContent::new(MembershipState::Join), {
 					displayname: services.users.displayname(sender_user).await.ok(),
 					avatar_url: services.users.avatar_url(sender_user).await.ok(),
+					blurhash: services.users.blurhash(sender_user).await.ok(),
 				}),
 			),
 			sender_user,
-			replacement_room_id.as_deref(),
-			&new_room_state_lock,
+			replacement_room.as_deref(),
+			&state_lock,
 		)
 		.boxed()
 		.await?;

-	// 3. Replicate transferable state events to the new room
+	// Replicate transferable state events to the new room
 	for event_type in TRANSFERABLE_STATE_EVENTS {
 		let state_keys = services
 			.rooms
@@ -470,45 +298,26 @@ pub(crate) async fn upgrade_room_route(
 				| Ok(v) => v.content().to_owned(),
 				| Err(_) => continue, // Skipping missing events.
 			};
+			if event_content.get() == "{}" {
+				// If the event content is empty, we skip it
+				continue;
+			}
 			// If this is a power levels event, and the new room version has creators,
 			// we need to make sure they dont appear in the users block of power levels.
 			if *event_type == StateEventType::RoomPowerLevels {
-				let creators = body
-					.additional_creators
-					.clone()
-					.iter()
-					.chain(std::iter::once(&sender_user.to_owned()))
-					.map(ToOwned::to_owned)
-					.collect::<Vec<_>>();
+				// TODO(v12): additional creators
+				let creators = vec![sender_user];
 				let mut power_levels_event_content: RoomPowerLevelsEventContent =
 					serde_json::from_str(event_content.get()).map_err(|_| {
 						err!(Request(BadJson("Power levels event content is not valid")))
 					})?;
 				for creator in creators {
-					if new_version_rules
-						.authorization
-						.explicitly_privilege_room_creators
-					{
-						power_levels_event_content.users.remove(&creator);
-					} else {
-						power_levels_event_content.users.insert(
-							creator.clone(),
-							max(
-								int!(100),
-								power_levels_event_content
-									.users
-									.get(&creator)
-									.copied()
-									.unwrap_or_default(),
-							),
-						);
-					}
+					power_levels_event_content.users.remove(creator);
 				}
 				event_content = to_raw_value(&power_levels_event_content)
 					.expect("event is valid, we just deserialized and modified it");
 			}

-			debug!(%event_type, ?state_key, "Transferring state event to new room");
 			services
 				.rooms
 				.timeline
@@ -520,15 +329,15 @@ pub(crate) async fn upgrade_room_route(
 						..Default::default()
 					},
 					sender_user,
-					replacement_room_id.as_deref(),
-					&new_room_state_lock,
+					replacement_room.as_deref(),
+					&state_lock,
 				)
 				.boxed()
 				.await?;
 		}
 	}

-	// 4. Move any local aliases to the new room
+	// Moves any local aliases to the new room
 	let mut local_aliases = services
 		.rooms
 		.alias
@@ -536,7 +345,6 @@ pub(crate) async fn upgrade_room_route(
 		.boxed();

 	while let Some(alias) = local_aliases.next().await {
-		debug!(?alias, "Migrating alias");
 		services
 			.rooms
 			.alias
@@ -545,31 +353,11 @@ pub(crate) async fn upgrade_room_route(

 		services.rooms.alias.set_alias(
 			&alias,
-			replacement_room_id.as_deref().unwrap(),
+			replacement_room.as_ref().unwrap(),
 			sender_user,
 		)?;
 	}

-	// 5. Send a `m.room.tombstone` event to the old room to indicate that it is not
-	//    intended to be used any further.
-	debug!(target=?body.room_id, "Sending tombstone to old room");
-	services
-		.rooms
-		.timeline
-		.build_and_append_pdu(
-			PartialPdu::state(
-				StateKey::new(),
-				&RoomTombstoneEventContent::new(
-					"This room has been replaced".to_owned(),
-					replacement_room_id.clone().unwrap(),
-				),
-			),
-			sender_user,
-			Some(&body.room_id),
-			&old_room_state_lock,
-		)
-		.await?;
-
 	// Get the old room power levels
 	let mut power_levels = services
 		.rooms
@@ -591,10 +379,8 @@ pub(crate) async fn upgrade_room_route(
 	power_levels.events_default = new_level;
 	power_levels.invite = new_level;

-	// 6. Modify the power levels in the old room to prevent sending of events and
+	// Modify the power levels in the old room to prevent sending of events and
 	// inviting new users
-	// Spec dictates that this is allowed to fail.
-	debug!(target=?body.room_id, ?new_level, "Raising power level in old room to lock it");
 	services
 		.rooms
 		.timeline
@@ -605,50 +391,117 @@ pub(crate) async fn upgrade_room_route(
 			),
 			sender_user,
 			Some(&body.room_id),
-			&old_room_state_lock,
+			&state_lock,
 		)
 		.boxed()
-		.await
-		.ok();
+		.await?;

-	// MSC4168: Update spaces that reference this room to point at the new room.
-	debug!("Updating parent spaces");
-	update_parents(
-		&services,
-		sender_user,
-		&body.room_id,
-		replacement_room_id.as_deref().unwrap(),
-	)
-	.await
-	.inspect_err(|e| {
-		error!(
-			old_room_id=?body.room_id,
-			new_room_id=?replacement_room_id.as_deref().unwrap(),
-			%e,
-			"failed to update parent spaces during room upgrade"
-		);
-	})
-	.ok();
+	drop(state_lock);

-	// MSC4168: Update child rooms to point at the new space, where possible
-	debug!("Updating space children");
-	update_children(
-		&services,
-		sender_user,
-		&body.room_id,
-		replacement_room_id.as_deref().unwrap(),
-	)
-	.await
-	.inspect_err(|e| {
-		error!(
-			old_room_id=?body.room_id,
-			new_room_id=?replacement_room_id.as_deref().unwrap(),
-			%e,
-			"failed to update space children during room upgrade"
+	// For v12 rooms, send tombstone AFTER creating replacement room
+	if room_version_rules.room_id_format == RoomIdFormatVersion::V2 {
+		let old_room_state_lock = services.rooms.state.mutex.lock(body.room_id.as_str()).await;
+		// For v12 rooms, no event reference in predecessor due to cyclic dependency -
+		// could best effort one maybe?
+		services
+			.rooms
+			.timeline
+			.build_and_append_pdu(
+				PartialPdu::state(
+					StateKey::new(),
+					&RoomTombstoneEventContent::new(
+						"This room has been replaced".to_owned(),
+						replacement_room.as_ref().unwrap().to_owned(),
+					),
+				),
+				sender_user,
+				Some(&body.room_id),
+				&old_room_state_lock,
+			)
+			.await?;
+		drop(old_room_state_lock);
+	}
+
+	// Check if the old room has a space parent, and if so, whether we should update
+	// it (m.space.parent, room_id)
+	let parents = services
+		.rooms
+		.state_accessor
+		.room_state_keys(&body.room_id, &StateEventType::SpaceParent)
+		.await?;
+
+	for raw_space_id in parents {
+		let space_id = RoomId::parse(&raw_space_id)?;
+		let Ok(child) = services
+			.rooms
+			.state_accessor
+			.room_state_get_content::<SpaceChildEventContent>(
+				&space_id,
+				&StateEventType::SpaceChild,
+				body.room_id.as_str(),
+			)
+			.await
+		else {
+			// If the space does not have a child event for this room, we can skip it
+			continue;
+		};
+		debug!(
+			"Updating space {space_id} child event for room {} to {}",
+			&body.room_id,
+			replacement_room.as_ref().unwrap()
 		);
-	})
-	.ok();
+		// First, drop the space's child event
+		let state_lock = services.rooms.state.mutex.lock(space_id.as_str()).await;
+		debug!("Removing space child event for room {} in space {space_id}", &body.room_id);
+		services
+			.rooms
+			.timeline
+			.build_and_append_pdu(
+				PartialPdu {
+					event_type: StateEventType::SpaceChild.into(),
+					content: to_raw_value(&RedactedSpaceChildEventContent::new())
+						.expect("event is valid, we just created it"),
+					state_key: Some(body.room_id.clone().as_str().into()),
+					..Default::default()
+				},
+				sender_user,
+				Some(&space_id),
+				&state_lock,
+			)
+			.boxed()
+			.await
+			.ok();
+		// Now, add a new child event for the replacement room
+		debug!(
+			"Adding space child event for room {} in space {space_id}",
+			replacement_room.as_ref().unwrap()
+		);
+		services
+			.rooms
+			.timeline
+			.build_and_append_pdu(
+				PartialPdu::state(
+					replacement_room.as_ref().unwrap().as_str(),
+					&assign!(SpaceChildEventContent::new(vec![sender_user.server_name().to_owned()]), {
+						order: child.order,
+						suggested: child.suggested,
+					}),
+				),
+				sender_user,
+				Some(&space_id),
+				&state_lock,
+			)
+			.boxed()
+			.await
+			.ok();
+		debug!(
+			"Finished updating space {space_id} child event for room {} to {}",
+			&body.room_id,
+			replacement_room.as_ref().unwrap()
+		);
+		drop(state_lock);
+	}

