chore: spelling

check-spelling run (pull_request) for Xe/v1.21.1-blogpost Signed-off-by: check-spelling-bot <check-spelling-bot@users.noreply.github.com> on-behalf-of: @check-spelling <check-spelling-bot@check-spelling.dev>
docs(v1.21.1): clarify that Bell is trash
2026-04-09 10:08:45 +00:00 · 2025-07-22 12:44:08 +00:00 · 2025-07-22 12:43:43 +00:00 · 2025-07-22 12:41:43 +00:00 · 2025-07-22 12:34:21 +00:00 · 2025-07-22 00:54:32 +00:00
57 changed files with 305 additions and 1432 deletions
--- a/.github/actions/spelling/allow.txt
+++ b/.github/actions/spelling/allow.txt
@@ -3,5 +3,4 @@ https
 ssh
 ubuntu
 workarounds
-rjack
-msgbox
+rjack
--- a/.github/actions/spelling/expect.txt
+++ b/.github/actions/spelling/expect.txt
@@ -23,7 +23,6 @@ bitrate
 Bluesky
 blueskybot
 boi
-Bokm
 botnet
 botstopper
 BPort
--- a/.github/actions/spelling/patterns.txt
+++ b/.github/actions/spelling/patterns.txt
@@ -132,7 +132,3 @@ go install(?:\s+[a-z]+\.[-@\w/.]+)+
 # hit-count: 1 file-count: 1
 # microsoft
 \b(?:https?://|)(?:(?:(?:blogs|download\.visualstudio|docs|msdn2?|research)\.|)microsoft|blogs\.msdn)\.co(?:m|\.\w\w)/[-_a-zA-Z0-9()=./%]*
-
-# hit-count: 1 file-count: 1
-# data url
-\bdata:[-a-zA-Z=;:/0-9+]*,\S*
--- a/.github/workflows/smoke-tests.yml
+++ b/.github/workflows/smoke-tests.yml
@@ -18,9 +18,7 @@ jobs:
          - git-push
          - healthcheck
          - i18n
-          - palemoon/amd64
-          #- palemoon/i386
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
    steps:
      - name: Checkout code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -45,14 +43,3 @@ jobs:
        run: |
          cd test/${{ matrix.test }}
          backoff-retry --try-count 10 ./test.sh
-
-      - name: Sanitize artifact name
-        if: always()
-        run: echo "ARTIFACT_NAME=${{ matrix.test }}" | sed 's|/|-|g' >> $GITHUB_ENV
-
-      - name: Upload artifact
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
-        if: always()
-        with:
-          name: ${{ env.ARTIFACT_NAME }}
-          path: test/${{ matrix.test }}/var
--- a/2
+++ b/2
@@ -1 +1 @@
-1.21.3
+1.21.0
--- a/cmd/anubis/main.go
+++ b/cmd/anubis/main.go
@@ -30,10 +30,10 @@ import (
 	"github.com/TecharoHQ/anubis"
 	"github.com/TecharoHQ/anubis/data"
 	"github.com/TecharoHQ/anubis/internal"
+	"github.com/TecharoHQ/anubis/internal/thoth"
 	libanubis "github.com/TecharoHQ/anubis/lib"
 	botPolicy "github.com/TecharoHQ/anubis/lib/policy"
 	"github.com/TecharoHQ/anubis/lib/policy/config"
-	"github.com/TecharoHQ/anubis/lib/thoth"
 	"github.com/TecharoHQ/anubis/web"
 	"github.com/facebookgo/flagenv"
 	_ "github.com/joho/godotenv/autoload"
--- a/docs/blog/2025-07-22-release-1.21.1/index.mdx
+++ b/docs/blog/2025-07-22-release-1.21.1/index.mdx
@@ -43,7 +43,7 @@ And this release also fixes the following bugs:
 - In certain cases, a user could be stuck with a test cookie that is invalid, locking them out of the service for up to half an hour. This has been fixed with better validation of this case and clearing the cookie.
 - "Proof of work" has been removed from the branding due to some users having extremely negative connotations with it.

-We try to avoid introducing breaking changes as much as possible, but these are the changes that may be relevant for you as an administrator:
+We try to introduce breaking changes as much as possible, but these are the changes that may be relevant for you as an administrator:

 - The [challenge format](#challenge-format-change) has been changed in order to account for [the new challenge issuance flow](#challenge-flow-v2).
 - The [systemd service `RuntimeDirectory` has been changed](#breaking-change-systemd-runtimedirectory-change).
--- a/docs/docs/CHANGELOG.md
+++ b/docs/docs/CHANGELOG.md
@@ -13,46 +13,19 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

 <!-- This changes the project to: -->

- The [Thoth client](https://anubis.techaro.lol/docs/admin/thoth) is now public in the repo instead of being an internal package.
- The [`segments`](./admin/configuration/expressions.mdx#segments) function was added for splitting a path into its slash-separated segments.
-
-## v1.21.3: Minfilia Warde - Echo 3
-
-### Fixes
-
-#### Fixes a problem with nonstandard URLs and redirects
-
-Fixes [GHSA-jhjj-2g64-px7c](https://github.com/TecharoHQ/anubis/security/advisories/GHSA-jhjj-2g64-px7c).
-
-This could allow an attacker to craft an Anubis pass-challenge URL that forces a redirect to nonstandard URLs, such as the `javascript:` scheme which executes arbitrary JavaScript code in a browser context when the user clicks the "Try again" button.
-
-This has been fixed by disallowing any URLs without the scheme `http` or `https`.
-
-Additionally, the "Try again" button has been fixed to completely ignore the user-supplied redirect location. It now redirects to the home page (`/`).
-
-## v1.21.2: Minfilia Warde - Echo 2
-
-This contained an incomplete fix for [GHSA-jhjj-2g64-px7c](https://github.com/TecharoHQ/anubis/security/advisories/GHSA-jhjj-2g64-px7c). Do not use this version.
-
-## v1.21.1: Minfilia Warde - Echo 1
-
 - Expired records are now properly removed from bbolt databases ([#848](https://github.com/TecharoHQ/anubis/pull/848)).
 - Fix hanging on service restart ([#853](https://github.com/TecharoHQ/anubis/issues/853))

 ### Added

-Anubis now supports the [`missingHeader`](./admin/configuration/expressions.mdx#missingHeader) to assert the absence of headers in requests.
-
-#### New locales
-
 Anubis now supports these new languages:

 - [Czech](https://github.com/TecharoHQ/anubis/pull/849)
 - [Finnish](https://github.com/TecharoHQ/anubis/pull/863)
- [Norwegian Bokmål](https://github.com/TecharoHQ/anubis/pull/855)
- [Norwegian Nynorsk](https://github.com/TecharoHQ/anubis/pull/855)
 - [Russian](https://github.com/TecharoHQ/anubis/pull/882)

+Anubis now supports the [`missingHeader`](./admin/configuration/expressions.mdx#missingHeader) to assert the absence of headers in requests.
+
 ### Fixes

 #### Fix ["error: can't get challenge"](https://github.com/TecharoHQ/anubis/issues/869) when details about a challenge can't be found in the server side state
--- a/docs/docs/admin/configuration/expressions.mdx
+++ b/docs/docs/admin/configuration/expressions.mdx
@@ -232,39 +232,6 @@ This is best applied when doing explicit block rules, eg:

 It seems counter-intuitive to allow known bad clients through sometimes, but this allows you to confuse attackers by making Anubis' behavior random. Adjust the thresholds and numbers as facts and circumstances demand.

-### `segments`
-
-Available in `bot` expressions.
-
-```ts
-function segments(path: string): string[];
-```
-
-`segments` returns the number of slash-separated path segments, ignoring the leading slash. Here is what it will return with some common paths:
-
-| Input                    | Output                 |
-| :----------------------- | :--------------------- |
-| `segments("/")`          | `[""]`                 |
-| `segments("/foo/bar")`   | `["foo", "bar"] `      |
-| `segments("/users/xe/")` | `["users", "xe", ""] ` |
-
-:::note
-
-If the path ends with a `/`, then the last element of the result will be an empty string. This is because `/users/xe` and `/users/xe/` are semantically different paths.
-
-:::
-
-This is useful if you want to write rules that allow requests that have no query parameters only if they have less than two path segments:
-
-```yaml
- name: two-path-segments-no-query
-  action: ALLOW
-  expression:
-    all:
-      - size(query) == 0
-      - size(segments(path)) < 2
-```
-
 ## Life advice

 Expressions are very powerful. This is a benefit and a burden. If you are not careful with your expression targeting, you will be liable to get yourself into trouble. If you are at all in doubt, throw a `CHALLENGE` over a `DENY`. Legitimate users can easily work around a `CHALLENGE` result with a [proof of work challenge](../../design/why-proof-of-work.mdx). Bots are less likely to be able to do this.
--- a/docs/docs/admin/environments/nginx.mdx
+++ b/docs/docs/admin/environments/nginx.mdx
@@ -79,10 +79,6 @@ server {
  root "/srv/http/anubistest.techaro.lol";
  index index.html;

-  # Get the visiting IP from the TLS termination server
-  set_real_ip_from unix:;
-  real_ip_header   X-Real-IP;
-  
  # Your normal configuration can go here
  # location .php { fastcgi...} etc.
 }
--- a/docs/package-lock.json
+++ b/docs/package-lock.json
@@ -5908,9 +5908,9 @@
      }
    },
    "node_modules/brace-expansion": {
-      "version": "1.1.12",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
-      "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==",
+      "version": "1.1.11",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz",
+      "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==",
      "license": "MIT",
      "dependencies": {
        "balanced-match": "^1.0.0",
@@ -6496,16 +6496,16 @@
      }
    },
    "node_modules/compression": {
-      "version": "1.8.1",
-      "resolved": "https://registry.npmjs.org/compression/-/compression-1.8.1.tgz",
-      "integrity": "sha512-9mAqGPHLakhCLeNyxPkK4xVo746zQ/czLH1Ky+vkitMnWfWZps8r0qXuwhwizagCRttsL4lfG4pIOvaWLpAP0w==",
+      "version": "1.8.0",
+      "resolved": "https://registry.npmjs.org/compression/-/compression-1.8.0.tgz",
+      "integrity": "sha512-k6WLKfunuqCYD3t6AsuPGvQWaKwuLLh2/xHNcX4qE+vIfDNXpSqnrhwA7O53R7WVQUnt8dVAIW+YHr7xTgOgGA==",
      "license": "MIT",
      "dependencies": {
        "bytes": "3.1.2",
        "compressible": "~2.0.18",
        "debug": "2.6.9",
        "negotiator": "~0.6.4",
-        "on-headers": "~1.1.0",
+        "on-headers": "~1.0.2",
        "safe-buffer": "5.2.1",
        "vary": "~1.1.2"
      },
@@ -13562,9 +13562,9 @@
      }
    },
    "node_modules/on-headers": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/on-headers/-/on-headers-1.1.0.tgz",
-      "integrity": "sha512-737ZY3yNnXy37FHkQxPzt4UZ2UWPWiCZWLvFZ4fu5cueciegX0zGPnrlY6bwRg4FdQOe9YU8MkmJwGhoMybl8A==",
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/on-headers/-/on-headers-1.0.2.tgz",
+      "integrity": "sha512-pZAE+FJLoyITytdqK0U5s+FIpjN0JP3OzFi/u8Rx+EV5/W+JTWGXG8xFzevE7AjBfDqHv/8vL8qQsIhHnqRkrA==",
      "license": "MIT",
      "engines": {
        "node": ">= 0.8"
--- a/internal/thoth/asnchecker.go
+++ b/internal/thoth/asnchecker.go
--- a/internal/thoth/asnchecker_test.go
+++ b/internal/thoth/asnchecker_test.go
@@ -5,8 +5,8 @@ import (
 	"net/http/httptest"
 	"testing"

+	"github.com/TecharoHQ/anubis/internal/thoth"
 	"github.com/TecharoHQ/anubis/lib/policy/checker"
-	"github.com/TecharoHQ/anubis/lib/thoth"
 	iptoasnv1 "github.com/TecharoHQ/thoth-proto/gen/techaro/thoth/iptoasn/v1"
 )

--- a/internal/thoth/auth.go
+++ b/internal/thoth/auth.go
--- a/internal/thoth/cachediptoasn.go
+++ b/internal/thoth/cachediptoasn.go
--- a/internal/thoth/context.go
+++ b/internal/thoth/context.go
--- a/internal/thoth/geoipchecker.go
+++ b/internal/thoth/geoipchecker.go
--- a/internal/thoth/geoipchecker_test.go
+++ b/internal/thoth/geoipchecker_test.go
@@ -5,8 +5,8 @@ import (
 	"net/http/httptest"
 	"testing"

