Merge remote-tracking branch 'upstream/main' into main

Merge pull request #2274 from ClearlyClaire/glitch-soc/merge-upstream
Merge upstream changes
2561 changed files with 43879 additions and 31075 deletions
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@ -1,5 +1,5 @@
 # For details, see https://github.com/devcontainers/images/tree/main/src/ruby
-FROM mcr.microsoft.com/devcontainers/ruby:0-3.2-bullseye
+FROM mcr.microsoft.com/devcontainers/ruby:1-3.2-bullseye

 # Install Rails
 # RUN gem install rails webdrivers
--- a/.devcontainer/docker-compose.yml
+++ b/.devcontainer/docker-compose.yml
@ -26,7 +26,6 @@ services:
    ports:
      - '127.0.0.1:3000:3000'
      - '127.0.0.1:4000:4000'
-      - '127.0.0.1:80:3000'
    networks:
      - external_network
      - internal_network
@ -70,7 +69,7 @@ services:
        hard: -1

  libretranslate:
-    image: libretranslate/libretranslate:v1.3.10
+    image: libretranslate/libretranslate:v1.3.11
    restart: unless-stopped
    volumes:
      - lt-data:/home/libretranslate/.local
--- a/.eslintrc.js
+++ b/.eslintrc.js
@ -4,9 +4,12 @@ module.exports = {
  extends: [
    'eslint:recommended',
    'plugin:react/recommended',
+    'plugin:react-hooks/recommended',
    'plugin:jsx-a11y/recommended',
    'plugin:import/recommended',
    'plugin:promise/recommended',
+    'plugin:jsdoc/recommended',
+    'plugin:prettier/recommended',
  ],

  env: {
@ -27,6 +30,7 @@ module.exports = {
    'import',
    'promise',
    '@typescript-eslint',
+    'formatjs',
  ],

  parserOptions: {
@ -51,28 +55,14 @@ module.exports = {
      '\\.(css|scss|json)$',
    ],
    'import/resolver': {
-      node: {
-        paths: ['app/javascript'],
-        extensions: ['.js', '.jsx', '.ts', '.tsx'],
-      },
+      typescript: {},
    },
  },

  rules: {
-    'brace-style': 'warn',
-    'comma-dangle': ['error', 'always-multiline'],
-    'comma-spacing': [
-      'warn',
-      {
-        before: false,
-        after: true,
-      },
-    ],
-    'comma-style': ['warn', 'last'],
    'consistent-return': 'error',
    'dot-notation': 'error',
-    eqeqeq: 'error',
-    indent: ['warn', 2],
+    eqeqeq: ['error', 'always', { 'null': 'ignore' }],
    'jsx-quotes': ['error', 'prefer-single'],
    'no-case-declarations': 'off',
    'no-catch-shadow': 'error',
@ -91,8 +81,16 @@ module.exports = {
      { property: 'substring', message: 'Use .slice instead of .substring.' },
      { property: 'substr', message: 'Use .slice instead of .substr.' },
    ],
+    'no-restricted-syntax': [
+      'error',
+      {
+        // eslint-disable-next-line no-restricted-syntax
+        selector: 'Literal[value=/•/], JSXText[value=/•/]',
+        // eslint-disable-next-line no-restricted-syntax
+        message: "Use '·' (middle dot) instead of '•' (bullet)",
+      },
+    ],
    'no-self-assign': 'off',
-    'no-trailing-spaces': 'warn',
    'no-unused-expressions': 'error',
    'no-unused-vars': 'off',
    '@typescript-eslint/no-unused-vars': [
@ -100,34 +98,26 @@ module.exports = {
      {
        vars: 'all',
        args: 'after-used',
+        destructuredArrayIgnorePattern: '^_',
        ignoreRestSiblings: true,
      },
    ],
-    'object-curly-spacing': ['error', 'always'],
-    'padded-blocks': [
-      'error',
-      {
-        classes: 'always',
-      },
-    ],
-    quotes: ['error', 'single'],
-    semi: 'error',
    'valid-typeof': 'error',

    'react/jsx-filename-extension': ['error', { extensions: ['.jsx', 'tsx'] }],
    'react/jsx-boolean-value': 'error',
-    'react/jsx-closing-bracket-location': ['error', 'line-aligned'],
-    'react/jsx-curly-spacing': 'error',
    'react/display-name': 'off',
+    'react/jsx-fragments': ['error', 'syntax'],
    'react/jsx-equals-spacing': 'error',
-    'react/jsx-first-prop-new-line': ['error', 'multiline-multiprop'],
-    'react/jsx-indent': ['error', 2],
    'react/jsx-no-bind': 'error',
+    'react/jsx-no-useless-fragment': 'error',
    'react/jsx-no-target-blank': 'off',
    'react/jsx-tag-spacing': 'error',
+    'react/jsx-uses-react': 'off', // not needed with new JSX transform
    'react/jsx-wrap-multilines': 'error',
    'react/no-deprecated': 'off',
    'react/no-unknown-property': 'off',
+    'react/react-in-jsx-scope': 'off', // not needed with new JSX transform
    'react/self-closing-comp': 'error',

    // recommended values found in https://github.com/jsx-eslint/eslint-plugin-jsx-a11y/blob/main/src/index.js
@ -190,11 +180,14 @@ module.exports = {
      {
        js: 'never',
        jsx: 'never',
+        mjs: 'never',
        ts: 'never',
        tsx: 'never',
      },
    ],
+    'import/first': 'error',
    'import/newline-after-import': 'error',
+    'import/no-anonymous-default-export': 'error',
    'import/no-extraneous-dependencies': [
      'error',
      {
@ -206,8 +199,63 @@ module.exports = {
        ],
      },
    ],
+    'import/no-amd': 'error',
+    'import/no-commonjs': 'error',
+    'import/no-import-module-exports': 'error',
+    'import/no-relative-packages': 'error',
+    'import/no-self-import': 'error',
+    'import/no-useless-path-segments': 'error',
    'import/no-webpack-loader-syntax': 'error',

+    'import/order': [
+      'error',
+      {
+        alphabetize: { order: 'asc' },
+        'newlines-between': 'always',
+        groups: [
+          'builtin',
+          'external',
+          'internal',
+          'parent',
+          ['index', 'sibling'],
+          'object',
+        ],
+        pathGroups: [
+          // React core packages
+          {
+            pattern: '{react,react-dom,react-dom/client,prop-types}',
+            group: 'builtin',
+            position: 'after',
+          },
+          // I18n
+          {
+            pattern: '{react-intl,intl-messageformat}',
+            group: 'builtin',
+            position: 'after',
+          },
+          // Common React utilities
+          {
+            pattern: '{classnames,react-helmet,react-router-dom}',
+            group: 'external',
+            position: 'before',
+          },
+          // Immutable / Redux / data store
+          {
+            pattern: '{immutable,react-redux,react-immutable-proptypes,react-immutable-pure-component,reselect}',
+            group: 'external',
+            position: 'before',
+          },
+          // Internal packages
+          {
+            pattern: '{mastodon/**,flavours/glitch-soc/**}',
+            group: 'internal',
+            position: 'after',
+          },
+        ],
+        pathGroupsExcludedImportTypes: [],
+      },
+    ],
+
    'promise/always-return': 'off',
    'promise/catch-or-return': [
      'error',
@ -218,6 +266,33 @@ module.exports = {
    'promise/no-callback-in-promise': 'off',
    'promise/no-nesting': 'off',
    'promise/no-promise-in-callback': 'off',
+
+    'formatjs/blocklist-elements': 'error',
+    'formatjs/enforce-default-message': ['error', 'literal'],
+    'formatjs/enforce-description': 'off', // description values not currently used
+    'formatjs/enforce-id': 'off', // Explicit IDs are used in the project
+    'formatjs/enforce-placeholders': 'off', // Issues in short_number.jsx
+    'formatjs/enforce-plural-rules': 'error',
+    'formatjs/no-camel-case': 'off', // disabledAccount is only non-conforming
+    'formatjs/no-complex-selectors': 'error',
+    'formatjs/no-emoji': 'error',
+    'formatjs/no-id': 'off', // IDs are used for translation keys
+    'formatjs/no-invalid-icu': 'error',
+    'formatjs/no-literal-string-in-jsx': 'off', // Should be looked at, but mainly flagging punctuation outside of strings
+    'formatjs/no-multiple-plurals': 'off', // Only used by hashtag.jsx
+    'formatjs/no-multiple-whitespaces': 'error',
+    'formatjs/no-offset': 'error',
+    'formatjs/no-useless-message': 'error',
+    'formatjs/prefer-formatted-message': 'error',
+    'formatjs/prefer-pound-in-plural': 'error',
+
+    'jsdoc/check-types': 'off',
+    'jsdoc/no-undefined-types': 'off',
+    'jsdoc/require-jsdoc': 'off',
+    'jsdoc/require-param-description': 'off',
+    'jsdoc/require-property-description': 'off',
+    'jsdoc/require-returns-description': 'off',
+    'jsdoc/require-returns': 'off',
  },

  overrides: [
@ -226,6 +301,8 @@ module.exports = {
        '*.config.js',
        '.*rc.js',
        'ide-helper.js',
+        'config/webpack/**/*',
+        'config/formatjs-formatter.js',
      ],

      env: {
@ -235,6 +312,10 @@ module.exports = {
      parserOptions: {
        sourceType: 'script',
      },
+
+      rules: {
+        'import/no-commonjs': 'off',
+      },
    },
    {
      files: [
@ -245,15 +326,39 @@ module.exports = {
      extends: [
        'eslint:recommended',
        'plugin:@typescript-eslint/recommended',
+        'plugin:@typescript-eslint/recommended-requiring-type-checking',
        'plugin:react/recommended',
+        'plugin:react-hooks/recommended',
        'plugin:jsx-a11y/recommended',
        'plugin:import/recommended',
        'plugin:import/typescript',
        'plugin:promise/recommended',
+        'plugin:jsdoc/recommended-typescript',
+        'plugin:prettier/recommended',
      ],

+      parserOptions: {
+        project: './tsconfig.json',
+        tsconfigRootDir: __dirname,
+      },
+
      rules: {
-        '@typescript-eslint/no-explicit-any': 'off',
+        'import/consistent-type-specifier-style': ['error', 'prefer-top-level'],
+
+        '@typescript-eslint/consistent-type-definitions': ['warn', 'interface'],
+        '@typescript-eslint/consistent-type-exports': 'error',
+        '@typescript-eslint/consistent-type-imports': 'error',
+
+        'jsdoc/require-jsdoc': 'off',
+
+        // Those rules set stricter rules for TS files
+        // to enforce better practices when converting from JS
+        'import/no-default-export': 'warn',
+        'react/prefer-stateless-function': 'warn',
+        'react/function-component-definition': ['error', { namedComponents: 'arrow-function' }],
+        'react/jsx-uses-react': 'off', // not needed with new JSX transform
+        'react/react-in-jsx-scope': 'off', // not needed with new JSX transform
+        'react/prop-types': 'off',
      },
    },
    {
@ -266,5 +371,13 @@ module.exports = {
        jest: true,
      },
    },
+    {
+      files: [
+        'streaming/**/*',
+      ],
+      rules: {
+        'import/no-commonjs': 'off',
+      },
+    },
  ],
 };
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@ -0,0 +1,114 @@
+{
+  $schema: 'https://docs.renovatebot.com/renovate-schema.json',
+  extends: [
+    'config:base',
+    ':dependencyDashboard',
+    ':labels(dependencies)',
+    ':maintainLockFilesMonthly', // update non-direct dependencies monthly
+    ':prConcurrentLimit10', // only 10 open PRs at the same time
+  ],
+  stabilityDays: 3, // Wait 3 days after the package has been published before upgrading it
+  // packageRules order is important, they are applied from top to bottom and are merged,
+  // so for example grouping rules needs to be at the bottom
+  packageRules: [
+    {
+      // Ignore major version bumps for these node packages
+      matchManagers: ['npm'],
+      matchPackageNames: [
+        '@rails/ujs', // Needs to match the major Rails version
+        'tesseract.js', // Requires code changes
+        'react-hotkeys', // Requires code changes
+
+        // Requires Webpacker upgrade or replacement
+        '@types/webpack',
+        'babel-loader',
+        'compression-webpack-plugin',
+        'css-loader',
+        'imports-loader',
+        'mini-css-extract-plugin',
+        'postcss-loader',
+        'sass-loader',
+        'terser-webpack-plugin',
+        'webpack',
+        'webpack-assets-manifest',
+        'webpack-bundle-analyzer',
+        'webpack-dev-server',
+        'webpack-cli',
+
+        // react-router: Requires manual upgrade
+        'history',
+        'react-router-dom',
+      ],
+      matchUpdateTypes: ['major'],
+      enabled: false,
+    },
+    {
+      // Ignore major version bumps for these Ruby packages
+      matchManagers: ['bundler'],
+      matchPackageNames: [
+        'sprockets', // Requires manual upgrade https://github.com/rails/sprockets/blob/master/UPGRADING.md#guide-to-upgrading-from-sprockets-3x-to-4x
+        'strong_migrations', // Requires manual upgrade
+        'sidekiq', // Requires manual upgrade
+        'sidekiq-unique-jobs', // Requires manual upgrades and sync with Sidekiq version
+        'redis', // Requires manual upgrade and sync with Sidekiq version
+        'fog-openstack', // TODO: was ignored in https://github.com/mastodon/mastodon/pull/13964
+
+        // Needs major Rails version bump
+        'rack',
+        'rails',
+        'rails-i18n',
+      ],
+      matchUpdateTypes: ['major'],
+      enabled: false,
+    },
+    {
+      // Update Github Actions and Docker images weekly
+      matchManagers: ['github-actions', 'dockerfile', 'docker-compose'],
+      extends: ['schedule:weekly'],
+    },
+    {
+      // Ignore major & minor bumps for the ruby image, this needs to be synced with .ruby-version
+      matchManagers: ['dockerfile'],
+      matchPackageNames: ['moritzheiber/ruby-jemalloc'],
+      matchUpdateTypes: ['minor', 'major'],
+      enabled: false,
+    },
+    {
+      // Ignore major bump for the node image, this needs to be synced with .nvmrc
+      matchManagers: ['dockerfile'],
+      matchPackageNames: ['node'],
+      matchUpdateTypes: ['major'],
+      enabled: false,
+    },
+    {
+      // Ignore major postgres bumps in the docker-compose file, as those break dev environments
+      matchManagers: ['docker-compose'],
+      matchPackageNames: ['postgres'],
+      matchUpdateTypes: ['major'],
+      enabled: false,
+    },
+    {
+      // Update devDependencies every week, with one grouped PR
+      matchDepTypes: 'devDependencies',
+      matchUpdateTypes: ['patch', 'minor'],
+      excludePackageNames: [
+        'typescript', // Typescript has many changes in minor versions, needs to be checked every time
+      ],
+      groupName: 'devDependencies (non-major)',
+      extends: ['schedule:weekly'],
+    },
+    {
+      // Update @types/* packages every week, with one grouped PR
+      matchPackagePrefixes: '@types/',
+      matchUpdateTypes: ['patch', 'minor'],
+      groupName: 'DefinitelyTyped types (non-major)',
+      extends: ['schedule:weekly'],
+      addLabels: ['typescript'],
+    },
+    // Add labels depending on package manager
+    { matchManagers: ['npm', 'nvm'], addLabels: ['javascript'] },
+    { matchManagers: ['bundler', 'ruby-version'], addLabels: ['ruby'] },
+    { matchManagers: ['docker-compose', 'dockerfile'], addLabels: ['docker'] },
+    { matchManagers: ['github-actions'], addLabels: ['github_actions'] },
+  ],
+}
--- a/.github/workflows/build-image.yml
+++ b/.github/workflows/build-image.yml
@ -43,9 +43,16 @@ jobs:
            type=edge,branch=main
            type=sha,prefix=,format=long

+      - name: Generate version suffix
+        id: version_vars
+        if: github.repository == 'mastodon/mastodon' && github.event_name == 'push' && github.ref_name == 'main'
+        run: |
+          echo mastodon_version_suffix=+edge-$(git rev-parse --short HEAD) >> $GITHUB_OUTPUT
+
      - uses: docker/build-push-action@v4
        with:
          context: .
+          build-args: MASTODON_VERSION_SUFFIX=${{ steps.version_vars.outputs.mastodon_version_suffix }}
          platforms: linux/amd64,linux/arm64
          provenance: false
          builder: ${{ steps.buildx.outputs.name }}
--- a/.github/workflows/build-nightly.yml
+++ b/.github/workflows/build-nightly.yml
@ -0,0 +1,60 @@
+name: Build nightly container image
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 2 * * *' # run at 2 AM UTC
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build-nightly-image:
+    runs-on: ubuntu-latest
+
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref }}
+      cancel-in-progress: true
+
+    steps:
+      - uses: actions/checkout@v3
+      - uses: hadolint/hadolint-action@v3.1.0
+      - uses: docker/setup-qemu-action@v2
+      - uses: docker/setup-buildx-action@v2
+
+      - name: Log in to the Github Container registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: docker/metadata-action@v4
+        id: meta
+        with:
+          images: |
+            ghcr.io/mastodon/mastodon
+          flavor: |
+            latest=auto
+          tags: |
+            type=raw,value=nightly
+            type=schedule,pattern=nightly-{{date 'YYYY-MM-DD' tz='Etc/UTC'}}
+          labels: |
+            org.opencontainers.image.description=Nightly build image used for testing purposes
+
+      - name: Generate version suffix
+        id: version_vars
+        run: |
+          echo mastodon_version_suffix=+nightly-$(date +'%Y%m%d') >> $GITHUB_OUTPUT
+
+      - uses: docker/build-push-action@v4
+        with:
+          context: .
+          build-args: MASTODON_VERSION_SUFFIX=${{ steps.version_vars.outputs.mastodon_version_suffix }}
+          platforms: linux/amd64,linux/arm64
+          provenance: false
+          builder: ${{ steps.buildx.outputs.name }}
+          push: ${{ github.repository == 'mastodon/mastodon' && github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
--- a/.github/workflows/check-i18n.yml
+++ b/.github/workflows/check-i18n.yml
@ -41,8 +41,7 @@ jobs:

