chore: release v1.21.1 (#887 )

Signed-off-by: Xe Iaso <me@xeiaso.net>
feat(localization): Add in Bokmål and Nynorsk translations (#855 )
2026-04-06 16:58:18 +00:00 · 2025-07-22 16:32:06 -04:00 · 2025-07-21 22:37:49 -04:00 · 2025-07-21 23:14:51 +00:00 · 2025-07-21 18:56:16 -04:00 · 2025-07-21 18:53:59 -04:00
60 changed files with 492 additions and 2528 deletions
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -21,9 +21,7 @@
        "golang.go",
        "unifiedjs.vscode-mdx",
        "a-h.templ",
-        "redhat.vscode-yaml",
-        "hashicorp.hcl",
-        "fredwangwang.vscode-hcl-format"
+        "redhat.vscode-yaml"
      ]
    }
  }
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,25 +0,0 @@
-.env
-*.deb
-*.rpm
-
-# Additional package locks
-pnpm-lock.yaml
-yarn.lock
-
-# Go binaries and test artifacts
-main
-*.test
-
-node_modules
-
-# MacOS
-.DS_store
-
-# Intellij
-.idea
-
-# how does this get here
-doc/VERSION
-
-web/static/js/*
-!web/static/js/.gitignore
--- a/.github/actions/spelling/expect.txt
+++ b/.github/actions/spelling/expect.txt
@@ -23,6 +23,7 @@ bitrate
 Bluesky
 blueskybot
 boi
+Bokm
 botnet
 botstopper
 BPort
--- a/.github/workflows/docker-pr.yml
+++ b/.github/workflows/docker-pr.yml
@@ -2,7 +2,7 @@ name: Docker image builds (pull requests)

 on:
  pull_request:
-    branches: ["main"]
+    branches: [ "main" ]

 env:
  DOCKER_METADATA_SET_OUTPUT_ENV: "true"
@@ -11,32 +11,7 @@ permissions:
  contents: read

 jobs:
-  buildx-bake:
-    runs-on: ubuntu-24.04
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-tags: true
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
-
-      - name: Build and push
-        id: build
-        uses: docker/bake-action@76f9fa3a758507623da19f6092dc4089a7e61592 # v6.6.0
-        with:
-          source: .
-          push: true
-          sbom: true
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-          set: |
-            osiris.tags=ttl.sh/techaro/pr-${{ github.event.number }}/osiris:24h
-
-  containerbuild:
+  build:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout code
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -17,38 +17,7 @@ permissions:
  pull-requests: write

