Fix InFlightGauge typing to allow upgrading to prometheus_client 0.24 (#19379 )

Fixes #19375 `prometheus_client` 0.24 makes `Collector` a generic type. Previously, `InFlightGauge` inherited from both `Generic[MetricsEntry]` and `Collector`, resulting in the error `TypeError: cannot create a consistent MRO` when using `prometheus_client` >= 0.24. This behaviour of disallowing multiple `Generic` inheritance is more strictly enforced starting with python 3.14, but can still lead to issues with earlier versions of python. This PR separates runtime and typing inheritance for `InFlightGauge`: - Runtime: `InFlightGauge` inherits only from `Collector` - Typing: `InFlightGauge` is generic This preserves static typing, avoids MRO conflicts, and supports both `prometheus_client` <0.24 and >=0.24. I have tested these changes out locally with `prometheus_client` 0.23.1 & 0.24 on python 3.14 while sending a bunch of messages over federation and watching a grafana dashboard configured to show `synapse_util_metrics_block_in_flight_total` & `synapse_util_metrics_block_in_flight_real_time_sum` (the only metric setup to use `InFlightGauge`) and things are working in each case. a1e9abc7df/synapse/util/metrics.py (L112-L119) ### Pull Request Checklist  * [X] Pull request is based on the develop branch * [X] Pull request includes a [changelog file](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#changelog). The entry should: - Be a short description of your change which makes sense to users. "Fixed a bug that prevented receiving messages from other servers." instead of "Moved X method from `EventStore` to `EventWorkerStore`.". - Use markdown where necessary, mostly for `code blocks`. - End with either a period (.) or an exclamation mark (!). - Start with a capital letter. - Feel free to credit yourself, by adding a sentence "Contributed by @github_username." or "Contributed by [Your Name]." to the end of the entry. * [X] [Code style](https://element-hq.github.io/synapse/latest/code_style.html) is correct (run the [linters](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#run-the-linters))
Bump pyasn1 from 0.6.1 to 0.6.2 (#19387 )
2026-01-17 07:10:00 +00:00 · 2026-01-16 20:35:30 +00:00 · 2026-01-16 20:32:57 +00:00 · 2026-01-16 11:36:49 -06:00 · 2026-01-15 19:35:51 -06:00 · 2026-01-15 15:49:10 -06:00
298 changed files with 9935 additions and 10743 deletions
--- a/.ci/before_build_wheel.sh
+++ b/.ci/before_build_wheel.sh
@ -7,4 +7,4 @@ if command -v yum &> /dev/null; then
 fi

 # Install a Rust toolchain
-curl https://sh.rustup.rs -sSf | sh -s -- --default-toolchain 1.82.0 -y --profile minimal
+curl https://sh.rustup.rs -sSf | sh -s -- --default-toolchain stable -y --profile minimal
--- a/.ci/scripts/auditwheel_wrapper.py
+++ b/.ci/scripts/auditwheel_wrapper.py
@ -1,146 +0,0 @@
-#!/usr/bin/env python
-#
-# This file is licensed under the Affero General Public License (AGPL) version 3.
-#
-# Copyright (C) 2023 New Vector, Ltd
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as
-# published by the Free Software Foundation, either version 3 of the
-# License, or (at your option) any later version.
-#
-# See the GNU Affero General Public License for more details:
-# <https://www.gnu.org/licenses/agpl-3.0.html>.
-#
-# Originally licensed under the Apache License, Version 2.0:
-# <http://www.apache.org/licenses/LICENSE-2.0>.
-#
-# [This file includes modifications made by New Vector Limited]
-#
-#
-
-# Wraps `auditwheel repair` to first check if we're repairing a potentially abi3
-# compatible wheel, if so rename the wheel before repairing it.
-
-import argparse
-import os
-import subprocess
-from zipfile import ZipFile
-
-from packaging.tags import Tag
-from packaging.utils import parse_wheel_filename
-from packaging.version import Version
-
-
-def check_is_abi3_compatible(wheel_file: str) -> None:
-    """Check the contents of the built wheel for any `.so` files that are *not*
-    abi3 compatible.
-    """
-
-    with ZipFile(wheel_file, "r") as wheel:
-        for file in wheel.namelist():
-            if not file.endswith(".so"):
-                continue
-
-            if not file.endswith(".abi3.so"):
-                raise Exception(f"Found non-abi3 lib: {file}")
-
-
-def cpython(wheel_file: str, name: str, version: Version, tag: Tag) -> str:
-    """Replaces the cpython wheel file with a ABI3 compatible wheel"""
-
-    if tag.abi == "abi3":
-        # Nothing to do.
-        return wheel_file
-
-    check_is_abi3_compatible(wheel_file)
-
-    # HACK: it seems that some older versions of pip will consider a wheel marked
-    # as macosx_11_0 as incompatible with Big Sur. I haven't done the full archaeology
-    # here; there are some clues in
-    #     https://github.com/pantsbuild/pants/pull/12857
-    #     https://github.com/pypa/pip/issues/9138
-    #     https://github.com/pypa/packaging/pull/319
-    # Empirically this seems to work, note that macOS 11 and 10.16 are the same,
-    # both versions are valid for backwards compatibility.
-    platform = tag.platform.replace("macosx_11_0", "macosx_10_16")
-    abi3_tag = Tag(tag.interpreter, "abi3", platform)
-
-    dirname = os.path.dirname(wheel_file)
-    new_wheel_file = os.path.join(
-        dirname,
-        f"{name}-{version}-{abi3_tag}.whl",
-    )
-
-    os.rename(wheel_file, new_wheel_file)
-
-    print("Renamed wheel to", new_wheel_file)
-
-    return new_wheel_file
-
-
-def main(wheel_file: str, dest_dir: str, archs: str | None) -> None:
-    """Entry point"""
-
-    # Parse the wheel file name into its parts. Note that `parse_wheel_filename`
-    # normalizes the package name (i.e. it converts matrix_synapse ->
-    # matrix-synapse), which is not what we want.
-    _, version, build, tags = parse_wheel_filename(os.path.basename(wheel_file))
-    name = os.path.basename(wheel_file).split("-")[0]
-
-    if len(tags) != 1:
-        # We expect only a wheel file with only a single tag
-        raise Exception(f"Unexpectedly found multiple tags: {tags}")
-
-    tag = next(iter(tags))
-
-    if build:
-        # We don't use build tags in Synapse
-        raise Exception(f"Unexpected build tag: {build}")
-
-    # If the wheel is for cpython then convert it into an abi3 wheel.
-    if tag.interpreter.startswith("cp"):
-        wheel_file = cpython(wheel_file, name, version, tag)
-
-    # Finally, repair the wheel.
-    if archs is not None:
-        # If we are given archs then we are on macos and need to use
-        # `delocate-listdeps`.
-        subprocess.run(["delocate-listdeps", wheel_file], check=True)
-        subprocess.run(
-            ["delocate-wheel", "--require-archs", archs, "-w", dest_dir, wheel_file],
-            check=True,
-        )
-    else:
-        subprocess.run(["auditwheel", "repair", "-w", dest_dir, wheel_file], check=True)
-
-
-if __name__ == "__main__":
-    parser = argparse.ArgumentParser(description="Tag wheel as abi3 and repair it.")
-
-    parser.add_argument(
-        "--wheel-dir",
-        "-w",
-        metavar="WHEEL_DIR",
-        help="Directory to store delocated wheels",
-        required=True,
-    )
-
-    parser.add_argument(
-        "--require-archs",
-        metavar="archs",
-        default=None,
-    )
-
-    parser.add_argument(
-        "wheel_file",
-        metavar="WHEEL_FILE",
-    )
-
-    args = parser.parse_args()
-
-    wheel_file = args.wheel_file
-    wheel_dir = args.wheel_dir
-    archs = args.require_archs
-
-    main(wheel_file, wheel_dir, archs)
--- a/.ci/scripts/prepare_old_deps.sh
+++ b/.ci/scripts/prepare_old_deps.sh
@ -1,39 +0,0 @@
-#!/usr/bin/env bash
-# this script is run by GitHub Actions in a plain `jammy` container; it
-# - installs the minimal system requirements, and poetry;
-# - patches the project definition file to refer to old versions only;
-# - creates a venv with these old versions using poetry; and finally
-# - invokes `trial` to run the tests with old deps.
-
-set -ex
-
-# Prevent virtualenv from auto-updating pip to an incompatible version
-export VIRTUALENV_NO_DOWNLOAD=1
-
-# TODO: in the future, we could use an implementation of
-#   https://github.com/python-poetry/poetry/issues/3527
-#   https://github.com/pypa/pip/issues/8085
-# to select the lowest possible versions, rather than resorting to this sed script.
-
-# Patch the project definitions in-place:
-# - `-E` use extended regex syntax.
-# - Don't modify the line that defines required Python versions.
-# - Replace all lower and tilde bounds with exact bounds.
-# - Replace all caret bounds with exact bounds.
-# - Delete all lines referring to psycopg2 - so no testing of postgres support.
-# - Use pyopenssl 17.0, which is the oldest version that works with
-#   a `cryptography` compiled against OpenSSL 1.1.
-# - Omit systemd: we're not logging to journal here.
-
-sed -i -E '
-  /^\s*requires-python\s*=/b
-  s/[~>]=/==/g
-  s/\^/==/g
-  /psycopg2/d
-  s/pyOpenSSL\s*==\s*16\.0\.0"/pyOpenSSL==17.0.0"/
-  /systemd/d
-' pyproject.toml
-
-echo "::group::Patched pyproject.toml"
-cat pyproject.toml
-echo "::endgroup::"
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -1,23 +1,92 @@
 version: 2
+# As dependabot is currently only run on a weekly basis, we raise the
+# open-pull-requests-limit to 10 (from the default of 5) to better ensure we
+# don't continuously grow a backlog of updates.
 updates:
  - # "pip" is the correct setting for poetry, per https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem
    package-ecosystem: "pip"
    directory: "/"
+    open-pull-requests-limit: 10
    schedule:
      interval: "weekly"
+    # Group patch updates to packages together into a single PR, as they rarely
+    # if ever contain breaking changes that need to be reviewed separately.
+    # 
+    # Less PRs means a streamlined review process.
+    #
+    # Python packages follow semantic versioning, and tend to only introduce
+    # breaking changes in major version bumps. Thus, we'll group minor and patch
+    # versions together.
+    groups:
+      minor-and-patches:
+        applies-to: version-updates
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
+    # Prevent pulling packages that were recently updated to help mitigate
+    # supply chain attacks. 14 days was taken from the recommendation at
+    # https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns
+    # where the author noted that 9/10 attacks would have been mitigated by a
+    # two week cooldown.
+    #
+    # The cooldown only applies to general updates; security updates will still
+    # be pulled in as soon as possible.
+    cooldown:
+      default-days: 14

  - package-ecosystem: "docker"
    directory: "/docker"
+    open-pull-requests-limit: 10
    schedule:
      interval: "weekly"
+    # For container versions, breaking changes are also typically only introduced in major
+    # package bumps.
+    groups:
+      minor-and-patches:
+        applies-to: version-updates
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
+    cooldown:
+      default-days: 14

  - package-ecosystem: "github-actions"
    directory: "/"
+    open-pull-requests-limit: 10
    schedule:
      interval: "weekly"
+    # Similarly for GitHub Actions, breaking changes are typically only introduced in major
+    # package bumps.
+    groups:
+      minor-and-patches:
+        applies-to: version-updates
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
+    cooldown:
+      default-days: 14

  - package-ecosystem: "cargo"
    directory: "/"
+    open-pull-requests-limit: 10
    versioning-strategy: "lockfile-only"
    schedule:
      interval: "weekly"
+    # The Rust ecosystem is special in that breaking changes are often introduced
+    # in minor version bumps, as packages typically stay pre-1.0 for a long time.
+    # Thus we specifically keep minor version bumps separate in their own PRs.
+    groups:
+      patches:
+        applies-to: version-updates
+        patterns:
+          - "*"
+        update-types:
+          - "patch"
+    cooldown:
+      default-days: 14
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@ -28,10 +28,10 @@ jobs:
    steps:
      - name: Set up Docker Buildx
        id: buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Extract version from pyproject.toml
        # Note: explicitly requesting bash will mean bash is invoked with `-eo pipefail`, see
@ -75,7 +75,7 @@ jobs:
          touch "${{ runner.temp }}/digests/${digest#sha256:}"

      - name: Upload digest
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: digests-${{ matrix.suffix }}
          path: ${{ runner.temp }}/digests/*
@ -95,7 +95,7 @@ jobs:
      - build
    steps:
      - name: Download digests
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
        with:
          path: ${{ runner.temp }}/digests
          pattern: digests-*
@ -117,13 +117,13 @@ jobs:
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

      - name: Install Cosign
        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0

      - name: Calculate docker image tag
-        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
        with:
          images: ${{ matrix.repository }}
          flavor: |
--- a/.github/workflows/docs-pr-netlify.yaml
+++ b/.github/workflows/docs-pr-netlify.yaml
@ -1,34 +0,0 @@
-name: Deploy documentation PR preview
-
-on:
-  workflow_run:
-    workflows: [ "Prepare documentation PR preview" ]
-    types:
-      - completed
-
-jobs:
-  netlify:
-    if: github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'pull_request'
-    runs-on: ubuntu-latest
-    steps:
-      # There's a 'download artifact' action, but it hasn't been updated for the workflow_run action
-      # (https://github.com/actions/download-artifact/issues/60) so instead we get this mess:
-      - name: 📥 Download artifact
-        uses: dawidd6/action-download-artifact@ac66b43f0e6a346234dd65d4d0c8fbb31cb316e5 # v11
-        with:
-          workflow: docs-pr.yaml
-          run_id: ${{ github.event.workflow_run.id }}
-          name: book
-          path: book
-
-      - name: 📤 Deploy to Netlify
-        uses: matrix-org/netlify-pr-preview@9805cd123fc9a7e421e35340a05e1ebc5dee46b5 # v3
-        with:
-          path: book
-          owner: ${{ github.event.workflow_run.head_repository.owner.login }}
-          branch: ${{ github.event.workflow_run.head_branch }}
-          revision: ${{ github.event.workflow_run.head_sha }}
-          token: ${{ secrets.NETLIFY_AUTH_TOKEN }}
-          site_id: ${{ secrets.NETLIFY_SITE_ID }}
-          desc: Documentation preview
-          deployment_env: PR Documentation Preview
--- a/.github/workflows/docs-pr.yaml
+++ b/.github/workflows/docs-pr.yaml
@ -13,7 +13,7 @@ jobs:
    name: GitHub Pages
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # Fetch all history so that the schema_versions script works.
          fetch-depth: 0
@ -21,10 +21,10 @@ jobs:
      - name: Setup mdbook
        uses: peaceiris/actions-mdbook@ee69d230fe19748b7abf22df32acaa93833fad08 # v2.0.0
        with:
-          mdbook-version: '0.4.17'
+          mdbook-version: '0.5.2'

      - name: Setup python
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: "3.x"

@ -39,7 +39,7 @@ jobs:
          cp book/welcome_and_overview.html book/index.html

      - name: Upload Artifact
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: book
          path: book
@ -50,12 +50,12 @@ jobs:
    name: Check links in documentation
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Setup mdbook
        uses: peaceiris/actions-mdbook@ee69d230fe19748b7abf22df32acaa93833fad08 # v2.0.0
        with:
-          mdbook-version: '0.4.17'
+          mdbook-version: '0.5.2'

      - name: Setup htmltest
        run: |
@ -64,8 +64,17 @@ jobs:
          tar zxf htmltest_0.17.0_linux_amd64.tar.gz

      - name: Test links with htmltest
-        # Build the book with `./` as the site URL (to make checks on 404.html possible)
-        # Then run htmltest (without checking external links since that involves the network and is slow).
        run: |
+          # Build the book with `./` as the site URL (to make checks on 404.html possible)
          MDBOOK_OUTPUT__HTML__SITE_URL="./" mdbook build
-          ./htmltest book --skip-external
+
+          # Delete the contents of the print.html file, as it can raise false
+          # positives during link checking.
+          #
+          # We empty out the file, instead of deleting it, as doing so would
+          # just cause htmltest to complain that links to it were invalid.
+          # Ideally `htmltest` would have an option to ignore specific files
+          # instead.
+          echo '<!DOCTYPE HTML>' > book/print.html
+
+          ./htmltest book --conf docs/.htmltest.yml
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@ -50,7 +50,7 @@ jobs:
    needs:
      - pre
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # Fetch all history so that the schema_versions script works.
          fetch-depth: 0
@ -58,13 +58,13 @@ jobs:
      - name: Setup mdbook
        uses: peaceiris/actions-mdbook@ee69d230fe19748b7abf22df32acaa93833fad08 # v2.0.0
        with:
-          mdbook-version: '0.4.17'
+          mdbook-version: '0.5.2'

      - name: Set version of docs
        run: echo 'window.SYNAPSE_VERSION = "${{ needs.pre.outputs.branch-version }}";' > ./docs/website_files/version.js

      - name: Setup python
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: "3.x"

--- a/.github/workflows/fix_lint.yaml
+++ b/.github/workflows/fix_lint.yaml
@ -18,14 +18,14 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Install Rust
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
          components: clippy, rustfmt
-      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2

      - name: Setup Poetry
        uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0
@ -47,6 +47,6 @@ jobs:
      - run: cargo fmt
        continue-on-error: true

-      - uses: stefanzweifel/git-auto-commit-action@28e16e81777b558cc906c8750092100bbb34c5e3 # v7.0.0
+      - uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7.1.0
        with:
          commit_message: "Attempt to fix linting"
--- a/.github/workflows/latest_deps.yml
+++ b/.github/workflows/latest_deps.yml
@ -42,12 +42,12 @@ jobs:
    if: needs.check_repo.outputs.should_run_workflow == 'true'
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Install Rust
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2

      # The dev dependencies aren't exposed in the wheel metadata (at least with current
      # poetry-core versions), so we install with poetry.
@ -77,13 +77,13 @@ jobs:
            postgres-version: "14"

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Install Rust
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2

      - run: sudo apt-get -qq install xmlsec1
      - name: Set up PostgreSQL ${{ matrix.postgres-version }}
@ -93,7 +93,7 @@ jobs:
            -e POSTGRES_PASSWORD=postgres \
            -e POSTGRES_INITDB_ARGS="--lc-collate C --lc-ctype C --encoding UTF8" \
            postgres:${{ matrix.postgres-version }}
-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: "3.x"
      - run: pip install .[all,test]
@ -152,13 +152,13 @@ jobs:
      BLACKLIST: ${{ matrix.workers && 'synapse-blacklist-with-workers' }}

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Install Rust
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2

      - name: Ensure sytest runs `pip install`
        # Delete the lockfile so sytest will `pip install` rather than `poetry install`
@ -173,7 +173,7 @@ jobs:
        if: ${{ always() }}
        run: /sytest/scripts/tap_to_gha.pl /logs/results.tap
      - name: Upload SyTest logs
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        if: ${{ always() }}
        with:
          name: Sytest Logs - ${{ job.status }} - (${{ join(matrix.*, ', ') }})
@ -202,14 +202,14 @@ jobs:

    steps:
      - name: Check out synapse codebase
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          path: synapse

      - name: Prepare Complement's Prerequisites
        run: synapse/.ci/scripts/setup_complement_prerequisites.sh

-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
        with:
          cache-dependency-path: complement/go.sum
          go-version-file: complement/go.mod
@ -234,7 +234,7 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2.9.2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/poetry_lockfile.yaml
+++ b/.github/workflows/poetry_lockfile.yaml
@ -16,8 +16,8 @@ jobs:
    name: "Check locked dependencies have sdists"
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: '3.x'
      - run: pip install tomli
--- a/.github/workflows/push_complement_image.yml
+++ b/.github/workflows/push_complement_image.yml
@ -33,17 +33,17 @@ jobs:
      packages: write
    steps:
      - name: Checkout specific branch (debug build)
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        if: github.event_name == 'workflow_dispatch'
        with:
          ref: ${{ inputs.branch }}
      - name: Checkout clean copy of develop (scheduled build)
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        if: github.event_name == 'schedule'
        with:
          ref: develop
      - name: Checkout clean copy of master (on-push)
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        if: github.event_name == 'push'
        with:
          ref: master
@ -55,7 +55,7 @@ jobs:
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Work out labels for complement image
        id: meta
-        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
        with:
          images: ghcr.io/${{ github.repository }}/complement-synapse
          tags: |
--- a/.github/workflows/release-artifacts.yml
+++ b/.github/workflows/release-artifacts.yml
@ -5,7 +5,7 @@ name: Build release artifacts
 on:
  # we build on PRs and develop to (hopefully) get early warning
  # of things breaking (but only build one set of debs). PRs skip
-  # building wheels on macOS & ARM.
+  # building wheels on ARM.
  pull_request:
  push:
    branches: ["develop", "release-*"]
@ -27,8 +27,8 @@ jobs:
    name: "Calculate list of debian distros"
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: "3.x"
      - id: set-distros
@ -55,18 +55,16 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          path: src

      - name: Set up Docker Buildx
        id: buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
-        with:
-          install: true
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

      - name: Set up docker layer caching
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-buildx-${{ github.sha }}
@ -74,7 +72,7 @@ jobs:
            ${{ runner.os }}-buildx-

      - name: Set up python
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: "3.x"

@ -101,7 +99,7 @@ jobs:
          echo "ARTIFACT_NAME=${DISTRO#*:}" >> "$GITHUB_OUTPUT"

      - name: Upload debs as artifacts
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: debs-${{ steps.artifact-name.outputs.ARTIFACT_NAME }}
          path: debs/*
@ -114,27 +112,20 @@ jobs:
        os:
          - ubuntu-24.04
          - ubuntu-24.04-arm
-          - macos-14 # This uses arm64
-          - macos-15-intel # This uses x86-64
        # is_pr is a flag used to exclude certain jobs from the matrix on PRs.
        # It is not read by the rest of the workflow.
        is_pr:
          - ${{ startsWith(github.ref, 'refs/pull/') }}

        exclude:
-          # Don't build macos wheels on PR CI.
-          - is_pr: true
-            os: "macos-15-intel"
-          - is_pr: true
-            os: "macos-14"
          # Don't build aarch64 wheels on PR CI.
          - is_pr: true
            os: "ubuntu-24.04-arm"

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          # setup-python@v4 doesn't impose a default python version. Need to use 3.x
          # here, because `python` on osx points to Python 2.7.
@ -159,7 +150,7 @@ jobs:
          # musl: (TODO: investigate).
          CIBW_TEST_SKIP: pp3*-* *musl*

-      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: Wheel-${{ matrix.os }}
          path: ./wheelhouse/*.whl
@ -170,8 +161,8 @@ jobs:
    if: ${{ !startsWith(github.ref, 'refs/pull/') }}

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: "3.10"

@ -180,7 +171,7 @@ jobs:
      - name: Build sdist
        run: python -m build --sdist

-      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: Sdist
          path: dist/*.tar.gz
@ -196,7 +187,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Download all workflow run artifacts
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
      - name: Build a tarball for the debs
        # We need to merge all the debs uploads into one folder, then compress
        # that.
--- a/.github/workflows/schema.yaml
+++ b/.github/workflows/schema.yaml
@ -14,8 +14,8 @@ jobs:
    name: Ensure Synapse config schema is valid
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: "3.x"
      - name: Install check-jsonschema
@ -40,8 +40,8 @@ jobs:
    name: Ensure generated documentation is up-to-date
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: "3.x"
      - name: Install PyYAML
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@ -26,59 +26,59 @@ jobs:
      linting: ${{ !startsWith(github.ref, 'refs/pull/') || steps.filter.outputs.linting }}
      linting_readme: ${{ !startsWith(github.ref, 'refs/pull/') || steps.filter.outputs.linting_readme }}
    steps:
-    - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
-      id: filter
-      # We only check on PRs
-      if: startsWith(github.ref, 'refs/pull/')
-      with:
-        filters: |
-          rust:
-            - 'rust/**'
-            - 'Cargo.toml'
-            - 'Cargo.lock'
-            - '.rustfmt.toml'
-            - '.github/workflows/tests.yml'
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+        id: filter
+        # We only check on PRs
+        if: startsWith(github.ref, 'refs/pull/')
+        with:
+          filters: |
+            rust:
+              - 'rust/**'
+              - 'Cargo.toml'
+              - 'Cargo.lock'
+              - '.rustfmt.toml'
+              - '.github/workflows/tests.yml'

-          trial:
-            - 'synapse/**'
-            - 'tests/**'
-            - 'rust/**'
-            - '.ci/scripts/calculate_jobs.py'
-            - 'Cargo.toml'
-            - 'Cargo.lock'
-            - 'pyproject.toml'
-            - 'poetry.lock'
-            - '.github/workflows/tests.yml'
+            trial:
+              - 'synapse/**'
+              - 'tests/**'
+              - 'rust/**'
+              - '.ci/scripts/calculate_jobs.py'
+              - 'Cargo.toml'
+              - 'Cargo.lock'
+              - 'pyproject.toml'
+              - 'poetry.lock'
+              - '.github/workflows/tests.yml'

-          integration:
-            - 'synapse/**'
-            - 'rust/**'
-            - 'docker/**'
-            - 'Cargo.toml'
-            - 'Cargo.lock'
-            - 'pyproject.toml'
-            - 'poetry.lock'
-            - 'docker/**'
-            - '.ci/**'
-            - 'scripts-dev/complement.sh'
-            - '.github/workflows/tests.yml'
+            integration:
+              - 'synapse/**'
+              - 'rust/**'
+              - 'docker/**'
+              - 'Cargo.toml'
+              - 'Cargo.lock'
+              - 'pyproject.toml'
+              - 'poetry.lock'
+              - 'docker/**'
+              - '.ci/**'
+              - 'scripts-dev/complement.sh'
+              - '.github/workflows/tests.yml'

-          linting:
-            - 'synapse/**'
-            - 'docker/**'
-            - 'tests/**'
-            - 'scripts-dev/**'
-            - 'contrib/**'
-            - 'synmark/**'
-            - 'stubs/**'
-            - '.ci/**'
-            - 'mypy.ini'
-            - 'pyproject.toml'
-            - 'poetry.lock'
-            - '.github/workflows/tests.yml'
+            linting:
+              - 'synapse/**'
+              - 'docker/**'
+              - 'tests/**'
+              - 'scripts-dev/**'
+              - 'contrib/**'
+              - 'synmark/**'
+              - 'stubs/**'
+              - '.ci/**'
+              - 'mypy.ini'
+              - 'pyproject.toml'
+              - 'poetry.lock'
+              - '.github/workflows/tests.yml'

-          linting_readme:
-            - 'README.rst'
+            linting_readme:
+              - 'README.rst'

  check-sampleconfig:
    runs-on: ubuntu-latest
@ -86,12 +86,12 @@ jobs:
    if: ${{ needs.changes.outputs.linting == 'true' }}

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Install Rust
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
      - uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0
        with:
          python-version: "3.x"
@ -106,18 +106,18 @@ jobs:
    if: ${{ needs.changes.outputs.linting == 'true' }}

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: "3.x"
-      - run: "pip install 'click==8.1.1' 'GitPython>=3.1.20'"
+      - run: "pip install 'click==8.1.1' 'GitPython>=3.1.20' 'sqlglot>=28.0.0'"
      - run: scripts-dev/check_schema_delta.py --force-colors

  check-lockfile:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: "3.x"
      - run: .ci/scripts/check_lockfile.py
@ -129,7 +129,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Setup Poetry
        uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0
@ -151,13 +151,13 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Install Rust
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2

      - name: Setup Poetry
        uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0
@ -174,7 +174,7 @@ jobs:
      # Cribbed from
      # https://github.com/AustinScola/mypy-cache-github-action/blob/85ea4f2972abed39b33bd02c36e341b28ca59213/src/restore.ts#L10-L17
      - name: Restore/persist mypy's cache
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
        with:
          path: |
            .mypy_cache
@ -187,19 +187,20 @@ jobs:
  lint-crlf:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Check line endings
        run: scripts-dev/check_line_terminators.sh

  lint-newsfile:
-    if: ${{ (github.base_ref == 'develop'  || contains(github.base_ref, 'release-')) && github.actor != 'dependabot[bot]' }}
+    # Only run on pull_request events, targeting develop/release branches, and skip when the PR author is dependabot[bot].
+    if: ${{ github.event_name == 'pull_request' && (github.base_ref == 'develop' || contains(github.base_ref, 'release-')) && github.event.pull_request.user.login != 'dependabot[bot]' }}
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0
-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: "3.x"
      - run: "pip install 'towncrier>=18.6.0rc1'"
@ -213,14 +214,14 @@ jobs:
    if: ${{ needs.changes.outputs.rust == 'true' }}

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Install Rust
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
        with:
-            components: clippy
-            toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+          components: clippy
+          toolchain: ${{ env.RUST_VERSION }}
+      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2

      - run: cargo clippy -- -D warnings

@ -232,14 +233,14 @@ jobs:
    if: ${{ needs.changes.outputs.rust == 'true' }}

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Install Rust
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
        with:
-            toolchain: nightly-2025-04-23
-            components: clippy
-      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+          toolchain: nightly-2025-04-23
+          components: clippy
+      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2

      - run: cargo clippy --all-features -- -D warnings

@ -250,13 +251,13 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Install Rust
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2

      - name: Setup Poetry
        uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0
@ -286,7 +287,7 @@ jobs:
    if: ${{ needs.changes.outputs.rust == 'true' }}

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Install Rust
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
@ -295,7 +296,7 @@ jobs:
          # `.rustfmt.toml`.
          toolchain: nightly-2025-04-23
          components: rustfmt
-      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2

      - run: cargo fmt --check

@ -306,8 +307,8 @@ jobs:
    needs: changes
    if: ${{ needs.changes.outputs.linting_readme == 'true' }}
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: "3.x"
      - run: "pip install rstcheck"
@ -348,14 +349,13 @@ jobs:
            lint-rustfmt
            lint-readme

-
  calculate-test-jobs:
    if: ${{ !cancelled() && !failure() }} # Allow previous steps to be skipped, but not fail
    needs: linting-done
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: "3.x"
      - id: get-matrix
@ -372,10 +372,10 @@ jobs:
    runs-on: ubuntu-latest
    strategy:
      matrix:
-        job:  ${{ fromJson(needs.calculate-test-jobs.outputs.trial_test_matrix) }}
+        job: ${{ fromJson(needs.calculate-test-jobs.outputs.trial_test_matrix) }}

