chore: Add newsfrag

feat: Keep track of a min_depth value
Should prevent weird situations where we accidentally gapfill into backfill territory
2026-05-26 20:49:55 +00:00 · 2026-05-26 21:26:57 +01:00 · 2026-05-26 21:22:32 +01:00 · 2026-05-26 20:25:37 +01:00 · 2026-05-26 20:22:45 +01:00 · 2026-05-26 20:22:45 +01:00
343 changed files with 11160 additions and 12119 deletions
@@ -44,7 +44,7 @@ runs:

    - name: Login to builtin registry
      if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
-      uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+      uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
      with:
        registry: ${{ env.BUILTIN_REGISTRY }}
        username: ${{ inputs.registry_user }}
@@ -52,7 +52,7 @@ runs:

    - name: Set up Docker Buildx
      if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
-      uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+      uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
      with:
        # Use persistent BuildKit if BUILDKIT_ENDPOINT is set (e.g. tcp://buildkit:8125)
        driver: ${{ env.BUILDKIT_ENDPOINT != '' && 'remote' || 'docker-container' }}
@@ -61,7 +61,7 @@ runs:
    - name: Extract metadata (tags) for Docker
      if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
      id: meta
-      uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+      uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
      with:
        flavor: |
          latest=auto
@@ -67,7 +67,7 @@ runs:
      uses: ./.forgejo/actions/rust-toolchain

    - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+      uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
      with:
        # Use persistent BuildKit if BUILDKIT_ENDPOINT is set (e.g. tcp://buildkit:8125)
        driver: ${{ env.BUILDKIT_ENDPOINT != '' && 'remote' || 'docker-container' }}
@@ -79,7 +79,7 @@ runs:

    - name: Login to builtin registry
      if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
-      uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+      uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
      with:
        registry: ${{ env.BUILTIN_REGISTRY }}
        username: ${{ inputs.registry_user }}
@@ -87,7 +87,7 @@ runs:

    - name: Extract metadata (labels, annotations) for Docker
      id: meta
-      uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+      uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
      with:
        images: ${{ inputs.images }}
        # default labels & annotations: https://github.com/docker/metadata-action/blob/master/src/meta.ts#L509
@@ -17,7 +17,7 @@ inputs:
  llvm-version:
    description: 'LLVM version to install'
    required: false
-    default: '20'
+    default: '21'

 outputs:
  llvm-version:
@@ -71,7 +71,7 @@ runs:

    - name: Install timelord-cli and git-warp-time
      if: steps.check-binaries.outputs.need-install == 'true'
-      uses: https://github.com/taiki-e/install-action@74e87cbfa15a59692b158178d8905a61bf6fca95 # v2
+      uses: https://github.com/taiki-e/install-action@920ab1831fbf4fb3ef75c8ead83556c918bb7290 # v2
      with:
        tool: git-warp-time,timelord-cli@3.0.1

@@ -45,7 +45,6 @@ If you aren't sure about some, feel free to ask for clarification in #dev:contin
  - [ ] I have [tested my contribution][c1t] (or proof-read it for documentation-only changes)
        myself, if applicable. This includes ensuring code compiles.
  - [ ] My commit messages follow the [commit message format][c1cm] and are descriptive.
-  - [ ] I have written a [news fragment][n1] for this PR, if applicable<!--(can be done after hitting open!)-->.

 <!--
 Notes on these requirements:
@@ -79,4 +78,3 @@ Notes on these requirements:
 [c1pc]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/CONTRIBUTING.md#pre-commit-checks
 [c1t]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/CONTRIBUTING.md#running-tests-locally
 [c1cm]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/CONTRIBUTING.md#commit-messages
-[n1]: https://towncrier.readthedocs.io/en/stable/tutorial.html#creating-news-fragments
@@ -28,7 +28,7 @@ jobs:
            const labelsToAdd = new Set();

            for (const file of fileNames) {
-              if (file.startsWith('docs/') || file.startsWith('theme/') || file.endsWith('.md') || file == 'rspress.config.ts') {
+              if (file.startsWith('docs/') || file.startsWith('theme/') || (file.endsWith('.md') && !file.startsWith('changelog.d/')) || file == 'rspress.config.ts') {
                labelsToAdd.add('Documentation');
              }
              if (file.startsWith('.forgejo/')) {
@@ -96,7 +96,7 @@ jobs:
          if [[ ${{ forge.ref_name }} =~ ^v+[0-9]\.+[0-9]\.+[0-9]$ ]]; then
            # Use the "stable" component for tagged semver releases
            COMPONENT="stable"
-          elif [[ ${{ forge.ref }} =~ ^refs/tags/^v+[0-9]\.+[0-9]\.+[0-9] ]]; then
+          elif [[ ${{ forge.ref_name }} =~ ^v+[0-9]\.+[0-9]\.+[0-9] ]]; then
            # Use the "unstable" component for tagged semver pre-releases
            COMPONENT="unstable"
          else
@@ -105,7 +105,7 @@ jobs:
            RELEASE_SUFFIX=""
            TAG_NAME="${{ github.ref_name }}"
            # Extract version from tag (remove v prefix if present)
-            TAG_VERSION=$(echo "$TAG_NAME" | sed 's/^v//')
+            TAG_VERSION=$(echo "$TAG_NAME" | sed 's/^v//' | tr '-' '~')

            # Create spec file with tag version
            sed -e "s/^Version:.*$/Version:        $TAG_VERSION/" \
@@ -270,9 +270,13 @@ jobs:

          # Determine the group based on ref type and branch
          if [[ "${{ github.ref }}" == "refs/tags/"* ]]; then
-            GROUP="stable"
            # For tags, extract the tag name for version info
            TAG_NAME="${{ github.ref_name }}"
+            if [[ "$TAG_NAME" == *"-"* ]]; then
+              GROUP="unstable"
+            else
+              GROUP="stable"
+            fi
          elif [ "${{ github.ref_name }}" = "main" ]; then
            GROUP="dev"
          else
@@ -56,7 +56,7 @@ jobs:

      - name: Deploy to Cloudflare Pages (Production)
        if: github.ref == 'refs/heads/main' && vars.CLOUDFLARE_PROJECT_NAME != ''
-        uses: https://github.com/cloudflare/wrangler-action@9acf94ace14e7dc412b076f2c5c20b8ce93c79cd # v3
+        uses: https://github.com/cloudflare/wrangler-action@ebbaa1584979971c8614a24965b4405ff95890e0 # v4
        with:
          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
@@ -64,7 +64,7 @@ jobs:

      - name: Deploy to Cloudflare Pages (Preview)
        if: github.ref != 'refs/heads/main' && vars.CLOUDFLARE_PROJECT_NAME != ''
-        uses: https://github.com/cloudflare/wrangler-action@9acf94ace14e7dc412b076f2c5c20b8ce93c79cd # v3
+        uses: https://github.com/cloudflare/wrangler-action@ebbaa1584979971c8614a24965b4405ff95890e0 # v4
        with:
          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
@@ -121,7 +121,7 @@ jobs:
      - name: 🚀 Deploy to Cloudflare Pages
        if: vars.CLOUDFLARE_PROJECT_NAME != ''
        id: deploy
-        uses: https://github.com/cloudflare/wrangler-action@9acf94ace14e7dc412b076f2c5c20b8ce93c79cd # v3
+        uses: https://github.com/cloudflare/wrangler-action@ebbaa1584979971c8614a24965b4405ff95890e0 # v4
        with:
          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
@@ -55,7 +55,7 @@ jobs:
      #     repositories: continuwuity

      - name: Install regsync
-        uses: https://github.com/regclient/actions/regsync-installer@f3c6d87835906c175eb6ccfc18b348b69bb447e7 # main
+        uses: https://github.com/regclient/actions/regsync-installer@c70ad64367908075211b10dcd2ab9fad4bfa1816 # main

      - name: Check what images need mirroring
        run: |
@@ -53,7 +53,7 @@ jobs:
          persist-credentials: false

      - name: Check for file changes
-        uses: https://github.com/dorny/paths-filter@v4
+        uses: https://github.com/dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4
        id: filter
        with:
          filters: |
@@ -62,7 +62,7 @@ jobs:
          registry_password: ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}
      - name: Build and push Docker image by digest
        id: build
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
        with:
          context: .
          file: "docker/Dockerfile"
@@ -149,7 +149,7 @@ jobs:
          registry_password: ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}
      - name: Build and push max-perf Docker image by digest
        id: build
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
        with:
          context: .
          file: "docker/Dockerfile"
@@ -199,6 +199,28 @@ jobs:
          registry_user: ${{ vars.BUILTIN_REGISTRY_USER || github.actor }}
          registry_password: ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}

+  release-binaries:
+    name: "Release Binaries"
+    runs-on: ubuntu-latest
+    needs:
+      - build-release
+      - build-maxperf
+    permissions:
+      contents: write
+    if: startsWith(github.ref, 'refs/tags/')
+    steps:
+      - name: Download binary artifacts
+        uses: forgejo/download-artifact@v4
+        with:
+          pattern: conduwuit*
+          path: binaries
+          merge-multiple: true
+      - name: Create Release and Upload
+        uses: https://github.com/softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3
+        with:
+          draft: true
+          files: binaries/*
+
  mirror_images:
    name: "Mirror Images"
    runs-on: ubuntu-latest
@@ -43,7 +43,7 @@ jobs:
    name: Renovate
    runs-on: ubuntu-latest
    container:
-      image: ghcr.io/renovatebot/renovate:43.140.0@sha256:61303c28b10a491c559529fb6f41745850e4755a43a54c04c3ae6848d6eaf5cc
+      image: ghcr.io/renovatebot/renovate:43.195.3@sha256:868dffc3d6a46f42dfefe48b6978cc063d8df9c1d58a93a694c8989afa503e34
      options: --tmpfs /tmp:exec
    steps:
      - name: Checkout
@@ -24,7 +24,7 @@ repos:
        - id: check-added-large-files

  - repo: https://github.com/crate-ci/typos
-    rev: v1.45.1
+    rev: v1.46.2
    hooks:
      - id: typos
      - id: typos
@@ -1 +1 @@
-Contributors are expected to follow the [Continuwuity Community Guidelines](continuwuity.org/community/guidelines).
+Contributors are expected to follow the [Continuwuity Community Guidelines](https://continuwuity.org/community/guidelines).
@@ -137,9 +137,9 @@ The allowed types for commits are:

 Examples:
 ```
-feat: add user authentication
-fix(database): resolve connection pooling issue
-docs: update installation instructions
+feat: Add user authentication
+fix(database): Resolve connection pooling issue
+docs: Update installation instructions
 ```

 The project uses the `committed` hook to validate commit messages in pre-commit. This ensures all commits follow the conventional format.
@@ -12,7 +12,7 @@ license = "Apache-2.0"
 # See also `rust-toolchain.toml`
 readme = "README.md"
 repository = "https://forgejo.ellis.link/continuwuation/continuwuity"
-version = "0.5.8"
+version = "0.5.9"

 [workspace.metadata.crane]
 name = "conduwuit"
@@ -39,7 +39,10 @@ features = ["ffi", "std", "union"]
 version = "1.1.0"

 [workspace.dependencies.ctor]
-version = "0.10.0"
+version = "1.0.6"
+
+[workspace.dependencies.dtor]
+version = "1.0.0"

 [workspace.dependencies.cargo_toml]
 version = "0.22"
@@ -68,7 +71,7 @@ default-features = false
 version = "0.1.3"

 [workspace.dependencies.rand]
-version = "0.10.0"
+version = "0.10.1"

 # Used for the http request / response body type for Ruma endpoints used with reqwest
 [workspace.dependencies.bytes]
@@ -161,7 +164,7 @@ features = ["raw_value"]

 # Used for appservice registration files
 [workspace.dependencies.serde-saphyr]
-version = "0.0.24"
+version = "0.0.26"

 # Used to load forbidden room/user regex from config
 [workspace.dependencies.serde_regex]
@@ -177,7 +180,7 @@ version = "0.5.3"
 features = ["alloc", "rand"]
 default-features = false

-# Used to generate thumbnails for images & blurhashes
+# Used to generate thumbnails for images
 [workspace.dependencies.image]
 version = "0.25.5"
 default-features = false
@@ -188,14 +191,6 @@ features = [
    "webp",
 ]

-[workspace.dependencies.blurhash]
-version = "0.2.3"
-default-features = false
-features = [
-    "fast-linear-to-srgb",
-    "image",
-]
-
 # logging
 [workspace.dependencies.log]
 version = "0.4.27"
@@ -342,56 +337,54 @@ version = "0.1.88"
 [workspace.dependencies.lru-cache]
 version = "0.1.2"

+[workspace.dependencies.assign]
+version = "1.1.1"
+
 # Used for matrix spec type definitions and helpers
 [workspace.dependencies.ruma]
-git = "https://forgejo.ellis.link/continuwuation/ruwuma"
-#branch = "conduwuit-changes"
-rev = "d00b51a8669b21689c4eb47fb81f3a8b27c3e371"
+# version = "0.14.1"
+git = "https://github.com/ruma/ruma.git"
+rev = "9c9dccc93f054bbd28f23f630223fffa6289ecbc"
 features = [
-    "compat",
-    "rand",
    "appservice-api-c",
    "client-api",
    "federation-api",
-    "markdown",
    "push-gateway-api-c",
-    "unstable-exhaustive-types",
+    "state-res",
+    "rand",
+    "markdown",
    "ring-compat",
    "compat-upload-signatures",
-    "identifiers-validation",
-    "unstable-unspecified",
-    "unstable-msc2448",
+    "compat-optional-txn-pdus",
    "unstable-msc2666",
    "unstable-msc2867",
    "unstable-msc2870",
-    "unstable-msc3026",
    "unstable-msc3061",
    "unstable-msc3814",
    "unstable-msc3245",
-    "unstable-msc3266",
-    "unstable-msc3381", # polls
-    "unstable-msc3489", # beacon / live location
-    "unstable-msc3575",
-    "unstable-msc3930", # polls push rules
+    "unstable-msc3381",
+    "unstable-msc3489",
+    "unstable-msc3930",
    "unstable-msc4075",
    "unstable-msc4095",
    "unstable-msc4121",
    "unstable-msc4125",
-    "unstable-msc4155",
    "unstable-msc4186",
-    "unstable-msc4203", # sending to-device events to appservices
-    "unstable-msc4210", # remove legacy mentions
+    "unstable-msc4195",
+    "unstable-msc4203",
+    "unstable-msc4310",
+    "unstable-msc4373",
+    "unstable-msc4380",
+    "unstable-msc4143",
+    "unstable-msc4293",
+    "unstable-msc4406",
+    "unstable-msc4439",
    "unstable-extensible-events",
-    "unstable-pdu",
-    "unstable-msc4155",
-    "unstable-msc4143", # livekit well_known response
-    "unstable-msc4284",
-    "unstable-msc4439", # pgp_key in .well_known/matrix/support
 ]

 [workspace.dependencies.rust-rocksdb]
 git = "https://forgejo.ellis.link/continuwuation/rust-rocksdb-zaidoon1"
-rev = "31fb8f772c7afcdc0061ab6a40cfa3a1be2fccd9"
+rev = "0a25ff92f7c09b55eec496b9c192c7d5136ab2b8"
 default-features = false
 features = [
    "multi-threaded-cf",
@@ -411,27 +404,27 @@ default-features = false

 # optional opentelemetry, performance measurements, flamegraphs, etc for performance measurements and monitoring
 [workspace.dependencies.opentelemetry]
-version = "0.31.0"
+version = "0.32.0"

 [workspace.dependencies.tracing-flame]
 version = "0.2.0"

 [workspace.dependencies.tracing-opentelemetry]
-version = "0.32.0"
+version = "0.33.0"

 [workspace.dependencies.opentelemetry_sdk]
-version = "0.31.0"
+version = "0.32.0"
 features = ["rt-tokio"]

 [workspace.dependencies.opentelemetry-otlp]
-version = "0.31.0"
+version = "0.32.0"
 features = ["http", "grpc-tonic", "trace", "logs", "metrics"]



 # optional sentry metrics for crash/panic reporting
 [workspace.dependencies.sentry]
-version = "0.47.0"
+version = "0.48.0"
 default-features = false
 features = [
    "backtrace",
@@ -446,9 +439,9 @@ features = [
 ]

 [workspace.dependencies.sentry-tracing]
-version = "0.47.0"
+version = "0.48.0"
 [workspace.dependencies.sentry-tower]
-version = "0.47.0"
+version = "0.48.0"

 # jemalloc usage
 [workspace.dependencies.tikv-jemalloc-sys]
@@ -541,22 +534,17 @@ version = "2.1.1"
 features = ["std"]

 [workspace.dependencies.minicbor-serde]
-version = "0.6.0"
+version = "0.7.0"
 features = ["std"]

 [workspace.dependencies.maplit]
 version = "1.0.2"

-[workspace.dependencies.ldap3]
-version = "0.12.0"
-default-features = false
-features = ["sync", "tls-rustls", "rustls-provider"]
-
 [workspace.dependencies.yansi]
 version = "1.0.1"

 [workspace.dependencies.askama]
-version = "0.15.0"
+version = "0.16.0"

 [workspace.dependencies.lettre]
 version = "0.11.19"
@@ -658,6 +646,10 @@ default-features = false
 package = "conduwuit"
 path = "src/main"

+[workspace.dependencies.ruminuwuity]
+package = "ruminuwuity"
+path = "src/ruminuwuity"
+
 ###############################################################################
 #
 # Release profiles
@@ -0,0 +1 @@
+The invite recipient's membership event is now included in invite stripped state, which should fix flaky invite display in some clients. Contributed by @ginger
@@ -0,0 +1 @@
+Switched from Continuwuity's fork of Ruma back to upstream Ruma. Contributed by @ginger.
@@ -0,0 +1 @@
+Removed support for guest user registration, a little-used and deprecated approach to room previews.
@@ -0,0 +1 @@
+The deprecated `well_known.rtc_focus_server_urls` config option has been removed. MatrixRTC foci should be configured using the `matrix_rtc.foci` config option.
@@ -0,0 +1 @@
+The version of Debian that the Docker-based build process uses has been upgraded from Bookworm to Trixie, meaning that standalone binaries now have a minimum glibc of 2.41, and can no longer be used on distro versions from before 2025-01-30
@@ -0,0 +1 @@
+Support for server-side blurhashing (part of MSC2448) has been removed.
@@ -0,0 +1 @@
+Updated [MSC4284: Policy Servers](https://github.com/matrix-org/matrix-spec-proposals/pull/4284) implementation to support the newly stabilised proposal. Contributed by @nex.
@@ -0,0 +1 @@
+Add performance tuning documentation. Contributed by @stratself.
@@ -0,0 +1 @@
+Added config option for default room ACLs. Contributed by @eve.
@@ -0,0 +1 @@
+Removed support for LDAP.
@@ -0,0 +1 @@
+Clarified in the config that `max_request_size` affects federated media as well.
@@ -0,0 +1 @@
+Added support for fallback encryption keys.
@@ -0,0 +1 @@
+Fixed a bug that caused the server to drop events during processing if several events for the same room were sent in a singular transaction. Contributed by @nex.
@@ -0,0 +1 @@
+Add `!admin users reject-all-invites` to clean invite spam
@@ -0,0 +1 @@
+fix `!admin query account-data account-data-get` not returning the content
@@ -0,0 +1,9 @@
+Implemented event rejection, which should resolve and prevent future netsplits of the kinds observed
+within some Continuwuity rooms.
+Also resolved several bugs related to both soft-failing events, and event backfilling, which should
+improve state resolution stability.
+The `!admin debug get-pdu` command was updated to disambiguate event acceptance status, and
+`!admin debug show-auth-chain` was added to visually display event auth chains, which may assist
+developers in debugging strangely complex events.
+
+Contributed by @nex.
@@ -0,0 +1 @@
+Fixed an issue where Continuwuity would only advertise support for the unstable endpoint for Mutual Rooms (MSC2666), despite only supporting the stable endpoint. Contributed by @Henry-Hiles (QuadRadical)
@@ -0,0 +1 @@
+Fixed several bugs in the `POST /_matrix/client/v3/rooms/{roomId}/upgrade` endpoint. Contributed by @nex.
@@ -0,0 +1 @@
+Added full support for [MSC4168: Update `m.space.*` state on room upgrade](https://github.com/matrix-org/matrix-spec-proposals/pull/4168). Contributed by @nex.
@@ -0,0 +1,2 @@
+Improved the performance and reliability of fetching missing events, improving network partition recovery. Contributed
+by @nex.
@@ -7,7 +7,6 @@
 [global]
 address = "0.0.0.0"
 allow_device_name_federation = true
-allow_guest_registration = true
 allow_public_room_directory_over_federation = true
 allow_registration = true
 database_path = "/database"
@@ -32,7 +31,6 @@ rocksdb_log_level = "info"
 rocksdb_max_log_files = 1
 rocksdb_recovery_mode = 0
 rocksdb_paranoid_file_checks = true
-log_guest_registrations = false
 allow_legacy_media = true
 startup_netburst = true
 startup_netburst_keep = -1
@@ -291,12 +291,13 @@
 #ip_lookup_strategy = 5

 # Max request size for file uploads in bytes. Defaults to 20MB.
+# Also limits incoming federated media.
 #
 #max_request_size = 20971520

 # This item is undocumented. Please contribute documentation for it.
 #
-#max_fetch_prev_events = 192
+#max_fetch_prev_events = 256

 # How many incoming federation transactions the server is willing to be
 # processing at any given time before it becomes overloaded and starts
@@ -371,21 +372,18 @@
 #
 #federation_timeout = 60

-# MSC4284 Policy server request timeout (seconds). Generally policy
+# Policy server request timeout (seconds). Generally policy
 # servers should respond near instantly, however may slow down under
 # load. If a policy server doesn't respond in a short amount of time, the
 # room it is configured in may become unusable if this limit is set too
-# high. 10 seconds is a good default, however dropping this to 3-5 seconds
-# can be acceptable.
+# high. 30 seconds is a good default, however lower values may be
+# acceptable if temporary send failures are an okay trade-off.
 #
-# Please be aware that policy requests are *NOT* currently re-tried, so if
-# a spam check request fails, the event will be assumed to be not spam,
-# which in some cases may result in spam being sent to or received from
-# the room that would typically be prevented.
 #
 # About policy servers: https://matrix.org/blog/2025/04/introducing-policy-servers/
+# (Stabilized in Matrix v1.18)
 #
-#policy_server_request_timeout = 10
+#policy_server_request_timeout = 30

 # Federation client idle connection pool timeout (seconds).
 #
@@ -573,18 +571,6 @@
 #
 #allow_public_room_directory_over_federation = false

-# Allow guests/unauthenticated users to access TURN credentials.
-#
-# This is the equivalent of Synapse's `turn_allow_guests` config option.
-# This allows any unauthenticated user to call the endpoint
-# `/_matrix/client/v3/voip/turnServer`.
-#
-# It is unlikely you need to enable this as all major clients support
-# authentication for this endpoint and prevents misuse of your TURN server
-# from potential bots.
-#
-#turn_allow_guests = false
-
 # Set this to true to lock down your server's public room directory and
 # only allow admins to publish rooms to the room directory. Unpublishing
 # is still allowed by all users with this enabled.
@@ -635,6 +621,30 @@
 #
 #default_room_version = "12"

+# A default allow value for the Access Control List when creating a room.
+#
+# If a list is provided, new rooms will be created with
+# a m.room.server_acl event. Only servers which match one of the patterns
+# in the list will be permitted to participate in the room.
+#
+# ACLs in existing rooms will not be updated automatically. This is not
+# a substitute for moderation bots.
+#
+#default_room_acl_allow =
+
+# A default deny value for the Access Control List when creating a room.
+#
+# If a list is provided, new rooms will be created with
+# a m.room.server_acl event. Servers which match one of the patterns
+# in the list will be NOT permitted to participate in the room.
+#
+# This config cannot be used if the default_room_acl_allow config is used.
+#
+# ACLs in existing rooms will not be updated automatically. This is not
+# a substitute for moderation bots.
+#
+#default_room_acl_deny =
+
 # Enable OpenTelemetry OTLP tracing export. This replaces the deprecated
 # Jaeger exporter. Traces will be sent via OTLP to a collector (such as
 # Jaeger) that supports the OpenTelemetry Protocol.
@@ -1282,21 +1292,6 @@
 #
 #brotli_compression = false

-# Set to true to allow user type "guest" registrations. Some clients like
-# Element attempt to register guest users automatically.
-#
-#allow_guest_registration = false
-
-# Set to true to log guest registrations in the admin room. Note that
-# these may be noisy or unnecessary if you're a public homeserver.
-#
-#log_guest_registrations = false
-
-# Set to true to allow guest registrations/users to auto join any rooms
-# specified in `auto_join_rooms`.
-#
-#allow_guests_auto_join_rooms = false
-
 # Enable the legacy unauthenticated Matrix media repository endpoints.
 # These endpoints consist of:
 # - /_matrix/media/*/config
@@ -1596,19 +1591,6 @@
 #
 #block_non_admin_invites = false

-# Enable or disable making requests to MSC4284 Policy Servers.
-# It is recommended you keep this enabled unless you experience frequent
-# connectivity issues, such as in a restricted networking environment.
-#
-#enable_msc4284_policy_servers = true
-
-# Enable running locally generated events through configured MSC4284
-# policy servers. You may wish to disable this if your server is
-# single-user for a slight speed benefit in some rooms, but otherwise
-# should leave it enabled.
-#
-#policy_server_check_own_events = true
-
 # Allow admins to enter commands in rooms other than "#admins" (admin
 # room) by prefixing your message with "\!admin" or "\\!admin" followed up
 # a normal continuwuity admin command. The reply will be publicly visible
@@ -1875,6 +1857,11 @@
 #
 #support_page =

+# The ed25519 public key for the policy server available at this server's
+# name. Must be unpadded base64.
+#
+#policy_server_public_key =
+
 # Role string for server support contacts, to be served as part of the
 # MSC1929 server support endpoint at /.well-known/matrix/support.
 #
@@ -1900,34 +1887,6 @@
 #
 #support_pgp_key =

-# **DEPRECATED**: Use `[global.matrix_rtc].foci` instead.
-#
-# A list of MatrixRTC foci URLs which will be served as part of the
-# MSC4143 client endpoint at /.well-known/matrix/client.
-#
-# This option is deprecated and will be removed in a future release.
-# Please migrate to the new `[global.matrix_rtc]` config section.
-#
-#rtc_focus_server_urls = []
-
-[global.blurhashing]
-
-# blurhashing x component, 4 is recommended by https://blurha.sh/
-#
-#components_x = 4
-
-# blurhashing y component, 3 is recommended by https://blurha.sh/
-#
-#components_y = 3
-
-# Max raw size that the server will blurhash, this is the size of the
-# image after converting it to raw data, it should be higher than the
-# upload limit but not too high. The higher it is the higher the
-# potential load will be for clients requesting blurhashes. The default
-# is 33.55MB. Setting it to 0 disables blurhashing.
-#
-#blurhash_max_raw_size = 33554432
-
 [global.matrix_rtc]

 # A list of MatrixRTC foci (transports) which will be served via the
@@ -1945,102 +1904,6 @@
 #
 #foci = []

-[global.ldap]
-
-# Whether to enable LDAP login.
-#
-# example: "true"
-#
-#enable = false
-
-# Whether to force LDAP authentication or authorize classical password
-# login.
-#
-# example: "true"
-#
-#ldap_only = false
-
-# URI of the LDAP server.
-#
-# example: "ldap://ldap.example.com:389"
-#
-#uri = ""
-
-# StartTLS for LDAP connections.
-#
-#use_starttls = false
-
-# Skip TLS certificate verification, possibly dangerous.
-#
-#disable_tls_verification = false
-
-# Root of the searches.
-#
-# example: "ou=users,dc=example,dc=org"
-#
-#base_dn = ""
-
-# Bind DN if anonymous search is not enabled.
-#
-# You can use the variable `{username}` that will be replaced by the
-# entered username. In such case, the password used to bind will be the
-# one provided for the login and not the one given by
-# `bind_password_file`. Beware: automatically granting admin rights will
-# not work if you use this direct bind instead of a LDAP search.
-#
-# example: "cn=ldap-reader,dc=example,dc=org" or
-# "cn={username},ou=users,dc=example,dc=org"
-#
-#bind_dn = ""
-
-# Path to a file on the system that contains the password for the
-# `bind_dn`.
-#
-# The server must be able to access the file, and it must not be empty.
-#
-#bind_password_file = ""
-
-# Search filter to limit user searches.
-#
-# You can use the variable `{username}` that will be replaced by the
-# entered username for more complex filters.
-#
-# example: "(&(objectClass=person)(memberOf=matrix))"
-#
-#filter = "(objectClass=*)"
-
-# Attribute to use to uniquely identify the user.
-#
-# example: "uid" or "cn"
-#
-#uid_attribute = "uid"
-
-# Attribute containing the display name of the user.
-#
-# example: "givenName" or "sn"
-#
-#name_attribute = "givenName"
-
-# Root of the searches for admin users.
-#
-# Defaults to `base_dn` if empty.
-#
-# example: "ou=admins,dc=example,dc=org"
-#
-#admin_base_dn = ""
-
-# The LDAP search filter to find administrative users for continuwuity.
-#
-# If left blank, administrative state must be configured manually for each
-# user.
-#
-# You can use the variable `{username}` that will be replaced by the
-# entered username for more complex filters.
-#
-# example: "(objectClass=conduwuitAdmin)" or "(uid={username})"
-#
-#admin_filter = ""
-
 #[global.antispam]

 #[global.antispam.meowlnir]
@@ -2109,8 +1972,10 @@
 #
 #sender =

-# Whether to require that users provide an email address when they
-# register.
+# Whether to allow public registration with an email address.
+#
+# Note that, if this option is enabled, anyone will be able to register an
+# account with just an email address.
 #
 # If either this option or `require_email_for_token_registration` are set,
 # users will not be allowed to remove their email address.
@@ -2118,6 +1983,7 @@
 #require_email_for_registration = false

 # Whether to require that users who register with a registration token
-# provide an email address.
+# provide an email address. This option is independent of
+# `require_email_for_registration`.
 #
 #require_email_for_token_registration = false
@@ -1,5 +1,5 @@
 ARG RUST_VERSION=1
-ARG DEBIAN_VERSION=bookworm
+ARG DEBIAN_VERSION=trixie

 FROM --platform=$BUILDPLATFORM docker.io/tonistiigi/xx AS xx
 FROM --platform=$BUILDPLATFORM rust:${RUST_VERSION}-slim-${DEBIAN_VERSION} AS base
@@ -10,7 +10,7 @@ RUN rm -f /etc/apt/apt.conf.d/docker-clean

 # Match Rustc version as close as possible
 # rustc -vV
-ARG LLVM_VERSION=21
+ARG LLVM_VERSION=22
 # ENV RUSTUP_TOOLCHAIN=${RUST_VERSION}

 # Install repo tools
@@ -22,7 +22,7 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
    --mount=type=cache,target=/var/lib/apt,sharing=locked \
    apt-get update && apt-get install -y \
    pkg-config make jq \
-    wget curl git software-properties-common \
+    wget curl git lsb-release gpg \
    file
    # golang cmake

@@ -50,7 +50,7 @@ EOF

 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.18.1
+ENV BINSTALL_VERSION=1.19.1
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree
@@ -18,7 +18,7 @@ RUN --mount=type=cache,target=/etc/apk/cache apk add \

 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.18.1
+ENV BINSTALL_VERSION=1.19.1
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree
@@ -8,6 +8,11 @@
        "type": "file",
        "name": "dns",
        "label": "DNS tuning (recommended)"
+    },
+    {
+        "type": "file",
+        "name": "performance",
+        "label": "Performance tuning"
    }

 ]
@@ -156,9 +156,11 @@ Remember to set the `Access-Control-Allow-Origin: *` header in your `/.well-know

 ## Troubleshooting

-Check with the [Matrix Connectivity Tester][federation-tester] to see that it's working.
+Check that other servers can connect to you.
+Here are some tools that can help identify federation issues:

-[federation-tester]: https://federationtester.mtrnord.blog/
+- [Matrix Connectivity Tester](https://federationtester.mtrnord.blog/)
+- [Matrix Federation Tester](https://federationtester.matrix.org/)

 ### Cannot log in with web clients

@@ -74,13 +74,11 @@ Some values that are commonly tuned include:

 - Increase `discard-timeout` to something like `4800` to wait longer for upstream resolvers, as recursion can take a long time to respond to some domains. Continuwuity default to `dns_timeout = 10` seconds, so dropping requests early would lead to unnecessary retries and/or failures.