 jobs:
-  buildx-bake:
-    runs-on: ubuntu-24.04
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-tags: true
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
-
-      - name: Log into registry
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Build and push
-        id: build
-        uses: docker/bake-action@76f9fa3a758507623da19f6092dc4089a7e61592 # v6.6.0
-        with:
-          source: .
-          push: true
-          sbom: true
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-          set: ""
-
-  containerbuild:
+  build:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout code
--- a/.vscode/extensions.json
+++ b/.vscode/extensions.json
@@ -5,8 +5,6 @@
    "golang.go",
    "unifiedjs.vscode-mdx",
    "a-h.templ",
-    "redhat.vscode-yaml",
-    "hashicorp.hcl",
-    "fredwangwang.vscode-hcl-format"
+    "redhat.vscode-yaml"
  ]
 }
--- a/2
+++ b/2
@@ -1 +1 @@
-1.21.0
+1.21.1
--- a/cmd/osiris/internal/config/bind.go
+++ b/cmd/osiris/internal/config/bind.go
@@ -1,39 +0,0 @@
-package config
-
-import (
-	"errors"
-	"fmt"
-	"net"
-)
-
-var (
-	ErrInvalidHostpost = errors.New("bind: invalid host:port")
-)
-
-type Bind struct {
-	HTTP    string `hcl:"http"`
-	HTTPS   string `hcl:"https"`
-	Metrics string `hcl:"metrics"`
-}
-
-func (b *Bind) Valid() error {
-	var errs []error
-
-	if _, _, err := net.SplitHostPort(b.HTTP); err != nil {
-		errs = append(errs, fmt.Errorf("%w %q: %w", ErrInvalidHostpost, b.HTTP, err))
-	}
-
-	if _, _, err := net.SplitHostPort(b.HTTPS); err != nil {
-		errs = append(errs, fmt.Errorf("%w %q: %w", ErrInvalidHostpost, b.HTTPS, err))
-	}
-
-	if _, _, err := net.SplitHostPort(b.Metrics); err != nil {
-		errs = append(errs, fmt.Errorf("%w %q: %w", ErrInvalidHostpost, b.Metrics, err))
-	}
-
-	if len(errs) != 0 {
-		return errors.Join(errs...)
-	}
-
-	return nil
-}
--- a/cmd/osiris/internal/config/bind_test.go
+++ b/cmd/osiris/internal/config/bind_test.go
@@ -1,55 +0,0 @@
-package config
-
-import (
-	"errors"
-	"net"
-	"testing"
-)
-
-func TestBindValid(t *testing.T) {
-	for _, tt := range []struct {
-		name         string
-		precondition func(t *testing.T)
-		bind         Bind
-		err          error
-	}{
-		{
-			name:         "basic",
-			precondition: nil,
-			bind: Bind{
-				HTTP:    ":8081",
-				HTTPS:   ":8082",
-				Metrics: ":8083",
-			},
-			err: nil,
-		},
-		{
-			name: "invalid ports",
-			precondition: func(t *testing.T) {
-				ln, err := net.Listen("tcp", ":8081")
-				if err != nil {
-					t.Fatal(err)
-				}
-				t.Cleanup(func() { ln.Close() })
-			},
-			bind: Bind{
-				HTTP:    "",
-				HTTPS:   "",
-				Metrics: "",
-			},
-			err: ErrInvalidHostpost,
-		},
-	} {
-		t.Run(tt.name, func(t *testing.T) {
-			if tt.precondition != nil {
-				tt.precondition(t)
-			}
-
-			if err := tt.bind.Valid(); !errors.Is(err, tt.err) {
-				t.Logf("want: %v", tt.err)
-				t.Logf("got:  %v", err)
-				t.Error("got wrong error from validation function")
-			}
-		})
-	}
-}
--- a/cmd/osiris/internal/config/config.go
+++ b/cmd/osiris/internal/config/config.go
@@ -1,31 +0,0 @@
-package config
-
-import (
-	"errors"
-	"fmt"
-)
-
-type Toplevel struct {
-	Bind    Bind     `hcl:"bind,block"`
-	Domains []Domain `hcl:"domain,block"`
-}
-
-func (t *Toplevel) Valid() error {
-	var errs []error
-
-	if err := t.Bind.Valid(); err != nil {
-		errs = append(errs, fmt.Errorf("invalid bind block:\n%w", err))
-	}
-
-	for _, d := range t.Domains {
-		if err := d.Valid(); err != nil {
-			errs = append(errs, fmt.Errorf("when parsing domain %s: %w", d.Name, err))
-		}
-	}
-
-	if len(errs) != 0 {
-		return fmt.Errorf("invalid configuration file:\n%w", errors.Join(errs...))
-	}
-
-	return nil
-}
--- a/cmd/osiris/internal/config/domain.go
+++ b/cmd/osiris/internal/config/domain.go
@@ -1,66 +0,0 @@
-package config
-
-import (
-	"errors"
-	"fmt"
-	"net/url"
-
-	"golang.org/x/net/idna"
-)
-
-var (
-	ErrInvalidDomainName      = errors.New("domain: name is invalid")
-	ErrInvalidDomainTLSConfig = errors.New("domain: TLS config is invalid")
-	ErrInvalidURL             = errors.New("invalid URL")
-	ErrInvalidURLScheme       = errors.New("URL has invalid scheme")
-)
-
-type Domain struct {
-	Name               string `hcl:"name,label"`
-	TLS                TLS    `hcl:"tls,block"`
-	Target             string `hcl:"target"`
-	InsecureSkipVerify bool   `hcl:"insecure_skip_verify,optional"`
-	HealthTarget       string `hcl:"health_target"`
-}
-
-func (d Domain) Valid() error {
-	var errs []error
-
-	if _, err := idna.Lookup.ToASCII(d.Name); err != nil {
-		errs = append(errs, fmt.Errorf("%w %q: %w", ErrInvalidDomainName, d.Name, err))
-	}
-
-	if err := d.TLS.Valid(); err != nil {
-		errs = append(errs, fmt.Errorf("%w: %w", ErrInvalidDomainTLSConfig, err))
-	}
-
-	if err := isURLValid(d.Target); err != nil {
-		errs = append(errs, fmt.Errorf("target has %w %q: %w", ErrInvalidURL, d.Target, err))
-	}
-
-	if err := isURLValid(d.HealthTarget); err != nil {
-		errs = append(errs, fmt.Errorf("health_target has %w %q: %w", ErrInvalidURL, d.HealthTarget, err))
-	}
-
-	if len(errs) != 0 {
-		return errors.Join(errs...)
-	}
-
-	return nil
-}
-
-func isURLValid(input string) error {
-	u, err := url.Parse(input)
-	if err != nil {
-		return err
-	}
-
-	switch u.Scheme {
-	case "http", "https", "h2c", "unix":
-		// do nothing
-	default:
-		return fmt.Errorf("%w %s has scheme %s (want http, https, h2c, unix)", ErrInvalidURLScheme, input, u.Scheme)
-	}
-
-	return nil
-}
--- a/cmd/osiris/internal/config/domain_test.go
+++ b/cmd/osiris/internal/config/domain_test.go
@@ -1,89 +0,0 @@
-package config
-
-import (
-	"errors"
-	"testing"
-)
-
-func TestDomainValid(t *testing.T) {
-	for _, tt := range []struct {
-		name  string
-		input Domain
-		err   error
-	}{
-		{
-			name: "simple happy path",
-			input: Domain{
-				Name: "anubis.techaro.lol",
-				TLS: TLS{
-					Cert: "./testdata/tls/selfsigned.crt",
-					Key:  "./testdata/tls/selfsigned.key",
-				},
-				Target:       "http://localhost:3000",
-				HealthTarget: "http://localhost:9091/healthz",
-			},
-		},
-		{
-			name: "invalid domain name",
-			input: Domain{
-				Name: "\uFFFD.techaro.lol",
-				TLS: TLS{
-					Cert: "./testdata/tls/selfsigned.crt",
-					Key:  "./testdata/tls/selfsigned.key",
-				},
-				Target:       "http://localhost:3000",
-				HealthTarget: "http://localhost:9091/healthz",
-			},
-			err: ErrInvalidDomainName,
-		},
-		{
-			name: "invalid tls config",
-			input: Domain{
-				Name: "anubis.techaro.lol",
-				TLS: TLS{
-					Cert: "./testdata/tls/invalid.crt",
-					Key:  "./testdata/tls/invalid.key",
-				},
-				Target:       "http://localhost:3000",
-				HealthTarget: "http://localhost:9091/healthz",
-			},
-			err: ErrInvalidDomainTLSConfig,
-		},
-		{
-			name: "invalid URL",
-			input: Domain{
-				Name: "anubis.techaro.lol",
-				TLS: TLS{
-					Cert: "./testdata/tls/selfsigned.crt",
-					Key:  "./testdata/tls/selfsigned.key",
-				},
-				Target:       "file://[::1:3000",
-				HealthTarget: "file://[::1:9091/healthz",
-			},
-			err: ErrInvalidURL,
-		},
-		{
-			name: "wrong URL scheme",
-			input: Domain{
-				Name: "anubis.techaro.lol",
-				TLS: TLS{
-					Cert: "./testdata/tls/selfsigned.crt",
-					Key:  "./testdata/tls/selfsigned.key",
-				},
-				Target:       "file://localhost:3000",
-				HealthTarget: "file://localhost:9091/healthz",
-			},
-			err: ErrInvalidURLScheme,
-		},
-	} {
-		t.Run(tt.name, func(t *testing.T) {
-			if err := tt.input.Valid(); !errors.Is(err, tt.err) {
-				t.Logf("want: %v", tt.err)
-				t.Logf("got:  %v", err)
-				t.Error("got wrong error from validation function")
-			} else {
-				t.Log(err)
-			}
-		})
-	}
-}
--- a/cmd/osiris/internal/config/testdata/tls/invalid.crt
+++ b/cmd/osiris/internal/config/testdata/tls/invalid.crt
@@ -1 +0,0 @@
-aorsentaeiorsntoiearnstoieanrsoietnaioresntoeiar
--- a/cmd/osiris/internal/config/testdata/tls/invalid.key
+++ b/cmd/osiris/internal/config/testdata/tls/invalid.key
@@ -1 +0,0 @@
-aorsentaeiorsntoiearnstoieanrsoietnaioresntoeiar
--- a/cmd/osiris/internal/config/testdata/tls/selfsigned.crt
+++ b/cmd/osiris/internal/config/testdata/tls/selfsigned.crt
@@ -1,11 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIBnzCCAVGgAwIBAgIUAw8funCpiB3ZAAPoWdSCWnzbsFIwBQYDK2VwMEUxCzAJ
-BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l
-dCBXaWRnaXRzIFB0eSBMdGQwHhcNMjUwNzE4MTkwMjM1WhcNMjUwODE3MTkwMjM1
-WjBFMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwY
-SW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMCowBQYDK2VwAyEAcXDHXV3vgpvjtTaz
-s0Oj/73rMr06bhyGGhleYS1MNoWjUzBRMB0GA1UdDgQWBBQwmfKPthucFHB6Wfgz
-2Nj5nkMQOjAfBgNVHSMEGDAWgBQwmfKPthucFHB6Wfgz2Nj5nkMQOjAPBgNVHRMB
-Af8EBTADAQH/MAUGAytlcANBALBYbULlGwB7Ro0UTgUoQDNxEvayn3qzVFHIt7lC
-/2/NzNBkk4yPT+a4mbRuydxLkv+JIvmQbarZxpksYnWlCAM=
-----END CERTIFICATE-----
--- a/cmd/osiris/internal/config/testdata/tls/selfsigned.key
+++ b/cmd/osiris/internal/config/testdata/tls/selfsigned.key
@@ -1,3 +0,0 @@
-----BEGIN PRIVATE KEY-----
-MC4CAQAwBQYDK2VwBCIEIOHKoX22Mha6SnnpLm34fSSfTUDbRiDCi6N1nOgTOlds
-----END PRIVATE KEY-----
--- a/cmd/osiris/internal/config/tls.go
+++ b/cmd/osiris/internal/config/tls.go
@@ -1,40 +0,0 @@
-package config
-
-import (
-	"crypto/tls"
-	"errors"
-	"fmt"
-	"os"
-)
-
-var (
-	ErrCantReadTLS       = errors.New("tls: can't read TLS")
-	ErrInvalidTLSKeypair = errors.New("tls: can't parse TLS keypair")
-)
-
-type TLS struct {
-	Cert string `hcl:"cert"`
-	Key  string `hcl:"key"`
-}
-
-func (t TLS) Valid() error {
-	var errs []error
-
-	if _, err := os.Stat(t.Cert); err != nil {
-		errs = append(errs, fmt.Errorf("%w certificate %s: %w", ErrCantReadTLS, t.Cert, err))
-	}
-
-	if _, err := os.Stat(t.Key); err != nil {
-		errs = append(errs, fmt.Errorf("%w key %s: %w", ErrCantReadTLS, t.Key, err))
-	}
-
-	if _, err := tls.LoadX509KeyPair(t.Cert, t.Key); err != nil {
-		errs = append(errs, fmt.Errorf("%w (%s, %s): %w", ErrInvalidTLSKeypair, t.Cert, t.Key, err))
-	}
-
-	if len(errs) != 0 {
-		return errors.Join(errs...)
-	}
-
-	return nil
-}
--- a/cmd/osiris/internal/config/tls_test.go
+++ b/cmd/osiris/internal/config/tls_test.go
@@ -1,48 +0,0 @@
-package config
-
-import (
-	"errors"
-	"testing"
-)
-
-func TestTLSValid(t *testing.T) {
-	for _, tt := range []struct {
-		name  string
-		input TLS
-		err   error
-	}{
-		{
-			name: "simple selfsigned",
-			input: TLS{
-				Cert: "./testdata/tls/selfsigned.crt",
-				Key:  "./testdata/tls/selfsigned.key",
-			},
-		},
-		{
-			name: "files don't exist",
-			input: TLS{
-				Cert: "./testdata/tls/nonexistent.crt",
-				Key:  "./testdata/tls/nonexistent.key",
-			},
-			err: ErrCantReadTLS,
-		},
-		{
-			name: "invalid keypair",
-			input: TLS{
-				Cert: "./testdata/tls/invalid.crt",
-				Key:  "./testdata/tls/invalid.key",
-			},
-			err: ErrInvalidTLSKeypair,
-		},
-	} {
-		t.Run(tt.name, func(t *testing.T) {
-			if err := tt.input.Valid(); !errors.Is(err, tt.err) {
-				t.Logf("want: %v", tt.err)
-				t.Logf("got:  %v", err)
-				t.Error("got wrong error from validation function")
-			} else {
-				t.Log(err)
-			}
-		})
-	}
-}
--- a/cmd/osiris/internal/entrypoint/entrypoint.go
+++ b/cmd/osiris/internal/entrypoint/entrypoint.go
@@ -1,85 +0,0 @@
-package entrypoint
-
-import (
-	"context"
-	"fmt"
-	"log/slog"
-	"net"
-
-	"github.com/TecharoHQ/anubis/cmd/osiris/internal/config"
-	"github.com/TecharoHQ/anubis/internal"
-	"github.com/hashicorp/hcl/v2/hclsimple"
-	"golang.org/x/sync/errgroup"
-	healthv1 "google.golang.org/grpc/health/grpc_health_v1"
-)
-
-type Options struct {
-	ConfigFname string
-}
-
-func Main(ctx context.Context, opts Options) error {
-	internal.SetHealth("osiris", healthv1.HealthCheckResponse_NOT_SERVING)
-
-	var cfg config.Toplevel
-	if err := hclsimple.DecodeFile(opts.ConfigFname, nil, &cfg); err != nil {
-		return fmt.Errorf("can't read configuration file %s:\n\n%w", opts.ConfigFname, err)
-	}
-
-	if err := cfg.Valid(); err != nil {
-		return fmt.Errorf("configuration file %s is invalid:\n\n%w", opts.ConfigFname, err)
-	}
-
-	rtr, err := NewRouter(cfg)
-	if err != nil {
-		return err
-	}
-	rtr.opts = opts
-	go rtr.backgroundReloadConfig(ctx)
-
-	g, gCtx := errgroup.WithContext(ctx)
-
-	// HTTP
-	g.Go(func() error {
-		ln, err := net.Listen("tcp", cfg.Bind.HTTP)
-		if err != nil {
-			return fmt.Errorf("(HTTP) can't bind to tcp %s: %w", cfg.Bind.HTTP, err)
-		}
-		defer ln.Close()
-
-		go func(ctx context.Context) {
-			<-ctx.Done()
-			ln.Close()
-		}(ctx)
-
-		slog.Info("listening", "for", "http", "bind", cfg.Bind.HTTP)
-
-		return rtr.HandleHTTP(gCtx, ln)
-	})
-
-	// HTTPS
-	g.Go(func() error {
-		ln, err := net.Listen("tcp", cfg.Bind.HTTPS)
-		if err != nil {
-			return fmt.Errorf("(https) can't bind to tcp %s: %w", cfg.Bind.HTTPS, err)
-		}
-		defer ln.Close()
-
-		go func(ctx context.Context) {
-			<-ctx.Done()
-			ln.Close()
-		}(ctx)
-
-		slog.Info("listening", "for", "https", "bind", cfg.Bind.HTTPS)
-
-		return rtr.HandleHTTPS(gCtx, ln)
-	})
-
-	// Metrics
-	g.Go(func() error {
-		return rtr.ListenAndServeMetrics(gCtx, cfg.Bind.Metrics)
-	})
-
-	internal.SetHealth("osiris", healthv1.HealthCheckResponse_SERVING)
-
-	return g.Wait()
-}
--- a/cmd/osiris/internal/entrypoint/entrypoint_test.go
+++ b/cmd/osiris/internal/entrypoint/entrypoint_test.go
@@ -1,93 +0,0 @@
-package entrypoint
-
-import (
-	"context"
-	"errors"
-	"net"
-	"net/http"
-	"os"
-	"path/filepath"
-	"testing"
-	"time"
-)
-
-func TestMainGoodConfig(t *testing.T) {
-	files, err := os.ReadDir("./testdata/good")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	for _, st := range files {
-		t.Run(st.Name(), func(t *testing.T) {
-			ctx, cancel := context.WithCancel(t.Context())
-			cfg := loadConfig(t, filepath.Join("testdata", "good", st.Name()))
-
-			go func(ctx context.Context) {
-				if err := Main(ctx, Options{
-					ConfigFname: filepath.Join("testdata", "good", st.Name()),
-				}); err != nil {
-					var netOpErr *net.OpError
-					switch {
-					case errors.Is(err, context.Canceled):
-						// Context was canceled, this is expected
-						return
-					case errors.As(err, &netOpErr):
-						// Network operation error occurred
-						t.Logf("Network operation error: %v", netOpErr)
-						return
-					case errors.Is(err, http.ErrServerClosed):
-						// Server was closed, this is expected
-						return
-					default:
-						// Other unexpected error
-						panic(err)
-					}
-				}
-			}(ctx)
-
-			wait := 5 * time.Millisecond
-
-			for i := range make([]struct{}, 10) {
-				if i != 0 {
-					time.Sleep(wait)
-					wait = wait * 2
-				}
-
-				t.Logf("try %d (wait=%s)", i+1, wait)
-
-				resp, err := http.Get("http://localhost" + cfg.Bind.Metrics + "/readyz")
-				if err != nil {
-					continue
-				}
-
-				if resp.StatusCode != http.StatusOK {
-					continue
-				}
-
-				cancel()
-				return
-			}
-
-			t.Fatal("router initialization did not work")
-		})
-	}
-}
-
-func TestMainBadConfig(t *testing.T) {
-	files, err := os.ReadDir("./testdata/bad")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	for _, st := range files {
-		t.Run(st.Name(), func(t *testing.T) {
-			if err := Main(t.Context(), Options{
-				ConfigFname: filepath.Join("testdata", "bad", st.Name()),
-			}); err == nil {
-				t.Error("wanted an error but got none")
-			} else {
-				t.Log(err)
-			}
-		})
-	}
-}
--- a/cmd/osiris/internal/entrypoint/h2c.go
+++ b/cmd/osiris/internal/entrypoint/h2c.go
@@ -1,35 +0,0 @@
-package entrypoint
-
-import (
-	"crypto/tls"
-	"net"
-	"net/http"
-	"net/http/httputil"
-	"net/url"
-
-	"golang.org/x/net/http2"
-)
-
-func newH2CReverseProxy(target *url.URL) *httputil.ReverseProxy {
-	target.Scheme = "http"
-
-	director := func(req *http.Request) {
-		req.URL.Scheme = target.Scheme
-		req.URL.Host = target.Host
-		req.Host = target.Host
-	}
-
-	// Use h2c transport
-	transport := &http2.Transport{
-		AllowHTTP: true,
-		DialTLS: func(network, addr string, cfg *tls.Config) (net.Conn, error) {
-			// Just do plain TCP (h2c)
-			return net.Dial(network, addr)
-		},
-	}
-
-	return &httputil.ReverseProxy{
-		Director:  director,
-		Transport: transport,
-	}
-}
--- a/cmd/osiris/internal/entrypoint/h2c_test.go
+++ b/cmd/osiris/internal/entrypoint/h2c_test.go
@@ -1,51 +0,0 @@
-package entrypoint
-
-import (
-	"net/http"
-	"net/http/httptest"
-	"net/url"
-	"testing"
-
-	"golang.org/x/net/http2"
-	"golang.org/x/net/http2/h2c"
-)
-
-func newH2cServer(t *testing.T, h http.Handler) *httptest.Server {
-	t.Helper()
-
-	h2s := &http2.Server{}
-
-	srv := httptest.NewServer(h2c.NewHandler(h, h2s))
-	t.Cleanup(func() {
-		srv.Close()
-	})
-
-	return srv
-}
-
-func TestH2CReverseProxy(t *testing.T) {
-	h := &ackHandler{}
-
-	srv := newH2cServer(t, h)
-
-	u, err := url.Parse(srv.URL)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	rp := httptest.NewServer(newH2CReverseProxy(u))
-	defer rp.Close()
-
-	resp, err := rp.Client().Get(rp.URL)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if resp.StatusCode != http.StatusOK {
-		t.Errorf("wrong status code from reverse proxy: %d", resp.StatusCode)
-	}
-
-	if !h.ack {
-		t.Error("h2c handler was not executed")
-	}
-}
--- a/cmd/osiris/internal/entrypoint/metrics.go
+++ b/cmd/osiris/internal/entrypoint/metrics.go
@@ -1,72 +0,0 @@
-package entrypoint
-
-import (
-	"bytes"
-	"fmt"
-	"log/slog"
-	"net/http"
-	"sort"
-
-	"github.com/TecharoHQ/anubis/internal"
-	healthv1 "google.golang.org/grpc/health/grpc_health_v1"
-)
-
-func healthz(w http.ResponseWriter, r *http.Request) {
-	services, err := internal.HealthSrv.List(r.Context(), nil)
-	if err != nil {
-		slog.Error("can't get list of services", "err", err)
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return
-	}
-
-	var keys []string
-	for k := range services.Statuses {
-		if k == "" {
-			continue
-		}
-		keys = append(keys, k)
-	}
-
-	sort.Strings(keys)
-
-	var msg bytes.Buffer
-
-	var healthy bool = true
-
-	for _, k := range keys {
-		st := services.Statuses[k].GetStatus()
-		fmt.Fprintf(&msg, "%s: %s\n", k, st)
-		switch st {
-		case healthv1.HealthCheckResponse_SERVING:
-			// do nothing
-		default:
-			healthy = false
-		}
-	}
-
-	if !healthy {
-		w.WriteHeader(http.StatusInternalServerError)
-	}
-
-	w.Write(msg.Bytes())
-}
-
-func readyz(w http.ResponseWriter, r *http.Request) {
-	st, ok := internal.GetHealth("osiris")
-	if !ok {
-		slog.Error("health service osiris does not exist, file a bug")
-		http.Error(w, "health service osiris does not exist", http.StatusExpectationFailed)
-	}
-
-	switch st {
-	case healthv1.HealthCheckResponse_NOT_SERVING:
-		http.Error(w, "NOT OK", http.StatusInternalServerError)
-		return
-	case healthv1.HealthCheckResponse_SERVING:
-		fmt.Fprintln(w, "OK")
-		return
-	default:
-		http.Error(w, "UNKNOWN", http.StatusFailedDependency)
-		return
-	}
-}
--- a/cmd/osiris/internal/entrypoint/metrics_test.go
+++ b/cmd/osiris/internal/entrypoint/metrics_test.go
@@ -1,66 +0,0 @@
-package entrypoint
-
-import (
-	"net/http"
-	"net/http/httptest"
-	"testing"
-
-	"github.com/TecharoHQ/anubis/internal"
-	healthv1 "google.golang.org/grpc/health/grpc_health_v1"
-)
-
-func TestHealthz(t *testing.T) {
-	srv := httptest.NewServer(http.HandlerFunc(healthz))
-
-	internal.SetHealth("osiris", healthv1.HealthCheckResponse_NOT_SERVING)
-
-	resp, err := srv.Client().Get(srv.URL)
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer resp.Body.Close()
-
-	if resp.StatusCode == http.StatusOK {
-		t.Errorf("wanted not ready but got %d", resp.StatusCode)
-	}
-
-	internal.SetHealth("osiris", healthv1.HealthCheckResponse_SERVING)
-
-	resp, err = srv.Client().Get(srv.URL)
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer resp.Body.Close()
-
-	if resp.StatusCode != http.StatusOK {
-		t.Errorf("wanted ready but got %d", resp.StatusCode)
-	}
-}
-
-func TestReadyz(t *testing.T) {
-	srv := httptest.NewServer(http.HandlerFunc(readyz))
-
-	internal.SetHealth("osiris", healthv1.HealthCheckResponse_NOT_SERVING)
-
-	resp, err := srv.Client().Get(srv.URL)
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer resp.Body.Close()
-
-	if resp.StatusCode == http.StatusOK {
-		t.Errorf("wanted not ready but got %d", resp.StatusCode)
-	}
-
-	internal.SetHealth("osiris", healthv1.HealthCheckResponse_SERVING)
-
-	resp, err = srv.Client().Get(srv.URL)
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer resp.Body.Close()
-
-	if resp.StatusCode != http.StatusOK {
-		t.Errorf("wanted ready but got %d", resp.StatusCode)
-	}
-}
--- a/cmd/osiris/internal/entrypoint/router.go
+++ b/cmd/osiris/internal/entrypoint/router.go
@@ -1,320 +0,0 @@
-package entrypoint
-
-import (
-	"context"
-	"crypto/tls"
-	"errors"
-	"fmt"
-	"log/slog"
-	"net"
-	"net/http"
-	"net/http/httputil"
-	"net/url"
-	"os"
-	"os/signal"
-	"strings"
-	"sync"
-	"syscall"
-	"time"
-
-	"github.com/TecharoHQ/anubis/cmd/osiris/internal/config"
-	"github.com/TecharoHQ/anubis/internal"
-	"github.com/TecharoHQ/anubis/internal/fingerprint"
-	"github.com/felixge/httpsnoop"
-	"github.com/hashicorp/hcl/v2/hclsimple"
-	"github.com/lum8rjack/go-ja4h"
-	"github.com/prometheus/client_golang/prometheus"
-	"github.com/prometheus/client_golang/prometheus/promauto"
-	"github.com/prometheus/client_golang/prometheus/promhttp"
-)
-
-var (
-	ErrTargetInvalid     = errors.New("[unexpected] target invalid")
-	ErrNoHandler         = errors.New("[unexpected] no handler for domain")
