chore: Bump version to 0.5.0-rc.8.1

ci: Run image release workflow on tag
(cherry picked from commit e5e2db37d9)
2026-05-26 20:49:55 +00:00 · 2025-11-16 21:00:14 +00:00 · 2025-11-16 21:00:14 +00:00 · 2025-11-16 20:05:57 +00:00 · 2025-11-16 20:05:57 +00:00 · 2025-11-16 20:05:57 +00:00
34 changed files with 686 additions and 1048 deletions
@@ -61,16 +61,14 @@ runs:
      id: meta
      uses: docker/metadata-action@v5
      with:
-        flavor: |
-          suffix=${{ inputs.tag_suffix }},onlatest=true
        tags: |
-          type=semver,pattern={{version}},prefix=v
-          type=semver,pattern={{major}}.{{minor}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.0.') }},prefix=v
-          type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }},prefix=v
-          type=ref,event=branch,prefix=${{ format('refs/heads/{0}', github.event.repository.default_branch) != github.ref && 'branch-' || '' }},
-          type=ref,event=pr
-          type=sha,format=short
-          type=raw,value=latest${{ inputs.tag_suffix }},enable=${{ startsWith(github.ref, 'refs/tags/v') }},priority=1100
+          type=semver,pattern={{version}},prefix=v,suffix=${{ inputs.tag_suffix }}
+          type=semver,pattern={{major}}.{{minor}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.0.') }},prefix=v,suffix=${{ inputs.tag_suffix }}
+          type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }},prefix=v,suffix=${{ inputs.tag_suffix }}
+          type=ref,event=branch,prefix=${{ format('refs/heads/{0}', github.event.repository.default_branch) != github.ref && 'branch-' || '' }},suffix=${{ inputs.tag_suffix }}
+          type=ref,event=pr,suffix=${{ inputs.tag_suffix }}
+          type=sha,format=short,suffix=${{ inputs.tag_suffix }}
+          type=raw,value=latest${{ inputs.tag_suffix }},enable=${{ startsWith(github.ref, 'refs/tags/v') }}
        images: ${{ inputs.images }}
        # default labels & annotations: https://github.com/docker/metadata-action/blob/master/src/meta.ts#L509
      env:
@@ -83,7 +81,6 @@ runs:
      env:
        IMAGES: ${{ inputs.images }}
      run: |
-        set -o xtrace
        IFS=$'\n'
        IMAGES_LIST=($IMAGES)
        ANNOTATIONS_LIST=($DOCKER_METADATA_OUTPUT_ANNOTATIONS)
@@ -101,7 +98,6 @@ runs:
      env:
        IMAGES: ${{ inputs.images }}
      run: |
-        set -o xtrace
        IMAGES_LIST=($IMAGES)
        for REPO in "${IMAGES_LIST[@]}"; do
          docker buildx imagetools inspect $REPO:${{ steps.meta.outputs.version }}
@@ -0,0 +1,58 @@
+name: detect-runner-os
+description: |
+  Detect the actual OS name and version of the runner.
+  Provides separate outputs for name, version, and a combined slug.
+
+outputs:
+  name:
+    description: 'OS name (e.g. Ubuntu, Debian)'
+    value: ${{ steps.detect.outputs.name }}
+  version:
+    description: 'OS version (e.g. 22.04, 11)'
+    value: ${{ steps.detect.outputs.version }}
+  slug:
+    description: 'Combined OS slug (e.g. Ubuntu-22.04)'
+    value: ${{ steps.detect.outputs.slug }}
+  node_major:
+    description: 'Major version of Node.js if available (e.g. 22)'
+    value: ${{ steps.detect.outputs.node_major }}
+  node_version:
+    description: 'Full Node.js version if available (e.g. 22.19.0)'
+    value: ${{ steps.detect.outputs.node_version }}
+
+runs:
+  using: composite
+  steps:
+    - name: Detect runner OS
+      id: detect
+      shell: bash
+      run: |
+        # Detect OS version (try lsb_release first, fall back to /etc/os-release)
+        OS_VERSION=$(lsb_release -rs 2>/dev/null || grep VERSION_ID /etc/os-release | cut -d'"' -f2)
+
+        # Detect OS name and capitalise (try lsb_release first, fall back to /etc/os-release)
+        OS_NAME=$(lsb_release -is 2>/dev/null || grep "^ID=" /etc/os-release | cut -d'=' -f2 | tr -d '"' | sed 's/\b\(.\)/\u\1/g')
+
+        # Create combined slug
+        OS_SLUG="${OS_NAME}-${OS_VERSION}"
+
+        # Detect Node.js version if available
+        if command -v node >/dev/null 2>&1; then
+          NODE_VERSION=$(node --version | sed 's/v//')
+          NODE_MAJOR=$(echo $NODE_VERSION | cut -d. -f1)
+          echo "node_version=${NODE_VERSION}" >> $GITHUB_OUTPUT
+          echo "node_major=${NODE_MAJOR}" >> $GITHUB_OUTPUT
+          echo "🔍 Detected Node.js: v${NODE_VERSION}"
+        else
+          echo "node_version=" >> $GITHUB_OUTPUT
+          echo "node_major=" >> $GITHUB_OUTPUT
+          echo "🔍 Node.js not found"
+        fi
+
+        # Set OS outputs
+        echo "name=${OS_NAME}" >> $GITHUB_OUTPUT
+        echo "version=${OS_VERSION}" >> $GITHUB_OUTPUT
+        echo "slug=${OS_SLUG}" >> $GITHUB_OUTPUT
+
+        # Log detection results
+        echo "🔍 Detected Runner OS: ${OS_NAME} ${OS_VERSION}"
@@ -121,7 +121,7 @@ runs:
          .cargo/git/checkouts
          .cargo/registry
          .cargo/registry/src
-        key: continuwuity-rust-registry-image-${{hashFiles('**/Cargo.lock') }}
+        key: rust-registry-image-${{hashFiles('**/Cargo.lock') }}

    - name: Cache cargo target
      if: ${{ env.BUILDKIT_ENDPOINT == '' }}
@@ -130,7 +130,7 @@ runs:
      with:
        path: |
          cargo-target${{ env.CPU_SUFFIX }}-${{ inputs.slug }}-${{ inputs.profile }}
-        key: continuwuity-cargo-target${{ env.CPU_SUFFIX }}-${{ inputs.slug }}-${{ inputs.profile }}-${{hashFiles('**/Cargo.lock') }}-${{steps.rust-toolchain.outputs.rustc_version}}
+        key: cargo-target${{ env.CPU_SUFFIX }}-${{ inputs.slug }}-${{ inputs.profile }}-${{hashFiles('**/Cargo.lock') }}-${{steps.rust-toolchain.outputs.rustc_version}}

    - name: Cache apt cache
      if: ${{ env.BUILDKIT_ENDPOINT == '' }}
@@ -139,7 +139,7 @@ runs:
      with:
        path: |
          var-cache-apt-${{ inputs.slug }}
-        key: continuwuity-var-cache-apt-${{ inputs.slug }}
+        key: var-cache-apt-${{ inputs.slug }}

    - name: Cache apt lib
      if: ${{ env.BUILDKIT_ENDPOINT == '' }}
@@ -148,7 +148,7 @@ runs:
      with:
        path: |
          var-lib-apt-${{ inputs.slug }}
-        key: continuwuity-var-lib-apt-${{ inputs.slug }}
+        key: var-lib-apt-${{ inputs.slug }}

    - name: inject cache into docker
      if: ${{ env.BUILDKIT_ENDPOINT == '' }}
@@ -40,7 +40,7 @@ runs:
          !~/.rustup/tmp
          !~/.rustup/downloads
        # Requires repo to be cloned if toolchain is not specified
-        key: continuwuity-${{ runner.os }}-rustup-${{ inputs.toolchain || hashFiles('**/rust-toolchain.toml') }}
+        key: ${{ runner.os }}-rustup-${{ inputs.toolchain || hashFiles('**/rust-toolchain.toml') }}
    - name: Install Rust toolchain
      if: steps.rustup-version.outputs.version == ''
      shell: bash
@@ -29,7 +29,7 @@ runs:
  steps:
    - name: Detect runner OS
      id: runner-os
-      uses: https://git.tomfos.tr/actions/detect-versions@v1
+      uses: ./.forgejo/actions/detect-runner-os

    - name: Configure cross-compilation architecture
      if: inputs.dpkg-arch != ''
@@ -69,7 +69,7 @@ runs:
          /usr/lib/x86_64-linux-gnu/libclang*.so*
          /etc/apt/sources.list.d/archive_uri-*
          /etc/apt/trusted.gpg.d/apt.llvm.org.asc
-        key: continuwuity-llvm-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-v${{ inputs.llvm-version }}-${{ hashFiles('**/Cargo.lock', 'rust-toolchain.toml') }}
+        key: llvm-${{ steps.runner-os.outputs.slug }}-v${{ inputs.llvm-version }}-v3-${{ hashFiles('**/Cargo.lock', 'rust-toolchain.toml') }}

    - name: End LLVM cache group
      shell: bash
@@ -39,7 +39,7 @@ runs:
  steps:
    - name: Detect runner OS
      id: runner-os
-      uses: https://git.tomfos.tr/actions/detect-versions@v1
+      uses: ./.forgejo/actions/detect-runner-os

    - name: Configure Cargo environment
      shell: bash
@@ -73,9 +73,9 @@ runs:
          .cargo/git/db
        # Registry cache saved per workflow, restored from any workflow's cache
        # Each workflow maintains its own registry that accumulates its needed crates
-        key: continuwuity-cargo-registry-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-${{ github.workflow }}
+        key: cargo-registry-${{ steps.runner-os.outputs.slug }}-${{ github.workflow }}
        restore-keys: |
-          continuwuity-cargo-registry-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-
+          cargo-registry-${{ steps.runner-os.outputs.slug }}-

    - name: Cache toolchain binaries
      id: toolchain-cache
@@ -86,42 +86,29 @@ runs:
          .rustup/toolchains
          .rustup/update-hashes
        # Shared toolchain cache across all Rust versions
-        key: continuwuity-toolchain-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}
+        key: toolchain-${{ steps.runner-os.outputs.slug }}


    - name: Setup sccache
      uses: https://git.tomfos.tr/tom/sccache-action@v1

-    - name: Cache dependencies
-      id: deps-cache
+    - name: Cache build artifacts
+      id: build-cache
      uses: actions/cache@v4
      with:
        path: |
-          target/**/.fingerprint
          target/**/deps
-          target/**/*.d
-          target/**/.cargo-lock
-          target/**/CACHEDIR.TAG
-          target/**/.rustc_info.json
-          /timelord/
-        # Dependencies cache - based on Cargo.lock, survives source code changes
-        key: >-
-          continuwuity-deps-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-${{ inputs.rust-version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-${{ hashFiles('rust-toolchain.toml', '**/Cargo.lock') }}
-        restore-keys: |
-          continuwuity-deps-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-${{ inputs.rust-version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-
-
-    - name: Cache incremental compilation
-      id: incremental-cache
-      uses: actions/cache@v4
-      with:
-        path: |
+          !target/**/deps/*.rlib
+          target/**/build
+          target/**/.fingerprint
          target/**/incremental
-        # Incremental cache - based on source code changes
+          target/**/*.d
+          /timelord/
+        # Build artifacts - cache per code change, restore from deps when code changes
        key: >-
-          continuwuity-incremental-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-${{ inputs.rust-version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-${{ hashFiles('rust-toolchain.toml', '**/Cargo.lock') }}-${{ hashFiles('**/*.rs', '**/Cargo.toml') }}
+          build-${{ steps.runner-os.outputs.slug }}-${{ inputs.rust-version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-${{ hashFiles('rust-toolchain.toml', '**/Cargo.lock') }}-${{ hashFiles('**/*.rs', '**/Cargo.toml') }}
        restore-keys: |
-          continuwuity-incremental-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-${{ inputs.rust-version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-${{ hashFiles('rust-toolchain.toml', '**/Cargo.lock') }}-
-          continuwuity-incremental-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-${{ inputs.rust-version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-
+          build-${{ steps.runner-os.outputs.slug }}-${{ inputs.rust-version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-${{ hashFiles('rust-toolchain.toml', '**/Cargo.lock') }}-

    - name: End cache restore group
      shell: bash
@@ -36,7 +36,7 @@ runs:
        path: |
          /usr/share/rust/.cargo/bin
          ~/.cargo/bin
-        key: continuwuity-timelord-binaries
+        key: timelord-binaries-v3

    - name: Check if binaries need installation
      shell: bash
@@ -82,7 +82,7 @@ runs:
        path: |
          /usr/share/rust/.cargo/bin
          ~/.cargo/bin
-        key: continuwuity-timelord-binaries
+        key: timelord-binaries-v3


    - name: Restore timelord cache with fallbacks
@@ -92,7 +92,7 @@ runs:
        path: ${{ env.TIMELORD_CACHE_PATH }}
        key: ${{ env.TIMELORD_KEY }}
        restore-keys: |
-          continuwuity-timelord-${{ github.repository }}-
+          timelord-v1-${{ github.repository }}-

