Add test to verify limit parameter defaults to 100 for thread subscriptions extension

Co-authored-by: reivilibre <38398653+reivilibre@users.noreply.github.com>

.github/workflows/release-artifacts.yml

@@ -114,12 +114,19 @@ jobs:
         os:
           - ubuntu-24.04
           - ubuntu-24.04-arm
+          - macos-14 # This uses arm64
+          - macos-15-intel # This uses x86-64
         # is_pr is a flag used to exclude certain jobs from the matrix on PRs.
         # It is not read by the rest of the workflow.
         is_pr:
           - ${{ startsWith(github.ref, 'refs/pull/') }}
 
         exclude:
+          # Don't build macos wheels on PR CI.
+          - is_pr: true
+            os: "macos-15-intel"
+          - is_pr: true
+            os: "macos-14"
           # Don't build aarch64 wheels on PR CI.
           - is_pr: true
             os: "ubuntu-24.04-arm"

CHANGES.md

@@ -1,85 +1,3 @@
-# Synapse 1.144.0 (2025-12-09)
-
-## Deprecation of MacOS Python wheels
-
-The team has decided to deprecate and stop publishing python wheels for MacOS.
-Synapse docker images will continue to work on MacOS, as will building Synapse
-from source (though note this requires a Rust compiler).
-
-## Unstable mutual rooms endpoint is now behind an experimental feature flag
-
-Admins using the unstable [MSC2666](https://github.com/matrix-org/matrix-spec-proposals/pull/2666) endpoint (`/_matrix/client/unstable/uk.half-shot.msc2666/user/mutual_rooms`),
-please check [the relevant section in the upgrade notes](https://github.com/element-hq/synapse/blob/develop/docs/upgrade.md#upgrading-to-v11440) as this release contains changes
-that disable that endpoint by default.
-
-
-
-No significant changes since 1.144.0rc1.
-
-
-
-
-# Synapse 1.144.0rc1 (2025-12-02)
-
-Admins using the unstable [MSC2666](https://github.com/matrix-org/matrix-spec-proposals/pull/2666) endpoint (`/_matrix/client/unstable/uk.half-shot.msc2666/user/mutual_rooms`), please check [the relevant section in the upgrade notes](https://github.com/element-hq/synapse/blob/develop/docs/upgrade.md#upgrading-to-v11440) as this release contains changes that disable that endpoint by default.
-
-## Features
-
-- Add experimentatal implememntation of [MSC4380](https://github.com/matrix-org/matrix-spec-proposals/pull/4380) (invite blocking). ([\#19203](https://github.com/element-hq/synapse/issues/19203))
-- Allow restarting delayed event timeouts on workers. ([\#19207](https://github.com/element-hq/synapse/issues/19207))
-
-## Bugfixes
-
-- Fix a bug in the database function for fetching state deltas that could result in unnecessarily long query times. ([\#18960](https://github.com/element-hq/synapse/issues/18960))
-- Fix v12 rooms when running with `use_frozen_dicts: True`. ([\#19235](https://github.com/element-hq/synapse/issues/19235))
-- Fix bug where invalid `canonical_alias` content would return 500 instead of 400. ([\#19240](https://github.com/element-hq/synapse/issues/19240))
-- Fix bug where `Duration` was logged incorrectly. ([\#19267](https://github.com/element-hq/synapse/issues/19267))
-
-## Improved Documentation
-
-- Document in the `--config-path` help how multiple files are merged - by merging them shallowly. ([\#19243](https://github.com/element-hq/synapse/issues/19243))
-
-## Deprecations and Removals
-
-- Stop building release wheels for MacOS. ([\#19225](https://github.com/element-hq/synapse/issues/19225))
-
-## Internal Changes
-
-- Improve event filtering for Simplified Sliding Sync. ([\#17782](https://github.com/element-hq/synapse/issues/17782))
-- Export `SYNAPSE_SUPPORTED_COMPLEMENT_TEST_PACKAGES` environment variable from `scripts-dev/complement.sh`. ([\#19208](https://github.com/element-hq/synapse/issues/19208))
-- Refactor `scripts-dev/complement.sh` logic to avoid `exit` to facilitate being able to source it from other scripts (composable). ([\#19209](https://github.com/element-hq/synapse/issues/19209))
-- Expire sliding sync connections that are too old or have too much pending data. ([\#19211](https://github.com/element-hq/synapse/issues/19211))
-- Require an experimental feature flag to be enabled in order for the unstable [MSC2666](https://github.com/matrix-org/matrix-spec-proposals/pull/2666) endpoint (`/_matrix/client/unstable/uk.half-shot.msc2666/user/mutual_rooms`) to be available. ([\#19219](https://github.com/element-hq/synapse/issues/19219))
-- Prevent changelog check CI running on @dependabot's PRs even when a human has modified the branch. ([\#19220](https://github.com/element-hq/synapse/issues/19220))
-- Auto-fix trailing spaces in multi-line strings and comments when running the lint script. ([\#19221](https://github.com/element-hq/synapse/issues/19221))
-- Move towards using a dedicated `Duration` type. ([\#19223](https://github.com/element-hq/synapse/issues/19223), [\#19229](https://github.com/element-hq/synapse/issues/19229))
-- Improve robustness of the SQL schema linting in CI. ([\#19224](https://github.com/element-hq/synapse/issues/19224))
-- Add log to determine whether clients are using `/messages` as expected. ([\#19226](https://github.com/element-hq/synapse/issues/19226))
-- Simplify README and add ESS Getting started section. ([\#19228](https://github.com/element-hq/synapse/issues/19228), [\#19259](https://github.com/element-hq/synapse/issues/19259))
-- Add a unit test for ensuring associated refresh tokens are erased when a device is deleted. ([\#19230](https://github.com/element-hq/synapse/issues/19230))
-- Prompt user to consider adding future deprecations to the changelog in release script. ([\#19239](https://github.com/element-hq/synapse/issues/19239))
-- Fix check of the Rust compiled code being outdated when using source checkout and `.egg-info`. ([\#19251](https://github.com/element-hq/synapse/issues/19251))
-- Stop building macos wheels in CI pipeline. ([\#19263](https://github.com/element-hq/synapse/issues/19263))
-
-
-
-### Updates to locked dependencies
-
-* Bump Swatinem/rust-cache from 2.8.1 to 2.8.2. ([\#19244](https://github.com/element-hq/synapse/issues/19244))
-* Bump actions/checkout from 5.0.0 to 6.0.0. ([\#19213](https://github.com/element-hq/synapse/issues/19213))
-* Bump actions/setup-go from 6.0.0 to 6.1.0. ([\#19214](https://github.com/element-hq/synapse/issues/19214))
-* Bump actions/setup-python from 6.0.0 to 6.1.0. ([\#19245](https://github.com/element-hq/synapse/issues/19245))
-* Bump attrs from 25.3.0 to 25.4.0. ([\#19215](https://github.com/element-hq/synapse/issues/19215))
-* Bump docker/metadata-action from 5.9.0 to 5.10.0. ([\#19246](https://github.com/element-hq/synapse/issues/19246))
-* Bump http from 1.3.1 to 1.4.0. ([\#19249](https://github.com/element-hq/synapse/issues/19249))
-* Bump pydantic from 2.12.4 to 2.12.5. ([\#19250](https://github.com/element-hq/synapse/issues/19250))
-* Bump pyopenssl from 25.1.0 to 25.3.0. ([\#19248](https://github.com/element-hq/synapse/issues/19248))
-* Bump rpds-py from 0.28.0 to 0.29.0. ([\#19216](https://github.com/element-hq/synapse/issues/19216))
-* Bump rpds-py from 0.29.0 to 0.30.0. ([\#19247](https://github.com/element-hq/synapse/issues/19247))
-* Bump sentry-sdk from 2.44.0 to 2.46.0. ([\#19218](https://github.com/element-hq/synapse/issues/19218))
-* Bump types-bleach from 6.2.0.20250809 to 6.3.0.20251115. ([\#19217](https://github.com/element-hq/synapse/issues/19217))
-* Bump types-jsonschema from 4.25.1.20250822 to 4.25.1.20251009. ([\#19252](https://github.com/element-hq/synapse/issues/19252))
-
 # Synapse 1.143.0 (2025-11-25)
 