+	"github.com/TecharoHQ/anubis/internal/thoth"
 	"github.com/TecharoHQ/anubis/lib/policy/checker"
-	"github.com/TecharoHQ/anubis/lib/thoth"
 )

 var _ checker.Impl = &thoth.GeoIPChecker{}
--- a/internal/thoth/thoth.go
+++ b/internal/thoth/thoth.go
--- a/internal/thoth/thoth_test.go
+++ b/internal/thoth/thoth_test.go
@@ -4,8 +4,8 @@ import (
 	"os"
 	"testing"

-	"github.com/TecharoHQ/anubis/lib/thoth"
-	"github.com/TecharoHQ/anubis/lib/thoth/thothmock"
+	"github.com/TecharoHQ/anubis/internal/thoth"
+	"github.com/TecharoHQ/anubis/internal/thoth/thothmock"
 	"github.com/joho/godotenv"
 )

--- a/internal/thoth/thothmock/iptoasn.go
+++ b/internal/thoth/thothmock/iptoasn.go
--- a/internal/thoth/thothmock/withthothmock.go
+++ b/internal/thoth/thothmock/withthothmock.go
@@ -4,7 +4,7 @@ import (
 	"context"
 	"testing"

-	"github.com/TecharoHQ/anubis/lib/thoth"
+	"github.com/TecharoHQ/anubis/internal/thoth"
 )

 func WithMockThoth(t *testing.T) context.Context {
--- a/lib/anubis.go
+++ b/lib/anubis.go
@@ -384,23 +384,6 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
 	lg := internal.GetRequestLogger(r)
 	localizer := localization.GetLocalizer(r)

-	redir := r.FormValue("redir")
-	redirURL, err := url.ParseRequestURI(redir)
-	if err != nil {
-		lg.Error("invalid redirect", "err", err)
-		s.respondWithStatus(w, r, localizer.T("invalid_redirect"), http.StatusBadRequest)
-		return
-	}
-
-	switch redirURL.Scheme {
-	case "", "http", "https":
-		// allowed
-	default:
-		lg.Error("XSS attempt blocked, invalid redirect scheme", "scheme", redirURL.Scheme)
-		s.respondWithStatus(w, r, localizer.T("invalid_redirect"), http.StatusBadRequest)
-		return
-	}
-
 	// Adjust cookie path if base prefix is not empty
 	cookiePath := "/"
 	if anubis.BasePrefix != "" {
@@ -415,6 +398,13 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
 		return
 	}

+	redir := r.FormValue("redir")
+	redirURL, err := url.ParseRequestURI(redir)
+	if err != nil {
+		lg.Error("invalid redirect", "err", err)
+		s.respondWithError(w, r, localizer.T("invalid_redirect"))
+		return
+	}
 	// used by the path checker rule
 	r.URL = redirURL

--- a/lib/anubis_test.go
+++ b/lib/anubis_test.go
@@ -1,7 +1,6 @@
 package lib

 import (
-	"bytes"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -17,9 +16,9 @@ import (
 	"github.com/TecharoHQ/anubis"
 	"github.com/TecharoHQ/anubis/data"
 	"github.com/TecharoHQ/anubis/internal"
+	"github.com/TecharoHQ/anubis/internal/thoth/thothmock"
 	"github.com/TecharoHQ/anubis/lib/policy"
 	"github.com/TecharoHQ/anubis/lib/policy/config"
-	"github.com/TecharoHQ/anubis/lib/thoth/thothmock"
 )

 func init() {
@@ -802,166 +801,3 @@ func TestChallengeFor_ErrNotFound(t *testing.T) {
 		}
 	})
 }
-
-func TestPassChallengeXSS(t *testing.T) {
-	pol := loadPolicies(t, "", anubis.DefaultDifficulty)
-
-	srv := spawnAnubis(t, Options{
-		Next:   http.NewServeMux(),
-		Policy: pol,
-	})
-
-	ts := httptest.NewServer(internal.RemoteXRealIP(true, "tcp", srv))
-	defer ts.Close()
-
-	cli := httpClient(t)
-	chall := makeChallenge(t, ts, cli)
-
-	testCases := []struct {
-		name  string
-		redir string
-	}{
-		{
-			name:  "javascript alert",
-			redir: "javascript:alert('xss')",
-		},
-		{
-			name:  "vbscript",
-			redir: "vbscript:msgbox(\"XSS\")",
-		},
-		{
-			name:  "data url",
-			redir: "data:text/html;base64,PHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4=",
-		},
-	}
-
-	t.Run("with test cookie", func(t *testing.T) {
-		for _, tc := range testCases {
-			t.Run(tc.name, func(t *testing.T) {
-				nonce := 0
-				elapsedTime := 420
-				calculated := ""
-				calcString := fmt.Sprintf("%s%d", chall.Challenge, nonce)
-				calculated = internal.SHA256sum(calcString)
-
-				req, err := http.NewRequest(http.MethodGet, ts.URL+"/.within.website/x/cmd/anubis/api/pass-challenge", nil)
-				if err != nil {
-					t.Fatalf("can't make request: %v", err)
-				}
-
-				q := req.URL.Query()
-				q.Set("response", calculated)
-				q.Set("nonce", fmt.Sprint(nonce))
-				q.Set("redir", tc.redir)
-				q.Set("elapsedTime", fmt.Sprint(elapsedTime))
-				req.URL.RawQuery = q.Encode()
-
-				u, err := url.Parse(ts.URL)
-				if err != nil {
-					t.Fatal(err)
-				}
-
-				for _, ckie := range cli.Jar.Cookies(u) {
-					if ckie.Name == anubis.TestCookieName {
-						req.AddCookie(ckie)
-					}
-				}
-
-				resp, err := cli.Do(req)
-				if err != nil {
-					t.Fatalf("can't do request: %v", err)
-				}
-
-				body, _ := io.ReadAll(resp.Body)
-
-				if bytes.Contains(body, []byte(tc.redir)) {
-					t.Log(string(body))
-					t.Error("found XSS in HTML body")
-				}
-
-				if resp.StatusCode != http.StatusBadRequest {
-					t.Errorf("wanted status %d, got %d. body: %s", http.StatusBadRequest, resp.StatusCode, body)
-				}
-			})
-		}
-	})
-
-	t.Run("no test cookie", func(t *testing.T) {
-		for _, tc := range testCases {
-			t.Run(tc.name, func(t *testing.T) {
-				nonce := 0
-				elapsedTime := 420
-				calculated := ""
-				calcString := fmt.Sprintf("%s%d", chall.Challenge, nonce)
-				calculated = internal.SHA256sum(calcString)
-
-				req, err := http.NewRequest(http.MethodGet, ts.URL+"/.within.website/x/cmd/anubis/api/pass-challenge", nil)
-				if err != nil {
-					t.Fatalf("can't make request: %v", err)
-				}
-
-				q := req.URL.Query()
-				q.Set("response", calculated)
-				q.Set("nonce", fmt.Sprint(nonce))
-				q.Set("redir", tc.redir)
-				q.Set("elapsedTime", fmt.Sprint(elapsedTime))
-				req.URL.RawQuery = q.Encode()
-
-				resp, err := cli.Do(req)
-				if err != nil {
-					t.Fatalf("can't do request: %v", err)
-				}
-
-				body, _ := io.ReadAll(resp.Body)
-
-				if bytes.Contains(body, []byte(tc.redir)) {
-					t.Log(string(body))
-					t.Error("found XSS in HTML body")
-				}
-
-				if resp.StatusCode != http.StatusBadRequest {
-					t.Errorf("wanted status %d, got %d. body: %s", http.StatusBadRequest, resp.StatusCode, body)
-				}
-			})
-		}
-	})
-}
-
-func TestXForwardedForNoDoubleComma(t *testing.T) {
-	var h http.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("X-Forwarded-For", r.Header.Get("X-Forwarded-For"))
-		fmt.Fprintln(w, "OK")
-	})
-
-	h = internal.XForwardedForToXRealIP(h)
-	h = internal.XForwardedForUpdate(false, h)
-
-	pol := loadPolicies(t, "testdata/permissive.yaml", 4)
-
-	srv := spawnAnubis(t, Options{
-		Next:   h,
-		Policy: pol,
-	})
-	ts := httptest.NewServer(srv)
-	t.Cleanup(ts.Close)
-
-	req, err := http.NewRequest(http.MethodGet, ts.URL, nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	req.Header.Set("X-Real-Ip", "10.0.0.1")
-
-	resp, err := ts.Client().Do(req)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if resp.StatusCode != http.StatusOK {
-		t.Errorf("response status is wrong, wanted %d but got: %s", http.StatusOK, resp.Status)
-	}
-
-	if xff := resp.Header.Get("X-Forwarded-For"); strings.HasPrefix(xff, ",,") {
-		t.Errorf("X-Forwarded-For has two leading commas: %q", xff)
-	}
-}
--- a/lib/config_test.go
+++ b/lib/config_test.go
@@ -7,8 +7,8 @@ import (
 	"testing"

 	"github.com/TecharoHQ/anubis"
+	"github.com/TecharoHQ/anubis/internal/thoth/thothmock"
 	"github.com/TecharoHQ/anubis/lib/policy"
-	"github.com/TecharoHQ/anubis/lib/thoth/thothmock"
 )

 func TestInvalidChallengeMethod(t *testing.T) {
--- a/lib/http.go
+++ b/lib/http.go
@@ -198,7 +198,7 @@ func (s *Server) respondWithError(w http.ResponseWriter, r *http.Request, messag
 func (s *Server) respondWithStatus(w http.ResponseWriter, r *http.Request, msg string, status int) {
 	localizer := localization.GetLocalizer(r)

-	templ.Handler(web.Base(localizer.T("oh_noes"), web.ErrorPage(msg, s.opts.WebmasterEmail, localizer), s.policy.Impressum, localizer), templ.WithStatus(status)).ServeHTTP(w, r)
+	templ.Handler(web.Base(localizer.T("oh_noes"), web.ErrorPage(msg, s.opts.WebmasterEmail, r.FormValue("redir"), localizer), s.policy.Impressum, localizer), templ.WithStatus(status)).ServeHTTP(w, r)
 }

