Merge pull request #3461 from glitch-soc/glitch-soc/merge-upstream

Merge upstream changes up to 8e00f7cc8f

.devcontainer/Dockerfile

@@ -1,5 +1,5 @@
 # For details, see https://github.com/devcontainers/images/tree/main/src/ruby
-FROM mcr.microsoft.com/devcontainers/ruby:1-3.3-bookworm
+FROM mcr.microsoft.com/devcontainers/ruby:3.4-trixie
 
 # Install node version from .nvmrc
 WORKDIR /app
@@ -9,7 +9,7 @@ RUN /bin/bash --login -i -c "nvm install"
 # Install additional OS packages
 RUN apt-get update && \
     export DEBIAN_FRONTEND=noninteractive && \
-    apt-get -y install --no-install-recommends libicu-dev libidn11-dev ffmpeg imagemagick libvips42 libpam-dev
+    apt-get -y install --no-install-recommends libicu-dev libidn11-dev ffmpeg libvips42 libpam-dev
 
 # Disable download prompt for Corepack
 ENV COREPACK_ENABLE_DOWNLOAD_PROMPT=0

.devcontainer/compose.yaml

@@ -56,7 +56,7 @@ services:
       - internal_network
 
   es:
-    image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
+    image: docker.elastic.co/elasticsearch/elasticsearch:7.17.29
     restart: unless-stopped
     environment:
       ES_JAVA_OPTS: -Xms512m -Xmx512m

.github/ISSUE_TEMPLATE/2.server_bug_report.yml

@@ -59,7 +59,7 @@ body:
         Any additional technical details you may have, like logs or error traces
       value: |
         If this is happening on your own Mastodon server, please fill out those:
-        - Ruby version: (from `ruby --version`, eg. v3.4.4)
+        - Ruby version: (from `ruby --version`, eg. v3.4.9)
         - Node.js version: (from `node --version`, eg. v22.16.0)
     validations:
       required: false

.github/ISSUE_TEMPLATE/3.troubleshooting.yml

@@ -60,7 +60,7 @@ body:
       value: |
         Please at least include those informations:
         - Operating system: (eg. Ubuntu 24.04.2)
-        - Ruby version: (from `ruby --version`, eg. v3.4.4)
+        - Ruby version: (from `ruby --version`, eg. v3.4.9)
         - Node.js version: (from `node --version`, eg. v22.16.0)
     validations:
       required: false

.github/actions/setup-javascript/action.yml

@@ -9,7 +9,7 @@ runs:
   using: 'composite'
   steps:
     - name: Set up Node.js
-      uses: actions/setup-node@v6
+      uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
       with:
         node-version-file: '.nvmrc'
 
@@ -23,7 +23,7 @@ runs:
       shell: bash
       run: echo "dir=$(yarn config get cacheFolder)" >> $GITHUB_OUTPUT
 
-    - uses: actions/cache@v4
+    - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5
       id: yarn-cache # use this to check for `cache-hit` (`steps.yarn-cache.outputs.cache-hit != 'true'`)
       with:
         path: ${{ steps.yarn-cache-dir-path.outputs.dir }}

.github/actions/setup-ruby/action.yml

@@ -14,10 +14,10 @@ runs:
       shell: bash
       run: |
         sudo apt-get update
-        sudo apt-get install -y libicu-dev libidn11-dev libvips42 ${{ inputs.additional-system-dependencies }}
+        sudo apt-get install --no-install-recommends -y libicu-dev libidn11-dev libvips42 ${{ inputs.additional-system-dependencies }}
 
     - name: Set up Ruby
-      uses: ruby/setup-ruby@v1
+      uses: ruby/setup-ruby@4eb9f110bac952a8b68ecf92e3b5c7a987594ba6 # v1
       with:
         ruby-version: ${{ inputs.ruby-version }}
         bundler-cache: true

.github/renovate.json5

@@ -113,6 +113,7 @@
       ],
       matchUpdateTypes: ['major'],
       groupName: 'artifact actions (major)',
+      extends: ['helpers:pinGitHubActionDigests'],
     },
     {
       // Update @types/* packages every week, with one grouped PR
@@ -153,9 +154,15 @@
       groupName: 'opentelemetry-ruby (non-major)',
     },
     {
-      // Group Playwright Ruby & JS deps in the same PR, as they need to be in sync
-      matchManagers: ['bundler', 'npm'],
-      matchPackageNames: ['playwright-ruby-client', 'playwright'],
+      // The ruby portion of the Playwright group
+      matchManagers: ['bundler'],
+      matchPackageNames: ['playwright-ruby-client'],
+      groupName: 'Playwright',
+    },
+    {
+      // The node portion of the Playwright group
+      matchManagers: ['npm'],
+      matchPackageNames: ['playwright'],
       groupName: 'Playwright',
     },
     // Add labels depending on package manager

.github/workflows/build-container-image.yml

@@ -35,7 +35,7 @@ jobs:
           - linux/arm64
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Prepare
         env:
@@ -47,19 +47,19 @@ jobs:
           image_names=${PUSH_TO_IMAGES//$'\n'/,}
           echo "IMAGE_NAMES=${image_names%,}" >> $GITHUB_ENV
 
-      - uses: docker/setup-buildx-action@v3
+      - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
         id: buildx
 
       - name: Log in to Docker Hub
         if: contains(inputs.push_to_images, 'tootsuite')
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Log in to the GitHub Container registry
         if: contains(inputs.push_to_images, 'ghcr.io')
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -67,7 +67,7 @@ jobs:
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
         if: ${{ inputs.push_to_images != '' }}
         with:
           images: ${{ inputs.push_to_images }}
@@ -76,7 +76,7 @@ jobs:
 
       - name: Build and push by digest
         id: build
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
         with:
           context: .
           file: ${{ inputs.file_to_build }}
@@ -100,7 +100,7 @@ jobs:
 
       - name: Upload digest
         if: ${{ inputs.push_to_images != '' }}
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
         with:
           # `hashFiles` is used to disambiguate between streaming and non-streaming images
           name: digests-${{ hashFiles(inputs.file_to_build) }}-${{ env.PLATFORM_PAIR }}
@@ -119,10 +119,10 @@ jobs:
       PUSH_TO_IMAGES: ${{ inputs.push_to_images }}
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Download digests
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
         with:
           path: ${{ runner.temp }}/digests
           # `hashFiles` is used to disambiguate between streaming and non-streaming images
@@ -131,25 +131,25 @@ jobs:
 
       - name: Log in to Docker Hub
         if: contains(inputs.push_to_images, 'tootsuite')
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Log in to the GitHub Container registry
         if: contains(inputs.push_to_images, 'ghcr.io')
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
         if: ${{ inputs.push_to_images != '' }}
         with:
           images: ${{ inputs.push_to_images }}

.github/workflows/build-push-pr.yml

@@ -18,7 +18,7 @@ jobs:
     steps:
       # Repository needs to be cloned so `git rev-parse` below works
       - name: Clone repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - id: version_vars
         run: |
           echo mastodon_version_metadata=pr-${{ github.event.pull_request.number }}-$(git rev-parse --short ${{github.event.pull_request.head.sha}}) >> $GITHUB_OUTPUT

.github/workflows/build-releases.yml

@@ -16,7 +16,7 @@ jobs:
     steps:
       # Repository needs to be cloned to list branches
       - name: Clone repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 0
 

.github/workflows/bundler-audit.yml

@@ -28,10 +28,10 @@ jobs:
 
     steps:
       - name: Clone repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Set up Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@4eb9f110bac952a8b68ecf92e3b5c7a987594ba6 # v1
         with:
           bundler-cache: true
 

.github/workflows/check-i18n.yml

@@ -21,7 +21,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Set up Ruby environment
         uses: ./.github/actions/setup-ruby
@@ -42,8 +42,7 @@ jobs:
 
       - name: Check for missing strings in English YML
         run: |
-          bin/i18n-tasks add-missing -l en
-          git diff --exit-code
+          bin/i18n-tasks missing -t used -l en
 
       - name: Check for wrong string interpolations
         run: bin/i18n-tasks check-consistent-interpolations

.github/workflows/chromatic.yml

@@ -16,11 +16,11 @@ jobs:
       changed: ${{ steps.filter.outputs.src }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 0
 
-      - uses: dorny/paths-filter@v3
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
         id: filter
         with:
           filters: |
@@ -42,7 +42,7 @@ jobs:
     if: github.repository == 'mastodon/mastodon' && needs.pathcheck.outputs.changed == 'true'
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 0
 
@@ -53,10 +53,10 @@ jobs:
         run: yarn build-storybook
 
       - name: Run Chromatic
-        uses: chromaui/action@v13
+        uses: chromaui/action@07791f8243f4cb2698bf4d00426baf4b2d1cb7e0 # v13
         with:
           projectToken: ${{ secrets.CHROMATIC_PROJECT_TOKEN }}
           zip: true
           storybookBuildDir: 'storybook-static'
-          exitZeroOnChanges: false # Fail workflow if changes are found
+          exitOnceUploaded: true # Exit immediately after upload
           autoAcceptChanges: 'main' # Auto-accept changes on main branch only

.github/workflows/codeql.yml

@@ -31,11 +31,11 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
+        uses: github/codeql-action/init@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -48,7 +48,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, Go, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v4
+        uses: github/codeql-action/autobuild@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -61,6 +61,6 @@ jobs:
       #   ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4
+        uses: github/codeql-action/analyze@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4
         with:
           category: '/language:${{matrix.language}}'

.github/workflows/crowdin-download-stable.yml

@@ -13,7 +13,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Increase Git http.postBuffer
         # This is needed due to a bug in Ubuntu's cURL version?
@@ -24,7 +24,7 @@ jobs:
 
       # Download the translation files from Crowdin
       - name: crowdin action
-        uses: crowdin/github-action@v2
+        uses: crowdin/github-action@b4b468cffefb50bdd99dd83e5d2eaeb63c880380 # v2
         with:
           config: crowdin-glitch.yml
           upload_sources: false
@@ -51,7 +51,7 @@ jobs:
 
       # Create or update the pull request
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v7.0.8
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
         with:
           commit-message: 'New Crowdin translations'
           title: 'New Crowdin Translations for ${{ github.base_ref || github.ref_name }} (automated)'

.github/workflows/crowdin-download.yml

@@ -15,7 +15,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Increase Git http.postBuffer
         # This is needed due to a bug in Ubuntu's cURL version?
@@ -26,7 +26,7 @@ jobs:
 
       # Download the translation files from Crowdin
       - name: crowdin action
-        uses: crowdin/github-action@v2
+        uses: crowdin/github-action@b4b468cffefb50bdd99dd83e5d2eaeb63c880380 # v2
         with:
           config: crowdin-glitch.yml
           upload_sources: false
@@ -53,7 +53,7 @@ jobs:
 
       # Create or update the pull request
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v7
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8
         with:
           commit-message: 'New Crowdin translations'
           title: 'New Crowdin Translations (automated)'

.github/workflows/crowdin-upload.yml

@@ -23,10 +23,10 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: crowdin action
-        uses: crowdin/github-action@v2
+        uses: crowdin/github-action@b4b468cffefb50bdd99dd83e5d2eaeb63c880380 # v2
         with:
           config: crowdin-glitch.yml
           upload_sources: true

.github/workflows/format-check.yml

@@ -13,10 +13,10 @@ jobs:
 
     steps:
       - name: Clone repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Set up Javascript environment
         uses: ./.github/actions/setup-javascript
 
-      - name: Check formatting with Prettier
+      - name: Check formatting
         run: yarn format:check

.github/workflows/haml-lint-problem-matcher.json

@@ -1,17 +0,0 @@
-{
-  "problemMatcher": [
-    {
-      "owner": "haml-lint",
-      "severity": "warning",
-      "pattern": [
-        {
-          "regexp": "^(.*):(\\d+)\\s\\[W]\\s(.*):\\s(.*)$",
-          "file": 1,
-          "line": 2,
-          "code": 3,
-          "message": 4
-        }
-      ]
-    }
-  ]
-}

.github/workflows/lint-css.yml

@@ -9,7 +9,6 @@ on:
       - 'package.json'
       - 'yarn.lock'
       - '.nvmrc'
-      - '.prettier*'
       - 'stylelint.config.js'
       - '**/*.css'
       - '**/*.scss'
@@ -21,7 +20,6 @@ on:
       - 'package.json'
       - 'yarn.lock'
       - '.nvmrc'
-      - '.prettier*'
       - 'stylelint.config.js'
       - '**/*.css'
       - '**/*.scss'
@@ -34,7 +32,7 @@ jobs:
 
     steps:
       - name: Clone repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Set up Javascript environment
         uses: ./.github/actions/setup-javascript

.github/workflows/lint-haml.yml

@@ -33,14 +33,13 @@ jobs:
 
     steps:
       - name: Clone repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Set up Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@4eb9f110bac952a8b68ecf92e3b5c7a987594ba6 # v1
         with:
           bundler-cache: true
 
       - name: Run haml-lint
         run: |
-          echo "::add-matcher::.github/workflows/haml-lint-problem-matcher.json"
           bin/haml-lint --reporter github

.github/workflows/lint-js.yml

@@ -10,7 +10,6 @@ on:
       - 'yarn.lock'
       - 'tsconfig.json'
       - '.nvmrc'
-      - '.prettier*'
       - 'eslint.config.mjs'
       - '**/*.js'
       - '**/*.jsx'
@@ -24,7 +23,6 @@ on:
       - 'yarn.lock'
       - 'tsconfig.json'
       - '.nvmrc'
-      - '.prettier*'
       - 'eslint.config.mjs'
       - '**/*.js'
       - '**/*.jsx'
@@ -38,7 +36,7 @@ jobs:
 
     steps:
       - name: Clone repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Set up Javascript environment
         uses: ./.github/actions/setup-javascript

.github/workflows/lint-ruby.yml

@@ -35,15 +35,15 @@ jobs:
 
     steps:
       - name: Clone repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Set up Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@4eb9f110bac952a8b68ecf92e3b5c7a987594ba6 # v1
         with:
           bundler-cache: true
 
       - name: Set-up RuboCop Problem Matcher
-        uses: r7kamura/rubocop-problem-matchers-action@v1
+        uses: r7kamura/rubocop-problem-matchers-action@59f1a0759f50cc2649849fd850b8487594bb5a81 # v1.2.2
 
       - name: Run rubocop
         run: bin/rubocop

.github/workflows/rebase-needed.yml

@@ -18,7 +18,7 @@ jobs:
 
     steps:
       - name: Check for merge conflicts
-        uses: eps1lon/actions-label-merge-conflict@v3
+        uses: eps1lon/actions-label-merge-conflict@1df065ebe6e3310545d4f4c4e862e43bdca146f0 # v3
         with:
           dirtyLabel: 'rebase needed :construction:'
           repoToken: '${{ secrets.GITHUB_TOKEN }}'

.github/workflows/test-js.yml

@@ -34,7 +34,7 @@ jobs:
 
     steps:
       - name: Clone repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Set up Javascript environment
         uses: ./.github/actions/setup-javascript

.github/workflows/test-migrations.yml

@@ -72,7 +72,7 @@ jobs:
       BUNDLE_RETRY: 3
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Set up Ruby environment
         uses: ./.github/actions/setup-ruby

.github/workflows/test-ruby.yml

@@ -32,7 +32,7 @@ jobs:
       SECRET_KEY_BASE_DUMMY: 1
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Set up Ruby environment
         uses: ./.github/actions/setup-ruby
@@ -43,7 +43,7 @@ jobs:
           onlyProduction: 'true'
 
       - name: Cache assets from compilation
-        uses: actions/cache@v4
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5
         with:
           path: |
             public/assets
@@ -65,7 +65,7 @@ jobs:
         run: |
           tar --exclude={"*.br","*.gz"} -zcf artifacts.tar.gz public/assets public/packs* tmp/cache/vite/last-build*.json
 
-      - uses: actions/upload-artifact@v5
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
         if: matrix.mode == 'test'
         with:
           path: |-
@@ -124,13 +124,12 @@ jobs:
       fail-fast: false
       matrix:
         ruby-version:
-          - '3.2'
           - '3.3'
           - '.ruby-version'
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
-      - uses: actions/download-artifact@v6
+      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
         with:
           path: './'
           name: ${{ github.sha }}
@@ -151,7 +150,7 @@ jobs:
           bin/flatware fan bin/rails db:test:prepare
 
       - name: Cache RSpec persistence file
-        uses: actions/cache@v4
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5
         with:
           path: |
             tmp/rspec/examples.txt
@@ -167,99 +166,12 @@ jobs:
 