 ## Dropping support for PostgreSQL 13

README.rst

@@ -7,48 +7,170 @@
 
 Synapse is an open source `Matrix <https://matrix.org>`__ homeserver
 implementation, written and maintained by `Element <https://element.io>`_.
-`Matrix <https://github.com/matrix-org>`__ is the open standard for secure and
-interoperable real-time communications. You can directly run and manage the
-source code in this repository, available under an AGPL license (or
-alternatively under a commercial license from Element).
+`Matrix <https://github.com/matrix-org>`__ is the open standard for
+secure and interoperable real-time communications. You can directly run
+and manage the source code in this repository, available under an AGPL
+license (or alternatively under a commercial license from Element).
+There is no support provided by Element unless you have a
+subscription from Element.
 
-There is no support provided by Element unless you have a subscription from
-Element.
+Subscription
+============
 
-🚀 Getting started
-==================
+For those that need an enterprise-ready solution, Element
+Server Suite (ESS) is `available via subscription <https://element.io/pricing>`_.
+ESS builds on Synapse to offer a complete Matrix-based backend including the full
+`Admin Console product <https://element.io/enterprise-functionality/admin-console>`_,
+giving admins the power to easily manage an organization-wide
+deployment. It includes advanced identity management, auditing,
+moderation and data retention options as well as Long-Term Support and
+SLAs. ESS supports any Matrix-compatible client.
 
-This component is developed and maintained by `Element <https://element.io>`_.
-It gets shipped as part of the **Element Server Suite (ESS)** which provides the
-official means of deployment.
+.. contents::
 
-ESS is a Matrix distribution from Element with focus on quality and ease of use.
-It ships a full Matrix stack tailored to the respective use case.
+🛠️ Installation and configuration
+==================================
 
-There are three editions of ESS:
+The Synapse documentation describes `how to install Synapse <https://element-hq.github.io/synapse/latest/setup/installation.html>`_. We recommend using
+`Docker images <https://element-hq.github.io/synapse/latest/setup/installation.html#docker-images-and-ansible-playbooks>`_ or `Debian packages from Matrix.org
+<https://element-hq.github.io/synapse/latest/setup/installation.html#matrixorg-packages>`_.
 
-- `ESS Community <https://github.com/element-hq/ess-helm>`_ - the free Matrix
-  distribution from Element tailored to small-/mid-scale, non-commercial
-  community use cases
-- `ESS Pro <https://element.io/server-suite>`_ - the commercial Matrix
-  distribution from Element for professional use
-- `ESS TI-M <https://element.io/server-suite/ti-messenger>`_ - a special version
-  of ESS Pro focused on the requirements of TI-Messenger Pro and ePA as
-  specified by the German National Digital Health Agency Gematik
+.. _federation:
+
+Synapse has a variety of `config options
+<https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html>`_
+which can be used to customise its behaviour after installation.
+There are additional details on how to `configure Synapse for federation here
+<https://element-hq.github.io/synapse/latest/federate.html>`_.
+
+.. _reverse-proxy:
+
+Using a reverse proxy with Synapse
+----------------------------------
+
+It is recommended to put a reverse proxy such as
+`nginx <https://nginx.org/en/docs/http/ngx_http_proxy_module.html>`_,
+`Apache <https://httpd.apache.org/docs/current/mod/mod_proxy_http.html>`_,
+`Caddy <https://caddyserver.com/docs/quick-starts/reverse-proxy>`_,
+`HAProxy <https://www.haproxy.org/>`_ or
+`relayd <https://man.openbsd.org/relayd.8>`_ in front of Synapse. One advantage of
+doing so is that it means that you can expose the default https port (443) to
+Matrix clients without needing to run Synapse with root privileges.
+For information on configuring one, see `the reverse proxy docs
+<https://element-hq.github.io/synapse/latest/reverse_proxy.html>`_.
+
+Upgrading an existing Synapse
+-----------------------------
+
+The instructions for upgrading Synapse are in `the upgrade notes`_.
+Please check these instructions as upgrading may require extra steps for some
+versions of Synapse.
+
+.. _the upgrade notes: https://element-hq.github.io/synapse/develop/upgrade.html
 
 
-🛠️ Standalone installation and configuration
-============================================
+Platform dependencies
+---------------------
 
-The Synapse documentation describes `options for installing Synapse standalone
-<https://element-hq.github.io/synapse/latest/setup/installation.html>`_. See
-below for more useful documentation links.
+Synapse uses a number of platform dependencies such as Python and PostgreSQL,
+and aims to follow supported upstream versions. See the
+`deprecation policy <https://element-hq.github.io/synapse/latest/deprecation_policy.html>`_
+for more details.
 