 func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
--- a/lib/localization/locales/manifest.json
+++ b/lib/localization/locales/manifest.json
@@ -11,8 +11,6 @@
    "is",
    "it",
    "ja",
-    "nb",
-    "nn",
    "pt-BR",
    "ru",
    "tr",
--- a/lib/localization/locales/nb.json
+++ b/lib/localization/locales/nb.json
@@ -1,64 +0,0 @@
-{
-  "loading": "Laster inn...",
-  "why_am_i_seeing": "Hvorfor ser jeg dette?",
-  "protected_by": "Beskyttet av",
-  "protected_from": "Fra",
-  "made_with": "Laget med ❤️ i 🇨🇦",
-  "mascot_design": "Maskotdesign av",
-  "ai_companies_explanation": "Du ser dette fordi administratoren av dette nettstedet har satt opp Anubis for å beskytte sørveren mot plagen av KI-selskaper som aggressivt skraper nettsteder. Dette kan, og fortsetter med å, forårsake driftstans for nettstedene, som gjør ressursene deres utilgjengelige for alle.",
-  "anubis_compromise": "Anubis er et kompromiss. Anubis bruker et «Proof-of-Work»-skjema som ligner på Hashcash, et lignende skjema for å redusere søppel-e-post. Idéen er at ved småstilte tilfeller er den ytterligere belastningen ignorerbar, men ved storstilt skraping samler den på seg fart og gjør det å skrape mye mer dyrt.",
-  "hack_purpose": "Til syvende og sist er dette en hack som har som formål å gi en «god nok» plassholderløsning slik at mer tid kan brukes på å fingeravtrykke og gjenkjenne hodeløse nettlesere (f.eks. hvordan de gjengir skrifttyper) slik at utfordringssiden ikke må bli vist til brukere som er mer sannsynligvis ekte.",
-  "jshelter_note": "NB: Anubis krever bruk av moderne JavaScript-funksjoner som tillegg som JShelter slår av. Vennligst slå av JShelter eller lignende tillegg for dette domenet.",
-  "version_info": "Dette nettstedet kjører Anubis-utgave",
-  "try_again": "Prøv igjen",
-  "go_home": "Gå hjem",
-  "contact_webmaster": "eller om du synes at du ikke burde være blokkert, vennligst ta kontakt med administratoren på",
-  "connection_security": "Vennligst vent mens vi bekrefter tryggheten av tilkoblingen din.",
-  "javascript_required": "Du må dessverre slå på JavaScript for å komme deg forbi denne utfordringen. Dette kreves fordi KI-selskaper har endret sosialkontrakten om hvordan nettstedsverting fungerer. En ikke-JS-løsning er i gang med å skapes.",
-  "benchmark_requires_js": "JavaScript må være påslått for å kjøre sammenligningsverktøyet.",
-  "difficulty": "Vanskelighetsnivå:",
-  "algorithm": "Algoritme:",
-  "compare": "Jevnfør:",
-  "time": "Tid",
-  "iters": "Gjentakelser",
-  "time_a": "Tid A",
-  "iters_a": "Gjentakelser A",
-  "time_b": "Tid B",
-  "iters_b": "Gjentakelser B",
-  "static_check_endpoint": "Dette er bare et sjekkeendepunkt for din omvendte proxy å bruke.",
-  "authorization_required": "Legitimasjon kreves",
-  "cookies_disabled": "Nettleseren din er konfigurert for å avslå informasjonskapsler. Anubis krever informasjonskapsler for å bekrefte at du er en ekte bruker. Vennligst slå på informasjonskapsler på dette domenet.",
-  "access_denied": "Adgang nektet: feilkode",
-  "dronebl_entry": "DroneBL rapporterte em oppføring.",
-  "see_dronebl_lookup": "se",
-  "internal_server_error": "Intern serverfeil: administratoren har feilkonfigurert Anubis. Vennligst ta kontakt med hen og spør hen om å se gjennom loggene om",
-  "invalid_redirect": "Ugyldig omdirigering",
-  "redirect_not_parseable": "Omdirigerings-URL-en kunne ikkj tolkes",
-  "redirect_domain_not_allowed": "Omdirigeringsdomenet er ikke tillatt",
-  "failed_to_sign_jwt": "mislyktes i å signere JWT",
-  "invalid_invocation": "Ugyldig fremkalling av MakeChallenge",
-  "client_error_browser": "Klientfeil: Vennligst sørg for at at nettleseren din er oppdatert og prøv igjen senere.",
-  "oh_noes": "Å nei!",
-  "benchmarking_anubis": "Sammenligner Anubis!",
-  "you_are_not_a_bot": "Du er ikke en bot!",
-  "making_sure_not_bot": "Bekrefter at du ikke er en bot!",
-  "celphase": "CELPHASE",
-  "js_web_crypto_error": "Nettleseren din har ikke et fungerande web.crypto-element. Ser du dette med ei sikker tilkopling?",
-  "js_web_workers_error": "Nettleseren din støtter ikke nettarbeidere (Anubis bruker dette for å unngå å fryse nettleseren din). Har du et tillegg som JShelter installert?",
-  "js_cookies_error": "Nettleseren lagrer ikke informasjonskapsler. Anubis bruker informasjonskapsler for å avgjøre hvilke klienter har lyktes i utfordringen ved å lagre en signert token i en informasjonskapsel. Vennligst slå på informasjonskapsler på dette domenet. Navnene på informasjonskapslene Anubis lagrer, kan variere uten varsel. Informasjonskapselnavn og -verdier er ikke en del av det offentlege API-et.",
-  "js_context_not_secure": "Du bruker ikke en sikker tilkobling!",
-  "js_context_not_secure_msg": "Prøv å koble til over HTTPS eller fortell administratoren å opprette HTTPS. Se <a hreflang=\"en\" href=\"https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts#when_is_a_context_considered_secure\">MDN</a> for mer informasjon.",
-  "js_calculating": "Beregner…",
-  "js_missing_feature": "Mangler funksjon",
-  "js_challenge_error": "Utfordringsfeil!",
-  "js_challenge_error_msg": "Mislyktes i å tolke sjekkalgoritmen. Du burde laste inn denne siden på nytt.",
-  "js_calculating_difficulty": "Beregner…<br/>Vanskelighetsnivå:",
-  "js_speed": "Hastighet:",
-  "js_verification_longer": "Verifisering tar lengre enn forventet. Vennligst ikke last inn denne siden på nytt.",
-  "js_success": "Vellykket!",
-  "js_done_took": "Ferdig! Tok",
-  "js_iterations": "gjentakelser",
-  "js_finished_reading": "Jeg har sluttet å lese, fortsett →",
-  "js_calculation_error": "Beregningsfeil!",
-  "js_calculation_error_msg": "Mislyktes i å beregne utfordring:"
-}
--- a/lib/localization/locales/nn.json
+++ b/lib/localization/locales/nn.json
@@ -1,64 +0,0 @@
-{
-  "loading": "Lastar inn...",
-  "why_am_i_seeing": "Kvifor ser eg dette?",
-  "protected_by": "Verna av",
-  "protected_from": "Frå",
-  "made_with": "Laga med ❤️ i 🇨🇦",
-  "mascot_design": "Maskotdesign av",
-  "ai_companies_explanation": "Du ser dette av di administratoren av denne nettstaden har sett opp Anubis for å verne sørvaren mot plaga av KI-selskap som aggressivt skrapar nettstader. Dette kan, og held frem med å, forårsake driftstans for nettstadene, som gjer ressursane deira utilgjengelege for alle.",
-  "anubis_compromise": "Anubis er eit kompromiss. Anubis brukar eit «Proof-of-Work»-skjema som liknar på Hashcash, eit liknande skjema for å redusere søppel-e-post. Idéen er at ved småstilte tilfelle er den ytterlegare lastinga ignorerbar, men ved storstilt skraping samlar ho på seg fart og gjer det å skrapa mykje meir dyrt.",
-  "hack_purpose": "Til sjuande og sist er dette ein hack som har som formål å gje ei «god nok» plasshaldarløysing slik at meir tid kan brukast på å fingeravtrykkje og attkjenne hovudlause nettlesarar (f.eks. korleis dei attgjev skrifttypar) slik at utfordringssida ikkje må verte synt til brukarar som er meir sannsynlegvis ekte.",
-  "jshelter_note": "NB: Anubis krev bruk av moderne JavaScript-funksjonar som tillegg som JShelter slår av. Venlegast slå av JShelter eller liknande tillegg for dette domenet.",
-  "version_info": "Denne nettstaden køyrer Anubis-utgåve",
-  "try_again": "Prøv att",
-  "go_home": "Gå heim",
-  "contact_webmaster": "eller om du synest at du ikkje burde vera blokkert, venlegast tak kontakt med administratoren på",
-  "connection_security": "Venlegast vent medan vi stadfestar tryggleiken av tilkoplinga di.",
-  "javascript_required": "Du lyt diverre slå på JavaScript for å koma deg forbi denne utfordringa. Dette krevst av di KI-selskap har endra sosialkontrakten om korleis nettstadsverting fungerer. Ei ikkje-JS-løysing er i gang med å skapast.",
-  "benchmark_requires_js": "JavaScript må vera slegen på for å køyre samanlikningsverktøyet.",
-  "difficulty": "Vanskenivå:",
-  "algorithm": "Algoritme:",
-  "compare": "Jamfør:",
-  "time": "Tid",
-  "iters": "Oppattakingar",
-  "time_a": "Tid A",
-  "iters_a": "Oppattakingar A",
-  "time_b": "Tid B",
-  "iters_b": "Oppattakingar B",
-  "static_check_endpoint": "Dette er berre eit sjekkeendepunkt for din omvende proxy å bruke.",
-  "authorization_required": "Legitimasjon krevst",
-  "cookies_disabled": "Nettlesaren din er konfigurert for å avslå informasjonskapslar. Anubis krev informasjonskapslar for å stadfeste at du er ein ekte brukar. Venlegast slå på informasjonskapslar på dette domenet.",
-  "access_denied": "Tilgang nekta: feilkode",
-  "dronebl_entry": "DroneBL rapporterte ei oppføring.",
-  "see_dronebl_lookup": "sjå",
-  "internal_server_error": "Intern serverfeil: administratoren har feilkonfigurert Anubis. Venlegast tak kontakt med hen og spør hen om å sjå gjennom loggane om",
-  "invalid_redirect": "Ugyldig omdirigering",
-  "redirect_not_parseable": "Omdirigerings-URL-en kunne ikkje tolkast",
-  "redirect_domain_not_allowed": "Omdirigeringsdomenet er ikkje tillate",
-  "failed_to_sign_jwt": "mislukkast i å signere JWT",
-  "invalid_invocation": "Ugyldig framkalling av MakeChallenge",
-  "client_error_browser": "Klientfeil: Venlegast stadfest at nettlesaren din er oppdatert og prøv att seinare.",
-  "oh_noes": "Å nei!",
-  "benchmarking_anubis": "Samanliknar Anubis!",
-  "you_are_not_a_bot": "Du er ikkje ein bot!",
-  "making_sure_not_bot": "Stadfestar at du ikkje er ein bot!",
-  "celphase": "CELPHASE",
-  "js_web_crypto_error": "Nettlesaren din har ikkje eit fungerande web.crypto-element. Ser du dette med ei sikker tilkopling?",
-  "js_web_workers_error": "Nettlesaren din støttar ikkje nettarbeidarar (Anubis brukar dette for å unngå å fryse nettlesaren din). Har du eit tillegg som JShelter installert?",
-  "js_cookies_error": "Nettlesaren lagrar ikkje informasjonskapslar. Anubis brukar informasjonskapslar for å avgjera kva klientar har lukkast i utfordringa ved å lagra ein signert token i ein informasjonskapsel. Venlegast slå på informasjonskapslar på dette domenet. Namna på informasjonskapslane Anubis lagrar, kan variere utan varsel. Informasjonskapselnamn og -verdiar er ikkje ein del av det offentlege API-et.",
-  "js_context_not_secure": "Du brukar ikkje ei sikker tilkopling!",
-  "js_context_not_secure_msg": "Prøv å kople til over HTTPS eller fortel administratoren å opprette HTTPS. Sjå <a hreflang=\"en\" href=\"https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts#when_is_a_context_considered_secure\">MDN</a> for fleire opplysingar.",
-  "js_calculating": "Reknar…",
-  "js_missing_feature": "Manglar funksjon",
-  "js_challenge_error": "Utfordringsfeil!",
-  "js_challenge_error_msg": "Mislukkast i å tolke sjekkalgoritmen. Du burde laste inn denne sida på nytt.",
-  "js_calculating_difficulty": "Reknar…<br/>Vanskenivå:",
-  "js_speed": "Fart:",
-  "js_verification_longer": "Verifisering tek lengre enn forventa. Venlegast ikkje last inn denne sida på nytt.",
-  "js_success": "Vellykka!",
-  "js_done_took": "Ferdig! Tok",
-  "js_iterations": "oppattakingar",
-  "js_finished_reading": "Eg har slutta å lesa, hald fram →",
-  "js_calculation_error": "Rekningsfeil!",
-  "js_calculation_error_msg": "Mislukkast i å rekne utfordring:"
-}
--- a/lib/localization/localization_test.go
+++ b/lib/localization/localization_test.go
@@ -21,8 +21,6 @@ func TestLocalizationService(t *testing.T) {
 		"fr":    "Chargement...",
 		"ja":    "ロード中...",
 		"is":    "Hleður...",
-		"nb":    "Laster inn...",
-		"nn":    "Lastar inn...",
 		"pt-BR": "Carregando...",
 		"tr":    "Yükleniyor...",
 		"ru":    "Загрузка...",
@@ -30,16 +28,7 @@ func TestLocalizationService(t *testing.T) {
 		"zh-TW": "載入中...",
 	}

-	var keys []string
-
-	for lang := range loadingStrMap {
-		keys = append(keys, lang)
-	}
-
-	sort.Strings(keys)
-
-	for _, lang := range keys {
-		expected := loadingStrMap[lang]
+	for lang, expected := range loadingStrMap {
 		t.Run(fmt.Sprintf("%s localization", lang), func(t *testing.T) {
 			localizer := service.GetLocalizer(lang)
 			result := localizer.MustLocalize(&i18n.LocalizeConfig{MessageID: "loading"})
@@ -55,7 +44,7 @@ func TestLocalizationService(t *testing.T) {
 		"mascot_design", "try_again", "go_home", "javascript_required",
 	}

-	for _, lang := range keys {
+	for lang := range loadingStrMap {
 		t.Run(fmt.Sprintf("All required keys exist in %s", lang), func(t *testing.T) {
 			loc := service.GetLocalizer(lang)
 			for _, key := range requiredKeys {
--- a/lib/policy/expressions/environment.go
+++ b/lib/policy/expressions/environment.go
@@ -2,7 +2,6 @@ package expressions

 import (
 	"math/rand/v2"
-	"strings"

 	"github.com/google/cel-go/cel"
 	"github.com/google/cel-go/common/types"
@@ -55,28 +54,6 @@ func BotEnvironment() (*cel.Env, error) {
 				}),
 			),
 		),
-
-		cel.Function("segments",
-			cel.Overload("segments_string_list_string",
-				[]*cel.Type{cel.StringType},
-				cel.ListType(cel.StringType),
-				cel.UnaryBinding(func(path ref.Val) ref.Val {
-					pathStrType, ok := path.(types.String)
-					if !ok {
-						return types.ValOrErr(path, "path is not a string, but is %T", path)
-					}
-
-					pathStr := string(pathStrType)
-					if !strings.HasPrefix(pathStr, "/") {
-						return types.ValOrErr(path, "path does not start with /")
-					}
-
-					pathList := strings.Split(string(pathStr), "/")[1:]
-
-					return types.NewStringList(types.DefaultTypeAdapter, pathList)
-				}),
-			),
-		),
 	)
 }