      - name: Check for missing strings in English JSON
        run: |
-          yarn build:development
-          yarn manage:translations
+          yarn i18n:extract --throws
          git diff --exit-code

      - name: Check locale file normalization
--- a/.github/workflows/lint-css.yml
+++ b/.github/workflows/lint-css.yml
@ -3,6 +3,7 @@ on:
  push:
    branches-ignore:
      - 'dependabot/**'
+      - 'renovate/**'
    paths:
      - 'package.json'
      - 'yarn.lock'
@ -48,4 +49,4 @@ jobs:
      - run: echo "::add-matcher::.github/stylelint-matcher.json"

      - name: Stylelint
-        run: yarn test:lint:sass
+        run: yarn lint:sass
--- a/.github/workflows/lint-haml.yml
+++ b/.github/workflows/lint-haml.yml
@ -3,6 +3,7 @@ on:
  push:
    branches-ignore:
      - 'dependabot/**'
+      - 'renovate/**'
    paths:
      - '.github/workflows/haml-lint-problem-matcher.json'
      - '.github/workflows/lint-haml.yml'
--- a/.github/workflows/lint-js.yml
+++ b/.github/workflows/lint-js.yml
@ -3,6 +3,7 @@ on:
  push:
    branches-ignore:
      - 'dependabot/**'
+      - 'renovate/**'
    paths:
      - 'package.json'
      - 'yarn.lock'
@ -48,7 +49,7 @@ jobs:
        run: yarn --frozen-lockfile

      - name: ESLint
-        run: yarn test:lint:js
+        run: yarn lint:js --max-warnings 0

      - name: Typecheck
-        run: yarn test:typecheck
+        run: yarn typecheck
--- a/.github/workflows/lint-json.yml
+++ b/.github/workflows/lint-json.yml
@ -3,6 +3,7 @@ on:
  push:
    branches-ignore:
      - 'dependabot/**'
+      - 'renovate/**'
    paths:
      - 'package.json'
      - 'yarn.lock'
@ -40,4 +41,4 @@ jobs:
        run: yarn --frozen-lockfile

      - name: Prettier
-        run: yarn prettier --check "**/*.json"
+        run: yarn lint:json
--- a/.github/workflows/lint-md.yml
+++ b/.github/workflows/lint-md.yml
@ -3,8 +3,10 @@ on:
  push:
    branches-ignore:
      - 'dependabot/**'
+      - 'renovate/**'
    paths:
      - '.github/workflows/lint-md.yml'
+      - '.nvmrc'
      - '.prettier*'
      - '**/*.md'
      - '!AUTHORS.md'
@ -14,6 +16,7 @@ on:
  pull_request:
    paths:
      - '.github/workflows/lint-md.yml'
+      - '.nvmrc'
      - '.prettier*'
      - '**/*.md'
      - '!AUTHORS.md'
@ -32,9 +35,10 @@ jobs:
        uses: actions/setup-node@v3
        with:
          cache: yarn
+          node-version-file: '.nvmrc'

      - name: Install all yarn packages
        run: yarn --frozen-lockfile

      - name: Prettier
-        run: yarn prettier --check "**/*.md"
+        run: yarn lint:md
--- a/.github/workflows/lint-ruby.yml
+++ b/.github/workflows/lint-ruby.yml
@ -3,6 +3,7 @@ on:
  push:
    branches-ignore:
      - 'dependabot/**'
+      - 'renovate/**'
    paths:
      - 'Gemfile*'
      - '.rubocop*.yml'
--- a/.github/workflows/lint-yml.yml
+++ b/.github/workflows/lint-yml.yml
@ -3,6 +3,7 @@ on:
  push:
    branches-ignore:
      - 'dependabot/**'
+      - 'renovate/**'
    paths:
      - 'package.json'
      - 'yarn.lock'
@ -42,4 +43,4 @@ jobs:
        run: yarn --frozen-lockfile

      - name: Prettier
-        run: yarn prettier --check "**/*.{yml,yaml}"
+        run: yarn lint:yml
--- a/.github/workflows/rebase-needed.yml
+++ b/.github/workflows/rebase-needed.yml
@ -4,10 +4,12 @@ on:
  push:
    branches-ignore:
      - 'dependabot/**'
+      - 'renovate/**'
      - 'l10n_main'
  pull_request_target:
    branches-ignore:
      - 'dependabot/**'
+      - 'renovate/**'
      - 'l10n_main'
    types: [synchronize]

--- a/.github/workflows/test-js.yml
+++ b/.github/workflows/test-js.yml
@ -3,12 +3,15 @@ on:
  push:
    branches-ignore:
      - 'dependabot/**'
+      - 'renovate/**'
    paths:
      - 'package.json'
      - 'yarn.lock'
      - '.nvmrc'
      - '**/*.js'
      - '**/*.jsx'
+      - '**/*.ts'
+      - '**/*.tsx'
      - '**/*.snap'
      - '.github/workflows/test-js.yml'

@ -19,6 +22,8 @@ on:
      - '.nvmrc'
      - '**/*.js'
      - '**/*.jsx'
+      - '**/*.ts'
+      - '**/*.tsx'
      - '**/*.snap'
      - '.github/workflows/test-js.yml'

@ -40,4 +45,4 @@ jobs:
        run: yarn --frozen-lockfile

      - name: Jest testing
-        run: yarn test:jest --reporters github-actions summary
+        run: yarn jest --reporters github-actions summary
--- a/.github/workflows/test-migrations-one-step.yml
+++ b/.github/workflows/test-migrations-one-step.yml
@ -3,6 +3,7 @@ on:
  push:
    branches-ignore:
      - 'dependabot/**'
+      - 'renovate/**'
  pull_request:

 jobs:
@ -23,9 +24,17 @@ jobs:
    needs: pre_job
    if: needs.pre_job.outputs.should_skip != 'true'

+    strategy:
+      fail-fast: false
+
+      matrix:
+        postgres:
+          - 14-alpine
+          - 15-alpine
+
    services:
      postgres:
-        image: postgres:14-alpine
+        image: postgres:${{ matrix.postgres}}
        env:
          POSTGRES_PASSWORD: postgres
          POSTGRES_USER: postgres
--- a/.github/workflows/test-migrations-two-step.yml
+++ b/.github/workflows/test-migrations-two-step.yml
@ -3,6 +3,7 @@ on:
  push:
    branches-ignore:
      - 'dependabot/**'
+      - 'renovate/**'
  pull_request:

 jobs:
@ -23,9 +24,17 @@ jobs:
    needs: pre_job
    if: needs.pre_job.outputs.should_skip != 'true'

+    strategy:
+      fail-fast: false
+
+      matrix:
+        postgres:
+          - 14-alpine
+          - 15-alpine
+
    services:
      postgres:
-        image: postgres:14-alpine
+        image: postgres:${{ matrix.postgres}}
        env:
          POSTGRES_PASSWORD: postgres
          POSTGRES_USER: postgres
--- a/.github/workflows/test-ruby.yml
+++ b/.github/workflows/test-ruby.yml
@ -4,12 +4,12 @@ on:
  push:
    branches-ignore:
      - 'dependabot/**'
+      - 'renovate/**'
  pull_request:

 env:
  BUNDLE_CLEAN: true
  BUNDLE_FROZEN: true
-  BUNDLE_WITHOUT: 'development production'

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
@ -19,8 +19,17 @@ jobs:
  build:
    runs-on: ubuntu-latest

+    strategy:
+      fail-fast: true
+      matrix:
+        mode:
+          - production
+          - test
    env:
-      RAILS_ENV: test
+      RAILS_ENV: ${{ matrix.mode }}
+      BUNDLE_WITH: ${{ matrix.mode }}
+      OTP_SECRET: precompile_placeholder
+      SECRET_KEY_BASE: precompile_placeholder

    steps:
      - uses: actions/checkout@v3
@ -50,6 +59,7 @@ jobs:
          ./bin/rails assets:precompile

      - uses: actions/upload-artifact@v3
+        if: matrix.mode == 'test'
        with:
          path: |-
            ./public/assets
@ -97,14 +107,13 @@ jobs:
      PAM_ENABLED: true
      PAM_DEFAULT_SERVICE: pam_test
      PAM_CONTROLLED_SERVICE: pam_test_controlled
-      BUNDLE_WITH: 'pam_authentication'
+      BUNDLE_WITH: 'pam_authentication test'
      CI_JOBS: ${{ matrix.ci_job }}/4

    strategy:
      fail-fast: false
      matrix:
        ruby-version:
-          - '2.7'
          - '3.0'
          - '3.1'
          - '.ruby-version'
@ -136,10 +145,6 @@ jobs:
          ruby-version: ${{ matrix.ruby-version}}
          bundler-cache: true

-      - name: Update system gems
-        if: matrix.ruby-version == '2.7'
-        run: gem update --system
-
      - name: Load database schema
        run: './bin/rails db:create db:schema:load db:seed'

--- a/.haml-lint.yml
+++ b/.haml-lint.yml
@ -4,6 +4,11 @@ exclude:
  - 'vendor/**/*'
  - lib/templates/haml/scaffold/_form.html.haml

+require:
+  - ./lib/linter/haml_middle_dot.rb
+
 linters:
  AltText:
    enabled: true
+  MiddleDot:
+    enabled: true
--- a/.prettierignore
+++ b/.prettierignore
@ -61,7 +61,7 @@ docker-compose.override.yml
 /app/javascript/mastodon/features/emoji/emoji_map.json

 # Ignore locale files
-/app/javascript/mastodon/locales
+/app/javascript/mastodon/locales/*.json
 /config/locales

 # Ignore vendored CSS reset
@ -70,8 +70,6 @@ app/javascript/styles/mastodon/reset.scss
 # Ignore Javascript pending https://github.com/mastodon/mastodon/pull/23631
 *.js
 *.jsx
-*.ts
-*.tsx

 # Ignore HTML till cleaned and included in CI
 *.html
--- a/.prettierrc.js
+++ b/.prettierrc.js
@ -1,3 +1,4 @@
 module.exports = {
-  singleQuote: true
+  singleQuote: true,
+  jsxSingleQuote: true
 }
--- a/.profile
+++ b/.profile
@ -1 +1 @@
-LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/app/.apt/lib/x86_64-linux-gnu:/app/.apt/usr/lib/x86_64-linux-gnu/mesa:/app/.apt/usr/lib/x86_64-linux-gnu/pulseaudio
+LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/app/.apt/lib/x86_64-linux-gnu:/app/.apt/usr/lib/x86_64-linux-gnu/mesa:/app/.apt/usr/lib/x86_64-linux-gnu/pulseaudio:/app/.apt/usr/lib/x86_64-linux-gnu/openblas-pthread
--- a/.rubocop.yml
+++ b/.rubocop.yml
@ -11,9 +11,10 @@ require:
  - rubocop-rspec
  - rubocop-performance
  - rubocop-capybara
+  - ./lib/linter/rubocop_middle_dot

 AllCops:
-  TargetRubyVersion: 2.7 # Set to minimum supported version of CI
+  TargetRubyVersion: 3.0 # Set to minimum supported version of CI
  DisplayCopNames: true
  DisplayStyleGuide: true
  ExtraDetails: true
@ -43,7 +44,7 @@ Layout/LineLength:
    - !ruby/regexp / \# .*$/
    - !ruby/regexp /^\# .*$/
  Exclude:
-    - lib/**/*cli*.rb
+    - 'lib/mastodon/cli/*.rb'
    - db/*migrate/**/*
    - db/seeds/**/*

@ -53,123 +54,69 @@ Lint/UselessAccessModifier:
  ContextCreatingMethods:
    - class_methods

+## Disable most Metrics/*Length cops
+# Reason: those are often triggered and force significant refactors when this happend
+#         but the team feel they are not really improving the code quality.
+
+# https://docs.rubocop.org/rubocop/cops_metrics.html#metricsblocklength
+Metrics/BlockLength:
+  Enabled: false
+
+# https://docs.rubocop.org/rubocop/cops_metrics.html#metricsclasslength
+Metrics/ClassLength:
+  Enabled: false
+
+# https://docs.rubocop.org/rubocop/cops_metrics.html#metricsmethodlength
+Metrics/MethodLength:
+  Enabled: false
+
+# https://docs.rubocop.org/rubocop/cops_metrics.html#metricsmodulelength
+Metrics/ModuleLength:
+  Enabled: false
+
+## End Disable Metrics/*Length cops
+
 # Reason: Currently disabled in .rubocop_todo.yml
 # https://docs.rubocop.org/rubocop/cops_metrics.html#metricsabcsize
 Metrics/AbcSize:
  Exclude:
-    - 'lib/**/*cli*.rb'
+    - 'lib/mastodon/cli/*.rb'
    - db/*migrate/**/*

-# Reason: Some functions cannot be broken up, but others may be refactor candidates
-# https://docs.rubocop.org/rubocop/cops_metrics.html#metricsblocklength
-Metrics/BlockLength:
-  CountAsOne: ['array', 'hash', 'heredoc', 'method_call']
-  Exclude:
-    - 'lib/mastodon/*_cli.rb'
-    - 'lib/tasks/*.rake'
-    - 'app/models/concerns/account_associations.rb'
-    - 'app/models/concerns/account_interactions.rb'
-    - 'app/models/concerns/ldap_authenticable.rb'
-    - 'app/models/concerns/omniauthable.rb'
-    - 'app/models/concerns/pam_authenticable.rb'
-    - 'app/models/concerns/remotable.rb'
-    - 'app/services/suspend_account_service.rb'
-    - 'app/services/unsuspend_account_service.rb'
-    - 'app/views/accounts/show.rss.ruby'
-    - 'app/views/tags/show.rss.ruby'
-    - 'config/environments/development.rb'
-    - 'config/environments/production.rb'
-    - 'config/initializers/devise.rb'
-    - 'config/initializers/doorkeeper.rb'
-    - 'config/initializers/omniauth.rb'
-    - 'config/initializers/simple_form.rb'
-    - 'config/navigation.rb'
-    - 'config/routes.rb'
-    - 'db/post_migrate/20221101190723_backfill_admin_action_logs.rb'
-    - 'db/post_migrate/20221206114142_backfill_admin_action_logs_again.rb'
-    - 'lib/paperclip/gif_transcoder.rb'
-
 # Reason:
 # https://docs.rubocop.org/rubocop/cops_metrics.html#metricsblocknesting
 Metrics/BlockNesting:
  Exclude:
-    - 'lib/mastodon/*_cli.rb'
-
-# Reason: Some Excluded files would be candidates for refactoring but not currently addressed
-# https://docs.rubocop.org/rubocop/cops_metrics.html#metricsclasslength
-Metrics/ClassLength:
-  CountAsOne: ['array', 'hash', 'heredoc', 'method_call']
-  Exclude:
-    - 'lib/mastodon/*_cli.rb'
-    - 'app/controllers/admin/accounts_controller.rb'
-    - 'app/controllers/api/base_controller.rb'
-    - 'app/controllers/api/v1/admin/accounts_controller.rb'
-    - 'app/controllers/application_controller.rb'
-    - 'app/controllers/auth/registrations_controller.rb'
-    - 'app/controllers/auth/sessions_controller.rb'
-    - 'app/lib/activitypub/activity.rb'
-    - 'app/lib/activitypub/activity/create.rb'
-    - 'app/lib/activitypub/tag_manager.rb'
-    - 'app/lib/feed_manager.rb'
-    - 'app/lib/link_details_extractor.rb'
-    - 'app/lib/request.rb'
-    - 'app/lib/text_formatter.rb'
-    - 'app/lib/user_settings_decorator.rb'
-    - 'app/mailers/user_mailer.rb'
-    - 'app/models/account.rb'
-    - 'app/models/admin/account_action.rb'
-    - 'app/models/form/account_batch.rb'
-    - 'app/models/media_attachment.rb'
-    - 'app/models/status.rb'
-    - 'app/models/tag.rb'
-    - 'app/models/user.rb'
-    - 'app/serializers/activitypub/actor_serializer.rb'
-    - 'app/serializers/activitypub/note_serializer.rb'
-    - 'app/serializers/rest/status_serializer.rb'
-    - 'app/services/account_search_service.rb'
-    - 'app/services/activitypub/process_account_service.rb'
-    - 'app/services/activitypub/process_status_update_service.rb'
-    - 'app/services/backup_service.rb'
-    - 'app/services/delete_account_service.rb'
-    - 'app/services/fan_out_on_write_service.rb'
-    - 'app/services/fetch_link_card_service.rb'
-    - 'app/services/import_service.rb'
-    - 'app/services/notify_service.rb'
-    - 'app/services/post_status_service.rb'
-    - 'app/services/update_status_service.rb'
-    - 'lib/paperclip/color_extractor.rb'
+    - 'lib/mastodon/cli/*.rb'

