feat: Ask remote servers for individual unknown events

feat: #821 - Options to disable local typing and read receipts
2026-05-26 20:49:55 +00:00 · 2025-07-08 17:07:50 +01:00 · 2025-07-08 14:52:28 +02:00 · 2025-07-08 14:45:57 +02:00 · 2025-07-08 12:43:48 +02:00 · 2025-07-07 14:18:09 -07:00
254 changed files with 13588 additions and 9428 deletions
@@ -0,0 +1,2 @@
+[alias]
+xtask = "run --package xtask --"
@@ -15,6 +15,7 @@ docker/
 .gitea
 .gitlab
 .github
+.forgejo

 # Dot files
 .env
@@ -22,3 +22,7 @@ indent_size = 2
 [*.rs]
 indent_style = tab
 max_line_length = 98
+
+[*.yml]
+indent_size = 2
+indent_style = space
@@ -0,0 +1,27 @@
+name: prefligit
+description: |
+  Runs prefligit, pre-commit reimplemented in Rust.
+inputs:
+  extra_args:
+    description: options to pass to pre-commit run
+    required: false
+    default: '--all-files'
+
+runs:
+  using: composite
+  steps:
+  - name: Install uv
+    uses: https://github.com/astral-sh/setup-uv@v6
+    with:
+      enable-cache: true
+      ignore-nothing-to-cache: true
+  - name: Install Prefligit
+    shell: bash
+    run: |
+      curl --proto '=https' --tlsv1.2 -LsSf https://github.com/j178/prefligit/releases/download/v0.0.10/prefligit-installer.sh | sh
+  - uses: actions/cache@v3
+    with:
+      path: ~/.cache/prefligit
+      key: prefligit-0|${{ hashFiles('.pre-commit-config.yaml') }}
+  - run: prefligit run --show-diff-on-failure --color=always -v ${{ inputs.extra_args }}
+    shell: bash
@@ -0,0 +1,63 @@
+name: rust-toolchain
+description: |
+  Install a Rust toolchain using rustup.
+  See https://rust-lang.github.io/rustup/concepts/toolchains.html#toolchain-specification
+  for more information about toolchains.
+inputs:
+  toolchain:
+    description: |
+      Rust toolchain name.
+      See https://rust-lang.github.io/rustup/concepts/toolchains.html#toolchain-specification
+    required: false
+  target:
+    description: Target triple to install for this toolchain
+    required: false
+  components:
+    description: Space-separated list of components to be additionally installed for a new toolchain
+    required: false
+outputs:
+  rustc_version:
+    description: The rustc version installed
+    value: ${{ steps.rustc-version.outputs.version }}
+  rustup_version:
+    description: The rustup version installed
+    value: ${{ steps.rustup-version.outputs.version }}
+
+runs:
+  using: composite
+  steps:
+    - name: Check if rustup is already installed
+      shell: bash
+      id: rustup-version
+      run: |
+        echo "version=$(rustup --version)" >> $GITHUB_OUTPUT
+    - name: Cache rustup toolchains
+      if: steps.rustup-version.outputs.version == ''
+      uses: actions/cache@v3
+      with:
+        path: |
+          ~/.rustup
+          !~/.rustup/tmp
+          !~/.rustup/downloads
+        # Requires repo to be cloned if toolchain is not specified
+        key: ${{ runner.os }}-rustup-${{ inputs.toolchain || hashFiles('**/rust-toolchain.toml') }}
+    - name: Install Rust toolchain
+      if: steps.rustup-version.outputs.version == ''
+      shell: bash
+      run: |
+        if ! command -v rustup &> /dev/null ; then
+            curl --proto '=https' --tlsv1.2 --retry 10 --retry-connrefused -fsSL "https://sh.rustup.rs" | sh -s -- --default-toolchain none -y
+            echo "${CARGO_HOME:-$HOME/.cargo}/bin" >> $GITHUB_PATH
+        fi
+    - shell: bash
+      run: |
+        set -x
+        ${{ inputs.toolchain && format('rustup override set {0}', inputs.toolchain) }}
+        ${{ inputs.target && format('rustup target add {0}', inputs.target) }}
+        ${{ inputs.components && format('rustup component add {0}', inputs.components) }}
+        cargo --version
+        rustc --version
+    - id: rustc-version
+      shell: bash
+      run: |
+        echo "version=$(rustc --version)" >> $GITHUB_OUTPUT
@@ -0,0 +1,29 @@
+name: sccache
+description: |
+  Install sccache for caching builds in GitHub Actions.
+
+inputs:
+  token:
+    description: 'A Github PAT'
+    required: false
+
+runs:
+  using: composite
+  steps:
+  - name: Install sccache
+    uses: https://github.com/mozilla-actions/sccache-action@v0.0.9
+    with:
+      token: ${{ inputs.token }}
+  - name: Configure sccache
+    uses: https://github.com/actions/github-script@v7
+    with:
+      script: |
+        core.exportVariable('ACTIONS_RESULTS_URL', process.env.ACTIONS_RESULTS_URL || '');
+        core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env.ACTIONS_RUNTIME_TOKEN || '');
+  - shell: bash
+    run: |
+      echo "SCCACHE_GHA_ENABLED=true" >> $GITHUB_ENV
+      echo "RUSTC_WRAPPER=sccache" >> $GITHUB_ENV
+      echo "CMAKE_C_COMPILER_LAUNCHER=sccache" >> $GITHUB_ENV
+      echo "CMAKE_CXX_COMPILER_LAUNCHER=sccache" >> $GITHUB_ENV
+      echo "CMAKE_CUDA_COMPILER_LAUNCHER=sccache" >> $GITHUB_ENV
@@ -0,0 +1,46 @@
+name: timelord
+description: |
+  Use timelord to set file timestamps
+inputs:
+  key:
+    description: |
+      The key to use for caching the timelord data.
+      This should be unique to the repository and the runner.
+    required: true
+    default: timelord-v0
+  path:
+    description: |
+      The path to the directory to be timestamped.
+      This should be the root of the repository.
+    required: true
+    default: .
+
+runs:
+  using: composite
+  steps:
+    - name: Cache timelord-cli installation
+      id: cache-timelord-bin
+      uses: actions/cache@v3
+      with:
+        path: ~/.cargo/bin/timelord
+        key: timelord-cli-v3.0.1
+    - name: Install timelord-cli
+      uses: https://github.com/cargo-bins/cargo-binstall@main
+      if: steps.cache-timelord-bin.outputs.cache-hit != 'true'
+    - run: cargo binstall timelord-cli@3.0.1
+      shell: bash
+      if: steps.cache-timelord-bin.outputs.cache-hit != 'true'
+
+    - name: Load timelord files
+      uses: actions/cache/restore@v3
+      with:
+        path: /timelord/
+        key: ${{ inputs.key }}
+    - name: Run timelord to set timestamps
+      shell: bash
+      run: timelord sync --source-dir ${{ inputs.path }} --cache-dir /timelord/
+    - name: Save timelord
+      uses: actions/cache/save@v3
+      with:
+        path: /timelord/
+        key: ${{ inputs.key }}
@@ -0,0 +1,55 @@
+version: 1
+
+x-source: &source forgejo.ellis.link/continuwuation/continuwuity
+
+x-tags:
+  releases: &tags-releases
+    tags:
+      allow:
+      - "latest"
+      - "v[0-9]+\\.[0-9]+\\.[0-9]+(-[a-z0-9\\.]+)?"
+      - "v[0-9]+\\.[0-9]+"
+      - "v[0-9]+"
+  main: &tags-main
+    tags:
+      allow:
+      - "latest"
+      - "v[0-9]+\\.[0-9]+\\.[0-9]+(-[a-z0-9\\.]+)?"
+      - "v[0-9]+\\.[0-9]+"
+      - "v[0-9]+"
+      - "main"
+  commits: &tags-commits
+    tags:
+      allow:
+      - "latest"
+      - "v[0-9]+\\.[0-9]+\\.[0-9]+(-[a-z0-9\\.]+)?"
+      - "v[0-9]+\\.[0-9]+"
+      - "v[0-9]+"
+      - "main"
+      - "sha-[a-f0-9]+"
+  all: &tags-all
+    tags:
+      allow:
+      - ".*"
+
+# Registry credentials
+creds:
+  - registry: forgejo.ellis.link
+    user: "{{env \"BUILTIN_REGISTRY_USER\"}}"
+    pass: "{{env \"BUILTIN_REGISTRY_PASSWORD\"}}"
+  - registry: registry.gitlab.com
+    user: "{{env \"GITLAB_USERNAME\"}}"
+    pass: "{{env \"GITLAB_TOKEN\"}}"
+
+# Global defaults
+defaults:
+  parallel: 3
+  interval: 2h
+  digestTags: true
+
+# Sync configuration - each registry gets different image sets
+sync:
+  - source: *source
+    target: registry.gitlab.com/continuwuity/continuwuity
+    type: repository
+    <<: *tags-main
@@ -17,6 +17,7 @@ jobs:
  docs:
    name: Build and Deploy Documentation
    runs-on: ubuntu-latest
+    if: secrets.CLOUDFLARE_API_TOKEN != ''

    steps:
      - name: Sync repository
@@ -11,16 +11,16 @@ concurrency:

 jobs:
  build-and-deploy:
-    name: Build and Deploy Element Web
+    name: 🏗️ Build and Deploy
    runs-on: ubuntu-latest

    steps:
-      - name: Setup Node.js
-        uses: https://code.forgejo.org/actions/setup-node@v4
+      - name: 📦 Setup Node.js
+        uses: https://github.com/actions/setup-node@v4
        with:
-          node-version: "20"
+          node-version: "22"

-      - name: Clone, setup, and build Element Web
+      - name: 🔨 Clone, setup, and build Element Web
        run: |
          echo "Cloning Element Web..."
          git clone https://github.com/maunium/element-web
@@ -64,7 +64,7 @@ jobs:
          echo "Checking for build output..."
          ls -la webapp/

-      - name: Create config.json
+      - name: ⚙️ Create config.json
        run: |
          cat <<EOF > ./element-web/webapp/config.json
          {
@@ -100,28 +100,25 @@ jobs:
          echo "Created ./element-web/webapp/config.json"
          cat ./element-web/webapp/config.json

-      - name: Upload Artifact
+      - name: 📤 Upload Artifact
        uses: https://code.forgejo.org/actions/upload-artifact@v3
        with:
          name: element-web
          path: ./element-web/webapp/
          retention-days: 14

-      - name: Install Wrangler
+      - name: 🛠️ Install Wrangler
        run: npm install --save-dev wrangler@latest

-      - name: Deploy to Cloudflare Pages (Production)
-        if: github.ref == 'refs/heads/main' && vars.CLOUDFLARE_PROJECT_NAME != ''
+      - name: 🚀 Deploy to Cloudflare Pages
+        if: vars.CLOUDFLARE_PROJECT_NAME != ''
+        id: deploy
        uses: https://github.com/cloudflare/wrangler-action@v3
        with:
          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
-          command: pages deploy ./element-web/webapp --branch="main" --commit-dirty=true --project-name="${{ vars.CLOUDFLARE_PROJECT_NAME }}-element"
-
-      - name: Deploy to Cloudflare Pages (Preview)
-        if: github.ref != 'refs/heads/main' && vars.CLOUDFLARE_PROJECT_NAME != ''
-        uses: https://github.com/cloudflare/wrangler-action@v3
-        with:
-          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
-          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
-          command: pages deploy ./element-web/webapp --branch="${{ github.head_ref || github.ref_name }}" --commit-dirty=true --project-name="${{ vars.CLOUDFLARE_PROJECT_NAME }}-element"
+          command: >-
+            pages deploy ./element-web/webapp
+            --branch="${{ github.ref == 'refs/heads/main' && 'main' || github.head_ref || github.ref_name }}"
+            --commit-dirty=true
+            --project-name="${{ vars.CLOUDFLARE_PROJECT_NAME }}-element"
@@ -0,0 +1,47 @@
+name: Mirror Container Images
+
+on:
+  schedule:
+    # Run every 2 hours
+    - cron: "0 */2 * * *"
+  workflow_dispatch:
+    inputs:
+      dry_run:
+        description: 'Dry run (check only, no actual mirroring)'
+        required: false
+        default: false
+        type: boolean
+
+concurrency:
+  group: "mirror-images"
+  cancel-in-progress: true
+
+jobs:
+  mirror-images:
+    runs-on: ubuntu-latest
+    env:
+      BUILTIN_REGISTRY_USER: ${{ vars.BUILTIN_REGISTRY_USER }}
+      BUILTIN_REGISTRY_PASSWORD: ${{ secrets.BUILTIN_REGISTRY_PASSWORD }}
+      GITLAB_USERNAME: ${{ vars.GITLAB_USERNAME }}
+      GITLAB_TOKEN: ${{ secrets.GITLAB_TOKEN }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Install regctl
+        uses: https://forgejo.ellis.link/continuwuation/regclient-actions/regctl-installer@main
+        with:
+          binary: regsync
+
+      - name: Check what images need mirroring
+        run: |
+          echo "Checking images that need mirroring..."
+          regsync check -c .forgejo/regsync/regsync.yml -v info
+
+      - name: Mirror images
+        if: ${{ !inputs.dry_run }}
+        run: |
+          echo "Starting image mirroring..."
+          regsync once -c .forgejo/regsync/regsync.yml -v info
@@ -0,0 +1,22 @@
+name: Checks / Prefligit
+
+on:
+  push:
+  pull_request:
+permissions:
+  contents: read
+
+jobs:
+  prefligit:
+    runs-on: ubuntu-latest
+    env:
+      FROM_REF: ${{ github.event.pull_request.base.sha || (!github.event.forced && ( github.event.before != '0000000000000000000000000000000000000000'  && github.event.before || github.sha )) || format('{0}~', github.sha) }}
+      TO_REF: ${{ github.sha }}
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+      with:
+        persist-credentials: false
+    - uses: ./.forgejo/actions/prefligit
+      with:
+        extra_args: --all-files --hook-stage manual
@@ -3,7 +3,6 @@ concurrency:
  group: "release-image-${{ github.ref }}"

 on:
-  pull_request:
  push:
    paths-ignore:
      - "*.md"
@@ -50,6 +49,7 @@ jobs:
            const platforms = ['linux/amd64', 'linux/arm64']
            core.setOutput('build_matrix', JSON.stringify({
              platform: platforms,
+              target_cpu: ['base'],
              include: platforms.map(platform => { return {
                platform,
                slug: platform.replace('/', '-')
@@ -58,7 +58,6 @@ jobs:

  build-image:
    runs-on: dind
-    container: ghcr.io/catthehacker/ubuntu:act-latest
    needs: define-variables
    permissions:
      contents: read
@@ -68,6 +67,8 @@ jobs:
    strategy:
      matrix:
        {
+          "target_cpu": ["base"],
+          "profile": ["release"],
          "include":
            [
              { "platform": "linux/amd64", "slug": "linux-amd64" },
@@ -75,33 +76,20 @@ jobs:
            ],
          "platform": ["linux/amd64", "linux/arm64"],
        }
+
    steps:
      - name: Echo strategy
        run: echo '${{ toJSON(fromJSON(needs.define-variables.outputs.build_matrix)) }}'
      - name: Echo matrix
        run: echo '${{ toJSON(matrix) }}'
-      - run: |
-          if ! command -v rustup &> /dev/null ; then
-            curl --proto '=https' --tlsv1.2 --retry 10 --retry-connrefused -fsSL "https://sh.rustup.rs" | sh -s -- --default-toolchain none -y
-            echo "${CARGO_HOME:-$HOME/.cargo}/bin" >> $GITHUB_PATH
-          fi
-      
+
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          persist-credentials: false
-
-      - name: Cache timelord-cli installation
-        id: cache-timelord-bin
-        uses: actions/cache@v3
-        with:
-          path: ~/.cargo/bin/timelord
-          key: timelord-cli-v3.0.1
-      - name: Install timelord-cli
-        uses: https://github.com/cargo-bins/cargo-binstall@main
-        if: steps.cache-timelord-bin.outputs.cache-hit != 'true'
-      - run: cargo binstall timelord-cli@3.0.1
-        if: steps.cache-timelord-bin.outputs.cache-hit != 'true'
+      - name: Install rust
+        id: rust-toolchain
+        uses: ./.forgejo/actions/rust-toolchain

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
@@ -136,18 +124,58 @@ jobs:
          echo "COMMIT_SHORT_SHA=$calculatedSha" >> $GITHUB_ENV
      - name: Get Git commit timestamps
        run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV
-      - name: Set up timelord
-        uses: actions/cache/restore@v3
+
+      - uses: ./.forgejo/actions/timelord
        with:
-          path: /timelord/
-          key: timelord-v0 # Cache is already split per runner
-      - name: Run timelord to set timestamps
-        run: timelord sync --source-dir . --cache-dir /timelord/
-      - name: Save timelord
-        uses: actions/cache/save@v3
-        with:
-          path: /timelord/
          key: timelord-v0
+          path: .
+
+      - name: Cache Rust registry
+        uses: actions/cache@v3
+        with:
+          path: |
+            .cargo/git
+            .cargo/git/checkouts
+            .cargo/registry
+            .cargo/registry/src
+          key: rust-registry-image-${{hashFiles('**/Cargo.lock') }}
+      - name: Cache cargo target
+        id: cache-cargo-target
+        uses: actions/cache@v3
+        with:
+          path: |
+            cargo-target-${{ matrix.target_cpu }}-${{ matrix.slug }}-${{ matrix.profile }}
+          key: cargo-target-${{ matrix.target_cpu }}-${{ matrix.slug }}-${{ matrix.profile }}-${{hashFiles('**/Cargo.lock') }}-${{steps.rust-toolchain.outputs.rustc_version}}
+      - name: Cache apt cache
+        id: cache-apt
+        uses: actions/cache@v3
+        with:
+          path: |
+            var-cache-apt-${{ matrix.slug }}
+          key: var-cache-apt-${{ matrix.slug }}
+      - name: Cache apt lib
+        id: cache-apt-lib
+        uses: actions/cache@v3
+        with:
+          path: |
+            var-lib-apt-${{ matrix.slug }}
+          key: var-lib-apt-${{ matrix.slug }}
+      - name: inject cache into docker
+        uses: https://github.com/reproducible-containers/buildkit-cache-dance@v3.1.0
+        with:
+          cache-map: |
+            {
+              ".cargo/registry": "/usr/local/cargo/registry",
+              ".cargo/git/db": "/usr/local/cargo/git/db",
+              "cargo-target-${{ matrix.target_cpu }}-${{ matrix.slug }}-${{ matrix.profile }}": {
+                "target": "/app/target",
+                "id": "cargo-target-${{ matrix.target_cpu }}-${{ matrix.slug }}-${{ matrix.profile }}"
+              },
+              "var-cache-apt-${{ matrix.slug }}": "/var/cache/apt",
+              "var-lib-apt-${{ matrix.slug }}": "/var/lib/apt"
+            }
+          skip-extraction: ${{ steps.cache.outputs.cache-hit }}
+
      - name: Build and push Docker image by digest
        id: build
        uses: docker/build-push-action@v6
@@ -156,14 +184,14 @@ jobs:
          file: "docker/Dockerfile"
          build-args: |
            GIT_COMMIT_HASH=${{ github.sha }})
-            GIT_COMMIT_HASH_SHORT=${{ env.COMMIT_SHORT_SHA }})
+            GIT_COMMIT_HASH_SHORT=${{ env.COMMIT_SHORT_SHA }}
            GIT_REMOTE_URL=${{github.event.repository.html_url }}
            GIT_REMOTE_COMMIT_URL=${{github.event.head_commit.url }}
          platforms: ${{ matrix.platform }}
          labels: ${{ steps.meta.outputs.labels }}
          annotations: ${{ steps.meta.outputs.annotations }}
          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          # cache-to: type=gha,mode=max
          sbom: true
          outputs: type=image,"name=${{ needs.define-variables.outputs.images_list }}",push-by-digest=true,name-canonical=true,push=true
        env:
@@ -176,17 +204,34 @@ jobs:
          digest="${{ steps.build.outputs.digest }}"
          touch "/tmp/digests/${digest#sha256:}"

+      - name: Extract binary from container (image)
+        id: extract-binary-image
+        run: |
+          mkdir -p /tmp/binaries
+          digest="${{ steps.build.outputs.digest }}"
+          echo "container_id=$(docker create --platform ${{ matrix.platform }} ${{ needs.define-variables.outputs.images_list }}@$digest)" >> $GITHUB_OUTPUT
+      - name: Extract binary from container (copy)
+        run: docker cp ${{ steps.extract-binary-image.outputs.container_id }}:/sbin/conduwuit /tmp/binaries/conduwuit-${{ matrix.target_cpu }}-${{ matrix.slug }}-${{ matrix.profile }}
+      - name: Extract binary from container (cleanup)
+        run: docker rm ${{ steps.extract-binary-image.outputs.container_id }}
+
+      - name: Upload binary artifact
+        uses: forgejo/upload-artifact@v4
+        with:
+          name: conduwuit-${{ matrix.target_cpu }}-${{ matrix.slug }}-${{ matrix.profile }}
+          path: /tmp/binaries/conduwuit-${{ matrix.target_cpu }}-${{ matrix.slug }}-${{ matrix.profile }}
+          if-no-files-found: error
+
      - name: Upload digest
        uses: forgejo/upload-artifact@v4
        with:
          name: digests-${{ matrix.slug }}
          path: /tmp/digests/*
          if-no-files-found: error
-          retention-days: 1
+          retention-days: 5

  merge:
    runs-on: dind
-    container: ghcr.io/catthehacker/ubuntu:act-latest
    needs: [define-variables, build-image]
    steps:
      - name: Download digests
@@ -211,12 +256,13 @@ jobs:
        uses: docker/metadata-action@v5
        with:
          tags: |
-            type=semver,pattern=v{{version}}
-            type=semver,pattern=v{{major}}.{{minor}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.0.') }}
-            type=semver,pattern=v{{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }}
+            type=semver,pattern={{version}},prefix=v
+            type=semver,pattern={{major}}.{{minor}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.0.') }},prefix=v
+            type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }},prefix=v
            type=ref,event=branch,prefix=${{ format('refs/heads/{0}', github.event.repository.default_branch) != github.ref && 'branch-' || '' }}
            type=ref,event=pr
            type=sha,format=long
+            type=raw,value=latest,enable=${{ !startsWith(github.ref, 'refs/tags/v') }}
          images: ${{needs.define-variables.outputs.images}}
          # default labels & annotations: https://github.com/docker/metadata-action/blob/master/src/meta.ts#L509
        env:
@@ -0,0 +1,142 @@
+name: Checks / Rust
+
+on:
+  push:
+
+jobs:
+  format:
+    name: Format
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Install rust
+        uses: ./.forgejo/actions/rust-toolchain
+        with:
+          toolchain: "nightly"
+          components: "rustfmt"
+
+      - name: Check formatting
+        run: |
+          cargo +nightly fmt --all -- --check
+
+  clippy:
+    name: Clippy
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Install rust
+        uses: ./.forgejo/actions/rust-toolchain
+
+      - uses: https://github.com/actions/create-github-app-token@v2
+        id: app-token
+        with:
+          app-id: ${{ vars.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          github-api-url: https://api.github.com
+          owner: ${{ vars.GH_APP_OWNER }}
+          repositories: ""
+      - name: Install sccache
+        uses: ./.forgejo/actions/sccache
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+      - run: sudo apt-get update
+      - name: Install system dependencies
+        uses: https://github.com/awalsh128/cache-apt-pkgs-action@v1
+        with:
+          packages: clang liburing-dev
+          version: 1
+      - name: Cache Rust registry
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/.cargo/git
+            !~/.cargo/git/checkouts
+            ~/.cargo/registry
+            !~/.cargo/registry/src
+          key: rust-registry-${{hashFiles('**/Cargo.lock') }}
+      - name: Timelord
+        uses: ./.forgejo/actions/timelord
+        with:
+          key: sccache-v0
+          path: .
+      - name: Clippy
+        run: |
+          cargo clippy \
+            --workspace \
+            --locked \
+            --no-deps \
+            --profile test \
+            -- \
+            -D warnings
+
+      - name: Show sccache stats
+        if: always()
+        run: sccache --show-stats
+
+  cargo-test:
+    name: Cargo Test
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Install rust
+        uses: ./.forgejo/actions/rust-toolchain
+
+      - uses: https://github.com/actions/create-github-app-token@v2
+        id: app-token
+        with:
+          app-id: ${{ vars.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          github-api-url: https://api.github.com
+          owner: ${{ vars.GH_APP_OWNER }}
+          repositories: ""
+      - name: Install sccache
+        uses: ./.forgejo/actions/sccache
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+      - run: sudo apt-get update
+      - name: Install system dependencies
+        uses: https://github.com/awalsh128/cache-apt-pkgs-action@v1
+        with:
+          packages: clang liburing-dev
+          version: 1
+      - name: Cache Rust registry
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/.cargo/git
+            !~/.cargo/git/checkouts
+            ~/.cargo/registry
+            !~/.cargo/registry/src
+          key: rust-registry-${{hashFiles('**/Cargo.lock') }}
+      - name: Timelord
+        uses: ./.forgejo/actions/timelord
+        with:
+          key: sccache-v0
+          path: .
+      - name: Cargo Test
+        run: |
+          cargo test \
+            --workspace \
+            --locked \
+            --profile test \
+            --all-targets \
+            --no-fail-fast
+
+      - name: Show sccache stats
+        if: always()
+        run: sccache --show-stats
@@ -5,3 +5,5 @@ f419c64aca300a338096b4e0db4c73ace54f23d0
 # use chain_width 60
 162948313c212193965dece50b816ef0903172ba
 5998a0d883d31b866f7c8c46433a8857eae51a89
+# trailing whitespace and newlines
+46c193e74b2ce86c48ce802333a0aabce37fd6e9
@@ -84,4 +84,4 @@ Cargo.lock text
 *.zst      binary

 # Text files where line endings should be preserved
-*.patch    -text
+*.patch    -text
@@ -0,0 +1,5 @@
+github: [JadedBlueEyes]
+# Doesn't support an array, so we can only list nex
+ko_fi: nexy7574
+custom:
+  - https://ko-fi.com/JadedBlueEyes
@@ -0,0 +1,47 @@
+default_install_hook_types:
+  - pre-commit
+  - commit-msg
+default_stages:
+  - pre-commit
+  - manual
+
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+        - id: check-byte-order-marker
+        - id: check-case-conflict
+        - id: check-symlinks
+        - id: destroyed-symlinks
+        - id: check-yaml
+        - id: check-json
+        - id: check-toml
+        - id: end-of-file-fixer
+        - id: trailing-whitespace
+        - id: mixed-line-ending
+        - id: check-merge-conflict
+        - id: check-added-large-files
+
+  - repo: https://github.com/crate-ci/typos
+    rev: v1.26.0
+    hooks:
+      - id: typos
+      - id: typos
+        name: commit-msg-typos
+        stages: [commit-msg]
+
+  - repo: https://github.com/crate-ci/committed
+    rev: v1.1.7
+    hooks:
+    - id: committed
+
+  - repo: local
+    hooks:
+      - id: cargo-fmt
+        name: cargo fmt
+        entry: cargo +nightly fmt --
+        language: system
+        types: [rust]
+        pass_filenames: false
+        stages:
+            - pre-commit
@@ -1,5 +1,9 @@
+[files]
+extend-exclude = ["*.csr"]
+
 [default.extend-words]
 "allocatedp" = "allocatedp"
 "conduwuit" = "conduwuit"
 "continuwuity" = "continuwuity"
+"continuwity" = "continuwuity"
 "execuse" = "execuse"
@@ -1,6 +1,6 @@
 # Contributing guide

-This page is for about contributing to conduwuit. The
+This page is about contributing to Continuwuity. The
 [development](./development.md) page may be of interest for you as well.

 If you would like to work on an [issue][issues] that is not assigned, preferably
@@ -10,7 +10,7 @@ and comment on it.
 ### Linting and Formatting

 It is mandatory all your changes satisfy the lints (clippy, rustc, rustdoc, etc)
-and your code is formatted via the **nightly** `cargo fmt`. A lot of the
+and your code is formatted via the **nightly** rustfmt (`cargo +nightly fmt`). A lot of the
 `rustfmt.toml` features depend on nightly toolchain. It would be ideal if they
 weren't nightly-exclusive features, but they currently still are. CI's rustfmt
 uses nightly.
@@ -21,67 +21,91 @@ comment saying why. Do not write inefficient code for the sake of satisfying
 lints. If a lint is wrong and provides a more inefficient solution or
 suggestion, allow the lint and mention that in a comment.

-### Running CI tests locally
+### Pre-commit Checks

-continuwuity's CI for tests, linting, formatting, audit, etc use
-[`engage`][engage]. engage can be installed from nixpkgs or `cargo install
-engage`. continuwuity's Nix flake devshell has the nixpkgs engage with `direnv`.
-Use `engage --help` for more usage details.
+Continuwuity uses pre-commit hooks to enforce various coding standards and catch common issues before they're committed. These checks include:

-To test, format, lint, etc that CI would do, install engage, allow the `.envrc`
-file using `direnv allow`, and run `engage`.
+- Code formatting and linting
+- Typo detection (both in code and commit messages)
+- Checking for large files
+- Ensuring proper line endings and no trailing whitespace
+- Validating YAML, JSON, and TOML files
+- Checking for merge conflicts

-All of the tasks are defined at the [engage.toml][engage.toml] file. You can
-view all of them neatly by running `engage list`
+You can run these checks locally by installing [prefligit](https://github.com/j178/prefligit):

-If you would like to run only a specific engage task group, use `just`:

- `engage just <group>`
- Example: `engage just lints`
+```bash
+# Install prefligit using cargo-binstall
+cargo binstall prefligit

-If you would like to run a specific engage task in a specific group, use `just
-<GROUP> [TASK]`: `engage just lints cargo-fmt`
+# Install git hooks to run checks automatically
+prefligit install

-The following binaries are used in [`engage.toml`][engage.toml]:
+# Run all checks
+prefligit --all-files
+```

- [`engage`][engage]
- `nix`
- [`direnv`][direnv]
- `rustc`
- `cargo`
- `cargo-fmt`
- `rustdoc`
- `cargo-clippy`
- [`cargo-audit`][cargo-audit]
- [`cargo-deb`][cargo-deb]
- [`lychee`][lychee]
- [`markdownlint-cli`][markdownlint-cli]
- `dpkg`
+Alternatively, you can use [pre-commit](https://pre-commit.com/):
+```bash
+# Install pre-commit
+pip install pre-commit
+
+# Install the hooks
+pre-commit install
+
+# Run all checks manually
+pre-commit run --all-files
+```
+
+These same checks are run in CI via the prefligit-checks workflow to ensure consistency.
+
+### Running tests locally
+
+Tests, compilation, and linting can be run with standard Cargo commands:
+
+```bash
+# Run tests
+cargo test
+
+# Check compilation
+cargo check --workspace
+
+# Run lints
+cargo clippy --workspace
+# Auto-fix: cargo clippy --workspace --fix --allow-staged;
+
+# Format code (must use nightly)
+cargo +nightly fmt
+```

 ### Matrix tests

-CI runs [Complement][complement], but currently does not fail if results from
-the checked-in results differ with the new results. If your changes are done to
-fix Matrix tests, note that in your pull request. If more Complement tests start
-failing from your changes, please review the logs (they are uploaded as
-artifacts) and determine if they're intended or not.
+Continuwuity uses [Complement][complement] for Matrix protocol compliance testing. Complement tests are run manually by developers, and documentation on how to run these tests locally is currently being developed.

-If you'd like to run Complement locally using Nix, see the
-[testing](development/testing.md) page.
+If your changes are done to fix Matrix tests, please note that in your pull request. If more Complement tests start failing from your changes, please review the logs and determine if they're intended or not.

