Bump version to 1.124.7

| datasource      | package            | from    | to      |
| --------------- | ------------------ | ------- | ------- |
| github-releases | element-hq/synapse | 1.142.1 | 1.143.0 |

CHANGELOG.md

@@ -706,3 +706,808 @@
 * Fix a long-standing spec compliance bug where Synapse would accept a trailing slash on the end of /get_missing_events federation requests. (#13789)
 * Delete associated data from event_failed_pull_attempts, insertion_events, insertion_event_extremities, insertion_event_extremities, insertion_event_extremities when purging the room. (#13825)
 
+[1.52.0]
+* Update Synapse to 1.69.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.69.0)
+* Fix poor performance of the event_push_backfill_thread_id background update, which was introduced in Synapse 1.68.0rc1. (#14172, #14181)
+* Fix an issue with Docker images causing the Rust dependencies to not be pinned correctly. Introduced in v1.68.0 (#14129)
+* Fix a bug introduced in Synapse 1.69.0rc1 which would cause registration replication requests to fail if the worker sending the request is not running Synapse 1.69. (#14135)
+* Fix error in background update when rotating existing notifications. Introduced in v1.69.0rc2. (#14138)
+* Allow application services to set the origin_server_ts of a state event by providing the query parameter ts in PUT `/_matrix/client/r0/rooms/{roomId}/state/{eventType}/{stateKey}`, per MSC3316. Contributed by @lukasdenk. (#11866)
+* Allow server admins to require a manual approval process before new accounts can be used (using MSC3866). (#13556)
+* Exponentially backoff from backfilling the same event over and over. (#13635, #13936)
+* Add cache invalidation across workers to module API. (#13667, #13947)
+* Experimental implementation of MSC3882 to allow an existing device/session to generate a login token for use on a new device/session. (#13722, #13868)
+* Experimental support for thread-specific receipts (MSC3771). (#13782, #13893, #13932, #13937, #13939)
+* Add experimental support for MSC3881: Remotely toggle push notifications for another client. (#13799, #13831, #13860)
+* Keep track when an event pulled over federation fails its signature check so we can intelligently back-off in the future. (#13815)
+* Improve validation for the unspecced, internal-only `_matrix/client/unstable/add_threepid/msisdn/submit_token` endpoint. (#13832)
+* Faster remote room joins: record when we first partial-join to a room. (#13892)
+* Support a dir parameter on the /relations endpoint per MSC3715. (#13920)
+* Ask mail servers receiving emails from Synapse to not send automatic replies (e.g. out-of-office responses). (#13957)
+* Send push notifications for invites received over federation. (#13719, #14014)
+* Fix a long-standing bug where typing events would be accepted from remote servers not present in a room. Also fix a bug where incoming typing events would cause other incoming events to get stuck during a fast join. (#13830)
+* Fix a bug introduced in Synapse v1.53.0 where the experimental implementation of MSC3715 would give incorrect results when paginating forward. (#13840)
+* Fix access token leak to logs from proxy agent. (#13855)
+* Fix have_seen_event cache not being invalidated after we persist an event which causes inefficiency effects like extra /state federation calls. (#13863)
+* Faster room joins: Fix a bug introduced in 1.66.0 where an error would be logged when syncing after joining a room. (#13872)
+* Fix a bug introduced in 1.66.0 where some required fields in the pushrules sent to clients were not present anymore. Contributed by Nico. (#13904)
+* Fix packaging to include Cargo.lock in sdist. (#13909)
+* Fix a long-standing bug where device updates could cause delays sending out to-device messages over federation. (#13922)
+* Fix a bug introduced in v1.68.0 where Synapse would require setuptools_rust at runtime, even though the package is only required at build time. (#13952)
+* Fix a long-standing bug where POST `/_matrix/client/v3/keys/query` requests could result in excessively large SQL queries. (#13956)
+* Fix a performance regression in the get_users_in_room database query. Introduced in v1.67.0. (#13972)
+* Fix a bug introduced in v1.68.0 bug where Rust extension wasn't built in release mode when using poetry install. (#14009)
+* Do not return an unspecified original_event field when using the stable /relations endpoint. Introduced in Synapse v1.57.0. (#14025)
+* Correctly handle a race with device lists when a remote user leaves during a partial join. (#13885)
+* Correctly handle sending local device list updates to remote servers during a partial join. (#13934)
+
+[1.53.0]
+* Update Synapse to 1.70.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.70.0)
+* Support for [MSC3856](https://github.com/matrix-org/matrix-spec-proposals/pull/3856): threads list API. ([\#13394](https://github.com/matrix-org/synapse/issues/13394), [\#14171](https://github.com/matrix-org/synapse/issues/14171), [\#14175](https://github.com/matrix-org/synapse/issues/14175))
+* Support for thread-specific notifications & receipts ([MSC3771](https://github.com/matrix-org/matrix-spec-proposals/pull/3771) and [MSC3773](https://github.com/matrix-org/matrix-spec-proposals/pull/3773)). ([\#13776](https://github.com/matrix-org/synapse/issues/13776), [\#13824](https://github.com/matrix-org/synapse/issues/13824), [\#13877](https://github.com/matrix-org/synapse/issues/13877), [\#13878](https://github.com/matrix-org/synapse/issues/13878), [\#14050](https://github.com/matrix-org/synapse/issues/14050), [\#14140](https://github.com/matrix-org/synapse/issues/14140), [\#14159](https://github.com/matrix-org/synapse/issues/14159), [\#14163](https://github.com/matrix-org/synapse/issues/14163), [\#14174](https://github.com/matrix-org/synapse/issues/14174), [\#14222](https://github.com/matrix-org/synapse/issues/14222))
+* Stop fetching missing `prev_events` after we already know their signature is invalid. ([\#13816](https://github.com/matrix-org/synapse/issues/13816))
+* Send application service access tokens as a header (and query parameter). Implements [MSC2832](https://github.com/matrix-org/matrix-spec-proposals/pull/2832). ([\#13996](https://github.com/matrix-org/synapse/issues/13996))
+* Ignore server ACL changes when generating pushes. Implements [MSC3786](https://github.com/matrix-org/matrix-spec-proposals/pull/3786). ([\#13997](https://github.com/matrix-org/synapse/issues/13997))
+* Experimental support for redirecting to an implementation of a [MSC3886](https://github.com/matrix-org/matrix-spec-proposals/pull/3886) HTTP rendezvous service. ([\#14018](https://github.com/matrix-org/synapse/issues/14018))
+* The `/relations` endpoint can now be used on workers. ([\#14028](https://github.com/matrix-org/synapse/issues/14028))
+* Advertise support for Matrix 1.3 and 1.4 on `/_matrix/client/versions`. ([\#14032](https://github.com/matrix-org/synapse/issues/14032), [\#14184](https://github.com/matrix-org/synapse/issues/14184))
+* Improve validation of request bodies for the [Device Management](https://spec.matrix.org/v1.4/client-server-api/#device-management) and [MSC2697 Device Dehyrdation](https://github.com/matrix-org/matrix-spec-proposals/pull/2697) client-server API endpoints. ([\#14054](https://github.com/matrix-org/synapse/issues/14054))
+* Experimental support for [MSC3874](https://github.com/matrix-org/matrix-spec-proposals/pull/3874): Filtering threads from the `/messages` endpoint. ([\#14148](https://github.com/matrix-org/synapse/issues/14148))
+* Improve the validation of the following PUT endpoints: [`/directory/room/{roomAlias}`](https://spec.matrix.org/v1.4/client-server-api/#put_matrixclientv3directoryroomroomalias), [`/directory/list/room/{roomId}`](https://spec.matrix.org/v1.4/client-server-api/#put_matrixclientv3directorylistroomroomid) and [`/directory/list/appservice/{networkId}/{roomId}`](https://spec.matrix.org/v1.4/application-service-api/#put_matrixclientv3directorylistappservicenetworkidroomid). ([\#14179](https://github.com/matrix-org/synapse/issues/14179))
+* Build and publish binary wheels for `aarch64` platforms. ([\#14212](https://github.com/matrix-org/synapse/issues/14212))
+
+[1.53.1]
+* Update Synapse to 1.70.1
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.70.1)
+* Fix a bug introduced in Synapse 1.70.0rc1 where the access tokens sent to application services as headers were malformed. Application services which were obtaining access tokens from query parameters were not affected. (#14301)
+* Fix room creation being rate limited too aggressively since Synapse v1.69.0. (#14314)
+
+[1.54.0]
+* Update Synapse to 1.71.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.71.0)
+
+[1.55.0]
+* Update Synapse to 1.72.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.72.0)
+* Add experimental support for MSC3912: Relation-based redactions. (#14260)
+* Add an Admin API endpoint for user lookup based on third-party ID (3PID). Contributed by @ashfame. (#14405)
+* Faster joins: include heroes' membership events in the partial join response, for rooms without a name or canonical alias. (#14442)
+
+[1.56.0]
+* Update Synapse to 1.73.0
+* Update Cloudron base image to 4.0.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.73.0)
+
+[1.57.0]
+* Update Synapse to 1.74.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.74.0)
+* Improve user search for international display names. ([\#14464](https://github.com/matrix-org/synapse/issues/14464))
+* Stop using deprecated `keyIds` parameter when calling `/_matrix/key/v2/server`. ([\#14490](https://github.com/matrix-org/synapse/issues/14490), [\#14525](https://github.com/matrix-org/synapse/issues/14525))
+* Add new `push.enabled` config option to allow opting out of push notification calculation. ([\#14551](https://github.com/matrix-org/synapse/issues/14551), [\#14619](https://github.com/matrix-org/synapse/issues/14619))
+* Advertise support for Matrix 1.5 on `/_matrix/client/versions`. ([\#14576](https://github.com/matrix-org/synapse/issues/14576))
+* Improve opentracing and logging for to-device message handling. ([\#14598](https://github.com/matrix-org/synapse/issues/14598))
+* Allow selecting "prejoin" events by state keys in addition to event types. ([\#14642](https://github.com/matrix-org/synapse/issues/14642))
+* Fix a long-standing bug where a device list update might not be sent to clients in certain circumstances. ([\#14435](https://github.com/matrix-org/synapse/issues/14435), [\#14592](https://github.com/matrix-org/synapse/issues/14592), [\#14604](https://github.com/matrix-org/synapse/issues/14604))
+* Suppress a spurious warning when `POST /rooms/<room_id>/<membership>/`, `POST /join/<room_id_or_alias`, or the unspecced `PUT /join/<room_id_or_alias>/<txn_id>` receive an empty HTTP request body. ([\#14600](https://github.com/matrix-org/synapse/issues/14600))
+* Return spec-compliant JSON errors when unknown endpoints are requested. ([\#14620](https://github.com/matrix-org/synapse/issues/14620), [\#14621](https://github.com/matrix-org/synapse/issues/14621))
+* Update html templates to load images over HTTPS. Contributed by @ashfame. ([\#14625](https://github.com/matrix-org/synapse/issues/14625))
+* Fix a long-standing bug where the user directory would return 1 more row than requested. ([\#14631](https://github.com/matrix-org/synapse/issues/14631))
+* Reject invalid read receipt requests with empty room or event IDs. Contributed by Nick @ Beeper (@fizzadar). ([\#14632](https://github.com/matrix-org/synapse/issues/14632))
+* Fix a bug introduced in Synapse 1.67.0 where not specifying a config file or a server URL would lead to the `register_new_matrix_user` script failing. ([\#14637](https://github.com/matrix-org/synapse/issues/14637))
+* Fix a long-standing bug where the user directory and room/user stats might be out of sync. ([\#14639](https://github.com/matrix-org/synapse/issues/14639), [\#14643](https://github.com/matrix-org/synapse/issues/14643))
+* Fix a bug introduced in Synapse 1.72.0 where the background updates to add non-thread unique indexes on receipts would fail if they were previously interrupted. ([\#14650](https://github.com/matrix-org/synapse/issues/14650))
+* Improve validation of field size limits in events. ([\#14664](https://github.com/matrix-org/synapse/issues/14664))
+* Fix bugs introduced in Synapse 1.55.0 and 1.69.0 where application services would not be notified of events in the correct rooms, due to stale caches. ([\#14670](https://github.com/matrix-org/synapse/issues/14670))
+
+[1.58.0]
+* Update Synapse to 1.75.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.75.0)
+* Fix race where calling /members or /state with an at parameter could fail for newly created rooms, when using multiple workers. (#14817)
+* Add a cached function to synapse.module_api that returns a decorator to cache return values of functions. (#14663)
+* Add experimental support for MSC3391 (removing account data). (#14714)
+* Support RFC7636 Proof Key for Code Exchange for OAuth single sign-on. (#14750)
+* Support non-OpenID compliant userinfo claims for subject and picture. (#14753)
+* Improve performance of /sync when filtering all rooms, message types, or senders. (#14786)
+* Improve performance of the /hierarchy endpoint. (#14263)
+* Fix the MAU Limits section of the Grafana dashboard relying on a specific job name for the workers of a Synapse deployment. (#14644)
+* Fix a bug introduced in Synapse 1.70.0 which could cause spurious UNIQUE constraint failed errors in the rotate_notifs background job. (#14669)
+* Ensure stream IDs are always updated after caches get invalidated with workers. Contributed by Nick @ Beeper (@Fizzadar). (#14723)
+* Remove the unspecced device field from /pushrules responses. (#14727)
+* Fix a bug introduced in Synapse 1.73.0 where the picture_claim configured under oidc_providers was unused (the default value of "picture" was used instead). (#14751)
+* Unescape HTML entities in URL preview titles making use of oEmbed responses. (#14781)
+* Disable sending confirmation email when 3pid is disabled. (#14725)
+
+[1.59.0]
+* Update Synapse to 1.76.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.76.0)
+* Faster joins: Fix a bug introduced in Synapse 1.69 where device list EDUs could fail to be handled after a restart when a faster join sync is in progress. (#14914)
+* Update the default room version to v10 (MSC 3904). Contributed by @FSG-Cat. (#14111)
+* Add a set_displayname() method to the module API for setting a user's display name. (#14629)
+* Add a dedicated listener configuration for health endpoint. (#14747)
+* Implement support for MSC3890: Remotely silence local notifications. (#14775)
+* Implement experimental support for MSC3930: Push rules for (MSC3381) Polls. (#14787)
+* Per MSC3925, bundle the whole of the replacement with any edited events, and optionally inhibit server-side replacement. (#14811)
+* Faster joins: always serve a partial join response to servers that request it with the stable query param. (#14839)
+* Faster joins: allow non-lazy-loading ("eager") syncs to complete after a partial join by omitting partial state rooms until they become fully stated. (#14870)
+* Faster joins: request partial joins by default. Admins can opt-out of this for the time being---see the upgrade notes. (#14905)
+
+[1.60.0]
+* Update Synapse to 1.77.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.77.0)
+* Fix bug where retried replication requests would return a failure. Introduced in v1.76.0. ([\#15024](https://github.com/matrix-org/synapse/issues/15024))
+
+[1.61.0]
+* Update Synapse to 1.78.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.78.0)
+* Implement the experimental `exact_event_match` push rule condition from MSC3758. (#14964)
+* Add account data to the command line user data export tool. (#14969)
+* Implement MSC3873 to disambiguate push rule keys with dots in them. (#15004)
+* Allow Synapse to use a specific Redis logical database in worker-mode deployments. (#15034)
+* Tag opentracing spans for federation requests with the name of the worker serving the request. (#15042)
+* Implement the experimental `exact_event_property_contains` push rule condition from MSC3966. (#15045)
+
+[1.62.0]
+* Update Synapse to 1.79.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.79.0)
+* Fix a bug introduced in Synapse 1.79.0rc1 where attempting to register a on_remove_user_third_party_identifier module API callback would be a no-op. (#15227)
+* Fix a rare bug introduced in Synapse 1.73 where events could remain unsent to other homeservers after a faster-join to a room. (#15248)
+* Add two new Third Party Rules module API callbacks: on_add_user_third_party_identifier and on_remove_user_third_party_identifier. (#15044)
+* Experimental support for MSC3967 to not require UIA for setting up cross-signing on first use. (#15077)
+* Add media information to the command line user data export tool. (#15107)
+* Add an admin API to delete a specific event report. (#15116)
+* Add support for knocking to workers. (#15133)
+* Allow use of the /filter Client-Server APIs on workers. (#15134)
+* Update support for MSC2677: remove support for server-side aggregation of reactions. (#15172)
+* Stabilise support for MSC3758: event_property_is push condition. (#15185)
+
+[1.62.1]
+* Update post installation message
+
+[1.63.0]
+* Update Synapse to 1.80.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.80.0)
+* Fix a bug in which the POST `/_matrix/client/v3/rooms/{roomId}/report/{eventId}` endpoint would return the wrong error if the user did not have permission to view the event. This aligns Synapse's implementation with MSC2249. (#15298, #15300)
+* Fix a bug introduced in Synapse 1.75.0rc1 where the SQLite port_db script
+* would fail to open the SQLite database. (#15301)
+* Stabilise support for MSC3966: event_property_contains push condition. (#15187)
+* Implement MSC2659: application service ping endpoint. Contributed by Tulir @ Beeper. (#15249)
+* Allow loading /register/available endpoint on workers. (#15268)
+* Improve performance of creating and authenticating events. (#15195)
+* Add topic and name events to group of events that are batch persisted when creating a room. (#15229)
+* Fix a long-standing bug in which the user directory would assume any remote membership state events represent a profile change. (#14755, #14756)
+* Implement MSC3873 to fix a long-standing bug where properties with dots were handled ambiguously in push rules. (#15190)
+* Faster joins: Fix a bug introduced in Synapse 1.66 where spurious "Failed to find memberships ..." errors would be logged. (#15232)
+* Fix a long-standing error when sending message into deleted room. (#15235)
+
+[1.64.0]
+* Update Synapse to 1.81.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.81.0)
+* Fix the set_device_id_for_pushers_txn background update crash. (#15391)
+* Add the ability to enable/disable registrations when in the OIDC flow. (#14978)
+* Add a primitive helper script for listing worker endpoints. (#15243)
+* Experimental support for passing One Time Key and device key requests to application services (MSC3983 and MSC3984). (#15314, #15321)
+* Allow loading /password_policy endpoint on workers. (#15331)
+* Add experimental support for Unix sockets. Contributed by Jason Little. (#15353)
+* Build Debian packages for Ubuntu 23.04 (Lunar Lobster). (#15381)
+* Fix a long-standing bug where edits of non-m.room.message events would not be correctly bundled. (#15295)
+* Fix a bug introduced in Synapse v1.55.0 which could delay remote homeservers being able to decrypt encrypted messages sent by local users. (#15297)
+* Add a check to SQLite port_db script
+* to ensure that the sqlite database passed to the script exists before trying to port from it. (#15306)
+* Fix a bug introduced in Synapse 1.76.0 where responses from worker deployments could include an internal `_INT_STREAM_POS` key. (#15309)
+* Fix a long-standing bug that Synpase only used the legacy appservice routes. (#15317)
+* Fix a long-standing bug preventing users from rejoining rooms after being banned and unbanned over federation. Contributed by Nico. (#15323)
+* Fix bug in worker mode where on a rolling restart of workers the "typing" worker would consume 100% CPU until it got restarted. (#15332)
+* Fix a long-standing bug where some to_device messages could be dropped when using workers. (#15349)
+* Fix a bug introduced in Synapse 1.70.0 where the background sync from a faster join could spin for hours when one of the events involved had been marked for backoff. (#15351)
+* Fix missing app variable in mail subject for password resets. Contributed by Cyberes. (#15352)
+* Fix a rare bug introduced in Synapse 1.66.0 where initial syncs would fail when the user had been kicked from a faster joined room that had not finished syncing. (#15383)
+
+[1.65.0]
+* Update Synapse to 1.82.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.81.0)
+* Allow loading the `/directory/room/{roomAlias}` endpoint on workers. ([\#15333](https://github.com/matrix-org/synapse/issues/15333))
+* Add some validation to `instance_map` configuration loading. ([\#15431](https://github.com/matrix-org/synapse/issues/15431))
+* Allow loading the `/capabilities` endpoint on workers. ([\#15436](https://github.com/matrix-org/synapse/issues/15436))
+* Delete server-side backup keys when deactivating an account. ([\#15181](https://github.com/matrix-org/synapse/issues/15181))
+* Fix and document untold assumption that `on_logged_out` module hooks will be called before the deletion of pushers. ([\#15410](https://github.com/matrix-org/synapse/issues/15410))
+* Improve robustness when handling a perspective key response by deduplicating received server keys. ([\#15423](https://github.com/matrix-org/synapse/issues/15423))
+* Synapse now correctly fails to start if the config option `app_service_config_files` is not a list. ([\#15425](https://github.com/matrix-org/synapse/issues/15425))
+* Disable loading `RefreshTokenServlet` (`/_matrix/client/(r0|v3|unstable)/refresh`) on workers. ([\#15428](https://github.com/matrix-org/synapse/issues/15428))
+
+[1.66.0]
+* Update Synapse to 1.83.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.83.0)
+* Experimental support to recursively provide relations per [MSC3981](https://github.com/matrix-org/matrix-spec-proposals/pull/3981). ([\#15315](https://github.com/matrix-org/synapse/issues/15315))
+* Experimental support for [MSC3970](https://github.com/matrix-org/matrix-spec-proposals/pull/3970): Scope transaction IDs to devices. ([\#15318](https://github.com/matrix-org/synapse/issues/15318))
+* Add an [admin API endpoint](https://matrix-org.github.io/synapse/v1.83/admin_api/experimental_features.html) to support per-user feature flags. ([\#15344](https://github.com/matrix-org/synapse/issues/15344))
+* Add a module API to send an HTTP push notification. ([\#15387](https://github.com/matrix-org/synapse/issues/15387))
+* Add an [admin API endpoint](https://matrix-org.github.io/synapse/v1.83/admin_api/statistics.html#get-largest-rooms-by-size-in-database) to query the largest rooms by disk space used in the database. ([\#15482](https://github.com/matrix-org/synapse/issues/15482))
+* Disable push rule evaluation for rooms excluded from sync. ([\#15361](https://github.com/matrix-org/synapse/issues/15361))
+* Fix a long-standing bug where cached server key results which were directly fetched would not be properly re-used. ([\#15417](https://github.com/matrix-org/synapse/issues/15417))
+* Fix a bug introduced in Synapse 1.73.0 where some experimental push rules were returned by default. ([\#15494](https://github.com/matrix-org/synapse/issues/15494))
+
+[1.67.0]
+* Update Synapse to 1.84.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.84.0)
+* Fix a bug introduced in Synapse 1.84.0rc1 where errors during startup were not reported correctly on Python < 3.10. ([\#15599](https://github.com/matrix-org/synapse/issues/15599))
+* Add an option to prevent media downloads from configured domains. ([\#15197](https://github.com/matrix-org/synapse/issues/15197))
+* Add `forget_rooms_on_leave` config option to automatically forget rooms when users leave them or are removed from them. ([\#15224](https://github.com/matrix-org/synapse/issues/15224))
+* Add redis TLS configuration options. ([\#15312](https://github.com/matrix-org/synapse/issues/15312))
+* Add a config option to delay push notifications by a random amount, to discourage time-based profiling. ([\#15516](https://github.com/matrix-org/synapse/issues/15516))
+* Stabilize support for [MSC2659](https://github.com/matrix-org/matrix-spec-proposals/pull/2659): application service ping endpoint. Contributed by Tulir @ Beeper. ([\#15528](https://github.com/matrix-org/synapse/issues/15528))
+* Implement [MSC4009](https://github.com/matrix-org/matrix-spec-proposals/pull/4009) to expand the supported characters in Matrix IDs. ([\#15536](https://github.com/matrix-org/synapse/issues/15536))
+* Advertise support for Matrix 1.6 on `/_matrix/client/versions`. ([\#15559](https://github.com/matrix-org/synapse/issues/15559))
+* Print full error and stack-trace of any exception that occurs during startup/initialization. ([\#15569](https://github.com/matrix-org/synapse/issues/15569))
+* Don't fail on federation over TOR where SRV queries are not supported. Contributed by Zdzichu. ([\#15523](https://github.com/matrix-org/synapse/issues/15523))
+* Experimental support for [MSC4010](https://github.com/matrix-org/matrix-spec-proposals/pull/4010) which rejects setting the `"m.push_rules"` via account data. ([\#15554](https://github.com/matrix-org/synapse/issues/15554), [\#15555](https://github.com/matrix-org/synapse/issues/15555))
+* Fix a long-standing bug where an invalid membership event could cause an internal server error. ([\#15564](https://github.com/matrix-org/synapse/issues/15564))
+* Require at least poetry-core v1.1.0. ([\#15566](https://github.com/matrix-org/synapse/issues/15566), [\#15571](https://github.com/matrix-org/synapse/issues/15571))
+
+[1.67.1]
+* Update Synapse to 1.84.1
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.84.1)
+* Fix a bug introduced in Synapse v1.84.0 where workers do not start up when no `instance_map` was provided
+
+[1.68.0]
+* Update Synapse to 1.85.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.85.0)
+* GHSA-26c5-ppr8-f33p / CVE-2023-32682 — Low Severity
+* GHSA-98px-6486-j7qc / CVE-2023-32683 — Low Severity
+* Fix a performance issue introduced in Synapse v1.83.0 which meant that purging rooms was very slow and database-intensive. (#15693)
+* Improve performance of backfill requests by performing backfill of previously failed requests in the background. (#15585)
+* Add a new admin API to create a new device for a user. (#15611)
+
+[1.68.1]
+* Update Synapse to 1.85.1
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.85.1)
+* Fix bug in schema delta that broke upgrades for some deployments. Introduced in v1.85.0. (#15738, #15739)
+
+[1.68.2]
+* Update Synapse to 1.85.2
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.85.2)
+* Fix regression where using TLS for HTTP replication between workers did not work. Introduced in v1.85.0. (#15746)
+
+[1.69.0]
+* Update Synapse to 1.86.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.86.0)
+* Fix an error when having workers of different versions running. (#15774)
+* Stable support for MSC3882 to allow an existing device/session to generate a login token for use on a new device/session. (#15388)
+* Support resolving a room's canonical alias via the module API. (#15450)
+* Enable support for MSC3952: intentional mentions. (#15520)
+* Experimental MSC3861 support: delegate auth to an OIDC provider. (#15582)
+* Add Synapse version deploy annotations to Grafana dashboard which enables easy correlation between behavior changes witnessed in a graph to a certain Synapse version and nail down regressions. (#15674)
+* Add a catch-all * to the supported relation types when redacting an event and its related events. This is an update to MSC3912 implementation. (#15705)
+* Speed up /messages by backfilling in the background when there are no backward extremities where we are directly paginating. (#15710)
+* Expose a metric reporting the database background update status. (#15740)
+* Correctly clear caches when we delete a room. (#15609)
+* Check permissions for enabling encryption earlier during room creation to avoid creating broken rooms. (#15695)
+
+[1.70.0]
+* Update Synapse to 1.87.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.87.0)
+* Improve /messages response time by avoiding backfill when we already have messages to return. (#15737)
+* Add spam checker module API for logins. (#15838)
+* Fix a long-standing bug where media files were served in an unsafe manner. Contributed by @joshqou. (#15680)
+* Avoid invalidating a cache that was just prefilled. (#15758)
+* Fix requesting multiple keys at once over federation, related to MSC3983. (#15770)
+* Fix joining rooms through aliases where the alias server isn't a real homeserver. Contributed by @tulir @ Beeper. (#15776)
+
+[1.70.1]
+* Add workaround for broken thumbnailing
+* Update s3 storage provider
+
+[1.71.0]
+* Update Synapse to 1.88.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.88.0)
+* Add not_user_type param to the list accounts admin API. (#15844)
+* Pin pydantic to ^=1.7.4 to avoid backwards-incompatible API changes from the 2.0.0 release.
+* Contributed by @PaarthShah. (#15862)
+* Correctly resize thumbnails with pillow version >=10. (#15876)
+
+[1.72.0]
+* Update Synapse to 1.89.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.89.0)
+* Add Unix Socket support for HTTP Replication Listeners. Document and provide usage instructions for utilizing Unix sockets in Synapse. Contributed by Jason Little. (#15708, #15924)
+* Allow + in Matrix IDs, per MSC4009. (#15911)
+* Support room version 11 from MSC3820. (#15912)
+* Allow configuring the set of workers to proxy outbound federation traffic through via outbound_federation_restricted_to. (#15913, #15969)
+* Implement MSC3814, dehydrated devices v2/shrivelled sessions and move MSC2697 behind a config flag. Contributed by Nico from Famedly, H-Shay and poljar. (#15929)
+* Fix a long-standing bug where remote invites weren't correctly pushed. (#15820)
+* Fix background schema updates failing over a large upgrade gap. (#15887)
+* Fix a bug introduced in 1.86.0 where Synapse starting with an empty experimental_features configuration setting. (#15925)
+* Fixed deploy annotations in the provided Grafana dashboard config, so that it shows for any homeserver and not just matrix.org. Contributed by @wrjlewis. (#15957)
+* Ensure a long state res does not starve CPU by occasionally yielding to the reactor. (#15960)
+* Properly handle redactions of creation events. (#15973)
+* Fix a bug where resyncing stale device lists could block responding to federation transactions, and thus delay receiving new data from the remote server. (#15975)
+
+[1.73.0]
+* Update Synapse to 1.90.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.90.0)
+* Scope transaction IDs to devices (implement MSC3970). (#15629)
+* Remove old rows from the cache_invalidation_stream_by_instance table automatically (this table is unused in SQLite). (#15868)
+* Fix a long-standing bug where purging history and paginating simultaneously could lead to database corruption when using workers. (#15791)
+* Fix a long-standing bug where profile endpoint returned a 404 when the user's display name was empty. (#16012)
+* Fix a long-standing bug where the synapse_port_db failed to configure sequences for application services and partial stated rooms. (#16043)