    - name: Initialize timestamps on complete cache miss
      if: steps.timelord-restore.outputs.cache-hit != 'true'
@@ -1,148 +0,0 @@
-name: Build / Debian DEB
-
-concurrency:
-  group: "build-debian-${{ forge.ref }}"
-  cancel-in-progress: true
-
-on:
-  push:
-    tags:
-      - "v*.*.*"
-  workflow_dispatch:
-  schedule:
-    - cron: '30 0 * * *'
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        container: ["ubuntu-latest", "ubuntu-previous", "debian-latest", "debian-oldstable"]
-    container:
-      image: "ghcr.io/tcpipuk/act-runner:${{ matrix.container }}"
-
-    steps:
-      - name: Get Debian version
-        id: debian-version
-        run: |
-          VERSION=$(cat /etc/debian_version)
-          DISTRIBUTION=$(lsb_release -sc 2>/dev/null)
-          echo "version=$VERSION" >> $GITHUB_OUTPUT
-          echo "distribution=$DISTRIBUTION" >> $GITHUB_OUTPUT
-          echo "Debian distribution: $DISTRIBUTION ($VERSION)"
-
-      - name: Checkout repository with full history
-        uses: https://code.forgejo.org/actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Cache Cargo registry
-        uses: https://code.forgejo.org/actions/cache@v4
-        with:
-          path: |
-            ~/.cargo/registry
-            ~/.cargo/git
-          key: cargo-debian-${{ steps.debian-version.outputs.distribution }}-${{ hashFiles('**/Cargo.lock') }}
-          restore-keys: |
-            cargo-debian-${{ steps.debian-version.outputs.distribution }}-
-
-      - name: Setup sccache
-        uses: https://git.tomfos.tr/tom/sccache-action@v1
-
-      - name: Configure sccache environment
-        run: |
-          echo "RUSTC_WRAPPER=sccache" >> $GITHUB_ENV
-          echo "CMAKE_C_COMPILER_LAUNCHER=sccache" >> $GITHUB_ENV
-          echo "CMAKE_CXX_COMPILER_LAUNCHER=sccache" >> $GITHUB_ENV
-          echo "SCCACHE_CACHE_SIZE=10G" >> $GITHUB_ENV
-          # Aggressive GC since cache restores don't increment counter
-          echo "CARGO_INCREMENTAL_GC_TRIGGER=5" >> $GITHUB_ENV
-
-      - name: Setup Rust nightly
-        uses: ./.forgejo/actions/setup-rust
-        with:
-          rust-version: nightly
-          github-token: ${{ secrets.GH_PUBLIC_RO }}
-
-      - name: Get package version and component
-        id: package-meta
-        run: |
-          BASE_VERSION=$(cargo metadata --no-deps --format-version 1 | jq -r ".packages[] | select(.name == \"conduwuit\").version" | sed 's/[^a-zA-Z0-9.+]/~/g')
-          # VERSION is the package version, COMPONENT is used in
-          # apt's repository config like a git repo branch
-          if [[ "${{ forge.ref }}" == "refs/tags/"* ]]; then
-            # Use the "stable" component for tagged releases
-            COMPONENT="stable"
-            VERSION=$BASE_VERSION
-          else
-            # Use the "dev" component for development builds
-            SHA=$(echo "${{ forge.sha }}" | cut -c1-7)
-            DATE=$(date +%Y%m%d)
-            if [ "${{ forge.ref_name }}" = "main" ]; then
-              COMPONENT="dev"
-            else
-              # Use the sanitized ref name as the component for feature branches
-              COMPONENT="dev-$(echo '${{ forge.ref_name }}' | sed 's/[^a-zA-Z0-9.+]/-/g' | tr '[:upper:]' '[:lower:]' | cut -c1-30)"
-            fi
-            CLEAN_COMPONENT=$(echo $COMPONENT | sed 's/[^a-zA-Z0-9.+]/~/g')
-            VERSION="$BASE_VERSION~git$DATE.$SHA-$CLEAN_COMPONENT"
-          fi
-          echo "component=$COMPONENT" >> $GITHUB_OUTPUT
-          echo "version=$VERSION" >> $GITHUB_OUTPUT
-          echo "Component: $COMPONENT"
-          echo "Version: $VERSION"
-
-      - name: Install cargo-deb
-        run: |
-          if command -v cargo-deb &> /dev/null; then
-            echo "cargo-deb already available"
-          else
-            echo "Installing cargo-deb"
-            cargo-binstall -y --no-symlinks cargo-deb
-          fi
-
-      - name: Install build dependencies
-        run: |
-          apt-get update -y
-          # Build dependencies for rocksdb
-          apt-get install -y clang liburing-dev
-
-      - name: Run cargo-deb
-        id: cargo-deb
-        run: |
-          DEB_PATH=$(cargo deb --deb-version ${{ steps.package-meta.outputs.version }})
-          echo "path=$DEB_PATH" >> $GITHUB_OUTPUT
-
-      - name: Test deb installation
-        run: |
-          echo "Installing: ${{ steps.cargo-deb.outputs.path }}"
-
-          apt-get install -y ${{ steps.cargo-deb.outputs.path }}
-
-          dpkg -s continuwuity
-
-          [ -f /usr/bin/conduwuit ] && echo "✅ Binary installed successfully"
-          [ -f /usr/lib/systemd/system/conduwuit.service ] && echo "✅ Systemd service installed"
-          [ -f /etc/conduwuit/conduwuit.toml ] && echo "✅ Config file installed"
-
-      - name: Upload deb artifact
-        uses: https://code.forgejo.org/actions/upload-artifact@v3
-        with:
-          name: continuwuity-${{ steps.debian-version.outputs.distribution }}
-          path: ${{ steps.cargo-deb.outputs.path }}
-
-      - name: Publish to Forgejo package registry
-        if: ${{ forge.event_name == 'push' || forge.event_name == 'workflow_dispatch' }}
-        run: |
-          OWNER="continuwuation"
-          DISTRIBUTION=${{ steps.debian-version.outputs.distribution }}
-          COMPONENT=${{ steps.package-meta.outputs.component }}
-          DEB=${{ steps.cargo-deb.outputs.path }}
-
-          echo "Publishing: $DEB in component $COMPONENT for distribution $DISTRIBUTION"
-
-          curl --fail-with-body \
-            -X PUT \
-            -H "Authorization: token ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}" \
-            --upload-file "$DEB" \
-            "${{ forge.server_url }}/api/packages/$OWNER/debian/pool/$DISTRIBUTION/$COMPONENT/upload"
@@ -1,389 +0,0 @@
-name: Build / Fedora RPM
-
-concurrency:
-  group: "build-fedora-${{ github.ref }}"
-  cancel-in-progress: true
-
-on:
-  push:
-    tags:
-      - "v*.*.*"
-    # paths:
-    #   - 'pkg/fedora/**'
-    #   - 'src/**'
-    #   - 'Cargo.toml'
-    #   - 'Cargo.lock'
-    #   - '.forgejo/workflows/build-fedora.yml'
-  workflow_dispatch:
-  schedule:
-    - cron: '30 0 * * *'
-
-jobs:
-  build:
-    runs-on: fedora-latest
-    steps:
-      - name: Detect Fedora version
-        id: fedora
-        run: |
-          VERSION=$(rpm -E %fedora)
-          echo "version=$VERSION" >> $GITHUB_OUTPUT
-          echo "Fedora version: $VERSION"
-
-      - name: Checkout repository with full history
-        uses: https://code.forgejo.org/actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-
-      - name: Cache DNF packages
-        uses: https://code.forgejo.org/actions/cache@v4
-        with:
-          path: |
-            /var/cache/dnf
-            /var/cache/yum
-          key: dnf-fedora${{ steps.fedora.outputs.version }}-${{ hashFiles('pkg/fedora/continuwuity.spec.rpkg') }}-v1
-          restore-keys: |
-            dnf-fedora${{ steps.fedora.outputs.version }}-
-
-      - name: Cache Cargo registry
-        uses: https://code.forgejo.org/actions/cache@v4
-        with:
-          path: |
-            ~/.cargo/registry
-            ~/.cargo/git
-          key: cargo-fedora${{ steps.fedora.outputs.version }}-${{ hashFiles('**/Cargo.lock') }}
-          restore-keys: |
-            cargo-fedora${{ steps.fedora.outputs.version }}-
-
-      - name: Cache Rust build dependencies
-        uses: https://code.forgejo.org/actions/cache@v4
-        with:
-          path: |
-            ~/rpmbuild/BUILD/*/target/release/deps
-            ~/rpmbuild/BUILD/*/target/release/build
-            ~/rpmbuild/BUILD/*/target/release/.fingerprint
-            ~/rpmbuild/BUILD/*/target/release/incremental
-          key: rust-deps-fedora${{ steps.fedora.outputs.version }}-${{ hashFiles('**/Cargo.lock') }}
-          restore-keys: |
-            rust-deps-fedora${{ steps.fedora.outputs.version }}-
-
-      - name: Setup sccache
-        uses: https://git.tomfos.tr/tom/sccache-action@v1
-
-      - name: Configure sccache environment
-        run: |
-          echo "RUSTC_WRAPPER=sccache" >> $GITHUB_ENV
-          echo "CMAKE_C_COMPILER_LAUNCHER=sccache" >> $GITHUB_ENV
-          echo "CMAKE_CXX_COMPILER_LAUNCHER=sccache" >> $GITHUB_ENV
-          echo "SCCACHE_CACHE_SIZE=10G" >> $GITHUB_ENV
-          # Aggressive GC since cache restores don't increment counter
-          echo "CARGO_INCREMENTAL_GC_TRIGGER=5" >> $GITHUB_ENV
-
-      - name: Install base RPM tools
-        run: |
-          dnf install -y --setopt=keepcache=1 \
-            fedora-packager \
-            python3-pip \
-            rpm-sign \
-            rpkg \
-            wget
-
-      - name: Setup build environment and build SRPM
-        run: |
-          git config --global --add safe.directory "$GITHUB_WORKSPACE"
-          git config --global user.email "ci@continuwuity.org"
-          git config --global user.name "Continuwuity"
-
-          rpmdev-setuptree
-
-          cd "$GITHUB_WORKSPACE"
-
-          # Determine release suffix and version based on ref type and branch
-          if [[ "${{ github.ref }}" == "refs/tags/"* ]]; then
-            # Tags get clean version numbers for stable releases
-            RELEASE_SUFFIX=""
-            TAG_NAME="${{ github.ref_name }}"
-            # Extract version from tag (remove v prefix if present)
-            TAG_VERSION=$(echo "$TAG_NAME" | sed 's/^v//')
-
-            # Create spec file with tag version
-            sed -e "s/^Version:.*$/Version:        $TAG_VERSION/" \
-                -e "s/^Release:.*$/Release:        1%{?dist}/" \
-                pkg/fedora/continuwuity.spec.rpkg > continuwuity.spec.rpkg
-          elif [ "${{ github.ref_name }}" = "main" ]; then
-            # Main branch gets .dev suffix
-            RELEASE_SUFFIX=".dev"
-
-            # Replace the Release line to include our suffix
-            sed "s/^Release:.*$/Release:        1${RELEASE_SUFFIX}%{?dist}/" \
-              pkg/fedora/continuwuity.spec.rpkg > continuwuity.spec.rpkg
-          else
-            # Other branches get sanitized branch name as suffix
-            SAFE_BRANCH=$(echo "${{ github.ref_name }}" | sed 's/[^a-zA-Z0-9]/_/g' | cut -c1-20)
-            RELEASE_SUFFIX=".${SAFE_BRANCH}"
-
-            # Replace the Release line to include our suffix
-            sed "s/^Release:.*$/Release:        1${RELEASE_SUFFIX}%{?dist}/" \
-              pkg/fedora/continuwuity.spec.rpkg > continuwuity.spec.rpkg
-          fi
-
-          rpkg srpm --outdir "$HOME/rpmbuild/SRPMS"
-
-          ls -la $HOME/rpmbuild/SRPMS/
-
-
-      - name: Install build dependencies from SRPM
-        run: |
-          SRPM=$(find "$HOME/rpmbuild/SRPMS" -name "*.src.rpm" | head -1)
-
-          if [ -z "$SRPM" ]; then
-            echo "Error: No SRPM file found"
-            exit 1
-          fi
-
-          echo "Installing build dependencies from: $(basename $SRPM)"
-          dnf builddep -y "$SRPM"
-
-      - name: Build RPM from SRPM
-        run: |
-          SRPM=$(find "$HOME/rpmbuild/SRPMS" -name "*.src.rpm" | head -1)
-
-          if [ -z "$SRPM" ]; then
-            echo "Error: No SRPM file found"
-            exit 1
-          fi
-
-          echo "Building from SRPM: $SRPM"
-
-          rpmbuild --rebuild "$SRPM" \
-            --define "_topdir $HOME/rpmbuild" \
-            --define "_sourcedir $GITHUB_WORKSPACE" \
-            --nocheck  # Skip %check section to avoid test dependencies
-
-
-      - name: Test RPM installation
-        run: |
-          # Find the main binary RPM (exclude debug and source RPMs)
-          RPM=$(find "$HOME/rpmbuild/RPMS" -name "continuwuity-*.rpm" \
-            ! -name "*debuginfo*" \
-            ! -name "*debugsource*" \
-            ! -name "*.src.rpm" | head -1)
-
-          if [ -z "$RPM" ]; then
-            echo "Error: No binary RPM file found"
-            exit 1
-          fi
-
-          echo "Testing installation of: $RPM"
-
-          # Dry run first
-          rpm -qpi "$RPM"
-          echo ""
-          rpm -qpl "$RPM"
-
-          # Actually install it
-          dnf install -y "$RPM"
-
-          # Verify installation
-          rpm -qa | grep continuwuity
-
-          # Check that the binary exists
-          [ -f /usr/bin/conduwuit ] && echo "✅ Binary installed successfully"
-          [ -f /usr/lib/systemd/system/conduwuit.service ] && echo "✅ Systemd service installed"
-          [ -f /etc/conduwuit/conduwuit.toml ] && echo "✅ Config file installed"
-
-      - name: List built packages
-        run: |
-          echo "Binary RPMs:"
-          find "$HOME/rpmbuild/RPMS" -name "*.rpm" -type f -exec ls -la {} \;
-
-          echo ""
-          echo "Source RPMs:"
-          find "$HOME/rpmbuild/SRPMS" -name "*.rpm" -type f -exec ls -la {} \;
-
-      - name: Collect artifacts
-        run: |
-          mkdir -p artifacts
-
-          find "$HOME/rpmbuild/RPMS" -name "*.rpm" -type f -exec cp {} artifacts/ \;
-          find "$HOME/rpmbuild/SRPMS" -name "*.rpm" -type f -exec cp {} artifacts/ \;
-
-          cd artifacts
-          echo "Build Information:" > BUILD_INFO.txt
-          echo "==================" >> BUILD_INFO.txt
-          echo "Git commit: ${{ github.sha }}" >> BUILD_INFO.txt
-          echo "Git branch: ${{ github.ref_name }}" >> BUILD_INFO.txt
-          echo "Build date: $(date -u +%Y-%m-%d_%H:%M:%S_UTC)" >> BUILD_INFO.txt
-          echo "" >> BUILD_INFO.txt
-          echo "Package contents:" >> BUILD_INFO.txt
-          echo "-----------------" >> BUILD_INFO.txt
-          for rpm in *.rpm; do
-            echo "" >> BUILD_INFO.txt
-            echo "File: $rpm" >> BUILD_INFO.txt
-            rpm -qpi "$rpm" 2>/dev/null | grep -E "^(Name|Version|Release|Architecture|Size)" >> BUILD_INFO.txt
-          done
-
-          ls -la
-
-      - name: Upload binary RPM artifact
-        run: |
-          # Find the main binary RPM (exclude debug and source RPMs)
-          BIN_RPM=$(find artifacts -name "continuwuity-*.rpm" \
-            ! -name "*debuginfo*" \
-            ! -name "*debugsource*" \
-            ! -name "*.src.rpm" \
-            -type f)
-
-          mkdir -p upload-bin
-          cp $BIN_RPM upload-bin/
-
-      - name: Upload binary RPM
-        uses: https://code.forgejo.org/actions/upload-artifact@v3
-        with:
-          name: continuwuity
-          path: upload-bin/
-
-      - name: Upload debug RPM artifact
-        uses: https://code.forgejo.org/actions/upload-artifact@v3
-        with:
-          name: continuwuity-debug
-          path: artifacts/*debuginfo*.rpm
-
-      - name: Publish to RPM Package Registry
-        if: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' }}
-        run: |
-          # Find the main binary RPM (exclude debug and source RPMs)
-          RPM=$(find artifacts -name "continuwuity-*.rpm" \
-            ! -name "*debuginfo*" \
-            ! -name "*debugsource*" \
-            ! -name "*.src.rpm" \
-            -type f | head -1)
-
-          if [ -z "$RPM" ]; then
-            echo "No binary RPM found to publish"
-            exit 0
-          fi
-
-          RPM_BASENAME=$(basename "$RPM")
-          echo "Publishing: $RPM_BASENAME"
-
-          # Determine the group based on ref type and branch
-          if [[ "${{ github.ref }}" == "refs/tags/"* ]]; then
-            GROUP="stable"
-            # For tags, extract the tag name for version info
-            TAG_NAME="${{ github.ref_name }}"
-          elif [ "${{ github.ref_name }}" = "main" ]; then
-            GROUP="dev"
-          else
-            # Use sanitized branch name as group for feature branches
-            GROUP=$(echo "${{ github.ref_name }}" | sed 's/[^a-zA-Z0-9]/-/g' | tr '[:upper:]' '[:lower:]' | cut -c1-30)
-          fi
-
-          PACKAGE_INFO=$(rpm -qpi "$RPM" 2>/dev/null)
-          PACKAGE_NAME=$(echo "$PACKAGE_INFO" | grep "^Name" | awk '{print $3}')
-          PACKAGE_VERSION=$(echo "$PACKAGE_INFO" | grep "^Version" | awk '{print $3}')
-          PACKAGE_RELEASE=$(echo "$PACKAGE_INFO" | grep "^Release" | awk '{print $3}')
-          PACKAGE_ARCH=$(echo "$PACKAGE_INFO" | grep "^Architecture" | awk '{print $2}')
-
-          # Full version includes release
-          FULL_VERSION="${PACKAGE_VERSION}-${PACKAGE_RELEASE}"
-
-          # Forgejo's RPM registry cannot overwrite existing packages, so we must delete first
-          # 404 is OK if package doesn't exist yet
-          echo "Removing any existing package: $PACKAGE_NAME-$FULL_VERSION.$PACKAGE_ARCH"
-          RESPONSE=$(curl -s -w "\n%{http_code}" -X DELETE \
-            -H "Authorization: token ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}" \
-            "https://forgejo.ellis.link/api/packages/continuwuation/rpm/$GROUP/package/$PACKAGE_NAME/$FULL_VERSION/$PACKAGE_ARCH")
-          HTTP_CODE=$(echo "$RESPONSE" | tail -n1)
-
-          if [ "$HTTP_CODE" != "204" ] && [ "$HTTP_CODE" != "404" ]; then
-            echo "ERROR: Failed to delete package (HTTP $HTTP_CODE)"
-            echo "$RESPONSE" | head -n -1
-            exit 1
-          fi
-
-          curl --fail-with-body \
-            -X PUT \
-            -H "Authorization: token ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}" \
-            -H "Content-Type: application/x-rpm" \
-            -T "$RPM" \
-            "https://forgejo.ellis.link/api/packages/continuwuation/rpm/$GROUP/upload?sign=true"
-
-          echo ""
-          echo "✅ Published binary RPM to: https://forgejo.ellis.link/continuwuation/-/packages/rpm/continuwuity/"
-          echo "Group: $GROUP"
-
-          # Upload debug RPMs to separate group
-          DEBUG_RPMS=$(find artifacts -name "*debuginfo*.rpm")
-          if [ -n "$DEBUG_RPMS" ]; then
-            echo ""
-            echo "Publishing debug RPMs to group: ${GROUP}-debug"
-
-            for DEBUG_RPM in $DEBUG_RPMS; do
-              echo "Publishing: $(basename "$DEBUG_RPM")"
-
-              DEBUG_INFO=$(rpm -qpi "$DEBUG_RPM" 2>/dev/null)
-              DEBUG_NAME=$(echo "$DEBUG_INFO" | grep "^Name" | awk '{print $3}')
-              DEBUG_VERSION=$(echo "$DEBUG_INFO" | grep "^Version" | awk '{print $3}')
-              DEBUG_RELEASE=$(echo "$DEBUG_INFO" | grep "^Release" | awk '{print $3}')
-              DEBUG_ARCH=$(echo "$DEBUG_INFO" | grep "^Architecture" | awk '{print $2}')
-              DEBUG_FULL_VERSION="${DEBUG_VERSION}-${DEBUG_RELEASE}"
-
-              # Must delete existing package first (Forgejo limitation)
-              RESPONSE=$(curl -s -w "\n%{http_code}" -X DELETE \
-                -H "Authorization: token ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}" \
-                "https://forgejo.ellis.link/api/packages/continuwuation/rpm/${GROUP}-debug/package/$DEBUG_NAME/$DEBUG_FULL_VERSION/$DEBUG_ARCH")
-              HTTP_CODE=$(echo "$RESPONSE" | tail -n1)
-
-              if [ "$HTTP_CODE" != "204" ] && [ "$HTTP_CODE" != "404" ]; then
-                echo "ERROR: Failed to delete debug package (HTTP $HTTP_CODE)"
-                echo "$RESPONSE" | head -n -1
-                exit 1
-              fi
-
-              curl --fail-with-body \
-                -X PUT \
-                -H "Authorization: token ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}" \
-                -H "Content-Type: application/x-rpm" \
-                -T "$DEBUG_RPM" \
-                "https://forgejo.ellis.link/api/packages/continuwuation/rpm/${GROUP}-debug/upload?sign=true"
-            done
-
-            echo "✅ Published debug RPMs to group: ${GROUP}-debug"
-          fi
-
-          # Also upload the SRPM to separate group
-          SRPM=$(find artifacts -name "*.src.rpm" | head -1)
-          if [ -n "$SRPM" ]; then
-            echo ""
-            echo "Publishing source RPM: $(basename "$SRPM")"
-            echo "Publishing to group: ${GROUP}-src"
-
-            SRPM_INFO=$(rpm -qpi "$SRPM" 2>/dev/null)
-            SRPM_NAME=$(echo "$SRPM_INFO" | grep "^Name" | awk '{print $3}')
-            SRPM_VERSION=$(echo "$SRPM_INFO" | grep "^Version" | awk '{print $3}')
-            SRPM_RELEASE=$(echo "$SRPM_INFO" | grep "^Release" | awk '{print $3}')
-            SRPM_FULL_VERSION="${SRPM_VERSION}-${SRPM_RELEASE}"
-
-            # Must delete existing SRPM first (Forgejo limitation)
-            echo "Removing any existing SRPM: $SRPM_NAME-$SRPM_FULL_VERSION.src"
-            RESPONSE=$(curl -s -w "\n%{http_code}" -X DELETE \
-              -H "Authorization: token ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}" \
-              "https://forgejo.ellis.link/api/packages/continuwuation/rpm/${GROUP}-src/package/$SRPM_NAME/$SRPM_FULL_VERSION/src")
-            HTTP_CODE=$(echo "$RESPONSE" | tail -n1)
-
-            if [ "$HTTP_CODE" != "204" ] && [ "$HTTP_CODE" != "404" ]; then
-              echo "ERROR: Failed to delete SRPM (HTTP $HTTP_CODE)"
-              echo "$RESPONSE" | head -n -1
-              exit 1
-            fi
-
-            curl --fail-with-body \
-              -X PUT \
-              -H "Authorization: token ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}" \
-              -H "Content-Type: application/x-rpm" \
-              -T "$SRPM" \
-              "https://forgejo.ellis.link/api/packages/continuwuation/rpm/${GROUP}-src/upload?sign=true"
-
-            echo "✅ Published source RPM to group: ${GROUP}-src"
-          fi
@@ -51,7 +51,7 @@ jobs:

