style: Run linter

feat: Reduce verbosity of "remote server couldn't process pdu" warning
fix: Only pop unsigned from PDUs
2026-05-26 20:49:55 +00:00 · 2026-03-29 15:16:54 +01:00 · 2026-03-29 14:28:33 +01:00 · 2026-03-29 14:21:30 +01:00 · 2026-03-29 14:18:13 +01:00 · 2026-03-29 13:42:49 +01:00
97 changed files with 2259 additions and 942 deletions
@@ -75,7 +75,7 @@ runs:

    - name: Set up QEMU
      if: ${{ env.BUILDKIT_ENDPOINT == '' }}
-      uses: docker/setup-qemu-action@v3
+      uses: docker/setup-qemu-action@v4

    - name: Login to builtin registry
      if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
@@ -62,10 +62,6 @@ sync:
    target: registry.gitlab.com/continuwuity/continuwuity
    type: repository
    <<: *tags-main
-  - source: *source
-    target: git.nexy7574.co.uk/mirrored/continuwuity
-    type: repository
-    <<: *tags-releases
  - source: *source
    target: ghcr.io/continuwuity/continuwuity
    type: repository
@@ -0,0 +1,103 @@
+name: Check Changelog
+
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened, ready_for_review]
+
+
+concurrency:
+  group: "${{ github.workflow }}-${{ github.ref }}"
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+  pull-requests: write
+  issues: write
+
+jobs:
+  check-changelog:
+    name: Check for changelog
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          fetch-depth: 0
+          persist-credentials: false
+          sparse-checkout: .
+
+      - name: Check for changelog entry
+        id: check_files
+        run: |
+          git fetch origin ${GITHUB_BASE_REF}
+
+          # Check for Added (A) or Modified (M) files in changelog.d
+          CHANGELOG_CHANGES=$(git diff --name-status origin/${GITHUB_BASE_REF} HEAD -- changelog.d/)
+
+          SRC_CHANGES=$(git diff --name-status origin/${GITHUB_BASE_REF} HEAD -- src/)
+
+          echo "Changes in changelog.d/:"
+          echo "$CHANGELOG_CHANGES"
+          echo "Changes in src/:"
+          echo "$SRC_CHANGES"
+
+          if echo "$CHANGELOG_CHANGES" | grep -q "^[AM]"; then
+            echo "has_changelog=true" >> $GITHUB_OUTPUT
+          else
+            echo "has_changelog=false" >> $GITHUB_OUTPUT
+          fi
+
+          if [ -n "$SRC_CHANGES" ]; then
+            echo "src_changed=true" >> $GITHUB_OUTPUT
+          else
+            echo "src_changed=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Manage PR Comment
+        uses: https://github.com/actions/github-script@v8
+        env:
+          HAS_CHANGELOG: ${{ steps.check_files.outputs.has_changelog }}
+          SRC_CHANGED: ${{ steps.check_files.outputs.src_changed }}
+        with:
+          script: |
+            const hasChangelog = process.env.HAS_CHANGELOG === 'true';
+            const srcChanged = process.env.SRC_CHANGED === 'true';
+            const commentSignature = '<!-- changelog-check-action -->';
+            const commentBody = `${commentSignature}\nPlease add a changelog fragment to \`changelog.d/\` describing your changes.`;
+
+            const { data: currentUser } = await github.rest.users.getAuthenticated();
+
+            const { data: comments } = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+            });
+
+            const botComment = comments.find(comment =>
+              comment.user.id === currentUser.id &&
+              comment.body.includes(commentSignature)
+            );
+
+            const shouldWarn = srcChanged && !hasChangelog;
+
+            if (!shouldWarn) {
+              if (botComment) {
+                console.log('Changelog found or not required. Deleting existing warning comment.');
+                await github.rest.issues.deleteComment({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  comment_id: botComment.id,
+                });
+              }
+            } else {
+              if (!botComment) {
+                console.log('Changelog missing and required. Creating warning comment.');
+                await github.rest.issues.createComment({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  issue_number: context.issue.number,
+                  body: commentBody,
+                });
+              }
+            }
@@ -1,4 +1,4 @@
 github: [JadedBlueEyes, nexy7574, gingershaped]
 custom:
-  - https://ko-fi.com/nexy7574
-  - https://ko-fi.com/JadedBlueEyes
+  - https://timedout.uk/donate.html
+  - https://jade.ellis.link/sponsors
@@ -36,7 +36,7 @@ prek install
 prek --all-files
 ```

-Alternatively, you can use [pre-commit](https://pre-commit.com/):
+Alternatively, you can use [pre-commit][pre-commit]:
 ```bash
 # Requires python

@@ -52,6 +52,8 @@ pre-commit run --all-files

 These same checks are run in CI via the prek-checks workflow to ensure consistency. These must pass before the PR is merged.

+[pre-commit]: https://pre-commit.com/
+
 ### Running tests locally

 Tests, compilation, and linting can be run with standard Cargo commands:
@@ -109,7 +111,7 @@ Alternatively, you can build the documentation using `npm run docs:build` - the

 ### Commit Messages

-Continuwuity follows the [Conventional Commits](https://www.conventionalcommits.org/) specification for commit messages. This provides a standardized format that makes the commit history more readable and enables automated tools to generate changelogs.
+Continuwuity follows the [Conventional Commits][conventional-commits] specification for commit messages. This provides a standardized format that makes the commit history more readable and enables automated tools to generate changelogs.

 The basic structure is:

@@ -168,6 +170,7 @@ Contribution by users who violate either of these code of conducts may not have
 their contributions accepted. This includes users who have been banned from
 continuwuity Matrix rooms for Code of Conduct violations.

+[conventional-commits]: https://www.conventionalcommits.org/
 [issues]: https://forgejo.ellis.link/continuwuation/continuwuity/issues
 [continuwuity-matrix]: https://matrix.to/#/#continuwuity:continuwuity.org?via=continuwuity.org&via=ellis.link&via=explodie.org&via=matrix.org
 [complement]: https://github.com/matrix-org/complement/
@@ -175,3 +178,32 @@ continuwuity Matrix rooms for Code of Conduct violations.
 [nodejs-download]: https://nodejs.org/en/download
 [rspress]: https://rspress.rs/
 [documentation.yml]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/.forgejo/workflows/documentation.yml
+
+#### Writing news fragments
+
+In order to make writing our changelogs easier, we make use of [Towncrier]. Towncrier builds changelogs based on
+"news fragments", which are little markdown files in the `changelog.d/` directory that describe individual changes.
+
+When you make a pull request that changes functionality, fixes a bug, or adds documentation, please add a news fragment
+describing your change. The file name *MUST* be in the format of `{pull_request_number}.{type}`, where `{type}` is one
+of the following:
+
+- `feature` - for new features
+- `bugfix` - for bug fixes
+- `doc` - for documentation changes
+- `misc` - for other changes that don't fit the above categories
+
+For example:
+
+```bash
+$ echo "Fixed the quantum flux stabiliser. Contributed by @alice." > changelog.d/42.bugfix
+```
+
+(Note: If you want to credit yourself, you should reference your forgejo handle, however links to other platforms are also acceptable.)
+
+When the next release is made, Towncrier will automatically include your news fragment in the changelog.
+
+You can read more about writing news fragments in the [Towncrier tutorial][tt].
+
+[Towncrier]: https://towncrier.readthedocs.io/
+[tt]: https://towncrier.readthedocs.io/en/stable/tutorial.html#creating-news-fragments
@@ -93,10 +93,19 @@ dependencies = [
 ]

 [[package]]
-name = "anstyle"
-version = "1.0.13"
+name = "ansi-width"
+version = "0.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5192cca8006f1fd4f7237516f40fa183bb07f8fbdfedaa0036de5ea9b0b45e78"
+checksum = "219e3ce6f2611d83b51ec2098a12702112c29e57203a6b0a0929b2cddb486608"
+dependencies = [
+ "unicode-width 0.1.14",
+]
+
+[[package]]
+name = "anstyle"
+version = "1.0.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "940b3a0ca603d1eade50a4846a2afffd5ef57a9feac2c0e2ec2e14f9ead76000"

 [[package]]
 name = "anyhow"
@@ -221,7 +230,7 @@ dependencies = [
 "serde",
 "serde_derive",
 "unicode-ident",
- "winnow",
+ "winnow 0.7.15",
 ]

 [[package]]
@@ -271,8 +280,8 @@ checksum = "5f093eed78becd229346bf859eec0aa4dd7ddde0757287b2b4107a1f09c80002"

 [[package]]
 name = "async-channel"
-version = "2.3.1"
-source = "git+https://forgejo.ellis.link/continuwuation/async-channel?rev=92e5e74063bf2a3b10414bcc8a0d68b235644280#92e5e74063bf2a3b10414bcc8a0d68b235644280"
+version = "2.5.0"
+source = "git+https://forgejo.ellis.link/continuwuation/async-channel?rev=e990f0006b68dc9bace7a3c95fc90b5c4e44948d#e990f0006b68dc9bace7a3c95fc90b5c4e44948d"
 dependencies = [
 "concurrent-queue",
 "event-listener-strategy",
@@ -461,6 +470,7 @@ dependencies = [
 "axum",
 "axum-core",
 "bytes",
+ "cookie",
 "futures-core",
 "futures-util",
 "headers",
@@ -750,9 +760,9 @@ dependencies = [

 [[package]]
 name = "cc"
-version = "1.2.56"
+version = "1.2.57"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "aebf35691d1bfb0ac386a69bac2fde4dd276fb618cf8bf4f5318fe285e821bb2"
+checksum = "7a0dd1ca384932ff3641c8718a02769f1698e7563dc6974ffd03346116310423"
 dependencies = [
 "find-msvc-tools",
 "jobserver",
@@ -823,9 +833,9 @@ dependencies = [

 [[package]]
 name = "clap"
-version = "4.5.60"
+version = "4.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2797f34da339ce31042b27d23607e051786132987f595b02ba4f6a6dffb7030a"
+checksum = "b193af5b67834b676abd72466a96c1024e6a6ad978a1f484bd90b85c94041351"
 dependencies = [
 "clap_builder",
 "clap_derive",
@@ -833,9 +843,9 @@ dependencies = [

 [[package]]
 name = "clap_builder"
-version = "4.5.60"
+version = "4.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "24a241312cea5059b13574bb9b3861cabf758b879c15190b37b6d6fd63ab6876"
+checksum = "714a53001bf66416adb0e2ef5ac857140e7dc3a0c48fb28b2f10762fc4b5069f"
 dependencies = [
 "anstyle",
 "clap_lex",
@@ -843,9 +853,9 @@ dependencies = [

 [[package]]
 name = "clap_derive"
-version = "4.5.55"
+version = "4.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a92793da1a46a5f2a02a6f4c46c6496b28c43638adea8306fcb0caa1634f24e5"
+checksum = "1110bd8a634a1ab8cb04345d8d878267d57c3cf1b38d91b71af6686408bbca6a"
 dependencies = [
 "heck",
 "proc-macro2",
@@ -855,9 +865,9 @@ dependencies = [

 [[package]]
 name = "clap_lex"
-version = "1.0.0"
+version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3a822ea5bc7590f9d40f1ba12c0dc3c2760f3482c6984db1573ad11031420831"
+checksum = "c8d4a3bb8b1e0c1050499d1815f5ab16d04f0959b233085fb31653fbfc9d98f9"

 [[package]]
 name = "cmake"
@@ -905,7 +915,7 @@ dependencies = [

 [[package]]
 name = "conduwuit"
-version = "0.5.6"
+version = "0.5.7-alpha.1"
 dependencies = [
 "clap",
 "conduwuit_admin",
@@ -937,7 +947,7 @@ dependencies = [

 [[package]]
 name = "conduwuit_admin"
-version = "0.5.6"
+version = "0.5.7-alpha.1"
 dependencies = [
 "clap",
 "conduwuit_api",
@@ -958,7 +968,7 @@ dependencies = [

 [[package]]
 name = "conduwuit_api"
-version = "0.5.6"
+version = "0.5.7-alpha.1"
 dependencies = [
 "async-trait",
 "axum",
@@ -990,14 +1000,14 @@ dependencies = [

 [[package]]
 name = "conduwuit_build_metadata"
-version = "0.5.6"
+version = "0.5.7-alpha.1"
 dependencies = [
 "built",
 ]

 [[package]]
 name = "conduwuit_core"
-version = "0.5.6"
+version = "0.5.7-alpha.1"
 dependencies = [
 "argon2",
 "arrayvec",
@@ -1021,6 +1031,7 @@ dependencies = [
 "hardened_malloc-rs",
 "http",
 "http-body-util",
+ "hyper-util",
 "ipaddress",
 "itertools 0.14.0",
 "libc",
@@ -1059,7 +1070,7 @@ dependencies = [

 [[package]]
 name = "conduwuit_database"
-version = "0.5.6"
+version = "0.5.7-alpha.1"
 dependencies = [
 "async-channel",
 "conduwuit_core",
@@ -1077,7 +1088,7 @@ dependencies = [

 [[package]]
 name = "conduwuit_macros"
-version = "0.5.6"
+version = "0.5.7-alpha.1"
 dependencies = [
 "itertools 0.14.0",
 "proc-macro2",
@@ -1087,7 +1098,7 @@ dependencies = [

 [[package]]
 name = "conduwuit_router"
-version = "0.5.6"
+version = "0.5.7-alpha.1"
 dependencies = [
 "axum",
 "axum-client-ip",
@@ -1121,7 +1132,7 @@ dependencies = [

 [[package]]
 name = "conduwuit_service"
-version = "0.5.6"
+version = "0.5.7-alpha.1"
 dependencies = [
 "askama",
 "async-trait",
@@ -1163,16 +1174,26 @@ dependencies = [

 [[package]]
 name = "conduwuit_web"
-version = "0.5.6"
+version = "0.5.7-alpha.1"
 dependencies = [
 "askama",
+ "async-trait",
 "axum",
+ "axum-extra",
+ "base64 0.22.1",
 "conduwuit_build_metadata",
+ "conduwuit_core",
 "conduwuit_service",
 "futures",
+ "memory-serve",
 "rand 0.10.0",
+ "ruma",
+ "serde",
 "thiserror 2.0.18",
+ "tower-http",
+ "tower-sec-fetch",
 "tracing",
+ "validator",
 ]

 [[package]]
@@ -1239,7 +1260,7 @@ dependencies = [
 [[package]]
 name = "continuwuity-admin-api"
 version = "0.1.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=bb12ed288a31a23aa11b10ba0fad22b7f985eb88#bb12ed288a31a23aa11b10ba0fad22b7f985eb88"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=a97b91adcc012ef04991d823b8b5a79c6686ae48#a97b91adcc012ef04991d823b8b5a79c6686ae48"
 dependencies = [
 "ruma-common",
 "serde",
@@ -1255,6 +1276,17 @@ dependencies = [
 "unicode-segmentation",
 ]

+[[package]]
+name = "cookie"
+version = "0.18.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4ddef33a339a91ea89fb53151bd0a4689cfce27055c291dfa69945475d22c747"
+dependencies = [
+ "percent-encoding",
+ "time",
+ "version_check",
+]
+
 [[package]]
 name = "coolor"
 version = "1.1.0"
@@ -1291,8 +1323,8 @@ dependencies = [

 [[package]]
 name = "core_affinity"
-version = "0.8.1"
-source = "git+https://forgejo.ellis.link/continuwuation/core_affinity_rs?rev=9c8e51510c35077df888ee72a36b4b05637147da#9c8e51510c35077df888ee72a36b4b05637147da"
+version = "0.8.3"
+source = "git+https://forgejo.ellis.link/continuwuation/core_affinity_rs?rev=7c7a9dea35382743a63837cdd1d977efdb8f1b8a#7c7a9dea35382743a63837cdd1d977efdb8f1b8a"
 dependencies = [
 "libc",
 "num_cpus",
@@ -1507,6 +1539,41 @@ version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "817fa642fb0ee7fe42e95783e00e0969927b96091bdd4b9b1af082acd943913b"

+[[package]]
+name = "darling"
+version = "0.20.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fc7f46116c46ff9ab3eb1597a45688b6715c6e628b5c133e288e709a29bcb4ee"
+dependencies = [
+ "darling_core",
+ "darling_macro",
+]
+
+[[package]]
+name = "darling_core"
+version = "0.20.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0d00b9596d185e565c2207a0b01f8bd1a135483d02d9b7b0a54b11da8d53412e"
+dependencies = [
+ "fnv",
+ "ident_case",
+ "proc-macro2",
+ "quote",
+ "strsim",
+ "syn",
+]
+
+[[package]]
+name = "darling_macro"
+version = "0.20.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fc34b93ccb385b40dc71c6fceac4b2ad23662c7eeb248cf10d529b7e055b6ead"
+dependencies = [
+ "darling_core",
+ "quote",
+ "syn",
+]
+
 [[package]]
 name = "data-encoding"
 version = "2.10.0"
@@ -1628,7 +1695,7 @@ dependencies = [
 [[package]]
 name = "draupnir-antispam"
 version = "0.1.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=bb12ed288a31a23aa11b10ba0fad22b7f985eb88#bb12ed288a31a23aa11b10ba0fad22b7f985eb88"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=a97b91adcc012ef04991d823b8b5a79c6686ae48#a97b91adcc012ef04991d823b8b5a79c6686ae48"
 dependencies = [
 "ruma-common",
 "serde",
@@ -1758,10 +1825,9 @@ dependencies = [

 [[package]]
 name = "event-listener"
-version = "5.3.1"
-source = "git+https://forgejo.ellis.link/continuwuation/event-listener?rev=fe4aebeeaae435af60087ddd56b573a2e0be671d#fe4aebeeaae435af60087ddd56b573a2e0be671d"
+version = "5.4.1"
+source = "git+https://forgejo.ellis.link/continuwuation/event-listener?rev=b2c19bcaf5a0a69c38c034e417bda04a9b991529#b2c19bcaf5a0a69c38c034e417bda04a9b991529"
 dependencies = [
- "concurrent-queue",
 "parking",
 "pin-project-lite",
 ]
@@ -2430,13 +2496,12 @@ dependencies = [

 [[package]]
 name = "hyper-util"
-version = "0.1.17"
-source = "git+https://forgejo.ellis.link/continuwuation/hyper-util?rev=5886d5292bf704c246206ad72d010d674a7b77d0#5886d5292bf704c246206ad72d010d674a7b77d0"
+version = "0.1.20"
+source = "git+https://forgejo.ellis.link/continuwuation/hyper-util?rev=09fcd3bf4656c81a8ad573bee410ab2b57f60b86#09fcd3bf4656c81a8ad573bee410ab2b57f60b86"
 dependencies = [
 "base64 0.22.1",
 "bytes",
 "futures-channel",
- "futures-core",
 "futures-util",
 "http",
 "http-body",
@@ -2538,6 +2603,12 @@ version = "2.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3d3067d79b975e8844ca9eb072e16b31c3c1c36928edf9c6789548c524d0d954"

+[[package]]
+name = "ident_case"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b9e0384b61958566e926dc50660321d12159025e767c18e043daf26b70104c39"
+
 [[package]]
 name = "idna"
 version = "1.1.0"
@@ -2561,9 +2632,9 @@ dependencies = [

 [[package]]
 name = "image"
-version = "0.25.9"
+version = "0.25.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e6506c6c10786659413faa717ceebcb8f70731c0a60cbae39795fdf114519c1a"
+checksum = "85ab80394333c02fe689eaf900ab500fbd0c2213da414687ebf995a65d5a6104"
 dependencies = [
 "bytemuck",
 "byteorder-lite",
@@ -2579,8 +2650,8 @@ dependencies = [
 "rayon",
 "rgb",
 "tiff",
- "zune-core 0.5.1",
- "zune-jpeg 0.5.12",
+ "zune-core",
+ "zune-jpeg",
 ]

 [[package]]
@@ -2866,9 +2937,9 @@ dependencies = [

 [[package]]
 name = "libz-sys"
-version = "1.1.24"
+version = "1.1.25"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4735e9cbde5aac84a5ce588f6b23a90b9b0b528f6c5a8db8a4aff300463a0839"
+checksum = "d52f4c29e2a68ac30c9087e1b772dc9f44a2b66ed44edf2266cf2be9b03dafc1"
 dependencies = [
 "cc",
 "pkg-config",
@@ -3027,10 +3098,26 @@ version = "2.8.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79"

+[[package]]
+name = "memory-serve"
+version = "2.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "81b5bbad2035f57b1e95f66da606832edd935b47d82312e38e1ccffbcfb8a427"
+dependencies = [
+ "axum",
+ "brotli",
+ "flate2",
+ "mime_guess",
+ "sha256",
+ "tracing",
+ "urlencoding",
+ "walkdir",
+]
+
 [[package]]
 name = "meowlnir-antispam"
 version = "0.1.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=bb12ed288a31a23aa11b10ba0fad22b7f985eb88#bb12ed288a31a23aa11b10ba0fad22b7f985eb88"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=a97b91adcc012ef04991d823b8b5a79c6686ae48#a97b91adcc012ef04991d823b8b5a79c6686ae48"
 dependencies = [
 "ruma-common",
 "serde",
@@ -3043,6 +3130,16 @@ version = "0.3.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6877bb514081ee2a7ff5ef9de3281f14a4dd4bceac4c09388074a6b5df8a139a"

+[[package]]
+name = "mime_guess"
+version = "2.0.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f7c44f8e672c00fe5308fa235f821cb4198414e1c77935c1ab6948d3fd78550e"
+dependencies = [
+ "mime",
+ "unicase",
+]
+
 [[package]]
 name = "minicbor"
 version = "2.2.1"
@@ -3115,9 +3212,9 @@ dependencies = [

 [[package]]
 name = "moxcms"
-version = "0.7.11"
+version = "0.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ac9557c559cd6fc9867e122e20d2cbefc9ca29d80d027a8e39310920ed2f0a97"
+checksum = "bb85c154ba489f01b25c0d36ae69a87e4a1c73a72631fc6c0eb6dde34a73e44b"
 dependencies = [
 "num-traits",
 "pxfm",
@@ -3478,9 +3575,9 @@ dependencies = [

 [[package]]
 name = "once_cell"
-version = "1.21.3"
+version = "1.21.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "42f5e15c9953c5e4ccceeb2e7382a716482c34515315f7b03532b8b4e8393d2d"
+checksum = "9f7c3e4beb33f85d45ae3e3a1792185706c8e16d043238c593331cc7cd313b50"
 dependencies = [
 "critical-section",
 "portable-atomic",
@@ -3828,7 +3925,29 @@ version = "3.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e67ba7e9b2b56446f1d419b1d807906278ffa1a658a8a5d8a39dcb1f5a78614f"
 dependencies = [
- "toml_edit 0.25.4+spec-1.1.0",
+ "toml_edit 0.25.5+spec-1.1.0",
+]
+
+[[package]]
+name = "proc-macro-error-attr2"
+version = "2.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "96de42df36bb9bba5542fe9f1a054b8cc87e172759a1868aa05c1f3acc89dfc5"
+dependencies = [
+ "proc-macro2",
+ "quote",
+]
+
+[[package]]
+name = "proc-macro-error2"
+version = "2.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "11ec05c52be0a07b08061f7dd003e7d7092e0472bc731b4af7bb1ef876109802"
+dependencies = [
+ "proc-macro-error-attr2",
+ "proc-macro2",
+ "quote",
+ "syn",
 ]

 [[package]]
@@ -3966,9 +4085,9 @@ dependencies = [

 [[package]]
 name = "quinn-proto"
-version = "0.11.13"
+version = "0.11.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f1906b49b0c3bc04b5fe5d86a77925ae6524a19b816ae38ce1e426255f1d8a31"
+checksum = "434b42fec591c96ef50e21e886936e66d3cc3f737104fdb9b737c40ffb94c098"
 dependencies = [
 "bytes",
 "getrandom 0.3.4",
@@ -4121,9 +4240,9 @@ dependencies = [

 [[package]]
 name = "ravif"
-version = "0.12.0"
+version = "0.13.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ef69c1990ceef18a116855938e74793a5f7496ee907562bd0857b6ac734ab285"
+checksum = "e52310197d971b0f5be7fe6b57530dcd27beb35c1b013f29d66c1ad73fbbcc45"
 dependencies = [
 "avif-serialize",
 "imgref",
@@ -4156,9 +4275,9 @@ dependencies = [