+* Fix long-standing bug with deletion in dehydrated devices v2. (#16046)
+
+[1.74.0]
+* Turn addon can be optionally enabled/disabled
+
+[1.75.0]
+* Update Synapse to 1.91.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.91.0)
+
+[1.75.1]
+* Update Synapse to 1.91.1
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.91.1)
+* Fix a performance regression introduced in Synapse 1.91.0 where event persistence would cause an excessive linear growth in CPU usage. (#16220)
+
+[1.75.2]
+* Update Synapse to 1.91.2
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.91.2)
+* Revert MSC3861 introspection cache, admin impersonation and account lock. (#16258)
+
+[1.76.0]
+* Update Synapse to 1.92.1
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.92.0)
+* Revert MSC3861 introspection cache, admin impersonation and account lock. (#16258)
+* Fix incorrect docstring for Ratelimiter. (#16255)
+
+[1.76.1]
+* Update Synapse to 1.92.2
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.92.2)
+
+[1.76.2]
+* Update Synapse to 1.92.3
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.92.3)
+* Pillow 10.0.1 is now mandatory because of libwebp CVE-2023-4863, since Pillow provides libwebp in the wheels. (#16347)
+
+[1.77.0]
+* Update Synapse to 1.93.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.93.0)
+* GHSA-4f74-84v3-j9q5 / CVE-2023-41335 — Low Severity  Temporary storage of plaintext passwords during password changes.
+* GHSA-7565-cq32-vx2x / CVE-2023-42453 — Low Severity Improper validation of receipts allows forged read receipts.
+* Add automatic purge after all users have forgotten a room. (#15488)
+* Restore room purge/shutdown after a Synapse restart. (#15488)
+* Support resolving homeservers using matrix-fed DNS SRV records from MSC4040. (#16137)
+* Add the ability to use G (GiB) and T (TiB) suffixes in configuration options that refer to numbers of bytes. (#16219)
+* Add span information to requests sent to appservices. Contributed by MTRNord. (#16227)
+* Add the ability to enable/disable registrations when using CAS. Contributed by Aurélien Grimpard. (#16262)
+* Allow the /notifications endpoint to be routed to workers. (#16265)
+
+[1.78.0]
+* Update base image to 4.2.0
+
+[1.79.0]
+* Update Synapse to 1.94.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.94.0)
+* Render plain, CSS, CSV, JSON and common image formats in the browser (inline) when requested through the /download endpoint. (#15988)
+* Add experimental support for MSC4028 to push all encrypted events to clients. (#16361)
+* Minor performance improvement when sending presence to federated servers. (#16385)
+* Minor performance improvement by caching server ACL checking. (#16360)
+
+[1.80.0]
+* Update Synapse to 1.95.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.95.0)
+* Remove legacy unspecced `knock_state_events` field returned in some responses. (#16403)
+* Fix a bug introduced in Synapse 1.81.0 where an AttributeError would be raised when `_matrix/client/v3/account/whoami` is called over a unix socket. Contributed by @Sir-Photch. (#16404)
+* Properly return inline media when content types have parameters. (#16440)
+* Prevent the purging of large rooms from timing out when Postgres is in use. The timeout which causes this issue was introduced in Synapse 1.88.0. (#16455)
+* Improve the performance of purging rooms, particularly encrypted rooms. (#16457)
+* Fix a bug introduced in Synapse 1.59.0 where servers could be incorrectly marked as available after an error response was received. (#16506)
+
+[1.80.1]
+* Update Synapse to 1.95.1
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.95.1)
+* GHSA-mp92-3jfm-3575 / CVE-2023-43796 — Moderate Severity
+
+[1.81.0]
+* Update Synapse to 1.96.1
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.96.1)
+* Add experimental support to allow multiple workers to write to receipts stream. (#16432)
+* Add a new module API for controller presence. (#16544)
+* Add a new module API callback that allows adding extra fields to events' unsigned section when sent down to clients. (#16549)
+* Improve the performance of claiming encryption keys. (#16565, #16570)
+
+[1.82.0]
+* Switch LDAP authentication to OIDC login
+
+[1.83.0]
+* Update Synapse to 1.97.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.97.0)
+* Add support for asynchronous uploads as defined by MSC2246. Contributed by @sumnerevans at @beeper. (#15503)
+* Improve the performance of some operations in multi-worker deployments. (#16613, #16616)
+* Fix a long-standing bug where some queries updated the same row twice. Introduced in Synapse 1.57.0. (#16609)
+* Fix a long-standing bug where Synapse would not unbind third-party identifiers for Application Service users when deactivated and would not emit a compliant response. (#16617)
+* Fix sending out of order POSITION over replication, causing additional database load. (#16639)
+
+[1.84.0]
+* Update Synapse to 1.98.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.98.0)
+* Synapse now declares support for Matrix v1.7, v1.8, and v1.9. (#16707)
+* Add `on_user_login` module API callback for when a user logs in. (#15207)
+* Support MSC4069: Inhibit profile propagation. (#16636)
+* Restore tracking of requests and monthly active users when delegating authentication via MSC3861 to an OIDC provider. (#16672)
+* Add an autojoin setting for server notices rooms, so users may be joined directly instead of receiving an invite. (#16699)
+* Follow redirects when downloading media over federation (per MSC3860). (#16701)
+
+[1.85.0]
+* Update public suffix list as part of the base image to get the latest domains
+
+[1.86.0]
+* Update Synapse to 1.99.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.99.0)
+* Add config options to set the avatar and the topic of the server notices room, as well as the avatar of the server notices user. (\https://github.com/element-hq/synapse/issues/16679)
+* Add config option email.notif_delay_before_mail to tweak the delay before an email is sent following a notification. (\https://github.com/element-hq/synapse/issues/16696)
+* Add new configuration option sentry.environment for improved system monitoring. Contributed by @zeeshanrafiqrana. (\https://github.com/element-hq/synapse/issues/16738)
+* Filter out rooms from the room directory being served to other homeservers when those rooms block that homeserver by their Access Control Lists. (\https://github.com/element-hq/synapse/pull/16759)
+* Fix a long-standing bug where the signing keys generated by Synapse were world-readable. Contributed by Fabian Klemp. (\https://github.com/element-hq/synapse/issues/16740)
+* Fix email verification redirection. Contributed by Fadhlan Ridhwanallah. (\https://github.com/element-hq/synapse/pull/16761)
+* Fixed a bug that prevented users from being queried by display name if it contains non-ASCII characters. (\https://github.com/element-hq/synapse/pull/16767)
+* Allow reactivate user without password with Admin API in some edge cases. (\https://github.com/element-hq/synapse/pull/16770)
+* Adds the recursion_depth parameter to the response of the /relations endpoint if MSC3981 recursion is being performed. (\https://github.com/element-hq/synapse/pull/16775)
+* Added version picker for Synapse documentation. Contributed by @Dmytro27Ind. (\https://github.com/element-hq/synapse/issues/16533)
+* Clarify that password_config.enabled: "only_for_reauth" does not allow new logins to be created using password auth. (\https://github.com/element-hq/synapse/issues/16737)
+* Remove value from header in configuration documentation for refresh_token_lifetime. (\https://github.com/element-hq/synapse/pull/16763)
+* Add another custom statistics collection server to the documentation. Contributed by @loelkes. (\https://github.com/element-hq/synapse/pull/16769)
+* Remove run-once workflow after adding the version picker to the documentation. (\https://github.com/element-hq/synapse/pull/9453)
+* Update the implementation of [MSC2965](matrix-org/matrix-spec-proposals#2965) (OIDC Provider discovery). (\https://github.com/element-hq/synapse/issues/16726)
+* Move the rust stubs inline for better IDE integration. (\https://github.com/element-hq/synapse/pull/16757)
+* Fix sample config doc CI. (\https://github.com/element-hq/synapse/pull/16758)
+* Simplify event internal metadata class. (\https://github.com/element-hq/synapse/pull/16762, \https://github.com/element-hq/synapse/pull/16780)
+* Sign the published docker image using cosign. (\https://github.com/element-hq/synapse/pull/16774)
+* Port EventInternalMetadata class to Rust. (\https://github.com/element-hq/synapse/pull/16782)
+* Bump actions/setup-go from 4 to 5. (\https://github.com/element-hq/synapse/issues/16749)
+* Bump actions/setup-python from 4 to 5. (\https://github.com/element-hq/synapse/issues/16748)
+* Bump immutabledict from 3.0.0 to 4.0.0. (\https://github.com/element-hq/synapse/issues/16743)
+* Bump isort from 5.12.0 to 5.13.0. (\https://github.com/element-hq/synapse/issues/16745)
+* Bump isort from 5.13.0 to 5.13.1. (\https://github.com/element-hq/synapse/issues/16752)
+* Bump pydantic from 2.5.1 to 2.5.2. (\https://github.com/element-hq/synapse/issues/16747)
+* Bump ruff from 0.1.6 to 0.1.7. (\https://github.com/element-hq/synapse/issues/16746)
+* Bump types-setuptools from 68.2.0.2 to 69.0.0.0. (\https://github.com/element-hq/synapse/issues/16744)
+
+[1.87.0]
+* Update Synapse to 1.100.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.100.0)
+* Fix database performance regression due to changing Postgres table statistics. Introduced in v1.100.0rc1. (#16849)
+* Advertise experimental support for MSC4028 through /matrix/clients/versions if enabled. Contributed by @hanadi92. (#16787)
+* Handle wildcard type filters properly for room messages endpoint. Contributed by Mo Balaa. (#14984)
+
+[1.88.0]
+* Update Synapse to 1.101.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.101.0)
+* Add support for stabilised MSC3981 that adds a recurse parameter on the /relations API. (#16842)
+* Fix performance regression when fetching auth chains from the DB. Introduced in v1.100.0. (#16893)
+
+[1.89.0]
+* Update Synapse to 1.102.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.102.0)
+* A metric was added for emails sent by Synapse, broken down by type: `synapse_emails_sent_total`. Contributed by Remi Rampin. (#16881)
+* Do not send multiple concurrent requests for keys for the same server. (#16894)
+* Fix performance issue when joining very large rooms that can cause the server to lock up. Introduced in v1.100.0. (#16903)
+* Always prefer unthreaded receipt when >1 exist (MSC4102). (#16927)
+
+[1.90.0]
+* Update Synapse to 1.103.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.103.0)
+* Add a new List Accounts v3 Admin API with improved deactivated user filtering capabilities. (#16874)
+* Include Retry-After header by default per MSC4041. Contributed by @clokep. (#16947)
+* Fix joining remote rooms when a module uses the `on_new_event` callback. This callback may now pass partial state events instead of the full state for remote rooms. Introduced in v1.76.0. (#16973)
+* Fix performance issue when joining very large rooms that can cause the server to lock up. Introduced in v1.100.0. Contributed by @ggogel. (#16968)
+
+[1.91.0]
+* Update Synapse to 1.104.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.104.0)
+* Fix regression when using OIDC provider. Introduced in v1.104.0rc1. (#17031)
+* Add an OIDC config to specify extra parameters for the authorization grant URL. IT can be useful to pass an ACR value for example. (#16971)
+* Add support for OIDC provider returning JWT. (#16972, #17031)
+* Fix a bug which meant that, under certain circumstances, we might never retry sending events or to-device messages over federation after a failure. (#16925)
+* Fix various long-standing bugs which could cause incorrect state to be returned from /sync in certain situations. (#16949)
+* Fix case in which m.fully_read marker would not get updated. Contributed by @SpiritCroc. (#16990)
+* Fix bug which did not retract a user's pending knocks at rooms when their account was deactivated. Contributed by @hanadi92. (#17010)
+
+[1.91.1]
+* Update Synapse to 1.105.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.105.0)
+* Stabilize support for MSC4010 which clarifies the interaction of push rules and account data. Contributed by @clokep. (#17022)
+* Stabilize support for MSC3981: /relations recursion. Contributed by @clokep. (#17023)
+* Add support for moving /pushrules off of main process. (#17037, #17038)
+* Fix various long-standing bugs which could cause incorrect state to be returned from /sync in certain situations. (#16930, #16932, #16942, #17064, #17065, #17066)
+* Fix server notice rooms not always being created as unencrypted rooms, even when encryption_enabled_by_default_for_room_type is in use (server notices are always unencrypted). (#17033)
+* Fix the .m.rule.encrypted_room_one_to_one and .m.rule.room_one_to_one default underride push rules being in the wrong order. Contributed by @Sumpy1. (#17043)
+
+[1.91.2]
+* Update Synapse to 1.105.1
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.105.1)
+* GHSA-3h7q-rfh9-xm4v / CVE-2024-31208 — High Severity . Weakness in auth chain indexing allows DoS from remote room members through disk fill and high CPU usage.
+
+[1.92.0]
+* Update Synapse to 1.106.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.106.0)
+* Send an email if the address is already bound to an user account. (#16819)
+* Implement the rendezvous mechanism described by MSC4108. (#17056)
+* Support delegating the rendezvous mechanism described MSC4108 to an external implementation. (#17086)
+* Add validation to ensure that the limit parameter on /publicRooms is non-negative. (#16920)
+* Return 400 M_NOT_JSON upon receiving invalid JSON in query parameters across various client and admin endpoints, rather than an internal server error. (#16923)
+* Make the CSAPI endpoint /keys/device_signing/upload idempotent. (#16943)
+* Redact membership events if the user requested erasure upon deactivating. (#17076)
+
+[1.93.0]
+* Update Synapse to 1.107.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.107.0)
+
+[1.94.0]
+* Update Synapse to 1.108.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.108.0)
+* Add a feature that allows clients to query the configured federation whitelist. Disabled by default. (#16848, #17199)
+* Add the ability to allow numeric user IDs with a specific prefix when in the CAS flow. Contributed by Aurélien Grimpard. (#17098)
+* Fix bug where push rules would be empty in /sync for some accounts. Introduced in v1.93.0. (#17142)
+* Add support for optional whitespace around the Federation API's Authorization header's parameter commas. (#17145)
+* Fix bug where disabling room publication prevented public rooms being created on workers. (#17177, #17184)
+
+[1.95.0]
+* Update Synapse to 1.109.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.109.0)
+
+[1.96.0]
+* Update Synapse to 1.110.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.110.0)
+
+[1.97.0]
+* Update Synapse to 1.111.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.111.0)
+
+[1.97.1]
+* Update Synapse to 1.111.1
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.111.1)
+
+[1.97.2]
+* Update Synapse to 1.112.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.112.0)
+
+[1.97.3]
+* Update Synapse to 1.113.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.113.0)
+
+[1.97.4]
+* Update Synapse to 1.114.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.114.0)
+
+[1.97.5]
+* Update Synapse to 1.115.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.115.0)
+
+[1.97.6]
+* Update Synapse to 1.116.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.116.0)
+
+[1.98.0]
+* Update Synapse to 1.118.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.118.0)
+
+[1.98.1]
+* Update S3 Storage Provider to 1.5.0
+[1.99.0]
+* Update synapse to 1.119.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.118.0)
+* Support [MSC4151](https://github.com/matrix-org/matrix-spec-proposals/pull/4151)'s stable report room API. ([#&#8203;17374](https://github.com/element-hq/synapse/issues/17374))
+* Add experimental support for [MSC4222](https://github.com/matrix-org/matrix-spec-proposals/pull/4222) (Adding `state_after` to sync v2). ([#&#8203;17888](https://github.com/element-hq/synapse/issues/17888))
+* Fix bug with sliding sync where `$LAZY`-loading room members would not return `required_state` membership in incremental syncs. ([#&#8203;17809](https://github.com/element-hq/synapse/issues/17809))
+* Check if user has membership in a room before tagging it. Contributed by Lama Alosaimi. ([#&#8203;17839](https://github.com/element-hq/synapse/issues/17839))
+* Fix a bug in the admin redact endpoint where the background task would not run if a worker was specified in
+* Fix bug where some presence and typing timeouts can expire early. ([#&#8203;17850](https://github.com/element-hq/synapse/issues/17850))
+* Fix detection when the built Rust library was outdated when using source installations. ([#&#8203;17861](https://github.com/element-hq/synapse/issues/17861))
+* Fix a long-standing bug in Synapse which could cause one-time keys to be issued in the incorrect order, causing message decryption failures. ([#&#8203;17903](https://github.com/element-hq/synapse/pull/17903))
+* Fix experimental support for [MSC4222](https://github.com/matrix-org/matrix-spec-proposals/pull/4222) (Adding `state_after` to sync v2) where we would return the full state on incremental syncs when using lazy loaded members and there were no new events in the timeline. ([#&#8203;17915](https://github.com/element-hq/synapse/pull/17915))
+* Remove support for python 3.8. ([#&#8203;17908](https://github.com/element-hq/synapse/issues/17908))
+* Add a test for downloading and thumbnailing a CMYK JPEG. ([#&#8203;17786](https://github.com/element-hq/synapse/issues/17786))
+* Refactor database calls to remove `Generator` usage. ([#&#8203;17813](https://github.com/element-hq/synapse/issues/17813), [#&#8203;17814](https://github.com/element-hq/synapse/issues/17814), [#&#8203;17815](https://github.com/element-hq/synapse/issues/17815), [#&#8203;17816](https://github.com/element-hq/synapse/issues/17816), [#&#8203;17817](https://github.com/element-hq/synapse/issues/17817), [#&#8203;17818](https://github.com/element-hq/synapse/issues/17818), [#&#8203;17890](https://github.com/element-hq/synapse/issues/17890))
+* Include the destination in the error of 'Destination mismatch' on federation requests. ([#&#8203;17830](https://github.com/element-hq/synapse/issues/17830))
+* The nix flake inside the repository no longer tracks nixpkgs/master to not catch the latest bugs from a MR merged 5 minutes ago. ([#&#8203;17852](https://github.com/element-hq/synapse/issues/17852))
+* Minor speed-up of sliding sync by computing extensions results in parallel. ([#&#8203;17884](https://github.com/element-hq/synapse/issues/17884))
+* Bump the default Python version in the Synapse Dockerfile from 3.11 -> 3.12. ([#&#8203;17887](https://github.com/element-hq/synapse/issues/17887))
+* Remove usage of internal header encoding API. ([#&#8203;17894](https://github.com/element-hq/synapse/issues/17894))
+* Use unique name for each os.arch variant when uploading Wheel artifacts. ([#&#8203;17905](https://github.com/element-hq/synapse/issues/17905))
+* Fix tests to run with latest Twisted. ([#&#8203;17906](https://github.com/element-hq/synapse/pull/17906), [#&#8203;17907](https://github.com/element-hq/synapse/pull/17907), [#&#8203;17911](https://github.com/element-hq/synapse/pull/17911))
+* Update version constraint to allow the latest poetry-core 1.9.1. ([#&#8203;17902](https://github.com/element-hq/synapse/pull/17902))
+* Update the portdb CI to use Python 3.13 and Postgres 17 as latest dependencies. ([#&#8203;17909](https://github.com/element-hq/synapse/pull/17909))
+* Add an index to `current_state_delta_stream` table. ([#&#8203;17912](https://github.com/element-hq/synapse/issues/17912))
+* Fix building and attaching release artifacts during the release process. ([#&#8203;17921](https://github.com/element-hq/synapse/issues/17921))
+
+[1.100.0]
+* Update synapse to 1.120.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.118.0)
+* Fix a bug introduced in Synapse v1.120rc1 which would cause the newly-introduced `delete_old_otks` job to fail in worker-mode deployments. ([#&#8203;17960](https://github.com/element-hq/synapse/issues/17960))
+
+[1.100.1]
+* Update synapse to 1.120.2
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.118.0)
+
+[1.101.0]
+* Update synapse to 1.121.1
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.121.0)
+* Support for MSC4190: device management for Application Services. (#17705)
+* Update MSC4186 Sliding Sync to include invite, ban, kick, targets when $LAZY-loading room members. (#17947)
+* Use stable M_USER_LOCKED error code for locked accounts, as per Matrix 1.12. (#17965)
+* MSC4076: Add disable_badge_count to pusher configuration. (#17975)
+
+
+[1.101.1]
+* CLOUDRON_OIDC_PROVIDER_NAME implemented
+
+[1.102.0]
+* Update synapse to 1.122.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.122.0)
+
+[1.103.0]
+* Update synapse to 1.123.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.123.0)
+
+[1.104.0]
+* Update synapse to 1.124.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.124.0)
+
+[1.105.0]
+* Update synapse to 1.125.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.125.0)
+* Add functionality to be able to use multiple values in SSO feature attribute_requirements. (#17949)
+* Add experimental config options admin_token_path and client_secret_path for MSC3861. (#18004)
+* Add get_current_time_msec() method to the module API for sound time comparisons with Synapse. (#18144)
+* Update the response when a client attempts to add an invalid email address to the user's account from a 500, to a 400 with error text. (#18125)
+* Fix user directory search when using a legacy module with a check_username_for_spam callback. Broke in v1.122.0. (#18135)
+
+[1.106.0]
+* Update synapse to 1.126.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.126.0)
+* Define ratelimit configuration for delayed event management. (#18019)
+* Add form_secret_path config option. (#18090)
+* Add the --no-secrets-in-config command line option. (#18092)
+* Add background job to clear unreferenced state groups. (#18154)
+* Add support for specifying/overriding id_token_signing_alg_values_supported for an OpenID identity provider. (#18177)
+* Add worker_replication_secret_path config option. (#18191)
+* Add support for specifying/overriding redirect_uri in the authorization and token requests against an OpenID identity provider. (#18197)
+
+[1.107.0]
+* Update base image to 5.0.0
+
+[1.108.0]
+* Update synapse to 1.127.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.127.0)
+* Update MSC4140 implementation to no longer cancel a user's own delayed state events with an event type & state key that match a more recent state event sent by that user. (#17810)
+* Fixed a minor typo in the Synapse documentation. Contributed by @karuto12. (#18224)
+* Remove undocumented SYNAPSE_USE_FROZEN_DICTS environment variable. (#18123)
+* Fix detection of workflow failures in the release script. (#18211)
+* Add caching support to media endpoints. (#18235)
+
+[1.108.1]
+* Update synapse to 1.127.1
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.127.1)
+* Fix CVE-2025-30355 / GHSA-v56r-hwv5-mxg6. High severity vulnerability affecting federation. The vulnerability has been exploited in the wild.
+
+[1.109.0]
+* Update synapse to 1.128.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.128.0)
+* Add an access token introspection cache to make Matrix Authentication Service integration (MSC3861) more efficient. (#18231)
+* Add background job to clear unreferenced state groups. (#18254)
+* Hashes of media files are now tracked by Synapse. Media quarantines will now apply to all files with the same hash. (#18277, #18302, #18296)
+
+[1.110.0]
+* Update synapse to 1.129.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.129.0)
+
+[1.111.0]
+* Update synapse to 1.130.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.130.0)
+* Fix startup being blocked on creating a new index that was introduced in v1.130.0rc1. ([#&#8203;18439](https://github.com/element-hq/synapse/issues/18439))
+* Fix the ordering of local messages in rooms that were affected by [GHSA-v56r-hwv5-mxg6](https://github.com/advisories/GHSA-v56r-hwv5-mxg6). ([#&#8203;18447](https://github.com/element-hq/synapse/issues/18447))
+
+[1.112.0]
+* Update synapse to 1.131.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.131.0)
+
+[1.113.0]
+* Update synapse to 1.132.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.132.0)
+
+[1.114.0]
+* Update synapse to 1.133.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.133.0)
+* Pre-built wheels are now built using the manylinux\_2\_28 base, which is expected to be compatible with distros using glibc 2.28 or later, including:
+* Previously, wheels were built using the manylinux2014 base, which was expected to be compatible with distros using glibc 2.17 or later.
+* Bump `cibuildwheel` to 3.0.0 to fix the `manylinux` wheel builds. ([#&#8203;18615](https://github.com/element-hq/synapse/issues/18615))
+
+[1.115.0]
+* Update synapse to 1.134.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.134.0)
+
+[1.116.0]
+* Update synapse to 1.135.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.135.0)
+
+[1.116.1]
+* Update synapse to 1.135.2
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.135.2)
+* Fix invalidation of storage cache that was broken in 1.135.0. ([#&#8203;18786](https://github.com/element-hq/synapse/issues/18786))
+* Add a parameter to `upgrade_rooms(..)` to allow auto join local users. ([#&#8203;82](https://github.com/element-hq/synapse/issues/82))
+* Speed up upgrading a room with large numbers of banned users. ([#&#8203;18574](https://github.com/element-hq/synapse/issues/18574))
+
+[1.117.0]
+* Update synapse to 1.136.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.136.0)
+* Fix bug introduced in 1.135.2 and 1.136.0rc2 where the [Make Room Admin API](https://element-hq.github.io/synapse/latest/admin_api/rooms.html#make-room-admin-api) would not treat a room v12's creator power level as the highest in room. ([#&#8203;18805](https://github.com/element-hq/synapse/issues/18805))
+
+[1.118.0]
+* Update synapse to 1.137.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.137.0)
+* Fix a bug which could corrupt auth chains making it impossible to perform state resolution. (#18746)
+* Fix error message in register_new_matrix_user utility script for empty registration_shared_secret. (#18780)
+* Allow enabling MSC4108 when the stable Matrix Authentication Service integration is enabled. (#18832)
+* Include IPv6 networks in denied-peer-ips of coturn setup. Contributed by @litetex. (#18781)
+
+[1.119.0]
+* Update synapse to 1.138.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.138.0)
+* Support for the stable endpoint and scopes of [MSC3861](https://github.com/matrix-org/matrix-spec-proposals/pull/3861) & co. ([\#18549](https://github.com/element-hq/synapse/issues/18549))
+* Improve database performance of [MSC4293](https://github.com/matrix-org/matrix-spec-proposals/pull/4293) - Redact on Kick/Ban. ([\#18851](https://github.com/element-hq/synapse/issues/18851))
+* Do not throw an error when fetching a rejected delayed state event on startup. ([\#18858](https://github.com/element-hq/synapse/issues/18858))
+* Fix worker documentation incorrectly indicating all room Admin API requests were capable of being handled by workers. ([\#18853](https://github.com/element-hq/synapse/issues/18853))
+* Instrument `_ByteProducer` with tracing to measure potential dead time while writing bytes to the request. ([\#18804](https://github.com/element-hq/synapse/issues/18804))
+* Switch to OpenTracing's `ContextVarsScopeManager` instead of our own custom `LogContextScopeManager`. ([\#18849](https://github.com/element-hq/synapse/issues/18849))
+* Trace how much work is being done while "recursively fetching redactions". ([\#18854](https://github.com/element-hq/synapse/issues/18854))
+* Link [upstream Twisted bug](https://github.com/twisted/twisted/issues/12498) tracking the problem that explains why we have to use a `Producer` to write bytes to the request. ([\#18855](https://github.com/element-hq/synapse/issues/18855))
+* Introduce `EventPersistencePair` type. ([\#18857](https://github.com/element-hq/synapse/issues/18857))
+
+[1.119.1]
+* Update synapse to 1.138.2
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.138.2)
+* Drop support for Ubuntu 24.10 Oracular Oriole, and add support for Ubuntu 25.04 Plucky Puffin. This change was applied on top of 1.138.1. ([#&#8203;18962](https://github.com/element-hq/synapse/issues/18962))
+
+[1.120.0]
+* Update synapse to 1.139.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.139.0)
+* /register requests from old application service implementations may break when using MAS
+
+[1.120.1]
+* Update synapse to 1.139.1
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.139.1)
+* Fix [CVE-2025-61672](https://www.cve.org/CVERecord?id=CVE-2025-61672) / [GHSA-fh66-fcv5-jjfr](https://github.com/element-hq/synapse/security/advisories/GHSA-fh66-fcv5-jjfr). Lack of validation for device keys in Synapse before 1.139.1 allows an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. ([#17097](https://github.com/element-hq/synapse/issues/17097))
+* Drop support for unstable field names from the long-accepted [MSC2732](https://github.com/matrix-org/matrix-spec-proposals/pull/2732) (Olm fallback keys) proposal. This change allows unit tests to pass following the security patch above. ([#18996](https://github.com/element-hq/synapse/issues/18996))
+
+[1.120.2]
+* Update synapse to 1.139.2
+
+[1.120.3]
+* Update synapse-s3-storage-provider to 1.6.0
+
+[1.121.0]
+* Update synapse to 1.140.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.140.0)
+* Add a new Media Query by ID Admin API that allows server admins to query and investigate the metadata of local or cached remote media via the origin/media_id identifier found in a Matrix Content URI. (#18911)
+* Add a new Fetch Event Admin API to fetch an event by ID. (#18963)
+* Update MSC4284: Policy Servers implementation to support signatures when available. (#18934)
+* Add experimental implementation of the GET /_matrix/client/v1/rtc/transports endpoint for the latest draft of MSC4143: MatrixRTC. (#18967)
+* Expose a defer_to_threadpool function in the Synapse Module API that allows modules to run a function on a separate thread in a custom threadpool. (#19032)
+
+[1.122.0]
+* Update synapse to 1.141.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.141.0)
+
+[1.123.0]
+* Update synapse to 1.142.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.142.0)
+* Dropped support for Python 3.9
+* SQLite 3.40.0+ is now required
+* Deprecation of MacOS Python wheels
+* Properly stop building wheels for Python 3.9 and free-threaded CPython. ([#19154](https://github.com/element-hq/synapse/issues/19154))
+
+[1.123.1]
+* Update synapse to 1.142.1
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.142.1)
+* Fixed a bug introduced in v1.142.0 preventing subpaths in MAS endpoints from working. ([#19186](https://github.com/element-hq/synapse/issues/19186))
+
+[1.124.0]
+* Update synapse to 1.143.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.143.0)
+