      - name: Detect runner environment
        id: runner-env
-        uses: https://git.tomfos.tr/actions/detect-versions@v1
+        uses: ./.forgejo/actions/detect-runner-os

      - name: Setup Node.js
        if: steps.runner-env.outputs.node_major == '' || steps.runner-env.outputs.node_major < '20'
@@ -63,7 +63,9 @@ jobs:
        uses: actions/cache@v3
        with:
          path: ~/.npm
-          key: continuwuity-${{ steps.runner-env.outputs.slug }}-${{ steps.runner-env.outputs.arch }}-node-${{ steps.runner-env.outputs.node_version }}
+          key: ${{ steps.runner-env.outputs.slug }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ steps.runner-env.outputs.slug }}-node-

      - name: Install dependencies
        run: npm install --save-dev wrangler@latest
@@ -43,7 +43,7 @@ jobs:
    name: Renovate
    runs-on: ubuntu-latest
    container:
-      image: ghcr.io/renovatebot/renovate:41.127.2@sha256:66bc84e2f889025fbb3c9df863500dcc18bc64ac85bcf629d015064377d77f31
+      image: ghcr.io/renovatebot/renovate:41.121.4@sha256:c3348a8cc65f3519ec3412d3b9787dc2ae151052220f87f533bfdded051227a9
      options: --tmpfs /tmp:exec
    steps:
      - name: Checkout
@@ -59,27 +59,27 @@ jobs:
        with:
          path: |
            /tmp/renovate/cache/renovate/repository
-          key: renovate-repo-cache-${{ github.run_id }}
+          key: repo-cache-${{ github.run_id }}
          restore-keys: |
-            renovate-repo-cache-
+            repo-cache-

      - name: Restore renovate package cache
        uses: actions/cache/restore@v4
        with:
          path: |
            /tmp/renovate/cache/renovate/renovate-cache-sqlite
-          key: renovate-package-cache-${{ github.run_id }}
+          key: package-cache-${{ github.run_id }}
          restore-keys: |
-            renovate-package-cache-
+            package-cache-

      - name: Restore renovate OSV cache
        uses: actions/cache/restore@v4
        with:
          path: |
            /tmp/osv
-          key: renovate-osv-cache-${{ github.run_id }}
+          key: osv-cache-${{ github.run_id }}
          restore-keys: |
-            renovate-osv-cache-
+            osv-cache-

      - name: Self-hosted Renovate
        run: renovate
@@ -113,7 +113,7 @@ jobs:
        with:
          path: |
            /tmp/renovate/cache/renovate/repository
-          key: renovate-repo-cache-${{ github.run_id }}
+          key: repo-cache-${{ github.run_id }}

      - name: Save renovate package cache
        if: always()
@@ -121,7 +121,7 @@ jobs:
        with:
          path: |
            /tmp/renovate/cache/renovate/renovate-cache-sqlite
-          key: renovate-package-cache-${{ github.run_id }}
+          key: package-cache-${{ github.run_id }}

      - name: Save renovate OSV cache
        if: always()
@@ -129,4 +129,4 @@ jobs:
        with:
          path: |
            /tmp/osv
-          key: renovate-osv-cache-${{ github.run_id }}
+          key: osv-cache-${{ github.run_id }}
@@ -20,7 +20,7 @@ jobs:
          submodules: false
          persist-credentials: false

-      - uses: https://github.com/cachix/install-nix-action@a809471b5c7c913aa67bec8f459a11a0decc3fce # v31.6.2
+      - uses: https://github.com/cachix/install-nix-action@7be5dee1421f63d07e71ce6e0a9f8a4b07c2a487 # v31.6.1
        with:
          nix_path: nixpkgs=channel:nixos-unstable

@@ -875,7 +875,7 @@ dependencies = [

 [[package]]
 name = "conduwuit"
-version = "0.5.0-rc.8"
+version = "0.5.0-rc.8.1"
 dependencies = [
 "clap",
 "conduwuit_admin",
@@ -907,7 +907,7 @@ dependencies = [

 [[package]]
 name = "conduwuit_admin"
-version = "0.5.0-rc.8"
+version = "0.5.0-rc.8.1"
 dependencies = [
 "clap",
 "conduwuit_api",
@@ -929,7 +929,7 @@ dependencies = [

 [[package]]
 name = "conduwuit_api"
-version = "0.5.0-rc.8"
+version = "0.5.0-rc.8.1"
 dependencies = [
 "async-trait",
 "axum",
@@ -962,14 +962,14 @@ dependencies = [

 [[package]]
 name = "conduwuit_build_metadata"
-version = "0.5.0-rc.8"
+version = "0.5.0-rc.8.1"
 dependencies = [
 "built 0.8.0",
 ]