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - run: sudo apt-get -qq install xmlsec1
      - name: Set up PostgreSQL ${{ matrix.job.postgres-version }}
        if: ${{ matrix.job.postgres-version }}
@ -393,7 +393,7 @@ jobs:
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2

      - uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0
        with:
@ -431,13 +431,13 @@ jobs:
      - changes
    runs-on: ubuntu-22.04
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Install Rust
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2

      # There aren't wheels for some of the older deps, so we need to install
      # their build dependencies
@ -446,19 +446,17 @@ jobs:
          sudo apt-get -qq install build-essential libffi-dev python3-dev \
            libxml2-dev libxslt-dev xmlsec1 zlib1g-dev libjpeg-dev libwebp-dev

-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
-          python-version: '3.10'
+          python-version: "3.10"

      - name: Prepare old deps
-        if: steps.cache-poetry-old-deps.outputs.cache-hit != 'true'
-        run: .ci/scripts/prepare_old_deps.sh
-
-      # Note: we install using `pip` here, not poetry. `poetry install` ignores the
-      # build-system section (https://github.com/python-poetry/poetry/issues/6154), but
-      # we explicitly want to test that you can `pip install` using the oldest version
-      # of poetry-core and setuptools-rust.
-      - run: pip install .[all,test]
+        # Note: we install using `uv` here, not poetry or pip to allow us to test with the
+        # minimum version of all dependencies, both those explicitly specified and those
+        # implicitly brought in by the explicit dependencies.
+        run: |
+          pip install uv
+          uv pip install --system --resolution=lowest .[all,test]

      # We nuke the local copy, as we've installed synapse into the virtualenv
      # (rather than use an editable install, which we no longer support). If we
@ -496,7 +494,7 @@ jobs:
        extras: ["all"]

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      # Install libs necessary for PyPy to build binary wheels for dependencies
      - run: sudo apt-get -qq install xmlsec1 libxml2-dev libxslt-dev
      - uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0
@ -546,7 +544,7 @@ jobs:
        job: ${{ fromJson(needs.calculate-test-jobs.outputs.sytest_test_matrix) }}

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Prepare test blacklist
        run: cat sytest-blacklist .ci/worker-blacklist > synapse-blacklist-with-workers

@ -554,7 +552,7 @@ jobs:
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2

      - name: Run SyTest
        run: /bootstrap.sh synapse
@ -563,7 +561,7 @@ jobs:
        if: ${{ always() }}
        run: /sytest/scripts/tap_to_gha.pl /logs/results.tap
      - name: Upload SyTest logs
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        if: ${{ always() }}
        with:
          name: Sytest Logs - ${{ job.status }} - (${{ join(matrix.job.*, ', ') }})
@ -593,7 +591,7 @@ jobs:
          --health-retries 5

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - run: sudo apt-get -qq install xmlsec1 postgresql-client
      - uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0
        with:
@ -606,7 +604,6 @@ jobs:
          PGPASSWORD: postgres
          PGDATABASE: postgres

-
  portdb:
    if: ${{ !failure() && !cancelled() && needs.changes.outputs.integration == 'true'}} # Allow previous steps to be skipped, but not fail
    needs:
@ -637,7 +634,7 @@ jobs:
          --health-retries 5

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Add PostgreSQL apt repository
        # We need a version of pg_dump that can handle the version of
        # PostgreSQL being tested against. The Ubuntu package repository lags
@ -661,7 +658,7 @@ jobs:
          PGPASSWORD: postgres
          PGDATABASE: postgres
      - name: "Upload schema differences"
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        if: ${{ failure() && !cancelled() && steps.run_tester_script.outcome == 'failure' }}
        with:
          name: Schema dumps
@ -692,7 +689,7 @@ jobs:

    steps:
      - name: Checkout synapse codebase
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          path: synapse

@ -700,25 +697,39 @@ jobs:
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2

      - name: Prepare Complement's Prerequisites
        run: synapse/.ci/scripts/setup_complement_prerequisites.sh

-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
        with:
          cache-dependency-path: complement/go.sum
          go-version-file: complement/go.mod

        # use p=1 concurrency as GHA boxes are underpowered and don't like running tons of synapses at once.
-      - run: |
+      - name: Run Complement Tests
+        id: run_complement_tests
+        # -p=1: We're using `-p 1` to force the test packages to run serially as GHA boxes
+        #     are underpowered and don't like running tons of Synapse instances at once.
+        # -json: Output JSON format so that gotestfmt can parse it.
+        #
+        # tee /tmp/gotest.log: We tee the output to a file so that we can re-process it
+        # later on for better formatting with gotestfmt. But we still want the command
+        # to output to the terminal as it runs so we can see what's happening in
+        # real-time.
+        run: |
          set -o pipefail
-          COMPLEMENT_DIR=`pwd`/complement synapse/scripts-dev/complement.sh -p 1 -json 2>&1 | synapse/.ci/scripts/gotestfmt
+          COMPLEMENT_DIR=`pwd`/complement synapse/scripts-dev/complement.sh -p 1 -json 2>&1 | tee /tmp/gotest.log
        shell: bash
        env:
          POSTGRES: ${{ (matrix.database == 'Postgres') && 1 || '' }}
          WORKERS: ${{ (matrix.arrangement == 'workers') && 1 || '' }}
-        name: Run Complement Tests
+
+      - name: Formatted Complement test logs
+        # Always run this step if we attempted to run the Complement tests.
+        if: always() && steps.run_complement_tests.outcome != 'skipped'
+        run: cat /tmp/gotest.log | gotestfmt -hide "successful-downloads,empty-packages"

  cargo-test:
    if: ${{ needs.changes.outputs.rust == 'true' }}
@ -728,13 +739,13 @@ jobs:
      - changes

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Install Rust
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2

      - run: cargo test

@ -748,13 +759,13 @@ jobs:
      - changes

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Install Rust
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
        with:
-            toolchain: nightly-2022-12-01
-      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+          toolchain: nightly-2022-12-01
+      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2

      - run: cargo bench --no-run

--- a/.github/workflows/triage_labelled.yml
+++ b/.github/workflows/triage_labelled.yml
@ -22,7 +22,7 @@ jobs:
      # This field is case-sensitive.
      TARGET_STATUS: Needs info
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # Only clone the script file we care about, instead of the whole repo.
          sparse-checkout: .ci/scripts/triage_labelled_issue.sh
--- a/.github/workflows/twisted_trunk.yml
+++ b/.github/workflows/twisted_trunk.yml
@ -43,13 +43,13 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Install Rust
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2

      - uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0
        with:
@ -70,14 +70,14 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - run: sudo apt-get -qq install xmlsec1

      - name: Install Rust
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2

      - uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0
        with:
@ -117,13 +117,13 @@ jobs:
        - ${{ github.workspace }}:/src

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Install Rust
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2

      - name: Patch dependencies
        # Note: The poetry commands want to create a virtualenv in /src/.venv/,
@ -147,7 +147,7 @@ jobs:
        if: ${{ always() }}
        run: /sytest/scripts/tap_to_gha.pl /logs/results.tap
      - name: Upload SyTest logs
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        if: ${{ always() }}
        with:
          name: Sytest Logs - ${{ job.status }} - (${{ join(matrix.*, ', ') }})
@ -175,14 +175,14 @@ jobs:

    steps:
      - name: Run actions/checkout@v4 for synapse
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          path: synapse

      - name: Prepare Complement's Prerequisites
        run: synapse/.ci/scripts/setup_complement_prerequisites.sh

-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
        with:
          cache-dependency-path: complement/go.sum
          go-version-file: complement/go.mod
@ -217,7 +217,7 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2.9.2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/CHANGES.md
+++ b/CHANGES.md
@ -1,4 +1,178 @@
-# Synapse 1.143.0rc1 (2025-11-18)
+# Synapse 1.145.0 (2026-01-13)
+
+No significant changes since 1.145.0rc4.
+
+## End of Life of Ubuntu 25.04 Plucky Puffin
+
+Ubuntu 25.04 (Plucky Puffin) will be end of life on Jan 17, 2026. Synapse will stop building packages for Ubuntu 25.04 shortly thereafter.
+
+## Updates to Locked Dependencies No Longer Included in Changelog
+
+The "Updates to locked dependencies" section has been removed from the changelog due to lack of use and the maintenance burden. ([\#19254](https://github.com/element-hq/synapse/issues/19254))
+
+
+
+
+# Synapse 1.145.0rc4 (2026-01-08)
+
+No significant changes since 1.145.0rc3.
+
+This RC contains a fix specifically for openSUSE packaging and no other changes. 
+
+
+
+# Synapse 1.145.0rc3 (2026-01-07)
+
+No significant changes since 1.145.0rc2.
+
+This RC strips out unnecessary files from the wheels that were added when fixing the source distribution packaging in the previous RC.
+
+
+
+# Synapse 1.145.0rc2 (2026-01-07)
+
+No significant changes since 1.145.0rc1.
+
+This RC fixes the source distribution packaging for uploading to PyPI.
+
+
+
+# Synapse 1.145.0rc1 (2026-01-06)
+
+## Features
+
+- Add `memberships` endpoint to the admin API. This is useful for forensics and T&S purposes. ([\#19260](https://github.com/element-hq/synapse/issues/19260))
+- Server admins can bypass the quarantine media check when downloading media by setting the `admin_unsafely_bypass_quarantine` query parameter to `true` on Client-Server API media download requests. ([\#19275](https://github.com/element-hq/synapse/issues/19275))
+- Implemented pagination for the [MSC2666](https://github.com/matrix-org/matrix-spec-proposals/pull/2666) mutual rooms endpoint. Contributed by @tulir @ Beeper. ([\#19279](https://github.com/element-hq/synapse/issues/19279))
+- Admin API: add worker support to `GET /_synapse/admin/v2/users/<user_id>`. ([\#19281](https://github.com/element-hq/synapse/issues/19281))
+- Improve proxy support for the `federation_client.py` dev script. Contributed by Denis Kasak (@dkasak). ([\#19300](https://github.com/element-hq/synapse/issues/19300))
+
+## Bugfixes
+
+- Fix sliding sync performance slow down for long lived connections. ([\#19206](https://github.com/element-hq/synapse/issues/19206))
+- Fix a bug where Mastodon posts (and possibly other embeds) have the wrong description for URL previews. ([\#19231](https://github.com/element-hq/synapse/issues/19231))
+- Fix bug where `Duration` was logged incorrectly. ([\#19267](https://github.com/element-hq/synapse/issues/19267))
+- Fix bug introduced in 1.143.0 that broke support for versions of `zope-interface` older than 6.2. ([\#19274](https://github.com/element-hq/synapse/issues/19274))
+- Transform events with client metadata before serialising in /event response. ([\#19340](https://github.com/element-hq/synapse/issues/19340))
+
+## Updates to the Docker image
+
+- Add a way to expose metrics from the Docker image (`SYNAPSE_ENABLE_METRICS`). ([\#19324](https://github.com/element-hq/synapse/issues/19324))
+
+## Improved Documentation
+
+- Document the importance of `public_baseurl` when configuring OpenID Connect authentication. ([\#19270](https://github.com/element-hq/synapse/issues/19270))
+
+## Deprecations and Removals
+
+- Ubuntu 25.04 (Plucky Puffin) will be end of life on Jan 17, 2026. Synapse will stop building packages for Ubuntu 25.04 shortly thereafter.
+- Remove the "Updates to locked dependencies" section from the changelog due to lack of use and the maintenance burden. ([\#19254](https://github.com/element-hq/synapse/issues/19254))
+
+## Internal Changes
+
+- Group together dependabot update PRs to reduce the review load. ([\#18402](https://github.com/element-hq/synapse/issues/18402))
+- Fix `HomeServer.shutdown()` failing if the homeserver hasn't been setup yet. ([\#19187](https://github.com/element-hq/synapse/issues/19187))
+- Respond with useful error codes with `Content-Length` header/s are invalid. ([\#19212](https://github.com/element-hq/synapse/issues/19212))
+- Fix `HomeServer.shutdown()` failing if the homeserver failed to `start`. ([\#19232](https://github.com/element-hq/synapse/issues/19232))
+- Switch the build backend from `poetry-core` to `maturin`. ([\#19234](https://github.com/element-hq/synapse/issues/19234))
+- Raise the limit for concurrently-open non-security @dependabot PRs from 5 to 10. ([\#19253](https://github.com/element-hq/synapse/issues/19253))
+- Require 14 days to pass before pulling in general dependency updates to help mitigate upstream supply chain attacks. ([\#19258](https://github.com/element-hq/synapse/issues/19258))
+- Drop the broken netlify documentation workflow until a new one is implemented. ([\#19262](https://github.com/element-hq/synapse/issues/19262))
+- Don't include debug logs in `Clock` unless explicitly enabled. ([\#19278](https://github.com/element-hq/synapse/issues/19278))
+- Use `uv` to test olddeps to ensure all transitive dependencies use minimum versions. ([\#19289](https://github.com/element-hq/synapse/issues/19289))
+- Add a config to be able to rate limit search in the user directory. ([\#19291](https://github.com/element-hq/synapse/issues/19291))
+- Log the original bind exception when encountering `Failed to listen on 0.0.0.0, continuing because listening on [::]`. ([\#19297](https://github.com/element-hq/synapse/issues/19297))
+- Unpin the version of Rust we use to build Synapse wheels (was 1.82.0) now that MacOS support has been dropped. ([\#19302](https://github.com/element-hq/synapse/issues/19302))
+- Make it more clear how `shared_extra_conf` is combined in our Docker configuration scripts. ([\#19323](https://github.com/element-hq/synapse/issues/19323))
+- Update CI to stream Complement progress and format logs in a separate step after all tests are done. ([\#19326](https://github.com/element-hq/synapse/issues/19326))
+- Format `.github/workflows/tests.yml`. ([\#19327](https://github.com/element-hq/synapse/issues/19327))
+
+
+
+
+# Synapse 1.144.0 (2025-12-09)
+
+## Deprecation of MacOS Python wheels
+
+The team has decided to deprecate and stop publishing python wheels for MacOS.
+Synapse docker images will continue to work on MacOS, as will building Synapse
+from source (though note this requires a Rust compiler).
+
+## Unstable mutual rooms endpoint is now behind an experimental feature flag
+
+Admins using the unstable [MSC2666](https://github.com/matrix-org/matrix-spec-proposals/pull/2666) endpoint (`/_matrix/client/unstable/uk.half-shot.msc2666/user/mutual_rooms`),
+please check [the relevant section in the upgrade notes](https://github.com/element-hq/synapse/blob/develop/docs/upgrade.md#upgrading-to-v11440) as this release contains changes
+that disable that endpoint by default.
+
+
+
+No significant changes since 1.144.0rc1.
+
+
+
+
+# Synapse 1.144.0rc1 (2025-12-02)
+
+Admins using the unstable [MSC2666](https://github.com/matrix-org/matrix-spec-proposals/pull/2666) endpoint (`/_matrix/client/unstable/uk.half-shot.msc2666/user/mutual_rooms`), please check [the relevant section in the upgrade notes](https://github.com/element-hq/synapse/blob/develop/docs/upgrade.md#upgrading-to-v11440) as this release contains changes that disable that endpoint by default.
+
+## Features
+
+- Add experimentatal implememntation of [MSC4380](https://github.com/matrix-org/matrix-spec-proposals/pull/4380) (invite blocking). ([\#19203](https://github.com/element-hq/synapse/issues/19203))
+- Allow restarting delayed event timeouts on workers. ([\#19207](https://github.com/element-hq/synapse/issues/19207))
+
+## Bugfixes
+
+- Fix a bug in the database function for fetching state deltas that could result in unnecessarily long query times. ([\#18960](https://github.com/element-hq/synapse/issues/18960))
+- Fix v12 rooms when running with `use_frozen_dicts: True`. ([\#19235](https://github.com/element-hq/synapse/issues/19235))
+- Fix bug where invalid `canonical_alias` content would return 500 instead of 400. ([\#19240](https://github.com/element-hq/synapse/issues/19240))
+- Fix bug where `Duration` was logged incorrectly. ([\#19267](https://github.com/element-hq/synapse/issues/19267))
+
+## Improved Documentation
+
+- Document in the `--config-path` help how multiple files are merged - by merging them shallowly. ([\#19243](https://github.com/element-hq/synapse/issues/19243))
+
+## Deprecations and Removals
+
+- Stop building release wheels for MacOS. ([\#19225](https://github.com/element-hq/synapse/issues/19225))
+
+## Internal Changes
+
+- Improve event filtering for Simplified Sliding Sync. ([\#17782](https://github.com/element-hq/synapse/issues/17782))
+- Export `SYNAPSE_SUPPORTED_COMPLEMENT_TEST_PACKAGES` environment variable from `scripts-dev/complement.sh`. ([\#19208](https://github.com/element-hq/synapse/issues/19208))
+- Refactor `scripts-dev/complement.sh` logic to avoid `exit` to facilitate being able to source it from other scripts (composable). ([\#19209](https://github.com/element-hq/synapse/issues/19209))
+- Expire sliding sync connections that are too old or have too much pending data. ([\#19211](https://github.com/element-hq/synapse/issues/19211))
+- Require an experimental feature flag to be enabled in order for the unstable [MSC2666](https://github.com/matrix-org/matrix-spec-proposals/pull/2666) endpoint (`/_matrix/client/unstable/uk.half-shot.msc2666/user/mutual_rooms`) to be available. ([\#19219](https://github.com/element-hq/synapse/issues/19219))
+- Prevent changelog check CI running on @dependabot's PRs even when a human has modified the branch. ([\#19220](https://github.com/element-hq/synapse/issues/19220))
+- Auto-fix trailing spaces in multi-line strings and comments when running the lint script. ([\#19221](https://github.com/element-hq/synapse/issues/19221))
+- Move towards using a dedicated `Duration` type. ([\#19223](https://github.com/element-hq/synapse/issues/19223), [\#19229](https://github.com/element-hq/synapse/issues/19229))
+- Improve robustness of the SQL schema linting in CI. ([\#19224](https://github.com/element-hq/synapse/issues/19224))
+- Add log to determine whether clients are using `/messages` as expected. ([\#19226](https://github.com/element-hq/synapse/issues/19226))
+- Simplify README and add ESS Getting started section. ([\#19228](https://github.com/element-hq/synapse/issues/19228), [\#19259](https://github.com/element-hq/synapse/issues/19259))
+- Add a unit test for ensuring associated refresh tokens are erased when a device is deleted. ([\#19230](https://github.com/element-hq/synapse/issues/19230))
+- Prompt user to consider adding future deprecations to the changelog in release script. ([\#19239](https://github.com/element-hq/synapse/issues/19239))
+- Fix check of the Rust compiled code being outdated when using source checkout and `.egg-info`. ([\#19251](https://github.com/element-hq/synapse/issues/19251))
+- Stop building macos wheels in CI pipeline. ([\#19263](https://github.com/element-hq/synapse/issues/19263))
+
+
+
+### Updates to locked dependencies
+
+* Bump Swatinem/rust-cache from 2.8.1 to 2.8.2. ([\#19244](https://github.com/element-hq/synapse/issues/19244))
+* Bump actions/checkout from 5.0.0 to 6.0.0. ([\#19213](https://github.com/element-hq/synapse/issues/19213))
+* Bump actions/setup-go from 6.0.0 to 6.1.0. ([\#19214](https://github.com/element-hq/synapse/issues/19214))
+* Bump actions/setup-python from 6.0.0 to 6.1.0. ([\#19245](https://github.com/element-hq/synapse/issues/19245))
+* Bump attrs from 25.3.0 to 25.4.0. ([\#19215](https://github.com/element-hq/synapse/issues/19215))
+* Bump docker/metadata-action from 5.9.0 to 5.10.0. ([\#19246](https://github.com/element-hq/synapse/issues/19246))
+* Bump http from 1.3.1 to 1.4.0. ([\#19249](https://github.com/element-hq/synapse/issues/19249))
+* Bump pydantic from 2.12.4 to 2.12.5. ([\#19250](https://github.com/element-hq/synapse/issues/19250))
+* Bump pyopenssl from 25.1.0 to 25.3.0. ([\#19248](https://github.com/element-hq/synapse/issues/19248))
+* Bump rpds-py from 0.28.0 to 0.29.0. ([\#19216](https://github.com/element-hq/synapse/issues/19216))
+* Bump rpds-py from 0.29.0 to 0.30.0. ([\#19247](https://github.com/element-hq/synapse/issues/19247))
+* Bump sentry-sdk from 2.44.0 to 2.46.0. ([\#19218](https://github.com/element-hq/synapse/issues/19218))
+* Bump types-bleach from 6.2.0.20250809 to 6.3.0.20251115. ([\#19217](https://github.com/element-hq/synapse/issues/19217))
+* Bump types-jsonschema from 4.25.1.20250822 to 4.25.1.20251009. ([\#19252](https://github.com/element-hq/synapse/issues/19252))
+
+# Synapse 1.143.0 (2025-11-25)

 ## Dropping support for PostgreSQL 13

@ -6,6 +180,28 @@ In line with our [deprecation policy](https://github.com/element-hq/synapse/blob
 support for PostgreSQL 13, as it is no longer supported upstream.
 This release of Synapse requires PostgreSQL 14+.

+No significant changes since 1.143.0rc2.
+
+
+
+
+# Synapse 1.143.0rc2 (2025-11-18)
+
+## Dropping support for PostgreSQL 13
+
+In line with our [deprecation policy](https://github.com/element-hq/synapse/blob/develop/docs/deprecation_policy.md), we've dropped
+support for PostgreSQL 13, as it is no longer supported upstream.
+This release of Synapse requires PostgreSQL 14+.
+
+
+## Internal Changes
+
+- Fixes docker image creation in the release workflow.
+
+
+
+# Synapse 1.143.0rc1 (2025-11-18)
+
 ## Features

 - Support multiple config files in `register_new_matrix_user`. ([\#18784](https://github.com/element-hq/synapse/issues/18784))
--- a/Cargo.lock
+++ b/Cargo.lock
@ -374,12 +374,11 @@ checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"

 [[package]]
 name = "http"
-version = "1.3.1"
+version = "1.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f4a85d31aea989eead29a3aaf9e1115a180df8282431156e533de47660892565"
+checksum = "e3ba2a386d7f85a81f119ad7498ebe444d2e22c2af0b86b069416ace48b3311a"
 dependencies = [
 "bytes",
- "fnv",
 "itoa",
 ]

@ -706,9 +705,9 @@ checksum = "241eaef5fd12c88705a01fc1066c48c4b36e0dd4377dcdc7ec3942cea7a69956"

 [[package]]
 name = "log"
-version = "0.4.28"
+version = "0.4.29"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "34080505efa8e45a4b816c349525ebe327ceaa8559756f0356cba97ef3bf7432"
+checksum = "5e5032e24019045c762d3c0f28f5b6b8bbf38563a65908389bf7978758920897"

 [[package]]
 name = "lru-slab"
@ -1025,9 +1024,9 @@ checksum = "2b15c43186be67a4fd63bee50d0303afffcef381492ebe2c5d87f324e1b8815c"

 [[package]]
 name = "reqwest"
-version = "0.12.24"
+version = "0.12.26"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9d0946410b9f7b082a427e4ef5c8ff541a88b357bc6c637c40db3a68ac70a36f"
+checksum = "3b4c14b2d9afca6a60277086b0cc6a6ae0b568f6f7916c943a8cdc79f8be240f"
 dependencies = [
 "base64",
 "bytes",
@ -1469,9 +1468,9 @@ dependencies = [

 [[package]]
 name = "tower-http"
-version = "0.6.6"
+version = "0.6.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "adc82fd73de2a9722ac5da747f12383d2bfdb93591ee6c58486e0097890f05f2"
+checksum = "d4e6559d53cc268e5031cd8429d05415bc4cb4aefc4aa5d6cc35fbf5b924a1f8"
 dependencies = [
 "bitflags",
 "bytes",
--- a/README.rst
+++ b/README.rst
@ -1,4 +1,4 @@
-.. image:: ./docs/element_logo_white_bg.svg
+.. image:: https://github.com/element-hq/synapse/raw/develop/docs/element_logo_white_bg.svg
   :height: 60px

 **Element Synapse - Matrix homeserver implementation**
@ -7,170 +7,48 @@

 Synapse is an open source `Matrix <https://matrix.org>`__ homeserver
 implementation, written and maintained by `Element <https://element.io>`_.
-`Matrix <https://github.com/matrix-org>`__ is the open standard for
-secure and interoperable real-time communications. You can directly run
-and manage the source code in this repository, available under an AGPL
-license (or alternatively under a commercial license from Element).
-There is no support provided by Element unless you have a
-subscription from Element.
+`Matrix <https://github.com/matrix-org>`__ is the open standard for secure and
+interoperable real-time communications. You can directly run and manage the
+source code in this repository, available under an AGPL license (or
+alternatively under a commercial license from Element).

-Subscription
-============
+There is no support provided by Element unless you have a subscription from
+Element.

-For those that need an enterprise-ready solution, Element
-Server Suite (ESS) is `available via subscription <https://element.io/pricing>`_.
-ESS builds on Synapse to offer a complete Matrix-based backend including the full
-`Admin Console product <https://element.io/enterprise-functionality/admin-console>`_,
-giving admins the power to easily manage an organization-wide
-deployment. It includes advanced identity management, auditing,
-moderation and data retention options as well as Long-Term Support and
-SLAs. ESS supports any Matrix-compatible client.
+🚀 Getting started
+==================

-.. contents::
+This component is developed and maintained by `Element <https://element.io>`_.
+It gets shipped as part of the **Element Server Suite (ESS)** which provides the
+official means of deployment.

-🛠️ Installation and configuration
-==================================
+ESS is a Matrix distribution from Element with focus on quality and ease of use.
+It ships a full Matrix stack tailored to the respective use case.

-The Synapse documentation describes `how to install Synapse <https://element-hq.github.io/synapse/latest/setup/installation.html>`_. We recommend using
-`Docker images <https://element-hq.github.io/synapse/latest/setup/installation.html#docker-images-and-ansible-playbooks>`_ or `Debian packages from Matrix.org
-<https://element-hq.github.io/synapse/latest/setup/installation.html#matrixorg-packages>`_.
+There are three editions of ESS:

-.. _federation:
-
-Synapse has a variety of `config options
-<https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html>`_
-which can be used to customise its behaviour after installation.
-There are additional details on how to `configure Synapse for federation here
-<https://element-hq.github.io/synapse/latest/federate.html>`_.
-
-.. _reverse-proxy:
-
-Using a reverse proxy with Synapse
----------------------------------
-
-It is recommended to put a reverse proxy such as
-`nginx <https://nginx.org/en/docs/http/ngx_http_proxy_module.html>`_,
-`Apache <https://httpd.apache.org/docs/current/mod/mod_proxy_http.html>`_,
-`Caddy <https://caddyserver.com/docs/quick-starts/reverse-proxy>`_,
-`HAProxy <https://www.haproxy.org/>`_ or
-`relayd <https://man.openbsd.org/relayd.8>`_ in front of Synapse. One advantage of
-doing so is that it means that you can expose the default https port (443) to
-Matrix clients without needing to run Synapse with root privileges.
-For information on configuring one, see `the reverse proxy docs
-<https://element-hq.github.io/synapse/latest/reverse_proxy.html>`_.
-
-Upgrading an existing Synapse
-----------------------------
-
-The instructions for upgrading Synapse are in `the upgrade notes`_.
-Please check these instructions as upgrading may require extra steps for some
-versions of Synapse.
-
-.. _the upgrade notes: https://element-hq.github.io/synapse/develop/upgrade.html
+- `ESS Community <https://github.com/element-hq/ess-helm>`_ - the free Matrix
+  distribution from Element tailored to small-/mid-scale, non-commercial
+  community use cases
+- `ESS Pro <https://element.io/server-suite>`_ - the commercial Matrix
+  distribution from Element for professional use
+- `ESS TI-M <https://element.io/server-suite/ti-messenger>`_ - a special version
+  of ESS Pro focused on the requirements of TI-Messenger Pro and ePA as
+  specified by the German National Digital Health Agency Gematik


-Platform dependencies
---------------------
+🛠️ Standalone installation and configuration
+============================================

-Synapse uses a number of platform dependencies such as Python and PostgreSQL,
-and aims to follow supported upstream versions. See the
-`deprecation policy <https://element-hq.github.io/synapse/latest/deprecation_policy.html>`_
-for more details.
+The Synapse documentation describes `options for installing Synapse standalone
+<https://element-hq.github.io/synapse/latest/setup/installation.html>`_. See
+below for more useful documentation links.