-	ErrInvalidTLSKeypair = errors.New("[unexpected] invalid TLS keypair")
-	ErrNoCert            = errors.New("this server does not have a certificate for that domain")
-
-	requestsPerDomain = promauto.NewGaugeVec(prometheus.GaugeOpts{
-		Namespace: "techaro",
-		Subsystem: "osiris",
-		Name:      "request_count",
-	}, []string{"domain", "method", "response_code"})
-
-	responseTime = promauto.NewHistogramVec(prometheus.HistogramOpts{
-		Namespace: "techaro",
-		Subsystem: "osiris",
-		Name:      "response_time",
-	}, []string{"domain"})
-
-	unresolvedRequests = promauto.NewGauge(prometheus.GaugeOpts{
-		Namespace: "techaro",
-		Subsystem: "osiris",
-		Name:      "unresolved_requests",
-	})
-)
-
-type Router struct {
-	lock     sync.RWMutex
-	routes   map[string]http.Handler
-	tlsCerts map[string]*tls.Certificate
-	opts     Options
-}
-
-func (rtr *Router) setConfig(c config.Toplevel) error {
-	var errs []error
-	newMap := map[string]http.Handler{}
-	newCerts := map[string]*tls.Certificate{}
-
-	for _, d := range c.Domains {
-		var domainErrs []error
-
-		u, err := url.Parse(d.Target)
-		if err != nil {
-			domainErrs = append(domainErrs, fmt.Errorf("%w %q: %v", ErrTargetInvalid, d.Target, err))
-		}
-
-		var h http.Handler
-
-		if u != nil {
-			switch u.Scheme {
-			case "http", "https":
-				rp := httputil.NewSingleHostReverseProxy(u)
-
-				if d.InsecureSkipVerify {
-					rp.Transport = &http.Transport{
-						TLSClientConfig: &tls.Config{
-							InsecureSkipVerify: true,
-						},
-					}
-				}
-
-				h = rp
-			case "h2c":
-				h = newH2CReverseProxy(u)
-			case "unix":
-				h = &httputil.ReverseProxy{
-					Director: func(r *http.Request) {
-						r.URL.Scheme = "http"
-						r.URL.Host = d.Name
-						r.Host = d.Name
-					},
-					Transport: &http.Transport{
-						DialContext: func(_ context.Context, _, _ string) (net.Conn, error) {
-							return net.Dial("unix", strings.TrimPrefix(d.Target, "unix://"))
-						},
-					},
-				}
-			}
-		}
-
-		if h == nil {
-			domainErrs = append(domainErrs, ErrNoHandler)
-		}
-
-		newMap[d.Name] = h
-
-		cert, err := tls.LoadX509KeyPair(d.TLS.Cert, d.TLS.Key)
-		if err != nil {
-			domainErrs = append(domainErrs, fmt.Errorf("%w: %w", ErrInvalidTLSKeypair, err))
-		}
-
-		newCerts[d.Name] = &cert
-
-		if len(domainErrs) != 0 {
-			errs = append(errs, fmt.Errorf("invalid domain %s: %w", d.Name, errors.Join(domainErrs...)))
-		}
-	}
-
-	if len(errs) != 0 {
-		return fmt.Errorf("can't compile config to routing map: %w", errors.Join(errs...))
-	}
-
-	rtr.lock.Lock()
-	rtr.routes = newMap
-	rtr.tlsCerts = newCerts
-	rtr.lock.Unlock()
-
-	return nil
-}
-
-func (rtr *Router) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
-	rtr.lock.RLock()
-	cert, ok := rtr.tlsCerts[hello.ServerName]
-	rtr.lock.RUnlock()
-
-	if !ok {
-		return nil, ErrNoCert
-	}
-
-	return cert, nil
-}
-
-func (rtr *Router) loadConfig() error {
-	slog.Info("reloading config", "fname", rtr.opts.ConfigFname)
-	var cfg config.Toplevel
-	if err := hclsimple.DecodeFile(rtr.opts.ConfigFname, nil, &cfg); err != nil {
-		return err
-	}
-
-	if err := cfg.Valid(); err != nil {
-		return err
-	}
-
-	if err := rtr.setConfig(cfg); err != nil {
-		return err
-	}
-
-	slog.Info("done!")
-
-	return nil
-}
-
-func (rtr *Router) backgroundReloadConfig(ctx context.Context) {
-	t := time.NewTicker(time.Hour)
-	defer t.Stop()
-	ch := make(chan os.Signal, 1)
-	signal.Notify(ch, syscall.SIGHUP)
-
-	for {
-		select {
-		case <-ctx.Done():
-			return
-		case <-t.C:
-			if err := rtr.loadConfig(); err != nil {
-				slog.Error("can't reload config", "fname", rtr.opts.ConfigFname, "err", err)
-			}
-		case <-ch:
-			if err := rtr.loadConfig(); err != nil {
-				slog.Error("can't reload config", "fname", rtr.opts.ConfigFname, "err", err)
-			}
-		}
-	}
-}
-
-func NewRouter(c config.Toplevel) (*Router, error) {
-	result := &Router{
-		routes: map[string]http.Handler{},
-	}
-
-	if err := result.setConfig(c); err != nil {
-		return nil, err
-	}
-
-	return result, nil
-}
-
-func (rtr *Router) HandleHTTP(ctx context.Context, ln net.Listener) error {
-	srv := http.Server{
-		Handler:  rtr,
-		ErrorLog: internal.GetFilteredHTTPLogger(),
-	}
-
-	go func(ctx context.Context) {
-		<-ctx.Done()
-		srv.Close()
-	}(ctx)
-
-	return srv.Serve(ln)
-}
-
-func (rtr *Router) HandleHTTPS(ctx context.Context, ln net.Listener) error {
-	tc := &tls.Config{
-		GetCertificate: rtr.GetCertificate,
-	}
-
-	srv := &http.Server{
-		Handler:   rtr,
-		ErrorLog:  internal.GetFilteredHTTPLogger(),
-		TLSConfig: tc,
-	}
-
-	go func(ctx context.Context) {
-		<-ctx.Done()
-		srv.Close()
-	}(ctx)
-
-	fingerprint.ApplyTLSFingerprinter(srv)
-
-	return srv.ServeTLS(ln, "", "")
-}
-
-func (rtr *Router) ListenAndServeMetrics(ctx context.Context, addr string) error {
-	ln, err := net.Listen("tcp", addr)
-	if err != nil {
-		return fmt.Errorf("(metrics) can't bind to tcp %s: %w", addr, err)
-	}
-	defer ln.Close()
-
-	go func(ctx context.Context) {
-		<-ctx.Done()
-		ln.Close()
-	}(ctx)
-
-	mux := http.NewServeMux()
-
-	mux.Handle("/metrics", promhttp.Handler())
-	mux.HandleFunc("/readyz", readyz)
-	mux.HandleFunc("/healthz", healthz)
-
-	slog.Info("listening", "for", "metrics", "bind", addr)
-
-	srv := http.Server{
-		Addr:     addr,
-		Handler:  mux,
-		ErrorLog: internal.GetFilteredHTTPLogger(),
-	}
-
-	go func(ctx context.Context) {
-		<-ctx.Done()
-		srv.Close()
-	}(ctx)
-
-	return srv.Serve(ln)
-}
-
-func (rtr *Router) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	var host = r.Host
-
-	if strings.Contains(host, ":") {
-		host, _, _ = net.SplitHostPort(host)
-	}
-
-	var h http.Handler
-	var ok bool
-
-	ja4hFP := ja4h.JA4H(r)
-
-	slog.Info("got request", "method", r.Method, "host", host, "path", r.URL.Path)
-
-	rtr.lock.RLock()
-	h, ok = rtr.routes[host]
-	rtr.lock.RUnlock()
-
-	if !ok {
-		unresolvedRequests.Inc()
-		http.NotFound(w, r) // TODO(Xe): brand this
-		return
-	}
-
-	r.Header.Set("X-Http-Ja4h-Fingerprint", ja4hFP)
-
-	if fp := fingerprint.GetTLSFingerprint(r); fp != nil {
-		if ja3n := fp.JA3N(); ja3n != nil {
-			r.Header.Set("X-Tls-Ja3n-Fingerprint", ja3n.String())
-		}
-		if ja4 := fp.JA4(); ja4 != nil {
-			r.Header.Set("X-Tls-Ja4-Fingerprint", ja4.String())
-		}
-	}
-
-	if tcpFP := fingerprint.GetTCPFingerprint(r); tcpFP != nil {
-		r.Header.Set("X-Tcp-Ja4t-Fingerprint", tcpFP.String())
-	}
-
-	m := httpsnoop.CaptureMetrics(h, w, r)
-
-	requestsPerDomain.WithLabelValues(host, r.Method, fmt.Sprint(m.Code)).Inc()
-	responseTime.WithLabelValues(host).Observe(float64(m.Duration.Milliseconds()))
-
-	slog.Info("request completed", "host", host, "method", r.Method, "response_code", m.Code, "duration_ms", m.Duration.Milliseconds())
-}
--- a/cmd/osiris/internal/entrypoint/router_test.go
+++ b/cmd/osiris/internal/entrypoint/router_test.go
@@ -1,319 +0,0 @@
-package entrypoint
-
-import (
-	"context"
-	"crypto/tls"
-	"errors"
-	"fmt"
-	"net"
-	"net/http"
-	"net/http/httptest"
-	"os"
-	"path/filepath"
-	"strings"
-	"testing"
-
-	"github.com/TecharoHQ/anubis/cmd/osiris/internal/config"
-	"github.com/hashicorp/hcl/v2/hclsimple"
-)
-
-func loadConfig(t *testing.T, fname string) config.Toplevel {
-	t.Helper()
-
-	var cfg config.Toplevel
-	if err := hclsimple.DecodeFile(fname, nil, &cfg); err != nil {
-		t.Fatalf("can't read configuration file %s: %v", fname, err)
-	}
-
-	if err := cfg.Valid(); err != nil {
-		t.Errorf("configuration file %s is invalid: %v", "./testdata/selfsigned.hcl", err)
-	}
-
-	return cfg
-}
-
-func newRouter(t *testing.T, cfg config.Toplevel) *Router {
-	t.Helper()
-
-	rtr, err := NewRouter(cfg)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	return rtr
-}
-
-func TestNewRouter(t *testing.T) {
-	cfg := loadConfig(t, "./testdata/good/selfsigned.hcl")
-	rtr := newRouter(t, cfg)
-
-	srv := httptest.NewServer(rtr)
-	defer srv.Close()
-}
-
-func TestNewRouterFails(t *testing.T) {
-	cfg := loadConfig(t, "./testdata/good/selfsigned.hcl")
-
-	cfg.Domains = append(cfg.Domains, config.Domain{
-		Name: "test1.internal",
-		TLS: config.TLS{
-			Cert: "./testdata/tls/invalid.crt",
-			Key:  "./testdata/tls/invalid.key",
-		},
-		Target:       cfg.Domains[0].Target,
-		HealthTarget: cfg.Domains[0].HealthTarget,
-	})
-
-	rtr, err := NewRouter(cfg)
-	if err == nil {
-		t.Fatal("wanted an error but got none")
-	}
-
-	srv := httptest.NewServer(rtr)
-	defer srv.Close()
-}
-
-func TestRouterSetConfig(t *testing.T) {
-	for _, tt := range []struct {
-		name        string
-		configFname string
-		mutation    func(cfg config.Toplevel) config.Toplevel
-		err         error
-	}{
-		{
-			name:        "basic",
-			configFname: "./testdata/good/selfsigned.hcl",
-			mutation: func(cfg config.Toplevel) config.Toplevel {
-				return cfg
-			},
-		},
-		{
-			name:        "all schemes",
-			configFname: "./testdata/good/selfsigned.hcl",
-			mutation: func(cfg config.Toplevel) config.Toplevel {
-				cfg.Domains = append(cfg.Domains, config.Domain{
-					Name:         "http.internal",
-					TLS:          cfg.Domains[0].TLS,
-					Target:       "http://[::1]:3000",
-					HealthTarget: cfg.Domains[0].HealthTarget,
-				})
-				cfg.Domains = append(cfg.Domains, config.Domain{
-					Name:         "https.internal",
-					TLS:          cfg.Domains[0].TLS,
-					Target:       "https://[::1]:3000",
-					HealthTarget: cfg.Domains[0].HealthTarget,
-				})
-				cfg.Domains = append(cfg.Domains, config.Domain{
-					Name:         "h2c.internal",
-					TLS:          cfg.Domains[0].TLS,
-					Target:       "h2c://[::1]:3000",
-					HealthTarget: cfg.Domains[0].HealthTarget,
-				})
-				cfg.Domains = append(cfg.Domains, config.Domain{
-					Name:         "unix.internal",
-					TLS:          cfg.Domains[0].TLS,
-					Target:       "unix://foo.sock",
-					HealthTarget: cfg.Domains[0].HealthTarget,
-				})
-
-				return cfg
-			},
-		},
-		{
-			name:        "invalid TLS",
-			configFname: "./testdata/good/selfsigned.hcl",
-			mutation: func(cfg config.Toplevel) config.Toplevel {
-				cfg.Domains = append(cfg.Domains, config.Domain{
-					Name: "test1.internal",
-					TLS: config.TLS{
-						Cert: "./testdata/tls/invalid.crt",
-						Key:  "./testdata/tls/invalid.key",
-					},
-					Target:       cfg.Domains[0].Target,
-					HealthTarget: cfg.Domains[0].HealthTarget,
-				})
-
-				return cfg
-			},
-			err: ErrInvalidTLSKeypair,
-		},
-		{
-			name:        "target is not a valid URL",
-			configFname: "./testdata/good/selfsigned.hcl",
-			mutation: func(cfg config.Toplevel) config.Toplevel {
-				cfg.Domains = append(cfg.Domains, config.Domain{
-					Name:         "test1.internal",
-					TLS:          cfg.Domains[0].TLS,
-					Target:       "http://[::1:443",
-					HealthTarget: cfg.Domains[0].HealthTarget,
-				})
-
-				return cfg
-			},
-			err: ErrTargetInvalid,
-		},
-		{
-			name:        "invalid target scheme",
-			configFname: "./testdata/good/selfsigned.hcl",
-			mutation: func(cfg config.Toplevel) config.Toplevel {
-				cfg.Domains = append(cfg.Domains, config.Domain{
-					Name:         "test1.internal",
-					TLS:          cfg.Domains[0].TLS,
-					Target:       "foo://",
-					HealthTarget: cfg.Domains[0].HealthTarget,
-				})
-
-				return cfg
-			},
-			err: ErrNoHandler,
-		},
-	} {
-		t.Run(tt.name, func(t *testing.T) {
-			cfg := loadConfig(t, tt.configFname)
-			rtr := newRouter(t, cfg)
-
-			cfg = tt.mutation(cfg)
-
-			if err := rtr.setConfig(cfg); !errors.Is(err, tt.err) {
-				t.Logf("want: %v", tt.err)
-				t.Logf("got:  %v", err)
-				t.Error("got wrong error from rtr.setConfig function")
-			}
-		})
-	}
-}
-
-type ackHandler struct {
-	ack bool
-}
-
-func (ah *ackHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	ah.ack = true
-	fmt.Fprintln(w, "OK")
-}
-
-func (ah *ackHandler) Reset() {
-	ah.ack = false
-}
-
-func newUnixServer(t *testing.T, h http.Handler) string {
-	sockName := filepath.Join(t.TempDir(), "s")
-	ln, err := net.Listen("unix", sockName)
-	if err != nil {
-		t.Fatalf("can't listen on %s: %v", sockName, err)
-	}
-	t.Cleanup(func() {
-		ln.Close()
-		os.Remove(sockName)
-	})
-
-	go func(ctx context.Context) {
-		srv := &http.Server{
-			Handler: h,
-		}
-
-		go func() {
-			<-ctx.Done()
-			srv.Close()
-		}()
-
-		srv.Serve(ln)
-	}(t.Context())
-
-	return "unix://" + sockName
-}
-
-func TestRouterGetCertificate(t *testing.T) {
-	cfg := loadConfig(t, "./testdata/good/selfsigned.hcl")
-	rtr := newRouter(t, cfg)
-
-	for _, tt := range []struct {
-		domainName string
-		err        error
-	}{
-		{
-			domainName: "osiris.local.cetacean.club",
-		},
-		{
-			domainName: "whacky-fun.local",
-			err:        ErrNoCert,
-		},
-	} {
-		t.Run(tt.domainName, func(t *testing.T) {
-			if _, err := rtr.GetCertificate(&tls.ClientHelloInfo{ServerName: tt.domainName}); !errors.Is(err, tt.err) {
-				t.Logf("want: %v", tt.err)
-				t.Logf("got:  %v", err)
-				t.Error("got wrong error from rtr.GetCertificate")
-			}
-		})
-	}
-}
-
-func TestRouterServeAllProtocols(t *testing.T) {
-	cfg := loadConfig(t, "./testdata/good/all_protocols.hcl")
-
-	httpAckHandler := &ackHandler{}
-	httpsAckHandler := &ackHandler{}
-	h2cAckHandler := &ackHandler{}
-	unixAckHandler := &ackHandler{}
-
-	httpSrv := httptest.NewServer(httpAckHandler)
-	httpsSrv := httptest.NewTLSServer(httpsAckHandler)
-	h2cSrv := newH2cServer(t, h2cAckHandler)
-	unixPath := newUnixServer(t, unixAckHandler)
-
-	cfg.Domains[0].Target = httpSrv.URL
-	cfg.Domains[1].Target = httpsSrv.URL
-	cfg.Domains[2].Target = strings.ReplaceAll(h2cSrv.URL, "http:", "h2c:")
-	cfg.Domains[3].Target = unixPath
-
-	// enc := json.NewEncoder(os.Stderr)
-	// enc.SetIndent("", "  ")
-	// enc.Encode(cfg)
-
-	rtr := newRouter(t, cfg)
-
-	cli := &http.Client{
-		Transport: &http.Transport{
-			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: true,
-			},
-		},
-	}
-
-	t.Run("plain http", func(t *testing.T) {
-		ln, err := net.Listen("tcp", ":0")
-		if err != nil {
-			t.Fatal(err)
-		}
-		t.Cleanup(func() {
-			ln.Close()
-		})
-
-		go rtr.HandleHTTP(t.Context(), ln)
-
-		serverURL := "http://" + ln.Addr().String()
-		t.Log(serverURL)
-
-		for _, d := range cfg.Domains {
-			t.Run(d.Name, func(t *testing.T) {
-				req, err := http.NewRequestWithContext(t.Context(), http.MethodGet, serverURL, nil)
-				if err != nil {
-					t.Fatal(err)
-				}
-
-				req.Host = d.Name
-
-				resp, err := cli.Do(req)
-				if err != nil {
-					t.Fatal(err)
-				}
-				defer resp.Body.Close()
-
-				if resp.StatusCode != http.StatusOK {
-					t.Fatalf("wrong status code %d", resp.StatusCode)
-				}
-			})
-		}
-	})
-}
--- a/cmd/osiris/internal/entrypoint/testdata/bad/empty.hcl
+++ b/cmd/osiris/internal/entrypoint/testdata/bad/empty.hcl
--- a/cmd/osiris/internal/entrypoint/testdata/bad/invalid.hcl
+++ b/cmd/osiris/internal/entrypoint/testdata/bad/invalid.hcl
@@ -1,15 +0,0 @@
-bind {
-  http    = ":65530"
-  https   = ":65531"
-  metrics = ":65532"
-}
-
-domain "osiris.local.cetacean.club" {
-  tls {
-    cert = "./testdata/invalid.crt"
-    key  = "./testdata/invalid.key"
-  }
-
-  target        = "http://localhost:3000"
-  health_target = "http://localhost:9091/healthz"
-}
--- a/cmd/osiris/internal/entrypoint/testdata/good/all_protocols.hcl
+++ b/cmd/osiris/internal/entrypoint/testdata/good/all_protocols.hcl
@@ -1,46 +0,0 @@
-bind {
-  http    = ":65520"
-  https   = ":65521"
-  metrics = ":65522"
-}
-
-domain "http.internal" {
-  tls {
-    cert = "./testdata/selfsigned.crt"
-    key  = "./testdata/selfsigned.key"
-  }
-
-  target        = "http://localhost:65510" # XXX(Xe) this is overwritten
-  health_target = "http://localhost:9091/healthz"
-}
-
-domain "https.internal" {
-  tls {
-    cert = "./testdata/selfsigned.crt"
-    key  = "./testdata/selfsigned.key"
-  }
-
-  target               = "https://localhost:65511" # XXX(Xe) this is overwritten
-  insecure_skip_verify = true
-  health_target        = "http://localhost:9091/healthz"
-}
-
-domain "h2c.internal" {
-  tls {
-    cert = "./testdata/selfsigned.crt"
-    key  = "./testdata/selfsigned.key"
-  }
-
-  target        = "h2c://localhost:65511" # XXX(Xe) this is overwritten
-  health_target = "http://localhost:9091/healthz"
-}
-
-domain "unix.internal" {
-  tls {
-    cert = "./testdata/selfsigned.crt"
-    key  = "./testdata/selfsigned.key"
-  }
-
-  target        = "http://localhost:65511" # XXX(Xe) this is overwritten
-  health_target = "http://localhost:9091/healthz"
-}
--- a/cmd/osiris/internal/entrypoint/testdata/good/selfsigned.hcl
+++ b/cmd/osiris/internal/entrypoint/testdata/good/selfsigned.hcl
@@ -1,15 +0,0 @@
-bind {
-  http    = ":65530"
-  https   = ":65531"
-  metrics = ":65532"
-}
-
-domain "osiris.local.cetacean.club" {
-  tls {
-    cert = "./testdata/selfsigned.crt"
-    key  = "./testdata/selfsigned.key"
-  }
-
-  target        = "http://localhost:3000"
-  health_target = "http://localhost:9091/healthz"
-}
--- a/cmd/osiris/internal/entrypoint/testdata/selfsigned.crt
+++ b/cmd/osiris/internal/entrypoint/testdata/selfsigned.crt
@@ -1,11 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIBnzCCAVGgAwIBAgIUOLTjSYOjFk00IemtFTC4oEZs988wBQYDK2VwMEUxCzAJ
-BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l
-dCBXaWRnaXRzIFB0eSBMdGQwHhcNMjUwNzE4MjEyNDIzWhcNMjUwODE3MjEyNDIz
-WjBFMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwY
-SW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMCowBQYDK2VwAyEAPHphABS15+4VV6R1
-vYzBQYIycQmOmlbA8QcfwzuB2VajUzBRMB0GA1UdDgQWBBT2s+MQ4AR6cbK4V0+d
-XZnok1orhDAfBgNVHSMEGDAWgBT2s+MQ4AR6cbK4V0+dXZnok1orhDAPBgNVHRMB
-Af8EBTADAQH/MAUGAytlcANBAOdoJbRMnHmkEETzVtXP+jkAI9yQNRXujnglApGP
-8I5pvIYVgYCgoQrnb4haVWFldHM1T9H698n19e/egfFb+w4=
-----END CERTIFICATE-----
--- a/cmd/osiris/internal/entrypoint/testdata/selfsigned.key
+++ b/cmd/osiris/internal/entrypoint/testdata/selfsigned.key
@@ -1,3 +0,0 @@
-----BEGIN PRIVATE KEY-----
-MC4CAQAwBQYDK2VwBCIEIBop42tiZ0yzhaKo9NAc0PlAyBsE8NAE0i9Z7s2lgZuR
-----END PRIVATE KEY-----
--- a/cmd/osiris/main.go
+++ b/cmd/osiris/main.go
@@ -1,43 +0,0 @@
-package main
-
-import (
-	"context"
-	"flag"
-	"fmt"
-	"os"
-	"os/signal"
-	"syscall"
-
-	"github.com/TecharoHQ/anubis"
-	"github.com/TecharoHQ/anubis/cmd/osiris/internal/entrypoint"
-	"github.com/TecharoHQ/anubis/internal"
-	"github.com/facebookgo/flagenv"
-)
-
-var (
-	configFname = flag.String("config", "./osiris.hcl", "Configuration file (HCL), see docs")
-	slogLevel   = flag.String("slog-level", "INFO", "logging level (see https://pkg.go.dev/log/slog#hdr-Levels)")
-	versionFlag = flag.Bool("version", false, "if true, show version information then quit")
-)
-
-func main() {
-	flagenv.Parse()
-	flag.Parse()
-
-	if *versionFlag {
-		fmt.Println("Osiris", anubis.Version)
-		return
-	}
-
-	internal.InitSlog(*slogLevel)
-
-	ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
-	defer cancel()
-
-	if err := entrypoint.Main(ctx, entrypoint.Options{
-		ConfigFname: *configFname,
-	}); err != nil {
-		fmt.Fprintf(os.Stderr, "%v\n", err)
-		os.Exit(1)
-	}
-}
--- a/cmd/osiris/osiris.hcl
+++ b/cmd/osiris/osiris.hcl
@@ -1,15 +0,0 @@
-bind {
-  http    = ":3004"
-  https   = ":3005"
-  metrics = ":9091"
-}
-
-domain "osiris.local.cetacean.club" {
-  tls {
-    cert = "./internal/config/testdata/tls/selfsigned.crt"
-    key  = "./internal/config/testdata/tls/selfsigned.key"
-  }
-
-  target        = "http://localhost:3000"
-  health_target = "http://localhost:9091/healthz"
-}
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -1,32 +0,0 @@
-variable "ALPINE_VERSION" { default = "3.22" }
-variable "GITHUB_SHA" { default = "devel" }
-variable "VERSION" { default = "devel-docker" }
-
-group "default" {
-  targets = [
-    "osiris",
-  ]
-}
-
-target "osiris" {
-  args = {
-    ALPINE_VERSION = "3.22"
-    VERSION        = "${VERSION}"
-  }
-  context    = "."
-  dockerfile = "./docker/osiris.Dockerfile"
-  platforms = [
-    "linux/amd64",
-    "linux/arm64",
-    "linux/arm/v7",
-    "linux/ppc64le",
-    "linux/riscv64",
-  ]
-  pull       = true
-  sbom       = true
-  provenance = true
-  tags = [
-    "ghcr.io/techarohq/anubis/osiris:${VERSION}",
-    "ghcr.io/techarohq/anubis/osiris:main"
-  ]
-}
--- a/docker/osiris.Dockerfile
+++ b/docker/osiris.Dockerfile
@@ -1,30 +0,0 @@
-ARG ALPINE_VERSION=edge
-FROM --platform=${BUILDPLATFORM} alpine:${ALPINE_VERSION} AS build
-
-RUN apk -U add go nodejs git build-base git npm bash zstd brotli gzip
-
-WORKDIR /app
-
-COPY go.mod go.sum ./
-RUN --mount=type=cache,target=/root/.cache --mount=type=cache,target=/root/go go mod download
-
-COPY package.json package-lock.json ./
-RUN npm ci
-
-ARG TARGETOS
-ARG TARGETARCH
-ARG VERSION=devel-docker
-
-COPY . .
-RUN --mount=type=cache,target=/root/.cache --mount=type=cache,target=/root/go GOOS=${TARGETOS} GOARCH=${TARGETARCH} CGO_ENABLED=0 GOARM=7 go build -gcflags "all=-N -l" -o /app/bin/osiris -ldflags "-s -w -extldflags -static -X github.com/TecharoHQ/anubis.Version=${VERSION}" ./cmd/osiris
-
-FROM alpine:${ALPINE_VERSION} AS run
-WORKDIR /app
-
-RUN apk -U add ca-certificates mailcap
-
-COPY --from=build /app/bin/osiris /app/bin/osiris
-
-CMD ["/app/bin/osiris"]
-
-LABEL org.opencontainers.image.source="https://github.com/TecharoHQ/anubis"
--- a/docs/docs/CHANGELOG.md
+++ b/docs/docs/CHANGELOG.md
@@ -13,17 +13,47 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

