Add note about Fedora packaging Rust libraries

See https://github.com/element-hq/synapse/pull/18856#discussion_r2330378204
Best effort for application dependencies
2025-12-07 01:20:16 +00:00 · 2025-09-08 19:43:10 -05:00 · 2025-09-05 15:10:37 -05:00 · 2025-08-21 19:51:38 -05:00 · 2025-08-21 19:48:05 -05:00
405 changed files with 2283 additions and 5478 deletions
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -31,7 +31,7 @@ jobs:
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

      - name: Extract version from pyproject.toml
        # Note: explicitly requesting bash will mean bash is invoked with `-eo pipefail`, see
@@ -41,13 +41,13 @@ jobs:
          echo "SYNAPSE_VERSION=$(grep "^version" pyproject.toml | sed -E 's/version\s*=\s*["]([^"]*)["]/\1/')" >> $GITHUB_ENV

      - name: Log in to DockerHub
-        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Log in to GHCR
-        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
@@ -102,14 +102,14 @@ jobs:
          merge-multiple: true

      - name: Log in to DockerHub
-        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        if: ${{ startsWith(matrix.repository, 'docker.io') }}
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Log in to GHCR
-        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        if: ${{ startsWith(matrix.repository, 'ghcr.io') }}
        with:
          registry: ghcr.io
@@ -120,7 +120,7 @@ jobs:
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

      - name: Install Cosign
-        uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
+        uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2

      - name: Calculate docker image tag
        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
--- a/.github/workflows/docs-pr.yaml
+++ b/.github/workflows/docs-pr.yaml
@@ -13,7 +13,7 @@ jobs:
    name: GitHub Pages
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
        with:
          # Fetch all history so that the schema_versions script works.
          fetch-depth: 0
@@ -24,7 +24,7 @@ jobs:
          mdbook-version: '0.4.17'

      - name: Setup python
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: "3.x"

@@ -50,7 +50,7 @@ jobs:
    name: Check links in documentation
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

      - name: Setup mdbook
        uses: peaceiris/actions-mdbook@ee69d230fe19748b7abf22df32acaa93833fad08 # v2.0.0
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -50,7 +50,7 @@ jobs:
    needs:
      - pre
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
        with:
          # Fetch all history so that the schema_versions script works.
          fetch-depth: 0
@@ -64,7 +64,7 @@ jobs:
        run: echo 'window.SYNAPSE_VERSION = "${{ needs.pre.outputs.branch-version }}";' > ./docs/website_files/version.js

      - name: Setup python
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: "3.x"

--- a/.github/workflows/fix_lint.yaml
+++ b/.github/workflows/fix_lint.yaml
@@ -18,10 +18,10 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
          components: clippy, rustfmt
--- a/.github/workflows/latest_deps.yml
+++ b/.github/workflows/latest_deps.yml
@@ -42,9 +42,9 @@ jobs:
    if: needs.check_repo.outputs.should_run_workflow == 'true'
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
@@ -77,10 +77,10 @@ jobs:
            postgres-version: "14"

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
@@ -93,7 +93,7 @@ jobs:
            -e POSTGRES_PASSWORD=postgres \
            -e POSTGRES_INITDB_ARGS="--lc-collate C --lc-ctype C --encoding UTF8" \
            postgres:${{ matrix.postgres-version }}
-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: "3.x"
      - run: pip install .[all,test]
@@ -152,10 +152,10 @@ jobs:
      BLACKLIST: ${{ matrix.workers && 'synapse-blacklist-with-workers' }}

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
@@ -202,14 +202,14 @@ jobs:

    steps:
      - name: Check out synapse codebase
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
        with:
          path: synapse

      - name: Prepare Complement's Prerequisites
        run: synapse/.ci/scripts/setup_complement_prerequisites.sh

-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
        with:
          cache-dependency-path: complement/go.sum
          go-version-file: complement/go.mod
@@ -234,7 +234,7 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
      - uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2.9.2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/poetry_lockfile.yaml
+++ b/.github/workflows/poetry_lockfile.yaml
@@ -16,8 +16,8 @@ jobs:
    name: "Check locked dependencies have sdists"
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: '3.x'
      - run: pip install tomli
--- a/.github/workflows/push_complement_image.yml
+++ b/.github/workflows/push_complement_image.yml
@@ -33,22 +33,22 @@ jobs:
      packages: write
    steps:
      - name: Checkout specific branch (debug build)
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
        if: github.event_name == 'workflow_dispatch'
        with:
          ref: ${{ inputs.branch }}
      - name: Checkout clean copy of develop (scheduled build)
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
        if: github.event_name == 'schedule'
        with:
          ref: develop
      - name: Checkout clean copy of master (on-push)
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
        if: github.event_name == 'push'
        with:
          ref: master
      - name: Login to registry
-        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
--- a/.github/workflows/release-artifacts.yml
+++ b/.github/workflows/release-artifacts.yml
@@ -27,8 +27,8 @@ jobs:
    name: "Calculate list of debian distros"
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: "3.x"
      - id: set-distros
@@ -55,7 +55,7 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
        with:
          path: src

@@ -74,7 +74,7 @@ jobs:
            ${{ runner.os }}-buildx-

      - name: Set up python
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: "3.x"

@@ -132,9 +132,9 @@ jobs:
            os: "ubuntu-24.04-arm"

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          # setup-python@v4 doesn't impose a default python version. Need to use 3.x
          # here, because `python` on osx points to Python 2.7.
@@ -165,8 +165,8 @@ jobs:
    if: ${{ !startsWith(github.ref, 'refs/pull/') }}

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: "3.10"

--- a/.github/workflows/schema.yaml
+++ b/.github/workflows/schema.yaml
@@ -14,8 +14,8 @@ jobs:
    name: Ensure Synapse config schema is valid
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: "3.x"
      - name: Install check-jsonschema
@@ -40,8 +40,8 @@ jobs:
    name: Ensure generated documentation is up-to-date
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: "3.x"
      - name: Install PyYAML
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -86,9 +86,9 @@ jobs:
    if: ${{ needs.changes.outputs.linting == 'true' }}

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
@@ -106,8 +106,8 @@ jobs:
    if: ${{ needs.changes.outputs.linting == 'true' }}

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: "3.x"
      - run: "pip install 'click==8.1.1' 'GitPython>=3.1.20'"
@@ -116,8 +116,8 @@ jobs:
  check-lockfile:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: "3.x"
      - run: .ci/scripts/check_lockfile.py
@@ -129,7 +129,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

      - name: Setup Poetry
        uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0
@@ -151,10 +151,10 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
@@ -187,7 +187,7 @@ jobs:
  lint-crlf:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
      - name: Check line endings
        run: scripts-dev/check_line_terminators.sh

@@ -195,11 +195,11 @@ jobs:
    if: ${{ (github.base_ref == 'develop'  || contains(github.base_ref, 'release-')) && github.actor != 'dependabot[bot]' }}
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0
-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: "3.x"
      - run: "pip install 'towncrier>=18.6.0rc1'"
@@ -213,11 +213,11 @@ jobs:
    if: ${{ needs.changes.outputs.linting == 'true' }}

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
@@ -233,10 +233,10 @@ jobs:
    if: ${{ needs.changes.outputs.rust == 'true' }}

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
        with:
            components: clippy
            toolchain: ${{ env.RUST_VERSION }}
@@ -252,10 +252,10 @@ jobs:
    if: ${{ needs.changes.outputs.rust == 'true' }}

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
        with:
            toolchain: nightly-2025-04-23
            components: clippy
@@ -270,10 +270,10 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
@@ -306,10 +306,10 @@ jobs:
    if: ${{ needs.changes.outputs.rust == 'true' }}

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
        with:
          # We use nightly so that we can use some unstable options that we use in
          # `.rustfmt.toml`.
@@ -326,8 +326,8 @@ jobs:
    needs: changes
    if: ${{ needs.changes.outputs.linting_readme == 'true' }}
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: "3.x"
      - run: "pip install rstcheck"
@@ -376,8 +376,8 @@ jobs:
    needs: linting-done
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: "3.x"
      - id: get-matrix
@@ -397,7 +397,7 @@ jobs:
        job:  ${{ fromJson(needs.calculate-test-jobs.outputs.trial_test_matrix) }}

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
      - run: sudo apt-get -qq install xmlsec1
      - name: Set up PostgreSQL ${{ matrix.job.postgres-version }}
        if: ${{ matrix.job.postgres-version }}
@@ -412,7 +412,7 @@ jobs:
            postgres:${{ matrix.job.postgres-version }}

      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
@@ -453,10 +453,10 @@ jobs:
      - changes
    runs-on: ubuntu-22.04
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
@@ -468,7 +468,7 @@ jobs:
          sudo apt-get -qq install build-essential libffi-dev python3-dev \
            libxml2-dev libxslt-dev xmlsec1 zlib1g-dev libjpeg-dev libwebp-dev

-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: '3.9'

@@ -518,7 +518,7 @@ jobs:
        extras: ["all"]

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
      # Install libs necessary for PyPy to build binary wheels for dependencies
      - run: sudo apt-get -qq install xmlsec1 libxml2-dev libxslt-dev
      - uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0
@@ -568,12 +568,12 @@ jobs:
        job: ${{ fromJson(needs.calculate-test-jobs.outputs.sytest_test_matrix) }}

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
      - name: Prepare test blacklist
        run: cat sytest-blacklist .ci/worker-blacklist > synapse-blacklist-with-workers

      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
@@ -615,7 +615,7 @@ jobs:
          --health-retries 5

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
      - run: sudo apt-get -qq install xmlsec1 postgresql-client
      - uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0
        with:
@@ -659,7 +659,7 @@ jobs:
          --health-retries 5

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
      - name: Add PostgreSQL apt repository
        # We need a version of pg_dump that can handle the version of
        # PostgreSQL being tested against. The Ubuntu package repository lags
@@ -714,12 +714,12 @@ jobs:

    steps:
      - name: Checkout synapse codebase
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
        with:
          path: synapse

      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
@@ -727,7 +727,7 @@ jobs:
      - name: Prepare Complement's Prerequisites
        run: synapse/.ci/scripts/setup_complement_prerequisites.sh

-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
        with:
          cache-dependency-path: complement/go.sum
          go-version-file: complement/go.mod
@@ -750,10 +750,10 @@ jobs:
      - changes

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
@@ -770,10 +770,10 @@ jobs:
      - changes

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
        with:
            toolchain: nightly-2022-12-01
      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
--- a/.github/workflows/triage_labelled.yml
+++ b/.github/workflows/triage_labelled.yml
@@ -11,7 +11,7 @@ jobs:
    if: >
      contains(github.event.issue.labels.*.name, 'X-Needs-Info')
    steps:
-      - uses: actions/add-to-project@4515659e2b458b27365e167605ac44f219494b66 # v1.0.2
+      - uses: actions/add-to-project@c0c5949b017d0d4a39f7ba888255881bdac2a823 # v1.0.2
        id: add_project
        with:
          project-url: "https://github.com/orgs/matrix-org/projects/67"
--- a/.github/workflows/twisted_trunk.yml
+++ b/.github/workflows/twisted_trunk.yml
@@ -43,10 +43,10 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
@@ -70,11 +70,11 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
      - run: sudo apt-get -qq install xmlsec1

      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
@@ -117,10 +117,10 @@ jobs:
        - ${{ github.workspace }}:/src

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
@@ -175,14 +175,14 @@ jobs:

    steps:
      - name: Run actions/checkout@v4 for synapse
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
        with:
          path: synapse

      - name: Prepare Complement's Prerequisites
        run: synapse/.ci/scripts/setup_complement_prerequisites.sh

-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
        with:
          cache-dependency-path: complement/go.sum
          go-version-file: complement/go.mod
@@ -217,7 +217,7 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
      - uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2.9.2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,181 +1,3 @@
-# Synapse 1.139.2 (2025-10-07)
-
-## Bugfixes
-
- Fix a bug introduced in 1.139.1 where a client could receive an Internal Server Error if they set `device_keys: null` in the request to [`POST /_matrix/client/v3/keys/upload`](https://spec.matrix.org/v1.16/client-server-api/#post_matrixclientv3keysupload). ([\#19023](https://github.com/element-hq/synapse/issues/19023))
-
-
-
-
-# Synapse 1.139.1 (2025-10-07)
-
-## Security Fixes
-
- Fix [CVE-2025-61672](https://www.cve.org/CVERecord?id=CVE-2025-61672) / [GHSA-fh66-fcv5-jjfr](https://github.com/element-hq/synapse/security/advisories/GHSA-fh66-fcv5-jjfr). Lack of validation for device keys in Synapse before 1.139.1 allows an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. ([\#17097](https://github.com/element-hq/synapse/issues/17097))
-
-## Deprecations and Removals
-
- Drop support for unstable field names from the long-accepted [MSC2732](https://github.com/matrix-org/matrix-spec-proposals/pull/2732) (Olm fallback keys) proposal. This change allows unit tests to pass following the security patch above. ([\#18996](https://github.com/element-hq/synapse/issues/18996))
-
-
-
-# Synapse 1.139.0 (2025-09-30)
-
-### `/register` requests from old application service implementations may break when using MAS
-
-If you are using Matrix Authentication Service (MAS), as of this release any
-Application Services that do not set `inhibit_login=true` when calling `POST
-/_matrix/client/v3/register` will receive the error
-`IO.ELEMENT.MSC4190.M_APPSERVICE_LOGIN_UNSUPPORTED` in response. Please see [the
-upgrade
-notes](https://element-hq.github.io/synapse/develop/upgrade.html#register-requests-from-old-application-service-implementations-may-break-when-using-mas)
-for more information.
-
-No significant changes since 1.139.0rc3.
-
-
-
-
-# Synapse 1.139.0rc3 (2025-09-25)
-
-## Bugfixes
-
- Fix a bug introduced in 1.139.0rc1 where `run_coroutine_in_background(...)` incorrectly handled logcontexts, resulting in partially broken logging. ([\#18964](https://github.com/element-hq/synapse/issues/18964))
-
-
-
-
-# Synapse 1.139.0rc2 (2025-09-23)
-
-## Internal Changes
-
- Drop support for Ubuntu 24.10 Oracular Oriole, and add support for Ubuntu 25.04 Plucky Puffin. ([\#18962](https://github.com/element-hq/synapse/issues/18962))
-
-
-
-
-# Synapse 1.139.0rc1 (2025-09-23)
-
-## Features
-
- Add experimental support for [MSC4308: Thread Subscriptions extension to Sliding Sync](https://github.com/matrix-org/matrix-spec-proposals/pull/4308) when [MSC4306: Thread Subscriptions](https://github.com/matrix-org/matrix-spec-proposals/pull/4306) and [MSC4186: Simplified Sliding Sync](https://github.com/matrix-org/matrix-spec-proposals/pull/4186) are enabled. ([\#18695](https://github.com/element-hq/synapse/issues/18695))
- Update push rules for experimental [MSC4306: Thread Subscriptions](https://github.com/matrix-org/matrix-doc/issues/4306) to follow a newer draft. ([\#18846](https://github.com/element-hq/synapse/issues/18846))
- Add `get_media_upload_limits_for_user` and `on_media_upload_limit_exceeded` module API callbacks to the media repository. ([\#18848](https://github.com/element-hq/synapse/issues/18848))
- Support [MSC4169](https://github.com/matrix-org/matrix-spec-proposals/pull/4169) for backwards-compatible redaction sending using the `/send` endpoint. Contributed by @SpiritCroc @ Beeper. ([\#18898](https://github.com/element-hq/synapse/issues/18898))
- Add an in-memory cache to `_get_e2e_cross_signing_signatures_for_devices` to reduce DB load. ([\#18899](https://github.com/element-hq/synapse/issues/18899))
- Update [MSC4190](https://github.com/matrix-org/matrix-spec-proposals/pull/4190) support to return correct errors and allow appservices to reset cross-signing keys without user-interactive authentication. Contributed by @tulir @ Beeper. ([\#18946](https://github.com/element-hq/synapse/issues/18946))
-
-## Bugfixes
-
- Ensure all PDUs sent via `/send` pass canonical JSON checks. ([\#18641](https://github.com/element-hq/synapse/issues/18641))
- Fix bug where we did not send invite revocations over federation. ([\#18823](https://github.com/element-hq/synapse/issues/18823))
- Fix prefixed support for [MSC4133](https://github.com/matrix-org/matrix-spec-proposals/pull/4133). ([\#18875](https://github.com/element-hq/synapse/issues/18875))
- Fix open redirect in legacy SSO flow with the `idp` query parameter. ([\#18909](https://github.com/element-hq/synapse/issues/18909))
- Fix a performance regression related to the experimental Delayed Events ([MSC4140](https://github.com/matrix-org/matrix-spec-proposals/pull/4140)) feature. ([\#18926](https://github.com/element-hq/synapse/issues/18926))
-
-## Updates to the Docker image
-
- Suppress "Applying schema" log noise bulk when `SYNAPSE_LOG_TESTING` is set. ([\#18878](https://github.com/element-hq/synapse/issues/18878))
-
-## Improved Documentation
-
- Clarify Python dependency constraints in our deprecation policy. ([\#18856](https://github.com/element-hq/synapse/issues/18856))
- Clarify necessary `jwt_config` parameter in OIDC documentation for authentik. Contributed by @maxkratz. ([\#18931](https://github.com/element-hq/synapse/issues/18931))
-
-## Deprecations and Removals
-
- Remove obsolete and experimental `/sync/e2ee` endpoint. ([\#18583](https://github.com/element-hq/synapse/issues/18583))
-
-## Internal Changes
-
- Fix `LaterGauge` metrics to collect from all servers. ([\#18791](https://github.com/element-hq/synapse/issues/18791))
- Configure Synapse to run [MSC4306: Thread Subscriptions](https://github.com/matrix-org/matrix-spec-proposals/pull/4306) Complement tests. ([\#18819](https://github.com/element-hq/synapse/issues/18819))
- Remove `sentinel` logcontext usage where we log in `setup`, `start` and `exit`. ([\#18870](https://github.com/element-hq/synapse/issues/18870))
- Use the `Enum`'s value for the dictionary key when responding to an admin request for experimental features. ([\#18874](https://github.com/element-hq/synapse/issues/18874))
- Start background tasks after we fork the process (daemonize). ([\#18886](https://github.com/element-hq/synapse/issues/18886))
- Better explain how we manage the logcontext in `run_in_background(...)` and `run_as_background_process(...)`. ([\#18900](https://github.com/element-hq/synapse/issues/18900), [\#18906](https://github.com/element-hq/synapse/issues/18906))
- Remove `sentinel` logcontext usage in `Clock` utilities like `looping_call` and `call_later`. ([\#18907](https://github.com/element-hq/synapse/issues/18907))
- Replace usages of the deprecated `pkg_resources` interface in preparation of setuptools dropping it soon. ([\#18910](https://github.com/element-hq/synapse/issues/18910))
- Split loading config from homeserver `setup`. ([\#18933](https://github.com/element-hq/synapse/issues/18933))
- Fix `run_in_background` not being awaited properly in some tests causing `LoggingContext` problems. ([\#18937](https://github.com/element-hq/synapse/issues/18937))
- Fix `run_as_background_process` not being awaited properly causing `LoggingContext` problems in experimental [MSC4140](https://github.com/matrix-org/matrix-spec-proposals/pull/4140): Delayed events implementation. ([\#18938](https://github.com/element-hq/synapse/issues/18938))
- Introduce `Clock.call_when_running(...)` to wrap startup code in a logcontext, ensuring we can identify which server generated the logs. ([\#18944](https://github.com/element-hq/synapse/issues/18944))
- Introduce `Clock.add_system_event_trigger(...)` to wrap system event callback code in a logcontext, ensuring we can identify which server generated the logs. ([\#18945](https://github.com/element-hq/synapse/issues/18945))
-
-
-
-### Updates to locked dependencies
-
-* Bump actions/setup-go from 5.5.0 to 6.0.0. ([\#18891](https://github.com/element-hq/synapse/issues/18891))
-* Bump actions/setup-python from 5.6.0 to 6.0.0. ([\#18890](https://github.com/element-hq/synapse/issues/18890))
-* Bump authlib from 1.6.1 to 1.6.3. ([\#18921](https://github.com/element-hq/synapse/issues/18921))
-* Bump jsonschema from 4.25.0 to 4.25.1. ([\#18897](https://github.com/element-hq/synapse/issues/18897))
-* Bump log from 0.4.27 to 0.4.28. ([\#18892](https://github.com/element-hq/synapse/issues/18892))
-* Bump phonenumbers from 9.0.12 to 9.0.13. ([\#18893](https://github.com/element-hq/synapse/issues/18893))
-* Bump pydantic from 2.11.7 to 2.11.9. ([\#18922](https://github.com/element-hq/synapse/issues/18922))
-* Bump serde from 1.0.219 to 1.0.223. ([\#18920](https://github.com/element-hq/synapse/issues/18920))
-* Bump serde_json from 1.0.143 to 1.0.145. ([\#18919](https://github.com/element-hq/synapse/issues/18919))
-* Bump sigstore/cosign-installer from 3.9.2 to 3.10.0. ([\#18917](https://github.com/element-hq/synapse/issues/18917))
-* Bump towncrier from 24.8.0 to 25.8.0. ([\#18894](https://github.com/element-hq/synapse/issues/18894))
-* Bump types-psycopg2 from 2.9.21.20250809 to 2.9.21.20250915. ([\#18918](https://github.com/element-hq/synapse/issues/18918))
-* Bump types-requests from 2.32.4.20250611 to 2.32.4.20250809. ([\#18895](https://github.com/element-hq/synapse/issues/18895))
-* Bump types-setuptools from 80.9.0.20250809 to 80.9.0.20250822. ([\#18924](https://github.com/element-hq/synapse/issues/18924))
-
-# Synapse 1.138.0 (2025-09-09)
-
-No significant changes since 1.138.0rc1.
-
-
-
-
-# Synapse 1.138.0rc1 (2025-09-02)
-
-### Features
-
- Support for the stable endpoint and scopes of [MSC3861](https://github.com/matrix-org/matrix-spec-proposals/pull/3861) & co. ([\#18549](https://github.com/element-hq/synapse/issues/18549))
-
-### Bugfixes
-
- Improve database performance of [MSC4293](https://github.com/matrix-org/matrix-spec-proposals/pull/4293) - Redact on Kick/Ban. ([\#18851](https://github.com/element-hq/synapse/issues/18851))
- Do not throw an error when fetching a rejected delayed state event on startup. ([\#18858](https://github.com/element-hq/synapse/issues/18858))
-
-### Improved Documentation
-
- Fix worker documentation incorrectly indicating all room Admin API requests were capable of being handled by workers. ([\#18853](https://github.com/element-hq/synapse/issues/18853))
-
-### Internal Changes
-
- Instrument `_ByteProducer` with tracing to measure potential dead time while writing bytes to the request. ([\#18804](https://github.com/element-hq/synapse/issues/18804))
- Switch to OpenTracing's `ContextVarsScopeManager` instead of our own custom `LogContextScopeManager`. ([\#18849](https://github.com/element-hq/synapse/issues/18849))
- Trace how much work is being done while "recursively fetching redactions". ([\#18854](https://github.com/element-hq/synapse/issues/18854))
- Link [upstream Twisted bug](https://github.com/twisted/twisted/issues/12498) tracking the problem that explains why we have to use a `Producer` to write bytes to the request. ([\#18855](https://github.com/element-hq/synapse/issues/18855))
- Introduce `EventPersistencePair` type. ([\#18857](https://github.com/element-hq/synapse/issues/18857))
-
-
-
-### Updates to locked dependencies
-
-* Bump actions/add-to-project from c0c5949b017d0d4a39f7ba888255881bdac2a823 to 4515659e2b458b27365e167605ac44f219494b66. ([\#18863](https://github.com/element-hq/synapse/issues/18863))
-* Bump actions/checkout from 4.3.0 to 5.0.0. ([\#18834](https://github.com/element-hq/synapse/issues/18834))
-* Bump anyhow from 1.0.98 to 1.0.99. ([\#18841](https://github.com/element-hq/synapse/issues/18841))
-* Bump docker/login-action from 3.4.0 to 3.5.0. ([\#18835](https://github.com/element-hq/synapse/issues/18835))
-* Bump dtolnay/rust-toolchain from b3b07ba8b418998c39fb20f53e8b695cdcc8de1b to e97e2d8cc328f1b50210efc529dca0028893a2d9. ([\#18862](https://github.com/element-hq/synapse/issues/18862))
-* Bump phonenumbers from 9.0.11 to 9.0.12. ([\#18837](https://github.com/element-hq/synapse/issues/18837))
-* Bump regex from 1.11.1 to 1.11.2. ([\#18864](https://github.com/element-hq/synapse/issues/18864))
-* Bump reqwest from 0.12.22 to 0.12.23. ([\#18842](https://github.com/element-hq/synapse/issues/18842))
-* Bump ruff from 0.12.7 to 0.12.10. ([\#18865](https://github.com/element-hq/synapse/issues/18865))
-* Bump serde_json from 1.0.142 to 1.0.143. ([\#18866](https://github.com/element-hq/synapse/issues/18866))
-* Bump types-bleach from 6.2.0.20250514 to 6.2.0.20250809. ([\#18838](https://github.com/element-hq/synapse/issues/18838))
-* Bump types-jsonschema from 4.25.0.20250720 to 4.25.1.20250822. ([\#18867](https://github.com/element-hq/synapse/issues/18867))
-* Bump types-psycopg2 from 2.9.21.20250718 to 2.9.21.20250809. ([\#18836](https://github.com/element-hq/synapse/issues/18836))
-
-# Synapse 1.137.0 (2025-08-26)
-
-No significant changes since 1.137.0rc1.
-
-
-
-
 # Synapse 1.137.0rc1 (2025-08-19)