       - name: Upload coverage reports to Codecov
         if: matrix.ruby-version == '.ruby-version'
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5
         with:
           files: coverage/lcov/*.lcov
         env:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 
-  test-imagemagick:
-    name: ImageMagick tests
-    runs-on: ubuntu-latest
-
-    needs:
-      - build
-
-    services:
-      postgres:
-        image: postgres:14-alpine
-        env:
-          POSTGRES_PASSWORD: postgres
-          POSTGRES_USER: postgres
-        options: >-
-          --health-cmd pg_isready
-          --health-interval 10ms
-          --health-timeout 3s
-          --health-retries 50
-        ports:
-          - 5432:5432
-
-      redis:
-        image: redis:7-alpine
-        options: >-
-          --health-cmd "redis-cli ping"
-          --health-interval 10ms
-          --health-timeout 3s
-          --health-retries 50
-        ports:
-          - 6379:6379
-
-    env:
-      DB_HOST: localhost
-      DB_USER: postgres
-      DB_PASS: postgres
-      COVERAGE: ${{ matrix.ruby-version == '.ruby-version' }}
-      RAILS_ENV: test
-      ALLOW_NOPAM: true
-      PAM_ENABLED: true
-      PAM_DEFAULT_SERVICE: pam_test
-      PAM_CONTROLLED_SERVICE: pam_test_controlled
-      OIDC_ENABLED: true
-      OIDC_SCOPE: read
-      SAML_ENABLED: true
-      CAS_ENABLED: true
-      BUNDLE_WITH: 'pam_authentication test'
-      GITHUB_RSPEC: ${{ matrix.ruby-version == '.ruby-version' && github.event.pull_request && 'true' }}
-      MASTODON_USE_LIBVIPS: false
-
-    strategy:
-      fail-fast: false
-      matrix:
-        ruby-version:
-          - '3.2'
-          - '3.3'
-          - '.ruby-version'
-    steps:
-      - uses: actions/checkout@v5
-
-      - uses: actions/download-artifact@v6
-        with:
-          path: './'
-          name: ${{ github.sha }}
-
-      - name: Expand archived asset artifacts
-        run: |
-          tar xvzf artifacts.tar.gz
-
-      - name: Set up Ruby environment
-        uses: ./.github/actions/setup-ruby
-        with:
-          ruby-version: ${{ matrix.ruby-version}}
-          additional-system-dependencies: ffmpeg imagemagick libpam-dev
-
-      - name: Load database schema
-        run: './bin/rails db:create db:schema:load db:seed'
-
-      - run: bin/rspec --tag attachment_processing
-
-      - name: Upload coverage reports to Codecov
-        if: matrix.ruby-version == '.ruby-version'
-        uses: codecov/codecov-action@v5
-        with:
-          files: coverage/lcov/mastodon.lcov
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-
   test-e2e:
     name: End to End testing
     runs-on: ubuntu-latest
@@ -304,14 +216,13 @@ jobs:
       fail-fast: false
       matrix:
         ruby-version:
-          - '3.2'
           - '3.3'
           - '.ruby-version'
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
-      - uses: actions/download-artifact@v6
+      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
         with:
           path: './'
           name: ${{ github.sha }}
@@ -334,7 +245,7 @@ jobs:
 
       - name: Cache Playwright Chromium browser
         id: playwright-cache
-        uses: actions/cache@v4
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5
         with:
           path: ~/.cache/ms-playwright
           key: playwright-browsers-${{ runner.os }}-${{ hashFiles('yarn.lock') }}
@@ -350,14 +261,14 @@ jobs:
       - run: bin/rspec spec/system --tag streaming --tag js
 
       - name: Archive logs
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
         if: failure()
         with:
           name: e2e-logs-${{ matrix.ruby-version }}
           path: log/
 
       - name: Archive test screenshots
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
         if: failure()
         with:
           name: e2e-screenshots-${{ matrix.ruby-version }}
@@ -435,21 +346,20 @@ jobs:
       fail-fast: false
       matrix:
         ruby-version:
-          - '3.2'
           - '3.3'
           - '.ruby-version'
         search-image:
-          - docker.elastic.co/elasticsearch/elasticsearch:7.17.13
+          - docker.elastic.co/elasticsearch/elasticsearch:7.17.29
         include:
           - ruby-version: '.ruby-version'
-            search-image: docker.elastic.co/elasticsearch/elasticsearch:8.10.2
+            search-image: docker.elastic.co/elasticsearch/elasticsearch:8.19.2
           - ruby-version: '.ruby-version'
             search-image: opensearchproject/opensearch:2
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
-      - uses: actions/download-artifact@v6
+      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
         with:
           path: './'
           name: ${{ github.sha }}
@@ -469,15 +379,8 @@ jobs:
       - run: bin/rspec --tag search
 
       - name: Archive logs
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
         if: failure()
         with:
           name: test-search-logs-${{ matrix.ruby-version }}
           path: log/
-
-      - name: Archive test screenshots
-        uses: actions/upload-artifact@v5
-        if: failure()
-        with:
-          name: test-search-screenshots
-          path: tmp/capybara/

.haml-lint.yml

@@ -10,6 +10,6 @@ linters:
   MiddleDot:
     enabled: true
   LineLength:
-    max: 300
+    max: 240 # Override default value of 80 inherited from rubocop
   ViewLength:
     max: 200 # Override default value of 100 inherited from rubocop

.nvmrc

@@ -1 +1 @@
-24.12
+24.14

.oxfmtrc.json

@@ -0,0 +1,99 @@
+{
+  "$schema": "./node_modules/oxfmt/configuration_schema.json",
+  "singleQuote": true,
+  "jsxSingleQuote": true,
+  "printWidth": 80,
+  "ignorePatterns": [
+    "/tmp",
+    "/coverage",
+    "/public/assets",
+    "/public/emoji",
+    "/public/packs",
+    "/public/packs-test",
+    "/public/system",
+    "/public/vite*",
+
+    "*.html",
+    "docker-compose.override.yml",
+
+    // Ignore config YAML files that include ERB/ruby code
+    "config/email.yml",
+
+    // Vendored CSS
+    "app/javascript/styles/mastodon/reset.scss",
+    "app/javascript/flavours/glitch/styles/reset.scss",
+
+    // Automatically generated
+    "/app/javascript/mastodon/features/emoji/emoji_map.json",
+    "/app/javascript/mastodon/features/emoji/emoji_data.json",
+    "AUTHORS.md",
+    "/app/javascript/mastodon/locales/*.json",
+    "/config/locales",
+    ".storybook/static/mockServiceWorker.js",
+
+    // Automatically generated (glitch-soc)
+    "/app/javascript/flavours/glitch/features/emoji/emoji_map.json",
+    "/app/javascript/flavours/glitch/features/emoji/emoji_data.json",
+    "/app/javascript/flavours/glitch/locales/*.json",
+    "/config/locales-glitch",
+
+    // do not reformat JS files as this will change too many files and cause merge conflicts with open PRs and forks
+    "app/javascript/**/*.js",
+    "app/javascript/**/*.jsx",
+    "streaming/**/*.js"
+  ],
+  "experimentalSortPackageJson": false,
+  "experimentalSortImports": {
+    "groups": [
+      ["builtin"],
+      ["react"],
+      ["react-intl"],
+      ["react-utils"],
+      ["redux"],
+      ["external", "type-external"],
+      ["internal", "type-internal"],
+      ["mastodon-internals"],
+      ["parent", "type-parent"],
+      ["sibling", "type-sibling", "index", "type-index"],
+      ["side_effect"]
+    ],
+    "customGroups": [
+      {
+        "groupName": "react",
+        "elementNamePattern": [
+          "react",
+          "react-dom",
+          "react-dom/client",
+          "prop-types"
+        ]
+      },
+      {
+        "groupName": "react-intl",
+        "elementNamePattern": ["react-intl", "intl-messageformat"]
+      },
+      {
+        "groupName": "react-utils",
+        "elementNamePattern": [
+          "classnames",
+          "react-helmet",
+          "react-router",
+          "react-router-dom"
+        ]
+      },
+      {
+        "groupName": "redux",
+        "elementNamePattern": [
+          "immutable",
+          "@reduxjs/toolkit",
+          "react-redux",
+          "react-immutable-proptypes",
+          "react-immutable-pure-component"
+        ]
+      },
+      {
+        "groupName": "mastodon-internals",
+        "elementNamePattern": ["mastodon/**", "flavours/glitch/**", "@/**"]
+      }
+    ]
+  }
+}

.prettierignore

@@ -1,101 +0,0 @@
-# See https://help.github.com/articles/ignoring-files for more about ignoring files.
-#
-# If you find yourself ignoring temporary files generated by your text editor
-# or operating system, you probably want to add a global ignore instead:
-#   git config --global core.excludesfile '~/.gitignore_global'
-
-# Ignore bundler config and downloaded libraries.
-/.bundle
-/vendor/bundle
-
-# Ignore the default SQLite database.
-/db/*.sqlite3
-/db/*.sqlite3-journal
-
-# Ignore all logfiles and tempfiles.
-.eslintcache
-/log/*
-!/log/.keep
-/tmp
-/coverage
-.env
-.env.production
-.env.development
-/node_modules/
-/build/
-
-# Ignore Vagrant files
-.vagrant/
-
-# Ignore IDE files
-.vscode/
-.idea/
-
-# Ignore postgres + redis + elasticsearch volume optionally created by docker-compose
-/postgres
-/postgres14
-/redis
-/elasticsearch
-
-# Ignore Apple files
-.DS_Store
-
-# Ignore vim files
-*~
-*.swp
-
-# Ignore log files
-*.log
-
-# Ignore Docker option files
-docker-compose.override.yml
-
-# Ignore public
-/public/assets
-/public/emoji
-/public/packs
-/public/packs-test
-/public/system
-/public/vite*
-
-# Ignore emoji map file
-/app/javascript/mastodon/features/emoji/emoji_map.json
-/app/javascript/mastodon/features/emoji/emoji_data.json
-
-# Ignore locale files
-/app/javascript/mastodon/locales/*.json
-/config/locales
-
-# Ignore vendored CSS reset
-app/javascript/styles/mastodon/reset.scss
-
-# Ignore Javascript pending https://github.com/mastodon/mastodon/pull/23631
-*.js
-*.jsx
-
-# Ignore HTML till cleaned and included in CI
-*.html
-
-# Ignore the generated AUTHORS.md
-AUTHORS.md
-
-# Process a few selected JS files
-!lint-staged.config.js
-
-# Ignore config YAML files that include ERB/ruby code prettier does not understand
-/config/email.yml
-
-# Ignore glitch-soc emoji map file
-/app/javascript/flavours/glitch/features/emoji/emoji_map.json
-/app/javascript/flavours/glitch/features/emoji/emoji_data.json
-
-# Ignore glitch-soc locale files
-/app/javascript/flavours/glitch/locales
-/config/locales-glitch
-
-# Ignore glitch-soc vendored CSS reset
-app/javascript/flavours/glitch/styles/reset.scss
-app/javascript/flavours/glitch/styles_new/mastodon/reset.scss
-
-# Ignore win95 theme
-app/javascript/styles/win95.scss

.prettierrc.js

@@ -1,4 +0,0 @@
-module.exports = {
-  singleQuote: true,
-  jsxSingleQuote: true
-};

.rubocop.yml

@@ -8,7 +8,7 @@ AllCops:
     - lib/mastodon/migration_helpers.rb
   ExtraDetails: true
   NewCops: enable
-  TargetRubyVersion: 3.2 # Oldest supported ruby version
+  TargetRubyVersion: 3.3 # Oldest supported ruby version
 
 inherit_from:
   - .rubocop/layout.yml

.rubocop/layout.yml

@@ -4,3 +4,6 @@ Layout/FirstHashElementIndentation:
 
 Layout/LineLength:
   Max: 300 # Default of 120 causes a duplicate entry in generated todo file
+
+Layout/MultilineMethodCallIndentation:
+  EnforcedStyle: indented

.ruby-version

@@ -1 +1 @@
-3.4.8
+3.4.9

.storybook/main.ts

@@ -3,7 +3,18 @@ import { resolve } from 'node:path';
 import type { StorybookConfig } from '@storybook/react-vite';
 
 const config: StorybookConfig = {
-  stories: ['../app/javascript/**/*.stories.@(js|jsx|mjs|ts|tsx)'],
+  stories: [
+    {
+      directory: '../app/javascript/mastodon',
+      files: '**/*.stories.@(js|jsx|mjs|ts|tsx)',
+      titlePrefix: 'Vanilla',
+    },
+    {
+      directory: '../app/javascript/flavours/glitch',
+      files: '**/*.stories.@(js|jsx|mjs|ts|tsx)',
+      titlePrefix: 'Glitch',
+    },
+  ],
   addons: [
     '@storybook/addon-docs',
     '@storybook/addon-a11y',

.storybook/modes.ts

@@ -0,0 +1,8 @@
+export const modes = {
+  darkTheme: {
+    theme: 'dark',
+  },
+  lightTheme: {
+    theme: 'light',
+  },
+} as const;

.storybook/preview-body.html

@@ -1,2 +1,2 @@
-<html class="no-reduce-motion theme-light">
+<html class="no-reduce-motion" data-color-scheme="light">
 </html>

.storybook/preview.tsx

@@ -21,14 +21,15 @@ import { reducerWithInitialState } from '@/mastodon/reducers';
 import { defaultMiddleware } from '@/mastodon/store/store';
 import { mockHandlers, unhandledRequestHandler } from '@/testing/api';
 
-// If you want to run the dark theme during development,
-// you can change the below to `/application.scss`
-import '../app/javascript/styles/mastodon-light.scss';
+import { modes } from './modes';
+
+import '../app/javascript/styles/application.scss';
 import './styles.css';
 
-const localeFiles = import.meta.glob('@/mastodon/locales/*.json', {
-  query: { as: 'json' },
-});
+// Disabling locales in Storybook as it's breaking with Vite 8.
+// const localeFiles = import.meta.glob('@/mastodon/locales/*.json', {
+//   query: { as: 'json' },
+// });
 
 // Initialize MSW
 initialize({
@@ -39,20 +40,30 @@ const preview: Preview = {
   // Auto-generate docs: https://storybook.js.org/docs/writing-docs/autodocs
   tags: ['autodocs'],
   globalTypes: {
-    locale: {
-      description: 'Locale for the story',
+    // locale: {
+    //   description: 'Locale for the story',
+    //   toolbar: {
+    //     title: 'Locale',
+    //     icon: 'globe',
+    //     items: Object.keys(localeFiles).map((path) =>
+    //       path.replace('/mastodon/locales/', '').replace('.json', ''),
+    //     ),
+    //     dynamicTitle: true,
+    //   },
+    // },
+    theme: {
+      description: 'Theme for the story',
       toolbar: {
-        title: 'Locale',
-        icon: 'globe',
-        items: Object.keys(localeFiles).map((path) =>
-          path.replace('/mastodon/locales/', '').replace('.json', ''),
-        ),
+        title: 'Theme',
+        icon: 'circlehollow',
+        items: [{ value: 'light' }, { value: 'dark' }],
         dynamicTitle: true,
       },
     },
   },
   initialGlobals: {
     locale: 'en',
+    theme: 'light',
   },
   decorators: [
     (Story, { parameters, globals, args, argTypes }) => {
@@ -126,15 +137,18 @@ const preview: Preview = {
       }, [currentLocale, currentLocaleData]);
 
       return (
-        <IntlProvider
-          locale={currentLocale}
-          messages={currentLocaleData}
-          textComponent='span'
-        >
+        <IntlProvider locale={currentLocale} messages={currentLocaleData}>
           <Story />
         </IntlProvider>
       );
     },
+    (Story, { globals }) => {
+      const theme = (globals.theme as string) || 'light';
+      useEffect(() => {
+        document.body.setAttribute('data-color-scheme', theme);
+      }, [theme]);
+      return <Story />;
+    },
     (Story) => (
       <MemoryRouter>
         <Story />
@@ -181,6 +195,13 @@ const preview: Preview = {
     msw: {
       handlers: mockHandlers,
     },
+
+    chromatic: {
+      modes: {
+        dark: modes.darkTheme,
+        light: modes.lightTheme,
+      },
+    },
   },
 };
 

.storybook/static/mockServiceWorker.js

@@ -7,7 +7,7 @@
  * - Please do NOT modify this file.
  */
 
-const PACKAGE_VERSION = '2.12.1'
+const PACKAGE_VERSION = '2.12.14'
 const INTEGRITY_CHECKSUM = '4db4a41e972cec1b64cc569c66952d82'
 const IS_MOCKED_RESPONSE = Symbol('isMockedResponse')
 const activeClientIds = new Set()

.storybook/vitest.setup.ts

@@ -1,8 +0,0 @@
-import * as a11yAddonAnnotations from '@storybook/addon-a11y/preview';
-import { setProjectAnnotations } from '@storybook/react-vite';
-
-import * as projectAnnotations from './preview';
-
-// This is an important step to apply the right configuration when testing your stories.
-// More info at: https://storybook.js.org/docs/api/portable-stories/portable-stories-vitest#setprojectannotations
-setProjectAnnotations([a11yAddonAnnotations, projectAnnotations]);

CONTRIBUTING.md

@@ -50,6 +50,8 @@ You can contribute in the following ways:
 
 Please review the org-level [contribution guidelines] for high-level acceptance
 criteria guidance and the [DEVELOPMENT] guide for environment-specific details.
+You should also read the project's [AI Contribution Policy] to understand how we approach
+AI-assisted contributions.
 
 ## API Changes and Additions
 
@@ -80,7 +82,7 @@ reviewed and merged into the codebase.
 
 Our time is limited and PRs making large, unsolicited changes are unlikely to
 get a response. Changes which link to an existing confirmed issue, or which come
-from a "help wanted" issue or other request are more likely to be reviewed.
+from a "help wanted" issue or other request, are more likely to be reviewed.
 
