Fix the config schema not passing validation with the default config

.ci/before_build_wheel.sh

@@ -7,4 +7,4 @@ if command -v yum &> /dev/null; then
 fi
 
 # Install a Rust toolchain
-curl https://sh.rustup.rs -sSf | sh -s -- --default-toolchain stable -y --profile minimal
+curl https://sh.rustup.rs -sSf | sh -s -- --default-toolchain 1.82.0 -y --profile minimal

.ci/scripts/auditwheel_wrapper.py

@@ -0,0 +1,147 @@
+#!/usr/bin/env python
+#
+# This file is licensed under the Affero General Public License (AGPL) version 3.
+#
+# Copyright (C) 2023 New Vector, Ltd
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# See the GNU Affero General Public License for more details:
+# <https://www.gnu.org/licenses/agpl-3.0.html>.
+#
+# Originally licensed under the Apache License, Version 2.0:
+# <http://www.apache.org/licenses/LICENSE-2.0>.
+#
+# [This file includes modifications made by New Vector Limited]
+#
+#
+
+# Wraps `auditwheel repair` to first check if we're repairing a potentially abi3
+# compatible wheel, if so rename the wheel before repairing it.
+
+import argparse
+import os
+import subprocess
+from typing import Optional
+from zipfile import ZipFile
+
+from packaging.tags import Tag
+from packaging.utils import parse_wheel_filename
+from packaging.version import Version
+
+
+def check_is_abi3_compatible(wheel_file: str) -> None:
+    """Check the contents of the built wheel for any `.so` files that are *not*
+    abi3 compatible.
+    """
+
+    with ZipFile(wheel_file, "r") as wheel:
+        for file in wheel.namelist():
+            if not file.endswith(".so"):
+                continue
+
+            if not file.endswith(".abi3.so"):
+                raise Exception(f"Found non-abi3 lib: {file}")
+
+
+def cpython(wheel_file: str, name: str, version: Version, tag: Tag) -> str:
+    """Replaces the cpython wheel file with a ABI3 compatible wheel"""
+
+    if tag.abi == "abi3":
+        # Nothing to do.
+        return wheel_file
+
+    check_is_abi3_compatible(wheel_file)
+
+    # HACK: it seems that some older versions of pip will consider a wheel marked
+    # as macosx_11_0 as incompatible with Big Sur. I haven't done the full archaeology
+    # here; there are some clues in
+    #     https://github.com/pantsbuild/pants/pull/12857
+    #     https://github.com/pypa/pip/issues/9138
+    #     https://github.com/pypa/packaging/pull/319
+    # Empirically this seems to work, note that macOS 11 and 10.16 are the same,
+    # both versions are valid for backwards compatibility.
+    platform = tag.platform.replace("macosx_11_0", "macosx_10_16")
+    abi3_tag = Tag(tag.interpreter, "abi3", platform)
+
+    dirname = os.path.dirname(wheel_file)
+    new_wheel_file = os.path.join(
+        dirname,
+        f"{name}-{version}-{abi3_tag}.whl",
+    )
+
+    os.rename(wheel_file, new_wheel_file)
+
+    print("Renamed wheel to", new_wheel_file)
+
+    return new_wheel_file
+
+
+def main(wheel_file: str, dest_dir: str, archs: Optional[str]) -> None:
+    """Entry point"""
+
+    # Parse the wheel file name into its parts. Note that `parse_wheel_filename`
+    # normalizes the package name (i.e. it converts matrix_synapse ->
+    # matrix-synapse), which is not what we want.
+    _, version, build, tags = parse_wheel_filename(os.path.basename(wheel_file))
+    name = os.path.basename(wheel_file).split("-")[0]
+
+    if len(tags) != 1:
+        # We expect only a wheel file with only a single tag
+        raise Exception(f"Unexpectedly found multiple tags: {tags}")
+
+    tag = next(iter(tags))
+
+    if build:
+        # We don't use build tags in Synapse
+        raise Exception(f"Unexpected build tag: {build}")
+
+    # If the wheel is for cpython then convert it into an abi3 wheel.
+    if tag.interpreter.startswith("cp"):
+        wheel_file = cpython(wheel_file, name, version, tag)
+
+    # Finally, repair the wheel.
+    if archs is not None:
+        # If we are given archs then we are on macos and need to use
+        # `delocate-listdeps`.
+        subprocess.run(["delocate-listdeps", wheel_file], check=True)
+        subprocess.run(
+            ["delocate-wheel", "--require-archs", archs, "-w", dest_dir, wheel_file],
+            check=True,
+        )
+    else:
+        subprocess.run(["auditwheel", "repair", "-w", dest_dir, wheel_file], check=True)
+
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description="Tag wheel as abi3 and repair it.")
+
+    parser.add_argument(
+        "--wheel-dir",
+        "-w",
+        metavar="WHEEL_DIR",
+        help="Directory to store delocated wheels",
+        required=True,
+    )
+
+    parser.add_argument(
+        "--require-archs",
+        metavar="archs",
+        default=None,
+    )
+
+    parser.add_argument(
+        "wheel_file",
+        metavar="WHEEL_FILE",
+    )
+
+    args = parser.parse_args()
+
+    wheel_file = args.wheel_file
+    wheel_dir = args.wheel_dir
+    archs = args.require_archs
+
+    main(wheel_file, wheel_dir, archs)

.ci/scripts/calculate_jobs.py

@@ -35,58 +35,49 @@ IS_PR = os.environ["GITHUB_REF"].startswith("refs/pull/")
 
 # First calculate the various trial jobs.
 #
-# For PRs, we only run each type of test with the oldest and newest Python
-# version that's supported. The oldest version ensures we don't accidentally
-# introduce syntax or code that's too new, and the newest ensures we don't use
-# code that's been dropped in the latest supported Python version.
+# For PRs, we only run each type of test with the oldest Python version supported (which
+# is Python 3.9 right now)
 
 trial_sqlite_tests = [
     {
-        "python-version": "3.10",
+        "python-version": "3.9",
         "database": "sqlite",
         "extras": "all",
-    },
-    {
-        "python-version": "3.14",
-        "database": "sqlite",
-        "extras": "all",
-    },
+    }
 ]
 
 if not IS_PR:
-    # Otherwise, check all supported Python versions.
-    #
-    # Avoiding running all of these versions on every PR saves on CI time.
     trial_sqlite_tests.extend(
         {
             "python-version": version,
             "database": "sqlite",
             "extras": "all",
         }
-        for version in ("3.11", "3.12", "3.13")
+        for version in ("3.10", "3.11", "3.12", "3.13")
     )
 
-# Only test postgres against the earliest and latest Python versions that we
-# support in order to save on CI time.
 trial_postgres_tests = [
     {
-        "python-version": "3.10",
+        "python-version": "3.9",
         "database": "postgres",
-        "postgres-version": "14",
+        "postgres-version": "13",
         "extras": "all",
-    },
-    {
-        "python-version": "3.14",
-        "database": "postgres",
-        "postgres-version": "17",
-        "extras": "all",
-    },
+    }
 ]
 
-# Ensure that Synapse passes unit tests even with no extra dependencies installed.
+if not IS_PR:
+    trial_postgres_tests.append(
+        {
+            "python-version": "3.13",
+            "database": "postgres",
+            "postgres-version": "17",
+            "extras": "all",
+        }
+    )
+
 trial_no_extra_tests = [
     {
-        "python-version": "3.10",
+        "python-version": "3.9",
         "database": "sqlite",
         "extras": "",
     }
@@ -108,24 +99,24 @@ set_output("trial_test_matrix", test_matrix)
 
 # First calculate the various sytest jobs.
 #
-# For each type of test we only run on bookworm on PRs
+# For each type of test we only run on bullseye on PRs
 
 
 sytest_tests = [
     {
-        "sytest-tag": "bookworm",
+        "sytest-tag": "bullseye",
     },
     {
-        "sytest-tag": "bookworm",
+        "sytest-tag": "bullseye",
         "postgres": "postgres",
     },
     {
-        "sytest-tag": "bookworm",
+        "sytest-tag": "bullseye",
         "postgres": "multi-postgres",
         "workers": "workers",
     },
     {
-        "sytest-tag": "bookworm",
+        "sytest-tag": "bullseye",
         "postgres": "multi-postgres",
         "workers": "workers",
         "reactor": "asyncio",
@@ -136,11 +127,11 @@ if not IS_PR:
     sytest_tests.extend(
         [
             {
-                "sytest-tag": "bookworm",
+                "sytest-tag": "bullseye",
                 "reactor": "asyncio",
             },
             {
-                "sytest-tag": "bookworm",
+                "sytest-tag": "bullseye",
                 "postgres": "postgres",
                 "reactor": "asyncio",
             },

.ci/scripts/prepare_old_deps.sh

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+# this script is run by GitHub Actions in a plain `jammy` container; it
+# - installs the minimal system requirements, and poetry;
+# - patches the project definition file to refer to old versions only;
+# - creates a venv with these old versions using poetry; and finally
+# - invokes `trial` to run the tests with old deps.
+
+set -ex
+
+# Prevent virtualenv from auto-updating pip to an incompatible version
+export VIRTUALENV_NO_DOWNLOAD=1
+
+# TODO: in the future, we could use an implementation of
+#   https://github.com/python-poetry/poetry/issues/3527
+#   https://github.com/pypa/pip/issues/8085
+# to select the lowest possible versions, rather than resorting to this sed script.
+
+# Patch the project definitions in-place:
+# - Replace all lower and tilde bounds with exact bounds
+# - Replace all caret bounds---but not the one that defines the supported Python version!
+# - Delete all lines referring to psycopg2 --- so no testing of postgres support.
+# - Use pyopenssl 17.0, which is the oldest version that works with
+#   a `cryptography` compiled against OpenSSL 1.1.
+# - Omit systemd: we're not logging to journal here.
+
+sed -i \
+   -e "s/[~>]=/==/g" \
+   -e '/^python = "^/!s/\^/==/g' \
+   -e "/psycopg2/d" \
+   -e 's/pyOpenSSL = "==16.0.0"/pyOpenSSL = "==17.0.0"/' \
+   -e '/systemd/d' \
+   pyproject.toml
+
+echo "::group::Patched pyproject.toml"
+cat pyproject.toml
+echo "::endgroup::"

.ci/scripts/test_synapse_port_db.sh

@@ -61,7 +61,7 @@ poetry run update_synapse_database --database-config .ci/postgres-config-unporte
 echo "+++ Comparing ported schema with unported schema"
 # Ignore the tables that portdb creates. (Should it tidy them up when the porting is completed?)
 psql synapse -c "DROP TABLE port_from_sqlite3;"
-pg_dump --format=plain --schema-only --no-tablespaces --no-acl --no-owner --restrict-key=TESTING synapse_unported > unported.sql
-pg_dump --format=plain --schema-only --no-tablespaces --no-acl --no-owner --restrict-key=TESTING synapse          >   ported.sql
+pg_dump --format=plain --schema-only --no-tablespaces --no-acl --no-owner synapse_unported > unported.sql
+pg_dump --format=plain --schema-only --no-tablespaces --no-acl --no-owner synapse          >   ported.sql
 # By default, `diff` returns zero if there are no changes and nonzero otherwise
-diff -u unported.sql ported.sql | tee schema_diff
+diff -u unported.sql ported.sql | tee schema_diff

.ci/scripts/triage_labelled_issue.sh

@@ -1,29 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-# 1) Resolve project ID.
-PROJECT_ID=$(gh project view "$PROJECT_NUMBER" --owner "$PROJECT_OWNER" --format json | jq -r '.id')
-
-# 2) Find existing item (project card) for this issue.
-ITEM_ID=$(
-  gh project item-list "$PROJECT_NUMBER" --owner "$PROJECT_OWNER" --format json \
-  | jq -r --arg url "$ISSUE_URL" '.items[] | select(.content.url==$url) | .id' | head -n1
-)
-
-# 3) If one doesn't exist, add this issue to the project.
-if [ -z "${ITEM_ID:-}" ]; then
-  ITEM_ID=$(gh project item-add "$PROJECT_NUMBER" --owner "$PROJECT_OWNER" --url "$ISSUE_URL" --format json | jq -r '.id')
-fi
-
-# 4) Get Status field id + the option id for TARGET_STATUS.
-FIELDS_JSON=$(gh project field-list "$PROJECT_NUMBER" --owner "$PROJECT_OWNER" --format json)
-STATUS_FIELD=$(echo "$FIELDS_JSON" | jq -r '.fields[] | select(.name=="Status")')
-STATUS_FIELD_ID=$(echo "$STATUS_FIELD" | jq -r '.id')
-OPTION_ID=$(echo "$STATUS_FIELD" | jq -r --arg name "$TARGET_STATUS" '.options[] | select(.name==$name) | .id')
-
-if [ -z "${OPTION_ID:-}" ]; then
-  echo "No Status option named \"$TARGET_STATUS\" found"; exit 1
-fi
-
-# 5) Set Status (moves item to the matching column in the board view).
-gh project item-edit --id "$ITEM_ID" --project-id "$PROJECT_ID" --field-id "$STATUS_FIELD_ID" --single-select-option-id "$OPTION_ID"

.git-blame-ignore-revs

@@ -26,8 +26,3 @@ c4268e3da64f1abb5b31deaeb5769adb6510c0a7
 # Update black to 23.1.0 (https://github.com/matrix-org/synapse/pull/15103)
 9bb2eac71962970d02842bca441f4bcdbbf93a11
 
-# Use type hinting generics in standard collections (https://github.com/element-hq/synapse/pull/19046)
-fc244bb592aa481faf28214a2e2ce3bb4e95d990
-
-# Write union types as X | Y where possible (https://github.com/element-hq/synapse/pull/19111)
-fcac7e0282b074d4bd3414d1c9c181e9701875d9

.github/dependabot.yml

@@ -1,92 +1,23 @@
 version: 2
-# As dependabot is currently only run on a weekly basis, we raise the
-# open-pull-requests-limit to 10 (from the default of 5) to better ensure we
-# don't continuously grow a backlog of updates.
 updates:
   - # "pip" is the correct setting for poetry, per https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem
     package-ecosystem: "pip"
     directory: "/"
-    open-pull-requests-limit: 10
     schedule:
       interval: "weekly"
-    # Group patch updates to packages together into a single PR, as they rarely
-    # if ever contain breaking changes that need to be reviewed separately.
-    # 
-    # Less PRs means a streamlined review process.
-    #
-    # Python packages follow semantic versioning, and tend to only introduce
-    # breaking changes in major version bumps. Thus, we'll group minor and patch
-    # versions together.
-    groups:
-      minor-and-patches:
-        applies-to: version-updates
-        patterns:
-          - "*"
-        update-types:
-          - "minor"
-          - "patch"
-    # Prevent pulling packages that were recently updated to help mitigate
-    # supply chain attacks. 14 days was taken from the recommendation at
-    # https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns
-    # where the author noted that 9/10 attacks would have been mitigated by a
-    # two week cooldown.
-    #
-    # The cooldown only applies to general updates; security updates will still
-    # be pulled in as soon as possible.
-    cooldown:
-      default-days: 14
 
   - package-ecosystem: "docker"
     directory: "/docker"
-    open-pull-requests-limit: 10
     schedule:
       interval: "weekly"
-    # For container versions, breaking changes are also typically only introduced in major
-    # package bumps.
-    groups:
-      minor-and-patches:
-        applies-to: version-updates
-        patterns:
-          - "*"
-        update-types:
-          - "minor"
-          - "patch"
-    cooldown:
-      default-days: 14
 
   - package-ecosystem: "github-actions"
     directory: "/"
-    open-pull-requests-limit: 10
     schedule:
       interval: "weekly"
-    # Similarly for GitHub Actions, breaking changes are typically only introduced in major
-    # package bumps.
-    groups:
-      minor-and-patches:
-        applies-to: version-updates
-        patterns:
-          - "*"
-        update-types:
-          - "minor"
-          - "patch"
-    cooldown:
-      default-days: 14
 
   - package-ecosystem: "cargo"
     directory: "/"
-    open-pull-requests-limit: 10
     versioning-strategy: "lockfile-only"
     schedule:
       interval: "weekly"
-    # The Rust ecosystem is special in that breaking changes are often introduced
-    # in minor version bumps, as packages typically stay pre-1.0 for a long time.
-    # Thus we specifically keep minor version bumps separate in their own PRs.
-    groups:
-      patches:
-        applies-to: version-updates
-        patterns:
-          - "*"
-        update-types:
-          - "patch"
-    cooldown:
-      default-days: 14

.github/workflows/docker.yml

@@ -28,10 +28,10 @@ jobs:
     steps:
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Extract version from pyproject.toml
         # Note: explicitly requesting bash will mean bash is invoked with `-eo pipefail`, see
@@ -41,50 +41,18 @@ jobs:
           echo "SYNAPSE_VERSION=$(grep "^version" pyproject.toml | sed -E 's/version\s*=\s*["]([^"]*)["]/\1/')" >> $GITHUB_ENV
 
       - name: Log in to DockerHub
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Log in to GHCR
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Tailscale
-        uses: tailscale/github-action@53acf823325fe9ca47f4cdaa951f90b4b0de5bb9 # v4.1.1
-        with:
-          oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
-          audience: ${{ secrets.TS_AUDIENCE }}
-          tags: tag:github-actions
-
-      - name: Compute vault jwt role name
-        id: vault-jwt-role
-        run: |
-           echo "role_name=github_service_management_$( echo "${{ github.repository }}" | sed -r 's|[/-]|_|g')" | tee -a "$GITHUB_OUTPUT"
-
-      - name: Get team registry token
-        id: import-secrets
-        uses: hashicorp/vault-action@4c06c5ccf5c0761b6029f56cfb1dcf5565918a3b # v3.4.0
-        with:
-          url: https://vault.infra.ci.i.element.dev
-          role: ${{ steps.vault-jwt-role.outputs.role_name }}
-          path: service-management/github-actions
-          jwtGithubAudience: https://vault.infra.ci.i.element.dev
-          method: jwt
-          secrets: |
-             services/backend-repositories/secret/data/oci.element.io username | OCI_USERNAME ;
-             services/backend-repositories/secret/data/oci.element.io password | OCI_PASSWORD ;
-
-      - name: Login to Element OCI Registry
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-        with:
-          registry: oci-push.vpn.infra.element.io
-          username: ${{ steps.import-secrets.outputs.OCI_USERNAME }}
-          password: ${{ steps.import-secrets.outputs.OCI_PASSWORD }}
-
       - name: Build and push by digest
         id: build
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
@@ -96,7 +64,6 @@ jobs:
           tags: |
             docker.io/matrixdotorg/synapse
             ghcr.io/element-hq/synapse
-            oci-push.vpn.infra.element.io/synapse
           file: "docker/Dockerfile"
           platforms: ${{ matrix.platform }}
           outputs: type=image,push-by-digest=true,name-canonical=true,push=true
@@ -108,7 +75,7 @@ jobs:
           touch "${{ runner.temp }}/digests/${digest#sha256:}"
 
       - name: Upload digest
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@v4
         with:
           name: digests-${{ matrix.suffix }}
           path: ${{ runner.temp }}/digests/*
@@ -123,73 +90,40 @@ jobs:
         repository:
           - docker.io/matrixdotorg/synapse
           - ghcr.io/element-hq/synapse
-          - oci-push.vpn.infra.element.io/synapse
 
     needs:
       - build
     steps:
       - name: Download digests
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           path: ${{ runner.temp }}/digests
           pattern: digests-*
           merge-multiple: true
 
       - name: Log in to DockerHub
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         if: ${{ startsWith(matrix.repository, 'docker.io') }}
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Log in to GHCR
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         if: ${{ startsWith(matrix.repository, 'ghcr.io') }}
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Tailscale
-        uses: tailscale/github-action@53acf823325fe9ca47f4cdaa951f90b4b0de5bb9 # v4.1.1
-        with:
-          oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
-          audience: ${{ secrets.TS_AUDIENCE }}
-          tags: tag:github-actions
-
-      - name: Compute vault jwt role name
-        id: vault-jwt-role
-        run: |
-           echo "role_name=github_service_management_$( echo "${{ github.repository }}" | sed -r 's|[/-]|_|g')" | tee -a "$GITHUB_OUTPUT"
-
-      - name: Get team registry token
-        id: import-secrets
-        uses: hashicorp/vault-action@4c06c5ccf5c0761b6029f56cfb1dcf5565918a3b # v3.4.0
-        with:
-          url: https://vault.infra.ci.i.element.dev
-          role: ${{ steps.vault-jwt-role.outputs.role_name }}
-          path: service-management/github-actions
-          jwtGithubAudience: https://vault.infra.ci.i.element.dev
-          method: jwt
-          secrets: |
-             services/backend-repositories/secret/data/oci.element.io username | OCI_USERNAME ;
-             services/backend-repositories/secret/data/oci.element.io password | OCI_PASSWORD ;
-
-      - name: Login to Element OCI Registry
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-        with:
-          registry: oci-push.vpn.infra.element.io
-          username: ${{ steps.import-secrets.outputs.OCI_USERNAME }}
-          password: ${{ steps.import-secrets.outputs.OCI_PASSWORD }}
-
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+        uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
 
       - name: Calculate docker image tag
-        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
         with:
           images: ${{ matrix.repository }}
           flavor: |

.github/workflows/docs-pr-netlify.yaml

@@ -0,0 +1,34 @@
+name: Deploy documentation PR preview
+
+on:
+  workflow_run:
+    workflows: [ "Prepare documentation PR preview" ]
+    types:
+      - completed
+
+jobs:
+  netlify:
+    if: github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'pull_request'
+    runs-on: ubuntu-latest
+    steps:
+      # There's a 'download artifact' action, but it hasn't been updated for the workflow_run action
+      # (https://github.com/actions/download-artifact/issues/60) so instead we get this mess:
+      - name: 📥 Download artifact
+        uses: dawidd6/action-download-artifact@ac66b43f0e6a346234dd65d4d0c8fbb31cb316e5 # v11
+        with:
+          workflow: docs-pr.yaml
+          run_id: ${{ github.event.workflow_run.id }}
+          name: book
+          path: book
+
+      - name: 📤 Deploy to Netlify
+        uses: matrix-org/netlify-pr-preview@9805cd123fc9a7e421e35340a05e1ebc5dee46b5 # v3
+        with:
+          path: book
+          owner: ${{ github.event.workflow_run.head_repository.owner.login }}
+          branch: ${{ github.event.workflow_run.head_branch }}
+          revision: ${{ github.event.workflow_run.head_sha }}
+          token: ${{ secrets.NETLIFY_AUTH_TOKEN }}
+          site_id: ${{ secrets.NETLIFY_SITE_ID }}
+          desc: Documentation preview
+          deployment_env: PR Documentation Preview

.github/workflows/docs-pr.yaml

@@ -13,7 +13,7 @@ jobs:
     name: GitHub Pages
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           # Fetch all history so that the schema_versions script works.
           fetch-depth: 0
@@ -21,10 +21,10 @@ jobs:
       - name: Setup mdbook
         uses: peaceiris/actions-mdbook@ee69d230fe19748b7abf22df32acaa93833fad08 # v2.0.0
         with:
-          mdbook-version: '0.5.2'
+          mdbook-version: '0.4.17'
 
       - name: Setup python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: "3.x"
 
@@ -39,7 +39,7 @@ jobs:
           cp book/welcome_and_overview.html book/index.html
 
