chore: update spelling

Signed-off-by: Xe Iaso <me@xeiaso.net>

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,12 +1,12 @@
 <!--
 delete me and describe your change here, give enough context for a maintainer to understand what and why
 
-See https://github.com/TecharoHQ/anubis/blob/main/CONTRIBUTING.md for more information
+See https://anubis.techaro.lol/docs/developer/code-quality for more information
 -->
 
 Checklist:
 
 - [ ] Added a description of the changes to the `[Unreleased]` section of docs/docs/CHANGELOG.md
-- [ ] Added test cases to [the relevant parts of the codebase](https://github.com/TecharoHQ/anubis/blob/main/CONTRIBUTING.md)
+- [ ] Added test cases to [the relevant parts of the codebase](https://anubis.techaro.lol/docs/developer/code-quality)
 - [ ] Ran integration tests `npm run test:integration` (unsupported on Windows, please use WSL)
 - [ ] All of my commits have [verified signatures](https://anubis.techaro.lol/docs/developer/signed-commits)

.github/actions/spelling/allow.txt

@@ -24,14 +24,3 @@ iplist
 NArg
 blocklists
 rififi
-prolocation
-Prolocation
-Necron
-Stargate
-FFXIV
-uvensys
-de
-resourced
-envoyproxy
-unipromos
-Samsung

.github/actions/spelling/expect.txt

@@ -7,7 +7,6 @@ Aibrew
 alibaba
 alrest
 amazonbot
-anexia
 anthro
 anubis
 anubistest
@@ -65,7 +64,6 @@ cidranger
 ckie
 CLAUDE
 cloudflare
-cloudsolutions
 Codespaces
 confd
 containerbuild
@@ -80,7 +78,6 @@ databento
 dayjob
 dco
 DDOS
-ddwrt
 Debian
 debrpm
 decaymap
@@ -103,7 +100,6 @@ duckduckbot
 eerror
 ellenjoe
 emacs
-embe
 enbyware
 etld
 everyones
@@ -121,7 +117,6 @@ FCr
 fcrdns
 fediverse
 ffprobe
-fhdr
 financials
 finfos
 Firecrawl
@@ -159,7 +154,6 @@ grw
 gzw
 Hashcash
 hashrate
-hdr
 headermap
 healthcheck
 healthz
@@ -169,7 +163,6 @@ Hetzner
 hmc
 homelab
 hostable
-HSTS
 htmlc
 htmx
 httpdebug
@@ -222,6 +215,7 @@ LLU
 loadbalancer
 lol
 lominsa
+maintainership
 malware
 mcr
 memes
@@ -330,13 +324,11 @@ Spambot
 spammer
 sparkline
 spyderbot
-srcip
 srv
 stackoverflow
 startprecmd
 stoppostcmd
 storetest
-strcmp
 subgrid
 subr
 subrequest
@@ -361,7 +353,6 @@ Timpibot
 TLog
 traefik
 trunc
-txn
 uberspace
 Unbreak
 unbreakdocker

.github/workflows/asset-verification.yml

@@ -22,12 +22,12 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y build-essential
 
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
           node-version: "24.11.0"
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
-          go-version: "1.25.7"
+          go-version: "1.25.4"
 
       - name: install node deps
         run: |

.github/workflows/docker-pr.yml

@@ -26,18 +26,18 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y build-essential
 
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
           node-version: "24.11.0"
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
-          go-version: "stable"
+          go-version: "1.25.4"
 
       - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
         with:
           images: ghcr.io/${{ github.repository }}
 

.github/workflows/docker.yml

@@ -36,17 +36,17 @@ jobs:
         run: |
           echo "IMAGE=ghcr.io/${GITHUB_REPOSITORY,,}" >> $GITHUB_ENV
 
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
           node-version: "24.11.0"
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
-          go-version: "stable"
+          go-version: "1.25.4"
 
       - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
 
       - name: Log into registry
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
@@ -54,7 +54,7 @@ jobs:
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
         with:
           images: ${{ env.IMAGE }}
 
@@ -68,7 +68,7 @@ jobs:
           SLOG_LEVEL: debug
 
       - name: Generate artifact attestation
-        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
+        uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
         with:
           subject-name: ${{ env.IMAGE }}
           subject-digest: ${{ steps.build.outputs.digest }}

.github/workflows/docs-deploy.yml

@@ -22,10 +22,10 @@ jobs:
           persist-credentials: false
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Log into registry
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           registry: ghcr.io
           username: techarohq
@@ -33,7 +33,7 @@ jobs:
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
         with:
           images: ghcr.io/techarohq/anubis/docs
           tags: |
@@ -42,7 +42,7 @@ jobs:
 
       - name: Build and push
         id: build
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: ./docs
           cache-to: type=gha
@@ -53,14 +53,14 @@ jobs:
           push: true
 
       - name: Apply k8s manifests to limsa lominsa
-        uses: actions-hub/kubectl@934aaa4354bbbc3d2176ae8d7cae92d515032dff # v1.35.3
+        uses: actions-hub/kubectl@f6d776bd78f4523e36d6c74d34f9941c242b2213 # v1.35.0
         env:
           KUBE_CONFIG: ${{ secrets.LIMSA_LOMINSA_KUBECONFIG }}
         with:
           args: apply -k docs/manifest
 
       - name: Apply k8s manifests to limsa lominsa
-        uses: actions-hub/kubectl@934aaa4354bbbc3d2176ae8d7cae92d515032dff # v1.35.3
+        uses: actions-hub/kubectl@f6d776bd78f4523e36d6c74d34f9941c242b2213 # v1.35.0
         env:
           KUBE_CONFIG: ${{ secrets.LIMSA_LOMINSA_KUBECONFIG }}
         with:

.github/workflows/docs-test.yml

@@ -18,11 +18,11 @@ jobs:
           persist-credentials: false
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
         with:
           images: ghcr.io/techarohq/anubis/docs
           tags: |
@@ -31,7 +31,7 @@ jobs:
 
       - name: Build and push
         id: build
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: ./docs
           cache-to: type=gha

.github/workflows/go-mod-tidy-check.yml

@@ -17,9 +17,9 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
-          go-version: "stable"
+          go-version: "1.25.4"
 
       - name: Check go.mod and go.sum in main directory
         run: |

.github/workflows/go.yml

@@ -24,15 +24,15 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y build-essential
 
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
           node-version: "24.11.0"
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
-          go-version: "stable"
+          go-version: "1.25.4"
 
       - name: Cache playwright binaries
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
         id: playwright-cache
         with:
           path: |
@@ -55,10 +55,10 @@ jobs:
         run: npm run test
 
       - name: Lint with staticcheck
-        uses: dominikh/staticcheck-action@9716614d4101e79b4340dd97b10e54d68234e431 # v1.4.1
+        uses: dominikh/staticcheck-action@024238d2898c874f26d723e7d0ff4308c35589a2 # v1.4.0
         with:
           version: "latest"
 
       - name: Govulncheck
         run: |
-          go tool govulncheck ./... ||:
+          go tool govulncheck ./...

.github/workflows/lint-pr-title.yaml

@@ -14,6 +14,6 @@ jobs:
     permissions:
       pull-requests: read
     steps:
-      - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
+      - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/package-builds-stable.yml

@@ -25,12 +25,12 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y build-essential
 
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
           node-version: "24.11.0"
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
-          go-version: "stable"
+          go-version: "1.25.4"
 
       - name: install node deps
         run: |

.github/workflows/package-builds-unstable.yml

@@ -26,12 +26,12 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y build-essential
 
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
           node-version: "24.11.0"
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
-          go-version: "stable"
+          go-version: "1.25.4"
 
       - name: install node deps
         run: |
@@ -41,7 +41,7 @@ jobs:
         run: |
           go tool yeet
 
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: packages
           path: var/*

.github/workflows/smoke-tests.yml

@@ -34,12 +34,12 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
           node-version: "24.11.0"
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
-          go-version: "stable"
+          go-version: "1.25.4"
 
       - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
 
@@ -57,7 +57,7 @@ jobs:
         run: echo "ARTIFACT_NAME=${{ matrix.test }}" | sed 's|/|-|g' >> $GITHUB_ENV
 
       - name: Upload artifact
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
         if: always()
         with:
           name: ${{ env.ARTIFACT_NAME }}

.github/workflows/ssh-ci-runner-cron.yml

@@ -24,13 +24,13 @@ jobs:
           fetch-depth: 0
           persist-credentials: false
       - name: Log into registry
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
       - name: Build and push
         run: |
           cd ./test/ssh-ci

.github/workflows/ssh-ci.yml

@@ -12,15 +12,14 @@ permissions:
 jobs:
   ssh:
     if: github.repository == 'TecharoHQ/anubis'
-    #runs-on: alrest-techarohq
+    runs-on: alrest-techarohq
-    runs-on: ubuntu-latest
     strategy:
       matrix:
         host:
           - riscv64
           - ppc64le
-          #- aarch64-4k
+          - aarch64-4k
-          #- aarch64-16k
+          - aarch64-16k
     steps:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -30,15 +29,15 @@ jobs:
           persist-credentials: false
 
       - name: Install CI target SSH key
-        uses: shimataro/ssh-key-action@87a8f067114a8ce263df83e9ed5c849953548bc3 # v2.8.1
+        uses: shimataro/ssh-key-action@d4fffb50872869abe2d9a9098a6d9c5aa7d16be4 # v2.7.0
         with:
           key: ${{ secrets.CI_SSH_KEY }}
           name: id_rsa
           known_hosts: ${{ secrets.CI_SSH_KNOWN_HOSTS }}
 
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
-          go-version: "stable"
+          go-version: "1.25.4"
 
       - name: Run CI
         run: go run ./utils/cmd/backoff-retry bash test/ssh-ci/rigging.sh ${{ matrix.host }}

.github/workflows/zizmor.yml

@@ -21,7 +21,7 @@ jobs:
           persist-credentials: false
 
       - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
+        uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b # v7.2.0
 
       - name: Run zizmor 🌈
         run: uvx zizmor --format sarif . > results.sarif
@@ -29,7 +29,7 @@ jobs:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+        uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
         with:
           sarif_file: results.sarif
           category: zizmor

Makefile

@@ -24,7 +24,8 @@ build: assets
 lint: assets
 	$(GO) vet ./...
 	$(GO) tool staticcheck ./...
-	
+	$(GO) tool govulncheck ./...
+
 prebaked-build:
 	$(GO) build -o ./var/anubis -ldflags "-X 'github.com/TecharoHQ/anubis.Version=$(VERSION)'" ./cmd/anubis
 	$(GO) build -o ./var/robots2policy -ldflags "-X 'github.com/TecharoHQ/anubis.Version=$(VERSION)'" ./cmd/robots2policy

README.md

@@ -26,21 +26,9 @@ Anubis is brought to you by sponsors and donors like:
 
 ### Gold Tier
 
-<a href="https://www.unipromos.com/?utm_campaign=github&utm_medium=referral&utm_content=anubis">
-  <img src="./docs/static/img/sponsors/unipromos.webp" alt="Unipromos" height="64" />
-</a>
-<a href="https://uvensys.de/?utm_campaign=github&utm_medium=referral&utm_content=anubis">
-  <img src="./docs/static/img/sponsors/uvensys.webp" alt="Uvensys" height="64">
-</a>
 <a href="https://distrust.co?utm_campaign=github&utm_medium=referral&utm_content=anubis">
   <img src="./docs/static/img/sponsors/distrust-logo.webp" alt="Distrust" height="64">
 </a>
-<a href="https://about.gitea.com?utm_campaign=github&utm_medium=referral&utm_content=anubis">
-  <img src="./docs/static/img/sponsors/gitea-logo.webp" alt="Gitea" height="64">
-</a>
-<a href="https://prolocation.net?utm_campaign=github&utm_medium=referral&utm_content=anubis">
-  <img src="./docs/static/img/sponsors/prolocation-logo.svg" alt="Prolocation" height="64">
-</a>
 <a href="https://terminaltrove.com/?utm_campaign=github&utm_medium=referral&utm_content=anubis&utm_source=abgh">
   <img src="./docs/static/img/sponsors/terminal-trove.webp" alt="Terminal Trove" height="64">
 </a>
@@ -70,12 +58,6 @@ Anubis is brought to you by sponsors and donors like:
     height="64"
   />
 </a>
-<a href="https://www.anexia.com/">
-  <img src="./docs/static/img/sponsors/anexia-cloudsolutions-logo.webp" alt="ANEXIA Cloud Solutions" height="64">
-</a>
-<a href="https://dd-wrt.com/">
-  <img src="./docs/static/img/sponsors/ddwrt-logo.webp" alt="embeDD GmbH" height="64">
-</a>
 
 ## Overview
 

VERSION

@@ -1 +1 @@
-1.25.0
+1.24.0

cmd/anubis/main.go

@@ -17,7 +17,6 @@ import (
 	"net"
 	"net/http"
 	"net/http/httputil"
-	"net/http/pprof"
 	"net/url"
 	"os"
 	"os/signal"
@@ -419,8 +418,8 @@ func main() {
 
 	var redirectDomainsList []string
 	if *redirectDomains != "" {
-		domains := strings.SplitSeq(*redirectDomains, ",")
+		domains := strings.Split(*redirectDomains, ",")
-		for domain := range domains {
+		for _, domain := range domains {
 			_, err = url.Parse(domain)
 			if err != nil {
 				log.Fatalf("cannot parse redirect-domain %q: %s", domain, err.Error())
@@ -428,7 +427,7 @@ func main() {
 			redirectDomainsList = append(redirectDomainsList, strings.TrimSpace(domain))
 		}
 	} else {
-		lg.Warn("REDIRECT_DOMAINS is not set, Anubis will redirect to any domain, see https://anubis.techaro.lol/docs/admin/configuration/redirect-domains")
+		lg.Warn("REDIRECT_DOMAINS is not set, Anubis will only redirect to the same domain a request is coming from, see https://anubis.techaro.lol/docs/admin/configuration/redirect-domains")
 	}
 
 	anubis.CookieName = *cookiePrefix + "-auth"
@@ -523,11 +522,6 @@ func metricsServer(ctx context.Context, lg slog.Logger, done func()) {
 	defer done()
 
 	mux := http.NewServeMux()
-	mux.HandleFunc("GET /debug/pprof/", pprof.Index)
-	mux.HandleFunc("GET /debug/pprof/cmdline", pprof.Cmdline)
-	mux.HandleFunc("GET /debug/pprof/profile", pprof.Profile)
-	mux.HandleFunc("GET /debug/pprof/symbol", pprof.Symbol)
-	mux.HandleFunc("GET /debug/pprof/trace", pprof.Trace)
 	mux.Handle("/metrics", promhttp.Handler())
 	mux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) {
 		st, ok := internal.GetHealth("anubis")

cmd/robots2policy/main.go

@@ -10,7 +10,6 @@ import (
 	"net/http"
 	"os"
 	"regexp"
-	"slices"
 	"strings"
 
 	"github.com/TecharoHQ/anubis/lib/config"
@@ -211,8 +210,11 @@ func parseRobotsTxt(input io.Reader) ([]RobotsRule, error) {
 
 	// Mark blacklisted user agents (those with "Disallow: /")
 	for i := range rules {
-		if slices.Contains(rules[i].Disallows, "/") {
+		for _, disallow := range rules[i].Disallows {
-			rules[i].IsBlacklist = true
+			if disallow == "/" {
+				rules[i].IsBlacklist = true
+				break
+			}
 		}
 	}
 

cmd/robots2policy/robots2policy_test.go

@@ -158,8 +158,8 @@ func TestDataFileConversion(t *testing.T) {
 			}
 
 			if strings.ToLower(*outputFormat) == "yaml" {
-				var actualData []any
+				var actualData []interface{}
-				var expectedData []any
+				var expectedData []interface{}
 
 				err = yaml.Unmarshal(actualOutput, &actualData)
 				if err != nil {
@@ -178,8 +178,8 @@ func TestDataFileConversion(t *testing.T) {
 					t.Errorf("Output mismatch for %s\nExpected:\n%s\n\nActual:\n%s", tc.name, expectedStr, actualStr)
 				}
 			} else {
-				var actualData []any
+				var actualData []interface{}
-				var expectedData []any
+				var expectedData []interface{}
 
 				err = json.Unmarshal(actualOutput, &actualData)
 				if err != nil {
@@ -419,6 +419,6 @@ Disallow: /`
 