 The smaller and more narrowly focused the changes in a PR are, the easier they
 are to review and potentially merge. If the change only makes sense in some
@@ -130,3 +132,4 @@ and API docs. Improvements are made via PRs to the [documentation repository].
 [keepachangelog]: https://keepachangelog.com/en/1.0.0/
 [Mastodon documentation]: https://docs.joinmastodon.org
 [SECURITY]: SECURITY.md
+[AI Contribution Policy]: https://github.com/mastodon/.github/blob/main/AI_POLICY.md

Dockerfile

@@ -13,7 +13,7 @@ ARG BASE_REGISTRY="docker.io"
 
 # Ruby image to use for base image, change with [--build-arg RUBY_VERSION="3.4.x"]
 # renovate: datasource=docker depName=docker.io/ruby
-ARG RUBY_VERSION="3.4.8"
+ARG RUBY_VERSION="3.4.9"
 # # Node.js version to use in base image, change with [--build-arg NODE_MAJOR_VERSION="22"]
 # renovate: datasource=node-version depName=node
 ARG NODE_MAJOR_VERSION="24"
@@ -70,8 +70,6 @@ ENV \
   PATH="${PATH}:/opt/ruby/bin:/opt/mastodon/bin" \
   # Optimize jemalloc 5.x performance
   MALLOC_CONF="narenas:2,background_thread:true,thp:never,dirty_decay_ms:1000,muzzy_decay_ms:0" \
-  # Enable libvips, should not be changed
-  MASTODON_USE_LIBVIPS=true \
   # Sidekiq will touch tmp/sidekiq_process_has_started_and_will_begin_processing_jobs to indicate it is ready. This can be used for a readiness check in Kubernetes
   MASTODON_SIDEKIQ_READY_FILENAME=sidekiq_process_has_started_and_will_begin_processing_jobs
 
@@ -183,7 +181,7 @@ FROM build AS libvips
 
 # libvips version to compile, change with [--build-arg VIPS_VERSION="8.15.2"]
 # renovate: datasource=github-releases depName=libvips packageName=libvips/libvips
-ARG VIPS_VERSION=8.17.3
+ARG VIPS_VERSION=8.18.1
 # libvips download URL, change with [--build-arg VIPS_URL="https://github.com/libvips/libvips/releases/download"]
 ARG VIPS_URL=https://github.com/libvips/libvips/releases/download
 

FEDERATION.md

@@ -13,7 +13,8 @@
 - [FEP-f1d5: NodeInfo in Fediverse Software](https://codeberg.org/fediverse/fep/src/branch/main/fep/f1d5/fep-f1d5.md)
 - [FEP-8fcf: Followers collection synchronization across servers](https://codeberg.org/fediverse/fep/src/branch/main/fep/8fcf/fep-8fcf.md)
 - [FEP-5feb: Search indexing consent for actors](https://codeberg.org/fediverse/fep/src/branch/main/fep/5feb/fep-5feb.md)
-- [FEP-044f: Consent-respecting quote posts](https://codeberg.org/fediverse/fep/src/branch/main/fep/044f/fep-044f.md): partial support for incoming quote-posts
+- [FEP-044f: Consent-respecting quote posts](https://codeberg.org/fediverse/fep/src/branch/main/fep/044f/fep-044f.md)
+- [FEP-3b86: Activity Intents](https://codeberg.org/fediverse/fep/src/branch/main/fep/3b86/fep-3b86.md): offer handlers for `Object` and `Create` (with support for the `content` parameter only), has support for the `Follow`, `Announce`, `Like` and `Object` intents
 
 ## ActivityPub in Mastodon
 
@@ -48,3 +49,25 @@ Mastodon requires all `POST` requests to be signed, and MAY require `GET` reques
 ### Additional documentation
 
 - [Mastodon documentation](https://docs.joinmastodon.org/)
+
+## Size limits
+
+Mastodon imposes a few hard limits on federated content.
+These limits are intended to be very generous and way above what the Mastodon user experience is optimized for, so as to accommodate future changes and unusual or unforeseen usage patterns, while still providing some limits for performance reasons.
+The following table summarizes those limits.
+
+| Limited property                                              | Size limit | Consequence of exceeding the limit |
+| ------------------------------------------------------------- | ---------- | ---------------------------------- |
+| Serialized JSON-LD                                            | 1MB        | **Activity is rejected/dropped**   |
+| Profile fields (actor `PropertyValue` attachments) name/value | 2047       | Field name/value is truncated      |
+| Number of profile fields (actor `PropertyValue` attachments)  | 50         | Fields list is truncated           |
+| Poll options (number of `anyOf`/`oneOf` in a `Question`)      | 500        | Items list is truncated            |
+| Account username (actor `preferredUsername`) length           | 2048       | **Actor will be rejected**         |
+| Account display name (actor `name`) length                    | 2048       | Display name will be truncated     |
+| Account note (actor `summary`) length                         | 20kB       | Account note will be truncated     |
+| Account `attributionDomains`                                  | 256        | List will be truncated             |
+| Account aliases (actor `alsoKnownAs`)                         | 256        | List will be truncated             |
+| Custom emoji shortcode (`Emoji` `name`)                       | 2048       | Emoji will be rejected             |
+| Media and avatar/header descriptions (`name`/`summary`)       | 10000      | Description will be truncated      |
+| Collection name (`FeaturedCollection` `name`)                 | 256        | Name will be truncated             |
+| Collection description (`FeaturedCollection` `summary`)       | 2048       | Description will be truncated      |

Gemfile

@@ -1,11 +1,11 @@
 # frozen_string_literal: true
 
 source 'https://rubygems.org'
-ruby '>= 3.2.0', '< 3.5.0'
+ruby '>= 3.3.0', '< 3.5.0'
 
 gem 'propshaft'
 gem 'puma', '~> 7.0'
-gem 'rails', '~> 8.0'
+gem 'rails', '~> 8.1.0'
 gem 'thor', '~> 1.2'
 
 gem 'dotenv'
@@ -24,11 +24,11 @@ gem 'ruby-vips', '~> 2.2', require: false
 
 gem 'active_model_serializers', '~> 0.10'
 gem 'addressable', '~> 2.8'
-gem 'bootsnap', '~> 1.19.0', require: false
+gem 'bootsnap', require: false
 gem 'browser'
 gem 'charlock_holmes', '~> 0.7.7'
-gem 'chewy', '~> 7.3'
-gem 'devise', '~> 4.9'
+gem 'chewy'
+gem 'devise'
 gem 'devise-two-factor'
 
 group :pam_authentication, optional: true do
@@ -55,7 +55,7 @@ gem 'hiredis-client'
 gem 'htmlentities', '~> 4.3'
 gem 'http', '~> 5.3.0'
 gem 'http_accept_language', '~> 2.1'
-gem 'httplog', '~> 1.7.0', require: false
+gem 'httplog', '~> 1.8.0', require: false
 gem 'i18n'
 gem 'idn-ruby', require: 'idn'
 gem 'inline_svg'
@@ -67,7 +67,6 @@ gem 'mario-redis-lock', '~> 1.2', require: 'redis_lock'
 gem 'mime-types', '~> 3.7.0', require: 'mime/types/columnar'
 gem 'mutex_m'
 gem 'nokogiri', '~> 1.15'
-gem 'oj', '~> 3.14'
 gem 'ox', '~> 2.14'
 gem 'parslet'
 gem 'premailer-rails'
@@ -96,27 +95,28 @@ gem 'tzinfo-data', '~> 1.2023'
 gem 'webauthn', '~> 3.0'
 gem 'webpush', github: 'mastodon/webpush', ref: '9631ac63045cfabddacc69fc06e919b4c13eb913'
 
+gem 'json'
 gem 'json-ld'
 gem 'json-ld-preloaded', '~> 3.2'
 gem 'rdf-normalize', '~> 0.5'
 
 gem 'prometheus_exporter', '~> 2.2', require: false
 
-gem 'opentelemetry-api', '~> 1.7.0'
+gem 'opentelemetry-api', '~> 1.8.0'
 
 group :opentelemetry do
-  gem 'opentelemetry-exporter-otlp', '~> 0.31.0', require: false
+  gem 'opentelemetry-exporter-otlp', '~> 0.32.0', require: false
   gem 'opentelemetry-instrumentation-active_job', '~> 0.10.0', require: false
   gem 'opentelemetry-instrumentation-active_model_serializers', '~> 0.24.0', require: false
   gem 'opentelemetry-instrumentation-concurrent_ruby', '~> 0.24.0', require: false
-  gem 'opentelemetry-instrumentation-excon', '~> 0.26.0', require: false
-  gem 'opentelemetry-instrumentation-faraday', '~> 0.30.0', require: false
-  gem 'opentelemetry-instrumentation-http', '~> 0.27.0', require: false
-  gem 'opentelemetry-instrumentation-http_client', '~> 0.26.0', require: false
-  gem 'opentelemetry-instrumentation-net_http', '~> 0.26.0', require: false
-  gem 'opentelemetry-instrumentation-pg', '~> 0.34.0', require: false
-  gem 'opentelemetry-instrumentation-rack', '~> 0.29.0', require: false
-  gem 'opentelemetry-instrumentation-rails', '~> 0.39.0', require: false
+  gem 'opentelemetry-instrumentation-excon', '~> 0.28.0', require: false
+  gem 'opentelemetry-instrumentation-faraday', '~> 0.32.0', require: false
+  gem 'opentelemetry-instrumentation-http', '~> 0.29.0', require: false
+  gem 'opentelemetry-instrumentation-http_client', '~> 0.28.0', require: false
+  gem 'opentelemetry-instrumentation-net_http', '~> 0.28.0', require: false
+  gem 'opentelemetry-instrumentation-pg', '~> 0.35.0', require: false
+  gem 'opentelemetry-instrumentation-rack', '~> 0.30.0', require: false
+  gem 'opentelemetry-instrumentation-rails', '~> 0.40.0', require: false
   gem 'opentelemetry-instrumentation-redis', '~> 0.28.0', require: false
   gem 'opentelemetry-instrumentation-sidekiq', '~> 0.28.0', require: false
   gem 'opentelemetry-sdk', '~> 1.4', require: false
@@ -129,16 +129,13 @@ group :test do
   # Adds RSpec Error/Warning annotations to GitHub PRs on the Files tab
   gem 'rspec-github', '~> 3.0', require: false
 
-  # RSpec helpers for email specs
-  gem 'email_spec'
-
   # Extra RSpec extension methods and helpers for sidekiq
   gem 'rspec-sidekiq', '~> 5.0'
 
   # Browser integration testing
   gem 'capybara', '~> 3.39'
   gem 'capybara-playwright-driver'
-  gem 'playwright-ruby-client', '1.57.0', require: false # Pinning the exact version as it needs to be kept in sync with the installed npm package
+  gem 'playwright-ruby-client', '1.57.1', require: false # Pinning the exact version as it needs to be kept in sync with the installed npm package
 
   # Used to reset the database between system tests
   gem 'database_cleaner-active_record'
@@ -180,14 +177,14 @@ group :development do
 
   # Enhanced error message pages for development
   gem 'better_errors', '~> 2.9'
-  gem 'binding_of_caller', '~> 1.0'
+  gem 'binding_of_caller'
 
   # Preview mail in the browser
   gem 'letter_opener', '~> 1.8'
   gem 'letter_opener_web', '~> 3.0'
 
   # Security analysis CLI tools
-  gem 'brakeman', '~> 7.0', require: false
+  gem 'brakeman', '~> 8.0', require: false
   gem 'bundler-audit', '~> 0.9', require: false
 