       - name: Upload Artifact
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: book
           path: book
@@ -50,12 +50,12 @@ jobs:
     name: Check links in documentation
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Setup mdbook
         uses: peaceiris/actions-mdbook@ee69d230fe19748b7abf22df32acaa93833fad08 # v2.0.0
         with:
-          mdbook-version: '0.5.2'
+          mdbook-version: '0.4.17'
 
       - name: Setup htmltest
         run: |
@@ -64,17 +64,8 @@ jobs:
           tar zxf htmltest_0.17.0_linux_amd64.tar.gz
 
       - name: Test links with htmltest
+        # Build the book with `./` as the site URL (to make checks on 404.html possible)
+        # Then run htmltest (without checking external links since that involves the network and is slow).
         run: |
-          # Build the book with `./` as the site URL (to make checks on 404.html possible)
           MDBOOK_OUTPUT__HTML__SITE_URL="./" mdbook build
-
-          # Delete the contents of the print.html file, as it can raise false
-          # positives during link checking.
-          #
-          # We empty out the file, instead of deleting it, as doing so would
-          # just cause htmltest to complain that links to it were invalid.
-          # Ideally `htmltest` would have an option to ignore specific files
-          # instead.
-          echo '<!DOCTYPE HTML>' > book/print.html
-
-          ./htmltest book --conf docs/.htmltest.yml
+          ./htmltest book --skip-external

.github/workflows/docs.yaml

@@ -50,7 +50,7 @@ jobs:
     needs:
       - pre
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           # Fetch all history so that the schema_versions script works.
           fetch-depth: 0
@@ -58,13 +58,13 @@ jobs:
       - name: Setup mdbook
         uses: peaceiris/actions-mdbook@ee69d230fe19748b7abf22df32acaa93833fad08 # v2.0.0
         with:
-          mdbook-version: '0.5.2'
+          mdbook-version: '0.4.17'
 
       - name: Set version of docs
         run: echo 'window.SYNAPSE_VERSION = "${{ needs.pre.outputs.branch-version }}";' > ./docs/website_files/version.js
 
       - name: Setup python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: "3.x"
 

.github/workflows/fix_lint.yaml

@@ -18,14 +18,14 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
         with:
           toolchain: ${{ env.RUST_VERSION }}
           components: clippy, rustfmt
-      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
 
       - name: Setup Poetry
         uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0
@@ -47,6 +47,6 @@ jobs:
       - run: cargo fmt
         continue-on-error: true
 
-      - uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7.1.0
+      - uses: stefanzweifel/git-auto-commit-action@778341af668090896ca464160c2def5d1d1a3eb0 # v6.0.1
         with:
           commit_message: "Attempt to fix linting"

.github/workflows/latest_deps.yml

@@ -42,12 +42,12 @@ jobs:
     if: needs.check_repo.outputs.should_run_workflow == 'true'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
         with:
           toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
 
       # The dev dependencies aren't exposed in the wheel metadata (at least with current
       # poetry-core versions), so we install with poetry.
@@ -77,13 +77,13 @@ jobs:
             postgres-version: "14"
 
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
         with:
           toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
 
       - run: sudo apt-get -qq install xmlsec1
       - name: Set up PostgreSQL ${{ matrix.postgres-version }}
@@ -93,7 +93,7 @@ jobs:
             -e POSTGRES_PASSWORD=postgres \
             -e POSTGRES_INITDB_ARGS="--lc-collate C --lc-ctype C --encoding UTF8" \
             postgres:${{ matrix.postgres-version }}
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: "3.x"
       - run: pip install .[all,test]
@@ -126,6 +126,7 @@ jobs:
           -exec echo "::endgroup::" \;
           || true
 
+
   sytest:
     needs: check_repo
     if: needs.check_repo.outputs.should_run_workflow == 'true'
@@ -138,9 +139,9 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - sytest-tag: bookworm
+          - sytest-tag: bullseye
 
-          - sytest-tag: bookworm
+          - sytest-tag: bullseye
             postgres: postgres
             workers: workers
             redis: redis
@@ -151,13 +152,13 @@ jobs:
       BLACKLIST: ${{ matrix.workers && 'synapse-blacklist-with-workers' }}
 
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
         with:
           toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
 
       - name: Ensure sytest runs `pip install`
         # Delete the lockfile so sytest will `pip install` rather than `poetry install`
@@ -172,7 +173,7 @@ jobs:
         if: ${{ always() }}
         run: /sytest/scripts/tap_to_gha.pl /logs/results.tap
       - name: Upload SyTest logs
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: ${{ always() }}
         with:
           name: Sytest Logs - ${{ job.status }} - (${{ join(matrix.*, ', ') }})
@@ -180,6 +181,7 @@ jobs:
             /logs/results.tap
             /logs/**/*.log*
 
+
   complement:
     needs: check_repo
     if: "!failure() && !cancelled() && needs.check_repo.outputs.should_run_workflow == 'true'"
@@ -200,65 +202,23 @@ jobs:
 
     steps:
       - name: Check out synapse codebase
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           path: synapse
 
       - name: Prepare Complement's Prerequisites
         run: synapse/.ci/scripts/setup_complement_prerequisites.sh
 
-      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
           cache-dependency-path: complement/go.sum
           go-version-file: complement/go.mod
 
-      - name: Run Complement Tests
-        id: run_complement_tests
-        # -p=1: We're using `-p 1` to force the test packages to run serially as GHA boxes
-        #     are underpowered and don't like running tons of Synapse instances at once.
-        # -json: Output JSON format so that gotestfmt can parse it.
-        #
-        # tee /tmp/gotest-complement.log: We tee the output to a file so that we can re-process it
-        # later on for better formatting with gotestfmt. But we still want the command
-        # to output to the terminal as it runs so we can see what's happening in
-        # real-time.
-        run: |
+      - run: |
           set -o pipefail
-          COMPLEMENT_DIR=`pwd`/complement synapse/scripts-dev/complement.sh -p 1 -json 2>&1 | tee /tmp/gotest-complement.log
+          TEST_ONLY_IGNORE_POETRY_LOCKFILE=1 POSTGRES=${{ (matrix.database == 'Postgres') && 1 || '' }} WORKERS=${{ (matrix.arrangement == 'workers') && 1 || '' }} COMPLEMENT_DIR=`pwd`/complement synapse/scripts-dev/complement.sh -json 2>&1 | synapse/.ci/scripts/gotestfmt
         shell: bash
-        env:
-          POSTGRES: ${{ (matrix.database == 'Postgres') && 1 || '' }}
-          WORKERS: ${{ (matrix.arrangement == 'workers') && 1 || '' }}
-          TEST_ONLY_IGNORE_POETRY_LOCKFILE: 1
-
-      - name: Formatted Complement test logs
-        # Always run this step if we attempted to run the Complement tests.
-        if: always() && steps.run_complement_tests.outcome != 'skipped'
-        run: cat /tmp/gotest-complement.log | gotestfmt -hide "successful-downloads,empty-packages"
-
-      - name: Run in-repo Complement Tests
-        id: run_in_repo_complement_tests
-        # -p=1: We're using `-p 1` to force the test packages to run serially as GHA boxes
-        #     are underpowered and don't like running tons of Synapse instances at once.
-        # -json: Output JSON format so that gotestfmt can parse it.
-        #
-        # tee /tmp/gotest-in-repo-complement.log: We tee the output to a file so that we can re-process it
-        # later on for better formatting with gotestfmt. But we still want the command
-        # to output to the terminal as it runs so we can see what's happening in
-        # real-time.
-        run: |
-          set -o pipefail
-          COMPLEMENT_DIR=`pwd`/complement synapse/scripts-dev/complement.sh --in-repo -p 1 -json 2>&1 | tee /tmp/gotest-in-repo-complement.log
-        shell: bash
-        env:
-          POSTGRES: ${{ (matrix.database == 'Postgres') && 1 || '' }}
-          WORKERS: ${{ (matrix.arrangement == 'workers') && 1 || '' }}
-          TEST_ONLY_IGNORE_POETRY_LOCKFILE: 1
-
-      - name: Formatted in-repo Complement test logs
-        # Always run this step if we attempted to run the Complement tests.
-        if: always() && steps.run_in_repo_complement_tests.outcome != 'skipped'
-        run: cat /tmp/gotest-in-repo-complement.log | gotestfmt -hide "successful-downloads,empty-packages"
+        name: Run Complement Tests
 
   # Open an issue if the build fails, so we know about it.
   # Only do this if we're not experimenting with this action in a PR.
@@ -274,7 +234,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2.9.2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/poetry_lockfile.yaml

@@ -16,8 +16,8 @@ jobs:
     name: "Check locked dependencies have sdists"
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: '3.x'
       - run: pip install tomli

.github/workflows/push_complement_image.yml

@@ -33,29 +33,29 @@ jobs:
       packages: write
     steps:
       - name: Checkout specific branch (debug build)
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         if: github.event_name == 'workflow_dispatch'
         with:
           ref: ${{ inputs.branch }}
       - name: Checkout clean copy of develop (scheduled build)
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         if: github.event_name == 'schedule'
         with:
           ref: develop
       - name: Checkout clean copy of master (on-push)
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         if: github.event_name == 'push'
         with:
           ref: master
       - name: Login to registry
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Work out labels for complement image
         id: meta
-        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
         with:
           images: ghcr.io/${{ github.repository }}/complement-synapse
           tags: |

.github/workflows/release-artifacts.yml

@@ -5,7 +5,7 @@ name: Build release artifacts
 on:
   # we build on PRs and develop to (hopefully) get early warning
   # of things breaking (but only build one set of debs). PRs skip
-  # building wheels on ARM.
+  # building wheels on macOS & ARM.
   pull_request:
   push:
     branches: ["develop", "release-*"]
@@ -27,8 +27,8 @@ jobs:
     name: "Calculate list of debian distros"
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: "3.x"
       - id: set-distros
@@ -55,16 +55,18 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           path: src
 
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+        with:
+          install: true
 
       - name: Set up docker layer caching
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         with:
           path: /tmp/.buildx-cache
           key: ${{ runner.os }}-buildx-${{ github.sha }}
@@ -72,7 +74,7 @@ jobs:
             ${{ runner.os }}-buildx-
 
       - name: Set up python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: "3.x"
 
@@ -99,7 +101,7 @@ jobs:
           echo "ARTIFACT_NAME=${DISTRO#*:}" >> "$GITHUB_OUTPUT"
 
       - name: Upload debs as artifacts
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: debs-${{ steps.artifact-name.outputs.ARTIFACT_NAME }}
           path: debs/*
@@ -112,45 +114,47 @@ jobs:
         os:
           - ubuntu-24.04
           - ubuntu-24.04-arm
+          - macos-13 # This uses x86-64
+          - macos-14 # This uses arm64
         # is_pr is a flag used to exclude certain jobs from the matrix on PRs.
         # It is not read by the rest of the workflow.
         is_pr:
           - ${{ startsWith(github.ref, 'refs/pull/') }}
 
         exclude:
+          # Don't build macos wheels on PR CI.
+          - is_pr: true
+            os: "macos-13"
+          - is_pr: true
+            os: "macos-14"
           # Don't build aarch64 wheels on PR CI.
           - is_pr: true
             os: "ubuntu-24.04-arm"
 
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           # setup-python@v4 doesn't impose a default python version. Need to use 3.x
           # here, because `python` on osx points to Python 2.7.
           python-version: "3.x"
 
       - name: Install cibuildwheel
-        run: python -m pip install cibuildwheel==3.2.1
+        run: python -m pip install cibuildwheel==3.0.0
 
       - name: Only build a single wheel on PR
         if: startsWith(github.ref, 'refs/pull/')
-        run: echo "CIBW_BUILD="cp310-manylinux_*"" >> $GITHUB_ENV
+        run: echo "CIBW_BUILD="cp39-manylinux_*"" >> $GITHUB_ENV
 
       - name: Build wheels
         run: python -m cibuildwheel --output-dir wheelhouse
         env:
-          # The platforms that we build for are determined by the
-          # `tool.cibuildwheel.skip` option in `pyproject.toml`.
+          # Skip testing for platforms which various libraries don't have wheels
+          # for, and so need extra build deps.
+          CIBW_TEST_SKIP: pp3*-* *i686* *musl*
 
-          # We skip testing wheels for the following platforms in CI:
-          #
-          # pp3*-* (PyPy wheels) broke in CI (TODO: investigate).
-          # musl: (TODO: investigate).
-          CIBW_TEST_SKIP: pp3*-* *musl*
-
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: Wheel-${{ matrix.os }}
           path: ./wheelhouse/*.whl
@@ -161,8 +165,8 @@ jobs:
     if: ${{ !startsWith(github.ref, 'refs/pull/') }}
 
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: "3.10"
 
@@ -171,7 +175,7 @@ jobs:
       - name: Build sdist
         run: python -m build --sdist
 
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: Sdist
           path: dist/*.tar.gz
@@ -187,7 +191,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Download all workflow run artifacts
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
       - name: Build a tarball for the debs
         # We need to merge all the debs uploads into one folder, then compress
         # that.
@@ -196,11 +200,16 @@ jobs:
           mv debs*/* debs/
           tar -cvJf debs.tar.xz debs
       - name: Attach to release
+        # Pinned to work around https://github.com/softprops/action-gh-release/issues/445
+        uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v0.1.15
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          gh release upload "${{ github.ref_name }}" \
-            Sdist/* \
-            Wheel*/* \
-            debs.tar.xz \
-            --repo ${{ github.repository }}
+        with:
+          files: |
+            Sdist/*
+            Wheel*/*
+            debs.tar.xz
+          # if it's not already published, keep the release as a draft.
+          draft: true
+          # mark it as a prerelease if the tag contains 'rc'.
+          prerelease: ${{ contains(github.ref, 'rc') }}

.github/workflows/schema.yaml

@@ -14,8 +14,8 @@ jobs:
     name: Ensure Synapse config schema is valid
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: "3.x"
       - name: Install check-jsonschema
@@ -40,8 +40,8 @@ jobs:
     name: Ensure generated documentation is up-to-date
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: "3.x"
       - name: Install PyYAML

.github/workflows/tests.yml

@@ -26,59 +26,59 @@ jobs:
       linting: ${{ !startsWith(github.ref, 'refs/pull/') || steps.filter.outputs.linting }}
       linting_readme: ${{ !startsWith(github.ref, 'refs/pull/') || steps.filter.outputs.linting_readme }}
     steps:
-      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
-        id: filter
-        # We only check on PRs
-        if: startsWith(github.ref, 'refs/pull/')
-        with:
-          filters: |
-            rust:
-              - 'rust/**'
-              - 'Cargo.toml'
-              - 'Cargo.lock'
-              - '.rustfmt.toml'
-              - '.github/workflows/tests.yml'
+    - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+      id: filter
+      # We only check on PRs
+      if: startsWith(github.ref, 'refs/pull/')
+      with:
+        filters: |
+          rust:
+            - 'rust/**'
+            - 'Cargo.toml'
+            - 'Cargo.lock'
+            - '.rustfmt.toml'
+            - '.github/workflows/tests.yml'
 
-            trial:
-              - 'synapse/**'
-              - 'tests/**'
-              - 'rust/**'
-              - '.ci/scripts/calculate_jobs.py'
-              - 'Cargo.toml'
-              - 'Cargo.lock'
-              - 'pyproject.toml'
-              - 'poetry.lock'
-              - '.github/workflows/tests.yml'
+          trial:
+            - 'synapse/**'
+            - 'tests/**'
+            - 'rust/**'
+            - '.ci/scripts/calculate_jobs.py'
+            - 'Cargo.toml'
+            - 'Cargo.lock'
+            - 'pyproject.toml'
+            - 'poetry.lock'
+            - '.github/workflows/tests.yml'
 
-            integration:
-              - 'synapse/**'
-              - 'rust/**'
-              - 'docker/**'
-              - 'Cargo.toml'
-              - 'Cargo.lock'
-              - 'pyproject.toml'
-              - 'poetry.lock'
-              - 'docker/**'
-              - '.ci/**'
-              - 'scripts-dev/complement.sh'
-              - '.github/workflows/tests.yml'
+          integration:
+            - 'synapse/**'
+            - 'rust/**'
+            - 'docker/**'
+            - 'Cargo.toml'
+            - 'Cargo.lock'
+            - 'pyproject.toml'
+            - 'poetry.lock'
+            - 'docker/**'
+            - '.ci/**'
+            - 'scripts-dev/complement.sh'
+            - '.github/workflows/tests.yml'
 
-            linting:
-              - 'synapse/**'
-              - 'docker/**'
-              - 'tests/**'
-              - 'scripts-dev/**'
-              - 'contrib/**'
-              - 'synmark/**'
-              - 'stubs/**'
-              - '.ci/**'
-              - 'mypy.ini'
-              - 'pyproject.toml'
-              - 'poetry.lock'
-              - '.github/workflows/tests.yml'
+          linting:
+            - 'synapse/**'
+            - 'docker/**'
+            - 'tests/**'
+            - 'scripts-dev/**'
+            - 'contrib/**'
+            - 'synmark/**'
+            - 'stubs/**'
+            - '.ci/**'
+            - 'mypy.ini'
+            - 'pyproject.toml'
+            - 'poetry.lock'
+            - '.github/workflows/tests.yml'
 
-            linting_readme:
-              - 'README.rst'
+          linting_readme:
+            - 'README.rst'
 
   check-sampleconfig:
     runs-on: ubuntu-latest
@@ -86,12 +86,12 @@ jobs:
     if: ${{ needs.changes.outputs.linting == 'true' }}
 
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
         with:
           toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
       - uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0
         with:
           python-version: "3.x"
@@ -106,18 +106,18 @@ jobs:
     if: ${{ needs.changes.outputs.linting == 'true' }}
 
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: "3.x"
-      - run: "pip install 'click==8.1.1' 'GitPython>=3.1.20' 'sqlglot>=28.0.0'"
+      - run: "pip install 'click==8.1.1' 'GitPython>=3.1.20'"
       - run: scripts-dev/check_schema_delta.py --force-colors
 
   check-lockfile:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: "3.x"
       - run: .ci/scripts/check_lockfile.py
@@ -129,7 +129,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Setup Poetry
         uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0
@@ -151,13 +151,13 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
         with:
           toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
 
       - name: Setup Poetry
         uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0
@@ -174,7 +174,7 @@ jobs:
       # Cribbed from
       # https://github.com/AustinScola/mypy-cache-github-action/blob/85ea4f2972abed39b33bd02c36e341b28ca59213/src/restore.ts#L10-L17
       - name: Restore/persist mypy's cache
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         with:
           path: |
             .mypy_cache
@@ -187,20 +187,19 @@ jobs:
   lint-crlf:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Check line endings
         run: scripts-dev/check_line_terminators.sh
 
   lint-newsfile:
-    # Only run on pull_request events, targeting develop/release branches, and skip when the PR author is dependabot[bot].
-    if: ${{ github.event_name == 'pull_request' && (github.base_ref == 'develop' || contains(github.base_ref, 'release-')) && github.event.pull_request.user.login != 'dependabot[bot]' }}
+    if: ${{ (github.base_ref == 'develop'  || contains(github.base_ref, 'release-')) && github.actor != 'dependabot[bot]' }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 0
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: "3.x"
       - run: "pip install 'towncrier>=18.6.0rc1'"
@@ -208,20 +207,40 @@ jobs:
         env:
           PULL_REQUEST_NUMBER: ${{ github.event.number }}
 
+  lint-pydantic:
+    runs-on: ubuntu-latest
+    needs: changes
+    if: ${{ needs.changes.outputs.linting == 'true' }}
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
+        with:
+          toolchain: ${{ env.RUST_VERSION }}
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
+      - uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0
+        with:
+          poetry-version: "2.1.1"
+          extras: "all"
+      - run: poetry run scripts-dev/check_pydantic_models.py
+
   lint-clippy:
     runs-on: ubuntu-latest
     needs: changes
     if: ${{ needs.changes.outputs.rust == 'true' }}
 
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
         with:
-          components: clippy
-          toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
+            components: clippy
+            toolchain: ${{ env.RUST_VERSION }}
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
 
       - run: cargo clippy -- -D warnings
 
@@ -233,14 +252,14 @@ jobs:
     if: ${{ needs.changes.outputs.rust == 'true' }}
 
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
         with:
-          toolchain: nightly-2026-02-01
-          components: clippy
-      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
+            toolchain: nightly-2025-04-23
+            components: clippy
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
 
       - run: cargo clippy --all-features -- -D warnings
 
@@ -251,13 +270,13 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
         with:
           toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
 
       - name: Setup Poetry
         uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0
@@ -287,16 +306,16 @@ jobs:
     if: ${{ needs.changes.outputs.rust == 'true' }}
 
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
         with:
           # We use nightly so that we can use some unstable options that we use in
           # `.rustfmt.toml`.
           toolchain: nightly-2025-04-23
           components: rustfmt
-      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
 
       - run: cargo fmt --check
 
@@ -307,8 +326,8 @@ jobs:
     needs: changes
     if: ${{ needs.changes.outputs.linting_readme == 'true' }}
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: "3.x"
       - run: "pip install rstcheck"
@@ -322,6 +341,7 @@ jobs:
       - lint-mypy
       - lint-crlf
       - lint-newsfile
+      - lint-pydantic
       - check-sampleconfig
       - check-schema-delta
       - check-lockfile
@@ -343,19 +363,21 @@ jobs:
             lint
             lint-mypy
             lint-newsfile
+            lint-pydantic
             lint-clippy
             lint-clippy-nightly
             lint-rust
             lint-rustfmt
             lint-readme
 
+
   calculate-test-jobs:
     if: ${{ !cancelled() && !failure() }} # Allow previous steps to be skipped, but not fail
     needs: linting-done
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: "3.x"
       - id: get-matrix
@@ -372,10 +394,10 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        job: ${{ fromJson(needs.calculate-test-jobs.outputs.trial_test_matrix) }}
+        job:  ${{ fromJson(needs.calculate-test-jobs.outputs.trial_test_matrix) }}
 
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - run: sudo apt-get -qq install xmlsec1
       - name: Set up PostgreSQL ${{ matrix.job.postgres-version }}
         if: ${{ matrix.job.postgres-version }}
@@ -390,10 +412,10 @@ jobs:
             postgres:${{ matrix.job.postgres-version }}
 
       - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
         with:
           toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
 
       - uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0
         with:
@@ -431,13 +453,13 @@ jobs:
       - changes
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
         with:
           toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
 
       # There aren't wheels for some of the older deps, so we need to install
       # their build dependencies
@@ -446,17 +468,19 @@ jobs:
           sudo apt-get -qq install build-essential libffi-dev python3-dev \
             libxml2-dev libxslt-dev xmlsec1 zlib1g-dev libjpeg-dev libwebp-dev
 
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
-          python-version: "3.10"
+          python-version: '3.9'
 
       - name: Prepare old deps
-        # Note: we install using `uv` here, not poetry or pip to allow us to test with the
-        # minimum version of all dependencies, both those explicitly specified and those
-        # implicitly brought in by the explicit dependencies.
-        run: |
-          pip install uv
-          uv pip install --system --resolution=lowest .[all,test]
+        if: steps.cache-poetry-old-deps.outputs.cache-hit != 'true'
+        run: .ci/scripts/prepare_old_deps.sh
+
+      # Note: we install using `pip` here, not poetry. `poetry install` ignores the
+      # build-system section (https://github.com/python-poetry/poetry/issues/6154), but
+      # we explicitly want to test that you can `pip install` using the oldest version
+      # of poetry-core and setuptools-rust.
+      - run: pip install .[all,test]
 