-- `Synapse configuration options <https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html>`_
-- `Synapse configuration for federation <https://element-hq.github.io/synapse/latest/federate.html>`_
-- `Using a reverse proxy with Synapse <https://element-hq.github.io/synapse/latest/reverse_proxy.html>`_
-- `Upgrading Synapse <https://element-hq.github.io/synapse/develop/upgrade.html>`_
 
+Security note
+-------------
+
+Matrix serves raw, user-supplied data in some APIs -- specifically the `content
+repository endpoints`_.
+
+.. _content repository endpoints: https://matrix.org/docs/spec/client_server/latest.html#get-matrix-media-r0-download-servername-mediaid
+
+Whilst we make a reasonable effort to mitigate against XSS attacks (for
+instance, by using `CSP`_), a Matrix homeserver should not be hosted on a
+domain hosting other web applications. This especially applies to sharing
+the domain with Matrix web clients and other sensitive applications like
+webmail. See
+https://developer.github.com/changes/2014-04-25-user-content-security for more
+information.
+
+.. _CSP: https://github.com/matrix-org/synapse/pull/1021
+
+Ideally, the homeserver should not simply be on a different subdomain, but on
+a completely different `registered domain`_ (also known as top-level site or
+eTLD+1). This is because `some attacks`_ are still possible as long as the two
+applications share the same registered domain.
+
+.. _registered domain: https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-2.3
+
+.. _some attacks: https://en.wikipedia.org/wiki/Session_fixation#Attacks_using_cross-subdomain_cookie
+
+To illustrate this with an example, if your Element Web or other sensitive web
+application is hosted on ``A.example1.com``, you should ideally host Synapse on
+``example2.com``. Some amount of protection is offered by hosting on
+``B.example1.com`` instead, so this is also acceptable in some scenarios.
+However, you should *not* host your Synapse on ``A.example1.com``.
+
+Note that all of the above refers exclusively to the domain used in Synapse's
+``public_baseurl`` setting. In particular, it has no bearing on the domain
+mentioned in MXIDs hosted on that server.
+
+Following this advice ensures that even if an XSS is found in Synapse, the
+impact to other applications will be minimal.
+
+
+🧪 Testing a new installation
+=============================
+
+The easiest way to try out your new Synapse installation is by connecting to it
+from a web client.
+
+Unless you are running a test instance of Synapse on your local machine, in
+general, you will need to enable TLS support before you can successfully
+connect from a client: see
+`TLS certificates <https://element-hq.github.io/synapse/latest/setup/installation.html#tls-certificates>`_.
+
+An easy way to get started is to login or register via Element at
+https://app.element.io/#/login or https://app.element.io/#/register respectively.
+You will need to change the server you are logging into from ``matrix.org``
+and instead specify a homeserver URL of ``https://<server_name>:8448``
+(or just ``https://<server_name>`` if you are using a reverse proxy).
+If you prefer to use another client, refer to our
+`client breakdown <https://matrix.org/ecosystem/clients/>`_.
+
+If all goes well you should at least be able to log in, create a room, and
+start sending messages.
+
+.. _`client-user-reg`:
+
+Registering a new user from a client
+------------------------------------
+
+By default, registration of new users via Matrix clients is disabled. To enable
+it:
+
+1. In the
+   `registration config section <https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#registration>`_
+   set ``enable_registration: true`` in ``homeserver.yaml``.
+2. Then **either**:
+
+   a. set up a `CAPTCHA <https://element-hq.github.io/synapse/latest/CAPTCHA_SETUP.html>`_, or
+   b. set ``enable_registration_without_verification: true`` in ``homeserver.yaml``.
+
+We **strongly** recommend using a CAPTCHA, particularly if your homeserver is exposed to
+the public internet. Without it, anyone can freely register accounts on your homeserver.
+This can be exploited by attackers to create spambots targeting the rest of the Matrix
+federation.
+
+Your new Matrix ID will be formed partly from the ``server_name``, and partly
+from a localpart you specify when you create the account in the form of::
+
+    @localpart:my.domain.name
+
+(pronounced "at localpart on my dot domain dot name").
+
+As when logging in, you will need to specify a "Custom server".  Specify your
+desired ``localpart`` in the 'Username' box.
 
 🎯 Troubleshooting and support
 ==============================
@@ -60,7 +182,7 @@ Enterprise quality support for Synapse including SLAs is available as part of an
 `Element Server Suite (ESS) <https://element.io/pricing>`_ subscription.
 
 If you are an existing ESS subscriber then you can raise a `support request <https://ems.element.io/support>`_
-and access the `Element product documentation <https://docs.element.io>`_.
+and access the `knowledge base <https://ems-docs.element.io>`_.
 
 🤝 Community support
 --------------------
@@ -79,6 +201,35 @@ issues for support requests, only for bug reports and feature requests.
 .. |docs| replace:: ``docs``
 .. _docs: docs
 
+🪪 Identity Servers
+===================
+
+Identity servers have the job of mapping email addresses and other 3rd Party
+IDs (3PIDs) to Matrix user IDs, as well as verifying the ownership of 3PIDs
+before creating that mapping.
+
+**Identity servers do not store accounts or credentials - these are stored and managed on homeservers.
+Identity Servers are just for mapping 3rd Party IDs to Matrix IDs.**
+
+This process is highly security-sensitive, as there is an obvious risk of spam if it
+is too easy to sign up for Matrix accounts or harvest 3PID data. In the longer
+term, we hope to create a decentralised system to manage it (`matrix-doc #712
+<https://github.com/matrix-org/matrix-doc/issues/712>`_), but in the meantime,
+the role of managing trusted identity in the Matrix ecosystem is farmed out to
+a cluster of known trusted ecosystem partners, who run 'Matrix Identity
+Servers' such as `Sydent <https://github.com/matrix-org/sydent>`_, whose role
+is purely to authenticate and track 3PID logins and publish end-user public
+keys.
+
+You can host your own copy of Sydent, but this will prevent you reaching other
+users in the Matrix ecosystem via their email address, and prevent them finding
+you. We therefore recommend that you use one of the centralised identity servers
+at ``https://matrix.org`` or ``https://vector.im`` for now.
+
+To reiterate: the Identity server will only be used if you choose to associate
+an email address with your account, or send an invite to another user via their
+email address.
+
 
 🛠️ Development
 ==============
@@ -101,29 +252,20 @@ Alongside all that, join our developer community on Matrix:
 Copyright and Licensing
 =======================
 
-  | Copyright 2014–2017 OpenMarket Ltd
-  | Copyright 2017 Vector Creations Ltd
-  | Copyright 2017–2025 New Vector Ltd
-  | Copyright 2025 Element Creations Ltd
+| Copyright 2014-2017 OpenMarket Ltd
+| Copyright 2017 Vector Creations Ltd
+| Copyright 2017-2025 New Vector Ltd
+|
 
-This software is dual-licensed by Element Creations Ltd (Element). It can be
-used either:
+This software is dual-licensed by New Vector Ltd (Element). It can be used either:
 
-(1) for free under the terms of the GNU Affero General Public License (as
-    published by the Free Software Foundation, either version 3 of the License,
-    or (at your option) any later version); OR
+(1) for free under the terms of the GNU Affero General Public License (as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version); OR
 
-(2) under the terms of a paid-for Element Commercial License agreement between
-    you and Element (the terms of which may vary depending on what you and
-    Element have agreed to).
+(2) under the terms of a paid-for Element Commercial License agreement between you and Element (the terms of which may vary depending on what you and Element have agreed to).
 