 	// Return the replacement room id
-	Ok(upgrade_room::v3::Response::new(replacement_room_id.unwrap()))
+	Ok(upgrade_room::v3::Response::new(replacement_room.as_ref().unwrap().to_owned()))
 }
@@ -4,9 +4,10 @@ use axum::extract::State;
 use axum_client_ip::ClientIp;
 use conduwuit::{
 	Err, Result, debug, err, info,
-	utils::{self, ReadyExt, stream::BroadbandExt},
+	utils::{self, ReadyExt, hash, stream::BroadbandExt},
 	warn,
 };
+use conduwuit_core::debug_error;
 use conduwuit_service::Services;
 use futures::StreamExt;
 use lettre::Address;
@@ -21,7 +22,7 @@ use ruma::{
 			},
 			login::{
 				self,
-				v3::{DiscoveryInfo, HomeserverInfo, LoginInfo},
+				v3::{DiscoveryInfo, HomeserverInfo},
 			},
 			logout, logout_all,
 		},
@@ -29,6 +30,7 @@ use ruma::{
 	},
 	assign,
 };
+use service::uiaa::Identity;

 use super::{DEVICE_ID_LENGTH, TOKEN_LENGTH};
 use crate::Ruma;
@@ -43,12 +45,6 @@ pub(crate) async fn get_login_types_route(
 	ClientIp(client): ClientIp,
 	_body: Ruma<get_login_types::v3::Request>,
 ) -> Result<get_login_types::v3::Response> {
-	if !services.config.oauth.compatibility_mode.uiaa_available() {
-		return Err!(Request(Unrecognized(
-			"User-interactive authentication is not available on this server."
-		)));
-	}
-
 	Ok(get_login_types::v3::Response::new(vec![
 		get_login_types::v3::LoginType::Password(PasswordLoginType::default()),
 		get_login_types::v3::LoginType::ApplicationService(ApplicationServiceLoginType::default()),
@@ -58,7 +54,38 @@ pub(crate) async fn get_login_types_route(
 	]))
 }

-pub async fn handle_login(
+/// Authenticates the given user by its ID and its password.
+///
+/// Returns the user ID if successful, and an error otherwise.
+#[tracing::instrument(skip_all, fields(%user_id), name = "password", level = "debug")]
+pub(crate) async fn password_login(
+	services: &Services,
+	user_id: &UserId,
+	lowercased_user_id: &UserId,
+	password: &str,
+) -> Result<OwnedUserId> {
+	let (hash, user_id) = match services.users.password_hash(user_id).await {
+		| Ok(hash) => (hash, user_id),
+		| Err(_) => services
+			.users
+			.password_hash(lowercased_user_id)
+			.await
+			.map(|hash| (hash, lowercased_user_id))
+			.map_err(|_| err!(Request(Forbidden("Invalid identifier or password."))))?,
+	};
+
+	if hash.is_empty() {
+		return Err!(Request(UserDeactivated("The user has been deactivated")));
+	}
+
+	hash::verify_password(password, &hash)
+		.inspect_err(|e| debug_error!("{e}"))
+		.map_err(|_| err!(Request(Forbidden("Invalid identifier or password."))))?;
+
+	Ok(user_id.to_owned())
+}
+
+pub(crate) async fn handle_login(
 	services: &Services,
 	identifier: Option<&UserIdentifier>,
 	password: &str,
@@ -88,16 +115,28 @@ pub async fn handle_login(
 		UserId::parse_with_server_name(user_id_or_localpart, &services.config.server_name)
 			.map_err(|_| err!(Request(InvalidUsername("User ID is malformed"))))?;

-	if !services.globals.user_is_local(&user_id) {
+	let lowercased_user_id = UserId::parse_with_server_name(
+		user_id.localpart().to_lowercase(),
+		&services.config.server_name,
+	)
+	.unwrap();
+
+	if !services.globals.user_is_local(&user_id)
+		|| !services.globals.user_is_local(&lowercased_user_id)
+	{
 		return Err!(Request(InvalidParam("User ID does not belong to this homeserver")));
 	}

+	if services.users.is_locked(&user_id).await? {
+		return Err!(Request(UserLocked("This account has been locked.")));
+	}
+
 	if services.users.is_login_disabled(&user_id).await {
 		warn!(%user_id, "user attempted to log in with a login-disabled account");
 		return Err!(Request(Forbidden("This account is not permitted to log in.")));
 	}

-	services.users.check_password(&user_id, password).await
+	password_login(services, &user_id, &lowercased_user_id, password).await
 }

 /// # `POST /_matrix/client/v3/login`
@@ -120,29 +159,19 @@ pub(crate) async fn login_route(
 	ClientIp(client): ClientIp,
 	body: Ruma<login::v3::Request>,
 ) -> Result<login::v3::Response> {
-	if !services.config.oauth.compatibility_mode.uiaa_available() {
-		return match body.login_info {
-			| LoginInfo::ApplicationService(_) => {
-				Err!(Request(AppserviceLoginUnsupported(
-					"User-interactive appservice login is not available on this server."
-				)))
-			},
-			| _ => {
-				Err!(Request(Unrecognized(
-					"User-interactive authentication is not available on this server."
-				)))
-			},
-		};
-	}
-
 	let emergency_mode_enabled = services.config.emergency_password.is_some();