       # We nuke the local copy, as we've installed synapse into the virtualenv
       # (rather than use an editable install, which we no longer support). If we
@@ -490,11 +514,11 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: ["pypy-3.10"]
+        python-version: ["pypy-3.9"]
         extras: ["all"]
 
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       # Install libs necessary for PyPy to build binary wheels for dependencies
       - run: sudo apt-get -qq install xmlsec1 libxml2-dev libxslt-dev
       - uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0
@@ -544,15 +568,15 @@ jobs:
         job: ${{ fromJson(needs.calculate-test-jobs.outputs.sytest_test_matrix) }}
 
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Prepare test blacklist
         run: cat sytest-blacklist .ci/worker-blacklist > synapse-blacklist-with-workers
 
       - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
         with:
           toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
 
       - name: Run SyTest
         run: /bootstrap.sh synapse
@@ -561,7 +585,7 @@ jobs:
         if: ${{ always() }}
         run: /sytest/scripts/tap_to_gha.pl /logs/results.tap
       - name: Upload SyTest logs
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: ${{ always() }}
         with:
           name: Sytest Logs - ${{ job.status }} - (${{ join(matrix.job.*, ', ') }})
@@ -591,7 +615,7 @@ jobs:
           --health-retries 5
 
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - run: sudo apt-get -qq install xmlsec1 postgresql-client
       - uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0
         with:
@@ -604,6 +628,7 @@ jobs:
           PGPASSWORD: postgres
           PGDATABASE: postgres
 
+
   portdb:
     if: ${{ !failure() && !cancelled() && needs.changes.outputs.integration == 'true'}} # Allow previous steps to be skipped, but not fail
     needs:
@@ -613,10 +638,10 @@ jobs:
     strategy:
       matrix:
         include:
-          - python-version: "3.10"
-            postgres-version: "14"
+          - python-version: "3.9"
+            postgres-version: "13"
 
-          - python-version: "3.14"
+          - python-version: "3.13"
             postgres-version: "17"
 
     services:
@@ -634,7 +659,7 @@ jobs:
           --health-retries 5
 
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Add PostgreSQL apt repository
         # We need a version of pg_dump that can handle the version of
         # PostgreSQL being tested against. The Ubuntu package repository lags
@@ -658,7 +683,7 @@ jobs:
           PGPASSWORD: postgres
           PGDATABASE: postgres
       - name: "Upload schema differences"
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: ${{ failure() && !cancelled() && steps.run_tester_script.outcome == 'failure' }}
         with:
           name: Schema dumps
@@ -689,69 +714,33 @@ jobs:
 
     steps:
       - name: Checkout synapse codebase
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           path: synapse
 
       - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
         with:
           toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
 
       - name: Prepare Complement's Prerequisites
         run: synapse/.ci/scripts/setup_complement_prerequisites.sh
 
-      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
           cache-dependency-path: complement/go.sum
           go-version-file: complement/go.mod
 
-      - name: Run Complement Tests
-        id: run_complement_tests
-        # -p=1: We're using `-p 1` to force the test packages to run serially as GHA boxes
-        #     are underpowered and don't like running tons of Synapse instances at once.
-        # -json: Output JSON format so that gotestfmt can parse it.
-        #
-        # tee /tmp/gotest-complement.log: We tee the output to a file so that we can re-process it
-        # later on for better formatting with gotestfmt. But we still want the command
-        # to output to the terminal as it runs so we can see what's happening in
-        # real-time.
-        run: |
+        # use p=1 concurrency as GHA boxes are underpowered and don't like running tons of synapses at once.
+      - run: |
           set -o pipefail
-          COMPLEMENT_DIR=`pwd`/complement synapse/scripts-dev/complement.sh -p 1 -json 2>&1 | tee /tmp/gotest-complement.log
+          COMPLEMENT_DIR=`pwd`/complement synapse/scripts-dev/complement.sh -p 1 -json 2>&1 | synapse/.ci/scripts/gotestfmt
         shell: bash
         env:
           POSTGRES: ${{ (matrix.database == 'Postgres') && 1 || '' }}
           WORKERS: ${{ (matrix.arrangement == 'workers') && 1 || '' }}
-
-      - name: Formatted Complement test logs
-        # Always run this step if we attempted to run the Complement tests.
-        if: always() && steps.run_complement_tests.outcome != 'skipped'
-        run: cat /tmp/gotest-complement.log | gotestfmt -hide "successful-downloads,empty-packages"
-
-      - name: Run in-repo Complement Tests
-        id: run_in_repo_complement_tests
-        # -p=1: We're using `-p 1` to force the test packages to run serially as GHA boxes
-        #     are underpowered and don't like running tons of Synapse instances at once.
-        # -json: Output JSON format so that gotestfmt can parse it.
-        #
-        # tee /tmp/gotest-in-repo-complement.log: We tee the output to a file so that we can re-process it
-        # later on for better formatting with gotestfmt. But we still want the command
-        # to output to the terminal as it runs so we can see what's happening in
-        # real-time.
-        run: |
-          set -o pipefail
-          COMPLEMENT_DIR=`pwd`/complement synapse/scripts-dev/complement.sh --in-repo -p 1 -json 2>&1 | tee /tmp/gotest-in-repo-complement.log
-        shell: bash
-        env:
-          POSTGRES: ${{ (matrix.database == 'Postgres') && 1 || '' }}
-          WORKERS: ${{ (matrix.arrangement == 'workers') && 1 || '' }}
-
-      - name: Formatted in-repo Complement test logs
-        # Always run this step if we attempted to run the Complement tests.
-        if: always() && steps.run_in_repo_complement_tests.outcome != 'skipped'
-        run: cat /tmp/gotest-in-repo-complement.log | gotestfmt -hide "successful-downloads,empty-packages"
+        name: Run Complement Tests
 
   cargo-test:
     if: ${{ needs.changes.outputs.rust == 'true' }}
@@ -761,13 +750,13 @@ jobs:
       - changes
 
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
         with:
           toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
 
       - run: cargo test
 
@@ -781,13 +770,13 @@ jobs:
       - changes
 
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
         with:
-          toolchain: nightly-2022-12-01
-      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
+            toolchain: nightly-2022-12-01
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
 
       - run: cargo bench --no-run
 

.github/workflows/triage_labelled.yml

@@ -6,26 +6,43 @@ on:
 
 jobs:
   move_needs_info:
+    name: Move X-Needs-Info on the triage board
     runs-on: ubuntu-latest
     if: >
       contains(github.event.issue.labels.*.name, 'X-Needs-Info')
-    permissions:
-      contents: read
-    env:
-      # This token must have the following scopes: ["repo:public_repo", "admin:org->read:org", "user->read:user", "project"]
-      GITHUB_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }}
-      PROJECT_OWNER: matrix-org
-      # Backend issue triage board.
-      # https://github.com/orgs/matrix-org/projects/67/views/1
-      PROJECT_NUMBER: 67
-      ISSUE_URL: ${{ github.event.issue.html_url }}
-      # This field is case-sensitive.
-      TARGET_STATUS: Needs info
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/add-to-project@5b1a254a3546aef88e0a7724a77a623fa2e47c36 # main (v1.0.2 + 10 commits)
+        id: add_project
         with:
-          # Only clone the script file we care about, instead of the whole repo.
-          sparse-checkout: .ci/scripts/triage_labelled_issue.sh
-
-      - name: Ensure issue exists on the board, then set Status
-        run: .ci/scripts/triage_labelled_issue.sh
+          project-url: "https://github.com/orgs/matrix-org/projects/67"
+          github-token: ${{ secrets.ELEMENT_BOT_TOKEN }}
+        # This action will error if the issue already exists on the project. Which is
+        # common as `X-Needs-Info` will often be added to issues that are already in
+        # the triage queue. Prevent the whole job from failing in this case.
+        continue-on-error: true
+      - name: Set status
+        env:
+          GITHUB_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }}
+        run: |
+          gh api graphql -f query='
+          mutation(
+              $project: ID!
+              $item: ID!
+              $fieldid: ID!
+              $columnid: String!
+            )  {
+            updateProjectV2ItemFieldValue(
+              input: {
+               projectId: $project
+                itemId: $item
+                fieldId: $fieldid
+                value: { 
+                  singleSelectOptionId: $columnid
+                  }
+              }
+            ) {
+              projectV2Item {
+                id
+              }
+            }
+          }' -f project="PVT_kwDOAIB0Bs4AFDdZ" -f item=${{ steps.add_project.outputs.itemId }} -f fieldid="PVTSSF_lADOAIB0Bs4AFDdZzgC6ZA4" -f columnid=ba22e43c --silent

.github/workflows/twisted_trunk.yml

@@ -12,9 +12,10 @@ on:
       twisted_ref:
         description: Commit, branch or tag to checkout from upstream Twisted.
         required: false
-        default: "trunk"
+        default: 'trunk'
         type: string
 
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -42,13 +43,13 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
         with:
           toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
 
       - uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0
         with:
@@ -69,14 +70,14 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - run: sudo apt-get -qq install xmlsec1
 
       - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
         with:
           toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
 
       - uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0
         with:
@@ -88,6 +89,7 @@ jobs:
           poetry add --extras tls git+https://github.com/twisted/twisted.git#trunk
           poetry install --no-interaction --extras "all test"
       - run: poetry run trial --jobs 2 tests
+
       - name: Dump logs
         # Logs are most useful when the command fails, always include them.
         if: ${{ always() }}
@@ -106,22 +108,22 @@ jobs:
     if: needs.check_repo.outputs.should_run_workflow == 'true'
     runs-on: ubuntu-latest
     container:
-      # We're using bookworm because that's what Debian oldstable is at the time of writing.
+      # We're using debian:bullseye because it uses Python 3.9 which is our minimum supported Python version.
       # This job is a canary to warn us about unreleased twisted changes that would cause problems for us if
       # they were to be released immediately. For simplicity's sake (and to save CI runners) we use the oldest
       # version, assuming that any incompatibilities on newer versions would also be present on the oldest.
-      image: matrixdotorg/sytest-synapse:bookworm
+      image: matrixdotorg/sytest-synapse:bullseye
       volumes:
         - ${{ github.workspace }}:/src
 
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
         with:
           toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
 
       - name: Patch dependencies
         # Note: The poetry commands want to create a virtualenv in /src/.venv/,
@@ -145,7 +147,7 @@ jobs:
         if: ${{ always() }}
         run: /sytest/scripts/tap_to_gha.pl /logs/results.tap
       - name: Upload SyTest logs
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: ${{ always() }}
         with:
           name: Sytest Logs - ${{ job.status }} - (${{ join(matrix.*, ', ') }})
@@ -173,14 +175,14 @@ jobs:
 
     steps:
       - name: Run actions/checkout@v4 for synapse
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           path: synapse
 
       - name: Prepare Complement's Prerequisites
         run: synapse/.ci/scripts/setup_complement_prerequisites.sh
 
-      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
           cache-dependency-path: complement/go.sum
           go-version-file: complement/go.mod
@@ -197,53 +199,11 @@ jobs:
           poetry lock
         working-directory: synapse
 
-      - name: Run Complement Tests
-        id: run_complement_tests
-        # -p=1: We're using `-p 1` to force the test packages to run serially as GHA boxes
-        #     are underpowered and don't like running tons of Synapse instances at once.
-        # -json: Output JSON format so that gotestfmt can parse it.
-        #
-        # tee /tmp/gotest-complement.log: We tee the output to a file so that we can re-process it
-        # later on for better formatting with gotestfmt. But we still want the command
-        # to output to the terminal as it runs so we can see what's happening in
-        # real-time.
-        run: |
+      - run: |
           set -o pipefail
-          COMPLEMENT_DIR=`pwd`/complement synapse/scripts-dev/complement.sh -p 1 -json 2>&1 | tee /tmp/gotest-complement.log
+          TEST_ONLY_SKIP_DEP_HASH_VERIFICATION=1 POSTGRES=${{ (matrix.database == 'Postgres') && 1 || '' }} WORKERS=${{ (matrix.arrangement == 'workers') && 1 || '' }} COMPLEMENT_DIR=`pwd`/complement synapse/scripts-dev/complement.sh -json 2>&1 | synapse/.ci/scripts/gotestfmt
         shell: bash
-        env:
-          POSTGRES: ${{ (matrix.database == 'Postgres') && 1 || '' }}
-          WORKERS: ${{ (matrix.arrangement == 'workers') && 1 || '' }}
-          TEST_ONLY_SKIP_DEP_HASH_VERIFICATION: 1
-
-      - name: Formatted Complement test logs
-        # Always run this step if we attempted to run the Complement tests.
-        if: always() && steps.run_complement_tests.outcome != 'skipped'
-        run: cat /tmp/gotest-complement.log | gotestfmt -hide "successful-downloads,empty-packages"
-
-      - name: Run in-repo Complement Tests
-        id: run_in_repo_complement_tests
-        # -p=1: We're using `-p 1` to force the test packages to run serially as GHA boxes
-        #     are underpowered and don't like running tons of Synapse instances at once.
-        # -json: Output JSON format so that gotestfmt can parse it.
-        #
-        # tee /tmp/gotest-in-repo-complement.log: We tee the output to a file so that we can re-process it
-        # later on for better formatting with gotestfmt. But we still want the command
-        # to output to the terminal as it runs so we can see what's happening in
-        # real-time.
-        run: |
-          set -o pipefail
-          COMPLEMENT_DIR=`pwd`/complement synapse/scripts-dev/complement.sh --in-repo -p 1 -json 2>&1 | tee /tmp/gotest-in-repo-complement.log
-        shell: bash
-        env:
-          POSTGRES: ${{ (matrix.database == 'Postgres') && 1 || '' }}
-          WORKERS: ${{ (matrix.arrangement == 'workers') && 1 || '' }}
-          TEST_ONLY_SKIP_DEP_HASH_VERIFICATION: 1
-
-      - name: Formatted in-repo Complement test logs
-        # Always run this step if we attempted to run the Complement tests.
-        if: always() && steps.run_in_repo_complement_tests.outcome != 'skipped'
-        run: cat /tmp/gotest-in-repo-complement.log | gotestfmt -hide "successful-downloads,empty-packages"
+        name: Run Complement Tests
 
   # open an issue if the build fails, so we know about it.
   open-issue:
@@ -257,7 +217,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2.9.2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Cargo.lock

@@ -2,6 +2,21 @@
 # It is not intended for manual editing.
 version = 3
 
+[[package]]
+name = "addr2line"
+version = "0.24.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dfbe277e56a376000877090da837660b4427aad530e3028d44e0bffe4f89a1c1"
+dependencies = [
+ "gimli",
+]
+
+[[package]]
+name = "adler2"
+version = "2.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "320119579fcad9c21884f5c4861d16174d0e06250625266f50fe6898340abefa"
+
 [[package]]
 name = "aho-corasick"
 version = "1.1.3"
@@ -13,9 +28,9 @@ dependencies = [
 
 [[package]]
 name = "anyhow"
-version = "1.0.100"
+version = "1.0.98"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a23eb6b1614318a8071c9b2521f36b424b2c83db5eb3a0fead4a6c0809af6e61"
+checksum = "e16d2d3311acee920a9eb8d33b8cbc1787ce4a264e85f964c2404b969bdcd487"
 
 [[package]]
 name = "arc-swap"
@@ -35,6 +50,21 @@ version = "1.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"
 
+[[package]]
+name = "backtrace"
+version = "0.3.75"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6806a6321ec58106fea15becdad98371e28d92ccbc7c8f1b3b6dd724fe8f1002"
+dependencies = [
+ "addr2line",
+ "cfg-if",
+ "libc",
+ "miniz_oxide",
+ "object",
+ "rustc-demangle",
+ "windows-targets",
+]
+
 [[package]]
 name = "base64"
 version = "0.22.1"
@@ -73,9 +103,9 @@ checksum = "46c5e41b57b8bba42a04676d81cb89e9ee8e859a1a66f80a5a72e1cb76b34d43"
 
 [[package]]
 name = "bytes"
-version = "1.11.1"
+version = "1.10.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1e748733b7cbc798e1434b6ac524f0c1ff2ab456fe201501e6497c8417a4fc33"
+checksum = "d71b6127be86fdcfddb610f7182ac57211d4b18a3e9c82eb2d17662f2227ad6a"
 
 [[package]]
 name = "cc"
@@ -311,6 +341,12 @@ dependencies = [
  "wasm-bindgen",
 ]
 
+[[package]]
+name = "gimli"
+version = "0.31.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "07e28edb80900c19c28f1072f2e8aeca7fa06b23cd4169cefe1af5aa3260783f"
+
 [[package]]
 name = "h2"
 version = "0.4.11"
@@ -374,11 +410,12 @@ checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
 
 [[package]]
 name = "http"
-version = "1.4.0"
+version = "1.3.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e3ba2a386d7f85a81f119ad7498ebe444d2e22c2af0b86b069416ace48b3311a"
+checksum = "f4a85d31aea989eead29a3aaf9e1115a180df8282431156e533de47660892565"
 dependencies = [
  "bytes",
+ "fnv",
  "itoa",
 ]
 
@@ -588,9 +625,9 @@ dependencies = [
 
 [[package]]
 name = "icu_segmenter"
-version = "2.0.1"
+version = "2.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "38e30e593cf9c3ca2f51aa312eb347cd1ba95715e91a842ec3fc9058eab2af4b"
+checksum = "e185fc13b6401c138cf40db12b863b35f5edf31b88192a545857b41aeaf7d3d3"
 dependencies = [
  "core_maths",
  "displaydoc",
@@ -647,6 +684,17 @@ version = "2.0.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f4c7245a08504955605670dbf141fceab975f15ca21570696aebe9d2e71576bd"
 
+[[package]]
+name = "io-uring"
+version = "0.7.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d93587f37623a1a17d94ef2bc9ada592f5465fe7732084ab7beefabe5c77c0c4"
+dependencies = [
+ "bitflags",
+ "cfg-if",
+ "libc",
+]
+
 [[package]]
 name = "ipnet"
 version = "2.11.0"
@@ -705,9 +753,9 @@ checksum = "241eaef5fd12c88705a01fc1066c48c4b36e0dd4377dcdc7ec3942cea7a69956"
 
 [[package]]
 name = "log"
-version = "0.4.29"
+version = "0.4.27"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5e5032e24019045c762d3c0f28f5b6b8bbf38563a65908389bf7978758920897"
+checksum = "13dc2df351e3202783a1fe0d44375f7295ffb4049267b0f3018346dc122a1d94"
 
 [[package]]
 name = "lru-slab"
@@ -736,6 +784,15 @@ version = "0.3.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6877bb514081ee2a7ff5ef9de3281f14a4dd4bceac4c09388074a6b5df8a139a"
 
+[[package]]
+name = "miniz_oxide"
+version = "0.8.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1fa76a2c86f704bdb222d66965fb3d63269ce38518b83cb0575fca855ebb6316"
+dependencies = [
+ "adler2",
+]
+
 [[package]]
 name = "mio"
 version = "1.0.4"
@@ -747,6 +804,15 @@ dependencies = [
  "windows-sys 0.59.0",
 ]
 
+[[package]]
+name = "object"
+version = "0.36.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "62948e14d923ea95ea2c7c86c71013138b66525b86bdc08d2dcc262bdb497b87"
+dependencies = [
+ "memchr",
+]
+
 [[package]]
 name = "once_cell"
 version = "1.21.3"
@@ -813,9 +879,9 @@ dependencies = [
 
 [[package]]
 name = "pyo3"
-version = "0.27.2"
+version = "0.25.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ab53c047fcd1a1d2a8820fe84f05d6be69e9526be40cb03b73f86b6b03e6d87d"
+checksum = "8970a78afe0628a3e3430376fc5fd76b6b45c4d43360ffd6cdd40bdde72b682a"
 dependencies = [
  "anyhow",
  "indoc",
@@ -831,18 +897,19 @@ dependencies = [
 
 [[package]]
 name = "pyo3-build-config"
-version = "0.27.2"
+version = "0.25.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b455933107de8642b4487ed26d912c2d899dec6114884214a0b3bb3be9261ea6"
+checksum = "458eb0c55e7ece017adeba38f2248ff3ac615e53660d7c71a238d7d2a01c7598"
 dependencies = [
+ "once_cell",
  "target-lexicon",
 ]
 
 [[package]]
 name = "pyo3-ffi"
-version = "0.27.2"
+version = "0.25.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1c85c9cbfaddf651b1221594209aed57e9e5cff63c4d11d1feead529b872a089"
+checksum = "7114fe5457c61b276ab77c5055f206295b812608083644a5c5b2640c3102565c"
 dependencies = [
  "libc",
  "pyo3-build-config",
@@ -850,9 +917,9 @@ dependencies = [
 
 [[package]]
 name = "pyo3-log"
-version = "0.13.2"
+version = "0.12.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2f8bae9ad5ba08b0b0ed2bb9c2bdbaeccc69cafca96d78cf0fbcea0d45d122bb"
+checksum = "45192e5e4a4d2505587e27806c7b710c231c40c56f3bfc19535d0bb25df52264"
 dependencies = [
  "arc-swap",
  "log",
@@ -861,9 +928,9 @@ dependencies = [
 
 [[package]]
 name = "pyo3-macros"
-version = "0.27.2"
+version = "0.25.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0a5b10c9bf9888125d917fb4d2ca2d25c8df94c7ab5a52e13313a07e050a3b02"
+checksum = "a8725c0a622b374d6cb051d11a0983786448f7785336139c3c94f5aa6bef7e50"
 dependencies = [
  "proc-macro2",
  "pyo3-macros-backend",
@@ -873,9 +940,9 @@ dependencies = [
 
 [[package]]
 name = "pyo3-macros-backend"
-version = "0.27.2"
+version = "0.25.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "03b51720d314836e53327f5871d4c0cfb4fb37cc2c4a11cc71907a86342c40f9"
+checksum = "4109984c22491085343c05b0dbc54ddc405c3cf7b4374fc533f5c3313a572ccc"
 dependencies = [
  "heck",
  "proc-macro2",
@@ -886,9 +953,9 @@ dependencies = [
 
 [[package]]
 name = "pythonize"
-version = "0.27.0"
+version = "0.25.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a3a8f29db331e28c332c63496cfcbb822aca3d7320bc08b655d7fd0c29c50ede"
+checksum = "597907139a488b22573158793aa7539df36ae863eba300c75f3a0d65fc475e27"
 dependencies = [
  "pyo3",
  "serde",
@@ -995,9 +1062,9 @@ dependencies = [
 
 [[package]]
 name = "regex"
-version = "1.12.2"
+version = "1.11.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "843bc0191f75f3e22651ae5f1e72939ab2f72a4bc30fa80a066bd66edefc24d4"
+checksum = "b544ef1b4eac5dc2db33ea63606ae9ffcfac26c1416a2806ae0bf5f56b201191"
 dependencies = [
  "aho-corasick",
  "memchr",
@@ -1007,9 +1074,9 @@ dependencies = [
 
 [[package]]
 name = "regex-automata"
-version = "0.4.13"
+version = "0.4.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5276caf25ac86c8d810222b3dbb938e512c55c6831a10f3e6ed1c93b84041f1c"
+checksum = "809e8dc61f6de73b46c85f4c96486310fe304c434cfa43669d7b40f711150908"
 dependencies = [
  "aho-corasick",
  "memchr",
@@ -1024,9 +1091,9 @@ checksum = "2b15c43186be67a4fd63bee50d0303afffcef381492ebe2c5d87f324e1b8815c"
 