 <!-- This changes the project to: -->

- Expired records are now properly removed from bbolt databases ([#848](https://github.com/TecharoHQ/anubis/pull/848)).
+## v1.21.1: Minfilia Warde - Echo 1

+- Expired records are now properly removed from bbolt databases ([#848](https://github.com/TecharoHQ/anubis/pull/848)).
 - Fix hanging on service restart ([#853](https://github.com/TecharoHQ/anubis/issues/853))

 ### Added

+Anubis now supports the [`missingHeader`](./admin/configuration/expressions.mdx#missingHeader) to assert the absence of headers in requests.
+
+#### New locales
+
 Anubis now supports these new languages:

 - [Czech](https://github.com/TecharoHQ/anubis/pull/849)
+- [Finnish](https://github.com/TecharoHQ/anubis/pull/863)
+- [Norwegian Bokmål](https://github.com/TecharoHQ/anubis/pull/855)
+- [Norwegian Nynorsk](https://github.com/TecharoHQ/anubis/pull/855)
+- [Russian](https://github.com/TecharoHQ/anubis/pull/882)

-Anubis now supports the [`missingHeader`](./admin/configuration/expressions.mdx#missingHeader) to assert the absence of headers in requests.
+### Fixes
+
+#### Fix ["error: can't get challenge"](https://github.com/TecharoHQ/anubis/issues/869) when details about a challenge can't be found in the server side state
+
+v1.21.0 changed the core challenge flow to maintain information about challenges on the server side instead of only doing them via stateless idempotent generation functions and relying on details to not change. There was a subtle bug introduced in this change: if a client has an unknown challenge ID set in its test cookie, Anubis will clear that cookie and then throw an HTTP 500 error.
+
+This has been fixed by making Anubis throw a new challenge page instead.
+
+#### Fix event loop thrashing when solving a proof of work challenge
+
+Previously the "fast" proof of work solver had a fragment of JavaScript that attempted to only post an update about proof of work progress to the main browser window every 1024 iterations. This fragment of JavaScript was subtly incorrect in a way that passed review but actually made the workers send an update back to the main thread every iteration. This caused a pileup of unhandled async calls (similar to a socket accept() backlog pileup in Unix) that caused stack space exhaustion.
+
+This has been fixed in the following ways:
+
+1. The complicated boolean logic has been totally removed in favour of a worker-local iteration counter.
+2. The progress bar is updated by worker `0` instead of all workers.
+
+Hopefully this should limit the event loop thrashing and let ia32 browsers (as well as any environment with a smaller stack size than amd64 and aarch64 seem to have) function normally when processing Anubis proof of work challenges.
+
+#### Fix potential memory leak when discovering a solution
+
+In some cases, the parallel solution finder in Anubis could cause all of the worker promises to leak due to the fact the promises were being improperly terminated. This was fixed by having Anubis debounce worker termination instead of allowing it to potentially recurse infinitely.

