docs: add reminder for verified signatures in PR template

2026-04-19 22:56:39 +00:00 · 2025-09-07 15:49:51 -04:00
36 changed files with 101 additions and 767 deletions
@@ -9,3 +9,4 @@ Checklist:
 - [ ] Added a description of the changes to the `[Unreleased]` section of docs/docs/CHANGELOG.md
 - [ ] Added test cases to [the relevant parts of the codebase](https://anubis.techaro.lol/docs/developer/code-quality)
 - [ ] Ran integration tests `npm run test:integration` (unsupported on Windows, please use WSL)
+- [ ] All of my commits have [verified signatures](https://anubis.techaro.lol/docs/developer/signed-commits)
@@ -6,4 +6,3 @@ workarounds
 rjack
 msgbox
 xeact
-ABee
@@ -140,7 +140,6 @@ headermap
 healthcheck
 healthz
 hec
-Hetzner
 hmc
 homelab
 hostable
@@ -238,6 +237,7 @@ pki
 podkova
 podman
 poststart
+poxied
 prebaked
 privkey
 promauto
@@ -250,6 +250,7 @@ pwuser
 qualys
 qwant
 qwantbot
+QWEN
 rac
 rawler
 rcvar
@@ -281,6 +282,7 @@ shirou
 Sidetrade
 simprint
 sitemap
+Slackware
 sls
 Smartphone
 sni
@@ -358,7 +360,6 @@ XOriginal
 XReal
 yae
 YAMLTo
-Yda
 yeet
 yeetfile
 yourdomain
@@ -15,7 +15,7 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-tags: true
          fetch-depth: 0
@@ -25,7 +25,7 @@ jobs:
        uses: Homebrew/actions/setup-homebrew@main

      - name: Setup Homebrew cellar cache
-        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
        with:
          path: |
            /home/linuxbrew/.linuxbrew/Cellar
@@ -47,7 +47,7 @@ jobs:

      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
        with:
          images: ghcr.io/${{ github.repository }}

@@ -21,7 +21,7 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-tags: true
          fetch-depth: 0
@@ -35,7 +35,7 @@ jobs:
        uses: Homebrew/actions/setup-homebrew@main

      - name: Setup Homebrew cellar cache
-        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
        with:
          path: |
            /home/linuxbrew/.linuxbrew/Cellar
@@ -56,7 +56,7 @@ jobs:
          brew bundle

      - name: Log into registry
-        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
@@ -64,7 +64,7 @@ jobs:

      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
        with:
          images: ${{ env.IMAGE }}

@@ -78,7 +78,7 @@ jobs:
          SLOG_LEVEL: debug

      - name: Generate artifact attestation
-        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+        uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0
        with:
          subject-name: ${{ env.IMAGE }}
          subject-digest: ${{ steps.build.outputs.digest }}
@@ -17,7 +17,7 @@ jobs:
    runs-on: ubuntu-24.04

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false

@@ -25,7 +25,7 @@ jobs:
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

      - name: Log into registry
-        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: ghcr.io
          username: techarohq
@@ -33,7 +33,7 @@ jobs:

      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
        with:
          images: ghcr.io/techarohq/anubis/docs
          tags: |
@@ -53,14 +53,14 @@ jobs:
          push: true

      - name: Apply k8s manifests to limsa lominsa
-        uses: actions-hub/kubectl@af345ed727f0268738e65be48422e463cc67c220 # v1.34.0
+        uses: actions-hub/kubectl@b5b19eeb6a0ffde16637e398f8b96ef01eb8fdb7 # v1.33.3
        env:
          KUBE_CONFIG: ${{ secrets.LIMSA_LOMINSA_KUBECONFIG }}
        with:
          args: apply -k docs/manifest

      - name: Apply k8s manifests to limsa lominsa
-        uses: actions-hub/kubectl@af345ed727f0268738e65be48422e463cc67c220 # v1.34.0
+        uses: actions-hub/kubectl@b5b19eeb6a0ffde16637e398f8b96ef01eb8fdb7 # v1.33.3
        env:
          KUBE_CONFIG: ${{ secrets.LIMSA_LOMINSA_KUBECONFIG }}
        with:
@@ -13,7 +13,7 @@ jobs:
    runs-on: ubuntu-24.04

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false

@@ -22,7 +22,7 @@ jobs:

      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
        with:
          images: ghcr.io/techarohq/anubis/docs
          tags: |
@@ -15,7 +15,7 @@ jobs:
    #runs-on: alrest-techarohq
    runs-on: ubuntu-24.04
    steps:
-    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      with:
        persist-credentials: false

@@ -28,7 +28,7 @@ jobs:
      uses: Homebrew/actions/setup-homebrew@main

    - name: Setup Homebrew cellar cache
-      uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
      with:
        path: |
          /home/linuxbrew/.linuxbrew/Cellar
@@ -49,7 +49,7 @@ jobs:
        brew bundle

    - name: Setup Golang caches
-      uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
      with:
        path: |
          ~/.cache/go-build
@@ -59,7 +59,7 @@ jobs:
          ${{ runner.os }}-golang-

    - name: Cache playwright binaries
-      uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
      id: playwright-cache
      with:
        path: |
@@ -14,7 +14,7 @@ jobs:
    #runs-on: alrest-techarohq
    runs-on: ubuntu-24.04
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false
          fetch-tags: true
@@ -29,7 +29,7 @@ jobs:
        uses: Homebrew/actions/setup-homebrew@main

      - name: Setup Homebrew cellar cache
-        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
        with:
          path: |
            /home/linuxbrew/.linuxbrew/Cellar
@@ -50,7 +50,7 @@ jobs:
          brew bundle

      - name: Setup Golang caches
-        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
        with:
          path: |
            ~/.cache/go-build
@@ -15,7 +15,7 @@ jobs:
    #runs-on: alrest-techarohq
    runs-on: ubuntu-24.04
    steps:
-    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      with:
        persist-credentials: false
        fetch-tags: true
@@ -30,7 +30,7 @@ jobs:
      uses: Homebrew/actions/setup-homebrew@main

    - name: Setup Homebrew cellar cache
-      uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
      with:
        path: |
          /home/linuxbrew/.linuxbrew/Cellar
@@ -51,7 +51,7 @@ jobs:
        brew bundle

    - name: Setup Golang caches
-      uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
      with:
        path: |
          ~/.cache/go-build
@@ -24,7 +24,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false