 // compareData performs a deep comparison of two data structures,
 // ignoring differences that are semantically equivalent in YAML/JSON
-func compareData(actual, expected any) bool {
+func compareData(actual, expected interface{}) bool {
 	return reflect.DeepEqual(actual, expected)
 }

data/crawlers/_allow-good.yaml

@@ -8,5 +8,4 @@
 - import: (data)/crawlers/marginalia.yaml
 - import: (data)/crawlers/mojeekbot.yaml
 - import: (data)/crawlers/commoncrawl.yaml
-- import: (data)/crawlers/wikimedia-citoid.yaml
 - import: (data)/crawlers/yandexbot.yaml

data/crawlers/wikimedia-citoid.yaml

@@ -1,18 +0,0 @@
-# Wikimedia Foundation citation services
-# https://www.mediawiki.org/wiki/Citoid
-
-- name: wikimedia-citoid
-  user_agent_regex: "Citoid/WMF"
-  action: ALLOW
-  remote_addresses: [
-    "208.80.152.0/22",
-    "2620:0:860::/46",
-  ]
-
-- name: wikimedia-zotero-translation-server
-  user_agent_regex: "ZoteroTranslationServer/WMF"
-  action: ALLOW
-  remote_addresses: [
-    "208.80.152.0/22",
-    "2620:0:860::/46",
-  ]

docs/docs/CHANGELOG.md

@@ -11,46 +11,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
-- Expose [pprof endpoints](https://pkg.go.dev/net/http/pprof) on the metrics listener to enable profiling Anubis in production.
-- fix: prevent nil pointer panic in challenge validation when threshold rules match during PassChallenge (#1463)
-- Instruct reverse proxies to not cache error pages.
-- Fixed mixed tab/space indentation in Caddy documentation code block
-- Improve error messages and fix broken REDIRECT_DOMAINS link in docs ([#1193](https://github.com/TecharoHQ/anubis/issues/1193))
-- Add Bulgarian locale ([#1394](https://github.com/TecharoHQ/anubis/pull/1394))
-
-<!-- This changes the project to: -->
-- Fix CEL internal errors when iterating `headers`/`query` map wrappers by implementing map iterators for `HTTPHeaders` and `URLValues` ([#1465](https://github.com/TecharoHQ/anubis/pull/1465)).
-
-## v1.25.0: Necron
-
-Hey all,
-
-I'm sure you've all been aware that things have been slowing down a little with Anubis development, and I want to apologize for that. A lot has been going on in my life lately (my blog will have a post out on Friday with more information), and as a result I haven't really had the energy to work on Anubis in publicly visible ways. There are things going on behind the scenes, but nothing is really shippable yet, sorry!
-
-I've also been feeling some burnout in the wake of perennial waves of anger directed towards me. I'm handling it, I'll be fine, I've just had a lot going on in my life and it's been rough.
-
-I've been missing the sense of wanderlust and discovery that comes with the artistic way I playfully develop software. I suspect that some of the stresses I've been through (setting up a complicated surgery in a country whose language you aren't fluent in is kind of an experience) have been sapping my energy. I'd gonna try to mess with things on my break, but realistically I'm probably just gonna be either watching Stargate SG-1 or doing unreasonable amounts of ocean fishing in Final Fantasy 14. Normally I'd love to keep the details about my medical state fairly private, but I'm more of a public figure now than I was this time last year so I don't really get the invisibility I'm used to for this.
-
-I've also had a fair amount of negativity directed at me for simply being much more visible than the anonymous threat actors running the scrapers that are ruining everything, which though understandable has not helped.
-
-Anyways, it all worked out and I'm about to be in the hospital for a week, so if things go really badly with this release please downgrade to the last version and/or upgrade to the main branch when the fix PR is inevitably merged. I hoped to have time to tame GPG and set up full release automation in the Anubis repo, but that didn't work out this time and that's okay.
-
-If I can challenge you all to do something, go out there and try to actually create something new somehow. Combine ideas you've never mixed before. Be creative, be human, make something purely for yourself to scratch an itch that you've always had yet never gotten around to actually mending.
-
-At the very least, try to be an example of how you want other people to act, even when you're in a situation where software written by someone else is configured to require a user agent to execute javascript to access a webpage.
-
-Be well,
-
-Xe
-
-PS: if you're well-versed in FFXIV lore, the release title should give you an idea of the kind of stuff I've been going through mentally.
-
 - Add iplist2rule tool that lets admins turn an IP address blocklist into an Anubis ruleset.
 - Add Polish locale ([#1292](https://github.com/TecharoHQ/anubis/pull/1309))
 - Fix honeypot and imprint links missing `BASE_PREFIX` when deployed behind a path prefix ([#1402](https://github.com/TecharoHQ/anubis/issues/1402))
-- Add ANEXIA Sponsor logo to docs ([#1409](https://github.com/TecharoHQ/anubis/pull/1409))
 - Improve idle performance in memory storage
-- Add HAProxy Configurations to Docs ([#1424](https://github.com/TecharoHQ/anubis/pull/1424))
+
+<!-- This changes the project to: -->
 
 ## v1.24.0: Y'shtola Rhul
 

docs/docs/admin/environments/caddy.mdx

@@ -62,9 +62,9 @@ yourdomain.example.com {
   tls your@email.address
 
   reverse_proxy http://anubis:3000 {
-    header_up X-Real-Ip {remote_host}
+		header_up X-Real-Ip {remote_host}
-    header_up X-Http-Version {http.request.proto}
+		header_up X-Http-Version {http.request.proto}
-  }
+	}
 }
 ```
 

docs/docs/admin/environments/haproxy.mdx

@@ -1,101 +0,0 @@
-# HAProxy
-
-import CodeBlock from "@theme/CodeBlock";
-
-To use Anubis with HAProxy, you have two variants:
-  - simple - stick Anubis between HAProxy and your application backend (simple)
-    - perfect if you only have a single application in general
-  - advanced - force Anubis challenge by default and route to the application backend by HAProxy if the challenge is correct
-    - useful for complex setups
-    - routing can be done in HAProxy
-    - define ACLs in HAProxy for domains, paths etc which are required/excluded regarding Anubis
-    - HAProxy 3.0 recommended
-
-## Simple Variant
-
-```mermaid
----
-title: HAProxy with simple config
----
-flowchart LR
-    T(User Traffic)
-    HAProxy(HAProxy Port 80/443)
-    Anubis
-    Application
-
-    T --> HAProxy
-    HAProxy --> Anubis
-    Anubis --> |Happy Traffic| Application
-```
-
-Your Anubis env file configuration may look like this:
-
-import simpleAnubis from "!!raw-loader!./haproxy/simple-config.env";
-
-<CodeBlock language="bash">{simpleAnubis}</CodeBlock>
-
-The important part is that `TARGET` points to your actual application and if Anubis and HAProxy are on the same machine, a UNIX socket can be used.
-
-Your frontend and backend configuration of HAProxy may look like the following:
-
-import simpleHAProxy from "!!raw-loader!./haproxy/simple-haproxy.cfg";
-
-<CodeBlock language="bash">{simpleHAProxy}</CodeBlock>
-
-This simply enables SSL offloading, sets some useful and required headers and routes to Anubis directly.
-
-## Advanced Variant
-
-Due to the fact that HAProxy can decode JWT, we are able to verify the Anubis token directly in HAProxy and route the traffic to the specific backends ourselves.
-
-Mind that rule logic to allow Git HTTP and other legit bot traffic to bypass is delegated from Anubis to HAProxy then. If required, you should implement any whitelisting in HAProxy using `acl_anubis_ignore` yourself.
-
-In this example are three applications behind one HAProxy frontend. Only App1 and App2 are secured via Anubis; App3 is open for everyone. The path `/excluded/path` can also be accessed by anyone.
-
-```mermaid
----
-title: HAProxy with advanced config
----
-
-flowchart LR
-    T(User Traffic)
-    HAProxy(HAProxy Port 80/443)
-    B1(App1)
-    B2(App2)
-    B3(App3)
-    Anubis
-
-    T --> HAProxy
-    HAProxy --> |Traffic for App1 and App2 without valid challenge| Anubis
-    HAProxy --> |app1.example.com | B1
-    HAProxy --> |app2.example.com| B2
-    HAProxy --> |app3.example.com| B3
-```
-
-:::note
-
-For an improved JWT decoding performance, it's recommended to use HAProxy version 3.0 or above.
-
-:::
-
-Your Anubis env file configuration may look like this:
-
-import advancedAnubis from "!!raw-loader!./haproxy/advanced-config.env";
-
-<CodeBlock language="bash">{advancedAnubis}</CodeBlock>
-
-It's important to use `HS512_SECRET` which HAProxy understands. Please replace `<SECRET-HERE>` with your own secret string (alphanumerical string with 128 characters recommended).
-
-You can set Anubis to force a challenge for every request using the following policy file:
-
-import advancedAnubisPolicy from "!!raw-loader!./haproxy/advanced-config-policy.yml";
-
-<CodeBlock language="yaml">{advancedAnubisPolicy}</CodeBlock>
-
-The HAProxy config file may look like this:
-
-import advancedHAProxy from "!!raw-loader!./haproxy/advanced-haproxy.cfg";
-
-<CodeBlock language="haproxy">{advancedHAProxy}</CodeBlock>
-
-Please replace `<SECRET-HERE>` with the same secret from the Anubis config.

docs/docs/admin/environments/haproxy/advanced-config-policy.yml

@@ -1,15 +0,0 @@
-# /etc/anubis/challenge-any.yml
-
-bots:
-  - name: any
-    action: CHALLENGE
-    user_agent_regex: .*
-
-status_codes:
-  CHALLENGE: 403
-  DENY: 403
-
-thresholds: []
-
-dnsbl: false
-

docs/docs/admin/environments/haproxy/advanced-config.env

@@ -1,11 +0,0 @@
-# /etc/anubis/default.env
-
-BIND=/run/anubis/default.sock
-BIND_NETWORK=unix
-DIFFICULTY=4
-METRICS_BIND=:9090
-# target is irrelevant here, backend routing happens in HAProxy
-TARGET=http://0.0.0.0
-HS512_SECRET=<SECRET-HERE>
-COOKIE_DYNAMIC_DOMAIN=True
-POLICY_FNAME=/etc/anubis/challenge-any.yml

docs/docs/admin/environments/haproxy/advanced-haproxy.cfg

@@ -1,59 +0,0 @@
-# /etc/haproxy/haproxy.cfg
-
-frontend FE-multiple-applications
-  mode http
-  bind :80
-  # ssl offloading on port 443 using a certificate from /etc/haproxy/ssl/ directory
-  bind :443 ssl crt /etc/haproxy/ssl/ alpn h2,http/1.1 ssl-min-ver TLSv1.2 no-tls-tickets
-
-  # set X-Real-IP header required for Anubis
-  http-request set-header X-Real-IP "%[src]"
-
-  # redirect HTTP to HTTPS
-  http-request redirect scheme https code 301 unless { ssl_fc }
-  # add HSTS header
-  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
-
-  # only force Anubis challenge for app1 and app2
-  acl acl_anubis_required hdr(host) -i "app1.example.com"
-  acl acl_anubis_required hdr(host) -i "app2.example.com"
-
-  # exclude Anubis for a specific path
-  acl acl_anubis_ignore path /excluded/path
-
-  # use Anubis if auth cookie not found
-  use_backend BE-anubis if acl_anubis_required !acl_anubis_ignore !{ req.cook(techaro.lol-anubis-auth) -m found }
-
-  # get payload of the JWT such as algorithm, expire time, restrictions
-  http-request set-var(txn.anubis_jwt_alg) req.cook(techaro.lol-anubis-auth),jwt_header_query('$.alg') if acl_anubis_required !acl_anubis_ignore
-  http-request set-var(txn.anubis_jwt_exp) cook(techaro.lol-anubis-auth),jwt_payload_query('$.exp','int') if acl_anubis_required !acl_anubis_ignore
-  http-request set-var(txn.anubis_jwt_res) cook(techaro.lol-anubis-auth),jwt_payload_query('$.restriction') if acl_anubis_required !acl_anubis_ignore
-  http-request set-var(txn.srcip) req.fhdr(X-Real-IP) if acl_anubis_required !acl_anubis_ignore
-  http-request set-var(txn.now) date() if acl_anubis_required !acl_anubis_ignore
-
-  # use Anubis if JWT has wrong algorithm, is expired, restrictions don't match or isn't signed with the correct key
-  use_backend BE-anubis if acl_anubis_required !acl_anubis_ignore !{ var(txn.anubis_jwt_alg) -m str HS512 }
-  use_backend BE-anubis if acl_anubis_required !acl_anubis_ignore { var(txn.anubis_jwt_exp),sub(txn.now) -m int lt 0 }
-  use_backend BE-anubis if acl_anubis_required !acl_anubis_ignore !{ var(txn.srcip),digest(sha256),hex,lower,strcmp(txn.anubis_jwt_res) eq 0 }
-  use_backend BE-anubis if acl_anubis_required !acl_anubis_ignore !{ cook(techaro.lol-anubis-auth),jwt_verify(txn.anubis_jwt_alg,"<SECRET-HERE>") -m int 1 }
-
-  # custom routing in HAProxy
-  use_backend BE-app1 if { hdr(host) -i "app1.example.com" }
-  use_backend BE-app2 if { hdr(host) -i "app2.example.com" }
-  use_backend BE-app3 if { hdr(host) -i "app3.example.com" }
-
-backend BE-app1
-  mode http
-  server app1-server 127.0.0.1:3000
-
-backend BE-app2
-  mode http
-  server app2-server 127.0.0.1:4000
-
-backend BE-app3
-  mode http
-  server app3-server 127.0.0.1:5000
-
-BE-anubis
-  mode http
-  server anubis /run/anubis/default.sock

docs/docs/admin/environments/haproxy/simple-config.env

@@ -1,10 +0,0 @@
-# /etc/anubis/default.env
-
-BIND=/run/anubis/default.sock
-BIND_NETWORK=unix
-SOCKET_MODE=0666
-DIFFICULTY=4
-METRICS_BIND=:9090
-COOKIE_DYNAMIC_DOMAIN=true
-# address and port of the actual application
-TARGET=http://localhost:3000

docs/docs/admin/environments/haproxy/simple-haproxy.cfg

@@ -1,22 +0,0 @@
-# /etc/haproxy/haproxy.cfg
-
-frontend FE-application
-  mode http
-  bind :80
-  # ssl offloading on port 443 using a certificate from /etc/haproxy/ssl/ directory
-  bind :443 ssl crt /etc/haproxy/ssl/ alpn h2,http/1.1 ssl-min-ver TLSv1.2 no-tls-tickets
-
-  # set X-Real-IP header required for Anubis
-  http-request set-header X-Real-IP "%[src]"
-
-  # redirect HTTP to HTTPS
-  http-request redirect scheme https code 301 unless { ssl_fc }
-  # add HSTS header
-  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
-
-  # route to Anubis backend by default
-  default_backend BE-anubis-application
-
-BE-anubis-application
-  mode http
-  server anubis /run/anubis/default.sock

docs/docs/admin/environments/kubernetes.mdx

@@ -130,52 +130,3 @@ Then point your Ingress to the Anubis port:
               # diff-add
               name: anubis
 ```
-
-## Envoy Gateway
-
-If you are using envoy-gateway, the `X-Real-Ip` header is not set by default, but Anubis does require it. You can resolve this by adding the header, either on the specific `HTTPRoute` where Anubis is listening, or on the `ClientTrafficPolicy` to apply it to any number of Gateways:
-
-HTTPRoute:
-```yaml
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: app-route
-spec:
-  hostnames: ["app.domain.tld"]
-  parentRefs:
-    - name: envoy-external
-      namespace: network
-      sectionName: https
-  rules:
-    - backendRefs:
-        - identifier: *app
-          port: anubis
-      filters:
-        - type: RequestHeaderModifier
-          requestHeaderModifier:
-            set:
-              - name: X-Real-Ip
-                value: "%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%"
-```
-
-Applying to any number of Gateways:
-```yaml
-apiVersion: gateway.envoyproxy.io/v1alpha1
-kind: ClientTrafficPolicy
-metadata:
-  name: envoy
-spec:
-  headers:
-    earlyRequestHeaders:
-      set:
-        - name: X-Real-Ip
-          value: "%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%"
-  clientIPDetection:
-    xForwardedFor:
-      trustedCIDRs:
-        - 10.96.0.0/16 # Cluster pod CIDR
-  targetSelectors: # These will apply to all Gateways
-    - group: gateway.networking.k8s.io
-      kind: Gateway
-```