-Unless required by applicable law or agreed to in writing, software distributed
-under the Licenses is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
-CONDITIONS OF ANY KIND, either express or implied. See the Licenses for the
-specific language governing permissions and limitations under the Licenses.
+Unless required by applicable law or agreed to in writing, software distributed under the Licenses is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the Licenses for the specific language governing permissions and limitations under the Licenses.
 
-Please contact `licensing@element.io <mailto:licensing@element.io>`_ to purchase
-an Element commercial license for this software.
+Please contact `licensing@element.io <mailto:licensing@element.io>`_ to purchase an Element commercial license for this software.
 
 
 .. |support| image:: https://img.shields.io/badge/matrix-community%20support-success

changelog.d/17782.misc

@@ -0,0 +1 @@
+Improve event filtering for Simplified Sliding Sync.

changelog.d/18960.bugfix

@@ -0,0 +1 @@
+Fix a bug in the database function for fetching state deltas that could result in unnecessarily long query times.

changelog.d/19203.feature

@@ -0,0 +1 @@
+Add experimentatal implememntation of [MSC4380](https://github.com/matrix-org/matrix-spec-proposals/pull/4380) (invite blocking).

changelog.d/19207.feature

@@ -0,0 +1 @@
+Allow restarting delayed event timeouts on workers.

changelog.d/19208.misc

@@ -0,0 +1 @@
+Export `SYNAPSE_SUPPORTED_COMPLEMENT_TEST_PACKAGES` environment variable from `scripts-dev/complement.sh`.

changelog.d/19209.misc

@@ -0,0 +1 @@
+Refactor `scripts-dev/complement.sh` logic to avoid `exit` to facilitate being able to source it from other scripts (composable).

changelog.d/19211.misc

@@ -0,0 +1 @@
+Expire sliding sync connections that are too old or have too much pending data.

changelog.d/19219.misc

@@ -0,0 +1 @@
+Require an experimental feature flag to be enabled in order for the unstable [MSC2666](https://github.com/matrix-org/matrix-spec-proposals/pull/2666) endpoint (`/_matrix/client/unstable/uk.half-shot.msc2666/user/mutual_rooms`) to be available.

changelog.d/19220.misc

@@ -0,0 +1 @@
+Prevent changelog check CI running on @dependabot's PRs even when a human has modified the branch.

changelog.d/19221.misc

@@ -0,0 +1 @@
+Auto-fix trailing spaces in multi-line strings and comments when running the lint script.

changelog.d/19223.misc

@@ -0,0 +1 @@
+Move towards using a dedicated `Duration` type.

changelog.d/19224.misc

@@ -0,0 +1 @@
+Improve robustness of the SQL schema linting in CI.

changelog.d/19225.removal

@@ -0,0 +1 @@
+Stop building release wheels for MacOS.

changelog.d/19229.misc

@@ -0,0 +1 @@
+Move towards using a dedicated `Duration` type.

changelog.d/19230.misc

@@ -0,0 +1 @@
+Add a unit test for ensuring associated refresh tokens are erased when a device is delted.

changelog.d/19239.misc

@@ -0,0 +1 @@
+Prompt user to consider adding future deprecations to the changelog in release script.

changelog.d/19240.bugfix

@@ -0,0 +1 @@
+Fix bug where invalid `canonical_alias` content would return 500 instead of 400.

changelog.d/19243.doc

@@ -0,0 +1 @@
+Document in the `--config-path` help how multiple files are merged - by merging them shallowly.

changelog.d/19251.misc

@@ -0,0 +1 @@
+Fix check of the Rust compiled code being outdated when using source checkout and `.egg-info`.

debian/changelog

@@ -1,15 +1,3 @@
-matrix-synapse-py3 (1.144.0) stable; urgency=medium
-
-  * New Synapse release 1.144.0.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 09 Dec 2025 08:30:40 -0700
-
-matrix-synapse-py3 (1.144.0~rc1) stable; urgency=medium
-
-  * New Synapse release 1.144.0rc1.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 02 Dec 2025 09:11:19 -0700
-
 matrix-synapse-py3 (1.143.0) stable; urgency=medium
 
   * New Synapse release 1.143.0.

docs/SUMMARY.md

@@ -5,7 +5,6 @@
 
 # Setup
   - [Installation](setup/installation.md)
-  - [Security](setup/security.md)
   - [Using Postgres](postgres.md)
   - [Configuring a Reverse Proxy](reverse_proxy.md)
   - [Configuring a Forward/Outbound Proxy](setup/forward_proxy.md)

docs/setup/installation.md

@@ -16,15 +16,8 @@ that your email address is probably `user@example.com` rather than
 `user@email.example.com`) - but doing so may require more advanced setup: see
 [Setting up Federation](../federate.md).
 