@@ -18,13 +18,13 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-tags: true
          fetch-depth: 0
          persist-credentials: false
      - name: Log into registry
-        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
@@ -20,7 +20,7 @@ jobs:
          - ci@ppc64le.techaro.lol
    steps:
      - name: Checkout code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-tags: true
          fetch-depth: 0
@@ -16,12 +16,12 @@ jobs:
      security-events: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false

      - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@4959332f0f014c5280e7eac8b70c90cb574c9f9b # v6.6.0
+        uses: astral-sh/setup-uv@e92bafb6253dcd438e0484186d7669ea7a8ca1cc # v6.4.3

      - name: Run zizmor 🌈
        run: uvx zizmor --format sarif . > results.sarif 
@@ -29,7 +29,7 @@ jobs:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} 

      - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.11
+        uses: github/codeql-action/upload-sarif@4e828ff8d448a8a6e532957b1811f387a63867e8 # v3.29.4
        with:
          sarif_file: results.sarif
          category: zizmor
@@ -29,7 +29,7 @@ var (
 )

 type RobotsRule struct {
-	UserAgents  []string
+	UserAgent   string
 	Disallows   []string
 	Allows      []string
 	CrawlDelay  int
@@ -130,26 +130,10 @@ func main() {
 	}
 }

-func createRuleFromAccumulated(userAgents, disallows, allows []string, crawlDelay int) RobotsRule {
-	rule := RobotsRule{
-		UserAgents: make([]string, len(userAgents)),
-		Disallows:  make([]string, len(disallows)),
-		Allows:     make([]string, len(allows)),
-		CrawlDelay: crawlDelay,
-	}
-	copy(rule.UserAgents, userAgents)
-	copy(rule.Disallows, disallows)
-	copy(rule.Allows, allows)
-	return rule
-}
-
 func parseRobotsTxt(input io.Reader) ([]RobotsRule, error) {
 	scanner := bufio.NewScanner(input)
 	var rules []RobotsRule
-	var currentUserAgents []string
-	var currentDisallows []string
-	var currentAllows []string
-	var currentCrawlDelay int
+	var currentRule *RobotsRule

 	for scanner.Scan() {
 		line := strings.TrimSpace(scanner.Text())
@@ -170,42 +154,38 @@ func parseRobotsTxt(input io.Reader) ([]RobotsRule, error) {

 		switch directive {
 		case "user-agent":
-			// If we have accumulated rules with directives and encounter a new user-agent,
-			// flush the current rules
-			if len(currentUserAgents) > 0 && (len(currentDisallows) > 0 || len(currentAllows) > 0 || currentCrawlDelay > 0) {
-				rule := createRuleFromAccumulated(currentUserAgents, currentDisallows, currentAllows, currentCrawlDelay)
-				rules = append(rules, rule)
-				// Reset for next group
-				currentUserAgents = nil
-				currentDisallows = nil
-				currentAllows = nil
-				currentCrawlDelay = 0
+			// Start a new rule section
+			if currentRule != nil {
+				rules = append(rules, *currentRule)
+			}
+			currentRule = &RobotsRule{
+				UserAgent: value,
+				Disallows: make([]string, 0),
+				Allows:    make([]string, 0),
 			}
-			currentUserAgents = append(currentUserAgents, value)

 		case "disallow":
-			if len(currentUserAgents) > 0 && value != "" {
-				currentDisallows = append(currentDisallows, value)
+			if currentRule != nil && value != "" {
+				currentRule.Disallows = append(currentRule.Disallows, value)
 			}

 		case "allow":
-			if len(currentUserAgents) > 0 && value != "" {
-				currentAllows = append(currentAllows, value)
+			if currentRule != nil && value != "" {
+				currentRule.Allows = append(currentRule.Allows, value)
 			}

 		case "crawl-delay":
-			if len(currentUserAgents) > 0 {
+			if currentRule != nil {
 				if delay, err := parseIntSafe(value); err == nil {
-					currentCrawlDelay = delay
+					currentRule.CrawlDelay = delay
 				}
 			}
 		}
 	}

-	// Don't forget the last group of rules
-	if len(currentUserAgents) > 0 {
-		rule := createRuleFromAccumulated(currentUserAgents, currentDisallows, currentAllows, currentCrawlDelay)
-		rules = append(rules, rule)
+	// Don't forget the last rule
+	if currentRule != nil {
+		rules = append(rules, *currentRule)
 	}

 	// Mark blacklisted user agents (those with "Disallow: /")
@@ -231,11 +211,10 @@ func convertToAnubisRules(robotsRules []RobotsRule) []AnubisRule {
 	var anubisRules []AnubisRule
 	ruleCounter := 0

-	// Process each robots rule individually
 	for _, robotsRule := range robotsRules {
-		userAgents := robotsRule.UserAgents
+		userAgent := robotsRule.UserAgent

-		// Handle crawl delay
+		// Handle crawl delay as weight adjustment (do this first before any continues)
 		if robotsRule.CrawlDelay > 0 && *crawlDelay > 0 {
 			ruleCounter++
 			rule := AnubisRule{
@@ -244,32 +223,20 @@ func convertToAnubisRules(robotsRules []RobotsRule) []AnubisRule {
 				Weight: &config.Weight{Adjust: *crawlDelay},
 			}

-			if len(userAgents) == 1 && userAgents[0] == "*" {
+			if userAgent == "*" {
 				rule.Expression = &config.ExpressionOrList{
 					All: []string{"true"}, // Always applies
 				}
-			} else if len(userAgents) == 1 {
-				rule.Expression = &config.ExpressionOrList{
-					All: []string{fmt.Sprintf("userAgent.contains(%q)", userAgents[0])},
-				}
 			} else {
-				// Multiple user agents - use any block
-				var expressions []string
-				for _, ua := range userAgents {
-					if ua == "*" {
-						expressions = append(expressions, "true")
-					} else {
-						expressions = append(expressions, fmt.Sprintf("userAgent.contains(%q)", ua))
-					}
-				}
 				rule.Expression = &config.ExpressionOrList{
-					Any: expressions,
+					All: []string{fmt.Sprintf("userAgent.contains(%q)", userAgent)},
 				}
 			}
+
 			anubisRules = append(anubisRules, rule)
 		}

-		// Handle blacklisted user agents
+		// Handle blacklisted user agents (complete deny/challenge)
 		if robotsRule.IsBlacklist {
 			ruleCounter++
 			rule := AnubisRule{
@@ -277,8 +244,6 @@ func convertToAnubisRules(robotsRules []RobotsRule) []AnubisRule {
 				Action: *userAgentDeny,
 			}