 [[package]]
 name = "recaptcha-verify"
-version = "0.1.6"
+version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0d694033c2b0abdbb8893edfb367f16270e790be4a67e618206d811dbe4efee4"
+checksum = "409bf11a93fe93093f3c0254aab67576524f1e0524692615b5b63091dbc88a79"
 dependencies = [
 "reqwest",
 "serde",
@@ -4280,7 +4399,7 @@ dependencies = [
 [[package]]
 name = "ruma"
 version = "0.10.1"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=bb12ed288a31a23aa11b10ba0fad22b7f985eb88#bb12ed288a31a23aa11b10ba0fad22b7f985eb88"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=a97b91adcc012ef04991d823b8b5a79c6686ae48#a97b91adcc012ef04991d823b8b5a79c6686ae48"
 dependencies = [
 "assign",
 "continuwuity-admin-api",
@@ -4303,7 +4422,7 @@ dependencies = [
 [[package]]
 name = "ruma-appservice-api"
 version = "0.10.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=bb12ed288a31a23aa11b10ba0fad22b7f985eb88#bb12ed288a31a23aa11b10ba0fad22b7f985eb88"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=a97b91adcc012ef04991d823b8b5a79c6686ae48#a97b91adcc012ef04991d823b8b5a79c6686ae48"
 dependencies = [
 "js_int",
 "ruma-common",
@@ -4315,7 +4434,7 @@ dependencies = [
 [[package]]
 name = "ruma-client-api"
 version = "0.18.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=bb12ed288a31a23aa11b10ba0fad22b7f985eb88#bb12ed288a31a23aa11b10ba0fad22b7f985eb88"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=a97b91adcc012ef04991d823b8b5a79c6686ae48#a97b91adcc012ef04991d823b8b5a79c6686ae48"
 dependencies = [
 "as_variant",
 "assign",
@@ -4338,7 +4457,7 @@ dependencies = [
 [[package]]
 name = "ruma-common"
 version = "0.13.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=bb12ed288a31a23aa11b10ba0fad22b7f985eb88#bb12ed288a31a23aa11b10ba0fad22b7f985eb88"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=a97b91adcc012ef04991d823b8b5a79c6686ae48#a97b91adcc012ef04991d823b8b5a79c6686ae48"
 dependencies = [
 "as_variant",
 "base64 0.22.1",
@@ -4370,7 +4489,7 @@ dependencies = [
 [[package]]
 name = "ruma-events"
 version = "0.28.1"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=bb12ed288a31a23aa11b10ba0fad22b7f985eb88#bb12ed288a31a23aa11b10ba0fad22b7f985eb88"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=a97b91adcc012ef04991d823b8b5a79c6686ae48#a97b91adcc012ef04991d823b8b5a79c6686ae48"
 dependencies = [
 "as_variant",
 "indexmap",
@@ -4395,7 +4514,7 @@ dependencies = [
 [[package]]
 name = "ruma-federation-api"
 version = "0.9.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=bb12ed288a31a23aa11b10ba0fad22b7f985eb88#bb12ed288a31a23aa11b10ba0fad22b7f985eb88"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=a97b91adcc012ef04991d823b8b5a79c6686ae48#a97b91adcc012ef04991d823b8b5a79c6686ae48"
 dependencies = [
 "bytes",
 "headers",
@@ -4417,7 +4536,7 @@ dependencies = [
 [[package]]
 name = "ruma-identifiers-validation"
 version = "0.9.5"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=bb12ed288a31a23aa11b10ba0fad22b7f985eb88#bb12ed288a31a23aa11b10ba0fad22b7f985eb88"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=a97b91adcc012ef04991d823b8b5a79c6686ae48#a97b91adcc012ef04991d823b8b5a79c6686ae48"
 dependencies = [
 "js_int",
 "thiserror 2.0.18",
@@ -4426,7 +4545,7 @@ dependencies = [
 [[package]]
 name = "ruma-identity-service-api"
 version = "0.9.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=bb12ed288a31a23aa11b10ba0fad22b7f985eb88#bb12ed288a31a23aa11b10ba0fad22b7f985eb88"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=a97b91adcc012ef04991d823b8b5a79c6686ae48#a97b91adcc012ef04991d823b8b5a79c6686ae48"
 dependencies = [
 "js_int",
 "ruma-common",
@@ -4436,7 +4555,7 @@ dependencies = [
 [[package]]
 name = "ruma-macros"
 version = "0.13.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=bb12ed288a31a23aa11b10ba0fad22b7f985eb88#bb12ed288a31a23aa11b10ba0fad22b7f985eb88"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=a97b91adcc012ef04991d823b8b5a79c6686ae48#a97b91adcc012ef04991d823b8b5a79c6686ae48"
 dependencies = [
 "cfg-if",
 "proc-macro-crate",
@@ -4451,7 +4570,7 @@ dependencies = [
 [[package]]
 name = "ruma-push-gateway-api"
 version = "0.9.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=bb12ed288a31a23aa11b10ba0fad22b7f985eb88#bb12ed288a31a23aa11b10ba0fad22b7f985eb88"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=a97b91adcc012ef04991d823b8b5a79c6686ae48#a97b91adcc012ef04991d823b8b5a79c6686ae48"
 dependencies = [
 "js_int",
 "ruma-common",
@@ -4463,7 +4582,7 @@ dependencies = [
 [[package]]
 name = "ruma-signatures"
 version = "0.15.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=bb12ed288a31a23aa11b10ba0fad22b7f985eb88#bb12ed288a31a23aa11b10ba0fad22b7f985eb88"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=a97b91adcc012ef04991d823b8b5a79c6686ae48#a97b91adcc012ef04991d823b8b5a79c6686ae48"
 dependencies = [
 "base64 0.22.1",
 "ed25519-dalek",
@@ -4479,8 +4598,8 @@ dependencies = [

 [[package]]
 name = "rust-librocksdb-sys"
-version = "0.39.0+10.5.1"
-source = "git+https://forgejo.ellis.link/continuwuation/rust-rocksdb-zaidoon1?rev=61d9d23872197e9ace4a477f2617d5c9f50ecb23#61d9d23872197e9ace4a477f2617d5c9f50ecb23"
+version = "0.42.0+10.10.1"
+source = "git+https://forgejo.ellis.link/continuwuation/rust-rocksdb-zaidoon1?rev=31fb8f772c7afcdc0061ab6a40cfa3a1be2fccd9#31fb8f772c7afcdc0061ab6a40cfa3a1be2fccd9"
 dependencies = [
 "bindgen",
 "bzip2-sys",
@@ -4496,8 +4615,8 @@ dependencies = [

 [[package]]
 name = "rust-rocksdb"
-version = "0.43.0"
-source = "git+https://forgejo.ellis.link/continuwuation/rust-rocksdb-zaidoon1?rev=61d9d23872197e9ace4a477f2617d5c9f50ecb23#61d9d23872197e9ace4a477f2617d5c9f50ecb23"
+version = "0.46.0"
+source = "git+https://forgejo.ellis.link/continuwuation/rust-rocksdb-zaidoon1?rev=31fb8f772c7afcdc0061ab6a40cfa3a1be2fccd9#31fb8f772c7afcdc0061ab6a40cfa3a1be2fccd9"
 dependencies = [
 "libc",
 "parking_lot",
@@ -4614,16 +4733,16 @@ checksum = "b39cdef0fa800fc44525c84ccb54a029961a8215f9619753635a9c0d2538d46d"

 [[package]]
 name = "rustyline-async"
-version = "0.4.6"
-source = "git+https://forgejo.ellis.link/continuwuation/rustyline-async?rev=e9f01cf8c6605483cb80b3b0309b400940493d7f#e9f01cf8c6605483cb80b3b0309b400940493d7f"
+version = "0.4.9"
+source = "git+https://forgejo.ellis.link/continuwuation/rustyline-async?rev=b13aca2cc08d5f78303746cd192d9a03d73e768e#b13aca2cc08d5f78303746cd192d9a03d73e768e"
 dependencies = [
+ "ansi-width",
 "crossterm",
 "futures-util",
 "pin-project",
 "thingbuf",
 "thiserror 2.0.18",
 "unicode-segmentation",
- "unicode-width 0.2.2",
 ]

 [[package]]
@@ -4632,6 +4751,15 @@ version = "1.0.23"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9774ba4a74de5f7b1c1451ed6cd5285a32eddb5cccb8cc655a4e50009e06477f"

+[[package]]
+name = "same-file"
+version = "1.0.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "93fc1dc3aaa9bfed95e02e6eadabb4baf7e3078b0bd1b4d7b6b0b68378900502"
+dependencies = [
+ "winapi-util",
+]
+
 [[package]]
 name = "sanitize-filename"
 version = "0.6.0"
@@ -4654,9 +4782,9 @@ dependencies = [

 [[package]]
 name = "schannel"
-version = "0.1.28"
+version = "0.1.29"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "891d81b926048e76efe18581bf793546b4c0eaf8448d72be8de2bbee5fd166e1"
+checksum = "91c1b7e4904c873ef0710c1f407dde2e6287de2bebc1bbbf7d430bb7cbffd939"
 dependencies = [
 "windows-sys 0.61.2",
 ]
@@ -4993,6 +5121,19 @@ dependencies = [
 "digest",
 ]

+[[package]]
+name = "sha256"
+version = "1.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f880fc8562bdeb709793f00eb42a2ad0e672c4f883bbe59122b926eca935c8f6"
+dependencies = [
+ "async-trait",
+ "bytes",
+ "hex",
+ "sha2",
+ "tokio",
+]
+
 [[package]]
 name = "sharded-slab"
 version = "0.1.7"
@@ -5161,6 +5302,12 @@ dependencies = [
 "quote",
 ]

+[[package]]
+name = "strsim"
+version = "0.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f"
+
 [[package]]
 name = "subslice"
 version = "0.2.3"
@@ -5301,22 +5448,22 @@ dependencies = [

 [[package]]
 name = "tiff"
-version = "0.10.3"
+version = "0.11.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "af9605de7fee8d9551863fd692cce7637f548dbd9db9180fcc07ccc6d26c336f"
+checksum = "b63feaf3343d35b6ca4d50483f94843803b0f51634937cc2ec519fc32232bc52"
 dependencies = [
 "fax",
 "flate2",
 "half",
 "quick-error",
 "weezl",
- "zune-jpeg 0.4.21",
+ "zune-jpeg",
 ]

 [[package]]
 name = "tikv-jemalloc-ctl"
-version = "0.6.0"
-source = "git+https://forgejo.ellis.link/continuwuation/jemallocator?rev=82af58d6a13ddd5dcdc7d4e91eae3b63292995b8#82af58d6a13ddd5dcdc7d4e91eae3b63292995b8"
+version = "0.6.1"
+source = "git+https://forgejo.ellis.link/continuwuation/jemallocator?rev=df86ff89d4b1e223b9f7d2dd2fbb7f202da7f554#df86ff89d4b1e223b9f7d2dd2fbb7f202da7f554"
 dependencies = [
 "libc",
 "paste",
@@ -5325,8 +5472,8 @@ dependencies = [

 [[package]]
 name = "tikv-jemalloc-sys"
-version = "0.6.0+5.3.0-1-ge13ca993e8ccb9ba9847cc330696e02839f328f7"
-source = "git+https://forgejo.ellis.link/continuwuation/jemallocator?rev=82af58d6a13ddd5dcdc7d4e91eae3b63292995b8#82af58d6a13ddd5dcdc7d4e91eae3b63292995b8"
+version = "0.6.1+5.3.0-1-ge13ca993e8ccb9ba9847cc330696e02839f328f7"
+source = "git+https://forgejo.ellis.link/continuwuation/jemallocator?rev=df86ff89d4b1e223b9f7d2dd2fbb7f202da7f554#df86ff89d4b1e223b9f7d2dd2fbb7f202da7f554"
 dependencies = [
 "cc",
 "libc",
@@ -5334,8 +5481,8 @@ dependencies = [

 [[package]]
 name = "tikv-jemallocator"
-version = "0.6.0"
-source = "git+https://forgejo.ellis.link/continuwuation/jemallocator?rev=82af58d6a13ddd5dcdc7d4e91eae3b63292995b8#82af58d6a13ddd5dcdc7d4e91eae3b63292995b8"
+version = "0.6.1"
+source = "git+https://forgejo.ellis.link/continuwuation/jemallocator?rev=df86ff89d4b1e223b9f7d2dd2fbb7f202da7f554#df86ff89d4b1e223b9f7d2dd2fbb7f202da7f554"
 dependencies = [
 "libc",
 "tikv-jemalloc-sys",
@@ -5384,9 +5531,9 @@ dependencies = [

 [[package]]
 name = "tinyvec"
-version = "1.10.0"
+version = "1.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bfa5fdc3bce6191a1dbc8c02d5c8bffcf557bafa17c124c5264a458f1b0613fa"
+checksum = "3e61e67053d25a4e82c844e8424039d9745781b3fc4f32b8d55ed50f5f667ef3"
 dependencies = [
 "tinyvec_macros",
 ]
@@ -5495,7 +5642,7 @@ dependencies = [
 "toml_datetime 0.7.5+spec-1.1.0",
 "toml_parser",
 "toml_writer",
- "winnow",
+ "winnow 0.7.15",
 ]

 [[package]]
@@ -5518,9 +5665,9 @@ dependencies = [

 [[package]]
 name = "toml_datetime"
-version = "1.0.0+spec-1.1.0"
+version = "1.0.1+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "32c2555c699578a4f59f0cc68e5116c8d7cabbd45e1409b989d4be085b53f13e"
+checksum = "9b320e741db58cac564e26c607d3cc1fdc4a88fd36c879568c07856ed83ff3e9"
 dependencies = [
 "serde_core",
 ]
@@ -5536,28 +5683,28 @@ dependencies = [
 "serde_spanned 0.6.9",
 "toml_datetime 0.6.11",
 "toml_write",
- "winnow",
+ "winnow 0.7.15",
 ]

 [[package]]
 name = "toml_edit"
-version = "0.25.4+spec-1.1.0"
+version = "0.25.5+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7193cbd0ce53dc966037f54351dbbcf0d5a642c7f0038c382ef9e677ce8c13f2"
+checksum = "8ca1a40644a28bce036923f6a431df0b34236949d111cc07cb6dca830c9ef2e1"
 dependencies = [
 "indexmap",
- "toml_datetime 1.0.0+spec-1.1.0",
+ "toml_datetime 1.0.1+spec-1.1.0",
 "toml_parser",
- "winnow",
+ "winnow 1.0.0",
 ]

 [[package]]
 name = "toml_parser"
-version = "1.0.9+spec-1.1.0"
+version = "1.0.10+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "702d4415e08923e7e1ef96cd5727c0dfed80b4d2fa25db9647fe5eb6f7c5a4c4"
+checksum = "7df25b4befd31c4816df190124375d5a20c6b6921e2cad937316de3fccd63420"
 dependencies = [
- "winnow",
+ "winnow 1.0.0",
 ]

 [[package]]
@@ -5568,9 +5715,9 @@ checksum = "5d99f8c9a7727884afe522e9bd5edbfc91a3312b36a77b5fb8926e4c31a41801"

 [[package]]
 name = "toml_writer"
-version = "1.0.6+spec-1.1.0"
+version = "1.0.7+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ab16f14aed21ee8bfd8ec22513f7287cd4a91aa92e44edfe2c17ddd004e92607"
+checksum = "f17aaa1c6e3dc22b1da4b6bba97d066e354c7945cac2f7852d4e4e7ca7a6b56d"

 [[package]]
 name = "tonic"
@@ -5661,6 +5808,18 @@ version = "0.3.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "121c2a6cda46980bb0fcd1647ffaf6cd3fc79a013de288782836f6df9c48780e"

+[[package]]
+name = "tower-sec-fetch"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ff1e78d241de2527d3ef67e49d65d8cb08468c644c3aafac7a988c4accd76547"
+dependencies = [
+ "futures",
+ "http",
+ "tower",
+ "tracing",
+]
+
 [[package]]
 name = "tower-service"
 version = "0.3.3"
@@ -5673,6 +5832,7 @@ version = "0.1.44"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "63e71662fa4b2a2c3a26f570f037eb95bb1f85397f3cd8076caed2f026a6d100"
 dependencies = [
+ "log",
 "pin-project-lite",
 "tracing-attributes",
 "tracing-core",
@@ -5750,9 +5910,9 @@ dependencies = [

 [[package]]
 name = "tracing-subscriber"
-version = "0.3.22"
+version = "0.3.23"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2f30143827ddab0d256fd843b7a66d164e9f271cfa0dde49142c5ca0ca291f1e"
+checksum = "cb7f578e5945fb242538965c2d0b04418d38ec25c79d160cd279bf0731c8d319"
 dependencies = [
 "matchers",
 "nu-ansi-term",
@@ -5894,6 +6054,12 @@ dependencies = [
 "serde_derive",
 ]

+[[package]]
+name = "urlencoding"
+version = "2.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "daf8dba3b7eb870caf1ddeed7bc9d2a049f3cfdfae7cb521b087cc33ae4c49da"
+
 [[package]]
 name = "utf-8"
 version = "0.7.6"
@@ -5929,6 +6095,36 @@ dependencies = [
 "wasm-bindgen",
 ]

+[[package]]
+name = "validator"
+version = "0.20.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "43fb22e1a008ece370ce08a3e9e4447a910e92621bb49b85d6e48a45397e7cfa"
+dependencies = [
+ "idna",
+ "once_cell",
+ "regex",
+ "serde",
+ "serde_derive",
+ "serde_json",
+ "url",
+ "validator_derive",
+]
+
+[[package]]
+name = "validator_derive"
+version = "0.20.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b7df16e474ef958526d1205f6dda359fdfab79d9aa6d54bafcb92dcd07673dca"
+dependencies = [
+ "darling",
+ "once_cell",
+ "proc-macro-error2",
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
 [[package]]
 name = "valuable"
 version = "0.1.1"
@@ -5947,6 +6143,16 @@ version = "0.9.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0b928f33d975fc6ad9f86c8f283853ad26bdd5b10b7f1542aa2fa15e2289105a"

+[[package]]
+name = "walkdir"
+version = "2.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "29790946404f91d9c5d06f9874efddea1dc06c5efe94541a7d6863108e3a5e4b"
+dependencies = [
+ "same-file",
+ "winapi-util",
+]
+
 [[package]]
 name = "want"
 version = "0.3.1"
@@ -6161,6 +6367,15 @@ version = "0.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"

+[[package]]
+name = "winapi-util"
+version = "0.1.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22"
+dependencies = [
+ "windows-sys 0.61.2",
+]
+
 [[package]]
 name = "winapi-x86_64-pc-windows-gnu"
 version = "0.4.0"
@@ -6404,6 +6619,15 @@ dependencies = [
 "memchr",
 ]

+[[package]]
+name = "winnow"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a90e88e4667264a994d34e6d1ab2d26d398dcdca8b7f52bec8668957517fc7d8"
+dependencies = [
+ "memchr",
+]
+
 [[package]]
 name = "winreg"
 version = "0.50.0"
@@ -6538,7 +6762,7 @@ dependencies = [

 [[package]]
 name = "xtask"
-version = "0.5.6"
+version = "0.5.7-alpha.1"
 dependencies = [
 "askama",
 "cargo_metadata",
@@ -6584,18 +6808,18 @@ dependencies = [

 [[package]]
 name = "zerocopy"
-version = "0.8.41"
+version = "0.8.42"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "96e13bc581734df6250836c59a5f44f3c57db9f9acb9dc8e3eaabdaf6170254d"
+checksum = "f2578b716f8a7a858b7f02d5bd870c14bf4ddbbcf3a4c05414ba6503640505e3"
 dependencies = [
 "zerocopy-derive",
 ]

 [[package]]
 name = "zerocopy-derive"
-version = "0.8.41"
+version = "0.8.42"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3545ea9e86d12ab9bba9fcd99b54c1556fd3199007def5a03c375623d05fac1c"
+checksum = "7e6cc098ea4d3bd6246687de65af3f920c430e236bee1e3bf2e441463f08a02f"
 dependencies = [
 "proc-macro2",
 "quote",
@@ -6696,12 +6920,6 @@ dependencies = [
 "pkg-config",
 ]

-[[package]]
-name = "zune-core"
-version = "0.4.12"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3f423a2c17029964870cfaabb1f13dfab7d092a62a29a89264f4d36990ca414a"
-
 [[package]]
 name = "zune-core"
 version = "0.5.1"
@@ -6719,18 +6937,9 @@ dependencies = [

 [[package]]
 name = "zune-jpeg"
-version = "0.4.21"
+version = "0.5.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "29ce2c8a9384ad323cf564b67da86e21d3cfdff87908bc1223ed5c99bc792713"
+checksum = "ec5f41c76397b7da451efd19915684f727d7e1d516384ca6bd0ec43ec94de23c"
 dependencies = [
- "zune-core 0.4.12",
-]
-
-[[package]]
-name = "zune-jpeg"
-version = "0.5.12"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "410e9ecef634c709e3831c2cfdb8d9c32164fae1c67496d5b68fff728eec37fe"
-dependencies = [
- "zune-core 0.5.1",
+ "zune-core",
 ]
@@ -12,7 +12,7 @@ license = "Apache-2.0"
 # See also `rust-toolchain.toml`
 readme = "README.md"
 repository = "https://forgejo.ellis.link/continuwuation/continuwuity"
-version = "0.5.6"
+version = "0.5.7-alpha.1"

 [workspace.metadata.crane]
 name = "conduwuit"
@@ -99,7 +99,7 @@ features = [
 [workspace.dependencies.axum-extra]
 version = "0.12.0"
 default-features = false
-features = ["typed-header", "tracing"]
+features = ["typed-header", "tracing", "cookie"]

 [workspace.dependencies.axum-server]
 version = "0.7.2"
@@ -278,7 +278,7 @@ features = [
 ]

 [workspace.dependencies.hyper-util]
-version = "=0.1.17"
+version = "=0.1.20"
 default-features = false
 features = [
    "server-auto",
@@ -332,7 +332,7 @@ version = "0.4.0"

 # used for MPMC channels
 [workspace.dependencies.async-channel]
-version = "2.3.1"
+version = "2.5.0"

 [workspace.dependencies.async-trait]
 version = "0.1.88"
@@ -344,7 +344,7 @@ version = "0.1.2"
 [workspace.dependencies.ruma]
 git = "https://forgejo.ellis.link/continuwuation/ruwuma"
 #branch = "conduwuit-changes"
-rev = "bb12ed288a31a23aa11b10ba0fad22b7f985eb88"
+rev = "a97b91adcc012ef04991d823b8b5a79c6686ae48"
 features = [
    "compat",
    "rand",
@@ -388,7 +388,7 @@ features = [

 [workspace.dependencies.rust-rocksdb]
 git = "https://forgejo.ellis.link/continuwuation/rust-rocksdb-zaidoon1"
-rev = "61d9d23872197e9ace4a477f2617d5c9f50ecb23"
+rev = "31fb8f772c7afcdc0061ab6a40cfa3a1be2fccd9"
 default-features = false
 features = [
    "multi-threaded-cf",
@@ -451,7 +451,7 @@ version = "0.46.0"
 # jemalloc usage
 [workspace.dependencies.tikv-jemalloc-sys]
 git = "https://forgejo.ellis.link/continuwuation/jemallocator"
-rev = "82af58d6a13ddd5dcdc7d4e91eae3b63292995b8"
+rev = "df86ff89d4b1e223b9f7d2dd2fbb7f202da7f554"
 default-features = false
 features = [
    "background_threads_runtime_support",
@@ -459,7 +459,7 @@ features = [
 ]
 [workspace.dependencies.tikv-jemallocator]
 git = "https://forgejo.ellis.link/continuwuation/jemallocator"
-rev = "82af58d6a13ddd5dcdc7d4e91eae3b63292995b8"
+rev = "df86ff89d4b1e223b9f7d2dd2fbb7f202da7f554"
 default-features = false
 features = [
    "background_threads_runtime_support",
@@ -467,7 +467,7 @@ features = [
 ]
 [workspace.dependencies.tikv-jemalloc-ctl]
 git = "https://forgejo.ellis.link/continuwuation/jemallocator"
-rev = "82af58d6a13ddd5dcdc7d4e91eae3b63292995b8"
+rev = "df86ff89d4b1e223b9f7d2dd2fbb7f202da7f554"
 default-features = false
 features = ["use_std"]

@@ -493,7 +493,7 @@ features = [
 ]

 [workspace.dependencies.rustyline-async]
-version = "0.4.3"
+version = "0.4.9"
 default-features = false

 [workspace.dependencies.termimad]
@@ -526,7 +526,7 @@ version = "0.4.13"
 version = "2.0"

 [workspace.dependencies.core_affinity]
-version = "0.8.1"
+version = "0.8.3"

 [workspace.dependencies.libc]
 version = "0.2"
@@ -550,9 +550,6 @@ version = "0.12.0"
 default-features = false
 features = ["sync", "tls-rustls", "rustls-provider"]

-[workspace.dependencies.resolv-conf]
-version = "0.7.5"
-
 [workspace.dependencies.yansi]
 version = "1.0.1"

@@ -571,25 +568,25 @@ version = "0.15.0"
 # adds event for CTRL+\: https://forgejo.ellis.link/continuwuation/rustyline-async/src/branch/main/.patchy/0001-add-event-for-ctrl.patch
 [patch.crates-io.rustyline-async]
 git = "https://forgejo.ellis.link/continuwuation/rustyline-async"
-rev = "e9f01cf8c6605483cb80b3b0309b400940493d7f"
+rev = "b13aca2cc08d5f78303746cd192d9a03d73e768e"

 # adds LIFO queue scheduling; this should be updated with PR progress.
 [patch.crates-io.event-listener]
 git = "https://forgejo.ellis.link/continuwuation/event-listener"
-rev = "fe4aebeeaae435af60087ddd56b573a2e0be671d"
+rev = "b2c19bcaf5a0a69c38c034e417bda04a9b991529"
 [patch.crates-io.async-channel]
 git = "https://forgejo.ellis.link/continuwuation/async-channel"
-rev = "92e5e74063bf2a3b10414bcc8a0d68b235644280"
+rev = "e990f0006b68dc9bace7a3c95fc90b5c4e44948d"

 # adds affinity masks for selecting more than one core at a time
 [patch.crates-io.core_affinity]
 git = "https://forgejo.ellis.link/continuwuation/core_affinity_rs"
-rev = "9c8e51510c35077df888ee72a36b4b05637147da"
+rev = "7c7a9dea35382743a63837cdd1d977efdb8f1b8a"

 # reverts hyperium#148 conflicting with our delicate federation resolver hooks
 [patch.crates-io.hyper-util]
 git = "https://forgejo.ellis.link/continuwuation/hyper-util"
-rev = "5886d5292bf704c246206ad72d010d674a7b77d0"
+rev = "09fcd3bf4656c81a8ad573bee410ab2b57f60b86"

 #
 # Our crates
@@ -969,3 +966,6 @@ needless_raw_string_hashes = "allow"

 # TODO: Enable this lint & fix all instances
 collapsible_if = "allow"
+
+# TODO: break these apart
+cognitive_complexity = "allow"
@@ -0,0 +1 @@
+Added support for using an admin command to issue self-service password reset links.
@@ -0,0 +1 @@
+Fixed room alias deletion so removing one local alias no longer removes other aliases from room alias listings.
@@ -0,0 +1 @@
+Added Testing and Troubleshooting instructions for Livekit documentation. Contributed by @stratself.
@@ -0,0 +1 @@
+Add new config option to allow or disallow search engine indexing through a `<meta ../>` tag. Defaults to blocking indexing (`content="noindex"`). Contributed by @s1lv3r and @ginger.
@@ -0,0 +1 @@
+Stripped `join_authorised_via_users_server` from json if user is already in room (@partha:cxy.run)
@@ -0,0 +1 @@
+Fixed internal server errors for fetching thumbnails. Contributed by @PerformativeJade
@@ -0,0 +1 @@
+Drop unnecessary fields when converting an event into the federation format, saving bandwidth. Contributed by @nex.
@@ -25,6 +25,10 @@
 #
 # Also see the `[global.well_known]` config section at the very bottom.
 #
+# If `client` is not set under `[global.well_known]`, the server name will
+# be used as the base domain for user-facing links (such as password
+# reset links) created by Continuwuity.
+#
 # Examples of delegation:
 # - https://continuwuity.org/.well-known/matrix/server
 # - https://continuwuity.org/.well-known/matrix/client
@@ -91,6 +95,10 @@
 # engine API. To use this, set a database backup path that continuwuity
 # can write to.
 #
+# If you are using systemd, you will need to add the path to
+# ReadWritePaths in the service file, preferably via a drop-in file
+# through `systemctl edit`.
+#
 # For more information, see:
 # https://continuwuity.org/maintenance.html#backups
 #
@@ -1795,6 +1803,11 @@
 #
 #config_reload_signal = true

+# Allow search engines and crawlers to index Continuwuity's built-in
+# webpages served under the `/_continuwuity/` prefix.
+#
+#allow_web_indexing = false
+
 [global.tls]