--- a/lib/policy/expressions/environment_test.go
+++ b/lib/policy/expressions/environment_test.go
@@ -12,228 +12,99 @@ func TestBotEnvironment(t *testing.T) {
 		t.Fatalf("failed to create bot environment: %v", err)
 	}

-	t.Run("missingHeader", func(t *testing.T) {
-		tests := []struct {
-			name        string
-			expression  string
-			headers     map[string]string
-			expected    types.Bool
-			description string
-		}{
-			{
-				name:       "missing-header",
-				expression: `missingHeader(headers, "Missing-Header")`,
-				headers: map[string]string{
-					"User-Agent":   "test-agent",
-					"Content-Type": "application/json",
-				},
-				expected:    types.Bool(true),
-				description: "should return true when header is missing",
+	tests := []struct {
+		name        string
+		expression  string
+		headers     map[string]string
+		expected    types.Bool
+		description string
+	}{
+		{
+			name:       "missing-header",
+			expression: `missingHeader(headers, "Missing-Header")`,
+			headers: map[string]string{
+				"User-Agent":   "test-agent",
+				"Content-Type": "application/json",
 			},
-			{
-				name:       "existing-header",
-				expression: `missingHeader(headers, "User-Agent")`,
-				headers: map[string]string{
-					"User-Agent":   "test-agent",
-					"Content-Type": "application/json",
-				},
-				expected:    types.Bool(false),
-				description: "should return false when header exists",
+			expected:    types.Bool(true),
+			description: "should return true when header is missing",
+		},
+		{
+			name:       "existing-header",
+			expression: `missingHeader(headers, "User-Agent")`,
+			headers: map[string]string{
+				"User-Agent":   "test-agent",
+				"Content-Type": "application/json",
 			},
-			{
-				name:       "case-sensitive",
-				expression: `missingHeader(headers, "user-agent")`,
-				headers: map[string]string{
-					"User-Agent": "test-agent",
-				},
-				expected:    types.Bool(true),
-				description: "should be case-sensitive (user-agent != User-Agent)",
+			expected:    types.Bool(false),
+			description: "should return false when header exists",
+		},
+		{
+			name:       "case-sensitive",
+			expression: `missingHeader(headers, "user-agent")`,
+			headers: map[string]string{
+				"User-Agent": "test-agent",
 			},
-			{
-				name:        "empty-headers",
-				expression:  `missingHeader(headers, "Any-Header")`,
-				headers:     map[string]string{},
-				expected:    types.Bool(true),
-				description: "should return true for any header when map is empty",
+			expected:    types.Bool(true),
+			description: "should be case-sensitive (user-agent != User-Agent)",
+		},
+		{
+			name:        "empty-headers",
+			expression:  `missingHeader(headers, "Any-Header")`,
+			headers:     map[string]string{},
+			expected:    types.Bool(true),
+			description: "should return true for any header when map is empty",
+		},
+		{
+			name:       "real-world-sec-ch-ua",
+			expression: `missingHeader(headers, "Sec-Ch-Ua")`,
+			headers: map[string]string{
+				"User-Agent": "curl/7.68.0",
+				"Accept":     "*/*",
+				"Host":       "example.com",
 			},
-			{
-				name:       "real-world-sec-ch-ua",
-				expression: `missingHeader(headers, "Sec-Ch-Ua")`,
-				headers: map[string]string{
-					"User-Agent": "curl/7.68.0",
-					"Accept":     "*/*",
-					"Host":       "example.com",
-				},
-				expected:    types.Bool(true),
-				description: "should detect missing browser-specific headers from bots",
+			expected:    types.Bool(true),
+			description: "should detect missing browser-specific headers from bots",
+		},
+		{
+			name:       "browser-with-sec-ch-ua",
+			expression: `missingHeader(headers, "Sec-Ch-Ua")`,
+			headers: map[string]string{
+				"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
+				"Sec-Ch-Ua":  `"Chrome"; v="91", "Not A Brand"; v="99"`,
+				"Accept":     "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
 			},
-			{
-				name:       "browser-with-sec-ch-ua",
-				expression: `missingHeader(headers, "Sec-Ch-Ua")`,
-				headers: map[string]string{
-					"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
-					"Sec-Ch-Ua":  `"Chrome"; v="91", "Not A Brand"; v="99"`,
-					"Accept":     "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
-				},
-				expected:    types.Bool(false),
-				description: "should return false when browser sends Sec-Ch-Ua header",
-			},
-		}
+			expected:    types.Bool(false),
+			description: "should return false when browser sends Sec-Ch-Ua header",
+		},
+	}

-		for _, tt := range tests {
-			t.Run(tt.name, func(t *testing.T) {
-				prog, err := Compile(env, tt.expression)
-				if err != nil {
-					t.Fatalf("failed to compile expression %q: %v", tt.expression, err)
-				}
-
-				result, _, err := prog.Eval(map[string]interface{}{
-					"headers": tt.headers,
-				})
-				if err != nil {
-					t.Fatalf("failed to evaluate expression %q: %v", tt.expression, err)
-				}
-
-				if result != tt.expected {
-					t.Errorf("%s: expected %v, got %v", tt.description, tt.expected, result)
-				}
-			})
-		}
-
-		t.Run("function-compilation", func(t *testing.T) {
-			src := `missingHeader(headers, "Test-Header")`
-			_, err := Compile(env, src)
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			prog, err := Compile(env, tt.expression)
 			if err != nil {
-				t.Fatalf("failed to compile missingHeader expression: %v", err)
+				t.Fatalf("failed to compile expression %q: %v", tt.expression, err)
 			}
-		})
-	})

-	t.Run("segments", func(t *testing.T) {
-		for _, tt := range []struct {
-			name        string
-			description string
-			expression  string
-			path        string
-			expected    types.Bool
-		}{
-			{
-				name:        "simple",
-				description: "/ should have one path segment",
-				expression:  `size(segments(path)) == 1`,
-				path:        "/",
-				expected:    types.Bool(true),
-			},
-			{
-				name:        "two segments without trailing slash",
-				description: "/user/foo should have two segments",
-				expression:  `size(segments(path)) == 2`,
-				path:        "/user/foo",
-				expected:    types.Bool(true),
-			},
-			{
-				name:        "at least two segments",
-				description: "/foo/bar/ should have at least two path segments",
-				expression:  `size(segments(path)) >= 2`,
-				path:        "/foo/bar/",
-				expected:    types.Bool(true),
-			},
-			{
-				name:        "at most two segments",
-				description: "/foo/bar/ does not have less than two path segments",
-				expression:  `size(segments(path)) < 2`,
-				path:        "/foo/bar/",
-				expected:    types.Bool(false),
-			},
-		} {
-			t.Run(tt.name, func(t *testing.T) {
-				prog, err := Compile(env, tt.expression)
-				if err != nil {
-					t.Fatalf("failed to compile expression %q: %v", tt.expression, err)
-				}
-
-				result, _, err := prog.Eval(map[string]interface{}{
-					"path": tt.path,
-				})
-				if err != nil {
-					t.Fatalf("failed to evaluate expression %q: %v", tt.expression, err)
-				}
-
-				if result != tt.expected {
-					t.Errorf("%s: expected %v, got %v", tt.description, tt.expected, result)
-				}
+			result, _, err := prog.Eval(map[string]interface{}{
+				"headers": tt.headers,
 			})
-		}
-
-		t.Run("invalid", func(t *testing.T) {
-			for _, tt := range []struct {
-				name            string
-				description     string
-				expression      string
-				env             any
-				wantFailCompile bool
-				wantFailEval    bool
-			}{
-				{
-					name:        "segments of headers",
-					description: "headers are not a path list",
-					expression:  `segments(headers)`,
-					env: map[string]any{
-						"headers": map[string]string{
-							"foo": "bar",
-						},
-					},
-					wantFailCompile: true,
-				},
-				{
-					name:        "invalid path type",
-					description: "a path should be a sting",
-					expression:  `size(segments(path)) != 0`,
-					env: map[string]any{
-						"path": 4,
-					},
-					wantFailEval: true,
-				},
-				{
-					name:        "invalid path",
-					description: "a path should start with a leading slash",
-					expression:  `size(segments(path)) != 0`,
-					env: map[string]any{
-						"path": "foo",
-					},
-					wantFailEval: true,
-				},
-			} {
-				t.Run(tt.name, func(t *testing.T) {
-					prog, err := Compile(env, tt.expression)
-					if err != nil {
-						if !tt.wantFailCompile {
-							t.Log(tt.description)
-							t.Fatalf("failed to compile expression %q: %v", tt.expression, err)
-						} else {
-							return
-						}
-					}
-
-					_, _, err = prog.Eval(tt.env)
-
-					if err == nil {
-						t.Log(tt.description)
-						t.Fatal("wanted an error but got none")
-					}
-
-					t.Log(err)
-				})
-			}
-		})
-
-		t.Run("function-compilation", func(t *testing.T) {
-			src := `size(segments(path)) <= 2`
-			_, err := Compile(env, src)
 			if err != nil {
-				t.Fatalf("failed to compile missingHeader expression: %v", err)
+				t.Fatalf("failed to evaluate expression %q: %v", tt.expression, err)
+			}
+
+			if result != tt.expected {
+				t.Errorf("%s: expected %v, got %v", tt.description, tt.expected, result)
 			}
 		})
+	}
+
+	t.Run("function-compilation", func(t *testing.T) {
+		src := `missingHeader(headers, "Test-Header")`
+		_, err := Compile(env, src)
+		if err != nil {
+			t.Fatalf("failed to compile missingHeader expression: %v", err)
+		}
 	})
 }

--- a/lib/policy/policy.go
+++ b/lib/policy/policy.go
@@ -8,10 +8,10 @@ import (
 	"log/slog"
 	"sync/atomic"

+	"github.com/TecharoHQ/anubis/internal/thoth"
 	"github.com/TecharoHQ/anubis/lib/policy/checker"
 	"github.com/TecharoHQ/anubis/lib/policy/config"
 	"github.com/TecharoHQ/anubis/lib/store"
-	"github.com/TecharoHQ/anubis/lib/thoth"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promauto"

--- a/lib/policy/policy_test.go
+++ b/lib/policy/policy_test.go
@@ -7,7 +7,7 @@ import (

 	"github.com/TecharoHQ/anubis"
 	"github.com/TecharoHQ/anubis/data"
-	"github.com/TecharoHQ/anubis/lib/thoth/thothmock"
+	"github.com/TecharoHQ/anubis/internal/thoth/thothmock"
 )