-### Using a forwarder (optional)
+### Recursion versus forwarding

-Unbound by default employs **recursive resolution** and contacts many servers around the world. If this is not performant enough, consider forwarding your queries to public resolvers to benefit from their CDNs and get faster responses.
+Unbound by default employs **recursive resolution** and contacts many servers around the world. While this allows updated and authoritative answers and are generally viable for most users, sometimes these recursive queries can be too slow to fully resolve. As an alternative, you can consider **forwarding** your queries to public resolvers, and benefit from faster responses from their CDNs.

-However, most popular upstreams (such as Google DNS or Quad9) employ IP ratelimiting, so a generous cache is still needed to avoid making too many queries.
-
-DNS-over-TLS forwarders may also be used should you need on-the-wire encryption, but TLS overhead causes some speed penalties.
+Do note that most popular upstreams (such as Google DNS or Quad9) employ IP ratelimiting, so a generous cache is still needed to avoid making too many queries.

 If you want to use forwarders, configure it as follows:

@@ -99,6 +97,8 @@ forward-zone:
    # forward-addr: 2606:4700:4700::1111@53

 # alternatively, use DNS-over-TLS for forwarders.
+# this will encrypt traffic between you and the forwarder,
+# but takes more time due to TLS overhead.
 # forward-zone:
    # name: "."
    # forward-tls-upstream: yes
@@ -133,9 +133,11 @@ However, `dnsmasq` does not support TCP fallback which can be problematic when r

 [arch-linux-dnsmasq]: https://wiki.archlinux.org/title/Dnsmasq

-### Technitium
+### Technitium DNS

-[Technitium][technitium] supports recursion as well as a myriad of forwarding protocols, allows saving cache to disk natively, and does work well with Continuwuity. Its default configurations however ratelimits single-IP requests by a lot, and hence must be changed. You may consult this [community guide][technitium-continuwuity] for more details on setting up a dedicated Technitium for Continuwuity.
+[Technitium DNS Server][technitium] supports recursion as well as a myriad of forwarding protocols, allows saving cache to disk natively, and does work well with Continuwuity. Its out-of-the-box configs however ratelimits single-IP requests by a lot, and hence must be changed.
+
+You may consult this [community guide][technitium-continuwuity] for more details on setting up and fine-tuning a dedicated Technitium instance for Continuwuity.

 [technitium]: https://github.com/TechnitiumSoftware/DnsServer
 [technitium-continuwuity]: https://muoi.me/~stratself/articles/technitium-continuwuity/
@@ -150,11 +152,13 @@ Note that it is expected that not all servers will be resolved, as some of them

 ## Further steps

- (Recommended) Set **`dns_cache_entries = 0`** inside Continuwuity and fully rely on the more performant external resolver.
+It is recommended to set **`dns_cache_entries = 0`** inside Continuwuity to fully rely on the external resolver. While Continuwuity does have an internal cache, it can run into reliability issues if you're federating with many domains.
+
+Additionally, you can also make the following improvements:

 - Consider employing **persistent cache to disk**, so your resolver can still run without hassle after a restart. Unbound, via [Cache DB module][unbound-cachedb], can use Redis as a storage backend for this feature.

- Consider [enabling **Serve Stale**][unbound-serve-stale] functionality to serve expired data beyond DNS TTLs. Since most Matrix homeservers have static IPs, this should help improve federation with them especially when upstream resolvers have timed out. For dnsproxy, this corresponds to its [optimistic caching options][dnsproxy-usage].
+- Consider [enabling **Serve Stale**][unbound-serve-stale] functionality to serve expired data beyond DNS TTLs. Since most Matrix homeservers have static IPs, this should still allow federating with them when upstream resolvers have timed out. For dnsproxy, this corresponds to its [optimistic caching options][dnsproxy-usage].

 - If you still experience DNS performance issues, another step could be to **disable DNSSEC** (which is computationally expensive) at a cost of slightly decreased security. On Unbound this is done by commenting out `trust-anchors` config options and removing the `validator` module.

@@ -0,0 +1,135 @@
+# Performance tuning
+
+Continuwuity's default configs are suited for many typical setups and scales appropriately with the size of your hardware. However, there are many scenarios where additional modifications can be made to better utilize your server resources.
+
+This page aims to outline various performance tweaks for Continuwuity and their effects. These adjustments are especially helpful for homeservers that join many large federated rooms or have many users, and it will become increasingly necessary as the Matrix network expands. As always, your mileage may vary according to your setup's specifics. If you have further discussions or recommendations, please share them in the community rooms.
+
+## DNS tuning (recommended)
+
+Please see the dedicated [DNS tuning guide](./dns.mdx).
+
+## Cache capacities
+
+If you have memory to spare, consider increasing the `cache_capacity_modifier` value to a larger number to allow more data to be stored in hot memory. This *significantly* speeds up many intensive operations (such as state resolutions) and decreases CPU usage and disk I/O. Start with a baseline of `cache_capacity_modifier = 2.0` and tune up until you are satisfied with RAM usage.
+
+On the other hand, if your system doesn't have a lot of RAM, consider decreasing the cache capacity modifier to something smaller than `1.0` to avoid low-memory issues (at the cost of higher load on disk/CPU). This recommendation also works if your system has abnormally little RAM compared to the number of CPU cores (for example, 2GB RAM for 12 cores), as cache capacities scale according to number of available cores.
+
+## Disabling some features
+
+You can disable outgoing **typing notifications** and **read markers** to reduce strain on the CPU and network when actively participating in rooms.
+
+```toml
+# disables sending read receipts
+allow_outgoing_read_receipts = false
+# disables sending typing notifications
+allow_outgoing_typing = false
+```
+
+Outgoing presence updates are also considered very expensive and have been disabled by default (`allow_outgoing_presence = false`). For more savings, you may wish to disable _all_ processing of presence entirely.
+
+```toml title=continuwuity.toml
+# disabling presence updates entirely
+allow_local_presence = false
+allow_incoming_presence = false
+allow_outgoing_presence = false
+```
+
+## Tuning database compression
+
+:::warning
+These steps SHOULD be done **before** starting Continuwuity for the first time. While switching database compression midway through is theoretically possible, this has not been tested extensively in the wild.
+:::
+
+### Changing the compression algorithm
+
+For reduced CPU usage at a tradeoff of increased storage space, consider deploying Continuwuity with the faster and less intensive `lz4` algorithm instead of `zstd` for rocksdb, and disable WAL compression entirely:
+
+```toml
+### in continuwuity.toml ###
+rocksdb_compression_algo = "lz4"
+rocksdb_wal_compression = "none"
+```
+
+This tweak can especially be helpful if you have an older or less performant CPU (e.g. a Raspberry Pi) and disk space to spare.
+
+### Increasing bottommost layer compression (`zstd` only)
+
+The bottommost layer of the database usually contains old and read-only data, so it is a suitable place for further compression. In Continuwuity, this is possible by setting `rocksdb_bottommost_compression = true` and tuning `rocksdb_bottommost_compression_level` to a more compact level than the default one used in `rocksdb_compression_level`. This tweak comes at a cost of increased CPU usage, but may prevent your database from growing too large in the long run.
+
+For those using `zstd` compression, the compression level ranges from 1 to 22. An example like this could apply:
+
+```toml
+### in continuwuity.toml ###
+rocksdb_compression_algo = "zstd"
+rocksdb_compression_level = 32767 # magic number, translates to level 3 on zstd
+rocksdb_bottommost_compression = true
+rocksdb_bottommost_compression_level = 9 # level 9 on zstd
+```
+
+For `lz4` users, the default level (`-1`) is already the most compact. You can only further decrease it to favor compression speed over ratio.
+
+Consult these documents for more information on compression tuning and levels:
+
+- [Rocksdb compression documentation][rocksdb-compression]
+- [Rocksdb default compression levels][rocksdb-compression-defaults]
+- [Zstd manual][zstd-manual]
+- [Lz4 manual][lz4-manual]
+
+[rocksdb-compression]: https://github.com/facebook/rocksdb/wiki/Compression
+[rocksdb-compression-defaults]: https://github.com/facebook/rocksdb/blob/main/include/rocksdb/options.h#L208-L217
+[zstd-manual]: https://facebook.github.io/zstd/zstd_manual.html
+[lz4-manual]: https://github.com/lz4/lz4/blob/release/doc/lz4_manual.html
+
+## Other tweaks
+
+### Using UNIX sockets
+
+If your homeserver and reverse proxy live on the same machine, you may wish to expose Continuwuity on a UNIX socket instead of a port. This removes TCP overhead between the two programs.
+
+<details>
+
+<summary>Example config with Caddy</summary>
+
+```toml
+### in continuwuity.toml ###
+
+# `address` and `port` has to be commented out first
+#address = ["127.0.0.1", "::1"]
+#port = 8008
+unix_socket_path = "/run/continuwuity/continuwuity.sock"
+```
+
+```
+### in your Caddyfile ###
+https://matrix.example.com {
+    reverse_proxy unix//run/continuwuity/continuwuity.sock
+
+    # alternatively, use the http2-plaintext protocol
+    # reverse_proxy unix+h2c//run/continuwuity/continuwuity.sock
+}
+```
+
+</details>
+
+### Tuning your trusted servers
+
+:::info Vet your trusted servers!
+Trusted servers are your first point of contact when obtaining public keys from other servers, and they could theoretically impersonate other servers and cause significant harm to your deployment. Please thoroughly verify your trusted servers' credibility before adding them to your configuration.
+:::
+
+Trusted servers are queried sequentially in the order they are listed. If you have multiple trusted servers configured, put the faster ones first:
+
+```toml
+# Example config, using maintainers' recommended homeservers
+trusted_servers = ["codestorm.net","starstruck.systems","unredacted.org","matrix.org"]
+```
+
+Avoid prioritising `matrix.org` as your primary trusted server, as it tends to be quite slow.
+
+Some users have also reported that increasing `trusted_server_batch_size` has helped with faster joins for huge rooms. Start with doubling the default to `2048` until you find a suitable value.
+
+### Enable HTTP/3 on your reverse proxy
+
+Consider enabling the newer **HTTP/3** protocol for inbound connections to Continuwuity. In Caddy HTTP/3 is allowed by default, but you must expose port :443/**udp** on your firewall.
+
+HTTP/3 can vastly improve Client-Server connections especially on unstable networks, as it reduces packet losses and latency from TCP head-of-line blocking, includes workarounds for network switching, and reduces connection establishment handshakes. Continuwuity also includes experimental _outbound_ HTTP/3 support in its Docker images, so connections between Continuwuity servers can benefit from this too.
@@ -25,9 +25,9 @@ You must generate a key and secret to allow the Matrix service to authenticate w
 :::tip Generating the secrets
 LiveKit provides a utility to generate secure random keys
 ```bash
-~$ docker run --rm livekit/livekit-server:latest generate-keys
-API Key:  APIUxUnMnSkuFWV
-API Secret:  t93ZVjPeoEdyx7Wbet3kG4L3NGZIZVEFvqe0UuiVc22A
+docker run --rm livekit/livekit-server:latest generate-keys
+# API Key:  APIUxUnMnSkuFWV
+# API Secret:  t93ZVjPeoEdyx7Wbet3kG4L3NGZIZVEFvqe0UuiVc22A
 ```
 :::

@@ -262,14 +262,14 @@ Restart LiveKit and coturn to apply these changes.

 ## Testing

-To test that LiveKit is successfully integrated with Continuwuity, you will need to replicate its [Token Exchange Flow](https://github.com/element-hq/lk-jwt-service#%EF%B8%8F-how-it-works--token-exchange-flow).
+To test that LiveKit is successfully integrated with Continuwuity, you will need to replicate its [Token Exchange Flow](https://github.com/element-hq/lk-jwt-service#%EF%B8%8F-how-it-works--token-exchange-flow). Follow the steps below while checking Docker logs (`docker-compose logs --follow`), in order to help [troubleshooting](#troubleshooting) any issues.

 First, you will need an access token for your current login session. These can be found in your client's settings or obtained via [this website](https://timedout.uk/mxtoken.html).

-Then, using that token, fetch the discovery endpoints for MatrixRTC services
+Then, using that token, fetch the discovery endpoints for MatrixRTC services:

 ```bash
-curl -X POST -H "Authorization: Bearer <session-access-token>" \
+curl -H "Authorization: Bearer <session-access-token>" \
  https://matrix.example.com/_matrix/client/unstable/org.matrix.msc4143/rtc/transports
 ```

@@ -318,7 +318,7 @@ Replace `matrix_server_name` and `claimed_user_id` with your information, and `<
 You can then send this payload to the lk-jwt-service:

 ```bash
-~$ curl -X POST -d @payload.json https://livekit.example.com/get_token
+curl -X POST -d @payload.json https://livekit.example.com/get_token
 ```

 The lk-jwt-service will, after checking against Continuwuity, answer with a `jwt` token to create a LiveKit media room:
@@ -331,22 +331,31 @@ Use this token to test at the [LiveKit Connection Tester](https://livekit.io/con

 ## Troubleshooting

-To debug any issues, you can place a call or redo the Testing instructions, and check the container logs for any specific errors. Use `docker-compose logs --follow` to follow them in real-time.
+To debug any issues, you can place a call or redo the Testing instructions, and check the container logs for any specific errors. Use `docker-compose logs --follow` to follow these logs in real-time.

 ### Common errors in Element Call UI

 - `MISSING_MATRIX_RTC_FOCUS`: LiveKit is missing from Continuwuity's config file
 - "Waiting for media" popup always showing: a LiveKit URL has been configured in Continuwuity, but your client cannot connect to it for some reason

+For browser-based clients, you can also inspect connections using DevTools' Networking tab, to see which requests are erroring out.
+
 ### Docker loopback networking issues

 Some distros do not allow Docker containers to connect to its host's public IP by default. This would cause `lk-jwt-service` to fail connecting to `livekit` or `continuwuity` on the same host. As a result, you would see connection refused/connection timeouts log entries in the JWT service, even when `LIVEKIT_URL` has been configured correctly.

+You can also test that this is the case by cURLing from a sidecar container:
+
+```bash
+docker run --rm --net container:lk-jwt-service docker.io/curlimages/curl https://livekit.example.com
+# --- some errors ---
+```
+
 To alleviate this, you can try one of the following workarounds:

 - Use `network_mode: host` for the `lk-jwt-service` container (instead of the default bridge networking).

- Add an `extra_hosts` file mapping livekit's (and continuwuity's) domain name to a localhost address:
+- Add an `extra_hosts` file mapping livekit's (and continuwuity's) domain name to a locally-reachable address:

    ```diff
    # in docker-compose.yaml
@@ -360,12 +369,7 @@ To alleviate this, you can try one of the following workarounds:

 - (**untested, use at your own risk**) Implement an iptables workaround as shown [here](https://forums.docker.com/t/unable-to-connect-to-host-service-from-inside-docker-container/145749/6).

-After implementing the changes and restarting your compose, you can test whether the connection works by cURLing from a sidecar container:
-
-```bash
-~$ docker run --rm --net container:lk-jwt-service docker.io/curlimages/curl https://livekit.example.com
-OK
-```
+After implementing the changes and restarting your compose, `lk-jwt-service` should now connect to your other services. The sidecar container test above should now return an `OK` from LiveKit.

 ### Workaround for non-federating servers

@@ -185,13 +185,15 @@ See the [generic deployment guide](generic.mdx) for more deployment options.

 Test that your setup works by following these [instructions](./generic.mdx#how-do-i-know-it-works)

+Check your container logs using `docker-compose logs --follow` to debug any issues. See the [Troubleshooting](../troubleshooting.mdx) page for common errors and how to fix them.
+
 ## Other deployment methods

 ### Docker - Quick Run

-:::note For testing only
-The instructions below are only meant for a quick demo of Continuwuity.
-For production deployment, we recommend using [Docker Compose](#docker-compose)
+:::warning For testing only
+The instructions below are only meant for a quick demo of Continuwuity with **federation disabled**.
+For production deployment, we recommend using [Docker Compose](#docker-compose).
 :::

 Get a working Continuwuity server with an admin user in four steps:
@@ -211,7 +213,7 @@ Get a working Continuwuity server with an admin user in four steps:
      -e CONTINUWUITY_SERVER_NAME="example.com" \
      -e CONTINUWUITY_DATABASE_PATH="/var/lib/continuwuity" \
      -e CONTINUWUITY_ADDRESS="0.0.0.0" \
-      -e CONTINUWUITY_ALLOW_REGISTRATION="false" \
+      -e CONTINUWUITY_ALLOW_FEDERATION="false" \
      --name continuwuity \
      forgejo.ellis.link/continuwuation/continuwuity:latest \
      /sbin/conduwuit
@@ -233,9 +235,9 @@ Get a working Continuwuity server with an admin user in four steps:
    Pick your own username and password!
    ```

-4. Configure your reverse proxy to forward HTTPS traffic to Continuwuity at port 8008. See [Docker Compose](#docker-compose) for examples.
+4. Configure your reverse proxy to forward HTTPS traffic to Continuwuity at port 8008. See [Docker Compose](#docker-compose) or the [Generic instructions](./generic.mdx#setting-up-the-reverse-proxy) for examples.

-Once configured, log in to your server with any Matrix client, and register for an account with the registration token from step 3. You'll automatically be invited to the admin room where you can [manage your server](../reference/admin).
+Once configured, log in to your server with any Matrix client, and register for an account with the registration token from step 3. If you did not configure step 4., log in via the `http://<your_server_ip>:8008` address. You will be automatically invited to the admin room where you can [manage your server](../reference/admin).

 ### (Optional) Building Custom Images

@@ -269,4 +271,5 @@ Note that using `CTRL+c` within `docker attach`'s context will forward the signa