CloudronManifest.json

@@ -5,33 +5,65 @@
   "description": "file://DESCRIPTION.md",
   "changelog": "file://CHANGELOG.md",
   "tagline": "Secure & decentralized communication",
-  "version": "1.51.0",
-  "upstreamVersion": "1.68.0",
+  "version": "1.124.7",
+  "upstreamVersion": "1.143.0",
   "healthCheckPath": "/",
   "httpPort": 8008,
+  "httpPorts": {
+    "MAS_DOMAIN": {
+      "title": "MAS authentication domain",
+      "description": "Cloudron will proxy MAS on this domain so the Element client and Synapse OIDC discovery can reach http://<domain>/.well-known/openid-configuration",
+      "containerPort": 4000,
+      "defaultValue": "mas"
+    }
+  },
   "memoryLimit": 536870912,
   "addons": {
     "localstorage": {},
-    "ldap": {},
+    "oidc": {
+      "loginRedirectUri": "/_synapse/client/oidc/callback"
+    },
     "postgresql": {},
-    "sendmail": { "supportsDisplayName": true },
-    "turn": {}
+    "sendmail": {
+      "supportsDisplayName": true
+    },
+    "turn": {
+      "optional": true
+    }
   },
   "manifestVersion": 2,
   "website": "https://matrix.org",
   "contactEmail": "support@cloudron.io",
   "icon": "file://logo.png",
   "tags": [
-    "im", "collaboration", "voip", "videochat", "chat", "slack", "zulip", "federated"
+    "im",
+    "collaboration",
+    "voip",
+    "videochat",
+    "chat",
+    "slack",
+    "zulip",
+    "federated",
+    "element",
+    "riot"
   ],
   "mediaLinks": [
     "https://screenshots.cloudron.io/org.matrix.synapse/1.png",
     "https://screenshots.cloudron.io/org.matrix.synapse/2.png",
     "https://screenshots.cloudron.io/org.matrix.synapse/3.png"
   ],
+  "checklist": {
+    "configure-federation": {
+      "message": "For federation to work, the delegation URI `https://$CLOUDRON-APP-DOMAIN/.well-known/matrix/server` must be configured. See the [docs](https://docs.cloudron.io/apps/synapse/#post-installation) on how to do this."
+    },
+    "registration-enabled-without-verification": {
+      "message": "Registration is enabled but verification is disabled. See [docs](https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html?highlight=registration_require#enable_registration) for more information",
+      "sso": false
+    }
+  },
   "postInstallMessage": "file://POSTINSTALL.md",
-  "minBoxVersion": "7.2.0",
+  "minBoxVersion": "8.2.0",
   "forumUrl": "https://forum.cloudron.io/category/50/matrix-synapse-riot",
-  "documentationUrl": "https://docs.cloudron.io/apps/synapse/",
+  "documentationUrl": "https://docs.cloudron.io/packages/synapse/",
   "optionalSso": true
 }

Dockerfile

@@ -1,26 +1,29 @@
-FROM cloudron/base:3.2.0@sha256:ba1d566164a67c266782545ea9809dc611c4152e27686fd14060332dd88263ea
+FROM cloudron/base:5.0.0@sha256:04fd70dbd8ad6149c19de39e35718e024417c3e01dc9c6637eaf4a41ec4e596c
 
 RUN mkdir -p /app/pkg
 
 WORKDIR /app/code
 
-# https://pythonspeed.com/articles/activate-virtualenv-dockerfile/
-RUN virtualenv -p python3 /app/code/env
-ENV VIRTUAL_ENV=/app/code/env
-ENV PATH="$VIRTUAL_ENV/bin:$PATH"
+# https://github.com/element-hq/synapse/blob/master/docs/setup/installation.md?plain=1#L202
+RUN python3 -m venv /app/code/env
 
-ARG VERSION=v1.68.0
+# renovate: datasource=github-releases depName=element-hq/synapse versioning=semver extractVersion=^v(?<version>.+)$
+ARG SYNAPSE_VERSION=1.143.0
+
+# renovate: datasource=github-releases depName=matrix-org/synapse-s3-storage-provider versioning=semver extractVersion=^v(?<version>.+)$
+ARG S3PROVIDER_VERSION=1.6.0
 
 # Synapse (https://github.com/matrix-org/synapse/blob/master/INSTALL.md)
 # lxml - required for previews
-RUN pip install --upgrade pip && \
-    pip install --upgrade setuptools && \
-    pip install matrix-synapse==${VERSION} psycopg2-binary python-ldap matrix-synapse-ldap3 lxml publicsuffix2 git+https://github.com/matrix-org/synapse-s3-storage-provider.git@ffd3fa477321608e57d27644197e721965e0e858 matrix-synapse[oidc]
+RUN source /app/code/env/bin/activate && \
+    pip3 install --no-cache-dir matrix-synapse==v${SYNAPSE_VERSION} psycopg2-binary python-ldap matrix-synapse-ldap3 lxml publicsuffix2 git+https://github.com/matrix-org/synapse-s3-storage-provider.git@v${S3PROVIDER_VERSION} matrix-synapse[oidc]
 
-RUN ln -sf /app/data/index.html /app/code/env/lib/python3.8/site-packages/synapse/static/index.html
+# Updated suffix list
+RUN curl -L https://publicsuffix.org/list/public_suffix_list.dat -o /app/code/env/lib/python3.12/site-packages/publicsuffix2/public_suffix_list.dat
 
-RUN chown -R cloudron.cloudron /app/code
+RUN ln -sf /app/data/index.html /app/code/env/lib/python3.12/site-packages/synapse/static/index.html
 
 ADD index.html homeserver.yaml.template start.sh /app/pkg/
+ADD mas /app/pkg/mas
 
 CMD [ "/app/pkg/start.sh" ]

MAS-implementation-plan.md

@@ -0,0 +1,74 @@
+# MAS Integration Research & Plan
+
+## Objectives
+- Understand what the Matrix Authentication Service (MAS) needs to replace or augment in the Cloudron Synapse package.
+- Capture upstream recommendations for deployment (domains, reverse proxy, database, config) and map them to Cloudron-specific constraints (single app bundle, OpenID provider, Element compatibility).
+- Document the next steps to get from the working Synapse package to a MAS-enabled deployment that keeps Element/Element X happy.
+
+## Upstream MAS requirements (source: https://element-hq.github.io/matrix-authentication-service/setup/)
+1. **Dedicated authentication service**: MAS runs on its own domain (e.g. `auth.example.com`) and handles account/session management via OIDC. The homeserver (Synapse) becomes an OIDC relying party.
+2. **Assets & binaries**: Upstream shipped packages bundle `mas-cli`, the frontend assets, policy wasm, templates, translations, etc. These can be overridden via configuration (paths configurable).
+3. **Database**: MAS maintains its own PostgreSQL database with user/session/registration information. Upstream provides `mas-cli database migrate` to manage schema.
+4. **Homeserver configuration**: Synapse needs to be configured to trust MAS—this includes replacing the `MXID_LOCALPART_REGEXP`, `oidc_config`, and adjusting `User Interactive Auth` settings to redirect to MAS endpoints.
+5. **Reverse proxy**: Both MAS and Synapse must be exposed through a reverse proxy (or Cloudron routing layer) so they can talk over HTTPS. OIDC discovery endpoints must be reachable at sensible URLs.
+6. **SSO / upstream provider**: MAS is configurable to use external SSO providers (email, identity providers) but for Cloudron we expect MAS to hook into Cloudron's OpenID provider layer (since Cloudron exposes apps via OpenID for dashboard login).
+7. **CLI tooling**: `mas-cli` ships a `config`, `database`, `manage`, `server`, `syn2mas`, `worker`, `templates`, `doctor` command suite. We'll likely rely on the `template` assets and the `doctor` check when packaging.
+8. **Templates & policies**: The frontend, policy engine (OPA), and default templates drive what flows look like; for Cloudron we should ensure these assets are present and configurable by the package (perhaps via volume mounts or extraction during install).
+
+## Cloudron-specific considerations
+- **Single-app package**: Currently the Cloudron Synapse package bundles Synapse (homeserver) and exposes it via `matrix.example.com`. MAS needs a separate service but Cloudron apps normally run in a single container. Need to decide: 1) include MAS binary / assets in the same package but run a second process, or 2) run MAS as a child service through Cloudron's `run.yml`/`start.sh`. Need to inspect existing packaging to see how (1) Synapse currently runs (maybe `start.sh`), (2) if additional processes are possible (should be via background start commands). Cloudron package manifest may need adjustments to expose MAS endpoints via additional subdomain or path.
+  - The existing `start.sh` is an idempotent bootstrap that provisions `homeserver.yaml` from the pip-installed Synapse, copies a static `homeserver.yaml.template`, writes generated secrets, and configures the database, email, OIDC (if Cloudron-provided), TURN, and logging before finally `exec`-ing Synapse with `gosu`. Adding MAS will require launching a second process (probably before the `exec`) so we can keep `start.sh` running both MAS and Synapse. Cloudron apps expose a single HTTP port (`8008` per `CloudronManifest.json`), so MAS would need to listen on a different port and rely on Cloudron’s reverse proxy rules (manifest may need to expose additional `exposePorts` or route via a subpath). 
+- **OpenID integration**: MAS expects to be an OIDC provider. Cloudron uses OpenID Connect to allow users to log into the dashboard/app. The original Cloudron issue (https://forum.cloudron.io/topic/13648) mentioned `openid uri configuration issue for synapse-s-mas`. We need to ensure MAS's `.well-known/openid-configuration` URL is accessible and correctly registered in Cloudron. This might require adding proper `manifest.json` entries so MAS endpoints are published to Cloudron's OIDC routing layer.
+- **Element/Element X login improvements**: MAS unlocks QR-code login, passkeys, etc. Need to ensure the packaged MAS supports the flow required by Element/Element X (i.e., MAS must report as the OIDC server for `matrix.org` domain). The `homeserver.yaml.template` might need updates to point at MAS discovery endpoints.
+- **Cloudron assets**: Determine how to ship MAS assets (frontend/policy/manifest) with the package so MAS can locate them without needing network downloads (Cloudron apps need offline reliability). Could use `test/` folder to store sample config? Need to ensure `start.sh` extracts these assets and sets environment variables.
+
+## Observations from the current package
+- `CloudronManifest.json` exposes only `httpPort` 8008, so Synapse listens there. There are addons for localstorage, oidc, postgresql, sendmail, and optional TURN, meaning Cloudron will inject database, mail, and OIDC env vars. Introducing MAS likely requires either:
+  - adding `exposePorts` or `httpService` entries so the reverse proxy knows about MAS’s port, and optionally an `oidc` addon entry for MAS’s `.well-known` metadata, or
+  - routing MAS through the same HTTP port but behind a different path (e.g., `/auth`). The docs for MAS mention it should run on a dedicated domain, but we might be able to serve it on a subpath if Cloudron doesn’t allow multiple ports.
+- `start.sh` already uses environment-supplied OIDC configuration when Cloudron provides it. That logic may need to be extended so MAS can either (a) act as the provider and register itself with Cloudron, or (b) rely on Cloudron’s OpenID stack if MAS is configured as a relying party. The script currently does not interact with Cloudron beyond templating `homeserver.yaml`, so we have full control over how MAS is provisioned once we decide where to run it.
+
+## Recent implementation notes
+- `CloudronManifest.json` now advertises a second `httpService` named `mas` on port `4000` so a Cloudron TLS route can reach the MAS discovery endpoints at `/mas/.well-known`.
+- Added `mas/mas-config.template.yaml` plus `mas/README.md` so the package now ships an editable MAS config skeleton, expected assets directory, and guidance on where upstream binaries live.
+- `start.sh` generates `/app/data/configs/mas.yaml`, keeps a persistent MAS client secret, and is ready to launch `mas-cli server --config ...` with proper signal handling.
+- `mas/` now holds the upstream v1.7.0 release artifacts: the `mas-cli` binary plus `share/` assets (frontend, manifest, policy, translations) that the config template points to, enabling MAS to run without building from source.
+
+## Manifest & runtime guardrails
+- Cloudron manifest v2 gives every app a single declared `httpPort`, but you can add `httpServices` entries if you need additional HTTPS-terminating services routed through Cloudron’s reverse proxy. Each `httpService` can specify a `port`, `path`, `certificate`, and `protocol`, making it possible to expose MAS on a different internal port or mount it under a distinct path (e.g., `/auth`). Alternatively, `exposePorts` allows you to expose TCP ports directly if a separate plain TCP route is acceptable.
+- The existing `oidc` addon signals Cloudron to proxy `.well-known/openid-configuration`. To surface MAS’s discovery documents we can either:
+      - register MAS as a second HTTP service with its own path for `.well-known/`, or
+      - keep MAS on the same port and let the reverse proxy forward `/auth/.well-known/*` to the MAS port.
+    - Since MAS needs to run alongside the homeserver, `start.sh` now writes `/app/data/configs/mas.yaml`, backgrounds `mas-cli server --config ...`, and installs traps so signals kill both services before the script exits, keeping the container responsive while the MAS service shares the same app lifecycle.
+    - The script also configures Synapse’s `homeserver.yaml` to treat MAS as its login provider: password registration is disabled and the MAS OIDC endpoints/secret are templated at startup so Element clients see an OIDC-capable homeserver.
+
+## Rough plan for MAS implementation
+1. **Gather upstream assets**
+   - Confirm we can download a MAS release tarball as part of the build (prefer Docker image if Cloudron supports it, otherwise pre-built binary).
+   - Verify what assets need to be packaged (frontend dist, policy wasm, translations, templates, `mas-cli`). Document in this repo how they will be bundled.
+2. **Process orchestration**
+   - Update `start.sh` to launch MAS alongside Synapse (probably via `&` background process) and ensure proper log capture.
+    - Ensure MAS listens on a different port (e.g., `4000`), while Synapse remains on its port. Cloudron reverse proxy must route `/mas` or assign a subdomain (maybe `auth.<app domain>`). Need to explore Cloudron manifest to see if multiple ports can be exposed; if not, we may need to run MAS on the same port but separate path? Need to review Cloudron packaging docs.
+    - Sketch a background-run pattern: configure MAS before Synapse, run `/app/pkg/mas/mas-cli server --config ...` as `gosu cloudron:cloudron ... &`, save the child PID, and trap SIGTERM/SIGINT so both MAS and Synapse are terminated when the container stops; the script can then `wait` on Synapse while MAS serves requests in the background.
+3. **Configuration mapping**
+   - Determine MAS config file structure and defaults. We'll likely need `mas-config.yaml` referencing Synapse endpoints, database credentials, and OIDC discovery data. Need to map Cloudron config variables (domain, TLS cert path) into MAS's config.
+   - Update `homeserver.yaml.template` to include the `oidc` settings pointing at MAS (including `client_id`, `client_secret`, `authorization_endpoint`, etc.). This may require new templating variables that Cloudron populates at runtime.
+4. **Cloudron integration (OpenID provider)**
+   - Evaluate how Cloudron registers OpenID providers for apps; we might need to adjust `CloudronManifest.json` or `start.sh` to register MAS's `.well-known/openid-configuration` with Cloudron (maybe through environment variables or `start.sh` hooking into Cloudron's OpenID provider interface). Need to research Cloudron packaging guidelines for apps that expose their own OIDC endpoints.
+   - Identify required scopes and metadata so MAS appears as the identity provider for Element clients used by Cloudron.
+5. **Test flows (Element, CLI)**
+   - Ensure Element clients can authenticate via MAS (login flow). Document manual steps to test after packaging.
+   - Provide instructions for administrators to configure MAS if Cloudron-specific modifications (domain names, secrets) are needed.
+6. **Documentation/Assets**
+   - Update README or create a new `docs/` entry explaining how MAS is configured for Cloudron (OAUTH endpoints, necessary environment variables).
+   - Add `POSTINSTALL.md` or similar update to inform Cloudron admins of new MAS dependencies.
+
+## Next steps (action items)
+1. **Clarify process/port constraints**: confirm whether Cloudron allows exposing two ports or mapping a subpath to MAS; if the manifest must change, note which keys support the MAS discovery endpoints. Ensure `start.sh` can launch MAS before Synapse `exec`.
+2. **Fetch latest MAS release** (prefer Docker image if Cloudron supports pulling `ghcr.io/element-hq/matrix-authentication-service:latest`). Determine how to extract assets and integrate into our package (hopefully by storing release tarball in repo or downloading during install?).
+3. **Define MAS config template** that references Cloudron environment variables (domain, TLS certs, database credentials). Draft a template config file in `test/` or new folder.
+4. **Map OpenID requirements**: find Cloudron docs for apps that need to expose OIDC metadata. Write down the necessary manifest keys or scripts to register MAS endpoints.
+5. **Document user flows**: in this repo, outline how MAS interacts with Synapse and Element (i.e., MAS obtains upstream login info, issues tokens to Synapse, Element authenticates via Synapse -> MAS). This can serve as both reference and testing checklist.
+6. **Additional research**: determine if Cloudron's OpenID stack can act as an upstream provider for MAS (i.e., MAS is the relying party to Cloudron's OIDC provider) or if MAS should be the provider and Cloudron just routes to it.
+
+Once the above are addressed, we'll have a clearer technical path for implementing MAS within this package. Let me know if you'd like me to iterate on any of these sections or move into prototyping a MAS-powered build.