 [[package]]
 name = "reqwest"
-version = "0.12.28"
+version = "0.12.22"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "eddd3ca559203180a307f12d114c268abf583f59b03cb906fd0b3ff8646c1147"
+checksum = "cbc931937e6ca3a06e3b6c0aa7841849b160a90351d6ab467a8b9b9959767531"
 dependencies = [
  "base64",
  "bytes",
@@ -1078,6 +1145,12 @@ dependencies = [
  "windows-sys 0.52.0",
 ]
 
+[[package]]
+name = "rustc-demangle"
+version = "0.1.26"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "56f7d92ca342cea22a06f2121d944b4fd82af56988c270852495420f961d4ace"
+
 [[package]]
 name = "rustc-hash"
 version = "2.1.1"
@@ -1177,28 +1250,18 @@ dependencies = [
 
 [[package]]
 name = "serde"
-version = "1.0.228"
+version = "1.0.219"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9a8e94ea7f378bd32cbbd37198a4a91436180c5bb472411e48b5ec2e2124ae9e"
-dependencies = [
- "serde_core",
- "serde_derive",
-]
-
-[[package]]
-name = "serde_core"
-version = "1.0.228"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "41d385c7d4ca58e59fc732af25c3983b67ac852c1a25000afe1175de458b67ad"
+checksum = "5f0e2c6ed6606019b4e29e69dbaba95b11854410e5347d525002456dbbb786b6"
 dependencies = [
  "serde_derive",
 ]
 
 [[package]]
 name = "serde_derive"
-version = "1.0.228"
+version = "1.0.219"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d540f220d3187173da220f885ab66608367b6574e925011a9353e4badda91d79"
+checksum = "5b0276cf7f2c73365f7157c8123c21cd9a50fbbd844757af28ca1f5925fc2a00"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -1207,15 +1270,14 @@ dependencies = [
 
 [[package]]
 name = "serde_json"
-version = "1.0.149"
+version = "1.0.141"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "83fc039473c5595ace860d8c4fafa220ff474b3fc6bfdb4293327f1a37e94d86"
+checksum = "30b9eff21ebe718216c6ec64e1d9ac57087aad11efc64e32002bce4a0d4c03d3"
 dependencies = [
  "itoa",
  "memchr",
+ "ryu",
  "serde",
- "serde_core",
- "zmij",
 ]
 
 [[package]]
@@ -1260,9 +1322,9 @@ checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64"
 
 [[package]]
 name = "slab"
-version = "0.4.11"
+version = "0.4.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7a2ae44ef20feb57a68b23d846850f861394c2e02dc425a50098ae8c90267589"
+checksum = "04dc19736151f35336d325007ac991178d504a119863a2fcb3758cdb5e52c50d"
 
 [[package]]
 name = "smallvec"
@@ -1416,16 +1478,19 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
 
 [[package]]
 name = "tokio"
-version = "1.49.0"
+version = "1.47.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "72a2903cd7736441aac9df9d7688bd0ce48edccaadf181c3b90be801e81d3d86"
+checksum = "43864ed400b6043a4757a25c7a64a8efde741aed79a056a2fb348a406701bb35"
 dependencies = [
+ "backtrace",
  "bytes",
+ "io-uring",
  "libc",
  "mio",
  "pin-project-lite",
+ "slab",
  "socket2 0.6.0",
- "windows-sys 0.61.2",
+ "windows-sys 0.59.0",
 ]
 
 [[package]]
@@ -1468,9 +1533,9 @@ dependencies = [
 
 [[package]]
 name = "tower-http"
-version = "0.6.8"
+version = "0.6.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d4e6559d53cc268e5031cd8429d05415bc4cb4aefc4aa5d6cc35fbf5b924a1f8"
+checksum = "adc82fd73de2a9722ac5da747f12383d2bfdb93591ee6c58486e0097890f05f2"
 dependencies = [
  "bitflags",
  "bytes",
@@ -1706,12 +1771,6 @@ dependencies = [
  "wasm-bindgen",
 ]
 
-[[package]]
-name = "windows-link"
-version = "0.2.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f0805222e57f7521d6a62e36fa9163bc891acd422f971defe97d64e70d0a4fe5"
-
 [[package]]
 name = "windows-sys"
 version = "0.52.0"
@@ -1730,15 +1789,6 @@ dependencies = [
  "windows-targets",
 ]
 
-[[package]]
-name = "windows-sys"
-version = "0.61.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ae137229bcbd6cdf0f7b80a31df61766145077ddf49416a728b02cb3921ff3fc"
-dependencies = [
- "windows-link",
-]
-
 [[package]]
 name = "windows-targets"
 version = "0.52.6"
@@ -1921,9 +1971,3 @@ dependencies = [
  "quote",
  "syn",
 ]
-
-[[package]]
-name = "zmij"
-version = "1.0.19"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3ff05f8caa9038894637571ae6b9e29466c1f4f829d26c9b28f869a29cbe3445"

README.rst

@@ -1,4 +1,4 @@
-.. image:: https://github.com/element-hq/synapse/raw/develop/docs/element_logo_white_bg.svg
+.. image:: ./docs/element_logo_white_bg.svg
    :height: 60px
 
 **Element Synapse - Matrix homeserver implementation**
@@ -7,48 +7,170 @@
 
 Synapse is an open source `Matrix <https://matrix.org>`__ homeserver
 implementation, written and maintained by `Element <https://element.io>`_.
-`Matrix <https://github.com/matrix-org>`__ is the open standard for secure and
-interoperable real-time communications. You can directly run and manage the
-source code in this repository, available under an AGPL license (or
-alternatively under a commercial license from Element).
+`Matrix <https://github.com/matrix-org>`__ is the open standard for
+secure and interoperable real-time communications. You can directly run
+and manage the source code in this repository, available under an AGPL
+license (or alternatively under a commercial license from Element).
+There is no support provided by Element unless you have a
+subscription from Element.
 
-There is no support provided by Element unless you have a subscription from
-Element.
+Subscription
+============
 
-🚀 Getting started
-==================
+For those that need an enterprise-ready solution, Element
+Server Suite (ESS) is `available via subscription <https://element.io/pricing>`_.
+ESS builds on Synapse to offer a complete Matrix-based backend including the full
+`Admin Console product <https://element.io/enterprise-functionality/admin-console>`_,
+giving admins the power to easily manage an organization-wide
+deployment. It includes advanced identity management, auditing,
+moderation and data retention options as well as Long-Term Support and
+SLAs. ESS supports any Matrix-compatible client.
 
-This component is developed and maintained by `Element <https://element.io>`_.
-It gets shipped as part of the **Element Server Suite (ESS)** which provides the
-official means of deployment.
+.. contents::
 
-ESS is a Matrix distribution from Element with focus on quality and ease of use.
-It ships a full Matrix stack tailored to the respective use case.
+🛠️ Installation and configuration
+==================================
 
-There are three editions of ESS:
+The Synapse documentation describes `how to install Synapse <https://element-hq.github.io/synapse/latest/setup/installation.html>`_. We recommend using
+`Docker images <https://element-hq.github.io/synapse/latest/setup/installation.html#docker-images-and-ansible-playbooks>`_ or `Debian packages from Matrix.org
+<https://element-hq.github.io/synapse/latest/setup/installation.html#matrixorg-packages>`_.
 
-- `ESS Community <https://github.com/element-hq/ess-helm>`_ - the free Matrix
-  distribution from Element tailored to small-/mid-scale, non-commercial
-  community use cases
-- `ESS Pro <https://element.io/server-suite>`_ - the commercial Matrix
-  distribution from Element for professional use
-- `ESS TI-M <https://element.io/server-suite/ti-messenger>`_ - a special version
-  of ESS Pro focused on the requirements of TI-Messenger Pro and ePA as
-  specified by the German National Digital Health Agency Gematik
+.. _federation:
+
+Synapse has a variety of `config options
+<https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html>`_
+which can be used to customise its behaviour after installation.
+There are additional details on how to `configure Synapse for federation here
+<https://element-hq.github.io/synapse/latest/federate.html>`_.
+
+.. _reverse-proxy:
+
+Using a reverse proxy with Synapse
+----------------------------------
+
+It is recommended to put a reverse proxy such as
+`nginx <https://nginx.org/en/docs/http/ngx_http_proxy_module.html>`_,
+`Apache <https://httpd.apache.org/docs/current/mod/mod_proxy_http.html>`_,
+`Caddy <https://caddyserver.com/docs/quick-starts/reverse-proxy>`_,
+`HAProxy <https://www.haproxy.org/>`_ or
+`relayd <https://man.openbsd.org/relayd.8>`_ in front of Synapse. One advantage of
+doing so is that it means that you can expose the default https port (443) to
+Matrix clients without needing to run Synapse with root privileges.
+For information on configuring one, see `the reverse proxy docs
+<https://element-hq.github.io/synapse/latest/reverse_proxy.html>`_.
+
+Upgrading an existing Synapse
+-----------------------------
+
+The instructions for upgrading Synapse are in `the upgrade notes`_.
+Please check these instructions as upgrading may require extra steps for some
+versions of Synapse.
+
+.. _the upgrade notes: https://element-hq.github.io/synapse/develop/upgrade.html
 
 
-🛠️ Standalone installation and configuration
-============================================
+Platform dependencies
+---------------------
 
-The Synapse documentation describes `options for installing Synapse standalone
-<https://element-hq.github.io/synapse/latest/setup/installation.html>`_. See
-below for more useful documentation links.
+Synapse uses a number of platform dependencies such as Python and PostgreSQL,
+and aims to follow supported upstream versions. See the
+`deprecation policy <https://element-hq.github.io/synapse/latest/deprecation_policy.html>`_
+for more details.
 
-- `Synapse configuration options <https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html>`_
-- `Synapse configuration for federation <https://element-hq.github.io/synapse/latest/federate.html>`_
-- `Using a reverse proxy with Synapse <https://element-hq.github.io/synapse/latest/reverse_proxy.html>`_
-- `Upgrading Synapse <https://element-hq.github.io/synapse/develop/upgrade.html>`_
 
+Security note
+-------------
+
+Matrix serves raw, user-supplied data in some APIs -- specifically the `content
+repository endpoints`_.
+
+.. _content repository endpoints: https://matrix.org/docs/spec/client_server/latest.html#get-matrix-media-r0-download-servername-mediaid
+
+Whilst we make a reasonable effort to mitigate against XSS attacks (for
+instance, by using `CSP`_), a Matrix homeserver should not be hosted on a
+domain hosting other web applications. This especially applies to sharing
+the domain with Matrix web clients and other sensitive applications like
+webmail. See
+https://developer.github.com/changes/2014-04-25-user-content-security for more
+information.
+
+.. _CSP: https://github.com/matrix-org/synapse/pull/1021
+
+Ideally, the homeserver should not simply be on a different subdomain, but on
+a completely different `registered domain`_ (also known as top-level site or
+eTLD+1). This is because `some attacks`_ are still possible as long as the two
+applications share the same registered domain.
+
+.. _registered domain: https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-2.3
+
+.. _some attacks: https://en.wikipedia.org/wiki/Session_fixation#Attacks_using_cross-subdomain_cookie
+
+To illustrate this with an example, if your Element Web or other sensitive web
+application is hosted on ``A.example1.com``, you should ideally host Synapse on
+``example2.com``. Some amount of protection is offered by hosting on
+``B.example1.com`` instead, so this is also acceptable in some scenarios.
+However, you should *not* host your Synapse on ``A.example1.com``.
+
+Note that all of the above refers exclusively to the domain used in Synapse's
+``public_baseurl`` setting. In particular, it has no bearing on the domain
+mentioned in MXIDs hosted on that server.
+
+Following this advice ensures that even if an XSS is found in Synapse, the
+impact to other applications will be minimal.
+
+
+🧪 Testing a new installation
+=============================
+
+The easiest way to try out your new Synapse installation is by connecting to it
+from a web client.
+
+Unless you are running a test instance of Synapse on your local machine, in
+general, you will need to enable TLS support before you can successfully
+connect from a client: see
+`TLS certificates <https://element-hq.github.io/synapse/latest/setup/installation.html#tls-certificates>`_.
+
+An easy way to get started is to login or register via Element at
+https://app.element.io/#/login or https://app.element.io/#/register respectively.
+You will need to change the server you are logging into from ``matrix.org``
+and instead specify a homeserver URL of ``https://<server_name>:8448``
+(or just ``https://<server_name>`` if you are using a reverse proxy).
+If you prefer to use another client, refer to our
+`client breakdown <https://matrix.org/ecosystem/clients/>`_.
+
+If all goes well you should at least be able to log in, create a room, and
+start sending messages.
+
+.. _`client-user-reg`:
+
+Registering a new user from a client
+------------------------------------
+
+By default, registration of new users via Matrix clients is disabled. To enable
+it:
+
+1. In the
+   `registration config section <https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#registration>`_
+   set ``enable_registration: true`` in ``homeserver.yaml``.
+2. Then **either**:
+
+   a. set up a `CAPTCHA <https://element-hq.github.io/synapse/latest/CAPTCHA_SETUP.html>`_, or
+   b. set ``enable_registration_without_verification: true`` in ``homeserver.yaml``.
+
+We **strongly** recommend using a CAPTCHA, particularly if your homeserver is exposed to
+the public internet. Without it, anyone can freely register accounts on your homeserver.
+This can be exploited by attackers to create spambots targeting the rest of the Matrix
+federation.
+
+Your new Matrix ID will be formed partly from the ``server_name``, and partly
+from a localpart you specify when you create the account in the form of::
+
+    @localpart:my.domain.name
+
+(pronounced "at localpart on my dot domain dot name").
+
+As when logging in, you will need to specify a "Custom server".  Specify your
+desired ``localpart`` in the 'Username' box.
 
 🎯 Troubleshooting and support
 ==============================
@@ -60,7 +182,7 @@ Enterprise quality support for Synapse including SLAs is available as part of an
 `Element Server Suite (ESS) <https://element.io/pricing>`_ subscription.
 
 If you are an existing ESS subscriber then you can raise a `support request <https://ems.element.io/support>`_
-and access the `Element product documentation <https://docs.element.io>`_.
+and access the `knowledge base <https://ems-docs.element.io>`_.
 
 🤝 Community support
 --------------------
@@ -79,6 +201,35 @@ issues for support requests, only for bug reports and feature requests.
 .. |docs| replace:: ``docs``
 .. _docs: docs
 
+🪪 Identity Servers
+===================
+
+Identity servers have the job of mapping email addresses and other 3rd Party
+IDs (3PIDs) to Matrix user IDs, as well as verifying the ownership of 3PIDs
+before creating that mapping.
+
+**Identity servers do not store accounts or credentials - these are stored and managed on homeservers.
+Identity Servers are just for mapping 3rd Party IDs to Matrix IDs.**
+
+This process is highly security-sensitive, as there is an obvious risk of spam if it
+is too easy to sign up for Matrix accounts or harvest 3PID data. In the longer
+term, we hope to create a decentralised system to manage it (`matrix-doc #712
+<https://github.com/matrix-org/matrix-doc/issues/712>`_), but in the meantime,
+the role of managing trusted identity in the Matrix ecosystem is farmed out to
+a cluster of known trusted ecosystem partners, who run 'Matrix Identity
+Servers' such as `Sydent <https://github.com/matrix-org/sydent>`_, whose role
+is purely to authenticate and track 3PID logins and publish end-user public
+keys.
+
+You can host your own copy of Sydent, but this will prevent you reaching other
+users in the Matrix ecosystem via their email address, and prevent them finding
+you. We therefore recommend that you use one of the centralised identity servers
+at ``https://matrix.org`` or ``https://vector.im`` for now.
+
+To reiterate: the Identity server will only be used if you choose to associate
+an email address with your account, or send an invite to another user via their
+email address.
+
 
 🛠️ Development
 ==============
@@ -101,29 +252,18 @@ Alongside all that, join our developer community on Matrix:
 Copyright and Licensing
 =======================
 
-  | Copyright 2014–2017 OpenMarket Ltd
-  | Copyright 2017 Vector Creations Ltd
-  | Copyright 2017–2025 New Vector Ltd
-  | Copyright 2025 Element Creations Ltd
+| Copyright 2014-2017 OpenMarket Ltd
+| Copyright 2017 Vector Creations Ltd
+| Copyright 2017-2025 New Vector Ltd
+|
 
-This software is dual-licensed by Element Creations Ltd (Element). It can be
-used either:
+This software is dual-licensed by New Vector Ltd (Element). It can be used either:
 
-(1) for free under the terms of the GNU Affero General Public License (as
-    published by the Free Software Foundation, either version 3 of the License,
-    or (at your option) any later version); OR
+(1) for free under the terms of the GNU Affero General Public License (as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version); OR
 
-(2) under the terms of a paid-for Element Commercial License agreement between
-    you and Element (the terms of which may vary depending on what you and
-    Element have agreed to).
+(2) under the terms of a paid-for Element Commercial License agreement between you and Element (the terms of which may vary depending on what you and Element have agreed to).
 
-Unless required by applicable law or agreed to in writing, software distributed
-under the Licenses is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
-CONDITIONS OF ANY KIND, either express or implied. See the Licenses for the
-specific language governing permissions and limitations under the Licenses.
-
-Please contact `licensing@element.io <mailto:licensing@element.io>`_ to purchase
-an Element commercial license for this software.
+Unless required by applicable law or agreed to in writing, software distributed under the Licenses is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the Licenses for the specific language governing permissions and limitations under the Licenses.
 
 
 .. |support| image:: https://img.shields.io/badge/matrix-community%20support-success

book.toml

@@ -4,6 +4,7 @@
 title = "Synapse"
 authors = ["The Matrix.org Foundation C.I.C."]
 language = "en"
+multilingual = false
 
 # The directory that documentation files are stored in
 src = "docs"
@@ -30,10 +31,13 @@ site-url = "/synapse/"
 # Additional HTML, JS, CSS that's injected into each page of the book.
 # More information available in docs/website_files/README.md
 additional-css = [
+    "docs/website_files/table-of-contents.css",
+    "docs/website_files/remove-nav-buttons.css",
     "docs/website_files/indent-section-headers.css",
     "docs/website_files/version-picker.css",
 ]
 additional-js = [
+    "docs/website_files/table-of-contents.js",
     "docs/website_files/version-picker.js",
     "docs/website_files/version.js",
 ]

build_rust.py

@@ -2,13 +2,13 @@
 
 import itertools
 import os
-from typing import Any
+from typing import Any, Dict
 
 from packaging.specifiers import SpecifierSet
 from setuptools_rust import Binding, RustExtension
 
 
-def build(setup_kwargs: dict[str, Any]) -> None:
+def build(setup_kwargs: Dict[str, Any]) -> None:
     original_project_dir = os.path.dirname(os.path.realpath(__file__))
     cargo_toml_path = os.path.join(original_project_dir, "rust", "Cargo.toml")
 
@@ -27,12 +27,12 @@ def build(setup_kwargs: dict[str, Any]) -> None:
     setup_kwargs["zip_safe"] = False
 
     # We look up the minimum supported Python version with
-    # `python_requires` (e.g. ">=3.10.0,<4.0.0") and finding the first Python
+    # `python_requires` (e.g. ">=3.9.0,<4.0.0") and finding the first Python
     # version that matches. We then convert that into the `py_limited_api` form,
-    # e.g. cp310 for Python 3.10.
+    # e.g. cp39 for Python 3.9.
     py_limited_api: str
     python_bounds = SpecifierSet(setup_kwargs["python_requires"])
-    for minor_version in itertools.count(start=10):
+    for minor_version in itertools.count(start=8):
         if f"3.{minor_version}.0" in python_bounds:
             py_limited_api = f"cp3{minor_version}"
             break

changelog.d/18474.misc

@@ -0,0 +1 @@
+Add debug logging for HMAC digest verification failures when using the admin API to register users.

changelog.d/18514.feature

@@ -0,0 +1 @@
+Add configurable rate limiting for the creation of rooms.

changelog.d/18540.feature

@@ -0,0 +1 @@
+Add support for [MSC4293](https://github.com/matrix-org/matrix-spec-proposals/pull/4293) - Redact on Kick/Ban.

changelog.d/18574.misc

@@ -0,0 +1 @@
+Speed up upgrading a room with large numbers of banned users.

changelog.d/18580.misc

@@ -0,0 +1 @@
+Fix config documentation generation script on Windows by enforcing UTF-8.

changelog.d/18585.feature

@@ -0,0 +1 @@
+When admins enable themselves to see soft-failed events, they will also see if the cause is due to the policy server flagging them as spam via `unsigned`.

changelog.d/18656.misc

@@ -0,0 +1 @@
+Refactor `Counter` metrics to be homeserver-scoped.

changelog.d/18670.misc

@@ -0,0 +1 @@
+Refactor background process metrics to be homeserver-scoped.

changelog.d/18686.feature

@@ -0,0 +1 @@
+Add ability to configure forward/outbound proxy via homeserver config instead of environment variables. See `http_proxy`, `https_proxy`, `no_proxy_hosts`.

changelog.d/18696.bugfix

@@ -0,0 +1 @@
+Allow return code 403 (allowed by C2S Spec since v1.2) when fetching profiles via federation.

changelog.d/18700.doc

@@ -0,0 +1 @@
+Minor improvements to README.

changelog.d/18714.misc

@@ -0,0 +1 @@
+Refactor `LaterGauge` metrics to be homeserver-scoped.

changelog.d/18715.misc

@@ -0,0 +1 @@
+Refactor `GaugeBucketCollector` metrics to be homeserver-scoped.

changelog.d/18718.misc

@@ -0,0 +1 @@
+Reduce database usage in Sliding Sync by not querying for background update completion after the update is known to be complete.

changelog.d/18722.feature

@@ -0,0 +1 @@
+Advertise experimental support for [MSC4306](https://github.com/matrix-org/matrix-spec-proposals/pull/4306) through `/_matrix/clients/versions` if enabled.

changelog.d/18723.misc

@@ -0,0 +1 @@
+Improve order of validation and ratelimiting in room creation.

changelog.d/18724.misc

@@ -0,0 +1 @@
+Refactor `Histogram` metrics to be homeserver-scoped.

changelog.d/18725.misc

@@ -0,0 +1 @@
+Refactor `Gauge` metrics to be homeserver-scoped.

changelog.d/18726.bugfix

@@ -0,0 +1 @@
+Register the MSC4306 endpoints in the CS API when the experimental feature is enabled.

changelog.d/18727.misc

@@ -0,0 +1 @@
+Bump minimum version bound on Twisted to 21.2.0.

changelog.d/18728.misc

@@ -0,0 +1 @@
+Use `twisted.internet.testing` module in tests instead of deprecated `twisted.test.proto_helpers`.

changelog.d/18729.misc

@@ -0,0 +1 @@
+Bump minimum version bound on Twisted to 21.2.0.

changelog.d/18730.misc

@@ -0,0 +1 @@
+Remove obsolete `/send_event` replication endpoint.

changelog.d/18733.misc

@@ -0,0 +1 @@
+Update metrics linting to be able to handle custom metrics.

changelog.d/18736.misc

@@ -0,0 +1 @@
+Work around `twisted.protocols.amp.TooLong` error by reducing logging in some tests.

