chore: remove duplicate CHANGELOG entry

Signed-off-by: Jason Cameron <git@jasoncameron.dev>
2026-04-08 09:38:45 +00:00 · 2025-06-17 18:45:07 -04:00
79 changed files with 569 additions and 1977 deletions
--- a/.github/actions/spelling/excludes.txt
+++ b/.github/actions/spelling/excludes.txt
@@ -83,9 +83,7 @@
 ^\Q.github/FUNDING.yml\E$
 ^\Q.github/workflows/spelling.yml\E$
 ^data/crawlers/
-^docs/blog/tags\.yml$
 ^docs/manifest/.*$
 ^docs/static/\.nojekyll$
-^lib/policy/config/testdata/bad/unparseable\.json$
 ignore$
 robots.txt
--- a/.github/actions/spelling/expect.txt
+++ b/.github/actions/spelling/expect.txt
@@ -44,6 +44,7 @@ chall
 challengemozilla
 checkpath
 checkresult
+chen
 chibi
 cidranger
 ckie
@@ -60,6 +61,7 @@ DDOS
 Debian
 debrpm
 decaymap
+decompiling
 Diffbot
 discordapp
 discordbot
@@ -129,7 +131,6 @@ iat
 ifm
 Imagesift
 imgproxy
-impressum
 inp
 IPTo
 iptoasn
@@ -187,7 +188,6 @@ ogtags
 omgili
 omgilibot
 openai
-opengraph
 openrc
 pag
 palemoon
@@ -218,7 +218,6 @@ rawler
 rcvar
 redir
 redirectscheme
-refactors
 relayd
 reputational
 reqmeta
@@ -239,7 +238,6 @@ Seo
 setsebool
 shellcheck
 Sidetrade
-simprint
 sitemap
 sls
 sni
@@ -263,7 +261,6 @@ techarohq
 templ
 templruntime
 testarea
-Thancred
 thoth
 thothmock
 Tik
@@ -303,7 +300,6 @@ xess
 xff
 XForwarded
 XNG
-XOB
 XReal
 yae
 YAMLTo
--- a/.github/actions/spelling/line_forbidden.patterns
+++ b/.github/actions/spelling/line_forbidden.patterns
@@ -273,6 +273,14 @@
 # Most people only have two hands. Reword.
 \b(?i)on the third hand\b

+# Should be `Open Graph`
+# unless talking about a specific Open Graph implementation:
+# - Java
+# - Node
+# - Py
+# - Ruby
+\bOpenGraph\b
+
 # Should be `OpenShift`
 \bOpenshift\b

--- a/.github/workflows/docs-deploy.yml
+++ b/.github/workflows/docs-deploy.yml
@@ -22,7 +22,7 @@ jobs:
          persist-credentials: false

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0

      - name: Log into registry
        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
@@ -50,14 +50,14 @@ jobs:
          push: true

      - name: Apply k8s manifests to aeacus
-        uses: actions-hub/kubectl@d50394b7d704525f93faefce1e65a6329ff67271 # v1.33.2
+        uses: actions-hub/kubectl@f632a31512a74cb35940627c49c20f67723cbaaf # v1.33.1
        env:
          KUBE_CONFIG: ${{ secrets.LIMSA_LOMINSA_KUBECONFIG }}
        with:
          args: apply -k docs/manifest

      - name: Apply k8s manifests to aeacus
-        uses: actions-hub/kubectl@d50394b7d704525f93faefce1e65a6329ff67271 # v1.33.2
+        uses: actions-hub/kubectl@f632a31512a74cb35940627c49c20f67723cbaaf # v1.33.1
        env:
          KUBE_CONFIG: ${{ secrets.LIMSA_LOMINSA_KUBECONFIG }}
        with:
--- a/.github/workflows/docs-test.yml
+++ b/.github/workflows/docs-test.yml
@@ -18,7 +18,7 @@ jobs:
          persist-credentials: false

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0

      - name: Docker meta
        id: meta
--- a/.github/workflows/ssh-ci-runner-cron.yml
+++ b/.github/workflows/ssh-ci-runner-cron.yml
@@ -30,7 +30,7 @@ jobs:
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
      - name: Build and push
        run: |
          cd ./test/ssh-ci
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -21,7 +21,7 @@ jobs:
          persist-credentials: false

      - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@445689ea25e0de0a23313031f5fe577c74ae45a1 # v6.3.0
+        uses: astral-sh/setup-uv@f0ec1fc3b38f5e7cd731bb6ce540c5af426746bb # v6.1.0

      - name: Run zizmor 🌈
        run: uvx zizmor --format sarif . > results.sarif 
--- a/2
+++ b/2
@@ -18,7 +18,6 @@ assets: deps

 build: assets
 	$(GO) build -o ./var/anubis ./cmd/anubis
-	$(GO) build -o ./var/robots2policy ./cmd/robots2policy
 	@echo "Anubis is now built to ./var/anubis"

 lint: assets
@@ -28,7 +27,6 @@ lint: assets

 prebaked-build:
 	$(GO) build -o ./var/anubis -ldflags "-X 'github.com/TecharoHQ/anubis.Version=$(VERSION)'" ./cmd/anubis
-	$(GO) build -o ./var/robots2policy -ldflags "-X 'github.com/TecharoHQ/anubis.Version=$(VERSION)'" ./cmd/robots2policy

 test: assets
 	$(GO) test ./...
--- a/2
+++ b/2
@@ -1 +1 @@
-1.20.0-pre2
+1.19.1
--- a/cmd/anubis/main.go
+++ b/cmd/anubis/main.go
@@ -331,28 +331,22 @@ func main() {
 		slog.Warn("REDIRECT_DOMAINS is not set, Anubis will only redirect to the same domain a request is coming from, see https://anubis.techaro.lol/docs/admin/configuration/redirect-domains")
 	}

-	// If OpenGraph configuration values are not set in the config file, use the
-	// values from flags / envvars.
-	if !policy.OpenGraph.Enabled {
-		policy.OpenGraph.Enabled = *ogPassthrough
-		policy.OpenGraph.ConsiderHost = *ogCacheConsiderHost
-		policy.OpenGraph.TimeToLive = *ogTimeToLive
-		policy.OpenGraph.Override = map[string]string{}
-	}
-
 	s, err := libanubis.New(libanubis.Options{
-		BasePrefix:        *basePrefix,
-		StripBasePrefix:   *stripBasePrefix,
-		Next:              rp,
-		Policy:            policy,
-		ServeRobotsTXT:    *robotsTxt,
-		PrivateKey:        priv,
-		CookieDomain:      *cookieDomain,
-		CookieExpiration:  *cookieExpiration,
-		CookiePartitioned: *cookiePartitioned,
-		RedirectDomains:   redirectDomainsList,
-		Target:            *target,
-		WebmasterEmail:    *webmasterEmail,
+		BasePrefix:           *basePrefix,
+		StripBasePrefix:      *stripBasePrefix,
+		Next:                 rp,
+		Policy:               policy,
+		ServeRobotsTXT:       *robotsTxt,
+		PrivateKey:           priv,
+		CookieDomain:         *cookieDomain,
+		CookieExpiration:     *cookieExpiration,
+		CookiePartitioned:    *cookiePartitioned,
+		OGPassthrough:        *ogPassthrough,
+		OGTimeToLive:         *ogTimeToLive,
+		RedirectDomains:      redirectDomainsList,
+		Target:               *target,
+		WebmasterEmail:       *webmasterEmail,
+		OGCacheConsidersHost: *ogCacheConsiderHost,
 	})
 	if err != nil {
 		log.Fatalf("can't construct libanubis.Server: %v", err)
--- a/data/botPolicies.yaml
+++ b/data/botPolicies.yaml
@@ -56,7 +56,7 @@ bots:
  - name: countries-with-aggressive-scrapers
    action: WEIGH
    geoip:
-      countries:
+      counties:
        - BR
        - CN
    weight:
@@ -84,59 +84,6 @@ bots:

 dnsbl: false

-# #
-# impressum:
-#   # Displayed at the bottom of every page rendered by Anubis.
-#   footer: >-
-#     This website is hosted by Zonbocom. If you have any complaints or notes
-#     about the service, please contact
-#     <a href="mailto:contact@domainhere.example">contact@domainhere.example</a>
-#     and we will assist you as soon as possible.
-
-#   # The imprint page that will be linked to at the footer of every Anubis page.
-#   page:
-#     # The HTML <title> of the page
-#     title: Imprint and Privacy Policy
-#     # The HTML contents of the page. The exact contents of this page can
-#     # and will vary by locale. Please consult with a lawyer if you are not
-#     # sure what to put here
-#     body: >-
-#       <p>Last updated: June 2025</p>
-
-#       <h2>Information that is gathered from visitors</h2>
-
-#       <p>In common with other websites, log files are stored on the web server saving details such as the visitor's IP address, browser type, referring page and time of visit.</p>
-
-#       <p>Cookies may be used to remember visitor preferences when interacting with the website.</p>
-
-#       <p>Where registration is required, the visitor's email and a username will be stored on the server.</p>
-
-#       <!-- ... -->
-
-# Open Graph passthrough configuration, see here for more information:
-# https://anubis.techaro.lol/docs/admin/configuration/open-graph/
-openGraph:
-  # Enables Open Graph passthrough
-  enabled: false
-  # Enables the use of the HTTP host in the cache key, this enables
-  # caching metadata for multiple http hosts at once.
-  considerHost: false
-  # How long cached OpenGraph metadata should last in memory
-  ttl: 24h
-  # # If set, return these opengraph values instead of looking them up with
-  # # the target service.
-  # #
-  # # Correlates to properties in https://ogp.me/
-  # override:
-  #   # og:title is required, it is the title of the website
-  #   "og:title": "Techaro Anubis"
-  #   "og:description": >-
-  #     Anubis is a Web AI Firewall Utility that helps you fight the bots
-  #     away so that you can maintain uptime at work!
-  #   "description": >-
-  #     Anubis is a Web AI Firewall Utility that helps you fight the bots
-  #     away so that you can maintain uptime at work!
-
 # By default, send HTTP 200 back to clients that either get issued a challenge
 # or a denial. This seems weird, but this is load-bearing due to the fact that
 # the most aggressive scraper bots seem to really, really, want an HTTP 200 and
@@ -144,57 +91,3 @@ openGraph:
 status_codes:
  CHALLENGE: 200
  DENY: 200
-
-# The weight thresholds for when to trigger individual challenges. Any
-# CHALLENGE will take precedence over this.
-#
-# A threshold has four configuration options:
-#
-#   - name: the name that is reported down the stack and used for metrics
-#   - expression: A CEL expression with the request weight in the variable
-#     weight
-#   - action: the Anubis action to apply, similar to in a bot policy
-#   - challenge: which challenge to send to the user, similar to in a bot policy
-#
-# See https://anubis.techaro.lol/docs/admin/configuration/thresholds for more
-# information.
-thresholds:
-  # By default Anubis ships with the following thresholds:
-  - name: minimal-suspicion # This client is likely fine, its soul is lighter than a feather
-    expression: weight <= 0 # a feather weighs zero units
-    action: ALLOW # Allow the traffic through
-  # For clients that had some weight reduced through custom rules, give them a
-  # lightweight challenge.
-  - name: mild-suspicion
-    expression:
-      all:
-        - weight > 0
-        - weight < 10
-    action: CHALLENGE
-    challenge:
-      # https://anubis.techaro.lol/docs/admin/configuration/challenges/metarefresh
-      algorithm: metarefresh
-      difficulty: 1
-      report_as: 1
-  # For clients that are browser-like but have either gained points from custom rules or
-  # report as a standard browser.
-  - name: moderate-suspicion
-    expression:
-      all:
-        - weight >= 10
-        - weight < 20
-    action: CHALLENGE
-    challenge:
-      # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work
-      algorithm: fast
-      difficulty: 2 # two leading zeros, very fast for most clients
-      report_as: 2
-  # For clients that are browser like and have gained many points from custom rules
-  - name: extreme-suspicion
-    expression: weight >= 20
-    action: CHALLENGE
-    challenge:
-      # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work
-      algorithm: fast
-      difficulty: 4
-      report_as: 4
--- a/data/bots/ai-robots-txt.yaml
+++ b/data/bots/ai-robots-txt.yaml
@@ -2,5 +2,5 @@
 # Note: Blocks human-directed/non-training user agents
 - name: "ai-robots-txt"
  user_agent_regex: >-
-    AI2Bot|Ai2Bot-Dolma|aiHitBot|Amazonbot|Andibot|anthropic-ai|Applebot|Applebot-Extended|bedrockbot|Brightbot 1.0|Bytespider|CCBot|ChatGPT-User|Claude-SearchBot|Claude-User|Claude-Web|ClaudeBot|cohere-ai|cohere-training-data-crawler|Cotoyogi|Crawlspace|Diffbot|DuckAssistBot|EchoboxBot|FacebookBot|facebookexternalhit|Factset_spyderbot|FirecrawlAgent|FriendlyCrawler|Google-CloudVertexBot|Google-Extended|GoogleOther|GoogleOther-Image|GoogleOther-Video|GPTBot|iaskspider/2.0|ICC-Crawler|ImagesiftBot|img2dataset|ISSCyberRiskCrawler|Kangaroo Bot|meta-externalagent|Meta-ExternalAgent|meta-externalfetcher|Meta-ExternalFetcher|MistralAI-User/1.0|MyCentralAIScraperBot|NovaAct|OAI-SearchBot|omgili|omgilibot|Operator|PanguBot|Panscient|panscient.com|Perplexity-User|PerplexityBot|PetalBot|PhindBot|Poseidon Research Crawler|QualifiedBot|QuillBot|quillbot.com|SBIntuitionsBot|Scrapy|SemrushBot|SemrushBot-BA|SemrushBot-CT|SemrushBot-OCOB|SemrushBot-SI|SemrushBot-SWA|Sidetrade indexer bot|TikTokSpider|Timpibot|VelenPublicWebCrawler|Webzio-Extended|wpbot|YandexAdditional|YandexAdditionalBot|YouBot
+    AI2Bot|Ai2Bot-Dolma|aiHitBot|Amazonbot|Andibot|anthropic-ai|Applebot|Applebot-Extended|bedrockbot|Brightbot 1.0|Bytespider|CCBot|ChatGPT-User|Claude-SearchBot|Claude-User|Claude-Web|ClaudeBot|cohere-ai|cohere-training-data-crawler|Cotoyogi|Crawlspace|Diffbot|DuckAssistBot|FacebookBot|Factset_spyderbot|FirecrawlAgent|FriendlyCrawler|Google-CloudVertexBot|Google-Extended|GoogleOther|GoogleOther-Image|GoogleOther-Video|GPTBot|iaskspider/2.0|ICC-Crawler|ImagesiftBot|img2dataset|ISSCyberRiskCrawler|Kangaroo Bot|meta-externalagent|Meta-ExternalAgent|meta-externalfetcher|Meta-ExternalFetcher|MistralAI-User/1.0|NovaAct|OAI-SearchBot|omgili|omgilibot|Operator|PanguBot|Panscient|panscient.com|Perplexity-User|PerplexityBot|PetalBot|PhindBot|QualifiedBot|QuillBot|quillbot.com|SBIntuitionsBot|Scrapy|SemrushBot-OCOB|SemrushBot-SWA|Sidetrade indexer bot|TikTokSpider|Timpibot|VelenPublicWebCrawler|Webzio-Extended|wpbot|YandexAdditional|YandexAdditionalBot|YouBot
  action: DENY
--- a/docs/docs/CHANGELOG.md
+++ b/docs/docs/CHANGELOG.md
@@ -11,139 +11,22 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

 ## [Unreleased]

-## v1.20.0: Thancred Waters
-
-The big ticket items are as follows:
-
- Implement a no-JS challenge method: [`metarefresh`](./admin/configuration/challenges/metarefresh.mdx) ([#95](https://github.com/TecharoHQ/anubis/issues/95))
- Implement request "weight", allowing administrators to customize the behaviour of Anubis based on specific criteria
- Implement GeoIP and ASN based checks via [Thoth](https://anubis.techaro.lol/docs/admin/thoth) ([#206](https://github.com/TecharoHQ/anubis/issues/206))
- Add [custom weight thresholds](./admin/configuration/thresholds.mdx) via CEL ([#688](https://github.com/TecharoHQ/anubis/pull/688))
- Move Open Graph configuration [to the policy file](./admin/configuration/open-graph.mdx)
- Enable support for Open Graph metadata to be returned by default instead of doing lookups against the target
- Add `robots2policy` CLI utility to convert robots.txt files to Anubis challenge policies using CEL expressions ([#409](https://github.com/TecharoHQ/anubis/issues/409))
- Refactor challenge presentation logic to use a challenge registry
- Allow challenge implementations to register HTTP routes
- [Imprint/Impressum support](./admin/configuration/impressum.mdx) ([#362](https://github.com/TecharoHQ/anubis/issues/362))
- Fix "invalid response" after "Success!" in Chromium ([#564](https://github.com/TecharoHQ/anubis/issues/564))
-
-A lot of performance improvements have been made:
-
- Replace internal SHA256 hashing with xxhash for 4-6x performance improvement in policy evaluation and cache operations
- Optimized the OGTags subsystem with reduced allocations and runtime per request by up to 66%
- Replace cidranger with bart for IP range checking, improving IP matching performance by 3-20x with zero heap
+- Replace cidranger with bart for IP range checking, improving IP matching performance by 3-20x with zero heap 
  allocations
-
-And some cleanups/refactors were added:
-
 - Remove the unused `/test-error` endpoint and update the testing endpoint `/make-challenge` to only be enabled in
  development
 - Add `--xff-strip-private` flag/envvar to toggle skipping X-Forwarded-For private addresses or not
- Bump AI-robots.txt to version 1.37
+- Requests can have their weight be adjusted, if a request weighs zero or less than it is allowed through
+- Refactor challenge presentation logic to use a challenge registry
+- Allow challenge implementations to register HTTP routes
+- Implement a no-JS challenge method: [`metarefresh`](./admin/configuration/challenges/metarefresh.mdx) ([#95](https://github.com/TecharoHQ/anubis/issues/95))
+- Bump AI-robots.txt to version 1.34
 - Make progress bar styling more compatible (UXP, etc)
+- Optimized the OGTags subsystem with reduced allocations and runtime per request by up to 66%
 - Add `--strip-base-prefix` flag/envvar to strip the base prefix from request paths when forwarding to target servers
- Fix an off-by-one in the default threshold config
-
-Request weight is one of the biggest ticket features in Anubis. This enables Anubis to be much closer to a Web Application Firewall and when combined with custom thresholds allows administrators to have Anubis take advanced reactions. For more information about request weight, see [the request weight section](./admin/policies.mdx#request-weight) of the policy file documentation.
-
-TL;DR when you have one or more WEIGHT rules like this:
-
-```yaml
-bots:
-  - name: gitea-session-token
-    action: WEIGH
-    expression:
-      all:
-        - '"Cookie" in headers'
-        - headers["Cookie"].contains("i_love_gitea=")
-    # Remove 5 weight points
-    weight:
-      adjust: -5
-```
-
-You can configure custom thresholds like this:
-
-```yaml
-thresholds:
-  - name: minimal-suspicion # This client is likely fine, its soul is lighter than a feather
-    expression: weight < 0 # a feather weighs zero units
-    action: ALLOW # Allow the traffic through
-
-  # For clients that had some weight reduced through custom rules, give them a
-  # lightweight challenge.
-  - name: mild-suspicion
-    expression:
-      all:
-        - weight >= 0
-        - weight < 10
-    action: CHALLENGE
-    challenge:
-      # https://anubis.techaro.lol/docs/admin/configuration/challenges/metarefresh
-      algorithm: metarefresh
-      difficulty: 1
-      report_as: 1
-
-  # For clients that are browser-like but have either gained points from custom
-  # rules or report as a standard browser.
-  - name: moderate-suspicion
-    expression:
-      all:
-        - weight >= 10
-        - weight < 20
-    action: CHALLENGE
-    challenge:
-      # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work
-      algorithm: fast
-      difficulty: 2 # two leading zeros, very fast for most clients
-      report_as: 2
-
-  # For clients that are browser like and have gained many points from custom
-  # rules
-  - name: extreme-suspicion
-    expression: weight >= 20
-    action: CHALLENGE
-    challenge:
-      # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work
-      algorithm: fast
-      difficulty: 4
-      report_as: 4
-```
-
-These thresholds apply when no other `ALLOW`, `DENY`, or `CHALLENGE` rule matches the request. `WEIGHT` rules add and remove request weight as needed:
-
-```yaml
-bots:
-  - name: gitea-session-token
-    action: WEIGH
-    expression:
-      all:
-        - '"Cookie" in headers'
-        - headers["Cookie"].contains("i_love_gitea=")
-    # Remove 5 weight points
-    weight:
-      adjust: -5
-
-  - name: bot-like-user-agent
-    action: WEIGH
-    expression: '"Bot" in userAgent'
-    # Add 5 weight points
-    weight:
-      adjust: 5
-```
-
-Of note: the default "generic browser" rule assigns 10 weight points:
-
-```yaml
-# Generic catchall rule
- name: generic-browser
-  user_agent_regex: >-
-    Mozilla|Opera
-  action: WEIGH
-  weight:
-    adjust: 10
-```
-
-Adjust this as you see fit.
+- Add `robots2policy` CLI utility to convert robots.txt files to Anubis challenge policies using CEL expressions ([#409](https://github.com/TecharoHQ/anubis/issues/409))
+- Implement GeoIP and ASN based checks via [Thoth](https://anubis.techaro.lol/docs/admin/thoth) ([#206](https://github.com/TecharoHQ/anubis/issues/206))
+- Replace internal SHA256 hashing with xxhash for 4-6x performance improvement in policy evaluation and cache operations