docs/docs/admin/installation.mdx

@@ -95,7 +95,7 @@ Anubis uses these environment variables for configuration:
 | `OVERLAY_FOLDER`               | unset                   | <EO /> If set, treat the given path as an [overlay folder](./botstopper.mdx#custom-images-and-css), allowing you to customize CSS, fonts, images, and add other assets to BotStopper deployments.                                                                                                                                                                                                                                                                                                                                              |
 | `POLICY_FNAME`                 | unset                   | The file containing [bot policy configuration](./policies.mdx). See the bot policy documentation for more details. If unset, the default bot policy configuration is used.                                                                                                                                                                                                                                                                                                                                                                     |
 | `PUBLIC_URL`                   | unset                   | The externally accessible URL for this Anubis instance, used for constructing redirect URLs (e.g., for Traefik forwardAuth). Leave it unset when Anubis terminates traffic directly (sidecar/standalone deployments) or redirect building will fail with `redir=null`.                                                                                                                                                                                                                                                                         |
-| `REDIRECT_DOMAINS`             | unset                   | Comma-separated list of domain names that Anubis should allow redirects to when passing a challenge. See [Redirect Domain Configuration](./configuration/redirect-domains.mdx) for more details.                                                                                                                                                                                                                                                                                                                                                   |
+| `REDIRECT_DOMAINS`             | unset                   | Comma-separated list of domain names that Anubis should allow redirects to when passing a challenge. See [Redirect Domain Configuration](./configuration/redirect-domains) for more details.                                                                                                                                                                                                                                                                                                                                                   |
 | `SERVE_ROBOTS_TXT`             | `false`                 | If set `true`, Anubis will serve a default `robots.txt` file that disallows all known AI scrapers by name and then additionally disallows every scraper. This is useful if facts and circumstances make it difficult to change the underlying service to serve such a `robots.txt` file.                                                                                                                                                                                                                                                       |
 | `SLOG_LEVEL`                   | `INFO`                  | The log level for structured logging. Valid values are `DEBUG`, `INFO`, `WARN`, and `ERROR`. Set to `DEBUG` to see all requests, evaluations, and detailed diagnostic information.                                                                                                                                                                                                                                                                                                                                                             |
 | `SOCKET_MODE`                  | `0770`                  | _Only used when at least one of the `*_BIND_NETWORK` variables are set to `unix`._ The socket mode (permissions) for Unix domain sockets.                                                                                                                                                                                                                                                                                                                                                                                                      |
@@ -203,7 +203,6 @@ To get Anubis filtering your traffic, you need to make sure it's added to your H
 - [Kubernetes](./environments/kubernetes.mdx)
 - [Nginx](./environments/nginx.mdx)
 - [Traefik](./environments/traefik.mdx)
-- [HAProxy](./environments/haproxy.mdx)
 
 :::note
 

docs/docs/admin/native-install.mdx

@@ -143,4 +143,3 @@ For more details on particular reverse proxies, see here:
 
 - [Apache](./environments/apache.mdx)
 - [Nginx](./environments/nginx.mdx)
-- [HAProxy](./environments/haproxy.mdx)

docs/docs/admin/policies.mdx

@@ -393,32 +393,6 @@ logging:
 
 When files are rotated out, the old files will be named after the rotation timestamp in [RFC 3339 format](https://www.rfc-editor.org/rfc/rfc3339).
 
-:::note
-
-If you are running Anubis in systemd via a native package, the default systemd unit settings are very restrictive and will forbid writing to folders in `/var/log`. In order to fix this, please make a [drop-in unit](https://www.flatcar.org/docs/latest/setup/systemd/drop-in-units/) like the following:
-
-```text
-# /etc/systemd/anubis@instance-name.service.d/50-var-log-readwrite.conf
-[Service]
-ReadWritePaths=/run /var/log/anubis
-```
-
-Once you write this to the correct place, reload the systemd configuration:
-
-```text
-sudo systemctl daemon-reload
-```
-
-And then restart Anubis:
-
-```text
-sudo systemctl restart anubis@instance-name
-```
-
-You may be required to make drop-ins for each Anubis instance depending on the facts and circumstances of your deployment.
-
-:::
-
 ### `stdio` sink
 
 By default, Anubis logs everything to the standard error stream of its process. This requires no configuration:

docs/docs/developer/code-quality.md

@@ -0,0 +1,31 @@
+---
+title: Code quality guidelines
+---
+
+When submitting code to Anubis, please take the time to consider the fact that this project is security software. If things go bad, bots can pummel sites into oblivion. This is not ideal for uptime.
+
+As such, code reviews will be a bit more strict than you have seen in other projects. This is not people trying to be mean, this is a side effect of taking the problem seriously.
+
+When making code changes, try to do the following:
+
+- If you're submitting a bugfix, add a test case for it
+- If you're changing the JavaScript, make sure the integration tests pass (`npm run test:integration`)
+
+## Commit messages
+
+Anubis follows the Go project's conventions for commit messages. In general, an ideal commit message should read like this:
+
+```text
+path/to/folder: brief description of the change
+
+If the change is subtle, has implementation consequences, or is otherwise
+not entirely self-describing: take the time to spell out why. If things
+are very subtle, please also amend the documentation accordingly
+```
+
+The subject of a commit message should be the second half of the sentence "This commit changes the Anubis project to:". Here's a few examples:
+
+- `disable DroneBL by default`
+- `port the challenge to WebAssembly`
+
+The extended commit message is also your place to give rationale for a new feature. When maintainers are reviewing your code, they will use this to figure out if the burden from feature maintainership is worth the merge.

docs/docs/index.mdx

@@ -35,21 +35,9 @@ Anubis is brought to you by sponsors and donors like:
 
 ### Gold Tier
 
-<a href="https://www.unipromos.com/?utm_campaign=github&utm_medium=referral&utm_content=anubis">
-  <img src="/img/sponsors/unipromos.webp" alt="Uvensys" height="64" />
-</a>
-<a href="https://uvensys.de/?utm_campaign=github&utm_medium=referral&utm_content=anubis">
-  <img src="/img/sponsors/uvensys.webp" alt="Uvensys" height="64" />
-</a>
 <a href="https://distrust.co?utm_campaign=github&utm_medium=referral&utm_content=anubis">
   <img src="/img/sponsors/distrust-logo.webp" alt="Distrust" height="64" />
 </a>
-<a href="https://about.gitea.com?utm_campaign=github&utm_medium=referral&utm_content=anubis">
-  <img src="/img/sponsors/gitea-logo.webp" alt="Gitea" height="64" />
-</a>
-<a href="https://prolocation.net?utm_campaign=github&utm_medium=referral&utm_content=anubis">
-  <img src="/img/sponsors/prolocation-logo.svg" alt="Prolocation" height="64" />
-</a>
 <a href="https://terminaltrove.com/?utm_campaign=github&utm_medium=referral&utm_content=anubis&utm_source=abgh">
   <img
     src="/img/sponsors/terminal-trove.webp"
@@ -87,9 +75,6 @@ Anubis is brought to you by sponsors and donors like:
     height="64"
   />
 </a>
-<a href="https://dd-wrt.com/">
-  <img src="/img/sponsors/ddwrt-logo.webp" alt="embeDD GmbH" height="64" />
-</a>
 
 ## Overview
 

docs/docs/user/frequently-asked-questions.mdx

@@ -22,24 +22,3 @@ If you use a browser extension such as [JShelter](https://jshelter.org/), you wi
 ## Does Anubis mine Bitcoin?
 
 No. Anubis does not mine Bitcoin or any other cryptocurrency.
-
-## I disabled Just-in-time compilation in my browser. Why is Anubis slow?
-
-Anubis proof-of-work checks run an open source JavaScript program in your browser. These checks do a lot of complicated math and aim to be done quickly, so the execution speed depends on [Just-in-time (JIT) compilation](https://en.wikipedia.org/wiki/Just-in-time_compilation). JIT compiles JavaScript from the Internet into native machine code at runtime. The code produced by the JIT engine is almost as good as if it was written in a native programming language and compiled for your computer in particular. Without JIT, all JavaScript programs on every website you visit run through a slow interpreter.
-
-This interpreter is much slower than native code because it has to translate each low level JavaScript operation into many dozens of calls to execute. This means that using the interpreter incurs a massive performance hit by its very nature; it takes longer to add numbers than if the CPU just added the numbers directly.
-
-Some users choose to disable JIT as a hardening measure against theoretical browser exploits. This is a reasonable choice if you face targeted attacks from well-resourced adversaries (such as nation-state actors), but it comes with real performance costs.
-
-If you've disabled JIT and find Anubis checks slow, re-enabling JIT is the fix. There is no way for Anubis to work around this on our end.
-
-## What versions of browsers does Anubis support?
-
-Anubis is written mainly by a single person in a basement in Canada. As such it is impossible for Anubis to support every version of every browser on the planet. As such, here's a few rules of thumb for the browsers that Anubis focuses on supporting:
-
-- At least the two (2) most recent LTS releases of Firefox and Chrome.
-- At least the version of Chromium as used by the Samsung Browser on Android.
-- At least the last version of Chromium and Firefox that are known to run on Windows 7.
-- At least the version of Safari that runs on the second-to-oldest iPhone model currently on the market.
-
-We cannot give more cohesive version bounds than this. If you run into problems, please file an issue. Sometimes you may just need to upgrade hardware though.

docs/docs/user/known-instances.md

@@ -38,8 +38,10 @@ This page contains a non-exhaustive list with all websites using Anubis.
 - https://squirreljme.cc/
 - https://superlove.sayitditto.net/
 - https://svnweb.freebsd.org/
+- https://trac.ffmpeg.org/
 - https://tumfatig.net/
 - https://wiki.archlinux.org/
+- https://wiki.dolphin-emu.org/
 - https://wiki.freepascal.org/
 - https://wiki.koha-community.org/
 - https://www.cfaarchive.org/
@@ -51,11 +53,6 @@ This page contains a non-exhaustive list with all websites using Anubis.
   - https://bbs.archlinux32.org/
   - https://bugs.archlinux32.org/
   </details>
-- <details>
-  <summary>Dolphin Emulator</summary>
-  - https://forums.dolphin-emu.org/
-  - https://wiki.dolphin-emu.org/
-  </details>
 - <details>
   <summary>Duke University</summary>
   - https://repository.duke.edu/
@@ -63,11 +60,6 @@ This page contains a non-exhaustive list with all websites using Anubis.
   - https://find.library.duke.edu/
   - https://nicholas.duke.edu/
   </details>
-- <details>
-  <summary>FFmpeg</summary>
-  - https://git.ffmpeg.org/
-  - https://trac.ffmpeg.org/
-  </details>
 - <details>
   <summary>Forschungszentrum Jülich</summary>
   - https://juser.fz-juelich.de/
@@ -120,8 +112,11 @@ This page contains a non-exhaustive list with all websites using Anubis.
   - https://git.kernel.org/
   - https://lore.kernel.org/
   </details>
+- <details>
+  <summary>The United Nations</summary>
+  - https://policytoolbox.iiep.unesco.org/
+  </details>
 - <details>
   <summary>Valve Corporation</summary>
   - https://developer.valvesoftware.com/wiki/Main_Page
-  - https://wiki.teamfortress.com/wiki/Main_Page
   </details>

docs/static/img/sponsors/prolocation-logo.svg

@@ -1,37 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<!-- Generator: Adobe Illustrator 15.1.0, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
-<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
-<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
-	 width="250px" height="42px" viewBox="0 0.05 250 42" enable-background="new 0 0.05 250 42" xml:space="preserve">
-<g>
-	<rect y="0.15" fill="#FFFFFF" width="42" height="42"/>
-	<polygon fill="#FF0600" points="0,42.05 10.5,42.05 10.5,10.55 31.5,10.55 31.5,31.55 21,31.55 10.5,42.05 42,42.05 42,0.05 
-		0,0.05 	"/>
-	<path fill="#222222" d="M59.1,24.95h-2.2v9.6h-5.3V8.05h7.5c5.7,0,7.5,3.3,7.5,8.5C66.6,21.65,64.9,24.95,59.1,24.95z M59,12.75h-2
-		v7.4h2c2.2,0,2.3-2,2.3-3.7C61.3,14.85,61.2,12.75,59,12.75z"/>
-	<path fill="#222222" d="M80.1,34.55l-3.2-10.3h-1.8v10.3h-5.3V8.05h7.6c5.8,0,7.4,3,7.4,8.1c0,2.8-0.4,5.4-3,7l3.9,11.5h-5.6V34.55
-		z M77.3,12.75h-2.2v6.7h2.2c2,0,2.1-1.8,2.1-3.4C79.4,14.55,79.3,12.75,77.3,12.75z"/>
-	<path fill="#222222" d="M101.2,32.149c-1.2,1.5-2.9,2.7-5.8,2.7s-4.6-1.2-5.8-2.7c-1.9-2.3-2-5.8-2-10.899c0-5.1,0.1-8.6,2-10.9
-		c1.2-1.5,2.9-2.7,5.8-2.7s4.6,1.2,5.8,2.7c1.9,2.3,2,5.8,2,10.9C103.2,26.35,103.1,29.85,101.2,32.149z M97.2,13.55
-		c-0.3-0.6-0.8-1-1.8-1s-1.5,0.4-1.8,1c-0.6,1.2-0.7,4.5-0.7,7.7c0,3.2,0.1,6.5,0.7,7.8c0.3,0.6,0.8,1,1.8,1s1.5-0.4,1.8-1
-		c0.6-1.2,0.7-4.5,0.7-7.8C97.9,18.05,97.8,14.75,97.2,13.55z"/>
-	<path fill="#222222" d="M106.5,34.55V8.05h5.3v21.8h6.9v4.8h-12.2V34.55z"/>
-	<path fill="#222222" d="M133.7,32.149c-1.2,1.5-2.9,2.7-5.8,2.7c-2.9,0-4.601-1.2-5.8-2.7c-1.9-2.3-2-5.8-2-10.899
-		c0-5.1,0.1-8.6,2-10.9c1.2-1.5,2.9-2.7,5.8-2.7c2.899,0,4.6,1.2,5.8,2.7c1.899,2.3,2,5.8,2,10.9
-		C135.7,26.35,135.6,29.85,133.7,32.149z M129.7,13.55c-0.3-0.6-0.8-1-1.8-1s-1.5,0.4-1.801,1c-0.6,1.2-0.7,4.5-0.7,7.7
-		c0,3.2,0.1,6.5,0.7,7.8c0.301,0.6,0.801,1,1.801,1s1.5-0.4,1.8-1c0.6-1.2,0.7-4.5,0.7-7.8C130.4,18.05,130.3,14.75,129.7,13.55z"/>
-	<path fill="#222222" d="M151.3,32.95c-1.3,1.3-2.899,1.899-5.1,1.899c-2.9,0-4.601-1.2-5.8-2.7c-1.9-2.3-2-5.8-2-10.899
-		c0-5.1,0.1-8.6,2-10.9c1.199-1.5,2.899-2.7,5.8-2.7c2.2,0,3.8,0.6,5.1,1.9c1.4,1.3,2.3,3.4,2.4,5.9h-5.3c0-0.7-0.101-1.5-0.4-2
-		c-0.3-0.6-0.8-1-1.8-1s-1.5,0.4-1.8,1c-0.601,1.2-0.7,4.5-0.7,7.7c0,3.2,0.1,6.5,0.7,7.8c0.3,0.6,0.8,1,1.8,1s1.5-0.4,1.8-1
-		c0.3-0.601,0.4-1.301,0.4-2.101h5.3C153.6,29.55,152.7,31.649,151.3,32.95z"/>
-	<path fill="#222222" d="M167.8,34.55l-0.899-4.1H160.8l-0.899,4.1h-5.5l6.899-26.5h5.2l6.8,26.5H167.8z M163.9,15.85l-2,9.8h4.1
-		L163.9,15.85z"/>
-	<path fill="#222222" d="M182.2,12.75v21.8h-5.3v-21.8h-4.5v-4.7H186.6v4.8H182.2V12.75z"/>
-	<path fill="#222222" d="M189.5,34.55V8.05h5.3v26.5H189.5z"/>
-	<path fill="#222222" d="M211.7,32.149c-1.2,1.5-2.9,2.7-5.8,2.7c-2.9,0-4.601-1.2-5.801-2.7c-1.899-2.3-2-5.8-2-10.899
-		c0-5.1,0.101-8.6,2-10.9c1.2-1.5,2.9-2.7,5.801-2.7c2.899,0,4.6,1.2,5.8,2.7c1.899,2.3,2,5.8,2,10.9
-		C213.7,26.35,213.5,29.85,211.7,32.149z M207.6,13.55c-0.3-0.6-0.8-1-1.8-1s-1.5,0.4-1.8,1c-0.6,1.2-0.7,4.5-0.7,7.7
-		c0,3.2,0.101,6.5,0.7,7.8c0.3,0.6,0.8,1,1.8,1s1.5-0.4,1.8-1c0.601-1.2,0.7-4.5,0.7-7.8C208.3,18.05,208.3,14.75,207.6,13.55z"/>
-	<path fill="#222222" d="M227.9,34.55l-5.601-13v13H217V8.05h4.6l5.5,13v-13h5.301v26.5H227.9z"/>
-</g>
-</svg>

