modules/web_hook: Add post-push handler for reacting to push events.

.github/workflows/docker.yml

@@ -4,18 +4,27 @@
 name: Docker Images
 
 on:
-  push:
-    branches: [master]
-
   workflow_dispatch:
     inputs:
+      features:
+        type: string
+        description: JSON array of feature-set names to build images for.
+      distros:
+        type: string
+        description: JSON array of operating system distros to build for.
+      machines:
+        type: string
+        description: JSON array of machines to build for.
+      toolchains:
+        type: string
+        description: JSON array of compiler toolchains to build for.
 
 concurrency:
   group: ${{ github.ref }}
   cancel-in-progress: true
 
 env:
-  ctor_id: ${{ vars.DOCKER_ID }}
+  ctor_id: ${{vars.DOCKER_ID}}
   ctor_url: https://github.com/${{github.repository}}
 
 jobs:
@@ -26,8 +35,8 @@ jobs:
       id: ${{github.env.ctor_id}}
       url: ${{github.env.ctor_url}}
       features: '["base"]'
-      distros: ${{vars.DOCKER_DISTROS}}
-      machines: ${{vars.DOCKER_MACHINES}}
+      distros: ${{github.event.inputs.distros || vars.DOCKER_DISTROS}}
+      machines: ${{github.event.inputs.machines || vars.DOCKER_MACHINES}}
       test: ${{contains(github.events.push.commits[0].message, '[ci test]')}}
 
   # Build the full-feature intermediate images (cached and not shipped).
@@ -38,8 +47,8 @@ jobs:
       id: ${{github.env.ctor_id}}
       url: ${{github.env.ctor_url}}
       features: '["full"]'
-      distros: ${{vars.DOCKER_DISTROS}}
-      machines: ${{vars.DOCKER_MACHINES}}
+      distros: ${{github.event.inputs.distros || vars.DOCKER_DISTROS}}
+      machines: ${{github.event.inputs.machines || vars.DOCKER_MACHINES}}
       test: ${{contains(github.events.push.commits[0].message, '[ci test]')}}
 
   # Build the leaf images (shipped and not cached)
@@ -49,10 +58,10 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        feature: ${{fromJSON(vars.DOCKER_FEATURES)}}
-        distro: ${{fromJSON(vars.DOCKER_DISTROS)}}
-        machine: ${{fromJSON(vars.DOCKER_MACHINES)}}
-        toolchain: ${{fromJSON(vars.DOCKER_TOOLCHAINS)}}
+        feature: ${{fromJSON(github.event.inputs.features || vars.DOCKER_FEATURES)}}
+        distro: ${{fromJSON(github.event.inputs.distros || vars.DOCKER_DISTROS)}}
+        machine: ${{fromJSON(github.event.inputs.machines || vars.DOCKER_MACHINES)}}
+        toolchain: ${{fromJSON(github.event.inputs.toolchains || vars.DOCKER_TOOLCHAINS)}}
         exclude:
           - distro: alpine-3.17
             toolchain: gcc-10      # n/a on distro version

configure.ac

@@ -988,6 +988,7 @@ dnl Compiler specific
 AM_COND_IF([CLANG],
 [
 	RB_MAYBE_CWARN([-Werror=return-stack-address], charybdis_cv_c_gcc_w_error_return_stack_address)
+	RB_MAYBE_CWARN([-Werror=abstract-final-class], charybdis_cv_c_gcc_w_error_abstract_final_class)
 
 	RB_MAYBE_CWARN([-Wundefined-reinterpret-cast], charybdis_cv_c_gcc_w_undefined_reinterpret_cast)
 	RB_MAYBE_CWARN([-Wconditional-uninitialized], charybdis_cv_c_gcc_w_conditional_uninitialized)

include/ircd/ctx/future.h

@@ -46,6 +46,8 @@ struct ircd::ctx::future
 
 	bool valid() const                           { return !is(state(), future_state::INVALID);     }
 	bool operator!() const                       { return !valid();                                }
+	std::exception_ptr eptr() const              { return state().eptr;                            }
+	string_view what() const                     { return util::what(eptr());                      }
 	explicit operator T()                        { return get();                                   }
 
 	template<class U, class time_point> friend bool wait_until(const future<U> &, const time_point &, std::nothrow_t);
@@ -75,6 +77,8 @@ struct ircd::ctx::future<void>
 
 	bool valid() const                           { return !is(state(), future_state::INVALID);     }
 	bool operator!() const                       { return !valid();                                }
+	std::exception_ptr eptr() const              { return state().eptr;                            }
+	string_view what() const                     { return util::what(eptr());                      }
 
 	template<class U, class time_point> friend bool wait_until(const future<U> &, const time_point &, std::nothrow_t);
 	template<class U, class time_point> friend void wait_until(const future<U> &, const time_point &);

include/ircd/m/device.h

@@ -53,11 +53,14 @@ struct ircd::m::signing_key_update
 	/// Required. The user ID whose cross-signing keys have changed.
 	json::property<name::user_id, json::string>,
 
-	/// Cross signing key
+	/// Master signing key
 	json::property<name::master_key, json::object>,
 
-	/// Cross signing key
-	json::property<name::self_signing_key, json::object>
+	/// Self signing key
+	json::property<name::self_signing_key, json::object>,
+
+	/// User signing key (local only)
+	json::property<name::user_signing_key, json::object>
 >
 {
 	using super_type::tuple;

include/ircd/m/event/append.h

@@ -29,6 +29,29 @@ struct ircd::m::event::append
 {
 	struct opts;
 
+  private:
+	static const event::keys::exclude exclude_keys;
+	static const event::keys default_keys;
+	static conf::item<std::string> exclude_types;
+	static conf::item<bool> info;
+	static log::log log;
+
+	bool is_ignored(const event &, const opts &) const;
+	bool is_redacted(const event &, const opts &) const;
+	bool is_invisible(const event &, const opts &) const;
+	bool is_excluded(const event &, const opts &) const;
+
+	bool bundle_replace(json::stack::object &, const event &, const opts &);
+	void _relations(json::stack::object &, const event &, const opts &);
+	void _age(json::stack::object &, const event &, const opts &);
+	void _txnid(json::stack::object &, const event &, const opts &);
+	void _prev_state(json::stack::object &, const event &, const opts &);
+	void _unsigned(json::stack::object &, const event &, const opts &);
+
+	bool members(json::stack::object &, const event &, const opts &);
+	bool object(json::stack::array &, const event &, const opts &);
+
+  public:
 	append(json::stack::object &, const event &, const opts &);
 	append(json::stack::object &, const event &);
 	append(json::stack::array &, const event &, const opts &);
@@ -39,11 +62,11 @@ struct ircd::m::event::append
 /// can provide the best result.
 struct ircd::m::event::append::opts
 {
-	const event::idx *event_idx {nullptr};
-	const string_view *client_txnid {nullptr};
-	const id::user *user_id {nullptr};
-	const room *user_room {nullptr};
-	const int64_t *room_depth {nullptr};
+	event::idx event_idx {0};
+	string_view client_txnid;
+	id::user user_id;
+	id::room user_room_id;
+	int64_t room_depth {-1L};
 	const event::keys *keys {nullptr};
 	const m::event_filter *event_filter {nullptr};
 	long age {std::numeric_limits<long>::min()};
@@ -51,6 +74,8 @@ struct ircd::m::event::append::opts
 	bool query_prev_state {true};
 	bool query_redacted {true};
 	bool query_visible {false};
+	bool bundle_all {false};
+	bool bundle_replace {false};
 };
 
 inline
@@ -64,3 +89,23 @@ ircd::m::event::append::append(json::stack::object &o,
                                const event &e)
 :append{o, e, {}}
 {}
+
+inline
+ircd::m::event::append::append(json::stack::array &array,
+                               const event &event,
+                               const opts &opts)
+:returns<bool>{[this, &array, &event, &opts]
+{
+	return object(array, event, opts);
+}}
+{}
+
+inline
+ircd::m::event::append::append(json::stack::object &object,
+                               const event &event,
+                               const opts &opts)
+:returns<bool>{[this, &object, &event, &opts]
+{
+	return members(object, event, opts);
+}}
+{}

include/ircd/m/name.h

@@ -221,4 +221,5 @@ struct ircd::m::name
 	static constexpr const char *const usage {"usage"};
 	static constexpr const char *const master_key {"master_key"};
 	static constexpr const char *const self_signing_key {"self_signing_key"};
+	static constexpr const char *const user_signing_key {"user_signing_key"};
 };

include/ircd/m/relates.h

@@ -44,9 +44,11 @@ struct ircd::m::relates
 		const event::idx &, const json::object &, const m::relates_to &
 	>;
 
+	static conf::item<std::string> latest_column;
+
 	event::refs refs;
 	bool match_sender {false};
-	bool prefetch_depth {false};
+	bool prefetch_latest {false};
 	bool prefetch_sender {false};
 
   private:

include/ircd/m/room/room.h

@@ -187,9 +187,11 @@ struct ircd::m::room
 	     const vm::copts *const &copts,
 	     const event::fetch::opts *const &fopts = nullptr) noexcept;
 
-	room(const id &room_id = {},
+	room(const id &room_id,
 	     const event::fetch::opts *const &fopts = nullptr) noexcept;
 
+	room() = default;
+
 	// Index of create event
 	static event::idx index(const id &, std::nothrow_t);
 	static event::idx index(const id &);
@@ -229,7 +231,9 @@ ircd::m::room::room(const id &room_id,
 ,event_id{event_id? event::id{event_id} : event::id{}}
 ,copts{copts}
 ,fopts{fopts}
-{}
+{
+	assert(room_id);
+}
 
 inline
 ircd::m::room::room(const id &room_id,
@@ -239,7 +243,9 @@ noexcept
 :room_id{room_id}
 ,copts{copts}
 ,fopts{fopts}
-{}
+{
+	assert(room_id);
+}
 
 inline
 ircd::m::room::room(const id &room_id,
@@ -247,7 +253,9 @@ ircd::m::room::room(const id &room_id,
 noexcept
 :room_id{room_id}
 ,fopts{fopts}
-{}
+{
+	assert(room_id);
+}
 
 inline ircd::m::room::operator
 const ircd::m::room::id &()

include/ircd/m/user/devices.h

@@ -13,8 +13,10 @@
 
 struct ircd::m::user::devices
 {
+	struct send;
+
 	using closure = std::function<void (const event::idx &, const string_view &)>;
-	using closure_bool = std::function<bool (const event::idx &, const string_view &)>;
+	using closure_bool = util::function_bool<const event::idx &, const string_view &>;
 
 	m::user user;
 
@@ -36,9 +38,17 @@ struct ircd::m::user::devices
 	///TODO: XXX junk
 	static std::map<std::string, long> count_one_time_keys(const m::user &, const string_view &);
 	static bool update(const device_list_update &);
-	static bool send(json::iov &content);
 
 	devices(const m::user &user)
 	:user{user}
 	{}
 };
+
+/// Broadcast m.device_list_update.
+///
+struct ircd::m::user::devices::send
+{
+	send(const m::user::devices &,
+	     const m::id::device &,
+	     const string_view = {});
+};

include/ircd/m/user/keys.h

@@ -0,0 +1,128 @@
+// The Construct
+//
+// Copyright (C) The Construct Developers, Authors & Contributors
+// Copyright (C) 2016-2023 Jason Volk <jason@zemos.net>
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice is present in all copies. The
+// full license for this software is available in the LICENSE file.
+
+#pragma once
+#define HAVE_IRCD_M_USER_KEYS_H
+
+struct ircd::m::user::keys
+{
+	struct send;
+
+	static string_view make_sigs_state_key(const mutable_buffer &, const string_view &tgt, const string_view &src);
+	static std::tuple<string_view, string_view> unmake_sigs_state_key(const string_view &) noexcept;
+
+	m::user::room user_room;
+
+	void attach_sigs(json::stack::object &, const json::object &, const user::id &) const;
+	bool attach_sigs(json::stack::object &, const event::idx &, const user::id &) const;
+	void append_sigs(json::stack::object &, const json::object &, const user::id &) const;
+	void append_keys(json::stack::object &, const json::object &, const user::id &) const;
+	bool append_keys(json::stack::object &, const event::idx &, const user::id &) const;
+
+  public:
+	bool has_device(const string_view &) const;
+	bool has_cross(const string_view &type) const;
+	bool has_cross_master() const;
+	bool has_cross_self() const;
+	bool has_cross_user() const;
+
+	void device(json::stack::object &, const string_view &device_id) const;
+	void cross(json::stack::object &, const string_view &type) const;
+	void cross_master(json::stack::object &) const;
+	void cross_self(json::stack::object &) const;
+	void cross_user(json::stack::object &) const;
+
+	bool claim(json::stack::object &, const string_view &device_id, const string_view &algo) const;
+	void update(const m::signing_key_update &) const;
+
+	keys(const m::user &user)
+	:user_room{user}
+	{}
+};
+
+struct ircd::m::user::keys::send
+{
+	send(const m::user::keys &,
+	     const string_view = {});
+};
+
+inline void
+ircd::m::user::keys::cross_user(json::stack::object &out)
+const
+{
+	return cross(out, "ircd.cross_signing.user");
+}
+
+inline void
+ircd::m::user::keys::cross_self(json::stack::object &out)
+const
+{
+	return cross(out, "ircd.cross_signing.self");
+}
+
+inline void
+ircd::m::user::keys::cross_master(json::stack::object &out)
+const
+{
+	return cross(out, "ircd.cross_signing.master");
+}
+
+inline void
+ircd::m::user::keys::cross(json::stack::object &out,
+                           const string_view &type)
+const
+{
+	const auto event_idx
+	{
+		user_room.get(std::nothrow, type, "")
+	};
+
+	append_keys(out, event_idx, user_room.user.user_id);
+}
+
+inline bool
+ircd::m::user::keys::has_cross_user()
+const
+{
+	return has_cross("ircd.cross_signing.user");
+}
+
+inline bool
+ircd::m::user::keys::has_cross_self()
+const
+{
+	return has_cross("ircd.cross_signing.self");
+}
+
+inline bool
+ircd::m::user::keys::has_cross_master()
+const
+{
+	return has_cross("ircd.cross_signing.master");
+}
+
+inline bool
+ircd::m::user::keys::has_cross(const string_view &type)
+const
+{
+	return user_room.has(type, "");
+}
+
+inline bool
+ircd::m::user::keys::has_device(const string_view &device_id)
+const
+{
+	const m::user::devices devices
+	{
+		user_room.user
+	};
+
+	return devices.has(device_id, "keys");
+}

include/ircd/m/user/user.h

@@ -52,6 +52,7 @@ struct ircd::m::user
 	struct tokens;
 	struct devices;
 	struct reading;
+	struct keys;
 
 	using id = m::id::user;
 	using closure = std::function<void (const user &)>;
@@ -73,13 +74,17 @@ struct ircd::m::user
 	event::id::buf deoper();
 	event::id::buf oper();
 
-	user(const id &user_id)
-	:user_id{user_id}
-	{}
-
+	user(const id &user_id);
 	user() = default;
 };
 