-[Sytest][sytest] support will come soon.
+[Sytest][sytest] is currently unsupported.

 ### Writing documentation

-conduwuit's website uses [`mdbook`][mdbook] and deployed via CI using GitHub
-Pages in the [`documentation.yml`][documentation.yml] workflow file with Nix's
-mdbook in the devshell. All documentation is in the `docs/` directory at the top
-level. The compiled mdbook website is also uploaded as an artifact.
+Continuwuity's website uses [`mdbook`][mdbook] and is deployed via CI using Cloudflare Pages
+in the [`documentation.yml`][documentation.yml] workflow file. All documentation is in the `docs/`
+directory at the top level.

-To build the documentation using Nix, run: `bin/nix-build-and-cache just .#book`
+To build the documentation locally:

-The output of the mdbook generation is in `result/`. mdbooks can be opened in
-your browser from the individual HTML files without any web server needed.
+1. Install mdbook if you don't have it already:
+   ```bash
+   cargo install mdbook # or cargo binstall, or another method
+   ```
+
+2. Build the documentation:
+   ```bash
+   mdbook build
+   ```
+
+The output of the mdbook generation is in `public/`. You can open the HTML files directly in your browser without needing a web server.

 ### Inclusivity and Diversity

@@ -109,6 +133,40 @@ Rust's default style and standards with regards to [function names, variable
 names, comments](https://rust-lang.github.io/api-guidelines/naming.html), etc
 applies here.

+### Commit Messages
+
+Continuwuity follows the [Conventional Commits](https://www.conventionalcommits.org/) specification for commit messages. This provides a standardized format that makes the commit history more readable and enables automated tools to generate changelogs.
+
+The basic structure is:
+```
+<type>[(optional scope)]: <description>
+
+[optional body]
+
+[optional footer(s)]
+```
+
+The allowed types for commits are:
+- `fix`: Bug fixes
+- `feat`: New features
+- `docs`: Documentation changes
+- `style`: Changes that don't affect the meaning of the code (formatting, etc.)
+- `refactor`: Code changes that neither fix bugs nor add features
+- `perf`: Performance improvements
+- `test`: Adding or fixing tests
+- `build`: Changes to the build system or dependencies
+- `ci`: Changes to CI configuration
+- `chore`: Other changes that don't modify source or test files
+
+Examples:
+```
+feat: add user authentication
+fix(database): resolve connection pooling issue
+docs: update installation instructions
+```
+
+The project uses the `committed` hook to validate commit messages in pre-commit. This ensures all commits follow the conventional format.
+
 ### Creating pull requests

 Please try to keep contributions to the Forgejo Instance. While the mirrors of continuwuity
@@ -118,6 +176,13 @@ This prevents us from having to ping once in a while to double check the status
 of it, especially when the CI completed successfully and everything so it
 *looks* done.

+Before submitting a pull request, please ensure:
+1. Your code passes all CI checks (formatting, linting, typo detection, etc.)
+2. Your commit messages follow the conventional commits format
+3. Tests are added for new functionality
+4. Documentation is updated if needed
+
+

 Direct all PRs/MRs to the `main` branch.

@@ -125,20 +190,13 @@ By sending a pull request or patch, you are agreeing that your changes are
 allowed to be licenced under the Apache-2.0 licence and all of your conduct is
 in line with the Contributor's Covenant, and continuwuity's Code of Conduct.

-Contribution by users who violate either of these code of conducts will not have
+Contribution by users who violate either of these code of conducts may not have
 their contributions accepted. This includes users who have been banned from
-continuwuityMatrix rooms for Code of Conduct violations.
+continuwuity Matrix rooms for Code of Conduct violations.

 [issues]: https://forgejo.ellis.link/continuwuation/continuwuity/issues
 [continuwuity-matrix]: https://matrix.to/#/#continuwuity:continuwuity.org
 [complement]: https://github.com/matrix-org/complement/
-[engage.toml]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/engage.toml
-[engage]: https://charles.page.computer.surgery/engage/
 [sytest]: https://github.com/matrix-org/sytest/
-[cargo-deb]: https://github.com/kornelski/cargo-deb
-[lychee]: https://github.com/lycheeverse/lychee
-[markdownlint-cli]: https://github.com/igorshubovych/markdownlint-cli
-[cargo-audit]: https://github.com/RustSec/rustsec/tree/main/cargo-audit
-[direnv]: https://direnv.net/
 [mdbook]: https://rust-lang.github.io/mdBook/
 [documentation.yml]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/.forgejo/workflows/documentation.yml
@@ -2,7 +2,7 @@

 [workspace]
 resolver = "2"
-members = ["src/*"]
+members = ["src/*", "xtask/*"]
 default-members = ["src/*"]

 [workspace.package]
@@ -21,7 +21,7 @@ license = "Apache-2.0"
 readme = "README.md"
 repository = "https://forgejo.ellis.link/continuwuation/continuwuity"
 rust-version = "1.86.0"
-version = "0.5.0-rc.5"
+version = "0.5.0-rc.6"

 [workspace.metadata.crane]
 name = "conduwuit"
@@ -213,6 +213,8 @@ default-features = false
 version = "0.3.19"
 default-features = false
 features = ["env-filter", "std", "tracing", "tracing-log", "ansi", "fmt"]
+[workspace.dependencies.tracing-journald]
+version = "0.3.1"
 [workspace.dependencies.tracing-core]
 version = "0.1.33"
 default-features = false
@@ -298,7 +300,7 @@ version = "1.15.0"
 default-features = false
 features = ["serde"]

-# Used for reading the configuration from conduwuit.toml & environment variables
+# Used for reading the configuration from continuwuity.toml & environment variables
 [workspace.dependencies.figment]
 version = "0.10.19"
 default-features = false
@@ -350,7 +352,7 @@ version = "0.1.2"
 [workspace.dependencies.ruma]
 git = "https://forgejo.ellis.link/continuwuation/ruwuma"
 #branch = "conduwuit-changes"
-rev = "97048c0a535a2b895079518b7b9b20fcd144ad5f"
+rev = "a4b948b40417a65ab0282ae47cc50035dd455e02"
 features = [
    "compat",
    "rand",
@@ -381,7 +383,7 @@ features = [
    "unstable-msc4121",
    "unstable-msc4125",
    "unstable-msc4186",
-    "unstable-msc4203", # sending to-device events to appservices 
+    "unstable-msc4203", # sending to-device events to appservices
    "unstable-msc4210", # remove legacy mentions
    "unstable-extensible-events",
    "unstable-pdu",
@@ -556,11 +558,11 @@ rev = "1e64095a8051a1adf0d1faa307f9f030889ec2aa"
 git = "https://forgejo.ellis.link/continuwuation/tracing"
 rev = "1e64095a8051a1adf0d1faa307f9f030889ec2aa"

-# adds a tab completion callback: https://forgejo.ellis.link/continuwuation/rustyline-async/commit/de26100b0db03e419a3d8e1dd26895d170d1fe50
-# adds event for CTRL+\: https://forgejo.ellis.link/continuwuation/rustyline-async/commit/67d8c49aeac03a5ef4e818f663eaa94dd7bf339b
+# adds a tab completion callback: https://forgejo.ellis.link/continuwuation/rustyline-async/src/branch/main/.patchy/0002-add-tab-completion-callback.patch
+# adds event for CTRL+\: https://forgejo.ellis.link/continuwuation/rustyline-async/src/branch/main/.patchy/0001-add-event-for-ctrl.patch
 [patch.crates-io.rustyline-async]
 git = "https://forgejo.ellis.link/continuwuation/rustyline-async"
-rev = "deaeb0694e2083f53d363b648da06e10fc13900c"
+rev = "e9f01cf8c6605483cb80b3b0309b400940493d7f"

 # adds LIFO queue scheduling; this should be updated with PR progress.
 [patch.crates-io.event-listener]
@@ -580,12 +582,11 @@ rev = "9c8e51510c35077df888ee72a36b4b05637147da"
 git = "https://forgejo.ellis.link/continuwuation/hyper-util"
 rev = "e4ae7628fe4fcdacef9788c4c8415317a4489941"

-# allows no-aaaa option in resolv.conf
-# bumps rust edition and toolchain to 1.86.0 and 2024
-# use sat_add on line number errors
+# Allows no-aaaa option in resolv.conf
+# Use 1-indexed line numbers when displaying parse error messages
 [patch.crates-io.resolv-conf]
 git = "https://forgejo.ellis.link/continuwuation/resolv-conf"
-rev = "200e958941d522a70c5877e3d846f55b5586c68d"
+rev = "56251316cc4127bcbf36e68ce5e2093f4d33e227"

 #
 # Our crates
@@ -637,6 +638,11 @@ package = "conduwuit_build_metadata"
 path = "src/build_metadata"
 default-features = false

+
+[workspace.dependencies.conduwuit]
+package = "conduwuit"
+path = "src/main"
+
 ###############################################################################
 #
 # Release profiles
@@ -745,7 +751,6 @@ incremental = true

 [profile.dev.package.conduwuit_core]
 inherits = "dev"
-incremental = false
 #rustflags = [
 #	'--cfg', 'conduwuit_mods',
 #	'-Ztime-passes',
@@ -763,7 +768,8 @@ incremental = false
 #	'-Clink-arg=-Wl,-z,nodlopen',
 #	'-Clink-arg=-Wl,-z,nodelete',
 #]
-
+[profile.dev.package.xtask-generate-commands]
+inherits = "dev"
 [profile.dev.package.conduwuit]
 inherits = "dev"
 #rustflags = [
@@ -785,7 +791,6 @@ inherits = "dev"
 [profile.dev.package.'*']
 inherits = "dev"
 debug = 'limited'
-incremental = false
 codegen-units = 1
 opt-level = 'z'
 #rustflags = [
@@ -807,7 +812,6 @@ inherits = "dev"
 strip = false
 opt-level = 0
 codegen-units = 16
-incremental = false

 [profile.test.package.'*']
 inherits = "dev"
@@ -815,7 +819,6 @@ debug = 0
 strip = false
 opt-level = 0
 codegen-units = 16
-incremental = false

 ###############################################################################
 #
@@ -992,3 +995,6 @@ let_underscore_future = { level = "allow", priority = 1 }

 # rust doesnt understand conduwuit's custom log macros
 literal_string_with_formatting_args = { level = "allow", priority = 1 }
+
+
+needless_raw_string_hashes = "allow"
@@ -4,13 +4,24 @@

 ## A community-driven [Matrix](https://matrix.org/) homeserver in Rust

+[![Chat on Matrix](https://img.shields.io/matrix/continuwuity%3Acontinuwuity.org?server_fqdn=matrix.continuwuity.org&fetchMode=summary&logo=matrix)](https://matrix.to/#/#continuwuity:continuwuity.org?via=continuwuity.org&via=ellis.link&via=explodie.org&via=matrix.org) [![Join the space](https://img.shields.io/matrix/space%3Acontinuwuity.org?server_fqdn=matrix.continuwuity.org&fetchMode=summary&logo=matrix&label=space)](https://matrix.to/#/#space:continuwuity.org?via=continuwuity.org&via=ellis.link&via=explodie.org&via=matrix.org)
+
+
+
 <!-- ANCHOR_END: catchphrase -->

 [continuwuity] is a Matrix homeserver written in Rust.
-It's a community continuation of the [conduwuit](https://github.com/girlbossceo/conduwuit) homeserver. 
+It's a community continuation of the [conduwuit](https://github.com/girlbossceo/conduwuit) homeserver.

 <!-- ANCHOR: body -->

+[![forgejo.ellis.link](https://img.shields.io/badge/Ellis%20Git-main+packages-green?style=flat&logo=forgejo&labelColor=fff)](https://forgejo.ellis.link/continuwuation/continuwuity) [![Stars](https://forgejo.ellis.link/continuwuation/continuwuity/badges/stars.svg?style=flat)](https://forgejo.ellis.link/continuwuation/continuwuity/stars) [![Issues](https://forgejo.ellis.link/continuwuation/continuwuity/badges/issues/open.svg?style=flat)](https://forgejo.ellis.link/continuwuation/continuwuity/issues?state=open) [![Pull Requests](https://forgejo.ellis.link/continuwuation/continuwuity/badges/pulls/open.svg?style=flat)](https://forgejo.ellis.link/continuwuation/continuwuity/pulls?state=open)
+
+[![GitHub](https://img.shields.io/badge/GitHub-mirror-blue?style=flat&logo=github&labelColor=fff&logoColor=24292f)](https://github.com/continuwuity/continuwuity) [![Stars](https://img.shields.io/github/stars/continuwuity/continuwuity?style=flat)](https://github.com/continuwuity/continuwuity/stargazers)
+
+[![GitLab](https://img.shields.io/badge/GitLab-mirror-blue?style=flat&logo=gitlab&labelColor=fff)](https://gitlab.com/continuwuity/continuwuity) [![Stars](https://img.shields.io/gitlab/stars/continuwuity/continuwuity?style=flat)](https://gitlab.com/continuwuity/continuwuity/-/starrers)
+
+[![Codeberg](https://img.shields.io/badge/Codeberg-mirror-2185D0?style=flat&logo=codeberg&labelColor=fff)](https://codeberg.org/continuwuity/continuwuity) [![Stars](https://codeberg.org/continuwuity/continuwuity/badges/stars.svg?style=flat)](https://codeberg.org/continuwuity/continuwuity/stars)

 ### Why does this exist?

@@ -54,8 +65,6 @@ There are currently no open registration Continuwuity instances available.

 We're working our way through all of the issues in the [Forgejo project](https://forgejo.ellis.link/continuwuation/continuwuity/issues).

- [Replacing old conduwuit links with working continuwuity links](https://forgejo.ellis.link/continuwuation/continuwuity/issues/742)
- [Getting CI and docs deployment working on the new Forgejo project](https://forgejo.ellis.link/continuwuation/continuwuity/issues/740)
 - [Packaging & availability in more places](https://forgejo.ellis.link/continuwuation/continuwuity/issues/747)
 - [Appservices bugs & features](https://forgejo.ellis.link/continuwuation/continuwuity/issues?q=&type=all&state=open&labels=178&milestone=0&assignee=0&poster=0)
 - [Improving compatibility and spec compliance](https://forgejo.ellis.link/continuwuation/continuwuity/issues?labels=119)
@@ -112,4 +121,3 @@ Join our [Matrix room](https://matrix.to/#/#continuwuity:continuwuity.org) and [


 [continuwuity]: https://forgejo.ellis.link/continuwuation/continuwuity
-
@@ -0,0 +1,63 @@
+# Security Policy for Continuwuity
+
+This document outlines the security policy for Continuwuity. Our goal is to maintain a secure platform for all users, and we take security matters seriously.
+
+## Supported Versions
+
+We provide security updates for the following versions of Continuwuity:
+
+| Version        | Supported        |
+| -------------- |:----------------:|
+| Latest release |        ✅        |
+| Main branch    |        ✅        |
+| Older releases |        ❌        |
+
+We may backport fixes to the previous release at our discretion, but we don't guarantee this.
+
+## Reporting a Vulnerability
+
+### Responsible Disclosure
+
+We appreciate the efforts of security researchers and the community in identifying and reporting vulnerabilities. To ensure that potential vulnerabilities are addressed properly, please follow these guidelines:
+
+1. **Contact members of the team directly** over E2EE private message.
+   - [@jade:ellis.link](https://matrix.to/#/@jade:ellis.link)
+   - [@nex:nexy7574.co.uk](https://matrix.to/#/@nex:nexy7574.co.uk) <!-- ? -->
+2. **Email the security team** at [security@continuwuity.org](mailto:security@continuwuity.org). This is not E2EE, so don't include sensitive details.
+3. **Do not disclose the vulnerability publicly** until it has been addressed
+4. **Provide detailed information** about the vulnerability, including:
+   - A clear description of the issue
+   - Steps to reproduce
+   - Potential impact
+   - Any possible mitigations
+   - Version(s) affected, including specific commits if possible
+
+If you have any doubts about a potential security vulnerability, contact us via private channels first! We'd prefer that you bother us, instead of having a vulnerability disclosed without a fix.
+
+### What to Expect
+
+When you report a security vulnerability:
+
+1. **Acknowledgment**: We will acknowledge receipt of your report.
+2. **Assessment**: We will assess the vulnerability and determine its impact on our users
+3. **Updates**: We will provide updates on our progress in addressing the vulnerability, and may request you help test mitigations
+4. **Resolution**: Once resolved, we will notify you and discuss coordinated disclosure
+5. **Credit**: We will recognize your contribution (unless you prefer to remain anonymous)
+
+## Security Update Process
+
+When security vulnerabilities are identified:
+
+1. We will develop and test fixes in a private fork
+2. Security updates will be released as soon as possible
+3. Release notes will include information about the vulnerabilities, avoiding details that could facilitate exploitation where possible
+4. Critical security updates may be backported to the previous stable release
+
+## Additional Resources
+
+- [Matrix Security Disclosure Policy](https://matrix.org/security-disclosure-policy/)
+- [Continuwuity Documentation](https://continuwuity.org/introduction)
+
+---
+
+This security policy was last updated on May 25, 2025.
@@ -1,8 +1,9 @@
 [Unit]
-Description=conduwuit Matrix homeserver
+
+Description=Continuwuity - Matrix homeserver
 Wants=network-online.target
 After=network-online.target
-Documentation=https://conduwuit.puppyirl.gay/
+Documentation=https://continuwuity.org/
 RequiresMountsFor=/var/lib/private/conduwuit
 Alias=matrix-conduwuit.service

@@ -16,6 +17,10 @@ DeviceAllow=char-tty
 StandardInput=tty-force
 StandardOutput=tty
 StandardError=journal+console
+
+Environment="CONTINUWUITY_LOG_TO_JOURNALD=1"
+Environment="CONTINUWUITY_JOURNALD_IDENTIFIER=%N"
+
 TTYReset=yes
 # uncomment to allow buffer to be cleared every restart
 TTYVTDisallocate=no
@@ -59,7 +64,8 @@ StateDirectory=conduwuit
 RuntimeDirectory=conduwuit
 RuntimeDirectoryMode=0750

-Environment="CONDUWUIT_CONFIG=/etc/conduwuit/conduwuit.toml"
+Environment=CONTINUWUITY_CONFIG=${CREDENTIALS_DIRECTORY}/config.toml
+LoadCredential=config.toml:/etc/conduwuit/conduwuit.toml
 BindPaths=/var/lib/private/conduwuit:/var/lib/matrix-conduit
 BindPaths=/var/lib/private/conduwuit:/var/lib/private/matrix-conduit

@@ -0,0 +1,3 @@
+style = "conventional"
+subject_length = 72
+allowed_types = ["ci", "build", "fix", "feat", "chore", "docs", "style", "refactor", "perf", "test"]
@@ -1,4 +1,4 @@
-### conduwuit Configuration
+### continuwuity Configuration
 ###
 ### THIS FILE IS GENERATED. CHANGES/CONTRIBUTIONS IN THE REPO WILL BE
 ### OVERWRITTEN!
@@ -13,7 +13,7 @@
 ### that say "YOU NEED TO EDIT THIS".
 ###
 ### For more information, see:
-### https://conduwuit.puppyirl.gay/configuration.html
+### https://continuwuity.org/configuration.html

 [global]

@@ -21,7 +21,7 @@
 # suffix for user and room IDs/aliases.
 #
 # See the docs for reverse proxying and delegation:
-# https://conduwuit.puppyirl.gay/deploying/generic.html#setting-up-the-reverse-proxy
+# https://continuwuity.org/deploying/generic.html#setting-up-the-reverse-proxy
 #
 # Also see the `[global.well_known]` config section at the very bottom.
 #
@@ -32,11 +32,11 @@
 # YOU NEED TO EDIT THIS. THIS CANNOT BE CHANGED AFTER WITHOUT A DATABASE
 # WIPE.
 #
-# example: "conduwuit.woof"
+# example: "continuwuity.org"
 #
 #server_name =

-# The default address (IPv4 or IPv6) conduwuit will listen on.
+# The default address (IPv4 or IPv6) continuwuity will listen on.
 #
 # If you are using Docker or a container NAT networking setup, this must
 # be "0.0.0.0".
@@ -46,10 +46,10 @@
 #
 #address = ["127.0.0.1", "::1"]

-# The port(s) conduwuit will listen on.
+# The port(s) continuwuity will listen on.
 #
 # For reverse proxying, see:
-# https://conduwuit.puppyirl.gay/deploying/generic.html#setting-up-the-reverse-proxy
+# https://continuwuity.org/deploying/generic.html#setting-up-the-reverse-proxy
 #
 # If you are using Docker, don't change this, you'll need to map an
 # external port to this.
@@ -58,16 +58,17 @@
 #
 #port = 8008

-# The UNIX socket conduwuit will listen on.
+# The UNIX socket continuwuity will listen on.
 #
-# conduwuit cannot listen on both an IP address and a UNIX socket. If
+# continuwuity cannot listen on both an IP address and a UNIX socket. If
 # listening on a UNIX socket, you MUST remove/comment the `address` key.
 #
 # Remember to make sure that your reverse proxy has access to this socket
-# file, either by adding your reverse proxy to the 'conduwuit' group or
-# granting world R/W permissions with `unix_socket_perms` (666 minimum).
+# file, either by adding your reverse proxy to the appropriate user group
+# or granting world R/W permissions with `unix_socket_perms` (666
+# minimum).
 #
-# example: "/run/conduwuit/conduwuit.sock"
+# example: "/run/continuwuity/continuwuity.sock"
 #
 #unix_socket_path =

@@ -75,23 +76,23 @@
 #
 #unix_socket_perms = 660

-# This is the only directory where conduwuit will save its data, including
-# media. Note: this was previously "/var/lib/matrix-conduit".
+# This is the only directory where continuwuity will save its data,
+# including media. Note: this was previously "/var/lib/matrix-conduit".
 #
 # YOU NEED TO EDIT THIS.
 #
-# example: "/var/lib/conduwuit"
+# example: "/var/lib/continuwuity"
 #
 #database_path =

-# conduwuit supports online database backups using RocksDB's Backup engine
-# API. To use this, set a database backup path that conduwuit can write
-# to.
+# continuwuity supports online database backups using RocksDB's Backup
+# engine API. To use this, set a database backup path that continuwuity
+# can write to.
 #
 # For more information, see:
-# https://conduwuit.puppyirl.gay/maintenance.html#backups
+# https://continuwuity.org/maintenance.html#backups
 #
-# example: "/opt/conduwuit-db-backups"
+# example: "/opt/continuwuity-db-backups"
 #
 #database_backup_path =

@@ -112,14 +113,14 @@
 #
 #new_user_displayname_suffix = "🏳️‍⚧️"

-# If enabled, conduwuit will send a simple GET request periodically to
+# If enabled, continuwuity will send a simple GET request periodically to
 # `https://continuwuity.org/.well-known/continuwuity/announcements` for any new
 # announcements or major updates. This is not an update check endpoint.
 #
 #allow_announcements_check = true

-# Set this to any float value to multiply conduwuit's in-memory LRU caches
-# with such as "auth_chain_cache_capacity".
+# Set this to any float value to multiply continuwuity's in-memory LRU
+# caches with such as "auth_chain_cache_capacity".
 #
 # May be useful if you have significant memory to spare to increase
 # performance.
@@ -131,7 +132,7 @@
 #
 #cache_capacity_modifier = 1.0

-# Set this to any float value in megabytes for conduwuit to tell the
+# Set this to any float value in megabytes for continuwuity to tell the
 # database engine that this much memory is available for database read
 # caches.
 #
@@ -145,7 +146,7 @@
 #
 #db_cache_capacity_mb = varies by system

-# Set this to any float value in megabytes for conduwuit to tell the
+# Set this to any float value in megabytes for continuwuity to tell the
 # database engine that this much memory is available for database write
 # caches.
 #
@@ -250,9 +251,9 @@
 # Enable using *only* TCP for querying your specified nameservers instead
 # of UDP.
 #
-# If you are running conduwuit in a container environment, this config
+# If you are running continuwuity in a container environment, this config
 # option may need to be enabled. For more details, see:
-# https://conduwuit.puppyirl.gay/troubleshooting.html#potential-dns-issues-when-using-docker
+# https://continuwuity.org/troubleshooting.html#potential-dns-issues-when-using-docker
 #
 #query_over_tcp_only = false

@@ -397,6 +398,22 @@
 #
 #allow_registration = false

+# If registration is enabled, and this setting is true, new users
+# registered after the first admin user will be automatically suspended
+# and will require an admin to run `!admin users unsuspend <user_id>`.
+#
+# Suspended users are still able to read messages, make profile updates,
+# leave rooms, and deactivate their account, however cannot send messages,
+# invites, or create/join or otherwise modify rooms.
+# They are effectively read-only.
+#
+# If you want to use this to screen people who register on your server,
+# you should add a room to `auto_join_rooms` that is public, and contains
+# information that new users can read (since they won't be able to DM
+# anyone, or send a message, and may be confused).
+#
+#suspend_on_register = false
+
 # Enabling this setting opens registration to anyone without restrictions.
 # This makes your server vulnerable to abuse
 #
@@ -418,9 +435,9 @@
 # tokens. Multiple tokens can be added if you separate them with
 # whitespace
 #
-# conduwuit must be able to access the file, and it must not be empty
+# continuwuity must be able to access the file, and it must not be empty
 #
-# example: "/etc/conduwuit/.reg_token"
+# example: "/etc/continuwuity/.reg_token"
 #
 #registration_token_file =

@@ -512,16 +529,16 @@
 #allow_room_creation = true

 # Set to false to disable users from joining or creating room versions
-# that aren't officially supported by conduwuit.
+# that aren't officially supported by continuwuity.
 #
-# conduwuit officially supports room versions 6 - 11.
+# continuwuity officially supports room versions 6 - 11.
 #
-# conduwuit has slightly experimental (though works fine in practice)
+# continuwuity has slightly experimental (though works fine in practice)
 # support for versions 3 - 5.
 #
 #allow_unstable_room_versions = true

-# Default room version conduwuit will create rooms with.
+# Default room version continuwuity will create rooms with.
 #
 # Per spec, room version 11 is the default.
 #
@@ -587,7 +604,7 @@
 # Servers listed here will be used to gather public keys of other servers
 # (notary trusted key servers).
 #
-# Currently, conduwuit doesn't support inbound batched key requests, so
+# Currently, continuwuity doesn't support inbound batched key requests, so
 # this list should only contain other Synapse servers.
 #
 # example: ["matrix.org", "tchncs.de"]
@@ -628,7 +645,7 @@
 #
 #trusted_server_batch_size = 1024

-# Max log level for conduwuit. Allows debug, info, warn, or error.
+# Max log level for continuwuity. Allows debug, info, warn, or error.
 #
 # See also:
 # https://docs.rs/tracing-subscriber/latest/tracing_subscriber/filter/struct.EnvFilter.html#directives
@@ -649,8 +666,9 @@
 #
 #log_span_events = "none"

-# Configures whether CONDUWUIT_LOG EnvFilter matches values using regular
-# expressions. See the tracing_subscriber documentation on Directives.
+# Configures whether CONTINUWUITY_LOG EnvFilter matches values using
+# regular expressions. See the tracing_subscriber documentation on
+# Directives.
 #
 #log_filter_regex = true

@@ -658,6 +676,21 @@
 #
 #log_thread_ids = false

+# Enable journald logging on Unix platforms
+#
+# When enabled, log output will be sent to the systemd journal
+# This is only supported on Unix platforms
+#
+#log_to_journald = false
+
+# The syslog identifier to use with journald logging
+#
+# Only used when journald logging is enabled
+#
+# Defaults to the binary name
+#
+#journald_identifier =
+
 # OpenID token expiration/TTL in seconds.
 #
 # These are the OpenID tokens that are primarily used for Matrix account
@@ -718,7 +751,7 @@
 # This takes priority over "turn_secret" first, and falls back to
 # "turn_secret" if invalid or failed to open.
 #
-# example: "/etc/conduwuit/.turn_secret"
+# example: "/etc/continuwuity/.turn_secret"
 #
 #turn_secret_file =

@@ -726,12 +759,12 @@
 #
 #turn_ttl = 86400

-# List/vector of room IDs or room aliases that conduwuit will make newly
-# registered users join. The rooms specified must be rooms that you have
-# joined at least once on the server, and must be public.
+# List/vector of room IDs or room aliases that continuwuity will make
+# newly registered users join. The rooms specified must be rooms that you
+# have joined at least once on the server, and must be public.
 #
-# example: ["#conduwuit:puppygock.gay",
-# "!eoIzvAvVwY23LPDay8:puppygock.gay"]
+# example: ["#continuwuity:continuwuity.org",
+# "!main-1:continuwuity.org"]
 #
 #auto_join_rooms = []

@@ -754,10 +787,10 @@
 #
 #auto_deactivate_banned_room_attempts = false

-# RocksDB log level. This is not the same as conduwuit's log level. This
-# is the log level for the RocksDB engine/library which show up in your
-# database folder/path as `LOG` files. conduwuit will log RocksDB errors
-# as normal through tracing or panics if severe for safety.
+# RocksDB log level. This is not the same as continuwuity's log level.
+# This is the log level for the RocksDB engine/library which show up in
+# your database folder/path as `LOG` files. continuwuity will log RocksDB
+# errors as normal through tracing or panics if severe for safety.
 #
 #rocksdb_log_level = "error"

@@ -777,7 +810,7 @@
 # Set this to true to use RocksDB config options that are tailored to HDDs
 # (slower device storage).
 #
-# It is worth noting that by default, conduwuit will use RocksDB with
+# It is worth noting that by default, continuwuity will use RocksDB with
 # Direct IO enabled. *Generally* speaking this improves performance as it
 # bypasses buffered I/O (system page cache). However there is a potential
 # chance that Direct IO may cause issues with database operations if your
@@ -785,7 +818,7 @@
 # possibly ZFS filesystem. RocksDB generally deals/corrects these issues
 # but it cannot account for all setups. If you experience any weird
 # RocksDB issues, try enabling this option as it turns off Direct IO and
-# feel free to report in the conduwuit Matrix room if this option fixes
+# feel free to report in the continuwuity Matrix room if this option fixes
 # your DB issues.
 #
 # For more information, see:
@@ -840,7 +873,7 @@
 # as they all differ. See their `kDefaultCompressionLevel`.
 #
 # Note when using the default value we may override it with a setting
-# tailored specifically conduwuit.
+# tailored specifically for continuwuity.
 #
 #rocksdb_compression_level = 32767

@@ -856,7 +889,7 @@
 # algorithm.
 #
 # Note when using the default value we may override it with a setting
-# tailored specifically conduwuit.
+# tailored specifically for continuwuity.
 #
 #rocksdb_bottommost_compression_level = 32767

@@ -896,13 +929,13 @@
 # 0 = AbsoluteConsistency
 # 1 = TolerateCorruptedTailRecords (default)
 # 2 = PointInTime (use me if trying to recover)
-# 3 = SkipAnyCorruptedRecord (you now voided your Conduwuit warranty)
+# 3 = SkipAnyCorruptedRecord (you now voided your Continuwuity warranty)
 #
 # For more information on these modes, see:
 # https://github.com/facebook/rocksdb/wiki/WAL-Recovery-Modes
 #
 # For more details on recovering a corrupt database, see:
-# https://conduwuit.puppyirl.gay/troubleshooting.html#database-corruption
+# https://continuwuity.org/troubleshooting.html#database-corruption
 #
 #rocksdb_recovery_mode = 1

@@ -942,7 +975,7 @@
 # - Disabling repair mode and restarting the server is recommended after
 #   running the repair.
 #
-# See https://conduwuit.puppyirl.gay/troubleshooting.html#database-corruption for more details on recovering a corrupt database.
+# See https://continuwuity.org/troubleshooting.html#database-corruption for more details on recovering a corrupt database.
 #
 #rocksdb_repair = false