 [[package]]
 name = "conduwuit_core"
-version = "0.5.0-rc.8"
+version = "0.5.0-rc.8.1"
 dependencies = [
 "argon2",
 "arrayvec",
@@ -1030,7 +1030,7 @@ dependencies = [

 [[package]]
 name = "conduwuit_database"
-version = "0.5.0-rc.8"
+version = "0.5.0-rc.8.1"
 dependencies = [
 "async-channel",
 "conduwuit_core",
@@ -1049,7 +1049,7 @@ dependencies = [

 [[package]]
 name = "conduwuit_macros"
-version = "0.5.0-rc.8"
+version = "0.5.0-rc.8.1"
 dependencies = [
 "itertools 0.14.0",
 "proc-macro2",
@@ -1059,7 +1059,7 @@ dependencies = [

 [[package]]
 name = "conduwuit_router"
-version = "0.5.0-rc.8"
+version = "0.5.0-rc.8.1"
 dependencies = [
 "axum",
 "axum-client-ip",
@@ -1094,7 +1094,7 @@ dependencies = [

 [[package]]
 name = "conduwuit_service"
-version = "0.5.0-rc.8"
+version = "0.5.0-rc.8.1"
 dependencies = [
 "async-trait",
 "base64 0.22.1",
@@ -1134,7 +1134,7 @@ dependencies = [

 [[package]]
 name = "conduwuit_web"
-version = "0.5.0-rc.8"
+version = "0.5.0-rc.8.1"
 dependencies = [
 "askama",
 "axum",
@@ -6565,7 +6565,7 @@ dependencies = [

 [[package]]
 name = "xtask"
-version = "0.5.0-rc.8"
+version = "0.5.0-rc.8.1"
 dependencies = [
 "clap",
 "serde",
@@ -6574,7 +6574,7 @@ dependencies = [

 [[package]]
 name = "xtask-generate-commands"
-version = "0.5.0-rc.8"
+version = "0.5.0-rc.8.1"
 dependencies = [
 "clap-markdown",
 "clap_builder",
@@ -21,7 +21,7 @@ license = "Apache-2.0"
 readme = "README.md"
 repository = "https://forgejo.ellis.link/continuwuation/continuwuity"
 rust-version = "1.86.0"
-version = "0.5.0-rc.8"
+version = "0.5.0-rc.8.1"

 [workspace.metadata.crane]
 name = "conduwuit"
@@ -166,7 +166,7 @@ ARG RUST_PROFILE=release
 # Build the binary
 RUN --mount=type=cache,target=/usr/local/cargo/registry \
    --mount=type=cache,target=/usr/local/cargo/git/db \
-    --mount=type=cache,target=/app/target,id=continuwuity-cargo-target-${TARGET_CPU}-${TARGETPLATFORM}-${RUST_PROFILE} \
+    --mount=type=cache,target=/app/target,id=cargo-target-${TARGET_CPU}-${TARGETPLATFORM}-${RUST_PROFILE} \
    bash <<'EOF'
    set -o allexport
    set -o xtrace
@@ -122,7 +122,7 @@ ARG RUST_PROFILE=release
 # Build the binary
 RUN --mount=type=cache,target=/usr/local/cargo/registry \
    --mount=type=cache,target=/usr/local/cargo/git/db \
-    --mount=type=cache,target=/app/target,id=continuwuity-cargo-target-${TARGET_CPU}-${TARGETPLATFORM}-musl-${RUST_PROFILE} \
+    --mount=type=cache,target=/app/target,id=cargo-target-${TARGET_CPU}-${TARGETPLATFORM}-musl-${RUST_PROFILE} \
    bash <<'EOF'
    set -o allexport
    set -o xtrace
@@ -10,7 +10,6 @@
  - [Kubernetes](deploying/kubernetes.md)
  - [Arch Linux](deploying/arch-linux.md)
  - [Debian](deploying/debian.md)
-  - [Fedora](deploying/fedora.md)
  - [FreeBSD](deploying/freebsd.md)
 - [TURN](turn.md)
 - [Appservices](appservices.md)
@@ -1,201 +0,0 @@
-# RPM Installation Guide
-
-Continuwuity is available as RPM packages for Fedora, RHEL, and compatible distributions.
-
-The RPM packaging files are maintained in the `fedora/` directory:
- `continuwuity.spec.rpkg` - RPM spec file using rpkg macros for building from git
- `continuwuity.service` - Systemd service file for the server
- `RPM-GPG-KEY-continuwuity.asc` - GPG public key for verifying signed packages
-
-RPM packages built by CI are signed with our GPG key (Ed25519, ID: `5E0FF73F411AAFCA`).
-
-```bash
-# Import the signing key
-sudo rpm --import https://forgejo.ellis.link/continuwuation/continuwuity/raw/branch/main/fedora/RPM-GPG-KEY-continuwuity.asc
-
-# Verify a downloaded package
-rpm --checksig continuwuity-*.rpm
-```
-
-## Installation methods
-
-**Stable releases** (recommended)
-
-```bash
-# Add the repository and install
-sudo dnf config-manager addrepo --from-repofile=https://forgejo.ellis.link/api/packages/continuwuation/rpm/stable/continuwuation.repo
-sudo dnf install continuwuity
-```
-
-**Development builds** from main branch
-
-```bash
-# Add the dev repository and install
-sudo dnf config-manager addrepo --from-repofile=https://forgejo.ellis.link/api/packages/continuwuation/rpm/dev/continuwuation.repo
-sudo dnf install continuwuity
-```
-
-**Feature branch builds** (example: `tom/new-feature`)
-
-```bash
-# Branch names are sanitized (slashes become hyphens, lowercase only)
-sudo dnf config-manager addrepo --from-repofile=https://forgejo.ellis.link/api/packages/continuwuation/rpm/tom-new-feature/continuwuation.repo
-sudo dnf install continuwuity
-```
-
-**Direct installation** without adding repository
-
-```bash
-# Latest stable release
-sudo dnf install https://forgejo.ellis.link/api/packages/continuwuation/rpm/stable/continuwuity
-
-# Latest development build
-sudo dnf install https://forgejo.ellis.link/api/packages/continuwuation/rpm/dev/continuwuity
-
-# Specific feature branch
-sudo dnf install https://forgejo.ellis.link/api/packages/continuwuation/rpm/branch-name/continuwuity
-```
-
-**Manual repository configuration** (alternative method)
-
-```bash
-cat << 'EOF' | sudo tee /etc/yum.repos.d/continuwuity.repo
-[continuwuity]
-name=Continuwuity - Matrix homeserver
-baseurl=https://forgejo.ellis.link/api/packages/continuwuation/rpm/stable
-enabled=1
-gpgcheck=1
-gpgkey=https://forgejo.ellis.link/continuwuation/continuwuity/raw/branch/main/fedora/RPM-GPG-KEY-continuwuity.asc
-EOF
-
-sudo dnf install continuwuity
-```
-
-## Package management
-
-**Automatic updates** with DNF Automatic
-
-```bash
-# Install and configure
-sudo dnf install dnf-automatic
-sudo nano /etc/dnf/automatic.conf  # Set: apply_updates = yes
-sudo systemctl enable --now dnf-automatic.timer
-```
-
-**Manual updates**
-
-```bash
-# Check for updates
-sudo dnf check-update continuwuity
-
-# Update to latest version
-sudo dnf update continuwuity
-```
-
-**Switching channels** (stable/dev/feature branches)
-
-```bash
-# List enabled repositories
-dnf repolist | grep continuwuation
-
-# Disable current repository
-sudo dnf config-manager --set-disabled continuwuation-stable  # or -dev, or branch name
-
-# Enable desired repository
-sudo dnf config-manager --set-enabled continuwuation-dev  # or -stable, or branch name
-
-# Update to the new channel's version
-sudo dnf update continuwuity
-```
-
-**Verifying installation**
-
-```bash
-# Check installed version
-rpm -q continuwuity
-
-# View package information
-rpm -qi continuwuity
-
-# List installed files
-rpm -ql continuwuity
-
-# Verify package integrity
-rpm -V continuwuity
-```
-
-## Service management and removal
-
-**Systemd service commands**
-
-```bash
-# Start the service
-sudo systemctl start conduwuit
-
-# Enable on boot
-sudo systemctl enable conduwuit
-
-# Check status
-sudo systemctl status conduwuit
-
-# View logs
-sudo journalctl -u conduwuit -f
-```
-
-**Uninstallation**
-
-```bash
-# Stop and disable the service
-sudo systemctl stop conduwuit
-sudo systemctl disable conduwuit
-
-# Remove the package
-sudo dnf remove continuwuity
-
-# Remove the repository (optional)
-sudo rm /etc/yum.repos.d/continuwuation-*.repo
-```
-
-## Troubleshooting
-
-**GPG key errors**: Temporarily disable GPG checking
-
-```bash
-sudo dnf --nogpgcheck install continuwuity
-```
-
-**Repository metadata issues**: Clear and rebuild cache
-
-```bash
-sudo dnf clean all
-sudo dnf makecache
-```
-
-**Finding specific versions**
-
-```bash
-# List all available versions
-dnf --showduplicates list continuwuity
-
-# Install a specific version
-sudo dnf install continuwuity-<version>
-```
-
-## Building locally
-
-Build the RPM locally using rpkg:
-
-```bash
-# Install dependencies
-sudo dnf install rpkg rpm-build cargo-rpm-macros systemd-rpm-macros
-
-# Clone the repository
-git clone https://forgejo.ellis.link/continuwuation/continuwuity.git
-cd continuwuity
-
-# Build SRPM
-rpkg srpm
-
-# Build RPM
-rpmbuild --rebuild *.src.rpm
-```
@@ -8,6 +8,10 @@
        {
            "id": 3,
            "message": "_taps microphone_ The Continuwuity 0.5.0-rc.7 release is now available, and it's better than ever! **177 commits**, **35 pull requests**, **11 contributors,** and a lot of new stuff!\n\nFor highlights, we've got:\n\n* 🕵️ Full Policy Server support to fight spam!\n* 🚀 Smarter room & space upgrades.\n* 🚫 User suspension tools for better moderation.\n* 🤖 reCaptcha support for safer open registration.\n* 🔍 Ability to disable read receipts & typing indicators.\n* ⚡ Sweeping performance improvements!\n\nGet the [full changelog and downloads on our Forgejo](https://forgejo.ellis.link/continuwuation/continuwuity/releases/tag/v0.5.0-rc.7) - and make sure you're in the [Announcements room](https://matrix.to/#/!releases:continuwuity.org/$hN9z6L2_dTAlPxFLAoXVfo_g8DyYXu4cpvWsSrWhmB0) to get stuff like this sooner."
+        },
+        {
+            "id": 5,
+            "message": "It's a bird! It's a plane! No, it's 0.5.0-rc.8.1!\n\nThis is a minor bugfix update to the rc8 which backports some important fixes from the latest main branch. If you still haven't updated to rc8, you should skip to main. Otherwise, you should upgrade to this bugfix release as soon as possible.\n\nBugfixes backported to this version:\n\n- Resolved several issues with state resolution v2.1 (room version 12)\n- Fixed issues with the `restricted` and `knock_restricted` join rules that would sometimes incorrectly disallow a valid join\n- Fixed the automatic support contact listing being a no-op\n- Fixed upgrading pre-v12 rooms to v12 rooms\n- Fixed policy servers sending the incorrect JSON objects (resulted in false positives)\n- Fixed debug build panic during MSC4133 migration\n\nIt is recommended, if you can and are comfortable with doing so, following updates to the main branch - we're in the run up to the full 0.5.0 release, and more and more bugfixes and new features are being pushed constantly. Please don't forget to join [#announcements:continuwuity.org](https://matrix.to/#/#announcements:continuwuity.org) to receive this news faster and be alerted to other important updates!"
        }
    ]
 }
@@ -65,10 +65,10 @@
                    domain = "forgejo.ellis.link";
                    owner = "continuwuation";
                    repo = "rocksdb";
-                    rev = "10.5.fb";
-                    sha256 = "sha256-X4ApGLkHF9ceBtBg77dimEpu720I79ffLoyPa8JMHaU=";
+                    rev = "10.4.fb";
+                    sha256 = "sha256-/Hvy1yTH/0D5aa7bc+/uqFugCQq4InTdwlRw88vA5IY=";
                  };
-                  version = "v10.5.fb";
+                  version = "v10.4.fb";
                  cmakeFlags =
                    pkgs.lib.subtractLists [
                      # No real reason to have snappy or zlib, no one uses this
@@ -1,29 +1,13 @@
 # Continuwuity for Debian

-This document provides information about downloading and deploying the Debian package. You can also use this guide for other deb-based distributions such as Ubuntu.
+This document provides information about downloading and deploying the Debian package. You can also use this guide for other `apt`-based distributions such as Ubuntu.

 ### Installation

-To add the Continuwuation apt repository:
-```bash
-# Replace with `"dev"` for bleeding-edge builds at your own risk
-export COMPONENT="stable"
-# Import the Continuwuation signing key
-sudo curl https://forgejo.ellis.link/api/packages/continuwuation/debian/repository.key -o /etc/apt/keyrings/forgejo-continuwuation.asc
-# Add a new apt source list pointing to the repository
-echo "deb [signed-by=/etc/apt/keyrings/forgejo-continuwuation.asc] https://forgejo.ellis.link/api/packages/continuwuation/debian $(lsb_release -sc) $COMPONENT" | sudo tee /etc/apt/sources.list.d/continuwuation.list
-# Update remote package lists
-sudo apt update
-```
-
-To install continuwuity:
-```bash
-sudo apt install continuwuity
-```
-The `continuwuity` package conflicts with the old `conduwuit` package and will remove it automatically when installed.
-
 See the [generic deployment guide](../deploying/generic.md) for additional information about using the Debian package.