 - For smooth federation, set up a caching resolver according to the [**DNS tuning guide**](../advanced/dns.mdx) (recommended)
 - To set up Audio/Video communication, see the [**Calls**](../calls.mdx) page.
+- Consult the [Maintenance](../maintenance.mdx) page for guidance on maintaining your homeserver.
 - If you want to set up an appservice, take a look at the [**Appservice Guide**](../appservices.mdx).
@@ -260,7 +260,7 @@ Pick your own username and password!
 ```

 You can then open [a Matrix client][matrix-clients],
-enter your homeserver address, and try to register with the provided token.
+enter your homeserver address, and register with the provided token.
 By default, the first user is the instance's first admin. They will be added
 to the `#admin:example.com` room and be able to [issue admin commands](../reference/admin/index.md).

@@ -268,9 +268,13 @@ to the `#admin:example.com` room and be able to [issue admin commands](../refere

 ## How do I know it works?

-To check if your server can communicate with other homeservers, use the
-[Matrix Federation Tester](https://federationtester.mtrnord.blog/). If you can
-register your account but cannot join federated rooms, check your configuration
+To check if your server can communicate with other homeservers,
+use an external testing tool:
+
+- [Matrix Connectivity Tester](https://federationtester.mtrnord.blog/)
+- [Matrix Federation Tester](https://federationtester.matrix.org/)
+
+If you can register your account but cannot join federated rooms, check your configuration
 and verify that your federation endpoints are opened and forwarded correctly.

 As a quick health check, you can also use these cURL commands:
@@ -292,4 +296,5 @@ curl https://example.com/_matrix/client/versions

 - For smooth federation, set up a caching resolver according to the [**DNS tuning guide**](../advanced/dns.mdx) (recommended)
 - For Audio/Video call functionality see the [**Calls**](../calls.md) page.
+- Consult the [Maintenance](../maintenance.mdx) page for guidance on maintaining your homeserver.
 - If you want to set up an appservice, take a look at the [**Appservice Guide**](../appservices.md).
@@ -81,8 +81,6 @@ changes.
 All forked dependencies are maintained under the
 [continuwuation organization on Forgejo](https://forgejo.ellis.link/continuwuation):

- [ruwuma][continuwuation-ruwuma] - Fork of [ruma/ruma][ruma] with various
-  performance improvements, more features and better client/server interop
 - [rocksdb][continuwuation-rocksdb] - Fork of [facebook/rocksdb][rocksdb] via
  [`@zaidoon1`][8] with liburing build fixes and GCC debug build fixes
 - [jemallocator][continuwuation-jemallocator] - Fork of
@@ -6,10 +6,10 @@
            "message": "Welcome to Continuwuity! Important announcements about the project will appear here."
        },
        {
-            "id": 11,
-            "mention_room": false,
-            "date": "2026-04-17",
-            "message": "[v0.5.7](https://forgejo.ellis.link/continuwuation/continuwuity/releases/tag/v0.5.7) is out! Email verification! Terms and Conditions! Deleting notification pushers! So much good stuff. Go grab the release and read the changelog!"
+            "id": 13,
+            "mention_room": true,
+            "date": "2026-05-08",
+            "message": "[v0.5.9](https://forgejo.ellis.link/continuwuation/continuwuity/releases/tag/v0.5.9) has been released, fixing a few low-severity federation-related vulnerabilities. It is recommended you read the changelog and update as soon as possible. There are no new features or other changes in this release, only related bugfixes. Deployments tracking the main branch should also update to the latest commit."
        }
    ]
 }
@@ -7,7 +7,7 @@ Admin commands allow server administrators to manage the server from within thei

 * All commands listed here may be used by server administrators in the admin room by sending them as messages.
 * If the `admin_escape_commands` configuration option is enabled, server administrators may run certain commands in public rooms by prefixing them with a single backslash. These commands will only run on _their_ homeserver, even if they are a member of another homeserver's admin room. Some sensitive commands cannot be used outside the admin room and will return an error.
-* All commands listed here may be used in the server's console, if it is enabled. Commands entered in the console do not require the `!admin` prefix. If Continuwuity is deployed via Docker, be sure to set the appropriate options detailed in [the Docker deployment guide](../../deploying/docker.mdx#accessing-the-servers-console) to enable access to the server's console.
+* All commands listed here may be used in the server's console, if it is enabled. Commands entered in the console do not require the `!admin` prefix.

 ## Categories

@@ -146,7 +146,7 @@ cargo clippy \
    --locked \
    --profile test \
    --no-default-features \
-    --features=console,systemd,element_hacks,direct_tls,perf_measurements,brotli_compression,blurhashing \
+    --features=console,systemd,element_hacks,direct_tls,perf_measurements,brotli_compression \
    --color=always \
    -- \
    -D warnings
@@ -3,11 +3,11 @@
    "advisory-db": {
      "flake": false,
      "locked": {
-        "lastModified": 1775907537,
-        "narHash": "sha256-vbeLNgmsx1Z6TwnlDV0dKyeBCcon3UpkV9yLr/yc6HM=",
+        "lastModified": 1779575509,
+        "narHash": "sha256-wXKYURZz76ZC5lbuDA1oVQA/MxSB3pSJ1raF1HG0oIc=",
        "owner": "rustsec",
        "repo": "advisory-db",
-        "rev": "d99f7b9eb81731bddebf80a355f8be7b2f8b1b28",
+        "rev": "831c50f4a4304068f125e603add6a8839f08b3eb",
        "type": "github"
      },
      "original": {
@@ -18,11 +18,11 @@
    },
    "crane": {
      "locked": {
-        "lastModified": 1775839657,
-        "narHash": "sha256-SPm9ck7jh3Un9nwPuMGbRU04UroFmOHjLP56T10MOeM=",
+        "lastModified": 1779130139,
+        "narHash": "sha256-BLrtr42azquO7MdGFU5a7KiMl3YpFlTeIXqy1fT5GlQ=",
        "owner": "ipetkov",
        "repo": "crane",
-        "rev": "7cf72d978629469c4bd4206b95c402514c1f6000",
+        "rev": "edb38893982a3338972bb4a2ec7ce7c29ba10fd9",
        "type": "github"
      },
      "original": {
@@ -39,11 +39,11 @@
        "rust-analyzer-src": "rust-analyzer-src"
      },
      "locked": {
-        "lastModified": 1775891769,
-        "narHash": "sha256-EOfVlTKw2n8w1uhfh46GS4hEGnQ7oWrIWQfIY6utIkI=",
+        "lastModified": 1779612045,
+        "narHash": "sha256-+7lfNVnmXJDkiRYHd5NoNwYoyUcc0LcXPaIJqjO7VWM=",
        "owner": "nix-community",
        "repo": "fenix",
-        "rev": "6fbc54dde15aee725bdc7aae5e478849685d5f56",
+        "rev": "d7be747f0a65af378de515fc3cee131bf99a008f",
        "type": "github"
      },
      "original": {
@@ -74,11 +74,11 @@
        "nixpkgs-lib": "nixpkgs-lib"
      },
      "locked": {
-        "lastModified": 1775087534,
-        "narHash": "sha256-91qqW8lhL7TLwgQWijoGBbiD4t7/q75KTi8NxjVmSmA=",
+        "lastModified": 1778716662,
+        "narHash": "sha256-m1Yf0wZ8j1OHjTc2UwHwyQRSnNeSgLJOd7q5Y45hzi4=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "3107b77cd68437b9a76194f0f7f9c55f2329ca5b",
+        "rev": "f7c1a2d347e4c52d5fb8d10cb4d94b5884e546fb",
        "type": "github"
      },
      "original": {
@@ -89,11 +89,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1775710090,
-        "narHash": "sha256-ar3rofg+awPB8QXDaFJhJ2jJhu+KqN/PRCXeyuXR76E=",
+        "lastModified": 1779508470,
+        "narHash": "sha256-Ap9KJX+5xHIn3bPIpfNgT6MEXdAECECwo4/rmlQD74M=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "4c1018dae018162ec878d42fec712642d214fdfa",
+        "rev": "29916453413845e54a65b8a1cf996842300cd299",
        "type": "github"
      },
      "original": {
@@ -105,11 +105,11 @@
    },
    "nixpkgs-lib": {
      "locked": {
-        "lastModified": 1774748309,
-        "narHash": "sha256-+U7gF3qxzwD5TZuANzZPeJTZRHS29OFQgkQ2kiTJBIQ=",
+        "lastModified": 1777168982,
+        "narHash": "sha256-GOkGPcboWE9BmGCRMLX3worL4EMnsnG8MyKmXNeYuhQ=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
-        "rev": "333c4e0545a6da976206c74db8773a1645b5870a",
+        "rev": "f5901329dade4a6ea039af1433fb087bd9c1fe14",
        "type": "github"
      },
      "original": {
@@ -132,11 +132,11 @@
    "rust-analyzer-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1775843361,
-        "narHash": "sha256-j53ZgyDvmYf3Sjh1IPvvTjqa614qUfVQSzj59+MpzkY=",
+        "lastModified": 1779569060,
+        "narHash": "sha256-NSnk5D+3KEfRdbgPijs33N2RAKSG6A74SwfnynLcouo=",
        "owner": "rust-lang",
        "repo": "rust-analyzer",
-        "rev": "9eb97ea96d8400e8957ddd56702e962614296583",
+        "rev": "987ea33645ab1c709b1df6823038abcb2fe8973e",
        "type": "github"
      },
      "original": {
@@ -5,11 +5,11 @@
  liburing,
  craneLib,
  pkg-config,
-  callPackage,
  rustPlatform,
  cargoExtraArgs ? "",
  rustflags ? "",
-  rocksdb ? callPackage ./rocksdb.nix { },
+  target_cpu ? null,
+  rocksdb,
  profile ? "release",
 }:
 let
@@ -39,7 +39,10 @@ let
      ROCKSDB_LIB_DIR = "${rocksdb}/lib";
      CARGO_PROFILE = profile;
      RUSTFLAGS = rustflags;
-    };
+    }
+    // (lib.optionalAttrs (target_cpu != null) {
+      TARGET_CPU = target_cpu;
+    });
  };
 in
 craneLib.buildPackage (
@@ -56,7 +59,7 @@ craneLib.buildPackage (
        ]
      }"

-      patchelf  --set-rpath "$old_rpath:$extra_rpath" $out/bin/conduwuit
+      patchelf --set-rpath "$old_rpath:$extra_rpath" $out/bin/conduwuit
    '';

    meta = {
@@ -15,6 +15,7 @@
        rocksdb = pkgs.callPackage ./rocksdb.nix { };
        default = pkgs.callPackage ./continuwuity.nix {
          inherit self craneLib;
+          inherit (self'.packages) rocksdb;
          # extra features via `cargoExtraArgs`
          cargoExtraArgs = "-F http3";
          # extra RUSTFLAGS via `rustflags`
@@ -22,11 +23,13 @@
          rustflags = "--cfg reqwest_unstable";
        };
        # users may also override this with other cargo profiles to build for other feature sets
-        #
-        # other examples include:
-        #
-        # - release-high-perf
-        max-perf = self'.packages.default.override {
+        # for features configuration see `default` package which enables http3 by default
+
+        # example: different compilation profile and different target_cpu
+        max-perf-haswell = self'.packages.default.override {
+          # compiles explicitly for haswell arch cpus
+          target_cpu = "haswell";
+          # compiles slower but with more thorough optimizations
          profile = "release-max-perf";
        };
      };
@@ -1,5 +1,7 @@
 {
-  stdenv,
+  # stdenv,
+  # enableJemalloc ? stdenv.hostPlatform.isLinux,
+  enableJemalloc ? false,
  rocksdb,
  fetchFromGitea,
  rust-jemalloc-sys-unprefixed,
@@ -13,16 +15,16 @@
  #
  # [1]: https://github.com/tikv/jemallocator/blob/ab0676d77e81268cd09b059260c75b38dbef2d51/jemalloc-sys/src/env.rs#L17
  jemalloc = rust-jemalloc-sys-unprefixed;
-  enableJemalloc = stdenv.hostPlatform.isLinux;
+  inherit enableJemalloc;
 }).overrideAttrs
  ({
-    version = "continuwuity-v0.5.0-unstable-2026-03-27";
+    version = "continuwuity-v0.5.0-unstable-2026-05-19";
    src = fetchFromGitea {
      domain = "forgejo.ellis.link";
      owner = "continuwuation";
      repo = "rocksdb";
-      rev = "463f47afceebfe088f6922420265546bd237f249";
-      hash = "sha256-1ef75IDMs5Hba4VWEyXPJb02JyShy5k4gJfzGDhopRk=";
+      rev = "3756b2b905e13216d8b56bcc783d814e7b073aff";
+      hash = "sha256-rSv4fr2bf9JJwdodgeuPCuceeh7k97KVxrAOC0wyPQY=";
    };

    # We have this already at https://forgejo.ellis.link/continuwuation/rocksdb/commit/a935c0273e1ba44eacf88ce3685a9b9831486155
@@ -16,7 +16,7 @@
            file = inputs.self + "/rust-toolchain.toml";

            # See also `rust-toolchain.toml`
-            sha256 = "sha256-sqSWJDUxc+zaz1nBWMAJKTAGBuGWP25GCftIOlCEAtA=";
+            sha256 = "sha256-gh/xTkxKHL4eiRXzWv8KP7vfjSk61Iq48x47BEDFgfk=";
          };
        in
        {
@@ -16,26 +16,24 @@
      }
    },
    "node_modules/@emnapi/core": {
-      "version": "1.9.2",
-      "resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.9.2.tgz",
-      "integrity": "sha512-UC+ZhH3XtczQYfOlu3lNEkdW/p4dsJ1r/bP7H8+rhao3TTTMO1ATq/4DdIi23XuGoFY+Cz0JmCbdVl0hz9jZcA==",
+      "version": "1.10.0",
+      "resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.10.0.tgz",
+      "integrity": "sha512-yq6OkJ4p82CAfPl0u9mQebQHKPJkY7WrIuk205cTYnYe+k2Z8YBh11FrbRG/H6ihirqcacOgl2BIO8oyMQLeXw==",
      "dev": true,
      "license": "MIT",
      "optional": true,
-      "peer": true,
      "dependencies": {
        "@emnapi/wasi-threads": "1.2.1",
        "tslib": "^2.4.0"
      }
    },
    "node_modules/@emnapi/runtime": {
-      "version": "1.9.2",
-      "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.9.2.tgz",
-      "integrity": "sha512-3U4+MIWHImeyu1wnmVygh5WlgfYDtyf0k8AbLhMFxOipihf6nrWC4syIm/SwEeec0mNSafiiNnMJwbza/Is6Lw==",
+      "version": "1.10.0",
+      "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.10.0.tgz",
+      "integrity": "sha512-ewvYlk86xUoGI0zQRNq/mC+16R1QeDlKQy21Ki3oSYXNgLb45GV1P6A0M+/s6nyCuNDqe5VpaY84BzXGwVbwFA==",
      "dev": true,
      "license": "MIT",
      "optional": true,
-      "peer": true,
      "dependencies": {
        "tslib": "^2.4.0"
      }
@@ -47,7 +45,6 @@
      "dev": true,
      "license": "MIT",
      "optional": true,
-      "peer": true,
      "dependencies": {
        "tslib": "^2.4.0"
      }
@@ -109,9 +106,9 @@
      }
    },
    "node_modules/@napi-rs/wasm-runtime": {
-      "version": "1.1.2",
-      "resolved": "https://registry.npmjs.org/@napi-rs/wasm-runtime/-/wasm-runtime-1.1.2.tgz",
-      "integrity": "sha512-sNXv5oLJ7ob93xkZ1XnxisYhGYXfaG9f65/ZgYuAu3qt7b3NadcOEhLvx28hv31PgX8SZJRYrAIPQilQmFpLVw==",
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/@napi-rs/wasm-runtime/-/wasm-runtime-1.1.4.tgz",
+      "integrity": "sha512-3NQNNgA1YSlJb/kMH1ildASP9HW7/7kYnRI2szWJaofaS1hWmbGI4H+d3+22aGzXXN9IJ+n+GiFVcGipJP18ow==",
      "dev": true,
      "license": "MIT",
      "optional": true,
@@ -128,13 +125,13 @@
      }
    },
    "node_modules/@rsbuild/core": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rsbuild/core/-/core-2.0.0-rc.1.tgz",
-      "integrity": "sha512-eqxtRlQiFSm/ibCNGiPj8ozsGSNK91NY+GksmPuTCPmWQExGtPqM1V+s13UYeWZS6fYbMRs7NlQKD896e0QkKA==",
+      "version": "2.0.7",
+      "resolved": "https://registry.npmjs.org/@rsbuild/core/-/core-2.0.7.tgz",
+      "integrity": "sha512-LsBONEzsjzOAqO72ot39eI7g53zSfF9QuDXTu4ks8IUX+EZsxRSniQfc+1zVA6a6y3b9KUUtG96avoMLKbWklQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@rspack/core": "2.0.0-rc.1",
+        "@rspack/core": "~2.0.4",
        "@swc/helpers": "^0.5.21"
      },
      "bin": {
@@ -153,17 +150,17 @@
      }
    },
    "node_modules/@rsbuild/plugin-react": {
-      "version": "1.4.6",
-      "resolved": "https://registry.npmjs.org/@rsbuild/plugin-react/-/plugin-react-1.4.6.tgz",
-      "integrity": "sha512-LAT6xHlEyZKA0VjF/ph5d50iyG+WSmBx+7g98HNZUwb94VeeTMZFB8qVptTkbIRMss3BNKOXmHOu71Lhsh9oEw==",
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/@rsbuild/plugin-react/-/plugin-react-2.0.0.tgz",
+      "integrity": "sha512-/1gzt39EGUSFEqB83g46QoOwsgv172HI18i6au1b6lgIaX4sv9stuX4ijdHbHCp8PqYEq+MyQ99jIQMO6I+etg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@rspack/plugin-react-refresh": "^1.6.1",
+        "@rspack/plugin-react-refresh": "2.0.0",
        "react-refresh": "^0.18.0"
      },
      "peerDependencies": {
-        "@rsbuild/core": "^1.0.0 || ^2.0.0-0"
+        "@rsbuild/core": "^2.0.0-0"
      },
      "peerDependenciesMeta": {
        "@rsbuild/core": {
@@ -172,28 +169,28 @@
      }
    },
    "node_modules/@rspack/binding": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding/-/binding-2.0.0-rc.1.tgz",
-      "integrity": "sha512-rhJqtbyiRPOjTAZW0xTZFbOrS5yP5yL1SF0DPE9kvFfzePz30IqjMDMxL0KuhkDZd/M1eUINJyoqd8NTbR9wHw==",
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/@rspack/binding/-/binding-2.0.4.tgz",
+      "integrity": "sha512-/QeJDPUw/lWkBJESG264KA9u6/rAjvoJhKncU4rkTi5Ap45kue5HTgOzr0ufxKdd2Xl72fjFBuqlKmtFDD5LiQ==",
      "dev": true,
      "license": "MIT",
      "optionalDependencies": {
-        "@rspack/binding-darwin-arm64": "2.0.0-rc.1",
-        "@rspack/binding-darwin-x64": "2.0.0-rc.1",
-        "@rspack/binding-linux-arm64-gnu": "2.0.0-rc.1",
-        "@rspack/binding-linux-arm64-musl": "2.0.0-rc.1",
-        "@rspack/binding-linux-x64-gnu": "2.0.0-rc.1",
-        "@rspack/binding-linux-x64-musl": "2.0.0-rc.1",
-        "@rspack/binding-wasm32-wasi": "2.0.0-rc.1",
-        "@rspack/binding-win32-arm64-msvc": "2.0.0-rc.1",
-        "@rspack/binding-win32-ia32-msvc": "2.0.0-rc.1",
-        "@rspack/binding-win32-x64-msvc": "2.0.0-rc.1"
+        "@rspack/binding-darwin-arm64": "2.0.4",
+        "@rspack/binding-darwin-x64": "2.0.4",
+        "@rspack/binding-linux-arm64-gnu": "2.0.4",
+        "@rspack/binding-linux-arm64-musl": "2.0.4",
+        "@rspack/binding-linux-x64-gnu": "2.0.4",
+        "@rspack/binding-linux-x64-musl": "2.0.4",
+        "@rspack/binding-wasm32-wasi": "2.0.4",
+        "@rspack/binding-win32-arm64-msvc": "2.0.4",
+        "@rspack/binding-win32-ia32-msvc": "2.0.4",
+        "@rspack/binding-win32-x64-msvc": "2.0.4"
      }
    },
    "node_modules/@rspack/binding-darwin-arm64": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-darwin-arm64/-/binding-darwin-arm64-2.0.0-rc.1.tgz",
-      "integrity": "sha512-fYbeDDDg6QKZzXYt/J0/j0Qhr01wQLuISUsYnNhu5MLwdXVUSVcqz+CTqgF3d0EQVVn6FqLV63lbNRzUGfSq9g==",
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-darwin-arm64/-/binding-darwin-arm64-2.0.4.tgz",
+      "integrity": "sha512-0Q1QXFEsZfDc4opiDnb8q50KlBbC2VovViDaYlMJZBzvjAo325mh3itXPfz7YZ31M+TxRE7TUiJXH3ltiV1Hdg==",
      "cpu": [
        "arm64"
      ],
@@ -205,9 +202,9 @@
      ]
    },
    "node_modules/@rspack/binding-darwin-x64": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-darwin-x64/-/binding-darwin-x64-2.0.0-rc.1.tgz",
-      "integrity": "sha512-MvXi9kr8xXn1y0PD1WI/4YphRNOdbykJjKdEsAG4JxEVoERmhIHOTwKvUqlejajizAwlVZcxQl/FacoPLsKN5Q==",
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-darwin-x64/-/binding-darwin-x64-2.0.4.tgz",
+      "integrity": "sha512-oO5J2QYf7+H+aYRj85EiGrDOoDEE9EDDl7NgXv46iWvIF0wXowEHXqnjMFxHxRq2Vf6scT+0yYQX9blWcvMWAA==",
      "cpu": [
        "x64"
      ],
@@ -219,9 +216,9 @@
      ]
    },
    "node_modules/@rspack/binding-linux-arm64-gnu": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-2.0.0-rc.1.tgz",
-      "integrity": "sha512-j6WsHEwGSdUoiy4BsQBW0RjFl+MBzozdybSYhkiyVSoHlbm7CPt3XaaS3elH5YcwuLHORmVHPP91QhwWl9UFJg==",
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-2.0.4.tgz",
+      "integrity": "sha512-BEk6mIYBK4BihW9qXXITJORrVXecTlkRjrqhgefili4xjXtLdcUnxAm9sN/2oJ8m378n2h33qDh4gr2orPBFWQ==",
      "cpu": [
        "arm64"
      ],
@@ -236,9 +233,9 @@
      ]
    },
    "node_modules/@rspack/binding-linux-arm64-musl": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-musl/-/binding-linux-arm64-musl-2.0.0-rc.1.tgz",
-      "integrity": "sha512-MPoZE0aS8oH+Wr0R5tIYch8gbUwYYf4LsiGdP6enMKMTrmpJyOVGlhPHVSwsrFgBg7fjTGOuxHuibtsvDUdLOQ==",
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-musl/-/binding-linux-arm64-musl-2.0.4.tgz",
+      "integrity": "sha512-Hyt3z1RwNcSMIoaoWLN4Hb/696/O5JPukf8rXQASvf2UkC+X3ij7tr+8lMSYi3Zysi1QL375CnT4fNoABEW0JA==",
      "cpu": [
        "arm64"
      ],
@@ -253,9 +250,9 @@
      ]
    },
    "node_modules/@rspack/binding-linux-x64-gnu": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-gnu/-/binding-linux-x64-gnu-2.0.0-rc.1.tgz",
-      "integrity": "sha512-gOlPCwtIg9GsFG/8ZdUyV5SyXDaGq2kmtXmyyFU7RO33MaalltNEBMf2hevRPj9z39eSzxwgJDonMOdx5Fo0Og==",
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-gnu/-/binding-linux-x64-gnu-2.0.4.tgz",
+      "integrity": "sha512-xHorBPBZAg0Pn9Q0k9dWZ9euowieDxcSOzQ9JhTCmhDY6wZH5M/kCBFlCs/OQeW5/NUArW3x3MwEdO/0QJHMxg==",
      "cpu": [
        "x64"
      ],
@@ -270,9 +267,9 @@
      ]
    },
    "node_modules/@rspack/binding-linux-x64-musl": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-musl/-/binding-linux-x64-musl-2.0.0-rc.1.tgz",
-      "integrity": "sha512-K6Swk1rfP4z4b6bp84NlikGlUWMOPpIWCtlPr/W0TWgc2C/cd844oHdoIu7WtmOH7y9AwB5UG2bWpgFAVwykCw==",
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-musl/-/binding-linux-x64-musl-2.0.4.tgz",
+      "integrity": "sha512-QLxEGUXofF0kVNU12Y2NT3Qi9lGs+WbnYpapVeb+2IXtrAXJfU7Rhy7lAp5GLMzYMQNrKKL9SVnTWKbODbNW9Q==",
      "cpu": [
        "x64"
      ],
@@ -287,9 +284,9 @@
      ]
    },
    "node_modules/@rspack/binding-wasm32-wasi": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-wasm32-wasi/-/binding-wasm32-wasi-2.0.0-rc.1.tgz",
-      "integrity": "sha512-aa9oUTqOb1QjwsHVlMr5sV+7mcBI4MLQ/xhFO2CIEcfVnJIPl8XpKUbDEgqMwcFlzcgzKmHg5cVmIvd82BLgow==",
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-wasm32-wasi/-/binding-wasm32-wasi-2.0.4.tgz",
+      "integrity": "sha512-YhN8HkiH46ONU9tm5dyoXDImDWGpU7E4SPqGI4OyAVF0445uIChurIUmTIOYcD6cg81GGeIjozWJOcb635Dcqw==",
      "cpu": [
        "wasm32"
      ],
@@ -297,13 +294,15 @@
      "license": "MIT",
      "optional": true,
      "dependencies": {
-        "@napi-rs/wasm-runtime": "1.1.2"
+        "@emnapi/core": "1.10.0",
+        "@emnapi/runtime": "1.10.0",
+        "@napi-rs/wasm-runtime": "1.1.4"
      }
    },
    "node_modules/@rspack/binding-win32-arm64-msvc": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-2.0.0-rc.1.tgz",
-      "integrity": "sha512-+UxF0c7E9bE3siFbMHi+mmoeQJzcTKl1j3x+Y6MY/PJ3V70cU23wOaxMvmSsCyq2JNJBT2RCNZ9HaL+o3kReug==",
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-2.0.4.tgz",
+      "integrity": "sha512-MUlYIz82xQRN0aoiXXyEBrNVUwiOSSFRi7nuCgUKduaSdlbPWzCY31IdtOygZ06LVp5JIGUEtyqSrjQq4FrMRw==",
      "cpu": [
        "arm64"
      ],
@@ -315,9 +314,9 @@
      ]
    },
    "node_modules/@rspack/binding-win32-ia32-msvc": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-ia32-msvc/-/binding-win32-ia32-msvc-2.0.0-rc.1.tgz",
-      "integrity": "sha512-gc0JdkdxSWo+o/b1qTCT6mZ3DrlGe32eW+Ps3xInxcG4UHjUG7hTDgFtOgVQ6VhQ8WMUXG+TQOz0CySVpYjsoQ==",
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-ia32-msvc/-/binding-win32-ia32-msvc-2.0.4.tgz",
+      "integrity": "sha512-D7UcIFMzlY2yhhyuW4Ej15gBWmTwUM5DxuObl3Kv31qRv/pmV3MsqUeG5m2dqLbUxzqPH87qnp0cArbkJQ1b+w==",
      "cpu": [
        "ia32"
      ],
@@ -329,9 +328,9 @@
      ]
    },
    "node_modules/@rspack/binding-win32-x64-msvc": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-x64-msvc/-/binding-win32-x64-msvc-2.0.0-rc.1.tgz",
-      "integrity": "sha512-Dnj0jthyVUikf65MGEyZy3akshtSmR1xsp/Xr0h/NWTo5JFWHKAFNYFE+jFfY0uzC8e4IDcLQLYoFomqV1DsEg==",
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-x64-msvc/-/binding-win32-x64-msvc-2.0.4.tgz",
+      "integrity": "sha512-MnYKPfdrAEbtpKg/1SZ6cNtzreIRyQJK4APbxLLPXENdTH5QXQkaTjLMKEeJcJ51FRhI/+yNpOUm2oTHdCQ1Og==",
      "cpu": [
        "x64"
      ],
@@ -343,13 +342,13 @@
      ]
    },
    "node_modules/@rspack/core": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/core/-/core-2.0.0-rc.1.tgz",
-      "integrity": "sha512-OIfkYn05/IWtVIdZ8Y/a0y/k4ipzqfApxIZqnJM59G/bGwQKMBrLHpOMGgV2Wmq1j9UMXzF7ZtsFMUbYBhFb9A==",
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/@rspack/core/-/core-2.0.4.tgz",
+      "integrity": "sha512-OuxdQeeKWQpNvFBRDOcnoSaQvp6E4APM/6JJMM/k0p6oL1TEFQVGdNu3VGY4mRAsebnNBXapMVMhj+v66Bn2pg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@rspack/binding": "2.0.0-rc.1"
+        "@rspack/binding": "2.0.4"
      },
      "engines": {
        "node": "^20.19.0 || >=22.12.0"
@@ -368,39 +367,36 @@
      }
    },
    "node_modules/@rspack/plugin-react-refresh": {
-      "version": "1.6.2",
-      "resolved": "https://registry.npmjs.org/@rspack/plugin-react-refresh/-/plugin-react-refresh-1.6.2.tgz",
-      "integrity": "sha512-k+/VrfTNgo+KirjI6V+8CWRj6y+DH9jOUWv8JorYY4vKf/9xfnZ8xHzuB4iqCwTtoZl9YnxOaOuoyjJipc2tiQ==",
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/@rspack/plugin-react-refresh/-/plugin-react-refresh-2.0.0.tgz",
+      "integrity": "sha512-Cf6CxBStNDJbiXMc/GmsvG1G8PRlUpa0MSfWsMTI+e8npzuTN/p8nwLs3shriBZOLciqgkSZpBtPTd10BLpj1g==",
      "dev": true,
      "license": "MIT",
-      "dependencies": {
-        "error-stack-parser": "^2.1.4"
-      },
      "peerDependencies": {
-        "react-refresh": ">=0.10.0 <1.0.0",
-        "webpack-hot-middleware": "2.x"
+        "@rspack/core": "^2.0.0-0",
+        "react-refresh": ">=0.10.0 <1.0.0"
      },
      "peerDependenciesMeta": {
-        "webpack-hot-middleware": {
+        "@rspack/core": {
          "optional": true
        }
      }
    },
    "node_modules/@rspress/core": {
-      "version": "2.0.9",
-      "resolved": "https://registry.npmjs.org/@rspress/core/-/core-2.0.9.tgz",
-      "integrity": "sha512-cfbqqbWtdimrWIsfeyPnQOTKwJpdNLr8VnwLIL4JYC2ZcRq+xcInpszLXVpV86nONL6qI19usr2Or7uzZJ+ynA==",
+      "version": "2.0.13",
+      "resolved": "https://registry.npmjs.org/@rspress/core/-/core-2.0.13.tgz",
+      "integrity": "sha512-lbaBA5eqh7wKdH98TUQEI+SfS3Z6YgaNCup3X+ttrYVLOrxN8PJvbedo6fFAcl+wP3XLy6D0pcnnzAgu8y3tdg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@mdx-js/mdx": "^3.1.1",
        "@mdx-js/react": "^3.1.1",
-        "@rsbuild/core": "2.0.0-rc.1",
-        "@rsbuild/plugin-react": "~1.4.6",
-        "@rspress/shared": "2.0.9",
+        "@rsbuild/core": "^2.0.7",
+        "@rsbuild/plugin-react": "~2.0.0",
+        "@rspress/shared": "2.0.13",
        "@shikijs/rehype": "^4.0.2",
        "@types/unist": "^3.0.3",
-        "@unhead/react": "^2.1.13",
+        "@unhead/react": "^2.1.15",
        "body-scroll-lock": "4.0.0-beta.0",
        "clsx": "2.1.1",
        "copy-to-clipboard": "^3.3.3",
@@ -411,12 +407,12 @@
        "mdast-util-mdxjs-esm": "^2.0.1",
        "medium-zoom": "1.1.0",
        "nprogress": "^0.2.0",
-        "react": "^19.2.4",
-        "react-dom": "^19.2.4",
+        "react": "^19.2.6",
+        "react-dom": "^19.2.6",
        "react-lazy-with-preload": "^2.2.1",
        "react-reconciler": "0.33.0",
-        "react-render-to-markdown": "19.0.1",
-        "react-router-dom": "^7.13.2",
+        "react-render-to-markdown": "19.1.0",
+        "react-router-dom": "^7.15.1",
        "rehype-external-links": "^3.0.0",
        "rehype-raw": "^7.0.0",
        "remark-cjk-friendly": "^2.0.1",
@@ -440,52 +436,52 @@
      }
    },
    "node_modules/@rspress/plugin-client-redirects": {
-      "version": "2.0.9",
-      "resolved": "https://registry.npmjs.org/@rspress/plugin-client-redirects/-/plugin-client-redirects-2.0.9.tgz",
-      "integrity": "sha512-r2GyHzOSt8CeS4UIsy/cPM5Zotekt1JVQFmgOYGapvll5ktUlVcd77HLtXDbZjtpgtj0XlaMLrXueOpV2gsBoQ==",
+      "version": "2.0.13",
+      "resolved": "https://registry.npmjs.org/@rspress/plugin-client-redirects/-/plugin-client-redirects-2.0.13.tgz",
+      "integrity": "sha512-dP753ASTvH6eDtSEulcqq2lE/kTSdOWSCw0nzvXG+7atTWTHDp6z47uH3CGD8E78cBuKyEi4OH+U7V0EtCTc0Q==",
      "dev": true,
      "license": "MIT",
      "engines": {
        "node": "^20.19.0 || >=22.12.0"
      },
      "peerDependencies": {
-        "@rspress/core": "^2.0.9"
+        "@rspress/core": "^2.0.10"
      }
    },
    "node_modules/@rspress/plugin-sitemap": {
-      "version": "2.0.9",
-      "resolved": "https://registry.npmjs.org/@rspress/plugin-sitemap/-/plugin-sitemap-2.0.9.tgz",
-      "integrity": "sha512-GTuXuySaeaazUZoUxdk2vZ8p0ehIgulPjCP9C7gDg6lIh5JGpUbcjG4def4tWHsxUoKp2rIwu/93bHwKb8T0Mw==",
+      "version": "2.0.13",
+      "resolved": "https://registry.npmjs.org/@rspress/plugin-sitemap/-/plugin-sitemap-2.0.13.tgz",
+      "integrity": "sha512-JtkNlxNuA7BzknKIrLvLQkSk0XVi7OXzrE76ma/cLvleccNWr8LGrHtrac4IrDr+HauK4WKTM2JaHGGHUdOUKw==",
      "dev": true,
      "license": "MIT",
      "engines": {
        "node": "^20.19.0 || >=22.12.0"
      },
      "peerDependencies": {
-        "@rspress/core": "^2.0.9"
+        "@rspress/core": "^2.0.10"
      }
    },
    "node_modules/@rspress/shared": {
-      "version": "2.0.9",
-      "resolved": "https://registry.npmjs.org/@rspress/shared/-/shared-2.0.9.tgz",
-      "integrity": "sha512-G48n3pC7AVAR58pLqwClUCYj5Nt7ZgYEStR8VTBGFuPgXtzb3+KPfo/gz0hb6wxdKJ1cL5ohPsZ6EXqllu6lew==",