@@ -969,7 +1002,7 @@
 # Enables RocksDB compaction. You should never ever have to set this
 # option to false. If you for some reason find yourself needing to use
 # this option as part of troubleshooting or a bug, please reach out to us
-# in the conduwuit Matrix room with information and details.
+# in the continuwuity Matrix room with information and details.
 #
 # Disabling compaction will lead to a significantly bloated and
 # explosively large database, gradually poor performance, unnecessarily
@@ -995,7 +1028,7 @@
 # purposes such as recovering/recreating your admin room, or inviting
 # yourself back.
 #
-# See https://conduwuit.puppyirl.gay/troubleshooting.html#lost-access-to-admin-room for other ways to get back into your admin room.
+# See https://continuwuity.org/troubleshooting.html#lost-access-to-admin-room for other ways to get back into your admin room.
 #
 # Once this password is unset, all sessions will be logged out for
 # security purposes.
@@ -1010,8 +1043,8 @@

 # Allow local (your server only) presence updates/requests.
 #
-# Note that presence on conduwuit is very fast unlike Synapse's. If using
-# outgoing presence, this MUST be enabled.
+# Note that presence on continuwuity is very fast unlike Synapse's. If
+# using outgoing presence, this MUST be enabled.
 #
 #allow_local_presence = true

@@ -1019,7 +1052,7 @@
 #
 # This option receives presence updates from other servers, but does not
 # send any unless `allow_outgoing_presence` is true. Note that presence on
-# conduwuit is very fast unlike Synapse's.
+# continuwuity is very fast unlike Synapse's.
 #
 #allow_incoming_presence = true

@@ -1027,8 +1060,8 @@
 #
 # This option sends presence updates to other servers, but does not
 # receive any unless `allow_incoming_presence` is true. Note that presence
-# on conduwuit is very fast unlike Synapse's. If using outgoing presence,
-# you MUST enable `allow_local_presence` as well.
+# on continuwuity is very fast unlike Synapse's. If using outgoing
+# presence, you MUST enable `allow_local_presence` as well.
 #
 #allow_outgoing_presence = true

@@ -1051,6 +1084,13 @@
 #
 #presence_timeout_remote_users = true

+# Allow local read receipts.
+#
+# Disabling this will effectively also disable outgoing federated read
+# receipts.
+#
+#allow_local_read_receipts = true
+
 # Allow receiving incoming read receipts from remote servers.
 #
 #allow_incoming_read_receipts = true
@@ -1059,6 +1099,13 @@
 #
 #allow_outgoing_read_receipts = true

+# Allow local typing updates.
+#
+# Disabling this will effectively also disable outgoing federated typing
+# updates.
+#
+#allow_local_typing = true
+
 # Allow outgoing typing updates to federation.
 #
 #allow_outgoing_typing = true
@@ -1081,8 +1128,8 @@
 #
 #typing_client_timeout_max_s = 45

-# Set this to true for conduwuit to compress HTTP response bodies using
-# zstd. This option does nothing if conduwuit was not built with
+# Set this to true for continuwuity to compress HTTP response bodies using
+# zstd. This option does nothing if continuwuity was not built with
 # `zstd_compression` feature. Please be aware that enabling HTTP
 # compression may weaken TLS. Most users should not need to enable this.
 # See https://breachattack.com/ and https://wikipedia.org/wiki/BREACH
@@ -1090,8 +1137,8 @@
 #
 #zstd_compression = false

-# Set this to true for conduwuit to compress HTTP response bodies using
-# gzip. This option does nothing if conduwuit was not built with
+# Set this to true for continuwuity to compress HTTP response bodies using
+# gzip. This option does nothing if continuwuity was not built with
 # `gzip_compression` feature. Please be aware that enabling HTTP
 # compression may weaken TLS. Most users should not need to enable this.
 # See https://breachattack.com/ and https://wikipedia.org/wiki/BREACH before
@@ -1102,8 +1149,8 @@
 #
 #gzip_compression = false

-# Set this to true for conduwuit to compress HTTP response bodies using
-# brotli. This option does nothing if conduwuit was not built with
+# Set this to true for continuwuity to compress HTTP response bodies using
+# brotli. This option does nothing if continuwuity was not built with
 # `brotli_compression` feature. Please be aware that enabling HTTP
 # compression may weaken TLS. Most users should not need to enable this.
 # See https://breachattack.com/ and https://wikipedia.org/wiki/BREACH
@@ -1165,7 +1212,7 @@
 # Otherwise setting this to false reduces filesystem clutter and overhead
 # for managing these symlinks in the directory. This is now disabled by
 # default. You may still return to upstream Conduit but you have to run
-# conduwuit at least once with this set to true and allow the
+# continuwuity at least once with this set to true and allow the
 # media_startup_check to take place before shutting down to return to
 # Conduit.
 #
@@ -1210,8 +1257,8 @@
 #
 #allowed_remote_server_names = []

-# Vector list of regex patterns of server names that conduwuit will refuse
-# to download remote media from.
+# Vector list of regex patterns of server names that continuwuity will
+# refuse to download remote media from.
 #
 # example: ["badserver\.tld$", "badphrase", "19dollarfortnitecards"]
 #
@@ -1225,7 +1272,7 @@
 #
 #forbidden_remote_room_directory_server_names = []

-# Vector list of regex patterns of server names that conduwuit will not
+# Vector list of regex patterns of server names that continuwuity will not
 # send messages to the client from.
 #
 # Note that there is no way for clients to receive messages once a server
@@ -1249,7 +1296,7 @@
 #send_messages_from_ignored_users_to_client = false

 # Vector list of IPv4 and IPv6 CIDR ranges / subnets *in quotes* that you
-# do not want conduwuit to send outbound requests to. Defaults to
+# do not want continuwuity to send outbound requests to. Defaults to
 # RFC1918, unroutable, loopback, multicast, and testnet addresses for
 # security.
 #
@@ -1399,26 +1446,26 @@

 # Allow admins to enter commands in rooms other than "#admins" (admin
 # room) by prefixing your message with "\!admin" or "\\!admin" followed up
-# a normal conduwuit admin command. The reply will be publicly visible to
-# the room, originating from the sender.
+# a normal continuwuity admin command. The reply will be publicly visible
+# to the room, originating from the sender.
 #
 # example: \\!admin debug ping puppygock.gay
 #
 #admin_escape_commands = true

-# Automatically activate the conduwuit admin room console / CLI on
-# startup. This option can also be enabled with `--console` conduwuit
+# Automatically activate the continuwuity admin room console / CLI on
+# startup. This option can also be enabled with `--console` continuwuity
 # argument.
 #
 #admin_console_automatic = false

 # List of admin commands to execute on startup.
 #
-# This option can also be configured with the `--execute` conduwuit
+# This option can also be configured with the `--execute` continuwuity
 # argument and can take standard shell commands and environment variables
 #
-# For example: `./conduwuit --execute "server admin-notice conduwuit has
-# started up at $(date)"`
+# For example: `./continuwuity --execute "server admin-notice continuwuity
+# has started up at $(date)"`
 #
 # example: admin_execute = ["debug ping puppygock.gay", "debug echo hi"]`
 #
@@ -1426,7 +1473,7 @@

 # Ignore errors in startup commands.
 #
-# If false, conduwuit will error and fail to start if an admin execute
+# If false, continuwuity will error and fail to start if an admin execute
 # command (`--execute` / `admin_execute`) fails.
 #
 #admin_execute_errors_ignore = false
@@ -1447,15 +1494,14 @@
 # The default room tag to apply on the admin room.
 #
 # On some clients like Element, the room tag "m.server_notice" is a
-# special pinned room at the very bottom of your room list. The conduwuit
-# admin room can be pinned here so you always have an easy-to-access
-# shortcut dedicated to your admin room.
+# special pinned room at the very bottom of your room list. The
+# continuwuity admin room can be pinned here so you always have an
+# easy-to-access shortcut dedicated to your admin room.
 #
 #admin_room_tag = "m.server_notice"

 # Sentry.io crash/panic reporting, performance monitoring/metrics, etc.
-# This is NOT enabled by default. conduwuit's default Sentry reporting
-# endpoint domain is `o4506996327251968.ingest.us.sentry.io`.
+# This is NOT enabled by default.
 #
 #sentry = false

@@ -1463,7 +1509,7 @@
 #
 #sentry_endpoint = ""

-# Report your conduwuit server_name in Sentry.io crash reports and
+# Report your continuwuity server_name in Sentry.io crash reports and
 # metrics.
 #
 #sentry_send_server_name = false
@@ -1500,7 +1546,7 @@
 # Enable the tokio-console. This option is only relevant to developers.
 #
 #	For more information, see:
-# https://conduwuit.puppyirl.gay/development.html#debugging-with-tokio-console
+# https://continuwuity.org/development.html#debugging-with-tokio-console
 #
 #tokio_console = false

@@ -1640,19 +1686,29 @@
 #
 #server =

-# This item is undocumented. Please contribute documentation for it.
+# URL to a support page for the server, which will be served as part of
+# the MSC1929 server support endpoint at /.well-known/matrix/support.
+# Will be included alongside any contact information
 #
 #support_page =

-# This item is undocumented. Please contribute documentation for it.
+# Role string for server support contacts, to be served as part of the
+# MSC1929 server support endpoint at /.well-known/matrix/support.
 #
-#support_role =
+#support_role = "m.role.admin"

-# This item is undocumented. Please contribute documentation for it.
+# Email address for server support contacts, to be served as part of the
+# MSC1929 server support endpoint.
+# This will be used along with support_mxid if specified.
 #
 #support_email =

-# This item is undocumented. Please contribute documentation for it.
+# Matrix ID for server support contacts, to be served as part of the
+# MSC1929 server support endpoint.
+# This will be used along with support_email if specified.
+#
+# If no email or mxid is specified, all of the server's admins will be
+# listed.
 #
 #support_mxid =

@@ -1,4 +1,4 @@
-# conduwuit for Debian
+# Continuwuity for Debian

 Information about downloading and deploying the Debian package. This may also be
 referenced for other `apt`-based distros such as Ubuntu.
@@ -22,7 +22,7 @@ options in `/etc/conduwuit/conduwuit.toml`.

 ### Running

-The package uses the [`conduwuit.service`](../configuration/examples.md#example-systemd-unit-file) systemd unit file to start and stop conduwuit. The binary is installed at `/usr/sbin/conduwuit`.
+The package uses the [`conduwuit.service`](../configuration/examples.md#example-systemd-unit-file) systemd unit file to start and stop Continuwuity. The binary is installed at `/usr/sbin/conduwuit`.

 This package assumes by default that conduwuit will be placed behind a reverse proxy. The default config options apply (listening on `localhost` and TCP port `6167`). Matrix federation requires a valid domain name and TLS, so you will need to set up TLS certificates and renewal for it to work properly if you intend to federate.

@@ -1,9 +1,10 @@
 [Unit]
-Description=conduwuit Matrix homeserver
+
+Description=Continuwuity - Matrix homeserver
 Wants=network-online.target
 After=network-online.target
-Alias=matrix-conduwuit.service
 Documentation=https://continuwuity.org/
+Alias=matrix-conduwuit.service

 [Service]
 DynamicUser=yes
@@ -11,7 +12,10 @@ User=conduwuit
 Group=conduwuit
 Type=notify

-Environment="CONDUWUIT_CONFIG=/etc/conduwuit/conduwuit.toml"
+Environment="CONTINUWUITY_CONFIG=/etc/conduwuit/conduwuit.toml"
+
+Environment="CONTINUWUITY_LOG_TO_JOURNALD=1"
+Environment="CONTINUWUITY_JOURNALD_IDENTIFIER=%N"

 ExecStart=/usr/sbin/conduwuit

@@ -1,15 +1,16 @@
 ARG RUST_VERSION=1
+ARG DEBIAN_VERSION=bookworm

 FROM --platform=$BUILDPLATFORM docker.io/tonistiigi/xx AS xx
-FROM --platform=$BUILDPLATFORM rust:${RUST_VERSION}-slim-bookworm AS base
-FROM --platform=$BUILDPLATFORM rust:${RUST_VERSION}-slim-bookworm AS toolchain
+FROM --platform=$BUILDPLATFORM rust:${RUST_VERSION}-slim-${DEBIAN_VERSION} AS base
+FROM --platform=$BUILDPLATFORM rust:${RUST_VERSION}-slim-${DEBIAN_VERSION} AS toolchain

 # Prevent deletion of apt cache
 RUN rm -f /etc/apt/apt.conf.d/docker-clean

 # Match Rustc version as close as possible
 # rustc -vV
-ARG LLVM_VERSION=19
+ARG LLVM_VERSION=20
 # ENV RUSTUP_TOOLCHAIN=${RUST_VERSION}

 # Install repo tools
@@ -18,13 +19,22 @@ ARG LLVM_VERSION=19
 # Line three: for xx-verify
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
    --mount=type=cache,target=/var/lib/apt,sharing=locked \
-apt-get update && apt-get install -y \
-    clang-${LLVM_VERSION} lld-${LLVM_VERSION} pkg-config make jq \
-    curl git \
+    apt-get update && apt-get install -y \
+    pkg-config make jq \
+    curl git software-properties-common \
    file

+# LLVM packages
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
+    --mount=type=cache,target=/var/lib/apt,sharing=locked \
+    curl https://apt.llvm.org/llvm.sh > llvm.sh && \
+    chmod +x llvm.sh && \
+    ./llvm.sh ${LLVM_VERSION} && \
+    rm llvm.sh
+
 # Create symlinks for LLVM tools
 RUN <<EOF
+    set -o xtrace
    # clang
    ln -s /usr/bin/clang-${LLVM_VERSION} /usr/bin/clang
    ln -s "/usr/bin/clang++-${LLVM_VERSION}" "/usr/bin/clang++"
@@ -38,7 +48,7 @@ EOF

 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.12.3
+ENV BINSTALL_VERSION=1.13.0
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree
@@ -46,6 +56,7 @@ ENV LDDTREE_VERSION=0.3.7

 # Install unpackaged tools
 RUN <<EOF
+    set -o xtrace
    curl --retry 5 -L --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/cargo-bins/cargo-binstall/main/install-from-binstall-release.sh | bash
    cargo binstall --no-confirm cargo-sbom --version $CARGO_SBOM_VERSION
    cargo binstall --no-confirm lddtree --version $LDDTREE_VERSION
@@ -59,7 +70,7 @@ ARG TARGETPLATFORM
 # xx-* are xx-specific meta-packages
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
    --mount=type=cache,target=/var/lib/apt,sharing=locked \
-xx-apt-get install -y \
+    xx-apt-get install -y \
    xx-c-essentials xx-cxx-essentials pkg-config \
    liburing-dev

@@ -75,6 +86,7 @@ RUN echo "CARGO_INCREMENTAL=0" >> /etc/environment

 # Configure pkg-config
 RUN <<EOF
+    set -o xtrace
    echo "PKG_CONFIG_LIBDIR=/usr/lib/$(xx-info)/pkgconfig" >> /etc/environment
    echo "PKG_CONFIG=/usr/bin/$(xx-info)-pkg-config" >> /etc/environment
    echo "PKG_CONFIG_ALLOW_CROSS=true" >> /etc/environment
@@ -82,12 +94,14 @@ EOF

 # Configure cc to use clang version
 RUN <<EOF
+    set -o xtrace
    echo "CC=clang" >> /etc/environment
    echo "CXX=clang++" >> /etc/environment
 EOF

 # Cross-language LTO
 RUN <<EOF
+    set -o xtrace
    echo "CFLAGS=-flto" >> /etc/environment
    echo "CXXFLAGS=-flto" >> /etc/environment
    # Linker is set to target-compatible clang by xx
@@ -98,6 +112,7 @@ EOF
 ARG TARGET_CPU=
 RUN <<EOF
  set -o allexport
+  set -o xtrace
  . /etc/environment
  if [ -n "${TARGET_CPU}" ]; then
    echo "CFLAGS='${CFLAGS} -march=${TARGET_CPU}'" >> /etc/environment
@@ -118,7 +133,6 @@ COPY . .
 ARG TARGETPLATFORM

 # Verify environment configuration
-RUN cat /etc/environment
 RUN xx-cargo --print-target-triple

 # Conduwuit version info
@@ -135,19 +149,21 @@ ENV GIT_REMOTE_COMMIT_URL=$GIT_REMOTE_COMMIT_URL
 ENV CONDUWUIT_VERSION_EXTRA=$CONDUWUIT_VERSION_EXTRA
 ENV CONTINUWUITY_VERSION_EXTRA=$CONTINUWUITY_VERSION_EXTRA

+ARG RUST_PROFILE=release

 # Build the binary
 RUN --mount=type=cache,target=/usr/local/cargo/registry \
    --mount=type=cache,target=/usr/local/cargo/git/db \
-    --mount=type=cache,target=/app/target \
+    --mount=type=cache,target=/app/target,id=cargo-target-${TARGET_CPU}-${TARGETPLATFORM}-${RUST_PROFILE} \
    bash <<'EOF'
    set -o allexport
+    set -o xtrace
    . /etc/environment
    TARGET_DIR=($(cargo metadata --no-deps --format-version 1 | \
            jq -r ".target_directory"))
    mkdir /out/sbin
    PACKAGE=conduwuit
-    xx-cargo build --locked --release \
+    xx-cargo build --locked --profile ${RUST_PROFILE} \
        -p $PACKAGE;
    BINARIES=($(cargo metadata --no-deps --format-version 1 | \
        jq -r ".packages[] | select(.name == \"$PACKAGE\") | .targets[] | select( .kind | map(. == \"bin\") | any ) | .name"))
@@ -162,6 +178,7 @@ EOF
 RUN --mount=type=cache,target=/usr/local/cargo/registry \
    --mount=type=cache,target=/usr/local/cargo/git/db \
    bash <<'EOF'
+    set -o xtrace
    mkdir /out/sbom
    typeset -A PACKAGES
    for BINARY in /out/sbin/*; do
@@ -180,6 +197,7 @@ EOF

 # Extract dynamically linked dependencies
 RUN <<EOF
+    set -o xtrace
    mkdir /out/libs
    mkdir /out/libs-root
    for BINARY in /out/sbin/*; do
@@ -15,8 +15,10 @@
 - [Appservices](appservices.md)
 - [Maintenance](maintenance.md)
 - [Troubleshooting](troubleshooting.md)
+- [Admin Command Reference](admin_reference.md)
 - [Development](development.md)
  - [Contributing](contributing.md)
  - [Testing](development/testing.md)
  - [Hot Reloading ("Live" Development)](development/hot_reload.md)
 - [Community (and Guidelines)](community.md)
+- [Security](security.md)
@@ -1,3 +1,5 @@
 # Continuwuity for Arch Linux

-Continuwuity does not have any Arch Linux packages at this time.
+Continuwuity is available on the `archlinuxcn` repository and AUR, with the same package name `continuwuity`, which includes latest taggged version. The development version is available on AUR as `continuwuity-git`
+
+Simply install the `continuwuity` package. Configure the service in `/etc/conduwuit/conduwuit.toml`, then enable/start the continuwuity.service.
@@ -7,30 +7,30 @@ services:
    image: forgejo.ellis.link/continuwuation/continuwuity:latest
    restart: unless-stopped
    volumes:
-      - db:/var/lib/conduwuit
-      - /etc/resolv.conf:/etc/resolv.conf:ro # Use the host's DNS resolver rather than Docker's. 
-      #- ./conduwuit.toml:/etc/conduwuit.toml
+      - db:/var/lib/continuwuity
+      - /etc/resolv.conf:/etc/resolv.conf:ro # Use the host's DNS resolver rather than Docker's.
+      #- ./continuwuity.toml:/etc/continuwuity.toml
    networks:
      - proxy
    environment:
-      CONDUWUIT_SERVER_NAME: your.server.name.example # EDIT THIS
-      CONDUWUIT_DATABASE_PATH: /var/lib/conduwuit
-      CONDUWUIT_PORT: 6167 # should match the loadbalancer traefik label
-      CONDUWUIT_MAX_REQUEST_SIZE: 20000000 # in bytes, ~20 MB
-      CONDUWUIT_ALLOW_REGISTRATION: 'true'
-      CONDUWUIT_REGISTRATION_TOKEN: 'YOUR_TOKEN' # A registration token is required when registration is allowed.
-      #CONDUWUIT_YES_I_AM_VERY_VERY_SURE_I_WANT_AN_OPEN_REGISTRATION_SERVER_PRONE_TO_ABUSE: 'true'
-      CONDUWUIT_ALLOW_FEDERATION: 'true'
-      CONDUWUIT_ALLOW_CHECK_FOR_UPDATES: 'true'
-      CONDUWUIT_TRUSTED_SERVERS: '["matrix.org"]'
-      #CONDUWUIT_LOG: warn,state_res=warn
-      CONDUWUIT_ADDRESS: 0.0.0.0
-      #CONDUWUIT_CONFIG: '/etc/conduwuit.toml' # Uncomment if you mapped config toml above
+      CONTINUWUITY_SERVER_NAME: your.server.name.example # EDIT THIS
+      CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
+      CONTINUWUITY_PORT: 6167 # should match the loadbalancer traefik label
+      CONTINUWUITY_MAX_REQUEST_SIZE: 20000000 # in bytes, ~20 MB
+      CONTINUWUITY_ALLOW_REGISTRATION: 'true'
+      CONTINUWUITY_REGISTRATION_TOKEN: 'YOUR_TOKEN' # A registration token is required when registration is allowed.
+      #CONTINUWUITY_YES_I_AM_VERY_VERY_SURE_I_WANT_AN_OPEN_REGISTRATION_SERVER_PRONE_TO_ABUSE: 'true'
+      CONTINUWUITY_ALLOW_FEDERATION: 'true'
+      CONTINUWUITY_ALLOW_CHECK_FOR_UPDATES: 'true'
+      CONTINUWUITY_TRUSTED_SERVERS: '["matrix.org"]'
+      #CONTINUWUITY_LOG: warn,state_res=warn
+      CONTINUWUITY_ADDRESS: 0.0.0.0
+      #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above

-      # We need some way to serve the client and server .well-known json. The simplest way is via the CONDUWUIT_WELL_KNOWN
-      # variable / config option, there are multiple ways to do this, e.g. in the conduwuit.toml file, and in a separate
+      # We need some way to serve the client and server .well-known json. The simplest way is via the CONTINUWUITY_WELL_KNOWN
+      # variable / config option, there are multiple ways to do this, e.g. in the continuwuity.toml file, and in a separate
      # see the override file for more information about delegation
-      CONDUWUIT_WELL_KNOWN: |
+      CONTINUWUITY_WELL_KNOWN: |
        {
        client=https://your.server.name.example,
        server=your.server.name.example:443
@@ -6,11 +6,11 @@ services:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"  # Change this to the name of your Traefik docker proxy network

-      - "traefik.http.routers.to-conduwuit.rule=Host(`<SUBDOMAIN>.<DOMAIN>`)"  # Change to the address on which Continuwuity is hosted
-      - "traefik.http.routers.to-conduwuit.tls=true"
-      - "traefik.http.routers.to-conduwuit.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.to-conduwuit.middlewares=cors-headers@docker"
-      - "traefik.http.services.to_conduwuit.loadbalancer.server.port=6167"
+      - "traefik.http.routers.to-continuwuity.rule=Host(`<SUBDOMAIN>.<DOMAIN>`)"  # Change to the address on which Continuwuity is hosted
+      - "traefik.http.routers.to-continuwuity.tls=true"
+      - "traefik.http.routers.to-continuwuity.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.to-continuwuity.middlewares=cors-headers@docker"
+      - "traefik.http.services.to_continuwuity.loadbalancer.server.port=6167"

      - "traefik.http.middlewares.cors-headers.headers.accessControlAllowOriginList=*"
      - "traefik.http.middlewares.cors-headers.headers.accessControlAllowHeaders=Origin, X-Requested-With, Content-Type, Accept, Authorization"
@@ -34,4 +34,3 @@ services:
  #         - "traefik.http.routers.to-element-web.tls.certresolver=letsencrypt"

 # vim: ts=2:sw=2:expandtab
-
@@ -25,23 +25,23 @@ services:
        image: forgejo.ellis.link/continuwuation/continuwuity:latest
        restart: unless-stopped
        volumes:
-            - db:/var/lib/conduwuit
-            - /etc/resolv.conf:/etc/resolv.conf:ro # Use the host's DNS resolver rather than Docker's. 
-            #- ./conduwuit.toml:/etc/conduwuit.toml
+            - db:/var/lib/continuwuity
+            - /etc/resolv.conf:/etc/resolv.conf:ro # Use the host's DNS resolver rather than Docker's.
+            #- ./continuwuity.toml:/etc/continuwuity.toml
        environment:
-            CONDUWUIT_SERVER_NAME: example.com # EDIT THIS
-            CONDUWUIT_DATABASE_PATH: /var/lib/conduwuit
-            CONDUWUIT_PORT: 6167
-            CONDUWUIT_MAX_REQUEST_SIZE: 20000000 # in bytes, ~20 MB
-            CONDUWUIT_ALLOW_REGISTRATION: 'true'
-            CONDUWUIT_REGISTRATION_TOKEN: 'YOUR_TOKEN' # A registration token is required when registration is allowed.
-            #CONDUWUIT_YES_I_AM_VERY_VERY_SURE_I_WANT_AN_OPEN_REGISTRATION_SERVER_PRONE_TO_ABUSE: 'true'
-            CONDUWUIT_ALLOW_FEDERATION: 'true'
-            CONDUWUIT_ALLOW_CHECK_FOR_UPDATES: 'true'
-            CONDUWUIT_TRUSTED_SERVERS: '["matrix.org"]'
-            #CONDUWUIT_LOG: warn,state_res=warn
-            CONDUWUIT_ADDRESS: 0.0.0.0
-            #CONDUWUIT_CONFIG: '/etc/conduwuit.toml' # Uncomment if you mapped config toml above
+            CONTINUWUITY_SERVER_NAME: example.com # EDIT THIS
+            CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
+            CONTINUWUITY_PORT: 6167
+            CONTINUWUITY_MAX_REQUEST_SIZE: 20000000 # in bytes, ~20 MB
+            CONTINUWUITY_ALLOW_REGISTRATION: 'true'
+            CONTINUWUITY_REGISTRATION_TOKEN: 'YOUR_TOKEN' # A registration token is required when registration is allowed.
+            #CONTINUWUITY_YES_I_AM_VERY_VERY_SURE_I_WANT_AN_OPEN_REGISTRATION_SERVER_PRONE_TO_ABUSE: 'true'
+            CONTINUWUITY_ALLOW_FEDERATION: 'true'
+            CONTINUWUITY_ALLOW_CHECK_FOR_UPDATES: 'true'
+            CONTINUWUITY_TRUSTED_SERVERS: '["matrix.org"]'
+            #CONTINUWUITY_LOG: warn,state_res=warn
+            CONTINUWUITY_ADDRESS: 0.0.0.0
+            #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
        networks:
            - caddy
        labels:
@@ -7,38 +7,38 @@ services:
    image: forgejo.ellis.link/continuwuation/continuwuity:latest
    restart: unless-stopped
    volumes:
-      - db:/var/lib/conduwuit
-      - /etc/resolv.conf:/etc/resolv.conf:ro # Use the host's DNS resolver rather than Docker's. 
-      #- ./conduwuit.toml:/etc/conduwuit.toml
+      - db:/var/lib/continuwuity
+      - /etc/resolv.conf:/etc/resolv.conf:ro # Use the host's DNS resolver rather than Docker's.
+      #- ./continuwuity.toml:/etc/continuwuity.toml
    networks:
      - proxy
    environment:
-      CONDUWUIT_SERVER_NAME: your.server.name.example # EDIT THIS
-      CONDUWUIT_TRUSTED_SERVERS: '["matrix.org"]'
-      CONDUWUIT_ALLOW_REGISTRATION: 'false' # After setting a secure registration token, you can enable this
-      CONDUWUIT_REGISTRATION_TOKEN: "" # This is a token you can use to register on the server
-      #CONDUWUIT_REGISTRATION_TOKEN_FILE: "" # Alternatively you can configure a path to a token file to read
-      CONDUWUIT_ADDRESS: 0.0.0.0
-      CONDUWUIT_PORT: 6167 # you need to match this with the traefik load balancer label if you're want to change it
-      CONDUWUIT_DATABASE_PATH: /var/lib/conduwuit
-      #CONDUWUIT_CONFIG: '/etc/conduit.toml' # Uncomment if you mapped config toml above
+      CONTINUWUITY_SERVER_NAME: your.server.name.example # EDIT THIS
+      CONTINUWUITY_TRUSTED_SERVERS: '["matrix.org"]'
+      CONTINUWUITY_ALLOW_REGISTRATION: 'false' # After setting a secure registration token, you can enable this
+      CONTINUWUITY_REGISTRATION_TOKEN: "" # This is a token you can use to register on the server
+      #CONTINUWUITY_REGISTRATION_TOKEN_FILE: "" # Alternatively you can configure a path to a token file to read
+      CONTINUWUITY_ADDRESS: 0.0.0.0
+      CONTINUWUITY_PORT: 6167 # you need to match this with the traefik load balancer label if you're want to change it
+      CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
+      #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
      ### Uncomment and change values as desired, note that Continuwuity has plenty of config options, so you should check out the example example config too
      # Available levels are: error, warn, info, debug, trace - more info at: https://docs.rs/env_logger/*/env_logger/#enabling-logging
-      # CONDUWUIT_LOG: info  # default is: "warn,state_res=warn"
-      # CONDUWUIT_ALLOW_ENCRYPTION: 'true'
-      # CONDUWUIT_ALLOW_FEDERATION: 'true'
-      # CONDUWUIT_ALLOW_CHECK_FOR_UPDATES: 'true'
-      # CONDUWUIT_ALLOW_INCOMING_PRESENCE: true
-      # CONDUWUIT_ALLOW_OUTGOING_PRESENCE: true
-      # CONDUWUIT_ALLOW_LOCAL_PRESENCE: true
-      # CONDUWUIT_WORKERS: 10
-      # CONDUWUIT_MAX_REQUEST_SIZE: 20000000  # in bytes, ~20 MB
-      # CONDUWUIT_NEW_USER_DISPLAYNAME_SUFFIX = "🏳<200d>⚧"
+      # CONTINUWUITY_LOG: info  # default is: "warn,state_res=warn"
+      # CONTINUWUITY_ALLOW_ENCRYPTION: 'true'
+      # CONTINUWUITY_ALLOW_FEDERATION: 'true'
+      # CONTINUWUITY_ALLOW_CHECK_FOR_UPDATES: 'true'
+      # CONTINUWUITY_ALLOW_INCOMING_PRESENCE: true
+      # CONTINUWUITY_ALLOW_OUTGOING_PRESENCE: true
+      # CONTINUWUITY_ALLOW_LOCAL_PRESENCE: true
+      # CONTINUWUITY_WORKERS: 10
+      # CONTINUWUITY_MAX_REQUEST_SIZE: 20000000  # in bytes, ~20 MB
+      # CONTINUWUITY_NEW_USER_DISPLAYNAME_SUFFIX = "🏳<200d>⚧"

-      # We need some way to serve the client and server .well-known json. The simplest way is via the CONDUWUIT_WELL_KNOWN
-      # variable / config option, there are multiple ways to do this, e.g. in the conduwuit.toml file, and in a separate
+      # We need some way to serve the client and server .well-known json. The simplest way is via the CONTINUWUITY_WELL_KNOWN
+      # variable / config option, there are multiple ways to do this, e.g. in the continuwuity.toml file, and in a separate
      # reverse proxy, but since you do not have a reverse proxy and following this guide, this example is included
-      CONDUWUIT_WELL_KNOWN: |
+      CONTINUWUITY_WELL_KNOWN: |
        {
          client=https://your.server.name.example,
          server=your.server.name.example:443
@@ -9,22 +9,22 @@ services:
        ports:
            - 8448:6167
        volumes:
-            - db:/var/lib/conduwuit
-            #- ./conduwuit.toml:/etc/conduwuit.toml
+            - db:/var/lib/continuwuity
+            #- ./continuwuity.toml:/etc/continuwuity.toml
        environment:
-            CONDUWUIT_SERVER_NAME: your.server.name # EDIT THIS
-            CONDUWUIT_DATABASE_PATH: /var/lib/conduwuit
-            CONDUWUIT_PORT: 6167
-            CONDUWUIT_MAX_REQUEST_SIZE: 20000000 # in bytes, ~20 MB
-            CONDUWUIT_ALLOW_REGISTRATION: 'true'
-            CONDUWUIT_REGISTRATION_TOKEN: 'YOUR_TOKEN' # A registration token is required when registration is allowed.
-            #CONDUWUIT_YES_I_AM_VERY_VERY_SURE_I_WANT_AN_OPEN_REGISTRATION_SERVER_PRONE_TO_ABUSE: 'true'
-            CONDUWUIT_ALLOW_FEDERATION: 'true'
-            CONDUWUIT_ALLOW_CHECK_FOR_UPDATES: 'true'
-            CONDUWUIT_TRUSTED_SERVERS: '["matrix.org"]'
-            #CONDUWUIT_LOG: warn,state_res=warn
-            CONDUWUIT_ADDRESS: 0.0.0.0
-            #CONDUWUIT_CONFIG: '/etc/conduwuit.toml' # Uncomment if you mapped config toml above
+            CONTINUWUITY_SERVER_NAME: your.server.name # EDIT THIS
+            CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
+            CONTINUWUITY_PORT: 6167
+            CONTINUWUITY_MAX_REQUEST_SIZE: 20000000 # in bytes, ~20 MB
+            CONTINUWUITY_ALLOW_REGISTRATION: 'true'
+            CONTINUWUITY_REGISTRATION_TOKEN: 'YOUR_TOKEN' # A registration token is required when registration is allowed.
+            #CONTINUWUITY_YES_I_AM_VERY_VERY_SURE_I_WANT_AN_OPEN_REGISTRATION_SERVER_PRONE_TO_ABUSE: 'true'
+            CONTINUWUITY_ALLOW_FEDERATION: 'true'
+            CONTINUWUITY_ALLOW_CHECK_FOR_UPDATES: 'true'
+            CONTINUWUITY_TRUSTED_SERVERS: '["matrix.org"]'
+            #CONTINUWUITY_LOG: warn,state_res=warn
+            CONTINUWUITY_ADDRESS: 0.0.0.0
+            #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
    #
    ### Uncomment if you want to use your own Element-Web App.
    ### Note: You need to provide a config.json for Element and you also need a second
@@ -30,16 +30,16 @@ When you have the image you can simply run it with

 ```bash
 docker run -d -p 8448:6167 \
-    -v db:/var/lib/conduwuit/ \
-    -e CONDUWUIT_SERVER_NAME="your.server.name" \
-    -e CONDUWUIT_ALLOW_REGISTRATION=false \
-    --name conduwuit $LINK
+    -v db:/var/lib/continuwuity/ \
+    -e CONTINUWUITY_SERVER_NAME="your.server.name" \
+    -e CONTINUWUITY_ALLOW_REGISTRATION=false \
+    --name continuwuity $LINK
 ```

 or you can use [docker compose](#docker-compose).