-⚠️ Before setting up Synapse please consult the [security page](security.md) for
-best practices. ⚠️
-
 ## Installing Synapse
 
-Note: Synapse uses a number of platform dependencies such as Python and PostgreSQL,
-and aims to follow supported upstream versions. See the [deprecation
-policy](../deprecation_policy.md) for more details.
-
 ### Prebuilt packages
 
 Prebuilt packages are available for a number of platforms. These are recommended

docs/setup/security.md

@@ -1,41 +0,0 @@
-# Security
-
-This page lays out security best-practices when running Synapse.
-
-If you believe you have encountered a security issue, see our [Security
-Disclosure Policy](https://element.io/en/security/security-disclosure-policy).
-
-## Content repository
-
-Matrix serves raw, user-supplied data in some APIs — specifically the [content
-repository endpoints](https://matrix.org/docs/spec/client_server/latest.html#get-matrix-media-r0-download-servername-mediaid).
-
-Whilst we make a reasonable effort to mitigate against XSS attacks (for
-instance, by using [CSP](https://github.com/matrix-org/synapse/pull/1021)), a
-Matrix homeserver should not be hosted on a domain hosting other web
-applications. This especially applies to sharing the domain with Matrix web
-clients and other sensitive applications like webmail. See
-https://developer.github.com/changes/2014-04-25-user-content-security for more
-information.
-
-Ideally, the homeserver should not simply be on a different subdomain, but on a
-completely different [registered
-domain](https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-2.3)
-(also known as top-level site or eTLD+1). This is because [some
-attacks](https://en.wikipedia.org/wiki/Session_fixation#Attacks_using_cross-subdomain_cookie)
-are still possible as long as the two applications share the same registered
-domain.
-
-
-To illustrate this with an example, if your Element Web or other sensitive web
-application is hosted on `A.example1.com`, you should ideally host Synapse on
-`example2.com`. Some amount of protection is offered by hosting on
-`B.example1.com` instead, so this is also acceptable in some scenarios.
-However, you should *not* host your Synapse on `A.example1.com`.
-
-Note that all of the above refers exclusively to the domain used in Synapse's
-`public_baseurl` setting. In particular, it has no bearing on the domain
-mentioned in MXIDs hosted on that server.
-
-Following this advice ensures that even if an XSS is found in Synapse, the
-impact to other applications will be minimal.

poetry.lock

@@ -3035,14 +3035,14 @@ files = [
 
 [[package]]
 name = "types-jsonschema"
-version = "4.25.1.20251009"
+version = "4.25.1.20250822"
 description = "Typing stubs for jsonschema"
 optional = false
 python-versions = ">=3.9"
 groups = ["dev"]
 files = [
-    {file = "types_jsonschema-4.25.1.20251009-py3-none-any.whl", hash = "sha256:f30b329037b78e7a60146b1146feb0b6fb0b71628637584409bada83968dad3e"},
-    {file = "types_jsonschema-4.25.1.20251009.tar.gz", hash = "sha256:75d0f5c5dd18dc23b664437a0c1a625743e8d2e665ceaf3aecb29841f3a5f97f"},
+    {file = "types_jsonschema-4.25.1.20250822-py3-none-any.whl", hash = "sha256:f82c2d7fa1ce1c0b84ba1de4ed6798469768188884db04e66421913a4e181294"},
+    {file = "types_jsonschema-4.25.1.20250822.tar.gz", hash = "sha256:aac69ed4b23f49aaceb7fcb834141d61b9e4e6a7f6008cb2f0d3b831dfa8464a"},
 ]
 
 [package.dependencies]

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "matrix-synapse"
-version = "1.144.0"
+version = "1.143.0"
 description = "Homeserver for the Matrix decentralised comms protocol"
 readme = "README.rst"
 authors = [
@@ -424,3 +424,7 @@ test-command = "python -c 'from synapse.synapse_rust import sum_as_string; print
 [tool.cibuildwheel.linux]
 # Wrap the repair command to correctly rename the built cpython wheels as ABI3.
 repair-wheel-command = "./.ci/scripts/auditwheel_wrapper.py -w {dest_dir} {wheel}"
+
+[tool.cibuildwheel.macos]
+# Wrap the repair command to correctly rename the built cpython wheels as ABI3.
+repair-wheel-command = "./.ci/scripts/auditwheel_wrapper.py --require-archs {delocate_archs} -w {dest_dir} {wheel}"

schema/synapse-config.schema.yaml

@@ -1,5 +1,5 @@
 $schema: https://element-hq.github.io/synapse/latest/schema/v1/meta.schema.json
-$id: https://element-hq.github.io/synapse/schema/synapse/v1.144/synapse-config.schema.json
+$id: https://element-hq.github.io/synapse/schema/synapse/v1.143/synapse-config.schema.json
 type: object
 properties:
   modules:

synapse/appservice/scheduler.py

@@ -506,7 +506,7 @@ class _Recoverer:
 
     def recover(self) -> None:
         delay = Duration(seconds=2**self.backoff_counter)
-        logger.info("Scheduling retries on %s in %fs", self.service.id, delay.as_secs())
+        logger.info("Scheduling retries on %s in %fs", self.service.id, delay)
         self.scheduled_recovery = self.clock.call_later(
             delay,
             self.hs.run_as_background_process,

synapse/events/__init__.py

@@ -548,7 +548,7 @@ class FrozenEventV4(FrozenEventV3):
         assert create_event_id not in self._dict["auth_events"]
         if self.type == EventTypes.Create and self.get_state_key() == "":
             return self._dict["auth_events"]  # should be []
-        return [*self._dict["auth_events"], create_event_id]
+        return self._dict["auth_events"] + [create_event_id]
 
 
 def _event_type_from_format_version(

synapse/handlers/pagination.py

@@ -21,25 +21,22 @@
 import logging
 from typing import TYPE_CHECKING, cast
 
-import attr
-
 from twisted.python.failure import Failure
 
 from synapse.api.constants import Direction, EventTypes, Membership
 from synapse.api.errors import SynapseError
 from synapse.api.filtering import Filter
-from synapse.events import EventBase
-from synapse.handlers.relations import BundledAggregations
+from synapse.events.utils import SerializeEventConfig
 from synapse.handlers.worker_lock import NEW_EVENT_DURING_PURGE_LOCK_NAME
 from synapse.logging.opentracing import trace
 from synapse.rest.admin._base import assert_user_is_admin
 from synapse.streams.config import PaginationConfig
 from synapse.types import (
+    JsonDict,
     JsonMapping,
     Requester,
     ScheduledTask,
     StreamKeyType,
-    StreamToken,
     TaskStatus,
 )
 from synapse.types.handlers import ShutdownRoomParams, ShutdownRoomResponse
@@ -73,58 +70,6 @@ PURGE_ROOM_ACTION_NAME = "purge_room"
 SHUTDOWN_AND_PURGE_ROOM_ACTION_NAME = "shutdown_and_purge_room"
 