 ### Bugfixes
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -28,9 +28,9 @@ dependencies = [

 [[package]]
 name = "anyhow"
-version = "1.0.99"
+version = "1.0.98"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b0674a1ddeecb70197781e945de4b3b8ffb61fa939a5597bcf48503737663100"
+checksum = "e16d2d3311acee920a9eb8d33b8cbc1787ce4a264e85f964c2404b969bdcd487"

 [[package]]
 name = "arc-swap"
@@ -753,9 +753,9 @@ checksum = "241eaef5fd12c88705a01fc1066c48c4b36e0dd4377dcdc7ec3942cea7a69956"

 [[package]]
 name = "log"
-version = "0.4.28"
+version = "0.4.27"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "34080505efa8e45a4b816c349525ebe327ceaa8559756f0356cba97ef3bf7432"
+checksum = "13dc2df351e3202783a1fe0d44375f7295ffb4049267b0f3018346dc122a1d94"

 [[package]]
 name = "lru-slab"
@@ -1062,9 +1062,9 @@ dependencies = [

 [[package]]
 name = "regex"
-version = "1.11.2"
+version = "1.11.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "23d7fd106d8c02486a8d64e778353d1cffe08ce79ac2e82f540c86d0facf6912"
+checksum = "b544ef1b4eac5dc2db33ea63606ae9ffcfac26c1416a2806ae0bf5f56b201191"
 dependencies = [
 "aho-corasick",
 "memchr",
@@ -1091,9 +1091,9 @@ checksum = "2b15c43186be67a4fd63bee50d0303afffcef381492ebe2c5d87f324e1b8815c"

 [[package]]
 name = "reqwest"
-version = "0.12.23"
+version = "0.12.22"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d429f34c8092b2d42c7c93cec323bb4adeb7c67698f70839adec842ec10c7ceb"
+checksum = "cbc931937e6ca3a06e3b6c0aa7841849b160a90351d6ab467a8b9b9959767531"
 dependencies = [
 "base64",
 "bytes",
@@ -1250,28 +1250,18 @@ dependencies = [

 [[package]]
 name = "serde"
-version = "1.0.224"
+version = "1.0.219"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6aaeb1e94f53b16384af593c71e20b095e958dab1d26939c1b70645c5cfbcc0b"
-dependencies = [
- "serde_core",
- "serde_derive",
-]
-
-[[package]]
-name = "serde_core"
-version = "1.0.224"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "32f39390fa6346e24defbcdd3d9544ba8a19985d0af74df8501fbfe9a64341ab"
+checksum = "5f0e2c6ed6606019b4e29e69dbaba95b11854410e5347d525002456dbbb786b6"
 dependencies = [
 "serde_derive",
 ]

 [[package]]
 name = "serde_derive"
-version = "1.0.224"
+version = "1.0.219"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "87ff78ab5e8561c9a675bfc1785cb07ae721f0ee53329a595cefd8c04c2ac4e0"
+checksum = "5b0276cf7f2c73365f7157c8123c21cd9a50fbbd844757af28ca1f5925fc2a00"
 dependencies = [
 "proc-macro2",
 "quote",
@@ -1280,15 +1270,14 @@ dependencies = [

 [[package]]
 name = "serde_json"
-version = "1.0.145"
+version = "1.0.142"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "402a6f66d8c709116cf22f558eab210f5a50187f702eb4d7e5ef38d9a7f1c79c"
+checksum = "030fedb782600dcbd6f02d479bf0d817ac3bb40d644745b769d6a96bc3afc5a7"
 dependencies = [
 "itoa",
 "memchr",
 "ryu",
 "serde",
- "serde_core",
 ]

 [[package]]
--- a/changelog.d/18856.doc
+++ b/changelog.d/18856.doc
@@ -0,0 +1 @@
+Clarify Python dependency constraints in our deprecation policy.
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,57 +1,3 @@
-matrix-synapse-py3 (1.139.2) stable; urgency=medium
-
-  * New Synapse release 1.139.2.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 07 Oct 2025 16:29:47 +0100
-
-matrix-synapse-py3 (1.139.1) stable; urgency=medium
-
-  * New Synapse release 1.139.1.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 07 Oct 2025 11:46:51 +0100
-
-matrix-synapse-py3 (1.139.0) stable; urgency=medium
-
-  * New Synapse release 1.139.0.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 30 Sep 2025 11:58:55 +0100
-
-matrix-synapse-py3 (1.139.0~rc3) stable; urgency=medium
-
-  * New Synapse release 1.139.0rc3.
-
- -- Synapse Packaging team <packages@matrix.org>  Thu, 25 Sep 2025 12:13:23 +0100
-
-matrix-synapse-py3 (1.139.0~rc2) stable; urgency=medium
-
-  * New Synapse release 1.139.0rc2.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 23 Sep 2025 15:31:42 +0100
-
-matrix-synapse-py3 (1.139.0~rc1) stable; urgency=medium
-
-  * New Synapse release 1.139.0rc1.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 23 Sep 2025 13:24:50 +0100
-
-matrix-synapse-py3 (1.138.0) stable; urgency=medium
-
-  * New Synapse release 1.138.0.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 09 Sep 2025 11:21:25 +0100
-
-matrix-synapse-py3 (1.138.0~rc1) stable; urgency=medium
-
-  * New synapse release 1.138.0rc1.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 02 Sep 2025 12:16:14 +0000
-
-matrix-synapse-py3 (1.137.0) stable; urgency=medium
-
-  * New Synapse release 1.137.0.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 26 Aug 2025 10:23:41 +0100
-
 matrix-synapse-py3 (1.137.0~rc1) stable; urgency=medium

  * New Synapse release 1.137.0rc1.
--- a/docker/complement/conf/workers-shared-extra.yaml.j2
+++ b/docker/complement/conf/workers-shared-extra.yaml.j2
@@ -133,8 +133,6 @@ experimental_features:
  msc3984_appservice_key_query: true
  # Invite filtering
  msc4155_enabled: true
-  # Thread Subscriptions
-  msc4306_enabled: true

 server_notices:
  system_mxid_localpart: _server
--- a/docker/conf/log.config
+++ b/docker/conf/log.config
@@ -77,13 +77,6 @@ loggers:
    #}
    synapse.visibility.filtered_event_debug:
        level: DEBUG
-
-    {#
-      If Synapse is under test, we don't care about seeing the "Applying schema" log
-      lines at the INFO level every time we run the tests (it's 100 lines of bulk)
-    #}
-    synapse.storage.prepare_database:
-      level: WARN
    {% endif %}

 root:
--- a/docs/log_contexts.md
+++ b/docs/log_contexts.md
@@ -59,28 +59,6 @@ def do_request_handling():
    logger.debug("phew")
 ```

-### The `sentinel` context
-
-The default logcontext is `synapse.logging.context.SENTINEL_CONTEXT`, which is an empty
-sentinel value to represent the root logcontext. This is what is used when there is no
-other logcontext set. The phrase "clear/reset the logcontext" means to set the current
-logcontext to the `sentinel` logcontext.
-
-No CPU/database usage metrics are recorded against the `sentinel` logcontext.
-
-Ideally, nothing from the Synapse homeserver would be logged against the `sentinel`
-logcontext as we want to know which server the logs came from. In practice, this is not
-always the case yet especially outside of request handling.
-
-Global things outside of Synapse (e.g. Twisted reactor code) should run in the
-`sentinel` logcontext. It's only when it calls into application code that a logcontext
-gets activated. This means the reactor should be started in the `sentinel` logcontext,
-and any time an awaitable yields control back to the reactor, it should reset the
-logcontext to be the `sentinel` logcontext. This is important to avoid leaking the
-current logcontext to the reactor (which would then get picked up and associated with
-the next thing the reactor does).
-
-
 ## Using logcontexts with awaitables

 Awaitables break the linear flow of code so that there is no longer a single entry point
--- a/docs/modules/media_repository_callbacks.md
+++ b/docs/modules/media_repository_callbacks.md
@@ -64,68 +64,3 @@ If multiple modules implement this callback, they will be considered in order. I
 returns `True`, Synapse falls through to the next one. The value of the first callback that
 returns `False` will be used. If this happens, Synapse will not call any of the subsequent
 implementations of this callback.
-
-### `get_media_upload_limits_for_user`
-
-_First introduced in Synapse v1.139.0_
-
-```python
-async def get_media_upload_limits_for_user(user_id: str, size: int) -> Optional[List[synapse.module_api.MediaUploadLimit]]
-```
-
-**<span style="color:red">
-Caution: This callback is currently experimental. The method signature or behaviour
-may change without notice.
-</span>**
-
-Called when processing a request to store content in the media repository. This can be used to dynamically override
-the [media upload limits configuration](../usage/configuration/config_documentation.html#media_upload_limits).
-
-The arguments passed to this callback are:
-
-* `user_id`: The Matrix user ID of the user (e.g. `@alice:example.com`) making the request.
-
-If the callback returns a list then it will be used as the limits instead of those in the configuration (if any).
-
-If an empty list is returned then no limits are applied (**warning:** users will be able
-to upload as much data as they desire).
-
-If multiple modules implement this callback, they will be considered in order. If a
-callback returns `None`, Synapse falls through to the next one. The value of the first
-callback that does not return `None` will be used. If this happens, Synapse will not call
-any of the subsequent implementations of this callback.
-
-If there are no registered modules, or if all modules return `None`, then
-the default
-[media upload limits configuration](../usage/configuration/config_documentation.html#media_upload_limits)
-will be used.
-
-### `on_media_upload_limit_exceeded`
-
-_First introduced in Synapse v1.139.0_
-
-```python
-async def on_media_upload_limit_exceeded(user_id: str, limit: synapse.module_api.MediaUploadLimit, sent_bytes: int, attempted_bytes: int) -> None
-```
-
-**<span style="color:red">
-Caution: This callback is currently experimental. The method signature or behaviour
-may change without notice.
-</span>**
-
-Called when a user attempts to upload media that would exceed a
-[configured media upload limit](../usage/configuration/config_documentation.html#media_upload_limits).
-
-This callback will only be called on workers which handle
-[POST /_matrix/media/v3/upload](https://spec.matrix.org/v1.15/client-server-api/#post_matrixmediav3upload)
-requests.
-
-This could be used to inform the user that they have reached a media upload limit through
-some external method.
-
-The arguments passed to this callback are:
-
-* `user_id`: The Matrix user ID of the user (e.g. `@alice:example.com`) making the request.
-* `limit`: The `synapse.module_api.MediaUploadLimit` representing the limit that was reached.
-* `sent_bytes`: The number of bytes already sent during the period of the limit.
-* `attempted_bytes`: The number of bytes that the user attempted to send.
--- a/docs/openid.md
+++ b/docs/openid.md
@@ -186,7 +186,6 @@ oidc_providers:
 4. Note the slug of your application, Client ID and Client Secret.

 Note: RSA keys must be used for signing for Authentik, ECC keys do not work.
-Note: The provider must have a signing key set and must not use an encryption key.

 Synapse config:
 ```yaml
@@ -205,12 +204,6 @@ oidc_providers:
      config:
        localpart_template: "{{ user.preferred_username }}"
        display_name_template: "{{ user.preferred_username|capitalize }}" # TO BE FILLED: If your users have names in Authentik and you want those in Synapse, this should be replaced with user.name|capitalize.
-[...]
-jwt_config:
-    enabled: true
-    secret: "your client secret" # TO BE FILLED (same as `client_secret` above)
-    algorithm: "RS256"
-    # (...other fields)
 ```

 ### Dex
--- a/docs/structured_logging.md
+++ b/docs/structured_logging.md
@@ -35,7 +35,7 @@ handlers:
 loggers:
    synapse:
        level: INFO
-        handlers: [file]
+        handlers: [remote]
    synapse.storage.SQL:
        level: WARNING
 ```
--- a/docs/upgrade.md
+++ b/docs/upgrade.md
@@ -117,29 +117,6 @@ each upgrade are complete before moving on to the next upgrade, to avoid
 stacking them up. You can monitor the currently running background updates with
 [the Admin API](usage/administration/admin_api/background_updates.html#status).

-# Upgrading to v1.139.0
-
-## Drop support for Ubuntu 24.10 Oracular Oriole, and add support for Ubuntu 25.04 Plucky Puffin
-
-Ubuntu 24.10 Oracular Oriole [has been end-of-life since 10 Jul
-2025](https://endoflife.date/ubuntu). This release drops support for Ubuntu
-24.10, and in its place adds support for Ubuntu 25.04 Plucky Puffin.
-
-## `/register` requests from old application service implementations may break when using MAS
-
-Application Services that do not set `inhibit_login=true` when calling `POST
-/_matrix/client/v3/register` will receive the error
-`IO.ELEMENT.MSC4190.M_APPSERVICE_LOGIN_UNSUPPORTED` in response. This is a
-result of [MSC4190: Device management for application
-services](https://github.com/matrix-org/matrix-spec-proposals/pull/4190) which
-adds new endpoints for application services to create encryption-ready devices
-with other than `/login` or `/register` without `inhibit_login=true`.
-
-If an application service you use starts to fail with the mentioned error,
-ensure it is up to date. If it is, then kindly let the author know that they
-need to update their implementation to call `/register` with
-`inhibit_login=true`.
-
 # Upgrading to v1.136.0

 ## Deprecate `run_as_background_process` exported as part of the module API interface in favor of `ModuleApi.run_as_background_process`
--- a/docs/usage/configuration/config_documentation.md
+++ b/docs/usage/configuration/config_documentation.md
@@ -2168,12 +2168,9 @@ max_upload_size: 60M
 ### `media_upload_limits`

 *(array)* A list of media upload limits defining how much data a given user can upload in a given time period.
-These limits are applied in addition to the `max_upload_size` limit above (which applies to individual uploads).

 An empty list means no limits are applied.

-These settings can be overridden using the `get_media_upload_limits_for_user` module API [callback](../../modules/media_repository_callbacks.md#get_media_upload_limits_for_user).
-
 Defaults to `[]`.

 Example configuration:
--- a/docs/workers.md
+++ b/docs/workers.md
@@ -252,7 +252,7 @@ information.
    ^/_matrix/client/(api/v1|r0|v3|unstable)/directory/room/.*$
    ^/_matrix/client/(r0|v3|unstable)/capabilities$
    ^/_matrix/client/(r0|v3|unstable)/notifications$
-    ^/_synapse/admin/v1/rooms/[^/]+$
+    ^/_synapse/admin/v1/rooms/

    # Encryption requests
    ^/_matrix/client/(r0|v3|unstable)/keys/query$
--- a/poetry.lock
+++ b/poetry.lock
@@ -34,15 +34,15 @@ tests-mypy = ["mypy (>=1.11.1) ; platform_python_implementation == \"CPython\" a

 [[package]]
 name = "authlib"
-version = "1.6.3"
+version = "1.6.1"
 description = "The ultimate Python library in building OAuth and OpenID Connect servers and clients."
 optional = true
 python-versions = ">=3.9"
 groups = ["main"]
 markers = "extra == \"all\" or extra == \"jwt\" or extra == \"oidc\""
 files = [
-    {file = "authlib-1.6.3-py2.py3-none-any.whl", hash = "sha256:7ea0f082edd95a03b7b72edac65ec7f8f68d703017d7e37573aee4fc603f2a48"},
-    {file = "authlib-1.6.3.tar.gz", hash = "sha256:9f7a982cc395de719e4c2215c5707e7ea690ecf84f1ab126f28c053f4219e610"},
+    {file = "authlib-1.6.1-py2.py3-none-any.whl", hash = "sha256:e9d2031c34c6309373ab845afc24168fe9e93dc52d252631f52642f21f5ed06e"},
+    {file = "authlib-1.6.1.tar.gz", hash = "sha256:4dffdbb1460ba6ec8c17981a4c67af7d8af131231b5a36a88a1e8c80c111cdfd"},
 ]

 [package.dependencies]
@@ -919,14 +919,14 @@ i18n = ["Babel (>=2.7)"]

 [[package]]
 name = "jsonschema"
-version = "4.25.1"
+version = "4.25.0"
 description = "An implementation of JSON Schema validation for Python"
 optional = false
 python-versions = ">=3.9"
 groups = ["main"]
 files = [
-    {file = "jsonschema-4.25.1-py3-none-any.whl", hash = "sha256:3fba0169e345c7175110351d456342c364814cfcf3b964ba4587f22915230a63"},
-    {file = "jsonschema-4.25.1.tar.gz", hash = "sha256:e4a9655ce0da0c0b67a085847e00a3a51449e1157f4f75e9fb5aa545e122eb85"},
+    {file = "jsonschema-4.25.0-py3-none-any.whl", hash = "sha256:24c2e8da302de79c8b9382fee3e76b355e44d2a4364bb207159ce10b517bd716"},
+    {file = "jsonschema-4.25.0.tar.gz", hash = "sha256:e63acf5c11762c0e6672ffb61482bdf57f0876684d8d249c0fe2d730d48bc55f"},
 ]

 [package.dependencies]
@@ -1531,14 +1531,14 @@ files = [

 [[package]]
 name = "phonenumbers"
-version = "9.0.13"
+version = "9.0.11"
 description = "Python version of Google's common library for parsing, formatting, storing and validating international phone numbers."
 optional = false
 python-versions = "*"
 groups = ["main"]
 files = [
-    {file = "phonenumbers-9.0.13-py2.py3-none-any.whl", hash = "sha256:b97661e177773e7509c6d503e0f537cd0af22aa3746231654590876eb9430915"},
-    {file = "phonenumbers-9.0.13.tar.gz", hash = "sha256:eca06e01382412c45316868f86a44bb217c02f9ee7196589041556a2f54a7639"},
+    {file = "phonenumbers-9.0.11-py2.py3-none-any.whl", hash = "sha256:a8ebb2136f1f14dfdbadb98be01cb71b96f880dea011eb5e0921967fe3a23abf"},
+    {file = "phonenumbers-9.0.11.tar.gz", hash = "sha256:6573858dcf0a7a2753a071375e154d9fc11791546c699b575af95d2ba7d84a1d"},
 ]

 [[package]]
@@ -1774,14 +1774,14 @@ files = [

 [[package]]
 name = "pydantic"
-version = "2.11.9"
+version = "2.11.7"
 description = "Data validation using Python type hints"
 optional = false
 python-versions = ">=3.9"
 groups = ["main", "dev"]
 files = [
-    {file = "pydantic-2.11.9-py3-none-any.whl", hash = "sha256:c42dd626f5cfc1c6950ce6205ea58c93efa406da65f479dcb4029d5934857da2"},
-    {file = "pydantic-2.11.9.tar.gz", hash = "sha256:6b8ffda597a14812a7975c90b82a8a2e777d9257aba3453f973acd3c032a18e2"},
+    {file = "pydantic-2.11.7-py3-none-any.whl", hash = "sha256:dde5df002701f6de26248661f6835bbe296a47bf73990135c7d07ce741b9623b"},
+    {file = "pydantic-2.11.7.tar.gz", hash = "sha256:d989c3c6cb79469287b1569f7447a17848c998458d49ebe294e975b9baf0f0db"},
 ]

 [package.dependencies]
@@ -2396,31 +2396,30 @@ files = [

 [[package]]
 name = "ruff"
-version = "0.12.10"
+version = "0.12.7"
 description = "An extremely fast Python linter and code formatter, written in Rust."
 optional = false
 python-versions = ">=3.7"
 groups = ["dev"]
 files = [
-    {file = "ruff-0.12.10-py3-none-linux_armv6l.whl", hash = "sha256:8b593cb0fb55cc8692dac7b06deb29afda78c721c7ccfed22db941201b7b8f7b"},
-    {file = "ruff-0.12.10-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:ebb7333a45d56efc7c110a46a69a1b32365d5c5161e7244aaf3aa20ce62399c1"},
-    {file = "ruff-0.12.10-py3-none-macosx_11_0_arm64.whl", hash = "sha256:d59e58586829f8e4a9920788f6efba97a13d1fa320b047814e8afede381c6839"},
-    {file = "ruff-0.12.10-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:822d9677b560f1fdeab69b89d1f444bf5459da4aa04e06e766cf0121771ab844"},
-    {file = "ruff-0.12.10-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:37b4a64f4062a50c75019c61c7017ff598cb444984b638511f48539d3a1c98db"},
-    {file = "ruff-0.12.10-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:2c6f4064c69d2542029b2a61d39920c85240c39837599d7f2e32e80d36401d6e"},
-    {file = "ruff-0.12.10-py3-none-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", hash = "sha256:059e863ea3a9ade41407ad71c1de2badfbe01539117f38f763ba42a1206f7559"},
-    {file = "ruff-0.12.10-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:1bef6161e297c68908b7218fa6e0e93e99a286e5ed9653d4be71e687dff101cf"},
-    {file = "ruff-0.12.10-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:4f1345fbf8fb0531cd722285b5f15af49b2932742fc96b633e883da8d841896b"},
-    {file = "ruff-0.12.10-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:1f68433c4fbc63efbfa3ba5db31727db229fa4e61000f452c540474b03de52a9"},
-    {file = "ruff-0.12.10-py3-none-manylinux_2_31_riscv64.whl", hash = "sha256:141ce3d88803c625257b8a6debf4a0473eb6eed9643a6189b68838b43e78165a"},
-    {file = "ruff-0.12.10-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:f3fc21178cd44c98142ae7590f42ddcb587b8e09a3b849cbc84edb62ee95de60"},
-    {file = "ruff-0.12.10-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:7d1a4e0bdfafcd2e3e235ecf50bf0176f74dd37902f241588ae1f6c827a36c56"},
-    {file = "ruff-0.12.10-py3-none-musllinux_1_2_i686.whl", hash = "sha256:e67d96827854f50b9e3e8327b031647e7bcc090dbe7bb11101a81a3a2cbf1cc9"},
-    {file = "ruff-0.12.10-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:ae479e1a18b439c59138f066ae79cc0f3ee250712a873d00dbafadaad9481e5b"},
-    {file = "ruff-0.12.10-py3-none-win32.whl", hash = "sha256:9de785e95dc2f09846c5e6e1d3a3d32ecd0b283a979898ad427a9be7be22b266"},
-    {file = "ruff-0.12.10-py3-none-win_amd64.whl", hash = "sha256:7837eca8787f076f67aba2ca559cefd9c5cbc3a9852fd66186f4201b87c1563e"},
-    {file = "ruff-0.12.10-py3-none-win_arm64.whl", hash = "sha256:cc138cc06ed9d4bfa9d667a65af7172b47840e1a98b02ce7011c391e54635ffc"},
-    {file = "ruff-0.12.10.tar.gz", hash = "sha256:189ab65149d11ea69a2d775343adf5f49bb2426fc4780f65ee33b423ad2e47f9"},
+    {file = "ruff-0.12.7-py3-none-linux_armv6l.whl", hash = "sha256:76e4f31529899b8c434c3c1dede98c4483b89590e15fb49f2d46183801565303"},
+    {file = "ruff-0.12.7-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:789b7a03e72507c54fb3ba6209e4bb36517b90f1a3569ea17084e3fd295500fb"},
+    {file = "ruff-0.12.7-py3-none-macosx_11_0_arm64.whl", hash = "sha256:2e1c2a3b8626339bb6369116e7030a4cf194ea48f49b64bb505732a7fce4f4e3"},
+    {file = "ruff-0.12.7-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:32dec41817623d388e645612ec70d5757a6d9c035f3744a52c7b195a57e03860"},
+    {file = "ruff-0.12.7-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:47ef751f722053a5df5fa48d412dbb54d41ab9b17875c6840a58ec63ff0c247c"},
+    {file = "ruff-0.12.7-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:a828a5fc25a3efd3e1ff7b241fd392686c9386f20e5ac90aa9234a5faa12c423"},
+    {file = "ruff-0.12.7-py3-none-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", hash = "sha256:5726f59b171111fa6a69d82aef48f00b56598b03a22f0f4170664ff4d8298efb"},
+    {file = "ruff-0.12.7-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:74e6f5c04c4dd4aba223f4fe6e7104f79e0eebf7d307e4f9b18c18362124bccd"},
+    {file = "ruff-0.12.7-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:5d0bfe4e77fba61bf2ccadf8cf005d6133e3ce08793bbe870dd1c734f2699a3e"},
+    {file = "ruff-0.12.7-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:06bfb01e1623bf7f59ea749a841da56f8f653d641bfd046edee32ede7ff6c606"},
+    {file = "ruff-0.12.7-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:e41df94a957d50083fd09b916d6e89e497246698c3f3d5c681c8b3e7b9bb4ac8"},
+    {file = "ruff-0.12.7-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:4000623300563c709458d0ce170c3d0d788c23a058912f28bbadc6f905d67afa"},
+    {file = "ruff-0.12.7-py3-none-musllinux_1_2_i686.whl", hash = "sha256:69ffe0e5f9b2cf2b8e289a3f8945b402a1b19eff24ec389f45f23c42a3dd6fb5"},
+    {file = "ruff-0.12.7-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:a07a5c8ffa2611a52732bdc67bf88e243abd84fe2d7f6daef3826b59abbfeda4"},
+    {file = "ruff-0.12.7-py3-none-win32.whl", hash = "sha256:c928f1b2ec59fb77dfdf70e0419408898b63998789cc98197e15f560b9e77f77"},
+    {file = "ruff-0.12.7-py3-none-win_amd64.whl", hash = "sha256:9c18f3d707ee9edf89da76131956aba1270c6348bfee8f6c647de841eac7194f"},
+    {file = "ruff-0.12.7-py3-none-win_arm64.whl", hash = "sha256:dfce05101dbd11833a0776716d5d1578641b7fddb537fe7fa956ab85d1769b69"},
+    {file = "ruff-0.12.7.tar.gz", hash = "sha256:1fc3193f238bc2d7968772c82831a4ff69252f673be371fb49663f0068b7ec71"},
 ]