+- `Synapse configuration options <https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html>`_
+- `Synapse configuration for federation <https://element-hq.github.io/synapse/latest/federate.html>`_
+- `Using a reverse proxy with Synapse <https://element-hq.github.io/synapse/latest/reverse_proxy.html>`_
+- `Upgrading Synapse <https://element-hq.github.io/synapse/develop/upgrade.html>`_

-Security note
-------------
-
-Matrix serves raw, user-supplied data in some APIs -- specifically the `content
-repository endpoints`_.
-
-.. _content repository endpoints: https://matrix.org/docs/spec/client_server/latest.html#get-matrix-media-r0-download-servername-mediaid
-
-Whilst we make a reasonable effort to mitigate against XSS attacks (for
-instance, by using `CSP`_), a Matrix homeserver should not be hosted on a
-domain hosting other web applications. This especially applies to sharing
-the domain with Matrix web clients and other sensitive applications like
-webmail. See
-https://developer.github.com/changes/2014-04-25-user-content-security for more
-information.
-
-.. _CSP: https://github.com/matrix-org/synapse/pull/1021
-
-Ideally, the homeserver should not simply be on a different subdomain, but on
-a completely different `registered domain`_ (also known as top-level site or
-eTLD+1). This is because `some attacks`_ are still possible as long as the two
-applications share the same registered domain.
-
-.. _registered domain: https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-2.3
-
-.. _some attacks: https://en.wikipedia.org/wiki/Session_fixation#Attacks_using_cross-subdomain_cookie
-
-To illustrate this with an example, if your Element Web or other sensitive web
-application is hosted on ``A.example1.com``, you should ideally host Synapse on
-``example2.com``. Some amount of protection is offered by hosting on
-``B.example1.com`` instead, so this is also acceptable in some scenarios.
-However, you should *not* host your Synapse on ``A.example1.com``.
-
-Note that all of the above refers exclusively to the domain used in Synapse's
-``public_baseurl`` setting. In particular, it has no bearing on the domain
-mentioned in MXIDs hosted on that server.
-
-Following this advice ensures that even if an XSS is found in Synapse, the
-impact to other applications will be minimal.
-
-
-🧪 Testing a new installation
-=============================
-
-The easiest way to try out your new Synapse installation is by connecting to it
-from a web client.
-
-Unless you are running a test instance of Synapse on your local machine, in
-general, you will need to enable TLS support before you can successfully
-connect from a client: see
-`TLS certificates <https://element-hq.github.io/synapse/latest/setup/installation.html#tls-certificates>`_.
-
-An easy way to get started is to login or register via Element at
-https://app.element.io/#/login or https://app.element.io/#/register respectively.
-You will need to change the server you are logging into from ``matrix.org``
-and instead specify a homeserver URL of ``https://<server_name>:8448``
-(or just ``https://<server_name>`` if you are using a reverse proxy).
-If you prefer to use another client, refer to our
-`client breakdown <https://matrix.org/ecosystem/clients/>`_.
-
-If all goes well you should at least be able to log in, create a room, and
-start sending messages.
-
-.. _`client-user-reg`:
-
-Registering a new user from a client
------------------------------------
-
-By default, registration of new users via Matrix clients is disabled. To enable
-it:
-
-1. In the
-   `registration config section <https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#registration>`_
-   set ``enable_registration: true`` in ``homeserver.yaml``.
-2. Then **either**:
-
-   a. set up a `CAPTCHA <https://element-hq.github.io/synapse/latest/CAPTCHA_SETUP.html>`_, or
-   b. set ``enable_registration_without_verification: true`` in ``homeserver.yaml``.
-
-We **strongly** recommend using a CAPTCHA, particularly if your homeserver is exposed to
-the public internet. Without it, anyone can freely register accounts on your homeserver.
-This can be exploited by attackers to create spambots targeting the rest of the Matrix
-federation.
-
-Your new Matrix ID will be formed partly from the ``server_name``, and partly
-from a localpart you specify when you create the account in the form of::
-
-    @localpart:my.domain.name
-
-(pronounced "at localpart on my dot domain dot name").
-
-As when logging in, you will need to specify a "Custom server".  Specify your
-desired ``localpart`` in the 'Username' box.

 🎯 Troubleshooting and support
 ==============================
@ -182,7 +60,7 @@ Enterprise quality support for Synapse including SLAs is available as part of an
 `Element Server Suite (ESS) <https://element.io/pricing>`_ subscription.

 If you are an existing ESS subscriber then you can raise a `support request <https://ems.element.io/support>`_
-and access the `knowledge base <https://ems-docs.element.io>`_.
+and access the `Element product documentation <https://docs.element.io>`_.

 🤝 Community support
 --------------------
@ -201,35 +79,6 @@ issues for support requests, only for bug reports and feature requests.
 .. |docs| replace:: ``docs``
 .. _docs: docs

-🪪 Identity Servers
-===================
-
-Identity servers have the job of mapping email addresses and other 3rd Party
-IDs (3PIDs) to Matrix user IDs, as well as verifying the ownership of 3PIDs
-before creating that mapping.
-
-**Identity servers do not store accounts or credentials - these are stored and managed on homeservers.
-Identity Servers are just for mapping 3rd Party IDs to Matrix IDs.**
-
-This process is highly security-sensitive, as there is an obvious risk of spam if it
-is too easy to sign up for Matrix accounts or harvest 3PID data. In the longer
-term, we hope to create a decentralised system to manage it (`matrix-doc #712
-<https://github.com/matrix-org/matrix-doc/issues/712>`_), but in the meantime,
-the role of managing trusted identity in the Matrix ecosystem is farmed out to
-a cluster of known trusted ecosystem partners, who run 'Matrix Identity
-Servers' such as `Sydent <https://github.com/matrix-org/sydent>`_, whose role
-is purely to authenticate and track 3PID logins and publish end-user public
-keys.
-
-You can host your own copy of Sydent, but this will prevent you reaching other
-users in the Matrix ecosystem via their email address, and prevent them finding
-you. We therefore recommend that you use one of the centralised identity servers
-at ``https://matrix.org`` or ``https://vector.im`` for now.
-
-To reiterate: the Identity server will only be used if you choose to associate
-an email address with your account, or send an invite to another user via their
-email address.
-

 🛠️ Development
 ==============
@ -252,20 +101,29 @@ Alongside all that, join our developer community on Matrix:
 Copyright and Licensing
 =======================

-| Copyright 2014-2017 OpenMarket Ltd
-| Copyright 2017 Vector Creations Ltd
-| Copyright 2017-2025 New Vector Ltd
-|
+  | Copyright 2014–2017 OpenMarket Ltd
+  | Copyright 2017 Vector Creations Ltd
+  | Copyright 2017–2025 New Vector Ltd
+  | Copyright 2025 Element Creations Ltd

-This software is dual-licensed by New Vector Ltd (Element). It can be used either:
+This software is dual-licensed by Element Creations Ltd (Element). It can be
+used either:

-(1) for free under the terms of the GNU Affero General Public License (as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version); OR
+(1) for free under the terms of the GNU Affero General Public License (as
+    published by the Free Software Foundation, either version 3 of the License,
+    or (at your option) any later version); OR

-(2) under the terms of a paid-for Element Commercial License agreement between you and Element (the terms of which may vary depending on what you and Element have agreed to).
+(2) under the terms of a paid-for Element Commercial License agreement between
+    you and Element (the terms of which may vary depending on what you and
+    Element have agreed to).

-Unless required by applicable law or agreed to in writing, software distributed under the Licenses is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the Licenses for the specific language governing permissions and limitations under the Licenses.
+Unless required by applicable law or agreed to in writing, software distributed
+under the Licenses is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+CONDITIONS OF ANY KIND, either express or implied. See the Licenses for the
+specific language governing permissions and limitations under the Licenses.

-Please contact `licensing@element.io <mailto:licensing@element.io>`_ to purchase an Element commercial license for this software.
+Please contact `licensing@element.io <mailto:licensing@element.io>`_ to purchase
+an Element commercial license for this software.


 .. |support| image:: https://img.shields.io/badge/matrix-community%20support-success
--- a/book.toml
+++ b/book.toml
@ -4,7 +4,6 @@
 title = "Synapse"
 authors = ["The Matrix.org Foundation C.I.C."]
 language = "en"
-multilingual = false

 # The directory that documentation files are stored in
 src = "docs"
@ -31,13 +30,10 @@ site-url = "/synapse/"
 # Additional HTML, JS, CSS that's injected into each page of the book.
 # More information available in docs/website_files/README.md
 additional-css = [
-    "docs/website_files/table-of-contents.css",
-    "docs/website_files/remove-nav-buttons.css",
    "docs/website_files/indent-section-headers.css",
    "docs/website_files/version-picker.css",
 ]
 additional-js = [
-    "docs/website_files/table-of-contents.js",
    "docs/website_files/version-picker.js",
    "docs/website_files/version.js",
 ]
--- a/changelog.d/19204.feature
+++ b/changelog.d/19204.feature
@ -0,0 +1 @@
+Add a new config option [`enable_local_media_storage`](https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#enable_local_media_storage) which controls whether media is additionally stored locally when using configured `media_storage_providers`. Setting this to `false` allows off-site media storage without a local cache. Contributed by Patrice Brend'amour @dr.allgood.
--- a/changelog.d/19273.feature
+++ b/changelog.d/19273.feature
@ -0,0 +1 @@
+Stabilise support for [MSC4312](https://github.com/matrix-org/matrix-spec-proposals/pull/4312)'s `m.oauth` User-Interactive Auth stage for resetting cross-signing identity with the OAuth 2.0 API. The old, unstable name (`org.matrix.cross_signing_reset`) is now deprecated and will be removed in a future release.
--- a/changelog.d/19310.misc
+++ b/changelog.d/19310.misc
@ -0,0 +1 @@
+Add an internal `cancel_task` API to the task scheduler.
--- a/changelog.d/19320.misc
+++ b/changelog.d/19320.misc
@ -0,0 +1 @@
+Tweak docstrings and signatures of `auth_types_for_event` and `get_catchup_room_event_ids`.
--- a/changelog.d/19321.bugfix
+++ b/changelog.d/19321.bugfix
@ -0,0 +1 @@
+Fix joining a restricted v12 room locally when no local room creator is present but local users with sufficient power levels are. Contributed by @nexy7574.
--- a/changelog.d/19335.bugfix
+++ b/changelog.d/19335.bugfix
@ -0,0 +1 @@
+Fixed parallel calls to `/_matrix/media/v1/create` being ratelimited for appservices even if `rate_limited: false` was set in the registration. Contributed by @tulir @ Beeper.
--- a/changelog.d/19336.docker
+++ b/changelog.d/19336.docker
@ -0,0 +1 @@
+Add [Prometheus HTTP service discovery](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#http_sd_config) endpoint for easy discovery of all workers when using the `docker/Dockerfile-workers` image (see the [*Metrics* section of our Docker testing docs](docker/README-testing.md#metrics)).
--- a/changelog.d/19337.feature
+++ b/changelog.d/19337.feature
@ -0,0 +1 @@
+Refactor Grafana dashboard to use `server_name` label (instead of `instance`).
--- a/changelog.d/19341.doc
+++ b/changelog.d/19341.doc
@ -0,0 +1 @@
+Remove docs on legacy metric names (no longer in the codebase since 2022-12-06).
--- a/changelog.d/19345.misc
+++ b/changelog.d/19345.misc
@ -0,0 +1 @@
+Replace usage of deprecated `assertEquals` with `assertEqual` in unit test code.
--- a/changelog.d/19346.removal
+++ b/changelog.d/19346.removal
@ -0,0 +1 @@
+MSC2697 (Dehydrated devices) has been removed, as the MSC is closed. Developers should migrate to MSC3814.
--- a/changelog.d/19348.misc
+++ b/changelog.d/19348.misc
@ -0,0 +1 @@
+Drop support for Ubuntu 25.04 'Plucky Puffin', add support for Ubuntu 25.10 'Questing Quokka'.
--- a/changelog.d/19351.misc
+++ b/changelog.d/19351.misc
@ -0,0 +1 @@
+Revert "Add an Admin API endpoint for listing quarantined media (#19268)".
--- a/changelog.d/19353.bugfix
+++ b/changelog.d/19353.bugfix
@ -0,0 +1 @@
+Fix a bug introduced in 1.61.0 where a user's membership in a room was accidentally ignored when considering access to historical state events in rooms with the "shared" history visibility. Contributed by Lukas Tautz.
--- a/changelog.d/19356.misc
+++ b/changelog.d/19356.misc
@ -0,0 +1 @@
+Bump `mdbook` from 0.4.17 to 0.5.2 and remove our custom table-of-contents plugin in favour of the new default functionality.
--- a/changelog.d/19358.misc
+++ b/changelog.d/19358.misc
@ -0,0 +1 @@
+Replace deprecated usage of PyGitHub's `GitRelease.title` with `.name` in release script.
--- a/changelog.d/19360.bugfix
+++ b/changelog.d/19360.bugfix
@ -0,0 +1 @@
+MSC4140: Store the JSON content of scheduled delayed events as text instead of a byte array. This fixes the inability to schedule a delayed event with non-ASCII characters in its content.
--- a/changelog.d/19368.misc
+++ b/changelog.d/19368.misc
@ -0,0 +1 @@
+Update the Element logo in Synapse's README to be an absolute URL, allowing it to render on other sites (such as PyPI).
--- a/changelog.d/19372.bugfix
+++ b/changelog.d/19372.bugfix
@ -0,0 +1 @@
+Always rollback database transaction when retrying (avoid orphaned connections).
--- a/changelog.d/19376.misc
+++ b/changelog.d/19376.misc
@ -0,0 +1 @@
+Apply minor tweaks to v1.145.0 changelog.
--- a/changelog.d/19379.bugfix
+++ b/changelog.d/19379.bugfix
@ -0,0 +1 @@
+Fix `InFlightGauge` typing to allow upgrading to `prometheus_client` 0.24.
--- a/changelog.d/19381.misc
+++ b/changelog.d/19381.misc
@ -0,0 +1 @@
+Update Grafana dashboard syntax to use the latest from importing/exporting with Grafana 12.3.1.
--- a/changelog.d/19383.misc
+++ b/changelog.d/19383.misc
@ -0,0 +1 @@
+Warn about skipping reactor metrics when using unknown reactor type.
--- a/contrib/grafana/synapse.json
+++ b/contrib/grafana/synapse.json
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,57 @@
+matrix-synapse-py3 (1.145.0) stable; urgency=medium
+
+  * New Synapse release 1.145.0.
+
+ -- Synapse Packaging team <packages@matrix.org>  Tue, 13 Jan 2026 08:37:42 -0700
+
+matrix-synapse-py3 (1.145.0~rc4) stable; urgency=medium
+
+  * New Synapse release 1.145.0rc4.
+
+ -- Synapse Packaging team <packages@matrix.org>  Thu, 08 Jan 2026 12:06:35 -0700
+
+matrix-synapse-py3 (1.145.0~rc3) stable; urgency=medium
+
+  * New Synapse release 1.145.0rc3.
+
+ -- Synapse Packaging team <packages@matrix.org>  Wed, 07 Jan 2026 15:32:07 -0700
+
+matrix-synapse-py3 (1.145.0~rc2) stable; urgency=medium
+
+  * New Synapse release 1.145.0rc2.
+
+ -- Synapse Packaging team <packages@matrix.org>  Wed, 07 Jan 2026 10:10:07 -0700
+
+matrix-synapse-py3 (1.145.0~rc1) stable; urgency=medium
+
+  * New Synapse release 1.145.0rc1.
+
+ -- Synapse Packaging team <packages@matrix.org>  Tue, 06 Jan 2026 09:29:39 -0700
+
+matrix-synapse-py3 (1.144.0) stable; urgency=medium
+
+  * New Synapse release 1.144.0.
+
+ -- Synapse Packaging team <packages@matrix.org>  Tue, 09 Dec 2025 08:30:40 -0700
+
+matrix-synapse-py3 (1.144.0~rc1) stable; urgency=medium
+
+  * New Synapse release 1.144.0rc1.
+
+ -- Synapse Packaging team <packages@matrix.org>  Tue, 02 Dec 2025 09:11:19 -0700
+
+matrix-synapse-py3 (1.143.0) stable; urgency=medium
+
+  * New Synapse release 1.143.0.
+
+ -- Synapse Packaging team <packages@matrix.org>  Tue, 25 Nov 2025 08:44:56 -0700
+
+matrix-synapse-py3 (1.143.0~rc2) stable; urgency=medium
+
+  * New Synapse release 1.143.0rc2.
+
+ -- Synapse Packaging team <packages@matrix.org>  Tue, 18 Nov 2025 17:36:08 -0700
+
 matrix-synapse-py3 (1.143.0~rc1) stable; urgency=medium

  * New Synapse release 1.143.0rc1.
--- a/demo/start.sh
+++ b/demo/start.sh
@ -145,6 +145,12 @@ for port in 8080 8081 8082; do
 			rc_delayed_event_mgmt:
 			  per_second: 1000
 			  burst_count: 1000
+			rc_room_creation:
+			  per_second: 1000
+			  burst_count: 1000
+			rc_user_directory:
+			  per_second: 1000
+			  burst_count: 1000
 			RC
 			)
            echo "${ratelimiting}" >> "$port.config"
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@ -188,7 +188,12 @@ COPY --from=builder  --exclude=.lock /install /usr/local
 COPY ./docker/start.py /start.py
 COPY ./docker/conf /conf

-EXPOSE 8008/tcp 8009/tcp 8448/tcp
+# 8008: CS Matrix API port from Synapse
+# 8448: SS Matrix API port from Synapse
+EXPOSE 8008/tcp 8448/tcp
+# 19090: Metrics listener port for the main process (metrics must be enabled with
+# SYNAPSE_ENABLE_METRICS=1).
+EXPOSE 19090/tcp

 ENTRYPOINT ["/start.py"]

--- a/docker/Dockerfile-workers
+++ b/docker/Dockerfile-workers
@ -71,6 +71,15 @@ FROM $FROM

    # Expose nginx listener port
    EXPOSE 8080/tcp
+    # Metrics for workers are on ports starting from 19091 but since these are dynamic
+    # we don't expose them by default (metrics must be enabled with
+    # SYNAPSE_ENABLE_METRICS=1)
+    #
+    # Instead, we expose a single port used for Prometheus HTTP service discovery
+    # (`http://<synapse_container>:9469/metrics/service_discovery`) and proxy all of the
+    # workers' metrics endpoints through that
+    # (`http://<synapse_container>:9469/metrics/worker/<worker_name>`).
+    EXPOSE 9469/tcp

    # A script to read environment variables and create the necessary
    # files to run the desired worker configuration. Will start supervisord.
--- a/docker/README-testing.md
+++ b/docker/README-testing.md
@ -135,3 +135,49 @@ but it does not serve TLS by default.
 You can configure `SYNAPSE_TLS_CERT` and `SYNAPSE_TLS_KEY` to point to a
 TLS certificate and key (respectively), both in PEM (textual) format.
 In this case, Nginx will additionally serve using HTTPS on port 8448.
+
+
+### Metrics
+
+Set `SYNAPSE_ENABLE_METRICS=1` to configure `enable_metrics: true` and setup the
+`metrics` listener on the main and worker processes. Defaults to `0` (disabled). The
+main process will listen on port `19090` and workers on port `19091 + <worker index>`.
+
+When using `docker/Dockerfile-workers`, to ease the complexity with the metrics setup,
+we also have a [Prometheus HTTP service
+discovery](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#http_sd_config)
+endpoint available at `http://<synapse_container>:9469/metrics/service_discovery`.
+
+The metrics from each worker can also be accessed via
+`http://<synapse_container>:9469/metrics/worker/<worker_name>` which is what the service
+discovery response points to behind the scenes. This way, you only need to expose a
+single port (9469) to access all metrics.
+
+```yaml
+global:
+  scrape_interval: 15s
+  scrape_timeout: 15s
+  evaluation_interval: 15s
+
+scrape_configs:
+  - job_name: synapse
+    scrape_interval: 15s
+    metrics_path: /_synapse/metrics
+    scheme: http
+    # We set `honor_labels` so that each service can set their own `job`/`instance` label
+    #
+    # > honor_labels controls how Prometheus handles conflicts between labels that are
+    # > already present in scraped data and labels that Prometheus would attach
+    # > server-side ("job" and "instance" labels, manually configured target
+    # > labels, and labels generated by service discovery implementations).
+    # >
+    # > *-- https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config*
+    honor_labels: true
+    # Use HTTP service discovery
+    #
+    # Reference:
+    #  - https://prometheus.io/docs/prometheus/latest/http_sd/
+    #  - https://prometheus.io/docs/prometheus/latest/configuration/configuration/#http_sd_config
+    http_sd_configs:
+      - url: 'http://localhost:9469/metrics/service_discovery'
+```
--- a/docker/README.md
+++ b/docker/README.md
@ -75,6 +75,9 @@ The following environment variables are supported in `generate` mode:
  particularly tricky.
 * `SYNAPSE_LOG_TESTING`: if set, Synapse will log additional information useful
  for testing.
+* `SYNAPSE_ENABLE_METRICS`: if set to `1`, the metrics listener will be enabled on the
+  main and worker processes. Defaults to `0` (disabled). The main process will listen on
+  port `19090` and workers on port `19091 + <worker index>`.

 ## Postgres

--- a/docker/complement/conf/workers-shared-extra.yaml.j2
+++ b/docker/complement/conf/workers-shared-extra.yaml.j2
@ -102,6 +102,10 @@ rc_room_creation:
  per_second: 9999
  burst_count: 9999

+rc_user_directory:
+  per_second: 9999
+  burst_count: 9999
+
 federation_rr_transactions_per_room_per_second: 9999

 allow_device_name_lookup_over_federation: true
--- a/docker/conf-workers/nginx.conf.j2
+++ b/docker/conf-workers/nginx.conf.j2
@ -48,3 +48,5 @@ server {
        proxy_set_header Host $host:$server_port;
    }
 }
+
+{{ nginx_prometheus_metrics_service_discovery }}
--- a/docker/conf-workers/shared.yaml.j2
+++ b/docker/conf-workers/shared.yaml.j2
@ -20,4 +20,9 @@ app_service_config_files:
 {%- endfor %}
 {%- endif %}

+{# Controlled by SYNAPSE_ENABLE_METRICS #}
+{% if enable_metrics %}
+enable_metrics: true
+{% endif %}
+
 {{ shared_worker_config }}
--- a/docker/conf-workers/worker.yaml.j2
+++ b/docker/conf-workers/worker.yaml.j2
@ -21,6 +21,14 @@ worker_listeners:
 {%- endfor %}
 {% endif %}

+{# Controlled by SYNAPSE_ENABLE_METRICS #}
+{% if metrics_port %}
+  - type: metrics
+    # Prometheus does not support Unix sockets so we don't bother with
+    # `SYNAPSE_USE_UNIX_SOCKET`, https://github.com/prometheus/prometheus/issues/12024
+    port: {{ metrics_port }}
+{% endif %}
+
 worker_log_config: {{ worker_log_config_filepath }}

 {{ worker_extra_conf }}
--- a/docker/conf/homeserver.yaml
+++ b/docker/conf/homeserver.yaml
@ -53,6 +53,15 @@ listeners:
      - names: [federation]
        compress: false

+{% if SYNAPSE_ENABLE_METRICS %}
+  - type: metrics
+    # The main process always uses the same port 19090
+    #
+    # Prometheus does not support Unix sockets so we don't bother with
+    # `SYNAPSE_USE_UNIX_SOCKET`, https://github.com/prometheus/prometheus/issues/12024
+    port: 19090
+{% endif %}
+
 ## Database ##

 {% if POSTGRES_PASSWORD %}
--- a/docker/configure_workers_and_start.py
+++ b/docker/configure_workers_and_start.py
@ -49,11 +49,16 @@
 #         regardless of the SYNAPSE_LOG_LEVEL setting.
 #   * SYNAPSE_LOG_TESTING: if set, Synapse will log additional information useful
 #     for testing.
+#   * SYNAPSE_USE_UNIX_SOCKET: TODO
+#   * `SYNAPSE_ENABLE_METRICS`: if set to `1`, the metrics listener will be enabled on the
+#      main and worker processes. Defaults to `0` (disabled). The main process will listen on
+#      port `19090` and workers on port `19091 + <worker index>`.
 #
 # NOTE: According to Complement's ENTRYPOINT expectations for a homeserver image (as defined
 # in the project's README), this script may be run multiple times, and functionality should
 # continue to work if so.

+import json
 import os
 import platform
 import re
@ -71,6 +76,7 @@ from typing import (
    SupportsIndex,
 )

+import attr
 import yaml
 from jinja2 import Environment, FileSystemLoader

@ -196,6 +202,7 @@ WORKERS_CONFIG: dict[str, dict[str, Any]] = {
            "^/_matrix/client/(api/v1|r0|v3|unstable)/keys/upload",
            "^/_matrix/client/(api/v1|r0|v3|unstable)/keys/device_signing/upload$",
            "^/_matrix/client/(api/v1|r0|v3|unstable)/keys/signatures/upload$",
+            "^/_matrix/client/unstable/org.matrix.msc4140/delayed_events(/.*/restart)?$",
        ],
        "shared_extra_conf": {},
        "worker_extra_conf": "",
@ -336,7 +343,7 @@ WORKERS_CONFIG: dict[str, dict[str, Any]] = {
 }

 # Templates for sections that may be inserted multiple times in config files
-NGINX_LOCATION_CONFIG_BLOCK = """
+NGINX_LOCATION_REGEX_CONFIG_BLOCK = """
    location ~* {endpoint} {{
        proxy_pass {upstream};
        proxy_set_header X-Forwarded-For $remote_addr;
@ -345,6 +352,25 @@ NGINX_LOCATION_CONFIG_BLOCK = """
    }}
 """

+# Having both **regex** (`NGINX_LOCATION_REGEX_CONFIG_BLOCK`) match vs **exact**
+# (`NGINX_LOCATION_EXACT_CONFIG_BLOCK`) match is necessary because we can't use a URI
+# path in `proxy_pass http://localhost:19090/_synapse/metrics` with the regex version.
+#
+# Example of what happens if you try to use `proxy_pass http://localhost:19090/_synapse/metrics`
+# with `NGINX_LOCATION_REGEX_CONFIG_BLOCK`:
+# ```
+# nginx | 2025/12/31 22:58:34 [emerg] 21#21: "proxy_pass" cannot have URI part in location given by regular expression, or inside named location, or inside "if" statement, or inside "limit_except" block in /etc/nginx/conf.d/matrix-synapse.conf:732
+# ```
+NGINX_LOCATION_EXACT_CONFIG_BLOCK = """
+    location = {endpoint} {{
+        proxy_pass {upstream};
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $host;
+    }}
+"""
+
+
 NGINX_UPSTREAM_CONFIG_BLOCK = """
 upstream {upstream_worker_base_name} {{
 {body}
@ -352,6 +378,63 @@ upstream {upstream_worker_base_name} {{
 """


+PROMETHEUS_METRICS_SERVICE_DISCOVERY_FILE_PATH = (
+    "/data/prometheus_service_discovery.json"
+)
+"""
+We serve this file with nginx so people can use it with `http_sd_config` in their
+Prometheus config.
+"""
+
+NGINX_HOST_PLACEHOLDER = "<HOST_PLACEHOLDER>"
+"""Will be replaced with the whatever hostname:port used to access the nginx metrics endpoint."""
+
+NGINX_PROMETHEUS_METRICS_SERVICE_DISCOVERY = """
+server {{
+    listen 9469;
+    location = /metrics/service_discovery {{
+        alias {service_discovery_file_path};
+        default_type application/json;
+
+        # Find/replace the host placeholder in the response body with the actual
+        # host used to access this endpoint.
+        #
+        # We want to reflect back whatever host the client used to access this file.
+        # For example, if they accessed it via `localhost:9469`, then they
+        # can also reach all of the proxied metrics endpoints at the same address.
+        # Or if it's Prometheus in another container, it will access this via
+        # `host.docker.internal:9469`, etc. Or perhaps it's even some randomly assigned
+        # port mapping.
+        sub_filter '{host_placeholder}' '$http_host';
+        # By default, `ngx_http_sub_module` only works on `text/html` responses. We want
+        # to find/replace in `application/JSON`.
+        sub_filter_types application/json;
+        # Replace all occurences
+        sub_filter_once off;
+    }}
+
+    # Make the service discovery endpoint easy to find; redirect to the correct spot.
+    location = / {{
+        return 302 /metrics/service_discovery;
+    }}
+
+    {metrics_proxy_locations}
+}}
+"""
+"""
+Setup the nginx config necessary to serve the JSON file for Prometheus HTTP service discovery
+(`http_sd_config`). Served at `/metrics/service_discovery`.
+
+Reference:
+ - https://prometheus.io/docs/prometheus/latest/http_sd/
+ - https://prometheus.io/docs/prometheus/latest/configuration/configuration/#http_sd_config
+
+We also proxy all of the Synapse metrics endpoints through a central place so that
+people only need to expose the single 9469 port and service discovery can take care of
+the rest: `/metrics/worker/<worker_name>` -> http://localhost:19090/_synapse/metrics
+"""
+
+
 # Utility functions
 def log(txt: str) -> None:
    print(txt)
@ -611,9 +694,42 @@ def generate_base_homeserver_config() -> None:
    subprocess.run([sys.executable, "/start.py", "migrate_config"], check=True)


+@attr.s(auto_attribs=True)
+class Worker:
+    worker_name: str
+    """
+    ex.
+    `event_persister:2` -> `event_persister1` and `event_persister2`
+    `stream_writers=account_data+presence+receipts+to_device+typing"` -> `stream_writers`
+    """
+
+    worker_base_name: str
+    """
+    ex.
+    `event_persister:2` -> `event_persister`
+    `stream_writers=account_data+presence+receipts+to_device+typing"` -> `stream_writers`
+    """
+
+    worker_index: int
+    """
+    The index of the worker starting from 1 for each worker type requested.
+
+    ex.
+    `event_persister:2` -> `1` and `2`
+    `stream_writers=account_data+presence+receipts+to_device+typing"` -> `1`
+    """
+
+    worker_types: set[str]
+    """
+    ex.
+    `event_persister:2` -> `{"event_persister"}`
+    `stream_writers=account_data+presence+receipts+to_device+typing"` -> `{"account_data", "presence", "receipts","to_device", "typing"}
+    """
+
+
 def parse_worker_types(
    requested_worker_types: list[str],
-) -> dict[str, set[str]]:
+) -> list[Worker]:
    """Read the desired list of requested workers and prepare the data for use in
        generating worker config files while also checking for potential gotchas.

@ -621,10 +737,7 @@ def parse_worker_types(
        requested_worker_types: The list formed from the split environment variable
            containing the unprocessed requests for workers.

-    Returns: A dict of worker names to set of worker types. Format:
-        {'worker_name':
-            {'worker_type', 'worker_type2'}
-        }
+    Returns: A list of requested workers
    """
    # A counter of worker_base_name -> int. Used for determining the name for a given
    # worker when generating its config file, as each worker's name is just
@ -635,8 +748,8 @@ def parse_worker_types(
    # more than a single worker for cases where multiples would be bad(e.g. presence).
    worker_type_shard_counter: dict[str, int] = defaultdict(int)

-    # The final result of all this processing
-    dict_to_return: dict[str, set[str]] = {}
+    # Map from worker name to `Worker`
+    worker_dict: dict[str, Worker] = {}

    # Handle any multipliers requested for given workers.
    multiple_processed_worker_types = apply_requested_multiplier_for_worker(
@ -722,24 +835,29 @@ def parse_worker_types(
        if worker_number > 1:
            # If this isn't the first worker, check that we don't have a confusing
            # mixture of worker types with the same base name.
-            first_worker_with_base_name = dict_to_return[f"{worker_base_name}1"]
-            if first_worker_with_base_name != worker_types_set:
+            first_worker_with_base_name = worker_dict[f"{worker_base_name}1"]
+            if first_worker_with_base_name.worker_types != worker_types_set:
                error(
                    f"Can not use worker_name: '{worker_name}' for worker_type(s): "
                    f"{worker_types_set!r}. It is already in use by "
-                    f"worker_type(s): {first_worker_with_base_name!r}"
+                    f"worker_type(s): {first_worker_with_base_name.worker_types!r}"
                )

-        dict_to_return[worker_name] = worker_types_set
+        worker_dict[worker_name] = Worker(
+            worker_name=worker_name,
+            worker_base_name=worker_base_name,
+            worker_index=worker_number,
+            worker_types=worker_types_set,
+        )

-    return dict_to_return
+    return list(worker_dict.values())


 def generate_worker_files(
    environ: Mapping[str, str],
    config_path: str,
    data_dir: str,
-    requested_worker_types: dict[str, set[str]],
+    requested_workers: list[Worker],
 ) -> None:
    """Read the desired workers(if any) that is passed in and generate shared
        homeserver, nginx and supervisord configs.
@ -749,14 +867,16 @@ def generate_worker_files(
        config_path: The location of the generated Synapse main worker config file.
        data_dir: The location of the synapse data directory. Where log and
            user-facing config files live.
-        requested_worker_types: A Dict containing requested workers in the format of
-            {'worker_name1': {'worker_type', ...}}
+        requested_workers: A list of requested workers
    """
    # Note that yaml cares about indentation, so care should be taken to insert lines
    # into files at the correct indentation below.