-			if len(userAgents) == 1 {
-				userAgent := userAgents[0]
 			if userAgent == "*" {
 				// This would block everything - convert to a weight adjustment instead
 				rule.Name = fmt.Sprintf("%s-global-restriction-%d", *policyName, ruleCounter)
@@ -292,21 +257,8 @@ func convertToAnubisRules(robotsRules []RobotsRule) []AnubisRule {
 					All: []string{fmt.Sprintf("userAgent.contains(%q)", userAgent)},
 				}
 			}
-			} else {
-				// Multiple user agents - use any block
-				var expressions []string
-				for _, ua := range userAgents {
-					if ua == "*" {
-						expressions = append(expressions, "true")
-					} else {
-						expressions = append(expressions, fmt.Sprintf("userAgent.contains(%q)", ua))
-					}
-				}
-				rule.Expression = &config.ExpressionOrList{
-					Any: expressions,
-				}
-			}
 			anubisRules = append(anubisRules, rule)
+			continue
 		}

 		// Handle specific disallow rules
@@ -324,33 +276,9 @@ func convertToAnubisRules(robotsRules []RobotsRule) []AnubisRule {
 			// Build CEL expression
 			var conditions []string

-			// Add user agent conditions
-			if len(userAgents) == 1 && userAgents[0] == "*" {
-				// Wildcard user agent - no user agent condition needed
-			} else if len(userAgents) == 1 {
-				conditions = append(conditions, fmt.Sprintf("userAgent.contains(%q)", userAgents[0]))
-			} else {
-				// For multiple user agents, we need to use a more complex expression
-				// This is a limitation - we can't easily combine any for user agents with all for path
-				// So we'll create separate rules for each user agent
-				for _, ua := range userAgents {
-					if ua == "*" {
-						continue // Skip wildcard as it's handled separately
-					}
-					ruleCounter++
-					subRule := AnubisRule{
-						Name:   fmt.Sprintf("%s-disallow-%d", *policyName, ruleCounter),
-						Action: *baseAction,
-						Expression: &config.ExpressionOrList{
-							All: []string{
-								fmt.Sprintf("userAgent.contains(%q)", ua),
-								buildPathCondition(disallow),
-							},
-						},
-					}
-					anubisRules = append(anubisRules, subRule)
-				}
-				continue
+			// Add user agent condition if not wildcard
+			if userAgent != "*" {
+				conditions = append(conditions, fmt.Sprintf("userAgent.contains(%q)", userAgent))
 			}

 			// Add path condition
@@ -363,6 +291,7 @@ func convertToAnubisRules(robotsRules []RobotsRule) []AnubisRule {

 			anubisRules = append(anubisRules, rule)
 		}
+
 	}

 	return anubisRules
@@ -78,12 +78,6 @@ func TestDataFileConversion(t *testing.T) {
 			expectedFile: "complex.yaml",
 			options:      TestOptions{format: "yaml", crawlDelayWeight: 5},
 		},
-		{
-			name:         "consecutive_user_agents",
-			robotsFile:   "consecutive.robots.txt",
-			expectedFile: "consecutive.yaml",
-			options:      TestOptions{format: "yaml", crawlDelayWeight: 3},
-		},
 	}

 	for _, tc := range testCases {
@@ -1,25 +0,0 @@
-# Test consecutive user agents that should be grouped into any: blocks
-User-agent: *
-Disallow: /admin
-Crawl-delay: 10
-
-# Multiple consecutive user agents - should be grouped
-User-agent: BadBot
-User-agent: SpamBot
-User-agent: EvilBot
-Disallow: /
-
-# Single user agent - should be separate
-User-agent: GoodBot
-Disallow: /private
-
-# Multiple consecutive user agents with crawl delay
-User-agent: SlowBot1
-User-agent: SlowBot2
-Crawl-delay: 5
-
-# Multiple consecutive user agents with specific path
-User-agent: SearchBot1
-User-agent: SearchBot2
-User-agent: SearchBot3
-Disallow: /search 
@@ -1,47 +0,0 @@
- action: WEIGH
-  expression: "true"
-  name: robots-txt-policy-crawl-delay-1
-  weight:
-    adjust: 3
- action: CHALLENGE
-  expression: path.startsWith("/admin")
-  name: robots-txt-policy-disallow-2
- action: DENY
-  expression:
-    any:
-    - userAgent.contains("BadBot")
-    - userAgent.contains("SpamBot")
-    - userAgent.contains("EvilBot")
-  name: robots-txt-policy-blacklist-3
- action: CHALLENGE
-  expression:
-    all:
-    - userAgent.contains("GoodBot")
-    - path.startsWith("/private")
-  name: robots-txt-policy-disallow-4
- action: WEIGH
-  expression:
-    any:
-    - userAgent.contains("SlowBot1")
-    - userAgent.contains("SlowBot2")
-  name: robots-txt-policy-crawl-delay-5
-  weight:
-    adjust: 3
- action: CHALLENGE
-  expression:
-    all:
-    - userAgent.contains("SearchBot1")
-    - path.startsWith("/search")
-  name: robots-txt-policy-disallow-7
- action: CHALLENGE
-  expression:
-    all:
-    - userAgent.contains("SearchBot2")
-    - path.startsWith("/search")
-  name: robots-txt-policy-disallow-8
- action: CHALLENGE
-  expression:
-    all:
-    - userAgent.contains("SearchBot3")
-    - path.startsWith("/search")
-  name: robots-txt-policy-disallow-9
@@ -1,12 +1,12 @@
 [
  {
+    "action": "CHALLENGE",
    "expression": "path.startsWith(\"/admin/\")",
-    "name": "robots-txt-policy-disallow-1",
-    "action": "CHALLENGE"
+    "name": "robots-txt-policy-disallow-1"
  },
  {
+    "action": "CHALLENGE",
    "expression": "path.startsWith(\"/private\")",
-    "name": "robots-txt-policy-disallow-2",
-    "action": "CHALLENGE"
+    "name": "robots-txt-policy-disallow-2"
  }
 ]
@@ -3,6 +3,6 @@ package data
 import "embed"

 var (
-	//go:embed botPolicies.yaml all:apps all:bots all:clients all:common all:crawlers all:meta all:services
+	//go:embed botPolicies.yaml all:apps all:bots all:clients all:common all:crawlers all:meta
 	BotPolicies embed.FS
 )
@@ -11,16 +11,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

 ## [Unreleased]

-<!-- This changes the project to: -->
-
 - Document missing environment variables in installation guide: `SLOG_LEVEL`, `COOKIE_PREFIX`, `FORCED_LANGUAGE`, and `TARGET_DISABLE_KEEPALIVE` ([#1086](https://github.com/TecharoHQ/anubis/pull/1086))
- Fixed `robots2policy` to properly group consecutive user agents into `any:` instead of only processing the last one ([#925](https://github.com/TecharoHQ/anubis/pull/925))
- Add the [`s3api` storage backend](./admin/policies.mdx#s3api) to allow Anubis to use S3 API compatible object storage as its storage backend.
- Add the `services` folder to the embedded data filesystem.