 # Reason: Currently disabled in .rubocop_todo.yml
 # https://docs.rubocop.org/rubocop/cops_metrics.html#metricscyclomaticcomplexity
 Metrics/CyclomaticComplexity:
  Exclude:
-    - lib/mastodon/*cli*.rb
+    - lib/mastodon/cli/*.rb
    - db/*migrate/**/*

-# Reason: Currently disabled in .rubocop_todo.yml
-# https://docs.rubocop.org/rubocop/cops_metrics.html#metricsmethodlength
-Metrics/MethodLength:
-  CountAsOne: [array, heredoc]
-  Exclude:
-    - 'lib/mastodon/*_cli.rb'
-
 # Reason:
-# https://docs.rubocop.org/rubocop/cops_style.html#stylerescuestandarderror
-Metrics/ModuleLength:
-  CountAsOne: [array, heredoc]
+# https://docs.rubocop.org/rubocop/cops_metrics.html#metricsparameterlists
+Metrics/ParameterLists:
+  CountKeywordArgs: false
+
+# Reason: Prevailing style is argument file paths
+# https://docs.rubocop.org/rubocop-rails/cops_rails.html#railsfilepath
+Rails/FilePath:
+  EnforcedStyle: arguments

 # Reason: Prevailing style uses numeric status codes, matches RSpec/Rails/HttpStatus
 # https://docs.rubocop.org/rubocop-rails/cops_rails.html#railshttpstatus
 Rails/HttpStatus:
  EnforcedStyle: numeric

-# Reason: Allowed only in the `tootctl` CLI application code
+# Reason: Allowed in `tootctl` CLI code and in boot ENV checker
 # https://docs.rubocop.org/rubocop-rails/cops_rails.html#railsexit
 Rails/Exit:
  Exclude:
-    - 'lib/mastodon/*_cli.rb'
-    - 'lib/mastodon/cli_helper.rb'
-    - 'lib/cli.rb'
+    - 'config/boot.rb'
+    - 'lib/mastodon/cli/*.rb'

 # Reason: Some single letter camel case files shouldn't be split
 # https://docs.rubocop.org/rubocop-rspec/cops_rspec.html#rspecfilepath
@ -259,3 +206,6 @@ Style/TrailingCommaInArrayLiteral:
 # https://docs.rubocop.org/rubocop/cops_style.html#styletrailingcommainhashliteral
 Style/TrailingCommaInHashLiteral:
  EnforcedStyleForMultiline: 'comma'
+
+Style/MiddleDot:
+  Enabled: true
--- a/.rubocop_todo.yml
+++ b/.rubocop_todo.yml
--- a/1
+++ b/1
@ -1,4 +1,5 @@
 ffmpeg
+libopenblas0-pthread
 libpq-dev
 libxdamage1
 libxfixes3
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,6 +2,54 @@

 All notable changes to this project will be documented in this file.

+## [4.1.3] - 2023-07-06
+
+### Added
+
+- Add fallback redirection when getting a webfinger query `LOCAL_DOMAIN@LOCAL_DOMAIN` ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/23600))
+
+### Changed
+
+- Change OpenGraph-based embeds to allow fullscreen ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/25058))
+- Change AccessTokensVacuum to also delete expired tokens ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/24868))
+- Change profile updates to be sent to recently-mentioned servers ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/24852))
+- Change automatic post deletion thresholds and load detection ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/24614))
+- Change `/api/v1/statuses/:id/history` to always return at least one item ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/25510))
+- Change auto-linking to allow carets in URL query params ([renchap](https://github.com/mastodon/mastodon/pull/25216))
+
+### Removed
+
+- Remove invalid `X-Frame-Options: ALLOWALL` ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/25070))
+
+### Fixed
+
+- Fix wrong view being displayed when a webhook fails validation ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/25464))
+- Fix soft-deleted post cleanup scheduler overwhelming the streaming server ([ThisIsMissEm](https://github.com/mastodon/mastodon/pull/25519))
+- Fix incorrect pagination headers in `/api/v2/admin/accounts` ([danielmbrasil](https://github.com/mastodon/mastodon/pull/25477))
+- Fix multiple inefficiencies in automatic post cleanup worker ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/24607), [ClearlyClaire](https://github.com/mastodon/mastodon/pull/24785), [ClearlyClaire](https://github.com/mastodon/mastodon/pull/24840))
+- Fix performance of streaming by parsing message JSON once ([ThisIsMissEm](https://github.com/mastodon/mastodon/pull/25278), [ThisIsMissEm](https://github.com/mastodon/mastodon/pull/25361))
+- Fix CSP headers when `S3_ALIAS_HOST` includes a path component ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/25273))
+- Fix `tootctl accounts approve --number N` not aproving N earliest registrations ([danielmbrasil](https://github.com/mastodon/mastodon/pull/24605))
+- Fix reports not being closed when performing batch suspensions ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/24988))
+- Fix being able to vote on your own polls ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/25015))
+- Fix race condition when reblogging a status ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/25016))
+- Fix “Authorized applications” inefficiently and incorrectly getting last use date ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/25060))
+- Fix “Authorized applications” crashing when listing apps with certain admin API scopes ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/25713))
+- Fix multiple N+1s in ConversationsController ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/25134), [ClearlyClaire](https://github.com/mastodon/mastodon/pull/25399), [ClearlyClaire](https://github.com/mastodon/mastodon/pull/25499))
+- Fix user archive takeouts when using OpenStack Swift ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/24431))
+- Fix searching for remote content by URL not working under certain conditions ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/25637))
+- Fix inefficiencies in indexing content for search ([VyrCossont](https://github.com/mastodon/mastodon/pull/24285), [VyrCossont](https://github.com/mastodon/mastodon/pull/24342))
+
+### Security
+
+- Add finer permission requirements for managing webhooks ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/25463))
+- Update dependencies
+- Add hardening headers for user-uploaded files ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/25756))
+- Fix verified links possibly hiding important parts of the URL (CVE-2023-36462)
+- Fix timeout handling of outbound HTTP requests (CVE-2023-36461)
+- Fix arbitrary file creation through media processing (CVE-2023-36460)
+- Fix possible XSS in preview cards (CVE-2023-36459)
+
 ## [4.1.2] - 2023-04-04

 ### Fixed
--- a/10
+++ b/10
@ -41,6 +41,10 @@ RUN apt-get update && \

 FROM node:${NODE_VERSION}

+# Use those args to specify your own version flags & suffixes
+ARG MASTODON_VERSION_FLAGS=""
+ARG MASTODON_VERSION_SUFFIX=""
+
 ARG UID="991"
 ARG GID="991"

@ -51,7 +55,7 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 ENV DEBIAN_FRONTEND="noninteractive" \
    PATH="${PATH}:/opt/ruby/bin:/opt/mastodon/bin"

-# Ignoreing these here since we don't want to pin any versions and the Debian image removes apt-get content after use
+# Ignoring these here since we don't want to pin any versions and the Debian image removes apt-get content after use
 # hadolint ignore=DL3008,DL3009
 RUN apt-get update && \
    echo "Etc/UTC" > /etc/localtime && \
@ -84,7 +88,9 @@ COPY --chown=mastodon:mastodon --from=build /opt/mastodon /opt/mastodon
 ENV RAILS_ENV="production" \
    NODE_ENV="production" \
    RAILS_SERVE_STATIC_FILES="true" \
-    BIND="0.0.0.0"
+    BIND="0.0.0.0" \
+    MASTODON_VERSION_FLAGS="${MASTODON_VERSION_FLAGS}" \
+    MASTODON_VERSION_SUFFIX="${MASTODON_VERSION_SUFFIX}"

 # Set the run user
 USER mastodon
--- a/108
+++ b/108
@ -1,26 +1,24 @@
 # frozen_string_literal: true

 source 'https://rubygems.org'
-ruby '>= 2.7.0', '< 3.3.0'
+ruby '>= 3.0.0'

-gem 'pkg-config', '~> 1.5'
-
-gem 'puma', '~> 6.2'
+gem 'puma', '~> 6.3'
 gem 'rails', '~> 6.1.7'
 gem 'sprockets', '~> 3.7.2'
 gem 'thor', '~> 1.2'
-gem 'rack', '~> 2.2.6'
+gem 'rack', '~> 2.2.7'

 gem 'haml-rails', '~>2.0'
-gem 'pg', '~> 1.4'
+gem 'pg', '~> 1.5'
 gem 'makara', '~> 0.5'
 gem 'pghero'
 gem 'dotenv-rails', '~> 2.8'

-gem 'aws-sdk-s3', '~> 1.120', require: false
+gem 'aws-sdk-s3', '~> 1.123', require: false
 gem 'fog-core', '<= 2.4.0'
 gem 'fog-openstack', '~> 0.3', require: false
-gem 'kt-paperclip', '~> 7.1', github: 'kreeti/kt-paperclip', ref: '11abf222dc31bff71160a1d138b445214f434b2b'
+gem 'kt-paperclip', '~> 7.2'
 gem 'blurhash', '~> 0.1'

 gem 'active_model_serializers', '~> 0.10'
@ -28,15 +26,15 @@ gem 'addressable', '~> 2.8'
 gem 'bootsnap', '~> 1.16.0', require: false
 gem 'browser'
 gem 'charlock_holmes', '~> 0.7.7'
-gem 'chewy', '~> 7.2'
+gem 'chewy', '~> 7.3'
 gem 'devise', '~> 4.9'
-gem 'devise-two-factor', '~> 4.0'
+gem 'devise-two-factor', '~> 4.1'

 group :pam_authentication, optional: true do
  gem 'devise_pam_authenticatable2', '~> 9.2'
 end

-gem 'net-ldap', '~> 0.17'
+gem 'net-ldap', '~> 0.18'
 gem 'omniauth-cas', '~> 2.0'
 gem 'omniauth-saml', '~> 1.10'
 gem 'omniauth_openid_connect', '~> 0.6.1'
@ -59,8 +57,7 @@ gem 'idn-ruby', require: 'idn'
 gem 'kaminari', '~> 1.2'
 gem 'link_header', '~> 0.0'
 gem 'mime-types', '~> 3.4.1', require: 'mime/types/columnar'
-gem 'nokogiri', '~> 1.14'
-gem 'nsa', '~> 0.2'
+gem 'nokogiri', '~> 1.15'
 gem 'oj', '~> 3.14'
 gem 'ox', '~> 2.14'
 gem 'parslet'
@ -75,8 +72,8 @@ gem 'rails-settings-cached', '~> 0.6', git: 'https://github.com/mastodon/rails-s
 gem 'redcarpet', '~> 3.6'
 gem 'redis', '~> 4.5', require: ['redis', 'redis/connection/hiredis']
 gem 'mario-redis-lock', '~> 1.2', require: 'redis_lock'
-gem 'rqrcode', '~> 2.1'
-gem 'ruby-progressbar', '~> 1.11'
+gem 'rqrcode', '~> 2.2'
+gem 'ruby-progressbar', '~> 1.13'
 gem 'sanitize', '~> 6.0'
 gem 'scenic', '~> 1.7'
 gem 'sidekiq', '~> 6.5'
@ -99,54 +96,87 @@ gem 'json-ld'
 gem 'json-ld-preloaded', '~> 3.2'
 gem 'rdf-normalize', '~> 0.5'

-group :development, :test do
-  gem 'fabrication', '~> 2.30'
-  gem 'fuubar', '~> 2.5'
-  gem 'i18n-tasks', '~> 1.0', require: false
+gem 'private_address_check', '~> 0.5'
+
+group :test do
+  # RSpec runner for rails
  gem 'rspec-rails', '~> 6.0'
+
+  # Used to split testing into chunks in CI
  gem 'rspec_chunked', '~> 0.6'

-  gem 'rubocop-capybara', require: false
-  gem 'rubocop-performance', require: false
-  gem 'rubocop-rails', require: false
-  gem 'rubocop-rspec', require: false
-  gem 'rubocop', require: false
-end
+  # RSpec progress bar formatter
+  gem 'fuubar', '~> 2.5'

-group :production, :test do
-  gem 'private_address_check', '~> 0.5'
-end
+  # Extra RSpec extenion methods and helpers for sidekiq
+  gem 'rspec-sidekiq', '~> 3.1'

-group :test do
+  # Browser integration testing
  gem 'capybara', '~> 3.39'
-  gem 'climate_control'
-  gem 'faker', '~> 3.1'
-  gem 'json-schema', '~> 3.0'
-  gem 'rack-test', '~> 2.1'
+
+  # Used to mock environment variables
+  gem 'climate_control', '~> 0.2'
+
+  # Generating fake data for specs
+  gem 'faker', '~> 3.2'
+
+  # Generate test objects for specs
+  gem 'fabrication', '~> 2.30'
+
+  # Add back helpers functions removed in Rails 5.1
  gem 'rails-controller-testing', '~> 1.0'
-  gem 'rspec_junit_formatter', '~> 0.6'
-  gem 'rspec-sidekiq', '~> 3.1'
+
+  # Validate schemas in specs
+  gem 'json-schema', '~> 4.0'
+
+  # Test harness fo rack components
+  gem 'rack-test', '~> 2.1'
+
+  # Coverage formatter for RSpec test if DISABLE_SIMPLECOV is false
  gem 'simplecov', '~> 0.22', require: false
+
+  # Stub web requests for specs
  gem 'webmock', '~> 3.18'
 end

 group :development do
+  # Code linting CLI and plugins
+  gem 'rubocop', require: false
+  gem 'rubocop-capybara', require: false
+  gem 'rubocop-performance', require: false
+  gem 'rubocop-rails', require: false
+  gem 'rubocop-rspec', require: false
+
+  # Annotates modules with schema
  gem 'annotate', '~> 3.2'
+
+  # Enhanced error message pages for development
  gem 'better_errors', '~> 2.9'
  gem 'binding_of_caller', '~> 1.0'
+
+  # Preview mail in the browser
  gem 'letter_opener', '~> 1.8'
  gem 'letter_opener_web', '~> 2.0'
-  gem 'memory_profiler'
+
+  # Security analysis CLI tools
  gem 'brakeman', '~> 5.4', require: false
  gem 'bundler-audit', '~> 0.9', require: false
+
+  # Linter CLI for HAML files
  gem 'haml_lint', require: false

+  # Deployment automation
  gem 'capistrano', '~> 3.17'
  gem 'capistrano-rails', '~> 1.6'
  gem 'capistrano-rbenv', '~> 2.2'
  gem 'capistrano-yarn', '~> 2.0'

-  gem 'stackprof'
+  # Validate missing i18n keys
+  gem 'i18n-tasks', '~> 1.0', require: false
+
+  # Profiling tools
+  gem 'memory_profiler', require: false
+  gem 'stackprof', require: false
 end

 group :production do
@ -157,7 +187,9 @@ gem 'concurrent-ruby', require: false
 gem 'connection_pool', require: false
 gem 'xorcist', '~> 1.1'

-gem 'hcaptcha', '~> 7.1'
 gem 'cocoon', '~> 1.2'

 gem 'net-http', '~> 0.3.2'
+gem 'rubyzip', '~> 2.3'
+
+gem 'hcaptcha', '~> 7.1'
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -7,18 +7,6 @@ GIT
      hkdf (~> 0.2)
      jwt (~> 2.0)