 The `-d` flag lets the container run in detached mode. You may supply an
-optional `conduwuit.toml` config file, the example config can be found
+optional `continuwuity.toml` config file, the example config can be found
 [here](../configuration/examples.md). You can pass in different env vars to
 change config values on the fly. You can even configure Continuwuity completely by
 using env vars. For an overview of possible values, please take a look at the
@@ -115,7 +115,7 @@ ReadWritePaths=/path/to/custom/database/path
 ## Creating the Continuwuity configuration file

 Now we need to create the Continuwuity's config file in
-`/etc/conduwuit/conduwuit.toml`. The example config can be found at
+`/etc/continuwuity/continuwuity.toml`. The example config can be found at
 [conduwuit-example.toml](../configuration/examples.md).

 **Please take a moment to read the config. You need to change at least the
@@ -29,7 +29,7 @@ appropriately to use Continuwuity instead of Conduit.

 Due to the lack of a Continuwuity NixOS module, when using the `services.matrix-conduit` module
 a workaround like the one below is necessary to use UNIX sockets. This is because the UNIX
-socket option does not exist in Conduit, and the module forcibly sets the `address` and 
+socket option does not exist in Conduit, and the module forcibly sets the `address` and
 `port` config options.

 ```nix
@@ -68,31 +68,22 @@ do this if Rust supported workspace-level features to begin with.

 ## List of forked dependencies

-During Continuwuity development, we have had to fork
-some dependencies to support our use-cases in some areas. This ranges from
-things said upstream project won't accept for any reason, faster-paced
-development (unresponsive or slow upstream), Continuwuity-specific usecases, or
-lack of time to upstream some things.
+During Continuwuity (and prior projects) development, we have had to fork some dependencies to support our use-cases.
+These forks exist for various reasons including features that upstream projects won't accept,
+faster-paced development, Continuwuity-specific usecases, or lack of time to upstream changes.

- [ruma/ruma][1]: <https://github.com/girlbossceo/ruwuma> - various performance
-improvements, more features, faster-paced development, better client/server interop
-hacks upstream won't accept, etc
- [facebook/rocksdb][2]: <https://github.com/girlbossceo/rocksdb> - liburing
-build fixes and GCC debug build fix
- [tikv/jemallocator][3]: <https://github.com/girlbossceo/jemallocator> - musl
-builds seem to be broken on upstream, fixes some broken/suspicious code in
-places, additional safety measures, and support redzones for Valgrind
- [zyansheep/rustyline-async][4]:
-<https://github.com/girlbossceo/rustyline-async> - tab completion callback and
-`CTRL+\` signal quit event for Continuwuity console CLI
- [rust-rocksdb/rust-rocksdb][5]:
-<https://github.com/girlbossceo/rust-rocksdb-zaidoon1> - [`@zaidoon1`][8]'s fork
-has quicker updates, more up to date dependencies, etc. Our fork fixes musl build
-issues, removes unnecessary `gtest` include, and uses our RocksDB and jemallocator
-forks.
- [tokio-rs/tracing][6]: <https://github.com/girlbossceo/tracing> - Implements
-`Clone` for `EnvFilter` to support dynamically changing tracing envfilter's
-alongside other logging/metrics things
+All forked dependencies are maintained under the [continuwuation organization on Forgejo](https://forgejo.ellis.link/continuwuation):
+
+- [ruwuma][continuwuation-ruwuma] - Fork of [ruma/ruma][ruma] with various performance improvements, more features and better client/server interop
+- [rocksdb][continuwuation-rocksdb] - Fork of [facebook/rocksdb][rocksdb] via [`@zaidoon1`][8] with liburing build fixes and GCC debug build fixes
+- [jemallocator][continuwuation-jemallocator] - Fork of [tikv/jemallocator][jemallocator] fixing musl builds, suspicious code,
+  and adding support for redzones in Valgrind
+- [rustyline-async][continuwuation-rustyline-async] - Fork of [zyansheep/rustyline-async][rustyline-async] with tab completion callback
+  and `CTRL+\` signal quit event for Continuwuity console CLI
+- [rust-rocksdb][continuwuation-rust-rocksdb] - Fork of [rust-rocksdb/rust-rocksdb][rust-rocksdb] fixing musl build issues,
+  removing unnecessary `gtest` include, and using our RocksDB and jemallocator forks
+- [tracing][continuwuation-tracing] - Fork of [tokio-rs/tracing][tracing] implementing `Clone` for `EnvFilter` to
+  support dynamically changing tracing environments

 ## Debugging with `tokio-console`

@@ -113,12 +104,30 @@ You will also need to enable the `tokio_console` config option in Continuwuity w
 starting it. This was due to tokio-console causing gradual memory leak/usage
 if left enabled.

-[1]: https://github.com/ruma/ruma/
-[2]: https://github.com/facebook/rocksdb/
-[3]: https://github.com/tikv/jemallocator/
-[4]: https://github.com/zyansheep/rustyline-async/
-[5]: https://github.com/rust-rocksdb/rust-rocksdb/
-[6]: https://github.com/tokio-rs/tracing/
+## Building Docker Images
+
+To build a Docker image for Continuwuity, use the standard Docker build command:
+
+```bash
+docker build -f docker/Dockerfile .
+```
+
+The image can be cross-compiled for different architectures.
+
+[continuwuation-ruwuma]: https://forgejo.ellis.link/continuwuation/ruwuma
+[continuwuation-rocksdb]: https://forgejo.ellis.link/continuwuation/rocksdb
+[continuwuation-jemallocator]: https://forgejo.ellis.link/continuwuation/jemallocator
+[continuwuation-rustyline-async]: https://forgejo.ellis.link/continuwuation/rustyline-async
+[continuwuation-rust-rocksdb]: https://forgejo.ellis.link/continuwuation/rust-rocksdb
+[continuwuation-tracing]: https://forgejo.ellis.link/continuwuation/tracing
+
+[ruma]: https://github.com/ruma/ruma/
+[rocksdb]: https://github.com/facebook/rocksdb/
+[jemallocator]: https://github.com/tikv/jemallocator/
+[rustyline-async]: https://github.com/zyansheep/rustyline-async/
+[rust-rocksdb]: https://github.com/rust-rocksdb/rust-rocksdb/
+[tracing]: https://github.com/tokio-rs/tracing/
+
 [7]: https://docs.rs/tokio-console/latest/tokio_console/
 [8]: https://github.com/zaidoon1/
 [9]: https://github.com/rust-lang/cargo/issues/12162
@@ -190,7 +190,7 @@ The initial implementation PR is available [here][1].
 - [Workspace-level metadata
 (cargo-deb)](https://github.com/kornelski/cargo-deb/issues/68)

-[1]: https://github.com/girlbossceo/conduwuit/pull/387
+[1]: https://forgejo.ellis.link/continuwuation/continuwuity/pulls/387
 [2]: https://wiki.musl-libc.org/functional-differences-from-glibc.html#Unloading-libraries
 [3]: https://github.com/rust-lang/rust/issues/28794
 [4]: https://github.com/rust-lang/rust/issues/28794#issuecomment-368693049
@@ -24,8 +24,9 @@ and run the script.
 If you're on macOS and need to build an image, run `nix build .#linux-complement`.

 We have a Complement fork as some tests have needed to be fixed. This can be found
-at: <https://github.com/girlbossceo/complement>
+at: <https://forgejo.ellis.link/continuwuation/complement>

-[ci-workflows]: https://github.com/girlbossceo/conduwuit/actions/workflows/ci.yml?query=event%3Apush+is%3Asuccess+actor%3Agirlbossceo
+[ci-workflows]:
+https://forgejo.ellis.link/continuwuation/continuwuity/actions/?workflow=ci.yml&actor=0&status=1
 [complement]: https://github.com/matrix-org/complement
 [direnv]: https://direnv.net/docs/hook.html
@@ -0,0 +1 @@
+{{#include ../SECURITY.md}}
@@ -0,0 +1,21 @@
+# Command-Line Help for `continuwuity`
+
+This document contains the help content for the `continuwuity` command-line program.
+
+**Command Overview:**
+
+* [`continuwuity`↴](#continuwuity)
+
+## `continuwuity`
+
+a very cool Matrix chat homeserver written in Rust
+
+**Usage:** `continuwuity [OPTIONS]`
+
+###### **Options:**
+
+* `-c`, `--config <CONFIG>` — Path to the config TOML file (optional)
+* `-O`, `--option <OPTION>` — Override a configuration variable using TOML 'key=value' syntax
+* `--read-only` — Run in a stricter read-only --maintenance mode
+* `--maintenance` — Run in maintenance mode while refusing connections
+* `--execute <EXECUTE>` — Execute console command automatically after startup
@@ -3,4 +3,4 @@
  Content-Type: application/json
 /.well-known/continuwuity/*
  Access-Control-Allow-Origin: *
-  Content-Type: application/json
+  Content-Type: application/json
@@ -4,6 +4,10 @@
        {
            "id": 1,
            "message": "Welcome to Continuwuity! Important announcements about the project will appear here."
+        },
+        {
+            "id": 2,
+            "message": "🎉 Continuwuity v0.5.0-rc.6 is now available! This release includes improved knock-restricted room handling, automatic support contact configuration, and a new HTML landing page. Check [the release notes for full details](https://forgejo.ellis.link/continuwuation/continuwuity/releases/tag/v0.5.0-rc.6) and upgrade instructions."
        }
    ]
-}
+}
@@ -3,7 +3,7 @@
    "$id": "https://continwuity.org/schema/announcements.schema.json",
    "type": "object",
    "properties": {
-      "updates": {
+      "announcements": {
        "type": "array",
        "items": {
          "type": "object",
@@ -16,6 +16,10 @@
            },
            "date": {
              "type": "string"
+            },
+            "mention_room": {
+              "type": "boolean",
+              "description": "Whether to mention the room (@room) when posting this announcement"
            }
          },
          "required": [
@@ -26,6 +30,6 @@
      }
    },
    "required": [
-      "updates"
+      "announcements"
    ]
-  }
+  }
@@ -21,4 +21,4 @@
    }
  ],
  "support_page": "https://continuwuity.org/introduction#contact"
-}
+}
@@ -10,11 +10,11 @@
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
-        "lastModified": 1738524606,
-        "narHash": "sha256-hPYEJ4juK3ph7kbjbvv7PlU1D9pAkkhl+pwx8fZY53U=",
+        "lastModified": 1751403276,
+        "narHash": "sha256-V0EPQNsQko1a8OqIWc2lLviLnMpR1m08Ej00z5RVTfs=",
        "owner": "zhaofengli",
        "repo": "attic",
-        "rev": "ff8a897d1f4408ebbf4d45fa9049c06b3e1e3f4e",
+        "rev": "896ad88fa57ad5dbcd267c0ac51f1b71ccfcb4dd",
        "type": "github"
      },
      "original": {
@@ -32,11 +32,11 @@
        "nixpkgs": "nixpkgs_4"
      },
      "locked": {
-        "lastModified": 1737621947,
-        "narHash": "sha256-8HFvG7fvIFbgtaYAY2628Tb89fA55nPm2jSiNs0/Cws=",
+        "lastModified": 1748883665,
+        "narHash": "sha256-R0W7uAg+BLoHjMRMQ8+oiSbTq8nkGz5RDpQ+ZfxxP3A=",
        "owner": "cachix",
        "repo": "cachix",
-        "rev": "f65a3cd5e339c223471e64c051434616e18cc4f5",
+        "rev": "f707778d902af4d62d8dd92c269f8e70de09acbe",
        "type": "github"
      },
      "original": {
@@ -63,11 +63,11 @@
        "nixpkgs": "nixpkgs_2"
      },
      "locked": {
-        "lastModified": 1728672398,
-        "narHash": "sha256-KxuGSoVUFnQLB2ZcYODW7AVPAh9JqRlD5BrfsC/Q4qs=",
+        "lastModified": 1744206633,
+        "narHash": "sha256-pb5aYkE8FOoa4n123slgHiOf1UbNSnKe5pEZC+xXD5g=",
        "owner": "cachix",
        "repo": "cachix",
-        "rev": "aac51f698309fd0f381149214b7eee213c66ef0a",
+        "rev": "8a60090640b96f9df95d1ab99e5763a586be1404",
        "type": "github"
      },
      "original": {
@@ -77,23 +77,6 @@
        "type": "github"
      }
    },
-    "complement": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1741891349,
-        "narHash": "sha256-YvrzOWcX7DH1drp5SGa+E/fc7wN3hqFtPbqPjZpOu1Q=",
-        "owner": "girlbossceo",
-        "repo": "complement",
-        "rev": "e587b3df569cba411aeac7c20b6366d03c143745",
-        "type": "github"
-      },
-      "original": {
-        "owner": "girlbossceo",
-        "ref": "main",
-        "repo": "complement",
-        "type": "github"
-      }
-    },
    "crane": {
      "inputs": {
        "nixpkgs": [
@@ -117,11 +100,11 @@
    },
    "crane_2": {
      "locked": {
-        "lastModified": 1739936662,
-        "narHash": "sha256-x4syUjNUuRblR07nDPeLDP7DpphaBVbUaSoeZkFbGSk=",
+        "lastModified": 1750266157,
+        "narHash": "sha256-tL42YoNg9y30u7zAqtoGDNdTyXTi8EALDeCB13FtbQA=",
        "owner": "ipetkov",
        "repo": "crane",
-        "rev": "19de14aaeb869287647d9461cbd389187d8ecdb7",
+        "rev": "e37c943371b73ed87faf33f7583860f81f1d5a48",
        "type": "github"
      },
      "original": {
@@ -149,11 +132,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1733323168,
-        "narHash": "sha256-d5DwB4MZvlaQpN6OQ4SLYxb5jA4UH5EtV5t5WOtjLPU=",
+        "lastModified": 1748273445,
+        "narHash": "sha256-5V0dzpNgQM0CHDsMzh+ludYeu1S+Y+IMjbaskSSdFh0=",
        "owner": "cachix",
        "repo": "devenv",
-        "rev": "efa9010b8b1cfd5dd3c7ed1e172a470c3b84a064",
+        "rev": "668a50d8b7bdb19a0131f53c9f6c25c9071e1ffb",
        "type": "github"
      },
      "original": {
@@ -170,11 +153,11 @@
        "rust-analyzer-src": "rust-analyzer-src"
      },
      "locked": {
-        "lastModified": 1740724364,
-        "narHash": "sha256-D1jLIueJx1dPrP09ZZwTrPf4cubV+TsFMYbpYYTVj6A=",
+        "lastModified": 1751525020,
+        "narHash": "sha256-oDO6lCYS5Bf4jUITChj9XV7k3TP38DE0Ckz5n5ORCME=",
        "owner": "nix-community",
        "repo": "fenix",
-        "rev": "edf7d9e431cda8782e729253835f178a356d3aab",
+        "rev": "a1a5f92f47787e7df9f30e5e5ac13e679215aa1e",
        "type": "github"
      },
      "original": {
@@ -203,11 +186,11 @@
    "flake-compat_2": {
      "flake": false,
      "locked": {
-        "lastModified": 1733328505,
-        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
+        "lastModified": 1747046372,
+        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
        "owner": "edolstra",
        "repo": "flake-compat",
-        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
+        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
        "type": "github"
      },
      "original": {
@@ -219,11 +202,11 @@
    "flake-compat_3": {
      "flake": false,
      "locked": {
-        "lastModified": 1733328505,
-        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
+        "lastModified": 1747046372,
+        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
        "owner": "edolstra",
        "repo": "flake-compat",
-        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
+        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
        "type": "github"
      },
      "original": {
@@ -306,15 +289,14 @@
        "nixpkgs": [
          "cachix",
          "nixpkgs"
-        ],
-        "nixpkgs-stable": "nixpkgs-stable_2"
+        ]
      },
      "locked": {
-        "lastModified": 1733318908,
-        "narHash": "sha256-SVQVsbafSM1dJ4fpgyBqLZ+Lft+jcQuMtEL3lQWx2Sk=",
+        "lastModified": 1747372754,
+        "narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=",
        "owner": "cachix",
        "repo": "git-hooks.nix",
-        "rev": "6f4e2a2112050951a314d2733a994fbab94864c6",
+        "rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46",
        "type": "github"
      },
      "original": {
@@ -361,23 +343,6 @@
        "type": "github"
      }
    },
-    "liburing": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1740613216,
-        "narHash": "sha256-NpPOBqNND3Qe9IwqYs0mJLGTmIx7e6FgUEBAnJ+1ZLA=",
-        "owner": "axboe",
-        "repo": "liburing",
-        "rev": "e1003e496e66f9b0ae06674869795edf772d5500",
-        "type": "github"
-      },
-      "original": {
-        "owner": "axboe",
-        "ref": "master",
-        "repo": "liburing",
-        "type": "github"
-      }
-    },
    "nix": {
      "inputs": {
        "flake-compat": [
@@ -401,11 +366,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1727438425,
-        "narHash": "sha256-X8ES7I1cfNhR9oKp06F6ir4Np70WGZU5sfCOuNBEwMg=",
+        "lastModified": 1745930071,
+        "narHash": "sha256-bYyjarS3qSNqxfgc89IoVz8cAFDkF9yPE63EJr+h50s=",
        "owner": "domenkozar",
        "repo": "nix",
-        "rev": "f6c5ae4c1b2e411e6b1e6a8181cc84363d6a7546",
+        "rev": "b455edf3505f1bf0172b39a735caef94687d0d9c",
        "type": "github"
      },
      "original": {
@@ -484,29 +449,13 @@
        "type": "github"
      }
    },
-    "nixpkgs-stable_2": {
-      "locked": {
-        "lastModified": 1730741070,
-        "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-24.05",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1730531603,
-        "narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=",
+        "lastModified": 1733212471,
+        "narHash": "sha256-M1+uCoV5igihRfcUKrr1riygbe73/dzNnzPsmaLCmpo=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d",
+        "rev": "55d15ad12a74eb7d4646254e13638ad0c4128776",
        "type": "github"
      },
      "original": {
@@ -534,11 +483,11 @@
    },
    "nixpkgs_4": {
      "locked": {
-        "lastModified": 1733212471,
-        "narHash": "sha256-M1+uCoV5igihRfcUKrr1riygbe73/dzNnzPsmaLCmpo=",
+        "lastModified": 1748190013,
+        "narHash": "sha256-R5HJFflOfsP5FBtk+zE8FpL8uqE7n62jqOsADvVshhE=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "55d15ad12a74eb7d4646254e13638ad0c4128776",
+        "rev": "62b852f6c6742134ade1abdd2a21685fd617a291",
        "type": "github"
      },
      "original": {
@@ -550,11 +499,11 @@
    },
    "nixpkgs_5": {
      "locked": {
-        "lastModified": 1740547748,
-        "narHash": "sha256-Ly2fBL1LscV+KyCqPRufUBuiw+zmWrlJzpWOWbahplg=",
+        "lastModified": 1751498133,
+        "narHash": "sha256-QWJ+NQbMU+NcU2xiyo7SNox1fAuwksGlQhpzBl76g1I=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "3a05eebede89661660945da1f151959900903b6a",
+        "rev": "d55716bb59b91ae9d1ced4b1ccdea7a442ecbfdb",
        "type": "github"
      },
      "original": {
@@ -569,28 +518,26 @@
      "locked": {
        "lastModified": 1741308171,
        "narHash": "sha256-YdBvdQ75UJg5ffwNjxizpviCVwVDJnBkM8ZtGIduMgY=",
-        "owner": "girlbossceo",
-        "repo": "rocksdb",
+        "ref": "v9.11.1",
        "rev": "3ce04794bcfbbb0d2e6f81ae35fc4acf688b6986",
-        "type": "github"
+        "revCount": 13177,
+        "type": "git",
+        "url": "https://forgejo.ellis.link/continuwuation/rocksdb"
      },
      "original": {
-        "owner": "girlbossceo",
        "ref": "v9.11.1",
-        "repo": "rocksdb",
-        "type": "github"
+        "type": "git",
+        "url": "https://forgejo.ellis.link/continuwuation/rocksdb"
      }
    },
    "root": {
      "inputs": {
        "attic": "attic",
        "cachix": "cachix",
-        "complement": "complement",
        "crane": "crane_2",
        "fenix": "fenix",
        "flake-compat": "flake-compat_3",
        "flake-utils": "flake-utils",
-        "liburing": "liburing",
        "nix-filter": "nix-filter",
        "nixpkgs": "nixpkgs_5",
        "rocksdb": "rocksdb"
@@ -599,11 +546,11 @@
    "rust-analyzer-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1740691488,
-        "narHash": "sha256-Fs6vBrByuiOf2WO77qeMDMTXcTGzrIMqLBv+lNeywwM=",
+        "lastModified": 1751433876,
+        "narHash": "sha256-IsdwOcvLLDDlkFNwhdD5BZy20okIQL01+UQ7Kxbqh8s=",
        "owner": "rust-lang",
        "repo": "rust-analyzer",
-        "rev": "fe3eda77d3a7ce212388bda7b6cec8bffcc077e5",
+        "rev": "11d45c881389dae90b0da5a94cde52c79d0fc7ef",
        "type": "github"
      },
      "original": {
@@ -2,577 +2,344 @@
  inputs = {
    attic.url = "github:zhaofengli/attic?ref=main";
    cachix.url = "github:cachix/cachix?ref=master";
-    complement = { url = "github:girlbossceo/complement?ref=main"; flake = false; };
-    crane = { url = "github:ipetkov/crane?ref=master"; };
-    fenix = { url = "github:nix-community/fenix?ref=main"; inputs.nixpkgs.follows = "nixpkgs"; };
-    flake-compat = { url = "github:edolstra/flake-compat?ref=master"; flake = false; };
+    crane = {
+      url = "github:ipetkov/crane?ref=master";
+    };
+    fenix = {
+      url = "github:nix-community/fenix?ref=main";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    flake-compat = {
+      url = "github:edolstra/flake-compat?ref=master";
+      flake = false;
+    };
    flake-utils.url = "github:numtide/flake-utils?ref=main";
    nix-filter.url = "github:numtide/nix-filter?ref=main";
    nixpkgs.url = "github:NixOS/nixpkgs?ref=nixpkgs-unstable";
-    rocksdb = { url = "github:girlbossceo/rocksdb?ref=v9.11.1"; flake = false; };
-    liburing = { url = "github:axboe/liburing?ref=master"; flake = false; };
+    rocksdb = {
+      url = "git+https://forgejo.ellis.link/continuwuation/rocksdb?ref=v9.11.1";
+      flake = false;
+    };
  };

-  outputs = inputs:
-    inputs.flake-utils.lib.eachDefaultSystem (system:
-    let
-      pkgsHost = import inputs.nixpkgs{
-        inherit system;
-      };
-      pkgsHostStatic = pkgsHost.pkgsStatic;
-
-      # The Rust toolchain to use
-      toolchain = inputs.fenix.packages.${system}.fromToolchainFile {
-        file = ./rust-toolchain.toml;
-
-        # See also `rust-toolchain.toml`
-        sha256 = "sha256-X/4ZBHO3iW0fOenQ3foEvscgAPJYl2abspaBThDOukI=";
-      };
-
-      mkScope = pkgs: pkgs.lib.makeScope pkgs.newScope (self: {
-        inherit pkgs;
-        book = self.callPackage ./nix/pkgs/book {};
-        complement = self.callPackage ./nix/pkgs/complement {};
-        craneLib = ((inputs.crane.mkLib pkgs).overrideToolchain (_: toolchain));
-        inherit inputs;
-        main = self.callPackage ./nix/pkgs/main {};
-        oci-image = self.callPackage ./nix/pkgs/oci-image {};
-        tini = pkgs.tini.overrideAttrs {
-            # newer clang/gcc is unhappy with tini-static: <https://3.dog/~strawberry/pb/c8y4>
-            patches = [ (pkgs.fetchpatch {
-                url = "https://patch-diff.githubusercontent.com/raw/krallin/tini/pull/224.patch";
-                hash = "sha256-4bTfAhRyIT71VALhHY13hUgbjLEUyvgkIJMt3w9ag3k=";
-              })
-            ];
-        };
-        liburing = pkgs.liburing.overrideAttrs {
-          # Tests weren't building
-          outputs = [ "out" "dev" "man" ];
-          buildFlags = [ "library" ];
-          src = inputs.liburing;
-        };
-        rocksdb = (pkgs.rocksdb.override {
-          liburing = self.liburing;
-        }).overrideAttrs (old: {
-          src = inputs.rocksdb;
-          version = pkgs.lib.removePrefix
-            "v"
-            (builtins.fromJSON (builtins.readFile ./flake.lock))
-              .nodes.rocksdb.original.ref;
-          # we have this already at https://github.com/girlbossceo/rocksdb/commit/a935c0273e1ba44eacf88ce3685a9b9831486155
-          # unsetting this so i don't have to revert it and make this nix exclusive
-          patches = [];
-          cmakeFlags = pkgs.lib.subtractLists
-            [
-              # no real reason to have snappy or zlib, no one uses this
-              "-DWITH_SNAPPY=1"
-              "-DZLIB=1"
-              "-DWITH_ZLIB=1"
-              # we dont need to use ldb or sst_dump (core_tools)
-              "-DWITH_CORE_TOOLS=1"
-              # we dont need to build rocksdb tests
-              "-DWITH_TESTS=1"
-              # we use rust-rocksdb via C interface and dont need C++ RTTI
-              "-DUSE_RTTI=1"
-              # this doesn't exist in RocksDB, and USE_SSE is deprecated for
-              # PORTABLE=$(march)
-              "-DFORCE_SSE42=1"
-              # PORTABLE will get set in main/default.nix
-              "-DPORTABLE=1"
-            ]
-            old.cmakeFlags
-            ++ [
-              # no real reason to have snappy, no one uses this
-              "-DWITH_SNAPPY=0"
-              "-DZLIB=0"
-              "-DWITH_ZLIB=0"
-              # we dont need to use ldb or sst_dump (core_tools)
-              "-DWITH_CORE_TOOLS=0"
-              # we dont need trace tools
-              "-DWITH_TRACE_TOOLS=0"
-              # we dont need to build rocksdb tests
-              "-DWITH_TESTS=0"
-              # we use rust-rocksdb via C interface and dont need C++ RTTI
-              "-DUSE_RTTI=0"
-            ];
-
-          # outputs has "tools" which we dont need or use
-          outputs = [ "out" ];
-
-          # preInstall hooks has stuff for messing with ldb/sst_dump which we dont need or use
-          preInstall = "";
-        });
-      });
-
-      scopeHost = mkScope pkgsHost;
-      scopeHostStatic = mkScope pkgsHostStatic;
-      scopeCrossLinux = mkScope pkgsHost.pkgsLinux.pkgsStatic;
-      mkCrossScope = crossSystem:
-        let pkgsCrossStatic = (import inputs.nixpkgs {
+  outputs =
+    inputs:
+    inputs.flake-utils.lib.eachDefaultSystem (
+      system:
+      let
+        pkgsHost = import inputs.nixpkgs {
          inherit system;
-          crossSystem = {
-           config = crossSystem;
-          };
-        }).pkgsStatic;
-         in
-        mkScope pkgsCrossStatic;
-
-      mkDevShell = scope: scope.pkgs.mkShell {
-        env = scope.main.env // {
-          # Rust Analyzer needs to be able to find the path to default crate
-          # sources, and it can read this environment variable to do so. The
-          # `rust-src` component is required in order for this to work.
-          RUST_SRC_PATH = "${toolchain}/lib/rustlib/src/rust/library";
-
-          # Convenient way to access a pinned version of Complement's source
-          # code.
-          COMPLEMENT_SRC = inputs.complement.outPath;
-
-          # Needed for Complement: <https://github.com/golang/go/issues/52690>
-          CGO_CFLAGS = "-Wl,--no-gc-sections";
-          CGO_LDFLAGS = "-Wl,--no-gc-sections";
        };

-        # Development tools
-        packages = [
-          # Always use nightly rustfmt because most of its options are unstable
-          #
-          # This needs to come before `toolchain` in this list, otherwise
-          # `$PATH` will have stable rustfmt instead.
-          inputs.fenix.packages.${system}.latest.rustfmt
+        # The Rust toolchain to use
+        toolchain = inputs.fenix.packages.${system}.fromToolchainFile {
+          file = ./rust-toolchain.toml;

-          toolchain
-        ]
-        ++ (with pkgsHost.pkgs; [
-          # Required by hardened-malloc.rs dep
-          binutils
+          # See also `rust-toolchain.toml`
+          sha256 = "sha256-KUm16pHj+cRedf8vxs/Hd2YWxpOrWZ7UOrwhILdSJBU=";
+        };

-          cargo-audit
-          cargo-auditable
+        mkScope =
+          pkgs:
+          pkgs.lib.makeScope pkgs.newScope (self: {
+            inherit pkgs inputs;
+            craneLib = (inputs.crane.mkLib pkgs).overrideToolchain (_: toolchain);
+            main = self.callPackage ./nix/pkgs/main { };
+            liburing = pkgs.liburing.overrideAttrs {
+              # Tests weren't building
+              outputs = [
+                "out"
+                "dev"
+                "man"
+              ];
+              buildFlags = [ "library" ];
+            };
+            rocksdb =
+              (pkgs.rocksdb_9_10.override {
+                # Override the liburing input for the build with our own so
+                # we have it built with the library flag
+                inherit (self) liburing;
+              }).overrideAttrs
+                (old: {
+                  src = inputs.rocksdb;
+                  version = "v9.11.1";
+                  cmakeFlags =
+                    pkgs.lib.subtractLists [
+                      # No real reason to have snappy or zlib, no one uses this
+                      "-DWITH_SNAPPY=1"
+                      "-DZLIB=1"
+                      "-DWITH_ZLIB=1"
+                      # We don't need to use ldb or sst_dump (core_tools)
+                      "-DWITH_CORE_TOOLS=1"
+                      # We don't need to build rocksdb tests
+                      "-DWITH_TESTS=1"
+                      # We use rust-rocksdb via C interface and don't need C++ RTTI
+                      "-DUSE_RTTI=1"
+                      # This doesn't exist in RocksDB, and USE_SSE is deprecated for
+                      # PORTABLE=$(march)
+                      "-DFORCE_SSE42=1"
+                      # PORTABLE will get set in main/default.nix
+                      "-DPORTABLE=1"
+                    ] old.cmakeFlags
+                    ++ [
+                      # No real reason to have snappy, no one uses this
+                      "-DWITH_SNAPPY=0"
+                      "-DZLIB=0"
+                      "-DWITH_ZLIB=0"
+                      # We don't need to use ldb or sst_dump (core_tools)
+                      "-DWITH_CORE_TOOLS=0"
+                      # We don't need trace tools