changelog.d/18737.removal

@@ -0,0 +1 @@
+Deprecate `run_as_background_process` exported as part of the module API interface in favor of `ModuleApi.run_as_background_process`. See the relevant section in the upgrade notes for more information.

changelog.d/18748.misc

@@ -0,0 +1 @@
+Refactor cache metrics to be homeserver-scoped.

changelog.d/18750.bugfix

@@ -0,0 +1 @@
+Fix a long-standing bug where suspended users could not have server notices sent to them (a 403 was returned to the admin).

changelog.d/18751.misc

@@ -0,0 +1 @@
+Fix `LaterGauge` metrics to collect from all servers.

changelog.d/18753.misc

@@ -0,0 +1 @@
+Refactor `Histogram` metrics to be homeserver-scoped.

changelog.d/18755.misc

@@ -0,0 +1 @@
+Prevent "Move labelled issues to correct projects" GitHub Actions workflow from failing when an issue is already on the project board.

changelog.d/18756.misc

@@ -0,0 +1 @@
+Update implementation of [MSC4306: Thread Subscriptions](https://github.com/matrix-org/matrix-doc/issues/4306) to include automatic subscription conflict prevention as introduced in later drafts.

changelog.d/18757.misc

@@ -0,0 +1 @@
+Bump minimum supported Rust version (MSRV) to 1.82.0. Missed in [#18553](https://github.com/element-hq/synapse/pull/18553) (released in Synapse 1.134.0).

changelog.d/18759.feature

@@ -0,0 +1 @@
+Stable support for delegating authentication to [Matrix Authentication Service](https://github.com/element-hq/matrix-authentication-service/).

changelog.d/18760.doc.md

@@ -0,0 +1 @@
+Document that there can be multiple workers handling the `receipts` stream.

changelog.d/18761.doc.md

@@ -0,0 +1 @@
+Improve worker documentation for some device paths.

changelog.d/18763.bugfix

@@ -0,0 +1 @@
+Fix an issue that could cause logcontexts to be lost on rate-limited requests. Found by @realtyem.

changelog.d/18772.misc

@@ -0,0 +1 @@
+Make `Clock.sleep(..)` return a coroutine, so that mypy can catch places where we don't await on it.

changelog.d/18817.feature

@@ -0,0 +1 @@
+Allow serving media with a redirect to an unauthenticated, short-lived, signed URL.

complement/.golangci.yml

@@ -1,38 +0,0 @@
-# Docs: https://golangci-lint.run/docs/configuration/file/
-#
-# Go formatting/linting rules
-#
-# This is run as part of the normal linting utility script,
-# `poetry run ./scripts-dev/lint.sh`
-
-version: "2"
-
-linters:
-  # Default set of linters.
-  # The value can be:
-  # - `standard`: https://golangci-lint.run/docs/linters/#enabled-by-default
-  # - `all`: enables all linters by default.
-  # - `none`: disables all linters by default.
-  # - `fast`: enables only linters considered as "fast" (`golangci-lint help linters --json | jq '[ .[] | select(.fast==true) ] | map(.name)'`).
-  # Default: standard
-  default: standard
-
-  # Enable specific linter.
-  # enable:
-  #   - example
-
-  # Disable specific linters.
-  disable:
-    # FIXME: Ideally, we'd enable the `bodyclose` lint but there are many
-    # false-positives (like https://github.com/timakin/bodyclose/issues/39) and just is
-    # not well-suited for our use case (https://github.com/timakin/bodyclose/issues/11 and
-    # https://github.com/timakin/bodyclose/issues/76).
-    - bodyclose
-
-formatters:
-  # Enable specific formatter.
-  # Default: [] (uses standard Go formatting)
-  enable:
-    - gofmt
-    - goimports
-    - golines

complement/README.md

@@ -1,54 +0,0 @@
-# Complement testing
-
-Complement is a black box integration testing framework for Matrix homeservers. It
-allows us to write end-to-end tests that interact with real Synapse homeservers to
-ensure everything works at a holistic level.
-
-
-## Setup
-
-Nothing beyond a [normal Complement
-setup](https://github.com/matrix-org/complement?tab=readme-ov-file#running) (just Go and
-Docker).
-
-
-## Running tests
-
-Run tests from the [Complement](https://github.com/matrix-org/complement) repo:
-
-```shell
-# Run the tests
-./scripts-dev/complement.sh
-
-# To run a whole group of tests, you can specify part of the test path:
-scripts-dev/complement.sh ./tests/csapi/... -run TestRoomCreate
-# To run a specific test, you can specify the whole name structure:
-scripts-dev/complement.sh ./tests/csapi/... -run TestRoomCreate/Parallel/POST_/createRoom_makes_a_public_room
-# Generally though, the `-run` parameter accepts regex patterns, so you can match however you like:
-scripts-dev/complement.sh ./tests/... -run 'TestRoomCreate/Parallel/POST_/createRoom_makes_a_(.*)'
-```
-
-Typically, if you're developing the Synapse and Complement tests side-by-side, you will
-run something like this:
-
-```shell
-# To run a specific test
-COMPLEMENT_DIR=../complement ./scripts-dev/complement.sh ./tests/csapi/... -run TestRoomCreate
-```
-
-
-### Running in-repo tests
-
-In-repo Complement tests are tests that are vendored into this project. We use the
-in-repo test suite to test Synapse specific behaviors like the admin API.
-
-To run the in-repo Complement tests, use the `--in-repo` command line argument.
-
-```shell
-# Run only a specific test package.
-# Note: test packages are relative to the `./complement` directory in this project
-./scripts-dev/complement.sh --in-repo ./tests/...
-
-# Similarly, you can also use `-run` to specify all or part of a specific test path to run
-scripts-dev/complement.sh --in-repo ./tests/... -run TestIntraShardFederation
-```

complement/go.mod

@@ -1,57 +0,0 @@
-module github.com/element-hq/synapse
-
-go 1.24.1
-
-toolchain go1.24.4
-
-require (
-	github.com/matrix-org/complement v0.0.0-20251120181401-44111a2a8a9d
-	github.com/matrix-org/gomatrixserverlib v0.0.0-20250813150445-9f5070a65744
-)
-
-require (
-	github.com/docker/docker v28.3.3+incompatible // indirect
-	github.com/docker/go-connections v0.5.0 // indirect
-	github.com/hashicorp/go-set/v3 v3.0.0 // indirect
-	github.com/moby/sys/atomicwriter v0.1.0 // indirect
-	github.com/oleiade/lane/v2 v2.0.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.34.0 // indirect
-	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
-	gotest.tools/v3 v3.4.0 // indirect
-)
-
-require (
-	github.com/Microsoft/go-winio v0.6.2 // indirect
-	github.com/containerd/errdefs v1.0.0 // indirect
-	github.com/containerd/errdefs/pkg v0.3.0 // indirect
-	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
-	github.com/distribution/reference v0.6.0 // indirect
-	github.com/docker/go-units v0.5.0 // indirect
-	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/go-logr/logr v1.4.3 // indirect
-	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/matrix-org/util v0.0.0-20221111132719-399730281e66 // indirect
-	github.com/moby/docker-image-spec v1.3.1 // indirect
-	github.com/moby/term v0.5.2 // indirect
-	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.1 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
-	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/sirupsen/logrus v1.9.3 // indirect
-	github.com/tidwall/gjson v1.18.0 // indirect
-	github.com/tidwall/match v1.1.1 // indirect
-	github.com/tidwall/pretty v1.2.1 // indirect
-	github.com/tidwall/sjson v1.2.5 // indirect
-	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
-	go.opentelemetry.io/otel v1.36.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.36.0 // indirect
-	go.opentelemetry.io/otel/metric v1.36.0 // indirect
-	go.opentelemetry.io/otel/trace v1.36.0 // indirect
-	go.opentelemetry.io/proto/otlp v1.7.0 // indirect
-	golang.org/x/crypto v0.45.0 // indirect
-	golang.org/x/sys v0.38.0 // indirect
-	golang.org/x/time v0.11.0 // indirect
-	google.golang.org/protobuf v1.36.6 // indirect
-)

complement/go.sum

@@ -1,169 +0,0 @@
-github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg=
-github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
-github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
-github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
-github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
-github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
-github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
-github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
-github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
-github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk=
-github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
-github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
-github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
-github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
-github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/docker/docker v28.3.3+incompatible h1:Dypm25kh4rmk49v1eiVbsAtpAsYURjYkaKubwuBdxEI=
-github.com/docker/docker v28.3.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
-github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
-github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
-github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
-github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
-github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
-github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
-github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
-github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
-github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
-github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
-github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
-github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
-github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
-github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 h1:5ZPtiqj0JL5oKWmcsq4VMaAW5ukBEgSGXEN89zeH1Jo=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3/go.mod h1:ndYquD05frm2vACXE1nsccT4oJzjhw2arTS2cpUD1PI=
-github.com/hashicorp/go-set/v3 v3.0.0 h1:CaJBQvQCOWoftrBcDt7Nwgo0kdpmrKxar/x2o6pV9JA=
-github.com/hashicorp/go-set/v3 v3.0.0/go.mod h1:IEghM2MpE5IaNvL+D7X480dfNtxjRXZ6VMpK3C8s2ok=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/matrix-org/complement v0.0.0-20251120181401-44111a2a8a9d h1:s2Xc9GB2E/pXdElP18h8+04Y3SmhaII7xh2YmCM7oZc=
-github.com/matrix-org/complement v0.0.0-20251120181401-44111a2a8a9d/go.mod h1:HioTV089DHLBfljH9QLGifJRE4Avnyk08BXXhCwd4gs=
-github.com/matrix-org/gomatrix v0.0.0-20220926102614-ceba4d9f7530 h1:kHKxCOLcHH8r4Fzarl4+Y3K5hjothkVW5z7T1dUM11U=
-github.com/matrix-org/gomatrix v0.0.0-20220926102614-ceba4d9f7530/go.mod h1:/gBX06Kw0exX1HrwmoBibFA98yBk/jxKpGVeyQbff+s=
-github.com/matrix-org/gomatrixserverlib v0.0.0-20250813150445-9f5070a65744 h1:5GvC2FD9O/PhuyY95iJQdNYHbDioEhMWdeMP9maDUL8=
-github.com/matrix-org/gomatrixserverlib v0.0.0-20250813150445-9f5070a65744/go.mod h1:b6KVfDjXjA5Q7vhpOaMqIhFYvu5BuFVZixlNeTV/CLc=
-github.com/matrix-org/util v0.0.0-20221111132719-399730281e66 h1:6z4KxomXSIGWqhHcfzExgkH3Z3UkIXry4ibJS4Aqz2Y=
-github.com/matrix-org/util v0.0.0-20221111132719-399730281e66/go.mod h1:iBI1foelCqA09JJgPV0FYz4qA5dUXYOxMi57FxKBdd4=
-github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
-github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
-github.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw=
-github.com/moby/sys/atomicwriter v0.1.0/go.mod h1:Ul8oqv2ZMNHOceF643P6FKPXeCmYtlQMvpizfsSoaWs=
-github.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7zgvCU=
-github.com/moby/sys/sequential v0.6.0/go.mod h1:uyv8EUTrca5PnDsdMGXhZe6CCe8U/UiTWd+lL+7b/Ko=
-github.com/moby/term v0.5.2 h1:6qk3FJAFDs6i/q3W/pQ97SX192qKfZgGjCQqfCJkgzQ=
-github.com/moby/term v0.5.2/go.mod h1:d3djjFCrjnB+fl8NJux+EJzu0msscUP+f8it8hPkFLc=
-github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
-github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
-github.com/oleiade/lane/v2 v2.0.0 h1:XW/ex/Inr+bPkLd3O240xrFOhUkTd4Wy176+Gv0E3Qw=
-github.com/oleiade/lane/v2 v2.0.0/go.mod h1:i5FBPFAYSWCgLh58UkUGCChjcCzef/MI7PlQm2TKCeg=
-github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
-github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
-github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
-github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
-github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/shoenig/test v1.11.0 h1:NoPa5GIoBwuqzIviCrnUJa+t5Xb4xi5Z+zODJnIDsEQ=
-github.com/shoenig/test v1.11.0/go.mod h1:UxJ6u/x2v/TNs/LoLxBNJRV9DiwBBKYxXSyczsBHFoI=
-github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
-github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
-github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/tidwall/gjson v1.14.2/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
-github.com/tidwall/gjson v1.18.0 h1:FIDeeyB800efLX89e5a8Y0BNH+LOngJyGrIWxG2FKQY=
-github.com/tidwall/gjson v1.18.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
-github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
-github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
-github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
-github.com/tidwall/pretty v1.2.1 h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4=
-github.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
-github.com/tidwall/sjson v1.2.5 h1:kLy8mja+1c9jlljvWTlSazM7cKDRfJuR/bOJhcY5NcY=
-github.com/tidwall/sjson v1.2.5/go.mod h1:Fvgq9kS/6ociJEDnK0Fk1cpYF4FIW6ZF7LAe+6jwd28=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
-go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q=
-go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg=
-go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.36.0 h1:dNzwXjZKpMpE2JhmO+9HsPl42NIXFIFSUSSs0fiqra0=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.36.0/go.mod h1:90PoxvaEB5n6AOdZvi+yWJQoE95U8Dhhw2bSyRqnTD0=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.34.0 h1:BEj3SPM81McUZHYjRS5pEgNgnmzGJ5tRpU5krWnV8Bs=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.34.0/go.mod h1:9cKLGBDzI/F3NoHLQGm4ZrYdIHsvGt6ej6hUowxY0J4=
-go.opentelemetry.io/otel/metric v1.36.0 h1:MoWPKVhQvJ+eeXWHFBOPoBOi20jh6Iq2CcCREuTYufE=
-go.opentelemetry.io/otel/metric v1.36.0/go.mod h1:zC7Ks+yeyJt4xig9DEw9kuUFe5C3zLbVjV2PzT6qzbs=
-go.opentelemetry.io/otel/sdk v1.36.0 h1:b6SYIuLRs88ztox4EyrvRti80uXIFy+Sqzoh9kFULbs=
-go.opentelemetry.io/otel/sdk v1.36.0/go.mod h1:+lC+mTgD+MUWfjJubi2vvXWcVxyr9rmlshZni72pXeY=
-go.opentelemetry.io/otel/sdk/metric v1.36.0 h1:r0ntwwGosWGaa0CrSt8cuNuTcccMXERFwHX4dThiPis=
-go.opentelemetry.io/otel/sdk/metric v1.36.0/go.mod h1:qTNOhFDfKRwX0yXOqJYegL5WRaW376QbB7P4Pb0qva4=
-go.opentelemetry.io/otel/trace v1.36.0 h1:ahxWNuqZjpdiFAyrIoQ4GIiAIhxAunQR6MUoKrsNd4w=
-go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA=
-go.opentelemetry.io/proto/otlp v1.7.0 h1:jX1VolD6nHuFzOYso2E73H85i92Mv8JQYk0K9vz09os=
-go.opentelemetry.io/proto/otlp v1.7.0/go.mod h1:fSKjH6YJ7HDlwzltzyMj036AJ3ejJLCgCSHGj4efDDo=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
-golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
-golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
-golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
-golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
-golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
-golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
-golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
-golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/genproto/googleapis/api v0.0.0-20250528174236-200df99c418a h1:SGktgSolFCo75dnHJF2yMvnns6jCmHFJ0vE4Vn2JKvQ=
-google.golang.org/genproto/googleapis/api v0.0.0-20250528174236-200df99c418a/go.mod h1:a77HrdMjoeKbnd2jmgcWdaS++ZLZAEq3orIOAEIKiVw=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a h1:v2PbRU4K3llS09c7zodFpNePeamkAwG3mPrAery9VeE=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
-google.golang.org/grpc v1.72.2 h1:TdbGzwb82ty4OusHWepvFWGLgIbNo1/SUynEN0ssqv8=
-google.golang.org/grpc v1.72.2/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
-google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
-google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
-gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o=
-gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g=

complement/tests/federation_test.go

@@ -1,65 +0,0 @@
-// This file is licensed under the Affero General Public License (AGPL) version 3.
-//
-// Copyright (C) 2026 Element Creations Ltd
-//
-// This program is free software: you can redistribute it and/or modify
-// it under the terms of the GNU Affero General Public License as
-// published by the Free Software Foundation, either version 3 of the
-// License, or (at your option) any later version.
-//
-// See the GNU Affero General Public License for more details:
-// <https://www.gnu.org/licenses/agpl-3.0.html>.
-
-package synapse_tests
-
-import (
-	"testing"
-
-	"github.com/matrix-org/complement"
-	"github.com/matrix-org/complement/client"
-	"github.com/matrix-org/complement/helpers"
-	"github.com/matrix-org/gomatrixserverlib/spec"
-)
-
-// Stub test to ensure that homeservers can communicate with each other (federation works correctly).
-//
-// TODO: This test will disappear once we have other real Synapse specific tests in
-// place. This is simply here as an example without bloating the PR with some specific
-// new tests.
-func TestFederation(t *testing.T) {
-	// Create two homeservers
-	deployment := complement.Deploy(t, 2)
-	defer deployment.Destroy(t)
-
-	alice := deployment.Register(t, "hs1", helpers.RegistrationOpts{})
-	bob := deployment.Register(t, "hs2", helpers.RegistrationOpts{})
-
-	aliceRoomID := alice.MustCreateRoom(t, map[string]any{
-		"preset": "public_chat",
-	})
-	bobRoomID := bob.MustCreateRoom(t, map[string]any{
-		"preset": "public_chat",
-	})
-
-	t.Run("parallel", func(t *testing.T) {
-		t.Run("HS1 -> HS2", func(t *testing.T) {
-			t.Parallel()
-
-			alice.MustJoinRoom(t, bobRoomID, []spec.ServerName{
-				deployment.GetFullyQualifiedHomeserverName(t, "hs2"),
-			})
-
-			bob.MustSyncUntil(t, client.SyncReq{}, client.SyncJoinedTo(alice.UserID, bobRoomID))
-		})
-
-		t.Run("HS2 -> HS1", func(t *testing.T) {
-			t.Parallel()
-
-			bob.MustJoinRoom(t, aliceRoomID, []spec.ServerName{
-				deployment.GetFullyQualifiedHomeserverName(t, "hs1"),
-			})
-
-			alice.MustSyncUntil(t, client.SyncReq{}, client.SyncJoinedTo(bob.UserID, aliceRoomID))
-		})
-	})
-}

complement/tests/main_test.go

@@ -1,23 +0,0 @@
-// This file is licensed under the Affero General Public License (AGPL) version 3.
-//
-// Copyright (C) 2026 Element Creations Ltd
-//
-// This program is free software: you can redistribute it and/or modify
-// it under the terms of the GNU Affero General Public License as
-// published by the Free Software Foundation, either version 3 of the
-// License, or (at your option) any later version.
-//
-// See the GNU Affero General Public License for more details:
-// <https://www.gnu.org/licenses/agpl-3.0.html>.
-
-package synapse_tests
-
-import (
-	"testing"
-
-	"github.com/matrix-org/complement"
-)
-
-func TestMain(m *testing.M) {
-	complement.TestMain(m, "synapse")
-}

contrib/cmdclient/console.py

@@ -33,6 +33,7 @@ import sys
 import time
 import urllib
 from http import TwistedHttpClient
+from typing import Optional
 
 import urlparse
 from signedjson.key import NACL_ED25519, decode_verify_key_bytes
@@ -725,7 +726,7 @@ class SynapseCmd(cmd.Cmd):
         method,
         path,
         data=None,
-        query_params: dict | None = None,
+        query_params: Optional[dict] = None,
         alt_text=None,
     ):
         """Runs an HTTP request and pretty prints the output.

contrib/cmdclient/http.py

@@ -22,6 +22,7 @@
 import json
 import urllib
 from pprint import pformat
+from typing import Optional
 
 from twisted.internet import defer, reactor
 from twisted.web.client import Agent, readBody
@@ -89,7 +90,7 @@ class TwistedHttpClient(HttpClient):
         body = yield readBody(response)
         return json.loads(body)
 
-    def _create_put_request(self, url, json_data, headers_dict: dict | None = None):
+    def _create_put_request(self, url, json_data, headers_dict: Optional[dict] = None):
         """Wrapper of _create_request to issue a PUT request"""
         headers_dict = headers_dict or {}
 
@@ -100,7 +101,7 @@ class TwistedHttpClient(HttpClient):
             "PUT", url, producer=_JsonProducer(json_data), headers_dict=headers_dict
         )
 
-    def _create_get_request(self, url, headers_dict: dict | None = None):
+    def _create_get_request(self, url, headers_dict: Optional[dict] = None):
         """Wrapper of _create_request to issue a GET request"""
         return self._create_request("GET", url, headers_dict=headers_dict or {})
 
@@ -112,7 +113,7 @@ class TwistedHttpClient(HttpClient):
         data=None,
         qparams=None,
         jsonreq=True,
-        headers: dict | None = None,
+        headers: Optional[dict] = None,
     ):
         headers = headers or {}
 
@@ -137,7 +138,7 @@ class TwistedHttpClient(HttpClient):
 
     @defer.inlineCallbacks
     def _create_request(
-        self, method, url, producer=None, headers_dict: dict | None = None
+        self, method, url, producer=None, headers_dict: Optional[dict] = None
     ):
         """Creates and sends a request to the given url"""
         headers_dict = headers_dict or {}

contrib/graph/graph.py

@@ -24,6 +24,7 @@ import datetime
 import html
 import json
 import urllib.request
+from typing import List
 
 import pydot
 
@@ -32,7 +33,7 @@ def make_name(pdu_id: str, origin: str) -> str:
     return f"{pdu_id}@{origin}"
 
 
-def make_graph(pdus: list[dict], filename_prefix: str) -> None:
+def make_graph(pdus: List[dict], filename_prefix: str) -> None:
     """
     Generate a dot and SVG file for a graph of events in the room based on the
     topological ordering by querying a homeserver.
@@ -126,7 +127,7 @@ def make_graph(pdus: list[dict], filename_prefix: str) -> None:
     graph.write_svg("%s.svg" % filename_prefix, prog="dot")
 