 # Path to a valid TLS certificate file.
@@ -10,7 +10,7 @@ RUN rm -f /etc/apt/apt.conf.d/docker-clean

 # Match Rustc version as close as possible
 # rustc -vV
-ARG LLVM_VERSION=20
+ARG LLVM_VERSION=21
 # ENV RUSTUP_TOOLCHAIN=${RUST_VERSION}

 # Install repo tools
@@ -48,7 +48,7 @@ EOF

 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.17.7
+ENV BINSTALL_VERSION=1.17.8
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree
@@ -18,7 +18,7 @@ RUN --mount=type=cache,target=/etc/apk/cache apk add \

 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.17.7
+ENV BINSTALL_VERSION=1.17.8
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree
@@ -109,9 +109,6 @@ Restart Continuwuity and your reverse proxy. Once that's done, visit these route
 {
  "m.homeserver": {
    "base_url": "https://matrix.example.com/"
-  },
-  "org.matrix.msc3575.proxy": {
-    "url": "https://matrix.example.com/"
  }
 }
 ```
@@ -10,4 +10,4 @@ Both types of calls are supported by different sets of clients, but most clients
 For either one to work correctly, you have to do some additional setup.

 - For legacy calls to work, you need to set up a TURN/STUN server. [Read the TURN guide for tips on how to set up coturn](./calls/turn.mdx)
- For MatrixRTC / Element Call to work, you have to set up the LiveKit backend (foci). LiveKit also uses TURN/STUN to increase reliability, so you might want to configure your TURN server first. [Read the LiveKit guide](./calls/livekit.mdx)
+- For MatrixRTC / Element Call to work, you have to set up the LiveKit backend (foci). LiveKit also uses TURN/STUN to increase reliability - you can set up its built-in TURN server, or integrate with an existing one. [Read the LiveKit guide](./calls/livekit.mdx)
@@ -4,6 +4,10 @@
 This guide assumes that you are using docker compose for deployment. LiveKit only provides Docker images.
 :::

+:::tip
+You can find help setting up Matrix RTC in our dedicated room - [#matrixrtc:continuwuity.org](https://matrix.to/#/%23matrixrtc%3Acontinuwuity.org)
+:::
+
 ## Instructions

 ### 1. Domain
@@ -14,17 +18,21 @@ Make sure the DNS record for the (sub)domain you plan to use is pointed to your

 ### 2. Services

-Using LiveKit with Matrix requires two services - Livekit itself, and a service (`lk-jwt-service`) that grants Matrix users permission to connect to it.
+Using LiveKit with Matrix requires two services - LiveKit itself, and a service (`lk-jwt-service`) that grants Matrix users permission to connect to it.

 You must generate a key and secret to allow the Matrix service to authenticate with LiveKit. `LK_MATRIX_KEY` should be around 20 random characters, and `LK_MATRIX_SECRET` should be around 64. Remember to replace these with the actual values!

 :::tip Generating the secrets
 LiveKit provides a utility to generate secure random keys
 ```bash
-docker run --rm livekit/livekit-server:latest generate-keys
+~$ docker run --rm livekit/livekit-server:latest generate-keys
+API Key:  APIUxUnMnSkuFWV
+API Secret:  t93ZVjPeoEdyx7Wbet3kG4L3NGZIZVEFvqe0UuiVc22A
 ```
 :::

+Create a `docker-compose.yml` file as following:
+
 ```yaml
 services:
  lk-jwt-service:
@@ -32,10 +40,11 @@ services:
    container_name: lk-jwt-service
    environment:
      - LIVEKIT_JWT_BIND=:8081
-      - LIVEKIT_URL=wss://livekit.example.com
-      - LIVEKIT_KEY=LK_MATRIX_KEY
-      - LIVEKIT_SECRET=LK_MATRIX_SECRET
-      - LIVEKIT_FULL_ACCESS_HOMESERVERS=example.com
+      - LIVEKIT_URL=wss://livekit.example.com # your LiveKit domain
+      - LIVEKIT_FULL_ACCESS_HOMESERVERS=example.com # your server_name
+      # Replace these with the generated values as above
+      - LIVEKIT_KEY=LK_MATRIX_KEY # APIUxUnMnSkuFWV
+      - LIVEKIT_SECRET=LK_MATRIX_SECRET # t93ZVjPeoEdyx7Wbet3kG4L3NGZIZVEFvqe0UuiVc22A
    restart: unless-stopped
    ports:
      - "8081:8081"
@@ -70,6 +79,8 @@ rtc:
  enable_loopback_candidate: false
 keys:
  LK_MATRIX_KEY: LK_MATRIX_SECRET
+  # replace these with your key-secret pair. Example:
+  # APIUxUnMnSkuFWV: t93ZVjPeoEdyx7Wbet3kG4L3NGZIZVEFvqe0UuiVc22A
 ```

 #### Firewall hints
@@ -95,7 +106,7 @@ Remember to replace the URL with the address you are deploying your instance of

 Reverse proxies can be configured in many different ways - so we can't provide a step by step for this.

-By default, all routes should be forwarded to Livekit with the exception of the following path prefixes, which should be forwarded to the JWT/Authentication service:
+All paths should be forwarded to LiveKit by default, with the exception of the following path prefixes, which should be forwarded to the JWT/Authentication service:

 - `/sfu/get`
 - `/healthz`
@@ -104,7 +115,7 @@ By default, all routes should be forwarded to Livekit with the exception of the
 <details>
    <summary>Example caddy config</summary>
    ```
-    matrix-rtc.example.com {
+    livekit.example.com {

        # for lk-jwt-service
        @lk-jwt-service path /sfu/get* /healthz* /get_token*
@@ -122,7 +133,7 @@ By default, all routes should be forwarded to Livekit with the exception of the
    <summary>Example nginx config</summary>
    ```
    server {
-        server_name matrix-rtc.example.com;
+        server_name livekit.example.com;

        # for lk-jwt-service
        location ~ ^/(sfu/get|healthz|get_token) {
@@ -133,7 +144,7 @@ By default, all routes should be forwarded to Livekit with the exception of the
            proxy_buffering off;
        }

-        # for livekit
+        # for LiveKit
        location / {
            proxy_pass http://127.0.0.1:7880$request_uri;
            proxy_set_header X-Forwarded-For $remote_addr;
@@ -173,44 +184,11 @@ By default, all routes should be forwarded to Livekit with the exception of the

 Start up the services using your usual method - for example `docker compose up -d`.

-## Additional Configuration
+## Additional TURN configuration

-### TURN Integration
+### Using LiveKit's built-in TURN server

-If you've already set up coturn, there may be a port clash between the two services. To fix this, make sure the `min-port` and `max-port` for coturn so it doesn't overlap with LiveKit's range:
-
-```ini
-min-port=50201
-max-port=65535
-```
-
-To improve LiveKit's reliability, you can configure it to use your coturn server.
-
-Generate a long random secret for LiveKit, and add it to your coturn config under the `static-auth-secret` option. You can add as many secrets as you want - so set a different one for each thing using your TURN server.
-
-Then configure livekit, making sure to replace `COTURN_SECRET`:
-
-```yaml
-# livekit.yaml
-rtc:
-  turn_servers:
-    - host: coturn.ellis.link
-      port: 3478
-      protocol: tcp
-      secret: "COTURN_SECRET"
-    - host: coturn.ellis.link
-      port: 5349
-      protocol: tls # Only if you've set up TLS in your coturn
-      secret: "COTURN_SECRET"
-    - host: coturn.ellis.link
-      port: 3478
-      protocol: udp
-      secret: "COTURN_SECRET"
-```
-
-## LiveKit's built in TURN server
-
-Livekit includes a built in TURN server which can be used in place of an external option. This TURN server will only work with Livekit, so you can't use it for legacy Matrix calling - or anything else.
+LiveKit includes a built-in TURN server which can be used in place of an external option. This TURN server will only work with LiveKit, so you can't use it for legacy Matrix calling or anything else.

 If you don't want to set up a separate TURN server, you can enable this with the following changes:

@@ -221,20 +199,175 @@ turn:
  udp_port: 3478
  relay_range_start: 50300
  relay_range_end: 50400
-  domain: matrix-rtc.example.com
+  domain: livekit.example.com
 ```

 ```yaml
-### Add these to docker-compose ###
- "3478:3478/udp"
- "50300-50400:50300-50400/udp"
+### add these to livekit's docker-compose ###
+ports:
+  - "3478:3478/udp"
+  - "50300-50400:50300-50400/udp"
+### if you're using `network_mode: host`, you can skip this part
 ```

-### Related Documentation
+Recreate the LiveKit container (with `docker-compose up -d livekit`) to apply these changes. Remember to allow the new `3478/udp` and `50100:50200/udp` ports through your firewall.

- [LiveKit GitHub](https://github.com/livekit/livekit)
- [LiveKit Connection Tester](https://livekit.io/connection-test) - use with the token returned by `/sfu/get` or `/get_token`
- [MatrixRTC proposal](https://half-shot.github.io/msc-crafter/#msc/4143)
- [Synapse documentation](https://github.com/element-hq/element-call/blob/livekit/docs/self-hosting.md)
- [Community guide](https://tomfos.tr/matrix/livekit/)
- [Community guide](https://blog.kimiblock.top/2024/12/24/hosting-element-call/)
+### Integration with an external TURN server
+
+If you've already [set up coturn](./turn), you can configure Livekit to use it.
+
+:::tip Avoid port clashes between the two services
+
+Before continuing, make sure coturn's `min-port` and `max-port` do not overlap with LiveKit's port range:
+
+```ini
+# in your coturn.conf
+min-port=50201
+max-port=65535
+```
+:::
+
+Generate a long random secret for LiveKit, and add it to your coturn config under the `static-auth-secret` option. You can add as many secrets as you want, so set a different one for LiveKit to use.
+
+Then configure LiveKit, making sure to replace `COTURN_SECRET` with the one you generated:
+
+```yaml
+# livekit.yaml
+rtc:
+  turn_servers:
+    - host: coturn.example.com
+      port: 3478
+      protocol: udp
+      secret: "COTURN_SECRET"
+    - host: coturn.example.com
+      port: 3478
+      protocol: tcp
+      secret: "COTURN_SECRET"
+    - host: coturn.example.com
+      port: 5349
+      protocol: tls # Only if you have already set up TLS in your coturn
+      secret: "COTURN_SECRET"
+```
+
+Restart LiveKit and coturn to apply these changes.
+
+## Testing
+
+To test that LiveKit is successfully integrated with Continuwuity, you will need to replicate its [Token Exchange Flow](https://github.com/element-hq/lk-jwt-service#%EF%B8%8F-how-it-works--token-exchange-flow).
+
+First, you will need an access token for your current login session. These can be found in your client's settings or obtained via [this website](https://timedout.uk/mxtoken.html).
+
+Then, using that token, request another OpenID token for use with the lk-jwt-service:
+
+```bash
+~$ curl -X POST -H "Authorization: Bearer <session-access-token>" \
+  https://matrix.example.com/_matrix/client/v3/user/@user:example.com/openid/request_token
+{"access_token":"<openid_access_token>","token_type":"Bearer","matrix_server_name":"example.com","expires_in":3600}
+```
+
+Next, create a `payload.json` file with the following content:
+
+<details>
+
+<summary>`payload.json`</summary>
+
+```json
+{
+    "room_id": "abc",
+    "slot_id": "xyz",
+    "openid_token": {
+        "matrix_server_name": "example.com",
+        "access_token": "<openid_access_token>",
+        "token_type": "Bearer"
+    },
+    "member": {
+        "id": "xyz",
+        "claimed_device_id": "DEVICEID",
+        "claimed_user_id": "@user:example.com"
+    }
+}
+```
+
+Replace `matrix_server_name` and `claimed_user_id` with your information, and `<openid_access_token>` with the one you got from the previous step. Other values can be left as-is.
+
+</details>
+
+You can then send this payload to the lk-jwt-service:
+
+```bash
+~$ curl -X POST -d @payload.json https://livekit.example.com/get_token
+{"url":"wss://livekit.example.com","jwt":"a_really_really_long_string"}
+```
+
+The lk-jwt-service will, after checking against Continuwuity, answer with a `jwt` token to create a LiveKit media room. Use this token to test at the [LiveKit Connection Tester](https://livekit.io/connection-test). If everything works there, then you have set up LiveKit successfully!
+
+## Troubleshooting
+
+To debug any issues, you can place a call or redo the Testing instructions, and check the container logs for any specific errors. Use `docker-compose logs --follow` to follow them in real-time.
+
+### Common errors in Element Call UI
+
+- `MISSING_MATRIX_RTC_FOCUS`: LiveKit is missing from Continuwuity's config file
+- "Waiting for media" popup always showing: a LiveKit URL has been configured in Continuwuity, but your client cannot connect to it for some reason
+
+### Docker loopback networking issues
+
+Some distros do not allow Docker containers to connect to its host's public IP by default. This would cause `lk-jwt-service` to fail connecting to `livekit` or `continuwuity` on the same host. As a result, you would see connection refused/connection timeouts log entries in the JWT service, even when `LIVEKIT_URL` has been configured correctly.
+
+To alleviate this, you can try one of the following workarounds:
+
+- Use `network_mode: host` for the `lk-jwt-service` container (instead of the default bridge networking).
+
+- Add an `extra_hosts` file mapping livekit's (and continuwuity's) domain name to a localhost address:
+
+    ```diff
+    # in docker-compose.yaml
+    services:
+      lk-jwt-service:
+        ...
+    +    extra_hosts:
+    +     - "livekit.example.com:127.0.0.1"
+    +     - "matrix.example.com:127.0.0.1"
+    ```
+
+- (**untested, use at your own risk**) Implement an iptables workaround as shown [here](https://forums.docker.com/t/unable-to-connect-to-host-service-from-inside-docker-container/145749/6).
+
+After implementing the changes and restarting your compose, you can test whether the connection works by cURLing from a sidecar container:
+
+```bash
+~$ docker run --rm --net container:lk-jwt-service docker.io/curlimages/curl https://livekit.example.com
+OK
+```
+
+### Workaround for non-federating servers
+
+When deploying on servers with federation disabled (`allow_federation = false`), LiveKit will fail as it can't fetch the required [OpenID endpoint](https://spec.matrix.org/v1.17/server-server-api/#get_matrixfederationv1openiduserinfo) via federation paths.
+
+As a workaround, you can enable federation, but forbid all remote servers via the following config parameters:
+
+```toml
+### in your continuwuity.toml file ###
+allow_federation = true
+forbidden_remote_server_names = [".*"]
+```
+
+Subscribe to issue [!1440](https://forgejo.ellis.link/continuwuation/continuwuity/issues/1440) for future updates on this matter.
+
+## Related Documentation
+
+Guides:
+
+- [Element Call self-hosting documentation](https://github.com/element-hq/element-call/blob/livekit/docs/self-hosting.md)
+- [Community guide with overview of LiveKit's mechanisms](https://tomfos.tr/matrix/livekit/)
+- [Community guide using systemd](https://blog.kimiblock.top/2024/12/24/hosting-element-call/)
+
+Specifications:
+
+- [MatrixRTC proposal](https://github.com/matrix-org/matrix-spec-proposals/pull/4143)
+- [LiveKit proposal](https://github.com/matrix-org/matrix-spec-proposals/pull/4195)
+
+Source code:
+
+- [Element Call](https://github.com/element-hq/element-call)
+- [lk-jwt-service](https://github.com/element-hq/lk-jwt-service)
+- [LiveKit server](https://github.com/livekit/livekit)
@@ -1 +0,0 @@
-../CONTRIBUTING.md
@@ -6,6 +6,7 @@ services:
    ### then you are ready to go.
    image: forgejo.ellis.link/continuwuation/continuwuity:latest
    restart: unless-stopped
+    command: /sbin/conduwuit
    volumes:
      - db:/var/lib/continuwuity
      #- ./continuwuity.toml:/etc/continuwuity.toml
@@ -23,6 +23,7 @@ services:
        ### then you are ready to go.
        image: forgejo.ellis.link/continuwuation/continuwuity:latest
        restart: unless-stopped
+        command: /sbin/conduwuit
        volumes:
            - db:/var/lib/continuwuity
            - /etc/resolv.conf:/etc/resolv.conf:ro # Use the host's DNS resolver rather than Docker's.
@@ -6,6 +6,7 @@ services:
    ### then you are ready to go.
    image: forgejo.ellis.link/continuwuation/continuwuity:latest
    restart: unless-stopped
+    command: /sbin/conduwuit
    volumes:
      - db:/var/lib/continuwuity
      - /etc/resolv.conf:/etc/resolv.conf:ro # Use the host's DNS resolver rather than Docker's.
@@ -6,6 +6,7 @@ services:
        ### then you are ready to go.
        image: forgejo.ellis.link/continuwuation/continuwuity:latest
        restart: unless-stopped
+        command: /sbin/conduwuit
        ports:
            - 8448:6167
        volumes:
@@ -78,7 +78,7 @@ docker run -d \
  -e CONTINUWUITY_ALLOW_REGISTRATION="false" \
  --name continuwuity \
  forgejo.ellis.link/continuwuation/continuwuity:latest \
-  --execute "users create-user admin"
+  /sbin/conduwuit --execute "users create-user admin"
 ```

 Replace `matrix.example.com` with your actual server name and `admin` with
@@ -141,7 +141,7 @@ compose file, add under the `continuwuity` service:
 services:
    continuwuity:
        image: forgejo.ellis.link/continuwuation/continuwuity:latest
-        command: --execute "users create-user admin"
+        command: /sbin/conduwuit --execute "users create-user admin"
        # ... rest of configuration
 ```

@@ -39,6 +39,7 @@ spec:
        - name: continuwuity
          # use a sha hash <3
          image: forgejo.ellis.link/continuwuation/continuwuity:latest
+          command: ["/sbin/conduwuit"]
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
@@ -1,203 +0,0 @@
-# Contributing guide
-
-This page is about contributing to Continuwuity. The
-[development](./index.mdx) and [code style guide](./code_style.mdx) pages may be of interest for you as well.
-
-If you would like to work on an [issue][issues] that is not assigned, preferably
-ask in the Matrix room first at [#continuwuity:continuwuity.org][continuwuity-matrix],
-and comment on it.
-
-### Code Style
-
-Please review and follow the [code style guide](./code_style) for formatting, linting, naming conventions, and other code standards.
-
-### Pre-commit Checks
-
-Continuwuity uses pre-commit hooks to enforce various coding standards and catch common issues before they're committed. These checks include:
-
- Code formatting and linting
- Typo detection (both in code and commit messages)
- Checking for large files
- Ensuring proper line endings and no trailing whitespace
- Validating YAML, JSON, and TOML files
- Checking for merge conflicts
-
-You can run these checks locally by installing [prefligit](https://github.com/j178/prefligit):
-
-
-```bash
-# Requires UV: https://docs.astral.sh/uv/getting-started/installation/
-# Mac/linux: curl -LsSf https://astral.sh/uv/install.sh | sh
-# Windows: powershell -ExecutionPolicy ByPass -c "irm https://astral.sh/uv/install.ps1 | iex"
-
-# Install prefligit using cargo-binstall
-cargo binstall prefligit
-
-# Install git hooks to run checks automatically
-prefligit install
-
-# Run all checks
-prefligit --all-files
-```
-
-Alternatively, you can use [pre-commit](https://pre-commit.com/):
-```bash
-# Requires python
-
-# Install pre-commit
-pip install pre-commit
-
-# Install the hooks
-pre-commit install
-
-# Run all checks manually
-pre-commit run --all-files
-```
-
-These same checks are run in CI via the prefligit-checks workflow to ensure consistency. These must pass before the PR is merged.
-
-### Running tests locally
-
-Tests, compilation, and linting can be run with standard Cargo commands:
-
-```bash
-# Run tests
-cargo test
-
-# Check compilation
-cargo check --workspace --features full
-
-# Run lints
-cargo clippy --workspace --features full
-# Auto-fix: cargo clippy --workspace --features full --fix --allow-staged;
-
-# Format code (must use nightly)
-cargo +nightly fmt
-```
-
-### Matrix tests
-
-Continuwuity uses [Complement][complement] for Matrix protocol compliance testing. Complement tests are run manually by developers, and documentation on how to run these tests locally is currently being developed.
-
-If your changes are done to fix Matrix tests, please note that in your pull request. If more Complement tests start failing from your changes, please review the logs and determine if they're intended or not.
-
-[Sytest][sytest] is currently unsupported.
-
-### Writing documentation
-
-Continuwuity's website uses [`mdbook`][mdbook] and is deployed via CI using Cloudflare Pages
-in the [`documentation.yml`][documentation.yml] workflow file. All documentation is in the `docs/`
-directory at the top level.
-
-To build the documentation locally:
-
-1. Install mdbook if you don't have it already:
-   ```bash
-   cargo install mdbook # or cargo binstall, or another method
-   ```
-
-2. Build the documentation:
-   ```bash
-   mdbook build
-   ```
-
-The output of the mdbook generation is in `public/`. You can open the HTML files directly in your browser without needing a web server.
-
-
-### Commit Messages
-
-Continuwuity follows the [Conventional Commits](https://www.conventionalcommits.org/) specification for commit messages. This provides a standardized format that makes the commit history more readable and enables automated tools to generate changelogs.
-
-The basic structure is:
-
-```
-<type>[(optional scope)]: <description>
-
-[optional body]
-
-[optional footer(s)]
-```
-
-The allowed types for commits are:
- `fix`: Bug fixes
- `feat`: New features
- `docs`: Documentation changes
- `style`: Changes that don't affect the meaning of the code (formatting, etc.)
- `refactor`: Code changes that neither fix bugs nor add features
- `perf`: Performance improvements
- `test`: Adding or fixing tests
- `build`: Changes to the build system or dependencies
- `ci`: Changes to CI configuration
- `chore`: Other changes that don't modify source or test files
-
-Examples:
-```
-feat: add user authentication
-fix(database): resolve connection pooling issue
-docs: update installation instructions
-```
-
-The project uses the `committed` hook to validate commit messages in pre-commit. This ensures all commits follow the conventional format.
-
-### Creating pull requests
-
-Please try to keep contributions to the Forgejo Instance. While the mirrors of continuwuity
-allow for pull/merge requests, there is no guarantee the maintainers will see them in a timely
-manner. Additionally, please mark WIP or unfinished or incomplete PRs as drafts.
-This prevents us from having to ping once in a while to double check the status
-of it, especially when the CI completed successfully and everything so it
-*looks* done.
-
-Before submitting a pull request, please ensure:
-1. Your code passes all CI checks (formatting, linting, typo detection, etc.). Run pre-commit for this.
-2. Your code follows the [code style guide](./code_style)
-3. Your commit messages follow the conventional commits format
-4. Tests are added for new functionality
-5. Documentation is updated if needed
-6. You have written a [news fragment](#writing-news-fragments) for your changes
-
-Direct all PRs/MRs to the `main` branch.
-
-By sending a pull request or patch, you are agreeing that your changes are
-allowed to be licenced under the Apache-2.0 licence and all of your conduct is
-in line with the Contributor's Covenant, and continuwuity's Code of Conduct.
-
-Contribution by users who violate either of these code of conducts may not have
-their contributions accepted. This includes users who have been banned from
-continuwuity Matrix rooms for Code of Conduct violations.
-
-[issues]: https://forgejo.ellis.link/continuwuation/continuwuity/issues
-[continuwuity-matrix]: https://matrix.to/#/#continuwuity:continuwuity.org?via=continuwuity.org&via=ellis.link&via=explodie.org&via=matrix.org
-[complement]: https://github.com/matrix-org/complement/
-[sytest]: https://github.com/matrix-org/sytest/
-[mdbook]: https://rust-lang.github.io/mdBook/
-[documentation.yml]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/.forgejo/workflows/documentation.yml
-
-#### Writing news fragments
-
-In order to make writing our changelogs easier, we make use of [Towncrier]. Towncrier builds changelogs based on
-"news fragments", which are little markdown files in the `changelog.d/` directory that describe individual changes.
-
-When you make a pull request that changes functionality, fixes a bug, or adds documentation, please add a news fragment
-describing your change. The file name *MUST* be in the format of `{pull_request_number}.{type}`, where `{type}` is one
-of the following:
-
- `feature` - for new features
- `bugfix` - for bug fixes
- `doc` - for documentation changes
- `misc` - for other changes that don't fit the above categories
-
-For example:
-
-```bash
-$ echo "Fixed the quantum flux stabiliser. Contributed by @alice." > changelog.d/42.bugfix
-```
-
-(Note: If you want to credit yourself, you should reference your forgejo handle, however links to other platforms are also acceptable.)
-
-When the next release is made, Towncrier will automatically include your news fragment in the changelog.
-
-You can read more about writing news fragments in the [Towncrier tutorial][tt].
-
-[Towncrier]: https://towncrier.readthedocs.io/
-[tt]: https://towncrier.readthedocs.io/en/stable/tutorial.html#creating-news-fragments
@@ -0,0 +1 @@
+../../CONTRIBUTING.md
@@ -1 +1 @@
-{"m.homeserver":{"base_url": "https://matrix.continuwuity.org"},"org.matrix.msc3575.proxy":{"url": "https://matrix.continuwuity.org"},"org.matrix.msc4143.rtc_foci":[{"type":"livekit","livekit_service_url":"https://livekit.ellis.link"}]}
+{"m.homeserver":{"base_url": "https://matrix.continuwuity.org"},"org.matrix.msc4143.rtc_foci":[{"type":"livekit","livekit_service_url":"https://livekit.ellis.link"}]}
@@ -1,6 +1,6 @@
 {
    "$schema": "http://json-schema.org/draft-04/schema#",
-    "$id": "https://continwuity.org/schema/announcements.schema.json",
+    "$id": "https://continuwuity.org/schema/announcements.schema.json",
    "type": "object",
    "properties": {
      "announcements": {
@@ -3,11 +3,11 @@
    "advisory-db": {
      "flake": false,
      "locked": {
-        "lastModified": 1772776993,
-        "narHash": "sha256-CpBa+UpogN0Xn1gMmgqQrzKGee+E8TCkgHar8/w6CRk=",
+        "lastModified": 1773786698,
+        "narHash": "sha256-o/J7ZculgwSs1L4H4UFlFZENOXTJzq1X0n71x6oNNvY=",
        "owner": "rustsec",
        "repo": "advisory-db",
-        "rev": "b3472341e37cbd4b8c27b052b2abb34792f4d3c4",
+        "rev": "99e9de91bb8b61f06ef234ff84e11f758ecd5384",
        "type": "github"
      },
      "original": {
@@ -18,11 +18,11 @@
    },
    "crane": {
      "locked": {
-        "lastModified": 1772560058,
-        "narHash": "sha256-NuVKdMBJldwUXgghYpzIWJdfeB7ccsu1CC7B+NfSoZ8=",
+        "lastModified": 1773189535,
+        "narHash": "sha256-E1G/Or6MWeP+L6mpQ0iTFLpzSzlpGrITfU2220Gq47g=",
        "owner": "ipetkov",
        "repo": "crane",
-        "rev": "db590d9286ed5ce22017541e36132eab4e8b3045",
+        "rev": "6fa2fb4cf4a89ba49fc9dd5a3eb6cde99d388269",
        "type": "github"
      },
      "original": {
@@ -39,11 +39,11 @@
        "rust-analyzer-src": "rust-analyzer-src"
      },
      "locked": {
-        "lastModified": 1772953398,
-        "narHash": "sha256-fTTHCaEvPLzWyZFxPud/G9HM3pNYmW/64Kj58hdH4+k=",
+        "lastModified": 1773732206,
+        "narHash": "sha256-HKibxaUXyWd4Hs+ZUnwo6XslvaFqFqJh66uL9tphU4Q=",
        "owner": "nix-community",
        "repo": "fenix",
-        "rev": "fc4863887d98fd879cf5f11af1d23d44d9bdd8ae",
+        "rev": "0aa13c1b54063a8d8679b28a5cd357ba98f4a56b",
        "type": "github"
      },
      "original": {
@@ -89,11 +89,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1772773019,
-        "narHash": "sha256-E1bxHxNKfDoQUuvriG71+f+s/NT0qWkImXsYZNFFfCs=",
+        "lastModified": 1773734432,
+        "narHash": "sha256-IF5ppUWh6gHGHYDbtVUyhwy/i7D261P7fWD1bPefOsw=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "aca4d95fce4914b3892661bcb80b8087293536c6",
+        "rev": "cda48547b432e8d3b18b4180ba07473762ec8558",
        "type": "github"
      },
      "original": {
@@ -132,11 +132,11 @@
    "rust-analyzer-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1772877513,
-        "narHash": "sha256-RcRGv2Bng5I9y75XwFX7oK2l6mLH1dtbTTG9U8qun0c=",
+        "lastModified": 1773697963,
+        "narHash": "sha256-xdKI77It9PM6eNrCcDZsnP4SKulZwk8VkDgBRVMnCb8=",
        "owner": "rust-lang",
        "repo": "rust-analyzer",
-        "rev": "a1b86d600f88be98643e5dd61d6ed26eda17c09e",
+        "rev": "2993637174252ff60a582fd1f55b9ab52c39db6d",
        "type": "github"
      },
      "original": {
@@ -153,11 +153,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1772660329,
-        "narHash": "sha256-IjU1FxYqm+VDe5qIOxoW+pISBlGvVApRjiw/Y/ttJzY=",
+        "lastModified": 1773297127,
+        "narHash": "sha256-6E/yhXP7Oy/NbXtf1ktzmU8SdVqJQ09HC/48ebEGBpk=",
        "owner": "numtide",
        "repo": "treefmt-nix",
-        "rev": "3710e0e1218041bbad640352a0440114b1e10428",
+        "rev": "71b125cd05fbfd78cab3e070b73544abe24c5016",
        "type": "github"
      },
      "original": {
@@ -15,7 +15,7 @@
            file = inputs.self + "/rust-toolchain.toml";