   # Linter CLI for HAML files

Gemfile.lock

@@ -10,29 +10,31 @@ GIT
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (8.0.3)
-      actionpack (= 8.0.3)
-      activesupport (= 8.0.3)
+    action_text-trix (2.1.17)
+      railties
+    actioncable (8.1.3)
+      actionpack (= 8.1.3)
+      activesupport (= 8.1.3)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
       zeitwerk (~> 2.6)
-    actionmailbox (8.0.3)
-      actionpack (= 8.0.3)
-      activejob (= 8.0.3)
-      activerecord (= 8.0.3)
-      activestorage (= 8.0.3)
-      activesupport (= 8.0.3)
+    actionmailbox (8.1.3)
+      actionpack (= 8.1.3)
+      activejob (= 8.1.3)
+      activerecord (= 8.1.3)
+      activestorage (= 8.1.3)
+      activesupport (= 8.1.3)
       mail (>= 2.8.0)
-    actionmailer (8.0.3)
-      actionpack (= 8.0.3)
-      actionview (= 8.0.3)
-      activejob (= 8.0.3)
-      activesupport (= 8.0.3)
+    actionmailer (8.1.3)
+      actionpack (= 8.1.3)
+      actionview (= 8.1.3)
+      activejob (= 8.1.3)
+      activesupport (= 8.1.3)
       mail (>= 2.8.0)
       rails-dom-testing (~> 2.2)
-    actionpack (8.0.3)
-      actionview (= 8.0.3)
-      activesupport (= 8.0.3)
+    actionpack (8.1.3)
+      actionview (= 8.1.3)
+      activesupport (= 8.1.3)
       nokogiri (>= 1.8.5)
       rack (>= 2.2.4)
       rack-session (>= 1.0.1)
@@ -40,15 +42,16 @@ GEM
       rails-dom-testing (~> 2.2)
       rails-html-sanitizer (~> 1.6)
       useragent (~> 0.16)
-    actiontext (8.0.3)
-      actionpack (= 8.0.3)
-      activerecord (= 8.0.3)
-      activestorage (= 8.0.3)
-      activesupport (= 8.0.3)
+    actiontext (8.1.3)
+      action_text-trix (~> 2.1.15)
+      actionpack (= 8.1.3)
+      activerecord (= 8.1.3)
+      activestorage (= 8.1.3)
+      activesupport (= 8.1.3)
       globalid (>= 0.6.0)
       nokogiri (>= 1.8.5)
-    actionview (8.0.3)
-      activesupport (= 8.0.3)
+    actionview (8.1.3)
+      activesupport (= 8.1.3)
       builder (~> 3.1)
       erubi (~> 1.11)
       rails-dom-testing (~> 2.2)
@@ -58,46 +61,46 @@ GEM
       activemodel (>= 4.1)
       case_transform (>= 0.2)
       jsonapi-renderer (>= 0.1.1.beta1, < 0.3)
-    activejob (8.0.3)
-      activesupport (= 8.0.3)
+    activejob (8.1.3)
+      activesupport (= 8.1.3)
       globalid (>= 0.3.6)
-    activemodel (8.0.3)
-      activesupport (= 8.0.3)
-    activerecord (8.0.3)
-      activemodel (= 8.0.3)
-      activesupport (= 8.0.3)
+    activemodel (8.1.3)
+      activesupport (= 8.1.3)
+    activerecord (8.1.3)
+      activemodel (= 8.1.3)
+      activesupport (= 8.1.3)
       timeout (>= 0.4.0)
-    activestorage (8.0.3)
-      actionpack (= 8.0.3)
-      activejob (= 8.0.3)
-      activerecord (= 8.0.3)
-      activesupport (= 8.0.3)
+    activestorage (8.1.3)
+      actionpack (= 8.1.3)
+      activejob (= 8.1.3)
+      activerecord (= 8.1.3)
+      activesupport (= 8.1.3)
       marcel (~> 1.0)
-    activesupport (8.0.3)
+    activesupport (8.1.3)
       base64
-      benchmark (>= 0.3)
       bigdecimal
       concurrent-ruby (~> 1.0, >= 1.3.1)
       connection_pool (>= 2.2.5)
       drb
       i18n (>= 1.6, < 2)
+      json
       logger (>= 1.4.2)
       minitest (>= 5.1)
       securerandom (>= 0.3)
       tzinfo (~> 2.0, >= 2.0.5)
       uri (>= 0.13.1)
-    addressable (2.8.8)
+    addressable (2.8.9)
       public_suffix (>= 2.0.2, < 8.0)
     aes_key_wrap (1.1.0)
     android_key_attestation (0.3.0)
-    annotaterb (4.20.0)
+    annotaterb (4.22.0)
       activerecord (>= 6.0.0)
       activesupport (>= 6.0.0)
     ast (2.4.3)
     attr_required (1.0.2)
     aws-eventstream (1.4.0)
-    aws-partitions (1.1194.0)
-    aws-sdk-core (3.239.2)
+    aws-partitions (1.1227.0)
+    aws-sdk-core (3.244.0)
       aws-eventstream (~> 1, >= 1.3.0)
       aws-partitions (~> 1, >= 1.992.0)
       aws-sigv4 (~> 1.9)
@@ -105,11 +108,11 @@ GEM
       bigdecimal
       jmespath (~> 1, >= 1.6.1)
       logger
-    aws-sdk-kms (1.118.0)
-      aws-sdk-core (~> 3, >= 3.239.1)
+    aws-sdk-kms (1.123.0)
+      aws-sdk-core (~> 3, >= 3.244.0)
       aws-sigv4 (~> 1.5)
-    aws-sdk-s3 (1.207.0)
-      aws-sdk-core (~> 3, >= 3.234.0)
+    aws-sdk-s3 (1.217.0)
+      aws-sdk-core (~> 3, >= 3.244.0)
       aws-sdk-kms (~> 1)
       aws-sigv4 (~> 1.5)
     aws-sigv4 (1.12.1)
@@ -118,7 +121,7 @@ GEM
       rexml
     base64 (0.3.0)
     bcp47_spec (0.2.1)
-    bcrypt (3.1.20)
+    bcrypt (3.1.22)
     benchmark (0.5.0)
     better_errors (2.10.1)
       erubi (>= 1.0.0)
@@ -126,12 +129,12 @@ GEM
       rouge (>= 1.0.0)
     bigdecimal (3.3.1)
     bindata (2.5.1)
-    binding_of_caller (1.0.1)
+    binding_of_caller (2.0.0)
       debug_inspector (>= 1.2.0)
     blurhash (0.1.8)
-    bootsnap (1.19.0)
+    bootsnap (1.23.0)
       msgpack (~> 1.2)
-    brakeman (7.1.1)
+    brakeman (8.0.4)
       racc
     browser (6.2.0)
     builder (3.3.0)
@@ -147,27 +150,27 @@ GEM
       rack-test (>= 0.6.3)
       regexp_parser (>= 1.5, < 3.0)
       xpath (~> 3.2)
-    capybara-playwright-driver (0.5.7)
+    capybara-playwright-driver (0.5.9)
       addressable
       capybara
       playwright-ruby-client (>= 1.16.0)
     case_transform (0.2)
       activesupport
     cbor (0.5.10.1)
-    cgi (0.4.2)
+    cgi (0.5.1)
     charlock_holmes (0.7.9)
-    chewy (7.6.0)
-      activesupport (>= 5.2)
-      elasticsearch (>= 7.14.0, < 8)
+    chewy (8.0.1)
+      activesupport (>= 7.2)
+      elasticsearch (>= 8.14, < 9.0)
       elasticsearch-dsl
     childprocess (5.1.0)
       logger (~> 1.5)
     chunky_png (1.4.0)
     climate_control (1.2.0)
     cocoon (1.2.15)
-    color_diff (0.1)
+    color_diff (0.2)
     concurrent-ruby (1.3.6)
-    connection_pool (2.5.5)
+    connection_pool (3.0.2)
     cose (1.3.1)
       cbor (~> 0.5.9)
       openssl-signature_algorithm (~> 1.0)
@@ -183,20 +186,20 @@ GEM
       database_cleaner-core (~> 2.0)
     database_cleaner-core (2.0.1)
     date (3.5.1)
-    debug (1.11.0)
+    debug (1.11.1)
       irb (~> 1.10)
       reline (>= 0.3.8)
     debug_inspector (1.2.0)
-    devise (4.9.4)
+    devise (5.0.3)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
-      railties (>= 4.1.0)
+      railties (>= 7.0)
       responders
       warden (~> 1.2.3)
-    devise-two-factor (6.2.0)
-      activesupport (>= 7.0, < 8.2)
-      devise (~> 4.0)
-      railties (>= 7.0, < 8.2)
+    devise-two-factor (6.4.0)
+      activesupport (>= 7.2, < 8.2)
+      devise (>= 4.0, < 6.0)
+      railties (>= 7.2, < 8.2)
       rotp (~> 6.0)
     devise_pam_authenticatable2 (9.2.0)
       devise (>= 4.0.0)
@@ -206,58 +209,56 @@ GEM
       activerecord (>= 4.2, < 9.0)
     docile (1.4.1)
     domain_name (0.6.20240107)
-    doorkeeper (5.8.2)
+    doorkeeper (5.9.0)
       railties (>= 5)
     dotenv (3.2.0)
     drb (2.2.3)
-    dry-cli (1.3.0)
-    elasticsearch (7.17.11)
-      elasticsearch-api (= 7.17.11)
-      elasticsearch-transport (= 7.17.11)
-    elasticsearch-api (7.17.11)
+    dry-cli (1.4.1)
+    elastic-transport (8.4.1)
+      faraday (< 3)
+      multi_json
+    elasticsearch (8.19.3)
+      elastic-transport (~> 8.3)
+      elasticsearch-api (= 8.19.3)
+      ostruct
+    elasticsearch-api (8.19.3)
       multi_json
     elasticsearch-dsl (0.1.10)
-    elasticsearch-transport (7.17.11)
-      base64
-      faraday (>= 1, < 3)
-      multi_json
-    email_spec (2.3.0)
-      htmlentities (~> 4.3.3)
-      launchy (>= 2.1, < 4.0)
-      mail (~> 2.7)
     email_validator (2.2.4)
       activemodel
-    erb (6.0.1)
+    erb (6.0.2)
     erubi (1.13.1)
     et-orbi (1.4.0)
       tzinfo
-    excon (1.3.2)
+    excon (1.4.0)
       logger
     fabrication (3.0.0)
-    faker (3.5.3)
+    faker (3.6.1)
       i18n (>= 1.8.11, < 2)
-    faraday (2.14.0)
+    faraday (2.14.1)
       faraday-net_http (>= 2.0, < 3.5)
       json
       logger
-    faraday-follow_redirects (0.4.0)
+    faraday-follow_redirects (0.5.0)
       faraday (>= 1, < 3)
     faraday-httpclient (2.0.2)
       httpclient (>= 2.2)
     faraday-net_http (3.4.2)
       net-http (~> 0.5)
     fast_blank (1.0.1)
-    fastimage (2.4.0)
-    ffi (1.17.2)
+    fastimage (2.4.1)
+    ffi (1.17.3)
     ffi-compiler (1.3.2)
       ffi (>= 1.15.5)
       rake
-    flatware (2.3.4)
+    flatware (2.4.0)
+      benchmark
       drb
+      logger
       thor (< 2.0)
-    flatware-rspec (2.3.4)
-      flatware (= 2.3.4)
-      rspec (>= 3.6)
+    flatware-rspec (2.4.0)
+      flatware (= 2.4.0)
+      rspec (>= 3.8)
     fog-core (2.6.0)
       builder
       excon (~> 1.0)
@@ -271,18 +272,18 @@ GEM
       fog-json (>= 1.0)
     formatador (1.2.3)
       reline
-    forwardable (1.3.3)
+    forwardable (1.4.0)
     fugit (1.12.1)
       et-orbi (~> 1.4)
       raabro (~> 1.4)
     globalid (1.3.0)
       activesupport (>= 6.1)
-    google-protobuf (4.33.2)
+    google-protobuf (4.34.0)
       bigdecimal
-      rake (>= 13)
+      rake (~> 13.3)
     googleapis-common-protos-types (1.22.0)
       google-protobuf (~> 4.26)
-    haml (7.1.0)
+    haml (7.2.0)
       temple (>= 0.8.2)
       thor
       tilt
@@ -291,23 +292,24 @@ GEM
       activesupport (>= 5.1)
       haml (>= 4.0.6)
       railties (>= 5.1)
-    haml_lint (0.68.0)
+    haml_lint (0.72.0)
       haml (>= 5.0)
       parallel (~> 1.10)
       rainbow
       rubocop (>= 1.0)
       sysexits (~> 1.1)
     hashdiff (1.2.1)
-    hashie (5.0.0)
+    hashie (5.1.0)
+      logger
     hcaptcha (7.1.0)
       json
     highline (3.1.2)
       reline
     hiredis (0.6.3)
-    hiredis-client (0.26.2)
-      redis-client (= 0.26.2)
+    hiredis-client (0.28.0)
+      redis-client (= 0.28.0)
     hkdf (0.3.0)
-    htmlentities (4.3.4)
+    htmlentities (4.4.2)
     http (5.3.1)
       addressable (~> 2.8)
       http-cookie (~> 1.0)
@@ -319,10 +321,11 @@ GEM
     http_accept_language (2.1.1)
     httpclient (2.9.0)
       mutex_m
-    httplog (1.7.3)
+    httplog (1.8.0)
+      benchmark
       rack (>= 2.0)
       rainbow (>= 2.0.0)
-    i18n (1.14.7)
+    i18n (1.14.8)
       concurrent-ruby (~> 1.0)
     i18n-tasks (1.1.2)
       activesupport (>= 4.0.2)
@@ -341,8 +344,9 @@ GEM
       activesupport (>= 3.0)
       nokogiri (>= 1.6)
     io-console (0.8.2)
-    irb (1.15.3)
+    irb (1.17.0)
       pp (>= 0.6.0)
+      prism (>= 1.3.0)
       rdoc (>= 4.0.0)
       reline (>= 0.4.2)
     jd-paperclip-azure (3.0.0)
@@ -350,7 +354,7 @@ GEM
       azure-blob (~> 0.5.2)
       hashie (~> 5.0)
     jmespath (1.6.2)
-    json (2.18.0)
+    json (2.19.3)
     json-canonicalization (1.0.0)
     json-jwt (1.17.0)
       activesupport (>= 4.2)
@@ -370,9 +374,9 @@ GEM
     json-ld-preloaded (3.3.2)
       json-ld (~> 3.3)
       rdf (~> 3.3)
-    json-schema (6.0.0)
+    json-schema (6.2.0)
       addressable (~> 2.8)
-      bigdecimal (~> 3.1)
+      bigdecimal (>= 3.1, < 5)
     jsonapi-renderer (0.2.2)
     jwt (2.10.2)
       base64
@@ -388,7 +392,7 @@ GEM
       activerecord
       kaminari-core (= 1.2.2)
     kaminari-core (1.2.2)
-    kt-paperclip (7.2.2)
+    kt-paperclip (7.3.0)
       activemodel (>= 4.2.0)
       activesupport (>= 4.2.0)
       marcel (~> 1.0.1)
@@ -408,12 +412,12 @@ GEM
       rexml
     link_header (0.0.8)
     lint_roller (1.1.0)
-    linzer (0.7.7)
-      cgi (~> 0.4.2)
+    linzer (0.7.8)
+      cgi (>= 0.4.2, < 0.6.0)
       forwardable (~> 1.3, >= 1.3.3)
       logger (~> 1.7, >= 1.7.0)
-      net-http (~> 0.6.0)
-      openssl (~> 3.0, >= 3.0.0)
+      net-http (>= 0.6, < 0.10)
+      openssl (>= 3, < 5)
       rack (>= 2.2, < 4.0)
       starry (~> 0.2)
       stringio (~> 3.1, >= 3.1.2)
@@ -427,7 +431,7 @@ GEM
       activesupport (>= 4)
       railties (>= 4)
       request_store (~> 1.0)
-    loofah (2.24.1)
+    loofah (2.25.1)
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
     mail (2.9.0)
@@ -444,16 +448,18 @@ GEM
     mime-types (3.7.0)
       logger
       mime-types-data (~> 3.2025, >= 3.2025.0507)
-    mime-types-data (3.2025.0924)
+    mime-types-data (3.2026.0317)
     mini_mime (1.1.5)
     mini_portile2 (2.8.9)
-    minitest (5.27.0)
+    minitest (6.0.2)
+      drb (~> 2.0)
+      prism (~> 1.5)
     msgpack (1.8.0)
-    multi_json (1.18.0)
+    multi_json (1.19.1)
     mutex_m (0.3.0)
     net-http (0.6.0)
       uri
-    net-imap (0.6.0)
+    net-imap (0.6.3)
       date
       net-protocol
     net-ldap (0.20.0)
@@ -466,12 +472,9 @@ GEM
     net-smtp (0.5.1)
       net-protocol
     nio4r (2.7.5)
-    nokogiri (1.18.10)
+    nokogiri (1.19.2)
       mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
-    oj (3.16.13)
-      bigdecimal (>= 3.0)
-      ostruct (>= 0.2)
     omniauth (2.1.4)
       hashie (>= 3.4.6)
       logger
@@ -484,7 +487,7 @@ GEM
     omniauth-rails_csrf_protection (2.0.1)
       actionpack (>= 4.2)
       omniauth (~> 2.0)
-    omniauth-saml (2.2.4)
+    omniauth-saml (2.2.5)
       omniauth (~> 2.1)
       ruby-saml (~> 1.18)
     omniauth_openid_connect (0.8.0)
@@ -503,13 +506,14 @@ GEM
       tzinfo
       validate_url
       webfinger (~> 2.0)
-    openssl (3.3.2)
+    openssl (4.0.1)
     openssl-signature_algorithm (1.3.0)
       openssl (> 2.0)
-    opentelemetry-api (1.7.0)
+    opentelemetry-api (1.8.0)
+      logger
     opentelemetry-common (0.23.0)
       opentelemetry-api (~> 1.0)
-    opentelemetry-exporter-otlp (0.31.1)
+    opentelemetry-exporter-otlp (0.32.0)
       google-protobuf (>= 3.18)
       googleapis-common-protos-types (~> 1.3)
       opentelemetry-api (~> 1.1)
@@ -518,13 +522,14 @@ GEM
       opentelemetry-semantic_conventions
     opentelemetry-helpers-sql (0.3.0)
       opentelemetry-api (~> 1.7)
-    opentelemetry-helpers-sql-processor (0.3.1)
+    opentelemetry-helpers-sql-processor (0.4.0)
+      opentelemetry-api (~> 1.0)
       opentelemetry-common (~> 0.21)
     opentelemetry-instrumentation-action_mailer (0.6.1)
       opentelemetry-instrumentation-active_support (~> 0.10)
-    opentelemetry-instrumentation-action_pack (0.15.1)
+    opentelemetry-instrumentation-action_pack (0.16.0)
       opentelemetry-instrumentation-rack (~> 0.29)
-    opentelemetry-instrumentation-action_view (0.11.1)
+    opentelemetry-instrumentation-action_view (0.11.2)
       opentelemetry-instrumentation-active_support (~> 0.10)
     opentelemetry-instrumentation-active_job (0.10.1)
       opentelemetry-instrumentation-base (~> 0.25)
@@ -542,23 +547,23 @@ GEM
       opentelemetry-registry (~> 0.1)
     opentelemetry-instrumentation-concurrent_ruby (0.24.0)
       opentelemetry-instrumentation-base (~> 0.25)
-    opentelemetry-instrumentation-excon (0.26.1)
+    opentelemetry-instrumentation-excon (0.28.0)
       opentelemetry-instrumentation-base (~> 0.25)
-    opentelemetry-instrumentation-faraday (0.30.1)
+    opentelemetry-instrumentation-faraday (0.32.0)
       opentelemetry-instrumentation-base (~> 0.25)
-    opentelemetry-instrumentation-http (0.27.1)
+    opentelemetry-instrumentation-http (0.29.0)
       opentelemetry-instrumentation-base (~> 0.25)
-    opentelemetry-instrumentation-http_client (0.26.1)
+    opentelemetry-instrumentation-http_client (0.28.0)
       opentelemetry-instrumentation-base (~> 0.25)
-    opentelemetry-instrumentation-net_http (0.26.1)
+    opentelemetry-instrumentation-net_http (0.28.0)
       opentelemetry-instrumentation-base (~> 0.25)
-    opentelemetry-instrumentation-pg (0.34.1)
+    opentelemetry-instrumentation-pg (0.35.0)
       opentelemetry-helpers-sql
       opentelemetry-helpers-sql-processor
       opentelemetry-instrumentation-base (~> 0.25)
-    opentelemetry-instrumentation-rack (0.29.0)
+    opentelemetry-instrumentation-rack (0.30.0)
       opentelemetry-instrumentation-base (~> 0.25)
-    opentelemetry-instrumentation-rails (0.39.1)
+    opentelemetry-instrumentation-rails (0.40.0)
       opentelemetry-instrumentation-action_mailer (~> 0.6)
       opentelemetry-instrumentation-action_pack (~> 0.15)
       opentelemetry-instrumentation-action_view (~> 0.11)
@@ -585,16 +590,17 @@ GEM
     ox (2.14.23)
       bigdecimal (>= 3.0)
     parallel (1.27.0)
-    parser (3.3.10.0)
+    parser (3.3.10.2)
       ast (~> 2.4.1)
       racc
     parslet (2.0.0)
     pastel (0.8.0)
       tty-color (~> 0.5)
-    pg (1.6.2)
+    pg (1.6.3)
     pghero (3.7.0)
       activerecord (>= 7.1)
-    playwright-ruby-client (1.57.0)
+    playwright-ruby-client (1.57.1)
+      base64
       concurrent-ruby (>= 1.1.6)
       mime-types (>= 3.0)
     pp (0.6.3)
@@ -608,24 +614,24 @@ GEM
       net-smtp
       premailer (~> 1.7, >= 1.7.9)
     prettyprint (0.2.0)
-    prism (1.6.0)
+    prism (1.9.0)
     prometheus_exporter (2.3.1)
       webrick
     propshaft (1.3.1)
       actionpack (>= 7.0.0)
       activesupport (>= 7.0.0)
       rack
-    psych (5.3.0)
+    psych (5.3.1)
       date
       stringio
-    public_suffix (7.0.0)
-    puma (7.1.0)
+    public_suffix (7.0.5)
+    puma (7.2.0)
       nio4r (~> 2.0)
     pundit (2.5.2)
       activesupport (>= 3.0.0)
     raabro (1.4.0)
     racc (1.8.1)
-    rack (3.2.4)
+    rack (3.2.5)
     rack-attack (6.8.0)
       rack (>= 1.0, < 4)
     rack-cors (3.0.0)
@@ -651,33 +657,33 @@ GEM
       rack (>= 1.3)
     rackup (2.3.1)
       rack (>= 3)
-    rails (8.0.3)
-      actioncable (= 8.0.3)
-      actionmailbox (= 8.0.3)
-      actionmailer (= 8.0.3)
-      actionpack (= 8.0.3)
-      actiontext (= 8.0.3)
-      actionview (= 8.0.3)
-      activejob (= 8.0.3)
-      activemodel (= 8.0.3)
-      activerecord (= 8.0.3)
-      activestorage (= 8.0.3)
-      activesupport (= 8.0.3)
+    rails (8.1.3)
+      actioncable (= 8.1.3)
+      actionmailbox (= 8.1.3)
+      actionmailer (= 8.1.3)
+      actionpack (= 8.1.3)
+      actiontext (= 8.1.3)
+      actionview (= 8.1.3)
+      activejob (= 8.1.3)
+      activemodel (= 8.1.3)
+      activerecord (= 8.1.3)
+      activestorage (= 8.1.3)
+      activesupport (= 8.1.3)
       bundler (>= 1.15.0)
-      railties (= 8.0.3)
+      railties (= 8.1.3)
     rails-dom-testing (2.3.0)
       activesupport (>= 5.0.0)
       minitest
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.6.2)
-      loofah (~> 2.21)
+    rails-html-sanitizer (1.7.0)
+      loofah (~> 2.25)
       nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
     rails-i18n (8.1.0)
       i18n (>= 0.7, < 2)
       railties (>= 8.0.0, < 9)
-    railties (8.0.3)
-      actionpack (= 8.0.3)
-      activesupport (= 8.0.3)
+    railties (8.1.3)
+      actionpack (= 8.1.3)
+      activesupport (= 8.1.3)
       irb (~> 1.13)
       rackup (>= 1.0.0)
       rake (>= 12.2)
@@ -695,7 +701,7 @@ GEM
       readline (~> 0.0)
     rdf-normalize (0.7.0)
       rdf (~> 3.3)
-    rdoc (6.17.0)
+    rdoc (7.2.0)
       erb
       psych (>= 4.0.0)
       tsort
@@ -703,7 +709,7 @@ GEM
       reline
     redcarpet (3.6.1)
     redis (4.8.1)
-    redis-client (0.26.2)
+    redis-client (0.28.0)
       connection_pool
     regexp_parser (2.11.3)
     reline (0.6.3)
@@ -715,12 +721,12 @@ GEM
       railties (>= 7.0)
     rexml (3.4.4)
     rotp (6.3.0)
-    rouge (4.6.1)
+    rouge (4.7.0)
     rpam2 (4.0.2)
-    rqrcode (3.1.1)
+    rqrcode (3.2.0)
       chunky_png (~> 1.0)
       rqrcode_core (~> 2.0)
-    rqrcode_core (2.0.1)
+    rqrcode_core (2.1.0)
     rspec (3.13.2)
       rspec-core (~> 3.13.0)
       rspec-expectations (~> 3.13.0)
@@ -732,24 +738,24 @@ GEM
       rspec-support (~> 3.13.0)
     rspec-github (3.0.0)
       rspec-core (~> 3.0)
-    rspec-mocks (3.13.7)
+    rspec-mocks (3.13.8)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-rails (8.0.2)
+    rspec-rails (8.0.4)
       actionpack (>= 7.2)
       activesupport (>= 7.2)
       railties (>= 7.2)
-      rspec-core (~> 3.13)
-      rspec-expectations (~> 3.13)
-      rspec-mocks (~> 3.13)
-      rspec-support (~> 3.13)
-    rspec-sidekiq (5.2.0)
+      rspec-core (>= 3.13.0, < 5.0.0)
+      rspec-expectations (>= 3.13.0, < 5.0.0)
+      rspec-mocks (>= 3.13.0, < 5.0.0)
+      rspec-support (>= 3.13.0, < 5.0.0)
+    rspec-sidekiq (5.3.0)
       rspec-core (~> 3.0)
       rspec-expectations (~> 3.0)
       rspec-mocks (~> 3.0)
       sidekiq (>= 5, < 9)
-    rspec-support (3.13.6)
-    rubocop (1.81.7)
+    rspec-support (3.13.7)
+    rubocop (1.84.2)
       json (~> 2.3)
       language_server-protocol (~> 3.17.0.2)
       lint_roller (~> 1.1.0)
@@ -757,12 +763,12 @@ GEM
       parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 2.9.3, < 3.0)
-      rubocop-ast (>= 1.47.1, < 2.0)
+      rubocop-ast (>= 1.49.0, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 2.4.0, < 4.0)
-    rubocop-ast (1.48.0)
+    rubocop-ast (1.49.1)
       parser (>= 3.3.7.2)
-      prism (~> 1.4)
+      prism (~> 1.7)
     rubocop-capybara (2.22.1)
       lint_roller (~> 1.1)
       rubocop (~> 1.72, >= 1.72.1)
@@ -773,21 +779,22 @@ GEM
       lint_roller (~> 1.1)
       rubocop (>= 1.75.0, < 2.0)
       rubocop-ast (>= 1.47.1, < 2.0)
-    rubocop-rails (2.34.2)
+    rubocop-rails (2.34.3)
       activesupport (>= 4.2.0)
       lint_roller (~> 1.1)
       rack (>= 1.1)
       rubocop (>= 1.75.0, < 2.0)
       rubocop-ast (>= 1.44.0, < 2.0)
-    rubocop-rspec (3.8.0)
+    rubocop-rspec (3.9.0)
       lint_roller (~> 1.1)
       rubocop (~> 1.81)
     rubocop-rspec_rails (2.32.0)
       lint_roller (~> 1.1)
       rubocop (~> 1.72, >= 1.72.1)
       rubocop-rspec (~> 3.5)
-    ruby-prof (1.7.2)
+    ruby-prof (2.0.4)
       base64
+      ostruct
     ruby-progressbar (1.13.0)
     ruby-saml (1.18.1)
       nokogiri (>= 1.13.10)
@@ -820,13 +827,14 @@ GEM
     sidekiq-scheduler (6.0.1)
       rufus-scheduler (~> 3.2)
       sidekiq (>= 7.3, < 9)
-    sidekiq-unique-jobs (8.0.12)
+    sidekiq-unique-jobs (8.0.13)
       concurrent-ruby (~> 1.0, >= 1.0.5)
       sidekiq (>= 7.0.0, < 9.0.0)
       thor (>= 1.0, < 3.0)
-    simple-navigation (4.4.0)
+    simple-navigation (4.4.1)
       activesupport (>= 2.3.2)
-    simple_form (5.4.0)
+      ostruct
+    simple_form (5.4.1)
       actionpack (>= 7.0)
       activemodel (>= 7.0)
     simplecov (0.22.0)
@@ -836,14 +844,14 @@ GEM
     simplecov-html (0.13.2)
     simplecov-lcov (0.9.0)
     simplecov_json_formatter (0.1.4)
-    stackprof (0.2.27)
+    stackprof (0.2.28)
     starry (0.2.0)
       base64
-    stoplight (5.7.0)
+    stoplight (5.8.0)
       concurrent-ruby
       zeitwerk
-    stringio (3.1.9)
-    strong_migrations (2.5.1)
+    stringio (3.2.0)
+    strong_migrations (2.5.2)
       activerecord (>= 7.1)
     swd (2.0.3)
       activesupport (>= 3)
@@ -856,10 +864,10 @@ GEM
       unicode-display_width (>= 1.1.1, < 4)
     terrapin (1.1.1)
       climate_control
-    test-prof (1.5.0)
-    thor (1.4.0)
-    tilt (2.6.1)
-    timeout (0.5.0)
+    test-prof (1.6.0)
+    thor (1.5.0)
+    tilt (2.7.0)
+    timeout (0.6.1)
     tpm-key_attestation (0.14.1)
       bindata (~> 2.4)
       openssl (> 2.0)
@@ -880,23 +888,23 @@ GEM
       unf (~> 0.1.0)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
-    tzinfo-data (1.2025.3)
+    tzinfo-data (1.2026.1)
       tzinfo (>= 1.0.0)
     unf (0.1.4)
       unf_ext
     unf_ext (0.0.9.1)
     unicode-display_width (3.2.0)
       unicode-emoji (~> 4.1)
-    unicode-emoji (4.1.0)
+    unicode-emoji (4.2.0)
     uri (1.1.1)
     useragent (0.16.11)
     validate_url (1.0.15)
       activemodel (>= 3.0.0)
       public_suffix
-    vite_rails (3.0.19)
+    vite_rails (3.0.20)
       railties (>= 5.1, < 9)
       vite_ruby (~> 3.0, >= 3.2.2)
-    vite_ruby (3.9.2)
+    vite_ruby (3.9.3)
       dry-cli (>= 0.7, < 2)
       logger (~> 1.6)
       mutex_m
@@ -916,7 +924,7 @@ GEM
       activesupport
       faraday (~> 2.0)
       faraday-follow_redirects
-    webmock (3.26.1)
+    webmock (3.26.2)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
@@ -929,7 +937,7 @@ GEM
     xorcist (1.1.3)
     xpath (3.2.0)
       nokogiri (~> 1.8)
-    zeitwerk (2.7.3)
+    zeitwerk (2.7.5)
 