 ## v1.21.0: Minfilia Warde

--- a/go.mod
+++ b/go.mod
@@ -4,12 +4,12 @@ go 1.24.2

 require (
 	github.com/TecharoHQ/thoth-proto v0.4.0
-	github.com/a-h/templ v0.3.920
+	github.com/a-h/templ v0.3.906
 	github.com/cespare/xxhash/v2 v2.3.0
 	github.com/facebookgo/flagenv v0.0.0-20160425205200-fcd59fca7456
-	github.com/gaissmai/bart v0.22.0
-	github.com/golang-jwt/jwt/v5 v5.2.3
-	github.com/google/cel-go v0.26.0
+	github.com/gaissmai/bart v0.20.5
+	github.com/golang-jwt/jwt/v5 v5.2.2
+	github.com/google/cel-go v0.25.0
 	github.com/google/uuid v1.6.0
 	github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.1.0
 	github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.2
@@ -21,20 +21,20 @@ require (
 	github.com/redis/go-redis/v9 v9.11.0
 	github.com/sebest/xff v0.0.0-20210106013422-671bd2870b3a
 	github.com/shirou/gopsutil/v4 v4.25.6
-	github.com/testcontainers/testcontainers-go v0.38.0
+	github.com/testcontainers/testcontainers-go v0.37.0
 	go.etcd.io/bbolt v1.4.2
 	golang.org/x/net v0.42.0
 	golang.org/x/text v0.27.0
 	google.golang.org/grpc v1.73.0
 	gopkg.in/yaml.v3 v3.0.1
-	k8s.io/apimachinery v0.33.3
+	k8s.io/apimachinery v0.33.2
 	sigs.k8s.io/yaml v1.5.0
 )