POSTINSTALL.md

@@ -1,6 +1,2 @@
 Account ids are created with the username and the second level domain under which the
-app is installed e.g. `@$CLOUDRON-USERNAME@$CLOUDRON-APP-DOMAIN`.
-
-For federation to work, the delegation URI `https://$CLOUDRON-APP-DOMAIN/.well-known/matrix/server`
-must be configured. See the [docs](https://docs.cloudron.io/apps/synapse/#post-installation) on how to do this.
-
+app is installed e.g. `@$CLOUDRON-USERNAME:$CLOUDRON-APP-DOMAIN`.

homeserver.yaml.template

@@ -1,4 +1,4 @@
-# https://github.com/matrix-org/synapse/blob/master/docs/sample_config.yaml
+# https://github.com/element-hq/synapse/blob/master/docs/sample_config.yaml
 
 # if you change this, change the auto_join_rooms below as well
 server_name: "example.com"
@@ -13,7 +13,6 @@ listeners:
     type: http
     x_forwarded: true
     bind_addresses: ['0.0.0.0']
-
     resources:
       - names: [client,federation]
         compress: false
@@ -21,7 +20,6 @@ listeners:
 database:
   name: "psycopg2"
   args:
-    # Path to the database
     user: ${POSTGRESQL_USERNAME}
     password: ${POSTGRESQL_PASSWORD}
     database: ${POSTGRESQL_DATABASE}
@@ -29,6 +27,17 @@ database:
     cp_min: 5
     cp_max: 10
 
+log_config: "/app/data/configs/log.config"
+media_store_path: "/app/data/data/media_store"
+registration_shared_secret: "some_shared_secret"
+report_stats: false
+macaroon_secret_key: "some_macaroon_secret"
+form_secret: "some_form_secret"
+signing_key_path: "/app/data/configs/signing.key"
+trusted_key_servers:
+  - server_name: "matrix.org"
+
+## Cloudron packaging
 email:
     smtp_host: mail.server
     smtp_port: 587
@@ -40,74 +49,37 @@ email:
     enable_notifs: true
     notif_for_new_users: true
 
-password_providers:
-    - module: "synapse.util.ldap_auth_provider.LdapAuthProvider"
-      config:
-        enabled: true
-        uri: "ldap://ldap.example.com:389"
-        start_tls: true
-        base: "ou=users,dc=example,dc=com"
-        attributes:
-           uid: "username"
-           mail: "mail"
-           name: "username"
-        bind_dn: "ou=users,dc=cloudron"
-        bind_password: "password"
-        filter: "(objectClass=posixAccount)"
-
 # turn
 turn_uris: []
 turn_shared_secret: "sharedsecret"
 turn_allow_guests: true
 
-federation_ip_range_blacklist:
-  - '127.0.0.0/8'
-  - '10.0.0.0/8'
-  - '172.16.0.0/12'
-  - '192.168.0.0/16'
-  - '100.64.0.0/10'
-  - '169.254.0.0/16'
-  - '::1/128'
-  - 'fe80::/64'
-  - 'fc00::/7'
-
+# sso (https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#single-sign-on-integration)
 enable_registration: false
+# without this, registration requires one of email/captcha/token verification
 enable_registration_without_verification: true
-registration_shared_secret: "somesecret"
-allow_guest_access: false
 
-enable_group_creation: true
-
-report_stats: False
-
-signing_key_path: "/app/data/configs/signing.key"
-
-url_preview_enabled: true
-url_preview_ip_range_blacklist:
-  - '127.0.0.0/8'
-  - '10.0.0.0/8'
-  - '172.16.0.0/12'
-  - '192.168.0.0/16'
-  - '100.64.0.0/10'
-  - '169.254.0.0/16'
-  - '::1/128'
-  - 'fe80::/64'
-  - 'fc00::/7'
-
-media_store_path: "/app/data/data/media_store"
-max_upload_size: 200M
-max_image_pixels: "32M"
-dynamic_thumbnails: false
-
-autocreate_auto_join_rooms: true
-auto_join_rooms:
-  - "#discuss:example.com"
-
-trusted_key_servers:
-  - server_name: "matrix.org"
-suppress_key_server_warning: true
+oidc_providers:
+  - idp_id: cloudron
+    idp_name: "CLOUDRON_OIDC_PROVIDER_NAME"
+    issuer: "CLOUDRON_OIDC_ISSUER"
+    client_id: "CLOUDRON_OIDC_CLIENT_ID"
+    client_secret: "CLOUDRON_OIDC_CLIENT_SECRET"
+    scopes: ["openid", "profile", "email"]
+    authorization_endpoint: "CLOUDRON_OIDC_AUTH_ENDPOINT"
+    token_endpoint: "CLOUDRON_OIDC_TOKEN_ENDPOINT"
+    userinfo_endpoint: "CLOUDRON_OIDC_AUTH_ENDPOINT"
+    allow_existing_users: true
+    enable_registration: true
+    backchannel_logout_enabled: false
+    user_mapping_provider:
+      config:
+        localpart_template: "{{ user.sub }}"
+        display_name_template: "{{ user.name }}"
+        email_template: "{{ user.email }}"
 
 password_config:
-   enabled: true
-   localdb_enabled: false
+    enabled: false
+    localdb_enabled: false
+    pepper: "some_pepper_secret"
 

logo.svg

@@ -0,0 +1,105 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg:svg
+   width="92"
+   height="92"
+   viewBox="0 0 92 92"
+   version="1.1"
+   id="svg5"
+   sodipodi:docname="logo.svg"
+   inkscape:version="1.4.2 (ebf0e940d0, 2025-05-08)"
+   inkscape:export-filename="logo.png"
+   inkscape:export-xdpi="534.26086"
+   inkscape:export-ydpi="534.26086"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:dc="http://purl.org/dc/elements/1.1/">
+  <svg:defs
+     id="defs5" />
+  <sodipodi:namedview
+     id="namedview5"
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1.0"
+     inkscape:showpageshadow="2"
+     inkscape:pageopacity="0.0"
+     inkscape:pagecheckerboard="0"
+     inkscape:deskcolor="#d1d1d1"
+     inkscape:zoom="3.5066667"
+     inkscape:cx="34.93346"
+     inkscape:cy="46.340304"
+     inkscape:window-width="1280"
+     inkscape:window-height="654"
+     inkscape:window-x="0"
+     inkscape:window-y="0"
+     inkscape:window-maximized="1"
+     inkscape:current-layer="matrix-logo-white" />
+  <!-- Generator: Sketch 55 (78076) - https://sketchapp.com -->
+  <svg:title
+     id="title1">matrix logo white</svg:title>
+  <svg:desc
+     id="desc1">Created with Sketch.</svg:desc>
+  <svg:g
+     id="Page-1"
+     stroke="none"
+     stroke-width="1"
+     fill="none"
+     fill-rule="evenodd"
+     style="fill:#000000">
+    <svg:g
+       id="matrix-logo-white"
+       fill="#FFFFFF"
+       fill-rule="nonzero"
+       style="fill:#000000">
+      <svg:g
+         id="g5"
+         transform="matrix(1.1943286,0,0,1.1943286,1.1945584,26.901573)"
+         style="fill:#666666;stroke:none;stroke-opacity:1;stroke-width:0.99972487;stroke-dasharray:none">
+        <svg:polygon
+           id="Path"
+           points="0.93631479,31.249567 3.1294248,31.249567 3.1294248,31.981769 0.094721871,31.981769 0.094721871,9.495549e-05 3.1294248,9.495549e-05 3.1294248,0.73220178 0.93631479,0.73220178 "
+           style="fill:#666666;stroke:none;stroke-opacity:1;stroke-width:0.99972487;stroke-dasharray:none" />
+        <svg:path
+           d="m 9.3857143,10.406647 v 1.544356 h 0.0439 c 0.4113148,-0.587869 0.9067317,-1.04432 1.4871047,-1.367929 0.579994,-0.323038 1.244849,-0.485222 1.993711,-0.485222 0.719469,0 1.376833,0.140059 1.971523,0.419228 0.59488,0.279644 1.046587,0.772083 1.355025,1.478172 0.337548,-0.49994 0.796461,-0.941293 1.376834,-1.323679 0.579993,-0.382196 1.266561,-0.573721 2.059797,-0.573721 0.602181,0 1.159988,0.07369 1.674463,0.220771 0.513717,0.147086 0.95433,0.382386 1.321555,0.705899 0.366846,0.323799 0.653192,0.746635 0.859229,1.268321 0.205468,0.522635 0.308439,1.15105 0.308439,1.88667 v 7.633092 l -3.128382,-9.5e-5 v -6.464 c 0,-0.382196 -0.0146,-0.742551 -0.04409,-1.081068 -0.02968,-0.338041 -0.110082,-0.632024 -0.242257,-0.882421 -0.132269,-0.249828 -0.327117,-0.44857 -0.583786,-0.595751 -0.257048,-0.146516 -0.605973,-0.220487 -1.046492,-0.220487 -0.440518,0 -0.796744,0.08508 -1.068489,0.253626 -0.271934,0.169401 -0.484703,0.390173 -0.63878,0.661935 -0.154172,0.272427 -0.257048,0.581128 -0.308344,0.926956 -0.05167,0.345448 -0.07718,0.694884 -0.07718,1.047834 v 6.353471 h -3.128097 v -6.397626 c 0,-0.338231 -0.0077,-0.672949 -0.02181,-1.003679 -0.01498,-0.33111 -0.07718,-0.636202 -0.187547,-0.915846 -0.110177,-0.279169 -0.293837,-0.503644 -0.55079,-0.673045 -0.257048,-0.168545 -0.635177,-0.253626 -1.134482,-0.253626 -0.147061,0 -0.341625,0.03314 -0.583692,0.09951 -0.242351,0.06618 -0.477497,0.19143 -0.704962,0.374979 -0.227939,0.184024 -0.4223133,0.44876 -0.5838809,0.794113 -0.1616625,0.345828 -0.2423515,0.797816 -0.2423515,1.356629 v 6.618492 l -3.1280025,9.5e-5 V 10.406647 Z"
+           id="path1"
+           style="fill:#666666;stroke:none;stroke-opacity:1;stroke-width:0.99972487;stroke-dasharray:none" />
+        <svg:path
+           d="m 25.841719,12.083561 c 0.322851,-0.485508 0.734261,-0.875015 1.233755,-1.169472 0.499115,-0.294077 1.06062,-0.503549 1.684987,-0.6287 0.624084,-0.124867 1.252055,-0.187632 1.883534,-0.187632 0.572882,0 1.152781,0.04064 1.740265,0.121258 0.58739,0.08119 1.123578,0.239478 1.608281,0.474492 0.484608,0.235205 0.881037,0.562707 1.18957,0.98165 0.308439,0.419134 0.462611,0.974434 0.462611,1.665804 v 5.934149 c 0,0.515418 0.02939,1.007572 0.08827,1.478172 0.05831,0.470884 0.161283,0.823834 0.308249,1.059038 h -3.172092 c -0.05888,-0.176617 -0.106764,-0.356557 -0.143268,-0.540581 -0.03698,-0.183549 -0.06267,-0.371086 -0.07709,-0.562422 -0.4994,0.514849 -1.087073,0.875205 -1.762168,1.081164 -0.675759,0.205388 -1.366024,0.3087 -2.070986,0.3087 -0.543584,0 -1.050285,-0.06628 -1.520196,-0.198457 C 26.82534,21.768261 26.414309,21.562493 26.061876,21.282564 25.709347,21.003585 25.434,20.65054 25.235738,20.224095 25.037476,19.79765 24.938203,19.289733 24.938203,18.701674 c 0,-0.646932 0.113685,-1.180297 0.341719,-1.599051 0.227466,-0.419418 0.521018,-0.753851 0.881322,-1.004154 0.359639,-0.249923 0.770764,-0.43746 1.233565,-0.562421 0.462515,-0.124867 0.928729,-0.223906 1.398735,-0.297876 0.470007,-0.07331 0.932523,-0.132273 1.387927,-0.176332 0.455215,-0.04425 0.859229,-0.110528 1.211663,-0.198742 0.352528,-0.08821 0.631289,-0.216688 0.837136,-0.385994 0.205278,-0.169116 0.300759,-0.41543 0.286346,-0.739229 0,-0.338041 -0.05499,-0.60667 -0.16517,-0.805127 -0.110082,-0.198457 -0.257048,-0.35314 -0.440519,-0.463383 -0.183659,-0.110243 -0.396618,-0.183834 -0.63878,-0.220771 -0.242446,-0.03627 -0.503381,-0.05508 -0.782048,-0.05508 -0.616877,0 -1.101485,0.132463 -1.454013,0.397199 -0.352339,0.264736 -0.558376,0.706184 -0.616878,1.32368 h -3.128097 c 0.04381,-0.735146 0.227086,-1.345804 0.5506,-1.830837 z m 6.179109,4.423311 c -0.198167,0.06609 -0.41122,0.121069 -0.638685,0.165318 -0.22775,0.04415 -0.466309,0.081 -0.715961,0.110243 -0.249842,0.02972 -0.499494,0.06628 -0.748957,0.110433 -0.235145,0.04378 -0.466403,0.103122 -0.693774,0.176333 -0.227939,0.07397 -0.426201,0.173009 -0.59488,0.29797 -0.169152,0.125056 -0.30493,0.283442 -0.407711,0.474208 -0.102876,0.19124 -0.154172,0.434041 -0.154172,0.728118 0,0.27917 0.0513,0.514849 0.154172,0.705615 0.102781,0.191525 0.242541,0.342219 0.41871,0.452463 0.17617,0.110243 0.381637,0.187632 0.616972,0.231501 0.234672,0.04425 0.477023,0.06628 0.72677,0.06628 0.616783,0 1.0939,-0.102742 1.432017,-0.30889 0.337642,-0.205674 0.587105,-0.452178 0.748957,-0.739229 0.161378,-0.28667 0.260651,-0.576569 0.29744,-0.871121 0.03641,-0.294077 0.05499,-0.529472 0.05499,-0.705899 v -1.169472 c -0.132364,0.11803 -0.297534,0.209851 -0.495891,0.27613 z"
+           id="Shape"
+           style="fill:#666666;stroke:none;stroke-opacity:1;stroke-width:0.99972487;stroke-dasharray:none" />
+        <svg:path
+           d="m 43.883533,10.406647 v 2.095858 h -2.290866 v 5.647857 c 0,0.529187 0.08799,0.882326 0.264349,1.058659 0.17598,0.176522 0.528698,0.264736 1.057396,0.264736 0.176264,0 0.344943,-0.0072 0.506606,-0.02203 0.161472,-0.01443 0.315739,-0.03684 0.462515,-0.06609 v 2.426777 c -0.264348,0.04415 -0.558185,0.0734 -0.881131,0.0884 -0.32304,0.01415 -0.63878,0.02184 -0.947219,0.02184 -0.484608,0 -0.94371,-0.03323 -1.376833,-0.09951 C 40.244943,21.757154 39.863211,21.62877 39.53287,21.43734 39.202339,21.246385 38.941593,20.973957 38.750822,20.621008 38.559671,20.268343 38.46438,19.804865 38.46438,19.230954 v -6.72845 H 36.569943 V 10.406647 H 38.46438 V 6.9871098 h 3.128193 v 3.4195372 z"
+           id="path2"
+           style="fill:#666666;stroke:none;stroke-opacity:1;stroke-width:0.99972487;stroke-dasharray:none" />
+        <svg:path
+           d="m 48.355373,10.406647 v 2.117982 h 0.04409 c 0.146586,-0.353234 0.344753,-0.680166 0.59469,-0.981935 0.249747,-0.301199 0.535904,-0.558813 0.859039,-0.772083 0.322851,-0.21289 0.668173,-0.378397 1.035683,-0.496427 0.366751,-0.11746 0.748862,-0.176522 1.14548,-0.176522 0.205563,0 0.432933,0.03703 0.68287,0.110433 v 2.912285 c -0.147061,-0.02963 -0.323325,-0.05545 -0.528698,-0.07729 -0.205752,-0.02213 -0.403919,-0.03323 -0.59488,-0.03323 -0.572787,0 -1.057395,0.09591 -1.453729,0.28686 -0.396524,0.191241 -0.715866,0.452083 -0.958312,0.783098 -0.242257,0.33111 -0.415203,0.716914 -0.517889,1.158267 -0.102687,0.441068 -0.154077,0.919359 -0.154077,1.434018 V 21.81232 H 45.381542 V 10.406647 Z"
+           id="path3"
+           style="fill:#666666;stroke:none;stroke-opacity:1;stroke-width:0.99972487;stroke-dasharray:none" />
+        <svg:path
+           d="m 54.038875,8.6416142 v -2.581175 h 3.128382 v 2.581175 z m 3.128382,1.7650328 V 21.812415 H 54.038875 V 10.406647 Z"
+           id="path4"
+           style="fill:#666666;stroke:none;stroke-opacity:1;stroke-width:0.99972487;stroke-dasharray:none" />
+        <svg:polygon
+           id="polygon4"
+           points="61.94725,21.81251 58.444912,21.81251 62.542225,15.811988 58.79725,10.406647 62.365866,10.406647 64.37067,13.384926 66.353382,10.406647 69.811915,10.406647 66.067035,15.745614 70.274715,21.81251 66.705815,21.81251 64.32658,18.216546 "
+           style="fill:#666666;stroke:none;stroke-opacity:1;stroke-width:0.99972487;stroke-dasharray:none" />
+        <svg:polygon
+           id="polygon5"
+           points="74.093837,0.73220178 71.900727,0.73220178 71.900727,9.495549e-05 74.93562,9.495549e-05 74.93562,31.981769 71.900727,31.981769 71.900727,31.249567 74.093837,31.249567 "
+           style="fill:#666666;stroke:none;stroke-opacity:1;stroke-width:0.99972487;stroke-dasharray:none" />
+      </svg:g>
+    </svg:g>
+  </svg:g>
+  <script />
+  <svg:metadata
+     id="metadata5">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:title>matrix logo white</dc:title>
+      </cc:Work>
+    </rdf:RDF>
+  </svg:metadata>
+</svg:svg>

mas/LICENSE

@@ -0,0 +1,661 @@
+                    GNU AFFERO GENERAL PUBLIC LICENSE
+                       Version 3, 19 November 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The GNU Affero General Public License is a free, copyleft license for
+software and other kinds of works, specifically designed to ensure
+cooperation with the community in the case of network server software.
+
+  The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works.  By contrast,
+our General Public Licenses are intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+  Developers that use our General Public Licenses protect your rights
+with two steps: (1) assert copyright on the software, and (2) offer
+you this License which gives you legal permission to copy, distribute
+and/or modify the software.
+
+  A secondary benefit of defending all users' freedom is that
+improvements made in alternate versions of the program, if they
+receive widespread use, become available for other developers to
+incorporate.  Many developers of free software are heartened and
+encouraged by the resulting cooperation.  However, in the case of
+software used on network servers, this result may fail to come about.
+The GNU General Public License permits making a modified version and
+letting the public access it on a server without ever releasing its
+source code to the public.
+
+  The GNU Affero General Public License is designed specifically to
+ensure that, in such cases, the modified source code becomes available
+to the community.  It requires the operator of a network server to
+provide the source code of the modified version running there to the
+users of that server.  Therefore, public use of a modified version, on
+a publicly accessible server, gives the public access to the source
+code of the modified version.
+
+  An older license, called the Affero General Public License and
+published by Affero, was designed to accomplish similar goals.  This is
+a different license, not a version of the Affero GPL, but Affero has
+released a new version of the Affero GPL which permits relicensing under
+this license.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                       TERMS AND CONDITIONS
+
+  0. Definitions.
+
+  "This License" refers to version 3 of the GNU Affero General Public License.
+
+  "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+  "The Program" refers to any copyrightable work licensed under this
+License.  Each licensee is addressed as "you".  "Licensees" and
+"recipients" may be individuals or organizations.
+
+  To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy.  The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+  A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+  To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy.  Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+  To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies.  Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+  An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License.  If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+  1. Source Code.
+
+  The "source code" for a work means the preferred form of the work
+for making modifications to it.  "Object code" means any non-source
+form of a work.
+
+  A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+  The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form.  A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+  The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities.  However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work.  For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+  The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+  The Corresponding Source for a work in source code form is that
+same work.
+
+  2. Basic Permissions.
+
+  All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met.  This License explicitly affirms your unlimited
+permission to run the unmodified Program.  The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work.  This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+  You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force.  You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright.  Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+  Conveying under any other circumstances is permitted solely under
+the conditions stated below.  Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+  No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+  When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+  4. Conveying Verbatim Copies.
+
+  You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+  You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+  5. Conveying Modified Source Versions.
+
+  You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+
+  A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit.  Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+  6. Conveying Non-Source Forms.
+
+  You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+
+  A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+  A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling.  In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage.  For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product.  A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+  "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source.  The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+  If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information.  But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+  The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed.  Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+  Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+  7. Additional Terms.
+
+  "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law.  If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+  When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it.  (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.)  You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+  Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+
+  All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10.  If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term.  If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+  If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+  Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+  8. Termination.
+
+  You may not propagate or modify a covered work except as expressly
+provided under this License.  Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+  However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+  Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+  Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License.  If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+  9. Acceptance Not Required for Having Copies.
+
+  You are not required to accept this License in order to receive or
+run a copy of the Program.  Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance.  However,
+nothing other than this License grants you permission to propagate or
+modify any covered work.  These actions infringe copyright if you do
+not accept this License.  Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+  10. Automatic Licensing of Downstream Recipients.
+
+  Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License.  You are not responsible
+for enforcing compliance by third parties with this License.
+
+  An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations.  If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+  You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License.  For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+  11. Patents.
+
+  A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based.  The
+work thus licensed is called the contributor's "contributor version".
+
+  A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version.  For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+  Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+  In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement).  To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+  If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients.  "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+  If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+  A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License.  You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+  Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+  12. No Surrender of Others' Freedom.
+
+  If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all.  For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+  13. Remote Network Interaction; Use with the GNU General Public License.
+
+  Notwithstanding any other provision of this License, if you modify the
+Program, your modified version must prominently offer all users
+interacting with it remotely through a computer network (if your version
+supports such interaction) an opportunity to receive the Corresponding
+Source of your version by providing access to the Corresponding Source
+from a network server at no charge, through some standard or customary
+means of facilitating copying of software.  This Corresponding Source
+shall include the Corresponding Source for any work covered by version 3
+of the GNU General Public License that is incorporated pursuant to the
+following paragraph.
+
+  Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU General Public License into a single
+combined work, and to convey the resulting work.  The terms of this
+License will continue to apply to the part which is the covered work,
+but the work with which it is combined will remain governed by version
+3 of the GNU General Public License.
+
+  14. Revised Versions of this License.
+
+  The Free Software Foundation may publish revised and/or new versions of
+the GNU Affero General Public License from time to time.  Such new versions
+will be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+  Each version is given a distinguishing version number.  If the
+Program specifies that a certain numbered version of the GNU Affero General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation.  If the Program does not specify a version number of the
+GNU Affero General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+  If the Program specifies that a proxy can decide which future
+versions of the GNU Affero General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+  Later license versions may give you additional or different
+permissions.  However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+  15. Disclaimer of Warranty.
+
+  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. Limitation of Liability.
+
+  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+  17. Interpretation of Sections 15 and 16.
+
+  If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU Affero General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU Affero General Public License for more details.
+
+    You should have received a copy of the GNU Affero General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+  If your software can interact with users remotely through a computer
+network, you should also make sure that it provides a way for users to
+get its source.  For example, if your program is a web application, its
+interface could display a "Source" link that leads users to an archive
+of the code.  There are many ways you could offer source, and different
+solutions will be better for different programs; see section 13 for the
+specific requirements.
+
+  You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU AGPL, see
+<https://www.gnu.org/licenses/>.