+                      "-DWITH_TRACE_TOOLS=0"
+                      # We don't need to build rocksdb tests
+                      "-DWITH_TESTS=0"
+                      # We use rust-rocksdb via C interface and don't need C++ RTTI
+                      "-DUSE_RTTI=0"
+                    ];

-          # Needed for producing Debian packages
-          cargo-deb
+                  # outputs has "tools" which we don't need or use
+                  outputs = [ "out" ];

-          # Needed for CI to check validity of produced Debian packages (dpkg-deb)
-          dpkg
+                  # preInstall hooks has stuff for messing with ldb/sst_dump which we don't need or use
+                  preInstall = "";

-	  engage
+                  # We have this already at https://forgejo.ellis.link/continuwuation/rocksdb/commit/a935c0273e1ba44eacf88ce3685a9b9831486155
+                  # Unsetting this so we don't have to revert it and make this nix exclusive
+                  patches = [ ];

-          # Needed for Complement
-          go
+                  postPatch = ''
+                    # Fix gcc-13 build failures due to missing <cstdint> and
+                    # <system_error> includes, fixed upstream since 8.x
+                    sed -e '1i #include <cstdint>' -i db/compaction/compaction_iteration_stats.h
+                    sed -e '1i #include <cstdint>' -i table/block_based/data_block_hash_index.h
+                    sed -e '1i #include <cstdint>' -i util/string_util.h
+                    sed -e '1i #include <cstdint>' -i include/rocksdb/utilities/checkpoint.h
+                  '';
+                });
+          });

-          # Needed for our script for Complement
-          jq
-          gotestfmt
+        scopeHost = mkScope pkgsHost;
+        mkCrossScope =
+          crossSystem:
+          let
+            pkgsCrossStatic =
+              (import inputs.nixpkgs {
+                inherit system;
+                crossSystem = {
+                  config = crossSystem;
+                };
+              }).pkgsStatic;
+          in
+          mkScope pkgsCrossStatic;

-          # Needed for finding broken markdown links
-          lychee
-
-          # Needed for linting markdown files
-          markdownlint-cli
-
-          # Useful for editing the book locally
-          mdbook
-
-          # used for rust caching in CI to speed it up
-          sccache
-        ]
-        # liburing is Linux-exclusive
-        ++ lib.optional stdenv.hostPlatform.isLinux liburing
-        ++ lib.optional stdenv.hostPlatform.isLinux numactl)
-        ++ scope.main.buildInputs
-        ++ scope.main.propagatedBuildInputs
-        ++ scope.main.nativeBuildInputs;
-      };
-    in
-    {
-      packages = {
-        default = scopeHost.main.override {
-            disable_features = [
-                # dont include experimental features
+      in
+      {
+        packages =
+          {
+            default = scopeHost.main.override {
+              disable_features = [
+                # Don't include experimental features
                "experimental"
                # jemalloc profiling/stats features are expensive and shouldn't
                # be expected on non-debug builds.
                "jemalloc_prof"
                "jemalloc_stats"
-                # this is non-functional on nix for some reason
+                # This is non-functional on nix for some reason
                "hardened_malloc"
                # conduwuit_mods is a development-only hot reload feature
                "conduwuit_mods"
-            ];
-        };
-        default-debug = scopeHost.main.override {
-            profile = "dev";
-            # debug build users expect full logs
-            disable_release_max_log_level = true;
-            disable_features = [
-                # dont include experimental features
+              ];
+            };
+            default-debug = scopeHost.main.override {
+              profile = "dev";
+              # Debug build users expect full logs
+              disable_release_max_log_level = true;
+              disable_features = [
+                # Don't include experimental features
+                "experimental"
+                # This is non-functional on nix for some reason
+                "hardened_malloc"
+                # conduwuit_mods is a development-only hot reload feature
+                "conduwuit_mods"
+              ];
+            };
+            # Just a test profile used for things like CI and complement
+            default-test = scopeHost.main.override {
+              profile = "test";
+              disable_release_max_log_level = true;
+              disable_features = [
+                # Don't include experimental features
                "experimental"
                # this is non-functional on nix for some reason
                "hardened_malloc"
                # conduwuit_mods is a development-only hot reload feature
                "conduwuit_mods"
-            ];
-        };
-        # just a test profile used for things like CI and complement
-        default-test = scopeHost.main.override {
-            profile = "test";
-            disable_release_max_log_level = true;
-            disable_features = [
-                # dont include experimental features
-                "experimental"
-                # this is non-functional on nix for some reason
-                "hardened_malloc"
-                # conduwuit_mods is a development-only hot reload feature
-                "conduwuit_mods"
-            ];
-        };
-        all-features = scopeHost.main.override {
-            all_features = true;
-            disable_features = [
-                # dont include experimental features
+              ];
+            };
+            all-features = scopeHost.main.override {
+              all_features = true;
+              disable_features = [
+                # Don't include experimental features
                "experimental"
                # jemalloc profiling/stats features are expensive and shouldn't
                # be expected on non-debug builds.
                "jemalloc_prof"
                "jemalloc_stats"
-                # this is non-functional on nix for some reason
+                # This is non-functional on nix for some reason
                "hardened_malloc"
                # conduwuit_mods is a development-only hot reload feature
                "conduwuit_mods"
-            ];
-        };
-        all-features-debug = scopeHost.main.override {
-            profile = "dev";
-            all_features = true;
-            # debug build users expect full logs
-            disable_release_max_log_level = true;
-            disable_features = [
-                # dont include experimental features
+              ];
+            };
+            all-features-debug = scopeHost.main.override {
+              profile = "dev";
+              all_features = true;
+              # Debug build users expect full logs
+              disable_release_max_log_level = true;
+              disable_features = [
+                # Don't include experimental features
                "experimental"
-                # this is non-functional on nix for some reason
+                # This is non-functional on nix for some reason
                "hardened_malloc"
                # conduwuit_mods is a development-only hot reload feature
                "conduwuit_mods"
-            ];
-        };
-        hmalloc = scopeHost.main.override { features = ["hardened_malloc"]; };
+              ];
+            };
+            hmalloc = scopeHost.main.override { features = [ "hardened_malloc" ]; };
+          }
+          // builtins.listToAttrs (
+            builtins.concatLists (
+              builtins.map
+                (
+                  crossSystem:
+                  let
+                    binaryName = "static-${crossSystem}";
+                    scopeCrossStatic = mkCrossScope crossSystem;
+                  in
+                  [
+                    # An output for a statically-linked binary
+                    {
+                      name = binaryName;
+                      value = scopeCrossStatic.main;
+                    }

-        oci-image = scopeHost.oci-image;
-        oci-image-all-features = scopeHost.oci-image.override {
-          main = scopeHost.main.override {
-            all_features = true;
-            disable_features = [
-                # dont include experimental features
-                "experimental"
-                # jemalloc profiling/stats features are expensive and shouldn't
-                # be expected on non-debug builds.
-                "jemalloc_prof"
-                "jemalloc_stats"
-                # this is non-functional on nix for some reason
-                "hardened_malloc"
-                # conduwuit_mods is a development-only hot reload feature
-                "conduwuit_mods"
-            ];
-          };
-        };
-        oci-image-all-features-debug = scopeHost.oci-image.override {
-          main = scopeHost.main.override {
-            profile = "dev";
-            all_features = true;
-            # debug build users expect full logs
-            disable_release_max_log_level = true;
-            disable_features = [
-                # dont include experimental features
-                "experimental"
-                # this is non-functional on nix for some reason
-                "hardened_malloc"
-                # conduwuit_mods is a development-only hot reload feature
-                "conduwuit_mods"
-            ];
-          };
-        };
-        oci-image-hmalloc = scopeHost.oci-image.override {
-          main = scopeHost.main.override {
-            features = ["hardened_malloc"];
-          };
-        };
+                    # An output for a statically-linked binary with x86_64 haswell
+                    # target optimisations
+                    {
+                      name = "${binaryName}-x86_64-haswell-optimised";
+                      value = scopeCrossStatic.main.override {
+                        x86_64_haswell_target_optimised =
+                          if (crossSystem == "x86_64-linux-gnu" || crossSystem == "x86_64-linux-musl") then true else false;
+                      };
+                    }

-        book = scopeHost.book;
-
-        complement = scopeHost.complement;
-        static-complement = scopeHostStatic.complement;
-        # macOS containers don't exist, so the complement images must be forced to linux
-        linux-complement = (mkCrossScope "${pkgsHost.hostPlatform.qemuArch}-linux-musl").complement;
-      }
-      //
-      builtins.listToAttrs
-        (builtins.concatLists
-          (builtins.map
-            (crossSystem:
-              let
-                binaryName = "static-${crossSystem}";
-                scopeCrossStatic = mkCrossScope crossSystem;
-              in
-              [
-                # An output for a statically-linked binary
-                {
-                  name = binaryName;
-                  value = scopeCrossStatic.main;
-                }
-
-                # An output for a statically-linked binary with x86_64 haswell
-                # target optimisations
-                {
-                  name = "${binaryName}-x86_64-haswell-optimised";
-                  value = scopeCrossStatic.main.override {
-                    x86_64_haswell_target_optimised = (if (crossSystem == "x86_64-linux-gnu" || crossSystem == "x86_64-linux-musl") then true else false);
-                  };
-                }
-
-                # An output for a statically-linked unstripped debug ("dev") binary
-                {
-                  name = "${binaryName}-debug";
-                  value = scopeCrossStatic.main.override {
-                    profile = "dev";
-                    # debug build users expect full logs
-                    disable_release_max_log_level = true;
-                  };
-                }
-
-                # An output for a statically-linked unstripped debug binary with the
-                # "test" profile (for CI usage only)
-                {
-                  name = "${binaryName}-test";
-                  value = scopeCrossStatic.main.override {
-                    profile = "test";
-                    disable_release_max_log_level = true;
-                    disable_features = [
-                        # dont include experimental features
-                        "experimental"
-                        # this is non-functional on nix for some reason
-                        "hardened_malloc"
-                        # conduwuit_mods is a development-only hot reload feature
-                        "conduwuit_mods"
-                    ];
-                  };
-                }
-
-                # An output for a statically-linked binary with `--all-features`
-                {
-                  name = "${binaryName}-all-features";
-                  value = scopeCrossStatic.main.override {
-                    all_features = true;
-                    disable_features = [
-                        # dont include experimental features
-                        "experimental"
-                        # jemalloc profiling/stats features are expensive and shouldn't
-                        # be expected on non-debug builds.
-                        "jemalloc_prof"
-                        "jemalloc_stats"
-                        # this is non-functional on nix for some reason
-                        "hardened_malloc"
-                        # conduwuit_mods is a development-only hot reload feature
-                        "conduwuit_mods"
-                    ];
-                  };
-                }
-
-                # An output for a statically-linked binary with `--all-features` and with x86_64 haswell
-                # target optimisations
-                {
-                  name = "${binaryName}-all-features-x86_64-haswell-optimised";
-                  value = scopeCrossStatic.main.override {
-                    all_features = true;
-                    disable_features = [
-                        # dont include experimental features
-                        "experimental"
-                        # jemalloc profiling/stats features are expensive and shouldn't
-                        # be expected on non-debug builds.
-                        "jemalloc_prof"
-                        "jemalloc_stats"
-                        # this is non-functional on nix for some reason
-                        "hardened_malloc"
-                        # conduwuit_mods is a development-only hot reload feature
-                        "conduwuit_mods"
-                    ];
-                    x86_64_haswell_target_optimised = (if (crossSystem == "x86_64-linux-gnu" || crossSystem == "x86_64-linux-musl") then true else false);
-                  };
-                }
-
-                # An output for a statically-linked unstripped debug ("dev") binary with `--all-features`
-                {
-                  name = "${binaryName}-all-features-debug";
-                  value = scopeCrossStatic.main.override {
-                    profile = "dev";
-                    all_features = true;
-                    # debug build users expect full logs
-                    disable_release_max_log_level = true;
-                    disable_features = [
-                        # dont include experimental features
-                        "experimental"
-                        # this is non-functional on nix for some reason
-                        "hardened_malloc"
-                        # conduwuit_mods is a development-only hot reload feature
-                        "conduwuit_mods"
-                    ];
-                  };
-                }
-
-                # An output for a statically-linked binary with hardened_malloc
-                {
-                  name = "${binaryName}-hmalloc";
-                  value = scopeCrossStatic.main.override {
-                    features = ["hardened_malloc"];
-                  };
-                }
-
-                # An output for an OCI image based on that binary
-                {
-                  name = "oci-image-${crossSystem}";
-                  value = scopeCrossStatic.oci-image;
-                }
-
-                # An output for an OCI image based on that binary with x86_64 haswell
-                # target optimisations
-                {
-                  name = "oci-image-${crossSystem}-x86_64-haswell-optimised";
-                  value = scopeCrossStatic.oci-image.override {
-                    main = scopeCrossStatic.main.override {
-                      x86_64_haswell_target_optimised = (if (crossSystem == "x86_64-linux-gnu" || crossSystem == "x86_64-linux-musl") then true else false);
-                    };
-                  };
-                }
-
-                # An output for an OCI image based on that unstripped debug ("dev") binary
-                {
-                  name = "oci-image-${crossSystem}-debug";
-                  value = scopeCrossStatic.oci-image.override {
-                    main = scopeCrossStatic.main.override {
+                    # An output for a statically-linked unstripped debug ("dev") binary
+                    {
+                      name = "${binaryName}-debug";
+                      value = scopeCrossStatic.main.override {
                        profile = "dev";
                        # debug build users expect full logs
                        disable_release_max_log_level = true;
-                    };
-                  };
-                }
+                      };
+                    }

-                # An output for an OCI image based on that binary with `--all-features`
-                {
-                  name = "oci-image-${crossSystem}-all-features";
-                  value = scopeCrossStatic.oci-image.override {
-                    main = scopeCrossStatic.main.override {
-                      all_features = true;
-                      disable_features = [
-                        # dont include experimental features
-                        "experimental"
-                        # jemalloc profiling/stats features are expensive and shouldn't
-                        # be expected on non-debug builds.
-                        "jemalloc_prof"
-                        "jemalloc_stats"
-                        # this is non-functional on nix for some reason
-                        "hardened_malloc"
-                        # conduwuit_mods is a development-only hot reload feature
-                        "conduwuit_mods"
-                      ];
-                    };
-                  };
-                }
+                    # An output for a statically-linked unstripped debug binary with the
+                    # "test" profile (for CI usage only)
+                    {
+                      name = "${binaryName}-test";
+                      value = scopeCrossStatic.main.override {
+                        profile = "test";
+                        disable_release_max_log_level = true;
+                        disable_features = [
+                          # dont include experimental features
+                          "experimental"
+                          # this is non-functional on nix for some reason
+                          "hardened_malloc"
+                          # conduwuit_mods is a development-only hot reload feature
+                          "conduwuit_mods"
+                        ];
+                      };
+                    }

-                # An output for an OCI image based on that binary with `--all-features` and with x86_64 haswell
-                # target optimisations
-                {
-                  name = "oci-image-${crossSystem}-all-features-x86_64-haswell-optimised";
-                  value = scopeCrossStatic.oci-image.override {
-                    main = scopeCrossStatic.main.override {
-                      all_features = true;
-                      disable_features = [
-                        # dont include experimental features
-                        "experimental"
-                        # jemalloc profiling/stats features are expensive and shouldn't
-                        # be expected on non-debug builds.
-                        "jemalloc_prof"
-                        "jemalloc_stats"
-                        # this is non-functional on nix for some reason
-                        "hardened_malloc"
-                        # conduwuit_mods is a development-only hot reload feature
-                        "conduwuit_mods"
-                      ];
-                      x86_64_haswell_target_optimised = (if (crossSystem == "x86_64-linux-gnu" || crossSystem == "x86_64-linux-musl") then true else false);
-                    };
-                  };
-                }
+                    # An output for a statically-linked binary with `--all-features`
+                    {
+                      name = "${binaryName}-all-features";
+                      value = scopeCrossStatic.main.override {
+                        all_features = true;
+                        disable_features = [
+                          # dont include experimental features
+                          "experimental"
+                          # jemalloc profiling/stats features are expensive and shouldn't
+                          # be expected on non-debug builds.
+                          "jemalloc_prof"
+                          "jemalloc_stats"
+                          # this is non-functional on nix for some reason
+                          "hardened_malloc"
+                          # conduwuit_mods is a development-only hot reload feature
+                          "conduwuit_mods"
+                        ];
+                      };
+                    }

-                # An output for an OCI image based on that unstripped debug ("dev") binary with `--all-features`
-                {
-                  name = "oci-image-${crossSystem}-all-features-debug";
-                  value = scopeCrossStatic.oci-image.override {
-                    main = scopeCrossStatic.main.override {
-                      profile = "dev";
-                      all_features = true;
-                      # debug build users expect full logs
-                      disable_release_max_log_level = true;
-                      disable_features = [
-                        # dont include experimental features
-                        "experimental"
-                        # this is non-functional on nix for some reason
-                        "hardened_malloc"
-                        # conduwuit_mods is a development-only hot reload feature
-                        "conduwuit_mods"
-                      ];
-                    };
-                  };
-                }
+                    # An output for a statically-linked binary with `--all-features` and with x86_64 haswell
+                    # target optimisations
+                    {
+                      name = "${binaryName}-all-features-x86_64-haswell-optimised";
+                      value = scopeCrossStatic.main.override {
+                        all_features = true;
+                        disable_features = [
+                          # dont include experimental features
+                          "experimental"
+                          # jemalloc profiling/stats features are expensive and shouldn't
+                          # be expected on non-debug builds.
+                          "jemalloc_prof"
+                          "jemalloc_stats"
+                          # this is non-functional on nix for some reason
+                          "hardened_malloc"
+                          # conduwuit_mods is a development-only hot reload feature
+                          "conduwuit_mods"
+                        ];
+                        x86_64_haswell_target_optimised =
+                          if (crossSystem == "x86_64-linux-gnu" || crossSystem == "x86_64-linux-musl") then true else false;
+                      };
+                    }

-                # An output for an OCI image based on that binary with hardened_malloc
-                {
-                  name = "oci-image-${crossSystem}-hmalloc";
-                  value = scopeCrossStatic.oci-image.override {
-                    main = scopeCrossStatic.main.override {
-                      features = ["hardened_malloc"];
-                    };
-                  };
-                }
+                    # An output for a statically-linked unstripped debug ("dev") binary with `--all-features`
+                    {
+                      name = "${binaryName}-all-features-debug";
+                      value = scopeCrossStatic.main.override {
+                        profile = "dev";
+                        all_features = true;
+                        # debug build users expect full logs
+                        disable_release_max_log_level = true;
+                        disable_features = [
+                          # dont include experimental features
+                          "experimental"
+                          # this is non-functional on nix for some reason
+                          "hardened_malloc"
+                          # conduwuit_mods is a development-only hot reload feature
+                          "conduwuit_mods"
+                        ];
+                      };
+                    }

-                # An output for a complement OCI image for the specified platform
-                {
-                  name = "complement-${crossSystem}";
-                  value = scopeCrossStatic.complement;
-                }
-              ]
+                    # An output for a statically-linked binary with hardened_malloc
+                    {
+                      name = "${binaryName}-hmalloc";
+                      value = scopeCrossStatic.main.override {
+                        features = [ "hardened_malloc" ];
+                      };
+                    }
+                  ]
+                )
+                [
+                  #"x86_64-apple-darwin"
+                  #"aarch64-apple-darwin"
+                  "x86_64-linux-gnu"
+                  "x86_64-linux-musl"
+                  "aarch64-linux-musl"
+                ]
            )
-            [
-              #"x86_64-apple-darwin"
-              #"aarch64-apple-darwin"
-              "x86_64-linux-gnu"
-              "x86_64-linux-musl"
-              "aarch64-linux-musl"
-            ]
-          )
-        );
-
-      devShells.default = mkDevShell scopeHostStatic;
-      devShells.all-features = mkDevShell
-        (scopeHostStatic.overrideScope (final: prev: {
-          main = prev.main.override {
-            all_features = true;
-            disable_features = [
-                # dont include experimental features
-                "experimental"
-                # jemalloc profiling/stats features are expensive and shouldn't
-                # be expected on non-debug builds.
-                "jemalloc_prof"
-                "jemalloc_stats"
-                # this is non-functional on nix for some reason
-                "hardened_malloc"
-                # conduwuit_mods is a development-only hot reload feature
-                "conduwuit_mods"
-            ];
-        };
-        }));
-      devShells.no-features = mkDevShell
-        (scopeHostStatic.overrideScope (final: prev: {
-          main = prev.main.override { default_features = false; };
-        }));
-      devShells.dynamic = mkDevShell scopeHost;
-    });
+          );
+      }
+    );
 }
@@ -1,36 +0,0 @@
-{ inputs
-
-# Dependencies
-, main
-, mdbook
-, stdenv
-}:
-
-stdenv.mkDerivation {
-  inherit (main) pname version;
-
-  src = inputs.nix-filter {
-    root = inputs.self;
-    include = [
-      "book.toml"
-      "conduwuit-example.toml"
-      "CODE_OF_CONDUCT.md"
-      "CONTRIBUTING.md"
-      "README.md"
-      "development.md"
-      "debian/conduwuit.service"
-      "debian/README.md"
-      "arch/conduwuit.service"
-      "docs"
-      "theme"
-    ];
-  };
-
-  nativeBuildInputs = [
-    mdbook
-  ];
-
-  buildPhase = ''
-    mdbook build -d $out
-  '';
-}
@@ -1,21 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIDfzCCAmegAwIBAgIUcrZdSPmCh33Evys/U6mTPpShqdcwDQYJKoZIhvcNAQEL
-BQAwPzELMAkGA1UEBhMCNjkxCzAJBgNVBAgMAjQyMRUwEwYDVQQKDAx3b29mZXJz