internal/glob/glob.go

@@ -36,7 +36,7 @@ func Glob(pattern, subj string) bool {
 	end := len(parts) - 1
 
 	// Go over the leading parts and ensure they match.
-	for i := range end {
+	for i := 0; i < end; i++ {
 		idx := strings.Index(subj, parts[i])
 
 		switch i {

internal/hash_bench_test.go

@@ -184,7 +184,7 @@ func TestHashCollisions(t *testing.T) {
 	for _, prefix := range prefixes {
 		for _, suffix := range suffixes {
 			for _, variation := range variations {
-				for i := range 100 {
+				for i := 0; i < 100; i++ {
 					input := fmt.Sprintf("%s%s%s-%d", prefix, suffix, variation, i)
 					hash := XXHash64sum(input)
 					if existing, exists := xxhashHashes[hash]; exists {
@@ -211,7 +211,7 @@ func TestHashCollisions(t *testing.T) {
 
 	seqCount := 0
 	for _, pattern := range patterns {
-		for i := range 10000 {
+		for i := 0; i < 10000; i++ {
 			input := fmt.Sprintf(pattern, i)
 			hash := XXHash64sum(input)
 			if existing, exists := xxhashHashes[hash]; exists {

internal/honeypot/naive/naive.go

@@ -120,7 +120,7 @@ func (i *Impl) makeAffirmations() []string {
 	count := rand.IntN(5) + 1
 
 	var result []string
-	for range count {
+	for j := 0; j < count; j++ {
 		result = append(result, i.affirmation.Spin())
 	}
 
@@ -131,7 +131,7 @@ func (i *Impl) makeSpins() []string {
 	count := rand.IntN(5) + 1
 
 	var result []string
-	for range count {
+	for j := 0; j < count; j++ {
 		result = append(result, i.body.Spin())
 	}
 

internal/listor.go

@@ -16,7 +16,7 @@ func (lo *ListOr[T]) UnmarshalJSON(data []byte) error {
 
 	// Check if first non-whitespace character is '['
 	firstChar := data[0]
-	for i := range data {
+	for i := 0; i < len(data); i++ {
 		if data[i] != ' ' && data[i] != '\t' && data[i] != '\n' && data[i] != '\r' {
 			firstChar = data[i]
 			break
@@ -36,4 +36,4 @@ func (lo *ListOr[T]) UnmarshalJSON(data []byte) error {
 	}
 
 	return nil
-}
+}

internal/ogtags/mem_test.go

@@ -95,7 +95,7 @@ func TestMemoryUsage(t *testing.T) {
 
 	// Run getTarget many times
 	u, _ := url.Parse("/path/to/resource?query=1&foo=bar&baz=qux")
-	for range 10000 {
+	for i := 0; i < 10000; i++ {
 		_ = cache.getTarget(u)
 	}
 
@@ -129,7 +129,7 @@ func TestMemoryUsage(t *testing.T) {
 	runtime.GC()
 	runtime.ReadMemStats(&m1)
 
-	for range 1000 {
+	for i := 0; i < 1000; i++ {
 		_ = cache.extractOGTags(doc)
 	}
 

internal/ogtags/ogtags_fuzz_test.go

@@ -3,7 +3,6 @@ package ogtags
 import (
 	"context"
 	"net/url"
-	"slices"
 	"strings"
 	"testing"
 	"unicode/utf8"
@@ -79,7 +78,7 @@ func FuzzGetTarget(f *testing.F) {
 		}
 
 		// Ensure no memory corruption by calling multiple times
-		for range 3 {
+		for i := 0; i < 3; i++ {
 			result2 := cache.getTarget(u)
 			if result != result2 {
 				t.Errorf("getTarget not deterministic: %q != %q", result, result2)
@@ -149,8 +148,11 @@ func FuzzExtractOGTags(f *testing.F) {
 				}
 			}
 			if !approved {
-				if slices.Contains(cache.approvedTags, property) {
+				for _, tag := range cache.approvedTags {
-					approved = true
+					if property == tag {
+						approved = true
+						break
+					}
 				}
 			}
 			if !approved {
@@ -258,8 +260,11 @@ func FuzzExtractMetaTagInfo(f *testing.F) {
 				}
 			}
 			if !approved {
-				if slices.Contains(cache.approvedTags, property) {
+				for _, tag := range cache.approvedTags {
-					approved = true
+					if property == tag {
+						approved = true
+						break
+					}
 				}
 			}
 			if !approved {

internal/ogtags/parse.go

@@ -1,7 +1,6 @@
 package ogtags
 
 import (
-	"slices"
 	"strings"
 
 	"golang.org/x/net/html"
@@ -66,8 +65,10 @@ func (c *OGTagCache) extractMetaTagInfo(n *html.Node) (property, content string)
 	}
 
 	// Check exact matches
-	if slices.Contains(c.approvedTags, propertyKey) {
+	for _, tag := range c.approvedTags {
-		return propertyKey, content
+		if propertyKey == tag {
+			return propertyKey, content
+		}
 	}
 
 	return "", content

internal/test/playwright_test.go

@@ -270,7 +270,7 @@ func TestPlaywrightBrowser(t *testing.T) {
 
 				var performedAction action
 				var err error
-				for i := range 5 {
+				for i := 0; i < 5; i++ {
 					performedAction, err = executeTestCase(t, tc, typ, anubisURL)
 					if performedAction == tc.action {
 						break

lib/anubis.go

@@ -81,11 +81,11 @@ type Server struct {
 func (s *Server) getTokenKeyfunc() jwt.Keyfunc {
 	// return ED25519 key if HS512 is not set
 	if len(s.hs512Secret) == 0 {
-		return func(token *jwt.Token) (any, error) {
+		return func(token *jwt.Token) (interface{}, error) {
 			return s.ed25519Priv.Public().(ed25519.PublicKey), nil
 		}
 	} else {
-		return func(token *jwt.Token) (any, error) {
+		return func(token *jwt.Token) (interface{}, error) {
 			return s.hs512Secret, nil
 		}
 	}
@@ -106,13 +106,6 @@ func (s *Server) issueChallenge(ctx context.Context, r *http.Request, lg *slog.L
 		//return nil, errors.New("[unexpected] this codepath should be impossible, asked to issue a challenge for a non-challenge rule")
 	}
 
-	if rule.Challenge == nil {
-		rule.Challenge = &config.ChallengeRules{
-			Difficulty: s.policy.DefaultDifficulty,
-			Algorithm:  config.DefaultAlgorithm,
-		}
-	}
-
 	id, err := uuid.NewV7()
 	if err != nil {
 		return nil, err
@@ -498,11 +491,7 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
 	chall, err := s.getChallenge(r)
 	if err != nil {
 		lg.Error("getChallenge failed", "err", err)
-		algorithm := "unknown"
+		s.respondWithError(w, r, fmt.Sprintf("%s: %s", localizer.T("internal_server_error"), rule.Challenge.Algorithm), makeCode(err))
-		if rule.Challenge != nil {
-			algorithm = rule.Challenge.Algorithm
-		}
-		s.respondWithError(w, r, fmt.Sprintf("%s: %s", localizer.T("internal_server_error"), algorithm), makeCode(err))
 		return
 	}
 
@@ -649,16 +638,8 @@ func (s *Server) check(r *http.Request, lg *slog.Logger) (policy.CheckResult, *p
 		}
 
 		if matches {
-			challRules := t.Challenge
-			if challRules == nil {
-				// Non-CHALLENGE thresholds (ALLOW/DENY) don't have challenge config.
-				// Use an empty struct so hydrateChallengeRule can fill from stored
-				// challenge data during validation, rather than baking in defaults
-				// that could mismatch the difficulty the client actually solved for.
-				challRules = &config.ChallengeRules{}
-			}
 			return cr("threshold/"+t.Name, t.Action, weight), &policy.Bot{
-				Challenge: challRules,
+				Challenge: t.Challenge,
 				Rules:     &checker.List{},
 			}, nil
 		}

lib/anubis_test.go

@@ -38,8 +38,8 @@ func NewTLogWriter(t *testing.T) io.Writer {
 
 // Write splits input on newlines and logs each line separately.
 func (w *TLogWriter) Write(p []byte) (n int, err error) {
-	lines := strings.SplitSeq(string(p), "\n")
+	lines := strings.Split(string(p), "\n")
-	for line := range lines {
+	for _, line := range lines {
 		if line != "" {
 			w.t.Log(line)
 		}

lib/challenge/error.go

@@ -10,7 +10,6 @@ var (
 	ErrFailed        = errors.New("challenge: user failed challenge")
 	ErrMissingField  = errors.New("challenge: missing field")
 	ErrInvalidFormat = errors.New("challenge: field has invalid format")
-	ErrInvalidInput  = errors.New("challenge: input is nil or missing required fields")
 )
 
 func NewError(verb, publicReason string, privateReason error) *Error {

lib/challenge/interface.go

@@ -1,7 +1,6 @@
 package challenge
 
 import (
-	"fmt"
 	"log/slog"
 	"net/http"
 	"sort"
@@ -51,44 +50,12 @@ type IssueInput struct {
 	Store     store.Interface
 }
 
-func (in *IssueInput) Valid() error {
-	if in == nil {
-		return fmt.Errorf("%w: IssueInput is nil", ErrInvalidInput)
-	}
-	if in.Rule == nil {
-		return fmt.Errorf("%w: Rule is nil", ErrInvalidInput)
-	}
-	if in.Rule.Challenge == nil {
-		return fmt.Errorf("%w: Rule.Challenge is nil", ErrInvalidInput)
-	}
-	if in.Challenge == nil {
-		return fmt.Errorf("%w: Challenge is nil", ErrInvalidInput)
-	}
-	return nil
-}
-
 type ValidateInput struct {
 	Rule      *policy.Bot
 	Challenge *Challenge
 	Store     store.Interface
 }
 
-func (in *ValidateInput) Valid() error {
-	if in == nil {
-		return fmt.Errorf("%w: ValidateInput is nil", ErrInvalidInput)
-	}
-	if in.Rule == nil {
-		return fmt.Errorf("%w: Rule is nil", ErrInvalidInput)
-	}
-	if in.Rule.Challenge == nil {
-		return fmt.Errorf("%w: Rule.Challenge is nil", ErrInvalidInput)
-	}
-	if in.Challenge == nil {
-		return fmt.Errorf("%w: Challenge is nil", ErrInvalidInput)
-	}
-	return nil
-}
-
 type Impl interface {
 	// Setup registers any additional routes with the Impl for assets or API routes.
 	Setup(mux *http.ServeMux)

lib/challenge/metarefresh/metarefresh.go

@@ -24,10 +24,6 @@ type Impl struct{}
 func (i *Impl) Setup(mux *http.ServeMux) {}
 
 func (i *Impl) Issue(w http.ResponseWriter, r *http.Request, lg *slog.Logger, in *challenge.IssueInput) (templ.Component, error) {
-	if err := in.Valid(); err != nil {
-		return nil, err
-	}
-
 	u, err := r.URL.Parse(anubis.BasePrefix + "/.within.website/x/cmd/anubis/api/pass-challenge")
 	if err != nil {
 		return nil, fmt.Errorf("can't render page: %w", err)
@@ -53,10 +49,6 @@ func (i *Impl) Issue(w http.ResponseWriter, r *http.Request, lg *slog.Logger, in
 }
 
 func (i *Impl) Validate(r *http.Request, lg *slog.Logger, in *challenge.ValidateInput) error {
-	if err := in.Valid(); err != nil {
-		return challenge.NewError("validate", "invalid input", err)
-	}
-
 	wantTime := in.Challenge.IssuedAt.Add(time.Duration(in.Rule.Challenge.Difficulty) * 800 * time.Millisecond)
 
 	if time.Now().Before(wantTime) {

lib/challenge/preact/preact.go

@@ -39,10 +39,6 @@ type impl struct{}
 func (i *impl) Setup(mux *http.ServeMux) {}
 
 func (i *impl) Issue(w http.ResponseWriter, r *http.Request, lg *slog.Logger, in *challenge.IssueInput) (templ.Component, error) {
-	if err := in.Valid(); err != nil {
-		return nil, err
-	}
-
 	u, err := r.URL.Parse(anubis.BasePrefix + "/.within.website/x/cmd/anubis/api/pass-challenge")
 	if err != nil {
 		return nil, fmt.Errorf("can't render page: %w", err)
@@ -61,10 +57,6 @@ func (i *impl) Issue(w http.ResponseWriter, r *http.Request, lg *slog.Logger, in
 }
 
 func (i *impl) Validate(r *http.Request, lg *slog.Logger, in *challenge.ValidateInput) error {
-	if err := in.Valid(); err != nil {
-		return challenge.NewError("validate", "invalid input", err)
-	}
-
 	wantTime := in.Challenge.IssuedAt.Add(time.Duration(in.Rule.Challenge.Difficulty) * 80 * time.Millisecond)
 
 	if time.Now().Before(wantTime) {

lib/challenge/proofofwork/proofofwork.go

@@ -33,10 +33,6 @@ func (i *Impl) Issue(w http.ResponseWriter, r *http.Request, lg *slog.Logger, in
 }
 
 func (i *Impl) Validate(r *http.Request, lg *slog.Logger, in *chall.ValidateInput) error {
-	if err := in.Valid(); err != nil {
-		return chall.NewError("validate", "invalid input", err)
-	}
-
 	rule := in.Rule
 	challenge := in.Challenge.RandomData
 

lib/challenge/proofofwork/proofofwork_test.go

@@ -30,62 +30,6 @@ func mkRequest(t *testing.T, values map[string]string) *http.Request {
 	return req
 }
 