 [[package]]
@@ -2747,14 +2746,14 @@ files = [

 [[package]]
 name = "towncrier"
-version = "25.8.0"
+version = "24.8.0"
 description = "Building newsfiles for your project."
 optional = false
-python-versions = ">=3.9"
+python-versions = ">=3.8"
 groups = ["dev"]
 files = [
-    {file = "towncrier-25.8.0-py3-none-any.whl", hash = "sha256:b953d133d98f9aeae9084b56a3563fd2519dfc6ec33f61c9cd2c61ff243fb513"},
-    {file = "towncrier-25.8.0.tar.gz", hash = "sha256:eef16d29f831ad57abb3ae32a0565739866219f1ebfbdd297d32894eb9940eb1"},
+    {file = "towncrier-24.8.0-py3-none-any.whl", hash = "sha256:9343209592b839209cdf28c339ba45792fbfe9775b5f9c177462fd693e127d8d"},
+    {file = "towncrier-24.8.0.tar.gz", hash = "sha256:013423ee7eed102b2f393c287d22d95f66f1a3ea10a4baa82d298001a7f18af3"},
 ]

 [package.dependencies]
@@ -2878,14 +2877,14 @@ twisted = "*"

 [[package]]
 name = "types-bleach"
-version = "6.2.0.20250809"
+version = "6.2.0.20250514"
 description = "Typing stubs for bleach"
 optional = false
 python-versions = ">=3.9"
 groups = ["dev"]
 files = [
-    {file = "types_bleach-6.2.0.20250809-py3-none-any.whl", hash = "sha256:0b372a75117947d9ac8a31ae733fd0f8d92ec75c4772e7b37093ba3fa5b48fb9"},
-    {file = "types_bleach-6.2.0.20250809.tar.gz", hash = "sha256:188d7a1119f6c953140b513ed57ba4213755695815472c19d0c22ac09c79b90b"},
+    {file = "types_bleach-6.2.0.20250514-py3-none-any.whl", hash = "sha256:380cb74f0db1e3c3b2e0cde217221108e975e07e95ef0970c9d41f7cd4e8ea3c"},
+    {file = "types_bleach-6.2.0.20250514.tar.gz", hash = "sha256:38c2e51d9cac51dc70c1b66121a11f4dad8bbf47fbad494bb7a77d8b8f3c4323"},
 ]

 [package.dependencies]
@@ -2920,14 +2919,14 @@ files = [

 [[package]]
 name = "types-jsonschema"
-version = "4.25.1.20250822"
+version = "4.25.0.20250720"
 description = "Typing stubs for jsonschema"
 optional = false
 python-versions = ">=3.9"
 groups = ["dev"]
 files = [
-    {file = "types_jsonschema-4.25.1.20250822-py3-none-any.whl", hash = "sha256:f82c2d7fa1ce1c0b84ba1de4ed6798469768188884db04e66421913a4e181294"},
-    {file = "types_jsonschema-4.25.1.20250822.tar.gz", hash = "sha256:aac69ed4b23f49aaceb7fcb834141d61b9e4e6a7f6008cb2f0d3b831dfa8464a"},
+    {file = "types_jsonschema-4.25.0.20250720-py3-none-any.whl", hash = "sha256:7d7897c715310d8bf9ae27a2cedba78bbb09e4cad83ce06d2aa79b73a88941df"},
+    {file = "types_jsonschema-4.25.0.20250720.tar.gz", hash = "sha256:765a3b6144798fe3161fd8cbe570a756ed3e8c0e5adb7c09693eb49faad39dbd"},
 ]

 [package.dependencies]
@@ -2971,14 +2970,14 @@ files = [

 [[package]]
 name = "types-psycopg2"
-version = "2.9.21.20250915"
+version = "2.9.21.20250718"
 description = "Typing stubs for psycopg2"
 optional = false
 python-versions = ">=3.9"
 groups = ["dev"]
 files = [
-    {file = "types_psycopg2-2.9.21.20250915-py3-none-any.whl", hash = "sha256:eefe5ccdc693fc086146e84c9ba437bb278efe1ef330b299a0cb71169dc6c55f"},
-    {file = "types_psycopg2-2.9.21.20250915.tar.gz", hash = "sha256:bfeb8f54c32490e7b5edc46215ab4163693192bc90407b4a023822de9239f5c8"},
+    {file = "types_psycopg2-2.9.21.20250718-py3-none-any.whl", hash = "sha256:bcf085d4293bda48f5943a46dadf0389b2f98f7e8007722f7e1c12ee0f541858"},
+    {file = "types_psycopg2-2.9.21.20250718.tar.gz", hash = "sha256:dc09a97272ef67e739e57b9f4740b761208f4514257e311c0b05c8c7a37d04b4"},
 ]

 [[package]]
@@ -3011,14 +3010,14 @@ files = [

 [[package]]
 name = "types-requests"
-version = "2.32.4.20250809"
+version = "2.32.4.20250611"
 description = "Typing stubs for requests"
 optional = false
 python-versions = ">=3.9"
 groups = ["dev"]
 files = [
-    {file = "types_requests-2.32.4.20250809-py3-none-any.whl", hash = "sha256:f73d1832fb519ece02c85b1f09d5f0dd3108938e7d47e7f94bbfa18a6782b163"},
-    {file = "types_requests-2.32.4.20250809.tar.gz", hash = "sha256:d8060de1c8ee599311f56ff58010fb4902f462a1470802cf9f6ed27bc46c4df3"},
+    {file = "types_requests-2.32.4.20250611-py3-none-any.whl", hash = "sha256:ad2fe5d3b0cb3c2c902c8815a70e7fb2302c4b8c1f77bdcd738192cdb3878072"},
+    {file = "types_requests-2.32.4.20250611.tar.gz", hash = "sha256:741c8777ed6425830bf51e54d6abe245f79b4dcb9019f1622b773463946bf826"},
 ]

 [package.dependencies]
@@ -3026,14 +3025,14 @@ urllib3 = ">=2"

 [[package]]
 name = "types-setuptools"
-version = "80.9.0.20250822"
+version = "80.9.0.20250809"
 description = "Typing stubs for setuptools"
 optional = false
 python-versions = ">=3.9"
 groups = ["dev"]
 files = [
-    {file = "types_setuptools-80.9.0.20250822-py3-none-any.whl", hash = "sha256:53bf881cb9d7e46ed12c76ef76c0aaf28cfe6211d3fab12e0b83620b1a8642c3"},
-    {file = "types_setuptools-80.9.0.20250822.tar.gz", hash = "sha256:070ea7716968ec67a84c7f7768d9952ff24d28b65b6594797a464f1b3066f965"},
+    {file = "types_setuptools-80.9.0.20250809-py3-none-any.whl", hash = "sha256:7c6539b4c7ac7b4ab4db2be66d8a58fb1e28affa3ee3834be48acafd94f5976a"},
+    {file = "types_setuptools-80.9.0.20250809.tar.gz", hash = "sha256:e986ba37ffde364073d76189e1d79d9928fb6f5278c7d07589cde353d0218864"},
 ]

 [[package]]
@@ -3256,4 +3255,4 @@ url-preview = ["lxml"]
 [metadata]
 lock-version = "2.1"
 python-versions = "^3.9.0"
-content-hash = "2e8ea085e1a0c6f0ac051d4bc457a96827d01f621b1827086de01a5ffa98cf79"
+content-hash = "600a349d08dde732df251583094a121b5385eb43ae0c6ceff10dcf9749359446"
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -101,7 +101,7 @@ module-name = "synapse.synapse_rust"

 [tool.poetry]
 name = "matrix-synapse"
-version = "1.139.2"
+version = "1.137.0rc1"
 description = "Homeserver for the Matrix decentralised comms protocol"
 authors = ["Matrix.org Team and Contributors <packages@matrix.org>"]
 license = "AGPL-3.0-or-later"
@@ -324,7 +324,7 @@ all = [
 # failing on new releases. Keeping lower bounds loose here means that dependabot
 # can bump versions without having to update the content-hash in the lockfile.
 # This helps prevents merge conflicts when running a batch of dependabot updates.
-ruff = "0.12.10"
+ruff = "0.12.7"
 # Type checking only works with the pydantic.v1 compat module from pydantic v2
 pydantic = "^2"

--- a/rust/src/push/base_rules.rs
+++ b/rust/src/push/base_rules.rs
@@ -289,10 +289,10 @@ pub const BASE_APPEND_CONTENT_RULES: &[PushRule] = &[PushRule {
    default_enabled: true,
 }];

-pub const BASE_APPEND_POSTCONTENT_RULES: &[PushRule] = &[
+pub const BASE_APPEND_UNDERRIDE_RULES: &[PushRule] = &[
    PushRule {
-        rule_id: Cow::Borrowed("global/postcontent/.io.element.msc4306.rule.unsubscribed_thread"),
-        priority_class: 6,
+        rule_id: Cow::Borrowed("global/content/.io.element.msc4306.rule.unsubscribed_thread"),
+        priority_class: 1,
        conditions: Cow::Borrowed(&[Condition::Known(
            KnownCondition::Msc4306ThreadSubscription { subscribed: false },
        )]),
@@ -301,8 +301,8 @@ pub const BASE_APPEND_POSTCONTENT_RULES: &[PushRule] = &[
        default_enabled: true,
    },
    PushRule {
-        rule_id: Cow::Borrowed("global/postcontent/.io.element.msc4306.rule.subscribed_thread"),
-        priority_class: 6,
+        rule_id: Cow::Borrowed("global/content/.io.element.msc4306.rule.subscribed_thread"),
+        priority_class: 1,
        conditions: Cow::Borrowed(&[Condition::Known(
            KnownCondition::Msc4306ThreadSubscription { subscribed: true },
        )]),
@@ -310,9 +310,6 @@ pub const BASE_APPEND_POSTCONTENT_RULES: &[PushRule] = &[
        default: true,
        default_enabled: true,
    },
-];
-
-pub const BASE_APPEND_UNDERRIDE_RULES: &[PushRule] = &[
    PushRule {
        rule_id: Cow::Borrowed("global/underride/.m.rule.call"),
        priority_class: 1,
@@ -729,7 +726,6 @@ lazy_static! {
            .iter()
            .chain(BASE_APPEND_OVERRIDE_RULES.iter())
            .chain(BASE_APPEND_CONTENT_RULES.iter())
-            .chain(BASE_APPEND_POSTCONTENT_RULES.iter())
            .chain(BASE_APPEND_UNDERRIDE_RULES.iter())
            .map(|rule| { (&*rule.rule_id, rule) })
            .collect();
--- a/rust/src/push/mod.rs
+++ b/rust/src/push/mod.rs
@@ -527,7 +527,6 @@ impl PushRules {
            .chain(base_rules::BASE_APPEND_OVERRIDE_RULES.iter())
            .chain(self.content.iter())
            .chain(base_rules::BASE_APPEND_CONTENT_RULES.iter())
-            .chain(base_rules::BASE_APPEND_POSTCONTENT_RULES.iter())
            .chain(self.room.iter())
            .chain(self.sender.iter())
            .chain(self.underride.iter())
--- a/schema/synapse-config.schema.yaml
+++ b/schema/synapse-config.schema.yaml
@@ -1,5 +1,5 @@
 $schema: https://element-hq.github.io/synapse/latest/schema/v1/meta.schema.json
-$id: https://element-hq.github.io/synapse/schema/synapse/v1.139/synapse-config.schema.json
+$id: https://element-hq.github.io/synapse/schema/synapse/v1.137/synapse-config.schema.json
 type: object
 properties:
  modules:
@@ -2415,15 +2415,8 @@ properties:
      A list of media upload limits defining how much data a given user can
      upload in a given time period.

-      These limits are applied in addition to the `max_upload_size` limit above
-      (which applies to individual uploads).
-

      An empty list means no limits are applied.
-
-
-      These settings can be overridden using the `get_media_upload_limits_for_user`
-      module API [callback](../../modules/media_repository_callbacks.md#get_media_upload_limits_for_user).
    default: []
    items:
      time_period:
--- a/scripts-dev/build_debian_packages.py
+++ b/scripts-dev/build_debian_packages.py
@@ -32,7 +32,7 @@ DISTS = (
    "debian:sid",  # (rolling distro, no EOL)
    "ubuntu:jammy",  # 22.04 LTS (EOL 2027-04) (our EOL forced by Python 3.10 is 2026-10-04)
    "ubuntu:noble",  # 24.04 LTS (EOL 2029-06)
-    "ubuntu:plucky",  # 25.04 (EOL 2026-01)
+    "ubuntu:oracular",  # 24.10 (EOL 2025-07)
    "debian:trixie",  # (EOL not specified yet)
 )

--- a/scripts-dev/complement.sh
+++ b/scripts-dev/complement.sh
@@ -230,7 +230,6 @@ test_packages=(
    ./tests/msc3967
    ./tests/msc4140
    ./tests/msc4155
-    ./tests/msc4306
 )

 # Enable dirty runs, so tests will reuse the same container where possible.
--- a/scripts-dev/mypy_synapse_plugin.py
+++ b/scripts-dev/mypy_synapse_plugin.py
@@ -68,18 +68,6 @@ PROMETHEUS_METRIC_MISSING_FROM_LIST_TO_CHECK = ErrorCode(
    category="per-homeserver-tenant-metrics",
 )

-PREFER_SYNAPSE_CLOCK_CALL_WHEN_RUNNING = ErrorCode(
-    "prefer-synapse-clock-call-when-running",
-    "`synapse.util.Clock.call_when_running` should be used instead of `reactor.callWhenRunning`",
-    category="synapse-reactor-clock",
-)
-
-PREFER_SYNAPSE_CLOCK_ADD_SYSTEM_EVENT_TRIGGER = ErrorCode(
-    "prefer-synapse-clock-add-system-event-trigger",
-    "`synapse.util.Clock.add_system_event_trigger` should be used instead of `reactor.addSystemEventTrigger`",
-    category="synapse-reactor-clock",
-)
-

 class Sentinel(enum.Enum):
    # defining a sentinel in this way allows mypy to correctly handle the
@@ -241,77 +229,9 @@ class SynapsePlugin(Plugin):
        ):
            return check_is_cacheable_wrapper

-        if fullname in (
-            "twisted.internet.interfaces.IReactorCore.callWhenRunning",
-            "synapse.types.ISynapseThreadlessReactor.callWhenRunning",
-            "synapse.types.ISynapseReactor.callWhenRunning",
-        ):
-            return check_call_when_running
-
-        if fullname in (
-            "twisted.internet.interfaces.IReactorCore.addSystemEventTrigger",
-            "synapse.types.ISynapseThreadlessReactor.addSystemEventTrigger",
-            "synapse.types.ISynapseReactor.addSystemEventTrigger",
-        ):
-            return check_add_system_event_trigger
-
        return None


-def check_call_when_running(ctx: MethodSigContext) -> CallableType:
-    """
-    Ensure that the `reactor.callWhenRunning` callsites aren't used.
-
-    `synapse.util.Clock.call_when_running` should always be used instead of
-    `reactor.callWhenRunning`.
-
-    Since `reactor.callWhenRunning` is a reactor callback, the callback will start out
-    with the sentinel logcontext. `synapse.util.Clock` starts a default logcontext as we
-    want to know which server the logs came from.
-
-    Args:
-        ctx: The `FunctionSigContext` from mypy.
-    """
-    signature: CallableType = ctx.default_signature
-    ctx.api.fail(
-        (
-            "Expected all `reactor.callWhenRunning` calls to use `synapse.util.Clock.call_when_running` instead. "
-            "This is so all Synapse code runs with a logcontext as we want to know which server the logs came from."
-        ),
-        ctx.context,
-        code=PREFER_SYNAPSE_CLOCK_CALL_WHEN_RUNNING,
-    )
-
-    return signature
-
-
-def check_add_system_event_trigger(ctx: MethodSigContext) -> CallableType:
-    """
-    Ensure that the `reactor.addSystemEventTrigger` callsites aren't used.
-
-    `synapse.util.Clock.add_system_event_trigger` should always be used instead of
-    `reactor.addSystemEventTrigger`.
-
-    Since `reactor.addSystemEventTrigger` is a reactor callback, the callback will start out
-    with the sentinel logcontext. `synapse.util.Clock` starts a default logcontext as we
-    want to know which server the logs came from.
-
-    Args:
-        ctx: The `FunctionSigContext` from mypy.
-    """
-    signature: CallableType = ctx.default_signature
-    ctx.api.fail(
-        (
-            "Expected all `reactor.addSystemEventTrigger` calls to use `synapse.util.Clock.add_system_event_trigger` instead. "
-            "This is so all Synapse code runs with a logcontext as we want to know which server the logs came from."
-        ),
-        ctx.context,
-        code=PREFER_SYNAPSE_CLOCK_ADD_SYSTEM_EVENT_TRIGGER,
-    )
-
-    return signature
-
-
 def analyze_prometheus_metric_classes(ctx: ClassDefContext) -> None:
    """
    Cross-check the list of Prometheus metric classes against the
--- a/scripts-dev/sign_json.py
+++ b/scripts-dev/sign_json.py
@@ -30,7 +30,7 @@ from signedjson.sign import sign_json

 from synapse.api.room_versions import KNOWN_ROOM_VERSIONS
 from synapse.crypto.event_signing import add_hashes_and_signatures
-from synapse.util.json import json_encoder
+from synapse.util import json_encoder


 def main() -> None:
--- a/synapse/_scripts/generate_workers_map.py
+++ b/synapse/_scripts/generate_workers_map.py
@@ -153,13 +153,9 @@ def get_registered_paths_for_default(
    """

    hs = MockHomeserver(base_config, worker_app)
-
    # TODO We only do this to avoid an error, but don't need the database etc
    hs.setup()
-    registered_paths = get_registered_paths_for_hs(hs)
-    hs.cleanup()
-
-    return registered_paths
+    return get_registered_paths_for_hs(hs)


 def elide_http_methods_if_unconflicting(
--- a/synapse/_scripts/synapse_port_db.py
+++ b/synapse/_scripts/synapse_port_db.py
@@ -54,11 +54,11 @@ from twisted.internet import defer, reactor as reactor_
 from synapse.config.database import DatabaseConnectionConfig
 from synapse.config.homeserver import HomeServerConfig
 from synapse.logging.context import (
+    LoggingContext,
    make_deferred_yieldable,
    run_in_background,
 )
-from synapse.server import HomeServer
-from synapse.storage import DataStore
+from synapse.notifier import ReplicationNotifier
 from synapse.storage.database import DatabasePool, LoggingTransaction, make_conn
 from synapse.storage.databases.main import FilteringWorkerStore
 from synapse.storage.databases.main.account_data import AccountDataWorkerStore
@@ -98,7 +98,7 @@ from synapse.storage.databases.state.bg_updates import StateBackgroundUpdateStor
 from synapse.storage.engines import create_engine
 from synapse.storage.prepare_database import prepare_database
 from synapse.types import ISynapseReactor
-from synapse.util import SYNAPSE_VERSION
+from synapse.util import SYNAPSE_VERSION, Clock

 # Cast safety: Twisted does some naughty magic which replaces the
 # twisted.internet.reactor module with a Reactor instance at runtime.
@@ -317,16 +317,27 @@ class Store(
        )


-class MockHomeserver(HomeServer):
-    DATASTORE_CLASS = DataStore
-
+class MockHomeserver:
    def __init__(self, config: HomeServerConfig):
-        super().__init__(
-            hostname=config.server.server_name,
-            config=config,
-            reactor=reactor,
-            version_string=f"Synapse/{SYNAPSE_VERSION}",
-        )
+        self.clock = Clock(reactor)
+        self.config = config
+        self.hostname = config.server.server_name
+        self.version_string = SYNAPSE_VERSION
+
+    def get_clock(self) -> Clock:
+        return self.clock
+
+    def get_reactor(self) -> ISynapseReactor:
+        return reactor
+
+    def get_instance_name(self) -> str:
+        return "master"
+
+    def should_send_federation(self) -> bool:
+        return False
+
+    def get_replication_notifier(self) -> ReplicationNotifier:
+        return ReplicationNotifier()


 class Porter:
@@ -335,12 +346,12 @@ class Porter:
        sqlite_config: Dict[str, Any],
        progress: "Progress",
        batch_size: int,
-        hs: HomeServer,
+        hs_config: HomeServerConfig,
    ):
        self.sqlite_config = sqlite_config
        self.progress = progress
        self.batch_size = batch_size
-        self.hs = hs
+        self.hs_config = hs_config

    async def setup_table(self, table: str) -> Tuple[str, int, int, int, int]:
        if table in APPEND_ONLY_TABLES:
@@ -660,7 +671,8 @@ class Porter:

        engine = create_engine(db_config.config)

-        server_name = self.hs.hostname
+        hs = MockHomeserver(self.hs_config)
+        server_name = hs.hostname

        with make_conn(
            db_config=db_config,
@@ -671,17 +683,9 @@ class Porter:
            engine.check_database(
                db_conn, allow_outdated_version=allow_outdated_version
            )
-            prepare_database(db_conn, engine, config=self.hs.config)
+            prepare_database(db_conn, engine, config=self.hs_config)
            # Type safety: ignore that we're using Mock homeservers here.
-            store = Store(
-                DatabasePool(
-                    self.hs,
-                    db_config,
-                    engine,
-                ),
-                db_conn,
-                self.hs,
-            )
+            store = Store(DatabasePool(hs, db_config, engine), db_conn, hs)  # type: ignore[arg-type]
            db_conn.commit()

        return store
@@ -778,7 +782,7 @@ class Porter:
                return

            self.postgres_store = self.build_db_store(
-                self.hs.config.database.get_single_database()
+                self.hs_config.database.get_single_database()
            )

            await self.remove_ignored_background_updates_from_database()
@@ -1567,8 +1571,6 @@ def main() -> None:
    config = HomeServerConfig()
    config.parse_config_dict(hs_config, "", "")

-    hs = MockHomeserver(config)
-
    def start(stdscr: Optional["curses.window"] = None) -> None:
        progress: Progress
        if stdscr:
@@ -1580,14 +1582,15 @@ def main() -> None:
            sqlite_config=sqlite_config,
            progress=progress,
            batch_size=args.batch_size,
-            hs=hs,
+            hs_config=config,
        )

        @defer.inlineCallbacks
        def run() -> Generator["defer.Deferred[Any]", Any, None]:
-            yield defer.ensureDeferred(porter.run())
+            with LoggingContext("synapse_port_db_run"):
+                yield defer.ensureDeferred(porter.run())