 func TestDefaultPolicyMustParse(t *testing.T) {
--- a/lib/testdata/permissive.yaml
+++ b/lib/testdata/permissive.yaml
@@ -1,4 +0,0 @@
-bots:
-  - import: (data)/common/allow-private-addresses.yaml
-
-dnsbl: false
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
  "name": "@techaro/anubis",
-  "version": "1.21.3",
+  "version": "1.21.0",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "@techaro/anubis",
-      "version": "1.21.3",
+      "version": "1.21.0",
      "license": "ISC",
      "devDependencies": {
        "cssnano": "^7.1.0",
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@techaro/anubis",
-  "version": "1.21.3",
+  "version": "1.21.0",
  "description": "",
  "main": "index.js",
  "scripts": {
--- a/test/cmd/cipra/internal/containerip.go
+++ b/test/cmd/cipra/internal/containerip.go
@@ -1,33 +0,0 @@
-package internal
-
-import (
-	"context"
-	"fmt"
-
-	"github.com/docker/docker/client"
-)
-
-// GetContainerIPAddress returns the first non-empty IP address of the container with the given name.
-// It returns the IP address as a string or an error.
-func GetContainerIPAddress(containerName string) (string, error) {
-	ctx := context.Background()
-	cli, err := client.NewClientWithOpts(client.FromEnv)
-	if err != nil {
-		return "", err
-	}
-
-	// Get container details
-	containerJSON, err := cli.ContainerInspect(ctx, containerName)
-	if err != nil {
-		return "", err
-	}
-
-	// Loop through all networks and return the first IP address found
-	for _, net := range containerJSON.NetworkSettings.Networks {
-		if net.IPAddress != "" {
-			return net.IPAddress, nil
-		}
-	}
-
-	return "", fmt.Errorf("no IP address found for container %q", containerName)
-}
--- a/test/cmd/cipra/internal/getlanip.go
+++ b/test/cmd/cipra/internal/getlanip.go
@@ -1,50 +0,0 @@
-package internal
-
-import (
-	"fmt"
-	"net"
-)
-
-// GetLANIP returns the first non-loopback IPv4 LAN IP address.
-func GetLANIP() (net.IP, error) {
-	ifaces, err := net.Interfaces()
-	if err != nil {
-		return nil, err
-	}
-
-	for _, iface := range ifaces {
-		// Skip down or loopback interfaces
-		if iface.Flags&(net.FlagUp|net.FlagLoopback) != net.FlagUp {
-			continue
-		}
-
-		addrs, err := iface.Addrs()
-		if err != nil {
-			continue // skip interfaces we can't query
-		}
-
-		for _, addr := range addrs {
-			var ip net.IP
-
-			switch v := addr.(type) {
-			case *net.IPNet:
-				ip = v.IP
-			case *net.IPAddr:
-				ip = v.IP
-			}
-
-			if ip == nil || ip.IsLoopback() {
-				continue
-			}
-
-			ip = ip.To4()
-			if ip == nil {
-				continue // not an IPv4 address
-			}
-
-			return ip, nil
-		}
-	}
-
-	return nil, fmt.Errorf("no connected LAN IPv4 address found")
-}
--- a/test/cmd/cipra/internal/unbreakdocker.go
+++ b/test/cmd/cipra/internal/unbreakdocker.go
@@ -1,34 +0,0 @@
-package internal
-
-import (
-	"context"
-	"log"
-	"os"
-
-	"github.com/docker/docker/api/types/network"
-	"github.com/docker/docker/client"
-)
-
-// UnbreakDocker connects the container named after the current hostname
-// to the specified Docker network.
-func UnbreakDocker(networkName string) error {
-	ctx := context.Background()
-
-	cli, err := client.NewClientWithOpts(client.FromEnv)
-	if err != nil {
-		return err
-	}
-
-	hostname, err := os.Hostname()
-	if err != nil {
-		return err
-	}
-
-	err = cli.NetworkConnect(ctx, networkName, hostname, &network.EndpointSettings{})
-	if err != nil {
-		return err
-	}
-
-	log.Printf("Connected container %q to network %q\n", hostname, networkName)
-	return nil
-}
--- a/test/cmd/cipra/main.go
+++ b/test/cmd/cipra/main.go
@@ -1,114 +0,0 @@
-package main
-
-import (
-	"context"
-	"errors"
-	"flag"
-	"fmt"
-	"log"
-	"net/http"
-	"os"
-	"os/exec"
-	"strings"
-	"time"
-
-	"github.com/TecharoHQ/anubis/test/cmd/cipra/internal"
-	"github.com/facebookgo/flagenv"
-)
-
-var (
-	bind                 = flag.String("bind", ":9090", "TCP host:port to bind HTTP on")
-	browserBin           = flag.String("browser-bin", "palemoon", "browser binary name")
-	browserContainerName = flag.String("browser-container-name", "palemoon", "browser container name")
-	composeName          = flag.String("compose-name", "", "docker compose base name for resources")
-	vncServerContainer   = flag.String("vnc-container-name", "display", "VNC host:port (NOT a display number)")
-)
-
-func main() {
-	flagenv.Parse()
-	flag.Parse()
-
-	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
-	defer cancel()
-
-	lanip, err := internal.GetLANIP()
-	if err != nil {
-		log.Panic(err)
-	}
-
-	os.Setenv("TARGET", fmt.Sprintf("%s%s", lanip.String(), *bind))
-
-	http.HandleFunc("/{$}", func(w http.ResponseWriter, r *http.Request) {
-		http.Error(w, "OK", http.StatusOK)
-		log.Println("got termination signal", r.RequestURI)
-		go func() {
-			time.Sleep(2 * time.Second)
-			cancel()
-		}()
-	})
-
-	srv := &http.Server{
-		Handler: http.DefaultServeMux,
-		Addr:    *bind,
-	}
-
-	go func() {
-		if err := srv.ListenAndServe(); !errors.Is(err, http.ErrServerClosed) {
-			log.Panic(err)
-		}
-	}()
-
-	if err := RunScript(ctx, "docker", "compose", "up", "-d"); err != nil {
-		log.Fatalf("can't start project: %v", err)
-	}
-
-	defer RunScript(ctx, "docker", "compose", "down", "-t", "1")
-	defer RunScript(ctx, "docker", "compose", "rm", "-f")
-
-	internal.UnbreakDocker(*composeName + "_default")
-
-	if err := RunScript(ctx, "docker", "exec", fmt.Sprintf("%s-%s-1", *composeName, *browserContainerName), "bash", "/hack/scripts/install-cert.sh"); err != nil {
-		log.Panic(err)
-	}
-
-	if err := RunScript(ctx, "docker", "exec", fmt.Sprintf("%s-%s-1", *composeName, *browserContainerName), *browserBin, "https://relayd"); err != nil {
-		log.Panic(err)
-	}
-
-	<-ctx.Done()
-	srv.Close()
-	time.Sleep(2 * time.Second)
-}
-
-func RunScript(ctx context.Context, args ...string) error {
-	var err error
-	backoff := 250 * time.Millisecond
-
-	for attempt := 0; attempt < 5; attempt++ {
-		select {
-		case <-ctx.Done():
-			return nil
-		default:
-		}
-		log.Printf("Running command: %s", strings.Join(args, " "))
-		cmd := exec.CommandContext(ctx, args[0], args[1:]...)
-		cmd.Stdout = os.Stdout
-		cmd.Stderr = os.Stderr
-
-		err = cmd.Run()
-		if exitErr, ok := err.(*exec.ExitError); ok {
-			log.Printf("attempt=%d code=%d", attempt, exitErr.ExitCode())
-		}
-
-		if err == nil {
-			return nil
-		}
-
-		log.Printf("Attempt %d failed: %v %T", attempt+1, err, err)
-		log.Printf("Retrying in %v...", backoff)
-		time.Sleep(backoff)
-		backoff *= 2
-	}
-
-	return fmt.Errorf("script failed after 5 attempts: %w", err)
-}
--- a/test/go.mod
+++ b/test/go.mod
@@ -6,7 +6,6 @@ replace github.com/TecharoHQ/anubis => ..