-// TestValidateNilRuleChallenge reproduces the panic from
-// https://github.com/TecharoHQ/anubis/issues/1463
-//
-// When a threshold rule matches during PassChallenge, check() can return
-// a policy.Bot with Challenge == nil. After hydrateChallengeRule fails to
-// run (or the error path hits before it), Validate dereferences
-// rule.Challenge.Difficulty and panics.
-func TestValidateNilRuleChallenge(t *testing.T) {
-	i := &Impl{Algorithm: "fast"}
-	lg := slog.With()
-
-	// This is the exact response for SHA256("hunter" + "0") with 0 leading zeros required.
-	const challengeStr = "hunter"
-	const response = "2652bdba8fb4d2ab39ef28d8534d7694c557a4ae146c1e9237bd8d950280500e"
-
-	req := mkRequest(t, map[string]string{
-		"nonce":       "0",
-		"elapsedTime": "69",
-		"response":    response,
-	})
-
-	for _, tc := range []struct {
-		name  string
-		input *challenge.ValidateInput
-	}{
-		{
-			name: "nil-rule-challenge",
-			input: &challenge.ValidateInput{
-				Rule:      &policy.Bot{},
-				Challenge: &challenge.Challenge{RandomData: challengeStr},
-			},
-		},
-		{
-			name: "nil-rule",
-			input: &challenge.ValidateInput{
-				Challenge: &challenge.Challenge{RandomData: challengeStr},
-			},
-		},
-		{
-			name:  "nil-challenge",
-			input: &challenge.ValidateInput{Rule: &policy.Bot{Challenge: &config.ChallengeRules{Algorithm: "fast"}}},
-		},
-		{
-			name:  "nil-input",
-			input: nil,
-		},
-	} {
-		t.Run(tc.name, func(t *testing.T) {
-			err := i.Validate(req, lg, tc.input)
-			if !errors.Is(err, challenge.ErrInvalidInput) {
-				t.Fatalf("expected ErrInvalidInput, got: %v", err)
-			}
-		})
-	}
-}
-
 func TestBasic(t *testing.T) {
 	i := &Impl{Algorithm: "fast"}
 	bot := &policy.Bot{

lib/config/config.go

@@ -19,7 +19,7 @@ import (
 var (
 	ErrNoBotRulesDefined                 = errors.New("config: must define at least one (1) bot rule")
 	ErrBotMustHaveName                   = errors.New("config.Bot: must set name")
-	ErrBotMustHaveUserAgentOrPath        = errors.New("config.Bot: must set one of user_agent_regex, path_regex, headers_regex, remote_addresses, expression, or Thoth keyword")
+	ErrBotMustHaveUserAgentOrPath        = errors.New("config.Bot: must set either user_agent_regex, path_regex, headers_regex, or remote_addresses")
 	ErrBotMustHaveUserAgentOrPathNotBoth = errors.New("config.Bot: must set either user_agent_regex, path_regex, and not both")
 	ErrUnknownAction                     = errors.New("config.Bot: unknown action")
 	ErrInvalidUserAgentRegex             = errors.New("config.Bot: invalid user agent regex")
@@ -228,8 +228,8 @@ type ImportStatement struct {
 }
 
 func (is *ImportStatement) open() (fs.File, error) {
-	if after, ok := strings.CutPrefix(is.Import, "(data)/"); ok {
+	if strings.HasPrefix(is.Import, "(data)/") {
-		fname := after
+		fname := strings.TrimPrefix(is.Import, "(data)/")
 		fin, err := data.BotPolicies.Open(fname)
 		return fin, err
 	}
@@ -325,7 +325,7 @@ func (sc StatusCodes) Valid() error {
 }
 
 type fileConfig struct {
-	OpenGraph   openGraphFileConfig `json:"openGraph"`
+	OpenGraph   openGraphFileConfig `json:"openGraph,omitempty"`
 	Impressum   *Impressum          `json:"impressum,omitempty"`
 	Store       *Store              `json:"store"`
 	Bots        []BotOrImport       `json:"bots"`

lib/config/config_test.go

@@ -188,6 +188,7 @@ func TestBotValid(t *testing.T) {
 	}
 
 	for _, cs := range tests {
+		cs := cs
 		t.Run(cs.name, func(t *testing.T) {
 			err := cs.bot.Valid()
 			if err == nil && cs.err == nil {
@@ -215,6 +216,7 @@ func TestConfigValidKnownGood(t *testing.T) {
 	}
 
 	for _, st := range finfos {
+		st := st
 		t.Run(st.Name(), func(t *testing.T) {
 			fin, err := os.Open(filepath.Join("testdata", "good", st.Name()))
 			if err != nil {
@@ -301,6 +303,7 @@ func TestConfigValidBad(t *testing.T) {
 	}
 
 	for _, st := range finfos {
+		st := st
 		t.Run(st.Name(), func(t *testing.T) {
 			fin, err := os.Open(filepath.Join("testdata", "bad", st.Name()))
 			if err != nil {

lib/config_test.go

@@ -24,6 +24,7 @@ func TestBadConfigs(t *testing.T) {
 	}
 
 	for _, st := range finfos {
+		st := st
 		t.Run(st.Name(), func(t *testing.T) {
 			if _, err := LoadPoliciesOrDefault(t.Context(), filepath.Join("config", "testdata", "bad", st.Name()), anubis.DefaultDifficulty, "info"); err == nil {
 				t.Fatal(err)
@@ -41,6 +42,7 @@ func TestGoodConfigs(t *testing.T) {
 	}
 
 	for _, st := range finfos {
+		st := st
 		t.Run(st.Name(), func(t *testing.T) {
 			t.Run("with-thoth", func(t *testing.T) {
 				ctx := thothmock.WithMockThoth(t)

lib/http.go

@@ -182,7 +182,10 @@ func makeCode(err error) string {
 	enc := base64.StdEncoding.EncodeToString(buf.Bytes())
 	var builder strings.Builder
 	for i := 0; i < len(enc); i += width {
-		end := min(i+width, len(enc))
+		end := i + width
+		if end > len(enc) {
+			end = len(enc)
+		}
 		builder.WriteString(enc[i:end])
 		builder.WriteByte('\n')
 	}
@@ -219,12 +222,8 @@ func (s *Server) RenderIndex(w http.ResponseWriter, r *http.Request, cr policy.C
 	chall, err := s.issueChallenge(r.Context(), r, lg, cr, rule)
 	if err != nil {
 		lg.Error("can't get challenge", "err", err)
-		algorithm := "unknown"
-		if rule.Challenge != nil {
-			algorithm = rule.Challenge.Algorithm
-		}
 		s.ClearCookie(w, CookieOpts{Name: anubis.TestCookieName, Host: r.Host})
-		s.respondWithError(w, r, fmt.Sprintf("%s: %s", localizer.T("internal_server_error"), algorithm), makeCode(err))
+		s.respondWithError(w, r, fmt.Sprintf("%s: %s", localizer.T("internal_server_error"), rule.Challenge.Algorithm), makeCode(err))
 		return
 	}
 
@@ -249,13 +248,9 @@ func (s *Server) RenderIndex(w http.ResponseWriter, r *http.Request, cr policy.C
 
 	impl, ok := challenge.Get(chall.Method)
 	if !ok {
-		algorithm := "unknown"
+		lg.Error("check failed", "err", "can't get algorithm", "algorithm", rule.Challenge.Algorithm)
-		if rule.Challenge != nil {
-			algorithm = rule.Challenge.Algorithm
-		}
-		lg.Error("check failed", "err", "can't get algorithm", "algorithm", algorithm)
 		s.ClearCookie(w, CookieOpts{Name: anubis.TestCookieName, Host: r.Host})
-		s.respondWithError(w, r, fmt.Sprintf("%s: %s", localizer.T("internal_server_error"), algorithm), makeCode(err))
+		s.respondWithError(w, r, fmt.Sprintf("%s: %s", localizer.T("internal_server_error"), rule.Challenge.Algorithm), makeCode(err))
 		return
 	}
 
@@ -338,14 +333,7 @@ func (s *Server) respondWithError(w http.ResponseWriter, r *http.Request, messag
 func (s *Server) respondWithStatus(w http.ResponseWriter, r *http.Request, msg, code string, status int) {
 	localizer := localization.GetLocalizer(r)
 
-	component := web.Base(
+	templ.Handler(web.Base(localizer.T("oh_noes"), web.ErrorPage(msg, s.opts.WebmasterEmail, code, localizer), s.policy.Impressum, localizer), templ.WithStatus(status)).ServeHTTP(w, r)
-		localizer.T("oh_noes"),
-		web.ErrorPage(msg, s.opts.WebmasterEmail, code, localizer),
-		s.policy.Impressum,
-		localizer,
-	)
-	handler := internal.NoStoreCache(templ.Handler(component, templ.WithStatus(status)))
-	handler.ServeHTTP(w, r)
 }
 
 func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {

lib/http_test.go

@@ -7,7 +7,6 @@ import (
 	"testing"
 
 	"github.com/TecharoHQ/anubis"
-	"github.com/TecharoHQ/anubis/internal"
 	"github.com/TecharoHQ/anubis/lib/policy"
 )
 
@@ -192,34 +191,3 @@ func TestRenderIndexUnauthorized(t *testing.T) {
 		t.Errorf("expected body %q, got %q", "Authorization required", body)
 	}
 }
-
-func TestNoCacheOnError(t *testing.T) {
-	pol := loadPolicies(t, "testdata/useragent.yaml", 0)
-	srv := spawnAnubis(t, Options{Policy: pol})
-	ts := httptest.NewServer(internal.RemoteXRealIP(true, "tcp", srv))
-	defer ts.Close()
-
-	for userAgent, expectedCacheControl := range map[string]string{
-		"DENY":      "no-store",
-		"CHALLENGE": "no-store",
-		"ALLOW":     "",
-	} {
-		t.Run(userAgent, func(t *testing.T) {
-			req, err := http.NewRequest(http.MethodGet, ts.URL, nil)
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			req.Header.Set("User-Agent", userAgent)
-
-			resp, err := ts.Client().Do(req)
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			if resp.Header.Get("Cache-Control") != expectedCacheControl {
-				t.Errorf("wanted Cache-Control header %q, got %q", expectedCacheControl, resp.Header.Get("Cache-Control"))
-			}
-		})
-	}
-}

lib/localization/locales/bg.json

@@ -1,66 +0,0 @@
-{
-  "loading": "Зареждане...",
-  "why_am_i_seeing": "Защо виждам това?",
-  "protected_by": "Защитено от",
-  "protected_from": "От",
-  "made_with": "Направено с ❤️ в 🇨🇦",
-  "mascot_design": "Дизайн на талисмана от",
-  "ai_companies_explanation": "Виждате това, защото администраторът на този уебсайт е kонфигурирал Anubis, за да защити сървъра от агресивното събиране на данни от компании, занимаващи се с изкуствен интелект. Това може и причинява прекъсвания на уебсайтовете, което прави техните ресурси недостъпни за всички.",
-  "anubis_compromise": "Anubis е компромис. Anubis използва схема за ддоказателство-за-работа по подобие на Hashcash, предложена схема за доказателство-за-работа за намаляване на спама в имейлите. Идеята е, че при индивидуални мащаби допълнителното натоварване е пренебрежимо, но при масов ниво на събиране на данни то се натрупва и прави събирането на данни много по-скъпо.",
-  "hack_purpose": "В крайна сметка, това е временно решение, за да се отдели повече време за идентифициране и разпознаване на безглави браузъри (например чрез това как те рендират шрифтовете), така че страницата за доказателство-за-работа да не се налага да се показва на потребители, които е по-вероятно да са легитимни.",
-  "simplified_explanation": "Това е мярка срещу ботове и злонамерени заявки, подобна на CAPTCHA. Вместо да трябва да правите нещо сами, браузърът ви получава задача за изчисление, която трябва да реши, за да се увери, че е валиден клиент. Тази концепция се нарича схема доказателство-за-работа. Задачата се изчислява за няколко секунди и ви се дава достъп до уебсайта. Благодаря ви за разбирането и търпението.",
-  "jshelter_note": "Моля, имайте предвид, че Anubis изисква използването на модерни функции на JavaScript, сред които и като JShelter ще деактивират. Моля, деактивирайте JShelter или други подобни добавки за този домейн.",
-  "version_info": "Този уебсайт използва версия на Anubis",
-  "try_again": "Опитайте отново",
-  "go_home": "Отидете на началната страница",
-  "contact_webmaster": "или ако смятате, че не трябва да бъдете блокирани, моля свържете се с уебмастъра на",
-  "connection_security": "Моля, изчакайте, докато се уверим в сигурността на връзката ви",
-  "javascript_required": "За съжаление, трябва да включите JavaScript, за да минете през това предизвикателство. Това е необходимо, защото компаниите за изкуствен интелект промениха социалния договор около начина на хостинг на уебсайтове. Решение без JavaScript е в процес на разработка.",
-  "benchmark_requires_js": "За да използвате инструмента за тестване, е необходимо да включите JavaScript.",
-  "difficulty": "Трудност:",
-  "algorithm": "Алгоритъм:",
-  "compare": "Сравни:",
-  "time": "Време",
-  "iters": "Итерации",
-  "time_a": "Време А",
-  "iters_a": "Итерации А",
-  "time_b": "Време Б",
-  "iters_b": "Итерации Б",
-  "static_check_endpoint": "Това е просто краен пункт за проверка, който да използва обратният ви прокси.",
-  "authorization_required": "Изисква се авторизация",
-  "cookies_disabled": "Браузърът ви е настроен да деактивира бисквитките. Anubis изисква бисквитки за законния интерес да се увери, че сте валиден клиент. Моля, включете бисквитките за този домейн",
-  "access_denied": "Достъпът е отказан: код на грешка",
-  "dronebl_entry": "DroneBL докладва запис",
-  "see_dronebl_lookup": "вижте",
-  "internal_server_error": "Вътрешна сървърна грешка: администраторът е грешно конфигурирал Anubis. Моля, свържете се с администратора и ги помолете да проверят логовете около",
-  "invalid_redirect": "Невалидно пренасочване",
-  "redirect_not_parseable": "URL адресът за пренасочване не може да бъде разпознат",
-  "redirect_domain_not_allowed": "Домейнът за пренасочване не е позволен",
-  "missing_required_forwarded_headers": "Липсват необходимите X-Forwarded-* заглавни части",
-  "failed_to_sign_jwt": "неуспешно подписване на JWT",
-  "invalid_invocation": "Невалидно извикване на MakeChallenge",
-  "client_error_browser": "Крешка в клиента: Моля, уверете се, че браузърът ви е актуализиран и опитайте отново по-късно.",
-  "oh_noes": "О, не!",
-  "benchmarking_anubis": "Тестване на Anubis!",
-  "you_are_not_a_bot": "Ти не си бот!",
-  "making_sure_not_bot": "Уверяваме се, че не си бот!",
-  "celphase": "CELPHASE",
-  "js_web_crypto_error": "Браузърът ви няма функциониращ web.crypto елемент. Гледате ли това през сигурен контекст?",
-  "js_web_workers_error": "Браузърът ви не поддържа уеб работници (Anubis използва това, за да избегне замръзване на браузъра ви). Имате ли инсталирана добавка като JShelter?",
-  "js_cookies_error": "Браузърът ви не съхранява бисквитки. Anubis използва бисквитки, за да определи които клиенти са преминали задачите, като съхранява подписан токен в бисквитка. Моля, включете съхраняването на бисквитки за този домейн. Имената на бисквитките, съхранени от Anubis, могат да се променят без предварително уведомление. Имената и стойностите на бисквитките не са част от публичния API.",
-  "js_context_not_secure": "Вашият контекст не е сигурен!",
-  "js_context_not_secure_msg": "Опитайте да се свържете чрез HTTPS или уведомете администратора да kонфигурира HTTPS. За повече информация вижте MDN.",
-  "js_calculating": "Изчисляване...",
-  "js_missing_feature": "Липсваща функция",
-  "js_challenge_error": "Грешка при задачата!",
-  "js_challenge_error_msg": "Неуспешно разрешаване на алгоритъма за проверка. Може би искате да презаредите страницата.",
-  "js_calculating_difficulty": "Изчисляване... Трудност:",
-  "js_speed": "Скорост:",
-  "js_verification_longer": "Проверката отнема повече време от очакваното. Моля, не презареждайте страницата.",
-  "js_success": "Успех!",
-  "js_done_took": "Готово! Отне",
-  "js_iterations": "итерации",
-  "js_finished_reading": "Приключих с четенето, продължете →",
-  "js_calculation_error": "Грешка при изчислението!",
-  "js_calculation_error_msg": "Неуспешно изчисление на задачата:"
-}