+inline
+ircd::m::user::user(const id &user_id)
+:user_id{user_id}
+{
+	assert(user_id);
+}
+
 inline ircd::m::user::operator
 const ircd::m::user::id &()
 const
@@ -105,3 +110,4 @@ const
 #include "tokens.h"
 #include "devices.h"
 #include "reading.h"
+#include "keys.h"

include/ircd/rest.h

@@ -40,6 +40,7 @@ struct ircd::rest::get
 :request
 {
 	get(const mutable_buffer &out, const rfc3986::uri &, opts);
+	get(const mutable_buffer &out, const rfc3986::uri &);
 	get(const rfc3986::uri &, opts);
 };
 
@@ -181,6 +182,15 @@ ircd::rest::get::get(const rfc3986::uri &uri,
 }
 {}
 
+inline
+ircd::rest::get::get(const mutable_buffer &out,
+                     const rfc3986::uri &uri)
+:get
+{
+	out, uri, opts{}
+}
+{}
+
 inline
 ircd::rest::get::get(const mutable_buffer &out,
                      const rfc3986::uri &uri,

include/ircd/versions.h

@@ -73,16 +73,9 @@ struct ircd::versions
 	~versions() noexcept;
 };
 
-namespace ircd
-{
-	template<>
-	decltype(versions::allocator)
-	instance_list<versions>::allocator;
-
-	template<>
-	decltype(versions::list)
-	instance_list<versions>::list;
-}
+template<>
+decltype(ircd::versions::list)
+ircd::instance_list<ircd::versions>::list;
 
 inline ircd::versions::operator
 const long &()

ircd/db.h

@@ -224,7 +224,9 @@ ircd::db::database::cache final
 	#else
 	Status Insert(const Slice &key, void *value, size_t charge, deleter, Handle **, Priority) noexcept override;
 	#endif
-	#ifdef IRCD_DB_HAS_CACHE_ITEMHELPER
+	#if defined(IRCD_DB_HAS_CACHE_ASYNC)
+	Handle *Lookup(const Slice &key, const CacheItemHelper *, CreateContext *, Priority, Statistics *) noexcept override;
+	#elif defined(IRCD_DB_HAS_CACHE_ITEMHELPER)
 	Handle *Lookup(const Slice &key, const CacheItemHelper *, CreateContext *, Priority, bool, Statistics *) noexcept override;
 	#else
 	Handle *Lookup(const Slice &key, Statistics *) noexcept override;
@@ -263,6 +265,9 @@ ircd::db::database::cache final
 	#ifdef IRCD_DB_HAS_CACHE_ITEMHELPER
 	const CacheItemHelper *GetCacheItemHelper(Handle *) const noexcept override;
 	#endif
+	#ifdef IRCD_DB_HAS_CACHE_ASYNC
+	Handle *CreateStandalone(const Slice &, ObjectPtr, const CacheItemHelper *, size_t, bool) noexcept override;
+	#endif
 
 	cache(database *const &,
 	      std::shared_ptr<struct database::stats>,

ircd/db_database.cc

@@ -3321,7 +3321,14 @@ noexcept
 	return ret;
 }
 
-#ifdef IRCD_DB_HAS_CACHE_ITEMHELPER
+#if defined(IRCD_DB_HAS_CACHE_ASYNC)
+rocksdb::Cache::Handle *
+ircd::db::database::cache::Lookup(const Slice &key,
+                                  const CacheItemHelper *const helper,
+                                  CreateContext *const cc,
+                                  Priority pri,
+                                  Statistics *const statistics)
+#elif defined(IRCD_DB_HAS_CACHE_ITEMHELPER)
 rocksdb::Cache::Handle *
 ircd::db::database::cache::Lookup(const Slice &key,
                                   const CacheItemHelper *const helper,
@@ -3355,7 +3362,9 @@ noexcept
 
 	auto *const &ret
 	{
-		#ifdef IRCD_DB_HAS_CACHE_ITEMHELPER
+		#if defined(IRCD_DB_HAS_CACHE_ASYNC)
+		c->Lookup(key, helper, cc, pri, statistics)
+		#elif defined(IRCD_DB_HAS_CACHE_ITEMHELPER)
 		c->Lookup(key, helper, cc, pri, wait, statistics)
 		#else
 		c->Lookup(key, s)
@@ -3559,6 +3568,20 @@ const noexcept
 }
 #endif
 
+#if defined(IRCD_DB_HAS_CACHE_ASYNC)
+rocksdb::Cache::Handle *
+ircd::db::database::cache::CreateStandalone(const Slice &key,
+                                            ObjectPtr ptr,
+                                            const CacheItemHelper *const helper,
+                                            size_t charge,
+                                            bool allow_uncharged)
+noexcept
+{
+	assert(bool(c));
+	return c->CreateStandalone(key, ptr, helper, charge, allow_uncharged);
+}
+#endif
+
 ///////////////////////////////////////////////////////////////////////////////
 //
 // database::compaction_filter

ircd/db_has.h

@@ -193,3 +193,9 @@
 || (ROCKSDB_MAJOR == 8 && ROCKSDB_MINOR == 0 && ROCKSDB_PATCH >= 0)
 	#define IRCD_DB_HAS_CACHE_WRAPPER
 #endif
+
+#if ROCKSDB_MAJOR > 8 \
+|| (ROCKSDB_MAJOR == 8 && ROCKSDB_MINOR > 1) \
+|| (ROCKSDB_MAJOR == 8 && ROCKSDB_MINOR == 1 && ROCKSDB_PATCH >= 1)
+	#define IRCD_DB_HAS_CACHE_ASYNC
+#endif

ircd/net_dns_cache.cc

@@ -191,10 +191,10 @@ bool
 ircd::net::dns::cache::operator==(const waiter &a, const waiter &b)
 noexcept
 {
-	return
-	a.opts.qtype == b.opts.qtype &&
-	a.key && b.key &&
-	a.key == b.key;
+	return true
+	&& a.opts.qtype == b.opts.qtype
+	&& a.key && b.key
+	&& a.key == b.key;
 }
 
 bool
@@ -227,7 +227,7 @@ ircd::net::dns::cache::waiter::waiter(const hostport &hp,
 {
 	opts.qtype == 33?
 		make_SRV_key(keybuf, hp, opts):
-		strlcpy(keybuf, host(hp))
+		tolower(keybuf, host(hp))
 }
 {
 	this->opts.srv = {};

ircd/versions.cc

@@ -13,12 +13,12 @@
 //
 
 template<>
-decltype(ircd::util::instance_list<ircd::versions>::allocator)
+decltype(ircd::versions::allocator)
 ircd::util::instance_list<ircd::versions>::allocator
 {};
 
 template<>
-decltype(ircd::util::instance_list<ircd::versions>::list)
+decltype(ircd::versions::list)
 ircd::util::instance_list<ircd::versions>::list
 {
 	allocator

matrix/Makefile.am

@@ -137,6 +137,7 @@ libircd_matrix_la_SOURCES += user_devices.cc
 libircd_matrix_la_SOURCES += user_events.cc
 libircd_matrix_la_SOURCES += user_filter.cc
 libircd_matrix_la_SOURCES += user_ignores.cc
+libircd_matrix_la_SOURCES += user_keys.cc
 libircd_matrix_la_SOURCES += user_mitsein.cc
 libircd_matrix_la_SOURCES += user_notifications.cc
 libircd_matrix_la_SOURCES += user_profile.cc

matrix/event_append.cc

@@ -8,31 +8,25 @@
 // copyright notice and this permission notice is present in all copies. The
 // full license for this software is available in the LICENSE file.
 
-namespace ircd::m
-{
-	extern const event::keys::exclude event_append_exclude_keys;
-	extern const event::keys event_append_default_keys;
-	extern conf::item<std::string> event_append_exclude_types;
-	extern conf::item<bool> event_append_info;
-	extern log::log event_append_log;
-}
-
-decltype(ircd::m::event_append_log)
-ircd::m::event_append_log
+[[gnu::visibility("hidden")]]
+decltype(ircd::m::event::append::log)
+ircd::m::event::append::log
 {
 	"m.event.append"
 };
 
-decltype(ircd::m::event_append_info)
-ircd::m::event_append_info
+[[gnu::visibility("hidden")]]
+decltype(ircd::m::event::append::info)
+ircd::m::event::append::info
 {
 	{ "name",     "ircd.m.event.append.info" },
 	{ "default",  false                      },
 	{ "persist",  false                      },
 };
 
-decltype(ircd::m::event_append_exclude_types)
-ircd::m::event_append_exclude_types
+[[gnu::visibility("hidden")]]
+decltype(ircd::m::event::append::exclude_types)
+ircd::m::event::append::exclude_types
 {
 	{ "name",     "ircd.m.event.append.exclude.types" },
 	{ "default",  "org.matrix.dummy_event"            },
@@ -42,8 +36,9 @@ ircd::m::event_append_exclude_types
 /// to the client. This mask is applied only if the caller of event::append{}
 /// did not supply their mask to apply. It is also inferior to the user's
 /// filter if supplied.
-decltype(ircd::m::event_append_exclude_keys)
-ircd::m::event_append_exclude_keys
+[[gnu::visibility("hidden")]]
+decltype(ircd::m::event::append::exclude_keys)
+ircd::m::event::append::exclude_keys
 {
 	"auth_events",
 	"hashes",
@@ -53,16 +48,17 @@ ircd::m::event_append_exclude_keys
 	"signatures",
 };
 
-decltype(ircd::m::event_append_default_keys)
-ircd::m::event_append_default_keys
+[[gnu::visibility("hidden")]]
+decltype(ircd::m::event::append::default_keys)
+ircd::m::event::append::default_keys
 {
-	event_append_exclude_keys
+	event::append::exclude_keys
 };
 
-ircd::m::event::append::append(json::stack::array &array,
-                               const event &event_,
+bool
+ircd::m::event::append::object(json::stack::array &array,
+                               const event &event,
                                const opts &opts)
-:returns<bool>{[&]
 {
 	assert(array.s);
 	json::stack::checkpoint cp
@@ -70,29 +66,24 @@ ircd::m::event::append::append(json::stack::array &array,
 		*array.s
 	};
 
-	json::stack::object object
+	json::stack::object _object
 	{
 		array
 	};
 
 	const bool ret
 	{
-		append
-		{
-			object, event_, opts
-		}
+		members(_object, event, opts)
 	};
 
 	cp.committing(ret);
 	return ret;
-}}
-{
 }
 
-ircd::m::event::append::append(json::stack::object &object,
-                               const event &event,
-                               const opts &opts)
-:returns<bool>{[&]
+bool
+ircd::m::event::append::members(json::stack::object &out,
+                                const event &event,
+                                const opts &opts)
 {
 	// Assertions that the event being appended has some required fields. This
 	// is a central butt-end test of data coming through the system to here.
@@ -101,150 +92,35 @@ ircd::m::event::append::append(json::stack::object &object,
 	assert(defined(json::get<"sender"_>(event)));
 	//assert(json::get<"origin_server_ts"_>(event));
 	//assert(json::get<"origin_server_ts"_>(event) != json::undefined_number);
-	#if defined(RB_DEBUG)
-	if(unlikely(!defined(json::get<"type"_>(event))))
-		return false;
+	if constexpr(RB_DEBUG_LEVEL)
+	{
+		if(unlikely(!defined(json::get<"type"_>(event))))
+			return false;
 
-	if(unlikely(!defined(json::get<"sender"_>(event))))
-		return false;
-	#endif
+		if(unlikely(!defined(json::get<"sender"_>(event))))
+			return false;
+	}
 
 	if(opts.event_filter && !m::match(*opts.event_filter, event))
 		return false;
 
-	const auto &not_types
-	{
-		event_append_exclude_types
-	};
-
-	if(!opts.event_filter && token_exists(not_types, ' ', json::get<"type"_>(event)))
-	{
-		log::debug
-		{
-			log, "Not sending event %s because type '%s' excluded by configuration.",
-			string_view{event.event_id},
-			json::get<"type"_>(event),
-		};
-
+	if(is_excluded(event, opts))
 		return false;
-	}
-
-	if(opts.query_visible && opts.user_id && !visible(event, *opts.user_id))
-	{
-		log::debug
-		{
-			log, "Not sending event %s because not visible to %s.",
-			string_view{event.event_id},
-			string_view{*opts.user_id},
-		};
 
+	if(is_invisible(event, opts))
 		return false;
-	}
-
-	const bool has_event_idx
-	{
-		opts.event_idx && *opts.event_idx
-	};
-
-	const bool is_state
-	{
-		defined(json::get<"state_key"_>(event))
-	};
-
-	const bool query_redacted
-	{
-		has_event_idx &&
-		opts.query_redacted &&
-		!is_state &&
-		(!opts.room_depth || *opts.room_depth > json::get<"depth"_>(event))
-	};
-
-	if(query_redacted && m::redacted(*opts.event_idx))
-	{
-		log::debug
-		{
-			log, "Not sending event %s because redacted.",
-			string_view{event.event_id},
-		};
 
+	if(is_redacted(event, opts))
 		return false;
-	}
 
-	const bool has_user
-	{
-		opts.user_id && opts.user_room
-	};
-
-	const bool check_ignores
-	{
-		has_user && !is_state
-	};
-
-	if(check_ignores && *opts.user_id != json::get<"sender"_>(event))
-	{
-		const m::user::ignores ignores
-		{
-			*opts.user_id
-		};
-
-		if(ignores.enforce("events") && ignores.has(json::get<"sender"_>(event)))
-		{
-			log::debug
-			{
-				log, "Not sending event %s because %s is ignored by %s",
-				string_view{event.event_id},
-				json::get<"sender"_>(event),
-				string_view{*opts.user_id}
-			};
-
-			return false;
-		}
-	}
-
-	const bool sender_is_user
-	{
-		has_user && json::get<"sender"_>(event) == *opts.user_id
-	};
-
-	const bool has_client_txnid
-	{
-		opts.client_txnid && *opts.client_txnid
-	};
-
-	const auto txnid_idx
-	{
-		!has_client_txnid && sender_is_user && opts.query_txnid?
-			opts.user_room->get(std::nothrow, "ircd.client.txnid", event.event_id):
-			0UL
-	};
-
-	const bool query_prev_state
-	{
-		opts.query_prev_state && has_event_idx && is_state
-	};
-
-	const auto prev_state_idx
-	{
-		query_prev_state?
-			room::state::prev(*opts.event_idx):
-			0UL
-	};
-
-	#if defined(RB_DEBUG) && 0
-	if(!has_client_txnid && !txnid_idx && sender_is_user && opts.query_txnid)
-		log::dwarning
-		{
-			log, "Could not find transaction_id for %s from %s in %s",
-			string_view{event.event_id},
-			json::get<"sender"_>(event),
-			json::get<"room_id"_>(event)
-		};
-	#endif
+	if(is_ignored(event, opts))
+		return false;
 
+	// For v3+ events
 	if(!json::get<"event_id"_>(event))
 		json::stack::member
 		{
-			object, "event_id", event.event_id
+			out, "event_id", event.event_id
 		};
 
 	// Get the list of properties to send to the client so we can strip
@@ -254,11 +130,11 @@ ircd::m::event::append::append(json::stack::object &object,
 	{
 		opts.keys?
 			*opts.keys:
-			event_append_default_keys
+			default_keys
 	};
 
 	// Append the event members
-	for_each(event, [&keys, &object]
+	for_each(event, [&keys, &out]
 	(const auto &key, const auto &val_)
 	{
 		if(!keys.has(key) && key != "redacts"_sv)
@@ -274,70 +150,77 @@ ircd::m::event::append::append(json::stack::object &object,
 
 		json::stack::member
 		{
-			object, key, val
+			out, key, val
 		};
 
 		return true;
 	});
 