    # Convenience helper for if using unix sockets instead of host:port
    using_unix_sockets = environ.get("SYNAPSE_USE_UNIX_SOCKET", False)
+
+    enable_metrics = environ.get("SYNAPSE_ENABLE_METRICS", "0") == "1"
+
    # First read the original config file and extract the listeners block. Then we'll
    # add another listener for replication. Later we'll write out the result to the
    # shared config file.
@ -788,7 +908,11 @@ def generate_worker_files(
    # base shared worker jinja2 template. This config file will be passed to all
    # workers, included Synapse's main process. It is intended mainly for disabling
    # functionality when certain workers are spun up, and adding a replication listener.
-    shared_config: dict[str, Any] = {"listeners": listeners}
+    shared_config: dict[str, Any] = {
+        "listeners": listeners,
+        # Controls `enable_metrics: true`
+        "enable_metrics": enable_metrics,
+    }

    # List of dicts that describe workers.
    # We pass this to the Supervisor template later to generate the appropriate
@ -815,6 +939,8 @@ def generate_worker_files(

    # Start worker ports from this arbitrary port
    worker_port = 18009
+    # The main process metrics port is 19090, so start workers from 19091
+    worker_metrics_port = 19091

    # A list of internal endpoints to healthcheck, starting with the main process
    # which exists even if no workers do.
@ -831,7 +957,9 @@ def generate_worker_files(
        healthcheck_urls = ["http://localhost:8080/health"]

    # Get the set of all worker types that we have configured
-    all_worker_types_in_use = set(chain(*requested_worker_types.values()))
+    all_worker_types_in_use = set(
+        chain(*[worker.worker_types for worker in requested_workers])
+    )
    # Map locations to upstreams (corresponding to worker types) in Nginx
    # but only if we use the appropriate worker type
    for worker_type in all_worker_types_in_use:
@ -840,12 +968,13 @@ def generate_worker_files(

    # For each worker type specified by the user, create config values and write it's
    # yaml config file
-    for worker_name, worker_types_set in requested_worker_types.items():
+    worker_name_to_metrics_port_map: dict[str, int] = {}
+    for worker in requested_workers:
        # The collected and processed data will live here.
        worker_config: dict[str, Any] = {}

        # Merge all worker config templates for this worker into a single config
-        for worker_type in worker_types_set:
+        for worker_type in worker.worker_types:
            copy_of_template_config = WORKERS_CONFIG[worker_type].copy()

            # Merge worker type template configuration data. It's a combination of lists
@ -855,16 +984,27 @@ def generate_worker_files(
            )

        # Replace placeholder names in the config template with the actual worker name.
-        worker_config = insert_worker_name_for_worker_config(worker_config, worker_name)
-
-        worker_config.update(
-            {"name": worker_name, "port": str(worker_port), "config_path": config_path}
+        worker_config = insert_worker_name_for_worker_config(
+            worker_config, worker.worker_name
        )

-        # Update the shared config with any worker_type specific options. The first of a
-        # given worker_type needs to stay assigned and not be replaced.
-        worker_config["shared_extra_conf"].update(shared_config)
-        shared_config = worker_config["shared_extra_conf"]
+        worker_config.update(
+            {
+                "name": worker.worker_name,
+                "port": str(worker_port),
+                "config_path": config_path,
+            }
+        )
+
+        # Keep the `shared_config` up to date with the `shared_extra_conf` from each
+        # worker.
+        shared_config = {
+            **worker_config["shared_extra_conf"],
+            # We combine `shared_config` second to avoid overwriting existing keys just
+            # for sanity sake (always use the first worker).
+            **shared_config,
+        }
+
        if using_unix_sockets:
            healthcheck_urls.append(
                f"--unix-socket /run/worker.{worker_port} http://localhost/health"
@ -876,39 +1016,51 @@ def generate_worker_files(
        # the `events` stream. For other workers, the worker name is the same
        # name of the stream they write to, but for some reason it is not the
        # case for event_persister.
-        if "event_persister" in worker_types_set:
-            worker_types_set.add("events")
+        if "event_persister" in worker.worker_types:
+            worker.worker_types.add("events")

        # Update the shared config with sharding-related options if necessary
        add_worker_roles_to_shared_config(
-            shared_config, worker_types_set, worker_name, worker_port
+            shared_config, worker.worker_types, worker.worker_name, worker_port
        )

        # Enable the worker in supervisord
        worker_descriptors.append(worker_config)

        # Write out the worker's logging config file
-        log_config_filepath = generate_worker_log_config(environ, worker_name, data_dir)
+        log_config_filepath = generate_worker_log_config(
+            environ, worker.worker_name, data_dir
+        )
+
+        worker_name_to_metrics_port_map[worker.worker_name] = worker_metrics_port
+        if enable_metrics:
+            # Enable prometheus metrics endpoint on this worker
+            worker_config["metrics_port"] = worker_metrics_port
+
+        if enable_metrics:
+            # Enable prometheus metrics endpoint on this worker
+            worker_config["metrics_port"] = worker_metrics_port

        # Then a worker config file
        convert(
            "/conf/worker.yaml.j2",
-            f"/conf/workers/{worker_name}.yaml",
+            f"/conf/workers/{worker.worker_name}.yaml",
            **worker_config,
            worker_log_config_filepath=log_config_filepath,
            using_unix_sockets=using_unix_sockets,
        )

        # Save this worker's port number to the correct nginx upstreams
-        for worker_type in worker_types_set:
+        for worker_type in worker.worker_types:
            nginx_upstreams.setdefault(worker_type, set()).add(worker_port)

        worker_port += 1
+        worker_metrics_port += 1

    # Build the nginx location config blocks
    nginx_location_config = ""
    for endpoint, upstream in nginx_locations.items():
-        nginx_location_config += NGINX_LOCATION_CONFIG_BLOCK.format(
+        nginx_location_config += NGINX_LOCATION_REGEX_CONFIG_BLOCK.format(
            endpoint=endpoint,
            upstream=upstream,
        )
@ -931,6 +1083,111 @@ def generate_worker_files(
            body=body,
        )

+    # Provide a Prometheus metrics service discovery endpoint to easily be able to pick
+    # up all of the workers
+    nginx_prometheus_metrics_service_discovery = ""
+    if enable_metrics:
+        # Write JSON file for Prometheus service discovery pointing to all of the
+        # workers. We serve this file with nginx so people can use it with
+        # `http_sd_config` in their Prometheus config.
+        #
+        # > It fetches targets from an HTTP endpoint containing a list of zero or more
+        # > `<static_config>`s. The target must reply with an HTTP 200 response. The HTTP
+        # > header `Content-Type` must be `application/json`, and the body must be valid
+        # > JSON.
+        # >
+        # > *-- https://prometheus.io/docs/prometheus/latest/configuration/configuration/#http_sd_config*
+        #
+        # Another reference: https://prometheus.io/docs/prometheus/latest/http_sd/
+        prometheus_http_service_discovery_content = [
+            {
+                "targets": [NGINX_HOST_PLACEHOLDER],
+                "labels": {
+                    # The downstream user should also configure `honor_labels: true` in
+                    # their Prometheus config to prevent Prometheus from overwriting the
+                    # `job` labels.
+                    #
+                    # > honor_labels controls how Prometheus handles conflicts between labels that are
+                    # > already present in scraped data and labels that Prometheus would attach
+                    # > server-side ("job" and "instance" labels, manually configured target
+                    # > labels, and labels generated by service discovery implementations).
+                    # >
+                    # > *-- https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config*
+                    #
+                    # Reference:
+                    # - https://prometheus.io/docs/concepts/jobs_instances/
+                    # - https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config
+                    "job": worker.worker_base_name,
+                    "index": f"{worker.worker_index}",
+                    # This allows us to change the `metrics_path` on a per-target basis.
+                    # We want to grab the metrics from our nginx proxied location (setup
+                    # below).
+                    #
+                    # While there doesn't seem to be official docs on these special
+                    # labels (`__metrics_path__`, `__scheme__`, `__scrape_interval__`,
+                    # `__scrape_timeout__`), this discussion best summarizes how this
+                    # works: https://github.com/prometheus/prometheus/discussions/13217
+                    "__metrics_path__": f"/metrics/worker/{worker.worker_name}",
+                },
+            }
+            for worker in requested_workers
+        ]
+        # Add the main Synapse process as well
+        prometheus_http_service_discovery_content.append(
+            {
+                "targets": [NGINX_HOST_PLACEHOLDER],
+                "labels": {
+                    # We use `"synapse"` as the job name for the main process because it
+                    # matches what we expect people to use from a monolith setup with
+                    # their static scrape config. It's `job` name used in our Grafana
+                    # dashboard for the main process.
+                    "job": "synapse",
+                    "index": "1",
+                    "__metrics_path__": "/metrics/worker/main",
+                },
+            }
+        )
+
+        # Check to make sure the file doesn't already exist
+        if os.path.isfile(PROMETHEUS_METRICS_SERVICE_DISCOVERY_FILE_PATH):
+            error(
+                f"Prometheus service discovery file "
+                f"'{PROMETHEUS_METRICS_SERVICE_DISCOVERY_FILE_PATH}' already exists (unexpected)! "
+                f"This is a problem because the existing file probably doesn't match the "
+                "Synapse workers we're setting up now."
+            )
+
+        # Write the file
+        with open(PROMETHEUS_METRICS_SERVICE_DISCOVERY_FILE_PATH, "w") as outfile:
+            outfile.write(
+                json.dumps(prometheus_http_service_discovery_content, indent=4)
+            )
+
+        # Proxy all of the Synapse metrics endpoints through a central place so that
+        # people only need to expose the single 9469 port and service discovery can take
+        # care of the rest: `/metrics/worker/<worker_name>` ->
+        # http://localhost:19090/_synapse/metrics
+        #
+        # Build the nginx location config blocks
+        metrics_proxy_locations = ""
+        for worker in requested_workers:
+            metrics_proxy_locations += NGINX_LOCATION_EXACT_CONFIG_BLOCK.format(
+                endpoint=f"/metrics/worker/{worker.worker_name}",
+                upstream=f"http://localhost:{worker_name_to_metrics_port_map[worker.worker_name]}/_synapse/metrics",
+            )
+        # Add the main Synapse process as well
+        metrics_proxy_locations += NGINX_LOCATION_EXACT_CONFIG_BLOCK.format(
+            endpoint="/metrics/worker/main",
+            upstream="http://localhost:19090/_synapse/metrics",
+        )
+
+        # Add a nginx server/location to serve the JSON file
+        nginx_prometheus_metrics_service_discovery = NGINX_PROMETHEUS_METRICS_SERVICE_DISCOVERY.format(
+            service_discovery_file_path=PROMETHEUS_METRICS_SERVICE_DISCOVERY_FILE_PATH,
+            host_placeholder=NGINX_HOST_PLACEHOLDER,
+            metrics_proxy_locations=metrics_proxy_locations,
+        )
+
    # Finally, we'll write out the config files.

    # log config for the master process
@ -948,7 +1205,7 @@ def generate_worker_files(
            if reg_path.suffix.lower() in (".yaml", ".yml")
        ]

-    workers_in_use = len(requested_worker_types) > 0
+    workers_in_use = len(requested_workers) > 0

    # If there are workers, add the main process to the instance_map too.
    if workers_in_use:
@ -983,6 +1240,7 @@ def generate_worker_files(
        tls_cert_path=os.environ.get("SYNAPSE_TLS_CERT"),
        tls_key_path=os.environ.get("SYNAPSE_TLS_KEY"),
        using_unix_sockets=using_unix_sockets,
+        nginx_prometheus_metrics_service_discovery=nginx_prometheus_metrics_service_discovery,
    )

    # Supervisord config
@ -1083,15 +1341,20 @@ def main(args: list[str], environ: MutableMapping[str, str]) -> None:
        if not worker_types_env:
            # No workers, just the main process
            worker_types = []
-            requested_worker_types: dict[str, Any] = {}
+            requested_workers: list[Worker] = []
        else:
            # Split type names by comma, ignoring whitespace.
            worker_types = split_and_strip_string(worker_types_env, ",")
-            requested_worker_types = parse_worker_types(worker_types)
+            requested_workers = parse_worker_types(worker_types)

        # Always regenerate all other config files
        log("Generating worker config files")
-        generate_worker_files(environ, config_path, data_dir, requested_worker_types)
+        generate_worker_files(
+            environ=environ,
+            config_path=config_path,
+            data_dir=data_dir,
+            requested_workers=requested_workers,
+        )

        # Mark workers as being configured
        with open(mark_filepath, "w") as f:
--- a/docker/start.py
+++ b/docker/start.py
@ -31,6 +31,25 @@ def flush_buffers() -> None:
    sys.stderr.flush()


+def strtobool(val: str) -> bool:
+    """Convert a string representation of truth to True or False
+
+    True values are 'y', 'yes', 't', 'true', 'on', and '1'; false values
+    are 'n', 'no', 'f', 'false', 'off', and '0'.  Raises ValueError if
+    'val' is anything else.
+
+    This is lifted from distutils.util.strtobool, with the exception that it actually
+    returns a bool, rather than an int.
+    """
+    val = val.lower()
+    if val in ("y", "yes", "t", "true", "on", "1"):
+        return True
+    elif val in ("n", "no", "f", "false", "off", "0"):
+        return False
+    else:
+        raise ValueError("invalid truth value %r" % (val,))
+
+
 def convert(src: str, dst: str, environ: Mapping[str, object]) -> None:
    """Generate a file from a template

@ -98,19 +117,16 @@ def generate_config_from_template(
        os.mkdir(config_dir)

    # Convert SYNAPSE_NO_TLS to boolean if exists
-    if "SYNAPSE_NO_TLS" in environ:
-        tlsanswerstring = str.lower(environ["SYNAPSE_NO_TLS"])
-        if tlsanswerstring in ("true", "on", "1", "yes"):
-            environ["SYNAPSE_NO_TLS"] = True
-        else:
-            if tlsanswerstring in ("false", "off", "0", "no"):
-                environ["SYNAPSE_NO_TLS"] = False
-            else:
-                error(
-                    'Environment variable "SYNAPSE_NO_TLS" found but value "'
-                    + tlsanswerstring
-                    + '" unrecognized; exiting.'
-                )
+    tlsanswerstring = environ.get("SYNAPSE_NO_TLS")
+    if tlsanswerstring is not None:
+        try:
+            environ["SYNAPSE_NO_TLS"] = strtobool(tlsanswerstring)
+        except ValueError:
+            error(
+                'Environment variable "SYNAPSE_NO_TLS" found but value "'
+                + tlsanswerstring
+                + '" unrecognized; exiting.'
+            )

    if "SYNAPSE_LOG_CONFIG" not in environ:
        environ["SYNAPSE_LOG_CONFIG"] = config_dir + "/log.config"
@ -164,6 +180,18 @@ def run_generate_config(environ: Mapping[str, str], ownership: str | None) -> No
    config_dir = environ.get("SYNAPSE_CONFIG_DIR", "/data")
    config_path = environ.get("SYNAPSE_CONFIG_PATH", config_dir + "/homeserver.yaml")
    data_dir = environ.get("SYNAPSE_DATA_DIR", "/data")
+    enable_metrics_raw = environ.get("SYNAPSE_ENABLE_METRICS", "0")
+
+    enable_metrics = False
+    if enable_metrics_raw is not None:
+        try:
+            enable_metrics = strtobool(enable_metrics_raw)
+        except ValueError:
+            error(
+                'Environment variable "SYNAPSE_ENABLE_METRICS" found but value "'
+                + enable_metrics_raw
+                + '" unrecognized; exiting.'
+            )

    # create a suitable log config from our template
    log_config_file = "%s/%s.log.config" % (config_dir, server_name)
@ -190,6 +218,9 @@ def run_generate_config(environ: Mapping[str, str], ownership: str | None) -> No
        "--open-private-ports",
    ]

+    if enable_metrics:
+        args.append("--enable-metrics")
+
    if ownership is not None:
        # make sure that synapse has perms to write to the data dir.
        log(f"Setting ownership on {data_dir} to {ownership}")
--- a/docs/.htmltest.yml
+++ b/docs/.htmltest.yml
@ -0,0 +1,5 @@
+# Configuration for htmltest, which we run in CI to check that links aren't broken in the built documentation.
+# See all config options: https://github.com/wjdp/htmltest#wrench-configuration
+
+# Don't check external links, as that requires network access and is slow.
+CheckExternal: false
--- a/docs/SUMMARY.md
+++ b/docs/SUMMARY.md
@ -5,6 +5,7 @@

 # Setup
  - [Installation](setup/installation.md)
+  - [Security](setup/security.md)
  - [Using Postgres](postgres.md)
  - [Configuring a Reverse Proxy](reverse_proxy.md)
  - [Configuring a Forward/Outbound Proxy](setup/forward_proxy.md)
--- a/docs/admin_api/media_admin_api.md
+++ b/docs/admin_api/media_admin_api.md
@ -88,6 +88,20 @@ is quarantined, Synapse will:
 - Quarantine any existing cached remote media.
 - Quarantine any future remote media.

+## Downloading quarantined media
+
+Normally, when media is quarantined, it will return a 404 error when downloaded.
+Admins can bypass this by adding `?admin_unsafely_bypass_quarantine=true`
+to the [normal download URL](https://spec.matrix.org/v1.16/client-server-api/#get_matrixclientv1mediadownloadservernamemediaid).
+
+Bypassing the quarantine check is not recommended. Media is typically quarantined
+to prevent harmful content from being served to users, which includes admins. Only
+set the bypass parameter if you intentionally want to access potentially harmful
+content.
+
+Non-admin users cannot bypass quarantine checks, even when specifying the above
+query parameter.
+
 ## Quarantining media by ID

 This API quarantines a single piece of local or remote media.
--- a/docs/admin_api/scheduled_tasks.md
+++ b/docs/admin_api/scheduled_tasks.md
@ -36,9 +36,10 @@ It returns a JSON body like the following:
    - "scheduled" - Task is scheduled but not active
    - "active" - Task is active and probably running, and if not will be run on next scheduler loop run
    - "complete" - Task has completed successfully
+    - "cancelled" - Task has been cancelled
    - "failed" - Task is over and either returned a failed status, or had an exception

-* `max_timestamp`: int - Is optional. Returns only the scheduled tasks with a timestamp inferior to the specified one.
+* `max_timestamp`: int - Is optional. Returns only the scheduled tasks with a timestamp (in milliseconds since the unix epoch) inferior to the specified one.

 **Response**

--- a/docs/admin_api/user_admin_api.md
+++ b/docs/admin_api/user_admin_api.md
@ -505,6 +505,55 @@ with a body of:
 }
 ```

+## List room memberships of a user
+
+Gets a list of room memberships for a specific `user_id`. This
+endpoint differs from
+[`GET /_synapse/admin/v1/users/<user_id>/joined_rooms`](#list-joined-rooms-of-a-user)
+in that it returns rooms with memberships other than "join".
+
+The API is:
+
+```
+GET /_synapse/admin/v1/users/<user_id>/memberships
+```
+
+A response body like the following is returned:
+
+```json
+    {
+        "memberships": {
+            "!DuGcnbhHGaSZQoNQR:matrix.org": "join",
+            "!ZtSaPCawyWtxfWiIy:matrix.org": "leave",
+        }
+    }
+```
+
+which is a list of room membership states for the given user. This endpoint can
+be used with both local and remote users, with the caveat that the homeserver will
+only be aware of the memberships for rooms that one of its local users has joined.
+
+Remote user memberships may also be out of date if all local users have since left
+a room. The homeserver will thus no longer receive membership updates about it.
+
+The list includes rooms that the user has since left; other membership states (knock,
+invite, etc.) are also possible.
+
+Note that rooms will only disappear from this list if they are
+[purged](./rooms.md#delete-room-api) from the homeserver.
+
+**Parameters**
+
+The following parameters should be set in the URL:
+
+- `user_id` - fully qualified: for example, `@user:server.com`.
+
+**Response**
+
+The following fields are returned in the JSON response body:
+
+- `memberships` - A map of `room_id` (string) to `membership` state (string).
+
 ## List joined rooms of a user

 Gets a list of all `room_id` that a specific `user_id` is joined to and is a member of (participating in).
--- a/docs/metrics-howto.md
+++ b/docs/metrics-howto.md
@ -123,193 +123,21 @@ Example Prometheus target for Synapse with workers:
    static_configs:
      - targets: ["my.server.here:port"]
        labels:
-          instance: "my.server"
          job: "master"
          index: 1
      - targets: ["my.workerserver.here:port"]
        labels:
-          instance: "my.server"
          job: "generic_worker"
          index: 1
      - targets: ["my.workerserver.here:port"]
        labels:
-          instance: "my.server"
          job: "generic_worker"
          index: 2
      - targets: ["my.workerserver.here:port"]
        labels:
-          instance: "my.server"
          job: "media_repository"
          index: 1
 ```

-Labels (`instance`, `job`, `index`) can be defined as anything.
+Labels (`job`, `index`) can be defined as anything.
 The labels are used to group graphs in grafana.
-
-## Renaming of metrics & deprecation of old names in 1.2
-
-Synapse 1.2 updates the Prometheus metrics to match the naming
-convention of the upstream `prometheus_client`. The old names are
-considered deprecated and will be removed in a future version of
-Synapse.
-**The old names will be disabled by default in Synapse v1.71.0 and removed
-altogether in Synapse v1.73.0.**
-
-| New Name                                                                     | Old Name                                                               |
-| ---------------------------------------------------------------------------- | ---------------------------------------------------------------------- |
-| python_gc_objects_collected_total                                            | python_gc_objects_collected                                            |
-| python_gc_objects_uncollectable_total                                        | python_gc_objects_uncollectable                                        |
-| python_gc_collections_total                                                  | python_gc_collections                                                  |
-| process_cpu_seconds_total                                                    | process_cpu_seconds                                                    |
-| synapse_federation_client_sent_transactions_total                            | synapse_federation_client_sent_transactions                            |
-| synapse_federation_client_events_processed_total                             | synapse_federation_client_events_processed                             |
-| synapse_event_processing_loop_count_total                                    | synapse_event_processing_loop_count                                    |
-| synapse_event_processing_loop_room_count_total                               | synapse_event_processing_loop_room_count                               |
-| synapse_util_caches_cache_hits                                               | synapse_util_caches_cache:hits                                         |
-| synapse_util_caches_cache_size                                               | synapse_util_caches_cache:size                                         |
-| synapse_util_caches_cache_evicted_size                                       | synapse_util_caches_cache:evicted_size                                 |
-| synapse_util_caches_cache                                                    | synapse_util_caches_cache:total                                        |
-| synapse_util_caches_response_cache_size                                      | synapse_util_caches_response_cache:size                                |
-| synapse_util_caches_response_cache_hits                                      | synapse_util_caches_response_cache:hits                                |
-| synapse_util_caches_response_cache_evicted_size                              | synapse_util_caches_response_cache:evicted_size                        |
-| synapse_util_metrics_block_count_total                                       | synapse_util_metrics_block_count                                       |
-| synapse_util_metrics_block_time_seconds_total                                | synapse_util_metrics_block_time_seconds                                |
-| synapse_util_metrics_block_ru_utime_seconds_total                            | synapse_util_metrics_block_ru_utime_seconds                            |
-| synapse_util_metrics_block_ru_stime_seconds_total                            | synapse_util_metrics_block_ru_stime_seconds                            |
-| synapse_util_metrics_block_db_txn_count_total                                | synapse_util_metrics_block_db_txn_count                                |
-| synapse_util_metrics_block_db_txn_duration_seconds_total                     | synapse_util_metrics_block_db_txn_duration_seconds                     |
-| synapse_util_metrics_block_db_sched_duration_seconds_total                   | synapse_util_metrics_block_db_sched_duration_seconds                   |
-| synapse_background_process_start_count_total                                 | synapse_background_process_start_count                                 |
-| synapse_background_process_ru_utime_seconds_total                            | synapse_background_process_ru_utime_seconds                            |
-| synapse_background_process_ru_stime_seconds_total                            | synapse_background_process_ru_stime_seconds                            |
-| synapse_background_process_db_txn_count_total                                | synapse_background_process_db_txn_count                                |
-| synapse_background_process_db_txn_duration_seconds_total                     | synapse_background_process_db_txn_duration_seconds                     |
-| synapse_background_process_db_sched_duration_seconds_total                   | synapse_background_process_db_sched_duration_seconds                   |
-| synapse_storage_events_persisted_events_total                                | synapse_storage_events_persisted_events                                |
-| synapse_storage_events_persisted_events_sep_total                            | synapse_storage_events_persisted_events_sep                            |
-| synapse_storage_events_state_delta_total                                     | synapse_storage_events_state_delta                                     |
-| synapse_storage_events_state_delta_single_event_total                        | synapse_storage_events_state_delta_single_event                        |
-| synapse_storage_events_state_delta_reuse_delta_total                         | synapse_storage_events_state_delta_reuse_delta                         |
-| synapse_federation_server_received_pdus_total                                | synapse_federation_server_received_pdus                                |
-| synapse_federation_server_received_edus_total                                | synapse_federation_server_received_edus                                |
-| synapse_handler_presence_notified_presence_total                             | synapse_handler_presence_notified_presence                             |
-| synapse_handler_presence_federation_presence_out_total                       | synapse_handler_presence_federation_presence_out                       |
-| synapse_handler_presence_presence_updates_total                              | synapse_handler_presence_presence_updates                              |
-| synapse_handler_presence_timers_fired_total                                  | synapse_handler_presence_timers_fired                                  |
-| synapse_handler_presence_federation_presence_total                           | synapse_handler_presence_federation_presence                           |
-| synapse_handler_presence_bump_active_time_total                              | synapse_handler_presence_bump_active_time                              |
-| synapse_federation_client_sent_edus_total                                    | synapse_federation_client_sent_edus                                    |
-| synapse_federation_client_sent_pdu_destinations_count_total                  | synapse_federation_client_sent_pdu_destinations:count                  |
-| synapse_federation_client_sent_pdu_destinations_total                        | synapse_federation_client_sent_pdu_destinations:total                  |
-| synapse_handlers_appservice_events_processed_total                           | synapse_handlers_appservice_events_processed                           |
-| synapse_notifier_notified_events_total                                       | synapse_notifier_notified_events                                       |
-| synapse_push_bulk_push_rule_evaluator_push_rules_invalidation_counter_total  | synapse_push_bulk_push_rule_evaluator_push_rules_invalidation_counter  |
-| synapse_push_bulk_push_rule_evaluator_push_rules_state_size_counter_total    | synapse_push_bulk_push_rule_evaluator_push_rules_state_size_counter    |
-| synapse_http_httppusher_http_pushes_processed_total                          | synapse_http_httppusher_http_pushes_processed                          |
-| synapse_http_httppusher_http_pushes_failed_total                             | synapse_http_httppusher_http_pushes_failed                             |
-| synapse_http_httppusher_badge_updates_processed_total                        | synapse_http_httppusher_badge_updates_processed                        |
-| synapse_http_httppusher_badge_updates_failed_total                           | synapse_http_httppusher_badge_updates_failed                           |
-| synapse_admin_mau_current                                                    | synapse_admin_mau:current                                              |
-| synapse_admin_mau_max                                                        | synapse_admin_mau:max                                                  |
-| synapse_admin_mau_registered_reserved_users                                  | synapse_admin_mau:registered_reserved_users                            |
-
-Removal of deprecated metrics & time based counters becoming histograms in 0.31.0
---------------------------------------------------------------------------------
-
-The duplicated metrics deprecated in Synapse 0.27.0 have been removed.
-
-All time duration-based metrics have been changed to be seconds. This
-affects:
-
-| msec -> sec metrics                    |
-| -------------------------------------- |
-| python_gc_time                         |
-| python_twisted_reactor_tick_time       |
-| synapse_storage_query_time             |
-| synapse_storage_schedule_time          |
-| synapse_storage_transaction_time       |
-
-Several metrics have been changed to be histograms, which sort entries
-into buckets and allow better analysis. The following metrics are now
-histograms:
-
-| Altered metrics                                  |
-| ------------------------------------------------ |
-| python_gc_time                                   |
-| python_twisted_reactor_pending_calls             |
-| python_twisted_reactor_tick_time                 |
-| synapse_http_server_response_time_seconds        |
-| synapse_storage_query_time                       |
-| synapse_storage_schedule_time                    |
-| synapse_storage_transaction_time                 |
-
-Block and response metrics renamed for 0.27.0
---------------------------------------------
-
-Synapse 0.27.0 begins the process of rationalising the duplicate
-`*:count` metrics reported for the resource tracking for code blocks and
-HTTP requests.
-
-At the same time, the corresponding `*:total` metrics are being renamed,
-as the `:total` suffix no longer makes sense in the absence of a
-corresponding `:count` metric.
-
-To enable a graceful migration path, this release just adds new names
-for the metrics being renamed. A future release will remove the old
-ones.
-
-The following table shows the new metrics, and the old metrics which
-they are replacing.
-
-| New name                                                      | Old name                                                   |
-| ------------------------------------------------------------- | ---------------------------------------------------------- |
-| synapse_util_metrics_block_count                              | synapse_util_metrics_block_timer:count                     |
-| synapse_util_metrics_block_count                              | synapse_util_metrics_block_ru_utime:count                  |
-| synapse_util_metrics_block_count                              | synapse_util_metrics_block_ru_stime:count                  |
-| synapse_util_metrics_block_count                              | synapse_util_metrics_block_db_txn_count:count              |
-| synapse_util_metrics_block_count                              | synapse_util_metrics_block_db_txn_duration:count           |
-| synapse_util_metrics_block_time_seconds                       | synapse_util_metrics_block_timer:total                     |
-| synapse_util_metrics_block_ru_utime_seconds                   | synapse_util_metrics_block_ru_utime:total                  |
-| synapse_util_metrics_block_ru_stime_seconds                   | synapse_util_metrics_block_ru_stime:total                  |
-| synapse_util_metrics_block_db_txn_count                       | synapse_util_metrics_block_db_txn_count:total              |
-| synapse_util_metrics_block_db_txn_duration_seconds            | synapse_util_metrics_block_db_txn_duration:total           |
-| synapse_http_server_response_count                            | synapse_http_server_requests                               |
-| synapse_http_server_response_count                            | synapse_http_server_response_time:count                    |
-| synapse_http_server_response_count                            | synapse_http_server_response_ru_utime:count                |
-| synapse_http_server_response_count                            | synapse_http_server_response_ru_stime:count                |
-| synapse_http_server_response_count                            | synapse_http_server_response_db_txn_count:count            |
-| synapse_http_server_response_count                            | synapse_http_server_response_db_txn_duration:count         |
-| synapse_http_server_response_time_seconds                     | synapse_http_server_response_time:total                    |
-| synapse_http_server_response_ru_utime_seconds                 | synapse_http_server_response_ru_utime:total                |
-| synapse_http_server_response_ru_stime_seconds                 | synapse_http_server_response_ru_stime:total                |
-| synapse_http_server_response_db_txn_count                     | synapse_http_server_response_db_txn_count:total            |
-| synapse_http_server_response_db_txn_duration_seconds          | synapse_http_server_response_db_txn_duration:total         |
-
-Standard Metric Names
---------------------
-
-As of synapse version 0.18.2, the format of the process-wide metrics has
-been changed to fit prometheus standard naming conventions. Additionally
-the units have been changed to seconds, from milliseconds.
-
-| New name                                 | Old name                          |
-| ---------------------------------------- | --------------------------------- |
-| process_cpu_user_seconds_total           | process_resource_utime / 1000     |
-| process_cpu_system_seconds_total         | process_resource_stime / 1000     |
-| process_open_fds (no \'type\' label)     | process_fds                       |
-
-The python-specific counts of garbage collector performance have been
-renamed.
-
-| New name                         | Old name                   |
-| -------------------------------- | -------------------------- |
-| python_gc_time                   | reactor_gc_time            |
-| python_gc_unreachable_total      | reactor_gc_unreachable     |
-| python_gc_counts                 | reactor_gc_counts          |
-
-The twisted-specific reactor metrics have been renamed.
-
-| New name                               | Old name                |
-| -------------------------------------- | ----------------------- |
-| python_twisted_reactor_pending_calls   | reactor_pending_calls   |
-| python_twisted_reactor_tick_time       | reactor_tick_time       |
--- a/docs/openid.md
+++ b/docs/openid.md
@ -50,6 +50,11 @@ setting in your configuration file.
 See the [configuration manual](usage/configuration/config_documentation.md#oidc_providers) for some sample settings, as well as
 the text below for example configurations for specific providers.