lib/localization/locales/de.json

@@ -1,38 +1,38 @@
 {
-  "loading": "Wird geladen …",
+  "loading": "Ladevorgang...",
   "why_am_i_seeing": "Warum sehe ich diese Seite?",
   "protected_by": "Geschützt durch",
   "protected_from": "Von",
   "made_with": "Mit ❤️ entwickelt in 🇨🇦",
-  "mascot_design": "Maskottchen entworfen von",
+  "mascot_design": "Maskottchen erstellt von",
-  "ai_companies_explanation": "Diese Seite wird angezeigt, weil der Betreiber dieser Website Anubis eingerichtet hat, um den Server vor aggressivem Scraping durch KI-Unternehmen zu schützen. Dieses Scraping kann Ausfälle verursachen, wodurch die Website für niemanden erreichbar ist.",
+  "ai_companies_explanation": "Diese Seite wird angezeigt, da der Betreiber der Website Anubis eingerichtet hat, um sie vor aggressiven Webcrawlern von KI-Unternehmen zu schützen. Diese können Ausfälle verursachen, wodurch die Website für niemanden erreichbar ist.",
-  "anubis_compromise": "Anubis ist ein Kompromiss. Es verwendet ein Proof-of-Work-Verfahren nach dem Vorbild von Hashcash, das ursprünglich zur Reduzierung von E-Mail-Spam entwickelt wurde. Die Idee dahinter ist, dass die zusätzliche Last für einzelne Nutzer vernachlässigbar ist, sich aber auf der Ebene von Massen-Scrapern summiert und das Scraping deutlich teurer macht.",
+  "anubis_compromise": "Anubis stellt einen Kompromiss dar. Es verwendet eine Proof-of-Work-Methode nach dem Hashcash-Prinzip, das ursprünglich zur Bekämpfung von E-Mail-Spam entwickelt wurde. Die Idee dahinter: Für einen einzelnen Besucher ist die Verzögerung vernachlässigbar, aber massenhaftes Scraping wird dadurch aufwändig und teuer.",
-  "hack_purpose": "Letztlich ist dies eine Übergangslösung, damit mehr Zeit in das Fingerprinting und die Erkennung von Headless-Browsern investiert werden kann (z. B. anhand ihrer Schriftart-Darstellung), sodass die Proof-of-Work-Seite Nutzern, die mit hoher Wahrscheinlichkeit legitim sind, nicht mehr angezeigt werden muss.",
+  "hack_purpose": "Letztendlich ist dies eine Übergangslösung, um mehr Zeit für Browser-Fingerprinting und die Identifizierung von Headless-Browsern (z. B. anhand ihrer Schriftwiedergabe) zu gewinnen. So muss die Proof-of-Work-Seite nicht Nutzern angezeigt werden, die sehr wahrscheinlich legitim sind.",
-  "simplified_explanation": "Dies ist eine Schutzmaßnahme gegen Bots und schädliche Anfragen, ähnlich einem CAPTCHA. Anstatt selbst eine Aufgabe lösen zu müssen, bekommt dein Browser eine Rechenaufgabe, die er lösen muss, um sicherzustellen, dass es sich um einen gültigen Client handelt. Dieses Konzept nennt sich <a href=\"https://de.wikipedia.org/wiki/Proof_of_Work\">Proof of Work</a>. Die Aufgabe wird innerhalb weniger Sekunden berechnet und du erhältst Zugang zur Website. Danke für dein Verständnis und deine Geduld.",
+  "simplified_explanation": "Dies ist eine Maßnahme gegen Bots und bösartige Anfragen, ähnlich einem CAPTCHA. Anstatt jedoch selbst arbeiten zu müssen, erhält dein Browser eine Rechenaufgabe, um sicherzustellen, dass es sich um einen gültigen Client handelt. Dieses Konzept nennt sich <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Proof of Work</a>. Die Aufgabe wird in wenigen Sekunden berechnet und du erhältst Zugriff auf die Website. Danke für deine Geduld.",
-  "jshelter_note": "Anubis benötigt moderne JavaScript-Funktionen, die von Plugins wie JShelter deaktiviert werden. Bitte deaktiviere JShelter oder ähnliche Plugins für diese Domain.",
+  "jshelter_note": "Anubis benötigt moderne JavaScript-Features, die von Plugins wie JShelter deaktiviert werden. Bitte deaktiviere JShelter oder ähnliche Plugins für diese Domain.",
-  "version_info": "Diese Website nutzt Anubis Version",
+  "version_info": "Diese Website läuft mit Anubis-Version",
   "try_again": "Erneut versuchen",
   "go_home": "Zur Startseite",
-  "contact_webmaster": "oder kontaktiere den Webmaster unter, falls du glaubst, dass du nicht blockiert werden solltest:",
+  "contact_webmaster": "Falls du glaubst, dass es sich um einen Fehler handelt, kontaktiere bitte den Administrator unter",
-  "connection_security": "Bitte warte einen Moment, während wir die Sicherheit deiner Verbindung überprüfen.",
+  "connection_security": "Bitte warte einen Moment, während wir die Sicherheit deiner Verbindung prüfen.",
-  "javascript_required": "Du musst JavaScript aktivieren, um diese Prüfung zu bestehen. Dies ist notwendig, da KI-Unternehmen den Gesellschaftsvertrag rund um Webhosting verändert haben. Eine Lösung ohne JavaScript ist in Arbeit.",
+  "javascript_required": "Du musst JavaScript aktivieren, um diese Prüfung durchführen zu können. Dies ist notwendig, da KI-Unternehmen die bisherigen Regeln für das Hosting von Websites nicht mehr respektieren. Eine Lösung ohne JavaScript ist in Entwicklung.",
-  "benchmark_requires_js": "Für das Benchmark-Tool muss JavaScript aktiviert sein.",
+  "benchmark_requires_js": "Für die Nutzung des Benchmark-Tools muss JavaScript aktiviert sein.",
   "difficulty": "Schwierigkeit:",
   "algorithm": "Algorithmus:",
-  "compare": "Vergleichen:",
+  "compare": "Vergleich:",
   "time": "Zeit",
   "iters": "Iterationen",
   "time_a": "Zeit A",
   "iters_a": "Iterationen A",
   "time_b": "Zeit B",
   "iters_b": "Iterationen B",
-  "static_check_endpoint": "Dies ist nur ein Prüf-Endpunkt für deinen Reverse-Proxy.",
+  "static_check_endpoint": "Dies ist ein Endpunkt zur Prüfung durch einen Reverse-Proxy.",
   "authorization_required": "Autorisierung erforderlich",
-  "cookies_disabled": "Cookies sind in deinem Browser deaktiviert. Anubis benötigt Cookies im berechtigten Interesse, sicherzustellen, dass es sich um einen gültigen Client handelt. Bitte aktiviere Cookies für diese Domain.",
+  "cookies_disabled": "Cookies sind in deinem Browser deaktiviert. Anubis benötigt Cookies, um sicherzustellen, dass es sich um einen legitimen Zugriff handelt. Bitte aktiviere Cookies für diese Domain.",
-  "access_denied": "Zugriff verweigert: Fehlercode",
+  "access_denied": "Zugriff verweigert – Fehlercode",
-  "dronebl_entry": "DroneBL hat einen Eintrag gemeldet",
+  "dronebl_entry": "Eintrag in DroneBL",
   "see_dronebl_lookup": "anzeigen",
-  "internal_server_error": "Interner Serverfehler: Der Administrator hat Anubis fehlerhaft konfiguriert. Bitte kontaktiere den Administrator und bitte ihn, die Logs im Zeitraum um folgenden Zeitpunkt zu prüfen:",
+  "internal_server_error": "Interner Serverfehler: Der Administrator hat Anubis fehlerhaft konfiguriert. Bitte kontaktiere den Administrator und bitte ihn, die Logs zu prüfen.",
   "invalid_redirect": "Ungültige Weiterleitung",
   "redirect_not_parseable": "Weiterleitungs-URL kann nicht verarbeitet werden",
   "redirect_domain_not_allowed": "Weiterleitungs-Domain nicht erlaubt",
@@ -41,26 +41,26 @@
   "invalid_invocation": "Ungültiger Aufruf von MakeChallenge",
   "client_error_browser": "Client-Fehler: Bitte stelle sicher, dass dein Browser aktuell ist, und versuche es später erneut.",
   "oh_noes": "Oh nein!",
-  "benchmarking_anubis": "Anubis-Benchmark wird durchgeführt!",
+  "benchmarking_anubis": "Benchmark wird durchgeführt!",
   "you_are_not_a_bot": "Du bist kein Bot!",
   "making_sure_not_bot": "Dein Browser wird geprüft!",
   "celphase": "CELPHASE",
-  "js_web_crypto_error": "Dein Browser verfügt nicht über ein funktionierendes web.crypto-Element. Wird diese Seite in einem sicheren Kontext angezeigt?",
+  "js_web_crypto_error": "Dein Browser verfügt nicht über ein funktionierendes web.crypto-Element. Wird eine sichere Verbindung verwendet?",
-  "js_web_workers_error": "Dein Browser unterstützt keine Web Workers (Anubis verwendet diese, damit dein Browser nicht einfriert). Hast du ein Plugin wie JShelter installiert?",
+  "js_web_workers_error": "Dein Browser unterstützt keine Web-Worker (Anubis verwendet diese, damit der Browser nicht einfriert). Ist ein Plugin wie JShelter installiert?",
-  "js_cookies_error": "Dein Browser speichert keine Cookies. Anubis verwendet Cookies, um nach bestandener Prüfung ein signiertes Token abzulegen. Bitte aktiviere Cookies für diese Domain. Die Cookie-Namen von Anubis können sich jederzeit ohne Vorankündigung ändern. Cookie-Namen und -Werte sind nicht Teil der öffentlichen API.",
+  "js_cookies_error": "Dein Browser speichert keine Cookies. Anubis verwendet Cookies, um nach bestandener Prüfung ein signiertes Token abzulegen. Bitte aktiviere Cookies für diese Domain. Die Cookie-Namen von Anubis können sich jederzeit ändern. Cookie-Namen und gespeicherte Werte sind nicht Teil der öffentlichen API.",
   "js_context_not_secure": "Diese Verbindung ist nicht sicher!",
-  "js_context_not_secure_msg": "Versuche, dich über HTTPS zu verbinden, oder informiere den Administrator, HTTPS einzurichten. Weitere Informationen unter <a href=\"https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts#when_is_a_context_considered_secure\">MDN</a>.",
+  "js_context_not_secure_msg": "Bitte versuche, dich über HTTPS zu verbinden, oder weise den Administrator darauf hin, HTTPS einzurichten. Mehr Informationen: <a href=\"https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts#when_is_a_context_considered_secure\">MDN</a>.",
-  "js_calculating": "Berechnung läuft …",
+  "js_calculating": "Berechnung läuft...",
   "js_missing_feature": "Fehlendes Feature",
   "js_challenge_error": "Prüfung fehlgeschlagen!",
-  "js_challenge_error_msg": "Der Prüfalgorithmus konnte nicht aufgelöst werden. Bitte lade die Seite neu.",
+  "js_challenge_error_msg": "Der Prüf-Algorithmus konnte nicht geladen werden. Bitte lade die Seite neu.",
-  "js_calculating_difficulty": "Berechnung läuft …<br/>Schwierigkeit:",
+  "js_calculating_difficulty": "Berechnung läuft...<br/>Schwierigkeit:",
   "js_speed": "Geschwindigkeit:",
-  "js_verification_longer": "Die Verifizierung dauert länger als erwartet. Bitte bleibe auf der Seite und lade sie nicht neu.",
+  "js_verification_longer": "Die Prüfung dauert länger als erwartet. Bitte warte und lade die Seite nicht neu.",
-  "js_success": "Geschafft!",
+  "js_success": "Erfolgreich!",
   "js_done_took": "Fertig! Dauer:",
   "js_iterations": "Iterationen",
-  "js_finished_reading": "Fertig gelesen, weiter zur Seite →",
+  "js_finished_reading": "Fertig gelesen – weiter zur Seite →",
   "js_calculation_error": "Berechnungsfehler!",
   "js_calculation_error_msg": "Fehler bei der Berechnung der Prüfung:"
 }