-GIT
-  remote: https://github.com/kreeti/kt-paperclip.git
-  revision: 11abf222dc31bff71160a1d138b445214f434b2b
-  ref: 11abf222dc31bff71160a1d138b445214f434b2b
-  specs:
-    kt-paperclip (7.1.1)
-      activemodel (>= 4.2.0)
-      activesupport (>= 4.2.0)
-      marcel (~> 1.0.1)
-      mime-types
-      terrapin (~> 0.6.0)
-
 GIT
  remote: https://github.com/mastodon/rails-settings-cached.git
  revision: 86328ef0bd04ce21cc0504ff5e334591e8c2ccab
@ -30,40 +18,40 @@ GIT
 GEM
  remote: https://rubygems.org/
  specs:
-    actioncable (6.1.7.3)
-      actionpack (= 6.1.7.3)
-      activesupport (= 6.1.7.3)
+    actioncable (6.1.7.4)
+      actionpack (= 6.1.7.4)
+      activesupport (= 6.1.7.4)
      nio4r (~> 2.0)
      websocket-driver (>= 0.6.1)
-    actionmailbox (6.1.7.3)
-      actionpack (= 6.1.7.3)
-      activejob (= 6.1.7.3)
-      activerecord (= 6.1.7.3)
-      activestorage (= 6.1.7.3)
-      activesupport (= 6.1.7.3)
+    actionmailbox (6.1.7.4)
+      actionpack (= 6.1.7.4)
+      activejob (= 6.1.7.4)
+      activerecord (= 6.1.7.4)
+      activestorage (= 6.1.7.4)
+      activesupport (= 6.1.7.4)
      mail (>= 2.7.1)
-    actionmailer (6.1.7.3)
-      actionpack (= 6.1.7.3)
-      actionview (= 6.1.7.3)
-      activejob (= 6.1.7.3)
-      activesupport (= 6.1.7.3)
+    actionmailer (6.1.7.4)
+      actionpack (= 6.1.7.4)
+      actionview (= 6.1.7.4)
+      activejob (= 6.1.7.4)
+      activesupport (= 6.1.7.4)
      mail (~> 2.5, >= 2.5.4)
      rails-dom-testing (~> 2.0)
-    actionpack (6.1.7.3)
-      actionview (= 6.1.7.3)
-      activesupport (= 6.1.7.3)
+    actionpack (6.1.7.4)
+      actionview (= 6.1.7.4)
+      activesupport (= 6.1.7.4)
      rack (~> 2.0, >= 2.0.9)
      rack-test (>= 0.6.3)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actiontext (6.1.7.3)
-      actionpack (= 6.1.7.3)
-      activerecord (= 6.1.7.3)
-      activestorage (= 6.1.7.3)
-      activesupport (= 6.1.7.3)
+    actiontext (6.1.7.4)
+      actionpack (= 6.1.7.4)
+      activerecord (= 6.1.7.4)
+      activestorage (= 6.1.7.4)
+      activesupport (= 6.1.7.4)
      nokogiri (>= 1.8.5)
-    actionview (6.1.7.3)
-      activesupport (= 6.1.7.3)
+    actionview (6.1.7.4)
+      activesupport (= 6.1.7.4)
      builder (~> 3.1)
      erubi (~> 1.4)
      rails-dom-testing (~> 2.0)
@ -73,28 +61,28 @@ GEM
      activemodel (>= 4.1, < 7.1)
      case_transform (>= 0.2)
      jsonapi-renderer (>= 0.1.1.beta1, < 0.3)
-    activejob (6.1.7.3)
-      activesupport (= 6.1.7.3)
+    activejob (6.1.7.4)
+      activesupport (= 6.1.7.4)
      globalid (>= 0.3.6)
-    activemodel (6.1.7.3)
-      activesupport (= 6.1.7.3)
-    activerecord (6.1.7.3)
-      activemodel (= 6.1.7.3)
-      activesupport (= 6.1.7.3)
-    activestorage (6.1.7.3)
-      actionpack (= 6.1.7.3)
-      activejob (= 6.1.7.3)
-      activerecord (= 6.1.7.3)
-      activesupport (= 6.1.7.3)
+    activemodel (6.1.7.4)
+      activesupport (= 6.1.7.4)
+    activerecord (6.1.7.4)
+      activemodel (= 6.1.7.4)
+      activesupport (= 6.1.7.4)
+    activestorage (6.1.7.4)
+      actionpack (= 6.1.7.4)
+      activejob (= 6.1.7.4)
+      activerecord (= 6.1.7.4)
+      activesupport (= 6.1.7.4)
      marcel (~> 1.0)
      mini_mime (>= 1.1.0)
-    activesupport (6.1.7.3)
+    activesupport (6.1.7.4)
      concurrent-ruby (~> 1.0, >= 1.0.2)
      i18n (>= 1.6, < 2)
      minitest (>= 5.1)
      tzinfo (~> 2.0)
      zeitwerk (~> 2.3)
-    addressable (2.8.2)
+    addressable (2.8.4)
      public_suffix (>= 2.0.2, < 6.0)
    aes_key_wrap (1.1.0)
    airbrussh (1.4.1)
@ -104,31 +92,31 @@ GEM
      activerecord (>= 3.2, < 8.0)
      rake (>= 10.4, < 14.0)
    ast (2.4.2)
-    attr_encrypted (3.1.0)
+    attr_encrypted (4.0.0)
      encryptor (~> 3.0.0)
    attr_required (1.0.1)
    awrence (1.2.1)
    aws-eventstream (1.2.0)
-    aws-partitions (1.739.0)
-    aws-sdk-core (3.171.0)
+    aws-partitions (1.780.0)
+    aws-sdk-core (3.175.0)
      aws-eventstream (~> 1, >= 1.0.2)
      aws-partitions (~> 1, >= 1.651.0)
      aws-sigv4 (~> 1.5)
      jmespath (~> 1, >= 1.6.1)
-    aws-sdk-kms (1.63.0)
-      aws-sdk-core (~> 3, >= 3.165.0)
+    aws-sdk-kms (1.67.0)
+      aws-sdk-core (~> 3, >= 3.174.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.120.0)
-      aws-sdk-core (~> 3, >= 3.165.0)
+    aws-sdk-s3 (1.126.0)
+      aws-sdk-core (~> 3, >= 3.174.0)
      aws-sdk-kms (~> 1)
      aws-sigv4 (~> 1.4)
    aws-sigv4 (1.5.2)
      aws-eventstream (~> 1, >= 1.0.2)
    bcrypt (3.1.18)
-    better_errors (2.9.1)
-      coderay (>= 1.0.0)
+    better_errors (2.10.1)
      erubi (>= 1.0.0)
      rack (>= 0.9.0)
+      rouge (>= 1.0.0)
    better_html (2.0.1)
      actionview (>= 6.0)
      activesupport (>= 6.0)
@ -142,7 +130,7 @@ GEM
    blurhash (0.1.7)
    bootsnap (1.16.0)
      msgpack (~> 1.2)
-    brakeman (5.4.0)
+    brakeman (5.4.1)
    browser (5.3.1)
    brpoplpush-redis_script (0.1.3)
      concurrent-ruby (~> 1.0, >= 1.0.5)
@ -151,12 +139,12 @@ GEM
    bundler-audit (0.9.1)
      bundler (>= 1.2.0, < 3)
      thor (~> 1.0)
-    capistrano (3.17.2)
+    capistrano (3.17.3)
      airbrussh (>= 1.0.0)
      i18n
      rake (>= 10.0.0)
      sshkit (>= 1.9.0)
-    capistrano-bundler (2.0.1)
+    capistrano-bundler (2.1.0)
      capistrano (~> 3.1)
    capistrano-rails (1.6.2)
      capistrano (~> 3.1)
@ -166,7 +154,7 @@ GEM
      sshkit (~> 1.3)
    capistrano-yarn (2.0.2)
      capistrano (~> 3.0)
-    capybara (3.39.0)
+    capybara (3.39.2)
      addressable
      matrix
      mini_mime (>= 0.1.3)
@ -179,36 +167,35 @@ GEM
      activesupport
    cbor (0.5.9.6)
    charlock_holmes (0.7.7)
-    chewy (7.2.7)
+    chewy (7.3.2)
      activesupport (>= 5.2)
      elasticsearch (>= 7.12.0, < 7.14.0)
      elasticsearch-dsl
    chunky_png (1.4.0)
    climate_control (0.2.0)
    cocoon (1.2.15)
-    coderay (1.1.3)
    color_diff (0.1)
    concurrent-ruby (1.2.2)
-    connection_pool (2.3.0)
+    connection_pool (2.4.1)
    cose (1.3.0)
      cbor (~> 0.5.9)
      openssl-signature_algorithm (~> 1.0)
    crack (0.4.5)
      rexml
    crass (1.0.6)
-    css_parser (1.12.0)
+    css_parser (1.14.0)
      addressable
    date (3.3.3)
-    debug_inspector (1.0.0)
+    debug_inspector (1.1.0)
    devise (4.9.2)
      bcrypt (~> 3.0)
      orm_adapter (~> 0.1)
      railties (>= 4.1.0)
      responders
      warden (~> 1.2.3)
-    devise-two-factor (4.0.2)
+    devise-two-factor (4.1.0)
      activesupport (< 7.1)
-      attr_encrypted (>= 1.3, < 4, != 2)
+      attr_encrypted (>= 1.3, < 5, != 2)
      devise (~> 4.0)
      railties (< 7.1)
      rotp (~> 6.0)
@ -241,9 +228,9 @@ GEM
    erubi (1.12.0)
    et-orbi (1.2.7)
      tzinfo
-    excon (0.95.0)
+    excon (0.100.0)
    fabrication (2.30.0)
-    faker (3.1.1)
+    faker (3.2.0)
      i18n (>= 1.8.11, < 2)
    faraday (1.10.3)
      faraday-em_http (~> 1.0)
@ -269,7 +256,7 @@ GEM
    faraday-rack (1.0.0)
    faraday-retry (1.0.3)
    fast_blank (1.0.1)
-    fastimage (2.2.6)
+    fastimage (2.2.7)
    ffi (1.15.5)
    ffi-compiler (1.0.1)
      ffi (>= 1.0.0)
@ -314,7 +301,7 @@ GEM
    hashie (5.0.0)
    hcaptcha (7.1.0)
      json
-    highline (2.0.3)
+    highline (2.1.0)
    hiredis (0.6.3)
    hkdf (0.3.0)
    htmlentities (4.3.4)
@ -331,7 +318,7 @@ GEM
    httplog (1.6.2)
      rack (>= 2.0)
      rainbow (>= 2.0.0)
-    i18n (1.12.0)
+    i18n (1.14.1)
      concurrent-ruby (~> 1.0)
    i18n-tasks (1.0.12)
      activesupport (>= 4.0.2)
@ -348,26 +335,26 @@ GEM
    ipaddress (0.8.3)
    jmespath (1.6.2)
    json (2.6.3)
-    json-canonicalization (0.3.0)
+    json-canonicalization (0.3.2)
    json-jwt (1.15.3)
      activesupport (>= 4.2)
      aes_key_wrap
      bindata
      httpclient
-    json-ld (3.2.3)
+    json-ld (3.2.5)
      htmlentities (~> 4.3)
-      json-canonicalization (~> 0.3)
+      json-canonicalization (~> 0.3, >= 0.3.2)
      link_header (~> 0.0, >= 0.0.8)
      multi_json (~> 1.15)
-      rack (~> 2.2)
-      rdf (~> 3.2, >= 3.2.9)
+      rack (>= 2.2, < 4)
+      rdf (~> 3.2, >= 3.2.10)
    json-ld-preloaded (3.2.2)
      json-ld (~> 3.2)
      rdf (~> 3.2)
-    json-schema (3.0.0)
+    json-schema (4.0.0)
      addressable (>= 2.8)
    jsonapi-renderer (0.2.2)
-    jwt (2.7.0)
+    jwt (2.7.1)
    kaminari (1.2.2)
      activesupport (>= 4.1.0)
      kaminari-actionview (= 1.2.2)
@ -380,8 +367,14 @@ GEM
      activerecord
      kaminari-core (= 1.2.2)
    kaminari-core (1.2.2)
-    launchy (2.5.0)
-      addressable (~> 2.7)
+    kt-paperclip (7.2.0)
+      activemodel (>= 4.2.0)
+      activesupport (>= 4.2.0)
+      marcel (~> 1.0.1)
+      mime-types
+      terrapin (~> 0.6.0)
+    launchy (2.5.2)
+      addressable (~> 2.8)
    letter_opener (1.8.1)
      launchy (>= 2.2, < 3)
    letter_opener_web (2.0.0)
@ -398,9 +391,9 @@ GEM
      activesupport (>= 4)
      railties (>= 4)
      request_store (~> 1.0)
-    loofah (2.20.0)
+    loofah (2.21.3)
      crass (~> 1.0.2)
-      nokogiri (>= 1.5.9)
+      nokogiri (>= 1.12.0)
    mail (2.8.1)
      mini_mime (>= 0.1.1)
      net-imap
@ -416,19 +409,19 @@ GEM
    method_source (1.0.0)
    mime-types (3.4.1)
      mime-types-data (~> 3.2015)
-    mime-types-data (3.2022.0105)
+    mime-types-data (3.2023.0218.1)
    mini_mime (1.1.2)
-    mini_portile2 (2.8.1)
-    minitest (5.18.0)
-    msgpack (1.6.0)
+    mini_portile2 (2.8.2)
+    minitest (5.18.1)
+    msgpack (1.7.1)
    multi_json (1.15.0)
    multipart-post (2.3.0)
    net-http (0.3.2)
      uri
-    net-imap (0.3.4)
+    net-imap (0.3.6)
      date
      net-protocol
-    net-ldap (0.17.1)
+    net-ldap (0.18.0)
    net-pop (0.1.2)
      net-protocol
    net-protocol (0.2.1)
@ -437,17 +430,12 @@ GEM
      net-ssh (>= 2.6.5, < 8.0.0)
    net-smtp (0.3.3)
      net-protocol
-    net-ssh (7.0.1)
+    net-ssh (7.1.0)
    nio4r (2.5.9)
-    nokogiri (1.14.2)
-      mini_portile2 (~> 2.8.0)
+    nokogiri (1.15.2)
+      mini_portile2 (~> 2.8.2)
      racc (~> 1.4)
-    nsa (0.2.8)
-      activesupport (>= 4.2, < 7)
-      concurrent-ruby (~> 1.0, >= 1.0.2)
-      sidekiq (>= 3.5)
-      statsd-ruby (~> 1.4, >= 1.4.0)
-    oj (3.14.2)
+    oj (3.15.0)
    omniauth (1.9.2)
      hashie (>= 3.4.6)
      rack (>= 1.6.2, < 3)
@ -479,19 +467,19 @@ GEM
    openssl-signature_algorithm (1.3.0)
      openssl (> 2.0)
    orm_adapter (0.5.0)
-    ox (2.14.14)
-    parallel (1.22.1)
-    parser (3.2.2.0)
+    ox (2.14.16)
+    parallel (1.23.0)
+    parser (3.2.2.3)
      ast (~> 2.4.1)
+      racc
    parslet (2.0.0)
    pastel (0.8.0)
      tty-color (~> 0.5)
-    pg (1.4.6)
-    pghero (3.3.1)
+    pg (1.5.3)
+    pghero (3.3.3)
      activerecord (>= 6)
-    pkg-config (1.5.1)
    posix-spawn (0.3.15)
-    premailer (1.18.0)
+    premailer (1.21.0)
      addressable
      css_parser (>= 1.12.0)
      htmlentities (>= 4.0.0)
@ -501,13 +489,13 @@ GEM
      premailer (~> 1.7, >= 1.7.9)
    private_address_check (0.5.0)
    public_suffix (5.0.1)
-    puma (6.2.1)
+    puma (6.3.0)
      nio4r (~> 2.0)
    pundit (2.3.0)
      activesupport (>= 3.0.0)
    raabro (1.4.0)
-    racc (1.6.2)
-    rack (2.2.6.4)
+    racc (1.7.1)
+    rack (2.2.7)
    rack-attack (6.6.1)
      rack (>= 1.0, < 3)
    rack-cors (2.0.1)
@ -522,20 +510,20 @@ GEM
      rack
    rack-test (2.1.0)
      rack (>= 1.3)
-    rails (6.1.7.3)
-      actioncable (= 6.1.7.3)
-      actionmailbox (= 6.1.7.3)
-      actionmailer (= 6.1.7.3)
-      actionpack (= 6.1.7.3)
-      actiontext (= 6.1.7.3)
-      actionview (= 6.1.7.3)
-      activejob (= 6.1.7.3)
-      activemodel (= 6.1.7.3)
-      activerecord (= 6.1.7.3)
-      activestorage (= 6.1.7.3)
-      activesupport (= 6.1.7.3)
+    rails (6.1.7.4)
+      actioncable (= 6.1.7.4)
+      actionmailbox (= 6.1.7.4)
+      actionmailer (= 6.1.7.4)
+      actionpack (= 6.1.7.4)
+      actiontext (= 6.1.7.4)
+      actionview (= 6.1.7.4)
+      activejob (= 6.1.7.4)
+      activemodel (= 6.1.7.4)
+      activerecord (= 6.1.7.4)
+      activestorage (= 6.1.7.4)
+      activesupport (= 6.1.7.4)
      bundler (>= 1.15.0)
-      railties (= 6.1.7.3)
+      railties (= 6.1.7.4)
      sprockets-rails (>= 2.0.0)
    rails-controller-testing (1.0.5)
      actionpack (>= 5.0.1.rc1)
@ -544,95 +532,99 @@ GEM
    rails-dom-testing (2.0.3)
      activesupport (>= 4.2.0)
      nokogiri (>= 1.6)
-    rails-html-sanitizer (1.5.0)
-      loofah (~> 2.19, >= 2.19.1)
+    rails-html-sanitizer (1.6.0)
+      loofah (~> 2.21)
+      nokogiri (~> 1.14)
    rails-i18n (6.0.0)
      i18n (>= 0.7, < 2)
      railties (>= 6.0.0, < 7)
-    railties (6.1.7.3)
-      actionpack (= 6.1.7.3)
-      activesupport (= 6.1.7.3)
+    railties (6.1.7.4)
+      actionpack (= 6.1.7.4)
+      activesupport (= 6.1.7.4)
      method_source
      rake (>= 12.2)
      thor (~> 1.0)
    rainbow (3.1.1)
    rake (13.0.6)
-    rdf (3.2.9)
+    rdf (3.2.11)
      link_header (~> 0.0, >= 0.0.8)
-    rdf-normalize (0.5.1)
+    rdf-normalize (0.6.0)
      rdf (~> 3.2)
    redcarpet (3.6.0)
    redis (4.8.1)
-    redis-namespace (1.10.0)
+    redis-namespace (1.11.0)
      redis (>= 4)
    redlock (1.3.2)
      redis (>= 3.0.0, < 6.0)
-    regexp_parser (2.7.0)
+    regexp_parser (2.8.1)
    request_store (1.5.1)
      rack (>= 1.4)
    responders (3.1.0)
      actionpack (>= 5.2)
      railties (>= 5.2)
    rexml (3.2.5)
-    rotp (6.2.0)
+    rotp (6.2.2)
+    rouge (4.1.2)
    rpam2 (4.0.2)
-    rqrcode (2.1.2)
+    rqrcode (2.2.0)
      chunky_png (~> 1.0)
      rqrcode_core (~> 1.0)
    rqrcode_core (1.2.0)
-    rspec-core (3.12.1)
+    rspec-core (3.12.2)
      rspec-support (~> 3.12.0)
-    rspec-expectations (3.12.2)
+    rspec-expectations (3.12.3)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.12.0)
-    rspec-mocks (3.12.3)
+    rspec-mocks (3.12.5)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.12.0)
-    rspec-rails (6.0.1)
+    rspec-rails (6.0.3)
      actionpack (>= 6.1)
      activesupport (>= 6.1)
      railties (>= 6.1)
-      rspec-core (~> 3.11)
-      rspec-expectations (~> 3.11)
-      rspec-mocks (~> 3.11)
-      rspec-support (~> 3.11)
+      rspec-core (~> 3.12)
+      rspec-expectations (~> 3.12)
+      rspec-mocks (~> 3.12)
+      rspec-support (~> 3.12)
    rspec-sidekiq (3.1.0)
      rspec-core (~> 3.0, >= 3.0.0)
      sidekiq (>= 2.4.0)
    rspec-support (3.12.0)
    rspec_chunked (0.6)
-    rspec_junit_formatter (0.6.0)
-      rspec-core (>= 2, < 4, != 2.12.0)
-    rubocop (1.49.0)
+    rubocop (1.52.1)
      json (~> 2.3)
      parallel (~> 1.10)
-      parser (>= 3.2.0.0)
+      parser (>= 3.2.2.3)
      rainbow (>= 2.2.2, < 4.0)
      regexp_parser (>= 1.8, < 3.0)
      rexml (>= 3.2.5, < 4.0)
      rubocop-ast (>= 1.28.0, < 2.0)
      ruby-progressbar (~> 1.7)
      unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.28.0)
+    rubocop-ast (1.29.0)
      parser (>= 3.2.1.0)
-    rubocop-capybara (2.17.1)
+    rubocop-capybara (2.18.0)
      rubocop (~> 1.41)
-    rubocop-performance (1.16.0)
+    rubocop-factory_bot (2.23.1)
+      rubocop (~> 1.33)
+    rubocop-performance (1.18.0)
      rubocop (>= 1.7.0, < 2.0)
      rubocop-ast (>= 0.4.0)
-    rubocop-rails (2.18.0)
+    rubocop-rails (2.19.1)
      activesupport (>= 4.2.0)
      rack (>= 1.1)
      rubocop (>= 1.33.0, < 2.0)
-    rubocop-rspec (2.19.0)
+    rubocop-rspec (2.22.0)
      rubocop (~> 1.33)
      rubocop-capybara (~> 2.17)
+      rubocop-factory_bot (~> 2.22)
    ruby-progressbar (1.13.0)
-    ruby-saml (1.13.0)
-      nokogiri (>= 1.10.5)
+    ruby-saml (1.15.0)
+      nokogiri (>= 1.13.10)
      rexml
    ruby2_keywords (0.0.5)
-    rufus-scheduler (3.8.2)
+    rubyzip (2.3.2)
+    rufus-scheduler (3.9.1)
      fugit (~> 1.1, >= 1.1.6)
    safety_net_attestation (0.4.0)
      jwt (~> 2.0)
@ -643,13 +635,13 @@ GEM
      activerecord (>= 4.0.0)
      railties (>= 4.0.0)
    semantic_range (3.0.0)
-    sidekiq (6.5.8)
+    sidekiq (6.5.9)
      connection_pool (>= 2.2.5, < 3)
      rack (~> 2.0)
      redis (>= 4.5.0, < 5)
    sidekiq-bulk (0.2.0)
      sidekiq
-    sidekiq-scheduler (5.0.2)
+    sidekiq-scheduler (5.0.3)
      rufus-scheduler (~> 3.2)
      sidekiq (>= 6, < 8)
      tilt (>= 1.4.0)
@ -681,8 +673,7 @@ GEM
    sshkit (1.21.4)
      net-scp (>= 1.1.2)
      net-ssh (>= 2.8.0)
-    stackprof (0.2.24)
-    statsd-ruby (1.5.0)
+    stackprof (0.2.25)
    stoplight (3.0.1)
      redlock (~> 1.0)
    strong_migrations (0.8.0)
@ -692,13 +683,13 @@ GEM
      attr_required (>= 0.0.5)
      httpclient (>= 2.4)
    sysexits (1.2.0)
-    temple (0.10.0)
+    temple (0.10.2)
    terminal-table (3.0.2)
      unicode-display_width (>= 1.1.1, < 3)
    terrapin (0.6.0)
      climate_control (>= 0.0.3, < 1.0)
-    thor (1.2.1)
-    tilt (2.1.0)
+    thor (1.2.2)
+    tilt (2.2.0)
    timeout (0.3.2)
    tpm-key_attestation (0.12.0)
      bindata (~> 2.4)
@ -725,7 +716,7 @@ GEM
      unf_ext
    unf_ext (0.0.8.2)
    unicode-display_width (2.4.2)
-    uri (0.12.1)
+    uri (0.12.2)
    validate_email (0.1.6)
      activemodel (>= 3.0)
      mail (>= 2.2.5)
@ -762,7 +753,7 @@ GEM
    xorcist (1.1.3)
    xpath (3.2.0)
      nokogiri (~> 1.8)
-    zeitwerk (2.6.7)
+    zeitwerk (2.6.8)