-### Bug Fixes
-
-Sometimes the enhanced temporal assurance in [#1038](https://github.com/TecharoHQ/anubis/pull/1038) and [#1068](https://github.com/TecharoHQ/anubis/pull/1068) could backfire because Chromium and its ilk randomize the amount of time they wait in order to avoid a timing side channel attack. This has been fixed by both increasing the amount of time a client has to wait for the metarefresh and preact challenges as well as making the server side logic more permissive.
+<!-- This changes the project to: -->

 ## v1.22.0: Yda Hext

@@ -196,83 +196,6 @@ store:
    path: /data/anubis.bdb
 ```

-### `s3api`
-
-A network-backed storage layer backed by [object storage](https://en.wikipedia.org/wiki/Object_storage), specifically using the [S3 API](https://docs.aws.amazon.com/AmazonS3/latest/API/Type_API_Reference.html). This can be backed by any S3-compatible object storage service such as:
-
- [AWS S3](https://aws.amazon.com/s3/)
- [Cloudflare R2](https://www.cloudflare.com/developer-platform/products/r2/)
- [Hetzner Object Storage](https://www.hetzner.com/storage/object-storage/)
- [Minio](https://www.min.io/)
- [Tigris](https://www.tigrisdata.com/)
-
-If you are using a cloud platform, they likely provide an S3 compatible object storage service. If not, you may want to choose [one of the fastest options](https://www.tigrisdata.com/blog/benchmark-small-objects/).
-
-| Should I use this backend?                                    | Yes/no |
-| :------------------------------------------------------------ | :----- |
-| Are you running only one instance of Anubis for this service? | 🚫 No  |
-| Does your service get a lot of traffic?                       | ✅ Yes |
-| Do you want to store data persistently when Anubis restarts?  | ✅ Yes |
-| Do you run Anubis without mutable filesystem storage?         | ✅ Yes |
-
-:::note
-
-Using this backend will cause a lot of S3 operations, at least one for creating challenges, one for invalidating challenges, one for updating challenges to prevent double-spends, and one for removing challenges.
-
-:::
-
-#### Configuration
-
-The `s3api` backend takes the following configuration options:
-
-| Name         | Type    | Example                                                              | Description                                                                                                                                 |
-| :----------- | :------ | :------------------------------------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------ |
-| `bucketName` | string  | The name of the dedicated bucket for Anubis to store information in. |
-| `pathStyle`  | boolean | `false`                                                              | If true, use path-style S3 API operations. Please consult your storage provider's documentation if you don't know what you should put here. |
-
-:::note
-
-You should probably enable a lifecycle expiration rule for buckets containing Anubis data. Here is an example policy:
-
-```json
-{
-  "Rules": [
-    {
-      "Status": "Enabled",
-      "Expiration": {
-        "Days": 7
-      }
-    }
-  ]
-}
-```
-
-Adjust this as facts and circumstances demand, but 7 days should be enough for anyone.
-
-:::
-
-Example:
-
-Assuming your environment looks like this:
-
-```sh
-# All of the following are fake credentials that look like real ones.
-AWS_ACCESS_KEY_ID=accordingToAllKnownRulesOfAviation
-AWS_SECRET_ACCESS_KEY=thereIsNoWayABeeShouldBeAbleToFly
-AWS_REGION=yow
-AWS_ENDPOINT_URL_S3=https://yow.s3.probably-not-malware.lol
-```
-
-Then your configuration would look like this:
-
-```yaml
-store:
-  backend: s3api
-  parameters:
-    bucketName: techaro-prod-anubis
-    pathStyle: false
-```
-
 ### `valkey`

 [Valkey](https://valkey.io/) is an in-memory key/value store that clients access over the network. This allows multiple instances of Anubis to share information and does not require each instance of Anubis to have persistent filesystem storage.
@@ -5,9 +5,6 @@ go 1.24.2
 require (
 	github.com/TecharoHQ/thoth-proto v0.4.0
 	github.com/a-h/templ v0.3.924
-	github.com/aws/aws-sdk-go-v2 v1.38.3
-	github.com/aws/aws-sdk-go-v2/config v1.31.6
-	github.com/aws/aws-sdk-go-v2/service/s3 v1.87.3
 	github.com/cespare/xxhash/v2 v2.3.0
 	github.com/facebookgo/flagenv v0.0.0-20160425205200-fcd59fca7456
 	github.com/gaissmai/bart v0.23.0
@@ -52,21 +49,6 @@ require (
 	github.com/a-h/parse v0.0.0-20250122154542-74294addb73e // indirect
 	github.com/andybalholm/brotli v1.2.0 // indirect
 	github.com/antlr4-go/antlr/v4 v4.13.1 // indirect
-	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.1 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.18.10 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.6 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.6 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.6 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.8.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.29.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.34.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.38.2 // indirect