 ## v1.19.1: Jenomis cen Lexentale - Echo 1

--- a/docs/docs/admin/configuration/impressum.mdx
+++ b/docs/docs/admin/configuration/impressum.mdx
@@ -1,70 +0,0 @@
-# Imprint / Impressum configuration
-
-Some jurisdictions (such as the European Union and specifically Germany) [must have contact information freely available](https://www.privacycompany.eu/blog/the-imprint-requirement-a-must-have-for-companies-from-outside-germany) on an imprint/impressum page. Anubis supports creating an Anubis-specific imprint page for your organization with the `impressum` block in your bot policy file. For example:
-
-```yaml
-impressum:
-  # Displayed at the bottom of every page rendered by Anubis.
-  footer: >-
-    This website is hosted by Techaro. If you have any complaints or notes 
-    about the service, please contact
-    <a href="mailto:contact@techaro.lol">contact@techaro.lol</a> and we
-    will assist you as soon as possible.
-
-  # The imprint page that will be linked to at the footer of every Anubis page.
-  page:
-    # The HTML <title> of the page
-    title: Imprint and Privacy Policy
-    # The HTML contents of the page. The exact contents of this page can
-    # and will vary by locale. Please consult with a lawyer if you are not
-    # sure what to put here
-    body: >-
-      <p>Last updated: June 2025</p>
-
-      <h2>Information that is gathered from visitors</h2>
-
-      <p>In common with other websites, log files are stored on the web server saving details such as the visitor's IP address, browser type, referring page and time of visit.</p>
-
-      <p>Cookies may be used to remember visitor preferences when interacting with the website.</p>
-
-      <p>Where registration is required, the visitor's email and a username will be stored on the server.</p>
-
-      <!-- ... -->
-```
-
-If you are subscribed to and using [advanced classification features](../thoth.mdx), be sure to disclose the following:
-
-```html
-<h2>Techaro Anubis</h2>
-
-<p>
-  This website uses a service called
-  <a href="https://anubis.techaro.lol">Anubis</a> by
-  <a href="https://techaro.lol">Techaro</a> to filter malicious traffic. Anubis
-  requires the use of browser cookies to ensure that web clients are running
-  conformant software. Anubis also may report the following data to Techaro to
-  improve service quality:
-</p>
-
-<ul>
-  <li>
-    IP address (for purposes of matching against geo-location and BGP autonomous
-    systems numbers), which is stored in-memory and not persisted to disk.
-  </li>
-  <li>
-    Unique browser fingerprints (such as HTTP request fingerprints and
-    encryption system fingerprints), which may be stored on Techaro's side for a
-    period of up to one month.
-  </li>
-  <li>
-    HTTP request metadata that may include things such as the User-Agent header
-    and other identifiers.
-  </li>
-</ul>
-
-<p>
-  This data is processed and stored for the legitimate interest of combatting
-  abusive web clients. This data is encrypted at rest as much as possible and is
-  only decrypted in memory for the purposes of fulfilling requests.
-</p>
-```
--- a/docs/docs/admin/configuration/open-graph.mdx
+++ b/docs/docs/admin/configuration/open-graph.mdx
@@ -9,45 +9,12 @@ This page provides detailed information on how to configure [Open Graph tag](htt

 ## Configuration Options

-Open Graph settings are configured in the `openGraph` section of the [Policy File](../policies.mdx).
-
-```yaml
-openGraph:
-  # Enables Open Graph passthrough
-  enabled: true
-  # Enables the use of the HTTP host in the cache key, this enables
-  # caching metadata for multiple http hosts at once.
-  considerHost: true
-  # How long cached OpenGraph metadata should last in memory
-  ttl: 24h
-  # If set, return these opengraph values instead of looking them up with
-  # the target service.
-  #
-  # Correlates to properties in https://ogp.me/
-  override:
-    # og:title is required, it is the title of the website
-    "og:title": "Techaro Anubis"
-    "og:description": >-
-      Anubis is a Web AI Firewall Utility that helps you fight the bots
-      away so that you can maintain uptime at work!
-    "description": >-
-      Anubis is a Web AI Firewall Utility that helps you fight the bots
-      away so that you can maintain uptime at work!
-```
-
-<details>
-<summary>Configuration flags / envvars (old)</summary>
-
-Open Graph passthrough used to be configured with configuration flags / environment variables. Reference to these settings are maintained for backwards compatibility's sake.
-
 | Name                     | Description                                               | Type     | Default | Example                       |
 | ------------------------ | --------------------------------------------------------- | -------- | ------- | ----------------------------- |
 | `OG_PASSTHROUGH`         | Enables or disables the Open Graph tag passthrough system | Boolean  | `true`  | `OG_PASSTHROUGH=true`         |
 | `OG_EXPIRY_TIME`         | Configurable cache expiration time for Open Graph tags    | Duration | `24h`   | `OG_EXPIRY_TIME=1h`           |
 | `OG_CACHE_CONSIDER_HOST` | Enables or disables the use of the host in the cache key  | Boolean  | `false` | `OG_CACHE_CONSIDER_HOST=true` |

-</details>
-
 ## Usage

 To configure Open Graph tags, you can set the following environment variables, environment file or as flags in your Anubis configuration:
--- a/docs/docs/admin/configuration/thresholds.mdx
+++ b/docs/docs/admin/configuration/thresholds.mdx
@@ -1,140 +0,0 @@
-# Weight Threshold Configuration
-
-Anubis offers the ability to assign "weight" to requests. This is a custom level of suspicion that rules can add to or remove from. For example, here's how you assign 10 weight points to anything that might be a browser:
-
-```yaml
-# botPolicies.yaml
-
-bots:
-  - name: generic-browser
-    user_agent_regex: >-
-      Mozilla|Opera
-    action: WEIGH
-    weight:
-      adjust: 10
-```
-
-Thresholds let you take this per-request weight value and take actions in response to it. Thresholds are defined alongside your bot configuration in `botPolicies.yaml`.
-
-:::note
-
-Thresholds DO NOT apply when a request matches a bot rule with the CHALLENGE action. Thresholds only apply when requests don't match any terminal bot rules.
-
-:::
-
-```yaml
-# botPolicies.yaml
-
-bots: ...
-
-thresholds:
-  - name: minimal-suspicion
-    expression: weight < 0
-    action: ALLOW
-
-  - name: mild-suspicion
-    expression:
-      all:
-        - weight >= 0
-        - weight < 10
-    action: CHALLENGE
-    challenge:
-      algorithm: metarefresh
-      difficulty: 1
-      report_as: 1
-
-  - name: moderate-suspicion
-    expression:
-      all:
-        - weight >= 10
-        - weight < 20
-    action: CHALLENGE
-    challenge:
-      algorithm: fast
-      difficulty: 2
-      report_as: 2
-
-  - name: extreme-suspicion
-    expression: weight >= 20
-    action: CHALLENGE
-    challenge:
-      algorithm: fast
-      difficulty: 4
-      report_as: 4
-```
-
-This defines a suite of 4 thresholds:
-
-1. If the request weight is less than zero, allow it through.
-2. If the request weight is greater than or equal to zero, but less than ten: give it [a very lightweight challenge](./challenges/metarefresh.mdx).
-3. If the request weight is greater than or equal to ten, but less than twenty: give it [a slightly heavier challenge](./challenges/proof-of-work.mdx).
-4. Otherwise, give it [the heaviest challenge](./challenges/proof-of-work.mdx).
-
-Thresholds can be configured with the following options:
-
-<table>
-  <thead>
-  <tr>
-    <th>Name</th>
-    <th>Description</th>
-    <th>Example</th>
-    </tr>
-  </thead>
-  <tbody>
-    <tr>
-      <td>`name`</td>
-      <td>The human-readable name for this threshold.</td>
-      <td>
-
-```yaml
-name: extreme-suspicion
-```
-
-      </td>
-    </tr>
-    <tr>
-    <td>`expression`</td>
-    <td>A [CEL](https://cel.dev/) expression taking the request weight and returning true or false</td>
-    <td>
-
-To check if the request weight is less than zero:
-
-```yaml
-expression: weight < 0
-```
-
-To check if it's between 0 and 10 (inclusive):
-
-```yaml
-expression:
-  all:
-    - weight >= 0
-    - weight < 10
-```
-
-    </td>
-    </tr>
-    <tr>
-    <td>`action`</td>
-    <td>The Anubis action to apply: `ALLOW`, `CHALLENGE`, or `DENY`</td>
-    <td>
-
-```yaml
-action: ALLOW
-```
-
-If you set the CHALLENGE action, you must set challenge details:
-
-```yaml
-action: CHALLENGE
-challenge:
-  algorithm: metarefresh
-  difficulty: 1
-  report_as: 1
-```
-
-    </td>
-    </tr>
-
-  </tbody>
-</table>
--- a/docs/docs/admin/installation.mdx
+++ b/docs/docs/admin/installation.mdx
@@ -4,6 +4,7 @@ title: Setting up Anubis

 import RandomKey from "@site/src/components/RandomKey";

+
 Anubis is meant to sit between your reverse proxy (such as Nginx or Caddy) and your target service. One instance of Anubis must be used per service you are protecting.

 <center>
@@ -29,7 +30,7 @@ TLS terminator)
 Anubis is shipped in the Docker repo [`ghcr.io/techarohq/anubis`](https://github.com/TecharoHQ/anubis/pkgs/container/anubis). The following tags exist for your convenience:

 | Tag                 | Meaning                                                                                                                            |
-| :------------------ | :--------------------------------------------------------------------------------------------------------------------------------- |
+|:--------------------|:-----------------------------------------------------------------------------------------------------------------------------------|
 | `latest`            | The latest [tagged release](https://github.com/TecharoHQ/anubis/releases), if you are in doubt, start here.                        |
 | `v<version number>` | The Anubis image for [any given tagged release](https://github.com/TecharoHQ/anubis/tags)                                          |
 | `main`              | The current build on the `main` branch. Only use this if you need the latest and greatest features as they are merged into `main`. |
@@ -42,24 +43,12 @@ Anubis has very minimal system requirements. I suspect that 128Mi of ram may be

 For more detailed information on installing Anubis with native packages, please read [the native install directions](./native-install.mdx).

-## Configuration
-
-Anubis is configurable via environment variables and [the policy file](./policies.mdx). Most settings are currently exposed with environment variables but they are being slowly moved over to the policy file.
-
-### Configuration via the policy file
-
-Currently the following settings are configurable via the policy file:
-
- [Bot policies](./policies.mdx)
- [Open Graph passthrough](./configuration/open-graph.mdx)
- [Weight thresholds](./configuration/thresholds.mdx)
-
-### Environment variables
+## Environment variables

 Anubis uses these environment variables for configuration:

 | Environment Variable           | Default value           | Explanation                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
-| :----------------------------- | :---------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+|:-------------------------------|:------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | `BASE_PREFIX`                  | unset                   | If set, adds a global prefix to all Anubis endpoints. For example, setting this to `/myapp` would make Anubis accessible at `/myapp/` instead of `/`. This is useful when running Anubis behind a reverse proxy that routes based on path prefixes.                                                                                                                                                                                                                                                     |
 | `BIND`                         | `:8923`                 | The network address that Anubis listens on. For `unix`, set this to a path: `/run/anubis/instance.sock`                                                                                                                                                                                                                                                                                                                                                                                                 |
 | `BIND_NETWORK`                 | `tcp`                   | The address family that Anubis listens on. Accepts `tcp`, `unix` and anything Go's [`net.Listen`](https://pkg.go.dev/net#Listen) supports.                                                                                                                                                                                                                                                                                                                                                              |
@@ -71,9 +60,9 @@ Anubis uses these environment variables for configuration:
 | `ED25519_PRIVATE_KEY_HEX_FILE` | unset                   | Path to a file containing the hex-encoded ed25519 private key. Only one of this or its sister option may be set.                                                                                                                                                                                                                                                                                                                                                                                        |
 | `METRICS_BIND`                 | `:9090`                 | The network address that Anubis serves Prometheus metrics on. See `BIND` for more information.                                                                                                                                                                                                                                                                                                                                                                                                          |
 | `METRICS_BIND_NETWORK`         | `tcp`                   | The address family that the Anubis metrics server listens on. See `BIND_NETWORK` for more information.                                                                                                                                                                                                                                                                                                                                                                                                  |
-| `OG_EXPIRY_TIME`               | `24h`                   | The expiration time for the Open Graph tag cache. Prefer using [the policy file](./configuration/open-graph.mdx) to configure the Open Graph subsystem.                                                                                                                                                                                                                                                                                                                                                 |
-| `OG_PASSTHROUGH`               | `false`                 | If set to `true`, Anubis will enable Open Graph tag passthrough. Prefer using [the policy file](./configuration/open-graph.mdx) to configure the Open Graph subsystem.                                                                                                                                                                                                                                                                                                                                  |
-| `OG_CACHE_CONSIDER_HOST`       | `false`                 | If set to `true`, Anubis will consider the host in the Open Graph tag cache key. Prefer using [the policy file](./configuration/open-graph.mdx) to configure the Open Graph subsystem.                                                                                                                                                                                                                                                                                                                  |
+| `OG_EXPIRY_TIME`               | `24h`                   | The expiration time for the Open Graph tag cache.                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
+| `OG_PASSTHROUGH`               | `false`                 | If set to `true`, Anubis will enable Open Graph tag passthrough.                                                                                                                                                                                                                                                                                                                                                                                                                                        |
+| `OG_CACHE_CONSIDER_HOST`       | `false`                 | If set to `true`, Anubis will consider the host in the Open Graph tag cache key.                                                                                                                                                                                                                                                                                                                                                                                                                        |
 | `POLICY_FNAME`                 | unset                   | The file containing [bot policy configuration](./policies.mdx). See the bot policy documentation for more details. If unset, the default bot policy configuration is used.                                                                                                                                                                                                                                                                                                                              |
 | `REDIRECT_DOMAINS`             | unset                   | If set, restrict the domains that Anubis can redirect to when passing a challenge.<br/><br/>If this is unset, Anubis may redirect to any domain which could cause security issues in the unlikely case that an attacker passes a challenge for your browser and then tricks you into clicking a link to your domain.<br/><br/>Note that if you are hosting Anubis on a non-standard port (`https://example:com:8443`, `http://www.example.net:8080`, etc.), you must also include the port number here. |
 | `SERVE_ROBOTS_TXT`             | `false`                 | If set `true`, Anubis will serve a default `robots.txt` file that disallows all known AI scrapers by name and then additionally disallows every scraper. This is useful if facts and circumstances make it difficult to change the underlying service to serve such a `robots.txt` file.                                                                                                                                                                                                                |
@@ -149,7 +138,6 @@ STRIP_BASE_PREFIX=true
 ```

 With this configuration:
-
 - A request to `/myapp/api/users` would be forwarded to your target service as `/api/users`
 - A request to `/myapp/` would be forwarded as `/`

--- a/docs/docs/admin/policies.mdx
+++ b/docs/docs/admin/policies.mdx
@@ -233,10 +233,6 @@ remote_addresses:
 </TabItem>
 </Tabs>

-## Imprint / Impressum support
-
-Anubis has support for showing imprint / impressum information. This is defined in the `impressum` block of your configuration. See [Imprint / Impressum configuration](./configuration/impressum.mdx) for more information.
-
 ## Risk calculation for downstream services

 In case your service needs it for risk calculation reasons, Anubis exposes information about the rules that any requests match using a few headers:
@@ -265,11 +261,17 @@ Anubis rules can also add or remove "weight" from requests, allowing administrat
    adjust: -5
 ```

-This would remove five weight points from the request, which would make Anubis present the [Meta Refresh challenge](./configuration/challenges/metarefresh.mdx) in the default configuration.
+This would remove five weight points from the request, making Anubis present the [Meta Refresh challenge](./configuration/challenges/metarefresh.mdx).

 ### Weight Thresholds

-For more information on configuring weight thresholds, see [Weight Threshold Configuration](./configuration/thresholds.mdx)
+Weight thresholds and challenge associations will be configurable with CEL expressions in the configuration file in an upcoming patch, for now here's how Anubis configures the weight thresholds:
+
+|                                      Weight Expression | Action                                                                                                                                 |
+| -----------------------------------------------------: | :------------------------------------------------------------------------------------------------------------------------------------- |
+|                   `weight < 0` (weight is less than 0) | Allow the request through.                                                                                                             |
+|                 `weight < 10` (weight is less than 10) | Challenge the client with the [Meta Refresh challenge](./configuration/challenges/metarefresh.mdx) at the default difficulty level.    |
+| `weight >= 10` (weight is greater than or equal to 10) | Challenge the client with the [Proof of Work challenge](./configuration/challenges/proof-of-work.mdx) at the default difficulty level. |

 ### Advice

--- a/docs/docs/admin/thoth.mdx
+++ b/docs/docs/admin/thoth.mdx
@@ -59,7 +59,7 @@ For example, to add 10 weight points to requests from Brazil and China:
 - name: countries-with-aggressive-scrapers
  action: WEIGH
  geoip:
-    countries:
+    counties:
      - BR
      - CN
  weight:
--- a/docs/docs/developer/building-anubis.md
+++ b/docs/docs/developer/building-anubis.md
@@ -58,9 +58,7 @@ This will build all static assets (CSS, JavaScript) for distribution.
 make build
 ```

-From this point it is up to you to make sure that `./var/anubis` and `./var/robots2policy` end up in
-the right place. You may want to consult the `./run` folder for useful files such as a systemd unit
-and `anubis.env.default` file.
+From this point it is up to you to make sure that `./var/anubis` ends up in the right place. You may want to consult the `./run` folder for useful files such as a systemd unit and `anubis.env.default` file.

 ## "Pre-baked" tarball

@@ -77,7 +75,7 @@ When using this tarball, all you need to do is build `./cmd/anubis`:
 make prebaked-build
 ```

-Anubis will be built to `./var/anubis` and the robots2policy tool to `./var/robots2policy`.
+Anubis will be built to `./var/anubis`.