 	// Validate login method
+	// TODO: Other login methods
 	let user_id = match &body.login_info {
 		#[allow(deprecated)]
-		| LoginInfo::Password(login::v3::Password { identifier, password, user, .. }) =>
-			handle_login(&services, identifier.as_ref(), password, user.as_ref()).await?,
-		| LoginInfo::Token(login::v3::Token { token, .. }) => {
+		| login::v3::LoginInfo::Password(login::v3::Password {
+			identifier,
+			password,
+			user,
+			..
+		}) => handle_login(&services, identifier.as_ref(), password, user.as_ref()).await?,
+		| login::v3::LoginInfo::Token(login::v3::Token { token, .. }) => {
 			debug!("Got token login type");
 			if !services.server.config.login_via_existing_session {
 				return Err!(Request(Unknown("Token login is not enabled.")));
@@ -150,7 +179,7 @@ pub(crate) async fn login_route(
 			services.users.find_from_login_token(token).await?
 		},
 		#[allow(deprecated)]
-		| LoginInfo::ApplicationService(login::v3::ApplicationService {
+		| login::v3::LoginInfo::ApplicationService(login::v3::ApplicationService {
 			identifier,
 			user,
 			..
@@ -184,6 +213,7 @@ pub(crate) async fn login_route(
 			user_id
 		},
 		| _ => {
+			debug!("/login json_body: {:?}", &body.json_body);
 			return Err!(Request(Unknown(
 				debug_warn!(?body.login_info, "Invalid or unsupported login type")
 			)));
@@ -213,7 +243,7 @@ pub(crate) async fn login_route(
 	if device_exists {
 		services
 			.users
-			.set_token(&user_id, &device_id, &token, None)
+			.set_token(&user_id, &device_id, &token)
 			.await?;
 	} else {
 		services
@@ -222,7 +252,6 @@ pub(crate) async fn login_route(
 				&user_id,
 				&device_id,
 				&token,
-				None,
 				body.initial_device_display_name.clone(),
 				Some(client.to_string()),
 			)
@@ -261,7 +290,7 @@ pub(crate) async fn login_token_route(
 	ClientIp(client): ClientIp,
 	body: Ruma<get_login_token::v1::Request>,
 ) -> Result<get_login_token::v1::Response> {
-	if !services.config.login_via_existing_session {
+	if !services.server.config.login_via_existing_session {
 		return Err!(Request(Forbidden("Login via an existing session is not enabled")));
 	}

@@ -270,7 +299,7 @@ pub(crate) async fn login_token_route(
 	// Prompt the user to confirm with their password using UIAA
 	let _ = services
 		.uiaa
-		.authenticate_password(&body.auth, sender_user, body.sender_device(), None)
+		.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
 		.await?;

 	let login_token = utils::random_string(TOKEN_LENGTH);
@@ -48,13 +48,6 @@ async fn load_timeline(
 	ending_count: Option<PduCount>,
 	limit: usize,
 ) -> Result<TimelinePdus> {
-	if let (Some(starting_count), Some(ending_count)) = (starting_count, ending_count) {
-		debug_assert!(
-			starting_count <= ending_count,
-			"starting count {starting_count} > ending count {ending_count}"
-		);
-	}
-
 	let mut pdu_stream = match starting_count {
 		| Some(starting_count) => {
 			let last_timeline_count = services
@@ -38,7 +38,6 @@ use ruma::{
 	uint,
 };
 use service::{account_data::AnyRawAccountDataEvent, rooms::short::ShortStateHash};
-use tokio::pin;

 use super::{load_timeline, share_encrypted_room};
 use crate::client::{
@@ -97,19 +96,12 @@ pub(super) async fn load_joined_room(
 		);
 	}

-	let state_events =
-		StateEvents::with_events(state_events.into_iter().map(Event::into_format).collect());
-
 	let joined_room = assign!(JoinedRoom::new(), {
 		account_data,
 		summary: summary.unwrap_or_default(),
 		unread_notifications: notification_counts.unwrap_or_default(),
 		timeline,
-		state: if sync_context.use_state_after {
-			RoomState::After(state_events)
-		} else {
-			RoomState::Before(state_events)
-		},
+		state: RoomState::Before(StateEvents::with_events(state_events.into_iter().map(Event::into_format).collect())),
 		ephemeral,
 		unread_thread_notifications: BTreeMap::new(),
 	});
@@ -352,7 +344,7 @@ struct ShortStateHashes {
 #[tracing::instrument(level = "debug", skip_all)]
 async fn fetch_shortstatehashes(
 	services: &Services,
-	SyncContext { last_sync_end_count, .. }: SyncContext<'_>,
+	SyncContext { last_sync_end_count, current_count, .. }: SyncContext<'_>,
 	room_id: &RoomId,
 ) -> Result<ShortStateHashes> {
 	// the room state currently.
@@ -362,41 +354,46 @@ async fn fetch_shortstatehashes(
 		.rooms
 		.state
 		.get_room_shortstatehash(room_id)
-		.map_err(|_| err!(Database(error!("Room {room_id} has no state"))))
-		.await?;
+		.map_err(|_| err!(Database(error!("Room {room_id} has no state"))));

-	// The room state as of the end of the last sync.
-	// This will be None if we are doing an initial sync.
+	// the room state as of the end of the last sync.
+	// this will be None if we are doing an initial sync or if we just joined this
+	// room.
 	let last_sync_end_shortstatehash =
-		OptionFuture::from(last_sync_end_count.map(async |last_sync_end_count| {
-			pin! {
-				let pdus = services
-					.rooms
-					.timeline
-					.pdus(room_id, Some(PduCount::Normal(last_sync_end_count)))
-					.ignore_err();
-			}
-
-			match pdus.next().await {
-				| Some((_, pdu_after_last_sync_end)) => {
-					trace!(?pdu_after_last_sync_end.event_id, "pdu at last sync end");
-
-					services
-						.rooms
-						.state_accessor
-						.pdu_shortstatehash(&pdu_after_last_sync_end.event_id)
-						.await
-						.map_err(|err| err!("Last sync end PDU has no shortstatehash: {err}"))
-				},
-				| None => {
-					// No events have been sent since the last sync, or we just joined this room,
-					// so the state then is the same as the state now
-					Ok(current_shortstatehash)
-				},
-			}
+		OptionFuture::from(last_sync_end_count.map(|last_sync_end_count| {
+			// look up the shortstatehash saved by the last sync's call to
+			// `associate_token_shortstatehash`
+			services
+				.rooms
+				.user
+				.get_token_shortstatehash(room_id, last_sync_end_count)
+				.inspect_err(move |_| {
+					debug_warn!(
+						token = last_sync_end_count,
+						"Room has no shortstatehash for this token"
+					);
+				})
+				.ok()
 		}))
-		.await
-		.transpose()?;
+		.map(Option::flatten)
+		.map(Ok);
+
+	let (current_shortstatehash, last_sync_end_shortstatehash) =
+		try_join(current_shortstatehash, last_sync_end_shortstatehash).await?;
+
+	/*
+	associate the `current_count` with the `current_shortstatehash`, so we can
+	use it on the next sync as the `last_sync_end_shortstatehash`.
+
+	TODO: the table written to by this call grows extremely fast, gaining one new entry for each
+	joined room on _every single sync request_. we need to find a better way to remember the shortstatehash
+	between syncs.
+	*/
+	services
+		.rooms
+		.user
+		.associate_token_shortstatehash(room_id, current_count, current_shortstatehash)
+		.await;

 	Ok(ShortStateHashes {
 		current_shortstatehash,
@@ -455,7 +452,6 @@ async fn build_state_events(
 		syncing_user,
 		last_sync_end_count,
 		full_state,
-		use_state_after,
 		..
 	} = sync_context;

@@ -464,28 +460,32 @@ async fn build_state_events(
 		last_sync_end_shortstatehash,
 	} = shortstatehashes;