+      "version": "2.0.13",
+      "resolved": "https://registry.npmjs.org/@rspress/shared/-/shared-2.0.13.tgz",
+      "integrity": "sha512-LmDfr7+MDNWRBbxcNoWkW68A35oRonpDJq2Jlx3L8GCzG4sAsyd6Yw0DebTWAxx7hVOXGMf37nEf1J4aOLEZfg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@rsbuild/core": "2.0.0-rc.1",
+        "@rsbuild/core": "^2.0.7",
        "@shikijs/rehype": "^4.0.2",
        "unified": "^11.0.5"
      }
    },
    "node_modules/@shikijs/core": {
-      "version": "4.0.2",
-      "resolved": "https://registry.npmjs.org/@shikijs/core/-/core-4.0.2.tgz",
-      "integrity": "sha512-hxT0YF4ExEqB8G/qFdtJvpmHXBYJ2lWW7qTHDarVkIudPFE6iCIrqdgWxGn5s+ppkGXI0aEGlibI0PAyzP3zlw==",
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/@shikijs/core/-/core-4.1.0.tgz",
+      "integrity": "sha512-jLJtSJeuFffqX6/inRE1zqU5aFv2hrszvYgq3OjbAgFRZiWv7abKMDdQzYxuSDfmUPQozZvI/kuy6VMTvnvqTQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@shikijs/primitive": "4.0.2",
-        "@shikijs/types": "4.0.2",
+        "@shikijs/primitive": "4.1.0",
+        "@shikijs/types": "4.1.0",
        "@shikijs/vscode-textmate": "^10.0.2",
        "@types/hast": "^3.0.4",
        "hast-util-to-html": "^9.0.5"
@@ -495,28 +491,28 @@
      }
    },
    "node_modules/@shikijs/engine-javascript": {
-      "version": "4.0.2",
-      "resolved": "https://registry.npmjs.org/@shikijs/engine-javascript/-/engine-javascript-4.0.2.tgz",
-      "integrity": "sha512-7PW0Nm49DcoUIQEXlJhNNBHyoGMjalRETTCcjMqEaMoJRLljy1Bi/EGV3/qLBgLKQejdspiiYuHGQW6dX94Nag==",
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/@shikijs/engine-javascript/-/engine-javascript-4.1.0.tgz",
+      "integrity": "sha512-YquhawCUgaBfhsS72e2Y/dI59gCBNPHu3fEO/tvLaXrTssxZrY5ddjtNLTwndrMgPo8b3IscE+xoICDzpTmlFQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@shikijs/types": "4.0.2",
+        "@shikijs/types": "4.1.0",
        "@shikijs/vscode-textmate": "^10.0.2",
-        "oniguruma-to-es": "^4.3.4"
+        "oniguruma-to-es": "^4.3.6"
      },
      "engines": {
        "node": ">=20"
      }
    },
    "node_modules/@shikijs/engine-oniguruma": {
-      "version": "4.0.2",
-      "resolved": "https://registry.npmjs.org/@shikijs/engine-oniguruma/-/engine-oniguruma-4.0.2.tgz",
-      "integrity": "sha512-UpCB9Y2sUKlS9z8juFSKz7ZtysmeXCgnRF0dlhXBkmQnek7lAToPte8DkxmEYGNTMii72zU/lyXiCB6StuZeJg==",
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/@shikijs/engine-oniguruma/-/engine-oniguruma-4.1.0.tgz",
+      "integrity": "sha512-axLpjVs45YBvvINa+dJF+NPW+KtFkNXsFr4SDw2BMj9GdeMnGxVB9PQb2xXlJYovslt/nz6giedAyOANkfc7hg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@shikijs/types": "4.0.2",
+        "@shikijs/types": "4.1.0",
        "@shikijs/vscode-textmate": "^10.0.2"
      },
      "engines": {
@@ -524,26 +520,26 @@
      }
    },
    "node_modules/@shikijs/langs": {
-      "version": "4.0.2",
-      "resolved": "https://registry.npmjs.org/@shikijs/langs/-/langs-4.0.2.tgz",
-      "integrity": "sha512-KaXby5dvoeuZzN0rYQiPMjFoUrz4hgwIE+D6Du9owcHcl6/g16/yT5BQxSW5cGt2MZBz6Hl0YuRqf12omRfUUg==",
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/@shikijs/langs/-/langs-4.1.0.tgz",
+      "integrity": "sha512-nwOMruEkbgdZfQ/b8CgpNBVOpvG1k0N5tbmgiFeqsan401+x3ILqlzZJowSla4Agmq4hG2Uf2wh5jLTEhR8VSg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@shikijs/types": "4.0.2"
+        "@shikijs/types": "4.1.0"
      },
      "engines": {
        "node": ">=20"
      }
    },
    "node_modules/@shikijs/primitive": {
-      "version": "4.0.2",
-      "resolved": "https://registry.npmjs.org/@shikijs/primitive/-/primitive-4.0.2.tgz",
-      "integrity": "sha512-M6UMPrSa3fN5ayeJwFVl9qWofl273wtK1VG8ySDZ1mQBfhCpdd8nEx7nPZ/tk7k+TYcpqBZzj/AnwxT9lO+HJw==",
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/@shikijs/primitive/-/primitive-4.1.0.tgz",
+      "integrity": "sha512-zx2/2Uwj2q9X3KSyYREEhXO23xBw5WUhP4orK2lE4r+t9JGITmEe0JH+wPmJhqHpOT2bRRs6lAL945+LDvOAGw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@shikijs/types": "4.0.2",
+        "@shikijs/types": "4.1.0",
        "@shikijs/vscode-textmate": "^10.0.2",
        "@types/hast": "^3.0.4"
      },
@@ -552,16 +548,16 @@
      }
    },
    "node_modules/@shikijs/rehype": {
-      "version": "4.0.2",
-      "resolved": "https://registry.npmjs.org/@shikijs/rehype/-/rehype-4.0.2.tgz",
-      "integrity": "sha512-cmPlKLD8JeojasNFoY64162ScpEdEdQUMuVodPCrv1nx1z3bjmGwoKWDruQWa/ejSznImlaeB0Ty6Q3zPaVQAA==",
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/@shikijs/rehype/-/rehype-4.1.0.tgz",
+      "integrity": "sha512-HQwltCcO2/UiFz44/8whyji4rP1VghLu++MgvQn+lQA8/gvuycGkay8DH8o8VAOvLBDKGOkBEw7cC1Cm33GObQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@shikijs/types": "4.0.2",
+        "@shikijs/types": "4.1.0",
        "@types/hast": "^3.0.4",
        "hast-util-to-string": "^3.0.1",
-        "shiki": "4.0.2",
+        "shiki": "4.1.0",
        "unified": "^11.0.5",
        "unist-util-visit": "^5.1.0"
      },
@@ -570,22 +566,22 @@
      }
    },
    "node_modules/@shikijs/themes": {
-      "version": "4.0.2",
-      "resolved": "https://registry.npmjs.org/@shikijs/themes/-/themes-4.0.2.tgz",
-      "integrity": "sha512-mjCafwt8lJJaVSsQvNVrJumbnnj1RI8jbUKrPKgE6E3OvQKxnuRoBaYC51H4IGHePsGN/QtALglWBU7DoKDFnA==",
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/@shikijs/themes/-/themes-4.1.0.tgz",
+      "integrity": "sha512-emCcTnUM7yO2wltYbaxm+yLvcCI4+h8XBKc4KmJ7EZUXoSGjcCHifkI//R4OFit9ewpg7H2/9tjOuXrT2v/Knw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@shikijs/types": "4.0.2"
+        "@shikijs/types": "4.1.0"
      },
      "engines": {
        "node": ">=20"
      }
    },
    "node_modules/@shikijs/types": {
-      "version": "4.0.2",
-      "resolved": "https://registry.npmjs.org/@shikijs/types/-/types-4.0.2.tgz",
-      "integrity": "sha512-qzbeRooUTPnLE+sHD/Z8DStmaDgnbbc/pMrU203950aRqjX/6AFHeDYT+j00y2lPdz0ywJKx7o/7qnqTivtlXg==",
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/@shikijs/types/-/types-4.1.0.tgz",
+      "integrity": "sha512-3EQWX54fMpniOrDblzAhiwiJwpiTMW6+B9DWyUd9ska483tbayFYuw47UxwuPknI31bKnySfVQ/QW+jFL4rFdA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@@ -614,9 +610,9 @@
      }
    },
    "node_modules/@tybys/wasm-util": {
-      "version": "0.10.1",
-      "resolved": "https://registry.npmjs.org/@tybys/wasm-util/-/wasm-util-0.10.1.tgz",
-      "integrity": "sha512-9tTaPJLSiejZKx+Bmog4uSubteqTvFrVrURwkmHixBo0G4seD0zUxp98E1DzUBJxLQ3NPwXrGKDiVjwx/DpPsg==",
+      "version": "0.10.2",
+      "resolved": "https://registry.npmjs.org/@tybys/wasm-util/-/wasm-util-0.10.2.tgz",
+      "integrity": "sha512-RoBvJ2X0wuKlWFIjrwffGw1IqZHKQqzIchKaadZZfnNpsAYp2mM0h36JtPCjNDAHGgYez/15uMBpfGwchhiMgg==",
      "dev": true,
      "license": "MIT",
      "optional": true,
@@ -635,9 +631,9 @@
      }
    },
    "node_modules/@types/estree": {
-      "version": "1.0.8",
-      "resolved": "https://registry.npmjs.org/@types/estree/-/estree-1.0.8.tgz",
-      "integrity": "sha512-dWHzHa2WqEXI/O1E9OjrocMTKJl2mSrEolh1Iomrv6U+JuNwaHXsXx9bLu5gG7BUWFIN0skIQJQ/L1rIex4X6w==",
+      "version": "1.0.9",
+      "resolved": "https://registry.npmjs.org/@types/estree/-/estree-1.0.9.tgz",
+      "integrity": "sha512-GhdPgy1el4/ImP05X05Uw4cw2/M93BCUmnEvWZNStlCzEKME4Fkk+YpoA5OiHNQmoS7Cafb8Xa3Pya8m1Qrzeg==",
      "dev": true,
      "license": "MIT"
    },
@@ -686,9 +682,9 @@
      "license": "MIT"
    },
    "node_modules/@types/react": {
-      "version": "19.2.14",
-      "resolved": "https://registry.npmjs.org/@types/react/-/react-19.2.14.tgz",
-      "integrity": "sha512-ilcTH/UniCkMdtexkoCN0bI7pMcJDvmQFPvuPvmEaYA/NSfFTAgdUSLAoVjaRJm7+6PvcM+q1zYOwS4wTYMF9w==",
+      "version": "19.2.15",
+      "resolved": "https://registry.npmjs.org/@types/react/-/react-19.2.15.tgz",
+      "integrity": "sha512-eRwcGNHve+E8qtEQSSRl6urh+rFop4v8gm6O8rGv25CodbvFdLjA1vVQ1KkiFE0w0UPOnb8tDiFKL5lp0rtY5Q==",
      "dev": true,
      "license": "MIT",
      "peer": true,
@@ -704,20 +700,20 @@
      "license": "MIT"
    },
    "node_modules/@ungap/structured-clone": {
-      "version": "1.3.0",
-      "resolved": "https://registry.npmjs.org/@ungap/structured-clone/-/structured-clone-1.3.0.tgz",
-      "integrity": "sha512-WmoN8qaIAo7WTYWbAZuG8PYEhn5fkz7dZrqTBZ7dtt//lL2Gwms1IcnQ5yHqjDfX8Ft5j4YzDM23f87zBfDe9g==",
+      "version": "1.3.1",
+      "resolved": "https://registry.npmjs.org/@ungap/structured-clone/-/structured-clone-1.3.1.tgz",
+      "integrity": "sha512-mUFwbeTqrVgDQxFveS+df2yfap6iuP20NAKAsBt5jDEoOTDew+zwLAOilHCeQJOVSvmgCX4ogqIrA0mnyr08yQ==",
      "dev": true,
      "license": "ISC"
    },
    "node_modules/@unhead/react": {
-      "version": "2.1.13",
-      "resolved": "https://registry.npmjs.org/@unhead/react/-/react-2.1.13.tgz",
-      "integrity": "sha512-gC48tNJ0UtbithkiKCc2WUlxbVVk5o171EtruS2w2hQUblfYFHzCPu2hljjT1e0tUHXXqN8EMv7mpxHddMB2sg==",
+      "version": "2.1.15",
+      "resolved": "https://registry.npmjs.org/@unhead/react/-/react-2.1.15.tgz",
+      "integrity": "sha512-5hfAaZ3XJq9JkspRzZdSPsMrXXA8v/SKiEOxZcN9L40o44byF/50bcQuOLgSSCAx8802mI5VG32KZXWTtsLu9Q==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "unhead": "2.1.13"
+        "unhead": "2.1.15"
      },
      "funding": {
        "url": "https://github.com/sponsors/harlan-zw"
@@ -972,16 +968,6 @@
        "url": "https://github.com/fb55/entities?sponsor=1"
      }
    },
-    "node_modules/error-stack-parser": {
-      "version": "2.1.4",
-      "resolved": "https://registry.npmjs.org/error-stack-parser/-/error-stack-parser-2.1.4.tgz",
-      "integrity": "sha512-Sk5V6wVazPhq5MhpO+AUxJn5x7XSXGl1R93Vn7i+zS15KDVxQijejNCrz8340/2bgLBjR9GtEG8ZVKONDjcqGQ==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "stackframe": "^1.3.4"
-      }
-    },
    "node_modules/esast-util-from-estree": {
      "version": "2.0.0",
      "resolved": "https://registry.npmjs.org/esast-util-from-estree/-/esast-util-from-estree-2.0.0.tgz",
@@ -1164,9 +1150,9 @@
      "license": "Apache-2.0"
    },
    "node_modules/get-east-asian-width": {
-      "version": "1.5.0",
-      "resolved": "https://registry.npmjs.org/get-east-asian-width/-/get-east-asian-width-1.5.0.tgz",
-      "integrity": "sha512-CQ+bEO+Tva/qlmw24dCejulK5pMzVnUOFOijVogd3KQs07HnRIgp8TGipvCCRT06xeYEbpbgwaCxglFyiuIcmA==",
+      "version": "1.6.0",
+      "resolved": "https://registry.npmjs.org/get-east-asian-width/-/get-east-asian-width-1.6.0.tgz",
+      "integrity": "sha512-QRbvDIbx6YklUe6RxeTeleMR0yv3cYH6PsPZHcnVn7xv7zO1BHN8r0XETu8n6Ye3Q+ahtSarc3WgtNWmehIBfA==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -1413,9 +1399,9 @@
      }
    },
    "node_modules/hookable": {
-      "version": "6.1.0",
-      "resolved": "https://registry.npmjs.org/hookable/-/hookable-6.1.0.tgz",
-      "integrity": "sha512-ZoKZSJgu8voGK2geJS+6YtYjvIzu9AOM/KZXsBxr83uhLL++e9pEv/dlgwgy3dvHg06kTz6JOh1hk3C8Ceiymw==",
+      "version": "6.1.1",
+      "resolved": "https://registry.npmjs.org/hookable/-/hookable-6.1.1.tgz",
+      "integrity": "sha512-U9LYDy1CwhMCnprUfeAZWZGByVbhd54hwepegYTK7Pi5NvqEj63ifz5z+xukznehT7i6NIZRu89Ay1AZmRsLEQ==",
      "dev": true,
      "license": "MIT"
    },
@@ -2697,20 +2683,20 @@
      "license": "MIT"
    },
    "node_modules/oniguruma-parser": {
-      "version": "0.12.1",
-      "resolved": "https://registry.npmjs.org/oniguruma-parser/-/oniguruma-parser-0.12.1.tgz",
-      "integrity": "sha512-8Unqkvk1RYc6yq2WBYRj4hdnsAxVze8i7iPfQr8e4uSP3tRv0rpZcbGUDvxfQQcdwHt/e9PrMvGCsa8OqG9X3w==",
+      "version": "0.12.2",
+      "resolved": "https://registry.npmjs.org/oniguruma-parser/-/oniguruma-parser-0.12.2.tgz",
+      "integrity": "sha512-6HVa5oIrgMC6aA6WF6XyyqbhRPJrKR02L20+2+zpDtO5QAzGHAUGw5TKQvwi5vctNnRHkJYmjAhRVQF2EKdTQw==",
      "dev": true,
      "license": "MIT"
    },
    "node_modules/oniguruma-to-es": {
-      "version": "4.3.5",
-      "resolved": "https://registry.npmjs.org/oniguruma-to-es/-/oniguruma-to-es-4.3.5.tgz",
-      "integrity": "sha512-Zjygswjpsewa0NLTsiizVuMQZbp0MDyM6lIt66OxsF21npUDlzpHi1Mgb/qhQdkb+dWFTzJmFbEWdvZgRho8eQ==",
+      "version": "4.3.6",
+      "resolved": "https://registry.npmjs.org/oniguruma-to-es/-/oniguruma-to-es-4.3.6.tgz",
+      "integrity": "sha512-csuQ9x3Yr0cEIs/Zgx/OEt9iBw9vqIunAPQkx19R/fiMq2oGVTgcMqO/V3Ybqefr1TBvosI6jU539ksaBULJyA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "oniguruma-parser": "^0.12.1",
+        "oniguruma-parser": "^0.12.2",
        "regex": "^6.1.0",
        "regex-recursion": "^6.0.2"
      }
@@ -2767,9 +2753,9 @@
      }
    },
    "node_modules/react": {
-      "version": "19.2.5",
-      "resolved": "https://registry.npmjs.org/react/-/react-19.2.5.tgz",
-      "integrity": "sha512-llUJLzz1zTUBrskt2pwZgLq59AemifIftw4aB7JxOqf1HY2FDaGDxgwpAPVzHU1kdWabH7FauP4i1oEeer2WCA==",
+      "version": "19.2.6",
+      "resolved": "https://registry.npmjs.org/react/-/react-19.2.6.tgz",
+      "integrity": "sha512-sfWGGfavi0xr8Pg0sVsyHMAOziVYKgPLNrS7ig+ivMNb3wbCBw3KxtflsGBAwD3gYQlE/AEZsTLgToRrSCjb0Q==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -2777,16 +2763,16 @@
      }
    },
    "node_modules/react-dom": {
-      "version": "19.2.5",
-      "resolved": "https://registry.npmjs.org/react-dom/-/react-dom-19.2.5.tgz",
-      "integrity": "sha512-J5bAZz+DXMMwW/wV3xzKke59Af6CHY7G4uYLN1OvBcKEsWOs4pQExj86BBKamxl/Ik5bx9whOrvBlSDfWzgSag==",
+      "version": "19.2.6",
+      "resolved": "https://registry.npmjs.org/react-dom/-/react-dom-19.2.6.tgz",
+      "integrity": "sha512-0prMI+hvBbPjsWnxDLxlCGyM8PN6UuWjEUCYmZhO67xIV9Xasa/r/vDnq+Xyq4Lo27g8QSbO5YzARu0D1Sps3g==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "scheduler": "^0.27.0"
      },
      "peerDependencies": {
-        "react": "^19.2.5"
+        "react": "^19.2.6"
      }
    },
    "node_modules/react-lazy-with-preload": {
@@ -2823,9 +2809,9 @@
      }
    },
    "node_modules/react-render-to-markdown": {
-      "version": "19.0.1",
-      "resolved": "https://registry.npmjs.org/react-render-to-markdown/-/react-render-to-markdown-19.0.1.tgz",
-      "integrity": "sha512-BPv48o+ubcu2JyUDIktvJXFqLIZqR7hA4mvGu1eFIofz9fogT2me9UvXwRvqvGs9jEtNaJkxZIUKUX0oiK4hDA==",
+      "version": "19.1.0",
+      "resolved": "https://registry.npmjs.org/react-render-to-markdown/-/react-render-to-markdown-19.1.0.tgz",
+      "integrity": "sha512-dF9b3tO41ezqdmHP8X92kbHbMexJ6iC7iHw4ykC8fwiO7DgpFc9PhMoKlI+BcPzRxGcWgQSdrixVB9RykhjJpQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@@ -2836,9 +2822,9 @@
      }
    },
    "node_modules/react-router": {
-      "version": "7.14.0",
-      "resolved": "https://registry.npmjs.org/react-router/-/react-router-7.14.0.tgz",
-      "integrity": "sha512-m/xR9N4LQLmAS0ZhkY2nkPA1N7gQ5TUVa5n8TgANuDTARbn1gt+zLPXEm7W0XDTbrQ2AJSJKhoa6yx1D8BcpxQ==",
+      "version": "7.15.1",
+      "resolved": "https://registry.npmjs.org/react-router/-/react-router-7.15.1.tgz",
+      "integrity": "sha512-R8rl9HhgikFYoPJymnUtPXWbnDb3oget6lQnfIoupbt61aT9aOhRkDsY2XRhZRyX1Z/8a5sL74fXmFNm3NRK5A==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@@ -2859,13 +2845,13 @@
      }
    },
    "node_modules/react-router-dom": {
-      "version": "7.14.0",
-      "resolved": "https://registry.npmjs.org/react-router-dom/-/react-router-dom-7.14.0.tgz",
-      "integrity": "sha512-2G3ajSVSZMEtmTjIklRWlNvo8wICEpLihfD/0YMDxbWK2UyP5EGfnoIn9AIQGnF3G/FX0MRbHXdFcD+rL1ZreQ==",
+      "version": "7.15.1",
+      "resolved": "https://registry.npmjs.org/react-router-dom/-/react-router-dom-7.15.1.tgz",
+      "integrity": "sha512-AzF62gjY6U9rkMq4RfP/r2EVtQ7DMfNMjyOp/flLTCrtRylLiK4wT4pSq6O8rOXZ2eXdZYJPEYe+ifomiv+Igg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "react-router": "7.14.0"
+        "react-router": "7.15.1"
      },
      "engines": {
        "node": ">=20.0.0"
@@ -3178,18 +3164,18 @@
      "license": "MIT"
    },
    "node_modules/shiki": {
-      "version": "4.0.2",
-      "resolved": "https://registry.npmjs.org/shiki/-/shiki-4.0.2.tgz",
-      "integrity": "sha512-eAVKTMedR5ckPo4xne/PjYQYrU3qx78gtJZ+sHlXEg5IHhhoQhMfZVzetTYuaJS0L2Ef3AcCRzCHV8T0WI6nIQ==",
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/shiki/-/shiki-4.1.0.tgz",
+      "integrity": "sha512-l/ABZPUR5v70jI10EzqfMS/I96vjSGv2y0ihUV+WYFzv0EfvW4s54m0Lg8wCrrL+2IkwBzFTuxkZjPf8b2NX9Q==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@shikijs/core": "4.0.2",
-        "@shikijs/engine-javascript": "4.0.2",
-        "@shikijs/engine-oniguruma": "4.0.2",
-        "@shikijs/langs": "4.0.2",
-        "@shikijs/themes": "4.0.2",
-        "@shikijs/types": "4.0.2",
+        "@shikijs/core": "4.1.0",
+        "@shikijs/engine-javascript": "4.1.0",
+        "@shikijs/engine-oniguruma": "4.1.0",
+        "@shikijs/langs": "4.1.0",
+        "@shikijs/themes": "4.1.0",
+        "@shikijs/types": "4.1.0",
        "@shikijs/vscode-textmate": "^10.0.2",
        "@types/hast": "^3.0.4"
      },
@@ -3218,13 +3204,6 @@
        "url": "https://github.com/sponsors/wooorm"
      }
    },
-    "node_modules/stackframe": {
-      "version": "1.3.4",
-      "resolved": "https://registry.npmjs.org/stackframe/-/stackframe-1.3.4.tgz",
-      "integrity": "sha512-oeVtt7eWQS+Na6F//S4kJ2K2VbRlS9D43mAlMyVpVWovy9o+jfgH8O9agzANzaiLjclA0oYzUXEM4PurhSUChw==",
-      "dev": true,
-      "license": "MIT"
-    },
    "node_modules/stringify-entities": {
      "version": "4.0.4",
      "resolved": "https://registry.npmjs.org/stringify-entities/-/stringify-entities-4.0.4.tgz",
@@ -3311,9 +3290,9 @@
      }
    },
    "node_modules/unhead": {
-      "version": "2.1.13",
-      "resolved": "https://registry.npmjs.org/unhead/-/unhead-2.1.13.tgz",
-      "integrity": "sha512-jO9M1sI6b2h/1KpIu4Jeu+ptumLmUKboRRLxys5pYHFeT+lqTzfNHbYUX9bxVDhC1FBszAGuWcUVlmvIPsah8Q==",
+      "version": "2.1.15",
+      "resolved": "https://registry.npmjs.org/unhead/-/unhead-2.1.15.tgz",
+      "integrity": "sha512-MCt5T90mCWyr3Z6pUCdM9lVRXoMoVBlL7z7U4CYVIiaDiuzad/UCfLuMqz5MeNmpZUgoBCQnrucJimU7EZR+XA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@@ -5,7 +5,7 @@
    "osvVulnerabilityAlerts": true,
    "lockFileMaintenance": {
        "enabled": true,
-        "schedule": ["at any time"]
+        "schedule": ["* * * * 0,6"]
    },
    "platformAutomerge": true,
    "nix": {
@@ -66,6 +66,17 @@
            "matchUpdateTypes": ["minor", "patch"],
            "groupName": "github-actions-non-major"
        },
+        {
+            "description": "Batch GitHub Actions digest updates",
+            "matchManagers": ["github-actions"],
+            "matchUpdateTypes": ["digest"],
+            "groupName": "github-actions-digest",
+            "automerge": true,
+            "automergeStrategy": "fast-forward",
+            "schedule": [
+              "* 0-7 * * 2"
+            ]
+        },
        {
            "description": "Batch patch-level Node.js dependency updates",
            "matchManagers": ["npm"],
@@ -83,7 +94,10 @@
            "matchPackageNames": ["crate-ci/typos"],
            "matchUpdateTypes": ["minor", "patch"],
            "automerge": true,
-            "automergeStrategy": "fast-forward"
+            "automergeStrategy": "fast-forward",
+            "schedule": [
+              "* 0-7 * * 3"
+            ]
        },
        {
            "description": "Auto-merge renovatebot docker image updates",
@@ -91,7 +105,9 @@
            "matchPackageNames": ["ghcr.io/renovatebot/renovate"],
            "automerge": true,
            "automergeStrategy": "fast-forward",
-            "extends": ["schedule:earlyMondays"]
+            "schedule": [
+              "* 0-7 * * 1"
+            ]
        }
    ],
    "customManagers": [
@@ -10,7 +10,7 @@

 [toolchain]
 profile = "minimal"
-channel = "1.92.0"
+channel = "1.95.0"
 components = [
    # For rust-analyzer
    "rust-src",
@@ -81,9 +81,11 @@ conduwuit-macros.workspace = true
 conduwuit-service.workspace = true
 const-str.workspace = true
 ctor.workspace = true
+dtor.workspace = true
 futures.workspace = true
 lettre.workspace = true
 log.workspace = true
+assign.workspace = true
 ruma.workspace = true
 serde_json.workspace = true
 serde-saphyr.workspace = true
@@ -7,7 +7,7 @@ use crate::Context;
 #[implement(Context, params = "<'_>")]
 pub(super) async fn check_all_users(&self) -> Result {
 	let timer = tokio::time::Instant::now();
-	let users = self.services.users.iter().collect::<Vec<_>>().await;
+	let users = self.services.users.stream().collect::<Vec<_>>().await;
 	let query_time = timer.elapsed();

 	let total = users.len();
@@ -1,5 +1,5 @@
 use std::{
-	collections::HashMap,
+	collections::{HashMap, HashSet},
 	fmt::Write,
 	iter::once,
 	time::{Instant, SystemTime},
@@ -22,7 +22,7 @@ use futures::{FutureExt, StreamExt, TryStreamExt};
 use lettre::message::Mailbox;
 use ruma::{
 	CanonicalJsonObject, CanonicalJsonValue, EventId, OwnedEventId, OwnedRoomId,
-	OwnedRoomOrAliasId, OwnedServerName, RoomId, RoomVersionId,
+	OwnedRoomOrAliasId, OwnedServerName, RoomId, RoomVersionId, UInt,
 	api::federation::event::get_room_state, events::AnyStateEvent, serde::Raw,
 };
 use service::rooms::{
@@ -69,6 +69,205 @@ pub(super) async fn get_auth_chain(&self, event_id: OwnedEventId) -> Result {
 	self.write_str(&out).await
 }

+#[derive(Clone, Copy, Eq, PartialEq)]
+enum NodeStatus {
+	Normal(bool),
+	SoftFailed(bool),
+	Rejected(bool),
+}
+
+struct AuthChild {
+	node_id: String,
+	event_id: OwnedEventId,
+	depth: UInt,
+	ts: UInt,
+	first_seen: bool,
+	pdu: Option<PduEvent>,
+}
+
+fn render_node(
+	graph: &mut String,
+	node_id: &str,
+	event_id: &EventId,
+	name: &str,
+	status: NodeStatus,
+) -> Result {
+	let evt_str = event_id.to_string();
+
+	let status_label = match status {
+		| NodeStatus::Normal(false) => format!("{evt_str}: {name}"),
+		| NodeStatus::Normal(true) => format!("{evt_str}: {name} (missing locally)"),
+		| NodeStatus::SoftFailed(false) => format!("{evt_str}: {name} (soft-failed)"),
+		| NodeStatus::SoftFailed(true) =>
+			format!("{evt_str}: {name} (soft-failed & missing locally)"),
+		| NodeStatus::Rejected(false) => format!("{evt_str}: {name} (rejected)"),
+		| NodeStatus::Rejected(true) => format!("{evt_str}: {name} (rejected & missing locally)"),
+	};
+
+	writeln!(graph, "{node_id}[\"{}\"]", status_label.as_str())?;
+
+	match status {
+		| NodeStatus::Rejected(_) => writeln!(graph, "class {node_id} rejected;")?,
+		| NodeStatus::SoftFailed(_) => writeln!(graph, "class {node_id} soft_failed;")?,
+		| NodeStatus::Normal(_) => {},
+	}
+
+	Ok(())
+}
+
+#[admin_command]
+pub(super) async fn show_auth_chain(&self, event_id: OwnedEventId) -> Result {
+	let node_status = async |event_id: &EventId, missing: bool| -> NodeStatus {
+		if self
+			.services
+			.rooms
+			.pdu_metadata
+			.is_event_rejected(event_id)
+			.await
+		{
+			NodeStatus::Rejected(missing)
+		} else if self
+			.services
+			.rooms
+			.pdu_metadata
+			.is_event_soft_failed(event_id)
+			.await
+		{
+			NodeStatus::SoftFailed(missing)
+		} else {
+			NodeStatus::Normal(missing)
+		}
+	};
+
+	let Ok(root) = self.services.rooms.timeline.get_pdu(&event_id).await else {
+		return Err!("Event not found.");
+	};
+
+	let mut graph = String::from(
+		"```mermaid\n%% This is a mermaid graph. You can plug this output into\n\
+		%% https://mermaid.live/edit to visualise it on-the-fly.\nflowchart TD\n\
+		classDef rejected fill:#ffe5e5,stroke:#cc0000,stroke-width:2px,color:#000;\n\
+		classDef soft_failed fill:#fff6cc,stroke:#c9a400,stroke-width:2px,color:#000;\n"
+	);
+
+	let mut node_ids: HashMap<OwnedEventId, String> = HashMap::new();
+	let mut cached_events: HashMap<OwnedEventId, PduEvent> =
+		HashMap::from([(event_id.clone(), root.clone())]);
+	let mut scheduled: HashSet<OwnedEventId> = HashSet::from([event_id.clone()]);
+	let mut visited: HashSet<OwnedEventId> = HashSet::new();
+	let mut stack = vec![root];
+	let mut next_node_id = 0_usize;
+
+	let node_id_for = |event_id: &OwnedEventId,
+	                   node_ids: &mut HashMap<OwnedEventId, String>,
+	                   next_node_id: &mut usize| {
+		node_ids
+			.entry(event_id.clone())
+			.or_insert_with(|| {
+				let id = format!("n{}", *next_node_id);
+				*next_node_id = next_node_id.saturating_add(1);
+				id
+			})
+			.clone()
+	};
+	let node_name = |e: &PduEvent| {
+		if let Some(state_key) = e.state_key() {
+			format!("{},'{}'", e.event_type(), state_key)
+		} else {
+			format!("{}", e.event_type())
+		}
+	};
+
+	while let Some(event) = stack.pop() {
+		let current_event_id = event.event_id().to_owned();
+		if !visited.insert(current_event_id.clone()) {
+			continue;
+		}
+
+		let current_node_id = node_id_for(&current_event_id, &mut node_ids, &mut next_node_id);
+		let current_status = node_status(&current_event_id, false).await;
+
+		render_node(
+			&mut graph,
+			&current_node_id,
+			&current_event_id,
+			&node_name(&event),
+			current_status,
+		)?;
+
+		let mut children = Vec::with_capacity(event.auth_events.len());
+		for auth_event_id in event.auth_events().rev() {
+			let auth_event_id = auth_event_id.to_owned();
+			let auth_node_id = node_id_for(&auth_event_id, &mut node_ids, &mut next_node_id);
+			writeln!(graph, "{current_node_id} --> {auth_node_id}")?;
+
+			let first_seen = scheduled.insert(auth_event_id.clone());
+			let auth_pdu = if let Some(auth_pdu) = cached_events.get(&auth_event_id) {
+				// NOTE: events might be referenced multiple times (like the create event)
+				// so this saves some cheeky db lookup time
+				Some(auth_pdu.clone())
+			} else if first_seen {
+				match self.services.rooms.timeline.get_pdu(&auth_event_id).await {
+					| Ok(auth_event) => {
+						cached_events.insert(auth_event_id.clone(), auth_event.clone());
+						Some(auth_event)
+					},
+					| Err(_) => None,
+				}
+			} else {
+				None
+			};
+
+			// NOTE: Depth is used as the primary sorting key here, even though it has no
+			// bearing on state resolution or anything. Timestamp is used as a
+			// tiebreaker, failing back to lexicographical comparison.
+			let (depth, ts) = auth_pdu
+				.as_ref()
+				.map_or((UInt::MAX, UInt::MAX), |pdu| (pdu.depth, pdu.origin_server_ts));
+
+			children.push(AuthChild {
+				node_id: auth_node_id,
+				event_id: auth_event_id,
+				depth,
+				ts,
+				first_seen,
+				pdu: auth_pdu,
+			});
+		}
+
+		children.sort_by(|a, b| {
+			a.depth
+				.cmp(&b.depth)
+				.then(a.ts.cmp(&b.ts))
+				.then(a.event_id.as_str().cmp(b.event_id.as_str()))
+		});
+
+		for child in children.into_iter().rev() {
+			if !child.first_seen {
+				continue;
+			}
+
+			if let Some(child_pdu) = child.pdu {
+				// We have this PDU so will want to traverse it.
+				stack.push(child_pdu);
+			} else {
+				// We don't have this PDU locally so we can't traverse its auth events,
+				// but we can still render it as a node.
+				render_node(
+					&mut graph,
+					&child.node_id,
+					&child.event_id,
+					"",
+					node_status(&child.event_id, true).await,
+				)?;
+			}
+		}
+	}
+
+	graph.push_str("```\n");
+	self.write_str(&graph).await
+}
+
 #[admin_command]
 pub(super) async fn parse_pdu(&self) -> Result {
 	if self.body.len() < 2
@@ -79,12 +278,14 @@ pub(super) async fn parse_pdu(&self) -> Result {
 	}

 	let string = self.body[1..self.body.len().saturating_sub(1)].join("\n");
+	let room_version_rules = RoomVersionId::V12.rules().unwrap();
+
 	match serde_json::from_str(&string) {
 		| Err(e) => return Err!("Invalid json in command body: {e}"),
-		| Ok(value) => match ruma::signatures::reference_hash(&value, &RoomVersionId::V6) {
+		| Ok(value) => match ruma::signatures::reference_hash(&value, &room_version_rules) {
 			| Err(e) => return Err!("Could not parse PDU JSON: {e:?}"),
 			| Ok(hash) => {
-				let event_id = OwnedEventId::parse(format!("${hash}"));
+				let event_id = EventId::parse(format!("${hash}"));
 				match serde_json::from_value::<PduEvent>(serde_json::to_value(value)?) {
 					| Err(e) => return Err!("EventId: {event_id:?}\nCould not parse event: {e}"),
 					| Ok(pdu) => write!(self, "EventId: {event_id:?}\n{pdu:#?}"),
@@ -109,17 +310,33 @@ pub(super) async fn get_pdu(&self, event_id: OwnedEventId) -> Result {
 		outlier = true;
 		pdu_json = self.services.rooms.timeline.get_pdu_json(&event_id).await;
 	}
+	let rejected = self
+		.services
+		.rooms
+		.pdu_metadata
+		.is_event_rejected(&event_id)
+		.await;
+	let soft_failed = self
+		.services
+		.rooms
+		.pdu_metadata