 PLATFORMS
  ruby
@ -771,7 +762,7 @@ DEPENDENCIES
  active_model_serializers (~> 0.10)
  addressable (~> 2.8)
  annotate (~> 3.2)
-  aws-sdk-s3 (~> 1.120)
+  aws-sdk-s3 (~> 1.123)
  better_errors (~> 2.9)
  binding_of_caller (~> 1.0)
  blurhash (~> 0.1)
@ -785,21 +776,21 @@ DEPENDENCIES
  capistrano-yarn (~> 2.0)
  capybara (~> 3.39)
  charlock_holmes (~> 0.7.7)
-  chewy (~> 7.2)
-  climate_control
+  chewy (~> 7.3)
+  climate_control (~> 0.2)
  cocoon (~> 1.2)
  color_diff (~> 0.1)
  concurrent-ruby
  connection_pool
  devise (~> 4.9)
-  devise-two-factor (~> 4.0)
+  devise-two-factor (~> 4.1)
  devise_pam_authenticatable2 (~> 9.2)
  discard (~> 1.2)
  doorkeeper (~> 5.6)
  dotenv-rails (~> 2.8)
  ed25519 (~> 1.3)
  fabrication (~> 2.30)
-  faker (~> 3.1)
+  faker (~> 3.2)
  fast_blank (~> 1.0)
  fastimage
  fog-core (<= 2.4.0)
@ -817,9 +808,9 @@ DEPENDENCIES
  idn-ruby
  json-ld
  json-ld-preloaded (~> 3.2)
-  json-schema (~> 3.0)
+  json-schema (~> 4.0)
  kaminari (~> 1.2)
-  kt-paperclip (~> 7.1)!
+  kt-paperclip (~> 7.2)
  letter_opener (~> 1.8)
  letter_opener_web (~> 2.0)
  link_header (~> 0.0)
@ -829,9 +820,8 @@ DEPENDENCIES
  memory_profiler
  mime-types (~> 3.4.1)
  net-http (~> 0.3.2)
-  net-ldap (~> 0.17)
-  nokogiri (~> 1.14)
-  nsa (~> 0.2)
+  net-ldap (~> 0.18)
+  nokogiri (~> 1.15)
  oj (~> 3.14)
  omniauth (~> 1.9)
  omniauth-cas (~> 2.0)
@ -840,16 +830,15 @@ DEPENDENCIES
  omniauth_openid_connect (~> 0.6.1)
  ox (~> 2.14)
  parslet
-  pg (~> 1.4)
+  pg (~> 1.5)
  pghero
-  pkg-config (~> 1.5)
  posix-spawn
  premailer-rails
  private_address_check (~> 0.5)
  public_suffix (~> 5.0)
-  puma (~> 6.2)
+  puma (~> 6.3)
  pundit (~> 2.3)
-  rack (~> 2.2.6)
+  rack (~> 2.2.7)
  rack-attack (~> 6.6)
  rack-cors (~> 2.0)
  rack-test (~> 2.1)
@ -861,17 +850,17 @@ DEPENDENCIES
  redcarpet (~> 3.6)
  redis (~> 4.5)
  redis-namespace (~> 1.10)
-  rqrcode (~> 2.1)
+  rqrcode (~> 2.2)
  rspec-rails (~> 6.0)
  rspec-sidekiq (~> 3.1)
  rspec_chunked (~> 0.6)
-  rspec_junit_formatter (~> 0.6)
  rubocop
  rubocop-capybara
  rubocop-performance
  rubocop-rails
  rubocop-rspec
-  ruby-progressbar (~> 1.11)
+  ruby-progressbar (~> 1.13)
+  rubyzip (~> 2.3)
  sanitize (~> 6.0)
  scenic (~> 1.7)
  sidekiq (~> 6.5)
@ -895,3 +884,9 @@ DEPENDENCIES
  webpacker (~> 5.4)
  webpush!
  xorcist (~> 1.1)
+
+RUBY VERSION
+   ruby 3.2.2p53
+
+BUNDLED WITH
+   2.4.13
--- a/app/chewy/accounts_index.rb
+++ b/app/chewy/accounts_index.rb
@ -2,8 +2,37 @@

 class AccountsIndex < Chewy::Index
  settings index: { refresh_interval: '30s' }, analysis: {
+    filter: {
+      english_stop: {
+        type: 'stop',
+        stopwords: '_english_',
+      },
+
+      english_stemmer: {
+        type: 'stemmer',
+        language: 'english',
+      },
+
+      english_possessive_stemmer: {
+        type: 'stemmer',
+        language: 'possessive_english',
+      },
+    },
+
    analyzer: {
-      content: {
+      natural: {
+        tokenizer: 'uax_url_email',
+        filter: %w(
+          english_possessive_stemmer
+          lowercase
+          asciifolding
+          cjk_width
+          english_stop
+          english_stemmer
+        ),
+      },
+
+      verbatim: {
        tokenizer: 'whitespace',
        filter: %w(lowercase asciifolding cjk_width),
      },
@ -26,18 +55,13 @@ class AccountsIndex < Chewy::Index
  index_scope ::Account.searchable.includes(:account_stat)

  root date_detection: false do
-    field :id, type: 'long'
-
-    field :display_name, type: 'text', analyzer: 'content' do
-      field :edge_ngram, type: 'text', analyzer: 'edge_ngram', search_analyzer: 'content'
-    end
-
-    field :acct, type: 'text', analyzer: 'content', value: ->(account) { [account.username, account.domain].compact.join('@') } do
-      field :edge_ngram, type: 'text', analyzer: 'edge_ngram', search_analyzer: 'content'
-    end
-
-    field :following_count, type: 'long', value: ->(account) { account.following_count }
-    field :followers_count, type: 'long', value: ->(account) { account.followers_count }
-    field :last_status_at, type: 'date', value: ->(account) { account.last_status_at || account.created_at }
+    field(:id, type: 'long')
+    field(:following_count, type: 'long')
+    field(:followers_count, type: 'long')
+    field(:properties, type: 'keyword', value: ->(account) { account.searchable_properties })
+    field(:last_status_at, type: 'date', value: ->(account) { account.last_status_at || account.created_at })
+    field(:display_name, type: 'text', analyzer: 'verbatim') { field :edge_ngram, type: 'text', analyzer: 'edge_ngram', search_analyzer: 'verbatim' }
+    field(:username, type: 'text', analyzer: 'verbatim', value: ->(account) { [account.username, account.domain].compact.join('@') }) { field :edge_ngram, type: 'text', analyzer: 'edge_ngram', search_analyzer: 'verbatim' }
+    field(:text, type: 'text', value: ->(account) { account.searchable_text }) { field :stemmed, type: 'text', analyzer: 'natural' }
  end
 end
--- a/app/controllers/about_controller.rb
+++ b/app/controllers/about_controller.rb
@ -8,7 +8,7 @@ class AboutController < ApplicationController
  before_action :set_instance_presenter

  def show
-    expires_in 0, public: true unless user_signed_in?
+    expires_in(15.seconds, public: true, stale_while_revalidate: 30.seconds, stale_if_error: 1.day) unless user_signed_in?
  end

  private
--- a/app/controllers/accounts_controller.rb
+++ b/app/controllers/accounts_controller.rb
@ -7,8 +7,9 @@ class AccountsController < ApplicationController
  include AccountControllerConcern
  include SignatureAuthentication

+  vary_by -> { public_fetch_mode? ? 'Accept, Accept-Language, Cookie' : 'Accept, Accept-Language, Cookie, Signature' }
+
  before_action :require_account_signature!, if: -> { request.format == :json && authorized_fetch_mode? }
-  before_action :set_cache_headers

  skip_around_action :set_locale, if: -> { [:json, :rss].include?(request.format&.to_sym) }
  skip_before_action :require_functional!, unless: :whitelist_mode?
@ -16,7 +17,7 @@ class AccountsController < ApplicationController
  def show
    respond_to do |format|
      format.html do
-        expires_in 0, public: true unless user_signed_in?
+        expires_in(15.seconds, public: true, stale_while_revalidate: 30.seconds, stale_if_error: 1.hour) unless user_signed_in?

        @rss_url = rss_url
      end
--- a/app/controllers/activitypub/base_controller.rb
+++ b/app/controllers/activitypub/base_controller.rb
@ -7,10 +7,6 @@ class ActivityPub::BaseController < Api::BaseController

  private

-  def set_cache_headers
-    response.headers['Vary'] = 'Signature' if authorized_fetch_mode?
-  end
-
  def skip_temporary_suspension_response?
    false
  end
--- a/app/controllers/activitypub/collections_controller.rb
+++ b/app/controllers/activitypub/collections_controller.rb
@ -4,11 +4,12 @@ class ActivityPub::CollectionsController < ActivityPub::BaseController
  include SignatureVerification
  include AccountOwnedConcern

+  vary_by -> { 'Signature' if authorized_fetch_mode? }
+
  before_action :require_account_signature!, if: :authorized_fetch_mode?
  before_action :set_items
  before_action :set_size
  before_action :set_type
-  before_action :set_cache_headers

  def show
    expires_in 3.minutes, public: public_fetch_mode?
--- a/app/controllers/activitypub/followers_synchronizations_controller.rb
+++ b/app/controllers/activitypub/followers_synchronizations_controller.rb
@ -4,9 +4,10 @@ class ActivityPub::FollowersSynchronizationsController < ActivityPub::BaseContro
  include SignatureVerification
  include AccountOwnedConcern

+  vary_by -> { 'Signature' if authorized_fetch_mode? }
+
  before_action :require_account_signature!
  before_action :set_items
-  before_action :set_cache_headers

  def show
    expires_in 0, public: false
--- a/app/controllers/activitypub/outboxes_controller.rb
+++ b/app/controllers/activitypub/outboxes_controller.rb
@ -6,9 +6,10 @@ class ActivityPub::OutboxesController < ActivityPub::BaseController
  include SignatureVerification
  include AccountOwnedConcern

+  vary_by -> { 'Signature' if authorized_fetch_mode? || page_requested? }
+
  before_action :require_account_signature!, if: :authorized_fetch_mode?
  before_action :set_statuses
-  before_action :set_cache_headers

  def show
    if page_requested?
@ -16,6 +17,7 @@ class ActivityPub::OutboxesController < ActivityPub::BaseController
    else
      expires_in(3.minutes, public: public_fetch_mode?)
    end
+
    render json: outbox_presenter, serializer: ActivityPub::OutboxSerializer, adapter: ActivityPub::Adapter, content_type: 'application/activity+json'
  end

@ -80,8 +82,4 @@ class ActivityPub::OutboxesController < ActivityPub::BaseController
  def set_account
    @account = params[:account_username].present? ? Account.find_local!(username_param) : Account.representative
  end
-
-  def set_cache_headers
-    response.headers['Vary'] = 'Signature' if authorized_fetch_mode? || page_requested?
-  end
 end
--- a/app/controllers/activitypub/replies_controller.rb
+++ b/app/controllers/activitypub/replies_controller.rb
@ -7,9 +7,10 @@ class ActivityPub::RepliesController < ActivityPub::BaseController

  DESCENDANTS_LIMIT = 60

+  vary_by -> { 'Signature' if authorized_fetch_mode? }
+
  before_action :require_account_signature!, if: :authorized_fetch_mode?
  before_action :set_status
-  before_action :set_cache_headers
  before_action :set_replies

  def index
--- a/app/controllers/admin/announcements_controller.rb
+++ b/app/controllers/admin/announcements_controller.rb
@ -14,6 +14,10 @@ class Admin::AnnouncementsController < Admin::BaseController
    @announcement = Announcement.new
  end

+  def edit
+    authorize :announcement, :update?
+  end
+
  def create
    authorize :announcement, :create?

@ -28,10 +32,6 @@ class Admin::AnnouncementsController < Admin::BaseController
    end
  end

-  def edit
-    authorize :announcement, :update?
-  end
-
  def update
    authorize :announcement, :update?