 
-def get_pdus(host: str, room: str) -> list[dict]:
+def get_pdus(host: str, room: str) -> List[dict]:
     transaction = json.loads(
         urllib.request.urlopen(
             f"http://{host}/_matrix/federation/v1/context/{room}/"

contrib/prometheus/synapse-v2.rules

@@ -44,3 +44,31 @@ groups:
   ###
   ### End of 'Prometheus Console Only' rules block
   ###
+
+
+  ###
+  ### Grafana Only
+  ### The following rules are only needed if you use the Grafana dashboard
+  ### in contrib/grafana/synapse.json
+  ###
+  - record: synapse_storage_events_persisted_by_source_type
+    expr: sum without(type, origin_type, origin_entity) (synapse_storage_events_persisted_events_sep_total{origin_type="remote"})
+    labels:
+      type: remote
+  - record: synapse_storage_events_persisted_by_source_type
+    expr: sum without(type, origin_type, origin_entity) (synapse_storage_events_persisted_events_sep_total{origin_entity="*client*",origin_type="local"})
+    labels:
+      type: local
+  - record: synapse_storage_events_persisted_by_source_type
+    expr: sum without(type, origin_type, origin_entity) (synapse_storage_events_persisted_events_sep_total{origin_entity!="*client*",origin_type="local"})
+    labels:
+      type: bridges
+
+  - record: synapse_storage_events_persisted_by_event_type
+    expr: sum without(origin_entity, origin_type) (synapse_storage_events_persisted_events_sep_total)
+
+  - record: synapse_storage_events_persisted_by_origin
+    expr: sum without(type) (synapse_storage_events_persisted_events_sep_total)
+  ###
+  ### End of 'Grafana Only' rules block
+  ###

debian/changelog

@@ -1,281 +1,3 @@
-matrix-synapse-py3 (1.148.0) stable; urgency=medium
-
-  * New synapse release 1.148.0.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 24 Feb 2026 11:17:49 +0000
-
-matrix-synapse-py3 (1.148.0~rc1) stable; urgency=medium
-
-  * New synapse release 1.148.0rc1.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 17 Feb 2026 16:44:08 +0000
-
-matrix-synapse-py3 (1.147.1) stable; urgency=medium
-
-  * New synapse release 1.147.1.
-
- -- Synapse Packaging team <packages@matrix.org>  Thu, 12 Feb 2026 15:45:15 +0000
-
-matrix-synapse-py3 (1.147.0) stable; urgency=medium
-
-  * New synapse release 1.147.0.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 10 Feb 2026 12:39:58 +0000
-
-matrix-synapse-py3 (1.147.0~rc1) stable; urgency=medium
-
-  * New Synapse release 1.147.0rc1.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 03 Feb 2026 08:53:17 -0700
-
-matrix-synapse-py3 (1.146.0) stable; urgency=medium
-
-  * New Synapse release 1.146.0.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 27 Jan 2026 08:43:59 -0700
-
-matrix-synapse-py3 (1.146.0~rc1) stable; urgency=medium
-
-  * New Synapse release 1.146.0rc1.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 20 Jan 2026 08:42:10 -0700
-
-matrix-synapse-py3 (1.145.0) stable; urgency=medium
-
-  * New Synapse release 1.145.0.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 13 Jan 2026 08:37:42 -0700
-
-matrix-synapse-py3 (1.145.0~rc4) stable; urgency=medium
-
-  * New Synapse release 1.145.0rc4.
-
- -- Synapse Packaging team <packages@matrix.org>  Thu, 08 Jan 2026 12:06:35 -0700
-
-matrix-synapse-py3 (1.145.0~rc3) stable; urgency=medium
-
-  * New Synapse release 1.145.0rc3.
-
- -- Synapse Packaging team <packages@matrix.org>  Wed, 07 Jan 2026 15:32:07 -0700
-
-matrix-synapse-py3 (1.145.0~rc2) stable; urgency=medium
-
-  * New Synapse release 1.145.0rc2.
-
- -- Synapse Packaging team <packages@matrix.org>  Wed, 07 Jan 2026 10:10:07 -0700
-
-matrix-synapse-py3 (1.145.0~rc1) stable; urgency=medium
-
-  * New Synapse release 1.145.0rc1.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 06 Jan 2026 09:29:39 -0700
-
-matrix-synapse-py3 (1.144.0) stable; urgency=medium
-
-  * New Synapse release 1.144.0.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 09 Dec 2025 08:30:40 -0700
-
-matrix-synapse-py3 (1.144.0~rc1) stable; urgency=medium
-
-  * New Synapse release 1.144.0rc1.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 02 Dec 2025 09:11:19 -0700
-
-matrix-synapse-py3 (1.143.0) stable; urgency=medium
-
-  * New Synapse release 1.143.0.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 25 Nov 2025 08:44:56 -0700
-
-matrix-synapse-py3 (1.143.0~rc2) stable; urgency=medium
-
-  * New Synapse release 1.143.0rc2.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 18 Nov 2025 17:36:08 -0700
-
-matrix-synapse-py3 (1.143.0~rc1) stable; urgency=medium
-
-  * New Synapse release 1.143.0rc1.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 18 Nov 2025 13:08:39 -0700
-
-matrix-synapse-py3 (1.142.1) stable; urgency=medium
-
-  * New Synapse release 1.142.1.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 18 Nov 2025 12:25:23 -0700
-
-matrix-synapse-py3 (1.142.0) stable; urgency=medium
-
-  * New Synapse release 1.142.0.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 11 Nov 2025 09:45:51 +0000
-
-matrix-synapse-py3 (1.142.0~rc4) stable; urgency=medium
-
-  * New Synapse release 1.142.0rc4.
-
- -- Synapse Packaging team <packages@matrix.org>  Fri, 07 Nov 2025 10:54:42 +0000
-
-matrix-synapse-py3 (1.142.0~rc3) stable; urgency=medium
-
-  * New Synapse release 1.142.0rc3.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 04 Nov 2025 17:39:11 +0000
-
-matrix-synapse-py3 (1.142.0~rc2) stable; urgency=medium
-
-  * New Synapse release 1.142.0rc2.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 04 Nov 2025 16:21:30 +0000
-
-matrix-synapse-py3 (1.142.0~rc1) stable; urgency=medium
-
-  * New Synapse release 1.142.0rc1.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 04 Nov 2025 13:20:15 +0000
-
-matrix-synapse-py3 (1.141.0) stable; urgency=medium
-
-  * New Synapse release 1.141.0.
-
- -- Synapse Packaging team <packages@matrix.org>  Wed, 29 Oct 2025 11:01:43 +0000
-
-matrix-synapse-py3 (1.141.0~rc2) stable; urgency=medium
-
-  * New Synapse release 1.141.0rc2.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 28 Oct 2025 10:20:26 +0000
-
-matrix-synapse-py3 (1.141.0~rc1) stable; urgency=medium
-
-  * New Synapse release 1.141.0rc1.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 21 Oct 2025 11:01:44 +0100
-
-matrix-synapse-py3 (1.140.0) stable; urgency=medium
-
-  * New Synapse release 1.140.0.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 14 Oct 2025 15:22:36 +0100
-
-matrix-synapse-py3 (1.140.0~rc1) stable; urgency=medium
-
-  * New Synapse release 1.140.0rc1.
-
- -- Synapse Packaging team <packages@matrix.org>  Fri, 10 Oct 2025 10:56:51 +0100
-
-matrix-synapse-py3 (1.139.2) stable; urgency=medium
-
-  * New Synapse release 1.139.2.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 07 Oct 2025 16:29:47 +0100
-
-matrix-synapse-py3 (1.139.1) stable; urgency=medium
-
-  * New Synapse release 1.139.1.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 07 Oct 2025 11:46:51 +0100
-
-matrix-synapse-py3 (1.138.4) stable; urgency=medium
-
-  * New Synapse release 1.138.4.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 07 Oct 2025 16:28:38 +0100
-
-matrix-synapse-py3 (1.138.3) stable; urgency=medium
-
-  * New Synapse release 1.138.3.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 07 Oct 2025 12:54:18 +0100
-
-matrix-synapse-py3 (1.139.0) stable; urgency=medium
-
-  * New Synapse release 1.139.0.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 30 Sep 2025 11:58:55 +0100
-
-matrix-synapse-py3 (1.139.0~rc3) stable; urgency=medium
-
-  * New Synapse release 1.139.0rc3.
-
- -- Synapse Packaging team <packages@matrix.org>  Thu, 25 Sep 2025 12:13:23 +0100
-
-matrix-synapse-py3 (1.138.2) stable; urgency=medium
-
-  * The licensing specifier has been updated to add an optional
-    `LicenseRef-Element-Commercial` license. The code was already licensed in
-    this manner - the debian metadata was just not updated to reflect it.
-
- -- Synapse Packaging team <packages@matrix.org>  Thu, 25 Sep 2025 12:17:17 +0100
-
-matrix-synapse-py3 (1.138.1) stable; urgency=medium
-
-  * New Synapse release 1.138.1.
-
- -- Synapse Packaging team <packages@matrix.org>  Wed, 24 Sep 2025 11:32:38 +0100
-
-matrix-synapse-py3 (1.139.0~rc2) stable; urgency=medium
-
-  * New Synapse release 1.139.0rc2.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 23 Sep 2025 15:31:42 +0100
-
-matrix-synapse-py3 (1.139.0~rc1) stable; urgency=medium
-
-  * New Synapse release 1.139.0rc1.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 23 Sep 2025 13:24:50 +0100
-
-matrix-synapse-py3 (1.138.0~rc1) stable; urgency=medium
-
-  * New synapse release 1.138.0rc1.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 02 Sep 2025 12:16:14 +0000
-
-matrix-synapse-py3 (1.137.0) stable; urgency=medium
-
-  * New Synapse release 1.137.0.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 26 Aug 2025 10:23:41 +0100
-
-matrix-synapse-py3 (1.137.0~rc1) stable; urgency=medium
-
-  * New Synapse release 1.137.0rc1.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 19 Aug 2025 10:55:22 +0100
-
-matrix-synapse-py3 (1.136.0) stable; urgency=medium
-
-  * New Synapse release 1.136.0.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 12 Aug 2025 13:18:03 +0100
-
-matrix-synapse-py3 (1.136.0~rc2) stable; urgency=medium
-
-  * New Synapse release 1.136.0rc2.
-
- -- Synapse Packaging team <packages@matrix.org>  Mon, 11 Aug 2025 12:18:52 -0600
-
-matrix-synapse-py3 (1.136.0~rc1) stable; urgency=medium
-
-  * New Synapse release 1.136.0rc1.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 05 Aug 2025 08:13:30 -0600
-
-matrix-synapse-py3 (1.135.2) stable; urgency=medium
-
-  * New Synapse release 1.135.2.
-
- -- Synapse Packaging team <packages@matrix.org>  Mon, 11 Aug 2025 11:52:01 -0600
-
-matrix-synapse-py3 (1.135.1) stable; urgency=medium
-
-  * New Synapse release 1.135.1.
-
- -- Synapse Packaging team <packages@matrix.org>  Mon, 11 Aug 2025 11:13:15 -0600
-
 matrix-synapse-py3 (1.135.0) stable; urgency=medium
 
   * New Synapse release 1.135.0.

debian/copyright

@@ -8,7 +8,7 @@ License: Apache-2.0
 
 Files: *
 Copyright: 2023 New Vector Ltd
-License: AGPL-3.0-or-later or LicenseRef-Element-Commercial
+License: AGPL-3.0-or-later
 
 Files: synapse/config/saml2.py
 Copyright: 2015, Ericsson

demo/start.sh

@@ -145,12 +145,6 @@ for port in 8080 8081 8082; do
 			rc_delayed_event_mgmt:
 			  per_second: 1000
 			  burst_count: 1000
-			rc_room_creation:
-			  per_second: 1000
-			  burst_count: 1000
-			rc_user_directory:
-			  per_second: 1000
-			  burst_count: 1000
 			RC
 			)
             echo "${ratelimiting}" >> "$port.config"

docker/Dockerfile

@@ -20,8 +20,8 @@
 # `poetry export | pip install -r /dev/stdin`, but beware: we have experienced bugs in
 # in `poetry export` in the past.
 
-ARG DEBIAN_VERSION=trixie
-ARG PYTHON_VERSION=3.13
+ARG DEBIAN_VERSION=bookworm
+ARG PYTHON_VERSION=3.12
 ARG POETRY_VERSION=2.1.1
 
 ###
@@ -142,10 +142,10 @@ RUN \
       libwebp7 \
       xmlsec1 \
       libjemalloc2 \
+      libicu \
     | grep '^\w' > /tmp/pkg-list && \
   for arch in arm64 amd64; do \
     mkdir -p /tmp/debs-${arch} && \
-    chown _apt:root /tmp/debs-${arch} && \
     cd /tmp/debs-${arch} && \
     apt-get -o APT::Architecture="${arch}" download $(cat /tmp/pkg-list); \
   done
@@ -171,29 +171,24 @@ FROM docker.io/library/python:${PYTHON_VERSION}-slim-${DEBIAN_VERSION}
 
 ARG TARGETARCH
 
-LABEL org.opencontainers.image.url='https://github.com/element-hq/synapse'
-LABEL org.opencontainers.image.documentation='https://element-hq.github.io/synapse/latest/'
+LABEL org.opencontainers.image.url='https://matrix.org/docs/projects/server/synapse'
+LABEL org.opencontainers.image.documentation='https://github.com/element-hq/synapse/blob/master/docker/README.md'
 LABEL org.opencontainers.image.source='https://github.com/element-hq/synapse.git'
-LABEL org.opencontainers.image.licenses='AGPL-3.0-or-later OR LicenseRef-Element-Commercial'
+LABEL org.opencontainers.image.licenses='AGPL-3.0-or-later'
 
+# On the runtime image, /lib is a symlink to /usr/lib, so we need to copy the
+# libraries to the right place, else the `COPY` won't work.
+# On amd64, we'll also have a /lib64 folder with ld-linux-x86-64.so.2, which is
+# already present in the runtime image.
+COPY --from=runtime-deps /install-${TARGETARCH}/lib /usr/lib
 COPY --from=runtime-deps /install-${TARGETARCH}/etc /etc
 COPY --from=runtime-deps /install-${TARGETARCH}/usr /usr
 COPY --from=runtime-deps /install-${TARGETARCH}/var /var
-
-# Copy the installed python packages from the builder stage.
-#
-# uv will generate a `.lock` file when installing packages, which we don't want
-# to copy to the final image.
-COPY --from=builder  --exclude=.lock /install /usr/local
+COPY --from=builder /install /usr/local
 COPY ./docker/start.py /start.py
 COPY ./docker/conf /conf
 
-# 8008: CS Matrix API port from Synapse
-# 8448: SS Matrix API port from Synapse
-EXPOSE 8008/tcp 8448/tcp
-# 19090: Metrics listener port for the main process (metrics must be enabled with
-# SYNAPSE_ENABLE_METRICS=1).
-EXPOSE 19090/tcp
+EXPOSE 8008/tcp 8009/tcp 8448/tcp
 
 ENTRYPOINT ["/start.py"]
 

docker/Dockerfile-workers

@@ -1,10 +1,9 @@
-# syntax=docker/dockerfile:1-labs
+# syntax=docker/dockerfile:1
 
 ARG SYNAPSE_VERSION=latest
 ARG FROM=matrixdotorg/synapse:$SYNAPSE_VERSION
-ARG DEBIAN_VERSION=trixie
-ARG PYTHON_VERSION=3.13
-ARG REDIS_VERSION=7.2
+ARG DEBIAN_VERSION=bookworm
+ARG PYTHON_VERSION=3.12
 
 # first of all, we create a base image with dependencies which we can copy into the
 # target image. For repeated rebuilds, this is much faster than apt installing
@@ -12,27 +11,15 @@ ARG REDIS_VERSION=7.2
 
 FROM ghcr.io/astral-sh/uv:python${PYTHON_VERSION}-${DEBIAN_VERSION} AS deps_base
 
-    ARG DEBIAN_VERSION
-    ARG REDIS_VERSION
-
     # Tell apt to keep downloaded package files, as we're using cache mounts.
     RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
 
-    # The upstream redis-server deb has fewer dynamic libraries than Debian's package which makes it easier to copy later on
-    RUN \
-      curl -fsSL https://packages.redis.io/gpg | gpg --dearmor -o /usr/share/keyrings/redis-archive-keyring.gpg && \
-      chmod 644 /usr/share/keyrings/redis-archive-keyring.gpg && \
-      echo "deb [signed-by=/usr/share/keyrings/redis-archive-keyring.gpg] https://packages.redis.io/deb ${DEBIAN_VERSION} main" | tee /etc/apt/sources.list.d/redis.list
-
     RUN \
        --mount=type=cache,target=/var/cache/apt,sharing=locked \
        --mount=type=cache,target=/var/lib/apt,sharing=locked \
       apt-get update -qq && \
       DEBIAN_FRONTEND=noninteractive apt-get install -yqq --no-install-recommends \
-          nginx-light \
-          redis-server="6:${REDIS_VERSION}.*" redis-tools="6:${REDIS_VERSION}.*" \
-          # libicu is required by postgres, see `docker/complement/Dockerfile`
-          libicu76
+          nginx-light
 
     RUN \
     # remove default page
@@ -48,12 +35,19 @@ FROM ghcr.io/astral-sh/uv:python${PYTHON_VERSION}-${DEBIAN_VERSION} AS deps_base
 
     RUN mkdir -p /uv/etc/supervisor/conf.d
 
+# Similarly, a base to copy the redis server from.
+#
+# The redis docker image has fewer dynamic libraries than the debian package,
+# which makes it much easier to copy (but we need to make sure we use an image
+# based on the same debian version as the synapse image, to make sure we get
+# the expected version of libc.
+FROM docker.io/library/redis:7-${DEBIAN_VERSION} AS redis_base
+
 # now build the final image, based on the the regular Synapse docker image
 FROM $FROM
 
     # Copy over dependencies
-    COPY --from=deps_base --parents /usr/lib/*-linux-gnu/libicu* /
-    COPY --from=deps_base /usr/bin/redis-server /usr/local/bin
+    COPY --from=redis_base /usr/local/bin/redis-server /usr/local/bin
     COPY --from=deps_base /uv /
     COPY --from=deps_base /usr/sbin/nginx /usr/sbin
     COPY --from=deps_base /usr/share/nginx /usr/share/nginx
@@ -71,15 +65,6 @@ FROM $FROM
 
     # Expose nginx listener port
     EXPOSE 8080/tcp
-    # Metrics for workers are on ports starting from 19091 but since these are dynamic
-    # we don't expose them by default (metrics must be enabled with
-    # SYNAPSE_ENABLE_METRICS=1)
-    #
-    # Instead, we expose a single port used for Prometheus HTTP service discovery
-    # (`http://<synapse_container>:9469/metrics/service_discovery`) and proxy all of the
-    # workers' metrics endpoints through that
-    # (`http://<synapse_container>:9469/metrics/worker/<worker_name>`).
-    EXPOSE 9469/tcp
 
     # A script to read environment variables and create the necessary
     # files to run the desired worker configuration. Will start supervisord.

docker/README-testing.md

@@ -135,49 +135,3 @@ but it does not serve TLS by default.
 You can configure `SYNAPSE_TLS_CERT` and `SYNAPSE_TLS_KEY` to point to a
 TLS certificate and key (respectively), both in PEM (textual) format.
 In this case, Nginx will additionally serve using HTTPS on port 8448.
-
-
-### Metrics
-
-Set `SYNAPSE_ENABLE_METRICS=1` to configure `enable_metrics: true` and setup the
-`metrics` listener on the main and worker processes. Defaults to `0` (disabled). The
-main process will listen on port `19090` and workers on port `19091 + <worker index>`.
-
-When using `docker/Dockerfile-workers`, to ease the complexity with the metrics setup,
-we also have a [Prometheus HTTP service
-discovery](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#http_sd_config)
-endpoint available at `http://<synapse_container>:9469/metrics/service_discovery`.
-
-The metrics from each worker can also be accessed via
-`http://<synapse_container>:9469/metrics/worker/<worker_name>` which is what the service
-discovery response points to behind the scenes. This way, you only need to expose a
-single port (9469) to access all metrics.
-
-```yaml
-global:
-  scrape_interval: 15s
-  scrape_timeout: 15s
-  evaluation_interval: 15s
-
-scrape_configs:
-  - job_name: synapse
-    scrape_interval: 15s
-    metrics_path: /_synapse/metrics
-    scheme: http
-    # We set `honor_labels` so that each service can set their own `job`/`instance` label
-    #
-    # > honor_labels controls how Prometheus handles conflicts between labels that are
-    # > already present in scraped data and labels that Prometheus would attach
-    # > server-side ("job" and "instance" labels, manually configured target
-    # > labels, and labels generated by service discovery implementations).
-    # >
-    # > *-- https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config*
-    honor_labels: true
-    # Use HTTP service discovery
-    #
-    # Reference:
-    #  - https://prometheus.io/docs/prometheus/latest/http_sd/
-    #  - https://prometheus.io/docs/prometheus/latest/configuration/configuration/#http_sd_config
-    http_sd_configs:
-      - url: 'http://localhost:9469/metrics/service_discovery'
-```

docker/README.md

@@ -75,9 +75,6 @@ The following environment variables are supported in `generate` mode:
   particularly tricky.
 * `SYNAPSE_LOG_TESTING`: if set, Synapse will log additional information useful
   for testing.
-* `SYNAPSE_ENABLE_METRICS`: if set to `1`, the metrics listener will be enabled on the
-  main and worker processes. Defaults to `0` (disabled). The main process will listen on
-  port `19090` and workers on port `19091 + <worker index>`.
 
 ## Postgres
 

docker/complement/Dockerfile

@@ -9,24 +9,24 @@
 ARG SYNAPSE_VERSION=latest
 # This is an intermediate image, to be built locally (not pulled from a registry).
 ARG FROM=matrixdotorg/synapse-workers:$SYNAPSE_VERSION
-ARG DEBIAN_VERSION=trixie
+ARG DEBIAN_VERSION=bookworm
 
-FROM docker.io/library/postgres:14-${DEBIAN_VERSION} AS postgres_base
+FROM docker.io/library/postgres:13-${DEBIAN_VERSION} AS postgres_base
 
 FROM $FROM
 # First of all, we copy postgres server from the official postgres image,
 # since for repeated rebuilds, this is much faster than apt installing
 # postgres each time.
 