            # See also `rust-toolchain.toml`
-            sha256 = "sha256-SJwZ8g0zF2WrKDVmHrVG3pD2RGoQeo24MEXnNx5FyuI=";
+            sha256 = "sha256-sqSWJDUxc+zaz1nBWMAJKTAGBuGWP25GCftIOlCEAtA=";
          };
        in
        {
@@ -17,6 +17,7 @@
      # basic nix shell containing all things necessary to build continuwuity in all flavors manually (on x86_64-linux)
      devShells.default = uwulib.build.craneLib.devShell {
        packages = [
+          pkgs.nodejs
          pkgs.pkg-config
          pkgs.liburing
          pkgs.rust-jemalloc-sys-unprefixed
@@ -12,25 +12,25 @@
        "@rspress/core": "^2.0.0",
        "@rspress/plugin-client-redirects": "^2.0.0",
        "@rspress/plugin-sitemap": "^2.0.0",
-        "typescript": "^5.9.3"
+        "typescript": "^6.0.0"
      }
    },
    "node_modules/@emnapi/core": {
-      "version": "1.8.1",
-      "resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.8.1.tgz",
-      "integrity": "sha512-AvT9QFpxK0Zd8J0jopedNm+w/2fIzvtPKPjqyw9jwvBaReTTqPBk9Hixaz7KbjimP+QNz605/XnjFcDAL2pqBg==",
+      "version": "1.9.1",
+      "resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.9.1.tgz",
+      "integrity": "sha512-mukuNALVsoix/w1BJwFzwXBN/dHeejQtuVzcDsfOEsdpCumXb/E9j8w11h5S54tT1xhifGfbbSm/ICrObRb3KA==",
      "dev": true,
      "license": "MIT",
      "optional": true,
      "dependencies": {
-        "@emnapi/wasi-threads": "1.1.0",
+        "@emnapi/wasi-threads": "1.2.0",
        "tslib": "^2.4.0"
      }
    },
    "node_modules/@emnapi/runtime": {
-      "version": "1.8.1",
-      "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.8.1.tgz",
-      "integrity": "sha512-mehfKSMWjjNol8659Z8KxEMrdSJDDot5SXMq00dM8BN4o+CLNXQ0xH2V7EchNHV4RmbZLmmPdEaXZc5H2FXmDg==",
+      "version": "1.9.1",
+      "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.9.1.tgz",
+      "integrity": "sha512-VYi5+ZVLhpgK4hQ0TAjiQiZ6ol0oe4mBx7mVv7IflsiEp0OWoVsp/+f9Vc1hOhE0TtkORVrI1GvzyreqpgWtkA==",
      "dev": true,
      "license": "MIT",
      "optional": true,
@@ -39,9 +39,9 @@
      }
    },
    "node_modules/@emnapi/wasi-threads": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/@emnapi/wasi-threads/-/wasi-threads-1.1.0.tgz",
-      "integrity": "sha512-WI0DdZ8xFSbgMjR1sFsKABJ/C5OnRrjT06JXbZKexJGrDuPTzZdDYfFlsgcCXCyf+suG5QU2e/y1Wo2V/OapLQ==",
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/@emnapi/wasi-threads/-/wasi-threads-1.2.0.tgz",
+      "integrity": "sha512-N10dEJNSsUx41Z6pZsXU8FjPjpBEplgH24sfkmITrBED1/U2Esum9F3lfLrMjKHHjmi557zQn7kR9R+XWXu5Rg==",
      "dev": true,
      "license": "MIT",
      "optional": true,
@@ -106,26 +106,30 @@
      }
    },
    "node_modules/@napi-rs/wasm-runtime": {
-      "version": "1.0.7",
-      "resolved": "https://registry.npmjs.org/@napi-rs/wasm-runtime/-/wasm-runtime-1.0.7.tgz",
-      "integrity": "sha512-SeDnOO0Tk7Okiq6DbXmmBODgOAb9dp9gjlphokTUxmt8U3liIP1ZsozBahH69j/RJv+Rfs6IwUKHTgQYJ/HBAw==",
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/@napi-rs/wasm-runtime/-/wasm-runtime-1.1.1.tgz",
+      "integrity": "sha512-p64ah1M1ld8xjWv3qbvFwHiFVWrq1yFvV4f7w+mzaqiR4IlSgkqhcRdHwsGgomwzBH51sRY4NEowLxnaBjcW/A==",
      "dev": true,
      "license": "MIT",
      "optional": true,
      "dependencies": {
-        "@emnapi/core": "^1.5.0",
-        "@emnapi/runtime": "^1.5.0",
+        "@emnapi/core": "^1.7.1",
+        "@emnapi/runtime": "^1.7.1",
        "@tybys/wasm-util": "^0.10.1"
+      },
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/Brooooooklyn"
      }
    },
    "node_modules/@rsbuild/core": {
-      "version": "2.0.0-beta.6",
-      "resolved": "https://registry.npmjs.org/@rsbuild/core/-/core-2.0.0-beta.6.tgz",
-      "integrity": "sha512-DUBhUzvzj6xlGUAHTTipFskSuZmVEuTX7lGU+ToPuo8n3bsQrWn/UBOEQAd45g66k7QfXadoZ/v7eodQErpvGQ==",
+      "version": "2.0.0-beta.10",
+      "resolved": "https://registry.npmjs.org/@rsbuild/core/-/core-2.0.0-beta.10.tgz",
+      "integrity": "sha512-6xalOGzWjamJQvC+qnAipo6azfW3cn9JSRSkTMBz/hiXFzcfy54GX31gCDhRY0TooEisyJ2wbGWjGcT8zPwwxg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@rspack/core": "2.0.0-beta.3",
+        "@rspack/core": "2.0.0-beta.8",
        "@swc/helpers": "^0.5.19"
      },
      "bin": {
@@ -144,42 +148,47 @@
      }
    },
    "node_modules/@rsbuild/plugin-react": {
-      "version": "1.4.5",
-      "resolved": "https://registry.npmjs.org/@rsbuild/plugin-react/-/plugin-react-1.4.5.tgz",
-      "integrity": "sha512-eS2sXCedgGA/7bLu8yVtn48eE/GyPbXx4Q7OcutB01IQ1D2y8WSMBys4nwfrecy19utvw4NPn4gYDy52316+vg==",
+      "version": "1.4.6",
+      "resolved": "https://registry.npmjs.org/@rsbuild/plugin-react/-/plugin-react-1.4.6.tgz",
+      "integrity": "sha512-LAT6xHlEyZKA0VjF/ph5d50iyG+WSmBx+7g98HNZUwb94VeeTMZFB8qVptTkbIRMss3BNKOXmHOu71Lhsh9oEw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@rspack/plugin-react-refresh": "^1.6.0",
+        "@rspack/plugin-react-refresh": "^1.6.1",
        "react-refresh": "^0.18.0"
      },
      "peerDependencies": {
        "@rsbuild/core": "^1.0.0 || ^2.0.0-0"
+      },
+      "peerDependenciesMeta": {
+        "@rsbuild/core": {
+          "optional": true
+        }
      }
    },
    "node_modules/@rspack/binding": {
-      "version": "2.0.0-beta.3",
-      "resolved": "https://registry.npmjs.org/@rspack/binding/-/binding-2.0.0-beta.3.tgz",
-      "integrity": "sha512-GSj+d8AlLs1oElhYq32vIN/eAsxWG9jy0EiNgSxWTt5Gdamv87kcvsV4jwfWIjlltdnBIJgey2RnU+hDZlTAvw==",
+      "version": "2.0.0-beta.8",
+      "resolved": "https://registry.npmjs.org/@rspack/binding/-/binding-2.0.0-beta.8.tgz",
+      "integrity": "sha512-6tG/yYhUIF1zcEF7qw9GPA1Bwj5gq+Hqy4OzVzIBUWOn/2bKsFTWuorEJh8Yx1LwOnjNO7O+NbsATvk5zEOGKQ==",
      "dev": true,
      "license": "MIT",
      "optionalDependencies": {
-        "@rspack/binding-darwin-arm64": "2.0.0-beta.3",
-        "@rspack/binding-darwin-x64": "2.0.0-beta.3",
-        "@rspack/binding-linux-arm64-gnu": "2.0.0-beta.3",
-        "@rspack/binding-linux-arm64-musl": "2.0.0-beta.3",
-        "@rspack/binding-linux-x64-gnu": "2.0.0-beta.3",
-        "@rspack/binding-linux-x64-musl": "2.0.0-beta.3",
-        "@rspack/binding-wasm32-wasi": "2.0.0-beta.3",
-        "@rspack/binding-win32-arm64-msvc": "2.0.0-beta.3",
-        "@rspack/binding-win32-ia32-msvc": "2.0.0-beta.3",
-        "@rspack/binding-win32-x64-msvc": "2.0.0-beta.3"
+        "@rspack/binding-darwin-arm64": "2.0.0-beta.8",
+        "@rspack/binding-darwin-x64": "2.0.0-beta.8",
+        "@rspack/binding-linux-arm64-gnu": "2.0.0-beta.8",
+        "@rspack/binding-linux-arm64-musl": "2.0.0-beta.8",
+        "@rspack/binding-linux-x64-gnu": "2.0.0-beta.8",
+        "@rspack/binding-linux-x64-musl": "2.0.0-beta.8",
+        "@rspack/binding-wasm32-wasi": "2.0.0-beta.8",
+        "@rspack/binding-win32-arm64-msvc": "2.0.0-beta.8",
+        "@rspack/binding-win32-ia32-msvc": "2.0.0-beta.8",
+        "@rspack/binding-win32-x64-msvc": "2.0.0-beta.8"
      }
    },
    "node_modules/@rspack/binding-darwin-arm64": {
-      "version": "2.0.0-beta.3",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-darwin-arm64/-/binding-darwin-arm64-2.0.0-beta.3.tgz",
-      "integrity": "sha512-QebSomLWlCbFsC0sfDuGqLJtkgyrnr38vrCepWukaAXIY4ANy5QB49LDKdLpVv6bKlC95MpnW37NvSNWY5GMYA==",
+      "version": "2.0.0-beta.8",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-darwin-arm64/-/binding-darwin-arm64-2.0.0-beta.8.tgz",
+      "integrity": "sha512-h3x2GreEh8J36A3cWFeHZGTuz4vjUArk9dBDq8fZSyaUQQQox/lp8bUOGa/2YuYUOXk0gei2GN+/BVi2R5p39A==",
      "cpu": [
        "arm64"
      ],
@@ -191,9 +200,9 @@
      ]
    },
    "node_modules/@rspack/binding-darwin-x64": {
-      "version": "2.0.0-beta.3",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-darwin-x64/-/binding-darwin-x64-2.0.0-beta.3.tgz",
-      "integrity": "sha512-EysmBq+sz+Ph0bu0gXpU1uuZG9gXgjqY+w3MJel+ieTFyQO3L/R56V32McgssMbheJbYcviDDn7Tz4D+lTvdJA==",
+      "version": "2.0.0-beta.8",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-darwin-x64/-/binding-darwin-x64-2.0.0-beta.8.tgz",
+      "integrity": "sha512-+XTA37+FZjXgwxkNX94T/EqspFO8Q3Km4CklQ3nOQzieMi31w+TLBB0uTsnT1ugp0UTN5PHLd4DFK1SQB7Ckbg==",
      "cpu": [
        "x64"
      ],
@@ -205,13 +214,16 @@
      ]
    },
    "node_modules/@rspack/binding-linux-arm64-gnu": {
-      "version": "2.0.0-beta.3",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-2.0.0-beta.3.tgz",
-      "integrity": "sha512-iFPj4TQZKewnqWPfTbyk3F8QCBI/Edv7TVSRIPBHRnCM0lvYZl/8IZlUzXSamLvrtDpouF0nUzht/fktoWOhAg==",
+      "version": "2.0.0-beta.8",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-2.0.0-beta.8.tgz",
+      "integrity": "sha512-vD2+ztbMmeBR65jBlwUZCNIjUzO0exp/LaPSMIhLlqPlk670gMCQ7fmKo3tSgQ9tobfizEA/Atdy3/lW1Rl64A==",
      "cpu": [
        "arm64"
      ],
      "dev": true,
+      "libc": [
+        "glibc"
+      ],
      "license": "MIT",
      "optional": true,
      "os": [
@@ -219,13 +231,16 @@
      ]
    },
    "node_modules/@rspack/binding-linux-arm64-musl": {
-      "version": "2.0.0-beta.3",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-musl/-/binding-linux-arm64-musl-2.0.0-beta.3.tgz",
-      "integrity": "sha512-355mygfCNb0eF/y4HgtJcd0i9csNTG4Z15PCCplIkSAKJpFpkORM2xJb50BqsbhVafYl6AHoBlGWAo9iIzUb/w==",
+      "version": "2.0.0-beta.8",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-musl/-/binding-linux-arm64-musl-2.0.0-beta.8.tgz",
+      "integrity": "sha512-jJ1XB7Yz9YdPRA6MJ35S9/mb+3jeI4p9v78E3dexzCPA3G4X7WXbyOcRbUlYcyOlE5MtX5O19rDexqWlkD9tVw==",
      "cpu": [
        "arm64"
      ],
      "dev": true,
+      "libc": [
+        "musl"
+      ],
      "license": "MIT",
      "optional": true,
      "os": [
@@ -233,13 +248,16 @@
      ]
    },
    "node_modules/@rspack/binding-linux-x64-gnu": {
-      "version": "2.0.0-beta.3",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-gnu/-/binding-linux-x64-gnu-2.0.0-beta.3.tgz",
-      "integrity": "sha512-U8a+bcP/tkMyiwiO9XfeRYYO20YPGiZNxWWt7FEsdmRuRAl6M+EmWaJllJFQtKH+GG8IN93pNoVPMvARjLoJOQ==",
+      "version": "2.0.0-beta.8",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-gnu/-/binding-linux-x64-gnu-2.0.0-beta.8.tgz",
+      "integrity": "sha512-qy+fK/tiYw3KvGjTGGMu/mWOdvBYrMO8xva/ouiaRTrx64PPZ6vyqFXOUfHj9rhY5L6aU2NTObpV6HZHcBtmhQ==",
      "cpu": [
        "x64"
      ],
      "dev": true,
+      "libc": [
+        "glibc"
+      ],
      "license": "MIT",
      "optional": true,
      "os": [
@@ -247,13 +265,16 @@
      ]
    },
    "node_modules/@rspack/binding-linux-x64-musl": {
-      "version": "2.0.0-beta.3",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-musl/-/binding-linux-x64-musl-2.0.0-beta.3.tgz",
-      "integrity": "sha512-g81rqkaqDFRTID2VrHBYeM+xZe8yWov7IcryTrl9RGXXr61s+6Tu/mWyM378PuHOCyMNu7G3blVaSjLvKauG6Q==",
+      "version": "2.0.0-beta.8",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-musl/-/binding-linux-x64-musl-2.0.0-beta.8.tgz",
+      "integrity": "sha512-eJF1IsayHhsURu5Dp6fzdr5jYGeJmoREOZAc9UV3aEqY6zNAcWgZT1RwKCCujJylmHgCTCOuxqdK/VdFJqWDyw==",
      "cpu": [
        "x64"
      ],
      "dev": true,
+      "libc": [
+        "musl"
+      ],
      "license": "MIT",
      "optional": true,
      "os": [
@@ -261,9 +282,9 @@
      ]
    },
    "node_modules/@rspack/binding-wasm32-wasi": {
-      "version": "2.0.0-beta.3",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-wasm32-wasi/-/binding-wasm32-wasi-2.0.0-beta.3.tgz",
-      "integrity": "sha512-tzGd8H2oj5F3oR/Hxp+J68zVU/nG+9ndH2KK3/RieVjNAiVNHCR0/ZU9D47s6fnmvWOqAQ1qO8gnVoVLopC4YA==",
+      "version": "2.0.0-beta.8",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-wasm32-wasi/-/binding-wasm32-wasi-2.0.0-beta.8.tgz",
+      "integrity": "sha512-HssdOQE8i+nUWoK+NDeD5OSyNxf80k3elKCl/due3WunoNn0h6tUTSZ8QB+bhcT4tjH9vTbibWZIT91avtvUNw==",
      "cpu": [
        "wasm32"
      ],
@@ -271,13 +292,13 @@
      "license": "MIT",
      "optional": true,
      "dependencies": {
-        "@napi-rs/wasm-runtime": "1.0.7"
+        "@napi-rs/wasm-runtime": "1.1.1"
      }
    },
    "node_modules/@rspack/binding-win32-arm64-msvc": {
-      "version": "2.0.0-beta.3",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-2.0.0-beta.3.tgz",
-      "integrity": "sha512-TZZRSWa34sm5WyoQHwnyBjLJ4w3fcWRYA9ybYjSVWjUU6tVGdMiHiZp+WexUpIETvChLXU1JENNmBg/U7wvZEA==",
+      "version": "2.0.0-beta.8",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-2.0.0-beta.8.tgz",
+      "integrity": "sha512-RuHbXuIMJr0ANMFoGXIb3sUZE5VwIsJw70u3TKPwfoaOFiJjgW7Pi2JTLPoTYfOlE+CNcu2ldX8VJRBbktR4NA==",
      "cpu": [
        "arm64"
      ],
@@ -289,9 +310,9 @@
      ]
    },
    "node_modules/@rspack/binding-win32-ia32-msvc": {
-      "version": "2.0.0-beta.3",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-ia32-msvc/-/binding-win32-ia32-msvc-2.0.0-beta.3.tgz",
-      "integrity": "sha512-VFnfdbJhyl6gNW1VzTyd1ZrHCboHPR7vrOalEsulQRqVNbtDkjm1sqLHtDcLmhTEv0a9r4lli8uubWDwmel8KQ==",
+      "version": "2.0.0-beta.8",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-ia32-msvc/-/binding-win32-ia32-msvc-2.0.0-beta.8.tgz",
+      "integrity": "sha512-ajzIOk30zjTKPiay+d6oV7lqzzqdgIXQhDD5YtcOqPn7NTh7949EB1NZX5l3Ueh1m8k4DSe7n07qFLjHDhZ8jw==",
      "cpu": [
        "ia32"
      ],
@@ -303,9 +324,9 @@
      ]
    },
    "node_modules/@rspack/binding-win32-x64-msvc": {
-      "version": "2.0.0-beta.3",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-x64-msvc/-/binding-win32-x64-msvc-2.0.0-beta.3.tgz",
-      "integrity": "sha512-rwZ6Y3b3oqPj+ZDPPRxr3136HUPKDSlPQa4v7bBOPLDlrFDFOynMIEqDUUi5+8lPaUQ8WWR0aJK4cgcTTT0Siw==",
+      "version": "2.0.0-beta.8",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-x64-msvc/-/binding-win32-x64-msvc-2.0.0-beta.8.tgz",
+      "integrity": "sha512-MqPuHCbxyLSEjavbhYapHs7cvs2zSA9GKd8nJtDuSMmDTVHFzwHfUXTffUMFB4JTCAvdpMn8XtOG/UOW5QVRCA==",
      "cpu": [
        "x64"
      ],
@@ -317,13 +338,13 @@
      ]
    },
    "node_modules/@rspack/core": {
-      "version": "2.0.0-beta.3",
-      "resolved": "https://registry.npmjs.org/@rspack/core/-/core-2.0.0-beta.3.tgz",
-      "integrity": "sha512-VuLteRIesuyFFTXZaciUY0lwDZiwMc7JcpE8guvjArztDhtpVvlaOcLlVBp/Yza8c/Tk8Dxwe1ARzFL7xG1/0w==",
+      "version": "2.0.0-beta.8",
+      "resolved": "https://registry.npmjs.org/@rspack/core/-/core-2.0.0-beta.8.tgz",
+      "integrity": "sha512-GHiMNhcxfzJV3DqxIYYjiBGzhFkwwt+jSJl8+aVFRbQM0AYRdZJSfQDH4G5rHD1gO2yc3ktOOMHYnZWNtXCwdA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@rspack/binding": "2.0.0-beta.3"
+        "@rspack/binding": "2.0.0-beta.8"
      },
      "engines": {
        "node": "^20.19.0 || >=22.12.0"
@@ -362,20 +383,20 @@
      }
    },
    "node_modules/@rspress/core": {
-      "version": "2.0.5",
-      "resolved": "https://registry.npmjs.org/@rspress/core/-/core-2.0.5.tgz",
-      "integrity": "sha512-2ezGmANmIrWmhsUrvlRb9Df4xsun1BDgEertDc890aQqtKcNrbu+TBRsOoO+E/N6ioavun7JGGe1wWjvxubCHw==",
+      "version": "2.0.7",
+      "resolved": "https://registry.npmjs.org/@rspress/core/-/core-2.0.7.tgz",
+      "integrity": "sha512-+HH6EVSs1SVvm+6l78lluK8u70ihKVX26VHEqYJzTBHLtipMXllmX2mfkjCoATEP2uqU+es4xSPurss+AztHWg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@mdx-js/mdx": "^3.1.1",
        "@mdx-js/react": "^3.1.1",
-        "@rsbuild/core": "2.0.0-beta.6",
-        "@rsbuild/plugin-react": "~1.4.5",
-        "@rspress/shared": "2.0.5",
-        "@shikijs/rehype": "^4.0.1",
+        "@rsbuild/core": "2.0.0-beta.10",
+        "@rsbuild/plugin-react": "~1.4.6",
+        "@rspress/shared": "2.0.7",
+        "@shikijs/rehype": "^4.0.2",
        "@types/unist": "^3.0.3",
-        "@unhead/react": "^2.1.9",
+        "@unhead/react": "^2.1.12",
        "body-scroll-lock": "4.0.0-beta.0",
        "cac": "^7.0.0",
        "chokidar": "^3.6.0",
@@ -406,7 +427,7 @@
        "remark-parse": "^11.0.0",
        "remark-stringify": "^11.0.0",
        "scroll-into-view-if-needed": "^3.1.0",
-        "shiki": "^4.0.1",
+        "shiki": "^4.0.2",
        "tinyglobby": "^0.2.15",
        "tinypool": "^1.1.1",
        "unified": "^11.0.5",
@@ -422,40 +443,40 @@
      }
    },
    "node_modules/@rspress/plugin-client-redirects": {
-      "version": "2.0.5",
-      "resolved": "https://registry.npmjs.org/@rspress/plugin-client-redirects/-/plugin-client-redirects-2.0.5.tgz",
-      "integrity": "sha512-sxwWzwHPefSPWUyV6/AA/hBlQUeNFntL8dBQi/vZCQiZHM6ShvKbqa3s5Xu2yI7DeFKHH3jb0VGbjufu8M3Ypw==",
+      "version": "2.0.7",
+      "resolved": "https://registry.npmjs.org/@rspress/plugin-client-redirects/-/plugin-client-redirects-2.0.7.tgz",
+      "integrity": "sha512-fH8HMUktt5ar6alSpGSDE/+dgY+TU/h0bW+4ntysUApKodNF1vg4ta60qju+5guWeRXD/35nH6rMV2Z0nW9BfQ==",
      "dev": true,
      "license": "MIT",
      "engines": {
        "node": "^20.19.0 || >=22.12.0"
      },
      "peerDependencies": {
-        "@rspress/core": "^2.0.5"
+        "@rspress/core": "^2.0.7"
      }
    },
    "node_modules/@rspress/plugin-sitemap": {
-      "version": "2.0.5",
-      "resolved": "https://registry.npmjs.org/@rspress/plugin-sitemap/-/plugin-sitemap-2.0.5.tgz",
-      "integrity": "sha512-wBxKL8sNd3bkKFxlFtB1xJ7jCtSRDL6pfVvWsmTIbTNDPCtefd1nmiMBIDMLOR8EflwuStIz3bMQXdWpbC7ahA==",
+      "version": "2.0.7",
+      "resolved": "https://registry.npmjs.org/@rspress/plugin-sitemap/-/plugin-sitemap-2.0.7.tgz",
+      "integrity": "sha512-K4Y8yhpiQkF+cbpfgVhdj/sfwq0K/12AusT06gfVSdJV7R4GvJO28y1GxfrsHlki8nopWu8Zqfqb3dcrNlccfA==",
      "dev": true,
      "license": "MIT",
      "engines": {
        "node": "^20.19.0 || >=22.12.0"
      },
      "peerDependencies": {
-        "@rspress/core": "^2.0.5"
+        "@rspress/core": "^2.0.7"
      }
    },
    "node_modules/@rspress/shared": {
-      "version": "2.0.5",
-      "resolved": "https://registry.npmjs.org/@rspress/shared/-/shared-2.0.5.tgz",
-      "integrity": "sha512-Wdhh+VjU8zJWoVLhv9KJTRAZQ4X2V/Z81Lo2D0hQsa0Kj5F3EaxlMt5/dhX7DoflqNuZPZk/e7CSUB+gO/Umlg==",
+      "version": "2.0.7",
+      "resolved": "https://registry.npmjs.org/@rspress/shared/-/shared-2.0.7.tgz",
+      "integrity": "sha512-x7OqCGP5Ir1/X+6fvhtApw/ObHfwVIdWne6LlX3GGUHyHF+01yci6vrUzEP2R6PainnqySzW2+345C6zZ3dZuA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@rsbuild/core": "2.0.0-beta.6",
-        "@shikijs/rehype": "^4.0.1",
+        "@rsbuild/core": "2.0.0-beta.10",
+        "@shikijs/rehype": "^4.0.2",
        "gray-matter": "4.0.3",
        "lodash-es": "^4.17.23",
        "unified": "^11.0.5"
@@ -695,13 +716,13 @@
      "license": "ISC"
    },
    "node_modules/@unhead/react": {
-      "version": "2.1.10",
-      "resolved": "https://registry.npmjs.org/@unhead/react/-/react-2.1.10.tgz",
-      "integrity": "sha512-z9IzzkaCI1GyiBwVRMt4dGc2mOvsj9drbAdXGMy6DWpu9FwTR37ZTmAi7UeCVyIkpVdIaNalz7vkbvGG8afFng==",
+      "version": "2.1.12",
+      "resolved": "https://registry.npmjs.org/@unhead/react/-/react-2.1.12.tgz",
+      "integrity": "sha512-1xXFrxyw29f+kScXfEb0GxjlgtnHxoYau0qpW9k8sgWhQUNnE5gNaH3u+rNhd5IqhyvbdDRJpQ25zoz0HIyGaw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "unhead": "2.1.10"
+        "unhead": "2.1.12"
      },
      "funding": {
        "url": "https://github.com/sponsors/harlan-zw"
@@ -1573,9 +1594,9 @@
      }
    },
    "node_modules/hookable": {
-      "version": "6.0.1",
-      "resolved": "https://registry.npmjs.org/hookable/-/hookable-6.0.1.tgz",
-      "integrity": "sha512-uKGyY8BuzN/a5gvzvA+3FVWo0+wUjgtfSdnmjtrOVwQCZPHpHDH2WRO3VZSOeluYrHoDCiXFffZXs8Dj1ULWtw==",
+      "version": "6.1.0",
+      "resolved": "https://registry.npmjs.org/hookable/-/hookable-6.1.0.tgz",
+      "integrity": "sha512-ZoKZSJgu8voGK2geJS+6YtYjvIzu9AOM/KZXsBxr83uhLL++e9pEv/dlgwgy3dvHg06kTz6JOh1hk3C8Ceiymw==",
      "dev": true,
      "license": "MIT"
    },
@@ -2978,14 +2999,14 @@
      "license": "MIT"
    },
    "node_modules/oniguruma-to-es": {
-      "version": "4.3.4",
-      "resolved": "https://registry.npmjs.org/oniguruma-to-es/-/oniguruma-to-es-4.3.4.tgz",
-      "integrity": "sha512-3VhUGN3w2eYxnTzHn+ikMI+fp/96KoRSVK9/kMTcFqj1NRDh2IhQCKvYxDnWePKRXY/AqH+Fuiyb7VHSzBjHfA==",
+      "version": "4.3.5",
+      "resolved": "https://registry.npmjs.org/oniguruma-to-es/-/oniguruma-to-es-4.3.5.tgz",
+      "integrity": "sha512-Zjygswjpsewa0NLTsiizVuMQZbp0MDyM6lIt66OxsF21npUDlzpHi1Mgb/qhQdkb+dWFTzJmFbEWdvZgRho8eQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "oniguruma-parser": "^0.12.1",
-        "regex": "^6.0.1",
+        "regex": "^6.1.0",
        "regex-recursion": "^6.0.2"
      }
    },
@@ -3706,9 +3727,9 @@
      "license": "0BSD"
    },
    "node_modules/typescript": {
-      "version": "5.9.3",
-      "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.3.tgz",
-      "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
+      "version": "6.0.2",
+      "resolved": "https://registry.npmjs.org/typescript/-/typescript-6.0.2.tgz",
+      "integrity": "sha512-bGdAIrZ0wiGDo5l8c++HWtbaNCWTS4UTv7RaTH/ThVIgjkveJt83m74bBHMJkuCbslY8ixgLBVZJIOiQlQTjfQ==",
      "dev": true,
      "license": "Apache-2.0",
      "bin": {
@@ -3720,9 +3741,9 @@
      }
    },
    "node_modules/unhead": {
-      "version": "2.1.10",
-      "resolved": "https://registry.npmjs.org/unhead/-/unhead-2.1.10.tgz",
-      "integrity": "sha512-We8l9uNF8zz6U8lfQaVG70+R/QBfQx1oPIgXin4BtZnK2IQpz6yazQ0qjMNVBDw2ADgF2ea58BtvSK+XX5AS7g==",
+      "version": "2.1.12",
+      "resolved": "https://registry.npmjs.org/unhead/-/unhead-2.1.12.tgz",
+      "integrity": "sha512-iTHdWD9ztTunOErtfUFk6Wr11BxvzumcYJ0CzaSCBUOEtg+DUZ9+gnE99i8QkLFT2q1rZD48BYYGXpOZVDLYkA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@@ -25,6 +25,6 @@
    "@rspress/core": "^2.0.0",
    "@rspress/plugin-client-redirects": "^2.0.0",
    "@rspress/plugin-sitemap": "^2.0.0",
-    "typescript": "^5.9.3"
+    "typescript": "^6.0.0"
  }
 }
@@ -1,6 +1,6 @@
 {
    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-    "extends": ["config:recommended", "replacements:all"],
+    "extends": ["config:recommended", "replacements:all", ":semanticCommitTypeAll(chore)", "helpers:pinGitHubActionDigests"],
    "dependencyDashboard": true,
    "osvVulnerabilityAlerts": true,
    "lockFileMaintenance": {
@@ -36,10 +36,18 @@
    },
    "packageRules": [
        {
-            "description": "Batch patch-level Rust dependency updates",
+            "description": "Batch minor and patch Rust dependency updates",
+            "matchManagers": ["cargo"],
+            "matchUpdateTypes": ["minor", "patch"],
+            "matchCurrentVersion": ">=1.0.0",
+            "groupName": "rust-non-major"
+        },
+        {
+            "description": "Batch patch-level zerover Rust dependency updates",
            "matchManagers": ["cargo"],
            "matchUpdateTypes": ["patch"],
-            "groupName": "rust-patch-updates"
+            "matchCurrentVersion": ">=0.1.0,<1.0.0",
+            "groupName": "rust-zerover-patch-updates"
        },
        {
            "description": "Limit concurrent Cargo PRs",
@@ -87,16 +95,16 @@
        }
    ],
    "customManagers": [
-       {
-         "customType": "regex",
-         "description": "Update _VERSION variables in Dockerfiles",
-         "managerFilePatterns": [
-           "/(^|/)([Dd]ocker|[Cc]ontainer)file[^/]*$/",
-           "/(^|/|\\.)([Dd]ocker|[Cc]ontainer)file$/"
-         ],
-         "matchStrings": [
-           "# renovate: datasource=(?<datasource>[a-zA-Z0-9-._]+?) depName=(?<depName>[^\\s]+?)(?: (lookupName|packageName)=(?<packageName>[^\\s]+?))?(?: versioning=(?<versioning>[^\\s]+?))?(?: extractVersion=(?<extractVersion>[^\\s]+?))?(?: registryUrl=(?<registryUrl>[^\\s]+?))?\\s+(?:ENV\\s+|ARG\\s+)?[A-Za-z0-9_]+?_VERSION[ =][\"']?(?<currentValue>.+?)[\"']?\\s+(?:(?:ENV\\s+|ARG\\s+)?[A-Za-z0-9_]+?_CHECKSUM[ =][\"']?(?<currentDigest>.+?)[\"']?\\s)?"
-         ]
-       }
+        {
+            "customType": "regex",
+            "description": "Update _VERSION variables in Dockerfiles",
+            "managerFilePatterns": [
+                "/(^|/)([Dd]ocker|[Cc]ontainer)file[^/]*$/",
+                "/(^|/|\\.)([Dd]ocker|[Cc]ontainer)file$/"
+            ],
+            "matchStrings": [
+                "# renovate: datasource=(?<datasource>[a-zA-Z0-9-._]+?) depName=(?<depName>[^\\s]+?)(?: (lookupName|packageName)=(?<packageName>[^\\s]+?))?(?: versioning=(?<versioning>[^\\s]+?))?(?: extractVersion=(?<extractVersion>[^\\s]+?))?(?: registryUrl=(?<registryUrl>[^\\s]+?))?\\s+(?:ENV\\s+|ARG\\s+)?[A-Za-z0-9_]+?_VERSION[ =][\"']?(?<currentValue>.+?)[\"']?\\s+(?:(?:ENV\\s+|ARG\\s+)?[A-Za-z0-9_]+?_CHECKSUM[ =][\"']?(?<currentDigest>.+?)[\"']?\\s)?"
+            ]
+        }
    ]
 }
@@ -10,7 +10,7 @@