-	github.com/aws/smithy-go v1.23.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb // indirect
 	github.com/cavaliergopher/cpio v1.0.1 // indirect
@@ -51,42 +51,6 @@ github.com/antlr4-go/antlr/v4 v4.13.1 h1:SqQKkuVZ+zWkMMNkjy5FZe5mr5WURWnlpmOuzYW
 github.com/antlr4-go/antlr/v4 v4.13.1/go.mod h1:GKmUxMtwp6ZgGwZSva4eWPC5mS6vUAmOABFgjdkM7Nw=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
-github.com/aws/aws-sdk-go-v2 v1.38.3 h1:B6cV4oxnMs45fql4yRH+/Po/YU+597zgWqvDpYMturk=
-github.com/aws/aws-sdk-go-v2 v1.38.3/go.mod h1:sDioUELIUO9Znk23YVmIk86/9DOpkbyyVb1i/gUNFXY=
-github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.1 h1:i8p8P4diljCr60PpJp6qZXNlgX4m2yQFpYk+9ZT+J4E=
-github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.1/go.mod h1:ddqbooRZYNoJ2dsTwOty16rM+/Aqmk/GOXrK8cg7V00=
-github.com/aws/aws-sdk-go-v2/config v1.31.6 h1:a1t8fXY4GT4xjyJExz4knbuoxSCacB5hT/WgtfPyLjo=
-github.com/aws/aws-sdk-go-v2/config v1.31.6/go.mod h1:5ByscNi7R+ztvOGzeUaIu49vkMk2soq5NaH5PYe33MQ=
-github.com/aws/aws-sdk-go-v2/credentials v1.18.10 h1:xdJnXCouCx8Y0NncgoptztUocIYLKeQxrCgN6x9sdhg=
-github.com/aws/aws-sdk-go-v2/credentials v1.18.10/go.mod h1:7tQk08ntj914F/5i9jC4+2HQTAuJirq7m1vZVIhEkWs=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.6 h1:wbjnrrMnKew78/juW7I2BtKQwa1qlf6EjQgS69uYY14=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.6/go.mod h1:AtiqqNrDioJXuUgz3+3T0mBWN7Hro2n9wll2zRUc0ww=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.6 h1:uF68eJA6+S9iVr9WgX1NaRGyQ/6MdIyc4JNUo6TN1FA=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.6/go.mod h1:qlPeVZCGPiobx8wb1ft0GHT5l+dc6ldnwInDFaMvC7Y=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.6 h1:pa1DEC6JoI0zduhZePp3zmhWvk/xxm4NB8Hy/Tlsgos=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.6/go.mod h1:gxEjPebnhWGJoaDdtDkA0JX46VRg1wcTHYe63OfX5pE=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.6 h1:R0tNFJqfjHL3900cqhXuwQ+1K4G0xc9Yf8EDbFXCKEw=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.6/go.mod h1:y/7sDdu+aJvPtGXr4xYosdpq9a6T9Z0jkXfugmti0rI=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1 h1:oegbebPEMA/1Jny7kvwejowCaHz1FWZAQ94WXFNCyTM=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1/go.mod h1:kemo5Myr9ac0U9JfSjMo9yHLtw+pECEHsFtJ9tqCEI8=
-github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.8.6 h1:hncKj/4gR+TPauZgTAsxOxNcvBayhUlYZ6LO/BYiQ30=
-github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.8.6/go.mod h1:OiIh45tp6HdJDDJGnja0mw8ihQGz3VGrUflLqSL0SmM=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.6 h1:LHS1YAIJXJ4K9zS+1d/xa9JAA9sL2QyXIQCQFQW/X08=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.6/go.mod h1:c9PCiTEuh0wQID5/KqA32J+HAgZxN9tOGXKCiYJjTZI=
-github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.6 h1:nEXUSAwyUfLTgnc9cxlDWy637qsq4UWwp3sNAfl0Z3Y=
-github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.6/go.mod h1:HGzIULx4Ge3Do2V0FaiYKcyKzOqwrhUZgCI77NisswQ=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.87.3 h1:ETkfWcXP2KNPLecaDa++5bsQhCRa5M5sLUJa5DWYIIg=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.87.3/go.mod h1:+/3ZTqoYb3Ur7DObD00tarKMLMuKg8iqz5CHEanqTnw=
-github.com/aws/aws-sdk-go-v2/service/sso v1.29.1 h1:8OLZnVJPvjnrxEwHFg9hVUof/P4sibH+Ea4KKuqAGSg=
-github.com/aws/aws-sdk-go-v2/service/sso v1.29.1/go.mod h1:27M3BpVi0C02UiQh1w9nsBEit6pLhlaH3NHna6WUbDE=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.34.2 h1:gKWSTnqudpo8dAxqBqZnDoDWCiEh/40FziUjr/mo6uA=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.34.2/go.mod h1:x7+rkNmRoEN1U13A6JE2fXne9EWyJy54o3n6d4mGaXQ=
-github.com/aws/aws-sdk-go-v2/service/sts v1.38.2 h1:YZPjhyaGzhDQEvsffDEcpycq49nl7fiGcfJTIo8BszI=
-github.com/aws/aws-sdk-go-v2/service/sts v1.38.2/go.mod h1:2dIN8qhQfv37BdUYGgEC8Q3tteM3zFxTI1MLO2O3J3c=
-github.com/aws/smithy-go v1.23.0 h1:8n6I3gXzWJB2DxBDnfxgBaSX6oe0d/t10qGz7OKqMCE=
-github.com/aws/smithy-go v1.23.0/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb h1:m935MPodAbYS46DG4pJSv7WO+VECIWUQ7OJYSoTrMh4=
@@ -43,7 +43,7 @@ func (i *Impl) Issue(r *http.Request, lg *slog.Logger, in *challenge.IssueInput)
 }

 func (i *Impl) Validate(r *http.Request, lg *slog.Logger, in *challenge.ValidateInput) error {
-	wantTime := in.Challenge.IssuedAt.Add(time.Duration(in.Rule.Challenge.Difficulty) * 800 * time.Millisecond)
+	wantTime := in.Challenge.IssuedAt.Add(time.Duration(in.Rule.Challenge.Difficulty) * 950 * time.Millisecond)

 	if time.Now().Before(wantTime) {
 		return challenge.NewError("validate", "insufficent time", fmt.Errorf("%w: wanted user to wait until at least %s", challenge.ErrFailed, wantTime.Format(time.RFC3339)))
@@ -13,6 +13,6 @@ templ page(redir string, difficulty int, loc *localization.SimpleLocalizer) {
 		<img style="display:none;" style="width:100%;max-width:256px;" src={ anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/happy.webp?cacheBuster=" + anubis.Version }/>
 		<p id="status">{ loc.T("loading") }</p>
 		<p>{ loc.T("connection_security") }</p>
-		<meta http-equiv="refresh" content={ fmt.Sprintf("%d; url=%s", difficulty+1, redir) }/>
+		<meta http-equiv="refresh" content={ fmt.Sprintf("%d; url=%s", difficulty, redir) }/>
 	</div>
 }
@@ -32,7 +32,7 @@ const App = () => {