-	let timeline_start_shortstatehash = if let Some((count, pdu)) = timeline.pdus.front() {
-		if matches!(count, PduCount::Backfilled(_)) {
-			// We don't have shortstatehashes for backfilled PDUs, the best we can
-			// do is to use the current state
-			current_shortstatehash
-		} else {
-			services
+	// the spec states that the `state` property only includes state events up to
+	// the beginning of the timeline, so we determine the state of the syncing room
+	// as of the first timeline event. NOTE: this explanation is not entirely
+	// accurate; see the implementation of `build_state_incremental`.
+	let timeline_start_shortstatehash = async {
+		if let Some((_, pdu)) = timeline.pdus.front() {
+			if let Ok(shortstatehash) = services
 				.rooms
 				.state_accessor
 				.pdu_shortstatehash(&pdu.event_id)
 				.await
-				.map_err(|err| err!("Timeline start has no shortstatehash: {err}"))?
+			{
+				return shortstatehash;
+			}
 		}
-	} else {
-		// if the timeline is empty there can't possibly be any changes to the state
-		return Ok(vec![]);
+
+		current_shortstatehash
 	};

 	// the user IDs of members whose membership needs to be sent to the client, if
 	// lazy-loading is enabled.
 	let lazily_loaded_members =
-		prepare_lazily_loaded_members(services, sync_context, room_id, timeline.senders()).await;
+		prepare_lazily_loaded_members(services, sync_context, room_id, timeline.senders());
+
+	let (timeline_start_shortstatehash, lazily_loaded_members) =
+		join(timeline_start_shortstatehash, lazily_loaded_members).await;

 	// compute the state delta between the previous sync and this sync.
 	match (last_sync_end_count, last_sync_end_shortstatehash) {
@@ -494,15 +494,16 @@ async fn build_state_events(
 		is Some (meaning the syncing user didn't just join this room for the first time ever), and `full_state` is false,
 		then use `build_state_incremental`.
 		*/
-		| (Some(_), Some(last_sync_end_shortstatehash)) if !full_state =>
+		| (Some(last_sync_end_count), Some(last_sync_end_shortstatehash)) if !full_state =>
 			build_state_incremental(
 				services,
 				syncing_user,
+				room_id,
+				PduCount::Normal(last_sync_end_count),
 				last_sync_end_shortstatehash,
 				timeline_start_shortstatehash,
 				current_shortstatehash,
 				timeline,
-				use_state_after,
 				lazily_loaded_members.as_ref(),
 			)
 			.boxed()
@@ -517,8 +518,6 @@ async fn build_state_events(
 				services,
 				syncing_user,
 				timeline_start_shortstatehash,
-				current_shortstatehash,
-				use_state_after,
 				lazily_loaded_members.as_ref(),
 			)
 			.boxed()
@@ -599,25 +598,23 @@ async fn check_joined_since_last_sync(
 	ShortStateHashes { last_sync_end_shortstatehash, .. }: ShortStateHashes,
 	SyncContext { syncing_user, .. }: SyncContext<'_>,
 ) -> Result<bool> {
-	let Some(last_sync_end_shortstatehash) = last_sync_end_shortstatehash else {
-		// For initial syncs always return false, since there's no "last sync" for the
-		// user to have joined since.
-		return Ok(false);
+	// fetch the syncing user's membership event during the last sync.
+	// this will be None if `previous_sync_end_shortstatehash` is None.
+	let membership_during_previous_sync = match last_sync_end_shortstatehash {
+		| Some(last_sync_end_shortstatehash) => services
+			.rooms
+			.state_accessor
+			.state_get_content(
+				last_sync_end_shortstatehash,
+				&StateEventType::RoomMember,
+				syncing_user.as_str(),
+			)
+			.await
+			.inspect_err(|_| debug_warn!("User has no previous membership"))
+			.ok(),
+		| None => None,
 	};

-	// Fetch the syncing user's membership event during the last sync.
-	let membership_during_previous_sync = services
-		.rooms
-		.state_accessor
-		.state_get_content(
-			last_sync_end_shortstatehash,
-			&StateEventType::RoomMember,
-			syncing_user.as_str(),
-		)
-		.await
-		.inspect_err(|_| debug_warn!("User has no previous membership"))
-		.ok();
-
 	// TODO: If the requesting user got state-reset out of the room, this
 	// will be `true` when it shouldn't be. this function should never be called
 	// in that situation, but it may be if the membership cache didn't get updated.
@@ -181,9 +181,6 @@ pub(super) async fn load_left_room(
 		.collect::<Vec<_>>()
 		.await;

-	let state_events =
-		StateEvents::with_events(state_events.into_iter().map(Event::into_format).collect());
-
 	Ok(Some(assign!(LeftRoom::new(), {
 		account_data: RoomAccountData::new(),
 		timeline: assign!(Timeline::new(), {
@@ -191,11 +188,7 @@ pub(super) async fn load_left_room(
 			prev_batch: Some(current_count.to_string()),
 			events: raw_timeline_pdus,
 		}),
-		state: if sync_context.use_state_after {
-			State::After(state_events)
-		} else {
-			State::Before(state_events)
-		},
+		state: State::Before(StateEvents::with_events(state_events.into_iter().map(Event::into_format).collect())),
 	})))
 }

@@ -271,8 +264,6 @@ async fn build_left_state_and_timeline(
 		services,
 		syncing_user,
 		timeline_start_shortstatehash,
-		leave_shortstatehash,
-		sync_context.use_state_after,
 		lazily_loaded_members.as_ref(),
 	)
 	.await?;
@@ -11,11 +11,12 @@ use std::{
 use axum::extract::State;
 use axum_client_ip::ClientIp;
 use conduwuit::{
-	Err, Result, at, error, extract_variant,
+	Err, Result, at, extract_variant,
 	utils::{
 		ReadyExt, TryFutureExtExt,
 		stream::{BroadbandExt, Tools, WidebandExt},
 	},
+	warn,
 };
 use conduwuit_service::Services;
 use futures::{FutureExt, StreamExt, TryFutureExt, future::OptionFuture};
@@ -109,9 +110,6 @@ struct SyncContext<'a> {
 	/// The sync filter, which the client uses to specify what data should be
 	/// included in the sync response.
 	filter: &'a FilterDefinition,
-	/// Whether the state at the end of the timeline should be used when
-	/// calculating state diffs for sync.
-	use_state_after: bool,
 }

 impl<'a> SyncContext<'a> {
@@ -263,7 +261,6 @@ pub(crate) async fn build_sync_events(
 		current_count,
 		full_state,
 		filter: &filter,
-		use_state_after: body.use_state_after,
 	};

 	let joined_rooms = services
@@ -276,7 +273,7 @@ pub(crate) async fn build_sync_events(
 			match joined_room {
 				| Ok((room, updates)) => Some((room_id, room, updates)),
 				| Err(err) => {
-					error!(?err, %room_id, "error loading joined room");
+					warn!(?err, %room_id, "error loading joined room");
 					None
 				},
 			}
@@ -305,7 +302,7 @@ pub(crate) async fn build_sync_events(
 				| Ok(Some(left_room)) => Some((room_id, left_room)),
 				| Ok(None) => None,
 				| Err(err) => {
-					error!(?err, %room_id, "error loading joined room");
+					warn!(?err, %room_id, "error loading joined room");
 					None
 				},
 			}
@@ -1,8 +1,11 @@
-use std::collections::HashSet;
+use std::{collections::BTreeSet, ops::ControlFlow};