-# This trick only works because we use a postgres image based on the same
-# debian version as Synapse's docker image (so the versions of the shared
-# libraries match). Any missing libraries need to be added to either the
-# Synapse image or docker/Dockerfile-workers.
+# This trick only works because (a) the Synapse image happens to have all the
+# shared libraries that postgres wants, (b) we use a postgres image based on
+# the same debian version as Synapse's docker image (so the versions of the
+# shared libraries match).
 RUN adduser --system --uid 999 postgres --home /var/lib/postgresql
 COPY --from=postgres_base /usr/lib/postgresql /usr/lib/postgresql
 COPY --from=postgres_base /usr/share/postgresql /usr/share/postgresql
 COPY --from=postgres_base --chown=postgres /var/run/postgresql /var/run/postgresql
-ENV PATH="${PATH}:/usr/lib/postgresql/14/bin"
+ENV PATH="${PATH}:/usr/lib/postgresql/13/bin"
 ENV PGDATA=/var/lib/postgresql/data
 
 # We also initialize the database at build time, rather than runtime, so that it's faster to spin up the image.

docker/complement/conf/workers-shared-extra.yaml.j2

@@ -102,10 +102,6 @@ rc_room_creation:
   per_second: 9999
   burst_count: 9999
 
-rc_user_directory:
-  per_second: 9999
-  burst_count: 9999
-
 federation_rr_transactions_per_room_per_second: 9999
 
 allow_device_name_lookup_over_federation: true
@@ -137,10 +133,6 @@ experimental_features:
   msc3984_appservice_key_query: true
   # Invite filtering
   msc4155_enabled: true
-  # Thread Subscriptions
-  msc4306_enabled: true
-  # Sticky Events
-  msc4354_enabled: true
 
 server_notices:
   system_mxid_localpart: _server

docker/conf-workers/nginx.conf.j2

@@ -48,5 +48,3 @@ server {
         proxy_set_header Host $host:$server_port;
     }
 }
-
-{{ nginx_prometheus_metrics_service_discovery }}

docker/conf-workers/shared.yaml.j2

@@ -20,9 +20,4 @@ app_service_config_files:
 {%- endfor %}
 {%- endif %}
 
-{# Controlled by SYNAPSE_ENABLE_METRICS #}
-{% if enable_metrics %}
-enable_metrics: true
-{% endif %}
-
 {{ shared_worker_config }}

docker/conf-workers/worker.yaml.j2

@@ -21,14 +21,6 @@ worker_listeners:
 {%- endfor %}
 {% endif %}
 
-{# Controlled by SYNAPSE_ENABLE_METRICS #}
-{% if metrics_port %}
-  - type: metrics
-    # Prometheus does not support Unix sockets so we don't bother with
-    # `SYNAPSE_USE_UNIX_SOCKET`, https://github.com/prometheus/prometheus/issues/12024
-    port: {{ metrics_port }}
-{% endif %}
-
 worker_log_config: {{ worker_log_config_filepath }}
 
 {{ worker_extra_conf }}

docker/conf/homeserver.yaml

@@ -53,15 +53,6 @@ listeners:
       - names: [federation]
         compress: false
 
-{% if SYNAPSE_ENABLE_METRICS %}
-  - type: metrics
-    # The main process always uses the same port 19090
-    #
-    # Prometheus does not support Unix sockets so we don't bother with
-    # `SYNAPSE_USE_UNIX_SOCKET`, https://github.com/prometheus/prometheus/issues/12024
-    port: 19090
-{% endif %}
-
 ## Database ##
 
 {% if POSTGRES_PASSWORD %}

docker/conf/log.config

@@ -77,13 +77,6 @@ loggers:
     #}
     synapse.visibility.filtered_event_debug:
         level: DEBUG
-
-    {#
-      If Synapse is under test, we don't care about seeing the "Applying schema" log
-      lines at the INFO level every time we run the tests (it's 100 lines of bulk)
-    #}
-    synapse.storage.prepare_database:
-      level: WARN
     {% endif %}
 
 root:

docker/configure_workers_and_start.py

@@ -49,16 +49,11 @@
 #         regardless of the SYNAPSE_LOG_LEVEL setting.
 #   * SYNAPSE_LOG_TESTING: if set, Synapse will log additional information useful
 #     for testing.
-#   * SYNAPSE_USE_UNIX_SOCKET: TODO
-#   * `SYNAPSE_ENABLE_METRICS`: if set to `1`, the metrics listener will be enabled on the
-#      main and worker processes. Defaults to `0` (disabled). The main process will listen on
-#      port `19090` and workers on port `19091 + <worker index>`.
 #
 # NOTE: According to Complement's ENTRYPOINT expectations for a homeserver image (as defined
 # in the project's README), this script may be run multiple times, and functionality should
 # continue to work if so.
 
-import json
 import os
 import platform
 import re
@@ -70,13 +65,16 @@ from itertools import chain
 from pathlib import Path
 from typing import (
     Any,
+    Dict,
+    List,
     Mapping,
     MutableMapping,
     NoReturn,
+    Optional,
+    Set,
     SupportsIndex,
 )
 
-import attr
 import yaml
 from jinja2 import Environment, FileSystemLoader
 
@@ -98,7 +96,7 @@ WORKER_PLACEHOLDER_NAME = "placeholder_name"
 # Watching /_matrix/media and related needs a "media" listener
 # Stream Writers require "client" and "replication" listeners because they
 #   have to attach by instance_map to the master process and have client endpoints.
-WORKERS_CONFIG: dict[str, dict[str, Any]] = {
+WORKERS_CONFIG: Dict[str, Dict[str, Any]] = {
     "pusher": {
         "app": "synapse.app.generic_worker",
         "listener_resources": [],
@@ -129,6 +127,7 @@ WORKERS_CONFIG: dict[str, dict[str, Any]] = {
             "^/_synapse/admin/v1/quarantine_media/.*$",
             "^/_matrix/client/v1/media/.*$",
             "^/_matrix/federation/v1/media/.*$",
+            "^/_synapse/media/",
         ],
         # The first configured media worker will run the media background jobs
         "shared_extra_conf": {
@@ -202,7 +201,6 @@ WORKERS_CONFIG: dict[str, dict[str, Any]] = {
             "^/_matrix/client/(api/v1|r0|v3|unstable)/keys/upload",
             "^/_matrix/client/(api/v1|r0|v3|unstable)/keys/device_signing/upload$",
             "^/_matrix/client/(api/v1|r0|v3|unstable)/keys/signatures/upload$",
-            "^/_matrix/client/unstable/org.matrix.msc4140/delayed_events(/.*/restart)?$",
         ],
         "shared_extra_conf": {},
         "worker_extra_conf": "",
@@ -343,7 +341,7 @@ WORKERS_CONFIG: dict[str, dict[str, Any]] = {
 }
 
 # Templates for sections that may be inserted multiple times in config files
-NGINX_LOCATION_REGEX_CONFIG_BLOCK = """
+NGINX_LOCATION_CONFIG_BLOCK = """
     location ~* {endpoint} {{
         proxy_pass {upstream};
         proxy_set_header X-Forwarded-For $remote_addr;
@@ -352,25 +350,6 @@ NGINX_LOCATION_REGEX_CONFIG_BLOCK = """
     }}
 """
 
-# Having both **regex** (`NGINX_LOCATION_REGEX_CONFIG_BLOCK`) match vs **exact**
-# (`NGINX_LOCATION_EXACT_CONFIG_BLOCK`) match is necessary because we can't use a URI
-# path in `proxy_pass http://localhost:19090/_synapse/metrics` with the regex version.
-#
-# Example of what happens if you try to use `proxy_pass http://localhost:19090/_synapse/metrics`
-# with `NGINX_LOCATION_REGEX_CONFIG_BLOCK`:
-# ```
-# nginx | 2025/12/31 22:58:34 [emerg] 21#21: "proxy_pass" cannot have URI part in location given by regular expression, or inside named location, or inside "if" statement, or inside "limit_except" block in /etc/nginx/conf.d/matrix-synapse.conf:732
-# ```
-NGINX_LOCATION_EXACT_CONFIG_BLOCK = """
-    location = {endpoint} {{
-        proxy_pass {upstream};
-        proxy_set_header X-Forwarded-For $remote_addr;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_set_header Host $host;
-    }}
-"""
-
-
 NGINX_UPSTREAM_CONFIG_BLOCK = """
 upstream {upstream_worker_base_name} {{
 {body}
@@ -378,63 +357,6 @@ upstream {upstream_worker_base_name} {{
 """
 
 
-PROMETHEUS_METRICS_SERVICE_DISCOVERY_FILE_PATH = (
-    "/data/prometheus_service_discovery.json"
-)
-"""
-We serve this file with nginx so people can use it with `http_sd_config` in their
-Prometheus config.
-"""
-
-NGINX_HOST_PLACEHOLDER = "<HOST_PLACEHOLDER>"
-"""Will be replaced with the whatever hostname:port used to access the nginx metrics endpoint."""
-
-NGINX_PROMETHEUS_METRICS_SERVICE_DISCOVERY = """
-server {{
-    listen 9469;
-    location = /metrics/service_discovery {{
-        alias {service_discovery_file_path};
-        default_type application/json;
-
-        # Find/replace the host placeholder in the response body with the actual
-        # host used to access this endpoint.
-        #
-        # We want to reflect back whatever host the client used to access this file.
-        # For example, if they accessed it via `localhost:9469`, then they
-        # can also reach all of the proxied metrics endpoints at the same address.
-        # Or if it's Prometheus in another container, it will access this via
-        # `host.docker.internal:9469`, etc. Or perhaps it's even some randomly assigned
-        # port mapping.
-        sub_filter '{host_placeholder}' '$http_host';
-        # By default, `ngx_http_sub_module` only works on `text/html` responses. We want
-        # to find/replace in `application/JSON`.
-        sub_filter_types application/json;
-        # Replace all occurences
-        sub_filter_once off;
-    }}
-
-    # Make the service discovery endpoint easy to find; redirect to the correct spot.
-    location = / {{
-        return 302 /metrics/service_discovery;
-    }}
-
-    {metrics_proxy_locations}
-}}
-"""
-"""
-Setup the nginx config necessary to serve the JSON file for Prometheus HTTP service discovery
-(`http_sd_config`). Served at `/metrics/service_discovery`.
-
-Reference:
- - https://prometheus.io/docs/prometheus/latest/http_sd/
- - https://prometheus.io/docs/prometheus/latest/configuration/configuration/#http_sd_config
-
-We also proxy all of the Synapse metrics endpoints through a central place so that
-people only need to expose the single 9469 port and service discovery can take care of
-the rest: `/metrics/worker/<worker_name>` -> http://localhost:19090/_synapse/metrics
-"""
-
-
 # Utility functions
 def log(txt: str) -> None:
     print(txt)
@@ -487,7 +409,7 @@ def convert(src: str, dst: str, **template_vars: object) -> None:
 
 def add_worker_roles_to_shared_config(
     shared_config: dict,
-    worker_types_set: set[str],
+    worker_types_set: Set[str],
     worker_name: str,
     worker_port: int,
 ) -> None:
@@ -550,9 +472,9 @@ def add_worker_roles_to_shared_config(
 
 
 def merge_worker_template_configs(
-    existing_dict: dict[str, Any] | None,
-    to_be_merged_dict: dict[str, Any],
-) -> dict[str, Any]:
+    existing_dict: Optional[Dict[str, Any]],
+    to_be_merged_dict: Dict[str, Any],
+) -> Dict[str, Any]:
     """When given an existing dict of worker template configuration consisting with both
         dicts and lists, merge new template data from WORKERS_CONFIG(or create) and
         return new dict.
@@ -563,7 +485,7 @@ def merge_worker_template_configs(
             existing_dict.
     Returns: The newly merged together dict values.
     """
-    new_dict: dict[str, Any] = {}
+    new_dict: Dict[str, Any] = {}
     if not existing_dict:
         # It doesn't exist yet, just use the new dict(but take a copy not a reference)
         new_dict = to_be_merged_dict.copy()
@@ -588,8 +510,8 @@ def merge_worker_template_configs(
 
 
 def insert_worker_name_for_worker_config(
-    existing_dict: dict[str, Any], worker_name: str
-) -> dict[str, Any]:
+    existing_dict: Dict[str, Any], worker_name: str
+) -> Dict[str, Any]:
     """Insert a given worker name into the worker's configuration dict.
 
     Args:
@@ -605,7 +527,7 @@ def insert_worker_name_for_worker_config(
     return dict_to_edit
 
 
-def apply_requested_multiplier_for_worker(worker_types: list[str]) -> list[str]:
+def apply_requested_multiplier_for_worker(worker_types: List[str]) -> List[str]:
     """
     Apply multiplier(if found) by returning a new expanded list with some basic error
     checking.
@@ -666,7 +588,7 @@ def is_sharding_allowed_for_worker_type(worker_type: str) -> bool:
 
 def split_and_strip_string(
     given_string: str, split_char: str, max_split: SupportsIndex = -1
-) -> list[str]:
+) -> List[str]:
     """
     Helper to split a string on split_char and strip whitespace from each end of each
         element.
@@ -694,42 +616,9 @@ def generate_base_homeserver_config() -> None:
     subprocess.run([sys.executable, "/start.py", "migrate_config"], check=True)
 
 
-@attr.s(auto_attribs=True)
-class Worker:
-    worker_name: str
-    """
-    ex.
-    `event_persister:2` -> `event_persister1` and `event_persister2`
-    `stream_writers=account_data+presence+receipts+to_device+typing"` -> `stream_writers`
-    """
-
-    worker_base_name: str
-    """
-    ex.
-    `event_persister:2` -> `event_persister`
-    `stream_writers=account_data+presence+receipts+to_device+typing"` -> `stream_writers`
-    """
-
-    worker_index: int
-    """
-    The index of the worker starting from 1 for each worker type requested.
-
-    ex.
-    `event_persister:2` -> `1` and `2`
-    `stream_writers=account_data+presence+receipts+to_device+typing"` -> `1`
-    """
-
-    worker_types: set[str]
-    """
-    ex.
-    `event_persister:2` -> `{"event_persister"}`
-    `stream_writers=account_data+presence+receipts+to_device+typing"` -> `{"account_data", "presence", "receipts","to_device", "typing"}
-    """
-
-
 def parse_worker_types(
-    requested_worker_types: list[str],
-) -> list[Worker]:
+    requested_worker_types: List[str],
+) -> Dict[str, Set[str]]:
     """Read the desired list of requested workers and prepare the data for use in
         generating worker config files while also checking for potential gotchas.
 
@@ -737,19 +626,22 @@ def parse_worker_types(
         requested_worker_types: The list formed from the split environment variable
             containing the unprocessed requests for workers.
 
-    Returns: A list of requested workers
+    Returns: A dict of worker names to set of worker types. Format:
+        {'worker_name':
+            {'worker_type', 'worker_type2'}
+        }
     """
     # A counter of worker_base_name -> int. Used for determining the name for a given
     # worker when generating its config file, as each worker's name is just
     # worker_base_name followed by instance number
-    worker_base_name_counter: dict[str, int] = defaultdict(int)
+    worker_base_name_counter: Dict[str, int] = defaultdict(int)
 
     # Similar to above, but more finely grained. This is used to determine we don't have
     # more than a single worker for cases where multiples would be bad(e.g. presence).
-    worker_type_shard_counter: dict[str, int] = defaultdict(int)
+    worker_type_shard_counter: Dict[str, int] = defaultdict(int)
 
-    # Map from worker name to `Worker`
-    worker_dict: dict[str, Worker] = {}
+    # The final result of all this processing
+    dict_to_return: Dict[str, Set[str]] = {}
 
     # Handle any multipliers requested for given workers.
     multiple_processed_worker_types = apply_requested_multiplier_for_worker(
@@ -793,7 +685,7 @@ def parse_worker_types(
 
         # Split the worker_type_string on "+", remove whitespace from ends then make
         # the list a set so it's deduplicated.
-        worker_types_set: set[str] = set(
+        worker_types_set: Set[str] = set(
             split_and_strip_string(worker_type_string, "+")
         )
 
@@ -835,29 +727,24 @@ def parse_worker_types(
         if worker_number > 1:
             # If this isn't the first worker, check that we don't have a confusing
             # mixture of worker types with the same base name.
-            first_worker_with_base_name = worker_dict[f"{worker_base_name}1"]
-            if first_worker_with_base_name.worker_types != worker_types_set:
+            first_worker_with_base_name = dict_to_return[f"{worker_base_name}1"]
+            if first_worker_with_base_name != worker_types_set:
                 error(
                     f"Can not use worker_name: '{worker_name}' for worker_type(s): "
                     f"{worker_types_set!r}. It is already in use by "
-                    f"worker_type(s): {first_worker_with_base_name.worker_types!r}"
+                    f"worker_type(s): {first_worker_with_base_name!r}"
                 )
 
-        worker_dict[worker_name] = Worker(
-            worker_name=worker_name,
-            worker_base_name=worker_base_name,
-            worker_index=worker_number,
-            worker_types=worker_types_set,
-        )
+        dict_to_return[worker_name] = worker_types_set
 
-    return list(worker_dict.values())
+    return dict_to_return
 
 
 def generate_worker_files(
     environ: Mapping[str, str],
     config_path: str,
     data_dir: str,
-    requested_workers: list[Worker],
+    requested_worker_types: Dict[str, Set[str]],
 ) -> None:
     """Read the desired workers(if any) that is passed in and generate shared
         homeserver, nginx and supervisord configs.
@@ -867,20 +754,18 @@ def generate_worker_files(
         config_path: The location of the generated Synapse main worker config file.
         data_dir: The location of the synapse data directory. Where log and
             user-facing config files live.
-        requested_workers: A list of requested workers
+        requested_worker_types: A Dict containing requested workers in the format of
+            {'worker_name1': {'worker_type', ...}}
     """
     # Note that yaml cares about indentation, so care should be taken to insert lines
     # into files at the correct indentation below.
 
     # Convenience helper for if using unix sockets instead of host:port
     using_unix_sockets = environ.get("SYNAPSE_USE_UNIX_SOCKET", False)
-
-    enable_metrics = environ.get("SYNAPSE_ENABLE_METRICS", "0") == "1"
-
     # First read the original config file and extract the listeners block. Then we'll
     # add another listener for replication. Later we'll write out the result to the
     # shared config file.
-    listeners: list[Any]
+    listeners: List[Any]
     if using_unix_sockets:
         listeners = [
             {
@@ -908,16 +793,12 @@ def generate_worker_files(
     # base shared worker jinja2 template. This config file will be passed to all
     # workers, included Synapse's main process. It is intended mainly for disabling
     # functionality when certain workers are spun up, and adding a replication listener.
-    shared_config: dict[str, Any] = {
-        "listeners": listeners,
-        # Controls `enable_metrics: true`
-        "enable_metrics": enable_metrics,
-    }
+    shared_config: Dict[str, Any] = {"listeners": listeners}
 
     # List of dicts that describe workers.
     # We pass this to the Supervisor template later to generate the appropriate
     # program blocks.
-    worker_descriptors: list[dict[str, Any]] = []
+    worker_descriptors: List[Dict[str, Any]] = []
 
     # Upstreams for load-balancing purposes. This dict takes the form of the worker
     # type to the ports of each worker. For example:
@@ -925,22 +806,20 @@ def generate_worker_files(
     #   worker_type: {1234, 1235, ...}}
     # }
     # and will be used to construct 'upstream' nginx directives.
-    nginx_upstreams: dict[str, set[int]] = {}
+    nginx_upstreams: Dict[str, Set[int]] = {}
 
     # A map of: {"endpoint": "upstream"}, where "upstream" is a str representing what
     # will be placed after the proxy_pass directive. The main benefit to representing
     # this data as a dict over a str is that we can easily deduplicate endpoints
     # across multiple instances of the same worker. The final rendering will be combined
     # with nginx_upstreams and placed in /etc/nginx/conf.d.
-    nginx_locations: dict[str, str] = {}
+    nginx_locations: Dict[str, str] = {}
 
     # Create the worker configuration directory if it doesn't already exist
     os.makedirs("/conf/workers", exist_ok=True)
 
     # Start worker ports from this arbitrary port
     worker_port = 18009
-    # The main process metrics port is 19090, so start workers from 19091
-    worker_metrics_port = 19091
 
     # A list of internal endpoints to healthcheck, starting with the main process
     # which exists even if no workers do.
@@ -957,9 +836,7 @@ def generate_worker_files(
         healthcheck_urls = ["http://localhost:8080/health"]
 
     # Get the set of all worker types that we have configured
-    all_worker_types_in_use = set(
-        chain(*[worker.worker_types for worker in requested_workers])
-    )
+    all_worker_types_in_use = set(chain(*requested_worker_types.values()))
     # Map locations to upstreams (corresponding to worker types) in Nginx
     # but only if we use the appropriate worker type
     for worker_type in all_worker_types_in_use:
@@ -968,13 +845,12 @@ def generate_worker_files(
 
     # For each worker type specified by the user, create config values and write it's
     # yaml config file
-    worker_name_to_metrics_port_map: dict[str, int] = {}
-    for worker in requested_workers:
+    for worker_name, worker_types_set in requested_worker_types.items():
         # The collected and processed data will live here.
-        worker_config: dict[str, Any] = {}
+        worker_config: Dict[str, Any] = {}
 
         # Merge all worker config templates for this worker into a single config
-        for worker_type in worker.worker_types:
+        for worker_type in worker_types_set:
             copy_of_template_config = WORKERS_CONFIG[worker_type].copy()
 
             # Merge worker type template configuration data. It's a combination of lists
@@ -984,27 +860,16 @@ def generate_worker_files(
             )
 
         # Replace placeholder names in the config template with the actual worker name.
-        worker_config = insert_worker_name_for_worker_config(
-            worker_config, worker.worker_name
-        )
+        worker_config = insert_worker_name_for_worker_config(worker_config, worker_name)
 
         worker_config.update(
-            {
-                "name": worker.worker_name,
-                "port": str(worker_port),
-                "config_path": config_path,
-            }
+            {"name": worker_name, "port": str(worker_port), "config_path": config_path}
         )
 
-        # Keep the `shared_config` up to date with the `shared_extra_conf` from each
-        # worker.
-        shared_config = {
-            **worker_config["shared_extra_conf"],
-            # We combine `shared_config` second to avoid overwriting existing keys just
-            # for sanity sake (always use the first worker).
-            **shared_config,
-        }
-
+        # Update the shared config with any worker_type specific options. The first of a
+        # given worker_type needs to stay assigned and not be replaced.
+        worker_config["shared_extra_conf"].update(shared_config)
+        shared_config = worker_config["shared_extra_conf"]
         if using_unix_sockets:
             healthcheck_urls.append(
                 f"--unix-socket /run/worker.{worker_port} http://localhost/health"
@@ -1016,51 +881,39 @@ def generate_worker_files(
         # the `events` stream. For other workers, the worker name is the same
         # name of the stream they write to, but for some reason it is not the
         # case for event_persister.
-        if "event_persister" in worker.worker_types:
-            worker.worker_types.add("events")
+        if "event_persister" in worker_types_set:
+            worker_types_set.add("events")
 
         # Update the shared config with sharding-related options if necessary
         add_worker_roles_to_shared_config(
-            shared_config, worker.worker_types, worker.worker_name, worker_port
+            shared_config, worker_types_set, worker_name, worker_port
         )
 
         # Enable the worker in supervisord
         worker_descriptors.append(worker_config)
 
         # Write out the worker's logging config file
-        log_config_filepath = generate_worker_log_config(
-            environ, worker.worker_name, data_dir
-        )
-
-        worker_name_to_metrics_port_map[worker.worker_name] = worker_metrics_port
-        if enable_metrics:
-            # Enable prometheus metrics endpoint on this worker
-            worker_config["metrics_port"] = worker_metrics_port
-
-        if enable_metrics:
-            # Enable prometheus metrics endpoint on this worker
-            worker_config["metrics_port"] = worker_metrics_port
+        log_config_filepath = generate_worker_log_config(environ, worker_name, data_dir)
 
         # Then a worker config file
         convert(
             "/conf/worker.yaml.j2",
-            f"/conf/workers/{worker.worker_name}.yaml",
+            f"/conf/workers/{worker_name}.yaml",
             **worker_config,
             worker_log_config_filepath=log_config_filepath,
             using_unix_sockets=using_unix_sockets,
         )
 
         # Save this worker's port number to the correct nginx upstreams
-        for worker_type in worker.worker_types:
+        for worker_type in worker_types_set:
             nginx_upstreams.setdefault(worker_type, set()).add(worker_port)
 
         worker_port += 1
-        worker_metrics_port += 1
 
     # Build the nginx location config blocks
     nginx_location_config = ""
     for endpoint, upstream in nginx_locations.items():
-        nginx_location_config += NGINX_LOCATION_REGEX_CONFIG_BLOCK.format(
+        nginx_location_config += NGINX_LOCATION_CONFIG_BLOCK.format(
             endpoint=endpoint,
             upstream=upstream,
         )
@@ -1083,111 +936,6 @@ def generate_worker_files(
             body=body,
         )
 