 ## Development dependencies

--- a/docs/docs/user/known-instances.md
+++ b/docs/docs/user/known-instances.md
@@ -44,7 +44,6 @@ This page contains a non-exhaustive list with all websites using Anubis.
 - https://squirreljme.cc/
 - https://gitlab.postmarketos.org/
 - https://wiki.koha-community.org/
- https://extensions.typo3.org/
 - <details>
  <summary>FreeCAD</summary>
  - https://forum.freecad.org/
--- a/docs/manifest/cfg/anubis/botPolicies.yaml
+++ b/docs/manifest/cfg/anubis/botPolicies.yaml
@@ -70,55 +70,6 @@ bots:

 dnsbl: false

-impressum:
-  footer: |
-    This website is hosted by Techaro. If you have any complaints or notes about the service, please contact <a href="mailto:contact@techaro.lol">contact@techaro.lol</a> and we will assist you as soon as possible.
-
-  page:
-    title: Privacy Policy
-    body: |
-      <p>Last updated: June 2025</p>
-
-      <h2>Information that is gathered from visitors</h2>
-
-      <p>In common with other websites, log files are stored on the web server saving details such as the visitor's IP address, browser type, referring page and time of visit.</p>
-
-      <p>Cookies may be used to remember visitor preferences when interacting with the website.</p>
-
-      <p>Where registration is required, the visitor's email and a username will be stored on the server.</p>
-
-      <h2>How the Information is used</h2>
-
-      <p>The information is used to enhance the vistor's experience when using the website to display personalised content and possibly advertising.</p>
-
-      <p>E-mail addresses will not be sold, rented or leased to 3rd parties.</p>
-
-      <p>E-mail may be sent to inform you of news of our services or offers by us or our affiliates.</p>
-
-      <h2>Visitor Options</h2>
-
-      <p>If you have subscribed to one of our services, you may unsubscribe by following the instructions which are included in e-mail that you receive.</p>
-
-      <p>You may be able to block cookies via your browser settings but this may prevent you from access to certain features of the website.</p>
-
-      <h2>Cookies</h2>
-
-      <p>Cookies are small digital signature files that are stored by your web browser that allow your preferences to be recorded when visiting the website. Also they may be used to track your return visits to the website.</p>
-
-      <p>3rd party advertising companies may also use cookies for tracking purposes.</p>
-
-      <h2>Techaro Anubis</h2>
-
-      <p>This website uses a service called <a href="https://anubis.techaro.lol">Anubis</a> to filter malicious traffic. Anubis requires the use of browser cookies to ensure that web clients are running conformant software. Anubis also may report the following data to Techaro to improve service quality:</p>
-
-      <ul>
-        <li>IP address (for purposes of matching against geo-location and BGP autonomous systems numbers), which is stored in-memory and not persisted to disk.</li>
-        <li>Unique browser fingerprints (such as HTTP request fingerprints and encryption system fingerprints), which may be stored on Techaro's side for a period of up to one month.</li>
-        <li>HTTP request metadata that may include things such as the User-Agent header and other identifiers.</li>
-      </ul>
-
-      <p>This data is processed and stored for the legitimate interest of combatting abusive web clients. This data is encrypted at rest as much as possible and is only decrypted in memory for the purposes of fulfilling requests.</p>
-
 # By default, send HTTP 200 back to clients that either get issued a challenge
 # or a denial. This seems weird, but this is load-bearing due to the fact that
 # the most aggressive scraper bots seem to really, really, want an HTTP 200 and
--- a/internal/ogtags/cache.go
+++ b/internal/ogtags/cache.go
@@ -13,10 +13,6 @@ func (c *OGTagCache) GetOGTags(url *url.URL, originalHost string) (map[string]st
 		return nil, errors.New("nil URL provided, cannot fetch OG tags")
 	}

-	if len(c.ogOverride) != 0 {
-		return c.ogOverride, nil
-	}
-
 	target := c.getTarget(url)
 	cacheKey := c.generateCacheKey(target, originalHost)

--- a/internal/ogtags/cache_test.go
+++ b/internal/ogtags/cache_test.go
@@ -7,49 +7,10 @@ import (
 	"reflect"
 	"testing"
 	"time"
-
-	"github.com/TecharoHQ/anubis/lib/policy/config"
 )

-func TestCacheReturnsDefault(t *testing.T) {
-	want := map[string]string{
-		"og:title":       "Foo bar",
-		"og:description": "The best website ever made!!!1!",
-	}
-	cache := NewOGTagCache("", config.OpenGraph{
-		Enabled:      true,
-		TimeToLive:   time.Minute,
-		ConsiderHost: false,
-		Override:     want,
-	})
-
-	u, err := url.Parse("https://anubis.techaro.lol")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	result, err := cache.GetOGTags(u, "anubis.techaro.lol")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	for k, v := range want {
-		t.Run(k, func(t *testing.T) {
-			if got := result[k]; got != v {
-				t.Logf("want: tags[%q] = %q", k, v)
-				t.Logf("got:  tags[%q] = %q", k, got)
-				t.Error("invalid result from function")
-			}
-		})
-	}
-}
-
 func TestCheckCache(t *testing.T) {
-	cache := NewOGTagCache("http://example.com", config.OpenGraph{
-		Enabled:      true,
-		TimeToLive:   time.Minute,
-		ConsiderHost: false,
-	})
+	cache := NewOGTagCache("http://example.com", true, time.Minute, false)

 	// Set up test data
 	urlStr := "http://example.com/page"
@@ -108,11 +69,7 @@ func TestGetOGTags(t *testing.T) {
 	defer ts.Close()

 	// Create an instance of OGTagCache with a short TTL for testing
-	cache := NewOGTagCache(ts.URL, config.OpenGraph{
-		Enabled:      true,
-		TimeToLive:   time.Minute,
-		ConsiderHost: false,
-	})
+	cache := NewOGTagCache(ts.URL, true, 1*time.Minute, false)

 	// Parse the test server URL
 	parsedURL, err := url.Parse(ts.URL)
@@ -259,11 +216,7 @@ func TestGetOGTagsWithHostConsideration(t *testing.T) {
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			loadCount = 0 // Reset load count for each test case
-			cache := NewOGTagCache(ts.URL, config.OpenGraph{
-				Enabled:      true,
-				TimeToLive:   time.Minute,
-				ConsiderHost: tc.ogCacheConsiderHost,
-			})
+			cache := NewOGTagCache(ts.URL, true, 1*time.Minute, tc.ogCacheConsiderHost)

 			for i, req := range tc.requests {
 				ogTags, err := cache.GetOGTags(parsedURL, req.host)
--- a/internal/ogtags/fetch_test.go
+++ b/internal/ogtags/fetch_test.go
@@ -10,7 +10,6 @@ import (
 	"testing"
 	"time"

-	"github.com/TecharoHQ/anubis/lib/policy/config"
 	"golang.org/x/net/html"
 )

@@ -81,11 +80,7 @@ func TestFetchHTMLDocument(t *testing.T) {
 			}))
 			defer ts.Close()

-			cache := NewOGTagCache("", config.OpenGraph{
-				Enabled:      true,
-				TimeToLive:   time.Minute,
-				ConsiderHost: false,
-			})
+			cache := NewOGTagCache("", true, time.Minute, false)
 			doc, err := cache.fetchHTMLDocument(ts.URL, "anything")

 			if tt.expectError {
@@ -112,11 +107,7 @@ func TestFetchHTMLDocumentInvalidURL(t *testing.T) {
 		t.Skip("test requires theoretical network egress")
 	}

-	cache := NewOGTagCache("", config.OpenGraph{
-		Enabled:      true,
-		TimeToLive:   time.Minute,
-		ConsiderHost: false,
-	})
+	cache := NewOGTagCache("", true, time.Minute, false)

 	doc, err := cache.fetchHTMLDocument("http://invalid.url.that.doesnt.exist.example", "anything")

--- a/internal/ogtags/integration_test.go
+++ b/internal/ogtags/integration_test.go
@@ -6,8 +6,6 @@ import (
 	"net/url"
 	"testing"
 	"time"
-
-	"github.com/TecharoHQ/anubis/lib/policy/config"
 )

 func TestIntegrationGetOGTags(t *testing.T) {
@@ -106,11 +104,7 @@ func TestIntegrationGetOGTags(t *testing.T) {
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			// Create cache instance
-			cache := NewOGTagCache(ts.URL, config.OpenGraph{
-				Enabled:      true,
-				TimeToLive:   time.Minute,
-				ConsiderHost: false,
-			})
+			cache := NewOGTagCache(ts.URL, true, 1*time.Minute, false)

 			// Create URL for test
 			testURL, _ := url.Parse(ts.URL)
--- a/internal/ogtags/mem_test.go
+++ b/internal/ogtags/mem_test.go
@@ -6,7 +6,6 @@ import (
 	"strings"
 	"testing"

-	"github.com/TecharoHQ/anubis/lib/policy/config"
 	"golang.org/x/net/html"
 )

@@ -30,7 +29,7 @@ func BenchmarkGetTarget(b *testing.B) {

 	for _, tt := range tests {
 		b.Run(tt.name, func(b *testing.B) {
-			cache := NewOGTagCache(tt.target, config.OpenGraph{})
+			cache := NewOGTagCache(tt.target, false, 0, false)
 			urls := make([]*url.URL, len(tt.paths))
 			for i, path := range tt.paths {
 				u, _ := url.Parse(path)
@@ -66,7 +65,7 @@ func BenchmarkExtractOGTags(b *testing.B) {
 		</head><body><div><p>Content</p></div></body></html>`,
 	}

-	cache := NewOGTagCache("http://example.com", config.OpenGraph{})
+	cache := NewOGTagCache("http://example.com", false, 0, false)
 	docs := make([]*html.Node, len(htmlSamples))

 	for i, sample := range htmlSamples {
@@ -84,7 +83,7 @@ func BenchmarkExtractOGTags(b *testing.B) {

 // Memory usage test
 func TestMemoryUsage(t *testing.T) {
-	cache := NewOGTagCache("http://example.com", config.OpenGraph{})
+	cache := NewOGTagCache("http://example.com", false, 0, false)

 	// Force GC and wait for it to complete
 	runtime.GC()
--- a/internal/ogtags/ogtags.go
+++ b/internal/ogtags/ogtags.go
@@ -10,7 +10,6 @@ import (
 	"time"

 	"github.com/TecharoHQ/anubis/decaymap"
-	"github.com/TecharoHQ/anubis/lib/policy/config"
 )

 const (
@@ -33,10 +32,9 @@ type OGTagCache struct {
 	ogTimeToLive        time.Duration
 	ogCacheConsiderHost bool
 	ogPassthrough       bool
-	ogOverride          map[string]string
 }

-func NewOGTagCache(target string, conf config.OpenGraph) *OGTagCache {
+func NewOGTagCache(target string, ogPassthrough bool, ogTimeToLive time.Duration, ogTagsConsiderHost bool) *OGTagCache {
 	// Predefined approved tags and prefixes
 	defaultApprovedTags := []string{"description", "keywords", "author"}
 	defaultApprovedPrefixes := []string{"og:", "twitter:", "fediverse:"}
@@ -79,10 +77,9 @@ func NewOGTagCache(target string, conf config.OpenGraph) *OGTagCache {
 	return &OGTagCache{
 		cache:               decaymap.New[string, map[string]string](),
 		targetURL:           parsedTargetURL,
-		ogPassthrough:       conf.Enabled,
-		ogTimeToLive:        conf.TimeToLive,
-		ogCacheConsiderHost: conf.ConsiderHost,
-		ogOverride:          conf.Override,
+		ogPassthrough:       ogPassthrough,
+		ogTimeToLive:        ogTimeToLive,
+		ogCacheConsiderHost: ogTagsConsiderHost,
 		approvedTags:        defaultApprovedTags,
 		approvedPrefixes:    defaultApprovedPrefixes,
 		client:              client,
--- a/internal/ogtags/ogtags_fuzz_test.go
+++ b/internal/ogtags/ogtags_fuzz_test.go
@@ -6,7 +6,6 @@ import (
 	"testing"
 	"unicode/utf8"

-	"github.com/TecharoHQ/anubis/lib/policy/config"
 	"golang.org/x/net/html"
 )

@@ -46,7 +45,7 @@ func FuzzGetTarget(f *testing.F) {
 		}

 		// Create cache - should not panic
-		cache := NewOGTagCache(target, config.OpenGraph{})
+		cache := NewOGTagCache(target, false, 0, false)

 		// Create URL
 		u := &url.URL{
@@ -130,7 +129,7 @@ func FuzzExtractOGTags(f *testing.F) {
 			return
 		}

-		cache := NewOGTagCache("http://example.com", config.OpenGraph{})
+		cache := NewOGTagCache("http://example.com", false, 0, false)

 		// Should not panic
 		tags := cache.extractOGTags(doc)
@@ -186,7 +185,7 @@ func FuzzGetTargetRoundTrip(f *testing.F) {
 			t.Skip()
 		}

-		cache := NewOGTagCache(target, config.OpenGraph{})
+		cache := NewOGTagCache(target, false, 0, false)
 		u := &url.URL{Path: path, RawQuery: query}

 		result := cache.getTarget(u)
@@ -243,7 +242,7 @@ func FuzzExtractMetaTagInfo(f *testing.F) {
 			},
 		}

-		cache := NewOGTagCache("http://example.com", config.OpenGraph{})
+		cache := NewOGTagCache("http://example.com", false, 0, false)

 		// Should not panic
 		property, content := cache.extractMetaTagInfo(node)
@@ -296,7 +295,7 @@ func BenchmarkFuzzedGetTarget(b *testing.B) {

 	for _, input := range inputs {
 		b.Run(input.name, func(b *testing.B) {
-			cache := NewOGTagCache(input.target, config.OpenGraph{})
+			cache := NewOGTagCache(input.target, false, 0, false)
 			u := &url.URL{Path: input.path, RawQuery: input.query}

 			b.ResetTimer()
--- a/internal/ogtags/ogtags_test.go
+++ b/internal/ogtags/ogtags_test.go
@@ -13,8 +13,6 @@ import (
 	"strings"
 	"testing"
 	"time"
-
-	"github.com/TecharoHQ/anubis/lib/policy/config"
 )

 func TestNewOGTagCache(t *testing.T) {
@@ -40,11 +38,7 @@ func TestNewOGTagCache(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			cache := NewOGTagCache(tt.target, config.OpenGraph{
-				Enabled:      tt.ogPassthrough,
-				TimeToLive:   tt.ogTimeToLive,
-				ConsiderHost: false,
-			})
+			cache := NewOGTagCache(tt.target, tt.ogPassthrough, tt.ogTimeToLive, false)

 			if cache == nil {
 				t.Fatal("expected non-nil cache, got nil")
@@ -80,11 +74,7 @@ func TestNewOGTagCache_UnixSocket(t *testing.T) {
 	socketPath := filepath.Join(tempDir, "test.sock")
 	target := "unix://" + socketPath

-	cache := NewOGTagCache(target, config.OpenGraph{
-		Enabled:      true,
-		TimeToLive:   5 * time.Minute,
-		ConsiderHost: false,
-	})
+	cache := NewOGTagCache(target, true, 5*time.Minute, false)

 	if cache == nil {
 		t.Fatal("expected non-nil cache, got nil")
@@ -165,11 +155,7 @@ func TestGetTarget(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			cache := NewOGTagCache(tt.target, config.OpenGraph{
-				Enabled:      true,
-				TimeToLive:   time.Minute,
-				ConsiderHost: false,
-			})
+			cache := NewOGTagCache(tt.target, false, time.Minute, false)

 			u := &url.URL{
 				Path:     tt.path,
@@ -189,9 +175,7 @@ func TestGetTarget(t *testing.T) {
 func TestIntegrationGetOGTags_UnixSocket(t *testing.T) {
 	tempDir := t.TempDir()

-	// XXX(Xe): if this is named longer, macOS fails with `bind: invalid argument`
-	// because the unix socket path is too long. I love computers.
-	socketPath := filepath.Join(tempDir, "t")
+	socketPath := filepath.Join(tempDir, "anubis-test.sock")

 	// Ensure the socket does not exist initially
 	_ = os.Remove(socketPath)
@@ -238,11 +222,7 @@ func TestIntegrationGetOGTags_UnixSocket(t *testing.T) {

 	// Create cache instance pointing to the Unix socket
 	targetURL := "unix://" + socketPath
-	cache := NewOGTagCache(targetURL, config.OpenGraph{
-		Enabled:      true,
-		TimeToLive:   time.Minute,
-		ConsiderHost: false,
-	})
+	cache := NewOGTagCache(targetURL, true, 1*time.Minute, false)

 	// Create a dummy URL for the request (path and query matter)
 	testReqURL, _ := url.Parse("/some/page?query=1")
--- a/internal/ogtags/parse_test.go
+++ b/internal/ogtags/parse_test.go
@@ -6,18 +6,13 @@ import (
 	"testing"
 	"time"

-	"github.com/TecharoHQ/anubis/lib/policy/config"
 	"golang.org/x/net/html"
 )

 // TestExtractOGTags updated with correct expectations based on filtering logic
 func TestExtractOGTags(t *testing.T) {
 	// Use a cache instance that reflects the default approved lists
-	testCache := NewOGTagCache("", config.OpenGraph{
-		Enabled:      false,
-		ConsiderHost: false,
-		TimeToLive:   time.Minute,
-	})
+	testCache := NewOGTagCache("", false, time.Minute, false)
 	// Manually set approved tags/prefixes based on the user request for clarity
 	testCache.approvedTags = []string{"description"}
 	testCache.approvedPrefixes = []string{"og:"}
@@ -194,11 +189,7 @@ func TestIsOGMetaTag(t *testing.T) {

 func TestExtractMetaTagInfo(t *testing.T) {
 	// Use a cache instance that reflects the default approved lists
-	testCache := NewOGTagCache("", config.OpenGraph{
-		Enabled:      false,
-		ConsiderHost: false,
-		TimeToLive:   time.Minute,
-	})
+	testCache := NewOGTagCache("", false, time.Minute, false)
 	testCache.approvedTags = []string{"description"}
 	testCache.approvedPrefixes = []string{"og:"}

--- a/lib/anubis.go
+++ b/lib/anubis.go
@@ -15,7 +15,6 @@ import (
 	"time"

 	"github.com/golang-jwt/jwt/v5"
-	"github.com/google/cel-go/common/types"

 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promauto"
@@ -77,8 +76,14 @@ type Server struct {
 func (s *Server) challengeFor(r *http.Request, difficulty int) string {
 	fp := sha256.Sum256(s.pub[:])

+	acceptLanguage := r.Header.Get("Accept-Language")
+	if len(acceptLanguage) > 5 {
+		acceptLanguage = acceptLanguage[:5]
+	}
+
 	challengeData := fmt.Sprintf(
-		"X-Real-IP=%s,User-Agent=%s,WeekTime=%s,Fingerprint=%x,Difficulty=%d",
+		"Accept-Language=%s,X-Real-IP=%s,User-Agent=%s,WeekTime=%s,Fingerprint=%x,Difficulty=%d",
+		acceptLanguage,
 		r.Header.Get("X-Real-Ip"),
 		r.UserAgent(),
 		time.Now().UTC().Round(24*7*time.Hour).Format(time.RFC3339),
@@ -406,6 +411,12 @@ func cr(name string, rule config.Rule, weight int) policy.CheckResult {
 	}
 }