 PLATFORMS
   ruby
@@ -941,16 +949,16 @@ DEPENDENCIES
   aws-sdk-core
   aws-sdk-s3 (~> 1.123)
   better_errors (~> 2.9)
-  binding_of_caller (~> 1.0)
+  binding_of_caller
   blurhash (~> 0.1)
-  bootsnap (~> 1.19.0)
-  brakeman (~> 7.0)
+  bootsnap
+  brakeman (~> 8.0)
   browser
   bundler-audit (~> 0.9)
   capybara (~> 3.39)
   capybara-playwright-driver
   charlock_holmes (~> 0.7.7)
-  chewy (~> 7.3)
+  chewy
   climate_control
   cocoon (~> 1.2)
   color_diff (~> 0.1)
@@ -959,13 +967,12 @@ DEPENDENCIES
   csv (~> 3.2)
   database_cleaner-active_record
   debug (~> 1.8)
-  devise (~> 4.9)
+  devise
   devise-two-factor
   devise_pam_authenticatable2 (~> 9.2)
   discard (~> 1.2)
   doorkeeper (~> 5.6)
   dotenv
-  email_spec
   fabrication
   faker (~> 3.2)
   faraday-httpclient
@@ -982,13 +989,14 @@ DEPENDENCIES
   htmlentities (~> 4.3)
   http (~> 5.3.0)
   http_accept_language (~> 2.1)
-  httplog (~> 1.7.0)
+  httplog (~> 1.8.0)
   i18n
   i18n-tasks (~> 1.0)
   idn-ruby
   inline_svg
   irb (~> 1.8)
   jd-paperclip-azure (~> 3.0)
+  json
   json-ld
   json-ld-preloaded (~> 3.2)
   json-schema (~> 6.0)
@@ -1007,25 +1015,24 @@ DEPENDENCIES
   net-http (~> 0.6.0)
   net-ldap (~> 0.18)
   nokogiri (~> 1.15)
-  oj (~> 3.14)
   omniauth (~> 2.0)
   omniauth-cas (~> 3.0.0.beta.1)
   omniauth-rails_csrf_protection (~> 2.0)
   omniauth-saml (~> 2.0)
   omniauth_openid_connect (~> 0.8.0)
-  opentelemetry-api (~> 1.7.0)
-  opentelemetry-exporter-otlp (~> 0.31.0)
+  opentelemetry-api (~> 1.8.0)
+  opentelemetry-exporter-otlp (~> 0.32.0)
   opentelemetry-instrumentation-active_job (~> 0.10.0)
   opentelemetry-instrumentation-active_model_serializers (~> 0.24.0)
   opentelemetry-instrumentation-concurrent_ruby (~> 0.24.0)
-  opentelemetry-instrumentation-excon (~> 0.26.0)
-  opentelemetry-instrumentation-faraday (~> 0.30.0)
-  opentelemetry-instrumentation-http (~> 0.27.0)
-  opentelemetry-instrumentation-http_client (~> 0.26.0)
-  opentelemetry-instrumentation-net_http (~> 0.26.0)
-  opentelemetry-instrumentation-pg (~> 0.34.0)
-  opentelemetry-instrumentation-rack (~> 0.29.0)
-  opentelemetry-instrumentation-rails (~> 0.39.0)
+  opentelemetry-instrumentation-excon (~> 0.28.0)
+  opentelemetry-instrumentation-faraday (~> 0.32.0)
+  opentelemetry-instrumentation-http (~> 0.29.0)
+  opentelemetry-instrumentation-http_client (~> 0.28.0)
+  opentelemetry-instrumentation-net_http (~> 0.28.0)
+  opentelemetry-instrumentation-pg (~> 0.35.0)
+  opentelemetry-instrumentation-rack (~> 0.30.0)
+  opentelemetry-instrumentation-rails (~> 0.40.0)
   opentelemetry-instrumentation-redis (~> 0.28.0)
   opentelemetry-instrumentation-sidekiq (~> 0.28.0)
   opentelemetry-sdk (~> 1.4)
@@ -1033,7 +1040,7 @@ DEPENDENCIES
   parslet
   pg (~> 1.5)
   pghero
-  playwright-ruby-client (= 1.57.0)
+  playwright-ruby-client (= 1.57.1)
   premailer-rails
   prometheus_exporter (~> 2.2)
   propshaft
@@ -1043,7 +1050,7 @@ DEPENDENCIES
   rack-attack (~> 6.6)
   rack-cors
   rack-test (~> 2.1)
-  rails (~> 8.0)
+  rails (~> 8.1.0)
   rails-i18n (~> 8.0)
   rdf-normalize (~> 0.5)
   redcarpet (~> 3.6)
@@ -1090,7 +1097,7 @@ DEPENDENCIES
   xorcist (~> 1.1)
 
 RUBY VERSION
-  ruby 3.4.1p0
+  ruby 3.4.9
 
 BUNDLED WITH
-  4.0.2
+  4.0.8

README.md

@@ -72,10 +72,11 @@ Mastodon is a **free, open-source social network server** based on [ActivityPub]
 
 ### Requirements
 
-- **Ruby** 3.2+
+- **Ruby** 3.3+
 - **PostgreSQL** 14+
 - **Redis** 7.0+
 - **Node.js** 20+
+- **FFmpeg** 5.1+
 
 This repository includes deployment configurations for **Docker and docker-compose**, as well as for other environments like Heroku and Scalingo. For Helm charts, reference the [mastodon/chart repository](https://github.com/mastodon/chart). A [**standalone** installation guide](https://docs.joinmastodon.org/admin/install/) is available in the main documentation.
 