+No `apt` repository is currently available. This feature is in development.
+
 ### Configuration

 After installation, Continuwuity places the example configuration at `/etc/conduwuit/conduwuit.toml` as the default configuration file. The configuration file indicates which settings you must change before starting the service.
@@ -32,7 +16,7 @@ You can customize additional settings by uncommenting and modifying the configur

 ### Running

-The package uses the [`conduwuit.service`](../configuration/examples.md#example-systemd-unit-file) systemd unit file to start and stop Continuwuity. The binary installs at `/usr/bin/conduwuit`.
+The package uses the [`conduwuit.service`](../configuration/examples.md#example-systemd-unit-file) systemd unit file to start and stop Continuwuity. The binary installs at `/usr/sbin/conduwuit`.

 By default, this package assumes that Continuwuity runs behind a reverse proxy. The default configuration options apply (listening on `localhost` and TCP port `6167`). Matrix federation requires a valid domain name and TLS. To federate properly, you must set up TLS certificates and certificate renewal.

@@ -1,5 +1,6 @@
-# This should be run using rpkg: https://docs.pagure.org/rpkg
+# This should be run using rpkg-util: https://docs.pagure.org/rpkg-util
 # it requires Internet access and is not suitable for Fedora main repos
+# TODO: rpkg-util is no longer maintained, find a replacement

 Name:           continuwuity
 Version:        {{{ git_repo_version }}}
@@ -78,7 +78,7 @@ pub(crate) async fn well_known_support(
 			while let Some(user_id) = stream.next().await {
 				// Skip server user
 				if *user_id == services.globals.server_user {
-					break;
+					continue;
 				}
 				contacts.push(Contact {
 					role: role_value.clone(),
@@ -1,6 +1,6 @@
 use axum::extract::State;
 use conduwuit::{
-	Err, Error, Result, debug_info, matrix::pdu::PduBuilder, utils::IterStream, warn,
+	Err, Error, Result, debug_info, info, matrix::pdu::PduBuilder, utils::IterStream, warn,
 };
 use conduwuit_service::Services;
 use futures::StreamExt;
@@ -22,6 +22,7 @@ use crate::Ruma;
 /// # `GET /_matrix/federation/v1/make_join/{roomId}/{userId}`
 ///
 /// Creates a join template.
+#[tracing::instrument(skip_all, fields(room_id = %body.room_id, user_id = %body.user_id, origin = %body.origin()))]
 pub(crate) async fn create_join_event_template_route(
 	State(services): State<crate::State>,
 	body: Ruma<prepare_join_event::v1::Request>,
@@ -72,11 +73,16 @@ pub(crate) async fn create_join_event_template_route(
 	}

 	let state_lock = services.rooms.state.mutex.lock(&body.room_id).await;
-
+	let is_invited = services
+		.rooms
+		.state_cache
+		.is_invited(&body.user_id, &body.room_id)
+		.await;
 	let join_authorized_via_users_server: Option<OwnedUserId> = {
 		use RoomVersionId::*;
-		if matches!(room_version_id, V1 | V2 | V3 | V4 | V5 | V6 | V7) {
-			// room version does not support restricted join rules
+		if matches!(room_version_id, V1 | V2 | V3 | V4 | V5 | V6 | V7) || is_invited {
+			// room version does not support restricted join rules, or the user is currently
+			// already invited
 			None
 		} else if user_can_perform_restricted_join(
 			&services,
@@ -103,6 +109,10 @@ pub(crate) async fn create_join_event_template_route(
 				.await
 				.map(ToOwned::to_owned)
 			else {
+				info!(
+					"No local user is able to authorize the join of {} into {}",
+					&body.user_id, &body.room_id
+				);
 				return Err!(Request(UnableToGrantJoin(
 					"No user on this server is able to assist in joining."
 				)));
@@ -167,6 +177,7 @@ pub(crate) async fn user_can_perform_restricted_join(
 		)
 		.await
 	else {
+		// No join rules means there's nothing to authorise (defaults to invite)
 		return Ok(false);
 	};

@@ -200,11 +200,15 @@ where
 		if incoming_event.room_id().is_some() {
 			let Some(room_id_server_name) = incoming_event.room_id().unwrap().server_name()
 			else {
-				warn!("room ID has no servername");
+				warn!("legacy room ID has no server name");
 				return Ok(false);
 			};
 			if room_id_server_name != sender.server_name() {
-				warn!("servername of room ID does not match servername of sender");
+				warn!(
+					expected = %sender.server_name(),
+					received = %room_id_server_name,
+					"server name of legacy room ID does not match server name of sender"
+				);
 				return Ok(false);
 			}
 		}
@@ -215,12 +219,12 @@ where
 			.room_version
 			.is_some_and(|v| v.deserialize().is_err())
 		{
-			warn!("invalid room version found in m.room.create event");
+			warn!("unsupported room version found in m.room.create event");
 			return Ok(false);
 		}

 		if room_version.room_ids_as_hashes && incoming_event.room_id().is_some() {
-			warn!("room create event incorrectly claims a room ID");
+			warn!("room create event incorrectly claims to have a room ID when it should not");
 			return Ok(false);
 		}

@@ -229,7 +233,7 @@ where
 		{
 			// If content has no creator field, reject
 			if content.creator.is_none() {
-				warn!("no creator field found in m.room.create content");
+				warn!("m.room.create event incorrectly omits 'creator' field");
 				return Ok(false);
 			}
 		}
@@ -282,16 +286,19 @@ where
 		.room_version
 		.is_some_and(|v| v.deserialize().is_err())
 	{
-		warn!("invalid room version found in m.room.create event");
+		warn!(
+			create_event_id = %room_create_event.event_id(),
+			"unsupported room version found in m.room.create event"
+		);
 		return Ok(false);
 	}
 	let expected_room_id = room_create_event.room_id_or_hash();

-	if incoming_event.room_id().unwrap() != expected_room_id {
+	if incoming_event.room_id().expect("event must have a room ID") != expected_room_id {
 		warn!(
 			expected = %expected_room_id,
 			received = %incoming_event.room_id().unwrap(),
-			"room_id of incoming event ({}) does not match room_id of m.room.create event ({})",
+			"room_id of incoming event ({}) does not match that of the m.room.create event ({})",
 			incoming_event.room_id().unwrap(),
 			expected_room_id,
 		);
@@ -304,12 +311,15 @@ where
 		.auth_events()
 		.any(|id| id == room_create_event.event_id());
 	if room_version.room_ids_as_hashes && claims_create_event {
-		warn!("m.room.create event incorrectly found in auth events");
+		warn!("event incorrectly references m.room.create event in auth events");
 		return Ok(false);
 	} else if !room_version.room_ids_as_hashes && !claims_create_event {
 		// If the create event is not referenced in the event's auth events, and this is
 		// a v11 room, reject
-		warn!("no m.room.create event found in auth events");
+		warn!(
+			missing = %room_create_event.event_id(),
+			"event incorrectly did not reference an m.room.create in its auth events"
+		);
 		return Ok(false);
 	}

@@ -318,7 +328,7 @@ where
 			warn!(
 				expected = %expected_room_id,
 				received = %pe.room_id().unwrap(),
-				"room_id of power levels event does not match room_id of m.room.create event"
+				"room_id of referenced power levels event does not match that of the m.room.create event"
 			);
 			return Ok(false);
 		}
@@ -332,8 +342,9 @@ where
 		&& room_create_event.sender().server_name() != incoming_event.sender().server_name()
 	{
 		warn!(
-			"room is not federated and event's sender domain does not match create event's \
-			 sender domain"
+			sender = %incoming_event.sender(),
+			create_sender = %room_create_event.sender(),
+			"room is not federated and event's sender domain does not match create event's sender domain"
 		);
 		return Ok(false);
 	}
@@ -416,7 +427,6 @@ where
 			&user_for_join_auth_membership,
 			&room_create_event,
 		)? {
-			warn!("membership change not valid for some reason");
 			return Ok(false);
 		}

@@ -429,7 +439,7 @@ where
 	let sender_member_event = match sender_member_event {
 		| Some(mem) => mem,
 		| None => {
-			warn!("sender not found in room");
+			warn!("sender has no membership event");
 			return Ok(false);
 		},
 	};
@@ -440,7 +450,7 @@ where
 		!= expected_room_id
 	{
 		warn!(
-			"room_id of incoming event ({}) does not match room_id of m.room.create event ({})",
+			"room_id of incoming event ({}) does not match that of the m.room.create event ({})",
 			sender_member_event
 				.room_id()
 				.expect("event must have a room ID"),
@@ -453,8 +463,7 @@ where
 		from_json_str(sender_member_event.content().get())?;
 	let Some(membership_state) = sender_membership_event_content.membership else {
 		warn!(
-			sender_membership_event_content = format!("{sender_membership_event_content:?}"),
-			event_id = format!("{}", incoming_event.event_id()),
+			?sender_membership_event_content,
 			"Sender membership event content missing membership field"
 		);
 		return Err(Error::InvalidPdu("Missing membership field".to_owned()));
@@ -462,7 +471,11 @@ where
 	let membership_state = membership_state.deserialize()?;

 	if !matches!(membership_state, MembershipState::Join) {
-		warn!("sender's membership is not join");
+		warn!(
+			%sender,
+			?membership_state,
+			"sender cannot send events without being joined to the room"
+		);
 		return Ok(false);
 	}

@@ -522,7 +535,12 @@ where
 		};

 		if sender_power_level < invite_level {
-			warn!("sender's cannot send invites in this room");
+			warn!(
+				%sender,
+				has=?sender_power_level,
+				required=?invite_level,
+				"sender cannot send invites in this room"
+			);
 			return Ok(false);
 		}

@@ -534,7 +552,11 @@ where
 	// level, reject If the event has a state_key that starts with an @ and does
 	// not match the sender, reject.
 	if !can_send_event(incoming_event, power_levels_event.as_ref(), sender_power_level) {
-		warn!("user cannot send event");
+		warn!(
+			%sender,
+			event_type=?incoming_event.kind(),
+			"sender cannot send event"
+		);
 		return Ok(false);
 	}

@@ -579,6 +601,12 @@ where
 		};

 		if !check_redaction(room_version, incoming_event, sender_power_level, redact_level)? {
+			warn!(
+				%sender,
+				?sender_power_level,
+				?redact_level,
+				"redaction event was not allowed"
+			);
 			return Ok(false);
 		}
 	}
@@ -587,15 +615,21 @@ where
 	Ok(true)
 }

-fn is_creator<EV>(v: &RoomVersion, c: &BTreeSet<OwnedUserId>, ce: &EV, user_id: &UserId) -> bool
+fn is_creator<EV>(
+	v: &RoomVersion,
+	c: &BTreeSet<OwnedUserId>,
+	ce: &EV,
+	user_id: &UserId,
+	have_pls: bool,
+) -> bool
 where
 	EV: Event + Send + Sync,
 {
 	if v.explicitly_privilege_room_creators {
 		c.contains(user_id)
-	} else if v.use_room_create_sender {
+	} else if v.use_room_create_sender && !have_pls {
 		ce.sender() == user_id
-	} else {
+	} else if !have_pls {
 		#[allow(deprecated)]
 		let creator = from_json_str::<RoomCreateEventContent>(ce.content().get())
 			.unwrap()
@@ -604,6 +638,8 @@ where
 			.unwrap();

 		creator == user_id
+	} else {
+		false
 	}
 }

@@ -696,10 +732,11 @@ where
 	}
 	trace!(?creators, "creators for room");

-	let mut join_rules = JoinRule::Invite;
-	if let Some(jr) = &join_rules_event {
-		join_rules = from_json_str::<RoomJoinRulesEventContent>(jr.content().get())?.join_rule;
-	}
+	let join_rules = if let Some(jr) = &join_rules_event {
+		from_json_str::<RoomJoinRulesEventContent>(jr.content().get())?.join_rule
+	} else {
+		JoinRule::Invite
+	};

 	let power_levels_event_id = power_levels_event.as_ref().map(Event::event_id);
 	let sender_membership_event_id = sender_membership_event.as_ref().map(Event::event_id);
@@ -725,8 +762,13 @@ where
 			(int!(0), int!(0))
 		};
 		let user_joined = user_for_join_auth_membership == &MembershipState::Join;
-		let okay_power = is_creator(room_version, &creators, create_room, user_for_join_auth)
-			|| auth_user_pl >= invite_level;
+		let okay_power = is_creator(
+			room_version,
+			&creators,
+			create_room,
+			user_for_join_auth,
+			power_levels_event.as_ref().is_some(),
+		) || auth_user_pl >= invite_level;
 		trace!(
 			auth_user_pl=?auth_user_pl,
 			invite_level=?invite_level,
@@ -741,8 +783,20 @@ where
 		trace!("No auth user given for join auth");
 		false
 	};
-	let sender_creator = is_creator(room_version, &creators, create_room, sender);
-	let target_creator = is_creator(room_version, &creators, create_room, target_user);
+	let sender_creator = is_creator(
+		room_version,
+		&creators,
+		create_room,
+		sender,
+		power_levels_event.as_ref().is_some(),
+	);
+	let target_creator = is_creator(
+		room_version,
+		&creators,
+		create_room,
+		target_user,
+		power_levels_event.as_ref().is_some(),
+	);