 [toolchain]
 profile = "minimal"
-channel = "1.90.0"
+channel = "1.92.0"
 components = [
    # For rust-analyzer
    "rust-src",
@@ -296,6 +296,31 @@ pub(super) async fn reset_password(
 	Ok(())
 }

+#[admin_command]
+pub(super) async fn issue_password_reset_link(&self, username: String) -> Result {
+	use conduwuit_service::password_reset::{PASSWORD_RESET_PATH, RESET_TOKEN_QUERY_PARAM};
+
+	self.bail_restricted()?;
+
+	let mut reset_url = self
+		.services
+		.config
+		.get_client_domain()
+		.join(PASSWORD_RESET_PATH)
+		.unwrap();
+
+	let user_id = parse_local_user_id(self.services, &username)?;
+	let token = self.services.password_reset.issue_token(user_id).await?;
+	reset_url
+		.query_pairs_mut()
+		.append_pair(RESET_TOKEN_QUERY_PARAM, &token.token);
+
+	self.write_str(&format!("Password reset link issued for {username}: {reset_url}"))
+		.await?;
+
+	Ok(())
+}
+
 #[admin_command]
 pub(super) async fn deactivate_all(&self, no_leave_rooms: bool, force: bool) -> Result {
 	if self.body.len() < 2
@@ -29,6 +29,12 @@ pub enum UserCommand {
 		password: Option<String>,
 	},

+	/// Issue a self-service password reset link for a user.
+	IssuePasswordResetLink {
+		/// Username of the user who may use the link
+		username: String,
+	},
+
 	/// Deactivate a user
 	///
 	/// User will be removed from all rooms by default.
@@ -114,7 +114,19 @@ pub(crate) async fn get_content_thumbnail_route(
 		content,
 		content_type,
 		content_disposition,
-	} = fetch_thumbnail(&services, &mxc, user, body.timeout_ms, &dim).await?;
+	} = match fetch_thumbnail(&services, &mxc, user, body.timeout_ms, &dim).await {
+		| Ok(meta) => meta,
+		| Err(conduwuit::Error::Io(e)) => match e.kind() {
+			| std::io::ErrorKind::NotFound =>
+				return Err!(Request(NotFound("Thumbnail not found."))),
+			| std::io::ErrorKind::PermissionDenied => {
+				error!("Permission denied when trying to read file: {e:?}");
+				return Err!(Request(Unknown("Unknown error when fetching thumbnail.")));
+			},
+			| _ => return Err!(Request(Unknown("Unknown error when fetching thumbnail."))),
+		},
+		| Err(_) => return Err!(Request(Unknown("Unknown error when fetching thumbnail."))),
+	};

 	Ok(get_content_thumbnail::v1::Response {
 		file: content.expect("entire file contents"),
@@ -584,7 +584,7 @@ async fn join_room_by_id_helper_remote(
 					return state;
 				},
 			};
-			if !pdu_fits(&mut value.clone()) {
+			if !pdu_fits(&value) {
 				warn!(
 					"dropping incoming PDU {event_id} in room {room_id} from room join because \
 					 it exceeds 65535 bytes or is otherwise too large."
@@ -409,11 +409,6 @@ async fn knock_room_helper_local(
 		room_id,
 		&knock_event_stub,
 	)?;
-
-	knock_event_stub.insert(
-		"origin".to_owned(),
-		CanonicalJsonValue::String(services.globals.server_name().as_str().to_owned()),
-	);
 	knock_event_stub.insert(
 		"origin_server_ts".to_owned(),
 		CanonicalJsonValue::Integer(
@@ -9,7 +9,7 @@ use conduwuit::{
 };
 use futures::{FutureExt, StreamExt, pin_mut};
 use ruma::{
-	CanonicalJsonObject, CanonicalJsonValue, OwnedServerName, RoomId, RoomVersionId, UserId,
+	CanonicalJsonObject, CanonicalJsonValue, OwnedServerName, RoomId, UserId,
 	api::{
 		client::membership::leave_room,
 		federation::{self},
@@ -337,6 +337,7 @@ pub async fn remote_leave_room<S: ::std::hash::BuildHasher>(
 			"Invalid make_leave event json received from {remote_server} for {room_id}: {e:?}"
 		)))
 	})?;
+	leave_event_stub.remove("event_id");

 	validate_remote_member_event_stub(
 		&MembershipState::Leave,
@@ -345,11 +346,6 @@ pub async fn remote_leave_room<S: ::std::hash::BuildHasher>(
 		&leave_event_stub,
 	)?;

-	// TODO: Is origin needed?
-	leave_event_stub.insert(
-		"origin".to_owned(),
-		CanonicalJsonValue::String(services.globals.server_name().as_str().to_owned()),
-	);
 	leave_event_stub.insert(
 		"origin_server_ts".to_owned(),
 		CanonicalJsonValue::Integer(
@@ -365,14 +361,6 @@ pub async fn remote_leave_room<S: ::std::hash::BuildHasher>(
 		}
 	}

-	// room v3 and above removed the "event_id" field from remote PDU format
-	match room_version_id {
-		| RoomVersionId::V1 | RoomVersionId::V2 => {},
-		| _ => {
-			leave_event_stub.remove("event_id");
-		},
-	}
-
 	// In order to create a compatible ref hash (EventID) the `hashes` field needs
 	// to be present
 	services
@@ -1,3 +1,5 @@
+#[cfg(test)]
+mod tests;
 use axum::extract::State;
 use axum_client_ip::InsecureClientIp;
 use conduwuit::{
@@ -194,6 +196,7 @@ async fn send_state_event_for_key_helper(
 	state_key: &str,
 	timestamp: Option<MilliSecondsSinceUnixEpoch>,
 ) -> Result<OwnedEventId> {
+	let json: &mut Raw<AnyStateEventContent> = &mut json.clone();
 	allowed_to_send_state_event(services, room_id, event_type, state_key, json).await?;
 	let state_lock = services.rooms.state.mutex.lock(room_id).await;
 	let event_id = services
@@ -221,7 +224,7 @@ async fn allowed_to_send_state_event(
 	room_id: &RoomId,
 	event_type: &StateEventType,
 	state_key: &str,
-	json: &Raw<AnyStateEventContent>,
+	json: &mut Raw<AnyStateEventContent>,
 ) -> Result {
 	match event_type {
 		| StateEventType::RoomCreate => {
@@ -366,7 +369,7 @@ async fn allowed_to_send_state_event(
 			}
 		},
 		| StateEventType::RoomMember => match json.deserialize_as::<RoomMemberEventContent>() {
-			| Ok(membership_content) => {
+			| Ok(mut membership_content) => {
 				let Ok(state_key) = UserId::parse(state_key) else {
 					return Err!(Request(BadJson(
 						"Membership event has invalid or non-existent state key"
@@ -376,20 +379,24 @@ async fn allowed_to_send_state_event(
 				if let Some(authorising_user) =
 					membership_content.join_authorized_via_users_server
 				{
-					if membership_content.membership != MembershipState::Join {
-						return Err!(Request(BadJson(
-							"join_authorised_via_users_server is only for member joins"
-						)));
-					}
-
+					// join_authorized_via_users_server must be thrown away, if user is already a
+					// member of the room.
 					if services
 						.rooms
 						.state_cache
 						.is_joined(state_key, room_id)
 						.await
 					{
-						return Err!(Request(InvalidParam(
-							"{state_key} is already joined, an authorising user is not required."
+						membership_content.join_authorized_via_users_server = None;
+						*json = Raw::<AnyStateEventContent>::from_json_string(
+							serde_json::to_string(&membership_content)?,
+						)?;
+						return Ok(());
+					}
+
+					if membership_content.membership != MembershipState::Join {
+						return Err!(Request(BadJson(
+							"join_authorised_via_users_server is only for member joins"
 						)));
 					}

@@ -0,0 +1,34 @@
+use super::*;
+
+#[test]
+fn test_strip_room_member() -> Result<()> {
+	//Test setup
+	let body = r#"
+		{
+			"avatar_url": "Something",
+			"displayname": "Someone",
+			"join_authorized_via_users_server": "@someone:domain.tld",
+			"membership": "join"
+		}"#;
+	println!("JSON (original): {body}");
+	let json: &mut Raw<AnyStateEventContent> =
+		&mut Raw::<AnyStateEventContent>::from_json_string(body.to_owned())?;
+	let mut membership_content: RoomMemberEventContent =
+		json.deserialize_as::<RoomMemberEventContent>()?;
+
+	//Begin Test
+	membership_content.join_authorized_via_users_server = None;
+	*json = Raw::<AnyStateEventContent>::from_json_string(serde_json::to_string(
+		&membership_content,
+	)?)?;
+
+	//Compare result
+	let result = json.json().get();
+	println!("JSON (modified): {result}");
+	assert_eq!(
+		result,
+		r#"{"avatar_url":"Something","displayname":"Someone","membership":"join"}"#
+	);
+
+	Ok(())
+}
@@ -114,6 +114,7 @@ tracing.workspace = true
 url.workspace = true
 parking_lot.workspace = true
 lock_api.workspace = true
+hyper-util.workspace = true

 [target.'cfg(unix)'.dependencies]
 nix.workspace = true
@@ -68,6 +68,10 @@ pub struct Config {
 	///
 	/// Also see the `[global.well_known]` config section at the very bottom.
 	///
+	/// If `client` is not set under `[global.well_known]`, the server name will
+	/// be used as the base domain for user-facing links (such as password
+	/// reset links) created by Continuwuity.
+	///
 	/// Examples of delegation:
 	/// - https://continuwuity.org/.well-known/matrix/server
 	/// - https://continuwuity.org/.well-known/matrix/client
@@ -141,6 +145,10 @@ pub struct Config {
 	/// engine API. To use this, set a database backup path that continuwuity
 	/// can write to.
 	///
+	/// If you are using systemd, you will need to add the path to
+	/// ReadWritePaths in the service file, preferably via a drop-in file
+	/// through `systemctl edit`.
+	///
 	/// For more information, see:
 	/// https://continuwuity.org/maintenance.html#backups
 	///
@@ -2089,6 +2097,13 @@ pub struct Config {
 	#[serde(default)]
 	pub force_disable_first_run_mode: bool,

+	/// Allow search engines and crawlers to index Continuwuity's built-in
+	/// webpages served under the `/_continuwuity/` prefix.
+	///
+	/// default: false
+	#[serde(default)]
+	pub allow_web_indexing: bool,
+
 	/// display: nested
 	#[serde(default)]
 	pub ldap: LdapConfig,
@@ -4,7 +4,7 @@ mod panic;
 mod response;
 mod serde;

-use std::{any::Any, borrow::Cow, convert::Infallible, sync::PoisonError};
+use std::{any::Any, borrow::Cow, convert::Infallible, error::Error as _, sync::PoisonError};

 pub use self::{err::visit, log::*};

@@ -66,8 +66,8 @@ pub enum Error {
 	Poison(Cow<'static, str>),
 	#[error("Regex error: {0}")]
 	Regex(#[from] regex::Error),
-	#[error("Request error: {0}")]
-	Reqwest(#[from] reqwest::Error),
+	#[error("{0}")]
+	Reqwest(FormattedReqwestError),
 	#[error("{0}")]
 	SerdeDe(Cow<'static, str>),
 	#[error("{0}")]
@@ -236,3 +236,41 @@ pub fn infallible(_e: &Infallible) {
 #[must_use]
 #[allow(clippy::needless_pass_by_value)]
 pub fn sanitized_message(e: Error) -> String { e.sanitized_message() }
+
+#[derive(Debug)]
+pub struct FormattedReqwestError(reqwest::Error);
+
+impl std::ops::Deref for FormattedReqwestError {
+	type Target = reqwest::Error;
+
+	fn deref(&self) -> &Self::Target { &self.0 }
+}
+
+impl std::error::Error for FormattedReqwestError {
+	fn source(&self) -> Option<&(dyn std::error::Error + 'static)> { self.0.source() }
+}
+
+impl std::fmt::Display for FormattedReqwestError {
+	fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+		if let Some(hyper_error) = self.0.source()
+			&& hyper_error.is::<hyper_util::client::legacy::Error>()
+			&& let Some(real_error) = hyper_error.source()
+		{
+			if let Some(real_reason) = real_error.source() {
+				write!(f, "{real_error}: {real_reason}")
+			} else {
+				write!(f, "{real_error}")
+			}
+		} else {
+			write!(f, "Request error: {}", &self.0)
+		}
+	}
+}
+
+impl From<reqwest::Error> for FormattedReqwestError {
+	fn from(err: reqwest::Error) -> Self { Self(err) }
+}
+
+impl From<reqwest::Error> for Error {
+	fn from(err: reqwest::Error) -> Self { Self::Reqwest(err.into()) }
+}
@@ -1224,6 +1224,7 @@ fn can_send_event(event: &impl Event, ple: Option<&impl Event>, user_level: Int)
 }

 /// Confirm that the event sender has the required power levels.
+#[allow(clippy::cognitive_complexity)]
 fn check_power_levels(
 	room_version: &RoomVersion,
 	power_event: &impl Event,
@@ -75,6 +75,7 @@ type Result<T, E = Error> = crate::Result<T, E>;
 /// event is part of the same room.
 //#[tracing::instrument(level = "debug", skip(state_sets, auth_chain_sets,
 //#[tracing::instrument(level event_fetch))]
+#[allow(clippy::cognitive_complexity)]
 pub async fn resolve<'a, Pdu, Sets, SetIter, Hasher, Fetch, FetchFut, Exists, ExistsFut>(
 	room_version: &RoomVersionId,
 	state_sets: Sets,
@@ -70,15 +70,17 @@ fn descriptor_cf_options(
 		);
 	}

-	opts.set_options_from_string("{{arena_block_size=2097152;}}")
+	let mut opts = opts
+		.get_options_from_string("{{arena_block_size=2097152;}}")
 		.map_err(map_err)?;

 	#[cfg(debug_assertions)]
-	opts.set_options_from_string(
-		"{{paranoid_checks=true;paranoid_file_checks=true;force_consistency_checks=true;\
-		 verify_sst_unique_id_in_manifest=true;}}",
-	)
-	.map_err(map_err)?;
+	let opts = opts
+		.get_options_from_string(
+			"{{paranoid_checks=true;paranoid_file_checks=true;force_consistency_checks=true;\
+			 verify_sst_unique_id_in_manifest=true;}}",
+		)
+		.map_err(map_err)?;

 	Ok(opts)
 }
@@ -105,7 +107,7 @@ fn set_table_options(opts: &mut Options, desc: &Descriptor, cache: Option<&Cache
 		prepopulate,
 	);

-	opts.set_options_from_string(&string).map_err(map_err)?;
+	let mut opts = opts.get_options_from_string(&string).map_err(map_err)?;

 	opts.set_block_based_table_factory(&table);

@@ -138,7 +138,7 @@ fn set_logging_defaults(opts: &mut Options, config: &Config) {
 	if config.rocksdb_log_stderr {
 		opts.set_stderr_logger(rocksdb_log_level, "rocksdb");
 	} else {
-		opts.set_callback_logger(rocksdb_log_level, &handle_log);
+		opts.set_callback_logger(rocksdb_log_level, handle_log);
 	}
 }

@@ -112,6 +112,10 @@ pub(super) static MAPS: &[Descriptor] = &[
 		name: "onetimekeyid_onetimekeys",
 		..descriptor::RANDOM_SMALL
 	},
+	Descriptor {
+		name: "passwordresettoken_info",
+		..descriptor::RANDOM_SMALL
+	},
 	Descriptor {
 		name: "pduid_pdu",
 		cache_disp: CacheDisp::SharedWith("eventid_outlierpdu"),
@@ -1,5 +1,4 @@
 use std::{
-	env::args,
 	iter::once,
 	sync::{
 		Arc, OnceLock,
@@ -19,7 +18,7 @@ use tokio::runtime::Builder;

 use crate::{clap::Args, server::Server};

-const WORKER_NAME: &str = "c10y:worker";
+const WORKER_NAME: &str = "conduwuit:worker";
 const WORKER_MIN: usize = 2;
 const WORKER_KEEPALIVE: u64 = 36;
 const MAX_BLOCKING_THREADS: usize = 1024;
@@ -18,5 +18,5 @@ pub(crate) fn build(services: &Arc<Services>) -> (Router, Guard) {
 }

 async fn not_found(_uri: Uri) -> impl IntoResponse {
-	Error::Request(ErrorKind::Unrecognized, "Not Found".into(), StatusCode::NOT_FOUND)
+	Error::Request(ErrorKind::Unrecognized, "not found :(".into(), StatusCode::NOT_FOUND)
 }
@@ -121,7 +121,7 @@ webpage.workspace = true
 webpage.optional = true
 blurhash.workspace = true
 blurhash.optional = true
-recaptcha-verify = { version = "0.1.5", default-features = false }
+recaptcha-verify = { version = "0.2.0", default-features = false }
 yansi.workspace = true