+var (
+	weightOkayStatic    = policy.NewStaticHashChecker("weight/okay")
+	weightMildSusStatic = policy.NewStaticHashChecker("weight/mild-suspicion")
+	weightVerySusStatic = policy.NewStaticHashChecker("weight/extreme-suspicion")
+)
+
 // Check evaluates the list of rules, and returns the result
 func (s *Server) check(r *http.Request) (policy.CheckResult, *policy.Bot, error) {
 	host := r.Header.Get("X-Real-Ip")
@@ -437,25 +448,34 @@ func (s *Server) check(r *http.Request) (policy.CheckResult, *policy.Bot, error)
 		}
 	}

-	for _, t := range s.policy.Thresholds {
-		result, _, err := t.Program.ContextEval(r.Context(), &policy.ThresholdRequest{Weight: weight})
-		if err != nil {
-			slog.Error("error when evaluating threshold expression", "expression", t.Expression.String(), "err", err)
-			continue
-		}
-
-		var matches bool
-
-		if val, ok := result.(types.Bool); ok {
-			matches = bool(val)
-		}
-
-		if matches {
-			return cr("threshold/"+t.Name, t.Action, weight), &policy.Bot{
-				Challenge: t.Challenge,
-				Rules:     &checker.List{},
-			}, nil
-		}
+	switch {
+	case weight <= 0:
+		return cr("weight/okay", config.RuleAllow, weight), &policy.Bot{
+			Challenge: &config.ChallengeRules{
+				Difficulty: s.policy.DefaultDifficulty,
+				ReportAs:   s.policy.DefaultDifficulty,
+				Algorithm:  config.DefaultAlgorithm,
+			},
+			Rules: weightOkayStatic,
+		}, nil
+	case weight > 0 && weight < 10:
+		return cr("weight/mild-suspicion", config.RuleChallenge, weight), &policy.Bot{
+			Challenge: &config.ChallengeRules{
+				Difficulty: s.policy.DefaultDifficulty,
+				ReportAs:   s.policy.DefaultDifficulty,
+				Algorithm:  "metarefresh",
+			},
+			Rules: weightMildSusStatic,
+		}, nil
+	case weight >= 10:
+		return cr("weight/extreme-suspicion", config.RuleChallenge, weight), &policy.Bot{
+			Challenge: &config.ChallengeRules{
+				Difficulty: s.policy.DefaultDifficulty,
+				ReportAs:   s.policy.DefaultDifficulty,
+				Algorithm:  "fast",
+			},
+			Rules: weightVerySusStatic,
+		}, nil
 	}

 	return cr("default/allow", config.RuleAllow, weight), &policy.Bot{
--- a/lib/anubis_test.go
+++ b/lib/anubis_test.go
@@ -24,16 +24,12 @@ func init() {
 	internal.InitSlog("debug")
 }

-func loadPolicies(t *testing.T, fname string, difficulty int) *policy.ParsedConfig {
+func loadPolicies(t *testing.T, fname string) *policy.ParsedConfig {
 	t.Helper()

 	ctx := thothmock.WithMockThoth(t)

-	if fname == "" {
-		fname = "./testdata/test_config.yaml"
-	}
-
-	anubisPolicy, err := LoadPoliciesOrDefault(ctx, fname, difficulty)
+	anubisPolicy, err := LoadPoliciesOrDefault(ctx, fname, anubis.DefaultDifficulty)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -44,10 +40,6 @@ func loadPolicies(t *testing.T, fname string, difficulty int) *policy.ParsedConf
 func spawnAnubis(t *testing.T, opts Options) *Server {
 	t.Helper()

-	if opts.Policy == nil {
-		opts.Policy = loadPolicies(t, "", 4)
-	}
-
 	s, err := New(opts)
 	if err != nil {
 		t.Fatalf("can't construct libanubis.Server: %v", err)
@@ -184,7 +176,8 @@ func TestLoadPolicies(t *testing.T) {

 // Regression test for CVE-2025-24369
 func TestCVE2025_24369(t *testing.T) {
-	pol := loadPolicies(t, "", anubis.DefaultDifficulty)
+	pol := loadPolicies(t, "")
+	pol.DefaultDifficulty = 4

 	srv := spawnAnubis(t, Options{
 		Next:   http.NewServeMux(),
@@ -207,7 +200,8 @@ func TestCVE2025_24369(t *testing.T) {
 }

 func TestCookieCustomExpiration(t *testing.T) {
-	pol := loadPolicies(t, "", 0)
+	pol := loadPolicies(t, "")
+	pol.DefaultDifficulty = 0
 	ckieExpiration := 10 * time.Minute

 	srv := spawnAnubis(t, Options{
@@ -256,7 +250,8 @@ func TestCookieCustomExpiration(t *testing.T) {
 }

 func TestCookieSettings(t *testing.T) {
-	pol := loadPolicies(t, "", 0)
+	pol := loadPolicies(t, "")
+	pol.DefaultDifficulty = 0

 	srv := spawnAnubis(t, Options{
 		Next:   http.NewServeMux(),
@@ -321,7 +316,10 @@ func TestCheckDefaultDifficultyMatchesPolicy(t *testing.T) {

 	for i := 1; i < 10; i++ {
 		t.Run(fmt.Sprint(i), func(t *testing.T) {
-			anubisPolicy := loadPolicies(t, "", i)
+			anubisPolicy, err := LoadPoliciesOrDefault(t.Context(), "", i)
+			if err != nil {
+				t.Fatal(err)
+			}

 			s, err := New(Options{
 				Next:           h,
@@ -339,13 +337,11 @@ func TestCheckDefaultDifficultyMatchesPolicy(t *testing.T) {

 			req.Header.Add("X-Real-Ip", "127.0.0.1")

-			cr, bot, err := s.check(req)
+			_, bot, err := s.check(req)
 			if err != nil {
 				t.Fatal(err)
 			}

-			t.Log(cr.Name)
-
 			if bot.Challenge.Difficulty != i {
 				t.Errorf("Challenge.Difficulty is wrong, wanted %d, got: %d", i, bot.Challenge.Difficulty)
 			}
@@ -393,7 +389,8 @@ func TestBasePrefix(t *testing.T) {
 			// Reset the global BasePrefix before each test
 			anubis.BasePrefix = ""

-			pol := loadPolicies(t, "", 4)
+			pol := loadPolicies(t, "")
+			pol.DefaultDifficulty = 4

 			srv := spawnAnubis(t, Options{
 				Next:       h,
@@ -521,7 +518,8 @@ func TestCustomStatusCodes(t *testing.T) {
 		"DENY":      403,
 	}

-	pol := loadPolicies(t, "./testdata/aggressive_403.yaml", 4)
+	pol := loadPolicies(t, "./testdata/aggressive_403.yaml")
+	pol.DefaultDifficulty = 4

 	srv := spawnAnubis(t, Options{
 		Next:   h,
@@ -555,7 +553,7 @@ func TestCustomStatusCodes(t *testing.T) {
 func TestCloudflareWorkersRule(t *testing.T) {
 	for _, variant := range []string{"cel", "header"} {
 		t.Run(variant, func(t *testing.T) {
-			pol := loadPolicies(t, "./testdata/cloudflare-workers-"+variant+".yaml", 0)
+			pol := loadPolicies(t, "./testdata/cloudflare-workers-"+variant+".yaml")

 			h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 				fmt.Fprintln(w, "OK")
@@ -611,7 +609,8 @@ func TestCloudflareWorkersRule(t *testing.T) {
 }

 func TestRuleChange(t *testing.T) {
-	pol := loadPolicies(t, "testdata/rule_change.yaml", 0)
+	pol := loadPolicies(t, "testdata/rule_change.yaml")
+	pol.DefaultDifficulty = 0
 	ckieExpiration := 10 * time.Minute

 	srv := spawnAnubis(t, Options{
--- a/lib/challenge/challenge.go
+++ b/lib/challenge/challenge.go
@@ -7,7 +7,6 @@ import (
 	"sync"

 	"github.com/TecharoHQ/anubis/lib/policy"
-	"github.com/TecharoHQ/anubis/lib/policy/config"
 	"github.com/a-h/templ"
 )

@@ -41,19 +40,12 @@ func Methods() []string {
 	return result
 }

-type IssueInput struct {
-	Impressum *config.Impressum
-	Rule      *policy.Bot
-	Challenge string
-	OGTags    map[string]string
-}
-
 type Impl interface {
 	// Setup registers any additional routes with the Impl for assets or API routes.
 	Setup(mux *http.ServeMux)

 	// Issue a new challenge to the user, called by the Anubis.
-	Issue(r *http.Request, lg *slog.Logger, in *IssueInput) (templ.Component, error)
+	Issue(r *http.Request, lg *slog.Logger, rule *policy.Bot, challenge string, ogTags map[string]string) (templ.Component, error)

 	// Validate a challenge, making sure that it passes muster.
 	Validate(r *http.Request, lg *slog.Logger, rule *policy.Bot, challenge string) error
--- a/lib/challenge/metarefresh/metarefresh.go
+++ b/lib/challenge/metarefresh/metarefresh.go
@@ -23,7 +23,7 @@ type Impl struct{}

 func (i *Impl) Setup(mux *http.ServeMux) {}

-func (i *Impl) Issue(r *http.Request, lg *slog.Logger, in *challenge.IssueInput) (templ.Component, error) {
+func (i *Impl) Issue(r *http.Request, lg *slog.Logger, rule *policy.Bot, challenge string, ogTags map[string]string) (templ.Component, error) {
 	u, err := r.URL.Parse(anubis.BasePrefix + "/.within.website/x/cmd/anubis/api/pass-challenge")
 	if err != nil {
 		return nil, fmt.Errorf("can't render page: %w", err)
@@ -31,10 +31,10 @@ func (i *Impl) Issue(r *http.Request, lg *slog.Logger, in *challenge.IssueInput)

 	q := u.Query()
 	q.Set("redir", r.URL.String())
-	q.Set("challenge", in.Challenge)
+	q.Set("challenge", challenge)
 	u.RawQuery = q.Encode()

-	component, err := web.BaseWithChallengeAndOGTags("Making sure you're not a bot!", page(in.Challenge, u.String(), in.Rule.Challenge.Difficulty), in.Impressum, in.Challenge, in.Rule.Challenge, in.OGTags)
+	component, err := web.BaseWithChallengeAndOGTags("Making sure you're not a bot!", page(challenge, u.String(), rule.Challenge.Difficulty), challenge, rule.Challenge, ogTags)
 	if err != nil {
 		return nil, fmt.Errorf("can't render page: %w", err)
 	}
--- a/lib/challenge/proofofwork/proofofwork.go
+++ b/lib/challenge/proofofwork/proofofwork.go
@@ -28,8 +28,8 @@ func (i *Impl) Setup(mux *http.ServeMux) {
 	/* no implementation required */
 }

-func (i *Impl) Issue(r *http.Request, lg *slog.Logger, in *chall.IssueInput) (templ.Component, error) {
-	component, err := web.BaseWithChallengeAndOGTags("Making sure you're not a bot!", web.Index(), in.Impressum, in.Challenge, in.Rule.Challenge, in.OGTags)
+func (i *Impl) Issue(r *http.Request, lg *slog.Logger, rule *policy.Bot, challenge string, ogTags map[string]string) (templ.Component, error) {
+	component, err := web.BaseWithChallengeAndOGTags("Making sure you're not a bot!", web.Index(), challenge, rule.Challenge, ogTags)
 	if err != nil {
 		return nil, fmt.Errorf("can't render page: %w", err)
 	}
--- a/lib/challenge/proofofwork/proofofwork_test.go
+++ b/lib/challenge/proofofwork/proofofwork_test.go
@@ -124,12 +124,7 @@ func TestBasic(t *testing.T) {
 		t.Run(cs.name, func(t *testing.T) {
 			lg := slog.With()

-			inp := &challenge.IssueInput{
-				Rule:      bot,
-				Challenge: cs.challengeStr,
-			}
-
-			if _, err := i.Issue(cs.req, lg, inp); err != nil {
+			if _, err := i.Issue(cs.req, lg, bot, cs.challengeStr, nil); err != nil {
 				t.Errorf("can't issue challenge: %v", err)
 			}

--- a/lib/config.go
+++ b/lib/config.go
@@ -21,27 +21,27 @@ import (
 	"github.com/TecharoHQ/anubis/internal/ogtags"
 	"github.com/TecharoHQ/anubis/lib/challenge"
 	"github.com/TecharoHQ/anubis/lib/policy"
-	"github.com/TecharoHQ/anubis/lib/policy/config"
 	"github.com/TecharoHQ/anubis/web"
 	"github.com/TecharoHQ/anubis/xess"
-	"github.com/a-h/templ"
 )

 type Options struct {
-	Next              http.Handler
-	Policy            *policy.ParsedConfig
-	Target            string
-	CookieDomain      string
-	CookieName        string
-	BasePrefix        string
-	WebmasterEmail    string
-	RedirectDomains   []string
-	PrivateKey        ed25519.PrivateKey
-	CookieExpiration  time.Duration
-	StripBasePrefix   bool
-	OpenGraph         config.OpenGraph
-	CookiePartitioned bool
-	ServeRobotsTXT    bool
+	Next                 http.Handler
+	Policy               *policy.ParsedConfig
+	Target               string
+	CookieDomain         string
+	CookieName           string
+	BasePrefix           string
+	WebmasterEmail       string
+	RedirectDomains      []string
+	PrivateKey           ed25519.PrivateKey
+	CookieExpiration     time.Duration
+	OGTimeToLive         time.Duration
+	StripBasePrefix      bool
+	OGCacheConsidersHost bool
+	OGPassthrough        bool
+	CookiePartitioned    bool
+	ServeRobotsTXT       bool
 }

 func LoadPoliciesOrDefault(ctx context.Context, fname string, defaultDifficulty int) (*policy.ParsedConfig, error) {
@@ -112,7 +112,7 @@ func New(opts Options) (*Server, error) {
 		policy:     opts.Policy,
 		opts:       opts,
 		DNSBLCache: decaymap.New[string, dnsbl.DroneBLResponse](),
-		OGTags:     ogtags.NewOGTagCache(opts.Target, opts.Policy.OpenGraph),
+		OGTags:     ogtags.NewOGTagCache(opts.Target, opts.OGPassthrough, opts.OGTimeToLive, opts.OGCacheConsidersHost),
 		cookieName: cookieName,
 	}

@@ -150,14 +150,6 @@ func New(opts Options) (*Server, error) {
 		}), "GET")
 	}

-	if opts.Policy.Impressum != nil {
-		registerWithPrefix(anubis.APIPrefix+"imprint", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			templ.Handler(
-				web.Base(opts.Policy.Impressum.Page.Title, opts.Policy.Impressum.Page, opts.Policy.Impressum),
-			).ServeHTTP(w, r)
-		}), "GET")
-	}
-
 	registerWithPrefix(anubis.APIPrefix+"pass-challenge", http.HandlerFunc(result.PassChallenge), "GET")
 	registerWithPrefix(anubis.APIPrefix+"check", http.HandlerFunc(result.maybeReverseProxyHttpStatusOnly), "")
 	registerWithPrefix("/", http.HandlerFunc(result.maybeReverseProxyOrPage), "")
--- a/lib/config_test.go
+++ b/lib/config_test.go
@@ -26,7 +26,7 @@ func TestBadConfigs(t *testing.T) {
 	for _, st := range finfos {
 		st := st
 		t.Run(st.Name(), func(t *testing.T) {
-			if _, err := LoadPoliciesOrDefault(t.Context(), filepath.Join("policy", "config", "testdata", "bad", st.Name()), anubis.DefaultDifficulty); err == nil {
+			if _, err := LoadPoliciesOrDefault(t.Context(), filepath.Join("policy", "config", "testdata", "good", st.Name()), anubis.DefaultDifficulty); err == nil {
 				t.Fatal(err)
 			} else {
 				t.Log(err)
--- a/lib/http.go
+++ b/lib/http.go
@@ -80,7 +80,7 @@ func (s *Server) RenderIndex(w http.ResponseWriter, r *http.Request, rule *polic
 	challengeStr := s.challengeFor(r, rule.Challenge.Difficulty)

 	var ogTags map[string]string = nil
-	if s.opts.OpenGraph.Enabled {
+	if s.opts.OGPassthrough {
 		var err error
 		ogTags, err = s.OGTags.GetOGTags(r.URL, r.Host)
 		if err != nil {
@@ -102,14 +102,7 @@ func (s *Server) RenderIndex(w http.ResponseWriter, r *http.Request, rule *polic
 		return
 	}

-	in := &challenge.IssueInput{
-		Impressum: s.policy.Impressum,
-		Rule:      rule,
-		Challenge: challengeStr,
-		OGTags:    ogTags,
-	}
-
-	component, err := impl.Issue(r, lg, in)
+	component, err := impl.Issue(r, lg, rule, challengeStr, ogTags)
 	if err != nil {
 		lg.Error("[unexpected] render failed, please open an issue", "err", err) // This is likely a bug in the template. Should never be triggered as CI tests for this.
 		s.respondWithError(w, r, "Internal Server Error: please contact the administrator and ask them to look for the logs around \"RenderIndex\"")
@@ -125,7 +118,7 @@ func (s *Server) RenderIndex(w http.ResponseWriter, r *http.Request, rule *polic

 func (s *Server) RenderBench(w http.ResponseWriter, r *http.Request) {
 	templ.Handler(
-		web.Base("Benchmarking Anubis!", web.Bench(), s.policy.Impressum),
+		web.Base("Benchmarking Anubis!", web.Bench()),
 	).ServeHTTP(w, r)
 }

@@ -134,7 +127,7 @@ func (s *Server) respondWithError(w http.ResponseWriter, r *http.Request, messag
 }

 func (s *Server) respondWithStatus(w http.ResponseWriter, r *http.Request, msg string, status int) {
-	templ.Handler(web.Base("Oh noes!", web.ErrorPage(msg, s.opts.WebmasterEmail), s.policy.Impressum), templ.WithStatus(status)).ServeHTTP(w, r)
+	templ.Handler(web.Base("Oh noes!", web.ErrorPage(msg, s.opts.WebmasterEmail)), templ.WithStatus(status)).ServeHTTP(w, r)
 }

 func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
@@ -187,7 +180,7 @@ func (s *Server) ServeHTTPNext(w http.ResponseWriter, r *http.Request) {
 		}

 		templ.Handler(
-			web.Base("You are not a bot!", web.StaticHappy(), s.policy.Impressum),
+			web.Base("You are not a bot!", web.StaticHappy()),
 		).ServeHTTP(w, r)
 	} else {
 		requestsProxied.WithLabelValues(r.Host).Inc()
--- a/lib/policy/celchecker.go
+++ b/lib/policy/celchecker.go
@@ -17,18 +17,47 @@ type CELChecker struct {
 }

 func NewCELChecker(cfg *config.ExpressionOrList) (*CELChecker, error) {
-	env, err := expressions.BotEnvironment()
+	env, err := expressions.NewEnvironment()
 	if err != nil {
 		return nil, err
 	}