lib/localization/locales/fr.json

@@ -1,66 +1,66 @@
 {
   "loading": "Chargement...",
-  "why_am_i_seeing": "Comment suis-je arrivé·e ici ?",
+  "why_am_i_seeing": "Pourquoi je vois ceci ?",
   "protected_by": "Protégé par",
-  "protected_from": "de",
+  "protected_from": "From",
   "made_with": "Fait avec ❤️ au 🇨🇦",
   "mascot_design": "Design de la mascotte par",
-  "ai_companies_explanation": "Vous voyez cette page car l'administrateur·rice de ce site Web a configuré Anubis pour protéger le serveur contre le fléau des entreprises d'IA qui récupèrent agressivement le contenu des sites Web. Cela perturbe leur fonctionnement et rend leurs ressources inaccessibles pour tout le monde.",
+  "ai_companies_explanation": "Vous voyez ceci car l'administrateur de ce site web a configuré Anubis pour protéger le serveur contre le fléau des entreprises d'IA qui scrapent agressivement les sites web. Cela peut et cause des temps d'arrêt pour les sites web, ce qui rend leurs ressources inaccessibles pour tout le monde.",
-  "anubis_compromise": "Anubis est un compromis. Anubis utilise un procédé de preuve de travail similaire à Hashcash, un procédé de preuve de travail proposé pour réduire le spam par e-mail. L'idée est qu'à l'échelle individuelle, la charge supplémentaire est négligeable, mais à l'échelle des scrapers de masse, la charge s'accumule et le scraping devient beaucoup plus coûteux.",
+  "anubis_compromise": "Anubis est un compromis. Anubis utilise un schéma de Preuve de Travail dans la veine de Hashcash, un schéma de preuve de travail proposé pour réduire le spam par email. L'idée est qu'à l'échelle individuelle, la charge supplémentaire est négligeable, mais à l'échelle des scrapers de masse, cela s'accumule et rend le scraping beaucoup plus coûteux.",
-  "hack_purpose": "En fin de compte, il s'agit d'une solution de substitution permettant de consacrer plus de temps à l'identification et à la prise d'empreintes des navigateurs headless (par exemple, en reconnaissant leur rendu des polices), pour que, à terme, la page de défi utilisant la preuve de travail n'ait plus besoin d'être présentée aux utilisateur·rices qui sont beaucoup plus susceptibles d'être légitimes.",
+  "hack_purpose": "En fin de compte, il s'agit d'une solution de substitution afin de consacrer plus de temps à l'identification et à l'empreinte digitale des navigateurs sans tête (par exemple, via leur rendu de police) afin que la page de preuve de travail du défi n'ait pas besoin d'être présentée aux utilisateurs qui sont beaucoup plus susceptibles d'être légitimes.",
-  "jshelter_note": "Veuillez noter qu'Anubis nécessite l'utilisation de fonctionnalités JavaScript modernes qui peuvent être désactivées par des plugins comme JShelter. Veuillez désactiver JShelter ou tout autre plugin similaire pour ce domaine.",
+  "jshelter_note": "Veuillez noter qu'Anubis nécessite l'utilisation de fonctionnalités JavaScript modernes que des plugins comme JShelter désactiveront. Veuillez désactiver JShelter ou d'autres plugins similaires pour ce domaine.",
-  "version_info": "Ce site Web utilise Anubis version",
+  "version_info": "Ce site web utilise Anubis version",
   "try_again": "Réessayer",
   "go_home": "Accueil",
-  "contact_webmaster": "ou si vous pensez que vous ne devriez pas être bloqué, veuillez contacter le webmaster à l'adresse",
+  "contact_webmaster": "ou si vous pensez que vous ne devriez pas être bloqué, veuillez contacter le webmaster à",
   "connection_security": "Veuillez patienter un instant pendant que nous assurons la sécurité de votre connexion.",
-  "javascript_required": "Malheureusement, vous devez activer JavaScript pour passer cette page de défi. Cette obligation est imposée par les entreprises d'IA, qui ont décidé de modifier unilatéralement les termes du contrat social régissant l'hébergement de sites Web. Une solution sans JavaScript est en cours de développement.",
+  "javascript_required": "Malheureusement, vous devez activer JavaScript pour passer ce défi. Ceci est requis car les entreprises d'IA ont changé le contrat social autour du fonctionnement de l'hébergement de sites web. Une solution sans JS est en cours de développement.",
   "benchmark_requires_js": "L'exécution de l'outil de benchmark nécessite l'activation de JavaScript.",
-  "difficulty": "Difficulté :",
+  "difficulty": "Difficulté :",
-  "algorithm": "Algorithme :",
+  "algorithm": "Algorithme :",
-  "compare": "Comparer :",
+  "compare": "Comparer :",
   "time": "Temps",
   "iters": "Itérations",
   "time_a": "Temps A",
   "iters_a": "Itér. A",
   "time_b": "Temps B",
   "iters_b": "Itér. B",
-  "static_check_endpoint": "Ceci est juste un point de terminaison de vérification à utiliser par votre proxy inverse.",
+  "static_check_endpoint": "Ceci est juste un point de terminaison de vérification pour votre proxy inverse à utiliser.",
   "authorization_required": "Autorisation requise",
-  "cookies_disabled": "Les cookies sont désactivés dans votre navigateur. Anubis a recours aux cookies pour l'intérêt légitime de s'assurer que vous êtes un client valide. Veuillez activer les cookies pour ce domaine.",
+  "cookies_disabled": "Votre navigateur est configuré pour désactiver les cookies. Anubis nécessite des cookies pour l'intérêt légitime de s'assurer que vous êtes un client valide. Veuillez activer les cookies pour ce domaine",
-  "access_denied": "Accès refusé : code d'erreur",
+  "access_denied": "Accès refusé : code d'erreur",
-  "dronebl_entry": "DroneBL a rapporté une entrée",
+  "dronebl_entry": "DroneBL a signalé une entrée",
   "see_dronebl_lookup": "voir",
-  "internal_server_error": "Erreur interne du serveur : l'administrateur·rice a mal configuré Anubis. Veuillez contacter l'administrateur·rice et lui demander de consulter les logs autour de",
+  "internal_server_error": "Erreur interne du serveur : l'administrateur a mal configuré Anubis. Veuillez contacter l'administrateur et lui demander de consulter les logs autour de",
   "invalid_redirect": "Redirection invalide",
   "redirect_not_parseable": "URL de redirection non analysable",
   "redirect_domain_not_allowed": "Domaine de redirection non autorisé",
-  "failed_to_sign_jwt": "échec de la signature du JWT",
+  "failed_to_sign_jwt": "échec de la signature JWT",
   "invalid_invocation": "Invocation invalide de MakeChallenge",
-  "client_error_browser": "Erreur client : Veuillez vous assurer que votre navigateur est à jour et réessayez plus tard.",
+  "client_error_browser": "Erreur client : Veuillez vous assurer que votre navigateur est à jour et réessayez plus tard.",
-  "oh_noes": "Oh non !",
+  "oh_noes": "Oh non !",
-  "benchmarking_anubis": "Je vérifie les performances d'Anubis !",
+  "benchmarking_anubis": "Test de performance d'Anubis !",
-  "you_are_not_a_bot": "Vous n'êtes pas un robot !",
+  "you_are_not_a_bot": "Vous n'êtes pas un robot !",
-  "making_sure_not_bot": "Je m'assure que vous n'êtes pas un robot !",
+  "making_sure_not_bot": "Vérification que vous n'êtes pas un robot !",
-  "celphase": "CELPHASE",
+  "celphase": "PHASE de CEL",
-  "js_web_crypto_error": "L'élément web.crypto de votre navigateur n'est pas fonctionnel. Consultez-vous bien cette page dans un contexte sécurisé ?",
+  "js_web_crypto_error": "Votre navigateur n'a pas d'élément web.crypto fonctionnel. Consultez-vous cette page dans un contexte sécurisé ?",
-  "js_web_workers_error": "Votre navigateur ne prend pas en charge les web workers (Anubis les utilise pour éviter de bloquer votre navigateur). Avez-vous installé un plugin comme JShelter ?",
+  "js_web_workers_error": "Votre navigateur ne prend pas en charge les web workers (Anubis les utilise pour éviter de bloquer votre navigateur). Avez-vous un plugin comme JShelter installé ?",
-  "js_cookies_error": "Votre navigateur ne stocke pas les cookies. Anubis a recours aux cookies pour déterminer quels clients ont réussi les défis en stockant un jeton signé dans un cookie. Veuillez activer le stockage des cookies pour ce domaine. Le nom des cookies stockés par Anubis peut varier à tout moment. Le nom et la valeur des cookies ne font pas partie de l'API publique.",
+  "js_cookies_error": "Votre navigateur ne stocke pas les cookies. Anubis utilise des cookies pour déterminer quels clients ont réussi les défis en stockant un jeton signé dans un cookie. Veuillez activer le stockage des cookies pour ce domaine. Les noms des cookies qu'Anubis stocke peuvent varier sans préavis. Les noms et valeurs des cookies ne font pas partie de l'API publique.",
-  "js_context_not_secure": "Votre contexte n'est pas sécurisé !",
+  "js_context_not_secure": "Votre contexte n'est pas sécurisé !",
-  "js_context_not_secure_msg": "Essayez de vous connecter via HTTPS ou demandez à l'administrateur·rice de configurer HTTPS. Pour plus d'informations, consultez <a href=\"https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts#when_is_a_context_considered_secure\">MDN</a>.",
+  "js_context_not_secure_msg": "Essayez de vous connecter via HTTPS ou informez l'administrateur de configurer HTTPS. Pour plus d'informations, voir <a href=\"https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts#when_is_a_context_considered_secure\">MDN</a>.",
   "js_calculating": "Calcul en cours...",
   "js_missing_feature": "Fonctionnalité manquante",
-  "js_challenge_error": "Erreur de défi !",
+  "js_challenge_error": "Erreur de défi !",
   "js_challenge_error_msg": "Échec de la résolution de l'algorithme de vérification. Vous pouvez essayer de recharger la page.",
-  "js_calculating_difficulty": "Calcul en cours...<br/>Difficulté :",
+  "js_calculating_difficulty": "Calcul en cours...<br/>Difficulté :",
-  "js_speed": "Vitesse :",
+  "js_speed": "Vitesse :",
   "js_verification_longer": "La vérification prend plus de temps que prévu. Veuillez ne pas actualiser la page.",
-  "js_success": "Vérification réussie !",
+  "js_success": "Succès !",
-  "js_done_took": "Terminé ! Cela aura nécessité",
+  "js_done_took": "Terminé ! A pris",
   "js_iterations": "itérations",
-  "js_finished_reading": "J'ai fini de lire, continuer →",
+  "js_finished_reading": "J'ai fini de lire, continuer →",
-  "js_calculation_error": "Erreur de calcul !",
+  "js_calculation_error": "Erreur de calcul !",
-  "js_calculation_error_msg": "Échec du calcul du défi :",
+  "js_calculation_error_msg": "Échec du calcul du défi :",
-  "missing_required_forwarded_headers": "En-têtes X-Forwarded-* manquants",
+  "missing_required_forwarded_headers": "En-têtes X-Forwarded-* requis manquants",
-  "simplified_explanation": "Ceci est une mesure contre les robots et les requêtes malveillantes, similaire à un CAPTCHA. Cependant, au lieu d'avoir à faire le travail vous-même, votre navigateur se voit confier une tâche de calcul qu'il doit résoudre pour confirmer qu'il est un client valide. Ce concept est nommé <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Preuve de travail</a>. La tâche s'effectue en quelques secondes, puis vous avez accès au site Web. Merci pour votre compréhension et votre patience."
+  "simplified_explanation": "Il s'agit d'une mesure contre les robots et les requêtes malveillantes similaire à un CAPTCHA. Cependant, au lieu d'avoir à faire le travail vous-même, votre navigateur se voit confier une tâche de calcul qu'il doit résoudre pour s'assurer qu'il est un client valide. Ce concept s'appelle <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Preuve de travail</a>. La tâche est calculée en quelques secondes et vous avez accès au site Web. Merci de votre compréhension et de votre patience."
 }

lib/localization/locales/ja.json

@@ -9,7 +9,7 @@
   "anubis_compromise": "Anubisは妥協策です。AnubisはHashcashのようなProof-of-Work方式を採用しており、これは元々メールスパムを減らすために提案された仕組みです。個人レベルでは追加の負荷は無視できる程度ですが、大規模なスクレイピングでは負荷が積み重なり、スクレイピングのコストが大幅に増加します。",
   "hack_purpose": "最終的に、これはヘッドレスブラウザのフィンガープリントと識別に時間を費やすためのプレースホルダーソリューションです（例：フォントレンダリングの方法による）。これにより、正当なユーザーにはチャレンジのプルーフオブワークページを提示する必要がなくなります。",
   "jshelter_note": "Anubisは、JShelterのようなプラグインが無効化する最新のJavaScript機能を必要とします。このドメインではJShelterや同様のプラグインを無効にしてください。",
-  "version_info": "このウェブサイトはAnubisで動作しています バージョン",
+  "version_info": "このウェブサイトはAnubisバージョンで動作しています",
   "try_again": "再試行",
   "go_home": "ホームに戻る",
   "contact_webmaster": "もしブロックされるべきでないと思われる場合は、ウェブマスターにご連絡ください：",

lib/localization/locales/manifest.json

@@ -23,7 +23,6 @@
     "vi",
     "zh-CN",
     "zh-TW",
-    "sv",
+    "sv"
-    "bg"
   ]
-}
+}

lib/localization/locales/vi.json

@@ -1,20 +1,20 @@
 {
-  "loading": "Đang tải...",
+  "loading": "Đang nạp...",
-  "why_am_i_seeing": "Tại sao tôi thấy trang này?",
+  "why_am_i_seeing": "Tại sao tôi đang thấy trang này?",
   "protected_by": "Bảo vệ bởi",
   "protected_from": "từ",
-  "made_with": "Lập trình bằng ❤️ ở 🇨🇦",
+  "made_with": "Tạo ra bằng ❤️ tại 🇨🇦",
-  "mascot_design": "Mascot thiết kế bởi",
+  "mascot_design": "Thiết kế mascot bởi",
-  "ai_companies_explanation": "Bạn thấy trang này do quản trị viên của trang web này đã thiết lập Anubis để bảo vệ máy chủ của họ khỏi quấy rầy từ những công ty AI hung hãn cóp nhặt nội dung khắp Internet. Điều này dẫn tới tình trạng gián đoạn hoạt động trên nhiều trang web, khiến tài nguyên ở đó nằm ngoài tầm với của mọi người.",
+  "ai_companies_explanation": "Bạn đang thấy trang này do quản trị viên của trang web này đã thiết lập Anubis để bảo vệ máy chủ của họ khỏi quấy rầy từ những công ty AI hung hãn cóp nhặt nội dung khắp Internet. Điều này có thể và đã dẫn tới tình trạng gián đoạn hoạt động trên nhiều trang web, khiến tài nguyên tại đó nằm ngoài tầm với của mọi người.",
   "anubis_compromise": "Anubis là giải pháp thỏa hiệp. Anubis sử dụng cơ chế Proof-of-Work dựa trên Hashcash, được thiết kế ban đầu để giảm bớt email spam. Ý tưởng đằng sau đó là với người dùng cá nhân phần nạp thêm sẽ không đáng kể, nhưng ở tầm mức quy mô lớn sẽ cộng dồn và dẫn tới chi phí tiêu hao hơn rất nhiều.",
-  "hack_purpose": "Chốt lại, đây cũng chỉ là giải pháp \"tạm ổn\" với mục đích thực sự là để giành thêm thời gian nhận diện và truy vết những trình duyệt headless (VD: cách dựng font ra sao), sao cho hạn chế tối đa các yêu cầu tính toán trang thử thách Proof-of-Work tới nhóm người dùng có khả năng cao là con người hơn.",
+  "hack_purpose": "Chốt lại, đây cũng chỉ là giải pháp \"tạm ổn\" với mục đích thực sự là để giành thêm thời gian nhận diện và fingerprint những trình duyệt headless (VD: cách dựng font ra sao), sao cho hạn chế tối đa các yêu cầu tính toán trang thử thách Proof-of-Work tới nhóm người dùng có khả năng cao là con người hơn.",
   "simplified_explanation": "Đây là một biện pháp chống lại bot và các yêu cầu độc hại tương tự như CAPTCHA. Tuy nhiên, thay vì bạn phải tự mình thực hiện, trình duyệt của bạn sẽ được giao một nhiệm vụ tính toán mà nó phải giải quyết để đảm bảo rằng nó là một máy khách hợp lệ. Khái niệm này được gọi là <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Bằng chứng Công việc</a>. Nhiệm vụ được tính toán trong vài giây và bạn được cấp quyền truy cập vào trang web. Cảm ơn sự thông cảm và kiên nhẫn của bạn.",
   "jshelter_note": "Vui lòng lưu ý Anubis cần sử dụng những tính năng JavaScript hiện đại mà một số phần mở rộng như JShelter sẽ tắt. Vui lòng vô hiệu hóa JShelter hoặc những phần mở rộng tương tự cho tên miền này.",
-  "version_info": "Trang web này dùng Anubis bản",
+  "version_info": "Trang web này đang chạy Anubis phiên bản",
   "try_again": "Thử lại",
   "go_home": "Về trang chủ",
   "contact_webmaster": "hoặc nếu bạn tin rằng mình không nên bị chặn, vui lòng liên hệ chủ trang web tại",
-  "connection_security": "Vui lòng chờ một chút trong lúc chúng tôi kiểm tra kết nối của bạn.",
+  "connection_security": "Vui lòng chờ một chút trong khi chúng tôi kiểm tra an ninh kết nối của bạn.",
   "javascript_required": "Rất tiếc, bạn phải bật JavaScript để vượt qua thử thách này. Điều này bắt buộc do những công ty AI đã thay đổi luật ngầm quanh việc hoạt động máy chủ web ra sao. Giải pháp không có JavaScript đang được phát triển.",
   "benchmark_requires_js": "Bắt buộc phải bật JavaScript để chạy công cụ benchmark.",
   "difficulty": "Độ khó:",
@@ -28,14 +28,14 @@
   "iters_b": "Lặp lại kiểu B",
   "static_check_endpoint": "Đây là điểm cuối cho reverse proxy của bạn sử dụng.",
   "authorization_required": "Bắt buộc xác thực",
-  "cookies_disabled": "Trình duyệt của bạn đã vô hiệu hóa cookie. Anubis cần cookie cho mục đích chính đáng để kiểm tra chắc chắn bạn là người dùng hợp lệ. Vui lòng bật cookie cho tên miền này",
+  "cookies_disabled": "Trình duyệt của bạn được thiết lập để vô hiệu hóa cookie. Anubis cần cookie cho mục đích chính đáng để kiểm tra chắc chắn bạn là người dùng hợp lệ. Vui lòng bật cookie cho tên miền này",
   "access_denied": "Truy cập bị từ chối: mã lỗi",
   "dronebl_entry": "DroneBL báo cáo truy cập",
   "see_dronebl_lookup": "xem",
-  "internal_server_error": "Lỗi nội bộ máy chủ: quản trị viên đã thiết lập sai Anubis. Vui lòng liên hệ quản trị viên và yêu cầu họ kiểm tra log",
+  "internal_server_error": "Lỗi máy chủ nội bộ: quản trị viên đã thiết lập sai Anubis. Vui lòng liên hệ quản trị viên và yêu cầu họ kiểm tra log",
   "invalid_redirect": "Điều hướng không hợp lệ",
-  "redirect_not_parseable": "Không thể xử lý liên kết điều hướng",
+  "redirect_not_parseable": "Liên kết điều hướng không thể xử lý",
-  "redirect_domain_not_allowed": "Không được phép điều hướng tên miền",
+  "redirect_domain_not_allowed": "Tên miền điều hướng không được phép",
   "missing_required_forwarded_headers": "Thiếu các tiêu đề X-Forwarded-* bắt buộc",
   "failed_to_sign_jwt": "không thể ký JWT",
   "invalid_invocation": "Gọi hàm MakeChallenge không hợp lệ",
@@ -43,7 +43,7 @@
   "oh_noes": "Ôi không!",
   "benchmarking_anubis": "Đang benchmark Anubis!",
   "you_are_not_a_bot": "Bạn không phải là bot!",
-  "making_sure_not_bot": "Đảm bảo bạn không phải là bot!",
+  "making_sure_not_bot": "Đang kiểm tra bạn không phải là bot!",
   "celphase": "CELPHASE",
   "js_web_crypto_error": "Trình duyệt của bạn không có web.crypto hoạt động. Liệu bạn có đang xem trang này với kết nối bảo mật không?",
   "js_web_workers_error": "Trình duyệt của bạn không hỗ trợ tính năng web worker (Anubis sử dụng để trình duyệt của bạn bị đơ). Bạn có cài đặt và sử dụng phần mở rộng như JShelter hay không?",
@@ -53,12 +53,12 @@
   "js_calculating": "Đang tính toán...",
   "js_missing_feature": "Thiếu tính năng",
   "js_challenge_error": "Lỗi thử thách!",
-  "js_challenge_error_msg": "Không thể xử lý thuật toán kiểm tra. Bạn nên tải lại trang này.",
+  "js_challenge_error_msg": "Không thể xử lý thuật toán kiểm tra. Bạn nên nạp lại trang này.",
-  "js_calculating_difficulty": "Đang tính toán...<br/>Độ khó:",
+  "js_calculating_difficulty": "Đang tính...<br/>Độ khó:",
   "js_speed": "Tốc độ:",
-  "js_verification_longer": "Quá trình kiểm tra hơi lâu hơn dự kiến. Vui lòng không tải lại trang này.",
+  "js_verification_longer": "Quá trình kiểm tra đang kéo dài lâu hơn dự kiến. Vui lòng không nạp lại trang này.",
   "js_success": "Thành công!",
-  "js_done_took": "Xong rồi! Vào",
+  "js_done_took": "Hoàn tất! Mất",
   "js_iterations": "lần lặp lại",
   "js_finished_reading": "Tôi đã đọc xong, tiếp tục →",
   "js_calculation_error": "Lỗi tính toán!",