  useEffect(() => {
    const timer = setTimeout(() => {
      setPassed(true);
-    }, state.difficulty * 125);
+    }, state.difficulty * 100);

    return () => clearTimeout(timer);
  }, [challenge]);
@@ -57,7 +57,7 @@ func (i *impl) Issue(r *http.Request, lg *slog.Logger, in *challenge.IssueInput)
 }

 func (i *impl) Validate(r *http.Request, lg *slog.Logger, in *challenge.ValidateInput) error {
-	wantTime := in.Challenge.IssuedAt.Add(time.Duration(in.Rule.Challenge.Difficulty) * 80 * time.Millisecond)
+	wantTime := in.Challenge.IssuedAt.Add(time.Duration(in.Rule.Challenge.Difficulty) * 95 * time.Millisecond)

 	if time.Now().Before(wantTime) {
 		return challenge.NewError("validate", "insufficent time", fmt.Errorf("%w: wanted user to wait until at least %s", challenge.ErrFailed, wantTime.Format(time.RFC3339)))
@@ -6,6 +6,5 @@ package all
 import (
 	_ "github.com/TecharoHQ/anubis/lib/store/bbolt"
 	_ "github.com/TecharoHQ/anubis/lib/store/memory"
-	_ "github.com/TecharoHQ/anubis/lib/store/s3api"
 	_ "github.com/TecharoHQ/anubis/lib/store/valkey"
 )
@@ -1,107 +0,0 @@
-package s3api
-
-import (
-	"context"
-	"encoding/json"
-	"errors"
-	"fmt"
-
-	"github.com/TecharoHQ/anubis/lib/store"
-	awsConfig "github.com/aws/aws-sdk-go-v2/config"
-	"github.com/aws/aws-sdk-go-v2/service/s3"
-)
-
-var (
-	ErrNoRegion          = errors.New("s3api.Config: no region env var name defined")
-	ErrNoAccessKeyID     = errors.New("s3api.Config: no access key id env var name defined")
-	ErrNoSecretAccessKey = errors.New("s3api.Config: no secret access key env var name defined")
-	ErrNoBucketName      = errors.New("s3api.Config: no bucket name env var name defined")
-)
-
-func init() {
-	store.Register("s3api", Factory{})
-}
-
-// S3API is the subset of the AWS S3 client used by this store. It enables mocking in tests.
-type S3API interface {
-	PutObject(ctx context.Context, params *s3.PutObjectInput, optFns ...func(*s3.Options)) (*s3.PutObjectOutput, error)
-	GetObject(ctx context.Context, params *s3.GetObjectInput, optFns ...func(*s3.Options)) (*s3.GetObjectOutput, error)
-	DeleteObject(ctx context.Context, params *s3.DeleteObjectInput, optFns ...func(*s3.Options)) (*s3.DeleteObjectOutput, error)
-	HeadObject(ctx context.Context, params *s3.HeadObjectInput, optFns ...func(*s3.Options)) (*s3.HeadObjectOutput, error)
-}
-
-// Factory builds an S3-backed store. Tests can inject a Mock via Client.
-// Factory can optionally carry a preconstructed S3 client (e.g., a mock in tests).
-type Factory struct {
-	Client S3API
-}
-
-func (f Factory) Build(ctx context.Context, data json.RawMessage) (store.Interface, error) {
-	var config Config
-
-	if err := json.Unmarshal([]byte(data), &config); err != nil {
-		return nil, fmt.Errorf("%w: %w", store.ErrBadConfig, err)
-	}
-
-	if err := config.Valid(); err != nil {
-		return nil, fmt.Errorf("%w: %w", store.ErrBadConfig, err)
-	}
-
-	if config.BucketName == "" {
-		return nil, fmt.Errorf("%w: %s", store.ErrBadConfig, ErrNoBucketName)
-	}
-
-	// If a client was injected (e.g., tests), use it directly.
-	if f.Client != nil {
-		return &Store{
-			s3:     f.Client,
-			bucket: config.BucketName,
-		}, nil
-	}
-
-	cfg, err := awsConfig.LoadDefaultConfig(ctx)
-	if err != nil {
-		return nil, fmt.Errorf("can't load AWS config from environment: %w", err)
-	}
-
-	client := s3.NewFromConfig(cfg, func(o *s3.Options) {
-		o.UsePathStyle = config.PathStyle
-	})
-
-	return &Store{
-		s3:     client,
-		bucket: config.BucketName,
-	}, nil
-}
-
-func (Factory) Valid(data json.RawMessage) error {
-	var config Config
-	if err := json.Unmarshal([]byte(data), &config); err != nil {
-		return fmt.Errorf("%w: %w", store.ErrBadConfig, err)
-	}
-
-	if err := config.Valid(); err != nil {
-		return fmt.Errorf("%w: %w", store.ErrBadConfig, err)
-	}
-
-	return nil
-}
-
-type Config struct {
-	PathStyle  bool   `json:"pathStyle"`
-	BucketName string `json:"bucketName"`
-}
-
-func (c Config) Valid() error {
-	var errs []error
-
-	if c.BucketName == "" {
-		errs = append(errs, ErrNoBucketName)
-	}
-
-	if len(errs) != 0 {
-		return fmt.Errorf("s3api.Config: invalid config: %w", errors.Join(errs...))
-	}
-
-	return nil
-}
@@ -1,78 +0,0 @@
-package s3api
-
-import (
-	"bytes"
-	"context"
-	"fmt"
-	"io"
-	"strconv"
-	"strings"
-	"time"
-
-	"github.com/TecharoHQ/anubis/lib/store"
-	"github.com/aws/aws-sdk-go-v2/service/s3"
-)
-
-type Store struct {
-	s3     S3API
-	bucket string
-}
-
-func (s *Store) Delete(ctx context.Context, key string) error {
-	normKey := strings.ReplaceAll(key, ":", "/")
-	// Emulate not found by probing first.
-	if _, err := s.s3.HeadObject(ctx, &s3.HeadObjectInput{Bucket: &s.bucket, Key: &normKey}); err != nil {
-		return fmt.Errorf("%w: %w", store.ErrNotFound, err)
-	}
-	if _, err := s.s3.DeleteObject(ctx, &s3.DeleteObjectInput{Bucket: &s.bucket, Key: &normKey}); err != nil {
-		return fmt.Errorf("can't delete from s3: %w", err)
-	}
-	return nil
-}
-
-func (s *Store) Get(ctx context.Context, key string) ([]byte, error) {
-	normKey := strings.ReplaceAll(key, ":", "/")
-	out, err := s.s3.GetObject(ctx, &s3.GetObjectInput{
-		Bucket: &s.bucket,