+		.is_event_soft_failed(&event_id)
+		.await;

 	match pdu_json {
 		| Err(_) => return Err!("PDU not found locally."),
 		| Ok(json) => {
 			let text = serde_json::to_string_pretty(&json)?;
-			let msg = if outlier {
-				"Outlier (Rejected / Soft Failed) PDU found in our database"
+			let msg = if rejected {
+				"Rejected PDU:"
+			} else if soft_failed {
+				"Soft-failed PDU:"
+			} else if outlier {
+				"Outlier PDU:"
 			} else {
-				"PDU found in our database"
+				"PDU:"
 			};
-			write!(self, "{msg}\n```json\n{text}\n```",)
+			write!(self, "{msg}\n```json\n{text}\n```")
 		},
 	}
 	.await
@@ -187,10 +404,7 @@ pub(super) async fn get_remote_pdu_list(&self, server: OwnedServerName, force: b

 	for event_id in list {
 		if force {
-			match self
-				.get_remote_pdu(event_id.to_owned(), server.clone())
-				.await
-			{
+			match self.get_remote_pdu(event_id.clone(), server.clone()).await {
 				| Err(e) => {
 					failed_count = failed_count.saturating_add(1);
 					self.services
@@ -205,7 +419,7 @@ pub(super) async fn get_remote_pdu_list(&self, server: OwnedServerName, force: b
 				},
 			}
 		} else {
-			self.get_remote_pdu(event_id.to_owned(), server.clone())
+			self.get_remote_pdu(event_id.clone(), server.clone())
 				.await?;
 			success_count = success_count.saturating_add(1);
 		}
@@ -237,10 +451,10 @@ pub(super) async fn get_remote_pdu(
 	match self
 		.services
 		.sending
-		.send_federation_request(&server, ruma::api::federation::event::get_event::v1::Request {
-			event_id: event_id.clone(),
-			include_unredacted_content: None,
-		})
+		.send_federation_request(
+			&server,
+			ruma::api::federation::event::get_event::v1::Request::new(event_id.clone()),
+		)
 		.await
 	{
 		| Err(e) => {
@@ -330,9 +544,9 @@ pub(super) async fn ping(&self, server: OwnedServerName) -> Result {
 	match self
 		.services
 		.sending
-		.send_federation_request(
+		.send_unauthenticated_request(
 			&server,
-			ruma::api::federation::discovery::get_server_version::v1::Request {},
+			ruma::api::federation::discovery::get_server_version::v1::Request::new(),
 		)
 		.await
 	{
@@ -361,7 +575,7 @@ pub(super) async fn force_device_list_updates(&self) -> Result {
 	self.services
 		.users
 		.stream()
-		.for_each(|user_id| self.services.users.mark_device_key_update(user_id))
+		.for_each(async |user_id| self.services.users.mark_device_key_update(&user_id).await)
 		.await;

 	write!(self, "Marked all devices for all users as having new keys to update").await
@@ -430,9 +644,16 @@ pub(super) async fn verify_json(&self) -> Result {
 	}

 	let string = self.body[1..self.body.len().checked_sub(1).unwrap()].join("\n");
+	let room_version_rules = RoomVersionId::V12.rules().unwrap();
+
 	match serde_json::from_str::<CanonicalJsonObject>(&string) {
 		| Err(e) => return Err!("Invalid json: {e}"),
-		| Ok(value) => match self.services.server_keys.verify_json(&value, None).await {
+		| Ok(value) => match self
+			.services
+			.server_keys
+			.verify_json(&value, &room_version_rules)
+			.await
+		{
 			| Err(e) => return Err!("Signature verification failed: {e}"),
 			| Ok(()) => write!(self, "Signature correct"),
 		},
@@ -445,9 +666,15 @@ pub(super) async fn verify_pdu(&self, event_id: OwnedEventId) -> Result {
 	use ruma::signatures::Verified;

 	let mut event = self.services.rooms.timeline.get_pdu_json(&event_id).await?;
+	let room_version_rules = RoomVersionId::V12.rules().unwrap();

 	event.remove("event_id");
-	let msg = match self.services.server_keys.verify_event(&event, None).await {
+	let msg = match self
+		.services
+		.server_keys
+		.verify_event(&event, &room_version_rules)
+		.await
+	{
 		| Err(e) => return Err(e),
 		| Ok(Verified::Signatures) => "signatures OK, but content hash failed (redaction).",
 		| Ok(Verified::All) => "signatures and hashes OK.",
@@ -544,16 +771,17 @@ pub(super) async fn force_set_room_state_from_server(
 	};

 	let room_version = self.services.rooms.state.get_room_version(&room_id).await?;
+	let room_version_rules = room_version.rules().unwrap();

 	let mut state: HashMap<u64, OwnedEventId> = HashMap::new();

 	let remote_state_response = self
 		.services
 		.sending
-		.send_federation_request(&server_name, get_room_state::v1::Request {
-			room_id: room_id.clone(),
-			event_id: at_event_id,
-		})
+		.send_federation_request(
+			&server_name,
+			get_room_state::v1::Request::new(at_event_id, room_id.clone()),
+		)
 		.await?;

 	for pdu in remote_state_response.pdus.clone() {
@@ -576,7 +804,7 @@ pub(super) async fn force_set_room_state_from_server(
 	for result in remote_state_response.pdus.iter().map(|pdu| {
 		self.services
 			.server_keys
-			.validate_and_add_event_id(pdu, &room_version)
+			.validate_and_add_event_id(pdu, &room_version_rules)
 	}) {
 		let Ok((event_id, value)) = result.await else {
 			continue;
@@ -601,6 +829,10 @@ pub(super) async fn force_set_room_state_from_server(
 				.await;

 			state.insert(shortstatekey, pdu.event_id.clone());
+			self.services
+				.rooms
+				.pdu_metadata
+				.clear_pdu_markers(pdu.event_id());
 		}
 	}

@@ -608,7 +840,7 @@ pub(super) async fn force_set_room_state_from_server(
 	for result in remote_state_response.auth_chain.iter().map(|pdu| {
 		self.services
 			.server_keys
-			.validate_and_add_event_id(pdu, &room_version)
+			.validate_and_add_event_id(pdu, &room_version_rules)
 	}) {
 		let Ok((event_id, value)) = result.await else {
 			continue;
@@ -618,6 +850,10 @@ pub(super) async fn force_set_room_state_from_server(
 			.rooms
 			.outlier
 			.add_pdu_outlier(&event_id, &value);
+		self.services
+			.rooms
+			.pdu_metadata
+			.clear_pdu_markers(&event_id);
 	}

 	info!("Resolving new room state");
@@ -625,7 +861,7 @@ pub(super) async fn force_set_room_state_from_server(
 		.services
 		.rooms
 		.event_handler
-		.resolve_state(&room_id, &room_version, state)
+		.resolve_state(&room_id, &room_version_rules, state)
 		.await?;

 	info!("Compressing new room state");
@@ -649,10 +885,7 @@ pub(super) async fn force_set_room_state_from_server(
 		.force_state(room_id.clone().as_ref(), short_state_hash, added, removed, &state_lock)
 		.await?;

-	info!(
-		"Updating joined counts for room just in case (e.g. we may have found a difference in \
-		 the room's m.room.member state"
-	);
+	info!("Updating joined counts for room");
 	self.services
 		.rooms
 		.state_cache
@@ -17,12 +17,21 @@ pub enum DebugCommand {
 		message: Vec<String>,
 	},

-	/// Get the auth_chain of a PDU
+	/// Loads the auth_chain of a PDU, reporting how long it took.
 	GetAuthChain {
 		/// An event ID (the $ character followed by the base64 reference hash)
 		event_id: OwnedEventId,
 	},

+	/// Walks & displays the auth_chain of a PDU in a mermaid graph format.
+	///
+	/// This is useless to basically anyone but developers, and is also probably
+	/// slow and memory hungry.
+	ShowAuthChain {
+		/// The root event ID to start walking back from.
+		event_id: OwnedEventId,
+	},
+
 	/// Parse and print a PDU from a JSON
 	///
 	/// The PDU event is only checked for validity and is not added to the
@@ -102,16 +102,12 @@ pub(super) async fn remote_user_in_rooms(&self, user_id: OwnedUserId) -> Result
 		);
 	}

-	if !self.services.users.exists(&user_id).await {
-		return Err!("Remote user does not exist in our database.",);
-	}
-
 	let mut rooms: Vec<(OwnedRoomId, u64, String)> = self
 		.services
 		.rooms
 		.state_cache
 		.rooms_joined(&user_id)
-		.then(|room_id| get_room_info(self.services, room_id))
+		.then(async |room_id| get_room_info(self.services, &room_id).await)
 		.collect()
 		.await;

@@ -129,6 +125,6 @@ pub(super) async fn remote_user_in_rooms(&self, user_id: OwnedUserId) -> Result
 		.collect::<Vec<_>>()
 		.join("\n");

-	self.write_str(&format!("Rooms {user_id} shares with us ({num}):\n```\n{body}\n```",))
+	self.write_str(&format!("Rooms {user_id} shares with us ({num}):\n```\n{body}\n```"))
 		.await
 }
@@ -6,7 +6,8 @@ use conduwuit::{
 	warn,
 };
 use conduwuit_service::media::Dim;
-use ruma::{Mxc, OwnedEventId, OwnedMxcUri, OwnedServerName};
+use ruma::{OwnedEventId, OwnedMxcUri, OwnedServerName};
+use service::media::mxc::Mxc;

 use crate::{admin_command, utils::parse_local_user_id};

@@ -261,7 +262,7 @@ pub(super) async fn delete_past_remote_media(
 		)
 		.await?;

-	self.write_str(&format!("Deleted {deleted_count} total files.",))
+	self.write_str(&format!("Deleted {deleted_count} total files."))
 		.await
 }

@@ -271,7 +272,7 @@ pub(super) async fn delete_all_from_user(&self, username: String) -> Result {

 	let deleted_count = self.services.media.delete_from_user(&user_id).await?;

-	self.write_str(&format!("Deleted {deleted_count} total files.",))
+	self.write_str(&format!("Deleted {deleted_count} total files."))
 		.await
 }

@@ -330,7 +331,7 @@ pub(super) async fn delete_all_from_server(
 		}
 	}

-	self.write_str(&format!("Deleted {deleted_count} total files.",))
+	self.write_str(&format!("Deleted {deleted_count} total files."))
 		.await
 }

@@ -16,8 +16,8 @@ use futures::{AsyncWriteExt, future::FutureExt, io::BufWriter};
 use ruma::{
 	EventId,
 	events::{
-		relation::InReplyTo,
-		room::message::{Relation::Reply, RoomMessageEventContent},
+		relation::{InReplyTo, Reply},
+		room::message::{Relation, RoomMessageEventContent},
 	},
 };
 use service::{
@@ -38,6 +38,7 @@ pub(super) fn dispatch(services: Arc<Services>, command: CommandInput) -> Proces
 }

 #[tracing::instrument(skip_all, name = "admin", level = "info")]
+#[allow(clippy::result_large_err)]
 async fn handle_command(services: Arc<Services>, command: CommandInput) -> ProcessorResult {
 	AssertUnwindSafe(Box::pin(process_command(services, &command)))
 		.catch_unwind()
@@ -277,9 +278,8 @@ fn reply(
 	mut content: RoomMessageEventContent,
 	reply_id: Option<&EventId>,
 ) -> RoomMessageEventContent {
-	content.relates_to = reply_id.map(|event_id| Reply {
-		in_reply_to: InReplyTo { event_id: event_id.to_owned() },
-	});
+	content.relates_to =
+		reply_id.map(|event_id| Relation::Reply(Reply::new(InReplyTo::new(event_id.to_owned()))));

 	content
 }
@@ -1,7 +1,8 @@
 use clap::Subcommand;
 use conduwuit::Result;
+use conduwuit_database::Deserialized as _;
 use futures::StreamExt;
-use ruma::{OwnedRoomId, OwnedUserId};
+use ruma::{OwnedRoomId, OwnedUserId, exports::serde::Serialize};

 use crate::{admin_command, admin_command_dispatch};

@@ -58,13 +59,22 @@ async fn account_data_get(
 	room_id: Option<OwnedRoomId>,
 ) -> Result {
 	let timer = tokio::time::Instant::now();
-	let results = self
+	let result = self
 		.services
 		.account_data
 		.get_raw(room_id.as_deref(), &user_id, &kind)
 		.await;
 	let query_time = timer.elapsed();

-	self.write_str(&format!("Query completed in {query_time:?}:\n\n```rs\n{results:#?}\n```"))
+	let json = serde_json::to_string_pretty(&match room_id {
+		| None => result
+			.deserialized::<ruma::serde::Raw<ruma::events::AnyGlobalAccountDataEvent>>()?
+			.serialize(serde_json::value::Serializer)?,
+		| Some(_) => result
+			.deserialized::<ruma::serde::Raw<ruma::events::AnyRoomAccountDataEvent>>()?
+			.serialize(serde_json::value::Serializer)?,
+	})?;
+
+	self.write_str(&format!("Query completed in {query_time:?}:\n\n```rs\n{json}\n```"))
 		.await
 }
@@ -50,7 +50,7 @@ async fn destinations_cache(&self, server_name: Option<OwnedServerName>) -> Resu

 	while let Some((name, CachedDest { dest, host, expire })) = destinations.next().await {
 		if let Some(server_name) = server_name.as_ref() {
-			if name != server_name {
+			if name != *server_name {
 				continue;
 			}
 		}
@@ -76,7 +76,7 @@ async fn overrides_cache(&self, server_name: Option<String>) -> Result {
 		overrides.next().await
 	{
 		if let Some(server_name) = server_name.as_ref() {
-			if name != server_name {
+			if name != *server_name {
 				continue;
 			}
 		}
@@ -41,7 +41,6 @@ pub(super) async fn process(subcommand: RoomAliasCommand, context: &Context<'_>)
 				.rooms
 				.alias
 				.local_aliases_for_room(&room_id)
-				.map(ToOwned::to_owned)
 				.collect()
 				.await;
 			let query_time = timer.elapsed();
@@ -54,7 +53,7 @@ pub(super) async fn process(subcommand: RoomAliasCommand, context: &Context<'_>)
 				.rooms
 				.alias
 				.all_local_aliases()
-				.map(|(room_id, alias)| (room_id.to_owned(), alias.to_owned()))
+				.map(|(room_id, alias)| (room_id, alias.to_owned()))
 				.collect::<Vec<_>>()
 				.await;
 			let query_time = timer.elapsed();
@@ -101,7 +101,6 @@ pub(super) async fn process(subcommand: RoomStateCacheCommand, context: &Context
 				.rooms
 				.state_cache
 				.room_servers(&room_id)
-				.map(ToOwned::to_owned)
 				.collect()
 				.await;
 			let query_time = timer.elapsed();
@@ -118,7 +117,6 @@ pub(super) async fn process(subcommand: RoomStateCacheCommand, context: &Context
 				.rooms
 				.state_cache
 				.server_rooms(&server)
-				.map(ToOwned::to_owned)
 				.collect()
 				.await;
 			let query_time = timer.elapsed();
@@ -135,7 +133,6 @@ pub(super) async fn process(subcommand: RoomStateCacheCommand, context: &Context
 				.rooms
 				.state_cache
 				.room_members(&room_id)
-				.map(ToOwned::to_owned)
 				.collect()
 				.await;
 			let query_time = timer.elapsed();
@@ -152,7 +149,6 @@ pub(super) async fn process(subcommand: RoomStateCacheCommand, context: &Context
 				.rooms
 				.state_cache
 				.local_users_in_room(&room_id)
-				.map(ToOwned::to_owned)
 				.collect()
 				.await;
 			let query_time = timer.elapsed();
@@ -169,7 +165,6 @@ pub(super) async fn process(subcommand: RoomStateCacheCommand, context: &Context
 				.rooms
 				.state_cache
 				.active_local_users_in_room(&room_id)
-				.map(ToOwned::to_owned)
 				.collect()
 				.await;
 			let query_time = timer.elapsed();
@@ -212,7 +207,6 @@ pub(super) async fn process(subcommand: RoomStateCacheCommand, context: &Context
 				.rooms
 				.state_cache
 				.room_useroncejoined(&room_id)
-				.map(ToOwned::to_owned)
 				.collect()
 				.await;
 			let query_time = timer.elapsed();
@@ -229,7 +223,6 @@ pub(super) async fn process(subcommand: RoomStateCacheCommand, context: &Context
 				.rooms
 				.state_cache
 				.room_members_invited(&room_id)
-				.map(ToOwned::to_owned)
 				.collect()
 				.await;
 			let query_time = timer.elapsed();
@@ -276,7 +269,6 @@ pub(super) async fn process(subcommand: RoomStateCacheCommand, context: &Context
 				.rooms
 				.state_cache
 				.rooms_joined(&user_id)
-				.map(ToOwned::to_owned)
 				.collect()
 				.await;
 			let query_time = timer.elapsed();
@@ -15,10 +15,6 @@ pub enum UsersCommand {

 	IterUsers2,

-	PasswordHash {
-		user_id: OwnedUserId,
-	},
-
 	ListDevices {
 		user_id: OwnedUserId,
 	},
@@ -104,7 +100,6 @@ async fn get_shared_rooms(&self, user_a: OwnedUserId, user_b: OwnedUserId) -> Re
 		.rooms
 		.state_cache
 		.get_shared_rooms(&user_a, &user_b)
-		.map(ToOwned::to_owned)
 		.collect()
 		.await;
 	let query_time = timer.elapsed();
@@ -217,8 +212,7 @@ async fn iter_users2(&self) -> Result {
 	let result: Vec<_> = self.services.users.stream().collect().await;
 	let result: Vec<_> = result
 		.into_iter()
-		.map(ruma::UserId::as_bytes)
-		.map(String::from_utf8_lossy)
+		.map(|user_id| String::from_utf8_lossy(user_id.as_bytes()).into_owned())
 		.collect();

 	let query_time = timer.elapsed();
@@ -237,16 +231,6 @@ async fn count_users(&self) -> Result {
 		.await
 }

-#[admin_command]
-async fn password_hash(&self, user_id: OwnedUserId) -> Result {
-	let timer = tokio::time::Instant::now();
-	let result = self.services.users.password_hash(&user_id).await;
-	let query_time = timer.elapsed();
-
-	self.write_str(&format!("Query completed in {query_time:?}:\n\n```rs\n{result:#?}\n```"))
-		.await
-}
-
 #[admin_command]
 async fn list_devices(&self, user_id: OwnedUserId) -> Result {
 	let timer = tokio::time::Instant::now();
@@ -254,7 +238,6 @@ async fn list_devices(&self, user_id: OwnedUserId) -> Result {
 		.services
 		.users
 		.all_device_ids(&user_id)
-		.map(ToOwned::to_owned)
 		.collect::<Vec<_>>()
 		.await;

@@ -3,7 +3,7 @@ use std::fmt::Write;
 use clap::Subcommand;
 use conduwuit::{Err, Result};
 use futures::StreamExt;
-use ruma::{OwnedRoomAliasId, OwnedRoomId};
+use ruma::{OwnedRoomAliasId, OwnedRoomId, RoomAliasId};

 use crate::Context;

@@ -52,7 +52,7 @@ pub(super) async fn process(command: RoomAliasCommand, context: &Context<'_>) ->
 		| RoomAliasCommand::Which { ref room_alias_localpart } => {
 			let room_alias_str =
 				format!("#{}:{}", room_alias_localpart, services.globals.server_name());
-			let room_alias = match OwnedRoomAliasId::parse(room_alias_str) {
+			let room_alias = match RoomAliasId::parse(room_alias_str) {
 				| Ok(alias) => alias,
 				| Err(err) => {
 					return Err!("Failed to parse alias: {err}");
@@ -139,7 +139,7 @@ pub(super) async fn process(command: RoomAliasCommand, context: &Context<'_>) ->
 					.rooms
 					.alias
 					.all_local_aliases()
-					.map(|(room_id, localpart)| (room_id.into(), localpart.into()))
+					.map(|(room_id, localpart)| (room_id, localpart.into()))
 					.collect::<Vec<(OwnedRoomId, String)>>()
 					.await;

@@ -22,14 +22,14 @@ pub(super) async fn list_rooms(
 		.metadata
 		.iter_ids()
 		.filter_map(|room_id| async move {
-			(!exclude_disabled || !self.services.rooms.metadata.is_disabled(room_id).await)
+			(!exclude_disabled || !self.services.rooms.metadata.is_disabled(&room_id).await)
 				.then_some(room_id)
 		})
 		.filter_map(|room_id| async move {
-			(!exclude_banned || !self.services.rooms.metadata.is_banned(room_id).await)
+			(!exclude_banned || !self.services.rooms.metadata.is_banned(&room_id).await)
 				.then_some(room_id)
 		})
-		.then(|room_id| get_room_info(self.services, room_id))
+		.then(async |room_id| get_room_info(self.services, &room_id).await)
 		.then(|(room_id, total_members, name)| async move {
 			let local_members: Vec<_> = self
 				.services
@@ -72,7 +72,7 @@ pub(super) async fn list_rooms(
 		.collect::<Vec<_>>()
 		.join("\n");

-	self.write_str(&format!("Rooms ({}):\n```\n{body}\n```", rooms.len(),))
+	self.write_str(&format!("Rooms ({}):\n```\n{body}\n```", rooms.len()))
 		.await
 }

@@ -43,7 +43,7 @@ pub(super) async fn process(command: RoomDirectoryCommand, context: &Context<'_>
 				.rooms
 				.directory
 				.public_rooms()
-				.then(|room_id| get_room_info(services, room_id))
+				.then(async |room_id| get_room_info(services, &room_id).await)
 				.collect()
 				.await;

@@ -67,7 +67,7 @@ pub(super) async fn process(command: RoomDirectoryCommand, context: &Context<'_>
 				.join("\n");

 			context
-				.write_str(&format!("Rooms (page {page}):\n```\n{body}\n```",))
+				.write_str(&format!("Rooms (page {page}):\n```\n{body}\n```"))
 				.await
 		},
 	}
@@ -46,7 +46,6 @@ async fn list_joined_members(&self, room_id: OwnedRoomId, local_only: bool) -> R
 				.then(|| self.services.globals.user_is_local(user_id))
 				.unwrap_or(true)
 		})
-		.map(ToOwned::to_owned)
 		.filter_map(|user_id| async move {
 			Some((
 				self.services
@@ -67,7 +66,7 @@ async fn list_joined_members(&self, room_id: OwnedRoomId, local_only: bool) -> R
 		.collect::<Vec<_>>()
 		.join("\n");

-	self.write_str(&format!("{num} Members in Room \"{room_name}\":\n```\n{body}\n```",))
+	self.write_str(&format!("{num} Members in Room \"{room_name}\":\n```\n{body}\n```"))
 		.await
 }

@@ -71,7 +71,7 @@ async fn ban_room(&self, room: OwnedRoomOrAliasId) -> Result {

 		debug!("Room specified is a room ID, banning room ID");

-		room_id.to_owned()
+		room_id.clone()
 	} else if room.is_room_alias_id() {
 		let room_alias = match RoomAliasId::parse(&room) {
 			| Ok(room_alias) => room_alias,
@@ -89,7 +89,7 @@ async fn ban_room(&self, room: OwnedRoomOrAliasId) -> Result {
 			 locally, if not using get_alias_helper to fetch room ID remotely"
 		);

-		match self.services.rooms.alias.resolve_alias(room_alias).await {
+		match self.services.rooms.alias.resolve_alias(&room_alias).await {
 			| Ok((room_id, servers)) => {
 				debug!(
 					%room_id,
@@ -116,7 +116,6 @@ async fn ban_room(&self, room: OwnedRoomOrAliasId) -> Result {
 		.rooms
 		.state_cache
 		.room_members(&room_id)
-		.map(ToOwned::to_owned)
 		.ready_filter(|user| self.services.globals.user_is_local(user))
 		.boxed();

@@ -140,7 +139,6 @@ async fn ban_room(&self, room: OwnedRoomOrAliasId) -> Result {
 		.rooms
 		.alias
 		.local_aliases_for_room(&room_id)
-		.map(ToOwned::to_owned)
 		.for_each(|local_alias| async move {
 			self.services
 				.rooms
@@ -205,7 +203,7 @@ async fn ban_list_of_rooms(&self) -> Result {
 						},
 					};

-					room_ids.push(room_id.to_owned());
+					room_ids.push(room_id.clone());
 				}

 				if room_alias_or_id.is_room_alias_id() {
@@ -215,7 +213,7 @@ async fn ban_list_of_rooms(&self) -> Result {
 								.services
 								.rooms
 								.alias
-								.resolve_local_alias(room_alias)
+								.resolve_local_alias(&room_alias)
 								.await
 							{
 								| Ok(room_id) => room_id,
@@ -229,7 +227,7 @@ async fn ban_list_of_rooms(&self) -> Result {
 										.services
 										.rooms
 										.alias
-										.resolve_alias(room_alias)
+										.resolve_alias(&room_alias)
 										.await
 									{
 										| Ok((room_id, servers)) => {
@@ -284,7 +282,6 @@ async fn ban_list_of_rooms(&self) -> Result {
 			.rooms
 			.state_cache
 			.room_members(&room_id)
-			.map(ToOwned::to_owned)
 			.ready_filter(|user| self.services.globals.user_is_local(user))
 			.boxed();

@@ -309,7 +306,6 @@ async fn ban_list_of_rooms(&self) -> Result {
 			.rooms
 			.alias
 			.local_aliases_for_room(&room_id)
-			.map(ToOwned::to_owned)
 			.for_each(|local_alias| async move {
 				self.services
 					.rooms
@@ -348,9 +344,9 @@ async fn unban_room(&self, room: OwnedRoomOrAliasId) -> Result {
 		};

 		debug!("Room specified is a room ID, unbanning room ID");
-		self.services.rooms.metadata.ban_room(room_id, false);
+		self.services.rooms.metadata.ban_room(&room_id, false);

-		room_id.to_owned()
+		room_id.clone()
 	} else if room.is_room_alias_id() {
 		let room_alias = match RoomAliasId::parse(&room) {
 			| Ok(room_alias) => room_alias,
@@ -372,7 +368,7 @@ async fn unban_room(&self, room: OwnedRoomOrAliasId) -> Result {
 			.services
 			.rooms
 			.alias
-			.resolve_local_alias(room_alias)
+			.resolve_local_alias(&room_alias)
 			.await
 		{
 			| Ok(room_id) => room_id,
@@ -382,7 +378,7 @@ async fn unban_room(&self, room: OwnedRoomOrAliasId) -> Result {
 					 room ID over federation"
 				);

-				match self.services.rooms.alias.resolve_alias(room_alias).await {
+				match self.services.rooms.alias.resolve_alias(&room_alias).await {
 					| Ok((room_id, servers)) => {
 						debug!(
 							%room_id,
@@ -453,6 +449,6 @@ async fn list_banned_rooms(&self, no_details: bool) -> Result {
 		.collect::<Vec<_>>()
 		.join("\n");

-	self.write_str(&format!("Rooms Banned ({num}):\n```\n{body}\n```",))
+	self.write_str(&format!("Rooms Banned ({num}):\n```\n{body}\n```"))
 		.await
 }
@@ -159,8 +159,8 @@ pub(super) async fn list_features(&self) -> Result {
 	let mut enabled_features = conduwuit::info::introspection::ENABLED_FEATURES
 		.lock()
 		.expect("locked")
-		.iter()
-		.flat_map(|(_, f)| f.iter())
+		.values()
+		.flat_map(|f| f.iter())
 		.collect::<Vec<_>>();

 	enabled_features.sort_unstable();
@@ -4,28 +4,26 @@ use std::{
 };

 use api::client::{
-	full_user_deactivate, join_room_by_id_helper, leave_room, recreate_push_rules_and_return,
-	remote_leave_room,
+	full_user_deactivate, leave_room, recreate_push_rules_and_return, remote_leave_room,
 };
 use conduwuit::{
 	Err, Result, debug_warn, error, info,
-	matrix::{Event, pdu::PduBuilder},
+	matrix::{Event, pdu::PartialPdu},
 	utils::{self, ReadyExt},
 	warn,
 };
 use futures::{FutureExt, StreamExt};
 use lettre::Address;
 use ruma::{
-	OwnedEventId, OwnedRoomId, OwnedRoomOrAliasId, OwnedServerName, OwnedUserId, UserId,
+	OwnedEventId, OwnedRoomId, OwnedRoomOrAliasId, OwnedServerName, OwnedUserId, ServerName,
+	UserId, assign,
 	events::{
-		RoomAccountDataEventType, StateEventType,
-		room::{
-			power_levels::{RoomPowerLevels, RoomPowerLevelsEventContent},
-			redaction::RoomRedactionEventContent,
-		},
+		RoomAccountDataEventType,
+		room::{power_levels::RoomPowerLevelsEventContent, redaction::RoomRedactionEventContent},
 		tag::{TagEvent, TagEventContent, TagInfo},
 	},
 };
+use service::users::HashedPassword;

 use crate::{
 	admin_command, get_room_info,
@@ -41,7 +39,7 @@ pub(super) async fn list_users(&self) -> Result {
 		.services
 		.users
 		.list_local_users()
-		.map(ToString::to_string)
+		.map(|id| id.as_str().to_owned())
 		.collect()
 		.await;

@@ -72,7 +70,7 @@ pub(super) async fn create_user(&self, username: String, password: Option<String
 	// Create user
 	self.services
 		.users
-		.create(&user_id, Some(password.as_str()), None)
+		.create(&user_id, Some(HashedPassword::new(&password)?))
 		.await?;

 	// Default to pretty displayname
@@ -103,11 +101,12 @@ pub(super) async fn create_user(&self, username: String, password: Option<String
 			ruma::events::GlobalAccountDataEventType::PushRules
 				.to_string()
 				.into(),
-			&serde_json::to_value(ruma::events::push_rules::PushRulesEvent {
-				content: ruma::events::push_rules::PushRulesEventContent {
-					global: ruma::push::Ruleset::server_default(&user_id),
-				},
-			})?,
+			&serde_json::to_value(ruma::events::push_rules::PushRulesEvent::new(
+				ruma::events::push_rules::PushRulesEventContent::new(
+					ruma::push::Ruleset::server_default(&user_id),
+				),
+			))
+			.unwrap(),
 		)
 		.await?;

@@ -135,18 +134,20 @@ pub(super) async fn create_user(&self, username: String, password: Option<String
 			}

 			if let Some(room_server_name) = room.server_name() {
-				match join_room_by_id_helper(
-					self.services,
-					&user_id,
-					&room_id,
-					Some("Automatically joining this room upon registration".to_owned()),
-					&[
-						self.services.globals.server_name().to_owned(),
-						room_server_name.to_owned(),
-					],
-					&None,
-				)
-				.await
+				match self
+					.services
+					.rooms
+					.membership
+					.join_room(
+						&user_id,
+						&room_id,
+						Some("Automatically joining this room upon registration".to_owned()),
+						&[
+							self.services.globals.server_name().to_owned(),
+							room_server_name.to_owned(),
+						],
+					)
+					.await
 				{
 					| Ok(_response) => {
 						info!("Automatically joined room {room} for user {user_id}");
@@ -275,24 +276,25 @@ pub(super) async fn reset_password(

 	let new_password = password.unwrap_or_else(|| utils::random_string(AUTO_GEN_PASSWORD_LENGTH));

-	match self
-		.services
+	self.services
 		.users
-		.set_password(&user_id, Some(new_password.as_str()))
-		.await
-	{
-		| Err(e) => return Err!("Couldn't reset the password for user {user_id}: {e}"),
-		| Ok(()) => {
-			write!(self, "Successfully reset the password for user {user_id}: `{new_password}`")
-		},
-	}
+		.set_password(&user_id, Some(HashedPassword::new(&new_password)?));
+
+	self.write_str(&format!(
+		"Successfully reset the password for user {user_id}: `{new_password}`"
+	))
 	.await?;

 	if logout {
 		self.services
 			.users
 			.all_device_ids(&user_id)
-			.for_each(|device_id| self.services.users.remove_device(&user_id, device_id))
+			.for_each(async |device_id| {
+				self.services
+					.users
+					.remove_device(&user_id, &device_id)
+					.await;
+			})
 			.await;
 		write!(self, "\nAll existing sessions have been logged out.").await?;
 	}
@@ -427,6 +429,82 @@ pub(super) async fn deactivate_all(&self, no_leave_rooms: bool, force: bool) ->
 	.await
 }

+#[admin_command]
+pub(super) async fn list_invited_rooms(&self, user_id: String) -> Result {
+	// Validate user id
+	let user_id = parse_local_user_id(self.services, &user_id)?;
+
+	let mut rooms: Vec<((OwnedRoomId, u64, String), Result<OwnedUserId>)> = self
+		.services
+		.rooms
+		.state_cache
+		.rooms_invited(&user_id)
+		.then(async |(room_id, _)| {
+			let sender = self
+				.services
+				.rooms
+				.state_cache
+				.invite_sender(&user_id, &room_id)
+				.await;
+			(get_room_info(self.services, &room_id).await, sender)
+		})
+		.collect()
+		.await;
+
+	if rooms.is_empty() {
+		return Err!("User is not invited to any rooms.");
+	}
+
+	rooms.sort_by_key(|r| r.0.1);
+	rooms.reverse();