 require (
 	al.essio.dev/pkg/shellescape v1.6.0 // indirect
 	buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.6-20250425153114-8976f5be98c1.1 // indirect
-	cel.dev/expr v0.24.0 // indirect
+	cel.dev/expr v0.23.1 // indirect
 	dario.cat/mergo v1.0.2 // indirect
 	github.com/AlekSi/pointer v1.2.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
@@ -47,10 +47,8 @@ require (
 	github.com/Songmu/gitconfig v0.2.0 // indirect
 	github.com/TecharoHQ/yeet v0.6.0 // indirect
 	github.com/a-h/parse v0.0.0-20250122154542-74294addb73e // indirect
-	github.com/agext/levenshtein v1.2.1 // indirect
 	github.com/andybalholm/brotli v1.1.0 // indirect
 	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
-	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb // indirect
 	github.com/cavaliergopher/cpio v1.0.1 // indirect
@@ -58,8 +56,6 @@ require (
 	github.com/cli/browser v1.3.0 // indirect
 	github.com/cli/go-gh v0.1.0 // indirect
 	github.com/cloudflare/circl v1.6.1 // indirect
-	github.com/containerd/errdefs v1.0.0 // indirect
-	github.com/containerd/errdefs/pkg v0.3.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/platforms v0.2.1 // indirect
 	github.com/cpuguy83/dockercfg v0.3.2 // indirect
@@ -70,7 +66,7 @@ require (
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/dlclark/regexp2 v1.11.4 // indirect
-	github.com/docker/docker v28.2.2+incompatible // indirect
+	github.com/docker/docker v28.0.1+incompatible // indirect
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dop251/goja v0.0.0-20250309171923-bcd7cc6bf64c // indirect
@@ -95,7 +91,6 @@ require (
 	github.com/goccy/go-yaml v1.12.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
-	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/go-github/v70 v70.0.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/pprof v0.0.0-20230207041349-798e818bf904 // indirect
@@ -104,7 +99,6 @@ require (
 	github.com/goreleaser/fileglob v1.3.0 // indirect
 	github.com/goreleaser/nfpm/v2 v2.42.1 // indirect
 	github.com/hashicorp/go-version v1.7.0 // indirect
-	github.com/hashicorp/hcl/v2 v2.24.0 // indirect
 	github.com/huandu/xstrings v1.5.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
@@ -115,13 +109,11 @@ require (
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
-	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
-	github.com/moby/go-archive v0.1.0 // indirect
 	github.com/moby/patternmatcher v0.6.0 // indirect
-	github.com/moby/sys/sequential v0.6.0 // indirect
-	github.com/moby/sys/user v0.4.0 // indirect
+	github.com/moby/sys/sequential v0.5.0 // indirect
+	github.com/moby/sys/user v0.1.0 // indirect
 	github.com/moby/sys/userns v0.1.0 // indirect
 	github.com/moby/term v0.5.0 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
@@ -155,7 +147,6 @@ require (
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
-	github.com/zclconf/go-cty v1.16.3 // indirect
 	gitlab.com/digitalxero/go-conventional-commit v1.0.7 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
--- a/go.sum
+++ b/go.sum
@@ -2,12 +2,12 @@ al.essio.dev/pkg/shellescape v1.6.0 h1:NxFcEqzFSEVCGN2yq7Huv/9hyCEGVa/TncnOOBBeX
 al.essio.dev/pkg/shellescape v1.6.0/go.mod h1:6sIqp7X2P6mThCQ7twERpZTuigpr6KbZWtls1U8I890=
 buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.6-20250425153114-8976f5be98c1.1 h1:YhMSc48s25kr7kv31Z8vf7sPUIq5YJva9z1mn/hAt0M=
 buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.6-20250425153114-8976f5be98c1.1/go.mod h1:avRlCjnFzl98VPaeCtJ24RrV/wwHFzB8sWXhj26+n/U=
-cel.dev/expr v0.24.0 h1:56OvJKSH3hDGL0ml5uSxZmz3/3Pq4tJ+fb1unVLAFcY=
-cel.dev/expr v0.24.0/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw=
+cel.dev/expr v0.23.1 h1:K4KOtPCJQjVggkARsjG9RWXP6O4R73aHeJMa/dmCQQg=
+cel.dev/expr v0.23.1/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw=
 dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8=
 dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA=
-github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 h1:He8afgbRMd7mFxO99hRNu+6tazq8nFF9lIwo9JFroBk=
-github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
+github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU=
+github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
 github.com/AlekSi/pointer v1.2.0 h1:glcy/gc4h8HnG2Z3ZECSzZ1IX1x2JxRVuDzaJwQE0+w=
 github.com/AlekSi/pointer v1.2.0/go.mod h1:gZGfd3dpW4vEc/UlyfKKi1roIqcCgwOIvb0tSNSBle0=
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8=
@@ -40,18 +40,14 @@ github.com/TecharoHQ/yeet v0.6.0 h1:RCBAjr7wIlllsgy0tpvWpLX7jsZgu2tiuBY3RrprcR0=
 github.com/TecharoHQ/yeet v0.6.0/go.mod h1:bj2V4Fg8qKQXoiuPZa3HuawrE8g+LsOQv/9q2WyGSsA=
 github.com/a-h/parse v0.0.0-20250122154542-74294addb73e h1:HjVbSQHy+dnlS6C3XajZ69NYAb5jbGNfHanvm1+iYlo=
 github.com/a-h/parse v0.0.0-20250122154542-74294addb73e/go.mod h1:3mnrkvGpurZ4ZrTDbYU84xhwXW2TjTKShSwjRi2ihfQ=
-github.com/agext/levenshtein v1.2.1 h1:QmvMAjj2aEICytGiWzmxoE0x2KZvE0fvmqMOfy2tjT8=
-github.com/agext/levenshtein v1.2.1/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
-github.com/a-h/templ v0.3.920 h1:IQjjTu4KGrYreHo/ewzSeS8uefecisPayIIc9VflLSE=
-github.com/a-h/templ v0.3.920/go.mod h1:FFAu4dI//ESmEN7PQkJ7E7QfnSEMdcnu7QrAY8Dn334=
+github.com/a-h/templ v0.3.906 h1:ZUThc8Q9n04UATaCwaG60pB1AqbulLmYEAMnWV63svg=
+github.com/a-h/templ v0.3.906/go.mod h1:FFAu4dI//ESmEN7PQkJ7E7QfnSEMdcnu7QrAY8Dn334=
 github.com/andybalholm/brotli v1.1.0 h1:eLKJA0d02Lf0mVpIDgYnqXcUn0GqVmEFny3VuID1U3M=
 github.com/andybalholm/brotli v1.1.0/go.mod h1:sms7XGricyQI9K10gOSf56VKKWS4oLer58Q+mhRPtnY=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
 github.com/antlr4-go/antlr/v4 v4.13.0 h1:lxCg3LAv+EUK6t1i0y1V6/SLeUi0eKEKdhQAlS8TVTI=
 github.com/antlr4-go/antlr/v4 v4.13.0/go.mod h1:pfChB/xh/Unjila75QW7+VU4TSnWnnk9UTnmpPaOR2g=
-github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew1u1fNQOlOtuGxQY=
-github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
@@ -81,10 +77,6 @@ github.com/cli/safeexec v1.0.0/go.mod h1:Z/D4tTN8Vs5gXYHDCbaM1S/anmEDnJb1iW0+EJ5
 github.com/cli/shurcooL-graphql v0.0.1/go.mod h1:U7gCSuMZP/Qy7kbqkk5PrqXEeDgtfG5K+W+u8weorps=
 github.com/cloudflare/circl v1.6.1 h1:zqIqSPIndyBh1bjLVVDHMPpVKqp8Su/V+6MeDzzQBQ0=
 github.com/cloudflare/circl v1.6.1/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
-github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
-github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
-github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
-github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
 github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A=
@@ -109,8 +101,8 @@ github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5Qvfr
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
 github.com/dlclark/regexp2 v1.11.4 h1:rPYF9/LECdNymJufQKmri9gV604RvvABwgOA8un7yAo=
 github.com/dlclark/regexp2 v1.11.4/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
-github.com/docker/docker v28.2.2+incompatible h1:CjwRSksz8Yo4+RmQ339Dp/D2tGO5JxwYeqtMOEe0LDw=
-github.com/docker/docker v28.2.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v28.0.1+incompatible h1:FCHjSRdXhNRFjlHMTv4jUNlIBbTeRjrWfeFuJp7jpo0=
+github.com/docker/docker v28.0.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
 github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
@@ -141,8 +133,8 @@ github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHk
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M=
 github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
-github.com/gaissmai/bart v0.22.0 h1:+yR2mCpZx8H8GlqA+Icqi7/Iwx2/OUbO4bVbsORK0ns=
-github.com/gaissmai/bart v0.22.0/go.mod h1:RpLtt3lWq1BoRz3AAyDAJ7jhLWBkYhVCfi+ximB2t68=
+github.com/gaissmai/bart v0.20.5 h1:ehoWZWQ7j//qt0K0Zs4i9hpoPpbgqsMQiR8W2QPJh+c=
+github.com/gaissmai/bart v0.20.5/go.mod h1:cEed+ge8dalcbpi8wtS9x9m2hn/fNJH5suhdGQOHnYk=
 github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c=
 github.com/gliderlabs/ssh v0.3.8/go.mod h1:xYoytBv1sV0aL3CavoDuJIQNURXkkfPA/wxQ1pL1fAU=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
@@ -183,14 +175,14 @@ github.com/goccy/go-yaml v1.12.0 h1:/1WHjnMsI1dlIBQutrvSMGZRQufVO3asrHfTwfACoPM=
 github.com/goccy/go-yaml v1.12.0/go.mod h1:wKnAMd44+9JAAnGQpWVEgBzGt3YuTaQ4uXoHvE4m7WU=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang-jwt/jwt/v5 v5.2.3 h1:kkGXqQOBSDDWRhWNXTFpqGSCMyh/PLnqUvMGJPDJDs0=
-github.com/golang-jwt/jwt/v5 v5.2.3/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
+github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ=
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8/go.mod h1:wcDNUvekVysuuOpQKo3191zZyTpiI6se1N1ULghS0sw=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
-github.com/google/cel-go v0.26.0 h1:DPGjXackMpJWH680oGY4lZhYjIameYmR+/6RBdDGmaI=
-github.com/google/cel-go v0.26.0/go.mod h1:A9O8OU9rdvrK5MQyrqfIxo1a0u4g3sF8KB6PUIaryMM=
+github.com/google/cel-go v0.25.0 h1:jsFw9Fhn+3y2kBbltZR4VEz5xKkcIFRPDnuEzAGv5GY=
+github.com/google/cel-go v0.25.0/go.mod h1:hjEb6r5SuOSlhCHmFoLzu8HGCERvIsDAbxDAyNU/MmI=
 github.com/google/go-cmdtest v0.4.1-0.20220921163831-55ab3332a786 h1:rcv+Ippz6RAtvaGgKxc+8FQIpxHgsF+HBzPyYL2cyVU=
 github.com/google/go-cmdtest v0.4.1-0.20220921163831-55ab3332a786/go.mod h1:apVn/GCasLZUVpAJ6oWAuyP7Ne7CEsQbTnc0plM3m+o=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
@@ -229,8 +221,6 @@ github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3/go.mod h1:ndYquD05frm2vACXE1ns
 github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542/go.mod h1:Ow0tF8D4Kplbc8s8sSb3V2oUCygFHVp8gC3Dn6U4MNI=
 github.com/hashicorp/go-version v1.7.0 h1:5tqGy27NaOTB8yJKUZELlFAS/LTKJkrmONwQKeRZfjY=
 github.com/hashicorp/go-version v1.7.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
-github.com/hashicorp/hcl/v2 v2.24.0 h1:2QJdZ454DSsYGoaE6QheQZjtKZSUs9Nh2izTWiwQxvE=
-github.com/hashicorp/hcl/v2 v2.24.0/go.mod h1:oGoO1FIQYfn/AgyOhlg9qLC6/nOJPX3qGbkZpYAcqfM=
 github.com/henvic/httpretty v0.0.6/go.mod h1:X38wLjWXHkXT7r2+uK8LjCMne9rsuNaBLJ+5cU2/Pmo=
 github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI=
 github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
@@ -284,22 +274,16 @@ github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa1
 github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s=
 github.com/mitchellh/go-ps v1.0.0 h1:i6ampVEEF4wQFF+bkYfwYgY+F/uYJDktmvLPf7qIgjc=
 github.com/mitchellh/go-ps v1.0.0/go.mod h1:J4lOc8z8yJs6vUwklHw2XEIiT4z4C40KtWVN3nvg8Pg=
-github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0=
-github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0=
 github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
 github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
-github.com/moby/go-archive v0.1.0 h1:Kk/5rdW/g+H8NHdJW2gsXyZ7UnzvJNOy6VKJqueWdcQ=
-github.com/moby/go-archive v0.1.0/go.mod h1:G9B+YoujNohJmrIYFBpSd54GTUB4lt9S+xVQvsJyFuo=
 github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk=
 github.com/moby/patternmatcher v0.6.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc=
-github.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw=
-github.com/moby/sys/atomicwriter v0.1.0/go.mod h1:Ul8oqv2ZMNHOceF643P6FKPXeCmYtlQMvpizfsSoaWs=
-github.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7zgvCU=
-github.com/moby/sys/sequential v0.6.0/go.mod h1:uyv8EUTrca5PnDsdMGXhZe6CCe8U/UiTWd+lL+7b/Ko=
-github.com/moby/sys/user v0.4.0 h1:jhcMKit7SA80hivmFJcbB1vqmw//wU61Zdui2eQXuMs=
-github.com/moby/sys/user v0.4.0/go.mod h1:bG+tYYYJgaMtRKgEmuueC0hJEAZWwtIbZTB+85uoHjs=
+github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5lXtc=
+github.com/moby/sys/sequential v0.5.0/go.mod h1:tH2cOOs5V9MlPiXcQzRC+eEyab644PWKGRYaaV5ZZlo=
+github.com/moby/sys/user v0.1.0 h1:WmZ93f5Ux6het5iituh9x2zAG7NFY9Aqi49jjE1PaQg=
+github.com/moby/sys/user v0.1.0/go.mod h1:fKJhFOnsCN6xZ5gSfbM6zaHGgDJMrqt9/reuj4T7MmU=
 github.com/moby/sys/userns v0.1.0 h1:tVLXkFOxVu9A64/yh59slHVv9ahO9UIev4JZusOLG/g=
 github.com/moby/sys/userns v0.1.0/go.mod h1:IHUYgu/kao6N8YZlp9Cf444ySSvCmDlmzUcYfDHOl28=
 github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
@@ -389,8 +373,8 @@ github.com/suzuki-shunsuke/pinact v1.6.0 h1:2QvSzREOquwLwKXhF9Hj0AInE/Rl63SZz9dK
 github.com/suzuki-shunsuke/pinact v1.6.0/go.mod h1:FDUMck0mmL0mcnNZ23Vjh/aOR5cIdZhF1IIpGksT4dQ=
 github.com/suzuki-shunsuke/urfave-cli-help-all v0.0.4 h1:YGHgrVjGTYHY98II6zijXUHP+OyvrzSCvd8m9iUcaK8=
 github.com/suzuki-shunsuke/urfave-cli-help-all v0.0.4/go.mod h1:sSi6xaUaHfaqu32ECLeyE7NTMv+ZM5dW0JikhllaalY=
-github.com/testcontainers/testcontainers-go v0.38.0 h1:d7uEapLcv2P8AvH8ahLqDMMxda2W9gQN1nRbHS28HBw=
-github.com/testcontainers/testcontainers-go v0.38.0/go.mod h1:C52c9MoHpWO+C4aqmgSU+hxlR5jlEayWtgYrb8Pzz1w=
+github.com/testcontainers/testcontainers-go v0.37.0 h1:L2Qc0vkTw2EHWQ08djon0D2uw7Z/PtHS/QzZZ5Ra/hg=
+github.com/testcontainers/testcontainers-go v0.37.0/go.mod h1:QPzbxZhQ6Bclip9igjLFj6z0hs01bU8lrl2dHQmgFGM=
 github.com/thlib/go-timezone-local v0.0.0-20210907160436-ef149e42d28e/go.mod h1:/Tnicc6m/lsJE0irFMA0LfIwTBo4QP7A8IfyIv4zZKI=
 github.com/tklauser/go-sysconf v0.3.12 h1:0QaGUFOdQaIVdPgfITYzaTegZvdCjmYO52cSFAEVmqU=
 github.com/tklauser/go-sysconf v0.3.12/go.mod h1:Ho14jnntGE1fpdOqQEEaiKRpvIavV0hSfmBq8nJbHYI=
@@ -411,8 +395,6 @@ github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9dec
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=
 github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
-github.com/zclconf/go-cty v1.16.3 h1:osr++gw2T61A8KVYHoQiFbFd1Lh3JOCXc/jFLJXKTxk=
-github.com/zclconf/go-cty v1.16.3/go.mod h1:VvMs5i0vgZdhYawQNq5kePSpLAoz8u1xvZgrPIxfnZE=
 gitlab.com/digitalxero/go-conventional-commit v1.0.7 h1:8/dO6WWG+98PMhlZowt/YjuiKhqhGlOCwlIV8SqqGh8=
 gitlab.com/digitalxero/go-conventional-commit v1.0.7/go.mod h1:05Xc2BFsSyC5tKhK0y+P3bs0AwUtNuTp+mTpbCU/DZ0=
 go.etcd.io/bbolt v1.4.2 h1:IrUHp260R8c+zYx/Tm8QZr04CX+qWS5PGfPdevhdm1I=
@@ -567,12 +549,12 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
-gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
+gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
+gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
 honnef.co/go/tools v0.6.1 h1:R094WgE8K4JirYjBaOpz/AvTyUu/3wbmAoskKN/pxTI=
 honnef.co/go/tools v0.6.1/go.mod h1:3puzxxljPCe8RGJX7BIy1plGbxEOZni5mR2aXe3/uk4=
-k8s.io/apimachinery v0.33.3 h1:4ZSrmNa0c/ZpZJhAgRdcsFcZOw1PQU1bALVQ0B3I5LA=
-k8s.io/apimachinery v0.33.3/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM=
+k8s.io/apimachinery v0.33.2 h1:IHFVhqg59mb8PJWTLi8m1mAoepkUNYmptHsV+Z1m5jY=
+k8s.io/apimachinery v0.33.2/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM=
 mvdan.cc/sh/v3 v3.11.0 h1:q5h+XMDRfUGUedCqFFsjoFjrhwf2Mvtt1rkMvVz0blw=
 mvdan.cc/sh/v3 v3.11.0/go.mod h1:LRM+1NjoYCzuq/WZ6y44x14YNAI0NK7FLPeQSaFagGg=
 pault.ag/go/debian v0.18.0 h1:nr0iiyOU5QlG1VPnhZLNhnCcHx58kukvBJp+dvaM6CQ=
--- a/internal/fingerprint/ja3n.go
+++ b/internal/fingerprint/ja3n.go
@@ -1,97 +0,0 @@
-package fingerprint
-
-import (
-	"crypto/md5"
-	"crypto/tls"
-	"encoding/hex"
-	"slices"
-	"strconv"
-)
-
-// TLSFingerprintJA3N represents a JA3N fingerprint
-type TLSFingerprintJA3N [md5.Size]byte
-
-func (f TLSFingerprintJA3N) String() string {
-	return hex.EncodeToString(f[:])
-}
-
-func buildJA3N(hello *tls.ClientHelloInfo, sortExtensions bool) TLSFingerprintJA3N {
-	buf := make([]byte, 0, 256)
-
-	{
-		var sslVersion uint16
-		var hasGrease bool
-		for _, v := range hello.SupportedVersions {
-			if v&greaseMask != greaseValue {
-				if v > sslVersion {
-					sslVersion = v
-				}
-			} else {
-				hasGrease = true
-			}
-		}
-
-		// maximum TLS 1.2 as specified on JA3, as TLS 1.3 is put in SupportedVersions
-		if slices.Contains(hello.Extensions, extensionSupportedVersions) && hasGrease && sslVersion > tls.VersionTLS12 {
-			sslVersion = tls.VersionTLS12
-		}
-
-		buf = strconv.AppendUint(buf, uint64(sslVersion), 10)
-		buf = append(buf, ',')
-	}
-
-	n := 0
-	for _, cipher := range hello.CipherSuites {
-		//if !slices.Contains(greaseValues[:], cipher) {
-		if cipher&greaseMask != greaseValue {
-			buf = strconv.AppendUint(buf, uint64(cipher), 10)
-			buf = append(buf, '-')
-			n = 1
-		}
-	}
-
-	buf = buf[:len(buf)-n]
-	buf = append(buf, ',')
-	n = 0
-
-	extensions := hello.Extensions
-	if sortExtensions {
-		extensions = slices.Clone(extensions)
-		slices.Sort(extensions)
-	}
-
-	for _, extension := range extensions {
-		if extension&greaseMask != greaseValue {
-			buf = strconv.AppendUint(buf, uint64(extension), 10)
-			buf = append(buf, '-')
-			n = 1
-		}
-	}
-
-	buf = buf[:len(buf)-n]
-	buf = append(buf, ',')
-	n = 0
-
-	for _, curve := range hello.SupportedCurves {
-		if curve&greaseMask != greaseValue {
-			buf = strconv.AppendUint(buf, uint64(curve), 10)
-			buf = append(buf, '-')
-			n = 1
-		}
-	}
-
-	buf = buf[:len(buf)-n]
-	buf = append(buf, ',')
-	n = 0
-
-	for _, point := range hello.SupportedPoints {
-		buf = strconv.AppendUint(buf, uint64(point), 10)
-		buf = append(buf, '-')
-		n = 1
-	}
-
-	buf = buf[:len(buf)-n]
-
-	sum := md5.Sum(buf)
-	return TLSFingerprintJA3N(sum[:])
-}
--- a/internal/fingerprint/ja4.go
+++ b/internal/fingerprint/ja4.go
@@ -1,176 +0,0 @@
-package fingerprint
-
-import (
-	"crypto/sha256"
-	"crypto/tls"
-	"encoding/hex"
-	"fmt"
-	"slices"
-	"strconv"
-	"strings"
-)
-
-// TLSFingerprintJA4 represents a JA4 fingerprint
-type TLSFingerprintJA4 struct {
-	A [10]byte
-	B [6]byte
-	C [6]byte
-}
-
-func (f *TLSFingerprintJA4) String() string {
-	if f == nil {
-		return ""
-	}
-
-	return strings.Join([]string{
-		string(f.A[:]),
-		hex.EncodeToString(f.B[:]),
-		hex.EncodeToString(f.C[:]),
-	}, "_")
-}
-
-func buildJA4(hello *tls.ClientHelloInfo) (ja4 TLSFingerprintJA4) {
-	buf := make([]byte, 0, 36)
-
-	hasQuic := false
-
-	for _, ext := range hello.Extensions {
-		if ext == extensionQUICTransportParameters {
-			hasQuic = true
-		}
-	}
-
-	switch hasQuic {
-	case true:
-		buf = append(buf, 'q')
-	case false:
-		buf = append(buf, 't')
-	}
-
-	{
-		var sslVersion uint16
-		for _, v := range hello.SupportedVersions {
-			if v&greaseMask != greaseValue {
-				if v > sslVersion {
-					sslVersion = v
-				}
-			}
-		}
-
-		switch sslVersion {
-		case tls.VersionTLS10:
-			buf = append(buf, '1', '0')
-		case tls.VersionTLS11:
-			buf = append(buf, '1', '1')
-		case tls.VersionTLS12:
-			buf = append(buf, '1', '2')
-		case tls.VersionTLS13:
-			buf = append(buf, '1', '3')
-		default:
-			sslVersion -= 0x0201
-			buf = strconv.AppendUint(buf, uint64(sslVersion>>8), 10)
-			buf = strconv.AppendUint(buf, uint64(sslVersion&0xff), 10)
-		}
-
-	}
-
-	if slices.Contains(hello.Extensions, extensionServerName) && hello.ServerName != "" {
-		buf = append(buf, 'd')
-	} else {
-		buf = append(buf, 'i')
-	}
-
-	ciphers := make([]uint16, 0, len(hello.CipherSuites))
-	for _, cipher := range hello.CipherSuites {
-		if cipher&greaseMask != greaseValue {
-			ciphers = append(ciphers, cipher)
-		}
-	}
-
-	extensionCount := 0
-	extensions := make([]uint16, 0, len(hello.Extensions))
-	for _, extension := range hello.Extensions {
-		if extension&greaseMask != greaseValue {
-			extensionCount++
-			if extension != extensionALPN && extension != extensionServerName {
-				extensions = append(extensions, extension)
-			}
-		}
-	}
-
-	schemes := make([]tls.SignatureScheme, 0, len(hello.SignatureSchemes))
-
-	for _, scheme := range hello.SignatureSchemes {
-		if scheme&greaseMask != greaseValue {
-			schemes = append(schemes, scheme)
-		}
-	}
-
-	//TODO: maybe little endian
-	slices.Sort(ciphers)
-	slices.Sort(extensions)
-	//slices.Sort(schemes)
-
-	if len(ciphers) < 10 {
-		buf = append(buf, '0')
-		buf = strconv.AppendUint(buf, uint64(len(ciphers)), 10)
-	} else if len(ciphers) > 99 {
-		buf = append(buf, '9', '9')
-	} else {
-		buf = strconv.AppendUint(buf, uint64(len(ciphers)), 10)
-	}
-
-	if extensionCount < 10 {
-		buf = append(buf, '0')
-		buf = strconv.AppendUint(buf, uint64(extensionCount), 10)
-	} else if extensionCount > 99 {
-		buf = append(buf, '9', '9')
-	} else {
-		buf = strconv.AppendUint(buf, uint64(extensionCount), 10)
-	}
-
-	if len(hello.SupportedProtos) > 0 && len(hello.SupportedProtos[0]) > 1 {
-		buf = append(buf, hello.SupportedProtos[0][0], hello.SupportedProtos[0][len(hello.SupportedProtos[0])-1])
-	} else {
-		buf = append(buf, '0', '0')
-	}
-
-	copy(ja4.A[:], buf)
-
-	ja4.B = ja4SHA256(uint16SliceToHex(ciphers))
-
-	extBuf := uint16SliceToHex(extensions)
-
-	if len(schemes) > 0 {
-		extBuf = append(extBuf, '_')
-		extBuf = append(extBuf, uint16SliceToHex(schemes)...)
-	}
-
-	ja4.C = ja4SHA256(extBuf)
-
-	return ja4
-}
-
-func uint16SliceToHex[T ~uint16](in []T) (out []byte) {
-	if len(in) == 0 {
-		return out
-	}
-	out = slices.Grow(out, hex.EncodedLen(len(in)*2)+len(in))
-
-	for _, n := range in {
-		out = append(out, fmt.Sprintf("%04x", uint16(n))...)
-		out = append(out, ',')
-	}
-	out = out[:len(out)-1]
-
-	return out
-}
-
-func ja4SHA256(buf []byte) [6]byte {
-	if len(buf) == 0 {
-		return [6]byte{0, 0, 0, 0, 0, 0}
-	}
-	sum := sha256.Sum256(buf)
-
-	return [6]byte(sum[:6])
-}
--- a/internal/fingerprint/tcp.go
+++ b/internal/fingerprint/tcp.go
@@ -1,46 +0,0 @@
-package fingerprint
-
-import (
-	"fmt"
-	"net/http"
-	"strings"
-)
-
-// JA4T represents a TCP fingerprint
-type JA4T struct {
-	Window      uint32
-	Options     []uint8
-	MSS         uint16
-	WindowScale uint8
-}
-
-func (j JA4T) String() string {
-	var sb strings.Builder
-
-	// Start with the window size
-	fmt.Fprintf(&sb, "%d", j.Window)
-
-	// Append each option
-	for i, opt := range j.Options {
-		if i == 0 {
-			fmt.Fprint(&sb, "_")
-		} else {
-			fmt.Fprint(&sb, "-")
-		}
-		fmt.Fprintf(&sb, "%d", opt)
-	}
-
-	// Append MSS and WindowScale
-	fmt.Fprintf(&sb, "_%d_%d", j.MSS, j.WindowScale)
-
-	return sb.String()
-}
-
-// GetTCPFingerprint extracts TCP fingerprint from HTTP request context
-func GetTCPFingerprint(r *http.Request) *JA4T {
-	ptr := r.Context().Value(tcpFingerprintKey{})
-	if fpPtr, ok := ptr.(*JA4T); ok && ptr != nil && fpPtr != nil {
-		return fpPtr
-	}
-	return nil
-}
--- a/internal/fingerprint/tcp_freebsd.go
+++ b/internal/fingerprint/tcp_freebsd.go
@@ -1,106 +0,0 @@
-//go:build freebsd
-
-package fingerprint
-
-import (
-	"fmt"
-	"net"
-	"syscall"
-	"unsafe"
-)
-
-type tcpInfo struct {
-	State          uint8
-	Options        uint8
-	SndScale       uint8
-	RcvScale       uint8
-	__pad          [4]byte
-	Rto            uint32
-	Ato            uint32
-	SndMss         uint32
-	RcvMss         uint32
-	Unacked        uint32
-	Sacked         uint32
-	Lost           uint32
-	Retrans        uint32
-	Fackets        uint32
-	Last_data_sent uint32
-	Last_ack_sent  uint32
-	Last_data_recv uint32
-	Last_ack_recv  uint32
-	Pmtu           uint32
-	Rcv_ssthresh   uint32
-	RTT            uint32
-	RTTvar         uint32
-	Snd_ssthresh   uint32
-	Snd_cwnd       uint32
-	Advmss         uint32
-	Reordering     uint32
-	Rcv_rtt        uint32
-	Rcv_space      uint32
-	Total_retrans  uint32
-	Snd_wnd        uint32
-	// Truncated for brevity — add more fields if needed
-}
-
-// AssignTCPFingerprint extracts TCP fingerprint information from a connection
-func AssignTCPFingerprint(conn net.Conn) (*JA4T, error) {
-	tcpConn, ok := conn.(*net.TCPConn)
-	if !ok {
-		return nil, fmt.Errorf("not a TCPConn")
-	}
-
-	rawConn, err := tcpConn.SyscallConn()
-	if err != nil {
-		return nil, fmt.Errorf("SyscallConn failed: %w", err)
-	}
-
-	var info tcpInfo
-	var sysErr error
-
-	err = rawConn.Control(func(fd uintptr) {
-		size := uint32(unsafe.Sizeof(info))
-		_, _, errno := syscall.Syscall6(
-			syscall.SYS_GETSOCKOPT,
-			fd,
-			uintptr(syscall.IPPROTO_TCP),
-			uintptr(syscall.TCP_INFO),
-			uintptr(unsafe.Pointer(&info)),
-			uintptr(unsafe.Pointer(&size)),
-			0,
-		)
-		if errno != 0 {
-			sysErr = errno
-		}
-	})
-	if err != nil {
-		return nil, fmt.Errorf("SyscallConn.Control: %w", err)
-	}
-	if sysErr != nil {
-		return nil, fmt.Errorf("getsockopt TCP_INFO: %w", sysErr)
-	}
-
-	fp := &JA4T{
-		Window:      info.Snd_wnd,
-		MSS:         uint16(info.SndMss),
-		WindowScale: info.SndScale,
-	}
-
-	const (
-		TCPI_OPT_TIMESTAMPS = 1 << 0
-		TCPI_OPT_SACK       = 1 << 1
-		TCPI_OPT_WSCALE     = 1 << 2
-	)
-
-	if info.Options&TCPI_OPT_SACK != 0 {
-		fp.Options = append(fp.Options, 4, 1)
-	}
-	if info.Options&TCPI_OPT_TIMESTAMPS != 0 {
-		fp.Options = append(fp.Options, 8, 1)
-	}
-	if info.Options&TCPI_OPT_WSCALE != 0 {
-		fp.Options = append(fp.Options, 3)
-	}
-
-	return fp, nil
-}
--- a/internal/fingerprint/tcp_linux.go
+++ b/internal/fingerprint/tcp_linux.go
@@ -1,132 +0,0 @@
-//go:build linux
-
-package fingerprint
-
-import (
-	"fmt"
-	"net"
-	"syscall"
-	"unsafe"
-)
-
-type tcpInfo struct {
-	State                     uint8
-	Ca_state                  uint8
-	Retransmits               uint8
-	Probes                    uint8
-	Backoff                   uint8
-	Options                   uint8
-	Wnd_scale                 uint8
-	Delivery_rate_app_limited uint8
-
-	Rto    uint32
-	Ato    uint32
-	SndMss uint32
-	RcvMss uint32
-
-	Unacked uint32
-	Sacked  uint32
-	Lost    uint32
-	Retrans uint32
-	Fackets uint32
-
-	Last_data_sent  uint32
-	Last_ack_sent   uint32
-	Last_data_recv  uint32
-	Last_ack_recv   uint32
-	PMTU            uint32
-	Rcv_ssthresh    uint32
-	RTT             uint32
-	RTTvar          uint32
-	Snd_ssthresh    uint32
-	Snd_cwnd        uint32
-	Advmss          uint32
-	Reordering      uint32
-	Rcv_rtt         uint32
-	Rcv_space       uint32
-	Total_retrans   uint32
-	Pacing_rate     uint64
-	Max_pacing_rate uint64
-	Bytes_acked     uint64
-	Bytes_received  uint64
-	Segs_out        uint32
-	Segs_in         uint32
-	Notsent_bytes   uint32
-	Min_rtt         uint32
-	Data_segs_in    uint32
-	Data_segs_out   uint32
-	Delivery_rate   uint64
-	Busy_time       uint64
-	Rwnd_limited    uint64
-	Sndbuf_limited  uint64
-	Delivered       uint32
-	Delivered_ce    uint32
-	Bytes_sent      uint64
-	Bytes_retrans   uint64
-	DSACK_dups      uint32
-	Reord_seen      uint32
-	Rcv_ooopack     uint32
-	Snd_wnd         uint32
-}
-
-// AssignTCPFingerprint extracts TCP fingerprint information from a connection
-func AssignTCPFingerprint(conn net.Conn) (*JA4T, error) {
-	tcpConn, ok := conn.(*net.TCPConn)
-	if !ok {
-		return nil, fmt.Errorf("not a TCPConn")
-	}
-
-	rawConn, err := tcpConn.SyscallConn()
-	if err != nil {
-		return nil, fmt.Errorf("SyscallConn failed: %w", err)
-	}
-
-	var info tcpInfo
-	var sysErr error
-
-	err = rawConn.Control(func(fd uintptr) {
-		size := uint32(unsafe.Sizeof(info))
-		_, _, errno := syscall.Syscall6(
-			syscall.SYS_GETSOCKOPT,
-			fd,
-			uintptr(syscall.IPPROTO_TCP),
-			uintptr(syscall.TCP_INFO),
-			uintptr(unsafe.Pointer(&info)),
-			uintptr(unsafe.Pointer(&size)),
-			0,
-		)
-		if errno != 0 {
-			sysErr = errno
-		}
-	})
-	if err != nil {
-		return nil, fmt.Errorf("SyscallConn.Control: %w", err)
-	}
-	if sysErr != nil {
-		return nil, fmt.Errorf("getsockopt TCP_INFO: %w", sysErr)
-	}
-
-	fp := &JA4T{
-		Window: info.Snd_wnd,
-		MSS:    uint16(info.SndMss),
-	}
-
-	const (
-		TCPI_OPT_TIMESTAMPS = 1 << 0
-		TCPI_OPT_SACK       = 1 << 1
-		TCPI_OPT_WSCALE     = 1 << 2
-	)
-
-	if info.Options&TCPI_OPT_SACK != 0 {
-		fp.Options = append(fp.Options, 4, 1)
-	}
-	if info.Options&TCPI_OPT_TIMESTAMPS != 0 {
-		fp.Options = append(fp.Options, 8, 1)
-	}
-	if info.Options&TCPI_OPT_WSCALE != 0 {
-		fp.Options = append(fp.Options, 3)
-		fp.WindowScale = info.Wnd_scale
-	}
-
-	return fp, nil
-}
--- a/internal/fingerprint/tcp_unsupported.go
+++ b/internal/fingerprint/tcp_unsupported.go
@@ -1,11 +0,0 @@
-//go:build !linux && !freebsd
-
-package fingerprint
-
-import "net"
-
-// AssignTCPFingerprint is not supported on this platform
-func AssignTCPFingerprint(conn net.Conn) (*JA4T, error) {
-	// Not supported on macOS and other platforms
-	return &JA4T{}, nil
-}
--- a/internal/fingerprint/tls.go
+++ b/internal/fingerprint/tls.go
@@ -1,110 +0,0 @@
-package fingerprint
-
-import (
-	"context"
-	"crypto/tls"
-	"log/slog"
-	"net"
-	"net/http"
-	"sync/atomic"
-)
-
-// ApplyTLSFingerprinter configures a TLS server to capture TLS fingerprints
-func ApplyTLSFingerprinter(server *http.Server) {
-	if server.TLSConfig == nil {
-		return
-	}
-	server.TLSConfig = server.TLSConfig.Clone()
-
-	getConfigForClient := server.TLSConfig.GetConfigForClient
-
-	if getConfigForClient == nil {
-		getConfigForClient = func(info *tls.ClientHelloInfo) (*tls.Config, error) {
-			return nil, nil
-		}
-	}
-
-	server.TLSConfig.GetConfigForClient = func(clientHello *tls.ClientHelloInfo) (*tls.Config, error) {
-		ja3n, ja4 := buildTLSFingerprint(clientHello)
-		ptr := clientHello.Context().Value(tlsFingerprintKey{})
-		if fpPtr, ok := ptr.(*TLSFingerprint); ok && ptr != nil && fpPtr != nil {
-			fpPtr.ja3n.Store(&ja3n)
-			fpPtr.ja4.Store(&ja4)
-		}
-		return getConfigForClient(clientHello)
-	}
-	server.ConnContext = func(ctx context.Context, c net.Conn) context.Context {
-		ctx = context.WithValue(ctx, tlsFingerprintKey{}, &TLSFingerprint{})
-
-		if tc, ok := c.(*tls.Conn); ok {
-			tcpFP, err := AssignTCPFingerprint(tc.NetConn())
-			if err == nil {
-				ctx = context.WithValue(ctx, tcpFingerprintKey{}, tcpFP)
-			} else {
-				slog.Debug("ja4t error", "err", err)
-			}
-		}
-
-		return ctx
-	}
-}
-
-type tcpFingerprintKey struct{}
-type tlsFingerprintKey struct{}
-
-// TLSFingerprint represents TLS fingerprint data
-type TLSFingerprint struct {
-	ja3n atomic.Pointer[TLSFingerprintJA3N]
-	ja4  atomic.Pointer[TLSFingerprintJA4]
-}
-
-// JA3N returns the JA3N fingerprint
-func (f *TLSFingerprint) JA3N() *TLSFingerprintJA3N {
-	return f.ja3n.Load()
-}
-
-// JA4 returns the JA4 fingerprint
-func (f *TLSFingerprint) JA4() *TLSFingerprintJA4 {
-	return f.ja4.Load()
-}
-
-const greaseMask = 0x0F0F
-const greaseValue = 0x0a0a
-
-// TLS extension numbers
-const (
-	extensionServerName              uint16 = 0
-	extensionStatusRequest           uint16 = 5
-	extensionSupportedCurves         uint16 = 10 // supported_groups in TLS 1.3, see RFC 8446, Section 4.2.7
-	extensionSupportedPoints         uint16 = 11
-	extensionSignatureAlgorithms     uint16 = 13
-	extensionALPN                    uint16 = 16
-	extensionSCT                     uint16 = 18
-	extensionExtendedMasterSecret    uint16 = 23
-	extensionSessionTicket           uint16 = 35
-	extensionPreSharedKey            uint16 = 41
-	extensionEarlyData               uint16 = 42
-	extensionSupportedVersions       uint16 = 43
-	extensionCookie                  uint16 = 44
-	extensionPSKModes                uint16 = 45
-	extensionCertificateAuthorities  uint16 = 47
-	extensionSignatureAlgorithmsCert uint16 = 50
-	extensionKeyShare                uint16 = 51
-	extensionQUICTransportParameters uint16 = 57
-	extensionRenegotiationInfo       uint16 = 0xff01
-	extensionECHOuterExtensions      uint16 = 0xfd00
-	extensionEncryptedClientHello    uint16 = 0xfe0d
-)
-
-func buildTLSFingerprint(hello *tls.ClientHelloInfo) (TLSFingerprintJA3N, TLSFingerprintJA4) {
-	return TLSFingerprintJA3N(buildJA3N(hello, true)), buildJA4(hello)
-}
-
-// GetTLSFingerprint extracts TLS fingerprint from HTTP request context
-func GetTLSFingerprint(r *http.Request) *TLSFingerprint {
-	ptr := r.Context().Value(tlsFingerprintKey{})
-	if fpPtr, ok := ptr.(*TLSFingerprint); ok && ptr != nil && fpPtr != nil {
-		return fpPtr
-	}
-	return nil
-}
--- a/lib/anubis.go
+++ b/lib/anubis.go
@@ -102,6 +102,10 @@ func (s *Server) challengeFor(r *http.Request) (*challenge.Challenge, error) {
 	ckie := ckies[0]
 	chall, err := j.Get(r.Context(), "challenge:"+ckie.Value)
 	if err != nil {
+		if errors.Is(err, store.ErrNotFound) {
+			return s.issueChallenge(r.Context(), r)
+		}
+
 		return nil, err
 	}