 use conduwuit::{
-	Result, at,
-	matrix::{Event, pdu::PduEvent},
+	Result, at, is_equal_to,
+	matrix::{
+		Event,
+		pdu::{PduCount, PduEvent},
+	},
 	utils::{
 		BoolExt, IterStream, ReadyExt, TryFutureExtExt,
 		stream::{BroadbandExt, TryIgnore},
@@ -13,7 +16,9 @@ use conduwuit_service::{
 	rooms::{lazy_loading::MemberSet, short::ShortStateHash},
 };
 use futures::{FutureExt, StreamExt};
-use ruma::{OwnedEventId, UserId, events::StateEventType};
+use itertools::Itertools;
+use ruma::{OwnedEventId, RoomId, UserId, events::StateEventType};
+use service::rooms::short::ShortEventId;
 use tracing::trace;

 use crate::client::TimelinePdus;
@@ -34,19 +39,13 @@ pub(super) async fn build_state_initial(
 	services: &Services,
 	sender_user: &UserId,
 	timeline_start_shortstatehash: ShortStateHash,
-	timeline_end_shortstatehash: ShortStateHash,
-	use_state_after: bool,
 	lazily_loaded_members: Option<&MemberSet>,
 ) -> Result<Vec<PduEvent>> {
 	// load the keys and event IDs of the state events at the start of the timeline
 	let (shortstatekeys, event_ids): (Vec<_>, Vec<_>) = services
 		.rooms
 		.state_accessor
-		.state_full_ids(if use_state_after {
-			timeline_end_shortstatehash
-		} else {
-			timeline_start_shortstatehash
-		})
+		.state_full_ids(timeline_start_shortstatehash)
 		.unzip()
 		.await;

@@ -93,34 +92,82 @@ pub(super) async fn build_state_initial(
 pub(super) async fn build_state_incremental<'a>(
 	services: &Services,
 	sender_user: &'a UserId,
+	room_id: &RoomId,
+	last_sync_end_count: PduCount,
 	last_sync_end_shortstatehash: ShortStateHash,
 	timeline_start_shortstatehash: ShortStateHash,
 	timeline_end_shortstatehash: ShortStateHash,
 	timeline: &TimelinePdus,
-	use_state_after: bool,
 	lazily_loaded_members: Option<&'a MemberSet>,
 ) -> Result<Vec<PduEvent>> {
-	let mut state_event_ids: HashSet<OwnedEventId> = HashSet::new();
+	/*
+	NB: a limited sync is one where `timeline.limited == true`. Synapse calls this a "gappy" sync internally.

-	trace!(
-		%use_state_after,
-		%last_sync_end_shortstatehash,
-		%timeline_start_shortstatehash,
-		%timeline_end_shortstatehash,
-		"computing state for incremental sync"
-	);
+	The algorithm implemented in this function is, currently, quite different from the algorithm vaguely described
+	by the Matrix specification. This is because the specification's description of the `state` property does not accurately
+	reflect how Synapse behaves, and therefore how client SDKs behave. Notable differences include:
+	1. We do not compute the delta using the naive approach of "every state event from the end of the last sync
+	   up to the start of this sync's timeline". see below for details.
+	2. If lazy-loading is enabled, we include lazily-loaded membership events. The specific users to include are determined
+	   elsewhere and supplied to this function in the `lazily_loaded_members` parameter.
+	*/

-	// Fetch lazy-loaded membership events if lazy-loading is enabled
-	if let Some(lazily_loaded_members) = lazily_loaded_members
-		&& !lazily_loaded_members.is_empty()
-	{
-		trace!("including lazy membership events for members: {:?}", lazily_loaded_members);
+	/*
+	the `state` property of an incremental sync which isn't limited are _usually_ empty.
+	(note: the specification says that the `state` property is _always_ empty for limited syncs, which is incorrect.)
+	however, if an event in the timeline (`timeline.pdus`) merges a split in the room's DAG (i.e. has multiple `prev_events`),
+	the state at the _end_ of the timeline may include state events which were merged in and don't exist in the state
+	at the _start_ of the timeline. because this is uncommon, we check here to see if any events in the timeline
+	merged a split in the DAG.

-		services
+	see: https://github.com/element-hq/synapse/issues/16941
+	*/
+
+	let timeline_is_linear = timeline.pdus.is_empty() || {
+		let last_pdu_of_last_sync = services
 			.rooms
-			.short
-			.multi_get_eventid_from_short::<'_, OwnedEventId, _>(
-				lazily_loaded_members
+			.timeline
+			.pdus_rev(room_id, Some(last_sync_end_count.saturating_add(1)))
+			.boxed()
+			.next()
+			.await
+			.transpose()
+			.expect("last sync should have had some PDUs")
+			.map(at!(1));
+
+		// make sure the prev_events of each pdu in the timeline refer only to the
+		// previous pdu
+		timeline
+			.pdus
+			.iter()
+			.try_fold(last_pdu_of_last_sync.map(|pdu| pdu.event_id), |prev_event_id, (_, pdu)| {
+				if let Ok(pdu_prev_event_id) = pdu.prev_events.iter().exactly_one() {
+					if prev_event_id
+						.as_ref()
+						.is_none_or(is_equal_to!(pdu_prev_event_id))
+					{
+						return ControlFlow::Continue(Some(pdu_prev_event_id.to_owned()));
+					}
+				}
+
+				trace!(
+					"pdu {:?} has split prev_events (expected {:?}): {:?}",
+					pdu.event_id, prev_event_id, pdu.prev_events
+				);
+				ControlFlow::Break(())
+			})
+			.is_continue()
+	};
+
+	if timeline_is_linear && !timeline.limited {
+		// if there are no splits in the DAG and the timeline isn't limited, then
+		// `state` will always be empty unless lazy loading is enabled.
+
+		if let Some(lazily_loaded_members) = lazily_loaded_members {
+			if !timeline.pdus.is_empty() {
+				// lazy loading is enabled, so we return the membership events which were
+				// requested by the caller.
+				let lazy_membership_events: Vec<_> = lazily_loaded_members
 					.iter()
 					.stream()
 					.broad_filter_map(|user_id| async move {
@@ -131,24 +178,71 @@ pub(super) async fn build_state_incremental<'a>(
 						services
 							.rooms
 							.state_accessor
-							.state_get_shortid(
+							.state_get(
 								timeline_start_shortstatehash,
 								&StateEventType::RoomMember,
 								user_id.as_str(),
 							)
 							.ok()
 							.await
-					}),
-			)
-			.ignore_err()
-			.ready_for_each(|event_id| {
-				state_event_ids.insert(event_id);
-			})
-			.await;
+					})
+					.collect()
+					.await;
+
+				if !lazy_membership_events.is_empty() {
+					trace!(
+						"syncing lazy membership events for members: {:?}",
+						lazy_membership_events
+							.iter()
+							.map(|pdu| pdu.state_key().unwrap())
+							.collect::<Vec<_>>()
+					);
+				}
+				return Ok(lazy_membership_events);
+			}
+		}
+
+		// lazy loading is disabled, `state` is empty.
+		return Ok(vec![]);
 	}