mas/README.md

@@ -0,0 +1,9 @@
+# MAS assets
+
+This directory is reserved for the Matrix Authentication Service release that will ship with this package.
+
+- `mas-cli` is the upstream binary that currently provides the CLI and `server` subcommand used by `start.sh`.
+- `share/` will contain the frontend assets, manifest, policy wasm, translations, and templates that MAS expects.
+- `mas-config.template.yaml` is the Cloudron-aware configuration template that `start.sh` expands into `/app/data/configs/mas.yaml` at runtime.
+
+During build time we will download the official `matrix-authentication-service` release (Docker or the prebuilt tarball) into this directory so that the package can start the MAS server as soon as the app boots.

mas/mas-config.template.yaml

@@ -0,0 +1,54 @@
+# MAS configuration template for Cloudron per https://element-hq.github.io/matrix-authentication-service/setup/
+
+server:
+  bind_address: "0.0.0.0"
+  port: ${MAS_PORT}
+
+site:
+  base_url: "https://${MAS_DOMAIN}"
+  developer_mode: false
+
+logging:
+  level: info
+
+metrics:
+  enabled: false
+
+database:
+  provider: postgresql
+  host: "${CLOUDRON_POSTGRESQL_HOST}"
+  port: ${CLOUDRON_POSTGRESQL_PORT}
+  username: "${CLOUDRON_POSTGRESQL_USERNAME}"
+  password: "${CLOUDRON_POSTGRESQL_PASSWORD}"
+  database: "${CLOUDRON_POSTGRESQL_DATABASE}_mas"
+
+oidc:
+  issuer: "https://${MAS_DOMAIN}"
+  clients:
+    - id: "synapse"
+      secret: "${MAS_OIDC_CLIENT_SECRET}"
+      redirect_uris:
+        - "${CLOUDRON_APP_ORIGIN}/_synapse/client/oidc/callback"
+      response_types:
+        - "code"
+      grant_types:
+        - "authorization_code"
+        - "refresh_token"
+      scopes:
+        - "openid"
+        - "profile"
+        - "email"
+
+homeserver:
+  name: "${CLOUDRON_APP_DOMAIN}"
+  public_baseurl: "${CLOUDRON_APP_ORIGIN}"
+  discovery_url: "${CLOUDRON_APP_ORIGIN}/.well-known/openid-configuration"
+
+assets:
+  frontend: "/app/pkg/mas/share/assets"
+  manifest: "/app/pkg/mas/share/manifest.json"
+  policy: "/app/pkg/mas/share/policy.wasm"
+  translations: "/app/pkg/mas/share/translations"
+secrets:
+  encryption_file: "${MAS_ENCRYPTION_FILE}"
+  keys_dir: "/app/data/configs/mas-keys"

mas/share/assets/Avatar-B3RWCmae.js

@@ -0,0 +1,2 @@
+import{r as f,a4 as u,w as m,j as g}from"./main-CiAhdYQG.js";const h="@",v="#",A="+",I=new Intl.Segmenter;function M(t){if(t.length<1)return"";const e=t[0];[h,v,A].includes(e)&&(t=t.substring(1));const a=I.segment(t)[Symbol.iterator]().next();return a.done?"":a.value.segment}const E="_avatar_1qbcf_8",R="_image_1qbcf_41",o={avatar:E,image:R,"avatar-imageless":"_avatar-imageless_1qbcf_52"};function X(t){return t.split("").reduce((r,n)=>r+n.charCodeAt(0),0)%6+1}function b(t){return!!(t.onClick||t.onKeyDown||t.onKeyUp)}const y=f.forwardRef(function({src:e,id:a,name:c="",type:r="round",className:n="",size:s,style:i={},onError:d,...l},_){return u.createElement(b(l)?"button":"span",{ref:_,role:"img","aria-label":a,...l,"data-type":r,"data-color":X(a),className:m(o.avatar,n,{[o["avatar-imageless"]]:!e}),style:{...i,"--cpd-avatar-size":s}},g.jsx(u.Fragment,{children:e?g.jsx("img",{loading:"lazy",alt:"",src:e,referrerPolicy:"no-referrer",className:m(o.image),"data-type":r,style:i,width:s,height:s,onError:d}):M(c)}))});export{y as A};
+//# sourceMappingURL=Avatar-B3RWCmae.js.map

mas/share/assets/Avatar-B3RWCmae.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"Avatar-B3RWCmae.js","sources":["../node_modules/@vector-im/compound-web/dist/utils/string.js","../node_modules/@vector-im/compound-web/dist/components/Avatar/Avatar.module.css.js","../node_modules/@vector-im/compound-web/dist/components/Avatar/useIdColorHash.js","../node_modules/@vector-im/compound-web/dist/components/Avatar/Avatar.js"],"sourcesContent":["const MX_USERNAME_PREFIX = \"@\";\nconst MX_ROOM_PREFIX = \"#\";\nconst MX_ALIAS_PREFIX = \"+\";\nconst graphemeSegmenter = new Intl.Segmenter();\nfunction getInitialLetter(name) {\n  if (name.length < 1) {\n    return \"\";\n  }\n  const initial = name[0];\n  if ([MX_USERNAME_PREFIX, MX_ROOM_PREFIX, MX_ALIAS_PREFIX].includes(initial)) {\n    name = name.substring(1);\n  }\n  const result = graphemeSegmenter.segment(name)[Symbol.iterator]().next();\n  return result.done ? \"\" : result.value.segment;\n}\nexport {\n  MX_ALIAS_PREFIX,\n  MX_ROOM_PREFIX,\n  MX_USERNAME_PREFIX,\n  getInitialLetter\n};\n//# sourceMappingURL=string.js.map\n","const avatar = \"_avatar_1qbcf_8\";\nconst image = \"_image_1qbcf_41\";\nconst styles = {\n  avatar,\n  image,\n  \"avatar-imageless\": \"_avatar-imageless_1qbcf_52\",\n  \"stacked-avatars\": \"_stacked-avatars_1qbcf_102\",\n  \"clip-path\": \"_clip-path_1qbcf_121\"\n};\nexport {\n  avatar,\n  styles as default,\n  image\n};\n//# sourceMappingURL=Avatar.module.css.js.map\n","function useIdColorHash(id) {\n  const MIN = 1;\n  const MAX = 6;\n  const charCodeSum = id.split(\"\").reduce((sum, char) => {\n    return sum + char.charCodeAt(0);\n  }, 0);\n  return charCodeSum % MAX + MIN;\n}\nexport {\n  useIdColorHash\n};\n//# sourceMappingURL=useIdColorHash.js.map\n","import { jsx } from \"react/jsx-runtime\";\nimport classNames from \"classnames\";\nimport React, { forwardRef } from \"react\";\nimport { getInitialLetter } from \"../../utils/string.js\";\nimport styles from \"./Avatar.module.css.js\";\nimport { useIdColorHash } from \"./useIdColorHash.js\";\nfunction shouldBeAButton(props) {\n  return !!(props.onClick || props.onKeyDown || props.onKeyUp);\n}\nconst Avatar = forwardRef(function Avatar2({\n  src,\n  id,\n  name = \"\",\n  type = \"round\",\n  className = \"\",\n  size,\n  style = {},\n  onError,\n  ...props\n}, ref) {\n  return React.createElement(\n    shouldBeAButton(props) ? \"button\" : \"span\",\n    {\n      ref,\n      role: \"img\",\n      // Default the aria-label to id\n      \"aria-label\": id,\n      ...props,\n      \"data-type\": type,\n      \"data-color\": useIdColorHash(id),\n      className: classNames(styles.avatar, className, {\n        [styles[\"avatar-imageless\"]]: !src\n      }),\n      style: {\n        ...style,\n        \"--cpd-avatar-size\": size\n      }\n    },\n    /* @__PURE__ */ jsx(React.Fragment, { children: !src ? getInitialLetter(name) : /* @__PURE__ */ jsx(\n      \"img\",\n      {\n        loading: \"lazy\",\n        alt: \"\",\n        src,\n        referrerPolicy: \"no-referrer\",\n        className: classNames(styles.image),\n        \"data-type\": type,\n        style,\n        width: size,\n        height: size,\n        onError\n      }\n    ) })\n  );\n});\nexport {\n  Avatar\n};\n//# sourceMappingURL=Avatar.js.map\n"],"names":["MX_USERNAME_PREFIX","MX_ROOM_PREFIX","MX_ALIAS_PREFIX","graphemeSegmenter","getInitialLetter","name","initial","result","avatar","image","styles","useIdColorHash","id","sum","char","shouldBeAButton","props","Avatar","forwardRef","src","type","className","size","style","onError","ref","React","classNames","jsx"],"mappings":"6DAAA,MAAMA,EAAqB,IACrBC,EAAiB,IACjBC,EAAkB,IAClBC,EAAoB,IAAI,KAAK,UACnC,SAASC,EAAiBC,EAAM,CAC9B,GAAIA,EAAK,OAAS,EAChB,MAAO,GAET,MAAMC,EAAUD,EAAK,CAAC,EAClB,CAACL,EAAoBC,EAAgBC,CAAe,EAAE,SAASI,CAAO,IACxED,EAAOA,EAAK,UAAU,CAAC,GAEzB,MAAME,EAASJ,EAAkB,QAAQE,CAAI,EAAE,OAAO,QAAQ,EAAC,EAAG,KAAI,EACtE,OAAOE,EAAO,KAAO,GAAKA,EAAO,MAAM,OACzC,CCdA,MAAMC,EAAS,kBACTC,EAAQ,kBACRC,EAAS,CACb,OAAAF,EACA,MAAAC,EACA,mBAAoB,4BAGtB,ECRA,SAASE,EAAeC,EAAI,CAM1B,OAHoBA,EAAG,MAAM,EAAE,EAAE,OAAO,CAACC,EAAKC,IACrCD,EAAMC,EAAK,WAAW,CAAC,EAC7B,CAAC,EACiB,EAAM,CAC7B,CCDA,SAASC,EAAgBC,EAAO,CAC9B,MAAO,CAAC,EAAEA,EAAM,SAAWA,EAAM,WAAaA,EAAM,QACtD,CACK,MAACC,EAASC,EAAAA,WAAW,SAAiB,CACzC,IAAAC,EACA,GAAAP,EACA,KAAAP,EAAO,GACP,KAAAe,EAAO,QACP,UAAAC,EAAY,GACZ,KAAAC,EACA,MAAAC,EAAQ,CAAA,EACR,QAAAC,EACA,GAAGR,CACL,EAAGS,EAAK,CACN,OAAOC,EAAM,cACXX,EAAgBC,CAAK,EAAI,SAAW,OACpC,CACE,IAAAS,EACA,KAAM,MAEN,aAAcb,EACd,GAAGI,EACH,YAAaI,EACb,aAAcT,EAAeC,CAAE,EAC/B,UAAWe,EAAWjB,EAAO,OAAQW,EAAW,CAC9C,CAACX,EAAO,kBAAkB,CAAC,EAAG,CAACS,CACvC,CAAO,EACD,MAAO,CACL,GAAGI,EACH,oBAAqBD,CAC7B,CACA,EACoBM,MAAIF,EAAM,SAAU,CAAE,SAAWP,EAA+CS,EAAAA,IAC9F,MACA,CACE,QAAS,OACT,IAAK,GACL,IAAAT,EACA,eAAgB,cAChB,UAAWQ,EAAWjB,EAAO,KAAK,EAClC,YAAaU,EACb,MAAAG,EACA,MAAOD,EACP,OAAQA,EACR,QAAAE,CACR,CACA,EAd2DpB,EAAiBC,CAAI,CAc3E,CAAE,CACP,CACA,CAAC","x_google_ignoreList":[0,1,2,3]}

mas/share/assets/ButtonLink-C4AMHHR_.css

@@ -0,0 +1 @@
+a._button-link_x5txo_8[href]{inline-size:initial}

mas/share/assets/ButtonLink-kWcKQZoZ.js

@@ -0,0 +1,2 @@
+import{ag as e,r as i,j as r,B as c,w as l}from"./main-CiAhdYQG.js";const u="_button-link_x5txo_8",b={buttonLink:u},x=e(i.forwardRef(({children:s,className:a,...t},n)=>{const o=!!t.disabled||!!t["aria-disabled"]||!1;return r.jsx(c,{as:"a",...t,className:l(b.buttonLink,a),disabled:o,ref:n,children:s})}));export{x as B};
+//# sourceMappingURL=ButtonLink-kWcKQZoZ.js.map

mas/share/assets/ButtonLink-kWcKQZoZ.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ButtonLink-kWcKQZoZ.js","sources":["../src/components/ButtonLink.tsx"],"sourcesContent":["// Copyright 2024, 2025 New Vector Ltd.\n// Copyright 2024 The Matrix.org Foundation C.I.C.\n//\n// SPDX-License-Identifier: AGPL-3.0-only OR LicenseRef-Element-Commercial\n// Please see LICENSE files in the repository root for full details.\n\nimport { createLink } from \"@tanstack/react-router\";\nimport { Button } from \"@vector-im/compound-web\";\nimport cx from \"classnames\";\nimport { forwardRef, type PropsWithChildren } from \"react\";\nimport styles from \"./ButtonLink.module.css\";\n\ntype Props = {\n  kind?: \"primary\" | \"secondary\" | \"tertiary\";\n  size?: \"sm\" | \"lg\";\n  Icon?: React.ComponentType<React.SVGAttributes<SVGElement>>;\n  destructive?: boolean;\n  disabled?: boolean;\n  className?: string;\n} & React.AnchorHTMLAttributes<HTMLAnchorElement>;\n\nexport const ButtonLink = createLink(\n  forwardRef<HTMLAnchorElement, PropsWithChildren<Props>>(\n    ({ children, className, ...props }, ref) => {\n      const disabled = !!props.disabled || !!props[\"aria-disabled\"] || false;\n      return (\n        <Button\n          as=\"a\"\n          {...props}\n          className={cx(styles.buttonLink, className)}\n          disabled={disabled}\n          ref={ref}\n        >\n          {children}\n        </Button>\n      );\n    },\n  ),\n);\n"],"names":["ButtonLink","createLink","forwardRef","children","className","props","ref","disabled","jsx","Button","cx","styles"],"mappings":"oHAqBaA,EAAaC,EACxBC,EAAAA,WACE,CAAC,CAAE,SAAAC,EAAU,UAAAC,EAAW,GAAGC,CAAA,EAASC,IAAQ,CAC1C,MAAMC,EAAW,CAAC,CAACF,EAAM,UAAY,CAAC,CAACA,EAAM,eAAe,GAAK,GACjE,OACEG,EAAAA,IAACC,EAAA,CACC,GAAG,IACF,GAAGJ,EACJ,UAAWK,EAAGC,EAAO,WAAYP,CAAS,EAC1C,SAAAG,EACA,IAAAD,EAEC,SAAAH,CAAA,CAAA,CAGP,CAAA,CAEJ"}

mas/share/assets/EndBrowserSessionButton-DXsnVcVV.js

@@ -0,0 +1,21 @@
+import{r as l,j as e,u as _,w as p,ag as A,D as I,e as B,G as C,B as m,N as v,h as S,i as q,c as w,d as x,l as y,k as h,b as T}from"./main-CiAhdYQG.js";import{I as k,C as E}from"./computer-Cx9wZ7Nf.js";function f(s,n){return e.jsx("svg",{xmlns:"http://www.w3.org/2000/svg",width:"1em",height:"1em",fill:"currentColor",viewBox:"0 0 24 24",ref:n,...s,children:e.jsx("path",{d:"M7 23q-.824 0-1.412-.587A1.93 1.93 0 0 1 5 21V3q0-.824.588-1.412A1.93 1.93 0 0 1 7 1h10q.824 0 1.413.587Q19 2.176 19 3v18q0 .824-.587 1.413A1.93 1.93 0 0 1 17 23zm0-5h10V6H7z"})})}f.displayName="MobileIcon";const M=l.forwardRef(f);function b(s,n){return e.jsxs("svg",{xmlns:"http://www.w3.org/2000/svg",width:"1em",height:"1em",fill:"currentColor",viewBox:"0 0 24 24",ref:n,...s,children:[e.jsx("path",{d:"M5 21q-.824 0-1.412-.587A1.93 1.93 0 0 1 3 19V5q0-.824.587-1.412A1.93 1.93 0 0 1 5 3h14q.824 0 1.413.587Q21 4.176 21 5v14q0 .824-.587 1.413A1.93 1.93 0 0 1 19 21zm0-2h14V5H5z"}),e.jsx("path",{d:"M11 10a1 1 0 1 1 1.479.878c-.31.17-.659.413-.94.741-.286.334-.539.8-.539 1.381a1 1 0 0 0 2 .006.3.3 0 0 1 .057-.085 1.4 1.4 0 0 1 .382-.288A3 3 0 1 0 9 10a1 1 0 1 0 2 0m1.999 3.012v-.005zM12 17a1 1 0 1 0 0-2 1 1 0 0 0 0 2"})]})}b.displayName="UnknownIcon";const L=l.forwardRef(b);function j(s,n){return e.jsx("svg",{xmlns:"http://www.w3.org/2000/svg",width:"1em",height:"1em",fill:"currentColor",viewBox:"0 0 24 24",ref:n,...s,children:e.jsx("path",{d:"M4 20q-.824 0-1.412-.587A1.93 1.93 0 0 1 2 18V6q0-.824.587-1.412A1.93 1.93 0 0 1 4 4h16q.824 0 1.413.588Q22 5.175 22 6v12q0 .824-.587 1.413A1.93 1.93 0 0 1 20 20zm0-2h16V8H4z"})})}j.displayName="WebBrowserIcon";const R=l.forwardRef(j),D="_device-type-icon_10tr1_8",O={deviceTypeIcon:D},Q={UNKNOWN:L,PC:k,MOBILE:M,TABLET:R},K=({deviceType:s})=>{const{t:n}=_(),a=Q[s],i={UNKNOWN:n("frontend.device_type_icon_label.unknown"),PC:n("frontend.device_type_icon_label.pc"),MOBILE:n("frontend.device_type_icon_label.mobile"),TABLET:n("frontend.device_type_icon_label.tablet")}[s];return e.jsx(a,{className:O.deviceTypeIcon,"aria-label":i})},z="_session-card-root_8sc98_8",H="_action_8sc98_13",U="_session-card_8sc98_8",V="_card-header_8sc98_13",P="_disabled_8sc98_59",W="_compact_8sc98_65",F="_content_8sc98_75",$="_name_8sc98_84",G="_client_8sc98_94",J="_metadata_8sc98_109",X="_key_8sc98_118",Y="_value_8sc98_124",t={sessionCardRoot:z,action:H,sessionCard:U,cardHeader:V,disabled:P,compact:W,content:F,name:$,client:G,metadata:J,key:X,value:Y},re=({children:s})=>e.jsx("section",{className:t.sessionCardRoot,children:s}),ce=A(l.forwardRef(({children:s,compact:n,className:a,...o},i)=>{const r=!!o.disabled||!!o["aria-disabled"]||!1;return e.jsx("a",{className:p(a,t.sessionCard,n&&t.compact,r&&t.disabled),...o,ref:i,children:s})})),Z=({children:s,compact:n,disabled:a})=>e.jsx("div",{className:p(t.sessionCard,n&&t.compact,a&&t.disabled),children:s}),ee=({type:s,children:n})=>e.jsxs("header",{className:t.cardHeader,children:[e.jsx(K,{deviceType:s}),e.jsx("div",{className:t.content,children:n})]}),se=({name:s})=>e.jsx("div",{className:t.name,children:s}),ne=({name:s,logoUri:n})=>e.jsxs("div",{className:t.client,children:[e.jsx(E,{name:s,size:"var(--cpd-space-5x)",logoUri:n}),s]}),de=({children:s})=>e.jsx("ul",{className:t.metadata,children:s}),le=({label:s,children:n})=>e.jsxs("li",{children:[e.jsx("div",{className:t.key,children:s}),e.jsx("div",{className:t.value,children:n})]}),ue=({children:s})=>e.jsx("div",{className:t.action,children:s}),oe=({children:s,mutation:n,size:a})=>{const[o,i]=l.useState(!1),{t:r}=_(),u=c=>{c.preventDefault(),n.mutate(void 0,{onSuccess:()=>i(!1)})};return e.jsxs(I,{open:o,onOpenChange:i,trigger:e.jsx(m,{kind:"secondary",destructive:!0,size:a,Icon:v,children:r("frontend.end_session_button.text")}),children:[e.jsx(B,{children:r("frontend.end_session_button.confirmation_modal_title")}),s&&e.jsx(C,{children:s}),e.jsxs(m,{type:"button",kind:"primary",destructive:!0,onClick:u,disabled:n.isPending,Icon:n.isPending?void 0:v,children:[n.isPending&&e.jsx(S,{inline:!0}),r("frontend.end_session_button.text")]}),e.jsx(q,{asChild:!0,children:e.jsx(m,{kind:"tertiary",children:r("action.cancel")})})]})},te=h(`
+  fragment EndBrowserSessionButton_session on BrowserSession {
+    id
+    userAgent {
+      name
+      os
+      model
+      deviceType
+    }
+  }
+`),g=h(`
+  mutation EndBrowserSession($id: ID!) {
+    endBrowserSession(input: { browserSessionId: $id }) {
+      status
+      browserSession {
+        id
+      }
+    }
+  }
+`),me=(s,n)=>{const a=w();return x({mutationFn:()=>y({query:g,variables:{id:s}}),onSuccess:i=>{a.invalidateQueries({queryKey:["sessionsOverview"]}),a.invalidateQueries({queryKey:["browserSessionList"]}),a.invalidateQueries({queryKey:["sessionDetail",i.endBrowserSession.browserSession?.id]}),window.location.reload()}})},_e=({session:s,size:n})=>{const{t:a}=_(),o=T(te,s),i=w(),r=x({mutationFn:()=>y({query:g,variables:{id:o.id}}),onSuccess:N=>{i.invalidateQueries({queryKey:["sessionsOverview"]}),i.invalidateQueries({queryKey:["appSessionList"]}),i.invalidateQueries({queryKey:["sessionDetail",N.endBrowserSession.browserSession?.id]})}}),u=o.userAgent?.deviceType??"UNKNOWN";let c=null,d=null;return o.userAgent?.model?(c=o.userAgent.model,o.userAgent?.name&&(o.userAgent?.os?d=a("frontend.session.name_for_platform",{name:o.userAgent.name,platform:o.userAgent.os}):d=o.userAgent.name)):(c=o.userAgent?.name??a("frontend.session.unknown_browser"),d=o.userAgent?.os??null),e.jsx(oe,{mutation:r,size:n,children:e.jsx(Z,{compact:!0,children:e.jsxs(ee,{type:u,children:[e.jsx(se,{name:c}),d&&e.jsx(ne,{name:d})]})})})};export{ue as A,Z as B,ne as C,_e as E,ee as H,le as I,ce as L,de as M,se as N,re as R,oe as a,me as u};
+//# sourceMappingURL=EndBrowserSessionButton-DXsnVcVV.js.map