-	json::stack::object unsigned_
-	{
-		object, "unsigned"
-	};
+	_unsigned(out, event, opts);
 
-	const json::value age
-	{
-		// When the opts give an explicit age, use it.
-		opts.age != std::numeric_limits<long>::min()?
-			opts.age:
-
-		// If we have depth information, craft a value based on the
-		// distance to the head depth; if this is 0 in riot the event will
-		// "stick" at the bottom of the timeline. This may be advantageous
-		// in the future but for now we make sure the result is non-zero.
-		json::get<"depth"_>(event) >= 0 && opts.room_depth && *opts.room_depth >= 0L?
-			(*opts.room_depth + 1 - json::get<"depth"_>(event)) + 1:
-
-		// We don't have depth information, so we use the origin_server_ts.
-		// It is bad if it conflicts with other appends in the room which
-		// did have depth information.
-		!opts.room_depth && json::get<"origin_server_ts"_>(event)?
-			ircd::time<milliseconds>() - json::get<"origin_server_ts"_>(event):
-
-		// Finally, this special value will eliminate the age altogether
-		// during serialization.
-		json::undefined_number
-	};
-
-	json::stack::member
-	{
-		unsigned_, "age", age
-	};
-
-	if(has_client_txnid)
-		json::stack::member
+	if(unlikely(info))
+		log::info
 		{
-			unsigned_, "transaction_id", *opts.client_txnid
+			log, "%s %s idx:%lu in %s depth:%ld txnid:%s %s,%s",
+			string_view{opts.user_id},
+			string_view{event.event_id},
+			opts.event_idx,
+			json::get<"room_id"_>(event),
+			json::get<"depth"_>(event),
+			opts.client_txnid,
+			json::get<"type"_>(event),
+			json::get<"state_key"_>(event),
 		};
 
-	if(txnid_idx)
-		m::get(std::nothrow, txnid_idx, "content", [&unsigned_]
-		(const json::object &content)
-		{
-			json::stack::member
-			{
-				unsigned_, "transaction_id", unquote(content.get("transaction_id"))
-			};
-		});
+	return true;
+}
+
+void
+ircd::m::event::append::_unsigned(json::stack::object &out,
+                                  const event &event,
+                                  const opts &opts)
+{
+	json::stack::object object
+	{
+		out, "unsigned"
+	};
+
+	_age(object, event, opts);
+	_txnid(object, event, opts);
+	_relations(object, event, opts);
+	if(defined(json::get<"state_key"_>(event)))
+		_prev_state(object, event, opts);
+}
+
+void
+ircd::m::event::append::_prev_state(json::stack::object &out,
+                                    const event &event,
+                                    const opts &opts)
+{
+	assert(defined(json::get<"state_key"_>(event)));
+
+	const bool query_prev_state
+	{
+		true
+		&& opts.event_idx
+		&& opts.query_prev_state
+	};
+
+	const auto prev_state_idx
+	{
+		query_prev_state?
+			room::state::prev(opts.event_idx):
+			0UL
+	};
 
 	if(prev_state_idx)
 	{
-		m::get(std::nothrow, prev_state_idx, "content", [&unsigned_]
+		m::get(std::nothrow, prev_state_idx, "content", [&out]
 		(const json::object &content)
 		{
 			json::stack::member
 			{
-				unsigned_, "prev_content", content
+				out, "prev_content", content
 			};
 		});
 
@@ -348,7 +231,7 @@ ircd::m::event::append::append(json::stack::object &object,
 
 		json::stack::member
 		{
-			unsigned_, "replaces_state", json::value
+			out, "replaces_state", json::value
 			{
 				replaces_state_id?
 					string_view{replaces_state_id}:
@@ -356,24 +239,279 @@ ircd::m::event::append::append(json::stack::object &object,
 			}
 		};
 	}
+}
 
-	if(unlikely(event_append_info))
-		log::info
+void
+ircd::m::event::append::_txnid(json::stack::object &out,
+                               const event &event,
+                               const opts &opts)
+{
+	const bool sender_is_user
+	{
+		json::get<"sender"_>(event) == opts.user_id
+	};
+
+	const bool query_txnid
+	{
+		true
+		&& !opts.client_txnid
+		&& opts.query_txnid
+		&& opts.user_room_id
+		&& sender_is_user
+	};
+
+	const auto txnid_idx
+	{
+		query_txnid?
+			m::room(opts.user_room_id).get(std::nothrow, "ircd.client.txnid", event.event_id):
+			0UL
+	};
+
+	if constexpr(RB_DEBUG_LEVEL)
+	{
+		const bool missing_txnid
 		{
-			event_append_log, "%s %s idx:%lu in %s depth:%ld txnid:%s idx:%lu age:%ld %s,%s",
-			opts.user_id? string_view{*opts.user_id} : string_view{},
-			string_view{event.event_id},
-			opts.event_idx? *opts.event_idx : 0UL,
-			json::get<"room_id"_>(event),
-			json::get<"depth"_>(event),
-			has_client_txnid? *opts.client_txnid : string_view{},
-			txnid_idx,
-			int64_t(age),
-			json::get<"type"_>(event),
-			json::get<"state_key"_>(event),
+			true
+			&& !opts.client_txnid
+			&& !txnid_idx
+			&& sender_is_user
+			&& opts.query_txnid
 		};
 
-	return true;
-}}
-{
+		if(unlikely(missing_txnid))
+			log::dwarning
+			{
+				log, "Could not find transaction_id for %s from %s in %s",
+				string_view{event.event_id},
+				json::get<"sender"_>(event),
+				json::get<"room_id"_>(event)
+			};
+	}
+
+	if(opts.client_txnid)
+		json::stack::member
+		{
+			out, "transaction_id", opts.client_txnid
+		};
+	else if(txnid_idx)
+		m::get(std::nothrow, txnid_idx, "content", [&out]
+		(const json::object &content)
+		{
+			json::stack::member
+			{
+				out, "transaction_id", content.get("transaction_id")
+			};
+		});
+}
+
+void
+ircd::m::event::append::_age(json::stack::object &out,
+                             const event &event,
+                             const opts &opts)
+{
+	const json::value age
+	{
+		// When the opts give an explicit age, use it.
+		opts.age != std::numeric_limits<long>::min()?
+			opts.age:
+
+		// If we have depth information, craft a value based on the
+		// distance to the head depth; if this is 0 in riot the event will
+		// "stick" at the bottom of the timeline. This may be advantageous
+		// in the future but for now we make sure the result is non-zero.
+		json::get<"depth"_>(event) >= 0 && opts.room_depth >= 0L?
+			(opts.room_depth + 1 - json::get<"depth"_>(event)) + 1:
+
+		// We don't have depth information, so we use the origin_server_ts.
+		// It is bad if it conflicts with other appends in the room which
+		// did have depth information.
+		opts.room_depth < 0 && json::get<"origin_server_ts"_>(event)?
+			ircd::time<milliseconds>() - json::get<"origin_server_ts"_>(event):
+
+		// Finally, this special value will eliminate the age altogether
+		// during serialization.
+		json::undefined_number
+	};
+
+	json::stack::member
+	{
+		out, "age", age
+	};
+}
+
+void
+ircd::m::event::append::_relations(json::stack::object &out,
+                                   const event &event,
+                                   const opts &opts)
+{
+	assert(out.s);
+	json::stack::checkpoint cp
+	{
+		*out.s, false
+	};
+
+	json::stack::object object
+	{
+		out, "m.relations"
+	};
+
+	bool commit
+	{
+		cp.committing()
+	};
+
+	if(opts.bundle_all || opts.bundle_replace)
+		commit |= bundle_replace(object, event, opts);
+
+	cp.committing(commit);
+}
+
+bool
+ircd::m::event::append::bundle_replace(json::stack::object &out,
+                                       const event &event,
+                                       const opts &opts)
+{
+	const m::replaced replaced
+	{
+		opts.event_idx, m::replaced::latest
+	};
+
+	const event::idx &replace_idx
+	{
+		replaced
+	};
+
+	if(likely(!replace_idx))
+		return false;
+
+	const m::event::fetch replace
+	{
+		std::nothrow, replace_idx
+	};
+
+	if(unlikely(!replace.valid))
+		return false;
+
+	json::stack::object object
+	{
+		out, "m.replace"
+	};
+
+	object.append(replace);
+	return true;
+}
+
+bool
+ircd::m::event::append::is_excluded(const event &event,
+                                    const opts &opts)
+const
+{
+	const auto &not_types
+	{
+		exclude_types
+	};
+
+	const bool ret
+	{
+		true
+		&& !opts.event_filter
+		&& token_exists(not_types, ' ', json::get<"type"_>(event))
+	};
+
+	if(ret)
+		log::debug
+		{
+			log, "Not sending event %s because type '%s' excluded by configuration.",
+			string_view{event.event_id},
+			json::get<"type"_>(event),
+		};
+
+	return ret;
+}
+
+bool
+ircd::m::event::append::is_invisible(const event &event,
+                                     const opts &opts)
+const
+{
+	const bool ret
+	{
+		true
+		&& opts.query_visible
+		&& opts.user_id
+		&& !visible(event, opts.user_id)
+	};
+
+	if(ret)
+		log::debug
+		{
+			log, "Not sending event %s because not visible to %s.",
+			string_view{event.event_id},
+			string_view{opts.user_id},
+		};
+
+	return ret;
+}
+
+bool
+ircd::m::event::append::is_redacted(const event &event,
+                                    const opts &opts)
+const
+{
+	const bool ret
+	{
+		true
+		&& opts.event_idx
+		&& opts.query_redacted
+		&& !defined(json::get<"state_key"_>(event))
+		&& opts.room_depth > json::get<"depth"_>(event)
+		&& m::redacted(opts.event_idx)
+	};
+
+	if(ret)
+		log::debug
+		{
+			log, "Not sending event %s because redacted.",
+			string_view{event.event_id},
+		};
+
+	return ret;
+}
+
+bool
+ircd::m::event::append::is_ignored(const event &event,
+                                   const opts &opts)
+const
+{
+	const bool check_ignores
+	{
+		true
+		&& !defined(json::get<"state_key"_>(event))
+		&& opts.user_id
+		&& opts.user_room_id
+		&& opts.user_id != json::get<"sender"_>(event)
+	};
+
+	if(!check_ignores)
+		return false;
+
+	const m::user::ignores ignores
+	{
+		opts.user_id
+	};
+
+	if(ignores.enforce("events") && ignores.has(json::get<"sender"_>(event)))
+	{
+		log::debug
+		{
+			log, "Not sending event %s because %s is ignored by %s",
+			string_view{event.event_id},
+			json::get<"sender"_>(event),
+			string_view{opts.user_id}
+		};
+
+		return true;
+	}
+
+	return false;
 }

matrix/name.cc

@@ -200,3 +200,4 @@ constexpr const char *const ircd::m::name::m_in_reply_to;
 constexpr const char *const ircd::m::name::usage;
 constexpr const char *const ircd::m::name::master_key;
 constexpr const char *const ircd::m::name::self_signing_key;
+constexpr const char *const ircd::m::name::user_signing_key;

matrix/pretty.cc

@@ -365,8 +365,8 @@ ircd::m::pretty_stateline(std::ostream &out,
 		<< std::right << " [ "
 		<< std::setw(30) << type
 		<< std::left << " | "
-		<< std::setw(50) << state_key
-		<< std::left << " ]" << flags << " "
+		<< std::setw(50) << trunc(state_key, 50)
+		<< std::left << "]" << flags << " "
 		<< std::setw(10) << event_idx
 		<< std::left << "  "
 		<< std::setw(72) << string_view{event.event_id}
@@ -382,10 +382,10 @@ ircd::m::pretty_stateline(std::ostream &out,
 		<< std::right << " "
 		<< std::setw(9) << json::get<"depth"_>(event)
 		<< std::right << " [ "
-		<< std::setw(40) << type
+		<< std::setw(50) << type
 		<< std::left << " | "
-		<< std::setw(56) << state_key
-		<< std::left << " ]" << flags << " "
+		<< std::setw(60) << trunc(state_key, 60)
+		<< std::left << "]" << flags << " "
 		<< std::setw(10) << event_idx
 		<< ' '
 		<< std::left << trunc(content, 80)

matrix/relates.cc

@@ -8,6 +8,13 @@
 // copyright notice and this permission notice is present in all copies. The
 // full license for this software is available in the LICENSE file.
 
+decltype(ircd::m::relates::latest_column)
+ircd::m::relates::latest_column
+{
+	{ "name",     "ircd.m.relates.latest_column" },
+	{ "default",  "origin_server_ts"             },
+};
+
 bool
 ircd::m::relates::prefetch(const string_view &type)
 const
@@ -21,8 +28,8 @@ const
 	refs.for_each(dbs::ref::M_RELATES, [this, &ret]
 	(const auto &event_idx, const auto &)
 	{
-		if(this->prefetch_depth)
-			ret |= m::prefetch(event_idx, "depth");
+		if(this->prefetch_latest)
+			ret |= m::prefetch(event_idx, string_view{latest_column});
 
 		if(this->prefetch_sender || this->match_sender)
 			ret |= m::prefetch(event_idx, "sender");
@@ -87,6 +94,11 @@ ircd::m::relates::latest(const string_view &type,
                          uint *const at)
 const
 {
+	const string_view &column
+	{
+		latest_column
+	};
+
 	if(at)
 		*at = -1;
 
@@ -97,10 +109,10 @@ const
 	(const event::idx &event_idx, const json::object &, const m::relates_to &)
 	noexcept
 	{
-		int64_t depth{0};
-		if((depth = m::get(std::nothrow, event_idx, "depth", depth)) > best)
+		int64_t val{0};
+		if((val = m::get(std::nothrow, event_idx, column, val)) > best)
 		{
-			best = depth;
+			best = val;
 			ret = event_idx;
 
 			if(at)

matrix/user_devices.cc

@@ -8,26 +8,81 @@
 // copyright notice and this permission notice is present in all copies. The
 // full license for this software is available in the LICENSE file.
 