-IGluYy4xDDAKBgNVBAMMA2hzMTAgFw0yNTAzMTMxMjU4NTFaGA8yMDUyMDcyODEy
-NTg1MVowPzELMAkGA1UEBhMCNjkxCzAJBgNVBAgMAjQyMRUwEwYDVQQKDAx3b29m
-ZXJzIGluYy4xDDAKBgNVBAMMA2hzMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
-AQoCggEBANL+h2ZmK/FqN5uLJPtIy6Feqcyb6EX7MQBEtxuJ56bTAbjHuCLZLpYt
-/wOWJ91drHqZ7Xd5iTisGdMu8YS803HSnHkzngf4VXKhVrdzW2YDrpZRxmOhtp88
-awOHmP7mqlJyBbCOQw8aDVrT0KmEIWzA7g+nFRQ5Ff85MaP+sQrHGKZbo61q8HBp
-L0XuaqNckruUKtxnEqrm5xx5sYyYKg7rrSFE5JMFoWKB1FNWJxyWT42BhGtnJZsK
-K5c+NDSOU4TatxoN6mpNSBpCz/a11PiQHMEfqRk6JA4g3911dqPTfZBevUdBh8gl
-8maIzqeZGhvyeKTmull1Y0781yyuj98CAwEAAaNxMG8wCQYDVR0TBAIwADALBgNV
-HQ8EBAMCBPAwNgYDVR0RBC8wLYIRKi5kb2NrZXIuaW50ZXJuYWyCA2hzMYIDaHMy
-ggNoczOCA2hzNIcEfwAAATAdBgNVHQ4EFgQUr4VYrmW1d+vjBTJewvy7fJYhLDYw
-DQYJKoZIhvcNAQELBQADggEBADkYqkjNYxjWX8hUUAmFHNdCwzT1CpYe/5qzLiyJ
-irDSdMlC5g6QqMUSrpu7nZxo1lRe1dXGroFVfWpoDxyCjSQhplQZgtYqtyLfOIx+
-HQ7cPE/tUU/KsTGc0aL61cETB6u8fj+rQKUGdfbSlm0Rpu4v0gC8RnDj06X/hZ7e
-VkWU+dOBzxlqHuLlwFFtVDgCyyTatIROx5V+GpMHrVqBPO7HcHhwqZ30k2kMM8J3
-y1CWaliQM85jqtSZV+yUHKQV8EksSowCFJuguf+Ahz0i0/koaI3i8m4MRN/1j13d
-jbTaX5a11Ynm3A27jioZdtMRty6AJ88oCp18jxVzqTxNNO4=
-----END CERTIFICATE-----
@@ -1,50 +0,0 @@
-[global]
-address = "0.0.0.0"
-allow_device_name_federation = true
-allow_guest_registration = true
-allow_public_room_directory_over_federation = true
-allow_public_room_directory_without_auth = true
-allow_registration = true
-database_path = "/database"
-log = "trace,h2=debug,hyper=debug"
-port = [8008, 8448]
-trusted_servers = []
-only_query_trusted_key_servers = false
-query_trusted_key_servers_first = false
-query_trusted_key_servers_first_on_join = false
-yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse = true
-ip_range_denylist = []
-url_preview_domain_contains_allowlist = ["*"]
-url_preview_domain_explicit_denylist = ["*"]
-media_compat_file_link = false
-media_startup_check = true
-prune_missing_media = true
-log_colors = true
-admin_room_notices = false
-allow_check_for_updates = false
-intentionally_unknown_config_option_for_testing = true
-rocksdb_log_level = "info"
-rocksdb_max_log_files = 1
-rocksdb_recovery_mode = 0
-rocksdb_paranoid_file_checks = true
-log_guest_registrations = false
-allow_legacy_media = true
-startup_netburst = true
-startup_netburst_keep = -1
-
-allow_invalid_tls_certificates_yes_i_know_what_the_fuck_i_am_doing_with_this_and_i_know_this_is_insecure = true
-
-# valgrind makes things so slow
-dns_timeout = 60
-dns_attempts = 20
-request_conn_timeout = 60
-request_timeout = 120
-well_known_conn_timeout = 60
-well_known_timeout = 60
-federation_idle_timeout = 300
-sender_timeout = 300
-sender_idle_timeout = 300
-sender_retry_backoff_limit = 300
-
-[global.tls]
-dual_protocol = true
@@ -1,89 +0,0 @@
-# Dependencies
-{ bashInteractive
-, buildEnv
-, coreutils
-, dockerTools
-, lib
-, main
-, stdenv
-, tini
-, writeShellScriptBin
-}:
-
-let
-  main' = main.override {
-    profile = "test";
-    all_features = true;
-    disable_release_max_log_level = true;
-    disable_features = [
-        # console/CLI stuff isn't used or relevant for complement
-        "console"
-        "tokio_console"
-        # sentry telemetry isn't useful for complement, disabled by default anyways
-        "sentry_telemetry"
-        "perf_measurements"
-        # this is non-functional on nix for some reason
-        "hardened_malloc"
-        # dont include experimental features
-        "experimental"
-        # compression isn't needed for complement
-        "brotli_compression"
-        "gzip_compression"
-        "zstd_compression"
-        # complement doesn't need hot reloading
-        "conduwuit_mods"
-        # complement doesn't have URL preview media tests
-        "url_preview"
-    ];
-  };
-
-  start = writeShellScriptBin "start" ''
-    set -euxo pipefail
-
-    ${lib.getExe' coreutils "env"} \
-      CONDUWUIT_SERVER_NAME="$SERVER_NAME" \
-      ${lib.getExe main'}
-  '';
-in
-
-dockerTools.buildImage {
-  name = "complement-conduwuit";
-  tag = "main";
-
-  copyToRoot = buildEnv {
-    name = "root";
-    pathsToLink = [
-      "/bin"
-    ];
-    paths = [
-      bashInteractive
-      coreutils
-      main'
-      start
-    ];
-  };
-
-  config = {
-    Cmd = [
-      "${lib.getExe start}"
-    ];
-
-    Entrypoint = if !stdenv.hostPlatform.isDarwin
-      # Use the `tini` init system so that signals (e.g. ctrl+c/SIGINT)
-      # are handled as expected
-      then [ "${lib.getExe' tini "tini"}" "--" ]
-      else [];
-
-    Env = [
-      "CONDUWUIT_TLS__KEY=${./private_key.key}"
-      "CONDUWUIT_TLS__CERTS=${./certificate.crt}"
-      "CONDUWUIT_CONFIG=${./config.toml}"
-      "RUST_BACKTRACE=full"
-    ];
-
-    ExposedPorts = {
-      "8008/tcp" = {};
-      "8448/tcp" = {};
-    };
-  };
-}
@@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDS/odmZivxajeb
-iyT7SMuhXqnMm+hF+zEARLcbieem0wG4x7gi2S6WLf8DlifdXax6me13eYk4rBnT
-LvGEvNNx0px5M54H+FVyoVa3c1tmA66WUcZjobafPGsDh5j+5qpScgWwjkMPGg1a
-09CphCFswO4PpxUUORX/OTGj/rEKxximW6OtavBwaS9F7mqjXJK7lCrcZxKq5ucc
-ebGMmCoO660hROSTBaFigdRTVicclk+NgYRrZyWbCiuXPjQ0jlOE2rcaDepqTUga
-Qs/2tdT4kBzBH6kZOiQOIN/ddXaj032QXr1HQYfIJfJmiM6nmRob8nik5rpZdWNO
-/Ncsro/fAgMBAAECggEAITCCkfv+a5I+vwvrPE/eIDso0JOxvNhfg+BLQVy3AMnu
-WmeoMmshZeREWgcTrEGg8QQnk4Sdrjl8MnkO6sddJ2luza3t7OkGX+q7Hk5aETkB
-DIo+f8ufU3sIhlydF3OnVSK0fGpUaBq8AQ6Soyeyrk3G5NVufmjgae5QPbDBnqUb
-piOGyfcwagL4JtCbZsMk8AT7vQSynLm6zaWsVzWNd71jummLqtVV063K95J9PqVN
-D8meEcP3WR5kQrvf+mgy9RVgWLRtVWN8OLZfJ9yrnl4Efj62elrldUj4jaCFezGQ
-8f0W+d8jjt038qhmEdymw2MWQ+X/b0R79lJar1Up8QKBgQD1DtHxauhl+JUoI3y+
-3eboqXl7YPJt1/GTnChb4b6D1Z1hvLsOKUa7hjGEfruYGbsWXBCRMICdfzp+iWcq
-/lEOp7/YU9OaW4lQMoG4sXMoBWd9uLgg0E+aH6VDJOBvxsfafqM4ufmtspzwEm90
-FU1cq6oImomFnPChSq4X+3+YpwKBgQDcalaK9llCcscWA8HAP8WVVNTjCOqiDp9q
-td61E9IO/FIB/gW5y+JkaFRrA2CN1zY3s3K92uveLTNYTArecWlDcPNNFDuaYu2M
-Roz4bC104HGh+zztJ0iPVzELL81Lgg6wHhLONN+eVi4gTftJxzJFXybyb+xVT25A
-91ynKXB+CQKBgQC+Ub43MoI+/6pHvBfb3FbDByvz6D0flgBmVXb6tP3TQYmzKHJV
-8zSd2wCGGC71V7Z3DRVIzVR1/SOetnPLbivhp+JUzfWfAcxI3pDksdvvjxLrDxTh
-VycbWcxtsywjY0w/ou581eLVRcygnpC0pP6qJCAwAmUfwd0YRvmiYo6cLQKBgHIW
-UIlJDdaJFmdctnLOD3VGHZMOUHRlYTqYvJe5lKbRD5mcZFZRI/OY1Ok3LEj+tj+K
-kL+YizHK76KqaY3N4hBYbHbfHCLDRfWvptQHGlg+vFJ9eoG+LZ6UIPyLV5XX0cZz
-KoS1dXG9Zc6uznzXsDucDsq6B/f4TzctUjXsCyARAoGAOKb4HtuNyYAW0jUlujR7
-IMHwUesOGlhSXqFtP9aTvk6qJgvV0+3CKcWEb4y02g+uYftP8BLNbJbIt9qOqLYh
-tOVyzCoamAi8araAhjA0w4dXvqDCDK7k/gZFkojmKQtRijoxTHnWcDc3vAjYCgaM
-9MVtdgSkuh2gwkD/mMoAJXM=
-----END PRIVATE KEY-----
@@ -1,16 +0,0 @@
-----BEGIN CERTIFICATE REQUEST-----
-MIIChDCCAWwCAQAwPzELMAkGA1UEBhMCNjkxCzAJBgNVBAgMAjQyMRUwEwYDVQQK
-DAx3b29mZXJzIGluYy4xDDAKBgNVBAMMA2hzMTCCASIwDQYJKoZIhvcNAQEBBQAD
-ggEPADCCAQoCggEBANL+h2ZmK/FqN5uLJPtIy6Feqcyb6EX7MQBEtxuJ56bTAbjH
-uCLZLpYt/wOWJ91drHqZ7Xd5iTisGdMu8YS803HSnHkzngf4VXKhVrdzW2YDrpZR
-xmOhtp88awOHmP7mqlJyBbCOQw8aDVrT0KmEIWzA7g+nFRQ5Ff85MaP+sQrHGKZb
-o61q8HBpL0XuaqNckruUKtxnEqrm5xx5sYyYKg7rrSFE5JMFoWKB1FNWJxyWT42B
-hGtnJZsKK5c+NDSOU4TatxoN6mpNSBpCz/a11PiQHMEfqRk6JA4g3911dqPTfZBe
-vUdBh8gl8maIzqeZGhvyeKTmull1Y0781yyuj98CAwEAAaAAMA0GCSqGSIb3DQEB
-CwUAA4IBAQDR/gjfxN0IID1MidyhZB4qpdWn3m6qZnEQqoTyHHdWalbfNXcALC79
-ffS+Smx40N5hEPvqy6euR89N5YuYvt8Hs+j7aWNBn7Wus5Favixcm2JcfCTJn2R3
-r8FefuSs2xGkoyGsPFFcXE13SP/9zrZiwvOgSIuTdz/Pbh6GtEx7aV4DqHJsrXnb
-XuPxpQleoBqKvQgSlmaEBsJg13TQB+Fl2foBVUtqAFDQiv+RIuircf0yesMCKJaK
-MPH4Oo+r3pR8lI8ewfJPreRhCoV+XrGYMubaakz003TJ1xlOW8M+N9a6eFyMVh76
-U1nY/KP8Ua6Lgaj9PRz7JCRzNoshZID/
-----END CERTIFICATE REQUEST-----
@@ -1,12 +0,0 @@
-authorityKeyIdentifier=keyid,issuer
-basicConstraints=CA:FALSE
-keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
-subjectAltName = @alt_names
-
-[alt_names]
-DNS.1 = *.docker.internal
-DNS.2 = hs1
-DNS.3 = hs2
-DNS.4 = hs3
-DNS.5 = hs4
-IP.1 = 127.0.0.1
@@ -4,51 +4,47 @@
 , stdenv
 }:

-lib.optionalAttrs stdenv.hostPlatform.isStatic {
-  ROCKSDB_STATIC = "";
-}
+lib.optionalAttrs stdenv.hostPlatform.isStatic
+  {
+    ROCKSDB_STATIC = "";
+  }
 //
 {
  CARGO_BUILD_RUSTFLAGS =
    lib.concatStringsSep
      " "
-      ([]
-        # This disables PIE for static builds, which isn't great in terms
-        # of security. Unfortunately, my hand is forced because nixpkgs'
-        # `libstdc++.a` is built without `-fPIE`, which precludes us from
-        # leaving PIE enabled.
-        ++ lib.optionals
-          stdenv.hostPlatform.isStatic
-          [ "-C" "relocation-model=static" ]
-        ++ lib.optionals
-          (stdenv.buildPlatform.config != stdenv.hostPlatform.config)
-          [
-            "-l"
-            "c"
+      (lib.optionals
+        stdenv.hostPlatform.isStatic
+        [ "-C" "relocation-model=static" ]
+      ++ lib.optionals
+        (stdenv.buildPlatform.config != stdenv.hostPlatform.config)
+        [
+          "-l"
+          "c"

-            "-l"
-            "stdc++"
+          "-l"
+          "stdc++"

-            "-L"
-            "${stdenv.cc.cc.lib}/${stdenv.hostPlatform.config}/lib"
-          ]
+          "-L"
+          "${stdenv.cc.cc.lib}/${stdenv.hostPlatform.config}/lib"
+        ]
      );
 }

-# What follows is stolen from [here][0]. Its purpose is to properly
-# configure compilers and linkers for various stages of the build, and
-# even covers the case of build scripts that need native code compiled and
-# run on the build platform (I think).
-#
-# [0]: https://github.com/NixOS/nixpkgs/blob/nixpkgs-unstable/pkgs/build-support/rust/lib/default.nix#L48-L68
-//
+  # What follows is stolen from [here][0]. Its purpose is to properly
+  # configure compilers and linkers for various stages of the build, and
+  # even covers the case of build scripts that need native code compiled and
+  # run on the build platform (I think).
+  #
+  # [0]: https://github.com/NixOS/nixpkgs/blob/nixpkgs-unstable/pkgs/build-support/rust/lib/default.nix#L48-L68
+  //
 (
  let
    inherit (rust.lib) envVars;
  in
  lib.optionalAttrs
    (stdenv.targetPlatform.rust.rustcTarget
-      != stdenv.hostPlatform.rust.rustcTarget)
+    != stdenv.hostPlatform.rust.rustcTarget)
    (
      let
        inherit (stdenv.targetPlatform.rust) cargoEnvVarTarget;
@@ -12,144 +12,146 @@
 , rust-jemalloc-sys
 , stdenv

-# Options (keep sorted)
+  # Options (keep sorted)
 , all_features ? false
 , default_features ? true
-# default list of disabled features
+  # default list of disabled features
 , disable_features ? [
-  # dont include experimental features
-  "experimental"
-  # jemalloc profiling/stats features are expensive and shouldn't
-  # be expected on non-debug builds.
-  "jemalloc_prof"
-  "jemalloc_stats"
-  # this is non-functional on nix for some reason
-  "hardened_malloc"
-  # conduwuit_mods is a development-only hot reload feature
-  "conduwuit_mods"
-]
+    # dont include experimental features
+    "experimental"
+    # jemalloc profiling/stats features are expensive and shouldn't
+    # be expected on non-debug builds.
+    "jemalloc_prof"
+    "jemalloc_stats"
+    # this is non-functional on nix for some reason
+    "hardened_malloc"
+    # conduwuit_mods is a development-only hot reload feature
+    "conduwuit_mods"
+  ]
 , disable_release_max_log_level ? false
-, features ? []
+, features ? [ ]
 , profile ? "release"
-# rocksdb compiled with -march=haswell and target-cpu=haswell rustflag
-# haswell is pretty much any x86 cpu made in the last 12 years, and
-# supports modern CPU extensions that rocksdb can make use of.
-# disable if trying to make a portable x86_64 build for very old hardware
+  # rocksdb compiled with -march=haswell and target-cpu=haswell rustflag
+  # haswell is pretty much any x86 cpu made in the last 12 years, and
+  # supports modern CPU extensions that rocksdb can make use of.
+  # disable if trying to make a portable x86_64 build for very old hardware
 , x86_64_haswell_target_optimised ? false
 }:

 let
-# We perform default-feature unification in nix, because some of the dependencies
-# on the nix side depend on feature values.
-crateFeatures = path:
-  let manifest = lib.importTOML "${path}/Cargo.toml"; in
-  lib.remove "default" (lib.attrNames manifest.features);
-crateDefaultFeatures = path:
-  (lib.importTOML "${path}/Cargo.toml").features.default;
-allDefaultFeatures = crateDefaultFeatures "${inputs.self}/src/main";
-allFeatures = crateFeatures "${inputs.self}/src/main";
-features' = lib.unique
-  (features ++
-    lib.optionals default_features allDefaultFeatures ++
-    lib.optionals all_features allFeatures);
-disable_features' = disable_features ++ lib.optionals disable_release_max_log_level ["release_max_log_level"];
-features'' = lib.subtractLists disable_features' features';
+  # We perform default-feature unification in nix, because some of the dependencies
+  # on the nix side depend on feature values.
+  crateFeatures = path:
+    let manifest = lib.importTOML "${path}/Cargo.toml"; in
+    lib.remove "default" (lib.attrNames manifest.features);
+  crateDefaultFeatures = path:
+    (lib.importTOML "${path}/Cargo.toml").features.default;
+  allDefaultFeatures = crateDefaultFeatures "${inputs.self}/src/main";
+  allFeatures = crateFeatures "${inputs.self}/src/main";
+  features' = lib.unique
+    (features ++
+      lib.optionals default_features allDefaultFeatures ++
+      lib.optionals all_features allFeatures);
+  disable_features' = disable_features ++ lib.optionals disable_release_max_log_level [ "release_max_log_level" ];
+  features'' = lib.subtractLists disable_features' features';

-featureEnabled = feature : builtins.elem feature features'';
+  featureEnabled = feature: builtins.elem feature features'';

-enableLiburing = featureEnabled "io_uring" && !stdenv.hostPlatform.isDarwin;
+  enableLiburing = featureEnabled "io_uring" && !stdenv.hostPlatform.isDarwin;

-# This derivation will set the JEMALLOC_OVERRIDE variable, causing the
-# tikv-jemalloc-sys crate to use the nixpkgs jemalloc instead of building it's
-# own. In order for this to work, we need to set flags on the build that match
-# whatever flags tikv-jemalloc-sys was going to use. These are dependent on
-# which features we enable in tikv-jemalloc-sys.
-rust-jemalloc-sys' = (rust-jemalloc-sys.override {
-  # tikv-jemalloc-sys/unprefixed_malloc_on_supported_platforms feature
-  unprefixed = true;
-}).overrideAttrs (old: {
-  configureFlags = old.configureFlags ++
-    # we dont need docs
-    [ "--disable-doc" ] ++
-    # we dont need cxx/C++ integration
-    [ "--disable-cxx" ] ++
-    # tikv-jemalloc-sys/profiling feature
-    lib.optional (featureEnabled "jemalloc_prof") "--enable-prof" ++
-    # tikv-jemalloc-sys/stats feature
-    (if (featureEnabled "jemalloc_stats") then [ "--enable-stats" ] else [ "--disable-stats" ]);
-});
-
-buildDepsOnlyEnv =
-  let
-    rocksdb' = (rocksdb.override {
-      jemalloc = lib.optional (featureEnabled "jemalloc") rust-jemalloc-sys';
-      # rocksdb fails to build with prefixed jemalloc, which is required on
-      # darwin due to [1]. In this case, fall back to building rocksdb with
-      # libc malloc. This should not cause conflicts, because all of the
-      # jemalloc symbols are prefixed.
-      #
-      # [1]: https://github.com/tikv/jemallocator/blob/ab0676d77e81268cd09b059260c75b38dbef2d51/jemalloc-sys/src/env.rs#L17
-      enableJemalloc = featureEnabled "jemalloc" && !stdenv.hostPlatform.isDarwin;
-
-      # for some reason enableLiburing in nixpkgs rocksdb is default true
-      # which breaks Darwin entirely
-      enableLiburing = enableLiburing;
-    }).overrideAttrs (old: {
-      enableLiburing = enableLiburing;
-      cmakeFlags = (if x86_64_haswell_target_optimised then (lib.subtractLists [
-        # dont make a portable build if x86_64_haswell_target_optimised is enabled
-        "-DPORTABLE=1"
-      ] old.cmakeFlags
-      ++ [ "-DPORTABLE=haswell" ]) else ([ "-DPORTABLE=1" ])
-      )
-      ++ old.cmakeFlags;
-
-      # outputs has "tools" which we dont need or use
-      outputs = [ "out" ];
-
-      # preInstall hooks has stuff for messing with ldb/sst_dump which we dont need or use
-      preInstall = "";
-    });
-  in
-  {
-    # https://crane.dev/faq/rebuilds-bindgen.html
-    NIX_OUTPATH_USED_AS_RANDOM_SEED = "aaaaaaaaaa";
-
-    CARGO_PROFILE = profile;
-    ROCKSDB_INCLUDE_DIR = "${rocksdb'}/include";
-    ROCKSDB_LIB_DIR = "${rocksdb'}/lib";
-  }
-  //
-  (import ./cross-compilation-env.nix {
-    # Keep sorted
-    inherit
-      lib
-      pkgsBuildHost
-      rust
-      stdenv;
+  # This derivation will set the JEMALLOC_OVERRIDE variable, causing the
+  # tikv-jemalloc-sys crate to use the nixpkgs jemalloc instead of building it's
+  # own. In order for this to work, we need to set flags on the build that match
+  # whatever flags tikv-jemalloc-sys was going to use. These are dependent on
+  # which features we enable in tikv-jemalloc-sys.
+  rust-jemalloc-sys' = (rust-jemalloc-sys.override {
+    # tikv-jemalloc-sys/unprefixed_malloc_on_supported_platforms feature
+    unprefixed = true;
+  }).overrideAttrs (old: {
+    configureFlags = old.configureFlags ++
+      # we dont need docs
+      [ "--disable-doc" ] ++
+      # we dont need cxx/C++ integration
+      [ "--disable-cxx" ] ++
+      # tikv-jemalloc-sys/profiling feature
+      lib.optional (featureEnabled "jemalloc_prof") "--enable-prof" ++
+      # tikv-jemalloc-sys/stats feature
+      (if (featureEnabled "jemalloc_stats") then [ "--enable-stats" ] else [ "--disable-stats" ]);
  });

-buildPackageEnv = {
-  GIT_COMMIT_HASH = inputs.self.rev or inputs.self.dirtyRev or "";
-  GIT_COMMIT_HASH_SHORT = inputs.self.shortRev or inputs.self.dirtyShortRev or "";
-} // buildDepsOnlyEnv // {
-  # Only needed in static stdenv because these are transitive dependencies of rocksdb
-  CARGO_BUILD_RUSTFLAGS = buildDepsOnlyEnv.CARGO_BUILD_RUSTFLAGS
-    + lib.optionalString (enableLiburing && stdenv.hostPlatform.isStatic)
+  buildDepsOnlyEnv =
+    let
+      rocksdb' = (rocksdb.override {
+        jemalloc = lib.optional (featureEnabled "jemalloc") rust-jemalloc-sys';
+        # rocksdb fails to build with prefixed jemalloc, which is required on
+        # darwin due to [1]. In this case, fall back to building rocksdb with
+        # libc malloc. This should not cause conflicts, because all of the
+        # jemalloc symbols are prefixed.
+        #
+        # [1]: https://github.com/tikv/jemallocator/blob/ab0676d77e81268cd09b059260c75b38dbef2d51/jemalloc-sys/src/env.rs#L17
+        enableJemalloc = featureEnabled "jemalloc" && !stdenv.hostPlatform.isDarwin;
+
+        # for some reason enableLiburing in nixpkgs rocksdb is default true
+        # which breaks Darwin entirely
+        inherit enableLiburing;
+      }).overrideAttrs (old: {
+        inherit enableLiburing;
+        cmakeFlags = (if x86_64_haswell_target_optimised then
+          (lib.subtractLists [
+            # dont make a portable build if x86_64_haswell_target_optimised is enabled
+            "-DPORTABLE=1"
+          ]
+            old.cmakeFlags
+          ++ [ "-DPORTABLE=haswell" ]) else [ "-DPORTABLE=1" ]
+        )
+        ++ old.cmakeFlags;
+
+        # outputs has "tools" which we dont need or use
+        outputs = [ "out" ];
+
+        # preInstall hooks has stuff for messing with ldb/sst_dump which we dont need or use
+        preInstall = "";
+      });
+    in
+    {
+      # https://crane.dev/faq/rebuilds-bindgen.html
+      NIX_OUTPATH_USED_AS_RANDOM_SEED = "aaaaaaaaaa";
+
+      CARGO_PROFILE = profile;
+      ROCKSDB_INCLUDE_DIR = "${rocksdb'}/include";
+      ROCKSDB_LIB_DIR = "${rocksdb'}/lib";
+    }
+    //
+    (import ./cross-compilation-env.nix {
+      # Keep sorted
+      inherit
+        lib
+        pkgsBuildHost
+        rust
+        stdenv;
+    });
+
+  buildPackageEnv = {
+    GIT_COMMIT_HASH = inputs.self.rev or inputs.self.dirtyRev or "";
+    GIT_COMMIT_HASH_SHORT = inputs.self.shortRev or inputs.self.dirtyShortRev or "";
+  } // buildDepsOnlyEnv // {
+    # Only needed in static stdenv because these are transitive dependencies of rocksdb
+    CARGO_BUILD_RUSTFLAGS = buildDepsOnlyEnv.CARGO_BUILD_RUSTFLAGS
+      + lib.optionalString (enableLiburing && stdenv.hostPlatform.isStatic)
      " -L${lib.getLib liburing}/lib -luring"
-    + lib.optionalString x86_64_haswell_target_optimised
+      + lib.optionalString x86_64_haswell_target_optimised
      " -Ctarget-cpu=haswell";
-};
+  };



-commonAttrs = {
-  inherit
-    (craneLib.crateNameFromCargoToml {
-      cargoToml = "${inputs.self}/Cargo.toml";
-    })
-    pname
-    version;
+  commonAttrs = {
+    inherit
+      (craneLib.crateNameFromCargoToml {
+        cargoToml = "${inputs.self}/Cargo.toml";
+      })
+      pname
+      version;

    src = let filter = inputs.nix-filter.lib; in filter {
      root = inputs.self;
@@ -160,6 +162,7 @@ commonAttrs = {
        "Cargo.lock"
        "Cargo.toml"
        "src"
+        "xtask"
      ];
    };

@@ -167,22 +170,22 @@ commonAttrs = {

    cargoExtraArgs = "--no-default-features --locked "
      + lib.optionalString
-        (features'' != [])
-        "--features " + (builtins.concatStringsSep "," features'');
+      (features'' != [ ])
+      "--features " + (builtins.concatStringsSep "," features'');

    dontStrip = profile == "dev" || profile == "test";
    dontPatchELF = profile == "dev" || profile == "test";

    buildInputs = lib.optional (featureEnabled "jemalloc") rust-jemalloc-sys'
-    # needed to build Rust applications on macOS
-    ++ lib.optionals stdenv.hostPlatform.isDarwin [
-        # https://github.com/NixOS/nixpkgs/issues/206242
-        # ld: library not found for -liconv
-        libiconv
-        # https://stackoverflow.com/questions/69869574/properly-adding-darwin-apple-sdk-to-a-nix-shell
-        # https://discourse.nixos.org/t/compile-a-rust-binary-on-macos-dbcrossbar/8612
-        pkgsBuildHost.darwin.apple_sdk.frameworks.Security
-      ];
+      # needed to build Rust applications on macOS
+      ++ lib.optionals stdenv.hostPlatform.isDarwin [
+      # https://github.com/NixOS/nixpkgs/issues/206242
+      # ld: library not found for -liconv
+      libiconv
+      # https://stackoverflow.com/questions/69869574/properly-adding-darwin-apple-sdk-to-a-nix-shell
+      # https://discourse.nixos.org/t/compile-a-rust-binary-on-macos-dbcrossbar/8612
+      pkgsBuildHost.darwin.apple_sdk.frameworks.Security
+    ];

    nativeBuildInputs = [
      # bindgen needs the build platform's libclang. Apparently due to "splicing
@@ -195,11 +198,11 @@ commonAttrs = {
      # differing values for `NIX_CFLAGS_COMPILE`, which contributes to spurious
      # rebuilds of bindgen and its depedents.
      jq
-  ];
- };
+    ];
+  };
 in

-craneLib.buildPackage ( commonAttrs // {
+craneLib.buildPackage (commonAttrs // {
  cargoArtifacts = craneLib.buildDepsOnly (commonAttrs // {
    env = buildDepsOnlyEnv;
  });
@@ -208,8 +211,8 @@ craneLib.buildPackage ( commonAttrs // {

  cargoExtraArgs = "--no-default-features --locked "
    + lib.optionalString
-      (features'' != [])
-      "--features " + (builtins.concatStringsSep "," features'');
+    (features'' != [ ])
+    "--features " + (builtins.concatStringsSep "," features'');

  env = buildPackageEnv;

@@ -1,46 +0,0 @@
-{ inputs
-
-# Dependencies
-, dockerTools
-, lib
-, main
-, stdenv
-, tini
-}:
-
-dockerTools.buildLayeredImage {
-  name = main.pname;
-  tag = "main";
-  created = "@${toString inputs.self.lastModified}";
-  contents = [
-    dockerTools.caCertificates
-    main
-  ];
-  config = {
-    Entrypoint = if !stdenv.hostPlatform.isDarwin
-      # Use the `tini` init system so that signals (e.g. ctrl+c/SIGINT)
-      # are handled as expected
-      then [ "${lib.getExe' tini "tini"}" "--" ]
-      else [];
-    Cmd = [
-      "${lib.getExe main}"
-    ];
-    Env = [
-      "RUST_BACKTRACE=full"
-    ];
-    Labels = {
-      "org.opencontainers.image.authors" = "June Clementine Strawberry <june@girlboss.ceo> and Jason Volk
-      <jason@zemos.net>";
-      "org.opencontainers.image.created" ="@${toString inputs.self.lastModified}";
-      "org.opencontainers.image.description" = "a very cool Matrix chat homeserver written in Rust";
-      "org.opencontainers.image.documentation" = "https://conduwuit.puppyirl.gay/";
-      "org.opencontainers.image.licenses" = "Apache-2.0";
-      "org.opencontainers.image.revision" = inputs.self.rev or inputs.self.dirtyRev or "";
-      "org.opencontainers.image.source" = "https://github.com/girlbossceo/conduwuit";
-      "org.opencontainers.image.title" = main.pname;
-      "org.opencontainers.image.url" = "https://conduwuit.puppyirl.gay/";
-      "org.opencontainers.image.vendor" = "girlbossceo";
-      "org.opencontainers.image.version" = main.version;
-    };
-  };
-}
@@ -9,7 +9,7 @@
 # If you're having trouble making the relevant changes, bug a maintainer.

 [toolchain]
-channel = "1.86.0"
+channel = "1.87.0"
 profile = "minimal"
 components = [
    # For rust-analyzer
@@ -19,11 +19,3 @@ components = [
    "rustfmt",
    "clippy",
 ]
-targets = [
-    #"x86_64-apple-darwin",
-    "x86_64-unknown-linux-gnu",
-    "x86_64-unknown-linux-musl",
-    "aarch64-unknown-linux-musl",
-    "aarch64-unknown-linux-gnu",
-    #"aarch64-apple-darwin",
-]
@@ -9,8 +9,8 @@ use crate::{
 };

 #[derive(Debug, Parser)]
-#[command(name = "conduwuit", version = conduwuit::version())]
-pub(super) enum AdminCommand {
+#[command(name = conduwuit_core::name(), version = conduwuit_core::version())]
+pub enum AdminCommand {
 	#[command(subcommand)]
 	/// - Commands for managing appservices
 	Appservices(AppserviceCommand),
@@ -7,7 +7,7 @@ use crate::admin_command_dispatch;

 #[derive(Debug, Subcommand)]
 #[admin_command_dispatch]
-pub(super) enum AppserviceCommand {
+pub enum AppserviceCommand {
 	/// - Register an appservice using its registration YAML
 	///
 	/// This command needs a YAML generated by an appservice (such as a bridge),
@@ -7,6 +7,6 @@ use crate::admin_command_dispatch;

 #[admin_command_dispatch]
 #[derive(Debug, Subcommand)]
-pub(super) enum CheckCommand {
+pub enum CheckCommand {
 	CheckAllUsers,
 }
@@ -7,13 +7,14 @@ use futures::{
 	io::{AsyncWriteExt, BufWriter},
 	lock::Mutex,
 };
-use ruma::EventId;
+use ruma::{EventId, UserId};

 pub(crate) struct Context<'a> {
 	pub(crate) services: &'a Services,
 	pub(crate) body: &'a [&'a str],
 	pub(crate) timer: SystemTime,
 	pub(crate) reply_id: Option<&'a EventId>,
+	pub(crate) sender: Option<&'a UserId>,
 	pub(crate) output: Mutex<BufWriter<Vec<u8>>>,
 }

@@ -36,4 +37,10 @@ impl Context<'_> {
 			output.write_all(s.as_bytes()).map_err(Into::into).await
 		})
 	}
+
+	/// Get the sender as a string, or service user ID if not available
+	pub(crate) fn sender_or_service_user(&self) -> &UserId {
+		self.sender
+			.unwrap_or_else(|| self.services.globals.server_user.as_ref())
+	}
 }
@@ -7,7 +7,10 @@ use std::{

 use conduwuit::{
 	Err, Result, debug_error, err, info,
-	matrix::pdu::{PduEvent, PduId, RawPduId},
+	matrix::{
+		Event,
+		pdu::{PduEvent, PduId, RawPduId},
+	},
 	trace, utils,
 	utils::{
 		stream::{IterStream, ReadyExt},
@@ -19,7 +22,7 @@ use futures::{FutureExt, StreamExt, TryStreamExt};
 use ruma::{
 	CanonicalJsonObject, CanonicalJsonValue, EventId, OwnedEventId, OwnedRoomId,
 	OwnedRoomOrAliasId, OwnedServerName, RoomId, RoomVersionId,
-	api::federation::event::get_room_state,
+	api::federation::event::get_room_state, events::AnyStateEvent, serde::Raw,
 };
 use service::rooms::{
 	short::{ShortEventId, ShortRoomId},
@@ -239,10 +242,11 @@ pub(super) async fn get_remote_pdu(
 		})
 		.await
 	{
-		| Err(e) =>
+		| Err(e) => {
 			return Err!(
 				"Remote server did not have PDU or failed sending request to remote server: {e}"
-			),
+			);
+		},
 		| Ok(response) => {
 			let json: CanonicalJsonObject =
 				serde_json::from_str(response.pdu.get()).map_err(|e| {
@@ -295,12 +299,12 @@ pub(super) async fn get_remote_pdu(
 #[admin_command]
 pub(super) async fn get_room_state(&self, room: OwnedRoomOrAliasId) -> Result {
 	let room_id = self.services.rooms.alias.resolve(&room).await?;
-	let room_state: Vec<_> = self
+	let room_state: Vec<Raw<AnyStateEvent>> = self
 		.services
 		.rooms
 		.state_accessor
 		.room_state_full_pdus(&room_id)
-		.map_ok(PduEvent::into_state_event)
+		.map_ok(Event::into_format)
 		.try_collect()
 		.await?;

@@ -384,8 +388,9 @@ pub(super) async fn change_log_level(&self, filter: Option<String>, reset: bool)
 			.reload
 			.reload(&old_filter_layer, Some(handles))
 		{
-			| Err(e) =>
-				return Err!("Failed to modify and reload the global tracing log level: {e}"),
+			| Err(e) => {
+				return Err!("Failed to modify and reload the global tracing log level: {e}");
+			},
 			| Ok(()) => {