-	// Fetch the state events added since the last sync.
-	services
+	/*
+	at this point, either the timeline is `limited` or the DAG has a split in it. this necessitates
+	computing the incremental state (which may be empty).
+
+	NOTE: this code path does not use the `lazy_membership_events` parameter. any changes to membership will be included
+	in the incremental state. therefore, the incremental state may include "redundant" membership events,
+	which we do not filter out because A. the spec forbids lazy-load filtering if the timeline is `limited`,
+	and B. DAG splits which require sending extra membership state events are (probably) uncommon enough that
+	the performance penalty is acceptable.
+	*/
+
+	trace!(%timeline_is_linear, %timeline.limited, "computing state for incremental sync");
+
+	// fetch the shorteventids of state events in the timeline
+	let state_events_in_timeline: BTreeSet<ShortEventId> = services
+		.rooms
+		.short
+		.multi_get_or_create_shorteventid(timeline.pdus.iter().filter_map(|(_, pdu)| {
+			if pdu.state_key().is_some() {
+				Some(pdu.event_id.as_ref())
+			} else {
+				None
+			}
+		}))
+		.collect()
+		.await;
+
+	trace!("{} state events in timeline", state_events_in_timeline.len());
+
+	/*
+	fetch the state events which were added since the last sync.
+
+	specifically we fetch the difference between the state at the last sync and the state at the _end_
+	of the timeline, and then we filter out state events in the timeline itself using the shorteventids we fetched.
+	this is necessary to account for splits in the DAG, as explained above.
+	*/
+	let state_diff = services
 		.rooms
 		.short
 		.multi_get_eventid_from_short::<'_, OwnedEventId, _>(
@@ -158,29 +252,18 @@ pub(super) async fn build_state_incremental<'a>(
 				.state_added((last_sync_end_shortstatehash, timeline_end_shortstatehash))
 				.await?
 				.stream()
-				.map(at!(1)),
+				.ready_filter_map(|(_, shorteventid)| {
+					if state_events_in_timeline.contains(&shorteventid) {
+						None
+					} else {
+						Some(shorteventid)
+					}
+				}),
 		)
-		.ignore_err()
-		.ready_for_each(|event_id| {
-			state_event_ids.insert(event_id);
-		})
-		.await;
+		.ignore_err();

-	if !use_state_after {
-		// If state_after isn't enabled, filter out state events which also exist
-		// in the timeline. If splits exist in the DAG, this may not be exactly the same
-		// thing as the state diff ending at the start of the timeline, but Synapse
-		// also does this and it's technically more useful behavior anyway.
-		// See: https://github.com/element-hq/synapse/issues/16941
-
-		for (_, pdu) in &timeline.pdus {
-			state_event_ids.remove(pdu.event_id());
-		}
-	}
-
-	// Finally, fetch the PDU contents and collect them into a vec
-	let state_diff_pdus = state_event_ids
-		.stream()
+	// finally, fetch the PDU contents and collect them into a vec
+	let state_diff_pdus = state_diff
 		.broad_filter_map(|event_id| async move {
 			services
 				.rooms
@@ -15,7 +15,7 @@ use conduwuit::{
 		BoolExt, FutureBoolExt, IterStream, ReadyExt, TryFutureExtExt,
 		future::ReadyEqExt,
 		math::{ruma_from_usize, usize_from_ruma},
-		stream::{TryIgnore, WidebandExt},
+		stream::WidebandExt,
 	},
 	warn,
 };
@@ -41,7 +41,6 @@ use ruma::{
 	uint,
 };
 use service::account_data::AnyRawAccountDataEvent;
-use tokio::pin;

 use super::share_encrypted_room;
 use crate::{
@@ -70,6 +69,7 @@ pub(crate) async fn sync_events_v5_route(
 	ClientIp(client_ip): ClientIp,
 	body: Ruma<sync_events::v5::Request>,
 ) -> Result<sync_events::v5::Response> {
+	debug_assert!(DEFAULT_BUMP_TYPES.is_sorted(), "DEFAULT_BUMP_TYPES is not sorted");
 	let ref sender_user = body.sender_user().to_owned();
 	let ref sender_device = body.sender_device().to_owned();

@@ -858,27 +858,12 @@ where
 			continue;
 		};

-		let since_shortstatehash = async {
-			pin! {
-				let pdus_rev = services
-					.rooms
-					.timeline
-					.pdus_rev(room_id, Some(PduCount::Normal(globalsince.saturating_sub(1))))
-					.ignore_err();
-			}
-
-			let (_, pdu_at_last_sync_end) = pdus_rev.next().await?;
-
-			Some(
-				services
-					.rooms
-					.state_accessor
-					.pdu_shortstatehash(&pdu_at_last_sync_end.event_id)
-					.await
-					.expect("pdu should have a shortstatehash"),
-			)
-		}
-		.await;
+		let since_shortstatehash = services
+			.rooms
+			.user
+			.get_token_shortstatehash(room_id, globalsince)
+			.await
+			.ok();

 		let encrypted_room = services
 			.rooms
@@ -1,8 +1,7 @@
+use std::collections::BTreeMap;
+
 use axum::{Json, extract::State, response::IntoResponse};
-use conduwuit::{
-	Result,
-	matrix::versions::{unstable_features, versions},
-};
+use conduwuit::Result;
 use futures::StreamExt;
 use ruma::{api::client::discovery::get_supported_versions, assign};

@@ -23,10 +22,47 @@ use crate::Ruma;
 pub(crate) async fn get_supported_versions_route(
 	_body: Ruma<get_supported_versions::Request>,
 ) -> Result<get_supported_versions::Response> {
-	Ok(assign!(
-		get_supported_versions::Response::new(versions()),
-		{ unstable_features: unstable_features() }
-	))
+	let versions = vec![
+		"r0.0.1".to_owned(),
+		"r0.1.0".to_owned(),
+		"r0.2.0".to_owned(),
+		"r0.3.0".to_owned(),
+		"r0.4.0".to_owned(),
+		"r0.5.0".to_owned(),
+		"r0.6.0".to_owned(),
+		"r0.6.1".to_owned(),
+		"v1.1".to_owned(),
+		"v1.2".to_owned(),
+		"v1.3".to_owned(),
+		"v1.4".to_owned(),
+		"v1.5".to_owned(),
+		"v1.8".to_owned(),
+		"v1.11".to_owned(),
+		"v1.12".to_owned(),
+		"v1.13".to_owned(),
+		"v1.14".to_owned(),
+	];
+
+	let unstable_features = BTreeMap::from_iter([
+		("org.matrix.e2e_cross_signing".to_owned(), true),
+		("org.matrix.msc2285.stable".to_owned(), true), /* private read receipts (https://github.com/matrix-org/matrix-spec-proposals/pull/2285) */
+		("uk.half-shot.msc2666.query_mutual_rooms".to_owned(), true), /* query mutual rooms (https://github.com/matrix-org/matrix-spec-proposals/pull/2666) */
+		("org.matrix.msc2836".to_owned(), true), /* threading/threads (https://github.com/matrix-org/matrix-spec-proposals/pull/2836) */
+		("org.matrix.msc2946".to_owned(), true), /* spaces/hierarchy summaries (https://github.com/matrix-org/matrix-spec-proposals/pull/2946) */
+		("org.matrix.msc3026.busy_presence".to_owned(), true), /* busy presence status (https://github.com/matrix-org/matrix-spec-proposals/pull/3026) */
+		("org.matrix.msc3814".to_owned(), true),               /* dehydrated devices */
+		("org.matrix.msc3827".to_owned(), true), /* filtering of /publicRooms by room type (https://github.com/matrix-org/matrix-spec-proposals/pull/3827) */
+		("org.matrix.msc3952_intentional_mentions".to_owned(), true), /* intentional mentions (https://github.com/matrix-org/matrix-spec-proposals/pull/3952) */
+		("org.matrix.msc3916.stable".to_owned(), true), /* authenticated media (https://github.com/matrix-org/matrix-spec-proposals/pull/3916) */
+		("org.matrix.msc4180".to_owned(), true), /* stable flag for 3916 (https://github.com/matrix-org/matrix-spec-proposals/pull/4180) */
+		("uk.tcpip.msc4133".to_owned(), true), /* Extending User Profile API with Key:Value Pairs (https://github.com/matrix-org/matrix-spec-proposals/pull/4133) */
+		("us.cloke.msc4175".to_owned(), true), /* Profile field for user time zone (https://github.com/matrix-org/matrix-spec-proposals/pull/4175) */
+		("org.matrix.simplified_msc3575".to_owned(), true), /* Simplified Sliding sync (https://github.com/matrix-org/matrix-spec-proposals/pull/4186) */
+		("uk.timedout.msc4323".to_owned(), true), /* agnostic suspend (https://github.com/matrix-org/matrix-spec-proposals/pull/4323) */
+		("org.matrix.msc4155".to_owned(), true), /* invite filtering (https://github.com/matrix-org/matrix-spec-proposals/pull/4155) */
+	]);
+
+	Ok(assign!(get_supported_versions::Response::new(versions), { unstable_features }))
 }