-bool
-ircd::m::user::devices::send(json::iov &content)
+ircd::m::user::devices::send::send(const m::user::devices &devices,
+                                   const m::id::device &device_id,
+                                   const string_view room_id)
 try
 {
-	assert(content.has("user_id"));
-	assert(content.has("device_id"));
+	assert(device_id);
+
+	const auto &user_id
+	{
+		devices.user.user_id
+	};
+
+	const bool deleted
+	{
+		devices.has(device_id)
+	};
+
+	const m::user::keys user_keys
+	{
+		user_id
+	};
+
+	const bool has_keys
+	{
+		!deleted && user_keys.has_device(device_id)
+	};
+
+	const unique_mutable_buffer keys_buf
+	{
+		has_keys? 4_KiB: 0_KiB
+	};
+
+	json::stack keys{keys_buf};
+	if(has_keys)
+	{
+		json::stack::object top{keys};
+		user_keys.device(top, device_id);
+	}
 
 	// Triggers a devices request from the remote; also see
 	// modules/federation/user_devices.cc
-	const long &stream_id
-	{
-		1L
-	};
+	static const auto stream_id{1L};
 
-	json::iov event;
+	json::iov event, content;
 	const json::iov::push push[]
 	{
 		{ event,    { "type",       "m.device_list_update"  } },
-		{ event,    { "sender",     content.at("user_id")   } },
+		{ event,    { "sender",     user_id                 } },
+		{ content,  { "deleted",    deleted                 } },
+		{ content,  { "device_id",  device_id               } },
 		{ content,  { "stream_id",  stream_id               } },
+		{ content,  { "user_id",    user_id                 } },
+	};
+
+	const json::iov::push push_keys
+	{
+		content, has_keys,
+		{
+			"keys", [&keys]
+			{
+				return keys.completed();
+			}
+		}
+	};
+
+	// For diagnostic purposes; usually not defined.
+	const json::iov::push push_room_id
+	{
+		event, m::valid(m::id::ROOM, room_id),
+		{
+			"room_id", [&room_id]
+			{
+				return room_id;
+			}
+		}
 	};
 
 	m::vm::copts opts;
@@ -39,8 +94,6 @@ try
 	{
 		event, content, opts
 	};
-
-	return true;
 }
 catch(const ctx::interrupted &)
 {
@@ -51,12 +104,10 @@ catch(const std::exception &e)
 	log::error
 	{
 		m::log, "Send m.device_list_update for '%s' belonging to %s :%s",
-		content.at("device_id"),
-		content.at("user_id"),
+		string_view{device_id},
+		string_view{devices.user.user_id},
 		e.what(),
 	};
-
-	return false;
 }
 
 bool
@@ -185,21 +236,11 @@ const
 		m::redact(user_room, user_room.user, event_id, "deleted")
 	};
 
-	if(!my(user))
-		return true;
-
-	json::iov content;
-	const json::iov::push push[]
-	{
-		{ content,  { "user_id",    user.user_id  } },
-		{ content,  { "device_id",  id            } },
-		{ content,  { "deleted",    true          } },
-	};
-
-	const bool broadcasted
-	{
-		user::devices::send(content)
-	};
+	if(my(user))
+		user::devices::send
+		{
+			*this, id
+		};
 
 	return true;
 }

matrix/user_keys.cc

@@ -0,0 +1,429 @@
+// The Construct
+//
+// Copyright (C) The Construct Developers, Authors & Contributors
+// Copyright (C) 2016-2023 Jason Volk <jason@zemos.net>
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice is present in all copies. The
+// full license for this software is available in the LICENSE file.
+
+ircd::m::user::keys::send::send(const m::user::keys &user_keys,
+                                const string_view room_id)
+try
+{
+	const auto &user_id
+	{
+		user_keys.user_room.user.user_id
+	};
+
+	const unique_mutable_buffer keys_buf[2]
+	{
+		{ 4_KiB },
+		{ 4_KiB },
+	};
+
+	json::stack keys[2]
+	{
+		{ keys_buf[0] },
+		{ keys_buf[1] },
+	};
+
+	// master
+	{
+		json::stack::object object{keys[0]};
+		user_keys.cross_master(object);
+	}
+
+	// self
+	{
+		json::stack::object object{keys[1]};
+		user_keys.cross_self(object);
+	}
+
+	json::iov event, content;
+	const json::iov::push push[]
+	{
+		{ event,    { "type",             "m.signing_key_update"  } },
+		{ event,    { "sender",            user_id                } },
+		{ content,  { "master_key",        keys[0].completed()    } },
+		{ content,  { "self_signing_key",  keys[1].completed()    } },
+		{ content,  { "user_id",           user_id                } },
+	};
+
+	// For diagnostic purposes; usually not defined.
+	const json::iov::push push_room_id
+	{
+		event, m::valid(m::id::ROOM, room_id),
+		{
+			"room_id", [&room_id]
+			{
+				return room_id;
+			}
+		}
+	};
+
+	m::vm::copts opts;
+	opts.edu = true;
+	opts.prop_mask.reset();
+	opts.prop_mask.set("origin");
+	opts.notify_clients = false;
+	m::vm::eval
+	{
+		event, content, opts
+	};
+}
+catch(const ctx::interrupted &)
+{
+	throw;
+}
+catch(const std::exception &e)
+{
+	log::error
+	{
+		m::log, "Sending m.signing_key_update for %s :%s",
+		string_view{user_keys.user_room.user.user_id},
+		e.what(),
+	};
+}
+
+void
+ircd::m::user::keys::update(const m::signing_key_update &sku)
+const
+{
+	const m::user::id &user_id
+	{
+		json::get<"user_id"_>(sku)
+	};
+
+	const m::user::room room
+	{
+		user_id
+	};
+
+	const json::object &msk
+	{
+		json::get<"master_key"_>(sku)
+	};
+
+	const auto cross_master_id
+	{
+		json::get<"master_key"_>(sku)?
+			m::send(room, user_id, "ircd.cross_signing.master", "", msk):
+			m::event::id::buf{}
+	};
+
+	const json::object &ssk
+	{
+		json::get<"self_signing_key"_>(sku)
+	};
+
+	const auto cross_self_id
+	{
+		ssk?
+			m::send(room, user_id, "ircd.cross_signing.self", "", ssk):
+			m::event::id::buf{}
+	};
+
+	const json::object &usk
+	{
+		json::get<"user_signing_key"_>(sku)
+	};
+
+	const auto cross_user_id
+	{
+		usk && my(user_id)?
+			m::send(room, user_id, "ircd.cross_signing.user", "", usk):
+			m::event::id::buf{}
+	};
+}
+
+bool
+ircd::m::user::keys::claim(json::stack::object &object,
+                           const string_view &device_id,
+                           const string_view &algorithm)
+const
+{
+	const fmt::bsprintf<m::event::TYPE_MAX_SIZE> type
+	{
+		"ircd.device.one_time_key|%s",
+		algorithm
+	};
+
+	const m::room::type events
+	{
+		user_room, type, { -1UL, -1L }, true
+	};
+
+	return !events.for_each([this, &object, &device_id]
+	(const string_view &type, const auto &, const m::event::idx &event_idx)
+	{
+		if(m::redacted(event_idx))
+			return true;
+
+		const bool match
+		{
+			m::query(std::nothrow, event_idx, "state_key", [&device_id]
+			(const string_view &state_key) noexcept
+			{
+				return state_key == device_id;
+			})
+		};
+
+		if(!match)
+			return true;
+
+		const auto algorithm
+		{
+			split(type, '|').second
+		};
+
+		const bool fetched
+		{
+			m::get(std::nothrow, event_idx, "content", [&object, &algorithm]
+			(const json::object &content)
+			{
+				json::stack::member
+				{
+					object, algorithm, json::object
+					{
+						content[""] // ircd.device.* quirk
+					}
+				};
+			})
+		};
+
+		if(!fetched)
+			return true;
+
+		const auto event_id
+		{
+			m::event_id(event_idx)
+		};
+
+		const auto redact_id
+		{
+			m::redact(user_room, user_room.user, event_id, "claimed")
+		};
+
+		return false;
+	});
+}
+
+void
+ircd::m::user::keys::device(json::stack::object &out,
+                            const string_view &device_id)
+const
+{
+	const m::user::devices devices
+	{
+		user_room.user
+	};
+
+	devices.get(std::nothrow, device_id, "keys", [this, &out, &device_id]
+	(const auto &, const json::object &device_keys)
+	{
+		const auto &user_id
+		{
+			user_room.user.user_id
+		};
+
+		for(const auto &member : device_keys)
+			if(member.first != "signatures")
+				json::stack::member
+				{
+					out, member
+				};
+
+		json::stack::object sigs
+		{
+			out, "signatures"
+		};
+
+		json::stack::object user_sigs
+		{
+			sigs, user_id
+		};
+
+		attach_sigs(user_sigs, device_keys, user_id);
+
+		const m::room::state state
+		{
+			user_room
+		};
+
+		state.for_each("ircd.keys.signatures", [this, &user_sigs, &user_id, &device_id]
+		(const string_view &, const string_view &state_key, const auto &event_idx)
+		{
+			const auto &[target, source]
+			{
+				unmake_sigs_state_key(state_key)
+			};
+
+			if(target && target != device_id)
+				return true;
+
+			attach_sigs(user_sigs, event_idx, user_id);
+			return true;
+		});
+	});
+}
+
+bool
+ircd::m::user::keys::append_keys(json::stack::object &out,
+                                 const event::idx &event_idx,
+                                 const user::id &user_id)
+const
+{
+	return m::get(std::nothrow, event_idx, "content", [this, &out, &user_id]
+	(const json::object &device_keys)
+	{
+		append_keys(out, device_keys, user_id);
+	});
+}
+
+void
+ircd::m::user::keys::append_keys(json::stack::object &out,
+                                 const json::object &device_keys,
+                                 const user::id &user_id)
+const
+{
+	for(const auto &member : device_keys)
+		if(member.first != "signatures")
+			json::stack::member
+			{
+				out, member
+			};
+
+	json::stack::object sigs
+	{
+		out, "signatures"
+	};
+
+	// signatures of the key's owner
+	assert(user_room.user.user_id);
+	append_sigs(sigs, device_keys, user_room.user.user_id);
+
+	// signatures of a cross-signer
+	assert(user_id);
+	if(user_id != user_room.user.user_id)
+		append_sigs(sigs, device_keys, user_id);
+}
+
+void
+ircd::m::user::keys::append_sigs(json::stack::object &out,
+                                 const json::object &device_keys,
+                                 const user::id &user_id)
+const
+{
+	json::stack::object user_sigs
+	{
+		out, user_id
+	};
+
+	attach_sigs(user_sigs, device_keys, user_id);
+
+	const json::object device_keys_keys
+	{
+		device_keys["keys"]
+	};
+
+	const m::room::state state
+	{
+		user_room
+	};
+
+	state.for_each("ircd.keys.signatures", [this, &user_sigs, &user_id, &device_keys_keys]
+	(const string_view &, const string_view &state_key, const auto &event_idx)
+	{
+		const auto &[target, source]
+		{
+			unmake_sigs_state_key(state_key)
+		};
+
+		for(const auto &[key_id_, key] : device_keys_keys)
+		{
+			const auto &key_id
+			{
+				split(key_id_, ':').second
+			};
+
+			if(target != key_id)
+				continue;
+
+			attach_sigs(user_sigs, event_idx, user_id);
+		}
+
+		return true;
+	});
+}
+
+bool
+ircd::m::user::keys::attach_sigs(json::stack::object &user_sigs,
+                                 const event::idx &event_idx,
+                                 const user::id &user_id)
+const
+{
+	return m::get(std::nothrow, event_idx, "content", [this, &user_sigs, &user_id]
+	(const json::object &device_sigs)
+	{
+		attach_sigs(user_sigs, device_sigs, user_id);
+	});
+}
+
+void
+ircd::m::user::keys::attach_sigs(json::stack::object &user_sigs,
+                                 const json::object &device_sigs,
+                                 const user::id &user_id)
+const
+{
+	const json::object device_sigs_sigs
+	{
+		device_sigs["signatures"]
+	};
+
+	const json::object device_sigs_user_sigs
+	{
+		device_sigs_sigs[user_id]
+	};
+
+	for(const auto &member : device_sigs_user_sigs)
+		json::stack::member
+		{
+			user_sigs, member
+		};
+}
+
+//
+// user::keys::sigs
+//
+
+std::tuple<ircd::string_view, ircd::string_view>
+ircd::m::user::keys::unmake_sigs_state_key(const string_view &state_key)
+noexcept
+{
+	const auto &[tgt, src]
+	{
+		rsplit(state_key, '%')
+	};
+
+	return std::tuple
+	{
+		tgt, src
+	};
+}
+
+ircd::string_view
+ircd::m::user::keys::make_sigs_state_key(const mutable_buffer &buf,
+                                         const string_view &tgt,
+                                         const string_view &src)
+{
+	return fmt::sprintf
+	{
+		buf, "%s%s",
+		string_view{tgt},
+		tgt != src && src?
+			string_view{src}:
+			string_view{},
+	};
+}

modules/client/create_group.cc

@@ -60,7 +60,7 @@ ircd::m::groups::handle_post(client &client,
 
 	return resource::response
 	{
-		client, http::CREATED, json::members
+		client, http::OK, json::members
 		{
 			{ "group_id", group_id }
 		},

modules/client/createroom.cc

@@ -103,7 +103,7 @@ post__createroom(client &client,
 	top.~object();
 	return m::resource::response
 	{
-		client, http::CREATED, json::object
+		client, http::OK, json::object
 		{
 			out.completed()
 		}

modules/client/events.cc

@@ -376,10 +376,10 @@ append_event(json::stack::array &out,
 	{
 		out, event,
 		{
-			.event_idx = &event_idx,
-			.user_id = &user_room.user.user_id,
-			.user_room = &user_room,
-			.room_depth = &room_depth,
+			.event_idx = event_idx,
+			.user_id = user_room.user.user_id,
+			.user_room_id = user_room.room_id,
+			.room_depth = room_depth,
 		},
 	};
 }

modules/client/keys/claim.cc

@@ -42,10 +42,11 @@ recv_response(const string_view &,
               const system_point &);
 
 static void
-recv_responses(query_map &,
+recv_responses(const host_users_map &,
+               query_map &,
                failure_map &,
                json::stack::object &,
-               const milliseconds &);
+               const system_point &);
 
 static void
 handle_failures(const failure_map &,
@@ -137,6 +138,11 @@ post__keys_claim(client &client,
 		send_requests(map, buffers, failures)
 	};
 
+	const system_point timedout
+	{
+		ircd::now<system_point>() + timeout
+	};
+
 	m::resource::response::chunked response
 	{
 		client, http::OK
@@ -152,9 +158,9 @@ post__keys_claim(client &client,
 		out
 	};
 
-	recv_responses(queries, failures, top, timeout);
+	recv_responses(map, queries, failures, top, timedout);
 	handle_failures(failures, top);
-	return {};
+	return response;
 }
 
 void
@@ -174,14 +180,22 @@ handle_failures(const failure_map &failures,
 }
 
 void
-recv_responses(query_map &queries,
+recv_responses(const host_users_map &map,
+               query_map &queries,
                failure_map &failures,
                json::stack::object &out,
-               const milliseconds &timeout)
+               const system_point &timeout)
 {
-	const system_point timedout
+	static const user_devices_map empty;
+
+	const auto it
 	{
-		ircd::now<system_point>() + timeout
+		map.find(origin(m::my()))
+	};
+
+	const user_devices_map &self
+	{
+		it != end(map)? it->second: empty
 	};
 
 	json::stack::object one_time_keys
@@ -189,13 +203,55 @@ recv_responses(query_map &queries,
 		out, "one_time_keys"
 	};
 
-	for(auto &[remote, request] : queries)
+	// local handle
+	for(const auto &[user_id, reqs] : self)
 	{
-		assert(!failures.count(remote));
-		if(failures.count(remote))
-			continue;
+		const m::user::keys keys
+		{
+			user_id
+		};
 
-		recv_response(remote, request, failures, one_time_keys, timedout);
+		json::stack::object user_object
+		{
+			one_time_keys, user_id
+		};
+
+		for(const auto &[device_id, algorithm] : json::object(reqs))
+		{
+			json::stack::object device_object
+			{
+				user_object, device_id
+			};
+
+			keys.claim(device_object, device_id, json::string(algorithm));
+		}
+	}
+
+	// remote handle
+	while(!queries.empty())
+	{
+		auto next
+		{
+			ctx::when_any(begin(queries), end(queries), []
+			(auto &it) -> m::fed::user::keys::claim &
+			{
+				return it->second;
+			})
+		};
+
+		const bool ok
+		{
+			next.wait_until(timeout, std::nothrow)
+		};
+
+		const auto it(next.get());
+		const unwind remove{[&queries, &it]
+		{
+			queries.erase(it);
+		}};
+
+		auto &[remote, request] {*it};
+		recv_response(remote, request, failures, one_time_keys, timeout);
 	}
 }
 