+
+	let body = rooms
+		.iter()
+		.map(|((id, members, name), sender)| match sender {
+			| Ok(user_id) =>
+				format!("{id}\tInviter: {user_id}\tMembers: {members}\tName: {name}"),
+			| Err(_) => format!("{id}\tMembers: {members}\tName: {name}"),
+		})
+		.collect::<Vec<_>>()
+		.join("\n");
+
+	self.write_str(&format!("Rooms {user_id} is Invited to ({}):\n```\n{body}\n```", rooms.len()))
+		.await
+}
+
+#[admin_command]
+pub(super) async fn reject_all_invites(&self, user_id: String) -> Result {
+	let user_id = parse_local_user_id(self.services, &user_id)?;
+
+	assert!(
+		self.services.globals.user_is_local(&user_id),
+		"Parsed user_id must be a local user"
+	);
+
+	let fails = self
+		.services
+		.rooms
+		.state_cache
+		.rooms_invited(&user_id)
+		.filter_map(async |(room_id, _)| {
+			match leave_room(self.services, &user_id, &room_id, None).await {
+				| Err(ref e) => {
+					warn!(%user_id, "Failed to leave {room_id}: {e}");
+					Some(())
+				},
+				| Ok(()) => None,
+			}
+		})
+		.count()
+		.await;
+
+	if fails > 0 {
+		return Err!("{fails} invites could not be rejected");
+	}
+
+	self.write_str("Successfully rejected all invites.").await
+}
+
 #[admin_command]
 pub(super) async fn list_joined_rooms(&self, user_id: String) -> Result {
 	// Validate user id
@@ -437,7 +515,7 @@ pub(super) async fn list_joined_rooms(&self, user_id: String) -> Result {
 		.rooms
 		.state_cache
 		.rooms_joined(&user_id)
-		.then(|room_id| get_room_info(self.services, room_id))
+		.then(async |room_id| get_room_info(self.services, &room_id).await)
 		.collect()
 		.await;

@@ -454,7 +532,7 @@ pub(super) async fn list_joined_rooms(&self, user_id: String) -> Result {
 		.collect::<Vec<_>>()
 		.join("\n");

-	self.write_str(&format!("Rooms {user_id} Joined ({}):\n```\n{body}\n```", rooms.len(),))
+	self.write_str(&format!("Rooms {user_id} Joined ({}):\n```\n{body}\n```", rooms.len()))
 		.await
 }

@@ -506,7 +584,7 @@ pub(super) async fn force_join_list_of_local_users(
 		.rooms
 		.state_cache
 		.room_members(&room_id)
-		.ready_any(|user_id| server_admins.contains(&user_id.to_owned()))
+		.ready_any(|user_id| server_admins.contains(&user_id))
 		.await
 	{
 		return Err!("There is not a single server admin in the room.",);
@@ -552,15 +630,12 @@ pub(super) async fn force_join_list_of_local_users(
 	let mut successful_joins: usize = 0;

 	for user_id in user_ids {
-		match join_room_by_id_helper(
-			self.services,
-			&user_id,
-			&room_id,
-			Some(String::from(BULK_JOIN_REASON)),
-			&servers,
-			&None,
-		)
-		.await
+		match self
+			.services
+			.rooms
+			.membership
+			.join_room(&user_id, &room_id, Some(String::from(BULK_JOIN_REASON)), &servers)
+			.await
 		{
 			| Ok(_res) => {
 				successful_joins = successful_joins.saturating_add(1);
@@ -620,7 +695,7 @@ pub(super) async fn force_join_all_local_users(
 		.rooms
 		.state_cache
 		.room_members(&room_id)
-		.ready_any(|user_id| server_admins.contains(&user_id.to_owned()))
+		.ready_any(|user_id| server_admins.contains(&user_id))
 		.await
 	{
 		return Err!("There is not a single server admin in the room.",);
@@ -633,19 +708,15 @@ pub(super) async fn force_join_all_local_users(
 		.services
 		.users
 		.list_local_users()
-		.map(UserId::to_owned)
 		.collect::<Vec<_>>()
 		.await
 	{
-		match join_room_by_id_helper(
-			self.services,
-			user_id,
-			&room_id,
-			Some(String::from(BULK_JOIN_REASON)),
-			&servers,
-			&None,
-		)
-		.await
+		match self
+			.services
+			.rooms
+			.membership
+			.join_room(user_id, &room_id, Some(String::from(BULK_JOIN_REASON)), &servers)
+			.await
 		{
 			| Ok(_res) => {
 				successful_joins = successful_joins.saturating_add(1);
@@ -669,22 +740,31 @@ pub(super) async fn force_join_room(
 	&self,
 	user_id: String,
 	room_id: OwnedRoomOrAliasId,
+	via: Option<String>,
 ) -> Result {
 	let user_id = parse_local_user_id(self.services, &user_id)?;
-	let (room_id, servers) = self
+	let (room_id, mut servers) = self
 		.services
 		.rooms
 		.alias
 		.resolve_with_servers(&room_id, None)
 		.await?;
+	if let Some(via) = via.map(ServerName::parse).transpose()? {
+		servers.retain(|n| *n != via);
+		servers.insert(0, via);
+	}

 	assert!(
 		self.services.globals.user_is_local(&user_id),
 		"Parsed user_id must be a local user"
 	);
-	join_room_by_id_helper(self.services, &user_id, &room_id, None, &servers, &None).await?;
+	self.services
+		.rooms
+		.membership
+		.join_room(&user_id, &room_id, None, &servers)
+		.await?;

-	self.write_str(&format!("{user_id} has been joined to {room_id}.",))
+	self.write_str(&format!("{user_id} has been joined to {room_id}."))
 		.await
 }

@@ -716,7 +796,7 @@ pub(super) async fn force_leave_room(
 		.boxed()
 		.await?;

-	self.write_str(&format!("{user_id} has left {room_id}.",))
+	self.write_str(&format!("{user_id} has left {room_id}."))
 		.await
 }

@@ -730,42 +810,34 @@ pub(super) async fn force_demote(&self, user_id: String, room_id: OwnedRoomOrAli
 		"Parsed user_id must be a local user"
 	);

-	let state_lock = self.services.rooms.state.mutex.lock(&room_id).await;
+	let state_lock = self.services.rooms.state.mutex.lock(room_id.as_str()).await;

-	let room_power_levels: Option<RoomPowerLevelsEventContent> = self
+	let mut room_power_levels = self
 		.services
 		.rooms
 		.state_accessor
-		.room_state_get_content(&room_id, &StateEventType::RoomPowerLevels, "")
-		.await
-		.ok();
+		.get_room_power_levels(&room_id)
+		.await;

-	let user_can_demote_self = room_power_levels
-		.as_ref()
-		.is_some_and(|power_levels_content| {
-			RoomPowerLevels::from(power_levels_content.clone())
-				.user_can_change_user_power_level(&user_id, &user_id)
-		}) || self
-		.services
-		.rooms
-		.state_accessor
-		.room_state_get(&room_id, &StateEventType::RoomCreate, "")
-		.await
-		.is_ok_and(|event| event.sender() == user_id);
+	let user_can_demote_self =
+		room_power_levels.user_can_change_user_power_level(&user_id, &user_id);

 	if !user_can_demote_self {
 		return Err!("User is not allowed to modify their own power levels in the room.",);
 	}

-	let mut power_levels_content = room_power_levels.unwrap_or_default();
-	power_levels_content.users.remove(&user_id);
+	room_power_levels.users.remove(&user_id);

 	let event_id = self
 		.services
 		.rooms
 		.timeline
 		.build_and_append_pdu(
-			PduBuilder::state(String::new(), &power_levels_content),
+			PartialPdu::state(
+				String::new(),
+				&RoomPowerLevelsEventContent::try_from(room_power_levels)
+					.expect("PLs should be valid for room version"),
+			),
 			&user_id,
 			Some(&room_id),
 			&state_lock,
@@ -793,7 +865,7 @@ pub(super) async fn make_user_admin(&self, user_id: String) -> Result {
 		.boxed()
 		.await?;

-	self.write_str(&format!("{user_id} has been granted admin privileges.",))
+	self.write_str(&format!("{user_id} has been granted admin privileges."))
 		.await
 }

@@ -811,9 +883,7 @@ pub(super) async fn put_room_tag(
 		.account_data
 		.get_room(&room_id, &user_id, RoomAccountDataEventType::Tag)
 		.await
-		.unwrap_or(TagEvent {
-			content: TagEventContent { tags: BTreeMap::new() },
-		});
+		.unwrap_or_else(|_| TagEvent::new(TagEventContent::new(BTreeMap::new())));

 	tags_event
 		.content
@@ -850,9 +920,7 @@ pub(super) async fn delete_room_tag(
 		.account_data
 		.get_room(&room_id, &user_id, RoomAccountDataEventType::Tag)
 		.await
-		.unwrap_or(TagEvent {
-			content: TagEventContent { tags: BTreeMap::new() },
-		});
+		.unwrap_or_else(|_| TagEvent::new(TagEventContent::new(BTreeMap::new())));

 	tags_event.content.tags.remove(&tag.clone().into());

@@ -882,9 +950,7 @@ pub(super) async fn get_room_tags(&self, user_id: String, room_id: OwnedRoomId)
 		.account_data
 		.get_room(&room_id, &user_id, RoomAccountDataEventType::Tag)
 		.await
-		.unwrap_or(TagEvent {
-			content: TagEventContent { tags: BTreeMap::new() },
-		});
+		.unwrap_or_else(|_| TagEvent::new(TagEventContent::new(BTreeMap::new())));

 	self.write_str(&format!("```\n{:#?}\n```", tags_event.content.tags))
 		.await
@@ -921,19 +987,19 @@ pub(super) async fn redact_event(&self, event_id: OwnedEventId) -> Result {
 			.rooms
 			.state
 			.mutex
-			.lock(&event.room_id_or_hash())
+			.lock(event.room_id_or_hash().as_str())
 			.await;

 		self.services
 			.rooms
 			.timeline
 			.build_and_append_pdu(
-				PduBuilder {
+				PartialPdu {
 					redacts: Some(event.event_id().to_owned()),
-					..PduBuilder::timeline(&RoomRedactionEventContent {
+					..PartialPdu::timeline(&assign!(RoomRedactionEventContent::new_v1(), {
 						redacts: Some(event.event_id().to_owned()),
 						reason: Some(reason),
-					})
+					}))
 				},
 				event.sender(),
 				Some(&event.room_id_or_hash()),
@@ -963,7 +1029,7 @@ pub(super) async fn force_leave_remote_room(
 		.resolve_with_servers(
 			&room_id,
 			if let Some(v) = via.clone() {
-				Some(vec![OwnedServerName::parse(v)?])
+				Some(vec![ServerName::parse(v)?])
 			} else {
 				None
 			},
@@ -976,7 +1042,7 @@ pub(super) async fn force_leave_remote_room(
 	);
 	let mut vias: HashSet<OwnedServerName> = HashSet::new();
 	if let Some(via) = via {
-		vias.insert(OwnedServerName::parse(via)?);
+		vias.insert(ServerName::parse(via)?);
 	}
 	for server in vias_raw {
 		vias.insert(server);
@@ -1051,7 +1117,12 @@ pub(super) async fn logout(&self, user_id: String) -> Result {
 	self.services
 		.users
 		.all_device_ids(&user_id)
-		.for_each(|device_id| self.services.users.remove_device(&user_id, device_id))
+		.for_each(async |device_id| {
+			self.services
+				.users
+				.remove_device(&user_id, &device_id)
+				.await;
+		})
 		.await;
 	self.write_str(&format!("User {user_id} has been logged out from all devices."))
 		.await
@@ -1129,11 +1200,9 @@ pub(super) async fn get_user_by_email(&self, email: String) -> Result {

 	match self.services.threepid.get_localpart_for_email(&email).await {
 		| Some(localpart) => {
-			let user_id = OwnedUserId::parse(format!(
-				"@{localpart}:{}",
-				self.services.globals.server_name()
-			))
-			.unwrap();
+			let user_id =
+				UserId::parse(format!("@{localpart}:{}", self.services.globals.server_name()))
+					.unwrap();

 			self.write_str(&format!("{email} belongs to {user_id}."))
 				.await
@@ -160,6 +160,17 @@ pub enum UserCommand {
 	#[clap(alias = "list")]
 	ListUsers,

+	/// Lists all the rooms (local and remote) that the specified user is
+	///   invited to
+	ListInvitedRooms {
+		user_id: String,
+	},
+
+	/// Manually make a user reject all current invites
+	RejectAllInvites {
+		user_id: String,
+	},
+
 	/// Lists all the rooms (local and remote) that the specified user is
 	///   joined in
 	ListJoinedRooms {
@@ -168,8 +179,15 @@ pub enum UserCommand {

 	/// Manually join a local user to a room.
 	ForceJoinRoom {
+		/// The user to join
 		user_id: String,
+		/// The room to join
 		room_id: OwnedRoomOrAliasId,
+		/// The server name to join via.
+		///
+		/// This server will always be tried first, however if more are
+		/// available, they may be tried after.
+		via: Option<String>,
 	},

 	/// Manually leave a local user from a room.
@@ -48,7 +48,7 @@ pub(crate) fn parse_local_user_id(services: &Services, user_id: &str) -> Result<
 	Ok(user_id)
 }

-/// Parses user ID that is an active (not guest or deactivated) local user
+/// Parses user ID that is an active (not deactivated) local user
 pub(crate) async fn parse_active_local_user_id(
 	services: &Services,
 	user_id: &str,
@@ -48,9 +48,6 @@ jemalloc_stats = [
 	"conduwuit-core/jemalloc_stats",
 	"conduwuit-service/jemalloc_stats",
 ]
-ldap = [
-    "conduwuit-service/ldap"
-]
 release_max_log_level = [
 	"conduwuit-core/release_max_log_level",
 	"conduwuit-service/release_max_log_level",
@@ -77,6 +74,7 @@ conduwuit-macros.workspace = true
 conduwuit-service.workspace = true
 const-str.workspace = true
 ctor.workspace = true
+dtor.workspace = true
 futures.workspace = true
 hmac.workspace = true
 http.workspace = true
@@ -88,7 +86,9 @@ lettre.workspace = true
 log.workspace = true
 rand.workspace = true
 reqwest.workspace = true
+assign.workspace = true
 ruma.workspace = true
+ruminuwuity.workspace = true
 serde_html_form.workspace = true
 serde_json.workspace = true
 serde.workspace = true
@@ -1,10 +1,8 @@
 use axum::extract::State;
 use conduwuit::{Err, Result, info, utils::ReadyExt, warn};
 use futures::{FutureExt, StreamExt};
-use ruma::{
-	OwnedRoomAliasId, continuwuity_admin_api::rooms,
-	events::room::message::RoomMessageEventContent,
-};
+use ruma::{OwnedRoomAliasId, events::room::message::RoomMessageEventContent};
+use ruminuwuity::admin::continuwuity::rooms;

 use crate::{Ruma, client::leave_room};

@@ -15,7 +13,7 @@ pub(crate) async fn ban_room(
 	State(services): State<crate::State>,
 	body: Ruma<rooms::ban::v1::Request>,
 ) -> Result<rooms::ban::v1::Response> {
-	let sender_user = body.sender_user();
+	let sender_user = body.identity.sender_user();
 	if !services.users.is_admin(sender_user).await {
 		return Err!(Request(Forbidden("Only server administrators can use this endpoint")));
 	}
@@ -36,7 +34,6 @@ pub(crate) async fn ban_room(
 			.rooms
 			.state_cache
 			.room_members(&body.room_id)
-			.map(ToOwned::to_owned)
 			.ready_filter(|user| services.globals.user_is_local(user))
 			.boxed();
 		let mut evicted = Vec::new();
@@ -63,9 +60,9 @@ pub(crate) async fn ban_room(
 			.rooms
 			.alias
 			.local_aliases_for_room(&body.room_id)
-			.map(ToOwned::to_owned)
-			.collect::<Vec<_>>()
+			.collect()
 			.await;
+
 		for alias in &aliases {
 			info!("Removing alias {} for banned room {}", alias, body.room_id);
 			services
@@ -1,7 +1,8 @@
 use axum::extract::State;
 use conduwuit::{Err, Result};
 use futures::StreamExt;
-use ruma::{OwnedRoomId, continuwuity_admin_api::rooms};
+use ruma::OwnedRoomId;
+use ruminuwuity::admin::continuwuity::rooms;

 use crate::Ruma;

@@ -12,7 +13,7 @@ pub(crate) async fn list_rooms(
 	State(services): State<crate::State>,
 	body: Ruma<rooms::list::v1::Request>,
 ) -> Result<rooms::list::v1::Response> {
-	let sender_user = body.sender_user();
+	let sender_user = body.identity.sender_user();
 	if !services.users.is_admin(sender_user).await {
 		return Err!(Request(Forbidden("Only server administrators can use this endpoint")));
 	}
@@ -22,8 +23,8 @@ pub(crate) async fn list_rooms(
 		.metadata
 		.iter_ids()
 		.filter_map(|room_id| async move {
-			if !services.rooms.metadata.is_banned(room_id).await {
-				Some(room_id.to_owned())
+			if !services.rooms.metadata.is_banned(&room_id).await {
+				Some(room_id.clone())
 			} else {
 				None
 			}
@@ -1,15 +1,15 @@
 use axum::extract::State;
 use axum_client_ip::ClientIp;
 use conduwuit::{
-	Err, Event, Result, err, info,
-	pdu::PduBuilder,
+	Err, Result, err, info,
+	pdu::PartialPdu,
 	utils::{ReadyExt, stream::BroadbandExt},
 };
 use conduwuit_service::Services;
 use futures::{FutureExt, StreamExt};
 use lettre::{Address, message::Mailbox};
 use ruma::{
-	OwnedRoomId, OwnedUserId, UserId,
+	OwnedRoomId, UserId,
 	api::client::{
 		account::{
 			ThirdPartyIdRemovalStatus, change_password, check_registration_token_validity,
@@ -18,18 +18,16 @@ use ruma::{
 		},
 		uiaa::{AuthFlow, AuthType},
 	},
-	events::{
-		StateEventType,
-		room::{
-			member::{MembershipState, RoomMemberEventContent},
-			power_levels::{RoomPowerLevels, RoomPowerLevelsEventContent},
-		},
+	assign,
+	events::room::{
+		member::{MembershipState, RoomMemberEventContent},
+		power_levels::RoomPowerLevelsEventContent,
 	},
 };
-use service::{mailer::messages, uiaa::Identity};
+use service::{mailer::messages, uiaa::Identity, users::HashedPassword};

-use super::{DEVICE_ID_LENGTH, TOKEN_LENGTH, join_room_by_id_helper};
-use crate::Ruma;
+use super::{DEVICE_ID_LENGTH, TOKEN_LENGTH};
+use crate::{Ruma, router::ClientIdentity};

 pub(crate) mod register;
 pub(crate) mod threepid;
@@ -77,17 +75,15 @@ pub(crate) async fn get_register_available_route(
 		return Err!(Request(UserInUse("User ID is not available.")));
 	}

-	if let Some(ref info) = body.appservice_info {
-		if !info.is_user_match(&user_id) {
-			return Err!(Request(Exclusive("Username is not in an appservice namespace.")));
-		}
-	}
-
-	if services.appservice.is_exclusive_user_id(&user_id).await {
+	if let Some(ClientIdentity::Appservice { appservice_info, .. }) = &body.identity
+		&& !appservice_info.is_user_match(&user_id)
+	{
+		return Err!(Request(Exclusive("Username is not in an appservice namespace.")));
+	} else if services.appservice.is_exclusive_user_id(&user_id).await {
 		return Err!(Request(Exclusive("Username is reserved by an appservice.")));
 	}

-	Ok(get_username_availability::v3::Response { available: true })
+	Ok(get_username_availability::v3::Response::new(true))
 }

 /// # `POST /_matrix/client/r0/account/password`
@@ -113,7 +109,8 @@ pub(crate) async fn change_password_route(
 	ClientIp(client): ClientIp,
 	body: Ruma<change_password::v3::Request>,
 ) -> Result<change_password::v3::Response> {
-	let identity = if let Some(ref user_id) = body.sender_user {
+	let identity = if let Some(user_id) = body.identity.as_ref().map(ClientIdentity::sender_user)
+	{
 		// A signed-in user is trying to change their password, prompt them for their
 		// existing one

@@ -143,7 +140,7 @@ pub(crate) async fn change_password_route(
 			.await?
 	};

-	let sender_user = OwnedUserId::parse(format!(
+	let sender_user = UserId::parse(format!(
 		"@{}:{}",
 		identity.localpart.expect("localpart should be known"),
 		services.globals.server_name()
@@ -152,16 +149,20 @@ pub(crate) async fn change_password_route(

 	services
 		.users
-		.set_password(&sender_user, Some(&body.new_password))
-		.await?;
+		.set_password(&sender_user, Some(HashedPassword::new(&body.new_password)?));

 	if body.logout_devices {
 		// Logout all devices except the current one
 		services
 			.users
 			.all_device_ids(&sender_user)
-			.ready_filter(|id| *id != body.sender_device())
-			.for_each(|id| services.users.remove_device(&sender_user, id))
+			.ready_filter(|id| {
+				body.identity
+					.as_ref()
+					.and_then(|identity| identity.sender_device())
+					.is_none_or(|sender_device| sender_device != *id)
+			})
+			.for_each(async |id| services.users.remove_device(&sender_user, &id).await)
 			.await;

 		// Remove all pushers except the ones associated with this session
@@ -175,8 +176,13 @@ pub(crate) async fn change_password_route(
 					.get_pusher_device(&pushkey)
 					.await
 					.ok()
-					.filter(|pusher_device| pusher_device != body.sender_device())
-					.is_some()
+					.as_ref()
+					.is_some_and(|pusher_device| {
+						body.identity
+							.as_ref()
+							.and_then(|identity| identity.sender_device())
+							.is_none_or(|sender_device| sender_device != *pusher_device)
+					})
 					.then_some(pushkey)
 			})
 			.for_each(async |pushkey| {
@@ -190,11 +196,11 @@ pub(crate) async fn change_password_route(
 	if services.server.config.admin_room_notices {
 		services
 			.admin
-			.notice(&format!("User {} changed their password.", &sender_user))
+			.notice(&format!("User {sender_user} changed their password."))
 			.await;
 	}

-	Ok(change_password::v3::Response {})
+	Ok(change_password::v3::Response::new())
 }

 /// # `POST /_matrix/client/v3/account/password/email/requestToken`
@@ -215,7 +221,7 @@ pub(crate) async fn request_password_change_token_via_email_route(
 	};

 	let user_id =
-		OwnedUserId::parse(format!("@{localpart}:{}", services.globals.server_name())).unwrap();
+		UserId::parse(format!("@{localpart}:{}", services.globals.server_name())).unwrap();
 	let display_name = services.users.displayname(&user_id).await.ok();

 	let session = services
@@ -241,21 +247,14 @@ pub(crate) async fn request_password_change_token_via_email_route(
 ///
 /// Note: Also works for Application Services
 pub(crate) async fn whoami_route(
-	State(services): State<crate::State>,
+	State(_): State<crate::State>,
 	body: Ruma<whoami::v3::Request>,
 ) -> Result<whoami::v3::Response> {
-	let is_guest = services
-		.users
-		.is_deactivated(body.sender_user())
-		.await
-		.map_err(|_| {
-			err!(Request(Forbidden("Application service has not registered this user.")))
-		})? && body.appservice_info.is_none();
-	Ok(whoami::v3::Response {
-		user_id: body.sender_user().to_owned(),
-		device_id: body.sender_device.clone(),
-		is_guest,
-	})
+	Ok(
+		assign!(whoami::v3::Response::new(body.identity.sender_user().to_owned(), false), {
+			device_id: body.identity.sender_device().map(ToOwned::to_owned),
+		}),
+	)
 }

 /// # `POST /_matrix/client/r0/account/deactivate`
@@ -278,8 +277,9 @@ pub(crate) async fn deactivate_route(
 	// Authentication for this endpoint is technically optional,
 	// but we require the user to be logged in
 	let sender_user = body
-		.sender_user
+		.identity
 		.as_ref()
+		.map(ClientIdentity::sender_user)
 		.ok_or_else(|| err!(Request(MissingToken("Missing access token."))))?;

 	// Prompt the user to confirm with their password using UIAA
@@ -310,9 +310,7 @@ pub(crate) async fn deactivate_route(
 			.await;
 	}

-	Ok(deactivate::v3::Response {
-		id_server_unbind_result: ThirdPartyIdRemovalStatus::Success,
-	})
+	Ok(deactivate::v3::Response::new(ThirdPartyIdRemovalStatus::Success))
 }

 /// # `GET /_matrix/client/v1/register/m.login.registration_token/validity`
@@ -330,14 +328,12 @@ pub(crate) async fn check_registration_token_validity(
 		.await
 		.is_some();

-	Ok(check_registration_token_validity::v1::Response { valid })
+	Ok(check_registration_token_validity::v1::Response::new(valid))
 }

 /// Runs through all the deactivation steps:
 ///
 /// - Mark as deactivated
-/// - Removing display name
-/// - Removing avatar URL and blurhash
 /// - Removing all profile data
 /// - Leaving all rooms (and forgets all of them)
 pub async fn full_user_deactivate(
@@ -354,13 +350,7 @@ pub async fn full_user_deactivate(
 			.await;
 	}

-	services
-		.users
-		.all_profile_keys(user_id)
-		.ready_for_each(|(profile_key, _)| {
-			services.users.set_profile_key(user_id, &profile_key, None);
-		})
-		.await;
+	services.users.clear_profile(user_id).await;

 	services
 		.pusher
@@ -372,62 +362,49 @@ pub async fn full_user_deactivate(

 	// TODO: Rescind all user invites

-	let mut pdu_queue: Vec<(PduBuilder, &OwnedRoomId)> = Vec::new();
+	let mut pdu_queue: Vec<(PartialPdu, &OwnedRoomId)> = Vec::new();

 	for room_id in all_joined_rooms {
 		let room_power_levels = services
 			.rooms
 			.state_accessor
-			.room_state_get_content::<RoomPowerLevelsEventContent>(
-				room_id,
-				&StateEventType::RoomPowerLevels,
-				"",
-			)
-			.await
-			.ok();
+			.get_room_power_levels(room_id)
+			.await;

 		let user_can_demote_self =
-			room_power_levels
-				.as_ref()
-				.is_some_and(|power_levels_content| {
-					RoomPowerLevels::from(power_levels_content.clone())
-						.user_can_change_user_power_level(user_id, user_id)
-				}) || services
-				.rooms
-				.state_accessor
-				.room_state_get(room_id, &StateEventType::RoomCreate, "")
-				.await
-				.is_ok_and(|event| event.sender() == user_id);
+			room_power_levels.user_can_change_user_power_level(user_id, user_id);

-		if user_can_demote_self {
-			let mut power_levels_content = room_power_levels.unwrap_or_default();
+		if user_can_demote_self
+			&& let Ok(mut power_levels_content) =
+				RoomPowerLevelsEventContent::try_from(room_power_levels)
+		{
 			power_levels_content.users.remove(user_id);
-			let pl_evt = PduBuilder::state(String::new(), &power_levels_content);
+			let pl_evt = PartialPdu::state(String::new(), &power_levels_content);
 			pdu_queue.push((pl_evt, room_id));
 		}

 		// Leave the room
 		pdu_queue.push((
-			PduBuilder::state(user_id.to_string(), &RoomMemberEventContent {
-				avatar_url: None,
-				blurhash: None,
-				membership: MembershipState::Leave,
-				displayname: None,
-				join_authorized_via_users_server: None,
-				reason: None,
-				is_direct: None,
-				third_party_invite: None,
-				redact_events: None,
-			}),
+			PartialPdu::state(
+				user_id.to_string(),
+				&RoomMemberEventContent::new(MembershipState::Leave),
+			),
 			room_id,
 		));

 		// TODO: Redact all messages sent by the user in the room
 	}

-	super::update_all_rooms(services, pdu_queue, user_id)
-		.boxed()
-		.await;
+	for (pdu, room_id) in pdu_queue {
+		let state_lock = services.rooms.state.mutex.lock(room_id.as_str()).await;
+
+		let _ = services
+			.rooms
+			.timeline
+			.build_and_append_pdu(pdu, user_id, Some(room_id.as_ref()), &state_lock)
+			.await;
+	}
+
 	for room_id in all_joined_rooms {
 		services.rooms.state_cache.forget(room_id, user_id);
 	}
@@ -10,23 +10,26 @@ use conduwuit::{
 use conduwuit_service::Services;
 use futures::{FutureExt, StreamExt};
 use lettre::{Address, message::Mailbox};
-use register::RegistrationKind;
 use ruma::{
 	OwnedUserId, UserId,
 	api::client::{
 		account::{
-			register::{self, LoginType},
+			register::{self, LoginType, RegistrationKind},
 			request_registration_token_via_email,
 		},
 		uiaa::{AuthFlow, AuthType},
 	},
-	events::{GlobalAccountDataEventType, room::message::RoomMessageEventContent},
+	assign,
+	events::{
+		GlobalAccountDataEventType, push_rules::PushRulesEvent,
+		room::message::RoomMessageEventContent,
+	},
 	push,
 };
 use serde_json::value::RawValue;
-use service::mailer::messages;
+use service::{mailer::messages, users::HashedPassword};

-use super::{DEVICE_ID_LENGTH, TOKEN_LENGTH, join_room_by_id_helper};
+use super::{DEVICE_ID_LENGTH, TOKEN_LENGTH};
 use crate::Ruma;

 const RANDOM_USER_ID_LENGTH: usize = 10;
@@ -38,16 +41,6 @@ const RANDOM_USER_ID_LENGTH: usize = 10;
 /// You can use [`GET
 /// /_matrix/client/v3/register/available`](fn.get_register_available_route.
 /// html) to check if the user id is valid and available.
-///
-/// - Only works if registration is enabled
-/// - If type is guest: ignores all parameters except
-///   initial_device_display_name
-/// - If sender is not appservice: Requires UIAA (but we only use a dummy stage)
-/// - If type is not guest and no username is given: Always fails after UIAA
-///   check
-/// - Creates a new account and populates it with default account data
-/// - If `inhibit_login` is false: Creates a device and returns device id and
-///   access_token
 #[allow(clippy::doc_markdown)]
 #[tracing::instrument(skip_all, fields(%client), name = "register", level = "info")]
 pub(crate) async fn register_route(
@@ -55,7 +48,10 @@ pub(crate) async fn register_route(
 	ClientIp(client): ClientIp,
 	body: Ruma<register::v3::Request>,
 ) -> Result<register::v3::Response> {
-	let is_guest = body.kind == RegistrationKind::Guest;
+	if body.kind != RegistrationKind::User {
+		return Err!(Request(GuestAccessForbidden("Guests may not register on this server.")));
+	}
+
 	let emergency_mode_enabled = services.config.emergency_password.is_some();

 	// Allow registration if it's enabled in the config file or if this is the first
@@ -63,70 +59,20 @@ pub(crate) async fn register_route(
 	let allow_registration =
 		services.config.allow_registration || services.firstrun.is_first_run();

-	if !allow_registration && body.appservice_info.is_none() {
-		match (body.username.as_ref(), body.initial_device_display_name.as_ref()) {
-			| (Some(username), Some(device_display_name)) => {
-				info!(
-					%is_guest,
-					user = %username,
-					device_name = %device_display_name,
-					"Rejecting registration attempt as registration is disabled"
-				);
-			},
-			| (Some(username), _) => {
-				info!(
-					%is_guest,
-					user = %username,
-					"Rejecting registration attempt as registration is disabled"
-				);
-			},
-			| (_, Some(device_display_name)) => {
-				info!(
-					%is_guest,
-					device_name = %device_display_name,
-					"Rejecting registration attempt as registration is disabled"
-				);
-			},
-			| (None, _) => {
-				info!(
-					%is_guest,
-					"Rejecting registration attempt as registration is disabled"
-				);
-			},
-		}
-
-		return Err!(Request(Forbidden(
-			"This server is not accepting registrations at this time."
-		)));
-	}
-
-	if is_guest && !services.config.allow_guest_registration {
+	if !allow_registration && body.identity.is_none() {
 		info!(
-			"Guest registration disabled, rejecting guest registration attempt, initial device \
-			 name: \"{}\"",
-			body.initial_device_display_name.as_deref().unwrap_or("")