SECURITY.md

@@ -18,5 +18,4 @@ A "vulnerability in Mastodon" is a vulnerability in the code distributed through
 | 4.5.x   | Yes              |
 | 4.4.x   | Yes              |
 | 4.3.x   | Until 2026-05-06 |
-| 4.2.x   | Until 2026-01-08 |
-| < 4.2   | No               |
+| < 4.3   | No               |

Vagrantfile

@@ -29,7 +29,6 @@ sudo apt-get install \
   libpq-dev \
   libxml2-dev \
   libxslt1-dev \
-  imagemagick \
   nodejs \
   redis-server \
   redis-tools \

app/chewy/public_statuses_index.rb

@@ -53,9 +53,9 @@ class PublicStatusesIndex < Chewy::Index
   }
 
   index_scope ::Status.unscoped
-                      .kept
-                      .indexable
-                      .includes(:media_attachments, :preloadable_poll, :tags, preview_cards_status: :preview_card)
+    .kept
+    .indexable
+    .includes(:media_attachments, :preloadable_poll, :tags, preview_cards_status: :preview_card)
 
   root date_detection: false do
     field(:id, type: 'long')

app/controllers/accounts_controller.rb

@@ -18,6 +18,8 @@ class AccountsController < ApplicationController
     respond_to do |format|
       format.html do
         expires_in(15.seconds, public: true, stale_while_revalidate: 30.seconds, stale_if_error: 1.hour) unless user_signed_in?
+
+        redirect_to short_account_path(@account) if account_id_param.present? && username_param.blank?
       end
 
       format.rss do

app/controllers/activitypub/collections_controller.rb

@@ -1,20 +1,36 @@
 # frozen_string_literal: true
 
 class ActivityPub::CollectionsController < ActivityPub::BaseController
+  SUPPORTED_COLLECTIONS = %w(featured tags).freeze
+
   vary_by -> { 'Signature' if authorized_fetch_mode? }
 
   before_action :require_account_signature!, if: :authorized_fetch_mode?
+  before_action :check_authorization
   before_action :set_items
   before_action :set_size
   before_action :set_type
 
   def show
     expires_in 3.minutes, public: public_fetch_mode?
-    render_with_cache json: collection_presenter, content_type: 'application/activity+json', serializer: ActivityPub::CollectionSerializer, adapter: ActivityPub::Adapter
+
+    if @unauthorized
+      render json: collection_presenter, content_type: 'application/activity+json', serializer: ActivityPub::CollectionSerializer, adapter: ActivityPub::Adapter
+    else
+      render_with_cache json: collection_presenter, content_type: 'application/activity+json', serializer: ActivityPub::CollectionSerializer, adapter: ActivityPub::Adapter
+    end
   end
 
   private
 
+  def check_authorization
+    # Because in public fetch mode we cache the response, there would be no
+    # benefit from performing the check below, since a blocked account or domain
+    # would likely be served the cache from the reverse proxy anyway
+
+    @unauthorized = authorized_fetch_mode? && !signed_request_account.nil? && (@account.blocking?(signed_request_account) || (!signed_request_account.domain.nil? && @account.domain_blocking?(signed_request_account.domain)))
+  end
+
   def set_items
     case params[:id]
     when 'featured'
@@ -57,11 +73,7 @@ class ActivityPub::CollectionsController < ActivityPub::BaseController
   end
 
   def for_signed_account
-    # Because in public fetch mode we cache the response, there would be no
-    # benefit from performing the check below, since a blocked account or domain
-    # would likely be served the cache from the reverse proxy anyway
-
-    if authorized_fetch_mode? && !signed_request_account.nil? && (@account.blocking?(signed_request_account) || (!signed_request_account.domain.nil? && @account.domain_blocking?(signed_request_account.domain)))
+    if @unauthorized
       []
     else
       yield

app/controllers/activitypub/contexts_controller.rb

@@ -36,9 +36,8 @@ class ActivityPub::ContextsController < ActivityPub::BaseController
 
   def context_presenter
     first_page = ActivityPub::CollectionPresenter.new(
-      id: items_context_url(@conversation, page_params),
       type: :unordered,
-      part_of: items_context_url(@conversation),
+      part_of: context_url(@conversation),
       next: next_page,
       items: @items.map { |status| status.local? ? ActivityPub::TagManager.instance.uri_for(status) : status.uri }
     )
@@ -52,7 +51,7 @@ class ActivityPub::ContextsController < ActivityPub::BaseController
     page = ActivityPub::CollectionPresenter.new(
       id: items_context_url(@conversation, page_params),
       type: :unordered,
-      part_of: items_context_url(@conversation),
+      part_of: context_url(@conversation),
       next: next_page,
       items: @items.map { |status| status.local? ? ActivityPub::TagManager.instance.uri_for(status) : status.uri }
     )

app/controllers/activitypub/feature_authorizations_controller.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+class ActivityPub::FeatureAuthorizationsController < ActivityPub::BaseController
+  include Authorization
+
+  vary_by -> { 'Signature' if authorized_fetch_mode? }
+
+  before_action :require_account_signature!, if: :authorized_fetch_mode?
+  before_action :set_collection_item
+
+  def show
+    expires_in 30.seconds, public: true if public_fetch_mode?
+    render json: @collection_item, serializer: ActivityPub::FeatureAuthorizationSerializer, adapter: ActivityPub::Adapter, content_type: 'application/activity+json'
+  end
+
+  private
+
+  def pundit_user
+    signed_request_account
+  end
+
+  def set_collection_item
+    @collection_item = @account.collection_items.accepted.find(params[:id])
+
+    authorize @collection_item.collection, :show?
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
+    not_found
+  end
+end

app/controllers/activitypub/featured_collections_controller.rb

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+class ActivityPub::FeaturedCollectionsController < ApplicationController
+  include SignatureAuthentication
+  include Authorization
+  include AccountOwnedConcern
+
+  PER_PAGE = 5
+
+  vary_by -> { public_fetch_mode? ? 'Accept, Accept-Language, Cookie' : 'Accept, Accept-Language, Cookie, Signature' }
+
+  before_action :check_feature_enabled
+  before_action :require_account_signature!, if: -> { authorized_fetch_mode? }
+  before_action :set_collections
+
+  skip_around_action :set_locale
+  skip_before_action :require_functional!, unless: :limited_federation_mode?
+
+  def index
+    respond_to do |format|
+      format.json do
+        expires_in(page_requested? ? 0 : 3.minutes, public: public_fetch_mode?)
+
+        render json: collection_presenter,
+               serializer: ActivityPub::CollectionSerializer,
+               adapter: ActivityPub::Adapter,
+               content_type: 'application/activity+json'
+      end
+    end
+  end
+
+  private
+
+  def set_collections
+    authorize @account, :index_collections?
+    @collections = @account.collections
+      .includes(:accepted_collection_items)
+      .page(params[:page]).per(PER_PAGE)
+  rescue Mastodon::NotPermittedError
+    not_found
+  end
+
+  def page_requested?
+    params[:page].present?
+  end
+
+  def next_page_url
+    ap_account_featured_collections_url(@account, page: @collections.next_page) if @collections.respond_to?(:next_page)
+  end
+
+  def prev_page_url
+    ap_account_featured_collections_url(@account, page: @collections.prev_page) if @collections.respond_to?(:prev_page)
+  end
+
+  def collection_presenter
+    if page_requested?
+      ActivityPub::CollectionPresenter.new(
+        id: ap_account_featured_collections_url(@account, page: params.fetch(:page, 1)),
+        type: :unordered,
+        size: @account.collections.count,
+        items: @collections,
+        part_of: ap_account_featured_collections_url(@account),
+        next: next_page_url,
+        prev: prev_page_url
+      )
+    else
+      ActivityPub::CollectionPresenter.new(
+        id: ap_account_featured_collections_url(@account),
+        type: :unordered,
+        size: @account.collections.count,
+        first: ap_account_featured_collections_url(@account, page: 1)
+      )
+    end
+  end
+
+  def check_feature_enabled
+    raise ActionController::RoutingError unless Mastodon::Feature.collections_enabled?
+  end
+end

app/controllers/activitypub/inboxes_controller.rb

@@ -3,6 +3,7 @@
 class ActivityPub::InboxesController < ActivityPub::BaseController
   include JsonLdHelper
 
+  before_action :skip_large_payload
   before_action :skip_unknown_actor_activity
   before_action :require_actor_signature!
   skip_before_action :authenticate_user!
@@ -16,14 +17,18 @@ class ActivityPub::InboxesController < ActivityPub::BaseController
 
   private
 
+  def skip_large_payload
+    head 413 if request.content_length > ActivityPub::Activity::MAX_JSON_SIZE
+  end
+
   def skip_unknown_actor_activity
     head 202 if unknown_affected_account?
   end
 
   def unknown_affected_account?
-    json = Oj.load(body, mode: :strict)
+    json = JSON.parse(body)
     json.is_a?(Hash) && %w(Delete Update).include?(json['type']) && json['actor'].present? && json['actor'] == value_or_id(json['object']) && !Account.exists?(uri: json['actor'])
-  rescue Oj::ParseError
+  rescue JSON::ParserError
     false
   end
 

app/controllers/admin/collections_controller.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Admin
+  class CollectionsController < BaseController
+    before_action :set_account
+    before_action :set_collection, only: :show
+
+    def show
+      authorize @collection, :show?
+    end
+
+    private
+
+    def set_account
+      @account = Account.find(params[:account_id])
+    end
+
+    def set_collection
+      @collection = @account.collections.includes(accepted_collection_items: :account).find(params[:id])
+    end
+  end
+end

app/controllers/admin/domain_blocks_controller.rb

@@ -54,7 +54,7 @@ module Admin
       end
 
       # Allow transparently upgrading a domain block
-      if existing_domain_block.present? && existing_domain_block.domain == TagManager.instance.normalize_domain(@domain_block.domain.strip)
+      if existing_domain_block.present? && existing_domain_block.domain == TagManager.instance.normalize_domain(@domain_block.domain)
         @domain_block = existing_domain_block
         @domain_block.assign_attributes(resource_params)
       end

app/controllers/admin/fasp/debug/callbacks_controller.rb

@@ -5,8 +5,8 @@ class Admin::Fasp::Debug::CallbacksController < Admin::BaseController
     authorize [:admin, :fasp, :provider], :update?
 
     @callbacks = Fasp::DebugCallback
-                 .includes(:fasp_provider)
-                 .order(created_at: :desc)
+      .includes(:fasp_provider)
+      .order(created_at: :desc)
   end
 
   def destroy

app/controllers/admin/instances/moderation_notes_controller.rb

@@ -34,8 +34,11 @@ class Admin::Instances::ModerationNotesController < Admin::BaseController
   end
 
   def set_instance
-    domain = params[:instance_id]&.strip
-    @instance = Instance.find_or_initialize_by(domain: TagManager.instance.normalize_domain(domain))
+    @instance = Instance.find_or_initialize_by(domain: normalized_domain)
+  end
+
+  def normalized_domain
+    TagManager.instance.normalize_domain(params[:instance_id])
   end
 
   def set_instance_note

app/controllers/admin/instances_controller.rb

@@ -55,8 +55,11 @@ module Admin
     private
 
     def set_instance
-      domain = params[:id]&.strip
-      @instance = Instance.find_or_initialize_by(domain: TagManager.instance.normalize_domain(domain))
+      @instance = Instance.find_or_initialize_by(domain: normalized_domain)
+    end
+
+    def normalized_domain
+      TagManager.instance.normalize_domain(params[:id])
     end
 
     def set_instances

app/controllers/admin/reports/actions_controller.rb

@@ -13,7 +13,7 @@ class Admin::Reports::ActionsController < Admin::BaseController
 
     case action_from_button
     when 'delete', 'mark_as_sensitive'
-      Admin::StatusBatchAction.new(status_batch_action_params).save!
+      Admin::ModerationAction.new(moderation_action_params).save!
     when 'silence', 'suspend'
       Admin::AccountAction.new(account_action_params).save!
     else
@@ -25,9 +25,8 @@ class Admin::Reports::ActionsController < Admin::BaseController
 
   private
 
-  def status_batch_action_params
+  def moderation_action_params
     shared_params
-      .merge(status_ids: @report.status_ids)
   end
 
   def account_action_params

app/controllers/admin/reports_controller.rb

@@ -50,7 +50,7 @@ module Admin
     private
 
     def filtered_reports
-      ReportFilter.new(filter_params).results.order(id: :desc).includes(:account, :target_account)
+      ReportFilter.new(filter_params).results.order(id: :desc).includes(:account, :target_account, :collections)
     end
 
     def filter_params
@@ -58,7 +58,7 @@ module Admin
     end
 
     def set_report
-      @report = Report.find(params[:id])
+      @report = Report.includes(collections: :accepted_collection_items).find(params[:id])
     end
   end
 end

app/controllers/admin/roles_controller.rb

@@ -62,7 +62,7 @@ module Admin
 
     def resource_params
       params
-        .expect(user_role: [:name, :color, :highlighted, :position, permissions_as_keys: []])
+        .expect(user_role: [:name, :color, :highlighted, :position, :require_2fa, permissions_as_keys: []])
     end
   end
 end

app/controllers/admin/statuses_controller.rb

@@ -62,7 +62,11 @@ module Admin
     end
 
     def set_statuses
-      @statuses = Admin::StatusFilter.new(@account, filter_params).results.preload(:application, :preloadable_poll, :media_attachments, active_mentions: :account, reblog: [:account, :application, :preloadable_poll, :media_attachments, active_mentions: :account]).page(params[:page]).per(PER_PAGE)
+      @statuses = Admin::StatusFilter.new(@account, filter_params).results.preload(*preload_columns, reblog: [:account, *preload_columns]).page(params[:page]).per(PER_PAGE)
+    end
+
+    def preload_columns
+      [:application, :preloadable_poll, :media_attachments, active_mentions: :account]
     end
 
     def filter_params
@@ -78,8 +82,6 @@ module Admin
         'report'
       elsif params[:remove_from_report]
         'remove_from_report'
-      elsif params[:delete]
-        'delete'
       end
     end
   end

app/controllers/api/fasp/base_controller.rb

@@ -47,7 +47,7 @@ class Api::Fasp::BaseController < ApplicationController
     provider = nil
 
     Linzer.verify!(request.rack_request, no_older_than: 5.minutes) do |keyid|
-      provider = Fasp::Provider.find(keyid)
+      provider = Fasp::Provider.confirmed.find(keyid)
       Linzer.new_ed25519_public_key(provider.provider_public_key_pem, keyid)
     end
 

app/controllers/api/v1/accounts/email_subscriptions_controller.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+class Api::V1::Accounts::EmailSubscriptionsController < Api::BaseController
+  before_action :set_account
+  before_action :require_feature_enabled!
+  before_action :require_account_permissions!
+
+  def create
+    @account.email_subscriptions.create!(email: params[:email], locale: I18n.locale)
+    render_empty
+  end
+
+  private
+
+  def set_account
+    @account = Account.local.find(params[:account_id])
+  end
+
+  def require_feature_enabled!
+    head 404 unless Mastodon::Feature.email_subscriptions_enabled?
+  end
+
+  def require_account_permissions!
+    head 404 if @account.unavailable? || !@account.user_can?(:manage_email_subscriptions) || !@account.user_email_subscriptions_enabled?
+  end
+end

app/controllers/api/v1/accounts/notes_controller.rb

@@ -9,9 +9,9 @@ class Api::V1::Accounts::NotesController < Api::BaseController
 
   def create
     if params[:comment].blank?
-      AccountNote.find_by(account: current_account, target_account: @account)&.destroy
+      current_account.account_notes.find_by(target_account: @account)&.destroy
     else
-      @note = AccountNote.find_or_initialize_by(account: current_account, target_account: @account)
+      @note = current_account.account_notes.find_or_initialize_by(target_account: @account)
       @note.comment = params[:comment]
       @note.save! if @note.changed?
     end

app/controllers/api/v1/accounts_controller.rb

@@ -38,7 +38,7 @@ class Api::V1::AccountsController < Api::BaseController
 
     headers.merge!(response.headers)
 
-    self.response_body = Oj.dump(response.body)
+    self.response_body = response.body.to_json
     self.status        = response.status
   rescue ActiveRecord::RecordInvalid => e
     render json: ValidationErrorFormatter.new(e, 'account.username': :username, 'invite_request.text': :reason).as_json, status: 422

app/controllers/api/v1/blocks_controller.rb

@@ -18,14 +18,14 @@ class Api::V1::BlocksController < Api::BaseController
 
   def paginated_blocks
     @paginated_blocks ||= Block.eager_load(target_account: [:account_stat, :user])
-                               .joins(:target_account)
-                               .merge(Account.without_suspended)
-                               .where(account: current_account)
-                               .paginate_by_max_id(
-                                 limit_param(DEFAULT_ACCOUNTS_LIMIT),
-                                 params[:max_id],
-                                 params[:since_id]
-                               )
+      .joins(:target_account)
+      .merge(Account.without_suspended)
+      .where(account: current_account)
+      .paginate_by_max_id(
+        limit_param(DEFAULT_ACCOUNTS_LIMIT),
+        params[:max_id],
+        params[:since_id]
+      )
   end
 
   def next_path

app/controllers/api/v1/conversations_controller.rb

@@ -37,20 +37,20 @@ class Api::V1::ConversationsController < Api::BaseController
 
   def paginated_conversations
     AccountConversation.where(account: current_account)
-                       .includes(
-                         account: [:account_stat, user: :role],
-                         last_status: [
-                           :media_attachments,
-                           :status_stat,
-                           :tags,
-                           {
-                             preview_cards_status: { preview_card: { author_account: [:account_stat, user: :role] } },
-                             active_mentions: :account,
-                             account: [:account_stat, user: :role],
-                           },
-                         ]
-                       )
-                       .to_a_paginated_by_id(limit_param(LIMIT), params_slice(:max_id, :since_id, :min_id))
+      .includes(
+        account: [:account_stat, user: :role],
+        last_status: [
+          :media_attachments,
+          :status_stat,
+          :tags,
+          {
+            preview_cards_status: { preview_card: { author_account: [:account_stat, user: :role] } },
+            active_mentions: :account,
+            account: [:account_stat, user: :role],
+          },
+        ]
+      )
+      .to_a_paginated_by_id(limit_param(LIMIT), params_slice(:max_id, :since_id, :min_id))
   end
 
   def next_path

app/controllers/api/v1/donation_campaigns_controller.rb

@@ -0,0 +1,86 @@
+# frozen_string_literal: true
+
+class Api::V1::DonationCampaignsController < Api::BaseController
+  before_action :require_user!
+
+  STOPLIGHT_COOL_OFF_TIME = 60
+  STOPLIGHT_FAILURE_THRESHOLD = 10
+
+  def index
+    return head 204 if api_url.blank?
+
+    json = from_cache
+    return render json: json if json.present?
+
+    campaign = fetch_campaign
+    return head 204 if campaign.nil?
+
+    save_to_cache!(campaign)
+
+    render json: campaign
+  end
+
+  private
+
+  def api_url
+    Rails.configuration.x.donation_campaigns.api_url
+  end
+
+  def seed
+    @seed ||= Random.new(current_account.id).rand(100)
+  end
+
+  def from_cache
+    key = Rails.cache.read(request_key, raw: true)
+    return if key.blank?
+
+    campaign = Rails.cache.read("donation_campaign:#{key}", raw: true)
+    JSON.parse(campaign) if campaign.present?
+  end
+
+  def save_to_cache!(campaign)
+    return if campaign.blank?
+
+    Rails.cache.write_multi(
+      {
+        request_key => campaign_key(campaign),
+        "donation_campaign:#{campaign_key(campaign)}" => campaign.to_json,
+      },
+      expires_in: 1.hour,
+      raw: true
+    )
+  end
+
+  def fetch_campaign
+    stoplight_wrapper.run do
+      url = Addressable::URI.parse(api_url)
+      url.query_values = { platform: 'web', seed: seed, locale: locale, environment: Rails.configuration.x.donation_campaigns.environment }.compact
+
+      Request.new(:get, url.to_s).perform do |res|
+        return JSON.parse(res.body_with_limit) if res.code == 200
+      end
+    end
+  rescue *Mastodon::HTTP_CONNECTION_ERRORS, JSON::ParserError
+    nil
+  end
+
+  def stoplight_wrapper
+    Stoplight(
+      'donation_campaigns',
+      cool_off_time: STOPLIGHT_COOL_OFF_TIME,
+      threshold: STOPLIGHT_FAILURE_THRESHOLD
+    )
+  end
+
+  def request_key
+    "donation_campaign_request:#{seed}:#{locale}"
+  end
+
+  def campaign_key(campaign)
+    "#{campaign['id']}:#{campaign['locale']}"
+  end
+
+  def locale
+    I18n.locale.to_s
+  end
+end