@@ -223,14 +279,22 @@ try
 	};
 
 	for(const auto &[user_id, keys] : one_time_keys)
+	{
+		if(m::user::id(user_id).host() != remote)
+			continue;
+
 		json::stack::member
 		{
-			object, user_id, json::object{keys}
+			object, user_id, json::object
+			{
+				keys
+			}
 		};
+	}
 }
 catch(const std::exception &e)
 {
-	log::error
+	log::derror
 	{
 		m::log, "user keys claim from %s :%s",
 		remote,
@@ -247,7 +311,8 @@ send_requests(const host_users_map &hosts,
 {
 	query_map ret;
 	for(const auto &[remote, user_devices] : hosts)
-		send_request(remote, user_devices, failures, buffers, ret);
+		if(likely(!my_host(remote)))
+			send_request(remote, user_devices, failures, buffers, ret);
 
 	return ret;
 }
@@ -292,7 +357,7 @@ try
 }
 catch(const std::exception &e)
 {
-	log::error
+	log::derror
 	{
 		m::log, "user keys claim to %s for %zu users :%s",
 		remote,

modules/client/keys/device_signing/upload.cc

@@ -66,52 +66,26 @@ ircd::m::post_keys_device_signing_upload(client &client,
 		auth["password"]
 	};
 
-	const m::user::room room
+	const m::user user
 	{
 		request.user_id
 	};
 
-	if(!room.user.is_password(password))
+	if(!user.is_password(password))
 		throw m::ACCESS_DENIED
 		{
 			"Incorrect password."
 		};
 
-	const json::object &msk
+	const m::user::keys keys
 	{
-		request["master_key"]
+		user
 	};
 
-	const auto master_id
-	{
-		msk?
-			send(room, request.user_id, "ircd.device.signing.master", "", msk):
-			event::id::buf{}
-	};
+	m::signing_key_update sku{request};
+	json::get<"user_id"_>(sku) = request.user_id;
 
-	const json::object &ssk
-	{
-		request["self_signing_key"]
-	};
-
-	const auto self_signing_id
-	{
-		ssk?
-			send(room, request.user_id, "ircd.device.signing.self", "", ssk):
-			event::id::buf{}
-	};
-
-	const json::object &usk
-	{
-		request["user_signing_key"]
-	};
-
-	const auto user_signing_id
-	{
-		usk?
-			send(room, request.user_id, "ircd.device.signing.user", "", usk):
-			event::id::buf{}
-	};
+	keys.update(sku);
 
 	return resource::response
 	{

modules/client/keys/query.cc

@@ -19,8 +19,32 @@ namespace
 	using buffer_list = std::vector<unique_buffer<mutable_buffer>>;
 }
 
-static host_users_map
-parse_user_request(const json::object &device_keys);
+static void
+handle_cross_keys(const m::resource::request &,
+                  const user_devices_map &,
+                  query_map &,
+                  failure_map &,
+                  json::stack::object &,
+                  const string_view &);
+
+static void
+handle_device_keys(const m::resource::request &,
+                   const user_devices_map &,
+                   query_map &,
+                   failure_map &,
+                   json::stack::object &);
+
+static void
+handle_responses(const m::resource::request &,
+                 const host_users_map &,
+                 query_map &,
+                 failure_map &,
+                 json::stack::object &);
+
+static void
+handle_errors(const m::resource::request &,
+              query_map &,
+              failure_map &);
 
 static bool
 send_request(const string_view &,
@@ -34,19 +58,8 @@ send_requests(const host_users_map &,
               buffer_list &,
               failure_map &);
 
-static void
-recv_response(const m::resource::request &,
-              const string_view &,
-              m::fed::user::keys::query &,
-              failure_map &,
-              json::stack::object &);
-
-static void
-recv_responses(const m::resource::request &,
-               query_map &,
-               failure_map &,
-               json::stack::object &,
-               const milliseconds &);
+static host_users_map
+parse_user_request(const json::object &device_keys);
 
 static void
 handle_failures(const failure_map &,
@@ -148,6 +161,20 @@ post__keys_query(client &client,
 		send_requests(map, buffers, failures)
 	};
 
+	auto responses
+	{
+		ctx::when_all(begin(queries), end(queries), []
+		(auto &it) -> m::fed::user::keys::query &
+		{
+			return it->second;
+		})
+	};
+
+	const bool all_good
+	{
+		responses.wait_until(now<system_point>() + timeout, std::nothrow)
+	};
+
 	m::resource::response::chunked response
 	{
 		client, http::OK
@@ -163,9 +190,9 @@ post__keys_query(client &client,
 		out
 	};
 
-	recv_responses(request, queries, failures, top, timeout);
+	handle_responses(request, map, queries, failures, top);
 	handle_failures(failures, top);
-	return {};
+	return response;
 }
 
 void
@@ -177,216 +204,39 @@ handle_failures(const failure_map &failures,
 		out, "failures"
 	};
 
-	for(const auto &p : failures)
-	{
-		const string_view &hostname(p.first);
-		const std::exception_ptr &eptr(p.second);
+	for(const auto &[remote, eptr] : failures)
 		json::stack::member
 		{
-			response_failures, hostname, what(eptr)
+			response_failures, remote, what(eptr)
 		};
-	}
 }
 
-void
-recv_responses(const m::resource::request &client_request,
-               query_map &queries,
-               failure_map &failures,
-               json::stack::object &out,
-               const milliseconds &timeout)
-try
+host_users_map
+parse_user_request(const json::object &device_keys)
 {
-	const system_point timedout
+	host_users_map ret;
+	for(const auto &member : device_keys)
 	{
-		ircd::now<system_point>() + timeout
-	};
+		const m::user::id &user_id(member.first);
+		const json::array &device_ids(member.second);
+		const string_view &host(user_id.host());
 
-	while(!queries.empty())
-	{
-		static const auto dereferencer{[]
-		(auto &it) -> m::fed::user::keys::query &
+		auto it(ret.lower_bound(host));
+		if(it == end(ret) || it->first != host)
+			it = ret.emplace_hint(it, host, user_devices_map{});
+
+		user_devices_map &users(it->second);
 		{
-			return it->second;
-		}};
+			auto it(users.lower_bound(user_id));
+			if(it == end(users) || it->first != user_id)
+				it = users.emplace_hint(it, user_id, json::array{});
 
-		auto next
-		{
-			ctx::when_any(begin(queries), end(queries), dereferencer)
-		};
-
-		next.wait_until(timedout); // throws on timeout
-		const auto it{next.get()};
-		const unwind remove{[&queries, &it]
-		{
-			queries.erase(it);
-		}};
-
-		const auto &remote(it->first);
-		auto &request(it->second);
-
-		assert(!failures.count(remote));
-		if(failures.count(remote))
-			continue;
-
-		recv_response(client_request, remote, request, failures, out);
-	}
-}
-catch(const std::exception &)
-{
-	for(const auto &[remote, request] : queries)
-		failures.emplace(remote, std::current_exception());
-}
-
-void
-recv_response(const m::resource::request &client_request,
-              const string_view &remote,
-              m::fed::user::keys::query &request,
-              failure_map &failures,
-              json::stack::object &out)
-try
-{
-	const auto code
-	{
-		request.get()
-	};
-
-	const json::object response
-	{
-		request
-	};
-
-	// device_keys
-	{
-		json::stack::object object
-		{
-			out, "device_keys"
-		};
-
-		const json::object &device_keys
-		{
-			response["device_keys"]
-		};
-
-		for(const auto &[_user_id, device_keys] : device_keys)
-		{
-			const m::user::id &user_id
-			{
-				_user_id
-			};
-
-			json::stack::object user_object
-			{
-				object, user_id
-			};
-
-			for(const auto &[device_id, keys] : json::object(device_keys))
-				json::stack::member
-				{
-					user_object, device_id, keys
-				};
+			if(!empty(device_ids))
+				it->second = device_ids;
 		}
 	}
 
-	// master_keys
-	{
-		json::stack::object object
-		{
-			out, "master_keys"
-		};
-
-		const json::object &master_keys
-		{
-			response["master_keys"]
-		};
-
-		for(const auto &[_user_id, master_key] : master_keys)
-		{
-			const m::user::id &user_id
-			{
-				_user_id
-			};
-
-			json::stack::member
-			{
-				object, user_id, json::object
-				{
-					master_key
-				}
-			};
-		}
-	}
-
-	// self_signing_keys
-	{
-		json::stack::object object
-		{
-			out, "self_signing_keys"
-		};
-
-		const json::object &self_signing_keys
-		{
-			response["self_signing_keys"]
-		};
-
-		for(const auto &[_user_id, self_signing_key] : self_signing_keys)
-		{
-			const m::user::id &user_id
-			{
-				_user_id
-			};
-
-			json::stack::member
-			{
-				object, user_id, json::object
-				{
-					self_signing_key
-				}
-			};
-		}
-	}
-
-	// user_signing_keys
-	{
-		json::stack::object object
-		{
-			out, "user_signing_keys"
-		};
-
-		const json::object &user_signing_keys
-		{
-			response["user_signing_keys"]
-		};
-
-		for(const auto &[_user_id, user_signing_key] : user_signing_keys)
-		{
-			const m::user::id &user_id
-			{
-				_user_id
-			};
-
-			if(client_request.user_id != _user_id)
-				continue;
-
-			json::stack::member
-			{
-				object, user_id, json::object
-				{
-					user_signing_key
-				}
-			};
-		}
-	}
-}
-catch(const std::exception &e)
-{
-	log::error
-	{
-		m::log, "user keys query from %s :%s",
-		remote,
-		e.what()
-	};
-
-	failures.emplace(remote, std::current_exception());
+	return ret;
 }
 
 query_map
@@ -395,12 +245,9 @@ send_requests(const host_users_map &hosts,
               failure_map &failures)
 {
 	query_map ret;
-	for(const auto &pair : hosts)
-	{
-		const string_view &remote(pair.first);
-		const user_devices_map &user_devices(pair.second);
-		send_request(remote, user_devices, failures, buffers, ret);
-	}
+	for(const auto &[remote, user_devices] : hosts)
+		if(likely(!my_host(remote)))
+			send_request(remote, user_devices, failures, buffers, ret);
 
 	return ret;
 }
@@ -441,43 +288,281 @@ try
 
 	return true;
 }
+catch(const ctx::interrupted &e)
+{
+	throw;
+}
 catch(const std::exception &e)
 {
-	log::error
+	failures.emplace(remote, std::current_exception());
+	log::derror
 	{
 		m::log, "user keys query to %s :%s",
 		remote,
 		e.what()
 	};
 
-	failures.emplace(remote, std::current_exception());
 	return false;
 }
 
-host_users_map
-parse_user_request(const json::object &device_keys)
+void
+handle_responses(const m::resource::request &request,
+                 const host_users_map &map,
+                 query_map &queries,
+                 failure_map &failures,
+                 json::stack::object &out)
 {
-	host_users_map ret;
-	for(const auto &member : device_keys)
+	static const user_devices_map empty;
+
+	const auto it
 	{
-		const m::user::id &user_id(member.first);
-		const json::array &device_ids(member.second);
-		const string_view &host(user_id.host());
+		map.find(origin(m::my()))
+	};
 
-		auto it(ret.lower_bound(host));
-		if(it == end(ret) || it->first != host)
-			it = ret.emplace_hint(it, host, user_devices_map{});
+	const user_devices_map &self
+	{
+		it != end(map)? it->second: empty
+	};
 
-		user_devices_map &users(it->second);
+	handle_errors(request, queries, failures);
+	handle_device_keys(request, self, queries, failures, out);
+	handle_cross_keys(request, self, queries, failures, out, "master_keys");
+	handle_cross_keys(request, self, queries, failures, out, "self_signing_keys");
+	handle_cross_keys(request, self, queries, failures, out, "user_signing_keys");
+}
+
+void
+handle_errors(const m::resource::request &request,
+              query_map &queries,
+              failure_map &failures)
+{
+	auto it(begin(queries));
+	while(it != end(queries))
+	{
+		const auto &[remote, query] {*it};
+		if(query.eptr())
 		{
-			auto it(users.lower_bound(user_id));
-			if(it == end(users) || it->first != user_id)
-				it = users.emplace_hint(it, user_id, json::array{});
+			failures.emplace(remote, query.eptr());
+			it = queries.erase(it);
+		}
+		else ++it;
+	}
+}
 
-			if(!empty(device_ids))
-				it->second = device_ids;
+void
+handle_device_keys(const m::resource::request &request,
+                   const user_devices_map &self,
+                   query_map &queries,
+                   failure_map &failures,
+                   json::stack::object &out)
+{
+	json::stack::object object
+	{
+		out, "device_keys"
+	};
+
+	// local handle
+	for(const auto &[user_id, device_ids] : self)
+	{
+		const m::user::keys keys
+		{
+			user_id
+		};
+
+		json::stack::object user_object
+		{
+			object, user_id
+		};
+
+		if(empty(json::array(device_ids)))
+		{
+			const m::user::devices devices
+			{
+				user_id
+			};
+
+			devices.for_each([&user_object, &keys]
+			(const auto &, const string_view &device_id)
+			{
+				json::stack::object device_object
+				{
+					user_object, device_id
+				};
+
+				keys.device(device_object, device_id);
+			});
+		}
+		else for(const json::string device_id : json::array(device_ids))
+		{
+			json::stack::object device_object
+			{
+				user_object, device_id
+			};
+
+			keys.device(device_object, device_id);
 		}
 	}
 