mas/share/assets/EndBrowserSessionButton-b2eg7MjM.css

@@ -0,0 +1 @@
+._device-type-icon_10tr1_8{color:var(--cpd-color-icon-secondary);background-color:var(--cpd-color-bg-subtle-secondary);box-sizing:content-box;height:var(--cpd-space-6x);width:var(--cpd-space-6x);padding:var(--cpd-space-2x);border-radius:var(--cpd-space-2x)}._session-card-root_8sc98_8{position:relative}@media screen and (min-width: 768px){._session-card-root_8sc98_8:has(._action_8sc98_13) ._session-card_8sc98_8 ._card-header_8sc98_13{padding-inline-end:calc(var(--cpd-space-16x) + 10ch)}}@media screen and (max-width: 767px){._session-card-root_8sc98_8:has(._action_8sc98_13) ._session-card_8sc98_8{padding-block-end:calc(var(--cpd-space-9x) + var(--cpd-space-6x) + var(--cpd-space-6x))}}._session-card_8sc98_8{display:flex;gap:var(--cpd-space-4x);flex-direction:column;text-align:start;border-radius:var(--cpd-space-4x);background-color:var(--cpd-color-bg-canvas-default);outline:1px solid var(--cpd-color-border-interactive-secondary);outline-offset:-1px;box-shadow:0 1.2px 2.4px #00000026;padding:var(--cpd-space-6x)}._session-card_8sc98_8._disabled_8sc98_59{outline-color:var(--cpd-color-border-disabled);background-color:var(--cpd-color-bg-canvas-disabled);box-shadow:none}._session-card_8sc98_8._compact_8sc98_65{box-shadow:none;padding:var(--cpd-space-3x)}._session-card_8sc98_8 ._card-header_8sc98_13{display:flex;gap:var(--cpd-space-4x);align-items:center}:is(._session-card_8sc98_8 ._card-header_8sc98_13) ._content_8sc98_75{display:flex;flex-direction:column;flex:0 1 auto;min-width:0}._auto_8sc98_83:is(:is(._session-card_8sc98_8 ._card-header_8sc98_13) ._content_8sc98_75) div:first-child,:is(:is(._session-card_8sc98_8 ._card-header_8sc98_13) ._content_8sc98_75) ._name_8sc98_84{overflow:hidden;white-space:nowrap;text-overflow:ellipsis;font:var(--cpd-font-body-md-semibold);letter-spacing:var(--cpd-font-letter-spacing-body-md);color:var(--cpd-color-text-primary)}._auto_8sc98_83:is(:is(._session-card_8sc98_8 ._card-header_8sc98_13) ._content_8sc98_75) div:not(:first-child),:is(:is(._session-card_8sc98_8 ._card-header_8sc98_13) ._content_8sc98_75) ._client_8sc98_94{overflow:hidden;white-space:nowrap;text-overflow:ellipsis;font:var(--cpd-font-body-sm-regular);letter-spacing:var(--cpd-font-letter-spacing-body-sm);color:var(--cpd-color-text-secondary)}:is(._auto_8sc98_83:is(:is(._session-card_8sc98_8 ._card-header_8sc98_13) ._content_8sc98_75) div:not(:first-child),:is(:is(._session-card_8sc98_8 ._card-header_8sc98_13) ._content_8sc98_75) ._client_8sc98_94) img{margin-inline-end:var(--cpd-space-1x)}._session-card_8sc98_8 ._metadata_8sc98_109{display:flex;flex-wrap:wrap;gap:var(--cpd-space-4x) var(--cpd-space-10x)}:is(._session-card_8sc98_8 ._metadata_8sc98_109)>*{min-width:0}:is(._session-card_8sc98_8 ._metadata_8sc98_109) ._key_8sc98_118{font:var(--cpd-font-body-sm-regular);letter-spacing:var(--cpd-font-letter-spacing-body-sm);color:var(--cpd-color-text-secondary)}:is(._session-card_8sc98_8 ._metadata_8sc98_109) ._value_8sc98_124{font:var(--cpd-font-body-md-regular);letter-spacing:var(--cpd-font-letter-spacing-body-md);color:var(--cpd-color-text-primary);overflow:hidden;text-overflow:ellipsis}a._session-card_8sc98_8:not(._disabled_8sc98_59){transition-property:outline-color,box-shadow;transition-duration:.1s;transition-timing-function:linear}a._session-card_8sc98_8:not(._disabled_8sc98_59):hover,a._session-card_8sc98_8:not(._disabled_8sc98_59):focus-visible{box-shadow:none;outline:2px solid var(--cpd-color-border-interactive-hovered);outline-offset:-2px}a._session-card_8sc98_8:not(._disabled_8sc98_59):focus-visible{outline-color:var(--cpd-color-border-focused)}@media screen and (min-width: 768px){._session-card-root_8sc98_8 ._action_8sc98_13{position:absolute;padding:var(--cpd-space-6x) var(--cpd-space-6x) var(--cpd-space-2x) var(--cpd-space-2x);inset-block-start:0;inset-inline-end:0}}@media screen and (max-width: 767px){._session-card-root_8sc98_8 ._action_8sc98_13{display:flex;flex-direction:column;position:absolute;padding:var(--cpd-space-6x);inset-block-end:0;inset-inline:0}}

mas/share/assets/EndOAuth2SessionButton-CPWjVtc_.js

@@ -0,0 +1,52 @@
+import{u as l,c as p,d as S,l as g,k as r,b as y,j as t}from"./main-CiAhdYQG.js";import{a as v,B as A,H as N,N as E,C as h}from"./EndBrowserSessionButton-DXsnVcVV.js";const T=s=>{let n;try{n=new URL(s)}catch{return s}return n.search="",n.hash="",n.protocol==="https:"?n.hostname:n.toString()},I=r(`
+  fragment EndCompatSessionButton_session on CompatSession {
+    id
+    userAgent {
+      name
+      os
+      model
+      deviceType
+    }
+    ssoLogin {
+      id
+      redirectUri
+    }
+  }
+`),f=r(`
+  mutation EndCompatSession($id: ID!) {
+    endCompatSession(input: { compatSessionId: $id }) {
+      status
+      compatSession {
+        id
+      }
+    }
+  }
+`),D=({session:s,size:n})=>{const{t:i}=l(),e=y(I,s),o=p(),c=S({mutationFn:()=>g({query:f,variables:{id:e.id}}),onSuccess:m=>{o.invalidateQueries({queryKey:["sessionsOverview"]}),o.invalidateQueries({queryKey:["appSessionList"]}),o.invalidateQueries({queryKey:["sessionDetail",m.endCompatSession.compatSession?.id]})}}),a=e.ssoLogin?.redirectUri?T(e.ssoLogin.redirectUri):void 0,u=e.userAgent?.deviceType??"UNKNOWN",d=e.userAgent?.model??(e.userAgent?.name?e.userAgent?.os?i("frontend.session.name_for_platform",{name:e.userAgent.name,platform:e.userAgent.os}):e.userAgent.name:i("frontend.session.unknown_device"));return t.jsx(v,{mutation:c,size:n,children:t.jsx(A,{compact:!0,children:t.jsxs(N,{type:u,children:[t.jsx(E,{name:d}),a&&t.jsx(h,{name:a})]})})})},_="urn:matrix:org.matrix.msc2967.client:device:",x="urn:matrix:client:device:",B=s=>{const[,n]=s.split(x),[,i]=s.split(_);return n||i},O=r(`
+  fragment EndOAuth2SessionButton_session on Oauth2Session {
+    id
+
+    userAgent {
+      name
+      model
+      os
+      deviceType
+    }
+
+    client {
+      clientId
+      clientName
+      applicationType
+      logoUri
+    }
+  }
+`),C=r(`
+  mutation EndOAuth2Session($id: ID!) {
+    endOauth2Session(input: { oauth2SessionId: $id }) {
+      status
+      oauth2Session {
+        id
+      }
+    }
+  }
+`),U=s=>s==="WEB"?"PC":s==="NATIVE"?"MOBILE":"UNKNOWN",F=({session:s,size:n})=>{const{t:i}=l(),e=y(O,s),o=p(),c=S({mutationFn:()=>g({query:C,variables:{id:e.id}}),onSuccess:m=>{o.invalidateQueries({queryKey:["sessionsOverview"]}),o.invalidateQueries({queryKey:["appSessionList"]}),o.invalidateQueries({queryKey:["sessionDetail",m.endOauth2Session.oauth2Session?.id]})}}),a=(e.userAgent?.deviceType==="UNKNOWN"?null:e.userAgent?.deviceType)??U(e.client.applicationType),u=e.client.clientName||e.client.clientId,d=e.userAgent?.model??(e.userAgent?.name?e.userAgent?.os?i("frontend.session.name_for_platform",{name:e.userAgent.name,platform:e.userAgent.os}):e.userAgent.name:i("frontend.session.unknown_device"));return t.jsx(v,{mutation:c,size:n,children:t.jsx(A,{compact:!0,children:t.jsxs(N,{type:a,children:[t.jsx(E,{name:d}),t.jsx(h,{name:u,logoUri:e.client.logoUri??void 0})]})})})};export{D as E,F as a,B as g,T as s};
+//# sourceMappingURL=EndOAuth2SessionButton-CPWjVtc_.js.map

mas/share/assets/Filter-_9i8iQpA.js

@@ -0,0 +1,16 @@
+import{u as _,b as x,j as s,k as g,r as f,w as u,ag as p,C as w}from"./main-CiAhdYQG.js";import{p as d,L as h,D as j,B as v}from"./LastActive-D4SP35FS.js";import{R as b,L as N,H as y,N as B,C as F,M as S,I as m,A as I,E as L}from"./EndBrowserSessionButton-DXsnVcVV.js";const E=""+new URL("chrome_64x64-TTj2uZYF.png",import.meta.url).href,R=""+new URL("firefox_64x64-sbBPu9C9.png",import.meta.url).href,T=""+new URL("safari_64x64-DJVjfeAY.png",import.meta.url).href,C=g(`
+  fragment BrowserSession_session on BrowserSession {
+    id
+    createdAt
+    finishedAt
+    ...EndBrowserSessionButton_session
+    userAgent {
+      deviceType
+      name
+      os
+      model
+    }
+    lastActiveAt
+  }
+`),U=r=>{const t=r?.toLowerCase();if(t?.includes("chrome")||t?.includes("chromium"))return E;if(t?.includes("firefox"))return R;if(t?.includes("safari"))return T},G=({session:r,isCurrent:t})=>{const e=x(C,r),{t:n}=_(),a=e.userAgent?.deviceType??"UNKNOWN";let o=null,i=null;e.userAgent?.model?(o=e.userAgent.model,e.userAgent?.name&&(e.userAgent?.os?i=n("frontend.session.name_for_platform",{name:e.userAgent.name,platform:e.userAgent.os}):i=e.userAgent.name)):(o=e.userAgent?.name??n("frontend.session.unknown_browser"),i=e.userAgent?.os??null);const A=d(e.createdAt),c=e.lastActiveAt?d(e.lastActiveAt):void 0;return s.jsxs(b,{children:[s.jsxs(N,{to:"/sessions/$id",params:{id:e.id},disabled:!!e.finishedAt,children:[s.jsxs(y,{type:a,children:[s.jsx(B,{name:o}),i&&s.jsx(F,{name:i,logoUri:U(e.userAgent?.name??void 0)})]}),s.jsxs(S,{children:[c&&!t&&s.jsx(m,{label:n("frontend.session.last_active_label"),children:s.jsx(h,{lastActive:c})}),s.jsx(m,{label:n("frontend.session.signed_in_label"),children:s.jsx(j,{datetime:A})}),t&&s.jsx(v,{kind:"green",className:"self-center",children:n("frontend.session.current")})]})]}),!e.finishedAt&&s.jsx(I,{children:s.jsx(L,{session:e,size:"sm"})})]})},k="_empty-state_1lwui_8",D={emptyState:k},J=f.forwardRef(function({children:t,...e},n){const a=u(D.emptyState,e.className);return s.jsx("div",{ref:n,...e,className:a,children:t})}),M="_filter_nv8wu_8",H="_enabled-filter_nv8wu_18",O="_close-icon_nv8wu_22",Y="_disabled-filter_nv8wu_43",l={filter:M,enabledFilter:H,closeIcon:O,disabledFilter:Y},K=p(f.forwardRef(function({children:t,enabled:e,...n},a){const o=u(l.filter,e?l.enabledFilter:l.disabledFilter,n.className);return s.jsxs("a",{...n,ref:a,className:o,children:[t,e&&s.jsx(w,{className:l.closeIcon})]})}));export{G as B,J as E,K as F,U as b};
+//# sourceMappingURL=Filter-_9i8iQpA.js.map

mas/share/assets/Filter-lwtJLR9L.css

@@ -0,0 +1 @@
+._empty-state_1lwui_8{display:flex;flex-direction:column;gap:var(--cpd-space-2x);padding:var(--cpd-space-4x);background:var(--cpd-color-gray-200);color:var(--cpd-color-text-secondary);font:var(--cpd-font-body-sm-regular);letter-spacing:var(--cpd-font-letter-spacing-body-sm)}._filter_nv8wu_8{display:flex;align-items:center;gap:var(--cpd-space-2x);font:var(--cpd-font-body-xs-regular);letter-spacing:var(--cpd-font-letter-spacing-body-xs);padding:var(--cpd-space-2x) var(--cpd-space-3x);border-radius:var(--cpd-radius-pill-effect)}._enabled-filter_nv8wu_18{background:var(--cpd-color-bg-action-primary-rest);color:var(--cpd-color-text-on-solid-primary)}._enabled-filter_nv8wu_18>._close-icon_nv8wu_22{height:var(--cpd-space-4x);width:var(--cpd-space-4x);opacity:.5}._enabled-filter_nv8wu_18:hover{background:var(--cpd-color-bg-action-primary-hovered)}._enabled-filter_nv8wu_18:hover>._close-icon_nv8wu_22{opacity:1}._enabled-filter_nv8wu_18:active{background:var(--cpd-color-bg-action-primary-rest)}._enabled-filter_nv8wu_18:active>._close-icon_nv8wu_22{opacity:1}._disabled-filter_nv8wu_43{color:var(--cpd-color-text-action-primary);background:var(--cpd-color-bg-canvas-default);outline:1px solid var(--cpd-color-border-interactive-secondary)}._disabled-filter_nv8wu_43:hover{background:var(--cpd-color-bg-subtle-secondary)}

mas/share/assets/Filter-lwtJLR9L.css.zz

@@ -0,0 +1,3 @@
+xÚ¥TAŽÛ0¼÷9Vïl`¿bÈ­•%<25>¢Aÿ^Øi€x{·íÅ€8r8¤µ¯±‹<BbÉXÜ9ÛúxÑ6E'Dzu8TÓ´%Tlƒ/Up¹ó•‘±ì%}PQCŠR!ƒ¨¢ÔÚzó€½
+¢j¤úi(d¯ï`\ 0$G(^^D5ŸpÆ<70>!¡
+^KEÕÏw—¦#4A<34><41>: 4ÙI•Cf¤YÀRÒ|}‰ÞØâ×¾n­c¤Ú÷Çsþè†tÖx°Œ]*zFZµbUã<55>þGã<47>Ö].±û{<7B>œ¤‘€¤¶9ݱ®
ˆÖ9À¶EÅSÿèeãPÇÃñ²1¿Æ€œ÷"ÙNÒ„‰7§<¤à¬¾16*¿ïkåBB°*ø?Ñ¢¸œÐš?]µ³Õ|zŠ„ÉKËý<C38B>õzå)ôH×ïLA->˺ÒËMÖaƒ?UìñÆðiÎ/ˆÒ6=ÉðözÙñRËæÐPÒ÷2<C3B7>ÆVfÇ¢

mas/share/assets/Heading-zTQC9Kqs.js

@@ -0,0 +1,2 @@
+import{j as t,av as r,T as o}from"./main-CiAhdYQG.js";const a=({as:s="h1",children:e,...i})=>t.jsx(r,{as:s,type:"heading",...i,children:e}),h=({children:s,...e})=>t.jsx(a,{as:"h3",weight:"semibold",size:"md",...e,children:s}),m=({children:s,...e})=>t.jsx(a,{as:"h4",weight:"semibold",size:"sm",...e,children:s}),x=({children:s,...e})=>t.jsx(o,{as:"h5",weight:"semibold",size:"lg",...e,children:s});export{a as H,m as a,h as b,x as c};
+//# sourceMappingURL=Heading-zTQC9Kqs.js.map

mas/share/assets/Heading-zTQC9Kqs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"Heading-zTQC9Kqs.js","sources":["../node_modules/@vector-im/compound-web/dist/components/Typography/Heading.js"],"sourcesContent":["import { jsx } from \"react/jsx-runtime\";\nimport { Typography } from \"./Typography.js\";\nimport { Text } from \"./Text.js\";\nconst Heading = ({ as = \"h1\", children, ...props }) => {\n  return /* @__PURE__ */ jsx(Typography, { as, type: \"heading\", ...props, children });\n};\nconst H1 = ({ children, ...props }) => {\n  return /* @__PURE__ */ jsx(Heading, { as: \"h1\", weight: \"semibold\", size: \"xl\", ...props, children });\n};\nconst H2 = ({ children, ...props }) => {\n  return /* @__PURE__ */ jsx(Heading, { as: \"h2\", weight: \"semibold\", size: \"lg\", ...props, children });\n};\nconst H3 = ({ children, ...props }) => {\n  return /* @__PURE__ */ jsx(Heading, { as: \"h3\", weight: \"semibold\", size: \"md\", ...props, children });\n};\nconst H4 = ({ children, ...props }) => {\n  return /* @__PURE__ */ jsx(Heading, { as: \"h4\", weight: \"semibold\", size: \"sm\", ...props, children });\n};\nconst H5 = ({ children, ...props }) => {\n  return /* @__PURE__ */ jsx(Text, { as: \"h5\", weight: \"semibold\", size: \"lg\", ...props, children });\n};\nconst H6 = ({ children, ...props }) => {\n  return /* @__PURE__ */ jsx(Text, { as: \"h6\", weight: \"semibold\", size: \"md\", ...props, children });\n};\nexport {\n  H1,\n  H2,\n  H3,\n  H4,\n  H5,\n  H6,\n  Heading\n};\n//# sourceMappingURL=Heading.js.map\n"],"names":["Heading","as","children","props","jsx","Typography","H3","H4","H5","Text"],"mappings":"sDAGK,MAACA,EAAU,CAAC,CAAE,GAAAC,EAAK,KAAM,SAAAC,EAAU,GAAGC,KAClBC,EAAAA,IAAIC,EAAY,CAAE,GAAAJ,EAAI,KAAM,UAAW,GAAGE,EAAO,SAAAD,EAAU,EAQ9EI,EAAK,CAAC,CAAE,SAAAJ,EAAU,GAAGC,CAAK,IACPC,MAAIJ,EAAS,CAAE,GAAI,KAAM,OAAQ,WAAY,KAAM,KAAM,GAAGG,EAAO,SAAAD,CAAQ,CAAE,EAEhGK,EAAK,CAAC,CAAE,SAAAL,EAAU,GAAGC,CAAK,IACPC,MAAIJ,EAAS,CAAE,GAAI,KAAM,OAAQ,WAAY,KAAM,KAAM,GAAGG,EAAO,SAAAD,CAAQ,CAAE,EAEhGM,EAAK,CAAC,CAAE,SAAAN,EAAU,GAAGC,CAAK,IACPC,MAAIK,EAAM,CAAE,GAAI,KAAM,OAAQ,WAAY,KAAM,KAAM,GAAGN,EAAO,SAAAD,CAAQ,CAAE","x_google_ignoreList":[0]}

mas/share/assets/LastActive-C9wo4AOG.css

@@ -0,0 +1 @@
+._active_1y6r4_8{color:var(--cpd-color-text-success-primary)}

mas/share/assets/Link-Do_sTHM7.js

@@ -0,0 +1,2 @@
+import{ag as a,a8 as i}from"./main-CiAhdYQG.js";const o=a(i);export{o as L};
+//# sourceMappingURL=Link-Do_sTHM7.js.map

mas/share/assets/Link-Do_sTHM7.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"Link-Do_sTHM7.js","sources":["../src/components/Link.tsx"],"sourcesContent":["// Copyright 2024, 2025 New Vector Ltd.\n// Copyright 2023, 2024 The Matrix.org Foundation C.I.C.\n//\n// SPDX-License-Identifier: AGPL-3.0-only OR LicenseRef-Element-Commercial\n// Please see LICENSE files in the repository root for full details.\n\nimport { createLink } from \"@tanstack/react-router\";\nimport { Link as CompoundLink } from \"@vector-im/compound-web\";\n\nexport const Link = createLink(CompoundLink);\n"],"names":["Link","createLink","CompoundLink"],"mappings":"gDASO,MAAMA,EAAOC,EAAWC,CAAY"}

mas/share/assets/Separator-C2iSg9zz.css

@@ -0,0 +1 @@
+._separator_1qgmy_7{border-block-start:1px solid var(--cpd-color-bg-subtle-primary)}._section_1qgmy_11{border-block-start-width:2px}

mas/share/assets/Separator-CVNE-7yB.js

@@ -0,0 +1,2 @@
+import{r as e,j as n,w as c}from"./main-CiAhdYQG.js";const i="_separator_1qgmy_7",p="_section_1qgmy_11",s={separator:i,section:p},_=e.forwardRef(({kind:a,className:o,...r},t)=>n.jsx("div",{"aria-orientation":"horizontal",role:"separator",className:c(s.separator,a==="section"&&s.section,o),...r,ref:t}));export{_ as S};
+//# sourceMappingURL=Separator-CVNE-7yB.js.map

mas/share/assets/Separator-CVNE-7yB.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"Separator-CVNE-7yB.js","sources":["../src/components/Separator/Separator.tsx"],"sourcesContent":["// Copyright 2025 New Vector Ltd.\n//\n// SPDX-License-Identifier: AGPL-3.0-only OR LicenseRef-Element-Commercial\n// Please see LICENSE files in the repository root for full details.\n\n// biome-ignore-all lint/a11y/useFocusableInteractive: this is a false positive\n// biome-ignore-all lint/a11y/useAriaPropsForRole: this is a false positive\n// biome-ignore-all lint/a11y/useSemanticElements: I don't want to use an <hr />\n\nimport cx from \"classnames\";\nimport { forwardRef } from \"react\";\n\nimport styles from \"./Separator.module.css\";\n\ntype Props = {\n  kind?: \"section\";\n} & React.HTMLAttributes<HTMLDivElement>;\n\nconst Separator = forwardRef<HTMLDivElement, Props>(\n  ({ kind, className, ...props }: Props, ref) => (\n    <div\n      aria-orientation=\"horizontal\"\n      role=\"separator\"\n      className={cx(\n        styles.separator,\n        kind === \"section\" && styles.section,\n        className,\n      )}\n      {...props}\n      ref={ref}\n    />\n  ),\n);\n\nexport default Separator;\n"],"names":["Separator","forwardRef","kind","className","props","ref","jsx","cx","styles"],"mappings":"kIAkBMA,EAAYC,EAAAA,WAChB,CAAC,CAAE,KAAAC,EAAM,UAAAC,EAAW,GAAGC,CAAA,EAAgBC,IACrCC,EAAAA,IAAC,MAAA,CACC,mBAAiB,aACjB,KAAK,YACL,UAAWC,EACTC,EAAO,UACPN,IAAS,WAAaM,EAAO,QAC7BL,CAAA,EAED,GAAGC,EACJ,IAAAC,CAAA,CAAA,CAGN"}

mas/share/assets/Submit-DW2aiKTW.js

@@ -0,0 +1,2 @@
+import{r as i,j as t,S as o,B as u}from"./main-CiAhdYQG.js";const m=i.forwardRef(function(r,s){return t.jsx(o,{asChild:!0,children:t.jsx(u,{type:"submit",ref:s,...r})})});export{m as S};
+//# sourceMappingURL=Submit-DW2aiKTW.js.map

mas/share/assets/Submit-DW2aiKTW.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"Submit-DW2aiKTW.js","sources":["../node_modules/@vector-im/compound-web/dist/components/Form/Submit.js"],"sourcesContent":["import { jsx } from \"react/jsx-runtime\";\nimport { forwardRef } from \"react\";\nimport { Submit as Submit$1 } from \"@radix-ui/react-form\";\nimport { Button } from \"../Button/Button.js\";\nconst Submit = forwardRef(\n  function Submit2(props, ref) {\n    return /* @__PURE__ */ jsx(Submit$1, { asChild: true, children: /* @__PURE__ */ jsx(Button, { type: \"submit\", ref, ...props }) });\n  }\n);\nexport {\n  Submit\n};\n//# sourceMappingURL=Submit.js.map\n"],"names":["Submit","forwardRef","props","ref","jsx","Submit$1","Button"],"mappings":"4DAIK,MAACA,EAASC,EAAAA,WACb,SAAiBC,EAAOC,EAAK,CAC3B,OAAuBC,EAAAA,IAAIC,EAAU,CAAE,QAAS,GAAM,SAA0BD,EAAAA,IAAIE,EAAQ,CAAE,KAAM,SAAU,IAAAH,EAAK,GAAGD,CAAK,CAAE,CAAC,CAAE,CAClI,CACF","x_google_ignoreList":[0]}

mas/share/assets/VisualListItem-Dd-weqBc.js

@@ -0,0 +1,2 @@
+import{j as e,w as a}from"./main-CiAhdYQG.js";const n={"visual-list":"_visual-list_15wzx_8"};function o({className:i,children:t,...l}){return e.jsx("ul",{className:a(n["visual-list"],i),...l,children:t})}const s={"visual-list-item":"_visual-list-item_1ma3e_8","visual-list-item-icon":"_visual-list-item-icon_1ma3e_17","visual-list-item-icon-success":"_visual-list-item-icon-success_1ma3e_22","visual-list-item-icon-destructive":"_visual-list-item-icon-destructive_1ma3e_26"};function _({className:i,children:t,Icon:l,success:u=!1,destructive:c=!1,...m}){return e.jsxs("li",{className:a(s["visual-list-item"],i),...m,children:[e.jsx(l,{className:a(s["visual-list-item-icon"],{[s["visual-list-item-icon-success"]]:u,[s["visual-list-item-icon-destructive"]]:c}),width:"24px",height:"24px","aria-hidden":!0}),t]})}export{o as V,_ as a};
+//# sourceMappingURL=VisualListItem-Dd-weqBc.js.map