--- a/lib/anubis_test.go
+++ b/lib/anubis_test.go
@@ -3,6 +3,7 @@ package lib
 import (
 	"encoding/json"
 	"fmt"
+	"io"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
@@ -736,3 +737,67 @@ func TestStripBasePrefixFromRequest(t *testing.T) {
 		})
 	}
 }
+
+// TestChallengeFor_ErrNotFound makes sure that users with invalid challenge IDs
+// in the test cookie don't get rejected by the database lookup failing.
+func TestChallengeFor_ErrNotFound(t *testing.T) {
+	pol := loadPolicies(t, "testdata/aggressive_403.yaml", 0)
+	ckieExpiration := 10 * time.Minute
+	const wrongCookie = "wrong cookie"
+
+	srv := spawnAnubis(t, Options{
+		Next:   http.NewServeMux(),
+		Policy: pol,
+
+		CookieDomain:     "127.0.0.1",
+		CookieExpiration: ckieExpiration,
+	})
+
+	req := httptest.NewRequest("GET", "http://example.com/", nil)
+	req.Header.Set("X-Real-IP", "127.0.0.1")
+	req.Header.Set("User-Agent", "CHALLENGE")
+	req.AddCookie(&http.Cookie{Name: anubis.TestCookieName, Value: wrongCookie})
+
+	w := httptest.NewRecorder()
+	srv.maybeReverseProxyOrPage(w, req)
+
+	resp := w.Result()
+	defer resp.Body.Close()
+
+	body := new(strings.Builder)
+	_, err := io.Copy(body, resp.Body)
+	if err != nil {
+		t.Fatalf("reading body should not fail: %v", err)
+	}
+
+	t.Run("make sure challenge page is issued", func(t *testing.T) {
+		if !strings.Contains(body.String(), "anubis_challenge") {
+			t.Error("should get a challenge page")
+		}
+
+		if resp.StatusCode != http.StatusUnauthorized {
+			t.Errorf("should get a 401 Unauthorized, got: %d", resp.StatusCode)
+		}
+	})
+
+	t.Run("make sure that the body is not an error page", func(t *testing.T) {
+		if strings.Contains(body.String(), "reject.webp") {
+			t.Error("should not get an internal server error")
+		}
+	})
+
+	t.Run("make sure new test cookie is issued", func(t *testing.T) {
+		found := false
+		for _, cookie := range resp.Cookies() {
+			if cookie.Name == anubis.TestCookieName {
+				if cookie.Value == wrongCookie {
+					t.Error("a new challenge cookie should be issued")
+				}
+				found = true
+			}
+		}
+		if !found {
+			t.Error("a new test cookie should be set")
+		}
+	})
+}
--- a/lib/localization/locales/fi.json
+++ b/lib/localization/locales/fi.json
@@ -0,0 +1,64 @@
+{
+  "loading": "Ladataan...",
+  "why_am_i_seeing": "Miksi näen tämän?",
+  "protected_by": "Suojan tarjoaa",
+  "protected_from": "tekijänä",
+  "made_with": "❤️ tehty 🇨🇦:ssa",
+  "mascot_design": "Maskotin suunnitellut",
+  "ai_companies_explanation": "Sivustolla on käytössä Anubis. Anubis estää robotteja lataamasta sivustoa ylettömästi. Tämä voi aiheuttaa palvelimen ylikuormituksen, joka estää ketään pääsemästä sivustolle.",
+  "anubis_compromise": "Anubis on kompromissi. Anubis käyttää roskapostin vähentämiseen ehdotettua, Hashcash-järjestelmän mukaista työnnäytettä. Yksittäiselle käyttäjälle kuormitus on mitätön, mutta kasvattaa sivuston ylettömän lataamisen kuluja huomattavasti.",
+  "hack_purpose": "Tämä on \"riittävän hyvä\" väliaikainen ratkaisu, joka antaa aikaa tunnistaa robotit, ettei työnnäyte sivua tarvitsisi näyttää todellisille käyttäjille.",
+  "jshelter_note": "Anubis tarvitsee toimiakseen JavaScript-ominaisuuksia, jotka liitännäiset kuten jShelter estää. Otathan tällaiset liitännäiset pois käytöstä tälle verkkotunnukselle.",
+  "version_info": "Sivusto käyttää Anubis versiota",
+  "try_again": "Yritä uudelleen",
+  "go_home": "Poistu",
+  "contact_webmaster": "tai jos uskot ettei sinua tulisi estää, ota yhteyttä ylläpitäjään",
+  "connection_security": "Odota hetki. Varmistamme yhteytesi tietoturvan.",
+  "javascript_required": "Valitettavasti JavaScript on oltava käytössä tämän haasteen suorittamiseksi. Vaihtoehtoinen ratkaisu on työn alla.",
+  "benchmark_requires_js": "JavaScript on oltava käytössä suorituskykytestin ajamiseksi.",
+  "difficulty": "Vaikeus:",
+  "algorithm": "Kaava:",
+  "compare": "Vertailu:",
+  "time": "Aika",
+  "iters": "Toisto",
+  "time_a": "Aika A",
+  "iters_a": "Toisto A",
+  "time_b": "Aika B",
+  "iters_b": "Toisto B",
+  "static_check_endpoint": "Tämä päätepiste on käyttämääsi käänteistä välityspalvelinta varten.",
+  "authorization_required": "Valtuutus vaadittu",
+  "cookies_disabled": "Selaimesi estää evästeet. Anubis tarvitsee evästeitä varmistaakseen, että olet todellinen käyttäjä. Otathan evästeet käyttöön tälle verkkotunnukselle",
+  "access_denied": "Pääsy estetty: virhekoodi",
+  "dronebl_entry": "DroneBL ilmoitti merkinnän",
+  "see_dronebl_lookup": "katso",
+  "internal_server_error": "Palvelinvirhe: Anubis on väärin määritetty. Pyydä ylläpitäjää tarkistamaan lokit",
+  "invalid_redirect": "Virheellinen pyyntö",
+  "redirect_not_parseable": "Uudellenohjauksen URL ei voitu jäsentää",
+  "redirect_domain_not_allowed": "Uudelleenohjauksen verkkotunnus ei ole sallittu",
+  "failed_to_sign_jwt": "JWT ei voitu allekirjoittaa",
+  "invalid_invocation": "Virheellinen MakeChallenge-kaava",
+  "client_error_browser": "Käyttäjävirhe: Varmista ettei selaimesi ole vanhentunut ja yritä uudelleen.",
+  "oh_noes": "Voi ei!",
+  "benchmarking_anubis": "Testataan Anubis!",
+  "you_are_not_a_bot": "Et ole robotti!",
+  "making_sure_not_bot": "Varmistetaan ettet ole robotti!",
+  "celphase": "CELPHASE",
+  "js_web_crypto_error": "Selaimesi web.crypto elementti ei toimi. Onko yhteytesi suojattu?",
+  "js_web_workers_error": "Selaimesi ei tue Web Workers ominaisuutta. Anubis käyttää tätä estääkseen selaimesi lukkiutumisen. Onko sinulla liitännäinen, kuten jShelter käytössä?",
+  "js_cookies_error": "Selaimesi ei tallenna evästeitä. Anubis tallentaa allekirjoitetun merkinnän evästeeseen, tunnistaakseen haasteen läpäisseet käyttäjät. Sallithan evästeiden tallentamisen tälle verkkotunnukselle. Tallennettujen evästeiden nimet voivat vaihdella. Evästeiden nimet ja arvot eivät ole osa julkista rajapintaa.",
+  "js_context_not_secure": "Yhteytesi ei ole suojattu!",
+  "js_context_not_secure_msg": "Yhdistä käyttäen HTTPS tai pyydä ylläpitäjää määrittämään HTTPS. Saadaksesi lisätietoja, katso <a href=\"https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts#when_is_a_context_considered_secure\">MDN</a>.",
+  "js_calculating": "Lasketaan...",
+  "js_missing_feature": "Puuttuva ominaisuus",
+  "js_challenge_error": "Haastevirhe!",
+  "js_challenge_error_msg": "Tarkistuskaavaa ei voitu ratkaista. Voit yrittää ladata sivua uudelleen.",
+  "js_calculating_difficulty": "Lasketaan...<br/>Vaikeus:",
+  "js_speed": "Nopeus:",
+  "js_verification_longer": "Vahvistus kestää odotettua pitempään. Ethän lataa sivua uudelleen.",
+  "js_success": "Onnistui!",
+  "js_done_took": "Valmis! Kesti",
+  "js_iterations": "toistot",
+  "js_finished_reading": "Luettu, jatka →",
+  "js_calculation_error": "Laskentavirhe!",
+  "js_calculation_error_msg": "Haasteen laskenta ei onnistunut:"
+}
--- a/lib/localization/locales/fil.json
+++ b/lib/localization/locales/fil.json
@@ -45,8 +45,7 @@
  "celphase": "CELPHASE",
  "js_web_crypto_error": "Ang iyong browser ay walang gumaganang web.crypto element. Tinitingnan mo ba ito sa isang secure na konteksto?",
  "js_web_workers_error": "Hindi sinusuportahan ng iyong browser ang mga web worker (ginagamit ito ng Anubis upang maiwasan ang pag-freeze ng iyong browser). Mayroon ka bang naka-install na plugin tulad ng JShelter?",
-  "js_cookies_error": "Your browser doesn't store cookies. Anubis uses cookies to determine which clients have passed challenges by storing a signed token in a cookie. Please enable storing cookies for this domain. The names of the cookies Anubis stores may vary w",
-  "js_cookies_error": "Ang iyong browser ay hindi nag-iimbak ng cookies. Gumagamit ang Anubis ng cookies upang matukoy kung aling mga kliyente ang nakapasa sa mga hamon sa pamamagitan ng pag-iimbak ng isang nilagdaang token sa isang cookie. Mangyaring paganahin ang pag-iimbak ng cookies para sa domain na ito. Ang mga pangalan ng cookies na Anubis store ay maaaring mag-iba nang walang abiso. Ang mga pangalan at value ng cookie ay hindi bahagi ng pampublikong API.",
+  "js_cookies_error": "Ang iyong browser ay hindi nag-iimbak ng cookies. Gumagamit ang Anubis ng cookies upang matukoy kung aling mga kliyente ang nakapasa sa mga hamon sa pamamagitan ng pag-iimbak ng isang nilagdaang token sa isang cookie. Mangyaring paganahin ang pag-iimbak ng cookies para sa domain na ito. Ang mga pangalan ng cookies na iniimbak ng Anubis ay maaaring mag-iba nang walang abiso. Ang mga pangalan at value ng cookie ay hindi bahagi ng pampublikong API.",
  "js_context_not_secure": "Hindi secure ang iyong konteksto!",
  "js_context_not_secure_msg": "Subukang kumonekta sa pamamagitan ng HTTPS o sabihin sa admin na i-set up ang HTTPS. Para sa karagdagang impormasyon, tignan ang <a href=\"https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts#when_is_a_context_considered_secure\">MDN</a>.",
  "js_calculating": "Kinakalkula...",
--- a/lib/localization/locales/manifest.json
+++ b/lib/localization/locales/manifest.json
@@ -5,12 +5,16 @@
    "en",
    "es",
    "et",
+    "fi",
    "fil",
    "fr",
    "is",
    "it",
    "ja",
+    "nb",
+    "nn",
    "pt-BR",
+    "ru",
    "tr",
    "zh-CN",
    "zh-TW"
--- a/lib/localization/locales/nb.json
+++ b/lib/localization/locales/nb.json
@@ -0,0 +1,64 @@
+{
+  "loading": "Laster inn...",
+  "why_am_i_seeing": "Hvorfor ser jeg dette?",
+  "protected_by": "Beskyttet av",
+  "protected_from": "Fra",
+  "made_with": "Laget med ❤️ i 🇨🇦",
+  "mascot_design": "Maskotdesign av",
+  "ai_companies_explanation": "Du ser dette fordi administratoren av dette nettstedet har satt opp Anubis for å beskytte sørveren mot plagen av KI-selskaper som aggressivt skraper nettsteder. Dette kan, og fortsetter med å, forårsake driftstans for nettstedene, som gjør ressursene deres utilgjengelige for alle.",
+  "anubis_compromise": "Anubis er et kompromiss. Anubis bruker et «Proof-of-Work»-skjema som ligner på Hashcash, et lignende skjema for å redusere søppel-e-post. Idéen er at ved småstilte tilfeller er den ytterligere belastningen ignorerbar, men ved storstilt skraping samler den på seg fart og gjør det å skrape mye mer dyrt.",
+  "hack_purpose": "Til syvende og sist er dette en hack som har som formål å gi en «god nok» plassholderløsning slik at mer tid kan brukes på å fingeravtrykke og gjenkjenne hodeløse nettlesere (f.eks. hvordan de gjengir skrifttyper) slik at utfordringssiden ikke må bli vist til brukere som er mer sannsynligvis ekte.",
+  "jshelter_note": "NB: Anubis krever bruk av moderne JavaScript-funksjoner som tillegg som JShelter slår av. Vennligst slå av JShelter eller lignende tillegg for dette domenet.",
+  "version_info": "Dette nettstedet kjører Anubis-utgave",
+  "try_again": "Prøv igjen",
+  "go_home": "Gå hjem",
+  "contact_webmaster": "eller om du synes at du ikke burde være blokkert, vennligst ta kontakt med administratoren på",
+  "connection_security": "Vennligst vent mens vi bekrefter tryggheten av tilkoblingen din.",
+  "javascript_required": "Du må dessverre slå på JavaScript for å komme deg forbi denne utfordringen. Dette kreves fordi KI-selskaper har endret sosialkontrakten om hvordan nettstedsverting fungerer. En ikke-JS-løsning er i gang med å skapes.",
+  "benchmark_requires_js": "JavaScript må være påslått for å kjøre sammenligningsverktøyet.",
+  "difficulty": "Vanskelighetsnivå:",
+  "algorithm": "Algoritme:",
+  "compare": "Jevnfør:",
+  "time": "Tid",
+  "iters": "Gjentakelser",
+  "time_a": "Tid A",
+  "iters_a": "Gjentakelser A",
+  "time_b": "Tid B",
+  "iters_b": "Gjentakelser B",
+  "static_check_endpoint": "Dette er bare et sjekkeendepunkt for din omvendte proxy å bruke.",
+  "authorization_required": "Legitimasjon kreves",
+  "cookies_disabled": "Nettleseren din er konfigurert for å avslå informasjonskapsler. Anubis krever informasjonskapsler for å bekrefte at du er en ekte bruker. Vennligst slå på informasjonskapsler på dette domenet.",
+  "access_denied": "Adgang nektet: feilkode",
+  "dronebl_entry": "DroneBL rapporterte em oppføring.",
+  "see_dronebl_lookup": "se",
+  "internal_server_error": "Intern serverfeil: administratoren har feilkonfigurert Anubis. Vennligst ta kontakt med hen og spør hen om å se gjennom loggene om",
+  "invalid_redirect": "Ugyldig omdirigering",
+  "redirect_not_parseable": "Omdirigerings-URL-en kunne ikkj tolkes",
+  "redirect_domain_not_allowed": "Omdirigeringsdomenet er ikke tillatt",
+  "failed_to_sign_jwt": "mislyktes i å signere JWT",
+  "invalid_invocation": "Ugyldig fremkalling av MakeChallenge",
+  "client_error_browser": "Klientfeil: Vennligst sørg for at at nettleseren din er oppdatert og prøv igjen senere.",
+  "oh_noes": "Å nei!",
+  "benchmarking_anubis": "Sammenligner Anubis!",
+  "you_are_not_a_bot": "Du er ikke en bot!",
+  "making_sure_not_bot": "Bekrefter at du ikke er en bot!",
+  "celphase": "CELPHASE",
+  "js_web_crypto_error": "Nettleseren din har ikke et fungerande web.crypto-element. Ser du dette med ei sikker tilkopling?",
+  "js_web_workers_error": "Nettleseren din støtter ikke nettarbeidere (Anubis bruker dette for å unngå å fryse nettleseren din). Har du et tillegg som JShelter installert?",
+  "js_cookies_error": "Nettleseren lagrer ikke informasjonskapsler. Anubis bruker informasjonskapsler for å avgjøre hvilke klienter har lyktes i utfordringen ved å lagre en signert token i en informasjonskapsel. Vennligst slå på informasjonskapsler på dette domenet. Navnene på informasjonskapslene Anubis lagrer, kan variere uten varsel. Informasjonskapselnavn og -verdier er ikke en del av det offentlege API-et.",
+  "js_context_not_secure": "Du bruker ikke en sikker tilkobling!",
+  "js_context_not_secure_msg": "Prøv å koble til over HTTPS eller fortell administratoren å opprette HTTPS. Se <a hreflang=\"en\" href=\"https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts#when_is_a_context_considered_secure\">MDN</a> for mer informasjon.",
+  "js_calculating": "Beregner…",
+  "js_missing_feature": "Mangler funksjon",
+  "js_challenge_error": "Utfordringsfeil!",
+  "js_challenge_error_msg": "Mislyktes i å tolke sjekkalgoritmen. Du burde laste inn denne siden på nytt.",
+  "js_calculating_difficulty": "Beregner…<br/>Vanskelighetsnivå:",
+  "js_speed": "Hastighet:",
+  "js_verification_longer": "Verifisering tar lengre enn forventet. Vennligst ikke last inn denne siden på nytt.",
+  "js_success": "Vellykket!",
+  "js_done_took": "Ferdig! Tok",
+  "js_iterations": "gjentakelser",
+  "js_finished_reading": "Jeg har sluttet å lese, fortsett →",
+  "js_calculation_error": "Beregningsfeil!",
+  "js_calculation_error_msg": "Mislyktes i å beregne utfordring:"
+}
--- a/lib/localization/locales/nn.json
+++ b/lib/localization/locales/nn.json
@@ -0,0 +1,64 @@
+{
+  "loading": "Lastar inn...",
+  "why_am_i_seeing": "Kvifor ser eg dette?",
+  "protected_by": "Verna av",
+  "protected_from": "Frå",
+  "made_with": "Laga med ❤️ i 🇨🇦",
+  "mascot_design": "Maskotdesign av",
+  "ai_companies_explanation": "Du ser dette av di administratoren av denne nettstaden har sett opp Anubis for å verne sørvaren mot plaga av KI-selskap som aggressivt skrapar nettstader. Dette kan, og held frem med å, forårsake driftstans for nettstadene, som gjer ressursane deira utilgjengelege for alle.",
+  "anubis_compromise": "Anubis er eit kompromiss. Anubis brukar eit «Proof-of-Work»-skjema som liknar på Hashcash, eit liknande skjema for å redusere søppel-e-post. Idéen er at ved småstilte tilfelle er den ytterlegare lastinga ignorerbar, men ved storstilt skraping samlar ho på seg fart og gjer det å skrapa mykje meir dyrt.",
+  "hack_purpose": "Til sjuande og sist er dette ein hack som har som formål å gje ei «god nok» plasshaldarløysing slik at meir tid kan brukast på å fingeravtrykkje og attkjenne hovudlause nettlesarar (f.eks. korleis dei attgjev skrifttypar) slik at utfordringssida ikkje må verte synt til brukarar som er meir sannsynlegvis ekte.",
+  "jshelter_note": "NB: Anubis krev bruk av moderne JavaScript-funksjonar som tillegg som JShelter slår av. Venlegast slå av JShelter eller liknande tillegg for dette domenet.",
+  "version_info": "Denne nettstaden køyrer Anubis-utgåve",
+  "try_again": "Prøv att",
+  "go_home": "Gå heim",
+  "contact_webmaster": "eller om du synest at du ikkje burde vera blokkert, venlegast tak kontakt med administratoren på",
+  "connection_security": "Venlegast vent medan vi stadfestar tryggleiken av tilkoplinga di.",
+  "javascript_required": "Du lyt diverre slå på JavaScript for å koma deg forbi denne utfordringa. Dette krevst av di KI-selskap har endra sosialkontrakten om korleis nettstadsverting fungerer. Ei ikkje-JS-løysing er i gang med å skapast.",
+  "benchmark_requires_js": "JavaScript må vera slegen på for å køyre samanlikningsverktøyet.",
+  "difficulty": "Vanskenivå:",
+  "algorithm": "Algoritme:",
+  "compare": "Jamfør:",
+  "time": "Tid",
+  "iters": "Oppattakingar",
+  "time_a": "Tid A",
+  "iters_a": "Oppattakingar A",
+  "time_b": "Tid B",
+  "iters_b": "Oppattakingar B",
+  "static_check_endpoint": "Dette er berre eit sjekkeendepunkt for din omvende proxy å bruke.",
+  "authorization_required": "Legitimasjon krevst",
+  "cookies_disabled": "Nettlesaren din er konfigurert for å avslå informasjonskapslar. Anubis krev informasjonskapslar for å stadfeste at du er ein ekte brukar. Venlegast slå på informasjonskapslar på dette domenet.",
+  "access_denied": "Tilgang nekta: feilkode",
+  "dronebl_entry": "DroneBL rapporterte ei oppføring.",
+  "see_dronebl_lookup": "sjå",
+  "internal_server_error": "Intern serverfeil: administratoren har feilkonfigurert Anubis. Venlegast tak kontakt med hen og spør hen om å sjå gjennom loggane om",
+  "invalid_redirect": "Ugyldig omdirigering",
+  "redirect_not_parseable": "Omdirigerings-URL-en kunne ikkje tolkast",
+  "redirect_domain_not_allowed": "Omdirigeringsdomenet er ikkje tillate",
+  "failed_to_sign_jwt": "mislukkast i å signere JWT",
+  "invalid_invocation": "Ugyldig framkalling av MakeChallenge",
+  "client_error_browser": "Klientfeil: Venlegast stadfest at nettlesaren din er oppdatert og prøv att seinare.",
+  "oh_noes": "Å nei!",
+  "benchmarking_anubis": "Samanliknar Anubis!",
+  "you_are_not_a_bot": "Du er ikkje ein bot!",
+  "making_sure_not_bot": "Stadfestar at du ikkje er ein bot!",
+  "celphase": "CELPHASE",
+  "js_web_crypto_error": "Nettlesaren din har ikkje eit fungerande web.crypto-element. Ser du dette med ei sikker tilkopling?",
+  "js_web_workers_error": "Nettlesaren din støttar ikkje nettarbeidarar (Anubis brukar dette for å unngå å fryse nettlesaren din). Har du eit tillegg som JShelter installert?",
+  "js_cookies_error": "Nettlesaren lagrar ikkje informasjonskapslar. Anubis brukar informasjonskapslar for å avgjera kva klientar har lukkast i utfordringa ved å lagra ein signert token i ein informasjonskapsel. Venlegast slå på informasjonskapslar på dette domenet. Namna på informasjonskapslane Anubis lagrar, kan variere utan varsel. Informasjonskapselnamn og -verdiar er ikkje ein del av det offentlege API-et.",
+  "js_context_not_secure": "Du brukar ikkje ei sikker tilkopling!",
+  "js_context_not_secure_msg": "Prøv å kople til over HTTPS eller fortel administratoren å opprette HTTPS. Sjå <a hreflang=\"en\" href=\"https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts#when_is_a_context_considered_secure\">MDN</a> for fleire opplysingar.",
+  "js_calculating": "Reknar…",
+  "js_missing_feature": "Manglar funksjon",
+  "js_challenge_error": "Utfordringsfeil!",
+  "js_challenge_error_msg": "Mislukkast i å tolke sjekkalgoritmen. Du burde laste inn denne sida på nytt.",
+  "js_calculating_difficulty": "Reknar…<br/>Vanskenivå:",
+  "js_speed": "Fart:",
+  "js_verification_longer": "Verifisering tek lengre enn forventa. Venlegast ikkje last inn denne sida på nytt.",
+  "js_success": "Vellykka!",
+  "js_done_took": "Ferdig! Tok",
+  "js_iterations": "oppattakingar",
+  "js_finished_reading": "Eg har slutta å lesa, hald fram →",
+  "js_calculation_error": "Rekningsfeil!",
+  "js_calculation_error_msg": "Mislukkast i å rekne utfordring:"
+}
--- a/lib/localization/locales/pt-BR.json
+++ b/lib/localization/locales/pt-BR.json
@@ -2,19 +2,19 @@
  "loading": "Carregando...",
  "why_am_i_seeing": "Por que estou vendo isso?",
  "protected_by": "Protegido por",
-  "protected_from": "From",
-  "made_with": "Feito com ❤️ no 🇨🇦",
+  "protected_from": "de",
+  "made_with": "Feito com ❤️ no Canadá",
  "mascot_design": "Design do mascote por",
-  "ai_companies_explanation": "Você está vendo isso porque o administrador deste site configurou Anubis para proteger o servidor contra a praga de empresas de IA que realizam scraping agressivo em sites. Isso pode causar, e de fato causa, inoperância nos sites, o que torna seus recursos inacessíveis para todos.",
-  "anubis_compromise": "O Anubis é um meio-termo. Ele utiliza um esquema de Prova de Trabalho (Proof-of-Work) semelhante ao Hashcash, um esquema de Prova de Trabalho proposto para reduzir spam de e-mail. A ideia é que, em escalas individuais, a carga adicional seja insignificante, mas em níveis em massa de scrapers, ela se acumula e torna o scraping muito mais custoso.",
-  "hack_purpose": "Em última análise, este é um hack cujo propósito real é fornecer uma solução \"boa o suficiente\" para que mais tempo possa ser gasto na identificação de navegadores sem interface (por exemplo: por meio de como eles fazem a renderização de fontes), para que a página do desafio da prova de trabalho não precise ser apresentada a usuários que têm muito mais probabilidade de serem legítimos.",
-  "jshelter_note": "Observe que o Anubis requer o uso de recursos JavaScript modernos que plugins como o JShelter desabilitarão. Desabilite o JShelter ou outros plugins semelhantes para este domínio.",
+  "ai_companies_explanation": "Você está vendo isso porque o administrador deste site configurou Anubis para proteger o servidor contra a praga de empresas de IA que realizam captura agressiva dos dados de páginas da Web. Isso pode causar, e de fato causa, indisponibilidade nos sites, o que os torna inacessíveis para todos.",
+  "anubis_compromise": "O Anubis é um meio-termo. Ele utiliza um mecanismo de prova de validação semelhante ao Hashcash, proposto para reduzir spam de e-mail. A ideia é que, para acessos individuais, a carga adicional seja insignificante, mas acessos para captura em massa, ela se acumula e torna esse processo muito mais oneroso.",
+  "hack_purpose": "Por fim, essa é uma solução \"boa o suficiente\" cujo propósito real é gastar mais tempo na identificação de navegadores sem interface (por exemplo: como eles renderizam fontes), para que a página de validação não precise ser apresentada a usuários que têm muito mais probabilidade de serem legítimos.",
+  "jshelter_note": "Lembrando que o Anubis requer o uso de recursos JavaScript modernos, que plugins como o JShelter desabilitarão. Desabilite o JShelter ou similares para este domínio.",
  "version_info": "Este site está usando o Anubis versão",
  "try_again": "Tente novamente",
  "go_home": "Início",
-  "contact_webmaster": "ou se você acredita que não deveria estar bloqueado, contate o webmaster em",
+  "contact_webmaster": "ou se você acredita que não deveria estar bloqueado, contate o administrador em",
  "connection_security": "Por favor, aguarde um momento enquanto nós garantimos a segurança de sua conexão.",
-  "javascript_required": "Infelizmente, você deve habilitar JavaScript para passar por este desafio. Isso é necessário porque empresas de IA alteraram o contrato social sobre como a hospedagem de sites funciona. Uma solução que não use JavaScript ainda está sendo desenvolvida.",
+  "javascript_required": "Infelizmente, você deve habilitar JavaScript para passar por esta validação. Isso é necessário porque empresas de IA alteraram o contrato social sobre como a hospedagem de sites funciona. Uma solução não dependente de JavaScript ainda está sendo desenvolvida.",
  "benchmark_requires_js": "Para executar a ferramenta de benchmark, é necessário que o JavaScript esteja habilitado.",
  "difficulty": "Dificuldade:",
  "algorithm": "Algoritmo:",
@@ -27,7 +27,7 @@
  "iters_b": "Iteração B",
  "static_check_endpoint": "Este é apenas um ponto de verificação para seu proxy reverso usar.",
  "authorization_required": "Autorização necessária",
-  "cookies_disabled": "Seu navegador está configurado para desabilitar cookies. O Anubis requer cookies para o interesse legítimo de garantir que você seja um cliente válido. Habilite os cookies para este domínio.",
+  "cookies_disabled": "Seu navegador está configurado para desabilitar cookies. O Anubis requer cookies somente com o interesse de garantir que você seja um cliente válido. Por favor, habilite os cookies para este domínio.",
  "access_denied": "Acesso negado: código de erro",
  "dronebl_entry": "DroneBL relatou uma entrada",
  "see_dronebl_lookup": "consulte",
@@ -36,21 +36,21 @@
  "redirect_not_parseable": "URL de redirecionamento não analisável",
  "redirect_domain_not_allowed": "Domínio de redirecionamento não permitido",
  "failed_to_sign_jwt": "falha ao assinar JWT",
-  "invalid_invocation": "Invocação inválida de MakeChallenge",
-  "client_error_browser": "Erro do cliente: verifique se seu navegador está atualizado e tente novamente mais tarde..",
+  "invalid_invocation": "Invocação de MakeChallenge inválida",
+  "client_error_browser": "Erro do cliente: verifique se seu navegador está atualizado e tente novamente mais tarde.",
  "oh_noes": "Ah, não!",
  "benchmarking_anubis": "Fazendo benchmark do Anubis!",
  "you_are_not_a_bot": "Você não é um bot!",
  "making_sure_not_bot": "Certificando de que você não é um bot!",
  "celphase": "CELPHASE",
  "js_web_crypto_error": "Seu navegador não possui um elemento web.crypto funcional. Você está visualizando isso em um contexto seguro?",
-  "js_web_workers_error": "Seu navegador não oferece suporte a web workers (o Anubis usa isso para evitar que seu navegador trave). Você tem um plugin como o JShelter instalado?",
-  "js_cookies_error": "Seu navegador não armazena cookies. O Anubis usa cookies para determinar quais clientes passaram nos desafios, armazenando um token assinado em um cookie. Habilite o armazenamento de cookies para este domínio. Os nomes dos cookies armazenados pelo Anubis podem variar sem aviso prévio. Os nomes e valores dos cookies não fazem parte da API pública.",
+  "js_web_workers_error": "Seu navegador não suporta web workers (o Anubis os usa para evitar que seu navegador trave). Você tem um plugin como o JShelter instalado?",
+  "js_cookies_error": "Seu navegador não armazena cookies. O Anubis usa cookies para determinar quais clientes passaram pelas validações, armazenando um token assinado nesse cookie. Habilite o armazenamento de cookies para este domínio. Os nomes dos cookies armazenados pelo Anubis podem variar sem aviso prévio. Os nomes e valores dos cookies não fazem parte da API pública.",
  "js_context_not_secure": "Seu contexto não é seguro!",
-  "js_context_not_secure_msg": "Tente conectar-se via HTTPS ou avise o administrador para configurar o HTTPS. Para mais informações, consulte o <a href=\"https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts#when_is_a_context_considered_secure\">MDN</a>.",
+  "js_context_not_secure_msg": "Tente conectar-se via HTTPS ou avise o administrador para configurar a segurança de site via HTTPS. Para mais informações, consulte o <a href=\"https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts#when_is_a_context_considered_secure\">MDN</a>.",
  "js_calculating": "Calculando...",
-  "js_missing_feature": "Faltando recurso",
-  "js_challenge_error": "Erro no desafio!",
+  "js_missing_feature": "Recurso não disponível",
+  "js_challenge_error": "Erro na validação!",
  "js_challenge_error_msg": "Falha ao resolver o algoritmo de verificação. Talvez seja necessário recarregar a página.",
  "js_calculating_difficulty": "Calculando...<br/>Dificuldade:",
  "js_speed": "Velocidade:",
@@ -60,5 +60,5 @@
  "js_iterations": "iterações",
  "js_finished_reading": "Terminei de ler, continue →",
  "js_calculation_error": "Erro de cálculo!",
-  "js_calculation_error_msg": "Falha ao calcular o desafio:"
+  "js_calculation_error_msg": "Falha ao calcular a validação:"
 }
--- a/lib/localization/locales/ru.json
+++ b/lib/localization/locales/ru.json
@@ -0,0 +1,64 @@
+{
+  "loading": "Загрузка...",
+  "why_am_i_seeing": "Почему я вижу это?",
+  "protected_by": "Защищено",
+  "protected_from": "От",
+  "made_with": "Сделано с ❤️ из 🇨🇦",
+  "mascot_design": "Дизайн маскота от",
+  "ai_companies_explanation": "Вы это видите, потому что администратор этого сайта настроил Anubis для защиты сервера от атак, использующих ИИ, которые агрессивно копируют данные с сайтов. Это может привести к зависанию сайтов и делает их ресурсы недоступными для всех.",
+  "anubis_compromise": "Anubis - это компромисс. Anubis использует Proof-of-Work, похожую на Hashcash, для борьбы со спамом в электронной почте. Идея в том, что на отдельных уровнях дополнительная нагрузка не влиятельна, но на уровне массового парсинга она накапливается и значительно удорожает сбор данных.",
+  "hack_purpose": "В реальности, это хак, у которого настоящая цель - предоставить «достаточно хорошее» решение, чтобы можно было потратить больше времени на идентификацию headless-браузеров (например, по тому, как они выполняют отрисовку шрифтов), чтобы не отображать страницу с подтверждением пользователям, которые с гораздо большей вероятностью являются настоящими.",
+  "jshelter_note": "Anubis требует использования современных функций JavaScript, которые плагины, по типу JShelter, отключают. Пожалуйста, отключите JShelter и другие подобные плагины для этого домена.",
+  "version_info": "На сайте запущен Anubis версии",
+  "try_again": "Попробуйте снова",
+  "go_home": "Перейти на домашнюю",
+  "contact_webmaster": "если вы уверены, что это ошибка, свяжитесь с владельцем сайта через",
+  "connection_security": "Пожалуйста, подождите, пока мы проверим безопасность вашего соединения.",
+  "javascript_required": "К сожалению, для решения этой проверки необходимо включить JavaScript. Это необходимо, поскольку компании, занимающиеся разработкой ИИ, изменили моральные правила, касающийся хостинга веб-сайтов. Решение без использования JavaScript находится в стадии разработки.",
+  "benchmark_requires_js": "Для работы тестирования необходимо включить JavaScript.",
+  "difficulty": "Сложность:",
+  "algorithm": "Алгоритм:",
+  "compare": "Сравнить:",
+  "time": "Время",
+  "iters": "Итерации",
+  "time_a": "Время A",
+  "iters_a": "Итерации A",
+  "time_b": "Время B",
+  "iters_b": "Итерации B",
+  "static_check_endpoint": "Это всего лишь точка проверки, которую может использовать ваш обратный прокси-сервер.",
+  "authorization_required": "Требуется авторизация.",
+  "cookies_disabled": "В вашем браузере отключены cookie файлы. Anubis требует их для подтверждения того, что вы являетесь настоящим человеком. Пожалуйста, включите файлы cookie для этого домена",
+  "access_denied": "Доступ запрещён: код ошибки",
+  "dronebl_entry": "DroneBL сообщил о записи",
+  "see_dronebl_lookup": "см.",
+  "internal_server_error": "Внутренняя ошибка сервера: администратор неправильно настроил Anubis. Обратитесь к администратору и попросите его просмотреть логи",
+  "invalid_redirect": "Неверное перенаправление",
+  "redirect_not_parseable": "URL-адрес перенаправления не может быть анализирован",
+  "redirect_domain_not_allowed": "Перенаправление домена запрещено",
+  "failed_to_sign_jwt": "не смог подписать JWT",
+  "invalid_invocation": "Неверный вызов MakeChallenge",
+  "client_error_browser": "Ошибка клиента: убедитесь, что у вас браузер новейшей версии, и повторите попытку позже.",
+  "oh_noes": "О нет!",
+  "benchmarking_anubis": "Анализ Анубиса!",
+  "you_are_not_a_bot": "Вы не бот!",
+  "making_sure_not_bot": "Проверяем, что вы не бот!",
+  "celphase": "CELPHASE",
+  "js_web_crypto_error": "В вашем браузере отсутствует функция web.crypto. Вы просматриваете страницу через защищённый контекст?",
+  "js_web_workers_error": "Ваш браузер не поддерживает web worker (Anubis использует его, чтобы избежать зависания браузера). У вас установлен плагин типа JShelter?",
+  "js_cookies_error": "Ваш браузер не сохраняет cookie файлы. Anubis использует их для определения клиентов, прошедших проверку, сохраняя подписанный токен в файле cookie. Включите сохранение файлов cookie для этого домена. Имена файлов cookie, хранимых Anubis, могут изменяться без предварительного уведомления. Имена и значения cookie файлов не являются частью общедоступного API.",
+  "js_context_not_secure": "Ваш контекст небезопасен!",
+  "js_context_not_secure_msg": "Попробуйте подключиться по HTTPS или попросите администратора, чтобы он настроил HTTPS. Подробнее см. <a href=\"https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts#when_is_a_context_considered_secure\">MDN</a>.",
+  "js_calculating": "Расчёт...",
+  "js_missing_feature": "Отсутствует функция",
+  "js_challenge_error": "Ошибка проверки!",
+  "js_challenge_error_msg": "Не удалось определить алгоритм проверки. Возможно, нужно перезагрузить страницу..",
+  "js_calculating_difficulty": "Расчёт...<br/>Сложность:",
+  "js_speed": "Скорость:",
+  "js_verification_longer": "Проверка занимает больше времени, чем ожидалось. Пожалуйста, не обновляйте страницу.",
+  "js_success": "Успех!",
+  "js_done_took": "Получилось! Заняло",
+  "js_iterations": "итераций",
+  "js_finished_reading": "Я дочитал, продолжить →",
+  "js_calculation_error": "Ошибка расчёта!",
+  "js_calculation_error_msg": "Не удалось рассчитать задачу:"
+}
--- a/lib/localization/localization_test.go
+++ b/lib/localization/localization_test.go
@@ -21,13 +21,25 @@ func TestLocalizationService(t *testing.T) {
 		"fr":    "Chargement...",
 		"ja":    "ロード中...",
 		"is":    "Hleður...",
+		"nb":    "Laster inn...",
+		"nn":    "Lastar inn...",
 		"pt-BR": "Carregando...",
 		"tr":    "Yükleniyor...",
+		"ru":    "Загрузка...",
 		"zh-CN": "加载中...",
 		"zh-TW": "載入中...",
 	}