-        hs.get_clock().call_when_running(run)
+        reactor.callWhenRunning(run)

        reactor.run()

--- a/synapse/_scripts/update_synapse_database.py
+++ b/synapse/_scripts/update_synapse_database.py
@@ -74,7 +74,7 @@ def run_background_updates(hs: HomeServer) -> None:
            )
        )

-    hs.get_clock().call_when_running(run)
+    reactor.callWhenRunning(run)

    reactor.run()

@@ -120,13 +120,6 @@ def main() -> None:
    # DB.
    hs.setup()

-    # This will cause all of the relevant storage classes to be instantiated and call
-    # `register_background_update_handler(...)`,
-    # `register_background_index_update(...)`,
-    # `register_background_validate_constraint(...)`, etc so they are available to use
-    # if we are asked to run those background updates.
-    hs.get_storage_controllers()
-
    if args.run_background_updates:
        run_background_updates(hs)

--- a/synapse/api/auth/mas.py
+++ b/synapse/api/auth/mas.py
@@ -13,7 +13,7 @@
 #
 #
 import logging
-from typing import TYPE_CHECKING, Optional, Set
+from typing import TYPE_CHECKING, Optional
 from urllib.parse import urlencode

 from synapse._pydantic_compat import (
@@ -43,9 +43,9 @@ from synapse.logging.opentracing import (
 from synapse.metrics import SERVER_NAME_LABEL
 from synapse.synapse_rust.http_client import HttpClient
 from synapse.types import JsonDict, Requester, UserID, create_requester
+from synapse.util import json_decoder
 from synapse.util.caches.cached_call import RetryOnExceptionCachedCall
 from synapse.util.caches.response_cache import ResponseCache, ResponseCacheContext
-from synapse.util.json import json_decoder

 from . import introspection_response_timer

@@ -57,10 +57,8 @@ logger = logging.getLogger(__name__)

 # Scope as defined by MSC2967
 # https://github.com/matrix-org/matrix-spec-proposals/pull/2967
-UNSTABLE_SCOPE_MATRIX_API = "urn:matrix:org.matrix.msc2967.client:api:*"
-UNSTABLE_SCOPE_MATRIX_DEVICE_PREFIX = "urn:matrix:org.matrix.msc2967.client:device:"
-STABLE_SCOPE_MATRIX_API = "urn:matrix:client:api:*"
-STABLE_SCOPE_MATRIX_DEVICE_PREFIX = "urn:matrix:client:device:"
+SCOPE_MATRIX_API = "urn:matrix:org.matrix.msc2967.client:api:*"
+SCOPE_MATRIX_DEVICE_PREFIX = "urn:matrix:org.matrix.msc2967.client:device:"


 class ServerMetadata(BaseModel):
@@ -336,10 +334,7 @@ class MasDelegatedAuth(BaseAuth):
        scope = introspection_result.get_scope_set()

        # Determine type of user based on presence of particular scopes
-        if (
-            UNSTABLE_SCOPE_MATRIX_API not in scope
-            and STABLE_SCOPE_MATRIX_API not in scope
-        ):
+        if SCOPE_MATRIX_API not in scope:
            raise InvalidClientTokenError(
                "Token doesn't grant access to the Matrix C-S API"
            )
@@ -371,12 +366,11 @@ class MasDelegatedAuth(BaseAuth):
            # We only allow a single device_id in the scope, so we find them all in the
            # scope list, and raise if there are more than one. The OIDC server should be
            # the one enforcing valid scopes, so we raise a 500 if we find an invalid scope.
-            device_ids: Set[str] = set()
-            for tok in scope:
-                if tok.startswith(UNSTABLE_SCOPE_MATRIX_DEVICE_PREFIX):
-                    device_ids.add(tok[len(UNSTABLE_SCOPE_MATRIX_DEVICE_PREFIX) :])
-                elif tok.startswith(STABLE_SCOPE_MATRIX_DEVICE_PREFIX):
-                    device_ids.add(tok[len(STABLE_SCOPE_MATRIX_DEVICE_PREFIX) :])
+            device_ids = [
+                tok[len(SCOPE_MATRIX_DEVICE_PREFIX) :]
+                for tok in scope
+                if tok.startswith(SCOPE_MATRIX_DEVICE_PREFIX)
+            ]

            if len(device_ids) > 1:
                raise AuthError(
@@ -384,7 +378,7 @@ class MasDelegatedAuth(BaseAuth):
                    "Multiple device IDs in scope",
                )

-            device_id = next(iter(device_ids), None)
+            device_id = device_ids[0] if device_ids else None

        if device_id is not None:
            # Sanity check the device_id
--- a/synapse/api/auth/msc3861_delegated.py
+++ b/synapse/api/auth/msc3861_delegated.py
@@ -20,7 +20,7 @@
 #
 import logging
 from dataclasses import dataclass
-from typing import TYPE_CHECKING, Any, Callable, Dict, List, Optional, Set
+from typing import TYPE_CHECKING, Any, Callable, Dict, List, Optional
 from urllib.parse import urlencode

 from authlib.oauth2 import ClientAuth
@@ -34,6 +34,7 @@ from synapse.api.errors import (
    AuthError,
    HttpResponseException,
    InvalidClientTokenError,
+    OAuthInsufficientScopeError,
    SynapseError,
    UnrecognizedRequestError,
 )
@@ -48,9 +49,9 @@ from synapse.logging.opentracing import (
 from synapse.metrics import SERVER_NAME_LABEL
 from synapse.synapse_rust.http_client import HttpClient
 from synapse.types import Requester, UserID, create_requester
+from synapse.util import json_decoder
 from synapse.util.caches.cached_call import RetryOnExceptionCachedCall
 from synapse.util.caches.response_cache import ResponseCache, ResponseCacheContext
-from synapse.util.json import json_decoder

 from . import introspection_response_timer

@@ -62,10 +63,9 @@ logger = logging.getLogger(__name__)

 # Scope as defined by MSC2967
 # https://github.com/matrix-org/matrix-spec-proposals/pull/2967
-UNSTABLE_SCOPE_MATRIX_API = "urn:matrix:org.matrix.msc2967.client:api:*"
-UNSTABLE_SCOPE_MATRIX_DEVICE_PREFIX = "urn:matrix:org.matrix.msc2967.client:device:"
-STABLE_SCOPE_MATRIX_API = "urn:matrix:client:api:*"
-STABLE_SCOPE_MATRIX_DEVICE_PREFIX = "urn:matrix:client:device:"
+SCOPE_MATRIX_API = "urn:matrix:org.matrix.msc2967.client:api:*"
+SCOPE_MATRIX_GUEST = "urn:matrix:org.matrix.msc2967.client:api:guest"
+SCOPE_MATRIX_DEVICE_PREFIX = "urn:matrix:org.matrix.msc2967.client:device:"

 # Scope which allows access to the Synapse admin API
 SCOPE_SYNAPSE_ADMIN = "urn:synapse:admin:*"
@@ -444,6 +444,9 @@ class MSC3861DelegatedAuth(BaseAuth):
        if not self._is_access_token_the_admin_token(access_token):
            await self._record_request(request, requester)

+        if not allow_guest and requester.is_guest:
+            raise OAuthInsufficientScopeError([SCOPE_MATRIX_API])
+
        request.requester = requester

        return requester
@@ -525,11 +528,10 @@ class MSC3861DelegatedAuth(BaseAuth):
        scope: List[str] = introspection_result.get_scope_list()

        # Determine type of user based on presence of particular scopes
-        has_user_scope = (
-            UNSTABLE_SCOPE_MATRIX_API in scope or STABLE_SCOPE_MATRIX_API in scope
-        )
+        has_user_scope = SCOPE_MATRIX_API in scope
+        has_guest_scope = SCOPE_MATRIX_GUEST in scope

-        if not has_user_scope:
+        if not has_user_scope and not has_guest_scope:
            raise InvalidClientTokenError("No scope in token granting user rights")

        # Match via the sub claim
@@ -577,12 +579,11 @@ class MSC3861DelegatedAuth(BaseAuth):
            # We only allow a single device_id in the scope, so we find them all in the
            # scope list, and raise if there are more than one. The OIDC server should be
            # the one enforcing valid scopes, so we raise a 500 if we find an invalid scope.
-            device_ids: Set[str] = set()
-            for tok in scope:
-                if tok.startswith(UNSTABLE_SCOPE_MATRIX_DEVICE_PREFIX):
-                    device_ids.add(tok[len(UNSTABLE_SCOPE_MATRIX_DEVICE_PREFIX) :])
-                elif tok.startswith(STABLE_SCOPE_MATRIX_DEVICE_PREFIX):
-                    device_ids.add(tok[len(STABLE_SCOPE_MATRIX_DEVICE_PREFIX) :])
+            device_ids = [
+                tok[len(SCOPE_MATRIX_DEVICE_PREFIX) :]
+                for tok in scope
+                if tok.startswith(SCOPE_MATRIX_DEVICE_PREFIX)
+            ]

            if len(device_ids) > 1:
                raise AuthError(
@@ -590,7 +591,7 @@ class MSC3861DelegatedAuth(BaseAuth):
                    "Multiple device IDs in scope",
                )

-            device_id = next(iter(device_ids), None)
+            device_id = device_ids[0] if device_ids else None

        if device_id is not None:
            # Sanity check the device_id
@@ -616,4 +617,5 @@ class MSC3861DelegatedAuth(BaseAuth):
            user_id=user_id,
            device_id=device_id,
            scope=scope,
+            is_guest=(has_guest_scope and not has_user_scope),
        )
--- a/synapse/api/errors.py
+++ b/synapse/api/errors.py
@@ -30,7 +30,7 @@ from typing import Any, Dict, List, Optional, Union

 from twisted.web import http

-from synapse.util.json import json_decoder
+from synapse.util import json_decoder

 if typing.TYPE_CHECKING:
    from synapse.config.homeserver import HomeServerConfig
@@ -140,9 +140,6 @@ class Codes(str, Enum):
    # Part of MSC4155
    INVITE_BLOCKED = "ORG.MATRIX.MSC4155.M_INVITE_BLOCKED"

-    # Part of MSC4190
-    APPSERVICE_LOGIN_UNSUPPORTED = "IO.ELEMENT.MSC4190.M_APPSERVICE_LOGIN_UNSUPPORTED"
-
    # Part of MSC4306: Thread Subscriptions
    MSC4306_CONFLICTING_UNSUBSCRIPTION = (
        "IO.ELEMENT.MSC4306.M_CONFLICTING_UNSUBSCRIPTION"
--- a/synapse/api/ratelimiting.py
+++ b/synapse/api/ratelimiting.py
@@ -26,7 +26,7 @@ from synapse.api.errors import LimitExceededError
 from synapse.config.ratelimiting import RatelimitSettings
 from synapse.storage.databases.main import DataStore
 from synapse.types import Requester
-from synapse.util.clock import Clock
+from synapse.util import Clock

 if TYPE_CHECKING:
    # To avoid circular imports:
--- a/synapse/api/urls.py
+++ b/synapse/api/urls.py
@@ -22,7 +22,6 @@
 """Contains the URL paths to prefix various aspects of the server with."""

 import hmac
-import urllib.parse
 from hashlib import sha256
 from typing import Optional
 from urllib.parse import urlencode, urljoin
@@ -97,21 +96,11 @@ class LoginSSORedirectURIBuilder:
        serialized_query_parameters = urlencode({"redirectUrl": client_redirect_url})

        if idp_id:
-            # Since this is a user-controlled string, make it safe to include in a URL path.
-            url_encoded_idp_id = urllib.parse.quote(
-                idp_id,
-                # Since this defaults to `safe="/"`, we have to override it. We're
-                # working with an individual URL path parameter so there shouldn't be
-                # any slashes in it which could change the request path.
-                safe="",
-                encoding="utf8",
-            )
-
            resultant_url = urljoin(
                # We have to add a trailing slash to the base URL to ensure that the
                # last path segment is not stripped away when joining with another path.
                f"{base_url}/",
-                f"{url_encoded_idp_id}?{serialized_query_parameters}",
+                f"{idp_id}?{serialized_query_parameters}",
            )
        else:
            resultant_url = f"{base_url}?{serialized_query_parameters}"
--- a/synapse/app/_base.py
+++ b/synapse/app/_base.py
@@ -72,7 +72,7 @@ from synapse.events.auto_accept_invites import InviteAutoAccepter
 from synapse.events.presence_router import load_legacy_presence_router
 from synapse.handlers.auth import load_legacy_password_auth_providers
 from synapse.http.site import SynapseSite
-from synapse.logging.context import LoggingContext, PreserveLoggingContext
+from synapse.logging.context import PreserveLoggingContext
 from synapse.logging.opentracing import init_tracer
 from synapse.metrics import install_gc_manager, register_threadpool
 from synapse.metrics.background_process_metrics import run_as_background_process
@@ -183,23 +183,25 @@ def start_reactor(
        if gc_thresholds:
            gc.set_threshold(*gc_thresholds)
        install_gc_manager()
+        run_command()

-        # Reset the logging context when we start the reactor (whenever we yield control
-        # to the reactor, the `sentinel` logging context needs to be set so we don't
-        # leak the current logging context and erroneously apply it to the next task the
-        # reactor event loop picks up)
-        with PreserveLoggingContext():
-            run_command()
+    # make sure that we run the reactor with the sentinel log context,
+    # otherwise other PreserveLoggingContext instances will get confused
+    # and complain when they see the logcontext arbitrarily swapping
+    # between the sentinel and `run` logcontexts.
+    #
+    # We also need to drop the logcontext before forking if we're daemonizing,
+    # otherwise the cputime metrics get confused about the per-thread resource usage
+    # appearing to go backwards.
+    with PreserveLoggingContext():
+        if daemonize:
+            assert pid_file is not None

-    if daemonize:
-        assert pid_file is not None
+            if print_pidfile:
+                print(pid_file)

-        if print_pidfile:
-            print(pid_file)
-
-        daemonize_process(pid_file, logger)
-
-    run()
+            daemonize_process(pid_file, logger)
+        run()


 def quit_with_error(error_string: str) -> NoReturn:
@@ -241,7 +243,7 @@ def redirect_stdio_to_logs() -> None:


 def register_start(
-    hs: "HomeServer", cb: Callable[P, Awaitable], *args: P.args, **kwargs: P.kwargs
+    cb: Callable[P, Awaitable], *args: P.args, **kwargs: P.kwargs
 ) -> None:
    """Register a callback with the reactor, to be called once it is running

@@ -278,8 +280,7 @@ def register_start(
            # on as normal.
            os._exit(1)

-    clock = hs.get_clock()
-    clock.call_when_running(lambda: defer.ensureDeferred(wrapper()))
+    reactor.callWhenRunning(lambda: defer.ensureDeferred(wrapper()))


 def listen_metrics(bind_addresses: StrCollection, port: int) -> None:
@@ -518,9 +519,7 @@ async def start(hs: "HomeServer") -> None:
    # numbers of DNS requests don't starve out other users of the threadpool.
    resolver_threadpool = ThreadPool(name="gai_resolver")
    resolver_threadpool.start()
-    hs.get_clock().add_system_event_trigger(
-        "during", "shutdown", resolver_threadpool.stop
-    )
+    reactor.addSystemEventTrigger("during", "shutdown", resolver_threadpool.stop)
    reactor.installNameResolver(
        GAIResolver(reactor, getThreadPool=lambda: resolver_threadpool)
    )
@@ -602,38 +601,18 @@ async def start(hs: "HomeServer") -> None:
    hs.get_datastores().main.db_pool.start_profiling()
    hs.get_pusherpool().start()

-    def log_shutdown() -> None:
-        with LoggingContext("log_shutdown"):
-            logger.info("Shutting down...")
-
    # Log when we start the shut down process.
-    hs.get_clock().add_system_event_trigger("before", "shutdown", log_shutdown)
+    hs.get_reactor().addSystemEventTrigger(
+        "before", "shutdown", logger.info, "Shutting down..."
+    )

    setup_sentry(hs)
    setup_sdnotify(hs)

-    # Register background tasks required by this server. This must be done
-    # somewhat manually due to the background tasks not being registered
-    # unless handlers are instantiated.
-    #
-    # While we could "start" these before the reactor runs, nothing will happen until
-    # the reactor is running, so we may as well do it here in `start`.
-    #
-    # Additionally, this means we also start them after we daemonize and fork the
-    # process which means we can avoid any potential problems with cputime metrics
-    # getting confused about the per-thread resource usage appearing to go backwards
-    # because we're comparing the resource usage (`rusage`) from the original process to
-    # the forked process.
+    # If background tasks are running on the main process or this is the worker in
+    # charge of them, start collecting the phone home stats and shared usage metrics.
    if hs.config.worker.run_background_tasks:
-        hs.start_background_tasks()
-
-        # TODO: This should be moved to same pattern we use for other background tasks:
-        # Add to `REQUIRED_ON_BACKGROUND_TASK_STARTUP` and rely on
-        # `start_background_tasks` to start it.
        await hs.get_common_usage_metrics_manager().setup()
-
-        # TODO: This feels like another pattern that should refactored as one of the
-        # `REQUIRED_ON_BACKGROUND_TASK_STARTUP`
        start_phone_stats_home(hs)

    # We now freeze all allocated objects in the hopes that (almost)
@@ -722,7 +701,7 @@ def setup_sdnotify(hs: "HomeServer") -> None:
    # we're not using systemd.
    sdnotify(b"READY=1\nMAINPID=%i" % (os.getpid(),))

-    hs.get_clock().add_system_event_trigger(
+    hs.get_reactor().addSystemEventTrigger(
        "before", "shutdown", sdnotify, b"STOPPING=1"
    )

--- a/synapse/app/admin_cmd.py
+++ b/synapse/app/admin_cmd.py
@@ -24,7 +24,7 @@ import logging
 import os
 import sys
 import tempfile
-from typing import List, Mapping, Optional, Sequence, Tuple
+from typing import List, Mapping, Optional, Sequence

 from twisted.internet import defer, task

@@ -256,7 +256,7 @@ class FileExfiltrationWriter(ExfiltrationWriter):
        return self.base_directory


-def load_config(argv_options: List[str]) -> Tuple[HomeServerConfig, argparse.Namespace]:
+def start(config_options: List[str]) -> None:
    parser = argparse.ArgumentParser(description="Synapse Admin Command")
    HomeServerConfig.add_arguments_to_parser(parser)

@@ -282,15 +282,11 @@ def load_config(argv_options: List[str]) -> Tuple[HomeServerConfig, argparse.Nam
    export_data_parser.set_defaults(func=export_data_command)

    try:
-        config, args = HomeServerConfig.load_config_with_parser(parser, argv_options)
+        config, args = HomeServerConfig.load_config_with_parser(parser, config_options)
    except ConfigError as e:
        sys.stderr.write("\n" + str(e) + "\n")
        sys.exit(1)

-    return config, args
-
-
-def start(config: HomeServerConfig, args: argparse.Namespace) -> None:
    if config.worker.worker_app is not None:
        assert config.worker.worker_app == "synapse.app.admin_cmd"

@@ -329,7 +325,7 @@ def start(config: HomeServerConfig, args: argparse.Namespace) -> None:
    # command.

    async def run() -> None:
-        with LoggingContext(name="command"):
+        with LoggingContext("command"):
            await _base.start(ss)
            await args.func(ss, args)

@@ -341,6 +337,5 @@ def start(config: HomeServerConfig, args: argparse.Namespace) -> None:


 if __name__ == "__main__":
-    homeserver_config, args = load_config(sys.argv[1:])
-    with LoggingContext(name="main"):
-        start(homeserver_config, args)
+    with LoggingContext("main"):
+        start(sys.argv[1:])
--- a/synapse/app/appservice.py
+++ b/synapse/app/appservice.py
@@ -21,14 +21,13 @@

 import sys

-from synapse.app.generic_worker import load_config, start
+from synapse.app.generic_worker import start
 from synapse.util.logcontext import LoggingContext


 def main() -> None:
-    homeserver_config = load_config(sys.argv[1:])
-    with LoggingContext(name="main"):
-        start(homeserver_config)
+    with LoggingContext("main"):
+        start(sys.argv[1:])


 if __name__ == "__main__":
--- a/synapse/app/client_reader.py
+++ b/synapse/app/client_reader.py
@@ -21,14 +21,13 @@

 import sys

-from synapse.app.generic_worker import load_config, start
+from synapse.app.generic_worker import start
 from synapse.util.logcontext import LoggingContext


 def main() -> None:
-    homeserver_config = load_config(sys.argv[1:])
-    with LoggingContext(name="main"):
-        start(homeserver_config)
+    with LoggingContext("main"):
+        start(sys.argv[1:])


 if __name__ == "__main__":
--- a/synapse/app/event_creator.py
+++ b/synapse/app/event_creator.py
@@ -20,14 +20,13 @@

 import sys

-from synapse.app.generic_worker import load_config, start
+from synapse.app.generic_worker import start
 from synapse.util.logcontext import LoggingContext


 def main() -> None:
-    homeserver_config = load_config(sys.argv[1:])
-    with LoggingContext(name="main"):
-        start(homeserver_config)
+    with LoggingContext("main"):
+        start(sys.argv[1:])


 if __name__ == "__main__":
--- a/synapse/app/federation_reader.py
+++ b/synapse/app/federation_reader.py
@@ -21,14 +21,13 @@

 import sys

-from synapse.app.generic_worker import load_config, start
+from synapse.app.generic_worker import start
 from synapse.util.logcontext import LoggingContext


 def main() -> None:
-    homeserver_config = load_config(sys.argv[1:])
-    with LoggingContext(name="main"):
-        start(homeserver_config)
+    with LoggingContext("main"):
+        start(sys.argv[1:])


 if __name__ == "__main__":
--- a/synapse/app/federation_sender.py
+++ b/synapse/app/federation_sender.py
@@ -21,14 +21,13 @@

 import sys

-from synapse.app.generic_worker import load_config, start
+from synapse.app.generic_worker import start
 from synapse.util.logcontext import LoggingContext


 def main() -> None:
-    homeserver_config = load_config(sys.argv[1:])
-    with LoggingContext(name="main"):
-        start(homeserver_config)
+    with LoggingContext("main"):
+        start(sys.argv[1:])


 if __name__ == "__main__":
--- a/synapse/app/frontend_proxy.py
+++ b/synapse/app/frontend_proxy.py
@@ -21,14 +21,13 @@

 import sys

-from synapse.app.generic_worker import load_config, start
+from synapse.app.generic_worker import start
 from synapse.util.logcontext import LoggingContext


 def main() -> None:
-    homeserver_config = load_config(sys.argv[1:])
-    with LoggingContext(name="main"):
-        start(homeserver_config)
+    with LoggingContext("main"):
+        start(sys.argv[1:])


 if __name__ == "__main__":
--- a/synapse/app/generic_worker.py
+++ b/synapse/app/generic_worker.py
@@ -310,26 +310,13 @@ class GenericWorkerServer(HomeServer):
        self.get_replication_command_handler().start_replication(self)


-def load_config(argv_options: List[str]) -> HomeServerConfig:
-    """
-    Parse the commandline and config files (does not generate config)
-
-    Args:
-        argv_options: The options passed to Synapse. Usually `sys.argv[1:]`.
-
-    Returns:
-        Config object.
-    """
+def start(config_options: List[str]) -> None:
    try:
-        config = HomeServerConfig.load_config("Synapse worker", argv_options)
+        config = HomeServerConfig.load_config("Synapse worker", config_options)
    except ConfigError as e:
        sys.stderr.write("\n" + str(e) + "\n")
        sys.exit(1)

-    return config
-
-
-def start(config: HomeServerConfig) -> None:
    # For backwards compatibility let any of the old app names.
    assert config.worker.worker_app in (
        "synapse.app.appservice",
@@ -368,10 +355,7 @@ def start(config: HomeServerConfig) -> None:
    except Exception as e:
        handle_startup_exception(e)

-    async def start() -> None:
-        await _base.start(hs)
-
-    register_start(hs, start)
+    register_start(_base.start, hs)

    # redirect stdio to the logs, if configured.
    if not hs.config.logging.no_redirect_stdio:
@@ -381,9 +365,8 @@ def start(config: HomeServerConfig) -> None:


 def main() -> None:
-    homeserver_config = load_config(sys.argv[1:])
-    with LoggingContext(name="main"):
-        start(homeserver_config)
+    with LoggingContext("main"):
+        start(sys.argv[1:])


 if __name__ == "__main__":
--- a/synapse/app/homeserver.py
+++ b/synapse/app/homeserver.py
@@ -308,21 +308,17 @@ class SynapseHomeServer(HomeServer):
                logger.warning("Unrecognized listener type: %s", listener.type)


-def load_or_generate_config(argv_options: List[str]) -> HomeServerConfig:
+def setup(config_options: List[str]) -> SynapseHomeServer:
    """
-    Parse the commandline and config files
-
-    Supports generation of config files, so is used for the main homeserver app.
-
    Args:
-        argv_options: The options passed to Synapse. Usually `sys.argv[1:]`.
+        config_options_options: The options passed to Synapse. Usually `sys.argv[1:]`.