app/controllers/api/v1/instances/terms_of_service_controller.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+class Api::V1::Instances::TermsOfServiceController < Api::V1::Instances::BaseController
+  before_action :cache_even_if_authenticated!
+
+  def index
+    @terms_of_service = TermsOfService.current || raise(ActiveRecord::RecordNotFound)
+    render json: @terms_of_service, serializer: REST::TermsOfServiceSerializer
+  end
+
+  def show
+    @terms_of_service = TermsOfService.published.find_by!(effective_date: params[:date])
+    render json: @terms_of_service, serializer: REST::TermsOfServiceSerializer
+  end
+end

app/controllers/api/v1/instances/terms_of_services_controller.rb

@@ -1,23 +0,0 @@
-# frozen_string_literal: true
-
-class Api::V1::Instances::TermsOfServicesController < Api::V1::Instances::BaseController
-  before_action :set_terms_of_service
-
-  def show
-    cache_even_if_authenticated!
-    render json: @terms_of_service, serializer: REST::TermsOfServiceSerializer
-  end
-
-  private
-
-  def set_terms_of_service
-    @terms_of_service = begin
-      if params[:date].present?
-        TermsOfService.published.find_by!(effective_date: params[:date])
-      else
-        TermsOfService.current
-      end
-    end
-    not_found if @terms_of_service.nil?
-  end
-end

app/controllers/api/v1/markers_controller.rb

@@ -32,13 +32,7 @@ class Api::V1::MarkersController < Api::BaseController
   private
 
   def serialize_map(map)
-    serialized = {}
-
-    map.each_pair do |key, value|
-      serialized[key] = ActiveModelSerializers::SerializableResource.new(value, serializer: REST::MarkerSerializer).as_json
-    end
-
-    Oj.dump(serialized)
+    map.transform_values { |value| ActiveModelSerializers::SerializableResource.new(value, serializer: REST::MarkerSerializer) }
   end
 
   def resource_params

app/controllers/api/v1/mutes_controller.rb

@@ -18,14 +18,14 @@ class Api::V1::MutesController < Api::BaseController
 
   def paginated_mutes
     @paginated_mutes ||= Mute.eager_load(target_account: [:account_stat, :user])
-                             .joins(:target_account)
-                             .merge(Account.without_suspended)
-                             .where(account: current_account)
-                             .paginate_by_max_id(
-                               limit_param(DEFAULT_ACCOUNTS_LIMIT),
-                               params[:max_id],
-                               params[:since_id]
-                             )
+      .joins(:target_account)
+      .merge(Account.without_suspended)
+      .where(account: current_account)
+      .paginate_by_max_id(
+        limit_param(DEFAULT_ACCOUNTS_LIMIT),
+        params[:max_id],
+        params[:since_id]
+      )
   end
 
   def next_path

app/controllers/api/v1/peers/search_controller.rb

@@ -47,10 +47,6 @@ class Api::V1::Peers::SearchController < Api::BaseController
   end
 
   def normalized_domain
-    TagManager.instance.normalize_domain(query_value)
-  end
-
-  def query_value
-    params[:q].strip
+    TagManager.instance.normalize_domain(params[:q])
   end
 end

app/controllers/api/v1/profiles_controller.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+class Api::V1::ProfilesController < Api::BaseController
+  before_action -> { doorkeeper_authorize! :profile, :read, :'read:accounts' }, except: [:update]
+  before_action -> { doorkeeper_authorize! :write, :'write:accounts' }, only: [:update]
+  before_action :require_user!
+
+  def show
+    @account = current_account
+    render json: @account, serializer: REST::ProfileSerializer
+  end
+
+  def update
+    @account = current_account
+    UpdateAccountService.new.call(@account, account_params, raise_error: true)
+    ActivityPub::UpdateDistributionWorker.perform_in(ActivityPub::UpdateDistributionWorker::DEBOUNCE_DELAY, @account.id)
+
+    render json: @account, serializer: REST::ProfileSerializer
+  rescue ActiveRecord::RecordInvalid => e
+    render json: ValidationErrorFormatter.new(e).as_json, status: 422
+  end
+
+  def account_params
+    params.permit(
+      :display_name,
+      :note,
+      :avatar,
+      :avatar_description,
+      :header,
+      :header_description,
+      :locked,
+      :bot,
+      :discoverable,
+      :hide_collections,
+      :indexable,
+      :show_media,
+      :show_media_replies,
+      :show_featured,
+      attribution_domains: [],
+      fields_attributes: [:name, :value]
+    )
+  end
+end

app/controllers/api/v1/reports_controller.rb

@@ -23,6 +23,10 @@ class Api::V1::ReportsController < Api::BaseController
   end
 
   def report_params
-    params.permit(:account_id, :comment, :category, :forward, forward_to_domains: [], status_ids: [], rule_ids: [])
+    if Mastodon::Feature.collections_enabled?
+      params.permit(:account_id, :comment, :category, :forward, forward_to_domains: [], status_ids: [], collection_ids: [], rule_ids: [])
+    else
+      params.permit(:account_id, :comment, :category, :forward, forward_to_domains: [], status_ids: [], rule_ids: [])
+    end
   end
 end

app/controllers/api/v1/statuses/pins_controller.rb

@@ -26,20 +26,20 @@ class Api::V1::Statuses::PinsController < Api::V1::Statuses::BaseController
   def distribute_add_activity!
     json = ActiveModelSerializers::SerializableResource.new(
       @status,
-      serializer: ActivityPub::AddSerializer,
+      serializer: ActivityPub::AddNoteSerializer,
       adapter: ActivityPub::Adapter
     ).as_json
 
-    ActivityPub::RawDistributionWorker.perform_async(Oj.dump(json), current_account.id)
+    ActivityPub::RawDistributionWorker.perform_async(json.to_json, current_account.id)
   end
 
   def distribute_remove_activity!
     json = ActiveModelSerializers::SerializableResource.new(
       @status,
-      serializer: ActivityPub::RemoveSerializer,
+      serializer: ActivityPub::RemoveNoteSerializer,
       adapter: ActivityPub::Adapter
     ).as_json
 
-    ActivityPub::RawDistributionWorker.perform_async(Oj.dump(json), current_account.id)
+    ActivityPub::RawDistributionWorker.perform_async(json.to_json, current_account.id)
   end
 end

app/controllers/api/v1/statuses_controller.rb

@@ -93,6 +93,7 @@ class Api::V1::StatusesController < Api::BaseController
       application: doorkeeper_token.application,
       poll: status_params[:poll],
       content_type: status_params[:content_type],
+      local_only: status_params[:local_only],
       allowed_mentions: status_params[:allowed_mentions],
       idempotency: request.headers['Idempotency-Key'],
       with_rate_limit: true
@@ -107,9 +108,7 @@ class Api::V1::StatusesController < Api::BaseController
     @status = Status.where(account: current_account).find(params[:id])
     authorize @status, :update?
 
-    UpdateStatusService.new.call(
-      @status,
-      current_account.id,
+    update_options = {
       text: status_params[:status],
       media_ids: status_params[:media_ids],
       media_attributes: status_params[:media_attributes],
@@ -117,9 +116,12 @@ class Api::V1::StatusesController < Api::BaseController
       language: status_params[:language],
       spoiler_text: status_params[:spoiler_text],
       poll: status_params[:poll],
-      quote_approval_policy: quote_approval_policy,
-      content_type: status_params[:content_type]
-    )
+      content_type: status_params[:content_type],
+    }
+
+    update_options[:quote_approval_policy] = quote_approval_policy if status_params[:quote_approval_policy].present?
+
+    UpdateStatusService.new.call(@status, current_account.id, update_options)
 
     render json: @status, serializer: REST::StatusSerializer
   end
@@ -128,6 +130,8 @@ class Api::V1::StatusesController < Api::BaseController
     @status = Status.where(account: current_account).find(params[:id])
     authorize @status, :destroy?
 
+    # JSON is generated before `discard_with_reblogs` in order to have the proper URL
+    # for media attachments, as it would otherwise redirect to the media proxy
     json = render_to_body json: @status, serializer: REST::StatusSerializer, source_requested: true
 
     @status.discard_with_reblogs
@@ -191,6 +195,7 @@ class Api::V1::StatusesController < Api::BaseController
       :language,
       :scheduled_at,
       :content_type,
+      :local_only,
       allowed_mentions: [],
       media_ids: [],
       media_attributes: [

app/controllers/api/v1/tags_controller.rb

@@ -39,6 +39,6 @@ class Api::V1::TagsController < Api::BaseController
   def set_or_create_tag
     return not_found unless Tag::HASHTAG_NAME_RE.match?(params[:id])
 
-    @tag = Tag.find_normalized(params[:id]) || Tag.new(name: Tag.normalize(params[:id]), display_name: params[:id])
+    @tag = Tag.find_normalized(params[:id]) || Tag.new(name: params[:id], display_name: params[:id])
   end
 end

app/controllers/api/v1_alpha/collection_items_controller.rb

@@ -11,7 +11,7 @@ class Api::V1Alpha::CollectionItemsController < Api::BaseController
 
   before_action :set_collection
   before_action :set_account, only: [:create]
-  before_action :set_collection_item, only: [:destroy]
+  before_action :set_collection_item, only: [:destroy, :revoke]
 
   after_action :verify_authorized
 
@@ -21,13 +21,21 @@ class Api::V1Alpha::CollectionItemsController < Api::BaseController
 
     @item = AddAccountToCollectionService.new.call(@collection, @account)
 
-    render json: @item, serializer: REST::CollectionItemSerializer
+    render json: @item, serializer: REST::CollectionItemSerializer, adapter: :json
   end
 
   def destroy
     authorize @collection, :update?
 
-    @collection_item.destroy
+    DeleteCollectionItemService.new.call(@collection_item)
+
+    head 200
+  end
+
+  def revoke
+    authorize @collection_item, :revoke?
+
+    RevokeCollectionItemService.new.call(@collection_item)
 
     head 200
   end

app/controllers/api/v1_alpha/collections_controller.rb

@@ -26,16 +26,18 @@ class Api::V1Alpha::CollectionsController < Api::BaseController
 
   def index
     cache_if_unauthenticated!
-    authorize Collection, :index?
+    authorize @account, :index_collections?
 
-    render json: @collections, each_serializer: REST::BaseCollectionSerializer
+    render json: @collections, each_serializer: REST::CollectionSerializer, adapter: :json
+  rescue Mastodon::NotPermittedError
+    render json: { collections: [] }
   end
 
   def show
     cache_if_unauthenticated!
     authorize @collection, :show?
 
-    render json: @collection, serializer: REST::CollectionSerializer
+    render json: @collection, serializer: REST::CollectionWithAccountsSerializer
   end
 
   def create
@@ -43,21 +45,21 @@ class Api::V1Alpha::CollectionsController < Api::BaseController
 
     @collection = CreateCollectionService.new.call(collection_creation_params, current_user.account)
 
-    render json: @collection, serializer: REST::CollectionSerializer
+    render json: @collection, serializer: REST::CollectionSerializer, adapter: :json
   end
 
   def update
     authorize @collection, :update?
 
-    @collection.update!(collection_update_params) # TODO: Create a service for this to federate changes
+    UpdateCollectionService.new.call(@collection, collection_update_params)
 
-    render json: @collection, serializer: REST::CollectionSerializer
+    render json: @collection, serializer: REST::CollectionSerializer, adapter: :json
   end
 
   def destroy
     authorize @collection, :destroy?
 
-    @collection.destroy
+    DeleteCollectionService.new.call(@collection)
 
     head 200
   end
@@ -70,10 +72,11 @@ class Api::V1Alpha::CollectionsController < Api::BaseController
 
   def set_collections
     @collections = @account.collections
-                           .with_tag
-                           .order(created_at: :desc)
-                           .offset(offset_param)
-                           .limit(limit_param(DEFAULT_COLLECTIONS_LIMIT))
+      .with_tag
+      .order(created_at: :desc)
+      .offset(offset_param)
+      .limit(limit_param(DEFAULT_COLLECTIONS_LIMIT))
+    @collections = @collections.discoverable unless @account == current_account
   end
 
   def set_collection
@@ -81,11 +84,11 @@ class Api::V1Alpha::CollectionsController < Api::BaseController
   end
 
   def collection_creation_params
-    params.permit(:name, :description, :sensitive, :discoverable, :tag_name, account_ids: [])
+    params.permit(:name, :description, :language, :sensitive, :discoverable, :tag_name, account_ids: [])
   end
 
   def collection_update_params
-    params.permit(:name, :description, :sensitive, :discoverable, :tag_name)
+    params.permit(:name, :description, :language, :sensitive, :discoverable, :tag_name)
   end
 
   def check_feature_enabled

app/controllers/api/web/push_subscriptions_controller.rb

@@ -62,7 +62,7 @@ class Api::Web::PushSubscriptionsController < Api::Web::BaseController
   end
 
   def set_push_subscription
-    @push_subscription = ::Web::PushSubscription.find(params[:id])
+    @push_subscription = ::Web::PushSubscription.where(user_id: active_session.user_id).find(params[:id])
   end
 
   def subscription_params

app/controllers/application_controller.rb

@@ -9,39 +9,21 @@ class ApplicationController < ActionController::Base
   include UserTrackingConcern
   include SessionTrackingConcern
   include CacheConcern
+  include ErrorResponses
   include PreloadingConcern
   include DomainControlHelper
-  include ThemingConcern
   include DatabaseHelper
   include AuthorizedFetchHelper
   include SelfDestructHelper
 
   helper_method :current_account
   helper_method :current_session
-  helper_method :current_flavour
-  helper_method :current_skin
-  helper_method :current_theme
   helper_method :single_user_mode?
   helper_method :use_seamless_external_login?
   helper_method :sso_account_settings
   helper_method :limited_federation_mode?
   helper_method :skip_csrf_meta_tags?
 
-  rescue_from ActionController::ParameterMissing, Paperclip::AdapterRegistry::NoHandlerError, with: :bad_request
-  rescue_from Mastodon::NotPermittedError, with: :forbidden
-  rescue_from ActionController::RoutingError, ActiveRecord::RecordNotFound, with: :not_found
-  rescue_from ActionController::UnknownFormat, with: :not_acceptable
-  rescue_from ActionController::InvalidAuthenticityToken, with: :unprocessable_content
-  rescue_from Mastodon::RateLimitExceededError, with: :too_many_requests
-
-  rescue_from(*Mastodon::HTTP_CONNECTION_ERRORS, with: :internal_server_error)
-  rescue_from Mastodon::RaceConditionError, Stoplight::Error::RedLight, ActiveRecord::SerializationFailure, with: :service_unavailable
-
-  rescue_from Seahorse::Client::NetworkingError do |e|
-    Rails.logger.warn "Storage server error: #{e}"
-    service_unavailable
-  end
-
   before_action :check_self_destruct!
 
   before_action :store_referrer, except: :raise_not_found, if: :devise_controller?
@@ -65,19 +47,25 @@ class ApplicationController < ActionController::Base
     return if request.referer.blank?
 
     redirect_uri = URI(request.referer)
-    return if redirect_uri.path.start_with?('/auth')
+    return if redirect_uri.path.start_with?('/auth', '/settings/two_factor_authentication', '/settings/otp_authentication')
 
     stored_url = redirect_uri.to_s if redirect_uri.host == request.host && redirect_uri.port == request.port
 
     store_location_for(:user, stored_url)
   end
 
+  def mfa_setup_path(path_params = {})
+    settings_two_factor_authentication_methods_path(path_params)
+  end
+
   def require_functional!
     return if current_user.functional?
 
     respond_to do |format|
       format.any do
-        if current_user.confirmed?
+        if current_user.missing_2fa?
+          redirect_to mfa_setup_path
+        elsif current_user.confirmed?
           redirect_to edit_user_registration_path
         else
           redirect_to auth_setup_path
@@ -89,6 +77,8 @@ class ApplicationController < ActionController::Base
           render json: { error: 'Your login is missing a confirmed e-mail address' }, status: 403
         elsif !current_user.approved?
           render json: { error: 'Your login is currently pending approval' }, status: 403
+        elsif current_user.missing_2fa?
+          render json: { error: 'Your account requires two-factor authentication' }, status: 403
         elsif !current_user.functional?
           render json: { error: 'Your login is currently disabled' }, status: 403
         end
@@ -114,42 +104,6 @@ class ApplicationController < ActionController::Base
     ActiveModel::Type::Boolean.new.cast(params[key])
   end
 
-  def forbidden
-    respond_with_error(403)
-  end
-
-  def not_found
-    respond_with_error(404)
-  end
-
-  def gone
-    respond_with_error(410)
-  end
-
-  def unprocessable_content
-    respond_with_error(422)
-  end
-
-  def not_acceptable
-    respond_with_error(406)
-  end
-
-  def bad_request
-    respond_with_error(400)
-  end
-
-  def internal_server_error
-    respond_with_error(500)
-  end
-
-  def service_unavailable
-    respond_with_error(503)
-  end
-
-  def too_many_requests
-    respond_with_error(429)
-  end
-
   def single_user_mode?
     @single_user_mode ||= Rails.configuration.x.single_user_mode && Account.without_internal.exists?
   end
@@ -174,13 +128,6 @@ class ApplicationController < ActionController::Base
     @current_session = SessionActivation.find_by(session_id: cookies.signed['_session_id']) if cookies.signed['_session_id'].present?
   end
 
-  def respond_with_error(code)
-    respond_to do |format|
-      format.any  { render "errors/#{code}", layout: 'error', status: code, formats: [:html] }
-      format.json { render json: { error: Rack::Utils::HTTP_STATUS_CODES[code] }, status: code }
-    end
-  end
-
   def check_self_destruct!
     return unless self_destruct?
 

app/controllers/auth/registrations_controller.rb

@@ -130,14 +130,19 @@ class Auth::RegistrationsController < Devise::RegistrationsController
   end
 
   def require_rules_acceptance!
-    return if @rules.empty? || (session[:accept_token].present? && params[:accept] == session[:accept_token])
+    return if @rules.empty? || validated_accept_token?
 