mas/share/assets/VisualListItem-Dd-weqBc.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"VisualListItem-Dd-weqBc.js","sources":["../node_modules/@vector-im/compound-web/dist/components/VisualList/VisualList.module.css.js","../node_modules/@vector-im/compound-web/dist/components/VisualList/VisualList.js","../node_modules/@vector-im/compound-web/dist/components/VisualList/VisualListItem.module.css.js","../node_modules/@vector-im/compound-web/dist/components/VisualList/VisualListItem.js"],"sourcesContent":["const styles = {\n  \"visual-list\": \"_visual-list_15wzx_8\"\n};\nexport {\n  styles as default\n};\n//# sourceMappingURL=VisualList.module.css.js.map\n","import { jsx } from \"react/jsx-runtime\";\nimport styles from \"./VisualList.module.css.js\";\nimport classNames from \"classnames\";\nfunction VisualList({\n  className,\n  children,\n  ...props\n}) {\n  return /* @__PURE__ */ jsx(\"ul\", { className: classNames(styles[\"visual-list\"], className), ...props, children });\n}\nexport {\n  VisualList\n};\n//# sourceMappingURL=VisualList.js.map\n","const styles = {\n  \"visual-list-item\": \"_visual-list-item_1ma3e_8\",\n  \"visual-list-item-icon\": \"_visual-list-item-icon_1ma3e_17\",\n  \"visual-list-item-icon-success\": \"_visual-list-item-icon-success_1ma3e_22\",\n  \"visual-list-item-icon-destructive\": \"_visual-list-item-icon-destructive_1ma3e_26\"\n};\nexport {\n  styles as default\n};\n//# sourceMappingURL=VisualListItem.module.css.js.map\n","import { jsxs, jsx } from \"react/jsx-runtime\";\nimport styles from \"./VisualListItem.module.css.js\";\nimport classNames from \"classnames\";\nfunction VisualListItem({\n  className,\n  children,\n  Icon,\n  success = false,\n  destructive = false,\n  ...props\n}) {\n  return /* @__PURE__ */ jsxs(\n    \"li\",\n    {\n      className: classNames(styles[\"visual-list-item\"], className),\n      ...props,\n      children: [\n        /* @__PURE__ */ jsx(\n          Icon,\n          {\n            className: classNames(styles[\"visual-list-item-icon\"], {\n              [styles[\"visual-list-item-icon-success\"]]: success,\n              [styles[\"visual-list-item-icon-destructive\"]]: destructive\n            }),\n            width: \"24px\",\n            height: \"24px\",\n            \"aria-hidden\": true\n          }\n        ),\n        children\n      ]\n    }\n  );\n}\nexport {\n  VisualListItem\n};\n//# sourceMappingURL=VisualListItem.js.map\n"],"names":["styles","VisualList","className","children","props","jsx","classNames","VisualListItem","Icon","success","destructive","jsxs"],"mappings":"8CAAA,MAAMA,EAAS,CACb,cAAe,sBACjB,ECCA,SAASC,EAAW,CAClB,UAAAC,EACA,SAAAC,EACA,GAAGC,CACL,EAAG,CACD,OAAuBC,MAAI,KAAM,CAAE,UAAWC,EAAWN,EAAO,aAAa,EAAGE,CAAS,EAAG,GAAGE,EAAO,SAAAD,CAAQ,CAAE,CAClH,CCTA,MAAMH,EAAS,CACb,mBAAoB,4BACpB,wBAAyB,kCACzB,gCAAiC,0CACjC,oCAAqC,6CACvC,ECFA,SAASO,EAAe,CACtB,UAAAL,EACA,SAAAC,EACA,KAAAK,EACA,QAAAC,EAAU,GACV,YAAAC,EAAc,GACd,GAAGN,CACL,EAAG,CACD,OAAuBO,EAAAA,KACrB,KACA,CACE,UAAWL,EAAWN,EAAO,kBAAkB,EAAGE,CAAS,EAC3D,GAAGE,EACH,SAAU,CACQC,EAAAA,IACdG,EACA,CACE,UAAWF,EAAWN,EAAO,uBAAuB,EAAG,CACrD,CAACA,EAAO,+BAA+B,CAAC,EAAGS,EAC3C,CAACT,EAAO,mCAAmC,CAAC,EAAGU,CAC7D,CAAa,EACD,MAAO,OACP,OAAQ,OACR,cAAe,EAC3B,CACA,EACQP,CACR,CACA,CACA,CACA","x_google_ignoreList":[0,1,2,3]}

mas/share/assets/_account-BMDlqbFy.js

@@ -0,0 +1,34 @@
+import{j as e,a as U,r as p,b as g,c as A,d as B,u as N,T as u,D,e as F,R as S,F as h,f as _,A as w,C as G,H as E,g as R,h as L,i as M,B as O,k as c,l as I,m as z,n as k,o as $,q as H,p as P,L as Q,O as K}from"./main-CiAhdYQG.js";import{H as V}from"./Heading-zTQC9Kqs.js";import{I as Y}from"./edit-DvN6hAeY.js";import{A as v}from"./Avatar-B3RWCmae.js";import{S as J}from"./Submit-DW2aiKTW.js";import"./_commonjsHelpers-DaWZu8wl.js";/* empty css               */const W="_nav-bar_16kbp_8",X="_nav-bar-items_16kbp_12",y={navBar:W,navBarItems:X},Z=({children:a})=>e.jsx("nav",{className:y.navBar,children:e.jsx("ul",{className:y.navBarItems,children:a})}),ee="_nav-tab_9fhit_8",se="_nav-item_9fhit_26",j={navTab:ee,navItem:se},x=a=>e.jsx("li",{className:j.navTab,children:e.jsx(U,{className:j.navItem,activeProps:{"aria-current":"page"},...a})}),ae="_user_lnqhg_8",te="_meta_lnqhg_19",ne="_edit-button_lnqhg_32",ie="_mxid_lnqhg_36",re="_dialog-form_lnqhg_40",o={user:ae,meta:te,editButton:ne,mxid:ie,dialogForm:re},oe=c(`
+  fragment UserGreeting_user on User {
+    id
+    matrix {
+      mxid
+      displayName
+    }
+  }
+`),le=c(`
+  fragment UserGreeting_siteConfig on SiteConfig {
+    displayNameChangeAllowed
+  }
+`),ce=c(`
+  mutation SetDisplayName($userId: ID!, $displayName: String) {
+    setDisplayName(input: { userId: $userId, displayName: $displayName }) {
+      status
+    }
+  }
+`),de=p.forwardRef(({label:a,...r},t)=>e.jsx(z,{label:a,children:e.jsx(k,{ref:t,type:"button",size:"var(--cpd-space-6x)",className:o.editButton,...r,children:e.jsx(Y,{})})})),me=({user:a,siteConfig:r})=>{const t=p.useRef(null),s=g(oe,a),{displayNameChangeAllowed:d}=g(le,r),b=A(),l=B({mutationFn:({userId:i,displayName:m})=>I({query:ce,variables:{userId:i,displayName:m}}),onSuccess:i=>{b.invalidateQueries({queryKey:["currentUserGreeting"]}),i.setDisplayName.status==="SET"&&f(!1)}}),[C,f]=p.useState(!1),{t:n}=N(),q=i=>{i.preventDefault();const m=i.currentTarget,T=new FormData(m).get("displayname")||null;l.mutate({displayName:T,userId:s.id})};return e.jsxs("div",{className:o.user,children:[e.jsx(v,{size:"var(--cpd-space-14x)",id:s.matrix.mxid,name:s.matrix.displayName||s.matrix.mxid,className:o.avatar}),e.jsx("div",{className:o.meta,children:s.matrix.displayName?e.jsxs(e.Fragment,{children:[e.jsx(u,{size:"lg",weight:"semibold",children:s.matrix.displayName}),e.jsx(u,{size:"md",className:o.mxid,children:s.matrix.mxid})]}):e.jsx(u,{size:"lg",weight:"semibold",children:s.matrix.mxid})}),d&&e.jsxs(D,{trigger:e.jsx(de,{label:n("action.edit")}),open:C,onOpenChange:i=>{t.current?.form?.reset(),f(i)},children:[e.jsx(F,{children:n("frontend.account.edit_profile.title")}),e.jsx(v,{size:"88px",className:"self-center",id:s.matrix.mxid,name:s.matrix.displayName||s.matrix.mxid}),e.jsxs(S,{onSubmit:q,children:[e.jsxs("div",{className:o.dialogForm,children:[e.jsxs(h,{name:"displayname",serverInvalid:l.data?.setDisplayName.status==="INVALID",children:[e.jsx(_,{children:n("frontend.account.edit_profile.display_name_label")}),e.jsx(w,{type:"text",Icon:G,autoComplete:"name",defaultValue:s.matrix.displayName||void 0,actionLabel:n("action.clear"),ref:t,onActionClick:()=>{t.current&&(t.current.value="",t.current.focus())}}),e.jsx(E,{children:n("frontend.account.edit_profile.display_name_help")})]}),e.jsxs(h,{name:"mxid",children:[e.jsx(_,{children:n("frontend.account.edit_profile.username_label")}),e.jsx(R,{value:s.matrix.mxid,readOnly:!0})]})]}),e.jsxs(J,{disabled:l.isPending,children:[l.isPending&&e.jsx(L,{inline:!0}),n("action.save")]})]}),e.jsx(M,{asChild:!0,children:e.jsx(O,{kind:"tertiary",children:n("action.cancel")})})]})]})},ue=c(`
+  query CurrentUserGreeting {
+    viewer {
+      __typename
+      ... on User {
+        ...UserGreeting_user
+      }
+    }
+
+    siteConfig {
+      ...UserGreeting_siteConfig
+      planManagementIframeUri
+    }
+  }
+`),xe=H({queryKey:["currentUserGreeting"],queryFn:({signal:a})=>I({query:ue,signal:a})});function Ne(){const{t:a}=N(),r=$(xe),t=r.data.viewer;if(t?.__typename!=="User")throw P();const{siteConfig:s}=r.data,{planManagementIframeUri:d}=s;return e.jsxs(Q,{wide:!0,children:[e.jsxs("div",{className:"flex flex-col gap-10",children:[e.jsx(V,{size:"md",weight:"semibold",children:a("frontend.account.title")}),e.jsxs("div",{className:"flex flex-col gap-4",children:[e.jsx(me,{user:t,siteConfig:s}),e.jsxs(Z,{children:[e.jsx(x,{to:"/",children:a("frontend.nav.settings")}),e.jsx(x,{to:"/sessions",children:a("frontend.nav.devices")}),d&&e.jsx(x,{to:"/plan",children:a("frontend.nav.plan")})]})]})]}),e.jsx(K,{})]})}export{Ne as component};
+//# sourceMappingURL=_account-BMDlqbFy.js.map

mas/share/assets/_account-Bo4jHeuD.css

@@ -0,0 +1 @@
+._nav-bar_16kbp_8{border-bottom:var(--cpd-border-width-1) solid var(--cpd-color-gray-400)}._nav-bar-items_16kbp_12{display:flex;flex-direction:row;justify-content:flex-start;align-items:center;gap:var(--cpd-space-3x)}._nav-tab_9fhit_8{padding:var(--cpd-space-4x) 0;position:relative}._nav-tab_9fhit_8:before{content:"";position:absolute;bottom:0;left:0;right:0;height:0;border-radius:var(--cpd-radius-pill-effect) var(--cpd-radius-pill-effect) 0 0;background-color:var(--cpd-color-bg-action-primary-rest);transition:height .1s ease-in-out}._nav-tab_9fhit_8:has(._nav-item_9fhit_26[aria-current=page]):before{height:var(--cpd-border-width-4)}._nav-item_9fhit_26{padding:var(--cpd-space-1x) var(--cpd-space-2x);color:var(--cpd-color-text-secondary);line-height:var(--cpd-space-6x);border-radius:var(--cpd-radius-pill-effect);border:transparent var(--cpd-border-width-2) solid}._nav-item_9fhit_26._external-link_9fhit_39{text-decoration:underline;color:var(--cpd-color-text-primary)}._nav-item_9fhit_26:hover{color:var(--cpd-color-text-primary);background-color:var(--cpd-color-bg-subtle-secondary)}._nav-item_9fhit_26:active{color:var(--cpd-color-text-primary);background-color:var(--cpd-color-bg-subtle-primary)}._nav-item_9fhit_26:focus{outline:none;border-color:var(--cpd-color-border-focused)}._nav-item_9fhit_26[aria-current=page]{color:var(--cpd-color-text-primary)}._user_lnqhg_8{display:flex;flex-direction:row;align-items:center;gap:var(--cpd-space-4x);outline:1px solid var(--cpd-color-gray-400);outline-offset:-1px;border-radius:var(--cpd-space-3x);padding:var(--cpd-space-4x)}._meta_lnqhg_19{flex:1 1;min-width:0}._meta_lnqhg_19 p{overflow:hidden;white-space:nowrap;text-overflow:ellipsis}._edit-button_lnqhg_32{align-self:flex-start}._mxid_lnqhg_36{color:var(--cpd-color-text-secondary)}._dialog-form_lnqhg_40{display:flex;flex-direction:column;gap:var(--cpd-space-4x);align-self:center;max-width:378px;width:100%;margin-block-end:var(--cpd-space-9x)}

mas/share/assets/_account-D5pwwkVm.css

@@ -0,0 +1 @@
+._link_1g96u_8{display:inline-block;text-decoration:underline;color:var(--cpd-color-text-primary);font-weight:var(--cpd-font-weight-medium);border-radius:var(--cpd-radius-pill-effect);padding-inline:.25rem}._link_1g96u_8:hover{background:var(--cpd-color-gray-300)}._link_1g96u_8:active{background:var(--cpd-color-text-primary);color:var(--cpd-color-text-on-solid-primary)}._root_1hqni_8{display:flex;flex-direction:column;gap:var(--cpd-space-6x)}._heading_1hqni_14{display:flex;flex-direction:column;gap:var(--cpd-space-2x)}._trigger_1hqni_20{display:flex;width:100%;align-items:center;justify-content:space-between;text-align:start;gap:var(--cpd-space-2x)}._trigger-title_1hqni_29{cursor:pointer;flex-grow:1}._trigger-icon_1hqni_34{transition:transform .1s ease-out}._root_1hqni_8[data-state=closed] ._trigger-icon_1hqni_34{transform:rotate(180deg)}._description_1hqni_42{color:var(--cpd-color-text-secondary);font:var(--cpd-font-body-md-regular);letter-spacing:var(--cpd-font-letter-spacing-body-md)}._content_1hqni_48{display:flex;flex-direction:column;gap:var(--cpd-space-6x)}