 require (
 	github.com/TecharoHQ/anubis v1.19.1
-	github.com/docker/docker v28.0.1+incompatible
 	github.com/facebookgo/flagenv v0.0.0-20160425205200-fcd59fca7456
 	github.com/google/uuid v1.6.0
 )
@@ -14,38 +13,27 @@ require (
 require (
 	buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.6-20250425153114-8976f5be98c1.1 // indirect
 	cel.dev/expr v0.24.0 // indirect
-	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/TecharoHQ/thoth-proto v0.4.0 // indirect
 	github.com/a-h/templ v0.3.906 // indirect
 	github.com/antlr4-go/antlr/v4 v4.13.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
-	github.com/distribution/reference v0.6.0 // indirect
-	github.com/docker/go-connections v0.5.0 // indirect
-	github.com/docker/go-units v0.5.0 // indirect
 	github.com/ebitengine/purego v0.8.4 // indirect
 	github.com/facebookgo/ensure v0.0.0-20200202191622-63f1cf65ac4c // indirect
 	github.com/facebookgo/subset v0.0.0-20200203212716-c811ad88dec4 // indirect
-	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/gaissmai/bart v0.20.5 // indirect
-	github.com/go-logr/logr v1.4.3 // indirect
-	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.2.6 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
 	github.com/google/cel-go v0.25.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.1.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.2 // indirect
 	github.com/joho/godotenv v1.5.1 // indirect
 	github.com/jsha/minica v1.1.0 // indirect
+	github.com/kr/text v0.2.0 // indirect
 	github.com/lum8rjack/go-ja4h v0.0.0-20250606032308-3a989c6635be // indirect
-	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/nicksnyder/go-i18n/v2 v2.6.0 // indirect
-	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.1 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
 	github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
 	github.com/prometheus/client_golang v1.22.0 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
@@ -57,22 +45,15 @@ require (
 	github.com/stoewer/go-strcase v1.3.0 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	go.etcd.io/bbolt v1.4.2 // indirect
-	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
-	go.opentelemetry.io/otel v1.37.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.37.0 // indirect
-	go.opentelemetry.io/otel/metric v1.37.0 // indirect
-	go.opentelemetry.io/otel/trace v1.37.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	golang.org/x/exp v0.0.0-20250506013437-ce4c2cf36ca6 // indirect
 	golang.org/x/net v0.42.0 // indirect
 	golang.org/x/sys v0.34.0 // indirect
 	golang.org/x/text v0.27.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250528174236-200df99c418a // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a // indirect
 	google.golang.org/grpc v1.73.0 // indirect
 	google.golang.org/protobuf v1.36.6 // indirect
-	gotest.tools/v3 v3.5.2 // indirect
 	k8s.io/apimachinery v0.33.2 // indirect
 	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
 	sigs.k8s.io/yaml v1.5.0 // indirect
--- a/test/go.sum
+++ b/test/go.sum
@@ -24,8 +24,6 @@ github.com/bsm/gomega v1.27.10 h1:yeMWxP2pV2fG3FgAODIY8EiRE3dy0aeFYt4l7wh6yKA=
 github.com/bsm/gomega v1.27.10/go.mod h1:JyEr/xRbxbtgWNi8tIEVPUYZ5Dzef52k01W3YH0H+O0=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
-github.com/cenkalti/backoff/v5 v5.0.2 h1:rIfFVxEf1QsI7E1ZHfp/B4DF/6QBAUhmgkxc0H7Zss8=
-github.com/cenkalti/backoff/v5 v5.0.2/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
@@ -34,6 +32,7 @@ github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpS
 github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw=
 github.com/cpuguy83/dockercfg v0.3.2 h1:DlJTyZGBDlXqUZ2Dk2Q3xHs/FtnooJJVaad2S9GKorA=
 github.com/cpuguy83/dockercfg v0.3.2/go.mod h1:sugsbF4//dDlL/i+S+rtpIWp+5h0BHJHfjj5/jFyUJc=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
@@ -62,7 +61,6 @@ github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/gaissmai/bart v0.20.5 h1:ehoWZWQ7j//qt0K0Zs4i9hpoPpbgqsMQiR8W2QPJh+c=
 github.com/gaissmai/bart v0.20.5/go.mod h1:cEed+ge8dalcbpi8wtS9x9m2hn/fNJH5suhdGQOHnYk=
-github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
 github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
@@ -85,14 +83,10 @@ github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.1.0 h1:QGLs
 github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.1.0/go.mod h1:hM2alZsMUni80N33RBe6J0e423LB+odMj7d3EMP9l20=
 github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.2 h1:sGm2vDRFUrQJO/Veii4h4zG2vvqG6uWNkBHSTqXOZk0=
 github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.2/go.mod h1:wd1YpapPLivG6nQgbf7ZkG1hhSOXDhhn4MLTknx2aAc=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1 h1:X5VWvz21y3gzm9Nw/kaUeku/1+uBhcekkmy4IkffJww=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1/go.mod h1:Zanoh4+gvIgluNqcfMVTJueD4wSS5hT7zTt4Mrutd90=
 github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
 github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
 github.com/jsha/minica v1.1.0 h1:O2ZbzAN75w4RTB+5+HfjIEvY5nxRqDlwj3ZlLVG5JD8=
 github.com/jsha/minica v1.1.0/go.mod h1:dxC3wNmD+gU1ewXo/R8jB2ihB6wNpyXrG8aUk5Iuf/k=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
 github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
@@ -170,8 +164,6 @@ github.com/tklauser/go-sysconf v0.3.12 h1:0QaGUFOdQaIVdPgfITYzaTegZvdCjmYO52cSFA
 github.com/tklauser/go-sysconf v0.3.12/go.mod h1:Ho14jnntGE1fpdOqQEEaiKRpvIavV0hSfmBq8nJbHYI=
 github.com/tklauser/numcpus v0.6.1 h1:ng9scYS7az0Bk4OZLvrNXNSAO2Pxr1XXRAPyjhIx+Fk=
 github.com/tklauser/numcpus v0.6.1/go.mod h1:1XfjsgE2zo8GVw7POkMbHENHzVg3GzmoZ9fESEdAacY=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=
 github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
 go.etcd.io/bbolt v1.4.2 h1:IrUHp260R8c+zYx/Tm8QZr04CX+qWS5PGfPdevhdm1I=
@@ -182,10 +174,6 @@ go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 h1:jq9TW8u
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0/go.mod h1:p8pYQP+m5XfbZm9fxtSKAbM6oIllS7s2AfxrChvc7iw=
 go.opentelemetry.io/otel v1.37.0 h1:9zhNfelUvx0KBfu/gb+ZgeAfAgtWrfHJZcAqFC228wQ=
 go.opentelemetry.io/otel v1.37.0/go.mod h1:ehE/umFRLnuLa/vSccNq9oS1ErUlkkK71gMcN34UG8I=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0 h1:Ahq7pZmv87yiyn3jeFz/LekZmPLLdKejuO3NcK9MssM=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0/go.mod h1:MJTqhM0im3mRLw1i8uGHnCvUEeS7VwRyxlLC78PA18M=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.37.0 h1:bDMKF3RUSxshZ5OjOTi8rsHGaPKsAt76FaqgvIUySLc=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.37.0/go.mod h1:dDT67G/IkA46Mr2l9Uj7HsQVwsjASyV9SjGofsiUZDA=
 go.opentelemetry.io/otel/metric v1.37.0 h1:mvwbQS5m0tbmqML4NqK+e3aDiO02vsf/WgbsdpcPoZE=
 go.opentelemetry.io/otel/metric v1.37.0/go.mod h1:04wGrZurHYKOc+RKeye86GwKiTb9FKm1WHtO+4EVr2E=
 go.opentelemetry.io/otel/sdk v1.37.0 h1:ItB0QUqnjesGRvNcmAcU0LyvkVyGJ2xftD29bWdDvKI=
@@ -194,57 +182,28 @@ go.opentelemetry.io/otel/sdk/metric v1.35.0 h1:1RriWBmCKgkeHEhM7a2uMjMUfP7MsOF5J
 go.opentelemetry.io/otel/sdk/metric v1.35.0/go.mod h1:is6XYCUMpcKi+ZsOvfluY5YstFnhW0BidkR+gL+qN+w=
 go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mxVK7z4=
 go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0=
-go.opentelemetry.io/proto/otlp v1.7.0 h1:jX1VolD6nHuFzOYso2E73H85i92Mv8JQYk0K9vz09os=
-go.opentelemetry.io/proto/otlp v1.7.0/go.mod h1:fSKjH6YJ7HDlwzltzyMj036AJ3ejJLCgCSHGj4efDDo=
 go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
 go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
 go.yaml.in/yaml/v3 v3.0.3 h1:bXOww4E/J3f66rav3pX3m8w6jDE4knZjGOw8b5Y6iNE=
 go.yaml.in/yaml/v3 v3.0.3/go.mod h1:tBHosrYAkRZjRAOREWbDnBXUf08JOwYq++0QNwQiWzI=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.40.0 h1:r4x+VvoG5Fm+eJcxMaY8CQM7Lb0l1lsmjGBQ6s8BfKM=
 golang.org/x/crypto v0.40.0/go.mod h1:Qr1vMER5WyS2dfPHAlsOj01wgLbsyWtFn/aY+5+ZdxY=
 golang.org/x/exp v0.0.0-20250506013437-ce4c2cf36ca6 h1:y5zboxd6LQAqYIhHnB48p0ByQ/GnQx2BE33L8BOHQkI=
 golang.org/x/exp v0.0.0-20250506013437-ce4c2cf36ca6/go.mod h1:U6Lno4MTRCDY+Ba7aCcauB9T60gsv5s4ralQzP72ZoQ=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.42.0 h1:jzkYrhi3YQWD6MLBJcsklgQsoAcw89EcZbJw8Z614hs=
 golang.org/x/net v0.42.0/go.mod h1:FF1RA5d3u7nAYA4z2TkclSCKh68eSXtiFwcWQpPXdt8=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
 golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.34.0 h1:H5Y5sJ2L2JRdyv7ROF1he/lPdvFsd0mJHFw2ThKHxLA=
 golang.org/x/sys v0.34.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.27.0 h1:4fGWRpyh641NLlecmyl4LOe6yDdfaYNrGb2zdfo4JV4=
 golang.org/x/text v0.27.0/go.mod h1:1D28KMCvyooCX9hBiosv5Tz/+YLxj0j7XhWjpSUF7CU=
-golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
-golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822 h1:oWVWY3NzT7KJppx2UKhKmzPq4SRe0LdCijVRwvGeikY=
-google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822/go.mod h1:h3c4v36UTKzUiuaOKQ6gr3S+0hovBtUrXzTG/i3+XEc=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 h1:fc6jSaCT0vBduLYZHYrBBNY4dsWuvgyff9noRNDdBeE=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/genproto/googleapis/api v0.0.0-20250528174236-200df99c418a h1:SGktgSolFCo75dnHJF2yMvnns6jCmHFJ0vE4Vn2JKvQ=
+google.golang.org/genproto/googleapis/api v0.0.0-20250528174236-200df99c418a/go.mod h1:a77HrdMjoeKbnd2jmgcWdaS++ZLZAEq3orIOAEIKiVw=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a h1:v2PbRU4K3llS09c7zodFpNePeamkAwG3mPrAery9VeE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
 google.golang.org/grpc v1.73.0 h1:VIWSmpI2MegBtTuFt5/JWy2oXxtjJ/e89Z70ImfD2ok=
 google.golang.org/grpc v1.73.0/go.mod h1:50sbHOUqWoCQGI8V2HQLJM0B+LMlIUjNSZmow7EVBQc=
 google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
@@ -255,8 +214,6 @@ gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EV
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
-gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
 k8s.io/apimachinery v0.33.2 h1:IHFVhqg59mb8PJWTLi8m1mAoepkUNYmptHsV+Z1m5jY=
 k8s.io/apimachinery v0.33.2/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM=
 sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
--- a/test/i18n/var/.gitignore
+++ b/test/i18n/var/.gitignore
@@ -1,2 +0,0 @@
-*
-!.gitignore
--- a/test/lib/lib.sh
+++ b/test/lib/lib.sh
@@ -1,51 +0,0 @@
-REPO_ROOT=$(git rev-parse --show-toplevel)
-(cd $REPO_ROOT && go install ./utils/cmd/...)
-
-function cleanup() {
-  pkill -P $$
-
-  if [ -f "docker-compose.yaml" ]; then
-    docker compose down -t 1 || :
-    docker compose rm -f || :
-  fi
-}
-
-trap cleanup EXIT SIGINT
-
-function build_anubis_ko() {
-  (
-    cd $REPO_ROOT && npm ci && npm run assets
-  )
-  (
-    cd $REPO_ROOT &&
-      VERSION=devel ko build \
-        --platform=all \
-        --base-import-paths \
-        --tags="latest" \
-        --image-user=1000 \
-        --image-annotation="" \
-        --image-label="" \
-        ./cmd/anubis \
-        --local
-  )
-}
-
-function mint_cert() {
-  if [ "$#" -ne 1 ]; then
-    echo "Usage: mint_cert <domain.name>"
-  fi
-
-  domainName="$1"
-
-  # If the transient local TLS certificate doesn't exist, mint a new one
-  if [ ! -f "${REPO_ROOT}/test/pki/${domainName}/cert.pem" ]; then
-    # Subshell to contain the directory change
-    (
-      cd ${REPO_ROOT}/test/pki &&
-        mkdir -p "${domainName}" &&
-        go tool minica -domains "${domainName}" &&
-        cd "${domainName}" &&
-        chmod 666 *
-    )
-  fi
-}
--- a/test/palemoon/README.md
+++ b/test/palemoon/README.md
@@ -1,5 +0,0 @@
-# Pale Moon CI tests
-
-Pale Moon has exposed [some pretty bad bugs](https://anubis.techaro.lol/blog/release/v1.21.1#fix-event-loop-thrashing-when-solving-a-proof-of-work-challenge) in Anubis. As such, we're running Pale Moon against Anubis in CI to ensure that it keeps working.
-
-This test is a fork of [dtinth/xtigervnc-docker](https://github.com/dtinth/xtigervnc-docker) but focused on Pale Moon.
--- a/test/palemoon/amd64/docker-compose.yml
+++ b/test/palemoon/amd64/docker-compose.yml
@@ -1,50 +0,0 @@
-services:
-  display:
-    image: ghcr.io/techarohq/ci-images/xserver:latest
-    pull_policy: always
-    ports:
-      - 5900:5900
-
-  anubis:
-    image: ko.local/anubis
-    environment:
-      BIND: ":3000"
-      TARGET: http://$TARGET
-      POLICY_FNAME: /cfg/anubis.yaml
-      SLOG_LEVEL: DEBUG
-    volumes:
-      - ../anubis:/cfg
-    depends_on:
-      - relayd
-
-  relayd:
-    image: ghcr.io/xe/x/relayd
-    environment:
-      BIND: :443
-      CERT_DIR: /techaro/pki
-      CERT_FNAME: cert.pem
-      KEY_FNAME: key.pem
-      PROXY_TO: http://anubis:3000
-    volumes:
-      - ../../pki/relayd:/techaro/pki:ro
-
-  # novnc:
-  #   image: geek1011/easy-novnc
-  #   command: -a :5800 -h display --no-url-password
-  #   ports:
-  #     - 5800:5800
-
-  palemoon:
-    platform: linux/amd64
-    init: true
-    image: ghcr.io/techarohq/ci-images/palemoon:latest
-    command: sleep inf
-    environment:
-      DISPLAY: display:0
-    volumes:
-      - ../../pki:/usr/local/share/ca-certificates/minica:ro
-      - ../scripts:/hack/scripts:ro
-    depends_on:
-      - anubis
-      - relayd
-      - display
--- a/test/palemoon/amd64/test.sh
+++ b/test/palemoon/amd64/test.sh
@@ -1,30 +0,0 @@
-#!/usr/bin/env bash
-
-export VERSION=$GITHUB_COMMIT-test
-export KO_DOCKER_REPO=ko.local
-
-function capture_vnc_snapshots() {
-  sudo apt-get update && sudo apt-get install -y gvncviewer
-  mkdir -p ./var
-  while true; do
-    timestamp=$(date +"%Y%m%d%H%M%S")
-    gvnccapture localhost:0 ./var/snapshot_$timestamp.png 2>/dev/null
-    sleep 1
-  done
-}
-
-source ../../lib/lib.sh
-
-if [ "$GITHUB_ACTIONS" = "true" ]; then
-  capture_vnc_snapshots &
-fi
-
-set -euo pipefail
-
-build_anubis_ko
-mint_cert relayd
-
-go run ../../cmd/cipra/ --compose-name $(basename $(pwd))
-
-docker compose down -t 1 || :
-docker compose rm -f || :
--- a/test/palemoon/amd64/var/.gitignore
+++ b/test/palemoon/amd64/var/.gitignore
@@ -1,2 +0,0 @@
-*
-!.gitignore
--- a/test/palemoon/anubis/anubis.yaml
+++ b/test/palemoon/anubis/anubis.yaml
@@ -1,12 +0,0 @@
-bots:
-  - name: palemoon
-    user_agent_regex: PaleMoon
-    action: CHALLENGE
-    challenge:
-      difficulty: 2
-      report_as: 2
-      algorithm: fast
-
-status_codes:
-  CHALLENGE: 401
-  DENY: 403
--- a/test/palemoon/i386/docker-compose.yml
+++ b/test/palemoon/i386/docker-compose.yml
@@ -1,44 +0,0 @@
-services:
-  display:
-    image: ghcr.io/techarohq/ci-images/xserver:latest
-    pull_policy: always
-    ports:
-      - 5900:5900
-
-  anubis:
-    image: ko.local/anubis
-    environment:
-      BIND: ":3000"
-      TARGET: http://$TARGET
-      POLICY_FNAME: /cfg/anubis.yaml
-      SLOG_LEVEL: DEBUG
-    volumes:
-      - ../anubis:/cfg
-
-  relayd:
-    image: ghcr.io/xe/x/relayd
-    environment:
-      BIND: :443
-      CERT_DIR: /techaro/pki
-      CERT_FNAME: cert.pem
-      KEY_FNAME: key.pem
-      PROXY_TO: http://anubis:3000
-    volumes:
-      - ../../pki/relayd:/techaro/pki:ro
-
-  # novnc:
-  #   image: geek1011/easy-novnc
-  #   command: -a :5800 -h display --no-url-password
-  #   ports:
-  #     - 5800:5800
-
-  palemoon:
-    platform: linux/386
-    init: true
-    image: ghcr.io/techarohq/ci-images/palemoon:latest
-    command: sleep inf
-    environment:
-      DISPLAY: display:0
-    volumes:
-      - ../../pki:/usr/local/share/ca-certificates/minica:ro
-      - ../scripts:/hack/scripts:ro
--- a/test/palemoon/i386/test.sh
+++ b/test/palemoon/i386/test.sh
@@ -1,30 +0,0 @@
-#!/usr/bin/env bash
-
-export VERSION=$GITHUB_COMMIT-test
-export KO_DOCKER_REPO=ko.local
-
-function capture_vnc_snapshots() {
-  sudo apt-get update && sudo apt-get install -y gvncviewer
-  mkdir -p ./var
-  while true; do
-    timestamp=$(date +"%Y%m%d%H%M%S")
-    gvnccapture localhost:0 ./var/snapshot_$timestamp.png 2>/dev/null
-    sleep 1
-  done
-}
-
-source ../../lib/lib.sh
-
-if [ "$GITHUB_ACTIONS" = "true" ]; then
-  capture_vnc_snapshots &
-fi
-
-set -euo pipefail
-
-build_anubis_ko
-mint_cert relayd
-
-go run ../../cmd/cipra/ --compose-name $(basename $(pwd))
-
-docker compose down -t 1 || :
-docker compose rm -f || :
--- a/test/palemoon/i386/var/.gitignore
+++ b/test/palemoon/i386/var/.gitignore
@@ -1,2 +0,0 @@
-*
-!.gitignore
--- a/test/palemoon/scripts/install-cert.sh
+++ b/test/palemoon/scripts/install-cert.sh
@@ -1,103 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-
-CERT_PATH="/usr/local/share/ca-certificates/minica/minica.pem"
-CERT_NAME="minica"
-TRUST_FLAGS="C,,"
-
-FIREFOX_DIR="$HOME/.mozilla/firefox"
-PALEMOON_DIR="$HOME/.moonchild productions/pale moon"
-
-echo "🔄 Updating system CA certificates..."
-update-ca-certificates
-
-# 🌀 Trigger Pale Moon to create its profile if needed
-if command -v palemoon &>/dev/null; then
-  echo "🚀 Launching Pale Moon to initialize profile..."
-  palemoon &>/dev/null &
-  PALEMOON_PID=$!
-
-  # Wait up to 20 seconds for prefs.js to be created
-  for i in {1..20}; do
-    set +e
-    PROFILE_DIR=$(grep Path ~/.moonchild\ productions/pale\ moon/profiles.ini | cut -d= -f2)
-    PREFS_FILE="$HOME/.moonchild productions/pale moon/$PROFILE_DIR/prefs.js"
-
-    if [[ -f "$PREFS_FILE" ]]; then
-      set -e
-      echo "✅ prefs.js found at: $PREFS_FILE"
-      break
-    fi
-
-    sleep 5
-  done
-
-  kill $PALEMOON_PID 2>/dev/null || true
-  wait $PALEMOON_PID 2>/dev/null || true
-
-  if [[ ! -f "$PREFS_FILE" ]]; then
-    echo "❌ prefs.js not found. Pale Moon did not fully initialize."
-    exit 1
-  fi
-else
-  echo "⚠️ Pale Moon is not installed or not in PATH. Skipping profile bootstrap."
-fi
-
-echo 'user_pref("security.cert_pinning.enforcement_level", 0);' >>"$PREFS_FILE"
-
-echo "✅ TLS cert validation disabled in Pale Moon profile: $PROFILE_DIR"
-
-# 🔧 Ensure certutil is installed
-if ! command -v certutil &>/dev/null; then
-  if [ -f /etc/debian_version ]; then
-    echo "🔧 'certutil' not found. Installing via apt..."
-    apt-get update
-    apt-get install -y libnss3-tools
-  else
-    echo "❌ 'certutil' not found and install is only supported on Debian-based systems."
-    exit 1
-  fi
-fi
-
-import_cert_to_profiles() {
-  local base_dir="$1"
-  local browser_name="$2"
-  local profile_glob="$3"
-
-  if [ ! -d "$base_dir" ]; then
-    echo "⚠️  $browser_name profile directory not found: $base_dir"
-    return
-  fi
-
-  echo "📌 Searching for $browser_name profiles in: $base_dir"
-
-  local found=0
-
-  for profile in "$base_dir"/$profile_glob; do
-    if [ ! -d "$profile" ]; then
-      continue
-    fi
-
-    found=1
-    local db_path="sql:$profile"
-    echo "🔍 Processing $browser_name profile: $profile"
-
-    if certutil -L -d "$db_path" | grep -q "^$CERT_NAME"; then
-      echo "  ✅ Certificate '$CERT_NAME' already exists in profile."
-      continue
-    fi
-
-    certutil -A -n "$CERT_NAME" -t "$TRUST_FLAGS" -i "$CERT_PATH" -d "$db_path"
-    echo "  ➕ Added certificate '$CERT_NAME' to $browser_name profile."
-  done
-
-  if [ "$found" -eq 0 ]; then
-    echo "⚠️  No $browser_name profiles found in: $base_dir"
-  fi
-}
-
-import_cert_to_profiles "$FIREFOX_DIR" "Firefox" "*.default*"
-import_cert_to_profiles "$PALEMOON_DIR" "Pale Moon" "*.*"
-
-echo "✅ Done. Firefox and Pale Moon profiles updated with '$CERT_NAME' certificate."
--- a/web/index.go
+++ b/web/index.go
@@ -25,8 +25,8 @@ func Index(localizer *localization.SimpleLocalizer) templ.Component {
 	return index(localizer)
 }