-	program, err := expressions.Compile(env, cfg.String())
+	var src string
+	var ast *cel.Ast
+
+	if cfg.Expression != "" {
+		src = cfg.Expression
+		var iss *cel.Issues
+		intermediate, iss := env.Compile(src)
+		if iss != nil {
+			return nil, iss.Err()
+		}
+
+		ast, iss = env.Check(intermediate)
+		if iss != nil {
+			return nil, iss.Err()
+		}
+	}
+
+	if len(cfg.All) != 0 {
+		ast, err = expressions.Join(env, expressions.JoinAnd, cfg.All...)
+	}
+
+	if len(cfg.Any) != 0 {
+		ast, err = expressions.Join(env, expressions.JoinOr, cfg.Any...)
+	}
+
+	if err != nil {
+		return nil, err
+	}
+
+	program, err := expressions.Compile(env, ast)
 	if err != nil {
 		return nil, fmt.Errorf("can't compile CEL program: %w", err)
 	}

 	return &CELChecker{
-		src:     cfg.String(),
+		src:     src,
 		program: program,
 	}, nil
 }
--- a/lib/policy/config/asn_test.go
+++ b/lib/policy/config/asn_test.go
@@ -1,55 +0,0 @@
-package config
-
-import (
-	"errors"
-	"fmt"
-	"testing"
-)
-
-func TestASNsValid(t *testing.T) {
-	for _, tt := range []struct {
-		name  string
-		input *ASNs
-		err   error
-	}{
-		{
-			name: "basic valid",
-			input: &ASNs{
-				Match: []uint32{13335}, // Cloudflare
-			},
-		},
-		{
-			name: "private ASN",
-			input: &ASNs{
-				Match: []uint32{64513, 4206942069}, // 16 and 32 bit private ASN
-			},
-			err: ErrPrivateASN,
-		},
-	} {
-		t.Run(tt.name, func(t *testing.T) {
-			if err := tt.input.Valid(); !errors.Is(err, tt.err) {
-				t.Logf("want: %v", tt.err)
-				t.Logf("got:  %v", err)
-				t.Error("got wrong validation error")
-			}
-		})
-	}
-}
-
-func TestIsPrivateASN(t *testing.T) {
-	for _, tt := range []struct {
-		input  uint32
-		output bool
-	}{
-		{13335, false},     // Cloudflare
-		{64513, true},      // 16 bit private ASN
-		{4206942069, true}, // 32 bit private ASN
-	} {
-		t.Run(fmt.Sprint(tt.input, "->", tt.output), func(t *testing.T) {
-			result := isPrivateASN(tt.input)
-			if result != tt.output {
-				t.Errorf("wanted isPrivateASN(%d) == %v, got: %v", tt.input, tt.output, result)
-			}
-		})
-	}
-}
--- a/lib/policy/config/config.go
+++ b/lib/policy/config/config.go
@@ -10,7 +10,6 @@ import (
 	"os"
 	"regexp"
 	"strings"
-	"time"

 	"github.com/TecharoHQ/anubis/data"
 	"k8s.io/apimachinery/pkg/util/yaml"
@@ -44,15 +43,6 @@ const (
 	RuleBenchmark Rule = "DEBUG_BENCHMARK"
 )

-func (r Rule) Valid() error {
-	switch r {
-	case RuleAllow, RuleDeny, RuleChallenge, RuleWeigh, RuleBenchmark:
-		return nil
-	default:
-		return ErrUnknownAction
-	}
-}
-
 const DefaultAlgorithm = "fast"

 type BotConfig struct {
@@ -194,18 +184,13 @@ type ChallengeRules struct {
 }

 var (
-	ErrChallengeDifficultyTooLow  = errors.New("config.ChallengeRules: difficulty is too low (must be >= 1)")
-	ErrChallengeDifficultyTooHigh = errors.New("config.ChallengeRules: difficulty is too high (must be <= 64)")
-	ErrChallengeMustHaveAlgorithm = errors.New("config.ChallengeRules: must have algorithm name set")
+	ErrChallengeDifficultyTooLow  = errors.New("config.Bot.ChallengeRules: difficulty is too low (must be >= 1)")
+	ErrChallengeDifficultyTooHigh = errors.New("config.Bot.ChallengeRules: difficulty is too high (must be <= 64)")
 )

 func (cr ChallengeRules) Valid() error {
 	var errs []error

-	if cr.Algorithm == "" {
-		errs = append(errs, ErrChallengeMustHaveAlgorithm)
-	}
-
 	if cr.Difficulty < 1 {
 		errs = append(errs, fmt.Errorf("%w, got: %d", ErrChallengeDifficultyTooLow, cr.Difficulty))
 	}
@@ -324,29 +309,20 @@ func (sc StatusCodes) Valid() error {
 }

 type fileConfig struct {
-	Bots        []BotOrImport       `json:"bots"`
-	DNSBL       bool                `json:"dnsbl"`
-	OpenGraph   openGraphFileConfig `json:"openGraph,omitempty"`
-	Impressum   *Impressum          `json:"impressum,omitempty"`
-	StatusCodes StatusCodes         `json:"status_codes"`
-	Thresholds  []Threshold         `json:"thresholds"`
+	Bots        []BotOrImport `json:"bots"`
+	DNSBL       bool          `json:"dnsbl"`
+	StatusCodes StatusCodes   `json:"status_codes"`
 }

-func (c *fileConfig) Valid() error {
+func (c fileConfig) Valid() error {
 	var errs []error

 	if len(c.Bots) == 0 {
 		errs = append(errs, ErrNoBotRulesDefined)
 	}

-	for i, b := range c.Bots {
+	for _, b := range c.Bots {
 		if err := b.Valid(); err != nil {
-			errs = append(errs, fmt.Errorf("bot %d: %w", i, err))
-		}
-	}
-
-	if c.OpenGraph.Enabled {
-		if err := c.OpenGraph.Valid(); err != nil {
 			errs = append(errs, err)
 		}
 	}
@@ -355,12 +331,6 @@ func (c *fileConfig) Valid() error {
 		errs = append(errs, err)
 	}

-	for i, t := range c.Thresholds {
-		if err := t.Valid(); err != nil {
-			errs = append(errs, fmt.Errorf("threshold %d: %w", i, err))
-		}
-	}
-
 	if len(errs) != 0 {
 		return fmt.Errorf("config is not valid:\n%w", errors.Join(errs...))
 	}
@@ -369,13 +339,11 @@ func (c *fileConfig) Valid() error {
 }

 func Load(fin io.Reader, fname string) (*Config, error) {
-	c := &fileConfig{
-		StatusCodes: StatusCodes{
-			Challenge: http.StatusOK,
-			Deny:      http.StatusOK,
-		},
+	var c fileConfig
+	c.StatusCodes = StatusCodes{
+		Challenge: http.StatusOK,
+		Deny:      http.StatusOK,
 	}
-
 	if err := yaml.NewYAMLToJSONDecoder(fin).Decode(&c); err != nil {
 		return nil, fmt.Errorf("can't parse policy config YAML %s: %w", fname, err)
 	}
@@ -385,21 +353,10 @@ func Load(fin io.Reader, fname string) (*Config, error) {
 	}

 	result := &Config{
-		DNSBL: c.DNSBL,
-		OpenGraph: OpenGraph{
-			Enabled:      c.OpenGraph.Enabled,
-			ConsiderHost: c.OpenGraph.ConsiderHost,
-			Override:     c.OpenGraph.Override,
-		},
+		DNSBL:       c.DNSBL,
 		StatusCodes: c.StatusCodes,
 	}

-	if c.OpenGraph.TimeToLive != "" {
-		// XXX(Xe): already validated in Valid()
-		ogTTL, _ := time.ParseDuration(c.OpenGraph.TimeToLive)
-		result.OpenGraph.TimeToLive = ogTTL
-	}
-
 	var validationErrs []error

 	for _, boi := range c.Bots {
@@ -422,27 +379,6 @@ func Load(fin io.Reader, fname string) (*Config, error) {
 		}
 	}

-	if c.Impressum != nil {
-		if err := c.Impressum.Valid(); err != nil {
-			validationErrs = append(validationErrs, err)
-		}
-
-		result.Impressum = c.Impressum
-	}
-
-	if len(c.Thresholds) == 0 {
-		c.Thresholds = DefaultThresholds
-	}
-
-	for _, t := range c.Thresholds {
-		if err := t.Valid(); err != nil {
-			validationErrs = append(validationErrs, err)
-			continue
-		}
-
-		result.Thresholds = append(result.Thresholds, t)
-	}
-
 	if len(validationErrs) > 0 {
 		return nil, fmt.Errorf("errors validating policy config %s: %w", fname, errors.Join(validationErrs...))
 	}
@@ -452,10 +388,7 @@ func Load(fin io.Reader, fname string) (*Config, error) {

 type Config struct {
 	Bots        []BotConfig
-	Thresholds  []Threshold
 	DNSBL       bool
-	Impressum   *Impressum
-	OpenGraph   OpenGraph
 	StatusCodes StatusCodes
 }

--- a/lib/policy/config/config_test.go
+++ b/lib/policy/config/config_test.go
@@ -8,6 +8,7 @@ import (
 	"testing"

 	"github.com/TecharoHQ/anubis/data"
+	"k8s.io/apimachinery/pkg/util/yaml"
 )

 func p[V any](v V) *V { return &v }
@@ -312,8 +313,12 @@ func TestConfigValidBad(t *testing.T) {
 			}
 			defer fin.Close()

-			_, err = Load(fin, filepath.Join("testdata", "bad", st.Name()))
-			if err == nil {
+			var c fileConfig
+			if err := yaml.NewYAMLToJSONDecoder(fin).Decode(&c); err != nil {
+				t.Fatalf("can't decode file: %v", err)
+			}
+
+			if err := c.Valid(); err == nil {
 				t.Fatal("validation should have failed but didn't somehow")
 			} else {
 				t.Log(err)
--- a/lib/policy/config/expressionorlist.go
+++ b/lib/policy/config/expressionorlist.go
@@ -3,9 +3,7 @@ package config
 import (
 	"encoding/json"
 	"errors"
-	"fmt"
 	"slices"
-	"strings"
 )

 var (
@@ -20,32 +18,6 @@ type ExpressionOrList struct {
 	Any        []string `json:"any,omitempty" yaml:"any,omitempty"`
 }

-func (eol ExpressionOrList) String() string {
-	switch {
-	case len(eol.Expression) != 0:
-		return eol.Expression
-	case len(eol.All) != 0:
-		var sb strings.Builder
-		for i, pred := range eol.All {
-			if i != 0 {
-				fmt.Fprintf(&sb, " && ")
-			}
-			fmt.Fprintf(&sb, "( %s )", pred)
-		}
-		return sb.String()
-	case len(eol.Any) != 0:
-		var sb strings.Builder
-		for i, pred := range eol.Any {
-			if i != 0 {
-				fmt.Fprintf(&sb, " || ")
-			}
-			fmt.Fprintf(&sb, "( %s )", pred)
-		}
-		return sb.String()
-	}
-	panic("this should not happen")
-}
-
 func (eol ExpressionOrList) Equal(rhs *ExpressionOrList) bool {
 	if eol.Expression != rhs.Expression {
 		return false
--- a/lib/policy/config/expressionorlist_test.go
+++ b/lib/policy/config/expressionorlist_test.go
@@ -213,54 +213,3 @@ func TestExpressionOrListUnmarshalJSON(t *testing.T) {
 		})
 	}
 }
-
-func TestExpressionOrListString(t *testing.T) {
-	for _, tt := range []struct {
-		name string
-		in   ExpressionOrList
-		out  string
-	}{
-		{
-			name: "single expression",
-			in: ExpressionOrList{
-				Expression: "true",
-			},
-			out: "true",
-		},
-		{
-			name: "all",
-			in: ExpressionOrList{
-				All: []string{"true"},
-			},
-			out: "( true )",
-		},
-		{
-			name: "all with &&",
-			in: ExpressionOrList{
-				All: []string{"true", "true"},
-			},
-			out: "( true ) && ( true )",
-		},
-		{
-			name: "any",
-			in: ExpressionOrList{
-				All: []string{"true"},
-			},
-			out: "( true )",
-		},
-		{
-			name: "any with ||",
-			in: ExpressionOrList{
-				Any: []string{"true", "true"},
-			},
-			out: "( true ) || ( true )",
-		},
-	} {
-		t.Run(tt.name, func(t *testing.T) {
-			result := tt.in.String()
-			if result != tt.out {
-				t.Errorf("wanted %q, got: %q", tt.out, result)
-			}
-		})
-	}
-}
--- a/lib/policy/config/geoip.go
+++ b/lib/policy/config/geoip.go
@@ -8,7 +8,7 @@ import (
 )

 var (
-	countryCodeRegexp = regexp.MustCompile(`^[a-zA-Z]{2}$`)
+	countryCodeRegexp = regexp.MustCompile(`^\w{2}$`)