mas/share/assets/_account.index-Bgj2uEUe.js

@@ -0,0 +1,73 @@
+import{r,j as e,v as we,w as $,x as O,y as Ce,R as z,F as D,f as S,g as G,m as X,S as be,B as y,C as ve,z as ye,E as Ee,V as Ae,H,b as T,u as I,d as te,l as V,k as E,D as se,e as ne,G as Ne,T as k,J as Re,K as C,M as Ie,N as Z,h as re,i as ae,a as Se,Q as Te,U as ke,W as Pe,X as Q,Y as De,Z as Fe,_ as qe,$ as Me,n as Oe,c as Be,a0 as Le,a1 as Ue,a2 as $e,o as ze,q as Ge,p as He,a3 as Ve}from"./main-CiAhdYQG.js";import{A as Qe}from"./Avatar-B3RWCmae.js";import{I as oe}from"./check-Cx46Fv0J.js";import{S as R}from"./Separator-CVNE-7yB.js";import{T as We}from"./Trans-CeobkUgR.js";import{B as Ke}from"./ButtonLink-kWcKQZoZ.js";import{a as Ye}from"./Heading-zTQC9Kqs.js";import{u as Je}from"./EndBrowserSessionButton-DXsnVcVV.js";import"./_commonjsHelpers-DaWZu8wl.js";/* empty css               */import"./computer-Cx9wZ7Nf.js";const Xe="_container_1hel1_10",Ze="_input_1hel1_18",et="_ui_1hel1_19",B={container:Xe,input:Ze,ui:et},tt=r.forwardRef(function({className:t,...a},n){const i=$(B.container,t);return e.jsxs("div",{className:i,children:[e.jsx("input",{ref:n,className:B.input,...a,type:"checkbox"}),e.jsx("div",{className:B.ui,children:e.jsx(oe,{"aria-hidden":!0})})]})}),st=r.forwardRef(function(t,a){return e.jsx(we,{asChild:!0,children:e.jsx(tt,{ref:a,...t})})}),nt=r.forwardRef(function({className:t,control:a,children:n,...i},u){const c=$(O["inline-field"],t);return e.jsxs(Ce,{ref:u,...i,className:c,children:[e.jsx("div",{className:O["inline-field-control"],children:a}),e.jsx("div",{className:O["inline-field-body"],children:n})]})}),rt="_controls_17lij_8",L={controls:rt,"button-group":"_button-group_17lij_18"};function at(s,t){switch(t){case 0:return s===0||s===3?1:s;case 1:return 2;case 4:return 0;case 2:return s===2?3:s;case 3:return s===2?0:s;case 5:return s===3?0:s}ot(t)}function ot(s){throw new Error(`Unreachable value: ${s}`)}const it=r.forwardRef(function({className:t,label:a,onSave:n,onCancel:i,onInput:u,onClearServerErrors:c,serverInvalid:h,saveButtonLabel:p,cancelButtonLabel:f,savedLabel:g,savingLabel:x,helpLabel:_,disabled:m,children:b,...o},j){const[l,d]=r.useReducer(at,0),v=r.useRef(!1),[q,P]=r.useState(!1),he=l===1||l===2||q,N=r.useRef(void 0);r.useEffect(()=>(l===3&&(N.current=setTimeout(()=>{d(5),N.current=void 0},2e3)),()=>{N.current&&clearTimeout(N.current),N.current=void 0}),[l]);const fe=r.useRef(null),J=r.useRef(null),M=r.useRef(null),pe=r.useCallback(()=>{v.current||(v.current=!0,P(!0))},[q,P]),ge=r.useCallback(w=>{v.current&&(w.currentTarget.contains(w.relatedTarget)||(v.current=!1,P(!1)))},[q,P]),xe=r.useCallback(w=>{d(0),u?.(w)},[d,u]),_e=r.useCallback(async w=>{if(w.preventDefault(),l!==0)try{d(1),J.current?.blur(),await n?.(w),d(2)}catch{d(3)}},[n,l,N]),je=r.useCallback(w=>{M.current?.blur(),i?.(w),d(4)},[M,i]);return e.jsx(z,{className:t,onSubmit:_e,onReset:je,onFocus:pe,onBlur:ge,onClearServerErrors:c,ref:fe,children:e.jsxs(D,{name:"input",serverInvalid:h,children:[e.jsx(S,{children:a}),e.jsxs("div",{className:L.controls,children:[e.jsx(G,{ref:j,...o,onInput:xe,disabled:m||l===2}),he&&e.jsxs("div",{className:L["button-group"],children:[e.jsx(X,{label:p,children:e.jsx(be,{asChild:!0,children:e.jsx(y,{type:"submit",kind:"primary",size:"sm",ref:J,disabled:l!==1,iconOnly:!0,Icon:oe})})}),e.jsx(X,{label:f,children:e.jsx(y,{type:"reset",kind:"secondary",size:"sm",ref:M,className:L.button,disabled:l===2,iconOnly:!0,Icon:ve})})]})]}),l===2?e.jsx(ye,{children:x}):b,g&&l===3&&e.jsx(Ee,{children:g}),_&&(l===0||l===1)&&e.jsx(Ae,{children:w=>(w===void 0||w.valid)&&!h&&e.jsx(H,{children:_})})]})})});function ie(s,t){return e.jsx("svg",{xmlns:"http://www.w3.org/2000/svg",width:"1em",height:"1em",fill:"currentColor",viewBox:"0 0 24 24",ref:t,...s,children:e.jsx("path",{d:"M9 12.031q0-.424.288-.712A.97.97 0 0 1 10 11.03h7.15l-1.875-1.875a.96.96 0 0 1-.3-.7q0-.4.325-.725a.93.93 0 0 1 .712-.287.98.98 0 0 1 .688.287l3.6 3.6q.15.15.212.325.063.175.063.375 0 .201-.062.375a.9.9 0 0 1-.213.325l-3.6 3.6q-.3.3-.712.288a.98.98 0 0 1-.688-.288 1.02 1.02 0 0 1-.312-.712.93.93 0 0 1 .287-.713l1.875-1.875H10a.97.97 0 0 1-.712-.287A.97.97 0 0 1 9 12.03m-6-7q0-.824.588-1.412A1.93 1.93 0 0 1 5 3.03h6q.424 0 .713.288.287.287.287.712t-.287.713A.97.97 0 0 1 11 5.03H5v14h6q.424 0 .713.288.287.287.287.712t-.287.713a.97.97 0 0 1-.713.287H5q-.824 0-1.412-.587A1.93 1.93 0 0 1 3 19.03z"})})}ie.displayName="SignOutIcon";const ee=r.forwardRef(ie),ct=E(`
+  fragment AccountDeleteButton_user on User {
+    username
+    hasPassword
+    matrix {
+      mxid
+      displayName
+    }
+  }
+`),lt=E(`
+  fragment AccountDeleteButton_siteConfig on SiteConfig {
+    passwordLoginEnabled
+  }
+`),dt=E(`
+  mutation DeactivateUser($hsErase: Boolean!, $password: String) {
+    deactivateUser(input: { hsErase: $hsErase, password: $password }) {
+      status
+    }
+  }
+`),ut=({mxid:s,displayName:t,username:a})=>e.jsxs("section",{className:"flex items-center p-4 gap-4 border border-[var(--cpd-color-gray-400)] rounded-xl",children:[e.jsx(Qe,{id:s,name:t||a,size:"56px"}),e.jsxs("div",{className:"flex-1 flex flex-col",children:[e.jsx(k,{type:"body",weight:"semibold",size:"lg",className:"text-primary",children:t||a}),e.jsx(k,{type:"body",weight:"regular",size:"md",className:"text-secondary",children:s})]})]}),mt=s=>{const t=T(ct,s.user),a=T(lt,s.siteConfig),{t:n}=I(),i=te({mutationFn:({password:o,hsErase:j})=>V({query:dt,variables:{password:o,hsErase:j}}),onSuccess:o=>{o.deactivateUser.status==="DEACTIVATED"&&window.location.reload()}}),[u,c]=r.useState(!1),[h,p]=r.useState(!1);r.useEffect(()=>{if(u){const o=setTimeout(()=>{p(!0)},500);return()=>clearTimeout(o)}p(!1)},[u]);const f=r.useCallback(o=>{c(o.currentTarget.value!=="")},[]),g=r.useCallback(o=>{c(o.currentTarget.value===t.matrix.mxid)},[t.matrix.mxid]),x=r.useCallback(o=>{if(o.preventDefault(),!h)return;const j=new FormData(o.currentTarget),l=j.get("password");if(l!==null&&typeof l!="string")throw new Error;const d=j.get("hs-erase")==="on";i.mutate({password:l,hsErase:d})},[i.mutate,h]),_=i.data?.deactivateUser.status==="INCORRECT_PASSWORD",m=i.isPending||i.data?.deactivateUser.status==="DEACTIVATED",b=t.hasPassword&&a.passwordLoginEnabled;return e.jsxs(se,{trigger:e.jsx(y,{kind:"tertiary",destructive:!0,size:"sm",className:"self-center",Icon:Z,children:n("frontend.account.delete_account.button")}),children:[e.jsx(ne,{children:n("frontend.account.delete_account.dialog_title")}),e.jsx(Ne,{className:"flex flex-col gap-4",children:e.jsx(We,{t:n,i18nKey:"frontend.account.delete_account.dialog_description",components:{text:e.jsx(k,{type:"body",weight:"regular",size:"md"}),list:e.jsx("ul",{className:"list-disc list-outside pl-6"}),item:e.jsx(k,{as:"li",type:"body",weight:"regular",size:"md"}),profile:e.jsx(ut,{mxid:t.matrix.mxid,username:t.username,displayName:t.matrix.displayName})}})}),e.jsxs(z,{onSubmit:x,children:[e.jsx(nt,{control:e.jsx(st,{}),name:"hs-erase",children:e.jsx(S,{children:n("frontend.account.delete_account.erase_checkbox_label")})}),e.jsx(R,{className:"my-1"}),b?e.jsxs(D,{name:"password",serverInvalid:_,children:[e.jsx(S,{children:n("frontend.account.delete_account.password_label")}),e.jsx(Re,{autoComplete:"current-password",required:!0,onInput:f}),e.jsx(C,{match:"valueMissing",children:n("frontend.errors.field_required")}),_&&e.jsx(C,{children:n("frontend.account.delete_account.incorrect_password")})]}):e.jsxs(D,{name:"mxid",children:[e.jsx(S,{children:n("frontend.account.delete_account.mxid_label",{mxid:t.matrix.mxid})}),e.jsx(G,{required:!0,placeholder:t.matrix.mxid,onInput:g}),e.jsx(C,{match:"valueMissing",children:n("frontend.errors.field_required")}),e.jsx(C,{match:o=>o!==t.matrix.mxid,children:n("frontend.account.delete_account.mxid_mismatch")})]}),u&&e.jsx(Ie,{type:"critical",title:n("frontend.account.delete_account.alert_title"),children:n("frontend.account.delete_account.alert_description")}),e.jsxs(y,{type:"submit",kind:"primary",destructive:!0,disabled:!h||m,Icon:m?void 0:Z,children:[m&&e.jsx(re,{inline:!0}),n("frontend.account.delete_account.button")]})]}),e.jsx(ae,{asChild:!0,children:e.jsx(y,{kind:"tertiary",children:n("action.cancel")})})]})},ht="_link_1g96u_8",ft={link:ht},pt=E(`
+  fragment PasswordChange_siteConfig on SiteConfig {
+    passwordChangeAllowed
+  }
+`);function gt({siteConfig:s}){const{t}=I(),{passwordChangeAllowed:a}=T(pt,s);return e.jsx(z,{children:e.jsxs(D,{name:"password_preview",children:[e.jsx(S,{children:t("frontend.account.password.label")}),e.jsx(G,{type:"password",readOnly:!0,value:"this looks like a password"}),e.jsxs(H,{children:[a&&e.jsx(Se,{to:"/password/change",className:ft.link,children:t("frontend.account.password.change")}),!a&&t("frontend.account.password.change_disabled")]})]})})}var F="Collapsible",[xt,Kt]=ke(F),[_t,W]=xt(F),ce=r.forwardRef((s,t)=>{const{__scopeCollapsible:a,open:n,defaultOpen:i,disabled:u,onOpenChange:c,...h}=s,[p,f]=Te({prop:n,defaultProp:i??!1,onChange:c,caller:F});return e.jsx(_t,{scope:a,disabled:u,contentId:Pe(),open:p,onOpenToggle:r.useCallback(()=>f(g=>!g),[f]),children:e.jsx(Q.div,{"data-state":Y(p),"data-disabled":u?"":void 0,...h,ref:t})})});ce.displayName=F;var le="CollapsibleTrigger",de=r.forwardRef((s,t)=>{const{__scopeCollapsible:a,...n}=s,i=W(le,a);return e.jsx(Q.button,{type:"button","aria-controls":i.contentId,"aria-expanded":i.open||!1,"data-state":Y(i.open),"data-disabled":i.disabled?"":void 0,disabled:i.disabled,...n,ref:t,onClick:De(s.onClick,i.onOpenToggle)})});de.displayName=le;var K="CollapsibleContent",ue=r.forwardRef((s,t)=>{const{forceMount:a,...n}=s,i=W(K,s.__scopeCollapsible);return e.jsx(Fe,{present:a||i.open,children:({present:u})=>e.jsx(jt,{...n,ref:t,present:u})})});ue.displayName=K;var jt=r.forwardRef((s,t)=>{const{__scopeCollapsible:a,present:n,children:i,...u}=s,c=W(K,a),[h,p]=r.useState(n),f=r.useRef(null),g=qe(t,f),x=r.useRef(0),_=x.current,m=r.useRef(0),b=m.current,o=c.open||h,j=r.useRef(o),l=r.useRef(void 0);return r.useEffect(()=>{const d=requestAnimationFrame(()=>j.current=!1);return()=>cancelAnimationFrame(d)},[]),Me(()=>{const d=f.current;if(d){l.current=l.current||{transitionDuration:d.style.transitionDuration,animationName:d.style.animationName},d.style.transitionDuration="0s",d.style.animationName="none";const v=d.getBoundingClientRect();x.current=v.height,m.current=v.width,j.current||(d.style.transitionDuration=l.current.transitionDuration,d.style.animationName=l.current.animationName),p(n)}},[c.open,n]),e.jsx(Q.div,{"data-state":Y(c.open),"data-disabled":c.disabled?"":void 0,id:c.contentId,hidden:!o,...u,ref:g,style:{"--radix-collapsible-content-height":_?`${_}px`:void 0,"--radix-collapsible-content-width":b?`${b}px`:void 0,...s.style},children:o&&i})});function Y(s){return s?"open":"closed"}var wt=ce,Ct=de,bt=ue;function me(s,t){return e.jsx("svg",{xmlns:"http://www.w3.org/2000/svg",width:"1em",height:"1em",fill:"currentColor",viewBox:"0 0 24 24",ref:t,...s,children:e.jsx("path",{d:"m12 10.775-3.9 3.9a.95.95 0 0 1-.7.275.95.95 0 0 1-.7-.275.95.95 0 0 1-.275-.7q0-.425.275-.7l4.6-4.6q.15-.15.325-.212Q11.8 8.4 12 8.4t.375.063a.9.9 0 0 1 .325.212l4.6 4.6a.95.95 0 0 1 .275.7.95.95 0 0 1-.275.7.95.95 0 0 1-.7.275.95.95 0 0 1-.7-.275z"})})}me.displayName="ChevronUpIcon";const vt=r.forwardRef(me),yt="_root_1hqni_8",Et="_heading_1hqni_14",At="_trigger_1hqni_20",Nt="_trigger-title_1hqni_29",Rt="_trigger-icon_1hqni_34",It="_description_1hqni_42",St="_content_1hqni_48",A={root:yt,heading:Et,trigger:At,triggerTitle:Nt,triggerIcon:Rt,description:It,content:St},U=({title:s,description:t,defaultOpen:a,className:n,children:i,...u})=>{const{t:c}=I(),[h,p]=r.useState(a||!1),f=r.useId(),g=r.useId(),x=r.useCallback(_=>{_.preventDefault(),p(m=>!m)},[]);return e.jsx(wt,{...u,open:h,onOpenChange:p,asChild:!0,"aria-labelledby":f,"aria-describedby":t?g:void 0,className:$(A.root,n),children:e.jsxs("section",{children:[e.jsxs("header",{className:A.heading,children:[e.jsxs("div",{className:A.trigger,children:[e.jsx(Ye,{onClick:x,id:f,className:A.triggerTitle,children:s}),e.jsx(Ct,{className:A.triggerIcon,asChild:!0,children:e.jsx(Oe,{tooltip:c(h?"action.collapse":"action.expand"),children:e.jsx(vt,{})})})]}),t&&e.jsx("p",{className:A.description,id:g,children:t})]}),e.jsx(bt,{asChild:!0,children:e.jsx("article",{className:A.content,children:i})})]})})},Tt=E(`
+  fragment AddEmailForm_user on User {
+    hasPassword
+  }
+`),kt=E(`
+  fragment AddEmailForm_siteConfig on SiteConfig {
+    passwordLoginEnabled
+  }
+`),Pt=E(`
+  mutation AddEmail($email: String!, $password: String, $language: String!) {
+    startEmailAuthentication(
+      input: { email: $email, password: $password, language: $language }
+    ) {
+      status
+      violations
+      authentication {
+        id
+      }
+    }
+  }
+`),Dt=({user:s,siteConfig:t,onAdd:a})=>{const{hasPassword:n}=T(Tt,s),{passwordLoginEnabled:i}=T(kt,t),u=n&&i,{t:c,i18n:h}=I(),p=Be(),[f,g]=Le(),x=te({mutationFn:({email:o,password:j,language:l})=>V({query:Pt,variables:{email:o,password:j,language:l}}),onSuccess:async o=>{if(p.invalidateQueries({queryKey:["userEmails"]}),o.startEmailAuthentication.status==="STARTED"){if(!o.startEmailAuthentication.authentication?.id)throw new Error("Unexpected response from server");await a(o.startEmailAuthentication.authentication?.id)}}}),_=r.useCallback(async o=>{o.preventDefault();const l=new FormData(o.currentTarget).get("input");let d;if(u&&(d=await f()),(await x.mutateAsync({email:l,password:d,language:h.languages[0]})).startEmailAuthentication.status!=="STARTED")throw new Error},[x.mutateAsync,u,f,h.languages]),m=x.data?.startEmailAuthentication.status??null,b=x.data?.startEmailAuthentication.violations??[];return e.jsxs(e.Fragment,{children:[e.jsx(Ue,{title:c("frontend.add_email_form.password_confirmation"),ref:g}),e.jsxs(it,{onSave:_,required:!0,type:"email",serverInvalid:!!m&&m!=="STARTED",label:c("frontend.add_email_form.email_field_label"),helpLabel:c("frontend.add_email_form.email_field_help"),saveButtonLabel:c("action.save"),savingLabel:c("common.saving"),savedLabel:c("common.saved"),cancelButtonLabel:c("action.cancel"),children:[e.jsx(C,{match:"typeMismatch",forceMatch:m==="INVALID_EMAIL_ADDRESS",children:c("frontend.add_email_form.email_invalid_error")}),m==="IN_USE"&&e.jsx(C,{children:c("frontend.add_email_form.email_in_use_error")}),m==="RATE_LIMITED"&&e.jsx(C,{children:c("frontend.errors.rate_limit_exceeded")}),m==="DENIED"&&e.jsxs(e.Fragment,{children:[e.jsx(C,{children:c("frontend.add_email_form.email_denied_error")}),b.map(o=>e.jsx(H,{children:o},o))]}),m==="INCORRECT_PASSWORD"&&e.jsx(C,{children:c("frontend.add_email_form.incorrect_password_error")})]})]})},Ft=E(`
+  query UserProfile {
+    viewerSession {
+      __typename
+      ... on BrowserSession {
+        id
+        user {
+          ...AddEmailForm_user
+          ...UserEmailList_user
+          ...AccountDeleteButton_user
+          hasPassword
+          emails(first: 0) {
+            totalCount
+          }
+        }
+      }
+    }
+
+    siteConfig {
+      emailChangeAllowed
+      passwordLoginEnabled
+      accountDeactivationAllowed
+      ...AddEmailForm_siteConfig
+      ...UserEmailList_siteConfig
+      ...PasswordChange_siteConfig
+      ...AccountDeleteButton_siteConfig
+    }
+  }
+`),qt=Ge({queryKey:["userProfile"],queryFn:({signal:s})=>V({query:Ft,signal:s})}),Mt=({id:s})=>{const{t}=I(),a=Je(s);return e.jsxs(se,{trigger:e.jsx(y,{kind:"primary",destructive:!0,size:"lg",Icon:ee,children:t("frontend.account.sign_out.button")}),children:[e.jsx(ne,{children:t("frontend.account.sign_out.dialog")}),e.jsxs(y,{type:"button",kind:"primary",destructive:!0,onClick:()=>a.mutate(),disabled:a.isPending,Icon:a.isPending?void 0:ee,children:[a.isPending&&e.jsx(re,{inline:!0}),t("action.sign_out")]}),e.jsx(ae,{asChild:!0,children:e.jsx(y,{kind:"tertiary",children:t("action.cancel")})})]})};function Yt(){const s=$e(),{t}=I(),{data:{viewerSession:a,siteConfig:n}}=ze(qt);if(a?.__typename!=="BrowserSession")throw He();const i=async u=>{await s({to:"/emails/$id/verify",params:{id:u}})};return e.jsxs("div",{className:"flex flex-col gap-6",children:[(n.emailChangeAllowed||a.user.emails.totalCount>0)&&e.jsxs(e.Fragment,{children:[e.jsxs(U,{defaultOpen:!0,title:t("frontend.account.contact_info"),children:[e.jsx(Ve,{user:a.user,siteConfig:n}),n.emailChangeAllowed&&e.jsx(Dt,{user:a.user,siteConfig:n,onAdd:i})]}),e.jsx(R,{kind:"section"})]}),n.passwordLoginEnabled&&a.user.hasPassword&&e.jsxs(e.Fragment,{children:[e.jsx(U,{defaultOpen:!0,title:t("frontend.account.account_password"),children:e.jsx(gt,{siteConfig:n})}),e.jsx(R,{kind:"section"})]}),e.jsxs(U,{title:t("common.e2ee"),children:[e.jsx(k,{className:"text-secondary",size:"md",children:t("frontend.reset_cross_signing.description")}),e.jsx(Ke,{to:"/reset-cross-signing",kind:"secondary",destructive:!0,children:t("frontend.reset_cross_signing.start_reset")})]}),e.jsx(R,{kind:"section"}),e.jsx(Mt,{id:a.id}),n.accountDeactivationAllowed&&e.jsxs(e.Fragment,{children:[e.jsx(R,{}),e.jsx(mt,{user:a.user,siteConfig:n})]}),e.jsx(R,{})]})}export{Yt as component};
+//# sourceMappingURL=_account.index-Bgj2uEUe.js.map

mas/share/assets/_account.plan.index-az7l7N5p.js

@@ -0,0 +1,2 @@
+import{o as c,ah as l,j as u,ai as m,r as o}from"./main-CiAhdYQG.js";import"./_commonjsHelpers-DaWZu8wl.js";/* empty css               */function b(){const a=c(l),{planManagementIframeUri:t}=a.data.siteConfig;return t?u.jsx(f,{planManagementIframeUri:t}):u.jsx(m,{to:"/",replace:!0})}function f({planManagementIframeUri:a}){const t=o.useRef(null),r=o.useCallback(()=>{const e=t.current;if(!e)return;const n=e.contentWindow?.document.body.parentElement?.scrollHeight;n?e.height=`${n}px`:e.height="500px"},[]),s=o.useMemo(()=>new MutationObserver(e=>{r(),setTimeout(()=>{r()},1e3)}),[r]),i=o.useCallback(e=>{const n=e.contentWindow?.document.body;n&&(r(),s.observe(n,{childList:!0,subtree:!0,attributes:!0}))},[r,s]);return o.useEffect(()=>{const e=t.current;return e&&i(e),()=>s.disconnect()},[s,i]),u.jsx("iframe",{title:"iframe",ref:t,onLoad:e=>i(e.target),src:a,scrolling:"no"})}export{b as component};
+//# sourceMappingURL=_account.plan.index-az7l7N5p.js.map

mas/share/assets/_account.sessions-CQQxPQtC.css

@@ -0,0 +1 @@
+._browser-sessions-overview_xlk0o_8{display:flex;align-items:center;gap:var(--cpd-space-4x);padding:var(--cpd-space-4x);border-radius:var(--cpd-space-3x);background-color:var(--cpd-color-bg-canvas-default);outline:1px solid var(--cpd-color-gray-400);outline-offset:-1px}

mas/share/assets/_account.sessions.browsers-DNRESZGR.js

@@ -0,0 +1,47 @@
+import{u as l,au as u,o as f,q as m,p as v,ae as p,j as s,l as w,k as _,af as b}from"./main-CiAhdYQG.js";import{c as x}from"./Heading-zTQC9Kqs.js";import{F as S,B as g,E as h}from"./Filter-_9i8iQpA.js";import{B as d}from"./ButtonLink-kWcKQZoZ.js";import"./_commonjsHelpers-DaWZu8wl.js";/* empty css               */import"./LastActive-D4SP35FS.js";import"./EndBrowserSessionButton-DXsnVcVV.js";import"./computer-Cx9wZ7Nf.js";const y=6,j=_(`
+  query BrowserSessionList(
+    $first: Int
+    $after: String
+    $last: Int
+    $before: String
+    $lastActive: DateFilter
+  ) {
+    viewerSession {
+      __typename
+      ... on BrowserSession {
+        id
+
+        user {
+          id
+
+          browserSessions(
+            first: $first
+            after: $after
+            last: $last
+            before: $before
+            lastActive: $lastActive
+            state: ACTIVE
+          ) {
+            totalCount
+
+            edges {
+              cursor
+              node {
+                id
+                ...BrowserSession_session
+              }
+            }
+
+            pageInfo {
+              hasNextPage
+              hasPreviousPage
+              startCursor
+              endCursor
+            }
+          }
+        }
+      }
+    }
+  }
+`),q=(e,r)=>m({queryKey:["browserSessionList",r,e],queryFn:({signal:o})=>w({query:j,variables:{lastActive:r?{before:b()}:void 0,...e},signal:o})});function N(){const{t:e}=l(),{inactive:r,pagination:o}=u.useLoaderDeps(),{data:{viewerSession:t}}=f(q(o,r));if(t.__typename!=="BrowserSession")throw v();const[i,n]=p(o,t.user.browserSessions.pageInfo,y),c=[...t.user.browserSessions.edges].reverse();return s.jsxs("div",{className:"flex flex-col gap-6",children:[s.jsx(x,{children:e("frontend.browser_sessions_overview.heading")}),s.jsx("div",{className:"flex gap-2 items-start",children:s.jsx(S,{to:"/sessions/browsers",enabled:r,search:{inactive:r?void 0:!0},children:e("frontend.last_active.inactive_90_days")})}),c.map(a=>s.jsx(g,{session:a.node,isCurrent:t.id===a.node.id},a.cursor)),t.user.browserSessions.totalCount===0&&s.jsx(h,{children:e(r?"frontend.browser_sessions_overview.no_active_sessions.inactive_90_days":"frontend.browser_sessions_overview.no_active_sessions.default")}),(n||i)&&s.jsxs("div",{className:"flex *:flex-1",children:[s.jsx(d,{kind:"secondary",size:"sm",disabled:!n,to:"/sessions/browsers",search:n||o,resetScroll:!0,children:e("common.previous")}),s.jsx("div",{}),s.jsx(d,{kind:"secondary",size:"sm",disabled:!i,to:"/sessions/browsers",search:i||o,resetScroll:!0,children:e("common.next")})]})]})}export{N as component};
+//# sourceMappingURL=_account.sessions.browsers-DNRESZGR.js.map

mas/share/assets/_account.sessions.index-ChqhRgNC.js

@@ -0,0 +1,110 @@
+import{u as v,b as f,j as s,k as m,T as U,ad as C,o as _,q as g,p as h,ae as L,l as j,af as $}from"./main-CiAhdYQG.js";import{c as q,b as k}from"./Heading-zTQC9Kqs.js";import{B as x}from"./ButtonLink-kWcKQZoZ.js";import{s as B,E as F,g as R,a as P}from"./EndOAuth2SessionButton-CPWjVtc_.js";import{b as D,F as M,E as K}from"./Filter-_9i8iQpA.js";import{p as u,L as y,D as w}from"./LastActive-D4SP35FS.js";import{R as S,L as b,H as N,N as T,C as E,M as I,I as d,A as O}from"./EndBrowserSessionButton-DXsnVcVV.js";import{S as z}from"./Separator-CVNE-7yB.js";import{L as G}from"./Link-Do_sTHM7.js";import"./_commonjsHelpers-DaWZu8wl.js";/* empty css               */import"./computer-Cx9wZ7Nf.js";const H=m(`
+  fragment CompatSession_session on CompatSession {
+    id
+    createdAt
+    deviceId
+    finishedAt
+    lastActiveIp
+    lastActiveAt
+    humanName
+    ...EndCompatSessionButton_session
+    userAgent {
+      name
+      os
+      model
+      deviceType
+    }
+    ssoLogin {
+      id
+      redirectUri
+    }
+  }
+`),Q=({session:t})=>{const{t:n}=v(),e=f(H,t),o=e.humanName??(e.ssoLogin?.redirectUri?B(e.ssoLogin.redirectUri):void 0),c=e.userAgent?.deviceType??"UNKNOWN",i=e.userAgent?.model??(e.userAgent?.name?e.userAgent?.os?n("frontend.session.name_for_platform",{name:e.userAgent.name,platform:e.userAgent.os}):e.userAgent.name:n("frontend.session.unknown_device")),a=u(e.createdAt),r=e.lastActiveAt?u(e.lastActiveAt):void 0;return s.jsxs(S,{children:[s.jsxs(b,{to:"/sessions/$id",params:{id:e.id},disabled:!!e.finishedAt,children:[s.jsxs(N,{type:c,children:[s.jsx(T,{name:i}),o&&s.jsx(E,{name:o,logoUri:D(e.userAgent?.name??void 0)})]}),s.jsxs(I,{children:[r&&s.jsx(d,{label:n("frontend.session.last_active_label"),children:s.jsx(y,{lastActive:r})}),s.jsx(d,{label:n("frontend.session.signed_in_label"),children:s.jsx(w,{datetime:a})}),s.jsx(d,{label:n("frontend.session.device_id_label"),children:e.deviceId})]})]}),!e.finishedAt&&s.jsx(O,{children:s.jsx(F,{session:e,size:"sm"})})]})},W=m(`
+  fragment OAuth2Session_session on Oauth2Session {
+    id
+    scope
+    createdAt
+    finishedAt
+    lastActiveIp
+    lastActiveAt
+    humanName
+
+    ...EndOAuth2SessionButton_session
+
+    userAgent {
+      name
+      model
+      os
+      deviceType
+    }
+
+    client {
+      id
+      clientId
+      clientName
+      applicationType
+      logoUri
+    }
+  }
+`),V=t=>t==="WEB"?"PC":t==="NATIVE"?"MOBILE":"UNKNOWN",Y=({session:t})=>{const{t:n}=v(),e=f(W,t),o=R(e.scope),c=u(e.createdAt),i=e.lastActiveAt?u(e.lastActiveAt):void 0,a=(e.userAgent?.deviceType==="UNKNOWN"?null:e.userAgent?.deviceType)??V(e.client.applicationType),r=e.client.clientName||e.client.clientId,p=e.humanName??e.userAgent?.model??(e.userAgent?.name?e.userAgent?.os?n("frontend.session.name_for_platform",{name:e.userAgent.name,platform:e.userAgent.os}):e.userAgent.name:n("frontend.session.unknown_device"));return s.jsxs(S,{children:[s.jsxs(b,{to:"/sessions/$id",params:{id:e.id},disabled:!!e.finishedAt,children:[s.jsxs(N,{type:a,children:[s.jsx(T,{name:p}),s.jsx(E,{name:r,logoUri:e.client.logoUri??void 0})]}),s.jsxs(I,{children:[i&&s.jsx(d,{label:n("frontend.session.last_active_label"),children:s.jsx(y,{lastActive:i})}),s.jsx(d,{label:n("frontend.session.signed_in_label"),children:s.jsx(w,{datetime:c})}),o&&s.jsx(d,{label:n("frontend.session.device_id_label"),children:o})]})]}),!e.finishedAt&&s.jsx(O,{children:s.jsx(P,{session:e,size:"sm"})})]})},Z="_browser-sessions-overview_xlk0o_8",J={browserSessionsOverview:Z},X=m(`
+  fragment BrowserSessionsOverview_user on User {
+    id
+
+    browserSessions(first: 0, state: ACTIVE) {
+      totalCount
+    }
+  }
+`),ee=({user:t})=>{const n=f(X,t),{t:e}=v();return s.jsxs("div",{className:J.browserSessionsOverview,children:[s.jsxs("div",{className:"flex flex-1 flex-col",children:[s.jsx(q,{children:e("frontend.browser_sessions_overview.heading")}),s.jsx(U,{children:e("frontend.browser_sessions_overview.body",{count:n.browserSessions.totalCount})})]}),s.jsx(G,{to:"/sessions/browsers",children:e("frontend.browser_sessions_overview.view_all_button")})]})},se=6,ne=m(`
+  query SessionsOverview {
+    viewer {
+      __typename
+
+      ... on User {
+        id
+        ...BrowserSessionsOverview_user
+      }
+    }
+  }
+`),te=g({queryKey:["sessionsOverview"],queryFn:({signal:t})=>j({query:ne,signal:t})}),oe=m(`
+  query AppSessionsList(
+    $before: String
+    $after: String
+    $first: Int
+    $last: Int
+    $lastActive: DateFilter
+  ) {
+    viewer {
+      __typename
+
+      ... on User {
+        id
+        appSessions(
+          before: $before
+          after: $after
+          first: $first
+          last: $last
+          lastActive: $lastActive
+          state: ACTIVE
+        ) {
+          edges {
+            cursor
+            node {
+              __typename
+              ...CompatSession_session
+              ...OAuth2Session_session
+            }
+          }
+
+          totalCount
+          pageInfo {
+            startCursor
+            endCursor
+            hasNextPage
+            hasPreviousPage
+          }
+        }
+      }
+    }
+  }
+`),ie=(t,n)=>g({queryKey:["appSessionList",n,t],queryFn:({signal:e})=>j({query:oe,variables:{lastActive:n?{before:$()}:void 0,...t},signal:e})}),re=t=>{throw new Error(`Unknown session type: ${t}`)};function xe(){const{t}=v(),{inactive:n,pagination:e}=C.useLoaderDeps(),{data:{viewer:o}}=_(te);if(o.__typename!=="User")throw h();const{data:c}=_(ie(e,n));if(c.viewer.__typename!=="User")throw h();const i=c.viewer.appSessions,[a,r]=L(e,i.pageInfo,se),p=[...i.edges].reverse();return s.jsxs("div",{className:"flex flex-col gap-6",children:[s.jsx(k,{children:t("frontend.user_sessions_overview.heading")}),s.jsx(ee,{user:o}),s.jsx(z,{kind:"section"}),s.jsx("div",{className:"flex gap-2 justify-start items-center",children:s.jsx(M,{to:"/sessions",enabled:n,search:{inactive:n?void 0:!0},children:t("frontend.last_active.inactive_90_days")})}),p.map(l=>{const A=l.node.__typename;switch(A){case"Oauth2Session":return s.jsx(Y,{session:l.node},l.cursor);case"CompatSession":return s.jsx(Q,{session:l.node},l.cursor);default:return re(A)}}),i.totalCount===0&&s.jsx(K,{children:t(n?"frontend.user_sessions_overview.no_active_sessions.inactive_90_days":"frontend.user_sessions_overview.no_active_sessions.default")}),(r||a)&&s.jsxs("div",{className:"flex *:flex-1",children:[s.jsx(x,{kind:"secondary",size:"sm",disabled:!r,to:"/sessions",search:{inactive:n,...r||e},resetScroll:!0,children:t("common.previous")}),s.jsx("div",{}),s.jsx(x,{kind:"secondary",size:"sm",disabled:!a,to:"/sessions",search:{inactive:n,...a||e},resetScroll:!0,children:t("common.next")})]})]})}export{xe as component};
+//# sourceMappingURL=_account.sessions.index-ChqhRgNC.js.map