 /// # `GET /_conduwuit/server_version`
@@ -35,8 +71,8 @@ pub(crate) async fn get_supported_versions_route(
 /// `/_matrix/federation/v1/version`
 pub(crate) async fn conduwuit_server_version() -> Result<impl IntoResponse> {
 	Ok(Json(serde_json::json!({
-		"name": conduwuit::BRANDING,
-		"version": conduwuit::version(),
+		"name": conduwuit::version::name(),
+		"version": conduwuit::version::version(),
 	})))
 }

@@ -44,7 +80,7 @@ pub(crate) async fn conduwuit_server_version() -> Result<impl IntoResponse> {
 ///
 /// conduwuit-specific API to return the amount of users registered on this
 /// homeserver. Endpoint is disabled if federation is disabled for privacy. This
-/// only includes active users (not deactivated, etc)
+/// only includes active users (not deactivated, no guests, etc)
 pub(crate) async fn conduwuit_local_user_count(
 	State(services): State<crate::State>,
 ) -> Result<impl IntoResponse> {
@@ -2,8 +2,8 @@ use axum::extract::State;
 use conduwuit::{Err, Result};
 use ruma::{
 	api::client::discovery::{
-		discover_homeserver::{self, HomeserverInfo},
-		discover_policy_server, discover_support,
+		discover_homeserver::{self, HomeserverInfo, RtcFocusInfo},
+		discover_support::{self, Contact, ContactRole},
 	},
 	assign,
 };
@@ -31,8 +31,10 @@ pub(crate) async fn well_known_client(
 		rtc_foci: services
 			.config
 			.matrix_rtc
-			.foci
-			.clone()
+			.effective_foci(&services.config.well_known.rtc_focus_server_urls)
+			.into_iter()
+			.map(|focus| RtcFocusInfo::new(focus.transport_type(), focus.data().into_owned()).unwrap())
+			.collect()
 	}))
 }

@@ -46,7 +48,10 @@ pub(crate) async fn get_rtc_transports(
 	_body: Ruma<ruma::api::client::rtc::transports::v1::Request>,
 ) -> Result<ruma::api::client::rtc::transports::v1::Response> {
 	Ok(ruma::api::client::rtc::transports::v1::Response::new(
-		services.config.matrix_rtc.foci.clone(),
+		services
+			.config
+			.matrix_rtc
+			.effective_foci(&services.config.well_known.rtc_focus_server_urls),
 	))
 }

@@ -66,7 +71,46 @@ pub(crate) async fn well_known_support(
 		.as_ref()
 		.map(ToString::to_string);

-	let contacts = services.admin.get_support_contacts().await;
+	let email_address = services.config.well_known.support_email.clone();
+	let matrix_id = services.config.well_known.support_mxid.clone();
+	let pgp_key = services.config.well_known.support_pgp_key.clone();
+
+	// TODO: support defining multiple contacts in the config
+	let mut contacts: Vec<Contact> = vec![];
+
+	let role = services
+		.config
+		.well_known
+		.support_role
+		.clone()
+		.unwrap_or(ContactRole::Admin);
+
+	// Add configured contact if at least one contact method is specified
+	let configured_contact = match (matrix_id, email_address) {
+		| (Some(matrix_id), email_address) =>
+			Some(assign!(Contact::with_matrix_id(role, matrix_id), { email_address })),
+		| (None, Some(email_address)) => Some(Contact::with_email_address(role, email_address)),
+		| (None, None) => None,
+	};
+
+	if let Some(mut configured_contact) = configured_contact {
+		configured_contact.pgp_key = pgp_key;
+
+		contacts.push(configured_contact);
+	}
+
+	// Try to add admin users as contacts if no contacts are configured
+	if contacts.is_empty() {
+		let admin_users = services.admin.get_admins().await;
+
+		for user_id in &admin_users {
+			if *user_id == services.globals.server_user {
+				continue;
+			}
+
+			contacts.push(Contact::with_matrix_id(ContactRole::Admin, user_id.to_owned()));
+		}
+	}

 	if contacts.is_empty() && support_page.is_none() {
 		// No admin room, no configured contacts, and no support page
@@ -75,18 +119,3 @@ pub(crate) async fn well_known_support(

 	Ok(assign!(discover_support::Response::with_contacts(contacts), { support_page }))
 }
-
-/// # `GET /.well-known/matrix/policy_server`
-///
-/// Advertises the policy server's public key, allowing clients to discover the
-/// values to be set in m.room.policy. Introduced in spec v1.18.
-pub(crate) async fn well_known_policy_server(
-	State(services): State<crate::State>,
-	_body: Ruma<discover_policy_server::Request>,
-) -> Result<discover_policy_server::Response> {
-	if let Some(key) = services.config.well_known.policy_server_public_key.clone() {
-		Ok(discover_policy_server::Response::new(key))
-	} else {
-		Err!(Request(NotFound("No policy server available.")))
-	}
-}
@@ -1,5 +1,4 @@
 #![type_length_limit = "16384"] //TODO: reduce me
-#![recursion_limit = "256"] // My Giant Async Function
 #![allow(clippy::toplevel_ref_arg)]

 extern crate conduwuit_core as conduwuit;
@@ -10,7 +10,7 @@ use axum::{
 	response::{IntoResponse, Redirect},
 	routing::{any, get, post},
 };
-use conduwuit::err;
+use conduwuit::{Server, err};
 pub(super) use conduwuit_service::state::State;
 use http::{Uri, uri};

@@ -18,8 +18,8 @@ use self::handler::RouterExt;
 pub(super) use self::{args::Args as Ruma, response::RumaResponse};
 use crate::{admin, client, server};