+			?body.username,
+			?body.initial_device_display_name,
+			"Rejecting registration attempt as registration is disabled"
 		);
-		return Err!(Request(GuestAccessForbidden("Guest registration is disabled.")));
-	}

-	// forbid guests from registering if there is not a real admin user yet. give
-	// generic user error.
-	if is_guest && services.firstrun.is_first_run() {
-		warn!(
-			"Guest account attempted to register before a real admin user has been registered, \
-			 rejecting registration. Guest's initial device name: \"{}\"",
-			body.initial_device_display_name.as_deref().unwrap_or("")
-		);
 		return Err!(Request(Forbidden(
 			"This server is not accepting registrations at this time."
 		)));
 	}

-	// Appeservices and guests get to skip auth
-	let skip_auth = body.appservice_info.is_some() || is_guest;
-
-	let identity = if skip_auth {
-		// Appservices and guests have no identity
+	let identity = if body.identity.is_some() {
+		// Appservices can skip auth
 		None
 	} else {
 		// Perform UIAA to determine the user's identity
@@ -153,19 +99,15 @@ pub(crate) async fn register_route(
 		}
 	});

-	let user_id = determine_registration_user_id(
-		&services,
-		supplied_username,
-		is_guest,
-		emergency_mode_enabled,
-	)
-	.await?;
+	let user_id =
+		determine_registration_user_id(&services, supplied_username, emergency_mode_enabled)
+			.await?;

 	if body.body.login_type == Some(LoginType::ApplicationService) {
 		// For appservice logins, make sure that the user ID is in the appservice's
 		// namespace

-		match body.appservice_info {
+		match body.identity {
 			| Some(ref info) =>
 				if !info.is_user_match(&user_id) && !emergency_mode_enabled {
 					return Err!(Request(Exclusive(
@@ -183,18 +125,22 @@ pub(crate) async fn register_route(
 		return Err!(Request(Exclusive("Username is reserved by an appservice.")));
 	}

-	let password = if is_guest { None } else { body.password.as_deref() };
+	let password = if body.identity.is_some() {
+		None
+	} else if let Some(password) = body.password.as_deref() {
+		Some(HashedPassword::new(password)?)
+	} else {
+		return Err!(Request(InvalidParam("A password must be provided")));
+	};

 	// Create user
-	services.users.create(&user_id, password, None).await?;
+	services.users.create(&user_id, password).await?;

 	// Set an initial display name
 	let mut displayname = user_id.localpart().to_owned();

 	// Apply the new user displayname suffix, if it's set
-	if !services.globals.new_user_displayname_suffix().is_empty()
-		&& body.appservice_info.is_none()
-	{
+	if !services.globals.new_user_displayname_suffix().is_empty() && body.identity.is_none() {
 		write!(displayname, " {}", services.server.config.new_user_displayname_suffix)?;
 	}

@@ -209,24 +155,18 @@ pub(crate) async fn register_route(
 			None,
 			&user_id,
 			GlobalAccountDataEventType::PushRules.to_string().into(),
-			&serde_json::to_value(ruma::events::push_rules::PushRulesEvent {
-				content: ruma::events::push_rules::PushRulesEventContent {
-					global: push::Ruleset::server_default(&user_id),
-				},
-			})?,
+			&serde_json::to_value(PushRulesEvent::new(
+				push::Ruleset::server_default(&user_id).into(),
+			))
+			.expect("should be able to serialize push rules"),
 		)
 		.await?;

 	// Generate new device id if the user didn't specify one
-	let no_device = body.inhibit_login
-		|| body
-			.appservice_info
-			.as_ref()
-			.is_some_and(|aps| aps.registration.device_management);
-
-	let (token, device) = if !no_device {
-		// Don't create a device for inhibited logins
-		let device_id = if is_guest { None } else { body.device_id.clone() }
+	let (token, device) = if !body.inhibit_login {
+		let device_id = body
+			.device_id
+			.clone()
 			.unwrap_or_else(|| utils::random_string(DEVICE_ID_LENGTH).into());

 		// Generate new token for the device
@@ -243,12 +183,14 @@ pub(crate) async fn register_route(
 				Some(client.to_string()),
 			)
 			.await?;
-		debug_info!(%user_id, %device_id, "User account was created");
 		(Some(new_token), Some(device_id))
 	} else {
+		// Don't create a device for inhibited logins
 		(None, None)
 	};

+	debug_info!(%user_id, ?device, "User account was created");
+
 	// If the user registered with an email, associate it with their account.
 	if let Some(identity) = identity
 		&& let Some(email) = identity.email
@@ -265,8 +207,7 @@ pub(crate) async fn register_route(

 	let device_display_name = body.initial_device_display_name.as_deref().unwrap_or("");

-	// log in conduit admin channel if a non-guest user registered
-	if body.appservice_info.is_none() && !is_guest {
+	if body.identity.is_none() {
 		if !device_display_name.is_empty() {
 			let notice = format!(
 				"New user \"{user_id}\" registered on this server from IP {client} and device \
@@ -287,65 +228,32 @@ pub(crate) async fn register_route(
 		}
 	}

-	// log in conduit admin channel if a guest registered
-	if body.appservice_info.is_none() && is_guest && services.config.log_guest_registrations {
-		debug_info!("New guest user \"{user_id}\" registered on this server.");
+	// Make the first user to register an administrator and disable first-run mode.
+	let was_first_user = services.firstrun.empower_first_user(&user_id).await?;

-		if !device_display_name.is_empty() {
-			if services.server.config.admin_room_notices {
-				services
-					.admin
-					.notice(&format!(
-						"Guest user \"{user_id}\" with device display name \
-						 \"{device_display_name}\" registered on this server from IP {client}"
-					))
-					.await;
-			}
-		} else {
-			#[allow(clippy::collapsible_else_if)]
-			if services.server.config.admin_room_notices {
-				services
-					.admin
-					.notice(&format!(
-						"Guest user \"{user_id}\" with no device display name registered on \
-						 this server from IP {client}",
-					))
-					.await;
-			}
-		}
-	}
-
-	if !is_guest {
-		// Make the first user to register an administrator and disable first-run mode.
-		let was_first_user = services.firstrun.empower_first_user(&user_id).await?;
-
-		// If the registering user was not the first and we're suspending users on
-		// register, suspend them.
-		if !was_first_user && services.config.suspend_on_register {
-			// Note that we can still do auto joins for suspended users
+	// If the registering user was not the first and we're suspending users on
+	// register, suspend them.
+	if !was_first_user && services.config.suspend_on_register {
+		// Note that we can still do auto joins for suspended users
+		services
+			.users
+			.suspend_account(&user_id, &services.globals.server_user)
+			.await;
+		// And send an @room notice to the admin room, to prompt admins to review the
+		// new user and ideally unsuspend them if deemed appropriate.
+		if services.server.config.admin_room_notices {
 			services
-				.users
-				.suspend_account(&user_id, &services.globals.server_user)
-				.await;
-			// And send an @room notice to the admin room, to prompt admins to review the
-			// new user and ideally unsuspend them if deemed appropriate.
-			if services.server.config.admin_room_notices {
-				services
-					.admin
-					.send_loud_message(RoomMessageEventContent::text_plain(format!(
-						"User {user_id} has been suspended as they are not the first user on \
-						 this server. Please review and unsuspend them if appropriate."
-					)))
-					.await
-					.ok();
-			}
+				.admin
+				.send_loud_message(RoomMessageEventContent::text_plain(format!(
+					"User {user_id} has been suspended as they are not the first user on this \
+					 server. Please review and unsuspend them if appropriate."
+				)))
+				.await
+				.ok();
 		}
 	}

-	if body.appservice_info.is_none()
-		&& !services.server.config.auto_join_rooms.is_empty()
-		&& (services.config.allow_guests_auto_join_rooms || !is_guest)
-	{
+	if body.identity.is_none() && !services.server.config.auto_join_rooms.is_empty() {
 		for room in &services.server.config.auto_join_rooms {
 			let Ok(room_id) = services.rooms.alias.resolve(room).await else {
 				error!(
@@ -368,16 +276,17 @@ pub(crate) async fn register_route(
 			}

 			if let Some(room_server_name) = room.server_name() {
-				match join_room_by_id_helper(
-					&services,
-					&user_id,
-					&room_id,
-					Some("Automatically joining this room upon registration".to_owned()),
-					&[services.globals.server_name().to_owned(), room_server_name.to_owned()],
-					&body.appservice_info,
-				)
-				.boxed()
-				.await
+				match services
+					.rooms
+					.membership
+					.join_room(
+						&user_id,
+						&room_id,
+						Some("Automatically joining this room upon registration".to_owned()),
+						&[services.globals.server_name().to_owned(), room_server_name.to_owned()],
+					)
+					.boxed()
+					.await
 				{
 					| Err(e) => {
 						// don't return this error so we don't fail registrations
@@ -393,13 +302,12 @@ pub(crate) async fn register_route(
 		}
 	}

-	Ok(register::v3::Response {
+	Ok(assign!(register::v3::Response::new(user_id), {
 		access_token: token,
-		user_id,
 		device_id: device,
 		refresh_token: None,
 		expires_in: None,
-	})
+	}))
 }

 /// Determine which flows and parameters should be presented when
@@ -514,12 +422,9 @@ async fn create_registration_uiaa_session(
 async fn determine_registration_user_id(
 	services: &Services,
 	supplied_username: Option<String>,
-	is_guest: bool,
 	emergency_mode_enabled: bool,
 ) -> Result<OwnedUserId> {
-	if let Some(supplied_username) = supplied_username
-		&& !is_guest
-	{
+	if let Some(supplied_username) = supplied_username {
 		// The user gets to pick their username. Do some validation to make sure it's
 		// acceptable.

@@ -572,7 +477,7 @@ async fn determine_registration_user_id(

 		Ok(user_id)
 	} else {
-		// The user is a guest or didn't specify a username. Generate a username for
+		// The user didn't specify a username. Generate a username for
 		// them.

 		loop {
@@ -13,7 +13,7 @@ use ruma::{
 };
 use service::{mailer::messages, uiaa::Identity};

-use crate::Ruma;
+use crate::{Ruma, router::ClientIdentity};

 /// # `GET _matrix/client/v3/account/3pid`
 ///
@@ -22,7 +22,7 @@ pub(crate) async fn third_party_route(
 	State(services): State<crate::State>,
 	body: Ruma<get_3pids::v3::Request>,
 ) -> Result<get_3pids::v3::Response> {
-	let sender_user = body.sender_user();
+	let sender_user = body.identity.sender_user();
 	let mut threepids = vec![];

 	if let Some(email) = services
@@ -53,6 +53,14 @@ pub(crate) async fn request_3pid_management_token_via_email_route(
 	State(services): State<crate::State>,
 	body: Ruma<request_3pid_management_token_via_email::v3::Request>,
 ) -> Result<request_3pid_management_token_via_email::v3::Response> {
+	// Authentication for this endpoint is technically optional,
+	// but we require the user to be logged in
+	let sender_user = body
+		.identity
+		.as_ref()
+		.map(ClientIdentity::sender_user)
+		.ok_or_else(|| err!(Request(MissingToken("Missing access token."))))?;
+
 	if !services.threepid.email_requirement().may_change() {
 		return Err!(Request(Forbidden("You may not change your email address.")));
 	}
@@ -76,7 +84,7 @@ pub(crate) async fn request_3pid_management_token_via_email_route(
 			Mailbox::new(None, email),
 			|verification_link| messages::ChangeEmail {
 				server_name: services.config.server_name.as_str(),
-				user_id: body.sender_user.as_deref(),
+				user_id: Some(sender_user),
 				verification_link,
 			},
 			&body.client_secret,
@@ -107,8 +115,6 @@ pub(crate) async fn add_3pid_route(
 	State(services): State<crate::State>,
 	body: Ruma<add_3pid::v3::Request>,
 ) -> Result<add_3pid::v3::Response> {
-	let sender_user = body.sender_user();
-
 	if !services.threepid.email_requirement().may_change() {
 		return Err!(Request(Forbidden("You may not change your email address.")));
 	}
@@ -116,7 +122,10 @@ pub(crate) async fn add_3pid_route(
 	// Require password auth to add an email
 	let _ = services
 		.uiaa
-		.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
+		.authenticate_password(
+			&body.auth,
+			Some(Identity::from_user_id(body.identity.sender_user())),
+		)
 		.await?;

 	let email = services
@@ -127,7 +136,7 @@ pub(crate) async fn add_3pid_route(

 	services
 		.threepid
-		.associate_localpart_email(sender_user.localpart(), &email)
+		.associate_localpart_email(body.identity.sender_user().localpart(), &email)
 		.await?;

 	Ok(add_3pid::v3::Response::new())
@@ -138,12 +147,8 @@ pub(crate) async fn delete_3pid_route(
 	State(services): State<crate::State>,
 	body: Ruma<delete_3pid::v3::Request>,
 ) -> Result<delete_3pid::v3::Response> {
-	let sender_user = body.sender_user();
-
 	if body.medium != Medium::Email {
-		return Ok(delete_3pid::v3::Response {
-			id_server_unbind_result: ThirdPartyIdRemovalStatus::NoSupport,
-		});
+		return Ok(delete_3pid::v3::Response::new(ThirdPartyIdRemovalStatus::NoSupport));
 	}

 	if !services.threepid.email_requirement().may_remove() {
@@ -152,14 +157,12 @@ pub(crate) async fn delete_3pid_route(

 	if services
 		.threepid
-		.disassociate_localpart_email(sender_user.localpart())
+		.disassociate_localpart_email(body.identity.sender_user().localpart())
 		.await
 		.is_none()
 	{
 		return Err!(Request(ThreepidNotFound("Your account has no associated email.")));
 	}

-	Ok(delete_3pid::v3::Response {
-		id_server_unbind_result: ThirdPartyIdRemovalStatus::Success,
-	})
+	Ok(delete_3pid::v3::Response::new(ThirdPartyIdRemovalStatus::Success))
 }
@@ -7,10 +7,7 @@ use ruma::{
 		get_global_account_data, get_room_account_data, set_global_account_data,
 		set_room_account_data,
 	},
-	events::{
-		AnyGlobalAccountDataEventContent, AnyRoomAccountDataEventContent,
-		RoomAccountDataEventType,
-	},
+	events::{AnyGlobalAccountDataEventContent, AnyRoomAccountDataEventContent},
 	serde::Raw,
 };
 use serde::Deserialize;
@@ -25,9 +22,9 @@ pub(crate) async fn set_global_account_data_route(
 	State(services): State<crate::State>,
 	body: Ruma<set_global_account_data::v3::Request>,
 ) -> Result<set_global_account_data::v3::Response> {
-	let sender_user = body.sender_user();
+	let sender_user = body.identity.sender_user();

-	if sender_user != body.user_id && body.appservice_info.is_none() {
+	if sender_user != body.user_id && !body.identity.is_appservice() {
 		return Err!(Request(Forbidden("You cannot set account data for other users.")));
 	}

@@ -40,7 +37,7 @@ pub(crate) async fn set_global_account_data_route(
 	)
 	.await?;

-	Ok(set_global_account_data::v3::Response {})
+	Ok(set_global_account_data::v3::Response::new())
 }

 /// # `PUT /_matrix/client/r0/user/{userId}/rooms/{roomId}/account_data/{type}`
@@ -50,9 +47,9 @@ pub(crate) async fn set_room_account_data_route(
 	State(services): State<crate::State>,
 	body: Ruma<set_room_account_data::v3::Request>,
 ) -> Result<set_room_account_data::v3::Response> {
-	let sender_user = body.sender_user();
+	let sender_user = body.identity.sender_user();

-	if sender_user != body.user_id && body.appservice_info.is_none() {
+	if sender_user != body.user_id && !body.identity.is_appservice() {
 		return Err!(Request(Forbidden("You cannot set account data for other users.")));
 	}

@@ -65,7 +62,7 @@ pub(crate) async fn set_room_account_data_route(
 	)
 	.await?;

-	Ok(set_room_account_data::v3::Response {})
+	Ok(set_room_account_data::v3::Response::new())
 }

 /// # `GET /_matrix/client/r0/user/{userId}/account_data/{type}`
@@ -75,9 +72,9 @@ pub(crate) async fn get_global_account_data_route(
 	State(services): State<crate::State>,
 	body: Ruma<get_global_account_data::v3::Request>,
 ) -> Result<get_global_account_data::v3::Response> {
-	let sender_user = body.sender_user();
+	let sender_user = body.identity.sender_user();

-	if sender_user != body.user_id && body.appservice_info.is_none() {
+	if sender_user != body.user_id && !body.identity.is_appservice() {
 		return Err!(Request(Forbidden("You cannot get account data of other users.")));
 	}

@@ -87,7 +84,7 @@ pub(crate) async fn get_global_account_data_route(
 		.await
 		.map_err(|_| err!(Request(NotFound("Data not found."))))?;

-	Ok(get_global_account_data::v3::Response { account_data: account_data.content })
+	Ok(get_global_account_data::v3::Response::new(account_data.content))
 }

 /// # `GET /_matrix/client/r0/user/{userId}/rooms/{roomId}/account_data/{type}`
@@ -97,9 +94,9 @@ pub(crate) async fn get_room_account_data_route(
 	State(services): State<crate::State>,
 	body: Ruma<get_room_account_data::v3::Request>,
 ) -> Result<get_room_account_data::v3::Response> {
-	let sender_user = body.sender_user();
+	let sender_user = body.identity.sender_user();

-	if sender_user != body.user_id && body.appservice_info.is_none() {
+	if sender_user != body.user_id && !body.identity.is_appservice() {
 		return Err!(Request(Forbidden("You cannot get account data of other users.")));
 	}

@@ -109,7 +106,7 @@ pub(crate) async fn get_room_account_data_route(
 		.await
 		.map_err(|_| err!(Request(NotFound("Data not found."))))?;

-	Ok(get_room_account_data::v3::Response { account_data: account_data.content })
+	Ok(get_room_account_data::v3::Response::new(account_data.content))
 }

 async fn set_account_data(
@@ -119,7 +116,7 @@ async fn set_account_data(
 	event_type_s: &str,
 	data: &RawJsonValue,
 ) -> Result {
-	if event_type_s == RoomAccountDataEventType::FullyRead.to_cow_str() {
+	if event_type_s == "m.fully_read" {
 		return Err!(Request(BadJson(
 			"This endpoint cannot be used for marking a room as fully read (setting \
 			 m.fully_read)"
@@ -1,7 +1,7 @@
 use axum::extract::State;
 use conduwuit::{Err, Result};
 use futures::future::{join, join3};
-use ruma::api::client::admin::{get_suspended, set_suspended};
+use ruminuwuity::admin::{get_suspended, set_suspended};

 use crate::Ruma;

@@ -12,10 +12,11 @@ pub(crate) async fn get_suspended_status(
 	State(services): State<crate::State>,
 	body: Ruma<get_suspended::v1::Request>,
 ) -> Result<get_suspended::v1::Response> {
-	let sender_user = body.sender_user();
-
-	let (admin, active) =
-		join(services.users.is_admin(sender_user), services.users.is_active(&body.user_id)).await;
+	let (admin, active) = join(
+		services.users.is_admin(body.identity.sender_user()),
+		services.users.is_active(&body.user_id),
+	)
+	.await;
 	if !admin {
 		return Err!(Request(Forbidden("Only server administrators can use this endpoint")));
 	}
@@ -37,7 +38,7 @@ pub(crate) async fn put_suspended_status(
 	State(services): State<crate::State>,
 	body: Ruma<set_suspended::v1::Request>,
 ) -> Result<set_suspended::v1::Response> {
-	let sender_user = body.sender_user();
+	let sender_user = body.identity.sender_user();

 	let (sender_admin, active, target_admin) = join3(
 		services.users.is_admin(sender_user),
@@ -11,7 +11,7 @@ pub(crate) async fn create_alias_route(
 	State(services): State<crate::State>,
 	body: Ruma<create_alias::v3::Request>,
 ) -> Result<create_alias::v3::Response> {
-	let sender_user = body.sender_user();
+	let sender_user = body.identity.sender_user();
 	if services.users.is_suspended(sender_user).await? {
 		return Err!(Request(UserSuspended("You cannot perform this action while suspended.")));
 	}
@@ -19,7 +19,7 @@ pub(crate) async fn create_alias_route(
 	services
 		.rooms
 		.alias
-		.appservice_checks(&body.room_alias, &body.appservice_info)
+		.appservice_checks(&body.room_alias, body.identity.appservice_info())
 		.await?;

 	// this isn't apart of alias_checks or delete alias route because we should
@@ -59,7 +59,7 @@ pub(crate) async fn delete_alias_route(
 	State(services): State<crate::State>,
 	body: Ruma<delete_alias::v3::Request>,
 ) -> Result<delete_alias::v3::Response> {
-	let sender_user = body.sender_user();
+	let sender_user = body.identity.sender_user();
 	if services.users.is_suspended(sender_user).await? {
 		return Err!(Request(UserSuspended("You cannot perform this action while suspended.")));
 	}
@@ -67,7 +67,7 @@ pub(crate) async fn delete_alias_route(
 	services
 		.rooms
 		.alias
-		.appservice_checks(&body.room_alias, &body.appservice_info)
+		.appservice_checks(&body.room_alias, body.identity.appservice_info())
 		.await?;

 	services
@@ -1,6 +1,9 @@
 use axum::extract::State;
-use conduwuit::{Err, Result, err};
-use ruma::api::{appservice::ping, client::appservice::request_ping};
+use conduwuit::{Err, Result};
+use ruma::{
+	api::{appservice::ping, client::appservice::request_ping},
+	assign,
+};

 use crate::Ruma;

@@ -12,9 +15,7 @@ pub(crate) async fn appservice_ping(
 	State(services): State<crate::State>,
 	body: Ruma<request_ping::v1::Request>,
 ) -> Result<request_ping::v1::Response> {
-	let appservice_info = body.appservice_info.as_ref().ok_or_else(|| {
-		err!(Request(Forbidden("This endpoint can only be called by appservices.")))
-	})?;
+	let appservice_info = &body.identity;

 	if body.appservice_id != appservice_info.registration.id {
 		return Err!(Request(Forbidden(
@@ -40,12 +41,12 @@ pub(crate) async fn appservice_ping(
 		.sending
 		.send_appservice_request(
 			appservice_info.registration.clone(),
-			ping::send_ping::v1::Request {
+			assign!(ping::send_ping::v1::Request::new(), {
 				transaction_id: body.transaction_id.clone(),
-			},
+			}),
 		)
 		.await?
 		.expect("We already validated if an appservice URL exists above");

-	Ok(request_ping::v1::Response { duration: timer.elapsed() })
+	Ok(request_ping::v1::Response::new(timer.elapsed()))
 }
@@ -3,7 +3,6 @@ use std::cmp::Ordering;
 use axum::extract::State;
 use conduwuit::{Err, Result, err};
 use conduwuit_service::Services;
-use futures::{FutureExt, future::try_join};
 use ruma::{
 	UInt, UserId,
 	api::client::backup::{
@@ -26,9 +25,9 @@ pub(crate) async fn create_backup_version_route(
 ) -> Result<create_backup_version::v3::Response> {
 	let version = services
 		.key_backups
-		.create_backup(body.sender_user(), &body.algorithm)?;
+		.create_backup(body.identity.sender_user(), &body.algorithm)?;

-	Ok(create_backup_version::v3::Response { version })
+	Ok(create_backup_version::v3::Response::new(version))
 }

 /// # `PUT /_matrix/client/r0/room_keys/version/{version}`
@@ -41,10 +40,10 @@ pub(crate) async fn update_backup_version_route(
 ) -> Result<update_backup_version::v3::Response> {
 	services
 		.key_backups
-		.update_backup(body.sender_user(), &body.version, &body.algorithm)
+		.update_backup(body.identity.sender_user(), &body.version, &body.algorithm)
 		.await?;

-	Ok(update_backup_version::v3::Response {})
+	Ok(update_backup_version::v3::Response::new())
 }

 /// # `GET /_matrix/client/r0/room_keys/version`
@@ -56,13 +55,13 @@ pub(crate) async fn get_latest_backup_info_route(
 ) -> Result<get_latest_backup_info::v3::Response> {
 	let (version, algorithm) = services
 		.key_backups
-		.get_latest_backup(body.sender_user())
+		.get_latest_backup(body.identity.sender_user())
 		.await
 		.map_err(|_| err!(Request(NotFound("Key backup does not exist."))))?;

-	let (count, etag) = get_count_etag(&services, body.sender_user(), &version).await?;
+	let (count, etag) = get_count_etag(&services, body.identity.sender_user(), &version).await;

-	Ok(get_latest_backup_info::v3::Response { algorithm, count, etag, version })
+	Ok(get_latest_backup_info::v3::Response::new(algorithm, count, etag, version))
 }

 /// # `GET /_matrix/client/v3/room_keys/version/{version}`
@@ -74,20 +73,16 @@ pub(crate) async fn get_backup_info_route(
 ) -> Result<get_backup_info::v3::Response> {
 	let algorithm = services
 		.key_backups
-		.get_backup(body.sender_user(), &body.version)
+		.get_backup(body.identity.sender_user(), &body.version)
 		.await
 		.map_err(|_| {
 			err!(Request(NotFound("Key backup does not exist at version {:?}", body.version)))
 		})?;

-	let (count, etag) = get_count_etag(&services, body.sender_user(), &body.version).await?;
+	let (count, etag) =
+		get_count_etag(&services, body.identity.sender_user(), &body.version).await;

-	Ok(get_backup_info::v3::Response {
-		algorithm,
-		count,
-		etag,
-		version: body.version.clone(),
-	})
+	Ok(get_backup_info::v3::Response::new(algorithm, count, etag, body.version.clone()))
 }

 /// # `DELETE /_matrix/client/r0/room_keys/version/{version}`
@@ -102,10 +97,10 @@ pub(crate) async fn delete_backup_version_route(
 ) -> Result<delete_backup_version::v3::Response> {
 	services
 		.key_backups
-		.delete_backup(body.sender_user(), &body.version)
+		.delete_backup(body.identity.sender_user(), &body.version)
 		.await;

-	Ok(delete_backup_version::v3::Response {})
+	Ok(delete_backup_version::v3::Response::new())
 }

 /// # `PUT /_matrix/client/r0/room_keys/keys`
@@ -122,7 +117,7 @@ pub(crate) async fn add_backup_keys_route(
 ) -> Result<add_backup_keys::v3::Response> {
 	if services
 		.key_backups
-		.get_latest_backup_version(body.sender_user())
+		.get_latest_backup_version(body.identity.sender_user())
 		.await
 		.is_ok_and(|version| version != body.version)
 	{
@@ -135,14 +130,21 @@ pub(crate) async fn add_backup_keys_route(
 		for (session_id, key_data) in &room.sessions {
 			services
 				.key_backups
-				.add_key(body.sender_user(), &body.version, room_id, session_id, key_data)
+				.add_key(
+					body.identity.sender_user(),
+					&body.version,
+					room_id,
+					session_id,
+					key_data,
+				)
 				.await?;
 		}
 	}

-	let (count, etag) = get_count_etag(&services, body.sender_user(), &body.version).await?;
+	let (count, etag) =
+		get_count_etag(&services, body.identity.sender_user(), &body.version).await;

-	Ok(add_backup_keys::v3::Response { count, etag })
+	Ok(add_backup_keys::v3::Response::new(etag, count))
 }

 /// # `PUT /_matrix/client/r0/room_keys/keys/{roomId}`
@@ -159,7 +161,7 @@ pub(crate) async fn add_backup_keys_for_room_route(
 ) -> Result<add_backup_keys_for_room::v3::Response> {
 	if services
 		.key_backups
-		.get_latest_backup_version(body.sender_user())
+		.get_latest_backup_version(body.identity.sender_user())
 		.await
 		.is_ok_and(|version| version != body.version)
 	{
@@ -171,13 +173,20 @@ pub(crate) async fn add_backup_keys_for_room_route(
 	for (session_id, key_data) in &body.sessions {
 		services
 			.key_backups
-			.add_key(body.sender_user(), &body.version, &body.room_id, session_id, key_data)
+			.add_key(
+				body.identity.sender_user(),
+				&body.version,
+				&body.room_id,
+				session_id,
+				key_data,
+			)
 			.await?;
 	}

-	let (count, etag) = get_count_etag(&services, body.sender_user(), &body.version).await?;
+	let (count, etag) =
+		get_count_etag(&services, body.identity.sender_user(), &body.version).await;

-	Ok(add_backup_keys_for_room::v3::Response { count, etag })
+	Ok(add_backup_keys_for_room::v3::Response::new(etag, count))
 }

 /// # `PUT /_matrix/client/r0/room_keys/keys/{roomId}/{sessionId}`
@@ -194,7 +203,7 @@ pub(crate) async fn add_backup_keys_for_session_route(
 ) -> Result<add_backup_keys_for_session::v3::Response> {
 	if services
 		.key_backups
-		.get_latest_backup_version(body.sender_user())
+		.get_latest_backup_version(body.identity.sender_user())
 		.await
 		.is_ok_and(|version| version != body.version)
 	{
@@ -207,7 +216,7 @@ pub(crate) async fn add_backup_keys_for_session_route(
 	let mut ok_to_replace = true;
 	if let Some(old_key) = &services
 		.key_backups
-		.get_session(body.sender_user(), &body.version, &body.room_id, &body.session_id)
+		.get_session(body.identity.sender_user(), &body.version, &body.room_id, &body.session_id)
 		.await
 		.ok()
 	{
@@ -266,7 +275,7 @@ pub(crate) async fn add_backup_keys_for_session_route(
 		services
 			.key_backups
 			.add_key(
-				body.sender_user(),
+				body.identity.sender_user(),
 				&body.version,
 				&body.room_id,
 				&body.session_id,
@@ -275,9 +284,10 @@ pub(crate) async fn add_backup_keys_for_session_route(
 			.await?;
 	}

-	let (count, etag) = get_count_etag(&services, body.sender_user(), &body.version).await?;
+	let (count, etag) =
+		get_count_etag(&services, body.identity.sender_user(), &body.version).await;

-	Ok(add_backup_keys_for_session::v3::Response { count, etag })
+	Ok(add_backup_keys_for_session::v3::Response::new(etag, count))
 }

 /// # `GET /_matrix/client/r0/room_keys/keys`
@@ -289,10 +299,10 @@ pub(crate) async fn get_backup_keys_route(
 ) -> Result<get_backup_keys::v3::Response> {
 	let rooms = services
 		.key_backups
-		.get_all(body.sender_user(), &body.version)
+		.get_all(body.identity.sender_user(), &body.version)
 		.await;