--- a/app/controllers/admin/base_controller.rb
+++ b/app/controllers/admin/base_controller.rb
@ -9,6 +9,8 @@ module Admin

    before_action :set_pack
    before_action :set_body_classes
+    before_action :set_cache_headers
+
    after_action :verify_authorized

    private
@ -21,6 +23,10 @@ module Admin
      use_pack 'admin'
    end

+    def set_cache_headers
+      response.cache_control.replace(private: true, no_store: true)
+    end
+
    def set_user
      @user = Account.find(params[:account_id]).user || raise(ActiveRecord::RecordNotFound)
    end
--- a/app/controllers/admin/dashboard_controller.rb
+++ b/app/controllers/admin/dashboard_controller.rb
@ -14,15 +14,5 @@ module Admin
      @pending_tags_count    = Tag.pending_review.count
      @pending_appeals_count = Appeal.pending.count
    end
-
-    private
-
-    def redis_info
-      @redis_info ||= if redis.is_a?(Redis::Namespace)
-                        redis.redis.info
-                      else
-                        redis.info
-                      end
-    end
  end
 end
--- a/app/controllers/admin/domain_blocks_controller.rb
+++ b/app/controllers/admin/domain_blocks_controller.rb
@ -31,31 +31,41 @@ module Admin
      @domain_block = DomainBlock.new(resource_params)
      existing_domain_block = resource_params[:domain].present? ? DomainBlock.rule_for(resource_params[:domain]) : nil

+      # Disallow accidentally downgrading a domain block
      if existing_domain_block.present? && !@domain_block.stricter_than?(existing_domain_block)
        @domain_block.save
-        flash.now[:alert] = I18n.t('admin.domain_blocks.existing_domain_block_html', name: existing_domain_block.domain, unblock_url: admin_domain_block_path(existing_domain_block)).html_safe # rubocop:disable Rails/OutputSafety
+        flash.now[:alert] = I18n.t('admin.domain_blocks.existing_domain_block_html', name: existing_domain_block.domain, unblock_url: admin_domain_block_path(existing_domain_block)).html_safe
        @domain_block.errors.delete(:domain)
-        render :new
+        return render :new
+      end
+
+      # Allow transparently upgrading a domain block
+      if existing_domain_block.present?
+        @domain_block = existing_domain_block
+        @domain_block.assign_attributes(resource_params)
+      end
+
+      # Require explicit confirmation when suspending
+      return render :confirm_suspension if requires_confirmation?
+
+      if @domain_block.save
+        DomainBlockWorker.perform_async(@domain_block.id)
+        log_action :create, @domain_block
+        redirect_to admin_instances_path(limited: '1'), notice: I18n.t('admin.domain_blocks.created_msg')
      else
-        if existing_domain_block.present?
-          @domain_block = existing_domain_block
-          @domain_block.update(resource_params)
-        end
-
-        if @domain_block.save
-          DomainBlockWorker.perform_async(@domain_block.id)
-          log_action :create, @domain_block
-          redirect_to admin_instances_path(limited: '1'), notice: I18n.t('admin.domain_blocks.created_msg')
-        else
-          render :new
-        end
+        render :new
      end
    end

    def update
      authorize :domain_block, :update?

-      if @domain_block.update(update_params)
+      @domain_block.assign_attributes(update_params)
+
+      # Require explicit confirmation when suspending
+      return render :confirm_suspension if requires_confirmation?
+
+      if @domain_block.save
        DomainBlockWorker.perform_async(@domain_block.id, @domain_block.severity_previously_changed?)
        log_action :update, @domain_block
        redirect_to admin_instances_path(limited: '1'), notice: I18n.t('admin.domain_blocks.created_msg')
@ -92,5 +102,9 @@ module Admin
    def action_from_button
      'save' if params[:save]
    end
+
+    def requires_confirmation?
+      @domain_block.valid? && (@domain_block.new_record? || @domain_block.severity_changed?) && @domain_block.severity.to_s == 'suspend' && !params[:confirm]
+    end
  end
 end
--- a/app/controllers/admin/roles_controller.rb
+++ b/app/controllers/admin/roles_controller.rb
@ -16,6 +16,10 @@ module Admin
      @role = UserRole.new
    end

+    def edit
+      authorize @role, :update?
+    end
+
    def create
      authorize :user_role, :create?

@ -30,10 +34,6 @@ module Admin
      end
    end

-    def edit
-      authorize @role, :update?
-    end
-
    def update
      authorize @role, :update?

--- a/app/controllers/admin/rules_controller.rb
+++ b/app/controllers/admin/rules_controller.rb
@ -11,6 +11,10 @@ module Admin
      @rule  = Rule.new
    end

+    def edit
+      authorize @rule, :update?
+    end
+
    def create
      authorize :rule, :create?

@ -24,10 +28,6 @@ module Admin
      end
    end

-    def edit
-      authorize @rule, :update?
-    end
-
    def update
      authorize @rule, :update?

--- a/app/controllers/admin/warning_presets_controller.rb
+++ b/app/controllers/admin/warning_presets_controller.rb
@ -11,6 +11,10 @@ module Admin
      @warning_preset  = AccountWarningPreset.new
    end

+    def edit
+      authorize @warning_preset, :update?
+    end
+
    def create
      authorize :account_warning_preset, :create?

@ -24,10 +28,6 @@ module Admin
      end
    end

-    def edit
-      authorize @warning_preset, :update?
-    end
-
    def update
      authorize @warning_preset, :update?

--- a/app/controllers/admin/webhooks_controller.rb
+++ b/app/controllers/admin/webhooks_controller.rb
@ -10,16 +10,25 @@ module Admin
      @webhooks = Webhook.page(params[:page])
    end

+    def show
+      authorize @webhook, :show?
+    end
+
    def new
      authorize :webhook, :create?

      @webhook = Webhook.new
    end

+    def edit
+      authorize @webhook, :update?
+    end
+
    def create
      authorize :webhook, :create?

      @webhook = Webhook.new(resource_params)
+      @webhook.current_account = current_account

      if @webhook.save
        redirect_to admin_webhook_path(@webhook)
@ -28,21 +37,15 @@ module Admin
      end
    end

-    def show
-      authorize @webhook, :show?
-    end
-
-    def edit
-      authorize @webhook, :update?
-    end
-
    def update
      authorize @webhook, :update?

+      @webhook.current_account = current_account
+
      if @webhook.update(resource_params)
        redirect_to admin_webhook_path(@webhook)
      else
-        render :show
+        render :edit
      end
    end

@ -71,7 +74,7 @@ module Admin
    end

    def resource_params
-      params.require(:webhook).permit(:url, events: [])
+      params.require(:webhook).permit(:url, :template, events: [])
    end
  end
 end
--- a/app/controllers/api/base_controller.rb
+++ b/app/controllers/api/base_controller.rb
@ -6,13 +6,14 @@ class Api::BaseController < ApplicationController

  include RateLimitHeaders
  include AccessTokenTrackingConcern
+  include ApiCachingConcern

-  skip_before_action :store_current_location
  skip_before_action :require_functional!, unless: :whitelist_mode?

  before_action :require_authenticated_user!, if: :disallow_unauthenticated_api_access?
  before_action :require_not_suspended!
-  before_action :set_cache_headers
+
+  vary_by 'Authorization'

  protect_from_forgery with: :null_session

@ -148,10 +149,6 @@ class Api::BaseController < ApplicationController
    doorkeeper_authorize!(*scopes) if doorkeeper_token
  end

-  def set_cache_headers
-    response.headers['Cache-Control'] = 'private, no-store'
-  end
-
  def disallow_unauthenticated_api_access?
    ENV['DISALLOW_UNAUTHENTICATED_API_ACCESS'] == 'true' || Rails.configuration.x.whitelist_mode
  end
--- a/app/controllers/api/v1/accounts/follower_accounts_controller.rb
+++ b/app/controllers/api/v1/accounts/follower_accounts_controller.rb
@ -6,6 +6,7 @@ class Api::V1::Accounts::FollowerAccountsController < Api::BaseController
  after_action :insert_pagination_headers

  def index
+    cache_if_unauthenticated!
    @accounts = load_accounts
    render json: @accounts, each_serializer: REST::AccountSerializer
  end
--- a/app/controllers/api/v1/accounts/following_accounts_controller.rb
+++ b/app/controllers/api/v1/accounts/following_accounts_controller.rb
@ -6,6 +6,7 @@ class Api::V1::Accounts::FollowingAccountsController < Api::BaseController
  after_action :insert_pagination_headers

  def index
+    cache_if_unauthenticated!
    @accounts = load_accounts
    render json: @accounts, each_serializer: REST::AccountSerializer
  end
--- a/app/controllers/api/v1/accounts/lookup_controller.rb
+++ b/app/controllers/api/v1/accounts/lookup_controller.rb
@ -5,6 +5,7 @@ class Api::V1::Accounts::LookupController < Api::BaseController
  before_action :set_account

  def show
+    cache_if_unauthenticated!
    render json: @account, serializer: REST::AccountSerializer
  end

--- a/app/controllers/api/v1/accounts/statuses_controller.rb
+++ b/app/controllers/api/v1/accounts/statuses_controller.rb
@ -7,6 +7,7 @@ class Api::V1::Accounts::StatusesController < Api::BaseController
  after_action :insert_pagination_headers, unless: -> { truthy_param?(:pinned) }

  def index
+    cache_if_unauthenticated!
    @statuses = load_statuses
    render json: @statuses, each_serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new(@statuses, current_user&.account_id)
  end
--- a/app/controllers/api/v1/accounts_controller.rb
+++ b/app/controllers/api/v1/accounts_controller.rb
@ -18,6 +18,7 @@ class Api::V1::AccountsController < Api::BaseController
  override_rate_limit_headers :follow, family: :follows

  def show
+    cache_if_unauthenticated!
    render json: @account, serializer: REST::AccountSerializer
  end

@ -89,7 +90,7 @@ class Api::V1::AccountsController < Api::BaseController
  end

  def account_params
-    params.permit(:username, :email, :password, :agreement, :locale, :reason)
+    params.permit(:username, :email, :password, :agreement, :locale, :reason, :time_zone)
  end

  def check_enabled_registrations
--- a/app/controllers/api/v1/admin/canonical_email_blocks_controller.rb
+++ b/app/controllers/api/v1/admin/canonical_email_blocks_controller.rb
@ -58,7 +58,7 @@ class Api::V1::Admin::CanonicalEmailBlocksController < Api::BaseController
  end

  def set_canonical_email_blocks_from_test
-    @canonical_email_blocks = CanonicalEmailBlock.matching_email(params[:email])
+    @canonical_email_blocks = CanonicalEmailBlock.matching_email(params.require(:email))
  end

  def set_canonical_email_block
--- a/app/controllers/api/v1/admin/domain_allows_controller.rb
+++ b/app/controllers/api/v1/admin/domain_allows_controller.rb
@ -16,10 +16,20 @@ class Api::V1::Admin::DomainAllowsController < Api::BaseController

  PAGINATION_PARAMS = %i(limit).freeze

+  def index
+    authorize :domain_allow, :index?
+    render json: @domain_allows, each_serializer: REST::Admin::DomainAllowSerializer
+  end
+
+  def show
+    authorize @domain_allow, :show?
+    render json: @domain_allow, serializer: REST::Admin::DomainAllowSerializer
+  end
+
  def create
    authorize :domain_allow, :create?

-    @domain_allow = DomainAllow.find_by(resource_params)
+    @domain_allow = DomainAllow.find_by(domain: resource_params[:domain])

    if @domain_allow.nil?
      @domain_allow = DomainAllow.create!(resource_params)
@ -29,16 +39,6 @@ class Api::V1::Admin::DomainAllowsController < Api::BaseController
    render json: @domain_allow, serializer: REST::Admin::DomainAllowSerializer
  end

-  def index
-    authorize :domain_allow, :index?
-    render json: @domain_allows, each_serializer: REST::Admin::DomainAllowSerializer
-  end
-
-  def show
-    authorize @domain_allow, :show?
-    render json: @domain_allow, serializer: REST::Admin::DomainAllowSerializer
-  end
-
  def destroy
    authorize @domain_allow, :destroy?
    UnallowDomainService.new.call(@domain_allow)
--- a/app/controllers/api/v1/admin/domain_blocks_controller.rb
+++ b/app/controllers/api/v1/admin/domain_blocks_controller.rb
@ -16,6 +16,16 @@ class Api::V1::Admin::DomainBlocksController < Api::BaseController

  PAGINATION_PARAMS = %i(limit).freeze

+  def index
+    authorize :domain_block, :index?
+    render json: @domain_blocks, each_serializer: REST::Admin::DomainBlockSerializer
+  end
+
+  def show
+    authorize @domain_block, :show?
+    render json: @domain_block, serializer: REST::Admin::DomainBlockSerializer
+  end
+
  def create
    authorize :domain_block, :create?

@ -28,16 +38,6 @@ class Api::V1::Admin::DomainBlocksController < Api::BaseController
    render json: @domain_block, serializer: REST::Admin::DomainBlockSerializer
  end

-  def index
-    authorize :domain_block, :index?
-    render json: @domain_blocks, each_serializer: REST::Admin::DomainBlockSerializer
-  end
-
-  def show
-    authorize @domain_block, :show?
-    render json: @domain_block, serializer: REST::Admin::DomainBlockSerializer
-  end
-
  def update
    authorize @domain_block, :update?
    @domain_block.update!(domain_block_params)
--- a/app/controllers/api/v1/admin/email_domain_blocks_controller.rb
+++ b/app/controllers/api/v1/admin/email_domain_blocks_controller.rb
@ -18,15 +18,6 @@ class Api::V1::Admin::EmailDomainBlocksController < Api::BaseController
    limit
  ).freeze

-  def create
-    authorize :email_domain_block, :create?
-
-    @email_domain_block = EmailDomainBlock.create!(resource_params)
-    log_action :create, @email_domain_block
-
-    render json: @email_domain_block, serializer: REST::Admin::EmailDomainBlockSerializer
-  end
-
  def index
    authorize :email_domain_block, :index?
    render json: @email_domain_blocks, each_serializer: REST::Admin::EmailDomainBlockSerializer
@ -37,6 +28,15 @@ class Api::V1::Admin::EmailDomainBlocksController < Api::BaseController
    render json: @email_domain_block, serializer: REST::Admin::EmailDomainBlockSerializer
  end

+  def create
+    authorize :email_domain_block, :create?
+
+    @email_domain_block = EmailDomainBlock.create!(resource_params)
+    log_action :create, @email_domain_block
+
+    render json: @email_domain_block, serializer: REST::Admin::EmailDomainBlockSerializer
+  end
+
  def destroy
    authorize @email_domain_block, :destroy?
    @email_domain_block.destroy!
--- a/app/controllers/api/v1/admin/ip_blocks_controller.rb
+++ b/app/controllers/api/v1/admin/ip_blocks_controller.rb
@ -18,13 +18,6 @@ class Api::V1::Admin::IpBlocksController < Api::BaseController
    limit
  ).freeze

-  def create
-    authorize :ip_block, :create?
-    @ip_block = IpBlock.create!(resource_params)
-    log_action :create, @ip_block
-    render json: @ip_block, serializer: REST::Admin::IpBlockSerializer
-  end
-
  def index
    authorize :ip_block, :index?
    render json: @ip_blocks, each_serializer: REST::Admin::IpBlockSerializer
@ -35,6 +28,13 @@ class Api::V1::Admin::IpBlocksController < Api::BaseController
    render json: @ip_block, serializer: REST::Admin::IpBlockSerializer
  end