 	Ok(match target_membership {
 		| MembershipState::Join => {
@@ -759,7 +813,7 @@ where

 			if prev_event_is_create_event && no_more_prev_events {
 				trace!(
-					sender = %sender,
+					%sender,
 					target_user = %target_user,
 					?sender_creator,
 					?target_creator,
@@ -779,22 +833,33 @@ where
 			);
 			if sender != target_user {
 				// If the sender does not match state_key, reject.
-				warn!("Can't make other user join");
+				warn!(
+					%sender,
+					target_user = %target_user,
+					"sender cannot join on behalf of another user"
+				);
 				false
 			} else if target_user_current_membership == MembershipState::Ban {
 				// If the sender is banned, reject.
-				warn!(?target_user_membership_event_id, "Banned user can't join");
+				warn!(
+					%sender,
+					membership_event_id = ?target_user_membership_event_id,
+					"sender cannot join as they are banned from the room"
+				);
 				false
 			} else {
 				match join_rules {
 					| JoinRule::Invite =>
 						if !membership_allows_join {
 							warn!(
-								membership=?target_user_current_membership,
-								"Join rule is invite but membership does not allow join"
+								%sender,
+								membership_event_id = ?target_user_membership_event_id,
+								membership = ?target_user_current_membership,
+								"sender cannot join as they are not invited to the invite-only room"
 							);
 							false
 						} else {
+							trace!(sender=%sender, "sender is invited to room, allowing join");
 							true
 						},
 					| JoinRule::Knock if !room_version.allow_knocking => {
@@ -804,11 +869,14 @@ where
 					| JoinRule::Knock =>
 						if !membership_allows_join {
 							warn!(
+								%sender,
+								membership_event_id = ?target_user_membership_event_id,
 								membership=?target_user_current_membership,
-								"Join rule is knock but membership does not allow join"
+								"sender cannot join a knock room without being invited or already joined"
 							);
 							false
 						} else {
+							trace!(sender=%sender, "sender is invited or already joined to room, allowing join");
 							true
 						},
 					| JoinRule::KnockRestricted(_) if !room_version.knock_restricted_join_rule =>
@@ -820,33 +888,55 @@ where
 					},
 					| JoinRule::KnockRestricted(_) => {
 						if membership_allows_join || user_for_join_auth_is_valid {
+							trace!(
+								%sender,
+								%membership_allows_join,
+								%user_for_join_auth_is_valid,
+								"sender is invited, already joined to, or authorised to join the room, allowing join"
+							);
 							true
 						} else {
 							warn!(
+								%sender,
+								membership_event_id = ?target_user_membership_event_id,
 								membership=?target_user_current_membership,
-								"Join rule is a restricted one, but no valid authorising user \
-								 was given and the sender's current membership does not permit \
-								 a join transition"
+								%user_for_join_auth_is_valid,
+								?user_for_join_auth,
+								"sender cannot join as they are not invited nor already joined to the room, nor was a \
+								 valid authorising user given to permit the join"
 							);
 							false
 						}
 					},
 					| JoinRule::Restricted(_) =>
 						if membership_allows_join || user_for_join_auth_is_valid {
+							trace!(
+								%sender,
+								%membership_allows_join,
+								%user_for_join_auth_is_valid,
+								"sender is invited, already joined to, or authorised to join the room, allowing join"
+							);
 							true
 						} else {
 							warn!(
-								"Join rule is a restricted one but no valid authorising user \
-								 was given"
+								%sender,
+								membership_event_id = ?target_user_membership_event_id,
+								membership=?target_user_current_membership,
+								%user_for_join_auth_is_valid,
+								?user_for_join_auth,
+								"sender cannot join as they are not invited nor already joined to the room, nor was a \
+								 valid authorising user given to permit the join"
 							);
 							false
 						},
-					| JoinRule::Public => true,
+					| JoinRule::Public => {
+						trace!(%sender, "join rule is public, allowing join");
+						true
+					},
 					| _ => {
 						warn!(
 							join_rule=?join_rules,
-							membership=?target_user_current_membership,
-							"Unknown join rule doesn't allow joining, or the rule's conditions were not met"
+							"Join rule is unknown, or the rule's conditions were not met"
 						);
 						false
 					},
@@ -873,16 +963,23 @@ where
 						}
 						allow
 					},
-				| _ => {
-					if !sender_is_joined
-						|| target_user_current_membership == MembershipState::Join
-						|| target_user_current_membership == MembershipState::Ban
-					{
+				| _ =>
+					if !sender_is_joined {
+						warn!(
+							%sender,
+							?sender_membership_event_id,
+							?sender_membership,
+							"sender cannot produce an invite without being joined to the room",
+						);
+						false
+					} else if matches!(
+						target_user_current_membership,
+						MembershipState::Join | MembershipState::Ban
+					) {
 						warn!(
 							?target_user_membership_event_id,
-							?sender_membership_event_id,
-							"Can't invite user if sender not joined or the user is currently \
-							 joined or banned",
+							?target_user_current_membership,
+							"cannot invite a user who is banned or already joined",
 						);
 						false
 					} else {
@@ -892,56 +989,124 @@ where
 								.is_some();
 						if !allow {
 							warn!(
-								?target_user_membership_event_id,
-								?power_levels_event_id,
-								"User does not have enough power to invite",
+								%sender,
+								has=?sender_power,
+								required=?power_levels.invite,
+								"sender does not have enough power to produce invites",
 							);
 						}
+						trace!(
+							%sender,
+							?sender_membership_event_id,
+							?sender_membership,
+							?target_user_membership_event_id,
+							?target_user_current_membership,
+							sender_pl=?sender_power,
+							required_pl=?power_levels.invite,
+							"allowing invite"
+						);
 						allow
-					}
-				},
+					},
 			}
 		},
-		| MembershipState::Leave =>
+		| MembershipState::Leave => {
+			let can_unban = if target_user_current_membership == MembershipState::Ban {
+				sender_creator || sender_power.filter(|&p| p >= &power_levels.ban).is_some()
+			} else {
+				true
+			};
+			let can_kick = if !matches!(
+				target_user_current_membership,
+				MembershipState::Ban | MembershipState::Leave
+			) {
+				if sender_creator {
+					// sender is a creator
+					true
+				} else if sender_power.filter(|&p| p >= &power_levels.kick).is_none() {
+					// sender lacks kick power level
+					false
+				} else if let Some(sp) = sender_power {
+					if let Some(tp) = target_power {
+						// sender must have more power than target
+						sp > tp
+					} else {
+						// target has default power level
+						true
+					}
+				} else {
+					// sender has default power level
+					false
+				}
+			} else {
+				true
+			};
 			if sender == target_user {
-				let allow = target_user_current_membership == MembershipState::Join
-					|| target_user_current_membership == MembershipState::Invite
-					|| target_user_current_membership == MembershipState::Knock;
+				// self-leave
+				// let allow = target_user_current_membership == MembershipState::Join
+				// 	|| target_user_current_membership == MembershipState::Invite
+				// 	|| target_user_current_membership == MembershipState::Knock;
+				let allow = matches!(
+					target_user_current_membership,
+					MembershipState::Join | MembershipState::Invite | MembershipState::Knock
+				);
 				if !allow {
 					warn!(
-						?target_user_membership_event_id,
-						?target_user_current_membership,
-						"Can't leave if sender is not already invited, knocked, or joined"
+						%sender,
+						current_membership_event_id=?target_user_membership_event_id,
+						current_membership=?target_user_current_membership,
+						"sender cannot leave as they are not already knocking on, invited to, or joined to the room"
 					);
 				}
+				trace!(sender=%sender, "allowing leave");
 				allow
-			} else if !sender_is_joined
-				|| target_user_current_membership == MembershipState::Ban
-					&& (sender_creator
-						|| sender_power.filter(|&p| p < &power_levels.ban).is_some())
-			{
+			} else if !sender_is_joined {
 				warn!(
-					?target_user_membership_event_id,
+					%sender,
 					?sender_membership_event_id,
-					"Can't kick if sender not joined or user is already banned",
+					"sender cannot kick another user as they are not joined to the room",
+				);
+				false
+			} else if !(can_unban && can_kick) {
+				// If the target is banned, only a room creator or someone with ban power
+				// level can unban them
+				warn!(
+					%sender,
+					?target_user_membership_event_id,
+					?power_levels_event_id,
+					"sender lacks the power level required to unban users",
+				);
+				false
+			} else if !can_kick {
+				warn!(
+					%sender,
+					%target_user,
+					?target_user_membership_event_id,
+					?target_user_current_membership,
+					?power_levels_event_id,
+					"sender does not have enough power to kick the target",
 				);
 				false
 			} else {
-				let allow = sender_creator
-					|| (sender_power.filter(|&p| p >= &power_levels.kick).is_some()
-						&& target_power < sender_power);
-				if !allow {
-					warn!(
-						?target_user_membership_event_id,
-						?power_levels_event_id,
-						"User does not have enough power to kick",
-					);
-				}
-				allow
-			},
+				trace!(
+					%sender,
+					%target_user,
+					?target_user_membership_event_id,
+					?target_user_current_membership,
+					sender_pl=?sender_power,
+					target_pl=?target_power,
+					required_pl=?power_levels.kick,
+					"allowing kick/unban",
+				);
+				true
+			}
+		},
 		| MembershipState::Ban =>
 			if !sender_is_joined {
-				warn!(?sender_membership_event_id, "Can't ban user if sender is not joined");
+				warn!(
+					%sender,
+					?sender_membership_event_id,
+					"sender cannot ban another user as they are not joined to the room",
+				);
 				false
 			} else {
 				let allow = sender_creator
@@ -949,9 +1114,11 @@ where
 						&& target_power < sender_power);
 				if !allow {
 					warn!(
+						%sender,
+						%target_user,
 						?target_user_membership_event_id,
 						?power_levels_event_id,
-						"User does not have enough power to ban",
+						"sender does not have enough power to ban the target",
 					);
 				}
 				allow
@@ -977,9 +1144,9 @@ where
 			} else if sender != target_user {
 				// 3. If `sender` does not match `state_key`, reject.
 				warn!(
-					?sender,
-					?target_user,
-					"Can't make another user knock, sender did not match target"
+					%sender,
+					%target_user,
+					"sender cannot knock on behalf of another user",
 				);
 				false
 			} else if matches!(
@@ -991,15 +1158,25 @@ where
 				// 5. Otherwise, reject.
 				warn!(
 					?target_user_membership_event_id,
+					?sender_membership,
 					"Knocking with a membership state of ban, invite or join is invalid",
 				);
 				false
 			} else {
+				trace!(%sender, "allowing knock");
 				true
 			}
 		},
 		| _ => {
-			warn!("Unknown membership transition");
+			warn!(
+				%sender,
+				?target_membership,
+				%target_user,
+				%target_user_current_membership,
+				"Unknown or invalid membership transition {} -> {}",
+				target_user_current_membership,
+				target_membership
+			);
 			false
 		},
 	})
@@ -1029,6 +1206,13 @@ fn can_send_event(event: &impl Event, ple: Option<&impl Event>, user_level: Int)
 	if event.state_key().is_some_and(|k| k.starts_with('@'))
 		&& event.state_key() != Some(event.sender().as_str())
 	{
+		warn!(
+			%user_level,
+			required=?event_type_power_level,
+			state_key=?event.state_key(),
+			sender=%event.sender(),
+			"state_key starts with @ but does not match sender",
+		);
 		return false; // permission required to post in this room
 	}

@@ -1113,7 +1297,14 @@ fn check_power_levels(

 		// If the current value is equal to the sender's current power level, reject
 		if user != power_event.sender() && old_level == Some(&user_level) {
-			warn!("m.room.power_level cannot remove ops == to own");
+			warn!(
+				?old_level,
+				?new_level,
+				?user,
+				%user_level,
+				sender=%power_event.sender(),
+				"cannot alter the power level of a user with the same power level as sender's own"
+			);
 			return Some(false); // cannot remove ops level == to own
 		}

@@ -1121,8 +1312,26 @@ fn check_power_levels(
 		// If the new value is higher than the sender's current power level, reject
 		let old_level_too_big = old_level > Some(&user_level);
 		let new_level_too_big = new_level > Some(&user_level);
-		if old_level_too_big || new_level_too_big {
-			warn!("m.room.power_level failed to add ops > than own");
+		if old_level_too_big {
+			warn!(
+				?old_level,
+				?new_level,
+				?user,
+				%user_level,
+				sender=%power_event.sender(),
+				"cannot alter the power level of a user with a higher power level than sender's own"
+			);
+			return Some(false); // cannot add ops greater than own
+		}
+		if new_level_too_big {
+			warn!(
+				?old_level,
+				?new_level,
+				?user,
+				%user_level,
+				sender=%power_event.sender(),
+				"cannot set the power level of a user to a level higher than sender's own"
+			);
 			return Some(false); // cannot add ops greater than own
 		}
 	}
@@ -1139,8 +1348,26 @@ fn check_power_levels(
 		// If the new value is higher than the sender's current power level, reject
 		let old_level_too_big = old_level > Some(&user_level);
 		let new_level_too_big = new_level > Some(&user_level);
-		if old_level_too_big || new_level_too_big {
-			warn!("m.room.power_level failed to add ops > than own");
+		if old_level_too_big {
+			warn!(
+				?old_level,
+				?new_level,
+				?ev_type,
+				%user_level,
+				sender=%power_event.sender(),
+				"cannot alter the power level of an event with a higher power level than sender's own"
+			);
+			return Some(false); // cannot add ops greater than own
+		}
+		if new_level_too_big {
+			warn!(
+				?old_level,
+				?new_level,
+				?ev_type,
+				%user_level,
+				sender=%power_event.sender(),
+				"cannot set the power level of an event to a level higher than sender's own"
+			);
 			return Some(false); // cannot add ops greater than own
 		}
 	}
@@ -1155,7 +1382,13 @@ fn check_power_levels(
 			let old_level_too_big = old_level > user_level;
 			let new_level_too_big = new_level > user_level;
 			if old_level_too_big || new_level_too_big {
-				warn!("m.room.power_level failed to add ops > than own");
+				warn!(
+					?old_level,
+					?new_level,
+					%user_level,
+					sender=%power_event.sender(),
+					"cannot alter the power level of notifications greater than sender's own"
+				);
 				return Some(false); // cannot add ops greater than own
 			}
 		}
@@ -1179,7 +1412,14 @@ fn check_power_levels(
 			let new_level_too_big = new_lvl > user_level;

 			if old_level_too_big || new_level_too_big {
-				warn!("cannot add ops > than own");
+				warn!(
+					?old_lvl,
+					?new_lvl,
+					%user_level,
+					sender=%power_event.sender(),
+					action=%lvl_name,
+					"cannot alter the power level of action greater than sender's own",
+				);
 				return Some(false);
 			}
 		}
@@ -36,7 +36,7 @@ pub use self::{
 	room_version::RoomVersion,
 };
 use crate::{
-	debug, debug_error,
+	debug, debug_error, err,
 	matrix::{Event, StateKey},
 	state_res::room_version::StateResolutionVersion,
 	trace,
@@ -101,40 +101,40 @@ where
 	debug!(version = ?stateres_version, "State resolution starting");