-	for lang, expected := range loadingStrMap {
+	var keys []string
+
+	for lang := range loadingStrMap {
+		keys = append(keys, lang)
+	}
+
+	sort.Strings(keys)
+
+	for _, lang := range keys {
+		expected := loadingStrMap[lang]
 		t.Run(fmt.Sprintf("%s localization", lang), func(t *testing.T) {
 			localizer := service.GetLocalizer(lang)
 			result := localizer.MustLocalize(&i18n.LocalizeConfig{MessageID: "loading"})
@@ -43,7 +55,7 @@ func TestLocalizationService(t *testing.T) {
 		"mascot_design", "try_again", "go_home", "javascript_required",
 	}

-	for lang := range loadingStrMap {
+	for _, lang := range keys {
 		t.Run(fmt.Sprintf("All required keys exist in %s", lang), func(t *testing.T) {
 			loc := service.GetLocalizer(lang)
 			for _, key := range requiredKeys {
@@ -57,7 +69,7 @@ func TestLocalizationService(t *testing.T) {
 }

 type manifest struct {
-	SupportedLanguages []string `json:"supported_languages"`
+	SupportedLanguages []string `json:"supportedLanguages"`
 }

 func loadManifest(t *testing.T) manifest {
@@ -98,6 +110,11 @@ func TestComprehensiveTranslations(t *testing.T) {

 	sort.Strings(keys)

+	manifest := loadManifest(t)
+	if len(manifest.SupportedLanguages) == 0 {
+		t.Fatal("no languages loaded")
+	}
+
 	for _, lang := range loadManifest(t).SupportedLanguages {
 		t.Run(lang, func(t *testing.T) {
 			loc := service.GetLocalizer(lang)
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
  "name": "@techaro/anubis",
-  "version": "1.21.0",
+  "version": "1.21.1",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "@techaro/anubis",
-      "version": "1.21.0",
+      "version": "1.21.1",
      "license": "ISC",
      "devDependencies": {
        "cssnano": "^7.1.0",
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@techaro/anubis",
-  "version": "1.21.0",
+  "version": "1.21.1",
  "description": "",
  "main": "index.js",
  "scripts": {
--- a/web/js/proof-of-work-slow.mjs
+++ b/web/js/proof-of-work-slow.mjs
@@ -14,32 +14,42 @@ export default function process(
    );

    let worker = new Worker(webWorkerURL);
-    const terminate = () => {
+    let settled = false;
+
+    const cleanup = () => {
+      if (settled) return;
+      settled = true;
      worker.terminate();
      if (signal != null) {
-        // clean up listener to avoid memory leak
-        signal.removeEventListener("abort", terminate);
-        if (signal.aborted) {
-          console.log("PoW aborted");
-          reject(false);
-        }
+        signal.removeEventListener("abort", onAbort);
      }
+      URL.revokeObjectURL(webWorkerURL);
    };
+
+    const onAbort = () => {
+      console.log("PoW aborted");
+      cleanup();
+      reject(new DOMException("Aborted", "AbortError"));
+    };
+
    if (signal != null) {
-      signal.addEventListener("abort", terminate, { once: true });
+      if (signal.aborted) {
+        return onAbort();
+      }
+      signal.addEventListener("abort", onAbort, { once: true });
    }

    worker.onmessage = (event) => {
      if (typeof event.data === "number") {
        progressCallback?.(event.data);
      } else {
-        terminate();
+        cleanup();
        resolve(event.data);
      }
    };

    worker.onerror = (event) => {
-      terminate();
+      cleanup();
      reject(event);
    };

@@ -47,8 +57,6 @@ export default function process(
      data,
      difficulty,
    });
-
-    URL.revokeObjectURL(webWorkerURL);
  });
 }

--- a/web/js/proof-of-work.mjs
+++ b/web/js/proof-of-work.mjs
@@ -3,7 +3,7 @@ export default function process(
  difficulty = 5,
  signal = null,
  progressCallback = null,
-  threads = navigator.hardwareConcurrency || 1,
+  threads = Math.max(navigator.hardwareConcurrency / 2, 1),
 ) {
  console.debug("fast algo");
  return new Promise((resolve, reject) => {
@@ -12,19 +12,31 @@ export default function process(
    );

    const workers = [];
-    const terminate = () => {
+    let settled = false;
+
+    const cleanup = () => {
+      if (settled) {
+        return;
+      }
+      settled = true;
      workers.forEach((w) => w.terminate());
      if (signal != null) {
-        // clean up listener to avoid memory leak
-        signal.removeEventListener("abort", terminate);
-        if (signal.aborted) {
-          console.log("PoW aborted");
-          reject(false);
-        }
+        signal.removeEventListener("abort", onAbort);
      }
+      URL.revokeObjectURL(webWorkerURL);
    };
+
+    const onAbort = () => {
+      console.log("PoW aborted");
+      cleanup();
+      reject(new DOMException("Aborted", "AbortError"));
+    };
+
    if (signal != null) {
-      signal.addEventListener("abort", terminate, { once: true });
+      if (signal.aborted) {
+        return onAbort();
+      }
+      signal.addEventListener("abort", onAbort, { once: true });
    }

    for (let i = 0; i < threads; i++) {
@@ -34,13 +46,13 @@ export default function process(
        if (typeof event.data === "number") {
          progressCallback?.(event.data);
        } else {
-          terminate();
+          cleanup();
          resolve(event.data);
        }
      };

      worker.onerror = (event) => {
-        terminate();
+        cleanup();
        reject(event);
      };

@@ -53,8 +65,6 @@ export default function process(

      workers.push(worker);
    }
-
-    URL.revokeObjectURL(webWorkerURL);
  });
 }

@@ -79,6 +89,7 @@ function processTask() {
      let threads = event.data.threads;

      const threadId = nonce;
+      let localIterationCount = 0;

      while (true) {
        const currentHash = await sha256(data + nonce);
@@ -104,21 +115,15 @@ function processTask() {
          break;
        }

-        const oldNonce = nonce;
        nonce += threads;

-        // send a progress update every 1024 iterations. since each thread checks
-        // separate values, one simple way to do this is by bit masking the
-        // nonce for multiples of 1024. unfortunately, if the number of threads
-        // is not prime, only some of the threads will be sending the status
-        // update and they will get behind the others. this is slightly more
-        // complicated but ensures an even distribution between threads.
-        if (
-          (nonce > oldNonce) | 1023 && // we've wrapped past 1024
-          (nonce >> 10) % threads === threadId // and it's our turn
-        ) {
+        // send a progress update every 1024 iterations so that the user can be informed of
+        // the state of the challenge.
+        if (threadId == 0 && localIterationCount === 1024) {
          postMessage(nonce);
+          localIterationCount = 0;
        }
+        localIterationCount++;
      }

      postMessage({
Author	SHA1	Message	Date
Xe Iaso	1a19d7eee4	chore: release v1.21.1 (#887 ) Signed-off-by: Xe Iaso <me@xeiaso.net>	2025-07-22 16:32:06 -04:00
Sunniva Løvstad	25af5a232f	feat(localization): Add in Bokmål and Nynorsk translations (#855 ) * feat(localization): add bokmål and nynorsk translations * feat(localization): update tests for Bokmål and Nynorsk * docs(localization): document bokmål and nynorsk locales * fix(locales/nb,nn): remove unicode ellipsis to make tests pass Signed-off-by: Xe Iaso <me@xeiaso.net> * style(localization): sort languages to make test output stable Signed-off-by: Xe Iaso <me@xeiaso.net> * chore: spelling check-spelling run (pull_request) for main Signed-off-by: check-spelling-bot <check-spelling-bot@users.noreply.github.com> on-behalf-of: @check-spelling <check-spelling-bot@check-spelling.dev> --------- Signed-off-by: Xe Iaso <me@xeiaso.net> Signed-off-by: Xe Iaso <xe.iaso@techaro.lol> Signed-off-by: check-spelling-bot <check-spelling-bot@users.noreply.github.com> Co-authored-by: Xe Iaso <me@xeiaso.net> Co-authored-by: Xe Iaso <xe.iaso@techaro.lol>	2025-07-21 22:37:49 -04:00
Xe Iaso	24d2501187	feat: Russian localization for Anubis (#882 ) * feat(localization): Add Russian language translation * test(localization): ensure Russian translations are tested Signed-off-by: Xe Iaso <me@xeiaso.net> * docs(changelog): update with Russian translation Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: Xe Iaso <me@xeiaso.net> Signed-off-by: Xe Iaso <xe.iaso@techaro.lol> Co-authored-by: MichaelAgarkov <michaelagarkov@internet.ru>	2025-07-21 23:14:51 +00:00
ZerionSeven	1dc9525427	Add Finnish localization (#863 ) * add Finnish localization * add fi to supportedLanguages * add entry for Finnish to CHANGELOG	2025-07-21 18:56:16 -04:00
Xe Iaso	24e3746b0b	fix(lib): fix challenge issuance logic (#881 ) * fix(lib): fix challenge issuance logic Fixes #869 v1.21.0 changed the core challenge flow to maintain information about challenges on the server side instead of only doing them via stateless idempotent generation functions and relying on details to not change. There was a subtle bug introduced in this change: if a client has an unknown challenge ID set in its test cookie, Anubis will clear that cookie and then throw an HTTP 500 error. This has been fixed by making Anubis throw a new challenge page instead. Signed-off-by: Xe Iaso <me@xeiaso.net> * test(lib): you win this time spell check Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: Xe Iaso <me@xeiaso.net>	2025-07-21 18:53:59 -04:00
HQuest	31184ccd5f	Update pt-BR.json (#878 ) * Update pt-BR.json While current version is good enough as a machine translation, it is not natural enough for what a reader would like to read while browsing sites made by native devs - including the subtle nuances from the original English version, now incorporated to the translation instead of plain, literal translations with questionable meanings. Signed-off-by: HQuest <hquest@gmail.com> * fix(locales/pt-BR): anubis is from Canada CA is the ISO country code for Canada, but also the US state code for California. Co-authored-by: Victor Fernandes <victorvalenca@gmail.com> Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: HQuest <hquest@gmail.com> Signed-off-by: Xe Iaso <me@xeiaso.net> Co-authored-by: Xe Iaso <me@xeiaso.net> Co-authored-by: Victor Fernandes <victorvalenca@gmail.com>	2025-07-21 22:21:47 +00:00
Xe Iaso	e69fadddf1	fix(web/fast): remove event loop thrashing (#880 ) Fixes #877 Continued from #879, event loop thrashing can cause stack space exhaustion on ia32 systems. Previously this would thrash the event loop in Firefox and Firefox derived browsers such as Pale Moon. I suspect that this is the ultimate root cause of the bizarre irreproducible bugs that Pale Moon (and maybe Cromite) users have been reporting since at least #87 was merged. The root cause is an invalid boolean statement: ```js // send a progress update every 1024 iterations. since each thread checks // separate values, one simple way to do this is by bit masking the // nonce for multiples of 1024. unfortunately, if the number of threads // is not prime, only some of the threads will be sending the status // update and they will get behind the others. this is slightly more // complicated but ensures an even distribution between threads. if ( (nonce > oldNonce) \| 1023 && // we've wrapped past 1024 (nonce >> 10) % threads === threadId // and it's our turn ) { postMessage(nonce); } ``` The logic here looks fine but is subtly wrong as was reported in #877 by a user in the Pale Moon community. Consider the following scenario: `nonce` is a counter that increments by the worker count every loop. This is intended to spread the load between CPU cores as such: \| Iteration \| Worker ID \| Nonce \| \| :-------- \| :-------- \| :---- \| \| 1 \| 0 \| 0 \| \| 1 \| 1 \| 1 \| \| 2 \| 0 \| 2 \| \| 3 \| 1 \| 3 \| And so on. The incorrect part of this is the boolean logic, specifically the part with the bitwise or `\|`. I think the intent was to use a logical or (`\|\|`), but this had the effect of making the `postMessage` handler fire on every iteration. The intent of this snippet (as the comment clearly indicates) is to make sure that the main event loop is only updated with the worker status every 1024 iterations per worker. This had the opposite effect, causing a lot of messages to be sent from workers to the parent JavaScript context. This is bad for the event loop. Instead, I have ripped out that statement and replaced it with a much simpler increment only counter that fires every 1024 iterations. Additionally, only the first thread communicates back to the parent process. This does mean that in theory the other workers could be ahead of the first thread (posting a message out of a worker has a nonzero cost), but in practice I don't think this will be as much of an issue as the current behaviour is. The root cause of the stack exhaustion is likely the pressure caused by all of the postMessage futures piling up. Maybe the larger stack size in 64 bit environments is causing this to be fine there, maybe it's some combination of newer hardware in 64 bit systems making this not be as much of a problem due to it being able to handle events fast enough to keep up with the pressure. Either way, thanks much to @wolfbeast and the Pale Moon community for finding this. This will make Anubis faster for everyone! Signed-off-by: Xe Iaso <xe.iaso@techaro.lol>	2025-07-21 18:05:24 -04:00
Xe Iaso	5e8ebaeb5d	fix(web): amend future leak on proof of work solution (#879 ) Possible fix for #877 In some cases, the parallel solution finder in Anubis could cause all of the worker promises to leak due to the fact the promises were being improperly terminated. A recursion bomb happens in the following scenario: 1. A worker sends a message indicating it found a solution to the proof of work challenge. 2. The `onmessage` handler for that worker calls `terminate()` 3. Inside `terminate()`, the parent process loops through all other workers and calls `w.terminate()` on them. 4. It's possible that terminating a worker could lead to the `onerror` event handler. 5. This would create a recursive loop of `onmessage` -> `terminate` -> `onerror` -> `terminate` -> `onerror` and so on. This infinite recursion quickly consumes all available stack space, but this has never been noticed in development because all of my computers have at least 64Gi of ram provisioned to them under the axiom paying for more ram is cheaper than paying in my time spent having to work around not having enough ram. Additionally, ia32 has a smaller base stack size, which means that they will run into this issue much sooner than users on other CPU architectures will. The fix adds a boolean `settled` flag to prevent termination from running more than once. Signed-off-by: Xe Iaso <me@xeiaso.net>	2025-07-21 17:50:31 -04:00
searingmoonlight	3e1aaa6273	Remove duplicated string in Filipino language file (#875 ) Signed-off-by: searingmoonlight <kitakita@disroot.org>	2025-07-20 23:17:48 -04:00
Jason Cameron	dce7ed2405	Revert "build(deps): bump the gomod group with 6 updates (#873 )" (#874 )	2025-07-21 01:22:40 +00:00
@@ -1 +1 @@
 .21.0
 .21.1
				`@@ -1 +0,0 @@`
				`aorsentaeiorsntoiearnstoieanrsoietnaioresntoeiar`