 				let value = &self.services.server.config.log;
 				let out = format!("Successfully changed log level back to config value {value}");
@@ -407,9 +412,12 @@ pub(super) async fn change_log_level(&self, filter: Option<String>, reset: bool)
 			.reload
 			.reload(&new_filter_layer, Some(handles))
 		{
-			| Ok(()) => return self.write_str("Successfully changed log level").await,
-			| Err(e) =>
-				return Err!("Failed to modify and reload the global tracing log level: {e}"),
+			| Ok(()) => {
+				return self.write_str("Successfully changed log level").await;
+			},
+			| Err(e) => {
+				return Err!("Failed to modify and reload the global tracing log level: {e}");
+			},
 		}
 	}

@@ -529,6 +537,7 @@ pub(super) async fn force_set_room_state_from_server(
 	&self,
 	room_id: OwnedRoomId,
 	server_name: OwnedServerName,
+	at_event: Option<OwnedEventId>,
 ) -> Result {
 	if !self
 		.services
@@ -540,13 +549,18 @@ pub(super) async fn force_set_room_state_from_server(
 		return Err!("We are not participating in the room / we don't know about the room ID.");
 	}

-	let first_pdu = self
-		.services
-		.rooms
-		.timeline
-		.latest_pdu_in_room(&room_id)
-		.await
-		.map_err(|_| err!(Database("Failed to find the latest PDU in database")))?;
+	let at_event_id = match at_event {
+		| Some(event_id) => event_id,
+		| None => self
+			.services
+			.rooms
+			.timeline
+			.latest_pdu_in_room(&room_id)
+			.await
+			.map_err(|_| err!(Database("Failed to find the latest PDU in database")))?
+			.event_id()
+			.to_owned(),
+	};

 	let room_version = self.services.rooms.state.get_room_version(&room_id).await?;

@@ -557,7 +571,7 @@ pub(super) async fn force_set_room_state_from_server(
 		.sending
 		.send_federation_request(&server_name, get_room_state::v1::Request {
 			room_id: room_id.clone(),
-			event_id: first_pdu.event_id.clone(),
+			event_id: at_event_id,
 		})
 		.await?;

@@ -11,7 +11,7 @@ use crate::admin_command_dispatch;

 #[admin_command_dispatch]
 #[derive(Debug, Subcommand)]
-pub(super) enum DebugCommand {
+pub enum DebugCommand {
 	/// - Echo input of admin command
 	Echo {
 		message: Vec<String>,
@@ -32,13 +32,13 @@ pub(super) enum DebugCommand {
 	/// the command.
 	ParsePdu,

-	/// - Retrieve and print a PDU by EventID from the conduwuit database
+	/// - Retrieve and print a PDU by EventID from the Continuwuity database
 	GetPdu {
 		/// An event ID (a $ followed by the base64 reference hash)
 		event_id: OwnedEventId,
 	},

-	/// - Retrieve and print a PDU by PduId from the conduwuit database
+	/// - Retrieve and print a PDU by PduId from the Continuwuity database
 	GetShortPdu {
 		/// Shortroomid integer
 		shortroomid: ShortRoomId,
@@ -125,13 +125,13 @@ pub(super) enum DebugCommand {
 		reset: bool,
 	},

-	/// - Verify json signatures
+	/// - Sign JSON blob
 	///
 	/// This command needs a JSON blob provided in a Markdown code block below
 	/// the command.
 	SignJson,

-	/// - Verify json signatures
+	/// - Verify JSON signatures
 	///
 	/// This command needs a JSON blob provided in a Markdown code block below
 	/// the command.
@@ -177,9 +177,12 @@ pub(super) enum DebugCommand {
 		room_id: OwnedRoomId,
 		/// The server we will use to query the room state for
 		server_name: OwnedServerName,
+		/// The event ID of the latest known PDU in the room. Will be found
+		/// automatically if not provided.
+		event_id: Option<OwnedEventId>,
 	},

-	/// - Runs a server name through conduwuit's true destination resolution
+	/// - Runs a server name through Continuwuity's true destination resolution
 	///   process
 	///
 	/// Useful for debugging well-known issues
@@ -4,7 +4,7 @@ use crate::{admin_command, admin_command_dispatch};

 #[admin_command_dispatch]
 #[derive(Debug, clap::Subcommand)]
-pub(crate) enum TesterCommand {
+pub enum TesterCommand {
 	Panic,
 	Failure,
 	Tester,
@@ -8,7 +8,7 @@ use crate::admin_command_dispatch;

 #[admin_command_dispatch]
 #[derive(Debug, Subcommand)]
-pub(super) enum FederationCommand {
+pub enum FederationCommand {
 	/// - List all rooms we are currently handling an incoming pdu from
 	IncomingFederation,

@@ -9,7 +9,7 @@ use crate::admin_command_dispatch;

 #[admin_command_dispatch]
 #[derive(Debug, Subcommand)]
-pub(super) enum MediaCommand {
+pub enum MediaCommand {
 	/// - Deletes a single media file from our database and on the filesystem
 	///   via a single MXC URL or event ID (not redacted)
 	Delete {
@@ -90,10 +90,10 @@ pub(super) enum MediaCommand {
 		#[arg(short, long, default_value("10000"))]
 		timeout: u32,

-		#[arg(short, long, default_value("800"))]
+		#[arg(long, default_value("800"))]
 		width: u32,

-		#[arg(short, long, default_value("800"))]
+		#[arg(long, default_value("800"))]
 		height: u32,
 	},
 }
@@ -33,6 +33,8 @@ conduwuit::mod_ctor! {}
 conduwuit::mod_dtor! {}
 conduwuit::rustc_flags_capture! {}

+pub use crate::admin::AdminCommand;
+
 /// Install the admin command processor
 pub async fn init(admin_service: &service::admin::Service) {
 	_ = admin_service
@@ -63,6 +63,7 @@ async fn process_command(services: Arc<Services>, input: &CommandInput) -> Proce
 		body: &body,
 		timer: SystemTime::now(),
 		reply_id: input.reply_id.as_deref(),
+		sender: input.sender.as_deref(),
 		output: BufWriter::new(Vec::new()).into(),
 	};

@@ -93,8 +94,7 @@ async fn process_command(services: Arc<Services>, input: &CommandInput) -> Proce

 #[allow(clippy::result_large_err)]
 fn handle_panic(error: &Error, command: &CommandInput) -> ProcessorResult {
-	let link =
-		"Please submit a [bug report](https://github.com/girlbossceo/conduwuit/issues/new). 🥺";
+	let link = "Please submit a [bug report](https://forgejo.ellis.link/continuwuation/continuwuity/issues/new). 🥺";
 	let msg = format!("Panic occurred while processing command:\n```\n{error:#?}\n```\n{link}");
 	let content = RoomMessageEventContent::notice_markdown(msg);
 	error!("Panic while processing command: {error:?}");
@@ -8,7 +8,7 @@ use crate::{admin_command, admin_command_dispatch};
 #[admin_command_dispatch]
 #[derive(Debug, Subcommand)]
 /// All the getters and iterators from src/database/key_value/account_data.rs
-pub(crate) enum AccountDataCommand {
+pub enum AccountDataCommand {
 	/// - Returns all changes to the account data that happened after `since`.
 	ChangesSince {
 		/// Full user ID
@@ -6,7 +6,7 @@ use crate::Context;

 #[derive(Debug, Subcommand)]
 /// All the getters and iterators from src/database/key_value/appservice.rs
-pub(crate) enum AppserviceCommand {
+pub enum AppserviceCommand {
 	/// - Gets the appservice registration info/details from the ID as a string
 	GetRegistration {
 		/// Appservice registration ID
@@ -6,7 +6,7 @@ use crate::Context;

 #[derive(Debug, Subcommand)]
 /// All the getters and iterators from src/database/key_value/globals.rs
-pub(crate) enum GlobalsCommand {
+pub enum GlobalsCommand {
 	DatabaseVersion,

 	CurrentCount,
@@ -27,7 +27,7 @@ use crate::admin_command_dispatch;
 #[admin_command_dispatch]
 #[derive(Debug, Subcommand)]
 /// Query tables from database
-pub(super) enum QueryCommand {
+pub enum QueryCommand {
 	/// - account_data.rs iterators and getters
 	#[command(subcommand)]
 	AccountData(AccountDataCommand),
@@ -7,7 +7,7 @@ use crate::Context;

 #[derive(Debug, Subcommand)]
 /// All the getters and iterators from src/database/key_value/presence.rs
-pub(crate) enum PresenceCommand {
+pub enum PresenceCommand {
 	/// - Returns the latest presence event for the given user.
 	GetPresence {
 		/// Full user ID
@@ -5,7 +5,7 @@ use ruma::OwnedUserId;
 use crate::Context;

 #[derive(Debug, Subcommand)]
-pub(crate) enum PusherCommand {
+pub enum PusherCommand {
 	/// - Returns all the pushers for the user.
 	GetPushers {
 		/// Full user ID
@@ -19,7 +19,7 @@ use crate::{admin_command, admin_command_dispatch};
 #[derive(Debug, Subcommand)]
 #[allow(clippy::enum_variant_names)]
 /// Query tables from database
-pub(crate) enum RawCommand {
+pub enum RawCommand {
 	/// - List database maps
 	RawMaps,

@@ -8,7 +8,7 @@ use crate::{admin_command, admin_command_dispatch};
 #[admin_command_dispatch]
 #[derive(Debug, Subcommand)]
 /// Resolver service and caches
-pub(crate) enum ResolverCommand {
+pub enum ResolverCommand {
 	/// Query the destinations cache
 	DestinationsCache {
 		server_name: Option<OwnedServerName>,
@@ -7,7 +7,7 @@ use crate::Context;

 #[derive(Debug, Subcommand)]
 /// All the getters and iterators from src/database/key_value/rooms/alias.rs
-pub(crate) enum RoomAliasCommand {
+pub enum RoomAliasCommand {
 	ResolveLocalAlias {
 		/// Full room alias
 		alias: OwnedRoomAliasId,
@@ -6,7 +6,7 @@ use ruma::{OwnedRoomId, OwnedServerName, OwnedUserId};
 use crate::Context;

 #[derive(Debug, Subcommand)]
-pub(crate) enum RoomStateCacheCommand {
+pub enum RoomStateCacheCommand {
 	ServerInRoom {
 		server: OwnedServerName,
 		room_id: OwnedRoomId,
@@ -8,7 +8,7 @@ use crate::{admin_command, admin_command_dispatch};
 #[admin_command_dispatch]
 #[derive(Debug, Subcommand)]
 /// Query tables from database
-pub(crate) enum RoomTimelineCommand {
+pub enum RoomTimelineCommand {
 	Pdus {
 		room_id: OwnedRoomOrAliasId,

@@ -8,7 +8,7 @@ use crate::Context;

 #[derive(Debug, Subcommand)]
 /// All the getters and iterators from src/database/key_value/sending.rs
-pub(crate) enum SendingCommand {
+pub enum SendingCommand {
 	/// - Queries database for all `servercurrentevent_data`
 	ActiveRequests,

@@ -7,7 +7,7 @@ use crate::{admin_command, admin_command_dispatch};
 #[admin_command_dispatch]
 #[derive(Debug, Subcommand)]
 /// Query tables from database
-pub(crate) enum ShortCommand {
+pub enum ShortCommand {
 	ShortEventId {
 		event_id: OwnedEventId,
 	},
@@ -8,7 +8,7 @@ use crate::{admin_command, admin_command_dispatch};
 #[admin_command_dispatch]
 #[derive(Debug, Subcommand)]
 /// All the getters and iterators from src/database/key_value/users.rs
-pub(crate) enum UsersCommand {
+pub enum UsersCommand {
 	CountUsers,

 	IterUsers,
@@ -8,7 +8,7 @@ use ruma::{OwnedRoomAliasId, OwnedRoomId};
 use crate::Context;

 #[derive(Debug, Subcommand)]
-pub(crate) enum RoomAliasCommand {
+pub enum RoomAliasCommand {
 	/// - Make an alias point to a room.
 	Set {
 		#[arg(short, long)]
@@ -6,7 +6,7 @@ use ruma::OwnedRoomId;
 use crate::{Context, PAGE_SIZE, get_room_info};

 #[derive(Debug, Subcommand)]
-pub(crate) enum RoomDirectoryCommand {
+pub enum RoomDirectoryCommand {
 	/// - Publish a room to the room directory
 	Publish {
 		/// The room id of the room to publish
@@ -7,7 +7,7 @@ use crate::{admin_command, admin_command_dispatch};

 #[admin_command_dispatch]
 #[derive(Debug, Subcommand)]
-pub(crate) enum RoomInfoCommand {
+pub enum RoomInfoCommand {
 	/// - List joined members in a room
 	ListJoinedMembers {
 		room_id: OwnedRoomId,
@@ -16,7 +16,7 @@ use crate::admin_command_dispatch;

 #[admin_command_dispatch]
 #[derive(Debug, Subcommand)]
-pub(super) enum RoomCommand {
+pub enum RoomCommand {
 	/// - List all rooms the server knows about
 	#[clap(alias = "list")]
 	ListRooms {
@@ -1,18 +1,18 @@
 use api::client::leave_room;
 use clap::Subcommand;
 use conduwuit::{
-	Err, Result, debug,
+	Err, Result, debug, info,
 	utils::{IterStream, ReadyExt},
 	warn,
 };
-use futures::StreamExt;
+use futures::{FutureExt, StreamExt};
 use ruma::{OwnedRoomId, OwnedRoomOrAliasId, RoomAliasId, RoomId, RoomOrAliasId};

 use crate::{admin_command, admin_command_dispatch, get_room_info};

 #[admin_command_dispatch]
 #[derive(Debug, Subcommand)]
-pub(crate) enum RoomModerationCommand {
+pub enum RoomModerationCommand {
 	/// - Bans a room from local users joining and evicts all our local users
 	///   (including server
 	/// admins)
@@ -70,7 +70,6 @@ async fn ban_room(&self, room: OwnedRoomOrAliasId) -> Result {
 		};

 		debug!("Room specified is a room ID, banning room ID");
-		self.services.rooms.metadata.ban_room(room_id, true);

 		room_id.to_owned()
 	} else if room.is_room_alias_id() {
@@ -90,47 +89,25 @@ async fn ban_room(&self, room: OwnedRoomOrAliasId) -> Result {
 			 locally, if not using get_alias_helper to fetch room ID remotely"
 		);

-		let room_id = match self
+		match self
 			.services
 			.rooms
 			.alias
-			.resolve_local_alias(room_alias)
+			.resolve_alias(room_alias, None)
 			.await
 		{
-			| Ok(room_id) => room_id,
-			| _ => {
+			| Ok((room_id, servers)) => {
 				debug!(
-					"We don't have this room alias to a room ID locally, attempting to fetch \
-					 room ID over federation"
+					?room_id,
+					?servers,
+					"Got federation response fetching room ID for room {room}"
 				);
-
-				match self
-					.services
-					.rooms
-					.alias
-					.resolve_alias(room_alias, None)
-					.await
-				{
-					| Ok((room_id, servers)) => {
-						debug!(
-							?room_id,
-							?servers,
-							"Got federation response fetching room ID for {room_id}"
-						);
-						room_id
-					},
-					| Err(e) => {
-						return Err!(
-							"Failed to resolve room alias {room_alias} to a room ID: {e}"
-						);
-					},
-				}
+				room_id
 			},
-		};
-
-		self.services.rooms.metadata.ban_room(&room_id, true);
-
-		room_id
+			| Err(e) => {
+				return Err!("Failed to resolve room alias {room} to a room ID: {e}");
+			},
+		}
 	} else {
 		return Err!(
 			"Room specified is not a room ID or room alias. Please note that this requires a \
@@ -139,7 +116,7 @@ async fn ban_room(&self, room: OwnedRoomOrAliasId) -> Result {
 		);
 	};

-	debug!("Making all users leave the room {room_id} and forgetting it");
+	info!("Making all users leave the room {room_id} and forgetting it");
 	let mut users = self
 		.services
 		.rooms
@@ -150,12 +127,15 @@ async fn ban_room(&self, room: OwnedRoomOrAliasId) -> Result {
 		.boxed();

 	while let Some(ref user_id) = users.next().await {
-		debug!(
+		info!(
 			"Attempting leave for user {user_id} in room {room_id} (ignoring all errors, \
 			 evicting admins too)",
 		);

-		if let Err(e) = leave_room(self.services, user_id, &room_id, None).await {
+		if let Err(e) = leave_room(self.services, user_id, &room_id, None)
+			.boxed()
+			.await
+		{
 			warn!("Failed to leave room: {e}");
 		}

@@ -177,10 +157,9 @@ async fn ban_room(&self, room: OwnedRoomOrAliasId) -> Result {
 		})
 		.await;

-	// unpublish from room directory
-	self.services.rooms.directory.set_not_public(&room_id);
-
-	self.services.rooms.metadata.disable_room(&room_id, true);
+	self.services.rooms.directory.set_not_public(&room_id); // remove from the room directory
+	self.services.rooms.metadata.ban_room(&room_id, true); // prevent further joins
+	self.services.rooms.metadata.disable_room(&room_id, true); // disable federation

 	self.write_str(
 		"Room banned, removed all our local users, and disabled incoming federation with room.",
@@ -302,8 +281,6 @@ async fn ban_list_of_rooms(&self) -> Result {
 	}

 	for room_id in room_ids {
-		self.services.rooms.metadata.ban_room(&room_id, true);
-
 		debug!("Banned {room_id} successfully");
 		room_ban_count = room_ban_count.saturating_add(1);

@@ -323,7 +300,10 @@ async fn ban_list_of_rooms(&self) -> Result {
 				 evicting admins too)",
 			);

-			if let Err(e) = leave_room(self.services, user_id, &room_id, None).await {
+			if let Err(e) = leave_room(self.services, user_id, &room_id, None)
+				.boxed()
+				.await
+			{
 				warn!("Failed to leave room: {e}");
 			}

@@ -346,9 +326,9 @@ async fn ban_list_of_rooms(&self) -> Result {
 			})
 			.await;

+		self.services.rooms.metadata.ban_room(&room_id, true);
 		// unpublish from room directory, ignore errors
 		self.services.rooms.directory.set_not_public(&room_id);
-
 		self.services.rooms.metadata.disable_room(&room_id, true);
 	}

@@ -9,7 +9,7 @@ use crate::admin_command_dispatch;

 #[admin_command_dispatch]
 #[derive(Debug, Subcommand)]
-pub(super) enum ServerCommand {
+pub enum ServerCommand {
 	/// - Time elapsed since startup
 	Uptime,

@@ -1,14 +1,16 @@
 use std::{collections::BTreeMap, fmt::Write as _};

-use api::client::{full_user_deactivate, join_room_by_id_helper, leave_room};
+use api::client::{
+	full_user_deactivate, join_room_by_id_helper, leave_all_rooms, leave_room, update_avatar_url,
+	update_displayname,
+};
 use conduwuit::{
 	Err, Result, debug, debug_warn, error, info, is_equal_to,
-	matrix::pdu::PduBuilder,
+	matrix::{Event, pdu::PduBuilder},
 	utils::{self, ReadyExt},
 	warn,
 };
-use conduwuit_api::client::{leave_all_rooms, update_avatar_url, update_displayname};
-use futures::StreamExt;
+use futures::{FutureExt, StreamExt};
 use ruma::{
 	OwnedEventId, OwnedRoomId, OwnedRoomOrAliasId, OwnedUserId, UserId,
 	events::{
@@ -224,6 +226,47 @@ pub(super) async fn deactivate(&self, no_leave_rooms: bool, user_id: String) ->
 		.await
 }

+#[admin_command]
+pub(super) async fn suspend(&self, user_id: String) -> Result {
+	let user_id = parse_local_user_id(self.services, &user_id)?;
+
+	if user_id == self.services.globals.server_user {
+		return Err!("Not allowed to suspend the server service account.",);
+	}
+
+	if !self.services.users.exists(&user_id).await {
+		return Err!("User {user_id} does not exist.");
+	}
+	if self.services.users.is_admin(&user_id).await {
+		return Err!("Admin users cannot be suspended.");
+	}
+	// TODO: Record the actual user that sent the suspension where possible
+	self.services
+		.users
+		.suspend_account(&user_id, self.sender_or_service_user())
+		.await;
+
+	self.write_str(&format!("User {user_id} has been suspended."))
+		.await
+}
+
+#[admin_command]
+pub(super) async fn unsuspend(&self, user_id: String) -> Result {
+	let user_id = parse_local_user_id(self.services, &user_id)?;
+
+	if user_id == self.services.globals.server_user {
+		return Err!("Not allowed to unsuspend the server service account.",);
+	}
+
+	if !self.services.users.exists(&user_id).await {
+		return Err!("User {user_id} does not exist.");
+	}
+	self.services.users.unsuspend_account(&user_id).await;
+
+	self.write_str(&format!("User {user_id} has been unsuspended."))
+		.await
+}
+
 #[admin_command]
 pub(super) async fn reset_password(&self, username: String, password: Option<String>) -> Result {
 	let user_id = parse_local_user_id(self.services, &username)?;
@@ -243,8 +286,9 @@ pub(super) async fn reset_password(&self, username: String, password: Option<Str
 		.set_password(&user_id, Some(new_password.as_str()))
 	{
 		| Err(e) => return Err!("Couldn't reset the password for user {user_id}: {e}"),
-		| Ok(()) =>
-			write!(self, "Successfully reset the password for user {user_id}: `{new_password}`"),
+		| Ok(()) => {
+			write!(self, "Successfully reset the password for user {user_id}: `{new_password}`")
+		},
 	}
 	.await
 }
@@ -655,7 +699,9 @@ pub(super) async fn force_leave_room(
 		return Err!("{user_id} is not joined in the room");
 	}

-	leave_room(self.services, &user_id, &room_id, None).await?;
+	leave_room(self.services, &user_id, &room_id, None)
+		.boxed()
+		.await?;

 	self.write_str(&format!("{user_id} has left {room_id}.",))
 		.await
@@ -692,7 +738,7 @@ pub(super) async fn force_demote(&self, user_id: String, room_id: OwnedRoomOrAli
 		.state_accessor
 		.room_state_get(&room_id, &StateEventType::RoomCreate, "")
 		.await
-		.is_ok_and(|event| event.sender == user_id);
+		.is_ok_and(|event| event.sender() == user_id);

 	if !user_can_demote_self {
 		return Err!("User is not allowed to modify their own power levels in the room.",);
@@ -843,10 +889,7 @@ pub(super) async fn redact_event(&self, event_id: OwnedEventId) -> Result {
 		return Err!("Event is already redacted.");
 	}

-	let room_id = event.room_id;
-	let sender_user = event.sender;
-
-	if !self.services.globals.user_is_local(&sender_user) {
+	if !self.services.globals.user_is_local(event.sender()) {
 		return Err!("This command only works on local users.");
 	}

@@ -856,21 +899,21 @@ pub(super) async fn redact_event(&self, event_id: OwnedEventId) -> Result {
 	);

 	let redaction_event_id = {
-		let state_lock = self.services.rooms.state.mutex.lock(&room_id).await;
+		let state_lock = self.services.rooms.state.mutex.lock(event.room_id()).await;

 		self.services
 			.rooms
 			.timeline
 			.build_and_append_pdu(
 				PduBuilder {
-					redacts: Some(event.event_id.clone()),
+					redacts: Some(event.event_id().to_owned()),
 					..PduBuilder::timeline(&RoomRedactionEventContent {
-						redacts: Some(event.event_id.clone()),
+						redacts: Some(event.event_id().to_owned()),
 						reason: Some(reason),
 					})
 				},
-				&sender_user,
-				&room_id,
+				event.sender(),
+				event.room_id(),
 				&state_lock,
 			)
 			.await?
@@ -8,7 +8,7 @@ use crate::admin_command_dispatch;

 #[admin_command_dispatch]
 #[derive(Debug, Subcommand)]
-pub(super) enum UserCommand {
+pub enum UserCommand {
 	/// - Create a new user
 	#[clap(alias = "create")]
 	CreateUser {
@@ -59,6 +59,28 @@ pub(super) enum UserCommand {
 		force: bool,
 	},

+	/// - Suspend a user
+	///
+	/// Suspended users are able to log in, sync, and read messages, but are not
+	/// able to send events nor redact them, cannot change their profile, and
+	/// are unable to join, invite to, or knock on rooms.
+	///
+	/// Suspended users can still leave rooms and deactivate their account.
+	/// Suspending them effectively makes them read-only.
+	Suspend {
+		/// Username of the user to suspend
+		user_id: String,
+	},
+
+	/// - Unsuspend a user
+	///
+	/// Reverses the effects of the `suspend` command, allowing the user to send
+	/// messages, change their profile, create room invites, etc.
+	Unsuspend {
+		/// Username of the user to unsuspend
+		user_id: String,
+	},
+
 	/// - List local users in the database
 	#[clap(alias = "list")]
 	ListUsers,
@@ -3,10 +3,9 @@ use std::fmt::Write;
 use axum::extract::State;
 use axum_client_ip::InsecureClientIp;
 use conduwuit::{
-	Err, Error, Result, debug_info, err, error, info, is_equal_to,
+	Err, Error, Event, Result, debug_info, err, error, info, is_equal_to,
 	matrix::pdu::PduBuilder,
-	utils,
-	utils::{ReadyExt, stream::BroadbandExt},
+	utils::{self, ReadyExt, stream::BroadbandExt},
 	warn,
 };
 use conduwuit_service::Services;
@@ -151,16 +150,32 @@ pub(crate) async fn register_route(
 	if !services.config.allow_registration && body.appservice_info.is_none() {
 		match (body.username.as_ref(), body.initial_device_display_name.as_ref()) {
 			| (Some(username), Some(device_display_name)) => {
-				info!(%is_guest, user = %username, device_name = %device_display_name, "Rejecting registration attempt as registration is disabled");
+				info!(
+					%is_guest,
+					user = %username,
+					device_name = %device_display_name,
+					"Rejecting registration attempt as registration is disabled"
+				);
 			},
 			| (Some(username), _) => {
-				info!(%is_guest, user = %username, "Rejecting registration attempt as registration is disabled");
+				info!(
+					%is_guest,
+					user = %username,
+					"Rejecting registration attempt as registration is disabled"
+				);
 			},
 			| (_, Some(device_display_name)) => {
-				info!(%is_guest, device_name = %device_display_name, "Rejecting registration attempt as registration is disabled");
+				info!(
+					%is_guest,
+					device_name = %device_display_name,
+					"Rejecting registration attempt as registration is disabled"
+				);
 			},
 			| (None, _) => {
-				info!(%is_guest, "Rejecting registration attempt as registration is disabled");
+				info!(
+					%is_guest,
+					"Rejecting registration attempt as registration is disabled"
+				);
 			},
 		}

@@ -351,8 +366,7 @@ pub(crate) async fn register_route(
 	if !services.globals.new_user_displayname_suffix().is_empty()
 		&& body.appservice_info.is_none()
 	{
-		write!(displayname, " {}", services.server.config.new_user_displayname_suffix)
-			.expect("should be able to write to string buffer");
+		write!(displayname, " {}", services.server.config.new_user_displayname_suffix)?;
 	}

 	services
@@ -370,8 +384,7 @@ pub(crate) async fn register_route(
 				content: ruma::events::push_rules::PushRulesEventContent {
 					global: push::Ruleset::server_default(&user_id),
 				},
-			})
-			.expect("to json always works"),
+			})?,
 		)
 		.await?;

@@ -416,32 +429,21 @@ pub(crate) async fn register_route(
 	// log in conduit admin channel if a non-guest user registered
 	if body.appservice_info.is_none() && !is_guest {
 		if !device_display_name.is_empty() {
-			info!(
-				"New user \"{user_id}\" registered on this server with device display name: \
-				 \"{device_display_name}\""
+			let notice = format!(
+				"New user \"{user_id}\" registered on this server from IP {client} and device \
+				 display name \"{device_display_name}\""
 			);

+			info!("{notice}");
 			if services.server.config.admin_room_notices {
-				services
-					.admin
-					.send_message(RoomMessageEventContent::notice_plain(format!(
-						"New user \"{user_id}\" registered on this server from IP {client} and \
-						 device display name \"{device_display_name}\""
-					)))
-					.await
-					.ok();
+				services.admin.notice(&notice).await;
 			}
 		} else {
-			info!("New user \"{user_id}\" registered on this server.");
+			let notice = format!("New user \"{user_id}\" registered on this server.");

+			info!("{notice}");
 			if services.server.config.admin_room_notices {
-				services
-					.admin
-					.send_message(RoomMessageEventContent::notice_plain(format!(
-						"New user \"{user_id}\" registered on this server from IP {client}"
-					)))
-					.await
-					.ok();
+				services.admin.notice(&notice).await;
 			}
 		}
 	}
@@ -454,24 +456,22 @@ pub(crate) async fn register_route(
 			if services.server.config.admin_room_notices {
 				services
 					.admin
-					.send_message(RoomMessageEventContent::notice_plain(format!(
+					.notice(&format!(
 						"Guest user \"{user_id}\" with device display name \
 						 \"{device_display_name}\" registered on this server from IP {client}"
-					)))
-					.await
-					.ok();
+					))
+					.await;
 			}
 		} else {
 			#[allow(clippy::collapsible_else_if)]
 			if services.server.config.admin_room_notices {
 				services
 					.admin
-					.send_message(RoomMessageEventContent::notice_plain(format!(
+					.notice(&format!(
 						"Guest user \"{user_id}\" with no device display name registered on \
 						 this server from IP {client}",
-					)))
-					.await
-					.ok();
+					))
+					.await;
 			}
 		}
 	}
@@ -490,6 +490,25 @@ pub(crate) async fn register_route(
 			{
 				services.admin.make_user_admin(&user_id).await?;
 				warn!("Granting {user_id} admin privileges as the first user");
+			} else if services.config.suspend_on_register {
+				// This is not an admin, suspend them.
+				// Note that we can still do auto joins for suspended users
+				services
+					.users
+					.suspend_account(&user_id, &services.globals.server_user)
+					.await;
+				// And send an @room notice to the admin room, to prompt admins to review the
+				// new user and ideally unsuspend them if deemed appropriate.
+				if services.server.config.admin_room_notices {
+					services
+						.admin
+						.send_loud_message(RoomMessageEventContent::text_plain(format!(
+							"User {user_id} has been suspended as they are not the first user \
+							 on this server. Please review and unsuspend them if appropriate."
+						)))
+						.await
+						.ok();
+				}
 			}
 		}
 	}
@@ -584,7 +603,6 @@ pub(crate) async fn change_password_route(
 		.sender_user
 		.as_ref()
 		.ok_or_else(|| err!(Request(MissingToken("Missing access token."))))?;
-	let sender_device = body.sender_device();

 	let mut uiaainfo = UiaaInfo {
 		flows: vec![AuthFlow { stages: vec![AuthType::Password] }],
@@ -598,7 +616,7 @@ pub(crate) async fn change_password_route(
 		| Some(auth) => {
 			let (worked, uiaainfo) = services
 				.uiaa
-				.try_auth(sender_user, sender_device, auth, &uiaainfo)
+				.try_auth(sender_user, body.sender_device(), auth, &uiaainfo)
 				.await?;

 			if !worked {
@@ -612,7 +630,7 @@ pub(crate) async fn change_password_route(
 				uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
 				services
 					.uiaa
-					.create(sender_user, sender_device, &uiaainfo, json);
+					.create(sender_user, body.sender_device(), &uiaainfo, json);

 				return Err(Error::Uiaa(uiaainfo));
 			},
@@ -631,7 +649,7 @@ pub(crate) async fn change_password_route(
 		services
 			.users
 			.all_device_ids(sender_user)
-			.ready_filter(|id| *id != sender_device)
+			.ready_filter(|id| *id != body.sender_device())
 			.for_each(|id| services.users.remove_device(sender_user, id))
 			.await;

@@ -640,17 +658,17 @@ pub(crate) async fn change_password_route(
 			.pusher
 			.get_pushkeys(sender_user)
 			.map(ToOwned::to_owned)
-			.broad_filter_map(|pushkey| async move {