-    # Provide a Prometheus metrics service discovery endpoint to easily be able to pick
-    # up all of the workers
-    nginx_prometheus_metrics_service_discovery = ""
-    if enable_metrics:
-        # Write JSON file for Prometheus service discovery pointing to all of the
-        # workers. We serve this file with nginx so people can use it with
-        # `http_sd_config` in their Prometheus config.
-        #
-        # > It fetches targets from an HTTP endpoint containing a list of zero or more
-        # > `<static_config>`s. The target must reply with an HTTP 200 response. The HTTP
-        # > header `Content-Type` must be `application/json`, and the body must be valid
-        # > JSON.
-        # >
-        # > *-- https://prometheus.io/docs/prometheus/latest/configuration/configuration/#http_sd_config*
-        #
-        # Another reference: https://prometheus.io/docs/prometheus/latest/http_sd/
-        prometheus_http_service_discovery_content = [
-            {
-                "targets": [NGINX_HOST_PLACEHOLDER],
-                "labels": {
-                    # The downstream user should also configure `honor_labels: true` in
-                    # their Prometheus config to prevent Prometheus from overwriting the
-                    # `job` labels.
-                    #
-                    # > honor_labels controls how Prometheus handles conflicts between labels that are
-                    # > already present in scraped data and labels that Prometheus would attach
-                    # > server-side ("job" and "instance" labels, manually configured target
-                    # > labels, and labels generated by service discovery implementations).
-                    # >
-                    # > *-- https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config*
-                    #
-                    # Reference:
-                    # - https://prometheus.io/docs/concepts/jobs_instances/
-                    # - https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config
-                    "job": worker.worker_base_name,
-                    "index": f"{worker.worker_index}",
-                    # This allows us to change the `metrics_path` on a per-target basis.
-                    # We want to grab the metrics from our nginx proxied location (setup
-                    # below).
-                    #
-                    # While there doesn't seem to be official docs on these special
-                    # labels (`__metrics_path__`, `__scheme__`, `__scrape_interval__`,
-                    # `__scrape_timeout__`), this discussion best summarizes how this
-                    # works: https://github.com/prometheus/prometheus/discussions/13217
-                    "__metrics_path__": f"/metrics/worker/{worker.worker_name}",
-                },
-            }
-            for worker in requested_workers
-        ]
-        # Add the main Synapse process as well
-        prometheus_http_service_discovery_content.append(
-            {
-                "targets": [NGINX_HOST_PLACEHOLDER],
-                "labels": {
-                    # We use `"synapse"` as the job name for the main process because it
-                    # matches what we expect people to use from a monolith setup with
-                    # their static scrape config. It's `job` name used in our Grafana
-                    # dashboard for the main process.
-                    "job": "synapse",
-                    "index": "1",
-                    "__metrics_path__": "/metrics/worker/main",
-                },
-            }
-        )
-
-        # Check to make sure the file doesn't already exist
-        if os.path.isfile(PROMETHEUS_METRICS_SERVICE_DISCOVERY_FILE_PATH):
-            error(
-                f"Prometheus service discovery file "
-                f"'{PROMETHEUS_METRICS_SERVICE_DISCOVERY_FILE_PATH}' already exists (unexpected)! "
-                f"This is a problem because the existing file probably doesn't match the "
-                "Synapse workers we're setting up now."
-            )
-
-        # Write the file
-        with open(PROMETHEUS_METRICS_SERVICE_DISCOVERY_FILE_PATH, "w") as outfile:
-            outfile.write(
-                json.dumps(prometheus_http_service_discovery_content, indent=4)
-            )
-
-        # Proxy all of the Synapse metrics endpoints through a central place so that
-        # people only need to expose the single 9469 port and service discovery can take
-        # care of the rest: `/metrics/worker/<worker_name>` ->
-        # http://localhost:19090/_synapse/metrics
-        #
-        # Build the nginx location config blocks
-        metrics_proxy_locations = ""
-        for worker in requested_workers:
-            metrics_proxy_locations += NGINX_LOCATION_EXACT_CONFIG_BLOCK.format(
-                endpoint=f"/metrics/worker/{worker.worker_name}",
-                upstream=f"http://localhost:{worker_name_to_metrics_port_map[worker.worker_name]}/_synapse/metrics",
-            )
-        # Add the main Synapse process as well
-        metrics_proxy_locations += NGINX_LOCATION_EXACT_CONFIG_BLOCK.format(
-            endpoint="/metrics/worker/main",
-            upstream="http://localhost:19090/_synapse/metrics",
-        )
-
-        # Add a nginx server/location to serve the JSON file
-        nginx_prometheus_metrics_service_discovery = NGINX_PROMETHEUS_METRICS_SERVICE_DISCOVERY.format(
-            service_discovery_file_path=PROMETHEUS_METRICS_SERVICE_DISCOVERY_FILE_PATH,
-            host_placeholder=NGINX_HOST_PLACEHOLDER,
-            metrics_proxy_locations=metrics_proxy_locations,
-        )
-
     # Finally, we'll write out the config files.
 
     # log config for the master process
@@ -1205,7 +953,7 @@ def generate_worker_files(
             if reg_path.suffix.lower() in (".yaml", ".yml")
         ]
 
-    workers_in_use = len(requested_workers) > 0
+    workers_in_use = len(requested_worker_types) > 0
 
     # If there are workers, add the main process to the instance_map too.
     if workers_in_use:
@@ -1240,7 +988,6 @@ def generate_worker_files(
         tls_cert_path=os.environ.get("SYNAPSE_TLS_CERT"),
         tls_key_path=os.environ.get("SYNAPSE_TLS_KEY"),
         using_unix_sockets=using_unix_sockets,
-        nginx_prometheus_metrics_service_discovery=nginx_prometheus_metrics_service_discovery,
     )
 
     # Supervisord config
@@ -1283,7 +1030,7 @@ def generate_worker_log_config(
     Returns: the path to the generated file
     """
     # Check whether we should write worker logs to disk, in addition to the console
-    extra_log_template_args: dict[str, str | None] = {}
+    extra_log_template_args: Dict[str, Optional[str]] = {}
     if environ.get("SYNAPSE_WORKERS_WRITE_LOGS_TO_DISK"):
         extra_log_template_args["LOG_FILE_PATH"] = f"{data_dir}/logs/{worker_name}.log"
 
@@ -1307,7 +1054,7 @@ def generate_worker_log_config(
     return log_config_filepath
 
 
-def main(args: list[str], environ: MutableMapping[str, str]) -> None:
+def main(args: List[str], environ: MutableMapping[str, str]) -> None:
     parser = ArgumentParser()
     parser.add_argument(
         "--generate-only",
@@ -1341,20 +1088,15 @@ def main(args: list[str], environ: MutableMapping[str, str]) -> None:
         if not worker_types_env:
             # No workers, just the main process
             worker_types = []
-            requested_workers: list[Worker] = []
+            requested_worker_types: Dict[str, Any] = {}
         else:
             # Split type names by comma, ignoring whitespace.
             worker_types = split_and_strip_string(worker_types_env, ",")
-            requested_workers = parse_worker_types(worker_types)
+            requested_worker_types = parse_worker_types(worker_types)
 
         # Always regenerate all other config files
         log("Generating worker config files")
-        generate_worker_files(
-            environ=environ,
-            config_path=config_path,
-            data_dir=data_dir,
-            requested_workers=requested_workers,
-        )
+        generate_worker_files(environ, config_path, data_dir, requested_worker_types)
 
         # Mark workers as being configured
         with open(mark_filepath, "w") as f:

docker/editable.Dockerfile

@@ -3,14 +3,14 @@
 #
 # Used by `complement.sh`. Not suitable for production use.
 
-ARG PYTHON_VERSION=3.10
+ARG PYTHON_VERSION=3.9
 
 ###
 ### Stage 0: generate requirements.txt
 ###
-# We hardcode the use of Debian trixie here because this could change upstream
-# and other Dockerfiles used for testing are expecting trixie.
-FROM docker.io/library/python:${PYTHON_VERSION}-slim-trixie
+# We hardcode the use of Debian bookworm here because this could change upstream
+# and other Dockerfiles used for testing are expecting bookworm.
+FROM docker.io/library/python:${PYTHON_VERSION}-slim-bookworm
 
 # Install Rust and other dependencies (stolen from normal Dockerfile)
 # install the OS build deps

docker/start.py

@@ -6,7 +6,7 @@ import os
 import platform
 import subprocess
 import sys
-from typing import Any, Mapping, MutableMapping, NoReturn
+from typing import Any, Dict, List, Mapping, MutableMapping, NoReturn, Optional
 
 import jinja2
 
@@ -31,25 +31,6 @@ def flush_buffers() -> None:
     sys.stderr.flush()
 
 
-def strtobool(val: str) -> bool:
-    """Convert a string representation of truth to True or False
-
-    True values are 'y', 'yes', 't', 'true', 'on', and '1'; false values
-    are 'n', 'no', 'f', 'false', 'off', and '0'.  Raises ValueError if
-    'val' is anything else.
-
-    This is lifted from distutils.util.strtobool, with the exception that it actually
-    returns a bool, rather than an int.
-    """
-    val = val.lower()
-    if val in ("y", "yes", "t", "true", "on", "1"):
-        return True
-    elif val in ("n", "no", "f", "false", "off", "0"):
-        return False
-    else:
-        raise ValueError("invalid truth value %r" % (val,))
-
-
 def convert(src: str, dst: str, environ: Mapping[str, object]) -> None:
     """Generate a file from a template
 
@@ -69,7 +50,7 @@ def generate_config_from_template(
     config_dir: str,
     config_path: str,
     os_environ: Mapping[str, str],
-    ownership: str | None,
+    ownership: Optional[str],
 ) -> None:
     """Generate a homeserver.yaml from environment variables
 
@@ -88,7 +69,7 @@ def generate_config_from_template(
             )
 
     # populate some params from data files (if they exist, else create new ones)
-    environ: dict[str, Any] = dict(os_environ)
+    environ: Dict[str, Any] = dict(os_environ)
     secrets = {
         "registration": "SYNAPSE_REGISTRATION_SHARED_SECRET",
         "macaroon": "SYNAPSE_MACAROON_SECRET_KEY",
@@ -117,16 +98,19 @@ def generate_config_from_template(
         os.mkdir(config_dir)
 
     # Convert SYNAPSE_NO_TLS to boolean if exists
-    tlsanswerstring = environ.get("SYNAPSE_NO_TLS")
-    if tlsanswerstring is not None:
-        try:
-            environ["SYNAPSE_NO_TLS"] = strtobool(tlsanswerstring)
-        except ValueError:
-            error(
-                'Environment variable "SYNAPSE_NO_TLS" found but value "'
-                + tlsanswerstring
-                + '" unrecognized; exiting.'
-            )
+    if "SYNAPSE_NO_TLS" in environ:
+        tlsanswerstring = str.lower(environ["SYNAPSE_NO_TLS"])
+        if tlsanswerstring in ("true", "on", "1", "yes"):
+            environ["SYNAPSE_NO_TLS"] = True
+        else:
+            if tlsanswerstring in ("false", "off", "0", "no"):
+                environ["SYNAPSE_NO_TLS"] = False
+            else:
+                error(
+                    'Environment variable "SYNAPSE_NO_TLS" found but value "'
+                    + tlsanswerstring
+                    + '" unrecognized; exiting.'
+                )
 
     if "SYNAPSE_LOG_CONFIG" not in environ:
         environ["SYNAPSE_LOG_CONFIG"] = config_dir + "/log.config"
@@ -163,7 +147,7 @@ def generate_config_from_template(
     subprocess.run(args, check=True)
 
 
-def run_generate_config(environ: Mapping[str, str], ownership: str | None) -> None:
+def run_generate_config(environ: Mapping[str, str], ownership: Optional[str]) -> None:
     """Run synapse with a --generate-config param to generate a template config file
 
     Args:
@@ -180,18 +164,6 @@ def run_generate_config(environ: Mapping[str, str], ownership: str | None) -> No
     config_dir = environ.get("SYNAPSE_CONFIG_DIR", "/data")
     config_path = environ.get("SYNAPSE_CONFIG_PATH", config_dir + "/homeserver.yaml")
     data_dir = environ.get("SYNAPSE_DATA_DIR", "/data")
-    enable_metrics_raw = environ.get("SYNAPSE_ENABLE_METRICS", "0")
-
-    enable_metrics = False
-    if enable_metrics_raw is not None:
-        try:
-            enable_metrics = strtobool(enable_metrics_raw)
-        except ValueError:
-            error(
-                'Environment variable "SYNAPSE_ENABLE_METRICS" found but value "'
-                + enable_metrics_raw
-                + '" unrecognized; exiting.'
-            )
 
     # create a suitable log config from our template
     log_config_file = "%s/%s.log.config" % (config_dir, server_name)
@@ -218,9 +190,6 @@ def run_generate_config(environ: Mapping[str, str], ownership: str | None) -> No
         "--open-private-ports",
     ]
 
-    if enable_metrics:
-        args.append("--enable-metrics")
-
     if ownership is not None:
         # make sure that synapse has perms to write to the data dir.
         log(f"Setting ownership on {data_dir} to {ownership}")
@@ -231,7 +200,7 @@ def run_generate_config(environ: Mapping[str, str], ownership: str | None) -> No
     subprocess.run(args, check=True)
 
 
-def main(args: list[str], environ: MutableMapping[str, str]) -> None:
+def main(args: List[str], environ: MutableMapping[str, str]) -> None:
     mode = args[1] if len(args) > 1 else "run"
 
     # if we were given an explicit user to switch to, do so

docs/.htmltest.yml

@@ -1,5 +0,0 @@
-# Configuration for htmltest, which we run in CI to check that links aren't broken in the built documentation.
-# See all config options: https://github.com/wjdp/htmltest#wrench-configuration
-
-# Don't check external links, as that requires network access and is slow.
-CheckExternal: false

docs/SUMMARY.md

@@ -5,7 +5,6 @@
 
 # Setup
   - [Installation](setup/installation.md)
-  - [Security](setup/security.md)
   - [Using Postgres](postgres.md)
   - [Configuring a Reverse Proxy](reverse_proxy.md)
   - [Configuring a Forward/Outbound Proxy](setup/forward_proxy.md)
@@ -61,7 +60,6 @@
     - [Admin API](usage/administration/admin_api/README.md)
       - [Account Validity](admin_api/account_validity.md)
       - [Background Updates](usage/administration/admin_api/background_updates.md)
-      - [Fetch Event](admin_api/fetch_event.md)
       - [Event Reports](admin_api/event_reports.md)
       - [Experimental Features](admin_api/experimental_features.md)
       - [Media](admin_api/media_admin_api.md)
@@ -117,8 +115,6 @@
       - [The Auth Chain Difference Algorithm](auth_chain_difference_algorithm.md)
     - [Media Repository](media_repository.md)
     - [Room and User Statistics](room_and_user_statistics.md)
-    - [Releasing]()
-      - [Release Notes Review Checklist](development/internal_documentation/release_notes_review_checklist.md)
   - [Scripts]()
 
 # Other

docs/admin_api/fetch_event.md

@@ -1,53 +0,0 @@
-# Fetch Event API
-
-The fetch event API allows admins to fetch an event regardless of their membership in the room it
-originated in.
-
-To use it, you will need to authenticate by providing an `access_token`
-for a server admin: see [Admin API](../usage/administration/admin_api/).
-
-Request:
-```http
-GET /_synapse/admin/v1/fetch_event/<event_id>
-```
-
-The API returns a JSON body like the following:
-
-Response:
-```json
-{
-    "event": {
-        "auth_events": [
-            "$WhLChbYg6atHuFRP7cUd95naUtc8L0f7fqeizlsUVvc",
-            "$9Wj8dt02lrNEWweeq-KjRABUYKba0K9DL2liRvsAdtQ",
-            "$qJxBFxBt8_ODd9b3pgOL_jXP98S_igc1_kizuPSZFi4"
-        ],
-        "content": {
-            "body": "Hey now",
-            "msgtype": "m.text"
-        },
-        "depth": 6,
-        "event_id": "$hJ_kcXbVMcI82JDrbqfUJIHu61tJD86uIFJ_8hNHi7s",
-        "hashes": {
-            "sha256": "LiNw8DtrRVf55EgAH8R42Wz7WCJUqGsPt2We6qZO5Rg"
-        },
-        "origin_server_ts": 799,
-        "prev_events": [
-            "$cnSUrNMnC3Ywh9_W7EquFxYQjC_sT3BAAVzcUVxZq1g"
-        ],
-        "room_id": "!aIhKToCqgPTBloWMpf:test",
-        "sender": "@user:test",
-        "signatures": {
-            "test": {
-                "ed25519:a_lPym": "7mqSDwK1k7rnw34Dd8Fahu0rhPW7jPmcWPRtRDoEN9Yuv+BCM2+Rfdpv2MjxNKy3AYDEBwUwYEuaKMBaEMiKAQ"
-            }
-        },
-        "type": "m.room.message",
-        "unsigned": {
-            "age_ts": 799
-        }
-    }
-}
-```
-
-

docs/admin_api/media_admin_api.md

@@ -39,40 +39,6 @@ the use of the
 [List media uploaded by a user](user_admin_api.md#list-media-uploaded-by-a-user)
 Admin API.
 
-## Query a piece of media by ID
-
-This API returns information about a piece of local or cached remote media given the origin server name and media id. If
-information is requested for remote media which is not cached the endpoint will return 404. 
-
-Request:
-```http
-GET /_synapse/admin/v1/media/<origin>/<media_id>
-```
-
-The API returns a JSON body with media info like the following:
-
-Response:
-```json
-{
-  "media_info": {
-    "media_origin": "remote.com",
-    "user_id": null,
-    "media_id": "sdginwegWEG",
-    "media_type": "img/png",
-    "media_length": 67,
-    "upload_name":  "test.png",
-    "created_ts":  300,
-    "filesystem_id":  "wgeweg",
-    "url_cache": null,
-    "last_access_ts": 400,
-    "quarantined_by":  null,
-    "authenticated":  false,
-    "safe_from_quarantine": null,
-    "sha256": "ebf4f635a17d10d6eb46ba680b70142419aa3220f228001a036d311a22ee9d2a"
-  }
-}
-```
-
 # Quarantine media
 
 Quarantining media means that it is marked as inaccessible by users. It applies
@@ -88,20 +54,6 @@ is quarantined, Synapse will:
  - Quarantine any existing cached remote media.
  - Quarantine any future remote media.
 
-## Downloading quarantined media
-
-Normally, when media is quarantined, it will return a 404 error when downloaded.
-Admins can bypass this by adding `?admin_unsafely_bypass_quarantine=true`
-to the [normal download URL](https://spec.matrix.org/v1.16/client-server-api/#get_matrixclientv1mediadownloadservernamemediaid).
-
-Bypassing the quarantine check is not recommended. Media is typically quarantined
-to prevent harmful content from being served to users, which includes admins. Only
-set the bypass parameter if you intentionally want to access potentially harmful
-content.
-
-Non-admin users cannot bypass quarantine checks, even when specifying the above
-query parameter.
-
 ## Quarantining media by ID
 
 This API quarantines a single piece of local or remote media.

docs/admin_api/rooms.md

@@ -1115,76 +1115,3 @@ Example response:
   ]
 }
 ```
-
-# Admin Space Hierarchy Endpoint
-
-This API allows an admin to fetch the space/room hierarchy for a given space, 
-returning details about that room and any children the room may have, paginating
-over the space tree in a depth-first manner to locate child rooms. This is
-functionally similar to the [CS Hierarchy](https://spec.matrix.org/v1.16/client-server-api/#get_matrixclientv1roomsroomidhierarchy) endpoint but does not check for
-room membership when returning room summaries.
-
-The endpoint does not query other servers over federation about remote rooms
-that the server has not joined. This is a deliberate trade-off: while this
-means it will leave some holes in the hierarchy that we could otherwise
-sometimes fill in, it significantly improves the endpoint's response time and
-the admin endpoint is designed for managing rooms local to the homeserver
-anyway.
-
-**Parameters**
-
-The following query parameters are available:
-
-* `from` - An optional pagination token, provided when there are more rooms to 
-    return than the limit. 
-* `limit` - Maximum amount of rooms to return. Must be a non-negative integer,
-   defaults to `50`.
-* `max_depth` - The maximum depth in the tree to explore, must be a non-negative
-   integer. 0 would correspond to just the root room, 1 would include just the
-   root room's children, etc.  If not provided will recurse into the space tree without limit.
-
-Request:
-
-```http
-GET /_synapse/admin/v1/rooms/<room_id>/hierarchy
-```
-
-Response:
-
-```json
-{
-  "rooms":
-      [
-        { "children_state": [
-            {
-              "content": {
-                "via": ["local_test_server"]
-              },
-              "origin_server_ts": 1500,
-              "sender": "@user:test",
-              "state_key": "!QrMkkqBSwYRIFNFCso:test",
-              "type": "m.space.child"
-            }
-        ],
-        "name": "space room",
-        "guest_can_join": false,
-        "join_rule": "public",
-        "num_joined_members": 1,
-        "room_id": "!sPOpNyMHbZAoAOsOFL:test",
-        "room_type": "m.space",
-        "world_readable": false
-      },
-
-      {
-        "children_state": [],
-        "guest_can_join": true,
-        "join_rule": "invite",
-        "name": "nefarious",
-        "num_joined_members": 1,
-        "room_id": "!QrMkkqBSwYRIFNFCso:test",
-        "topic": "being bad",
-        "world_readable": false}
-    ],
-  "next_batch": "KUYmRbeSpAoaAIgOKGgyaCEn"
-}
-```

docs/admin_api/scheduled_tasks.md

@@ -36,10 +36,9 @@ It returns a JSON body like the following:
     - "scheduled" - Task is scheduled but not active
     - "active" - Task is active and probably running, and if not will be run on next scheduler loop run
     - "complete" - Task has completed successfully
-    - "cancelled" - Task has been cancelled
     - "failed" - Task is over and either returned a failed status, or had an exception
 
-* `max_timestamp`: int - Is optional. Returns only the scheduled tasks with a timestamp (in milliseconds since the unix epoch) inferior to the specified one.
+* `max_timestamp`: int - Is optional. Returns only the scheduled tasks with a timestamp inferior to the specified one.
 
 **Response**
 

docs/admin_api/user_admin_api.md

@@ -505,55 +505,6 @@ with a body of:
 }
 ```
 
-## List room memberships of a user
-
-Gets a list of room memberships for a specific `user_id`. This
-endpoint differs from
-[`GET /_synapse/admin/v1/users/<user_id>/joined_rooms`](#list-joined-rooms-of-a-user)
-in that it returns rooms with memberships other than "join".
-
-The API is:
-
-```
-GET /_synapse/admin/v1/users/<user_id>/memberships
-```
-
-A response body like the following is returned:
-
-```json
-    {
-        "memberships": {
-            "!DuGcnbhHGaSZQoNQR:matrix.org": "join",
-            "!ZtSaPCawyWtxfWiIy:matrix.org": "leave",
-        }
-    }
-```
-
-which is a list of room membership states for the given user. This endpoint can
-be used with both local and remote users, with the caveat that the homeserver will
-only be aware of the memberships for rooms that one of its local users has joined.
-
-Remote user memberships may also be out of date if all local users have since left
-a room. The homeserver will thus no longer receive membership updates about it.
-
-The list includes rooms that the user has since left; other membership states (knock,
-invite, etc.) are also possible.
-
-Note that rooms will only disappear from this list if they are
-[purged](./rooms.md#delete-room-api) from the homeserver.
-
-**Parameters**
-
-The following parameters should be set in the URL:
-
-- `user_id` - fully qualified: for example, `@user:server.com`.
-
-**Response**
-
-The following fields are returned in the JSON response body:
-
-- `memberships` - A map of `room_id` (string) to `membership` state (string).
-
 ## List joined rooms of a user
 
 Gets a list of all `room_id` that a specific `user_id` is joined to and is a member of (participating in).