 	// Split non-conflicting and conflicting state
-	let (clean, conflicting) = separate(state_sets.into_iter());
+	let (unconflicted, conflicting) = separate(state_sets.into_iter());

-	debug!(count = clean.len(), "non-conflicting events");
-	trace!(map = ?clean, "non-conflicting events");
+	debug!(count = unconflicted.len(), "non-conflicting events");
+	trace!(map = ?unconflicted, "non-conflicting events");

 	if conflicting.is_empty() {
 		debug!("no conflicting state found");
-		return Ok(clean);
+		return Ok(unconflicted);
 	}

 	debug!(count = conflicting.len(), "conflicting events");
 	trace!(map = ?conflicting, "conflicting events");
-	let conflicted_state_subgraph: HashSet<_> = match stateres_version {
-		| StateResolutionVersion::V2_1 =>
-			calculate_conflicted_subgraph(&conflicting, event_fetch)
+	let (conflicted_state_subgraph, initial_state) =
+		if stateres_version == StateResolutionVersion::V2_1 {
+			let csg = calculate_conflicted_subgraph(&conflicting, event_fetch)
 				.await
 				.ok_or_else(|| {
 					Error::InvalidPdu("Failed to calculate conflicted subgraph".to_owned())
-				})?,
-		| _ => HashSet::new(),
-	};
-	debug!(count = conflicted_state_subgraph.len(), "conflicted subgraph");
-	trace!(set = ?conflicted_state_subgraph, "conflicted subgraph");
-
-	let conflicting_values = conflicting.into_values().flatten().stream();
+				})?;
+			debug!(count = csg.len(), "conflicted subgraph");
+			trace!(set = ?csg, "conflicted subgraph");
+			(csg, HashMap::new())
+		} else {
+			(HashSet::new(), unconflicted.clone())
+		};

 	// `all_conflicted` contains unique items
 	// synapse says `full_set = {eid for eid in full_conflicted_set if eid in
 	// event_map}`
 	// Hydra: Also consider the conflicted state subgraph
 	let all_conflicted: HashSet<_> = get_auth_chain_diff(auth_chain_sets)
-		.chain(conflicting_values)
-		.chain(conflicted_state_subgraph.into_iter().stream())
+		.chain(conflicting.into_values().flatten().stream())
 		.broad_filter_map(async |id| event_exists(id.clone()).await.then_some(id))
+		.chain(conflicted_state_subgraph.into_iter().stream())
 		.collect()
 		.await;

@@ -169,9 +169,8 @@ where
 	// Sequentially auth check each control event.
 	let resolved_control = iterative_auth_check(
 		&room_version,
-		&stateres_version,
 		sorted_control_levels.iter().stream().map(AsRef::as_ref),
-		clean.clone(),
+		initial_state,
 		&event_fetch,
 	)
 	.await?;
@@ -201,7 +200,7 @@ where
 	let power_levels_ty_sk = (StateEventType::RoomPowerLevels, StateKey::new());
 	let power_event = resolved_control.get(&power_levels_ty_sk);

-	debug!(event_id = ?power_event, "power event");
+	trace!(event_id = ?power_event, "power event");

 	let sorted_left_events =
 		mainline_sort(&events_to_resolve, power_event.cloned(), &event_fetch).await?;
@@ -210,21 +209,14 @@ where

 	let mut resolved_state = iterative_auth_check(
 		&room_version,
-		&stateres_version,
 		sorted_left_events.iter().stream().map(AsRef::as_ref),
-		resolved_control.clone(), // The control events are added to the final resolved state
+		resolved_control, // The control events are added to the final resolved state
 		&event_fetch,
 	)
 	.await?;

-	// Add unconflicted state to the resolved state
-	// We priorities the unconflicting state
-	resolved_state.extend(clean);
-	if stateres_version == StateResolutionVersion::V2_1 {
-		resolved_state.extend(resolved_control);
-		// TODO(hydra): this feels disgusting and wrong but it allows
-		// the state to resolve properly?
-	}
+	// Ensure unconflicting state is in the final state
+	resolved_state.extend(unconflicted);

 	debug!("state resolution finished");
 	trace!( map = ?resolved_state, "final resolved state" );
@@ -319,8 +311,19 @@ where
 			path.pop();
 			continue;
 		}
-		let evt = fetch_event(event_id.clone()).await?;
-		stack.push(evt.auth_events().map(ToOwned::to_owned).collect());
+		trace!(event_id = event_id.as_str(), "fetching event for its auth events");
+		let evt = fetch_event(event_id.clone()).await;
+		if evt.is_none() {
+			err!("could not fetch event {} to calculate conflicted subgraph", event_id);
+			path.pop();
+			continue;
+		}
+		stack.push(
+			evt.expect("checked")
+				.auth_events()
+				.map(ToOwned::to_owned)
+				.collect(),
+		);
 		seen.insert(event_id);
 	}
 	Some(subgraph)
@@ -592,7 +595,6 @@ where
 #[tracing::instrument(level = "trace", skip_all)]
 async fn iterative_auth_check<'a, E, F, Fut, S>(
 	room_version: &RoomVersion,
-	stateres_version: &StateResolutionVersion,
 	events_to_check: S,
 	unconflicted_state: StateMap<OwnedEventId>,
 	fetch_event: &F,
@@ -617,6 +619,10 @@ where
 		.boxed()
 		.await?;
 	trace!(list = ?events_to_check, "events to check");
+	if events_to_check.is_empty() {
+		debug!("no events to check, returning unconflicted state");
+		return Ok(unconflicted_state);
+	}

 	let auth_event_ids: HashSet<OwnedEventId> = events_to_check
 		.iter()
@@ -637,10 +643,11 @@ where
 	trace!(map = ?auth_events.keys().collect::<Vec<_>>(), "fetched auth events");

 	let auth_events = &auth_events;
-	let mut resolved_state = match stateres_version {
-		| StateResolutionVersion::V2_1 => StateMap::new(),
-		| _ => unconflicted_state,
-	};
+	// NOTE: in state resolution v2.1, auth checks should start with an empty state
+	// map. It is the caller's job to do this. Previously, this function would
+	// force an empty state map in this case, and this resulted in power events
+	// going missing from the resolved state as they'd be discarded here.
+	let mut resolved_state = unconflicted_state;
 	for event in events_to_check {
 		trace!(event_id = event.event_id().as_str(), "checking event");
 		let state_key = event
@@ -1028,7 +1035,6 @@ mod tests {

 		let resolved_power = super::iterative_auth_check(
 			&RoomVersion::V6,
-			&StateResolutionVersion::V2,
 			sorted_power_events.iter().map(AsRef::as_ref).stream(),
 			HashMap::new(), // unconflicted events
 			&fetcher,
@@ -22,13 +22,11 @@ crate-type = [
 ]

 [package.metadata.deb]
-name = "continuwuity"
-maintainer = "continuwuity developers <contact@continuwuity.org>"
-copyright = "2024, continuwuity developers"
+name = "conduwuit"
+maintainer = "strawberry <strawberry@puppygock.gay>"
+copyright = "2024, strawberry <strawberry@puppygock.gay>"
 license-file = ["../../LICENSE", "3"]
 depends = "$auto, ca-certificates"
-breaks = ["conduwuit (<<0.5.0)"]
-replaces = ["conduwuit (<<0.5.0)"]
 extended-description = """\
 a cool hard fork of Conduit, a Matrix homeserver written in Rust"""
 section = "net"
@@ -9,6 +9,7 @@ use conduwuit::{
 	},
 	warn,
 };
+use database::Json;
 use futures::{FutureExt, StreamExt, TryStreamExt};
 use itertools::Itertools;
 use ruma::{
@@ -606,7 +607,7 @@ async fn fix_corrupt_msc4133_fields(services: &Services) -> Result {
 						);
 					};

-					useridprofilekey_value.put((user, key), new_value);
+					useridprofilekey_value.put((user, key), Json(new_value));
 					fixed = fixed.saturating_add(1);
 				}
 				total = total.saturating_add(1);
@@ -4,9 +4,8 @@ use std::{
 };

 use conduwuit::{
-	Event, PduEvent, debug, debug_error, debug_warn, implement,
-	matrix::event::gen_event_id_canonical_json, trace, utils::continue_exponential_backoff_secs,
-	warn,
+	Event, PduEvent, debug, debug_warn, implement, matrix::event::gen_event_id_canonical_json,
+	trace, utils::continue_exponential_backoff_secs, warn,
 };
 use ruma::{
 	CanonicalJsonValue, EventId, OwnedEventId, RoomId, ServerName,
@@ -52,12 +51,14 @@ where
 	};

 	let mut events_with_auth_events = Vec::with_capacity(events.clone().count());
+	trace!("Fetching {} outlier pdus", events.clone().count());

 	for id in events {
 		// a. Look in the main timeline (pduid_pdu tree)
 		// b. Look at outlier pdu tree
 		// (get_pdu_json checks both)
 		if let Ok(local_pdu) = self.services.timeline.get_pdu(id).await {
+			trace!("Found {id} in main timeline or outlier tree");
 			events_with_auth_events.push((id.to_owned(), Some(local_pdu), vec![]));
 			continue;
 		}
@@ -104,7 +105,7 @@ where
 				continue;
 			}

-			debug!("Fetching {next_id} over federation.");
+			debug!("Fetching {next_id} over federation from {origin}.");
 			match self
 				.services
 				.sending
@@ -115,7 +116,7 @@ where
 				.await
 			{
 				| Ok(res) => {
-					debug!("Got {next_id} over federation");
+					debug!("Got {next_id} over federation from {origin}");
 					let Ok(room_version_id) = get_room_version_id(create_event) else {
 						back_off((*next_id).to_owned());
 						continue;
@@ -145,6 +146,9 @@ where
 								auth_event.clone().into(),
 							) {
 								| Ok(auth_event) => {
+									trace!(
+										"Found auth event id {auth_event} for event {next_id}"
+									);
 									todo_auth_events.push_back(auth_event);
 								},
 								| _ => {
@@ -160,7 +164,7 @@ where
 					events_all.insert(next_id);
 				},
 				| Err(e) => {
-					debug_error!("Failed to fetch event {next_id}: {e}");
+					warn!("Failed to fetch auth event {next_id} from {origin}: {e}");
 					back_off((*next_id).to_owned());
 				},
 			}
@@ -175,7 +179,7 @@ where
 		// b. Look at outlier pdu tree
 		// (get_pdu_json checks both)
 		if let Some(local_pdu) = local_pdu {
-			trace!("Found {id} in db");
+			trace!("Found {id} in main timeline or outlier tree");
 			pdus.push((local_pdu.clone(), None));
 		}

@@ -201,6 +205,7 @@ where
 				}
 			}

+			trace!("Handling outlier {next_id}");
 			match Box::pin(self.handle_outlier_pdu(
 				origin,
 				create_event,
@@ -213,6 +218,7 @@ where
 			{
 				| Ok((pdu, json)) =>
 					if next_id == *id {
+						trace!("Handled outlier {next_id} (original request)");
 						pdus.push((pdu, Some(json)));
 					},
 				| Err(e) => {
@@ -222,6 +228,6 @@ where
 			}
 		}
 	}
-
+	trace!("Fetched and handled {} outlier pdus", pdus.len());
 	pdus
 }
@@ -1,11 +1,12 @@
 use std::collections::{BTreeMap, HashMap, hash_map};

 use conduwuit::{
-	Err, Event, PduEvent, Result, debug, debug_info, err, implement, state_res, trace, warn,
+	Err, Event, PduEvent, Result, debug, debug_info, debug_warn, err, implement, state_res, trace,
 };
 use futures::future::ready;
 use ruma::{
-	CanonicalJsonObject, CanonicalJsonValue, EventId, RoomId, ServerName, events::StateEventType,
+	CanonicalJsonObject, CanonicalJsonValue, EventId, OwnedEventId, RoomId, ServerName,
+	events::StateEventType,
 };

 use super::{check_room_id, get_room_version_id, to_room_version};
@@ -74,36 +75,73 @@ where

 	check_room_id(room_id, &pdu_event)?;

-	if !auth_events_known {
-		// 4. fetch any missing auth events doing all checks listed here starting at 1.
-		//    These are not timeline events
-		// 5. Reject "due to auth events" if can't get all the auth events or some of
-		//    the auth events are also rejected "due to auth events"
-		// NOTE: Step 5 is not applied anymore because it failed too often
-		debug!("Fetching auth events");
-		Box::pin(self.fetch_and_handle_outliers(
-			origin,
-			pdu_event.auth_events(),
-			create_event,
-			room_id,
-		))
-		.await;
+	// Fetch all auth events
+	let mut auth_events: HashMap<OwnedEventId, PduEvent> = HashMap::new();
+
+	for aid in pdu_event.auth_events() {
+		if let Ok(auth_event) = self.services.timeline.get_pdu(aid).await {
+			check_room_id(room_id, &auth_event)?;
+			trace!("Found auth event {aid} for outlier event {event_id} locally");
+			auth_events.insert(aid.to_owned(), auth_event);
+		} else {
+			debug_warn!("Could not find auth event {aid} for outlier event {event_id} locally");
+		}
+	}
+
+	// Fetch any missing ones & reject invalid ones
+	let missing_auth_events = if auth_events_known {
+		pdu_event
+			.auth_events()
+			.filter(|id| !auth_events.contains_key(*id))
+			.collect::<Vec<_>>()
+	} else {
+		pdu_event.auth_events().collect::<Vec<_>>()
+	};
+	if !missing_auth_events.is_empty() || !auth_events_known {
+		debug_info!(
+			"Fetching {} missing auth events for outlier event {event_id}",
+			missing_auth_events.len()
+		);
+		for (pdu, _) in self
+			.fetch_and_handle_outliers(
+				origin,
+				missing_auth_events.iter().copied(),
+				create_event,
+				room_id,
+			)
+			.await
+		{
+			auth_events.insert(pdu.event_id().to_owned(), pdu);
+		}
+	} else {
+		debug!("No missing auth events for outlier event {event_id}");
+	}
+	// reject if we are still missing some
+	let still_missing = pdu_event
+		.auth_events()
+		.filter(|id| !auth_events.contains_key(*id))
+		.collect::<Vec<_>>();
+	if !still_missing.is_empty() {
+		return Err!(Request(InvalidParam(
+			"Could not fetch all auth events for outlier event {event_id}, still missing: \
+			 {still_missing:?}"
+		)));
 	}