lib/localization/localization_test.go

@@ -14,7 +14,7 @@ func TestLocalizationService(t *testing.T) {
 	service := NewLocalizationService()
 
 	loadingStrMap := map[string]string{
-		"de":    "Wird geladen …",
+		"de":    "Ladevorgang...",
 		"en":    "Loading...",
 		"es":    "Cargando...",
 		"et":    "Laadin...",
@@ -30,11 +30,10 @@ func TestLocalizationService(t *testing.T) {
 		"tr":    "Yükleniyor...",
 		"ru":    "Загрузка...",
 		"uk":    "Завантаження...",
-		"vi":    "Đang tải...",
+		"vi":    "Đang nạp...",
 		"zh-CN": "加载中...",
 		"zh-TW": "載入中...",
 		"sv":    "Laddar...",
-		"bg":    "Зареждане...",
 	}
 
 	var keys []string

lib/policy/celchecker_test.go

@@ -1,44 +0,0 @@
-package policy
-
-import (
-	"net/http"
-	"testing"
-
-	"github.com/TecharoHQ/anubis/internal/dns"
-	"github.com/TecharoHQ/anubis/lib/config"
-	"github.com/TecharoHQ/anubis/lib/store/memory"
-)
-
-func newTestDNS(t *testing.T) *dns.Dns {
-	t.Helper()
-
-	ctx := t.Context()
-	memStore := memory.New(ctx)
-	cache := dns.NewDNSCache(300, 300, memStore)
-	return dns.New(ctx, cache)
-}
-
-func TestCELChecker_MapIterationWrappers(t *testing.T) {
-	cfg := &config.ExpressionOrList{
-		Expression: `headers.exists(k, k == "Accept") && query.exists(k, k == "format")`,
-	}
-
-	checker, err := NewCELChecker(cfg, newTestDNS(t))
-	if err != nil {
-		t.Fatalf("creating CEL checker failed: %v", err)
-	}
-
-	req, err := http.NewRequest(http.MethodGet, "https://example.com/?format=json", nil)
-	if err != nil {
-		t.Fatalf("making request failed: %v", err)
-	}
-	req.Header.Set("Accept", "application/json")
-
-	got, err := checker.Check(req)
-	if err != nil {
-		t.Fatalf("checking expression failed: %v", err)
-	}
-	if !got {
-		t.Fatal("expected expression to evaluate true")
-	}
-}

lib/policy/expressions/environment_test.go

@@ -103,7 +103,7 @@ func TestBotEnvironment(t *testing.T) {
 					t.Fatalf("failed to compile expression %q: %v", tt.expression, err)
 				}
 
-				result, _, err := prog.Eval(map[string]any{
+				result, _, err := prog.Eval(map[string]interface{}{
 					"headers": tt.headers,
 				})
 				if err != nil {
@@ -168,7 +168,7 @@ func TestBotEnvironment(t *testing.T) {
 					t.Fatalf("failed to compile expression %q: %v", tt.expression, err)
 				}
 
-				result, _, err := prog.Eval(map[string]any{
+				result, _, err := prog.Eval(map[string]interface{}{
 					"path": tt.path,
 				})
 				if err != nil {
@@ -280,7 +280,7 @@ func TestBotEnvironment(t *testing.T) {
 					t.Fatalf("failed to compile expression %q: %v", tt.expression, err)
 				}
 
-				result, _, err := prog.Eval(map[string]any{})
+				result, _, err := prog.Eval(map[string]interface{}{})
 				if err != nil {
 					t.Fatalf("failed to evaluate expression %q: %v", tt.expression, err)
 				}
@@ -359,7 +359,7 @@ func TestBotEnvironment(t *testing.T) {
 						t.Fatalf("failed to compile expression %q: %v", tt.expression, err)
 					}
 
-					result, _, err := prog.Eval(map[string]any{})
+					result, _, err := prog.Eval(map[string]interface{}{})
 					if err != nil {
 						t.Fatalf("failed to evaluate expression %q: %v", tt.expression, err)
 					}
@@ -421,7 +421,7 @@ func TestBotEnvironment(t *testing.T) {
 						t.Fatalf("failed to compile expression %q: %v", tt.expression, err)
 					}
 
-					result, _, err := prog.Eval(map[string]any{})
+					result, _, err := prog.Eval(map[string]interface{}{})
 					if err != nil {
 						t.Fatalf("failed to evaluate expression %q: %v", tt.expression, err)
 					}
@@ -514,7 +514,7 @@ func TestBotEnvironment(t *testing.T) {
 						t.Fatalf("failed to compile expression %q: %v", tt.expression, err)
 					}
 
-					result, _, err := prog.Eval(map[string]any{})
+					result, _, err := prog.Eval(map[string]interface{}{})
 					if err != nil {
 						t.Fatalf("failed to evaluate expression %q: %v", tt.expression, err)
 					}
@@ -572,7 +572,7 @@ func TestBotEnvironment(t *testing.T) {
 						t.Fatalf("failed to compile expression %q: %v", tt.expression, err)
 					}
 
-					result, _, err := prog.Eval(map[string]any{})
+					result, _, err := prog.Eval(map[string]interface{}{})
 					if tt.evalError {
 						if err == nil {
 							t.Errorf("%s: expected an evaluation error, but got none", tt.description)
@@ -598,7 +598,7 @@ func TestThresholdEnvironment(t *testing.T) {
 	}
 
 	tests := []struct {
-		variables     map[string]any
+		variables     map[string]interface{}
 		name          string
 		expression    string
 		description   string
@@ -608,7 +608,7 @@ func TestThresholdEnvironment(t *testing.T) {
 		{
 			name:          "weight-variable-available",
 			expression:    `weight > 100`,
-			variables:     map[string]any{"weight": 150},
+			variables:     map[string]interface{}{"weight": 150},
 			expected:      types.Bool(true),
 			description:   "should support weight variable in expressions",
 			shouldCompile: true,
@@ -616,7 +616,7 @@ func TestThresholdEnvironment(t *testing.T) {
 		{
 			name:          "weight-variable-false-case",
 			expression:    `weight > 100`,
-			variables:     map[string]any{"weight": 50},
+			variables:     map[string]interface{}{"weight": 50},
 			expected:      types.Bool(false),
 			description:   "should correctly evaluate weight comparisons",
 			shouldCompile: true,
@@ -624,7 +624,7 @@ func TestThresholdEnvironment(t *testing.T) {
 		{
 			name:          "missingHeader-not-available",
 			expression:    `missingHeader(headers, "Test")`,
-			variables:     map[string]any{},
+			variables:     map[string]interface{}{},
 			expected:      types.Bool(false), // not used
 			description:   "should not have missingHeader function available",
 			shouldCompile: false,
@@ -667,7 +667,7 @@ func TestNewEnvironment(t *testing.T) {
 	tests := []struct {
 		name          string
 		expression    string
-		variables     map[string]any
+		variables     map[string]interface{}
 		expectBool    *bool // nil if we just want to test compilation or non-bool result
 		description   string
 		shouldCompile bool
@@ -675,7 +675,7 @@ func TestNewEnvironment(t *testing.T) {
 		{
 			name:          "randInt-function-compilation",
 			expression:    `randInt(10)`,
-			variables:     map[string]any{},
+			variables:     map[string]interface{}{},
 			expectBool:    nil, // Don't check result, just compilation
 			description:   "should compile randInt function",
 			shouldCompile: true,
@@ -683,7 +683,7 @@ func TestNewEnvironment(t *testing.T) {
 		{
 			name:          "randInt-range-validation",
 			expression:    `randInt(10) >= 0 && randInt(10) < 10`,
-			variables:     map[string]any{},
+			variables:     map[string]interface{}{},
 			expectBool:    boolPtr(true),
 			description:   "should return values in correct range",
 			shouldCompile: true,
@@ -691,7 +691,7 @@ func TestNewEnvironment(t *testing.T) {
 		{
 			name:          "strings-extension-size",
 			expression:    `"hello".size() == 5`,
-			variables:     map[string]any{},
+			variables:     map[string]interface{}{},
 			expectBool:    boolPtr(true),
 			description:   "should support string extension functions",
 			shouldCompile: true,
@@ -699,7 +699,7 @@ func TestNewEnvironment(t *testing.T) {
 		{
 			name:          "strings-extension-contains",
 			expression:    `"hello world".contains("world")`,
-			variables:     map[string]any{},
+			variables:     map[string]interface{}{},
 			expectBool:    boolPtr(true),
 			description:   "should support string contains function",
 			shouldCompile: true,
@@ -707,7 +707,7 @@ func TestNewEnvironment(t *testing.T) {
 		{
 			name:          "strings-extension-startsWith",
 			expression:    `"hello world".startsWith("hello")`,
-			variables:     map[string]any{},
+			variables:     map[string]interface{}{},
 			expectBool:    boolPtr(true),
 			description:   "should support string startsWith function",
 			shouldCompile: true,

lib/policy/expressions/http_headers.go

@@ -66,9 +66,7 @@ func (h HTTPHeaders) Get(key ref.Val) ref.Val {
 	return result
 }
 
-func (h HTTPHeaders) Iterator() traits.Iterator {
+func (h HTTPHeaders) Iterator() traits.Iterator { panic("TODO(Xe): implement me") }
-	return newMapIterator(h.Header)
-}
 
 func (h HTTPHeaders) IsZeroValue() bool {
 	return len(h.Header) == 0

lib/policy/expressions/map_iterator.go

@@ -1,60 +0,0 @@
-package expressions
-
-import (
-	"errors"
-	"maps"
-	"reflect"
-	"slices"
-
-	"github.com/google/cel-go/common/types"
-	"github.com/google/cel-go/common/types/ref"
-	"github.com/google/cel-go/common/types/traits"
-)
-
-var ErrNotImplemented = errors.New("expressions: not implemented")
-
-type stringSliceIterator struct {
-	keys []string
-	idx  int
-}
-
-func (s *stringSliceIterator) Value() any {
-	return s
-}
-
-func (s *stringSliceIterator) ConvertToNative(typeDesc reflect.Type) (any, error) {
-	return nil, ErrNotImplemented
-}
-
-func (s *stringSliceIterator) ConvertToType(typeValue ref.Type) ref.Val {
-	return types.NewErr("can't convert from %q to %q", types.IteratorType, typeValue)
-}
-
-func (s *stringSliceIterator) Equal(other ref.Val) ref.Val {
-	return types.NewErr("can't compare %q to %q", types.IteratorType, other.Type())
-}
-
-func (s *stringSliceIterator) Type() ref.Type {
-	return types.IteratorType
-}
-
-func (s *stringSliceIterator) HasNext() ref.Val {
-	return types.Bool(s.idx < len(s.keys))
-}
-
-func (s *stringSliceIterator) Next() ref.Val {
-	if s.HasNext() != types.True {
-		return nil
-	}
-
-	val := s.keys[s.idx]
-	s.idx++
-	return types.String(val)
-}
-
-func newMapIterator(m map[string][]string) traits.Iterator {
-	return &stringSliceIterator{
-		keys: slices.Collect(maps.Keys(m)),
-		idx:  0,
-	}
-}

lib/policy/expressions/url_values.go

@@ -1,6 +1,7 @@
 package expressions
 
 import (
+	"errors"
 	"net/url"
 	"reflect"
 	"strings"
@@ -10,6 +11,8 @@ import (
 	"github.com/google/cel-go/common/types/traits"
 )
 
+var ErrNotImplemented = errors.New("expressions: not implemented")
+
 // URLValues is a type wrapper to expose url.Values into CEL programs.
 type URLValues struct {
 	url.Values
@@ -66,9 +69,7 @@ func (u URLValues) Get(key ref.Val) ref.Val {
 	return result
 }
 
-func (u URLValues) Iterator() traits.Iterator {
+func (u URLValues) Iterator() traits.Iterator { panic("TODO(Xe): implement me") }
-	return newMapIterator(u.Values)
-}
 
 func (u URLValues) IsZeroValue() bool {
 	return len(u.Values) == 0

lib/policy/policy_test.go

@@ -32,6 +32,7 @@ func TestGoodConfigs(t *testing.T) {
 	}
 
 	for _, st := range finfos {
+		st := st
 		t.Run(st.Name(), func(t *testing.T) {
 			t.Run("with-thoth", func(t *testing.T) {
 				fin, err := os.Open(filepath.Join("..", "config", "testdata", "good", st.Name()))
@@ -70,6 +71,7 @@ func TestBadConfigs(t *testing.T) {
 	}
 
 	for _, st := range finfos {
+		st := st
 		t.Run(st.Name(), func(t *testing.T) {
 			fin, err := os.Open(filepath.Join("..", "config", "testdata", "bad", st.Name()))
 			if err != nil {

lib/store/s3api/s3api_test.go

@@ -6,7 +6,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
-	"maps"
 	"sync"
 	"testing"
 	"time"
@@ -37,7 +36,9 @@ func (m *mockS3) PutObject(ctx context.Context, in *s3.PutObjectInput, _ ...func
 	m.data[aws.ToString(in.Key)] = bytes.Clone(b)
 	if in.Metadata != nil {
 		m.meta[aws.ToString(in.Key)] = map[string]string{}
-		maps.Copy(m.meta[aws.ToString(in.Key)], in.Metadata)
+		for k, v := range in.Metadata {
+			m.meta[aws.ToString(in.Key)][k] = v
+		}
 	}
 	m.bucket = aws.ToString(in.Bucket)
 	return &s3.PutObjectOutput{}, nil

lib/store/valkey/factory.go

@@ -103,7 +103,7 @@ func (s Sentinel) Valid() error {
 // redisClient is satisfied by *valkey.Client and *valkey.ClusterClient.
 type redisClient interface {
 	Get(ctx context.Context, key string) *valkey.StringCmd
-	Set(ctx context.Context, key string, value any, expiration time.Duration) *valkey.StatusCmd
+	Set(ctx context.Context, key string, value interface{}, expiration time.Duration) *valkey.StatusCmd
 	Del(ctx context.Context, keys ...string) *valkey.IntCmd
 	Ping(ctx context.Context) *valkey.StatusCmd
 }

lib/testdata/useragent.yaml

@@ -1,12 +0,0 @@
-bots:
-  - name: deny
-    user_agent_regex: DENY
-    action: DENY
-
-  - name: challenge
-    user_agent_regex: CHALLENGE
-    action: CHALLENGE
-
-  - name: allow
-    user_agent_regex: ALLOW
-    action: ALLOW

lib/thoth/auth.go

@@ -11,8 +11,8 @@ func authUnaryClientInterceptor(token string) grpc.UnaryClientInterceptor {
 	return func(
 		ctx context.Context,
 		method string,
-		req any,
+		req interface{},
-		reply any,
+		reply interface{},
 		cc *grpc.ClientConn,
 		invoker grpc.UnaryInvoker,
 		opts ...grpc.CallOption,

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@techaro/anubis",
-  "version": "1.25.0",
+  "version": "1.24.0",
   "description": "",
   "main": "index.js",
   "scripts": {
@@ -20,12 +20,12 @@
   "author": "",
   "license": "ISC",
   "devDependencies": {
-    "@commitlint/cli": "^20.5.0",
+    "@commitlint/cli": "^20.4.1",
-    "@commitlint/config-conventional": "^20.5.0",
+    "@commitlint/config-conventional": "^20.4.1",
-    "baseline-browser-mapping": "^2.10.8",
+    "baseline-browser-mapping": "^2.9.19",
-    "cssnano": "^7.1.3",
+    "cssnano": "^7.1.2",
-    "cssnano-preset-advanced": "^7.0.11",
+    "cssnano-preset-advanced": "^7.0.10",
-    "esbuild": "^0.27.4",
+    "esbuild": "^0.27.2",
     "husky": "^9.1.7",
     "playwright": "^1.52.0",
     "postcss-cli": "^11.0.1",
@@ -36,7 +36,7 @@
   },
   "dependencies": {
     "@aws-crypto/sha256-js": "^5.2.0",
-    "preact": "^10.29.0"
+    "preact": "^10.28.2"
   },
   "commitlint": {
     "extends": [
@@ -66,4 +66,4 @@
     "trailingComma": "all",
     "printWidth": 80
   }
-}
+}