 	ErrNotCountryCode = errors.New("config.Bot: invalid country code")
 )
--- a/lib/policy/config/geoip_test.go
+++ b/lib/policy/config/geoip_test.go
@@ -1,36 +0,0 @@
-package config
-
-import (
-	"errors"
-	"testing"
-)
-
-func TestGeoIPValid(t *testing.T) {
-	for _, tt := range []struct {
-		name  string
-		input *GeoIP
-		err   error
-	}{
-		{
-			name: "basic valid",
-			input: &GeoIP{
-				Countries: []string{"CA"},
-			},
-		},
-		{
-			name: "invalid country",
-			input: &GeoIP{
-				Countries: []string{"XOB"},
-			},
-			err: ErrNotCountryCode,
-		},
-	} {
-		t.Run(tt.name, func(t *testing.T) {
-			if err := tt.input.Valid(); !errors.Is(err, tt.err) {
-				t.Logf("want: %v", tt.err)
-				t.Logf("got:  %v", err)
-				t.Error("got wrong validation error")
-			}
-		})
-	}
-}
--- a/lib/policy/config/impressum.go
+++ b/lib/policy/config/impressum.go
@@ -1,71 +0,0 @@
-package config
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"io"
-)
-
-var ErrMissingValue = errors.New("config: missing value")
-
-type Impressum struct {
-	Footer string        `json:"footer" yaml:"footer"`
-	Page   ImpressumPage `json:"page" yaml:"page"`
-}
-
-func (i Impressum) Render(_ context.Context, w io.Writer) error {
-	if _, err := fmt.Fprint(w, i.Footer); err != nil {
-		return err
-	}
-	return nil
-}
-
-func (i Impressum) Valid() error {
-	var errs []error
-
-	if len(i.Footer) == 0 {
-		errs = append(errs, fmt.Errorf("%w: impressum footer must be defined", ErrMissingValue))
-	}
-
-	if err := i.Page.Valid(); err != nil {
-		errs = append(errs, err)
-	}
-
-	if len(errs) != 0 {
-		return errors.Join(errs...)
-	}
-
-	return nil
-}
-
-type ImpressumPage struct {
-	Title string `json:"title" yaml:"title"`
-	Body  string `json:"body" yaml:"body"`
-}
-
-func (ip ImpressumPage) Render(_ context.Context, w io.Writer) error {
-	if _, err := fmt.Fprint(w, ip.Body); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (ip ImpressumPage) Valid() error {
-	var errs []error
-
-	if len(ip.Title) == 0 {
-		errs = append(errs, fmt.Errorf("%w: impressum page title must be defined", ErrMissingValue))
-	}
-
-	if len(ip.Body) == 0 {
-		errs = append(errs, fmt.Errorf("%w: impressum body title must be defined", ErrMissingValue))
-	}
-
-	if len(errs) != 0 {
-		return errors.Join(errs...)
-	}
-
-	return nil
-}
--- a/lib/policy/config/impressum_test.go
+++ b/lib/policy/config/impressum_test.go
@@ -1,62 +0,0 @@
-package config
-
-import (
-	"bytes"
-	"errors"
-	"testing"
-)
-
-func TestImpressumValid(t *testing.T) {
-	for _, cs := range []struct {
-		name string
-		inp  Impressum
-		err  error
-	}{
-		{
-			name: "basic happy path",
-			inp: Impressum{
-				Footer: "<p>Website hosted by Techaro.<p>",
-				Page: ImpressumPage{
-					Title: "Techaro Imprint",
-					Body:  "<p>This is an imprint page.</p>",
-				},
-			},
-			err: nil,
-		},
-		{
-			name: "no footer",
-			inp: Impressum{
-				Footer: "",
-				Page: ImpressumPage{
-					Title: "Techaro Imprint",
-					Body:  "<p>This is an imprint page.</p>",
-				},
-			},
-			err: ErrMissingValue,
-		},
-		{
-			name: "page not valid",
-			inp: Impressum{
-				Footer: "test page please ignore",
-			},
-			err: ErrMissingValue,
-		},
-	} {
-		t.Run(cs.name, func(t *testing.T) {
-			if err := cs.inp.Valid(); !errors.Is(err, cs.err) {
-				t.Logf("want: %v", cs.err)
-				t.Logf("got:  %v", err)
-				t.Error("validation failed")
-			}
-
-			var buf bytes.Buffer
-			if err := cs.inp.Render(t.Context(), &buf); err != nil {
-				t.Errorf("can't render footer: %v", err)
-			}
-
-			if err := cs.inp.Page.Render(t.Context(), &buf); err != nil {
-				t.Errorf("can't render page: %v", err)
-			}
-		})
-	}
-}
--- a/lib/policy/config/opengraph.go
+++ b/lib/policy/config/opengraph.go
@@ -1,51 +0,0 @@
-package config
-
-import (
-	"errors"
-	"fmt"
-	"time"
-)
-
-var (
-	ErrInvalidOpenGraphConfig   = errors.New("config.OpenGraph: invalid OpenGraph configuration")
-	ErrOpenGraphTTLDoesNotParse = errors.New("config.OpenGraph: ttl does not parse as a Duration, see https://pkg.go.dev/time#ParseDuration (formatted like 5m -> 5 minutes, 2h -> 2 hours, etc)")
-	ErrOpenGraphMissingProperty = errors.New("config.OpenGraph: default opengraph tags missing a property")
-)
-
-type openGraphFileConfig struct {
-	Enabled      bool              `json:"enabled" yaml:"enabled"`
-	ConsiderHost bool              `json:"considerHost" yaml:"enabled"`
-	TimeToLive   string            `json:"ttl" yaml:"ttl"`
-	Override     map[string]string `json:"override,omitempty" yaml:"override,omitempty"`
-}
-
-type OpenGraph struct {
-	Enabled      bool              `json:"enabled" yaml:"enabled"`
-	ConsiderHost bool              `json:"considerHost" yaml:"enabled"`
-	Override     map[string]string `json:"override,omitempty" yaml:"override,omitempty"`
-	TimeToLive   time.Duration     `json:"ttl" yaml:"ttl"`
-}
-
-func (og *openGraphFileConfig) Valid() error {
-	var errs []error
-
-	if _, err := time.ParseDuration(og.TimeToLive); err != nil {
-		errs = append(errs, fmt.Errorf("%w: ParseDuration(%q) returned: %w", ErrOpenGraphTTLDoesNotParse, og.TimeToLive, err))
-	}
-
-	if len(og.Override) != 0 {
-		for _, tag := range []string{
-			"og:title",
-		} {
-			if _, ok := og.Override[tag]; !ok {
-				errs = append(errs, fmt.Errorf("%w: %s", ErrOpenGraphMissingProperty, tag))
-			}
-		}
-	}
-
-	if len(errs) != 0 {
-		return errors.Join(ErrInvalidOpenGraphConfig, errors.Join(errs...))
-	}
-
-	return nil
-}
--- a/lib/policy/config/opengraph_test.go
+++ b/lib/policy/config/opengraph_test.go
@@ -1,67 +0,0 @@
-package config
-
-import (
-	"errors"
-	"testing"
-)
-
-func TestOpenGraphFileConfigValid(t *testing.T) {
-	for _, tt := range []struct {
-		name  string
-		input *openGraphFileConfig
-		err   error
-	}{
-		{
-			name: "basic happy path",
-			input: &openGraphFileConfig{
-				Enabled:      true,
-				ConsiderHost: false,
-				TimeToLive:   "1h",
-				Override:     map[string]string{},
-			},
-			err: nil,
-		},
-		{
-			name: "basic happy path with default",
-			input: &openGraphFileConfig{
-				Enabled:      true,
-				ConsiderHost: false,
-				TimeToLive:   "1h",
-				Override: map[string]string{
-					"og:title": "foobar",
-				},
-			},
-			err: nil,
-		},
-		{
-			name: "invalid time duration",
-			input: &openGraphFileConfig{
-				Enabled:      true,
-				ConsiderHost: false,
-				TimeToLive:   "taco",
-				Override:     map[string]string{},
-			},
-			err: ErrOpenGraphTTLDoesNotParse,
-		},
-		{
-			name: "missing og:title in defaults",
-			input: &openGraphFileConfig{
-				Enabled:      true,
-				ConsiderHost: false,
-				TimeToLive:   "1h",
-				Override: map[string]string{
-					"description": "foobar",
-				},
-			},
-			err: ErrOpenGraphMissingProperty,
-		},
-	} {
-		t.Run(tt.name, func(t *testing.T) {
-			if err := tt.input.Valid(); !errors.Is(err, tt.err) {
-				t.Logf("wanted error: %v", tt.err)
-				t.Logf("got error:    %v", err)
-				t.Error("validation failed")
-			}
-		})
-	}
-}
--- a/lib/policy/config/testdata/bad/impressum-no-footer.yaml
+++ b/lib/policy/config/testdata/bad/impressum-no-footer.yaml
@@ -1,11 +0,0 @@
-bots:
-  - name: simple-weight-adjust
-    action: WEIGH
-    user_agent_regex: Mozilla
-    weight:
-      adjust: 5
-
-impressum:
-  page:
-    title: Test
-    body: <p>This is a test</p>
--- a/lib/policy/config/testdata/bad/impressum-no-page-contents.yaml
+++ b/lib/policy/config/testdata/bad/impressum-no-page-contents.yaml
@@ -1,10 +0,0 @@
-bots:
-  - name: simple-weight-adjust
-    action: WEIGH
-    user_agent_regex: Mozilla
-    weight:
-      adjust: 5
-
-impressum:
-  footer: "Hi there these are WORDS on the INTERNET."
-  page: {}
--- a/lib/policy/config/testdata/bad/opengraph_bad_ttl.yaml
+++ b/lib/policy/config/testdata/bad/opengraph_bad_ttl.yaml
@@ -1,12 +0,0 @@
-bots:
-  - name: everything
-    user_agent_regex: .*
-    action: DENY
-
-openGraph:
-  enabled: true
-  considerHost: false
-  ttl: taco
-  default:
-    "og:title": "Xe's magic land of fun"
-    "og:description": "We're no strangers to love, you know the rules and so do I"
--- a/lib/policy/config/testdata/bad/threshold-challenge-without-challenge.yaml
+++ b/lib/policy/config/testdata/bad/threshold-challenge-without-challenge.yaml
@@ -1,11 +0,0 @@
-bots:
-  - name: simple-weight-adjust
-    action: WEIGH
-    user_agent_regex: Mozilla
-    weight:
-      adjust: 5
-
-thresholds:
-  - name: extreme-suspicion
-    expression: "true"
-    action: WEIGH
--- a/lib/policy/config/testdata/bad/thresholds.yaml
+++ b/lib/policy/config/testdata/bad/thresholds.yaml
@@ -1,15 +0,0 @@
-bots:
-  - name: simple-weight-adjust
-    action: WEIGH
-    user_agent_regex: Mozilla
-    weight:
-      adjust: 5
-
-thresholds:
-  - name: extreme-suspicion
-    expression: "true"
-    action: WEIGH
-    challenge:
-      algorithm: fast
-      difficulty: 4
-      report_as: 4
--- a/lib/policy/config/testdata/bad/unparseable.json
+++ b/lib/policy/config/testdata/bad/unparseable.json
@@ -1 +0,0 @@
-}
--- a/lib/policy/config/testdata/bad/unparseable.yaml
+++ b/lib/policy/config/testdata/bad/unparseable.yaml
@@ -1 +0,0 @@
-}
--- a/lib/policy/config/testdata/good/impressum.yaml
+++ b/lib/policy/config/testdata/good/impressum.yaml
@@ -1,10 +0,0 @@
-bots:
-  - name: simple
-    action: CHALLENGE
-    user_agent_regex: Mozilla
-
-impressum:
-  footer: "Hi these are WORDS on the INTERNET."
-  page:
-    title: Test
-    body: <p>This is a test</p>
--- a/lib/policy/config/testdata/good/no-thresholds.yaml
+++ b/lib/policy/config/testdata/good/no-thresholds.yaml
@@ -1,8 +0,0 @@
-bots:
-  - name: simple-weight-adjust
-    action: WEIGH
-    user_agent_regex: Mozilla
-    weight:
-      adjust: 5
-
-thresholds: []
--- a/lib/policy/config/testdata/good/opengraph_all_good.yaml
+++ b/lib/policy/config/testdata/good/opengraph_all_good.yaml
@@ -1,12 +0,0 @@
-bots:
-  - name: everything
-    user_agent_regex: .*
-    action: DENY
-
-openGraph:
-  enabled: true
-  considerHost: false
-  ttl: 1h
-  default:
-    "og:title": "Xe's magic land of fun"
-    "og:description": "We're no strangers to love, you know the rules and so do I"
--- a/lib/policy/config/testdata/good/thresholds.yaml
+++ b/lib/policy/config/testdata/good/thresholds.yaml
@@ -1,38 +0,0 @@
-bots:
-  - name: simple-weight-adjust
-    action: WEIGH
-    user_agent_regex: Mozilla
-    weight:
-      adjust: 5
-
-thresholds:
-  - name: minimal-suspicion
-    expression: weight < 0
-    action: ALLOW
-  - name: mild-suspicion
-    expression:
-      all:
-        - weight >= 0
-        - weight < 10
-    action: CHALLENGE
-    challenge:
-      algorithm: metarefresh
-      difficulty: 1
-      report_as: 1
-  - name: moderate-suspicion
-    expression:
-      all:
-        - weight >= 10
-        - weight < 20
-    action: CHALLENGE
-    challenge:
-      algorithm: fast
-      difficulty: 2
-      report_as: 2
-  - name: extreme-suspicion
-    expression: weight >= 20
-    action: CHALLENGE
-    challenge:
-      algorithm: fast
-      difficulty: 4
-      report_as: 4
--- a/lib/policy/config/threshold.go
+++ b/lib/policy/config/threshold.go
@@ -1,80 +0,0 @@
-package config
-
-import (
-	"errors"
-	"fmt"
-
-	"github.com/TecharoHQ/anubis"
-)
-
-var (
-	ErrNoThresholdRulesDefined             = errors.New("config: no thresholds defined")
-	ErrThresholdMustHaveName               = errors.New("config.Threshold: must set name")
-	ErrThresholdMustHaveExpression         = errors.New("config.Threshold: must set expression")
-	ErrThresholdChallengeMustHaveChallenge = errors.New("config.Threshold: a threshold with the CHALLENGE action must have challenge set")
-	ErrThresholdCannotHaveWeighAction      = errors.New("config.Threshold: a threshold cannot have the WEIGH action")
-
-	DefaultThresholds = []Threshold{
-		{
-			Name: "legacy-anubis-behaviour",
-			Expression: &ExpressionOrList{
-				Expression: "weight > 0",
-			},
-			Action: RuleChallenge,
-			Challenge: &ChallengeRules{
-				Algorithm:  "fast",
-				Difficulty: anubis.DefaultDifficulty,
-				ReportAs:   anubis.DefaultDifficulty,
-			},
-		},
-	}
-)
-
-type Threshold struct {
-	Name       string            `json:"name" yaml:"name"`
-	Expression *ExpressionOrList `json:"expression" yaml:"expression"`
-	Action     Rule              `json:"action" yaml:"action"`
-	Challenge  *ChallengeRules   `json:"challenge" yaml:"challenge"`
-}
-
-func (t Threshold) Valid() error {
-	var errs []error
-
-	if len(t.Name) == 0 {
-		errs = append(errs, ErrThresholdMustHaveName)
-	}
-
-	if t.Expression == nil {
-		errs = append(errs, ErrThresholdMustHaveExpression)
-	}
-
-	if t.Expression != nil {
-		if err := t.Expression.Valid(); err != nil {
-			errs = append(errs, err)
-		}
-	}
-
-	if err := t.Action.Valid(); err != nil {
-		errs = append(errs, err)
-	}
-
-	if t.Action == RuleWeigh {
-		errs = append(errs, ErrThresholdCannotHaveWeighAction)
-	}
-
-	if t.Action == RuleChallenge && t.Challenge == nil {
-		errs = append(errs, ErrThresholdChallengeMustHaveChallenge)
-	}
-
-	if t.Challenge != nil {
-		if err := t.Challenge.Valid(); err != nil {
-			errs = append(errs, err)
-		}
-	}
-
-	if len(errs) != 0 {
-		return fmt.Errorf("config: threshold entry for %q is not valid:\n%w", t.Name, errors.Join(errs...))
-	}
-
-	return nil
-}
--- a/lib/policy/config/threshold_test.go
+++ b/lib/policy/config/threshold_test.go
@@ -1,111 +0,0 @@
-package config
-
-import (
-	"errors"
-	"fmt"
-	"os"
-	"path/filepath"
-	"testing"
-)
-
-func TestThresholdValid(t *testing.T) {
-	for _, tt := range []struct {
-		name  string
-		input *Threshold
-		err   error
-	}{
-		{
-			name: "basic allow",
-			input: &Threshold{
-				Name:       "basic-allow",
-				Expression: &ExpressionOrList{Expression: "true"},
-				Action:     RuleAllow,
-			},
-			err: nil,
-		},
-		{
-			name: "basic challenge",
-			input: &Threshold{
-				Name:       "basic-challenge",
-				Expression: &ExpressionOrList{Expression: "true"},
-				Action:     RuleChallenge,
-				Challenge: &ChallengeRules{
-					Algorithm:  "fast",
-					Difficulty: 1,
-					ReportAs:   1,
-				},
-			},
-			err: nil,
-		},
-		{
-			name:  "no name",
-			input: &Threshold{},
-			err:   ErrThresholdMustHaveName,
-		},
-		{
-			name:  "no expression",
-			input: &Threshold{},
-			err:   ErrThresholdMustHaveName,
-		},
-		{
-			name: "invalid expression",
-			input: &Threshold{
-				Expression: &ExpressionOrList{},
-			},
-			err: ErrExpressionEmpty,
-		},
-		{
-			name:  "invalid action",
-			input: &Threshold{},
-			err:   ErrUnknownAction,
-		},
-		{
-			name: "challenge action but no challenge",
-			input: &Threshold{
-				Action: RuleChallenge,
-			},
-			err: ErrThresholdChallengeMustHaveChallenge,
-		},
-		{
-			name: "challenge invalid",
-			input: &Threshold{
-				Action:    RuleChallenge,
-				Challenge: &ChallengeRules{Difficulty: 0, ReportAs: 0},
-			},
-			err: ErrChallengeDifficultyTooLow,
-		},
-	} {
-		t.Run(tt.name, func(t *testing.T) {
-			if err := tt.input.Valid(); !errors.Is(err, tt.err) {
-				t.Errorf("threshold is invalid: %v", err)
-			}
-		})
-	}
-}
-
-func TestDefaultThresholdsValid(t *testing.T) {
-	for i, th := range DefaultThresholds {
-		t.Run(fmt.Sprintf("%d %s", i, th.Name), func(t *testing.T) {
-			if err := th.Valid(); err != nil {
-				t.Errorf("threshold invalid: %v", err)
-			}
-		})
-	}
-}
-
-func TestLoadActuallyLoadsThresholds(t *testing.T) {
-	fin, err := os.Open(filepath.Join(".", "testdata", "good", "thresholds.yaml"))
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer fin.Close()
-
-	c, err := Load(fin, fin.Name())
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if len(c.Thresholds) != 4 {
-		t.Errorf("wanted 4 thresholds, got %d thresholds", len(c.Thresholds))
-	}
-}
--- a/lib/policy/expressions/environment.go
+++ b/lib/policy/expressions/environment.go
@@ -9,32 +9,12 @@ import (
 	"github.com/google/cel-go/ext"
 )

-// BotEnvironment creates a new CEL environment, this is the set of
+// NewEnvironment creates a new CEL environment, this is the set of
 // variables and functions that are passed into the CEL scope so that
 // Anubis can fail loudly and early when something is invalid instead
 // of blowing up at runtime.
-func BotEnvironment() (*cel.Env, error) {
-	return New(
-		// Variables exposed to CEL programs:
-		cel.Variable("remoteAddress", cel.StringType),
-		cel.Variable("host", cel.StringType),
-		cel.Variable("method", cel.StringType),
-		cel.Variable("userAgent", cel.StringType),
-		cel.Variable("path", cel.StringType),
-		cel.Variable("query", cel.MapType(cel.StringType, cel.StringType)),
-		cel.Variable("headers", cel.MapType(cel.StringType, cel.StringType)),
-	)
-}
-
-// NewThreshold creates a new CEL environment for threshold checking.
-func ThresholdEnvironment() (*cel.Env, error) {
-	return New(
-		cel.Variable("weight", cel.IntType),
-	)
-}
-
-func New(opts ...cel.EnvOption) (*cel.Env, error) {
-	args := []cel.EnvOption{
+func NewEnvironment() (*cel.Env, error) {
+	return cel.NewEnv(
 		ext.Strings(
 			ext.StringsLocale("en_US"),
 			ext.StringsValidateFormatCalls(true),
@@ -43,7 +23,16 @@ func New(opts ...cel.EnvOption) (*cel.Env, error) {
 		// default all timestamps to UTC
 		cel.DefaultUTCTimeZone(true),

-		// Functions exposed to all CEL programs:
+		// Variables exposed to CEL programs:
+		cel.Variable("remoteAddress", cel.StringType),
+		cel.Variable("host", cel.StringType),
+		cel.Variable("method", cel.StringType),
+		cel.Variable("userAgent", cel.StringType),
+		cel.Variable("path", cel.StringType),
+		cel.Variable("query", cel.MapType(cel.StringType, cel.StringType)),
+		cel.Variable("headers", cel.MapType(cel.StringType, cel.StringType)),
+
+		// Functions exposed to CEL programs:
 		cel.Function("randInt",
 			cel.Overload("randInt_int",
 				[]*cel.Type{cel.IntType},
@@ -58,25 +47,12 @@ func New(opts ...cel.EnvOption) (*cel.Env, error) {
 				}),
 			),
 		),
-	}
-
-	args = append(args, opts...)
-	return cel.NewEnv(args...)
+	)
 }

 // Compile takes CEL environment and syntax tree then emits an optimized
 // Program for execution.
-func Compile(env *cel.Env, src string) (cel.Program, error) {
-	intermediate, iss := env.Compile(src)
-	if iss != nil {
-		return nil, iss.Err()
-	}
-
-	ast, iss := env.Check(intermediate)
-	if iss != nil {
-		return nil, iss.Err()
-	}
-
+func Compile(env *cel.Env, ast *cel.Ast) (cel.Program, error) {
 	return env.Program(
 		ast,
 		cel.EvalOptions(
--- a/lib/policy/expressions/join.go
+++ b/lib/policy/expressions/join.go
@@ -0,0 +1,104 @@
+package expressions
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+
+	"github.com/google/cel-go/cel"
+)
+
+// JoinOperator is a type wrapper for and/or operators.
+//
+// This is a separate type so that validation can be done at the type level.
+type JoinOperator string
+
+// Possible values for JoinOperator
+const (
+	JoinAnd JoinOperator = "&&"
+	JoinOr  JoinOperator = "||"
+)
+
+// Valid ensures that JoinOperator is semantically valid.
+func (jo JoinOperator) Valid() error {
+	switch jo {
+	case JoinAnd, JoinOr:
+		return nil
+	default:
+		return ErrWrongJoinOperator
+	}
+}
+
+var (
+	ErrWrongJoinOperator = errors.New("expressions: invalid join operator")
+	ErrNoExpressions     = errors.New("expressions: cannot join zero expressions")
+	ErrCantCompile       = errors.New("expressions: can't compile one expression")
+)
+
+// JoinClauses joins a list of compiled clauses into one big if statement.
+//
+// Imagine the following two clauses:
+//
+//	ball.color == "red"
+//	ball.shape == "round"
+//
+// JoinClauses would emit one "joined" clause such as:
+//
+//	( ball.color == "red" ) && ( ball.shape == "round" )
+func JoinClauses(env *cel.Env, operator JoinOperator, clauses ...*cel.Ast) (*cel.Ast, error) {
+	if err := operator.Valid(); err != nil {
+		return nil, fmt.Errorf("%w: wanted && or ||, got: %q", err, operator)
+	}
+
+	switch len(clauses) {
+	case 0:
+		return nil, ErrNoExpressions
+	case 1:
+		return clauses[0], nil
+	}
+
+	var exprs []string
+	var errs []error
+
+	for _, clause := range clauses {
+		clauseStr, err := cel.AstToString(clause)
+		if err != nil {
+			errs = append(errs, err)
+			continue
+		}
+
+		exprs = append(exprs, "( "+clauseStr+" )")
+	}
+
+	if len(errs) != 0 {
+		return nil, fmt.Errorf("errors while decompiling statements: %w", errors.Join(errs...))
+	}
+
+	statement := strings.Join(exprs, " "+string(operator)+" ")
+	result, iss := env.Compile(statement)
+	if iss != nil {
+		return nil, iss.Err()
+	}
+
+	return result, nil
+}
+
+func Join(env *cel.Env, operator JoinOperator, clauses ...string) (*cel.Ast, error) {
+	var statements []*cel.Ast
+	var errs []error
+
+	for _, clause := range clauses {
+		stmt, iss := env.Compile(clause)
+		if iss != nil && iss.Err() != nil {
+			errs = append(errs, fmt.Errorf("%w: %q gave: %w", ErrCantCompile, clause, iss.Err()))
+			continue
+		}
+		statements = append(statements, stmt)
+	}
+
+	if len(errs) != 0 {
+		return nil, fmt.Errorf("errors while joining clauses: %w", errors.Join(errs...))
+	}
+
+	return JoinClauses(env, operator, statements...)
+}
--- a/lib/policy/expressions/join_test.go
+++ b/lib/policy/expressions/join_test.go
@@ -0,0 +1,90 @@
+package expressions
+
+import (
+	"errors"
+	"testing"
+
+	"github.com/google/cel-go/cel"
+)
+
+func TestJoin(t *testing.T) {
+	env, err := NewEnvironment()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	for _, tt := range []struct {
+		err       error
+		name      string
+		op        JoinOperator
+		resultStr string
+		clauses   []string
+	}{
+		{
+			name:    "no-clauses",
+			clauses: []string{},
+			op:      JoinAnd,
+			err:     ErrNoExpressions,
+		},
+		{
+			name:      "one-clause-identity",
+			clauses:   []string{`remoteAddress == "8.8.8.8"`},
+			op:        JoinAnd,
+			err:       nil,
+			resultStr: `remoteAddress == "8.8.8.8"`,
+		},
+		{
+			name: "multi-clause-and",
+			clauses: []string{
+				`remoteAddress == "8.8.8.8"`,
+				`host == "anubis.techaro.lol"`,
+			},
+			op:        JoinAnd,
+			err:       nil,
+			resultStr: `remoteAddress == "8.8.8.8" && host == "anubis.techaro.lol"`,
+		},
+		{
+			name: "multi-clause-or",
+			clauses: []string{
+				`remoteAddress == "8.8.8.8"`,
+				`host == "anubis.techaro.lol"`,
+			},
+			op:        JoinOr,
+			err:       nil,
+			resultStr: `remoteAddress == "8.8.8.8" || host == "anubis.techaro.lol"`,
+		},
+		{
+			name: "git-user-agent",
+			clauses: []string{
+				`userAgent.startsWith("git/") || userAgent.contains("libgit")`,
+				`"Git-Protocol" in headers && headers["Git-Protocol"] == "version=2"`,
+			},
+			op:  JoinAnd,
+			err: nil,
+			resultStr: `(userAgent.startsWith("git/") || userAgent.contains("libgit")) && "Git-Protocol" in headers &&
+headers["Git-Protocol"] == "version=2"`,
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			result, err := Join(env, tt.op, tt.clauses...)
+			if !errors.Is(err, tt.err) {
+				t.Errorf("wanted error %v but got: %v", tt.err, err)
+			}
+
+			if tt.err != nil {
+				return
+			}
+
+			program, err := cel.AstToString(result)
+			if err != nil {
+				t.Fatalf("can't decompile program: %v", err)
+			}
+
+			if tt.resultStr != program {
+				t.Logf("wanted: %s", tt.resultStr)
+				t.Logf("got: %s", program)
+				t.Error("program did not compile as expected")
+			}
+		})
+	}
+}
--- a/lib/policy/policy.go
+++ b/lib/policy/policy.go
@@ -6,7 +6,6 @@ import (
 	"fmt"
 	"io"
 	"log/slog"
-	"sync/atomic"