-	Ok(get_backup_keys::v3::Response { rooms })
+	Ok(get_backup_keys::v3::Response::new(rooms))
 }

 /// # `GET /_matrix/client/r0/room_keys/keys/{roomId}`
@@ -304,10 +314,10 @@ pub(crate) async fn get_backup_keys_for_room_route(
 ) -> Result<get_backup_keys_for_room::v3::Response> {
 	let sessions = services
 		.key_backups
-		.get_room(body.sender_user(), &body.version, &body.room_id)
+		.get_room(body.identity.sender_user(), &body.version, &body.room_id)
 		.await;

-	Ok(get_backup_keys_for_room::v3::Response { sessions })
+	Ok(get_backup_keys_for_room::v3::Response::new(sessions))
 }

 /// # `GET /_matrix/client/r0/room_keys/keys/{roomId}/{sessionId}`
@@ -319,13 +329,13 @@ pub(crate) async fn get_backup_keys_for_session_route(
 ) -> Result<get_backup_keys_for_session::v3::Response> {
 	let key_data = services
 		.key_backups
-		.get_session(body.sender_user(), &body.version, &body.room_id, &body.session_id)
+		.get_session(body.identity.sender_user(), &body.version, &body.room_id, &body.session_id)
 		.await
 		.map_err(|_| {
 			err!(Request(NotFound(debug_error!("Backup key not found for this user's session."))))
 		})?;

-	Ok(get_backup_keys_for_session::v3::Response { key_data })
+	Ok(get_backup_keys_for_session::v3::Response::new(key_data))
 }

 /// # `DELETE /_matrix/client/r0/room_keys/keys`
@@ -337,12 +347,13 @@ pub(crate) async fn delete_backup_keys_route(
 ) -> Result<delete_backup_keys::v3::Response> {
 	services
 		.key_backups
-		.delete_all_keys(body.sender_user(), &body.version)
+		.delete_all_keys(body.identity.sender_user(), &body.version)
 		.await;

-	let (count, etag) = get_count_etag(&services, body.sender_user(), &body.version).await?;
+	let (count, etag) =
+		get_count_etag(&services, body.identity.sender_user(), &body.version).await;

-	Ok(delete_backup_keys::v3::Response { count, etag })
+	Ok(delete_backup_keys::v3::Response::new(etag, count))
 }

 /// # `DELETE /_matrix/client/r0/room_keys/keys/{roomId}`
@@ -354,12 +365,13 @@ pub(crate) async fn delete_backup_keys_for_room_route(
 ) -> Result<delete_backup_keys_for_room::v3::Response> {
 	services
 		.key_backups
-		.delete_room_keys(body.sender_user(), &body.version, &body.room_id)
+		.delete_room_keys(body.identity.sender_user(), &body.version, &body.room_id)
 		.await;

-	let (count, etag) = get_count_etag(&services, body.sender_user(), &body.version).await?;
+	let (count, etag) =
+		get_count_etag(&services, body.identity.sender_user(), &body.version).await;

-	Ok(delete_backup_keys_for_room::v3::Response { count, etag })
+	Ok(delete_backup_keys_for_room::v3::Response::new(etag, count))
 }

 /// # `DELETE /_matrix/client/r0/room_keys/keys/{roomId}/{sessionId}`
@@ -371,25 +383,33 @@ pub(crate) async fn delete_backup_keys_for_session_route(
 ) -> Result<delete_backup_keys_for_session::v3::Response> {
 	services
 		.key_backups
-		.delete_room_key(body.sender_user(), &body.version, &body.room_id, &body.session_id)
+		.delete_room_key(
+			body.identity.sender_user(),
+			&body.version,
+			&body.room_id,
+			&body.session_id,
+		)
 		.await;

-	let (count, etag) = get_count_etag(&services, body.sender_user(), &body.version).await?;
+	let (count, etag) =
+		get_count_etag(&services, body.identity.sender_user(), &body.version).await;

-	Ok(delete_backup_keys_for_session::v3::Response { count, etag })
+	Ok(delete_backup_keys_for_session::v3::Response::new(etag, count))
 }

 async fn get_count_etag(
 	services: &Services,
 	sender_user: &UserId,
 	version: &str,
-) -> Result<(UInt, String)> {
-	let count = services
+) -> (UInt, String) {
+	let count: UInt = services
 		.key_backups
 		.count_keys(sender_user, version)
-		.map(TryInto::try_into);
+		.await
+		.try_into()
+		.expect("number of keys should fit into a UInt");

-	let etag = services.key_backups.get_etag(sender_user, version).map(Ok);
+	let etag = services.key_backups.get_etag(sender_user, version).await;

-	Ok(try_join(count, etag).await?)
+	(count, etag)
 }
@@ -5,8 +5,11 @@ use conduwuit::{Result, Server};
 use ruma::{
 	RoomVersionId,
 	api::client::discovery::get_capabilities::{
-		self, Capabilities, GetLoginTokenCapability, RoomVersionStability,
-		RoomVersionsCapability, ThirdPartyIdChangesCapability,
+		self,
+		v3::{
+			Capabilities, GetLoginTokenCapability, RoomVersionStability, RoomVersionsCapability,
+			ThirdPartyIdChangesCapability,
+		},
 	},
 };
 use serde_json::json;
@@ -25,19 +28,17 @@ pub(crate) async fn get_capabilities_route(
 		Server::available_room_versions().collect();

 	let mut capabilities = Capabilities::default();
-	capabilities.room_versions = RoomVersionsCapability {
+	capabilities.room_versions = RoomVersionsCapability::new(
+		services.server.config.default_room_version.clone(),
 		available,
-		default: services.server.config.default_room_version.clone(),
-	};
+	);

 	// Only allow 3pid changes if SMTP is configured
-	capabilities.thirdparty_id_changes = ThirdPartyIdChangesCapability {
-		enabled: services.threepid.email_requirement().may_change(),
-	};
+	capabilities.thirdparty_id_changes =
+		ThirdPartyIdChangesCapability::new(services.threepid.email_requirement().may_change());

-	capabilities.get_login_token = GetLoginTokenCapability {
-		enabled: services.server.config.login_via_existing_session,
-	};
+	capabilities.get_login_token =
+		GetLoginTokenCapability::new(services.server.config.login_via_existing_session);

 	// MSC4133 capability
 	capabilities.set("uk.tcpip.msc4133.profile_fields", json!({"enabled": true}))?;
@@ -47,14 +48,10 @@ pub(crate) async fn get_capabilities_route(
 		json!({"enabled": services.config.forget_forced_upon_leave}),
 	)?;

-	if services
-		.users
-		.is_admin(body.sender_user.as_ref().unwrap())
-		.await
-	{
+	if services.users.is_admin(body.identity.sender_user()).await {
 		// Advertise suspension API
 		capabilities.set("uk.timedout.msc4323", json!({"suspend": true, "lock": false}))?;
 	}

-	Ok(get_capabilities::v3::Response { capabilities })
+	Ok(get_capabilities::v3::Response::new(capabilities))
 }
@@ -12,7 +12,9 @@ use futures::{
 	FutureExt, StreamExt, TryFutureExt, TryStreamExt,
 	future::{OptionFuture, join, join3, try_join3},
 };
-use ruma::{OwnedEventId, UserId, api::client::context::get_context, events::StateEventType};
+use ruma::{
+	OwnedEventId, UserId, api::client::context::get_context, assign, events::StateEventType,
+};

 use crate::{
 	Ruma,
@@ -35,8 +37,8 @@ pub(crate) async fn get_context_route(
 	State(services): State<crate::State>,
 	body: Ruma<get_context::v3::Request>,
 ) -> Result<get_context::v3::Response> {
-	let sender = body.sender();
-	let (sender_user, sender_device) = sender;
+	let sender_user = body.identity.sender_user();
+	let sender_device = body.identity.sender_device();
 	let room_id = &body.room_id;
 	let event_id = &body.event_id;
 	let filter = &body.filter;
@@ -141,7 +143,7 @@ pub(crate) async fn get_context_route(

 	let lazy_loading_context = lazy_loading::Context {
 		user_id: sender_user,
-		device_id: Some(sender_device),
+		device_id: sender_device,
 		room_id,
 		token: Some(base_count.into_unsigned()),
 		options: Some(&filter.lazy_load_options),
@@ -213,7 +215,7 @@ pub(crate) async fn get_context_route(
 		.collect()
 		.await;

-	Ok(get_context::v3::Response {
+	Ok(assign!(get_context::v3::Response::new(), {
 		event: base_event.map(at!(1)).map(Event::into_format),

 		start: events_before
@@ -243,5 +245,5 @@ pub(crate) async fn get_context_route(
 			.collect(),

 		state,
-	})
+	}))
 }
@@ -2,10 +2,14 @@ use axum::extract::State;
 use axum_client_ip::ClientIp;
 use conduwuit::{Err, Result, at};
 use futures::StreamExt;
-use ruma::api::client::dehydrated_device::{
-	delete_dehydrated_device::unstable as delete_dehydrated_device,
-	get_dehydrated_device::unstable as get_dehydrated_device, get_events::unstable as get_events,
-	put_dehydrated_device::unstable as put_dehydrated_device,
+use ruma::{
+	api::client::dehydrated_device::{
+		delete_dehydrated_device::unstable as delete_dehydrated_device,
+		get_dehydrated_device::unstable as get_dehydrated_device,
+		get_events::unstable as get_events,
+		put_dehydrated_device::unstable as put_dehydrated_device,
+	},
+	assign,
 };

 use crate::Ruma;
@@ -21,19 +25,14 @@ pub(crate) async fn put_dehydrated_device_route(
 	ClientIp(client): ClientIp,
 	body: Ruma<put_dehydrated_device::Request>,
 ) -> Result<put_dehydrated_device::Response> {
-	let sender_user = body
-		.sender_user
-		.as_deref()
-		.expect("AccessToken authentication required");
-
-	let device_id = body.body.device_id.clone();
+	let device_id = body.device_id.clone();

 	services
 		.users
-		.set_dehydrated_device(sender_user, body.body)
+		.set_dehydrated_device(body.identity.sender_user(), body.body)
 		.await?;

-	Ok(put_dehydrated_device::Response { device_id })
+	Ok(put_dehydrated_device::Response::new(device_id))
 }

 /// # `DELETE /_matrix/client/../dehydrated_device`
@@ -45,13 +44,13 @@ pub(crate) async fn delete_dehydrated_device_route(
 	ClientIp(client): ClientIp,
 	body: Ruma<delete_dehydrated_device::Request>,
 ) -> Result<delete_dehydrated_device::Response> {
-	let sender_user = body.sender_user();
+	let sender_user = body.identity.sender_user();

 	let device_id = services.users.get_dehydrated_device_id(sender_user).await?;

 	services.users.remove_device(sender_user, &device_id).await;

-	Ok(delete_dehydrated_device::Response { device_id })
+	Ok(delete_dehydrated_device::Response::new(device_id))
 }

 /// # `GET /_matrix/client/../dehydrated_device`
@@ -63,14 +62,11 @@ pub(crate) async fn get_dehydrated_device_route(
 	ClientIp(client): ClientIp,
 	body: Ruma<get_dehydrated_device::Request>,
 ) -> Result<get_dehydrated_device::Response> {
-	let sender_user = body.sender_user();
+	let sender_user = body.identity.sender_user();

 	let device = services.users.get_dehydrated_device(sender_user).await?;

-	Ok(get_dehydrated_device::Response {
-		device_id: device.device_id,
-		device_data: device.device_data,
-	})
+	Ok(get_dehydrated_device::Response::new(device.device_id, device.device_data))
 }

 /// # `GET /_matrix/client/../dehydrated_device/{device_id}/events`
@@ -82,7 +78,7 @@ pub(crate) async fn get_dehydrated_events_route(
 	ClientIp(client): ClientIp,
 	body: Ruma<get_events::Request>,
 ) -> Result<get_events::Response> {
-	let sender_user = body.sender_user();
+	let sender_user = body.identity.sender_user();

 	let device_id = &body.body.device_id;
 	let existing_id = services.users.get_dehydrated_device_id(sender_user).await;
@@ -114,8 +110,7 @@ pub(crate) async fn get_dehydrated_events_route(
 		.collect()
 		.await;

-	Ok(get_events::Response {
-		events,
+	Ok(assign!(get_events::Response::new(events), {
 		next_batch: next_batch.as_ref().map(ToString::to_string),
-	})
+	}))
 }
@@ -21,11 +21,11 @@ pub(crate) async fn get_devices_route(
 ) -> Result<get_devices::v3::Response> {
 	let devices: Vec<device::Device> = services
 		.users
-		.all_devices_metadata(body.sender_user())
+		.all_devices_metadata(body.identity.sender_user())
 		.collect()
 		.await;

-	Ok(get_devices::v3::Response { devices })
+	Ok(get_devices::v3::Response::new(devices))
 }

 /// # `GET /_matrix/client/r0/devices/{deviceId}`
@@ -37,11 +37,11 @@ pub(crate) async fn get_device_route(
 ) -> Result<get_device::v3::Response> {
 	let device = services
 		.users
-		.get_device_metadata(body.sender_user(), &body.body.device_id)
+		.get_device_metadata(body.identity.sender_user(), &body.body.device_id)
 		.await
 		.map_err(|_| err!(Request(NotFound("Device not found."))))?;

-	Ok(get_device::v3::Response { device })
+	Ok(get_device::v3::Response::new(device))
 }

 /// # `PUT /_matrix/client/r0/devices/{deviceId}`
@@ -53,8 +53,8 @@ pub(crate) async fn update_device_route(
 	ClientIp(client): ClientIp,
 	body: Ruma<update_device::v3::Request>,
 ) -> Result<update_device::v3::Response> {
-	let sender_user = body.sender_user();
-	let appservice = body.appservice_info.as_ref();
+	let sender_user = body.identity.sender_user();
+	let appservice = body.identity.appservice_info();

 	match services
 		.users
@@ -73,19 +73,16 @@ pub(crate) async fn update_device_route(
 				.update_device_metadata(sender_user, &body.device_id, &device)
 				.await?;

-			Ok(update_device::v3::Response {})
+			Ok(update_device::v3::Response::new())
 		},
 		| Err(_) => {
 			let Some(appservice) = appservice else {
 				return Err!(Request(NotFound("Device not found.")));
 			};
-			if !appservice.registration.device_management {
-				return Err!(Request(NotFound("Device not found.")));
-			}

 			debug!(
-				"Creating new device for {sender_user} from appservice {} as MSC4190 is enabled \
-				 and device ID does not exist",
+				"Creating new device for {sender_user} from appservice {} as device ID does not \
+				 exist",
 				appservice.registration.id
 			);

@@ -102,7 +99,7 @@ pub(crate) async fn update_device_route(
 				)
 				.await?;

-			return Ok(update_device::v3::Response {});
+			return Ok(update_device::v3::Response::new());
 		},
 	}
 }
@@ -121,42 +118,31 @@ pub(crate) async fn delete_device_route(
 	State(services): State<crate::State>,
 	body: Ruma<delete_device::v3::Request>,
 ) -> Result<delete_device::v3::Response> {
-	let sender_user = body.sender_user();
-	let appservice = body.appservice_info.as_ref();
+	let sender_user = body.identity.sender_user();
+	let appservice = body.identity.appservice_info();

-	if appservice.is_some_and(|appservice| appservice.registration.device_management) {
-		debug!(
-			"Skipping UIAA for {sender_user} as this is from an appservice and MSC4190 is \
-			 enabled"
-		);
-		services
-			.users
-			.remove_device(sender_user, &body.device_id)
-			.await;
-
-		return Ok(delete_device::v3::Response {});
+	// Appservices get to skip UIAA for this endpoint
+	if appservice.is_none() {
+		// Prompt the user to confirm with their password using UIAA
+		let _ = services
+			.uiaa
+			.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
+			.await?;
 	}

-	// Prompt the user to confirm with their password using UIAA
-	let _ = services
-		.uiaa
-		.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
-		.await?;
-
 	services
 		.users
 		.remove_device(sender_user, &body.device_id)
 		.await;

-	Ok(delete_device::v3::Response {})
+	Ok(delete_device::v3::Response::new())
 }

 /// # `POST /_matrix/client/v3/delete_devices`
 ///
 /// Deletes the given list of devices.
 ///
-/// - Requires UIAA to verify user password unless from an appservice with
-///   MSC4190 enabled.
+/// - Requires UIAA to verify user password.
 ///
 /// For each device:
 /// - Invalidates access token
@@ -168,30 +154,21 @@ pub(crate) async fn delete_devices_route(
 	State(services): State<crate::State>,
 	body: Ruma<delete_devices::v3::Request>,
 ) -> Result<delete_devices::v3::Response> {
-	let sender_user = body.sender_user();
-	let appservice = body.appservice_info.as_ref();
+	let sender_user = body.identity.sender_user();
+	let appservice = body.identity.appservice_info();

-	if appservice.is_some_and(|appservice| appservice.registration.device_management) {
-		debug!(
-			"Skipping UIAA for {sender_user} as this is from an appservice and MSC4190 is \
-			 enabled"
-		);
-		for device_id in &body.devices {
-			services.users.remove_device(sender_user, device_id).await;
-		}
-
-		return Ok(delete_devices::v3::Response {});
+	// Appservices get to skip UIAA for this endpoint
+	if appservice.is_none() {
+		// Prompt the user to confirm with their password using UIAA
+		let _ = services
+			.uiaa
+			.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
+			.await?;
 	}

-	// Prompt the user to confirm with their password using UIAA
-	let _ = services
-		.uiaa
-		.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
-		.await?;
-
 	for device_id in &body.devices {
 		services.users.remove_device(sender_user, device_id).await;
 	}

-	Ok(delete_devices::v3::Response {})
+	Ok(delete_devices::v3::Response::new())
 }
@@ -1,23 +1,16 @@
-use std::iter::once;
-
 use axum::extract::State;
 use axum_client_ip::ClientIp;
 use conduwuit::{
-	Err, Event, Result, RoomVersion, err, info,
+	Err, Result, err, info,
 	utils::{
-		TryFutureExtExt,
 		math::Expected,
-		result::FlatOk,
 		stream::{ReadyExt, WidebandExt},
 	},
 };
 use conduwuit_service::Services;
-use futures::{
-	FutureExt, StreamExt, TryFutureExt,
-	future::{join, join4, join5},
-};
+use futures::StreamExt;
 use ruma::{
-	OwnedRoomId, RoomId, ServerName, UInt, UserId,
+	RoomId, ServerName, UInt, UserId,
 	api::{
 		client::{
 			directory::{
@@ -28,15 +21,9 @@ use ruma::{
 		},
 		federation,
 	},
-	directory::{Filter, PublicRoomJoinRule, PublicRoomsChunk, RoomNetwork, RoomTypeFilter},
-	events::{
-		StateEventType,
-		room::{
-			create::RoomCreateEventContent,
-			join_rules::{JoinRule, RoomJoinRulesEventContent},
-			power_levels::{RoomPowerLevels, RoomPowerLevelsEventContent},
-		},
-	},
+	assign,
+	directory::{Filter, PublicRoomsChunk, RoomNetwork, RoomTypeFilter},
+	events::StateEventType,
 	uint,
 };
 use tokio::join;
@@ -109,12 +96,11 @@ pub(crate) async fn get_public_rooms_route(
 		err!(Request(Unknown(warn!(?body.server, "Failed to return /publicRooms: {e}"))))
 	})?;

-	Ok(get_public_rooms::v3::Response {
-		chunk: response.chunk,
+	Ok(assign!(get_public_rooms::v3::Response::new(response.chunk), {
 		prev_batch: response.prev_batch,
 		next_batch: response.next_batch,
 		total_room_count_estimate: response.total_room_count_estimate,
-	})
+	}))
 }

 /// # `PUT /_matrix/client/r0/directory/list/room/{roomId}`
@@ -126,7 +112,7 @@ pub(crate) async fn set_room_visibility_route(
 	ClientIp(client): ClientIp,
 	body: Ruma<set_room_visibility::v3::Request>,
 ) -> Result<set_room_visibility::v3::Response> {
-	let sender_user = body.sender_user();
+	let sender_user = body.identity.sender_user();

 	if !services.rooms.metadata.exists(&body.room_id).await {
 		// Return 404 if the room doesn't exist
@@ -136,16 +122,6 @@ pub(crate) async fn set_room_visibility_route(
 		return Err!(Request(UserSuspended("You cannot perform this action while suspended.")));
 	}

-	if services
-		.users
-		.is_deactivated(sender_user)
-		.await
-		.unwrap_or(false)
-		&& body.appservice_info.is_none()
-	{
-		return Err!(Request(Forbidden("Guests cannot publish to room directories")));
-	}
-
 	if !user_can_publish_room(&services, sender_user, &body.room_id).await? {
 		return Err!(Request(Forbidden("User is not allowed to publish this room")));
 	}
@@ -154,7 +130,7 @@ pub(crate) async fn set_room_visibility_route(
 		| room::Visibility::Public => {
 			if services.server.config.lockdown_public_room_directory
 				&& !services.users.is_admin(sender_user).await
-				&& body.appservice_info.is_none()
+				&& !body.identity.is_appservice()
 			{
 				info!(
 					"Non-admin user {sender_user} tried to publish {0} to the room directory \
@@ -197,7 +173,7 @@ pub(crate) async fn set_room_visibility_route(
 		},
 	}

-	Ok(set_room_visibility::v3::Response {})
+	Ok(set_room_visibility::v3::Response::new())
 }

 /// # `GET /_matrix/client/r0/directory/list/room/{roomId}`
@@ -212,13 +188,13 @@ pub(crate) async fn get_room_visibility_route(
 		return Err!(Request(NotFound("Room not found")));
 	}

-	Ok(get_room_visibility::v3::Response {
-		visibility: if services.rooms.directory.is_public_room(&body.room_id).await {
-			room::Visibility::Public
-		} else {
-			room::Visibility::Private
-		},
-	})
+	let visibility = if services.rooms.directory.is_public_room(&body.room_id).await {
+		room::Visibility::Public
+	} else {
+		room::Visibility::Private
+	};
+
+	Ok(get_room_visibility::v3::Response::new(visibility))
 }

 pub(crate) async fn get_public_rooms_filtered_helper(
@@ -236,24 +212,24 @@ pub(crate) async fn get_public_rooms_filtered_helper(
 			.sending
 			.send_federation_request(
 				other_server,
-				federation::directory::get_public_rooms_filtered::v1::Request {
+				assign!(federation::directory::get_public_rooms_filtered::v1::Request::new(), {
 					limit,
 					since: since.map(ToOwned::to_owned),
-					filter: Filter {
+					filter: assign!(Filter::new(), {
 						generic_search_term: filter.generic_search_term.clone(),
 						room_types: filter.room_types.clone(),
-					},
+					}),
 					room_network: RoomNetwork::Matrix,
-				},
+				}),
 			)
 			.await?;

-		return Ok(get_public_rooms_filtered::v3::Response {
+		return Ok(assign!(get_public_rooms_filtered::v3::Response::new(), {
 			chunk: response.chunk,
 			prev_batch: response.prev_batch,
 			next_batch: response.next_batch,
 			total_room_count_estimate: response.total_room_count_estimate,
-		});
+		}));
 	}

 	// Use limit or else 10, with maximum 100
@@ -284,16 +260,24 @@ pub(crate) async fn get_public_rooms_filtered_helper(
 		.rooms
 		.directory
 		.public_rooms()
-		.map(ToOwned::to_owned)
-		.wide_then(|room_id| public_rooms_chunk(services, room_id))
-		.ready_filter_map(|chunk| {
+		.wide_then(async |room_id| {
+			let summary = services
+				.rooms
+				.summary
+				.build_local_room_summary(&room_id)
+				.await
+				.expect("room in public room directory should exist");
+
+			summary.into()
+		})
+		.ready_filter_map(|chunk: PublicRoomsChunk| {
 			if !filter.room_types.is_empty() && !filter.room_types.contains(&RoomTypeFilter::from(chunk.room_type.clone())) {
 				return None;
 			}

 			if let Some(query) = filter.generic_search_term.as_ref().map(|q| q.to_lowercase()) {
 				if let Some(name) = &chunk.name {
-					if name.as_str().to_lowercase().contains(&query) {
+					if name.to_lowercase().contains(&query) {
 						return Some(chunk);
 					}
 				}
@@ -320,7 +304,7 @@ pub(crate) async fn get_public_rooms_filtered_helper(
 		.collect()
 		.await;

-	all_rooms.sort_by(|l, r| r.num_joined_members.cmp(&l.num_joined_members));
+	all_rooms.sort_by_key(|r| std::cmp::Reverse(r.num_joined_members));

 	let total_room_count_estimate = UInt::try_from(all_rooms.len())
 		.unwrap_or_else(|_| uint!(0))
@@ -335,12 +319,12 @@ pub(crate) async fn get_public_rooms_filtered_helper(
 		.ge(&limit)
 		.then_some(format!("n{}", num_since.expected_add(limit)));

-	Ok(get_public_rooms_filtered::v3::Response {
+	Ok(assign!(get_public_rooms_filtered::v3::Response::new(), {
 		chunk,
 		prev_batch,
 		next_batch,
 		total_room_count_estimate,
-	})
+	}))
 }

 /// Checks whether the given user ID is allowed to publish the target room to
@@ -356,109 +340,25 @@ async fn user_can_publish_room(
 		// Server admins can always publish to their own room directory.
 		return Ok(true);
 	}
-	let (create_event, room_version, power_levels_content) = join!(
-		services
-			.rooms
-			.state_accessor
-			.room_state_get(room_id, &StateEventType::RoomCreate, ""),
+
+	let (room_version, room_creators, power_levels) = join!(
 		services.rooms.state.get_room_version(room_id),
-		services
-			.rooms
-			.state_accessor
-			.room_state_get_content::<RoomPowerLevelsEventContent>(
-				room_id,
-				&StateEventType::RoomPowerLevels,
-				""
-			)
+		services.rooms.state_accessor.get_room_creators(room_id),
+		services.rooms.state_accessor.get_room_power_levels(room_id),
 	);
+
 	let room_version = room_version
 		.as_ref()
 		.map_err(|_| err!(Request(NotFound("Unknown room"))))?;
-	let create_event = create_event.map_err(|_| err!(Request(NotFound("Unknown room"))))?;
-	if RoomVersion::new(room_version)
-		.expect("room version must be supported")
+	let room_version_rules = room_version.rules().unwrap();
+
+	if room_version_rules
+		.authorization
 		.explicitly_privilege_room_creators
+		&& room_creators.contains(user_id)
 	{
-		let create_content: RoomCreateEventContent =
-			serde_json::from_str(create_event.content().get())
-				.map_err(|_| err!(Database("Invalid event content for m.room.create")))?;
-		let is_creator = create_content
-			.additional_creators
-			.unwrap_or_default()
-			.into_iter()
-			.chain(once(create_event.sender().to_owned()))
-			.any(|sender| sender == user_id);
-		if is_creator {
-			return Ok(true);
-		}
-	}
-	match power_levels_content.map(RoomPowerLevels::from) {
-		| Ok(pl) => Ok(pl.user_can_send_state(user_id, StateEventType::RoomCanonicalAlias)),
-		| Err(e) =>
-			if e.is_not_found() {
-				Ok(create_event.sender() == user_id)
-			} else {
-				Err!(Database("Invalid event content for m.room.power_levels: {e}"))
-			},
-	}
-}
-
-async fn public_rooms_chunk(services: &Services, room_id: OwnedRoomId) -> PublicRoomsChunk {
-	let name = services.rooms.state_accessor.get_name(&room_id).ok();
-
-	let room_type = services.rooms.state_accessor.get_room_type(&room_id).ok();
-
-	let canonical_alias = services
-		.rooms
-		.state_accessor
-		.get_canonical_alias(&room_id)
-		.ok();
-
-	let avatar_url = services.rooms.state_accessor.get_avatar(&room_id);
-
-	let topic = services.rooms.state_accessor.get_room_topic(&room_id).ok();
-
-	let world_readable = services.rooms.state_accessor.is_world_readable(&room_id);
-
-	let join_rule = services
-		.rooms
-		.state_accessor
-		.room_state_get_content(&room_id, &StateEventType::RoomJoinRules, "")
-		.map_ok(|c: RoomJoinRulesEventContent| match c.join_rule {
-			| JoinRule::Public => PublicRoomJoinRule::Public,
-			| JoinRule::Knock => "knock".into(),
-			| JoinRule::KnockRestricted(_) => "knock_restricted".into(),
-			| _ => "invite".into(),
-		});
-
-	let guest_can_join = services.rooms.state_accessor.guest_can_join(&room_id);
-
-	let num_joined_members = services.rooms.state_cache.room_joined_count(&room_id);
-
-	let (
-		(avatar_url, canonical_alias, guest_can_join, join_rule, name),
-		(num_joined_members, room_type, topic, world_readable),
-	) = join(
-		join5(avatar_url, canonical_alias, guest_can_join, join_rule, name),
-		join4(num_joined_members, room_type, topic, world_readable),
-	)
-	.boxed()
-	.await;
-
-	PublicRoomsChunk {
-		avatar_url: avatar_url.into_option().unwrap_or_default().url,
-		canonical_alias,
-		guest_can_join,
-		join_rule: join_rule.unwrap_or_default(),
-		name,
-		num_joined_members: num_joined_members
-			.map(TryInto::try_into)
-			.map(Result::ok)
-			.flat_ok()
-			.unwrap_or_else(|| uint!(0)),
-		room_id,
-		room_type,
-		topic,
-		world_readable,
+		return Ok(true);
 	}
+
+	Ok(power_levels.user_can_send_state(user_id, StateEventType::RoomCanonicalAlias))
 }
@@ -15,7 +15,7 @@ pub(crate) async fn get_filter_route(
 ) -> Result<get_filter::v3::Response> {
 	services
 		.users
-		.get_filter(body.sender_user(), &body.filter_id)
+		.get_filter(body.identity.sender_user(), &body.filter_id)
 		.await
 		.map(get_filter::v3::Response::new)
 		.map_err(|_| err!(Request(NotFound("Filter not found."))))
@@ -30,7 +30,7 @@ pub(crate) async fn create_filter_route(
 ) -> Result<create_filter::v3::Response> {
 	let filter_id = services
 		.users
-		.create_filter(body.sender_user(), &body.filter);
+		.create_filter(body.identity.sender_user(), &body.filter);

 	Ok(create_filter::v3::Response::new(filter_id))
 }
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				`The invite recipient's membership event is now included in invite stripped state, which should fix flaky invite display in some clients. Contributed by @ginger`
				`@@ -0,0 +1 @@`
				`Switched from Continuwuity's fork of Ruma back to upstream Ruma. Contributed by @ginger.`
				`@@ -0,0 +1 @@`
				`Removed support for guest user registration, a little-used and deprecated approach to room previews.`
				`@@ -0,0 +1 @@`
				The deprecated `well_known.rtc_focus_server_urls` config option has been removed. MatrixRTC foci should be configured using the `matrix_rtc.foci` config option.
				`@@ -0,0 +1 @@`
				`The version of Debian that the Docker-based build process uses has been upgraded from Bookworm to Trixie, meaning that standalone binaries now have a minimum glibc of 2.41, and can no longer be used on distro versions from before 2025-01-30`
				`@@ -0,0 +1 @@`
				`Support for server-side blurhashing (part of MSC2448) has been removed.`
				`@@ -0,0 +1 @@`
				`Updated [MSC4284: Policy Servers](https://github.com/matrix-org/matrix-spec-proposals/pull/4284) implementation to support the newly stabilised proposal. Contributed by @nex.`
				`@@ -0,0 +1 @@`
				`Add performance tuning documentation. Contributed by @stratself.`
				`@@ -0,0 +1 @@`
				`Added config option for default room ACLs. Contributed by @eve.`
				`@@ -0,0 +1 @@`
				Clarified in the config that `max_request_size` affects federated media as well.