 
-@attr.s(slots=True, frozen=True, auto_attribs=True)
-class GetMessagesResult:
-    """
-    Everything needed to serialize a `/messages` response.
-    """
-
-    messages_chunk: list[EventBase]
-    """
-    A list of room events.
-
-     - When the request is `Direction.FORWARDS`, events will be in the range:
-       `start_token` < x <= `end_token`, (ascending topological_order)
-     - When the request is `Direction.BACKWARDS`, events will be in the range:
-       `start_token` >= x > `end_token`, (descending topological_order)
-
-    Note that an empty chunk does not necessarily imply that no more events are
-    available. Clients should continue to paginate until no `end_token` property is returned.
-    """
-
-    bundled_aggregations: dict[str, BundledAggregations]
-    """
-    A map of event ID to the bundled aggregations for the events in the chunk.
-
-    If an event doesn't have any bundled aggregations, it may not appear in the map.
-    """
-
-    state: list[EventBase] | None
-    """
-    A list of state events relevant to showing the chunk. For example, if
-    lazy_load_members is enabled in the filter then this may contain the membership
-    events for the senders of events in the chunk.
-
-    Omitted from the response when `None`.
-    """
-
-    start_token: StreamToken
-    """
-    Token corresponding to the start of chunk. This will be the same as the value given
-    in `from` query parameter of the `/messages` request.
-    """
-
-    end_token: StreamToken | None
-    """
-    A token corresponding to the end of chunk. This token can be passed back to this
-    endpoint to request further events.
-
-    If no further events are available (either because we have reached the start of the
-    timeline, or because the user does not have permission to see any more events), this
-    property is omitted from the response.
-    """
-
-
 class PaginationHandler:
     """Handles pagination and purge history requests.
 
@@ -473,7 +418,7 @@ class PaginationHandler:
         as_client_event: bool = True,
         event_filter: Filter | None = None,
         use_admin_priviledge: bool = False,
-    ) -> GetMessagesResult:
+    ) -> JsonDict:
         """Get messages in a room.
 
         Args:
@@ -672,13 +617,10 @@ class PaginationHandler:
         # In that case we do not return end, to tell the client
         # there is no need for further queries.
         if not events:
-            return GetMessagesResult(
-                messages_chunk=[],
-                bundled_aggregations={},
-                state=None,
-                start_token=from_token,
-                end_token=None,
-            )
+            return {
+                "chunk": [],
+                "start": await from_token.to_string(self.store),
+            }
 
         if event_filter:
             events = await event_filter.filter(events)
@@ -694,13 +636,11 @@ class PaginationHandler:
         # if after the filter applied there are no more events
         # return immediately - but there might be more in next_token batch
         if not events:
-            return GetMessagesResult(
-                messages_chunk=[],
-                bundled_aggregations={},
-                state=None,
-                start_token=from_token,
-                end_token=next_token,
-            )
+            return {
+                "chunk": [],
+                "start": await from_token.to_string(self.store),
+                "end": await next_token.to_string(self.store),
+            }
 
         state = None
         if event_filter and event_filter.lazy_load_members and len(events) > 0:
@@ -717,20 +657,38 @@ class PaginationHandler:
 
             if state_ids:
                 state_dict = await self.store.get_events(list(state_ids.values()))
-                state = list(state_dict.values())
+                state = state_dict.values()
 
         aggregations = await self._relations_handler.get_bundled_aggregations(
             events, user_id
         )
 
-        return GetMessagesResult(
-            messages_chunk=events,
-            bundled_aggregations=aggregations,
-            state=state,
-            start_token=from_token,
-            end_token=next_token,
+        time_now = self.clock.time_msec()
+
+        serialize_options = SerializeEventConfig(
+            as_client_event=as_client_event, requester=requester
         )
 
+        chunk = {
+            "chunk": (
+                await self._event_serializer.serialize_events(
+                    events,
+                    time_now,
+                    config=serialize_options,
+                    bundle_aggregations=aggregations,
+                )
+            ),
+            "start": await from_token.to_string(self.store),
+            "end": await next_token.to_string(self.store),
+        }
+
+        if state:
+            chunk["state"] = await self._event_serializer.serialize_events(
+                state, time_now, config=serialize_options
+            )
+
+        return chunk
+
     async def _shutdown_and_purge_room(
         self,
         task: ScheduledTask,

synapse/rest/admin/rooms.py

@@ -28,13 +28,9 @@ from immutabledict import immutabledict
 from synapse.api.constants import Direction, EventTypes, JoinRules, Membership
 from synapse.api.errors import AuthError, Codes, NotFoundError, SynapseError
 from synapse.api.filtering import Filter
-from synapse.events.utils import (
-    SerializeEventConfig,
-)
 from synapse.handlers.pagination import (
     PURGE_ROOM_ACTION_NAME,
     SHUTDOWN_AND_PURGE_ROOM_ACTION_NAME,
-    GetMessagesResult,
 )
 from synapse.http.servlet import (
     ResolveRoomIdMixin,
@@ -48,13 +44,11 @@ from synapse.http.servlet import (
     parse_string,
 )
 from synapse.http.site import SynapseRequest
-from synapse.logging.opentracing import trace
 from synapse.rest.admin._base import (
     admin_patterns,
     assert_requester_is_admin,
     assert_user_is_admin,
 )
-from synapse.rest.client.room import SerializeMessagesDeps, encode_messages_response
 from synapse.storage.databases.main.room import RoomSortOrder
 from synapse.streams.config import PaginationConfig
 from synapse.types import JsonDict, RoomID, ScheduledTask, UserID, create_requester
@@ -982,7 +976,6 @@ class RoomMessagesRestServlet(RestServlet):
         self._pagination_handler = hs.get_pagination_handler()
         self._auth = hs.get_auth()
         self._store = hs.get_datastores().main
-        self._event_serializer = hs.get_event_client_serializer()
 
     async def on_GET(
         self, request: SynapseRequest, room_id: str
@@ -1006,11 +999,7 @@ class RoomMessagesRestServlet(RestServlet):
         ):
             as_client_event = False
 
-        serialize_options = SerializeEventConfig(
-            as_client_event=as_client_event, requester=requester
-        )
-
-        get_messages_result = await self._pagination_handler.get_messages(
+        msgs = await self._pagination_handler.get_messages(
             room_id=room_id,
             requester=requester,
             pagin_config=pagination_config,
@@ -1019,27 +1008,7 @@ class RoomMessagesRestServlet(RestServlet):
             use_admin_priviledge=True,
         )
 
-        response_content = await self.encode_response(
-            get_messages_result, serialize_options
-        )
-
-        return HTTPStatus.OK, response_content
-
-    @trace
-    async def encode_response(
-        self,
-        get_messages_result: GetMessagesResult,
-        serialize_options: SerializeEventConfig,
-    ) -> JsonDict:
-        return await encode_messages_response(
-            get_messages_result=get_messages_result,
-            serialize_options=serialize_options,
-            serialize_deps=SerializeMessagesDeps(
-                clock=self._clock,
-                event_serializer=self._event_serializer,
-                store=self._store,
-            ),
-        )
+        return HTTPStatus.OK, msgs
 
 
 class RoomTimestampToEventRestServlet(RestServlet):

synapse/rest/client/room.py

@@ -28,7 +28,6 @@ from http import HTTPStatus
 from typing import TYPE_CHECKING, Awaitable
 from urllib import parse as urlparse
 