+For setups using [`.well-known` delegation](delegate.md), make sure
+[`public_baseurl`](usage/configuration/config_documentation.md#public_baseurl) is set
+appropriately. If unset, Synapse defaults to `https://<server_name>/` which is used in
+the OIDC callback URL.
+
 ## OIDC Back-Channel Logout

 Synapse supports receiving [OpenID Connect Back-Channel Logout](https://openid.net/specs/openid-connect-backchannel-1_0.html) notifications.
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@ -24,14 +24,18 @@
 server_name: "SERVERNAME"
 pid_file: DATADIR/homeserver.pid
 listeners:
-  - port: 8008
+  - bind_addresses:
+    - ::1
+    - 127.0.0.1
+    port: 8008
+    resources:
+    - compress: false
+      names:
+      - client
+      - federation
    tls: false
    type: http
    x_forwarded: true
-    bind_addresses: ['::1', '127.0.0.1']
-    resources:
-      - names: [client, federation]
-        compress: false
 database:
  name: sqlite3
  args:
--- a/docs/setup/installation.md
+++ b/docs/setup/installation.md
@ -16,8 +16,15 @@ that your email address is probably `user@example.com` rather than
 `user@email.example.com`) - but doing so may require more advanced setup: see
 [Setting up Federation](../federate.md).

+⚠️ Before setting up Synapse please consult the [security page](security.md) for
+best practices. ⚠️
+
 ## Installing Synapse

+Note: Synapse uses a number of platform dependencies such as Python and PostgreSQL,
+and aims to follow supported upstream versions. See the [deprecation
+policy](../deprecation_policy.md) for more details.
+
 ### Prebuilt packages

 Prebuilt packages are available for a number of platforms. These are recommended
--- a/docs/setup/security.md
+++ b/docs/setup/security.md
@ -0,0 +1,41 @@
+# Security
+
+This page lays out security best-practices when running Synapse.
+
+If you believe you have encountered a security issue, see our [Security
+Disclosure Policy](https://element.io/en/security/security-disclosure-policy).
+
+## Content repository
+
+Matrix serves raw, user-supplied data in some APIs — specifically the [content
+repository endpoints](https://matrix.org/docs/spec/client_server/latest.html#get-matrix-media-r0-download-servername-mediaid).
+
+Whilst we make a reasonable effort to mitigate against XSS attacks (for
+instance, by using [CSP](https://github.com/matrix-org/synapse/pull/1021)), a
+Matrix homeserver should not be hosted on a domain hosting other web
+applications. This especially applies to sharing the domain with Matrix web
+clients and other sensitive applications like webmail. See
+https://developer.github.com/changes/2014-04-25-user-content-security for more
+information.
+
+Ideally, the homeserver should not simply be on a different subdomain, but on a
+completely different [registered
+domain](https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-2.3)
+(also known as top-level site or eTLD+1). This is because [some
+attacks](https://en.wikipedia.org/wiki/Session_fixation#Attacks_using_cross-subdomain_cookie)
+are still possible as long as the two applications share the same registered
+domain.
+
+
+To illustrate this with an example, if your Element Web or other sensitive web
+application is hosted on `A.example1.com`, you should ideally host Synapse on
+`example2.com`. Some amount of protection is offered by hosting on
+`B.example1.com` instead, so this is also acceptable in some scenarios.
+However, you should *not* host your Synapse on `A.example1.com`.
+
+Note that all of the above refers exclusively to the domain used in Synapse's
+`public_baseurl` setting. In particular, it has no bearing on the domain
+mentioned in MXIDs hosted on that server.
+
+Following this advice ensures that even if an XSS is found in Synapse, the
+impact to other applications will be minimal.
--- a/docs/upgrade.md
+++ b/docs/upgrade.md
@ -117,6 +117,41 @@ each upgrade are complete before moving on to the next upgrade, to avoid
 stacking them up. You can monitor the currently running background updates with
 [the Admin API](usage/administration/admin_api/background_updates.html#status).

+# Upgrading to v1.146.0
+
+## Drop support for Ubuntu 25.04 Plucky Puffin, and add support for 25.10 Questing Quokka
+
+Ubuntu 25.04 Plucky Puffin [is end-of-life as of 17 Jan
+2026](https://endoflife.date/ubuntu). This release drops support for Ubuntu
+25.04, and in its place adds support for Ubuntu 25.10 Questing Quokka.
+
+## Removal of MSC2697 (Legacy) Dehydrated devices
+
+The endpoints for
+[MSC2697](https://github.com/matrix-org/matrix-spec-proposals/pull/2697) have now
+been removed, since the MSC is closed. Developers who rely on this feature should
+migrate to [MSC3814](https://github.com/matrix-org/matrix-spec-proposals/pull/3814)
+which introduces support for a newer version of dehydrated devices.
+
+# Upgrading to v1.144.0
+
+## Worker support for unstable MSC4140 `/restart` endpoint
+
+The following unstable endpoint pattern may now be routed to worker processes:
+
+```
+^/_matrix/client/unstable/org.matrix.msc4140/delayed_events/.*/restart$
+```
+
+## Unstable mutual rooms endpoint is now behind an experimental feature flag
+
+The unstable mutual rooms endpoint from
+[MSC2666](https://github.com/matrix-org/matrix-spec-proposals/pull/2666)
+(`/_matrix/client/unstable/uk.half-shot.msc2666/user/mutual_rooms`) is now
+disabled by default.  If you rely on this unstable endpoint, you must now set
+`experimental_features.msc2666_enabled: true` in your configuration to keep
+using it.
+
 # Upgrading to v1.143.0

 ## Dropping support for PostgreSQL 13
@ -809,7 +844,7 @@ the names of Prometheus metrics.
 If you want to test your changes before legacy names are disabled by default,
 you may specify `enable_legacy_metrics: false` in your homeserver configuration.

-A list of affected metrics is available on the [Metrics How-to page](https://element-hq.github.io/synapse/v1.69/metrics-howto.html?highlight=metrics%20deprecated#renaming-of-metrics--deprecation-of-old-names-in-12).
+A list of affected metrics is available on the [Metrics How-to page](https://element-hq.github.io/synapse/v1.69/metrics-howto.html#renaming-of-metrics--deprecation-of-old-names-in-12).


 ## Deprecation of the `generate_short_term_login_token` module API method
@ -2404,7 +2439,7 @@ back to v1.3.1, subject to the following:

 Some counter metrics have been renamed, with the old names deprecated.
 See [the metrics
-documentation](metrics-howto.md#renaming-of-metrics--deprecation-of-old-names-in-12)
+documentation](https://element-hq.github.io/synapse/v1.69/metrics-howto.html#renaming-of-metrics--deprecation-of-old-names-in-12)
 for details.

 # Upgrading to v1.1.0
--- a/docs/usage/configuration/config_documentation.md
+++ b/docs/usage/configuration/config_documentation.md
@ -2041,6 +2041,25 @@ rc_room_creation:
  burst_count: 5.0
 ```
 ---
+### `rc_user_directory`
+
+*(object)* This option allows admins to ratelimit searches in the user directory.
+
+_Added in Synapse 1.145.0._
+
+This setting has the following sub-options:
+
+* `per_second` (number): Maximum number of requests a client can send per second.
+
+* `burst_count` (number): Maximum number of requests a client can send before being throttled.
+
+Default configuration:
+```yaml
+rc_user_directory:
+  per_second: 0.016
+  burst_count: 200.0
+```
+---
 ### `federation_rr_transactions_per_room_per_second`

 *(integer)* Sets outgoing federation transaction frequency for sending read-receipts, per-room.
@ -2092,6 +2111,16 @@ Example configuration:
 enable_media_repo: false
 ```
 ---
+### `enable_local_media_storage`
+
+*(boolean)* Enable the local on-disk media storage provider. When disabled, media is stored only in configured `media_storage_providers` and temporary files are used for processing.
+**Warning:** If this option is set to `false` and no `media_storage_providers` are configured, all media requests will return 404 errors as there will be no storage backend available. Defaults to `true`.
+
+Example configuration:
+```yaml
+enable_local_media_storage: false
+```
+---
 ### `media_store_path`

 *(string)* Directory where uploaded images and attachments are stored. Defaults to `"media_store"`.
--- a/docs/website_files/README.md
+++ b/docs/website_files/README.md
@ -9,27 +9,18 @@ point to additional JS/CSS in this directory that are added on each page load. I
 addition, the `theme` directory contains files that overwrite their counterparts in
 each of the default themes included with mdbook.

-Currently we use these files to generate a floating Table of Contents panel. The code for
-which was partially taken from
-[JorelAli/mdBook-pagetoc](https://github.com/JorelAli/mdBook-pagetoc/)
-before being modified such that it scrolls with the content of the page. This is handled
-by the `table-of-contents.js/css` files. The table of contents panel only appears on pages
-that have more than one header, as well as only appearing on desktop-sized monitors.
+Currently we use these files to make a few modifications:

-We remove the navigation arrows which typically appear on the left and right side of the
-screen on desktop as they interfere with the table of contents. This is handled by
-the `remove-nav-buttons.css` file.
+* We stylise the chapter titles in the left sidebar by indenting them
+  slightly so that they are more visually distinguishable from the section headers
+  (the bold titles). This is done through the `indent-section-headers.css` file.

-Finally, we also stylise the chapter titles in the left sidebar by indenting them
-slightly so that they are more visually distinguishable from the section headers
-(the bold titles). This is done through the `indent-section-headers.css` file.
-
-In addition to these modifications, we have added a version picker to the documentation.
-Users can switch between documentations for different versions of Synapse.
-This functionality was implemented through the `version-picker.js` and
-`version-picker.css` files.
+* We add a version picker pertaining to the different documentation versions
+  shipped with each version of Synapse. This functionality was implemented through
+  the `version-picker.js` and `version-picker.css` files, and is currently the only
+  requirement for the custom `theme/`.

 More information can be found in mdbook's official documentation for
 [injecting page JS/CSS](https://rust-lang.github.io/mdBook/format/config.html)
 and
-[customising the default themes](https://rust-lang.github.io/mdBook/format/theme/index.html).
+[customising the default themes](https://rust-lang.github.io/mdBook/format/theme/index.html).
--- a/docs/website_files/remove-nav-buttons.css
+++ b/docs/website_files/remove-nav-buttons.css
@ -1,8 +0,0 @@
-/* Remove the prev, next chapter buttons as they interfere with the
- * table of contents.
- * Note that the table of contents only appears on desktop, thus we
- * only remove the desktop (wide) chapter buttons.
- */
-.nav-wide-wrapper {
-    display: none
-}
--- a/docs/website_files/table-of-contents.css
+++ b/docs/website_files/table-of-contents.css
@ -1,47 +0,0 @@
-:root {
-    --pagetoc-width: 250px;
-}
-
-@media only screen and (max-width:1439px) {
-    .sidetoc {
-        display: none;
-    }
-}
-
-@media only screen and (min-width:1440px) {
-    main {
-        position: relative;
-        margin-left: 100px !important;
-        margin-right: var(--pagetoc-width) !important;
-    }
-    .sidetoc {
-        margin-left: auto;
-        margin-right: auto;
-        left: calc(100% + (var(--content-max-width))/4 - 140px);
-        position: absolute;
-        text-align: right;
-    }
-    .pagetoc {
-        position: fixed;
-        width: var(--pagetoc-width);
-        overflow: auto;
-        right: 20px;
-        height: calc(100% - var(--menu-bar-height));
-    }
-    .pagetoc a {
-        color: var(--fg) !important;
-        display: block;
-        padding: 5px 15px 5px 10px;
-        text-align: left;
-        text-decoration: none;
-    }
-    .pagetoc a:hover,
-    .pagetoc a.active {
-        background: var(--sidebar-bg) !important;
-        color: var(--sidebar-fg) !important;
-    }
-    .pagetoc .active {
-        background: var(--sidebar-bg);
-        color: var(--sidebar-fg);
-    }
-}
--- a/docs/website_files/table-of-contents.js
+++ b/docs/website_files/table-of-contents.js
@ -1,148 +0,0 @@
-const getPageToc = () => document.getElementsByClassName('pagetoc')[0];
-
-const pageToc = getPageToc();
-const pageTocChildren = [...pageToc.children];
-const headers = [...document.getElementsByClassName('header')];
-
-
-// Select highlighted item in ToC when clicking an item
-pageTocChildren.forEach(child => {
-    child.addEventHandler('click', () => {
-        pageTocChildren.forEach(child => {
-            child.classList.remove('active');
-        });
-        child.classList.add('active');
-    });
-});
-
-
-/**
- * Test whether a node is in the viewport
- */
-function isInViewport(node) {
-    const rect = node.getBoundingClientRect();
-    return rect.top >= 0 && rect.left >= 0 && rect.bottom <= (window.innerHeight || document.documentElement.clientHeight) && rect.right <= (window.innerWidth || document.documentElement.clientWidth);
-}
-
-
-/**
- * Set a new ToC entry.
- * Clear any previously highlighted ToC items, set the new one,
- * and adjust the ToC scroll position.
- */
-function setTocEntry() {
-    let activeEntry;
-    const pageTocChildren = [...getPageToc().children];
-
-    // Calculate which header is the current one at the top of screen
-    headers.forEach(header => {
-        if (window.pageYOffset >= header.offsetTop) {
-            activeEntry = header;
-        }
-    });
-
-    // Update selected item in ToC when scrolling
-    pageTocChildren.forEach(child => {
-        if (activeEntry.href.localeCompare(child.href) === 0) {
-            child.classList.add('active');
-        } else {
-            child.classList.remove('active');
-        }
-    });
-
-    let tocEntryForLocation = document.querySelector(`nav a[href="${activeEntry.href}"]`);
-    if (tocEntryForLocation) {
-        const headingForLocation = document.querySelector(activeEntry.hash);
-        if (headingForLocation && isInViewport(headingForLocation)) {
-            // Update ToC scroll
-            const nav = getPageToc();
-            const content = document.querySelector('html');
-            if (content.scrollTop !== 0) {
-                nav.scrollTo({
-                    top: tocEntryForLocation.offsetTop - 100,
-                    left: 0,
-                    behavior: 'smooth',
-                });
-            } else {
-                nav.scrollTop = 0;
-            }
-        }
-    }
-}
-
-
-/**
- * Populate sidebar on load
- */
-window.addEventListener('load', () => {
-    // Prevent rendering the table of contents of the "print book" page, as it
-    // will end up being rendered into the output (in a broken-looking way)
-
-    // Get the name of the current page (i.e. 'print.html')
-    const pageNameExtension = window.location.pathname.split('/').pop();
-
-    // Split off the extension (as '.../print' is also a valid page name), which
-    // should result in 'print'
-    const pageName = pageNameExtension.split('.')[0];
-    if (pageName === "print") {
-        // Don't render the table of contents on this page
-        return;
-    }
-
-    // Only create table of contents if there is more than one header on the page
-    if (headers.length <= 1) {
-        return;
-    }
-
-    // Create an entry in the page table of contents for each header in the document
-    headers.forEach((header, index) => {
-        const link = document.createElement('a');
-
-        // Indent shows hierarchy
-        let indent = '0px';
-        switch (header.parentElement.tagName) {
-            case 'H1':
-                indent = '5px';
-                break;
-            case 'H2':
-                indent = '20px';
-                break;
-            case 'H3':
-                indent = '30px';
-                break;
-            case 'H4':
-                indent = '40px';
-                break;
-            case 'H5':
-                indent = '50px';
-                break;
-            case 'H6':
-                indent = '60px';
-                break;
-            default:
-                break;
-        }
-
-        let tocEntry;
-        if (index == 0) {
-            // Create a bolded title for the first element
-            tocEntry = document.createElement("strong");
-            tocEntry.innerHTML = header.text;
-        } else {
-            // All other elements are non-bold
-            tocEntry = document.createTextNode(header.text);
-        }
-        link.appendChild(tocEntry);
-
-        link.style.paddingLeft = indent;
-        link.href = header.href;
-        pageToc.appendChild(link);
-    });
-    setTocEntry.call();
-});
-
-
-// Handle active headers on scroll, if there is more than one header on the page
-if (headers.length > 1) {
-    window.addEventListener('scroll', setTocEntry);
-}
--- a/docs/website_files/theme/index.hbs
+++ b/docs/website_files/theme/index.hbs
@ -1,11 +1,11 @@
 <!DOCTYPE HTML>
-<html lang="{{ language }}" class="sidebar-visible no-js {{ default_theme }}">
+<html lang="{{ language }}" class="{{ default_theme }} sidebar-visible" dir="{{ text_direction }}">
    <head>
        <!-- Book generated using mdBook -->
        <meta charset="UTF-8">
        <title>{{ title }}</title>
        {{#if is_print }}
-        <meta name="robots" content="noindex" />
+        <meta name="robots" content="noindex">
        {{/if}}
        {{#if base_url}}
        <base href="{{ base_url }}">
@ -15,60 +15,78 @@
        <!-- Custom HTML head -->
        {{> head}}

-        <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
        <meta name="description" content="{{ description }}">
        <meta name="viewport" content="width=device-width, initial-scale=1">
-        <meta name="theme-color" content="#ffffff" />
+        <meta name="theme-color" content="#ffffff">

        {{#if favicon_svg}}
-        <link rel="icon" href="{{ path_to_root }}favicon.svg">
+        <link rel="icon" href="{{ resource "favicon.svg" }}">
        {{/if}}
        {{#if favicon_png}}
-        <link rel="shortcut icon" href="{{ path_to_root }}favicon.png">
+        <link rel="shortcut icon" href="{{ resource "favicon.png" }}">
        {{/if}}
-        <link rel="stylesheet" href="{{ path_to_root }}css/variables.css">
-        <link rel="stylesheet" href="{{ path_to_root }}css/general.css">
-        <link rel="stylesheet" href="{{ path_to_root }}css/chrome.css">
+        <link rel="stylesheet" href="{{ resource "css/variables.css" }}">
+        <link rel="stylesheet" href="{{ resource "css/general.css" }}">
+        <link rel="stylesheet" href="{{ resource "css/chrome.css" }}">
        {{#if print_enable}}
-        <link rel="stylesheet" href="{{ path_to_root }}css/print.css" media="print">
+        <link rel="stylesheet" href="{{ resource "css/print.css" }}" media="print">
        {{/if}}

        <!-- Fonts -->
-        <link rel="stylesheet" href="{{ path_to_root }}FontAwesome/css/font-awesome.css">
-        {{#if copy_fonts}}
-        <link rel="stylesheet" href="{{ path_to_root }}fonts/fonts.css">
-        {{/if}}
+        <link rel="stylesheet" href="{{ resource "fonts/fonts.css" }}">

        <!-- Highlight.js Stylesheets -->
-        <link rel="stylesheet" href="{{ path_to_root }}highlight.css">
-        <link rel="stylesheet" href="{{ path_to_root }}tomorrow-night.css">
-        <link rel="stylesheet" href="{{ path_to_root }}ayu-highlight.css">
+        <link rel="stylesheet" id="mdbook-highlight-css" href="{{ resource "highlight.css" }}">
+        <link rel="stylesheet" id="mdbook-tomorrow-night-css" href="{{ resource "tomorrow-night.css" }}">
+        <link rel="stylesheet" id="mdbook-ayu-highlight-css" href="{{ resource "ayu-highlight.css" }}">

        <!-- Custom theme stylesheets -->
        {{#each additional_css}}
-        <link rel="stylesheet" href="{{ ../path_to_root }}{{ this }}">
+        <link rel="stylesheet" href="{{ resource this }}">
        {{/each}}

        {{#if mathjax_support}}
        <!-- MathJax -->
-        <script async type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-AMS-MML_HTMLorMML"></script>
+        <script async src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-AMS-MML_HTMLorMML"></script>
        {{/if}}
+
+        <!-- Provide site root and default themes to javascript -->
+        <script>
+            const path_to_root = "{{ path_to_root }}";
+            const default_light_theme = "{{ default_theme }}";
+            const default_dark_theme = "{{ preferred_dark_theme }}";
+        {{#if search_js}}
+            window.path_to_searchindex_js = "{{ resource "searchindex.js" }}";
+        {{/if}}
+        </script>
+        <!-- Start loading toc.js asap -->
+        <script src="{{ resource "toc.js" }}"></script>
    </head>
    <body>
-        <!-- Provide site root to javascript -->
-        <script type="text/javascript">
-            var path_to_root = "{{ path_to_root }}";
-            var default_theme = window.matchMedia("(prefers-color-scheme: dark)").matches ? "{{ preferred_dark_theme }}" : "{{ default_theme }}";
-        </script>
-
+    <div id="mdbook-help-container">
+        <div id="mdbook-help-popup">
+            <h2 class="mdbook-help-title">Keyboard shortcuts</h2>
+            <div>
+                <p>Press <kbd>←</kbd> or <kbd>→</kbd> to navigate between chapters</p>
+                {{#if search_enabled}}
+                <p>Press <kbd>S</kbd> or <kbd>/</kbd> to search in the book</p>
+                {{/if}}
+                <p>Press <kbd>?</kbd> to show this help</p>
+                <p>Press <kbd>Esc</kbd> to hide this help</p>
+            </div>
+        </div>
+    </div>
+    <div id="mdbook-body-container">
        <!-- Work around some values being stored in localStorage wrapped in quotes -->
-        <script type="text/javascript">
+        <script>
            try {
-                var theme = localStorage.getItem('mdbook-theme');
-                var sidebar = localStorage.getItem('mdbook-sidebar');
+                let theme = localStorage.getItem('mdbook-theme');
+                let sidebar = localStorage.getItem('mdbook-sidebar');
+
                if (theme.startsWith('"') && theme.endsWith('"')) {
                    localStorage.setItem('mdbook-theme', theme.slice(1, theme.length - 1));
                }
+
                if (sidebar.startsWith('"') && sidebar.endsWith('"')) {
                    localStorage.setItem('mdbook-sidebar', sidebar.slice(1, sidebar.length - 1));
                }
@ -76,91 +94,107 @@
        </script>

        <!-- Set the theme before any content is loaded, prevents flash -->
-        <script type="text/javascript">
-            var theme;
+        <script>
+            const default_theme = window.matchMedia("(prefers-color-scheme: dark)").matches ? default_dark_theme : default_light_theme;
+            let theme;
            try { theme = localStorage.getItem('mdbook-theme'); } catch(e) { }
            if (theme === null || theme === undefined) { theme = default_theme; }
-            var html = document.querySelector('html');
-            html.classList.remove('no-js')
+            const html = document.documentElement;
            html.classList.remove('{{ default_theme }}')
            html.classList.add(theme);
-            html.classList.add('js');
+            html.classList.add("js");
        </script>

+        <input type="checkbox" id="mdbook-sidebar-toggle-anchor" class="hidden">
+
        <!-- Hide / unhide sidebar before it is displayed -->
-        <script type="text/javascript">
-            var html = document.querySelector('html');
-            var sidebar = 'hidden';
+        <script>
+            let sidebar = null;
+            const sidebar_toggle = document.getElementById("mdbook-sidebar-toggle-anchor");
            if (document.body.clientWidth >= 1080) {
                try { sidebar = localStorage.getItem('mdbook-sidebar'); } catch(e) { }
                sidebar = sidebar || 'visible';
+            } else {
+                sidebar = 'hidden';
+                sidebar_toggle.checked = false;
+            }
+            if (sidebar === 'visible') {
+                sidebar_toggle.checked = true;
+            } else {
+                html.classList.remove('sidebar-visible');
            }
-            html.classList.remove('sidebar-visible');
-            html.classList.add("sidebar-" + sidebar);
        </script>

-        <nav id="sidebar" class="sidebar" aria-label="Table of contents">
-            <div class="sidebar-scrollbox">
-                {{#toc}}{{/toc}}
+        <nav id="mdbook-sidebar" class="sidebar" aria-label="Table of contents">
+            <!-- populated by js -->
+            <mdbook-sidebar-scrollbox class="sidebar-scrollbox"></mdbook-sidebar-scrollbox>
+            <noscript>
+                <iframe class="sidebar-iframe-outer" src="{{ path_to_root }}toc.html"></iframe>
+            </noscript>
+            <div id="mdbook-sidebar-resize-handle" class="sidebar-resize-handle">
+                <div class="sidebar-resize-indicator"></div>
            </div>
-            <div id="sidebar-resize-handle" class="sidebar-resize-handle"></div>
        </nav>

-        <div id="page-wrapper" class="page-wrapper">
+        <div id="mdbook-page-wrapper" class="page-wrapper">

            <div class="page">
                {{> header}}
-                <div id="menu-bar-hover-placeholder"></div>
-                <div id="menu-bar" class="menu-bar sticky bordered">
+                <div id="mdbook-menu-bar-hover-placeholder"></div>
+                <div id="mdbook-menu-bar" class="menu-bar sticky">
                    <div class="left-buttons">
-                        <button id="sidebar-toggle" class="icon-button" type="button" title="Toggle Table of Contents" aria-label="Toggle Table of Contents" aria-controls="sidebar">
-                            <i class="fa fa-bars"></i>
+                        <label id="mdbook-sidebar-toggle" class="icon-button" for="mdbook-sidebar-toggle-anchor" title="Toggle Table of Contents" aria-label="Toggle Table of Contents" aria-controls="mdbook-sidebar">
+                            {{fa "solid" "bars"}}
+                        </label>
+                        <button id="mdbook-theme-toggle" class="icon-button" type="button" title="Change theme" aria-label="Change theme" aria-haspopup="true" aria-expanded="false" aria-controls="mdbook-theme-list">
+                            {{fa "solid" "paintbrush"}}
                        </button>
-                        <button id="theme-toggle" class="icon-button" type="button" title="Change theme" aria-label="Change theme" aria-haspopup="true" aria-expanded="false" aria-controls="theme-list">
-                            <i class="fa fa-paint-brush"></i>
-                        </button>
-                        <ul id="theme-list" class="theme-popup" aria-label="Themes" role="menu">
-                            <li role="none"><button role="menuitem" class="theme" id="light">{{ theme_option "Light" }}</button></li>
-                            <li role="none"><button role="menuitem" class="theme" id="rust">{{ theme_option "Rust" }}</button></li>
-                            <li role="none"><button role="menuitem" class="theme" id="coal">{{ theme_option "Coal" }}</button></li>
-                            <li role="none"><button role="menuitem" class="theme" id="navy">{{ theme_option "Navy" }}</button></li>
-                            <li role="none"><button role="menuitem" class="theme" id="ayu">{{ theme_option "Ayu" }}</button></li>
+                        <ul id="mdbook-theme-list" class="theme-popup" aria-label="Themes" role="menu">
+                            <li role="none"><button role="menuitem" class="theme" id="mdbook-theme-default_theme">Auto</button></li>
+                            <li role="none"><button role="menuitem" class="theme" id="mdbook-theme-light">Light</button></li>
+                            <li role="none"><button role="menuitem" class="theme" id="mdbook-theme-rust">Rust</button></li>
+                            <li role="none"><button role="menuitem" class="theme" id="mdbook-theme-coal">Coal</button></li>
+                            <li role="none"><button role="menuitem" class="theme" id="mdbook-theme-navy">Navy</button></li>
+                            <li role="none"><button role="menuitem" class="theme" id="mdbook-theme-ayu">Ayu</button></li>
                        </ul>
                        {{#if search_enabled}}
-                        <button id="search-toggle" class="icon-button" type="button" title="Search. (Shortkey: s)" aria-label="Toggle Searchbar" aria-expanded="false" aria-keyshortcuts="S" aria-controls="searchbar">
-                            <i class="fa fa-search"></i>
+                        <button id="mdbook-search-toggle" class="icon-button" type="button" title="Search (`/`)" aria-label="Toggle Searchbar" aria-expanded="false" aria-keyshortcuts="/ s" aria-controls="mdbook-searchbar">
+                            {{fa "solid" "magnifying-glass"}}
                        </button>
                        {{/if}}
-                        <div class="version-picker">
-                            <div class="dropdown">
-                                <div class="select">
-                                    <span></span>
-                                    <i class="fa fa-chevron-down"></i>
-                                </div>
-                                <input type="hidden" name="version">
-                                <ul class="dropdown-menu">
-                                    <!-- Versions will be added dynamically in version-picker.js -->
-                                </ul>
+                    </div>
+
+                    <!-- BEGIN CUSTOM SYNAPSE MODIFICATIONS -->
+                    <div class="version-picker">
+                        <div class="dropdown">
+                            <div class="select">
+                                <span></span>
+                                <i class="fa fa-chevron-down"></i>
                            </div>
+                            <input type="hidden" name="version">
+                            <ul class="dropdown-menu">
+                                <!-- Versions will be added dynamically in version-picker.js -->
+                            </ul>
                        </div>
                    </div>
+                    <!-- END CUSTOM SYNAPSE MODIFICATIONS -->