 	"github.com/TecharoHQ/anubis/internal/thoth"
 	"github.com/TecharoHQ/anubis/lib/policy/checker"
@@ -22,17 +21,13 @@ var (
 	}, []string{"rule", "action"})

 	ErrChallengeRuleHasWrongAlgorithm = errors.New("config.Bot.ChallengeRules: algorithm is invalid")
-	warnedAboutThresholds             = &atomic.Bool{}
 )

 type ParsedConfig struct {
 	orig *config.Config

 	Bots              []Bot
-	Thresholds        []*Threshold
 	DNSBL             bool
-	Impressum         *config.Impressum
-	OpenGraph         config.OpenGraph
 	DefaultDifficulty int
 	StatusCodes       config.StatusCodes
 }
@@ -40,7 +35,6 @@ type ParsedConfig struct {
 func NewParsedConfig(orig *config.Config) *ParsedConfig {
 	return &ParsedConfig{
 		orig:        orig,
-		OpenGraph:   orig.OpenGraph,
 		StatusCodes: orig.StatusCodes,
 	}
 }
@@ -151,33 +145,11 @@ func ParseConfig(ctx context.Context, fin io.Reader, fname string, defaultDiffic
 			parsedBot.Weight = b.Weight
 		}

-		result.Impressum = c.Impressum
-
 		parsedBot.Rules = cl

 		result.Bots = append(result.Bots, parsedBot)
 	}

-	for _, t := range c.Thresholds {
-		if t.Name == "legacy-anubis-behaviour" && t.Expression.String() == "true" {
-			if !warnedAboutThresholds.Load() {
-				slog.Warn("configuration file does not contain thresholds, see docs for details on how to upgrade", "fname", fname, "docs_url", "https://anubis.techaro.lol/docs/admin/configuration/thresholds/")
-				warnedAboutThresholds.Store(true)
-			}
-
-			t.Challenge.Difficulty = defaultDifficulty
-			t.Challenge.ReportAs = defaultDifficulty
-		}
-
-		threshold, err := ParsedThresholdFromConfig(t)
-		if err != nil {
-			validationErrs = append(validationErrs, fmt.Errorf("can't compile threshold config for %s: %w", t.Name, err))
-			continue
-		}
-
-		result.Thresholds = append(result.Thresholds, threshold)
-	}
-
 	if len(validationErrs) > 0 {
 		return nil, fmt.Errorf("errors validating policy config JSON %s: %w", fname, errors.Join(validationErrs...))
 	}
--- a/lib/policy/thresholds.go
+++ b/lib/policy/thresholds.go
@@ -1,47 +0,0 @@
-package policy
-
-import (
-	"github.com/TecharoHQ/anubis/lib/policy/config"
-	"github.com/TecharoHQ/anubis/lib/policy/expressions"
-	"github.com/google/cel-go/cel"
-)
-
-type Threshold struct {
-	config.Threshold
-	Program cel.Program
-}
-
-func ParsedThresholdFromConfig(t config.Threshold) (*Threshold, error) {
-	result := &Threshold{
-		Threshold: t,
-	}
-
-	env, err := expressions.ThresholdEnvironment()
-	if err != nil {
-		return nil, err
-	}
-
-	program, err := expressions.Compile(env, t.Expression.String())
-	if err != nil {
-		return nil, err
-	}
-
-	result.Program = program
-
-	return result, nil
-}
-
-type ThresholdRequest struct {
-	Weight int
-}
-
-func (tr *ThresholdRequest) Parent() cel.Activation { return nil }
-
-func (tr *ThresholdRequest) ResolveName(name string) (any, bool) {
-	switch name {
-	case "weight":
-		return tr.Weight, true
-	default:
-		return nil, false
-	}
-}
--- a/lib/testdata/aggressive_403.yaml
+++ b/lib/testdata/aggressive_403.yaml
@@ -1,12 +1,12 @@
 bots:
-  - name: deny
-    user_agent_regex: DENY
-    action: DENY
+- name: deny
+  user_agent_regex: DENY
+  action: DENY

-  - name: challenge
-    user_agent_regex: CHALLENGE
-    action: CHALLENGE
+- name: challenge
+  user_agent_regex: CHALLENGE
+  action: CHALLENGE

 status_codes:
  CHALLENGE: 401
-  DENY: 403
+  DENY: 403
--- a/lib/testdata/test_config.yaml
+++ b/lib/testdata/test_config.yaml
@@ -1,38 +0,0 @@
-bots:
-  - import: (data)/bots/_deny-pathological.yaml
-  - import: (data)/bots/aggressive-brazilian-scrapers.yaml
-  - import: (data)/meta/ai-block-aggressive.yaml
-  - import: (data)/crawlers/_allow-good.yaml
-  - import: (data)/clients/x-firefox-ai.yaml
-  - import: (data)/common/keep-internet-working.yaml
-  - name: countries-with-aggressive-scrapers
-    action: WEIGH
-    geoip:
-      countries:
-        - BR
-        - CN
-    weight:
-      adjust: 10
-  - name: aggressive-asns-without-functional-abuse-contact
-    action: WEIGH
-    asns:
-      match:
-        - 13335 # Cloudflare
-        - 136907 # Huawei Cloud
-        - 45102 # Alibaba Cloud
-    weight:
-      adjust: 10
-  - name: generic-browser
-    user_agent_regex: >-
-      Mozilla|Opera
-    action: WEIGH
-    weight:
-      adjust: 10
-
-dnsbl: false
-
-status_codes:
-  CHALLENGE: 200
-  DENY: 200
-
-thresholds: []
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
  "name": "@techaro/anubis",
-  "version": "1.20.0-pre2",
+  "version": "1.19.1",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "@techaro/anubis",
-      "version": "1.20.0-pre2",
+      "version": "1.19.1",
      "license": "ISC",
      "devDependencies": {
        "cssnano": "^7.0.7",
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@techaro/anubis",
-  "version": "1.20.0-pre2",
+  "version": "1.19.1",
  "description": "",
  "main": "index.js",
  "scripts": {
--- a/web/index.go
+++ b/web/index.go
@@ -6,12 +6,12 @@ import (
 	"github.com/TecharoHQ/anubis/lib/policy/config"
 )

-func Base(title string, body templ.Component, impressum *config.Impressum) templ.Component {
-	return base(title, body, impressum, nil, nil)
+func Base(title string, body templ.Component) templ.Component {
+	return base(title, body, nil, nil)
 }

-func BaseWithChallengeAndOGTags(title string, body templ.Component, impressum *config.Impressum, challenge string, rules *config.ChallengeRules, ogTags map[string]string) (templ.Component, error) {
-	return base(title, body, impressum, struct {
+func BaseWithChallengeAndOGTags(title string, body templ.Component, challenge string, rules *config.ChallengeRules, ogTags map[string]string) (templ.Component, error) {
+	return base(title, body, struct {
 		Rules     *config.ChallengeRules `json:"rules"`
 		Challenge string                 `json:"challenge"`
 	}{
--- a/web/index.templ
+++ b/web/index.templ
@@ -1,13 +1,11 @@
 package web

 import (
-	"fmt"
 	"github.com/TecharoHQ/anubis"
-	"github.com/TecharoHQ/anubis/lib/policy/config"
 	"github.com/TecharoHQ/anubis/xess"
 )

-templ base(title string, body templ.Component, impressum *config.Impressum, challenge any, ogTags map[string]string) {
+templ base(title string, body templ.Component, challenge any, ogTags map[string]string) {
 	<!DOCTYPE html>
 	<html lang="en">
 		<head>
@@ -38,16 +36,16 @@ templ base(title string, body templ.Component, impressum *config.Impressum, chal
        }

        #progress {
-          display: none;
-          width: 90%;
-          width: min(20rem, 90%);
-          height: 2rem;
-          border-radius: 1rem;
-          overflow: hidden;
-          margin: 1rem 0 2rem;
-					outline-offset: 2px;
-					outline: #b16286 solid 4px;
-				}
+            display: none;
+            width: 90%;
+            width: min(20rem, 90%);
+            height: 2rem;
+            border-radius: 1rem;
+            overflow: hidden;
+            margin: 1rem 0 2rem;
+			outline-offset: 2px;
+			outline: #b16286 solid 4px;
+		}

        .bar-inner {
            background-color: #b16286;
@@ -55,7 +53,7 @@ templ base(title string, body templ.Component, impressum *config.Impressum, chal
            width: 0;
            transition: width 0.25s ease-in;
        }
-    	</style>
+    </style>
 			@templ.JSONScript("anubis_version", anubis.Version)
 			if challenge != nil {
 				@templ.JSONScript("anubis_challenge", challenge)
@@ -76,10 +74,6 @@ templ base(title string, body templ.Component, impressum *config.Impressum, chal
 >Techaro</a>. Made with ❤️ in 🇨🇦.
 						</p>
 						<p>Mascot design by <a href="https://bsky.app/profile/celphase.bsky.social">CELPHASE</a>.</p>
-						if impressum != nil {
-							<p>@templ.Raw(impressum.Footer)
-- <a href={ templ.SafeURL(fmt.Sprintf("%simprint", anubis.APIPrefix)) }>Imprint</a></p>
-						}
 					</center>
 				</footer>
 			</main>
--- a/web/index_templ.go
+++ b/web/index_templ.go
@@ -9,13 +9,11 @@ import "github.com/a-h/templ"
 import templruntime "github.com/a-h/templ/runtime"

 import (
-	"fmt"
 	"github.com/TecharoHQ/anubis"
-	"github.com/TecharoHQ/anubis/lib/policy/config"
 	"github.com/TecharoHQ/anubis/xess"
 )