-pub fn build(router: Router<State>, state: State) -> Router<State> {
-	let config = &state.server.config;
+pub fn build(router: Router<State>, server: &Server) -> Router<State> {
+	let config = &server.config;
 	let mut router = router
        .ruma_route(&client::appservice_ping)
 		.ruma_route(&client::get_supported_versions_route)
@@ -183,11 +183,8 @@ pub fn build(router: Router<State>, state: State) -> Router<State> {
 		.ruma_route(&client::put_suspended_status)
 		.ruma_route(&client::well_known_support)
 		.ruma_route(&client::well_known_client)
-		.ruma_route(&client::well_known_policy_server)
 		.ruma_route(&client::get_rtc_transports)
 		.ruma_route(&client::room_initial_sync_route)
-		.ruma_route(&client::get_authorization_server_metadata_route)
-		.merge(client::oauth::router(state))
 		.route("/_conduwuit/server_version", get(client::conduwuit_server_version))
 		.route("/_continuwuity/server_version", get(client::conduwuit_server_version))
 		.ruma_route(&admin::rooms::ban::ban_room)
@@ -1,7 +1,6 @@
 use std::any::{Any, TypeId};

-use conduwuit::{Err, Error, Result, err};
-use http::StatusCode;
+use conduwuit::{Err, Result, err};
 use ruma::{
 	OwnedDeviceId, OwnedServerName, OwnedUserId, UserId,
 	api::{
@@ -10,16 +9,12 @@ use ruma::{
 			AccessToken, AccessTokenOptional, AppserviceToken, AppserviceTokenOptional,
 			AuthScheme, NoAccessToken, NoAuthentication,
 		},
-		client,
-		error::{ErrorKind, UnknownTokenErrorData},
 		federation::authentication::ServerSignatures,
 	},
-	assign,
 };
 use service::{
 	Services,
 	server_keys::{PubKeyMap, PubKeys},
-	users::AccessTokenStatus,
 };

 use crate::{router::args::AuthQueryParams, service::appservice::RegistrationInfo};
@@ -90,21 +85,10 @@ impl CheckAuth for ServerSignatures {
 		let keys: PubKeyMap = [(output.origin.as_str().into(), keys)].into();

 		match output.verify_request(request, destination, &keys) {
-			| Ok(()) => {
-				if services
-					.moderation
-					.is_remote_server_forbidden(&output.origin)
-				{
-					return Err!(Request(Forbidden(
-						"You are blocked from federating with this server."
-					)));
-				}
-
-				Ok(Auth {
-					origin: Some(output.origin.clone()),
-					..Default::default()
-				})
-			},
+			| Ok(()) => Ok(Auth {
+				origin: Some(output.origin.clone()),
+				..Default::default()
+			}),
 			| Err(err) =>
 				Err!(Request(Unauthorized(warn!("Failed to verify X-Matrix header: {err}")))),
 		}
@@ -119,21 +103,12 @@ impl CheckAuth for AccessToken {
 		query: AuthQueryParams,
 		route: TypeId,
 	) -> Result<Auth> {
+		// Check for appservice tokens first
+
 		let (sender_user, sender_device, appservice_info) = {
-			if let Some((sender_user, sender_device, status)) =
+			if let Ok((sender_user, sender_device)) =
 				services.users.find_from_token(&output).await
 			{
-				// If the token is expired we return a soft logout
-				if matches!(status, AccessTokenStatus::Expired) {
-					return Err(Error::Request(
-						ErrorKind::UnknownToken(
-							assign!(UnknownTokenErrorData::new(), { soft_logout: true }),
-						),
-						"This token has expired".into(),
-						StatusCode::UNAUTHORIZED,
-					));
-				}
-
 				// Locked users can only use /logout and /logout/all
 				if services
 					.users
@@ -141,10 +116,11 @@ impl CheckAuth for AccessToken {
 					.await
 					.is_ok_and(std::convert::identity)
 				{
-					if !(route == TypeId::of::<client::session::logout::v3::Request>()
-						|| route == TypeId::of::<client::session::logout_all::v3::Request>())
-					{
-						return Err!(Request(UserLocked("Your account is locked.")));
+					if !(route == TypeId::of::<ruma::api::client::session::logout::v3::Request>()
+						|| route
+							== TypeId::of::<ruma::api::client::session::logout_all::v3::Request>(
+							)) {
+						return Err!(Request(Unauthorized("Your account is locked.")));
 					}
 				}

@@ -192,11 +168,7 @@ impl CheckAuth for AccessToken {

 				(Some(sender_user), sender_device, Some(appservice_info))
 			} else {
-				return Err(Error::Request(
-					ErrorKind::UnknownToken(UnknownTokenErrorData::new()),
-					"Invalid token".into(),
-					StatusCode::UNAUTHORIZED,
-				));
+				return Err!(Request(Unauthorized("Invalid access token.")));
 			}
 		};

@@ -286,19 +258,6 @@ impl CheckAuth for NoAccessToken {
 			err!(Request(Unauthorized(warn!("Failed to extract authorization: {}", err))))
 		})?;

-		// Check special access restrictions
-		if (route == TypeId::of::<client::profile::get_avatar_url::v3::Request>()
-			|| route == TypeId::of::<client::profile::get_display_name::v3::Request>()
-			|| route == TypeId::of::<client::profile::get_profile_field::v3::Request>()
-			|| route == TypeId::of::<client::profile::get_profile::v3::Request>())
-			&& services.config.require_auth_for_profile_requests
-			&& token.is_none()
-		{
-			return Err!(Request(Unauthorized(
-				"This server requires authentication to access user profiles."
-			)));
-		}
-
 		<AccessTokenOptional as CheckAuth>::verify(services, token, request, query, route).await
 	}
 }
@@ -22,15 +22,6 @@ pub(crate) async fn get_event_route(
 		.await
 		.map_err(|_| err!(Request(NotFound("Event not found."))))?;

-	if services
-		.rooms
-		.pdu_metadata
-		.is_event_rejected(&body.event_id)
-		.await
-	{
-		return Err!(Request(NotFound("Event not found.")));
-	}
-
 	let room_id: &RoomId = event
 		.get("room_id")
 		.and_then(|val| val.as_str())
--- a/Show More
+++ b/Show More
				`@@ -1 +0,0 @@`
				Users may now be forbidden from deactivating their own accounts with the new `allow_deactivation` config option. Contributed by @ginger.
				`@@ -1 +0,0 @@`
				Added support for Matrix 1.16's `state_after` feature, allowing clients which understand it to sync room state changes more reliably. Contributed by @ginger.
				`@@ -1 +0,0 @@`
				`Added support for authenticating clients using the new OAuth 2.0 login API. Contributed by @ginger.`
				`@@ -1 +0,0 @@`
				`Removed support for guest user registration, a little-used and deprecated approach to room previews.`
				`@@ -1 +0,0 @@`
				The deprecated `well_known.rtc_focus_server_urls` config option has been removed. MatrixRTC foci should be configured using the `matrix_rtc.foci` config option.
				`@@ -1 +0,0 @@`
				`The version of Debian that the Docker-based build process uses has been upgraded from Bookworm to Trixie, meaning that standalone binaries now have a minimum glibc of 2.41, and can no longer be used on distro versions from before 2025-01-30`
				`@@ -1 +0,0 @@`
				`Support for server-side blurhashing (part of MSC2448) has been removed.`
				`@@ -1 +0,0 @@`
				`Updated [MSC4284: Policy Servers](https://github.com/matrix-org/matrix-spec-proposals/pull/4284) implementation to support the newly stabilised proposal. Contributed by @nex.`
				`@@ -1 +0,0 @@`
				`Add performance tuning documentation. Contributed by @stratself.`
				`@@ -1 +0,0 @@`
				`Added config option for default room ACLs. Contributed by @eve.`