    Returns:
        A homeserver instance.
    """
    try:
        config = HomeServerConfig.load_or_generate_config(
-            "Synapse Homeserver", argv_options
+            "Synapse Homeserver", config_options
        )
    except ConfigError as e:
        sys.stderr.write("\n")
@@ -336,20 +332,6 @@ def load_or_generate_config(argv_options: List[str]) -> HomeServerConfig:
        # generating config files and shouldn't try to continue.
        sys.exit(0)

-    return config
-
-
-def setup(config: HomeServerConfig) -> SynapseHomeServer:
-    """
-    Create and setup a Synapse homeserver instance given a configuration.
-
-    Args:
-        config: The configuration for the homeserver.
-
-    Returns:
-        A homeserver instance.
-    """
-
    if config.worker.worker_app:
        raise ConfigError(
            "You have specified `worker_app` in the config but are attempting to start a non-worker "
@@ -405,7 +387,7 @@ def setup(config: HomeServerConfig) -> SynapseHomeServer:

        hs.get_datastores().main.db_pool.updates.start_doing_background_updates()

-    register_start(hs, start)
+    register_start(start)

    return hs

@@ -423,12 +405,10 @@ def run(hs: HomeServer) -> None:


 def main() -> None:
-    homeserver_config = load_or_generate_config(sys.argv[1:])
-
    with LoggingContext("main"):
        # check base requirements
        check_requirements()
-        hs = setup(homeserver_config)
+        hs = setup(sys.argv[1:])

        # redirect stdio to the logs, if configured.
        if not hs.config.logging.no_redirect_stdio:
--- a/synapse/app/media_repository.py
+++ b/synapse/app/media_repository.py
@@ -21,14 +21,13 @@

 import sys

-from synapse.app.generic_worker import load_config, start
+from synapse.app.generic_worker import start
 from synapse.util.logcontext import LoggingContext


 def main() -> None:
-    homeserver_config = load_config(sys.argv[1:])
-    with LoggingContext(name="main"):
-        start(homeserver_config)
+    with LoggingContext("main"):
+        start(sys.argv[1:])


 if __name__ == "__main__":
--- a/synapse/app/pusher.py
+++ b/synapse/app/pusher.py
@@ -21,14 +21,13 @@

 import sys

-from synapse.app.generic_worker import load_config, start
+from synapse.app.generic_worker import start
 from synapse.util.logcontext import LoggingContext


 def main() -> None:
-    homeserver_config = load_config(sys.argv[1:])
-    with LoggingContext(name="main"):
-        start(homeserver_config)
+    with LoggingContext("main"):
+        start(sys.argv[1:])


 if __name__ == "__main__":
--- a/synapse/app/synchrotron.py
+++ b/synapse/app/synchrotron.py
@@ -21,14 +21,13 @@

 import sys

-from synapse.app.generic_worker import load_config, start
+from synapse.app.generic_worker import start
 from synapse.util.logcontext import LoggingContext


 def main() -> None:
-    homeserver_config = load_config(sys.argv[1:])
-    with LoggingContext(name="main"):
-        start(homeserver_config)
+    with LoggingContext("main"):
+        start(sys.argv[1:])


 if __name__ == "__main__":
--- a/synapse/app/user_dir.py
+++ b/synapse/app/user_dir.py
@@ -21,14 +21,13 @@

 import sys

-from synapse.app.generic_worker import load_config, start
+from synapse.app.generic_worker import start
 from synapse.util.logcontext import LoggingContext


 def main() -> None:
-    homeserver_config = load_config(sys.argv[1:])
-    with LoggingContext(name="main"):
-        start(homeserver_config)
+    with LoggingContext("main"):
+        start(sys.argv[1:])


 if __name__ == "__main__":
--- a/synapse/appservice/scheduler.py
+++ b/synapse/appservice/scheduler.py
@@ -84,7 +84,7 @@ from synapse.logging.context import run_in_background
 from synapse.metrics.background_process_metrics import run_as_background_process
 from synapse.storage.databases.main import DataStore
 from synapse.types import DeviceListUpdates, JsonMapping
-from synapse.util.clock import Clock
+from synapse.util import Clock

 if TYPE_CHECKING:
    from synapse.server import HomeServer
--- a/synapse/config/_base.py
+++ b/synapse/config/_base.py
@@ -22,7 +22,6 @@

 import argparse
 import errno
-import importlib.resources as importlib_resources
 import logging
 import os
 import re
@@ -47,6 +46,7 @@ from typing import (

 import attr
 import jinja2
+import pkg_resources
 import yaml

 from synapse.types import StrSequence
@@ -174,8 +174,8 @@ class Config:
        self.root = root_config

        # Get the path to the default Synapse template directory
-        self.default_template_dir = str(
-            importlib_resources.files("synapse").joinpath("res").joinpath("templates")
+        self.default_template_dir = pkg_resources.resource_filename(
+            "synapse", "res/templates"
        )

    @staticmethod
@@ -646,16 +646,12 @@ class RootConfig:

    @classmethod
    def load_or_generate_config(
-        cls: Type[TRootConfig], description: str, argv_options: List[str]
+        cls: Type[TRootConfig], description: str, argv: List[str]
    ) -> Optional[TRootConfig]:
        """Parse the commandline and config files

        Supports generation of config files, so is used for the main homeserver app.

-        Args:
-            description: TODO
-            argv_options: The options passed to Synapse. Usually `sys.argv[1:]`.
-
        Returns:
            Config object, or None if --generate-config or --generate-keys was set
        """
@@ -751,7 +747,7 @@ class RootConfig:
        )

        cls.invoke_all_static("add_arguments", parser)
-        config_args = parser.parse_args(argv_options)
+        config_args = parser.parse_args(argv)

        config_files = find_config_files(search_paths=config_args.config_path)

--- a/synapse/config/experimental.py
+++ b/synapse/config/experimental.py
@@ -556,9 +556,6 @@ class ExperimentalConfig(Config):
        # MSC4133: Custom profile fields
        self.msc4133_enabled: bool = experimental.get("msc4133_enabled", False)

-        # MSC4169: Backwards-compatible redaction sending using `/send`
-        self.msc4169_enabled: bool = experimental.get("msc4169_enabled", False)
-
        # MSC4210: Remove legacy mentions
        self.msc4210_enabled: bool = experimental.get("msc4210_enabled", False)

@@ -593,5 +590,5 @@ class ExperimentalConfig(Config):
        self.msc4293_enabled: bool = experimental.get("msc4293_enabled", False)

        # MSC4306: Thread Subscriptions
-        # (and MSC4308: Thread Subscriptions extension to Sliding Sync)
+        # (and MSC4308: sliding sync extension for thread subscriptions)
        self.msc4306_enabled: bool = experimental.get("msc4306_enabled", False)
--- a/synapse/config/oembed.py
+++ b/synapse/config/oembed.py
@@ -18,13 +18,13 @@
 # [This file includes modifications made by New Vector Limited]
 #
 #
-import importlib.resources as importlib_resources
 import json
 import re
 from typing import Any, Dict, Iterable, List, Optional, Pattern
 from urllib import parse as urlparse

 import attr
+import pkg_resources

 from synapse.types import JsonDict, StrSequence

@@ -64,12 +64,7 @@ class OembedConfig(Config):
        """
        # Whether to use the packaged providers.json file.
        if not oembed_config.get("disable_default_providers") or False:
-            path = (
-                importlib_resources.files("synapse")
-                .joinpath("res")
-                .joinpath("providers.json")
-            )
-            with path.open("r", encoding="utf-8") as s:
+            with pkg_resources.resource_stream("synapse", "res/providers.json") as s:
                providers = json.load(s)

            yield from self._parse_and_validate_provider(
--- a/synapse/config/repository.py
+++ b/synapse/config/repository.py
@@ -120,19 +120,11 @@ def parse_thumbnail_requirements(

@attr.s(auto_attribs=True, slots=True, frozen=True)
 class MediaUploadLimit:
-    """
-    Represents a limit on the amount of data a user can upload in a given time
-    period.
-
-    These can be configured through the `media_upload_limits` [config option](https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#media_upload_limits)
-    or via the `get_media_upload_limits_for_user` module API [callback](https://element-hq.github.io/synapse/latest/modules/media_repository_callbacks.html#get_media_upload_limits_for_user).
-    """
+    """A limit on the amount of data a user can upload in a given time
+    period."""

    max_bytes: int
-    """The maximum number of bytes that can be uploaded in the given time period."""
-
    time_period_ms: int
-    """The time period in milliseconds."""


 class ContentRepositoryConfig(Config):
--- a/synapse/events/builder.py
+++ b/synapse/events/builder.py
@@ -38,7 +38,7 @@ from synapse.storage.databases.main import DataStore
 from synapse.synapse_rust.events import EventInternalMetadata
 from synapse.types import EventID, JsonDict, StrCollection
 from synapse.types.state import StateFilter
-from synapse.util.clock import Clock
+from synapse.util import Clock
 from synapse.util.stringutils import random_string

 if TYPE_CHECKING:
--- a/synapse/events/snapshot.py
+++ b/synapse/events/snapshot.py
@@ -306,12 +306,6 @@ class EventContext(UnpersistedEventContextBase):
        )


-EventPersistencePair = Tuple[EventBase, EventContext]
-"""
-The combination of an event to be persisted and its context.
-"""
-
-
@attr.s(slots=True, auto_attribs=True)
 class UnpersistedEventContext(UnpersistedEventContextBase):
    """
@@ -369,7 +363,7 @@ class UnpersistedEventContext(UnpersistedEventContextBase):
        room_id: str,
        last_known_state_group: int,
        datastore: "StateGroupDataStore",
-    ) -> List[EventPersistencePair]:
+    ) -> List[Tuple[EventBase, EventContext]]:
        """
        Takes a list of events and their associated unpersisted contexts and persists
        the unpersisted contexts, returning a list of events and persisted contexts.
--- a/synapse/federation/federation_server.py
+++ b/synapse/federation/federation_server.py
@@ -59,7 +59,7 @@ from synapse.api.errors import (
 from synapse.api.room_versions import KNOWN_ROOM_VERSIONS, RoomVersion
 from synapse.crypto.event_signing import compute_event_signature
 from synapse.events import EventBase
-from synapse.events.snapshot import EventPersistencePair
+from synapse.events.snapshot import EventContext
 from synapse.federation.federation_base import (
    FederationBase,
    InvalidEventSignatureError,
@@ -914,7 +914,7 @@ class FederationServer(FederationBase):

    async def _on_send_membership_event(
        self, origin: str, content: JsonDict, membership_type: str, room_id: str
-    ) -> EventPersistencePair:
+    ) -> Tuple[EventBase, EventContext]:
        """Handle an on_send_{join,leave,knock} request

        Does some preliminary validation before passing the request on to the
--- a/synapse/federation/send_queue.py
+++ b/synapse/federation/send_queue.py
@@ -37,7 +37,6 @@ Events are replicated via a separate events stream.
 """

 import logging
-from enum import Enum
 from typing import (
    TYPE_CHECKING,
    Dict,
@@ -68,25 +67,6 @@ if TYPE_CHECKING:
 logger = logging.getLogger(__name__)


-class QueueNames(str, Enum):
-    PRESENCE_MAP = "presence_map"
-    KEYED_EDU = "keyed_edu"
-    KEYED_EDU_CHANGED = "keyed_edu_changed"
-    EDUS = "edus"
-    POS_TIME = "pos_time"
-    PRESENCE_DESTINATIONS = "presence_destinations"
-
-
-queue_name_to_gauge_map: Dict[QueueNames, LaterGauge] = {}
-
-for queue_name in QueueNames:
-    queue_name_to_gauge_map[queue_name] = LaterGauge(
-        name=f"synapse_federation_send_queue_{queue_name.value}_size",
-        desc="",
-        labelnames=[SERVER_NAME_LABEL],
-    )
-
-
 class FederationRemoteSendQueue(AbstractFederationSender):
    """A drop in replacement for FederationSender"""

@@ -131,16 +111,23 @@ class FederationRemoteSendQueue(AbstractFederationSender):
        # we make a new function, so we need to make a new function so the inner
        # lambda binds to the queue rather than to the name of the queue which
        # changes. ARGH.
-        def register(queue_name: QueueNames, queue: Sized) -> None:
-            queue_name_to_gauge_map[queue_name].register_hook(
-                homeserver_instance_id=hs.get_instance_id(),
-                hook=lambda: {(self.server_name,): len(queue)},
+        def register(name: str, queue: Sized) -> None:
+            LaterGauge(
+                name="synapse_federation_send_queue_%s_size" % (queue_name,),
+                desc="",
+                labelnames=[SERVER_NAME_LABEL],
+                caller=lambda: {(self.server_name,): len(queue)},
            )

-        for queue_name in QueueNames:
-            queue = getattr(self, queue_name.value)
-            assert isinstance(queue, Sized)
-            register(queue_name, queue=queue)
+        for queue_name in [
+            "presence_map",
+            "keyed_edu",
+            "keyed_edu_changed",
+            "edus",
+            "pos_time",
+            "presence_destinations",
+        ]:
+            register(queue_name, getattr(self, queue_name))

        self.clock.looping_call(self._clear_queue, 30 * 1000)

--- a/synapse/federation/sender/init.py
+++ b/synapse/federation/sender/init.py
@@ -150,7 +150,6 @@ from prometheus_client import Counter
 from twisted.internet import defer

 import synapse.metrics
-from synapse.api.constants import EventTypes, Membership
 from synapse.api.presence import UserPresenceState
 from synapse.events import EventBase
 from synapse.federation.sender.per_destination_queue import (
@@ -178,7 +177,7 @@ from synapse.types import (
    StrCollection,
    get_domain_from_id,
 )
-from synapse.util.clock import Clock
+from synapse.util import Clock
 from synapse.util.metrics import Measure
 from synapse.util.retryutils import filter_destinations_by_retry_limiter

@@ -200,24 +199,6 @@ sent_pdus_destination_dist_total = Counter(
    labelnames=[SERVER_NAME_LABEL],
 )

-transaction_queue_pending_destinations_gauge = LaterGauge(
-    name="synapse_federation_transaction_queue_pending_destinations",
-    desc="",
-    labelnames=[SERVER_NAME_LABEL],
-)
-
-transaction_queue_pending_pdus_gauge = LaterGauge(
-    name="synapse_federation_transaction_queue_pending_pdus",
-    desc="",
-    labelnames=[SERVER_NAME_LABEL],
-)
-
-transaction_queue_pending_edus_gauge = LaterGauge(
-    name="synapse_federation_transaction_queue_pending_edus",
-    desc="",
-    labelnames=[SERVER_NAME_LABEL],
-)
-
 # Time (in s) to wait before trying to wake up destinations that have
 # catch-up outstanding.
 # Please note that rate limiting still applies, so while the loop is
@@ -417,9 +398,11 @@ class FederationSender(AbstractFederationSender):
        # map from destination to PerDestinationQueue
        self._per_destination_queues: Dict[str, PerDestinationQueue] = {}

-        transaction_queue_pending_destinations_gauge.register_hook(
-            homeserver_instance_id=hs.get_instance_id(),
-            hook=lambda: {
+        LaterGauge(
+            name="synapse_federation_transaction_queue_pending_destinations",
+            desc="",
+            labelnames=[SERVER_NAME_LABEL],
+            caller=lambda: {
                (self.server_name,): sum(
                    1
                    for d in self._per_destination_queues.values()
@@ -427,17 +410,22 @@ class FederationSender(AbstractFederationSender):
                )
            },
        )
-        transaction_queue_pending_pdus_gauge.register_hook(
-            homeserver_instance_id=hs.get_instance_id(),
-            hook=lambda: {
+
+        LaterGauge(
+            name="synapse_federation_transaction_queue_pending_pdus",
+            desc="",
+            labelnames=[SERVER_NAME_LABEL],
+            caller=lambda: {
                (self.server_name,): sum(
                    d.pending_pdu_count() for d in self._per_destination_queues.values()
                )
            },
        )
-        transaction_queue_pending_edus_gauge.register_hook(
-            homeserver_instance_id=hs.get_instance_id(),
-            hook=lambda: {
+        LaterGauge(
+            name="synapse_federation_transaction_queue_pending_edus",
+            desc="",
+            labelnames=[SERVER_NAME_LABEL],
+            caller=lambda: {
                (self.server_name,): sum(
                    d.pending_edu_count() for d in self._per_destination_queues.values()
                )
@@ -656,31 +644,6 @@ class FederationSender(AbstractFederationSender):
                            )
                            return

-                    # If we've rescinded an invite then we want to tell the
-                    # other server.
-                    if (
-                        event.type == EventTypes.Member
-                        and event.membership == Membership.LEAVE
-                        and event.sender != event.state_key
-                    ):
-                        # We check if this leave event is rescinding an invite
-                        # by looking if there is an invite event for the user in
-                        # the auth events. It could otherwise be a kick or
-                        # unban, which we don't want to send (if the user wasn't
-                        # already in the room).
-                        auth_events = await self.store.get_events_as_list(
-                            event.auth_event_ids()
-                        )
-                        for auth_event in auth_events:
-                            if (
-                                auth_event.type == EventTypes.Member
-                                and auth_event.state_key == event.state_key
-                                and auth_event.membership == Membership.INVITE
-                            ):
-                                destinations = set(destinations)
-                                destinations.add(get_domain_from_id(event.state_key))
-                                break
-
                    sharded_destinations = {
                        d
                        for d in destinations
--- a/synapse/federation/sender/transaction_manager.py
+++ b/synapse/federation/sender/transaction_manager.py
@@ -26,7 +26,7 @@ from synapse.api.constants import EduTypes
 from synapse.api.errors import HttpResponseException
 from synapse.events import EventBase
 from synapse.federation.persistence import TransactionActions
-from synapse.federation.units import Edu, Transaction, serialize_and_filter_pdus
+from synapse.federation.units import Edu, Transaction
 from synapse.logging.opentracing import (
    extract_text_map,
    set_tag,
@@ -36,7 +36,7 @@ from synapse.logging.opentracing import (
 )
 from synapse.metrics import SERVER_NAME_LABEL
 from synapse.types import JsonDict
-from synapse.util.json import json_decoder
+from synapse.util import json_decoder
 from synapse.util.metrics import measure_func

 if TYPE_CHECKING:
@@ -119,7 +119,7 @@ class TransactionManager:
                transaction_id=txn_id,
                origin=self.server_name,
                destination=destination,
-                pdus=serialize_and_filter_pdus(pdus),
+                pdus=[p.get_pdu_json() for p in pdus],
                edus=[edu.get_dict() for edu in edus],
            )

--- a/synapse/federation/transport/server/init.py
+++ b/synapse/federation/transport/server/init.py
@@ -135,7 +135,7 @@ class PublicRoomList(BaseFederationServlet):
        if not self.allow_access:
            raise FederationDeniedError(origin)

-        limit: Optional[int] = parse_integer_from_args(query, "limit", 0)
+        limit = parse_integer_from_args(query, "limit", 0)
        since_token = parse_string_from_args(query, "since", None)
        include_all_networks = parse_boolean_from_args(
            query, "include_all_networks", default=False
--- a/synapse/handlers/deactivate_account.py
+++ b/synapse/handlers/deactivate_account.py
@@ -62,7 +62,7 @@ class DeactivateAccountHandler:
        # Start the user parter loop so it can resume parting users from rooms where
        # it left off (if it has work left to do).
        if hs.config.worker.worker_app is None:
-            hs.get_clock().call_when_running(self._start_user_parting)
+            hs.get_reactor().callWhenRunning(self._start_user_parting)
        else:
            self._notify_account_deactivated_client = (
                ReplicationNotifyAccountDeactivatedServlet.make_client(hs)
--- a/synapse/handlers/delayed_events.py
+++ b/synapse/handlers/delayed_events.py
@@ -18,15 +18,12 @@ from typing import TYPE_CHECKING, List, Optional, Set, Tuple
 from twisted.internet.interfaces import IDelayedCall

 from synapse.api.constants import EventTypes
-from synapse.api.errors import ShadowBanError, SynapseError
+from synapse.api.errors import ShadowBanError
 from synapse.api.ratelimiting import Ratelimiter
 from synapse.config.workers import MAIN_PROCESS_INSTANCE_NAME
-from synapse.logging.context import make_deferred_yieldable
 from synapse.logging.opentracing import set_tag
 from synapse.metrics import SERVER_NAME_LABEL, event_processing_positions
-from synapse.metrics.background_process_metrics import (
-    run_as_background_process,
-)
+from synapse.metrics.background_process_metrics import run_as_background_process
 from synapse.replication.http.delayed_events import (
    ReplicationAddedDelayedEventRestServlet,
 )
@@ -48,7 +45,6 @@ from synapse.types import (
 )
 from synapse.util.events import generate_fake_event_id
 from synapse.util.metrics import Measure
-from synapse.util.sentinel import Sentinel

 if TYPE_CHECKING:
    from synapse.server import HomeServer
@@ -150,37 +146,10 @@ class DelayedEventsHandler:
        )

    async def _unsafe_process_new_event(self) -> None:
-        # We purposefully fetch the current max room stream ordering before
-        # doing anything else, as it could increment duing processing of state
-        # deltas. We want to avoid updating `delayed_events_stream_pos` past
-        # the stream ordering of the state deltas we've processed. Otherwise
-        # we'll leave gaps in our processing.
-        room_max_stream_ordering = self._store.get_room_max_stream_ordering()
-
-        # Check that there are actually any delayed events to process. If not, bail early.
-        delayed_events_count = await self._store.get_count_of_delayed_events()
-        if delayed_events_count == 0:
-            # There are no delayed events to process. Update the
-            # `delayed_events_stream_pos` to the latest `events` stream pos and
-            # exit early.
-            self._event_pos = room_max_stream_ordering
-
-            logger.debug(
-                "No delayed events to process. Updating `delayed_events_stream_pos` to max stream ordering (%s)",
-                room_max_stream_ordering,
-            )
-
-            await self._store.update_delayed_events_stream_pos(room_max_stream_ordering)
-
-            event_processing_positions.labels(
-                name="delayed_events", **{SERVER_NAME_LABEL: self.server_name}
-            ).set(room_max_stream_ordering)
-
-            return
-
        # If self._event_pos is None then means we haven't fetched it from the DB yet
        if self._event_pos is None:
            self._event_pos = await self._store.get_delayed_events_stream_pos()
+            room_max_stream_ordering = self._store.get_room_max_stream_ordering()
            if self._event_pos > room_max_stream_ordering:
                # apparently, we've processed more events than exist in the database!
                # this can happen if events are removed with history purge or similar.
@@ -198,7 +167,7 @@ class DelayedEventsHandler:
                self._clock, name="delayed_events_delta", server_name=self.server_name
            ):
                room_max_stream_ordering = self._store.get_room_max_stream_ordering()
-                if self._event_pos >= room_max_stream_ordering:
+                if self._event_pos == room_max_stream_ordering:
                    return

                logger.debug(
@@ -233,81 +202,23 @@ class DelayedEventsHandler:
        Process current state deltas to cancel other users' pending delayed events
        that target the same state.
        """
-        # Get the senders of each delta's state event (as sender information is
-        # not currently stored in the `current_state_deltas` table).
-        event_id_and_sender_dict = await self._store.get_senders_for_event_ids(
-            [delta.event_id for delta in deltas if delta.event_id is not None]
-        )
-
-        # Note: No need to batch as `get_current_state_deltas` will only ever
-        # return 100 rows at a time.
        for delta in deltas:
-            logger.debug(
-                "Handling: %r %r, %s", delta.event_type, delta.state_key, delta.event_id
-            )
-
-            # `delta.event_id` and `delta.sender` can be `None` in a few valid
-            # cases (see the docstring of
-            # `get_current_state_delta_membership_changes_for_user` for details).
            if delta.event_id is None:
-                # TODO: Differentiate between this being caused by a state reset
-                # which removed a user from a room, or the homeserver
-                # purposefully having left the room. We can do so by checking
-                # whether there are any local memberships still left in the
-                # room. If so, then this is the result of a state reset.
-                #
-                # If it is a state reset, we should avoid cancelling new,
-                # delayed state events due to old state resurfacing. So we
-                # should skip and log a warning in this case.
-                #
-                # If the homeserver has left the room, then we should cancel all
-                # delayed state events intended for this room, as there is no
-                # need to try and send a delayed event into a room we've left.
-                logger.warning(
-                    "Skipping state delta (%r, %r) without corresponding event ID. "
-                    "This can happen if the homeserver has left the room (in which "
-                    "case this can be ignored), or if there has been a state reset "
-                    "which has caused the sender to be kicked out of the room",
+                logger.debug(
+                    "Not handling delta for deleted state: %r %r",
                    delta.event_type,
                    delta.state_key,
                )
                continue