 [target.'cfg(all(unix, target_os = "linux"))'.dependencies]
@@ -6,6 +6,7 @@ use conduwuit::{
 	config::{Config, check},
 	error, implement,
 };
+use url::Url;

 use crate::registration_tokens::{ValidToken, ValidTokenSource};

@@ -23,6 +24,18 @@ impl Service {
 			.clone()
 			.map(|token| ValidToken { token, source: ValidTokenSource::Config })
 	}
+
+	/// Get the base domain to use for user-facing URLs.
+	#[must_use]
+	pub fn get_client_domain(&self) -> Url {
+		self.well_known.client.clone().unwrap_or_else(|| {
+			let host = self.server_name.host();
+			format!("https://{host}")
+				.as_str()
+				.try_into()
+				.expect("server name should be a valid host")
+		})
+	}
 }

 #[async_trait]
@@ -23,6 +23,7 @@ pub mod globals;
 pub mod key_backups;
 pub mod media;
 pub mod moderation;
+pub mod password_reset;
 pub mod presence;
 pub mod pusher;
 pub mod registration_tokens;
@@ -0,0 +1,68 @@
+use std::{
+	sync::Arc,
+	time::{Duration, SystemTime},
+};
+
+use conduwuit::utils::{ReadyExt, stream::TryExpect};
+use database::{Database, Deserialized, Json, Map};
+use ruma::{OwnedUserId, UserId};
+use serde::{Deserialize, Serialize};
+
+pub(super) struct Data {
+	passwordresettoken_info: Arc<Map>,
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+pub struct ResetTokenInfo {
+	pub user: OwnedUserId,
+	pub issued_at: SystemTime,
+}
+
+impl ResetTokenInfo {
+	// one hour
+	const MAX_TOKEN_AGE: Duration = Duration::from_secs(60 * 60);
+
+	pub fn is_valid(&self) -> bool {
+		let now = SystemTime::now();
+
+		now.duration_since(self.issued_at)
+			.is_ok_and(|duration| duration < Self::MAX_TOKEN_AGE)
+	}
+}
+
+impl Data {
+	pub(super) fn new(db: &Arc<Database>) -> Self {
+		Self {
+			passwordresettoken_info: db["passwordresettoken_info"].clone(),
+		}
+	}
+
+	/// Associate a reset token with its info in the database.
+	pub(super) fn save_token(&self, token: &str, info: &ResetTokenInfo) {
+		self.passwordresettoken_info.raw_put(token, Json(info));
+	}
+
+	/// Lookup the info for a reset token.
+	pub(super) async fn lookup_token_info(&self, token: &str) -> Option<ResetTokenInfo> {
+		self.passwordresettoken_info
+			.get(token)
+			.await
+			.deserialized()
+			.ok()
+	}
+
+	/// Find a user's existing reset token, if any.
+	pub(super) async fn find_token_for_user(
+		&self,
+		user: &UserId,
+	) -> Option<(String, ResetTokenInfo)> {
+		self.passwordresettoken_info
+			.stream::<'_, String, ResetTokenInfo>()
+			.expect_ok()
+			.ready_find(|(_, info)| info.user == user)
+			.await
+	}
+
+	/// Remove a reset token.
+	pub(super) fn remove_token(&self, token: &str) { self.passwordresettoken_info.remove(token); }
+}
@@ -0,0 +1,120 @@
+mod data;
+
+use std::{sync::Arc, time::SystemTime};
+
+use conduwuit::{Err, Result, utils};
+use data::{Data, ResetTokenInfo};
+use ruma::OwnedUserId;
+
+use crate::{Dep, globals, users};
+
+pub const PASSWORD_RESET_PATH: &str = "/_continuwuity/account/reset_password";
+pub const RESET_TOKEN_QUERY_PARAM: &str = "token";
+const RESET_TOKEN_LENGTH: usize = 32;
+
+pub struct Service {
+	db: Data,
+	services: Services,
+}
+
+struct Services {
+	users: Dep<users::Service>,
+	globals: Dep<globals::Service>,
+}
+
+#[derive(Debug)]
+pub struct ValidResetToken {
+	pub token: String,
+	pub info: ResetTokenInfo,
+}
+
+impl crate::Service for Service {
+	fn build(args: crate::Args<'_>) -> Result<Arc<Self>> {
+		Ok(Arc::new(Self {
+			db: Data::new(args.db),
+			services: Services {
+				users: args.depend::<users::Service>("users"),
+				globals: args.depend::<globals::Service>("globals"),
+			},
+		}))
+	}
+
+	fn name(&self) -> &str { crate::service::make_name(std::module_path!()) }
+}
+
+impl Service {
+	/// Generate a random string suitable to be used as a password reset token.
+	#[must_use]
+	pub fn generate_token_string() -> String { utils::random_string(RESET_TOKEN_LENGTH) }
+
+	/// Issue a password reset token for `user`, who must be a local user with
+	/// the `password` origin.
+	pub async fn issue_token(&self, user_id: OwnedUserId) -> Result<ValidResetToken> {
+		if !self.services.globals.user_is_local(&user_id) {
+			return Err!("Cannot issue a password reset token for remote user {user_id}");
+		}
+
+		if user_id == self.services.globals.server_user {
+			return Err!("Cannot issue a password reset token for the server user");
+		}
+
+		if self
+			.services
+			.users
+			.origin(&user_id)
+			.await
+			.unwrap_or_else(|_| "password".to_owned())
+			!= "password"
+		{
+			return Err!("Cannot issue a password reset token for non-internal user {user_id}");
+		}
+
+		if self.services.users.is_deactivated(&user_id).await? {
+			return Err!("Cannot issue a password reset token for deactivated user {user_id}");
+		}
+
+		if let Some((existing_token, _)) = self.db.find_token_for_user(&user_id).await {
+			self.db.remove_token(&existing_token);
+		}
+
+		let token = Self::generate_token_string();
+		let info = ResetTokenInfo {
+			user: user_id,
+			issued_at: SystemTime::now(),
+		};
+
+		self.db.save_token(&token, &info);
+
+		Ok(ValidResetToken { token, info })
+	}
+
+	/// Check if `token` represents a valid, non-expired password reset token.
+	pub async fn check_token(&self, token: &str) -> Option<ValidResetToken> {
+		self.db.lookup_token_info(token).await.and_then(|info| {
+			if info.is_valid() {
+				Some(ValidResetToken { token: token.to_owned(), info })
+			} else {
+				self.db.remove_token(token);
+				None
+			}
+		})
+	}
+
+	/// Consume the supplied valid token, using it to change its user's password
+	/// to `new_password`.
+	pub async fn consume_token(
+		&self,
+		ValidResetToken { token, info }: ValidResetToken,
+		new_password: &str,
+	) -> Result<()> {
+		if info.is_valid() {
+			self.db.remove_token(&token);
+			self.services
+				.users
+				.set_password(&info.user, Some(new_password))
+				.await?;
+		}
+
+		Ok(())
+	}
+}
@@ -1,7 +1,7 @@
 use std::{fmt::Debug, mem, sync::Arc};

 use bytes::BytesMut;
-use conduwuit::{debug, debug_info, utils::response::LimitReadExt};
+use conduwuit::utils::response::LimitReadExt;
 use conduwuit_core::{
 	Err, Event, Result, debug_warn, err, trace,
 	utils::{stream::TryIgnore, string_from_bytes},
@@ -220,13 +220,7 @@ impl Service {
 			}
 		}

-		let response = self
-			.services
-			.client
-			.pusher
-			.execute(reqwest_request)
-			.await
-			.inspect(|r| debug!("Received response from push gateway {dest}: {r:?}"));
+		let response = self.services.client.pusher.execute(reqwest_request).await;

 		match response {
 			| Ok(mut response) => {
@@ -496,28 +490,9 @@ impl Service {
 						.await
 						.ok();
 				}
-				debug_info!(
-					%url,
-					?notify,
-					?event,
-					"Sending notification to push gateway for {} in {}",
-					event.event_id(),
-					event.room_id_or_hash(),
-				);
+
 				self.send_request(&http.url, send_event_notification::v1::Request::new(notify))
-					.await
-					.inspect(|_| {
-						debug_info!(
-							"Successfully sent push notification for {}",
-							event.event_id()
-						)
-					})
-					.inspect_err(|e| {
-						debug_warn!(
-							"Failed to send push notification for {}: {e}",
-							event.event_id()
-						)
-					})?;
+					.await?;

 				Ok(())
 			},
@@ -26,7 +26,10 @@ pub(super) async fn request_well_known(&self, dest: &str) -> Result<Option<Strin
 		return Ok(None);
 	}

-	let text = response.limit_read_text(8192).await?;
+	let Ok(text) = response.limit_read_text(8192).await else {
+		debug!("failed to read well-known response (too large or non-text content)");
+		return Ok(None);
+	};
 	trace!("response text: {text:?}");

 	let body: serde_json::Value = serde_json::from_str(&text).unwrap_or_default();
@@ -104,17 +104,13 @@ impl Service {
 			return Err!(Request(Forbidden("User is not permitted to remove this alias.")));
 		}

+		let alias_full = alias.as_bytes().to_vec();
 		let alias = alias.alias();
 		let Ok(room_id) = self.db.alias_roomid.get(&alias).await else {
 			return Err!(Request(NotFound("Alias does not exist or is invalid.")));
 		};

-		let prefix = (&room_id, Interfix);
-		self.db
-			.aliasid_alias
-			.keys_prefix_raw(&prefix)
-			.ignore_err()
-			.ready_for_each(|key| self.db.aliasid_alias.remove(key))
+		self.remove_aliasid_alias_entries(&room_id, &alias_full)
 			.await;

 		self.db.alias_roomid.remove(alias.as_bytes());
@@ -274,6 +270,22 @@ impl Service {
 		self.db.alias_userid.get(alias.alias()).await.deserialized()
 	}

+	async fn remove_aliasid_alias_entries(&self, room_id: &[u8], alias_full: &[u8]) {
+		let prefix = (room_id, Interfix);
+		let keys: Vec<Vec<u8>> = self
+			.db
+			.aliasid_alias
+			.stream_prefix_raw(&prefix)
+			.ignore_err()
+			.ready_filter_map(|(key, value)| (value == alias_full).then_some(key.to_vec()))
+			.collect()
+			.await;
+
+		for key in keys {
+			self.db.aliasid_alias.remove(&key);
+		}
+	}
+
 	async fn resolve_appservice_alias(
 		&self,
 		room_alias: &RoomAliasId,
@@ -127,12 +127,12 @@ pub async fn handle_incoming_pdu<'a>(
 	if let Ok(pdu_id) = self.services.timeline.get_pdu_id(event_id).await {
 		return Ok(Some(pdu_id));
 	}
-	if !pdu_fits(&mut value.clone()) {
+	if !pdu_fits(&value) {
 		warn!(
 			"dropping incoming PDU {event_id} in room {room_id} from {origin} because it \
 			 exceeds 65535 bytes or is otherwise too large."
 		);
-		return Err!(Request(TooLarge("PDU is too large")));
+		return Err!(Request(TooLarge("PDU {event_id} is too large")));
 	}
 	trace!("processing incoming PDU from {origin} for room {room_id} with event id {event_id}");

@@ -1,8 +1,7 @@
 use std::collections::{BTreeMap, HashMap, hash_map};

 use conduwuit::{
-	Err, Event, PduEvent, Result, debug, debug_info, debug_warn, err, implement, state_res,
-	trace, warn,
+	Err, Event, PduEvent, Result, debug, debug_info, debug_warn, err, implement, state_res, trace,
 };
 use futures::future::ready;
 use ruma::{
@@ -11,7 +10,6 @@ use ruma::{
 };

 use super::{check_room_id, get_room_version_id, to_room_version};
-use crate::rooms::timeline::pdu_fits;

 #[implement(super::Service)]
 #[allow(clippy::too_many_arguments)]
@@ -27,18 +25,9 @@ pub(super) async fn handle_outlier_pdu<'a, Pdu>(
 where
 	Pdu: Event + Send + Sync,
 {
-	if !pdu_fits(&mut value.clone()) {
-		warn!(
-			"dropping incoming PDU {event_id} in room {room_id} from {origin} because it \
-			 exceeds 65535 bytes or is otherwise too large."
-		);
-		return Err!(Request(TooLarge("PDU is too large")));
-	}
 	// 1. Remove unsigned field
 	value.remove("unsigned");

-	// TODO: For RoomVersion6 we must check that Raw<..> is canonical do we anywhere?: https://matrix.org/docs/spec/rooms/v6#canonical-json
-
 	// 2. Check signatures, otherwise drop
 	// 3. check content hash, redact if doesn't match
 	let room_version_id = get_room_version_id(create_event)?;
@@ -22,33 +22,18 @@ use serde_json::value::{RawValue, to_raw_value};

 use super::RoomMutexGuard;

-pub fn pdu_fits(owned_obj: &mut CanonicalJsonObject) -> bool {
+#[must_use]
+pub fn pdu_fits(owned_obj: &CanonicalJsonObject) -> bool {
 	// room IDs, event IDs, senders, types, and state keys must all be <= 255 bytes
-	if let Some(CanonicalJsonValue::String(room_id)) = owned_obj.get("room_id") {
-		if room_id.len() > 255 {
-			return false;
-		}
-	}
-	if let Some(CanonicalJsonValue::String(event_id)) = owned_obj.get("event_id") {
-		if event_id.len() > 255 {
-			return false;
-		}
-	}
-	if let Some(CanonicalJsonValue::String(sender)) = owned_obj.get("sender") {
-		if sender.len() > 255 {
-			return false;
-		}
-	}
-	if let Some(CanonicalJsonValue::String(kind)) = owned_obj.get("type") {
-		if kind.len() > 255 {
-			return false;
-		}
-	}
-	if let Some(CanonicalJsonValue::String(state_key)) = owned_obj.get("state_key") {
-		if state_key.len() > 255 {
-			return false;
+	const STANDARD_KEYS: [&str; 5] = ["room_id", "event_id", "sender", "type", "state_key"];
+	for key in STANDARD_KEYS {
+		if let Some(CanonicalJsonValue::String(v)) = owned_obj.get(key) {
+			if v.len() > 255 {
+				return false;
+			}
 		}
 	}
+
 	// Now check the full PDU size
 	match serde_json::to_string(owned_obj) {
 		| Ok(s) => s.len() <= 65535,
@@ -259,14 +244,9 @@ pub async fn create_hash_and_sign_event(
 	let mut pdu_json = utils::to_canonical_object(&pdu).map_err(|e| {
 		err!(Request(BadJson(warn!("Failed to convert PDU to canonical JSON: {e}"))))
 	})?;
-
-	// room v3 and above removed the "event_id" field from remote PDU format
-	match room_version_id {
-		| RoomVersionId::V1 | RoomVersionId::V2 => {},
-		| _ => {
-			pdu_json.remove("event_id");
-		},
-	}
+	pdu_json.remove("event_id");
+	// We need to pop unsigned temporarily for the size check
+	let unsigned_tmp = pdu_json.remove_entry("unsigned");

 	trace!("hashing and signing event {}", pdu.event_id);
 	if let Err(e) = self
@@ -276,24 +256,28 @@ pub async fn create_hash_and_sign_event(
 	{
 		return match e {
 			| Error::Signatures(ruma::signatures::Error::PduSize) => {
-				Err!(Request(TooLarge("Message/PDU is too long (exceeds 65535 bytes)")))
+				// Ruma does do a PDU size check when generating the content hash, but it
+				// doesn't do it very correctly.
+				Err!(Request(TooLarge("PDU is too long large (exceeds 65535 bytes)")))
 			},
 			| _ => Err!(Request(Unknown(warn!("Signing event failed: {e}")))),
 		};
 	}
+	// Verify that the *full* PDU isn't over 64KiB.
+	if !pdu_fits(&pdu_json) {
+		return Err!(Request(TooLarge("PDU is too long large (exceeds 65535 bytes)")));
+	}
+	// Re-insert unsigned data
+	if let Some((key, value)) = unsigned_tmp {
+		pdu_json.insert(key, value);
+	}
+
 	// Generate event id
 	pdu.event_id = gen_event_id(&pdu_json, &room_version_id)?;
 	pdu_json.insert("event_id".into(), CanonicalJsonValue::String(pdu.event_id.clone().into()));
-	// Verify that the *full* PDU isn't over 64KiB.
-	// Ruma only validates that it's under 64KiB before signing and hashing.
-	// Has to be cloned to prevent mutating pdu_json itself :(
-	if !pdu_fits(&mut pdu_json.clone()) {
-		// feckin huge PDU mate
-		return Err!(Request(TooLarge("Message/PDU is too long (exceeds 65535 bytes)")));
-	}

 	// Check with the policy server
-	if room_id.is_some() {
+	if let Some(room_id) = pdu.room_id() {
 		trace!(
 			"Checking event in room {} with policy server",
 			pdu.room_id.as_ref().map_or("None", |id| id.as_str())
@@ -301,7 +285,7 @@ pub async fn create_hash_and_sign_event(
 		match self
 			.services
 			.event_handler
-			.ask_policy_server(&pdu, &mut pdu_json, pdu.room_id().expect("has room ID"), false)
+			.ask_policy_server(&pdu, &mut pdu_json, room_id, false)
 			.await
 		{
 			| Ok(true) => {},
@@ -42,7 +42,6 @@ pub struct Service {
 struct Services {
 	client: Dep<client::Service>,
 	globals: Dep<globals::Service>,
-	state: Dep<rooms::state::Service>,
 	state_cache: Dep<rooms::state_cache::Service>,
 	user: Dep<rooms::user::Service>,
 	users: Dep<users::Service>,
@@ -86,7 +85,6 @@ impl crate::Service for Service {
 			services: Services {
 				client: args.depend::<client::Service>("client"),
 				globals: args.depend::<globals::Service>("globals"),
-				state: args.depend::<rooms::state::Service>("rooms::state"),
 				state_cache: args.depend::<rooms::state_cache::Service>("rooms::state_cache"),
 				user: args.depend::<rooms::user::Service>("rooms::user"),
 				users: args.depend::<users::Service>("users"),
@@ -9,6 +9,7 @@ use std::{
 };

 use base64::{Engine as _, engine::general_purpose::URL_SAFE_NO_PAD};
+use conduwuit::info;
 use conduwuit_core::{
 	Error, Event, Result, at, debug, err, error,
 	result::LogErr,
@@ -28,7 +29,7 @@ use futures::{
 };
 use ruma::{
 	CanonicalJsonObject, MilliSecondsSinceUnixEpoch, OwnedRoomId, OwnedServerName, OwnedUserId,
-	RoomId, RoomVersionId, ServerName, UInt,
+	RoomId, ServerName, UInt,
 	api::{
 		appservice::event::push_events::v1::EphemeralData,
 		federation::transactions::{
@@ -866,9 +867,12 @@ impl Service {

 		for (event_id, result) in result.iter().flat_map(|resp| resp.pdus.iter()) {
 			if let Err(e) = result {
-				warn!(
-					%txn_id, %server,
-					"error sending PDU {event_id} to remote server: {e:?}"
+				info!(
+					%txn_id,
+					%server,
+					%event_id,
+					remote_error=?e,
+					"remote server encountered an error while processing an event"
 				);
 			}
 		}
@@ -879,41 +883,18 @@ impl Service {
 		}
 	}

-	/// This does not return a full `Pdu` it is only to satisfy ruma's types.
+	/// Filters through a PDU JSON blob, retaining only keys that are expected
+	/// over federation.
 	pub async fn convert_to_outgoing_federation_event(
 		&self,
 		mut pdu_json: CanonicalJsonObject,
 	) -> Box<RawJsonValue> {
-		if let Some(unsigned) = pdu_json
-			.get_mut("unsigned")
-			.and_then(|val| val.as_object_mut())
-		{
-			unsigned.remove("transaction_id");
-		}
-
-		// room v3 and above removed the "event_id" field from remote PDU format
-		if let Some(room_id) = pdu_json
-			.get("room_id")
-			.and_then(|val| RoomId::parse(val.as_str()?).ok())
-		{
-			match self.services.state.get_room_version(room_id).await {
-				| Ok(room_version_id) => match room_version_id {
-					| RoomVersionId::V1 | RoomVersionId::V2 => {},
-					| _ => _ = pdu_json.remove("event_id"),
-				},
-				| Err(_) => _ = pdu_json.remove("event_id"),
-			}
-		} else {
-			pdu_json.remove("event_id");
-		}
-
-		// TODO: another option would be to convert it to a canonical string to validate
-		// size and return a Result<Raw<...>>
-		// serde_json::from_str::<Raw<_>>(
-		//     ruma::serde::to_canonical_json_string(pdu_json).expect("CanonicalJson is
-		// valid serde_json::Value"), )
-		// .expect("Raw::from_value always works")
-
+		pdu_json.remove("unsigned");
+		// NOTE: Historically there have been attempts to further reduce the amount of
+		// data sent over the wire to remote servers. However, so far, the only key
+		// that is safe to drop entirely is `unsigned` - the rest of the keys are
+		// actually included as part of the content hash, and will cause issues if
+		// removed, even if they're irrelevant.
 		to_raw_value(&pdu_json).expect("CanonicalJson is valid serde_json::Value")
 	}
 }
@@ -228,7 +228,7 @@ async fn acquire_notary_result(&self, missing: &mut Batch, server_keys: ServerSi
 	self.add_signing_keys(server_keys.clone()).await;

 	if let Some(key_ids) = missing.get_mut(server) {
-		key_ids.retain(|key_id| key_exists(&server_keys, key_id));
+		key_ids.retain(|key_id| !key_exists(&server_keys, key_id));
 		if key_ids.is_empty() {
 			missing.remove(server);
 		}
@@ -11,8 +11,8 @@ use crate::{
 	account_data, admin, announcements, antispam, appservice, client, config, emergency,
 	federation, firstrun, globals, key_backups,
 	manager::Manager,
-	media, moderation, presence, pusher, registration_tokens, resolver, rooms, sending,
-	server_keys,
+	media, moderation, password_reset, presence, pusher, registration_tokens, resolver, rooms,
+	sending, server_keys,
 	service::{self, Args, Map, Service},
 	sync, transactions, uiaa, users,
 };
@@ -27,6 +27,7 @@ pub struct Services {
 	pub globals: Arc<globals::Service>,
 	pub key_backups: Arc<key_backups::Service>,
 	pub media: Arc<media::Service>,
+	pub password_reset: Arc<password_reset::Service>,
 	pub presence: Arc<presence::Service>,
 	pub pusher: Arc<pusher::Service>,
 	pub registration_tokens: Arc<registration_tokens::Service>,
@@ -81,6 +82,7 @@ impl Services {
 			globals: build!(globals::Service),
 			key_backups: build!(key_backups::Service),
 			media: build!(media::Service),
+			password_reset: build!(password_reset::Service),
 			presence: build!(presence::Service),
 			pusher: build!(pusher::Service),
 			registration_tokens: build!(registration_tokens::Service),
@@ -181,20 +181,11 @@ pub async fn try_auth(
 			uiaainfo.completed.push(AuthType::Password);
 		},
 		| AuthData::ReCaptcha(r) => {
-			if self.services.config.recaptcha_private_site_key.is_none() {
+			let Some(ref private_site_key) = self.services.config.recaptcha_private_site_key
+			else {
 				return Err!(Request(Forbidden("ReCaptcha is not configured.")));
-			}
-			match recaptcha_verify::verify(
-				self.services
-					.config
-					.recaptcha_private_site_key
-					.as_ref()
-					.unwrap(),
-				r.response.as_str(),
-				None,
-			)
-			.await
-			{
+			};
+			match recaptcha_verify::verify_v3(private_site_key, r.response.as_str(), None).await {
 				| Ok(()) => {
 					uiaainfo.completed.push(AuthType::ReCaptcha);
 				},
@@ -20,12 +20,25 @@ crate-type = [
 [dependencies]
 conduwuit-build-metadata.workspace = true
 conduwuit-service.workspace = true
+conduwuit-core.workspace = true
+async-trait.workspace = true
 askama.workspace = true
 axum.workspace = true
+axum-extra.workspace = true
+base64.workspace = true
 futures.workspace = true
 tracing.workspace = true
 rand.workspace = true
+ruma.workspace = true
 thiserror.workspace = true
+tower-http.workspace = true
+serde.workspace = true
+memory-serve = "2.1.0"
+validator = { version = "0.20.0", features = ["derive"] }
+tower-sec-fetch = { version = "0.1.2", features = ["tracing"] }
+
+[build-dependencies]
+memory-serve = "2.1.0"

 [lints]
 workspace = true
@@ -0,0 +1,2 @@
+[general]
+dirs = ["pages/templates"]
@@ -0,0 +1 @@
+fn main() { memory_serve::load_directory("./pages/resources"); }
@@ -1,94 +0,0 @@
-:root {
-    color-scheme: light;
-    --font-stack: sans-serif;
-
-    --background-color: #fff;
-    --text-color: #000;
-
-    --bg: oklch(0.76 0.0854 317.27);
-    --panel-bg: oklch(0.91 0.042 317.27);
-
-    --name-lightness: 0.45;
-
-    @media (prefers-color-scheme: dark) {
-        color-scheme: dark;
-        --text-color: #fff;
-        --bg: oklch(0.15 0.042 317.27);
-        --panel-bg: oklch(0.24 0.03 317.27);
-
-        --name-lightness: 0.8;
-    }
-
-    --c1: oklch(0.44 0.177 353.06);
-    --c2: oklch(0.59 0.158 150.88);
-
-    --normal-font-size: 1rem;
-    --small-font-size: 0.8rem;
-}
-
-body {
-    color: var(--text-color);
-    font-family: var(--font-stack);
-    margin: 0;
-    padding: 0;
-    display: grid;
-    place-items: center;
-    min-height: 100vh;
-}
-
-html {
-    background-color: var(--bg);
-    background-image: linear-gradient(
-        70deg,
-        oklch(from var(--bg) l + 0.2 c h),
-        oklch(from var(--bg) l - 0.2 c h)
-    );
-    font-size: 16px;
-}
-
-.panel {
-    width: min(clamp(24rem, 12rem + 40vw, 48rem), calc(100vw - 3rem));
-    border-radius: 15px;
-    background-color: var(--panel-bg);
-    padding-inline: 1.5rem;
-    padding-block: 1rem;
-    box-shadow: 0 0.25em 0.375em hsla(0, 0%, 0%, 0.1);
-}
-
-@media (max-width: 24rem) {
-    .panel {
-        padding-inline: 0.25rem;
-        width: calc(100vw - 0.5rem);
-        border-radius: 0;
-        margin-block-start: 0.2rem;
-    }
-    main {
-        height: 100%;
-    }
-}
-
-footer {
-    padding-inline: 0.25rem;
-    height: max(fit-content, 2rem);
-}
-
-.project-name {
-    text-decoration: none;
-    background: linear-gradient(
-        130deg,
-        oklch(from var(--c1) var(--name-lightness) c h),
-        oklch(from var(--c2) var(--name-lightness) c h)
-    );
-    background-clip: text;
-    color: transparent;
-    filter: brightness(1.2);
-}
-
-b {
-    color: oklch(from var(--c2) var(--name-lightness) c h);
-}
-
-.logo {
-    width: 100%;
-    height: 64px;
-}
@@ -1,86 +1,113 @@
+use std::any::Any;
+
 use askama::Template;
 use axum::{
 	Router,
-	extract::State,
-	http::{StatusCode, header},
+	extract::rejection::{FormRejection, QueryRejection},
+	http::{HeaderValue, StatusCode, header},
 	response::{Html, IntoResponse, Response},
-	routing::get,
 };
-use conduwuit_build_metadata::{GIT_REMOTE_COMMIT_URL, GIT_REMOTE_WEB_URL, version_tag};
 use conduwuit_service::state;
+use tower_http::{catch_panic::CatchPanicLayer, set_header::SetResponseHeaderLayer};
+use tower_sec_fetch::SecFetchLayer;