+  def create
+    authorize :ip_block, :create?
+    @ip_block = IpBlock.create!(resource_params)
+    log_action :create, @ip_block
+    render json: @ip_block, serializer: REST::Admin::IpBlockSerializer
+  end
+
  def update
    authorize @ip_block, :update?
    @ip_block.update(resource_params)
--- a/app/controllers/api/v1/admin/trends/links/preview_card_providers_controller.rb
+++ b/app/controllers/api/v1/admin/trends/links/preview_card_providers_controller.rb
@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+class Api::V1::Admin::Trends::Links::PreviewCardProvidersController < Api::BaseController
+  include Authorization
+
+  LIMIT = 100
+
+  before_action -> { authorize_if_got_token! :'admin:read' }, only: :index
+  before_action -> { authorize_if_got_token! :'admin:write' }, except: :index
+  before_action :set_providers, only: :index
+
+  after_action :verify_authorized
+  after_action :insert_pagination_headers, only: :index
+
+  PAGINATION_PARAMS = %i(limit).freeze
+
+  def index
+    authorize :preview_card_provider, :index?
+
+    render json: @providers, each_serializer: REST::Admin::Trends::Links::PreviewCardProviderSerializer
+  end
+
+  def approve
+    authorize :preview_card_provider, :review?
+
+    provider = PreviewCardProvider.find(params[:id])
+    provider.update(trendable: true, reviewed_at: Time.now.utc)
+    render json: provider, serializer: REST::Admin::Trends::Links::PreviewCardProviderSerializer
+  end
+
+  def reject
+    authorize :preview_card_provider, :review?
+
+    provider = PreviewCardProvider.find(params[:id])
+    provider.update(trendable: false, reviewed_at: Time.now.utc)
+    render json: provider, serializer: REST::Admin::Trends::Links::PreviewCardProviderSerializer
+  end
+
+  private
+
+  def set_providers
+    @providers = PreviewCardProvider.all.to_a_paginated_by_id(limit_param(LIMIT), params_slice(:max_id, :since_id, :min_id))
+  end
+
+  def insert_pagination_headers
+    set_pagination_headers(next_path, prev_path)
+  end
+
+  def next_path
+    api_v1_admin_trends_links_preview_card_providers_url(pagination_params(max_id: pagination_max_id)) if records_continue?
+  end
+
+  def prev_path
+    api_v1_admin_trends_links_preview_card_providers_url(pagination_params(min_id: pagination_since_id)) unless @providers.empty?
+  end
+
+  def pagination_max_id
+    @providers.last.id
+  end
+
+  def pagination_since_id
+    @providers.first.id
+  end
+
+  def records_continue?
+    @providers.size == limit_param(LIMIT)
+  end
+
+  def pagination_params(core_params)
+    params.slice(*PAGINATION_PARAMS).permit(*PAGINATION_PARAMS).merge(core_params)
+  end
+end
--- a/app/controllers/api/v1/admin/trends/links_controller.rb
+++ b/app/controllers/api/v1/admin/trends/links_controller.rb
@ -1,7 +1,36 @@
 # frozen_string_literal: true

 class Api::V1::Admin::Trends::LinksController < Api::V1::Trends::LinksController
-  before_action -> { authorize_if_got_token! :'admin:read' }
+  include Authorization
+
+  before_action -> { authorize_if_got_token! :'admin:read' }, only: :index
+  before_action -> { authorize_if_got_token! :'admin:write' }, except: :index
+
+  after_action :verify_authorized, except: :index
+
+  def index
+    if current_user&.can?(:manage_taxonomies)
+      render json: @links, each_serializer: REST::Admin::Trends::LinkSerializer
+    else
+      super
+    end
+  end
+
+  def approve
+    authorize :preview_card, :review?
+
+    link = PreviewCard.find(params[:id])
+    link.update(trendable: true)
+    render json: link, serializer: REST::Admin::Trends::LinkSerializer
+  end
+
+  def reject
+    authorize :preview_card, :review?
+
+    link = PreviewCard.find(params[:id])
+    link.update(trendable: false)
+    render json: link, serializer: REST::Admin::Trends::LinkSerializer
+  end

  private

--- a/app/controllers/api/v1/admin/trends/statuses_controller.rb
+++ b/app/controllers/api/v1/admin/trends/statuses_controller.rb
@ -1,7 +1,36 @@
 # frozen_string_literal: true

 class Api::V1::Admin::Trends::StatusesController < Api::V1::Trends::StatusesController
-  before_action -> { authorize_if_got_token! :'admin:read' }
+  include Authorization
+
+  before_action -> { authorize_if_got_token! :'admin:read' }, only: :index
+  before_action -> { authorize_if_got_token! :'admin:write' }, except: :index
+
+  after_action :verify_authorized, except: :index
+
+  def index
+    if current_user&.can?(:manage_taxonomies)
+      render json: @statuses, each_serializer: REST::Admin::Trends::StatusSerializer
+    else
+      super
+    end
+  end
+
+  def approve
+    authorize [:admin, :status], :review?
+
+    status = Status.find(params[:id])
+    status.update(trendable: true)
+    render json: status, serializer: REST::Admin::Trends::StatusSerializer
+  end
+
+  def reject
+    authorize [:admin, :status], :review?
+
+    status = Status.find(params[:id])
+    status.update(trendable: false)
+    render json: status, serializer: REST::Admin::Trends::StatusSerializer
+  end

  private

--- a/app/controllers/api/v1/admin/trends/tags_controller.rb
+++ b/app/controllers/api/v1/admin/trends/tags_controller.rb
@ -1,7 +1,12 @@
 # frozen_string_literal: true

 class Api::V1::Admin::Trends::TagsController < Api::V1::Trends::TagsController
-  before_action -> { authorize_if_got_token! :'admin:read' }
+  include Authorization
+
+  before_action -> { authorize_if_got_token! :'admin:read' }, only: :index
+  before_action -> { authorize_if_got_token! :'admin:write' }, except: :index
+
+  after_action :verify_authorized, except: :index

  def index
    if current_user&.can?(:manage_taxonomies)
@ -11,6 +16,22 @@ class Api::V1::Admin::Trends::TagsController < Api::V1::Trends::TagsController
    end
  end

+  def approve
+    authorize :tag, :review?
+
+    tag = Tag.find(params[:id])
+    tag.update(trendable: true, reviewed_at: Time.now.utc)
+    render json: tag, serializer: REST::Admin::TagSerializer
+  end
+
+  def reject
+    authorize :tag, :review?
+
+    tag = Tag.find(params[:id])
+    tag.update(trendable: false, reviewed_at: Time.now.utc)
+    render json: tag, serializer: REST::Admin::TagSerializer
+  end
+
  private

  def enabled?
--- a/app/controllers/api/v1/conversations_controller.rb
+++ b/app/controllers/api/v1/conversations_controller.rb
@ -11,7 +11,7 @@ class Api::V1::ConversationsController < Api::BaseController

  def index
    @conversations = paginated_conversations
-    render json: @conversations, each_serializer: REST::ConversationSerializer
+    render json: @conversations, each_serializer: REST::ConversationSerializer, relationships: StatusRelationshipsPresenter.new(@conversations.map(&:last_status), current_user&.account_id)
  end

  def read
@ -19,6 +19,11 @@ class Api::V1::ConversationsController < Api::BaseController
    render json: @conversation, serializer: REST::ConversationSerializer
  end

+  def unread
+    @conversation.update!(unread: true)
+    render json: @conversation, serializer: REST::ConversationSerializer
+  end
+
  def destroy
    @conversation.destroy!
    render_empty
@ -32,6 +37,19 @@ class Api::V1::ConversationsController < Api::BaseController

  def paginated_conversations
    AccountConversation.where(account: current_account)
+                       .includes(
+                         account: :account_stat,
+                         last_status: [
+                           :media_attachments,
+                           :preview_cards,
+                           :status_stat,
+                           :tags,
+                           {
+                             active_mentions: [account: :account_stat],
+                             account: :account_stat,
+                           },
+                         ]
+                       )
                       .to_a_paginated_by_id(limit_param(LIMIT), params_slice(:max_id, :since_id, :min_id))
  end

--- a/app/controllers/api/v1/custom_emojis_controller.rb
+++ b/app/controllers/api/v1/custom_emojis_controller.rb
@ -1,10 +1,10 @@
 # frozen_string_literal: true

 class Api::V1::CustomEmojisController < Api::BaseController
-  skip_before_action :set_cache_headers
+  vary_by '', unless: :disallow_unauthenticated_api_access?

  def index
-    expires_in 3.minutes, public: true
+    cache_even_if_authenticated! unless disallow_unauthenticated_api_access?
    render_with_cache(each_serializer: REST::CustomEmojiSerializer) { CustomEmoji.listed.includes(:category) }
  end
 end
--- a/app/controllers/api/v1/directories_controller.rb
+++ b/app/controllers/api/v1/directories_controller.rb
@ -5,6 +5,7 @@ class Api::V1::DirectoriesController < Api::BaseController
  before_action :set_accounts

  def show
+    cache_if_unauthenticated!
    render json: @accounts, each_serializer: REST::AccountSerializer
  end

@ -20,11 +21,35 @@ class Api::V1::DirectoriesController < Api::BaseController

  def accounts_scope
    Account.discoverable.tap do |scope|
-      scope.merge!(Account.local)                                          if truthy_param?(:local)
-      scope.merge!(Account.by_recent_status)                               if params[:order].blank? || params[:order] == 'active'
-      scope.merge!(Account.order(id: :desc))                               if params[:order] == 'new'
-      scope.merge!(Account.not_excluded_by_account(current_account))       if current_account
-      scope.merge!(Account.not_domain_blocked_by_account(current_account)) if current_account && !truthy_param?(:local)
+      scope.merge!(account_order_scope)
+      scope.merge!(local_account_scope) if local_accounts?
+      scope.merge!(account_exclusion_scope) if current_account
+      scope.merge!(account_domain_block_scope) if current_account && !local_accounts?
    end
  end
+
+  def local_accounts?
+    truthy_param?(:local)
+  end
+
+  def account_order_scope
+    case params[:order]
+    when 'new'
+      Account.order(id: :desc)
+    when 'active', nil
+      Account.by_recent_status
+    end
+  end
+
+  def local_account_scope
+    Account.local
+  end
+
+  def account_exclusion_scope
+    Account.not_excluded_by_account(current_account)
+  end
+
+  def account_domain_block_scope
+    Account.not_domain_blocked_by_account(current_account)
+  end
 end
--- a/app/controllers/api/v1/emails/confirmations_controller.rb
+++ b/app/controllers/api/v1/emails/confirmations_controller.rb
@ -1,9 +1,11 @@
 # frozen_string_literal: true

 class Api::V1::Emails::ConfirmationsController < Api::BaseController
-  before_action -> { doorkeeper_authorize! :write, :'write:accounts' }
-  before_action :require_user_owned_by_application!
-  before_action :require_user_not_confirmed!
+  before_action -> { authorize_if_got_token! :read, :'read:accounts' }, only: :check
+  before_action -> { doorkeeper_authorize! :write, :'write:accounts' }, except: :check
+  before_action :require_user_owned_by_application!, except: :check
+  before_action :require_user_not_confirmed!, except: :check
+  before_action :require_authenticated_user!, only: :check

  def create
    current_user.update!(email: params[:email]) if params.key?(:email)
@ -12,6 +14,10 @@ class Api::V1::Emails::ConfirmationsController < Api::BaseController
    render_empty
  end

+  def check
+    render json: current_user.confirmed?
+  end
+
  private

  def require_user_owned_by_application!
--- a/app/controllers/api/v1/featured_tags_controller.rb
+++ b/app/controllers/api/v1/featured_tags_controller.rb
@ -13,7 +13,7 @@ class Api::V1::FeaturedTagsController < Api::BaseController
  end

  def create
-    featured_tag = CreateFeaturedTagService.new.call(current_account, featured_tag_params[:name])
+    featured_tag = CreateFeaturedTagService.new.call(current_account, params.require(:name))
    render json: featured_tag, serializer: REST::FeaturedTagSerializer
  end

@ -31,8 +31,4 @@ class Api::V1::FeaturedTagsController < Api::BaseController
  def set_featured_tags
    @featured_tags = current_account.featured_tags.order(statuses_count: :desc)
  end
-
-  def featured_tag_params
-    params.permit(:name)
-  end
 end
--- a/app/controllers/api/v1/filters_controller.rb
+++ b/app/controllers/api/v1/filters_controller.rb
@ -11,6 +11,10 @@ class Api::V1::FiltersController < Api::BaseController
    render json: @filters, each_serializer: REST::V1::FilterSerializer
  end

+  def show
+    render json: @filter, serializer: REST::V1::FilterSerializer
+  end
+
  def create
    ApplicationRecord.transaction do
      filter_category = current_account.custom_filters.create!(filter_params)
@ -20,10 +24,6 @@ class Api::V1::FiltersController < Api::BaseController
    render json: @filter, serializer: REST::V1::FilterSerializer
  end

-  def show
-    render json: @filter, serializer: REST::V1::FilterSerializer
-  end
-
  def update
    ApplicationRecord.transaction do
      @filter.update!(keyword_params)
--- a/app/controllers/api/v1/instances/activity_controller.rb
+++ b/app/controllers/api/v1/instances/activity_controller.rb
@ -3,11 +3,12 @@
 class Api::V1::Instances::ActivityController < Api::BaseController
  before_action :require_enabled_api!

-  skip_before_action :set_cache_headers
  skip_before_action :require_authenticated_user!, unless: :whitelist_mode?

+  vary_by ''
+
  def show
-    expires_in 1.day, public: true
+    cache_even_if_authenticated!
    render_with_cache json: :activity, expires_in: 1.day
  end

--- a/app/controllers/api/v1/instances/domain_blocks_controller.rb
+++ b/app/controllers/api/v1/instances/domain_blocks_controller.rb
@ -6,8 +6,15 @@ class Api::V1::Instances::DomainBlocksController < Api::BaseController
  before_action :require_enabled_api!
  before_action :set_domain_blocks

+  vary_by '', if: -> { Setting.show_domain_blocks == 'all' }
+
  def index
-    expires_in 3.minutes, public: true
+    if Setting.show_domain_blocks == 'all'
+      cache_even_if_authenticated!
+    else
+      cache_if_unauthenticated!
+    end
+
    render json: @domain_blocks, each_serializer: REST::DomainBlockSerializer, with_comment: (Setting.show_domain_blocks_rationale == 'all' || (Setting.show_domain_blocks_rationale == 'users' && user_signed_in?))
  end

--- a/app/controllers/api/v1/instances/extended_descriptions_controller.rb
+++ b/app/controllers/api/v1/instances/extended_descriptions_controller.rb
@ -2,11 +2,19 @@

 class Api::V1::Instances::ExtendedDescriptionsController < Api::BaseController
  skip_before_action :require_authenticated_user!, unless: :whitelist_mode?
+  skip_around_action :set_locale

  before_action :set_extended_description

+  vary_by ''
+
+  # Override `current_user` to avoid reading session cookies unless in whitelist mode
+  def current_user
+    super if whitelist_mode?
+  end
+
  def show
-    expires_in 3.minutes, public: true
+    cache_even_if_authenticated!
    render json: @extended_description, serializer: REST::ExtendedDescriptionSerializer
  end

--- a/app/controllers/api/v1/instances/peers_controller.rb
+++ b/app/controllers/api/v1/instances/peers_controller.rb
@ -3,11 +3,18 @@
 class Api::V1::Instances::PeersController < Api::BaseController
  before_action :require_enabled_api!

-  skip_before_action :set_cache_headers
  skip_before_action :require_authenticated_user!, unless: :whitelist_mode?
+  skip_around_action :set_locale
+
+  vary_by ''
+
+  # Override `current_user` to avoid reading session cookies unless in whitelist mode
+  def current_user
+    super if whitelist_mode?
+  end

  def index
-    expires_in 1.day, public: true
+    cache_even_if_authenticated!
    render_with_cache(expires_in: 1.day) { Instance.where.not(domain: DomainBlock.select(:domain)).pluck(:domain) }
  end

--- a/app/controllers/api/v1/instances/privacy_policies_controller.rb
+++ b/app/controllers/api/v1/instances/privacy_policies_controller.rb
@ -5,8 +5,10 @@ class Api::V1::Instances::PrivacyPoliciesController < Api::BaseController

  before_action :set_privacy_policy

+  vary_by ''
+
  def show
-    expires_in 1.day, public: true
+    cache_even_if_authenticated!
    render json: @privacy_policy, serializer: REST::PrivacyPolicySerializer
  end

--- a/app/controllers/api/v1/instances/rules_controller.rb
+++ b/app/controllers/api/v1/instances/rules_controller.rb
@ -2,10 +2,19 @@

 class Api::V1::Instances::RulesController < Api::BaseController
  skip_before_action :require_authenticated_user!, unless: :whitelist_mode?
+  skip_around_action :set_locale

  before_action :set_rules

+  vary_by ''
+
+  # Override `current_user` to avoid reading session cookies unless in whitelist mode
+  def current_user
+    super if whitelist_mode?
+  end
+
  def index
+    cache_even_if_authenticated!
    render json: @rules, each_serializer: REST::RuleSerializer
  end

--- a/app/controllers/api/v1/instances/translation_languages_controller.rb
+++ b/app/controllers/api/v1/instances/translation_languages_controller.rb
@ -5,8 +5,10 @@ class Api::V1::Instances::TranslationLanguagesController < Api::BaseController

  before_action :set_languages

+  vary_by ''
+
  def show
-    expires_in 1.day, public: true
+    cache_even_if_authenticated!
    render json: @languages
  end

--- a/app/controllers/api/v1/instances_controller.rb
+++ b/app/controllers/api/v1/instances_controller.rb
@ -1,11 +1,18 @@
 # frozen_string_literal: true

 class Api::V1::InstancesController < Api::BaseController
-  skip_before_action :set_cache_headers
  skip_before_action :require_authenticated_user!, unless: :whitelist_mode?
+  skip_around_action :set_locale
+
+  vary_by ''
+
+  # Override `current_user` to avoid reading session cookies unless in whitelist mode
+  def current_user
+    super if whitelist_mode?
+  end

  def show
-    expires_in 3.minutes, public: true
+    cache_even_if_authenticated!
    render_with_cache json: InstancePresenter.new, serializer: REST::V1::InstanceSerializer, root: 'instance'
  end
 end
--- a/app/controllers/api/v1/lists_controller.rb
+++ b/app/controllers/api/v1/lists_controller.rb
@ -42,6 +42,6 @@ class Api::V1::ListsController < Api::BaseController
  end

  def list_params
-    params.permit(:title, :replies_policy)
+    params.permit(:title, :replies_policy, :exclusive)
  end
 end
--- a/app/controllers/api/v1/media_controller.rb
+++ b/app/controllers/api/v1/media_controller.rb
@ -6,19 +6,20 @@ class Api::V1::MediaController < Api::BaseController
  before_action :set_media_attachment, except: [:create]
  before_action :check_processing, except: [:create]

+  def show
+    render json: @media_attachment, serializer: REST::MediaAttachmentSerializer, status: status_code_for_media_attachment
+  end
+
  def create
    @media_attachment = current_account.media_attachments.create!(media_attachment_params)
    render json: @media_attachment, serializer: REST::MediaAttachmentSerializer
  rescue Paperclip::Errors::NotIdentifiedByImageMagickError
    render json: file_type_error, status: 422
-  rescue Paperclip::Error
+  rescue Paperclip::Error => e
+    Rails.logger.error "#{e.class}: #{e.message}"
    render json: processing_error, status: 500
  end

-  def show
-    render json: @media_attachment, serializer: REST::MediaAttachmentSerializer, status: status_code_for_media_attachment
-  end
-
  def update
    @media_attachment.update!(updateable_media_attachment_params)
    render json: @media_attachment, serializer: REST::MediaAttachmentSerializer, status: status_code_for_media_attachment
--- a/app/controllers/api/v1/polls_controller.rb
+++ b/app/controllers/api/v1/polls_controller.rb
@ -8,6 +8,7 @@ class Api::V1::PollsController < Api::BaseController
  before_action :refresh_poll

  def show
+    cache_if_unauthenticated!
    render json: @poll, serializer: REST::PollSerializer, include_results: true
  end

--- a/app/controllers/api/v1/push/subscriptions_controller.rb
+++ b/app/controllers/api/v1/push/subscriptions_controller.rb
@ -6,6 +6,10 @@ class Api::V1::Push::SubscriptionsController < Api::BaseController
  before_action :set_push_subscription
  before_action :check_push_subscription, only: [:show, :update]

+  def show
+    render json: @push_subscription, serializer: REST::WebPushSubscriptionSerializer
+  end
+
  def create
    @push_subscription&.destroy!