-            sender_str = event_id_and_sender_dict.get(
-                delta.event_id, Sentinel.UNSET_SENTINEL
+            logger.debug(
+                "Handling: %r %r, %s", delta.event_type, delta.state_key, delta.event_id
            )
-            if sender_str is None:
-                # An event exists, but the `sender` field was "null" and Synapse
-                # incorrectly accepted the event. This is not expected.
-                logger.error(
-                    "Skipping state delta with event ID '%s' as 'sender' was None. "
-                    "This is unexpected - please report it as a bug!",
-                    delta.event_id,
-                )
-                continue
-            if sender_str is Sentinel.UNSET_SENTINEL:
-                # We have an event ID, but the event was not found in the
-                # datastore. This can happen if a room, or its history, is
-                # purged. State deltas related to the room are left behind, but
-                # the event no longer exists.
-                #
-                # As we cannot get the sender of this event, we can't calculate
-                # whether to cancel delayed events related to this one. So we skip.
-                logger.debug(
-                    "Skipping state delta with event ID '%s' - the room, or its history, may have been purged",
-                    delta.event_id,
-                )
-                continue

-            try:
-                sender = UserID.from_string(sender_str)
-            except SynapseError as e:
-                logger.error(
-                    "Skipping state delta with Matrix User ID '%s' that failed to parse: %s",
-                    sender_str,
-                    e,
-                )
-                continue
+            event = await self._store.get_event(
+                delta.event_id, check_room_id=delta.room_id
+            )
+            sender = UserID.from_string(event.sender)

            next_send_ts = await self._store.cancel_delayed_state_events(
                room_id=delta.room_id,
@@ -417,7 +328,7 @@ class DelayedEventsHandler:
            requester,
            (requester.user.to_string(), requester.device_id),
        )
-        await make_deferred_yieldable(self._initialized_from_db)
+        await self._initialized_from_db

        next_send_ts = await self._store.cancel_delayed_event(
            delay_id=delay_id,
@@ -443,7 +354,7 @@ class DelayedEventsHandler:
            requester,
            (requester.user.to_string(), requester.device_id),
        )
-        await make_deferred_yieldable(self._initialized_from_db)
+        await self._initialized_from_db

        next_send_ts = await self._store.restart_delayed_event(
            delay_id=delay_id,
@@ -469,7 +380,7 @@ class DelayedEventsHandler:
        # Use standard request limiter for sending delayed events on-demand,
        # as an on-demand send is similar to sending a regular event.
        await self._request_ratelimiter.ratelimit(requester)
-        await make_deferred_yieldable(self._initialized_from_db)
+        await self._initialized_from_db

        event, next_send_ts = await self._store.process_target_delayed_event(
            delay_id=delay_id,
--- a/synapse/handlers/device.py
+++ b/synapse/handlers/device.py
@@ -1002,7 +1002,7 @@ class DeviceWriterHandler(DeviceHandler):
        # rolling-restarting Synapse.
        if self._is_main_device_list_writer:
            # On start up check if there are any updates pending.
-            hs.get_clock().call_when_running(self._handle_new_device_update_async)
+            hs.get_reactor().callWhenRunning(self._handle_new_device_update_async)
            self.device_list_updater = DeviceListUpdater(hs, self)
            hs.get_federation_registry().register_edu_handler(
                EduTypes.DEVICE_LIST_UPDATE,
--- a/synapse/handlers/devicemessage.py
+++ b/synapse/handlers/devicemessage.py
@@ -34,7 +34,7 @@ from synapse.logging.opentracing import (
    set_tag,
 )
 from synapse.types import JsonDict, Requester, StreamKeyType, UserID, get_domain_from_id
-from synapse.util.json import json_encoder
+from synapse.util import json_encoder
 from synapse.util.stringutils import random_string

 if TYPE_CHECKING:
--- a/synapse/handlers/e2e_keys.py
+++ b/synapse/handlers/e2e_keys.py
@@ -44,9 +44,9 @@ from synapse.types import (
    get_domain_from_id,
    get_verify_key_from_cross_signing_key,
 )
+from synapse.util import json_decoder
 from synapse.util.async_helpers import Linearizer, concurrently_execute
 from synapse.util.cancellation import cancellable
-from synapse.util.json import json_decoder
 from synapse.util.retryutils import (
    NotRetryingDestination,
    filter_destinations_by_retry_limiter,
@@ -57,6 +57,7 @@ if TYPE_CHECKING:

 logger = logging.getLogger(__name__)

+
 ONE_TIME_KEY_UPLOAD = "one_time_key_upload_lock"


@@ -847,22 +848,14 @@ class E2eKeysHandler:
        """
        time_now = self.clock.time_msec()

+        # TODO: Validate the JSON to make sure it has the right keys.
        device_keys = keys.get("device_keys", None)
        if device_keys:
-            log_kv(
-                {
-                    "message": "Updating device_keys for user.",
-                    "user_id": user_id,
-                    "device_id": device_id,
-                }
-            )
            await self.upload_device_keys_for_user(
                user_id=user_id,
                device_id=device_id,
                keys={"device_keys": device_keys},
            )
-        else:
-            log_kv({"message": "Did not update device_keys", "reason": "not a dict"})

        one_time_keys = keys.get("one_time_keys", None)
        if one_time_keys:
@@ -880,9 +873,10 @@ class E2eKeysHandler:
            log_kv(
                {"message": "Did not update one_time_keys", "reason": "no keys given"}
            )
-
-        fallback_keys = keys.get("fallback_keys")
-        if fallback_keys:
+        fallback_keys = keys.get("fallback_keys") or keys.get(
+            "org.matrix.msc2732.fallback_keys"
+        )
+        if fallback_keys and isinstance(fallback_keys, dict):
            log_kv(
                {
                    "message": "Updating fallback_keys for device.",
@@ -891,6 +885,8 @@ class E2eKeysHandler:
                }
            )
            await self.store.set_e2e_fallback_keys(user_id, device_id, fallback_keys)
+        elif fallback_keys:
+            log_kv({"message": "Did not update fallback_keys", "reason": "not a dict"})
        else:
            log_kv(
                {"message": "Did not update fallback_keys", "reason": "no keys given"}
--- a/synapse/handlers/federation_event.py
+++ b/synapse/handlers/federation_event.py
@@ -66,11 +66,7 @@ from synapse.event_auth import (
    validate_event_for_room_version,
 )
 from synapse.events import EventBase
-from synapse.events.snapshot import (
-    EventContext,
-    EventPersistencePair,
-    UnpersistedEventContextBase,
-)
+from synapse.events.snapshot import EventContext, UnpersistedEventContextBase
 from synapse.federation.federation_client import InvalidResponseError, PulledPduInfo
 from synapse.logging.context import nested_logging_context
 from synapse.logging.opentracing import (
@@ -248,10 +244,9 @@ class FederationEventHandler:
            self.room_queues[room_id].append((pdu, origin))
            return

-        # If we're not in the room just ditch the event entirely (and not
-        # invited). This is probably an old server that has come back and thinks
-        # we're still in the room (or we've been rejoined to the room by a state
-        # reset).
+        # If we're not in the room just ditch the event entirely. This is
+        # probably an old server that has come back and thinks we're still in
+        # the room (or we've been rejoined to the room by a state reset).
        #
        # Note that if we were never in the room then we would have already
        # dropped the event, since we wouldn't know the room version.
@@ -259,43 +254,6 @@ class FederationEventHandler:
            room_id, self.server_name
        )
        if not is_in_room:
-            # Check if this is a leave event rescinding an invite
-            if (
-                pdu.type == EventTypes.Member
-                and pdu.membership == Membership.LEAVE
-                and pdu.state_key != pdu.sender
-                and self._is_mine_id(pdu.state_key)
-            ):
-                (
-                    membership,
-                    membership_event_id,
-                ) = await self._store.get_local_current_membership_for_user_in_room(
-                    pdu.state_key, pdu.room_id
-                )
-                if (
-                    membership == Membership.INVITE
-                    and membership_event_id
-                    and membership_event_id
-                    in pdu.auth_event_ids()  # The invite should be in the auth events of the rescission.
-                ):
-                    invite_event = await self._store.get_event(
-                        membership_event_id, allow_none=True
-                    )
-
-                    # We cannot fully auth the rescission event, but we can
-                    # check if the sender of the leave event is the same as the
-                    # invite.
-                    #
-                    # Technically, a room admin could rescind the invite, but we
-                    # have no way of knowing who is and isn't a room admin.
-                    if invite_event and pdu.sender == invite_event.sender:
-                        # Handle the rescission event
-                        pdu.internal_metadata.outlier = True
-                        pdu.internal_metadata.out_of_band_membership = True
-                        context = EventContext.for_outlier(self._storage_controllers)
-                        await self.persist_events_and_notify(room_id, [(pdu, context)])
-                        return
-
            logger.info(
                "Ignoring PDU from %s as we're not in the room",
                origin,
@@ -383,7 +341,7 @@ class FederationEventHandler:

    async def on_send_membership_event(
        self, origin: str, event: EventBase
-    ) -> EventPersistencePair:
+    ) -> Tuple[EventBase, EventContext]:
        """
        We have received a join/leave/knock event for a room via send_join/leave/knock.

@@ -1754,7 +1712,7 @@ class FederationEventHandler:
            )
            auth_map.update(persisted_events)

-        events_and_contexts_to_persist: List[EventPersistencePair] = []
+        events_and_contexts_to_persist: List[Tuple[EventBase, EventContext]] = []

        async def prep(event: EventBase) -> None:
            with nested_logging_context(suffix=event.event_id):
@@ -2267,7 +2225,7 @@ class FederationEventHandler:
    async def persist_events_and_notify(
        self,
        room_id: str,
-        event_and_contexts: Sequence[EventPersistencePair],
+        event_and_contexts: Sequence[Tuple[EventBase, EventContext]],
        backfilled: bool = False,
    ) -> int:
        """Persists events and tells the notifier/pushers about them, if
--- a/synapse/handlers/identity.py
+++ b/synapse/handlers/identity.py
@@ -39,8 +39,8 @@ from synapse.http import RequestTimedOutError
 from synapse.http.client import SimpleHttpClient
 from synapse.http.site import SynapseRequest
 from synapse.types import JsonDict, Requester
+from synapse.util import json_decoder
 from synapse.util.hash import sha256_and_url_safe_base64
-from synapse.util.json import json_decoder
 from synapse.util.stringutils import (
    assert_valid_client_secret,
    random_string,
--- a/synapse/handlers/message.py
+++ b/synapse/handlers/message.py
@@ -57,7 +57,6 @@ from synapse.events import EventBase, relation_from_event
 from synapse.events.builder import EventBuilder
 from synapse.events.snapshot import (
    EventContext,
-    EventPersistencePair,
    UnpersistedEventContext,
    UnpersistedEventContextBase,
 )
@@ -81,10 +80,9 @@ from synapse.types import (
    create_requester,
 )
 from synapse.types.state import StateFilter
-from synapse.util import log_failure, unwrapFirstError
+from synapse.util import json_decoder, json_encoder, log_failure, unwrapFirstError
 from synapse.util.async_helpers import Linearizer, gather_results
 from synapse.util.caches.expiringcache import ExpiringCache
-from synapse.util.json import json_decoder, json_encoder
 from synapse.util.metrics import measure_func
 from synapse.visibility import get_effective_room_visibility_from_state

@@ -1014,37 +1012,14 @@ class EventCreationHandler:
            await self.clock.sleep(random.randint(1, 10))
            raise ShadowBanError()

-        room_version = None
-
-        if (
-            event_dict["type"] == EventTypes.Redaction
-            and "redacts" in event_dict["content"]
-            and self.hs.config.experimental.msc4169_enabled
-        ):
+        if ratelimit:
            room_id = event_dict["room_id"]
            try:
                room_version = await self.store.get_room_version(room_id)
            except NotFoundError:
+                # The room doesn't exist.
                raise AuthError(403, f"User {requester.user} not in room {room_id}")

-            if not room_version.updated_redaction_rules:
-                # Legacy room versions need the "redacts" field outside of the event's
-                # content. However clients may still send it within the content, so move
-                # the field if necessary for compatibility.
-                redacts = event_dict.get("redacts") or event_dict["content"].pop(
-                    "redacts", None
-                )
-                if redacts is not None and "redacts" not in event_dict:
-                    event_dict["redacts"] = redacts
-
-        if ratelimit:
-            if room_version is None:
-                room_id = event_dict["room_id"]
-                try:
-                    room_version = await self.store.get_room_version(room_id)
-                except NotFoundError:
-                    raise AuthError(403, f"User {requester.user} not in room {room_id}")
-
            if room_version.updated_redaction_rules:
                redacts = event_dict["content"].get("redacts")
            else:
@@ -1464,7 +1439,7 @@ class EventCreationHandler:
    async def handle_new_client_event(
        self,
        requester: Requester,
-        events_and_context: List[EventPersistencePair],
+        events_and_context: List[Tuple[EventBase, EventContext]],
        ratelimit: bool = True,
        extra_users: Optional[List[UserID]] = None,
        ignore_shadow_ban: bool = False,
@@ -1676,7 +1651,7 @@ class EventCreationHandler:
    async def _persist_events(
        self,
        requester: Requester,
-        events_and_context: List[EventPersistencePair],
+        events_and_context: List[Tuple[EventBase, EventContext]],
        ratelimit: bool = True,
        extra_users: Optional[List[UserID]] = None,
    ) -> EventBase:
@@ -1762,7 +1737,7 @@ class EventCreationHandler:
            raise

    async def cache_joined_hosts_for_events(
-        self, events_and_context: List[EventPersistencePair]
+        self, events_and_context: List[Tuple[EventBase, EventContext]]
    ) -> None:
        """Precalculate the joined hosts at each of the given events, when using Redis, so that
        external federation senders don't have to recalculate it themselves.
@@ -1868,7 +1843,7 @@ class EventCreationHandler:
    async def persist_and_notify_client_events(
        self,
        requester: Requester,
-        events_and_context: List[EventPersistencePair],
+        events_and_context: List[Tuple[EventBase, EventContext]],
        ratelimit: bool = True,
        extra_users: Optional[List[UserID]] = None,
    ) -> EventBase:
--- a/synapse/handlers/oidc.py
+++ b/synapse/handlers/oidc.py
@@ -67,9 +67,8 @@ from synapse.http.site import SynapseRequest
 from synapse.logging.context import make_deferred_yieldable
 from synapse.module_api import ModuleApi
 from synapse.types import JsonDict, UserID, map_username_to_mxid_localpart
+from synapse.util import Clock, json_decoder
 from synapse.util.caches.cached_call import RetryOnExceptionCachedCall
-from synapse.util.clock import Clock
-from synapse.util.json import json_decoder
 from synapse.util.macaroons import MacaroonGenerator, OidcSessionData
 from synapse.util.templates import _localpart_from_email_filter

--- a/synapse/handlers/presence.py
+++ b/synapse/handlers/presence.py
@@ -173,18 +173,6 @@ state_transition_counter = Counter(
    labelnames=["locality", "from", "to", SERVER_NAME_LABEL],
 )

-presence_user_to_current_state_size_gauge = LaterGauge(
-    name="synapse_handlers_presence_user_to_current_state_size",
-    desc="",
-    labelnames=[SERVER_NAME_LABEL],
-)
-
-presence_wheel_timer_size_gauge = LaterGauge(
-    name="synapse_handlers_presence_wheel_timer_size",
-    desc="",
-    labelnames=[SERVER_NAME_LABEL],
-)
-
 # If a user was last active in the last LAST_ACTIVE_GRANULARITY, consider them
 # "currently_active"
 LAST_ACTIVE_GRANULARITY = 60 * 1000
@@ -541,7 +529,7 @@ class WorkerPresenceHandler(BasePresenceHandler):
            self.send_stop_syncing, UPDATE_SYNCING_USERS_MS
        )

-        hs.get_clock().add_system_event_trigger(
+        hs.get_reactor().addSystemEventTrigger(
            "before",
            "shutdown",
            run_as_background_process,
@@ -791,9 +779,11 @@ class PresenceHandler(BasePresenceHandler):
            EduTypes.PRESENCE, self.incoming_presence
        )

-        presence_user_to_current_state_size_gauge.register_hook(
-            homeserver_instance_id=hs.get_instance_id(),
-            hook=lambda: {(self.server_name,): len(self.user_to_current_state)},
+        LaterGauge(
+            name="synapse_handlers_presence_user_to_current_state_size",
+            desc="",
+            labelnames=[SERVER_NAME_LABEL],
+            caller=lambda: {(self.server_name,): len(self.user_to_current_state)},
        )

        # The per-device presence state, maps user to devices to per-device presence state.
@@ -842,7 +832,7 @@ class PresenceHandler(BasePresenceHandler):
        # have not yet been persisted
        self.unpersisted_users_changes: Set[str] = set()

-        hs.get_clock().add_system_event_trigger(
+        hs.get_reactor().addSystemEventTrigger(
            "before",
            "shutdown",
            run_as_background_process,
@@ -892,9 +882,11 @@ class PresenceHandler(BasePresenceHandler):
                60 * 1000,
            )

-        presence_wheel_timer_size_gauge.register_hook(
-            homeserver_instance_id=hs.get_instance_id(),
-            hook=lambda: {(self.server_name,): len(self.wheel_timer)},
+        LaterGauge(
+            name="synapse_handlers_presence_wheel_timer_size",
+            desc="",
+            labelnames=[SERVER_NAME_LABEL],
+            caller=lambda: {(self.server_name,): len(self.wheel_timer)},
        )

        # Used to handle sending of presence to newly joined users/servers
@@ -1548,7 +1540,7 @@ class PresenceHandler(BasePresenceHandler):
                self.clock, name="presence_delta", server_name=self.server_name
            ):
                room_max_stream_ordering = self.store.get_room_max_stream_ordering()
-                if self._event_pos >= room_max_stream_ordering:
+                if self._event_pos == room_max_stream_ordering:
                    return

                logger.debug(
--- a/synapse/handlers/sliding_sync/init.py
+++ b/synapse/handlers/sliding_sync/init.py
@@ -211,7 +211,7 @@ class SlidingSyncHandler:

        Args:
            sync_config: Sync configuration
-            to_token: The latest point in the stream to sync up to.
+            to_token: The point in the stream to sync up to.
            from_token: The point in the stream to sync from. Token of the end of the
                previous batch. May be `None` if this is the initial sync request.
        """
--- a/synapse/handlers/sliding_sync/extensions.py
+++ b/synapse/handlers/sliding_sync/extensions.py
@@ -27,7 +27,7 @@ from typing import (
    cast,
 )

-from typing_extensions import TypeAlias, assert_never
+from typing_extensions import assert_never

 from synapse.api.constants import AccountDataTypes, EduTypes
 from synapse.handlers.receipts import ReceiptEventSource
@@ -40,7 +40,6 @@ from synapse.types import (
    SlidingSyncStreamToken,
    StrCollection,
    StreamToken,
-    ThreadSubscriptionsToken,
 )
 from synapse.types.handlers.sliding_sync import (
    HaveSentRoomFlag,
@@ -55,13 +54,6 @@ from synapse.util.async_helpers import (
    gather_optional_coroutines,
 )

-_ThreadSubscription: TypeAlias = (
-    SlidingSyncResult.Extensions.ThreadSubscriptionsExtension.ThreadSubscription
-)
-_ThreadUnsubscription: TypeAlias = (
-    SlidingSyncResult.Extensions.ThreadSubscriptionsExtension.ThreadUnsubscription
-)
-
 if TYPE_CHECKING:
    from synapse.server import HomeServer

@@ -76,7 +68,6 @@ class SlidingSyncExtensionHandler:
        self.event_sources = hs.get_event_sources()
        self.device_handler = hs.get_device_handler()
        self.push_rules_handler = hs.get_push_rules_handler()
-        self._enable_thread_subscriptions = hs.config.experimental.msc4306_enabled

    @trace
    async def get_extensions_response(
@@ -102,7 +93,7 @@ class SlidingSyncExtensionHandler:
            actual_room_ids: The actual room IDs in the the Sliding Sync response.
            actual_room_response_map: A map of room ID to room results in the the
                Sliding Sync response.
-            to_token: The latest point in the stream to sync up to.
+            to_token: The point in the stream to sync up to.
            from_token: The point in the stream to sync from.
        """

@@ -165,32 +156,18 @@ class SlidingSyncExtensionHandler:
                from_token=from_token,
            )

-        thread_subs_coro = None
-        if (
-            sync_config.extensions.thread_subscriptions is not None
-            and self._enable_thread_subscriptions
-        ):
-            thread_subs_coro = self.get_thread_subscriptions_extension_response(
-                sync_config=sync_config,
-                thread_subscriptions_request=sync_config.extensions.thread_subscriptions,
-                to_token=to_token,
-                from_token=from_token,
-            )
-
        (
            to_device_response,
            e2ee_response,
            account_data_response,
            receipts_response,
            typing_response,
-            thread_subs_response,
        ) = await gather_optional_coroutines(
            to_device_coro,
            e2ee_coro,
            account_data_coro,
            receipts_coro,
            typing_coro,
-            thread_subs_coro,
        )

        return SlidingSyncResult.Extensions(
@@ -199,7 +176,6 @@ class SlidingSyncExtensionHandler:
            account_data=account_data_response,
            receipts=receipts_response,
            typing=typing_response,
-            thread_subscriptions=thread_subs_response,
        )

    def find_relevant_room_ids_for_extension(
@@ -901,72 +877,3 @@ class SlidingSyncExtensionHandler:
        return SlidingSyncResult.Extensions.TypingExtension(
            room_id_to_typing_map=room_id_to_typing_map,
        )
-
-    async def get_thread_subscriptions_extension_response(
-        self,
-        sync_config: SlidingSyncConfig,
-        thread_subscriptions_request: SlidingSyncConfig.Extensions.ThreadSubscriptionsExtension,
-        to_token: StreamToken,
-        from_token: Optional[SlidingSyncStreamToken],
-    ) -> Optional[SlidingSyncResult.Extensions.ThreadSubscriptionsExtension]:
-        """Handle Thread Subscriptions extension (MSC4308)
-
-        Args:
-            sync_config: Sync configuration
-            thread_subscriptions_request: The thread_subscriptions extension from the request
-            to_token: The point in the stream to sync up to.
-            from_token: The point in the stream to sync from.
-
-        Returns:
-            the response (None if empty or thread subscriptions are disabled)
-        """
-        if not thread_subscriptions_request.enabled:
-            return None
-
-        limit = thread_subscriptions_request.limit
-
-        if from_token:
-            from_stream_id = from_token.stream_token.thread_subscriptions_key
-        else:
-            from_stream_id = StreamToken.START.thread_subscriptions_key
-
-        to_stream_id = to_token.thread_subscriptions_key
-
-        updates = await self.store.get_latest_updated_thread_subscriptions_for_user(
-            user_id=sync_config.user.to_string(),
-            from_id=from_stream_id,
-            to_id=to_stream_id,
-            limit=limit,
-        )
-
-        if len(updates) == 0:
-            return None
-
-        subscribed_threads: Dict[str, Dict[str, _ThreadSubscription]] = {}
-        unsubscribed_threads: Dict[str, Dict[str, _ThreadUnsubscription]] = {}
-        for stream_id, room_id, thread_root_id, subscribed, automatic in updates:
-            if subscribed:
-                subscribed_threads.setdefault(room_id, {})[thread_root_id] = (
-                    _ThreadSubscription(
-                        automatic=automatic,
-                        bump_stamp=stream_id,
-                    )
-                )
-            else:
-                unsubscribed_threads.setdefault(room_id, {})[thread_root_id] = (
-                    _ThreadUnsubscription(bump_stamp=stream_id)
-                )
-
-        prev_batch = None
-        if len(updates) == limit:
-            # Tell the client about a potential gap where there may be more
-            # thread subscriptions for it to backpaginate.
-            # We subtract one because the 'later in the stream' bound is inclusive,
-            # and we already saw the element at index 0.
-            prev_batch = ThreadSubscriptionsToken(updates[0][0] - 1)
-
-        return SlidingSyncResult.Extensions.ThreadSubscriptionsExtension(
-            subscribed=subscribed_threads,
-            unsubscribed=unsubscribed_threads,
-            prev_batch=prev_batch,
-        )
--- a/synapse/handlers/sliding_sync/room_lists.py
+++ b/synapse/handlers/sliding_sync/room_lists.py
@@ -13,6 +13,7 @@
 #


+import enum
 import logging
 from itertools import chain
 from typing import (
@@ -74,7 +75,6 @@ from synapse.types.handlers.sliding_sync import (
 )
 from synapse.types.state import StateFilter
 from synapse.util import MutableOverlayMapping
-from synapse.util.sentinel import Sentinel

 if TYPE_CHECKING:
    from synapse.server import HomeServer
@@ -83,6 +83,12 @@ if TYPE_CHECKING:
 logger = logging.getLogger(__name__)


+class Sentinel(enum.Enum):
+    # defining a sentinel in this way allows mypy to correctly handle the
+    # type of a dictionary lookup and subsequent type narrowing.
+    UNSET_SENTINEL = object()
+
+
 # Helper definition for the types that we might return. We do this to avoid
 # copying data between types (which can be expensive for many rooms).
 RoomsForUserType = Union[RoomsForUserStateReset, RoomsForUser, RoomsForUserSlidingSync]
--- a/synapse/handlers/sync.py
+++ b/synapse/handlers/sync.py
@@ -20,6 +20,7 @@
 #
 import itertools
 import logging
+from enum import Enum
 from typing import (
    TYPE_CHECKING,
    AbstractSet,
@@ -27,11 +28,14 @@ from typing import (
    Dict,
    FrozenSet,
    List,
+    Literal,
    Mapping,
    Optional,
    Sequence,
    Set,
    Tuple,
+    Union,
+    overload,
 )

 import attr
@@ -116,6 +120,25 @@ LAZY_LOADED_MEMBERS_CACHE_MAX_SIZE = 100
 SyncRequestKey = Tuple[Any, ...]