-func base(title string, body templ.Component, impressum *config.Impressum, challenge any, ogTags map[string]string) templ.Component {
+func base(title string, body templ.Component, challenge any, ogTags map[string]string) templ.Component {
 	return templruntime.GeneratedTemplate(func(templ_7745c5c3_Input templruntime.GeneratedComponentInput) (templ_7745c5c3_Err error) {
 		templ_7745c5c3_W, ctx := templ_7745c5c3_Input.Writer, templ_7745c5c3_Input.Context
 		if templ_7745c5c3_CtxErr := ctx.Err(); templ_7745c5c3_CtxErr != nil {
@@ -43,7 +41,7 @@ func base(title string, body templ.Component, impressum *config.Impressum, chall
 		var templ_7745c5c3_Var2 string
 		templ_7745c5c3_Var2, templ_7745c5c3_Err = templ.JoinStringErrs(title)
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 14, Col: 17}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 12, Col: 17}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var2))
 		if templ_7745c5c3_Err != nil {
@@ -56,7 +54,7 @@ func base(title string, body templ.Component, impressum *config.Impressum, chall
 		var templ_7745c5c3_Var3 string
 		templ_7745c5c3_Var3, templ_7745c5c3_Err = templ.JoinStringErrs(anubis.BasePrefix + xess.URL)
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 15, Col: 61}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 13, Col: 61}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var3))
 		if templ_7745c5c3_Err != nil {
@@ -74,7 +72,7 @@ func base(title string, body templ.Component, impressum *config.Impressum, chall
 			var templ_7745c5c3_Var4 string
 			templ_7745c5c3_Var4, templ_7745c5c3_Err = templ.JoinStringErrs(key)
 			if templ_7745c5c3_Err != nil {
-				return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 19, Col: 24}
+				return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 17, Col: 24}
 			}
 			_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var4))
 			if templ_7745c5c3_Err != nil {
@@ -87,7 +85,7 @@ func base(title string, body templ.Component, impressum *config.Impressum, chall
 			var templ_7745c5c3_Var5 string
 			templ_7745c5c3_Var5, templ_7745c5c3_Err = templ.JoinStringErrs(value)
 			if templ_7745c5c3_Err != nil {
-				return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 19, Col: 42}
+				return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 17, Col: 42}
 			}
 			_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var5))
 			if templ_7745c5c3_Err != nil {
@@ -98,7 +96,7 @@ func base(title string, body templ.Component, impressum *config.Impressum, chall
 				return templ_7745c5c3_Err
 			}
 		}
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 7, "<style>\n        body,\n        html {\n            height: 100%;\n            display: flex;\n            justify-content: center;\n            align-items: center;\n            margin-left: auto;\n            margin-right: auto;\n        }\n\n        .centered-div {\n            text-align: center;\n        }\n\n        #status {\n            font-variant-numeric: tabular-nums;\n        }\n\n        #progress {\n          display: none;\n          width: 90%;\n          width: min(20rem, 90%);\n          height: 2rem;\n          border-radius: 1rem;\n          overflow: hidden;\n          margin: 1rem 0 2rem;\n\t\t\t\t\toutline-offset: 2px;\n\t\t\t\t\toutline: #b16286 solid 4px;\n\t\t\t\t}\n\n        .bar-inner {\n            background-color: #b16286;\n            height: 100%;\n            width: 0;\n            transition: width 0.25s ease-in;\n        }\n    \t</style>")
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 7, "<style>\n        body,\n        html {\n            height: 100%;\n            display: flex;\n            justify-content: center;\n            align-items: center;\n            margin-left: auto;\n            margin-right: auto;\n        }\n\n        .centered-div {\n            text-align: center;\n        }\n\n        #status {\n            font-variant-numeric: tabular-nums;\n        }\n\n        #progress {\n            display: none;\n            width: 90%;\n            width: min(20rem, 90%);\n            height: 2rem;\n            border-radius: 1rem;\n            overflow: hidden;\n            margin: 1rem 0 2rem;\n\t\t\toutline-offset: 2px;\n\t\t\toutline: #b16286 solid 4px;\n\t\t}\n\n        .bar-inner {\n            background-color: #b16286;\n            height: 100%;\n            width: 0;\n            transition: width 0.25s ease-in;\n        }\n    </style>")
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
@@ -123,7 +121,7 @@ func base(title string, body templ.Component, impressum *config.Impressum, chall
 		var templ_7745c5c3_Var6 string
 		templ_7745c5c3_Var6, templ_7745c5c3_Err = templ.JoinStringErrs(title)
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 68, Col: 49}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 66, Col: 49}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var6))
 		if templ_7745c5c3_Err != nil {
@@ -137,38 +135,7 @@ func base(title string, body templ.Component, impressum *config.Impressum, chall
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 10, "<footer><center><p>Protected by <a href=\"https://github.com/TecharoHQ/anubis\">Anubis</a> from <a href=\"https://techaro.lol\">Techaro</a>. Made with ❤️ in 🇨🇦.</p><p>Mascot design by <a href=\"https://bsky.app/profile/celphase.bsky.social\">CELPHASE</a>.</p>")
-		if templ_7745c5c3_Err != nil {
-			return templ_7745c5c3_Err
-		}
-		if impressum != nil {
-			templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 11, "<p>")
-			if templ_7745c5c3_Err != nil {
-				return templ_7745c5c3_Err
-			}
-			templ_7745c5c3_Err = templ.Raw(impressum.Footer).Render(ctx, templ_7745c5c3_Buffer)
-			if templ_7745c5c3_Err != nil {
-				return templ_7745c5c3_Err
-			}
-			templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 12, "-- <a href=\"")
-			if templ_7745c5c3_Err != nil {
-				return templ_7745c5c3_Err
-			}
-			var templ_7745c5c3_Var7 templ.SafeURL
-			templ_7745c5c3_Var7, templ_7745c5c3_Err = templ.JoinURLErrs(templ.SafeURL(fmt.Sprintf("%simprint", anubis.APIPrefix)))
-			if templ_7745c5c3_Err != nil {
-				return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 81, Col: 70}
-			}
-			_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var7))
-			if templ_7745c5c3_Err != nil {
-				return templ_7745c5c3_Err
-			}
-			templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 13, "\">Imprint</a></p>")
-			if templ_7745c5c3_Err != nil {
-				return templ_7745c5c3_Err
-			}
-		}
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 14, "</center></footer></main></body></html>")
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 10, "<footer><center><p>Protected by <a href=\"https://github.com/TecharoHQ/anubis\">Anubis</a> from <a href=\"https://techaro.lol\">Techaro</a>. Made with ❤️ in 🇨🇦.</p><p>Mascot design by <a href=\"https://bsky.app/profile/celphase.bsky.social\">CELPHASE</a>.</p></center></footer></main></body></html>")
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
@@ -192,64 +159,64 @@ func index() templ.Component {
 			}()
 		}
 		ctx = templ.InitializeContext(ctx)
-		templ_7745c5c3_Var8 := templ.GetChildren(ctx)
-		if templ_7745c5c3_Var8 == nil {
-			templ_7745c5c3_Var8 = templ.NopComponent
+		templ_7745c5c3_Var7 := templ.GetChildren(ctx)
+		if templ_7745c5c3_Var7 == nil {
+			templ_7745c5c3_Var7 = templ.NopComponent
 		}
 		ctx = templ.ClearChildren(ctx)
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 15, "<div class=\"centered-div\"><img id=\"image\" style=\"width:100%;max-width:256px;\" src=\"")
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 11, "<div class=\"centered-div\"><img id=\"image\" style=\"width:100%;max-width:256px;\" src=\"")
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		var templ_7745c5c3_Var8 string
+		templ_7745c5c3_Var8, templ_7745c5c3_Err = templ.JoinStringErrs(anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/pensive.webp?cacheBuster=" + anubis.Version)
+		if templ_7745c5c3_Err != nil {
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 86, Col: 165}
+		}
+		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var8))
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 12, "\"> <img style=\"display:none;\" style=\"width:100%;max-width:256px;\" src=\"")
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
 		var templ_7745c5c3_Var9 string
-		templ_7745c5c3_Var9, templ_7745c5c3_Err = templ.JoinStringErrs(anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/pensive.webp?cacheBuster=" + anubis.Version)
+		templ_7745c5c3_Var9, templ_7745c5c3_Err = templ.JoinStringErrs(anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/happy.webp?cacheBuster=" + anubis.Version)
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 92, Col: 165}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 87, Col: 174}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var9))
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 16, "\"> <img style=\"display:none;\" style=\"width:100%;max-width:256px;\" src=\"")
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 13, "\"><p id=\"status\">Loading...</p><script async type=\"module\" src=\"")
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
 		var templ_7745c5c3_Var10 string
-		templ_7745c5c3_Var10, templ_7745c5c3_Err = templ.JoinStringErrs(anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/happy.webp?cacheBuster=" + anubis.Version)
+		templ_7745c5c3_Var10, templ_7745c5c3_Err = templ.JoinStringErrs(anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/js/main.mjs?cacheBuster=" + anubis.Version)
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 93, Col: 174}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 89, Col: 136}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var10))
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 17, "\"><p id=\"status\">Loading...</p><script async type=\"module\" src=\"")
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 14, "\"></script><div id=\"progress\" role=\"progressbar\" aria-labelledby=\"status\"><div class=\"bar-inner\"></div></div><details><summary>Why am I seeing this?</summary><p>You are seeing this because the administrator of this website has set up <a href=\"https://github.com/TecharoHQ/anubis\">Anubis</a> to protect the server against the scourge of <a href=\"https://thelibre.news/foss-infrastructure-is-under-attack-by-ai-companies/\">AI companies aggressively scraping websites</a>. This can and does cause downtime for the websites, which makes their resources inaccessible for everyone.</p><p>Anubis is a compromise. Anubis uses a <a href=\"https://anubis.techaro.lol/docs/design/why-proof-of-work\">Proof-of-Work</a> scheme in the vein of <a href=\"https://en.wikipedia.org/wiki/Hashcash\">Hashcash</a>, a proposed proof-of-work scheme for reducing email spam. The idea is that at individual scales the additional load is ignorable, but at mass scraper levels it adds up and makes scraping much more expensive.</p><p>Ultimately, this is a hack whose real purpose is to give a \"good enough\" placeholder solution so that more time can be spent on fingerprinting and identifying headless browsers (EG: via how they do font rendering) so that the challenge proof of work page doesn't need to be presented to users that are much more likely to be legitimate.</p><p>Please note that Anubis requires the use of modern JavaScript features that plugins like <a href=\"https://jshelter.org/\">JShelter</a> will disable. Please disable JShelter or other such plugins for this domain.</p><p>This website is running Anubis version <code>")
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
 		var templ_7745c5c3_Var11 string
-		templ_7745c5c3_Var11, templ_7745c5c3_Err = templ.JoinStringErrs(anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/js/main.mjs?cacheBuster=" + anubis.Version)
+		templ_7745c5c3_Var11, templ_7745c5c3_Err = templ.JoinStringErrs(anubis.Version)
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 95, Col: 136}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 125, Col: 67}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var11))
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 18, "\"></script><div id=\"progress\" role=\"progressbar\" aria-labelledby=\"status\"><div class=\"bar-inner\"></div></div><details><summary>Why am I seeing this?</summary><p>You are seeing this because the administrator of this website has set up <a href=\"https://github.com/TecharoHQ/anubis\">Anubis</a> to protect the server against the scourge of <a href=\"https://thelibre.news/foss-infrastructure-is-under-attack-by-ai-companies/\">AI companies aggressively scraping websites</a>. This can and does cause downtime for the websites, which makes their resources inaccessible for everyone.</p><p>Anubis is a compromise. Anubis uses a <a href=\"https://anubis.techaro.lol/docs/design/why-proof-of-work\">Proof-of-Work</a> scheme in the vein of <a href=\"https://en.wikipedia.org/wiki/Hashcash\">Hashcash</a>, a proposed proof-of-work scheme for reducing email spam. The idea is that at individual scales the additional load is ignorable, but at mass scraper levels it adds up and makes scraping much more expensive.</p><p>Ultimately, this is a hack whose real purpose is to give a \"good enough\" placeholder solution so that more time can be spent on fingerprinting and identifying headless browsers (EG: via how they do font rendering) so that the challenge proof of work page doesn't need to be presented to users that are much more likely to be legitimate.</p><p>Please note that Anubis requires the use of modern JavaScript features that plugins like <a href=\"https://jshelter.org/\">JShelter</a> will disable. Please disable JShelter or other such plugins for this domain.</p><p>This website is running Anubis version <code>")
-		if templ_7745c5c3_Err != nil {
-			return templ_7745c5c3_Err
-		}
-		var templ_7745c5c3_Var12 string
-		templ_7745c5c3_Var12, templ_7745c5c3_Err = templ.JoinStringErrs(anubis.Version)
-		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 131, Col: 67}
-		}
-		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var12))
-		if templ_7745c5c3_Err != nil {
-			return templ_7745c5c3_Err
-		}
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 19, "</code>.</p></details><noscript><p>Sadly, you must enable JavaScript to get past this challenge. This is required because AI companies have changed the social contract around how website hosting works. A no-JS solution is a work-in-progress.</p></noscript><div id=\"testarea\"></div></div>")
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 15, "</code>.</p></details><noscript><p>Sadly, you must enable JavaScript to get past this challenge. This is required because AI companies have changed the social contract around how website hosting works. A no-JS solution is a work-in-progress.</p></noscript><div id=\"testarea\"></div></div>")
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
@@ -273,79 +240,79 @@ func errorPage(message string, mail string) templ.Component {
 			}()
 		}
 		ctx = templ.InitializeContext(ctx)
-		templ_7745c5c3_Var13 := templ.GetChildren(ctx)
-		if templ_7745c5c3_Var13 == nil {
-			templ_7745c5c3_Var13 = templ.NopComponent
+		templ_7745c5c3_Var12 := templ.GetChildren(ctx)
+		if templ_7745c5c3_Var12 == nil {
+			templ_7745c5c3_Var12 = templ.NopComponent
 		}
 		ctx = templ.ClearChildren(ctx)
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 20, "<div class=\"centered-div\"><img id=\"image\" alt=\"Sad Anubis\" style=\"width:100%;max-width:256px;\" src=\"")
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 16, "<div class=\"centered-div\"><img id=\"image\" alt=\"Sad Anubis\" style=\"width:100%;max-width:256px;\" src=\"")
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		var templ_7745c5c3_Var13 string
+		templ_7745c5c3_Var13, templ_7745c5c3_Err = templ.JoinStringErrs(anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/reject.webp?cacheBuster=" + anubis.Version)
+		if templ_7745c5c3_Err != nil {
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 140, Col: 181}
+		}
+		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var13))
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 17, "\"><p>")
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
 		var templ_7745c5c3_Var14 string
-		templ_7745c5c3_Var14, templ_7745c5c3_Err = templ.JoinStringErrs(anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/reject.webp?cacheBuster=" + anubis.Version)
+		templ_7745c5c3_Var14, templ_7745c5c3_Err = templ.JoinStringErrs(message)
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 146, Col: 181}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 141, Col: 14}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var14))
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 21, "\"><p>")
-		if templ_7745c5c3_Err != nil {
-			return templ_7745c5c3_Err
-		}
-		var templ_7745c5c3_Var15 string
-		templ_7745c5c3_Var15, templ_7745c5c3_Err = templ.JoinStringErrs(message)
-		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 147, Col: 14}
-		}
-		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var15))
-		if templ_7745c5c3_Err != nil {
-			return templ_7745c5c3_Err
-		}
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 22, ".</p><button onClick=\"window.location.reload();\">Try again</button> ")
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 18, ".</p><button onClick=\"window.location.reload();\">Try again</button> ")
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
 		if mail != "" {
-			templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 23, "<p><a href=\"/\">Go home</a> or if you believe you should not be blocked, please contact the webmaster at <a href=\"")
+			templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 19, "<p><a href=\"/\">Go home</a> or if you believe you should not be blocked, please contact the webmaster at <a href=\"")
 			if templ_7745c5c3_Err != nil {
 				return templ_7745c5c3_Err
 			}
-			var templ_7745c5c3_Var16 templ.SafeURL
-			templ_7745c5c3_Var16, templ_7745c5c3_Err = templ.JoinURLErrs("mailto:" + templ.SafeURL(mail))
+			var templ_7745c5c3_Var15 templ.SafeURL
+			templ_7745c5c3_Var15, templ_7745c5c3_Err = templ.JoinURLErrs("mailto:" + templ.SafeURL(mail))
 			if templ_7745c5c3_Err != nil {
-				return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 152, Col: 45}
+				return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 146, Col: 45}
+			}
+			_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var15))
+			if templ_7745c5c3_Err != nil {
+				return templ_7745c5c3_Err
+			}
+			templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 20, "\">")
+			if templ_7745c5c3_Err != nil {
+				return templ_7745c5c3_Err
+			}
+			var templ_7745c5c3_Var16 string
+			templ_7745c5c3_Var16, templ_7745c5c3_Err = templ.JoinStringErrs(mail)
+			if templ_7745c5c3_Err != nil {
+				return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 147, Col: 11}
 			}
 			_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var16))
 			if templ_7745c5c3_Err != nil {
 				return templ_7745c5c3_Err
 			}
-			templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 24, "\">")
-			if templ_7745c5c3_Err != nil {
-				return templ_7745c5c3_Err
-			}
-			var templ_7745c5c3_Var17 string
-			templ_7745c5c3_Var17, templ_7745c5c3_Err = templ.JoinStringErrs(mail)
-			if templ_7745c5c3_Err != nil {
-				return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 153, Col: 11}
-			}
-			_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var17))
-			if templ_7745c5c3_Err != nil {
-				return templ_7745c5c3_Err
-			}
-			templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 25, "</a></p>")
+			templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 21, "</a></p>")
 			if templ_7745c5c3_Err != nil {
 				return templ_7745c5c3_Err
 			}
 		} else {
-			templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 26, "<p><a href=\"/\">Go home</a></p>")
+			templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 22, "<p><a href=\"/\">Go home</a></p>")
 			if templ_7745c5c3_Err != nil {
 				return templ_7745c5c3_Err
 			}
 		}
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 27, "</div>")
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 23, "</div>")
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
@@ -369,26 +336,26 @@ func StaticHappy() templ.Component {
 			}()
 		}
 		ctx = templ.InitializeContext(ctx)
-		templ_7745c5c3_Var18 := templ.GetChildren(ctx)
-		if templ_7745c5c3_Var18 == nil {
-			templ_7745c5c3_Var18 = templ.NopComponent
+		templ_7745c5c3_Var17 := templ.GetChildren(ctx)
+		if templ_7745c5c3_Var17 == nil {
+			templ_7745c5c3_Var17 = templ.NopComponent
 		}
 		ctx = templ.ClearChildren(ctx)
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 28, "<div class=\"centered-div\"><img style=\"display:none;\" style=\"width:100%;max-width:256px;\" src=\"")
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 24, "<div class=\"centered-div\"><img style=\"display:none;\" style=\"width:100%;max-width:256px;\" src=\"")
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
-		var templ_7745c5c3_Var19 string
-		templ_7745c5c3_Var19, templ_7745c5c3_Err = templ.JoinStringErrs("/.within.website/x/cmd/anubis/static/img/happy.webp?cacheBuster=" +
+		var templ_7745c5c3_Var18 string
+		templ_7745c5c3_Var18, templ_7745c5c3_Err = templ.JoinStringErrs("/.within.website/x/cmd/anubis/static/img/happy.webp?cacheBuster=" +
 			anubis.Version)
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 168, Col: 18}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 162, Col: 18}
 		}
-		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var19))
+		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var18))
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 29, "\"><p>This is just a check endpoint for your reverse proxy to use.</p></div>")
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 25, "\"><p>This is just a check endpoint for your reverse proxy to use.</p></div>")
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
@@ -412,38 +379,38 @@ func bench() templ.Component {
 			}()
 		}
 		ctx = templ.InitializeContext(ctx)
-		templ_7745c5c3_Var20 := templ.GetChildren(ctx)
-		if templ_7745c5c3_Var20 == nil {
-			templ_7745c5c3_Var20 = templ.NopComponent
+		templ_7745c5c3_Var19 := templ.GetChildren(ctx)
+		if templ_7745c5c3_Var19 == nil {
+			templ_7745c5c3_Var19 = templ.NopComponent
 		}
 		ctx = templ.ClearChildren(ctx)
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 30, "<div style=\"height:20rem;display:flex\"><table style=\"margin-top:1rem;display:grid;grid-template:auto 1fr/auto auto;gap:0 0.5rem\"><thead style=\"border-bottom:1px solid black;padding:0.25rem 0;display:grid;grid-template:1fr/subgrid;grid-column:1/-1\"><tr id=\"table-header\" style=\"display:contents\"><th style=\"width:4.5rem\">Time</th><th style=\"width:4rem\">Iters</th></tr><tr id=\"table-header-compare\" style=\"display:none\"><th style=\"width:4.5rem\">Time A</th><th style=\"width:4rem\">Iters A</th><th style=\"width:4.5rem\">Time B</th><th style=\"width:4rem\">Iters B</th></tr></thead> <tbody id=\"results\" style=\"padding-top:0.25rem;display:grid;grid-template-columns:subgrid;grid-auto-rows:min-content;grid-column:1/-1;row-gap:0.25rem;overflow-y:auto;font-variant-numeric:tabular-nums\"></tbody></table><div class=\"centered-div\"><img id=\"image\" style=\"width:100%;max-width:256px;\" src=\"")
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 26, "<div style=\"height:20rem;display:flex\"><table style=\"margin-top:1rem;display:grid;grid-template:auto 1fr/auto auto;gap:0 0.5rem\"><thead style=\"border-bottom:1px solid black;padding:0.25rem 0;display:grid;grid-template:1fr/subgrid;grid-column:1/-1\"><tr id=\"table-header\" style=\"display:contents\"><th style=\"width:4.5rem\">Time</th><th style=\"width:4rem\">Iters</th></tr><tr id=\"table-header-compare\" style=\"display:none\"><th style=\"width:4.5rem\">Time A</th><th style=\"width:4rem\">Iters A</th><th style=\"width:4.5rem\">Time B</th><th style=\"width:4rem\">Iters B</th></tr></thead> <tbody id=\"results\" style=\"padding-top:0.25rem;display:grid;grid-template-columns:subgrid;grid-auto-rows:min-content;grid-column:1/-1;row-gap:0.25rem;overflow-y:auto;font-variant-numeric:tabular-nums\"></tbody></table><div class=\"centered-div\"><img id=\"image\" style=\"width:100%;max-width:256px;\" src=\"")
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		var templ_7745c5c3_Var20 string
+		templ_7745c5c3_Var20, templ_7745c5c3_Err = templ.JoinStringErrs(anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/pensive.webp?cacheBuster=" + anubis.Version)
+		if templ_7745c5c3_Err != nil {
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 191, Col: 166}
+		}
+		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var20))
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 27, "\"><p id=\"status\" style=\"max-width:256px\">Loading...</p><script async type=\"module\" src=\"")
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
 		var templ_7745c5c3_Var21 string
-		templ_7745c5c3_Var21, templ_7745c5c3_Err = templ.JoinStringErrs(anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/pensive.webp?cacheBuster=" + anubis.Version)
+		templ_7745c5c3_Var21, templ_7745c5c3_Err = templ.JoinStringErrs(anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/js/bench.mjs?cacheBuster=" + anubis.Version)
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 197, Col: 166}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 193, Col: 138}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var21))
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 31, "\"><p id=\"status\" style=\"max-width:256px\">Loading...</p><script async type=\"module\" src=\"")
-		if templ_7745c5c3_Err != nil {
-			return templ_7745c5c3_Err
-		}
-		var templ_7745c5c3_Var22 string
-		templ_7745c5c3_Var22, templ_7745c5c3_Err = templ.JoinStringErrs(anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/js/bench.mjs?cacheBuster=" + anubis.Version)
-		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 199, Col: 138}
-		}
-		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var22))
-		if templ_7745c5c3_Err != nil {
-			return templ_7745c5c3_Err
-		}
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 32, "\"></script><div id=\"sparkline\"></div><noscript><p>Running the benchmark tool requires JavaScript to be enabled.</p></noscript></div></div><form id=\"controls\" style=\"position:fixed;top:0.5rem;right:0.5rem\"><div style=\"display:flex;justify-content:end\"><label for=\"difficulty-input\" style=\"margin-right:0.5rem\">Difficulty:</label> <input id=\"difficulty-input\" type=\"number\" name=\"difficulty\" style=\"width:3rem\"></div><div style=\"margin-top:0.25rem;display:flex;justify-content:end\"><label for=\"algorithm-select\" style=\"margin-right:0.5rem\">Algorithm:</label> <select id=\"algorithm-select\" name=\"algorithm\"></select></div><div style=\"margin-top:0.25rem;display:flex;justify-content:end\"><label for=\"compare-select\" style=\"margin-right:0.5rem\">Compare:</label> <select id=\"compare-select\" name=\"compare\"><option value=\"NONE\">-</option></select></div></form>")
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 28, "\"></script><div id=\"sparkline\"></div><noscript><p>Running the benchmark tool requires JavaScript to be enabled.</p></noscript></div></div><form id=\"controls\" style=\"position:fixed;top:0.5rem;right:0.5rem\"><div style=\"display:flex;justify-content:end\"><label for=\"difficulty-input\" style=\"margin-right:0.5rem\">Difficulty:</label> <input id=\"difficulty-input\" type=\"number\" name=\"difficulty\" style=\"width:3rem\"></div><div style=\"margin-top:0.25rem;display:flex;justify-content:end\"><label for=\"algorithm-select\" style=\"margin-right:0.5rem\">Algorithm:</label> <select id=\"algorithm-select\" name=\"algorithm\"></select></div><div style=\"margin-top:0.25rem;display:flex;justify-content:end\"><label for=\"compare-select\" style=\"margin-right:0.5rem\">Compare:</label> <select id=\"compare-select\" name=\"compare\"><option value=\"NONE\">-</option></select></div></form>")
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
--- a/web/js/proof-of-work-slow.mjs
+++ b/web/js/proof-of-work-slow.mjs
@@ -70,7 +70,7 @@ function processTask() {
      let hash;
      let nonce = 0;
      do {
-        if ((nonce & 1023) === 0) {
+        if (nonce & (1023 === 0)) {
          postMessage(nonce);
        }
        hash = await sha256(data + nonce++);
--- a/web/static/robots.txt
+++ b/web/static/robots.txt
@@ -21,9 +21,7 @@ User-agent: Cotoyogi
 User-agent: Crawlspace
 User-agent: Diffbot
 User-agent: DuckAssistBot
-User-agent: EchoboxBot
 User-agent: FacebookBot
-User-agent: facebookexternalhit
 User-agent: Factset_spyderbot
 User-agent: FirecrawlAgent
 User-agent: FriendlyCrawler
@@ -44,7 +42,6 @@ User-agent: Meta-ExternalAgent
 User-agent: meta-externalfetcher
 User-agent: Meta-ExternalFetcher
 User-agent: MistralAI-User/1.0
-User-agent: MyCentralAIScraperBot
 User-agent: NovaAct
 User-agent: OAI-SearchBot
 User-agent: omgili
@@ -57,17 +54,12 @@ User-agent: Perplexity-User
 User-agent: PerplexityBot
 User-agent: PetalBot
 User-agent: PhindBot
-User-agent: Poseidon Research Crawler
 User-agent: QualifiedBot
 User-agent: QuillBot
 User-agent: quillbot.com
 User-agent: SBIntuitionsBot
 User-agent: Scrapy
-User-agent: SemrushBot
-User-agent: SemrushBot-BA
-User-agent: SemrushBot-CT
 User-agent: SemrushBot-OCOB
-User-agent: SemrushBot-SI
 User-agent: SemrushBot-SWA
 User-agent: Sidetrade indexer bot
 User-agent: TikTokSpider