-		Key:    &normKey,
-	})
-	if err != nil {
-		return nil, fmt.Errorf("%w: %w", store.ErrNotFound, err)
-	}
-	defer out.Body.Close()
-	if msStr, ok := out.Metadata["x-anubis-expiry-ms"]; ok && msStr != "" {
-		if ms, err := strconv.ParseInt(msStr, 10, 64); err == nil {
-			if time.Now().UnixMilli() >= ms {
-				_, _ = s.s3.DeleteObject(ctx, &s3.DeleteObjectInput{Bucket: &s.bucket, Key: &normKey})
-				return nil, store.ErrNotFound
-			}
-		}
-	}
-	b, err := io.ReadAll(out.Body)
-	if err != nil {
-		return nil, fmt.Errorf("can't read s3 object: %w", err)
-	}
-	return b, nil
-}
-
-func (s *Store) Set(ctx context.Context, key string, value []byte, expiry time.Duration) error {
-	normKey := strings.ReplaceAll(key, ":", "/")
-	// S3 has no native TTL; we store object with metadata X-Anubis-Expiry as epoch seconds.
-	var meta map[string]string
-	if expiry > 0 {
-		exp := time.Now().Add(expiry).UnixMilli()
-		meta = map[string]string{"x-anubis-expiry-ms": fmt.Sprintf("%d", exp)}
-	}
-	_, err := s.s3.PutObject(ctx, &s3.PutObjectInput{
-		Bucket:   &s.bucket,
-		Key:      &normKey,
-		Body:     bytes.NewReader(value),
-		Metadata: meta,
-	})
-	if err != nil {
-		return fmt.Errorf("can't put s3 object: %w", err)
-	}
-	return nil
-}
-
-func (Store) IsPersistent() bool { return true }
@@ -1,140 +0,0 @@
-package s3api
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"fmt"
-	"io"
-	"sync"
-	"testing"
-	"time"
-
-	"github.com/TecharoHQ/anubis/lib/store/storetest"
-	"github.com/aws/aws-sdk-go-v2/aws"
-	"github.com/aws/aws-sdk-go-v2/service/s3"
-)
-
-// mockS3 is an in-memory mock of the methods we use.
-type mockS3 struct {
-	mu     sync.RWMutex
-	bucket string
-	data   map[string][]byte
-	meta   map[string]map[string]string
-}
-
-func (m *mockS3) PutObject(ctx context.Context, in *s3.PutObjectInput, _ ...func(*s3.Options)) (*s3.PutObjectOutput, error) {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-	if m.data == nil {
-		m.data = map[string][]byte{}
-	}
-	if m.meta == nil {
-		m.meta = map[string]map[string]string{}
-	}
-	b, _ := io.ReadAll(in.Body)
-	m.data[aws.ToString(in.Key)] = bytes.Clone(b)
-	if in.Metadata != nil {
-		m.meta[aws.ToString(in.Key)] = map[string]string{}
-		for k, v := range in.Metadata {
-			m.meta[aws.ToString(in.Key)][k] = v
-		}
-	}
-	m.bucket = aws.ToString(in.Bucket)
-	return &s3.PutObjectOutput{}, nil
-}
-
-func (m *mockS3) GetObject(ctx context.Context, in *s3.GetObjectInput, _ ...func(*s3.Options)) (*s3.GetObjectOutput, error) {
-	m.mu.RLock()
-	defer m.mu.RUnlock()
-	b, ok := m.data[aws.ToString(in.Key)]
-	if !ok {
-		return nil, fmt.Errorf("not found")
-	}
-	out := &s3.GetObjectOutput{Body: io.NopCloser(bytes.NewReader(b))}
-	if md, ok := m.meta[aws.ToString(in.Key)]; ok {
-		out.Metadata = md
-	}
-	return out, nil
-}
-
-func (m *mockS3) DeleteObject(ctx context.Context, in *s3.DeleteObjectInput, _ ...func(*s3.Options)) (*s3.DeleteObjectOutput, error) {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-	delete(m.data, aws.ToString(in.Key))
-	delete(m.meta, aws.ToString(in.Key))
-	return &s3.DeleteObjectOutput{}, nil
-}
-
-func (m *mockS3) HeadObject(ctx context.Context, in *s3.HeadObjectInput, _ ...func(*s3.Options)) (*s3.HeadObjectOutput, error) {
-	m.mu.RLock()
-	defer m.mu.RUnlock()
-	if _, ok := m.data[aws.ToString(in.Key)]; !ok {
-		return nil, fmt.Errorf("not found")
-	}
-	return &s3.HeadObjectOutput{}, nil
-}
-
-func TestImpl(t *testing.T) {
-	mock := &mockS3{}
-	f := Factory{Client: mock}
-
-	data, _ := json.Marshal(Config{
-		BucketName: "bucket",
-	})
-
-	storetest.Common(t, f, json.RawMessage(data))
-}
-
-func TestKeyNormalization(t *testing.T) {
-	mock := &mockS3{}
-	f := Factory{Client: mock}
-
-	data, _ := json.Marshal(Config{
-		BucketName: "anubis",
-	})
-
-	s, err := f.Build(t.Context(), json.RawMessage(data))
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	key := "a:b:c"
-	val := []byte("value")
-	if err := s.Set(t.Context(), key, val, 0); err != nil {
-		t.Fatalf("Set failed: %v", err)
-	}
-	// Ensure mock saw normalized key
-	mock.mu.RLock()
-	_, hasRaw := mock.data["a:b:c"]
-	got, hasNorm := mock.data["a/b/c"]
-	mock.mu.RUnlock()
-	if hasRaw {
-		t.Fatalf("mock contains raw key with colon; normalization failed")
-	}
-	if !hasNorm || !bytes.Equal(got, val) {
-		t.Fatalf("normalized key missing or wrong value: got=%q", string(got))
-	}
-
-	// Get using colon key should work
-	out, err := s.Get(t.Context(), key)
-	if err != nil {
-		t.Fatalf("Get failed: %v", err)
-	}
-	if !bytes.Equal(out, val) {
-		t.Fatalf("Get returned wrong value: got=%q", string(out))
-	}
-
-	// Delete using colon key should delete normalized object
-	if err := s.Delete(t.Context(), key); err != nil {
-		t.Fatalf("Delete failed: %v", err)
-	}
-	// Give any async cleanup in tests a tick (not needed for mock, but harmless)
-	time.Sleep(1 * time.Millisecond)
-	mock.mu.RLock()
-	_, exists := mock.data["a/b/c"]
-	mock.mu.RUnlock()
-	if exists {
-		t.Fatalf("normalized key still exists after Delete")
-	}
-}
@@ -5,7 +5,7 @@ go 1.24.5
 replace github.com/TecharoHQ/anubis => ..

 require (
-	github.com/TecharoHQ/anubis v1.22.0
+	github.com/TecharoHQ/anubis v1.21.3