-pub fn build() -> Router<state::State> {
-	Router::<state::State>::new()
-		.route("/", get(index_handler))
-		.route("/_continuwuity/logo.svg", get(logo_handler))
-}
+use crate::pages::TemplateContext;

-async fn index_handler(
-	State(services): State<state::State>,
-) -> Result<impl IntoResponse, WebError> {
-	#[derive(Debug, Template)]
-	#[template(path = "index.html.j2")]
-	struct Index<'a> {
-		nonce: &'a str,
-		server_name: &'a str,
-		first_run: bool,
-	}
-	let nonce = rand::random::<u64>().to_string();
+mod pages;

-	let template = Index {
-		nonce: &nonce,
-		server_name: services.config.server_name.as_str(),
-		first_run: services.firstrun.is_first_run(),
-	};
-	Ok((
-		[(
-			header::CONTENT_SECURITY_POLICY,
-			format!("default-src 'nonce-{nonce}'; img-src 'self';"),
-		)],
-		Html(template.render()?),
-	))
-}
+type State = state::State;

-async fn logo_handler() -> impl IntoResponse {
-	(
-		[(header::CONTENT_TYPE, "image/svg+xml")],
-		include_str!("templates/logo.svg").to_owned(),
-	)
-}
+const CATASTROPHIC_FAILURE: &str = "cat-astrophic failure! we couldn't even render the error template. \
+please contact the team @ https://continuwuity.org";

 #[derive(Debug, thiserror::Error)]
 enum WebError {
+	#[error("Failed to validate form body: {0}")]
+	ValidationError(#[from] validator::ValidationErrors),
+	#[error("{0}")]
+	QueryRejection(#[from] QueryRejection),
+	#[error("{0}")]
+	FormRejection(#[from] FormRejection),
+	#[error("{0}")]
+	BadRequest(String),
+
+	#[error("This page does not exist.")]
+	NotFound,
+
 	#[error("Failed to render template: {0}")]
 	Render(#[from] askama::Error),
+	#[error("{0}")]
+	InternalError(#[from] conduwuit_core::Error),
+	#[error("Request handler panicked! {0}")]
+	Panic(String),
 }

 impl IntoResponse for WebError {
 	fn into_response(self) -> Response {
 		#[derive(Debug, Template)]
 		#[template(path = "error.html.j2")]
-		struct Error<'a> {
-			nonce: &'a str,
-			err: WebError,
+		struct Error {
+			error: WebError,
+			status: StatusCode,
+			context: TemplateContext,
 		}

-		let nonce = rand::random::<u64>().to_string();
-
 		let status = match &self {
-			| Self::Render(_) => StatusCode::INTERNAL_SERVER_ERROR,
+			| Self::ValidationError(_)
+			| Self::BadRequest(_)
+			| Self::QueryRejection(_)
+			| Self::FormRejection(_) => StatusCode::BAD_REQUEST,
+			| Self::NotFound => StatusCode::NOT_FOUND,
+			| _ => StatusCode::INTERNAL_SERVER_ERROR,
 		};
-		let tmpl = Error { nonce: &nonce, err: self };
-		if let Ok(body) = tmpl.render() {
-			(
-				status,
-				[(
-					header::CONTENT_SECURITY_POLICY,
-					format!("default-src 'none' 'nonce-{nonce}';"),
-				)],
-				Html(body),
-			)
-				.into_response()
+
+		let template = Error {
+			error: self,
+			status,
+			context: TemplateContext {
+				// Statically set false to prevent error pages from being indexed.
+				allow_indexing: false,
+			},
+		};
+
+		if let Ok(body) = template.render() {
+			(status, Html(body)).into_response()
 		} else {
-			(status, "Something went wrong").into_response()
+			(status, CATASTROPHIC_FAILURE).into_response()
 		}
 	}
 }
+
+pub fn build() -> Router<state::State> {
+	#[allow(clippy::wildcard_imports)]
+	use pages::*;
+
+	Router::new()
+		.merge(index::build())
+		.nest(
+			"/_continuwuity/",
+			Router::new()
+				.merge(resources::build())
+				.merge(password_reset::build())
+				.merge(debug::build())
+				.fallback(async || WebError::NotFound),
+		)
+		.layer(CatchPanicLayer::custom(|panic: Box<dyn Any + Send + 'static>| {
+			let details = if let Some(s) = panic.downcast_ref::<String>() {
+				s.clone()
+			} else if let Some(s) = panic.downcast_ref::<&str>() {
+				(*s).to_owned()
+			} else {
+				"(opaque panic payload)".to_owned()
+			};
+
+			WebError::Panic(details).into_response()
+		}))
+		.layer(SetResponseHeaderLayer::if_not_present(
+			header::CONTENT_SECURITY_POLICY,
+			HeaderValue::from_static("default-src 'self'; img-src 'self' data:;"),
+		))
+		.layer(SecFetchLayer::new(|policy| {
+			policy.allow_safe_methods().reject_missing_metadata();
+		}))
+}
@@ -0,0 +1,98 @@
+use askama::{Template, filters::HtmlSafe};
+use validator::ValidationErrors;
+
+/// A reusable form component with field validation.
+#[derive(Debug, Template)]
+#[template(path = "_components/form.html.j2", print = "code")]
+pub(crate) struct Form<'a> {
+	pub inputs: Vec<FormInput<'a>>,
+	pub validation_errors: Option<ValidationErrors>,
+	pub submit_label: &'a str,
+}
+
+impl HtmlSafe for Form<'_> {}
+
+/// An input element in a form component.
+#[derive(Debug, Clone, Copy)]
+pub(crate) struct FormInput<'a> {
+	/// The field name of the input.
+	pub id: &'static str,
+	/// The `type` property of the input.
+	pub input_type: &'a str,
+	/// The contents of the input's label.
+	pub label: &'a str,
+	/// Whether the input is required. Defaults to `true`.
+	pub required: bool,
+	/// The autocomplete mode for the input. Defaults to `on`.
+	pub autocomplete: &'a str,
+
+	// This is a hack to make the form! macro's support for client-only fields
+	// work properly. Client-only fields are specified in the macro without a type and aren't
+	// included in the POST body or as a field in the generated struct.
+	// To keep the field from being included in the POST body, its `name` property needs not to
+	// be set in the template. Because of limitations of macro_rules!'s repetition feature, this
+	// field needs to exist to allow the template to check if the field is client-only.
+	#[doc(hidden)]
+	pub type_name: Option<&'static str>,
+}
+
+impl Default for FormInput<'_> {
+	fn default() -> Self {
+		Self {
+			id: "",
+			input_type: "text",
+			label: "",
+			required: true,
+			autocomplete: "",
+
+			type_name: None,
+		}
+	}
+}
+
+/// Generate a deserializable struct which may be turned into a [`Form`]
+/// for inclusion in another template.
+#[macro_export]
+macro_rules! form {
+    (
+        $(#[$struct_meta:meta])*
+        struct $struct_name:ident {
+            $(
+                $(#[$field_meta:meta])*
+                $name:ident$(: $type:ty)? where { $($prop:ident: $value:expr),* }
+            ),*
+
+            submit: $submit_label:expr
+        }
+    ) => {
+        #[derive(Debug, serde::Deserialize, validator::Validate)]
+        $(#[$struct_meta])*
+        struct $struct_name {
+            $(
+                $(#[$field_meta])*
+                $(pub $name: $type,)?
+            )*
+        }
+
+        impl $struct_name {
+            /// Generate a [`Form`] which matches the shape of this struct.
+            #[allow(clippy::needless_update)]
+            fn build(validation_errors: Option<validator::ValidationErrors>) -> $crate::pages::components::form::Form<'static> {
+                $crate::pages::components::form::Form {
+                    inputs: vec![
+                        $(
+                            $crate::pages::components::form::FormInput {
+                                id: stringify!($name),
+                                $(type_name: Some(stringify!($type)),)?
+                                $($prop: $value),*,
+                                ..Default::default()
+                            },
+                        )*
+                    ],
+                    validation_errors,
+                    submit_label: $submit_label,
+                }
+            }
+        }
+    };
+}
@@ -0,0 +1,71 @@
+use askama::{Template, filters::HtmlSafe};
+use base64::Engine;
+use conduwuit_core::result::FlatOk;
+use conduwuit_service::Services;
+use ruma::UserId;
+
+pub(super) mod form;
+
+#[derive(Debug)]
+pub(super) enum AvatarType<'a> {
+	Initial(char),
+	Image(&'a str),
+}
+
+#[derive(Debug, Template)]
+#[template(path = "_components/avatar.html.j2")]
+pub(super) struct Avatar<'a> {
+	pub(super) avatar_type: AvatarType<'a>,
+}
+
+impl HtmlSafe for Avatar<'_> {}
+
+#[derive(Debug, Template)]
+#[template(path = "_components/user_card.html.j2")]
+pub(super) struct UserCard<'a> {
+	pub user_id: &'a UserId,
+	pub display_name: Option<String>,
+	pub avatar_src: Option<String>,
+}
+
+impl HtmlSafe for UserCard<'_> {}
+
+impl<'a> UserCard<'a> {
+	pub(super) async fn for_local_user(services: &Services, user_id: &'a UserId) -> Self {
+		let display_name = services.users.displayname(user_id).await.ok();
+
+		let avatar_src = async {
+			let avatar_url = services.users.avatar_url(user_id).await.ok()?;
+			let avatar_mxc = avatar_url.parts().ok()?;
+			let file = services.media.get(&avatar_mxc).await.flat_ok()?;
+
+			Some(format!(
+				"data:{};base64,{}",
+				file.content_type
+					.unwrap_or_else(|| "application/octet-stream".to_owned()),
+				file.content
+					.map(|content| base64::prelude::BASE64_STANDARD.encode(content))
+					.unwrap_or_default(),
+			))
+		}
+		.await;
+
+		Self { user_id, display_name, avatar_src }
+	}
+
+	fn avatar(&'a self) -> Avatar<'a> {
+		let avatar_type = if let Some(ref avatar_src) = self.avatar_src {
+			AvatarType::Image(avatar_src)
+		} else if let Some(initial) = self
+			.display_name
+			.as_ref()
+			.and_then(|display_name| display_name.chars().next())
+		{
+			AvatarType::Initial(initial)
+		} else {
+			AvatarType::Initial(self.user_id.localpart().chars().next().unwrap())
+		};
+
+		Avatar { avatar_type }
+	}
+}
@@ -0,0 +1,17 @@
+use std::convert::Infallible;
+
+use axum::{Router, routing::get};
+use conduwuit_core::Error;
+
+use crate::WebError;
+
+pub(crate) fn build() -> Router<crate::State> {
+	Router::new()
+		.route("/_debug/panic", get(async || -> Infallible { panic!("Guru meditation error") }))
+		.route(
+			"/_debug/error",
+			get(async || -> WebError {
+				Error::Err(std::borrow::Cow::Borrowed("Guru meditation error")).into()
+			}),
+		)
+}
@@ -0,0 +1,28 @@
+use askama::Template;
+use axum::{Router, extract::State, response::IntoResponse, routing::get};
+
+use crate::{WebError, template};
+
+pub(crate) fn build() -> Router<crate::State> {
+	Router::new()
+		.route("/", get(index_handler))
+		.route("/_continuwuity/", get(index_handler))
+}
+
+async fn index_handler(
+	State(services): State<crate::State>,
+) -> Result<impl IntoResponse, WebError> {
+	template! {
+		struct Index<'a> use "index.html.j2" {
+			server_name: &'a str,
+			first_run: bool
+		}
+	}
+
+	Ok(Index::new(
+		&services,
+		services.globals.server_name().as_str(),
+		services.firstrun.is_first_run(),
+	)
+	.into_response())
+}
@@ -0,0 +1,53 @@
+mod components;
+pub(super) mod debug;
+pub(super) mod index;
+pub(super) mod password_reset;
+pub(super) mod resources;
+
+#[derive(Debug)]
+pub(crate) struct TemplateContext {
+	pub allow_indexing: bool,
+}
+
+impl From<&crate::State> for TemplateContext {
+	fn from(state: &crate::State) -> Self {
+		Self {
+			allow_indexing: state.config.allow_web_indexing,
+		}
+	}
+}
+
+#[macro_export]
+macro_rules! template {
+    (
+        struct $name:ident $(<$lifetime:lifetime>)? use $path:literal {
+            $($field_name:ident: $field_type:ty),*
+        }
+    ) => {
+        #[derive(Debug, askama::Template)]
+        #[template(path = $path)]
+        struct $name$(<$lifetime>)? {
+            context: $crate::pages::TemplateContext,
+            $($field_name: $field_type,)*
+        }
+
+        impl$(<$lifetime>)? $name$(<$lifetime>)? {
+            fn new(state: &$crate::State, $($field_name: $field_type,)*) -> Self {
+                Self {
+                    context: state.into(),
+                    $($field_name,)*
+                }
+            }
+        }
+
+        #[allow(single_use_lifetimes)]
+        impl$(<$lifetime>)? axum::response::IntoResponse for $name$(<$lifetime>)? {
+            fn into_response(self) -> axum::response::Response {
+                match self.render() {
+                    Ok(rendered) => axum::response::Html(rendered).into_response(),
+                    Err(err) => $crate::WebError::from(err).into_response()
+                }
+            }
+        }
+    };
+}
@@ -0,0 +1,120 @@
+use askama::Template;
+use axum::{
+	Router,
+	extract::{
+		Query, State,
+		rejection::{FormRejection, QueryRejection},
+	},
+	http::StatusCode,
+	response::{IntoResponse, Response},
+	routing::get,
+};
+use serde::Deserialize;
+use validator::Validate;
+
+use crate::{
+	WebError, form,
+	pages::components::{UserCard, form::Form},
+	template,
+};
+
+const INVALID_TOKEN_ERROR: &str = "Invalid reset token. Your reset link may have expired.";
+
+#[derive(Deserialize)]
+struct PasswordResetQuery {
+	token: String,
+}
+
+template! {
+	struct PasswordReset<'a> use "password_reset.html.j2" {
+		user_card: UserCard<'a>,
+		body: PasswordResetBody
+	}
+}
+
+#[derive(Debug)]
+enum PasswordResetBody {
+	Form(Form<'static>),
+	Success,
+}
+
+form! {
+	struct PasswordResetForm {
+		#[validate(length(min = 1, message = "Password cannot be empty"))]
+		new_password: String where {
+			input_type: "password",
+			label: "New password",
+			autocomplete: "new-password"
+		},
+
+		#[validate(must_match(other = "new_password", message = "Passwords must match"))]
+		confirm_new_password: String where {
+			input_type: "password",
+			label: "Confirm new password",
+			autocomplete: "new-password"
+		}
+
+		submit: "Reset Password"
+	}
+}
+
+pub(crate) fn build() -> Router<crate::State> {
+	Router::new()
+		.route("/account/reset_password", get(get_password_reset).post(post_password_reset))
+}
+
+async fn password_reset_form(
+	services: crate::State,
+	query: PasswordResetQuery,
+	reset_form: Form<'static>,
+) -> Result<impl IntoResponse, WebError> {
+	let Some(token) = services.password_reset.check_token(&query.token).await else {
+		return Err(WebError::BadRequest(INVALID_TOKEN_ERROR.to_owned()));
+	};
+
+	let user_card = UserCard::for_local_user(&services, &token.info.user).await;
+
+	Ok(PasswordReset::new(&services, user_card, PasswordResetBody::Form(reset_form))
+		.into_response())
+}
+
+async fn get_password_reset(
+	State(services): State<crate::State>,
+	query: Result<Query<PasswordResetQuery>, QueryRejection>,
+) -> Result<impl IntoResponse, WebError> {
+	let Query(query) = query?;
+
+	password_reset_form(services, query, PasswordResetForm::build(None)).await
+}
+
+async fn post_password_reset(
+	State(services): State<crate::State>,
+	query: Result<Query<PasswordResetQuery>, QueryRejection>,
+	form: Result<axum::Form<PasswordResetForm>, FormRejection>,
+) -> Result<Response, WebError> {
+	let Query(query) = query?;
+	let axum::Form(form) = form?;
+
+	match form.validate() {
+		| Ok(()) => {
+			let Some(token) = services.password_reset.check_token(&query.token).await else {
+				return Err(WebError::BadRequest(INVALID_TOKEN_ERROR.to_owned()));
+			};
+			let user_id = token.info.user.clone();
+
+			services
+				.password_reset
+				.consume_token(token, &form.new_password)
+				.await?;
+
+			let user_card = UserCard::for_local_user(&services, &user_id).await;
+			Ok(PasswordReset::new(&services, user_card, PasswordResetBody::Success)
+				.into_response())
+		},
+		| Err(err) => Ok((
+			StatusCode::BAD_REQUEST,
+			password_reset_form(services, query, PasswordResetForm::build(Some(err))).await,
+		)
+			.into_response()),
+	}
+}
@@ -0,0 +1,9 @@
+use axum::Router;
+
+pub(crate) fn build() -> Router<crate::State> {
+	Router::new().nest(
+		"/resources/",
+		#[allow(unused_qualifications)]
+		memory_serve::load!().index_file(None).into_router(),
+	)
+}
@@ -0,0 +1,185 @@
+:root {
+    color-scheme: light;
+    --font-stack: sans-serif;
+
+    --background-color: #fff;
+    --text-color: #000;
+    --secondary: #666;
+    --bg: oklch(0.76 0.0854 317.27);
+    --panel-bg: oklch(0.91 0.042 317.27);
+    --c1: oklch(0.44 0.177 353.06);
+    --c2: oklch(0.59 0.158 150.88);
+
+    --name-lightness: 0.45;
+    --background-lightness: 0.9;
+
+    --background-gradient:
+        radial-gradient(42.12% 56.13% at 100% 0%, oklch(from var(--c2) var(--background-lightness) c h) 0%, #fff0 100%),
+        radial-gradient(42.01% 79.63% at 52.86% 0%, #d9ff5333 0%, #fff0 100%),
+        radial-gradient(79.67% 58.09% at 0% 0%, oklch(from var(--c1) var(--background-lightness) c h) 0%, #fff0 100%);
+
+    --normal-font-size: 1rem;
+    --small-font-size: 0.8rem;
+
+    --border-radius-sm: 5px;
+    --border-radius-lg: 15px;
+
+    @media (prefers-color-scheme: dark) {
+        color-scheme: dark;
+        --text-color: #fff;
+        --secondary: #888;
+        --bg: oklch(0.15 0.042 317.27);
+        --panel-bg: oklch(0.24 0.03 317.27);
+
+        --name-lightness: 0.8;
+        --background-lightness: 0.2;
+
+        --background-gradient:
+            radial-gradient(
+                42.12% 56.13% at 100% 0%,
+                oklch(from var(--c2) var(--background-lightness) c h) 0%,
+                #12121200 100%
+            ),
+            radial-gradient(55.81% 87.78% at 48.37% 0%, #000 0%, #12121200 89.55%),
+            radial-gradient(
+                122.65% 88.24% at 0% 0%,
+                oklch(from var(--c1) var(--background-lightness) c h) 0%,
+                #12121200 100%
+            );
+    }
+}
+
+* {
+    box-sizing: border-box;
+}
+
+body {
+    display: grid;
+    margin: 0;
+    padding: 0;
+    place-items: center;
+    min-height: 100vh;
+
+    color: var(--text-color);
+    font-family: var(--font-stack);
+    line-height: 1.5;
+}
+
+html {
+    background-color: var(--bg);
+    background-image: var(--background-gradient);
+    font-size: var(--normal-font-size);
+}
+
+footer {
+    padding-inline: 0.25rem;
+    height: max(fit-content, 2rem);
+
+    .logo {
+        width: 100%;
+        height: 64px;
+    }
+}
+
+p {
+    margin: 1rem 0;
+}
+
+em {
+    color: oklch(from var(--c2) var(--name-lightness) c h);
+    font-weight: bold;
+    font-style: normal;
+}
+
+small {
+    color: var(--secondary);
+}
+
+small.error {
+    display: block;
+    color: red;
+    font-size: small;
+    font-style: italic;
+    margin-bottom: 0.5rem;
+}
+
+.panel {
+    --preferred-width: 12rem + 40dvw;
+    --maximum-width: 48rem;
+
+    width: min(clamp(24rem, var(--preferred-width), var(--maximum-width)), calc(100dvw - 3rem));
+    border-radius: var(--border-radius-lg);
+    background-color: var(--panel-bg);
+    padding-inline: 1.5rem;
+    padding-block: 1rem;
+    box-shadow: 0 0.25em 0.375em hsla(0, 0%, 0%, 0.1);
+
+    &.narrow {
+        --preferred-width: 12rem + 20dvw;
+        --maximum-width: 36rem;
+
+        input, button {
+            width: 100%;
+        }
+    }
+}
+
+label {
+    display: block;
+}
+
+input, button {
+    display: inline-block;
+    padding: 0.5em;
+    margin-bottom: 0.5em;
+
+    font-size: inherit;
+    font-family: inherit;
+    color: white;
+    background-color: transparent;
+
+    border: none;
+    border-radius: var(--border-radius-sm);
+}
+
+input {
+    border: 2px solid var(--secondary);
+
+    &:focus-visible {
+        outline: 2px solid var(--c1);
+        border-color: transparent;
+    }
+}
+
+button {
+    background-color: var(--c1);
+    transition: opacity .2s;
+
+    &:enabled:hover {
+        opacity: 0.8;
+        cursor: pointer;
+    }
+}
+
+h1 {
+    margin-top: 0;
+    margin-bottom: 0.67em;
+}
+
+@media (max-width: 425px) {
+    main {
+        padding-block-start: 2rem;
+        width: 100%;
+    }
+
+    .panel {
+        border-radius: 0;
+        width: 100%;
+    }
+}
+
+@media (max-width: 799px) {
+    input, button {
+        width: 100%;
+    }
+}
@@ -0,0 +1,44 @@
+.avatar {
+    --avatar-size: 56px;
+
+    display: inline-block;
+    aspect-ratio: 1 / 1;
+    inline-size: var(--avatar-size);
+    border-radius: 50%;
+
+    text-align: center;
+    text-transform: uppercase;
+    font-size: calc(var(--avatar-size) * 0.5);
+    font-weight: 700;
+    line-height: calc(var(--avatar-size) - 2px);
+
+    color: oklch(from var(--c1) calc(l + 0.2) c h);
+    background-color: var(--c1);
+}
+
+.user-card {
+    display: flex;
+    flex-direction: row;
+    align-items: center;
+    gap: 16px;
+
+    background-color: oklch(from var(--panel-bg) calc(l - 0.05) c h);
+    border-radius: var(--border-radius-lg);
+    padding: 16px;
+
+    .info {
+        flex: 1 1;
+
+        p {
+            margin: 0;
+
+            &.display-name {
+                font-weight: 700;
+            }
+
+            &:nth-of-type(2) {
+                color: var(--secondary);
+            }
+        }
+    }
+}
@@ -0,0 +1,13 @@
+.k10y {
+    font-family: monospace;
+    font-size: x-small;
+    font-weight: 700;
+    transform: translate(1rem, 1.6rem);
+    color: var(--secondary);
+    user-select: none;
+}
+
+h1 {
+    display: flex;
+    align-items: center;
+}
@@ -0,0 +1,11 @@
+.project-name {
+    text-decoration: none;
+    background: linear-gradient(
+        130deg,
+        oklch(from var(--c1) var(--name-lightness) c h),
+        oklch(from var(--c2) var(--name-lightness) c h)
+    );
+    background-clip: text;
+    color: transparent;
+    filter: brightness(1.2);
+}
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   width="447.99823"
+   height="447.99823"
+   viewBox="0 0 447.99823 447.99823"
+   version="1.1"
+   id="svg1"
+   xml:space="preserve"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg"><defs
+     id="defs1" /><g
+     id="layer1"
+     transform="translate(-32.000893,-32.000893)"><circle
+       style="fill:#9b4bd4;fill-opacity:1;stroke:#000000;stroke-width:10;stroke-dasharray:none;stroke-opacity:1"
+       id="path1"
+       cy="256"
+       cx="256"
+       r="176" /><path
+       style="fill:#de6cd3;fill-opacity:1;stroke:#000000;stroke-width:10;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
+       d="m 41,174 69,36 C 135,126 175,102 226,94 l -12,31 62,-44 -69,-44 15,30 C 128,69 84,109 41,172 Z"
+       id="path7" /><path
+       style="fill:#de6cd3;fill-opacity:1;stroke:#000000;stroke-width:10;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
+       d="m 338,41 -36,69 c 84,25 108,65 116,116 l -31,-12 44,62 44,-69 -30,15 C 443,128 403,84 340,41 Z"
+       id="path6" /><path
+       style="fill:#de6cd3;fill-opacity:1;stroke:#000000;stroke-width:10;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
+       d="m 471,338 -69,-36 c -25,84 -65,108 -116,116 l 12,-31 -62,44 69,44 -15,-30 c 94,-2 138,-42 181,-105 z"
+       id="path8" /><path
+       style="fill:#de6cd3;fill-opacity:1;stroke:#000000;stroke-width:10;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
+       d="m 174,471 36,-69 C 126,377 102,337 94,286 l 31,12 -44,-62 -44,69 30,-15 c 2,94 42,138 105,181 z"
+       id="path9" /><g
+       id="g15"
+       transform="translate(-5.4157688e-4)"><path
+         style="fill:none;stroke:#000000;stroke-width:10;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1;paint-order:normal"
+         d="m 155.45977,224.65379 c -7.25909,13.49567 -7.25909,26.09161 -6.35171,39.58729 0.90737,11.69626 12.7034,24.29222 24.49943,26.09164 21.77727,3.59884 28.12898,-20.69338 28.12898,-20.69338 0,0 4.53693,-15.29508 5.4443,-40.48699"
+         id="path11" /><path
+         style="fill:none;stroke:#000000;stroke-width:10;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1;paint-order:normal"
+         d="m 218.96706,278.05399 c 3.00446,17.12023 7.52704,24.88918 19.22704,28.48918 9,2.7 22.5,-4.5 22.5,-16.2 0.9,21.6 17.1,17.1 19.8,17.1 11.7,-1.8 18.9,-14.4 16.2,-30.6"
+         id="path12" /><path
+         style="fill:none;stroke:#000000;stroke-width:10;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1;paint-order:normal"
+         d="m 305.6941,230.94317 c 1.8,27 6.3,40.5 6.3,40.5 8.1,27 28.8,19.8 28.8,19.8 18.9,-7.2 22.5,-24.3 22.5,-30.6 0,-25.2 -6.3,-35.1 -6.3,-35.1"
+         id="path13" /></g></g></svg>
@@ -0,0 +1,6 @@
+{% match avatar_type %}
+    {% when AvatarType::Initial with (initial) %}
+    <span class="avatar" role="img">{{ initial }}</span>
+    {% when AvatarType::Image with (src) %}
+    <img class="avatar" src="{{ src }}">
+{% endmatch %}
@@ -0,0 +1,30 @@
+<form method="post">
+    {% let validation_errors = validation_errors.clone().unwrap_or_default() %}
+    {% let field_errors = validation_errors.field_errors() %}
+    {% for input in inputs %}
+        <p>
+            <label for="{{ input.id }}">{{ input.label }}</label>
+            {% let name = std::borrow::Cow::from(*input.id) %}
+            {% if let Some(errors) = field_errors.get(name) %}
+                {% for error in errors %}
+                    <small class="error">
+                        {% if let Some(message) = error.message %}
+                            {{ message }}
+                        {% else %}
+                            Mysterious validation error <code>{{ error.code }}</code>!
+                        {% endif %}
+                    </small>
+                {% endfor %}
+            {% endif %}
+            <input
+                type="{{ input.input_type }}"
+                id="{{ input.id }}"
+                autocomplete="{{ input.autocomplete }}"
+                {% if input.type_name.is_some() %}name="{{ input.id }}"{% endif %}
+                {% if input.required %}required{% endif %}
+            >
+        </p>
+    {% endfor %}
+
+    <button type="submit">{{ submit_label }}</button>
+</form>
@@ -0,0 +1,9 @@
+<div class="user-card">
+    {{ avatar() }}
+    <div class="info">
+        {% if let Some(display_name) = display_name %}
+        <p class="display-name">{{ display_name }}</p>
+        {% endif %}
+        <p class="user_id">{{ user_id }}</p>
+    </div>
+</div>
@@ -5,23 +5,24 @@
    <meta charset="UTF-8" />
    <title>{% block title %}Continuwuity{% endblock %}</title>
    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    {%- if !context.allow_indexing %}
+    <meta name="robots" content="noindex" />
+    {%- endif %}