                    <h1 class="menu-title">{{ book_title }}</h1>

                    <div class="right-buttons">
                        {{#if print_enable}}
                        <a href="{{ path_to_root }}print.html" title="Print this book" aria-label="Print this book">
-                            <i id="print-button" class="fa fa-print"></i>
+                            {{fa "solid" "print" "print-button"}}
                        </a>
                        {{/if}}
                        {{#if git_repository_url}}
                        <a href="{{git_repository_url}}" title="Git repository" aria-label="Git repository">
-                            <i id="git-repository-button" class="fa {{git_repository_icon}}"></i>
+                            {{fa git_repository_icon_class git_repository_icon}}
                        </a>
                        {{/if}}
                        {{#if git_repository_edit_url}}
-                        <a href="{{git_repository_edit_url}}" title="Suggest an edit" aria-label="Suggest an edit">
-                            <i id="git-edit-button" class="fa fa-edit"></i>
+                        <a href="{{git_repository_edit_url}}" title="Suggest an edit" aria-label="Suggest an edit" rel="edit">
+                            {{fa "solid" "pencil" "git-edit-button"}}
                        </a>
                        {{/if}}

@ -168,50 +202,58 @@
                </div>

                {{#if search_enabled}}
-                <div id="search-wrapper" class="hidden">
-                    <form id="searchbar-outer" class="searchbar-outer">
-                        <input type="search" id="searchbar" name="searchbar" placeholder="Search this book ..." aria-controls="searchresults-outer" aria-describedby="searchresults-header">
+                <div id="mdbook-search-wrapper" class="hidden">
+                    <form id="mdbook-searchbar-outer" class="searchbar-outer">
+                        <div class="search-wrapper">
+                            <input type="search" id="mdbook-searchbar" name="searchbar" placeholder="Search this book ..." aria-controls="mdbook-searchresults-outer" aria-describedby="searchresults-header">
+                            <div class="spinner-wrapper">
+                                {{fa "solid" "spinner" "fa-spin"}}
+                            </div>
+                        </div>
                    </form>
-                    <div id="searchresults-outer" class="searchresults-outer hidden">
-                        <div id="searchresults-header" class="searchresults-header"></div>
-                        <ul id="searchresults">
+                    <div id="mdbook-searchresults-outer" class="searchresults-outer hidden">
+                        <div id="mdbook-searchresults-header" class="searchresults-header"></div>
+                        <ul id="mdbook-searchresults">
                        </ul>
                    </div>
                </div>
                {{/if}}

                <!-- Apply ARIA attributes after the sidebar and the sidebar toggle button are added to the DOM -->
-                <script type="text/javascript">
-                    document.getElementById('sidebar-toggle').setAttribute('aria-expanded', sidebar === 'visible');
-                    document.getElementById('sidebar').setAttribute('aria-hidden', sidebar !== 'visible');
-                    Array.from(document.querySelectorAll('#sidebar a')).forEach(function(link) {
+                <script>
+                    document.getElementById('mdbook-sidebar-toggle').setAttribute('aria-expanded', sidebar === 'visible');
+                    document.getElementById('mdbook-sidebar').setAttribute('aria-hidden', sidebar !== 'visible');
+                    Array.from(document.querySelectorAll('#mdbook-sidebar a')).forEach(function(link) {
                        link.setAttribute('tabIndex', sidebar === 'visible' ? 0 : -1);
                    });
                </script>

-                <div id="content" class="content">
+                <div id="mdbook-content" class="content">
                    <main>
-                        <!-- Page table of contents -->
-                        <div class="sidetoc">
-                            <nav class="pagetoc"></nav>
-                        </div>
-
                        {{{ content }}}
                    </main>

                    <nav class="nav-wrapper" aria-label="Page navigation">
                        <!-- Mobile navigation buttons -->
-                        {{#previous}}
-                            <a rel="prev" href="{{ path_to_root }}{{link}}" class="mobile-nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
-                                <i class="fa fa-angle-left"></i>
+                        {{#if previous}}
+                            <a rel="prev" href="{{ path_to_root }}{{previous.link}}" class="mobile-nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
+                                {{#if (eq ../text_direction "rtl")}}
+                                {{fa "solid" "angle-right"}}
+                                {{else}}
+                                {{fa "solid" "angle-left"}}
+                                {{/if}}
                            </a>
-                        {{/previous}}
+                        {{/if}}

-                        {{#next}}
-                            <a rel="next" href="{{ path_to_root }}{{link}}" class="mobile-nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
-                                <i class="fa fa-angle-right"></i>
+                        {{#if next}}
+                            <a rel="next prefetch" href="{{ path_to_root }}{{next.link}}" class="mobile-nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
+                                {{#if (eq ../text_direction "rtl")}}
+                                {{fa "solid" "angle-left"}}
+                                {{else}}
+                                {{fa "solid" "angle-right"}}
+                                {{/if}}
                            </a>
-                        {{/next}}
+                        {{/if}}

                        <div style="clear: both"></div>
                    </nav>
@ -219,92 +261,92 @@
            </div>

            <nav class="nav-wide-wrapper" aria-label="Page navigation">
-                {{#previous}}
-                    <a rel="prev" href="{{ path_to_root }}{{link}}" class="nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
-                        <i class="fa fa-angle-left"></i>
+                {{#if previous}}
+                    <a rel="prev" href="{{ path_to_root }}{{previous.link}}" class="nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
+                        {{#if (eq ../text_direction "rtl")}}
+                        {{fa "solid" "angle-right"}}
+                        {{else}}
+                        {{fa "solid" "angle-left"}}
+                        {{/if}}
                    </a>
-                {{/previous}}
+                {{/if}}

-                {{#next}}
-                    <a rel="next" href="{{ path_to_root }}{{link}}" class="nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
-                        <i class="fa fa-angle-right"></i>
+                {{#if next}}
+                    <a rel="next prefetch" href="{{ path_to_root }}{{next.link}}" class="nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
+                        {{#if (eq text_direction "rtl")}}
+                        {{fa "solid" "angle-left"}}
+                        {{else}}
+                        {{fa "solid" "angle-right"}}
+                        {{/if}}
                    </a>
-                {{/next}}
+                {{/if}}
            </nav>

        </div>

-        {{#if livereload}}
+        <template id=fa-eye>{{fa "solid" "eye"}}</template>
+        <template id=fa-eye-slash>{{fa "solid" "eye-slash"}}</template>
+        <template id=fa-copy>{{fa "regular" "copy"}}</template>
+        <template id=fa-play>{{fa "solid" "play"}}</template>
+        <template id=fa-clock-rotate-left>{{fa "solid" "clock-rotate-left"}}</template>
+
+        {{#if live_reload_endpoint}}
        <!-- Livereload script (if served using the cli tool) -->
-        <script type="text/javascript">
-            var socket = new WebSocket("{{{livereload}}}");
+        <script>
+            const wsProtocol = location.protocol === 'https:' ? 'wss:' : 'ws:';
+            const wsAddress = wsProtocol + "//" + location.host + "/" + "{{{live_reload_endpoint}}}";
+            const socket = new WebSocket(wsAddress);
            socket.onmessage = function (event) {
                if (event.data === "reload") {
                    socket.close();
                    location.reload();
                }
            };
+
            window.onbeforeunload = function() {
                socket.close();
            }
        </script>
        {{/if}}

-        {{#if google_analytics}}
-        <!-- Google Analytics Tag -->
-        <script type="text/javascript">
-            var localAddrs = ["localhost", "127.0.0.1", ""];
-            // make sure we don't activate google analytics if the developer is
-            // inspecting the book locally...
-            if (localAddrs.indexOf(document.location.hostname) === -1) {
-                (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
-                (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
-                m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
-                })(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
-                ga('create', '{{google_analytics}}', 'auto');
-                ga('send', 'pageview');
-            }
-        </script>
-        {{/if}}
-
        {{#if playground_line_numbers}}
-        <script type="text/javascript">
+        <script>
            window.playground_line_numbers = true;
        </script>
        {{/if}}

        {{#if playground_copyable}}
-        <script type="text/javascript">
+        <script>
            window.playground_copyable = true;
        </script>
        {{/if}}

        {{#if playground_js}}
-        <script src="{{ path_to_root }}ace.js" type="text/javascript" charset="utf-8"></script>
-        <script src="{{ path_to_root }}editor.js" type="text/javascript" charset="utf-8"></script>
-        <script src="{{ path_to_root }}mode-rust.js" type="text/javascript" charset="utf-8"></script>
-        <script src="{{ path_to_root }}theme-dawn.js" type="text/javascript" charset="utf-8"></script>
-        <script src="{{ path_to_root }}theme-tomorrow_night.js" type="text/javascript" charset="utf-8"></script>
+        <script src="{{ resource "ace.js" }}"></script>
+        <script src="{{ resource "mode-rust.js" }}"></script>
+        <script src="{{ resource "editor.js" }}"></script>
+        <script src="{{ resource "theme-dawn.js" }}"></script>
+        <script src="{{ resource "theme-tomorrow_night.js" }}"></script>
        {{/if}}

        {{#if search_js}}
-        <script src="{{ path_to_root }}elasticlunr.min.js" type="text/javascript" charset="utf-8"></script>
-        <script src="{{ path_to_root }}mark.min.js" type="text/javascript" charset="utf-8"></script>
-        <script src="{{ path_to_root }}searcher.js" type="text/javascript" charset="utf-8"></script>
+        <script src="{{ resource "elasticlunr.min.js" }}"></script>
+        <script src="{{ resource "mark.min.js" }}"></script>
+        <script src="{{ resource "searcher.js" }}"></script>
        {{/if}}

-        <script src="{{ path_to_root }}clipboard.min.js" type="text/javascript" charset="utf-8"></script>
-        <script src="{{ path_to_root }}highlight.js" type="text/javascript" charset="utf-8"></script>
-        <script src="{{ path_to_root }}book.js" type="text/javascript" charset="utf-8"></script>
+        <script src="{{ resource "clipboard.min.js" }}"></script>
+        <script src="{{ resource "highlight.js" }}"></script>
+        <script src="{{ resource "book.js" }}"></script>

        <!-- Custom JS scripts -->
        {{#each additional_js}}
-        <script type="text/javascript" src="{{ ../path_to_root }}{{this}}"></script>
+        <script src="{{ resource this}}"></script>
        {{/each}}

        {{#if is_print}}
        {{#if mathjax_support}}
-        <script type="text/javascript">
+        <script>
        window.addEventListener('load', function() {
            MathJax.Hub.Register.StartupHook('End', function() {
                window.setTimeout(window.print, 100);
@ -312,7 +354,7 @@
        });
        </script>
        {{else}}
-        <script type="text/javascript">
+        <script>
        window.addEventListener('load', function() {
            window.setTimeout(window.print, 100);
        });
@ -320,5 +362,21 @@
        {{/if}}
        {{/if}}

+        {{#if fragment_map}}
+        <script>
+            document.addEventListener('DOMContentLoaded', function() {
+                const fragmentMap =
+                    {{{fragment_map}}}
+                ;
+                const target = fragmentMap[window.location.hash];
+                if (target) {
+                    let url = new URL(target, window.location.href);
+                    window.location.replace(url.href);
+                }
+            });
+        </script>
+        {{/if}}
+
+    </div>
    </body>
 </html>
--- a/docs/workers.md
+++ b/docs/workers.md
@ -255,6 +255,8 @@ information.
    ^/_matrix/client/(api/v1|r0|v3|unstable)/directory/room/.*$
    ^/_matrix/client/(r0|v3|unstable)/capabilities$
    ^/_matrix/client/(r0|v3|unstable)/notifications$
+
+    # Admin API requests
    ^/_synapse/admin/v1/rooms/[^/]+$

    # Encryption requests
@ -285,10 +287,13 @@ information.
    # User directory search requests
    ^/_matrix/client/(r0|v3|unstable)/user_directory/search$

+    # Unstable MSC4140 support
+    ^/_matrix/client/unstable/org.matrix.msc4140/delayed_events(/.*/restart)?$
+
 Additionally, the following REST endpoints can be handled for GET requests:

+    # Push rules requests
    ^/_matrix/client/(api/v1|r0|v3|unstable)/pushrules/
-    ^/_matrix/client/unstable/org.matrix.msc4140/delayed_events

    # Account data requests
    ^/_matrix/client/(r0|v3|unstable)/.*/tags
@ -297,6 +302,9 @@ Additionally, the following REST endpoints can be handled for GET requests:
    # Presence requests
    ^/_matrix/client/(api/v1|r0|v3|unstable)/presence/

+    # Admin API requests
+    ^/_synapse/admin/v2/users/[^/]+$
+
 Pagination requests can also be handled, but all requests for a given
 room must be routed to the same instance. Additionally, care must be taken to
 ensure that the purge history admin API is not used while pagination requests
--- a/poetry.lock
+++ b/poetry.lock
--- a/pyproject.toml
+++ b/pyproject.toml
@ -1,6 +1,6 @@
 [project]
 name = "matrix-synapse"
-version = "1.143.0rc1"
+version = "1.145.0"
 description = "Homeserver for the Matrix decentralised comms protocol"
 readme = "README.rst"
 authors = [
@ -42,7 +42,8 @@ dependencies = [
    "Twisted[tls]>=21.2.0",
    "treq>=21.5.0",
    # Twisted has required pyopenssl 16.0 since about Twisted 16.6.
-    "pyOpenSSL>=16.0.0",
+    # pyOpenSSL 16.2.0 fixes compatibility with OpenSSL 1.1.0. 
+    "pyOpenSSL>=16.2.0",
    "PyYAML>=5.3",
    "pyasn1>=0.1.9",
    "pyasn1-modules>=0.0.7",
@ -95,6 +96,25 @@ dependencies = [

    # This is used for parsing multipart responses
    "python-multipart>=0.0.9",
+
+    # Transitive dependency constraints
+    # These dependencies aren't directly required by Synapse.
+    # However, in order for Synapse to build, Synapse requires a higher minimum version
+    # for these dependencies than the minimum specified by the direct dependency.
+    # We should periodically check to see if these dependencies are still necessary and
+    # remove any that are no longer required.
+    "cffi>=1.15", # via cryptography
+    "pynacl>=1.3", # via signedjson
+    "pyparsing>=2.4",  # via packaging
+    "pyrsistent>=0.18.0",  # via jsonschema
+    "requests>=2.16.0", # 2.16.0+ no longer vendors urllib3, avoiding Python 3.10+ incompatibility
+    "urllib3>=1.26.5", # via treq; 1.26.5 fixes Python 3.10+ collections.abc compatibility
+    # 5.2 is the current version in Debian oldstable. If we don't care to support that, then 5.4 is
+    # the minimum version from Ubuntu 22.04 and RHEL 9. (as of 2025-12)
+    # When bumping this version to 6.2 or above, refer to https://github.com/element-hq/synapse/pull/19274
+    # for details of Synapse improvements that may be unlocked. Particularly around the use of `|`
+    # syntax with zope interface types.
+    "zope-interface>=5.2", # via twisted
 ]

 [project.optional-dependencies]
@ -104,7 +124,16 @@ postgres = [
    "psycopg2cffi>=2.8;platform_python_implementation == 'PyPy'",
    "psycopg2cffi-compat==1.1;platform_python_implementation == 'PyPy'",
 ]
-saml2 = ["pysaml2>=4.5.0"]
+saml2 = [
+    "pysaml2>=4.5.0",
+
+    # Transitive dependencies from pysaml2
+    # These dependencies aren't directly required by Synapse.
+    # However, in order for Synapse to build, Synapse requires a higher minimum version
+    # for these dependencies than the minimum specified by the direct dependency.
+    "defusedxml>=0.7.1", # via pysaml2
+    "pytz>=2018.3",  # via pysaml2
+]
 oidc = ["authlib>=0.15.1"]
 # systemd-python is necessary for logging to the systemd journal via
 # `systemd.journal.JournalHandler`, as is documented in
@ -112,15 +141,25 @@ oidc = ["authlib>=0.15.1"]
 systemd = ["systemd-python>=231"]
 url-preview = ["lxml>=4.6.3"]
 sentry = ["sentry-sdk>=0.7.2"]
-opentracing = ["jaeger-client>=4.2.0", "opentracing>=2.2.0"]
+opentracing = [
+    "jaeger-client>=4.2.0",
+    "opentracing>=2.2.0",
+
+    # Transitive dependencies from jaeger-client
+    # These dependencies aren't directly required by Synapse.
+    # However, in order for Synapse to build, Synapse requires a higher minimum version
+    # for these dependencies than the minimum specified by the direct dependency.
+    "thrift>=0.10",  # via jaeger-client
+    "tornado>=6.0",  # via jaeger-client
+]
 jwt = ["authlib"]
 # hiredis is not a *strict* dependency, but it makes things much faster.
 # (if it is not installed, we fall back to slow code.)
-redis = ["txredisapi>=1.4.7", "hiredis"]
+redis = ["txredisapi>=1.4.7", "hiredis>=0.3"]
 # Required to use experimental `caches.track_memory_usage` config option.
-cache-memory = ["pympler"]
+cache-memory = ["pympler>=1.0"]
 # If this is updated, don't forget to update the equivalent lines in
-# tool.poetry.group.dev.dependencies.
+# `dependency-groups.dev` below.
 test = ["parameterized>=0.9.0", "idna>=3.3"]

 # The duplication here is awful.
@ -149,12 +188,22 @@ all = [
    # opentracing
    "jaeger-client>=4.2.0", "opentracing>=2.2.0",
    # redis
-    "txredisapi>=1.4.7", "hiredis",
+    "txredisapi>=1.4.7", "hiredis>=0.3",
    # cache-memory
-    "pympler",
+    # 1.0 added support for python 3.10, our current minimum supported python version
+    "pympler>=1.0",
    # omitted:
    #   - test: it's useful to have this separate from dev deps in the olddeps job
    #   - systemd: this is a system-based requirement
+
+    # Transitive dependencies
+    # These dependencies aren't directly required by Synapse.
+    # However, in order for Synapse to build, Synapse requires a higher minimum version
+    # for these dependencies than the minimum specified by the direct dependency.
+    "defusedxml>=0.7.1", # via pysaml2
+    "pytz>=2018.3",  # via pysaml2
+    "thrift>=0.10",  # via jaeger-client
+    "tornado>=6.0",  # via jaeger-client
 ]

 [project.urls]
@ -177,6 +226,85 @@ synapse_port_db = "synapse._scripts.synapse_port_db:main"
 synapse_review_recent_signups = "synapse._scripts.review_recent_signups:main"
 update_synapse_database = "synapse._scripts.update_synapse_database:main"

+[tool.poetry]
+packages = [{ include = "synapse" }]
+
+[tool.poetry.build]
+# Compile our rust module when using `poetry install`. This is still required
+# while using `poetry` as the build frontend. Saves the developer from needing
+# to run both:
+#
+# $ poetry install
+# $ maturin develop
+script = "build_rust.py"
+# Create a `setup.py` file which will call the `build` method in our build
+# script.
+#
+# Our build script currently uses the "old" build method, where we define a
+# `build` method and `setup.py` calls it. Poetry developers have mentioned that
+# this will eventually be removed:
+# https://github.com/matrix-org/synapse/pull/14949#issuecomment-1418001859
+#
+# The new build method is defined here:
+# https://python-poetry.org/docs/building-extension-modules/#maturin-build-script
+# but is still marked as "unstable" at the time of writing. This would also
+# bump our minimum `poetry-core` version to 1.5.0.
+#
+# We can just drop this work-around entirely if migrating away from
+# Poetry, thus there's little motivation to update the build script.
+generate-setup-file = true
+
+# Dependencies used for developing Synapse itself.
+#
+# Hold off on migrating these to `dev-dependencies` (PEP 735) for now until
+# Poetry 2.2.0+, pip 25.1+ are more widely available.
+[tool.poetry.group.dev.dependencies]
+# We pin development dependencies in poetry.lock so that our tests don't start
+# failing on new releases. Keeping lower bounds loose here means that dependabot
+# can bump versions without having to update the content-hash in the lockfile.
+# This helps prevents merge conflicts when running a batch of dependabot updates.
+ruff = "0.14.6"
+
+# Typechecking
+lxml-stubs = ">=0.4.0"
+mypy = "*"
+mypy-zope = "*"
+types-bleach = ">=4.1.0"
+types-jsonschema = ">=3.2.0"
+types-netaddr = ">=0.8.0.6"
+types-opentracing = ">=2.4.2"
+types-Pillow = ">=8.3.4"
+types-psycopg2 = ">=2.9.9"
+types-pyOpenSSL = ">=20.0.7"
+types-PyYAML = ">=5.4.10"
+types-requests = ">=2.26.0"
+types-setuptools = ">=57.4.0"
+
+# Dependencies which are exclusively required by unit test code. This is
+# NOT a list of all modules that are necessary to run the unit tests.
+# Tests assume that all optional dependencies are installed.
+#
+# If this is updated, don't forget to update the equivalent lines in
+# project.optional-dependencies.test.
+parameterized = ">=0.9.0"
+idna = ">=3.3"
+
+# The following are used by the release script
+click = ">=8.1.3"
+# GitPython was == 3.1.14; bumped to 3.1.20, the first release with type hints.
+GitPython = ">=3.1.20"
+markdown-it-py = ">=3.0.0"
+pygithub = ">=1.59"
+# The following are executed as commands by the release script.
+twine = "*"
+# Towncrier min version comes from https://github.com/matrix-org/synapse/pull/3425. Rationale unclear.
+towncrier = ">=18.6.0rc1"
+
+# Used for checking the Poetry lockfile
+tomli = ">=1.2.3"
+
+# Used for checking the schema delta files
+sqlglot = ">=28.0.0"

 [tool.towncrier]
    package = "synapse"
@ -260,15 +388,12 @@ select = [
    "G",
    # pyupgrade
    "UP006",
-    "UP007",
-    "UP045",
 ]
 extend-safe-fixes = [
    # pyupgrade rules compatible with Python >= 3.9
    "UP006",
-    "UP007",
-    # pyupgrade rules compatible with Python >= 3.10
-    "UP045",
+    # Allow ruff to automatically fix trailing spaces within a multi-line string/comment.
+    "W293"
 ]

 [tool.ruff.lint.isort]
@ -289,32 +414,23 @@ line-ending = "auto"
 [tool.maturin]
 manifest-path = "rust/Cargo.toml"
 module-name = "synapse.synapse_rust"
-
-[tool.poetry]
-name = "matrix-synapse"
-version = "1.143.0rc1"
-description = "Homeserver for the Matrix decentralised comms protocol"
-authors = ["Matrix.org Team and Contributors <packages@matrix.org>"]
-license = "AGPL-3.0-or-later OR LicenseRef-Element-Commercial"
-readme = "README.rst"
-repository = "https://github.com/element-hq/synapse"
-packages = [
-    { include = "synapse" },
-]
+python-source = "."
 include = [
    { path = "AUTHORS.rst", format = "sdist" },
    { path = "book.toml", format = "sdist" },
-    { path = "changelog.d", format = "sdist" },
+    { path = "changelog.d/**/*", format = "sdist" },
    { path = "CHANGES.md", format = "sdist" },
    { path = "CONTRIBUTING.md", format = "sdist" },
-    { path = "demo", format = "sdist" },
-    { path = "docs", format = "sdist" },
+    { path = "demo/**/*", format = "sdist" },
+    { path = "docs/**/*", format = "sdist" },
    { path = "INSTALL.md", format = "sdist" },
+    { path = "LICENSE-AGPL-3.0", format = "sdist" },
+    { path = "LICENSE-COMMERCIAL", format = "sdist" },
    { path = "mypy.ini", format = "sdist" },
-    { path = "scripts-dev", format = "sdist" },
-    { path = "synmark", format="sdist" },
+    { path = "scripts-dev/**/*", format = "sdist" },
+    { path = "synmark/**/*", format = "sdist" },
    { path = "sytest-blacklist", format = "sdist" },
-    { path = "tests", format = "sdist" },
+    { path = "tests/**/*", format = "sdist" },
    { path = "UPGRADE.rst", format = "sdist" },
    { path = "Cargo.toml", format = "sdist" },
    { path = "Cargo.lock", format = "sdist" },
@ -323,59 +439,9 @@ include = [
    { path = "rust/src/**", format = "sdist" },
 ]
 exclude = [
-    { path = "synapse/*.so", format = "sdist"}
+    { path = "synapse/*.so", format = "sdist" },
 ]

-[tool.poetry.build]
-script = "build_rust.py"
-generate-setup-file = true
-
-[tool.poetry.group.dev.dependencies]
-# We pin development dependencies in poetry.lock so that our tests don't start
-# failing on new releases. Keeping lower bounds loose here means that dependabot
-# can bump versions without having to update the content-hash in the lockfile.
-# This helps prevents merge conflicts when running a batch of dependabot updates.
-ruff = "0.14.5"
-
-# Typechecking
-lxml-stubs = ">=0.4.0"
-mypy = "*"
-mypy-zope = "*"
-types-bleach = ">=4.1.0"
-types-jsonschema = ">=3.2.0"
-types-netaddr = ">=0.8.0.6"
-types-opentracing = ">=2.4.2"
-types-Pillow = ">=8.3.4"
-types-psycopg2 = ">=2.9.9"
-types-pyOpenSSL = ">=20.0.7"
-types-PyYAML = ">=5.4.10"
-types-requests = ">=2.26.0"
-types-setuptools = ">=57.4.0"
-
-# Dependencies which are exclusively required by unit test code. This is
-# NOT a list of all modules that are necessary to run the unit tests.
-# Tests assume that all optional dependencies are installed.
-#
-# If this is updated, don't forget to update the equivalent lines in
-# project.optional-dependencies.test.
-parameterized = ">=0.9.0"
-idna = ">=3.3"
-
-# The following are used by the release script
-click = ">=8.1.3"
-# GitPython was == 3.1.14; bumped to 3.1.20, the first release with type hints.
-GitPython = ">=3.1.20"
-markdown-it-py = ">=3.0.0"
-pygithub = ">=1.59"
-# The following are executed as commands by the release script.
-twine = "*"
-# Towncrier min version comes from https://github.com/matrix-org/synapse/pull/3425. Rationale unclear.
-towncrier = ">=18.6.0rc1"
-
-# Used for checking the Poetry lockfile
-tomli = ">=1.2.3"
-
-
 [build-system]
 # The upper bounds here are defensive, intended to prevent situations like
 # https://github.com/matrix-org/synapse/issues/13849 and
@ -383,8 +449,8 @@ tomli = ">=1.2.3"
 # runtime errors caused by build system changes.
 # We are happy to raise these upper bounds upon request,
 # provided we check that it's safe to do so (i.e. that CI passes).
-requires = ["poetry-core>=2.0.0,<=2.1.3", "setuptools_rust>=1.3,<=1.11.1"]
-build-backend = "poetry.core.masonry.api"
+requires = ["maturin>=1.0,<2.0"]
+build-backend = "maturin"


 [tool.cibuildwheel]
@ -400,7 +466,8 @@ build-backend = "poetry.core.masonry.api"
 # We skip:
 #  - free-threaded cpython builds: these are not currently supported.
 #  - i686: We don't support 32-bit platforms.
-skip = "cp3??t-* *i686*"
+#  - *macosx*: we don't support building wheels for MacOS.
+skip = "cp3??t-* *i686* *macosx*"
 # Enable non-default builds. See the list of available options:
 # https://cibuildwheel.pypa.io/en/stable/options#enable
 #
@ -408,9 +475,6 @@ skip = "cp3??t-* *i686*"
 enable = "pypy"

 # We need a rust compiler.
-#
-# We temporarily pin Rust to 1.82.0 to work around
-# https://github.com/element-hq/synapse/issues/17988
 before-all =  "sh .ci/before_build_wheel.sh"
 environment= { PATH = "$PATH:$HOME/.cargo/bin" }