-	return ret;
+	// remote handle
+	for(const auto &[remote, query] : queries) try
+	{
+		const json::object response
+		{
+			query.in.content
+		};
+
+		const json::object &device_keys
+		{
+			response["device_keys"]
+		};
+
+		for(const auto &[user_id, device_keys] : device_keys)
+		{
+			if(m::user::id(user_id).host() != remote)
+				continue;
+
+			json::stack::object user_object
+			{
+				object, user_id
+			};
+
+			for(const auto &[device_id, keys] : json::object(device_keys))
+				json::stack::member
+				{
+					user_object, device_id, keys
+				};
+		}
+	}
+	catch(const ctx::interrupted &)
+	{
+		throw;
+	}
+	catch(const std::exception &e)
+	{
+		failures.emplace(remote, std::current_exception());
+		log::derror
+		{
+			m::log, "Processing device_keys response from '%s' :%s",
+			remote,
+			e.what(),
+		};
+	}
+}
+
+static std::tuple<string_view, bool>
+translate_cross_type(const string_view &name)
+{
+	bool match_user;
+	string_view cross_type;
+	switch(match_user = false; hash(name))
+	{
+		case "master_keys"_:
+			cross_type = "ircd.cross_signing.master";
+			break;
+
+		case "self_signing_keys"_:
+			cross_type = "ircd.cross_signing.self";
+			break;
+
+		case "user_signing_keys"_:
+			cross_type = "ircd.cross_signing.user";
+			match_user = true;
+			break;
+	};
+
+	assert(cross_type);
+	return
+	{
+		cross_type, match_user
+	};
+}
+
+void
+handle_cross_keys(const m::resource::request &request,
+                  const user_devices_map &self,
+                  query_map &queries,
+                  failure_map &failures,
+                  json::stack::object &out_,
+                  const string_view &name)
+{
+	const auto &[cross_type, match_user]
+	{
+		translate_cross_type(name)
+	};
+
+	json::stack::object out
+	{
+		out_, name
+	};
+
+	// local handle
+	for(const auto &[user_id, device_ids] : self)
+	{
+		if(match_user && request.user_id != user_id)
+			continue;
+
+		const m::user::keys keys
+		{
+			user_id
+		};
+
+		if(!keys.has_cross(cross_type))
+			continue;
+
+		json::stack::object user_object
+		{
+			out, user_id
+		};
+
+		keys.cross(user_object, cross_type);
+	}
+
+	// remote handle
+	for(auto &[remote, query] : queries) try
+	{
+		if(match_user && request.user_id.host() != remote)
+			continue;
+
+		const json::object response
+		{
+			query.in.content
+		};
+
+		const json::object &object
+		{
+			response[name]
+		};
+
+		for(const auto &[user_id, keys] : object)
+		{
+			if(m::user::id(user_id).host() != remote)
+				continue;
+
+			if(match_user && request.user_id != user_id)
+				continue;
+
+			json::stack::member
+			{
+				out, user_id, json::object
+				{
+					keys
+				}
+			};
+		}
+	}
+	catch(const ctx::interrupted &)
+	{
+		throw;
+	}
+	catch(const std::exception &e)
+	{
+		failures.emplace(remote, std::current_exception());
+		log::derror
+		{
+			m::log, "Processing %s response from '%s' :%s",
+			name,
+			remote,
+			e.what(),
+		};
+	}
 }

modules/client/keys/signatures/upload.cc

@@ -43,42 +43,37 @@ ircd::m::resource::response
 ircd::m::post_keys_signatures_upload(client &client,
                                      const resource::request &request)
 {
-	for(const auto &[_user_id, devices_keys_] : request)
+	const auto src_dev
 	{
-		if(!valid(m::id::USER, _user_id))
-			continue;
+		user::tokens::device(std::nothrow, request.access_token)
+	};
+
+	for(const auto &[user_id_, device_keys_] : request)
+	{
+		const json::object device_keys
+		{
+			device_keys_
+		};
 
 		const m::user::id user_id
 		{
-			_user_id
+			user_id_
 		};
 
-		const m::user::room user_room
+		const user::room user_room
 		{
 			user_id
 		};
 
-		const m::user::devices devices
+		for(const auto &[tgt_id, keys] : device_keys)
 		{
-			user_id
-		};
-
-		const json::object &devices_keys
-		{
-			devices_keys_
-		};
-
-		for(const auto &[_device_id, device_keys_] : devices_keys)
-		{
-			const m::device_keys device_keys
+			char state_key_buf[512];
+			const string_view state_key
 			{
-				device_keys_
+				user::keys::make_sigs_state_key(state_key_buf, tgt_id, src_dev)
 			};
 
-			const bool set
-			{
-				devices.set(_device_id, "signatures", device_keys_)
-			};
+			send(user_room, request.user_id, "ircd.keys.signatures", state_key, keys);
 		}
 	}
 

modules/client/notifications.cc

@@ -206,7 +206,7 @@ ircd::m::get_notifications(client &client,
 			{
 				event_object, event,
 				{
-					.event_idx = &event_idx,
+					.event_idx = event_idx,
 					.keys = &notification_event_keys,
 					//.query_txnid = false,
 					//.query_prev_state = false,

modules/client/register.cc

@@ -148,7 +148,7 @@ try
 	// Send response to user
 	return m::resource::response
 	{
-		client, http::CREATED, response
+		client, http::OK, response
 	};
 }
 catch(const m::INVALID_MXID &e)
@@ -191,7 +191,7 @@ post__register_guest(client &client,
 
 	return m::resource::response
 	{
-		client, http::CREATED,
+		client, http::OK,
 		{
 			{ "user_id",         user_id        },
 			{ "home_server",     my_host()      },
@@ -243,7 +243,7 @@ try
 	// Send response to user
 	return m::resource::response
 	{
-		client, http::CREATED, response
+		client, http::OK, response
 	};
 }
 catch(const m::INVALID_MXID &e)

modules/client/rooms/context.cc

@@ -132,10 +132,10 @@ get__context(client &client,
 		{
 			_event, event,
 			{
-				.event_idx = &event.event_idx,
-				.user_id = &user_room.user.user_id,
-				.user_room = &user_room,
-				.room_depth = &room_depth,
+				.event_idx = event.event_idx,
+				.user_id = user_room.user.user_id,
+				.user_room_id = user_room.room_id,
+				.room_depth = room_depth,
 			}
 		};
 	}
@@ -179,10 +179,10 @@ get__context(client &client,
 			{
 				array, event,
 				{
-					.event_idx = &event_idx,
-					.user_id = &user_room.user.user_id,
-					.user_room = &user_room,
-					.room_depth = &room_depth,
+					.event_idx = event_idx,
+					.user_id = user_room.user.user_id,
+					.user_room_id = user_room.room_id,
+					.room_depth = room_depth,
 					.query_txnid = true,
 				}
 			};
@@ -233,10 +233,10 @@ get__context(client &client,
 			{
 				array, event,
 				{
-					.event_idx = &event_idx,
-					.user_id = &user_room.user.user_id,
-					.user_room = &user_room,
-					.room_depth = &room_depth,
+					.event_idx = event_idx,
+					.user_id = user_room.user.user_id,
+					.user_room_id = user_room.room_id,
+					.room_depth = room_depth,
 					.query_txnid = true,
 				}
 			};
@@ -301,10 +301,10 @@ get__context(client &client,
 			{
 				array, event,
 				{
-					.event_idx = &event_idx,
-					.user_id = &user_room.user.user_id,
-					.user_room = &user_room,
-					.room_depth = &room_depth,
+					.event_idx = event_idx,
+					.user_id = user_room.user.user_id,
+					.user_room_id = user_room.room_id,
+					.room_depth = room_depth,
 					.query_txnid = false,
 				}
 			};

modules/client/rooms/event.cc

@@ -46,8 +46,32 @@ get__event(client &client,
 		event_id, fopts
 	};
 
+	const unique_mutable_buffer buf
+	{
+		m::event::MAX_SIZE
+	};
+
+	json::stack out{buf};
+	{
+		json::stack::object top{out};
+		m::event::append
+		{
+			top, event,
+			{
+				.event_idx = event.event_idx,
+				.user_id = request.user_id,
+				.query_prev_state = false,
+				.query_redacted = false,
+				.query_visible = false,
+			}
+		};
+	};
+
 	return m::resource::response
 	{
-		client, event.source
+		client, json::object
+		{
+			out.completed()
+		}
 	};
 }

modules/client/rooms/initialsync.cc

@@ -202,10 +202,10 @@ get__initialsync_local(client &client,
 		{
 			state, state_event,
 			{
-				.event_idx = &event_idx,
-				.user_id = &user.user_id,
-				.user_room = &user_room,
-				.room_depth = &room_depth,
+				.event_idx = event_idx,
+				.user_id = user.user_id,
+				.user_room_id = user_room.room_id,
+				.room_depth = room_depth,
 				.query_txnid = false,
 			}
 		};
@@ -255,14 +255,17 @@ get__initialsync_local(client &client,
 		if(!visible(event, user.user_id))
 			continue;
 
-		m::event::append(chunk, event,
+		m::event::append
 		{
-			.event_idx = &event_idx,
-			.user_id = &user.user_id,
-			.user_room = &user_room,
-			.room_depth = &room_depth,
-			.query_txnid = true,
-		});
+			chunk, event,
+			{
+				.event_idx = event_idx,
+				.user_id = user.user_id,
+				.user_room_id = user_room.room_id,
+				.room_depth = room_depth,
+				.query_txnid = true,
+			}
+		};
 	}
 }
 

modules/client/rooms/members.cc

@@ -165,8 +165,8 @@ get__members(client &client,
 		{
 			chunk, event,
 			{
-				.event_idx = &event_idx,
-				.user_id = &request.user_id,
+				.event_idx = event_idx,
+				.user_id = request.user_id,
 				.query_txnid = false,
 				.query_prev_state = false,
 				.query_redacted = false,

modules/client/rooms/messages.cc

@@ -152,10 +152,10 @@ get__messages(client &client,
 			{
 				chunk, event,
 				{
-					.event_idx = &event_idx,
-					.user_id = &user_room.user.user_id,
-					.user_room = &user_room,
-					.room_depth = &room_depth,
+					.event_idx = event_idx,
+					.user_id = user_room.user.user_id,
+					.user_room_id = user_room.room_id,
+					.room_depth = room_depth,
 				}
 			}
 		};

modules/client/rooms/relations.cc

@@ -60,9 +60,11 @@ get__relations(client &client,
 			"relation rel_type path parameter required"
 		};
 
-	const string_view &rel_type
+	const string_view rel_type
 	{
-		url::decode(rel_type_buf, request.parv[3])
+		request.parv.size() > 3?
+			url::decode(rel_type_buf, request.parv[3]):
+			string_view{}
 	};
 
 	// Get the alleged type path parameter.
@@ -75,9 +77,11 @@ get__relations(client &client,
 			"relation ?type? path parameter required"
 		};
 
-	const string_view &type
+	const string_view type
 	{
-		url::decode(type_buf, request.parv[4])
+		request.parv.size() > 4?
+			url::decode(type_buf, request.parv[4]):
+			string_view{}
 	};
 
 	const auto event_idx
@@ -170,8 +174,8 @@ relations_chunk_append(client &client,
 	{
 		chunk, event,
 		{
-			.event_idx = &event_idx,
-			.user_id = &request.user_id,
+			.event_idx = event_idx,
+			.user_id = request.user_id,
 			.query_txnid = false,
 		}
 	};

modules/client/rooms/state.cc

@@ -206,8 +206,8 @@ append_event(const m::resource::request &request,
 	{
 		array, event,
 		{
-			.event_idx = &event_idx,
-			.user_id = &request.user_id,
+			.event_idx = event_idx,
+			.user_id = request.user_id,
 			.query_txnid = false,
 			.query_prev_state = false,
 			.query_redacted = false,

modules/client/search.cc

@@ -550,8 +550,8 @@ try
 		{
 			result_event, event,
 			{
-				.event_idx = &result.event_idx,
-				.user_id = &query.user_id,
+				.event_idx = result.event_idx,
+				.user_id = query.user_id,
 				.event_filter = &event_filter,
 				.query_prev_state = false,
 				.query_visible = true,
@@ -599,8 +599,8 @@ try
 			{
 				events_before, event,
 				{
-					.event_idx = &event_idx,
-					.user_id = &query.user_id,
+					.event_idx = event_idx,
+					.user_id = query.user_id,
 					.event_filter = &event_filter,
 					.query_prev_state = false,
 					.query_visible = true,
@@ -628,8 +628,8 @@ try
 			{
 				events_after, event,
 				{
-					.event_idx = &event_idx,
-					.user_id = &query.user_id,
+					.event_idx = event_idx,
+					.user_id = query.user_id,
 					.event_filter = &event_filter,
 					.query_prev_state = false,
 					.query_visible = true,

modules/client/sync/device_lists.cc

@@ -38,13 +38,21 @@ ircd::m::sync::device_lists_linear(data &data)
 
 	assert(data.event);
 	const m::event &event{*data.event};
-	if(!startswith(json::get<"type"_>(event), "ircd.device"))
-		return false;
 
-	if(startswith(json::get<"type"_>(event), "ircd.device.signing"))
-		return false;
+	const bool including
+	{
+		false
+		|| startswith(json::get<"type"_>(event), "ircd.device")
+		|| startswith(json::get<"type"_>(event), "ircd.keys.signatures")
+	};
 
-	if(startswith(json::get<"type"_>(event), "ircd.device.one_time_key"))
+	const bool excluding
+	{
+		false
+		|| startswith(json::get<"type"_>(event), "ircd.device.one_time_key")
+	};
+
+	if(!including || excluding)
 		return false;
 
 	const m::user sender

modules/client/sync/rooms/state.cc

@@ -221,10 +221,10 @@ ircd::m::sync::room_state_linear_events(data &data)
 			{
 				array, event,
 				{
-					.event_idx = &event_idx,
-					.user_id = &data.user.user_id,
-					.user_room = &data.user_room,
-					.room_depth = &data.room_depth,
+					.event_idx = event_idx,
+					.user_id = data.user.user_id,
+					.user_room_id = data.user_room.room_id,
+					.room_depth = data.room_depth,
 					.query_txnid = false,
 					.query_prev_state = true,
 				}
@@ -265,10 +265,10 @@ ircd::m::sync::room_state_linear_events(data &data)
 	{
 		array, *data.event,
 		{
-			.event_idx = &data.event_idx,
-			.user_id = &data.user.user_id,
-			.user_room = &data.user_room,
-			.room_depth = &data.room_depth,
+			.event_idx = data.event_idx,
+			.user_id = data.user.user_id,
+			.user_room_id = data.user_room.room_id,
+			.room_depth = data.room_depth,
 			.query_txnid = false,
 			.query_prev_state = true,
 		}
@@ -377,10 +377,10 @@ ircd::m::sync::room_state_polylog_events(data &data)
 			{
 				array, event,
 				{
-					.event_idx = &event_idx,
-					.user_id = &data.user.user_id,
-					.user_room = &data.user_room,
-					.room_depth = &data.room_depth,
+					.event_idx = event_idx,
+					.user_id = data.user.user_id,
+					.user_room_id = data.user_room.room_id,
+					.room_depth = data.room_depth,
 					.query_txnid = false,
 					.query_prev_state = false,
 				}
@@ -517,10 +517,10 @@ ircd::m::sync::room_state_phased_events(data &data)
 			{
 				array, event,
 				{
-					.event_idx = &event_idx,
-					.user_id = &data.user.user_id,
-					.user_room = &data.user_room,
-					.room_depth = &data.room_depth,
+					.event_idx = event_idx,
+					.user_id = data.user.user_id,
+					.user_room_id = data.user_room.room_id,
+					.room_depth = data.room_depth,
 					.query_txnid = false,
 					.query_prev_state = true,
 				}
@@ -664,10 +664,10 @@ ircd::m::sync::room_state_phased_member_events(data &data,
 		{
 			array, event,
 			{
-				.event_idx = &sender_idx,
-				.user_id = &data.user.user_id,
-				.user_room = &data.user_room,
-				.room_depth = &data.room_depth,
+				.event_idx = sender_idx,
+				.user_id = data.user.user_id,
+				.user_room_id = data.user_room.room_id,
+				.room_depth = data.room_depth,
 				.query_txnid = false,
 				.query_prev_state = false,
 			}

modules/client/sync/rooms/timeline.cc

@@ -212,11 +212,11 @@ ircd::m::sync::room_timeline_linear(data &data)
 	{
 		array, *data.event,
 		{
-			.event_idx = &data.event_idx,
-			.client_txnid = &data.client_txnid,
-			.user_id = &data.user.user_id,
-			.user_room = &data.user_room,
-			.room_depth = &data.room_depth,
+			.event_idx = data.event_idx,
+			.client_txnid = data.client_txnid,
+			.user_id = data.user.user_id,
+			.user_room_id = data.user_room.room_id,
+			.room_depth = data.room_depth,
 		}
 	};
 }
@@ -289,11 +289,11 @@ ircd::m::sync::_room_timeline_linear_command(data &data)
 	{
 		array, *data.event,
 		{
-			.event_idx = &data.event_idx,
-			.client_txnid = &data.client_txnid,
-			.user_id = &data.user.user_id,
-			.user_room = &data.user_room,
-			.room_depth = &data.room_depth,
+			.event_idx = data.event_idx,
+			.client_txnid = data.client_txnid,
+			.user_id = data.user.user_id,
+			.user_room_id = data.user_room.room_id,
+			.room_depth = data.room_depth,
 		}
 	};
 }
@@ -400,11 +400,11 @@ ircd::m::sync::_room_timeline_polylog_events(data &data,
 		{
 			array, event,
 			{
-				.event_idx = &event_idx,
-				.client_txnid = &data.client_txnid,
-				.user_id = &data.user.user_id,
-				.user_room = &data.user_room,
-				.room_depth = &data.room_depth,
+				.event_idx = event_idx,
+				.client_txnid = data.client_txnid,
+				.user_id = data.user.user_id,
+				.user_room_id = data.user_room.room_id,
+				.room_depth = data.room_depth,
 			}
 		};
 	}

modules/client/user/filter.cc

@@ -122,7 +122,7 @@ post__filter(client &client,
 
 	return m::resource::response
 	{
-		client, http::CREATED,
+               client, http::OK,
 		{
 			{ "filter_id", filter_id }
 		}

modules/client/user/user.cc

@@ -43,17 +43,17 @@ get_user(client &client,
 		url::decode(user_id, request.parv[0])
 	};
 