@ -21,10 +25,6 @@ class Api::V1::Push::SubscriptionsController < Api::BaseController
    render json: @push_subscription, serializer: REST::WebPushSubscriptionSerializer
  end

-  def show
-    render json: @push_subscription, serializer: REST::WebPushSubscriptionSerializer
-  end
-
  def update
    @push_subscription.update!(data: data_params)
    render json: @push_subscription, serializer: REST::WebPushSubscriptionSerializer
--- a/app/controllers/api/v1/statuses/favourited_by_accounts_controller.rb
+++ b/app/controllers/api/v1/statuses/favourited_by_accounts_controller.rb
@ -8,6 +8,7 @@ class Api::V1::Statuses::FavouritedByAccountsController < Api::BaseController
  after_action :insert_pagination_headers

  def index
+    cache_if_unauthenticated!
    @accounts = load_accounts
    render json: @accounts, each_serializer: REST::AccountSerializer
  end
--- a/app/controllers/api/v1/statuses/histories_controller.rb
+++ b/app/controllers/api/v1/statuses/histories_controller.rb
@ -7,11 +7,16 @@ class Api::V1::Statuses::HistoriesController < Api::BaseController
  before_action :set_status

  def show
-    render json: @status.edits.includes(:account, status: [:account]), each_serializer: REST::StatusEditSerializer
+    cache_if_unauthenticated!
+    render json: status_edits, each_serializer: REST::StatusEditSerializer
  end

  private

+  def status_edits
+    @status.edits.includes(:account, status: [:account]).to_a.presence || [@status.build_snapshot(at_time: @status.edited_at || @status.created_at)]
+  end
+
  def set_status
    @status = Status.find(params[:status_id])
    authorize @status, :show?
--- a/app/controllers/api/v1/statuses/reblogged_by_accounts_controller.rb
+++ b/app/controllers/api/v1/statuses/reblogged_by_accounts_controller.rb
@ -8,6 +8,7 @@ class Api::V1::Statuses::RebloggedByAccountsController < Api::BaseController
  after_action :insert_pagination_headers

  def index
+    cache_if_unauthenticated!
    @accounts = load_accounts
    render json: @accounts, each_serializer: REST::AccountSerializer
  end
--- a/app/controllers/api/v1/statuses/reblogs_controller.rb
+++ b/app/controllers/api/v1/statuses/reblogs_controller.rb
@ -2,6 +2,8 @@

 class Api::V1::Statuses::ReblogsController < Api::BaseController
  include Authorization
+  include Redisable
+  include Lockable

  before_action -> { doorkeeper_authorize! :write, :'write:statuses' }
  before_action :require_user!
@ -10,7 +12,9 @@ class Api::V1::Statuses::ReblogsController < Api::BaseController
  override_rate_limit_headers :create, family: :statuses

  def create
-    @status = ReblogService.new.call(current_account, @reblog, reblog_params)
+    with_redis_lock("reblog:#{current_account.id}:#{@reblog.id}") do
+      @status = ReblogService.new.call(current_account, @reblog, reblog_params)
+    end

    render json: @status, serializer: REST::StatusSerializer
  end
--- a/app/controllers/api/v1/statuses_controller.rb
+++ b/app/controllers/api/v1/statuses_controller.rb
@ -24,11 +24,14 @@ class Api::V1::StatusesController < Api::BaseController
  DESCENDANTS_DEPTH_LIMIT = 20

  def show
+    cache_if_unauthenticated!
    @status = cache_collection([@status], Status).first
    render json: @status, serializer: REST::StatusSerializer
  end

  def context
+    cache_if_unauthenticated!
+
    ancestors_limit         = CONTEXT_LIMIT
    descendants_limit       = CONTEXT_LIMIT
    descendants_depth_limit = nil
--- a/app/controllers/api/v1/tags_controller.rb
+++ b/app/controllers/api/v1/tags_controller.rb
@ -8,6 +8,7 @@ class Api::V1::TagsController < Api::BaseController
  override_rate_limit_headers :follow, family: :follows

  def show
+    cache_if_unauthenticated!
    render json: @tag, serializer: REST::TagSerializer
  end

--- a/app/controllers/api/v1/timelines/public_controller.rb
+++ b/app/controllers/api/v1/timelines/public_controller.rb
@ -5,6 +5,7 @@ class Api::V1::Timelines::PublicController < Api::BaseController
  after_action :insert_pagination_headers, unless: -> { @statuses.empty? }

  def show
+    cache_if_unauthenticated!
    @statuses = load_statuses
    render json: @statuses, each_serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new(@statuses, current_user&.account_id)
  end
--- a/app/controllers/api/v1/timelines/tag_controller.rb
+++ b/app/controllers/api/v1/timelines/tag_controller.rb
@ -5,6 +5,7 @@ class Api::V1::Timelines::TagController < Api::BaseController
  after_action :insert_pagination_headers, unless: -> { @statuses.empty? }

  def show
+    cache_if_unauthenticated!
    @statuses = load_statuses
    render json: @statuses, each_serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new(@statuses, current_user&.account_id)
  end
--- a/app/controllers/api/v1/trends/links_controller.rb
+++ b/app/controllers/api/v1/trends/links_controller.rb
@ -1,6 +1,8 @@
 # frozen_string_literal: true

 class Api::V1::Trends::LinksController < Api::BaseController
+  vary_by 'Authorization, Accept-Language'
+
  before_action :set_links

  after_action :insert_pagination_headers
@ -8,6 +10,7 @@ class Api::V1::Trends::LinksController < Api::BaseController
  DEFAULT_LINKS_LIMIT = 10

  def index
+    cache_if_unauthenticated!
    render json: @links, each_serializer: REST::Trends::LinkSerializer
  end

--- a/app/controllers/api/v1/trends/statuses_controller.rb
+++ b/app/controllers/api/v1/trends/statuses_controller.rb
@ -1,11 +1,14 @@
 # frozen_string_literal: true

 class Api::V1::Trends::StatusesController < Api::BaseController
+  vary_by 'Authorization, Accept-Language'
+
  before_action :set_statuses

  after_action :insert_pagination_headers

  def index
+    cache_if_unauthenticated!
    render json: @statuses, each_serializer: REST::StatusSerializer
  end

--- a/app/controllers/api/v1/trends/tags_controller.rb
+++ b/app/controllers/api/v1/trends/tags_controller.rb
@ -8,6 +8,7 @@ class Api::V1::Trends::TagsController < Api::BaseController
  DEFAULT_TAGS_LIMIT = (ENV['MAX_TRENDING_TAGS'] || 10).to_i

  def index
+    cache_if_unauthenticated!
    render json: @tags, each_serializer: REST::TagSerializer, relationships: TagRelationshipsPresenter.new(@tags, current_user&.account_id)
  end

--- a/app/controllers/api/v2/admin/accounts_controller.rb
+++ b/app/controllers/api/v2/admin/accounts_controller.rb
@ -18,6 +18,14 @@ class Api::V2::Admin::AccountsController < Api::V1::Admin::AccountsController

  private

+  def next_path
+    api_v2_admin_accounts_url(pagination_params(max_id: pagination_max_id)) if records_continue?
+  end
+
+  def prev_path
+    api_v2_admin_accounts_url(pagination_params(min_id: pagination_since_id)) unless @accounts.empty?
+  end
+
  def filtered_accounts
    AccountFilter.new(translated_filter_params).results
  end
--- a/app/controllers/api/v2/filters/keywords_controller.rb
+++ b/app/controllers/api/v2/filters/keywords_controller.rb
@ -12,13 +12,13 @@ class Api::V2::Filters::KeywordsController < Api::BaseController
    render json: @keywords, each_serializer: REST::FilterKeywordSerializer
  end

-  def create
-    @keyword = current_account.custom_filters.find(params[:filter_id]).keywords.create!(resource_params)
-
+  def show
    render json: @keyword, serializer: REST::FilterKeywordSerializer
  end

-  def show
+  def create
+    @keyword = current_account.custom_filters.find(params[:filter_id]).keywords.create!(resource_params)
+
    render json: @keyword, serializer: REST::FilterKeywordSerializer
  end

--- a/app/controllers/api/v2/filters/statuses_controller.rb
+++ b/app/controllers/api/v2/filters/statuses_controller.rb
@ -12,13 +12,13 @@ class Api::V2::Filters::StatusesController < Api::BaseController
    render json: @status_filters, each_serializer: REST::FilterStatusSerializer
  end

-  def create
-    @status_filter = current_account.custom_filters.find(params[:filter_id]).statuses.create!(resource_params)
-
+  def show
    render json: @status_filter, serializer: REST::FilterStatusSerializer
  end

-  def show
+  def create
+    @status_filter = current_account.custom_filters.find(params[:filter_id]).statuses.create!(resource_params)
+
    render json: @status_filter, serializer: REST::FilterStatusSerializer
  end

--- a/app/controllers/api/v2/filters_controller.rb
+++ b/app/controllers/api/v2/filters_controller.rb
@ -11,13 +11,13 @@ class Api::V2::FiltersController < Api::BaseController
    render json: @filters, each_serializer: REST::FilterSerializer, rules_requested: true
  end

-  def create
-    @filter = current_account.custom_filters.create!(resource_params)
-
+  def show
    render json: @filter, serializer: REST::FilterSerializer, rules_requested: true
  end

-  def show
+  def create
+    @filter = current_account.custom_filters.create!(resource_params)
+
    render json: @filter, serializer: REST::FilterSerializer, rules_requested: true
  end

--- a/app/controllers/api/v2/instances_controller.rb
+++ b/app/controllers/api/v2/instances_controller.rb
@ -2,7 +2,7 @@

 class Api::V2::InstancesController < Api::V1::InstancesController
  def show
-    expires_in 3.minutes, public: true
+    cache_even_if_authenticated!
    render_with_cache json: InstancePresenter.new, serializer: REST::InstanceSerializer, root: 'instance'
  end
 end
--- a/app/controllers/api/v2/media_controller.rb
+++ b/app/controllers/api/v2/media_controller.rb
@ -6,7 +6,8 @@ class Api::V2::MediaController < Api::V1::MediaController
    render json: @media_attachment, serializer: REST::MediaAttachmentSerializer, status: @media_attachment.not_processed? ? 202 : 200
  rescue Paperclip::Errors::NotIdentifiedByImageMagickError
    render json: file_type_error, status: 422
-  rescue Paperclip::Error
+  rescue Paperclip::Error => e
+    Rails.logger.error "#{e.class}: #{e.message}"
    render json: processing_error, status: 500
  end
 end
--- a/app/controllers/api/v2/search_controller.rb
+++ b/app/controllers/api/v2/search_controller.rb
@ -34,11 +34,11 @@ class Api::V2::SearchController < Api::BaseController
      params[:q],
      current_account,
      limit_param(RESULTS_LIMIT),
-      search_params.merge(resolve: truthy_param?(:resolve), exclude_unreviewed: truthy_param?(:exclude_unreviewed))
+      search_params.merge(resolve: truthy_param?(:resolve), exclude_unreviewed: truthy_param?(:exclude_unreviewed), following: truthy_param?(:following))
    )
  end

  def search_params
-    params.permit(:type, :offset, :min_id, :max_id, :account_id)
+    params.permit(:type, :offset, :min_id, :max_id, :account_id, :following)
  end
 end
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -21,6 +21,8 @@ class ApplicationController < ActionController::Base
  helper_method :omniauth_only?
  helper_method :sso_account_settings
  helper_method :whitelist_mode?
+  helper_method :body_class_string
+  helper_method :skip_csrf_meta_tags?

  rescue_from ActionController::ParameterMissing, Paperclip::AdapterRegistry::NoHandlerError, with: :bad_request
  rescue_from Mastodon::NotPermittedError, with: :forbidden
@ -37,9 +39,11 @@ class ApplicationController < ActionController::Base
    service_unavailable
  end

-  before_action :store_current_location, except: :raise_not_found, unless: :devise_controller?
+  before_action :store_referrer, except: :raise_not_found, if: :devise_controller?
  before_action :require_functional!, if: :user_signed_in?

+  before_action :set_cache_control_defaults
+
  skip_before_action :verify_authenticity_token, only: :raise_not_found

  def raise_not_found
@ -56,14 +60,25 @@ class ApplicationController < ActionController::Base
    !authorized_fetch_mode?
  end

-  def store_current_location
-    store_location_for(:user, request.url) unless [:json, :rss].include?(request.format&.to_sym)
+  def store_referrer
+    return if request.referer.blank?
+
+    redirect_uri = URI(request.referer)
+    return if redirect_uri.path.start_with?('/auth')
+
+    stored_url = redirect_uri.to_s if redirect_uri.host == request.host && redirect_uri.port == request.port
+
+    store_location_for(:user, stored_url)
  end

  def require_functional!
    redirect_to edit_user_registration_path unless current_user.functional?
  end

+  def skip_csrf_meta_tags?
+    false
+  end
+
  def after_sign_out_path_for(_resource_or_scope)
    if ENV['OMNIAUTH_ONLY'] == 'true' && ENV['OIDC_ENABLED'] == 'true'
      '/auth/auth/openid_connect/logout'
@ -127,7 +142,7 @@ class ApplicationController < ActionController::Base
  end

  def sso_account_settings
-    ENV.fetch('SSO_ACCOUNT_SETTINGS')
+    ENV.fetch('SSO_ACCOUNT_SETTINGS', nil)
  end

  def current_account
@ -142,6 +157,10 @@ class ApplicationController < ActionController::Base
    @current_session = SessionActivation.find_by(session_id: cookies.signed['_session_id']) if cookies.signed['_session_id'].present?
  end

+  def body_class_string
+    @body_classes || ''
+  end
+
  def respond_with_error(code)
    respond_to do |format|
      format.any do
@ -151,4 +170,8 @@ class ApplicationController < ActionController::Base
      format.json { render json: { error: Rack::Utils::HTTP_STATUS_CODES[code] }, status: code }
    end
  end
+
+  def set_cache_control_defaults
+    response.cache_control.replace(private: true, no_store: true)
+  end
 end
--- a/app/controllers/auth/confirmations_controller.rb
+++ b/app/controllers/auth/confirmations_controller.rb
@ -57,9 +57,6 @@ class Auth::ConfirmationsController < Devise::ConfirmationsController

  def captcha_user_bypass?
    return true if @confirmation_user.nil? || @confirmation_user.confirmed?
-
-    invite = Invite.find(@confirmation_user.invite_id) if @confirmation_user.invite_id.present?
-    invite.present? && !invite.max_uses.nil?
  end

  def set_pack
@ -91,8 +88,10 @@ class Auth::ConfirmationsController < Devise::ConfirmationsController
  def after_confirmation_path_for(_resource_name, user)
    if user.created_by_application && truthy_param?(:redirect_to_app)
      user.created_by_application.confirmation_redirect_uri
+    elsif user_signed_in?
+      web_url('start')
    else
-      super
+      new_user_session_path
    end
  end
 end
--- a/app/controllers/auth/registrations_controller.rb
+++ b/app/controllers/auth/registrations_controller.rb
@ -25,16 +25,16 @@ class Auth::RegistrationsController < Devise::RegistrationsController
    super(&:build_invite_request)
  end

-  def destroy
-    not_found
-  end
-
  def update
    super do |resource|
      resource.clear_other_sessions(current_session.session_id) if resource.saved_change_to_encrypted_password?
    end
  end

+  def destroy
+    not_found
+  end
+
  protected

  def update_resource(resource, params)
@ -132,7 +132,7 @@ class Auth::RegistrationsController < Devise::RegistrationsController
  end

  def set_sessions
-    @sessions = current_user.session_activations
+    @sessions = current_user.session_activations.order(updated_at: :desc)
  end

  def set_strikes
@ -157,6 +157,6 @@ class Auth::RegistrationsController < Devise::RegistrationsController
  end

  def set_cache_headers
-    response.headers['Cache-Control'] = 'private, no-store'
+    response.cache_control.replace(private: true, no_store: true)
  end
 end
--- a/Show More
+++ b/Show More