-func ErrorPage(msg, mail string, localizer *localization.SimpleLocalizer) templ.Component {
-	return errorPage(msg, mail, localizer)
+func ErrorPage(msg, mail, redirect string, localizer *localization.SimpleLocalizer) templ.Component {
+	return errorPage(msg, mail, redirect, localizer)
 }

 func Bench(localizer *localization.SimpleLocalizer) templ.Component {
--- a/web/index.templ
+++ b/web/index.templ
@@ -122,10 +122,18 @@ templ index(localizer *localization.SimpleLocalizer) {
 	</div>
 }

-templ errorPage(message, mail string, localizer *localization.SimpleLocalizer) {
+script reload(redirect string) {
+	if (redirect === "") {
+		redirect = "/";
+	}
+	window.location = redirect;
+}
+
+templ errorPage(message, mail, redirect string, localizer *localization.SimpleLocalizer) {
 	<div class="centered-div">
 		<img id="image" alt="Sad Anubis" style="width:100%;max-width:256px;" src={ anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/reject.webp?cacheBuster=" + anubis.Version }/>
 		<p>{ message }.</p>
+		<button onClick={ reload(redirect) }>{ localizer.T("try_again") }</button>
 		if mail != "" {
 			<p>
 				<a href="/">{ localizer.T("go_home") }</a> { localizer.T("contact_webmaster") }
--- a/web/index_templ.go
+++ b/web/index_templ.go
@@ -440,7 +440,20 @@ func index(localizer *localization.SimpleLocalizer) templ.Component {
 	})
 }