-	if(request.user_id != user_id)
-		throw m::UNSUPPORTED
-		{
-			"Getting user data as someone else is not yet supported"
-		};
-
 	const string_view &cmd
 	{
 		request.parv[1]
 	};
 
+	if(request.user_id != user_id && !request.bridge_id)
+		throw m::UNSUPPORTED
+		{
+			"Getting user data as someone else is only for bridges."
+		};
+
 	if(cmd == "filter")
 		return get__filter(client, request, user_id);
 
@@ -93,10 +93,10 @@ post_user(client &client,
 		url::decode(user_id, request.parv[0])
 	};
 
-	if(request.user_id != user_id)
+	if(request.user_id != user_id && !request.bridge_id)
 		throw m::UNSUPPORTED
 		{
-			"Posting user data as someone else is not yet supported"
+			"Posting user data as someone else is only for bridges."
 		};
 
 	const string_view &cmd
@@ -140,10 +140,10 @@ put_user(client &client,
 		url::decode(user_id, request.parv[0])
 	};
 
-	if(request.user_id != user_id)
+	if(request.user_id != user_id && !request.bridge_id)
 		throw m::UNSUPPORTED
 		{
-			"Putting user data as someone else is not yet supported"
+			"Putting user data as someone else is only for bridges."
 		};
 
 	if(request.parv.size() < 2)
@@ -193,10 +193,10 @@ delete_user(client &client,
 		url::decode(user_id, request.parv[0])
 	};
 
-	if(request.user_id != user_id)
+	if(request.user_id != user_id && !request.bridge_id)
 		throw m::UNSUPPORTED
 		{
-			"Deleting user data as someone else is not yet supported"
+			"Deleting user data as someone else is only for bridges."
 		};
 
 	if(request.parv.size() < 2)

modules/console.cc

@@ -14449,7 +14449,7 @@ console_cmd__user__devices__update(opt &out, const string_view &line)
 {
 	const params param{line, " ",
 	{
-		"user_id", "device_id", "deleted"
+		"user_id", "device_id", "room_id"
 	}};
 
 	const m::user::id &user_id
@@ -14459,12 +14459,14 @@ console_cmd__user__devices__update(opt &out, const string_view &line)
 
 	const string_view &device_id
 	{
-		param.at("device_id")
+		param.at("device_id", "*"_sv)
 	};
 
-	const bool deleted
+	const m::room::id::buf room_id
 	{
-		param["deleted"] == "deleted"
+		m::valid(m::id::ROOM, param["room_id"])?
+			m::room_id(param["room_id"]):
+			m::room::id::buf{}
 	};
 
 	const m::user::devices devices
@@ -14472,20 +14474,36 @@ console_cmd__user__devices__update(opt &out, const string_view &line)
 		user_id
 	};
 
-	json::iov content;
-	const json::iov::push push[]
+	const auto update{[&out, &devices, &user_id, &room_id]
+	(const auto &device_id)
 	{
-		{ content,  { "user_id",    user_id       } },
-		{ content,  { "device_id",  device_id     } },
-		{ content,  { "deleted",    deleted       } },
+		m::user::devices::send
+		{
+			devices, device_id, room_id
+		};
+
+		out
+		<< "broadcast: "
+		<< device_id
+		<< std::endl;
+	}};
+
+	const bool found
+	{
+		!devices.for_each([&update, &device_id]
+		(const auto &, const string_view &_device_id)
+		{
+			if(device_id != "*" && _device_id != device_id)
+				return true;
+
+			update(_device_id);
+			return _device_id != device_id; // false to break
+		})
 	};
 
-	const bool broadcasted
-	{
-		m::user::devices::send(content)
-	};
+	if(device_id != "*" && !found)
+		update(device_id);
 
-	out << "done" << std::endl;
 	return true;
 }
 
@@ -14497,6 +14515,43 @@ console_id__device(opt &out,
 	return true;
 }
 
+bool
+console_cmd__user__keys__update(opt &out, const string_view &line)
+{
+	const params param{line, " ",
+	{
+		"user_id", "room_id"
+	}};
+
+	const m::user::id &user_id
+	{
+		param.at("user_id")
+	};
+
+	const m::room::id::buf room_id
+	{
+		m::valid(m::id::ROOM, param["room_id"])?
+			m::room_id(param["room_id"]):
+			m::room::id::buf{}
+	};
+
+	const m::user::keys keys
+	{
+		user_id
+	};
+
+	m::user::keys::send
+	{
+		keys, room_id
+	};
+
+	out
+	<< "broadcast: "
+	<< user_id
+	<< std::endl;
+	return true;
+}
+
 bool
 console_cmd__user__ignores(opt &out, const string_view &line)
 {
@@ -17205,7 +17260,7 @@ console_cmd__fed__user__devices(opt &out, const string_view &line)
 {
 	const params param{line, " ",
 	{
-		"user_id", "remote"
+		"user_id", "remote", "op"
 	}};
 
 	const m::user::id &user_id
@@ -17218,6 +17273,11 @@ console_cmd__fed__user__devices(opt &out, const string_view &line)
 		param.at("remote", user_id.host())
 	};
 
+	const bool raw
+	{
+		has(param["op"], "raw")
+	};
+
 	m::fed::user::devices::opts opts;
 	opts.remote = remote;
 
@@ -17242,6 +17302,14 @@ console_cmd__fed__user__devices(opt &out, const string_view &line)
 		request
 	};
 
+	if(raw)
+	{
+		out
+		<< string_view{response}
+		<< std::endl;
+		return true;
+	}
+
 	const string_view stream_id
 	{
 		unquote(response["stream_id"])
@@ -17272,16 +17340,23 @@ console_cmd__fed__user__keys__query(opt &out, const string_view &line)
 		param.at("user_id")
 	};
 
-	const string_view &device_id
-	{
-		param.at("device_id", string_view{})
-	};
-
 	const string_view remote
 	{
 		param.at("remote", user_id.host())
 	};
 
+	const bool raw
+	{
+		param["device_id"] == "raw"
+	};
+
+	const string_view device_id
+	{
+		!raw?
+			param.at("device_id", string_view{}):
+			string_view{}
+	};
+
 	m::fed::user::opts opts;
 	opts.remote = remote;
 
@@ -17306,6 +17381,14 @@ console_cmd__fed__user__keys__query(opt &out, const string_view &line)
 		request
 	};
 
+	if(raw)
+	{
+		out
+		<< string_view{response}
+		<< std::endl;
+		return true;
+	}
+
 	const json::object &device_keys
 	{
 		response["device_keys"]
@@ -18448,6 +18531,35 @@ console_cmd__well_known__matrix__server(opt &out, const string_view &line)
 	return true;
 }
 
+bool
+console_cmd__well_known__matrix__client(opt &out, const string_view &line)
+{
+	const params param{line, " ",
+	{
+		"remote"
+	}};
+
+	const fmt::bsprintf<512> url
+	{
+		"https://%s/.well-known/matrix/client",
+		param.at("remote"),
+	};
+
+	char buf[1024];
+	const json::object response
+	{
+		rest::get
+		{
+			buf, string_view{url}
+		}
+	};
+
+	out
+	<< string_view{response}
+	<< std::endl;
+	return true;
+}
+
 //
 // bridge
 //

modules/federation/user_devices.cc

@@ -64,6 +64,11 @@ get__user_devices(client &client,
 		user_id
 	};
 
+	const m::user::keys user_keys
+	{
+		user_id
+	};
+
 	m::resource::response::chunked::json response
 	{
 		client, http::OK
@@ -82,49 +87,34 @@ get__user_devices(client &client,
 		}
 	};
 
-	const auto master_event_idx
+	if(user_keys.has_cross_master())
 	{
-		user_room.get(std::nothrow, "ircd.device.signing.master", "")
-	};
-
-	m::get(std::nothrow, master_event_idx, "content", [&response]
-	(const json::object &content)
-	{
-		json::stack::member
+		json::stack::object object
 		{
-			response, "master_key", content
-		};
-	});
-
-	const auto self_event_idx
-	{
-		user_room.get(std::nothrow, "ircd.device.signing.self", "")
-	};
-
-	m::get(std::nothrow, self_event_idx, "content", [&response]
-	(const json::object &content)
-	{
-		json::stack::member
-		{
-			response, "self_signing_key", content
-		};
-	});
-
-	if(my_host(request.node_id))
-	{
-		const auto user_event_idx
-		{
-			user_room.get(std::nothrow, "ircd.device.signing.user", "")
+			response, "master_key"
 		};
 
-		m::get(std::nothrow, user_event_idx, "content", [&response]
-		(const json::object &content)
+		user_keys.cross_master(object);
+	}
+
+	if(user_keys.has_cross_self())
+	{
+		json::stack::object object
 		{
-			json::stack::member
-			{
-				response, "user_signing_key", content
-			};
-		});
+			response, "self_signing_key"
+		};
+
+		user_keys.cross_self(object);
+	}
+
+	if(my_host(request.node_id) && user_keys.has_cross_user())
+	{
+		json::stack::object object
+		{
+			response, "user_signing_key"
+		};
+
+		user_keys.cross_user(object);
 	}
 
 	json::stack::array devices
@@ -132,7 +122,7 @@ get__user_devices(client &client,
 		response, "devices"
 	};
 
-	user_devices.for_each([&user_devices, &devices]
+	user_devices.for_each([&user_devices, &devices, &user_keys]
 	(const auto &, const string_view &device_id)
 	{
 		json::stack::object device
@@ -145,6 +135,16 @@ get__user_devices(client &client,
 			device, "device_id", device_id
 		};
 
+		if(user_keys.has_device(device_id))
+		{
+			json::stack::object keys
+			{
+				device, "keys"
+			};
+
+			user_keys.device(keys, device_id);
+		}
+
 		// The property name difference here is on purpose, probably one of
 		// those so-called spec "thinkos"
 		user_devices.get(std::nothrow, device_id, "display_name", [&device]
@@ -156,15 +156,6 @@ get__user_devices(client &client,
 			};
 		});
 
-		user_devices.get(std::nothrow, device_id, "keys", [&device]
-		(const auto &, const json::object &value)
-		{
-			json::stack::member
-			{
-				device, "keys", value
-			};
-		});
-
 		return true;
 	});
 

modules/federation/user_keys_claim.cc

@@ -47,29 +47,27 @@ post__user_keys_claim(client &client,
 		request["one_time_keys"]
 	};
 
-	m::resource::response::chunked response
+	m::resource::response::chunked::json response
 	{
 		client, http::OK
 	};
 
-	json::stack out
-	{
-		response.buf, response.flusher()
-	};
-
-	json::stack::object top
-	{
-		out
-	};
-
 	json::stack::object response_keys
 	{
-		top, "one_time_keys"
+		response, "one_time_keys"
 	};
 
-	for(const auto &[user_id, devices] : one_time_keys)
+	for(const auto &[user_id_, devices] : one_time_keys)
 	{
-		const m::user::room user_room
+		const m::user::id user_id
+		{
+			user_id_
+		};
+
+		if(!m::exists(user_id))
+			continue;
+
+		const m::user::keys keys
 		{
 			user_id
 		};
@@ -79,26 +77,11 @@ post__user_keys_claim(client &client,
 			response_keys, user_id
 		};
 
-		for(const auto &[device_id_, algorithm_] : json::object(devices))
+		for(const auto &[device_id, algorithm_] : json::object(devices))
 		{
-			const json::string &algorithm{algorithm_};
-			const json::string &device_id{device_id_};
-			const auto match{[&device_id]
-			(const string_view &state_key) noexcept
+			const json::string algorithm
 			{
-				return state_key == device_id;
-			}};
-
-			char buf[m::event::TYPE_MAX_SIZE];
-			const string_view type{fmt::sprintf
-			{
-				buf, "ircd.device.one_time_key|%s",
-				algorithm
-			}};
-
-			const m::room::type events
-			{
-				user_room, type, { -1UL, -1L }, true
+				algorithm_
 			};
 
 			json::stack::object response_device
@@ -106,33 +89,9 @@ post__user_keys_claim(client &client,
 				response_user, device_id
 			};
 
-			events.for_each([&response_device, &match]
-			(const string_view &type, const auto &, const m::event::idx &event_idx)
-			{
-				if(!m::query(std::nothrow, event_idx, "state_key", match))
-					return true;
-
-				m::get(std::nothrow, event_idx, "content", [&response_device, type]
-				(const json::object &content)
-				{
-					const auto algorithm
-					{
-						split(type, '|').second
-					};
-
-					json::stack::member
-					{
-						response_device, algorithm, json::object
-						{
-							content[""] // device quirk
-						}
-					};
-				});
-
-				return false;
-			});
+			keys.claim(response_device, device_id, algorithm);
 		}
 	}
 
-	return {};
+	return response;
 }

modules/federation/user_keys_query.cc

@@ -155,24 +155,20 @@ _query_master_keys(client &client,
 			user_id_
 		};
 
-		const m::user::room room
+		const m::user::keys keys
 		{
 			user_id
 		};
 
-		const auto event_idx
+		if(!keys.has_cross_master())
+			continue;
+
+		json::stack::object object
 		{
-			room.get(std::nothrow, "ircd.device.signing.master", "")
+			response_keys, user_id
 		};
 
-		m::get(std::nothrow, event_idx, "content", [&response_keys, &user_id]
-		(const json::object &content)
-		{
-			json::stack::member
-			{
-				response_keys, user_id, content
-			};
-		});
+		keys.cross_master(object);
 	}
 }
 
@@ -198,24 +194,20 @@ _query_self_keys(client &client,
 			user_id_
 		};
 
-		const m::user::room room
+		const m::user::keys keys
 		{
 			user_id
 		};
 