     @accept_token = session[:accept_token] = SecureRandom.hex
-    @invite_code  = invite_code
+    @invite_code = invite_code
+    @rule_translations = @rules.map { |rule| rule.translation_for(I18n.locale) }
 
     render :rules
   end
 
+  def validated_accept_token?
+    session[:accept_token].present? && params[:accept] == session[:accept_token]
+  end
+
   def is_flashing_format? # rubocop:disable Naming/PredicatePrefix
     if params[:action] == 'create'
       false # Disable flash messages for sign-up

app/controllers/auth/sessions/security_key_options_controller.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+class Auth::Sessions::SecurityKeyOptionsController < ApplicationController
+  skip_before_action :check_self_destruct!
+  skip_before_action :require_functional!
+  skip_before_action :update_user_sign_in
+
+  def show
+    user = User.find_by(id: session[:attempt_user_id])
+
+    if user&.webauthn_enabled?
+      options_for_get = WebAuthn::Credential.options_for_get(
+        allow: user.webauthn_credentials.pluck(:external_id),
+        user_verification: 'discouraged'
+      )
+
+      session[:webauthn_challenge] = options_for_get.challenge
+
+      render json: options_for_get, status: 200
+    else
+      render json: { error: t('webauthn_credentials.not_enabled') }, status: 401
+    end
+  end
+end

app/controllers/auth/sessions_controller.rb

@@ -38,23 +38,6 @@ class Auth::SessionsController < Devise::SessionsController
     flash.delete(:notice)
   end
 
-  def webauthn_options
-    user = User.find_by(id: session[:attempt_user_id])
-
-    if user&.webauthn_enabled?
-      options_for_get = WebAuthn::Credential.options_for_get(
-        allow: user.webauthn_credentials.pluck(:external_id),
-        user_verification: 'discouraged'
-      )
-
-      session[:webauthn_challenge] = options_for_get.challenge
-
-      render json: options_for_get, status: 200
-    else
-      render json: { error: t('webauthn_credentials.not_enabled') }, status: 401
-    end
-  end
-
   protected
 
   def find_user
@@ -197,14 +180,14 @@ class Auth::SessionsController < Devise::SessionsController
     "2fa_auth_attempts:#{user.id}:#{Time.now.utc.hour}"
   end
 
-  def respond_to_on_destroy
+  def respond_to_on_destroy(**)
     respond_to do |format|
       format.json do
         render json: {
           redirect_to: after_sign_out_path_for(resource_name),
         }, status: 200
       end
-      format.all { super }
+      format.all { super(**) }
     end
   end
 end

app/controllers/collection_items_controller.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+class CollectionItemsController < ApplicationController
+  include SignatureAuthentication
+  include Authorization
+  include AccountOwnedConcern
+
+  vary_by -> { public_fetch_mode? ? 'Accept, Accept-Language, Cookie' : 'Accept, Accept-Language, Cookie, Signature' }
+
+  before_action :check_feature_enabled
+  before_action :require_account_signature!, if: -> { authorized_fetch_mode? }
+  before_action :set_collection_item
+
+  skip_around_action :set_locale
+  skip_before_action :require_functional!, unless: :limited_federation_mode?
+
+  def show
+    respond_to do |format|
+      format.json do
+        expires_in(3.minutes, public: public_fetch_mode?)
+
+        render json: @collection_item,
+               serializer: ActivityPub::FeaturedItemSerializer,
+               adapter: ActivityPub::Adapter,
+               content_type: 'application/activity+json'
+      end
+    end
+  end
+
+  private
+
+  def set_collection_item
+    @collection_item = @account.curated_collection_items.find(params[:id])
+    authorize @collection_item.collection, :show?
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
+    not_found
+  end
+
+  def check_feature_enabled
+    raise ActionController::RoutingError unless Mastodon::Feature.collections_enabled?
+  end
+end

app/controllers/collections_controller.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+class CollectionsController < ApplicationController
+  include WebAppControllerConcern
+  include SignatureAuthentication
+  include Authorization
+  include AccountOwnedConcern
+
+  vary_by -> { public_fetch_mode? ? 'Accept, Accept-Language, Cookie' : 'Accept, Accept-Language, Cookie, Signature' }
+
+  before_action :check_feature_enabled
+  before_action :require_account_signature!, only: :show, if: -> { request.format == :json && authorized_fetch_mode? }
+  before_action :set_collection
+
+  skip_around_action :set_locale, if: -> { request.format == :json }
+  skip_before_action :require_functional!, only: :show, unless: :limited_federation_mode?
+
+  def show
+    respond_to do |format|
+      # TODO: format.html
+
+      format.json do
+        expires_in expiration_duration, public: true if public_fetch_mode?
+        render_with_cache json: @collection, content_type: 'application/activity+json', serializer: ActivityPub::FeaturedCollectionSerializer, adapter: ActivityPub::Adapter
+      end
+    end
+  end
+
+  private
+
+  def set_collection
+    @collection = @account.collections.find(params[:id])
+    authorize @collection, :show?
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
+    not_found
+  end
+
+  def expiration_duration
+    recently_updated = @collection.updated_at > 15.minutes.ago
+    recently_updated ? 30.seconds : 5.minutes
+  end
+
+  def check_feature_enabled
+    raise ActionController::RoutingError unless Mastodon::Feature.collections_enabled?
+  end
+end

app/controllers/concerns/accountable_concern.rb

@@ -4,10 +4,8 @@ module AccountableConcern
   extend ActiveSupport::Concern
 
   def log_action(action, target)
-    Admin::ActionLog.create(
-      account: current_account,
-      action: action,
-      target: target
-    )
+    current_account
+      .action_logs
+      .create(action:, target:)
   end
 end

app/controllers/concerns/cache_concern.rb

@@ -19,7 +19,7 @@ module CacheConcern
   # from being used as cache keys, while allowing to `Vary` on them (to not serve
   # anonymous cached data to authenticated requests when authentication matters)
   def enforce_cache_control!
-    vary = response.headers['Vary']&.split&.map { |x| x.strip.downcase }
+    vary = response.headers['Vary'].to_s.split(',').map { |x| x.strip.downcase }.reject(&:empty?)
     return unless vary.present? && %w(cookie authorization signature).any? { |header| vary.include?(header) && request.headers[header].present? }
 
     response.cache_control.replace(private: true, no_store: true)

app/controllers/concerns/challengable_concern.rb

@@ -42,7 +42,7 @@ module ChallengableConcern
   end
 
   def render_challenge
-    render 'auth/challenges/new', layout: 'auth'
+    render 'auth/challenges/new', layout: params[:oauth] ? 'modal' : 'auth'
   end
 
   def challenge_passed?

app/controllers/concerns/error_responses.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+module ErrorResponses
+  extend ActiveSupport::Concern
+
+  included do
+    rescue_from ActionController::InvalidAuthenticityToken, with: :unprocessable_content
+    rescue_from ActionController::ParameterMissing, Paperclip::AdapterRegistry::NoHandlerError, with: :bad_request
+    rescue_from ActionController::RoutingError, ActiveRecord::RecordNotFound, with: :not_found
+    rescue_from ActionController::UnknownFormat, with: :not_acceptable
+    rescue_from Mastodon::NotPermittedError, with: :forbidden
+    rescue_from Mastodon::RaceConditionError, Stoplight::Error::RedLight, ActiveRecord::SerializationFailure, with: :service_unavailable
+    rescue_from Mastodon::RateLimitExceededError, with: :too_many_requests
+    rescue_from(*Mastodon::HTTP_CONNECTION_ERRORS, with: :internal_server_error)
+
+    rescue_from Seahorse::Client::NetworkingError do |e|
+      Rails.logger.warn "Storage server error: #{e}"
+      service_unavailable
+    end
+  end
+
+  protected
+
+  def bad_request
+    respond_with_error(400)
+  end
+
+  def forbidden
+    respond_with_error(403)
+  end
+
+  def gone
+    respond_with_error(410)
+  end
+
+  def internal_server_error
+    respond_with_error(500)
+  end
+
+  def not_acceptable
+    respond_with_error(406)
+  end
+
+  def not_found
+    respond_with_error(404)
+  end
+
+  def service_unavailable
+    respond_with_error(503)
+  end
+
+  def too_many_requests
+    respond_with_error(429)
+  end
+
+  def unprocessable_content
+    respond_with_error(422)
+  end
+
+  private
+
+  def respond_with_error(code)
+    respond_to do |format|
+      format.any  { render "errors/#{code}", layout: 'error', formats: [:html], status: code }
+      format.json { render json: { error: Rack::Utils::HTTP_STATUS_CODES[code] }, status: code }
+    end
+  end
+end

app/controllers/concerns/signature_verification.rb

@@ -53,19 +53,21 @@ module SignatureVerification
 
     raise Mastodon::SignatureVerificationError, 'Request not signed' unless signed_request?
 
-    actor = actor_from_key_id
+    keypair = keypair_from_key_id
 
-    raise Mastodon::SignatureVerificationError, "Public key not found for key #{signature_key_id}" if actor.nil?
+    raise Mastodon::SignatureVerificationError, "Public key not found for key #{signature_key_id}" if keypair.nil?
 
-    return (@signed_request_actor = actor) if signed_request.verified?(actor)
+    check_keypair_validity!(keypair)
+    return (@signed_request_actor = keypair.actor) if signed_request.verified?(keypair)
 
-    actor = stoplight_wrapper.run { actor_refresh_key!(actor) }
+    keypair = stoplight_wrapper.run { keypair_refresh_key!(keypair) }
 
-    raise Mastodon::SignatureVerificationError, "Could not refresh public key #{signature_key_id}" if actor.nil?
+    raise Mastodon::SignatureVerificationError, "Could not refresh public key #{signature_key_id}" if keypair.nil?
 
-    return (@signed_request_actor = actor) if signed_request.verified?(actor)
+    check_keypair_validity!(keypair)
+    return (@signed_request_actor = keypair.actor) if signed_request.verified?(keypair)
 
-    fail_with! "Verification failed for #{actor.to_log_human_identifier} #{actor.uri}"
+    fail_with! "Verification failed for #{keypair.actor.to_log_human_identifier} #{keypair.actor.uri} #{keypair.uri}"
   rescue Mastodon::MalformedHeaderError => e
     @signature_verification_failure_code = 400
     fail_with! e.message
@@ -89,7 +91,7 @@ module SignatureVerification
     @signed_request_actor = nil
   end
 
-  def actor_from_key_id
+  def keypair_from_key_id
     key_id = signed_request.key_id
     domain = key_id.start_with?('acct:') ? key_id.split('@').last : key_id
 
@@ -101,9 +103,10 @@ module SignatureVerification
     if key_id.start_with?('acct:')
       stoplight_wrapper.run { ResolveAccountService.new.call(key_id.delete_prefix('acct:'), suppress_errors: false) }
     elsif !ActivityPub::TagManager.instance.local_uri?(key_id)
-      account   = ActivityPub::TagManager.instance.uri_to_actor(key_id)
-      account ||= stoplight_wrapper.run { ActivityPub::FetchRemoteKeyService.new.call(key_id, suppress_errors: false) }
-      account
+      keypair = Keypair.from_keyid(key_id)
+      return keypair if keypair.present?
+
+      stoplight_wrapper.run { ActivityPub::FetchRemoteKeyService.new.call(key_id, suppress_errors: false) }
     end
   rescue Mastodon::PrivateNetworkAddressError => e
     raise Mastodon::SignatureVerificationError, "Requests to private network addresses are disallowed (tried to query #{e.host})"
@@ -120,14 +123,20 @@ module SignatureVerification
     )
   end
 
-  def actor_refresh_key!(actor)
-    return if actor.local? || !actor.activitypub?
-    return actor.refresh! if actor.respond_to?(:refresh!) && actor.possibly_stale?
+  def keypair_refresh_key!(keypair)
+    # TODO: this currently only is concerned with refreshing the actor and returning the legacy key, this needs to be reworked
+    return if keypair.actor.local? || !keypair.actor.activitypub?
+    return keypair.actor.refresh! if keypair.actor.respond_to?(:refresh!) && keypair.actor.possibly_stale?
 
-    ActivityPub::FetchRemoteActorService.new.call(actor.uri, only_key: true, suppress_errors: false)
+    Keypair.from_legacy_account(ActivityPub::FetchRemoteActorService.new.call(keypair.actor.uri, only_key: true, suppress_errors: false))
   rescue Mastodon::PrivateNetworkAddressError => e
     raise Mastodon::SignatureVerificationError, "Requests to private network addresses are disallowed (tried to query #{e.host})"
   rescue Mastodon::HostValidationError, ActivityPub::FetchRemoteActorService::Error, Webfinger::Error => e
     raise Mastodon::SignatureVerificationError, e.message
   end
+
+  def check_keypair_validity!(keypair)
+    raise Mastodon::SignatureVerification, "Key #{signature_key_id} is revoked" if keypair.revoked?
+    raise Mastodon::SignatureVerification, "Key #{signature_key_id} has expired" if keypair.expired?
+  end
 end

app/controllers/concerns/theming_concern.rb

@@ -1,24 +0,0 @@
-# frozen_string_literal: true
-
-module ThemingConcern
-  extend ActiveSupport::Concern
-
-  private
-
-  def current_flavour
-    @current_flavour ||= [current_user&.setting_flavour, Setting.flavour, 'glitch', 'vanilla'].find { |flavour| Themes.instance.flavours.include?(flavour) }
-  end
-
-  def current_skin
-    @current_skin ||= begin
-      skins = Themes.instance.skins_for(current_flavour)
-      [current_user&.setting_skin, Setting.skin, 'system', 'default'].find { |skin| skins.include?(skin) }
-    end
-  end
-
-  def current_theme
-    # NOTE: this is slightly different from upstream, as it's a derived value used
-    # for the sole purpose of pointing to the appropriate stylesheet pack
-    [current_flavour, current_skin]
-  end
-end

app/controllers/email_subscriptions/confirmations_controller.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class EmailSubscriptions::ConfirmationsController < ApplicationController
+  layout 'auth'
+
+  before_action :set_email_subscription
+
+  def show
+    @email_subscription.confirm! unless @email_subscription.confirmed?
+  end
+
+  private
+
+  def set_email_subscription
+    @email_subscription = EmailSubscription.find_by!(confirmation_token: params[:confirmation_token])
+  end
+end

app/controllers/mail_subscriptions_controller.rb

@@ -1,39 +0,0 @@
-# frozen_string_literal: true
-
-class MailSubscriptionsController < ApplicationController
-  layout 'auth'
-
-  skip_before_action :require_functional!
-
-  before_action :set_user
-  before_action :set_type
-
-  protect_from_forgery with: :null_session
-
-  def show; end
-
-  def create
-    @user.settings[email_type_from_param] = false
-    @user.save!
-  end
-
-  private
-
-  def set_user
-    @user = GlobalID::Locator.locate_signed(params[:token], for: 'unsubscribe')
-    not_found unless @user
-  end
-
-  def set_type
-    @type = email_type_from_param
-  end
-
-  def email_type_from_param
-    case params[:type]
-    when 'follow', 'reblog', 'favourite', 'mention', 'follow_request'
-      "notification_emails.#{params[:type]}"
-    else
-      not_found
-    end
-  end
-end