+class SyncVersion(Enum):
+    """
+    Enum for specifying the version of sync request. This is used to key which type of
+    sync response that we are generating.
+
+    This is different than the `sync_type` you might see used in other code below; which
+    specifies the sub-type sync request (e.g. initial_sync, full_state_sync,
+    incremental_sync) and is really only relevant for the `/sync` v2 endpoint.
+    """
+
+    # These string values are semantically significant because they are used in the the
+    # metrics
+
+    # Traditional `/sync` endpoint
+    SYNC_V2 = "sync_v2"
+    # Part of MSC3575 Sliding Sync
+    E2EE_SYNC = "e2ee_sync"
+
+
@attr.s(slots=True, frozen=True, auto_attribs=True)
 class SyncConfig:
    user: UserID
@@ -285,6 +308,26 @@ class SyncResult:
        )


+@attr.s(slots=True, frozen=True, auto_attribs=True)
+class E2eeSyncResult:
+    """
+    Attributes:
+        next_batch: Token for the next sync
+        to_device: List of direct messages for the device.
+        device_lists: List of user_ids whose devices have changed
+        device_one_time_keys_count: Dict of algorithm to count for one time keys
+            for this device
+        device_unused_fallback_key_types: List of key types that have an unused fallback
+            key
+    """
+
+    next_batch: StreamToken
+    to_device: List[JsonDict]
+    device_lists: DeviceListUpdates
+    device_one_time_keys_count: JsonMapping
+    device_unused_fallback_key_types: List[str]
+
+
 class SyncHandler:
    def __init__(self, hs: "HomeServer"):
        self.server_name = hs.hostname
@@ -330,15 +373,52 @@ class SyncHandler:

        self.rooms_to_exclude_globally = hs.config.server.rooms_to_exclude_from_sync

+    @overload
    async def wait_for_sync_for_user(
        self,
        requester: Requester,
        sync_config: SyncConfig,
+        sync_version: Literal[SyncVersion.SYNC_V2],
        request_key: SyncRequestKey,
        since_token: Optional[StreamToken] = None,
        timeout: int = 0,
        full_state: bool = False,
-    ) -> SyncResult:
+    ) -> SyncResult: ...
+
+    @overload
+    async def wait_for_sync_for_user(
+        self,
+        requester: Requester,
+        sync_config: SyncConfig,
+        sync_version: Literal[SyncVersion.E2EE_SYNC],
+        request_key: SyncRequestKey,
+        since_token: Optional[StreamToken] = None,
+        timeout: int = 0,
+        full_state: bool = False,
+    ) -> E2eeSyncResult: ...
+
+    @overload
+    async def wait_for_sync_for_user(
+        self,
+        requester: Requester,
+        sync_config: SyncConfig,
+        sync_version: SyncVersion,
+        request_key: SyncRequestKey,
+        since_token: Optional[StreamToken] = None,
+        timeout: int = 0,
+        full_state: bool = False,
+    ) -> Union[SyncResult, E2eeSyncResult]: ...
+
+    async def wait_for_sync_for_user(
+        self,
+        requester: Requester,
+        sync_config: SyncConfig,
+        sync_version: SyncVersion,
+        request_key: SyncRequestKey,
+        since_token: Optional[StreamToken] = None,
+        timeout: int = 0,
+        full_state: bool = False,
+    ) -> Union[SyncResult, E2eeSyncResult]:
        """Get the sync for a client if we have new data for it now. Otherwise
        wait for new data to arrive on the server. If the timeout expires, then
        return an empty sync result.
@@ -353,7 +433,8 @@ class SyncHandler:
            full_state: Whether to return the full state for each room.

        Returns:
-            returns a full `SyncResult`.
+            When `SyncVersion.SYNC_V2`, returns a full `SyncResult`.
+            When `SyncVersion.E2EE_SYNC`, returns a `E2eeSyncResult`.
        """
        # If the user is not part of the mau group, then check that limits have
        # not been exceeded (if not part of the group by this point, almost certain
@@ -365,6 +446,7 @@ class SyncHandler:
            request_key,
            self._wait_for_sync_for_user,
            sync_config,
+            sync_version,
            since_token,
            timeout,
            full_state,
@@ -373,14 +455,48 @@ class SyncHandler:
        logger.debug("Returning sync response for %s", user_id)
        return res

+    @overload
    async def _wait_for_sync_for_user(
        self,
        sync_config: SyncConfig,
+        sync_version: Literal[SyncVersion.SYNC_V2],
        since_token: Optional[StreamToken],
        timeout: int,
        full_state: bool,
        cache_context: ResponseCacheContext[SyncRequestKey],
-    ) -> SyncResult:
+    ) -> SyncResult: ...
+
+    @overload
+    async def _wait_for_sync_for_user(
+        self,
+        sync_config: SyncConfig,
+        sync_version: Literal[SyncVersion.E2EE_SYNC],
+        since_token: Optional[StreamToken],
+        timeout: int,
+        full_state: bool,
+        cache_context: ResponseCacheContext[SyncRequestKey],
+    ) -> E2eeSyncResult: ...
+
+    @overload
+    async def _wait_for_sync_for_user(
+        self,
+        sync_config: SyncConfig,
+        sync_version: SyncVersion,
+        since_token: Optional[StreamToken],
+        timeout: int,
+        full_state: bool,
+        cache_context: ResponseCacheContext[SyncRequestKey],
+    ) -> Union[SyncResult, E2eeSyncResult]: ...
+
+    async def _wait_for_sync_for_user(
+        self,
+        sync_config: SyncConfig,
+        sync_version: SyncVersion,
+        since_token: Optional[StreamToken],
+        timeout: int,
+        full_state: bool,
+        cache_context: ResponseCacheContext[SyncRequestKey],
+    ) -> Union[SyncResult, E2eeSyncResult]:
        """The start of the machinery that produces a /sync response.

        See https://spec.matrix.org/v1.1/client-server-api/#syncing for full details.
@@ -401,7 +517,7 @@ class SyncHandler:
        else:
            sync_type = "incremental_sync"

-        sync_label = f"sync_v2:{sync_type}"
+        sync_label = f"{sync_version}:{sync_type}"

        context = current_context()
        if context:
@@ -462,15 +578,19 @@ class SyncHandler:
        if timeout == 0 or since_token is None or full_state:
            # we are going to return immediately, so don't bother calling
            # notifier.wait_for_events.
-            result = await self.current_sync_for_user(
-                sync_config, since_token, full_state=full_state
+            result: Union[
+                SyncResult, E2eeSyncResult
+            ] = await self.current_sync_for_user(
+                sync_config, sync_version, since_token, full_state=full_state
            )
        else:
            # Otherwise, we wait for something to happen and report it to the user.
            async def current_sync_callback(
                before_token: StreamToken, after_token: StreamToken
-            ) -> SyncResult:
-                return await self.current_sync_for_user(sync_config, since_token)
+            ) -> Union[SyncResult, E2eeSyncResult]:
+                return await self.current_sync_for_user(
+                    sync_config, sync_version, since_token
+                )

            result = await self.notifier.wait_for_events(
                sync_config.user.to_string(),
@@ -503,15 +623,43 @@ class SyncHandler:

        return result

+    @overload
    async def current_sync_for_user(
        self,
        sync_config: SyncConfig,
+        sync_version: Literal[SyncVersion.SYNC_V2],
        since_token: Optional[StreamToken] = None,
        full_state: bool = False,
-    ) -> SyncResult:
+    ) -> SyncResult: ...
+
+    @overload
+    async def current_sync_for_user(
+        self,
+        sync_config: SyncConfig,
+        sync_version: Literal[SyncVersion.E2EE_SYNC],
+        since_token: Optional[StreamToken] = None,
+        full_state: bool = False,
+    ) -> E2eeSyncResult: ...
+
+    @overload
+    async def current_sync_for_user(
+        self,
+        sync_config: SyncConfig,
+        sync_version: SyncVersion,
+        since_token: Optional[StreamToken] = None,
+        full_state: bool = False,
+    ) -> Union[SyncResult, E2eeSyncResult]: ...
+
+    async def current_sync_for_user(
+        self,
+        sync_config: SyncConfig,
+        sync_version: SyncVersion,
+        since_token: Optional[StreamToken] = None,
+        full_state: bool = False,
+    ) -> Union[SyncResult, E2eeSyncResult]:
        """
        Generates the response body of a sync result, represented as a
-        `SyncResult`.
+        `SyncResult`/`E2eeSyncResult`.

        This is a wrapper around `generate_sync_result` which starts an open tracing
        span to track the sync. See `generate_sync_result` for the next part of your
@@ -524,15 +672,28 @@ class SyncHandler:
            full_state: Whether to return the full state for each room.

        Returns:
-            returns a full `SyncResult`.
+            When `SyncVersion.SYNC_V2`, returns a full `SyncResult`.
+            When `SyncVersion.E2EE_SYNC`, returns a `E2eeSyncResult`.
        """
        with start_active_span("sync.current_sync_for_user"):
            log_kv({"since_token": since_token})

            # Go through the `/sync` v2 path
-            sync_result = await self.generate_sync_result(
-                sync_config, since_token, full_state
-            )
+            if sync_version == SyncVersion.SYNC_V2:
+                sync_result: Union[
+                    SyncResult, E2eeSyncResult
+                ] = await self.generate_sync_result(
+                    sync_config, since_token, full_state
+                )
+            # Go through the MSC3575 Sliding Sync `/sync/e2ee` path
+            elif sync_version == SyncVersion.E2EE_SYNC:
+                sync_result = await self.generate_e2ee_sync_result(
+                    sync_config, since_token
+                )
+            else:
+                raise Exception(
+                    f"Unknown sync_version (this is a Synapse problem): {sync_version}"
+                )

            set_tag(SynapseTags.SYNC_RESULT, bool(sync_result))
            return sync_result
@@ -1807,6 +1968,102 @@ class SyncHandler:
            next_batch=sync_result_builder.now_token,
        )

+    async def generate_e2ee_sync_result(
+        self,
+        sync_config: SyncConfig,
+        since_token: Optional[StreamToken] = None,
+    ) -> E2eeSyncResult:
+        """
+        Generates the response body of a MSC3575 Sliding Sync `/sync/e2ee` result.
+
+        This is represented by a `E2eeSyncResult` struct, which is built from small
+        pieces using a `SyncResultBuilder`. The `sync_result_builder` is passed as a
+        mutable ("inout") parameter to various helper functions. These retrieve and
+        process the data which forms the sync body, often writing to the
+        `sync_result_builder` to store their output.
+
+        At the end, we transfer data from the `sync_result_builder` to a new `E2eeSyncResult`
+        instance to signify that the sync calculation is complete.
+        """
+        user_id = sync_config.user.to_string()
+        app_service = self.store.get_app_service_by_user_id(user_id)
+        if app_service:
+            # We no longer support AS users using /sync directly.
+            # See https://github.com/matrix-org/matrix-doc/issues/1144
+            raise NotImplementedError()
+
+        sync_result_builder = await self.get_sync_result_builder(
+            sync_config,
+            since_token,
+            full_state=False,
+        )
+
+        # 1. Calculate `to_device` events
+        await self._generate_sync_entry_for_to_device(sync_result_builder)
+
+        # 2. Calculate `device_lists`
+        # Device list updates are sent if a since token is provided.
+        device_lists = DeviceListUpdates()
+        include_device_list_updates = bool(since_token and since_token.device_list_key)
+        if include_device_list_updates:
+            # Note that _generate_sync_entry_for_rooms sets sync_result_builder.joined, which
+            # is used in calculate_user_changes below.
+            #
+            # TODO: Running `_generate_sync_entry_for_rooms()` is a lot of work just to
+            # figure out the membership changes/derived info needed for
+            # `_generate_sync_entry_for_device_list()`. In the future, we should try to
+            # refactor this away.
+            (
+                newly_joined_rooms,
+                newly_left_rooms,
+            ) = await self._generate_sync_entry_for_rooms(sync_result_builder)
+
+            # This uses the sync_result_builder.joined which is set in
+            # `_generate_sync_entry_for_rooms`, if that didn't find any joined
+            # rooms for some reason it is a no-op.
+            (
+                newly_joined_or_invited_or_knocked_users,
+                newly_left_users,
+            ) = sync_result_builder.calculate_user_changes()
+
+            # include_device_list_updates can only be True if we have a
+            # since token.
+            assert since_token is not None
+            device_lists = await self._device_handler.generate_sync_entry_for_device_list(
+                user_id=user_id,
+                since_token=since_token,
+                now_token=sync_result_builder.now_token,
+                joined_room_ids=sync_result_builder.joined_room_ids,
+                newly_joined_rooms=newly_joined_rooms,
+                newly_joined_or_invited_or_knocked_users=newly_joined_or_invited_or_knocked_users,
+                newly_left_rooms=newly_left_rooms,
+                newly_left_users=newly_left_users,
+            )
+
+        # 3. Calculate `device_one_time_keys_count` and `device_unused_fallback_key_types`
+        device_id = sync_config.device_id
+        one_time_keys_count: JsonMapping = {}
+        unused_fallback_key_types: List[str] = []
+        if device_id:
+            # TODO: We should have a way to let clients differentiate between the states of:
+            #   * no change in OTK count since the provided since token
+            #   * the server has zero OTKs left for this device
+            #  Spec issue: https://github.com/matrix-org/matrix-doc/issues/3298
+            one_time_keys_count = await self.store.count_e2e_one_time_keys(
+                user_id, device_id
+            )
+            unused_fallback_key_types = list(
+                await self.store.get_e2e_unused_fallback_key_types(user_id, device_id)
+            )
+
+        return E2eeSyncResult(
+            to_device=sync_result_builder.to_device,
+            device_lists=device_lists,
+            device_one_time_keys_count=one_time_keys_count,
+            device_unused_fallback_key_types=unused_fallback_key_types,
+            next_batch=sync_result_builder.now_token,
+        )
+
    async def get_sync_result_builder(
        self,
        sync_config: SyncConfig,
--- a/synapse/handlers/thread_subscriptions.py
+++ b/synapse/handlers/thread_subscriptions.py
@@ -9,7 +9,7 @@ from synapse.storage.databases.main.thread_subscriptions import (
    AutomaticSubscriptionConflicted,
    ThreadSubscription,
 )
-from synapse.types import EventOrderings, StreamKeyType, UserID
+from synapse.types import EventOrderings, UserID

 if TYPE_CHECKING:
    from synapse.server import HomeServer
@@ -22,7 +22,6 @@ class ThreadSubscriptionsHandler:
        self.store = hs.get_datastores().main
        self.event_handler = hs.get_event_handler()
        self.auth = hs.get_auth()
-        self._notifier = hs.get_notifier()

    async def get_thread_subscription_settings(
        self,
@@ -133,15 +132,6 @@ class ThreadSubscriptionsHandler:
                errcode=Codes.MSC4306_CONFLICTING_UNSUBSCRIPTION,
            )

-        if outcome is not None:
-            # wake up user streams (e.g. sliding sync) on the same worker
-            self._notifier.on_new_event(
-                StreamKeyType.THREAD_SUBSCRIPTIONS,
-                # outcome is a stream_id
-                outcome,
-                users=[user_id.to_string()],
-            )
-
        return outcome

    async def unsubscribe_user_from_thread(
@@ -172,19 +162,8 @@ class ThreadSubscriptionsHandler:
            logger.info("rejecting thread subscriptions change (thread not accessible)")
            raise NotFoundError("No such thread root")

-        outcome = await self.store.unsubscribe_user_from_thread(
+        return await self.store.unsubscribe_user_from_thread(
            user_id.to_string(),
            event.room_id,
            thread_root_event_id,
        )
-
-        if outcome is not None:
-            # wake up user streams (e.g. sliding sync) on the same worker
-            self._notifier.on_new_event(
-                StreamKeyType.THREAD_SUBSCRIPTIONS,
-                # outcome is a stream_id
-                outcome,
-                users=[user_id.to_string()],
-            )
-
-        return outcome
--- a/synapse/handlers/ui_auth/checkers.py
+++ b/synapse/handlers/ui_auth/checkers.py
@@ -27,7 +27,7 @@ from twisted.web.client import PartialDownloadError

 from synapse.api.constants import LoginType
 from synapse.api.errors import Codes, LoginError, SynapseError
-from synapse.util.json import json_decoder
+from synapse.util import json_decoder

 if TYPE_CHECKING:
    from synapse.server import HomeServer
--- a/synapse/http/client.py
+++ b/synapse/http/client.py
@@ -87,8 +87,8 @@ from synapse.logging.context import make_deferred_yieldable, run_in_background
 from synapse.logging.opentracing import set_tag, start_active_span, tags
 from synapse.metrics import SERVER_NAME_LABEL
 from synapse.types import ISynapseReactor, StrSequence
+from synapse.util import json_decoder
 from synapse.util.async_helpers import timeout_deferred
-from synapse.util.json import json_decoder

 if TYPE_CHECKING:
    from synapse.server import HomeServer
--- a/synapse/http/federation/matrix_federation_agent.py
+++ b/synapse/http/federation/matrix_federation_agent.py
@@ -49,7 +49,7 @@ from synapse.http.federation.well_known_resolver import WellKnownResolver
 from synapse.http.proxyagent import ProxyAgent
 from synapse.logging.context import make_deferred_yieldable, run_in_background
 from synapse.types import ISynapseReactor
-from synapse.util.clock import Clock
+from synapse.util import Clock

 logger = logging.getLogger(__name__)

--- a/synapse/http/federation/well_known_resolver.py
+++ b/synapse/http/federation/well_known_resolver.py
@@ -27,6 +27,7 @@ from typing import Callable, Dict, Optional, Tuple
 import attr

 from twisted.internet import defer
+from twisted.internet.interfaces import IReactorTime
 from twisted.web.client import RedirectAgent
 from twisted.web.http import stringToDatetime
 from twisted.web.http_headers import Headers
@@ -34,10 +35,8 @@ from twisted.web.iweb import IAgent, IResponse

 from synapse.http.client import BodyExceededMaxSize, read_body_with_max_size
 from synapse.logging.context import make_deferred_yieldable
-from synapse.types import ISynapseThreadlessReactor
+from synapse.util import Clock, json_decoder
 from synapse.util.caches.ttlcache import TTLCache
-from synapse.util.clock import Clock
-from synapse.util.json import json_decoder
 from synapse.util.metrics import Measure

 # period to cache .well-known results for by default
@@ -89,7 +88,7 @@ class WellKnownResolver:
    def __init__(
        self,
        server_name: str,
-        reactor: ISynapseThreadlessReactor,
+        reactor: IReactorTime,
        agent: IAgent,
        user_agent: bytes,
        well_known_cache: Optional[TTLCache[bytes, Optional[bytes]]] = None,
--- a/synapse/http/matrixfederationclient.py
+++ b/synapse/http/matrixfederationclient.py
@@ -89,8 +89,8 @@ from synapse.logging.context import make_deferred_yieldable, run_in_background
 from synapse.logging.opentracing import set_tag, start_active_span, tags
 from synapse.metrics import SERVER_NAME_LABEL
 from synapse.types import JsonDict
+from synapse.util import json_decoder
 from synapse.util.async_helpers import AwakenableSleeper, Linearizer, timeout_deferred
-from synapse.util.json import json_decoder
 from synapse.util.metrics import Measure
 from synapse.util.stringutils import parse_and_validate_server_name

--- a/synapse/http/request_metrics.py
+++ b/synapse/http/request_metrics.py
@@ -164,13 +164,11 @@ def _get_in_flight_counts() -> Mapping[Tuple[str, ...], int]:
    return counts


-in_flight_requests = LaterGauge(
+LaterGauge(
    name="synapse_http_server_in_flight_requests_count",
    desc="",
    labelnames=["method", "servlet", SERVER_NAME_LABEL],
-)
-in_flight_requests.register_hook(
-    homeserver_instance_id=None, hook=_get_in_flight_counts
+    caller=_get_in_flight_counts,
 )


--- a/synapse/http/server.py
+++ b/synapse/http/server.py
@@ -52,11 +52,10 @@ from zope.interface import implementer

 from twisted.internet import defer, interfaces, reactor
 from twisted.internet.defer import CancelledError
+from twisted.internet.interfaces import IReactorTime
 from twisted.python import failure
 from twisted.web import resource

-from synapse.types import ISynapseThreadlessReactor
-
 try:
    from twisted.web.pages import notFound
 except ImportError:
@@ -78,11 +77,10 @@ from synapse.api.errors import (
 from synapse.config.homeserver import HomeServerConfig
 from synapse.logging.context import defer_to_thread, preserve_fn, run_in_background
 from synapse.logging.opentracing import active_span, start_active_span, trace_servlet
+from synapse.util import Clock, json_encoder
 from synapse.util.caches import intern_dict
 from synapse.util.cancellation import is_function_cancellable
-from synapse.util.clock import Clock
 from synapse.util.iterutils import chunk_seq
-from synapse.util.json import json_encoder

 if TYPE_CHECKING:
    import opentracing
@@ -412,7 +410,7 @@ class DirectServeJsonResource(_AsyncResource):
        clock: Optional[Clock] = None,
    ):
        if clock is None:
-            clock = Clock(cast(ISynapseThreadlessReactor, reactor))
+            clock = Clock(cast(IReactorTime, reactor))

        super().__init__(clock, extract_context)
        self.canonical_json = canonical_json
@@ -591,7 +589,7 @@ class DirectServeHtmlResource(_AsyncResource):
        clock: Optional[Clock] = None,
    ):
        if clock is None:
-            clock = Clock(cast(ISynapseThreadlessReactor, reactor))
+            clock = Clock(cast(IReactorTime, reactor))

        super().__init__(clock, extract_context)

@@ -704,10 +702,6 @@ class _ByteProducer:
        self._request: Optional[Request] = request
        self._iterator = iterator
        self._paused = False
-        self.tracing_scope = start_active_span(
-            "write_bytes_to_request",
-        )
-        self.tracing_scope.__enter__()

        try:
            self._request.registerProducer(self, True)
@@ -718,8 +712,8 @@ class _ByteProducer:
            logger.info("Connection disconnected before response was written: %r", e)

            # We drop our references to data we'll not use.
+            self._request = None
            self._iterator = iter(())
-            self.tracing_scope.__exit__(type(e), None, e.__traceback__)
        else:
            # Start producing if `registerProducer` was successful
            self.resumeProducing()
@@ -733,9 +727,6 @@ class _ByteProducer:
        self._request.write(b"".join(data))

    def pauseProducing(self) -> None:
-        opentracing_span = active_span()
-        if opentracing_span is not None:
-            opentracing_span.log_kv({"event": "producer_paused"})
        self._paused = True

    def resumeProducing(self) -> None:
@@ -746,10 +737,6 @@ class _ByteProducer:

        self._paused = False

-        opentracing_span = active_span()
-        if opentracing_span is not None:
-            opentracing_span.log_kv({"event": "producer_resumed"})
-
        # Write until there's backpressure telling us to stop.
        while not self._paused:
            # Get the next chunk and write it to the request.
@@ -784,7 +771,6 @@ class _ByteProducer:
    def stopProducing(self) -> None:
        # Clear a circular reference.
        self._request = None
-        self.tracing_scope.__exit__(None, None, None)


 def _encode_json_bytes(json_object: object) -> bytes:
@@ -927,9 +913,8 @@ def _write_bytes_to_request(request: Request, bytes_to_write: bytes) -> None:
    # once (via `Request.write`) is that doing so starts the timeout for the
    # next request to be received: so if it takes longer than 60s to stream back
    # the response to the client, the client never gets it.
-    # c.f https://github.com/twisted/twisted/issues/12498
    #
-    # One workaround is to use a `Producer`; then the timeout is only
+    # The correct solution is to use a Producer; then the timeout is only
    # started once all of the content is sent over the TCP connection.