@ -420,12 +484,3 @@ environment= { PATH = "$PATH:$HOME/.cargo/bin" }
 before-build = "rm -rf {project}/build"
 build-frontend = "build"
 test-command = "python -c 'from synapse.synapse_rust import sum_as_string; print(sum_as_string(1, 2))'"
-
-
-[tool.cibuildwheel.linux]
-# Wrap the repair command to correctly rename the built cpython wheels as ABI3.
-repair-wheel-command = "./.ci/scripts/auditwheel_wrapper.py -w {dest_dir} {wheel}"
-
-[tool.cibuildwheel.macos]
-# Wrap the repair command to correctly rename the built cpython wheels as ABI3.
-repair-wheel-command = "./.ci/scripts/auditwheel_wrapper.py --require-archs {delocate_archs} -w {dest_dir} {wheel}"
--- a/rust/src/duration.rs
+++ b/rust/src/duration.rs
@ -0,0 +1,56 @@
+/*
+ * This file is licensed under the Affero General Public License (AGPL) version 3.
+ *
+ * Copyright (C) 2025 Element Creations, Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * See the GNU Affero General Public License for more details:
+ * <https://www.gnu.org/licenses/agpl-3.0.html>.
+ */
+
+use once_cell::sync::OnceCell;
+use pyo3::{
+    types::{IntoPyDict, PyAnyMethods},
+    Bound, BoundObject, IntoPyObject, Py, PyAny, PyErr, PyResult, Python,
+};
+
+/// A reference to the `synapse.util.duration` module.
+static DURATION: OnceCell<Py<PyAny>> = OnceCell::new();
+
+/// Access to the `synapse.util.duration` module.
+fn duration_module(py: Python<'_>) -> PyResult<&Bound<'_, PyAny>> {
+    Ok(DURATION
+        .get_or_try_init(|| py.import("synapse.util.duration").map(Into::into))?
+        .bind(py))
+}
+
+/// Mirrors the `synapse.util.duration.Duration` Python class.
+pub struct SynapseDuration {
+    microseconds: u64,
+}
+
+impl SynapseDuration {
+    /// For now we only need to create durations from milliseconds.
+    pub fn from_milliseconds(milliseconds: u64) -> Self {
+        Self {
+            microseconds: milliseconds * 1_000,
+        }
+    }
+}
+
+impl<'py> IntoPyObject<'py> for &SynapseDuration {
+    type Target = PyAny;
+    type Output = Bound<'py, Self::Target>;
+    type Error = PyErr;
+
+    fn into_pyobject(self, py: Python<'py>) -> Result<Self::Output, Self::Error> {
+        let duration_module = duration_module(py)?;
+        let kwargs = [("microseconds", self.microseconds)].into_py_dict(py)?;
+        let duration_instance = duration_module.call_method("Duration", (), Some(&kwargs))?;
+        Ok(duration_instance.into_bound())
+    }
+}
--- a/rust/src/lib.rs
+++ b/rust/src/lib.rs
@ -5,6 +5,7 @@ use pyo3::prelude::*;
 use pyo3_log::ResetHandle;

 pub mod acl;
+pub mod duration;
 pub mod errors;
 pub mod events;
 pub mod http;
--- a/rust/src/rendezvous/mod.rs
+++ b/rust/src/rendezvous/mod.rs
@ -35,6 +35,7 @@ use ulid::Ulid;

 use self::session::Session;
 use crate::{
+    duration::SynapseDuration,
    errors::{NotFoundError, SynapseError},
    http::{http_request_from_twisted, http_response_to_twisted, HeaderMapPyExt},
    UnwrapInfallible,
@ -132,6 +133,8 @@ impl RendezvousHandler {
            .unwrap_infallible()
            .unbind();

+        let eviction_duration = SynapseDuration::from_milliseconds(eviction_interval);
+
        // Construct a Python object so that we can get a reference to the
        // evict method and schedule it to run.
        let self_ = Py::new(
@ -149,7 +152,7 @@ impl RendezvousHandler {
        let evict = self_.getattr(py, "_evict")?;
        homeserver.call_method0("get_clock")?.call_method(
            "looping_call",
-            (evict, eviction_interval),
+            (evict, &eviction_duration),
            None,
        )?;

--- a/schema/synapse-config.schema.yaml
+++ b/schema/synapse-config.schema.yaml
@ -1,5 +1,5 @@
 $schema: https://element-hq.github.io/synapse/latest/schema/v1/meta.schema.json
-$id: https://element-hq.github.io/synapse/schema/synapse/v1.143/synapse-config.schema.json
+$id: https://element-hq.github.io/synapse/schema/synapse/v1.145/synapse-config.schema.json
 type: object
 properties:
  modules:
@ -2274,6 +2274,16 @@ properties:
    examples:
      - per_second: 1.0
        burst_count: 5.0
+  rc_user_directory:
+    $ref: "#/$defs/rc"
+    description: >-
+      This option allows admins to ratelimit searches in the user directory.
+
+
+      _Added in Synapse 1.145.0._
+    default:
+      per_second: 0.016
+      burst_count: 200.0
  federation_rr_transactions_per_room_per_second:
    type: integer
    description: >-
@ -2338,6 +2348,19 @@ properties:
    default: true
    examples:
      - false
+  enable_local_media_storage:
+    type: boolean
+    description: >-
+      Enable the local on-disk media storage provider. When disabled, media is
+      stored only in configured `media_storage_providers` and temporary files are
+      used for processing.
+      
+      **Warning:** If this option is set to `false` and no `media_storage_providers`
+      are configured, all media requests will return 404 errors as there will be
+      no storage backend available.
+    default: true
+    examples:
+      - false
  media_store_path:
    type: string
    description: Directory where uploaded images and attachments are stored.
--- a/scripts-dev/build_debian_packages.py
+++ b/scripts-dev/build_debian_packages.py
@ -31,7 +31,7 @@ DISTS = (
    "debian:sid",  # (rolling distro, no EOL)
    "ubuntu:jammy",  # 22.04 LTS (EOL 2027-04) (our EOL forced by Python 3.10 is 2026-10-04)
    "ubuntu:noble",  # 24.04 LTS (EOL 2029-06)
-    "ubuntu:plucky",  # 25.04 (EOL 2026-01)
+    "ubuntu:questing",  # 25.10 (EOL 2026-07)
    "debian:trixie",  # (EOL not specified yet)
 )

@ -94,6 +94,7 @@ class Builder:
        build_args = (
            (
                "docker",
+                "buildx",
                "build",
                "--tag",
                "dh-venv-builder:" + tag,
--- a/scripts-dev/check_schema_delta.py
+++ b/scripts-dev/check_schema_delta.py
@ -9,15 +9,10 @@ from typing import Any

 import click
 import git
+import sqlglot
+import sqlglot.expressions

 SCHEMA_FILE_REGEX = re.compile(r"^synapse/storage/schema/(.*)/delta/(.*)/(.*)$")
-INDEX_CREATION_REGEX = re.compile(
-    r"CREATE .*INDEX .*ON ([a-z_0-9]+)", flags=re.IGNORECASE
-)
-INDEX_DELETION_REGEX = re.compile(r"DROP .*INDEX ([a-z_0-9]+)", flags=re.IGNORECASE)
-TABLE_CREATION_REGEX = re.compile(
-    r"CREATE .*TABLE.* ([a-z_0-9]+)\s*\(", flags=re.IGNORECASE
-)

 # The base branch we want to check against. We use the main development branch
 # on the assumption that is what we are developing against.
@ -141,6 +136,9 @@ def main(force_colors: bool) -> None:
            color=force_colors,
        )

+        # Mark this run as not successful, but continue so that we report *all*
+        # errors.
+        return_code = 1
    else:
        click.secho(
            f"All deltas are in the correct folder: {current_schema_version}!",
@ -153,60 +151,98 @@ def main(force_colors: bool) -> None:
    # and delta files are also numbered in order.
    changed_delta_files.sort()

-    # Now check that we're not trying to create or drop indices. If we want to
-    # do that they should be in background updates. The exception is when we
-    # create indices on tables we've just created.
-    created_tables = set()
-    for delta_file in changed_delta_files:
-        with open(delta_file) as fd:
-            delta_lines = fd.readlines()
-
-        for line in delta_lines:
-            # Strip SQL comments
-            line = line.split("--", maxsplit=1)[0]
-
-            # Check and track any tables we create
-            match = TABLE_CREATION_REGEX.search(line)
-            if match:
-                table_name = match.group(1)
-                created_tables.add(table_name)
-
-            # Check for dropping indices, these are always banned
-            match = INDEX_DELETION_REGEX.search(line)
-            if match:
-                clause = match.group()
-
-                click.secho(
-                    f"Found delta with index deletion: '{clause}' in {delta_file}",
-                    fg="red",
-                    bold=True,
-                    color=force_colors,
-                )
-                click.secho(
-                    " ↪ These should be in background updates.",
-                )
-                return_code = 1
-
-            # Check for index creation, which is only allowed for tables we've
-            # created.
-            match = INDEX_CREATION_REGEX.search(line)
-            if match:
-                clause = match.group()
-                table_name = match.group(1)
-                if table_name not in created_tables:
-                    click.secho(
-                        f"Found delta with index creation for existing table: '{clause}' in {delta_file}",
-                        fg="red",
-                        bold=True,
-                        color=force_colors,
-                    )
-                    click.secho(
-                        " ↪ These should be in background updates (or the table should be created in the same delta).",
-                    )
-                    return_code = 1
+    success = check_schema_delta(changed_delta_files, force_colors)
+    if not success:
+        return_code = 1

    click.get_current_context().exit(return_code)


+def check_schema_delta(delta_files: list[str], force_colors: bool) -> bool:
+    """Check that the given schema delta files do not create or drop indices
+    inappropriately.
+
+    Index creation is only allowed on tables created in the same set of deltas.
+
+    Index deletion is never allowed and should be done in background updates.
+
+    Returns:
+        True if all checks succeeded, False if at least one failed.
+    """
+
+    # The tables created in this delta
+    created_tables = set[str]()
+
+    # The indices created/dropped in this delta, each a tuple of (table_name, sql)
+    created_indices = list[tuple[str, str]]()
+
+    # The indices dropped in this delta, just the sql
+    dropped_indices = list[str]()
+
+    for delta_file in delta_files:
+        with open(delta_file) as fd:
+            delta_contents = fd.read()
+
+        # Assume the SQL dialect from the file extension, defaulting to Postgres.
+        sql_lang = "postgres"
+        if delta_file.endswith(".sqlite"):
+            sql_lang = "sqlite"
+        elif delta_file.endswith(".py"):
+            click.secho(
+                f"Skipping Python delta file: '{delta_file}'",
+                fg="yellow",
+                bold=True,
+                color=force_colors,
+            )
+            return True
+
+        statements = sqlglot.parse(delta_contents, read=sql_lang)
+
+        for statement in statements:
+            if isinstance(statement, sqlglot.expressions.Create):
+                if statement.kind == "TABLE":
+                    assert isinstance(statement.this, sqlglot.expressions.Schema)
+                    assert isinstance(statement.this.this, sqlglot.expressions.Table)
+
+                    table_name = statement.this.this.name
+                    created_tables.add(table_name)
+                elif statement.kind == "INDEX":
+                    assert isinstance(statement.this, sqlglot.expressions.Index)
+
+                    table_name = statement.this.args["table"].name
+                    created_indices.append((table_name, statement.sql()))
+            elif isinstance(statement, sqlglot.expressions.Drop):
+                if statement.kind == "INDEX":
+                    dropped_indices.append(statement.sql())
+
+    success = True
+    for table_name, clause in created_indices:
+        if table_name not in created_tables:
+            click.secho(
+                f"Found delta with index creation for existing table: '{clause}'",
+                fg="red",
+                bold=True,
+                color=force_colors,
+            )
+            click.secho(
+                " ↪ These should be in background updates (or the table should be created in the same delta).",
+            )
+            success = False
+
+    for clause in dropped_indices:
+        click.secho(
+            f"Found delta with index deletion: '{clause}'",
+            fg="red",
+            bold=True,
+            color=force_colors,
+        )
+        click.secho(
+            " ↪ These should be in background updates.",
+        )
+        success = False
+
+    return success
+
+
 if __name__ == "__main__":
    main()
--- a/scripts-dev/complement.sh
+++ b/scripts-dev/complement.sh
@ -72,153 +72,151 @@ For help on arguments to 'go test', run 'go help testflag'.
 EOF
 }

-# parse our arguments
-skip_docker_build=""
-skip_complement_run=""
-while [ $# -ge 1 ]; do
+# We use a function to wrap the script logic so that we can use `return` to exit early
+# if needed. This is particularly useful so that this script can be sourced by other
+# scripts without exiting the calling subshell (composable). This allows us to share
+# variables like `SYNAPSE_SUPPORTED_COMPLEMENT_TEST_PACKAGES` with other scripts.
+#
+# Returns an exit code of 0 on success, or 1 on failure.
+main() {
+  # parse our arguments
+  skip_docker_build=""
+  skip_complement_run=""
+  while [ $# -ge 1 ]; do
    arg=$1
    case "$arg" in
-        "-h")
-            usage
-            exit 1
-            ;;
-        "-f"|"--fast")
-            skip_docker_build=1
-            ;;
-        "--build-only")
-            skip_complement_run=1
-            ;;
-        "-e"|"--editable")
-            use_editable_synapse=1
-            ;;
-        "--rebuild-editable")
-            rebuild_editable_synapse=1
-            ;;
-        *)
-            # unknown arg: presumably an argument to gotest. break the loop.
-            break
+      "-h")
+        usage
+        return 1
+        ;;
+      "-f"|"--fast")
+        skip_docker_build=1
+        ;;
+      "--build-only")
+        skip_complement_run=1
+        ;;
+      "-e"|"--editable")
+        use_editable_synapse=1
+        ;;
+      "--rebuild-editable")
+        rebuild_editable_synapse=1
+        ;;
+      *)
+        # unknown arg: presumably an argument to gotest. break the loop.
+        break
    esac
    shift
-done
+  done

-# enable buildkit for the docker builds
-export DOCKER_BUILDKIT=1
+  # enable buildkit for the docker builds
+  export DOCKER_BUILDKIT=1

-# Determine whether to use the docker or podman container runtime.
-if [ -n "$PODMAN" ]; then
-  export CONTAINER_RUNTIME=podman
-  export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/podman/podman.sock
-  export BUILDAH_FORMAT=docker
-  export COMPLEMENT_HOSTNAME_RUNNING_COMPLEMENT=host.containers.internal
-else
-  export CONTAINER_RUNTIME=docker
-fi
+  # Determine whether to use the docker or podman container runtime.
+  if [ -n "$PODMAN" ]; then
+    export CONTAINER_RUNTIME=podman
+    export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/podman/podman.sock
+    export BUILDAH_FORMAT=docker
+    export COMPLEMENT_HOSTNAME_RUNNING_COMPLEMENT=host.containers.internal
+  else
+    export CONTAINER_RUNTIME=docker
+  fi

-# Change to the repository root
-cd "$(dirname $0)/.."
+  # Change to the repository root
+  cd "$(dirname $0)/.."

-# Check for a user-specified Complement checkout
-if [[ -z "$COMPLEMENT_DIR" ]]; then
-  COMPLEMENT_REF=${COMPLEMENT_REF:-main}
-  echo "COMPLEMENT_DIR not set. Fetching Complement checkout from ${COMPLEMENT_REF}..."
-  wget -Nq https://github.com/matrix-org/complement/archive/${COMPLEMENT_REF}.tar.gz
-  tar -xzf ${COMPLEMENT_REF}.tar.gz
-  COMPLEMENT_DIR=complement-${COMPLEMENT_REF}
-  echo "Checkout available at 'complement-${COMPLEMENT_REF}'"
-fi
+  # Check for a user-specified Complement checkout
+  if [[ -z "$COMPLEMENT_DIR" ]]; then
+    COMPLEMENT_REF=${COMPLEMENT_REF:-main}
+    echo "COMPLEMENT_DIR not set. Fetching Complement checkout from ${COMPLEMENT_REF}..."
+    wget -Nq https://github.com/matrix-org/complement/archive/${COMPLEMENT_REF}.tar.gz
+    tar -xzf ${COMPLEMENT_REF}.tar.gz
+    COMPLEMENT_DIR=complement-${COMPLEMENT_REF}
+    echo "Checkout available at 'complement-${COMPLEMENT_REF}'"
+  fi

-if [ -n "$use_editable_synapse" ]; then
+  if [ -n "$use_editable_synapse" ]; then
    if [[ -e synapse/synapse_rust.abi3.so ]]; then
-        # In an editable install, back up the host's compiled Rust module to prevent
-        # inconvenience; the container will overwrite the module with its own copy.
-        mv -n synapse/synapse_rust.abi3.so synapse/synapse_rust.abi3.so~host
-        # And restore it on exit:
-        synapse_pkg=`realpath synapse`
-        trap "mv -f '$synapse_pkg/synapse_rust.abi3.so~host' '$synapse_pkg/synapse_rust.abi3.so'" EXIT
+      # In an editable install, back up the host's compiled Rust module to prevent
+      # inconvenience; the container will overwrite the module with its own copy.
+      mv -n synapse/synapse_rust.abi3.so synapse/synapse_rust.abi3.so~host
+      # And restore it on exit:
+      synapse_pkg=`realpath synapse`
+      trap "mv -f '$synapse_pkg/synapse_rust.abi3.so~host' '$synapse_pkg/synapse_rust.abi3.so'" EXIT
    fi

    editable_mount="$(realpath .):/editable-src:z"
    if [ -n "$rebuild_editable_synapse" ]; then
-        unset skip_docker_build
+      unset skip_docker_build
    elif $CONTAINER_RUNTIME inspect complement-synapse-editable &>/dev/null; then
-        # complement-synapse-editable already exists: see if we can still use it:
-        # - The Rust module must still be importable; it will fail to import if the Rust source has changed.
-        # - The Poetry lock file must be the same (otherwise we assume dependencies have changed)
+      # complement-synapse-editable already exists: see if we can still use it:
+      # - The Rust module must still be importable; it will fail to import if the Rust source has changed.
+      # - The Poetry lock file must be the same (otherwise we assume dependencies have changed)

-        # First set up the module in the right place for an editable installation.
-        $CONTAINER_RUNTIME run --rm -v $editable_mount --entrypoint 'cp' complement-synapse-editable -- /synapse_rust.abi3.so.bak /editable-src/synapse/synapse_rust.abi3.so
+      # First set up the module in the right place for an editable installation.
+      $CONTAINER_RUNTIME run --rm -v $editable_mount --entrypoint 'cp' complement-synapse-editable -- /synapse_rust.abi3.so.bak /editable-src/synapse/synapse_rust.abi3.so

-        if ($CONTAINER_RUNTIME run --rm -v $editable_mount --entrypoint 'python' complement-synapse-editable -c 'import synapse.synapse_rust' \
-            && $CONTAINER_RUNTIME run --rm -v $editable_mount --entrypoint 'diff' complement-synapse-editable --brief /editable-src/poetry.lock /poetry.lock.bak); then
-            skip_docker_build=1
-        else
-            echo "Editable Synapse image is stale. Will rebuild."
-            unset skip_docker_build
-        fi
+      if ($CONTAINER_RUNTIME run --rm -v $editable_mount --entrypoint 'python' complement-synapse-editable -c 'import synapse.synapse_rust' \
+        && $CONTAINER_RUNTIME run --rm -v $editable_mount --entrypoint 'diff' complement-synapse-editable --brief /editable-src/poetry.lock /poetry.lock.bak); then
+        skip_docker_build=1
+      else
+        echo "Editable Synapse image is stale. Will rebuild."
+        unset skip_docker_build
+      fi
    fi
-fi
+  fi

-if [ -z "$skip_docker_build" ]; then
+  if [ -z "$skip_docker_build" ]; then
    if [ -n "$use_editable_synapse" ]; then

-        # Build a special image designed for use in development with editable
-        # installs.
-        $CONTAINER_RUNTIME build -t synapse-editable \
-            -f "docker/editable.Dockerfile" .
+      # Build a special image designed for use in development with editable
+      # installs.
+      $CONTAINER_RUNTIME build -t synapse-editable \
+        -f "docker/editable.Dockerfile" .

-        $CONTAINER_RUNTIME build -t synapse-workers-editable \
-            --build-arg FROM=synapse-editable \
-            -f "docker/Dockerfile-workers" .
+      $CONTAINER_RUNTIME build -t synapse-workers-editable \
+        --build-arg FROM=synapse-editable \
+        -f "docker/Dockerfile-workers" .

-        $CONTAINER_RUNTIME build -t complement-synapse-editable \
-            --build-arg FROM=synapse-workers-editable \
-            -f "docker/complement/Dockerfile" "docker/complement"
+      $CONTAINER_RUNTIME build -t complement-synapse-editable \
+        --build-arg FROM=synapse-workers-editable \
+        -f "docker/complement/Dockerfile" "docker/complement"

-        # Prepare the Rust module
-        $CONTAINER_RUNTIME run --rm -v $editable_mount --entrypoint 'cp' complement-synapse-editable -- /synapse_rust.abi3.so.bak /editable-src/synapse/synapse_rust.abi3.so
+      # Prepare the Rust module
+      $CONTAINER_RUNTIME run --rm -v $editable_mount --entrypoint 'cp' complement-synapse-editable -- /synapse_rust.abi3.so.bak /editable-src/synapse/synapse_rust.abi3.so

    else

-        # Build the base Synapse image from the local checkout
-        echo_if_github "::group::Build Docker image: matrixdotorg/synapse"
-        $CONTAINER_RUNTIME build -t matrixdotorg/synapse \
-        --build-arg TEST_ONLY_SKIP_DEP_HASH_VERIFICATION \
-        --build-arg TEST_ONLY_IGNORE_POETRY_LOCKFILE \
-        -f "docker/Dockerfile" .
-        echo_if_github "::endgroup::"
+      # Build the base Synapse image from the local checkout
+      echo_if_github "::group::Build Docker image: matrixdotorg/synapse"
+      $CONTAINER_RUNTIME build -t matrixdotorg/synapse \
+      --build-arg TEST_ONLY_SKIP_DEP_HASH_VERIFICATION \
+      --build-arg TEST_ONLY_IGNORE_POETRY_LOCKFILE \
+      -f "docker/Dockerfile" .
+      echo_if_github "::endgroup::"

-        # Build the workers docker image (from the base Synapse image we just built).
-        echo_if_github "::group::Build Docker image: matrixdotorg/synapse-workers"
-        $CONTAINER_RUNTIME build -t matrixdotorg/synapse-workers -f "docker/Dockerfile-workers" .
-        echo_if_github "::endgroup::"
+      # Build the workers docker image (from the base Synapse image we just built).
+      echo_if_github "::group::Build Docker image: matrixdotorg/synapse-workers"
+      $CONTAINER_RUNTIME build -t matrixdotorg/synapse-workers -f "docker/Dockerfile-workers" .
+      echo_if_github "::endgroup::"

-        # Build the unified Complement image (from the worker Synapse image we just built).
-        echo_if_github "::group::Build Docker image: complement/Dockerfile"
-        $CONTAINER_RUNTIME build -t complement-synapse \
-            `# This is the tag we end up pushing to the registry (see` \
-            `# .github/workflows/push_complement_image.yml) so let's just label it now` \
-            `# so people can reference it by the same name locally.` \
-            -t ghcr.io/element-hq/synapse/complement-synapse \
-            -f "docker/complement/Dockerfile" "docker/complement"
-        echo_if_github "::endgroup::"
+      # Build the unified Complement image (from the worker Synapse image we just built).
+      echo_if_github "::group::Build Docker image: complement/Dockerfile"
+      $CONTAINER_RUNTIME build -t complement-synapse \
+        `# This is the tag we end up pushing to the registry (see` \
+        `# .github/workflows/push_complement_image.yml) so let's just label it now` \
+        `# so people can reference it by the same name locally.` \
+        -t ghcr.io/element-hq/synapse/complement-synapse \
+        -f "docker/complement/Dockerfile" "docker/complement"
+      echo_if_github "::endgroup::"

    fi
-fi
+  
+    echo "Docker images built."
+  else
+    echo "Skipping Docker image build as requested."
+  fi

-if [ -n "$skip_complement_run" ]; then
-    echo "Skipping Complement run as requested."
-    exit
-fi
-
-export COMPLEMENT_BASE_IMAGE=complement-synapse
-if [ -n "$use_editable_synapse" ]; then
-    export COMPLEMENT_BASE_IMAGE=complement-synapse-editable
-    export COMPLEMENT_HOST_MOUNTS="$editable_mount"
-fi
-
-extra_test_args=()
-
-test_packages=(
+  test_packages=(
    ./tests/csapi
    ./tests
    ./tests/msc3874
@ -231,71 +229,104 @@ test_packages=(
    ./tests/msc4140
    ./tests/msc4155
    ./tests/msc4306
-)
+  )

-# Enable dirty runs, so tests will reuse the same container where possible.
-# This significantly speeds up tests, but increases the possibility of test pollution.
-export COMPLEMENT_ENABLE_DIRTY_RUNS=1
+  # Export the list of test packages as a space-separated environment variable, so other
+  # scripts can use it.
+  export SYNAPSE_SUPPORTED_COMPLEMENT_TEST_PACKAGES="${test_packages[@]}"

-# All environment variables starting with PASS_ will be shared.
-# (The prefix is stripped off before reaching the container.)
-export COMPLEMENT_SHARE_ENV_PREFIX=PASS_
-
-# It takes longer than 10m to run the whole suite.
-extra_test_args+=("-timeout=60m")
-
-if [[ -n "$WORKERS" ]]; then
-  # Use workers.
-  export PASS_SYNAPSE_COMPLEMENT_USE_WORKERS=true
-
-  # Pass through the workers defined. If none, it will be an empty string
-  export PASS_SYNAPSE_WORKER_TYPES="$WORKER_TYPES"
-
-  # Workers can only use Postgres as a database.
-  export PASS_SYNAPSE_COMPLEMENT_DATABASE=postgres
-
-  # And provide some more configuration to complement.
-
-  # It can take quite a while to spin up a worker-mode Synapse for the first
-  # time (the main problem is that we start 14 python processes for each test,
-  # and complement likes to do two of them in parallel).
-  export COMPLEMENT_SPAWN_HS_TIMEOUT_SECS=120
-else
-  export PASS_SYNAPSE_COMPLEMENT_USE_WORKERS=
-  if [[ -n "$POSTGRES" ]]; then
-    export PASS_SYNAPSE_COMPLEMENT_DATABASE=postgres
-  else
-    export PASS_SYNAPSE_COMPLEMENT_DATABASE=sqlite
+  export COMPLEMENT_BASE_IMAGE=complement-synapse
+  if [ -n "$use_editable_synapse" ]; then
+    export COMPLEMENT_BASE_IMAGE=complement-synapse-editable
+    export COMPLEMENT_HOST_MOUNTS="$editable_mount"
  fi
+
+  # Enable dirty runs, so tests will reuse the same container where possible.
+  # This significantly speeds up tests, but increases the possibility of test pollution.
+  export COMPLEMENT_ENABLE_DIRTY_RUNS=1
+
+  # All environment variables starting with PASS_ will be shared.
+  # (The prefix is stripped off before reaching the container.)
+  export COMPLEMENT_SHARE_ENV_PREFIX=PASS_
+
+  # * -count=1: Only run tests once, and disable caching for tests.
+  # * -v: Output test logs, even if those tests pass.
+  # * -tags=synapse_blacklist: Enable the `synapse_blacklist` build tag, which is
+  #   necessary for `runtime.Synapse` checks/skips to work in the tests
+  test_args=(
+    -v
+    -tags="synapse_blacklist"
+    -count=1
+  )
+
+  # It takes longer than 10m to run the whole suite.
+  test_args+=("-timeout=60m")
+
+  if [[ -n "$WORKERS" ]]; then
+    # Use workers.
+    export PASS_SYNAPSE_COMPLEMENT_USE_WORKERS=true
+
+    # Pass through the workers defined. If none, it will be an empty string
+    export PASS_SYNAPSE_WORKER_TYPES="$WORKER_TYPES"
+
+    # Workers can only use Postgres as a database.
+    export PASS_SYNAPSE_COMPLEMENT_DATABASE=postgres
+
+    # And provide some more configuration to complement.
+
+    # It can take quite a while to spin up a worker-mode Synapse for the first
+    # time (the main problem is that we start 14 python processes for each test,
+    # and complement likes to do two of them in parallel).
+    export COMPLEMENT_SPAWN_HS_TIMEOUT_SECS=120
+  else
+    export PASS_SYNAPSE_COMPLEMENT_USE_WORKERS=
+    if [[ -n "$POSTGRES" ]]; then
+      export PASS_SYNAPSE_COMPLEMENT_DATABASE=postgres
+    else
+      export PASS_SYNAPSE_COMPLEMENT_DATABASE=sqlite
+    fi
+  fi
+
+  if [[ -n "$ASYNCIO_REACTOR" ]]; then
+    # Enable the Twisted asyncio reactor
+    export PASS_SYNAPSE_COMPLEMENT_USE_ASYNCIO_REACTOR=true
+  fi
+
+  if [[ -n "$UNIX_SOCKETS" ]]; then
+    # Enable full on Unix socket mode for Synapse, Redis and Postgresql
+    export PASS_SYNAPSE_USE_UNIX_SOCKET=1
+  fi
+
+  if [[ -n "$SYNAPSE_TEST_LOG_LEVEL" ]]; then
+    # Set the log level to what is desired
+    export PASS_SYNAPSE_LOG_LEVEL="$SYNAPSE_TEST_LOG_LEVEL"
+
+    # Allow logging sensitive things (currently SQL queries & parameters).
+    # (This won't have any effect if we're not logging at DEBUG level overall.)
+    # Since this is just a test suite, this is fine and won't reveal anyone's
+    # personal information
+    export PASS_SYNAPSE_LOG_SENSITIVE=1
+  fi
+
+  # Log a few more useful things for a developer attempting to debug something
+  # particularly tricky.
+  export PASS_SYNAPSE_LOG_TESTING=1
+
+  if [ -n "$skip_complement_run" ]; then
+    echo "Skipping Complement run as requested."
+    return 0
+  fi
+  
+  # Run the tests!
+  echo "Running Complement with ${test_args[@]} $@ ${test_packages[@]}"
+  cd "$COMPLEMENT_DIR"
+  go test "${test_args[@]}" "$@" "${test_packages[@]}"
+}
+
+main "$@"
+# For any non-zero exit code (indicating some sort of error happened), we want to exit
+# with that code.
+exit_code=$?
+if [ $exit_code -ne 0 ]; then
+    exit $exit_code
 fi
-
-if [[ -n "$ASYNCIO_REACTOR" ]]; then
-  # Enable the Twisted asyncio reactor
-  export PASS_SYNAPSE_COMPLEMENT_USE_ASYNCIO_REACTOR=true
-fi
-
-if [[ -n "$UNIX_SOCKETS" ]]; then
-  # Enable full on Unix socket mode for Synapse, Redis and Postgresql
-  export PASS_SYNAPSE_USE_UNIX_SOCKET=1
-fi
-
-if [[ -n "$SYNAPSE_TEST_LOG_LEVEL" ]]; then
-  # Set the log level to what is desired
-  export PASS_SYNAPSE_LOG_LEVEL="$SYNAPSE_TEST_LOG_LEVEL"
-
-  # Allow logging sensitive things (currently SQL queries & parameters).
-  # (This won't have any effect if we're not logging at DEBUG level overall.)
-  # Since this is just a test suite, this is fine and won't reveal anyone's
-  # personal information
-  export PASS_SYNAPSE_LOG_SENSITIVE=1
-fi
-
-# Log a few more useful things for a developer attempting to debug something
-# particularly tricky.
-export PASS_SYNAPSE_LOG_TESTING=1
-
-# Run the tests!
-echo "Images built; running complement with ${extra_test_args[@]} $@ ${test_packages[@]}"
-cd "$COMPLEMENT_DIR"
-
-go test -v -tags "synapse_blacklist" -count=1 "${extra_test_args[@]}" "$@" "${test_packages[@]}"
--- a/scripts-dev/federation_client.py
+++ b/scripts-dev/federation_client.py
@ -145,7 +145,7 @@ def request(
    print("Requesting %s" % dest, file=sys.stderr)

    s = requests.Session()
-    s.mount("matrix-federation://", MatrixConnectionAdapter())
+    s.mount("matrix-federation://", MatrixConnectionAdapter(verify_tls=verify_tls))

    headers: dict[str, str] = {
        "Authorization": authorization_headers[0],
@ -267,6 +267,17 @@ def read_args_from_config(args: argparse.Namespace) -> None:


 class MatrixConnectionAdapter(HTTPAdapter):
+    """
+    A Matrix federation-aware HTTP Adapter.
+    """
+
+    verify_tls: bool
+    """whether to verify the remote server's TLS certificate."""
+
+    def __init__(self, verify_tls: bool = True) -> None:
+        self.verify_tls = verify_tls
+        super().__init__()
+
    def send(
        self,
        request: PreparedRequest,
@ -280,7 +291,7 @@ class MatrixConnectionAdapter(HTTPAdapter):
        assert isinstance(request.url, str)
        parsed = urlparse.urlsplit(request.url)
        server_name = parsed.netloc
-        well_known = self._get_well_known(parsed.netloc)
+        well_known = self._get_well_known(parsed.netloc, verify_tls=self.verify_tls)

        if well_known:
            server_name = well_known
@ -318,6 +329,21 @@ class MatrixConnectionAdapter(HTTPAdapter):
        print(
            f"Connecting to {host}:{port} with SNI {ssl_server_name}", file=sys.stderr
        )
+
+        if proxies:
+            scheme = parsed.scheme
+            if isinstance(scheme, bytes):
+                scheme = scheme.decode("utf-8")
+
+            proxy_for_scheme = proxies.get(scheme)
+            if proxy_for_scheme:
+                return self.proxy_manager_for(proxy_for_scheme).connection_from_host(
+                    host,
+                    port=port,
+                    scheme="https",
+                    pool_kwargs={"server_hostname": ssl_server_name},
+                )
+
        return self.poolmanager.connection_from_host(
            host,
            port=port,
@ -368,7 +394,7 @@ class MatrixConnectionAdapter(HTTPAdapter):
            return server_name, 8448, server_name