-import attr
 from prometheus_client.core import Histogram
 
 from twisted.web.server import Request
@@ -46,12 +45,10 @@ from synapse.api.errors import (
 )
 from synapse.api.filtering import Filter
 from synapse.events.utils import (
-    EventClientSerializer,
     SerializeEventConfig,
     format_event_for_client_v2,
     serialize_event,
 )
-from synapse.handlers.pagination import GetMessagesResult
 from synapse.http.server import HttpServer
 from synapse.http.servlet import (
     ResolveRoomIdMixin,
@@ -67,17 +64,15 @@ from synapse.http.servlet import (
 )
 from synapse.http.site import SynapseRequest
 from synapse.logging.context import make_deferred_yieldable, run_in_background
-from synapse.logging.opentracing import set_tag, trace
+from synapse.logging.opentracing import set_tag
 from synapse.metrics import SERVER_NAME_LABEL
 from synapse.rest.client._base import client_patterns
 from synapse.rest.client.transactions import HttpTransactionCache
 from synapse.state import CREATE_KEY, POWER_KEY
-from synapse.storage.databases.main import DataStore
 from synapse.streams.config import PaginationConfig
 from synapse.types import JsonDict, Requester, StreamToken, ThirdPartyInstanceID, UserID
 from synapse.types.state import StateFilter
 from synapse.util.cancellation import cancellable
-from synapse.util.clock import Clock
 from synapse.util.events import generate_fake_event_id
 from synapse.util.stringutils import parse_and_validate_server_name
 
@@ -795,56 +790,6 @@ class JoinedRoomMemberListRestServlet(RestServlet):
         return 200, {"joined": users_with_profile}
 
 
-@attr.s(slots=True, frozen=True, auto_attribs=True)
-class SerializeMessagesDeps:
-    clock: Clock
-    event_serializer: EventClientSerializer
-    store: DataStore
-
-
-@trace
-async def encode_messages_response(
-    *,
-    get_messages_result: GetMessagesResult,
-    serialize_options: SerializeEventConfig,
-    serialize_deps: SerializeMessagesDeps,
-) -> JsonDict:
-    """
-    Serialize a `GetMessagesResult` into the JSON response format for the `/messages`
-    endpoint.
-
-    This logic is shared between the client API and Synapse admin API.
-    """
-
-    time_now = serialize_deps.clock.time_msec()
-
-    serialized_result = {
-        "chunk": (
-            await serialize_deps.event_serializer.serialize_events(
-                get_messages_result.messages_chunk,
-                time_now,
-                config=serialize_options,
-                bundle_aggregations=get_messages_result.bundled_aggregations,
-            )
-        ),
-        "start": await get_messages_result.start_token.to_string(serialize_deps.store),
-    }
-
-    if get_messages_result.end_token is not None:
-        serialized_result["end"] = await get_messages_result.end_token.to_string(
-            serialize_deps.store
-        )
-
-    if get_messages_result.state is not None:
-        serialized_result[
-            "state"
-        ] = await serialize_deps.event_serializer.serialize_events(
-            get_messages_result.state, time_now, config=serialize_options
-        )
-
-    return serialized_result
-
-
 # TODO: Needs better unit testing
 class RoomMessageListRestServlet(RestServlet):
     PATTERNS = client_patterns("/rooms/(?P<room_id>[^/]*)/messages$", v1=True)
@@ -861,7 +806,6 @@ class RoomMessageListRestServlet(RestServlet):
         self.pagination_handler = hs.get_pagination_handler()
         self.auth = hs.get_auth()
         self.store = hs.get_datastores().main
-        self.event_serializer = hs.get_event_client_serializer()
 
     async def on_GET(
         self, request: SynapseRequest, room_id: str
@@ -895,11 +839,7 @@ class RoomMessageListRestServlet(RestServlet):
         ):
             as_client_event = False
 
-        serialize_options = SerializeEventConfig(
-            as_client_event=as_client_event, requester=requester
-        )
-
-        get_messages_result = await self.pagination_handler.get_messages(
+        msgs = await self.pagination_handler.get_messages(
             room_id=room_id,
             requester=requester,
             pagin_config=pagination_config,
@@ -907,24 +847,6 @@ class RoomMessageListRestServlet(RestServlet):
             event_filter=event_filter,
         )
 
-        # Useful for debugging timeline/pagination issues. For example, if a client
-        # isn't seeing the full history, we can check the homeserver logs to see if the
-        # client just never made the next request with the given `end` token.
-        logger.info(
-            "Responding to `/messages` request: {%s} %s %s -> %d messages with end_token=%s",
-            requester.user.to_string(),
-            request.get_method(),
-            request.get_redacted_uri(),
-            len(get_messages_result.messages_chunk),
-            (await get_messages_result.end_token.to_string(self.store))
-            if get_messages_result.end_token
-            else None,
-        )
-
-        response_content = await self.encode_response(
-            get_messages_result, serialize_options
-        )
-
         processing_end_time = self.clock.time_msec()
         room_member_count = await make_deferred_yieldable(room_member_count_deferred)
         messsages_response_timer.labels(
@@ -932,23 +854,7 @@ class RoomMessageListRestServlet(RestServlet):
             **{SERVER_NAME_LABEL: self.server_name},
         ).observe((processing_end_time - processing_start_time) / 1000)
 
-        return 200, response_content
-
-    @trace
-    async def encode_response(
-        self,
-        get_messages_result: GetMessagesResult,
-        serialize_options: SerializeEventConfig,
-    ) -> JsonDict:
-        return await encode_messages_response(
-            get_messages_result=get_messages_result,
-            serialize_options=serialize_options,
-            serialize_deps=SerializeMessagesDeps(
-                clock=self.clock,
-                event_serializer=self.event_serializer,
-                store=self.store,
-            ),
-        )
+        return 200, msgs
 