    # To make sure we don't write all of the bytes at once we split it up into
--- a/synapse/http/servlet.py
+++ b/synapse/http/servlet.py
@@ -51,7 +51,7 @@ from synapse.api.errors import Codes, SynapseError
 from synapse.http import redact_uri
 from synapse.http.server import HttpServer
 from synapse.types import JsonDict, RoomAlias, RoomID, StrCollection
-from synapse.util.json import json_decoder
+from synapse.util import json_decoder

 if TYPE_CHECKING:
    from synapse.server import HomeServer
@@ -130,16 +130,6 @@ def parse_integer(
    return parse_integer_from_args(args, name, default, required, negative)


-@overload
-def parse_integer_from_args(
-    args: Mapping[bytes, Sequence[bytes]],
-    name: str,
-    default: int,
-    required: Literal[False] = False,
-    negative: bool = False,
-) -> int: ...
-
-
@overload
 def parse_integer_from_args(
    args: Mapping[bytes, Sequence[bytes]],
--- a/synapse/logging/context.py
+++ b/synapse/logging/context.py
@@ -56,6 +56,7 @@ from twisted.internet import defer, threads
 from twisted.python.threadpool import ThreadPool

 if TYPE_CHECKING:
+    from synapse.logging.scopecontextmanager import _LogContextScope
    from synapse.types import ISynapseReactor

 logger = logging.getLogger(__name__)
@@ -227,24 +228,16 @@ LoggingContextOrSentinel = Union["LoggingContext", "_Sentinel"]


 class _Sentinel:
-    """
-    Sentinel to represent the root context
+    """Sentinel to represent the root context"""

-    This should only be used for tasks outside of Synapse like when we yield control
-    back to the Twisted reactor (event loop) so we don't leak the current logging
-    context to other tasks that are scheduled next in the event loop.
-
-    Nothing from the Synapse homeserver should be logged with the sentinel context. i.e.
-    we should always know which server the logs are coming from.
-    """
-
-    __slots__ = ["previous_context", "finished", "request", "tag"]
+    __slots__ = ["previous_context", "finished", "request", "scope", "tag"]

    def __init__(self) -> None:
        # Minimal set for compatibility with LoggingContext
        self.previous_context = None
        self.finished = False
        self.request = None
+        self.scope = None
        self.tag = None

    def __str__(self) -> str:
@@ -297,6 +290,7 @@ class LoggingContext:
        "finished",
        "request",
        "tag",
+        "scope",
    ]

    def __init__(
@@ -317,6 +311,7 @@ class LoggingContext:
        self.main_thread = get_thread_id()
        self.request = None
        self.tag = ""
+        self.scope: Optional["_LogContextScope"] = None

        # keep track of whether we have hit the __exit__ block for this context
        # (suggesting that the the thing that created the context thinks it should
@@ -329,6 +324,9 @@ class LoggingContext:
            # we track the current request_id
            self.request = self.parent_context.request

+            # we also track the current scope:
+            self.scope = self.parent_context.scope
+
        if request is not None:
            # the request param overrides the request from the parent context
            self.request = request
@@ -625,17 +623,9 @@ class LoggingContextFilter(logging.Filter):


 class PreserveLoggingContext:
-    """
-    Context manager which replaces the logging context
+    """Context manager which replaces the logging context

-    The previous logging context is restored on exit.
-
-    `make_deferred_yieldable` is pretty equivalent to using `with
-    PreserveLoggingContext():` (using the default sentinel context), i.e. it clears the
-    logcontext before awaiting (and so before execution passes back to the reactor) and
-    restores the old context once the awaitable completes (execution passes from the
-    reactor back to the code).
-    """
+    The previous logging context is restored on exit."""

    __slots__ = ["_old_context", "_new_context"]

@@ -801,17 +791,6 @@ def run_in_background(
    return from the function, and that the sentinel context is set once the
    deferred returned by the function completes.

-    To explain how the log contexts work here:
-     - When `run_in_background` is called, the calling logcontext is stored
-       ("original"), we kick off the background task in the current context, and we
-       restore that original context before returning.
-     - For a completed deferred, that's the end of the story.
-     - For an incomplete deferred, when the background task finishes, we don't want to
-       leak our context into the reactor which would erroneously get attached to the
-       next operation picked up by the event loop. We add a callback to the deferred
-       which will clear the logging context after it finishes and yields control back to
-       the reactor.
-
    Useful for wrapping functions that return a deferred or coroutine, which you don't
    yield or await on (for instance because you want to pass it to
    deferred.gatherResults()).
@@ -823,15 +802,9 @@ def run_in_background(
    `f` doesn't raise any deferred exceptions, otherwise a scary-looking
    CRITICAL error about an unhandled error will be logged without much
    indication about where it came from.
-
-    Returns:
-        Deferred which returns the result of func, or `None` if func raises.
-        Note that the returned Deferred does not follow the synapse logcontext
-        rules.
    """
-    calling_context = current_context()
+    current = current_context()
    try:
-        # (kick off the task in the current context)
        res = f(*args, **kwargs)
    except Exception:
        # the assumption here is that the caller doesn't want to be disturbed
@@ -840,9 +813,6 @@ def run_in_background(

    # `res` may be a coroutine, `Deferred`, some other kind of awaitable, or a plain
    # value. Convert it to a `Deferred`.
-    #
-    # Wrapping the value in a deferred has the side effect of executing the coroutine,
-    # if it is one. If it's already a deferred, then we can just use that.
    d: "defer.Deferred[R]"
    if isinstance(res, typing.Coroutine):
        # Wrap the coroutine in a `Deferred`.
@@ -857,38 +827,20 @@ def run_in_background(
        # `res` is a plain value. Wrap it in a `Deferred`.
        d = defer.succeed(res)

-    # The deferred has already completed
    if d.called and not d.paused:
-        # If the function messes with logcontexts, we can assume it follows the Synapse
-        # logcontext rules (Rules for functions returning awaitables: "If the awaitable
-        # is already complete, the function returns with the same logcontext it started
-        # with."). If it function doesn't touch logcontexts at all, we can also assume
-        # the logcontext is unchanged.
-        #
-        # Either way, the function should have maintained the calling logcontext, so we
-        # can avoid messing with it further. Additionally, if the deferred has already
-        # completed, then it would be a mistake to then add a deferred callback (below)
-        # to reset the logcontext to the sentinel logcontext as that would run
-        # immediately (remember our goal is to maintain the calling logcontext when we
-        # return).
+        # The function should have maintained the logcontext, so we can
+        # optimise out the messing about
        return d

-    # Since the function we called may follow the Synapse logcontext rules (Rules for
-    # functions returning awaitables: "If the awaitable is incomplete, the function
-    # clears the logcontext before returning"), the function may have reset the
-    # logcontext before returning, so we need to restore the calling logcontext now
-    # before we return ourselves.
-    #
-    # Our goal is to have the caller logcontext unchanged after firing off the
-    # background task and returning.
-    set_current_context(calling_context)
+    # The function may have reset the context before returning, so
+    # we need to restore it now.
+    ctx = set_current_context(current)

-    # If the function we called is playing nice and following the Synapse logcontext
-    # rules, it will restore original calling logcontext when the deferred completes;
-    # but there is nothing waiting for it, so it will get leaked into the reactor (which
-    # would then get picked up by the next thing the reactor does). We therefore need to
-    # reset the logcontext here (set the `sentinel` logcontext) before yielding control
-    # back to the reactor.
+    # The original context will be restored when the deferred
+    # completes, but there is nothing waiting for it, so it will
+    # get leaked into the reactor or some other function which
+    # wasn't expecting it. We therefore need to reset the context
+    # here.
    #
    # (If this feels asymmetric, consider it this way: we are
    # effectively forking a new thread of execution. We are
@@ -896,7 +848,7 @@ def run_in_background(
    # which is supposed to have a single entry and exit point. But
    # by spawning off another deferred, we are effectively
    # adding a new exit point.)
-    d.addBoth(_set_context_cb, SENTINEL_CONTEXT)
+    d.addBoth(_set_context_cb, ctx)
    return d


@@ -910,63 +862,57 @@ def run_coroutine_in_background(
    Useful for wrapping coroutines that you don't yield or await on (for
    instance because you want to pass it to deferred.gatherResults()).

-    This is a special case of `run_in_background` where we can accept a coroutine
-    directly rather than a function. We can do this because coroutines do not continue
-    running once they have yielded.
-
-    This is an ergonomic helper so we can do this:
-    ```python
-    run_coroutine_in_background(func1(arg1))
-    ```
-    Rather than having to do this:
-    ```python
-    run_in_background(lambda: func1(arg1))
-    ```
+    This is a special case of `run_in_background` where we can accept a
+    coroutine directly rather than a function. We can do this because coroutines
+    do not run until called, and so calling an async function without awaiting
+    cannot change the log contexts.
    """
-    return run_in_background(lambda: coroutine)
+
+    current = current_context()
+    d = defer.ensureDeferred(coroutine)
+
+    # The function may have reset the context before returning, so
+    # we need to restore it now.
+    ctx = set_current_context(current)
+
+    # The original context will be restored when the deferred
+    # completes, but there is nothing waiting for it, so it will
+    # get leaked into the reactor or some other function which
+    # wasn't expecting it. We therefore need to reset the context
+    # here.
+    #
+    # (If this feels asymmetric, consider it this way: we are
+    # effectively forking a new thread of execution. We are
+    # probably currently within a ``with LoggingContext()`` block,
+    # which is supposed to have a single entry and exit point. But
+    # by spawning off another deferred, we are effectively
+    # adding a new exit point.)
+    d.addBoth(_set_context_cb, ctx)
+    return d


 T = TypeVar("T")


 def make_deferred_yieldable(deferred: "defer.Deferred[T]") -> "defer.Deferred[T]":
+    """Given a deferred, make it follow the Synapse logcontext rules:
+
+    If the deferred has completed, essentially does nothing (just returns another
+    completed deferred with the result/failure).
+
+    If the deferred has not yet completed, resets the logcontext before
+    returning a deferred. Then, when the deferred completes, restores the
+    current logcontext before running callbacks/errbacks.
+
+    (This is more-or-less the opposite operation to run_in_background.)
    """
-    Given a deferred, make it follow the Synapse logcontext rules:
-
-    - If the deferred has completed, essentially does nothing (just returns another
-      completed deferred with the result/failure).
-    - If the deferred has not yet completed, resets the logcontext before returning a
-      incomplete deferred. Then, when the deferred completes, restores the current
-      logcontext before running callbacks/errbacks.
-
-    This means the resultant deferred can be awaited without leaking the current
-    logcontext to the reactor (which would then get erroneously picked up by the next
-    thing the reactor does), and also means that the logcontext is preserved when the
-    deferred completes.
-
-    (This is more-or-less the opposite operation to run_in_background in terms of how it
-    handles log contexts.)
-
-    Pretty much equivalent to using `with PreserveLoggingContext():`, i.e. it clears the
-    logcontext before awaiting (and so before execution passes back to the reactor) and
-    restores the old context once the awaitable completes (execution passes from the
-    reactor back to the code).
-    """
-    # The deferred has already completed
    if deferred.called and not deferred.paused:
        # it looks like this deferred is ready to run any callbacks we give it
        # immediately. We may as well optimise out the logcontext faffery.
        return deferred

-    # Our goal is to have the caller logcontext unchanged after they yield/await the
-    # returned deferred.
-    #
-    # When the caller yield/await's the returned deferred, it may yield
-    # control back to the reactor. To avoid leaking the current logcontext to the
-    # reactor (which would then get erroneously picked up by the next thing the reactor
-    # does) while the deferred runs in the reactor event loop, we reset the logcontext
-    # and add a callback to the deferred to restore it so the caller's logcontext is
-    # active when the deferred completes.
+    # ok, we can't be sure that a yield won't block, so let's reset the
+    # logcontext, and add a callback to the deferred to restore it.
    prev_context = set_current_context(SENTINEL_CONTEXT)
    deferred.addBoth(_set_context_cb, prev_context)
    return deferred
--- a/synapse/logging/handlers.py
+++ b/synapse/logging/handlers.py
@@ -60,18 +60,8 @@ class PeriodicallyFlushingMemoryHandler(MemoryHandler):
        else:
            reactor_to_use = reactor

-        # Call our hook when the reactor start up
-        #
-        # type-ignore: Ideally, we'd use `Clock.call_when_running(...)`, but
-        # `PeriodicallyFlushingMemoryHandler` is instantiated via Python logging
-        # configuration, so it's not straightforward to pass in the homeserver's clock
-        # (and we don't want to burden other peoples logging config with the details).
-        #
-        # The important reason why we want to use `Clock.call_when_running` is so that
-        # the callback runs with a logcontext as we want to know which server the logs
-        # came from. But since we don't log anything in the callback, it's safe to
-        # ignore the lint here.
-        reactor_to_use.callWhenRunning(on_reactor_running)  # type: ignore[prefer-synapse-clock-call-when-running]
+        # call our hook when the reactor start up
+        reactor_to_use.callWhenRunning(on_reactor_running)

    def shouldFlush(self, record: LogRecord) -> bool:
        """
--- a/synapse/logging/opentracing.py
+++ b/synapse/logging/opentracing.py
@@ -204,7 +204,7 @@ from twisted.web.http import Request
 from twisted.web.http_headers import Headers

 from synapse.config import ConfigError
-from synapse.util.json import json_decoder, json_encoder
+from synapse.util import json_decoder, json_encoder

 if TYPE_CHECKING:
    from synapse.http.site import SynapseRequest
@@ -251,17 +251,18 @@ class _DummyTagNames:
 try:
    import opentracing
    import opentracing.tags
-    from opentracing.scope_managers.contextvars import ContextVarsScopeManager

    tags = opentracing.tags
 except ImportError:
    opentracing = None  # type: ignore[assignment]
    tags = _DummyTagNames  # type: ignore[assignment]
-    ContextVarsScopeManager = None  # type: ignore
 try:
    from jaeger_client import Config as JaegerConfig
+
+    from synapse.logging.scopecontextmanager import LogContextScopeManager
 except ImportError:
    JaegerConfig = None  # type: ignore
+    LogContextScopeManager = None  # type: ignore


 try:
@@ -483,7 +484,7 @@ def init_tracer(hs: "HomeServer") -> None:
    config = JaegerConfig(
        config=jaeger_config,
        service_name=f"{hs.config.server.server_name} {instance_name_by_type}",
-        scope_manager=ContextVarsScopeManager(),
+        scope_manager=LogContextScopeManager(),
        metrics_factory=PrometheusMetricsFactory(),
    )

--- a/synapse/logging/scopecontextmanager.py
+++ b/synapse/logging/scopecontextmanager.py
@@ -0,0 +1,161 @@
+#
+# This file is licensed under the Affero General Public License (AGPL) version 3.
+#
+# Copyright 2019 The Matrix.org Foundation C.I.C.
+# Copyright (C) 2023 New Vector, Ltd
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# See the GNU Affero General Public License for more details:
+# <https://www.gnu.org/licenses/agpl-3.0.html>.
+#
+# Originally licensed under the Apache License, Version 2.0:
+# <http://www.apache.org/licenses/LICENSE-2.0>.
+#
+# [This file includes modifications made by New Vector Limited]
+#
+#
+
+import logging
+from typing import Optional
+
+from opentracing import Scope, ScopeManager, Span
+
+from synapse.logging.context import (
+    LoggingContext,
+    current_context,
+    nested_logging_context,
+)
+
+logger = logging.getLogger(__name__)
+
+
+class LogContextScopeManager(ScopeManager):
+    """
+    The LogContextScopeManager tracks the active scope in opentracing
+    by using the log contexts which are native to synapse. This is so
+    that the basic opentracing api can be used across twisted defereds.
+
+    It would be nice just to use opentracing's ContextVarsScopeManager,
+    but currently that doesn't work due to https://twistedmatrix.com/trac/ticket/10301.
+    """
+
+    def __init__(self) -> None:
+        pass
+
+    @property
+    def active(self) -> Optional[Scope]:
+        """
+        Returns the currently active Scope which can be used to access the
+        currently active Scope.span.
+        If there is a non-null Scope, its wrapped Span
+        becomes an implicit parent of any newly-created Span at
+        Tracer.start_active_span() time.
+
+        Return:
+            The Scope that is active, or None if not available.
+        """
+        ctx = current_context()
+        return ctx.scope
+
+    def activate(self, span: Span, finish_on_close: bool) -> Scope:
+        """
+        Makes a Span active.
+        Args
+            span: the span that should become active.
+            finish_on_close: whether Span should be automatically finished when
+                Scope.close() is called.
+
+        Returns:
+            Scope to control the end of the active period for
+            *span*. It is a programming error to neglect to call
+            Scope.close() on the returned instance.
+        """
+
+        ctx = current_context()
+
+        if not ctx:
+            logger.error("Tried to activate scope outside of loggingcontext")
+            return Scope(None, span)  # type: ignore[arg-type]
+
+        if ctx.scope is not None:
+            # start a new logging context as a child of the existing one.
+            # Doing so -- rather than updating the existing logcontext -- means that
+            # creating several concurrent spans under the same logcontext works
+            # correctly.
+            ctx = nested_logging_context("")
+            enter_logcontext = True
+        else:
+            # if there is no span currently associated with the current logcontext, we
+            # just store the scope in it.
+            #
+            # This feels a bit dubious, but it does hack around a problem where a
+            # span outlasts its parent logcontext (which would otherwise lead to
+            # "Re-starting finished log context" errors).
+            enter_logcontext = False
+
+        scope = _LogContextScope(self, span, ctx, enter_logcontext, finish_on_close)
+        ctx.scope = scope
+        if enter_logcontext:
+            ctx.__enter__()
+
+        return scope
+
+
+class _LogContextScope(Scope):
+    """
+    A custom opentracing scope, associated with a LogContext
+
+      * When the scope is closed, the logcontext's active scope is reset to None.
+        and - if enter_logcontext was set - the logcontext is finished too.
+    """
+
+    def __init__(
+        self,
+        manager: LogContextScopeManager,
+        span: Span,
+        logcontext: LoggingContext,
+        enter_logcontext: bool,
+        finish_on_close: bool,
+    ):
+        """
+        Args:
+            manager:
+                the manager that is responsible for this scope.
+            span:
+                the opentracing span which this scope represents the local
+                lifetime for.
+            logcontext:
+                the log context to which this scope is attached.
+            enter_logcontext:
+                if True the log context will be exited when the scope is finished
+            finish_on_close:
+                if True finish the span when the scope is closed
+        """
+        super().__init__(manager, span)
+        self.logcontext = logcontext
+        self._finish_on_close = finish_on_close
+        self._enter_logcontext = enter_logcontext
+
+    def __str__(self) -> str:
+        return f"Scope<{self.span}>"
+
+    def close(self) -> None:
+        active_scope = self.manager.active
+        if active_scope is not self:
+            logger.error(
+                "Closing scope %s which is not the currently-active one %s",
+                self,
+                active_scope,
+            )
+
+        if self._finish_on_close:
+            self.span.finish()
+
+        self.logcontext.scope = None
+
+        if self._enter_logcontext:
+            self.logcontext.__exit__(None, None, None)
--- a/synapse/media/_base.py
+++ b/synapse/media/_base.py
@@ -54,8 +54,8 @@ from synapse.logging.context import (
    make_deferred_yieldable,
    run_in_background,
 )
+from synapse.util import Clock
 from synapse.util.async_helpers import DeferredEvent
-from synapse.util.clock import Clock
 from synapse.util.stringutils import is_ascii

 if TYPE_CHECKING:
--- a/synapse/media/media_repository.py
+++ b/synapse/media/media_repository.py
@@ -179,13 +179,11 @@ class MediaRepository:

        # We get the media upload limits and sort them in descending order of
        # time period, so that we can apply some optimizations.
-        self.default_media_upload_limits = hs.config.media.media_upload_limits
-        self.default_media_upload_limits.sort(
+        self.media_upload_limits = hs.config.media.media_upload_limits
+        self.media_upload_limits.sort(
            key=lambda limit: limit.time_period_ms, reverse=True
        )

-        self.media_repository_callbacks = hs.get_module_api_callbacks().media_repository
-
    def _start_update_recently_accessed(self) -> Deferred:
        return run_as_background_process(
            "update_recently_accessed_media",
@@ -342,27 +340,16 @@ class MediaRepository:

        # Check that the user has not exceeded any of the media upload limits.

-        # Use limits from module API if provided
-        media_upload_limits = (
-            await self.media_repository_callbacks.get_media_upload_limits_for_user(
-                auth_user.to_string()
-            )
-        )
-
-        # Otherwise use the default limits from config
-        if media_upload_limits is None:
-            # Note: the media upload limits are sorted so larger time periods are
-            # first.
-            media_upload_limits = self.default_media_upload_limits
-
        # This is the total size of media uploaded by the user in the last
        # `time_period_ms` milliseconds, or None if we haven't checked yet.
        uploaded_media_size: Optional[int] = None

-        for limit in media_upload_limits:
+        # Note: the media upload limits are sorted so larger time periods are
+        # first.
+        for limit in self.media_upload_limits:
            # We only need to check the amount of media uploaded by the user in
            # this latest (smaller) time period if the amount of media uploaded
-            # in a previous (larger) time period is below the limit.
+            # in a previous (larger) time period is above the limit.
            #
            # This optimization means that in the common case where the user
            # hasn't uploaded much media, we only need to query the database
@@ -376,12 +363,6 @@ class MediaRepository:
                )

            if uploaded_media_size + content_length > limit.max_bytes:
-                await self.media_repository_callbacks.on_media_upload_limit_exceeded(
-                    user_id=auth_user.to_string(),
-                    limit=limit,
-                    sent_bytes=uploaded_media_size,
-                    attempted_bytes=content_length,
-                )
                raise SynapseError(
                    400, "Media upload limit exceeded", Codes.RESOURCE_LIMIT_EXCEEDED
                )
--- a/synapse/media/media_storage.py
+++ b/synapse/media/media_storage.py
@@ -55,7 +55,7 @@ from synapse.api.errors import NotFoundError
 from synapse.logging.context import defer_to_thread, run_in_background
 from synapse.logging.opentracing import start_active_span, trace, trace_with_opname
 from synapse.media._base import ThreadedFileSender
-from synapse.util.clock import Clock
+from synapse.util import Clock
 from synapse.util.file_consumer import BackgroundFileConsumer

 from ..types import JsonDict
--- a/synapse/media/oembed.py
+++ b/synapse/media/oembed.py
@@ -27,7 +27,7 @@ import attr

 from synapse.media.preview_html import parse_html_description
 from synapse.types import JsonDict
-from synapse.util.json import json_decoder
+from synapse.util import json_decoder

 if TYPE_CHECKING:
    from lxml import etree
--- a/synapse/media/url_previewer.py
+++ b/synapse/media/url_previewer.py
@@ -46,9 +46,9 @@ from synapse.media.oembed import OEmbedProvider
 from synapse.media.preview_html import decode_body, parse_html_to_open_graph
 from synapse.metrics.background_process_metrics import run_as_background_process
 from synapse.types import JsonDict, UserID
+from synapse.util import json_encoder
 from synapse.util.async_helpers import ObservableDeferred
 from synapse.util.caches.expiringcache import ExpiringCache
-from synapse.util.json import json_encoder
 from synapse.util.stringutils import random_string

 if TYPE_CHECKING:
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Eric Eastwood	9f03797413	Add note about Fedora packaging Rust libraries See https://github.com/element-hq/synapse/pull/18856#discussion_r2330378204	2025-09-08 19:43:10 -05:00
Eric Eastwood	d3ee33398f	Best effort for application dependencies	2025-09-05 15:10:37 -05:00
Eric Eastwood	8eb1c25211	Add changelog	2025-08-21 19:51:38 -05:00
Eric Eastwood	87bc699dcc	Clarify Python dependency constraints	2025-08-21 19:48:05 -05:00
				`@@ -0,0 +1 @@`
				`Clarify Python dependency constraints in our deprecation policy.`