-    <link rel="icon" href="/_continuwuity/logo.svg">
-    <style type="text/css" nonce="{{ nonce }}">
-        /*<![CDATA[*/
-            {{ include_str !("css/index.css") | safe }}
-        /*]]>*/
-    </style>
+    <link rel="icon" href="/_continuwuity/resources/logo.svg">
+    <link rel="stylesheet" href="/_continuwuity/resources/common.css">
+    <link rel="stylesheet" href="/_continuwuity/resources/components.css">
+    {% block head %}{% endblock %}
 </head>

 <body>
    <main>{%~ block content %}{% endblock ~%}</main>
    {%~ block footer ~%}
        <footer>
-            <img class="logo" src="/_continuwuity/logo.svg">
+            <img class="logo" src="/_continuwuity/resources/logo.svg">
            <p>Powered by <a href="https://continuwuity.org">Continuwuity</a> {{ env!("CARGO_PKG_VERSION") }}
-                {%~ if let Some(version_info) = self::version_tag() ~%}
-                    {%~ if let Some(url) = GIT_REMOTE_COMMIT_URL.or(GIT_REMOTE_WEB_URL) ~%}
+                {%~ if let Some(version_info) = conduwuit_build_metadata::version_tag() ~%}
+                    {%~ if let Some(url) = conduwuit_build_metadata::GIT_REMOTE_COMMIT_URL.or(conduwuit_build_metadata::GIT_REMOTE_WEB_URL) ~%}
                        (<a href="{{ url }}">{{ version_info }}</a>)
                    {%~ else ~%}
                        ({{ version_info }})
@@ -0,0 +1,41 @@
+{% extends "_layout.html.j2" %}
+
+{%- block head -%}
+<link rel="stylesheet" href="/_continuwuity/resources/error.css">
+{%- endblock -%}
+
+{%- block title -%}
+🐈 Request Error
+{%- endblock -%}
+
+{%- block content -%}
+<pre class="k10y" aria-hidden>
+　　　 　  ／＞　　 フ
+　　　 　  | 　_　 _|
+　 　　  ／` ミ＿xノ
+　　 　 /　　　 　 |
+　　　 /　 ヽ　　 ﾉ
+　 　 │　　|　|　|
+　／￣|　　 |　|　|
+　| (￣ヽ＿_ヽ_)__)
+　＼二つ
+</pre>
+<div class="panel">
+    <h1>
+        {% if status == StatusCode::NOT_FOUND %}
+        Not found
+        {% else if status == StatusCode::INTERNAL_SERVER_ERROR %}
+        Internal server error
+        {% else %}
+        Bad request
+        {% endif %}
+    </h1>
+
+    {% if status == StatusCode::INTERNAL_SERVER_ERROR %}
+    <p>Please <a href="https://forgejo.ellis.link/continuwuation/continuwuity/issues/new">submit a bug report</a> 🥺</p>
+    {% endif %}
+
+    <pre><code>{{ error }}</code></pre>
+</div>
+
+{%- endblock -%}
@@ -1,4 +1,9 @@
 {% extends "_layout.html.j2" %}
+
+{%- block head -%}
+<link rel="stylesheet" href="/_continuwuity/resources/index.css">
+{%- endblock -%}
+
 {%- block content -%}
 <div class="panel">
    <h1>
@@ -6,7 +11,7 @@
    </h1>
    <p>Continuwuity is successfully installed and working.</p>
    {%- if first_run %}
-    <p>To get started, <b>check the server logs</b> for instructions on how to create the first account.</p>
+    <p>To get started, <em>check the server logs</em> for instructions on how to create the first account.</p>
    <p>For support, take a look at the <a href="https://continuwuity.org/introduction">documentation</a> or join the <a href="https://matrix.to/#/#continuwuity:continuwuity.org?via=continuwuity.org&via=ellis.link&via=explodie.org&via=matrix.org">Continuwuity Matrix room</a>.</p>
    {%- else %}
    <p>To get started, <a href="https://matrix.org/ecosystem/clients">choose a client</a> and connect to <code>{{ server_name }}</code>.</p>
@@ -0,0 +1,18 @@
+{% extends "_layout.html.j2" %}
+
+{%- block title -%}
+Reset Password
+{%- endblock -%}
+
+{%- block content -%}
+<div class="panel narrow">
+    <h1>Reset Password</h1>
+    {{ user_card }}
+    {% match body %}
+        {% when PasswordResetBody::Form(reset_form) %}
+        {{ reset_form }}
+        {% when PasswordResetBody::Success %}
+        <p>Your password has been reset successfully.</p>
+    {% endmatch %}
+</div>
+{%- endblock -%}
@@ -1,20 +0,0 @@
-{% extends "_layout.html.j2" %}
-
-{%- block title -%}
-Server Error
-{%- endblock -%}
-
-{%- block content -%}
-<h1>
-    {%- match err -%}
-    {% else -%} 500: Internal Server Error
-    {%- endmatch -%}
-</h1>
-
-{%- match err -%}
-    {% when WebError::Render(err) -%}
-        <pre>{{ err }}</pre>
-    {% else -%} <p>An error occurred</p>
-{%- endmatch -%}
-
-{%- endblock -%}
@@ -1 +0,0 @@
-../../../docs/public/assets/logo.svg
Author	SHA1	Message	Date
timedout	422db2105c	style: Run linter	2026-03-29 15:16:54 +01:00
timedout	8b206564aa	feat: Reduce verbosity of "remote server couldn't process pdu" warning	2026-03-29 14:28:33 +01:00
timedout	127030ac38	fix: Only pop unsigned from PDUs	2026-03-29 14:21:30 +01:00
timedout	303ad4ab9c	fix: Don't include `origin` in remote memberships	2026-03-29 14:18:13 +01:00
timedout	053860e496	fix: Correctly handle size evaluation of local events Also improved the performance of `pdu_fits`	2026-03-29 13:42:49 +01:00
timedout	b0e3b9eeb5	style: Fix clippy lint	2026-03-27 22:54:52 +00:00
timedout	d636da06e2	chore: Add news fragment	2026-03-27 22:19:26 +00:00
timedout	3cec9d0077	fix: Correctly, explicitly format outgoing events	2026-03-27 22:11:27 +00:00
norm	9209b847f6	docs: Mention systemd's `ReadWritePaths` setting for the backup dir The systemd unit file uses `ProtectSystem=strict`, which makes almost every directory read-only. This can cause backups to not work, even if the directory is granted the correct permissions and ownership to the `conduwuit` user. The `ReadWritePaths` setting lets you specify which directories are exempt from being made read-only by `ProtectSystem=strict`.	2026-03-27 19:25:26 +00:00
Jade Ellis	cf9c2c23b6	chore: Upgrade git dependencies	2026-03-27 18:39:43 +00:00
Jade Ellis	1bd161a306	fix(deps): Update to rocksdb v10.10.1, jemalloc 0.6.1 Re-adds revert to try and fix rocksdb repair deadlock	2026-03-27 18:39:43 +00:00
Renovate Bot	0a0206e866	chore(deps): update node-patch-updates to v2.0.7	2026-03-27 13:31:35 +00:00
Henry-Hiles	e6f31d7d4f	fix(renovate): Fix name of extends of renovate.json to use full name for pinGitHubActionDigests	2026-03-26 21:45:11 -04:00
timedout	f0c3fdfe3a	fix: Well-known read errors no longer crash resolver flow Reviewed-By: Jade Ellis <jade@ellis.link>	2026-03-27 00:54:17 +00:00
Jade	3c3314b498	deps: Pin actions In the wake of all the compromises so far this week, this seems like a good idea.	2026-03-27 00:46:06 +00:00
Niklas Wojtkowiak	8e7846c644	fix(alias): preserve room alias enumeration on delete	2026-03-26 19:23:24 +00:00
Jade Ellis	3ebaba920f	ci: Minor improvements	2026-03-25 17:32:28 +00:00
Jade Ellis	19e620c8c6	ci: Automatically comment on pull requests missing changelog entries	2026-03-25 17:32:28 +00:00
Henry-Hiles	300b6d81e7	feat(nix): add NPM to devshell	2026-03-25 12:55:49 +00:00
PerformativeJade	ed81dfc6cd	fix: Thumbnail fetching error handling	2026-03-24 20:14:55 +00:00
Jade Ellis	2ffafc17d2	style: Unmeow	2026-03-24 19:48:37 +00:00
Jade Ellis	8589563a2f	meow	2026-03-24 19:46:14 +00:00
Henry-Hiles	27d806e961	fix(docs): make contributing.mdx a symlink	2026-03-24 11:18:54 -04:00
stratself	7aa02a1cd9	fix(docs): Remove prefligit reference	2026-03-24 13:20:56 +00:00
stratself	fc342f5401	docs: move all contrib docs to central source at CONTRIBUTING.md * remove rarely-used docs/contributing.mdx page and redirect links to docs/development/contributing.mdx * softlink docs/development/contributing.mdx to CONTRIBUTING.md * add back section of towncrier to CONTRIBUTING.md * use indirect hyperlinks for all URLs in CONTRIBUTING.md	2026-03-24 13:20:56 +00:00
stratself	ef089c1800	docs(livekit): Put livekit+coturn port clash notice in a tip box * reworded first part of external TURN integration * add restart/recreate instructions to apply final TURNs changes	2026-03-24 13:20:13 +00:00
stratself	279c505af9	docs(livekit): Further enhance compose instructions + examples	2026-03-24 13:20:13 +00:00
stratself	f9058ee062	docs: Add instructions from #1440 to Livekit workarounds * still keep the link to the issue on forgejo * also fixed a word in the Calls overview page	2026-03-24 13:20:13 +00:00
stratself	6c856bd1a4	chore: Write news fragment for PR	2026-03-24 13:20:13 +00:00
stratself	4dbda8692c	fix(docs): Other small improvements in clarity and consistent wordings	2026-03-24 13:20:13 +00:00
stratself	075914d8e8	fix(docs): Use correct var for nonfed server in livekit t00ting	2026-03-24 13:20:13 +00:00
stratself	a2a644194b	fix(docs): Remove trailing whitespace	2026-03-24 13:20:13 +00:00
stratself	093ef742c3	docs(livekit): various mini-clarifications and edits * specify that the added ports belong to livekit's container in TURN section, and remind firewall rules for them * prioritize the network_mode: host workaround * add docker livelogs instructions * use bash for code blocks instead of console * some other small fixes	2026-03-24 13:20:13 +00:00
stratself	010daf079d	fix(docs): use docker run instead of exec for a livekit troubleshooting command	2026-03-24 13:20:13 +00:00
stratself	58c4f5d5b5	fix(docs): further apply fixes from feedback for livekit documentation	2026-03-24 13:20:13 +00:00
ginger	c78a72bbef	chore: Trim trailing whitespace Signed-off-by: Ellis Git <forgejo@mail.ellis.link>	2026-03-24 13:20:13 +00:00
stratself	7e8f1ffd63	fix(docs): little nits for livekit's troubleshooting section	2026-03-24 13:20:13 +00:00
stratself	3d0b886ab8	fix(docs): apply clarity fixes for livekit testing from feedbacks * clearer wording and ordering on client token versus openid token * provide outputs for curl examples	2026-03-24 13:20:13 +00:00
stratself	2e7bfea240	docs(livekit): new troubleshooting section and other small changes * add link to matrix-rtc room * include livekit key-secret pair examples for clarity with livekit.yaml * troubleshooting: add common EC errors and docker networking subsections * fix a merge conflict issue	2026-03-24 13:20:13 +00:00
stratself	b9456c1130	docs: add caveat for deployment with non-federated instances	2026-03-24 13:20:13 +00:00
stratself	3ce6e909dd	docs: apply changes from feedback turn all the things into LiveKit	2026-03-24 13:20:13 +00:00
stratself	3b4b401a51	docs: add livekit testing instructions against new /get_token endpoint	2026-03-24 13:20:13 +00:00
stratself	260b88975d	docs: replace personal links and small fixes in docs for Livekit TURN	2026-03-24 13:20:13 +00:00
stratself	be8e3772c1	docs: rework Related Documentation section for livekit page * separate links into categories in order of importance: guides, specs, source codes * add short description to included community guides * add Element Call, lk-jwt-service, and the livekit MSCs too	2026-03-24 13:20:13 +00:00
stratself	8b91db2918	docs: add caveat for deployment with non-federated instances	2026-03-24 13:20:13 +00:00
stratself	34758c52cc	docs: apply changes from feedback turn all the things into LiveKit	2026-03-24 13:20:13 +00:00
stratself	8b8c015dcc	docs: add livekit testing instructions against new /get_token endpoint	2026-03-24 13:20:13 +00:00
stratself	9afe5f6bed	docs: add caveat for deployment with non-federated instances	2026-03-24 13:20:13 +00:00
stratself	fe03b3b8b7	docs: apply changes from feedback turn all the things into LiveKit	2026-03-24 13:20:13 +00:00
stratself	a04ef6d686	docs: add livekit testing instructions against new /get_token endpoint	2026-03-24 13:20:13 +00:00
stratself	fd807ff1f6	docs: specify both inbuilt + external options for livekit TURN in calls page	2026-03-24 13:20:13 +00:00
stratself	b0632dde41	docs: replace personal links and small fixes in docs for Livekit TURN	2026-03-24 13:20:13 +00:00
stratself	cc3a8a1d40	docs: move Livekit's inbuilt TURN guide to top The purpose is to simplify new deployments, which are more likely to use Livekit-only calls. This also makes docs flow a bit better	2026-03-24 13:20:13 +00:00
stratself	30a540d8bc	docs: rework Related Documentation section for livekit page * separate links into categories in order of importance: guides, specs, source codes * add short description to included community guides * add Element Call, lk-jwt-service, and the livekit MSCs too	2026-03-24 13:20:13 +00:00
stratself	6d0832a6ee	docs: replaces all instances of matrix-rtc to livekit to match rest of page	2026-03-24 13:20:13 +00:00
Renovate Bot	119aa6476d	chore(deps): update docker/setup-qemu-action action to v4	2026-03-24 13:12:12 +00:00
Jonathan Sutton	b9854662f3	fix(room_member): Strip join_authorized_via_users_server (#1542 ) Realized code for fix did in fact require a check for `join_authorized_via_users_server` before stripping. Otherwise, waste processing power, most of the time. Signed-off-by: Jonathan Sutton <jonathansutton91@proton.me>	2026-03-24 13:11:25 +00:00
Jonathan Sutton	dab50b1ec3	fix(room_member): Strip join_authorized_via_users_server (#1542 ) Fixed test. Signed-off-by: Jonathan Sutton <jonathansutton91@proton.me>	2026-03-24 13:11:25 +00:00
Jonathan Sutton	0338539221	fix(room_member): Strip join_authorized_via_users_server (#1542 ) Added test. Signed-off-by: Jonathan Sutton <jonathansutton91@proton.me>	2026-03-24 13:11:25 +00:00
Jonathan Sutton	e94e614498	fix(room_member): Strip join_authorized_via_users_server (#1542 ) Removed extra clone() and made membership_content mutable, to change contents and reserialize to json. Signed-off-by: Jonathan Sutton <jonathansutton91@proton.me>	2026-03-24 13:11:25 +00:00
Jonathan Sutton	098e8a0b92	fix(room_member): Strip join_authorized_via_users_server (#1542 ) Added news fragment. Signed-off-by: Jonathan Sutton <jonathansutton91@proton.me>	2026-03-24 13:11:25 +00:00
Jonathan Sutton	1c3890476a	fix(room_member): Strip join_authorized_via_users_server (#1542 ) Actually implemented fix. Modified json if user was already a member. Signed-off-by: Jonathan Sutton <jonathansutton91@proton.me>	2026-03-24 13:11:25 +00:00
Jonathan Sutton	8ef6f02ee9	fix(room_member): Strip join_authorized_via_users_server (#1542 ) Some clients were sending join_authorized_via_users_server when they were already in the room, to change nicknames. This caused an undesirable error, so a check for if they were already in the room was moved and changed to strip from metadata before attempting to process metadata. Signed-off-by: Jonathan Sutton <jonathansutton91@proton.me>	2026-03-24 13:11:25 +00:00
Renovate Bot	11020df89d	chore(deps): update node-patch-updates to v2.0.6	2026-03-24 13:10:39 +00:00
Renovate Bot	47e3738807	chore(deps): update dependency cargo-bins/cargo-binstall to v1.17.8	2026-03-24 13:08:48 +00:00
Renovate Bot	8afb19757e	chore(deps): update dependency typescript to v6	2026-03-24 05:02:11 +00:00
31a05b9c	de3dfb2bea	style: format	2026-03-23 20:54:10 +00:00
31a05b9c	bbb2615f2c	fix: request errror: error sending request	2026-03-23 19:27:18 +00:00
coolGi	af1b4de231	fix: Typo in the domain for the announcment schema	2026-03-22 21:34:55 +13:00
timedout	677c407755	chore: Bump ruwuma # Conflicts: # Cargo.lock # Cargo.toml	2026-03-21 16:24:05 +00:00
renovate	e3ae714248	chore(Nix): Updated flake hashes	2026-03-20 18:55:28 +00:00
Jade Ellis	fb9a2aa4d6	chore: Upgrade Rust to 1.92	2026-03-20 18:27:59 +00:00
coolGi	5164822090	chore: Update ruwuma	2026-03-21 06:13:45 +13:00
Jade Ellis	6b013bcf60	chore: Update funding links	2026-03-19 12:45:12 +00:00
Ginger	05a49ceb60	chore: Whitelist cognitive_complexity lint	2026-03-18 13:59:48 -04:00
Ginger	728c5828ba	feat: Add a panic handler and clean up error page	2026-03-18 13:43:34 -04:00
Ginger	50c94d85a1	fix: Code cleanup	2026-03-18 13:18:53 -04:00
Ginger	0cc188f62c	fix: Remove redirect on index	2026-03-18 12:42:55 -04:00
Ginger	6451671f66	fix: Update doc comment	2026-03-18 12:42:55 -04:00
theS1LV3R	ca21a885d5	chore: Rename option index_page_allow_indexing to allow_web_indexing	2026-03-18 12:42:55 -04:00
Ginger	4af4110f6d	chore: Update news fragment	2026-03-18 12:42:55 -04:00
Ginger	51b450c05c	feat: Use a context struct to store global template context	2026-03-18 12:42:55 -04:00
theS1LV3R	f9d1f71343	fix: Fix logic error	2026-03-18 12:42:55 -04:00
theS1LV3R	7901e4b996	chore: Add news fragment for !1527	2026-03-18 12:42:55 -04:00
theS1LV3R	7b6bf4b78e	feat: Add option for a noindex meta tag on the HTML index page Adds a new config option `index_page_allow_indexing` which defaults to false. Fixes: !1527	2026-03-18 12:42:55 -04:00
Ginger	67d5619ccb	fix: Fix password reset page appearance in light mode	2026-03-18 12:42:55 -04:00
Ginger	bf001f96d6	feat: Restrict reset token command	2026-03-18 12:42:55 -04:00
Ginger	ae2b87f03f	fix: Fix M_NOT_FOUND for users with no origin set	2026-03-18 12:42:55 -04:00
Ginger	957cd3502f	fix: Evil CSS hackery	2026-03-18 12:42:55 -04:00
Ginger	a109542eb8	fix: Disable text selection on k10y	2026-03-18 12:42:55 -04:00
Ginger	8c4844b00b	fix: Use error page for extractor rejections	2026-03-18 12:42:55 -04:00
Ginger	eec7103910	feat: Implement dedicated 404 page for routes under `/_continuwuity/`	2026-03-18 12:42:55 -04:00
Ginger	43aa172829	feat: Move index to `/_continuwuity/`	2026-03-18 12:42:55 -04:00
Ginger	9b4c483b6d	chore: Remove unnecessary database map left over from refactor	2026-03-18 12:42:55 -04:00
Ginger	b885e206ce	fix: Use server name in index again	2026-03-18 12:42:55 -04:00
Ginger	07a935f625	fix: Add CSRF protection	2026-03-18 12:42:55 -04:00
Ginger	d13801e976	fix: Disallow issuing password reset tokens for deactivated users	2026-03-18 12:42:55 -04:00
Ginger	5716c36b47	chore: Change password reset page path	2026-03-18 12:42:55 -04:00
Ginger	f11943b956	chore: News fragment	2026-03-18 12:42:55 -04:00
Ginger	8b726a9c94	chore: Cleanup	2026-03-18 12:42:55 -04:00
Ginger	ffa3c53847	feat: Implement a webpage for self-service password resets	2026-03-18 12:42:55 -04:00
Ginger	da8833fca4	feat: Implement a command for issuing password reset links	2026-03-18 12:42:55 -04:00
Ginger	267feb3c09	feat: Add a new service for handling password resets	2026-03-18 12:42:55 -04:00
Ginger	3d50af0943	refactor: Split web code into multiple files, improve static resource loading	2026-03-18 12:42:55 -04:00
Ginger	9515019641	fix: Allow cognitive_complexity on two particularly large functions	2026-03-18 10:57:50 -04:00
Renovate Bot	f0f53dfada	chore(deps): lock file maintenance	2026-03-18 05:05:56 +00:00
Renovate Bot	acef746d26	fix(deps): Update rust crate recaptcha-verify to 0.2.0	2026-03-17 13:20:50 +00:00
Jade Ellis	3356b60e97	chore: Remove git.nexy7574.co.uk mirror This mirror seems to have some issues preventing regsync from working.	2026-03-16 18:13:26 +00:00
Jade Ellis	c988c2b387	chore: Release	2026-03-16 16:48:53 +00:00
theS1LV3R	3121229707	docs: Update docker documentation to add /sbin/conduwuit to examples These will likely have to be updated when !1485 goes through. Fixes: !1529	2026-03-15 00:21:37 +00:00
Shane Jaroch	ff85145ee8	fix: missing logic inversion for acquired keys (should speed up room joins)	2026-03-13 20:54:38 -04:00
lveneris	f61d1a11e0	chore: set correct commit types for all renovate PRs	2026-03-09 21:51:21 +00:00
lveneris	11ba8979ff	chore: batch non-major non-zerover cargo renovate PRs	2026-03-09 21:51:21 +00:00
Ginger	f6956ccf12	fix: Nuke all remaining references to MSC3575 in docs and code	2026-03-09 17:11:19 +00:00
				`@@ -0,0 +1 @@`
				`Added support for using an admin command to issue self-service password reset links.`
				`@@ -0,0 +1 @@`
				`Fixed room alias deletion so removing one local alias no longer removes other aliases from room alias listings.`
				`@@ -0,0 +1 @@`
				`Added Testing and Troubleshooting instructions for Livekit documentation. Contributed by @stratself.`
				`@@ -0,0 +1 @@`
				Add new config option to allow or disallow search engine indexing through a `<meta ../>` tag. Defaults to blocking indexing (`content="noindex"`). Contributed by @s1lv3r and @ginger.
				`@@ -0,0 +1 @@`
				Stripped `join_authorised_via_users_server` from json if user is already in room (@partha:cxy.run)
				`@@ -0,0 +1 @@`
				`Fixed internal server errors for fetching thumbnails. Contributed by @PerformativeJade`
				`@@ -0,0 +1 @@`
				`Drop unnecessary fields when converting an event into the federation format, saving bandwidth. Contributed by @nex.`
				`@@ -0,0 +1 @@`
				`fn main() { memory_serve::load_directory("./pages/resources"); }`