 	github.com/docker/docker v28.3.2+incompatible
 	github.com/facebookgo/flagenv v0.0.0-20160425205200-fcd59fca7456
 	github.com/google/uuid v1.6.0
@@ -18,24 +18,6 @@ require (
 	github.com/TecharoHQ/thoth-proto v0.4.0 // indirect
 	github.com/a-h/templ v0.3.924 // indirect
 	github.com/antlr4-go/antlr/v4 v4.13.1 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.38.3 // indirect
-	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.1 // indirect
-	github.com/aws/aws-sdk-go-v2/config v1.31.6 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.18.10 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.6 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.6 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.6 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.8.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/s3 v1.87.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.29.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.34.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.38.2 // indirect
-	github.com/aws/smithy-go v1.23.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/containerd/errdefs v1.0.0 // indirect
@@ -16,42 +16,6 @@ github.com/a-h/templ v0.3.924 h1:t5gZqTneXqvehpNZsgtnlOscnBboNh9aASBH2MgV/0k=
 github.com/a-h/templ v0.3.924/go.mod h1:FFAu4dI//ESmEN7PQkJ7E7QfnSEMdcnu7QrAY8Dn334=
 github.com/antlr4-go/antlr/v4 v4.13.1 h1:SqQKkuVZ+zWkMMNkjy5FZe5mr5WURWnlpmOuzYWrPrQ=
 github.com/antlr4-go/antlr/v4 v4.13.1/go.mod h1:GKmUxMtwp6ZgGwZSva4eWPC5mS6vUAmOABFgjdkM7Nw=
-github.com/aws/aws-sdk-go-v2 v1.38.3 h1:B6cV4oxnMs45fql4yRH+/Po/YU+597zgWqvDpYMturk=
-github.com/aws/aws-sdk-go-v2 v1.38.3/go.mod h1:sDioUELIUO9Znk23YVmIk86/9DOpkbyyVb1i/gUNFXY=
-github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.1 h1:i8p8P4diljCr60PpJp6qZXNlgX4m2yQFpYk+9ZT+J4E=
-github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.1/go.mod h1:ddqbooRZYNoJ2dsTwOty16rM+/Aqmk/GOXrK8cg7V00=
-github.com/aws/aws-sdk-go-v2/config v1.31.6 h1:a1t8fXY4GT4xjyJExz4knbuoxSCacB5hT/WgtfPyLjo=
-github.com/aws/aws-sdk-go-v2/config v1.31.6/go.mod h1:5ByscNi7R+ztvOGzeUaIu49vkMk2soq5NaH5PYe33MQ=
-github.com/aws/aws-sdk-go-v2/credentials v1.18.10 h1:xdJnXCouCx8Y0NncgoptztUocIYLKeQxrCgN6x9sdhg=
-github.com/aws/aws-sdk-go-v2/credentials v1.18.10/go.mod h1:7tQk08ntj914F/5i9jC4+2HQTAuJirq7m1vZVIhEkWs=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.6 h1:wbjnrrMnKew78/juW7I2BtKQwa1qlf6EjQgS69uYY14=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.6/go.mod h1:AtiqqNrDioJXuUgz3+3T0mBWN7Hro2n9wll2zRUc0ww=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.6 h1:uF68eJA6+S9iVr9WgX1NaRGyQ/6MdIyc4JNUo6TN1FA=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.6/go.mod h1:qlPeVZCGPiobx8wb1ft0GHT5l+dc6ldnwInDFaMvC7Y=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.6 h1:pa1DEC6JoI0zduhZePp3zmhWvk/xxm4NB8Hy/Tlsgos=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.6/go.mod h1:gxEjPebnhWGJoaDdtDkA0JX46VRg1wcTHYe63OfX5pE=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.6 h1:R0tNFJqfjHL3900cqhXuwQ+1K4G0xc9Yf8EDbFXCKEw=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.6/go.mod h1:y/7sDdu+aJvPtGXr4xYosdpq9a6T9Z0jkXfugmti0rI=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1 h1:oegbebPEMA/1Jny7kvwejowCaHz1FWZAQ94WXFNCyTM=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1/go.mod h1:kemo5Myr9ac0U9JfSjMo9yHLtw+pECEHsFtJ9tqCEI8=
-github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.8.6 h1:hncKj/4gR+TPauZgTAsxOxNcvBayhUlYZ6LO/BYiQ30=
-github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.8.6/go.mod h1:OiIh45tp6HdJDDJGnja0mw8ihQGz3VGrUflLqSL0SmM=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.6 h1:LHS1YAIJXJ4K9zS+1d/xa9JAA9sL2QyXIQCQFQW/X08=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.6/go.mod h1:c9PCiTEuh0wQID5/KqA32J+HAgZxN9tOGXKCiYJjTZI=
-github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.6 h1:nEXUSAwyUfLTgnc9cxlDWy637qsq4UWwp3sNAfl0Z3Y=
-github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.6/go.mod h1:HGzIULx4Ge3Do2V0FaiYKcyKzOqwrhUZgCI77NisswQ=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.87.3 h1:ETkfWcXP2KNPLecaDa++5bsQhCRa5M5sLUJa5DWYIIg=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.87.3/go.mod h1:+/3ZTqoYb3Ur7DObD00tarKMLMuKg8iqz5CHEanqTnw=
-github.com/aws/aws-sdk-go-v2/service/sso v1.29.1 h1:8OLZnVJPvjnrxEwHFg9hVUof/P4sibH+Ea4KKuqAGSg=
-github.com/aws/aws-sdk-go-v2/service/sso v1.29.1/go.mod h1:27M3BpVi0C02UiQh1w9nsBEit6pLhlaH3NHna6WUbDE=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.34.2 h1:gKWSTnqudpo8dAxqBqZnDoDWCiEh/40FziUjr/mo6uA=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.34.2/go.mod h1:x7+rkNmRoEN1U13A6JE2fXne9EWyJy54o3n6d4mGaXQ=
-github.com/aws/aws-sdk-go-v2/service/sts v1.38.2 h1:YZPjhyaGzhDQEvsffDEcpycq49nl7fiGcfJTIo8BszI=
-github.com/aws/aws-sdk-go-v2/service/sts v1.38.2/go.mod h1:2dIN8qhQfv37BdUYGgEC8Q3tteM3zFxTI1MLO2O3J3c=
-github.com/aws/smithy-go v1.23.0 h1:8n6I3gXzWJB2DxBDnfxgBaSX6oe0d/t10qGz7OKqMCE=
-github.com/aws/smithy-go v1.23.0/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bsm/ginkgo/v2 v2.12.0 h1:Ny8MWAHyOepLGlLKYmXG4IEkioBysk6GpaRTLC8zwWs=