+			.broad_filter_map(async |pushkey| {
 				services
 					.pusher
 					.get_pusher_device(&pushkey)
 					.await
 					.ok()
-					.filter(|pusher_device| pusher_device != sender_device)
+					.filter(|pusher_device| pusher_device != body.sender_device())
 					.is_some()
 					.then_some(pushkey)
 			})
-			.for_each(|pushkey| async move {
+			.for_each(async |pushkey| {
 				services.pusher.delete_pusher(sender_user, &pushkey).await;
 			})
 			.await;
@@ -661,11 +679,8 @@ pub(crate) async fn change_password_route(
 	if services.server.config.admin_room_notices {
 		services
 			.admin
-			.send_message(RoomMessageEventContent::notice_plain(format!(
-				"User {sender_user} changed their password."
-			)))
-			.await
-			.ok();
+			.notice(&format!("User {sender_user} changed their password."))
+			.await;
 	}

 	Ok(change_password::v3::Response {})
@@ -680,13 +695,10 @@ pub(crate) async fn whoami_route(
 	State(services): State<crate::State>,
 	body: Ruma<whoami::v3::Request>,
 ) -> Result<whoami::v3::Response> {
-	let sender_user = body.sender_user.as_ref().expect("user is authenticated");
-	let device_id = body.sender_device.clone();
-
 	Ok(whoami::v3::Response {
-		user_id: sender_user.clone(),
-		device_id,
-		is_guest: services.users.is_deactivated(sender_user).await?
+		user_id: body.sender_user().to_owned(),
+		device_id: body.sender_device.clone(),
+		is_guest: services.users.is_deactivated(body.sender_user()).await?
 			&& body.appservice_info.is_none(),
 	})
 }
@@ -714,7 +726,6 @@ pub(crate) async fn deactivate_route(
 		.sender_user
 		.as_ref()
 		.ok_or_else(|| err!(Request(MissingToken("Missing access token."))))?;
-	let sender_device = body.sender_device();

 	let mut uiaainfo = UiaaInfo {
 		flows: vec![AuthFlow { stages: vec![AuthType::Password] }],
@@ -728,7 +739,7 @@ pub(crate) async fn deactivate_route(
 		| Some(auth) => {
 			let (worked, uiaainfo) = services
 				.uiaa
-				.try_auth(sender_user, sender_device, auth, &uiaainfo)
+				.try_auth(sender_user, body.sender_device(), auth, &uiaainfo)
 				.await?;

 			if !worked {
@@ -741,7 +752,7 @@ pub(crate) async fn deactivate_route(
 				uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
 				services
 					.uiaa
-					.create(sender_user, sender_device, &uiaainfo, json);
+					.create(sender_user, body.sender_device(), &uiaainfo, json);

 				return Err(Error::Uiaa(uiaainfo));
 			},
@@ -763,18 +774,17 @@ pub(crate) async fn deactivate_route(
 	super::update_displayname(&services, sender_user, None, &all_joined_rooms).await;
 	super::update_avatar_url(&services, sender_user, None, None, &all_joined_rooms).await;

-	full_user_deactivate(&services, sender_user, &all_joined_rooms).await?;
+	full_user_deactivate(&services, sender_user, &all_joined_rooms)
+		.boxed()
+		.await?;

 	info!("User {sender_user} deactivated their account.");

 	if services.server.config.admin_room_notices {
 		services
 			.admin
-			.send_message(RoomMessageEventContent::notice_plain(format!(
-				"User {sender_user} deactivated their account."
-			)))
-			.await
-			.ok();
+			.notice(&format!("User {sender_user} deactivated their account."))
+			.await;
 	}

 	Ok(deactivate::v3::Response {
@@ -851,6 +861,7 @@ pub async fn full_user_deactivate(
 	all_joined_rooms: &[OwnedRoomId],
 ) -> Result<()> {
 	services.users.deactivate_account(user_id).await.ok();
+
 	super::update_displayname(services, user_id, None, all_joined_rooms).await;
 	super::update_avatar_url(services, user_id, None, None, all_joined_rooms).await;

@@ -887,7 +898,7 @@ pub async fn full_user_deactivate(
 				.state_accessor
 				.room_state_get(room_id, &StateEventType::RoomCreate, "")
 				.await
-				.is_ok_and(|event| event.sender == user_id);
+				.is_ok_and(|event| event.sender() == user_id);

 		if user_can_demote_self {
 			let mut power_levels_content = room_power_levels.unwrap_or_default();
@@ -915,7 +926,7 @@ pub async fn full_user_deactivate(
 		}
 	}

-	super::leave_all_rooms(services, user_id).await;
+	super::leave_all_rooms(services, user_id).boxed().await;

 	Ok(())
 }
@@ -17,7 +17,10 @@ pub(crate) async fn create_alias_route(
 	State(services): State<crate::State>,
 	body: Ruma<create_alias::v3::Request>,
 ) -> Result<create_alias::v3::Response> {
-	let sender_user = body.sender_user.as_ref().expect("user is authenticated");
+	let sender_user = body.sender_user();
+	if services.users.is_suspended(sender_user).await? {
+		return Err!(Request(UserSuspended("You cannot perform this action while suspended.")));
+	}

 	services
 		.rooms
@@ -62,7 +65,10 @@ pub(crate) async fn delete_alias_route(
 	State(services): State<crate::State>,
 	body: Ruma<delete_alias::v3::Request>,
 ) -> Result<delete_alias::v3::Response> {
-	let sender_user = body.sender_user.as_ref().expect("user is authenticated");
+	let sender_user = body.sender_user();
+	if services.users.is_suspended(sender_user).await? {
+		return Err!(Request(UserSuspended("You cannot perform this action while suspended.")));
+	}

 	services
 		.rooms
@@ -2,8 +2,10 @@ use std::cmp::Ordering;

 use axum::extract::State;
 use conduwuit::{Err, Result, err};
+use conduwuit_service::Services;
+use futures::{FutureExt, future::try_join};
 use ruma::{
-	UInt,
+	UInt, UserId,
 	api::client::backup::{
 		add_backup_keys, add_backup_keys_for_room, add_backup_keys_for_session,
 		create_backup_version, delete_backup_keys, delete_backup_keys_for_room,
@@ -58,21 +60,9 @@ pub(crate) async fn get_latest_backup_info_route(
 		.await
 		.map_err(|_| err!(Request(NotFound("Key backup does not exist."))))?;

-	Ok(get_latest_backup_info::v3::Response {
-		algorithm,
-		count: (UInt::try_from(
-			services
-				.key_backups
-				.count_keys(body.sender_user(), &version)
-				.await,
-		)
-		.expect("user backup keys count should not be that high")),
-		etag: services
-			.key_backups
-			.get_etag(body.sender_user(), &version)
-			.await,
-		version,
-	})
+	let (count, etag) = get_count_etag(&services, body.sender_user(), &version).await?;
+
+	Ok(get_latest_backup_info::v3::Response { algorithm, count, etag, version })
 }

 /// # `GET /_matrix/client/v3/room_keys/version/{version}`
@@ -90,17 +80,12 @@ pub(crate) async fn get_backup_info_route(
 			err!(Request(NotFound("Key backup does not exist at version {:?}", body.version)))
 		})?;

+	let (count, etag) = get_count_etag(&services, body.sender_user(), &body.version).await?;
+
 	Ok(get_backup_info::v3::Response {
 		algorithm,
-		count: services
-			.key_backups
-			.count_keys(body.sender_user(), &body.version)
-			.await
-			.try_into()?,
-		etag: services
-			.key_backups
-			.get_etag(body.sender_user(), &body.version)
-			.await,
+		count,
+		etag,
 		version: body.version.clone(),
 	})
 }
@@ -155,17 +140,9 @@ pub(crate) async fn add_backup_keys_route(
 		}
 	}

-	Ok(add_backup_keys::v3::Response {
-		count: services
-			.key_backups
-			.count_keys(body.sender_user(), &body.version)
-			.await
-			.try_into()?,
-		etag: services
-			.key_backups
-			.get_etag(body.sender_user(), &body.version)
-			.await,
-	})
+	let (count, etag) = get_count_etag(&services, body.sender_user(), &body.version).await?;
+
+	Ok(add_backup_keys::v3::Response { count, etag })
 }

 /// # `PUT /_matrix/client/r0/room_keys/keys/{roomId}`
@@ -198,17 +175,9 @@ pub(crate) async fn add_backup_keys_for_room_route(
 			.await?;
 	}

-	Ok(add_backup_keys_for_room::v3::Response {
-		count: services
-			.key_backups
-			.count_keys(body.sender_user(), &body.version)
-			.await
-			.try_into()?,
-		etag: services
-			.key_backups
-			.get_etag(body.sender_user(), &body.version)
-			.await,
-	})
+	let (count, etag) = get_count_etag(&services, body.sender_user(), &body.version).await?;
+
+	Ok(add_backup_keys_for_room::v3::Response { count, etag })
 }

 /// # `PUT /_matrix/client/r0/room_keys/keys/{roomId}/{sessionId}`
@@ -306,17 +275,9 @@ pub(crate) async fn add_backup_keys_for_session_route(
 			.await?;
 	}

-	Ok(add_backup_keys_for_session::v3::Response {
-		count: services
-			.key_backups
-			.count_keys(body.sender_user(), &body.version)
-			.await
-			.try_into()?,
-		etag: services
-			.key_backups
-			.get_etag(body.sender_user(), &body.version)
-			.await,
-	})
+	let (count, etag) = get_count_etag(&services, body.sender_user(), &body.version).await?;
+
+	Ok(add_backup_keys_for_session::v3::Response { count, etag })
 }

 /// # `GET /_matrix/client/r0/room_keys/keys`
@@ -379,17 +340,9 @@ pub(crate) async fn delete_backup_keys_route(
 		.delete_all_keys(body.sender_user(), &body.version)
 		.await;

-	Ok(delete_backup_keys::v3::Response {
-		count: services
-			.key_backups
-			.count_keys(body.sender_user(), &body.version)
-			.await
-			.try_into()?,
-		etag: services
-			.key_backups
-			.get_etag(body.sender_user(), &body.version)
-			.await,
-	})
+	let (count, etag) = get_count_etag(&services, body.sender_user(), &body.version).await?;
+
+	Ok(delete_backup_keys::v3::Response { count, etag })
 }

 /// # `DELETE /_matrix/client/r0/room_keys/keys/{roomId}`
@@ -404,17 +357,9 @@ pub(crate) async fn delete_backup_keys_for_room_route(
 		.delete_room_keys(body.sender_user(), &body.version, &body.room_id)
 		.await;

-	Ok(delete_backup_keys_for_room::v3::Response {
-		count: services
-			.key_backups
-			.count_keys(body.sender_user(), &body.version)
-			.await
-			.try_into()?,
-		etag: services
-			.key_backups
-			.get_etag(body.sender_user(), &body.version)
-			.await,
-	})
+	let (count, etag) = get_count_etag(&services, body.sender_user(), &body.version).await?;
+
+	Ok(delete_backup_keys_for_room::v3::Response { count, etag })
 }

 /// # `DELETE /_matrix/client/r0/room_keys/keys/{roomId}/{sessionId}`
@@ -429,15 +374,22 @@ pub(crate) async fn delete_backup_keys_for_session_route(
 		.delete_room_key(body.sender_user(), &body.version, &body.room_id, &body.session_id)
 		.await;

-	Ok(delete_backup_keys_for_session::v3::Response {
-		count: services
-			.key_backups
-			.count_keys(body.sender_user(), &body.version)
-			.await
-			.try_into()?,
-		etag: services
-			.key_backups
-			.get_etag(body.sender_user(), &body.version)
-			.await,
-	})
+	let (count, etag) = get_count_etag(&services, body.sender_user(), &body.version).await?;
+
+	Ok(delete_backup_keys_for_session::v3::Response { count, etag })
+}
+
+async fn get_count_etag(
+	services: &Services,
+	sender_user: &UserId,
+	version: &str,
+) -> Result<(UInt, String)> {
+	let count = services
+		.key_backups
+		.count_keys(sender_user, version)
+		.map(TryInto::try_into);
+
+	let etag = services.key_backups.get_etag(sender_user, version).map(Ok);
+
+	Ok(try_join(count, etag).await?)
 }
@@ -26,8 +26,8 @@ pub(crate) async fn get_capabilities_route(

 	let mut capabilities = Capabilities::default();
 	capabilities.room_versions = RoomVersionsCapability {
-		default: services.server.config.default_room_version.clone(),
 		available,
+		default: services.server.config.default_room_version.clone(),
 	};

 	// we do not implement 3PID stuff
@@ -38,16 +38,12 @@ pub(crate) async fn get_capabilities_route(
 	};

 	// MSC4133 capability
-	capabilities
-		.set("uk.tcpip.msc4133.profile_fields", json!({"enabled": true}))
-		.expect("this is valid JSON we created");
+	capabilities.set("uk.tcpip.msc4133.profile_fields", json!({"enabled": true}))?;

-	capabilities
-		.set(
-			"org.matrix.msc4267.forget_forced_upon_leave",
-			json!({"enabled": services.config.forget_forced_upon_leave}),
-		)
-		.expect("valid JSON we created");
+	capabilities.set(
+		"org.matrix.msc4267.forget_forced_upon_leave",
+		json!({"enabled": services.config.forget_forced_upon_leave}),
+	)?;

 	Ok(get_capabilities::v3::Response { capabilities })
 }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
nexy7574	89e2faaa8e	feat: Ask remote servers for individual unknown events	2025-07-08 17:07:50 +01:00
Odd E. Ebbesen	13b21b00a9	feat: #821 - Options to disable local typing and read receipts	2025-07-08 14:52:28 +02:00
Odd E. Ebbesen	c3c33f47e2	feat: #821 - Options to disable local typing and read receipts	2025-07-08 14:45:57 +02:00
Odd E. Ebbesen	564e7097e6	feat: #821 - Options to disable local typing and read receipts	2025-07-08 12:43:48 +02:00
Gwendolyn Kornak	925e200d9c	include xtask	2025-07-07 14:18:09 -07:00
Shuroii	b5bf68b8c8	fix: RocksDB build	2025-07-07 20:47:30 +01:00
Shuroii	6289bcaabc	style: Run statix	2025-07-07 20:47:30 +01:00
Shuroii	cb138f5039	ref: Clean up rocksdb build	2025-07-07 20:47:29 +01:00
Shuroii	36a7bd7eb3	chore: Update toolchain hash & flake.lock	2025-07-07 20:47:29 +01:00
Shuroii	520a179bb0	ref: Remove lots of unused Nix assets Also change some links to the new ones, removing reliance on June's github repos in some places	2025-07-07 20:47:29 +01:00
Shuroii	09199b0ea7	style: Format nix nixfmt-rfc-style for flake nixpkgs-fmt for nix/ directory	2025-07-07 20:47:29 +01:00
transgwender	0e2fdc415c	Update the rust 1.87 hash	2025-07-07 01:42:26 +00:00
Jade Ellis	8fb94f99e9	ci: Upload binaries as artifacts	2025-07-07 01:40:59 +00:00
Jade Ellis	3977ccfcea	ci: Fix docker tags	2025-07-07 01:40:59 +00:00
Jade Ellis	890b8e25fc	ci: Mirror RC tags	2025-07-07 01:40:59 +00:00
Jade Ellis	28a29c3a7b	feat: Generate binary documentation Also refactors main.rs/mod.rs to silence clippy	2025-07-06 22:58:01 +01:00
Jade Ellis	d98ce2c7b9	feat: Generate admin command documentation The first part of getting admin command docs on the website. There's also the beginnings of manpage generation here, although it's kinda sus and I'm not sure how it's supposed to work. I'll leave that to anyone who wants to package it. We introduce the beginings of the xtask pattern here - we do a lot of file generation, I thought it would be best to avoid doing that on every compilation. It also helps avoid lots of runtime deps. We'll need to document generating this stuff & probably add pre-commit hooks for it, though.	2025-07-06 22:58:00 +01:00
Jade Ellis	18d12a7756	feat: Support logging to journald with tracing-journald This stubs out on non-unix platforms.	2025-07-06 22:58:00 +01:00
Jade Ellis	928b7c5e4a	fix: Correct vars	2025-07-06 22:57:33 +01:00
Jade Ellis	af8783ee51	ci: Mirror registry images	2025-07-06 22:45:01 +01:00
Nyx	52954c5b75	Even more renaming	2025-07-06 14:00:42 -05:00
Tom Foster	7e406445d4	Element Web build fixes	2025-07-03 22:26:02 +01:00
Jade Ellis	293e7243b3	style: Fix formatting/clippy issues	2025-07-02 19:32:50 +01:00
Jason Volk	143cb55ac8	Fix clippy::unnecessary-unwrap. Signed-off-by: Jason Volk <jason@zemos.net>	2025-07-02 19:29:32 +01:00
Jason Volk	3c7c641d2d	Add revoke_admin to service. Signed-off-by: Jason Volk <jason@zemos.net>	2025-07-02 19:29:32 +01:00
Jason Volk	36e81ba185	Split state_cache service. Signed-off-by: Jason Volk <jason@zemos.net>	2025-07-02 19:29:31 +01:00
Jason Volk	56420a67ca	Outdent state_compressor service. Signed-off-by: Jason Volk <jason@zemos.net>	2025-07-02 19:29:31 +01:00
Jason Volk	c5c309ec43	Split timeline service. Signed-off-by: Jason Volk <jason@zemos.net>	2025-07-02 19:29:28 +01:00
Jason Volk	c06aa49a90	Fix regression `75aadd5c6a` Signed-off-by: Jason Volk <jason@zemos.net>	2025-07-02 19:17:09 +01:00
Jason Volk	364293608d	Post-formatting aesthetic and spacing corrections Signed-off-by: Jason Volk <jason@zemos.net>	2025-07-02 19:17:06 +01:00
Jason Volk	af4f66c768	Cleanup/improve other async queries in some client handlers. Signed-off-by: Jason Volk <jason@zemos.net>	2025-07-02 19:12:51 +01:00
Jason Volk	116f85360f	Toward abstracting Pdu into trait Event. Co-authored-by: Jade Ellis <jade@ellis.link> Signed-off-by: Jason Volk <jason@zemos.net>	2025-07-02 19:03:26 +01:00
Jason Volk	3d0360bcd6	Dedup and parallelize current key backup count and etag fetching. Signed-off-by: Jason Volk <jason@zemos.net>	2025-07-02 19:03:26 +01:00
Jason Volk	667afedd24	Macroize various remaining Error constructions. Signed-off-by: Jason Volk <jason@zemos.net>	2025-07-02 19:03:24 +01:00
Jason Volk	21bbee8e3c	Simplify api to send notices to admin room Signed-off-by: Jason Volk <jason@zemos.net>	2025-07-02 18:58:18 +01:00
Jason Volk	732a77f3a8	Use integrated error instead of panic on some legacy codepaths Signed-off-by: Jason Volk <jason@zemos.net>	2025-07-02 18:58:18 +01:00
Jason Volk	f3dd90df39	Mitigate large futures Signed-off-by: Jason Volk <jason@zemos.net>	2025-07-02 18:58:18 +01:00
Jason Volk	2051c22a28	Support optional device_id's in lazy-loading context. Co-authored-by: Jade Ellis <jade@ellis.link> Signed-off-by: Jason Volk <jason@zemos.net>	2025-07-02 18:58:17 +01:00
Jason Volk	49f7a2487f	Modernize various sender_user/sender_device lets. Signed-off-by: Jason Volk <jason@zemos.net>	2025-07-02 18:58:14 +01:00
nexy7574	d6aa03ea73	style: Remove extraneous import	2025-07-02 00:53:40 +00:00
nexy7574	8e0852e5b5	docs: Add suggestion about auto join room Adds suggestion to suspend_on_register doc that admins should add a room that contains information to their auto_join_rooms as to not confuse new users who may be lost at the fact they can't join any rooms or send any messages.	2025-07-02 00:53:40 +00:00
nexy7574	6e60918584	feat: Suspend new users on registration	2025-07-02 00:53:40 +00:00
nexy7574	68afb07c27	feat: Stabilise room summary API (MSC3266) # Conflicts: # Cargo.lock # Cargo.toml	2025-07-02 00:48:16 +01:00
nexy7574	b44791799c	fix: Room bans preventing federated leaves Fixes the issue where room bans prevent federating leave events, resulting in local users being stuck in remote rooms	2025-07-01 23:14:41 +01:00
nexy7574	4f69da47c6	feat: Advertise support for spec v1.8, 1.12, 1.13, and 1.14	2025-07-01 18:38:48 +01:00
nexy7574	24d2a514e2	chore: Resolve linting errors	2025-07-01 18:00:28 +01:00
nexy7574	f49c73c031	feat: Forbid suspended users from sending reports	2025-07-01 15:44:04 +01:00
nexy7574	59912709aa	feat: Send intentional mentions in report messages	2025-07-01 15:42:38 +01:00
nexy7574	97e5cc4e2d	feat: Implement user reporting	2025-07-01 01:55:13 +01:00
Jade Ellis	17930708d8	chore: Add second ko-fi as custom link	2025-06-29 23:06:26 +01:00
Jade Ellis	ec9d3d613e	chore: Add funding	2025-06-29 23:02:15 +01:00
nexy7574	d4862b8ead	style: Remove redundant, unused functions	2025-06-29 15:38:01 +00:00
Jade Ellis	acb74faa07	feat: Pass sender through admin commands	2025-06-29 15:38:01 +00:00
Jade Ellis	ecc6fda98b	feat: Record metadata about user suspensions	2025-06-29 15:38:01 +00:00
nexy7574	13e17d52e0	style: Remove unnecessary imports (clippy)	2025-06-29 15:38:01 +00:00
nexy7574	d8a27eeb54	fix: Failing open on database errors oops	2025-06-29 15:38:01 +00:00
nexy7574	eb2e3b3bb7	fix: Missing suspensions shouldn't error Turns out copying and pasting the function above verbatim actually introduces more problems than it solves!	2025-06-29 15:38:01 +00:00
nexy7574	72f8cb3038	feat: Do not allow suspended users to send typing statuses	2025-06-29 15:38:01 +00:00
nexy7574	1124097bd1	feat: Only allow private read receipts when suspended	2025-06-29 15:38:01 +00:00
nexy7574	08527a2880	feat: Prevent suspended users upgrading rooms	2025-06-29 15:38:01 +00:00
nexy7574	8e06571e7c	feat: Prevent suspended users uploading media	2025-06-29 15:38:01 +00:00
nexy7574	90180916eb	feat: Prevent suspended users performing room changes Prevents kicks, bans, unbans, and alias modification	2025-06-29 15:38:01 +00:00
nexy7574	d0548ec064	feat: Forbid suspended users from sending state events	2025-06-29 15:38:01 +00:00
nexy7574	1ff8af8e9e	style: Remove unneeded statements (clippy)	2025-06-29 15:38:01 +00:00
nexy7574	cc864dc8bb	feat: Do not allow suspending admin users	2025-06-29 15:38:01 +00:00
nexy7574	8791a9b851	fix: Inappropriate empty check I once again, assumed `true` is actually `false`.	2025-06-29 15:38:01 +00:00
nexy7574	968c0e236c	fix: Create the column appropriately	2025-06-29 15:38:01 +00:00
nexy7574	5d5350a9fe	feat: Prevent suspended users creating new rooms	2025-06-29 15:38:01 +00:00
nexy7574	e127c4e5a2	feat: Add un/suspend admin commands	2025-06-29 15:38:01 +00:00
nexy7574	a94128e698	feat: Prevent suspended users joining/knocking on rooms	2025-06-29 15:38:01 +00:00
nexy7574	a6ba9e3045	feat: Prevent suspended users changing their profile	2025-06-29 15:38:01 +00:00
nexy7574	286974cb9a	feat: Prevent suspended users redacting events	2025-06-29 15:38:01 +00:00
nexy7574	accfda2586	feat: Prevent suspended users sending events	2025-06-29 15:38:01 +00:00
nexy7574	fac9e090cd	feat: Add suspension helper to user service	2025-06-29 15:38:01 +00:00
nexy7574	b4bdd1ee65	chore: Update ruwuma Fixes the wrong field name being serialised	2025-06-29 13:43:27 +01:00
nexy7574	4b5e8df95c	fix: Add missing init fields	2025-06-29 13:29:27 +01:00
nexy7574	d63c8b9fca	feat: Support passing through MSC4293 redact_events	2025-06-29 13:16:31 +01:00
nexy7574	9b6ac6c45f	fix: Ignore existing membership when room is disconnected	2025-06-29 12:14:20 +00:00
nexy7574	52e042cb06	Always calculate state diff IDs in syncv3 seemingly fixes #779	2025-06-28 20:37:40 +00:00
Jason Volk	f508e7654c	fix: off by one.	2025-06-28 00:38:45 +00:00
nexy7574	543ab27747	fix: Additional sanity checks when creating a PDU Prevents creating events that are most likely catastrophically invalid	2025-06-27 20:58:52 +01:00
Jade Ellis	c82ea24069	docs: Add Matrix chat and space badges to README	2025-06-27 18:44:46 +01:00
Jacob Taylor	db58d841aa	fix: Only load children of nested spaces	2025-06-25 18:17:06 +01:00
Jade Ellis	f1ca84fcaf	fix: Correct project brand in admin & OTEL	2025-06-24 23:16:48 +01:00
Jade Ellis	63962fc040	docs: Remove completed items from the README	2025-06-24 23:13:28 +01:00
Jade Ellis	a24278dc1b	docs: Update mirror badges	2025-06-24 23:12:09 +01:00
Jade Ellis	b787e97dc1	chore: Document & enforce conventional commit messages	2025-06-24 22:43:44 +01:00
Jade Ellis	eb75c4ecb0	chore: Fix typos in commit messages automatically	2025-06-24 22:43:44 +01:00
Jade Ellis	9bbe333082	ci: Don't run docs flow when the secret is inaccessible	2025-06-24 22:43:43 +01:00
Jade Ellis	3177545a6f	chore: Remove clippy pre-commit hook It's too slow for a good git experience	2025-06-24 21:45:54 +01:00
Kimiblock Moe	4a289a9fee	arch systemd: use credentials to load config	2025-06-24 11:07:11 +00:00
Jade Ellis	4d69a1ad51	docs: Deduplicate sections	2025-06-23 01:25:38 +01:00
Jade Ellis	4f174324ba	docs: Update contributing guide	2025-06-23 01:04:27 +01:00
Jade Ellis	2ecbd75d64	ci: fixes - Install UV - Verbose run - Set permissions explicitly - Check all files	2025-06-21 19:17:21 +01:00
Jade Ellis	a682e9dbb8	chore: Add commit to ignored revs	2025-06-21 18:03:38 +01:00
Jade Ellis	46c193e74b	chore: fix end of files & trailing whitespace	2025-06-21 17:59:01 +01:00
Jade Ellis	93719018a8	ci: Run additional sanity checks on repository	2025-06-21 17:58:28 +01:00
Jade Ellis	70df8364b3	chore: Bump rustyline-async from 0.4.3 to 0.4.6	2025-06-21 00:50:02 +01:00
Jade Ellis	bae8192fb3	chore: Bump resolv-conf from 0.7.1 to 0.7.4	2025-06-20 23:39:20 +01:00
Jade Ellis	add5c7052c	chore: Update lockfile	2025-06-20 21:51:53 +01:00
Jade Ellis	01200d9b54	build: Allow specifying build profile Additionally splits caches by target CPU	2025-06-20 21:48:37 +01:00
Jade Ellis	0ba4a265be	build: Upgrade to Rust 1.87	2025-06-20 21:45:29 +01:00
Jade Ellis	08fbcbba69	build: Use newer LLVM for rust 1.87	2025-06-20 21:35:48 +01:00
Jade Ellis	b526935d45	build: Specify debian version	2025-06-20 21:35:03 +01:00
Jade Ellis	a737d845a4	chore: Don't specify targets in rust-toolchain	2025-06-20 21:25:34 +01:00
nex	e508b1197f	feat: allow overriding the "most recent event" when forcing a state download (#853 ) Add option to select which event to set the state at to, for the force-set-room-state admin command. This allows us to work around issues where the latest PDU is one that remote servers don't know about (i.e. failed federation for whatever reason) Closes #852 Reviewed-on: https://forgejo.ellis.link/continuwuation/continuwuity/pulls/853 Reviewed-by: Jade Ellis <jade@ellis.link> Co-authored-by: nex <nex@noreply.forgejo.ellis.link> Co-committed-by: nex <nex@noreply.forgejo.ellis.link>	2025-06-19 21:27:50 +00:00
Kimiblock	d6fd30393c	Update docs/deploying/arch-linux.md	2025-06-19 12:36:49 +00:00
Jade Ellis	6e16a6ef8f	chore: Release announcement	2025-06-14 22:34:24 +01:00
Jade Ellis	0870c8d647	chore: Release	2025-06-14 20:53:00 +01:00
Jade Ellis	d0f00e6f5c	feat: Allow mentioning @room in an admin announcement	2025-06-14 19:09:54 +01:00
Jade Ellis	5d44653e3a	fix: Incorrect command descriptions	2025-06-14 16:51:24 +01:00
Jade Ellis	44e60d0ea6	docs: Tiny phrasing changes to the security policy	2025-06-14 16:34:58 +01:00
Jade Ellis	d7514178ab	ci: Fix extra bracket in commit shorthash	2025-06-13 14:30:26 +01:00
Jade Ellis	1d45e0b68c	feat: Add warning when admin users will be exposed as support contacts	2025-06-13 13:39:50 +01:00
Jade Ellis	3c44dccd65	ci: HACK, disable saving to actions cache	2025-05-26 19:16:50 +01:00
Jade Ellis	b57be072c7	build: Don't rerun on git changes	2025-05-26 19:16:05 +01:00
Jade Ellis	ea5dc8e09d	fix: Use correct brand in clap version string	2025-05-26 19:16:05 +01:00
Jade Ellis	b9d60c64e5	ci: Don't specify container for image builder	2025-05-26 19:16:04 +01:00
Jade Ellis	94ae824149	ci: Don't install rustup if it's already there	2025-05-26 19:16:03 +01:00
Jade Ellis	640714922b	feat: For knock_restricted rooms, automatically join rooms we meet restrictions for rather than knocking	2025-05-26 19:16:03 +01:00
Jade Ellis	2b268fdaf3	fix: Allow joining via invite for knock_restricted rooms	2025-05-26 19:16:01 +01:00
Jade Ellis	e8d823a653	docs: Apply feedback on security policy	2025-05-26 15:01:58 +01:00
Jade Ellis	0ba77674c7	docs: Security policy	2025-05-25 00:36:28 +01:00
Jade Ellis	2ccbd7d60b	fix: Reference config directly	2025-05-21 21:06:44 +01:00
Jade Ellis	60960c6e09	feat: Automatically set well-known support contacts	2025-05-21 20:32:53 +01:00
Jade Ellis	ce40304667	chore: Upgrade deps	2025-05-21 15:28:46 +01:00
Jade Ellis	dcbc4b54c5	ci: Always show sccache stats	2025-05-21 12:45:25 +01:00
Jade Ellis	fce024b30b	chore: Add must_use annotation	2025-05-21 12:45:14 +01:00
Jade Ellis	3e4e696761	fix: Make sure empty VERSION_EXTRA strings are ignored Also updates built & removes unused optional features	2025-05-21 12:35:36 +01:00
Jason Volk	f605913ea9	Eliminate associated Id type from trait Event. Co-authored-by: Jade Ellis <jade@ellis.link> Signed-off-by: Jason Volk <jason@zemos.net>	2025-05-21 11:36:15 +01:00
Jason Volk	44302ce732	Eliminate explicit parallel_fetches argument. Signed-off-by: Jason Volk <jason@zemos.net>	2025-05-21 11:36:15 +01:00
Jason Volk	bfb0a2b76a	Remove unused Pdu::into_any_event(). Signed-off-by: Jason Volk <jason@zemos.net>	2025-05-21 11:36:14 +01:00
Jason Volk	fcd5669aa1	Join jemalloc background threads prior to exit. Co-authored-by: Jade Ellis <jade@ellis.link> Signed-off-by: Jason Volk <jason@zemos.net>	2025-05-21 11:36:13 +01:00
Jade Ellis	9b8b37f162	docs: Badges for mirrors	2025-05-21 02:51:09 +01:00
Jade Ellis	7a46563f23	ci: Cache docker image build mounts	2025-05-21 01:48:25 +01:00
Jade Ellis	1bf6537319	build: Split docker target cache by target platform	2025-05-20 22:47:55 +01:00
Jade Ellis	4ed04b343a	build: Use xtrace in bash scripts in Dockerfile	2025-05-20 22:13:13 +01:00
Jade Ellis	a4ad72e11d	ci: Run `cargo test`	2025-05-20 21:48:40 +01:00
Jade Ellis	1f57508879	ci: Don't clippy check dependancies	2025-05-20 21:47:35 +01:00
Jade Ellis	a325dfa56a	ci: Use timelord in clippy check	2025-05-20 21:47:27 +01:00
Jade Ellis	b5d2ef9a4a	ci: Refactor timelord to its own action	2025-05-20 21:36:01 +01:00
Jade Ellis	e200a7d991	ci: Cache Rust registry	2025-05-20 21:36:01 +01:00
Jade Ellis	034762c619	chore: Allow raw string hashes for metadata crate	2025-05-20 21:36:00 +01:00
Jade Ellis	e31d261e66	ci: Run clippy check	2025-05-20 21:36:00 +01:00
Jade Ellis	c5db43ba9a	chore: Docker ignore forgejo files	2025-05-20 21:31:41 +01:00
Jade Ellis	ec08e16b9f	build: Allow builder to decide on incremental or not	2025-05-20 21:31:41 +01:00
Jade Ellis	f14725a51b	ci: Check formatting Also moves rustup installation to a seperate workflow and enables caching. The sccache action required a github.com api token, so we set all that up too.	2025-05-20 21:31:41 +01:00
Jade Ellis	d03325c65a	chore: Set editorconfig for workflows	2025-05-20 21:31:40 +01:00
Jade Ellis	066794fe90	ci: Don't try build images on PR	2025-05-20 21:31:40 +01:00
Jade Ellis	beee996f72	docs: Rename conduwuit to continuwuity in more places	2025-05-10 20:37:08 +01:00
Jade Ellis	7c58e40c96	chore(typos): Ignore certificate files	2025-05-10 19:42:40 +01:00
Jade Ellis	5577ddca27	chore: Add CONTINUWUITY_ environment variables Also updates some examples to match	2025-05-10 12:54:33 +01:00