 	// 6. Reject "due to auth events" if the event doesn't pass auth based on the
 	//    auth events
 	debug!("Checking based on auth events");
+	let mut auth_events_by_key: HashMap<_, _> = HashMap::with_capacity(auth_events.len());
 	// Build map of auth events
-	let mut auth_events = HashMap::with_capacity(pdu_event.auth_events().count());
 	for id in pdu_event.auth_events() {
-		let Ok(auth_event) = self.services.timeline.get_pdu(id).await else {
-			warn!("Could not find auth event {id}");
-			continue;
-		};
+		let auth_event = auth_events
+			.get(id)
+			.expect("we just checked that we have all auth events")
+			.to_owned();

 		check_room_id(room_id, &auth_event)?;

-		match auth_events.entry((
+		match auth_events_by_key.entry((
 			auth_event.kind.to_string().into(),
 			auth_event
 				.state_key
@@ -123,7 +161,7 @@ where

 	// The original create event must be in the auth events
 	if !matches!(
-		auth_events.get(&(StateEventType::RoomCreate, String::new().into())),
+		auth_events_by_key.get(&(StateEventType::RoomCreate, String::new().into())),
 		Some(_) | None
 	) {
 		return Err!(Request(InvalidParam("Incoming event refers to wrong create event.")));
@@ -131,7 +169,7 @@ where

 	let state_fetch = |ty: &StateEventType, sk: &str| {
 		let key = (ty.to_owned(), sk.into());
-		ready(auth_events.get(&key).map(ToOwned::to_owned))
+		ready(auth_events_by_key.get(&key).map(ToOwned::to_owned))
 	};

 	let auth_check = state_res::event_auth::auth_check(
@@ -5,9 +5,9 @@

 use std::time::Duration;

-use conduwuit::{Err, Event, PduEvent, Result, debug, implement, warn};
+use conduwuit::{Err, Event, PduEvent, Result, debug, debug_info, implement, trace, warn};
 use ruma::{
-	RoomId, ServerName,
+	CanonicalJsonObject, RoomId, ServerName,
 	api::federation::room::policy::v1::Request as PolicyRequest,
 	events::{StateEventType, room::policy::RoomPolicyEventContent},
 };
@@ -25,7 +25,12 @@ use ruma::{
 /// fail-open operation.
 #[implement(super::Service)]
 #[tracing::instrument(skip_all, level = "debug")]
-pub async fn ask_policy_server(&self, pdu: &PduEvent, room_id: &RoomId) -> Result<bool> {
+pub async fn ask_policy_server(
+	&self,
+	pdu: &PduEvent,
+	pdu_json: &CanonicalJsonObject,
+	room_id: &RoomId,
+) -> Result<bool> {
 	if *pdu.event_type() == StateEventType::RoomPolicy.into() {
 		debug!(
 			room_id = %room_id,
@@ -47,12 +52,12 @@ pub async fn ask_policy_server(&self, pdu: &PduEvent, room_id: &RoomId) -> Resul
 	let via = match policyserver.via {
 		| Some(ref via) => ServerName::parse(via)?,
 		| None => {
-			debug!("No policy server configured for room {room_id}");
+			trace!("No policy server configured for room {room_id}");
 			return Ok(true);
 		},
 	};
 	if via.is_empty() {
-		debug!("Policy server is empty for room {room_id}, skipping spam check");
+		trace!("Policy server is empty for room {room_id}, skipping spam check");
 		return Ok(true);
 	}
 	if !self.services.state_cache.server_in_room(via, room_id).await {
@@ -66,12 +71,12 @@ pub async fn ask_policy_server(&self, pdu: &PduEvent, room_id: &RoomId) -> Resul
 	let outgoing = self
 		.services
 		.sending
-		.convert_to_outgoing_federation_event(pdu.to_canonical_object())
+		.convert_to_outgoing_federation_event(pdu_json.clone())
 		.await;
-	debug!(
+	debug_info!(
 		room_id = %room_id,
 		via = %via,
-		outgoing = ?outgoing,
+		outgoing = ?pdu_json,
 		"Checking event for spam with policy server"
 	);
 	let response = tokio::time::timeout(
@@ -85,7 +90,10 @@ pub async fn ask_policy_server(&self, pdu: &PduEvent, room_id: &RoomId) -> Resul
 	)
 	.await;
 	let response = match response {
-		| Ok(Ok(response)) => response,
+		| Ok(Ok(response)) => {
+			debug!("Response from policy server: {:?}", response);
+			response
+		},
 		| Ok(Err(e)) => {
 			warn!(
 				via = %via,
@@ -97,16 +105,18 @@ pub async fn ask_policy_server(&self, pdu: &PduEvent, room_id: &RoomId) -> Resul
 			// default.
 			return Err(e);
 		},
-		| Err(_) => {
+		| Err(elapsed) => {
 			warn!(
-				via = %via,
+				%via,
 				event_id = %pdu.event_id(),
-				room_id = %room_id,
+				%room_id,
+				%elapsed,
 				"Policy server request timed out after 10 seconds"
 			);
 			return Err!("Request to policy server timed out");
 		},
 	};
+	trace!("Recommendation from policy server was {}", response.recommendation);
 	if response.recommendation == "spam" {
 		warn!(
 			via = %via,
@@ -255,7 +255,10 @@ where
 		// 14-pre. If the event is not a state event, ask the policy server about it
 		if incoming_pdu.state_key.is_none() {
 			debug!(event_id = %incoming_pdu.event_id, "Checking policy server for event");
-			match self.ask_policy_server(&incoming_pdu, room_id).await {
+			match self
+				.ask_policy_server(&incoming_pdu, &incoming_pdu.to_canonical_object(), room_id)
+				.await
+			{
 				| Ok(false) => {
 					warn!(
 						event_id = %incoming_pdu.event_id,
@@ -1,9 +1,10 @@
-use conduwuit::{Err, Result, implement, matrix::Event, pdu::PduBuilder};
+use conduwuit::{Err, Result, RoomVersion, implement, matrix::Event, pdu::PduBuilder};
 use ruma::{
 	EventId, RoomId, UserId,
 	events::{
 		StateEventType, TimelineEventType,
 		room::{
+			create::RoomCreateEventContent,
 			history_visibility::{HistoryVisibility, RoomHistoryVisibilityEventContent},
 			member::{MembershipState, RoomMemberEventContent},
 			power_levels::{RoomPowerLevels, RoomPowerLevelsEventContent},
@@ -44,6 +45,23 @@ pub async fn user_can_redact(
 		)));
 	}

+	let room_create = self
+		.room_state_get(room_id, &StateEventType::RoomCreate, "")
+		.await?;
+	let create_content: RoomCreateEventContent =
+		serde_json::from_str(room_create.content().get())?;
+	let room_features = RoomVersion::new(&create_content.room_version)?;
+	if room_features.explicitly_privilege_room_creators {
+		let sender_owned = sender.to_owned();
+		if sender == room_create.sender()
+			|| create_content
+				.additional_creators
+				.is_some_and(|cs| cs.contains(&sender_owned))
+		{
+			return Ok(true);
+		}
+	}
+
 	match self
 		.room_state_get_content::<RoomPowerLevelsEventContent>(
 			room_id,
@@ -68,18 +86,10 @@ pub async fn user_can_redact(
 		},
 		| _ => {
 			// Falling back on m.room.create to judge power level
-			match self
-				.room_state_get(room_id, &StateEventType::RoomCreate, "")
-				.await
-			{
-				| Ok(room_create) => Ok(room_create.sender() == sender
-					|| redacting_event
-						.as_ref()
-						.is_ok_and(|redacting_event| redacting_event.sender() == sender)),
-				| _ => Err!(Database(
-					"No m.room.power_levels or m.room.create events in database for room"
-				)),
-			}
+			Ok(room_create.sender() == sender
+				|| redacting_event
+					.as_ref()
+					.is_ok_and(|redacting_event| redacting_event.sender() == sender))
 		},
 	}
 }
@@ -9,6 +9,7 @@ use conduwuit_core::{
 		state_res::{self, RoomVersion},
 	},
 	utils::{self, IterStream, ReadyExt, stream::TryIgnore},
+	warn,
 };
 use futures::{StreamExt, TryStreamExt, future, future::ready};
 use ruma::{
@@ -19,7 +20,6 @@ use ruma::{
 	uint,
 };
 use serde_json::value::{RawValue, to_raw_value};
-use tracing::warn;

 use super::RoomMutexGuard;

@@ -267,11 +267,33 @@ pub async fn create_hash_and_sign_event(
 			| _ => Err!(Request(Unknown(warn!("Signing event failed: {e}")))),
 		};
 	}
-
+	// Check with the policy server
 	// Generate event id
 	pdu.event_id = gen_event_id(&pdu_json, &room_version_id)?;
-
 	pdu_json.insert("event_id".into(), CanonicalJsonValue::String(pdu.event_id.clone().into()));
+	if room_id.is_some() {
+		trace!(
+			"Checking event in room {} with policy server",
+			pdu.room_id.as_ref().map_or("None", |id| id.as_str())
+		);
+		match self
+			.services
+			.event_handler
+			.ask_policy_server(&pdu, &pdu_json, pdu.room_id().expect("has room ID"))
+			.await
+		{
+			| Ok(true) => {},
+			| Ok(false) => {
+				return Err!(Request(Forbidden(debug_warn!(
+					"Policy server marked this event as spam"
+				))));
+			},
+			| Err(e) => {
+				// fail open
+				warn!("Failed to check event with policy server: {e}");
+			},
+		}
+	}

 	// Check with the policy server
 	if room_id.is_some() {
@@ -283,7 +305,7 @@ pub async fn create_hash_and_sign_event(
 		match self
 			.services
 			.event_handler
-			.ask_policy_server(&pdu, &pdu.room_id_or_hash())
+			.ask_policy_server(&pdu, &pdu_json, &pdu.room_id_or_hash())
 			.await
 		{
 			| Ok(true) => {},
Author	SHA1	Message	Date
timedout	bb6c513ee8	chore: Bump version to 0.5.0-rc.8.1	2025-11-16 21:00:14 +00:00
Jade Ellis	5241f89ebc	ci: Run image release workflow on tag (cherry picked from commit `e5e2db37d9`)	2025-11-16 21:00:14 +00:00
timedout	e2349de270	style: Fix clippy failures from `9e73146` (cherry picked from commit `def8816c02`)	2025-11-16 20:05:57 +00:00
timedout	7c51688251	fix: Restore continuwuity's remembering capabilities (cherry picked from commit `9e73146b19`)	2025-11-16 20:05:57 +00:00
timedout	80399a0be0	fix(1163): Resolve algorithm misinterpretations (cherry picked from commit `9375e81974`)	2025-11-16 20:05:57 +00:00
Jade	bdcd08dd01	fix: Don't break when encountering the server user, as there may be real users after (cherry picked from commit `45e4053883`)	2025-11-16 20:05:57 +00:00
timedout	55df764af2	fix(user_can): Fix room creators being unable to redact events in v12 rooms (cherry picked from commit `fbf48addc7`)	2025-11-16 20:05:57 +00:00
nexy7574	6d2cac66b7	fix: Kicks in !v12 are impossible (cherry picked from commit `cbf726580f`)	2025-11-16 20:05:57 +00:00
nexy7574	22835ae8ec	fix: Incorrect interpretation of 5.5.4 (cherry picked from commit `28f258fc8c`)	2025-11-16 20:05:57 +00:00
nexy7574	cc4852076f	fix: Inverted creatorship check (cherry picked from commit `8b3acfd770`)	2025-11-16 20:05:56 +00:00
nexy7574	94507285d8	fix: Don't check restricted join rules for invite joins (cherry picked from commit `a581e8de01`)	2025-11-16 20:05:56 +00:00
nexy7574	138bbf23df	fix: Weird re-application of partially resolved state (cherry picked from commit `7c74db5e74`)	2025-11-16 20:05:56 +00:00
nexy7574	3aaecb0c5c	fix: Unbans and kicks incorrectly checked creatorship in !v12 (cherry picked from commit `b17b4235f3`)	2025-11-16 20:05:56 +00:00
timedout	1c430c0fd4	fix: Policy server calls use the correct JSON object (#1126 ) Fixes #1060 Reviewed-on: https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1126 Reviewed-by: Jacob Taylor <aranjedeath@noreply.forgejo.ellis.link> Co-authored-by: timedout <git@nexy7574.co.uk> Co-committed-by: timedout <git@nexy7574.co.uk> (cherry picked from commit `26b700bf51`)	2025-11-16 20:05:56 +00:00
nexy7574	93966e4d78	fix(stateres): Creators can always unban Also basically rewrote all of the event auth logs to be more digestable (cherry picked from commit `d614e43981`)	2025-11-16 20:05:56 +00:00
Jade Ellis	fa3424eb2e	fix(v12): Create tombstone event on room upgrade (cherry picked from commit `ef84e1bb02`)	2025-11-16 20:05:56 +00:00
nexy7574	9092e5f69f	fix: V12 room upgrades (cherry picked from commit `1887d58df8`)	2025-11-16 20:05:55 +00:00
nexy7574	bbd1316b80	fix(stateres): Correctly fetch missing auth events for incoming PDUs (cherry picked from commit `c66f6f8900`)	2025-11-16 20:05:55 +00:00
Ginger	209601a8ea	fix: Fix panic in debug builds caused by MSC4133 migration (cherry picked from commit `902fe7b7ab`)	2025-11-16 20:05:55 +00:00
Ginger	4182a67df2	feat: Advertise support for MSC4155 (cherry picked from commit `92d74c293e`)	2025-11-16 20:05:55 +00:00