 
 # TODO: Needs unit testing

tests/federation/test_federation_server.py

@@ -30,7 +30,6 @@ from synapse.api.constants import EventTypes, Membership
 from synapse.api.errors import FederationError
 from synapse.api.room_versions import KNOWN_ROOM_VERSIONS, RoomVersions
 from synapse.config.server import DEFAULT_ROOM_VERSION
-from synapse.crypto.event_signing import add_hashes_and_signatures
 from synapse.events import EventBase, make_event_from_dict
 from synapse.federation.federation_base import event_from_pdu_json
 from synapse.http.types import QueryParams
@@ -357,44 +356,19 @@ class SendJoinFederationTests(unittest.FederatingHomeserverTestCase):
         self.assertEqual(channel.code, HTTPStatus.OK, channel.json_body)
         return channel.json_body
 
-    def _test_send_join_common(self, room_version: str) -> None:
+    def test_send_join(self) -> None:
         """happy-path test of send_join"""
-        creator_user_id = self.register_user(f"kermit_v{room_version}", "test")
-        tok = self.login(f"kermit_v{room_version}", "test")
-        room_id = self.helper.create_room_as(
-            room_creator=creator_user_id, tok=tok, room_version=room_version
-        )
-
-        # Second member joins
-        second_member_user_id = self.register_user(f"fozzie_v{room_version}", "bear")
-        tok2 = self.login(f"fozzie_v{room_version}", "bear")
-        self.helper.join(room_id, second_member_user_id, tok=tok2)
-
-        # Make join for remote user
         joining_user = "@misspiggy:" + self.OTHER_SERVER_NAME
-        channel = self.make_signed_federation_request(
-            "GET",
-            f"/_matrix/federation/v1/make_join/{room_id}/{joining_user}?ver={room_version}",
-        )
-        self.assertEqual(channel.code, HTTPStatus.OK, channel.json_body)
-        join_result = channel.json_body
+        join_result = self._make_join(joining_user)
 
-        # Sign and send the join
         join_event_dict = join_result["event"]
         self.add_hashes_and_signatures_from_other_server(
             join_event_dict,
-            KNOWN_ROOM_VERSIONS[room_version],
+            KNOWN_ROOM_VERSIONS[DEFAULT_ROOM_VERSION],
         )
-        if room_version in ["1", "2"]:
-            add_hashes_and_signatures(
-                KNOWN_ROOM_VERSIONS[room_version],
-                join_event_dict,
-                signature_name=self.hs.hostname,
-                signing_key=self.hs.signing_key,
-            )
         channel = self.make_signed_federation_request(
             "PUT",
-            f"/_matrix/federation/v2/send_join/{room_id}/x",
+            f"/_matrix/federation/v2/send_join/{self._room_id}/x",
             content=join_event_dict,
         )
         self.assertEqual(channel.code, HTTPStatus.OK, channel.json_body)
@@ -410,8 +384,8 @@ class SendJoinFederationTests(unittest.FederatingHomeserverTestCase):
                 ("m.room.power_levels", ""),
                 ("m.room.join_rules", ""),
                 ("m.room.history_visibility", ""),
-                ("m.room.member", f"@kermit_v{room_version}:test"),
-                ("m.room.member", f"@fozzie_v{room_version}:test"),
+                ("m.room.member", "@kermit:test"),
+                ("m.room.member", "@fozzie:test"),
                 # nb: *not* the joining user
             ],
         )
@@ -424,28 +398,18 @@ class SendJoinFederationTests(unittest.FederatingHomeserverTestCase):
             returned_auth_chain_events,
             [
                 ("m.room.create", ""),
-                ("m.room.member", f"@kermit_v{room_version}:test"),
+                ("m.room.member", "@kermit:test"),
                 ("m.room.power_levels", ""),
                 ("m.room.join_rules", ""),
             ],
         )
 
         # the room should show that the new user is a member
-        r = self.get_success(self._storage_controllers.state.get_current_state(room_id))
+        r = self.get_success(
+            self._storage_controllers.state.get_current_state(self._room_id)
+        )
         self.assertEqual(r[("m.room.member", joining_user)].membership, "join")
 
-    @parameterized.expand([(k,) for k in KNOWN_ROOM_VERSIONS.keys()])
-    @override_config({"use_frozen_dicts": True})
-    def test_send_join_with_frozen_dicts(self, room_version: str) -> None:
-        """Test send_join with USE_FROZEN_DICTS=True"""
-        self._test_send_join_common(room_version)
-
-    @parameterized.expand([(k,) for k in KNOWN_ROOM_VERSIONS.keys()])
-    @override_config({"use_frozen_dicts": False})
-    def test_send_join_without_frozen_dicts(self, room_version: str) -> None:
-        """Test send_join with USE_FROZEN_DICTS=False"""
-        self._test_send_join_common(room_version)
-
     def test_send_join_partial_state(self) -> None:
         """/send_join should return partial state, if requested"""
         joining_user = "@misspiggy:" + self.OTHER_SERVER_NAME

tests/rest/client/sliding_sync/test_extension_thread_subscriptions.py

@@ -351,6 +351,42 @@ class SlidingSyncThreadSubscriptionsExtensionTestCase(SlidingSyncBase):
             len(thread_subscriptions["subscribed"][room_id]), 3, thread_subscriptions
         )
 
+    def test_limit_defaults_to_100(self) -> None:
+        """
+        Test that the limit parameter defaults to 100 when not specified.
+
+        This test verifies that:
+        1. When 'limit' is omitted from the request, it defaults to 100
+        2. All subscriptions (less than 100) are returned in the response
+        """
+        user1_id = self.register_user("user1", "pass")
+        user1_tok = self.login(user1_id, "pass")
+        room_id = self.helper.create_room_as(user1_id, tok=user1_tok)
+
+        # Create 5 thread roots and subscribe to each
+        thread_root_ids = []
+        for i in range(5):
+            thread_root_resp = self.helper.send(
+                room_id, body=f"Thread root {i}", tok=user1_tok
+            )
+            thread_root_ids.append(thread_root_resp["event_id"])
+            self._subscribe_to_thread(user1_id, room_id, thread_root_ids[-1])
+
+        # Sync without specifying 'limit' - it should default to 100
+        sync_body = {
+            "lists": {},
+            "extensions": {EXT_NAME: {"enabled": True}},
+        }
+
+        # Sync
+        response_body, _ = self.do_sync(sync_body, tok=user1_tok)
+
+        # Assert: All 5 subscriptions should be returned since the default limit is 100
+        thread_subscriptions = response_body["extensions"][EXT_NAME]
+        self.assertEqual(
+            len(thread_subscriptions["subscribed"][room_id]), 5, thread_subscriptions
+        )
+
     def test_limit_and_companion_backpagination(self) -> None:
         """
         Create 1 thread subscription, do a sync, create 4 more,