-func errorPage(message, mail string, localizer *localization.SimpleLocalizer) templ.Component {
+func reload(redirect string) templ.ComponentScript {
+	return templ.ComponentScript{
+		Name: `__templ_reload_f48f`,
+		Function: `function __templ_reload_f48f(redirect){if (redirect === "") {
+		redirect = "/";
+	}
+	window.location = redirect;
+}`,
+		Call:       templ.SafeScript(`__templ_reload_f48f`, redirect),
+		CallInline: templ.SafeScriptInline(`__templ_reload_f48f`, redirect),
+	}
+}
+
+func errorPage(message, mail, redirect string, localizer *localization.SimpleLocalizer) templ.Component {
 	return templruntime.GeneratedTemplate(func(templ_7745c5c3_Input templruntime.GeneratedComponentInput) (templ_7745c5c3_Err error) {
 		templ_7745c5c3_W, ctx := templ_7745c5c3_Input.Writer, templ_7745c5c3_Input.Context
 		if templ_7745c5c3_CtxErr := ctx.Err(); templ_7745c5c3_CtxErr != nil {
@@ -468,7 +481,7 @@ func errorPage(message, mail string, localizer *localization.SimpleLocalizer) te
 		var templ_7745c5c3_Var28 string
 		templ_7745c5c3_Var28, templ_7745c5c3_Err = templ.JoinStringErrs(anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/reject.webp?cacheBuster=" + anubis.Version)
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 127, Col: 181}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 134, Col: 181}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var28))
 		if templ_7745c5c3_Err != nil {
@@ -481,7 +494,7 @@ func errorPage(message, mail string, localizer *localization.SimpleLocalizer) te
 		var templ_7745c5c3_Var29 string
 		templ_7745c5c3_Var29, templ_7745c5c3_Err = templ.JoinStringErrs(message)
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 128, Col: 14}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 135, Col: 14}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var29))
 		if templ_7745c5c3_Err != nil {
@@ -491,83 +504,113 @@ func errorPage(message, mail string, localizer *localization.SimpleLocalizer) te
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
+		templ_7745c5c3_Err = templ.RenderScriptItems(ctx, templ_7745c5c3_Buffer, reload(redirect))
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 37, "<button onClick=\"")
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		var templ_7745c5c3_Var30 templ.ComponentScript = reload(redirect)
+		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ_7745c5c3_Var30.Call)
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 38, "\">")
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		var templ_7745c5c3_Var31 string
+		templ_7745c5c3_Var31, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("try_again"))
+		if templ_7745c5c3_Err != nil {
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 136, Col: 65}
+		}
+		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var31))
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 39, "</button> ")
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
 		if mail != "" {
-			templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 37, "<p><a href=\"/\">")
+			templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 40, "<p><a href=\"/\">")
 			if templ_7745c5c3_Err != nil {
 				return templ_7745c5c3_Err
 			}
-			var templ_7745c5c3_Var30 string
-			templ_7745c5c3_Var30, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("go_home"))
+			var templ_7745c5c3_Var32 string
+			templ_7745c5c3_Var32, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("go_home"))
 			if templ_7745c5c3_Err != nil {
-				return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 131, Col: 40}
-			}
-			_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var30))
-			if templ_7745c5c3_Err != nil {
-				return templ_7745c5c3_Err
-			}
-			templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 38, "</a> ")
-			if templ_7745c5c3_Err != nil {
-				return templ_7745c5c3_Err
-			}
-			var templ_7745c5c3_Var31 string
-			templ_7745c5c3_Var31, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("contact_webmaster"))
-			if templ_7745c5c3_Err != nil {
-				return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 131, Col: 81}
-			}
-			_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var31))
-			if templ_7745c5c3_Err != nil {
-				return templ_7745c5c3_Err
-			}
-			templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 39, " <a href=\"")
-			if templ_7745c5c3_Err != nil {
-				return templ_7745c5c3_Err
-			}
-			var templ_7745c5c3_Var32 templ.SafeURL
-			templ_7745c5c3_Var32, templ_7745c5c3_Err = templ.JoinURLErrs("mailto:" + templ.SafeURL(mail))
-			if templ_7745c5c3_Err != nil {
-				return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 132, Col: 45}
+				return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 139, Col: 40}
 			}
 			_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var32))
 			if templ_7745c5c3_Err != nil {
 				return templ_7745c5c3_Err
 			}
-			templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 40, "\">")
+			templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 41, "</a> ")
 			if templ_7745c5c3_Err != nil {
 				return templ_7745c5c3_Err
 			}
 			var templ_7745c5c3_Var33 string
-			templ_7745c5c3_Var33, templ_7745c5c3_Err = templ.JoinStringErrs(mail)
+			templ_7745c5c3_Var33, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("contact_webmaster"))
 			if templ_7745c5c3_Err != nil {
-				return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 133, Col: 11}
+				return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 139, Col: 81}
 			}
 			_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var33))
 			if templ_7745c5c3_Err != nil {
 				return templ_7745c5c3_Err
 			}
-			templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 41, "</a></p>")
+			templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 42, " <a href=\"")
 			if templ_7745c5c3_Err != nil {
 				return templ_7745c5c3_Err
 			}
-		} else {
-			templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 42, "<p><a href=\"/\">")
+			var templ_7745c5c3_Var34 templ.SafeURL
+			templ_7745c5c3_Var34, templ_7745c5c3_Err = templ.JoinURLErrs("mailto:" + templ.SafeURL(mail))
 			if templ_7745c5c3_Err != nil {
-				return templ_7745c5c3_Err
-			}
-			var templ_7745c5c3_Var34 string
-			templ_7745c5c3_Var34, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("go_home"))
-			if templ_7745c5c3_Err != nil {
-				return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 137, Col: 42}
+				return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 140, Col: 45}
 			}
 			_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var34))
 			if templ_7745c5c3_Err != nil {
 				return templ_7745c5c3_Err
 			}
-			templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 43, "</a></p>")
+			templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 43, "\">")
+			if templ_7745c5c3_Err != nil {
+				return templ_7745c5c3_Err
+			}
+			var templ_7745c5c3_Var35 string
+			templ_7745c5c3_Var35, templ_7745c5c3_Err = templ.JoinStringErrs(mail)
+			if templ_7745c5c3_Err != nil {
+				return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 141, Col: 11}
+			}
+			_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var35))
+			if templ_7745c5c3_Err != nil {
+				return templ_7745c5c3_Err
+			}
+			templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 44, "</a></p>")
+			if templ_7745c5c3_Err != nil {
+				return templ_7745c5c3_Err
+			}
+		} else {
+			templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 45, "<p><a href=\"/\">")
+			if templ_7745c5c3_Err != nil {
+				return templ_7745c5c3_Err
+			}
+			var templ_7745c5c3_Var36 string
+			templ_7745c5c3_Var36, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("go_home"))
+			if templ_7745c5c3_Err != nil {
+				return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 145, Col: 42}
+			}
+			_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var36))
+			if templ_7745c5c3_Err != nil {
+				return templ_7745c5c3_Err
+			}
+			templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 46, "</a></p>")
 			if templ_7745c5c3_Err != nil {
 				return templ_7745c5c3_Err
 			}
 		}
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 44, "</div>")
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 47, "</div>")
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
@@ -591,39 +634,39 @@ func StaticHappy(localizer *localization.SimpleLocalizer) templ.Component {
 			}()
 		}
 		ctx = templ.InitializeContext(ctx)
-		templ_7745c5c3_Var35 := templ.GetChildren(ctx)
-		if templ_7745c5c3_Var35 == nil {
-			templ_7745c5c3_Var35 = templ.NopComponent
+		templ_7745c5c3_Var37 := templ.GetChildren(ctx)
+		if templ_7745c5c3_Var37 == nil {
+			templ_7745c5c3_Var37 = templ.NopComponent
 		}
 		ctx = templ.ClearChildren(ctx)
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 45, "<div class=\"centered-div\"><img style=\"display:none;\" style=\"width:100%;max-width:256px;\" src=\"")
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 48, "<div class=\"centered-div\"><img style=\"display:none;\" style=\"width:100%;max-width:256px;\" src=\"")
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
-		var templ_7745c5c3_Var36 string
-		templ_7745c5c3_Var36, templ_7745c5c3_Err = templ.JoinStringErrs("/.within.website/x/cmd/anubis/static/img/happy.webp?cacheBuster=" +
+		var templ_7745c5c3_Var38 string
+		templ_7745c5c3_Var38, templ_7745c5c3_Err = templ.JoinStringErrs("/.within.website/x/cmd/anubis/static/img/happy.webp?cacheBuster=" +
 			anubis.Version)
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 148, Col: 18}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 156, Col: 18}
 		}
-		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var36))
+		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var38))
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 46, "\"><p>")
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 49, "\"><p>")
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
-		var templ_7745c5c3_Var37 string
-		templ_7745c5c3_Var37, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("static_check_endpoint"))
+		var templ_7745c5c3_Var39 string
+		templ_7745c5c3_Var39, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("static_check_endpoint"))
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 150, Col: 43}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 158, Col: 43}
 		}
-		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var37))
+		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var39))
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 47, "</p></div>")
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 50, "</p></div>")
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
@@ -647,181 +690,181 @@ func bench(localizer *localization.SimpleLocalizer) templ.Component {
 			}()
 		}
 		ctx = templ.InitializeContext(ctx)
-		templ_7745c5c3_Var38 := templ.GetChildren(ctx)
-		if templ_7745c5c3_Var38 == nil {
-			templ_7745c5c3_Var38 = templ.NopComponent
+		templ_7745c5c3_Var40 := templ.GetChildren(ctx)
+		if templ_7745c5c3_Var40 == nil {
+			templ_7745c5c3_Var40 = templ.NopComponent
 		}
 		ctx = templ.ClearChildren(ctx)
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 48, "<div style=\"height:20rem;display:flex\"><table style=\"margin-top:1rem;display:grid;grid-template:auto 1fr/auto auto;gap:0 0.5rem\"><thead style=\"border-bottom:1px solid black;padding:0.25rem 0;display:grid;grid-template:1fr/subgrid;grid-column:1/-1\"><tr id=\"table-header\" style=\"display:contents\"><th style=\"width:4.5rem\">")
-		if templ_7745c5c3_Err != nil {
-			return templ_7745c5c3_Err
-		}
-		var templ_7745c5c3_Var39 string
-		templ_7745c5c3_Var39, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("time"))
-		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 161, Col: 51}
-		}
-		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var39))
-		if templ_7745c5c3_Err != nil {
-			return templ_7745c5c3_Err
-		}
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 49, "</th><th style=\"width:4rem\">")
-		if templ_7745c5c3_Err != nil {
-			return templ_7745c5c3_Err
-		}
-		var templ_7745c5c3_Var40 string
-		templ_7745c5c3_Var40, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("iters"))
-		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 162, Col: 50}
-		}
-		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var40))
-		if templ_7745c5c3_Err != nil {
-			return templ_7745c5c3_Err
-		}
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 50, "</th></tr><tr id=\"table-header-compare\" style=\"display:none\"><th style=\"width:4.5rem\">")
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 51, "<div style=\"height:20rem;display:flex\"><table style=\"margin-top:1rem;display:grid;grid-template:auto 1fr/auto auto;gap:0 0.5rem\"><thead style=\"border-bottom:1px solid black;padding:0.25rem 0;display:grid;grid-template:1fr/subgrid;grid-column:1/-1\"><tr id=\"table-header\" style=\"display:contents\"><th style=\"width:4.5rem\">")
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
 		var templ_7745c5c3_Var41 string
-		templ_7745c5c3_Var41, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("time_a"))
+		templ_7745c5c3_Var41, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("time"))
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 165, Col: 53}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 169, Col: 51}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var41))
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 51, "</th><th style=\"width:4rem\">")
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 52, "</th><th style=\"width:4rem\">")
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
 		var templ_7745c5c3_Var42 string
-		templ_7745c5c3_Var42, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("iters_a"))
+		templ_7745c5c3_Var42, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("iters"))
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 166, Col: 52}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 170, Col: 50}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var42))
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 52, "</th><th style=\"width:4.5rem\">")
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 53, "</th></tr><tr id=\"table-header-compare\" style=\"display:none\"><th style=\"width:4.5rem\">")
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
 		var templ_7745c5c3_Var43 string
-		templ_7745c5c3_Var43, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("time_b"))
+		templ_7745c5c3_Var43, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("time_a"))
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 167, Col: 53}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 173, Col: 53}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var43))
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 53, "</th><th style=\"width:4rem\">")
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 54, "</th><th style=\"width:4rem\">")
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
 		var templ_7745c5c3_Var44 string
-		templ_7745c5c3_Var44, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("iters_b"))
+		templ_7745c5c3_Var44, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("iters_a"))
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 168, Col: 52}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 174, Col: 52}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var44))
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 54, "</th></tr></thead> <tbody id=\"results\" style=\"padding-top:0.25rem;display:grid;grid-template-columns:subgrid;grid-auto-rows:min-content;grid-column:1/-1;row-gap:0.25rem;overflow-y:auto;font-variant-numeric:tabular-nums\"></tbody></table><div class=\"centered-div\"><img id=\"image\" style=\"width:100%;max-width:256px;\" src=\"")
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 55, "</th><th style=\"width:4.5rem\">")
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
 		var templ_7745c5c3_Var45 string
-		templ_7745c5c3_Var45, templ_7745c5c3_Err = templ.JoinStringErrs(anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/pensive.webp?cacheBuster=" + anubis.Version)
+		templ_7745c5c3_Var45, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("time_b"))
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 177, Col: 166}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 175, Col: 53}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var45))
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 55, "\"><p id=\"status\" style=\"max-width:256px\">")
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 56, "</th><th style=\"width:4rem\">")
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
 		var templ_7745c5c3_Var46 string
-		templ_7745c5c3_Var46, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("loading"))
+		templ_7745c5c3_Var46, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("iters_b"))
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 178, Col: 66}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 176, Col: 52}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var46))
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 56, "</p><script async type=\"module\" src=\"")
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 57, "</th></tr></thead> <tbody id=\"results\" style=\"padding-top:0.25rem;display:grid;grid-template-columns:subgrid;grid-auto-rows:min-content;grid-column:1/-1;row-gap:0.25rem;overflow-y:auto;font-variant-numeric:tabular-nums\"></tbody></table><div class=\"centered-div\"><img id=\"image\" style=\"width:100%;max-width:256px;\" src=\"")
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
 		var templ_7745c5c3_Var47 string
-		templ_7745c5c3_Var47, templ_7745c5c3_Err = templ.JoinStringErrs(anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/js/bench.mjs?cacheBuster=" + anubis.Version)
+		templ_7745c5c3_Var47, templ_7745c5c3_Err = templ.JoinStringErrs(anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/pensive.webp?cacheBuster=" + anubis.Version)
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 179, Col: 138}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 185, Col: 166}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var47))
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 57, "\"></script><div id=\"sparkline\"></div><noscript><p>")
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 58, "\"><p id=\"status\" style=\"max-width:256px\">")
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
 		var templ_7745c5c3_Var48 string
-		templ_7745c5c3_Var48, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("benchmark_requires_js"))
+		templ_7745c5c3_Var48, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("loading"))
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 182, Col: 45}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 186, Col: 66}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var48))
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 58, "</p></noscript></div></div><form id=\"controls\" style=\"position:fixed;top:0.5rem;right:0.5rem\"><div style=\"display:flex;justify-content:end\"><label for=\"difficulty-input\" style=\"margin-right:0.5rem\">")
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 59, "</p><script async type=\"module\" src=\"")
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
 		var templ_7745c5c3_Var49 string
-		templ_7745c5c3_Var49, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("difficulty"))
+		templ_7745c5c3_Var49, templ_7745c5c3_Err = templ.JoinStringErrs(anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/js/bench.mjs?cacheBuster=" + anubis.Version)
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 188, Col: 88}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 187, Col: 138}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var49))
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 59, "</label> <input id=\"difficulty-input\" type=\"number\" name=\"difficulty\" style=\"width:3rem\"></div><div style=\"margin-top:0.25rem;display:flex;justify-content:end\"><label for=\"algorithm-select\" style=\"margin-right:0.5rem\">")
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 60, "\"></script><div id=\"sparkline\"></div><noscript><p>")
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
 		var templ_7745c5c3_Var50 string
-		templ_7745c5c3_Var50, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("algorithm"))
+		templ_7745c5c3_Var50, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("benchmark_requires_js"))
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 192, Col: 87}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 190, Col: 45}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var50))
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 60, "</label> <select id=\"algorithm-select\" name=\"algorithm\"></select></div><div style=\"margin-top:0.25rem;display:flex;justify-content:end\"><label for=\"compare-select\" style=\"margin-right:0.5rem\">")
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 61, "</p></noscript></div></div><form id=\"controls\" style=\"position:fixed;top:0.5rem;right:0.5rem\"><div style=\"display:flex;justify-content:end\"><label for=\"difficulty-input\" style=\"margin-right:0.5rem\">")
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
 		var templ_7745c5c3_Var51 string
-		templ_7745c5c3_Var51, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("compare"))
+		templ_7745c5c3_Var51, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("difficulty"))
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 196, Col: 83}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 196, Col: 88}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var51))
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 61, "</label> <select id=\"compare-select\" name=\"compare\"><option value=\"NONE\">-</option></select></div></form>")
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 62, "</label> <input id=\"difficulty-input\" type=\"number\" name=\"difficulty\" style=\"width:3rem\"></div><div style=\"margin-top:0.25rem;display:flex;justify-content:end\"><label for=\"algorithm-select\" style=\"margin-right:0.5rem\">")
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		var templ_7745c5c3_Var52 string
+		templ_7745c5c3_Var52, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("algorithm"))
+		if templ_7745c5c3_Err != nil {
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 200, Col: 87}
+		}
+		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var52))
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 63, "</label> <select id=\"algorithm-select\" name=\"algorithm\"></select></div><div style=\"margin-top:0.25rem;display:flex;justify-content:end\"><label for=\"compare-select\" style=\"margin-right:0.5rem\">")
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		var templ_7745c5c3_Var53 string
+		templ_7745c5c3_Var53, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("compare"))
+		if templ_7745c5c3_Err != nil {
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 204, Col: 83}
+		}
+		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var53))
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 64, "</label> <select id=\"compare-select\" name=\"compare\"><option value=\"NONE\">-</option></select></div></form>")
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
Author	SHA1	Message	Date
Xe Iaso	97864df1f4	chore: spelling check-spelling run (pull_request) for Xe/v1.21.1-blogpost Signed-off-by: check-spelling-bot <check-spelling-bot@users.noreply.github.com> on-behalf-of: @check-spelling <check-spelling-bot@check-spelling.dev>	2025-07-22 12:44:08 +00:00
Xe Iaso	73cd5c0512	docs(v1.21.1): clarify that Bell is trash Signed-off-by: Xe Iaso <me@xeiaso.net>	2025-07-22 12:43:43 +00:00
Xe Iaso	4b9f9dc08c	docs(v1.21.1): spelling fixes Signed-off-by: Xe Iaso <me@xeiaso.net>	2025-07-22 12:41:43 +00:00
Xe Iaso	8f9fa20156	docs(v1.21.1): small fixups Signed-off-by: Xe Iaso <me@xeiaso.net>	2025-07-22 12:34:21 +00:00
Xe Iaso	e587cdcbe3	docs: add release announcement post for v1.21.1 Signed-off-by: Xe Iaso <me@xeiaso.net>	2025-07-22 00:54:32 +00:00
@@ -1 +1 @@
 .21.3
 .21.0