    @staticmethod
-    def _get_well_known(server_name: str) -> str | None:
+    def _get_well_known(server_name: str, verify_tls: bool = True) -> str | None:
        if ":" in server_name:
            # explicit port, or ipv6 literal. Either way, no .well-known
            return None
@ -379,7 +405,7 @@ class MatrixConnectionAdapter(HTTPAdapter):
        print(f"fetching {uri}", file=sys.stderr)

        try:
-            resp = requests.get(uri)
+            resp = requests.get(uri, verify=verify_tls)
            if resp.status_code != 200:
                print("%s gave %i" % (uri, resp.status_code), file=sys.stderr)
                return None
--- a/scripts-dev/mypy_synapse_plugin.py
+++ b/scripts-dev/mypy_synapse_plugin.py
@ -133,6 +133,7 @@ prometheus_metric_fullname_to_label_arg_map: Mapping[str, ArgLocation | None] =
    "prometheus_client.metrics.Info": ArgLocation("labelnames", 2),
    "prometheus_client.metrics.Enum": ArgLocation("labelnames", 2),
    "synapse.metrics.LaterGauge": ArgLocation("labelnames", 2),
+    "synapse.metrics._InFlightGaugeRuntime": ArgLocation("labels", 2),
    "synapse.metrics.InFlightGauge": ArgLocation("labels", 2),
    "synapse.metrics.GaugeBucketCollector": ArgLocation("labelnames", 2),
    "prometheus_client.registry.Collector": None,
--- a/scripts-dev/release.py
+++ b/scripts-dev/release.py
@ -32,7 +32,7 @@ import time
 import urllib.request
 from os import path
 from tempfile import TemporaryDirectory
-from typing import Any, Match
+from typing import Any

 import attr
 import click
@ -291,6 +291,12 @@ def _prepare() -> None:
    synapse_repo.git.add("-u")
    subprocess.run("git diff --cached", shell=True)

+    print(
+        "Consider any upcoming platform deprecations that should be mentioned in the changelog. (e.g. upcoming Python, PostgreSQL or SQLite deprecations)"
+    )
+    print(
+        "Platform deprecations should be mentioned at least 1 release prior to being unsupported."
+    )
    if click.confirm("Edit changelog?", default=False):
        click.edit(filename="CHANGES.md")

@ -449,19 +455,19 @@ def _publish(gh_token: str) -> None:
    gh = Github(auth=github.Auth.Token(token=gh_token))
    gh_repo = gh.get_repo("element-hq/synapse")
    for release in gh_repo.get_releases():
-        if release.title == tag_name:
+        if release.name == tag_name:
            break
    else:
        raise ClickException(f"Failed to find GitHub release for {tag_name}")

-    assert release.title == tag_name
+    assert release.name == tag_name

    if not release.draft:
        click.echo("Release already published.")
        return

    release = release.update_release(
-        name=release.title,
+        name=release.name,
        message=release.body,
        tag_name=release.tag_name,
        prerelease=release.prerelease,
@ -962,10 +968,6 @@ def generate_and_write_changelog(
    new_changes = new_changes.replace(
        "No significant changes.", f"No significant changes since {current_version}."
    )
-    new_changes += build_dependabot_changelog(
-        repo,
-        current_version,
-    )

    # Prepend changes to changelog
    with open("CHANGES.md", "r+") as f:
@ -980,49 +982,5 @@ def generate_and_write_changelog(
        os.remove(filename)


-def build_dependabot_changelog(repo: Repo, current_version: version.Version) -> str:
-    """Summarise dependabot commits between `current_version` and `release_branch`.
-
-    Returns an empty string if there have been no such commits; otherwise outputs a
-    third-level markdown header followed by an unordered list."""
-    last_release_commit = repo.tag("v" + str(current_version)).commit
-    rev_spec = f"{last_release_commit.hexsha}.."
-    commits = list(git.objects.Commit.iter_items(repo, rev_spec))
-    messages = []
-    for commit in reversed(commits):
-        if commit.author.name == "dependabot[bot]":
-            message: str | bytes = commit.message
-            if isinstance(message, bytes):
-                message = message.decode("utf-8")
-            messages.append(message.split("\n", maxsplit=1)[0])
-
-    if not messages:
-        print(f"No dependabot commits in range {rev_spec}", file=sys.stderr)
-        return ""
-
-    messages.sort()
-
-    def replacer(match: Match[str]) -> str:
-        desc = match.group(1)
-        number = match.group(2)
-        return f"* {desc}. ([\\#{number}](https://github.com/element-hq/synapse/issues/{number}))"
-
-    for i, message in enumerate(messages):
-        messages[i] = re.sub(r"(.*) \(#(\d+)\)$", replacer, message)
-    messages.insert(0, "### Updates to locked dependencies\n")
-    # Add an extra blank line to the bottom of the section
-    messages.append("")
-    return "\n".join(messages)
-
-
-@cli.command()
-@click.argument("since")
-def test_dependabot_changelog(since: str) -> None:
-    """Test building the dependabot changelog.
-
-    Summarises all dependabot commits between the SINCE tag and the current git HEAD."""
-    print(build_dependabot_changelog(git.Repo("."), version.Version(since)))
-
-
 if __name__ == "__main__":
    cli()
--- a/scripts-dev/schema_versions.py
+++ b/scripts-dev/schema_versions.py
@ -172,7 +172,7 @@ if __name__ == "__main__":
        # Expect JSON data on stdin.
        context, book = json.load(sys.stdin)

-        for section in book["sections"]:
+        for section in book["items"]:
            if "Chapter" in section and section["Chapter"]["path"] == "upgrade.md":
                section["Chapter"]["content"] = section["Chapter"]["content"].replace(
                    "<!-- REPLACE_WITH_SCHEMA_VERSIONS -->", calculate_version_chart()
--- a/synapse/api/constants.py
+++ b/synapse/api/constants.py
@ -29,6 +29,19 @@ from typing import Final
 # the max size of a (canonical-json-encoded) event
 MAX_PDU_SIZE = 65536

+# The maximum allowed size of an HTTP request.
+# Other than media uploads, the biggest request we expect to see is a fully-loaded
+# /federation/v1/send request.
+#
+# The main thing in such a request is up to 50 PDUs, and up to 100 EDUs. PDUs are
+# limited to 65536 bytes (possibly slightly more if the sender didn't use canonical
+# json encoding); there is no specced limit to EDUs (see
+# https://github.com/matrix-org/matrix-doc/issues/3121).
+#
+# in short, we somewhat arbitrarily limit requests to 200 * 64K (about 12.5M)
+#
+MAX_REQUEST_SIZE = 200 * MAX_PDU_SIZE
+
 # Max/min size of ints in canonical JSON
 CANONICALJSON_MAX_INT = (2**53) - 1
 CANONICALJSON_MIN_INT = -CANONICALJSON_MAX_INT
@ -307,6 +320,10 @@ class AccountDataTypes:
    MSC4155_INVITE_PERMISSION_CONFIG: Final = (
        "org.matrix.msc4155.invite_permission_config"
    )
+    # MSC4380: Invite blocking
+    MSC4380_INVITE_PERMISSION_CONFIG: Final = (
+        "org.matrix.msc4380.invite_permission_config"
+    )
    # Synapse-specific behaviour. See "Client-Server API Extensions" documentation
    # in Admin API for more information.
    SYNAPSE_ADMIN_CLIENT_CONFIG: Final = "io.element.synapse.admin_client_config"
--- a/synapse/api/errors.py
+++ b/synapse/api/errors.py
@ -137,7 +137,7 @@ class Codes(str, Enum):
    PROFILE_TOO_LARGE = "M_PROFILE_TOO_LARGE"
    KEY_TOO_LARGE = "M_KEY_TOO_LARGE"

-    # Part of MSC4155
+    # Part of MSC4155/MSC4380
    INVITE_BLOCKED = "ORG.MATRIX.MSC4155.M_INVITE_BLOCKED"

    # Part of MSC4190
@ -856,6 +856,12 @@ class HttpResponseException(CodeMessageException):
        return ProxiedRequestError(self.code, errmsg, errcode, j)


+class HomeServerNotSetupException(Exception):
+    """
+    Raised when an operation is attempted on the HomeServer before setup() has been called.
+    """
+
+
 class ShadowBanError(Exception):
    """
    Raised when a shadow-banned user attempts to perform an action.
--- a/synapse/api/ratelimiting.py
+++ b/synapse/api/ratelimiting.py
@ -27,6 +27,7 @@ from synapse.config.ratelimiting import RatelimitSettings
 from synapse.storage.databases.main import DataStore
 from synapse.types import Requester
 from synapse.util.clock import Clock
+from synapse.util.duration import Duration
 from synapse.util.wheel_timer import WheelTimer

 if TYPE_CHECKING:
@ -100,7 +101,7 @@ class Ratelimiter:
        # and doesn't affect correctness.
        self._timer: WheelTimer[Hashable] = WheelTimer()

-        self.clock.looping_call(self._prune_message_counts, 15 * 1000)
+        self.clock.looping_call(self._prune_message_counts, Duration(seconds=15))

    def _get_key(self, requester: Requester | None, key: Hashable | None) -> Hashable:
        """Use the requester's MXID as a fallback key if no key is provided."""
--- a/synapse/app/init.py
+++ b/synapse/app/init.py
@ -54,7 +54,9 @@ def check_bind_error(
    """
    if address == "0.0.0.0" and "::" in bind_addresses:
        logger.warning(
-            "Failed to listen on 0.0.0.0, continuing because listening on [::]"
+            "Failed to listen on 0.0.0.0, continuing because listening on [::]. Original exception: %s: %s",
+            type(e).__name__,
+            str(e),
        )
    else:
        raise e
--- a/synapse/app/_base.py
+++ b/synapse/app/_base.py
@ -36,12 +36,13 @@ from typing import (
    Awaitable,
    Callable,
    NoReturn,
+    Optional,
    cast,
 )
 from wsgiref.simple_server import WSGIServer

 from cryptography.utils import CryptographyDeprecationWarning
-from typing_extensions import ParamSpec
+from typing_extensions import ParamSpec, assert_never

 import twisted
 from twisted.internet import defer, error, reactor as _reactor
@ -59,12 +60,17 @@ from twisted.python.threadpool import ThreadPool
 from twisted.web.resource import Resource

 import synapse.util.caches
-from synapse.api.constants import MAX_PDU_SIZE
+from synapse.api.constants import MAX_REQUEST_SIZE
 from synapse.app import check_bind_error
 from synapse.config import ConfigError
 from synapse.config._base import format_config_error
 from synapse.config.homeserver import HomeServerConfig
-from synapse.config.server import ListenerConfig, ManholeConfig, TCPListenerConfig
+from synapse.config.server import (
+    ListenerConfig,
+    ManholeConfig,
+    TCPListenerConfig,
+    UnixListenerConfig,
+)
 from synapse.crypto import context_factory
 from synapse.events.auto_accept_invites import InviteAutoAccepter
 from synapse.events.presence_router import load_legacy_presence_router
@ -413,13 +419,44 @@ def listen_unix(
    ]


+class ListenerException(RuntimeError):
+    """
+    An exception raised when we fail to listen with the given `ListenerConfig`.
+
+    Attributes:
+        listener_config: The listener config that caused the exception.
+    """
+
+    def __init__(
+        self,
+        listener_config: ListenerConfig,
+    ):
+        listener_human_name = ""
+        port = ""
+        if isinstance(listener_config, TCPListenerConfig):
+            listener_human_name = "TCP port"
+            port = str(listener_config.port)
+        elif isinstance(listener_config, UnixListenerConfig):
+            listener_human_name = "unix socket"
+            port = listener_config.path
+        else:
+            assert_never(listener_config)
+
+        super().__init__(
+            "Failed to listen on %s (%s) with the given listener config: %s"
+            % (listener_human_name, port, listener_config)
+        )
+
+        self.listener_config = listener_config
+
+
 def listen_http(
    hs: "HomeServer",
    listener_config: ListenerConfig,
    root_resource: Resource,
    version_string: str,
    max_request_body_size: int,
-    context_factory: IOpenSSLContextFactory | None,
+    context_factory: Optional[IOpenSSLContextFactory],
    reactor: ISynapseReactor = reactor,
 ) -> list[Port]:
    """
@ -447,39 +484,55 @@ def listen_http(
        hs=hs,
    )

-    if isinstance(listener_config, TCPListenerConfig):
-        if listener_config.is_tls():
-            # refresh_certificate should have been called before this.
-            assert context_factory is not None
-            ports = listen_ssl(
-                listener_config.bind_addresses,
-                listener_config.port,
-                site,
-                context_factory,
-                reactor=reactor,
+    try:
+        if isinstance(listener_config, TCPListenerConfig):
+            if listener_config.is_tls():
+                # refresh_certificate should have been called before this.
+                assert context_factory is not None
+                ports = listen_ssl(
+                    listener_config.bind_addresses,
+                    listener_config.port,
+                    site,
+                    context_factory,
+                    reactor=reactor,
+                )
+                logger.info(
+                    "Synapse now listening on TCP port %d (TLS)", listener_config.port
+                )
+            else:
+                ports = listen_tcp(
+                    listener_config.bind_addresses,
+                    listener_config.port,
+                    site,
+                    reactor=reactor,
+                )
+                logger.info(
+                    "Synapse now listening on TCP port %d", listener_config.port
+                )
+
+        elif isinstance(listener_config, UnixListenerConfig):
+            ports = listen_unix(
+                listener_config.path, listener_config.mode, site, reactor=reactor
            )
+            # getHost() returns a UNIXAddress which contains an instance variable of 'name'
+            # encoded as a byte string. Decode as utf-8 so pretty.
            logger.info(
-                "Synapse now listening on TCP port %d (TLS)", listener_config.port
+                "Synapse now listening on Unix Socket at: %s",
+                ports[0].getHost().name.decode("utf-8"),
            )
        else:
-            ports = listen_tcp(
-                listener_config.bind_addresses,
-                listener_config.port,
-                site,
-                reactor=reactor,
-            )
-            logger.info("Synapse now listening on TCP port %d", listener_config.port)
-
-    else:
-        ports = listen_unix(
-            listener_config.path, listener_config.mode, site, reactor=reactor
-        )
-        # getHost() returns a UNIXAddress which contains an instance variable of 'name'
-        # encoded as a byte string. Decode as utf-8 so pretty.
-        logger.info(
-            "Synapse now listening on Unix Socket at: %s",
-            ports[0].getHost().name.decode("utf-8"),
-        )
+            assert_never(listener_config)
+    except Exception as exc:
+        # The Twisted interface says that "Users should not call this function
+        # themselves!" but this appears to be the correct/only way handle proper cleanup
+        # of the site when things go wrong. In the normal case, a `Port` is created
+        # which we can call `Port.stopListening()` on to do the same thing (but no
+        # `Port` is created when an error occurs).
+        #
+        # We use `site.stopFactory()` instead of `site.doStop()` as the latter assumes
+        # that `site.doStart()` was called (which won't be the case if an error occurs).
+        site.stopFactory()
+        raise ListenerException(listener_config) from exc

    return ports

@ -843,17 +896,8 @@ def sdnotify(state: bytes) -> None:
 def max_request_body_size(config: HomeServerConfig) -> int:
    """Get a suitable maximum size for incoming HTTP requests"""

-    # Other than media uploads, the biggest request we expect to see is a fully-loaded
-    # /federation/v1/send request.
-    #
-    # The main thing in such a request is up to 50 PDUs, and up to 100 EDUs. PDUs are
-    # limited to 65536 bytes (possibly slightly more if the sender didn't use canonical
-    # json encoding); there is no specced limit to EDUs (see
-    # https://github.com/matrix-org/matrix-doc/issues/3121).
-    #
-    # in short, we somewhat arbitrarily limit requests to 200 * 64K (about 12.5M)
-    #
-    max_request_size = 200 * MAX_PDU_SIZE
+    # Baseline default for any request that isn't configured in the homeserver config
+    max_request_size = MAX_REQUEST_SIZE

    # if we have a media repo enabled, we may need to allow larger uploads than that
    if config.media.can_load_media_repo:
--- a/synapse/app/admin_cmd.py
+++ b/synapse/app/admin_cmd.py
@ -24,7 +24,7 @@ import logging
 import os
 import sys
 import tempfile
-from typing import Mapping, Sequence
+from typing import Mapping, Optional, Sequence

 from twisted.internet import defer, task

@ -291,7 +291,7 @@ def load_config(argv_options: list[str]) -> tuple[HomeServerConfig, argparse.Nam

 def create_homeserver(
    config: HomeServerConfig,
-    reactor: ISynapseReactor | None = None,
+    reactor: Optional[ISynapseReactor] = None,
 ) -> AdminCmdServer:
    """
    Create a homeserver instance for the Synapse admin command process.
--- a/synapse/app/generic_worker.py
+++ b/synapse/app/generic_worker.py
@ -21,6 +21,7 @@
 #
 import logging
 import sys
+from typing import Optional

 from twisted.web.resource import Resource

@ -335,7 +336,7 @@ def load_config(argv_options: list[str]) -> HomeServerConfig:

 def create_homeserver(
    config: HomeServerConfig,
-    reactor: ISynapseReactor | None = None,
+    reactor: Optional[ISynapseReactor] = None,
 ) -> GenericWorkerServer:
    """
    Create a homeserver instance for the Synapse worker process.
--- a/synapse/app/homeserver.py
+++ b/synapse/app/homeserver.py
@ -22,7 +22,7 @@
 import logging
 import os
 import sys
-from typing import Iterable
+from typing import Iterable, Optional

 from twisted.internet.tcp import Port
 from twisted.web.resource import EncodingResourceWrapper, Resource
@ -350,7 +350,7 @@ def load_or_generate_config(argv_options: list[str]) -> HomeServerConfig:

 def create_homeserver(
    config: HomeServerConfig,
-    reactor: ISynapseReactor | None = None,
+    reactor: Optional[ISynapseReactor] = None,
 ) -> SynapseHomeServer:
    """
    Create a homeserver instance for the Synapse main process.
--- a/synapse/app/phone_stats_home.py
+++ b/synapse/app/phone_stats_home.py
@ -30,24 +30,20 @@ from twisted.internet import defer

 from synapse.metrics import SERVER_NAME_LABEL
 from synapse.types import JsonDict
-from synapse.util.constants import (
-    MILLISECONDS_PER_SECOND,
-    ONE_HOUR_SECONDS,
-    ONE_MINUTE_SECONDS,
-)
+from synapse.util.duration import Duration

 if TYPE_CHECKING:
    from synapse.server import HomeServer

 logger = logging.getLogger("synapse.app.homeserver")

-INITIAL_DELAY_BEFORE_FIRST_PHONE_HOME_SECONDS = 5 * ONE_MINUTE_SECONDS
+INITIAL_DELAY_BEFORE_FIRST_PHONE_HOME = Duration(minutes=5)
 """
 We wait 5 minutes to send the first set of stats as the server can be quite busy the
 first few minutes
 """

-PHONE_HOME_INTERVAL_SECONDS = 3 * ONE_HOUR_SECONDS
+PHONE_HOME_INTERVAL = Duration(hours=3)
 """
 Phone home stats are sent every 3 hours
 """
@ -222,13 +218,13 @@ def start_phone_stats_home(hs: "HomeServer") -> None:
    # table will decrease
    clock.looping_call(
        hs.get_datastores().main.generate_user_daily_visits,
-        5 * ONE_MINUTE_SECONDS * MILLISECONDS_PER_SECOND,
+        Duration(minutes=5),
    )

    # monthly active user limiting functionality
    clock.looping_call(
        hs.get_datastores().main.reap_monthly_active_users,
-        ONE_HOUR_SECONDS * MILLISECONDS_PER_SECOND,
+        Duration(hours=1),
    )
    hs.get_datastores().main.reap_monthly_active_users()

@ -267,14 +263,14 @@ def start_phone_stats_home(hs: "HomeServer") -> None:

    if hs.config.server.limit_usage_by_mau or hs.config.server.mau_stats_only:
        generate_monthly_active_users()
-        clock.looping_call(generate_monthly_active_users, 5 * 60 * 1000)
+        clock.looping_call(generate_monthly_active_users, Duration(minutes=5))
    # End of monthly active user settings

    if hs.config.metrics.report_stats:
        logger.info("Scheduling stats reporting for 3 hour intervals")
        clock.looping_call(
            phone_stats_home,
-            PHONE_HOME_INTERVAL_SECONDS * MILLISECONDS_PER_SECOND,
+            PHONE_HOME_INTERVAL,
            hs,
            stats,
        )
@ -282,14 +278,14 @@ def start_phone_stats_home(hs: "HomeServer") -> None:
        # We need to defer this init for the cases that we daemonize
        # otherwise the process ID we get is that of the non-daemon process
        clock.call_later(
-            0,
+            Duration(seconds=0),
            performance_stats_init,
        )

        # We wait 5 minutes to send the first set of stats as the server can
        # be quite busy the first few minutes
        clock.call_later(
-            INITIAL_DELAY_BEFORE_FIRST_PHONE_HOME_SECONDS,
+            INITIAL_DELAY_BEFORE_FIRST_PHONE_HOME,
            phone_stats_home,
            hs,
            stats,
--- a/synapse/appservice/scheduler.py
+++ b/synapse/appservice/scheduler.py
@ -77,6 +77,7 @@ from synapse.logging.context import run_in_background
 from synapse.storage.databases.main import DataStore
 from synapse.types import DeviceListUpdates, JsonMapping
 from synapse.util.clock import Clock, DelayedCallWrapper
+from synapse.util.duration import Duration

 if TYPE_CHECKING:
    from synapse.server import HomeServer
@ -504,8 +505,8 @@ class _Recoverer:
        self.scheduled_recovery: DelayedCallWrapper | None = None

    def recover(self) -> None:
-        delay = 2**self.backoff_counter
-        logger.info("Scheduling retries on %s in %fs", self.service.id, delay)
+        delay = Duration(seconds=2**self.backoff_counter)
+        logger.info("Scheduling retries on %s in %fs", self.service.id, delay.as_secs())
        self.scheduled_recovery = self.clock.call_later(
            delay,
            self.hs.run_as_background_process,
--- a/synapse/config/_base.py
+++ b/synapse/config/_base.py
@ -44,6 +44,7 @@ import jinja2
 import yaml

 from synapse.types import StrSequence
+from synapse.util.stringutils import parse_and_validate_server_name
 from synapse.util.templates import _create_mxc_to_http_filter, _format_ts_filter

 logger = logging.getLogger(__name__)
@ -465,6 +466,7 @@ class RootConfig:
        generate_secrets: bool = False,
        report_stats: bool | None = None,
        open_private_ports: bool = False,
+        enable_metrics: bool = False,
        listeners: list[dict] | None = None,
        tls_certificate_path: str | None = None,
        tls_private_key_path: str | None = None,
@ -495,9 +497,15 @@ class RootConfig:
            open_private_ports: True to leave private ports (such as the non-TLS
                HTTP listener) open to the internet.

+            enable_metrics: True to set `enable_metrics: true` and when using the
+                default set of listeners, will also add the metrics listener on port 19090.
+
            listeners: A list of descriptions of the listeners synapse should
-                start with each of which specifies a port (int), a list of
-                resources (list(str)), tls (bool) and type (str). For example:
+                start with each of which specifies a port (int), a list of resources
+                (list(str)), tls (bool) and type (str). There is a default set of
+                listeners when `None`.
+
+                Example usage:
                [{
                    "port": 8448,
                    "resources": [{"names": ["federation"]}],
@ -518,6 +526,35 @@ class RootConfig:
        Returns:
            The yaml config file
        """
+        _, bind_port = parse_and_validate_server_name(server_name)
+        if bind_port is not None:
+            unsecure_port = bind_port - 400
+        else:
+            bind_port = 8448
+            unsecure_port = 8008
+
+        # The default listeners
+        if listeners is None:
+            listeners = [
+                {
+                    "port": unsecure_port,
+                    "tls": False,
+                    "type": "http",
+                    "x_forwarded": True,
+                    "resources": [
+                        {"names": ["client", "federation"], "compress": False}
+                    ],
+                }
+            ]
+
+            if enable_metrics:
+                listeners.append(
+                    {
+                        "port": 19090,
+                        "tls": False,
+                        "type": "metrics",
+                    }
+                )

        conf = CONFIG_FILE_HEADER + "\n".join(
            dedent(conf)
@ -529,6 +566,7 @@ class RootConfig:
                generate_secrets=generate_secrets,
                report_stats=report_stats,
                open_private_ports=open_private_ports,
+                enable_metrics=enable_metrics,
                listeners=listeners,
                tls_certificate_path=tls_certificate_path,
                tls_private_key_path=tls_private_key_path,
@ -672,7 +710,8 @@ class RootConfig:
            action="append",
            metavar="CONFIG_FILE",
            help="Specify config file. Can be given multiple times and"
-            " may specify directories containing *.yaml files.",
+            " may specify directories containing *.yaml files."
+            " Top-level keys in later files overwrite ones in earlier files.",
        )
        parser.add_argument(
            "--no-secrets-in-config",
@ -755,6 +794,14 @@ class RootConfig:
                " internet. Do not use this unless you know what you are doing."
            ),
        )
+        generate_group.add_argument(
+            "--enable-metrics",
+            action="store_true",
+            help=(
+                "Sets `enable_metrics: true` and when using the default set of listeners, "
+                "will also add the metrics listener on port 19090."
+            ),
+        )

        cls.invoke_all_static("add_arguments", parser)
        config_args = parser.parse_args(argv_options)
@ -811,6 +858,7 @@ class RootConfig:
                    report_stats=(config_args.report_stats == "yes"),
                    generate_secrets=True,
                    open_private_ports=config_args.open_private_ports,
+                    enable_metrics=config_args.enable_metrics,
                )

                os.makedirs(config_dir_path, exist_ok=True)
--- a/Show more
+++ b/Show more
				`@ -0,0 +1 @@`
				Add a new config option [`enable_local_media_storage`](https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#enable_local_media_storage) which controls whether media is additionally stored locally when using configured `media_storage_providers`. Setting this to `false` allows off-site media storage without a local cache. Contributed by Patrice Brend'amour @dr.allgood.
				`@ -0,0 +1 @@`
				Stabilise support for [MSC4312](https://github.com/matrix-org/matrix-spec-proposals/pull/4312)'s `m.oauth` User-Interactive Auth stage for resetting cross-signing identity with the OAuth 2.0 API. The old, unstable name (`org.matrix.cross_signing_reset`) is now deprecated and will be removed in a future release.
				`@ -0,0 +1 @@`
				Add an internal `cancel_task` API to the task scheduler.
				`@ -0,0 +1 @@`
				Tweak docstrings and signatures of `auth_types_for_event` and `get_catchup_room_event_ids`.
				`@ -0,0 +1 @@`
				`Fix joining a restricted v12 room locally when no local room creator is present but local users with sufficient power levels are. Contributed by @nexy7574.`
				`@ -0,0 +1 @@`
				Fixed parallel calls to `/_matrix/media/v1/create` being ratelimited for appservices even if `rate_limited: false` was set in the registration. Contributed by @tulir @ Beeper.
				`@ -0,0 +1 @@`
				Add [Prometheus HTTP service discovery](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#http_sd_config) endpoint for easy discovery of all workers when using the `docker/Dockerfile-workers` image (see the [Metrics section of our Docker testing docs](docker/README-testing.md#metrics)).
				`@ -0,0 +1 @@`
				Refactor Grafana dashboard to use `server_name` label (instead of `instance`).
				`@ -0,0 +1 @@`
				`Remove docs on legacy metric names (no longer in the codebase since 2022-12-06).`
				`@ -0,0 +1 @@`
				Replace usage of deprecated `assertEquals` with `assertEqual` in unit test code.