-		const auto event_idx
+		if(!keys.has_cross_self())
+			continue;
+
+		json::stack::object object
 		{
-			room.get(std::nothrow, "ircd.device.signing.self", "")
+			response_keys, user_id
 		};
 
-		m::get(std::nothrow, event_idx, "content", [&response_keys, &user_id]
-		(const json::object &content)
-		{
-			json::stack::member
-			{
-				response_keys, user_id, content
-			};
-		});
+		keys.cross_self(object);
 	}
 }
 
@@ -241,24 +233,20 @@ _query_user_keys(client &client,
 			user_id_
 		};
 
-		const m::user::room room
+		const m::user::keys keys
 		{
 			user_id
 		};
 
-		const auto event_idx
+		if(!keys.has_cross_user())
+			continue;
+
+		json::stack::object object
 		{
-			room.get(std::nothrow, "ircd.device.signing.user", "")
+			response_keys, user_id
 		};
 
-		m::get(std::nothrow, event_idx, "content", [&response_keys, &user_id]
-		(const json::object &content)
-		{
-			json::stack::member
-			{
-				response_keys, user_id, content
-			};
-		});
+		keys.cross_user(object);
 	}
 }
 
@@ -269,7 +257,12 @@ _query_user_device(client &client,
                    const string_view &device_id,
                    json::stack::object &out)
 {
-	if(!devices.has(device_id, "keys"))
+	const m::user::keys keys
+	{
+		devices.user
+	};
+
+	if(!keys.has_device(device_id))
 		return;
 
 	json::stack::object object
@@ -277,67 +270,7 @@ _query_user_device(client &client,
 		out, device_id
 	};
 
-	devices.get(std::nothrow, device_id, "keys", [&devices, &device_id, &object]
-	(const auto &event_idx, const json::object &device_keys)
-	{
-		const auto &user_id
-		{
-			devices.user.user_id
-		};
-
-		for(const auto &member : device_keys)
-			if(member.first != "signatures")
-				json::stack::member
-				{
-					object, member
-				};
-
-		json::stack::object sigs
-		{
-			object, "signatures"
-		};
-
-		json::stack::object user_sigs
-		{
-			sigs, user_id
-		};
-
-		const json::object device_keys_sigs
-		{
-			device_keys["signatures"]
-		};
-
-		const json::object device_keys_user_sigs
-		{
-			device_keys_sigs[user_id]
-		};
-
-		for(const auto &member : device_keys_user_sigs)
-			json::stack::member
-			{
-				user_sigs, member
-			};
-
-		devices.get(std::nothrow, device_id, "signatures", [&user_id, &user_sigs]
-		(const auto &event_idx, const json::object &device_sigs)
-		{
-			const json::object device_sigs_sigs
-			{
-				device_sigs["signatures"]
-			};
-
-			const json::object device_sigs_user_sigs
-			{
-				device_sigs_sigs[user_id]
-			};
-
-			for(const auto &member : device_sigs_user_sigs)
-				json::stack::member
-				{
-					user_sigs, member
-				};
-		});
-	});
+	keys.device(object, device_id);
 
 	devices.get(std::nothrow, device_id, "display_name", [&device_id, &object]
 	(const auto &event_idx, const string_view &display_name)

modules/m_bridge.cc

@@ -677,14 +677,15 @@ ircd::m::bridge::append(const config &config,
                         const event::idx &event_idx,
                         const event &event)
 {
-	event::append::opts opts;
-	opts.event_idx = &event_idx;
-	opts.query_txnid = false;
-	opts.query_prev_state = true;
-	opts.query_redacted = false;
 	event::append
 	{
-		events, event, opts
+		events, event, event::append::opts
+		{
+			.event_idx = event_idx,
+			.query_txnid = false,
+			.query_prev_state = true,
+			.query_redacted = false,
+		},
 	};
 
 	log::debug

modules/m_signing_key_update.cc

@@ -56,53 +56,29 @@ try
 	if(user_id.host() != at<"origin"_>(event))
 		return;
 
-	const json::object &msk
-	{
-		json::get<"master_key"_>(update)
-	};
-
-	const m::user::room room
-	{
-		user_id
-	};
-
-	if(!exists(room))
+	if(!exists(user_id))
 	{
 		log::derror
 		{
 			m::log, "Refusing signing key update for unknown %s",
-			json::get<"user_id"_>(update),
+			string_view{user_id},
 		};
 
 		return;
 	}
 
-	const auto master_id
+	const m::user::keys keys
 	{
-		msk?
-			send(room, user_id, "ircd.device.signing.master", "", msk):
-			m::event::id::buf{}
+		user_id
 	};
 
-	const json::object &ssk
-	{
-		json::get<"self_signing_key"_>(update)
-	};
-
-	const auto self_id
-	{
-		ssk?
-			send(room, user_id, "ircd.device.signing.self", "", ssk):
-			m::event::id::buf{}
-	};
+	keys.update(update);
 
 	log::info
 	{
-		m::log, "Signing key update from :%s by %s master:%s self:%s",
+		m::log, "Signing key update from '%s' for %s",
 		json::get<"origin"_>(event),
 		json::get<"user_id"_>(update),
-		string_view{master_id},
-		string_view{self_id},
 	};
 }
 catch(const ctx::interrupted &e)
@@ -113,7 +89,7 @@ catch(const std::exception &e)
 {
 	log::derror
 	{
-		m::log, "m.signing_key_update from %s :%s",
+		m::log, "m.signing_key_update from '%s' :%s",
 		json::get<"origin"_>(event),
 		e.what(),
 	};

modules/media/upload.cc

@@ -96,7 +96,7 @@ post__upload(client &client,
 
 	return m::resource::response
 	{
-		client, http::CREATED, json::members
+		client, http::OK, json::members
 		{
 			{ "content_uri", content_uri }
 		}

modules/net_dns_cache.cc

@@ -89,7 +89,7 @@ ircd::net::dns::cache::put(const hostport &hp,
 	{
 		opts.qtype == 33?
 			make_SRV_key(state_key_buf, hp, opts):
-			host(hp)
+			tolower(state_key_buf, host(hp))
 	};
 
 	return put(type, state_key, code, msg);
@@ -117,7 +117,7 @@ ircd::net::dns::cache::put(const hostport &hp,
 	{
 		opts.qtype == 33?
 			make_SRV_key(state_key_buf, hp, opts):
-			host(hp)
+			tolower(state_key_buf, host(hp))
 	};
 
 	return put(type, state_key, rrs);
@@ -369,7 +369,7 @@ ircd::net::dns::cache::get(const hostport &hp,
 	{
 		opts.qtype == 33?
 			make_SRV_key(state_key_buf, hp, opts):
-			host(hp)
+			tolower(state_key_buf, host(hp))
 	};
 
 	const m::room::state state
@@ -431,7 +431,7 @@ ircd::net::dns::cache::for_each(const hostport &hp,
 	{
 		opts.qtype == 33?
 			make_SRV_key(state_key_buf, hp, opts):
-			host(hp)
+			tolower(state_key_buf, host(hp))
 	};
 
 	const m::room::state state

modules/web_hook.cc

@@ -174,6 +174,10 @@ static bool
 github_handle__push(std::ostream &,
                     const json::object &content);
 
+static bool
+github_post_handle__push(const m::event::id &,
+                         const json::object &content);
+
 static bool
 github_handle__pull_request(std::ostream &,
                             const json::object &content);
@@ -355,6 +359,9 @@ github_handle(client &client,
 		m::msghtml(room_id, user_id, view(out, buf[0]), view(alt, buf[1]), "m.notice")
 	};
 
+	if(type == "push")
+		github_post_handle__push(evid, request.content);
+
 	log::info
 	{
 		"Webhook [%s] '%s' delivered to %s %s",
@@ -620,7 +627,7 @@ find_reaction_id(const m::room &room,
 }
 
 static ircd::m::event::id::buf
-find_reaction_id_endswith(const m::room &room,
+find_reaction_id_contains(const m::room &room,
                           const m::user::id &user_id,
                           const m::event::id &event_id,
                           const string_view &label)
@@ -633,7 +640,7 @@ find_reaction_id_endswith(const m::room &room,
 			relates["key"]
 		};
 
-		return endswith(key, label);
+		return has(key, label);
 	});
 }
 
@@ -656,14 +663,14 @@ clear_reaction(const m::room &room,
 }
 
 static bool
-clear_reaction_endswith(const m::room &room,
+clear_reaction_contains(const m::room &room,
                         const m::user::id &user_id,
                         const m::event::id &event_id,
                         const string_view &label)
 {
 	const auto reaction_id
 	{
-		find_reaction_id_endswith(room, user_id, event_id, label)
+		find_reaction_id_contains(room, user_id, event_id, label)
 	};
 
 	if(!reaction_id)
@@ -933,6 +940,33 @@ github_hook_shot_retry(const string_view &repo,
 	);
 }
 
+static bool
+github_hook_shot_for_each_fail(const string_view &repo,
+                               const string_view &hook,
+                               const function_bool<json::object> &closure)
+{
+	bool ret {true};
+	github_hook_shot_for_each(repo, hook, true, [&ret, &closure]
+	(const json::object &object)
+	{
+		if(object.at<bool>("redelivery"))
+			return true;
+
+		const json::string status
+		{
+			object["status"]
+		};
+
+		if(status == "OK")
+			return false;
+
+		ret = closure(object);
+		return ret;
+	});
+
+	return ret;
+}
+
 static bool
 github_run_for_each_jobs(const string_view &repo,
                          const string_view &run_id,
@@ -992,6 +1026,59 @@ github_run_rerun_failed(const string_view &repo,
 	github_request(buf, "POST", repo, "actions/runs/%s/rerun-failed-jobs", run_id);
 }
 
+static void
+github_run_dispatch(const string_view &repo,
+                    const string_view &name,
+                    const string_view &ref = "master",
+                    const json::members inputs = {})
+{
+	const json::strung content{json::members
+	{
+		{ "ref",    ref    },
+		{ "inputs", inputs },
+	}};
+
+	unique_const_buffer buf;
+	github_request(content, buf, "POST", repo, "actions/workflows/%s/dispatches", name);
+}
+
+static bool
+github_flow_for_each(const string_view &repo,
+                     const function_bool<json::object> &closure,
+                     const bool active_only = true)
+{
+	unique_const_buffer buf;
+	const json::object response
+	{
+		github_request
+		(
+			//TODO: pagination token
+			buf, "GET", repo, "actions/workflows?per_page=100&page=1"
+		)
+	};
+
+	const json::array workflows
+	{
+		response["workflows"]
+	};
+
+	for(const json::object flow : workflows)
+	{
+		const json::string state
+		{
+			flow["state"]
+		};
+
+		if(active_only && state != "active")
+			continue;
+
+		if(!closure(flow))
+			return false;
+	}
+
+	return true;
+}
+
 bool
 github_handle__workflow_run(std::ostream &out,
                             std::ostream &alt,
@@ -1058,15 +1145,8 @@ github_handle__workflow_run(std::ostream &out,
 	annote = ircd::strlcat(buf, " "_sv);
 	annote = ircd::strlcat(buf, name);
 
-	const auto reaction_id
-	{
-		push_event_id && action != "requested"? // skip search on first action
-			find_reaction_id_endswith(_webhook_room, _webhook_user, push_event_id, name):
-			m::event::id::buf{}
-	};
-
-	if(reaction_id)
-		m::redact(_webhook_room, _webhook_user, reaction_id, "status change");
+	if(push_event_id && action != "requested") // skip search on first action
+		while(clear_reaction_contains(_webhook_room, _webhook_user, push_event_id, name));
 
 	m::annotate(_webhook_room, _webhook_user, push_event_id, annote);
 
@@ -1518,40 +1598,77 @@ try
 		json::object{relates_content}.get("body")
 	};
 
-	if(!startswith(relates_body, "job status table "))
-		return;
-
-	const auto suffix
+	if(startswith(relates_body, "job status table "))
 	{
-		lstrip(relates_body, "job status table ")
-	};
+		const auto suffix
+		{
+			lstrip(relates_body, "job status table ")
+		};
 
-	string_view token[3];
-	ircd::tokens(suffix, ' ', token);
-	const auto &[repopath, run_id, attempt] {token};
-	assert(repopath);
-	assert(run_id);
-	if(!repopath || !run_id)
-		return;
+		string_view token[3];
+		ircd::tokens(suffix, ' ', token);
+		const auto &[repopath, run_id, attempt] {token};
+		assert(repopath);
+		assert(run_id);
+		if(!repopath || !run_id)
+			return;
 
-	switch(hash(key))
+		switch(hash(key))
+		{
+			case hash("🚮"_sv):
+				github_run_delete(repopath, run_id);
+				m::redact(room, user_id, relates_event_id, "deleted");
+				break;
+
+			case hash("⭕"_sv):
+				github_run_cancel(repopath, run_id);
+				break;
+
+			case hash("🔄"_sv):
+				github_run_rerun_failed(repopath, run_id);
+				break;
+
+			case hash("↪️"_sv):
+				github_run_rerun(repopath, run_id);
+				break;
+		}
+	}
+	else if(startswith(relates_body, "push by "))
 	{
-		case hash("🚮"_sv):
-			github_run_delete(repopath, run_id);
-			m::redact(room, user_id, relates_event_id, "deleted");
-			break;
+		const auto suffix
+		{
+			lstrip(relates_body, "push by ")
+		};
 
-		case hash("⭕"_sv):
-			github_run_cancel(repopath, run_id);
-			break;
+		string_view token[5];
+		ircd::tokens(suffix, ' ', token);
+		const auto &[pusher, _by_, repo, _at_, commit] {token};
+		assert(pusher);
+		assert(repo);
+		assert(commit);
+		if(!repo)
+			return;
 
-		case hash("🔄"_sv):
-			github_run_rerun_failed(repopath, run_id);
-			break;
+		if(startswith(key, "▶️"))
+		{
+			const auto id
+			{
+				between(key, '(', ')')
+			};
 
-		case hash("↪️"_sv):
-			github_run_rerun(repopath, run_id);
-			break;
+			const auto ref
+			{
+				// commit // hash not supported by github
+				"master"
+			};
+
+			github_run_dispatch(repo, id, ref, json::members
+			{
+
+			});
+
+			return;
+		}
 	}
 }
 catch(const ctx::interrupted &)
@@ -1871,6 +1988,54 @@ github_handle__push(std::ostream &out,
 	return true;
 }
 
+static bool
+github_post_handle__push(const m::event::id &push_event_id,
+                         const json::object &content)
+{
+	const m::user::id::buf _webhook_user
+	{
+		string_view{webhook_user}, my_host()
+	};
+
+	const auto _webhook_room
+	{
+		m::room_id(string_view(webhook_room))
+	};
+
+	const auto repo
+	{
+		github_repopath(content)
+	};
+
+	github_flow_for_each(repo, [&]
+	(const json::object &flow)
+	{
+		const json::string name
+		{
+			flow["name"]
+		};
+
+		const json::string id
+		{
+			flow["id"]
+		};
+
+		const fmt::bsprintf<128> key
+		{
+			"▶️ %s (%s)", name, id
+		};
+
+		const auto annote_id
+		{
+			m::annotate(_webhook_room, _webhook_user, push_event_id, string_view(key))
+		};
+
+		return true;
+	});
+
+	return true;
+}
+
 bool
 github_handle__pull_request(std::ostream &out,
                             const json::object &content)